All Postings (93)

2017

Computer Science and IT

Taking stock! Physics

Subversive? Physics?

My Philosophy!

Scripts Beget Scripts

2016

Theoretical Physics. A Hobby.

Self-Referential Poetry

Silent Online Writing

'Are You Still Doing PKI?'

My Philosophy (?)

Impact of physics on my life

Not much happened in 2015

2015

Unspeakable

Self-Poetry

Farewell Posting ...

Hacking away...

Web Project - Status

We Interrupt ...

Poetry from Poetry

PKI-Status-Update

Life and Work

Definition: 'Subversive'

2014 in Books

Physics Postings

Engineering Postings

True Expert

2014

2014 - a Good Year

Physics or Engineering?

Engineering Links

What Is Art?

Bio

PKI FAQ

Google's Poetic Talents

Certificates and Heat Pumps

Nr. 5: A Mind-Altering Experience

Technet postings

WOP!

Pink Spaceship

radices = Roots!

IT Postings

Web Projects

Life, the Universe, and Everything

Uh-oh, No Posting in March

PKI Resources

PKI Issues

Subversive Work

Spam Poetry

A Career 'in Science'

Writing

On the Shoulders of Subversive Giants

Search Term Poetry

Facebook Art

2013 in Books

2013

Explain, Evaluate, Utilize

Technology

About Life-Form Elke Stangl

elkement and This Site

No. 3: Internet Apocalypso

Retrospection

Newsletter Resurrection

2012

For Free

Subversive Yearly Report

Is My Life a Cliché?

Indulging in Cliché

Torture Turning Trivia

Intermittent Netizen

Knowledge Worker...

Profile

Physics on the Fringe

Graduation Speech

The Element is Back!

Offline

Physics Links

2011

Not Funny

Calendar and Magic

Expert

In Need of a Deflector

About to Change

A Nerd's Awakening

For the Sake of Knowledge

2008

Profession Or True Calling?

No. 2: On Self-Reference

I Have No Clue About Art

Netizen

2007

The End

No. 1: On Subversion at Large

2005

Emergency Exit

Modern Networker

2004

The Scary Part

Exploring the Work Space

2003

Instead of a CV

Favorite Books

2002

Elke was here

Postings tagged with 'Postings', listed in descending order by creation date. All Postings shown.

Heat Pump System and Renewable Energy

(elkement. Last changed: 2015-11-07. Created: 2015-02-04. Tags: Postings, Blogging, Resources, Links, Engineering, Heat Pump. German Version.)

I blog about anything heat-pump-related, in particular about our system. In addition, I am interested in thermodynamics, heat pumps and heating systems in general - and their integration with the smart grid and related security concerns. These are my postings about our 'ice-storage-/solar-' powered system specifically and postings on closely related subjects like the power grid, renewable energy and sustainable living.

Hydraulic schema of our system

(This compilation of links is static - no more amendments planned.)

PKI FAQ

(elkement. Last changed: 2014-12-16. Created: 2014-10-06. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

This is a compilation of threads in Technet forums, organized by topic.

Chain validation and revocation checking issues

Chaining and hierarchies

Time validity

Revocation lists

(For issues with SCEP and EFS, see the sections on applications at the bottom of this page.)

Windows PKI design, implementation, and maintenance

PKI AD integration and clean-up

CA migration, backup and restore and high-availability

Scripts and automation

Certificate generation and deletion (in personal stores)

Searching the CA's database, and expiration notifications.

PKI configuration

Third-party CAs, compatibility

Windows PKI components and features - and related troubleshooting

Web Enrollment (ASP pages)

Simple Device Enrollment Protocol (SCEP) AKA Network Device Enrollment Service (NDES)

Windows OCSP: Errors and Pitfalls

  • White papers on how to make OCSP servers and CRL web servers highly available? There is an article for OCSP; for CRLs it is just a plain, simple web server.
  • The /ocsp/ application directory is not created before the role service has been configured. However, revocation configurations can be created before that using the MMC - this causes an HTTP error 404 even though Online Responder Management reports 'all green'. [ref]
  • Third-party validator (Axway) causes CryptoAPI to look only for OCSP URLs, but OCSP is not used. Root cause finally was: CRL not accessible to the validator. [ref]
  • OCSP Responder issues: Misunderstanding about how to use one Responder for different CAs, and how an array should work. Additional interesting issue: Adding the Intermediate CA certificate to the Trusted Root store can cause an error 403.16 in IIS and thus break certificate validation!
  • OCSP design: Use a dedicated OCSP server?

HTTPS-based enrollment via CEP/CES

(Auto-)enrollment troubleshooting

Kerberos troubleshooting

Certificate templates

Pre-requisites

Certificate and request attributes and extensions, and how to create requests

Certificate Subject Name and Subject Alternative Name, and tools and processes for CSR creation. Overlap with section on Scripts and automation.

OIDs

Hash algorithms

Cross-forest certificate enrollment and multiple domains.

PKI Applications

SCEP is listed under Windows PKI components.

Logon against AD

SSL web servers

See also the section on Certificate and request attributes and extensions above.

LDAPs, DC certificates

  • Concerns re expired DC certificates. Can a DC be rebooted safely? Yes, as certificates are not required for 'standard AD functions'.
  • Easy-to-manage solution for LDAPs (only) - PKI to be avoided (?) Theoretically one might distribute a self-signed server certificate (with multiple SANs) just as a CA. I would not try to re-use an existing server's certificate as a CA certificate. As usual, I am wary about non-SSL-capable crypto providers. In case a simple 1-tier PKI is created today, templates could be moved to a well-planned 2-tier PKI later.
  • Domain Controller uses the wrong certificate for LDAPs. My suggestion was to supersede the current template with one that allows for issuance of certificates that will expire after the unwanted third-party certificate. Another user provided instructions on how to use the AD (NTDS) service's certificate store instead of the machine's store.

RADIUS / NPS and 802.1x

Exchange Server

Outlook and SMIME

EFS - Encrypting File System

BitLocker

SAP

Third-party LDAP clients

RDP / RDS

CISCO VPN

Windows VPN client

IPsec

Office Macro and document signing

Key stores and cryptographic providers

Crypto general

Software stores

Using an HSM as key store

Silent waters. Northwest of Tenerife, 2004.

Postings in Technet Forums

(elkement. Last changed: 2015-04-01. Created: 2014-07-29. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

In 2014 I resumed posting to security forums in the Microsoft Technet community. I have been using these threads as my personal knowledge base.

Here is a feed on recent activity. Seems my mission has come to an end by the end of 2014!

A list of all my threads is also generated automatically but I am hand-curating them here again.

I am not using the original thread title but another one that makes me remember the discussion more easily; and I add a short summary. The date is the date of my first reply in this thread.

(Last changed: April 1, 2015. Added last threads I contributed to in December 2014.)

Insert some years during which I was just busy doing PKI but not contributing to the community. I try to compensate for that now!

  • [2009-07-16] What is PKI compatibility? It depends on what is compared: Certificates and their fields, key stores and access methods, request structure, protocols to enroll for certificates,...
  • [2009-07-16] Notification e-mails sent by the SMTP Exit module contain variables instead of values. Might be an issue of using the variables in a script versus running the commands interactively. In a script the % needs to be masked by another %.
  • [2009-07-16] Windows CA and redundancy: Does a second CA help? Templates are redundant in AD anyway. A second CA does not help as it uses a different key and cannot sign CRLs on behalf of a failed first CA automatically. For risk mitigation the CRL validity period should be configured for a few days or whatever is needed to detect and fix an issue in the worst case. Redundancy could be achieved with fail-over clustering.
  • [2008-11-09] Planning fail-over clustering for a CA, in particular how to migrate an existing non-clustered CA into the cluster. Clustering is only supported with HSMs(*). As for the names it can be done but the legacy of LDAP objects and HTTP URLs that contain the old machine name makes that rather messy. Suggestion: Use a new clustered CA setup from scratch with proper names and create a long-lived CRL for the existing CA before retiring it.
    (*) Learned in 2014 that this is not true (anymore?)
  • [2008-10-01] How to configure CRL URLs for offline CAs. It seems either a CRL has not been copied to the CRL server denoted in the CDP or the defaults have been used and the URL points to the Root CA itself. Brief outline of process.
  • [2008-09-23] Variables in CA configuration (starting with %) do not get replaced by their values. Turned out to be a copy and paste error as the lines have been copied to the command window directly.
  • [2008-09-19] Limit PKI usage to one domain - how to set permissions. The CA is a forest resource, but permission for domain-specific groups can be set at the CA (Request Certificates right), or permissions on all templates could be limited to groups from this domain.
  • [2008-09-18] Time zones and clock skew. Date formats in certificates are in Universal Time format including time zone information. There is only a clock skew of 10 minutes applied by default to avoid false not-yet-valid messages.
  • [2008-07-28] Checking and changing validity periods of CRLs as the default period of a week is too short for a typical Root CA. Overview on how to set the validity period in Properties of Revoked Certificates and - optionally - overlap by editing the registry.
  • [2008-07-28] Requirements for macro signing certificates. I suggest time-stamping macros, as otherwise (even for a signed macro) the signature would be considered invalid once the signer's certificate has expired.
  • [2008-07-26] Certificate Services simply fails to start after setup. Not clarified in the thread, but another user indicated that a permissions error was logged in his certocm.log when he saw the same error - using the domain admin account resolved it.
  • [2008-07-26] Sending certificate requests to an untrusted forest. Ideas: Automate the creation of requests and let a service user account from the CA forest fetch the requests, send them to the CA, and collect the certificates. Alternative: Simply use an AD user of the forest where the CA resides and use the certsrv web application to create keys and requests.
  • [2008-07-12] Autoenrollment issues - an XP client does not autoenroll, though manual enrollment works and the event log says that Autoenrollment has been completed successfully. Potential root causes: 1) There is already a certificate of that type in the store and the setting 'Do not re-enroll if a duplicate certificate exists in AD' has been set. 2) Weird but known issue with credential roaming sometimes falsely archiving certificates.
  • [2008-07-01] Wild-card certificates - feasible but not recommended, as there is a slight chance clients may not recognize the wild-card character.

My Articles on IT Security, Monitoring, PKI.

(elkement. Last changed: 2015-11-07. Created: 2014-06-01. Tags: Postings, Blogging, Resources, Links, IT, Monitoring, PKI, Security, X.509, Cryptography. German Version.)

My lecture slides on PKI and security are already a bit dated, but I add them for completeness.

Articles on my blog are targeted to a broader audience - perhaps they are too 'philosophical' for security experts. See the complete list of postings below, after the image.

X.509 Certificate

(Not sure if I will ever update this.)

PKI Issues: Concise Summary

(elkement. Last changed: 2014-05-16. Created: 2014-03-02. Tags: IT, PKI, Cryptography, Security, Forums, Troubleshooting, Postings, X.509, Resources. German Version.)

Here I am documenting issues with X.509 certificates and Public Key Infrastructure I have encountered.

In the grand tradition of true geeks I use the most compatible format, one that alien civilizations might still be able to read in a million years - a simple text file (in a pre tag).


                             PKI  Issues
          Random collection by Elke Stangl, elke@punktwissen.at

------------------------------------------------------------------------
Certificate path validation

* Ambiguous chains and chains sent in SSL handshake. The web server
  sends the chain it prefers. If there are two valid chains, such as a
  shorter chain associated with an internal root CA and a longer chain
  connected to a cross-certificate issued by a public CA AND the server
  is available on 'internal' and 'external' networks (via a reverse 
  proxy) it will send the untrusted internal chain to external relying 
  parties as well.

* Some embedded devices cannot deal with chains - including earlier
  versions of CISCO PIX and Apple's iOS SCEP client. In order to get
  validation working you might need to import the subordinate CA into
  the root / 'CA' store, or add the thumbprint of the sub CA where one
  would expect that of the root CA, or vice versa.

* Some apps / devices cannot deal with a 'renewed' CA, that is: two CA
  certificates with the same subject name but different keys imported
  into the same CA cert. store. Unfortunately this is the default state
  of affairs if CA lifetimes are nested according to the shell model
  (e.g. CA certificates renewed at half of their validity period).
  CISCO fixed a related bug some years ago.

------------------------------------------------------------------------
Names and encoding

* CAs may change the encoding of subject names in the certificates they
  issue, relative to the encoding in the request. The subscriber may
  not be happy with that - and it can be quite a challenge to track
  this down if the client is a custom-made device / black box.

* CAs may reorder the X.500 components (should we go O-->CN or
  CN-->O?), and again apps that compare the binary name blob could
  fail.

* Details of the validation depend on the browser (version) used. I
  can't recall the versions unfortunately but some years ago some
  browser was happy to match certificates on names (neglecting encoding)
  while another did a binary check of names plus cross-checking AIA 
  versus SKI fields.

* I was surprised to see that Windows clients fall back on name-only
  matching if they are not able to match on SKI / AKI. This gives the
  user a nice picture of a certificate chain, however an error message
  tells you that the certificates may be corrupt.

------------------------------------------------------------------------
Revocation checking

* Devices may have size limits - I recall 256kB for some of the older
  (?) ones. This would cause VPN and the like to fail if you would use,
  say, current cacert certificates or those issued by the Austrian
  public CA, A-Trust.

* I have seen Outlook failing often when trying to download such large
  CRLs as well - although the CRL servers were accessible. Fortunately
  there are some registry keys that allow for tuning the way Outlook
  deals with CRLs and related errors. Unfortunately you cannot manage the
  registry keys of the e-mail clients that receive your e-mail.

* OCSP is a solution to overcome the size issue but not necessarily
  the issue of current revocation information. The Windows OCSP server
  retrieves information from a CRL, and the validity period of OCSP
  responses is either that of the CRL used or of the OCSP signing
  certificate (the latter is two weeks by default). Sure, the caching
  behavior can be configured so the OCSP server would consult the CRL
  more often. Yet the responses sent to relying parties are still
  'long-lived'. As I understood the options the only way to really purge
  responses at the client earlier is to use an HTTP Expires header at 
  the OCSP server and hopefully the OCSP client does respect it.

* Deleting CRLs regularly should be a built-in option of PKI-enabled
  servers. VPN servers (CISCO, Nortel, Juniper) have been able to do
  this for a long time. Then you can configure CRLs in a way that
  allows for reasonable operations (that is, solving the issue: what
  happens if the CA runs into an issue when the CEO gives the yearly
  motivation speech on Dec. 24, 11:30 - when will you be able to spot
  the problem?). CRLs would be allowed to live for, say, a week, but
  are purged at the validating server every, say, 3 hours. On Windows
  you can do this in principle since Vista/Server 2008, which has been
  given a supported option to delete CRLs - but you need to create
  scripts to do it.

------------------------------------------------------------------------
How apps use certificates for authorisation
(in probably unexpected ways)

* Certificates might be used as files to be parsed for name-value
  pairs. I found something like an 'authorisation scheme' coded into 
  X.500 name fields.

* So-called LDAP group memberships: While some devices understand
  memberOf attributes, some so-called groups are based on parsing X.500
  names. Such as: Putting everybody with OU=External in the 'external
  group', 'external VLAN' etc. It can be a challenge to reconcile this
  with a concept of real groups in LDAP directories such as Active
  Directory.
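The two bullets above describe apps that derive 'groups' from X.500 name components. The following added Python example, not part of this file, parses a string DN (with RFC 4514 backslash escaping) into RDN pairs and shows why an exact RDN comparison is the minimum such schemes need: a plain substring test on 'OU=External' also matches 'OU=External Relations', misses a lower-case rendering, and the order of components (O-->CN versus CN-->O) must not matter. The DNs are constructed samples.

```python
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a string DN such as 'CN=Doe\\, Jane,OU=External,O=Example' into
    (attribute type, value) pairs.

    Honours backslash escaping, so an escaped comma stays inside the value,
    and treats '+' (multi-valued RDN) like ',' for the purpose of membership
    tests. Attribute types are upper-cased; values are kept as written.
    """
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    escaped = False

    def flush() -> None:
        part = "".join(buf).strip()
        buf.clear()
        if not part:
            return
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr_type, value = part.split("=", 1)
        pairs.append((attr_type.strip().upper(), value.strip()))

    for ch in dn:
        if escaped:
            buf.append(ch)        # escaped character is literal, even ',' or '+'
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            flush()               # unescaped separator ends the current RDN
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    flush()
    return pairs


def has_rdn(dn: str, attr_type: str, value: str) -> bool:
    """True if the DN contains an RDN exactly equal to attr_type=value, wherever
    it appears in the DN. Values are compared case-insensitively, as directories
    do for most string attributes."""
    wanted = (attr_type.upper(), value.casefold())
    return any((t, v.casefold()) == wanted for t, v in parse_dn(dn))


def naive_match(dn: str) -> bool:
    """The fragile test such name-based 'group' schemes often boil down to."""
    return "OU=External" in dn


# Constructed sample subject names, not taken from real certificates.
SAMPLE_DNS = {
    "escaped_comma": "CN=Doe\\, Jane,OU=External,O=Example",
    "reversed_order": "O=Example,OU=External,CN=Jane Doe",
    "similar_ou": "CN=John Doe,OU=External Relations,O=Example",
    "lower_case": "cn=Jane Doe,ou=external,o=Example",
}


def classify(dn: str) -> dict[str, bool]:
    """Compare the substring test with the parsed, exact-RDN test."""
    return {"naive": naive_match(dn), "strict": has_rdn(dn, "OU", "External")}


if __name__ == "__main__":
    for name, dn in SAMPLE_DNS.items():
        print(f"{name:15} {classify(dn)}")
```

Even the strict variant only makes the string handling sound; it does nothing about the underlying design problem the text points at, that a name component in a certificate is not a group membership that a directory administrator controls.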

------------------------------------------------------------------------
How users don't expect PKI-enabled apps to work.
(This could probably be used as a title for anything in this file)

* CRLs are blacklists, but they are not only used for blacklisting in
  the way admins expect. Often people are surprised that network logon
  etc. will fail simply because the CRL is not accessible or expired.

* Sent items of encrypted e-mails in Outlook are encrypted. This comes
  as a painful surprise to users who had used smartcards (e.g. the
  Austrian National ID certificates issued by A-Trust) to encrypt their
  mails and whose card, used mainly for other purposes (health
  insurance), has been retired / cut in two pieces. Ironically, it does
  not help that new cards are issued with the same keys, as Outlook
  tries to find the associated certificate in the store first before
  'accessing' the key (via the CSP).

* CRLs cannot necessarily be pre-fetched - though this is what admins
  would like to do whose internal AD logon depends on certificates and
  CRLs issued by an external provider. Of course you can build all
  sorts of hacks such as mirroring an external LDAP server,
  periodically polling for CRLs etc.

* Windows NTAuth store and the number 1 misconception of how
  certificates are used for logging on to AD: UPNs in the SAN are
  automatically mapped to UPNs in AD (DNS names for machines). This is a
  string-based mapping - not a binary comparison of certificates or
  hashes - and the security hinges on the fact that the issuing CA's
  certificate has been distributed via an attribute in the so-called 
  NTAuth object in AD's configuration container. This means if you 
  somehow manage to get a highly privileged admin's UPN into a 
  certificate issued by an NTAuth-entitled CA you could impersonate that
  admin (logging in using smartcard for example). That's why it is a
  really bad idea to 'delegate' management of an enterprise CA AND
  management of certificate templates (the definitions of how cert.
  content is constructed and how certs. are issued - such as allowing
  for arbitrary names in requests) to the administrators of a child 
  domain who on principle only want to issue certificates to their users
  or machines.

* Certificates are not necessarily more secure than machine logon in a
  Windows environment - comparing EAP-TLS using certificates configured
  as non-exportable (as per cert. template) and PEAP-TLS. Hacking the
  latter would require transferring / extracting the machine's password/
  Kerberos secrets / system state. 'Hacking' the former is not hacking
  at all as the 'not exportable' option can be overruled by a local
  administrator at enrolment. Since Vista/2008 this can be done in the
  GUI (certmgr.msc); before, you needed to craft your key and request
  with certreq and submit it in a separate step to the CA.

* The advantage of certificates over PEAP-TLS is that they are more
  standards-compatible - but still the process can be painful (to equip
  print server boxes with certificates, for example). To let iPhones do
  802.1x logon (to AD) via WLAN you need to add host/machine.domain.com
  to the subject CN (so that the device sends the correct string) and
  machine.domain.com to the SAN (so that AD-based mapping against the
  dnsHostName attribute does work). And of course you need a dummy /
  shadow object in AD with that DNS name and a service principal name of
  host/machine.domain.com.
  
* Accessing 'public' CAs' CRLs is more difficult than expected - in
  particular if the validation is done by machine entities. Servers
  (such as an Exchange server that should check CRLs for e-mail
  certificates on behalf of a web access user, or 'internal' web
  servers that should validate users' logon certificates) often cannot
  access 'the internet' and/or a proxy server is used in the context of
  users but not in the context of machines.

------------------------------------------------------------------------
Processes and the human factor

* It is always the seemingly simple processes and logistics that go
  wrong - that is: scheduling CA renewal or issuing a CRL signed by an
  offline CA infrequently. This is also true for well-managed
  environments.

* Offline CAs escape the usual monitoring processes. There is an
  inside joke about carefully naming an offline CA (e.g. the virtual 
  machine) so that it does not get deleted accidentally because 'it is
  never online'. Since I have encountered such an incident - a classical
  unfortunate connection of events - I don't laugh anymore.

* Freshly minted PKI consultants often take a very academic, PKI
  theological ((C) Peter Gutmann) approach. I was no exception. But who
  needs three tiers for an internal, "device / infrastructure" PKI
  really?
  
* Eternal CRL as fall-back solution. I have seen processes re HSM 
  management gone wrong too often. Thus I recommend to create a CRL that
  will be valid until the related CA's certificate will be expired. In 
  case an HSM is rendered inaccessible this CRL will provide business
  continuity.

------------------------------------------------------------------------
CA Operations

* CRL publication can fail due to the CA's issues with writing the CRL
  file to the file system. A virus scanner has once locked the temporary
  .tmp file and a (Windows) CA was not able to rename it to .crl.

------------------------------------------------------------------------
Law and politics

* Digital signatures on invoices transmitted electronically had been
  mandatory in Austria for a few years before the law was changed.
  I wonder how agencies will ever check the signatures applied in these
  years by wildly varying technologies - XML signatures, signed PDFs
  (including CRLs or not, including time stamps or not), signatures
  stored on / provided by server-side components such as the 'mobile
  signature'...
  
* I wonder how cross-country checks of signatures on PDFs are ever going
  to work. Legal cross-certification does not imply technical 
  compliance. For validating Austrian Qualified signatures (ECC) with 
  Adobe Reader you need to install a plug-in AND know how to configure
  advanced security settings. Otherwise error messages are misleading.
  
* Time-stamps have not been mandatory with digitally signed invoices in
  AT. Yet, Adobe Reader will report signatures as invalid in the future
  if the computer's clock time has been embedded. Fortunately some PDF 
  signers allow for embedding CRLs or OCSP responses. 
  
* My impression is that (in middle Europe) governmental organizations
  or organizations closely related to agencies are 'motivated' to use
  PKI-based technology provided by those CA operators that originally
  were founded to bring PKI and digital signatures to the masses.

------------------------------------------------------------------------
Enigmatic stuff to be investigated

* For some Windows 2008 R2 CAs built from scratch with a software-based
  key I saw the CA 'suddenly' losing access to its keys after it had run
  for some days properly, after some service re-start. I thought it is
  some issue with DPAPI protection of system keys, probably when some
  not supported virtualization software is used. Now I rather think it
  is due to a 'confusion' of chains: At the CA its own certificate is
  present in different cert. stores, the Personal store being associated
  with the private key, the CA store not so. But then I have seen some
  private keys also being indicated for certificates in a non-Personal
  store - causing some of the chains (in case of renewed CAs) to fail
  while others still work.

------------------------------------------------------------------------


The Collector Size Paradox (2017-11-01 15:11:56)
Recently I presented the usual update of our system’s and measurement data documentation. The PDF document contains consolidated numbers for each year and month of operations: It is finally time to tackle the fundamental questions: What is the impact of the …

Data for the Heat Pump System: Heating Season 2016-2017 (2017-10-12 09:58:29)
I update the documentation of measurement data [PDF] about twice a year. This post is to provide a quick overview for the past season. The PDF also contains the technical configuration and sizing data. Based on typical questions from an …

Tinkering, Science, and (Not) Sharing It (2017-09-17 11:06:44)
I stumbled upon this research paper called PVC polyhedra: We describe how to construct a dodecahedron, tetrahedron, cube, and octahedron out of pvc pipes using standard fittings. … In particular, if we take a connector that takes three pipes each …

Simulations: Levels of Consciousness (2017-08-17 10:41:54)
In a recent post I showed these results of simulations for our heat pump system: I focused on the technical details – this post will be more philosophical. What is a ‘simulation’ – opposed to simplified calculations of monthly or …

Heat Transport: What I Wrote So Far. (2017-07-14 09:15:49)
Don’t worry, The Subversive Elkement will publish the usual silly summer posting soon! Now I am just tying up loose ends. In the next months I will keep writing about heat transport: Detailed simulations versus maverick’s rules of thumb, numerical solutions …

Simulating Peak Ice (2017-05-02 08:43:17)
This year ice in the tank was finally melted between March 5 to March 10 – as ‘visual inspection’ showed. Level sensor Mr. Bubble was confused during the melting phase; thus it was an interesting exercise to compare simulations to …

Mr. Bubble Was Confused. A Cliffhanger. (2017-04-08 11:06:20)
This year we experienced a record-breaking January in Austria – the coldest in 30 years. Our heat pump system produced 14m3 of ice in the underground tank. The volume of ice is measured by Mr. Bubble, the winner of The …

Where to Find What? (2017-03-18 15:20:13)
I have confessed on this blog that I have Mr. Monk DVDs for a reason. We like to categorize, tag, painstakingly re-organize, and re-use. This is reflected in our Innovations in Agriculture … … as well as in my periodical …

Ice Storage Hierarchy of Needs (2017-02-22 17:30:10)
Data Kraken – the tentacled tangled pieces of software for data analysis – has a secret theoretical sibling, an older one: Before we built our heat source from a cellar, I developed numerical simulations of the future heat pump system. …

Earth, Air, Water, and Ice. (2017-02-05 11:48:33)
In my attempts at Ice Storage Heat Source popularization I have been facing one big challenge: How can you – succinctly, using pictures – answer questions like: How much energy does the collector harvest? or What’s the contribution of ground? …

Frozen Herbs and Latent Energy Storage (2017-01-20 13:48:10)
… having studied one subject, we immediately have a great deal of direct and precise knowledge … of another. —Richard Feynman Feynman referred to different phenomena that can be described by equations of the same appearance: Learning how to calculate …

My Data Kraken – a Shapeshifter (2016-12-22 10:53:56)
I wonder if Data Kraken is only used by German speakers who translate our hackneyed Datenkrake – is it a word like eigenvector? Anyway, I need this animal metaphor, even though this post is not about Facebook or Google. It’s about …

And Now for Something Completely Different: Rotation Heat Pump! (2016-11-03 09:55:35)
Heat pumps for space heating are all very similar: Refrigerant evaporates, pressure is increased by a scroll compressor, refrigerant condenses, pressure is reduced in an expansion valve. *yawn* The question is: Can a compression heat pump be built in a …

Same Procedure as Every Autumn: New Data for the Heat Pump System (2016-10-21 09:49:11)
October – time for updating documentation of the heat pump system again! Consolidated data are available in this PDF document. In the last season there were no special experiments – like last year’s Ice Storage Challenge or using the wood …

Re-Visiting Carnot’s Theorem (2016-09-18 10:09:51)
The proof by contradiction used in physics textbooks is one of those arguments that appear surprising, then self-evident, then deceptive in its simplicity. You – or maybe only: I – cannot resist turning it over and over in your head …

Hacking My Heat Pump – Part 2: Logging Energy Values (2016-08-24 09:52:12)
In the last post, I showed how to use Raspberry Pi as CAN bus logger – using a test bus connected to control unit UVR1611. Now I have connected it to my heat pump’s bus. Credits for software and instructions: …

Hacking My Heat Pump – Part 1: CAN Bus Testing with UVR1611 (2016-08-03 10:04:39)
In the old times, measuring data manually sometimes meant braving the elements: Now, nearly all measurements are automated: In order to calculate the seasonal performance factor of the heat pump system we have still used the ‘official’ energy reading provided …

Photovoltaic Generator and Heat Pump: Daily Power Generation and Consumption (2016-06-01 12:21:02)
You can generate electrical power at home but you cannot manufacture your own natural gas, oil, or wood. (I exempt the minority of people owning forestry). This is often an argument for the combination of heat pump and photovoltaic generator. …

Everything as a Service (2016-05-19 13:57:08)
Three years ago I found a research paper that proposed a combination of distributed computing and heating as a service: A cloud provider company like Google or Amazon would install computers in users’ homes – as black-boxes providing heat to …

Alien Energy (2016-04-15 17:03:12)
I am sure it protects us not only from lightning but also from alien attacks and EMP guns … So I wrote about our lightning protection, installed together with our photovoltaic generator. Now our PV generator is operational for 11 …

No, You Cannot ‘Power Your Home’ by One Hour of Cycling Daily (2016-02-07 15:45:30)
In the past days different versions of an article had popped up in my social media streams again and again – claiming that you could power your home for 24 hours by cycling for one hour. Regular readers know that …

Temperature Waves and Geothermal Energy (2016-01-22 11:04:48)
Nearly all of renewable energy exploited today is, in a sense, solar energy. Photovoltaic cells convert solar radiation into electricity, solar thermal collectors heat hot water. Plants need solar power for photosynthesis, for ‘creating biomass’. The motion of water and …

How Does It Work? (The Heat Pump System, That Is) (2016-01-07 11:13:05)
Over the holidays I stayed away from social media, read quantum physics textbooks instead, and The Chief Engineer and I mulled over the fundamental questions of life, the universe and everything. Such as: How to explain our heat pump system? …

Half a Year of Solar Power and Smart Metering (2015-12-07 11:11:53)
Our PV generator and new metering setup is now operational for half a year; this is my next wall of figures. For the first time I am combining data from all our loggers (PV inverter, smart meter for consumption, and …

Peter von Rittinger’s Steam Pump (AKA: The First Heat Pump) (2015-11-24 09:51:42)
Peter von Rittinger’s biography reads like a success story created by a Victorian novelist, and his invention was a text-book example of innovation triggered by scarcity (Bio DE / EN). Born 1811, he was poor and became an orphan …

The Impact of Ambient Temperature on the Output Power of Solar Panels (2015-11-13 09:21:38)
I have noticed the impact of traversing clouds on solar power output: Immediately after a cloud has passed, power surges to a record value. This can be attributed to the focusing effect of the surrounding clouds and/or cooling of the …

Economics of the Solar Air Collector (2015-10-14 11:43:21)
In the previous post I gave an overview of our recently compiled data for the heat pump system. The figure below, showing the seasonal performance factor and daily energy balances, gave rise to an interesting question: In February the solar …

Heat Pump System Data: Three Seasons 2012 – 2015 (2015-09-29 17:23:33)
We have updated the documentation of monthly and seasonal measurement data – now including also the full season September 2014 to August 2015. The overall Seasonal Performance Factor was 4,4 – despite the slightly lower numbers in February and March, …

Having Survived the Hottest July Ever (Thanks, Natural Cooling!) (2015-08-11 09:27:07)
July 2015 was the hottest July ever since meteorological data had been recorded in Austria (for 248 years). We had more than 38°C ambient air temperature on some days; so finally a chance to stress-test our heat pump system’s cooling …

Solar Energy, Batteries, and Autonomy (2015-07-15 14:00:27)
This is the third post in my series on our photovoltaic generator. It had been a part of the previous post with the data for the first month, but I cut and saved it as the other post was so long …

Solar Power: Some Data for the First Month. (2015-06-17 12:04:07)
On May 4, 2015, we started up our photovoltaic generator. Here are some numbers and plots for the first month – and what I plan to do next. Our generator has a rated power of 4,77 kWp (kilowatt peak), one …

An Efficiency Greater Than 1? (2015-06-01 08:41:32)
No, my next project is not building a Perpetuum Mobile. Sometimes I mull upon definitions of performance indicators. It seems straight-forward that the efficiency of a wood log or oil burner is smaller than 1 – if combustion is not …

Two Weeks After Lift-Off (2015-05-18 10:27:44)
After a little delay our photovoltaic generator went online – we had been waiting for the delivery of this sophisticated addition to our office decoration: People on G+ had very cool suggestions, such as a rotating alien-fighting device throwing darts. …

How to Evaluate a Heat Pump’s Performance? (2015-04-21 14:00:52)
The straight-forward way is to read off two energy values at the end of a period – day, month, or season: The electrical energy used by the heat pump and the heating energy delivered. The Seasonal Performance Factor (SPF) is …

Ice Storage Challenge: High Score! (2015-04-01 09:31:38)
Released from ice are brook and river By the quickening glance of the gracious Spring; The colors of hope to the valley cling, And weak old Winter himself must shiver, Withdrawn to the mountains, a crownless king. These are the …

We Have Come a Long Way: Rooftop Solar Power Now! (2015-03-23 23:12:13)
We had considered it already a few years ago – when we decided to live and work in the middle of a dusty and noisy construction site for a few months: The upper part of the roof is inclined by …

Data Logging with UVR1611 – FAQ (2015-03-18 15:10:40)
I have received several questions related to my article on data logging on this blog, or to my postings on monitoring and control on our German blog. Thus I have decided to write the article I would have wanted to read …

The Ice Storage Challenge (2015-03-08 12:41:11)
The more we enjoyed our spring-like winter, the more we were worried whether we would ever see much ice in our underground water tank this heating season. So we did what I had announced – we switched off the solar …

“An Unprecedented Test for Europe’s Electricity System” (2015-02-27 15:56:31)
And we will not be able to contribute – by a hair. We have just ordered our photovoltaic generator, and installation is planned for April. It is the (partial) Solar Eclipse on March 20 that made Europe’s Transmission System Operators …

A Sublime Transition (2015-02-14 13:51:01)
Don’t expect anything philosophical or career-change-related. I am talking about water and its phase transition to ice because … …the fact that a process so common and important as water freezing is not fully resolved and understood, is astonishing. (Source) …

More Ice? Exploring Spacetime of Climate and Weather. (2015-01-28 14:58:07)
I have become obsessed with comparing climate data for different regions in the world and in different years (space + time). Finally I have found the tool I was looking for; now I can compare average Ice Days quickly – days …

Personal Risk Assessment (2015-01-22 12:47:53)
We all do risk management intuitively – when we decide on uploading our data to the cloud where the NSA may spy on us. Or when we install heating systems that depend on electrical energy. The previous post triggered an …

We Want Ice! (2015-01-15 17:14:50)
We haven’t seen much of it this winter yet. I am talking both about the ice you would expect in winter and about the one created from extracting heat from a water tank – our heat pump system‘s heat source. …

Cistern-Based Heat Pump – Research Done in 1993 (2014-12-14 21:54:52)
One of the most recent search terms on this blog was: ‘cistern for water source heat pump’. I wanted to double-check and searched for this phrase myself. This was the first Google Search result: Cistern-Based Water-Source Heat Pump System Design …

“Being Creative with What Is Available” (2014-11-27 11:11:00)
This is a quote from Simon Dale’s website who has built several eco-friendly ‘Hobbit’ houses. It reminded me of the cave house built into lava bubbles by Lanzarote’s most famous artist César Manrique: Being creative with what is available has …

Google and Heating Systems (2) (2014-11-15 16:24:46)
I googled our company name. Then I found this: Auftrag means order and the obfuscated parts contain our full company name, the Chief Engineer’s name, the URL of a vendor we ordered material from recently, invoice total, and a comment …

A 1970s Pioneer in Self-Sufficient Living (2014-11-08 12:53:56)
Living in southern France, Jean Pain developed a self-sustaining ecosystem in the 1970s that supplied his home with 100% of the energy needed. He built a 50-ton compost mound from chipped wood – brushwood that had to be cleaned out to lower the …

Pumped Heat from the Tunnel (2014-10-04 14:04:17)
The idea to use a reservoir of water as a heat pump’s heat source is not new. But now and then somebody dares to do it again in a more spectacular way. Provided governmental agencies give you a permit, lakes or …

Biology / Chemistry Challenge or: Should We Really Blame the Dead Frog? (2014-09-28 10:28:28)
We often say we operate in Leonardo da Vinci Renaissance Mode – given our odd ‘portfolio of diverse services’. But as much as the Chief Engineer does not like to work with mortar, cement, or any other slimy substances I …

Big Data, Big Plastic Worms, and How to Utilize Your Cellar (2014-09-07 15:03:41)
Our heat pump system will soon commence its third heating season. The amount of measurement data collected so far has exceeded the capabilities of the software I had once developed; so I crafted a new application based on a real database server. Now you …

What Learning about Feynman’s Path Integrals Was Good for (2014-07-03 14:08:07)
I have gone to great lengths on this blog in order to explain how and why a degree in physics prepares you for seemingly different careers, or at least does not hurt. But it would have been so simple. I …

Art from Plastic and Wood (2014-05-31 09:52:18)
After the musings on Life, the Universe and Everything you deserve a break – and a post with not too much verbiage. I am borrowing some images from a series of posts the Chief Engineer is currently running on our …

Measurement Data for Our Heat Pump System – Finally Translated Documentation (2014-04-13 17:12:04)
In an earlier post I said: Although we have very innovative, and if I may say so, geeky / nerdy customers it is rather unlikely that we will plan heat pump systems in Australia via sending checklists or doing ‘remote …

Lost in Translation – an Overdue Update (2014-02-20 14:01:48)
In this post I try something new: I will keep it short. This is actually an update long overdue. Months ago I wrote a post on how to control the four elements, that is, how to harvest energy from …

Greatest Innovation Ever (2013-09-04 15:01:28)
I like Top Something Lists, in particular the hilarious variety. In a more serious state of mind I wondered what a list of the top inventions or top innovations of humankind might comprise. (Nitpickers, I don’t care about distinguishing ‘innovation’ …

Welcome to the Real World! (2013-08-14 19:01:28)
Warning: This is a disturbing post – despite the allusion to The Matrix in the title it is – really – about the real world only. Hardly any geekiness included. In order to compensate for that I will craft a …

Controlling the Four Elements. Or: Why Heat Pumps Are Cool. (2013-02-26 21:41:24)
Despite my attempts to post mainly geeky and weird stuff peppered with (very often not down-to-earth) physics, I got involved in some serious discussions on renewable energy, sustainability, heat pumps, and the pleasures of Building Your Own Stuff. So I …

Trading in IT Security for Heat Pumps? Seriously? (2013-01-22 18:45:21)
Astute analysts of science, technology and the world at large noticed that my resume reads like a character from The Big Bang Theory. After all, an important tag used with this blog is cliché, and I am dead serious about theory and …

The First Heat Pump Ever Was Built in Austria (2012-12-10 17:46:49)
I have confessed recently that I am from Austria. So the patriot in me wants to entertain her readers with the story of a milestone in the history of engineering thermodynamics – set by an Austrian! The development of the …

Why Do Heat Pumps Pump Energy so Easily? (2012-05-10 14:22:28)
I know my posts are usually walls of text, but I am trying to improve! In his landmark physics course, the Feynman Lectures on Physics, Richard Feynman tries to explain what an explanation in physics actually is. You can always understand …

Personal website of Elke Stangl, Zagersdorf, Austria, c/o punktwissen.
elkement [at] subversiv [dot] at. Contact