A couple of weeks ago I got me one of these: 
It takes a bit of fiddling to get the Philips software on the PC and device to see each other but once that's done it works a treat. My only complaint is the choice of colour for the display. Light blue text on a blue background although very funky looking makes for reading text on the display from more that a few feet away kinda hard. It would have been nice if it could be inverted to improve the contrast. Nice gadget though.
I'm on annual leave just now which is sadly coming to an end :(. However I've had a damn fine time ploughing through the pile of books that have sat unread for ages -
Joseph Finder - The Moscow Club - This is the second Joseph Finder book I've read and it also happens to be his debut title. I was a bit worried that being his first book his writing style and skill may not have fully developed, kinda like Dan Brown's earlier efforts which are pretty so so. I was however pleasantly surprised to find that it's a real page turner. 8/10
Hunter S. Thompson - Fear and Loathing In Las Vegas - Hunter S. Thompsons classic 1970's novel about his chemical fueled search for the American Dream. Totally outrageous and of it's time. 7/10
Luke Rhinehart - The Diceman - another cult classic (partly based on fact) about Rhinehart's decision to live life by the roll of a dice. It kinda gets a bit lost in itself near the end and you get the feeling that the content of the last 50 or so pages was decided on the roll of a dice no doubt. 7/10
David Wolstencroft - Good News, Bad News - Wolstencroft is the creator of Spooks and Good News, Bad News is his debut novel about two modern day British Spies assigned 'wet work' on each other. Not a bad read for a first novel and it's a reasonable page turner but it kinda just didn't have that 'you gotta read this' spark about it. 5/10
David Wolstencroft - Contact Zero - Wolstencroft's second novel which is again set in the murky world of the British spy business. This is a cracking read about a handful of MI6 'probationers' who are hunted down by their own, and who in turn are on the hunt for the mythical 'Contact Zero' who they hope will provide them sanctuary. This is a way better novel that Good News, Bad News. 8/10.
Joseph Finder - Killer Instinct - This is Finder's latest novel and like Paranoia we find ourselves immersed in the cut and thrust of high technology big business. The main character, Jason Steadman, befriends ex-special forces tough guy Kurt Semko, gets him a job in his company's Corporate Security division and then things start to go sour. This book was yet another great page turner, I read it from cover to cover in a single 6hr sitting. 7.5/10
My current read is Quicksilver: The Baroque Cycle by Neal Stephenson. This is a 900 or so page tome and the first of the Baroque Cycle trilogy. I'm about a hundred pages in and beginning feel that it's a meandering read, there's a lot of unnecessary padding and I can't seem to get the point of the book. I've heard so many good things about Cryptonomicon and I realise that Quicksilver was written afterwards as a prequel and hence me reading it first. However I really hope I've got the energy to make it to the end. Even Martin gave up on it which is a bit of a worry. I too also hate investing lots of time in books with >500 pages. I feel that if you haven't started getting to the point or even within ten miles of it within 150-200 pages then I'm sorry your wasting my time. Score so far....2/10.
Pink Floyd's Pulse DVD is truly awesome but you do need a decent 5.1 surround sound to appreciate it properly. Watching it really brought back memories of seeing them at Wembly Stadium in 1987 - 9/10.
Hostel - This is a pretty gruesome little affair where three back packer blokes are enticed to a Hostel in deepest Slovakia by promises of tasty lasses who let it all hang out. On the surface the hostel looks pretty appealing to the three lads but they soon get more than they bargained for. The victims soon get worked on with a wide range of power tools and other DIY stuff you might normally find in B&Q - 7/10.
Basic Instinct 2 - Another pretty gruesome affair but for all the wrong reasons. If it hadn't been for the UK location and British acting cast - David Morrissey, David Thewlis, Charlotte Rampling an Stan Collymore (isn't he meant to play footy?) - then the DVD woulda been back in the case within 30 mins of watching. Utter cobblers - 3/10
I can't say I'm a huge fan of recent Hollywood attempts at bringing graphic novels and comics to the big screen. They usually turn into insipid heartless vehicles for whatever American eye candy they pay millions of dollars to turn up and generally act badly.
V for Vendetta on the other hand is a nice surprise. I read the graphic novel a while back and absolutely loved it. When I heard that the novel had been earmarked for the silver screen I had that horrible sinking feeling about the compromised crap that Hollywood would no doubt churn out.
However I was wrong. The film doesn't exactly stick to Alan Moore's original creation and there's plenty of artistic license taken by the director of the film but the end result is 2 hours of highly enjoyable viewing. The cast is excellent as well (not sure about Natalie Portman's made up English accent though) - John Hurt, Hugo Weaving, Stephen Fry and Stephen Rea amongst others. One of the nice things about the film, and it really surprised me because the producers are the Wachowski brothers, is that it's the script and the acting that keeps your attention instead of high-tech special effects. Also at no point in the film did you get that feeling of "get on with it" either. All in all 8/10.
