My experience with operations security ("opsec") is that everybody thinks they aren't a target. And they're right ... until they become a target, at which point they are woefully unprepared and are owned. (The term "owned" is a technical term in the field. ;-)) It's difficult to shore up opsec retroactively, so I advocate doing it correctly from the start. Note that I express no view on whether anybody in this thread, including dragoncar, is practicing inadequate opsec.
BTW, when you say "not derived from ... deterministic values" do you really use something like random.org to generate "true" random bits?
for anything other than entertainment or educational purposes is a questionable idea. Among many other reasons, you have no idea how it is generating the numbers or what information it is logging. They claim to be generating the numbers in a certain way, but you have no way of verifying the truth of that claim, and no way of knowing whether the random.org website has been compromised.
The normal everyday operation of a computer involves enough stochastic and unpredictable processes to create a pool of entropy that can be used to generate truly random numbers locally. This includes, for example, measurements of photoelectric interactions in the hardware (which are basically treated as random in quantum mechanics). The interface for accessing this pool of entropy will depend on the operating system. On Linux, this entropy is available through the special file /dev/random. Windows offers a substantially similar facility through the CryptGenRandom
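To make the point about local entropy concrete, here is an added Python example (not code from this thread) that draws key bytes from the OS entropy pool the post describes and contrasts it with a deterministically seeded PRNG of the kind the earlier question worried about; the function names, the 32-byte key size and the seed value are assumptions.

```python
"""Keys from the OS entropy pool versus keys from a deterministic PRNG."""
import random
import secrets


def os_entropy_key(nbytes: int = 32) -> bytes:
    """Draw key material from the OS CSPRNG.

    secrets.token_bytes() wraps os.urandom(), which reads the kernel pool
    (getrandom()/the /dev/urandom pool on Linux, the CryptGenRandom family
    on Windows), so one call works on both platforms.
    """
    if nbytes <= 0:
        raise ValueError("nbytes must be positive")
    return secrets.token_bytes(nbytes)


def dev_random_key(nbytes: int = 32, path: str = "/dev/random") -> bytes:
    """Read key material directly from the Linux special file named in the post.

    Loops because a single read() may return fewer bytes than requested.
    Raises FileNotFoundError on platforms without the device.
    """
    data = b""
    with open(path, "rb", buffering=0) as fh:
        while len(data) < nbytes:
            chunk = fh.read(nbytes - len(data))
            if not chunk:
                raise OSError("short read from %s" % path)
            data += chunk
    return data


def deterministic_key(seed: int, nbytes: int = 32) -> bytes:
    """What NOT to use: a Mersenne Twister seeded with a guessable value.

    random.Random is not a CSPRNG; anyone who knows the seed reproduces
    the exact same key, which demo() shows below.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def demo() -> dict:
    """Compare both sources; returns a dict rather than printing it."""
    a, b = os_entropy_key(), os_entropy_key()
    c, d = deterministic_key(seed=1234), deterministic_key(seed=1234)  # constructed seed
    return {"os_keys_differ": a != b, "seeded_keys_identical": c == d, "key_len": len(a)}


if __name__ == "__main__":
    print(demo())
```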