by jedberg 2937 days ago
All the other points about the unfairness make sense, but the complaint about the poor random number generator does not make sense.

This isn't a multistep process that the "adversary" has access to. It doesn't matter how bad the random number generator is or even if it is predictable. Sure you could bribe the person putting it into Excel I suppose, but you could do that anyway and just have them switch numbers around.

This is a silly complaint. Yes it is a bad random number generator, but predictability of the sequence isn't an attack surface in this use case.

3 comments

So much this. In order to 'attack' this, how would you go about that? Somehow control who applies for the program so you wind up with an expected number?

And the gambling comparison is particularly bad. Excel is presumably not picking the same seed every day, no matter how bad it is. It's probably using time() when it's loaded, which is not great but also not visible to an 'attacker' and not consistent.

Yeah, the human component is definitely a lot easier to attack. I'm curious how this is handled. Does the person doing the random number generation have anyone else standing over their shoulder at the time? There should definitely be witnesses and/or records of something this important.

And according to the article, I notice they said that only 10k make it past the lottery stage to the vetting stage. That seems like a pretty easy anti-immigration attack surface: just submit a lot of low quality requests to block out potential acceptances.

You’re right that it seems unlikely an individual could exploit this, and it’s silly for the article to emphasize that threat.

However: “it may be that not everybody has exactly the same chance” — this might still be a concern.

Whether it really is depends on how large N is, what version of Excel they’re using, and how often they re-run the lottery.