I finally got round to reading the last book in Philip Pullman's 'His Dark Materials' trilogy, The Amber Spyglass. If you haven't heard of these before then I do thoroughly recommend them. I don't have the time to summarise in a paragraph what the story is about, suffice to say we've got parallel universes, armoured bears, witches, zeppelins, quantum physics, daemons, angels, hair bombs and an good old fashioned battle between good and evil. 9/10. This site does a way better job than I can do of summarising the books.
The other book I finished this week is Paranoia by Joseph Finder which I picked up on recommendation by my mate Spence. This is a really good page turner about Adam Cassidy, a hi-tech product marketing bod and professional corporate waster who is blackmailed into stealing corporate secrets from his company's competitor. I read it in a day it was so good. 8/10.
A year ago I picked up Six Days by journalist Jeremy Bowen which is an account of the 1967 Six Day War between Israel and Syria, Egypt and Jordan. I'd been dipping in and out of it for the last three months and stone me this week Israel is at it again! Anyway, it's highly topical and explains, amongst other things, the background and reasons for territorial anomalies such as the Gaza Strip, the West Bank and other Israeli landgrabs over the past 60 years.
The Legacy has been treated to a shiney new set of Oz Super Leggera 17" Alloys wrapped in Toyo Proxes T1S 215/40ZR17 rubber. The car sticks to the road in high speed corners now and there's not even a hint of understeer like my old Mondeo. The Mondeo had the worst understeer of any modern car I've ever driven, even with decent tyres...trully appauling and trouser soiling.
I also fitted four new high performance vented, grooved and drilled brake discs and carbon fibre pads which makes the car stop on a sixpence.
Any go here http://blog.zygonia.net/content/binary/DSCF0249-s.jpg and ogle at my shineys.
Last week my trusty old Mondeo Diesel stripped it's timing belt and then went on to commit engine hari-kari. Valve heads were lopped off and given a sound thrashing in the piston pots and gawd knows whatever else got mangled, dented and fractured. The cost of an engine rebuild, 600-800 quid, was too much to swallow and there was no guarantee that it would've run properly again. It was a 98 model and I paid £1200 for it two years ago and racked up 35000 miles (it failed with 153000 miles on the clock) so I guess I got value for money. I was sad and disappointed to see it go because I'd kinda hoped for another year of motoring out of it before looking for something else and it was a really comfy car to get around in.
Anyway I needed a car and so it was time to go shopping and I ended up with a 1992 Subaru Legacy 4WD 2.0 GT Turbo. That model era is my favourite shape of Legacy and really looks the business compared to the later euro-curvy-bulgy designs that sadly polluted the minds of Japanese car body designers from the mid 90's onwards.
My bro in NZ has one which I got to use loads when I was over there last year and I absolutely fell in love with it. These are no ordinary estate cars, the standard power plant puts out 236 BHP and the 0-60 time is 6-7 seconds (at a guess). It's the first car I've owned that plants you firmly back in the drivers seat when red-lining all the way through the gears from standstill, through 9 speeding points and all the way to loss of license and a year in jail. It's awesome!
My car at the moment is pretty much in stock condition but the previous owner added a new stainless steel sporty exhaust system which coupled with the boxer flat four engine makes it the most interesting and loudest sounding car I've owned. This is it here -
It doesn't look terribly flash at the moment, but for the first time in my life I've had the urge to do boy racer stuff to a motor and pimp my ride. I'm fancying new 17" alloys, low profile rubber, dropping the suspension, debadging and new paint job and of course the obligitory turbo waste gate dump valve :-) Must be a late 30's crisis thing or something. This is my brother's pimped up Legacy but I reckon I'll be getting wheels with a bit less bling -
I flattened a box the other day and installed a dual boot system with Vista Beta 2 and Longhorn Server Beta 2. Vista is quite nice and I've kinda gotten used now to the new UI but whether I'll do my usual revert-to-Windows-Classic-look-and-feel remains to be seen yet. The box I installed onto has the following spec -
Athlon AMD 2500+
Asus A7V600-E Motherboard
1.5GB DDR333 RAM
Western Digital 120Gb SATA Drive
Asus NVidia GeForce 4 Ti-4200 128Mb Delux (V8420)
The overall performance is not bad but the system is let down by the graphics card which drags the overall 'Performance Rating' down to a score of 2. This means that the Aero Glass UI doesn't get enabled and it falls back to the Windows Vista Basic look and feel which looks like a chromed up version of the XP teletubby UI.
In an attempt to improve the performance rating score I bought an Asus N6200 256MB graphics card which is based on the NVidia 6200 GPU. According to this NVidia Vista page the 6200 GPU is 'Vista Ready'. In reality the card is a disaster and causes Vista to lock and hang for long periods at a time with the MS supplied WDDM driver. The latest NVidia Beta 2 driver (release 88.61) just won't install and complains that there are no drivers compatible with my current hardware. Trying a manual hardware install using Add Hardware in the control panel and browsing to the 'nv_disp.inf' results in an empty list, so no joy there either. It's possible that the Asus implementation just isn't quite what Vista is happy with in the current Beta build.
