Web Directions Code 2013


The second incarnation of the Web Directions Code conference took place this year on 2–3 May, and I was fortunate enough to both attend and speak. The conference, held in Melbourne Town Hall, was the place to geek out about all things web: JavaScript, HTML5, and CSS3. More than 250 web professionals turned up to learn about the new directions the web is taking. In this post I will summarise the talks that left the biggest impression on me.

While the Web Directions South conference – held every year in Sydney – is more geared towards web design, the emphasis of Web Directions Code is clearly on JavaScript and coding. The format of the conference was a single track with a mix of 20 minute and 50 minute presentations. The single track format, with all presentations running in the large Auditorium of Melbourne Town Hall, had some distinct advantages over multi-track events: participants didn’t have to choose which presentations to attend, and stayed in the Auditorium with everybody else throughout the whole conference. Since everybody saw the same presentations there was more opportunity for discussion. The round tables the participants were seated at helped the discussions even more.

The mix of 20 and 50 minute presentations meant that some topics could be presented in depth, while other topics got a good introduction, enough to get a taste without boring you if they were not your cup of tea. All of the presentations were high quality, with a great mix of international big names like Angus Croll, Jeremy Ashkenas, and Nicole Sullivan, together with well-known local presenters like Glen Maddern, Tony Milne, and Mark Nottingham.

Angus Croll from Twitter’s web core team kicked off the conference with a philosophical look at JavaScript with his talk on “The Politics of JavaScript”. He showed how the open and accepting community around JavaScript is being clouded more and more by politics.

There are different factions within the community that use JavaScript as a bandwagon to promote their view of how you should develop in JavaScript. Angus went on to describe some of the politics going on:

  • Paternalism – Telling the developer that JavaScript is hard, but if he listens to the fatherly mentor he’ll be alright

  • Cult of Machines – Overly promoting tools like JSLint to do the thinking for the JavaScript developer

  • Fearmongering – Spreading fear about the language as a reason to promote overly defensive programming

  • Ideology – Making all or nothing statements about irrelevant details

  • Absolutisms – Declaring a single view of the JavaScript world to be the definitive answer dividing the community

These types of politics exist in other programming languages as well, but JavaScript has a history of being inclusive and accepting of different views. To see such politics appear in JavaScript is alarming. There is hope, though: JavaScript developers can rise above these politics. Angus’s advice was to master the fundamentals of the language, and then experiment, play, have fun, and keep an open mind. JavaScript is still the cool little language with a low barrier to entry and a high level of hackability. Things just work and it is fun to play around with JavaScript, and it can stay that way if politics don’t take over.

One presentation that I was really looking forward to was that of Jeremy Ashkenas. The topic was “Taking JavaScript Seriously With Backbone.js”, something dear to the heart of many web developers. Rather than taking an in-depth look at Backbone coding, the talk was more on the history of Backbone.js, starting from its origins as a part of the Document Cloud project Jeremy was part of in 2009.

The project is a web-based platform for journalists to search, analyse, upload, and annotate primary source documents otherwise not available on the web. It was created with a grant from the Knight News Challenge, which requires that all parts of a supported project be open-sourced. Underscore.js and the Jammit asset packaging library for Rails were the other parts, aside from Backbone.js, that were open-sourced as part of the Document Cloud project. Even though the talk was light on coding details, I enjoyed hearing how these breakthrough projects came about.

Local JavaScript hero Tony Milne presented on “Making and Keeping Promises”, promises being a much talked about abstraction that makes asynchronous programming easier. Asynchronous programming in JavaScript today is often done with simple callbacks. While callbacks are relatively straightforward, they can lead to code that on the one hand is difficult to read and maintain, and on the other hand also contains a lot of boilerplate: every nested callback has to check for and forward errors on its own.

A library that implements promises allows chaining of asynchronous calls very nicely without boilerplate, and helps the developer avoid the callback hell that has inspired whole websites. Tony explained how to use the Q library – an implementation of the CommonJS Promises/A+ proposal – to wrestle down asynchronous code and keep it readable, maintainable, and free of boilerplate.
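To make the contrast concrete, here is an added example (my own, not code from Tony’s talk or from the Q library) of the same three-step asynchronous workflow written first with nested callbacks and then as a promise chain. It uses the native `Promise` object as a stand-in for Q, and the users, orders and “remote” calls are constructed in-memory data rather than real HTTP requests.

```javascript
// Added example: nested callbacks versus a promise chain for one workflow
// (look up a user, fetch their orders, sum the totals). Native Promise is
// used in place of the Q library; data and "remote" calls are constructed.

const users = { u1: { id: 'u1', name: 'Ada' } };                  // constructed
const ordersByUser = { u1: [{ total: 12 }, { total: 18 }] };      // constructed

// Callback style: each step carries its own (err, result) convention and the
// error check is repeated at every level of nesting.
function getUserCb(id, cb) {
  setTimeout(() => {
    if (!users[id]) return cb(new Error('no such user: ' + id));
    cb(null, users[id]);
  }, 0);
}
function getOrdersCb(user, cb) {
  setTimeout(() => cb(null, ordersByUser[user.id] || []), 0);
}
function totalForUserCb(id, cb) {
  getUserCb(id, (err, user) => {
    if (err) return cb(err);                    // boilerplate, step 1
    getOrdersCb(user, (err2, orders) => {
      if (err2) return cb(err2);                // boilerplate, step 2
      cb(null, orders.reduce((sum, o) => sum + o.total, 0));
    });
  });
}

// Promise style: each step returns a promise, the chain stays flat, and a
// rejection from any step propagates to whoever calls .catch() at the end.
function getUser(id) {
  return new Promise((resolve, reject) => {
    setTimeout(() => {
      if (!users[id]) return reject(new Error('no such user: ' + id));
      resolve(users[id]);
    }, 0);
  });
}
function getOrders(user) {
  return new Promise(resolve =>
    setTimeout(() => resolve(ordersByUser[user.id] || []), 0));
}
function totalForUser(id) {
  return getUser(id)
    .then(getOrders)
    .then(orders => orders.reduce((sum, o) => sum + o.total, 0));
}

// Bridging the two worlds: a callback-based function wrapped as a promise,
// which is how promise libraries let you adopt them incrementally.
function totalForUserViaCallback(id) {
  return new Promise((resolve, reject) =>
    totalForUserCb(id, (err, total) => (err ? reject(err) : resolve(total))));
}

if (typeof require !== 'undefined' && require.main === module) {
  totalForUser('u1').then(t => console.log('total for u1:', t));
  totalForUser('nobody').catch(err => console.log('rejected:', err.message));
}
```

Note that the promise version has a single place where a missing user is reported, whereas the callback version needs an `if (err)` branch at every nesting level; that repeated branch is the boilerplate the talk was about.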

Troy Hunt’s presentation “Essential Security Practices For Protecting Your Modern Web Services” was entertaining and worrying at the same time. He showed examples of open web services that can easily be sniffed out and used for malicious purposes. Many mobile apps use a web service API to communicate with a back end. App developers may think that these web service APIs don’t need to be protected, since the actual URLs are invisible to the user. After all, they are only called from within a closed Android or iPhone app.

Troy showed how configuring a proxy on a phone is trivial, and how such a proxy can record all web traffic from the phone. Armed with the proxy, all calls to the outside become visible in plain text if they are not protected by HTTPS. He used such a proxy to sniff out the traffic of two mobile apps to show the danger. The first app was from an airline, and it had a feature for authenticated VIPs to obtain WiFi passwords for the VIP airport lounges of this airline. The app itself needed authentication and enabled this feature only for its VIPs, but the call the app made to obtain the WiFi passwords was a plain HTTP call that could be played back without authentication. This shows that protection by obfuscation does not work: the back end must authenticate every call itself.

He went on to show the same problem with another app, this time exposing the license plates and images of all cars parked in a public car park at any point in time, something the mobile app that used the API never allowed on its own. The app was there to help you find your own car in the car park, but the API behind it unintentionally allowed viewing all the cars in the car park. Calling the API directly, without using the mobile app, let anyone view all cars with location, license plate and an image of the car, remotely and at any point in time.

In his last demonstration Troy showed what can be done with a so-called Pineapple device, a little WiFi hotspot that can trick mobile devices into auto-connecting to it. It does so by masquerading as a known access point. Mobile devices constantly query all available access points to see if they are one of the access points the device has previously connected to. The Pineapple just assumes the identity of a known access point, and can then accept any requests from the mobile device and act as a proxy sniffing out the traffic. Sniffing out the traffic is particularly simple if the insecure HTTP protocol is used. Troy used the example of stackoverflow.com to show that there are still many websites out there that authenticate users using cookies, but send those cookies via insecure HTTP for such malicious proxies to sniff out. With the authentication cookie sniffed out, an attacker can masquerade as a legitimate user.
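The three demonstrations share one lesson: the back end, not the app, is the security boundary. As an added example (my own, not code from Troy’s talk or from any of the apps he showed), here is a small request-handling layer for a mobile-app back end that closes the gaps described above: it refuses plain HTTP, authenticates every endpoint including the “hidden” ones, marks the session cookie so it is never sent in the clear, and scopes the “find my car” response to the caller. Requests are plain objects standing in for what a framework such as Express would pass to a handler; the session table and car-park data are constructed samples.

```javascript
// Added example: defensive handling for a mobile-app web service API.
// Requests are plain objects (a stand-in for a framework's request object);
// the session store and the car-park records are constructed sample data.

const sessions = { 'tok-ada': { user: 'ada', plate: 'ABC123' } };  // constructed
const carPark = [                                                   // constructed
  { plate: 'ABC123', bay: 'L2-14' },
  { plate: 'XYZ789', bay: 'L3-02' },
];

// 1. No plain HTTP. An API that carries credentials or personal data is served
//    over TLS only. The request is refused, not redirected: by the time a
//    redirect is sent, a proxy in the path has already seen the cleartext call.
function requireHttps(req) {
  const proto = req.headers['x-forwarded-proto'] || (req.secure ? 'https' : 'http');
  return proto === 'https';
}

// 2. Every endpoint checks the session. A URL being invisible inside the app
//    is not a control; the airline's WiFi-password call was replayable precisely
//    because only the app's screens were gated, not the back end.
function parseCookies(header) {
  return Object.fromEntries(
    (header || '').split(';').map(c => c.trim().split('=')).filter(([k]) => k));
}
function authenticate(req) {
  const cookies = parseCookies(req.headers.cookie);
  return sessions[cookies.session] || null;
}

// 3. The session cookie is marked Secure (never sent over HTTP) and HttpOnly
//    (not readable by page scripts), so a sniffing proxy has nothing to replay.
function sessionCookie(token) {
  return `session=${token}; Secure; HttpOnly; SameSite=Strict; Path=/`;
}

// 4. Responses are scoped to the caller. "Find my car" returns only the
//    vehicle tied to the session, so calling the API directly gains nothing
//    over what the app already shows.
function handleFindMyCar(req) {
  if (!requireHttps(req)) return { status: 403, body: 'HTTPS required' };
  const session = authenticate(req);
  if (!session) return { status: 401, body: 'authentication required' };
  const mine = carPark.filter(c => c.plate === session.plate);
  return { status: 200, body: mine };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(handleFindMyCar({ headers: {} }));                     // 403
  console.log(handleFindMyCar({ secure: true, headers: {} }));       // 401
  console.log(handleFindMyCar({ secure: true, headers: { cookie: 'session=tok-ada' } }));
}
```

Point 4 is the one most often missed: the car-park API was “protected” by the app only showing one car, while the service itself answered with all of them. Filtering on the server by the authenticated identity is what makes the hidden-URL argument irrelevant.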

There were many other memorable presentations, but these were my highlights. I thoroughly enjoyed my time at the Web Directions Code conference and the lively discussions I had with many of the other participants. The discussions went on all the way to the after-conference party, where at least 100 of the participants continued to talk code over beer. Big thanks to Maxine and John for organising such an event where people passionate about their work can meet and exchange ideas about the direction of the web.
