> I read up on it and couldn't find any decent guide as to how to produce CSPRNG - and to be fair, there was very little information in 'layman' terms about what CS meant in this context.
When you say "produce CSPRNG" do you mean writing a generator or simply generating numbers? Nobody[1] should be writing a CSPRNG and app developers should be using language/OS functions (ex: /dev/urandom).
> As I couldn't be certain that any of the software routes available to me were secure I ended up purchasing this http://www.protego.se/ to generate the random numbers.
Wow did you really look at that page and say, "This is going to be easier and more secure than using /dev/urandom?". Reading the rest of the info on the page, http://www.protego.se/trnsup.htm, does not give me a lot of confidence in the product. The explanation page of how it works is just a bunch of scare info against using a software solution.
[1]: Okay obviously someone has to do it but you all know what I mean...
I mean just generating the random numbers, not writing a generator. At the time I only had access to Windows machines; there were no Linux boxes on site and nobody in the company (including me - at the time) knew enough about hack-it-yourself Linux boxes to know what to do. I'd never even heard of /dev/random.
The functions available from Microsoft were only PRNG and not Cryptographically Secure (as far as I can remember). Even if they were 'Cryptographically Secure', not having a background in randomness theory makes it pretty hard to work out what is actually needed.
So faced with uncertainty over using VB6 to produce random numbers and finding a product that claims to produce truly random numbers I chose to mitigate the risk by transferring it. If there had been a problem down the line related to the nature of the randomness of the numbers then I would have had recourse to the third party vendor that owned the risk.
So in the same way you suggest no-one should write a CSPRNG, I decided that given my level of knowledge, the documentation available to me and the uncertainty that created we shouldn't trust ourselves to produce random numbers for a particular purpose. What if they weren't random enough? What if someone worked out a way to predict the numbers of cards that had been loaded with value but were still sat in a warehouse? Massive risk, mitigated for £150. Now that's value.
> Wow did you really look at that page and say, "This is going to be easier and more secure than using /dev/urandom?". Reading the rest of the info on the page, http://www.protego.se/trnsup.htm, does not give me a lot of confidence in the product. The explanation page of how it works is just a bunch of scare info against using a software solution.
While the page doesn't look as cool as your average SV hardware startup, and their white paper is more or less blank, don't dismiss them that easily. According to LinkedIn the guy behind the company has been involved in ASIC TRNG designs at some large companies.
Also, from what I have heard there are multiple open source hardware entropy generator designs that together with minimal software processing can generate pretty good random. Now, this is not NSA-proof randomness but probably better than anything you can get from /dev/random and more than enough for, say, gift cards.
> While the page doesn't look as cool as your average SV hardware startup, and their white paper is more or less blank, don't dismiss them that easily. According to LinkedIn the guy behind the company has been involved in ASIC TRNG designs at some large companies.
It doesn't take much to look "professional" and having HTTPS on a page that is meant to sell a security product is table stakes.
> Now, this is not NSA-proof randomness but probably better than anything you can get from /dev/random and more than enough for, say, gift cards.
I disagree. Not being able to vet how it works or seeing the code running on the chip is not better than /dev/urandom. The latter is "more than enough, for, say, gift cards".
Heck if it's good enough for SSH and GPG keys, it better be good enough for gift cards!
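
An added example, not code from anyone in this thread: generating gift card numbers directly from the operating system's CSPRNG, which Python's `os.urandom` reads on both Windows and Linux. It shows the two details that are easy to get wrong, rejecting raw bytes that would bias the digits and refusing numbers that were already issued. The 16-digit layout, the `9999` prefix and the Luhn check digit are assumptions made for the illustration.

```python
import os

def random_digits(n, read=os.urandom):
    """Return n uniform decimal digits drawn from the OS CSPRNG."""
    out = []
    while len(out) < n:
        for b in read(n - len(out)):
            # 256 is not a multiple of 10, so b % 10 alone would favour 0-5.
            # Discard bytes 250-255 so every digit is equally likely.
            if b < 250:
                out.append(b % 10)
    return out[:n]

def luhn_check_digit(payload):
    """Luhn check digit for a list of digits. It catches typos, not guessing."""
    total = 0
    for i, d in enumerate(reversed(payload)):
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def luhn_valid(number):
    digits = [int(c) for c in number]
    return luhn_check_digit(digits[:-1]) == digits[-1]

def new_card_number(prefix="9999", length=16, read=os.urandom):
    """prefix is a constructed placeholder, not a real issuer range."""
    body = [int(c) for c in prefix]
    body += random_digits(length - len(prefix) - 1, read)
    return "".join(str(d) for d in body + [luhn_check_digit(body)])

def issue_batch(count, already_issued):
    """Generate count new numbers, skipping any that were issued before."""
    batch = []
    while len(batch) < count:
        number = new_card_number()
        if number not in already_issued:
            already_issued.add(number)
            batch.append(number)
    return batch

if __name__ == "__main__":
    for card in issue_batch(5, set()):
        print(card, luhn_valid(card))
```

With this layout 11 digits of each number are random, so the unpredictability comes entirely from the CSPRNG; the check digit adds none.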