I have a plan in the pipeline to build an uber machine with some new Intel bits but I kinda hoped this existing box would've been sufficient for the time being.
Yesterday I was working on a product list using the Gridview component and needed to render the list of products ordered by category. The list also had to have a subheading for the category of the product e.g.
It took a while to figure out but this article by Tim Heuer (there's a show/hide code at the bottom of the page) helped solve the problem. With a minor modification I got what I wanted.
I didn't require the sorting mechanism so I assigned the DataKeyNames property of the Gridview the names of the fields used to order the list before binding to the datasource so that I could pick out the category ID (line 71) in the controls overridden Render method:
1 protected override void Render(HtmlTextWriter writer)
2 {
3 Table table = (Table)this.productsGrid.Controls[0];
4
5 int lastCategory = -1;
6
7 foreach(GridViewRow row in productsGrid.Rows)
8 {
9 int realIndex = table.Rows.GetRowIndex(row);
10 int currentCategory = Convert.ToInt32(this.productsGrid.DataKeys[row.RowIndex].Values[1]);
11 if(currentCategory != lastCategory)
12 {
13 GridViewRow groupHeaderRow =
14 new GridViewRow(realIndex, realIndex, DataControlRowType.Separator, DataControlRowState.Normal);
15 TableCell newCell = new TableCell();
16 newCell.ColumnSpan = this.productsGrid.Columns.Count;
17 newCell.BackColor = System.Drawing.Color.FromArgb(233, 229, 229);
18 newCell.ForeColor = System.Drawing.Color.DarkGray;
19 newCell.Font.Bold = true;
20
21 switch(currentCategory)
22 {
23 case 515:
24 case 517:
25 newCell.Text = "Home Products";
26 break;
27
28 default:
29 newCell.Text = "Business Products";
30 break;
31 }
32
33 groupHeaderRow.Cells.Add(newCell);
34
35 table.Controls.AddAt(realIndex, groupHeaderRow);
36 lastCategory = currentCategory;
37 }
38 }
39
40 base.Render(writer);
41 }
Yay! MS have a shiney new website just for IIS at http://www.iis.net. If I were you, my first port of call would be the .NET show interview with Bill Staples and Scot Guthrie where they show off some of the really cool features that are going to be part of IIS7.
Sparkplug (Dave) you're right about not expecting the ORDER BY clause to guarantee which results are returned by the TOP clause but in if you look at the execution plans for the view run on SQL 2000 and then on SQL 2005 we can see that SQL 2000 doesn't optimise out the ORDER BY:
Here's the view
create view [dbo].[testtop] as
select top 100 percent * from prop_tbl_virtualtour order by propertyid
Here's the actual execution plan on SQL Server 2000 and we can see that the ORDER BY clause is honoured -
and this is the actual execution plan on SQL Server 2005, the ORDER BY is removed because TOP 100 PERCENT is returning all rows -
I'd say that's a breaking change, the behaviour in SQL Server 2000 is pretty consistent across a fairly wide selection of test cases.
Over the weekend I migrated various databases to SQL Server 2005 only to find that the hierarchical menus on the websites using the databases were incomplete and out of order.
After a few hours of head scratching I discovered some views along the lines of -
SELECT TOP 100 PERCENT col1, col2, col3
FROM sometable
ORDER BY col1, col2
The ORDER BY clause should only be used in views under certain conditions i.e. when using the TOP operator and the above view worked just fine under SQL Server 2000.
However in SQL Server 2005, the query optimiser optimises out TOP 100 PERCENT because it recognises that no rows are being eliminated from the resultset and because of this optimisation it also optimises out the the ORDER BY clause.
After a few disappointing months with Skype, I decided to try SIP based VOIP. The difference is quite incredible. I bought myself a proper VOIP handset - a Grandstream GXP 2000 and signed up with http://www.voip.co.uk/ and SIPGate.
Both allow me to have proper telephone numbers and even better Perth ones too for just signing up, although voip.co.uk does take your credit card number.
The sound quality of the calls is on par with that of a standard BT voice call or slightly better but the stability of the calls is way better than that of Skype. There's no jitter and delay and it just seems so much more polished.
Another advantage of SIP is that you don't need the PC turned on all the time because the handset plugs into an ethernet port on the switch.
The disadvantages are that for the SIP/VOIP newbies the terminology is pretty opaque and it took me a while to work out why I couldn't receive inbound calls and this is why Skype is a more attractive proposition than SIP/VOIP. There's a UK news group for the technology - uk.telecom.voip - but having lurked on it for a while and posted one message, you are presumed to have a grounding in the workings of SIP/VOIP if you're looking for help. The knowledge on how to get this stuff up and running is pretty technically in-depth and somewhat scattered. It's not really boiled down enough for your average Joe Schmoe who really wants to sign up with a provider and plug in his phone and start making/receiving calls. At the end of the day I don't really care what vocoder to use or what RTP, STUN or SIP/SDP message are, just tell me what I need to get the phone working.
