September 2004 - Posts
I have an application (originally a Windows Service, now testing with a Console mode application).
The program works perfectly on my home network. On the site where it needs to be deployed, the problem is this: The connection works perfectly, yet when I do a DataAdapter.Fill() or Command.ExecuteReader(), it never returns, and times out. I initially thought it was a very slow query, but the same thing happens when the SQL is to return a single row based on a value of the primary key (which should return immediately).
The only thing unusual is that the program is accessing the SQL Server over a VPN. I do not think this is the issue, as the connection connects just fine (meaning there is no port issue). I have no real physical access to the live database server.
UPDATE: Turns out that the key to the solution was that the VPN was fragmenting packets, and apparently SQL Server 2000 unpatched (and I presume the server I am getting to is unpatched) has a problem with Fragmented Packets. Changed a VPN tunnel setting, and all was well.
This really is technology related, even though it is also about the election and politics. Fox News reports on a video showing a monkey hacking a Diebold vote tabulating machine.
OK, so the monkey has to actually get to the vote tabulating machine, but inside the article has somewhat more disturbing news about the GEMS program that handles the tabulation of votes:
GEMS requires users to enter a password to access the vote totals, but Harris showed that the totals can also be opened -- and altered -- with Access, without ever running GEMS.
If you are familiar with Access and how it is used and misused, then you know that the developer of this system did not even use the incredibly hackable Access security on this application. While there are password crackers aplenty for Access user security (a Google search for "Jet Security Crack" shows about 83,000 results), Diebold did not even use that! They rely on the application security only, ignoring even the most basic of security offered by the database system they are using.
A Maryland Election official is also quoted:
But Maryland election officials agreed with Bear that no hacking can happen unless the hacker is physically at the computer.
This sort of thinking makes my head explode! Of course you need to have access to the machine. And no one in the Board of Elections has any possible interest in the outcome of an election, right? And all Board of Election workers are aware of the need to watch these machines, right? Yea, right. Anyone besides me want to pick up a copy of the .NET Developer's Guide to Security by Keith Brown and mail it to the software development group at Diebold? I am reading it now, and there is an excellent section on Defense in Depth, as well as Countermeasures that would hopefully bring the developers to their senses. Is there any Diebold software developer out there that can defend deploying an election database without at least using all the security tools provided by the database system? How about defending use of Access rather than MSDE or some other more secure database?
I have long opposed licensing for Software Developers; however, I think that in situations like this, where the scary bad programmers we often have living in the next cubicle are actually the ones controlling the election, perhaps the time has come, at least for elections, clinical applications and other government-threatening or life-threatening systems.
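The gap described above (a password enforced only by the application, over a data file that other tools can open) is shown here as an added example; it is not code from the post or from any voting system. SQLite stands in for the file-based database, and the table layout, password, key and row values are constructed; the per-row HMAC is one possible extra detection layer chosen for this example, with its key assumed to live outside the data file.

```python
import hashlib
import hmac
import json
import sqlite3

# All values below are constructed for illustration.
APP_PASSWORD = b"constructed-app-password"
INTEGRITY_KEY = b"constructed-key-stored-outside-the-data-file"
ROWS = [("P1", "A", 120), ("P1", "B", 95), ("P2", "A", 80)]

def row_tag(precinct, candidate, votes):
    """HMAC over one row; only a holder of INTEGRITY_KEY can recompute it."""
    msg = json.dumps([precinct, candidate, votes]).encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()

def create_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE totals (precinct TEXT, candidate TEXT, votes INTEGER, tag TEXT)")
    conn.executemany("INSERT INTO totals VALUES (?, ?, ?, ?)",
                     [(p, c, v, row_tag(p, c, v)) for p, c, v in ROWS])
    conn.commit()
    return conn

def app_read_totals(conn, password):
    """Application-layer gate: checked only when access goes through this function."""
    if not hmac.compare_digest(password.encode(), APP_PASSWORD):
        raise PermissionError("wrong application password")
    return conn.execute("SELECT precinct, candidate, votes FROM totals ORDER BY 1, 2").fetchall()

def edit_outside_app(conn):
    """Stands in for opening the data file with another tool: no password is asked."""
    conn.execute("UPDATE totals SET votes = 950 WHERE precinct = 'P1' AND candidate = 'B'")
    conn.commit()

def tampered_rows(conn):
    """Return the (precinct, candidate) keys whose stored tag no longer matches."""
    rows = conn.execute("SELECT precinct, candidate, votes, tag FROM totals ORDER BY 1, 2")
    return [(p, c) for p, c, v, tag in rows if not hmac.compare_digest(tag, row_tag(p, c, v))]

def demo():
    conn = create_db()
    before = tampered_rows(conn)
    edit_outside_app(conn)
    return before, tampered_rows(conn), app_read_totals(conn, "constructed-app-password")

if __name__ == "__main__":
    print(demo())
```

The application happily returns the altered total, while the tag check flags the edited row. The tag does not catch deleted rows or an editor who also holds the key, so it complements database-level access control and does not replace it.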
I have been looking into doing some WSE development (WS Security specifically interested me). In looking carefully at the issues involved (including the issue Scott mentions here), I am wondering whether a move to WS-Security and the rest will buy me anything over and above using Web Services over https? The amount of data transferred using the Web Service in question is relatively small, and the SSL overhead has never been an issue. I currently own the code on both ends of the Web Service request.
Has anyone done any serious study of this?
UPDATE: Apparently, they have done a lot of study on this. For instance, here.
So, I am doing a moderately complicated ASP.NET form in an Intranet environment, and for the first time I am making extensive use of SmartNavigation as well as AutoPostback. When it works, it is cool, and allows this overly complex form (over which I have no design say) to work correctly. Almost.
The problem is this: Sometimes, when the form is first loaded, the first AutoPostback clears the form, as if the Reset button was pressed. I cannot currently reproduce it on my machine, but others are able to reliably, and I did see it once or twice on my machine.
Is this a known problem? Does anyone know of a workaround?
Update: Werner posted a comment about a control, SmartScroller by Strength Technologies. Amazing. Why this company can create what at first glance appears to be the perfect scroll handler, and Microsoft cannot is just beyond me.