Yours truly, ‰te>a…t

I like epost. I’d like it even more if they hurried up and processed my direct payment ability — which required a form and a void cheque mailed to an address in Toronto — but it’s a pretty good service. I get my bills, viewable and payable online, on the day of issue. No paper. This is good.

This is good because every single filing container I buy eventually ends up full of (paid) bills and financial administrivia. Less paper = less messy Stewart = happy Stewart. Some messes, like my electronics table, could be classed as glorious, however, and therefore joyous in their creation and use. Not all tidiness is good.

So I got my first Visa bill by e-post. Yay! Reviewed it, paid it. No hassle. But since this a PDF facsimile of my bill, something mighty odd has happened to my address:

It’s a perfect substitution cypher of my name and address. I’ve been out of the prepress industry for long enough not to immediately recognize it as a font encoding error. I’m confused why it might have A, T, E & N, but no M. Odd indeed.

24 hours after sending 286 digital QSL cards …

Of the 286 secure digital QSL cards I sent, 8 were undeliverable. I’ve had 25 responses so far:

  • Fourteen positive
  • Three wondering if I hadn’t seen their confirmation on eQSL/QRZ/LoTW
  • Two that don’t accept QSLs of any kind
  • One language issue; I have “Report” when “RST/RSQ” might be clearer internationally
  • One completely neutral
  • One auto responder
  • One with no record of a QSO in their log
  • One saying their callsign has been hijacked and that they are no longer an active ham
  • One negative

Of the positive ones:

  • Two have also sent real QSL cards (thanks, guys, but really, you shouldn’t have …)
  • Two asked how I did it.

Pretty good and quick response, I thought.

Secure digital QSL cards, part 2: shell script

Following on from Creating secure digital QSL cards with your LoTW certificate, here’s a Bash script to generate encrypted signed PDF QSLs. You will need to edit the certificate file name, the QSL blank file name, your call sign, your LoTW password and the PDF encryption password. After doing so, please keep the script safe, as whoever has your LoTW password can pretend to be you.

The only checks that this script doesn’t do (and probably should) are if you have pdftk and PortableSigner executables in your path. PortableSigner is rather weird the way it runs; you need to specify full paths for all files, or it dies.

The script is called like this:

mkdqsl.sh callsign date utc mhz mode report

for example:

mkdqsl.sh VE3KPK 2011-10-02 2341 7.03581 CW 499

Code below the fold.

Continue reading “Secure digital QSL cards, part 2: shell script”

Creating secure digital QSL cards with your LoTW certificate

Hams have sent out QSL cards since the hobby began. It may be less popular than it used to be, because mail seems slow now (especially when QSL bureaux are used), and there are online alternatives like eQSL, QRZ.com, and the ARRL‘s Logbook of the World (LoTW).

LoTW has been criticized for being too complex. It uses an X.509 public key signature to verify your submitted log entries, and a QSL is confirmed when the other party sends in a matching entry. In a way, it’s rather elegant, as the LoTW server does the work of matching the entries, so QSLs “magically” appear in your log. You don’t get a fancy QSL card in the mail or on your screen, and I think a lot of users miss that.

X.509 might be a bit unweildy, but props to ARRL for setting up a industry standard, robust (-ish; X.509 has its flaws), general purpose signing infrastructure. Since other file formats — notably PDF — support X.509 signing, you can use your LoTW certificate to make other data tamper-evident.

Here I document a method of creating a digital QSL card that can be e-mailed, and subsequently verified by the recipient as being legitimate. Any alterations to the file will break the signature, and the file will just appear as a regular PDF (or not display properly). The process can be used to sign any other Acrobat file. There are probably more streamlined ways to do this, but I only came up with it last night as the beginning of a scriptable solution.

You will need:

  • Your ARRL LoTW electronic certificate file. This is called callsign.p12; mine is VA3PID.P12
  • A means of making a QSL card as a PDF fill-in form. I used Scribus; it’s a free but powerful DTP system.
  • Pdftk, “the” PDF toolkit, to apply the QSL details to the PDF form. If you’re on Windows, you might want the Pdftk GUI.
  • PortableSigner, a java application for signing Acrobat files using an X.509 certificate.

(Quite a bit of what follows was learnt from the two pages Your first PDF form with Scribus – Scribus Wiki and filling in forms with pdftk, so thanks to the authors of those for the guidance.)

First, make your QSL card. Since you’re not going to print this, it can be any size you want, but postcard size is standard. At the very least, create spaces for the recipient callsign, the date, the time, frequency, mode used, and signal report.

Under these headings, I’ve made six PDF text form fields. Scribus creates form fields like text frames/boxes. I used plain text fields (which are selected by this icon: ), centred text, and with the name of the field set from the PDF Options → Field Properties context menu. Each field needs a different name. I used callsign, date, utc, mhz, mode, and report.

Save your QSL card as PDF. It might be an idea to check it to see if the form fields are really there and editable:

Now it starts to get really nerdy. Adobe specified the Forms Data Format (FDF) to allow PDF form data to be slung around. FDF looks a bit like PostScript or raw PDF:

%FDF-1.2

1 0 obj
<<
/FDF << /Fields 2 0 R>>
>>
endobj
2 0 obj
[<< /T (callsign) /V (VE3KPK) >>
<< /T (date) /V (2011-10-02) >>
<< /T (mhz) /V (7.03581) >>
<< /T (mode) /V (CW) >>
<< /T (report) /V (499) >>
<< /T (utc) /V (2341) >>
]
endobj
trailer
<< /Root 1 0 R >>
%%EOF

If you think of the T & V values above as Tag and Value, you can see that the file defines callsign=VE3KPK, date=2011-10-02, mode=CW, and so on. This step can be easily scripted. If you’re not sure what the fields are called, pdftk has a “dump_data_fields” option that spits out the field names as plain text.

pdftk is also used to put the data from the FDF file into the PDF template. It’s a slightly hairy command line:

pdftk QSL-blank.pdf fill_form VE3KPK.fdf output QSL-VE3KPK.pdf flatten

Here the source file is QSL-blank.pdf, the FDF data is VE3KPK.fdf, and the output is to QSL-VE3KPK.pdf. The flatten option turns the pdf form into regular, uneditable PDF. (These details are from a real QSO, by the way, and by utter coincidence I’m writing this in a hotel in Ken VE3KPK’s home town in Northern Ontario.)

Checking that this worked in Adobe Reader:

For many people this is probably enough (or perhaps, too much already!) but I really want to have a digital QSL card that will stand up to some scrutiny. This is where your LoTW certificate file comes in.

PortableSigner is a java application for signing PDF files. It seems quite happy signing the files made in this workflow. It can run from the command line, or as a windowed application:

You use your .p12 signature file and its password to sign the PDF. Once the file is signed, you can send it to your contact, and they can prove (and hopefully, any certification/contest agency will agree) that the contact was confirmed.

Viewing the signed document is deeply unimpressive:

It’s not such a big deal that Reader says that “the validity of the certification is unknown”. It’s just that Adobe doesn’t have the ARRL’s certificate loaded into everyone’s reader (what!? mock outrage!) and so it doesn’t match a certificate it knows about. You have to dig a bit deeper into the signature panel to check out who is responsible for this.

Well, that’s a start; at least it was signed by someone with my e-mail address. There’s more under Show Signature Properties:

There’s the ARRL signature in there. Buried deep in another properties tree is my callsign; can’t find it today, but I saw it in there last night. Either way, the digital QSL PDF is now signed and certified that it came from me, as an ARRL LoTW user.

oh the irony

in pdf2ps output:

 **** This file had errors that were repaired or ignored.
 **** The file was produced by: 
 **** >>>> Adobe PDF Library 7.0 <<<<
 **** Please notify the author of the software that produced this
 **** file that it does not conform to Adobe's published PDF
 **** specification.

demented tiles for demented people

I’d totally put these up on my walls, but I may end up climbing them:

I made them by taking 32×32 pixel tiles of random grey noise, Atkinson dithering them (using pamditherbw) then vectorizing them using potrace. If you click on the tiles, you can download/view the PDF source of each.

(pgmnoise, the source of the grey noise, relies heavily on the system time as its seed. Before I introduced a delay between image generation, several images appeared almost identical.)

banjo chord forms

I’ve been trying to learn banjo chords for a while, and the books I have keep flopping closed. So I resolved to make a blank chord form that I could fill in, like this:

You might wonder why it goes to the 7th fret. If you’re in Double C tuning, you’ll need that if you’re drawing a tuning chart.

So for G tuning, the F chord would look like:

There are 12 fretboard images to a page – that’s enough for four whole folk songs!

Download: stewart’s banjo fretboard / chord grid [PDF].

Lady Goosepelt Rides Again!

Lady Goosepelt, from What a Life!

In case anyone wants them, the 600 dpi page images of What a Life! are stored in this PDF: what_a_life.pdf (16MB). If you merely wish to browse, all the images from the book are here.

