Voting Machines: Complaint against last German Bundestag elections turned down

As several sources have reported, the German Bundestag just decided that the formal complaints of voters against the use of insecure voting machines in the last Bundestag elections are void.

The Bundestag decided to reject those complaints by using pre-worded statements from the Ministry of Interior, some of which can be technically proven to be wrong. It is a real pity - but what do you expect if you ask those people who got elected, whether they accept that election ;) It's also quite embarrassing to see such complaints to be dragged on for more than one year. We're talking about complaints about the Elections on September 18, 2005. I think this says a lot about the state of democracy in this country, and the carelessness of those in power towards a fair and equal election process.

This is why the original plaintiffs now are preparing a lawsuit in front of the federal constitutional court. In order to be filed, some 100 signatures of German voters in support of this lawsuit are required. This shouldn't be a problem, since a petition against the use of voting machines has drawn some 48,000 supporters without any trouble. You can find more information about how to support this complaint of unconstitutionality on the Homepage of Dr. Ulrich Wiesner.

Seen "Kabhi Alvida Naa Kehna" in the cinema

Just by coincidence I noticed that yesterday was the only show of "Kabhi Alvida Naa Kehna" anywhere near Berlin _at all_. So no matter that it was some 60km away, and I had to drive all the way to Potsdam, I had to go. And that decision was right. It definitely has become of my personal "all-time top ten" Hindi movies. It could have been a bit more serious, according to my taste. But apart from that: Great music, fabulous choreography, camera, costumes, acting, .... - everything!

So as soon as it becomes available here, I have to buy the DVD. Oh, and yes, I still have to buy that LCD projector for my home cinema, the one I intended to buy for several months now...

I need a break: Debugging a driver for non-existent hardware

For the development of the OpenMoko system on the Neo1973 phone, we have two different development platforms, one is the phone prototype - the other being a generic S3C2410 development board. Obviously that generic board doesn't have all the phone specific bits on it - but it can interconnect to a GSM modem via DB9 serial port, providing a very close match to the actual product hardware.

For the better part of yesterday, I apparently forgot that this is not true for all the hardware devices. For hours and hours I tried to debug a problem with the power management unit (PMU) driver. The I2C core just didn't want to talk to it.

It is only today morning that I realize: The development board doesn't have this PMU. Doh! Obviously only the phone prototype has that PMU! For god's sake, it looks like I need a break (but can't afford one, time-line wise).

Now why am I 'broadcasting' this embarrassing notice in a blog? To demonstrate: We're all human beings, we all make - apparently stupid - mistakes from time to time.

My reason for being away from OpenEZX

This post should have been posted months ago, but only since very recently I'm allowed to talk about the real reason. You might have read about it, if you read my full blog, but I'm posting this again in the 'a780' category to make it appear on

I've been hired to be key element in the design and implementation of the OpenMoko platform and the first device it supports: The Neo1973 phone. While there is no provision in the contract preventing me from working on the OpenEZX project at all, this assignment has just sucked up all available time like a vacuum cleaner.

To OpenEZX developers, users and supporters: Please be assured that most of the work done on OpenMoko will eventually benefit OpenEZX quite a lot. So please stay tuned, and concentrate on the low-leve device-specific issues that need to be resolved with the Motorola EZX hardware :)

Petition against obnoxious WEEE implementation in Germany

There is now an official Petition to re-work the obnoxious WEEE implementation in Germany (see my detailed posting earlier in this blog. This is good, and definitely a step forward in getting regulations in place which are supportive of small and medium-sized companies, rather them getting them out of business. I've spoken to lawyers about the current regulations, and they e.g. have severe doubt that they are even constitutional.

If you are German, and/or operate a business in Germany, please consider signing the above-mentioned petition!

btw: I'm planning to start a petition against hosting petitions of the German Bundestag at a University in the UK, anybody interested in joining it?

