(00:34) Mads works on the ASP.NET team building tools for everything that has to do with web development. He’s also done a lot of open source development – BlogEngine.NET, Web Essentials and some other Visual Studio extensions.
(02:48) Visual Studio 2013 has Browser Link, which allows you to connect any browser with Visual Studio. Any extension in the browser or Visual Studio can talk to each other via a web socket connection. The refresh browser feature in Visual Studio 2013 is just a proof of concept, the real feature is the communications channel.
(04:07) Scott K asks about the Page Inspector feature and whether that would be integrated with Browser Link. Mads says that Page Inspector was introduced with Visual Studio 2012. It includes browser tools and source mapping which allow you to trace the markup back to what generated it, including C# code and server controls. Mads took over the Page Inspector team almost a year ago, and they’re using the same underlying engine. Right now you don’t get live updates in Page Inspector with Visual Studio 2013, but with the Web Essentials extension you will.
(07:19) Jon asks about how the source mapping works. Mads explains that the ASP.NET runtime injects a script tag at the end of your page, and Visual Studio is listening for it to connect on a localhost endpoint. Mads explains that the Browser Link connection is only made under specific conditions – running locally, in debug, etc.
(09:10) Jon asks about some of the recent extensions Mads has demonstrated, especially the example which tracks unused CSS class names. Mads says this has been a long requested feature, but it’s only possible to do this right from inside the browser. They’re now able to add smart tags into the CSS editor to show unused CSS classes. It’s available now using Visual Studio 2013 and Web Essentials.
(12:24) Scott K asks if it’s possible to see which classes are overriding others. Mads said it’s not there yet, but on the way.
(17:23) Scott K asks if they can hook up the model binder to allow deserializing more complex types. Mads says it’s not available yet, but on the way.
(19:04) Jon says they could also test performance using testing automation, and Mads says that they could do quite a bit more with performance and browser testing by working with browser extensions – Page Speed, SEO, accessibility, etc. They can call off to any service anywhere on the internet.
(21:10) Jon asks about some of the extensions and prototypes he’s worked on. Mads says he wrote an extension for LESS and CSS editors which updates the page as you type – without even requiring you to save the CSS document.
(23:50) Mads talks about the inspect mode extension. When you hit ctrl-alt-I in the browser, you can hover over any DOM element and see the source in Visual Studio (including controls, views, Master Pages, partials, etc.).
(25:35) Mads talks about design mode (ctrl-alt-d) which turns any DOM element into a content editable field, which allows you to type in the browser and change the server-side code. He talks about some complexities due to changing the server-side code which throws off the source mapping, and how when they make some future changes to allow updating source maps on the fly they’ll be able to allow pretty complex browser-based design and editing.
(29:35) Scott K asks if they could use the shadow DOM to allow updating the source maps. Mads says that wouldn’t work with older browsers, and there’s some discussion of legacy browser support.
(36:12) Mads talks about the history of Web Essentials. It started out in 2010, but the old Visual Studio HTML and CSS editors limited what he could do. He used Web Essentials as the test project to make sure that Visual Studio 2012 supported the extensibility APIs, then released a new version to correspond with Visual Studio 2013. He open sourced it at BUILD 2013 in June.
(37:36) Jon asks about how Mads migrates features from Web Essentials to Visual Studio. Mads says that he does this on every Visual Studio release (including updates) which allows him to delete a lot of code. There are some features which don’t get migrated – niche features, features for which they’re still testing out the user experience. He talks about some neat features in Web Essentials that he likes, but he doesn’t think enough people use them to justify migrating.
(39:57) Jon asks about the languages Web Essentials supports. Mads lists Markdown, LESS and CoffeeScript. Mads talks about how they were able to include LESS and CoffeeScript support from Web Essentials while waiting on the Visual Studio 2012.2 release, then removed it when that update shipped. He talks about the problems they hit due to the editor overlap. Mads said that situation caused him to change his philosophy on features to add in Web Essentials – he’ll no longer include features in Web Essentials which could cause a conflict with Visual Studio, especially compiler related features; that’s why he removed TypeScript support from Web Essentials.
(44:14) Jon mentions robots.txt support in Web Essentials. Mads explains that this is a great example of how his personal web development frustrations turn into Web Essentials features. He’s hoping that open sourcing Web Essentials will lead other developers to contribute as well.
Web Dev Checklist
(46:35) Jon asks about Web Dev Checklist. Mads and Sayed were both working on building out some sites last year, and they came up with a list of important checks for any website – performance, accessibility, SEO, etc. They got on Hacker News and were happy that their site held up well under the traffic.
