Tuesday, April 29, 2008

A few years ago, I was looking for a version control system that would be easy to implement and not cost a fortune.  I was splitting my time between my laptop and my desktop, and was always forgetting my thumb drive somewhere else.  I did not have a separate NAS device at the time, so that was out of the question.  I was paying for shared hosting, and was greatly underutilizing my disk space allotment.

Enter FtpVC, a version control system that works via FTP.  It was perfect for my needs!  I installed the client on both machines, configured it to use a folder on my hosting account, and got back to work.  Setup was very easy, and the shared hosting space was accessible to either machine, and offsite.  At $50, it was not a budget breaker, either.  All the usual version control features are there, including history and comparisons.  If you're a lone ranger picking up the odd client job, or a small development shop, FtpVC could be a great solution for you.

There's a new version out, and their announcement e-mail reminded me I should blog about it.  No relation other than happy customer.  As a matter of fact, I've since moved on to another solution, but I still recommend FtpVC as a lightweight and inexpensive way to get into version control.

Tuesday, April 29, 2008 1:34:23 PM (Eastern Standard Time, UTC-05:00)

The Internet Explorer team should be proud of themselves this week:

Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys.

Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard.

However, if you're feeling ten feet tall and bulletproof because you're using Firefox, you might want to reexamine that idea and make sure you get the auto-updates installed:

In a somewhat dubious recognition of Firefox's growing popularity, hackers have focused their attention on it, leading to a rash of newly discovered holes. The folks at Mozilla recently released two Firefox updates in less than six weeks, fixing a total of five critical security vulnerabilities. All five can be exploited by planting a poisoned JavaScript file in a Web site and waiting for you to stumble across it.

The scary thing here is that you don't have to do anything to engage this exploit, and JavaScript is all but invisible to any user not really looking for it.

Likewise, Apple cultivates the image of security to every fanboy's peril:

Safari 3.1 patches 13 holes affecting Mac OS X, Windows XP, and Windows Vista.

Think you're safe because you don't have Safari? You may have it without realizing it. Apple now distributes its browser with iTunes updates. Forget to uncheck a box in one of these updates, and it's there.

The Safari holes could allow an attacker to trick you into thinking that a fake site is really your bank site, or to take over your PC via a poisoned page.

Remember, it was Safari that led to the hacking of a MacBook Air in a recent contest.  Add in the insult of sneaking Safari onto machines via iTunes updates, and Safari in most corporate environments would be defined as malicious.  The distribution policy has recently been changed to be clearer about what is being installed, but some damage has been done, and you still have to refuse the automatic installation.

There is a reason corporate IT departments prefer software we can control via Group Policy, and why we have policies against anyone installing anything.

Tuesday, April 29, 2008 1:07:50 PM (Eastern Standard Time, UTC-05:00)

Although this attack targets websites powered by Microsoft SQL Server, databases such as Oracle are also vulnerable to this attack.

The attacks "are a very sophisticated form of SQL injection," Qualys CTO Wolfgang Kandek told TechNewsWorld. "Normally, SQL injection is targeted to one table. With this attack, they used a generic mechanism of the underlying database to make it work on a much broader set of applications."

The attacks have targeted sites running IIS and ASP that have an MS-SQL database. However, they are not exploiting a particular flaw in these applications -- the exploit could have been written to target any database -- Oracle or WebSphere, for example.

Rather, the code exploits what security researchers are bemoaning as an elementary lapse in Web security on the part of developers installing the databases.

In addition to this attack, the article mentions another one, specific to SQL Server, on the horizon:

"The underlying database servers are often misconfigured to have an extended stored procedure xp_cmdshell enabled," Belani told TechNewsWorld. "This setting allows an attacker to execute commands at the operating system level post compromise via SQL injection. This level of access is hard to come by in other database servers like Oracle."

Full story at http://www.technewsworld.com/edpick/62783.html?welcome=1209477802.

The root cause of these attacks is insecure web application design, which allows SQL code to be inserted into a page request and then executed as part of the database query that follows.  This is an old technique known as SQL Injection.
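To make the root cause concrete, here is an added example (not from the original post or the quoted article) that puts the flawed query-building pattern beside the fixed one.  It uses Python with an in-memory SQLite database as a stand-in for the ASP/MS-SQL sites in the story; the table, function names and sample values are all hypothetical.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; in-memory SQLite stands in for the site's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Welcome", 1), (2, "Release notes", 1), (3, "Unpublished draft", 0)],
    )
    return db

def lookup_concatenated(db, article_id):
    # Flawed pattern: the request value is pasted into the SQL text, so the
    # database parses whatever the client sent as part of the statement.
    sql = ("SELECT title FROM articles WHERE published = 1 AND id = "
           + article_id + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, article_id):
    # Fixed pattern: the SQL text is constant and the value is bound as data,
    # so it can never change the shape of the statement.
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (article_id,))]

def lookup_validated(db, article_id):
    # Defence in depth: accept only a short run of ASCII digits, then bind it.
    if not re.fullmatch(r"[0-9]{1,9}", article_id):
        raise ValueError("article id must be a positive integer")
    return lookup_parameterized(db, int(article_id))

if __name__ == "__main__":
    db = make_db()
    hostile = "3 OR 1=1"  # constructed request value; no quote characters needed
    print(lookup_concatenated(db, hostile))   # filter bypassed, unpublished row leaks
    print(lookup_parameterized(db, hostile))  # value treated as data, no rows match
    print(lookup_validated(db, "2"))          # a normal request still works
```

Because the parameter here is numeric, escaping quote characters would not have helped the concatenated version; only binding the value (or rejecting non-numeric input) closes the hole.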

If you're not familiar with SQL Injection, you need to be, since it's a very basic flaw with serious ramifications.  I highly recommend reading 19 Deadly Sins of Software Security for very good introductions to some very basic design issues.

Tuesday, April 29, 2008 9:13:50 AM (Eastern Standard Time, UTC-05:00)
 Friday, April 25, 2008

Following up yesterday's post (http://rjdudley.com/blog/WindowsXPNotDeadYet.aspx):

Microsoft says Windows XP sales will end June 30 despite comments by Microsoft CEO Steve Ballmer. Microsoft says it's listening, but petition author Galen Gruman says Microsoft counts a Windows Vista sale even with an option to downgrade to Windows XP. Galen's petition has more than 170,000 names asking Microsoft to save Windows XP.

Full story at http://www.newsfactor.com/story.xhtml?story_id=121009GB4QVS&nl=2

Friday, April 25, 2008 2:11:11 PM (Eastern Standard Time, UTC-05:00)
 Thursday, April 24, 2008

The recent outcry from fans of Windows XP -- or at least from people who hate Vista so badly they don't want to buy it -- appears to have reached the ears of Steve Ballmer. The Microsoft CEO said the company would listen to its customers if they want to continue to buy XP.

Full story at http://www.technewsworld.com/edpick/62741.html

Thursday, April 24, 2008 8:08:48 PM (Eastern Standard Time, UTC-05:00)
 Wednesday, April 23, 2008

There's a new user group in town:

IS Network: PGH DW Group
Please attend this year’s first Pittsburgh Data Warehouse and Business Intelligence User Group Meeting. The morning will begin with a brief planning session on the goals and purpose of the group followed by a demonstration in building a data warehouse right before your eyes using Microsoft SQL Server 2005. The final presentation titled, "A Single Source of Truth: Implementing Enterprise Profitability" will cover the design and implementation of the enterprise profitability system utilized by Alcoa.

Coffee and light refreshments sponsored by IQ Inc.

Date:        Thursday, April 24
Time:        8 a.m. - 12 p.m.
Venue:       Pittsburgh Technology Council
Cost:        Free
Register:    Online | E-mail | 412.918.4229

Wednesday, April 23, 2008 3:35:24 PM (Eastern Standard Time, UTC-05:00)
 Wednesday, April 16, 2008

The full error reads:

Parser Error Message: Could not load file or assembly 'Microsoft.ReportViewer.WebForms, Version=9.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.

This error means you're using the SQL Server Reporting Services ReportViewer control in your web application, and the server can't find the proper DLLs.  All you have to do is deploy the DLLs to your server.  With Visual Studio 2008, the location of the ReportViewer DLLs has changed.  You now find them at C:\Program Files\Microsoft Visual Studio 9.0\ReportViewer.

The first way to get these on your server, and this only works if you run your own server, is to directly copy them into the C:\Windows\assembly folder, and reboot the server (this reloads the GAC).  If a reboot is out of the question, you can use GACUTIL.EXE to copy and register the DLLs.

If you're in a shared hosting environment, reference the DLLs from the VS 9 path listed above, and set Copy Local=True (select the DLL and open the Properties tab).  This will copy the DLLs into your application's BIN folder, where the application will look for them first.  You can then deploy to a shared host, making sure to copy all the contents of BIN.

Wednesday, April 16, 2008 11:08:38 AM (Eastern Standard Time, UTC-05:00)
 Tuesday, April 15, 2008

All attendees of a "Heroes Happen Here" Launch event receive a software pack, but it's not without its limitations.  Here is what's included, along with the restrictions:

  1. Windows 2008 Server, Enterprise Edition, both 32-bit and 64-bit.  Full version with keys, 1 year time bomb.
  2. SQL Server 2008.  This is a CTP, not the final release.  I'd avoid installing this on any machine you like--use a virtual machine or something you can throw away later.  There is a registration code in the pocket with the EULAs for a license of the final version.  No mention of a time bomb.  I just tried to register, and the site craps out when you submit your form.
  3. Visual Studio 2008 Standard Edition.  This is the version one step above Express.  Its most notable feature limitation is the Office development.  That's right--all that cool MOSS/Office 2007 integration and workflow they demonstrated, well, you can't do that with this version (you need the Professional version at least).  A version comparison is at http://msdn2.microsoft.com/en-us/vs2008/products/cc149003.aspx.  No indication of a time bomb.
  4. Windows Vista Ultimate with SP1.  This was a nice surprise.  The full kitty, no expiration (the Windows Live One Care has a time limit, though).
  5. Microsoft Forefront and Microsoft System Center.  Two infrastructure tools marked as "Limited-Time Trial Software", but no indication of the time limit.  Forefront is Microsoft's network security suite, rolling up Antigen and other tools into one product.
  6. Windows Mobile 6 Developer Resource Kit.

Useful links from Launch:

If you want to review the presentations (or in our case, see them working), check out the Virtual Launch at http://www.microsoft.com/virtualevents/.  You need a Windows Live ID and Silverlight.  Apparently you can choose from several cities, but each time I selected something other than LA, I got a Silverlight error.

Download lab manuals for each demo at http://heroes.labmanuals.virtualwide.com/.  This is totally cool.  Get these and actually do what you saw (or would have seen if the demos didn't keep crashing).  Subject to the limited features of the Standard version, unless you have a better version handy.

Tuesday, April 15, 2008 1:38:06 PM (Eastern Standard Time, UTC-05:00)
 Monday, April 14, 2008

In addition to VS2008 Professional, SQL Server 2008 Developer and Windows Server 2008, there's also Vista Ultimate in the software pack.  If you haven't signed up yet, you need to.

Monday, April 14, 2008 8:34:10 PM (Eastern Standard Time, UTC-05:00)
Nice lunchbox swag, full of treats. Here's Shaun Eutsey with his.

Shaun and his swag

Monday, April 14, 2008 12:39:21 PM (Eastern Standard Time, UTC-05:00)

We're off to the VS 2008 Launch here in Pittsburgh at the convention center.  Just to add to the fun, Hillary Clinton and Barack Obama are speaking at a union rally also at the convention center.

Monday, April 14, 2008 10:03:42 AM (Eastern Standard Time, UTC-05:00)
 Friday, April 11, 2008

My buddy Shaun has an immediate need for four midlevel .NET developers in Pittsburgh.  You can contact him at shaun [dot] eutsey [at] consultusa [dot] com if you're interested in hearing more.


<edit: email fixed />

Friday, April 11, 2008 6:52:57 PM (Eastern Standard Time, UTC-05:00)
 Thursday, April 10, 2008

I receive a lot of feedback from my ASP Alliance articles, usually comments.  I don't typically answer via e-mail, since that doesn't help the community.  Today I received the following message, and felt it was blog worthy.

Referring URL: http://aspalliance.com/532
Dear Rechard,

I have always been using Datasets and they have given me consistent Results. In fact, I DO NOT USE Report Viewer but export CR Report to a PDF File and then give it to the user as a URL.

BUT, WHEN DATA IS VERY LARGE, THE DATASETS GIVE PROBLEMS such as out of Memory, server not available, Timeouts, hanging etc. I have asked this question to many forums as to how to handle large data sets in ASP.Net with CR.Net. But, nobody has given me any satisfying answer.

I really want to know as to how to solve this problem.

Will You please Help Me.

With Warm Regards,

DN

Here's the problem--the amount of memory which can be utilized by an ASP.NET web app is 2GB (3GB if you use the /3GB switch).  If your dataset exceeds 2GB on a Windows 2003 Server, you will get a Server Not Available error.  Less than but close to 2GB will cause a significant decrease in performance or warnings about memory.

The answer is simple--you need a smaller dataset!  A 2GB dataset is far too large, especially when you're feeding it into Crystal Reports.  It sounds like you are dumping every bit of raw data into the report, and having the report process and present the data.  You really need to have your database queries doing more of the filtering and processing, then return a significantly smaller dataset.  In a web environment, it's best if you only do presentation in your reports--leave the calculations and filtering to the database.

Thursday, April 10, 2008 9:23:13 PM (Eastern Standard Time, UTC-05:00)
 Monday, March 31, 2008
Want to get your hands on SQL Server 2008, but don't have any hardware?  Check out www.sqlserverbeta.com.  You get RDP access to a SQL Server 2008 server, with your own account space so you can test your scenarios in a quasi-real world environment.  From their site:

So set your sights on the horizon and take advantage of this chance to play with real-world technology before it hits the mainstream - test it with your real-world data, with your own custom scenarios, while it's still under development. This is your chance to influence the product that you use every day - in a secure, hosted working environment.

Important Note: This Beta offer should not be used for production systems, but can be used to fully test and experience Microsoft's newest, most intelligent data platform in a hosted environment free of charge.

Create your own brave new world - experiment, test, explore and push SQL Server 2008 to its limits - then report back to your fellow explorers on your experience in the Community discussion forums and blogs. Compare your findings with your peers and colleagues - and share your opinions and assessments.

SQL Server Beta is a joint effort between PASS, MaximumASP and Dell.  Hat tip: SQL Server Magazine.
Monday, March 31, 2008 9:03:00 AM (Eastern Standard Time, UTC-05:00)