Having Fun with DHL Express!

This is what I got when tracking one of my inbound shipments:

It seems DHL is having fun bouncing the package back and forward between Hong Kong and Leipzig(Germany). So far, it started in HK, then arrived in Leipzig on January 8, went back to HK, back to Leipzig, back to HK, back to Leipzig and is currently allegedly again in Hong Kong _after_ succesfully passing German customs clearance on January 15.

For the TCP/IP nerds among the readers: I wonder when the TTL expires.

Why do self-respecting hackers use Gmail & Co?

Yesterday morning I was reading through the logs of my exim-based mailserver and noticed _how_ many messages were delivered to Google/Gmail. This is mostly related to the various mailing lists that I'm hosting at lists.{gnumonks,osmocom}.org.

Now if those lists were general-purpose mailing lists for let's say a group of environmentalists or a local model train club, I wouldn't be surprised. But almost all of those lists are about very technical projects, where the only subscriber base should be people from either the IT security community, or the Free Software community. The former is typically extremely security and privacy aware, whereas the latter is at least to some extent in favor of what I would describe as 'being a producer rather than just a consumer of technology.

So why is there such a high degree of Gmail usage among those groups? I really don't get it. Let me illustrate why this is a surprise:

• you give away control over your personal data

  Control over your own data means you own it, you have it on your hard disk, it is not on somebody else's storage medium. Control over your data also means that somebody needs a search warrant to your home in order to get to it. It also means that you decide when or how to shut it down, not a large corporation in a foreign country.

• you put your personal data within the U.S. jurisdiction

  Depending on where you are, this may or may not be an improvement. I don't want to start a political debate here, but you have to be aware what this means specifically, especially in terms of government authorities or private companies getting access to your mails. I myself would not even say that I understand enough about the US legal system to determine the full outcome of this. Also, in case there was a subpoena or other legal action in the US, how would I defend myself? That's so much easier in my home country, where I know the laws and regulations.

• you give Google not only the social web information who mails whom, but also the full content of that communication

  Now Google may have privacy policies and other rules that this data is not to be mined for whatever purposes they deem fit. But first of all, what guarantees do you have on it? Definitely less than if you ran your own mail server on your own hardware. Secondly, whatever Google promises is always within the scope of the US jurisdiction. In the 10-year aftermath of 9/11 there have been a number of alarming developments including wiretaps to phone lines without court review/order, etc.

Now I don't want this to be a bashing of Google. The same applies more or less to any email hosting company. I also don't want it to be a bashing about the US. The above is meant as an example only. In Europe we have our own problems with regard to data retention of e-mail related data (who is mailing whom). But those only apply to companies that offer telecommunications services. If you host your own mail server, you are not providing services to anyone else and thus are not required to retain any data.

There's also what I would call the combination effect, i.e. millions of millions of people all using the same service. This leads to a large concentration of information. Such concentrations are ideal for data mining and to get a global 'who is who'. This information is much more interesting to e.g. intelligence communities than the actual content, as it is much easier analyzed automatically. It also doesn't help to encrypt your messages, as the headers (From, To, ...) are still unencrypted.

Furthermore, this concentration leads to single points of failure. I'm not speaking physically, as Google and other web-hosters of course know how to replicate their services using a large-scale distributed system. But all is under control by the same company, maintained by the same staff, subject to the same jurisdiction/laws, etc.

There was a time when the Internet was about a heterogeneous network, de-centralized, without a single point of failure. Why are all people running to a very few number of companies? The same question goes for sites like sourceforge. All the code hosted there subject to the good will of the hosting company. Subject to their financial stability, their intentions and their admin staff. They've had security breaches, as did apparently Google. Sure, self-hosted machines also have security breaches, but only the breakage of a very small set of accounts, not the breakage of thousands, hundred thousands or millions of users simultaneously.

Now hosting your own mailserver on your own machine might be a bit too much effort in terms of money or work for some people. I understand that. But then, there are several other options:

• You team up with some friends, people you know and trust, and you share the administrative and financial effort
• You look out for NGOs, societies, cooperatives or other non-for-profit groups that offer email and other services to their members. At least in Germany we traditionally have many of these.
• You use a local, small Internet service company rather than one of the big entities.

While you still give up some control with those alternatives, you keep your data within your jurisdiction, and you still keep the spirit of de-centralization rather than those large concentrated single point of failures.

