Uwe Trenkner
Interested in making renewable and energy efficient heating ubiquitous
"Internet of Stings" - good Economist article explaining the growing challenge of keeping IoT devices in check. Internet service providers could do a lot, but they shy away from the costs... In fact, as Gert Döring pointed out in his keynote at the recent EuroBSD conference, one possible future will see governments stepping in and ordering ISPs to step up their protection mechanisms.

But while ISPs could mitigate (some of) the attacks, we should not let the device manufacturers off the hook. Everyone putting IoT devices on the market must be held responsible for not following security good practice! Exploding phones may harm or kill people, but sustained DDoS attacks on infrastructure may even render hospitals and emergency services helpless.

IoT devices turned into powerful weapons on the internet – Lessons for the heating industry!

Last week, the well respected security website Krebs on Security[1] was “shot” down by criminals with a sustained, gigantic flood of internet traffic. The site received free protection from Akamai, one of the largest internet companies in the world and an expert in mitigating such attacks. But even Akamai gave in after hours of fighting, as the costs were too high. As a result, Krebs on Security vanished from the net. According to reports, Akamai estimated the attack at 665 Gbit per second – twice as big as the biggest they had ever seen before[2].

But the biggest news was not that Krebs on Security went down. It was that the attack was unusual: it did not mostly use misconfigured servers or malware-infected desktop computers. A large part of the traffic came from hundreds of thousands of IoT devices, which the criminals had taken over to attack a single website.

Today more and more consumer devices are network connected – from the smart TV to the fitness tracker, from the lighting system to smart thermostats. These IoT devices did not just create “junk traffic” but legitimate-looking requests to the Krebs on Security website, which made them practically impossible to filter out.

This time it “only” targeted a website. But what will be a future target? Hospitals? National infrastructure? Military targets? Voting systems? Security technologist Bruce Schneier recently disclosed a growing attack on the core infrastructure of the internet itself: The DNS system, which is responsible for mapping human readable web addresses to IP addresses on the net. In his post "Someone Is Learning How to Take Down the Internet"[3] Schneier details that someone – likely a nation state – was systematically testing the defenses around the core DNS system by launching ever increasing attacks against it.

So what does this all mean for the IoT and specifically for the heating industry? If you have followed me in recent years, you will certainly know that I am a big proponent of using sensors and the net to upgrade heating and cooling systems. There certainly is much to gain. But I have also always warned to take security and privacy really seriously.

In a 2014 interview tado° CEO Christian Deilmann downplayed the need for privacy and security. He argued that we should rather look at the opportunities that came from aggregating and analysing data[4]. Unfortunately this thinking is common in our industry. And it is exactly this attitude which leads our industry to becoming accomplices in internet attacks. If user comfort and product sales are put above common sense, our products will be wide open for criminals to misuse. We need to start thinking paranoid: What could possibly go wrong? Now, and in 5, 10 or 20 years from now? And how do we react to a vulnerability?

Apple has put a high burden on products that want to play in its smart home ecosystem. The required encryption is much stronger than what seems reasonable today. But Apple has thought of the long lifetime of some of the products and set the requirements accordingly. But even with Apple we should ask ourselves: How long will they support their products? The company has a history of rather abruptly abandoning devices and whole platforms (does anyone remember their switch from PowerPC to Intel chips?). And today they say that 5 years after discontinuation of a product, the product is considered “vintage”, with limited or no support. Do they force their users to throw away old Macs, iPods or iPhones? No, but de facto the hardware has become unusable. Such a timing would not work for heating systems, which are typically replaced only after 20+ years. It should worry us that reports are more and more often linking Apple with car manufacturing: “Sorry, your car is 6 years old, we do not support it anymore”. And of course, they do not open source the software to let others fix old bugs.

So what should we do? We as an industry must take responsibility for our products. That means:

* Designing and producing products “secure by default”. Think of security like an onion: The system should not be wide open to attack if one vulnerability is found. Several layers of protection should make it less likely that any one vulnerability is easily exploitable. Keep the attack surface small: Let the user turn on features only if he or she really needs them. Even if that makes your user's life a little more difficult.

* Let us try to join forces: Let us settle on one or two platforms that we jointly develop and support. Let's make them open source so that no one has to reinvent the wheel. If everyone develops their own security layers and own update mechanisms, many products will be more vulnerable – we see this in the Android ecosystem, where it often takes months for vendors to patch their individually adapted version of Android (if they ever provide patches).

