Niels Provos - News

Casting a forge-shell from Kast-O-Lite 30 LI

nospam@example.com (Niels Provos) — Tue, 21 Aug 2012 17:26:07 -0700

Here are some pictures of my recent forge rebuild. When I originally started to look into refractory concrete as an option, I noticed that there were not a lot of articles on the web describing the process of casting a forge shell from refractory concrete. While many of the steps are pretty straightforward and do not significantly differ from using regular concrete, some people might still find my experience with using Kast-O-Lite 30 LI useful. My need for a new forge arose after some extended forge welding and bloom consolidation caused the roof of my previous forge to cave in. After thinking of different ways to construct a new forge, I decided to go with refractory concrete as it can take more abuse than the kaowool based solution I had employed previously. Kast-O-Lite 30 LI seemed like it fit the bill with a maximum use temperature of 3000F which is not something I am likely to reach unless I am over boiling iron. For general forging, Kast-O-Lite 26 would have been better suited as it provides better heat insulation but I had the 30 LI concrete available. Here is an outline of the process:

The construction used five pieces of concrete: Two sides, one roof, and two pegs. Where the pieces met, I had to split the angle, so used 22.5 degrees on each side of the different pieces. The end result was going to be a shell that would support itself. The first step was creating the forms from 2x4 and some wooden boards. The forge itself is about 13in long, and about 9in high. To get the angles, I used a bandsaw with a swiveling table that I could dial to 22.5 degrees. The measurements that determines the spacing of the pieces were all done on the outside and piece of 2x4 was attached to the board with wood screws. Here is how they looked like.

Continue reading "Casting a forge-shell from Kast-O-Lite 30 LI"

On a quest for Viking-age swords

nospam@example.com (Niels Provos) — Mon, 16 Jul 2012 12:46:58 -0700

While visiting Germany this year, I was on a quest to find Viking-age swords as a source of inspiration for future work. The first trip took me to Nürnberg where I visited the Germanisches Nationalmuseum which had an amazing weapons collection including two amazing carolingian swords - here is a picture of one of them:

Afterwards, I stopped at Rothenburg ob der Tauber and were completely amazed by the Reichsstadtmuseum which featured the Hermann Baumann collection of historic weapons and armor including this interesting pommel of a Viking-age sword from Danmark dated to the 9th/10th century:

The last part of the trip was to Haithabu where not only the museum was a great experience but also the concurrently happing Viking market with over twenty long boats from Northern Europe. One of the sword pommels I saw there was the following:

I had also hoped to catch a performance of the Wikinger Puppentheater Ygdrasil but unfortunately they did not perform during that weekend.

The Serpent in the Sword continued...

nospam@example.com (Niels Provos) — Wed, 21 Mar 2012 21:06:24 -0700

The Serpent in the Sword project is slowly progressing. I have posted a couple more videos documenting the process. In part 2, the bevels of the sword are forged, the geometry is established on a belt sander and the sword is finally heat treated. In part 3, the sword fittings are made, e.g. the lower and upper guard as well as the pommel and wooden hilt. If things go right, the sword will be finished just in time to my visit to Germany in July. The Viking museum in Haithabu has a special event in which 20 Viking ships will sail to its harbor. There is also the new Viking Puppet Theater which should be fun to watch. It's called "Wikinger Puppentheater Ygdrasil" and has it's premiere in April at the museum in Haithabu.

The Serpent in the Sword

nospam@example.com (Niels Provos) — Fri, 20 Jan 2012 22:47:00 -0800

Inspired by "The Serpent in the Sword" from Lee A Jones, I embarked on the quest of forging a pattern-welded double-edged sword that has a visual serpent at its core. The video shows my progress over about 7 days of work. Pattern-welding in addition to structural benefits is also visually very attractive. The sword in this video is constructed from a total of seven bars. Two edge bars, two twisted bars and three bars for the serpent. The whole process while using modern tools is very similar to the one that anglo-saxon or viking-age blacksmiths might have employed. Each step in created a pattern-welded sword is explained and narrated in the video above.