Some details about the GSM infrastructure on the Neo1973 / OpenMoko

I've posted this publicly to some mailing lists in mid-November, but thought it was good to have this information in the blog, too:

First of all, there is a ts0710 multiplex layer, architecture-wise similar to what Motorola uses in their 2.4.x kernels. This ts0710 (de)multiplex takes care of handling GSM TS 07.10 "advanced mode" (the HDLC framing). It will be easy to add "basic mode" for chips that doesn't support advanced mode, and I'm also planning to add support for the Motorola proprietary 07.10 extensions (see OpenEZX wiki) once Neo1973 has been released.

This demultiplex is implemented as a line discipline. Therefore some userspace program (in our case the GSM daemon) attaches as a line discipline to the underlying physical UART.

devices that don't have a physical UART (such as the Motorola phones) will provide a small glue layer that provides a virtual UART on top of e.g. USB as underlying layer.

The GSM mux layer then provides itself one virtual serial port per DLC of the multiplex.

On top of those virtual serial ports, there is a GPRS line discipline, or a PPP line discipline for implementing full in-kernel data connection support, with no need for sending data packets for network traffic from/to userspace.

Both the GPRS line discipline and the ts0710 multiplex are written according to the style and requirements ("good taste") of kernel code, and will be submitted to the mainline kernel as soon as the Neo1973 goes public. I really hope to make this a standard component of the mainline kernel, supporting as many GSM modems as possible over time.

On top of the virtual serial ports, we have a GSM daemon. This daemon takes care of almost all communication with the GSM modem. The daemon initializes AT+CMUX and then attaches the kernel line discipline. It also attaches GPRS line discipline to a virtual serial port afterwards.

The daemon provides a Unix domain socket based protocol for other applications (at some later point this might become a network-enabled protocol by running it over TCP). The "other applications" (such as the contact manager, the dialer program, etc.) link against a library called "libgsmd" which wraps the protocol into a C language API.

This means that programs have a high-level API for initiating and receiving voice calls, for receiving and sending SMS, obtaining list of operators, reading/storing contacts from/to SIM card, etc.

The daemon will be GPL licensed, for the library we're not sure whether to GPL or LGPL it (probably LGPL). All applications shipped on the Neo1973 linking to the library are GPL licensed, so there will be enough example code for people to understand how that API works.

The gsmd/libgsmd code will be run (just like any other program on the Neo1973) as any other free software / open source program. Please understand that while FIC sponsors the OpenMoko project, they don't really exert control over it. So as soon as the device and code is released, I'm happy for any input and discussions the community has on improving such a system, including support for more devices, etc.

Oh, and yes, the daemon has a plug-in interface for vendor-specific extensions, since every GSM modem vendor has commands beyond the GSM07.07 specification. Also, the C API and the Unix domain protocol provide for transparent pass-through of AT commends from application to daemon. This is not meant to be a single-vendor-single-product code, but is at least designed to make it easy to add support for other devices.

Anyway, even without gsmd/libgsmd, I think the kernel-level serial multiplexer (which is not a very complicated thing) is a valuable feature to anyone doing GSM/GPRS on Linux - be it on a PC with GSM modem, or a smartphone.

The reason for doing this (de)multiplex in the kernel:

  1. the individual virtual serial ports have all the features of real serial ports. hardware/software flow control, modem status lines, etc. - and the kernel has a standard API, well known in Unix over decades, to work with serial ports from a userspace program
  2. especially when it comes to data sessions (packet data or circuit switched data), then you don't want to push all data to userspace and back in the kernel. you want to have a fast path for that, both from a CPU consumption (battery!) point of life, but also from a latency point of view. mobile data latencies are already high enough, we don't want to have additional unneccesary latencies in the handset
Please understand that at this time I have to focus on OpenMoko development, and cannot engage in lengthy discussions. This is about all the information I wanted to add about what's actually happening in our project, and this is the architecture the OpenMoko software on the Neo1973 phone has. Please bear with me until January. Once the code is out, I'm happy for any kind of discussion, modification, contribution, etc.

Hacking librfid mifare support in Indian sleeper train

I'm currently on a train ride from Bangalore to Sangli(Miraj Jn), which is a 15 hour ride. Since there's quite a bit of noise from other passengers, and the bed (berth?) is not all that comfortable, I didn't get more than some five hours of sleep.

