Sabine's Couscous Salad

Posted in Recipes (German) at Thursday, 14 June 2007 23:20 W. Europe Daylight Time
  • 500 g couscous, ready steamed
  • cucumber, diced
  • tomatoes, diced
  • feta, diced
  • if desired, finely sliced black olives and finely chopped garlic
  • 2 lemons
  • salt, pepper, olive oil

Mix all ingredients with a little olive oil. Season with pepper and salt and the juice of two lemons. Optionally stir in finely chopped garlic and olives. Tastes good both cold and lukewarm.

Now Playing: Ulrich Schnauss – Goodbye – A song about hope

Thanks

Posted in NonTech at Monday, 11 June 2007 17:22 W. Europe Daylight Time

Surprise Geocaching Rally

Thank you for the best birthday present!

Marci, Robert, Robert, Markus, Claudi, Ebi, Sabine, Gunnar, Antje, Sabine, Silke, Martin, Sabine W., Susanne, Anita, Gesa, Susi, Torsten, die Alex, Äffchen, Anna, Kay, Maria, Evy and Andreas from the Späti.

More On Rocket Science

Posted in Fun Stuff | NonTech at Saturday, 09 June 2007 19:42 W. Europe Daylight Time

Like last year, I had a very relaxing and fun Whitsun weekend with my friends two weeks ago.

This year we continued our attempts at building and launching water rockets, and our engineers Marci and Robert refined their efforts to build rockets that deserve the name. In 2006 we had only a single rocket with one stage (i.e. a 1.5-liter Fanta bottle), but this time they ventured into designing some multi-stage rocket models. This is where the real fun begins. According to this DIY plan you can create rockets from an indefinite number of joined bottles. And do not forget the multi-rocket human missile launch. Today Jens uploaded the videos he took while we were lying in the grass preparing the rocket launches.

We also had two rockets explode because of excess pressure. One model, while bursting, basically destroyed Robert's self-made launch pad (an empty bin placed upside down and equipped with a Bowden cable launch mechanism).

What else did we do? Let me tell you, there was quite a bit of barbecue involved. Robert recorded one of his excellent mixtapes live in front of the whole crowd. Slick.

Robert on the decks

Now Playing: Extended Spirit – Caprice

How To Secure Your dasBlog Installation

Posted in dasBlog | Security at Friday, 08 June 2007 09:44 W. Europe Daylight Time

dasBlog has a pretty large user base, and while browsing some dasBlog sites I occasionally check whether they're set up securely. It's not that dasBlog is inherently insecure, but some installations allow for information leakage, and most users aren't even aware of this.

Basic setup

There are a couple of locations where you can set up security for any ASP.NET application:

  • NTFS security,
  • IIS virtual directory and folder security,
  • web.config <authentication> element or an HttpForbiddenHandler for certain ASP.NET file extensions.

Note that on Windows Server 2003 and earlier, web.config settings only apply to file extensions mapped to ASP.NET. I am working on IIS 6 here, and while I like to keep my security settings in (mostly) one place, I usually go with a generic read-access configuration in IIS and set the more fine-grained permissions using NTFS.

When deploying dasBlog to your web server you will likely enable read access to the dasBlog folder for the IUSR and NETWORK SERVICE accounts on the NTFS Security tab. This gives the IIS and ASP.NET runtimes the rights they need to work. On the /logs, /content and /SiteConfig directories you will also need to enable change access for the NETWORK SERVICE account, since this is where dasBlog stores its working data. (dasBlog runs under the IIS worker process identity, which is NETWORK SERVICE on Windows Server 2003 and ASPNET on Windows 2000 and XP.) If anything is set up incorrectly you'll see the configuration error page when you try to configure your blog or post a blog entry.

| Folder | IUSR access | NETWORK SERVICE access | Notes |
|---|---|---|---|
| /dasBlog root | R | R | |
| /bin | RI | RI | Contents protected by ASP.NET |
| /content | RI | RI, W | Blog posts, comments, trackbacks |
| /content/binary | RI | RI, WI | Binary content, i.e. images and enclosures |
| /content/profiles | RI | RI, WI | User profiles |
| /DatePicker | RI | RI | |
| /ftb | RI | RI | |
| /images | RI | RI | |
| /logs | RI | RI, W | Log files |
| /SiteConfig | RI | RI, W | Config and error pages |
| /smilies | RI | RI | |
| /themes | RI | RI | |

Legend: R=Read, RI=Read (inherited), W=Write, WI=Write (inherited)

The /logs folder

Sometimes when I visit a random dasBlog site I try to download one of dasBlog's log files, which are located in the /logs folder. Since IUSR's read access is most likely inherited (RI) in this folder, anonymous users can download log files. The log file name format is publicly known, so, for example, the /logs/2007-06-08-referrer.log.zip file contains the referrers for today. This information leakage can easily be mitigated by denying IUSR read access to the /logs folder. However, I've found at least three high-traffic blogs where this was not the case (I e-mailed the owners; things are fixed now).

Themes

Another problem that came up recently on the developer mailing list was how to keep blog templates private. Since we already register the HttpForbiddenHandler for *.blogtemplate files, and IIS doesn't serve files for which no MIME type is configured, this is really a non-issue. The template's manifest file, however, will be served, but that should not bother you since there's no valuable information in it.

Special Case: The /content folder

One rather interesting place is the /content folder. Your posts, comments and blogged binary content like images are stored there. The /content/binary subfolder holds images and enclosures, i.e. basically everything you attach to a certain post. The /content/profiles folder serves as a container for user profiles, stored in <Username>.format.html files. Please note that *.format.html files are always templated and served through FormatPage.aspx, that is, they are never accessed by IUSR directly.

With the basic setup above, read access for anonymous users is enabled in the /content folder and its subfolders. Thus, anonymous users are able to get the raw post data by requesting the *.dayentry.xml and *.dayfeedback.xml files for a certain date, e.g. /content/2007-06-08.dayentry.xml. Again, the file name pattern is no secret.
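To verify your own installation against both leaks discussed above (the /logs download and the raw /content XML files), here is an added PowerShell check that is not part of the original post or of dasBlog; it requests today's files as an anonymous client and reports whether the server hands them out. $SiteUrl is an assumed placeholder for your blog's base URL.

```powershell
# Added example, not from the original post: check your OWN dasBlog site as an
# anonymous visitor for the leaks described above. $SiteUrl is an assumption.
param([string]$SiteUrl = "http://blog.example.com")

function Get-AnonymousStatus {
    param([string]$Url)
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = "GET"
    $request.Credentials = $null      # send no Windows credentials, like a random visitor
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        $err = $_.Exception
        if ($err.Response) { $status = [int]$err.Response.StatusCode } else { $status = -1 }
    }
    return $status
}

$today = Get-Date -Format "yyyy-MM-dd"
$paths = @(
    "/logs/$today-referrer.log.zip",    # today's referrer log (name format is public)
    "/content/$today.dayentry.xml",     # raw posts of the day
    "/content/$today.dayfeedback.xml"   # raw comments and trackbacks of the day
)

foreach ($path in $paths) {
    $status = Get-AnonymousStatus ($SiteUrl.TrimEnd("/") + $path)
    if ($status -eq 200) {
        $verdict = "LEAK: served to anonymous users"
    } elseif (@(401, 403) -contains $status) {
        $verdict = "ok: access denied ($status)"
    } elseif ($status -eq 404) {
        $verdict = "no such file today; re-run on a day with posts or traffic"
    } else {
        $verdict = "unexpected status $status, check manually"
    }
    "{0,-40} {1}" -f $path, $verdict
}
```

A 404 is not proof of a correct setup: the referrer log only exists once the day has seen referrers, so run the check on a day with traffic or against a date you know has a post.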

This last piece of public information should only be served through certain channels, like the templated front page or RSS. Because of dasBlog's folder structure, securing the /content folder is a bit tricky:

  • First, deny read access to the /content folder for the IUSR account.
  • Next, open the Security tab of the /content/binary folder and break NTFS inheritance there, copying all existing ACLs.
  • Then delete the Deny ACL for IUSR on /content/binary.

Secure Configuration

In the end, the NTFS security settings that work best for me look like this (changes from the basic setup are marked with an asterisk):

| Folder | IUSR access | NETWORK SERVICE access | Notes |
|---|---|---|---|
| /dasBlog root | R | R | |
| /bin | RI | RI | Contents protected by ASP.NET |
| /content | RI, RD* | RI, W | Blog posts, comments, trackbacks |
| /content/binary | R* | R, W* | Binary content, i.e. images and enclosures |
| /content/profiles | RI, RDI* | RI, WI | User profiles |
| /DatePicker | RI | RI | |
| /ftb | RI | RI | |
| /images | RI | RI | |
| /logs | RI, RD* | RI, W | Log files |
| /SiteConfig | RI, RD* | RI, W | Config and error pages |
| /smilies | RI | RI | |
| /themes | RI | RI | |

Legend: R=Read, RI=Read (inherited), W=Write, WI=Write (inherited), RD=Deny read, RDI=Deny read (inherited)

Please note that on Windows, Deny ACLs always take precedence over Allow ACLs.
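The same configuration can be scripted instead of clicked through the Security tab. The following PowerShell script is an added example, not code from the original post or from dasBlog; it drives icacls (included from Windows Server 2003 SP2 onwards) to apply the three /content steps and the Deny entries from the table above. $Root and the account names are assumptions you need to adjust.

```powershell
# Added example, not part of the original post: apply the secure NTFS settings
# from the table above with icacls (Windows Server 2003 SP2 and later).
# $Root and the account names are assumptions; adjust them for your server.
param(
    [string]$Root      = "D:\inetpub\dasBlog",
    [string]$Anonymous = "IUSR_$env:COMPUTERNAME",   # anonymous IIS account
    [string]$Worker    = "NETWORK SERVICE"           # IIS 6 worker process identity
)

function Invoke-Icacls {
    param([string[]]$Arguments)
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($Arguments -join ' ')" }
}

# Basic setup: read & execute on the root for both accounts, inherited downwards.
Invoke-Icacls @($Root, "/grant", "${Anonymous}:(OI)(CI)RX", "/grant", "${Worker}:(OI)(CI)RX")

# Working data: the worker process needs change (modify) access here.
foreach ($dir in "content", "logs", "SiteConfig") {
    Invoke-Icacls @("$Root\$dir", "/grant", "${Worker}:(OI)(CI)M")
}

# RD in the table: deny anonymous read on /content, /logs and /SiteConfig.
# /content/profiles inherits this deny (RDI); *.format.html is served via FormatPage.aspx only.
foreach ($dir in "content", "logs", "SiteConfig") {
    Invoke-Icacls @("$Root\$dir", "/deny", "${Anonymous}:(OI)(CI)R")
}

# /content/binary must stay downloadable: break inheritance but keep copies of
# the inherited ACEs (/inheritance:d), then remove the copied Deny for IUSR.
Invoke-Icacls @("$Root\content\binary", "/inheritance:d")
Invoke-Icacls @("$Root\content\binary", "/remove:d", $Anonymous)

# Print the resulting ACLs so the Deny entries can be eyeballed.
foreach ($dir in "content", "content\binary", "content\profiles", "logs", "SiteConfig") {
    & icacls.exe "$Root\$dir"
}
```

Run it from an elevated prompt on the web server; afterwards, post a test entry to confirm the worker process can still write to /content, /logs and /SiteConfig.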

Discuss

If you're a dasBlog developer or user, please feel free to leave a comment if you (dis)like this solution, have a question or suggestions for a better solution.

Now Playing: Robert Mechs – The OGD Sessions Vol. 2

The Case Of The Negative Ping

Posted in Networking at Wednesday, 06 June 2007 00:29 W. Europe Daylight Time

Recently I got a new server that will host this blog and other web sites. I hope you'll experience a more stable and faster The Right Stuff, since we're still having problems with our DSL line at home. Basically, the attenuation is way too high, which causes the occasional disconnect, resulting in weird error messages for you, Dear Reader. Downgrading to DSL 3000 wasn't an option until now because we wanted our web sites to be served as fast as possible. But this is all over now, at least for you, and we're just left with our internet connection dropping in the middle of a Skype call. Murphy's Law, that's nice.

Today I moved Torsten's blog over to the new server (we're sharing the machine and the bills) since I'm kind of the dasBlog guy here – that's what you become when you've added a bunch of features.

After copying dasBlog's files to the new machine, I tested whether Torsten had already updated the DNS record for the blogs.compactframework.de host and ran a ping on the server console. See what I got:

Ping wird ausgeführt für blogs.compactframework.de [85.25.130.52] mit 32 Bytes Daten:

Antwort von 85.25.130.52: Bytes=32 Zeit=-7ms TTL=128
Antwort von 85.25.130.52: Bytes=32 Zeit=-7ms TTL=128
Antwort von 85.25.130.52: Bytes=32 Zeit=-7ms TTL=128
Antwort von 85.25.130.52: Bytes=32 Zeit=-7ms TTL=128

Ping-Statistik für 85.25.130.52:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = -7ms, Maximum = -7ms, Mittelwert = 1073741817ms

Negative ping times and an average round trip of 12 hours. Normally you would complain about slow ping times, but this one has been faster than light. Google to the rescue! A little search revealed that this behaviour is caused by a timing issue with the AMD dual-core CPU that's built into the server. Because Torsten is a strong advocate of AMD, nitpicking on my Intel CPU all the time, I am glad to see that AMD isn't perfect. ;-)
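The bizarre "Mittelwert" in the output above is exactly what you get when four samples of -7 ms are summed into a 32-bit unsigned accumulator and then divided by four. This added PowerShell snippet (not from the original post; the accumulator model is an assumption about ping's arithmetic, not its actual source) reproduces the figure.

```powershell
# Added example, not part of the original post. Assumed model: the round-trip
# sum is kept as a 32-bit unsigned integer, so negative samples wrap around.
function Get-PingAverage {
    param([int[]]$SamplesMs, [switch]$Unsigned32)
    $sum = [int64]0
    foreach ($s in $SamplesMs) { $sum += $s }
    if ($Unsigned32) {
        # Wrap the signed sum into the 0..2^32-1 range, as a uint32 accumulator would.
        # (Do not write 0xFFFFFFFF here: PowerShell parses that literal as -1.)
        $sum = $sum -band [int64][uint32]::MaxValue
    }
    return [int64][math]::Floor($sum / $SamplesMs.Count)
}

$samples = @(-7, -7, -7, -7)   # the four replies shown in the ping output above
$wrapped = Get-PingAverage $samples -Unsigned32   # 1073741817, the "Mittelwert" above
$signed  = Get-PingAverage $samples               # -7, what signed arithmetic would give
"unsigned 32-bit accumulator: {0} ms" -f $wrapped
"signed arithmetic:           {0} ms" -f $signed
```

-28 wrapped to 32 bits is 4294967268, and 4294967268 / 4 = 1073741817, so the average itself is not a second bug, just the negative samples showing through the integer math.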

As these posts suggest, one has to update the AMD CPU Windows driver (at the time of writing, it's the last but one download in the list). No big deal after all, but updating critical drivers over a Remote Desktop connection was kind of scary. Some minutes with a heavily beating heart later, you get the ping times you're used to:

Ping wird ausgeführt für blogs.compactframework.de [85.25.130.52] mit 32 Bytes Daten:

Antwort von 85.25.130.52: Bytes=32 Zeit<1ms TTL=128
Antwort von 85.25.130.52: Bytes=32 Zeit<1ms TTL=128
Antwort von 85.25.130.52: Bytes=32 Zeit<1ms TTL=128
Antwort von 85.25.130.52: Bytes=32 Zeit<1ms TTL=128

Ping-Statistik für 85.25.130.52:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 0ms, Mittelwert = 0ms

Now Playing: Zero 7 – Simple things – In the waiting line