Chad's News

[Note: This list was originally compiled by me then posted on /r/forgedinfireshow, where I made significant changes based on comments from other members of the subreddit.]

Regular Forged in Fire viewers are all too familiar with statements like these:

<when working with canisters> “I’ve never used a welder before.”

“This is the longest blade I’ve ever forged. I’m going to have to make a bigger quench tank.”

“I’ve never used a coal forge in my life.”

The Forged in Fire producers enjoy throwing unusual situations and obscure techniques at their smiths. And learning new techniques during the competition is a sure path to failure. The following list is based on actual mistakes made by contestants:

Practice the following techniques beforehand:

• Canister Damascus welding
• Using a coal forge with a manual air pump
• Forge welding, especially with (1) different metals and (2) a thick piece of cable

Mistakes that have actually happened:

• Give the Liquid Paper time to dry before adding anything else to the canister
• You need -both- the red and the blue epoxy containers
• They supply 5-minute epoxy and 24-hour epoxy—choose wisely
• Some extremely well-made blades have been eliminated because they didn’t meet parameters
• If the judges tell you something should be fixed, don’t convince yourself there’s not enough time to fix it

General weaponsmithing:

• Never quench in water unless you have a very specific reason for doing so
• For larger blades, the judges take balance and weight very seriously
• When forge welding, first clean the surfaces that will be welded together
• Be extremely careful bending hardened/quenched steel, and never hammer it
• Pro tip: it’s much easier to drill/drift holes before you quench
• Pro tip: quench a test piece of steel and then break it to see what the metal looks like after quenching.

Handles:

• A great blade with a bad handle will almost always lose
• Functionality and quality of construction are far, far more important for a handle than how good it looks
• The judges put significant emphasis on how comfortable a handle is and how well it fits their hands
• Do not get fancy with your handle in an effort to impress the judges—this almost always does more harm than good
• Knife handle shapes that don’t prevent the user’s hand from sliding onto the blade -must- include a guard—failing to do so is an automatic disqualification
• Nothing in the handle should have -any- possibility of digging into or cutting the judge’s hand—a bleeding judge significantly increases your chances of being eliminated
• Round or heavily rounded knife/sword handles look nice but fail to perform
• The burn-through method of creating knife handle holes is risky and should be avoided unless you’re hard-pressed for time and have no other option
• The tests apply significant stress to the handle—epoxy alone will not hold a handle together.
• Pro tip: note the judges’ hand size when you shake hands with them at the beginning of the competition, and craft your handle accordingly

Know the following skills:

• How to use a magnet to check for proper heat treat temperature (also, bring a magnet with you)
• How to use a MIG welder
• How to use a spark test to identify an unknown metal
• How to use a belt grinder like the ones on the show, and especially how to change the belt
• How to use a gas forge like the ones on the show, and especially how to adjust the temperature
• How to correct a post-quench warp without breaking the blade (hint: hammering or bending in a vise rarely works)
• How to construct a friction folder knife

Regarding your home forge:

• Before you leave, triple-check your equipment to ensure it’s in perfect working order
• Equipment failures happen—be prepared
• Some of the weapons you have to make are unusually long or wide—you may need a bigger forge and/or quenching tank, so obtain the materials for that beforehand

General philosophy:

• Stick to the basics; don’t try to be fancy and impress the judges
• Stick to what you know; this is not the time to be experimenting
• Stay calm—getting rushed affects your decision-making and is the best way to be eliminated
• Many, many contestants have been eliminated because of poor time management
• When things are going badly, it’s often better to just abandon what you’ve done and start over
• No matter how bad you’re doing, there’s always the chance that someone else is doing worse

3D printers have been called a “disruptive technology”, and I’m not the only one who thinks they’ll change the world. So this post is a collection of related articles that I’ve found over the last 6 months or so. Before you read further, however, check out this Dilbert cartoon about 3D printers.