That said, once you overcome the technical hurdles, it's pretty neat.
Well...I did the final show last week but the good news is that I'm moving to a new slot with one of the other guys, Eric, on a Thursday night (10pm to 12am). It suits me better because 1) I get my Friday nights back and 2) I missed the on-air banter and spraffing about music we used to have when I started doing Fridays. We kinda always intended to dual up on the show but Fridays were never good for Eric. Anyway...here's the playlist (only if you're faintly interested):
The Dandy Warhols - Bohemian Like You
Sonic Youth - 100%
Boris - Ibitsu
The Fall - Pacifying Joint
Neutral Milk Hotel - Song Against Sex
Part Chimp - B2
Bowery Electric - Black Light
Do Make Say Think - Dr Hooch
Godspeed You Black Emperor - Sleep
Explosions In The Sky - Have You Passed Through This Night
Tangerine Dream - Stratosfear
Ash Ra Tempel - Freak 'n' Roll
Roxy Music - In Every Dreamhome a Heartache
King Of Woolworths - Stalker Song
FC Kahuna - Hayling
Tess Ferrandez has a great article on why debug=true is generally a bad thing to leave lying around in your ASP.NET app's web.config file. This can be a pain for hosting companies like the one I work for when customers upload their app still as a debug build and with debug=true left switched on. We have shared servers that have up to 700 websites on them and it took us a fair bit of time and effort to tune the Application Pools to work around this problem in ASP.NET 1.x. Fortunately now we get to turn it off globally in the machine.config file in ASP.NET 2.0.
Doug Stewart has a nice article about keeping your production ASP.NET apps happy and healthy. All good stuff.
Back In the Saddle
It's been month since I did a show due to being on call and a dose of the flu and a cough that hung around to make it virtually impossible to speak without spluttering. Anyway....here's the play list for last nights show:
Hayseed Dixie - Black Dog
[correction] Neutral Milk Hotel - A Song Against Sex
The Fall - Clasp Hands
Spizzenergi - Where's Captain Kirk
Beck - Girl
65 Days of Static - Install A Beak In The Heart That Clucks Time In Arabic
Part Chimp - B2
Bed Head - Living Well
Ivor Cutler - Life In A Scotch Sitting Room - Jungle Tip (Owl)
Ivor Cutler - Life In A Scotch Sitting Room - Episode 1
Takako Minekawa - Fantastic Cat
And The Native Hipsters - Mr Magic
Grandaddy - A.M. 180
Grandaddy - He's Simple, He's Dumb, He's The Pilot
13th Floor Elevators - Your Gonna Miss Me
Silver Apples = A Pox On You
Neu! - Hero
King of Woolworths - Stalker
Bowery Electric - Fear of Flying
Hooverphonic - Sarangi
Santos - Combination
Backini - Little Big Horn
Stereolab - Get Carter
King of Woolworths - To The Devil A Donut
I thoroughly recommend picking up King of Woolworths' Ming Star album. It's a bloody marvellous and the track Stalker will put the willies up you on a late dark and windy night. I picked up some God Speed You Black Emperor and have been listening all day to them. They're utterly amazing, the album Lift Your Skinny Fists Like Antenna To Heaven is incredible. It consists of four 20minute (ish) tracks that take you on an aural rollercoaster ride you won’t forget - in a word mind-bending.
This is a pretty handy feature for taking your ASP.NET 2.0 app offline (for maintenance or whatever) and displaying a friendly message explaining why the site is down.
Just place a file called 'App_offline.htm' in the root of your site with whatever message you want to give your users and bingo your app shuts down and the contents of App_offline.htm are served. Just delete or rename App_offline.htm to something else to bring the app back online again.
I don't know what the Attorney General is so upset about, isn't this what the Home Office wants for all our good citizens anyway? They just happen to be starting from the top.
You may know this already but if you're running ASP.NET 1.1 and ASP.NET 2.0 on the same box then make sure you create a separate application pool for ASP.NET 2.0. You can just clone the Default Application pool if you want, but that can have security implications if you're box is a shared hosting environment because re-using NETWORK SERVICE as the process identity will leave your 2.0 sites open to file harvesting by Full Trust 1.1 apps (that said you are encrypting your connection strings, aren't you? :-) ).
Once you've created the app domain, goto the site or vdir that needs to run ASP.NET 2.0, open the property pages, choose ASP.NET 2.0 from the ASP.NET tab then choose the new ASP.NET 2.0 Application Pool in Home Directory Tab -> Application Settings: Application Pool drop down.
Failure to run ASP.NET 2.0 in it's own app pool will result in the evil 'Server Application Unavailable' message because the ASP.NET 1.1 and 2.0 runtimes can't co-reside in the same worker process.
This is old hat and more of a bookmark for me when I bump into this each time I'm working with XML documents that have default namespace declared. But I thought I'd share anyway.
