know what’s going on here. See, now you’ve read a couple of these columns and you still haven’t listened to the show. But you’re hooked, right? Well, don’t come to me with your Crack Jones! I’m no psychotic pharmacist! OK, I guess I can deliver the goods ONE MORE TIME, but you really have to listen to the entire show to become a true .NET Rocks! Bodhisattva, or as we say on the show, a Rockhead.
.NET Rocks! is by far the best two hours of my week. This is my third “Heard on .NET Rocks!” column, and it gets more and more fun every time. In the first episode we went back in to .NET Rocks! history with some quotes from Don Box and Alan Cooper. The last column was devoted to our show with Bob Reselman, author of Coding Slave. This time I’m going back to January 2004 when we interviewed William R. “Bill” Vaughn and Peter Blackburn about their experiences with SQL Server 2000 Reporting Services. It had just been released and they were busy writing their book, The Hitchhiker’s Guide to SQL Server 2000 Reporting Services. Timing was perfect, and it was a very enlightening show.
After the break we invited our friends at Data Dynamics (one of our show’s Gold sponsors) to come on the show and compare and contrast SQL RS with their Active Reports .NET, which they did beautifully. Later we were joined by Dan Appleman, who had just completed his excellent book Always Use Protection: A Teen’s Guide to Computer Security. He had been listening to the first half of the show with Bill and was eager to talk about his book and the security topics that he had been immersed in while writing it. Once Rory decided to chime in, it was all we could do to not pass out from laughing so hard.
What follows is a few memorable moments from both of those conversations. As for the rest of it, well, you just have to download it and listen for yourself.
Bill: Lately we’ve seen an awful lot of databases that were produced by what we’re now calling ParaDevelopers. These people are a doctor or a lawyer, those kinds of guys, who have a job that they’re doing very well at, but that also makes them think that they can create a database. They’ve created a database that contains patient information, or something extremely critical, and they’ll dump it in an Access database; it’s “free” (note the quotes).
They don’t understand the remotest aspects of relational databases. They see the examples in the books, and the first thing they see is a login with the sa account and no password, and do a SELECT * FROM Customers or something like that.
When they put those “SELECT *” queries in production, it seems to work fine until somebody adds a column and that column doesn’t show up in the program, or it does show up someplace that they didn’t expect it. The DataGrid now shows an extra column, or they add a BLOB! Suddenly their performance goes in the toilet and they don’t understand why.
Carl: So, let’s talk about SQL Reporting Services! I understand that you and Peter [Blackburn] have been working quite a bit with this thing.
Ed.: Bill Vaughn and Peter Blackburn have written a book called The Hitchhiker’s Guide to SQL Server 2000 Reporting Services, which you can check out at www.betav.com.
Peter: I’d say it’s about the coolest reporting tool in existence today.
Bill: Don’t hold back, Peter.
Peter: The designer is as easy to use as the Microsoft Access designer. You can report off any database at all. You could even report off the serial port if you wanted to build your own .NET data provider to interrogate your serial port.
Carl: So obviously it requires SQL Server, but it doesn’t require SQL Server as a data source. Is that right?
Bill: It requires SQL Server 2000 for the catalog database that the Reporting Services Engine uses. And that can be on one machine. And RS itself (they told us not to say it’s an ASP.NET Web application because it runs on Web services) runs on IIS. You can have an IIS server where the reporting engine runs, and the database can be on another [machine]. But, all of them can be on the same system. So, your developer would typically be running XP, Windows 2000 or Windows Server 2003 and install the whole Magilla on a single system. That’s what a typical developer would do.
Rory: But that’s not recommended? Or…
Bill: Well, actually any of these will work. There are limitations on XP. The number of connections that IIS on XP support by default is either 5 or 10, depending on whether it’s XP Home (which we don’t recommend) or XP Pro. But we’ve got a trick in the book that shows you how to up that to 40, which is kind of a cool little trick.
Carl: Is it legal?
Bill: Absolutely! [But it’s] pseudo-documented.
Carl: Alright…. That’s not something you want to lay on us now?
Bill: Um, I think it’s a “buy the book” kind of thing. But it’s not that hard to do if you understand Nuclear Medicine and Rocket Science (laughs).
Carl: Fair enough.
Bill: There’s one issue that we are emphasizing in the book, and Peter is really excited about this. He is really passionate about security. It turns out that if you uncheck one of the boxes in the installation dialog in the setup that says “Don’t use SSL,” a number of bad things will happen to you. Most of these are job-threatening.
