I bet you thought that was pretty

random, but that is in fact not that

random. Okay, that was pre-planned. That

was not that's barely even pseudo

random. And why this is important

because today I want to talk about this.

Yes, this gigantic wall of lava lamps.

You're probably wondering what what does

what do all these lava lamps have to do

with anything? Well, it turns out they

run a large portion of the internet's

SSL and TLS encryption. This is in fact

how Cloudflare does it. And these lava

lamps are for anybody to see in the

headquarters front lobby of the

Cloudflare office. If you go and stand

in front of it, you can become part of

encryption, too. A little piece of

internet lore. That's right. Just you.

Just you. You little encrypt. You little

chaotic algorithm. You you know, you're

just so you're just so chaotic. Anywh

who, so why does this what is going on

here? Why are lava lamps being used for

uh encryption? or how are they actually

being used for encryption? Well, the

first thing to know is that random is

actually really, really hard on a

computer. Ultimately, a computer breaks

down to just a series of if statements.

Even large LLMs that are predicting all

these amazing tokens at the end of the

day is just some big gigantic linear

algebra of if statements just really

really condensely find as model weights

and they're like kind of like nebulous

if statement, you know, like nebulous if

statements. Anywh who randomness is

extremely important for secure

encryption. Each new key that a computer

uses to encrypt data must be truly

random so that the attacker won't be

able to figure out the key and decrypt

the data. However, computers are

designed to provide predictable logical

outputs based on given input. They are

not designed to produce the random data

needed for creating unpredictable

encryption keys. So what Cloudflare

actually does is it has these lava lamps

and they're just always running. And

that's because lava lamps once they get

heated up to whatever temperature it's

supposed to be, the lava starts kind of

like flowing up and sways a little bit,

becomes a little bally. Sometimes it's

just like in that weird tube shape.

Sometimes it's up at the top. They're

all just kind of different. And since

there's 100 of them, there's 100 of all

this continuously changing, continuously

different amount of data. And so the

recording came just always taking

pictures of or always getting data from

these 100 cloud flare lava lamps. And if

somebody steps in front of it to

actually look at it, you become part of

the picture. Thus, you are some random

interruption inside of the data. And

this is actually used to seed the random

number generation for SSL/TLS.

And of course, to make it truly random,

they also use two other Linux computers

because Linux computers obviously have

like dev random. They have ability to,

you know, generate random numbers. They

actually use two different Linux

machines, lines, to generate even more

random numbers and combine all of this

together to create a truly random

number. Now, I'm positive there's a lot

of you right now like, okay, well, why

can't you just use mathr random? It it

seems super random to me, right? Well,

it is random in the sense that it

randomly is kind of uniformly set out

inside of the space between 0 to 1, but

it is predictable. And that's the big

thing is random numbers for TLS and SSL

cannot be predictable. So, what do I

mean predictable? Well, watch this

little quick video intro. Let me show

you something wild. I'm going to go

inside Firefox console, write this code

snippet, hit enter, and get three random

numbers. Next, I'm going to go ahead and

take these numbers and write these into

this program that I just created. And

I'm going to hit enter and it's going to

give me a few more numbers. Now, I will

go back here and you can see I don't

have anything else. I have not written

math.random by myself. But let me run

this program again. Let's take a look at

what has happened. So 0.5466 is this

exact number with the last decimal

place.

>> Now I'm sure there's a bunch of you

right now. They're like, "Nah, that guy

probably cheated. There's just it ain't

possible to predict this kind of

randomness." Well, it actually turns out

no. A lot of random number generators

you use are actually quite predictable.

In fact, this became such a problem that

there was this entire Russian hacking

casino thing to make millions of dollars

in which they were able to take a video

of the game that they were playing. It

was transmitted back to St. Petersburg.

The people in St. Petersburg because

they got a hold of the machines and

figured out the pseudo random was

actually not that uh unpredictable

pseudo random. They are able to watch

enough of the game play and then go okay

if you wait until this exact moment you

will be able to uh tilt the odds into

your favor. They would send a message.

It take about a half second to travel

across the world. It would vibrate in

someone's phone. They then offset for

about another $250 milliseconds for a

person from the vibration to pressing

the button and that would actually all

line up and they were able to rake in

about $250,000

per week from these broken older

machines that are spread across the

world because they were able to

accurately predict a pseudo random

number generator. So, this is why it's

so important because if people were able

to kind of guess what Cloudflare's next

set of random numbers are, they could

end up just being able to inspect

effectively some portion of the world's

data going across the internet. That

means they could do some level of

decryption that allows them to gain

access to areas that they should not be

gaining access to. Just like that Alex

fellow with the machines, they would be

able to gamble and probably make

millions of dollars by stealing people's

data, being able to break the

encryption. So having things that are

extremely random turns out is very

important for Cloudflare. Now

specifically this type of random is not

just called a pseudo random number

generator. It's actually called a

cryptographically secure pseudo random

number generator or a CSRNG.

