October 2004 Entries
Lateral enough for ya...well, I'm at the bad end of a 34 hour workathon, taking a brief respite before starting again tomorrow...I'm getting too old for this, feeling just amazingly tired and ticked off with my chosen occupation (you know the type of thing!). Anyway, just noticed this great article on structs in C# - an overlooked but really pretty important topic, so...it'll take you 5 minutes and you might learn something - go look!
John Peel was one of the single most important people in British alternative music, very sad to see he's gone - the world will be a slightly less colourful place from now on...
Been busy the past few days trying to gain some ground on the project I'm currently working on; and balancing delivering a new 'application framework' versus actually delivering this single site...which is not easy! I've also been thinking about what I really want to do - and how I'm going to go about getting there. Problem is, I need inspiration; you know, something to really fire me up and get me interested in coding again because lately...
Ah well, the decision about where I want to be is a tricky one - old dilemma safe 'good enough' job versus risky 'job of my dreams' - in addition, the Microsoft bird has pretty much flown (can you tell how annoyed I am about that yet, talk about kicking yourself!). So this whole thing leaves me pretty much out on a limb and wondering where to go next...if anywhere!
So here's the question - are you doing the job of your dreams, if so what is it and what does it take to get there?
It's a great product and I really do recommend it...but well, they do offer a free $899 license just for linking to them!
We recommend the ABCUpload .NET file upload component...
This is a balance I never get right when building a new system, inevitably I either have a gorgeous UI and a fragile, hackneyed underlying system or a fantastic system design (so, loose coupling between strata, usable caching strategy, secure authorisation system, flexible templating etc...) and a UI that looks like it belongs in the early sixties on a hippy commune (let's say messy). I guess this is partly me; I have trouble context switching when building complex apps; and partly the nature of the development culture at my current company; single man with occasional designer input.
Anyway, anyone have any advice on how to merge these two areas? What tricks do you use to get great UIs as well as good application design?
Just read here, of course this is pure speculation right now but it would seem likely that if this is true (SQL Server 2005 is being delayed until Q3 2005 or so...) then Visual Studio 2005 will also be delayed by at least that much. This would be a terrible move - especially as MS are already encouraging people to move to using the 2005 products early and devoting entire editions of MSDN magazine to the product (which doesn't even have a go-live license yet!). The latest betas of VS 2005 seem pretty stable and ASP.NET 2.0 appears to be pretty feature complete (especially as many of the cooler features have recently been ditched), for many developers the SQL Server and VS releases do not need to be linked at all - it'd suck if you couldn't use the new cool CLR in DB features but it's not a killer.
In short, please Microsoft just get on and release VS 2005 as soon as it's ready - you'll get a lot of happy developers that way!
Sorry, really busy at my real job right now. Back to this soon. Oh, and a recommendation, I recently discovered a Radio Station which plays my exact taste in music (a VERY rare thing!). KEXP 90.3FM - unfortunately, they're in Seattle, fortunately they have awesome streams (including a nuts 1.4Mb/s uncompressed one!)
UPDATE: Just had my *first ever* request played on there too! Snow Patrol - Spitting Games! Yay!
I'm getting lots of little questions about ASP.NET by email - it's actually easier for me if you use MSN IM for this (or just to contact me in general if you want to discuss anything) - you can get me at v0nx@hotmail.com (do NOT email that address though, haven't checked it in about 3 years...)...mind you this way I'll never get an MVP
This has been the bane of my existence for about 18 months. This macro from Cory Smith provides the best solution I've seen so far for this problem, outputting clean formatted code and to demo this...below is an example of my favourite piece of code du jour (my reworking of the Server Side Viewstate stuff):
#region ServerSide ViewState handling code
// requires: using System; using System.IO; using System.Web.UI;

// the extension is to protect users from sniffing in on view state via a simple
// HTTP request
private static string FilePathFormat = Global.Config.ViewStateServerPath + "{0}" + Global.Config.ViewStateFileExtension;
private const string ViewStateHiddenFieldName = "__ViewStateGuid";

// creates a new instance of a GUID for the current request
private string pViewStateFilePath = Guid.NewGuid().ToString();

/// <summary>
/// The path for this page's view state information (GUID based).
/// </summary>
public string ViewStateFilePath
{
    get { return MapPath(String.Format(FilePathFormat, pViewStateFilePath)); }
}

/// <summary>
/// Saves the view state to the Web server file system.
/// </summary>
protected override void SavePageStateToPersistenceMedium(object viewState)
{
    if (Global.Config.ServerBasedViewState)
    {
        // serialize the view state into a base-64 encoded string and save it to disk;
        // the using block closes the file even if serialization throws
        LosFormatter los = new LosFormatter();
        using (StreamWriter sw = File.CreateText(ViewStateFilePath))
        {
            los.Serialize(sw, viewState);
        }
        // saves the view state GUID to a hidden field
        Page.RegisterHiddenField(ViewStateHiddenFieldName, pViewStateFilePath);
    }
    else
        base.SavePageStateToPersistenceMedium(viewState);
}

/// <summary>
/// Loads the page's view state from the Web server's file system.
/// </summary>
protected override object LoadPageStateFromPersistenceMedium()
{
    if (Global.Config.ServerBasedViewState)
    {
        // the hidden field comes back from the client, so parse it as a GUID
        // (the constructor throws on anything else) before it goes into a file path
        string vsGuid = new Guid(Request.Form[ViewStateHiddenFieldName]).ToString();
        string vsString = MapPath(String.Format(FilePathFormat, vsGuid));
        if (!File.Exists(vsString))
            throw new Exception("The Viewstate file " + vsString + " is missing!!!");
        else
        {
            // instantiates the formatter, reads the file (closed by the using block)
            // and deserializes the view state
            LosFormatter los = new LosFormatter();
            string viewStateString;
            using (StreamReader sr = File.OpenText(vsString))
            {
                viewStateString = sr.ReadToEnd();
            }
            return los.Deserialize(viewStateString);
        }
    }
    else
        return base.LoadPageStateFromPersistenceMedium();
}
#endregion
Pretty huh!
So, Slashdot got a hold of the story about the ASP.NET vulnerability (the backslash bug), as usual they're loving it over there. What I haven't seen much of though is mention of the fact that many sites were never affected by this - reason? URLScan for IIS 5 and IIS 6 (which incorporates much of URLScan already) have always blocked this type of attack - remember, URLScan was released in 2001 and it blocks a host of malformed URL type attacks (there've been a bunch before).
The current Microsoft advice is to add some code to each ASP.NET application, fine - but if you have a properly configured URLScan or IIS 6.0 - you've never been at risk of this attack. Whilst I'm pretty disgusted that such a simple error got through testing (and let's face it this will probably cost a few companies developing with ASP.NET a bit of business) it does reinforce the fact that you should never rely on a piece of code you can't inspect personally for your application's security.
UPDATE: The piece below has some new info - including an HttpModule which can patch all your apps...
Today we posted updated information to http://www.microsoft.com/security/incident/aspnet.mspx with additional information about the nature of the reported vulnerability and an additional mitigation best practice. Our additional guidance is an HTTP Module that you can install onto a server that will mitigate all ASP.NET applications on the box and protect them against canonicalization issues we knew about at the time of publication. This is easier than updating the global.asax for each application and if you are dealing with a whole lot of servers much easier to deploy. You can grab the MSI installer for the HTTP Module at http://www.microsoft.com/downloads/details.aspx?FamilyId=DA77B852-DFA0-4631-AAF9-8BCC6C743026. There is also a new KB posted at http://support.microsoft.com/?kbid=887289 that describes how to deploy the MSI and HTTP Module.
We will continue to update the landing page as new information or guidance becomes available, so keep checking back.
posted on Thursday, October 07, 2004 5:34 PM
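As an added illustration (not code from this post, and not the code of Microsoft's module), here is a sketch of the kind of per-request canonicalization check the two entries above describe: an HTTP module that refuses any request whose path contains a backslash or whose physical path is not already in resolved form. The class name `CanonicalPathModule` and the helper `IsCanonical` are hypothetical.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical module; register it under <httpModules> in web.config
// (or machine.config to cover every application on the server).
public class CanonicalPathModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = ((HttpApplication)sender).Request;
        // Reject before authorization or any handler runs.
        if (!IsCanonical(request.Path, request.PhysicalPath))
            throw new HttpException(404, "Not found");
    }

    // True only when the virtual path has no backslash and the physical
    // path is identical to what the file system would resolve it to.
    public static bool IsCanonical(string virtualPath, string physicalPath)
    {
        // Request.Path is the decoded path, so an encoded backslash
        // shows up here as a literal one.
        if (virtualPath == null || virtualPath.IndexOf('\\') >= 0)
            return false;
        try
        {
            // GetFullPath collapses "..", "." and doubled separators; any
            // difference means the request did not name the file directly.
            return Path.GetFullPath(physicalPath) == physicalPath;
        }
        catch (ArgumentException)
        {
            return false;   // illegal characters in the path
        }
        catch (NotSupportedException)
        {
            return false;   // e.g. a stray ':' in the path
        }
    }
}
```

A check like this belongs in front of URL authorization, since the point is that the path the authorization rules see and the path the file system serves must be the same string.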
OK, I know I said I was offline for two weeks...but it's Brendan's fault, he got me thinking about music again! Anyway, after listening to a whole bunch of horrible tuneless drivel on Shoutcast, I came across a fantastic tune by a band called 'I Am The Avalanche' - you can get a few of their tunes (legally Mr Ballmer) from here. Gotta say, this is some pretty awesome stuff...well worth a listen! Oh, and Bloody Symphony is my favourite
I'm taking time off from blogging for the time being - I want to get this thing on to a new server and get a ton of new bits added - the easiest way for me to do this is to leave this version as-is and modify a copy. So, see you all on the 19th of October!
I have made a point of avoiding speaking about my politics on this blog, partly because I don't think my politics are particularly interesting, but I watched the presidential debates last night (which finished at about 4am our time) and a press conference by our own home secretary detailing plans to introduce identity cards, GPS tracking of refugees and other 'security' measures - I have to admit, this makes me pretty sad.
I just thought the following quote was interesting given the current climate throughout the world. In the UK, I think we always have to remember that we had typically one terrorist attack a month for about 25 years until a few years ago resulting in the deaths of 3285 people (on all sides) - since then we've had no attacks at all...
"Of course the people don't want war. But after all, it's the leaders of the country who determine the policy, and it's always a simple matter to drag the people along whether it's a democracy, a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked, and denounce the pacifists for lack of patriotism, and exposing the country to greater danger."
-- Herman Goering at the Nuremberg trials
You can read about the history behind this quote here