I got a bit carried away with doing this. Instead of just smacking together all the 360 dpi TIFFs I scanned seven years ago, I had to scan a new set at a higher resolution, then crop them, then fix the page numbers, add chapter marks, and make the table of contents a set of live links.

I’ve got out of the way of thinking in PostScript, so I spent some time looking for tools that would do things graphically. Bah! These things’d cost a fortune, so armed only with netpbm, libtiff, ghostscript, the pdfmark reference, Aquamacs, awk to add content based on the DSC, and gimp to work out the link zones on the contents page, I made it all go. Even I’m impressed.

One thing that didn’t impress me, though:

aquamacs file size warning

I used to edit multi-gigabyte files with emacs on Suns. They never used to complain like this. They just loaded (admittedly fairly slowly) and let me do my thing. Real emacs don’t give warning messages.

doesn’t rule my web

Lots of people are drooling over the book Rule the Web. I’m not, particularly. It’s good in parts, but reminds me so much of those mid-late 1990s “Best Web Directory Ever” tomes that are currently propping up shelves in bargain bookstore, and propping up houses built on landfills in Arizona.

My biggest complaint is its US-centric approach. Pretty much everything related to buying, selling or finding people or things mentioned in the book only applies to the USA.

As is the way when web meets paper, some things are out of date already. It happens, but it’s a shame when the book’s pretty new in the shops.

I did find a couple of things I genuinely didn’t know about, but might find useful:

  • Combine PDFs, for slicing and dicing PDFs under OS X. (I could do this with pdftk, but Combine PDFs is purty).
  • The Freesound Project is a collaborative database of Creative Commons licensed sounds. When I next need a comic boing, I’ll know where to look.

It also gave links to OnyX and HandBrake, both of which I already use. But that’s about it. I’d have been peeved if I bought the book (yay, Toronto Public Library!), as this is more of a basic manual than a compendium of coolness.

the great lost opportunity

I’ve always thought that Adobe missed a great opportunity when they didn’t make their basic PDF writer freely available for Windows. Other OSs now have transparent print-to-PDF options. If you’re lucky, a corporate PC might have MS Office Document Image Writer installed, but a 300dpi monochrome TIFF can’t compare to a PDF.

Still, one can always install PDFCreator (if you have admin rights to the PC, of course). It’s a shame they decide to bundle a marginally dodgy toolbar/spyware package with it, but you don’t get that if you use the MSI installer package.

“The clean air choice of Earth Day Canada.”

So, what would you think would be “The clean air choice of Earth Day Canada“? A bicycle, perhaps? Some kind of renewable energy? Some really brilliant Canadian enviro-social development, like a biodegradeable donut?

Nope, a car; the Toyota Prius. Last time I checked, it still used petroleum (with its high environmental and geopolitical toxicity). It still causes gridlock; I see Priuses (Prii? Your moon-pie eye!) inching along the Gardiner from the GO train with all the other wretched junkers. The way I see it, it’s not looking like part of the solution. It’s a bit like having an official assault rifle for the the International Day of Peace.

Toyota also give out $5000 Toyota Earth Day Scholarships. I mean, that’s nice and all, but it’s hardly giving back. If you look at all the scholarship materials, it’s carefully arranged so it looks like the event is called Toyota Earth Day, with the ‘scholarship’ on the next line. Nice cooption. Good greenwash.

ex dexit, or trying to be

Coo, was I really all fired up about Dexit, like I appear to have been in January 2004? ‘Cos, basically, Dexit sucks.

The coffee place I get my morning fix got rid of its unreliable Dexit machine when it changed hands. So I’ve got nearly $70 sitting on the useless Dexit tag, doing nothing.

Today I called for a refund, and discovered that Dexit won’t refund your balance. I wouldn’t have signed up for it if I’d known there’d be this in the ultra-sneaky Dexit user agreement (PDF):

Only in the event of your death (and upon receipt of such documents as Dexit reasonably requires in such circumstances as to whom is entitled to your estate funds), or Dexit closing your Dexit Account without cause, will the remaining funds in your Dexit Account be repaid to you. “Cause” will include any violation of this Agreement, any fraud or attempted fraud, any other operation of the Dexit Account or use of a Dexit Tag in an unsatisfactory manner, or non-use of your Dexit Account for over three (3) years.

So, do I hafta kill myself to get my money back?

Oh, and Dexit’s phone support staff are untruthful. I needed to speak to a supervisor. They promised one would call before 8pm this evening. It’s 9:55 now, and I’ve heard nothing.