Open Source Bridge 2011 schedule

Thursday 23rd June 2011

  • Lunch

    At 12:00pm to 1:30pm, Thursday 23rd June

  • Cookies are Bad for You: Improving Security on the Web

    by Jesse Hallett

    The release of "Firesheep":http://codebutler.com/firesheep last year and "the presentation by Reid Beels and Michael Schwern":http://opensourcebridge.org/sessions/484 at the last Open Source Bridge opened the industry's eyes to the fact that most web applications are inherently insecure. Any application that sends requests over plain HTTP and that uses cookies to track user sessions is vulnerable to "session hijacking":http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_theft_and_session_hijacking.

    Many applications have reacted to this by offering options to run all traffic through HTTPS. Examples include Gmail, Github, Facebook, and Twitter. Using HTTPS does go a long way in improving web application security. But in most cases HTTPS security is opt-in - probably due to difficulties in rolling out HTTPS on a large scale and added application complexity. This means that only relatively paranoid users benefit. Less fortunate users, like Ashton Kutcher, will often be "left vulnerable":http://techcrunch.com/2011/03/15/twitter-enables-always-use-https-setting/.

    Furthermore, HTTPS by itself does little to protect against "cross-site request forgery":http://en.wikipedia.org/wiki/Cross-site_request_forgery. It is still necessary for developers to use "form tokens":http://www.thespanner.co.uk/2007/04/12/one-time-form-tokens/, "JSON obfuscation":http://directwebremoting.org/blog/joe/2007/04/04/how_to_protect_a_json_or_javascript_service.html, and the like to protect application resources. This results in extra complexity and statefulness.

    CSRF(cross-site request forgery) does not just force complexity though. Its existence actively stifles innovation. The new "cross-origin resource sharing specification":http://www.w3.org/TR/cors/, which allows servers to opt-into cross-origin XHR(XMLHttpRequest) requests, presents many possibilities for rich interaction between web applications. Unfortunately this specification is infrequently used because it opens up XHR(XMLHttpRequest) as another vector for CSRF(cross-site request forgery) attacks in cases where cookie authentication is used. In the eyes of many developers this is just too dangerous to justify exploring a new technology.

    All of these problems are products of the fundamental design of cookie authentication: what is essentially a temporary password is transmitted with every web request and that password is easily accessed - directly by eavesdroppers or indirectly by third-party web pages.

    There are better options. There are now pure JavaScript implementations of various cryptographic algorithms, including "SHA-1":http://en.wikipedia.org/wiki/SHA-1, "SHA-256":http://en.wikipedia.org/wiki/Sha-256, "AES":http://en.wikipedia.org/wiki/Advanced_Encryption_Standard, and "RSA":http://en.wikipedia.org/wiki/RSA. There are also well-studied authentication mechanisms built on top of those algorithms designed specifically to prevent man-in-the-middle attacks, like session hijacking. And an authentication mechanism based on JavaScript rather than cookie data would be far less vulnerable to CSRF(cross-site request forgery).

    I will explore authentication mechanisms such as "HMAC":http://en.wikipedia.org/wiki/Hmac, as seen in "OAuth":http://oauth.net/, and block cipher authentication, e.g. "CMAC":http://en.wikipedia.org/wiki/CMAC. I will present on the applicability and feasibility of implementing these solutions in JavaScript in ordinary web applications. I will analyze performance and cross-browser compatibility considerations. Finally, I will demonstrate my own recommendation for next-generation browser authentication.

    At 1:30pm to 2:15pm, Thursday 23rd June

  • Learn Open Source Skills Without Embarrassing Yourself

    by Asheesh Laroia

    Manuals are boring, but learning is necessary.

    New contributors often have to figure out how to operate the tools of a project, like IRC, git, or svn, in a highly social environment: public communication between peers. When, for example, you post your first patch to a mailing list, it’s intimidating to know that your mistakes with the tools might reflect poorly on your programming skill.

    Some video games have a “training level” where you can get shot without dying. Open source could have a training level where you can learn the skills you need without getting burned.

