Predicting and controlling NetHack's randomness (2009)

This bit is clever:<p>&quot;The trickiest part, which was the only point of failure, was in starting a game on the server at some exact second. Due to clock skew, the server could think it is several seconds (or even minutes) earlier or later than your clock does. The server doesn&#x27;t broadcast what it thinks the current time is, either. One way to actually figure out the current time is through the random seed! Start a game on the server, noting the current time on your clock. Then generate NetHack games for that time, that time plus a second, that time minus a second, plus two seconds, and so on until you get the same starting map and stats. The offset you used is the number seconds between your machine and the server, so you can use it to know exactly when to start a server game. It&#x27;s still not as exact as I would like, since you only get resolution of a second.&quot;<p>Reminds me of the oracle exploits the Matasano crypto challenge taught. I&#x27;m sure this is a very common type of tactic, I just haven&#x27;t spent much time practicing exploits, despite my interest.<p>But correct me if I&#x27;m wrong, I would guess that with many attempts, possibly a binary search of time offsets, one can get sub-second timing resolution in the clock skew exploit above, no?

&gt; Unfortunately, a computer&#x27;s pool of truly random numbers is very limited; it has to build up by measuring minute temperature changes or internal timing variations. NetHack, especially being played by fifty people on a public server, would keep that pool empty and harm the game&#x27;s playability.<p>No, no, <i>no</i>. This is a <i>horrible</i> misconception.<p>It&#x27;s <i>easy</i> to generate an effectively infinite stream of random numbers: use a block cipher in CTR mode (i.e., using the seed as the key, encrypt 0, then 1, then 2, then 3 and so on). All you need for this is a <i>single</i> truly-random seed, and from it you&#x27;ll get 2^128 random numbers—far more than you will ever, <i>ever</i> need.<p>Now, how do you get that initial random seed? That&#x27;s where the art comes in, but a basic version would simply hash all those truly-random input events (e.g. those temperature changes or internal timing variations) together. A more complex system, such as Schneier and Ferguson&#x27;s superb Fortuna, uses a system of 32 pools, where the pools are used to periodically reseed the generator, in a clever fashion which can protect even against generator-state compromise.<p>And with modern chips, AES-256 in CTR mode is fast, really fast. Fortuna&#x27;d be perfectly usable in Nethack.<p>(As an aside, it&#x27;d also be perfectly usable as a replacement for the needlessly-complicated and insufficiently-grounded Linux CSPRNG underlying &#x2F;dev&#x2F;random and &#x2F;dev&#x2F;urandom).

<i>You might wonder why we use PRNGs at all; why not use a truly random source for every number? Unfortunately, a computer&#x27;s pool of truly random numbers is very limited; it has to build up by measuring minute temperature changes or internal timing variations. NetHack, especially being played by fifty people on a public server, would keep that pool empty and harm the game&#x27;s playability.</i><p>I&#x27;m confused. Why can&#x27;t they just read from &#x2F;dev&#x2F;urandom for all their random numbers?