For the past 9 months or so, I’ve been working on a secret project. To maximize the big reveal, my partner and I have kept this under wraps… until now! It’s hard to describe what this is succinctly, unless you happen to be part of the DEF CON #badgelife subculture. While DEF CON itself has some amazing electronic badges (check this video for last year’s badge), some attendees create their own “indie” badges. After attending DEF CON for the first time last year, I was hooked. With this year being the big 30th anniversary, I wanted to do something special. Being an electrical engineer by degree and a software engineer by profession, I thought it would be really cool to make my own indie badge. What follows is the very short version of how I came to create the Amulet of Entropy! (You can also get the long version from this podcast.)
What is Entropy?
Entropy is a measure of chaos. You can look at the thermodynamics definition, but in this case, we’re talking about randomness. It turns out that modern cryptography requires sources of true randomness to perform properly. Computers are really good at doing what we tell them to do, but they suck at being unpredictable (despite what your personal experience may lead you to believe). And so, they need help.
One way we can harvest entropy from our environment is to measure some physical phenomena… light, sound, temperature, movement, etc. These measurements may not change much at the macro level, but when measured at very high resolution, the tail end of the measured values can be pretty noisy. Sure, it’s 72 degrees now and it will still be 72 degrees one second from now. But if you measure that value down to micro-degrees, it might be 72.120733 now and 72.129921 one second from now. Some of that is real temperature fluctuation and some of that is just noise in the system. Noise is good. Noise is random. We can exploit this.
The Amulet of Entropy is a mini computer with a handful of sensors attached: temperature, light, motion and shot noise. When you start it up, it takes multiple measurements from these sensors and lops off the most significant digits. The hope is that the noisy, low-level digits are essentially random. It collects the lowest bits of these measurements, packs them into a bigger integer value, and saves the result into a list.
This list then becomes a pool of entropy that can be used to seed a pseudorandom number generator (PRNG). It’s called “pseudorandom” because it’s not truly random. A good PRNG will generate a list of values that will appear completely random – where every possible value is equally likely to occur. But if you give that PRNG the same seed, it will produce the exact same sequence of values every time.
Using the Entropy
Okay, enough theory. I decided to create a fun indie badge for DEF CON 30 that harvests entropy from the environment and then uses it to do fun things. What sorts of things do you think about when you think of random outcomes? The most obvious is flipping a coin. Or maybe rolling a standard 6-sided die. My badge will do those things. But it will also pick a random card from a standard 52-card deck. Just for fun, I also threw in a 78-card Rider-Waite tarot deck. And for complete childhood nostalgia, I also added a Magic 8 Ball mode!
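As an added example (not the badge’s own firmware, which is C/C++), here is the harvesting pipeline from the “What is Entropy?” section and the modes just listed, in Python: sample readings from the four sensors, keep only the low bits, pack them, pool them, hash the pool into a seed, and drive the coin, d6, card and tarot draws from a PRNG. The sensor values, the 4-bit width and the SHA-256 conditioning step are assumptions of this example, not details from the post.

```python
import hashlib
import random
from typing import List, Sequence

# Constructed sample readings standing in for the badge's four sensors
# (temperature, light, motion, shot noise): hypothetical 16-bit ADC-style
# values, not captured from real hardware. Each tuple is one sampling round.
SAMPLE_ROUNDS = [
    (46215, 31877, 33021, 12910),
    (46218, 31879, 33026, 12873),
    (46212, 31874, 33019, 12951),
    (46221, 31880, 33030, 12890),
]
LOW_BITS = 4  # noisy least-significant bits kept per reading (assumed width)
ROUND_WIDTH = LOW_BITS * 4  # bits in one packed value: 4 sensors x LOW_BITS

def low_bits(reading: int, n: int = LOW_BITS) -> int:
    """Lop off the most significant digits; keep only the n low, noisy bits."""
    return reading & ((1 << n) - 1)

def pack_round(readings: Sequence[int], n: int = LOW_BITS) -> int:
    """Pack the low bits of every sensor in one round into a single integer."""
    packed = 0
    for r in readings:
        packed = (packed << n) | low_bits(r, n)
    return packed

def build_pool(rounds: Sequence[Sequence[int]]) -> List[int]:
    """The entropy pool: one packed integer per sampling round."""
    return [pack_round(r) for r in rounds]

def ones_fraction(pool: List[int], width: int = ROUND_WIDTH) -> float:
    """Sanity check: a usable pool should have roughly half of its bits set."""
    return sum(bin(v).count("1") for v in pool) / (width * len(pool))

def seed_from_pool(pool: List[int], width: int = ROUND_WIDTH) -> int:
    """Hash the whole pool into one fixed-size seed (conditioning added here)."""
    raw = b"".join(v.to_bytes((width + 7) // 8, "big") for v in pool)
    return int.from_bytes(hashlib.sha256(raw).digest(), "big")

def badge_modes(seed: int) -> dict:
    """Seed a PRNG with the pool; the same seed reproduces the same draws."""
    rng = random.Random(seed)
    return {
        "coin": rng.choice(["heads", "tails"]),
        "d6": rng.randint(1, 6),
        "card": rng.randrange(52),   # index into a standard 52-card deck
        "tarot": rng.randrange(78),  # index into the 78-card tarot deck
    }
```

Run `ones_fraction` on a real pool before trusting it: a value far from 0.5 means the low bits are biased and the pool needs more samples or a wider conditioning step.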
I wanted to add more modes… a roulette wheel, dungeons and dragons dice (d20, etc), and my own dragon challenge coin. But the tiny computer on this device just doesn’t have enough memory for all these images. I have some ideas of how I might work around that, though. (This project is a living thing.)
The badge is a double-decker printed circuit board, with a fun design on the outside and electronics sandwiched in the middle. The main image on the front (see above) is based on the chaos symbol, where some of the arrow tips are dragon heads. (If you haven’t figured it out yet, I’m kinda into swords and sorcery, dungeons and dragons.) Each dragon head has a glowing eye and each arrow tip has a sparkling gem (they’re all RGB LEDs). In the center is a round, full-color LCD screen, where images of the results are shown. You can see the badge start up and demo mode in the videos below.
You can get a better picture of some of the modes in the image below.
How Do I Get One?
I partnered with HackerBoxes.com to produce these badges – and I absolutely could not have done it without them. I met the founder, Joe, at DEF CON 29 last year and immediately became a happy subscriber. Once a month, I get a really cool, highly educational electronics project to assemble. So when I thought I might make my own badge, I reached out to Joe for some advice. Before that call was over, we decided to collaborate and make this a HackerBoxes project. And the rest is history! You can buy it here. You’ll have to build it, of course, but that’s part of the fun!
While Joe handled all the hardware, I wrote the software. I haven’t done C/C++ in probably 20 years (I’m a python guy now), so I struggled with this – but I’m very happy with the results. When you build the badge using the guide on Instructables, it will eventually send you to my code repository here. You’ll find a lot more info there if you’re interested.
I hope to see some of you wearing this badge at DEF CON 30 in August!!