Travelling to Belem/Brazil to talk about OpenPCD and OsmocomBB at UFPA

Tomorrow I'll be leaving for a 10-day trip to the signal processing lab of UFPA (Federal University of Para) in Belem, Brazil. I was kindly invited by Prof. Aldebaro Klautau to hold some lectures and lab exercises regarding Free Software (+Hardware) RFID projects like OpenPCD as well as Free Software GSM projects like OsmocomBB.

I would love to use that opportunity to spend some more time in Brazil for holidays, but my schedule really doesn't allow for anything like that at this time. It's always sad to have to miss such a chance. It would be exactly the right time of the year to spend some time at the beaches of Pernambuco or Alagoas... *sigh*

Heading for a business trip to Nairobi/Kenya

I'm about to leave for a 1-week business related trip to Kenya... so please excuse any [additional] delays in reaching me. I really need to focus on my work in order to keep up productivity.

UPS sends me an invoice over 1 Euro-cent

Yesterday I received this letter from the local UPS subsidiary in Germany.

This is nothing uncommon, as I often import some electronics parts or other equipment from outside the EU, on which I need to pay customs duties and/or import VAT. In such cases, they typically collect an estimated amount as COD (cash on delivery) and then send an invoice about the difference (if any).

The funny part in this case now is: The grand total after subtracting my COD payment is EUR 0.01 - in words: One Euro-cent. They really want me to do a bank transfoer or write them a cheque over 1 cent !?!

One wonders to what grand total the expenses for the paper, printing, postage, banking transfer fees and accounting fees on the UPS side will amount to for processing something like this.

I wonder what would happen if I didn't pay that 1 cent. Would they actually try to sue me? Probably simply stop delivering packets to me, which I cannot afford and thus rather pay that single cent...

The Emperor's Codes: The Breaking of Japan's Secret Ciphers

During the last weeks, I've read the book The Emperor's Codes: The Breaking of Japan's Secret Ciphers. As you can guess from the title, the book relates to the various UK, American and Australian code breaker teams working on breaking the encrypted communication of Japan during the second world war.

There have been plenty of books about the history of breaking Germany's Enigma ciphering machine, but information on how the Japanese codes were broken so far didn't seem to be as widespread - despite the resepective archives being opened up during the last decades.

It has been a most interesting reading. As you can imagine, at that time almost nobody had a sufficient understanding of the Japanese language, not even thinking about how to encode Japanese writing into morse code.

Nonetheless, all of the Japanese merchant, diplomatic, army and navy codes have been broken during the war. And surprisingly, the Japanese never really assumed something is wrong with their actual encryption method. All they did is to replace the codebook or the additive codebook.

Also, just like in today's GSM (A5/1) crypto attacks, even back then the importance of known plaintext could not be underestimated. The verbosity of Japanese soldiers addressing a superior officer and the stereotypical nature of reports on weather or troop movements gave the cryptographers plenty of known plaintext for many of their intercepted message.

What was also new to me is the fact that the British even back then demanded that Cable+Wireless provides copies of all telegraphs through their network. And that's some 70-80 years before data retention on communications networks becomes a big topic ;)

Overall, definitely a very interesting book. I can recommend it to anyone with an interest in security, secret services, WW2 history and/or cryptography.

TXL-CDG-BLR-DLH-TPE

This was the route that I was taking to Taipei this time: Berlin, Paris, Bangalore, Delhi, Taipei... with 7 hours in Bangalore and 4 hours in Delhi, resulting in a total travel time of about 38 hours.

Everything went surprisingly well and I did a lot of work. However, my day/night rhythm is basically completely gone by now. Need to try to synchronize with local time.

Oh, and if you're asking yourself "why"? Because airline ticket pricing is the most ridiculous thing on this planet, even worse than stock exchange. Any more 'direct' asymmetric Germany->Taiwan->India->Germany flight would have been about three times as expensive as both a Germany->India->Germany and a India->Taiwan->India round trip ticket together.

German Post paper form shows HTML font tag

Something fun for a change: This morning I had one of those "you were not present when we tried to deliver something to you, please come to the post office to pick it up" cards in my mailbox.

However, as the scan of this very card shows (check for the red arrow), they inadvertently show half of a HTML FONT tag for the font "HELVETICA" on the actual printed card. I wonder how nobody could notice ;)

Playing around with the HTC TyTN II / Kaiser

For reasons that I cannot yet disclose, I have obtained a HTC TyTN II (aka Kaiser). This is my first (and hopefully last) Windows Mobile based device.

