After NDC Oslo 2014

It's over. I'm back in Amsterdam after an awesome week in Oslo. Great sessions, lots of smart people, delicious food and very good coffee. Inspirations everywhere.

I didn't know Norwegians were this much into coffee drinking. I can easily say that I didn't drink a single cup of bad coffee in Oslo in 7 days. One of the world's best coffee shops, Tim Wendelboe, is also located in Oslo. But more on that later.

I've seen a lot of stuff and spent time with very smart people.

Like I did with my previous conference visit in Microsoft / Seattle, I'll write down all the sessions I've attended, together with the links to the video recordings.

I didn't know the sessions at NDC were recorded. That was a nice surprise at the beginning of the conference. Deciding which sessions to attend became a lot easier afterwards. Now I can basically see anything I missed if I want.

Workshops

Attending the workshops was the best decision we've made. By far the most educational part of the conference. 2 days of workshop give enough time to dive properly into a broad topic and allow a good deal of Q&A and lab time.

The workshop I attended was titled "Identity and Access Control for modern web applications and API's", given by Dominick Baier and Brock Allen. 10 out of 10 for those guys. They were well prepared and very responsive to questions from the attendees.

Unfortunately there is no video recording here. I have PDFs and lab solutions which I'll share in a future blog post.

We've covered everything from the old security techniques to the modern ones. Here are some of the main points:

  • Using security tokens and claims-based authentication & authorization is the way forward.
  • Separating authentication into a shared service is a good technique once you have multiple services in your deployment. This security service issues access tokens that the other services in the system consume, which avoids repeating security-related code in every service. It keeps things DRY and gives a single point of configuration and control. Good stuff.
  • Microsoft is already moving in this direction with OWIN and Katana. Claims-based identity is baked into the framework at the moment, and there are a number of Katana middleware components that implement token-based authentication.
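As an added illustration (not the workshop's lab code), here is the flow those points describe in miniature: a hypothetical identity service issues a signed token carrying claims, and a separate resource service validates it without touching any user database. It assumes a JWT-style HS256 layout and an HMAC key shared by both services; the key, service names and claims are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed example key shared by the identity service and the resource service.
SHARED_KEY = b"constructed-example-key-do-not-reuse"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes, audience: str, ttl: int = 300, now: int = None) -> str:
    """Identity service side: sign the claims as a JWT-style HS256 token scoped to one audience."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, aud=audience, iat=now, exp=now + ttl)
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def validate_token(token: str, key: bytes, expected_audience: str, now: int = None) -> dict:
    """Resource service side: check algorithm, signature, audience and expiry, then return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' or any algorithm the services did not agree on
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != expected_audience:  # token was issued for a different service
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims

def is_valid(token: str, key: bytes, expected_audience: str, now: int = None) -> bool:
    """Convenience wrapper: True when validate_token accepts the token, False on any rejection."""
    try:
        validate_token(token, key, expected_audience, now)
        return True
    except ValueError:
        return False
```

A real deployment would use a maintained token library and, when several services validate tokens, an asymmetric signing key so that resource services hold only the public half.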

I left the workshop with some ideas and improvements that can be applied to Nfield: ideas that enable more secure access scenarios and can make the security implementation more elegant.

Keynote

If you're doing anything remotely related to UI or UX design you have to see this keynote. Period.

More and more companies are realizing that the intuitiveness and ease of use of their applications are critical to their competitive advantage. How many taps or clicks does it take to achieve something in your mobile application? Think again. It's a matter of people using it or quitting it.

Luke Wroblewski will blow your mind with the statistics and examples he puts up on the screen.

Sessions - 4 June 2014


Sessions - 5 June 2014


I'm finding JavaScript combinators very interesting. JavaScript has first-class functions, meaning that a lot of interesting things can be done with them. Once you start combining and decorating functions with other functions, very interesting ways of expressing programs start to appear.

Surprisingly, programs become DSL-like and more readable, because instead of "HOW", the program syntax starts to tell "WHAT", making it more declarative than imperative.

I really loved this session and the way Reginald Braithwaite presented it. I'm hoping to find time to read his book JavaScript Allongé.

As programmers our "flow" is something sacred to us. When we're concentrating and in flow, we must not be interrupted, because it annoys us and costs too much time to get back into flow again.

Mark Seemann thinks interruptions are going to happen no matter what. Instead of trying to avoid them, he focuses on ways of working that let him get back into flow more easily and much faster.

I've come across a nice summary blog post about this session.

Sessions - 6 June 2014


Just like with Douglas Crockford, you don't leave a conference without attending a session given by Bob Martin. This is one of those talks with some "aha" moments about functional programming.

One thing that I found really interesting is a book that Uncle Bob mentions during his talk. The book is called Structure and Interpretation of Computer Programs which he praised a lot. At some point during his talk he said something along the lines of the following:

...almost near the end of the book the authors wrote a couple of pages' worth of apologies for what was about to come, and then they introduced the assignment statement...

This amazed me. They could write almost the whole book without the assignment statement (read: purely functional) and then introduced it as if it were a defect in software programs. Funny.

Another Troy Hunt show-off session. He talks about a couple of highly effective web attacks. Watch it if you're looking for fun, but basically it all comes down to a couple of main points:

  1. Never ever display a login form over an HTTP connection, even if you're posting that form to an HTTPS endpoint. A man in the middle can rewrite the form to post somewhere else and steal your credentials without you knowing it. It turns out that the Iranian government used this technique to steal its citizens' Facebook credentials for a while before Facebook woke up and made its login page HTTPS only.

  2. Always be careful with SQL injection. If you're using the latest frameworks you're mostly covered.

  3. Make sure your username & password challenge is computationally costly and time-consuming. If an attacker gets hold of your user database and decides to recover the clear-text passwords, he should be slowed down. It turns out that simple hashing and salting algorithms are easy to break with rainbow table attacks. Even the ASP.NET Membership implementation from 2010.
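An added example (not from the talk) of point 3: a single salted SHA-1 record beside a PBKDF2-HMAC-SHA256 record whose iteration count is stored with the hash, plus a helper that measures how many guesses per second each scheme allows against one stolen record, so a defender can put a number on the slowdown. Function names, the sample password and the guesses are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Weak scheme, shown only for comparison: one SHA-1 pass over salt + password.
def hash_fast(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).digest()
    return "sha1$" + salt.hex() + "$" + digest.hex()

def verify_fast(password: str, stored: str) -> bool:
    _, salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_fast(password, bytes.fromhex(salt_hex)), stored)

# Slow scheme: PBKDF2-HMAC-SHA256. The iteration count travels with the record so it can
# be raised for new passwords as hardware gets faster without breaking existing records.
DEFAULT_ITERATIONS = 100_000

def hash_slow(password: str, salt: bytes = b"", iterations: int = DEFAULT_ITERATIONS) -> str:
    salt = salt or os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"

def verify_slow(password: str, stored: str) -> bool:
    _, iterations, salt_hex, _ = stored.split("$")
    recomputed = hash_slow(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)  # constant-time compare of the two records

def guesses_per_second(verify, stored: str, guesses: int = 5) -> float:
    """Throughput of a naive offline guessing loop against one stored record (constructed guesses)."""
    start = time.perf_counter()
    for i in range(guesses):
        verify(f"constructed-wrong-guess-{i}", stored)
    return guesses / max(time.perf_counter() - start, 1e-9)

if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample password
    weak, strong = hash_fast(secret), hash_slow(secret)
    print(f"single SHA-1 : {guesses_per_second(verify_fast, weak):,.0f} guesses/s")
    print(f"PBKDF2 100k  : {guesses_per_second(verify_slow, strong):,.0f} guesses/s")
```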

This is what I want to share right now. Maybe I can dive into a number of these topics in some of my next blog posts. Thanks for reading.