I'm challenged because I don't know how to explain it. I'm trying to say that while the pattern fits and looks random, it is predictably random.
HMAC
is predictable - that's the whole point of a message authentication code, if it was truly random it wouldn't be much use!
However, it appears random (and for all extends and purposes
is random) if you don't know the secret and the input changes each time, even by 1 bit.
Will