Take the following simple XML document:
<?xml version="1.0" encoding="utf-8" ?>
<products xmlns="urn:backoffice:products">
<product id="100-1100">
<description>JVC CD Player</description>
<price>120.99</price>
<category>100</category>
</product>
<product id="100-1101">
<description>Sony CD Player</description>
<price>122.99</price>
<category>100</category>
</product>
<product id="100-1102">
<description>LG DVD Player</description>
<price>109.99</price>
<category>110</category>
</product>
<product id="100-1103">
<description>Technics DVD Player</description>
<price>199.99</price>
<category>110</category>
</product>
</products>
You might expect that the code to select all the product nodes would look like:
XmlNamespaceManager nsm = new XmlNamespaceManager(new NameTable());
nsm.AddNamespace("", "urn:backoffice:products");
XmlNodeList productList = products.SelectNodes("/products/*", nsm);
The above seems the logical thing to do because the default namespace doesn't have a prefix so you naturally go ahead and specify String.Empty (or "", whichever) when adding it to the namespace manager. Additionally if you execute the code and breakpoint after setting adding the namespace and inspect the DefaultNamespace property of 'nsm' you'll see that it's even set to "urn:backoffice:products". However, the XmlNodeList returned from products.SelectNodes has no nodes.
This confused the hell out of me when I first encountered it way back when and I tripped up on it again last week. What's going on?
Basically XPath expressions select nodes that are either in a namespace or in the empty namespace. The XPath expression '/products/*' is selecting nodes from the empty namespace (xmlns="") but the document above is defining a default namespace of 'urn:backoffice:products' which is not the empty namespace. We have to tell XPath to select nodes from the namespace 'urn:backoffice:products' otherwise no nodes will be returned.
So how do we do this?
XmlNamespaceManager nsm = new XmlNamespaceManager(new NameTable());
nsm.AddNamespace("p", "urn:backoffice:products");
XmlNodeList productList = products.SelectNodes("/p:products/*", nsm);
We add the namespace with an arbitrary prefix and the XmlNamespaceManager is used to expand 'p' to the default namespace name which then brings the nodes we're interested in into scope.
One thing still puzzles me though is the purpose of the DefaultNamespace property in the XmlNamespaceManager and I guess some digging around will uncover it's intentions because the MS docs are pretty vague.
I haven't done the show for a couple of weeks, mostly because I fancied a couple of Fridays off just to finish work and kick back in front of the telly and catch up on some reading. Also I've been feeling a bit burned out and there's no point sitting in the studio with a lacklustre and last minute choice of tunes and no research and just playing tunes like a robot.
That said, it hasn't kept me from adding a few new items to my music library over the past few weeks -
Mogwai - Mr Beast their newest release and Come on Die Young and Young Team just to complete the set. I'm also seeing them in Edinburgh in April at the Queens Hall. Looking forward to it immensely.
The Dandy Warhols - Come Down, Dandy's Rule Ok, Odditorium Or Warlords of Mars, Thirteen Tales... and Welcome to the Monkey House. I was really put off the Dandy's because of that infernal Vodafone(?) advert which ruined a perfectly good tune. I'm glad I revisited them as they're bloody marvelous.
65 Days of Static - Fall of Math, One For All Time. These guys are just amazing and I'd say they're one of the standard bearers of the 'post rock' movement. If you like Mogwai then your gonna love these guys.
Sparklehorse - I already had 'It's a Wonderful Life' and figured it was time to flesh out with Good Morning Spider, Vivadixiesubmarinetransmissionplot.
Roxy Music - Roxy Music, For Your Pleasure, Stranded, Country Life and Siren. I had these one tape years ago and they were ridiculously cheap on Amazon's marketplace.
The Wedding Present - George Best, Seamonsters, Bizarro and Take Fountain.
The Delays - Faded Seaside Glamour and You See Colours
So as you can see I've got a lot of listening to catch up on and I now need a bigger shelf for my CD's. Anyway I'll be back on the radio next week and if you're in the Perth or Pitlochry area next Friday then tune into 97.5FM between 10pm and midnight.
It's that time of year again for the South by South West Festival (SxSW - March 10th - 19th) in Austin Texas. I first heard about SxSW last year when I started tuning into BBC Radio 6 a bit more frequently (Stuart Maconie's Freak Zone to be precise). The festival has a fairly electic schedule of bands playing and it was where (on radio 6) I first heard what has become one of my favourite bands - The American Analogue Set. You should checkout radio 6 next week for ongoing coverage. Next year I'll maybe make it over there and also to another festival in the states I've wanted to attend for years.
If you host your ASP.NET 1.x website with a hosting company that allows the use of Microsoft Access databases and SQL Server and you host in a shared environment then take some time to consider how secure your SQL data is, or rather possibly isn't.
I have shared hosting accounts with a couple of very well known ASP.NET hosting companies. To discover how secure the shared ASP.NET environments were I found that I was able to traverse out of my web folder to other users web directories and read their web.config files (and of course their SQL Server connection strings and other such goodies).
