- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
The one I linked to was put into production in 1996, and was run on power drawn from the computer's parallel port.
Admin
It may clarify things if I tell you I was experimenting with random number generators a quarter of a century before 1996. But in any case, power drawn from a parallel port to drive a GM tube, even a very small one, would be a considerable drain on a phone battery. I'm sure you could make a very small RNG using a microcurie of Cs and a suitable diode + IC, though, as @tarunik suggests. Has anyone done it?
Admin
Why are you using Cs? It's way too hot for this app, partly by being a beta source (more penetrating) -- Am-241 is mostly alpha and very easy to shield as a result, and also has a plenty long enough half-life...
(HotBits probably gets away with it by having a bigger box to play with, and by being centrally located, so they can have a leaden 19" rackmount case somewhere -- for a PCI card app, I don't think mounting a big ol' radiation shield block on the card would go over well.)
Admin
Beta particles aren't that hard to shield against:
It's the gamma radiation from the decay of the 137mBa to 137Ba that would need the heavier shielding.
BTW, there's a picture on their site. Their web servers are rack-mount, but the HotBits bits server "is an entry-level Dell Optiplex 210L office computer with an Intel Celeron 2.8 GHz processor. This machine includes a serial port and Ethernet interface as standard equipment, and is used in factory stock configuration," and connects to the radiation detector through COM1. At least, that's what they used the last time they updated the site in 2006.
One further addendum regarding their 137Cs source and the use of 241Am: "Check sources of this kind are readily available, can be shipped through the mail, and require no license in most reasonable jurisdictions; people in the United States can order them on-line from United Nuclear." Also, "Ionisation-type smoke detectors (as opposed to the photoelectric type) contain a radiation source, usually Americium-241, an alpha emitter with a half-life of 458 years. It is possible to remove the radiation source from one of these units, but it's a bad idea because alpha emitters can be very dangerous should you accidentally expose the radioactive material and ingest it."
Admin
Has anyone looked to see if any of the USB random generators are any good?
Or chips like the True Random Number Generator (TRNG) RPG100 / RPG100F?
Admin
Beta sources aren't really a practical problem with shielding, but in any case a microcurie isn't enough to worry anybody other than a member of Friends of the Earth. If you are using a semiconductor detector, photons and electrons are better things to detect than alphas, because whacking a semiconductor with a helium nucleus isn't good for it whereas an electron with the same energy does much less harm. (Though, of course, with a microcurie or so the dosage isn't going to be a major problem anyway.) I guess tritium would apparently be the best option as its electrons are only a few keV, and the half life is adequate for this service, the only problem is actually getting it close enough to the semiconductor for the electrons to get through. Hence, Cs. [edit - I just went back and checked my textbooks before putting down possible misinformation. The second stage of Cs decay results in a gamma photon but its energy is only about mc^2, which means it can't cause pair production, only Compton scattering. It's pretty safe with quite ordinary shielding.] [edit2 - to clarify, mc^2 here is used in the sense that m = electron rest mass. My edit was too cryptic. Perhaps I should have said "is about 500keV, which is only one electron rest mass and so can't cause pair production". Still, at least I can't be accused of talking down to my audience.]
Admin
I think you'll find that that's used in the normal definition of the mass of a photon (they don't have a rest mass; their
massmomentum comes entirely from the energy they carry, i.e., their frequency).http://en.wikipedia.org/wiki/Photon#Physical_properties
Admin
My particle physics is probably a bit out of date (grad 1972) but in my day we used mc^2 as a shorthand for the mass equivalent energy of the electron (m=electron rest mass). This is a handy way of describing a photon as having the mass equivalent of an electron. I didn't stop to think this isn't popular usage; I just checked with my textbook which of course used mc^2 for the approx. 500keV energy of the electron. So for a gamma to produce a particle pair ( electron and positron) in an interaction, it must have a total energy in excess of 2mc^2 to produce both. As the energy of a gamma increases past 2mc^2, the probability of Compton scattering drops and the probability of particle creation increases, creating a bathtub curve for each element. Positron creation and annihilation will cause its own damage to the substrate, but Compton scattering of low energy gammas, though it can cause chemical change by knocking electrons out of atoms, won't normally cause lattice defects in ionic lattices. I imagine this is one reason why Cs137 is regarded as a "safe" source. Thinking further, to produce a RNG even a microcurie is overkill. 10 nanocuries should be plenty.
Admin
The main reason that 137Cs is used is probably that it has a convenient energy spectrum and half life. You wouldn't want to ingest it; its salts are mostly quite soluble (as with any Group I element).
Positron emitters are fun though; you get correlated γ radiation events (because of the conservation of momentum when the positron annihilates).
Admin
The quantity involved in a microcurie source is literally microscopic. In the Brazilian incident, nearly an ounce of Cs137 was involved - at 8.8curies/g, that's a bit over 200 curies. By contrast, a microcurie of Cs-137 is around a ninth of a microgram. Obviously you don't want even that inside you contributing to your body dose, given the energy of the beta and the gamma - but let's get this into perspective, that's about 8 times your body loading of K-40, and you have that all your life. K-40 does produce gammas with enough energy for pair production about one time in 10.
The thing that would worry me is frequent air travel. When I was working with radioactives, I was at a board meeting when the sales director actually asked "if this stuff we had on site might be harming people". I told him that if he had a dosimeter, with the amount of air travel he did, his dosage would greatly exceed that to anybody else in the company.