For librfid users this is good news, since I managed to get quite a bit of work done. First of all, mifare classic authentication is now way more reliable than it was before. With regard to the CL RC632, apparently you have to first issue the LOAD_KEY command before filling the FIFO with the key, rather than the other way around.

Also, mifare classic data block (16 byte) writes are now fixed, so you can finally actually read and write data blocks. Next I've implemented parsing (and compiling) functions for the obnoxious mifare permission bit encoding.

Last, but not least, the auto-detection has been enhanced and it an now correctly distinguish between mifare classic and mifare ultralight.

Stupid extreme AC has made me sick again

Just like the 2003/2004, the insane amount of air condition at J N Tata Auditorium has made me catch a cold once again. This is not a surprise, considering that I had a hard time typing while sitting in there, having to regularly warm up my fingers by sitting on my hands.

This is just something that I will never understand. When there's a reasonable, comfortable temperature outside (let's say 25 degrees Celsius), why would you ever do more than just exchange the air inside the hall (e.g. just blow air from the outside into the room, and remove 'used air')? Of what use is it to chill the room down to sub-20 degrees?

Interestingly, a lot of Indian people seem to be used to it, since they were wearing short-sleeved shirts, while we were freezing even wearing t-shirt plus long-sleeved shirt...

This consumes _a lot_ of energy. The AC in the main hall is at least in the order of 30..50 kW, if not more. No wonder that India wants more nuclear power plants. I don't want to imagine the amount of power consumption by ACs nationwide.

Some ventilation is more than efficient in many cases. Even during two weeks of Kerala in March this year, I was using the AC only once at a single hotel.

Please, think twice before using an AC or even turning it to ridiculous amounts. Is the energy waste and increased health risks (think of not regularly cleaned filters, etc) really worth a slight increase in comfort? How weak have we become if we can't even tolerate temperatures up to, let's say, 30 centigrade?


I want to say sorry to the many people whom I had almost no chance to talk to during my visit. I know it's no excuse, but believe me, I'm just too involved with way too many things at the same time. For any rational reason, I should not have attended the conference, because I cannot afford that amount of time. I have even skipped OLS in Ottawa earlier this year, Linuxtag and Linux Kongreess in Germany, as well as I have turned down an invitation from in early 2007. I always was (and still am) a big fan of lb/, that's why I thought I got to be there, even this time.

My work schedule of the last couple of months has been optimized to work at least 12 hour per day, seven days a week, with no external interruptions and almost no interaction with the outside world apart from checking the most important emails about twice per day. No going out to clubs, no parties, no movies, no TV, and close to zero meeting with friends either. Not even time for filing tax declarations in time.

Now being at the conference, I'm suffering severely since my backlog of work is basically growing by one day every day I'm here. This is very stressful, and I apologize if I cannot respond adequately to those who actually are interested in my work, or even want to offer help. I know this is not helpful, but please accept that this time I just can't help it. My reactions have come down to self-defense. If you ask me anything, even the smallest thing that I'd have to add to my TODO list, you will trigger a defensive reaction, rather than a polite and helpful one.

I hereby ask you for your understanding. I am at the absolute limit. Give me a break. Thanks.

First impressions from day1 of

The first impressions of are very positive. Not only were the security guards clueful enough to not have everyone open their bags at the entrance, but also the WiFi network was fully operational even before the opening ceremony started.

So far, everything is running verry smooth and pleasant.

On my way to 2006

I'm now in the final stage of packing my suitcase for my third trip to India this year. The schedule mainly consists of attending the 2006 conference and meeting some potential business partners regarding OpenPCD and OpenBeacon (which is another open RFID related project that isn't really public yet).

This time there will be a five-person "Berlin delegation" at, which is quite impressive. First, there's Tim Pritlove of CCC fame. Next Brita + Milosch of bitmanufaktur, and finally Sarah and myself.

I'm looking forward to see how this years incarnation of turns out. It's again in the IISC J.N. Tata Auditorium, where the organizers (and the event) suffered quite a bit a couple of years back. But this time, everything shall be fine.

