Internet Security

We all know things are ugly out there, but things are particularly ugly in the growing world of connected devices where security is often an afterthought or under-powered for the modern internet.

I was reminded of this yesterday when I needed to recover the root password for an internet device (with the permission of the device’s owner who had forgotten it…so it was legit to hack). Like many such devices, it used a scaled-down older linux kernel, BusyBox, and an old-fashioned /etc/passwd file where salted passwords are stored md5-crypt hashed. (format: $1$<salt>$<128-bithash>.

Fortunately (but also worrying), a popular hacking tool (John the Ripper) makes short easy work of such files. And when I say “easy”, I mean ridiculously easy and when I say “short”, I mean weak passwords are cracked in seconds. If you have access to the passwd file (let’s call it passwd.txt) you would just run the command “john passwd.txt” and in a few minutes, voila: out pop the decrypted passwords. You can enhance JtR with (big) lists of common passwords; there are free lists here and you can also buy lists. You can run JtR on a multi-core machine with a word list using a command like:

john –fork=8 –wordlist=mywordlist.txt filetocrack.txt

In the past, I wouldn’t make a post like this for fear of encouraging hacking, but these days, that fear is misplaced. Tools like JtR (and many much more powerful) are so easy to use and so widely available that *any* hacker at any level knows about them. So rather than keeping head in sand, it’s time to bite the bullet and start assessing (and fixing) your products’ security.

  1. Hire someone to help with security if:
    • your system stores plaintext passwords
    • your passwords aren’t salted before hashing
    • you don’t have a delay before re-entering the password after a few failed attempts
  2. If your products run on small/old linux kernels and/or otherwise use md5crypt for password hashing, consider upgrading and hash passwords using at least SHA256.
  3. Prompt users when they are entering new passwords for what makes a quality password: use an obscure phrase rather than single words or a word with some numbers or some variation on their username.
  4. Store usernames and passwords separately such that only the root user has access to the password file (/etc/passwd and /etc/shadow)
  5. Check new passwords against known lists of pwnd passwords and warn the user.
  6. Run tools like JtR against your own passwd stores and if it quickly guesses your passwords, know that hackers will be doing the same thing.
  7. If possible, don’t use passwords at all on internet-facing systems; use public key certificates instead.
  8. In your own (home/business) networks, segregate insecure devices (i.e. nearly every internet-enabled appliance: cameras, TV streamers, doorbells, etc.) from your computers and storage systems. Devices belong on the guest network or separate VLANs…not on your main WiFi/LAN.
  9. Don’t use the same passwords in internet appliances that you use for things you care about. Assume the internet devices have been cracked. The security in internet appliances is usually *vastly* worse and when hackers crack that doorbell/camera, you don’t want that giving them access to the rest of your network, bank account, etc.
  10. Ideally, use a different, good password for every account. Use a free tool like PasswordSafe to keep your passwords secure; encrypt the safe where your passwords are stored with a single very good password that you don’t use anywhere else and then you can store it on the cloud (OneDrive, GoogleDrive, whatever) so you have easy access to your passwords, but hackers don’t.

Rooftop Solar Panels

You can view my current solar production here

Update 10/12/2023

It’s been an odd summer with extended periods of attenuated sunlight due to huge Canadian wildfires and more summer rain than usual, so I don’t know if this is going to be representative, but total energy production for the first four full months: June, July, August, Sep was 5 MWh which is a little less than I’d expected.

I don’t know whether the system will reach the 14.7MWh annual estimate provided by the vendor this year, but it seems unlikely because it would need to produce 9.7MWh over the next 8 months or nearly 1.2MWh/month which seems doubtful given winter’s shorter days. I’ll update again periodically until there is a full year of production history.

Production as of Oct 12, 2023. Note, May was a partial month as the system was being installed.

As expected, energy production tops out around 7.8KW based on 27 x 290W inverters = 7830W those peaks rarely happen and when they do, are brief, so the selection of 290W inverters seems correct. This means that the “10.8kW” system really is a 7.8kW (peak) system.

Update 5/27/2023

I switched the system on Tuesday evening and Wednesday was the first day of solar production. The system produced 57.2kWh. As expected, the system clips at nearly 8kW, but it was a sunny day and the system produced more than expected!

My utility company lets you see hourly consumption and production thanks to smart net metering; it lags a couple of days, but my energy bill went from $7 the day before to -$2.14 on Wednesday:

I’m looking forward to lower electricity bills and will post a detailed analysis of the costs vs. credits after I’ve gathered a few weeks of data.