(49:16) Side Waffle is a Visual Studio extension which gives you a lot of templates so you can add things to your projects which were written the right way, by experts. They’ve got Angular controllers, Durandal, robots.txt, etc. They’re hoping for other developers to add new templates.
(51:36) Mads says that the teams at Visual Studio can’t create and maintain all the templates over time. Jon says he’s seen this again and again – new things get released but don’t always get maintained over the years. Mads says this makes it easy for developers to add and update templates.
(53:28) Mads says Sayed came up with the name from ordering a side order of waffles in a restaurant.
(54:24) Mads explains some of the technical complexities that he and Sayed had to deal with to allow adding new item templates to Visual Studio. Due to the strange ways they worked with MSBuild, Side Waffle isn’t allowed into the Visual Studio Gallery. They register Side Waffle as a Visual Studio gallery provider so when new templates are added, it will show up in the Visual Studio updates list. Jon’s confused, and Mads explains more about what’s going on.
Lightning Round questions from Twitter
(58:31) Barry Dorrans asks why Mads is pushing the #region agenda on unsuspecting HTML files.
(59:08) Warren Buckly asks “There is support for LESS, will there ever be support for SASS?”
(59:34) Jonas Eriksson asks “Is it possible to extend the new HTML editor IntelliSense?”
(51:52) Jonas Eriksson asks if it’s possible to start a Grunt task and monitor its output.
(1:00:09) Saul asks how to create a static website in Visual Studio.
(1:01:07) Bret Ferrier asks about getting Angular IntelliSense with TypeScript.
(00:50) K Scott asks about how xSockets got started, and what problem it solves.
(02:05) Jon asks if xSockets is a business or a project. Magnus says it’s now a full-time business – they’ve been working on xSockets for four years, but they went full-time earlier this year. Uffe points out that while it’s supported by a full time business, xSockets is free to use.
xSockets compared to SignalR, unique xSockets features
(02:57) K Scott asks how xSockets compares with SignalR. Magnus says they’ve been working on this for 4 years and mentions some differences. Uffe compliments the SignalR project and community, then points out that one important difference is that xSockets is stateful, whereas SignalR isn’t.
(04:54) Jon talks about the different approaches towards stateful controllers, and that it seems that stateful controllers could simplify things. Uffe describes some advantages, like filtering where you send messages dynamically with lambda expressions (a lot more control than groups in SignalR).
(07:09) K Scott asks about other differences. Uffe says that xSockets is very portable – running on IIS, OWIN, Azure, Amazon, a Raspberry Pi, even your cellphone if you want. It runs on anything that runs .NET 4 or Mono, and they’ve had reports of it running on a wide variety of hardware.
(07:52) Jon says he’s heard of people using local servers for desktop applications. Uffe says they have people in Russia doing that with xSockets.
(08:20) Magnus says that they have support for long-running controllers.
(08:50) Uffe says they’ve got a plugin framework. It was originally built on MEF, but they’ve recently rewritten it to remove the MEF dependency. You can drop an assembly in the xSockets folder and it will be picked up. Jon says it looks pretty similar to MEF; Uffe says he loves MEF and kept it pretty similar.
(09:55) K Scott says it feels very similar to ASP.NET MVC, in that there’s a controller base class that you extend.
(11:00) K Scott asks if there’s a routing mechanism. Uffe describes the extension methods that allow sending messages as well as using the routing system.
(12:56) Magnus describes the channel system, which allows for some complex, private communications without requiring server-side code.
Web Sockets protocol
(14:02) K Scott remarks that the Web Sockets protocol has changed quite a bit over the years. Magnus says that it was very difficult earlier, but has stabilized.
(15:02) K Scott asks if there’s a test suite for Web Sockets available. Uffe says there are some, but all have problems. The xSockets team uses their own testing system.
(16:00) Jon asks if the Web Sockets API is difficult to use. Magnus says the two first versions were pretty easy, but the RFC introduced some more difficult concepts like control frames and continuous frames. There are a lot of solutions on GitHub and CodePlex for dealing with protocol stuff.
(16:40) Jon asks about Web RTC support. Magnus says Web RTC enables realtime communications in the browser using peer-to-peer communication without requiring a server or middleman once the communications are established.
(18:47) K Scott asks if the Web RTC communications are TCP or UDP. Magnus says it’s UDP so it can be unreliable. There’s a NuGet package with a full sample showing how it works.