The new woman in my life: Sarah.

After more than half a year after my separation from Elisabeth, there is a new woman in my life, Sarah. The most amazing thing is, that I didn't actually have to look out / search for a new girlfriend, but she just happened to come into my life. There also wouldn't have been any other chance, since I actually have zero time to go out, and even less time to think about anything not related to paid or unpaid work.

She's intelligent, and probably the most geek-compatible type of woman you can imagine. Not that I would ever consider this an important factor (I'm not a typical geek either), but it definitely helps things a lot, if she just understands the way geeks talk, has lots of experience with geeks from previous relationships.

It's the kind of pleasant small surprises like learning that she's running Linux on her computer[s], and that she understands a lot about the net and the FOSS world, without having to start to explain your whole world from its very beginning. As indicated, those facts in themselves are not really important at all. But imagine: Everything else seems to match, and you get those details [right] in addition to the 'usual' partner compatibility :)

It's been a very intense three weeks, and I have to admit that I never happened to get to know somebody in that short period of time, at least not to that level. Actually, it makes you frightened a bit, if everything goes that fast... wondering whether this is real, whether it is sustainable.

Anyway, it has been extremely pleasant, and I'm very happy about that. I'll continue this "experiment", keeping up the pace of this relationship by taking her along to India for 2006 next week. Before meeting Sarah, I probably would never have considered such a step - taking somebody along a long distance trip, whom you barely know for a couple of weeks. But then, if you can hardly imagine being apart from her during that time, there's probably also a lot of egoistic reasons for taking her along, too ;)

My no longer secret project: OpenMoko Linux GSM phone

Yesterday, it was finally revealed on what kind of secret project I was working for the last four months: A quite unique, really free and open Linux GSM (smart-)phone produced by the Taiwan-based manufacturer FIC

In this project I'm responsible for the system-level software design and implementation. This means: Kernel, drivers, GSM communication infrastructure, etc.

So why is this project so exciting? Because it's [yet another] Linux phone? No. It's because this is the first time (to the best of my knowledge), that a vendor is

  • involving (hiring) prominent community members to do the actual architecture design and implementation
  • planning to completely open up their Linux distribution for any contributed development, e.g. use a package manager that can access arbitrary package feeds
  • trying very hard to make sure almost everything will be Free Software, from drivers up to the UI applications
  • actively providing documentation and interfaces for third party development on any level of the system, from debug interface, boot loader, kernel, middleware through the UI applications
  • using X11 to allow users to run any existing X11 Linux application (within resource constraints)

So basically, from a Free Software community level, this is exactly the kind of phone you want to get involved with, and play with. Yes, it's not the perfect phone. It runs a proprietary GSM stack on a separate processor. There are some minor, self-contained proprietary bits on the back end side in userspace. But well, it's probably the best you can do as a first shot of a new generation of devices, and without too much existing market power to put on upstream vendors.

OpenMoko / FIC Neo1973 GPL clarification

Since there have been some misinterpretations / rumors in the press about the amount of Free Software in the OpenMoko / Neo1973 product, I felt obliged to release a couple of further details on the GPL situation.

First of all, I'm surprised that somebody would think that I would engage in a project that would use something like binary-only drivers. I don't think that's ever going to happen ;)

Anyway, looking at the current development version, there is not a single in-kernel piece of software that is not GPL licensed. No proprietary drivers, no proprietary flash file systems, nothing.

In userspace, there only one single component that is not going to be under a Free Software License: It's our GPS daemon. The reason for this is, that the specific high-sensitivity assisted GPS that we wanted is only available in something like a "soft modem GPS", e.g. one that does most of the GPS signal processing in software.

Oh, and yes, the bootloader is u-boot (as the frequent reader of this blog might have guessed). So that is GPL licensed, too.

No news is good news

You might have noticed that the posting frequency in this blog has decreased quite a bit recently. In this particular case, no news is good news. There's been a lot of progress in a number of work related projects.