    Our community built one. The OpenHatch training missions are a group of interactive web pages for learning skills you would use when contributing to free software like using diff, patch, tar, version control, IRC, and so on. A training mission shuns “manuals” and long, boring blobs of text, and it protects its users against learning through trial by fire. We say, “Here’s a short, concrete task to perform. Interact with our web-based robot, and it will tell you if you succeeded.” You can build up your comfort in a space without embarrassment.

    Project maintainers often end up teaching basic community skills to new contributors. If you can ask them to complete a relevant training mission, you can save time and have a more knowledgeable contributor base.

    In this talk, you will learn about the current training missions and discuss as a group how they can be useful to the attendees. We will highlight the training mission for a version control tool in which you are an agent for Mr. Good trying to gain the trust of Mr. Bad. We will discuss the diversity ramifications of learning community skills in a safe environment. After a tour of the OpenHatch community that built them and the Django-based implementation, we will discuss the attendees’ situations with new contributor skill levels and identify the most useful training missions to build next.

    At 1:30pm to 2:15pm, Thursday 23rd June

  • Location-Based Hacks - How to Automate Your Life with SMS and GPS

    by Amber Case and Aaron Parecki

    Have you ever wanted to automatically turn on your lights when you get home, or turn them back off when you leave? What about controlling your lights by SMS or IRC? Aaron Parecki and Amber Case have been living in a smart home controlled by mobile devices and their locations for the last year. The house is filled with sensors and networks for collecting all sorts of information and automated processes. They'll show you some of the expensive smart homes of the past, and how the same effects can be achieved with microcontrollers, 20-year-old technologies, and the mobile phone you currently have.

    This presentation will cover a number of fun DIY elements of home automation using GPS, SMS, location sharing, geotriggers, Geonotes and other mashups that can be done using mobile location, IRC and SMS as control hubs. We'll also cover advanced geolocation triggers and messaging based on the real-time location platform and API we built, and how it can be used to build apps that can notify people automatically when you land at an airport, or automatically text message your kids when you're there to pick them up from school.

    At 1:30pm to 2:15pm, Thursday 23rd June

  • Put THAT in Your Pipe and Deploy It!

    by David Brewer

    A deployment pipeline combines several development best practices, fully automated and taken to their logical extreme. The result is almost magical: changesets go in one end, and fully-tested software packages come out the other. We'll take a tour of the components of a deployment pipeline, with concrete examples showing how to use Hudson, Rake, and Puppet to deploy PHP projects.

    In this session, we will answer the following questions:
    * what is a deployment pipeline?
    * why do I need one?
    * how can I implement one using open source tools?

    We will begin with a quick overview of deployment pipelines and their powerful benefits. We will then look in more detail at the components of such a pipeline, and some of the excellent open source tools you can use to implement your own. Along the way we'll look at concrete examples of a specific deployment pipeline implemented at Second Story to deploy PHP-based web applications.

    The session's examples will involve these tools:
    * continuous integration using Hudson (or its recent fork, Jenkins)
    * configuration management using Puppet
    * build automation using Rake

    This is a high level session meant to introduce concepts and tools; it will be light on code examples or live demonstration of software.

    At 1:30pm to 2:15pm, Thursday 23rd June

  • Starting and Scaling a Startup Outside of the Silicon Valley

    by Michael Richardson

    Startups have unique business challenges and goals. It can be a very daunting prospect to try to start one, especially when there isn’t a lot of experience or history of success in your area. Getting something off the ground is just the beginning, though, as you have to start managing growth and success. This talk will navigate common pitfalls of creating a startup outside of the Silicon Valley and include advice on when to seek funding, how to go about it, and, once you’ve done that and have started to see success, how to make sure that your team doesn’t fall apart from the changes and transitions that appear.

    At 1:30pm to 2:15pm, Thursday 23rd June

  • Technical Debt

    by Elizabeth Naramore

    Technical debt is something that most project teams or independent developers have to deal with - we take shortcuts to push out releases, deadlines need to be met, quick fixes slowly become the standard. In this talk, we will discuss what technical debt is, when it is acceptable and when it isn't, and strategies for effectively managing it, both on an independent and team level.

    At 1:30pm to 2:15pm, Thursday 23rd June

  • Bitcoin 101

    by Don Park

    Bitcoin is an anonymous, distributed, decentralized, internet-based system for storing and transmitting value in a new e-currency. There is an active marketplace to buy and sell Bitcoin for US dollars. It has a controlled rate of inflation. It automatically rewards people for running the servers that make the network work. Exchanges between any two parties are zero cost and anonymous, yet at the same time the transaction history of the bitcoin system is public.

