The RNGs that make our life random

Our life is random, but not by chance, but by design. As we live in tandem with technology, we have allowed the RNGs to become the directors of our lives. The acronym for Random Numer Generator, random number generator, determines many of the actions we take throughout the day. Like ordering a bank transfer or making an online purchase. And although we talk about them mainly for their use in video games and online casinos, this everyday way of relating to reality has a much older origin and analog.

When an augur, a Roman soothsayer, cut open an animal to observe its liver, and establish the fate that awaited a government, a general or the city, he was generating a set of random probabilities that could have been expressed numerically. In its simplest version, the viscera was healthy or diseased, therefore 0 or 1, which decided the date of waging a war, the approval of law or the realization of public works. But the liver was also divided into parts, and each one of them could present various aspects, in order to make the answer much more complex than a yes or no. Generations of zeros and ones were created by an algorithm that at that time was nothing more than the possibility of the animal being healthy or sick, and therefore everything was left to chance. Supposedly. In reality, the soothsayers, who were not only priests but also politicians and represented important financial institutions – the temples acted as banks – tried to make the gods rule in their favor. To do this, they chose animals whose external signs – visible only to them – were evidence of illness or fed them the night before the sacrifice with certain plants and mushrooms or concoctions. In today’s words, they hacked the RNG to obtain a benefit in their favor.

Randomness is as old in our societies as the attempts to cheat it are ancient. However, it is not necessary to go that far back to find a group that was able to find the pattern that generated the random numbers to get rich. The Pelayos family became millionaires playing roulette, a rather basic and analogical system of RNG generation, since its ball falls randomly in boxes with numbers along the moves, and its result is not predictable. At least in theory. They found a pattern that repeated itself uniquely and individually on each roulette wheel, which they could define if they spent enough time at the table studying the results. Most of the roulette wheels manufactured in the 1990s had valley areas where the ball tended to fall most often. The Pelayos wrote down the figures, transferred them to a computer to process them, and obtained a statistical prediction. Or as García-Pelayo defined it, they discovered the limits of luck. They tell it with an example in their book of memoirs, explaining that in the casinos of Madrid, they found that the one and its two neighbors, 20 and 30, came out as much as the four and the two numbers that surrounded it, 19 and 21. That roulette wheel therefore had two valleys, and with the calculation of probability, it was possible to know how many spins the ball would fall on those numbers. By understanding how the RNG of each device behaved, they managed to win two hundred million pesetas -about one million two hundred thousand euros- playing in casinos all over the world: Europe, America, and Australia.

If we put it in modern computing terms, the Pelayos managed to crack the code that determines the algorithm. It is the wet dream of any cybercriminal today, and one of the most difficult feats for a hacker to achieve. Whoever succeeds will become a millionaire, without heists as difficult to achieve as those of La Casa de Papel, but becoming a target of all national and international police and security agencies, just like its protagonists. And the fact is that RNG generators now govern the entire global financial system and its transactions and online casinos, betting shops, and similar sites. Gaming and banking are the two sectors that invest the most in IT security worldwide because their business depends on it in order not to lose, and also to win. In fact both coincide in hiring external companies specialized in the creation of cryptographic systems. These computer companies use RNGs to generate cryptographic keys -passwords-; nonces -numbers that can only be used once, like the bank confirmation key we mentioned before-; initialization vectors for encryption; and random protection masks that protect sensitive numbers when we enter data such as ID cards or credit card numbers. As I said, randomness is forcibly part of our daily lives and security is behind it all. Even if we have never thought about it.

And to answer the question of whether it is possible to storm the virtual money train or blow up online banking we have to refer to an organization called Lazarus, born in North Korea in 2009 and dedicated, in theory, to financing Kim Jong-un‘s regime. Their greatest success was achieved in 2016, when they stole $81 million from the central bank of Bangladesh through the Swift electronic payment system. To put it simply, the North Korean hackers ordered fake transfers that did reach their destination because the orders were correctly issued. But there was nothing as sophisticated as gutting the RNG-generating software and predicting its outcome. It was as simple as sending a malware email that attached a word or excel file and when opened, infected the computer and stole the banking data. In fact, this is the hallmark of Lazarus, and their latest attack, in September 2019, consisted of a home-grown virus called electric fish, which obtains sensitive information from the infected computer, including banking information, without the user being aware of it. Not that doing all that is simple, but it is a far cry from being able to identify the pattern of an RNG. The random that surrounds us is still an enigma.

And hackers are having a harder and harder time. From the original, simpler RNGs, four types have emerged, each more sophisticated and difficult to figure out than the last. The simplest, DRNG, generates a random sequence, and is the most similar to the roulette example. The TRNG is much more ambitious, because the numerical sequence it generates is based on environmental phenomena that are impossible to predict. For example, the ambient noise picked up by a radio receiver on an empty broadcast frequency and its variations. Or the changes in temperatures, high and low pressures at different geographical points: yes, weather prediction. The more forward-looking it is, the more unpredictable it is. From here a TRNG can be generated and then encrypted to reinforce security, creating an HTRN. And in the highest degree achieved to date, HDRNGs, instead of a single number a period is created, so that the encryption is not based on a digit but on a random sequence of successive RNGs. It all sounds quite complex, but an expert would tell us that in reality, all this that we have just described are not true RNGs, but pseudo-RNGs. That is, all the sequences generated have a pattern, and that can be identified… by a sufficiently skilled hacker. So something much more ambitious, which enters the realm of quantum physics, the QRNG, literally Quantum Random Number Generator, is already in the works. If you’ve heard of an experiment where an electron had to pass through one of two parallel free slots & demo slots punched in a card, and ended up passing through both – contrary to logic – you’ll come close to knowing what this God-level randomization is all about. It has already been incorporated through 5G technology by some companies, and is based on photons, the particles of light emitted by an LED. The amount of photons emitted by that light is, due to the laws of physics, totally random, and the computer chips are able to transform its fluctuation into a number, a QRNG. Literally impossible to figure out.

The relevance of all this chatter is that not only is it not possible to break the bank, but it is increasingly impossible. And it’s not easy on the dark side either. We could think that the gambling company would program the RNGs so that the result goes only in favor of the online casino and never in favor of the player. It would be a rather stupid strategy, because it would attract customers to lose them quickly, as soon as they realize that it is impossible to win. The truth is that random number generators try to find the balance between keeping customers happy and making an acceptable profit. And they can’t even choose the limits completely freely. Every country, and every state in federated nations like the United States, has its own legal regulations on RNG generation for games.

Random is as regulated as in banking so that there is no fraud. Even so, it is not impossible that the gambling enthusiast ends up lost in the immense offer of online casinos that the Internet offers today. And even end up clicking on a North Korean page with all the appearance of a legal site. For this reason, the wisest thing to do is to go to references such as playfortunefor.fun, which brings together casinos with license -and therefore with RNG regulated by the General Directorate of Gaming Regulation-. We will hardly become millionaires like Los Pelayos, for everything explained above. But at least we will be sure that the machine behaves as randomly as we do in our daily life. Or like this article that talks about random things.