Internet Security

We all know things are ugly out there, but things are particularly ugly in the growing world of connected devices where security is often an afterthought or under-powered for the modern internet.

I was reminded of this yesterday when I needed to recover the root password for an internet device (with the permission of the device’s owner, who had forgotten it…so it was legit to hack). Like many such devices, it used a scaled-down, older Linux kernel, BusyBox, and an old-fashioned /etc/passwd file where salted passwords are stored md5-crypt hashed (format: $1$<salt>$<128-bit hash>).

Fortunately (but also worryingly), a popular password-cracking tool (John the Ripper) makes short, easy work of such files. And when I say “easy”, I mean ridiculously easy, and when I say “short”, I mean weak passwords are cracked in seconds. If you have access to the passwd file (let’s call it passwd.txt) you would just run the command “john passwd.txt” and in a few minutes, voila: out pop the cracked passwords. You can enhance JtR with (big) lists of common passwords; there are free lists here and you can also buy lists. You can run JtR on a multi-core machine with a word list using a command like:

john --fork=8 --wordlist=mywordlist.txt filetocrack.txt

In the past, I wouldn’t make a post like this for fear of encouraging hacking, but these days that fear is misplaced. Tools like JtR (and many much more powerful) are so easy to use and so widely available that *any* hacker at any level knows about them. So rather than keeping our heads in the sand, it’s time to bite the bullet and start assessing (and fixing) your products’ security.

  1. Hire someone to help with security if:
    • your system stores plaintext passwords
    • your passwords aren’t salted before hashing
    • you don’t have a delay before re-entering the password after a few failed attempts
  2. If your products run on small/old linux kernels and/or otherwise use md5crypt for password hashing, consider upgrading and hash passwords using at least SHA256.
  3. Prompt users when they are entering new passwords for what makes a quality password: use an obscure phrase rather than single words or a word with some numbers or some variation on their username.
  4. Store usernames and passwords separately such that only the root user has access to the password file (/etc/passwd and /etc/shadow).
  5. Check new passwords against known lists of pwned passwords and warn the user.
  6. Run tools like JtR against your own passwd stores and if it quickly guesses your passwords, know that hackers will be doing the same thing.
  7. If possible, don’t use passwords at all on internet-facing systems; use public key certificates instead.
  8. In your own (home/business) networks, segregate insecure devices (i.e. nearly every internet-enabled appliance: cameras, TV streamers, doorbells, etc.) from your computers and storage systems. Devices belong on the guest network or separate VLANs…not on your main WiFi/LAN.
  9. Don’t use the same passwords in internet appliances that you use for things you care about. Assume the internet devices have been cracked. The security in internet appliances is usually *vastly* worse and when hackers crack that doorbell/camera, you don’t want that giving them access to the rest of your network, bank account, etc.
  10. Ideally, use a different, good password for every account. Use a free tool like PasswordSafe to keep your passwords secure; encrypt the safe where your passwords are stored with a single very good password that you don’t use anywhere else and then you can store it on the cloud (OneDrive, GoogleDrive, whatever) so you have easy access to your passwords, but hackers don’t.
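As an added example (not from the original post), here is a small Python audit that does the defender-side half of the list above: it reads passwd/shadow-style entries and flags md5crypt, DES crypt, empty and unrecognized (possibly plaintext) password fields, reports any real hash left in the world-readable /etc/passwd (item 4), screens a proposed new password against the username, single-word-plus-digits patterns and a breach list (items 3 and 5), and computes the stall a login handler should apply after repeated failures (item 1). The sample entries, the breach list and the 12-character minimum are constructed assumptions for the demo; the hash prefixes ($1$, $5$, $6$, $2b$, $y$) are the standard crypt(3) identifiers.

```python
import hashlib
import re
from typing import NamedTuple


class Finding(NamedTuple):
    user: str
    scheme: str
    severity: str  # "ok", "weak" or "critical"


# crypt(3) hash prefixes and how an audit should rate them. md5crypt ($1$) is the
# scheme found on the device in the post; sha256crypt ($5$) and sha512crypt ($6$)
# are the "at least SHA256" replacements it recommends; bcrypt/yescrypt are also fine.
CRYPT_SCHEMES = {
    "$1$": ("md5crypt", "weak"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$2a$": ("bcrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> tuple[str, str]:
    """Return (scheme, severity) for one passwd/shadow password field."""
    if field == "":
        return ("empty", "critical")            # login with no password at all
    if field[0] in "!*":
        return ("locked", "ok")                 # password login disabled
    for prefix, result in CRYPT_SCHEMES.items():
        if field.startswith(prefix):
            return result
    if DES_CRYPT.match(field):
        return ("descrypt", "weak")             # traditional 13-character DES crypt
    return ("unrecognized", "critical")         # possibly a plaintext password


def audit_password_file(text: str, world_readable: bool) -> list[Finding]:
    """Audit /etc/shadow (world_readable=False) or /etc/passwd (world_readable=True).

    In /etc/passwd the field should be 'x' (hash moved to /etc/shadow); any real
    hash left there is readable by every local user, so it is always critical.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        if world_readable and field == "x":
            continue                            # shadowed, as it should be
        scheme, severity = classify_hash(field)
        if world_readable and scheme not in ("locked", "empty"):
            scheme, severity = f"{scheme} in world-readable passwd", "critical"
        if severity != "ok":
            findings.append(Finding(user, scheme, severity))
    return findings


# Constructed sample entries (not from any real device). The sha512crypt body is a
# placeholder of the right length; only the $id$ prefix matters to the audit.
SAMPLE_SHADOW = "\n".join([
    "root:$1$Zk3Qx9Lm$Q2pW8bVc1nYtRf7Hs6Je0/:19700:0:99999:7:::",
    "admin:$6$c0nstructedSalt$" + "A" * 86 + ":19700:0:99999:7:::",
    "guest::19700:0:99999:7:::",
    "daemon:*:19700:0:99999:7:::",
])
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/sh",
    "svc:$1$Zk3Qx9Lm$Q2pW8bVc1nYtRf7Hs6Je0/:1001:1001::/home/svc:/bin/sh",
])

# Constructed stand-in for a breached-password list, keyed by SHA-1 the way
# Have I Been Pwned publishes its data set.
PWNED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty123", "letmein")
}
SINGLE_WORD_PLUS_DIGITS = re.compile(r"^[a-z]+\d{0,4}[!.]?$")


def check_new_password(password: str, username: str, min_len: int = 12) -> list[str]:
    """Return the reasons a proposed password should be rejected (empty list = accept)."""
    problems = []
    p = password.lower()
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if username and username.lower() in p:
        problems.append("contains the username")
    if SINGLE_WORD_PLUS_DIGITS.match(p):
        problems.append("a single word with digits tacked on")
    if hashlib.sha1(password.encode()).hexdigest() in PWNED_SHA1:
        problems.append("appears in a known breach list")
    return problems


def lockout_delay(failed_attempts: int, free_attempts: int = 3, cap: float = 300.0) -> float:
    """Seconds to stall the next login attempt: none for the first few failures,
    then doubling with each further failure up to a cap."""
    if failed_attempts < free_attempts:
        return 0.0
    return min(cap, float(2 ** (failed_attempts - free_attempts)))


if __name__ == "__main__":
    for finding in audit_password_file(SAMPLE_SHADOW, world_readable=False):
        print("shadow:", finding)
    for finding in audit_password_file(SAMPLE_PASSWD, world_readable=True):
        print("passwd:", finding)
    print(check_new_password("password", "bob"))
    print([lockout_delay(n) for n in range(8)])
```

The audit only looks at the hash identifier, which is exactly what a cracker looks at first: every $1$ entry it reports is one that JtR will chew through at md5crypt speed, and an empty or unrecognized field is worse still.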

Rooftop Solar Panels

I’ve been waiting for years to install rooftop solar panels. In the past, the math simply didn’t work: the panels might barely pay for themselves over their lifetime: a poor investment. However, costs have come down and it finally makes sense.

The specifics are complicated and in this post, I’ll try to cover the factors that went into my decision and the resources I used. First, I did not want to lease panels; entering into a 25-year consumer contract seems undesirable for a host of reasons including that I don’t know if I’ll be in this house for 25 years and don’t want to incur the cost of moving panels or making the sale of the house contingent on a buyer having to take over the lease (that might not make sense for them). So I will be purchasing the equipment outright. For folks who can’t, I suggest using a home equity loan (which will have a much lower interest rate) rather than borrowing from a solar vendor or leasing.

Q-Cells Q.PEAK DUO ML-G10+

Panels: I’m going with Q-Cells panels (Q.Peak Duo BLK ML-G10+) which are 400W panels that seem to strike the right balance between cost, warranty (25 years) and efficiency (20.4%). EnergySage (a great resource) rates them as excellent and resilient against snow/wind/hail/fire. They have a linear output decline warranty and so should still be delivering 86% of their rated power after 25 years. Q-Cells is a South Korean company and Tesla uses Q-Cells panels so there’s a reasonable chance they will be around in 25 years if I have a warranty claim. If you were buying them on the open market, these panels cost about $326 each. We’ll be getting 27 of these ($8.8K) to produce up to 10.8kW (more on production later).

Inverters: Enphase IQ8+ microinverters were recommended by the company we’ve chosen for installation. These are also rated as excellent by EnergySage and also have a 25 year warranty. One microinverter is used for each panel (i.e. 27 microinverters for 27 panels).

Enphase IQ8+

The jobs of a microinverter include:
  1. Maximum Power-Point Tracking (MPPT): draw power from each panel at a rate that maximizes the panel’s output and thereby extracts as much power as possible from the sun hitting each panel at a given time and ambient temperature. Having one device per panel allows optimizing power for the individual conditions of each panel (e.g. when some are in shade/under-snow/whatever).
  2. Convert the roughly 36VDC panel output to 120VAC which is what is used in your home’s wiring.
  3. Communicate with each other and with monitoring equipment over the 120VAC household wiring using power-line-carrier (PLC) communications (so no extra wiring is needed).
  4. Shut down power production if the power from the main electric grid (the power company) fails so that they don’t back-feed power into the grid which could endanger line crews working to restore power on lines they expect to be powered off. (More on this later too).

The IQ8+ inverters offer high (97.7% peak) efficiency and can provide up to 300W peak, or 290W continuous output power. But “wait” you say: if the panels can produce up to 400W, why use inverters that can only provide 290W continuous output power? The answer is that the 400W panel rating is a little bogus. Panel maximum output ratings are under ideal lighting conditions (1000W/m^2) that generally won’t happen unless you are on the equator at noon. Under the more realistic NMOT lighting conditions (800W/m^2), the 400W (max) panels will produce about 300W. There are also losses in the wiring from the panels to the inverter, and 2-3% loss within the inverter due to conversion inefficiency, so 290W rated continuous output power inverters are actually a good match for the “400W” panels. IQ8+ microinverters retail for $189 each and can be had for $167 each. We’ll be getting 27 of these so around $5.1K total.

Production: the installer estimates 14,726kWh produced in the first year; this will decline 2% after the first year and then gradually over the 25-year life of the equipment until it is 86% of the initial production. They estimated the production ratio for our roof at 1.36. This matches pretty closely with the NREL (government) solar calculator that estimates 15,050kWh/year. Production is much higher in Mar-Oct than in Nov-Feb, but that’s also when we use much more electricity (for A/C). Another great site for estimating what your house can produce is Project Sunroof.

Return-on-Investment: so how does this all work out? The financial case for the panels is complicated and built on several factors, some of which will change over time:

  1. Initial system cost: $28.6K
  2. Energy that you produce and use. This directly offsets energy you would otherwise buy from your local utility. In my case, that power costs about $0.143/kWh. So every kWh the panels produce and I use saves me $0.143.
  3. Excess production. Production that is in excess of what is used (unlikely in my case) can be sold back to the utility at wholesale rates (around $0.05/kWh) through a process called “net-metering”. I’m going to assume none of this.
  4. Solar Renewable Energy Credits (SRECs) – Utilities are required to increase production of energy via renewable sources. One way they can meet this energy requirement is by getting credit for your production. So you can sell these credits on an open market and receive a payment for each MWh you produce. EnergySage explains it better here. Since it’s an open competitive market, the rate being paid for SRECs will vary by location and over time. You can check local SREC rates at SRECTrade here. In my case, in Maryland, the value of each SREC is about $59/year; these will decline over time (see estimated values here). A 10.8kW system generates about 12 SRECs/year.
  5. Tax Credits: Currently, there is a 30% federal tax credit for solar installations and Maryland offers another $1K credit.
  6. Energy inflation vs. other safe investment returns. – I could put the money I’d spend on panels into another investment of comparable risk (very low) and it would generate revenue. OTOH, energy costs are subject to inflation and so I’m going to call this a wash and ignore it.

So let’s do the math:

  • 28.6K up-front for the system includes the materials (panels, inverters, combiner, mounting system) which I estimate cost around $17.5K. I’d guess around $5K for labor and permits, leaving room for about $6K profit for the installation company (which is very little on that size purchase). The company (Revolution Solar) is a family business owned by a neighbor so they’re giving us a break on pricing; they are very well reviewed on EnergySage.
  • There’s a 30% federal and $1K state tax credit which brings my cost down to $19K.
  • Production declines over time so let’s use a 14MWh/year estimate and assume that we use all of the power produced: 14000*0.143=$2002/year energy savings.
  • SRECs also decline in value over time; over the next 8 years, we can assume an average of $47/month or $564/year * 7.5 years = $4230
  • So: $19K – $4230 SRECs = $14,770 we need to recover in energy savings
  • $14770 divided by $2002 energy savings/yr ~= 7.4 years
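The payback math above, carried through year by year as an added example (not part of the original post). It reproduces the flat 14 MWh/year estimate and then goes one step further, applying the production decline the post describes (2% after year 1, then down to 86% by year 25) so you can see how much it moves the answer. The straight-line shape of the decline between years 2 and 25, and the assumption that SREC income simply stops after 8 years, are my assumptions for the model; the dollar and kWh figures are the post's own.

```python
from typing import Optional


def production_factor(year: int, year2: float = 0.98, year25: float = 0.86) -> float:
    """Fraction of first-year output produced in a given year: a 2% step after year 1,
    then an assumed straight-line decline to 86% of initial output by year 25."""
    if year <= 1:
        return 1.0
    if year >= 25:
        return year25
    return year2 - (year2 - year25) * (year - 2) / 23


def payback_years(net_cost: float, year1_kwh: float, price_per_kwh: float,
                  srec_per_year: float, srec_years: int, degrade: bool = True,
                  max_years: int = 25) -> Optional[float]:
    """Fractional year in which cumulative energy savings plus SREC income first
    reach the net system cost, or None if that never happens within max_years."""
    cumulative = 0.0
    for year in range(1, max_years + 1):
        kwh = year1_kwh * (production_factor(year) if degrade else 1.0)
        # Assumption: every kWh produced is consumed on site, as in the post.
        cash = kwh * price_per_kwh + (srec_per_year if year <= srec_years else 0.0)
        if cumulative + cash >= net_cost:
            return (year - 1) + (net_cost - cumulative) / cash
        cumulative += cash
    return None


# The post's figures: $28.6K gross, 30% federal credit plus $1K state credit = ~$19K net,
# 14,726 kWh first-year production, $0.143/kWh, and ~$564/year of SRECs for ~8 years.
POST_INPUTS = dict(net_cost=19_000, year1_kwh=14_726, price_per_kwh=0.143,
                   srec_per_year=564, srec_years=8)


if __name__ == "__main__":
    flat = payback_years(19_000, 14_000, 0.143, 564, 8, degrade=False)
    print(f"flat 14 MWh/year model: payback in {flat:.2f} years")
    real = payback_years(**POST_INPUTS)
    print(f"with production decline: payback in {real:.2f} years")
```

Because the first-year estimate (14,726 kWh) is a little higher than the rounded 14 MWh used in the post, the declining-production model still pays back in roughly the same 7 to 7.5 year window; the degradation matters far more for the year 8 to 25 return than for the payback date.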

This is good enough. ROI might push out past 7.5 years if we don’t use all the power that’s produced, but we are pretty heavy consumers of electricity and given that electric vehicles are likely in everyone’s future, that’s unlikely to change. Fusion will eventually come online and drive electricity costs down, but that’s not likely in the next 20 years and in the interim, solar provides some protection against increases in energy prices, should provide a nice return in years 8-25, and we can be a little greener to leave the world a better place for our kids.

Emergency Backup Power: my only disappointment with the Enphase system is that they don’t have a cost effective solution for providing emergency power during a grid power outage. When an outage is detected, the inverters shut down so even though there are panels on the roof producing power, you can’t use it. The backup solution Enphase offers for $7-8K is nicely automated, but that’s just too costly given how rarely we have an extended outage (we haven’t had one in more than a decade) and the comparatively low cost of gas emergency generators. There are easy technical solutions to this and I’ve suggested one to Enphase, but if they adopt it, it will probably require new inverters (which I’ll revisit when it’s time to replace the roof).

The reasons for this are complex; I suspect Enphase needs a device that can communicate with the microinverters during an outage to inform them that the main breaker has been opened so the house is disconnected from the grid and they can safely restart production. A device that integrates the function of the main breaker and PLC comms should not be very costly. The homeowner would open most of their circuit breakers to limit the panel load and then open the main breaker that disconnects the house from the grid to restart production for the remaining closed circuit breakers. This would let homeowners run critical circuits (fridge, freezer, sump pump, etc.) for a few hours a day during multi-day outages. Not pretty, but it shouldn’t be anywhere near $7K.

Netbeans 16 with Tomcat 8.5 on Windows

Getting Tomcat 8.5 to work with Netbeans 16 on Windows is maddeningly difficult, in large part because the Windows service installer for Tomcat doesn’t set the defaults that Netbeans needs.

If you’re on this page, it’s because you’ve been frustrated with it too. The magic formula to install Tomcat correctly seems to be:
1. Set the server shutdown port to the default expected by Netbeans (8005), not the installer’s default (-1)
2. Add a Tomcat administrator (e.g. user name=Tomcat, password=Tomcat)
3. Add manager-script to the roles
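The three steps above touch two files under Tomcat's conf directory, server.xml (the shutdown port on the root Server element) and tomcat-users.xml (roles and users). As an added example, not from the post or from the Tomcat project, here is a Python script that applies those settings to the file contents so the edit is repeatable and idempotent. The minimal server.xml and tomcat-users.xml strings are constructed for the demo; the Tomcat/Tomcat credential is the post's placeholder, and since manager-script lets whoever holds it deploy applications remotely, a real install should use a strong password there.

```python
import xml.etree.ElementTree as ET

TOMCAT_NS = "http://tomcat.apache.org/xml"   # default namespace of the stock tomcat-users.xml


def _ns(root: ET.Element) -> str:
    """Return '{uri}' if the root element is namespaced, else ''."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def set_shutdown_port(server_xml: str, port: int = 8005) -> str:
    """Set <Server port="..."> (the Windows installer writes -1, i.e. disabled)."""
    root = ET.fromstring(server_xml)
    if root.tag.split("}")[-1] != "Server":
        raise ValueError("not a server.xml document")
    root.set("port", str(port))
    return ET.tostring(root, encoding="unicode")


def get_shutdown_port(server_xml: str) -> int:
    """Read the shutdown port back out of a server.xml document."""
    return int(ET.fromstring(server_xml).get("port"))


def add_manager_user(users_xml: str, username: str, password: str,
                     roles: tuple[str, ...] = ("manager-script",)) -> str:
    """Ensure each role is declared and the user exists with at least those roles.
    Running it twice, or on a file that already has the user, changes nothing more."""
    root = ET.fromstring(users_xml)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns[1:-1])   # keep the default namespace on output
    declared = {r.get("rolename") for r in root.findall(f"{ns}role")}
    for role in roles:
        if role not in declared:
            ET.SubElement(root, f"{ns}role", rolename=role)
    user = next((u for u in root.findall(f"{ns}user") if u.get("username") == username), None)
    if user is None:
        user = ET.SubElement(root, f"{ns}user", username=username, password=password)
    current = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
    user.set("roles", ",".join(sorted(current | set(roles))))
    return ET.tostring(root, encoding="unicode")


def user_roles(users_xml: str, username: str) -> set[str]:
    """Roles granted to a user in a tomcat-users.xml document (empty set if absent)."""
    root = ET.fromstring(users_xml)
    ns = _ns(root)
    for u in root.findall(f"{ns}user"):
        if u.get("username") == username:
            return {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
    return set()


# Constructed, minimal stand-ins for the two real files (which are much longer).
SAMPLE_SERVER_XML = '<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
SAMPLE_USERS_XML = (
    f'<tomcat-users xmlns="{TOMCAT_NS}" version="1.0">'
    '<role rolename="tomcat"/>'
    '</tomcat-users>'
)


if __name__ == "__main__":
    print(set_shutdown_port(SAMPLE_SERVER_XML))
    # "Tomcat"/"Tomcat" is the post's placeholder credential, not a recommendation.
    print(add_manager_user(SAMPLE_USERS_XML, "Tomcat", "Tomcat"))
```

To apply it to a real install, read conf\server.xml and conf\tomcat-users.xml from the Tomcat directory into strings, pass them through the two functions, write the results back, and restart the Tomcat service; ElementTree drops XML comments, so keep a copy of the originals if the comments in the stock files matter to you.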