Some more thoughts on the results of GPL enforcement

Just a small personal note: Yes, this blog is currently seeing close to no updates. This is because I'm literally working every minute that I'm awake, with no time for anything else.

But to get to the main point of this entry: The results we see from GPL enforcement. I don't want to write about the legal results, since they have always been successful, in 100+ violations that I've been dealing with so far.

I'd rather want to talk about other results. They mainly fall into two categories:

Structural results, how I like to call them, show that the vendors / "the industry" now understand the GPL [better] and thus adopt policies and business practises that are more likely to be GPL compliant from now on. This is good, since it has the potential to prevent further GPL violations down the road, presuming license compliance is something that we value and strive for.

But how does Free Software actually benefit from GPL enforcement? I'm talking about the actual software, and not the movement, the community, the advocates, etc.

How many times have you seen some code coming out of a "GPL code release" from one of the many (mostly embedded) vendors that was actually useful to be contributed back to an existing Free Software project, or even that spawned a new Free Software project? I for my part am certain to say: Zero. The actual number might be close to zero, but very small anyways.

The next logical question is to ask ourselves, why it is like that. First of all, the code quality is usually extremely bad. Looking at kernel patches from the various vendors, I'd say the code quality is _by far_ off any scale that would ever even remotely be considered to be suitable for upstream inclusion. Not only do those vendors not care about any CodingStyle (which could be easily fixed), but they ignore any existing standard API's (why use them if we can reinvent our own?), don't ever spend a single second on portability issues such as SMP, DMA safe allocations, endian issues, 32/64bit, etc. This code is "throw-away software". Fire and forget. The complete opposite of the long-term maintainability goals of about any FOSS project I know.

I would be the most embarrassed man if I ever was involved with any such software. Having your name associated with such poor quality would be like a stigma. Any technical person would laugh. And yet, the managers of those respective companies proudly announce the availability of their so-called "GPL code releases". If they only understood how ridiculous they make themselves in the technical community. It's like if they were proudly presenting a drawing from a three-year-old kid as the new Picasso. They just don't notice because the number of people with a taste of art is apparently larger than the number of people with a taste of source code quality and aesthetics.

The next big problem is the perpetual preference of vendors, even in a market with only six month product life-cycles, to use ages old software to base their code on. Of what use is e.g. an obscure netfilter patch that was developed against kernel 2.4.18, something that is many years old and of no relevance to current stable kernels or even current development?

Now you might argue "What about projects like OpenWRT?". While they are no doubt very useful, it is quite simple. Those projects mainly benefit only the customers of the (probably formerly GPL infringing) embedded devices. Therefore, they benefit specific customers, and not Free Software Users in general. Even if OpenWRT or others invest huge amounts of work and manage to clean up / re-implement some of the awkward sources released by embedded manufacturer X, and push it into the upstream project (e.g. Linux kernel), it is something that most often only a very specific user base that benefits from it. All the really interesting bits, if there are any at all, are kept proprietary by the respective manufacturers, using legally extremely questionable practises such as binary-only kernel modules.

If one thinks a bit more, this whole sad process could have envisioned before. It's a myth to believe that Linux and other FOSS is so popular in the embedded market because vendors think it is more reliable, or secure, or even because of the maintainability, audit-ability, or even the benefits that users and developers get from being able to run modified versions of the software. If they were, we would see clean code and regular security updates. In reality almost every product is one gaping security nightmare. None of those potential benefits are of any interest to embedded vendors.

The response to the 'why' question is quite simple: They use GNU/Linux because this way they can avoid per-unit royalties that are very popular with alternative (proprietary) embedded OS's. It's a cheap commodity. Thus, it's not surprising how they treat GPL compliance. Disgruntled, not understanding the issues behind, releasing only the most incomplete non-building source code snippets that make any reasonable developer vomit at first sight. And since they themselves lack the skilled developers internally (they're not cheap!), their management goes ahead and releases something that is embarrassing. If I wanted to evaluate the technical skill-set of a company before making large-scale business with them, I'd [have somebody] look at their source code releases. It can tell a lot about technical expertise and corporate style :)

Please don't get me wrong. I'm not complaining that there is any legal shortcoming in those "GPL Code Releases" though there often is, but that is not the point of this article). But if somebody asks me, how much the actual Free Software source code benefits from the code that was released by the vendors, my honest reply would be simple and sad: None.

While this whole post might sound bitter and resignated, and like I wanted to give up GPL enforcement since it's not worth it: This is not the message that I want to put out. GPL enforcement remains important. I never assumed that there would be a lot of actual mainline-mergeable source code coming out of it, so I'm not disappointed with the enforcement. I just have the constant feeling that many people are driven by misconceptions, and nobody outside the hacker community really knows what's going on on a technical level.

QNTAL concert in Berlin

One of my favourite band for many years, QNTAL, have been playing tonight in Berlin. The concert was fantastic, and due to my recent high workload, I apparently actually missed their last album relase. They did very well with that latest release.

However, apparently day 15 of the tour (one concert every night) has already left quite some traces on Syrah's otherwise brilliant voice. It was still extremely good, but you could notice she's [again] having some problems :( What kind of torture must it be, to be an excellent singer with classical training, with a crystal clear voice - but then having chronical problems with your throat..

To my big surprise, the support band Unto Ashes was actually extremely good. I'm not saying this because I thought Unto Ashes was bad, but rather because support bands generally suck quite a lot. Maybe it's just me being unlucky, but this was actually the first concert with a great support band that I've been to.

All in all definitely a memorable evening. If it didn't eat that much productive time...

Linux World Expo in Utrecht, The Netherlands

Due to Armijn (of involvement in the programme committee of the 2006, I have been invited to do a session called "Free Software Master Class" together with Georg Greve from the Free Software Foundation Europe. Georg presented on "the business value of Free Software", whereas I was talking about "how to be GPL compliant".

The presentation went quite fine, and there were good questions coming from the audience. Hoewver, you could clearly tell that the organizers didn't really have any experience with holding conference/seminars, but just trade shows.

First of all, the seminar area was not reasonably shielded from the background noise of the trade show. Therefore the volume of the PA had to be quite high to combat that background noise.

Secondly, the light situation was way too bright for the audience to be able to read the image projected by the LCD projector. I mean, there were dozens of neon lights (that couldn't be switched off) directly above the screen, that just cannot work.

My third point of criticism was the organization of speaker travel and accomodation. If it wasn't for me meeting with Armijn at the night of arrival, I wouldn't have known to which hotel to go to. Furthermore, the hotel was located in a different town (so you couldn't just go back to the hotel during the day, to drop some stuff, or change clothes, or whateer). Then that hotel was undergoing a complete reconstruction. I could only take the question "do you need a wake up call" by the receptionist as an ironic joke. At 7.45am the power drilling started - way after all the other noise that started about half an hour earlier.

Luckily I had arranged for my own travel. Georg has received his ticket information only on Monday afternoon (and was leaving on tuesday!). This is not exactly how you professionally organize any kind of event.

I don't want to overly complain, but I just want to give motivation to improve that situation the next time.

Dual-Opteron liquid cooling leaking

I'm not really having that much luck with the liquid cooling system of my main workstation. Today, one of the CPU coolers (dual socket 940 board) started leaking. Unfortunately it was the cooler of the CPU sitting above the AGP and PCI-X slots, spilling coolant on th Radeon 9200 and E1000 cards.

Coincidentally all that happened while I was having a bath, but that just as a side-note.

Now the box still boots up and is accessible from the network. Just no graphics output. Pretty bad for what I use as a dual-head compile and development workstation. So far it looks like at least that AGP card has died. I already bought a used one on eBay (you can't get any Radeon 9200 these days, and that's the really last 'free' graphics chip out there [apart from Intel on-board stuff]...). It could also be the AGP socket or something completely different. I don't have any spare AGP cards, just PCI... 5V PCI that don't fit in the 3.3V-only PCI-X slots, so I couldn't test it with a different card right now.

