Today I wanted to try out off-the-record messaging (OTR) using mcabber. I did not really find any documentation or web sites saying anything else than "It works!" so I decided to write this Nano How-To for other people having the same problem.

Get a usable mcabber version

mcabber started supporting OTR from version 0.9.4 onwards. E.g. the version in Debian "Etch" 4.0 is way too old (0.8.3), so you have to make do somehow different (back-port, source compile, magic, etc.).

I created a .deb of mcabber 0.9.7 using the current testing version as a template (for ARM only, so no downloads). To do this I had to recompile the libotr2 package, too, as 3.0 apparently is too old.

Set up mcabber for OTR

mcabber stores its configuration in ~/.mcabber, and its OTR keys in ~/.mcabber/otr, so mkdir ~/.mcabber/otr.

You also have to append/uncomment set otr = 1 in ~/.mcabber/mcabberrc. AFAIK this has to be done in the configuration file and a running mcabber has to be restarted for key generation.

Key generation takes time (roughly seven minutes on my NSLU2, mere fractions of seconds on your shiny new 256-core CPU) and will be started as soon as you restart mcabber. The key will be deposited in ~/.mcabber/otr/<JID>.key

Now set up your buddies for OTR

Of course you have to talk them into using a OTR capable client but that is beyond the scope of this document ;). What I mean is that you have to enable OTR for your buddies in mcabber by issuing /otrpolicy <JID> opportunistic or /otrpolicy <JID> always. The value of <JID> can be an actual JID (e.g. foo@bar.baz or . which is the currently selected buddy. You can (and should) save this in your ~/.mcabber/mcabberrc like this:

otrpolicy <JID> opportunistic

(Or always instead of opportunistic, of course.)

If you now talk to your buddy a OTR channel will be established (the first thing you say will be unencrypted so you probably want to say something inconspicuous like "Hi!", and not directly "Care to overthrow the government of $COUNTRY?"). mcabber will print these messages:

*** OTR: new fingerprint: NNNNNNNN NNNNNNNN NNNNNNNN NNNNNNNN NNNNNNNN
*** OTR: channel established

where NNNNNNNN NNNNNNNN NNNNNNNN NNNNNNNN NNNNNNNN is the fingerprint of your counterpart. Verify this via a secure channel (which of course is not the OTR channel as long as the fingerprint is not verified... use a signed and trusted email for that).

If you have verified your counterpart's key issue /otr fingerprint <JID> "NNNNNNNN NNNNNNNN NNNNNNNN NNNNNNNN NNNNNNNN" (spaces are important!) to trust the key. This will be saved in ~/.mcabber/otr/<YourJID>.fpr automatically so no need to change your ~/.mcabber/mcabberrc for this.

Now you and OTR should be all set (up). Have fun and don't overthrow too many poor governments! And Kathrin, thanks for your help :).

Kathrin, with whom I will visit Ireland Real Soon Now™ (i.e. late September), asked me if I am letting this blog die. No, I don't. I dutifully pay my Fellowship fees, as I believe I am supporting a greater and better cause through it. I just never was this big blogger, as I am a very private person. Also I kind of feel inadequate using my Fellowship blog for personal stuff, whereass ‘all’ the other Fellows blog about important stuff. But as I do not intend to create another blog, you just have to accept that. Which is nice for ‘suck it!’ ;)

To at least say something about free software, I may add how lucky the people are which never once in their lifes touch any Microsoft Windows platform whatsoever. A little example: For my company I am coordinating the introduction in Germany of a company-wide VPN solution. This solution is a nice program (in the confines of proprietary software that is) and is generally hassle free and easy to use. But installing it on ‘patient zero's’ laptop first took the better part of a week. Then one had to package it for our software deployment solution, which taught me the value of the .deb-Package format and apt &c. (as if I did not already knew that), even though I did not do the actual packaging.

The software (really an assembly of different components) came ‘packaged’ in a folder structure using a VB script ‘installer’… which works surprisingly well. My colleague decided to use this script instead of starting from scratch. Of course the script tried to do the right thing by uninstalling other VPN solutions. Now this is not a problem at all, as this new VPN solution is scheduled to replacy any existing solution at my company.

The only thing I have a problem with is the ‘why?’. Why in the name of the universe does one have to uninstall other VPN solutions? Oh, alright, it says in the accompanying documentation that this VPN solution is incompatible with other VPN solutions. Well then: why? Apart from making sure that the routing table is in order no one ever has to uninstall $VPN[0] just to be able to install $VPN[1] (or indeed $VPN[$i]) on any Unixy system I encountered. And why should one need to? Virtual interfaces are all perfectly compatible with one another, and if you do not connect to different networks with the same IP address range everything is just dandy. I just don't get it…

To me this can only mean one thing: spread free software. Completely free systems. Free infrastructure. Stable, reliable, working, compatible systems. I cannot understand how otherwise sophisticated people accept the occasional blue screen (yes, this still happens) or computer that stopped responding and happily reboot (okay, in light of the reboot actually taking up to ten minutes on older machines this forced coffee break may actually appear a nice distraction). But I deeply loathe problems I cannot get to the bottom of and so will never accept this kind of computer ‘experience’, and will never shed a tear looking back to my Windows days.

And the title of this blog entry? Well, last time I blogged I was ‘not dead yet’, but you can consider me dead from now on (dead and zombified, shambling around the streets, slowly decomposing, looking for the living to devour, that is ;)).