Archive for the ‘ajax’ Tag

Opening Keynote – Day 3

Anthony Franco of effectiveui spoke in general about the future of RIAs.  A main point that he tried to get across was that Ajax isn’t something that should be used just for the sake of using it.  As developers, we need to make sure we figure out exactly what the client’s needs are and build our requirements off of that.  Ajax is supposed to be used to create more engaging user experiences – but sometimes it can lead to overkill.

More to come…

The conference is over but I have a lot more to add.  They pretty much saved the best for last, so there’s a lot to cover.  So many PowerPoint slides, so little time…  Expect posts on these topics, and more, soon:

  • FLEX
  • Reverse Ajax
  • Widgets
  • New Ajax Standards
  • XQuery

Understanding Top Web 2.0 Security Attacks

One of the most eye-opening sessions of the conference so far has been this one on Web 2.0 security. The speaker, Danny Allan from Watchfire, an IBM company, was fantastic and one of the most engaging of the week. There are a lot of security risks in just about all rich internet applications on the web today, mostly due to the way the world wide web was built – there are all kinds of ways hackers can attack a web site to gain access to secure information. Why would they want to gain access to this information? Almost always for financial gain.

He listed out 3 types of core attacks that may be used:

  1. Browser attacks: such as plugin flaws.
  2. Server side attacks: this is the more traditional attack, such as SQL injection.
  3. Client side attacks: using XSS (cross-site scripting), CSRF, etc., hackers can gain control over a user’s computer. There are 108 ways to exploit XSS attacks.

The main technologies that are attacked are:

  1. Browsers
  2. Ajax
  3. Web Services

It’s also worth noting that mashups are especially difficult to protect. There is the possibility that an attack in one widget could pull sensitive data from other widgets. Also it’s difficult to know when that happens because the DOM doesn’t recognize these sorts of attacks.

Other types of attacks mentioned are JS hijacking, prototype hijacking (hackers are able to basically replace your JavaScript function with their own), cache poisoning, DNS attacks, and DNS rebinding attacks.

He then proceeded to show us a demo of an XSS proxy which allowed him to gain control of a user’s bank information (not a real bank site) by pasting some malicious JavaScript code in the site search box and submitting it. Using the XSS proxy, he basically had a hacker admin panel that allowed him to view all kinds of data he “stole” from the user, including every link they clicked, every page viewed, all passwords and data typed in text fields, and basically anything sent through the browser you can think of. Since this was staged and just a demo, there are of course a lot of things that needed to be in place for this to work correctly, but the point is, it’s possible. One of the things I thought was really interesting is that he actually leveraged CSS code (href tag styles) in his algorithm to gain access to this fake person’s data. Yikes!
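As an added illustration (not code from the page or from the speaker’s demo), the JavaScript below shows why a search box that echoes the query back into the page as raw HTML is exploitable and how output encoding stops it; `escapeHtml`, `safeHref`, the two `renderResults*` functions, `looksLikeMarkupInjection` and the sample query are all constructed for this example.

```javascript
// Added example, not code from the page or the speaker's demo. The search-box
// attack works when a site echoes the submitted query back into the results
// page as raw HTML. The vulnerable renderer sits beside the hardened one.

// Encode the characters that let text break out of an HTML text node or
// a double-quoted attribute. Order matters: '&' must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Encoding alone does not make an href safe: allow only relative or http(s)
// links so a URL with a non-http scheme cannot become a clickable script.
function safeHref(url) {
  return /^(\/|https?:\/\/)/i.test(url) ? escapeHtml(url) : "#";
}

// VULNERABLE: the query is concatenated straight into the markup, so markup
// inside it becomes part of the DOM and runs in the site's own origin.
function renderResultsUnsafe(query, hits) {
  return `<h2>Results for "${query}"</h2><ul>` +
    hits.map((h) => `<li><a href="${h.url}">${h.title}</a></li>`).join("") +
    "</ul>";
}

// HARDENED: every untrusted value is encoded for the context it lands in,
// so the same query is displayed literally instead of being parsed as HTML.
function renderResultsSafe(query, hits) {
  return `<h2>Results for "${escapeHtml(query)}"</h2><ul>` +
    hits.map((h) => `<li><a href="${safeHref(h.url)}">${escapeHtml(h.title)}</a></li>`).join("") +
    "</ul>";
}

// Rough log-review check: flags queries carrying a tag or an inline event
// handler for triage. It is a smoke test, not a substitute for encoding.
function looksLikeMarkupInjection(query) {
  return /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=/i.test(query);
}

// Constructed sample input (not from the page): a query that carries a tag.
const sampleQuery = 'shoes<script>document.title="x"</script>';
const sampleHits = [{ url: "/p/1", title: "Running shoes" }];
```

Run `renderResultsUnsafe(sampleQuery, sampleHits)` and `renderResultsSafe(sampleQuery, sampleHits)` side by side: the first contains a live `<script>` element, the second shows the query as visible text.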

Embracing New Platforms

The speaker was Bert Halstead, chief architect for CURL. This presentation was roughly based on a study commissioned by CURL to compare Flex, CURL, AJAX, and .NET on several different aspects such as learning curve, average development time, loading speed, etc. by finding teams of developers to duplicate a certain web application in each language. As you could expect, CURL came out on top a few times… with Flex consistently coming out in the middle. I wasn’t very impressed with the survey – it seemed the results were a bit off, especially for the development time aspect, since apparently they tested teams that had prior knowledge of some of the languages. Basically the point was that there are trade-offs with each method. He also believed that we’re moving towards building more web-enabled applications for the desktop.

PHP Next Generation RIA Superhero : Tech Session, Day 1

After finally figuring out what floor the conference was located on (there were no signs to direct people… very helpful), I headed to the first session. I noticed that I would have to keep on my toes since the number of available seats in each tiny room was significantly less than the number of attendees. It was a difficult choice, but I decided to kick the first day off with something I’m familiar with. The speaker was Andi Gutmans, CTO and co-founder of Zend Technologies.

He showed us a demo of an application that they built using the Zend Framework and Dojo – a JavaScript library. The demo utilized MVC architecture, lighttpd (a web server that allows for a higher number of persistent connections), JSON, and a proof-of-concept COMET server built with PHP. The app was just a simple web form that used an auto-complete field, except it showed an example of the server “pushing” data to the client as opposed to the user explicitly requesting the data. As with most of the other presenters today, there was some propaganda to sell his product – the Zend Framework – but for the most part he was pretty straightforward.

85 Sessions…

There’s a ton of stuff that’s going to be covered this week, so planning some kind of agenda is becoming next to impossible. I’m definitely the kind of person that isn’t happy just staying with one general topic. I like jumping around a bit to try to get a broader idea of what’s going on, although I’m going to try to keep that to a minimum. It’s probably a good thing they’re giving us DVDs of all the sessions, otherwise I’d probably pass out trying to sprint around to every one. There are 85 sessions and 18 core topics, including:

  • Rich Internet Applications
  • Enterprise Mashups
  • Security
  • Toolkits & Frameworks
  • Web 2.0 | Enterprise Web 2.0
  • Enterprise AJAX
  • Social Applications
  • iPhone
  • Reverse AJAX | AJAX Push | Comet
  • ASP.NET AJAX
  • Silverlight
  • Adobe AIR | Flash | Flex
  • Yahoo! User Interface Library
  • SOA
  • Enterprise 2.0
  • PHP
  • Ruby on Rails | Grails
  • JSF | JavaFX | jMaki

View the Complete List of Sessions

I shall return with some sort of itinerary… Any requests?