(20:00) K Scott asks about the processing pipeline. Uffe describes the Rewritable attribute – you can use that to override anything in the pipeline.
Fallback and pipeline
(22:25) K Scott asks about the external API. Uffe says it should probably be called something clearer – it’s a client that can be used in any C# code, as well as PowerShell and even compiled stored procedures in SQL Server. Uffe describes some of the ways he’s seen it used.
Crazy things people have been doing with xSockets
(24:24) K Scott asks if there’s anything crazy they’ve seen people do with xSockets. Magnus talks about a microscope control system used in Jamaica. Uffe talks about a realtime water monitoring system in Dubai running in C# 2.0 on Windows CE. They’re now able to control the water system via a web page, which replaced the need for an entire water monitoring facility.
(27:32) Magnus talks about a Fruit Ninja like game using xSockets, HTML5 canvas and Kinect. That led to a job building a virtual lobby, which they completed in 10 days.
(28:18) K Scott asks about authentication and authorization with xSockets.
Final questions, Samples and Videos
(29:08) K Scott takes a question from Twitter about what they think about OWIN. Magnus says they support it and it seems like a good idea, but he can’t
(29:42) K Scott asks about the While You Were Gone example. Uffe says this is a queue system that handles offline messages, so if you’re disconnected for a period of time it will deliver the messages when you reconnect.
(31:12) K Scott asks if there’s anything that may have been missed. Uffe talks about clustered servers – they’re all siblings which communicate peer-to-peer.
(32:48) Uffe talks about some upcoming travel they’ve got later this year for Desert Code Camp in November and possibly NDC London in December.
(33:22) Jon talks about the best way for people to get started. Magnus recommends the videos on xSockets.net.
(00:19) Jon introduces a listener question referring to .
(00:52) Kevin says he thinks the Callback Hell problem is overblown. In the Node world, there are flow control libraries like Async and good practices.
(01:51) Scott K agrees – using named rather than anonymous functions solves a lot of problems he sees. He asks if things would be better if everything was Async by default. Jon says he thinks Async-creep and Async by default push you down a better path most of the time. Kevin says since Node’s always forced that pattern it’s been simpler.
(04:40) Kevin says Async / Await only address simple cases where you want a series of steps. Flow control libraries allow for more complex flow, parallel operations, etc. Jon talks about how multiple async operations can get complex pretty quickly – dealing with error conditions, timeouts, etc. and Scott K points out the difference between parallel processing and async.
C# Syntax and Xamarin Speculation
(07:42) Jon says there’s room for a lot more syntactic sugar in C# – not just async, but dynamics, chained null checking, etc. Jon and Scott K talk about the benefits and limitations of the null coalescing operator (??).
(10:50) Scott K says async may be the next TDD in terms of driving good design.
(11:47) Kevin wonders when Xamarin will cut the cord and begin innovating on C# separately from Microsoft. The guys discuss some of the things they’ve been doing – repl, SIMD support, etc., but Jon points out that it’s all innovation at the compiler level, not on the language. Scott K talks about how our recent interview with Jon McCoy talked about modifying IL, and wonders if Xamarin will get into doing that kind of thing. Kevin asks what benefit Xamarin gets from keeping compatibility with Microsoft. Jon doesn’t buy it.
(15:01) Scott K wonders if the C# spec or compiler were open enough that people could innovate on it. Jon thinks Roslyn could do that, but he’s just making stuff up.
AngularJS – K Scott’s impressions
(16:36) Jon asks K Scott about his recent experiences with Angular. K Scott says that most things are easy, but hard things get complex, so he’s been reading the source code. He says the source code is mind bending. There are a lot of different ways to accomplish something – binding, watching, raising events, etc. – and it’s hard to know what’s going to work.
(18:33) Jon refers to the Ember / Angular Cage Match at NDC and how Angular worked great until it was time for a directive, and that got trickier. K Scott says there’s room for some polish on the Angular API. For instance, there are 3 or 4 ways to register a service.
(19:40) Jon asks K Scott if he’s used Ember and how he’d compare them. K Scott says he’s invested in Angular and hasn’t had time to dig into Ember. He says Ember seems to provide more of a path for users, whereas Angular seems more tacked together.
(21:02) Kevin asks how much people become locked into a front end framework. K Scott say
(22:00) Scott K says most of the complaints about Angular are around changes to the API and documentation over time.
(22:48) Scott K says it seems like Ember examples generally require more code. The guys discuss the balance of declarative code vs. magic that sometimes goes off the rails.
