OpenID Vulnerability

A rather interesting vulnerability in OpenID has been posted:

Ben Laurie of Google's Applied Security team, while working with an external researcher, Dr. Richard Clayton of the Computer Laboratory, Cambridge University, found that various OpenID Providers (OPs) had TLS Server Certificates that used weak keys, as a result of the Debian Predictable Random Number Generator (CVE-2008-0166).

In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and the fact that almost all SSL/TLS implementations do not consult CRLs (currently an untracked issue), this means that it is impossible to
rely on these OPs.

Neat stuff. (And a reason that software really should check CRLs.)

Debian releases etch-and-a-half

It looks like Debian's been impacted by the popularity of Ubuntu. They just released etch-and-a-half, which for the first time in Debian's history, is a update to a stable version of the distribution that includes new packages to support newer hardware. I am impressed. I'm not planning on going back to Debian for my laptop or desktop (the sauce Ubuntu adds to Debian is quite tasty), but it's a good step for Debian to make. (I remember having to build custom install disks to get Debian stable to boot on new hardware, it would be good never to have to do that again... =)

Ubuntu Hardy Heron and audio

Recently, I started using Banshee to play music on my work laptop, which runs Ubuntu. However, I found that I had sound multiplexing issues: No other sounds would work when Banshee was playing (or even when it was paused). It looks like despite many other things seemingly sharing the sound device nicely, Banshee didn't play well with others. After some internet searching, I got a pointer to this thread on the Ubuntu Forums. I following the instructions there, except the whole patching SDL thing, I figured I'd only go there if I found that I had an SDL app that didn't work. So far, so good, and it seems like it even works in Wine (the post claims that it doesn't work with Wine), and without using padsp! We'll see if I run into any problems, but so far, I'm quite happy.

Anyways, just wanted to share in case someone else has the same problem. (I actually rather like Banshee. It definitely pwns Rhythmbox.)

Mock Objects

Brett shared this post from the Google Open Source blog. While I'm not into Python, a mock object generator seems totally awesome. (Why didn't anyone tell me about this earlier?) Anyways, the Google Blog post linked to EasyMock, which is a mock object generator for Java. Now that looks really useful, since I spend my day job hacking on a very large Java system with not enough tests. EasyMock has quickly made it onto the short list of things I need to look into.


I just came across a method in our code that has a 52 character long name. I'd love to share the name, but I can't come up with a way to disguise the "sensitive" parts of it, and keep the spirit. So instead, I share my astonishment.

LinuxWorld Registration is open

LinuxWorld is no longer as cool or fun as it once was, but I tend to find it worth it just to get the latest Debian t-shirt. I often donate to the EFF as well when I'm there, and sometimes there is something else neat to see on the floor. It is currently possible to register for a free exhibits pass. They apparently also have">community days, which you can register for (also free!). I registered for the Ubuntu one, hopefully I'll be able to make at least part of that. Anyways, if you're going to go, drop me a line, and maybe we can meet up at the show.


Thanks to a link shared by a friend on
Google Reader, I have discovered Ack, and it is the greatest thing
since sliced bread. I don't think I'll ever use grep again. (And it
works anywhere Perl works, which means that if you're stuck on Windows,
you can use it there, too!)