[Cryptography] cheap sources of entropy

Bear bear at sonic.net
Thu Feb 6 22:34:43 EST 2014


> My point is:  Combining a bunch of sucky crypto primitives is *not* 
> a good practice.

That is true, but a source of random bits is not very much like 
a cryptographic primitive.  A source of "random" bits has value if
there is *any* subset of attackers to whom its output is unknown
and unpredictable.  

> One well-calibrated well-defended well-monitored entropy source
> makes incomparably more sense than an arbitrarily complicated
> conglomeration of sucky sources.

I would be scared to death of using anything marketed as a
"well-calibrated well-defended well-monitored entropy source" -- and
nothing else -- because such sources and the organizations that
produce them are single points of failure.  Also, they are
high-value targets and it is known that adversaries both national
and criminal, both foreign and domestic, routinely attack the
manufacturers of high-value targets with tactics including but
not limited to court orders, gag orders, blackmail, extortion,
bribery of plant workers, covert die alterations, etc.

By all means, put the darn thing in my system.  There will be 
a lot of attackers whom its output is not known to, so it'll
positively help.  But, I'm also going to be using the sound 
card, camera, hard drive delays, A/D converter noise, thermal 
noise, local wi-fi static, keyboard and mouse timing, USB power 
loads, and everything else I can think of along with it, because 
however limited they are compared to what the device you 
advocate *is purported* to be, there will be other attackers 
whom those outputs are not known to.  The objective is to have 
at least one source in the system that is unknown to every 
attacker.  

It doesn't have to be the same source in each case; any one will 
do.  If the guy who can monitor local wi-fi static is not the 
same guy who can monitor the local audio environment AND predict 
a potentially pwned hardware RNG, I win even if all three sources 
can be monitored or predicted.  

		Bear
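The "any one unknown source suffices" argument above, as an added example that is not code from the post or its author: a hash-based combiner with length-prefixed, indexed samples, plus a simulated attacker who knows every sample except one and must enumerate that one. The sample values are constructed, and the 16-bit audio secret is a toy size chosen so the search finishes instantly.

```python
import hashlib
from typing import Optional, Sequence

def mix_entropy(samples: Sequence[bytes], label: bytes = b"mix-v1") -> bytes:
    """Combine samples from independent sources into one 32-byte seed.

    Every sample is indexed and length-prefixed, so bytes cannot migrate
    between sources, and the label separates this hash from other uses.
    Because SHA-256 is preimage resistant, the output stays unpredictable
    as long as at least one sample is unknown to the attacker.
    """
    h = hashlib.sha256(label)
    for i, sample in enumerate(samples):
        h.update(i.to_bytes(2, "big"))
        h.update(len(sample).to_bytes(4, "big"))
        h.update(sample)
    return h.digest()

def guesses_to_recover(known: Sequence[bytes], unknown_index: int,
                       unknown_bits: int, target: bytes) -> Optional[int]:
    """Simulate an attacker who knows every sample except one.

    The attacker enumerates the unknown sample's (toy-sized) space and
    stops when the mix matches the observed seed.  Return the number of
    trial hashes needed, or None if the space is exhausted: the work is
    bounded below by the entropy of the one source the attacker lacks.
    """
    width = (unknown_bits + 7) // 8
    samples = list(known)
    samples.insert(unknown_index, b"")
    for guess in range(1 << unknown_bits):
        samples[unknown_index] = guess.to_bytes(width, "big")
        if mix_entropy(samples) == target:
            return guess + 1
    return None

# Constructed samples (not real measurements).  The attacker is assumed to
# know the hardware RNG output and the wi-fi noise, but not the audio.
HW_RNG = bytes.fromhex("00112233445566778899aabbccddeeff")
WIFI = b"\x01\x02\x03\x04"
AUDIO_BITS = 16
AUDIO = (0x1234).to_bytes(2, "big")  # toy-sized unknown source

def demo() -> Optional[int]:
    """Mix three sources, then count the attacker's guesses for the seed."""
    seed = mix_entropy([HW_RNG, WIFI, AUDIO])
    return guesses_to_recover([HW_RNG, WIFI], 2, AUDIO_BITS, seed)

if __name__ == "__main__":
    print("guesses needed with two of three sources known:", demo())
```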
