As of late, we started a pretty large project (C# XNA game).
It seemed to be pretty obvious solution to store all the files in a remote server, use a database for file "versions" and have the patcher download the newer versions and delete any archaic.
Now this is all nice in theory, we even found a service with the space for it (SkyDrive with the 25GB offer).
The problem came up when it got to file manipulations.
We're looking for:
Can programmatically download/upoad (for the patch maker) files to/from SkyDrive.
Has a secure way of containing uname/pass.
Allow me to explain both.
Thing is, we had to make the SkyDrive on my personal account (due to the 25gb offer only being there for old users). I'm not very happy with someone getting my password, even though I'll obviously change it to something completely archaic, they would still get access to most of my other hotmail/msn related stuff. (I guess it's a reason to remake it all then?). So if possible I would secure the actual uname/pass inside the program. Since it's .NET and is compiled on demand, (and can easily be decompiled) I'm having doubts real security in this case is improbable (if it is possible to secure please do tell me how).
On top of that, there's no efficient&official SkyDrive API. This means that there's an even bigger security hole (see previous paragraph) and the communication won't necessarily work as expected). This also means there may be slowness in communication - something bad if you have 1000 users downloading the same file.
So to formulate all of this:
What is the the proper way (read API) to use SkyDrive as a storage server for a patcher considering it's linked to my personal account?
small sidenote, if I must, I can be evil and get our slow artist to host the server
Edit 1:
The idea is to have anyone be able to download the client, but initiating anything requires an active account on our database. As such the files themselves don't have a problem being read by everyone. So I'll add the following: how to programmaticaly get direct downloads from SkyDrive if the files are public? The current links lead to their web UI. And I mean programmatically (maybe during upload time) as to avoid doing it all by hand.
This is a bad idea.
Given #1:
Use a public folder to store your assets and grant everyone access to it
Use httpclient to download the files from the public folder anonymously in your patcher client
Use the SkyDrive descktop client to synchronize the public folder from a 'build' machine
Related
I am designing a Windows Service which main purpose is to monitor content of network shares. I've already got to know pros and cons of FileSystemWatcher class and probably I am going to use it with some custom enhancement. One thing that bothers me is that I still don't know how to get the information about who exactly modified shared files. I think it could be extracted somehow from permissions mechanism in Windows, but how? Have you got any ideas how to get at least login of the person who accessed and modified shared content?
I can use either C# or PowerShell.
The best way to do this is to enable advanced file auditing on the servers you need this information on. If that isn't an option (it can get quite inefficient on servers with high disk IO), you can try using FileSystemWatcher to get the same results. Here is an example of how to do that!
a requirement for project is to have my winforms system to be able to see a central file repository (central folder of scanned documents). users need to be able to read, and delete and save files.
to do this the server had a shared folder, and every client had a map drive to the folder.
from experience i have found map drives to be a real pain in the but. sometimes u hit security issues, sometimes map drives just go wonky.
i would prefer to avoid this design, and rather have a webservice that publishes a list of files, another service that returns a file, deletes file etc etc.
but it feels like this must have been done before plenty times. rather than rolling my own, has anyone implemented or seen something similar?
Server is windows with IIS, and I am on the ms stack so would make sense to have something that fits into that.
I'm new to web programming and have a question about code behind in ASP.NET C#. How safe is it from someone seeing what's in it? The reason I ask is the program I'm linking this website to requires me to create an object that takes in my admin credentials (It does this in the background thousands of times or I would just prompt for creds). It uses the credentials to create things dynamically. I'm 99.99% sure this is highly unsafe to hard code my credentials into the page but I figured I would ask.
The code behind files and raw aspx files are protected from being retrieved by the web server, so as long as you control console and file share access to the server you are relatively safe.
Still, it is not considered really safe. You should set up the application pool of the site to run under a specific account and then give that account the necessary rights. Having services using ordinary user accounts is considered bad practice. Each service should have its own account, with least possible rights.
ASP.NET pages are compiled before sending the page over HTTP. This is secure. But if the user can access the file system, you have another problem on your hands.
You should put your credentials in your web.config (or you can move them into separate files like AppSettings.config or ConnectionStrings.config etc). The server will should never serve these.
