Monday, January 12, 2004

streaming to an application from a web page ...

One interesting, simple thing I worked on today (to solve a problem encountered by a couple of friends) is streaming a dynamically generated pdf, or another type of file, to the user without first storing it in the file system.

Well, it is easy to change the header information (content-type essentially), remove all the unwanted headers and content (Response.Clear() ) so that the normally generated HTML does not corrupt the pdf file ... etc.

The problem is what happens when the client doesn't have a pdf reader (Acrobat Reader) add-in installed in his browser. The browser will then simply propose to save the file, and the filename will be that of an aspx file (or whatever server-side page is used), since the client requested an ASP.NET page ...

To handle this situation, there is a simple (comment if you think it is complex) way :

  • Map the pdf extension to the ASP.NET engine: in IIS, go to the application configuration and add the extension .pdf, with the executable C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll, as shown in the following picture

This by itself can do the trick, but it forces a very inelegant (and error-prone) solution: simply renaming the .aspx page to .pdf. A more elegant solution is not to use an aspx file at all for the pdf generation, and to do the next two steps:

  • Create an HttpHandler that deals with the pdf generation. It can get the request parameters (or form parameters), generate the pdf, and stream it right back to the client. The code to do that is illustrated in the following sample:

 

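using System.Globalization;
using System.Web;

namespace Malek.Utils {

public class PdfFileHandler : IHttpHandler {

    // Required by IHttpHandler; the handler keeps no per-request state.
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context) {
        // Request.Path excludes the query string, so the check still passes
        // when request parameters are present (RawUrl would include them).
        if (context.Request.Path.ToLower(CultureInfo.InvariantCulture).EndsWith(".pdf"))
        {
            // do the pdf generation, and get it in a byte array (here, a variable called content)
            // GeneratePdf stands for your own generation routine (hypothetical name, not shown)
            byte[] content = GeneratePdf(context.Request);

            context.Response.ClearHeaders();
            context.Response.ClearContent();
            context.Response.ContentType = "application/pdf";
            context.Response.OutputStream.Write(content, 0, content.Length);
            context.Response.End();
        }
    }
}

}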

The generated dll needs to be placed in the bin directory of the application's virtual directory.

  • Add configuration code to direct calls for pdfs to the handler, as illustrated in the following Web.Config excerpt:

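     <configuration>
          <system.web>
               <httpHandlers>
                    <!-- type is "Namespace.Class, AssemblyName"; the class name must match the handler class above -->
                    <add verb="*" path="*.pdf"
                         type="Malek.Utils.PdfFileHandler, PdfHandler" />
               </httpHandlers>
               <!-- rest of the config file -->
          </system.web>
     </configuration>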
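
As an added example (not code from the original post), here is a variant of the handler that validates the request parameter it uses and sets a Content-Disposition header, so a browser without a pdf add-in saves the file under a .pdf name. The namespace, the class name, the `id` parameter and the placeholder GeneratePdf routine are assumptions made for illustration.

```csharp
using System.Globalization;
using System.Text;
using System.Web;

namespace Example.Utils   // hypothetical namespace, not the post's
{
    public class ReportPdfHandler : IHttpHandler
    {
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            string raw = context.Request.QueryString["id"];   // "id" is an assumed parameter
            if (!IsValidId(raw))
            {
                // Reject anything that is not a short run of digits before it
                // reaches the generator or a response header.
                context.Response.StatusCode = 400;
                return;
            }
            int reportId = int.Parse(raw, CultureInfo.InvariantCulture);
            byte[] content = GeneratePdf(reportId);

            context.Response.ClearHeaders();
            context.Response.ClearContent();
            context.Response.ContentType = "application/pdf";
            // The file name is built from the parsed integer only, so no quote,
            // CR or LF taken from the request can end up in the header value.
            context.Response.AddHeader("Content-Disposition",
                "attachment; filename=\"report-" + reportId + ".pdf\"");
            context.Response.AddHeader("Content-Length",
                content.Length.ToString(CultureInfo.InvariantCulture));
            context.Response.OutputStream.Write(content, 0, content.Length);
            // Returning here instead of calling Response.End() avoids the
            // ThreadAbortException that End() raises.
        }

        // Allow-list check: 1 to 9 ASCII digits, nothing else (fits in an int).
        private static bool IsValidId(string s)
        {
            if (s == null || s.Length == 0 || s.Length > 9) return false;
            foreach (char c in s) if (c < '0' || c > '9') return false;
            return true;
        }

        // Placeholder (assumption): constructed bytes, not a valid PDF. A real
        // generator would render the document for reportId here.
        private static byte[] GeneratePdf(int reportId)
        {
            return Encoding.ASCII.GetBytes("%PDF-1.4\n% report " + reportId + "\n%%EOF\n");
        }
    }
}
```

It is registered in Web.Config the same way as the handler above, with its own class and assembly name in the type attribute.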

 


1/12/2004 9:05:41 PM UTC

  Sunday, January 11, 2004

one more stupid assertion : "Linux is secure, because I say so" ...

   In an article by Jaikumar Vijayan on Computer World, titled "Flaws raise red flag on Linux security", a compilation of nonsense takes place (my remarks in blue)... :

<< The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J. >>  If this is true, then the problem is just starting. This same message has been used by Microsoft for some time, and the Linux community was simply saying it is not true, and that Linux was a better and more secure environment

<< "The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them.">>  In simple words, this reads as: Linux is less secure than others because everyone has access to the source code, and hackers have a better chance to find and exploit the vulnerabilities. Point well taken ... This guy is great at shooting himself in the foot ...

<< "I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.>> Well, I thought the opposite had just been stated in the preceding paragraph. Then, what does quickly mean? The latest vulnerability discovered by iSec is found in versions 2.2, 2.4 and 2.6 (I have seen reports saying it exists in every kernel version). Version 2.2 has existed at least since January 1999 (I found a version from 1/26/99 that can be downloaded from kernel.org). So, if 4 years is quick, I don't know what slow is ... If what is meant is that, after the vulnerability has been exploited and has done all the damage it wants, it will not take long before a patch is there, I bet the same goes for any system (I am a big Windows user, and usually, when a vulnerability that was not known before is found, a patch comes out in the following couple of days, so what is the argument? ...)

<<"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.>> Again, talking about security as relying on network and firewall only is a huge idiocy, especially when the issue is elevation of privilege through buffer overruns. No firewall will stop a legitimate user from accessing with his restricted rights; the problem is that it is all that is needed to exploit the buffer overrun, and gain access as root... On disabling nonessential services, it is absolutely not a valid argument against Windows, because you can disable nonessential services on every version of Windows, and it is the default on Windows 2003. So if the message is that Windows was not secure before Windows 2003 ...

<<"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows.">> I guess I shouldn't even bother commenting on this one ... Linux easier to configure than Windows ???

What really bothers me is that Linux might have its own advantages in some situations, but what are those people talking about? Every remark they make is simple bashing of Windows with absolutely no basis, and the article, in the way it compiles those remarks, makes the contradictions even clearer ... Are they selling Windows or what?


1/11/2004 7:38:19 AM UTC

  Monday, November 17, 2003

Is Linux a viable choice for servers

Of course Linux is not a viable choice for the desktop (even Red Hat says so), but is it for servers?

A few untrue perceptions (secure, free, fast ...) about Linux and its value for the enterprise lead many people to think so. Here are my two cents:

1- Linux is secure :

OpenBSD                              8
Trustix                             18
EnGarde                             20
Microsoft (Windows all versions)    26
SuSE                                32
Sun                                 41
Mandrake                            82
RedHat                              82
Debian                             139

  • As this claim of Linux being more secure gets the number of deployed Linux systems up, the vulnerabilities start rising quickly (two years ago, one had to add up all Linux vulnerabilities for all distributions to get a number close to that of a single Windows version. Today, one adds up all the vulnerabilities of all versions of Windows to get a number far below that of single distributions of Linux.) How much longer can this message of

2- Linux is free :

  • Is it really free? The cost of ownership of software is never just the cost of the licensing. It includes deployment, maintenance, and operation. This would at least make Linux not really much cheaper than commercial OSs.
  • In a server environment, especially in the enterprise, servers are not independent stand-alone machines. They have to fit into Kerberos realms and use LDAP, which are never out-of-the-box features on Linux, and this usually becomes: go get the download, then spend a good portion of your time (never free in the enterprise) making it work, at your own risk for later maintenance and support ...
  • The cost of the Application Servers, Transactional Monitors, Middleware and Message Brokers makes any difference in the OS costs insignificant.
  • Do we really want a free OS? The binding relation between a vendor and the enterprise is that of customer and vendor, i.e. the licence purchase. If there is no such relation between them, there can be no binding guarantee on the quality of the software, or on fixing any problems that might arise later. It was not hard for Red Hat to simply say they will stop producing, supporting or patching Red Hat Linux. It was so easy for them to say so because their product was free. Do we want to base our system on an OS that can just decide someday to vanish?

3 - Linux is Fast :

  • While Linux can be a performant solution for appliances, it certainly loses some of its performance appeal when there are serious applications on top of it. The OS is much lighter than Windows, for example, but as one starts adding the necessary modules such as LDAP, Kerberos, Transactional monitor, Web Services, Message Broker, etc., its performance is much more linked to the performance of the application server used. To compare, for example, the performance of Linux and Windows, one should compare WebSphere over Linux, or WebLogic over Linux, with Windows 2003. Then Linux is no longer performant.

4- Linux is there to last :

  • Although I never like making "prophecies", I will still venture a sentence that might seem full of pretension and irrationality: Linux will not last much longer. What I mean is basically that it will not continue evolving as open source. There will be quite a few commercial products based on Linux, but they will have a very hard time competing, and keeping out of trouble, among all the copyright violations that made up Linux in the first place. When I look at the Red Hat Licence pricing (on average 3 times more expensive than Windows if we allow a version of Windows to be used for three years).
  • There cannot be a business model based on free products. Therefore, either the product becomes a paid one, or it vanishes from the marketplace. There can be community software that is open source and free, but it will never be interesting for the enterprise to use such unsupported, loosely tested software...

11/17/2003 4:24:11 PM UTC