To use Access databases you generally utilise the data access classes in System.Data.OleDb. There's an unfortunate shortcoming about System.Data.OleDb which is that you need to be running ASP.NET under Full Trust to use it. The security impact of this in a shared hosting environment is that users can exploit this, as I did, to begin touring other customers website folders in search of secrets such as SQL connection strings.
In a shared hosting environment each website runs under it's own unique IUSR_<xxx> anonymous user account and ASP.NET is set to impersonate that account for each request that is handled by the site. The <identity/> impersonate attribute is set to 'true' in the server's machine.config file like this -
<identity impersonate="true" userName="" password=""/>
The web folder, which is the root of your website, also has at least the following NTFS permissions on it - read/write access for the IUSR_<xxx> account and Read access for the ASP.NET worker process account (NETWORK SERVICE if running Windows 2003 or ASPNET if running under Windows 2000). As you can see, the worker process account has read access to every site on the shared server. The reason for this is that ASP.NET needs to be able to monitor the web folders for file changes and to be able to read your ASP.NET files (.aspx, .ascx, dll's etc) to be able to compile them.
If you execute this page script on in your website you can discover what your anonymous user account is:
<% @ Page language="c#" runat="server"%>
<%@ Import Namespace="System.Security.Principal" %>
<script runat=server>
void Page_Load(Object sender, EventArgs e) {
Response.Write("<b>Identity:</b>" + WindowsIdentity.GetCurrent().Name + "<br/>");
}
</script>
Let's modify the script to this:
<% @ page language="c#" runat="server"%>
<%@ Import Namespace="System.Security.Principal" %>
<%@ Import Namespace="System.Runtime.InteropServices"%>
<script runat=server>
[DllImport(@"C:\WINDOWS\system32\advapi32.dll")]
public static extern bool RevertToSelf();
void Page_Load(Object sender, EventArgs e) {
Response.Write("<b>Identity:</b>" + WindowsIdentity.GetCurrent().Name + "<br/>");
RevertToSelf();
Response.Write("<b>Identity:</b>" + WindowsIdentity.GetCurrent().Name + "<br/>");
}
</script>
If your server is running ASP.NET under Full Trust then the RevertToSelf() function ends the impersonation and the remainder of the request executes under the worker process identity, otherwise you'll get an exception thrown (to obtain the path to the system32 directory examine value of the System.Environment.SystemDirectory property).
So what does this mean? The worker process account has read permission to every website folder on the server so it's possible (and I did) to write a script to traverse these folders and harvest web.config files. In fact it's also possible to harvest critical information from every folder that the worker process account has read rights on.
To mitigate this issue you could run each website in it's own application pool and give each application pool it's own identity and each web folder would have NTFS permissions for each of those identities. However this is not really a practical or manageable solution because in a shared hosting environment there can be anything between 500 to 1000 websites. Can you imagine managing up to 1000 application pools and worker processes on the web server? Can you imagine the ACL management for all of those areas that ASP.NET likes to touch? Also your $10.00 a month hosting company is unlikely to give you your own application pool and identity, no matter how nicely you ask, because it's just not economically viable for them. They are more likely to suggest that you buy one of their dedicated server solutions.
So the bottom line is this. If you're hosting on a shared environment and your hosting company allows the use of Access databases then beware that your sensitive SQL data is at risk because -
- to use Access means ASP.NET 1.x has to run at Full Trust
- Full Trust means that the user can call RevertToSelf() to end impersonation and run as the worker process identity
- most likely all the websites run in the same worker process under the same identity
- the worker process identity will have read access to your web folders
Fortunately in ASP.NET 2.0 the Full Trust issue is more or less fixed (System.Data.OleDb and System.Data.Odbc can run under Medium Trust) but if the server is running both ASP.NET 1.x and ASP.NET 2.0 you're still not secure.
Thanks to Dominick for the time spent discussing this.
Update:
I did some poking around and found this article by K. Scott Allen which is worthwhile taking a look at.
I just finished K-Pax III: The Worlds of Prot the third and final installment about the mysterious 'prot' character who claims to be from the planet K-Pax. It's a pretty light hearted affair and has all the welcome familarity of the characters and settings of the previous two books about Gene and prot. That said I didn't feel there was as much substance in this encounter with prot as the original K-Pax but it's still a good read if you're in between a couple of heavier tomes. 7/10.
This got me for a while today. If you're running your web application under Medium Trust (recommended) and you encounter the following exception when trying to read custom application configuration settings in your web config -
System.Security.SecurityException was unhandled by user code
Message="Request for ConfigurationPermission failed while attempting to access configuration section 'someSettings/theSettings. To allow all callers to access the data for this section, set section attribute 'requirePermission' equal 'false' in the configuration file where this section is declared."
Source="System.Configuration"
StackTrace:
[snipped]
Then re-read the exception message again -
"To allow all callers to access the data for this section, set section attribute 'requirePermission' equal 'false' in the configuration file where this section is declared"
i.e.