Pattern-Welded Seax

nospam@example.com (Niels Provos) — Fri, 06 Jan 2012 21:17:44 -0800

In my quest to forge another double-edged viking-age sword, I have been experimenting with a serpent pattern. As part of my experimentation, I forged the the seax shown in the picture. It's over all length is 21.5 in, with a 16.5 in long blade and 5in long handle. It's a 7 bar construction. The cutting edge and back are W1. The two twisted bars are 11-layers of 15n20 and 1095. The serpent itself is an 11-layer straight laminate of 15n20 and 1095 backed by two bars of mild steel. As the picture shows the pattern came out quite nicely and the overall shape of the blade is quite pleasing. The next project is going to take the serpent pattern to a double-edged sword. We will see how that goes.

Creating a Viking Sword

nospam@example.com (Niels Provos) — Wed, 23 Nov 2011 19:39:40 -0800

Forging a Composite Viking-age Sword

nospam@example.com (Niels Provos) — Fri, 09 Sep 2011 00:15:11 -0700

The video shows forging a pattern-welded Viking-age sword consisting of a 5-bar construction based on dimensions from a find in Norway. The video shows squaring up the rods and how I bundle the five bars (3 twisted core and 2 edge) into a sword-like object and then forge weld it. Instead of employing a wrap around edge, I am cutting a V into the tip that is forge-welded back together.

Viking-Age Iron Making In Oakland

nospam@example.com (Niels Provos) — Mon, 18 Jul 2011 22:18:22 -0700

Looking forward to USENIX Security!

nospam@example.com (Niels Provos) — Thu, 07 Jul 2011 17:36:40 -0700

USENIX Security is by far my favorite conference. This year is taking place in San Francisco from August 8th to August 11th and the program looks pretty strong again. There is some great work on quickly detecting malicious Javascript in the Browser and the talk on "Comprehensive Experimental Analyses of Automotive Attack Surfaces" promises to make us all rethink the security of our cars. Actually, all of the sessions seem like they will be interesting. So, see you all there.

Lizamoon SQL Injection Campaign Compared

nospam@example.com (Niels Provos) — Sun, 03 Apr 2011 15:24:20 -0700

Malware infections such as SQL injection are a well known security problem. Over the past two years we have seen several large-scale infections on the web, e.g. Gumblar.cn and Martuz.cn. Recently, a new SQL injection campaign called Lizamoon has gained a lot of attention. I had expected web sites would become more secure over time and less susceptible to simple security problems, so it is surprising that SQL injection is still a prevalent problem. That let me to wonder: Was Lizamoon as successful as previous infections? In a discussion about this problem, my colleague Panayiotis Mavrommatis suggested that comparing the size of campaigns via search engine result estimates might not be very accurate measurement.

That begs the question of how to assess the impact of infections. While the number of infected URLs is one possible measure, it is skewed by many different factors, e.g. a single vulnerable site contributes a large fraction of the infected URLs and overstates the impact. Instead, counting the number of infected sites might be a better metric. Even so, to judge the relative scale of an infection campaign, it might be helpful to compare it to previous incidents.

Below is a comparison of the Gumblar.cn/, Martuz.cn/ and Lizamoon infections based on Google's Safe Browsing data. The graph shows the number of unique infected sites over a 30 day sliding window.

For this analysis, I counted the sites that had a functioning reference to it, e.g. a script src=. Sites that escaped the script tag rendering it harmless were not counted. For Lizamoon, I aggregated the sites provided by the websense blog into a single measure:

hxxp://lizamoon.com/
hxxp://tadygus.com/
hxxp://alexblane.com/
hxxp://alisa-carter.com/
hxxp://online-stats201.info/
hxxp://stats-master111.info/
hxxp://agasi-story.info/
hxxp://general-st.info/
hxxp://extra-service.info/
hxxp://t6ryt56.info/
hxxp://sol-stats.info/
hxxp://google-stats49.info/
hxxp://google-stats45.info/
hxxp://google-stats50.info/
hxxp://stats-master88.info/
hxxp://eva-marine.info/
hxxp://stats-master99.info/
hxxp://worid-of-books.com/
hxxp://google-server43.info/
hxxp://tzv-stats.info/
hxxp://milapop.com/
hxxp://pop-stats.info/
hxxp://star-stats.info/
hxxp://multi-stats.info/
hxxp://google-stats44.info/
hxxp://books-loader.info/
hxxp://google-stats73.info/
hxxp://google-stats47.info/
hxxp://google-stats50.info/

The graph shows two interesting facts.