For all the copyright problems with digital music, videos, and books, 3D printing is going to be even worse. Say you need a new part for your car. Do you buy it from an auto parts store, or do you print it yourself at home? Or will the mechanic print it out at the garage? Will we have a reasonable system where we pay to download original designs to our printer, or will there be rampant piracy like we have now with digital entertainment? I hope lawmakers will be proactive in this area, rather than reactive.

3D printing will make some existing laws unenforceable, much like what the Internet has done to anti-pornography laws. Michael Guslick, an amateur gunsmith, created the lower receiver of an AR-15 assault rifle with a 3D printer. He used a non-printed “upper”, barrel, etc., all legally available for purchase, and made a working .22 rifle. How effective will gun laws be when you can print one at home, especially once we get the ability to easily print the metal parts?

With recent news about creating drugs with 3D printers, I suspect it won’t be long before we can use a printer to dial up some cocaine. All that crime associated with drug creation and distribution… gone.

And what about the manufacturing sector? My uncle owns a steel fabrication company. Right now that means lots of cutting, welding, and machining. Much of the operation is computerized, but it wouldn’t surprise me to see 3D printers take over a big part of what they do. One article goes even further, speculating on the engineering possibilities now that 3D printers can print using both biological and traditional (metal, ceramic, plastic) materials.

Think about logistics. Many businesses have gone to a “just in time” supply model where they keep a minimal supply of parts on hand and order them right before they need them. With 3D printing, they could go to an “exactly when needed” model. Military operations wouldn’t need to be so heavy on logistics either—front line troops could print what they need, provided the printers and raw materials were supplied via conventional means.

3D printers have come down in price to where the average person can afford them (I have a coworker who owns one). And they’re also getting smaller. Will we soon see the day where there’s one in every home? I believe so.

Thanks to Josh, Slashdot (1,2), and Kim Komando for these articles.

Update (1/12/2013): Did I call it or what?

There are well-defined procedures for permanently erasing data from a traditional hard drive. But for solid-state drives (SSDs), which use Flash memory instead of magnetic platters, things are quite different. The problem stems from two peculiarities of SSDs: “they can only erase data in larger chunks than they can write it, and their storage cells can only be written a certain number of times (10,000 is standard) before they start to fail.” Because of these, SSD firmware does a lot of behind-the-scenes manipulations when writing data to the drive.

Researchers at UCSD have determined the following:

1. Built-in erase commands are effective, but are sometimes implemented incorrectly.
2. Overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive.
3. None of the existing techniques for individual file sanitization are effective on SSDs.

That being said, law enforcement agencies are finding that it’s hard to do forensics on SSDs because the drive automatically wipes a significant percentage of deleted data without any intervention by the user. This may seem like a direct contradiction to what the UCSD team determined, but the difficulty there was with the purposeful sanitization of data as well as with the erasure of individual files. So while it’s difficult to wipe everything, it’s also hard to prevent some amount of deleted data from being wiped automatically.

The Ars Technica article (link #3 below) briefly discusses the article in link #1, and then goes on to mention other erasure techniques that are coming down the pipeline. For right now, however, they suggest encrypting the drive as a good way to keep private data secure.

Link #1: http://www.usenix.org/…
(via Slashdot)

Link #2: http://news.techworld.com/…
(via Slashdot)

Link #3: http://arstechnica.com/…

In Internet-speak, a proxy is a server that takes your request, sends it to a destination server as if it were coming from the proxy itself, and then sends the response back to you. It acts as a proxy in much the same way that you can use a lawyer as an intermediary or designate someone else to cast your vote at a stockholder meeting. Internet proxies can be used for a variety of purposes, one of which is anonymous browsing.

An anonymous proxy keeps no permanent record of which users have connected to which websites. And since the page request comes from the proxy itself, there is no easy way to track who is actually making the request. (In reality the use of multiple, chained proxies is recommended.) This anonymity is quite beneficial for whistle blowers and victims of political oppression, as well as the privacy- and security-conscious. But it also works for organized crime, terrorists, and other criminals.

