Scott Hanselman

Kindness from an INETA Group and Kudos all around

October 13, 2004 Comment on this post [0] Posted in INETA | ASP.NET

I spoke at South Colorado.NET a little bit ago and had a blast. It was a great crowd, very active and outspoken. David Yack is the group organizer and did a fabulous job of hosting me. Today I was told he posted an Open Letter to INETA on Scott Hanselman on his blog. Wow, that's VERY kind; apparently the talk was well thought of.

Here are a few choice tidbits that helped make my day:

I honestly think that if more people knew how good the session would have been I could have doubled attendance!

After Scott’s presentation, I can’t tell you the number of members that expressed their feeling that he did an excellent job presenting and keeping the group engaged.

While all of our speakers from INETA were great, Scott just stood out a little more and I felt he should get recognition for that.

I also want to continue to express our thanks for INETA providing the speakers to our group – this is by far, in my opinion, the biggest impact that INETA provides to our user group.

I agree that Kudos go to INETA and everyone in the Speaker's Bureau. I do about 4 to 6 of these a year, and I always have a blast.  It's cool to be a part of such excitement around .NET. Thanks to Dave and to INETA for providing such a great service.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook bluesky subscribe
About   Newsletter
Hosting By
Hosted on Linux using .NET in an Azure App Service

Getting a BASE64'ed Adobe Acrobat PDF file out of a Soap Envelope with Classic ASP

October 12, 2004 Comment on this post [0] Posted in ASP.NET | TechEd | Web Services | XML

UPDATE: Simon Fell caught me in the midst of evil, as he rightfully points out that when one bypasses a SOAP Stack and "does their own thing" as I have here, I must perform the SOAP Processing Rules. I've updated the code below, changes in RED.

NOTE: In the interest of correctness, I've included namespace qualification in the NEW code.

A fellow emailed me wanting to get a PDF file out of a SOAP Envelope and write it directly out to the browser using Classic ASP.  Here's the code I used:

<%
Set m_Doc = Server.CreateObject("MSXML2.DOMDocument.4.0")
m_Doc.async = false
m_Doc.ValidateOnParse = false
'This could come from wherever: ADO, a file, another Web Service.
m_Doc.Load Server.MapPath(".") + "\soapresponse.txt"
m_Doc.setProperty "SelectionNamespaces", "xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/' xmlns:def='http://localhost/'"

'There's nothing that I DO understand, so if there's anything I must, I'm screwed.
Set oHeader = m_Doc.selectNodes("//soap:Envelope/soap:Header/*[@soap:mustUnderstand = '1']")
If (Not oHeader Is Nothing) Then
   If (oHeader.Length > 0) Then
      Response.Write("Crap! I can't continue! What to do?")
      Response.End
   End If
End If

'Yes, it's a // XPath, but that's the LEAST of our problems before we get into microperf
Set oNode = m_Doc.selectSingleNode("//def:GetImageAsBase64Result")
'This is the Magic that makes it possible.  Otherwise you'll get a string.
oNode.dataType = "bin.base64"
Response.ContentType="application/pdf"
Response.AddHeader "Content-Disposition", "filename=whatever.pdf"
Response.BinaryWrite oNode.nodeTypedValue
%>

This is given a SOAP Response like this:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetImageAsBase64Response xmlns="http://localhost/">
<GetImageAsBase64Result>JVBERi0xLjI SNIP....etc...
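
The same processing as an added Python example (not code from the original post): it applies the mustUnderstand rule, decodes the result element strictly, and checks for the %PDF- signature (the JVBERi0 prefix in the sample above) before the bytes would be served as application/pdf. The `understood` parameter, `SoapProcessingError` and `build_sample` are names assumed for this example, and the envelope it builds is constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Names below (understood, SoapProcessingError, build_sample) are assumptions
# made for this example; the namespaces come from the post's sample response.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DEF_NS = "http://localhost/"
NS = {"soap": SOAP_NS, "def": DEF_NS}
RESULT_PATH = "soap:Body/def:GetImageAsBase64Response/def:GetImageAsBase64Result"

class SoapProcessingError(Exception):
    """The envelope must not be processed any further."""

def extract_pdf(envelope_xml, understood=frozenset()):
    """Return the PDF bytes from GetImageAsBase64Result or raise."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        raise SoapProcessingError("envelope is not well-formed XML") from exc
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise SoapProcessingError("root element is not a SOAP 1.1 Envelope")
    # SOAP processing rule: refuse when a header block marked
    # mustUnderstand="1" is one this receiver does not implement.
    for block in root.findall("soap:Header/*", NS):
        flagged = block.get(f"{{{SOAP_NS}}}mustUnderstand") == "1"
        if flagged and block.tag not in understood:
            raise SoapProcessingError(f"cannot honour header {block.tag}")
    result = root.find(RESULT_PATH, NS)
    if result is None or not (result.text or "").strip():
        raise SoapProcessingError("GetImageAsBase64Result missing or empty")
    try:
        # validate=True rejects characters outside the base64 alphabet.
        data = base64.b64decode("".join(result.text.split()), validate=True)
    except ValueError as exc:
        raise SoapProcessingError("payload is not valid base64") from exc
    # Only label the response application/pdf if it really starts like a PDF.
    if not data.startswith(b"%PDF-"):
        raise SoapProcessingError("decoded payload is not a PDF")
    return data

def build_sample(payload, header=""):
    """Constructed envelope shaped like the response shown in the post."""
    b64 = base64.b64encode(payload).decode("ascii")
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}">{header}<soap:Body>'
            f'<GetImageAsBase64Response xmlns="{DEF_NS}">'
            f"<GetImageAsBase64Result>{b64}</GetImageAsBase64Result>"
            "</GetImageAsBase64Response></soap:Body></soap:Envelope>")
```

Pass the qualified names of any header blocks the caller actually implements in `understood`; everything else flagged mustUnderstand="1" stops processing.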


Superman is dead, world mourns

October 11, 2004 Comment on this post [2] Posted in Musings

 

Truly a great man who was dealt a massive blow and took it in stride. I'm inspired not to complain about my own chronic illness when faced with Christopher Reeve's strength.

- Scott Hanselman, 10/10/2004 11:14pm


ASP.NET Security Vulnerability

October 08, 2004 Comment on this post [0] Posted in ASP.NET | HttpModule

This has been blogged about over and over. This is another case where if you had UrlScan or any decent security URL filter installed on your box, you'd be fine. Certainly it's a problem in ASP.NET, and Microsoft has an HttpModule to fix it. This means you can install this once and get the fix on all your systems, rather than adding it in the BeginRequest of the Global.asax.cs.

One interesting note: if you're confirming the user's security principal and identity (WindowsPrincipal, FormsIdentity) via code, or are using a custom principal (as I do as a best practice), your code will catch this problem even if ASP.NET Forms Authentication's AuthorizationModule didn't.

1) Updated http://www.microsoft.com/security/incident/aspnet.mspx with new information about the reported vulnerability.  This should help clear up some of the confusion we've seen about what is affected by this.  To be super clear, all ASP.NET applications, on ALL OS's should follow the guidance provided.

2) A new HTTP Module mitigation best practice.  This is in the form of an MSI installer that will help protect all ASP.NET applications on a Web server.  This MSI installer will place a binary into the GAC and update the machine.config file for ASP.NET.  You can find download information at http://www.microsoft.com/downloads/details.aspx?FamilyID=da77b852-dfa0-4631-aaf9-8bcc6c743026&displaylang=en

You can also download the MSI directly at http://download.microsoft.com/download/4/6/1/461433d5-cbac-4721-85cb-c5a514fd0049/VPModule.msi

3) Detailed guidance about the HTTP Module, how the MSI works, and how to deploy it.  You can find this KB Article at http://support.microsoft.com/?kbid=887289

 


Google SMS launches

October 08, 2004 Comment on this post [3] Posted in Musings

Wow…on a Blackberry this is WAY faster and more useful than the WAP browser.  I did a Google 97229 and found my local Target. :) 

Google SMS

How cool is this: With the new Google SMS service, you can do basic Google queries from any SMS-capable phone (which is darn near all of them) by sending text messages to 46645 (GOOGL). Results usually come within a minute, and are text-based only - no links or other craziness that could screw up an SMS. So far, you can get local business listings, product prices and comparisons, dictionary definitions, and more is planned soon (or already there and they just haven’t told us about it yet). So, for instance, enter something like “Starbucks 10016” and you’ll get a response with nearest place to get burnt-tasting, overpriced coffee. Well, near us, anyway, unless you change the “10016.” Give it a go and let us know how it works for you. So far our results have been positive.
[Engadget]


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.