Postings tagged with 'IT', listed in descending order by creation date. All Postings shown.

I have just published a similar but more concise article on my Wordpress blog. As usual, I try to provide useful information over there, whereas here I just follow my stream of consciousness.

I have written about all things physics for a long time, mainly on my blog since 2012, but I have never been quite satisfied with the result: too boring for experts, not exciting and popular-science-y enough for the 'educated public'. I think the reason was my hidden agenda, an agenda not even obvious to myself.

I wrote about phenomena and subfields I had just immersed myself in and (re-)learned about, either because they were very remote from the kind of physics I use on a daily basis, or because I was concerned with some aspect of them and wanted to complement that with 'more theory' for the fun of it.

In spite of that, I tried to keep a style that somewhat resembles your typical 'science communications', but that was most likely to no avail. Re-reading my old blog postings, I don't read so much about 'the physics' as about my own learning process. Or I remember what I actually wanted to write about but did not, so as not to violate the pop-sci agenda, so the result was something in between a learner's notes and sketches of ideas for popular presentations. For example, I (re-)learned Quantum Field Theory after all the news about the Higgs particle and the LHC. Both my experimental and theoretical background was in condensed matter physics, so it really took me a while to map what I had learned about so-called Second Quantization and many-body systems (described in a non-relativistic way) onto your typical QFT introduction that starts with Noether's Theorem and Lorentz transformations. Now, in order to drive that point home (in a blog posting) and to explain what was so interesting for me, I would have had to introduce all those concepts to a lay audience, which I considered futile. Or I was just too lazy to learn more LaTeX, or too hesitant to use equations at all. I noticed I went off on all sorts of tangents when I tried to run a series on QFT. I did exactly what I myself did not like about popular texts on theoretical physics: pontificate on more or less palpable metaphors about fields and waves, but not be able to really explain anything above a certain threshold of abstractness.

I gave up on my series before I could 'explain' what interested me most: how forces translate into the exchange of virtual particles, and how I actually knew about the 'Higgs field giving particles mass' without knowing anything more: I had learned about Anderson's mechanism in solid state physics and the Ginzburg-Landau theory of superconductivity. Perhaps that would have been a great example of symmetry breaking and that infamous sombrero potential typically used in pop-sci articles about the Higgs field?

I absolutely know that this may sound totally opaque – which is the reason why I only write about it here, on my website in that forgotten corner of the web, rather than trying to turn this into a blog post. Here, I follow my stream of consciousness and don't bother anybody on social media with it. There, I try to be somewhat entertaining and useful.

But even here, I try to write about something that somebody somewhere might be able to relate to, and here 'the internet' comes to the rescue: for better or for worse, no matter how seemingly unique, special, and eclectic your hobbies and professional specializations are, there is somebody somewhere on the net who indulges in the same combination of stuff. So, yes: it seems there is a growing community of hobbyist physics enthusiasts who feel the same and who 'practice' physics in the same way: professionals with a STEM background who seriously learn about physics in their spare time, like R&D managers writing textbooks about undergraduate physics or introductions to Quantum Field Theory. Like the IT server admin or the management consultant who write blog posts about what they have (re-)learned in their sparse spare time. Like the retired IT specialist who returns to what they originally studied: physics. Like me, who has an education mainly in applied condensed matter physics and works as a consulting engineer and IT consultant.

From a down-to-earth perspective, this hobby can be worthwhile and useful: I noticed that it sharpens the mind, even if I don't use that physics and math directly on a daily basis. It's this effect that makes the hackneyed saying about the 'analytical skills' of physics majors true. However, there is a caveat: yes, physicists may be good at any corporate job, but I think that in order not to lose your 'analytical edge' you need to practice the skills that originally shaped your mind. I don't know about research in psychology, so this is just my personal anecdotal experience. Living the corporate, inbox- and interrupt-driven work-style and having your mind scattered and distracted by social media does not help. There was a time in my life when I got up at 4:00 AM every day to re-learn physics, starting with Feynman's Lectures on Physics. Surprisingly, that investment was well spent. I felt my IT security concepts became crisper, more concise, and better, and it took me less time to compile them; so the ROI was great.

What triggered this article is my prime example of useful mathematics: while I had some background in QFT, there was one subfield of physics I had missed completely: the theory called 'most beautiful' even by the sober authors Landau and Lifshitz, the theory of General Relativity (GR). I had specialized in solid state physics, lasers, optics, and high-temperature superconductors, and GR was not a mandatory subject.

But I wanted at least to understand a bit about current research and those issues with not being able to unify quantum (field) theory and relativity. And I can relate to the poor consumers of my feeble attempts at pop-sci physics: when I read popular physics books, I enjoy them as long as I have some math background, although I feel that sometimes flowery metaphors make it more difficult to recognize something you actually know in terms of math. But when you would have to use new mathematical concepts, you cannot understand the metaphors at all. Digression: so it baffles me when people like articles about black holes, the universe, and curved spaces but complain about not perfectly comprehensible explanations of more mundane physics and engineering. I believe the reason is that you 'need not' understand wormholes etc., so you can just relax and scroll through the story, much like watching an illogical science-fiction movie. But mechanical engineering and simple thermodynamics feel like you 'should know it' and 'try a bit harder to understand it', and so they bring back memories of school and tests.

But as I said, there might be a small community of people who genuinely want to learn, despite – or because of!! – the so-called hard aspects: going through mathematical derivations again and again, and banging your head against the wall, until suddenly you understand. Which is a reward in itself, a feeling that's hard to share, and could and should not be shared anyway, in an act of subversive protest against our culture of craving for attention and 'likes'.

So for this community I'd like to share the resources I have picked for learning General Relativity: A set of free resources, each one complete and much more than just 'lecture notes'. Each of them also represents a different philosophy and pedagogical style, and I believe physics is learned best by using such a diverse set of resources.

One can debate endlessly whether and how to introduce the mathematical foundations used in some subfield of theoretical physics. As a physics major, you learn analysis and linear algebra before tackling their applications in physics, and/or some mathematical tools are introduced as you go (Hello, Delta function!). I think it does not make such a difference in relation to the first courses in theoretical physics, e.g. learning about vector analysis before or in parallel to solving Maxwell's equations.

I feel it gets more difficult the more advanced the math and the physics get, as you have to keep a lot of seemingly abstract concepts in mind before you are finally shown what 'you actually use that for'. But maybe it is just me: different presentations of GR seem 'more different to me' than different presentations of special relativity and electromagnetism.

In GR you can insist on presenting a purely mathematical and rigorous introduction of mathematical foundations first – your goal being to erase all false allusions and misguided 'intuitive' mental connections. Thinking about vectors in a 3D 'engineering math' way might harm your learning about GR just as too creative science writing might put false metaphors in your mind.

On the other hand, you could start from our flat space (our flat spacetime) and try to add new concepts bit by bit, for example trying to point out what curvature in 4D spacetime means for curvature in the associated 3D space, and what we might be able to measure.

Some authors use a mixed approach: they start with a motivational chapter on experiments, photons in an elevator, and co-ordinate transformations in special relativity … and then they leave all that for a while to introduce differential geometry axiomatically … until they come back to apply this to something tangible … until more mathematical concepts are needed again.

Sean Carroll does the latter in his Lecture Notes on General Relativity, which are actually much more than notes. He also published a brief No-Nonsense Introduction to GR that serves as a high-level overview, and he manages to keep to his signature conversational tone that makes his writings so enjoyable. Perhaps, if this was the only literature used, the mixed presentation plus digressions into special topics and current questions in physics would be a bit confusing.

But I was still searching for video lectures to complement any written text. A few years ago I had not found any comprehensive self-contained course, but in 2015 this series of lectures was published: recordings from an event called the Heraeus Winter School on Gravity and Light 2015, marking the 100th anniversary of Einstein's publication of GR. A nostalgic factoid I found most intriguing: the central lecture of the course, by Frederic P. Schuller, was given in the very lecture hall at my Alma Mater (Johannes Kepler University of Linz in Austria, JKU) in which I received my education in Theoretical Physics from Heisenberg's last graduate student Wilhelm Macke. Tutorial sheets and video recordings of tutorial sessions can be found on the conference website.

Schuller focuses on the math first, and this was really enlightening and helpful after I had used other resources based on a mix of intuitive physics and math. The YouTube channel of the event also has recordings of tutorial sessions, and I found some versions of brief lecture notes. I think this is a must, and it is unfortunately often overlooked or downplayed in the world of free 'MOOCs': in order to really learn math, you need to do problems, and you absolutely have to walk through every single step of every derivation. It is tempting to just skip the boring proof in a text (that you thought you understood), and it is even more deceptive to watch science videos and believe you understood something. So thanks a lot to my former university for making this course available to the public.

But I was still curious whether you can do without manifolds and stuff, without cheating, and I think I found the master of the genre. And again it is a signal from the past (my past): I had looked things up in the Landau/Lifshitz Course of Theoretical Physics when I worked at the university. But as the 10 volumes were quite expensive, I never bothered to purchase them later. Recently I jumped with glee: due to whatever quirk in copyright law, the Internet Archive made 9 of the 10 volumes available, and I downloaded them all. Browsing through the tables of contents I noticed that GR is actually explained in volume 2, The Classical Theory of Fields. I am totally smitten by their style, too: elegant, terse, detached. Much like Dirac's Principles of Quantum Mechanics. And I don't agree with those who say that the explanations are too terse: Landau and Lifshitz try to stick to tangible physics, and they use math in an ingenious way that mathematicians might call sloppy (like 'dividing' by differentials to yield a derivative). For that reason, one should consult other resources as well, but I think LL's GR is self-contained.

These books and videos will keep me busy for a while. I also try to interlace them with a bit of QFT again, e.g. by reading Dirac's version of it. My goal for next year is to complete first courses on GR, recapitulate what bit of QFT I learned in 2013/14, and then tackle an actual former specialty again: re-learning about theories of superconductivity, with an emphasis on how these methods are also used in particle physics.

It might be a dangerous thing to announce such grand plans on the web. But next year might be a busy one business-wise, and I need to brace myself accordingly.

Artist's concept of general relativity experiment. (Public domain - NASA - Wikimedia)

It's this time of the year ...

Self-Referential Poetry, Edition 2016

(elkement. Last changed: 2016-10-25. Created: 2016-10-24. Tags: Google, Flarf, Poem, Poetry, Self-Referential, Web, Weird, Writing. German Version.)

Time to poetry-size articles on this website again! As usual, I google for this site - using - and take one continuous, unedited snippet from each of the linked pages. Search results must be processed in the order Google shows them, and they must not be re-arranged later.


the Existence of the Matrix AKA Corporate World

I had literally been asked
Who will take care of my dear website in 200 years?

run off to the restrooms at a party
As all stressed managers and other pilgrims on the Camino de Santiago

Algorithms loom large
look more like a placeholder

I am trying to learn the terminology
Off-the-wall geek humor versus existential philosophical questions

But I was penalized for all this.
Don't think about it too long!

While I gravitated against quantum theory
what I had had in mind but never did
not igniting my entrepreneurial spirits yet

back-to-the-roots stuff will be migrated
I want to challenge my own ideas
in a pang of cheeky self-assurance

a grown-up physicist's biggest ethical dilemma
what I never wanted to know
one more telltale sign of the Siren Server (© Jaron Lanier) resisting subversion by poetry

Global corporations have their brand names tested for potentially unwanted connotations
Especially if they are appealing to your vanity

The proof by contradiction
Our village has changed its zip code
to enter a more detached state of mind

You can turn into your own cliché
I'll pontificate about anything nonetheless.
So after all - it was all worth it.

Each phrase becomes a line in this 'poem'
it is no good rationalizing too much

a small-talk question, innocent and harmless.
Physics or Engineering?

I suck at keeping to my own agenda
Do we need a new attempt?
books trigger some random thoughts of mine

you don't know how the story will unfold

I start a radical experiment: opening my blog's editor and typing what I think right now, while planning never to publish it to WordPress.

Contrary to what seems to motivate many freshly minted bloggers, and netizens inhabiting social web worlds in general, feedback and interaction had not been my primary goal. The appeal of writing 'in public' is that on principle somebody could read what you wrote, that the internet never forgets, and that you have to hold yourself accountable to what you wrote. Have to endure reading what you wrote when you were a different being.

The joy of my early web projects was also their subversive, semi-secret, and pseudonymous nature. Online spaces were wild places, blank sheets of paper, laid before me to hone my ideas.

There is another motivation for writing online, and it is as unrelated as possible to the philosophical approach: I enjoy crafting technical arguments, documentation of technical projects, and 'science writing' because I want to force myself to turn my thinking into a consistent linear thread. I want to challenge my own ideas, find the loopholes in my own arguments. I know that my blog articles may be either boring or opaque or both unless the reader has explicitly searched for content like that. But actually the latter audience is who I am perhaps writing for: I have found so much useful tech / science stuff online, for free and in sublime quality, for my professional work, my own education, my pleasure of reading, and I do not want to remain on the receiving end of this communication only.

My second motivation, tied to a minimum level of 'feedback' (page views by fellow geeks), only seems to work for my articles written on our German blog: we only blog about twice a month now, but despite the smaller theoretical audience of German-speaking readers, the other blog has many more views, and views are still increasing. My English blog has fallen into oblivion again since I blog only twice a month and/or since I focused more and more on energy, heat pumps, and the down-to-earth engineering and physics of everyday life.

These are my personal recent top articles in the Physics / History of Science category so far:

As for Engineering / providing how-to's and explanations for DIYers, I like those: And this is where Physics and Engineering meet, in a way I truly enjoy: When I blogged about quantum theory, basic and un-original as my articles might have been, my blog was 'viral' in comparison to that.

But ironically, a silent blog brings me closer to my other goal: using the silent online space to write just for me, while holding myself as accountable as possible. Last year I overhauled this / these website(s) here, and it turned more into a blog. Now I finally know what the purpose of having effectively two blog(-like) sites is:

Here, I give myself permission for introspection and self-centered updates. I don't share links anywhere on social media. If somebody wants to read this, he or she really has to be determined and go to the 20th page of Google search results. There is no interaction. Of course this is also a consequence of my minimal web programming, but feedback can be a blessing and a curse. You (or maybe only: I) tend to write more about what 'people have liked before', or at least you feel a little bit guilty if you expose your loyal readers to something unusual, which turns each new post into a challenge, one you'd like to dodge sometimes. My writing self is quite 'authentic' here, in modern parlance.

But I don't want to appear fake on my real blog, the one that has much more content than this page, much more carefully crafted, and I don't want my blog to die. My solution has been, for a few months now (I am only post-rationalizing here), to stay away from the autobiographical, from opinions, from the philosophical, from big ideas ... and to focus on hard things. The stuff I really know. I think The Internet would be a better place if people would only post or comment if they 1) had a thorough education on the subject, 2) practical experience with it, and 3) skin in the game, being personally exposed to risks and consequences arising from putting their opinions into practice. (In reverse order.)

So on my blog I just try to be useful (hopefully) to some tech and science enthusiasts, and perhaps a bit entertaining. If I will ever find a more useful 'spin' to what I have written here now, I might actually turn it into a blog article, like: What I learned from having two different websites. Why I stay away from opinion on the web. What I learned from tech / science blogging.

But for now this posting here will just remain some open-ended collection, snippets of my stream of consciousness, and I am copying these lines to a new 'post' at this silent website here and deleting the draft for a blog post.

Since 2012 I have published PKI status updates here, trying to answer the question 'Do you still do PKI?' (or IT). I have re-edited them often, and my responses were erratic - I was in a Schrödinger-cat-like superposition state of different professional identities.

Now and then I still get these questions. Can I answer them finally? I am still in a superposition state, and I don't expect the wave-function to collapse any time soon. I enjoy this state! But my answer to IT-related requests is most often no.

So yes, I am still 'working with IT' and 'with IT security' professionally. Not necessarily 'in IT'.

I am supporting a few long-term clients with their Windows PKI deployments and related X.509 certificate issues (after having done that for more than 10 years exclusively). Those clients that aren't scared off by my other activities, and clients I had always worked with informally and cordially. But I don't have any strong ties with specific PKI software vendors anymore, and I don't know about the latest bugs and issues. So I don't present myself as a Windows PKI consultant to prospects, and I especially decline requests by IT security partner companies who are looking for a consultant to pitch or staff their projects. I am also not interested in replying to Requests for Proposals for PKI or identity management and 'offering a solution', competing with other consultants and especially with other companies that have full-time staff doing business development (I hardly did this in my PKI-only time). I am not developing software anymore that might turn into an 'enterprise solution'.

Today I am working 'with IT' more than 'in IT' in the sense that I returned where I came from, as an applied physicist who was initially drawn into IT, armed only with experience in programming software for controlling experimental setups and analyzing my data: I call myself the 'theoretical department' of our small engineering consultancy - I am developing software for handling Big Monitoring Data. I am also tinkering with measurement technology, like connecting a Raspberry Pi to a heat pump's internal CAN bus.

Security is important of course: I have fun with awkward certificates on embedded devices, I sniff and reverse engineer protocols, and I could say I am working with the things in the Internet of Things. But I am not doing large-scale device PKIs or advising the IT departments of major engineering companies: My clients are geeky home owners, and we (the two of us) are planning and implementing our special heat pump system for them. An important part of such projects is monitoring and control.

So every time I feel that somebody is searching for 'a PKI consultant' I am the wrong person. But if somebody stumbles upon my CV or hears my story at full length - and absolutely wants to hire me just because of the combination of this - I might say yes.

But it is no good rationalizing too much: finally it is a matter of gut feeling; I am spoilt or damaged by our engineering business. Our heat pump clients typically find our blog first, which has been mistaken for a private fun blog by friends. Prospects are either 'deflected' by the blog (and we never hear from them), or they contact us because of the blog's weird style. Having the same sense of humor is the single best pre-requisite for a great collaboration. So whenever I get any other project request, not mediated by a weird website, I try to apply the same reasoning. Years ago, a colleague I had not met before greeted me in the formal kick-off meeting, in front of all the others, with: You are the Subversive Element, aren't you? (Alluding to my Alter Ego on That's about the spirit I am looking for.

... and first post published to the new site, live and public now :-)

For a short time, the old sites are still available in parallel to the new site.

Looking back, I mainly struggled with:

  • My flat-file database: accessing content and all meta information stored in text files, using standard SQL queries.
  • Redirect strategy: loads of existing redirects, temporary ones, permanent 301 ones, nice URLs without physical files...
  • Migration of the actual content, uniting what was separated in different sources - asp files, RSS feed, CSV file databases

See also my latest blog post. Which also contains the expected meta-musings on The Web.

Lest we forget - these were the old sites:, before migration 2015, before migration 2015, before migration 2015

Hacking away...

(elkement. Created: 2015-10-18. Tags: Web, Internet, Programming, Software Development, Websites, Blogs)

In the past weeks since the last update I've added the following features:

Web Application

  • XML sitemap including English and German posts - URLs and last changed date.
  • Make yearly archive URLs 'hackable', thus using just /[lang]/[yyyy] as archive URL.
  • Population of meta tags, using also open graph tags.
  • Adding 'breadcrumb' / 'where am I' information by highlighting the item just clicked in the menu and side bars: Current category, current post, current tag.
  • Assign an optional image to a post via related attributes: image source, image size or full image tag (for embedding Wikimedia images plus copyright information). If an image should be displayed but no source is given, add a standard image.
  • Display the image automatically on the bottom of the post and use it in the open graph image tag, to be used as a preview image. Calculate height and size from the image's physical size and intended width.
  • Create thumbnails of these images, to be shown in the list of posts in the category pages.
  • Store all global configuration settings such as tagline in a config file that uses the same [name:] [value] parsing logic as content files.
  • Migrate all existing posts on the sites,, and, and keep track of where the content came from. (One former .asp page contained one or more 'posts').
  • Use one default.aspx for all applications, differences depend on the app name. Example: Don't show post archive for the business page, but show latest posts from Wordpress blog feed instead.
  • Clean old content: Replace relative references (../) by absolute ones, replace CSS classes in tags. Move meta infos from content to new file attributes.

Web Server Settings and DNS

  • Tested the IIS URL rewrite module with a key map, to be created from Excel documentation. In case of issues with rewriting: Fall back to redirecting in a main ASP file.
  • Configure new host names and subdomains in DNS as primary URLs of the new applications. Add new host names for testing to reflect the already existing redirects plus the migration redirects plus the future standard redirects.
  • Modify the existing main default.asp, global.asa, and main asp script creating all pages to work with the new redirects (some duplicate code in asp and .net could not be avoided)

Redirect Logic

  • Host name determines application name: one main host name for each of the (3-4) applications. I will use a subdomain of as my new primary host.
  • Check if the application has been migrated, as per config parameters. If not the existing redirect logic and existing asp code kicks in - which sends the user to a subfolder depending on host name. This is for historical reasons as I had only one virtual web host in the old times, so e.g. redirected to
  • If the app was migrated, redirect all attempts to use a 'secondary' host to the new one. So e.g. accessing will be recognized as calling the elkement app and redirect to my new primary name.
  • Configuring the application as 'migrated' does not yet redirect any attempt to access one of the old articles. I will have to turn on my rewrite map or code for that.
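
The decision logic of this list, together with the rewrite-map test from the Web Server Settings list above, as a worked example. This is added code, not the site's own ASP / ASP.NET implementation, written in Python to keep the logic language-neutral; the host names, application names, legacy subfolders and the single rewrite-map entry are constructed placeholders. It adds one check the list does not spell out: the application is selected only from an allowlist of configured hosts, and the path echoed into a Location header is restricted to absolute paths, so a stray Host header or a '//other-host' path cannot turn the migration redirects into an open redirect.

```python
"""Host-based application routing with migration redirects (added example).

Not the site's own ASP / ASP.NET code. Host names, app names, legacy
subfolders and the rewrite map are constructed placeholders. The decision
logic follows the post: the Host header selects the application; an app not
yet flagged 'migrated' falls back to the old single-vhost subfolder redirect;
a migrated app sends every secondary host to its primary host; old article
URLs are redirected only once a rewrite map is switched on.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AppConfig:
    name: str
    primary_host: str                 # new canonical host name
    secondary_hosts: Tuple[str, ...]  # old / alternative host names
    migrated: bool                    # the 'migrated' config parameter
    legacy_subfolder: str             # subfolder on the old single virtual host


# Constructed configuration: the single old virtual host and the applications.
LEGACY_HOST = "old.example.net"
APPS = (
    AppConfig("elkement", "elkement.example.net",
              ("subversiv.example.org", "www.subversiv.example.org"),
              True, "/subversiv/"),
    AppConfig("zvillage", "z-village.example.net",
              ("zvillage.example.org",), False, "/zvillage/"),
)

# Rewrite map (old article path -> new routed path); constructed sample entry.
REWRITE_MAP: Dict[str, str] = {
    "/subversiv/physics.asp": "/en/2015/physics-postings",
}


def _norm_host(host: str) -> str:
    """Lower-case the Host header and drop any port."""
    return host.strip().lower().split(":", 1)[0]


def _safe_path(path: str) -> str:
    """Accept only absolute paths; '//host/...' or relative input collapses to '/'.

    This keeps the path we echo into a Location header from becoming a
    redirect to a foreign host.
    """
    if not path.startswith("/") or path.startswith("//"):
        return "/"
    return path


def _app_for_request(host: str, path: str) -> Optional[AppConfig]:
    """Select the app from the allowlisted host, or by subfolder on the legacy host."""
    h = _norm_host(host)
    if h == LEGACY_HOST:
        for app in APPS:
            if path.startswith(app.legacy_subfolder):
                return app
        return None
    for app in APPS:
        if h == app.primary_host or h in app.secondary_hosts:
            return app
    return None  # unknown host: never route or redirect based on it


def resolve(host: str, path: str,
            rewrite_map: Optional[Dict[str, str]] = None) -> Tuple[str, object, str]:
    """Return ('reject', 400, ''), ('redirect', 301, url) or ('serve', app, path)."""
    path = _safe_path(path)
    app = _app_for_request(host, path)
    if app is None:
        return ("reject", 400, "")
    h = _norm_host(host)

    if not app.migrated:
        # Old logic: one virtual host, every site lives in its own subfolder.
        if h == LEGACY_HOST:
            return ("serve", app.name, path)
        return ("redirect", 301, f"https://{LEGACY_HOST}{app.legacy_subfolder}")

    # Migrated: old article URLs are only redirected when the rewrite map is on.
    if rewrite_map and path in rewrite_map:
        return ("redirect", 301, f"https://{app.primary_host}{rewrite_map[path]}")
    # Any secondary host (or the legacy host) is sent to the new primary host.
    if h != app.primary_host:
        return ("redirect", 301, f"https://{app.primary_host}{path}")
    return ("serve", app.name, path)


if __name__ == "__main__":
    for req in (("subversiv.example.org", "/"),
                ("ELKEMENT.example.net:443", "/en/2015"),
                ("zvillage.example.org", "/anything"),
                ("old.example.net", "/subversiv/physics.asp"),
                ("evil.example.com", "/")):
        print(req, "->", resolve(*req, rewrite_map=REWRITE_MAP))
```

`resolve()` returns a plain tuple rather than writing headers, so the same decision can be driven from a rewrite module's key map or from the fallback script in the main ASP file, as the plan above foresees; passing `rewrite_map=None` reproduces the state where the app is marked migrated but old article URLs are not yet mapped.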

To Do

  • Complete all features for all applications before taking 'elkement' live. Mainly:
    - Feed parser for punktwissen,
    - 'image database' for z-village (using small posts with images effectively as entries in a table of images), add an option to show the large version of the image inline.
  • Maybe: Ordering of posts in category by changed date, not by created date.
  • Limit number of posts on main page and on tag's pages, number = global parameter.
  • Replace internal relative URLs to pages in the same virtual directory by absolute ones.
  • Maybe: Replace parent path (../) URLs in old code, to turn Parent Path in the ASP config off as soon as possible.
  • Migrate all content from side panes, header, and footer. Add images used before to new posts, re-use descriptions from old image database (TXT).
  • Take elkement live and test redirects and preview images (social networks).
  • If OK: Take the other apps live.
  • Fix bugs
  • Turn on redirects for old ASP pages.
  • Watch results in web master tools.
  • Inform Google about new URLs (Web Master Tools)

I've built the underlying 'flat-file database' (Details in this post), and my not yet public site has these features now:

  • Menu bar from pages.
  • Show all postings on home page
  • Recent posts and archive in left bar.
  • Tag cloud in right bar, tags created by grouping all posts' meta data.
  • 'Tag page': Show all posts tagged with a specific tag.
  • Indicate category of current posting by highlighting category in the menu.
  • Highlight currently clicked article in archive.
  • Menu page contains custom text plus automatically created list of all postings in this category.
  • Automatic creation of RSS feed.
  • CSS stylesheet and responsive design.
  • 'Nice' URLs - ASP.NET Routing.

Currently I am painstakingly migrating snippets of content to new counterparts / articles / text files.

For testing I am using a layout similar to my's blog design now:

elkement's new site, not public yet

We Interrupt Our Scheduled Programming ...

(elkement. Last changed: 2015-08-17. Created: 2015-08-11. Tags: Announcements, Web, Blogging, Websites, Programming, Webdesign. German Version.)

I am finally doing it:

Having run three different websites on a hopelessly outdated 'platform' (ASP) for nearly 15 years, I set out to:

  • Develop a new .NET site from scratch.
  • Merge all three sites -,, - into one.

This will take a while. I am really longing for programming for fun. I deliberately don't migrate to WordPress - I have two blogs and like them a lot, but I want this place I design from scratch just for the joy of it.

All existing subversive / Elke's / back-to-the-roots stuff will be migrated to the new site, and I try to go as gentle as possible on the old asp URLs afterwards.

However, this means I will most likely not manage to publish new content to the old versions of these sites while I am working on the new one in the background.

I will report on the progress on the main page of the old sites, and I will keep up my usual blogging over at

elkement tackling daunting project

I had been a PKI consultant since 2002, mainly working with European enterprise customers on designing and implementing their PKIs run inhouse. Now I am supporting some long-term existing clients with their PKI / X.509 issues but I don't take on new clients.

As a former Microsoft employee I have focused mainly on the Microsoft PKI, versions Windows 2000 / 2003 / 2008 / R2 / 2012 R2 - but I also had some exposure to various other PKI-enabled applications and devices. The fun part of PKI projects is in debugging weird issues that exotic or allegedly 'industry-grade' applications have with validating certificate paths, using keys etc.

Here is the often requested one A4 page summary, and here you can see that those PKI services are part of an ... uhm... odd combination of IT services.

  • I try to keep track of links, books, papers etc. I found useful and add them to this list. This is not intended to be the perfectly structured, 'educational' collection. I rather pick and add what I stumbled upon while working on PKI issues or discussing with other security freaks.
  • I started logging PKI issues here. The idea is to describe them most concisely, in TXT format.
  • Struck by vanity I made the collection of my modest own contributions a page in its own right. I am also trying to keep track of my postings to security forums in order to use those as my knowledge base.

I am originally a physicist (completed PhD in 1995), worked in R&D and switched to IT security. In 2013 I completed another master's degree called Sustainable Energy Systems and did a master thesis on smart metering and security (LinkedIn profile). Now I am a consulting engineer working with heat pumps that use a special heat source. Yes, I know - it is weird to combine that with PKI.

The security of the smart grid and internet of things [add more buzz words here] provides options to re-use my security know-how in the context of my new field. Such heat pumps may use control units connected to 'the internet' and all kinds of certificate-/PKI-enabled stuff might be involved here.

For five years I have given a yearly lecture in a master's degree program, then called Advanced Security Engineering at FH Joanneum. Here is the last version of the slides.

This is an image I called PKIs in the real world in this post.

PKIs in the real world. By Elke Stangl

(Re-visiting two months in WWW's netherworlds. I can prove my theory via two similar but independent and surreal events.)

As the saying goes, an expert is somebody who has committed every blunder in his or her discipline. It should be 'her' discipline as I have finally made it. I can prove it via two similar but independent (and surreal) events.

1) The Subversive Element's website had been hacked. Well, not quite, as it was the same web server but the URL pointing to The Element's so-called business identity.

Paranoia and panic were mitigated by the curiosity of the nerd. The Element spent countless hours dabbling with Google Webmaster Tools. That is: Not only clearing Google's cache from spammy URLs, but also scrutinizing all data available, for all websites including also the elkementary blog. And there we looked into an abyss:

2) Google's love for the elkement's blog was dwindling - by a factor of 100 within a few weeks.

But what an opportunity: Conspiracy theories running wild. In two blog postings, presented to THE INTERNET at a global level:

Of course I want you to click these links. The anatomy of a hack part is perhaps interesting. After all, I can still consider it correct, given most recent findings.

This does not apply to the elemental theories on Google. Here is the final explanation, in an incredibly brief posting, by elkement's standards:

tl;dr: All blogs had been gradually migrated to https only in the past months. In Google Webmaster Tools you need to add the https URL as an additional site. My traffic was tucked away in statistics for the https URL.

Facepalm (7839341408)

Facepalm, Tim Green from Bradford, Wikimedia.

Last change: Updated dead link to Austrian statistics on fuels and heating systems.

Heat pumps

Heat pump usage in different countries and history of heat pumps

Unusual heat sources

Sizing heat pumps - I am trying to learn the terminology of standards commonly applied in English-speaking countries:

Power grid and availability

Power generation

Hydro power plants

In Sweden the world's largest pumped hydro storage plant might be built:

  • See bottom of page 30 of this research paper:
    Besides the official estimations there are some discussions [28b] about building pumping capacity between the lakes Vänern and Vättern in Southern Sweden. The difference in altitude is 44 meters between these lakes.
  • ... and the last page of this presentation:
    Possible future? Mariestads Kraftverks AB & others 50 km tunnel between the lakes Vänern & Vättern Cost: 250 billion SEK. Installed capacity: 50000 MW.

Free long-term weather data

Input data for my own simulations.

Germany and Austria.


  • Climate data for the last decades. The navigation is something you need to get used to (Pick: Cities, Climate, Climate Robot...). Therefore I start with Ice Days for Vienna. It is a bit weird that available data seem to depend on the choice of the language (less data for Vienna in English).

Extreme Weather

The winter 1962/63 was the coldest in 250 years in Europe (German article: Winter 1962/63 in Europa. English article: Winter of 1962–63 in the United Kingdom).
More data from a talk / slides available at the website of the Royal Meteorological Society: The bitter winter of 1962/63 - this winter was unusually mild in Canada and Greenland (p.17)

Could such a winter ever happen again? "The 1963 winter is well within the population of other cold winters that have been experienced in this country ... It is not necessary therefore to seek some very special cause in order to explain it." – H.C. Shellard, Meteorological Magazine, 1968 (p.21 of PDF)

Different heating systems

Statistics for Austria: Heating 2003 to 2012 by fuels used and heating system (in Austria). Less than 15% of (primary) heating systems are stoves, and they have been on a decline in the last decade.

Units, heat values, energy costs

Tools for converting units

Heat values

Properties of water (for comparing the energy stored in a water / ice tank)

Costs of energy - international

Monitoring, Control, IT

Metering and monitoring electrical power consumption

  • Smart meters with data loggers and/or various interfaces for attaching loggers - to be installed behind the official smart meter:
  • Parsing an online monitoring website is perhaps the most universal 'real-time protocol' in case no other interfaces are available. E.g. by using PowerShell, I tested this with the local website of a Fronius Symo inverter and their web portal. One option: Start an InternetExplorer.Application COM object and identify the HTML element containing the interesting value by its ID (getElementById).
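
The approach sketched in the last item, as an added example that is not the author's own script: a function that loads the device's page in a hidden Internet Explorer instance, waits until the document is complete, reads one element by its ID and converts the displayed text into a number. The URL `http://192.0.2.10/`, the element ID `power_now` and the value formats handled by `ConvertTo-Watts` are assumptions; look them up in the page source of your own device.

```powershell
# Added example, not the author's script: poll one value from a device's local
# monitoring page through the InternetExplorer.Application COM object.
# Hypothetical assumptions: the inverter answers at http://192.0.2.10/ and shows the
# current power in an element with id "power_now".
function Get-WebPageValue {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ElementId,
        [int]$TimeoutSeconds = 30
    )
    $ie = New-Object -ComObject InternetExplorer.Application
    try {
        $ie.Visible = $false
        $ie.Navigate($Url)
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        # READYSTATE_COMPLETE = 4; by then the page's own scripts have run as well
        while ($ie.Busy -or $ie.ReadyState -ne 4) {
            if ((Get-Date) -gt $deadline) { throw "Timeout loading $Url" }
            Start-Sleep -Milliseconds 250
        }
        $element = $ie.Document.getElementById($ElementId)
        if ($null -eq $element) { throw "No element with id '$ElementId' on $Url" }
        return $element.innerText.Trim()
    }
    finally {
        # Always close the hidden IE instance, otherwise every poll leaks a process
        $ie.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($ie)
    }
}

function ConvertTo-Watts {
    # Accepts "2350 W", "2,35 kW" or "2.35 kW" (assumed display formats; adapt to the device)
    param([Parameter(Mandatory)][string]$Text)
    if ($Text -match '^\s*(\d+(?:[.,]\d+)?)\s*(k?)W\s*$') {
        $value = [double]($Matches[1] -replace ',', '.')   # the [double] cast uses the invariant culture
        if ($Matches[2] -eq 'k') { $value *= 1000 }
        return [int][math]::Round($value)
    }
    throw "Unexpected value format: '$Text'"
}

# Usage: append one sample per minute to a CSV file
# while ($true) {
#     $watts = ConvertTo-Watts (Get-WebPageValue -Url 'http://192.0.2.10/' -ElementId 'power_now')
#     "$((Get-Date).ToString('s')),$watts" | Add-Content -Path .\power.csv
#     Start-Sleep -Seconds 60
# }
```

Keep in mind that the IE engine executes whatever script the device's page serves. That is acceptable for a device on your own LAN, but the poller should not be pointed at pages you do not control, and it should run under an unprivileged account rather than an admin session.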

Manuals of data loggers by Technische Alternative GmbH (for control units UVR1611, UVR16x2)


  • Bus topology. Note that UVR1611 is automatically terminated by default.

Heating with computers

Computers installed in private homes provide their computing power to cloud services - while heating those homes.

Basics (Physics) - Mechanics, Electrodynamics

The Feynman Lectures on Physics

  • Volume 1: Mainly mechanics, radiation and heat.
  • Volume 2: Mainly electromagnetism and matter

Unglazed solar collector - part of the heat source of our heat pump system

(This compilation of links is static - no more amendments planned.)


(elkement. Last changed: 2014-12-16. Created: 2014-10-06. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

This is a compilation of threads in Technet forums, organized by topic.

Chain validation and revocation checking issues

Chaining and hierarchies

Time validity

Revocation lists

(For issues with SCEP and EFS, see the sections on applications at the bottom of this page.)

Windows PKI design, implementation, and maintenance

PKI AD integration and clean-up

CA migration, backup and restore and high-availability

Scripts and automation

Certificate generation and deletion (in personal stores)

Searching the CA's database and expiration notifications.

PKI configuration

Third-party CAs, compatibility

Windows PKI components and features - and related troubleshooting

Web Enrollment (ASP pages)

Simple Certificate Enrollment Protocol (SCEP) AKA Network Device Enrollment Service (NDES)

Windows OCSP: Errors and Pitfalls

  • White papers on how to make OCSP servers and CRL web servers highly available? There is an article for OCSP; for CRLs it is just a plain simple web server.
  • The /ocsp/ application directory is not created before the role service has been configured. However, revocation configurations can be created before that, using the MMC - this causes an HTTP error 404 although Online Responder Management reports 'all green'. [ref]
  • Third-party validator (Axway) causes CryptoAPI to look only for OCSP URLs but OCSP is not used. Root cause finally was: CRL not accessible to the validator. [ref]
  • OCSP Responder issues: Misunderstanding about how to use one Responder for different CAs, and how an array should work. Additional interesting issue: Adding the Intermediate CA certificate to Trusted Root store can cause an error 403.16 in IIS and thus break certificate validation!
  • OCSP design: Use a dedicated OCSP server?

HTTPS-based enrollment via CEP/CES

(Auto-)enrollment troubleshooting

Kerberos troubleshooting

Certificate templates


Certificate and request attributes and extensions, and how to create requests

Certificate Subject Name and Subject Alternative Name, and tools and processes for CSR creation. Overlap with section on Scripts and automation.


Hash algorithms

Cross-forest certificate enrollment and multiple domains.

PKI Applications

SCEP is listed under Windows PKI components.

Logon against AD

SSL web servers

See also the section on Certificate and request attributes and extensions above.

LDAPs, DC certificates

  • Concerns re expired DC certificates. Can a DC be rebooted safely? Yes, as certificates are not required for 'standard AD functions'.
  • Easy-to-manage solution for LDAPs (only) - PKI to be avoided (?) Theoretically one might distribute a self-signed server certificate (with multiple SANs) just as a CA. I would not try to re-use an existing server's certificate as a CA certificate. As usual, I am wary about non-SSL-capable crypto providers. In case a simple 1-tier PKI is created today, templates could be moved to a well-planned 2-tier PKI later.
  • Domain Controller uses the wrong certificate for LDAPs. My suggestion was to supersede the current template with one that allows for issuance of certificates that will expire after the unwanted third-party certificate. Another user provided instructions on how to use the AD (NTDS) service's certificate store instead of the machine's store.
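
The first thing to check in the 'wrong certificate' case above is which certificate the DC actually hands out on port 636. Here is an added example (not the author's code, not from the thread) that opens a TLS connection to a DC and prints the server certificate's subject, SAN, issuer, expiry and the template it was issued from. The DC name `dc01.corp.example.com` is hypothetical. The validation callback deliberately accepts any certificate: the point is to see what is presented, not to trust it.

```powershell
# Added example, not the author's code: show the certificate a DC presents on LDAPS.
# Hypothetical DC name: dc01.corp.example.com
function Get-LdapsServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = $null
    try {
        # Diagnostics only: accept whatever the server sends so we can inspect it
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject Alternative Name (2.5.29.17) is what LDAP clients match the host name against
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join '; '
        # Windows-specific template extensions (v1 name 1.3.6.1.4.1.311.20.2, v2 OID 1.3.6.1.4.1.311.21.7)
        $template = ($cert.Extensions |
                Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
                ForEach-Object { $_.Format($false) }) -join '; '
        [pscustomobject]@{
            Server     = $Server
            Subject    = $cert.Subject
            SAN        = $san
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Template   = $template
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Usage, run on any domain member:
# Get-LdapsServerCertificate -Server 'dc01.corp.example.com'
```

Compare the thumbprint with the candidates in `Cert:\LocalMachine\My` on the DC (and, if the NTDS service store is in use, in that store): the certificate you see here is the one Schannel selected, and if it is the unwanted third-party one, the fix is to make sure it is superseded, removed, or overruled by the NTDS store as discussed in the thread.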

RADIUS / NPS and 802.1x

Exchange Server

Outlook and SMIME

EFS - Encrypting File System



Third-party LDAP clients



Windows VPN client


Office Macro and document signing

Key stores and cryptographic providers

Crypto general

Software stores

Using an HSM as key store

Silent waters. Northwest of Tenerife, 2004.

... an odd combination probably.

But I have a penchant for combining anything. For me IT security, physics, and engineering are all connected naturally, and not only through my biography.

The communication between the devices making up the internet of things needs to be secured. Public Key Infrastructures may provide the X.509 certificates needed to do this.

Physics provides on the one hand the underpinning of engineering; on the other hand mathematical methods used in physics can be applied to all kinds of complex systems. There is some truth to this satirical explanation of the relation between Feynman diagrams, certificate validation, and hydraulic designs.

But philosophical musings aside, on a daily basis I simply like to play with technology: Exploring how applications and systems use digital certificates and how they can or can't be 'hacked'. How to build ('hack') a technical solution using off-the-shelf components? How to develop a simulation tool from so-called simple 'Office software'?

Postings in Technet Forums

(elkement. Last changed: 2015-04-01. Created: 2014-07-29. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

In 2014 I had resumed posting to security forums in the Microsoft Technet community. I have been using these threads as my personal knowledge base.

Here is a feed on recent activity. Seems my mission has come to an end by the end of 2014!

A list of all my threads is also generated automatically but I am hand-curating them here again.

I am not using the original thread title but another one that makes me remember the discussion more easily; and I add a short summary. The date is the date of my first reply in this thread.

(Last changed: April 1, 2015. Added last threads I contributed to in December 2014.)

Insert some years during which I was just busy doing PKI but not contributing to the community. I try to compensate for that now!

  • [2009-07-16] What is PKI compatibility? It depends on what is compared: Certificates and their fields, key stores and access methods, request structure, protocols to enroll for certificates,...
  • [2009-07-16] Notification e-mails sent by the SMTP Exit module contain variables instead of values. Might be an issue of using the variables in a script versus running the commands interactively. In a script the % needs to be masked by another %.
  • [2009-07-16] Windows CA and redundancy: Does a second CA help? Templates are redundant in AD anyway. A second CA does not help as it uses a different key and cannot sign CRLs on behalf of a failed first CA automatically. For risk mitigation the CRL validity period should be configured for a few days or whatever is needed to detect and fix an issue in the worst case. Redundancy could be achieved with fail-over clustering.
  • [2008-11-09] Planning fail-over clustering for a CA, in particular how to migrate an existing non-clustered CA into the cluster. Clustering is only supported with HSMs(*). As for the names it can be done but the legacy of LDAP objects and HTTP URLs that contain the old machine name makes that rather messy. Suggestion: Use a new clustered CA setup from scratch with proper names and create a long-lived CRL for the existing CA before retiring it.
    (*) Learned in 2014 that this is not true (anymore?)
  • [2008-10-01] How to configure CRL URLs for offline CAs. It seems either a CRL has not been copied to the CRL server denoted in the CDP or the defaults have been used and the URL points to the Root CA itself. Brief outline of process.
  • [2008-09-23] Variables in CA configuration (starting with %) do not get replaced by their values. Turned out to be a copy and paste error as the lines have been copied to the command window directly.
  • [2008-09-19] Limit PKI usage to one domain - how to set permissions. The CA is a forest resource, but permissions for domain-specific groups can be set at the CA (Request Certificates right), or permissions on all templates could be limited to groups from this domain.
  • [2008-09-18] Time zones and clock skew. Validity dates in certificates are encoded in Universal Time (UTC, 'Z' time), so they are unambiguous across time zones. Only a clock skew of 10 minutes is tolerated by default, to avoid false not-yet-valid errors.
  • [2008-07-28] Checking and changing validity periods of CRLs as the default period of a week is too short for a typical Root CA. Overview on how to set the validity period in Properties of Revoked Certificates and - optionally - overlap by editing the registry.
  • [2008-07-28] Requirements for macro signing certificates. I suggest to time-stamp macros as otherwise (even if signed) signature would be considered invalid when the signer's certificate has been expired.
  • [2008-07-26] Certificate services simply fails to start after setup. Not clarified but another user indicated that in his certocm.log a permissions error was logged when he saw the same error - using the domain admin resolved it.
  • [2008-07-26] Sending certificate requests to an untrusted forest. Ideas: Automate the creation of requests and let a service user account from the CA forest fetch the requests, send them to the CA, and collect the certificates. Alternative: Simply use an AD user of the forest where the CA resides and use the certsrv web application to create keys and requests.
  • [2008-07-12] Autoenrollment issues - an XP client does not autoenroll though manual enrollment works, and the event log says that Autoenrollment has been completed successfully. Potential root causes: 1) There is already a certificate of that type in the store and the setting Do not re-enroll if a duplicate certificate exists in AD has been set. 2) Weird but known issue with credential roaming sometimes falsely archiving certificates.
  • [2008-07-01] Wild-card certificates - feasible but not recommended as there is a slight chance clients may not recognize the wild-card character.
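
The two threads on CA redundancy (2009-07-16) and on CRL validity periods (2008-07-28) both come down to the same question: how long does a published CRL stay valid after the CA stops publishing? The following is an added example, not from the threads, that reads the CRL settings of a Windows CA from its registry configuration, computes the window the CA will stamp into its next base CRL, and sets a longer overlap with certutil. It runs on the CA itself with CA Administrator rights; the CA name `Contoso Root CA` is hypothetical. The rule that an unset overlap defaults to 10% of the period (at most 12 hours), and that `ClockSkewMinutes` widens the window at both ends, is my understanding of the Windows CA behaviour and labelled as an assumption in the code; compare the result with `certutil -dump` of a real CRL before relying on it.

```powershell
# Added example, not from the original threads: compute the validity window of the next
# base CRL from the CA's registry settings and adjust the overlap.
# Hypothetical CA name: 'Contoso Root CA'. Run elevated on the CA.
$script:CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Add-Period {
    # Advance $Start by $Units of $Period, using the unit names the CA stores (Days, Weeks, ...)
    param([datetime]$Start, [int]$Units, [string]$Period)
    switch ($Period) {
        'Seconds' { return $Start.AddSeconds($Units) }
        'Minutes' { return $Start.AddMinutes($Units) }
        'Hours'   { return $Start.AddHours($Units) }
        'Days'    { return $Start.AddDays($Units) }
        'Weeks'   { return $Start.AddDays(7 * $Units) }
        'Months'  { return $Start.AddMonths($Units) }
        'Years'   { return $Start.AddYears($Units) }
        default   { throw "Unknown period unit '$Period'" }
    }
}

function Get-CACrlSchedule {
    param([Parameter(Mandatory)][string]$CAName)
    $cfg = Get-ItemProperty -Path "$script:CertSvcConfig\$CAName"   # fails if the CA name is wrong
    $now = (Get-Date).ToUniversalTime()
    # Assumption: ClockSkewMinutes (default 10) is subtracted from ThisUpdate and added to NextUpdate
    $skew = if ($null -ne $cfg.ClockSkewMinutes) { [int]$cfg.ClockSkewMinutes } else { 10 }
    $periodEnd = Add-Period -Start $now -Units $cfg.CRLPeriodUnits -Period $cfg.CRLPeriod
    if ([int]$cfg.CRLOverlapUnits -gt 0) {
        $overlapEnd = Add-Period -Start $periodEnd -Units $cfg.CRLOverlapUnits -Period $cfg.CRLOverlapPeriod
    } else {
        # Assumption: with no explicit overlap the CA uses 10% of the period, capped at 12 hours
        $tenPercentTicks = [long](($periodEnd - $now).Ticks / 10)
        $overlapTicks = [math]::Min($tenPercentTicks, [timespan]::FromHours(12).Ticks)
        $overlapEnd = $periodEnd + [timespan]::FromTicks($overlapTicks)
    }
    $nextUpdate = $overlapEnd.AddMinutes($skew)
    [pscustomobject]@{
        CA                    = $CAName
        PublishEvery          = "$($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"
        Overlap               = "$($cfg.CRLOverlapUnits) $($cfg.CRLOverlapPeriod)"
        ThisUpdate            = $now.AddMinutes(-$skew)
        NextUpdate            = $nextUpdate
        # Time left to repair the CA if it dies just before the next scheduled publication:
        # only overlap plus skew, not the whole CRL period
        WorstCaseRepairWindow = $nextUpdate - $periodEnd
    }
}

function Set-CACrlOverlap {
    param(
        [Parameter(Mandatory)][int]$Units,
        [Parameter(Mandatory)][ValidateSet('Hours', 'Days', 'Weeks')][string]$Period
    )
    & certutil.exe -setreg CA\CRLOverlapUnits $Units | Out-Null
    & certutil.exe -setreg CA\CRLOverlapPeriod $Period | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed ($LASTEXITCODE)" }
    Restart-Service -Name CertSvc       # CRL settings are read at service start
    & certutil.exe -crl | Out-Null      # publish a CRL with the new window right away
    Get-CACrlSchedule -CAName (Get-ItemProperty "$script:CertSvcConfig").Active
}

# Usage:
# Get-CACrlSchedule -CAName 'Contoso Root CA'
# Set-CACrlOverlap -Units 3 -Period Days
```

`WorstCaseRepairWindow` is the number that matters for the redundancy discussion: a second CA does not extend it, a generous overlap does. For an offline root, the CRL also has to be copied to the CDP location after `certutil -crl`, which the script does not do.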

I had created as a German-only site in 2003, with the intention to dump my pseudo-philosophical musings on science, philosophy, and culture somewhere. radices should remind me of my roots - in physics. Since I am already maintaining too many websites and blogs, in German or in English or in both languages, it took more than 10 years until I finally started an English version of this site.

radices = Roots!

(elkement. Last changed: 2015-02-20. Created: 2014-06-01. Tags: PKI, Public Key Infrastructure, IT, IT Security, X.509, Announcements. German Version.)


radices is roots in Latin. And accidentally there is a pun, perhaps as hackneyed as roots of all evil. As a security consultant I built lots of Root CAs, the top anchor in the hierarchies that are called Public Key Infrastructures. shall now be dedicated to what online gurus and internet philosophers call curating today. Which means I just dump links to stuff I am interested in and add some basic structure by headers. radices was a German science pseudo-blog but it also was an experiment in organizing content - so I have come full circle.

About my PKI activities

I had been a PKI consultant since 2002, mainly working with European enterprise customers on designing and implementing their PKIs run inhouse. Now I am supporting some long-term existing clients with their PKI / X.509 issues but I don't take on new clients.

As a former Microsoft employee I have focused mainly on the Microsoft PKI, versions Windows 2000 / 2003 / 2008 / R2 / 2012 R2 - but I also had some exposure to various other PKI-enabled applications and devices. The fun part of PKI projects is in debugging weird issues that exotic or allegedly 'industry-grade' applications have with validating certificate paths, using keys etc.

Here is the often requested one A4 page summary, and here you can see that those PKI services are part of an ... uhm... odd combination of IT services.

  • I try to keep track of links, books, papers etc. I found useful and add them to this list. This is not intended to be the perfectly structured, 'educational' collection. I rather pick and add what I stumbled upon while working on PKI issues or discussing with other security freaks.
  • I started logging PKI issues here. The idea is to describe them most concisely, in TXT format.
  • Struck by vanity I made the collection of my modest own contributions a page in its own right. I am also trying to keep track of my postings to security forums in order to use those as my knowledge base.

I am originally a physicist (completed PhD in 1995), worked in R&D and switched to IT security. In 2013 I completed another master's degree called Sustainable Energy Systems and did a master thesis on smart metering and security (LinkedIn profile). Now I am a consulting engineer working with heat pumps that use a special heat source. Yes, I know - it is weird to combine that with PKI.

The security of the smart grid and internet of things [add more buzz words here] provides options to re-use my security know-how in the context of my new field. Such heat pumps may use control units connected to 'the internet' and all kinds of certificate-/PKI-enabled stuff might be involved here.

For five years I have given a yearly lecture in a master's degree program, then called Advanced Security Engineering at FH Joanneum. Here is the last version of the slides.

My Articles on IT Security, Monitoring, PKI.

(elkement. Last changed: 2015-11-07. Created: 2014-06-01. Tags: Postings, Blogging, Resources, Links, IT, Monitoring, PKI, Security, X.509, Cryptography. German Version.)

My lecture slides on PKI and security are a bit dated already, I add them for completeness though.

Articles on my blog are targeted to a broader audience - perhaps they are too 'philosophical' for security experts. See the complete list of postings below, after the image.

X.509 Certificate

This article has originally been cross-posted to all of elkement's sites (,, These are questions worth some subversive thoughts. The Element is webmaster of a growing universe of weird sites since 1997. The first site was even a commercial one. Crafted with MS FrontPage 98, no less. The Element's Alter Ego, Elke Stangl, tries to answer all of them in the following meta analysis. (I am still looking for more levels of self-reference here -

Why Am I Online?

(elkement. Created: 2014-05-16. Tags: Writing, Blogging, Websites, Web, Netizen, Geek, Announcements, About)

Since 1997 I have been maintaining personal and business websites but I haven't joined the social media borg cube(s) before 2012. You can find a brief overview on all projects, that is a collection of icons plus some more or less funny comments here.

Here I try to keep track of why I am doing this, and I only comment on those pages or blogs which I consider a project of some sort.

My personal blog is where I finally try really hard to unite all the things again that have been scattered across different sites before, and across different parts of my life - probably of my very self. I am quite satisfied with the structure I have added in April 2014 - main 'category' pages that list individual posts.

This kind of structure is probably what I would have wanted to achieve by splitting my personal space into three distinct realms in 2002: an ancient predecessor of the modern About page. It always got more serious than I wanted it to be - especially the German pages. But this is probably because I have outsourced the fun parts to the subversive site, and it might have triggered that idea that I absolutely have to run a bilingual site. I am still baffled by my own unwillingness to translate - I either write something in German or English, and only with utmost discipline do I translate it. I rather let it rest and write a different and only loosely related version in the other language.

Before the Subversive El(k)ement had its own blog, it had its own site: This was inspired by quotes from The Cluetrain Manifesto about subversive hyperlinks, and it alluded to my weird split responsibilities as so-called corporate IT manager on the one hand, and as a supporter of subversive webmasters of 'non-compliant' sites on the other hand. Over the years I have added many layers of meaning to that.

I re-discovered the joys of playful nonsense, wordplay, self-referential comments disguising my ambiguous opinions. This can be seen as what later was to become Search Term Poetry and Spam Poetry. Today I re-use such poems from my blog and enrich them with German translations on the subversive site.

My science & technology site should focus more on content and less on my personal woes. I was not successful with respect to the latter. Started as a German-only page the effect of over-solemnity was probably worse. I think it did get better after I was done with soul-searching and heart-wrenching career changes - and writing about those with hindsight.

In autumn 2013 I decided this site should become home to the grey area between my interests and hobbies - e.g. as an amateur student of quantum field theory and dilettante science writer - and those parts of my professional life related to it. Translated to English I called it my Practice in Natural Philosophy tongue-in-cheek. But since I can't help but preferring to write about science and philosophy in English, the German site was / is more or less a link dump - using links from my English blog, and our German 'company blog' (see below).

I got hooked again on classical cryptography and IT security - and I finally want to start what I had had in mind but never did some years earlier: Finally 'curate' all my favorite resources, document interesting anecdotes, and in general give back something to a community that had helped me out so often - when I found the much-needed solution via the ultimate oracle, Google. So at the beginning of 2014 I mainly updated the PKI pages.

But this was not for a German audience, but for an international one. My English blog postings on security are what I really wanted to write, and these should be complemented by a Resources page. I finally did it - I made this website bilingual, too. The English version hosts nothing but the PKI stuff, and thankfully radices means Roots and there is something like Root CAs. Totally coincidental as the original intention was to re-connect with my roots as a scientist.

My business page is where I / we pretend to be serious. However, our rather peculiar diversified portfolio, as I like to call it, thwarts these attempts (hopefully).

I said we have a business blog (though it is not necessarily discernible as such). Here it is: You can see our work there, sort of, and we use a story-telling approach (And I am trying now to use a sounding-like-business approach). These are the stories of us, the two settlers, who tell their stories about physics, renewable energy, and our related adventures.

The punktwissen blog is successor to the legendary site, bringing news from the village at the end of the internet to the internet community. This page was maintained solely by Somebody Doing Anything Nobody Wants to Do - I was (am) just the programmer.

And there was a grand, 'corporate' version of the quaint little village, this was (is) EPSI - a prestigious middle European Think Tank dedicated to: Elementary research, painting blogs, collecting space and doing something.

Now you know.

All the other social media stuff is tangential, ephemeral and fleeting.

Last link changed: Migration of classical CSP to CNG / KSP, and old but good MS overview on certificates for network authentication of devices.

PKI: Links and Resources

(elkement. Last changed: 2015-12-07. Created: 2014-03-04. Tags: Resources, Links, IT, PKI, Public Key Infrastructure, Security, X.509, Cryptography. German Version.)

This is my list of Links to white papers and the like that I have found useful (restarted 2014). It is not an attempt to create a balanced or educational list. I am adding what I need right now!

Comprehensive reviews of PKI issues

Analysis by Peter Gutmann who likes to throw rocks at PKI according to his bio:

Certificate validation

Request for Comments:

In Windows systems:

Cross-certification and hierarchies

Certificate enrollment

Links for Microsoft's autoenrollment are provided in more MS-related sections

Weird, hacked, forged certificates

PKI planning

Somewhat Microsoft-centric:

Windows PKI: Features and management

After I started compiling my own list, I found this - I will keep picking some of the links and publish them to this page though:

Some of the features required to run a Microsoft PKI in a larger, corporate environment:

Windows PKI 2008 R2 versus 2012 R2 and upgrade of hash algorithms

New features in 2012! Note I started adding some of the detailed articles about specific features - NDES, templates - also to other sections. This section is for overviews covering many new features or cryptography / algorithms in particular.

New ways to leverage a TPM chip - key attestation by validation of an endorsement key. You could have used a TPM chip as a custom key store for the machine / SYSTEM in earlier versions of Windows (basically like a 'smartcard for machines') in case the vendor of the TPM chip or a vendor of crypto software provided a suitable CSP / CNG provider. Starting with Windows 8.1 as the end-entity's OS, the CA (2012 R2) is able to check whether the private key has really been generated in, and is protected by, a TPM chip.

New algorithms:

  • Changing public key algorithm of a CA certificate - only the hash algorithm can be changed (for CNG providers), not the provider itself.
  • Upgrade Certification Authority to SHA256 - after the change of a registry key the CA signs anything with the new algorithm, including CRLs and its own CA certificate when renewed (Step-by-step-instructions).
    Attention - according to my experience with 2008 R2 the registry value for the hash algorithm is case-sensitive. Good: The change of the hash algorithm can be reverted easily. Bad: This is a per-CA setting, so once the algorithm has been changed all certificates and CRLs issued by that CA are signed using the new algorithm.
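
The upgrade step above, as an added example that is not the author's own procedure: before flipping the hash algorithm, check that the CA actually runs on a CNG key storage provider (on a legacy CSP the CNG setting is meaningless and the provider migration linked at the top of this page comes first), then set `CNGHashAlgorithm` with the exact case the author warns about, restart the service, publish a CRL and read back its signature algorithm. The CA name `Contoso Issuing CA` is hypothetical; the test for 'is this a CNG CA' (presence of the `CNGHashAlgorithm` value) is an assumption noted in the code.

```powershell
# Added example, not the author's: switch a KSP-based Windows CA to SHA256 and verify.
# Hypothetical CA name: 'Contoso Issuing CA'. Run elevated on the CA.
function Get-CASigningConfig {
    param([Parameter(Mandatory)][string]$CAName)
    $csp = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\CSP"
    # Assumption: CNGHashAlgorithm only exists for KSP-based CAs; legacy CSP CAs keep a
    # numeric CALG_* id in HashAlgorithm instead (0x8004 = SHA1)
    $isCng = $csp.PSObject.Properties.Name -contains 'CNGHashAlgorithm'
    $hashAlgorithm = if ($isCng) { $csp.CNGHashAlgorithm } else { '0x{0:X}' -f [int]$csp.HashAlgorithm }
    [pscustomobject]@{
        CA            = $CAName
        Provider      = $csp.Provider
        IsCng         = $isCng
        HashAlgorithm = $hashAlgorithm
    }
}

function Set-CAHashAlgorithmSha256 {
    param([Parameter(Mandatory)][string]$CAName)
    $before = Get-CASigningConfig -CAName $CAName
    if (-not $before.IsCng) {
        throw "CA '$CAName' uses legacy CSP '$($before.Provider)'; migrate it to a KSP before changing the hash algorithm"
    }
    # The value is case-sensitive: pass 'SHA256' exactly as the CNG algorithm identifier
    & certutil.exe -setreg ca\csp\CNGHashAlgorithm SHA256 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed ($LASTEXITCODE)" }
    Restart-Service -Name CertSvc
    # From now on everything this CA signs uses SHA256: issued certificates, CRLs, and the
    # CA certificate itself at its next renewal. Publish a CRL and check its signature.
    & certutil.exe -crl | Out-Null
    $crl = Get-ChildItem -Path "$env:windir\System32\CertSrv\CertEnroll\*.crl" |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $sig = (& certutil.exe -dump $crl.FullName) | Select-String -Pattern 'Algorithm ObjectId' | Select-Object -First 1
    [pscustomobject]@{
        Before       = $before.HashAlgorithm
        After        = (Get-CASigningConfig -CAName $CAName).HashAlgorithm
        CrlFile      = $crl.Name
        CrlSignature = $sig.Line.Trim()   # expect the sha256RSA OID 1.2.840.113549.1.1.11 here
    }
}

# Usage: Set-CAHashAlgorithmSha256 -CAName 'Contoso Issuing CA'
# Reverting is symmetric: certutil -setreg ca\csp\CNGHashAlgorithm SHA1, then restart CertSvc.
```

Check the relying parties before, not after: a client that cannot validate SHA-256 signatures will reject every certificate and CRL issued after the switch, because the setting applies to the whole CA.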

Certificate and key stores

Windows client-side stores:


Using certificates for authentication

Native Active Directory logon:

Webserver-based mapping (no directory)

Apple iDevices, SAP, and other non-MS clients

  • In contrast to Windows'/AD's native logon via UPN string mapping SAP uses a 1:1 mapping of binary certificates to users:
    Single Sign-on mit SAP (part of a German book, assignment of the certificate is explained on pp.33)
  • Apple iPhones, 802.1x authentication against Active Directory using Windows RADIUS server (NPS)
    (promoted to blog post, summary kept here for traceability).
    • Properties of the certificate
      Subject CN: host/
      Subject Alternative Name
      Certificate Template (Windows Enterprise PKI): Copy the default template Workstation Authentication, Subject Name: Name as submitted with the Request.
    • Create the key, request and certificate on a dedicated enrollment machine and export key and certificates as PKCS#12 (PFX) file.
    • Create a shadow account in Active Directory
      servicePrincipalName: HOST/
    • According to my tests, the creation of an additional name mapping (as recommended here) is not required - SAN-DNS gets mapped onto dnsHostName in AD.
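
The checklist above, carried through as an added example that is not the author's code: the shadow computer account is created with the `dnsHostName` and SPN that NPS maps the certificate's SAN DNS entry onto, the key and request are generated on a dedicated enrollment machine with a certreq INF file, the certificate is fetched from the CA, exported as a PFX for the phone, and the private key is then deleted from the enrollment machine. All names are hypothetical: device `iphone01.corp.example.com`, OU `OU=Shadow Devices,DC=corp,DC=example,DC=com`, template `iPhone8021x` (a copy of Workstation Authentication with the subject name supplied in the request, as the text says), CA config string `ca01.corp.example.com\Contoso Issuing CA`. The INF follows the properties listed above (CN `host/<fqdn>`, SAN DNS `<fqdn>`).

```powershell
# Added example, not the author's code: shadow account plus device certificate for an
# iPhone doing 802.1x (EAP-TLS) against NPS. Run elevated on a dedicated enrollment
# machine that has the ActiveDirectory module. All names below are hypothetical.
Import-Module ActiveDirectory

function New-ShadowDeviceAccount {
    param(
        [Parameter(Mandatory)][string]$DnsHostName,   # iphone01.corp.example.com
        [Parameter(Mandatory)][string]$OUPath
    )
    $shortName = $DnsHostName.Split('.')[0]
    # NPS maps the certificate's SAN DNS name onto dnsHostName; the SPN follows the same name
    New-ADComputer -Name $shortName -SAMAccountName "$shortName`$" -DNSHostName $DnsHostName `
        -ServicePrincipalNames @("HOST/$DnsHostName") -Path $OUPath -Enabled $true `
        -Description 'Shadow account for certificate-based 802.1x authentication only'
}

function New-DeviceCertificateRequest {
    param(
        [Parameter(Mandatory)][string]$DnsHostName,
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$WorkDir
    )
    # Exportable is required because the key has to leave this machine as a PFX
    $inf = @"
[NewRequest]
Subject = "CN=host/$DnsHostName"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DnsHostName&"
[RequestAttributes]
CertificateTemplate = $Template
"@
    $infPath = Join-Path $WorkDir "$DnsHostName.inf"
    $reqPath = Join-Path $WorkDir "$DnsHostName.req"
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    & certreq.exe -new $infPath $reqPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
    return $reqPath
}

function Complete-DeviceCertificate {
    param(
        [Parameter(Mandatory)][string]$ReqPath,
        [Parameter(Mandatory)][string]$CAConfig,          # 'host\CA name'
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    $cerPath = [IO.Path]::ChangeExtension($ReqPath, '.cer')
    $pfxPath = [IO.Path]::ChangeExtension($ReqPath, '.pfx')
    & certreq.exe -submit -config $CAConfig $ReqPath $cerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE); request pending or denied?" }
    & certreq.exe -accept $cerPath | Out-Null   # binds the certificate to the key in LocalMachine\My
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$($issued.Thumbprint)"
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null
    # The enrollment machine must not keep the device's private key
    Remove-Item -Path $cert.PSPath -DeleteKey
    Remove-Item -Path $ReqPath, $cerPath -Force
    return $pfxPath
}

# Usage:
# $pw = Read-Host -AsSecureString 'PFX password'
# New-ShadowDeviceAccount -DnsHostName 'iphone01.corp.example.com' -OUPath 'OU=Shadow Devices,DC=corp,DC=example,DC=com'
# $req = New-DeviceCertificateRequest -DnsHostName 'iphone01.corp.example.com' -Template 'iPhone8021x' -WorkDir 'C:\enroll'
# Complete-DeviceCertificate -ReqPath $req -CAConfig 'ca01.corp.example.com\Contoso Issuing CA' -PfxPassword $pw
```

The PFX and its password travel to the phone on separate channels; the NPS network policy still has to permit the shadow account (typically via a group that only contains these device accounts), otherwise the mapping succeeds but the policy evaluation fails.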

Network authentication of devices

  • Overview: Certificates for different services / protocols, like 802.1x or IPsec

PKI Applications

Started in 2014-10. Usual suspects as SMIME, EFS, 802.1x to be added as needed over time. See also the list of Technet Postings and the PKI FAQ.

Useful commands (in the Windows world)

Configuration parameters:

Emergency processes, for Windows.

  • Delete cached CRLs:
    certutil -setreg chain\ChainCacheResyncFiletime @now
    (For further options see this MS PKI team blog post)
  • Start a CA even if the revocation check on its own certificate has failed - set this flag:
    certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
  • Key Recovery:
    • Search for the archived keys of a specific user and create a batch script (CA admin permissions required)
      certutil -getkey domain\username >recovery-username.bat
      This script also contains the password of the p12 key file that will be created.
    • Run this batch file. This creates a single p12 file including all keys for this user. Pre-requisites: the user executing the script needs to have, for each of the keys to be recovered, one of the associated Key Recovery Agent certificates in his/her store. In addition, CA Admin permissions are required and this needs to be an admin cmd session.
    • The batch file does the following for every key found:
      certutil -getkey [SerialNumber] [encrypted blob]
      certutil -recoverykey [encrypted blob]
      A temporary p12 file is created from every blob; then all p12 files are merged using
      certutil -mergepfx and all temporary files are deleted.
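
The one-liner above purges cached CRLs once; the PKI Issues file further down argues that a validating server should do this on a schedule (e.g. every 3 hours) even though the CRLs themselves live for a week. As an added example that is not part of the original notes, this PowerShell snippet registers such a task. It assumes Windows 8 / Server 2012 or later (ScheduledTasks cmdlets) and an elevated session; the task name and the 3-hour interval are arbitrary choices.

```powershell
# Added example: schedule a periodic CRL cache purge on a Windows validating server.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

$TaskName = 'Purge-CrlCache'          # arbitrary name, choose your own
$Interval = New-TimeSpan -Hours 3     # the "every, say, 3 hours" from the notes

# "certutil -setreg chain\ChainCacheResyncFiletime @now" stamps the chain engine's
# configuration with the current time; CRLs cached before that stamp are treated as
# stale and re-fetched at the next validation instead of being reused until expiry.
$action = New-ScheduledTaskAction -Execute 'certutil.exe' `
    -Argument '-setreg chain\ChainCacheResyncFiletime @now'

# Start one minute from now and repeat indefinitely at the chosen interval.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
    -RepetitionInterval $Interval -RepetitionDuration ([TimeSpan]::MaxValue)

# Writing the machine-wide registry value needs administrative rights, so run as SYSTEM.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Force `
    -Description 'Purge cached CRLs via certutil chain cache resync'

# Check: read back the resync timestamp certutil wrote and the task's last result.
certutil -getreg chain\ChainCacheResyncFiletime
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
```

The purge only makes the server re-download CRLs; if the CDP is unreachable the cached copy is still used until it expires, so keep monitoring CRL freshness separately.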

PKI and smart metering

Requirements for a smart meter PKI in Germany:
Sicherheitsinfrastruktur für „smarte“ Versorgungsnetze

An example: Smart Meter mit PKI Sicherheit

X.509 Certificate

(Not sure if I will ever update this.)

PKI Issues: Concise Summary

(elkement. Last changed: 2014-05-16. Created: 2014-03-02. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

Here I am documenting issues with X.509 certificates and Public Key Infrastructure I have encountered.

In the grand tradition of true geeks I use the most compatible format, one that alien civilizations might still be able to read in millions of years - a simple text file (in a pre tag).

                             PKI  Issues
          Random collection by Elke Stangl,

Certificate path validation

* Ambiguous chains and chains sent in SSL handshake. The web server
  sends the chain it prefers. If there are two valid chains, such as a
  shorter chain associated with an internal root CA and a longer chain
  connected to a cross-certificate issued by a public CA AND the server
  is available on 'internal' and 'external' networks (via a reverse 
  proxy) it will send the untrusted internal chain to external relying 
  parties as well.

* Some embedded devices cannot deal with chains - including earlier
  versions of CISCO PIX and Apple's IOS SCEP client. In order to get
  validation working you might need to: Import the subordinate CA to the
  root / 'CA' store or add the thumbprint of the sub CA where one would
  expect that of the root CA or vice versa.

* Some apps / devices cannot deal with a 'renewed' CA, that is: Two CA
  certificates with same subject names but different keys imported to
  the same CA cert. store. Unfortunately this is the default state of
  affairs if CA's life times are nested according to the shell model (CA
  certificates renewed at half of its validity period e.g.) CISCO fixed 
  a related bug some years ago.

Names and encoding

* CAs may change the encoding of subject names of the certificates
  issued in relation to the encoding in the request. The subscriber may
  not be happy with that - and it can be quite a challenge to track this
  down if this client is a custom-made device / black box.

* CAs may reorder the X.500 components (Should we go O-->CN or CN-->
  O) and again apps. who combine the binary name blob could fail.

* Details of the validation depend on the browser (version) used. I
  can't recall the versions unfortunately but some years ago some
  browser was happy to match certificates on names (neglecting encoding)
  while another did a binary check of names plus cross-checking AIA 
  versus SKI fields.

* I was surprised to see that Windows clients fall back on name only
  matching if they are not able to match on SKI / AKI. This gives the
  user a nice picture of a certificate chain, however an error message 
  tells you that the certificates may be corrupt.

Revocation checking

* Devices may have size limits - I recall 256kB for some of the older
  (?) ones. This would cause VPN and the like to fail if you would use,
  say, current cacert certificates or those issued by the Austrian
  public CA, A-Trust.

* I have seen Outlook failing often when trying to download such large
  CRLs as well - although the CRL servers were accessible. Fortunately
  there are some registry keys that allow for tuning the way Outlook
  deals with CRLs and related errors. Unfortunately you cannot manage the
  registry keys of the e-mail clients that receive your e-mail.

* OCSP is a solution to overcome the size issue but not necessarily
  the issue of current revocation information. The Windows OCSP server
  retrieves information from a CRL, and the validity period of OCSP
  responses is either that of the CRL used or of the OCSP signing
  certificate (the latter is two weeks by default). Sure, the caching
  behavior can be configured so the OCSP server would consult the CRL
  more often. Yet the responses sent to relying parties are still
  'long-lived'. As I understood the options the only way to really purge
  responses at the client earlier is to use an HTTP Expires header at 
  the OCSP server and hopefully the OCSP client does respect it.

* Deleting CRLs regularly should be a built-in option of PKI-enabled
  servers. VPN servers (CISCO, Nortel, Juniper) have been able to do
  this since a long time. Then you can configure CRLs a way that allows
  for reasonable operations (that is, solving the issue: What happens if
  the CA runs into an issue when the CEO gives the yearly motivation 
  speech at Dec. 24, 11:30 - when will you be able to spot the problem).
  CRLs would be allowed to live for, say, a week, but are purged at the
  validating server every, say, 3 hours. With Windows, you can do this
  in principle since Vista/Server 2008, which have a supported option
  to delete CRLs - but you need to create scripts to do it.

How apps use certificates for authorisation
(in probably unexpected ways)

* Certificates might be used as files to be parsed for name-value
  pairs. I found something like an 'authorisation scheme' coded into 
  X.500 name fields.

* So-called LDAP group memberships: While some devices understand
  memberOf attributes, some so-called groups are based on parsing X.500
  names. Such as: Putting everybody with OU=External in the 'external
  group', 'external VLAN' etc. It can be a challenge to reconcile this
  with a concept of real groups in LDAP directories such as Active

How users don't expect PKI-enabled apps to work.
(This could probably be used as a title for anything in this file)

* CRLs are blacklists not only used for blacklisting in the way admins
  expect it. Often people are surprised that network logon etc. will
  fail simply because the CRL is not accessible or expired.

* Sent items of encrypted e-mails in Outlook are encrypted. This comes
  as a painful surprise to users who had used smartcards (e.g. the
  Austrian National ID certificates issued by A-Trust) to encrypt their
  mails and whose card used basically for other purposes (health
  insurance) has been retired / cut in two pieces. Ironically, it does
  not help that new cards are issued with the same keys as Outlook tries
  to find the associated certificate in the store first before 
  'accessing' the key (via the CSP).

* CRLs cannot necessarily be pre-fetched - though this is what
  admins would like to do whose internal AD logon depends on
  certificates and CRLs issued by an external provider. Of course you 
  can build all sorts of hacks as mirroring an external LDAP server,
  periodically polling for CRLs etc.

* Windows NTAuth store and the number 1 misconception of how
  certificates are used for logging on to AD: UPNs in the SAN are
  automatically mapped to UPNs in AD (DNS names for machines). This is a
  string-based mapping - not a binary comparison of certificates or
  hashes - and the security hinges on the fact that the issuing CA's
  certificate has been distributed via an attribute in the so-called 
  NTAuth object in AD's configuration container. This means if you 
  somehow manage to get a highly privileged admin's UPN into a 
  certificate issued by an NTAuth-entitled CA you could impersonate that
  admin (logging in using smartcard for example). That's why it is a
  really bad idea to 'delegate' management of an enterprise CA AND
  management of certificate templates (the definitions of how cert. 
  content is constructed and how certs. are issued - such as allowing
  for arbitrary names in requests) to the administrators of a child 
  domain who on principle only want to issue certificates to their users
  or machines.

* Certificates are not necessarily more secure than machine logon in a
  Windows environment - comparing EAP-TLS using certificates configured
  as non-exportable (as per cert. template) and PEAP-TLS. Hacking the
  latter would require transferring / extracting the machine's password/
  Kerberos secrets / system state. 'Hacking' the former is not hacking
  at all as the 'not exportable' option can be overruled by a local
  administrator at enrolment. Since Vista/2008 this can be done in the
  GUI (certmgr.msc), before you needed to craft your key and request 
  with certreq and submit it in a separate step to the CA.

* The advantage of certificates over PEAP-TLS is that they are more
  standards-compatible - but still the process can be painful (to equip
  print server boxes with certificates for example). To let iPhones do
  802.1x logon (to AD) via WLAN you need to add host/
  to the subject CN (so that the device send the correct string) and to the SAN (so that AD-based mapping against the
  dnsHostName attribute does work). And of course you need a dummy /
  shadow object in AD with that DNS name and a service principal name of
* Accessing 'public' CAs' CRL is more difficult than expected - in
  particular if the validation is done by machine entities. Servers 
  such as an Exchange server that should check CRLs for e-mail 
  certificates on behalf of a web access user, or 'internal' web 
  servers that should validate users' logon certificates) often cannot
  access 'the internet' and/or a proxy server is used in the context of
  users but not in the context of machines.

Processes and the human factor

* It is always the seemingly simple processes and logistics that go
  wrong - that is: scheduling CA renewal or issuing a CRL signed by an
  offline CA infrequently. This is also true for well-managed

* Offline CAs escape the usual monitoring processes. There is an
  inside joke about carefully naming an offline CA (e.g. the virtual 
  machine) so that it does not get deleted accidentally because 'it is
  never online'. Since I have encountered such an incident - a classical
  unfortunate connection of events - I don't laugh anymore.

* Freshly minted PKI consultants often take a very academic, PKI
  theological ((C) Peter Gutmann) approach. I was no exception. But who
  needs three tiers for an internal, "device / infrastructure" PKI
* Eternal CRL as fall-back solution. I have seen processes re HSM 
  management gone wrong too often. Thus I recommend to create a CRL that
  will be valid until the related CA's certificate will be expired. In 
  case an HSM is rendered inaccessible this CRL will provide business

CA Operations

* CRL publication can fail due to the CA's issues with writing the CRL
  file to the file system. A virus scanner has once locked the temporary
  .tmp file and a (Windows) CA was not able to rename it to .crl.

Law and politics

* Digital signatures on invoices transmitted electronically have been
  mandatory in Austria for a few years before the law has been changed.
  I wonder how agencies will ever check the signatures applied in these
  years by wildly varying technologies - XML signatures, signed PDFs
  (including CRLs or not, including time stamps or not), signatures
  stored on / provided by server-side components such as the 'mobile
* I wonder how cross-country checks of signatures on PDFs are ever going
  to work. Legal cross-certification does not imply technical 
  compliance. For validating Austrian Qualified signatures (ECC) with 
  Adobe Reader you need to install a plug-In AND know how to configure 
  advanced security settings. Otherwise error messages are misleading.
* Time-stamps have not been mandatory with digitally signed invoices in
  AT. Yet, Adobe Reader will report signatures as invalid  in the future
  if the computer's clock time has been embedded. Fortunately some PDF 
  signers allow for embedding CRLs or OCSP responses. 
* My impression is that (in middle Europe) governmental organizations
  or organizations closely related to agencies are 'motivated' to use
  PKI-based technology provided by those CA operators that originally
  were founded to bring PKI and digital signatures to the masses.

Enigmatic stuff to be investigated

* For some Windows 2008 R2 CAs built from scratch with a software-based
  key I saw the CA 'suddenly' losing access to its keys after it had run
  for some days properly, after some service re-start. I thought it is
  some issue with DPAPI protection of system keys, probably when some
  not supported virtualization software is used. Now I rather think it
  is due to a 'confusion' of chains: At the CA its own certificate is
  present in different cert. stores, the Personal store being associated
  with the private key, the CA store not so. But then I have seen some
  private keys also being indicated for certificates in a non-Personal
  store - causing some of the chains (in case of renewed CAs) to fail
  while others still work.
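
The NTAuth note above (UPN string mapping, trust anchored in the NTAuthCertificates object, templates that allow arbitrary names) is something an AD admin should be able to check rather than take on faith. As an added example that is not part of the original file, this PowerShell script lists the CAs published in NTAuthCertificates and the templates that both let the requester supply the subject and carry a logon-capable EKU. It assumes a domain-joined machine with read access to the Configuration partition; the flag bit and EKU OIDs are taken from Microsoft's certificate template schema.

```powershell
# Added example: audit the AD objects behind certificate-based logon.
# Assumes a domain-joined machine and read access to the Configuration partition.

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Get('configurationNamingContext')
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# Bit 0x1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
# the requester, not AD, decides which names (including UPNs) end up in the cert.
$EnrolleeSuppliesSubject = 0x1

# EKUs that make a certificate usable for AD logon.
$LogonEkus = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)

function Get-NtAuthCertificates {
    # Every certificate in the cACertificate attribute of NTAuthCertificates is a CA
    # whose issued certificates AD accepts for logon, mapped by UPN string only.
    $ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pkiBase"
    foreach ($der in $ntAuth.Properties['cACertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList @(,[byte[]]$der)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

function Get-LogonTemplatesWithSuppliedSubject {
    # Templates where the requester supplies the subject AND the certificate is
    # usable for logon: the combination the note above warns against delegating.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    $searcher.Filter     = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize   = 500
    foreach ($r in $searcher.FindAll()) {
        $flags    = $r.Properties['mspki-certificate-name-flag']
        $nameFlag = if ($flags.Count -gt 0) { [int]$flags[0] } else { 0 }
        $ekus     = @($r.Properties['pkiextendedkeyusage'])

        $suppliesSubject = ($nameFlag -band $EnrolleeSuppliesSubject) -ne 0
        # No EKU extension at all means the certificate is not restricted to any purpose.
        $usableForLogon  = ($ekus.Count -eq 0) -or
                           (@($ekus | Where-Object { $LogonEkus -contains $_ }).Count -gt 0)

        if ($suppliesSubject -and $usableForLogon) {
            [pscustomobject]@{
                Template = [string]$r.Properties['cn'][0]
                NameFlag = ('0x{0:X8}' -f $nameFlag)
                EKUs     = if ($ekus.Count) { $ekus -join ', ' } else { '(none = any purpose)' }
            }
        }
    }
}

'--- CAs entitled to issue AD logon certificates (NTAuthCertificates) ---'
Get-NtAuthCertificates | Format-Table -AutoSize
'--- Templates: requester supplies subject AND logon-capable EKU ---'
Get-LogonTemplatesWithSuppliedSubject | Format-Table -AutoSize
```

Every CA in the first list should be one you deliberately trust for logon; every template in the second list should be either unpublished or enrollable only by accounts you would trust with a domain admin's UPN.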



This is actually a translation of the title of a German piece I had written long ago (1998) on request of my high school

For better or for worse - those positions I defended back then did not change a lot. Today I probably hold even stronger opinions - however I rather declare them my personal opinions only. I sincerely do understand that there are people who are happy to play the game - and don't read any irony or critique into this.

I mean it. I have met academics who indulge happily and mischievously in optimizing their track record (tweak metrics) - just in the same way as a minority of corporate workers who have fun with metrics in the corporate world.

In 2012 I have blogged about my trading academia for being a computer consultant for small businesses here:

The Dark Side Was Strong in Me.


It’s a small-talk question, innocent and harmless. I have worked in the IT sector for about 15 years, about 10 years specialized in a very specific niche in IT security.

In the coffee-break during the workshop or when indulging in the late night pizza after 14 hours in the datacenter … you start talking about random stuff, including education and hobbies. And then you are asked:

But why is a *physicist* working in *IT security*?

Emphasis may be put on physicist (Flattering: Somebody so smart) or on IT security (Derogatory: Something so mundane). The profession of a physicist might be associated primarily with Stephen-Hawking-type theoretical research. In this case the hidden aside is: Why did you leave the ivory tower for heaven’s sake? Or simply put:

Young Jedi, why Did You – The Chosen One – Succumb to the Dark Side of the Force?

I have probably given different and inconsistent answers, depending on details as the concentration of caffeine or if the client was an MBA or a former scientist.


The gist of my story was (and still is - concluding from those many stories shared by the contemporary post-ac / alt-ac movement):

  • Simply ignore people who explain to you that they had such high hopes for you, you missed your true vocation.
  • Degrees in fundamental science are fun and mind-altering in a sense. You hone your analytical and mathematical skills (Yes, now I am using that pitch, too!) - but this does not mean they can be translated to real-world jobs in an easy way. At least not in a way that can be explained to the HR consultant with a degree in sociology.
  • You are accountable for doing that translation to the real world - you had better start doing that while studying. I didn't - and I know I was lucky.
  • Expect your not fitting in (academia, global corporations...) as a matter of fact in life to be dealt with through doing something. You may blog about it but better take action first.
  • The same goes for: Your not being fond of working long hours. There are people - academics as well as corporate colleagues who either like it or feel over-working is forced upon them. Which is their pleasure or problem - not yours.

Though I still agree with my own post, it sounds a tad too much like justifying myself. We should be more unapologetic about our life-style choices. Just do it - as the well-known brand told us.

I am not a writer. I feel I had to decide often between being a fence-sitting commentator or somebody who is in charge of and fully accountable for technical problem solving - and I always picked the latter.

I am Not a Writer

(elkement. Created: 2014-01-26. Tags: Writing, Blogging, Websites. German Version.)

The internet is full of moonlighting writers who work in a day job to pay the bills but call them writers nonetheless.

I am not a writer despite I have a bunch of blogs and websites. I can relate to their ambitions somewhat as I had mulled upon working as a science writer or journalist at times. I even sent a job application to Austrian Broadcasting a long time ago.

Finally these ambitions did not get me anywhere. I feel I had to decide often between being a fence-sitting commentator or somebody who is in charge of and fully accountable for technical problem solving - and I always picked the latter.

Disclaimer: This is not to say that being an analyzing commenter or writer is something lesser. Sure, you can work as a problem solver and be paid for writing about some aspects of that, too. But I consider them nearly mutually exclusive options as far as my own career is concerned - in a positive way actually!

I just like writing on what comes to my mind in my spare time too much. I like it too much in a sense, and I don't want to entangle it with commercial transactions. Thus I don't do or plan to do: Blog posts that are sponsored in any way, visual ads, or affiliate marketing. The latter would be rather straight-forward as I write about books a lot. However, I use a free blog that displays ads as I don't pay for the no-ads feature.

I think I write in order to organize and develop my thoughts through writing. Even the fact I have so many different sites is related to my considering websites experimental playgrounds. Nobody can escape the power of online feedback by likers and commenters, in particular when positive. But this is exactly the reason why I regularly return to ancient, non-interactive, and badly Google-ranked websites of mine like this. I write under the assumption somebody could and will read it - someday, and I might be held accountable. But I don't write for likes, just as I don't write for money.

Some blog postings of mine about blogging and writing:

On Science Communication

On Writing or: What Do I Need to Smoke to Understand Your Websites?

Website Resurrection: Status Report

Reconcile All This (Goals of This Blog)

A Blank Sheet of Paper

Explaining science and technology is my passion and my mission - as a physicist, engineer and IT expert.

All children are curious scientists: We want to know 'how stuff really works'. However, in science education answers are finally given in the language of mathematics - which might kill curiosity.

I admit that I can indulge in math at times, just for the sake of it. Theoretical Physics was my personal therapy in fighting the detrimental impacts of having been sucked into Dilbert's (corporate) world once.

Nevertheless, I understand your discomfort - math haters / deniers. Fundamental theories in physics, such as string theory, seem to have developed a purely mathematical life of their own. Algorithms loom large: Corporations dig Big Data to predict our behaviors as consumers, and of course there is the NSA. And Facebook ads.

Thus I am determined to dissect and expound scientific underpinnings of, well of basically anything interesting I come across in physics, engineering or IT. As an IT consultant I sometimes gave stand-up quantum physics edutainment sessions in coffee breaks. So you are my target group: Experts in any science-y, geeky, technical or other quantitative field.

I am indecisive: shilly-shallying between excitement about curved space-time and multiverses on the one hand, and focusing on hands-on research and development from whose impacts we - taxpayers, John and Jane Does - will benefit in our lifetimes.

Currently my (science) writing is focused on

  • Quantum Field Theory. When the Higgs boson was discovered in 2012 I realized that I cannot make head or tail of how the Higgs field gives the other particles mass. Based on the theory of superconductivity and phase transitions I had once been exposed to - I actually should have. Thus I am set to (re-)learn QFT.
  • Thermodynamics - this is where fundamentals (entropy and the arrow of time) meet hands-on engineering (heat pumps).

And I am pondering on:

CV | Elkement's Blog

La Palma, mountains Cumbre Vieja.


(elkement. Created: 2012-04-29. Tags: Web, Blogging, Writing, Decisions, Life, Announcements. German Version.)

The Element is offline - or at least it wants you to believe it is. In a distant corner of the web(*) it is more active than ever.

The red pages will be back online - probably changed a bit - in due time.

The pages are still there - you just need to know the URLs.


The chance in a life time to quote from the grand Offline Page I've never used:

This website is temporarily offline...

...being updated with new revolutionary content

... or just to fix some stupid error

Stay tuned.

I Have No Clue About Art

(elkement. Last changed: 2012-11-02. Created: 2008-01-06. Tags: Art, Definition, Self-Referential, Writing. German Version.)

(Final Insight, 2012)

That's the whole point of all that self-referential navel-gazing here.

Nevertheless I need to admit that these websites, wimpy as they are, are The Element's only creative output. The Element is creative with respect to arranging characters on (virtual) paper. But I am not into drawings, paintings, or music.

What is creativity? Actions without purpose, without goals. Above all: lacking any commercial or job relevant hidden agenda. Rather the opposite, actually.

This site has been started despite <..>, but not because of <...>.

What do I need to smoke in order to understand your websites? proves that this is not exactly a revenue booster.

What is Art? (2008)

The Subversive Element does not know what art is. And anybody claiming to be able to explain does not know either.

But you can elaborate on what art is not:

  • Tailored to meet the expectations of your target group.
  • Understandable.
  • Pleasing.

Don't Talk

Do it.

We can give it a try and explain that art is everything... (please also visit our Everything page)

  • ... that is not at all created to help the creator make a living (rather the opposite)
  • ... which cannot be understood, analyzed and comprehended not even (and especially not) by the creator.

The Scary Part

(elkement. Created: 2004-12-01. Tags: Web, Weird, Websites, Blogging)

What is this website all about? Most of the time this was not clear even to The Element itself. This is the history of the content of the default page.

Hello all you anonymous IP addresses ... out there in the net ...

I find your traces in my log file and ask myself: Why do you enter just the single word SUBVERSIV into the Google search form?

I suppose you are disappointed, because that page is not what you expected, despite the red background (the background color of subversive pages is usually either red or black - do not ask me why)

But I have to frustrate you even more: This is an Austrian website written in German. I apologize for having such a high Google ranking, luring you to my site.

So, the English part is over...

"OK, the scary part is over now. You can come out. It's safe. " (Christopher Locke, The Cluetrain Manifesto - Chapter 1)

No idea what I had in mind when I uploaded this image

Elke was here

(elkement. Last changed: 2014-04-01. Created: 2002-12-16. Tags: Web, Blogging, Websites, Nostalgia. German Version.)

This Website is My Hub of Hubs and There Are Many Spokes

(Last updated: September 14, 2013. Created: December 2, 2012.)

It is an About site in its own right. Every few months I ask myself WHOAMI, and since the console does not give me a satisfactory answer I am updating this website instead.

Since I am very active on other blogs and social networks, is not updated frequently. On the other hand, it is not subject to unimportant mood swings - you should see only milestone-y updates here. was my first domain ever. Despite its austere, web 2.0 look & feel it remains the center of the el(k)emental universe. Therefore I need to maintain a list of my other profiles and sites here.


10 Years: Back to the Roots in a Subversive Way

(October 2012)

This site is celebrating its 10 years anniversary. After many years of soul searching that resulted in bizarre and weird content ('What do I need to smoke to comprehend the message of your websites?') there is hope. e-stangl returns to normal. is the personal website of Elke Stangl. It is complemented by, and

Jump directly to the chronological overview at your own risk.

Back to the Roots - Radices!


e-stangl: Think Tank for Science & Technology

(2006, updated 2011) is the central node and root of Elke Stangl's websites, supported and inspired by the Subversive Element

This website comprises an overview of thoughts and ideas evolving from experiences gathered throughout my professional career and private projects. The English version had always been lagging behind the German version by 2 or 3 update cycles. It is catching up, but still an experiment - an experiment on how the choice of language impacts brain activities. I cannot resist creating different content in English than in German.

These pages are changed on a completely irregular basis and at the locations you would never expect it. This is not a blog: I am committed to sculpting existing pages again and again. But: I am also committed to preserving top embarrassing old versions.

ELKE in Wikipedia


The Image that Kicked It All off

(End of December 2002 or beginning of January 2003)

This image of The Element and Somebody (Irgendwer) was used as a placeholder after the website had been turned from Elke Stangl's small business website to a private web site.

Elke Stangl (2003 - I look much older now!) Sigi Proyer | maybe somebody else from the village at the end of the internet!


The List of Comments that Never Wanted to be a Blog but that Actually was

(Entries since 2002. The latest comment is shown in the header of this page)

History of this site: The purpose of this website (if it exists at all) is changing with time. Here is the archive of comments:


I had once started a first list of books here, stating that what you write about books says more about you than about the books. Last year I read mainly about...


I have come a long way. I celebrate a year devoid of planning, of stress, of expectations. Don't Worry, Be Happy! This was the year of 2014: Some images...


Digital Certificates and Heat Pumps ... an odd combination probably. But I have a penchant for combining anything. For me IT security, physics, and engineering are all connected naturally, and not only through my biography. More...


Hello world! I am happy! I have just updated all my websites (see icons below) and I feel they / I do reach some Zen-like equilibrium. As weird as it seems I am combining anything - as the title of my blog says. I do still indulge in marvelling at and troubleshooting of Public Key Infrastructures, I call myself the Science Office of our 'renewable energies startup', and I write about philosophical stuff I am not qualified for.


Douglas Coupland has reminded us twice - in Generation X and in Generation A - that our lives should become stories instead of just consisting of a few moments strung together. I am not sure what my life is - in any case I have updated the page on My Life with my 3 seconds of fame, that is interviews in German and blog posts that should have been interviews in English.


I am not a writer. I feel I had to decide often between being a fence-sitting commentator or somebody who is in charge of and fully accountable for technical problem solving - and I always picked the latter. More 'On Writing'.


The Elkement has become a curator - see the update on 2013 in Books. My favorite posting 2013 was: Fragile Technology? (Confessions of a Luddite Disguised as Tech Enthusiast). 2014 is dedicated to finally putting the Theory of Combining Just Anything into practice.


End of August 2013 The Subversive Elkement is able to prove its engineer-ness. My CPU is underutilized - I will throw brain power at e.g. Quantum Field Theory. New: Find Elkement's Best-of-Posts at the Science page. German readers: Don't forget to stalk the settlers at


Decloaking slowly and giving up stealth mode. The Subversive Element asks me to introduce the latest subversive / elementary website: (German). The settlers might have found and populated z-village. Now they have started to tell their tales: On physics, renewable energies and braving the elements in the village at the end of the world.


This website has undergone an update and in November 2012 a major milestone in the Website Resurrection Project has been reached. Life, Science, Technology, and Reading do reflect the current status. Time stands still, History is halted. My virtual Zen garden. I am looking forward to grating gravel. ~~~ Last update: The Science page has been updated with links to discerning articles on 'Leaving Academia'.


This website effectively has been a blog all the time. Now I finally surrender to web 2.0 standards and I am modifying the structure of this website to make it as bloggy as possible (to the extent my home-grown CMS based on classical ASP and TXT databases would allow for). The overall goal of this site is equivalent with the goals set forth for my blog which is still in its infancy.


I had started all over again with A Blank Sheet of Paper, but finally I have resurrected most of the web pages. My websites have been online for about 10 years now - and I feel privileged to sort of start from scratch now. This is not only related to my websites.


I have reached the other side of the worm hole finally. Since I could not have published anything to my website when I was right in the middle of it I am going to catch up now. Finally I have realized I rather prefer writing on the past. The Subversive El(k)ement also has started blogging at


At the beginning of spring 2012 this website and its author are going to take a break. The old web pages are undergoing a revision, but they are still there and accessible if you know the URLs. 10 years after its launch this website has sort of fulfilled its mission - I am finally making a change in my real life that was overdue.


Happy New Year 2011 - the Year we Make Contact (plus One). No - this is still not a blog. This site is still an attempt to confuse and bore its readers with long-winded and linear stuff. I am a lonely writer talking to her lonely readers ((C) N. Carr). I am using hyperlinks. But in contrast to the motto of this site, they are not subversive any more. I recommend: The Shallows / Nicholas Carr.


This website has not changed throughout the past year. And this is positive. It is still totally non-Web 2.0, un-bloggy and probably a little out-of-date. I might simply be satisfied with the status quo. I am archiving old entries I do not even need - I am preserving the past; this website is neither for the present nor for the future.


This website is set up as a non-blog - on purpose. There are so many places on the web where written statements tied to context, date and daily routine can be found. But this here is my personal console - replying to my individual WHOAMI. And I am expecting concise and current info. This website has been in use since early 1998 - and archiving my ancient footprints on the web is important to me. - a warm welcome! I am asking myself: We are all netizens spreading our thoughts in digital formats - what will endure throughout the centuries? Who will take care of my dear website in 200 years?


As the (hi)story of this website goes, this is all about abnormal and recursive self-reflection. WHOAMI has produced preliminary answers to the questions (of life), which has caused a delay in updating these pages. Now 100s of years will be necessary to analyze: change, life, the universe and everything. Other version: The Subversive Element is subverting even this serious website, and its motivation for subversion is growing again - but still: the basic target of subversion is unknown.


Unbelievable, but true: The purpose of this website has not changed for several months: It is a kind of graphical version of the command line tool WHOAMI (Who am I), which tells me who I really am. Every 2-3 months WHOAMI is flickering at my console and I start searching for the ultimate answer: being my own processor, operating system and self-analyzing logic. Spending some sleepless nights in front of my PC, the answer comes to me wrapped in my home-made web sites. The input is generated in a process I hardly understand: I am reading my own e-mails and postings, wondering about the ways my thinking goes sometimes, and listening to myself telling my own stories again and again.


Slowly the purpose of my website is revealed to me: It is a kind of graphical version of the command line tool WHOAMI (Who am I), which tells me who I really am. Every 2-3 months WHOAMI is flickering at my console and I start searching for the ultimate answer: being my own processor, operating system and self-analyzing logic. Spending some sleepless nights in front of my PC, the answer comes to me wrapped in my home-made web sites. The input is generated in a process I hardly understand: I am reading my own e-mails and postings, wondering about the ways my thinking goes sometimes, and listening to myself telling my own stories again and again.


This is my private website. I am working as an IT consultant and am exploring my scientific roots again. I have a PhD in physics, which has turned into a hobby now. At the moment my main field of interest is quantum cryptography (whose applications are directly related to my professional work). But due to insights into different "worlds" gathered throughout my career, I cannot assign my scientific interests to a single academic discipline. The one which fits best is: philosophy.


This is my private website. I do not want to sell anything to anybody, and I do not want to convince anybody of anything. These are snippets of content representing my identity as a netizen (an internet citizen), which may seem strange, incomplete and ambiguous by now. The pseudo-intellectual captions of the navigation hyperlinks will be changed - don't panic ;-) Until the end of 2004 this site will comprise thoughts about information technology and physics - the two fields I am concerned with professionally and non-professionally.


This is my private website. I do not want to sell anything to anybody, and I do not want to convince anybody of anything. This is not a fiercely managed IT project, so progress is moderate. These are snippets of content representing my identity as a netizen (an internet citizen).


Maintenance of this website is not a fiercely managed IT project, so there is NO deadline (Read one of my favorite books: "Slack" by Tom DeMarco). Therefore updates are published on a completely irregular basis and come from the bottom of my heart. Or better: From the bottom of my mind - you are visiting the e-stangl Think Tank ;-).


No slack, no goals for this web site. Optimum pre-requisites - let's go!


This is a private website. Its design motivation is to make you think and read. I am not a professional web designer (any more); nevertheless it is one of my goals that this site should not look like a typical private web page ;-) At the moment this site is heavily under construction. This is not a fiercely managed IT project, so there is NO deadline (Read one of my favorite books: "Slack" by Tom DeMarco).


The domain was delegated in the glorious era of THE GREAT dotcom HYPE, and thus contains e-. The non-hyperlink part - the part above the underscore - reflects the golden light of the evening sun or is being shaken by an amber sandstorm.

element and Someone at the End of the World

Personal website of Elke Stangl, Zagersdorf, Austria, c/o punktwissen.
elkement [at] subversiv [dot] at. Contact and Legal Notice