< configSections>
<sectionGroup name="someSettings">
<section
name="theSettings"
type="Tollon.ConfigSettings.SomeConfiguration, Tollon.ConfigSettings, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
requirePermission="false" />
</sectionGroup>
<configSections>
The last day of DevWeek 2006 was probably my favourite. The day started off with an excellent keynote by Tim Ewald on the state of web services. The second session of the day was a bit disappointing - Understanding .NET Through Patterns by Paul Besly. I'm afraid his card trick analogies just didn't quite cut it and I'm pretty certain that many people with some familiarity with patterns went away feeling less than satisfied.
The first session of the afternoon was Extending ASP.NET 2.0 with Custom Providers by Jeff Prosise and as usual Jeff's excellent oratory skills held everyones attention. The last session of the day was Inside the ASP.NET 2.0 Compilation Model by Dino Esposito. This session was a pretty indepth look at the new compilation model and how to extend it using custom build providers - 10/10.
This was my second DevWeek and again it was a very worthwhile conference with great speakers, great topics and quite informal and friendly.
This week I'm down at DevWeek 2006 which I also attended last year. It's quite good value for money and the quality of the speakers and topics is good again this year. The sessions I've attended so far are:
Tuesday:
Keynote - Dave Wheeler
Power ASP.NET 2.0 Programming - Jeff Prosise
Exploring Unit Testing with Visual Studio Team System - Kevin Jones
Writing Extensible Applications Using Reflection - Jason Clark
Wednesday:
Understanding Threads and Thread Synchronisation - Jason Clark
Distributed .NET - Ted Neward
Extending System.Xml - Ted Neward
ASP.NET, AJAX, and you: Introducing MS AJAX - Jeff Prosise
It's nice to know from sessions such as the Jason Clark ones that I'm doing all the right things :-)
More later.
Scott Guthrie announced the release of the second preview of the Web Application Project type for VS05. You can read about it here and download it from here.
If you're developing Visual Studio 2005 ASP.NET 2.0 websites on Windows 2003 server and you're creating a separate IIS website for each project then there's a new gotcha I discovered today.
I prefer developing on Windows 2003 because at the very least you can organise your web projects more sensibly (and sanely) rather than lumping everything into the Default website. There are also many projects we undertake where we need the whole of an existing site on the dev box when we're adding new functionality - often we find absolute urls to scripts or images and unless the darned code gets to live in its own website it can be a bugger to work with.
I know there's a hack to coerce IIS on XP to have more than one Website but it's inconvenient especially when you need to switch between projects quickly (a current project is having a bunch of new functionality added to two sites which will be shared) and lets face it, it's a dirty hack.
Anyway if you start debugging a VS05 website created under IIS (you really shouldn't use the cassini based thing for anything other than knocking up quicky snippets of code, see: Cassini considered harmful (leastprivilege.com) and you encounter the error: "Unable to start debugging on the web server. Logon failure: unknown user name or bad password" then check out this kb article -
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6.
You also need to start the Visual Studio Remote Debugging Monitor and make sure your logon is added to the Permissions for Remote Debugging under Tools->Permissions. This seems to be a new thing because VS02/03 worked just fine without it in the past. Now please can I have the last 4 hours of my life back?
Update:
I forgot to add that the following event is logged when the vs 2005 login failure occurs -
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 10/02/2006
Time: 01:40:21
User: NT AUTHORITY\SYSTEM
Computer: UKM-W2K3-003
Description:
Logon Failure:
Reason: An error occurred during logon
User Name: Kevin
Domain: MYSERVER
Logon Type: 3
Logon Process: O
Authentication Package: NTLM
Workstation Name: MYSERVER
Status code: 0xC000006D
Substatus code: 0x0
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.100.59
Source Port: 0
This is a hilarious take on the meaningless hyperbole that is 'Web 2.0' - BileBlog - Web TwoPointSchmoe
I couldn't agree more with his closing paragraph -
"There's no doubt that ajax, tagging, semantic fappery and all that other gibberish have some potential. Ultimately though, there is no revolution, nor even an evolution. It's simply the ability to toss in a few more tools in the toolbox. Specialised tools, that can be effective when used against the right obstacle. Nothing more, nothing less."
Jings, crivvens, help ma boab it's announced already here but not shipping until Q3.
I shouldn't laugh but the method of destruction in the style of Frank Spencer left me with tears of laughter. What topped it off for me was the polite letter from the museum asking Mr Flynn not to return in the near future. There is the making of a mastercard advert -
Bus fare into town - £2.80
Two tickets for the museum - £8.40
Nice cup of tea and a biscuit in the museum tearoom - £3.40
Forgetting do up your shoe laces, tripping on them and taking out two rare Chinese vases - Priceless
http://news.bbc.co.uk/1/hi/england/4671450.stm
In the evenings I tend to have the laptop on the coffee table and tippy tap away at stuff whilst the telly's on. But it gets uncomfortable sitting on the settee crouched over the laptop and I miss the dual monitors and beefy workstation power that's in my office.