Another popular use of proxies (not necessarily anonymous ones) is to circumvent corporate/government filters. The destination website may be blocked, but the proxy server is not—thus allowing the user to view prohibited websites.

Here are additional resources:

• Anonymouse.org and the associated Firefox add-on
• Anonymous Internet Surfing HOWTO
• Public CGI (Web, PHP) anonymous proxy free list
• Tor (warning: Tor is not secure, and don’t even think about hosting a Tor node)

Thanks to Josh for this topic and the links.

A web application is a program run over the internet via a browser. So, for example, Writely is a full-featured word processor accessible via the web. The advantage of Writely, as with all web applications, is that you can use the program and access your data from anywhere in the world and on any computer.

An early type of web application was web-based email. Yahoo! Mail, MSN Hotmail, and GMail are examples. But recently we’ve seen the advent of full office suites. In addition to Writely there are Thinkfree, Zoho Writer, Google Spreadsheets, Picasa Photo Editor, Google Calendar, and Google Base (among others). Microsoft, obviously a bit worried about this competition, is planning to make their Works office suite available via the web.

Web applications are catching on—even in the Chad’s News household. I’ve switched mail programs from Outlook Express to Gmail. I did it for the spam filtering, but it’s also nice to be able to check email whenever I’m out of town. I also switched RSS readers from Habari Xenu to Bloglines.

One of the big negatives for web applications is that you’re trusting precious data to a third party. Using Gmail, for example, I have no way of backing up my email data and I’m trusting Google to maintain it in perpetuity. I’m also trusting Google to not go out of business. (This can be a real issue. I have a friend who hosted digital photos in an online repository that went out of business with almost no notice. He happened to be offline for a few weeks, and by the time he got back online it was too late to retrieve his data.) There are also privacy concerns when using a web service for confidential data.

Another negative is that web applications rarely have all of the features found in a dedicated program. For most people this will not be a issue, but power users may run into problems.

Web applications are here to stay, and they’re gaining in popularity. Expect to see them used more frequently.

(Thanks to Josh for the idea behind this article.)
Copyright © 2006 by Chad Cloman

Keystroke logging has become more of a concern in recent years, as more and more spyware programs install a software-based logger and send the results back to the creator—who then takes advantage of the password, bank account, and credit card information that may have been captured. In addition, there’s the problem with loggers installed on public computers (never enter sensitive information on a public computer—you’ve been warned).

With all this emphasis on software, however, it’s easy to forget about the hardware-based loggers. ThinkGeek has one for sale, at a mere $99. Simply unplug the keyboard, attach the Key Katcher, and plug it back in. Remove it later and you can browse up to 130,000 keystrokes. Very useful for checking up on a potentially-cheating significant other, or monitoring a child’s internet use. Or, for the creative, posing as cleaning staff and installing them on a bank’s computers. (The bank in question now super-glues keyboard cables to the computer, although there are other, less-expensive solutions.)

The gist of it all is that physical security is just as important as firewalls, anti-virus/spyware software, and network/internet security. Did you know, for example, that it’s quite easy to reset Windows passwords provided you have physical access to the computer? (Via the Linux disk or the login.scr trick.) And you can usually access the files themselves just by moving the hard drive to another machine that already has Windows installed—which is why really sensitive files should be encrypted.

It’s a dangerous world out there, in the land of computers, but knowing the potential risks is the first line of defense. I’m sure I haven’t covered them all, so feel free to leave comments with any additional information.

