08 May 2013 Web Directions Code 2013
The mix of 20 and 50 minute presentations meant that some topics could be presented in depth, while other topics got a good introduction, enough to get a taste without boring you if they were not your cup of tea. All of the presentations were high quality, with a great mix of international big names like Angus Croll, Jeremy Ashkenas, and Nicole Sullivan, together with well-known local presenters like Glen Maddern, Tony Milne, and Mark Nottingham.
Fearmongering – Spreading fear about the language as a reason to promote overly defensive programming
Ideology – Making all or nothing statements about irrelevant details
The project is a web-based platform for journalists to search, analyse, upload, and annotate primary source documents that are otherwise not available on the web. It was created with a grant from the Knight News Challenge, which requires that all parts of a supported project be open-sourced. Besides Backbone.js, Underscore.js and the Jammit asset packaging library for Rails were also open-sourced as parts of the Document Cloud project. Even though the talk was light on coding details I enjoyed hearing how these breakthrough projects came about.
A library that implements promises allows asynchronous calls to be chained very cleanly without boilerplate, and helps the developer avoid the callback hell that has inspired entire websites. Tony explained how to use the Q library, an implementation of the Promises/A+ proposal that grew out of the CommonJS promises work, to wrestle down asynchronous code and keep it readable, maintainable, and free of boilerplate.
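To make the point concrete, here is an added example (not code from the talk or from the Q project) of the same three-step workflow written twice: once as nested callbacks and once as a promise chain. The native Promise object stands in for Q, since both implement Promises/A+ and chain and propagate errors the same way; the user and order data, the step names and the `promisify` helper are all constructed for the example (Q ships its own equivalent, `Q.denodeify`).

```javascript
// Added example: callback pyramid versus promise chain.
// Native Promise replaces Q here; both follow Promises/A+, so .then chaining
// and error propagation behave the same. All data below is constructed.

const users = { alice: { id: 1 } };
const orders = { 1: [10, 20] };

// Callback style: each step takes an (err, result) continuation.
function getUserCb(name, cb) {
  setTimeout(() => {
    const u = users[name];
    u ? cb(null, u) : cb(new Error('no such user'));
  }, 0);
}
function getOrdersCb(user, cb) {
  setTimeout(() => cb(null, orders[user.id] || []), 0);
}
function sumCb(items, cb) {
  setTimeout(() => cb(null, items.reduce((a, b) => a + b, 0)), 0);
}

// The pyramid: every step nests one level deeper and must re-check err.
function totalWithCallbacks(name, cb) {
  getUserCb(name, (err, user) => {
    if (err) return cb(err);
    getOrdersCb(user, (err2, items) => {
      if (err2) return cb(err2);
      sumCb(items, (err3, total) => {
        if (err3) return cb(err3);
        cb(null, total);
      });
    });
  });
}

// Promise style: wrap each callback API once (Q.denodeify does this in Q)...
function promisify(fn) {
  return (...args) =>
    new Promise((resolve, reject) =>
      fn(...args, (err, value) => (err ? reject(err) : resolve(value))));
}
const getUser = promisify(getUserCb);
const getOrders = promisify(getOrdersCb);
const sum = promisify(sumCb);

// ...and the workflow becomes a flat chain. A rejection anywhere skips the
// remaining .then handlers and lands in the single .catch, which here
// re-throws with context so the caller still sees a rejected promise.
function totalWithPromises(name) {
  return getUser(name)
    .then(getOrders)
    .then(sum)
    .catch(err => {
      throw new Error(`total for ${name} failed: ${err.message}`);
    });
}

// Callback-compatible wrapper so both versions can be compared directly.
function totalWithPromisesCb(name, cb) {
  totalWithPromises(name).then(t => cb(null, t), cb);
}
```

The error handling is the part worth noticing: the callback version repeats `if (err) return cb(err)` at every level and silently loses errors if one of those lines is forgotten, while the chain funnels every failure through one handler.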
Troy Hunt’s presentation “Essential Security Practices For Protecting Your Modern Web Services” was entertaining and worrying at the same time. He showed examples of open web services that can easily be sniffed out and used for malicious purposes. Many mobile apps use a web service API to communicate with a back end, and app developers may think that these APIs don’t need to be protected since the actual URLs are invisible to the user: after all, they are only called from within a closed Android or iPhone app. But the app is not the security boundary; anything the app can call, anyone who has watched the app’s traffic can call too.
Troy showed how trivial it is to configure a proxy on a phone, and how such a proxy records all web traffic from the phone. With the proxy in place every call to the outside becomes visible in plain text if it is not protected by HTTPS (and a proxy whose root certificate the phone’s owner installs will show the HTTPS traffic as well, so the client can never be relied on to keep a URL or parameter secret). He used such a proxy to capture the traffic of two mobile apps. The first app was from an airline and had a feature for authenticated VIPs to obtain the WiFi passwords for the airline’s VIP airport lounges. The app itself required a login and enabled this feature only for its VIPs, but the call the app made to obtain the WiFi passwords was a plain HTTP request that could be replayed without any authentication. This shows that security through obscurity does not work: the authentication check lived in the app, not in the API that actually handed out the passwords.
He went on to show the same problem with another app, this time exposing the license plates and images of every car parked in a public car park at any point in time, something the mobile app itself never allowed. The app was there to help you find your own car in the car park, but the API it used returned all the cars, and the filtering down to your own car happened only in the app. Calling the API directly, without the app, let anyone view every car in the car park with its location, license plate and a photo, remotely and at any time.
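Both demos (the lounge passwords and the car park) are the same mistake: the endpoint assumes that only the real app will ever call it, so the authentication and the filtering live on the client. The following added example, which is not code from either app or from the talk, models the car park API with constructed data and shows the vulnerable handler beside a hardened one that authenticates every request itself and returns only what the caller is entitled to. The URL path, the bearer token format, the session store and the car records are all assumptions made up for illustration.

```javascript
// Added example: an API that trusts the app versus one that checks for itself.
// All records, tokens and paths below are constructed for illustration.

// Constructed back-end data: which car belongs to whom, and where it is.
const CARS = [
  { plate: 'ABC123', owner: 'alice', bay: 'L2-017', photo: 'abc123.jpg' },
  { plate: 'XYZ789', owner: 'bob',   bay: 'L3-104', photo: 'xyz789.jpg' },
];
// Constructed session store: bearer token -> authenticated user.
const SESSIONS = { 'tok-alice-9f3a': 'alice' };

// Vulnerable: the endpoint relies on nobody but the app knowing the URL.
// The app hides other people's cars on screen, but the API returns all of
// them, so a replayed request exposes the whole car park.
function findCarVulnerable(req) {
  if (req.path !== '/api/v1/carpark/cars') return { status: 404 };
  return { status: 200, body: CARS };
}

// Hardened: authenticate the request, then authorise the data. The caller
// only ever receives rows they own, so a replay without the session gets
// nothing and a replay with it gets no more than the app already showed.
function authenticate(req) {
  const auth = req.headers.authorization || '';
  const m = /^Bearer (\S+)$/.exec(auth);
  return m ? SESSIONS[m[1]] || null : null;
}
function findCarHardened(req) {
  if (req.path !== '/api/v1/carpark/cars') return { status: 404 };
  const user = authenticate(req);
  if (!user) return { status: 401, body: { error: 'authentication required' } };
  const mine = CARS.filter(c => c.owner === user)
    // Drop the owner field: the client has no need for it.
    .map(({ plate, bay, photo }) => ({ plate, bay, photo }));
  return { status: 200, body: mine };
}

// The request exactly as a proxy would have recorded it from the phone,
// replayed later by someone who is not using the app (constructed).
const replayed = { method: 'GET', path: '/api/v1/carpark/cars', headers: {} };
// The same request carrying the session the app obtained after login.
const authed = {
  method: 'GET',
  path: '/api/v1/carpark/cars',
  headers: { authorization: 'Bearer tok-alice-9f3a' },
};
```

The lounge WiFi endpoint needs exactly the same treatment: the password lookup must check the caller's VIP status itself rather than trusting that the app only shows the button to VIPs. Note that the token has to travel over HTTPS, otherwise the proxy from the demo records it along with everything else and the replay succeeds anyway.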
In his last demonstration Troy showed what can be done with a so-called WiFi Pineapple, a small WiFi hotspot that tricks mobile devices into auto-connecting to it by masquerading as an access point they already know. Mobile devices send out probe requests for the networks they have previously joined; the Pineapple answers any such probe as if it were that network, so the device connects, and from then on the Pineapple can act as a proxy and sniff all of the device’s traffic. Sniffing is particularly simple when plain, unencrypted HTTP is used. Troy used the example of stackoverflow.com to show that there are still many websites that authenticate users with cookies but allow those cookies to be sent over plain HTTP, where such a malicious hotspot can read them. With the authentication cookie in hand an attacker can masquerade as the legitimate user for as long as the session is valid. The defence is to serve the whole site over HTTPS and mark the session cookie Secure so that the browser never sends it over HTTP in the first place.
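The following added example, which is not code from the talk, shows both halves of that last demo: what a rogue hotspot pulls out of a cleartext request, and the Set-Cookie and Strict-Transport-Security headers that stop the session cookie from ever crossing an HTTP connection. The captured request, the host name and the cookie names and values are constructed; `clientWouldSend` is a deliberately small model of the browser’s rule for the Secure attribute, not a full cookie-jar implementation.

```javascript
// Added example: sniffing a session cookie from cleartext HTTP, and the
// cookie attributes that keep it off the wire. All values are constructed.

// A request as a rogue access point sees it on an unencrypted connection.
const CAPTURE =
  'GET /questions/tagged/javascript HTTP/1.1\r\n' +
  'Host: example-qa-site.test\r\n' +
  'User-Agent: Mozilla/5.0 (iPhone)\r\n' +
  'Cookie: prefs=dark; sessionid=s3kr1t-session-value\r\n' +
  '\r\n';

// What the sniffer does: pull every cookie out of a cleartext request.
function cookiesFromCapture(raw) {
  const header = raw.split('\r\n').find(l => /^cookie:/i.test(l));
  if (!header) return {};
  return Object.fromEntries(
    header.slice(header.indexOf(':') + 1).split(';')
      .map(kv => kv.trim().split('='))
      .map(([k, ...v]) => [k, v.join('=')]));
}

// Parse a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[k] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Model of the browser's rule: a cookie flagged Secure is never attached to
// a plain-http request, so a hotspot that downgrades you to HTTP sees nothing.
function clientWouldSend(cookie, url) {
  const scheme = new URL(url).protocol;
  if (cookie.attrs.secure && scheme !== 'https:') return false;
  return true;
}

// The weak Set-Cookie (what the sniffed site effectively sends) beside the
// hardened one. HttpOnly and SameSite address other attacks (script access,
// cross-site requests); Secure is the attribute that matters for sniffing.
const WEAK = 'sessionid=s3kr1t-session-value; Path=/';
const HARDENED =
  'sessionid=s3kr1t-session-value; Path=/; Secure; HttpOnly; SameSite=Lax';

// Response headers a login handler should emit (hypothetical helper).
// HSTS makes the browser stop using http: for this host at all, closing the
// window in which the very first plain request could still leak.
function sessionResponseHeaders(sessionId) {
  return {
    'Set-Cookie': `sessionid=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`,
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  };
}
```

Serving only the login page over HTTPS is not enough: the browser attaches a non-Secure cookie to every later http: request for the same host, which is exactly the traffic the Pineapple collects.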
There were many other memorable presentations, but these were my highlights. I thoroughly enjoyed my time at the Web Directions Code conference and the lively discussions I had with many of the other participants. The discussions went on all the way to the after-conference party, where at least 100 of the participants continued to talk code over beer. Big thanks to Maxine and John for organising such an event where people passionate about their work can meet and exchange ideas about the direction of the web.