Archive of postings for 2014, listed in descending order by creation date. All Postings shown.

E on Track (Edition 2014 - a Good Year)

(elkement. Last changed: 2015-04-01. Created: 2014-12-24. Tags: Life, Meaning, Looking Back, Contentment. German Version.)

(December 24, 2014. Updated: April 1st, 2015, not funny though.)

The outlook was vague and dubious.

Elke Stangl 2014

You can take pride in the way you've already mastered.

Elke Stangl 2014

Fortune favors the prepared mind.

Elke Stangl 2014

Be creative with what is available.

Elke Stangl 2014

Don't underestimate the power of the right companion.

Elke Stangl 2014

Sorry, wrong image! I try again!

The Two of Us 2014

I am alone in the fog, but the victory is mine.

Elke Stangl 2014

I'll pontificate about anything nonetheless.

Elke Stangl 2014

Physics, Science, Engineering, and a Lot of Fun

(elkement. Last changed: 2015-02-04. Created: 2014-12-17. Tags: Physics, Engineering, Science, Heat Pump, Simulations, Career, Life, Work. German Version.)

I am running a small engineering consultancy together with my husband. Following Star Trek terminology, he is Chief Engineer, and I am Science Officer.

In overly correct legalese, my job titles according to our business licences are 1) Consulting Engineer in Applied Physics and 2) IT Consultant.

We specialize in planning heat pump systems with unconventional heat sources, that is, a combination of an underground water tank and an unglazed solar collector. 'IT' means: playing with control units and data monitoring.

Solar collector for harvesting energy from ambient air.

As we run a German blog focused on this system and I also devote a 'sub-division' of my English blog to it, I use this site (radices.net) mainly for consolidating resources and links - in the same way as I curate security / PKI related links. Perhaps these link dumps will not be very useful for anybody but myself.

I once was a laser physicist and a materials scientist - my specialties having been high-temperature superconductors, laser materials processing with excimer lasers, and the microstructure of stainless steel. Then I turned to IT security, IT infrastructure and IT management for more than 10 years.

In 2012 I felt the urge to reconnect with my roots as a scientist and engineer, and we started working on our own heat pump research project in stealth mode. It turned into a second 'branch' of our two-person business. There are connections between my different fields of expertise - IT security and heat pumps - such as the security of the smart grid, 'hacking critical infrastructure', and monitoring and control systems. Even the data we gather with our pilot setup have turned into 'big data' that require analysis and management.

So I am actually more of an engineer than a physicist. But I am still very interested in theoretical physics as a sort of mental exercise, and I indulge in reading textbooks as a hobby. In 2013 I had focussed on (re-)learning quantum field theory.

Since 2014 I have mainly been blogging on down-to-earth classical mechanics or thermodynamics, and I enjoy doing cross-checks and back-of-the-envelope calculations on my blog.

Simplified simulation of ice in the water tank in different years.

Last change: Updated dead link to Austrian statistics on fuels and heating systems.

Heat pumps

Heat pump usage in different countries and history of heat pumps

Unusual heat sources

Sizing heat pumps - I am trying to learn the terminology of standards commonly applied in English-speaking countries:

Power grid and availability

Power generation

Hydro power plants

In Sweden the world's largest pumped hydro storage plant might be built:

  • See bottom of page 30 of this research paper:
    Besides the official estimations there are some discussions [28b] about building pumping capacity between the lakes Vänern and Vättern in Southern Sweden. The difference in altitude is 44 meters between these lakes.
  • ... and the last page of this presentation:
    Possible future? Mariestads Kraftverks AB & others 50 km tunnel between the lakes Vänern & Vättern Cost: 250 billion SEK. Installed capacity: 50000 MW.

Free long-term weather data

Input data for my own simulations.

Germany and Austria.

World

  • Climate data for the last decades. The navigation is something you need to get used to (Pick: Cities, Climate, Climate Robot...). Therefore I start with Ice Days for Vienna. It is a bit weird that available data seem to depend on the choice of the language (less data for Vienna in English).

Extreme Weather

The winter 1962/63 was the coldest in 250 years in Europe (German article: Winter 1962/63 in Europa. English article: Winter of 1962–63 in the United Kingdom).
More data from a talk / slides available at the website of the Royal Meteorological Society: The bitter winter of 1962/63 - this winter was unusually mild in Canada and Greenland (p.17)

Could such a winter ever happen again? "The 1963 winter is well within the population of other cold winters that have been experienced in this country ... It is not necessary therefore to seek some very special cause in order to explain it." – H.C. Shellard, Meteorological Magazine, 1968 (p.21 of PDF)

Different heating systems

Statistics for Austria: Heating 2003 to 2012 by fuels used and heating system (in Austria). Less than 15% of (primary) heating systems are stoves, and they have been on a decline in the last decade.

Units, heat values, energy costs

Tools for converting units

Heat values

Properties of water (for comparing the energy stored in a water / ice tank)

Costs of energy - international

Monitoring, Control, IT

Metering and monitoring electrical power consumption

  • Smart meters with data loggers and/or various interfaces for attaching loggers - to be installed behind the official smart meter:
  • Parsing an online monitoring website is perhaps the most universal 'real-time protocol' in case no other interfaces are available. E.g. by using PowerShell: I tested this with the local website of a Fronius Symo inverter and their web portal www.solarweb.com. One option: Start an InternetExplorer.Application COM object and identify the HTML element containing the interesting value by its ID (getElementById).
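The scraping approach described in the last bullet, as an added PowerShell example (not the author's own script, which is not shown on this page). It assumes only what the text states: an InternetExplorer.Application COM object and a value that can be located by element ID. The URL and the element ID are placeholders; the real ID must be read from the device's HTML.

```powershell
# Added example, not the author's code: read one numeric value from a device's
# local monitoring web page via the InternetExplorer.Application COM object.
# $Url and $ElementId are placeholders to be replaced for the actual device.
function Get-MonitoredValue {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ElementId,
        [int] $TimeoutSeconds = 30
    )
    $ie = New-Object -ComObject 'InternetExplorer.Application'
    try {
        $ie.Visible = $false
        $ie.Navigate($Url)
        # Poll until the page has finished loading (ReadyState 4 = complete),
        # but give up after the timeout so an unreachable device cannot hang
        # the logging loop forever.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ($ie.Busy -or $ie.ReadyState -ne 4) {
            if ((Get-Date) -gt $deadline) { throw "Timeout loading $Url" }
            Start-Sleep -Milliseconds 200
        }
        $element = $ie.Document.getElementById($ElementId)
        if ($null -eq $element) {
            # A firmware update that renames the element shows up here rather
            # than as a silently empty log column.
            throw "Element '$ElementId' not found on $Url"
        }
        # innerText carries the displayed string, e.g. '1234,5 W'; extract the
        # number and normalise the decimal separator before parsing.
        $text = $element.innerText.Trim()
        $number = [regex]::Match($text, '-?\d+([.,]\d+)?').Value -replace ',', '.'
        if (-not $number) { throw "No numeric value in '$text'" }
        return [double]::Parse($number, [System.Globalization.CultureInfo]::InvariantCulture)
    }
    finally {
        # Always release the hidden browser instance, even on error.
        $ie.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($ie)
    }
}

# Usage with placeholder values; appends a timestamped reading to a CSV log.
# $value = Get-MonitoredValue -Url 'http://DEVICE_URL_PLACEHOLDER/' -ElementId 'ELEMENT_ID_PLACEHOLDER'
# "$(Get-Date -Format s);$value" | Add-Content -Path 'C:\logs\monitoring.csv'
```

The function fails loudly (timeout, missing element, non-numeric text) instead of returning an empty value, which is what you want when such a script feeds a long-term data series: a gap in the log is easier to explain later than a silent run of zeros.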

Manuals of data loggers by Technische Alternative GmbH (for control units UVR1611, UVR16x2)

CAN Bus

  • Bus topology. Note that UVR1611 is automatically terminated by default.

Heating with computers

Computers installed in private homes provide their computing power to cloud services - while heating those homes.

Basics (Physics) - Mechanics, Electrodynamics

The Feynman Lectures on Physics

  • Volume 1: Mainly mechanics, radiation and heat.
  • Volume 2: Mainly electromagnetism and matter

Unglazed solar collector - part of the heat source of our heat pump system

What Is Art?

(elkement. Created: 2014-11-08. Tags: Art, Self-Referential, Flarf, Weird, Nostalgia, Poetry. German Version.)

This seems to be the fundamental question The Subversive Element is trying to answer on numerous Red Pages.

subversiv.at has been a feeble would-be protest against the Dilbertesque world of work. After I had risen to the challenge, lamented, fought, and transmogrified myself, I consider that resolved, once and for all. What remains to be done here? Write comments on my comments on my old articles, the ones I recoil from in horror when re-reading them. Sometimes I comment in English on German stuff or vice versa. Sometimes I resort to Google Translate to reach one more meta-level in creating Google-based poetry from existing Search Term Poetry or Spam Poetry.

Can that be art? Never, I'd said a few weeks ago. But recently the Element has learned that this is indeed art, called 'Flarf'. So I have been creating Flarf for nearly two years - or perhaps longer, if some of my early subversive art here counts as well - although I was not the innovator I had hoped I was.

But there is an eerie effect - you experts will explain that to me. Each Flarf poem has the same signature style or flavor - I call it the post-modern, the dystopian. It is experimental sci-fi movie crossed with Dilbert going New Age. It is being ironic about irony. Or maybe not. This is independent of the details of the Flarf method used - search terms, spam comments, arbitrary Google searches, even snippets from my own posts, or readers' comments - they speak to me in the same way.

Here is an example: my latest Spam Poem to date, cross-posted from the elkementary blog. The complete list of all Flarf poetry listed chronologically is curated here - if and which ones I re-post here remains an enigma to myself, much like Flarf.

the destiny of the universe

my honest, preconceived thoughts

a great unreal dream
actual irony
when you con the destiny with your artistry

gloomy and cynical futurism
that any mortal should avoid

you arrive from the Victorian England
in the known galaxy

Illustration for Jules Verne's The Mysterious Island, by Jules Férat

dark and cynical sci-fi
forces an illusion
of that time gone by
When skyscrapers were first built

you are not understanding anything

what if i told you
There are undoubtedly more color options nearby

paradigmatic coal-black
started to be repetitive
one of the big deterrents to me

your deprecating coherence
is a potpourri

this type of despicable hypocirite
it will be the future of the human race

handing more control over
lets us progress even deeper into this sci-fi nightmare

armor and weapon
usually do not adhere to regulations
The glare of the goblin sparks partially blinded him.

Artwork for the book The War of the Worlds, Alvim-correa12

player in cyberspace
heed your call of duty

I’ll certainly come back
through the dust
or snipe the undead beasts

talk with other mentors
emotionally distraught

men and women dressed in cartoon costumes

The cartoon is attractive
corporate, regal, or fair-minded

these crooks
reported to have ghost activity

space zombies
called Glass Collective
never publicly dated anyone

Put your prowess to evaluation
removing their skin

rapidly rose the reputation
conditional upon the execution

Disgrace on Google
the cosmic horror
We do know these people analyze

NSA Muscular Google Cloud

Numerous aliens in space will traumatize you
with the fantasy stars
Your toddlers shall like it

none of the visions has borne fruit
as a matter of fact

unsubstantiated distortions
completely ridiculous.

in public areas nevertheless

This cue
the echo
The spring of 24
most is inconsistent

the web
becomes a virtual community
something that we are hoping

i could truthfully do something to be able

Slowly return your head to the original position

Uhmm..

Will there be a part 2?

the last sentence of the page

Instead of a 'Bio' ...

(elkement. Created: 2014-11-08. Tags: Spaceship, Bizarr, Life, Garden, Lifeform. German Version.)

... we show you an organic - 'bio' - space probe.

Organic 'Bio' Space Probe

Elkement is an amalgam of Elke and the Subversive Element.

Physicist and consulting engineer by trade and by day, self-proclaimed dilettante science blogger and avant-garde poet by night.

(This compilation of links is static - no more amendments planned.)

PKI FAQ

(elkement. Last changed: 2014-12-16. Created: 2014-10-06. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

This is a compilation of threads in Technet forums, organized by topic.

Chain validation and revocation checking issues

Chaining and hierarchies

Time validity

Revocation lists

(For issues with SCEP and EFS, see the sections on applications at the bottom of this page.)

Windows PKI design, implementation, and maintenance

PKI AD integration and clean-up

CA migration, backup and restore and high-availability

Scripts and automation

Certificate generation and deletion (in personal stores)

Searching the CA's database and expiration notifications.

PKI configuration

Third-party CAs, compatibility

Windows PKI components and features - and related troubleshooting

Web Enrollment (ASP pages)

Simple Device Enrollment Protocol (SCEP) AKA Network Device Enrollment Service (NDES)

Windows OCSP: Errors and Pitfalls

  • White papers on how to make OCSP servers and CRL web servers highly available? There is an article for OCSP; for CRLs it is just a plain simple web server.
  • The /ocsp/ application directory is not created before the role service has been configured. However, revocation configurations can be created before that using the MMC - this causes an HTTP error 404 although the Online Responder Management console reports 'all green'. [ref]
  • Third-party validator (Axway) causes CryptoAPI to look only for OCSP URLs but OCSP is not used. Root cause finally was: CRL not accessible to the validator. [ref]
  • OCSP Responder issues: Misunderstanding about how to use one Responder for different CAs, and how an array should work. Additional interesting issue: Adding the Intermediate CA certificate to Trusted Root store can cause an error 403.16 in IIS and thus break certificate validation!
  • OCSP design: Use a dedicated OCSP server?

HTTPS-based enrollment via CEP/CES

(Auto-)enrollment troubleshooting

Kerberos troubleshooting

Certificate templates

Pre-requisites

Certificate and request attributes and extensions, and how to create requests

Certificate Subject Name and Subject Alternative Name, and tools and processes for CSR creation. Overlap with section on Scripts and automation.

OIDs

Hash algorithms

Cross-forest certificate enrollment and multiple domains.

PKI Applications

SCEP is listed under Windows PKI components.

Logon against AD

SSL web servers

See also the section on Certificate and request attributes and extensions above.

LDAPs, DC certificates

  • Concerns re expired DC certificates. Can a DC be rebooted safely? Yes, as certificates are not required for 'standard AD functions'.
  • Easy-to-manage solution for LDAPs (only) - PKI to be avoided (?) Theoretically one might distribute a self-signed server certificate (with multiple SANs) just as a CA. I would not try to re-use an existing server's certificate as a CA certificate. As usual, I am wary about non-SSL-capable crypto providers. In case a simple 1-tier PKI is created today, templates could be moved to a well-planned 2-tier PKI later.
  • Domain Controller uses the wrong certificate for LDAPs. My suggestion was to supersede the current template with one that allows for issuance of certificates that will expire after the unwanted third-party certificate. Another user provided instructions on how to use the AD (NTDS) service's certificate store instead of the machine's store.

RADIUS / NPS and 802.1x

Exchange Server

Outlook and SMIME

EFS - Encrypting File System

BitLocker

SAP

Third-party LDAP clients

RDP / RDS

CISCO VPN

Windows VPN client

IPsec

Office Macro and document signing

Key stores and cryptographic providers

Crypto general

Software stores

Using an HSM as key store

Silent waters. Northwest of Tenerife, 2004.

On the German version of this page you do indeed find my original poetry, written in 1998. In order to allow English readers a glimpse into my post-adolescent postmodern gloomy stanzas I resort to Google Translate. This is done deliberately to add that flavor of Search Term Poetry or Spam Poetry.

Words
By the Subversive Element

words
preformed
in the depths of consciousness
blister
on the surface
overdraw my picture of the world
with thousands of multicolored drops

words
rich like tentacles
in my reality
and tug at unwavering.
Burning streams of lava
apparent safety
Streams of water
wet the parched land
my reason

words
dig their tunnels
through my mind
let my soul
go on swaying bridges
about locations of past struggles
past monuments
for heroics
whose meaning I have forgotten

words
flow into my reality
here and now
and satisfy themselves
echoed by
in a world
which has changed
in this moment

This is even worse than the German version. But with more help from Google I know we can do better.

I am running this now through Google Translate again and translate it - using one result as an input for the next round:
>> to Spanish >> to Italian >> to French >> to Zulu >> to Nepalese >> to Korean >> to Finnish >> and back to German

The result (shown on the German page) is quite remarkable - to me this sounds like a Zen koan.

Now I am ready to translate it back to English - and this is what I call poetry!

Text
By the Subversive Element and Google

text
Preformed
deep knowledge of the
GO
surface
Search in my view of the world
Thousands of colorful drops

text
Subscribe to the rich
In fact, my
Hold on tight and pull.
burn the floor
apparently safety
current
short dry
My September

text
shaft tunnel
my heart
My soul
swivel the foot
In the past, a state of war
Monuments of the past
competition
The meaning is forgotten

text
my real
now here
And to ensure
echo
March
change
2 hours

Artistic Jupiter

... an odd combination probably.

But I have a penchant for combining anything. For me IT security, physics, and engineering are all connected naturally, and not only through my biography.

The communication between devices making up the internet of things needs to be secured. Public Key Infrastructures may provide the X.509 certificates needed to do this.

Physics provides on the one hand the underpinning of engineering; on the other hand, mathematical methods used in physics can be applied to all kinds of complex systems. There is some truth to this satirical explanation of the relation between Feynman diagrams, certificate validation, and hydraulic designs.

But philosophical musings aside, on a daily basis I simply like to play with technology: Exploring how applications and systems use digital certificates and how they can or can't be 'hacked'. How to build ('hack') a technical solution using off-the-shelf components? How to develop a simulation tool from so-called simple 'Office software'?

A rehash of the German Subversive Newsletter sent January 31, 2005

Nearly 10 years have passed, so The Subversive Element can speak about it in public.

I do admit:

  • I spent vacations on distant islands. Just like any other tourist.
  • Vacations were for escaping the so-called real world.
  • I used to make fun of literature about quantum consciousness and the like.

But I was penalized for all this.

In the first days of the year 2005 The Element and Somebody embarked on a journey they would never forget. Equipped with lots of popular science magazines on quantum physics and a few on so-called alternative physics, they travelled to a quite calm, distant, very green, and very wet and foggy island.

[Skipping the boring part about nature and your typical vacation reports.]

There were some eerie forebodings of evil to come:

They were invited by a lonely inhabitant of natural caves at a stormy coast - uttering unintelligible sounds. They declined politely.

An entrance to hell.

The Element was struck by a mysterious illness for one day, right after the island drowned in water as it rained heavily for two days.

Luckily the island did not break in two parts and cause a tsunami as had been proposed by serious scientists.

Streams of muddy water meet the sea.

But the native spirits of that island found the most mischievous way to punish the busy corporate workers. They nearly managed in keeping Element and Somebody prisoners on that green former volcano.

When you see this in movies, you would say this is so improbable it is not even funny:

  • At the island's airport the voice from the speakers says that the plane suffered from a technical defect - more information to come.
  • The plane would not be able to depart today but there are 34 seats left in another plane - two seats fewer than stranded passengers. Any volunteers?
  • Relief - we were not those two poor souls chosen by drawing lots, and happily boarded the plane.
  • Finally the plane landed and Element and Somebody went to their car.
    Element: I'll pay for the parking ticket.
    Somebody: Let's check if it starts first
    Element: Ha ha, yes  - very funny!!
    Somebody: [Turns the ignition key]
    [... Silence ...]
    Both: *Panic*
  • So the short story was that the small courtesy light had been on for two weeks and the battery was absolutely empty.
  • Element found the manufacturer's emergency phone number on a sticker in the car. Fortunately it was a company car, as they usually discard that type of insurance-like service.
  • A helpful human being was answering the phone - he will be here in about half an hour.
  • It is getting cold - it is close to midnight.
  • The helper arrives, and worries that the battery might be too exhausted.
  • OK, it can be recharged and we were warned to absolutely never stop for the next 150 kilometers.
  • We drive - to the south. Target: The settlers' home in the Pannonian Plain, via Vienna.
  • And then it starts to snow. Like it hasn't before in that season.
  • We drive slower and slower.
  • We realize we will never make it to z-village so that Element will be able to drive to Vienna again, somewhat recharged.

Piece.

It should be noted that the timing was probably a bit too optimistic. The idea was to arrive at the airport before midnight, drive home through empty streets without issues, and sleep for a few hours - until The Element had to deliver one of its legendary security workshops. But based on perhaps a vague premonition of what was to come, The Element had taken a USB stick with course material along during vacation, it had outsourced the preparation of virtual machines to a service provider, and it had its company badge, a toothbrush and some other things for grooming.

  • So The Element accepted its destiny and said to Somebody: We will never make it, drop me off in Vienna.
  • Fortunately, at that time the Element's employer offered its overworked staff a so-called recreation room.
  • So The Element sleeps peacefully for about two hours on the couch in the recreation room before it is woken up by the lights and sounds of the snowplow outside and by the cleaning staff.
  • The workshop went well.

Sleep is overrated.

Postings in Technet Forums

(elkement. Last changed: 2015-04-01. Created: 2014-07-29. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

In 2014 I resumed posting to security forums in the Microsoft Technet community. I have been using these threads as my personal knowledge base.

Here is a feed on recent activity. Seems my mission has come to an end by the end of 2014!

A list of all my threads is also generated automatically but I am hand-curating them here again.

I am not using the original thread title but another one that makes me remember the discussion more easily; and I add a short summary. The date is the date of my first reply in this thread.

(Last changed: April 1, 2015. Added last threads I contributed to in December 2014.)

Insert some years during which I was just busy doing PKI but not contributing to the community. I try to compensate for that now!

  • [2009-07-16] What is PKI compatibility? It depends on what is compared: Certificates and their fields, key stores and access methods, request structure, protocols to enroll for certificates,...
  • [2009-07-16] Notification e-mails sent by the SMTP Exit module contain variables instead of values. Might be an issue of using the variables in a script versus running the commands interactively. In a script the % needs to be masked by another %.
  • [2009-07-16] Windows CA and redundancy: Does a second CA help? Templates are redundant in AD anyway. A second CA does not help as it uses a different key and cannot sign CRLs on behalf of a failed first CA automatically. For risk mitigation the CRL validity period should be configured for a few days or whatever is needed to detect and fix an issue in the worst case. Redundancy could be achieved with fail-over clustering.
  • [2008-11-09] Planning fail-over clustering for a CA, in particular how to migrate an existing non-clustered CA into the cluster. Clustering is only supported with HSMs(*). As for the names it can be done but the legacy of LDAP objects and HTTP URLs that contain the old machine name makes that rather messy. Suggestion: Use a new clustered CA setup from scratch with proper names and create a long-lived CRL for the existing CA before retiring it.
    (*) Learned in 2014 that this is not true (anymore?)
  • [2008-10-01] How to configure CRL URLs for offline CAs. It seems either a CRL has not been copied to the CRL server denoted in the CDP or the defaults have been used and the URL points to the Root CA itself. Brief outline of process.
  • [2008-09-23] Variables in CA configuration (starting with %) do not get replaced by their values. Turned out to be a copy and paste error as the lines have been copied to the command window directly.
  • [2008-09-19] Limit PKI usage to one domain - how to set permissions. The CA is a forest resource, but permission for domain-specific groups can be set at the CA (Request Certificates right), or permissions on all templates could be limited to groups from this domain.
  • [2008-09-18] Time zones and clock skew. Date formats in certificates are in Universal Time format including time zone information. There is only a clock skew of 10 minutes applied by default to avoid false not-yet-valid messages.
  • [2008-07-28] Checking and changing validity periods of CRLs as the default period of a week is too short for a typical Root CA. Overview on how to set the validity period in Properties of Revoked Certificates and - optionally - overlap by editing the registry.
  • [2008-07-28] Requirements for macro signing certificates. I suggest time-stamping macros, as otherwise the signature (even if valid when made) would be considered invalid once the signer's certificate has expired.
  • [2008-07-26] Certificate services simply fails to start after setup. Not clarified but another user indicated that in his certocm.log a permissions error was logged when he saw the same error - using the domain admin resolved it.
  • [2008-07-26] Sending certificate requests to an untrusted forest. Ideas: Automate the creation of requests and let a service user account from the CA forest fetch the requests, send them to the CA, and collect the certificates. Alternative: Simply use an AD user of the forest where the CA resides and use the certsrv web application to create keys and requests.
  • [2008-07-12] Autoenrollment issues - an XP client does not autoenroll although manual enrollment works and the event log says that Autoenrollment has been completed successfully. Potential root causes: 1) There is already a certificate of that type in the store and the setting Do not re-enroll if a duplicate certificate exists in AD has been set 2) Weird but known issue with credential roaming sometimes falsely archiving certificates.
  • [2008-07-01] Wild-card certificates - feasible but not recommended as there is a slight chance clients may not recognize the wild-card character.

WOP!

(elkement. Created: 2014-06-22. Tags: Art, WOP, Douglas Adams, Spaceship. German Version.)

Finally we know where this fond addiction to eerie spaceships materializing out of thin air stems from:

What happened next they could not ignore. With a noise like a hundred thousand people saying "wop", a steely white spaceship suddenly seemed to create itself out of nothing in the air directly above the cricket pitch and hung there with infinite menace and a slight hum.

--Douglas Adams, Life, the Universe and Everything, Chapter 4.

Now more than one initiative has been started to actually collect and mix these 100,000 WOPs - it seems without success.

Do we need a new attempt? Do we need a Facebook page?

LEGO space ship Duffy photographers jeh

(Remembering a so-called creativity training, autumn 2000)

This is off-base, I know. But there is no point in translating some of my German texts. Nevertheless, I cannot bring myself to accept the glaring gaps in the English version of this site. So this is German stuff, quoted on the English page.

The goal of the exercise was to associate freely or whatever. Participants should write a short story, each sentence had to start with a letter in your full name.

This is what Google Translate makes of the German version:

A pink spaceship lands on the secluded glade.

Slowly, the hatch opens.

No human being on this planet registered the historical event.

An event that will carry out a change in the timeline to the fact that the history of mankind is to be rewritten.

It makes sense is actually not to report it, since the landing of the spaceship will not take place in the other timeline.

Dancing lights appear to move on the outer shell of the spaceship, when the setting is reflected in it.

All members of the team have now left the spaceship and begin to bring the time converter in position.

Still continues the old timeline of the earth for 5 minutes ...

All of a sudden the existing space-time continuum is destabilized with the inconspicuous Click the Einschaltknopfes the time converter.

Slowly, the prehistoric life on earth newly created starts to rain.

I had created radices.net as a German-only site in 2003, with the intention to dump my pseudo-philosophical musings on science, philosophy, and culture somewhere. radices should remind me of my roots - in physics. Since I am already maintaining too many websites and blogs, in German or in English or in both languages, it took more than 10 years until I finally started an English version of this site.

radices = Roots!

(elkement. Last changed: 2015-02-20. Created: 2014-06-01. Tags: PKI, Public Key Infrastructure, IT, IT Security, X.509, Announcements. German Version.)

About radices.net

radices is roots in Latin. And accidentally there is a pun, perhaps as hackneyed as roots of all evil. As a security consultant I built lots of Root CAs, the top anchor in the hierarchies that are called Public Key Infrastructures.

radices.net shall now be dedicated to what online gurus and internet philosophers call curating today. Which means I just dump links to stuff I am interested in and add some basic structure with headers. radices was a German science pseudo-blog but it also was an experiment in organizing content - so I have come full circle.

About my PKI activities

I have worked as a PKI consultant since 2002, mainly with European enterprise customers on designing and implementing their PKIs run in-house. Now I am supporting some long-term existing clients with their PKI / X.509 issues but I don't take on new clients.

As a former Microsoft employee I have focused mainly on the Microsoft PKI, versions Windows 2000 / 2003 / 2008 / R2 / 2012 R2 - but I also had some exposure to various other PKI-enabled applications and devices. The fun part of PKI projects is in debugging weird issues that exotic or allegedly 'industry-grade' applications have with validating certificate paths, using keys etc.

Here is the often requested one A4 page summary, and here you can see that those PKI services are part of an ... uhm... odd combination of IT services.

  • I try to keep track of links, books, papers etc. I found useful and add them to this list. This is not intended to be the perfectly structured, 'educational' collection. I rather pick and add what I stumbled upon while working on PKI issues or discussing with other security freaks.
  • I started logging PKI issues here. The idea is to describe them as concisely as possible, in TXT format.
  • Struck by vanity I made the collection of my modest own contributions a page in its own right. I am also trying to keep track of my postings to security forums in order to use those as my knowledge base.

I am originally a physicist (completed PhD in 1995), worked in R&D and switched to IT security. In 2013 I completed another master's degree called Sustainable Energy Systems and did a master thesis on smart metering and security (LinkedIn profile). Now I am a consulting engineer working with heat pumps that use a special heat source. Yes, I know - it is weirder to combine that with PKI.

The security of the smart grid and internet of things [add more buzz words here] provides options to re-use my security know-how in the context of my new field. Such heat pumps may use control units connected to 'the internet' and all kinds of certificate-/PKI-enabled stuff might be involved here.

For five years I have given a yearly lecture in a master's degree program, then called Advanced Security Engineering at FH Joanneum. Here is the last version of the slides.

My Articles on IT Security, Monitoring, PKI.

(elkement. Last changed: 2015-11-07. Created: 2014-06-01. Tags: Postings, Blogging, Resources, Links, IT, Monitoring, PKI, Security, X.509, Cryptography. German Version.)

My lecture slides on PKI and security are a bit dated already, I add them for completeness though.

Articles on my blog are targeted to a broader audience - perhaps they are too 'philosophical' for security experts. See the complete list of postings below, after the image.

X.509 Certificate

This article was originally cross-posted to all of elkement's sites (e-stangl.at, radices.net, subversiv.at). These are questions worth some subversive thoughts. The Element is webmaster of a growing universe of weird sites since 1997. The first site was even a commercial one. Crafted with MS FrontPage 98, no less. The Element's Alter Ego, Elke Stangl, tries to answer all of them in the following meta analysis. (I am still looking for more levels of self-reference here -

Why Am I Online?

(elkement. Created: 2014-05-16. Tags: Writing, Blogging, Websites, Web, Netizen, Geek, Announcements, About)

Since 1997 I have been maintaining personal and business websites but I haven't joined the social media borg cube(s) before 2012. You can find a brief overview on all projects, that is a collection of icons plus some more or less funny comments here.

Here I try to keep track of why I am doing this, and I only comment on those pages or blogs which I consider a project of some sort.

My personal blog elkement.wordpress.com is where I finally try really hard to unite all the things again that have been scattered across different sites before, and across different parts of my life - probably of my very self. I am quite satisfied with the structure I have added in April 2014 - main 'category' pages that list individual posts.

This kind of structure is probably what I would have wanted to achieve by splitting my personal space into three distinct realms in 2002:

e-stangl.at: an ancient predecessor of the modern About page. It always got more serious than I wanted it to be - especially the German pages. But this is probably because I have outsourced the fun parts to the subversive site, and it might have triggered that idea that I absolutely have to run a bilingual site. I am still baffled by my own unwillingness to translate - I either write something in German or English, and only with utmost discipline do I translate it. I rather let it rest and write a different and only loosely related version in the other language.

Before the Subversive El(k)ement had its own blog, it had its own site: subversiv.at. This was inspired by quotes from The Cluetrain Manifesto about subversive hyperlinks, and it alluded to my weird split responsibilities as so-called corporate IT manager on the one hand, and as a supporter of subversive webmasters of 'non-compliant' sites on the other hand. Over the years I have added many layers of meaning to that.

I re-discovered the joys of playful nonsense, wordplay, self-referential comments disguising my ambiguous opinions. This can be seen as what later was to become Search Term Poetry and Spam Poetry. Today I re-use such poems from my blog and enrich them with German translations on the subversive site.

My science & technology site radices.net should focus more on content and less on my personal woes. I was not successful with respect to the latter. Having started as a German-only page, the effect of over-solemnity was probably worse. I think it did get better after I was done with soul-searching and heart-wrenching career changes - and writing about those with hindsight.

In autumn 2013 I decided this site should become home to the grey area between my interests and hobbies - e.g. as an amateur student of quantum field theory and dilettante science writer - and those parts of my professional life related to it. Translated to English I called it my Practice in Natural Philosophy tongue-in-cheek. But since I can't help but preferring to write about science and philosophy in English, the German site was / is more or less a link dump - using links from my English blog, and our German 'company blog' (see below).

I got hooked again on classical cryptography and IT security - and I finally want to start what I had had in mind but never did some years earlier: Finally 'curate' all my favorite resources, document interesting anecdotes, and in general give back something to a community that had helped me out so often - when I found the much-needed solution via the ultimate oracle, Google. So at the beginning of 2014 I mainly updated the PKI pages.

But this was not for a German audience, but for an international one. My English blog postings on security are what I really wanted to write and these should be complemented by a Resources page. I finally did it - I made this website bilingual, too. The English version hosts nothing but the PKI stuff, and thankfully radices means Roots and there is something like Root CAs. Totally coincidental as the original intention was to re-connect with my roots as a scientist.

My business page is where I / we pretend to be serious. However, our rather peculiar diversified portfolio, as I like to call it, thwarts these attempts (hopefully).

I said we have a business blog (though it is not necessarily discernible as such). Here it is: punktwissen.wordpress.com. You can see our work there, sort of, and we use a story-telling approach (And I am trying now to use a sounding-like-business approach). These are the stories of us, the two settlers, who tell their stories about physics, renewable energy, and our related adventures.

The punktwissen blog is successor to the legendary z-village.net site, bringing news from the village at the end of the internet to the internet community. This page was maintained solely by Somebody Doing Anything Nobody Wants to Do - I was (am) just the programmer.

And there was a grand, 'corporate' version of the quaint little village, this was (is) EPSI - a prestigious middle European Think Thank dedicated to: Elementary research, painting blogs, collecting space and doing something.

Now you know.

All the other social media stuff is tangential, ephemeral and fleeting.

This has once been the so-called serious section of this site, holding the links to the articles full of soul-searching.

Meaning of life, true calling - you name it. See the non-translation of my graduation speech as a prime example.

Fortunately, the Lightness of Being a Geek has finally won. 

The Light Side and the Dark Side of the Force are also reflected by postings on my blog, in sections Life and The Web, respectively. You be the judge on lightness and darkness.

Towel Day in Innsbruck, Wikimedia, user Beny Shlevich

Uh-oh, No Posting in March

(elkement. Created: 2014-04-27. Tags: Everything, Art, Search Term Poetry. German Version.)

But now - here it is.

An English-German cross-over based on a search term poem published on my English blog.

This poem in turn was a cross-over of Q1 search terms and pathetic attempts of mine to take photos with my smart phone. Photos of a trip would have deserved something better.

English lines: © My blog's visitors.

German lines: © Elkement.

This is not a translation.

It is an experiment.

the theory and practice of combining just about anything
quality assurance poem
funny ways to combine 2 cliches

Warum praktisch alles verbinden - wenn es theoretisch nicht geht?
Gedichte haben Qualität - aber bieten keine Sicherheit
Lustiger kann man Klischees nicht verbinden

hoops smoke effect
response to existentialism

Bunte Reifen hüpfen in glitzerndem Rauch
Die einzige Antwort auf düsteren Existenzialismus

poetry

intuitive understanding
shallow and deep reading

Intuitives Verständnis
Soll ich dieses Gedicht oberflächlich lesen oder in der Tiefe
die vielleicht nicht vorhanden ist?

poetry

non linear art
describes the tendency of the force

Nichtlineare Kunst
oder doch nur, was die Kraft uns vorschreibt.

poetry

polarize antifragile
what is the measure

Polarisierend und antifragil
Wie finden wir das rechte Maß?

poetry

blank sheet
trusted certificate

Nur ein leeres Blatt
oder doch ein vertrauenswürdiges Zertifikat?

poetry

google on my heat
myzen engineering

Wärme sollte man googeln
und Engineering ist Zen

poetry

build einstein refrigerator
steampunk heat sink

Bauen wir den berühmten Einstein-Kühlschrank
aber nicht ohne Kühlblech im Steampunk-Stil

poetry

call center puzzle
automatic clock

Callcenter geben uns Rätsel auf
nicht nur wegen der automatischen Uhren

poetry

chinese wall
scrapyard combines

Eine Chinesische Mauer
und was man sonst noch auf dem Schrottplatz findet

poetry

geonometric art
intersecting lines

Geonometrische Kunst
aber bitte nur Linien die sich schneiden

poetry

sitting gyroscope
entropy and no momentum/energy

Der Kreisel ruht
nicht so Entropie und Impuls

poetry

upward communication
i need to remember this

Erhebende Kommunikation
Ich hoffe, ich werde mich erinnern

poetry

elastic glancing collisions
least action

Streifender Einfall - wie elegant
die Wirkung ist minimal

poetry

center of mass
snippet shooting

Im Zentrum der Schwere
sollst Du das Schnippselchen wegschleudern

poetry

fringe science theories
intuitive symbols

Am Abgrund unserer besten Theorien
warten intuitive Symbole

which is more important
to just roll over bump

Was ist nun wichtiger
einfach nur schnell drüber und durch und weg?

Last link changed: Migration of classical CSP to CNG / KSP, and old but good MS overview on certificates for network authentication of devices.

PKI: Links and Resources

(elkement. Last changed: 2015-12-07. Created: 2014-03-04. Tags: Resources, Links, IT, PKI, Public Key Infrastructure, Security, X.509, Cryptography. German Version.)

This is my list of Links to white papers and the like that I have found useful (restarted 2014). It is not an attempt to create a balanced or educational list. I am adding what I need right now!

Comprehensive reviews of PKI issues

Analysis by Peter Gutmann who likes to throw rocks at PKI according to his bio:

Certificate validation

Request for Comments:

In Windows systems:

Cross-certification and hierarchies

Certificate enrollment

Links for Microsoft's autoenrollment are provided in more MS-related sections

Weird, hacked, forged certificates

PKI planning

Somewhat Microsoft-centric:

Windows PKI: Features and management

After I started compiling my own list, I found this - I will keep picking some of the microsoft.com links and publish them to this page though:

Some of the features required to run a Microsoft PKI in a larger, corporate environment:

Windows PKI 2008 R2 versus 2012 R2 and upgrade of hash algorithms

New features in 2012! Note: I started adding some of the detailed articles about specific features - NDES, templates - also to other sections. This section is for overviews covering many new features or cryptography / algorithms in particular.

New ways to leverage a TPM chip - key attestation by validation of an endorsement key. You could have used a TPM chip as a custom key store for the machine / SYSTEM in earlier versions of Windows (basically like a 'smartcard for machines') in case the vendor of the TPM chip or a vendor of crypto software provided a suitable CSP / CNG provider. Starting with Windows 8.1 as the end-entity's OS the CA (2012 R2) is able to check if the private key had really been stored to a TPM chip.

New algorithms:

  • Changing public key algorithm of a CA certificate - only the hash algorithm can be changed (for CNG providers), not the provider itself.
  • Upgrade Certification Authority to SHA256 - after the change of a registry key the CA signs anything with the new algorithm, including CRLs and its own CA certificate when renewed (Step-by-step-instructions).
    Attention - according to my experience with 2008 R2 the registry value for the hash algorithm is case-sensitive. Good: The change of the hash algorithm can be reverted easily. Bad: This is a per-CA setting, so once the algorithm has been changed all certificates and CRLs issued by that CA are signed using the new algorithm.
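The hash-algorithm change described in the two items above, carried through as an added example (not code from the original page), with the checks a practitioner wants before and after; the CRL file name is a placeholder:

```powershell
# Added example (not from the original page): move a CNG-based Windows CA from SHA1 to
# SHA256 signatures and verify the result. Run in an elevated session on the CA itself.
$crlFile = Join-Path $env:windir 'System32\CertSrv\CertEnroll\Example Issuing CA.crl'  # placeholder

# 1. Record the current provider and hash algorithm so the change can be reverted.
certutil -getreg ca\csp\Provider
certutil -getreg ca\csp\CNGHashAlgorithm

# 2. Set the new algorithm. The value is case-sensitive (the text above notes this for
#    2008 R2): write 'SHA256', not 'sha256'.
certutil -setreg ca\csp\CNGHashAlgorithm SHA256

# 3. The CA reads this setting at service start.
Restart-Service -Name CertSvc

# 4. Verify on something the CA signs right away: publish a fresh CRL and dump it.
#    (The CA certificate itself only gets the new algorithm when it is renewed.)
certutil -crl
$dump = certutil -dump $crlFile | Out-String
if ($dump -match 'sha256') {
    'CRL is now signed with SHA256'
} else {
    'CRL is still signed with the old algorithm - check the registry value and the CSP'
}

# Revert if needed (per-CA setting; affects every certificate and CRL issued from now on):
#   certutil -setreg ca\csp\CNGHashAlgorithm SHA1 ; Restart-Service -Name CertSvc
```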

Certificate and key stores

Windows client-side stores:

Encoding

Using certificates for authentication

Native Active Directory logon:

Webserver-based mapping (no directory)

Apple iDevices, SAP, and other non-MS clients

  • In contrast to Windows'/AD's native logon via UPN string mapping, SAP uses a 1:1 mapping of binary certificates to users:
    Single Sign-on mit SAP (part of a German book, assignment of the certificate is explained on p. 33)
  • Apple iPhones, 802.1x authentication against Active Directory using Windows RADIUS server (NPS)
    (promoted to blog post, summary kept here for traceability).
    • Properties of the certificate
      Subject CN: host/machine.domain.com
      Subject Alternative Name machine.domain.com
      Certificate Template (Windows Enterprise PKI): Copy the default template Workstation Authentication, Subject Name: Name as submitted with the Request.
    • Create the key, request and certificate on a dedicated enrollment machine and export key and certificates as PKCS#12 (PFX) file.
    • Create a shadow account in Active Directory
      dnsHostName: machine.domain.com
      servicePrincipalNames: HOST/machine.domain.com
    • According to my tests, the creation of an additional name mapping (as recommended here) is not required - SAN-DNS gets mapped onto dnsHostName in AD.
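The iPhone / 802.1x procedure above (request with CN host/fqdn and SAN fqdn, PKCS#12 export, AD shadow account) carried through as an added example; this is not code from the original page, and the device name, template name and CA config string are placeholders:

```powershell
# Added example (not from the original page): prepare a device certificate and the matching
# AD shadow account for an iPhone doing EAP-TLS (802.1x) logon against NPS / Active Directory.
$device   = 'machine.domain.com'                 # placeholder device FQDN (as in the text above)
$template = 'iOSDeviceAuthentication'            # placeholder: your copy of 'Workstation Authentication'
$caConfig = 'ca01.domain.com\Domain Issuing CA'  # placeholder CA config string (host\CA name)
$pfxPass  = Read-Host -AsSecureString 'PFX password'

# 1. Request file: the subject CN carries host/<fqdn> (the string the device sends), the SAN
#    carries the bare DNS name (what AD maps onto dnsHostName). The template must be set to
#    'Supply in the request' for the subject name.
@"
[NewRequest]
Subject = "CN=host/$device"
KeyLength = 2048
KeyAlgorithm = RSA
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$device"

[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path "$device.inf" -Encoding ASCII

# 2. Create key and request on the dedicated enrollment machine, submit, install (elevated).
certreq -new "$device.inf" "$device.req"
certreq -submit -config $caConfig "$device.req" "$device.cer"
certreq -accept "$device.cer"

# 3. Export key plus certificate chain as PKCS#12 (PFX) for the iPhone configuration profile.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=host/$device" } | Select-Object -First 1
Export-PfxCertificate -Cert $cert -FilePath "$device.pfx" -Password $pfxPass -ChainOption BuildChain

# 4. Shadow computer account: dnsHostName must equal the SAN DNS name, the SPN the subject CN.
#    (Requires the ActiveDirectory module and rights to create computer objects.)
$shortName = $device.Split('.')[0]
New-ADComputer -Name $shortName -SAMAccountName "$($shortName.ToUpper())$" `
    -DNSHostName $device -ServicePrincipalNames @("HOST/$device") -Enabled $true
```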

Network authentication of devices

  • Overview: Certificates for different services / protocols, like 802.1x or IPsec

PKI Applications

Started in 2014-10. Usual suspects such as S/MIME, EFS, 802.1x to be added as needed over time. See also the list of Technet Postings and the PKI FAQ.

Useful commands (in the Windows world)

Configuration parameters:

Emergency processes, for Windows.

  • Delete cached CRLs:
    certutil -setreg chain\ChainCacheResyncFiletime @now
    (For more options see this MS PKI team blog post)
  • Start a CA even if the revocation check on its own certificate has failed - set this flag:
    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  • Key Recovery:
    • Search for the archived keys of a specific user and create a batch script (CA admin permissions required)
      certutil -getkey domain\username >recovery-username.bat
      This script also contains the password of the p12 key file that will be created.
    • Run this batch file. This creates a single p12 file including all keys for this user. Pre-requisites: The user executing the script needs to have, in his/her store, one of the Key Recovery Agent certificates associated with each of the keys to be recovered. In addition CA Admin permissions are required and this needs to be an admin cmd session.
    • The batch file does the following for every key found:
      certutil -getkey [SerialNumber] [encrypted blob]
      certutil -recoverykey [encrypted blob]
      A temporary p12 file is created from every blob; then all p12 files are merged using
      certutil -mergepfx and all temporary files are deleted.

PKI and smart metering

Requirements for a smart meter PKI in Germany:
Sicherheitsinfrastruktur für „smarte“ Versorgungsnetze

An example: Smart Meter mit PKI Sicherheit

X.509 Certificate

(Not sure if I will ever update this.)

PKI Issues: Concise Summary

(elkement. Last changed: 2014-05-16. Created: 2014-03-02. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

Here I am documenting issues with X.509 certificates and Public Key Infrastructure I have encountered.

In the grand tradition of true geeks I use the most compatible format that alien civilizations might be able to read in millions of years - a simple text file (in a pre tag)


                             PKI  Issues
          Random collection by Elke Stangl, elke@punktwissen.at

------------------------------------------------------------------------
Certificate path validation

* Ambiguous chains and chains sent in SSL handshake. The web server
  sends the chain it prefers. If there are two valid chains, such as a
  shorter chain associated with an internal root CA and a longer chain
  connected to a cross-certificate issued by a public CA AND the server
  is available on 'internal' and 'external' networks (via a reverse 
  proxy) it will send the untrusted internal chain to external relying 
  parties as well.

* Some embedded devices cannot deal with chains - including earlier
  versions of CISCO PIX and Apple's iOS SCEP client. In order to get
  validation working you might need to: Import the subordinate CA to the
  root / 'CA' store or add the thumbprint of the sub CA where one would
  expect that of the root CA or vice versa.

* Some apps / devices cannot deal with a 'renewed' CA, that is: Two CA
  certificates with same subject names but different keys imported to
  the same CA cert. store. Unfortunately this is the default state of
  affairs if CA's life times are nested according to the shell model (CA
  certificates renewed at half of its validity period e.g.) CISCO fixed 
  a related bug some years ago.

------------------------------------------------------------------------
Names and encoding

* CAs may change the encoding of subject names of the certificates
  issued in relation to the encoding in the request. The subscriber may
  not be happy with that - and it can be quite a challenge to track this
  down if this client is a custom-made device / black box.

* CAs may reorder the X.500 components (Should we go O-->CN or CN-->
  O) and again apps that combine the binary name blob could fail.

* Details of the validation depend on the browser (version) used. I
  can't recall the versions unfortunately but some years ago some
  browser was happy to match certificates on names (neglecting encoding)
  while another did a binary check of names plus cross-checking AIA 
  versus SKI fields.

* I was surprised to see that Windows clients fall back on name only
  matching if they are not able to match on SKI / AKI. This gives the
  user a nice picture of a certificate chain, however an error message
  tells you that the certificates may be corrupt.

------------------------------------------------------------------------
Revocation checking

* Devices may have size limits - I recall 256kB for some of the older
  (?) ones. This would cause VPN and the like to fail if you would use,
  say, current cacert certificates or those issued by the Austrian
  public CA, A-Trust.

* I have seen Outlook failing often when trying to download such large
  CRLs as well - although the CRL servers were accessible. Fortunately
  there are some registry keys that allow for tuning the way Outlook
  deals with CRLs and related errors. Unfortunately you cannot manage the
  registry keys of the e-mail clients that receive your e-mail.

* OCSP is a solution to overcome the size issue but not necessarily
  the issue of current revocation information. The Windows OCSP server
  retrieves information from a CRL, and the validity period of OCSP
  responses is either that of the CRL used or of the OCSP signing
  certificate (the latter is two weeks by default). Sure, the caching
  behavior can be configured so the OCSP server would consult the CRL
  more often. Yet the responses sent to relying parties are still
  'long-lived'. As I understood the options the only way to really purge
  responses at the client earlier is to use an HTTP Expires header at 
  the OCSP server and hopefully the OCSP client does respect it.

* Deleting CRLs regularly should be a built-in option of PKI-enabled
  servers. VPN servers (CISCO, Nortel, Juniper) have been able to do
  this for a long time. Then you can configure CRLs in a way that allows
  for reasonable operations (that is, solving the issue: What happens if
  the CA runs into an issue when the CEO gives the yearly motivation
  speech at Dec. 24, 11:30 - when will you be able to spot the problem).
  CRLs would be allowed to live for, say, a week, but are purged at the
  validating server every, say, 3 hours. With Windows, you can do this
  in principle since Vista/Server 2008 was given a supported option
  to delete CRLs - but you need to create scripts to do it.

------------------------------------------------------------------------
How apps use certificates for authorisation
(in probably unexpected ways)

* Certificates might be used as files to be parsed for name-value
  pairs. I found something like an 'authorisation scheme' coded into 
  X.500 name fields.

* So-called LDAP group memberships: While some devices understand
  memberOf attributes, some so-called groups are based on parsing X.500
  names. Such as: Putting everybody with OU=External in the 'external
  group', 'external VLAN' etc. It can be a challenge to reconcile this
  with a concept of real groups in LDAP directories such as Active
  Directory.

------------------------------------------------------------------------
How users don't expect PKI-enabled apps to work.
(This could probably be used as a title for anything in this file)

* CRLs are blacklists not only used for blacklisting in the way admins
  expect it. Often people are surprised that network logon etc. will
  fail simply because the CRL is not accessible or expired.

* Sent items of encrypted e-mails in Outlook are encrypted. This comes
  as a painful surprise to users who had used smartcards (e.g. the
  Austrian National ID certificates issued by A-Trust) to encrypt their
  mails and whose card, used basically for other purposes (health
  insurance), has been retired / cut in two pieces. Ironically, it does
  not help that new cards are issued with the same keys as Outlook tries
  to find the associated certificate in the store first before
  'accessing' the key (via the CSP).

* CRLs cannot necessarily be pre-fetched - though this is what
  admins would like to do whose internal AD logon depends on
  certificates and CRLs issued by an external provider. Of course you 
  can build all sorts of hacks as mirroring an external LDAP server,
  periodically polling for CRLs etc.

* Windows NTAuth store and the number 1 misconception of how
  certificates are used for logging on to AD: UPNs in the SAN are
  automatically mapped to UPNs in AD (DNS names for machines). This is a
  string-based mapping - not a binary comparison of certificates or
  hashes - and the security hinges on the fact that the issuing CA's
  certificate has been distributed via an attribute in the so-called 
  NTAuth object in AD's configuration container. This means if you 
  somehow manage to get a highly privileged admin's UPN into a 
  certificate issued by an NTAuth-entitled CA you could impersonate that
  admin (logging in using smartcard for example). That's why it is a
  really bad idea to 'delegate' management of an enterprise CA AND
  management of certificate templates (the definitions of how cert.
  content is constructed and how certs. are issued - such as allowing
  for arbitrary names in requests) to the administrators of a child
  domain who on principle only want to issue certificates to their users
  or machines.

* Certificates are not necessarily more secure than machine logon in a
  Windows environment - comparing EAP-TLS using certificates configured
  as non-exportable (as per cert. template) and PEAP-TLS. Hacking the
  latter would require transferring / extracting the machine's password/
  Kerberos secrets / system state. 'Hacking' the former is not hacking
  at all as the 'not exportable' option can be overruled by a local
  administrator at enrolment. Since Vista/2008 this can be done in the
  GUI (certmgr.msc), before you needed to craft your key and request
  with certreq and submit it in a separate step to the CA.

* The advantage of certificates over PEAP-TLS is that they are more
  standards-compatible - but still the process can be painful (to equip
  print server boxes with certificates for example). To let iPhones do
  802.1x logon (to AD) via WLAN you need to add host/machine.domain.com
  to the subject CN (so that the device sends the correct string) and
  machine.domain.com to the SAN (so that AD-based mapping against the
  dnsHostName attribute does work). And of course you need a dummy /
  shadow object in AD with that DNS name and a service principal name of
  host/machine.domain.com.
  
* Accessing 'public' CAs' CRL is more difficult than expected - in
  particular if the validation is done by machine entities. Servers
  such as an Exchange server that should check CRLs for e-mail
  certificates on behalf of a web access user, or 'internal' web
  servers that should validate users' logon certificates, often cannot
  access 'the internet' and/or a proxy server is used in the context of
  users but not in the context of machines.

------------------------------------------------------------------------
Processes and the human factor

* It is always the seemingly simple processes and logistics that go
  wrong - that is: scheduling CA renewal or issuing a CRL signed by an
  offline CA infrequently. This is also true for well-managed
  environments.

* Offline CAs escape the usual monitoring processes. There is an
  inside joke about carefully naming an offline CA (e.g. the virtual 
  machine) so that it does not get deleted accidentally because 'it is
  never online'. Since I have encountered such an incident - a classical
  unfortunate connection of events - I don't laugh anymore.

* Freshly minted PKI consultants often take a very academic, PKI
  theological ((C) Peter Gutmann) approach. I was no exception. But who
  needs three tiers for an internal, "device / infrastructure" PKI
  really?
  
* Eternal CRL as fall-back solution. I have seen processes re HSM
  management gone wrong too often. Thus I recommend to create a CRL that
  will be valid until the related CA's certificate will be expired. In
  case an HSM is rendered inaccessible this CRL will provide business
  continuity.

------------------------------------------------------------------------
CA Operations

* CRL publication can fail due to the CA's issues with writing the CRL
  file to the file system. A virus scanner has once locked the temporary
  .tmp file and a (Windows) CA was not able to rename it to .crl.

------------------------------------------------------------------------
Law and politics

* Digital signatures on invoices transmitted electronically have been
  mandatory in Austria for a few years before the law has been changed.
  I wonder how agencies will ever check the signatures applied in these
  years by wildly varying technologies - XML signatures, signed PDFs
  (including CRLs or not, including time stamps or not), signatures
  stored on / provided by server-side components such as the 'mobile
  signature'...
  
* I wonder how cross-country checks of signatures on PDFs are ever going
  to work. Legal cross-certification does not imply technical 
  compliance. For validating Austrian Qualified signatures (ECC) with 
  Adobe Reader you need to install a plug-In AND know how to configure 
  advanced security settings. Otherwise error messages are misleading.
  
* Time-stamps have not been mandatory with digitally signed invoices in
  AT. Yet, Adobe Reader will report signatures as invalid in the future
  if the computer's clock time has been embedded. Fortunately some PDF
  signers allow for embedding CRLs or OCSP responses.
  
* My impression is that (in middle Europe) governmental organizations
  or organizations closely related to agencies are 'motivated' to use
  PKI-based technology provided by those CA operators that originally
  were founded to bring PKI and digital signatures to the masses.

------------------------------------------------------------------------
Enigmatic stuff to be investigated

* For some Windows 2008 R2 CAs built from scratch with a software-based
  key I saw the CA 'suddenly' losing access to its keys after it had run
  for some days properly, after some service re-start. I thought it is
  some issue with DPAPI protection of system keys, probably when some
  not supported virtualization software is used. Now I rather think it
  is due to a 'confusion' of chains: At the CA its own certificate is
  present in different cert. stores, the Personal store being associated
  with the private key, the CA store not so. But then I have seen some
  private keys also being indicated for certificates in a non-Personal
  store - causing some of the chains (in case of renewed CAs) to fail
  while others still work.

------------------------------------------------------------------------
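A read-only audit for the NTAuth / template-delegation risk described in the item "Windows NTAuth store and the number 1 misconception" above, added here as an example that is not part of the original text file; it assumes the ActiveDirectory PowerShell module and read access to the configuration container, and modifies nothing:

```powershell
# Added example (not from the original page): which CAs are in the NTAuth store, and which
# of them publish templates that let the requester supply the subject / SAN for a
# logon-capable certificate - the combination the text above warns about.
Import-Module ActiveDirectory
$pks = 'CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext

function ConvertTo-Thumbprint([byte[]]$der) {
    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)).Thumbprint
}

# CA certificates in the NTAuthCertificates object: any of these CAs can issue certificates
# that AD accepts for UPN- / dnsHostName-based logon.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
$ntAuthThumbs = @($ntAuth.cACertificate | ForEach-Object { ConvertTo-Thumbprint $_ })

# Templates with CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (bit 0x1 of msPKI-Certificate-Name-Flag)
# and an EKU that AD logon accepts (client authentication or smart card logon).
$logonEkus = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2'
$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pks" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage
$supplyName = @($templates | Where-Object {
    (($_.'msPKI-Certificate-Name-Flag' -band 1) -ne 0) -and
    (@($_.pKIExtendedKeyUsage | Where-Object { $logonEkus -contains $_ }).Count -gt 0)
})

# Enterprise CAs (enrollment service objects) and the templates each one publishes.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties dNSHostName, cACertificate, certificateTemplates
foreach ($ca in $cas) {
    $risky = @($ca.certificateTemplates | Where-Object { $supplyName.Name -contains $_ })
    [pscustomobject]@{
        CA                  = "$($ca.dNSHostName)\$($ca.Name)"
        InNTAuth            = $ntAuthThumbs -contains (ConvertTo-Thumbprint $ca.cACertificate[0])
        SupplyNameTemplates = ($risky -join ', ')
    }
}
# A row with InNTAuth = True and a non-empty SupplyNameTemplates column deserves a review of
# who may enroll for those templates and who is allowed to edit them.
```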

Kathmandu-05

Subversive Work

(elkement. Created: 2014-02-28. Tags: Work, Announcements, Subversive. German Version.)

The Element has tried hard to subvert the Modern World of Work. As discussed on this site often - but not necessarily in a way comprehensible to anybody - results are debatable.

The Strategy of Subversion was too complex in the long run - hence The Element now wishes to apply a Keep it Simple approach. It wants to ride real waves: Anything longer than a tweet is not a read anyway.

Up-to-date and meticulously updated information on the current elementary undercover disguise can be found here.

The Elementary Work Portfolio is truly diversified.

On Twitter its tagline reads:

Physicist, engineer, geek, dilettante science blogger, IT security consultant, search term poet, Subversive El(k)ement.

The Element indulges in working (playing) with technology, in particular if there is something to be hacked. As odd as this may seem - it especially likes heat pumps and digital certificates.

On subversiv.at we are still dedicated to spot the weird and the bizarre in daily working routines, mantras, and rituals.

Steampunk workstation

The Eerie Art of Spam Poetry

(elkement. Created: 2014-02-02. Tags: Spam Poetry, Poetry, Art, Spam Comments, Weird)

Spam poetry has long been underrated. I admit I have considered it something lesser - compared to the intriguing soothing voices of search terms.

But suddenly it was clear to me: Spam comments on blogs speak to me, originating from a parallel universe, a world taken right out of a gothic movie. A Victorian dark novel, perhaps blended with one by Douglas Coupland.

Spam poetry at its best has to be eerie. The rules are the same as for Search Term Poetry - phrases have to be taken from spam comments (submitted to my WordPress blog) without modification except truncation at the beginning or the end.

With hindsight I denote this post and spam poem as the point of time I - as an already seasoned spam poet - have found my true calling. And the protagonists in my poem obviously have as well:

searching for sanskrit tattoos

too enforced a Political platform
that roam across the surface over periods of numerous millions of years

Your house is valueble for me
Good luck for the next!

Use your music or television as a continuous background noise
Are you sure concerning the supply?

Teeth are not made of bone
Will there be a part 2?

If you are inside the horizontal scenery
The caribbean have an infinitely more elementary reach

The instruments that lag in real life, lag correctly
I lost track of what I had been performing

A creative bent of mind and an eye for detail
to a great extent kind of free in bizarre grades of refinement

Such is the case, you must purchase tokens
but eventually you have to deliver

Could it be only me or does it look like a few of these remarks come across like they are written by brain dead visitors?

Sanskrit writing on Dutch building (Wikimedia)

This is actually a translation of the title of a German piece I had written long ago (1998) on request of my high school

For better or for worse - those positions I defended back then did not change a lot. Today I probably hold even stronger opinions - however I rather declare them my personal opinions only. I sincerely do understand that there are people who are happy to play the game - and don't read any irony or critique into this.

I mean it. I have met academics who indulge happily and mischievously in optimizing their track record (tweak metrics) - just in the same way as a minority of corporate workers who have fun with metrics in the corporate world.

In 2012 I have blogged about my trading academia for being a computer consultant for small businesses here:

The Dark Side Was Strong in Me.

...

It’s a small-talk question, innocent and harmless. I have worked in the IT sector for about 15 years, about 10 years specialized in a very specific niche in IT security.

In the coffee-break during the workshop or when indulging in the late night pizza after 14 hours in the datacenter … you start talking about random stuff, including education and hobbies. And then you are asked:

But why is a *physicist* working in *IT security*?

Emphasis may be put on physicist (Flattering: Somebody so smart) or on IT security (Derogatory: Something so mundane). The profession of a physicist might be associated primarily with Stephen-Hawking-type theoretical research. In this case the hidden aside is: Why did you leave the ivory tower for heaven’s sake? Or simply put:

Young Jedi, why Did You – The Chosen One – Succumb to the Dark Side of the Force?

I have probably given different and inconsistent answers, depending on details such as the concentration of caffeine or whether the client was an MBA or a former scientist.

...

The gist of my story was (and still is - judging from the many stories shared by the contemporary post-ac / alt-ac movement):

  • Simply ignore people who explain to you that they had such high hopes for you and that you missed your true vocation.
  • Degrees in fundamental science are fun and mind-altering in a sense. You hone your analytical and mathematical skills (Yes, now I am using that pitch, too!) - but this does not mean they can be translated to real-world jobs in an easy way. At least not in a way that can be explained to the HR consultant with a degree in sociology.
  • You are accountable for doing that translation to the real world - you had better start doing that while studying. I didn't - and I know I was lucky.
  • Expect your not fitting in (academia, global corporations...) to be a matter of fact in life, to be dealt with by doing something. You may blog about it but better take action first.
  • The same goes for your not being fond of working long hours. There are people - academics as well as corporate colleagues - who either like it or feel over-working is forced upon them. Which is their pleasure or problem - not yours.

Though I still agree with my own post, it sounds a tad too much like justifying myself. We should be more unapologetic about our life-style choices. Just do it - as the well-known brand told us.

I am Not a Writer

(elkement. Created: 2014-01-26. Tags: Writing, Blogging, Websites. German Version.)

The internet is full of moonlighting writers who work in a day job to pay the bills but call themselves writers nonetheless.

I am not a writer despite having a bunch of blogs and websites. I can relate to their ambitions somewhat as I had mulled over working as a science writer or journalist at times. I even sent a job application to Austrian Broadcasting a long time ago.

Finally these ambitions did not get me anywhere. I feel I had to decide often between being a fence-sitting commentator or somebody who is in charge of and fully accountable for technical problem solving - and I always picked the latter.

Disclaimer: This is not to say that being an analyzing commenter or writer is something lesser. Sure, you can work as a problem solver and be paid for writing about some aspects of that, too. But I consider them nearly mutually exclusive options as far as my own career is concerned - in a positive way actually!

I just like writing on what comes to my mind in my spare time too much. I like it too much in a sense, and I don't want to entangle it with commercial transactions. Thus I don't do or plan to do: Blog posts that are sponsored in any way, visual ads, or affiliate marketing. The latter would be rather straight-forward as I write about books a lot. However, I use a free WordPress.com blog that displays ads as I don't pay for the no-ads feature.

I think I write in order to organize and develop my thoughts through writing. Even the fact that I have so many different sites is related to my considering websites experimental playgrounds. Nobody can escape the power of online feedback by likers and commenters, in particular when positive. But this is exactly the reason why I regularly return to ancient, non-interactive, and badly Google-ranked websites of mine like this one. I write under the assumption that somebody could and will read it - someday, and I might be held accountable. But I don't write for likes, just as I don't write for money.

Some blog postings of mine about blogging and writing:

On Science Communication

On Writing or: What Do I Need to Smoke to Understand Your Websites?

Website Resurrection: Status Report

Reconcile All This (Goals of This Blog)

A Blank Sheet of Paper

This site contains a messy collection of allegedly original creative texts which are most likely unintended plagiarisms of really subversive thinkers. This might be true for all pseudo-subversive websites but I do admit it.

The investment in the domain subversiv.at was found to correlate unambiguously with the exposure to a subversive business book: The Cluetrain Manifesto.

The Element holding that book, attending that management training in 2001

I am now plagiarizing myself:

The website – and the book – is a call to the people of earth and puts forward 95 theses, the first of them being Markets are Conversations.

You might say: Yawn. That’s web 2.0 – so what? And the site exhibits HTML design from the last millennium.

But bear with me and remember (people of earth) that this was 1999. Back then I was in charge of “managing” some of those infamous web projects and of operating “compliant” corporate web sites. That is: Theoretically I should have disciplined anarchic web site builders and forced them to use the corporate CI. Above all, they should refrain from ordering a domain and web space elsewhere, circumventing “corporate” and setting up their subversive departmental website. On the other hand I should have – theoretically – motivated people to add some content to the zombie corporate content management system nobody wanted to use.

But dictatorial directives – “All Web pages must be formally approved by the Department of Business Prevention” — throw cold water onto all that magic-mushroom enthusiasm. (Quote from Chapter 1)

Markets are conversations, and conversations between genuine human beings are at the heart of business. Corporations that ignore this are doomed.

In a nutshell that’s the message of the book, and in contrast to its deceptive simplicity, this is not one of those business books (if it is a business book at all) that make you think that an article in a magazine would have been sufficient to cover it all. The reason is that Christopher Locke, Rick Levine, Doc Searls, and David Weinberger tell their stories instead of stating a message. This makes the book remarkably self-consistent.

Continue reading here: Burn the Org Chart – if Not the Organization – Down to the Ground

The Elkement published its first Search Term Poem on its blog on 12-12-12. The first weeks of living as a practicing search term poet were exciting, intense... and heart-wrenching at times.

It designated itself as the leader of a new cult, attracted new comrades quickly, and transcended the scope of its art to other items from the virtual scrapyard such as spam comments.

But it was existentially frustrated by discovering - as usual - that it had just been a late adopter, at least with respect to spam poetry. Find an account of those tumultuous days here.

However, in relation to Search Term Poetry the jury is still out. Today, as per 12-02-14, it still believes it founded search term poetry.

This was the first poem based on terms delivered via Bing web master tools. Titles have been added, but search terms are unmodified - one line corresponds to one search term.

Bing poetry (1): On Web 3.0 – Animals Communicate via Household Appliances (I might re-consider this prosaic title)

anything new in microwave ovens?
just rodents
posts in dark
comment via microwave
the dark side is strong in this one

Bing poetry (2): On Theory and Practice

the word cliche address
theory of trying
i am trying to not get attached to a psychologist
i am interested in combining theory and practice
appropriately

On New Year's Eve the Elkement was rewarded with more great search terms. The following philosophical poem was crafted from a mixture of search terms harvested using WordPress stats, Google and Bing webmaster tools. And after all, this is a tightly managed project. Following the standard operating procedure we need to tick off search terms every quarter.

poetry by crowdsource
theory and practice are different in real life – poem
your search term
status report
resurrection project 2012

the darkside took me
combine 2 cliches
trying to be strong through art
nostalgia and steampunk
retro geek
being cliche

physicist philosopher
irony vs oxymoron
blank sheet theory
philosophy and weird intuition
f as in
fringe science theories
quantum physics in a nutshell
moonlighting with einstein
theory about stupid questions

microwave oven day 2012
can a mouse get in a microwave
rodent electric chair
a sustainable product

the first heat pump
it was built
fundamental research in physics done by outsiders
calculate -18+25-(-15)
full steam productions
vapor ever
braving the elements

dark side strong it is
newbie kafkaesque
meandering
how to avoid inflation
total topics kafkaesque
people become interested in the dark side and want to gain knowledge in using it to their advantage

wholeheartedly cliched?
original idea already cliche

Pannonian Winter

Intellectuals are scathing Facebook in error. This is not at all the preferred network of amateur food photographers, humblebragging spammers of personal success stories, or creators of uncalled-for inspirational quotes. It is more of a philosophy, a framework, and probably an -ism that we subversive artists have been waiting for.

About one year after having indulged in Facebook-inspired art, we are proud to present the results.

The Subversive El(k)ement has been on its meteoric rise to fame as a spam poet and search term poet since December 2012. However, only the most diligent historians of that sort of art know that the very first elementary search term poem has been published on Facebook. It is hard to find now due to a glitch with FB's timeline back then - one more telltale sign of the Siren Server (© Jaron Lanier) resisting subversion by poetry.

On December 6, 2012 the following poem saw the light of day 5 minutes before midnight. This poem has been stitched together from search terms submitted by the visitors of the Elkement's WordPress blog:

burn org chart
theory about stupid questions
just received a blank piece of paper in the mail
universe life combine
heat pump outer space
reconcile corporate goals
stiff wire instead of helium
sniffing of path
original idea already cliche
silly questions on microwave engineering
dead mouse smell around microwave

Find the complete and definitive history of Poetry from the Scrapyard here.

2013 in Books

(elkement. Created: 2014-01-04. Tags: Books, Reading, Philosophy. German Version.)

I read (many) books, and I often pick them in order to answer peculiar specific questions of mine. 2013 was dedicated to: Biographies of scientists, popular science, physics text books, and essays that defy categorization.

These are my top five books of last year:

The Strangest Man: The Hidden Life of Paul Dirac, Quantum Genius 

by Graham Farmelo.

Dirac trained as an engineer and searched for a job without success. He was driven by a top-down approach to physics: by the beauty of mathematical equations that eventually match a model of reality. Dirac’s usage of mathematics and his way of inventing new symbols (Dirac said he invented the bra) was said to give proof of his engineering mindset.

Ludwig Wittgenstein: The Duty of Genius

by Ray Monk.

It is a book for those interested solely in Wittgenstein’s life as well as for amateur philosophers who had tried to decode the Tractatus in vain (like myself). I am not sure if you can grasp the combination of his logical analysis of language and his allusions to the mystical without knowing about Wittgenstein’s debut in philosophy as Russell’s mentee on the one hand and his desire to be given the most dangerous task in World War I, in search of a life-altering experience, on the other hand. Peter Higgs has recently stated that he would not have been successful in today’s academic system. All the more are we flabbergasted when reading about Wittgenstein’s lifelong reluctance to publish anything.

Farewell to Reality: How Fairytale Physics Betrays the Search for Scientific Truth

...a sensationalist title. In my opinion Jim Baggott gives a rather balanced account of the history of physics – I would recommend this book to anybody who wants to understand what the big questions in fundamental physics have been in the past 100 years.

Quiet: The power of introverts in a world that can’t stop talking

by Susan Cain

...an eye-opener. I am typically considered an extremely extroverted person by people who know me personally. Cain tells me otherwise; my reluctance toward “social” company events gives proof of that. Probably I am a faker on a mission: Introverts are able to transcend their limits if they want to achieve their goals. I enjoyed Cain’s experiment of attending a Tony Robbins workshop for research purposes.

Antifragile: Things that Gain from Disorder

by Nassim Taleb.

This book belongs in a class of its own. In a nutshell, antifragility is the opposite of fragility. This definition goes beyond robustness. Taleb applies his ideas to very diverse aspects of life and work - from medicine (and detrimental iatrogenics) and personal fitness to politics and science / innovation. He has the deepest respect for small business owners and artisans - he is less kind to university professors, particularly those specialized in economics, and to employed managers, particularly those of banks. Some of Taleb’s ideas appear simple (to comprehend, not necessarily to put into practice), often of the What my grandmother told me variety – which he does not deny. But he can make a nerd like me wonder if some things are probably – simply that simple. In case you are not convinced, he also publishes scientific papers loaded with math jargon. Taleb mischievously mentions that his ideas, once called too trivial and obvious, were taken seriously after he translated them into formal jargon.

Find my detailed post on more great books here. I have also blogged about Taleb's books and ideas in more detail here, here, here, and here.

Personal website of Elke Stangl, Zagersdorf, Austria, c/o punktwissen.
elkement [at] subversiv [dot] at. Contact