What happens is, since the report engine is running under IIS, all your user credentials will in fact be broadcast in open text. AND all your corporate data will be broadcast in open text. Any high school kid with a packet sniffer will be able to see your confidential data.
If you leave that SSL checkbox enabled, it means that you’ll have to install an SSL certificate on your IIS server, which is not hard to do. We show exactly how to do that in the book in great detail.
Carl: Do you generate your own certificates?
Bill: We talk about that. There are a number of ways to do it. You can go out and get a store-bought certificate and pay the 500 bucks each.
Carl: Actually I can get them for  bucks. There’s an actual place called www.instantssl.com and you can get certificates that work just as well as Verisign certificates at a fraction of the cost… We’re using one now, actually, at www.franklins.net.
Bill: You learn something new every day! Once you enable SSL it means that the packets going up and down the wire are in fact encrypted and only the NSA [National Security Agency] is going to be able to read this data, and they’re off busy looking at other people’s stuff (laughs).
Rory: Yeah, they don’t care about your customers (laughs).
Carl: So Dan [Appleman], were you listening to the first half?
Dan: I was listening! I thought it was a great show. A number of things I found pretty interesting. For example, I was fascinated by the comment about the risk of not using an SSL connection with SQL Server 2000 Reporting Services. And, it really struck me that they felt it was necessary to warn people “don’t uncheck that box.” I was sort of wondering first of all, why is it there in the first place? And second, you would think if you do uncheck that box there would be alarms going off and big sirens and so on.
Carl: I suppose there’s a situation where you have a local server behind a firewall or NAT where it doesn’t matter.
Dan: Oh, absolutely. But is it really adequate warning for the other cases?
Carl: Well, speaking of security, you’re all about security these days. Right?
Dan: It’s funny. We were talking the other night about [how] interests change and how focuses change and so on, and I’ve spent a lot of time recently dealing with security. I’ve written a security e-book, and I’ve done some licensing and code-access-security work and so on. And, I’ve come to realize that the biggest problem with security isn’t technology at all. It’s people.
Carl and Rory: Definitely. Absolutely.
Dan: We don’t really think about it that way, do we?
Carl: Well, you certainly don’t go to a conference to learn how to be a more secure person, and how to keep the insecure people away from your boxes. It is sort of assumed knowledge, right?
Rory: Loose lips sink ships. That sort of thing.
Dan: Well, there’s a big focus on technological solutions. We read articles on how to do encryption and so on. But, take as an example this little check box. If you uncheck it you get plain text. And there’s probably a little dialog box that pops up and asks “are you sure you know what you’re doing?” or “this data will be sent in plain text” but… I don’t know if people necessarily get it. Because, let’s face it, unless you’re an enterprise, you have an IT department, and people who really think about security, nobody’s gonna bother to hook this thing up through SSL.
Carl: Well, it’s a big pain in the ass for most people.
Dan: It is!
Carl: As a developer, that’s the last thing I want to do. I mean, it’s something I know I have to do, and I do it but my natural instinct is to leave it until the last moment so I can work with my program without any barriers. Do you find that’s true, Rory?
Rory: Absolutely. I was thinking that the checkbox is there either for that reason or as a weed-out thing.
Carl and Dan: (chuckling)
Rory: You know, you’re about to go into production and you actually unselect that checkbox, and you don’t use SSL, and an alarm goes off somewhere inside Microsoft and the black helicopters come and you are vaporized on the spot.
Carl and Dan: (laughing)
Rory: And, now you’re not competing with me for that job anymore. So, I like that box. I’m happy with that box. That’s a feature.
Carl and Dan: (choking)
Rory: You know? And, that’s the great thing. It’s checked by default, so how crazy can you be? I mean, you see that and you think “Do I want security?” [pauses] “NAH!!!” Bang!
Carl and Dan: (paramedics performing CPR)
Rory: That is a fine box. I’m happy with the box. The box is good. I want more of those boxes. I want a whole row of them.
Carl and Dan: (eyes wide and dilated)
Rory: Bypass Firewall. Open Up All Ports. We should have these too. Because I want to see things thin out a little bit. You know? Less job competition… I like that.
Carl and Dan: (nearly dead)
Rory: I like the whole idea of just a bolt of lightning shooting out of the monitor automatically if you go anywhere near one of those checkboxes.
Carl and Dan: (recovering now)
Rory: If you even hover…
Carl and Dan: (choking again)
Rory: …for a few seconds, I want you to be a pile of ash in your little Aeron chair.
Dan: They’re not going to do that, though. If they vaporize you then you can’t buy more software.