So today I invested in a TV card for a spare PC + monitor and ran a coax cable from the Sky box in the lounge into the office. I gotta say I wish I'd done this ages ago, it works a treat. All I need now is a remote kit for the Sky box handset so I can channel hop without having to run to the lounge and flick.
The card is a Hauppuage WinTV-HVR 1100 which I bought because it had a built in digital terrestrial TV decoder and remote control. But sadly Perth for some reason hasn't made it to the digital age for telly (even though we do get DAB) so I might exchange it for a cheaper model.
I just noticed that VMware have introduced a free version of VMware server. It's in beta at the moment but they expect to release the finished version in the next few months. You can grab it here. You can also download a bundle of pre-built appliances and virtual machines here which will run using the server, existing products or on the free VMplayer.
David Wang is a member of the IIS team and he can be found in the IIS related newsgroups. His blog has loads of good stuff about IIS based on questions asked in the newsgroups and privately. I've been subscribed since September last year, you should too.
As part of an exercise to see if I can reclaim some tax, I went back through all the invoices I have for IT book purchases since 2002. It comes to £1234.61. 2003 seems to have been a good year for Computer Manuals where I managed to spend £470 with them.
I'm missing a batch of invoices from 2001-2002 and I know I spend a serious pile of dosh with them as I gaze across my lounge at the straining bookshelves.
I was going to post some pics of the steps involved during the mod chip install. However I loaned my digital camera to a mate Andy to take to Chile on his company trip to Concha Y Toro's vineyards so I haven't got any pics of the XBox's insides and dodgy looking solder work and that's probably a good thing :).
There's quite a good guide to installing the mod chip here
Anyhoo if you're going to undertake a mod that requires soldering a few things spring to mind:
1. Get a decent soldering iron and decent solder. The temperature of the gas fired thing I bought was difficult to control and there was a severe risk of lifting the delicate tracks on the XBox PCB. I'd recommend investing in a good temperature controlled professional soldering iron such as a Weller.
2. Practice your solder work on a scrap PCB, especially one that is multilayered and has the same fine trackwork as the XBox.
3. It turns out there are 8 PCB revisions ranging from v1.0 -> 1.6b. Mine was a v1.0 PCB and unfortunately holes for the LPC bus were filled with solder and that had to come out before fitting the pin header assembly. The LPC bus holes newer revisions of the motherboard are fortunately solder free.
4. If you have a v1.6 or v1.6b motherboard be sure that your soldering skills are really good because MS made some slight but significant modifications to the outputs on the LPC bus which means you have to patch the underside of the PCB with jumper wires to get the correct outputs. Some of the newer kits such as the Xecuter 3 CE include a PCB rebuild assembly that reduces the some of the pain. There's still a high risk of accidentally creating a solder bridge between one of the solder points and an adjacent tiny (< 1mm x 1mm in dimension) surface mount resistor and from bitter past experience these little buggers are a bitch to put back on if dislodged by accident when trying to clear the solder bridge. I have a 1.6 XBox as well (that's another story) and didn't even consider trying to fit the rebuild PCB simply because the iron and solder I had weren't of sufficient quality to do the job. I'd get a pro to do it for you.
5. If you have a v1.1 - v1.5 board then the installation should be plain sailing and the only difficult soldering task is soldering the D0 wire in the D0/LAN LED/HDD LED harness to a tiny wee solder point on the underside of the mainboard (v1.0 requires this too). A magnifying glass would've been handy for this task.
More later and how I thought I'd fluffed the install.
I decided it was time to do something interesting with my XBox (std). So begins the story of how I turn it into something more useful than the black brick that sits under the telly that gets used occassionally for that snowboarding game...erm..what's it called again..oh oh aye...SSX Tricky....
Anyway...here are the bits...(cheers Dave for the motivation)....
The XBox:
Ooops...no that's a train from New Zealand.
OK...These are the bits...(really)...
One XBox -
One Xecuter 3 CE Kit from XBox Mod Chips (apologies for the crap photo, not quite got the hang of my new Fuji FinePix camera for indoor work):
One butane soldering iron..some dodgy looking butane fueled thing from B&Q's plumbing dept. It's redeeming features were a small pointy solder bit, heat control and it's reasonably ok to handle for electronic work such as IDC headers, consumer PCB's and the like (I lost my Weller Soldering Station in a house move...grrrr). Anyway...as I said the bit is reasonably fine and after some practice on an old PCB to get used to and control the bit temperature it should do the trick. I might need to order a desoldering tool (again another lost item) if the location where the IDC header goes is filled with solder on the XBox PCB.
Ok.....it's late, I've had some friends round with some decent chunky Chilean red wine (sadly no Wine Makers Lot) and a bit of pizza and it's time to hit the sack before getting drunk and disorderly on my XBox with firey hot tools and pliers...tune in for part two soon......
Kev
|