For us netizens who reside in the United States, “use taxes” are starting to become an important topic. Essentially, a use tax is a sales tax on purchases for which you didn’t have to pay sales tax. I know that sounds confusing, so let me give an example:

I live in Denver, Colorado but travel to Oregon (which has no state sales tax) and purchase a car. When I return home, I am required to pay a use tax of 7.6%:

• Colorado state: 2.9%
• Denver city: 3.5%
• Regional Transportation District: 1.0%
• Scientific and Cultural Facilities District: 0.1%
• Metropolitan Football Stadium District: 0.1%

This happens to be exactly the same amount I’d pay in sales tax had I bought the car in Denver. If the car were to be delivered to my location in Denver, then the seller should collect the use tax. Otherwise, it is my responsibility to pay the taxes to the appropriate authorities.

So why is this important? It’s all about the internet. When I purchase a “tax-free” product online and don’t pay the appropriate use tax, I’m breaking the law. As internet sales have become more popular, the states have begun to realize they’re losing use-tax revenues—so they’re cracking down. Some states, Colorado not among them, have put a line on the state tax form for honest citizens to declare any use taxes they owe. As the linked article states:

“If you’ve written zero or left [the use tax entry] blank, during the audit we’re going to make you produce your financial records, bank statements, credit card statements,‘ said Michael Bucci, a spokesman for the New York Department of Taxation and Finance.

Over the past few years I’ve heard various mutterings about the collection of use taxes for internet purchases, and I expect it to become more of an issue as time progresses.

http://news.com.com/…

Paramount is suing Russell Lee for more than $100,000, alleging that he obtained an illegal copy of a movie and subsequently uploaded it to a filesharing network. In defense, Mr. Lee claims the real perpetrator hijacked his (then unsecured) wireless network. The evidence is weak, and while Mr. Lee will probably be exonerated he will still have to pay legal costs and deal with the stress of a court case. This just underscores why wireless security is so important.

If you have a wifi network, here are the basic things you should do to secure it:

• Change the router’s default admin password.
• Change the SSID and disable SSID broadcast.
• Enable WPA2 security. If your wireless router does not support WPA2, then get a router that does. WEP security is easily cracked, and WPA, although better, is still vulnerable.
• Use MAC filtering.

These steps will not keep out a determined expert hacker, but the goal is to make it difficult enough that he/she will hijack someone else’s network.

Every so often the tech news community lights up about a gaffe related to document metadata. Some years ago Apple was running a fairly successful switch campaign where people gave testimonials about why they switched to a Mac. Microsoft responded with its own anti-switch campaign. The name of the person in the Microsoft testimonial was not given but was included in the document’s metadata. An AP reporter was able to track her down and discovered that, much to Microsoft’s embarrassment, she worked for a PR firm employed by Microsoft. To add further damage, the picture in the testimonial was a fake, taken from stock footage. Microsoft quickly pulled the ad from its site and pretty much abandoned the anti-switch campaign.

More recently, the United Nations prepared a report on the murder of Rafik Hariri, the former Lebanese Prime Minister. Some of the more damaging allegations were removed just prior to the report’s release, but they remained in the document as metadata. These politically-sensitive deleted portions were quickly discovered and publicized, to the UN’s embarrassment.

For most practical purposes, “metadata” refers to hidden information kept by Microsoft Word as part of a saved *.doc file. The most common type of metadata is information on the people who created/edited the document. Just pull up a Word document and go to File | Properties. You should be able to quickly find the name and company of the author. This is the type of metadata that caught Microsoft.

The UN situation was a bit different. They had enabled Word’s abililty to track revisions, because the document was being edited by multiple people. The author forgot to accept the changes, thus making the original draft and the full revision history available to those “in the know.”

Anyone in a business or professional environment needs to be aware of document metadata—the potential for damage is just too high. The following are some ways to properly deal with metadata:

• Use the Office add-in provided by Microsoft, or (recommended) purchase a commercial “scrubber”. There is also a free utility, Doc Scrubber™, that works pretty well.
• Save the file in the RTF format and then convert it to PDF for distribution. (You should be doing this anyway—distributing non-draft versions of *.doc files can bite you.) Be aware that Adobe Acrobat also retains some metadata, so just converting to PDF may not be enough.
• Turning off the “track changes” feature and/or selecting “accept changes” are not sufficient to remove your metadata.