It's a type of PRNG that meets a more

stringent standard making it safer to

use for cryptography. And it requires

two kind of you know requirements.

First, the random number generator has

to prove that it's unpredictable. And

second, that an attacker is not able to

predict its outputs. And that

[clears throat] is what makes the lava

lamp so unique. They never take the same

shape. So if you take all that image

data, it's just always different. The

light is reflecting different. The, you

know, like the saturation, the amount of

luminosity per pixel is just going to be

constantly changing under this

uncalculable number. And that's why it's

so incredible because when someone does

walk in front of it, they're just so

random. They make the CSP RNG

effectively impossible to guess. But

Cloudflare actually takes it a step

further. You're probably asking, well,

if the lava lamps are the only source

for a cryptographically secure seed,

that must mean that if someone were to

be able to like just put a gigantic sign

in front of the camera, you would be

able to effectively kind of circumvent

Cloudflare's randomness and boom, you

could guess all the keys, right? Well,

it turns out that they do even more than

that. Many operating systems have their

own sources of random data for use in

cryptographic seeds. For instance, user

actions, mouse movements, keyboard

typing, blah blah blah. Although they

obtain this data relatively slowly,

Cloudflare mixes the random data

obtained from the lava lamps with data

generated by the Linux operating system

on two different machines in order to

maximize entropy when creating

cryptographic seeds for SSL and TLS

encryption. So that means even if the

cameras were to go down, they would

actually continue to produce very random

nature. You wouldn't be able to go,

okay, the cameras are down for the next

20 minutes. We can guess. It's like, no,

actually this is still a very, very

unpredictable and an impossible problem

to predict. But even more kind of

interesting, something I did not realize

until reading this blog, it turns out

each office kind of has their own unique

way of doing uh cryptographic data,

which is it just makes this more fun, I

guess. The other two main Cloudflare

offices are in London and Singapore. And

each office has its own method for

generating random data from realworld

inputs. London takes photos of a double

pendulum system mounted in the office, a

pendulum connected to a pendulum, the

movements of which are mathematically

unpredictable. The Singapore office

measures the radioactive decay of a

pellet of uranium. Weird, right? I mean,

who would who would have who would have

guessed? There's actually other methods

that they're using and they're all kind

of just realworld stuff cuz the real

world is unpredictable whereas computers

are just simply predictable. But one

more kind of might shimalon turnaround

and all this. It turns out Cloudflare

not the first company to use lava lamps

for randomness. Was Cloudflare the first

company to use lava lamps for

encryption? No. Surprisingly, a company

called Silicon Graphics designed a

similar system called Lava Rand in 1996.

although the patent has since expired.

Anyways, this rabbit hole actually goes

quite a bit deeper. Uh, randomness turns

out to be actually a very very hard

problem and a very very important

problem. So, if you want to, I will have

links in the description for randomness

and the a lava random production, the

nitty-gritty technical details because

at the end of the day, probably

something you're never going to have to

worry about. But it's also just

something that, you know, it's just

these are one of those weird things that

are so interesting cuz my very first

thought when I saw those lava lamps, I

just assumed it was like, okay, if the

lava's high, that's a one. If the lava's

low, that's a zero. And they use the 100

to create a 100 bit random string. But

no, then I was like, okay, well, what

happens if someone walks in front of it?

Like does that just become zeros? How

does this work? I never even thought

about the fact you just use every single

pixel from the image. It's like okay,

they're all so vastly different at

different at every single moment that it

just works out like mindblowing stuff

going on. Of course, I I classic, by the

way, software engineer. I just think of

the most complex possible way to do the

problem when the actual simple answer is

right in front of me. Hey, just measure

it all. And I'm like, you could just

take, you know, it's like a binary

representation of a 100 bit. [laughter]

I don't know what's wrong with me. I

thought this was awesome. If you think

this is awesome, you know, tell me it

is. Tell me it's awesome. Tell me, tell

me something fantastic. Tell me, hey

girl, tell me about yourself. You come

come here often. Agen. I forgot the

whole prime part though. So, just like

in your head, imagine I said prime and

then I said all of that and then the

agen just makes a lot more sense. A gen.

Hey, do you want to learn how to code?

Do you want to become a better back-end

engineer? Well, you got to check out

boot.dev. Now, I personally have made a

couple courses from them. I have live

walkthroughs free available on YouTube

of the whole course. Everything on

boot.dev you can go through for free.

But if you want the gamified experience,

the tracking of your learning and all

that, then you got to pay up the money.

But hey, go check them out. It's

awesome. Many content creators you know

and you like make courses there.

boot.dev/prime for 25% off.