First came lava lamps—now this tech company is using wave machines to randomize data

Cloudflare’s San Francisco headquarters has 100 lava lamps, its Austin office has iridescent mobiles that dangle from the ceiling, London’s got double pendulums, Singapore has a pellet of uranium, and Lisbon will soon have electric-powered wave machines to help the company randomize data.

Inspired by surfers catching waves, the team at Cloudflare Portugal—the US-based IT company behind a free, privacy-first CAPTCHA alternative known as Turnstile—is working to give its new office in Lisbon, slated to open toward the end of 2024, an eccentric, Hokusai-style upgrade—this time, emulating the ocean. The upcoming wave machine installation is yet another way the IT company is using unique methods to randomize data for SSL encryption.

“There’s actually going to be a wall of them with, I think, about 40 of these wave [devices] on it,” John Graham-Cumming, CTO of the company, told IT Brew. “And it’s very similar to the rest of the systems—we just have a camera pointing outwards, and we take pure photographs and then use the photograph to generate the random number seed.”

Show me the data. A pseudorandom number generator (PRNG) is software that takes “an unpredictable input” and then uses that to create “unpredictable outputs,” according to the Cloudflare site. In theory, a PRNG can generate an unlimited amount of random outputs via a random input. But here’s the thing—the outputs here are only partially random due to two reasons: “When given the same seed to start with twice in a row, a PRNG will produce the exact same results,” and “it’s difficult to prove if the results it generates will be completely random the entire time (if the PRNG runs indefinitely).”

Because of the second reason, the algorithm is constantly in need of new inputs of randomness—or cryptographic seeds—and that’s where these quirky installations come in.

On the back wall, they’ll use a “metallic silver, wave-like material” that will “reflect the movement of the wave motion machines as well as shadows and light which will add to the entropy,” Caroline Quick, the head of global real estate and workplace at the company, told IT Brew in a follow-up email via PR rep Samantha Bobal.

Founded by Matthew Prince, Michelle Zatlyn, and Lee Holloway in 2009, Cloudflare, which now has more than 3,600 employees, is utilizing these and other methods to embrace unpredictability and randomness in a playful way.

“It’s a way of telling a story about the importance of random numbers and getting people to think about security on the internet,” he said. “Because computers are deterministic, it’s a sort of fun way of talking about computer security.”

You may be wondering, couldn’t they do without these installations and use other random data sources for use in cryptographic seeds—like utilizing user mouse movements or typing on a keyboard? Absolutely. But where’s the fun in that?

Graham-Cumming—who had also been part of the brainstorming process for some of Cloudflare’s other unique installations—cites his childhood as part of the inspiration for his wave-maker idea.

“I’m old enough to remember when these wave things were the desk toy to have in the, I’m gonna say, early ’80s,” he said. “Somehow there was a craze for them. At some point, I was like, ‘Wait a minute. I remember these things.’ I probably wanted one when I was a kid.”

He encourages office visitors to interact with the installations. Light, people, environmental changes, selfie-takers—all of this becomes part of the randomness, he says. Even the camera they use adds random noise to the images, with Graham-Cumming noting that the company, of course, uses computers to mix its data.

The team mixes random data obtained from these installations with “data generated by the Linux operating system on two different machines in order to maximize entropy when creating cryptographic seeds for SSL/TLS encryption,” the Cloudflare site also notes.

If a visitor came in with a huge white sheet of paper or even something made of Vantablack—a black material that can absorb at least 99.96% of light—Graham-Cumming says the devices would still be OK to operate business as usual, and it essentially wouldn’t matter—because it’s part of the randomness.

“I don’t want to say it’s unhackable, because it’s a very silly thing to say, but [the randomness] actually doesn’t matter to us,” he said.