new in es2016 – javascript’s first yearly release – brian terlson – qcon

This is part of my live blogging from QCon 2015. See my QCon table of contents for other posts.

ES2015 is being approved now. Then comes ES2016, and the committee is moving to yearly releases. Train model like Eclipse: the train leaves the station once a year and mature proposals get on the train.

To get on the release train a feature must have multiple interoperable implementations. This avoids “breaks the web” features and ensures they really are mature. Must also have tests (Test262 collateral).

Timeline

  • 1995 – Mocha/JavaScript was born
  • 1999 Edition 3 standard. Used by IE 6
  • ES 4 didn’t pan out. Then the committee couldn’t agree on anything for a decade
  • 2009 – ES5 came out. Added strict mode, getters/setters, minor array features. Small release
  • June 2015 – ES 2015
  • June 2016 – ES 2016

Disclaimer: Everything is a work in progress and subject to change

s.at(0)
unicode support – how long is an emoji?

Functions

  • return a single value synchronously with functions
  • return many values synchronously with generator functions
  • return a single value asynchronously with promises:
    async function f() { … }
    f().then(v => { … });
    async (a, b) => await a + await b;
  • return many values asynchronously with observables
    let observer = {
      next(value) {},
      throw(error) {},
      return() {}
    };
    let d = new Observable(a => { … });
    d.subscribe(observer);

    Observables should feel like arrays. Call forEach(), etc.
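The four kinds of function listed above, side by side, as an added example (my own code, not from the talk or the ES2016 spec). The Observable class is a hand-written minimal stand-in for the proposal, not the real API; the observer method names next/throw/return follow the notes above, and the forEach returning a promise is my assumption of what "feel like arrays" means.

```javascript
// 1. One value, synchronously: an ordinary function.
function one() {
  return 1;
}

// 2. Many values, synchronously: a generator yields lazily, on demand.
function* many() {
  yield 1;
  yield 2;
  yield 3;
}

// 3. One value, asynchronously: an async function always returns a Promise,
//    and `await` unwraps promises (or plain values) inside it.
async function oneLater(a, b) {
  return (await a) + (await b);
}

// 4. Many values, asynchronously: a minimal Observable (assumed shape, not the
//    proposal's real implementation). The subscriber function pushes values
//    through `next`, reports failure via `throw`, and signals end via `return`.
class Observable {
  constructor(subscriber) {
    this.subscriber = subscriber;
  }
  subscribe(observer) {
    const safe = {
      next: (v) => observer.next && observer.next(v),
      throw: (e) => observer.throw && observer.throw(e),
      return: () => observer.return && observer.return(),
    };
    try {
      this.subscriber(safe);
    } catch (e) {
      safe.throw(e);
    }
    return safe;
  }
  // "Observables should feel like arrays": forEach visits every value and
  // resolves once the stream signals completion via `return`.
  forEach(fn) {
    return new Promise((resolve, reject) => {
      this.subscribe({ next: fn, throw: reject, return: resolve });
    });
  }
}

function manyLater() {
  return new Observable((obs) => {
    obs.next(1);
    obs.next(2);
    obs.next(3);
    obs.return();
  });
}

// Drain the generator into an array.
function collectMany() {
  return [...many()];
}

// Drain the observable into an array; returns a Promise of that array.
function collectManyLater() {
  const out = [];
  return manyLater().forEach((v) => out.push(v)).then(() => out);
}
```

Note that `oneLater` and `collectManyLater` hand back promises even though every value is already available: the async forms never deliver synchronously, which is what makes them composable with real I/O later.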

Math.pow(10,2) becomes 10 ** 2

SIMD (single instruction multiple data)

  • Hardware instructions for number crunching
  • Uses data parallelism to perform multiple calculations simultaneously
  • Good for things like 3D graphics where can use scalar math
  • let a = SIMD.int32x4(0,1,2,3);
    let b = SIMD.int32x4(4,5,6,7);
    let c = SIMD.add(a,b);
    let zero = SIMD.int32x4.zero();

‘a’.lpad(4) and ‘a’.rpad(4)

Decorators

  • Can decorate classes, properties, functions
  • Like a function wrapper. [like an aspect or Ruby active record]
  • Annotation to use

Value types

  • New primitive types – Int64, Bignum, Decimal, Complex, Rational, SIMD types, TypedArray types
  • Factory: let int8 = Int8(254)
  • Literal suffixes: let i64 = 0L; (Int64) let b = 0n; (Bignum) etc
  • Primitives are better for serializing across frames
  • Still immutable like other primitives
  • === compares by value
  • Custom primitive types – export let Yard = ValueType(Symbol("Yard"), Float64)
  • Can overload operators on new custom primitives: Reflect.defineOperator('+', f, Yard, Yard)

Q & A

  • What about value types in JSON? No plans. JSON is frozen. Can’t break JSON parse and it is used everywhere.
  • Opportunity for confusion when assigning value types to a JSON object. Would convert back to regular primitives and throw an error if it can’t do so safely

real threats and defenses – alex holden – qcon

This is part of my live blogging from QCon 2015. See my QCon table of contents for other posts.

The speaker discovered the Target breach.

Technology evolving faster than user education. We use different keys for our house/car/etc, but use same passwords repeatedly.

Car brakes are operated by feet for historical reasons. You used to need all your body strength to make cars go/stop. Now they are there because people are used to it. Retraining would be too hard.

We defend with tools/people/compliance.

Hackers

  • state/corporate sponsored
  • hacktivists (political/social)
  • profit seekers – if something can be monetized, of higher value
  • revenge
  • employees

Anthem breach might have been China. No way to monetize that many medical records, but could be looking for spies. [I thought medical number theft was a thing]. Sony might have been revenge from Russia.

Most hackers are located in countries without extradition treaties with the US

99% of hackers fail, get arrested, etc

A spam operation typically involves 10-20 people

Even for a bad hacker who doesn’t steal data, you have to declare a PCI breach, notify customers, re-issue credit cards, etc.

Russian hackers – war of stereotypes – holy war against the west

Target breach
Started almost a year before the actual breach. Learned from a bad experience with BlackPOS in an attempted Verifone POS breach in Russia. Then planned for several months. A week before Black Friday did a large trial run spending $40 million of their own money.

The POS malware author was looking for a $12/hour programming job. Couldn’t get one so turned to the hacker community. Thorough. Cared about error handling and working on multiple platforms. “Just a job”. His employer cared about the monetization.

Cybervor breach
1.2 billion credentials from 420K sites. Got all data via SQL Injections. Only looked for user id and passwords. Idea of stealing a little bit from different places grew to largest hack to date. Could have gotten credit card data, but chose not to.

Defense 101
Credit card theft is on the decline because credit card companies see patterns faster and act. For example, Chase flagged Home Depot usage quickly and hackers stopped buying the numbers.

Need to understand patterns.

Biggest vectors – viruses, zero day vulnerabilities (Heartbleed, Shellshock), stolen/reused credentials

Quantitative analysis – how much data is transferred? What is normal? Learn to look at stats. If a page usually transfers 20KB, set a limit of 100KB so you know when you have a breach.
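The "usually 20KB, alert at 100KB" idea turned into a check over access-log lines, as an added example (my own code, not from the talk). The log format, the sample lines and the multiplier (5x the per-page baseline, matching 20KB to 100KB) are all constructed assumptions; a real deployment would feed the baseline from a longer window of known-good traffic.

```javascript
// Constructed sample log: "<timestamp> <path> <response bytes>".
const SAMPLE_LOG = `
2015-11-16T10:00:01Z /report 20480
2015-11-16T10:00:02Z /report 19900
2015-11-16T10:00:03Z /report 21011
2015-11-16T10:00:04Z /export 5120
2015-11-16T10:00:05Z /export 5300
2015-11-16T10:01:00Z /report 1048576
2015-11-16T10:01:01Z /export 5200
2015-11-16T10:01:02Z /debug 3000
`;

// Parse lines into {ts, path, bytes}; drop anything that does not fit.
function parseLog(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, path, bytes] = line.trim().split(/\s+/);
    return { ts, path, bytes: Number(bytes) };
  }).filter((e) => e.path && Number.isFinite(e.bytes));
}

// Median is less sensitive than the mean to a single huge transfer sneaking
// into the training window.
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Baseline: median response size per path over entries believed to be normal.
function buildBaseline(entries) {
  const byPath = new Map();
  for (const e of entries) {
    if (!byPath.has(e.path)) byPath.set(e.path, []);
    byPath.get(e.path).push(e.bytes);
  }
  const baseline = new Map();
  for (const [path, sizes] of byPath) baseline.set(path, median(sizes));
  return baseline;
}

// Flag responses larger than `factor` times their path's baseline, and any
// path with no baseline at all (an unknown page is worth a look too).
function findOversized(entries, baseline, factor = 5) {
  const flagged = [];
  for (const e of entries) {
    const normal = baseline.get(e.path);
    if (normal === undefined || e.bytes > normal * factor) {
      flagged.push({ ...e, baseline: normal, ratio: normal ? e.bytes / normal : null });
    }
  }
  return flagged;
}

// Train on the first five lines, then check the rest.
function demo() {
  const entries = parseLog(SAMPLE_LOG);
  const baseline = buildBaseline(entries.slice(0, 5));
  return findOversized(entries.slice(5), baseline);
}
```

With the constructed lines, the 1MB /report response is flagged at roughly 51 times its 20KB baseline, the 5200-byte /export response is not, and /debug is flagged because no baseline exists for it.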

Honeypot – using a SQL Injection flaw as a honeypot in your system allows detecting a hack, rather than using a separate system. The idea is that hackers will think it is real and spend time on it. A zero day attack might be revealed via the honeypot. Early warning system to alert you. Having fake data that can be identified as yours but looks normal. Not mymail+hack@gmail.com. Hackers know about the + technique.

Auditors can get you in trouble with your boss. Hackers can get your company in trouble and end your career.

Assume you have been breached already. Look for your data online. Look for a unique identifier. Search for “/logout” on your company’s site to see if it was spidered and people can use Google cache to navigate. [doesn’t work on coderanch – the word shows up a lot in questions]

Treat security issues as risks; not just bugs/defects. A risk has to be addressed or mitigated. A bug can drag on for years.

becoming reactive without overreacting – pavlo baron – qcon

This is part of my live blogging from QCon 2015. See my QCon table of contents for other posts.

Definitions

  • responsiveness – behavioral, UI/UX specific
  • resilience – operational requirement
  • event orientation – transport detail
  • async – invocation detail
  • scalability – business requirement. why scale if not many users

Everyone needs to have an architectural mindset. Experience determines how much can contribute to it.

Ideas come from where demand is. Even if it is a silly idea, it is ok if people will pay for it.

Components cooperate through minimal contracts and expectations. An addition to, not a replacement of, traditional approaches to development. Still need layers, loose coupling, etc. It is invocation behavior that changes.

Context is reactive – data received, processed and delivered. Lazy logic. Ready to be called

We’ve been using reactive without noticing. Examples: UNIX pipeline, OS kernel, app container.

Benefits

  • Responsive to change. Just have to register/subscribe. Easier to experiment with features
  • Resource efficiency. Stay lazy until there is work to do
  • Fight or flight – react to changes of behavior

Overcome the temptation to go full reactive. For example, you can change the way you notify about events. Also, don’t go reactive when it doesn’t apply. For example, CRUD for predictable load. Don’t write your own reactive framework.

Rx – reactive extensions works for most apps.

Akka or Reactor – for real time/heavy load apps

Observables

Store and forward – don’t have to do everything in memory

Reactive programming can be functional, but doesn’t have to be

Embrace functional programming for laziness, composition and side effect freedom

Erlang has “let it crash and bring it back”. It is normal for a small actor to crash. Ops has to learn not to see this in the logs and think something is wrong. Akka has the same idea. Declaratively describe what to do when things crash.

Use randomness in early testing to avoid later debugging. Test non-determinism with property tests. Doesn’t assume you know everything. Define what is good/bad and send lots of random data in.
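A small property test in the spirit described above, as an added example (my own code, not from the talk, and no property-testing library). Random inputs come from a seeded generator so a failing case can be replayed from its seed instead of debugged later; the code under test (a CSV field quoter, plus a deliberately incomplete variant) and the property are constructed for the example.

```javascript
// Deterministic 32-bit xorshift PRNG: same seed, same sequence of inputs.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s / 0x100000000; // float in [0, 1)
  };
}

// Alphabet chosen to stress a CSV encoder: quote, comma, newline, space.
const ALPHABET = ['a', 'b', ',', '"', '\n', ' '];
function randomField(rng, maxLen = 8) {
  const len = Math.floor(rng() * (maxLen + 1));
  let s = '';
  for (let i = 0; i < len; i++) s += ALPHABET[Math.floor(rng() * ALPHABET.length)];
  return s;
}

// Code under test: quote a field when it contains a special character.
function quoteField(field) {
  return /[",\n]/.test(field) ? '"' + field.replace(/"/g, '""') + '"' : field;
}
// Deliberately incomplete variant: forgets that a newline also needs quoting.
function quoteFieldBuggy(field) {
  return /[",]/.test(field) ? '"' + field.replace(/"/g, '""') + '"' : field;
}

// Parse the first CSV row back into fields (RFC 4180 style quoting).
function parseRow(line) {
  const fields = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (inQuotes) {
      if (c === '"') {
        if (line[i + 1] === '"') { cur += '"'; i++; } else inQuotes = false;
      } else {
        cur += c;
      }
    } else if (c === '"') {
      inQuotes = true;
    } else if (c === ',') {
      fields.push(cur); cur = '';
    } else if (c === '\n') {
      break; // end of row
    } else {
      cur += c;
    }
  }
  fields.push(cur);
  return fields;
}

// Run `property` on `count` generated inputs; return the first failing case
// together with the seed that reproduces it, or null if all pass.
function checkProperty(property, gen, { seed = 42, count = 1000 } = {}) {
  const rng = makeRng(seed);
  for (let i = 0; i < count; i++) {
    const input = gen(rng);
    if (!property(input)) return { seed, index: i, input };
  }
  return null;
}

// Property: two random fields, encoded and joined, parse back to themselves.
function roundTrips(quote) {
  return ([a, b]) => {
    const parsed = parseRow(quote(a) + ',' + quote(b));
    return parsed.length === 2 && parsed[0] === a && parsed[1] === b;
  };
}
const genPair = (rng) => [randomField(rng), randomField(rng)];

function demo() {
  return {
    correct: checkProperty(roundTrips(quoteField), genPair),
    buggy: checkProperty(roundTrips(quoteFieldBuggy), genPair),
  };
}
```

The property does not enumerate the cases that matter; it only says what "good" means (the row survives a round trip), and the generator finds the unquoted-newline case in the buggy variant on its own. Logging the seed with a failure is what keeps the randomness from turning into later debugging.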

How many people are doing unit tests? Maybe 30% of the audience raised hands.