Now since this is the second time I'm having quite big trouble with that liquid cooling system, this is a good time to re-think whether it was that good an idea. I still think it was. I mean, for the better part of two years, this system has been running day and night, without any problems. In fact it is so quiet that I now regard my Quad G5 (unloaded, all fans at minimum) as extremely loud. And it is that quiescence which I love so much, and it is even worth at least those two times I've now had problems.

Bollywood Musical in Berlin

Tonight I've been to Bollywood - The Show, a Bollywood musical that is touring through (I guess among other countries) Germany for the next couple of months.

It was truly amazing. First, there is the irony of playing a story that is remotely based on a true story - probably an idealized form of the story of the musicians and choreographer family behind this musical: The Merchant family. Secondly, the number of dancers is actually quite limited, so they need to danca and dance and dance for hours. What is usually done in many takes (with breaks) when shooting the song sequences of a Bollywood movie - those musical dancers have to do it all in one row. One some days even two shows on one day. What an amazing talent and stamina.

It's too sad to learn that such musicals can only exist in the west, since their cost of production is just too expensive for India, plus apparently the lack of a musical culture there.. quite strange, isn't it? I bet a lot of Indian Bollywood fans are definitely sad to lack the opportunity to see this (or another upcoming one, such as the Bharati).

Nedap voting machines in Europe

The regular reader of this weblog might have noticed that for more than a yearI've had an interest in the use of voting machines in elections, specifically Germany.

While my many other interests and projects have not allowed me to look into this subject as much as I wanted, some of my friends of the Berlin CCC have collected a lot of information on voting machines (German) and also actually had a chance to do some hands-on security research together with our Dutch hacker friends

Yesterday, their joint activities became public. First in a TV show that has been aired in the Netherlands. German media reports are catching up today. Expect some more coverage following-up the CCC press release, such as this one.

Now what was actually discovered? In short,

  • There are many possibilities for manipulations
  • That a proof-of-concept firmware for election manipulation on a Nedap machine has been developed
  • That the Nedap machine can be re-programmed just like any other computer, e.g. to turn it into a chess computer
  • That the Nedap machines actually have spurious emissions that can be used to detect which party / candidate is currently being voted from a range of at least a couple of meters distance by using a small radio receiver with earphones.
  • That any contemporary cell phone or Digital TV set-top-box has employed more security mechanisms than those voting machines. Cryptographically signed boot process? Signed applications? Trusted Computing? Such technologies are only employed for the protection of important data, such as commercial audio and video recordings. Unimportant matters such as democratic and free elections do not require any such secure technology, but use 1980's home computer technology.
  • That the legal requirements on the technology of voting machines in the Netherlands and in Germany do apparently not even come close to identifying (and preventing) the most basic IT security threats.

Therefore, the use of such voting machines must be halted immediately, at least until an independent board of renowned international IT security experts has been drawn to specify new technical requirements on their security, and until all old machines have been upgraded or replaced by such machines that follow those requirements.

Because any reasonable set of security requirements will inevitably lead to machines that are by far more expensive than those currently in use, it becomes even more questionable to build and use them in the first place. Why should a few hours quicker election results ever be worth even only the slightest increase in risk of election manipulations?

Bavaria's best gothic/dark wave/industrial/ebm club "Top Act" about to close

I'm sad to hear that the best club "close" (50km) from my old home city is about to close at the end of the year. This is extremely sad, and I suppose it will have quite an impact on the subculture there.

I can only hope that I'll find some spare time for a goodbye visit in November or December this year. A night at Goettertanz or La Nuit Obscure has always been a deeply touching, emotional and aesthetic event. No other club anywhere else has ever managed to make me feel anywhere close to how I felt at Top Act back then. Excellent DJ's, great choice of music, the right kind of people, 18+ limit for admittance, and a gothic dress code(!). Call that elite, if you want - I'll tell you: The result was spectaculous. People would travel 150+ km every weekend to get there.

Good bye Top Act. Thanks to Thomas Manegold and his crew, thanks for hosting that many memorable events. Thanks to Kodachi (didn't forget you!) for first recommending that location to me.

