
What's the practical alternative, assuming a compromised RNG? random.org?



I suppose if you had one RNG that's 0wned by the NSA, and another that's 0wned by the Chinese MSS, and another by the Russian FSB... and you assume they never ever work together or crack each others' systems, you could XOR their results together.


See, this is the kind of security thinking I can get behind. The kind of realist thinking that says "Ok, we should just assume we've been compromised by every major government entity. Now what."


Strangely, that is what my thoughts on snooping at this level have been for a while. Using a combination of compromising people and infra, it is easy to break pretty much anything if, as a state, you put your mind to it.

Unfortunately, the debate is mostly centered on whether crypto is broken, while the question to ponder is why the state is suddenly forcing well-meaning people to start thinking like people who have something to hide.


My current best guess: a hardware true random number generator installed on one server, combined with an entropy broker to commingle all the entropy pools of the devices on my internal network into the entropy pool of that server, which then serves that pool back to all devices, acting as an entropy server.

My intent is that if there is a deliberate weakening of certain entropy sources, my pool is sufficiently different to at least complicate attacks which are guided by information like browser signatures.

Maybe it's not a perfectly secure solution but hopefully my network isn't among the lowest hanging fruit.


Nope. Random.org could be compromised. XORing it with your /dev/random, plus a locally-generated randomness source would work though.
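
The XOR combiner suggested in this comment and in the one about XORing several agencies' RNGs, as an added example (not code from any commenter). All function names are assumed; `weak_source` is a constructed stand-in for a weakened feed, and `os.urandom` plays the role of the local source assumed honest.

```python
import os

def xor_combine(*sources: bytes) -> bytes:
    """XOR equal-length outputs from several RNG sources.

    The result is at least as unpredictable as the best single source,
    but only while no source can observe or adapt to the others' output.
    """
    if not sources:
        raise ValueError("need at least one source")
    n = len(sources[0])
    if any(len(s) != n for s in sources):
        raise ValueError("all source outputs must have the same length")
    out = bytearray(n)
    for s in sources:
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)

def bit_balance(data: bytes) -> float:
    """Fraction of 1-bits: ~0.5 for uniform output, far from 0.5 when biased."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))

def weak_source(n: int) -> bytes:
    """Constructed stand-in for a weakened RNG: a predictable, biased pattern
    (bytes 0,1,2,3 repeating, so only 1 bit in 8 is set on average)."""
    return bytes(i % 4 for i in range(n))

def cancelling_source(*others: bytes) -> bytes:
    """A source that has seen the others' output and returns their XOR, so the
    combined result is all zeros. Models a remote service that has learned the
    local pool: XOR-combining stops helping once independence is lost."""
    return xor_combine(*others)

def demo(n: int = 4096) -> dict:
    local = os.urandom(n)            # the one source assumed honest
    remote = weak_source(n)          # constructed weakened feed
    mixed = xor_combine(local, remote)
    cancelled = xor_combine(local, remote, cancelling_source(local, remote))
    return {
        "remote_alone": bit_balance(remote),  # ~0.125: visibly biased
        "mixed": bit_balance(mixed),          # ~0.5: the honest source dominates
        "cancelled": bit_balance(cancelled),  # 0.0: independence violated
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```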


No. You cannot outsource your random number generation unless you have an ultimately trusted third party. The important thing is that nobody knows your random numbers. After all, random.org could be malicious or compromised, too.


If I were the NSA, I'd definitely try to run a service (or two) like random.org. It'll probably be cheaper than my tor exit nodes and mixmaster remailers...


A camera and a lava lamp?