* Accept that you cannot foresee the future: Your device will become vulnerable. It is only a question of time! Plan ahead! Have a clear upgrade strategy! How do security patches get on the device? Do you upgrade devices directly? Or can you at least signal a problem to their users? But be aware: registering a user for a heating system may not make sense. Will the user/owner still be the same in 10 years? And will their e-mail address still work? How will you reach them?

* Think also of how to deal with devices you cannot or do not want to support anymore. Are you willing to offer a free replacement?

Maybe we will in the end have to conclude that the user should not be the owner of the heating system anymore. Maybe we should speed up the slow trend toward contracting and “pay-per-kWh”. The manufacturer or a third party service provider stays the owner of the heating system and keeps it in good working condition. And guarantees – as well as possible – its security.

Otherwise we will see our products become members of ever growing bot nets, which can be used to take down anyone on the internet.

Some sources:
[4] Christian Deilmann in energynet Podcast No 36, at ca. 12'30''

And the winner is...? No 2! Citra!

Since 2013, I have been a big fan of Duvel's Tripel Hop beers. A yearly special with an additional third sort of hop. Only 2015 with "Equinox" was a real disappointment. But luckily it made me discover "Chouffe Houblon", which is also a very fine beer with an intense note of hop.

After six editions of the Duvel Tripel Hop, Duvel has decided that as of 2017 there will be a permanent one. And they let their fans vote. I bought two of their tasting boxes with 1 bottle each of the six Tripel Hops (anticipating that I would need the second for a shoot-out of my top flavors). In the end it came down to No 2 (Citra) and No 6 (HBC 291). And in direct comparison Citra won hands-down. Mosaic came in third.

Apparently, I am not alone with this preference. At the moment (2000+ votes), Citra is in first place with Mosaic and Amarillo on second and third place.

Join in and have your say in what becomes Duvel's permanent Tripel Hop as of next year:

Comparing Compression for Web Content

For the smallest file sizes of typical static assets, brotli beats zopfli, and zopfli beats gzip.

Version 2.0 of the h2o web server will offer support for Google's brotli compression algorithm. Now that beta2 is out, it was time for me to check how the different algorithms compare.

My only interest here is in pre-compressing static assets, such as JavaScript, CSS, SVG, HTML and XML files. With the "file.send-compressed: ON" option, h2o will serve a .br or .gz version if the browser signals its support for the algorithm. If both are supported, preference is given to the brotli-compressed file.

On we use the WordPress theme Melos Pro from In its latest version it has 226 files ending in .js, .css, .html or .xml.

To start with, I ran Yuicompressor over all *.js and *.css files. This reduced the overall size of the files by almost 13%, from 6.5 to 5.6 MB. This version, compressed with gzip -1, served as my baseline (gzip at level 1 is the standard compression used by nginx and h2o for on-the-fly compression; Apache's mod_deflate uses zlib's default, which is 6).

This is how much smaller the total result is than with gzip -1:
gzip -9: 19.7%
zopfli: 23.5%
brotli -q 10: 37.9%

For every single file tested, brotli -q 10 resulted in smaller file sizes than zopfli. And zopfli outperformed gzip -9 in every test.

I could confirm Tim Kadlec's observation that the result of brotli -q 11 was no different from brotli -q 10... only slower.

For pre-compression of static assets use brotli -q 10 whenever possible.
If the client does not understand brotli, then serve gzip-compatible files produced with zopfli.

Because I was looking at pre-compressing files, I was not interested in the time each compression took. For a discussion of good compromises between file size and speed, I recommend Tim Kadlec's excellent post on the Akamai blog:
You may also analyse my data (with timings for each compression algorithm and level): (105kB) (73 kB)

h2o's main developer recently introduced the new compression options in h2o version 2.0 on his blog:

The gzip used in this test was FreeBSD's version, zopfli was used at its default setting (15 iterations).

Interesting predictions on IoT development in 2016. Mentions also thermostats and water heaters... Well worth reading, if you are working in this field.

One of the best articles on Germany's energy transition (Energiewende). Very balanced, not talking only about electricity but also heat and transportation.

For a new project, we recently purchased the WordPress theme "Melos Pro" from Think Up Themes Ltd.

We had run WebPagetest on their demo site and found it less resource intensive than many others on the market.

