Every part of a computer is designed to be predictable,

and to follow logical patterns.

You put the same numbers in,

you're going to get the same numbers out.

Which is a problem, because all modern encryption,

including that padlock up in your browser

that tells you that you're safe,

all of that relies on big, properly random numbers.

If you can somehow predict those numbers,

you can start breaking those locks.

Which is why I'm here,

at the headquarters of Cloudflare, in San Francisco.

Cloudflare is a service that protects websites and web services,

and sort of sits in front of them as a gatekeeper.

Somewhere around 10% of the web flows through Cloudflare's network.

Cloudflare was one of the first companies

to provide free SSL encryption for websites.

So the connection between your web browser and the website you're going to

is fully encrypted and invisible for eavesdroppers

to be able to look at.

In short, these folks deal with a lot of encrypted Internet traffic,

so they need a lot of random numbers.

It is possible to write code that will simulate randomness,

and that's good enough for a lot of uses,

but in theory, those numbers could be predicted.

They're just being generated by code,

so the servers here have to get their randomness

from an external and entirely unpredictable source.

A lot of home computers treat their own users as sources of randomness,

tiny twitches of mouse movement,

the exact milliseconds between keystrokes,

or on a phone maybe even the accelerometer or other sensors.

In all those cases, they generally discard the bigger parts,

the bits that could just be influenced by humans,

and go off the tiny little decimal places,

the bits that you couldn't control precisely,

even if you wanted to.

But that sort of human interaction is nowhere

near enough for an operation on this scale,

hence lava lamps.

We videotape these lava lamps and take the pictures and video,

and turn it into a stream of random, unpredictable bytes.

And this unpredictable data is what we use to help create the keys

that encrypt the traffic that flows through Cloudflare's network.

This data is then fed into our data centres

and then fed into the Linux kernel which

then uses it to help seed random number generators

that are used to generate keys.

Every time that you take a picture with a camera

there's going to be some sort of static, some sort of noise.

So it's not only just where the bubbles are flowing through the lava lamp,

it's the state of the air, the ambient light,

every tiny change impacts the stream of data.

A cryptographic hash function is something that we use

where even if you have one static image and one little bit changes,

it changes the entire stream.

So we use that to help scatter the randomness

as much as possible.

We also collect randomness around the world.

So in our London office, we have this thing

called a chaotic pendulum.

It has three pieces and it's unpredictable in

which way they twist and turn together.

We videotape that and feed it into our randomness source, as well.

In our Singapore office, we have a radioactive source

that we use to feed into the randomness system, as well.

So this is not just some stunt that we pulled,

it's actually being fed into our real systems.

Whether anything in the world is truly random

is arguably a question of philosophy and not science.

Maybe everything is just complicated clockwork.

But these lava lamps are so chaotic

that simulating that camera shot with perfect pixel accuracy,

far enough ahead to be useful

while figuring out everything else those images are being put through,

it's roughly the same level of difficulty as just brute-forcing the encryption in the first place.

And even if you could simulate all that,

you'd only have one piece of the puzzle.

These folks aren't the first to do this.

"Lavarand" was patented by a company called Silicon Graphics in 1996,

but that only lasted a couple of years.

Now of course, there are less flashy and

more practical ways to generate random numbers,

but then I wouldn't be here.

I would be at some other company who'd gone and,

I don't know, pointed a camera at a basket of kittens.

That'd be a bit higher maintenance, though.