This might be helpful:
http://msdn.microsoft.com/en-us/library/4c2kcht0(v=VS.100).aspx
This tells you how you can can go one step further and encrypt these so they do not store plain text password etc:
http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
It is "safe". IIS (by default) does not serve up .cs files.
Another option is to precompile the site and then just drop the .aspx files on the web server.
Putting sensitive information into .cs files in ASP.NET is by default not a risky process as ASP.NET does not give access to .cs files from the client side (if you don't change it explictly), however, be sure that if there is a server error, custom errors reporting mode does not send the lines of the code to the client (which is extremely useful when debugging, and extremely risky when you release it to the public) or anyone may be able to read your sensitive information if an exception is thrown near those lines.
There are various levels of "safe" here.
Yes, IIS is configured to not serve up .cs files or .config files. That said, there are attack vectors which have proven successful in getting IIS to deliver those files into the evil doers hands.
First off, I wouldn't deploy .cs files to the server. If possible convert the web site to a web application and deploy it compiled. Of course, .net code can be decompiled (and here); so you should also look into obfuscation. However even obfuscated code can be decompiled but it's generally harder to read. ;)
Note that each level isn't really "secure". It just makes it more difficult.
The real answer is to not store the credentials on the server at all and require them to be provided by the client over an encrypted transport. Certainly you could cache them in memory, but even that has proven insecure to those with physical access.
At the end of the day, ask yourself how valuable the keys are and how much money/time you can invest in securing the system. There's usually a balance somewhere.
Just wondering of what people think of using MonoTorrent and the torrent protocol as the core part of an installer....
Essentially I am creating an installer which has the following requirements:
Access through Firewalls/Proxies
Runs over SSL
Authenticated access to the installer/files
Background download
Handel bad connections (i.e. if a disconnect occurs, pickup downloads that were halfway through a file)
Validate integrity of downloaded content
Download Throttling
So given all of this, I thought that embedding MonoTorrent in the installer package, running a private tracker and having the clients download (no seeding only leaching) from the server would be a good idea.
This also has the side benefit of being able to bring extra servers online or offline depending on load.
What do you guys think? Can I get this functionality from MonoTorrent and how hard is it to setup? Is there a better alternative that will meet these requirements?
I can't comment specifically on MonoTorrent, but large software companies have indeed used the torrent protocol to distribute patchers and installers (see Blizzard Entertainment, for example).
I believe this would be relatively impractical because of the need of seeders (so a big user-base)
You would have to rely on having more people installing your software at the same time, which, unless you are an uber-corp or something else would not be so feasible.
This makes sense in the case of blizzard an highly addictive MMORPG game, with frequent and big patches and millions of p(l)ayers scattered around the world.
Monotorrent seems to be dead... howerver it seems also to work (I'm fighting with it at the moment).
Given that you are not allowing seeders the major torrent benefit is not used, so in my opinion you are asking for a load balanced download system based on https, basic authorization, and SVF-aided file consistency checking.
I have a desktop app for personal use and I would like it to be able to synchronize it's data with the net.
Since it's not trancational, I figured a solition migth be to (de)serialize the lot to a plain text format and store that in some file on the web.
Now I am looking for free storage in a way that I can access it via code, be it HTTP or FTP, that's all equal to me. Of course I would like it to 'steady', so not some obscure free service that can be stopped at any time without prior notice or services with bad connctions/ lots of downtime.
Also it would be nice if the data wasn't readily available for anyone who happens to google the right term, but that's optional since I can encrypt it.
I was thinking about google docs, but really anything will do as long as it is
free
steady (stable/trustworthy)
accessible via code
password protected (optional)
It would be very nice when codesnippets would come with the suggested solution!
I'm using C#
Softronics is a swiss hosting company that offers mydrive, a free 2GB WebDAV storage package.
They also host 2 Gigs of FTP for €1,20 a month
Some of the the Dropbox addons provide various Ruby, Python and PHP scripts and APIs for interacting with your storage space. I would probably start with the Ruby API and write a quick C# version if I were you.
If you do, can you publish it? :)
Not free, but pretty cheap - I use SugarSync. Just mark the local folder and it's automatically synched to the remote server. Version history and multi-machine sync too.