Additional/Reference Links:

• http://www.denniskennedy.com/…
• http://www.lifehacker.com/…
• http://www.corante.com/…

For those who read my recent post on the perils of leaving an unpatched Windows computer connected to the internet, you may have noticed a slight problem. The typical home user would install Windows XP, then connect to the internet and run Windows Update to download/install Service Pack 2. In the time it takes to download the updates, however, your computer has a non-trivial chance of being compromised and turned into a zombie. So what’s the solution?

The first option would be to get a copy of SP2 on CD. Microsoft provides them for free (plus a shipping charge). But there is still a drawback. If you configure your network/internet as part of Windows setup, you could still be compromised in the time it takes to install SP2 from CD.

A better option is known as “slipstreaming.” If you have a Windows XP installation CD, you can combine it with Service Pack 2 to create an integrated installation. This, in turn, can be burned to disc—thus creating a Windows+SP2 installation CD. The slipstreaming process will also save the time required to install SP2 (and the required reboot).

The process is fairly straightforward and is described in detail at Tom’s Hardware. It does require you to download a very large (270+ MB) file from microsoft.com, so no dial-up allowed! The same file appears to be on the SP2 CD, however, so you could probably skip the download if you have the disc.

Copyright © 2005 by Chad Cloman

I’ve been seeing a bunch of articles on a new type of spyware: keystroke loggers. A keystroke logging program will keep track of everything you type and then forward it to someone who will look for account numbers and passwords. This can be very bad when the information is for banking, credit cards, and such. A recent study found that 15% of all spyware is of the keystroke logging type.

Most of you reading this are quite tech savvy and know all about not opening attachments on incoming emails and not clicking through to web addresses given in emails (especially those purporting to be from eBay, your bank, or PayPal). But there are other ways to install malicious keystroke logging programs with which you may not be familiar.

Security Holes: Computer systems that don’t have the latest security updates are vulnerable for as long as they are connected to the internet. Malicious programs continuously scan the internet for computers with open ports to unpatched programs. Tests were run with a fresh installation of WinXP SP1, and it took approximately 4 minutes before the computer was compromised. The best way to protect against this type of attack is two-pronged: 1) Apply all patches and updates as soon as they are available, and 2) use a firewall.

Browser Vulnerabilities: Carefully crafted web pages or even web addresses can attain the ability to execute programs on your system. The best way to protect against this type of attack is to not use Internet Explorer. If you must, ensure that all of the latest patches are applied.

DNS Cache Poisoning: This is one of those cases where even if you do everything “right”, you can still be compromised. Essentially, a system that you use for DNS is given false DNS information and stores the data in its DNS cache. So when you type in www.paypal.com, for instance, you are redirected to a spoof site which gets your login/password information (and may also attempt to exploit browser vulnerabilities). The best way to protect against this type of attack is to minimize financial transactions online. In reality, you just have to trust that your ISP and upstream providers don’t let their systems get compromised—it’s really quite simple and comes down to having their DNS system correctly configured.

Internationalized Domain Names (IDN): IDN is a fairly new standard whereby non-Latin (non-English) character sets can be used in domain names. This is of greatest concern for Asian-language domains, but it was expanded to include all languages. It turns out that some languages have characters that are identical to the English language, but which are treated as different under IDN. This only works when you click through to a spoofed web site, via email or a link on another site. The best defense against an IDN attack is to use Internet Explorer 6, as it does not support the IDN standard. Other browsers, such as Firefox, have implemented security procedures to ensure the user is aware of IDN site names, but older versions do not have these measures in place and are vulnerable. More recently, researchers have found another IDN exploit in Mozilla/Firefox, and it seems like the best thing to do for now is to simply disable IDN.