Version Control via FTP

A few years ago, I was looking for a version control system that would be easy to implement and not cost a fortune.  I was splitting my time between my laptop and my desktop, and was always forgetting my thumb drive somewhere else.  I did not have a separate NAS device at the time, so that was out of the question.  I was paying for shared hosting, and was greatly underutilizing my disk space allotment.

Enter FtpVC, a version control system that works via FTP.  It was perfect for my needs!  I installed the client on both machines, configured it to use a folder on my hosting account, and got back to work.  Setup was very easy, and the shared hosting space was accessible to either machine, and offsite.  At $50, it was not a budget breaker, either.  All the usual version control features are there, including history and comparisons.  If you’re a lone ranger picking up the odd client job, or a small development shop, FtpVC could be a great solution for you.

There’s a new version out, and their announcement e-mail reminded me I should blog about it.  No relation other than happy customer.  As a matter of fact, I’ve since moved on to another solution, but I still recommend FtpVC as a lightweight and inexpensive way to get into version control.

Hackers focus efforts on Firefox, Safari

The Internet Explorer team should be proud of themselves this week:

Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys.

Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard.

However, if you’re feeling ten feet tall and bulletproof because you’re using Firefox, you might want to reexamine that idea and make sure you get the auto-updates installed:

In a somewhat dubious recognition of Firefox’s growing popularity, hackers have focused their attention on it, leading to a rash of newly discovered holes. The folks at Mozilla recently released two Firefox updates in less than six weeks, fixing a total of five critical security vulnerabilities. All five can be exploited by planting a poisoned JavaScript file in a Web site and waiting for you to stumble across it.

The scary thing here is that you don’t have to do anything to engage this exploit, and JavaScript is all but invisible to any user not really looking for it.

Likewise, Apple cultivates the image of security to every fanboy’s peril:

Safari 3.1 patches 13 holes affecting Mac OS X, Windows XP, and Windows Vista.

Think you’re safe because you don’t have Safari? You may have it without realizing it. Apple now distributes its browser with iTunes updates. Forget to uncheck a box in one of these updates, and it’s there.

The Safari holes could allow an attacker to trick you into thinking that a fake site is really your bank site, or to take over your PC via a poisoned page.

Remember it was Safari that led to the hacking of a MacBook Air in a recent contest.  Add in the insult of sneaking Safari onto machines via iTunes updates and Safari in most corporate environments would be defined as malicious.  The distribution policy has recently been changed to be more clear about what is being installed, but some damage has been done, and you still have to refuse the automatic installation.

There is a reason corporate IT departments prefer software we can control via Group Policy, and why we have policies against anyone installing anything.

New Sophisticated SQL Injection Attack

Although this attack targets websites powered by Microsoft SQL Server, databases such as Oracle are vulnerable to it as well.

The attacks “are a very sophisticated form of SQL injection,” Qualys CTO Wolfgang Kandek told TechNewsWorld. “Normally, SQL injection is targeted to one table. With this attack, they used a generic mechanism of the underlying database to make it work on a much broader set of applications.”

The attacks have targeted sites running IIS and ASP that have an MS-SQL database. However, they are not exploiting a particular flaw in these applications — the exploit could have been written to target any database — Oracle or WebSphere, for example.

Rather, the code exploits what security researchers are bemoaning as an elementary lapse in Web security on the part of developers installing the databases.

In addition to this attack, the article mentions another one, specific to SQL Server, on the horizon:

“The underlying database servers are often misconfigured to have an extended stored procedure xp_cmdshell enabled,” Belani told TechNewsWorld. “This setting allows an attacker to execute commands at the operating system level post compromise via SQL injection. This level of access is hard to come by in other database servers like Oracle.”

Full story at http://www.technewsworld.com/edpick/62783.html?welcome=1209477802.

The root cause of these attacks is insecure web application design, which allows SQL code submitted in a page request to be pasted into the database query the page then executes.  This is an old technique known as SQL Injection.

If you’re not familiar with SQL Injection, you need to be, since it’s a very basic flaw with serious ramifications.  I highly recommend reading 19 Deadly Sins of Software Security for a very good introduction to some very basic design issues.
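To make the flaw concrete, here is an added example (not from the original post or the TechNewsWorld article) contrasting a query built by string concatenation with a parameterized one. It assumes an in-memory SQLite database standing in for the MS-SQL back end the article describes; the customers table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed stand-in: the article talks about IIS/ASP pages hitting MS-SQL,
# but the same pattern is shown here against in-memory SQLite so it runs
# anywhere. The table and rows below are made up for the demonstration.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
        (3, "carol", "carol@example.test"),
    ])
    return conn

def lookup_vulnerable(conn, customer_id):
    # The flaw: the request value is pasted into the SQL text, so whatever the
    # client sent becomes part of the statement the database parses.
    sql = "SELECT name FROM customers WHERE id = " + customer_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, customer_id):
    # The fix: a parameterized query. The value is bound after the statement
    # is parsed, so it can only be compared against the column, never run as SQL.
    sql = "SELECT name FROM customers WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer_id,))]

def demo():
    conn = make_db()
    honest = "2"            # the value the page expects in its query string
    hostile = "2 OR 1=1"    # a request value that is really a piece of SQL
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "safe_honest": lookup_safe(conn, honest),
        "safe_hostile": lookup_safe(conn, hostile),         # no match at all
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, rows)
```

The parameterized version returns nothing for the hostile input because the whole string is compared against the id column as a value; the concatenated version returns every customer.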

Windows XP: Then Again, Maybe It Is Dead

Following up yesterday’s post (http://rjdudley.com/blog/WindowsXPNotDeadYet.aspx):

Microsoft says Windows XP sales will end June 30 despite comments by Microsoft CEO Steve Ballmer. Microsoft says it’s listening, but petition author Galen Gruman says Microsoft counts a Windows Vista sale even with an option to downgrade to Windows XP. Galen’s petition has more than 170,000 names asking Microsoft to save Windows XP.

Full story at http://www.newsfactor.com/story.xhtml?story_id=121009GB4QVS&nl=2

New Pittsburgh Data Warehousing Group

There’s a new user group in town:

IS Network: PGH DW Group
Please attend this year’s first Pittsburgh Data Warehouse and Business Intelligence User Group Meeting. The morning will begin with a brief planning session on the goals and purpose of the group followed by a demonstration in building a data warehouse right before your eyes using Microsoft SQL Server 2005. The final presentation titled, “A Single Source of Truth: Implementing Enterprise Profitability” will cover the design and implementation of the enterprise profitability system utilized by Alcoa.

Coffee and light refreshments sponsored by IQ Inc.

Date:        Thursday, April 24
Time:        8 a.m. – 12 p.m.
Venue:       Pittsburgh Technology Council
Cost:        Free
Register:    Online | E-mail | 412.918.4229

Error: Could not load file or assembly ‘Microsoft.ReportViewer.WebForms, Version=9.0.0.0

The full error reads:

Parser Error Message: Could not load file or assembly ‘Microsoft.ReportViewer.WebForms, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a’ or one of its dependencies. The system cannot find the file specified.

This error means you’re using the SQL Server Reporting Services ReportViewer control in your web application, and the server can’t find the proper DLLs.  All you have to do is deploy them to your server.  With Visual Studio 2008, the location of the ReportViewer DLLs has changed.  You now find them at C:\Program Files\Microsoft Visual Studio 9.0\ReportViewer.

The first way to get these on your server, and this only works if you run your own server, is to directly copy them into the C:\Windows\assembly folder, and reboot the server (this reloads the GAC).  If a reboot is out of the question, you can use GACUTIL.EXE to copy and register the DLLs.

If you’re in a shared hosting environment, reference the DLLs from the VS 9 path listed above, and set Copy Local=True (select the DLL reference and open the Properties tab).  This will copy the DLLs into your application’s BIN folder, and the application will look for them there first.  You can then deploy to a shared host, making sure to copy all the contents of BIN.

Launch 2008 Software Pack and Links

All attendees to a “Heroes Happen Here” Launch event receive a software pack, but it’s not without its limitations.  Here is what’s included, and the restrictions:

  1. Windows 2008 Server, Enterprise Edition, both 32-bit and 64-bit.  Full version with keys, 1 year time bomb.
  2. SQL Server 2008.  This is a CTP, not the final release.  I’d avoid installing this on any machine you like–use a virtual machine or something you can throw away later.  There is a registration code in the pocket with the EULAs for a license of the final version.  No mention of a time bomb.  I just tried to register, and the site craps out when you submit your form.
  3. Visual Studio 2008 Standard Edition.  This is the version one step above Express.  Its most notable feature limitation is Office development.  That’s right–all that cool MOSS/Office 2007 integration and workflow they demonstrated, well, you can’t do that with this version (you need the Professional version at least).  A version comparison is at http://msdn2.microsoft.com/en-us/vs2008/products/cc149003.aspx.  No indication of a time bomb.
  4. Windows Vista Ultimate with SP1.  This was a nice surprise.  The full kitty, no expiration (the Windows Live One Care has a time limit, though).
  5. Microsoft Forefront and Microsoft System Center.  Two infrastructure tools marked as “Limited-Time Trial Software”, but no indication of the time limit.  Forefront is Microsoft’s network security suite, rolling up Antigen and other tools into one product.
  6. Windows Mobile 6 Developer Resource Kit.

Useful links from Launch:

If you want to review the presentations (or in our case, see them working), check out the Virtual Launch at http://www.microsoft.com/virtualevents/.  You need a Windows Live ID and Silverlight.  Apparently you can choose from several cities, but each time I selected something other than LA, I got a Silverlight error.

Download lab manuals for each demo at http://heroes.labmanuals.virtualwide.com/.  This is totally cool.  Get these and actually do what you saw (or would have seen if the demos didn’t keep crashing).  Subject to the limited features of the Standard version, unless you have a better version handy.