K Scott says he sometimes gets flashbacks to ASP.NET Web Forms controls. Kevin mentions HTCs in Internet Explorer and Jon says it seems like things are coming back around to that kind of thing with web components. K Scott says there’s pretty good separation of concerns with directives, but directives can be really hard to extend – you want to tweak one thing and pretty soon you’re reimplementing a lot more than you wanted to.
(26:36) Jon says he got to use Redis on a project and talks about his experiences. K Scott’s been using Mongo for a hospital system. Kevin says he hears people complain about Mongo, K Scott says performance and diagnostics can be frustrating.
(28:53) Kevin’s used it for Greater Than Parts and at his new job. He says the biggest mind shift is in how you model things. Jon says that was the biggest thing he learned – it’s not just a pile of documents, you still need to model things. K Scott says migrations and configuration management are important.
(31:39) Kevin asks K Scott how they’re working with lack of transactional integrity. K Scott says fortunately not, everything’s bulk loaded in this application.
Kevin’s new job at Brandcast
(32:26) Jon asks Kevin about the new job. Kevin’s working at Brandcast. Their mission is to make it really easy for people to set up a web presence that works well on multiple devices without any technical background. It’s a small shop running Node and Backbone. Kevin’s gone from being the young guy at his old company to the old guy at the new job.
(33:47) Jon asks Kevin about the process and structure there. Kevin says there’s a test server, but they’re pretty aggressive with continuous deployment.
(34:39) Jon asks if they’re using frameworks on top of Backbone. Kevin’s used Marionette. They’re using Backbone Layout Manager and Supermodel.
HerdingCode.com Operations Report
(35:36) Jon gives an update on the Herding Code website and hosting setup. We’ve been running for over five years on an el cheapo WordPress account.
(37:00) Jon’s been using CloudFlare to do some front-end caching and security blocking.
(37:50) Jon talks about some of the security things he’s set up, including a plugin to lockout IPs after incorrect logins, long password and OpenID login.
(38:33) The new release of WordPress uses MediaElement.js to use HTML5 audio with Flash / Silverlight fallback, and Jon extended that using some JavaScript to show a play indicator in the browser tab when audio elements are playing.
(39:51) There’s a WordPress plugin to show a mobile friendly theme.
(40:50) Kevin says the times we’ve run into trouble have been CPU related. Jon talks about the different layers of caching – Cloudflare on the front end, W3 Total Cache on the backend.
(44:12) Scott K asks about what kind of value adds a podcast app could add, beyond just an audio player.
(45:58) Jon says that the only thing that does change on the site is comments, so he’s outsourced that to Disqus. Scott K and Kevin talk about how Disqus has been heading downhill by inserting stupid ads, or "climbing douchebag mountain" in Kevin’s words.
(49:30) Kevin asks what everyone’s done with their summers.
(49:37) Scott K had to update a MonoRail site using the Brail engine. The biggest frustration was that in the latest rewrite, they pulled all the documentation and source for old versions – even the NuGet packages. Kevin says that’s why he’s not a fan of including package managers in deployment – things can disappear from the feed and you’re screwed. Jon tells an old story about a stored procedure that called a COM object to split comma delimited strings.
(53:42) Kevin got a new job and travelled to Paris and Switzerland and San Diego.
(54:02) Jon went to NDC, then worked on Scott Hanselman’s keynote demo at BUILD, then went on some family vacation time in New Jersey.
(55:21) K Scott worked a lot but says he’ll have exciting stories later. The guys congratulate him on all the press about his Pluralsight courses.
(02:39) Jon asks if it’s still jQuery based. Anthony says it is, though they’ve thought of removing that dependency. It’s mostly used for click event handling. They include a scoped, local copy of jQuery to prevent any conflicts with the host page’s use of jQuery.
(03:50) K Scott asks about some of the impacts of injecting their Glimpse content into the DOM. Anthony discusses issues with CSS, since the host page’s resets and selectors can affect Glimpse’s display. Glimpse includes a custom CSS reset and they scope their CSS rules.
(05:50) K Scott asks if the shadow DOM and HTML5 specifications for widgets would help. Anthony says yes and talks about how people are doing things now using iframes and how things would be improved. Anthony compares it to the XAML concepts of the visual and logical trees.
(07:45) Jon asks how things have changed from just injecting a div. Anthony explains how they use another div to reserve space at the bottom of the page and introduced a message bus to allow publishing and subscribing rather than handling events and callbacks.
(10:33) K Scott asks about patterns used to allow for extensibility and plugins. Anthony talks about how they’ve refactored, first to separate files and then to modules.
