Disappointing. Nothing but respect for Billy Hoffman, but this talk has very little to do with Javascript and almost everything to do with the browser security model. Being able to using request timing to sniff things out of someone's email spool is an "evil part" of the browser and of the application architecture of Gmail. It's not a facet of Javascript.<p>The only thing in this talk that seemed uniquely Javascript-y was his explanation of di Paola's Prototype Hijacking attack (where you override the Ajax calls to sniff requests). But this is an issue in virtually every dynamic language; it's not a specific flaw in Javascript.<p>I want to be careful here, because I've had to give this talk a bunch of times --- the one security talk at a generalist conference, which is always going to devolve into a survey talk. I'm sure his audience loved it. I'm not sniping at Hoffman. But on HN, when you say "Javascript: The Evil Parts", I'm really wanting to see something about the evil parts of Javascript; like, I don't know, maybe automatic semicolon insertion being exploitable.
This presentation was awesome. In particular, the hydration/dehydration explanation at 51:35 was deliciously evil: replacing ones and zeroes with tabs and spaces to not just obfuscate javascript, but actually hide it from human view altogether.
The most disconcerting part for me was about attacking services inside a firewall using JS, starting around 45:00. He explains how somebody once wrote a page that, if you load it, would log in to your wireless router (if it had the default password) and hijack your DNS and all your requests.