    At 2:30pm to 3:15pm, Thursday 23rd June

  • Data Warehousing 101

    by Josh Berkus

    ETL. OLAP. BIDW. ELT. M/R. MPP. Windowing. Matviews. Data Marts. Column Stores. Are you at sea in a tidal surge of arcane terminology, trying to cope with big data problems?

    While big data may be bigger today, and far more common, and while we have a lot of new tools for dealing with it, the essential practices of how to process, store, and visualize large quantities of data haven't changed very much in the last ten years. Data warehousing veteran Josh Berkus will give you a lightning tour of the techniques and tools for dealing with masses of data, including: the data processing pipeline, types of big databases, visualizing and summarizing, and tips on dealing with GB to PB. All in a friendly FAQ format.

    This talk will give you everything you never wanted to know about data warehousing but were forced to find out. Or at least enough that you can Google the rest.

    At 2:30pm to 3:15pm, Thursday 23rd June

  • How Governments are Building Communities with Open Source

    by Chris Strahl

    Government is helping lead open source adoption. One of the biggest growth areas in the public sector is using web technologies to help build communities. Using technologies like Moses, Drupal, Wordpress, Jabber, and others is helping to connect people in government, and governments to one another. Using open source to enable people to form connections and enhance informal communication is a major area where open source is leading within the public sector.

    Building communities with both domestic and international organizations has helped me see some of this contribution first-hand. I would like to share my own experience of building a community for the US Department of Defense and showcase some of the contributions we're making to Drupal and other open source technologies.

    At 2:30pm to 3:15pm, Thursday 23rd June

  • JavaScript Up and Down the Stack

    by Mikeal

    If you didn't think JavaScript was ubiquitous enough being in every browser, you're certainly happy now that it's taking over as a backend platform language and even getting embedded into databases :)

    This talk will cover the common elements of different JavaScript environments in browsers, node.js and CouchDB and various strategies for breaking up and structuring code that can be modularly used across environments.

    I'll also cover some real world use cases and a few libraries that straddle the different JavaScript worlds as well as the fate of CommonJS.

    At 2:30pm to 3:15pm, Thursday 23rd June

  • Open Source GIS Desktop Smackdown

    by David Percy, Christian Schumann-Curtis and Darrell Fuhriman

    Open Source GIS software has proven to be reliable, fast, and cartographically pleasing on the WWW; however, it has traditionally lagged behind commercial systems on the desktop.

    In this session we will highlight the capabilities of some of the leading, most feature-rich, desktop applications in the open source ecosystem. Each presenter will demonstrate a specific set of tasks from cartography to analysis in a specific software platform. The programs featured are: Quantum GIS, gvSig, OpenJump, and MapWindow.

    At 2:30pm to 3:15pm, Thursday 23rd June

  • Similar, But Not The Same: Designing Projects Around Three Open Datasets

    by Matt Blair

    Over the past year, I've been working on three projects that make open datasets available to the public:

    Although the public-facing parts of these projects appear similar on the surface -- apps or websites with locations on a map -- the design and development process has been quite different for each.

    In this talk, I'll explore the opportunities and challenges I encountered in each, covering factors like:

    • Data source -- Who gathered it, when and why?
    • Data content -- What's in it?
    • Metadata definition and stability -- Is it clearly structured? Does it follow standards? Is the structure or format subject to change?
    • Data accuracy and completeness
    • Data volatility -- How often does the data change?
    • Geographic scope -- Does it cover a neighborhood? A city? A metro region? A state?
    • Geographic density -- Is it more or less evenly distributed or are there obvious clusters and empty areas?
    • Intellectual Property -- Is the data itself clearly licensed for re-use? Does it point to other data or media that have copyright restrictions or limitations?

    I'll use this comparison to suggest a re-usable blueprint for analysis and planning of open data projects, including how to match available data to audience interests and expectations, as well as identifying opportunities for community participation.