Original Post

I’ve been waiting for years to install rooftop solar panels. In the past, the math simply didn’t work: the panels might barely pay for themselves over their lifetime: a poor investment. However, costs have come down and it finally makes sense.

The specifics are complicated and in this post, I’ll try to cover the factors that went into my decision and the resources I used. First, I did not want to lease panels; entering into a 25-year consumer contract seems undesirable for a host of reasons including that I don’t know if I’ll be in this house for 25 years and don’t want to incur the cost of moving panels or making the sale of the house contingent on a buyer having to take over the lease (that might not make sense for them). So I will be purchasing the equipment outright. For folks who can’t, I suggest using a home equity loan (which will have a much lower interest rate) rather than borrowing from a solar vendor or leasing.

Q-Cells Q.PEAK DUO ML-G10+

Panels: I’m going with Q-Cells panels (Q.Peak Duo BLK ML-G10+) which are 400W panels that seem to strike the right balance between cost, warranty (25 years) and efficiency (20.4%). EnergySage (a great resource) rates them as excellent and resilient against snow/wind/hail/fire. They have a linear output decline warranty and so should still be delivering 86% of their rated power after 25 years. Q-Cells is a South Korean company and Tesla uses Q-Cells panels so there’s a reasonable chance they will be around in 25 years if I have a warranty claim. If you were buying them on the open market, these panels cost about $326 each. We’ll be getting 27 of these ($8.8K) to produce up to 10.8kW (more on production later).

Inverters: Enphase IQ8+ microinverters were recommended by the company we’ve chosen for installation. These are also rated as excellent by EnergySage and also have a 25 year warranty. One microinverter is used for each panel (i.e. 27 microinverters for 27 panels).

The jobs of a microniverter include:

Enphase IQ8+
  1. Maximum Power-Point Tracking (MPPT): draw power from each panel at a rate that maximizes the panel’s output and thereby extracts as much power as possible from the sun hitting each panel at a given time and ambient temperature. Having one device per panel allows optimizing power for the individual conditions of each panel (e.g. when some are in shade/under-snow/whatever).
  2. Convert the roughly 36VDC panel output to 120VAC which is what is used in your home’s wiring.
  3. Communicate with each other and with monitoring equipment over the 120VAC household wiring using power-line-carrier (PLC) communications (so no extra wiring is needed).
  4. Shut down power production if the power from the main electric grid (the power company) fails so that they don’t back-feed power into the grid which could endanger line crews working to restore power on lines they expect to be powered off. (More on this later too).

The IQ8+ inverters offer high (97.7% peak) efficiency and can provide up to 300W peak, or 290W continuous output power. But “wait” you say: if the panels can produce up to 400W, why use inverters that can only provide 290W continuous output power? The answer is that the 400W panel rating is a little bogus. Panel maximum output ratings are under ideal lighting conditions (1000W/m^2) that generally won’t happen unless you are on the equator at noon. Under the more realistic NMOT lighting conditions (800W/m^2), the 400W (max) panels will produce about 300W. There are also losses in the wiring from the panels to the inverter, and 2-3% loss within the inverter due to conversion inefficiency, so 290W rated continuous output power inverters are actually a good match for the “400W” panels. IQ8+ microinverters retail for $189 each and can be had for $167 each. We’ll be getting 27 of these so around $5.1K total.

Production: the installer estimates 14,726kWh produced in the first year; this will decline 2% after the first year and then gradually over the 25-year life of the equipment until it is 86% of the initial production. They estimated the production ratio for our roof at 1.36. This matches pretty closely with the NREL (government) solar calculator that estimates 15,050kWh/year. Production is much higher in Mar-Oct than in Nov-Feb, but that’s also when we use much more electricity (for A/C). Another great site for estimating what your house can produce is Project Sunroof.

Return-on-Investment: so how does this all work out? The financial case for the panels is complicated and built on several factors, some of which will change over time:

  1. Initial system cost: $28.6K
  2. Energy that you produce and use. This directly offsets energy you would otherwise buy from your local utility. In my case, that power costs about $0.143/kWh. So every kWh the panels produce and I use saves me $0.143.
  3. Excess production. Production that is in excess of what is used (unlikely in my case) can be sold back to the utility at wholesale rates (around $0.05/kWh) through a process called “net-metering”. I’m going to assume none of this.
  4. Solar Renewable Energy Credits (SRECs) – Utilities are required to increase production of energy via renewable sources. One way they can meet this energy requirement is by getting credit for your production. So you can sell these credits on an open market and receive a payment for each MWh you produce. EnergySage explains it better here. Since it’s an open competitive market, the rate being paid for SRECs will vary by location and over time. You can check local SREC rates at SRECTrade here. In my case, in Maryland, the value of each SREC is worth about $59/year; these will decline over time (see estimated values here). A 10.8K system generates about 12 SRECs/year.
  5. Tax Credits: Currently, there is a 30% federal tax credit for solar installations and Maryland offers another $1K credit.
  6. Energy inflation vs. other safe investment returns. – I could put the money I’d spend on panels into another investment of comparable risk (very low) and it would generate revenue. OTOH, energy costs are subject to inflation and so I’m going to call this a wash and ignore it.