Obnoxious RoHS/WEEE rules and their German implementation

You might have heard about RoHS (Reduction of Hazardous Substances) before. I always thought it is a well-meant and important contribution of the European Union to reduce the amount of hazardous substances in electronic waste. As a supporter of many environmental groups, and an occasional voter for the Green party, I definitely support such a goal.

If I was to manufacture electronic equipment, then certainly I would consider it as my moral duty to pay for the cost of processing ('recycling', how they call it, if that was ever possible)the resulting waste. No debate on that at all.

Now I actually am involved with producing small quantities of electronic equipment, and suddenly those issues come up again. The product obviously only uses RoHS compliant components, no question on that. We do want to reduce the environmental impact, after all.

Now enter EU and German bureaucracy, combined with lobbying of large industrial electronics manufacturers, and you end up with the German implementation called "ElektroG" (Gesetz ueber das Inverkehrbringen, die Ruecknahme und die umweltfreundliche Entsorgung von Elektro- und Elektronikgeraeten [Law about distribution, withdrawal and eco-friendly disposal of electrical and electronic devices]). That law basically regulates and delegates the administration of the RoHS/WEEE guidelines to an authority called EAR (Stiftung Elektro-Altgeraete Register [Foundation for Registry of Electrical Devices]).

The way how this system works is:

  • All manufacturers and importers have to register themselves with EAR
  • They also have to register the quantity (weight) of produced/imported goods every month
  • They furthermore have to produce proof of having made a deposit on the amount of money required to "recycle" the resulting electronic waste, even in the case of bankruptcy of the producer/importer
This all sounds very reasonable and well-thought. Given the facts stated until here, I would still be an avid supporter of such a system.

Now enter the disaster: The minimum quantity that this system can deal with is the metric ton. This is very suitable for large manufacturers, but what about a small company that produces 100 units of 180grams of weight every year? It will take more than 55 years to fill up that metric ton. Now, if they actually allowed you to pay for one ton every 55 years, then that would be great. Obviously, they don't. Rather they employ an undisclosed lottery algorithm, which elects one registered producer/importer who has to take care of recycling one specific container that was filled last at the electronics waste collection station. Yes, every time one container is filled, they elect another lucky lottery winner. And in order to make sure that every possible "winner" could actually afford the disposal of that container, EAR has the "proof of bankruptcy-safe deposit".

You might think: Well, quite a fancy system, but assuming that algorithm was tuned right, there still is no problem, even for small producers, since the probability of them being chosen by the lottery is very low. And in fact it is. An EAR person has publicly stated in an interview that only producers having produced more than 3.5 metric tons of electronics are eligible to win that lottery. Great, since in our example that would be in 194 years. Son nothing to worry about, right?

Wrong. The administrative fees of EAR.

  • 155 EUR one-time fee for registration is still quite acceptable.
  • 85 EUR per product that is put on the market is fine, too.
  • 100 EUR for each notice of change in production quantity is a bit steep, given the inevitable flux of that figure.
  • 455 EUR for the validation of the proof of having made the deposit
  • 215 EUR annually for the re-validation of the proof of having made the deposit

Now what kind of bull**it is this? This means that during those 55 years we would fill one metric ton, we'd have to pay 12066 EUR only in administrative fees for validation and re-validation of the bankruptcy-save deposit? All that for the disposal of one ton of electronic waste, which costs [now] between 200 and 400EUR ?

I would be very surprised if such fees would not violate anti competition rules of the EU somewhere at some point. This is the creation of a serious market entrance barrier for small manufacturers of electronic equipment and nothing else. Call for Papers still open until Oct. 08

Many of you know that for the last three years I enjoy the conference for Linux, Free and Open Source Software formerly known as linux-bangalore, but now known as

Compared with other big international events, call for papers is always tremendously late, which means that it actually is only some 10 weeks in advance of the event. The same goes for the event website. Please don't consider this as a sign of weak organization. It's just like this, it has been like this, and it worked well. This 'late start' has never compromised the vitality and success of the actual event.

If you have some interesting and technical topic in the Free and Open Source software which you want to talk about, I suggest submitting a proposal with the speaker registration website. Expect an excited audience of up to 3,000 attendees.