Data retention is no solution

One year after Germany decided not to have a national law on data retention, the European Union moves towards data retention legislation.

Apparently now the European Commission and the European Council are both competing with proposals for a directive on mandatory data retention of all telecommunication meta-data for up to three years. Meta-data includes MAC addresses, IP addresses, Email addresses, phone numbers, IMEI numbers, location of the base station from which a mobile system initiated the call, and many more (it's a two page listing!).

If you are an EU citizen and think that data retention is invasive, disproportionate and violates the European Constitution on Human Rights, please sign this petition at

Writing conference papers

... as usual at the last minute. I've now finally finished my two papers for Linux Kongress 2005 next month.

The DocBook source to those papers should however be a good starting point for reference documentation to {nf_,nfnetlink_,libnfnetlink_}{log,queue}.

Also, in the good spirit of recycling papers, I'll make a Datenschleuder article on RFID and biometric Passports from my librfid/libmrtd paper.

Let's hope I can get some real work done tomorrow.

My first Bollywood party in Berlin

The frequent reader of this blog will have noticed that I love Indian Bollywood cinema (and of course the corresponding music).

Unfortunately there are very few Bollywood movies in the cinemas in Germany, and other Bollywood events are almost as rare. However, Club Deewane now organizes more or less frequent parties in Berlin.

Due to my frequent travel, yesterday was the first time I was around when the event took place. It was quite an experience... I wouldn't have imagined that such an event could actually draw some 200+ people. I'd say no more than 20% of the guests were of Indian origin/descent; the rest were the usual multicultural "Berlin mixture".

Anyway, I had a great time, and was surprised how much of the music I actually recognized ;)

No legal basis for voting machines in Germany?

According to press coverage, in today's parliament elections (Bundestagswahl) some 5% of German voters will be forced to cast their vote on electronic voting machines.
However, those voting machines have no paper audit trail, and in fact seem to have no audit trail at all. The ministry of interior does not want to disclose the certification procedures or certification reports of those machines, allegedly to accommodate the trade secrets of the vendors.

Since when has a trade secret (if there is any involved, I doubt it) become more important than the citizens' right to a transparent election process?

After a quick read through the respective laws such as the Election Verification Act (Wahlprüfungsgesetz) and the Federal Election Act (Bundeswahlordnung), there is not a single mention of any kind of electronic voting machine. On the contrary, they go into every tiny detail of how the ballots have to be formatted, what color of paper they are printed on, etc.

Apparently there is already at least one person who wants to challenge the election results in those counties where electronic voting machines are used. I'm more than motivated to join such action and/or start an initiative for transparency of electronic voting. Stay tuned.

Increasing nuclear security by jamming GPS ?

It's quite amazing what kind of bogus ideas government agencies and operators of nuclear power plants have. According to this article, the German federal environmental agency has negotiated with the operators of those nuclear power plants that are not safe against airplane crashes to install GPS jammers.

The idea is to make it harder to automatically guide a passenger airplane into such a power plant (as part of a terrorist attack). It follows the same awkward logic as the already-proposed "artificial disguise in fog".

It's incredible to see to what extent they're willing to compromise security. Either you think an attack on such plants is a danger that needs to be avoided, in which case you have to shut down those (three, I think) plants. Or you think all that terrorist panicking isn't worth such a measure.

But I don't think that anyone honestly believes that a bit of fog and some GPS jamming will prevent any such attack. At aircraft speeds, it doesn't really matter whether you have GPS 1 or 2 kilometers in front of the power plant. And in a country with a population density like Germany you cannot jam the signal for 100 or even 50km - especially since the highway toll system for trucks operates on the basis of GPS ;)

Apart from that, according to the Bundesnetzagentur (formerly RegTP, similar to the FCC), it is at this point not legal to operate any such jamming devices.

Migrating many services to their new home

Ever since my first contact with the internet in 1994, my personal homepage and later (since 2000) the project have been connected to the Internet via KNF, a volunteer-based not-for-profit in southern Germany.

Initially I had a 33.6kbps leased line, in 1999 or 2000 that 33.6 line to my home was replaced with a 2MBit SDSL line to my (then new) office.

Meanwhile, I had moved to Brasil in 2001, came back to southern Germany 2002 and moved to Berlin in 2003. I sold all equipment in that office to a friend of mine, under the provision that the leased line and my systems may remain there indefinitely.

Since 2MBit has recently become a not particularly high bandwidth, I've always hosted larger projects such as at a hosting centre.

During the last week I migrated many of the services to either my Berlin office or that hosting centre. The services include important bits such as DNS primaries, so if you have any trouble contacting {gnumonks,gpl-violations,gpl-devices,librfid,openmrtd,dunkelromantk}.org, please let me know.

As of now, only this blog, and two mailinglists are still behind that SDSL line. I intend to move those services during the next couple of days. At the end of November, I'm planning to pick up the by then totally unused equipment.

Big thanks to KNF and TowerSoft for providing connectivity and housing for many of my machines over the last decade. It's time to say goodbye.

Submitted the PPTP conntrack/nat helper to the mainline kernel

Following some serious testing today, I've finally submitted the latest version of the PPTP helper from the netfilter-2.6.14#pptp tree to the mainline kernel.

With some luck, it will be included before 2.6.14 gets final. It should go in, since it doesn't modify existing code but is merely an addition.

Also, please note that the "ip_conntrack_proto_gre.ko" and "ip_nat_proto_gre.ko" modules are gone with that 3.x version of the PPTP helper. The respective code has been integrated into ip_{conntrack,nat}_pptp.ko. My initial dream of doing some generic (non-PPTP) GRE connection tracking has evaporated, and thus the PPTP helper now really only handles the special case of pptp-GRE.

Reading about the evil empire

I can proudly claim to never have done any Windows development, despite using and programming PC-compatible systems for some 15 years.

Now I've started reading a book on MS(TM) Windows(TM) Device Drivers. No, I do not intend to write any such drivers. However, there are numerous cases where some i386 windows driver is all the "documentation" that a hardware vendor provides. So in order to more efficiently understand the disassembly of windows drivers, I'm now reading my first book on the evil empire.

Struggling with DHCP

Today is one of those days where you want to get something "simple" done (like testing some new pptp conntrack helper code), and where everything goes wrong.

My test boxes are small embedded network booting devices. For some strange reason, they failed to obtain DHCP leases from the DHCP server.

Since I couldn't spot anything wrong while looking at the packets in ethereal, I added lots and lots of debug statements to the etherboot DHCP client code.

And there it was: etherboot refuses to accept a DHCPOFFER that doesn't have the "siaddr" field set in the DHCP/BOOTP header. According to the DHCP specifications (rfc1335, rfc2131), this indicates the address for the "next server in bootup process", i.e. TFTP and the like.

A browse through the ISC DHCP changelog indicated that versions starting from 3.0.2 default this field to "" unless "next-server" is explicitly set in dhcpd.conf.

Unfortunately the man-page states the exact opposite: That it defaults to the DHCPD's IP address.
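The siaddr behaviour described above, as an added example (this is not etherboot's or ISC dhcpd's code): a small Python parser for the BOOTP/DHCP message format (the 236-byte fixed header from RFC 951, the RFC 2131 magic cookie and the TLV option list), a builder that constructs two DHCPOFFERs, one with siaddr left at 0.0.0.0 as dhcpd does without a next-server statement and one with it filled in, and the two acceptance rules side by side: the strict etherboot-style check that requires siaddr, and the lenient reading of RFC 2131 in which an OFFER only needs yiaddr. All addresses, the client MAC and the xid are constructed sample values.

```python
import struct
import ipaddress

# BOOTP fixed header (RFC 951): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
ZERO_ADDR = ipaddress.IPv4Address("0.0.0.0")
MAC = bytes.fromhex("0011223344aa")       # constructed client hardware address


def parse_dhcp(packet: bytes) -> dict:
    """Decode the fixed header and the option list of one DHCP message."""
    if len(packet) < BOOTP_HDR.size + len(DHCP_MAGIC):
        raise ValueError("packet too short for a DHCP message")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, file) = BOOTP_HDR.unpack_from(packet, 0)
    off = BOOTP_HDR.size
    if packet[off:off + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie (plain BOOTP reply?)")
    off += 4
    options = {}
    while off < len(packet):
        code = packet[off]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            off += 1
            continue
        if off + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[off + 1]
        value = packet[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        off += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "op": op, "xid": xid, "flags": flags,
        "msg_type": MSG_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type),
        "yiaddr": ipaddress.IPv4Address(yiaddr),
        "siaddr": ipaddress.IPv4Address(siaddr),   # "next server" (TFTP etc.)
        "giaddr": ipaddress.IPv4Address(giaddr),
        "chaddr": chaddr[:hlen].hex(":"),
        "options": options,
    }


def strict_client_accepts(packet: bytes) -> bool:
    """The etherboot-style rule: an OFFER is only usable when siaddr is set."""
    msg = parse_dhcp(packet)
    return msg["msg_type"] == "OFFER" and msg["siaddr"] != ZERO_ADDR


def lenient_client_accepts(packet: bytes) -> bool:
    """RFC 2131 only requires yiaddr for an OFFER; a client that does not
    fetch a boot file from siaddr has no reason to insist on it."""
    msg = parse_dhcp(packet)
    return msg["msg_type"] == "OFFER" and msg["yiaddr"] != ZERO_ADDR


def build_offer(yiaddr: str, siaddr: str, server_id: str, mac: bytes,
                xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER (test data, not a captured packet)."""
    hdr = BOOTP_HDR.pack(
        2, 1, 6, 0, xid, 0, 0,                    # BOOTREPLY, Ethernet, hlen 6
        ZERO_ADDR.packed,                          # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,      # offered client address
        ipaddress.IPv4Address(siaddr).packed,      # next server, 0.0.0.0 = unset
        ZERO_ADDR.packed,                          # giaddr (no relay)
        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    opts = (bytes([OPT_MSG_TYPE, 1, 2])                                # OFFER
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([1, 4]) + ipaddress.IPv4Address("255.255.255.0").packed
            + bytes([51, 4]) + struct.pack("!I", 3600)                  # lease
            + bytes([OPT_END]))
    return hdr + DHCP_MAGIC + opts


if __name__ == "__main__":
    offers = (("siaddr unset", build_offer("10.0.0.23", "0.0.0.0", "10.0.0.1", MAC)),
              ("siaddr set", build_offer("10.0.0.23", "10.0.0.1", "10.0.0.1", MAC)))
    for label, offer in offers:
        msg = parse_dhcp(offer)
        print(label, msg["msg_type"], "yiaddr", msg["yiaddr"],
              "next-server", msg["siaddr"],
              "strict:", strict_client_accepts(offer),
              "lenient:", lenient_client_accepts(offer))
```

Running it shows the strict check rejecting the first offer, which is exactly the silent failure that was invisible in the packet trace: the OFFER is well-formed, only siaddr is 0.0.0.0. On the server side, the fix is the dhcpd.conf `next-server` statement mentioned above; on the client side, a boot loader should only require siaddr when it actually intends to fetch a file from it.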

After some more issues with some strange interaction between my USB2.0 hub, the ehci-hcd host and two different smartcard readers, I can probably finally start to do some real work..

Obtaining a root-shell on the Motorola A780

I've recently acquired a Motorola A780 quad-band GSM cellphone. It's basically an Intel PXA270 based system with 48MB flash, a 256MB TransFlash reader, Bluetooth, a GPS receiver and MontaVista CEE Linux 3.0 (2.4.20 based).

As usual, the vendor tries to "lock down" the OS from the user. Luckily, some nice people of have already found their way into the phone. Using their "linloader", you can put shell scripts on the TransFlash card and execute them by clicking on them in the explorer. Using that you can put the phone into a mode where it runs as usbnet 'device' with telnetd and samba.

By now I've already learned quite a bit about the phone. Interestingly, they are running glibc (not uClibc). The same goes for the rest of the device. No busybox, but rather the standard gnu programs. So it's much less of the typical embedded Linux environment, and more like a "regular" GNU/Linux system.

glibc-2.3.2, embedded QT, and some "ezx" class library on top. Add some J2ME runtime environment, a handful of different filesystems (vfat, cramfs, romfs, TrueFFS, mfs), a SD/MMC reader driver, a GPRS module, some strange "USB Logger" (looks like syslog-over-usb) and a number of userspace programs and there you go.

Oh, and yes, obviously the phone was delivered with no GPL license text, no source code and no written offer thereof. But that's a different chapter.

More CardMan 4000/4040 and OpenCT work

The OpenCT project has merged all my CardMan 4000 / 4040 code and thus the upcoming OpenCT-0.6.6 release will include support for those readers.

On the kernel front, I'm having a bit of difficulty accommodating all the cosmetic changes that are requested by various people. Jeez, I always thought the netfilter project had a quite strict policy on CodingStyle... I've been proven wrong.

I'm still hoping to get the drivers into 2.6.14, though.

Getting CardMan 4000 and CardMan 4040 Drivers ready

I've been doing quite some work on the kernel-side drivers for Omnikey CardMan 4000 and 4040 PCMCIA smartcard readers. Apart from a general overhaul (kernel coding style, get rid of 2.4.x cruft, ...) I also added support for the new 2.6.13 hotplug-style PCMCIA subsystem. I'm extremely happy that PCMCIA driver binding can now happen without some userspace daemon running...

On the userspace side, I'm tearing apart all the changes that I did to my local openct-0.6.2 fork. Now the per-feature patches are merged with current openct SVN, which means that I can submit them to the OpenCT project after some testing tomorrow.

Chaosradio 105: Embedded Systems

This month's Chaosradio show (held today) will be looking into the plethora of embedded devices that are present in today's world.

CCC "residents" will be Tim Pritlove and myself.

The main focus will be on consumer embedded systems, especially those running free operating systems and those with good "hack value".

Donating 7000 EUR from GPL enforcement to FoeBud e.V.

Sometimes as part of my GPL enforcement work, vendors will make donations in order to settle things like a grace period, i.e. a time where they can still sell their stock of already-produced GPL-noncompliant devices.

Recently, as part of such a settlement, I was able to get EUR7000 which have been donated to FoeBud e.V., a registered German charity fighting against privacy-invading technology use such as RFID, and video surveillance. They hold the annual "Big Brother Awards" which give a "prize" to those individuals and organizations that hurt privacy and data protection most in that year.

patchwork rulez!

Some time ago, Jeremy Kerr wrote the patchwork program as a means to track patches sent to mailing-lists (specifically netfilter-devel in our case).

I'm now using it more-or-less frequently and it has already uncovered a number of patches that got lost otherwise. Therefore I consider it a very helpful tool. Hopefully reports of netfilter-devel being "a write-only mailing-list" will cease now..

CLUSTERIP fixes/cleanup

Apparently we now have at least one corporate user of the ipt_CLUSTERIP target (allowing load balancing without a load balancer). Krisztian Kovacs has re-worked some of its weak parts (like refcounting and procfs). I'll review the patches soon.

Linus has merged the net-2.6.14 tree from DaveM

This means that all the code from my netfilter-2.6.14 tree (master branch) is now in the mainline kernel. The code in question mainly includes

  • conntrack event notifiers
  • nfnetlink layer
  • ctnetlink interface
  • nf_log API extension
  • nf_queue and nf_log /proc files
  • nfnetlink_log as successor of ipt_ULOG and ebt_ulog
  • nfnetlink_queue as successor of ip_queue and ip6_queue

We'll see whether nf_conntrack will also go into 2.6.14, at the moment I have my doubts...

Back from holidays - catching up

So I'm back from holidays and am halfway through reading the incredible backlog of emails.

It seems like netdev has been a bit more quiet than it was before, and surprisingly there were no more bug reports on the recently introduced netfilter code (nfnetlink, nfnetlink_log, nfnetlink_queue, nf_log, ...). So things seem to have settled down a bit.

Organization of the netfilter developer workshop seems to proceed quite fine, too. Travel sponsorships are taken care of, however we're still lacking some EUR 1600 for the cost of accommodation. If anyone (any company/organization) is interested in contributing to the netfilter project by funding accommodation for the workshop, please let me know.

Most of the 'interesting' new email seems to come in on the GPL violations front. I haven't yet analyzed any of the new alleged violations, but there seems to be plenty. It's a pity since it will again keep me from interesting real work. Also, there's still some minor cleanup to do in order to fully close the last 11 cases that I've dealt with...

GPL licensed 100% free software Atheros driver to be hosted on

I've always intended to write a 100% free software driver for Atheros cards, based on the new IEEE80211 subsystem in the mainline kernel. I've even stated at OLS earlier this year that I'd start one. As with many of my projects, there was a significant lack of time.

Meanwhile, Mateusz Berezecki has written a beta-state driver for the ar5212 chipset based wireless cards. He has contacted me for hosting the driver on So this way I'll at least be able to provide some help with the driver ;).

I still intend to contribute to the driver (as time permits), as well as the core IEEE80211 stack in the Linux kernel. One of my must-have features is virtual access points, i.e. running as AP of multiple ESSID's with one card on one channel.

Offline until Aug 25

I'm off for holidays in Scotland, so please don't expect any email to be answered before Aug 25.

Don't send any important netfilter issues to me personally, but rather to the core-team or the respective lists.

Gentoo is so broken

The next episode in my Gentoo rant.

Every time I do an "emerge -b -n world" to get the latest security fixes, I have several hours, if not days of cleanup.

A number of times glibc was somehow fucked up, so all dynamically linked applications would refuse to work.

This time, let me only pick the interesting examples:

  • I don't have a "vi" anymore. It tells me "unresolved symbol: pthread_create".
  • Proftpd doesn't start anymore ("unresolved symbol: setproctitle").
  • spamd starts, but fails to do DNS lookups (missing dependency to Net::DNS)
  • clamav regularly crashes (reason unknown)
  • The linker/gcc (3.4.4) fails to detect unresolved symbols at runtime. This leads to the vi and proftpd issues described above

This is a _production server_. *sigh*.

I sincerely consider switching to Debian-ppc (in 32bit mode) on that Dual G5 XServe now. If that wasn't such a terrible amount of work...

iRiver hands over source code CD-ROM

Some time ago, I ran into GPL issues with the iRiver PMP-1xx series. For some reason, the Korean company chose to cease distributing their products in Germany, rather than making them GPL compliant.

Despite that, they've now sent me a CD-R with the source code. I've made it available to interested parties at I have not yet had the time to do a full-scale analysis of whether it is complete (as per the GPL definition of "complete corresponding source code"). However, at least from a first quick look it seems fine (and even documented!).

One day of systems maintenance

Today I really felt like a systems administrator (which I've never been, at least never as daytime job).

On the software side, there were still a couple of woody -> sarge upgrades to be made. Also, I finally have a running sparc64 setup at home again (all my other sparcs are hosted, and I recently crashed one during development).

On the hardware side, various pending repairs (broken fans, bad memory, hard disk replacement) led to some shuffling of hardware pieces between my various machines.

As a result, I now have more storage capacity on my main NFS server, as well as on the main backup server. While planning the new backup strategy, I found out that all in all I own more than 4.6TB of hard disks. Sounds an awful lot, but most of it is lost due to various raid levels, and some 1.6TB of drives are only used for backups.

I wish tape drives with decent capacities were not all that expensive...

Tomorrow will be one day of accounting and taxes. So don't expect any further new netfilter stuff before I'm leaving for holidays in Scotland next week.

I'll be in Bangalore again :)

Well, according to the organizers it's just a formality, but "just for the record", I've now officially been invited to the-conference-formerly-known-as-Linux-Bangalore. It will happen Nov 29 to Dec 02, but due to timing overlap, I'll probably only be there from the 30th onwards.

I've already tried to raise awareness for this fabulous event with almost everybody I met during my vivid conference travel. Let's hope I have managed to convince a number of high-quality Linux hackers to consider submitting a paper (and let's hope the CfP will be published really soon now).

Netfilter workshop dates

Pablo is working on But at least the dates are fixed now:

  • Oct 4th: some unofficial user-related event with the local lug
  • Oct 5th-6th: The workshop itself. discussions, presentations.
  • Oct 7th-9th: Hacking on code.

Expect more news soon...