So let’s do the math:

  • 28.6K up-front for the system includes the materials (panels, inverters, combiner, mounting system) which I estimate cost around $17.5K. I’d guess around $5K for labor and permits, leaving room for about $6K profit for the installation company (which is very little on that size purchase). The company (Revolution Solar) is a family business owned by a neighbor so they’re giving us a break on pricing; my entire experience with Revolution Solar has been fantastic and it’s not just me, they are very well reviewed on EnergySage. I highly recommend them.
  • There’s a 30% Federal Investment Tax Credit (FITC) which returns $8580 and a $1K state tax credit which brings my cost down to $19K.
  • Production declines over time so let’s use a 14MWh/year estimate and assume that we use all of the power produced: 14000*0.143=$2002/year energy savings.
  • SRECs also decline in value over time; over the next 8 years, we can assume an average of $47/month or $564/year * 7.5 years = $4230
  • So: $19K – $4230 SRECs = $14,770 we need to recover in energy savings
  • $14770 divided by $2002 energy savings/yr ~= 7.4 years

This is good enough. ROI might push out past 7.5 years if we don’t use all the power that’s produced, but we are pretty heavy consumers of electricity and given that electric vehicles are likely in everyone’s future, that’s unlikely to change. Fusion will eventually come online and drive electricity costs down, but that’s not likely in the next 20 years and in the interim, solar provides some protection against increases in energy prices, should provide a nice return in years 8-25, and we can be a little greener to leave the world a better place for our kids.

Update 5/2/2023

The panels are installed and we’re waiting for the final inspection and approval. We had to replace our roof as part of the process because it was 20 years old and would otherwise need to be replaced a few years after installation which would incur the cost of removal/re-installation that would make it much harder to cost-in. The solar company (Revolution Solar) did a fantastic job on both the roof replacement and the panel installation. They worked quickly and efficiently, cleaned up well, and gave us favorable pricing. I was particularly taken by the extra effort to do things like hide the electrical conduit which they even painted two colors to match our siding and trim, and they placed the external connection boxes behind hedges so they’re well hidden. The panels themselves are black with black trim and are therefore fairly unobtrusive against the shingles.

I was surprised by how large the panels are:

Emergency Backup Power: my only disappointment with the Enphase system is that they don’t have a cost effective solution for providing emergency power during a grid power outage. When an outage is detected, the inverters shut down so even though there are panels on the roof producing power, you can’t use it. The backup solution Enphase offers for $7-8K is nicely automated, but that’s just too costly given how rarely we have an extended outage (we haven’t had one in more than a decade) and the comparatively low cost of gas emergency generators.

The problem is driven in part by the fact that the solar tie-in is on the line-side of the breaker panel which precludes using the panel itself to disconnect the photovoltaics from the grid. It seems like a better design would be to connect the PV circuits into breakers on the load side of the breaker panel and replace the main breaker with a PLC-enabled smart-breaker that signals the inverters to resume production when the main breaker is opened. This would protect linesmen from backfeed, let homeowners select and power critical circuits (fridge, freezer, sump pump, etc.) using their existing breakers for a few hours a day during multi-day outages. It wouldn’t be pretty, but it would do what’s needed and shouldn’t cost anywhere near $7K. I realize there may be code or other things that preclude this. It would need to be apparent to the homeowner that to completely cut power to the loads would then require throwing both the main breaker and the solar panel load-side breakers. Hopefully, as solar becomes more common, panel makers (Square-D, Eaton, etc.) will start producing smart panels designed to support solar generation.

Netbeans 16 with Tomcat 8.5 on Windows

Getting Tomcat 8.5 to work with Netbeans 16 on Windows is maddeningly difficult in large part because the windows service installer for Tomcat doesn’t set the defaults that Netbeans needs.

If you’re on this page, it’s because you’ve been frustrated with it too. The magic formula to install tomcat correctly seems to be:
1. Set the server shutdown port to the default expected by Netbeans (8005) not the default (-1)
2. Add a Tomcat Administrator (e.g. user name=Tomcat password=Tomcat
3. Add manager-script to the Roles