科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.
JavaScript: The Evil Parts from JSConf 2010

48 points, by voodootikigod, almost 15 years ago

4 comments

tptacek, almost 15 years ago

Disappointing. Nothing but respect for Billy Hoffman, but this talk has very little to do with Javascript and almost everything to do with the browser security model. Being able to use request timing to sniff things out of someone's email spool is an "evil part" of the browser and of the application architecture of Gmail. It's not a facet of Javascript.

The only thing in this talk that seemed uniquely Javascript-y was his explanation of di Paola's Prototype Hijacking attack (where you override the Ajax calls to sniff requests). But this is an issue in virtually every dynamic language; it's not a specific flaw in Javascript.

I want to be careful here, because I've had to give this talk a bunch of times --- the one security talk at a generalist conference, which is always going to devolve into a survey talk. I'm sure his audience loved it. I'm not sniping at Hoffman. But on HN, when you say "Javascript: The Evil Parts", I'm really wanting to see something about the evil parts of Javascript; like, I don't know, maybe automatic semicolon insertion being exploitable.

Comment #1421435 not loaded

Comment #1396291 not loaded
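The "Prototype Hijacking" issue tptacek mentions (a script replacing the request methods on a shared prototype so it can observe what the page sends) has a straightforward defensive counterpart: snapshot the original method references before any third-party code runs, compare against them later, and lock the methods down. The block below is an added example, not code from Hoffman's talk or from anyone in this thread. `Transport` is a constructed stand-in for `XMLHttpRequest` so the file runs under Node; in a browser the same functions would be applied to `XMLHttpRequest.prototype` (and `window.fetch`).

```javascript
// Added example (not from the talk or the thread): integrity guard for a
// request API's prototype against override of its methods.
// makeTransport() returns a fresh constructed stand-in for XMLHttpRequest;
// the guard itself is generic and works on any prototype.

function makeTransport() {
  return class Transport {
    open(method, url) { this.method = method; this.url = url; }
    send(body) { return `${this.method} ${this.url} ${body ?? ''}`.trim(); }
  };
}

// Record the original method references before any third-party script runs.
function snapshotMethods(proto, names) {
  const snap = new Map();
  for (const n of names) snap.set(n, proto[n]);
  return snap;
}

// Return the names whose current implementation no longer matches the snapshot.
function detectTampering(proto, snap) {
  const tampered = [];
  for (const [n, fn] of snap) if (proto[n] !== fn) tampered.push(n);
  return tampered;
}

// Make the listed methods non-writable and non-configurable, so a later
// assignment cannot replace them (ignored in sloppy mode, TypeError in strict).
function lockMethods(proto, names) {
  for (const n of names) {
    Object.defineProperty(proto, n, {
      value: proto[n], writable: false, configurable: false, enumerable: false,
    });
  }
}

// Walk-through: detection on an unlocked prototype, then locking.
function demo() {
  const Transport = makeTransport();
  const names = ['open', 'send'];
  const snap = snapshotMethods(Transport.prototype, names);
  const originalSend = Transport.prototype.send;

  // Constructed override standing in for a script that wraps send().
  Transport.prototype.send = function (body) { return originalSend.call(this, body); };
  const found = detectTampering(Transport.prototype, snap); // ['send']

  // Restore, lock, and confirm a second override attempt has no effect.
  Transport.prototype.send = originalSend;
  lockMethods(Transport.prototype, names);
  try {
    Transport.prototype.send = function () { return 'overridden'; };
  } catch (e) { /* TypeError under strict mode; either way the lock holds */ }
  const blocked = Transport.prototype.send === originalSend;

  const t = new Transport();
  t.open('GET', '/inbox');
  return { found, blocked, result: t.send() };
}

console.log(demo());
```

Reference comparison catches a replaced method but not a wrapped object returned by a replaced constructor, so the snapshot should be taken as early as possible (inline, before any external script tag) and the constructor itself locked in the same way.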
jedschmidt, almost 15 years ago
This presentation was awesome. In particular, the hydration/dehydration explanation at 51:35 was deliciously evil: replacing ones and zeroes with tabs and spaces to not just obfuscate javascript, but actually hide it from human view altogether.
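The "dehydration" trick jedschmidt describes (encoding the bits of a script as tabs and spaces so it is invisible in a viewer) can be caught by looking for what ordinary source never contains: long runs of whitespace that mix both characters. The block below is an added example, not code from the talk or the thread. The encoding assumed (tab for 1, space for 0, eight bits per ASCII character) is a constructed variant used to build the sample input; a scanner used in practice would try the variants an analyst expects.

```javascript
// Added example (not from the talk or the thread): find and decode text hidden
// as runs of tabs and spaces. Bit encoding (tab = 1, space = 0, 8 bits per
// ASCII character) is an assumption used to construct the sample.

const ONE = '\t';
const ZERO = ' ';

// Constructed encoder, used only to build the sample input below.
function dehydrate(text) {
  let out = '';
  for (const ch of text) {
    const bits = ch.charCodeAt(0).toString(2).padStart(8, '0');
    out += bits.replace(/1/g, ONE).replace(/0/g, ZERO);
  }
  return out;
}

// Decode a run of tabs and spaces back to text (trailing partial byte dropped).
function hydrate(ws) {
  let text = '';
  for (let i = 0; i + 8 <= ws.length; i += 8) {
    const bits = ws.slice(i, i + 8).replace(/\t/g, '1').replace(/ /g, '0');
    text += String.fromCharCode(parseInt(bits, 2));
  }
  return text;
}

// Report runs of whitespace that are long and mix tabs with spaces. Ordinary
// indentation is short and almost never mixes both, so such a run is worth a
// look; each hit carries its offset, length and decoded content for review.
function findHiddenPayloads(source, minRun = 32) {
  const hits = [];
  const re = /[ \t]{2,}/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const run = m[0];
    if (run.length >= minRun && run.includes('\t') && run.includes(' ')) {
      hits.push({ offset: m.index, length: run.length, decoded: hydrate(run) });
    }
  }
  return hits;
}

// Constructed sample: an innocuous script with a hidden string between lines.
const SAMPLE = 'var a = 1;\n' + dehydrate('hidden') + '\nvar b = 2;\n';

console.log(findHiddenPayloads(SAMPLE));
```

The decoded content is shown rather than executed; the point of the scanner is to surface the run so a reviewer sees what the file actually carries.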
apike, almost 15 years ago
The most disconcerting part for me was about attacking services inside a firewall using JS, starting around 45:00. He explains how somebody once wrote a page that, if you load it, would log in to your wireless router (if it had the default password) and hijack your DNS and all your requests.
Comment #1395389 not loaded
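The attack apike recounts works because a LAN device's admin interface accepts a state-changing request regardless of which site the browser was on when it issued it. The server-side admission check below is an added example, not code from the talk or the thread, of the kind of gate such an interface can apply. The request objects, the private address `192.168.1.1`, the session token and the `X-CSRF-Token` header name are constructed; `Origin` and `Sec-Fetch-Site` are real browser request headers.

```javascript
// Added example (not from the talk or the thread): admission check for a
// state-changing endpoint on a LAN device's admin interface. Request shape
// ({ method, headers, session }) and the token header name are assumptions.

// Decide whether a state-changing request may proceed.
function admitStateChange(req, allowedOrigins) {
  const method = req.method.toUpperCase();
  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));

  // 1. Safe methods never change state; reject them for this endpoint so a
  //    plain GET triggered by an <img> or <script> tag cannot act on it.
  if (method === 'GET' || method === 'HEAD') {
    return { ok: false, reason: 'state change via safe method' };
  }
  // 2. Modern browsers send Sec-Fetch-Site; anything cross-site is rejected.
  const site = h['sec-fetch-site'];
  if (site && site !== 'same-origin' && site !== 'none') {
    return { ok: false, reason: `sec-fetch-site=${site}` };
  }
  // 3. Origin must be present and on the allow-list (missing Origin => reject,
  //    which covers browsers that predate Sec-Fetch-Site).
  const origin = h['origin'];
  if (!origin || !allowedOrigins.includes(origin)) {
    return { ok: false, reason: `origin ${origin ?? 'missing'} not allowed` };
  }
  // 4. Require a per-session token in a custom header. A custom header forces
  //    a CORS preflight, which a cross-site page cannot pass without an
  //    explicit allow from this server.
  if (!h['x-csrf-token'] || h['x-csrf-token'] !== req.session.csrfToken) {
    return { ok: false, reason: 'bad or missing csrf token' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed requests against an admin page served from http://192.168.1.1.
const ALLOWED = ['http://192.168.1.1'];
const SESSION = { csrfToken: 'constructed-token-123' };

// What an auto-submitted form from an unrelated site looks like to the server.
const crossSiteForm = {
  method: 'POST',
  headers: { Origin: 'http://example.net', 'Sec-Fetch-Site': 'cross-site' },
  session: SESSION,
};
// A request from the device's own admin page, carrying the session token.
const legitimate = {
  method: 'POST',
  headers: { Origin: 'http://192.168.1.1', 'Sec-Fetch-Site': 'same-origin',
             'X-CSRF-Token': 'constructed-token-123' },
  session: SESSION,
};
// Older browser: no Sec-Fetch-Site, but Origin still reveals the other site.
const oldBrowserCrossSite = {
  method: 'POST',
  headers: { Origin: 'http://example.net' },
  session: SESSION,
};

for (const r of [crossSiteForm, legitimate, oldBrowserCrossSite]) {
  console.log(admitStateChange(r, ALLOWED));
}
```

The layered order matters: the header checks cost nothing and reject the common case early, while the token check is what holds up if a header is absent or spoofable in some client.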
Kilimanjaro, almost 15 years ago

tl;dw

Transcript?

Comment #1396301 not loaded