Saturday, September 14, 2013

TechEd 2013 Round Up / Summary

I've summarised some of the most interesting/important parts of my TechEd 2013 NZ notes here.

Keynote
AZR301 Building Real World Cloud Apps with Windows Azure - Part 1
  • Automate Everything (everything that can be done in the Azure portal can be automated via the REST API and PowerShell commands. Azure script site with templates)
  • VS2013 has built in support for Git.
  • Continuous Integration and Delivery - http://tfs.visualstudio.com
  • Web DEV Best Practices
    • Scale out our web tier using stateless web servers. Dynamically scale our web tier based on actual usage load.
    • Multiple load balancers (Layer 7) can split requests to multiple VMs running IIS. Can handle server failure and start up a replacement VM. Lots of redundancy to handle failures.
    • Auto scaling rules based on time of day. Schedule times. Day or night for timezone. Logging shows scaling history.
    • 2 Core 4GB VM is a good starting point.
    • Instance count range and CPU load scaling.
    • Avoid using session state if possible. Prefer the cache provider if possible. Use CDN to edge cache static file assets. Use .NET 4.5 async to avoid blocking calls.
  • Single Sign on. - Windows Azure Active Directory (AD). Can be linked to on premise AD. Can be integrated with Salesforce. Wizard to setup sync all the users to the cloud.
  • Data Storage
    • SQL Database (Relational)
    • Table Storage (NoSQL Key/Value Store)- Advantage to store peta-bytes of data.
    • Blob Storage (unstructured files) – More like a standard file system.
    • Virtual Machines to host other options.
    • Slide – Data Storage Questions to Ask. Pros and Cons slide.
  • Data Scale and Persistence
    • Volume – MB/GB/TB/PB
    • Velocity – How quickly will it grow. Twitter – Fast data creation but only interested in most recent data.
    • Variety – Relational, images, key-value pairs, social graphs.
    • Scale out your data by partitioning it.
    • Vertical Partitioning. Split image data out of the relational database into blobs.
    • Horizontal Partitioning (Sharding). Split rows between databases based on some key (e.g. user last name).

ARC303 Hack-Ed: Wheedling and cajoling your way to success

Andy Prow and Kirk Jackson

  • Backtracking in RegEx can cause a sharply increasing CPU workload. The regex in use can be exposed client side when the same pattern is reused for client side validation.
  • XmlDocument.Load expanding entities declared in the DOCTYPE can cause full CPU and rapidly growing memory usage.
  • Cookies leaking out due to transitions via HTTP and HTTPS.
  • Wireshark. Exposes Client cookies sent over WIFI network.
  • File Upload Cheat Sheet - https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet#File_Upload
  • Highlighted Dapper SQL Injection Risks
Information Disclosure

Entity expansion is not limited to string literals though. It could very well refer to external data like the example below.

<!DOCTYPE doc [
    <!ENTITY win SYSTEM "c:\windows\win.ini">
]>
<doc>
    &win;
</doc>

If this document is somehow reflected back to the client it would result in disclosing information on the server that a client wouldn't have access to.
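An added example, not from the talk or the OWASP page, showing how to bound both parsing costs raised in this session in .NET: the XmlReaderSettings refuse the DOCTYPE of the document above instead of expanding &win;, and the Regex overload with a match timeout (available from .NET 4.5) turns catastrophic backtracking into a catchable exception. The UntrustedInput class and the 200 ms budget are my own choices.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml;

// Added example: bounding the cost of parsing untrusted input (hypothetical helper class).
public static class UntrustedInput
{
    // Loads XML with DTD processing prohibited, so entity declarations are never expanded
    // and SYSTEM identifiers such as c:\windows\win.ini are never read.
    public static XmlDocument LoadXml(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
            XmlResolver = null,                      // never resolve external resources
            MaxCharactersFromEntities = 1024         // defence in depth if DTDs are ever re-enabled
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Evaluates a regex with a backtracking budget; null means "could not decide in time",
    // which the caller should treat as a rejected input and log.
    public static bool? IsMatchWithin(string pattern, string input, TimeSpan budget)
    {
        var regex = new Regex(pattern, RegexOptions.None, budget);
        try
        {
            return regex.IsMatch(input);
        }
        catch (RegexMatchTimeoutException)
        {
            return null;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // The document from the notes above: the DOCTYPE is rejected before &win; is expanded.
        const string xxe = "<!DOCTYPE doc [<!ENTITY win SYSTEM \"c:\\windows\\win.ini\">]><doc>&win;</doc>";
        try { UntrustedInput.LoadXml(xxe); }
        catch (XmlException ex) { Console.WriteLine("Rejected XML: " + ex.Message); }

        // A nested-quantifier pattern against a non-matching input backtracks exponentially;
        // the 200 ms budget ends the match instead of tying up a server thread.
        string input = new string('a', 40) + "!";
        bool? verdict = UntrustedInput.IsMatchWithin("^(a+)+$", input, TimeSpan.FromMilliseconds(200));
        Console.WriteLine(verdict.HasValue ? "Match: " + verdict : "Regex timed out: input rejected");
    }
}
```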


App202 Zero to Hundred - EventFinda comes to the Windows 8 store

Donnel Cyril and Mohit Singh

  • UI hidden is UI that doesn't exist. Primary controls on screen for search.
  • Incremental data loading. Lazy loading via ISupportIncrementalLoading to keep delays under 3 to 4 seconds.

DEV302 DevOps at LightSpeed, lessons we learned from building a Raygun

Jeremy Boyd and John-Daniel Trask

  • Octopus Deploy - Automated deployment to staging and production environments
  • Git - create a topic branch for any new task
  • ElasticSearch - for scaled search. Plus REST .NET API for interacting with it.
  • Redis - Out of process cache that can handle Key value pairs, queue data structures, hash structures

ARC305 Hack-Ed: Develop your Security Spidey-Sense

Andy Prow and Kirk Jackson

Indicators of potential security flaws in a website

  • Unlocked Vault
    • Dropping out of https to http - certain cookies should be marked to only send over https. Add the Strict Transport Security header:
      Strict-Transport-Security: max-age=<seconds>
      Session abandoning on login. Especially from http to https.
    • Password field with length and/or character limit - May indicate that it isn't being hashed and salted on storage.
    • Files that expose secret content (robots.txt, sitemap.xml)
    • Cached search engine results.
  • Too Trusting
    • Too many invalid password attempts. Use the brute force detection built into ASP.NET Membership Provider (max invalid password attempts, password attempt window)
    • Change password without entering existing password
    • Characters give errors, or display incorrectly: < ' " ; UTF smiley face.
    • Client only validation of user input.
    • User content displays directly on screen unescaped. <
    • No random tokens in the form data. CSRF
    • URLs are in the query string
    • SQL statements in the query string
  • Spilling your secrets - Information is being leaked out of the system.
    • Signup or password reset contains an existing password - should use one time URL for resetting password.
    • Site lists characters that are banned in text fields
    • Customer id (or similar object reference) in the URL
    • A number in the URL that increases by one (or in an obvious format)
    • You can tell the underlying technology
  • Back door is open - Front-door security is good but someone's left alternative avenues into the system.
    • Sensitive data is unencrypted
    • Authorisation - by URL or menu
    • Admin site available to the world - god mode. Separate God mode app.
    • Production data in a test environment. Dev laptop has production data / credit card details but no security of production.
  • D.I.Y Security
    • Doesn't use out of the box forms authentication
    • Custom single-sign-on
    • Home-built encryption
  • Dodgy Foundations - There is a poor underlying architecture or technology.
    • Mix of technologies (PHP and ASP.NET)
    • Cross-domain javascript / CSS
    • Rich Client components
    • Old OS, server, ASP.NET version
    • Built using Webforms
    • Writing directly to disk
  • Risky Business - Features requiring strong security have not been done
    • Application accepts file uploads
    • Parsing XML, HTML or other file formats
    • Credit card payments
    • Mobile app talking to API.
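As an added example, not the speakers' code: an ASP.NET Global.asax that closes the first "Unlocked Vault" gaps in the list above (forcing HTTPS, sending the Strict-Transport-Security header, marking cookies Secure and HttpOnly, abandoning the session on login), with the Membership lockout settings from "Too Trusting" shown as a web.config fragment in a comment. The cookie handling, the one-year max-age and the provider names are my own choices.

```csharp
using System;
using System.Web;

// Added example: Global.asax code-behind for an ASP.NET site (hypothetical, not the talk's code).
public class Global : HttpApplication
{
    private const int OneYearInSeconds = 31536000;

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!Request.IsSecureConnection)
        {
            // Bounce plain-HTTP requests before any cookie or page content goes out in the clear.
            var secure = new UriBuilder(Request.Url) { Scheme = Uri.UriSchemeHttps, Port = 443 };
            Response.Redirect(secure.Uri.AbsoluteUri, true);
            return;
        }
        // Browsers only honour HSTS over HTTPS: pin this host to HTTPS for a year.
        Response.AppendHeader("Strict-Transport-Security",
            "max-age=" + OneYearInSeconds + "; includeSubDomains");
    }

    // A cookie the browser sends only over HTTPS and that page script cannot read.
    public static HttpCookie SecureCookie(string name, string value)
    {
        return new HttpCookie(name, value) { Secure = true, HttpOnly = true };
    }

    // Call after a successful login: drop the pre-login (possibly http-issued) session and
    // clear its id so the next request gets a fresh one, which defeats session fixation.
    public static void ResetSession(HttpContext context)
    {
        context.Session.Abandon();
        context.Response.Cookies.Add(
            new HttpCookie("ASP.NET_SessionId", "") { Secure = true, HttpOnly = true });
    }
}

/* Matching web.config fragments (inside <system.web>), placeholder names:
   <httpCookies requireSSL="true" httpOnlyCookies="true" />   default every cookie to Secure + HttpOnly
   <membership defaultProvider="Sql">
     <providers>
       <add name="Sql" type="System.Web.Security.SqlMembershipProvider"
            connectionStringName="Main"
            maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" />
     </providers>
   </membership>          locks the account after 5 bad passwords within a 10 minute window
*/
```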

DEV304 C# on a diet with scriptcs

Glenn Block

  • Node.js - No IDE or project required. Minimal install
  • Microsoft Roslyn CTP - Compiler as a service
  • scriptcs - No IDE, project, class, namespace, Using statements
  • .csx is the Roslyn file extension.
  • http://choclatey.org/
  • #load to pull in separate .csx
  • #r "System.Data"; // Get DLL out of GAC
  • using System.Data;
  • Visual Studio load in exe. Add - debug. Can be used to hit breakpoint.
  • Can be run standalone. REPL.
  • ScriptArgs[0] - access command line arguments. Anything after --
    Can be used to create full line command line tools.
  • scriptcs - install mongodb
    packages.config to pull dependencies
    Removes need for #r from GAC.
  • Script Packs - Require(); // Will discover from Packages folder. Skips need for using.
  • Hosting - Host scripts within an existing app.
  • http://github.com/scriptcs/scriptcs

Day Two


DEV305 Level up your API with Hypermedia

Amy Palamountain

Hypermedia.
Reduce the overhead of updates. Client can adjust to changes dynamically. No need to support older versions of the API. Self navigation of the API.
Primary concerns: Accessible, Consistent, Descriptive, Flexible, shielded from breaking changes.

  • GET/POST/PUT/DELETE
    HEAD/PATCH/COPY/PURGE/LINK/UNLINK/OPTIONS

DEV306 10 F# Features Every C# Developer Should Crave

Ivan Towlson

  • F# match expression. No side effects to set the variable
  • immutability - Given by default in F#. Lots of extra effort in C# to hide behind Get only properties and equality overloading.
  • Discriminated Unions - Creating a parser. F# is more concise and isn't open to extension like the C# abstract base class.
  • non-nullable types
    F# types can't have null values (unless interop with other languages)
  • infix notation - Can only overload existing operators in C#. F# can define new ones.
  • Partial application
  • Pattern matching
  • Units of measure

APP308 Working with devices; integrating into peripherals for Windows 8 and Windows Phone.
  • 3D printing.
  • Location awareness
  • Fingerprint scanning. Biometrics instead of passwords.
  • Scan barcodes and read magnetic stripes. POS scanners.
  • Use geofence enter/exit to trigger app actions.
  • Manage virtual smart cards for remote.
  • Scan documents and images with scanners.
  • Bluetooth and low level USB. Native USB rather than relying on third party libraries.
  • Security - WinRT apps must declare deviceCapability. HID - Human Interface Device (emulates a keyboard for commands). Does not require drivers. USB takes a more complicated payload.
  • New generic USB devices.
  • Bluetooth 4.0 GAP

APP309 Taking advantage of Windows 8.1
  • Use the canvas for the primary application buttons
  • AppBar hints similar to Windows Phone
  • Provide a great search experience inside the app. New dedicated control SearchBox
  • Snap view replaced by variable widths.
  • Moving past single screen and touch.
  • Kiosk mode
  • SpeechSynthesizer
  • Second screen support. ApplicationViewSwitcher.

XAML Dev differences

  • Flyouts.
  • SettingsFlyout
  • Input Controls Header control
  • DatePicker
  • PlaceholderText
  • AppBarButton, toggle
  • CommandBar
  • PDFDocument. Get individual pages.
  • MediaElement. Includes playback controls. Embed YouTube.

DEV309 ASP.Net WebApi – What's New

Open Web Interface for .NET (OWIN)

Attribute Routing

  • Removes need for configuring the routing in the config. Instead use the Route attribute. RoutePrefix to apply at the class level.
  • Special case routing with RegEx matching.
  • Routes stay with the code.
  • config.MapHttpAttributeRoutes().
  • Helps avoid routing issues.

CORS

  • Cross Origin Resource Sharing
  • Generally will only work with the newer browsers. IE 9+
  • Access-Control-Allow-Origin: *
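An added example, not the speaker's code, tying the two points together in a Web API 2 configuration: attribute routing with route constraints, and a CORS policy restricted to one named origin rather than Access-Control-Allow-Origin: *, which would let any site read the responses. The https://app.example.com origin and the OrdersController are placeholders.

```csharp
using System.Web.Http;
using System.Web.Http.Cors;

// Added example: Web API 2 startup configuration (hypothetical app, not the talk's code).
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Attribute routing: the templates live on the controllers, not in config.
        config.MapHttpAttributeRoutes();

        // CORS: a single trusted origin, an explicit header list and only the verbs needed.
        // With origins "*" any site could read these responses, and browsers refuse
        // SupportsCredentials = true combined with a "*" origin anyway.
        var cors = new EnableCorsAttribute(
            origins: "https://app.example.com",     // placeholder: your front-end's origin
            headers: "Content-Type,Authorization",
            methods: "GET,POST") { SupportsCredentials = true };
        config.EnableCors(cors);
    }
}

[RoutePrefix("api/orders")]
public class OrdersController : ApiController
{
    // GET api/orders/42 : the int:min(1) constraint keeps "abc" and "-1" out of the action.
    [Route("{id:int:min(1)}")]
    public IHttpActionResult Get(int id)
    {
        return Ok(new { Id = id });
    }

    // GET api/orders/search/blue-widget : a regex constraint for the "special case" routes.
    [Route("search/{term:regex(^[a-z0-9-]+$):maxlength(40)}")]
    public IHttpActionResult Search(string term)
    {
        return Ok(new { Term = term });
    }

    // Opt this endpoint out of the global CORS policy: it is for same-origin use only.
    [DisableCors]
    [Route("export")]
    public IHttpActionResult Export()
    {
        return Ok("internal export");
    }
}
```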

OData

  • Edm Model != Entity Framework Model.
  • Discover
  • $select to pull specific columns. Can be useful to exclude image data columns.
  • ODataConventionModelBuilder
  • Makes Services Easier.

DEV310 Not MacGyver's JavaScript - Better Client Side Architectures.
  • jQuery - DOM abstraction library - Gets complicated really quickly. Should be used as a single tool rather than a solution to everything. Focus on the object model.
  • Frameworks - generally prescriptive, sometimes restrictive. Hollywood principle.
  • Library - generally focused and to the point.
  • Backbone.js Library
    • Models - data and associated functions
    • Views - UI backed by a model
    • Events - Bind and trigger custom events
    • Router - Provide linkable URLs
  • Problems with backbone:
    • Complexity issues with scaling.
    • Headaches with Routing Insanity.
    • Events can become really complex.
    • Memory Leaks (Zombie Views) View Events didn't unbind.
    • Most of the pain happens in the Router and the View.
  • "The secret to building large apps is never build large apps. Break your...
  • Modular / Component Application.
    Modules are decoupled from each other. Removing one does not affect the other.
  • Application orchestration as a first class concern. Responsible for the orchestration of the modules.
  • Marionette.js - helps build composite apps with backbone.
    Backbone extensions to remove boilerplate code. (ItemView, CollectionView)
    Avoids ZombieViews by unbinding.

INO301 Building Apps with the Kinect for Windows SDK
  • v1.5 More Sensor data, IR, Accelerometer, Camera Settings.
  • 1.7 Kinect Fusion. 3D scanning.
  • Kinect will consume about 60% of a single physical USB port.
  • Stride, # of bytes per single line

Day Three


DEV312 Pick your poison; pick your target - multi-platform development with .NET

Xamarin

C# with the .NET rather than the JVM

  • It is not write once use everywhere. UI created differently for each platform. Would otherwise give you lowest common denominator.
  • iOS will run ARM Binary to run natively. Ahead of time compilation. Certain things like reflection and generics won't work.
  • Android can run IL+JIT
  • Can run Windows, Android and iOS emulators.
  • "On the Mac, when it's time to upgrade, you just pick it up, throw it away, and buy a new one."
  • Ensure Windows VM uses two cores. One for its internal VM. Enable HyperV
  • Project Linking

APP213 Game On - Cross Platformer
  • DoDo gogo using - HTML5, impact.js, Canvas. Three.js
    HTML Drawbacks.
    • Draw Call Efficiency. Particle Effects. High Asset Count
    • Audio Management (good), but not fine grained.
    • Tooling - not storing tools for HTML games development.
  • Unity IDE for games
  • Example games using Unity - Jelly Run. Template Run
  • Advantages:
    • Pipeline - import Photoshop file.
    • Tooling - All the tools to manage and manipulate a game.
    • Performance Tuning
    • Asset Store - get assets.
    • 3D
    • 2D (Unity 4.2 built in)
    • Multi-Platform deployment.
  • Code Typically written in C#. Runs on mono and targets .NET 3.5
  • Can pull .NET 3.5 libraries into the Unity Assets/Plugins folder.
  • Basic support for async/await. But doesn't extend to Task return types.
  • Use common assembly name between Unity .NET and Windows 8 Library to work with both.
  • Unity can process each asset on import and adjust to suit the platform. E.g. down sample for Windows Phone.
  • Build config on the Phone solution: "Master" (rather than Debug and Release) has debug support.
  • Shaders run on the graphic card. Shader runs on Materials.
  • Cross Platform Considerations.
    • Store approval requirements
    • Automated certification tests
    • Start packaging early
  • Know Your Devices
    • High memory
    • Low memory
    • Resolution
    • Graphics capabilities
    • Aspect ratios
    • Device Capabilities
  • Implement analytics. The most popular level may be the hardest level. NuGet import for analytics in Windows Phone.
  • Unity3D.com
  • Unity Answers

DEV414 Taming Time: A Deep Dive into the Reactive Extensions
  • The async await pattern does not compose very well.
  • IObservable. Nothing in .NET 4 implements this interface.
  • Reactive Extensions - where to get the IObservable and how to work with them.
  • IObservable.Subscribe - OnCompleted, OnError, OnNext
  • RE - Subscribe takes a delegate/callback.
  • Dispatchers . Invoke. Instead use .ObserveOn() so it runs on the dispatcher thread.
  • .Timestamp()
  • .DistinctUntilChanged()
  • IQbservable - passes the query off to the remote datasource and will only return the filtered results.
  • Applies the filters much earlier.

DEV316 Getting started with Git: A .NET developer's guide

Ian Randall

  • Record changes to file(s)
  • Restore
  • Who made the changes
  • Centralised VCS.
    • Collaborate in teams
    • Server contains history
    • Client contains working copy.
  • Issues:
    • Heavy network usage / slow
    • Single point of failure
    • Typically poor offline experience
  • Distributed VCS
    • Repositories
    • Fully offline
    • Mostly local commands - fast
  • git-scm.com/doc
  • Basic commands
    • $ git init MyProject
    • $ git add Readme.md
    • $ git status Changes
  • Files must be added to the staging area.
  • Commit - Commit changes to the repo. Working directory clean
  • $ git commit -m "Added Readme"
  • Unstaging - reversing add
  • $ git reset HEAD
  • Unmodify changes
  • $ git checkout --
  • Branching - Git's killer feature
  • snapshots - Git doesn't store deltas. It stores the whole file. Uses compression in storage.
  • Metadata
  • Pointers
  • A commit contains:
  • pointer to the snapshot...
  • Labels for HEAD and master.
  • $ git branch
  • $ git checkout
  • Moves HEAD to the feature branch.
  • Merge or Rebase. Rebase can make it easier to read the history, but alters the previous SHAs. Rebase is best when only done locally to code that isn't pushed to others.
  • Distributed
  • Git on the Server - Subtly different to client/server
  • $ git clone <path>
    <ssh://user@>
    user@server:project.git
    https://foo.bar
  • $ git remote -v (verbose)
  • $ git remote add alias <foo>
  • Remote branch
  • Pull the latest versions from the server.
    $ git fetch origin
  • $ git fetch
  • $ git merge
  • $ git pull
  • Push to remote
  • $ git push origin master
  • Pull Requests - Asking someone else to get your changes into their repository.
  • Git support in Visual Studio
    • Select 'Git' as Source Control type in VS2013
    • Integrated experience
    • Brand new, but maturing
  • Git Extensions very good on windows.

DEV415 The conjurer's masterpiece - hiding complexity with async

  • "Asynchronous programming involves the coordination of multiple concurrent processes"
  • Blocking can be dangerous:
    • Scarce resources (threads): UI threads (this is only one), Javascript, I/O
    • Expensive resources: .NET ~1MB per thread memory usage. Threads are only added to the ThreadPool slowly.
    • Too many processes to coordinate. 'Duplex' connections - long running process per user
  • Callbacks split implementation up. Intention is out of sequence.
  • Promises - Ordering correct, but exception handling is hard. Plus a large amount of ceremony code.
  • async/await - resembles the blocking code flow structure to make following the process easier. Exception handling matches the standard synchronous technique.
  • Async is a "MethodBuilder iterating over tasks and awaiting on the results"
    • Tasks - The results or promise of a result from asynchronous methods
    • Awaiters - Holds a collection of continuations, TaskAdapter acts as adapter for a Task
    • MethodBuilder - Coordinates the running of an async method. How does it iterate over the Tasks.
    • Continuations - What do I run when the task is finished?
    • Schedulers - How do I run the continuation
  • Practical async in C# - 6 things to know
    • Use TaskCompletionSource to create your own Tasks -
    • Make sure all Tasks are observed. If it returns Task make sure you await it. Important for exception handling.
    • Be careful with async void - can't await for the results and can't catch exceptions. Rule of thumb - "async void is only for event handlers at the top of the stack."
    • Use .ConfigureAwait(false) when possible - help avoid multi-threading issues. Don't come back on the same thread if the returning thread isn't important. Useful for library code.
    • Async void can still be unit tested -
      await TaskTrackingSynchronizationContext.WaitForAsync();
    • Visual Studio 2013 - Simplified debugging - Windows > Tasks - Shows all tasks that are currently active and improved stack trace.
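An added example, not the speaker's code, working through three of the six points above: a TaskCompletionSource wrapping an event-based component so it can be awaited, ConfigureAwait(false) in the library layer, and a Task-returning (never async void) entry point so the failure is caught the synchronous way. LegacyFetcher and the example URLs are hypothetical.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical legacy component that reports through events instead of returning a Task.
public class LegacyFetcher
{
    public event EventHandler<string> Completed;
    public event EventHandler<Exception> Failed;
    public void Start(string url)
    {
        ThreadPool.QueueUserWorkItem(delegate
        {
            var ok = Completed; var fail = Failed;
            if (url.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) { if (ok != null) ok(this, "body of " + url); }
            else if (fail != null) fail(this, new InvalidOperationException("refusing plain http: " + url));
        });
    }
}

public static class AsyncPractice
{
    // 1. TaskCompletionSource turns the Completed/Failed event pair into one awaitable Task;
    //    the failure path faults the task so the exception is never lost.
    public static Task<string> FetchAsync(this LegacyFetcher fetcher, string url)
    {
        var tcs = new TaskCompletionSource<string>();
        fetcher.Completed += (s, body) => tcs.TrySetResult(body);
        fetcher.Failed += (s, ex) => tcs.TrySetException(ex);
        fetcher.Start(url);
        return tcs.Task;
    }

    // 2. Library code: ConfigureAwait(false) because nothing here needs the caller's context.
    public static async Task<int> FetchLengthAsync(string url)
    {
        string body = await new LegacyFetcher().FetchAsync(url).ConfigureAwait(false);
        return body.Length;
    }

    // 3. Return Task (not async void) so callers can await it and catch in the usual way.
    public static async Task RunAsync()
    {
        Console.WriteLine(await FetchLengthAsync("https://example.test/a"));
        try
        {
            await FetchLengthAsync("http://example.test/a"); // awaited, so the fault surfaces here
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("Caught: " + ex.Message);
        }
    }

    public static void Main()
    {
        RunAsync().GetAwaiter().GetResult(); // observe the Task; an unawaited one would hide errors
    }
}
```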

Other interesting talks: