May 2007

Finally iTunes is going to offer music downloads that will not be crippled by DRM. For a start only songs by artists of EMI will be available without DRM, but I think as soon as other labels see that there is still money to earn they will jump in, too. Or - at least I hope that most will. Universal probably won’t since iPod owners are thieves anyway ;)


After typing several months of bank statements into Gnucash once again, I decided it was time for HBCI homebanking. The first step was to find an affordable smartcard reader that was supported by Linux.
The Cherry ST2000U was available at Amazon for 40 Euro (approx. 50$) and was on the list of supported devices of the ccid driver.
Anyway the installation was not straightforward and I did not find an existing howto for this, so I want to give a short overview of what I did to get the reader running.


First I checked if I had all the correct USE flags set on my system. For HBCI homebanking the flag “hbci” is required. To use a crypto smartcard for gnupg the flag “smartcard” is also required.

I wanted to use the newest versions of all packages which are at the time of writing:

  • app-crypt/ccid-1.3.0
  • sys-apps/pcsc-lite-1.4.2
  • sys-libs/libchipcard-3.0.2
  • sys-libs/gwenhywfar-2.5.4

All of those packages are masked for x86, so the following lines have to be added to /etc/portage/package.keywords:

=app-crypt/ccid-1.3.0 ~x86
=sys-apps/pcsc-lite-1.4.2 ~x86
=sys-libs/libchipcard-3.0.2 ~x86
=sys-libs/gwenhywfar-2.5.4 ~x86

Now start the emerge by doing

emerge ccid libchipcard


First of all we need to copy the default configs to the correct places. For USB readers no special configuration is needed:

cp /etc/chipcard3/server/chipcardd3.conf.example /etc/chipcard3/server/chipcardd3.conf
cp /etc/chipcard3/client/chipcardc3.conf.example /etc/chipcard3/client/chipcardc3.conf

The next step is to copy the ccid_ifd driver to the drivers directory of libchipcard:

cp /usr/lib/readers/usb/ifd-ccid.bundle/Contents/Linux/ /usr/lib/chipcard3/server/lowlevel

Now check if the driver is found. Running chipcardd3 addreader --dtype list should list a lot of drivers. Most of them will be marked with [not installed] but the very first “ccid_ifd” should not have this label.

If the driver was found we can start the chipcard server for the first time - without attaching the card reader!

chipcardd3 --pidfile /var/run/ -f --loglevel debug --logtype console

After starting the daemon you may now attach the card reader. After a few moments chipcardd3 will print some debug lines while it detects the new hardware. The last line should look like this:

Device UsbRaw/046a/003e is not a known reader

Unfortunately the ccid driver lists the Cherry ST-2000U as a supported device but does not have it included in the config file. To change this open /usr/share/chipcard3/server/drivers/ccid_ifd.xml in an editor and look for the entry of the “Cherry ST-1044u”. The setup of the ST1044U and the ST2000U is identical, so we can simply copy that part and change the names and USB IDs. Add the following lines right behind the ST-1044u entry:

<reader name="ccid_cherry_st2000u" busType="UsbRaw" addressType="devicePath" devicePathTmpl="usb:$(vendorId:04x)/$(productId:04x):libusb:$(busName):$(deviceName)" vendor="0x046a" product="0x003e" >
<short>Cherry ST-2000U</short>
<!-- remaining child elements copied unchanged from the ST-1044u entry -->
</reader>

After saving, remove the card reader, restart the chipcard-daemon, attach the reader again and the output will show that the reader is detected and configured. As a last check you can run chipcard3-tool list. The output should look like this:

Server: 46583ef0
  - auto1-ccid_cherry_st2000u (ccid_cherry_st2000u, port 0)

That’s it, the reader works now. First thing I did was inserting my Geldkarte and running geldkarte3 loaded to see if the amount was correct ;-)
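An added example (not part of the original post): a Python check that takes the daemon's "is not a known reader" line and looks for a matching reader entry in the driver XML, flagging entries whose IDs do not parse as hex. The XML is a constructed, trimmed stand-in for ccid_ifd.xml; the ST-1044u entry name and its zeroed IDs are placeholders, and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

LOG_RE = re.compile(
    r"Device (\w+)/([0-9a-fA-F]{4})/([0-9a-fA-F]{4}) is not a known reader")

def parse_unknown_device(line):
    """Return (bus_type, vendor_id, product_id) from a debug line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2), 16), int(m.group(3), 16)

def reader_entries(xml_text):
    """Map (busType, vendor, product) -> reader name; also list bad entries."""
    entries, malformed = {}, []
    for reader in ET.fromstring(xml_text).iter("reader"):
        name = reader.get("name", "?")
        try:
            vendor = int(reader.get("vendor", ""), 16)
            product = int(reader.get("product", ""), 16)
        except ValueError:
            # e.g. a pasted "0×046a" with a multiplication sign instead of "x"
            malformed.append(name)
            continue
        entries[(reader.get("busType"), vendor, product)] = name
    return entries, malformed

def lookup(line, xml_text):
    """Name of the configured reader matching the logged device, or None."""
    device = parse_unknown_device(line)
    if device is None:
        return None
    return reader_entries(xml_text)[0].get(device)

# Constructed sample data. The ST-1044u IDs are placeholders, not real values.
ST1044 = ('<reader name="ccid_cherry_st1044u" busType="UsbRaw" '
          'vendor="0x0000" product="0x0000"><short>Cherry ST-1044u</short></reader>')
ST2000 = ('<reader name="ccid_cherry_st2000u" busType="UsbRaw" '
          'vendor="0x046a" product="0x003e"><short>Cherry ST-2000U</short></reader>')
XML_BEFORE = "<driver>" + ST1044 + "</driver>"
XML_AFTER = "<driver>" + ST1044 + ST2000 + "</driver>"
XML_BROKEN = "<driver>" + ST1044 + ST2000.replace("0x", "0\u00d7") + "</driver>"
LOG_LINE = "Device UsbRaw/046a/003e is not a known reader"

if __name__ == "__main__":
    print("before edit:", lookup(LOG_LINE, XML_BEFORE))
    print("after edit: ", lookup(LOG_LINE, XML_AFTER))
    print("unparseable:", reader_entries(XML_BROKEN)[1])
```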

While instant messaging has become one of the major communication tools besides email, security is almost zero. Skype is the only system that boasts encryption - but nobody really knows what the Skype code is up to.
Whenever other IM systems like ICQ, AIM, Yahoo Messenger and MSN are used the conversation can be spied on with a simple packet sniffer. And perhaps even more important: the messaging service gets the cleartext of all conversations.
While some clients have encryption plugins using RSA or GPG encryption, most of these plugins like pidgin-encryption (formerly gaim-encryption) are limited to one IM client. For a long time I had been looking for a solution that would work from my GNOME pidgin/gaim to a friend's KDE kopete setup. A solution working cross-platform from Windows to Linux would be even better.

The Off-the-Record Messaging project aims to provide a solution by supplying a library that does all the encryption and signing without depending on a specific instant messaging client. Plugins for various clients connect the library to the requested platform. As far as I have found out there are plugins for kopete and pidgin/gaim. Mac OS X and Trillian users can use a proxy for ICQ/AIM.

Setting up the plugin for pidgin is straightforward: in the plugin options we can create a keypair for each IM account. In the message window a new button beside the input box will appear. A single click tries to initiate a secure connection to the other side. If everything works correctly the button will change and the following messages will be encrypted.

Unfortunately I’m not a user of Claws, but this plugin should be included in every mail program: AttachWarner. The idea is not complex to implement, but it is still great: if the email contains typical phrases indicating an attachment (“please find the attached file”) and no attachment has been added, a warning will appear when you try to send the mail.

Right now Evolution offers support for Usenet newsgroups via NNTP, but no support for RSS. As newsgroup usage is going down and RSS is _the_ news source for most internet-savvy users now, it is a good thing to see RSS support for Evolution coming up. I wasn’t yet able to get the plugin compiled, but the screenshots on the project page look quite promising.