Posts tagged: lunacy

Greatest unit test

July 14, 2009

Recently I got a warm and fuzzy feeling when I opened a new project for inspection, searched the source tree for the word “test”, and found three matches, all of them occurrences of the word “greatest”.

On ease of IIS vs Apache configuration

June 27, 2009

Recently I ran across what felt like a relatively straightforward task: make IIS 6 and Apache run side by side on the same Windows 2003 server, using the same port but different network interfaces. How difficult could this be? Apache was installed and configured first. IIS was installed, configured and started next. Then the computer was rebooted to test automatic application restart, and all hell broke loose…

1) First Horror – Apache fails to start because IIS is hogging all ports (well described on blogs all over the internet)

After wasting time in fruitless attempts to use the nice-looking IIS menus, I had to switch to Google and search for something much more obscure. I established the fact that IIS binds to all network interfaces even if you explicitly specify in its menu which one to listen on. That is the default behavior from Microsoft, which assumes that no one in their right mind would ever install another web server next to IIS (they turned out to be right). A variety of posts were arguing the merits of editing the DisableSocketPooling registry setting vs running the optional command-line httpcfg utility. An article from Microsoft resolved this confusion: the first was applicable to IIS 5 (hope no one uses it anymore) and has no effect on IIS 6; the second applies to IIS 6 only.

Per the instructions, I ran the command httpcfg set iplisten -i IIS_DESIGNATED_IP_ADDRESS. Now Apache and IIS could be started in the reverse order. The perceived man-over-machine victory was very short-lived, because the subsequent reboot test showed a 20-30 minute start-up delay that did not exist before.

2) Second Horror – incredibly slow, failing IIS start-up (no answer found on Google)

The new non-UI configuration changes to IIS broke the machine beyond my wildest expectations. The services kept trying to start, timing out and retrying, causing very slow start-up behavior. Inspecting the event log yielded the following messages.

The IIS Admin Service service hung on starting.
The FTP Publishing Service service depends on the IIS Admin Service service which failed to start because of the following error:
After starting, the service hung in a start-pending state.

I tried to roll back the changes using httpcfg delete commands, but that did not help; the server seemed permanently broken and would not boot normally anymore. A few other people on the internet reported a similar problem, but no answers were published.

After a lot of experimentation I found the solution, which definitely qualifies for the top lunacy category: the IIS configuration needs to be backed up and then, without any changes, immediately restored. I guess httpcfg leaves the registry or IIS metabase in a somewhat inconsistent shape, and the IIS restore does more than just restore. Otherwise, how could restoring a configuration that is known to break a computer fix anything?

So now, when someone complains about not having a visual editor for Apache configuration, compare this with the combined IIS registry/metabase nonsense. It takes less time to learn advanced Apache configuration examples than to deal with this.

The Ostrich Security Model by Adobe (being adopted by MS Silverlight too)

May 15, 2009

Adobe introduced the crossdomain.xml file to control whether a Flash application can read data from servers. In a nutshell, the crossdomain.xml file must be present on the website and must explicitly grant access to clients originating from other domains before anyone can read data from or make calls to this server. Excerpt from the Adobe Flash Player security white paper:

… if the site serves private documents or anything that requires some form of authentication (such as a password), or if the server is behind a firewall where only certain users can access it, it is risky to put a public policy file on that server. Doing so would enable Flash applications to download documents from the server whenever they run on the computers of users that the server trusts. These applications could potentially reveal private data from the server to people whom the user or website administrator does not trust.

This is just about as dumb as it gets with server security. It essentially stops your polite Flash clients from accessing data, but it won’t prevent anyone from reading the same data via their own proxy server (trivial to write/configure), JavaScript, etc.

So we have established that servers are not protected by this. Would this limitation protect clients? Not likely: any “man in the middle” attacker would not be too lazy to put a crossdomain.xml file in place to fool clients into reading data. The only remaining question is who can protect society from the idiots who designed this “security” mechanism and made life more difficult for developers of internet mashups?
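To make the mechanism concrete, here is a worked example, added to this post and not taken from Adobe or from the original article, of how a Flash-style client evaluates crossdomain.xml. It models the decision the Flash Player makes: the policy file lives on the server, but the check is performed by the client, so a client that never consults the file (a proxy, a script) is unaffected and the server must still authenticate private data itself. The two sample policies and the origins are constructed for the example. The matching rules are my reading of Adobe's documented behaviour and are assumptions, not Adobe's implementation: "*" matches any origin, "*.partner.example" matches partner.example and all of its subdomains, and secure="true" admits only https:// origins (a missing secure attribute is treated here as not restricting the scheme; Adobe's real default depends on how the policy file itself was served).

```python
"""Model of crossdomain.xml evaluation on the client side (constructed example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample policies; not from the page or from any real site.
# A public policy: the "risky" configuration the Adobe excerpt warns about.
PUBLIC_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# A restricted policy: only named domains, and the partner only over HTTPS.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.partner.example" secure="true"/>
  <allow-access-from domain="app.example"/>
</cross-domain-policy>"""


def _domain_matches(pattern: str, host: str) -> bool:
    """Match a crossdomain.xml domain pattern against the requesting host.

    Assumption: "*.base" matches "base" itself as well as every subdomain.
    """
    pattern = pattern.lower()
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def policy_allows(policy_xml: str, requesting_origin: str) -> bool:
    """Return True if the policy grants read access to the requesting origin.

    requesting_origin is the URL of the page that loaded the Flash application,
    e.g. "https://www.partner.example/app".
    """
    origin = urlparse(requesting_origin)
    if not origin.hostname:
        return False
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return False  # not a policy file at all
    for rule in root.findall("allow-access-from"):
        pattern = rule.get("domain", "")
        # Assumption: secure defaults to "false" in this model (see lead-in).
        https_only = rule.get("secure", "false").lower() == "true"
        if https_only and origin.scheme != "https":
            continue
        if _domain_matches(pattern, origin.hostname):
            return True
    return False


def polite_client_fetch(policy_xml: str, requesting_origin: str, fetch):
    """A client that honours the policy: it checks before calling fetch().

    `fetch` stands in for the HTTP request to the data server. A client that
    skips this check calls fetch() directly and the server cannot tell the
    difference, which is why the policy file is not server-side access control.
    """
    if not policy_allows(policy_xml, requesting_origin):
        return None
    return fetch()


if __name__ == "__main__":
    print(policy_allows(PUBLIC_POLICY, "http://anything.example/page"))      # True
    print(policy_allows(RESTRICTED_POLICY, "https://www.partner.example/"))  # True
    print(policy_allows(RESTRICTED_POLICY, "http://www.partner.example/"))   # False
    print(polite_client_fetch(RESTRICTED_POLICY, "http://other.example/",
                              lambda: "private-data"))                       # None
```

The useful defensive reading of this model is the `polite_client_fetch` function: the only thing a restrictive policy buys a server is that well-behaved Flash clients on untrusted pages decline to read its data, so a server holding private documents needs its own authentication regardless of what crossdomain.xml says.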