So far I've taken the device fully apart, unmounted all the shielding covers and took high-resolution photographs of each and every part of the phone. The resulting information is now that I'm aware of all the major components in the device, and I've started to do some data mining on those components.

As everyone knows, HTC used a Qualcomm MSM7200 based chipset in this device. The MSM integrates both the GSM baseband (DSP+ARM9) as well as the application processor (ARM11) and many other things. What's less known is the further peripheral configuration.

• The Bluetooth and WiFi chips are from Ti (BRF6300 and WL125, respectively).
• The power management unit is a Qualcomm PM7500
• NAND+DRAM are in a multi-chip module (1.8V, 2GBit NAND x8, 1GBbit DRAM x32) from Samsung
• The 3G/GSM RF part consists of Qualcomm's RFR6500 (receive with integrated GPS) and RTR6275 (transmit) as well as AWT6280, AWT6273 and AWT6273 amplifiers
• There furthermore is a CPLD: Xilinx XC2C128 (3000 system gates, 128 macrocells).

For those interested, I'll go through my PCB photographs and will edit and publish them soon.

I am now digging through all the various XDA/WM6 hacker information out there and trying to understand the various tools that can be used for further taking apart the software side. I've already managed to get into the bootloader, which apparently offers a standard USB serial emulation that can be accessed even from a Linux PC.

Unfortunately the MSM7200 is a highly proprietary/closed chipset, and there is very limited public information available. I've already ran into this while evaluating potential hardware for OpenMoko at some point in the past. I became curious about this MSM7xxx chipset family when they were first added to the ARM-Linux machine type registry many months ago.

Anyway, meanwhile Google seems to be doing a lot using this chipset, as they have recently announced the availability of a linux-msm.git tree. The source code should document many things such as GPIO assignments, IRQ's and contain drivers for most of the hardware (on the application processor side).

Now if some of you ask yourselves if I have turned my back on OpenEZX and OpenMoko: No, that's not true. I'm just looking at this for a very peculiar reason. Hopefully I'm able to reveal more soon.

incommunicado for a while

It seems like my main mail server, ganesha.gnumonks.org, is facing some severe problems (ext3 corruption on a 3ware hardware RAID-1, i.e. something that clearly should not happen.

As per Murphy's law, this had to happen exactly while I was in-flight on my trip to Bangalore for FOSS.in 2007 :( Had it happened 2 days earlier, i would have actually within physical reach of the machine in question.

Luckily, all my hosted servers have remote consoles and actually even remote access to the BIOS setup. So I'm trying to recover what's to recover. The exim mail spool is on the affected /var partition. The much more important cyrus IMAPD spool is not affected. What a relief.

Still, everyone who tried to contact me: Please expect some delays in email based communication through the next few days. Sorry for the inconvenience.

Short update

The last couple of weeks have again been so busy that I didn't find the time to update this blog. After returning from the Taipei trip, as usual, there were tons of things to be done for OpenMoko. Later I spent about one week on a business trip to Bangalore, from which I've returned monday afternoon.

Now I'm only home until thursday next week. Next friday, I'll once again depart for Taipei to speed up and coordinate OpenMoko/FIC development.

Apple can't even properly translate their SPAM

I just received SPAM from apple: "Mit dem Mac ist Codieren immer und überall möglich." and further down "Codieren. Kompilieren. Berechnen."

Seems like a multi-billion multi-national company cannot even afford some native speaker to proof-read their advertisements. Quite embarrassing.

G5 Quad broken one month after warranty: The big bang

Last night, I was once again annoyed by the slow build time of our dual AMD64 2.4GHz build server, and I wanted to use my Apple G5 quad again as a build/compile system.

So I pressed the power button, and immediately in that instance there was an extremely loud BANG!. No smoke, no smell, just that bang. Standby/trickle power was still there, the LED's kept shining.

I quickly opened the case, too off the covers, etc. There is no visible component that has suffered any damage. No leaked/exploded capacitors, no residue from some electrical spark, nothing.

And then I found out: The machine arrived on February the 2nd, and now it's exactly one month after the 1 year warranty has expired. I wonder how they can time their system failures that well :(

A little bit later I found out about the Apple Power Mac G5 Repair Extension Program for Power Supply Issues. It seems like this is a common bug, especially when you see things like this lengthy list of people who report a similar effect.

Seems like I'll have to call some local Apple dealers the first thing Monday morning....