    At 2:30pm to 3:15pm, Thursday 23rd June

  • Afternoon Tea

    At 3:15pm to 3:45pm, Thursday 23rd June

  • Have Your Cake and Eat It Too: Meta-Programming Techniques for Java

    by Howard M. Lewis Ship

    Ever been envious of how easily Python, Ruby and even JavaScript can “meta-program”? Meta-programming provides new ways of writing your code that goes beyond traditional object-oriented composition or inheritance. It’s like magic: seemingly simple or innocuous code takes over big responsibilities; new methods appear out of thin air. Your code, your primary code, stays simple and easy to follow.

    Now, we know you can do that for scripting languages, but what do we do about Java? With the proper context, it is possible to emulate many of those same capabilities, by applying a simple set of code transformations at runtime. In this session you’ll learn about meta-programming and how it can apply to traditional Java. You’ll learn about the techniques needed to transform classes at runtime, adding new behaviors and addressing cross-cutting concerns. The presentation will discuss a new framework for this specific purpose, but also draw examples from the Apache Tapestry web framework, which itself is rich in meta-programming constructs.

    At 3:45pm to 4:30pm, Thursday 23rd June

  • Inclusive Design From The Start

    by Eitan Isaacson

    Accessibility is commonly viewed as a dry formal requirement absent of any real beneficiary. It is all too often tacked on as reluctant "polish".

    In this talk we will blur the line between people with disabilities and "able-bodied" people and see how everybody benefits from inclusive design, and how good decisions from the start leave us with a more aesthetic product that is usable in more ways than we could have initially imagined.

    We will use user interfaces in GNOME as a case study for good and inclusive design.

    At 3:45pm to 4:30pm, Thursday 23rd June

  • Inviting Contributors to Open Source Webdev through Virtualization

    by l.m. orchard

    Open Source projects are most successful when they attract enthusiastic and capable contributors. But, often the first thing a new contributor to a web development project faces is a README file with a long list of instructions needed to even get the thing running.

    And that’s if they’re lucky: Just as often, the necessary documentation is incomplete or missing entirely, leaving a new hacker no way to get involved without investing a lot of time up front.

    This is no way to treat potential volunteers; they’re doing us favors by spending time with our projects. In return for their time, we should do the best we can to make our projects accessible and rewarding without unreasonable demands.

    To that end, we can use modern tools like VirtualBox, Vagrant, and Puppet to turn walls of text into virtual machines. We can offer simple bootstraps and even bootable disk images to get new developers started quickly, allowing them to explore a running system rather than demanding that they understand the complete stack before the first page view.

    At 3:45pm to 4:30pm, Thursday 23rd June

  • Keeping Agile at the Heart of the Internet

    by Larissa Shapiro

    At ISC, we work hard to develop and maintain high quality software that supports critical internet infrastructure. We have been working over the last two years to move our managed open source model into an increasingly open development methodology. We are also doing collaborative development with organizations around the world and have embraced agile as a development methodology. Pulling all this off while developing and supporting critical internet infrastructure is no easy feat; hopefully some of what we've learned in the effort will be useful to other open source citizens.

    At 3:45pm to 4:30pm, Thursday 23rd June

  • King of the Data Jungle

    by Melissa Hollingsworth

    An experienced DBA who also happens to be a talking lion explains what normalization is, why it's a good idea, and how to do it. When his pupil complains about performance slowdowns, he goes on to explain about when, why, and how we should denormalize. There are slides as well as puppets.

    At 3:45pm to 4:30pm, Thursday 23rd June

  • Transit Appliances

    by Chris Smith

    Open data, open source code and commodity hardware create the infrastructure to display when the next bus or train is coming at your favorite coffee shop, brew pub or building lobby.

    A combination of JavaScript and CouchDB, coupled to transit agency web services, comes together in a simple JavaScript API for displaying transit arrivals from multiple agencies.

    At 3:45pm to 4:30pm, Thursday 23rd June

  • Geek Fitness: Your Body is not Just Transportation for Your Brain

    by Kurt Sussman

    Neck, shoulders, upper back: conditioning, care, and repair. Diet and exercise: science vs politics. Why cycling is not enough. How to stay fit using your own body weight and an optional gallon milk jug full of water. Why shoulders are unstable, and how extended laptop use makes them easy to injure.

    At 4:45pm to 5:30pm, Thursday 23rd June