Oddly, given the risk to frequent flyers, the airlines are exempt from controls on ionising radiation exposure.
Admin
Yes, the app "dehashes" the password to compare it to the plaintext password the user enters instead of just comparing the hash.
Apparently the idea is that the password is stored "securely" in the DB, but not in the memory of the app, plus the app is in Java so a person could de-compile the code and reverse engineer the hashing logic. Moreover, it doesn't use any kind of salt, so any given password will always be the same hashed value.
But don't worry, it is highly unlikely you would ever use this app. It is only distributed to certain very small group people that directly do business with us, and they keep the DB, with only their own data on their own machine, not shared with anybody. The database is totally accessible to them (or anybody that has possession of that computer), so the password protects very little, certainly not the data.
I am not sure why the original author went to all the trouble, but this is fairly typical of the code-base; very Rube Goldberg. If there is a obfuscated convoluted way to do something that takes 100X times as much code to write than it should take, then that is what was done.
I am currently the lead on the project to refactor a LOT of the code in this app, and that particular code is now gone - replaced by nothing; there is now a commercial off the shelf authentication front end you have to go through before you can get to the app, where the user name and password are entered and the password stored separately from the app, the app no longer executes on the users local machine and the data will now be stored securely on corporate servers - not directly accessible even to me.
Admin
That's disappointing. I previously worked with an app the has five-character (both max and min) passwords that are stored in clear text in the database. There is no user-accessible method to change your current password, so you would have to have an admin change it for you it you wanted to do so. Passwords never expire.
This password was for the warehouse management system of a pharmaceuticals warehouse. If you figured out the password of one of five people, you could use it to cover your tracks after you stole a few thousand hydrocodone tabs. You could also use it to divert shipments to the address of your choice.
Admin
Was this in the US? You need to call that shit into your HIPAA privacy officer, stat.
Admin
No HIPAA, this is a distribution center that sells to pharmacies. The DEA would be very interested.
Admin
If you're filling prescriptions, it's HIPAA.
Either way, contact somebody who has a line to the feds, because you'll get your asses fined BAD if they discover it before you fix it.
Admin
One thing that did piss me off about this... we had a security audit around 2012. Or app got dinged for leaving authorizations in our system for deleted Active Directory users, but the app I'm talking about was given a thumbs-up by IT security.
Admin
We got fined regularly. I worked on a project that the DEA made us do that cost us around $100 million dollars in fines and programming work. That works out to a few hour's profit.
Admin
Sounds like a healthy well-run company.
Do you stick around just so you can grab drugs off the shelf at 8:00 PM?
Admin
Admin
Wasn't worth it. Their anti-theft strategy was to dump money on you so fast that stealing wasn't the best way to get wealthy.
Admin
ROFL that's a great short-story idea.
Admin
True story - in the 7 years I worked there, the UPS/DHL truck that did our route was hijacked twice.
Admin
Were you reading the same thing I was? The pharmacies are filling the prescriptions. The company is a supplier of the pharmacies: the supplier doesn't have any patient data (in this part of the firm) and doesn't need it. Consequently, it's not a HIPAA issue, as that's entirely focused on protecting patient data.
Admin
Healthy well run companies are always trading off fines versus compliance costs. It's one of the similarities between CEOs, gangsters and prostitutes; none of them feel any shame for getting caught, just embarrassment if the result is a net loss.
I don't mean to be cynical; I have been in a CEOs office where he suggested that rather than fix a technical compliance issue we should take the risk of being caught. As, if we were caught, it would be my job as technical manager that would go, I promptly shopped him via my back channel to group management. He stayed, I stayed, problem was fixed.
Admin
I am unfamiliar with this use of "shopped" (v.). Care to explain?
Admin
If you look through: http://www.thefreedictionary.com/shopped You find this (the correct definition in this case):
It's slang.
Admin
I am unfamiliar with this use of "Brit" (v.). Care to explain?
Admin
No. Follow the (oneboxed) link and find out for yourself.
Admin
Generally I do try to write American on US websites, but occasionally I feel the need to drop in a word or two of another language just to remind the inhabitants of the new Middle Kingdom that there is a whole world outside its borders. Incidentally, the immoral CEO was Northern English, and the moral group engineering VP was American.
The "(v)." is a reference to the famous New England philologist, Vernon Acular (frequently abbreviated to Vern or just V in popular texts.) Vern's master work, had it been completed, would have reconciled US and British slang terms, now named "Vernacular" terms in his honor. Tragically, however, he passed away (Brit: died) of a heart attack having got no further than "ass".
Shopped, though, guv? It's what one does when one is faced with the need to avoid unpleasantness by informing a higher power of the intentions or actions of one's morally reprehensible associates. Don't you watch our popular entertainment on PBS? (I hope somebody is watching it, I pay to make it and wouldn't be seen dead watching most of it, but YMMV.)
Admin
A computer doesn't have a MAC address. A network interface does, and a computer may have zero, one, or many of these (including, often, purely internal ones). They might come and go as networks are plugged or unplugged, or as WiFi connections are made and dropped. The assumption that a MAC address identifies a computer has caused me a great deal of trouble, and, today, I tend to "fingerprint" a machine instead, by concatenating several values that are unlikely to change without a good reason (MB serial number, HD serial number, etc.) and taking a hash of these.