Federal "Express" - One month to get a customer account

Since sending hardware to Werner Almesberger in Argentina using DHL seems to be suboptimal, I decided to give FedEx a try. So I went to their web-site, and tried to register for a customer account / number.

What struck me first, is that they require you to enter both land-line AND mobile phone number. As if everyone had both these days. I know a lot of people who either only have land-line, or mobile. And obviously there are people like myself, who would never want FedEx to contact them via mobile at all.

Anyway. What I then got back was an automatic email (in German) indicating that the respective employee is "Out of Office till 21st of February", and that "e-mails to this address will not be processed during this time".

Whew, I thought. What kind of express. It takes only three weeks to get a customer number. Maybe I should resort to UPS next. *sigh*

Dual-Opteron liquid cooling leaking

I'm not really having that much luck with the liquid cooling system of my main workstation. Today, one of the CPU coolers (dual socket 940 board) started leaking. Unfortunately it was the cooler of the CPU sitting above the AGP and PCI-X slots, spilling coolant on th Radeon 9200 and E1000 cards.

Coincidentally all that happened while I was having a bath, but that just as a side-note.

Now the box still boots up and is accessible from the network. Just no graphics output. Pretty bad for what I use as a dual-head compile and development workstation. So far it looks like at least that AGP card has died. I already bought a used one on eBay (you can't get any Radeon 9200 these days, and that's the really last 'free' graphics chip out there [apart from Intel on-board stuff]...). It could also be the AGP socket or something completely different. I don't have any spare AGP cards, just PCI... 5V PCI that don't fit in the 3.3V-only PCI-X slots, so I couldn't test it with a different card right now.

Now since this is the second time I'm having quite big trouble with that liquid cooling system, this is a good time to re-think whether it was that good an idea. I still think it was. I mean, for the better part of two years, this system has been running day and night, without any problems. In fact it is so quiet that I now regard my Quad G5 (unloaded, all fans at minimum) as extremely loud. And it is that quiescence which I love so much, and it is even worth at least those two times I've now had problems.

Allnet Allsound / U-Media AudioMate

I couldn't resist any longer to buy a Allnet Allsound aka U-Media AudioMate, basically a small 802.11 WLAN capable Internet streaming radio stand alone receiver. Something that you can just put into your kitchen / bedroom. It hooks up to your WLAN and plays MP3 radio streams stand alone. No running computer / hard disk / server / ... required. IT also seems to support UPnP A/V, but I yet have to look into some Free server software for this.

Oh and yes, you can actually use it as alarm clock, waking you with tunes of your favorite Internet streaming radio. How cool is that?

The wonders of Vienna airport

For my trip to Shanghai, the both cheapest and most convenient flight schedule was offered by Austrian. I mainly use KLM / NW / Air France / Lufthansa for my flights, so Austrian was definitely a new experience.

So here I am, connecting to my int'l flight at Vienna airport. Free 802.11b wireless Internet access, unfiltered, with a DHCP server that provides you an official IP. Guess I'll never connect voluntarily at Frankfurt, Paris or Amsterdam again. Finally somebody understood how you can make an airport much more attractive to the [IT] business traveller, without any big investments.

Software for paleeograpy of Indic scripts

Those of you who know me a bit better will know that my now ex-{fiance,girlfriend} is studying indian philology and indian cultural history at Freie Universitaet Berlin. Now when you think about philology, you will probably think of old people wading through books and paper.

To the contrary. I've always been amazed how much software development they actually do (or have made) there. Some years back, I learned about Sanskritreader, an OCR (optical character recognition) software package for devanagari script.

Now their latest software is IndoSkript, a Palaeograpy software. It comes with a ~600MB database of scans of anciend Indic handwritings, where evey glyph in those scripts has been individually separated, and the scripts are annotated, etc.

Using that software (it's mainly a database software) you can for example check how a particular glyph was written in a certain timeframe in a specific dynasty in the Mysore area. Or you can draw [or import a scan?] a glyph and have it do pattern-matching, giving you a probabilistic analysis of which already-known glyphs match your new one the most.

As of now, it ships with a database of Brahmi, consisting more than 700 scriptures of more than 170,000 glyphs total.

It's great that they develop these tools, and it's even better that they are published as public domain software. What would be even better, is if they made their software Free Software and publicized the source code. This way other people could contribute and e.g. add a much-needed non-German localization, a precondition for any kind of international (e.g. Indian) use of it.

Maybe I can find a minute (and a minute of their time) to explain to them the marvels of Free Software.