The Lizamoon campaign started around September 2010 and actually peaked in October 2010 with ~5600 infected sites. At the moment, it seems to be undergoing a revival.
If we compare the number of infected sites, Gumblar.cn/ is still clearly the winner with ~62,000 sites, followed closely by Martuz.cn/.

For future studies of malware infections, I suggest taking the number of infected sites as a more reliable measure than counting the number of infected URLs.

Update 2011-04-04: The blog post incorrectly referred to Gumblar.cn and Martuz.cn/ as SQL injection attacks. These attacks used stolen FTP credentials.

Honeyd.org running with phpBB3

nospam@example.com (Niels Provos) — Sun, 20 Feb 2011 20:44:30 -0800

Despite being incredibly busy at work, and purusing many extra curricular activities, I finally managed to update www.honeyd.org to phpBB3. Unfortunately, the spammers were slowly taking over the forum and phpBB2 did not provide adquate tools for managing spam. phpBB3 on the other hand supports recaptcha and other nice spam managing features. I also hope to release a new version of honeyd including bug fixes and support for libevent2.

Profile Story On Me :-)

nospam@example.com (Niels Provos) — Wed, 19 Jan 2011 19:39:25 -0800

CNet's Ellinor Mills wrote a nice security profile on me with the catching title: Google's Niels Provos battles malware on the Web. Blacksmithing, security, martial arts, etc, it's all there.

HotSec'11 CFP Out: Singular emphasis on new ideas and problems!

nospam@example.com (Niels Provos) — Sun, 09 Jan 2011 13:12:53 -0800

The HotSec 2011 CFP is out:

http://www.usenix.org/events/hotsec11/cfp/

Important Dates

Submissions due: May 5, 2011, 11:59 p.m. EST
Notification of acceptance: June 14, 2011
Electronic files of final papers due: July 5, 2011

HotSec is renewing its focus by placing singular emphasis on new ideas and problems. Works reflecting incremental ideas or well understood problems will not be accepted. Cross-discipline papers identifying new security problems or exploring approaches not previously applied to security will be given special consideration. All submissions should propose new directions of research, advocate non-traditional approaches, report on noteworthy experience in an emerging area, or generate lively discussion around an important topic.

Adobe PDF Vulnerability: Stack overflow in Font File parsing

nospam@example.com (Niels Provos) — Thu, 09 Sep 2010 22:18:39 -0700

Metasploit has a great write up on new vulnerability in PDF. The basic problem is a stack overflow when parsing OpenType fonts. In particular, SING Glyphlet tables contain a 27 byte long unique name that is expected to be NUL-terminated and stored in a 28-byte buffer. The vulnerable code is using strcat and lacks bounds checking resulting in a stack overflow.

The PDF in the wild prepares the heap via Javascript and contains multiple different font files that are selected by navigating to a specific page in the PDF based on the viewer version. Each font files has slightly different shell code. It was amusing to see that the attackers after modifying the head and SING tables did not fix up their respective checksums. According to Metasploit, this exploit works under Windows 7 with both DEP and ASLR turned on. Fun Fun. As of now, no patched version is available. The SecBrowsing blog contains instructions with temporary remedies.

Libevent-2.0.7-rc release

nospam@example.com (Niels Provos) — Thu, 09 Sep 2010 22:15:40 -0700

Nick announced the release of Libevent-2.0.7-rc today. Here is an excerpt from his email:

Thanks to everybody who reported and fixed bugs in Libevent 2.0.6-rc,
Libevent 2.0.7-rc should be much more stable and portable, especially
for people using IOCP, Windows, rate-limiting, or threads.

There are also numerous small bugfixes thoughout the codebase (though
still not, alas, in the http stuff).

For a complete list of changes, just see the ChangeLog included with
the source distribution.

You can download source code of libevent releases from monkey.org