(15:39) K Scott asks what unit testing frameworks they use. Anthony says they’ve just got a test harness at this point, but a lot of the testing is manual. They’re looking at using TestSwarm and BrowserStack to do browser testing.
(18:06) Jon asks about mobile browsers. Anthony explains the current mobile support that’s been in Glimpse for a while. He discusses some other features they’ve looked at in the future.
(20:30) K Scott asks Anthony about his hobbies. Anthony talks about his new interest in growing his own food and a renewed interest in woodworking.
(21:55) K Scott asks Anthony about what he’s got coming up. Anthony talks about his summer conference schedule and that he’s moving to New York to keep a closer eye on Nik.
(00:30) Jon McCoy gives an overview of his NDC talks, explaining how he got into security and some of the amazing things he’s found out about .NET along the way, like using Java JARs inside .NET applications.
(02:55) Jon McCoy says that understanding IL and how the JIT works allows him to directly use assembly code and C++ from within .NET applications.
(03:45) K Scott asks Jon McCoy about some of the tools he showed during his talks. Gray Dragon is a memory injection program which allows injecting code and remapping while an application’s running. Gray Wolf allows editing an application’s IL code. In his talk, he demonstrates extracting his admin password from biometrics password with six clicks.
Developer security practices: obfuscation, unit tests, monitoring
(05:20) Jon G asks if obfuscation helps hide his code. Jon McCoy says it’s always reversible and there’s about a three month lag between obfuscator releases and workarounds. Just about anything that can be automated can be reversed.
(06:44) Jon McCoy recommends security unit tests for practices like SQL cleaning and throwing security exceptions. Monitoring for security exceptions will let you know someone’s attacking you – if someone has two years to attack you without you knowing, they’re going to get in.
(07:42) Attackers can target update mechanisms in desktop programs to target users throughout your enterprise. Also, the nature of .NET code makes it very difficult for antivirus software to detect when it’s doing something bad.
(08:30) Jon McCoy says there’s a security issue with Visual Studio in that it executes constructor code for controls as they’re loaded in the designer, so a malicious user can run code which runs under your user permissions.
Securing information on your computer: crypto and passwords
(09:40) Jon McCoy talks about some of the security practices he recommends: full disk crypto with TrueCrypt, using a hardware solution like YubiKey for long passwords, and using encrypted VMs as secure containers.
(11:12) Jon G asks Jon McCoy what he thinks of solutions like KeePass and LastPass. K Scott asks whether OpenID and OAuth help. Jon G laments that CardSpace never took off.
(12:47) Jon G asks if signed code helps secure code at all. Jon McCoy says it doesn’t really, since it’s not validated.
Businesses and security
(13:27) Jon G asks if Jon McCoy gets involved with forensics. Jon McCoy says he mostly works with small businesses who are being attacked or want to fix security issues.
(14:31) K Scott asks Jon McCoy if he deals with mobile device security. Jon McCoy discusses the security blind spots desktop and mobile developers have.
(15:23) Jon G asks what Jon McCoy thinks about two factor auth.
(16:22) Jon McCoy explains how his background as a developer helps him understand issues in a way that IT focused security experts don’t.
Defending against cracks
(17:20) Jon asks about defense against cracks. Jon McCoy says the motivation behind cracks and malware shifts – sometimes the bad guys are just after a proxy network, password cracking machines, or even free cloud storage. Malware distributors can really strike it rich by owning a computer that happens to be inside a big company; they can sell that access for a lot of money. Part of fighting an attack is understanding what’s motivating the attacker.
(19:07) Jon G talks about targeted attacks against employees using fake, infected PDF business documents – send to enough people and a few will open it. Jon McCoy says that’s why he advocates using a hardened VM for browsing the internet as well as using different e-mail addresses so you know unsolicited e-mails to an admin e-mail can’t be valid.
Resources: tools and papers
(20:13) Jon G asks for a little more information about the security tools Jon McCoy distributes on his site.
(20:47) Jon G asks about Jon McCoy’s security disclosure policies. Jon McCoy says he generally keeps things secret long enough to give his clients a security advantage. He talks about a technique he used which phones home when obfuscated code is decompiled.
(21:51) Jon G asks Jon McCoy how he keeps up with things. Jon McCoy says things are pretty lonely, he’s off on his own most of the time. Jon G says it’s easy to forget that a lot of .NET runs on top of Win32 and COM.
(23:10) Jon G asks Jon McCoy for some references for developers who are interested in learning more. Jon McCoy lists a few (referenced in the show links).