Raw notes, to be written up as separate pages at some point
CodeStock
Hack the planet
@danemorgridge
Tail CEO thru McDonald's, good chance his phone will connect to wifi and then to Outlook Web Access without SSL. If so, his Active Directory credentials just went over the open network.
TODO: change Google and Yahoo passwords, make sure Gmail is SSL
Personal Security Options:
- Always use HttpS
- VPN
Common Security Holes
OWASP top 10
CSRF - the trick is to find a URL that requires someone who is authenticated. Then you can put an image tag (`<img src="...">`) on a page where the URL does something damaging; if the victim loads the page with your image on it, their browser makes that request with their credentials.
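The defensive side of the image-tag trick above, as an added example that is not from the talk or the notes: a minimal synchronizer-token check in plain Python with no web framework. The session store, request handler and form rendering are constructed stand-ins for what a real application would do; the point is that an `<img>` can only issue a GET and can never read the per-session token, so both forged requests are refused.

```python
"""Added example (not from the conference notes): synchronizer-token CSRF
protection in plain Python. Session store and handler are constructed
stand-ins for a real web app."""
import hmac
import secrets

# Session store: session id -> session data. Constructed for the example.
SESSIONS = {}


def new_session():
    """Create a logged-in session and mint a random per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """The legitimate page embeds the token; an attacker's page cannot read it
    (same-origin policy), so a forged form cannot include it."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="to"><input name="amount"></form>'
    )


def handle_transfer(method, cookies, form):
    """Server-side handler for the state-changing endpoint. Returns (status, message).

    Two checks the <img src="..."> trick runs into:
    1. State changes are accepted only on POST; an <img> tag can only issue GET.
    2. The POST must carry the session-bound token, compared in constant time.
    """
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    if method != "POST":
        return 405, "state-changing requests must be POST"
    sent = form.get("csrf_token", "")
    # compare_digest on bytes avoids timing leaks and non-ASCII TypeErrors
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']} for {session['user']}"


def extract_token(html):
    """Pull the hidden token out of the rendered form, as the real browser would submit it."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


if __name__ == "__main__":
    sid = new_session()
    cookies = {"session": sid}  # the browser attaches the cookie automatically
    # 1. Forged <img src="https://bank/transfer?to=evil&amount=1000"> is a GET.
    print(handle_transfer("GET", cookies, {"to": "evil", "amount": "1000"}))
    # 2. A forged cross-site POST (auto-submitted form) cannot know the token.
    print(handle_transfer("POST", cookies, {"to": "evil", "amount": "1000"}))
    # 3. The legitimate form submission carries the token and succeeds.
    token = extract_token(render_transfer_form(sid))
    print(handle_transfer("POST", cookies, {"to": "bob", "amount": "10", "csrf_token": token}))
```

The POST-only rule alone is not enough (a hidden auto-submitting form can POST cross-site), and the token alone is fragile if it is ever exposed in a GET URL; the two together are the standard pattern the OWASP entry describes.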
Security misconfiguration - scanners searching for phpMyAdmin? Look at your logs to see how often this is searched for.
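Doing that log check in code, as an added example (not from the talk): a parser for combined-format access logs that counts requests to common admin-tool paths per source address and separates the probes that were served (2xx) from the ones that hit nothing. The log lines are constructed for the example, not real traffic.

```python
"""Added example (not from the notes): count phpMyAdmin-style probes in a
combined-format web access log. Sample lines below are constructed."""
import re
from collections import Counter

SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2012:13:55:36 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2012:13:55:37 -0400] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2012:13:55:37 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2012:14:01:02 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2012:14:01:05 -0400] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2012:14:10:44 -0400] "GET /phpmyadmin/ HTTP/1.1" 200 8800 "-" "curl/7.21"
"""

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Path names scanners commonly try for the tool (list is an assumption, extend as needed)
PROBE_RE = re.compile(r'/(phpmyadmin|pma|myadmin|mysqladmin)(/|$)', re.IGNORECASE)


def find_admin_probes(log_text):
    """Return (hits, per_ip): parsed probe requests and a Counter of probes per source IP."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.search(m["path"]):
            continue
        hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits, Counter(h["ip"] for h in hits)


def served_probes(hits):
    """Probes that got a 2xx: the admin tool is actually reachable, which is the
    misconfiguration to fix (or at least restrict by network and auth)."""
    return [h for h in hits if 200 <= h["status"] < 300]


if __name__ == "__main__":
    hits, per_ip = find_admin_probes(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} probe(s)")
    for h in served_probes(hits):
        print("SERVED:", h)
```

The 404s tell you how often you are being scanned; the 200 is the one that matters, because it means the tool is exposed.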
Check OWASP #10, invalid url redirecting. Hmm.
Python is language of choice for hacking - rich network library
Download BackTrack (backtrack-linux.org)
Mantra scanner tool
Functional programming
@rickasaurus
I'm not sure what the point of this talk is. We've discussed functional programming and the composing of functions in F#. I think the idea is that once you write the little functions, you can combine them together as long as the signatures are the same. Could have been better elucidated I think.
Maybe the fundamental thing to remember from college is the idea that you can transform the types that you pass to a chain of generic functions. If you can pass a(b(c(d(5)))) appropriately then you should be able to do a(b(c(d(Maybe<5>)))) appropriately, and pass the maybe<> down the line.
building a website with azure (@dburton)
class User extends Userbase - userbase is from backbone
backbone is based on underscore which has a templating library
use backbone's "rails post" mechanism but with a lib that overrides it to use html5 local storage
did some stuff to set up an azure account, then wrote a node module to create some tables. there is a Node library to talk to Azure. The Azure site has directions on how to set up a node/azure site in a couple of minutes
Then socket.io for communication.
CoffeeScript (@dmohl)
significant whitespace
works fine with JQuery
wraps all code inside self-executing anonymous functions (can use "window." to explicitly add to the global namespace)
can use js keywords as variable names
the == symbol actually compiles to ===
there are compilers for most languages that compile to JS. CoffeeScript style might be the closest to the actual JS though. "An opinionated subset of JS"
Syntactic sugar
@ = this
inline string formatting. first = "foo" title="the #{first}"
slimArrow: define Add function: add = (val1,val2) -> val1 + val2
fatArrow: allows defining member functions for classes
multiline strings: 3 single quotes, or 3 double quotes for inline formatting
existential operator
Mindscape Web Workbench
WebStorm - a JavaScript IDE
Use node.js and NPM to automate watching folders and compiling the CoffeeScript into JS (Can it directly do minifying? - BF)
T4 templates (RichardGo@magenic.com)
.tt file compiles to a code class, which compiles to a text file
usage scenarios: Config files, DB enumeration classes, enums in code
aspx navigation ( existing plugin ), data entity classes, WiX file creation, CRUD stored procedures
T4 is built in to visual studio but no editor, Tangible has an editor
"Tangible T4 Editor" In VS go to Tools -> Extension Manager -> Online Templates -> Search
Structure:
<# begins code block.
<#= is inline evaluation,
<#+ class
<#@ directives (including @import so you can add your own class libs)
Built in functions:
Write/WriteLine
PushIndent/PopIndent
Warning, Error
Inputs can come from XML or EDMX (Entity Framework libraries) or SQL database
<#@ include is a directive so you can build up templates. *.ttinclude
(How do command line build? - bf )
Debugging: Have to launch a new devenv to debug the one that's creating the template. Set debug="true" on the template and call Debugger.Launch somewhere in a directive (In VS2012 can debug in a single instance)
Interesting use case: Put a template under another file using T4ScriptFileGenerator (which is part of T4Toolbox, not included); when the above file is saved, the templated script is run. Demo: validating an xml file against a schema
Leon Gersing
Beginning iOS
XCode
InterfaceBuilder (now part of XCode) hierarchical design
Objective-C is just smalltalk thrown on top of C
ARC (automated reference counting)
Sending messages to NIL is a no-op. Nothing happens
@ syntax is smalltalk part - @interface, @implementation
@synthesize (appears to be autoproperty but with overrides)
@dynamic
IBOutlet - an interface allowing InterfaceBuilder to work with classes. Also IBAction and IBActionCollection
- KLIJST: Mark List as "Interesting"
Michael Bradbury, independent
Not a myth: working for yourself is hard
First game was a flop even after good reviews
Backed into dev as a side thing from comic strips
- Build something you need. (But what about building for enterprise? - bf)
- Build something you can support. (from email, to faq page, to online forums)
- Support your customers and they will support you
- Some customers suck (they're used to being sold crap and their complaints ignored. Or not unhappy with you so much as unhappy in general. Give 'em a refund and move on)
- Marketing is free. A blog. (TODO - resurrect blog - bf)
- Trust is everything. A blog with a bogus voice doesn't help
- Learn how to write
- Nobody reads your help file. Might be better to redesign the feature if it needs that much explanation
- Don't try to be cool. Don't add features just to gain attention. Don't show off.
- Screw the power users. Make it simpler for the regular user. Power users ask for weird features with barely any use cases. Complain when you drop options. This is difficult because we *are* power users. (so what about building for yourself? - bf)
- Embrace change. Stay relevant, unless you want to spend your time maintaining legacy code
- Is advertising your best business model? Probably not unless you have a large user base.
Andrew Day, Fragmentation of Android market
Fragmentation by device, fragmentation by screen size
"Fragments"
Why should we use fragments? - Single code base, multiple screen resolutions. Access to new APIs on older devices! No monolithic activities.
How do fragments work? - Must have a host. Independent. FragmentManager: Add, Replace, Remove. Subclasses: ListFragment, DialogFragment, PreferenceFragment
Handling multiple screen sizes: Can do it in the layout:
Can also do it in code by turning on or off various fragments.
Stop thinking like a developer, start thinking like a designer. If you have space, fill it. Don't leave it blank, don't stretch it.
Download and add back compatibility package. Min target SDK should probably be 7. Use the layout to find your ids
Tobin Titus (@tobint)
HTML5 tips and tricks
Performance: behavior of an app relative to expectations
Network optimizations: Enable compressed content (server and client) (but disable on images folder since it's compressed already); minify javascript and css; cache content (Expires header); Create image sprites so lots of little images don't cause separate requests (Use CSS styling to specify the location on the sprite sheet); Don't scale images;
DOM optimizations: link stylesheets in head (inlined styles cause a reload) and don't use @import. Limit number of rules; Externalize css; JS at the bottom of the page (or use "defer" attribute) NOT inline as it interrupts DOM loading to execute; reduce DNS lookups (more than 2 domains will probably slow down loads); Paint vs. Layout (changing a background color is cheap; changing a position requires massive redrawing. For data that might change, make sure that the DOM knows that the layout won't change when the data does); Minimize dot operations; Reduce the complexity of the DOM tree (does that mean the depth?)
JS optimization: Minimize symbol resolution (you can cache a function before using it in a loop; keeps from looking for func each time); avoid "with" statement;use requestAnimationFrame to handle redraws (uses browser refresh);
Committed to Good Commits
David Ruttka (@druttka)
@codinghorror - source control is the bedrock of software engineering
Link to issue tracker is important
- reviewing issues
- help testers make test cases
- Ad-Hoc changes - do something with them - card for refactoring, or?
- Issue tracker in GitHub auto links if you begin your commit message with #5 (eg)
Atomicity - commits should be atomic. Helps keep comments concise, frequent commits, can pull in to master based on commits (cherrypick), easier to roll back (but is atomicity at the push level or the commit level ? - bf)
Frequency - commit early and often - helps with checkpointing, descriptivity, and CI. But frequent commits may destabilize things. What do you do?
Branching. Helps to isolate change and preserve stable state. Branch by release - then hotfixing or service packs. Or, branch by feature - create a dev branch off stable then merge back. Can branch off branch for subfeatures. (Couple of links for good explanations)
Validation - Safe place, no garbage, build, test, diff (A prebuild build? - bf)
Synchronization - semantic conflicts, CI. "Check-in dance": pull latest before check-in of a big change. "GitHub stoplight" (sounds cool, run by arduino? sweet. - bf )
Signals
Resources: Programmers Stack Exchange, Version Control By Example (Eric Sink - maybe free eBook?) Vincent Dreissen (@nvie) for Git folks
Monads - great talk, built up Maybe Monad step by step, used Monad in a linq statement
WiFu
Need Network adapter that supports "Monitor" mode ($30 from Amazon) Directional antenna is also $40 from Amazon
Wireless packet frames: management, control, or data
Wireshark packet sniffer
- determine the channel of the network you're interested in
airodump - a lightweight packet sniffer
Bypassing security:
- Hiding SSID is an ineffective means of security. Still sending beacon packets, and you can recover it by sending deauth packets, which will cause machines to attempt to reconnect and send the SSID with them.
- Only allowing MAC addresses - ineffective. Deauth requests, watch for the reauth packets and use MacChanger to borrow a MAC address that was being sent (MacChanger only sends the broadcast MAC, not the actual)
- Shared key WEP - Use airodump to watch for reconnect attempts, send a deauth, and monitor the handshake. Aircrack cracks the key
- WPA or WPA/2 - only attack is dictionary attack. Rainbow tables exist for the most common SSID/PW combinations
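Three of the four bypasses above start with a deauthentication flood, which makes deauth/disassociation frames the thing a wireless IDS watches for. As an added example (not from the talk), this parses the 802.11 management-frame header from raw bytes and raises an alert when one BSSID emits more than a threshold of deauth/disassoc frames inside a sliding time window. The frames are built by a constructed helper, not captured from a real network; the threshold and window are assumptions to tune for your environment.

```python
"""Added example (not from the notes): detect a deauthentication flood from
raw 802.11 management frames. Frames below are constructed, not captured."""
import struct
from collections import defaultdict

# Frame control byte 0: bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype.
TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt_frame(subtype, dst, src, bssid, seq, reason=None):
    """Constructed helper: minimal 24-byte management header (+ 2-byte reason
    code for deauth/disassoc), little-endian fields as on the air."""
    fc = bytes([(TYPE_MGMT << 2) | (subtype << 4), 0x00])
    frame = (fc + struct.pack("<H", 0)                      # duration
             + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
             + struct.pack("<H", seq << 4))                 # sequence control
    if reason is not None:
        frame += struct.pack("<H", reason)
    return frame


def parse_frame(frame):
    """Return type/subtype and the three addresses, or None if too short."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    return {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
    }


def detect_deauth_flood(frames, window=5.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_bytes), in time order.
    Alert once per BSSID when >= threshold deauth/disassoc frames land in `window` seconds."""
    recent = defaultdict(list)   # bssid -> timestamps of recent deauth/disassoc
    alerts, alerted = [], set()
    for ts, raw in frames:
        p = parse_frame(raw)
        if p is None or p["type"] != TYPE_MGMT:
            continue
        if p["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[p["bssid"]]
        q.append(ts)
        while q and q[0] < ts - window:   # slide the window
            q.pop(0)
        if len(q) >= threshold and p["bssid"] not in alerted:
            alerted.add(p["bssid"])
            # A broadcast destination is the stronger signal: it kicks every client at once.
            alerts.append({"bssid": p["bssid"], "count": len(q), "at": ts,
                           "broadcast": p["dst"] == BROADCAST})
    return alerts


def sample_capture():
    """Constructed traffic: one beacon, one isolated deauth (normal AP housekeeping),
    then 20 broadcast deauths in two seconds claiming to come from the AP."""
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    frames = [(0.0, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, ap, 1)),
              (1.0, build_mgmt_frame(SUBTYPE_DEAUTH, client, ap, ap, 2, reason=3))]
    frames += [(10.0 + i * 0.1, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap, 100 + i, reason=7))
               for i in range(20)]
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print("deauth flood:", alert)
```

With 802.11w (management frame protection) enabled, clients drop unauthenticated deauths outright, so the flood fails and the detector becomes an audit signal rather than the last line of defence.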
Tools
Jasager (Pineapple IV) (mocks networks that are being requested for autoconnects by phones, laptops)
Reaver Pro - cracks WPS setup. Reaver is free cracking software, the pro version is pushbutton hardware
Hak5 podcast
"iw reg set bo" - changes card so it can be used in Bolivia, with all regulations (or lack thereof) on power
StirTrek
Jurgen Appello
How to Change the World
Fails a lot
Wrote "Management 3.0", 6th most influential agilist
Barriers to further agile adoption:
#1 Ability to change culture
#3 Resistance to change
Mojito method (make something cool out of boring ingredients)
Need to get his book list
4 facets of change
1. The system
PDCA cycle (Plan, Do, Check, Act)
Do: define simple steps to follow, choose right moment/place to start
Check: Feedback, Measure
Try again, and again, until you have it right (and learn from others failures)
We cannot control systems, but we can dance with them
2. The people
ADKAR (Ability, Desire, Knowledge, Awareness, Reinforcement)
10 intrinsic desires (CHAMPFROGS)
Build habits with small successes to make behaviors sustainable (gamification)
3. Stimulate the network
Rogers innovation theory
Make sure not on your own
Who will be the innovators?
How do you reach early majority?
Listen to the skeptics and understand what is holding them back
4. Change the environment
self-organization can only happen within a boundary
5 I's - Information, Identity, Incentives, Infrastructure, Institutions
Information radiators
Identity - appeal to a higher identity that people want to associate with. T-Shirt test - will your employees wear your t-shirts voluntarily? Common tactic: them vs. us
Incentives - small rewards (makes sure focus is on behavior)
Infrastructure - What barriers to remove? Which guides to place?
Institutions - define and enforce rules of good conduct
@LeanDog
UX and agile
Most organizations don't have enough UX specialists
They disagree with: No need for UX if people are forced to use the software
Progressive elaboration
"Lean Startup" a big influence, recommended for at least the third time
Three practices
User Story Mapping - mapping out with post-it notes, then find pain points, focus on Customer Value
Test First Design - make sure to come up with a design that you can put in front of customers quickly, to see if they like the concept. Don't spend months building before finding out.
Flash Builds - Nordstrom innovation, went out to store and built app in a week, getting customer feedback after every change
Persona: Connected Communicated Consumer
Michael Mah
Agility Study
QSM Slim database
Waterfall methodology increases bug rates
project size measured by SLOC
Larger projects all waterfall
Agile metrics Velocity, headcount, stories and point sizing, bugs
Results:
Columbus sw faster schedules fewer bugs than industry average
(Take into consideration regulated industry v. non-regulated? - bf)
(Bug rates and schedule time should increase logarithmically rather than linearly - bf)
Q: Maturity of team? A: Yes, seem to have higher bug rates on less mature teams. Not doing agile properly.
IGS QA team
Manual QA. 200 manual test cases. 1st release, couple QAers, 3 weeks, just a few bugs
Next release...
refactoring is a cuss word. 150 bugs logged in 2 weeks, development keeps moving forward, dev and QA antagonistic, QA doesn't know what to test except from a requirements document, new features change existing code
Not really coding bugs, not requirements bugs, but communications bugs
QA is the constant bearer of bad news (telling devs about their bugs)
A release to QA every 3 weeks, and branch the code
Then, a 4 week bug-fixing sprint, what to do to prevent this
Offered a dev to the QA team, but QA didn't trust dev. But the dev was able to start automating tests
3 amigos (BA, QA, Developer), write acceptance criteria in Gherkin
Create a table of testing notes with specific examples
And create gherkins from those
Tips: Break things into small chunks; acceptance criteria being complete before dev begins (Doesn't that slow you down a lot? -bf); remember end goal
Then automating tests (SpecFlow) developers write, but since all one team it doesn't matter (what if changes? QAs still buy in? -bf)
Restructuring requirements - took big complicated workflows and replaced them with actual method names. ValidateSingleAccountExists, ValidateUsageDoesNotOverlap, then the function can be tested. (Now requirement seems almost exactly like code - bf)
New Definition of Done (has to be tested, if it's not, developers help test); entire iteration on one card board, rather than transferring between rooms. (Bug tracking tool? How transfer to cards? - bf)
Colocation - a Pod (2 devs, 1 BA, 1 QA)
GOAL over role (Not: I code, you test, but: get quality software out the door)
(Confidence in automated tests means no regression testing? - bf)
Christopher Avery
how to respond to a problem: COPING: denial, blame, justify, shame, obligation. GROWING: responsibility.
3 qualities of high performing teams: Going above and beyond, ?, and ?
Intention -> Awareness -> Confront -> Intention
Exercise: figure out what phrases your team uses to respond to a problem, and categorize them. (denial, shame, etc.)
@unclebobmartin
"Clean architecture"
Fermions, bosons
How lasers work, ultraviolet lasers ($12 at Amazon)
What should an architecture look like? (Eclipse, Java, Spring). Those are just tools!
Good architectures _Scream_ their intended usage
Look at the system. Can you find the use cases? Or do you see model/view/controllers? (But how else would you structure a rails app? -bf)
The use cases are hidden and all you know is that it's a web app.
UI and use cases should be separated
A good architecture allows you to defer decisions
Start from the use cases, write the code for those. Defer (web app? database? IOC?)
A good architecture maximizes the number of decisions not made
Recommends "Object-oriented software engineering"
Done properly, the interface becomes a plugin to the application (web, console, FitNesse)
Bad code? Afraid to change it? Fearing the code is dangerous. You should not fear something you created.
(It really comes down to use-case first. Persistence and interface happen at the end - bf)
@objo
"Pragmatic thinking & Learning"
"How to Win Friends and Influence People"
People Patterns
Conversation Rolodex
What do they see?
Three Realities - your side, their side, and the truth
Listen Without Agenda
Don't delay bad news
Consistent Uncompromising Honesty
Listen between the lines - what do people actually want?
Assume the positive
Positivity moves forward - negativity leads to a quick end of the road. No point in assuming that people are out to get you, that they can't be trusted. But it's an easy thing to think! Two most important words in improv: "Yes, and"
Brandon Keepers
Why code smells
Recommends "Growing object-oriented software, guided by tests"
Smells:
Dependency on other objects
too many assertions
duplicated setup in multiple tests
difficult to understand the test at a glance
Shows 8 lines of jQuery that can be expanded into dozens of lines of Backbone (is that really an improvement?)
Slow unit tests