I'm Elke Stangl (elkement) - a physicist and engineer. I help people to understand technology and the underlying science. This website is my About Me site - a companion to my research and tech blog.
This website shall finally reconnect with its roots – radices.
With the dawn of the new millennium a self-proclaimed Subversive Element registered a bunch of domains. It was especially fond of radices.net and subversiv.at. Today, all these sites have been re-united and redirected to elkement.subversiv.at. But the site does not deliver on its promising name – I feel it became way too 'professional' recently. Historical content has been filed mostly under Physics (radices) and Art (subversiv). The category life displays some of the matter-antimatter collisions of these two worlds. Which also explains the category of the current article.
The Subversive Site was a Red Padded Cell, with Font Color = White, a so-called creative playground. The Element was aware that 'everybody' could read this but it did not care. The Merger of the sites was inevitable in the end, after a final detour of professionalization – when radices.net suddenly also hosted pages with IT Security links.
I have been a blogger, and I observed the evolution of other blogs: My anecdotal evidence shows that blogs live for about 1-2 years. If they are bound to survive they have to escape the matrix and to overturn their creators. A personal blog or website needs a 'Big' Idea. OK, not really big, but at least all-encompassing and abstract enough so that all the author's different threads and lines of thought can be silently tied together using this idea's magic glue.
My elkement.blog is relentlessly edited. It was a more philosophical site once, but I aim to follow our punktwissen principles now. Articles should be concise, provide value, and perhaps also entertainment. There should be a logical connection between posts, and my curated lists should help readers to find something 'useful'.
On the contrary, this site has more or less the same article over and over again – perhaps in disguise and interlaced with technical notes. It is all about keeping the essence of Physics alive and useful for me personally. Since radices was originally a German-only science and philosophy site, the English version might not reflect this – but in the early articles on elkemental Force (at that time: Theory and Practice of Trying to Combine Just Anything) I recaptured these ideas.
So I do finally accept this – let elkement.subversiv.at have its way. This is elkement's personal site, and its primary topic is How To Learn About Physics And Why This Might Be Useful Or Even Edifying In Very Different Ways.
- Learning physics means to start somewhere in the middle. That's why a first Introduction to Physics lecture is always hard (if the lecturer has some modest mathematical aspirations). You need to look at the same phenomena from different angles, and only after a while – and some work – everything will fall into place. This process and journey of learning is rewarding in itself.
- The more related to mathematical foundations (of physics) a question is, the less googleable the answer is. You can find anecdotes, and examples, science sound-bites for entertainment. Of course you find awesome lecture notes to learn the fundamentals from Feynman Lectures to Landau-Lifshitz – but you need to 'learn' them. Contrary to the mantra of You Just Need to Know Where to Find Something (like: Google for error messages) I believe that really knowing about fundamentals without googling helps a lot with problem solving: You can walk through how a system should work, just using the resources in your head.
- Mathematics purges the brain, and this does not only help with mathematical problem solving. So I believe that the hackneyed problem-solving skills of science graduates are real (albeit it is difficult to assess the self-selecting nature of STEM degrees for people with natural 'analytical' skills). But the caveat is: Years of corporate work, powerpoint slides, office politics, distractions, pressure to deliver ad hoc can erode these skills. I have tested different methods over the long term to keep physics knowledge alive and usable - and have now learned that science might even provide some evidence, in a sense.
- I have been in 'cyber security' for a while and I have written lots of gloomy articles about our new smart world of automation and where everything (including heating systems) is turned into cloud-based services. Thoughts on all of this are still work in progress, I am working on internal consistency and unambiguity. I came into the world of IT as an experimental physicist, I was applying my training of troubleshooting complex 'analog systems' to digital systems. Despite the myth of crystal-clear 0s and 1s it was often better to treat them as black boxes. I lacked the typical computer nerd's / enthusiast's background and started late – playing with Microsoft systems and Office VBA and the like. In spite of this Treat-as-a-Blackbox approach I like to understand as much as possible about a system. Yes, I know you cannot understand, let alone build, a power plant just from knowing how to solve Maxwell's Equations (let alone understand or solve cyber security issues related to such power plants). Nevertheless, if I have the choice to understand something at all, I'd pick Maxwell's Equations.
For years I have been using an (angry) dinosaur as my web and blog logo. The dinosaur is from another era, and sometimes it cannot deal with 'modern' concepts of our 'smart', 'networked' world. But perhaps, it was part of this world for a while in order to overcompensate.
Now the dinosaur is getting more and more confident that its typical dinosaur activities might be more productive and positive than it thought before.
On science and technology
- I believe there is often a simpler, more low-tech solution to a problem that technology is thrown at.
- I sometimes call myself a geek but I don't understand this 'geek' movement of cheering science and technology - without any desire to learn any of the details.
- I prefer to work on seemingly mundane problems that somebody really wants me to solve right now.
- This explains why I discarded inquiries to participate in and profit from governmentally funded research projects.
- Yet, I often find a universe of intriguing puzzles when mulling upon a 'simple' problem.
- Learning about theoretical physics has a mind purging effect: It helps, no matter if I ever need the math directly.
On business and life
- If a business relationship does not work without a written contract, it does not work well with one either.
- Don't follow any advice by strategists and experts, especially if their primary role is to act as consultants and not as doers.
- If somebody has an opinion on something, I judge them on Skin in the Game, hands-on experience, and education - in that order. I keep this in mind when voicing my own opinions.
- I don't pay for leads - I endorse others for free, and I am endorsed for free. Not necessarily on a 1:1 basis.
On the internet
- The greatest internet-powered innovation in the workplace I have encountered is to work remotely.
- I am grateful that I started writing online before there were Likes and Comments. The point of writing online is to hold yourself accountable because others could in principle read this, not because you need feedback.
- The internet sharing paradox: The more information you share for free, the more requests for free information you get. Learning to say No is a key skill.
- No matter how eclectic you think your combination of specialties is - you will find people on the internet featuring the same combination. Just better. It's humbling and this is a good thing.
Sometimes I wonder why I created a Tech category separate from an IT category. The two of them are closely interrelated, as my recent WordPress blog post on my so-called Data Kraken has demonstrated.
I call myself the Theoretical Department of our engineering consultancy because I am mainly in charge of software development, simulations, and data analysis – related to measurement data for our heat pump system (and those of our clients).
But there is one big difference between what I call 'IT-only projects' (like my PKI-related services) or engineering projects that also involve software: 'IT' is my tag for providing software-related consulting or software engineering related to somebody else's IT system – a system whose requirements are defined by somebody else. My engineering software is built according to my own requirements. My 'Tech' projects, IT-centered as they may seem, are not primarily about IT: They are about systems using, storing, and transferring energy. IT is just a tool I use to get the job done.
All things I had ever done as an IT professional turn out to be useful, and I am learning something new nearly every day – when thinking about 'energy'. Heating systems today are part of what is called Internet of Things – so IT security is also an important aspect to consider. In 2015 I used this website to finally transition to .NET (… finally, from ASP ?), and as a spin-off I also re-developed the numerical simulations for our heat pump system in .NET – representing every component as an object. In 2014 I migrated our initially only Excel-based data analysis to SQL Server, and I have improved my 'Data Kraken framework' since then, adding visualization by automated Excel plots etc.
I still work for some select 'IT-only' clients - and it seems my 'IT articles' here just constitute a series of updates about the exact extent to which I still do PKI. If the occasional data analysis question comes up, any SQL, Excel, or .NET skills might come in handy in my IT projects - like querying a certification authority's database, or using a semi-automated Excel sheet to create a Certificate Policy Statement, following the RFC. But I don't advertise myself as a SQL etc. expert; I rather think I returned to where I came from, many years ago:
When I worked as an IT consultant, I had been asked over and over: How does a physicist end up in IT? There are very different reasons: The obvious one is that as a physicist you might have picked up some programming experience. I had indeed contributed to the (mess of patchy 'local-community-developed') software for automating the measurement of electrical resistance of superconducting thin films many years ago, but this was not the main reason. I was an experimental physicist so I can't claim that my work was immensely mathematical or computational (and my job as 'implemented applied cryptography' via Public Key Infrastructures was not either). The main analogy is that IT systems of sufficient complexity are as unpredictable as an experimental setup governed by lots of parameters, some of which you have not identified yet – as was the manufacturing of thin films by laser ablation. I was simply patient, perseverant, and good at troubleshooting by navigating a hyperspace of options of what might have gone wrong.
This might be either boring or frustrating for non-geeks. But I believe the grunt work of maintaining and fixing software is rewarding if this is an auxiliary task, done to support the 'actual' system of interest. Mine are heat pump systems, power meters, photovoltaic generators and the like. I want to understand and optimize them and so I am willing to learn new programming languages and spend hours on troubleshooting bugs with software vendors' updates. Just as back then I learned the bare minimum of Turbo Pascal to develop software for low temperature measurements.
In 2017 I am going to focus on maintaining (and bug fixing ?) Data Kraken and I will work on making usage and 'visualization' of the numerical simulation more and more similar to Data Kraken.
Currently, Data Kraken has the following main features:
- Documentation of the sensors and log files for different loggers (Heat pump / UVR16x2, smart meter, PV…) in an Access database - a small proto-kraken per installed system.
- Documentation of changes to sensors and log files, such as: Shuffled columns in files, modified naming conventions for files, new or replaced sensors. For example, the formerly manual reading off of the surface level of water in the water/ice tank has been replaced with an automated measurement in 2016. So the input value for calculating ice volume moved to a column in a different log file, and was measured in different time intervals.
- A PowerShell script grabs all log files from their source locations, and changes date formats, decimal commas and line breaks. (I found this to be more performant than manipulating every line later after the import to SQL Server).
- The PowerShell script then creates an updated set of SQL scripts – one set of scripts and one SQL database for each installation / each client. For example, the CREATE TABLE or ALTER TABLE commands are created based on the Access documentation of measured values and their change log.
- SQL scripts create or add SQL Server database fields, import only the files containing data points not imported yet, and import their data to a staging table. Each SQL database can thus always be re-created from scratch – from CSV log files and the meta documentation (Access).
- Error values are modified or deleted from the staging table, as defined before in the Access database (and thus in a SQL script): For example vendor-defined error values for not connected sensors (such as 9999) are set to NULL, or whole rows of values are deleted if the system was e.g. subject to maintenance according to another system's documentation.
- Finally, the most important script is run: The one that does the actual calculation of e.g. average brine temperature, energy harvested by PV panels or the solar / air collector by day, or daily performance factors of the heat pump. The script needs several levels of SQL views – all of which are re-created by the script.
- Microsoft Excel is used as a front-end to show values from tables with calculation results. One Excel-formula only simple table allows for browsing through values, and picking daily, monthly, yearly, or seasonal numbers.
- Excel plots are automated with respect to the fields (columns) and to start and end date. Existing plots can be copied (also from other workbooks), then documented in a table. The documentation table can then be modified and is used as input. Color and line widths are still tweaked manually.
Weird as this setup sounds, it allowed me to develop and change the solution just in the right way – installation by installation, e.g. by testing the changes to log files after the control unit's firmware for one specific installation first.
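The pipeline above in miniature, as an added example that is not Data Kraken's own code: Python with sqlite3 stands in for the PowerShell script plus SQL Server, and the logger export, the sensor column names and the 9999 error convention are constructed for illustration. It walks through the same stages: normalize line breaks, date format and decimal commas; generate the table and the calculation view from the column list; import only rows not staged yet; NULL out the vendor error value; and read daily averages from the view. One check a practitioner would want when DDL is generated from a documentation database: the column names are spliced into CREATE TABLE and UPDATE statements as strings, so they are restricted to plain identifiers before use, while the measured values go through bound parameters.

```python
"""Added example (not Data Kraken's own code): a miniature log-file pipeline
using sqlite3 in place of PowerShell + SQL Server. Sample data, column names
and the 9999 error convention are assumptions for this example."""
import re
import sqlite3
from datetime import datetime

# Constructed sample logger export: German date format, decimal commas,
# semicolons and CRLF line endings. 9999 stands for a disconnected sensor
# (assumed vendor convention for this example).
RAW_LOG = (
    "Datum;Zeit;T_brine_in;T_brine_out\r\n"
    "31.12.2016;23:00:00;2,5;-0,5\r\n"
    "01.01.2017;00:00:00;2,0;-1,0\r\n"
    "01.01.2017;12:00:00;9999;-2,0\r\n"
    "01.01.2017;18:00:00;4,0;9999\r\n"
)
ERROR_VALUE = 9999.0
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_safe_identifier(name):
    """Column names from the sensor documentation are spliced into generated
    DDL/DML as strings, so only plain identifiers are accepted."""
    return IDENT.match(name) is not None


def normalize(raw):
    """Step 1 (the PowerShell part): unify line breaks, date format and
    decimal separator. Returns (sensor_columns, rows); each row is an ISO
    timestamp followed by one float per sensor."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    sensors = lines[0].split(";")[2:]
    for name in sensors:
        if not is_safe_identifier(name):
            raise ValueError("refusing unsafe column name: %r" % name)
    rows = []
    for line in lines[1:]:
        date, time, *values = line.split(";")
        ts = datetime.strptime(date + " " + time, "%d.%m.%Y %H:%M:%S")
        rows.append((ts.isoformat(sep=" "),)
                    + tuple(float(v.replace(",", ".")) for v in values))
    return sensors, rows


def create_schema(con, sensors):
    """Step 2: CREATE TABLE and the calculation view, generated from the
    (validated) column list."""
    cols = ", ".join("%s REAL" % s for s in sensors)
    con.execute("CREATE TABLE IF NOT EXISTS staging (ts TEXT PRIMARY KEY, %s)" % cols)
    avgs = ", ".join("AVG(%s) AS avg_%s" % (s, s) for s in sensors)
    con.execute(
        "CREATE VIEW IF NOT EXISTS daily AS "
        "SELECT date(ts) AS day, %s, COUNT(*) AS n FROM staging GROUP BY date(ts)" % avgs
    )


def open_database():
    """One database per installation; in-memory here."""
    return sqlite3.connect(":memory:")


def import_log(con, raw):
    """Steps 3-4: stage only rows not present yet (the PRIMARY KEY on the
    timestamp makes a re-run a no-op), then NULL out the vendor error value
    so it never enters an average. Returns the number of staged rows."""
    sensors, rows = normalize(raw)
    create_schema(con, sensors)
    marks = ", ".join("?" * (len(sensors) + 1))
    con.executemany("INSERT OR IGNORE INTO staging VALUES (%s)" % marks, rows)
    for s in sensors:
        # Identifier was validated above; the value is a bound parameter.
        con.execute("UPDATE staging SET %s = NULL WHERE %s = ?" % (s, s), (ERROR_VALUE,))
    con.commit()
    return con.execute("SELECT COUNT(*) FROM staging").fetchone()[0]


def daily_averages(con):
    """Step 5: read the calculation view, keyed by day for a front-end."""
    cur = con.execute("SELECT * FROM daily ORDER BY day")
    names = [d[0] for d in cur.description]
    return {row[0]: dict(zip(names, row)) for row in cur.fetchall()}


def run_pipeline(raw):
    con = open_database()
    import_log(con, raw)
    return daily_averages(con)


if __name__ == "__main__":
    for day, values in run_pipeline(RAW_LOG).items():
        print(day, values)
```

With the sample above, the row containing 9999 for T_brine_in is kept but contributes nothing to that sensor's daily average (AVG ignores NULL), and importing the same file twice leaves the staging table unchanged, which is the property that lets a database be rebuilt from scratch from the log files and the meta documentation.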
I have written about all things physics for a long time - mainly on my blog, since 2012 – but I have never been quite satisfied with the result: Too boring for experts, not exciting and popular science-y enough for the 'educated public'. I think the reason was my hidden agenda, an agenda not even obvious to myself.
I wrote about phenomena and subfields I had just immersed myself in and (re-)learned about, either because this was very remote from the kind of physics I use on a daily basis, or just because I was concerned with some aspect of it but wanted to complement that with 'more theory' for the fun of it.
In spite of that, I tried to keep a style that somewhat resembles your typical 'science communications', but that was most likely to no avail. Re-reading my old blog postings I don't read so much about 'the physics' as about my own learning process. Or I remember what I actually wanted to write about, but did not – in order to violate the pop-sci agenda - so the result was something in between a learner's notes and sketches of ideas for popular presentations. For example, I (re-)learned Quantum Field Theory after all the news about the Higgs particle and LHC. Both my experimental and theoretical background was in condensed matter physics, so it really took me a while to map what I learned about so-called Second Quantization and many body systems (described in a non-relativistic way) onto your typical QFT introduction that started with Noether's Theorem and Lorentz transformations. Now in order to drive that point home (in a blog posting), to explain what was so interesting for me, I would have had to introduce all those concepts to a lay audience which I considered futile. Or I was just too lazy to learn more LaTeX or too hesitant to use equations at all. I noticed I got on all sorts of tangents when I tried to run a series on QFT – I did exactly what I did not like myself about popular texts on theoretical physics: Pontificate on more or less palpable metaphors about fields and waves, but not be able to really explain anything above a certain threshold of abstractness.
I gave up on my series before I could 'explain' what interested me most: How forces translate into the exchange of virtual particles and how I actually knew about the 'Higgs field giving particles mass' without knowing any more: I had learned about Anderson's mechanism in solid state physics, and Ginzburg-Landau theory of superconductivity. Perhaps that would have been a great example of symmetry breaking and that infamous sombrero hat potential typically used in pop-sci articles about the Higgs field?
I absolutely know that this may sound totally opaque – which is the reason why I only write about it here, on my website in that forgotten corner of the web, rather than trying to turn this into a blog post. Here, I follow my stream of consciousness and don't bother anybody on social media with it. There, I try to be somewhat entertaining and useful.
But even here, I try to write about something that somebody somewhere might be able to relate to, and here 'the internet' comes to the rescue: For better or for worse, no matter how seemingly unique, special, and eclectic your hobbies and professional specializations are – there is somebody somewhere on the net who indulges in the same combination of stuff. So, yes: It seems there is a growing community of hobbyist physics enthusiasts who feel the same and who 'practice' physics in the same way: Professionals with a STEM background who seriously learn about physics in their spare time, like R&D managers writing textbooks about undergraduate physics or introductions to Quantum Field Theory. Like the IT server admin or the management consultant who write blog posts about what they have (re-)learned in their sparse spare time. Like the retired IT specialist who returns to what they originally studied – physics. Like me, who has an education mainly in applied condensed matter physics and who works as a consulting engineer and IT consultant.
From a down-to-earth perspective, this hobby can be worthwhile and useful: I noticed that it sharpens the mind, even if I don't use that physics and math directly on a daily basis. It's this effect that makes the hackneyed saying about the 'analytical skills' of physics majors true. However, there is a caveat: Yes, physicists may be good at any corporate job, but I think in order not to lose your 'analytical edge' you need to practice the skills that originally shaped your mind. I don't know about research in psychology, so this is just my personal anecdotal experience. Living the corporate, inbox- and interrupt-driven work-style and having your mind scattered and distracted by social media does not help. There was a time in my life when I got up at 4:00 AM every day to re-learn physics, starting with Feynman's Physics Lectures. Surprisingly, that investment was well spent. I felt my IT security concepts became crisper, more concise, and better – and it took me less time to compile them; so the ROI was great.
What triggered this article is my prime example of useful mathematics: While I had some background in QFT there was one subfield in physics I had missed completely: the theory called 'most beautiful', even by sober authors Landau and Lifshitz – the theory of General Relativity (GR). I had specialized in solid state physics, lasers, optics, and high-temperature superconductors, and GR was not a mandatory subject.
But I wanted at least to understand a bit about current research and those issues with not being able to unify quantum (field) theory and relativity. And I can relate to poor consumers of my feeble attempts at pop-sci physics: When I read popular physics books, I enjoy them as long as I have some math background - although I feel sometimes flowery metaphors make it more difficult to recognize something you actually know in terms of math. But when you would have to use new mathematical concepts you cannot understand the metaphors at all. Digression: So it baffles me when people like articles about black holes, the universe, and curved spaces but complain about not perfectly comprehensible explanations of more mundane physics and engineering. I believe the reason is that you 'need not' understand worm-holes etc.; so you can just relax and scroll through the story, much like watching an illogical science-fiction movie. But mechanical engineering and simple thermodynamics feels like you 'should know it' and 'try a bit harder to understand it', and so it brings back memories of school and tests.
But as I said, there might be a small community of people who genuinely want to learn, despite – or because of!! – the so-called hard aspects: Going through mathematical derivations again and again, and banging your head against the wall, until suddenly you understand. Which is a reward in itself, a feeling that's hard to share, and could and should not be shared anyway – in an act of subversive protest against our culture of craving for attention and 'likes'.
So for this community I'd like to share the resources I have picked for learning General Relativity: A set of free resources, each one complete and much more than just 'lecture notes'. Each of them also represents a different philosophy and pedagogical style, and I believe physics is learned best by using such a diverse set of resources.
One can debate endlessly whether and how to introduce the mathematical foundations used in some subfield of theoretical physics. As a physics major, you learn analysis and linear algebra before tackling their applications in physics and/or some mathematical tools are introduced as you go (Hello, Delta function!). I think it does not make such a difference in relation to the first courses in theoretical physics, e.g. learning about vector analysis before or in parallel to solving Maxwell's equations.
I feel it is more difficult the more advanced the math and the physics get, as you have to keep a lot of seemingly abstract concepts in mind before you are finally shown where 'you actually use that'. But maybe it is just me: Different presentations of GR seem 'more different to me' than different presentations of special relativity and electromagnetism.
In GR you can insist on presenting a purely mathematical and rigorous introduction of mathematical foundations first – your goal being to erase all false allusions and misguided 'intuitive' mental connections. Thinking about vectors in a 3D 'engineering math' way might harm your learning about GR just as too creative science writing might put false metaphors in your mind.
On the other hand, you could start from our flat space (our flat spacetime) and try to add new concepts bit by bit, for example trying to point out what curvature in 4D spacetime means for curvature in the associated 3D space, and what we might be able to measure.
Some authors use a mixed approach: They start with a motivational chapter on experiments, photons in an elevator, and co-ordinate transformations in special relativity … and then they leave all that for a while to introduce differential geometry axiomatically … until they are back to apply this to something tangible … until more mathematical concepts are again needed.
Sean Carroll does the latter in his Lecture Notes on General Relativity, which are actually much more than notes. He also published a brief No-Nonsense Introduction to GR that serves as a high-level overview, and he manages to keep to his signature conversational tone that makes his writings so enjoyable. Perhaps – if this was the only literature used – the mixed presentation plus digressions into special topics and current questions in physics would be a bit confusing.
But I was still searching for video lectures to complement any written text. A few years ago I had not found any comprehensive self-contained course, but in 2015 this series of lectures was published, recordings from an event called the Heraeus Winter School on Gravity and Light 2015 – marking the 100th anniversary of Einstein's publication of GR. A nostalgic factoid I found most intriguing: The central lecture of the course by Frederic P. Schuller was given in the very lecture hall at my Alma Mater (Johannes Kepler University of Linz in Austria – JKU) in which I received my education in Theoretical Physics, by Heisenberg's last graduate student Wilhelm Macke. Tutorial sheets and video recordings of tutorial sessions can be found on the conference website.
Schuller focuses on the math first, and this was really enlightening and helpful after I used other resources based on mixed intuitive physics and math. The YouTube channel of the event also has recordings of tutorial sessions, and I found some versions of brief lecture notes. I think this is a must – and unfortunately often overlooked or downplayed in the world of free 'MOOCs': In order to really learn math, you need to do problems and you absolutely have to walk through every single step of every derivation. It is tempting to just skip the boring proof in a text (that you thought you understood), and it is even more deceptive to watch science videos and believe you understood something. So thanks a lot to my former university for making this course available to the public.
But I was still curious if you can do without manifolds and stuff – without cheating – and I think I found the master of the genre. And again it is a signal from the past (my past): I had looked things up in Landau/Lifshitz Course of Theoretical Physics when I worked at the university. But as the 10 volumes were quite expensive I never bothered to purchase them later. Recently I jumped with glee: Due to whatever quirk in copyright law, the Internet Archive made 9 of 10 volumes available, and I downloaded them all. Browsing through the tables of contents I noticed that GR was actually explained in volume 2, The Classical Theory of Fields. I am totally smitten by their style, too: Elegant, terse, detached. Much like Dirac's Principles of Quantum Mechanics. And I don't agree with those who say that the explanations are too terse: Landau and Lifshitz try to stay close to tangible physics, and they use math in an ingenious way, which mathematicians might call sloppy (like: 'dividing' by differentials to yield a derivative). For that reason, one should consult other resources as well, but I think LL's GR is self-contained.
These books and videos will keep me busy for a while. I also try to interlace it with a bit of QFT again, e.g. by reading Dirac's version of it. My goal for next year is to complete first courses on GR, recapitulate what bit of QFT I learned in 2013/14, and then tackle an actual former specialty again: Re-learning about theories of superconductivity, with an emphasis on how these methods are also used in particle physics.
It might be a dangerous thing to announce such grand plans on the web. But next year might be a busy one business-wise, and I need to brace myself accordingly.
Time to poetry-size articles on this website again! As usual, I google for this site - using site:elkement.subversiv.at/en - and take one continuous, unedited snippet from each of the linked pages. Search results must be processed in the order Google shows them, and they must not be re-arranged later.
the Existence of the Matrix AKA Corporate World
I had literally been asked
Who will take care of my dear website in 200 years?
run off to the restrooms at a party
As all stressed managers and other pilgrims on the Camino de Santiago
Algorithms loom large
look more like a placeholder
I am trying to learn the terminology
Off-the-wall geek humor versus existential philosophical questions
But I was penalized for all this.
Don't think about it too long!
While I gravitated against quantum theory
what I had had in mind but never did
not igniting my entrepreneurial spirits yet
back-to-the-roots stuff will be migrated
I want to challenge my own ideas
in a pang of cheeky self-assurance
a grown-up physicist's biggest ethical dilemma
what I never wanted to know
one more telltale sign of the Siren Server (© Jaron Lanier) resisting subversion by poetry
Global corporations have their brand names tested for potentially unwanted connotations
Especially if they are appealing to your vanity
The proof by contradiction
Our village has changed its zip code
to enter a more detached state of mind
You can turn into your own cliché
I'll pontificate about anything nonetheless.
So after all - it was all worth it.
Each phrase becomes a line in this 'poem'
it is no good rationalizing too much
a small-talk question, innocent and harmless.
Physics or Engineering?
I suck at keeping to my own agenda
Do we need a new attempt?
books trigger some random thoughts of mine
you don't know how the story will unfold
I start a radical experiment: Opening my blog's editor, and typing what I think right now - however, planning to never publish it to WordPress.
Contrary to what seems to motivate many freshly minted bloggers, and netizens inhabiting social web worlds in general, feedback and interaction had not been my primary goal. The appeal of writing 'in public' is that on principle somebody could read what you wrote, that the internet never forgets, and that you have to hold yourself accountable to what you wrote. Have to endure reading what you wrote when you were a different being.
The joy of my early web projects was also their subversive, semi-secret, and pseudonymous nature. Online spaces were wild places, blank sheets of paper, laid before me to hone my ideas.
There is another motivation for writing online, and this is as unrelated as possible from the philosophical approach: I enjoy crafting technical arguments, documentation of technical projects, 'science writing' because I want to force myself to turn my thinking into a consistent linear thread. I want to challenge my own ideas, find the loop holes in my own arguments. I know that my blog articles may be either boring or opaque or both unless the reader has explicitly searched for content like that. But actually the latter audience is who I am perhaps writing for: I have found so much useful tech / science stuff online, for free and in sublime quality, for my professional work, my own education, my pleasure of reading - and I do not want to remain on the receiving end of this communication only.
My second motivation, which is tied to a minimum level of 'feedback' - page views by fellow geeks - only seems to work for my articles written on our German blog: We only blog about two times a month now, but despite the smaller theoretical audience of German speaking readers the other blog has many more views, and views are still increasing. My English blog has fallen into oblivion again after I blog only twice a month and/or after I focused more and more on energy, heat pumps, and down-to-earth engineering and physics of everyday life.
These are my personal recent top articles in the Physics / History of Science category so far:
- Peter von Rittinger’s Steam Pump (AKA: The First Heat Pump)
- Rowboats, Laser Pulses, and Heat Energy (Boring Title: Dimensional Analysis).
- Hacking My Heat Pump – Part 2: Logging Energy Values
- How Does It Work? (The Heat Pump System, That Is)
But ironically, a silent blog brings me closer to my other goal: Using the silent online space to write just for me, holding myself as accountable as possible though. Last year I had overhauled this / these website(s) here, and it turned more into a blog. Now I finally know what the purpose of having effectively two blog(-like) sites are:
Here, I give myself permission for introspection and self-centered updates. I don't share subversiv.at links anywhere on social media. If somebody wants to read this, he or she really has to be determined and go to the 20th page of Google search results. There is no interaction. Of course this is also a consequence of my minimal web programming, but feedback can be a blessing and a curse. You (or maybe only: I) tend to write more about what 'people have liked before', or at least you feel a little bit guilty if you expose your loyal readers to something unusual - which turns each new post into a challenge, one you'd like to dodge sometimes. My writing self is quite 'authentic' here, in modern parlance.
But I don't want to appear fake on my real blog, the one that has much more content than this page, much more carefully crafted, and I don't want my blog to die. My solution has been - for a few months now, I am only post-rationalizing here - to stay away from the autobiographical, from opinions, from the philosophical, from big ideas ... and to focus on hard things. The stuff I really do know. I think The Internet would be a better place if people would only post or comment if they 1) had thorough education on the subject, 2) practical experience with it, and 3) skin in the game - being personally exposed to risks and consequences arising from putting their opinions into practice. (In reverse order.)
So on my blog I just try to be useful (hopefully) to some tech and science enthusiasts, and perhaps a bit entertaining. If I will ever find a more useful 'spin' to what I have written here now, I might actually turn it into a blog article, like: What I learned from having two different websites. Why I stay away from opinion on the web. What I learned from tech / science blogging.
But for now this posting here will just remain some open-ended collection, snippets of my stream of consciousness, and I am copying these lines to a new 'post' at this silent website here and deleting the draft for a blog post.
Since 2012 I have published PKI status updates here, trying to answer the question 'Do you still do PKI?' (or IT). I have re-edited them often, and my responses were erratic - I was in a Schrödinger-cat-like superposition state of different professional identities.
Now and then I still get these questions. Can I answer it finally? I am still in a superposition state - I don't expect the wave-function to break down any time soon. I enjoy this state! But my answer to IT-related requests is most often no.
So yes, I am still 'working with IT' and 'with IT security' professionally. Not necessarily 'in IT'.
I am supporting a few long-term clients with their Windows PKI deployments and related X.509 certificate issues (after having done that exclusively for more than 10 years): those clients that aren't scared off by my other activities, and clients I had always worked with informally and cordially. But I don't have any strong ties with specific PKI software vendors anymore, and I don't know about the latest bugs and issues. So I don't present myself as a Windows PKI consultant to prospects, and I especially decline requests by IT security partner companies who are looking for a consultant to pitch or staff their projects. I am also not interested in replying to Requests for Proposals for PKI or identity management and 'offering a solution', competing with other consultants and especially with other companies that have full-time staff doing business development (I hardly did this in my PKI-only time). I am not developing software anymore that might turn into an 'enterprise solution'.
Today I am working 'with IT' more than 'in IT' in the sense that I returned where I came from, as an applied physicist who was initially drawn into IT, armed only with experience in programming software for controlling experimental setups and analyzing my data: I call myself the 'theoretical department' of our small engineering consultancy - I am developing software for handling Big Monitoring Data. I am also tinkering with measurement technology, like connecting a Raspberry Pi to a heat pump's internal CAN bus.
Security is important of course: I have fun with awkward certificates on embedded devices, I sniff and reverse engineer protocols, and I could say I am working with the things in the Internet of Things. But I am not doing large-scale device PKIs or advising the IT departments of major engineering companies: My clients are geeky home owners, and we (the two of us) are planning and implementing our special heat pump system for them. An important part of such projects is monitoring and control.
So every time I feel that somebody is searching for 'a PKI consultant' I am the wrong person. But if somebody stumbles upon my CV or hears my story at full length - and absolutely wants to hire me just because of the combination of this - I might say yes.
But it is no good rationalizing too much: Finally it is a matter of gut feeling; I am spoilt or damaged by our engineering business. Our heat pump clients typically find our blog first - which has been mistaken for a private fun blog by friends. Prospects are either 'deflected' by the blog (and we never hear from them), or they contact us because of the blog's weird style. Having the same sense of humor is the single best prerequisite for a great collaboration. So whenever I get any other project request, not mediated by a weird website, I try to apply the same reasoning. Years ago a colleague I had not met before greeted me in the formal kick-off meeting, in front of all others, with: You are the Subversive Element, aren't you? (Alluding to my Alter Ego on subversiv.at). That's about the spirit I am looking for.
Once upon a time this category was intended to comprise what I had learned about philosophy. I had even aspired to study philosophy. Then came the dawn of the web and of unconventional philosophers of web culture.
I had also followed common wisdom, and my first FrontPage-generated business website had a section called Philosophy.
What's left of that, or what has been my conclusion?
I believe - in a pang of cheeky self-assurance - that I ought to have my own philosophy. Experience, business and otherwise, should be good for something. My philosophy does not focus on the grand questions of life. I might have had an argument with my former self, the idealistic student of science who aspired to change the world as a physicist, a profession I pictured as a cross-over of hands-on MacGyver and theorist-philosopher-mathematician, ad-hoc-inventing smart tools while mulling over deep insights on the universe and everything.
The unexciting truth is that my personal philosophy is explained best by summing up the different roles I have ever seen myself to take on, no matter what my job title was. None of them was about making profound changes to the world or being any sort of thought leader.
1) The Reverse Engineer
I have been told that I dismantled (tech) stuff already at a time I have no conscious memory of. I wanted to know how things worked, and I found a way to get there. Some of these activities morphed into a career later, the obvious one having been IT Security - the stereotypical field for lone maverick nerds who reverse engineer stuff. Even as a white hat hacker and so-called security consultant you have to indulge in the relentless black hat hacker's mindset - or you become a security bureaucrat, ticking off checklists and following rules. (Which does not mean you should not know the rules.)
But I could as well have turned into a tax advisor or lawyer, given my pleasure in finding out how such systems work.
I disagree with Keep To Your Core Skills, and I have often 'wasted my precious time' by 'not delegating'. I hope or believe - delusionally - that 'actually' everybody has this pleasure of finding things out ((c) Richard Feynman). I am wary of marketing (tech) stuff to allegedly dumb or stressed out end-users who don't want to understand anything about the underlying technology. Perhaps I am talking to less than 10% of people, but after all this is about my personal credo.
2) The Mediator
One of my first ever fantasies as a child that came close to something like a career was being kind of a negotiator or diplomat. I am not kidding: I dreamt about settling peace treaties between Mickey Mouse and his sinister opponents in his cartoon world.
This has impacted all of my jobs, but it finally surfaced explicitly when a client booked me 'for another mediation', which was in fact the follow-up of a very technical meeting.
I had considered yet another training or degree, in coaching, psychology, or the like. However, I am glad that I never left technology for good (see 1). There is a paradox: People want such 'tech project psychology' services. However, they will not buy it if labelled as such yet happily use them if they come as a hidden by-product of technical consulting.
3) The Communicator
Maybe principles 1) and 2) can only co-exist if you bridge them with a lot of talking. During most of my career 'teaching', 'training', or 'lecturing' had been part of my official duties or a side-project done in moonlighting fashion. I stopped teaching when I became a moonlighting student again. I have also realized that I am not cut out for overly well-managed, structured, quality-assured educational systems. I suck at keeping to my own agenda, and I beg to be carried away by hard off-script questions.
I was not the best class-room teacher, but I think I was good at informal, jam-session-style train-the-experts sessions.
Projects I remember most fondly were those where clients were not only interested in The Tech Guy Who Will Fix Everything but also in my pontificating on fundamentals, even if that was not required to get the job done. But as I said above (1) - I believe it's always worth it.
4) The Organizer and Automator
When I was a child, I was not called upon to tidy up my room: Not only was I self-motivated to clean it - Mr. Monk-style - but I rather re-organized my cabinets quite frequently. It was the Feng Shui of Decluttering meeting an obsession with structure, and it has not changed to this day.
I have extended these principles to the virtual world as soon as I had 'data'. Writing a tool, script, program to automate something is second nature. Some sort of software development has always been part of my jobs - just as teaching was, but I found out only recently that I like data analysis and programming much more.
Proficiency with interpreting and manipulating data, and with using or fixing software, is part of our culture and should be trained and valued just like other basic technologies and skills. And of course I believe that we, each of us, really need them! But perhaps it is just my bad luck or my high standards... Every time I just want to use an application or service as a normal end-user I end up with low-level troubleshooting.
I am aware of the picture of the obsessed nerd that I have painted here. I don't underestimate subtleties and human nature though. But nowadays soft skills and people with 'big ideas' are so often praised to the skies, rather than nitpicking, detail-oriented persons, so as Subversive Element the contrarian stance comes naturally to me. Even the most empathic coach who tells burnt out IT guys not to overdo perfectionism will be very happy if a neurosurgeon or airplane engineer is totally obsessed with flawless technology.
I renamed my blog elkement.wordpress.com last November:
Theory and Practice of Trying to Combine Just Anything
The original tagline was
Physics versus engineering
off-the-wall geek humor versus existential questions
IT versus the real thing
corporate world's strangeness versus small business entrepreneur's microcosmos, knowledge worker's connectedness
versus striving for independence.
until it became
I mean it
and finally turned into
Research Notes on Energy, Software, Life, the Universe, and Everything
This means that my blog elkement.wordpress.com has found its purpose, and I am able to distinguish blogging better from publishing to this website elkement.subversiv.at. My actual research and 'science writing' is featured on my blog. Over there I am using wordpress.com features I have no desire to develop myself - and this website will remain my 100% home-grown, self-developed pseudo-blog with a very limited feature set and no interactivity. The blog has LaTeX support and allows me to present galleries of technical figures and diagrams.
These recent blog articles showcase what elkemental Force has been and is covering now (the end of a journey that started already two years ago - when heat pumps and thermodynamics replaced quantum physics):
My personal website, on the other hand, should be just this: A more self-indulgent site that provides status updates, meta-information and About-Me-style summaries. Because of that I will keep not sharing articles here to any social network.
And so yes: The hands-on engineering, physics, math and data analysis will be done over there on the blog. But there really are personal meta-thoughts on physics - so I don't have to change categories here.
(Theoretical) Physics and Me
Over the Christmas holidays I have been nearly offline from social media. I used the internet as I believe it was intended for me: To learn about something in depth and not necessarily sharing my insights or my 'progress'. I indulged in theoretical physics lectures just for the joys of it. I can rationalize: Yes, a bit of mathy gymnastics also serves me well when I deal with more mundane physics as a professional - such as toying with the heat transport equation.
But the real reason is unrelated to work: Theoretical physics and mathematical modelling of a small part of a complex world give me the pleasure - and/or the illusion - of being able to understand and solve, well, something. Whenever I had been very stressed out in the past, close to burn-out, I got up even earlier - at 4:00 AM sometimes - to plow through Feynman's Physics Lectures or my favorite German volumes of theoretical physics by my late professor, W. Macke.
Not only did it help me to focus on abstract details of a logically clear universe and to enter a more detached state of mind, but amazingly it also made me work more efficiently and focused later - on whatever technical challenge I had to solve. In those days, I was mainly concerned with Public Key Infrastructure, networking security, and applied cryptography.
With hindsight - and hopefully not too much hindsight bias - I feel that a rigorous training in a mathy subject boosts your results in any endeavor that needs an analytical approach. Perhaps only your physics training makes you realize that you need a more analytical approach at all, in addition to soft skills, practice, and familiarity with the culture in certain industry sectors. I am thinking about project management, for example.
I believe that in any 'STEM' job, e.g. in IT, it is soothing to re-learn fundamentals often. One should know more than seems necessary about 'theory', before or in addition to knowing how to google, where to look things up, or which of your tech buddies to call. Success in technical troubleshooting always gave me most contentment when I was doing it mainly in my head - like walking through a networking protocol the way it was designed, comparing that to messy reality, and uttering an educated guess about the root cause of an issue which finally turned out to be correct.
Whenever I had been blogging about a field of physics not related to my work - like quantum field theory - it was these mental connections I had in mind. I was trying to convey the joys of physics, but my main focus was different from that of most science writers, so I think my writing was not engaging enough for the interested lay audience and sometimes oblique owing to too many references to math (whereas it was very basic for experts, of course).
My science writing is often a covert and feeble attempt to encourage others to tackle the real thing, that is the fundamentals and the math, and then to feel the same effects. I have seen that more books seem to have been released recently that try to bridge the gap between classical science writing (following the mantra: Every formula will halve the readership) and textbooks.
I want to be part of that movement.
The most exciting things, in no particular order:
Infrastructure updates - 'real'
- Turning the supporting construction of the first version of the solar collector into support for new wall heating loops - renovating the old kitchen: German article on the rebirth of the collector.
- Now we finally have what every green-minded home owner is expected to: A photovoltaic generator, plus smart metering infrastructure: Latest blog posting on data.
Infrastructure updates - 'virtual'
- We migrated three bank accounts, and I learned what I never wanted to know about different ways to set up debit orders. My favorite: an anonymous form on the vendor's website. Security = knowing your client's account number
- Our village has changed its zip code. I learned what I never wanted to know about how organizations store addresses. Goodie: Opening 'support tickets' turned interactions with big platforms into something human.
Work and Life
- One year ago we joked about it, now we do it: Planning heat pump systems the way we did IT projects - remote-only: Series of German blog posting on a project In The North
- Self-sufficiency, 'green life', and skin in the game: Harvesting 'salad' from the meadow for months: Blog posting on edible plants in the garden
Global corporations have their brand names tested for potentially unwanted connotations in different cultures and languages. Now I understand why.
One minimum requirement is perhaps: Being able to get it across on the phone.
...That's my surname, in German it's pronounced like [Add phonetic cryptic signs here]. But never mind, I will spell it out...
That's Latin and means Roots. It is a bit similar to radicles. Well, I realize now it differs just by a single letter... that may be unfortunate, sorry!
All our domains have their issues, also in German. This is the only one that causes no troubles in German. But in English you need to stress:
It's the German translation of Subversive, just remove E at the end!
Wow - that works well in English! You just have to mention the dash!
It's just a non-sensical acronym, I'll spell it out... Yes, name really is a top-level domain!
Now we enter the realm of business - and we have obviously tested the domain with utmost diligence:
That's an artificial German word, Punkt actually meaning Point or Dot. Hadn't I mentioned that it might have been less confusing in English than it is in German. But I'll spell it out for you...
To make it more confusing in English, we could create better sub-domains and e-mail addresses - to convey the spirit of the German confusion:
I wonder if the US Department of Transportation has similar issues.
Same rules as for search term poetry or spam poetry:
- Search your own site or profile on Google, using: site:elkement.subversiv.at/en/.
- Open each page in the order Google dictates.
- Pick one phrase from this (your own) post or article. Don't think about it too long! Editing is not permitted.
- Each phrase becomes a line in this 'poem'. Re-ordering or re-considering previous lines is not allowed.
reconnected with my roots
just reassembling weird snippets
since the turn of the millenium I have been experimenting
Alas, I stick with
Which also contains the expected meta-musings
a world taken right out of a gothic movie
We are now going to challenge this, and we will ask Google
I'll pontificate about anything nonetheless
This is done deliberately
I can hardly see a problem at all
pathetic attempts of mine
It turned to a second 'branch' of
a Perpetuum Mobile
Off-the-wall geek humor versus existential philosophical questions
You be the judge on lightness and darkness.
We are flabbergasted
Instead of a 'Bio'
The subscriber may not be happy with that
I rather pick and add what I stumbled upon
created from cookies
as sort of a mental exercise
allusions to the mystical without knowing about
in the glorious era of THE GREAT dotcom HYPE
my post adolescent postmodern gloomy stanzas
boiling down knowledge to the essential information
somewhen in 2003
a combination of my eternal laziness and lack of motivation
I got involved in some serious discussions
No human being on this planet registered the historical event.
my inner clock
spontaneous outburst of my creativity
the structure is always work in progress
in contrast to standard mantras of modern 'information and knowledge worker society'
We are using the Babylonian system of numbers
in sunny Pannonian Plain
Or could we be subversive all the time?
... and first post published to the new site, live and public now :-)
For a short time, the old sites are still available in parallel to the new site.
Looking back, I mainly struggled with:
- My flat-file database - accessing content and all meta information stored in text files, using standard SQL queries.
- Redirect strategy: Existing loads of redirects, temporary ones, permanent 301 ones, nice URLs without physical files...
- Migration of the actual content, uniting what was separated in different sources - asp files, RSS feed, CSV file databases
See also my latest blog post. Which also contains the expected meta-musings on The Web.
Lest we not forget - these were the old sites:
In the past weeks since the last update I've added the following features:
- XML sitemap including English and German posts - URLs and last changed date.
- Make yearly archive URLs 'hackable', thus using just /[lang]/[yyyy] as archive URL.
- Population of meta tags, using also open graph tags.
- Adding 'breadcrumb' / 'where am I' information by highlighting the item just clicked in the menu and side bars: Current category, current post, current tag.
- Assign an optional image to a post via related attributes: Image source, image size or full image tag (for embedding Wikimedia images plus copyright information). If an image should be displayed, but no source is given, add a standard image.
- Display the image automatically on the bottom of the post and use it in the open graph image tag, to be used as a preview image. Calculate height and size from the image's physical size and intended width.
- Create thumbnails of these images, to be shown in the list of posts in the category pages.
- Store all global configuration settings such as tagline in a config file that uses the same [name:] [value] parsing logic as content files.
- Migrate all existing posts on the sites e-stangl.at, radices.net, and subversiv.at, and keep track of where the content came from. (One former .asp page contained one or more 'posts').
- Use one default.aspx for all applications, differences depend on the app name. Example: Don't show post archive for the business page, but show latest posts from Wordpress blog feed instead.
- Clean old content: Replace relative references (../) by absolute ones, replace CSS classes in tags. Move meta infos from content to new file attributes.
Web Server Settings and DNS
- Tested the IIS URL rewrite module with a key map, to be created from Excel documentation. In case of issues with rewriting: Fall back to redirecting in a main ASP file.
- Configure new host names and subdomains in DNS as primary URLs of the new applications. Add new host names for testing to reflect the already existing redirects plus the migration redirects plus the future standard redirects.
- Modify the existing main default.asp, global.asa, and main asp script creating all pages to work with the new redirects (some duplicate code in asp and .net could not be avoided)
- Host name determines application name: One main host name for each of the (3-4) applications. I will use a subdomain of subversiv.at as my new primary host.
- Check if the application has been migrated, as per config parameters. If not, the existing redirect logic and existing asp code kicks in - which sends the user to a subfolder depending on host name. This is for historical reasons, as I had only one virtual web host in the old times, so e.g. e-stangl.at/ redirected to e-stangl.at/e/
- If the app was migrated, redirect all attempts to use a 'secondary' host to the new one. So e.g. accessing e-stangl.at will be recognized as calling the elkement app and redirect to my new primary name.
- Configuring the application as 'migrated' does not yet redirect any attempt to access one of the old articles. I will have to turn on my rewrite map or code for that.
- Complete all features for all applications before taking 'elkement'
- Feed parser for punktwissen,
- 'image database' for z-village (using small posts with images effectively as entries in a table of images), add an option to show the large version of the image inline.
- Maybe: Ordering of posts in category by changed date, not by created date.
- Limit number of posts on main page and on tag's pages, number = global parameter.
- Replace internal relative URLs to pages in the same virtual directory by absolute ones.
- Maybe: Replace parent path (../) URLs in old code, to turn Parent Path in the ASP config off as soon as possible.
- Migrate all content from side panes, header, and footer. Add images used before to new posts, re-use descriptions from old image database (TXT).
- Take elkement live and test redirects and preview images (social networks).
- If OK: Take the other apps live.
- Fix bugs
- Turn on redirects for old ASP pages.
- Watch results in web master tools.
- Inform Google about new URLs (Web Master Tools)
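The host-name dependent redirect logic from the Web Server Settings items above, as an added illustration in C# (not the site's own ASP / .NET code): the application table, the rewrite-map entry, the https scheme and all class and method names are assumptions. Unknown or malformed Host headers fall through to a 404 instead of being reflected into a Location header, and only same-origin absolute paths are carried over to the canonical host.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public enum RouteAction { ServeHere, RedirectLegacySubfolder, RedirectToPrimary, RewriteOldPage, NotFound }

// Hypothetical per-application config (assumption, not the site's real config file).
public sealed class AppConfig
{
    public string Name { get; set; }               // application name, e.g. "elkement"
    public string PrimaryHost { get; set; }        // canonical host of the new .NET app
    public string[] SecondaryHosts { get; set; }   // old host names that must redirect to it
    public string LegacySubfolder { get; set; }    // pre-migration subfolder, e.g. "/e/"
    public bool Migrated { get; set; }             // config switch: is the new app live?
    public bool RewriteMapEnabled { get; set; }    // second switch: redirect old .asp pages?
}

public sealed class RouteResult
{
    public RouteAction Action;
    public int Status;        // 200, 301, 302 or 404
    public string Location;   // absolute redirect target, null when serving locally
    public string App;        // application name, null for unknown hosts
}

public static class HostRouter
{
    // Constructed sample table (assumption). Host names are the ones named in the notes.
    public static readonly List<AppConfig> Apps = new List<AppConfig>
    {
        new AppConfig { Name = "elkement", PrimaryHost = "elkement.subversiv.at",
            SecondaryHosts = new[] { "e-stangl.at", "www.e-stangl.at", "radices.net", "subversiv.at" },
            LegacySubfolder = "/e/", Migrated = true, RewriteMapEnabled = true },
        new AppConfig { Name = "z-village", PrimaryHost = "zvillage.example",   // placeholder host
            SecondaryHosts = new string[0], LegacySubfolder = "/z/", Migrated = false },
    };

    // Constructed rewrite map: old physical .asp page -> new 'nice' URL (placeholder entries).
    public static readonly Dictionary<string, string> OldPageMap =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "/e/status.asp", "/en/2015/status-update" },
        };

    static readonly Regex HostPattern =
        new Regex(@"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$");

    // Lower-case, drop the port, and accept only DNS-safe characters; anything else is
    // treated as unknown so that an attacker-supplied Host value never reaches a redirect.
    static string NormaliseHost(string hostHeader)
    {
        if (string.IsNullOrEmpty(hostHeader)) return null;
        var host = hostHeader.Trim().ToLowerInvariant();
        var colon = host.IndexOf(':');
        if (colon >= 0) host = host.Substring(0, colon);
        return HostPattern.IsMatch(host) ? host : null;
    }

    // A path like "//other.example" would turn into a protocol-relative redirect, so
    // only single-slash absolute paths are kept; everything else collapses to "/".
    static string SafePath(string path)
    {
        if (string.IsNullOrEmpty(path) || !path.StartsWith("/") || path.StartsWith("//")) return "/";
        return path;
    }

    public static RouteResult Route(string hostHeader, string path)
    {
        var host = NormaliseHost(hostHeader);
        path = SafePath(path);
        if (host == null) return new RouteResult { Action = RouteAction.NotFound, Status = 404 };

        AppConfig app = null;
        foreach (var a in Apps)
            if (a.PrimaryHost == host || Array.IndexOf(a.SecondaryHosts, host) >= 0) { app = a; break; }
        if (app == null) return new RouteResult { Action = RouteAction.NotFound, Status = 404 };

        if (!app.Migrated)
        {
            // Old behaviour: one virtual host, each site lives in its own subfolder.
            if (path == "/")
                return new RouteResult { Action = RouteAction.RedirectLegacySubfolder, Status = 302,
                    Location = "https://" + host + app.LegacySubfolder, App = app.Name };
            return new RouteResult { Action = RouteAction.ServeHere, Status = 200, App = app.Name };
        }

        // Migrated: the rewrite map (once switched on) wins, then the canonical-host redirect.
        string newPath;
        if (app.RewriteMapEnabled && OldPageMap.TryGetValue(path, out newPath))
            return new RouteResult { Action = RouteAction.RewriteOldPage, Status = 301,
                Location = "https://" + app.PrimaryHost + newPath, App = app.Name };
        if (host != app.PrimaryHost)
            return new RouteResult { Action = RouteAction.RedirectToPrimary, Status = 301,
                Location = "https://" + app.PrimaryHost + path, App = app.Name };
        return new RouteResult { Action = RouteAction.ServeHere, Status = 200, App = app.Name };
    }

    public static void Main()
    {
        // Constructed requests: secondary host, old page, canonical host, unmigrated app,
        // unknown host, and a protocol-relative path.
        var requests = new[] {
            new[] { "e-stangl.at", "/" }, new[] { "E-STANGL.AT:80", "/e/status.asp" },
            new[] { "elkement.subversiv.at", "/en/" }, new[] { "zvillage.example", "/" },
            new[] { "evil.example", "/" }, new[] { "elkement.subversiv.at", "//evil.example" } };
        foreach (var req in requests)
        {
            var r = Route(req[0], req[1]);
            Console.WriteLine(req[0] + " " + req[1] + " -> " + r.Status + " " + r.Action + " " + r.Location);
        }
    }
}
```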
I've built the underlying 'flat-file database' (Details in this post), and my not yet public site has these features now:
- Menu bar from pages.
- Show all postings on home page
- Recent posts and archive in left bar.
- Tag cloud in right bar, tags created by grouping all posts' meta data.
- 'Tag page': Show all posts tagged with a specific tag.
- Indicate category of current posting by highlighting category in the menu.
- Highlight currently clicked article in archive.
- Menu page contains custom text plus automatically created list of all postings in this category.
- Automatic creation of RSS feed.
- CSS stylesheet and responsive design.
- 'Nice' URLs - ASP.NET Routing.
Currently I am painstakingly migrating snippets of content to new counterparts / articles / text files.
For testing I am using a layout similar to my Wordpress.com's blog design now:
I am finally doing it:
Having run three different websites on a hopelessly outdated 'platform' (ASP) for nearly 15 years, I set out to:
- Develop a new .NET site from scratch.
- Merge all three sites - subversiv.at, radices.net, e-stangl.at - into one.
This will take a while. I am really longing for programming for fun. I don't migrate to WordPress deliberately - I have two wordpress.com blogs and like them a lot, but I want this place I design from scratch just for the joy of it.
All existing subversive / Elke's / back-to-the-roots stuff will be migrated to the new site, and I try to go as gentle as possible on the old asp URLs afterwards.
However, this means I will most likely not manage to publish new content to the old versions of these sites while I am working on the new one in the background.
I will report on the progress on the main page of the old sites, and I will keep up my usual blogging over at elkement.wordpress.com.
The Elkement is a Netizen and living in many places. Its most innovative poetry has actually seen the light of the virtual day elsewhere.
Shamelessly plagiarizing ourselves, we cross-post the whole list of Poems from the Virtual Scrapyard Below. But we add bonus material and - again! - invent a new genre (first seen @ subversiv.at): From each of the historical poems, one line is picked to be inserted in a new poem (So this is Poetry From Poetry). Rules: One poem needs to be processed after the other, in chronological order, and you must not go back to older poems and change the picked line. So you don't know how the story will unfold. As real life as it can get in experimental poetry!
Poem from Poems
One line taken from each of the poems / articles on poems listed below, starting with the oldest. Note that some blog postings are meta-postings on poetry; so not every line was poetry in the 'original'.
just received a blank piece of paper in the mail
irony vs oxymoron
I ain’t saying your information isn’t solid,
A Digression – There is no digressification, is it?
I don’t dare to do more research!
and things should be back to normal
make sure there are no hidden phrases
poems standing on the shoulders of others
to flush the toilet
everything has already been told
40 below summer fire at zero gravity
you might want to put that on your blacklist.
You must not edit the original lines in any way
If you are inside the horizontal scenery
These are actually enormous ideas
irrevocable, eternal – insert you favorite legal phrases
un-ambiguity and preserveness
alien themed control panels
abilities in narrating an event
travel in past by falling asleep
engineering and art meets
let us determine what you think
i need to remember this
dark side of me is even more interesting
gloomy and cynical futurism
That was a difficult period and I couldn’t maintain my sanity
It doesn’t matter if you forget the lyrics
Fun and adventure that is
Exploding the Phone
What should become a manifesto
sealed by the tokens of 20th century’s civilization
To be continued...
The list of seed poems
[2015-08-01] Travelling Like Spam Poetry. How spam poetry actually started - doing it in real-live instead of writing it.
[2015-07-02] What the Internet Asks of Me. A cross-over between Search Term Poetry and trying to seriously learn from the searchers’ questions.
[2015-03-18] Virtual Book Spine Poetry (Edition 2014 + 2015/6). Merging two posts: 1) the 2014 edition of my yearly book reviews, a tradition I started last year, and 2) my next experimental poem, in a new experimental genre.
[2014-12-22] Google Translational Poetry – Austrian Christmas Edition. Poem already created from Google results – transformed once more by running them through 10 languages in Google Translate. Bonus: Literary critique and a connection to a Wikimedia image related to Christmas and to Austria.
[2014-12-04] Imaginative Poetry. Inspired by the Second Name of Collected Space. Flarf taken to the next level: Inspired by images created also by a flarf-y method. And printed on real paper – for the first time.
[2014-11-01] Poetry of Anything. Now I Know This Is Called Flarf! I learned two things: 1) I am very late to the poetry-from-the-internet-scrapyard party, but 2) that stuff is serious art. I am also trying something new – poems unrelated to my websites but fuelled by Google only.
[2014-08-24] The Destiny of the Universe. My darkest spam poem so far, not for the faint of heart. I owe to the spammer trying to sell games involving the killing of aliens.
[2014-07-28] Crowdsourcing Poetry (Again). Search terms from the second quarter, blended with terms from Google Webmaster Tools and some enigmatic – and typically Austrian – images.
[2014-04-04] Search Term Poetry – Spring Edition. Very condensed search terms, mixed with some pathetic images taken by an ancient smart phone.
[2014-01-10] I am determined to subvert Google’s efforts to hide this precious raw material for Search Term Poetry: Search Term Poetry Sans Google.
[2013-12-06] Celebrating one year of so-called poetry with a stream-of-consciousness-style Spam Poem: Poetry from the Virtual Scrapyard Anniversary: I Subconsciously Think about This Element.
[2013-10-12] Breaking News on Search Term Poetry (Good, Bad, Ugly). A post by an accomplished author featuring one of my search term poems has been Freshly Pressed, but Google has started encrypting search terms. The end of Search Term Poetry?
[2013-10-03] The Science of Search Term Poetry, using mostly physics-related search terms from the third quarter.
[2013-09-08] Quarterly Search Term Poetry Results (Overdue!) based on search terms submitted in the second quarter. For the first time comments left on the previous post have been included.
[2013-08-14] Welcome to the Real World! – warm-up after a time-out from social media with a haiku-style short Search Term Poem.
[2013-06-06] What? A Spooky Spam Poem of Danger, Fear, Hope, and Lifeless Faces: combining Spam Poetry and images for the first time. (Warning: This poem is not for the faint of heart.)
[2013-05-26] Decoding Myself: Searching for Hidden Clues in My Blog Posts’ Titles – founding a new variety of the genre (again) by creating poetry from headers of posts of mine.
[2013-05-16] Existential Spam Poem: The Soul of This Bag takes the concept of dialogue one step further: We hear a disciple appealing to his or her cult leader.
[2013-05-07] Remarks Written by Brain-Dead Visitors is a surprisingly apt self-referential comment, promoted to the title of this post and the spam poem (sub-)titled searching for sanskrit tattoos. This poem was the first showing off dialogues containing fortune-cookie-like pearls of bizarre wisdom.
[2013-04-26] My debut as a literary critic and spam poetry expert – a review on the (alleged) first book of Spam Poetry: Surprise Potatoes in the Soldiers’ Vegetable Soup!
[2013-04-16] Impolite and Humiliating Spam and Why We Really Need Tags for Spam Comments More than Time Machines, a poem made from nasty spam only.
[2013-04-04] Spam Poets Write Weird Things was a Search Term Poem. For the first time the title of a blog post was borrowed from a search term. Since search terms on WordPress Stats started to repeat themselves I have also added terms from Google Webmaster Tools. On the other hand I introduced length ordering of search terms.
[2013-03-29] I Need More Trivial Content which was: A Spam Poem created from snippets of a blog post of mine that had been pasted into a spam comment in its entirety.
[2013-03-22] On the Hierarchy of Needs and Needless Things – not really poetry, just two search terms. But the post itself could be called art from the scrapyard.
[2013-03-03] My Zen-ny Search Terms: Where Engineering Meets Art Meets Physics Meets Geekdom. (And Rodents, Sometimes.) and providing the concise How-to-guide readers have asked for.
[2013-02-13] Turning Flattering Chatty Spam into Postmodern Art.
[2013-02-01] An attempt to transcend the genre: The Art of Error Messages.
[2013-01-24] What a let-down: Standing on the Shoulders of Giants and Not Recognizing It.
[2013-01-18] Spam Poems and Search Terms Poems: Preliminary Results. I have started a movement – this is an account of its history.
[2013-01-14] Taking Crowdsourcing of Art to the Next Level? by including spam comments in my poems, in addition to search terms.
[2012-12-31] The end of the year and some life events are celebrated in a search term poem: 2012: The Year We Make Contact.
[2012-12-12] The very first search term poem saw the light of the blogospheric day: Crowdsourcing of Art: Poetry from Search Terms.
I had been a PKI consultant since 2002, mainly working with European enterprise customers on designing and implementing the PKIs they run in-house. Now I support some long-standing clients with their PKI / X.509 issues, but I don't take on new clients.
As a former Microsoft employee I have focused mainly on the Microsoft PKI, versions Windows 2000 / 2003 / 2008 / R2 / 2012 R2 - but I also had some exposure to various other PKI-enabled applications and devices. The fun part of PKI projects is in debugging weird issues that exotic or allegedly 'industry-grade' applications have with validating certificate paths, using keys etc.
- I try to keep track of links, books, papers etc. I found useful and add them to this list. This is not intended to be the perfectly structured, 'educational' collection. I rather pick and add what I stumbled upon while working on PKI issues or discussing with other security freaks.
- I started logging PKI issues here. The idea is to describe them as concisely as possible, in TXT format.
- Struck by vanity I made the collection of my modest own contributions a page in its own right. I am also trying to keep track of my postings to security forums in order to use those as my knowledge base.
I am originally a physicist (PhD completed in 1995), worked in R&D and switched to IT security. In 2013 I completed another master's degree, called Sustainable Energy Systems, and wrote a master thesis on smart metering and security (LinkedIn profile). Now I am a consulting engineer working with heat pumps that use a special heat source. Yes, I know - it is weird to combine that with PKI.
The security of the smart grid and the internet of things [add more buzzwords here] provides options to re-use my security know-how in the context of my new field. Such heat pumps may use control units connected to 'the internet', and all kinds of certificate-/PKI-enabled stuff might be involved here.
For five years I have given a yearly lecture in a master's degree program, then called Advanced Security Engineering at FH Joanneum. Here is the last version of the slides.
This is an image I called PKIs in the real world in this post.
We feel the fresh air of a new category: A new major tag that has infected most of our online content: It is called Work, Life, and Balance.
So it has to be added here of all websites, of course! Do we need a manifesto?
We don't want only a solar collector for research and self-sufficiency - we want 100% self-sufficiency re tomatoes!
We don't only want to hack play with our inverter's web interface - we want to have enough time to watch our PV panels harvesting energy!
We are flabbergasted as we notice that we tied 'Subversion' to hackneyed clichés from managers' self-help books and Dilbert-style satire. Or to fluffy internet poetry. Lest we forget that subversion is hard work and rather down-to-earth...
... THIS is subversive:
I have been chronicling the books I have read on my blog since 2012. For 2014 I wanted to do something different: I created the virtual equivalent of Book Spine Poetry.
This page here (on e-stangl.at) does not seem to fit into my overall system of writing and curating content in different places. But on the other hand I had once started the first list here, stating that what you write about books says more about you than about the books.
Last year I read mainly about:
IT security and related culture and history. I'd attribute this to nostalgic flashback and the feeling I can and should tell some funny anecdotes many years after they had happened.
Sleep research. I believe that sleep is underrated and professions are self-selecting. I am a different being when I can sleep in harmony with my inner clock. I have briefly reviewed three of these books in my blog posting on hacking the biological clock - written under the impression of the upcoming most hated Sunday of the year, end of March 2014.
Technology and its interdependence with work and life. I wrote only three posts that might qualify as book reviews, and they represent my inner inconsistency and ambiguous thoughts:
- Nicholas Carr's thoughtful critique of too much automation. Though I was some sort of tech professional, maybe even an evangelist, for most of my life, it struck a chord with me. Not only do I brag, tongue-in-cheek, about using a scythe, but I sometimes prefer the less automated and less 'smart' solution. I can relate to architects and photographers voluntarily renouncing software.
- Automattic's (WordPress') way of organizing its global workforce. I also enjoy working 'remotely' and communicating 'asynchronously'. We have worked in IT like this for a long time, but we have also started to do so in our down-to-earth heat pump projects.
- Douglas Coupland's Generation X. Gen X’s denial or envy of their boomer parents’ values and social security, and their denial of their considerably younger siblings who are cooler and more career-oriented. Yet, Coupland ends on an optimistic note.
Today I am writing articles on physics mainly on my English (elkement's) blog and our German (punktwissen) blog. This site (and its precursor, radices.net) helps me with curating the links to my English physics postings.
All English postings written to date are displayed below, in descending order, from the Physics category's feed on my blog.
While I gravitated toward quantum theory and the connection between physics and philosophy in 2012 and 2013, I finally switched to more hands-on applied physics in 2014. Before that I had done 10-15 years of soul searching; some of these posts from 2012-2013 give proof of that.
I blog about anything heat-pump-related, in particular about our system. In addition, I am interested in thermodynamics, heat pumps and heating systems in general - and their integration with the smart grid and related security concerns. These are my postings about our 'ice-storage-/solar-' powered system specifically and postings on closely related subjects like the power grid, renewable energy and sustainable living.
As the saying goes, an expert is somebody who has committed every blunder in his or her discipline. It should be 'her' discipline, as I have finally made it. I can prove it via two similar but independent (and surreal) events.
1) The Subversive Element's website had been hacked. Well, not quite: it was the same web server, but the URL pointing to The Element's so-called business identity.
Paranoia and panic were mitigated by the curiosity of the nerd. The Element spent countless hours dabbling with Google Webmaster Tools. That is: not only clearing Google's cache of spammy URLs, but also scrutinizing all data available, for all websites, including the elkementary blog. And there we looked into an abyss:
2) Google's love for the elkement's blog was dwindling - by a factor of 100 within a few weeks.
But what an opportunity: Conspiracy theories running wild. In two blog postings, presented to THE INTERNET at a global level:
Of course I want you to click these links. The anatomy of a hack part is perhaps interesting. After all, I can still consider it correct, given most recent findings.
This does not apply to the elemental theories on Google. Here is the final explanation, in an incredibly brief posting, by elkement's standards:
- [2015-01-23] All My Theories Have Been Wrong. Fortunately!
tl;dr: All WordPress.com blogs had been gradually migrated to https only in the past months. In Google Webmaster Tools you need to add the https URL as an additional site. My traffic was tucked away in statistics for the https URL.
Facepalm, Tim Green from Bradford, Wikimedia.
(December 24, 2014. Updated: April 1st, 2015, not funny though.)
The outlook was vague and dubious.
You can take pride in the way you've already mastered.
Fortune favors the prepared mind.
Be creative with what is available.
Don't underestimate the power of the right companion.
Sorry, wrong image! I try again!
I am alone in the fog, but the victory is mine.
I'll pontificate about anything nonetheless.
I am running a small engineering consultancy together with my husband. Following Star Trek terminology, he is Chief Engineer, and I am Science Officer.
In overly correct legalese, my job titles according to our business licences are 1) Consulting Engineer in Applied Physics and 2) IT Consultant.
We specialize in planning heat pump systems with unconventional heat sources, that is a combination of an underground water tank and an unglazed solar collector. 'IT' means: playing with control units and data monitoring.
As we run a German blog focused on this system and I also devote a 'sub-division' of my English blog to it, I use this site (radices.net) mainly for consolidating resources and links - in the same way as I curate security / PKI related links. Perhaps these link dumps will not be very useful for anybody but myself.
I once was a laser physicist and a materials scientist - my specialties having been high-temperature superconductors, laser-materials processing with Excimer lasers, and the microstructure of stainless steel. Then I turned to IT security, IT infrastructure and IT management for more than 10 years.
In 2012 I felt the urge to reconnect with my roots as a scientist and engineer, and we started working on our own heat pump research project in stealth mode. It turned into a second 'branch' of our two-person business. There are connections between my different fields of expertise - IT security and heat pumps - like: the security of the smart grid, 'hacking critical infrastructure', monitoring and control systems. Even the data we gather with our pilot setup have turned into 'big data' that require analysis and management.
So I am actually more of an engineer than a physicist. But I am still very interested in theoretical physics as sort of a mental exercise, and I indulge in reading textbooks as hobby. In 2013 I had focussed on (re-) learning quantum field theory.
Since 2014 I am mainly blogging on down-to-earth classical mechanics or thermodynamics, and I enjoy doing cross-checks and back-of-the-envelope calculations on my blog.
Heat pump usage in different countries and history of heat pumps
- Swedish Ground Source Heat Pump Case Study (2010), by GNS Science (New Zealand based consultancy)
- History of heat pumps - Swiss contributions and international milestones, by Martin Zogg, Process and Energy Engineering
Unusual heat sources
- Aquifer at Oslo Airport
- (Former) Cisterns - a paper documenting research done in Iowa in 1993. I have also summarized the paper in this blog post.
Sizing heat pumps - I am trying to learn the terminology of standards commonly applied in English-speaking countries:
Power grid and availability
- March 20 (2015) Solar Eclipse - a challenge for European Transmission System Operators: Announcement by ENTSO-E, Analysis by a US-based company, success story. Electricity production in Germany (select week 12 of 2015) - the dip on March 20 is visible.
- Squirrels a major issue for the power infrastructure of the US: Squirrel Power!
- #DarkNL - outage in Newfoundland and Labrador, Canada in January 2014.
Hydro power plants
In Sweden the world's largest pumped hydro storage plant might be built:
- See the bottom of page 30 of this research paper: "Besides the official estimations there are some discussions [28b] about building pumping capacity between the lakes Vänern and Vättern in Southern Sweden. The difference in altitude is 44 meters between these lakes."
- ... and the last page of this presentation: "Possible future? Mariestads Kraftverks AB & others 50 km tunnel between the lakes Vänern & Vättern Cost: 250 billion SEK. Installed capacity: 50000 MW."
Free long-term weather data
Input data for your own simulations.
Germany and Austria.
- FTP server of the German weather service. Extensive and detailed data, e.g. ambient air temperatures, for some locations since 1950!
- Annals by ZAMG - Austrian national weather service. Daily averages since 1994 as CSV files (only if you pick the link for German readers; the EN version still links to data in the older HTML format that requires you to run a browser in compatibility mode).
- Climate data for the last decades. The navigation is something you need to get used to (pick: Cities, Climate, Climate Robot...). Therefore I start with Ice Days for Vienna. It is a bit weird that the available data seem to depend on the choice of language (less data for Vienna in English).
The winter of 1962/63 was the coldest in 250 years in Europe (German article: Winter 1962/63 in Europa. English article: Winter of 1962–63 in the United Kingdom).
More data from a talk / slides available at the website of the Royal Meteorological Society: The bitter winter of 1962/63 - this winter was unusually mild in Canada and Greenland (p.17)
Could such a winter ever happen again? "The 1963 winter is well within the population of other cold winters that have been experienced in this country ... It is not necessary therefore to seek some very special cause in order to explain it." – H.C. Shellard , Meteorological Magazine , 1968 (p.21 of PDF)
Different heating systems
Statistics for Austria: Heating 2003 to 2012 by fuels used and heating system (in Austria). Less than 15% of (primary) heating systems are stoves, and they have been on a decline in the last decade.
Units, heat values, energy costs
Tools for converting units
- Heating values of solid, liquid and gaseous fuels (German Wikipedia: Heizwerte von festen, flüssigen und gasförmigen Brennstoffen).
- Heat values of different varieties of wood, per cord.
- Energy Content in Common Energy Sources (engineeringtoolbox.com)
Properties of water (for comparing the energy stored in a water / ice tank)
- Interesting properties of water as per Wikipedia: Specific heat, density.
- Thermal properties of water (engineeringtoolbox.com)
Costs of energy - international
- Photovoltaic systems are more expensive in the US than in Germany (2014), even though prices have dropped.
- Comparison of the costs of a kWh of electrical energy worldwide. Costs seem to be much lower in the US and in Canada than in Germany. This article about the details of a typical US electrical bill implies that there are delivery fees on top of energy fees. On the other hand, the value for Germany seems to include everything.
Monitoring, Control, IT
Metering and monitoring electrical power consumption
- Smart meters with data loggers and/or various interfaces for attaching loggers - to be installed behind the official smart meter:
- EMU Professional, different types available with different interfaces such as M-Bus, Modbus TCP and RTU, HTTP, included logger.
- Specification of the EMU meter's Modbus RTU interface.
- EM Series by B-Control / TQ-Systems (The SMA Smart Meter is an OEM meter of that type): EM210 has a web server for online monitoring and stores log files, EM300 supports real-time logging via Modbus RTU, Modbus TCP and a simple HTTP interface (but does not store log files, and uses the web server for configuration only).
- Parsing an online monitoring website is perhaps the most universal 'real-time protocol' in case no other interfaces are available, e.g. using PowerShell. I tested this with the local website of a Fronius Symo inverter and their web portal www.solarweb.com. One option: start an InternetExplorer.Application COM object and identify the HTML element containing the interesting value by its ID (getElementById).
Manuals of data loggers by Technische Alternative GmbH (for control units UVR1611, UVR16x2)
- C.M.I - Control and Monitoring Interface
- BL-NET Bootloader
- Logging with CMI and BL-NET on the same CAN bus in parallel is not supported.
- Bus topology. Note that UVR1611 is automatically terminated by default.
Heating with computers
Computers installed in private homes provide their computing power to cloud services - while heating those homes.
- Paper presented at the conference Hotcloud 2011: The Data Furnace: Heating Up with Cloud Computing.
- A prototype based on a similar idea, in need of crowdfunding, 2015: Project Exergy wants to build a home computer that also heats your house.
Basics (Physics) - Mechanics, Electrodynamics
The Feynman Lectures of Physics
This seems to be the fundamental question The Subversive Element is trying to answer on numerous Red Pages.
subversiv.at has been a feeble would-be protest against the Dilbertesque world of work. After I had risen to the challenge, lamented, fought, and transmogrified myself, I consider that resolved, once and for all. What remains to be done here? Write comments on my comments on my old articles, the ones I recoil from in horror when re-reading them. Sometimes I comment in English on German stuff or vice versa. Sometimes I resort to Google Translate to reach one more meta-level in creating Google-based poetry from existing Search Term Poetry or Spam Poetry.
Can that be art? Never, I'd have said a few weeks ago. But recently the Element has learned that this is indeed art, called 'Flarf'. So I have been creating Flarf for nearly two years - or perhaps longer, if some of my early subversive art here counts as well - although I was not the innovator I had hoped I was.
But there is an eerie effect - you experts will explain that to me. Each Flarf poem has the same signature style or flavor - I call it the post-modern, the dystopian. It is experimental sci-fi movie crossed with Dilbert going New Age. It is being ironic about irony. Or maybe not. This is independent of the details of the Flarf method used - search terms, spam comments, arbitrary Google searches, even snippets from my own posts, or readers' comments - they speak to me in the same way.
Here is an example: my latest Spam Poem to date, cross-posted from the elkementary blog. The complete list of all Flarf poetry listed chronologically is curated here - if and which ones I re-post here remains an enigma to myself, much like Flarf.
the destiny of the universe
my honest, preconceived thoughts
a great unreal dream
when you con the destiny with your artistry
gloomy and cynical futurism
that any mortal should avoid
you arrive from the Victorian England
in the known galaxy
dark and cynical sci-fi
forces an illusion
of that time gone by
When skyscrapers were first built
you are not understanding anything
what if i told you
There are undoubtedly more color options nearby
started to be repetitive
one of the big deterrents to me
your deprecating coherence
is a potpourri
this type of despicable hypocirite
it will be the future of the human race
handing more control over
lets us progress even deeper into this sci-fi nightmare
armor and weapon
usually do not adhere to regulations
The glare of the goblin sparks partially blinded him.
player in cyberspace
heed your call of duty
I’ll certainly come back
through the dust
or snipe the undead beasts
talk with other mentors
men and women dressed in cartoon costumes
The cartoon is attractive
corporate, regal, or fair-minded
reported to have ghost activity
called Glass Collective
never publicly dated anyone
Put your prowess to evaluation
removing their skin
rapidly rose the reputation
conditional upon the execution
Disgrace on Google
the cosmic horror
We do know these people analyze
Numerous aliens in space will traumatize you
with the fantasy stars
Your toddlers shall like it
none of the visions has borne fruit
as a matter of fact
in public areas nevertheless
The spring of 24
most is inconsistent
becomes a virtual community
something that we are hoping
i could truthfully do something to be able
Slowly return your head to the original position
Will there be a part 2?
the last sentence of the page
... we show you an organic - 'bio' - space probe.
Elkement is an amalgam of Elke and the Subversive Element.
Physicist and consulting engineer by trade and by day, self-proclaimed dilettante science blogger and avant-garde poet by night.
This is a compilation of threads in Technet forums, organized by topic.
Chain validation and revocation checking issues
Chaining and hierarchies
- 3 Tier CA Hierarchy - Configuring the 2nd Tier. I recommend Microsoft's own PKI showcase and reading Technet forum discussions about policy OID 'inheritance' and avoiding the Invalid Issuance Policies error.
- How to force clients to trust a Windows Enterprise CA? GP Update, check pkiview.msc, publish the CA certificate to AD if it had not been published.
- Population of the Root CA certificate store with CAs certified in the MS Root Program. Done on demand since Vista; it can happen that not all EKUs are finally checked.
- Maintaining Root Certs on Server Without Internet - like subscribing to a list of required CAs in the MS Root Program (and being informed about their 'revocation'). Not an option, unfortunately.
- How to configure an offline policy CA: Standalone CA, not a domain member, better not use LDAP URLs pointing to a location in AD.
- Cross-Certification for Non-Windows Clients - discussion of things to consider when trying to cross-certify a new CA (in this case a SHA256-signed Root CA) by an existing CA (SHA1-signed Root). It seems my conclusions from bifurcated certificate chains can't be generalized to all scenarios.
- What happens to issued certificates when a CA is renewed? They stay valid unless something weird was done in configuring CDP / AIA.
- CRL validation for CACert certificate fails despite accessible CRL. The CRL is large, but I believe the main issue is using an HTTPS URL for one of the CDPs. Even if it is redirected to HTTP, the certutil client might refuse to follow the recursion, which is OK as per RFC 5280.
- Processing of policy OIDs in capolicy.inf. It seems in this case the file has not been processed.
- Can an Enterprise Root CA be converted to an intermediate CA? It cannot but a new intermediate CA can be setup with a new certificate and the same key as the former Root CA.
- Authoritative list of public CAs. There is not a single list but different certification programs.
- Which names used for / with a CA can be changed on renewal.
- What is 'verification' of a Root CA certificate?
- Adding the Intermediate CA certificate to Trusted Root store can cause an error 403.16 in IIS and thus break certificate validation. (Side-track of OCSP-related 'case')
- Allegedly corrupt signature: Due to certificate chain built just on name matching as the wrong issuer CA certificate (wrong key but same name) had been imported.
(For issues with SCEP and EFS, see the sections on applications at the bottom of this page.)
- Configuration of UNC paths as CRL publication URLs.
- White papers on how to make OCSP servers and CRL web servers high-available?
- pkiview errors as the Root CAs CRL has not been published manually to the web server. A PKI left as a legacy to the next admin.
- 802.1x authentication error after the CA had been migrated to another machine. Reason: the new instance of the CA hadn't published CRLs to the old locations. Note that pkiview.msc keeps seeing the old locations even though all issued certificates (including CAExchange) already show the new ones.
- Disadvantages of LDAP CDP and AIA URLs, and how to populate HTTP URLs via publishing to UNC paths.
- How to configure delta CRLs - properties of extensions, publication options
- How to fix issues with revocation lists using LDAP URLs after a DC had been renamed that also hosted the CA service.
- Sorting out different ways of caching validation info: CRL caching, OCSP response caching, OCSP web proxy.
- CRL validity period and overlap - basics.
- CRL has not been copied to the CRL server denoted in the CDP or the defaults have been used and the URL points to the Root CA itself. [ref]
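As an added example (not code from this page or from any of the threads it links), here is a small Python lint for the point made above about HTTPS and LDAP CDP URLs: it builds a constructed CRLDistributionPoints extension value, walks its DER structure as defined in RFC 5280, and flags URL schemes a relying party may not be able to use. The host names and the LDAP path are placeholders, and the DER helpers are a minimal stand-in for a real ASN.1 library.

```python
"""Extract and lint the CRL Distribution Points (CDP) URLs of a certificate extension.

Constructed example: the sample URLs and the DER encoder below exist only so the
lint runs offline; in practice you would take the bytes of extension 2.5.29.31
from a real certificate.
"""

CRL_DP_OID = "2.5.29.31"  # id-ce-cRLDistributionPoints (informational)


# --- minimal DER helpers (single-byte tags only) ---------------------------

def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(content)) + content


def _read_tlv(data: bytes, i: int):
    """Return (tag, content, next_index) for the TLV starting at data[i]."""
    tag, first = data[i], data[i + 1]
    if first < 0x80:
        length, j = first, i + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(data[i + 2:i + 2 + n], "big")
        j = i + 2 + n
    return tag, data[j:j + length], j + length


def _children(content: bytes):
    """Iterate over the TLVs directly contained in a constructed value."""
    i = 0
    while i < len(content):
        tag, value, i = _read_tlv(content, i)
        yield tag, value


# --- CRLDistributionPoints, RFC 5280 section 4.2.1.13 ----------------------
#
# CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
# DistributionPoint ::= SEQUENCE {
#     distributionPoint [0] DistributionPointName OPTIONAL,
#     reasons           [1] ReasonFlags OPTIONAL,
#     cRLIssuer         [2] GeneralNames OPTIONAL }
# DistributionPointName ::= CHOICE {
#     fullName                [0] GeneralNames,
#     nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
# A GeneralName of type uniformResourceIdentifier is context tag [6].

def build_cdp_extension(urls):
    """Encode one DistributionPoint with a fullName URI per URL (test data only)."""
    dps = b"".join(
        encode_tlv(0x30,                                   # DistributionPoint
            encode_tlv(0xA0,                               # [0] distributionPoint
                encode_tlv(0xA0,                           # [0] fullName
                    encode_tlv(0x86, u.encode("ascii")))))  # [6] URI
        for u in urls)
    return encode_tlv(0x30, dps)


def extract_cdp_urls(ext_value: bytes):
    """Return every URI found in a DER-encoded CRLDistributionPoints value."""
    outer_tag, outer, _ = _read_tlv(ext_value, 0)
    if outer_tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    urls = []
    for dp_tag, dp in _children(outer):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for field_tag, field in _children(dp):
            if field_tag != 0xA0:          # skip reasons [1] and cRLIssuer [2]
                continue
            for name_tag, names in _children(field):
                if name_tag != 0xA0:       # nameRelativeToCRLIssuer [1] has no URL
                    continue
                for gn_tag, gn in _children(names):
                    if gn_tag == 0x86:     # uniformResourceIdentifier
                        urls.append(gn.decode("ascii"))
    return urls


def lint_cdp_urls(urls):
    """Classify each CDP URL: (url, code, reason). Code 'ok' means plain HTTP."""
    findings = []
    for url in urls:
        scheme = url.split(":", 1)[0].lower()
        if scheme == "http":
            findings.append((url, "ok", "plain HTTP, fetchable by any relying party"))
        elif scheme == "https":
            findings.append((url, "https", "RFC 5280 (security considerations) advises "
                             "against it: validating the TLS server certificate can "
                             "recurse into the same CRL, so clients may refuse the fetch"))
        elif scheme == "ldap":
            findings.append((url, "ldap", "usually points into AD; unreachable for "
                             "non-domain or external relying parties"))
        else:
            findings.append((url, "other", f"scheme '{scheme}' is not a usable CDP"))
    return findings
```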
Windows PKI design, implementation, and maintenance
PKI AD integration and clean-up
- CA migration from Windows 2003 to 2012 R2. Brief summary, link to migration guide.
- Move a CA from a DC to another machine. Mind tweaking the CDP URLs accordingly!
- Backup and recovery and high-availability options - for a CA issuing VPN client certificates.
- Migrating a CA to a machine with a different host name. Discussion of the detailed migration procedures, especially about how to tweak AIA and CDP URLs.
- Cleaning up DC certificates, changing the 'preferred CA'. There is not really a preferred CA; it depends on which CAs the templates are published to.
- Removal of unwanted Root CA certificates - by cleaning up AD stores.
- How to fix issues with revocation lists using LDAP URLs after a DC had been renamed that also hosted the CA service.
- References to the CA's machine name in the Enrollment Services object in AD versus the ones used in certdat.inc.
- What happens when a CA is retired.
- What happens to Active Directory if you install an Enterprise CA
- Impact of Enterprise CA removal on AD replication.
- Clean-up after removing CAs - for an extinct CA and another one that has been restored but is not used.
CA migration, backup and restore and high-availability
- How to migrate the CA's configuration to another machine. Either re-do it (Scripts, certsrv.msc) or export the CertSvc registry key and edit it: Leave only the relevant settings (validity periods, typically).
- Make a PKI high-available that is currently running on a DC. Migration is an option (but CDPs will get messy); starting all over is preferred.
- CA cannot start after a 2003 to 2008 upgrade due to an issue with an incompatible log file format. I guessed wrong - it was not the case-sensitive entry for the hash algorithm in the registry this time.
- Windows CA redundancy - not really possible. Options: Windows clustering (shared database), just make the certificate issuance service high-available with a second CA, proper CRL periods and overlaps, long-lived emergency CRLs.
- How to migrate to a new CA: In this case because the existing CA used DSA instead of RSA.
- CA migration and required actions for EFS Recovery Agents.
- CA in another AD forest.
- Certificate Services backup and restore - short overview.
- Migration to a CA with a different host name.
- Does a second CA help? Only to make certificate issuance HA. Recommendation: Tweak CRL life times. [ref]
- Migration from non-clustered CA into cluster - same issues as with other migrations when the host name has been part of CDP and AIA URLs. [ref]
Scripts and automation
Certificate generation and deletion (in personal stores)
- How to delete certificates from local machines' stores. The problem had been caused by accidental issuance of machine certificates. Command to delete certificates: certutil -delstore my [OID of the template]
- How to delete a bunch of certificates from the Windows CA's database, based on their status (disposition) and start or expiry date.
- Computer certificates for non-domain machines - an outline of how to create those, including links to more detailed articles.
- Automated generation of certificates for non-Windows clients.
Searching the CA's database and expiration notifications.
- Monitoring expiring certificates - I am aware of two companies who offer Windows PKI add-ons doing that
- Question of mine: How to query large Windows CA databases efficiently.
- Sanitize AIA URLs from machines' host names - discussion of sample CMD scripts.
- Troubleshooting access to CRLs and configuration of the CA using variables. An old thread - I just responded to a comment on allegedly new syntax used for these variables.
- How to use replacement tokens in CMD scripts.
Third-party CAs, compatibility
- Import of the data of a non-Microsoft CA to a Windows CA. It might be doable but there is no simple wizard.
- Import of an existing wild card web server certificate for an Exchange server - from non-Windows machine.
- Definitions: certificates, key stores, requests, protocols. [ref]
Windows PKI components and features - and related troubleshooting
Web Enrollment (ASP pages)
- Issued certificates not showing in client's browser 'View the status of a pending certificate request'. This list is created from cookies at the client. Requests would not show up if the cookie had expired or the cookie don't work, e.g. because a non-standard directory (other than certsrv) had been used.
- Inherited CA with certsrv enrollment issues - a certificate for Exchange needs to be created though. I'd recommend submitting the CSR manually, locally at the CA, using certreq.
- certsrv application cannot be accessed on CA machine with unknown history. I recommend using certreq instead for urgent submissions, then fix / rebuild the PKI.
- Missing certsrv application directory. Idea: Role service not configured yet.
- Kerberos issues prevent using the /certsrv web enrollment application. Another expert found the solution - it was a pesky SPN issue. As a workaround Kerberos could be disabled by giving NTLM a higher priority.
- Web enrollment pages do not work. Solved by re-installation of the OS.
- Issues with key size mismatch when using the certsrv web application.
- Certsrv web application not configured for the correct physical directory by default. Seems like a bug to me - the configuration did not point to the en-US directory but to the directory one level up instead.
Simple Certificate Enrollment Protocol (SCEP) AKA Network Device Enrollment Service (NDES)
- NDES (SCEP) authentication problems: Turned out to be a UAC issue.
- NDES (SCEP) cannot distinguish certificate requests based on certificate templates but only based on key usage.
- Troubleshooting of the Microsoft implementation of SCEP / NDES (Simple Certificate Enrollment Protocol, Network Device Enrollment Service). NDES fails to start with a message indicating that it is not happy with its certificates - the root cause was a missing revocation list signed by the Root CA, as the service does revocation checking.
- SCEP/NDES: Unexpected passphrase prompt from the HSM software.
- Certificates to be used with NDES
Windows OCSP: Errors and Pitfalls
- White papers on how to make OCSP servers and CRL web servers highly available? There is an article for OCSP; for CRLs it is just a plain web server.
- /ocsp/ application directory is not created until the role service has been configured. However, revocation configurations can be created before that using the MMC - this causes an HTTP error 404 even though Online Responder Management reports 'all green'. [ref]
- Third-party validator (Axway) causes CryptoAPI to look only for OCSP URLs but OCSP is not used. Root cause finally was: CRL not accessible to the validator. [ref]
- OCSP Responder issues: Misunderstanding about how to use one Responder for different CAs, and how an array should work. Additional interesting issue: Adding the Intermediate CA certificate to the Trusted Root store can cause an error 403.16 in IIS and thus break certificate validation!
- OCSP design: Use a dedicated OCSP server?
HTTPS-based enrollment via CEP/CES
- How / when to use CEP and CES for supporting users in different ADs, but with an account in a hosted forest. I think this is the perfect scenario CEP/CES had been designed for.
- RPC enrollment error after removal of a machine from AD. Perhaps an issue related to a remaining Enrollment Services object?
- Testing auto-enrollment with very short validity periods. Which is not supported by MS as I learned from this thread. Plus: all the usual things to test and troubleshoot. Use case: Smart auto-renewal with a valid existing certificate.
- MMC Enrollment fails with an error message about a missing trusted CA or missing permissions.
- ASN encoding issues with a request submitted to a Windows CA in certsrv. Not much more can be done than analyzing the request and asking for a new one - which solved the issue.
- Kerberos troubleshooting triggered by an issue with enrolling for certificates at a CA migrated to Windows 2012 R2. After checking for common Kerberos issues with Service Principal Names and computer passwords it finally turned out that it was an issue with incompatible encryption algorithms (etype) that can be fixed by un-joining and re-joining machines to the domain.
- Summary on autoenrollment troubleshooting. There are many potential root causes, such as GPO or DCOM issues.
- Enrol on behalf fails: Application Policy configured in Issuance Requirements of the user's certificate template is set to Smart Card Logon, but not to Certificate Request Agent.
- DCOM permissions, more detailed DCOM permissions troubleshooting.
- Why an Issuing CA certificate shows up in the local CA store.
- RPC Server offline because the CA service could not start. [ref]
- Check if 'Do not re-enroll if a duplicate certificate exists in AD' has been set. [ref]
- ADCS Web Page returns "The RPC server is unavailable" - when accessing the certsrv application from the CA machine.
- Kerberos issues prevent using the /certsrv web enrollment application. Another expert found the solution - it was a pesky SPN issue. As a workaround, Kerberos could be disabled by giving NTLM a higher priority.
- Troubleshooting Kerberos delegation for the web enrollment role service installed on a different machine than the CA. Cross-checking delegation settings.
- Duplicate certificate templates - most likely an AD replication issue.
- When are certificate templates not available on the certsrv website? Permissions, v3 templates, machine templates configured for retrieval of the name from AD.
- Certificate templates for machines that do require the subject name to be retrieved from AD (such as Workstation Authentication or Computer) are not shown by the Web Enrollment pages. So the template needs to be copied and configured for the name to be supplied in the request - then an admin can enroll it, and later import the PFX file to the machine's store.
- PowerShell shows templates to be added but certtmpl.msc does not. New question in an older thread - weird, as any tool has to check AD's configuration container for the list of templates.
- CA cannot issue certificates as the templates in AD don't have the OID attribute set. The solution was to delete the failed default templates and re-install them with certutil -installdefaulttemplates.
- Certificate templates on Windows Server 2012 R2 CAs - a whole lot of new options and combinations.
- Subordinate Certification Authority template not found in certsrv.
- Web Server template not available for issuing certificates via the MMC.
- Windows CA and AD schema: W2K3 CAs can operate in a 2012 forest.
Certificate and request attributes and extensions, and how to create requests
Certificate Subject Name and Subject Alternative Name, and tools and processes for CSR creation. Overlap with section on Scripts and automation.
- Blank Friendly Name. Should not be an issue as the Friendly Name is a store property, not an attribute or extension.
- Adding a custom OID to a certificate. Not sure what the requirement is exactly as OIDs are used for 'any' PKI-related object. I learned something about the EDITF_ATTRIBUTESUBJECTALTNAME2 flag - it is not required if a SAN is added to a CSR but only if a SAN is added to an existing request (e.g. using the /certsrv app.)
- MMC Enrollment: 'Missing additional information'. The MMC asks for (another) certificate because the template had been configured for an authorized signature / an Enrollment Agent.
- How subject names in machine certificates are built from AD attributes. Special logic applied by the Windows CA policy module.
- Putting a custom serial number into user certificates: 1) Name in the request was too long - set the EnforceX500NameLengths flag to 0, 2) add the DeviceSerialNumber value to the SubjectTemplate registry key, 3) but use SERIALNUMBER when referring to the subject name in the INF file used with certreq.
- Limitations of using different strings and AD attributes when building subject names.
- How to request a certificate with a custom name.
- How to create certificate requests (with various tools) and send them to enterprise or standalone CAs (using various tools).
- Behavior of the Windows CA's policy module - no elaborate parsing of Subject Alternative Names.
- Wildcard certificates in ISA server - possible, but I am wary. [ref]
- Can the SHA algorithm used to sign a certificate be defined in the CSR? No, this has to be configured at the CA.
- Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2.
- Picking key sizes and hash algorithms for a new CA. There are always issues with (a few) older applications but I'd rather use the more secure settings in a green-field project.
- Changing the hash algorithm of a Windows CA from SHA1 to SHA256. It can be done by editing a registry setting and restarting the CA. Then it will sign anything - including its own renewed CA certificate - using the new algorithm. But since CRLs will also be affected, the applications' compatibility has to be checked - and thus it would be better to follow the best practice of setting up a whole new PKI hierarchy using the new algorithm in parallel.
- Checking and changing the hash algorithm used by a Windows CA, as only Windows 2008 clients are able to see templates to be enrolled for while Windows 2003 and XP clients don't.
- How to switch to SHA256.
Cross-forest certificate enrollment and multiple domains.
- Use an OCSP responder across AD forests. I proposed manual enrollment, perhaps with extended validity periods. I was in error about using CEP/CES enrollment as this will not work with the OCSP responder's specific type of auto-enrollment. But I learned that the Windows implementation of OCSP allows for using a signing certificate that is not signed by the respective CA - the simplest solution in this case.
- Obtaining certificates for RADIUS servers - via cross-forest enrollment.
- Requirements for cross-forest enrollment.
- In the old times: Automate submission (fetch CSRs from target forest) or use a user living in the target forest [ref].
- Limit PKI usage to one domain - how to set permissions.
SCEP is listed under Windows PKI components.
Logon against AD
- Adding a custom DN to a certificate, and certificate mapping.
- How to use certificates with Kerberos.
- Overview on how to implement smart card authentication.
SSL web servers
See also the section on Certificate and request attributes and extensions above.
- SSL certificate error: 'mismatched address'. Unresolved - this error could be due to putting the full URL in the common name but this was not the issue here.
- SSL handshake fails if the client proposes RSA, while DH is fine. No solution yet - the CSP does not seem to be the culprit.
- Troubleshooting IIS error 403.13 that is most likely related to an inaccessible OCSP URL.
- Overcoming certificate validation issues by adding SSL client authentication certificates to the web server's Trusted People store... should not be required. I spotted two issues with CDP / AIA URLs: Unsupported file URLs and an uncommon LDAP issue - perhaps related to AD's MaxPageSize.
- Options to use certificates to restrict access to IIS websites - requiring certificates versus (different flavors of) certificate mapping.
- The simplest way to create a single SSL certificate - is buying one. But I'd also dare to consider a self-signed SSL certificate here (Internal RADIUS server certificate).
- Issuing certificates for Linux servers from a Windows CA - not an issue, can also be done using an AD-integrated Enterprise CA (which is actually more secure than the standalone CA option).
- Certificates for load-balanced web servers.
LDAPs, DC certificates
- Concerns re expired DC certificates. Can a DC be rebooted safely? Yes, as certificates are not required for 'standard AD functions'.
- Easy-to-manage solution for LDAPs (only) - PKI to be avoided (?) Theoretically one might distribute a self-signed server certificate (with multiple SANs) just as a CA. I would not try to re-use an existing server's certificate as a CA certificate. As usual, I am wary about non-SSL-capable crypto providers. In case a simple 1-tier PKI is created today, templates could be moved to a well-planned 2-tier PKI later.
- Domain Controller uses the wrong certificate for LDAPs. My suggestion was to supersede the current template with one that allows for issuance of certificates that will expire after the unwanted third-party certificate. Another user provided instructions on how to use the AD (NTDS) service's certificate store instead of the machine's store.
RADIUS / NPS and 802.1x
- NPS cannot do a 'two-factor-style' check of a computer account logon and a domain user logon belonging to the same 'connection'. You can only OR-connect the conditions of requiring memberships in user versus machine groups (if the groups were AND-connected, every machine and every user would need to be a member of both user and machine groups). Thus a client that does not attempt to log on as a machine is only checked for the user's membership in the permitted user group.
- NPS 'two-factor' authentication and sending clients to VLANs. The former is not possible; the VLAN issue turned out to be due to hex used instead of a string in the tag attribute.
- What are computer certificates used for? Question related to avoiding administrative efforts in case they are not needed for AD operations / Kerberos authentication.
- NPS network policies: How to combine user and machine groups. They can only be OR combined which means this is not a two-factor-style check.
- How do I setup redundant Radius Servers without the end user having to accept another certificate? Unfortunately wild card certificates will not work.
- Does NPS recognize a CN in a certificate in a policy? The idea is to craft a CN from a device's MAC address.
- Troubleshooting WLAN 802.1x EAP issues. Not sure what the issue is as PEAP is used (?) but the client has a certificate - I just suggested creating a test policy targeted at a specific client and only allowing either PEAP-MS-CHAPv2 or EAP-TLS.
- NPS authentication and logging on with a local user. It seems the machine is logged on (again) or stays logged on after a failed logon with a local user.
- Authenticate external users at NPS server, using username and password. Idea: Create AD shadow accounts for them and provide them with credentials.
- 802.1x design for branch offices without local radius servers: Concerns: CRLs not accessible for certificates; computers cannot access the local LAN if the WAN does not work.
- NPS authentication can fail due to a really weird issue: The shared secret needs to be all case letters.
- WLAN authentication issues after the DC's certificate has been renewed. Potential issues: Switch to a new template without a subject CN, or the new certificate is not yet used in the NPS' config.
- NPS: Issues with using MS-EAP MS-Chapv2 used by a CISCO 2960 supplicant. Interesting result posted by the OP, based on a support case: NPS does not support EAP-MSCHAP with 802.1x (as PEAP should be used), so supposedly deprecated EAP-MD5 had been configured.
- How to authenticate machines instead of users by NPS.
- Troubleshooting certificate validation in relation to NPS and PEAP authentication. Standard troubleshooting using certutil -verify -urlfetch cert.cer and PEAP-MS-CHAP-v2 versus PEAP-TLS.
- Usability of Windows PEAP client in BYOD scenario - too much to configure on behalf of the user?
- Feasibility: NPS offering PEAP-MSCHAPv2 for domain joined and non-domain-joined machines.
- Can NPS do two-factor authentication of 1) machines and 2) users. Unfortunately it cannot.
- Intermittent problems with computer re-authentication: Finally resolved by disabling re-authentication.
- Selection of the WLAN certificate by a Windows machine when talking to RADIUS servers on different networks? The client should be able to use an external via an internal certificate. No solution.
- Which certificate to use for RADIUS (NPS) servers.
- How PEAP works and why the RADIUS server needs a certificate.
- Overview: WLAN 802.1x authentication with certificates.
- That annoying popup: Public CA's certificate for RADIUS server, certificate for iPhones - popup asking for confirmation of the RADIUS server's certificate.
- Exchange server does not use the CA-signed certificate for secure SMTP although those should take precedence over self-signed ones.
Outlook and SMIME
- E-Mail Encryption certificate not found by Outlook - again due to a not yet updated offline address book.
- Revocation error in Outlook - seems to be an issue with the client not being able to access CRLs or CRLs having expired.
- Mail recipient's encryption certificate in AD not found by Outlook. The Offline Addressbook had not yet been downloaded.
- Erratic problems with encrypting e-mail with Outlook - Sync or caching issue?
EFS - Encrypting File System
- Encrypting shared folder (using EFS). Implications: Users need to have keys stored on the server, only feasible with Roaming Profiles. In this case the workaround was to have all users use the same local user accounts to access files on a workgroup server.
- Revocation checking and Encrypting File System. A CRL signed by the Root CA in a two-tier PKI hierarchy was expired.
- Configuration of color of names of EFS encrypted files in Windows Explorer - can be configured in the GUI or via GPO.
- Data Recovery Agents versus Key Recovery Agents. Both can be used with EFS - you either recover the files directly or the users' asymmetric keys.
- EFS certificate creation cannot be triggered by GPO, with the error 'Element not found'. With Windows 2008 templates an ECDH algorithm needs to be selected and the hash of the EFS certificate needs to be edited manually in the registry.
- EFS decryption problem: due to lack of trust in the user's own certificate - solution: import the user's certificate to the Trusted People store.
- Usage of different keys and passwords with Bitlocker - passwords, recovery key, key on the TPM chip.
- Creating user certificates for SAP - where to put in which name?
Third-party LDAP clients
- LDAPs does not work when accessing a DC from a third-party client (WatchGuard). Ideas: Wrong or missing subject name (third-party clients often don't like only the SAN being populated though this is in line with standards), and WatchGuard seems to use its own certificate store into which the chain needs to be imported.
RDP / RDS
- RDP server certificate is re-created automatically after accidental deletion. I did some tests to be sure - a reboot may be required.
- Fixing issues with validation of RDS certificates. Resolved by using the FQDN specified in the self-signed certificate.
- Inquiry for a built-in method to log on via RDP using a certificate but no (expensive) hardware. Unfortunately certificate logon via RDP requires smartcards or a TPM chip.
- How to use certificate authentication with CISCO ASA and Microsoft NPS?
- Certificate requirements for CISCO ASA VPN server. Best practices for CRLs, purge the cache in ASA more often. Certificate types used by ASA (VPN versus SSL).
Windows VPN client
- The Windows 7 VPN client is not able to use a particular user certificate for logging on using IKEv2. The error message says that the certificate cannot be loaded.
- Intermittent issue with Kerberos authentication used with IPSec resolved by restarting the Windows Firewall.
Office Macro and document signing
- Use CRTs not PFX files to populate public stores - in this case Trusted Publishers.
- Office 2007 cannot use SHA256 certificates for macro signing. Fixed in Office 2010.
- General question on signing and encrypting office documents.
- Time-stamping recommended. [ref]
Key stores and cryptographic providers
- CA cannot start because of issues with access to the private key (or missing key). There is often no other way than restoring the key from the hopefully existing backup.
- Error This CSP cannot be opened in silent mode on doing EAP-TLS authentication, addition to an older thread. I am just guessing: An issue with having Strong Key Protection turned on?
- Change of the crypto provider used with the CA's key. This is doable (using certutil -csp [CSP Name] -importpfx keyfile.pfx) - however, from the question I cannot say if it is really an issue with the CA's key store or rather with the CSP used to generate a key on behalf of CISCO's ASA.
- Decryption error for NPS server. Not resolved - probably an issue with the CSP or a lack of access (permissions) to the server's private key.
- Certificate cannot be exported. It seems the key is available as a file (PKCS#1) but not in a Windows personal certificate store.
- SSL certificate does not work because of missing private key. CRT files do not contain a private key, and the certificate obtained from the certificate provider needs to be imported at the machine where the request had been generated.
- Logon to WLAN via PEAP fails due to issues with the NPS' certificate. Root cause: The CA certificate had been used in the NPS policy and this had most likely a crypto provider not suitable for SSL (SChannel errors.)
- Access to remote machine's certificate store via MMC does not work as expected.
- Enrollment of certificates configured for private key archival fails specifically for Windows 8.1 - probably due to the new option of using TPM chips as key stores?
- Issues with 802.1x WLAN user certificates, likely an SChannel provider problem.
Using an HSM as key store
- Importing software key to HSM and re-associating certificate with the new instance of the key. Walking through commands: Backup software key, delete certificate, import certificate again using the -csp option.
- An offline CA can still use a network HSM - provided it uses a private network.
- nCipher HSM - issues with migrating the key to a new CA: The new HSM client cannot use the key as the counter had been enabled at the old machine.