We ran further WPT tests once we had installed the theme on our server. And there we noticed that one JavaScript file was loaded from a Dropbox URL ( On further inspection we identified it as a "license verification" script, which was recently introduced by Think Up Themes - probably to thwart unlicensed use of their theme (which in itself is funny, as it is published under the GPL). The script is very simple and checks whether it is run in the context of a forbidden web address. That domain is slightly obfuscated; currently the script checks only for one Italian domain, for which it would block the rendering of the HTML body.

The script itself is not the problem. The problem is how it is loaded: synchronously, from a Dropbox account, without caching headers. You can see its impact especially well in repeat view.

We contacted the theme's support and explained the problem. I even suggested that if they absolutely believed they needed this "license verification", they should do the following:
1) Link the script asynchronously so that it does not block page rendering
2) Serve the script from a fast server – or even better: through a CDN
3) Add the necessary HTTP headers so that this static file can be cached by the browsers.

The first-level support was not very helpful but wanted to inform the actual developers. However, a new version has been released since, and this "license verification" is still included. For the moment, we have commented it out in the PHP code. But we will have to do this again every time we update to the latest version.

If you, too, think that serving a JavaScript file from a Dropbox address is wrong, please share this post.

Understanding Hamburg's decision

The citizens of Hamburg have (narrowly) said no to the Olympic Games. And in the sports world there is apparently great incomprehension, even dismay. For the second time within a relatively short period, German cities do not want to host the Olympic Games. But I can understand that well. And it would be good if athletes and their top managers slowly internalised this too.

It is not sport that we do not want. Many people are active in sports or as volunteers in sports clubs. And it is great fun. But elite sport, and especially major events such as the Olympic Games, the men's football World Cup, Formula 1 or the Tour de France, no longer come across as cheerful sporting events.

The corruption scandals at FIFA, around the awarding of World Cups and broadcasting rights, bribes and much more, show that the organisers do not have the lofty goals of a UNICEF, even if they like to present themselves that way to the outside world. We see that behind these events there are not intergovernmental institutions but globally operating private-sector "corporations" such as FIFA, the IOC and Bernie Ecclestone's group of companies. It is about power and a lot of money. And the US investigations against the FIFA leadership seem to prove that they belong in the category of organised crime rather than philanthropy. The top managers face long (possibly decades-long) prison sentences. In the awarding of the Olympic Games, too, there have repeatedly been indications of large-scale bribery. And then they often went to countries or places with a very dubious reputation: cheerful Olympic Games in Beijing, the capital of a state known for its repression, where (presumably) more people are executed than anywhere else in the world. Or Winter Games in Sochi? Who came up with that?! But worse still: the IOC then honoured this absurd idea with the Games.

All this would not be quite so bad if the IOC or FIFA themselves brought the necessary money or were at least willing to bear the financial risk. But too often the costs spiral out of control, while the cities or countries do not receive a corresponding share of the corporations' billions in revenue. In the end the taxpayer pays the shortfall. Rhineland-Palatinate has sunk tens of millions into the Nürburgring that had to be written off. The Bayerische Landesbank is still in dispute with Bernie Ecclestone over bribery allegations that have cost the public bank millions. In the end it always hits the public purse, and thus the citizen.

Added to this is that the public sector is no longer trusted to stay within budget on large projects anyway. The people of Hamburg can tell you a thing or two about the Elbphilharmonie, the Berliners about BER, and so on and so on. Why should it be different this time? It is more likely that this time, too, the costs were estimated far too conservatively in order to convince citizens of the project.

Besides the corruption among the organisers and the inability of politicians to tell citizens the true costs honestly, there is one more reason why citizens are sceptical of major sporting events: doping, doping, doping! Sports icons like Lance Armstrong are stripped of all their titles, whole countries are now banned (Russian athletics), but really some sports should be banned entirely for years (cycling, weightlifting, etc.) or their organisers stripped of all licences (Société de la Tour de France). Isn't it by now the case for the majority of people that when the evening news reports a new sprint record, we no longer rejoice at the performance but have long been convinced that it could not have been achieved by honest means?

That, at least, is my picture of elite sport. It is a dirty picture. So I can well understand that the citizens of Hamburg did not want this. Hamburg deserves something better!

Totally hilarious and spot-on. Has to be the best public service video ever done by a government office.  A small police department in the UK.
