0:01

Hello, and welcome to

0:03

the Thinking Elixir podcast, where we cover

0:05

the news of the community and

0:07

learn from each other. My name is

0:09

Mark Erickson. And I'm David Bernheisel.

0:12

Let's jump into the news. First

0:14

up, there is a big piece of

0:16

news that we want to make sure we covered

0:18

first, which is a security vulnerability around

0:20

the Erlang OTP beam. And

0:22

this is specifically around the

0:24

SSH daemon or a little

0:26

service that you can run

0:28

actually in OTP. I

0:30

didn't actually know you could run

0:32

an SSH server in Erlang Beam, but

0:35

you can. And so what

0:37

it was is there was a problem

0:39

with how the protocol was implemented in the

0:41

Erlang side. What this is, is

0:43

it's actually quite a big deal, but then

0:45

we want to talk about what does this

0:47

actually mean for our Elixir apps, for Phoenix,

0:50

for, you know, who does this impact and what do we need to do? So

0:53

what it is is It's unauthenticated

0:55

remote code execution. So

0:57

that is as bad as it gets. In

1:00

terms of the vulnerability score, it's like

1:02

10 out of 10. That you

1:04

can have someone from anywhere in the

1:06

world that's not authenticated be able to

1:08

execute code on your device. That's

1:10

bad. So we have a

1:12

link to the Erlang OTP security

1:15

advisory. Their summary is a

1:17

serious vulnerability has been identified in

1:19

the early OTP SSH server

1:21

that may allow an attacker to

1:23

perform unauthenticated remote code execution

1:25

by exploiting a flaw in

1:27

SSH protocol message handling. A

1:30

malicious actor could gain unauthorized

1:32

access to affected systems and

1:34

execute arbitrary commands without valid

1:36

credentials. The severity is

1:38

10 out of 10. And that

1:40

is literally the worst it gets. So

1:43

the question really is like, okay, Am

1:45

I in danger? What do I need to do? So

1:48

am I affected? To help give

1:50

some context to this, Michael Lubis at

1:52

Paraxial wrote up a blog post about

1:54

it, you know, breaking it out into, okay,

1:56

if you have an Elixir Phoenix application

1:58

and it's deployed on the open internet, are

2:00

you at vulnerable? And the

2:02

answer is most likely no.

2:05

The default configuration for Phoenix

2:07

does not expose the Erlang SSH

2:09

daemon to the public internet.

2:12

It is technically possible. You

2:14

are vulnerable if your application

2:16

does expose Erlang's SSH daemon.

2:18

Like if you're using the

2:20

Erlang SFTP clients, they do

2:22

this. That's not something I've

2:24

ever actually seen set up

2:26

on a project. We have

2:28

a link to the Paraxial blog post on this

2:30

too, where you can check it out. You

2:33

think about it, and if

2:35

your Elixir application is hosted on

2:37

AWS, GCP, Gig Elixir, Fly,

2:39

or really any hosting provider. most

2:41

platform as a service hosting

2:43

providers do not open those ports.

2:45

They're really, it's just the

2:47

TLS and port 80 possibly. So

2:50

you would have to explicitly make

2:52

that open. So

2:54

by default, no, you're

2:56

not vulnerable. So that's

2:58

like my perspective, right? Like I'm

3:00

generally a web developer first

3:02

and Phoenix applications and all, but

3:05

then I thought about, what

3:07

about nerves? That's

3:09

like. the primary way

3:11

SSH -ing into your nerve device to

3:13

like manage it, right? You know, I

3:15

don't know the technical details, maybe

3:17

it doesn't do this, but like, wouldn't

3:19

SSH be the mechanism for sending

3:21

updates to your nerves devices? You know,

3:23

so you have to have these

3:25

ports kind of open, and I realize

3:27

you can change the port numbers,

3:29

you know, to kind of have security

3:31

by obscurity, that's the right word. But

3:34

still, it's the same thing, you just

3:37

scan all the ports, not just port 22,

3:39

and they can find it. So anyway,

3:41

yeah, some nerve systems

3:43

may be impacted. And so

3:45

if you are running nerve

3:47

systems, you should probably

3:49

go look for the updated nervous

3:51

version at least and push

3:53

that out there. And we've got

3:55

a post out to Elixir

3:57

Forum that has a lot more

3:59

details on this. And

4:01

so again, that's some nerve systems that

4:03

are internet exposed, first of all, or

4:05

are at least on a public. network,

4:08

even if it's not internet exposed,

4:10

but you've got like other people that

4:12

can get on that public network and

4:14

then find that device, that would be

4:16

vulnerable at that point. Less

4:20

likely because you're, you know, you're not

4:22

just people sitting at home, can't go

4:24

into your nurse devices. But anyway, this

4:26

is something to think about. So yeah,

4:28

if you've got nurse devices out there,

4:31

consider that. On the plus side, one

4:33

of the great points of nurse

4:35

is nerves hub. And Nerf Hub is

4:37

the ability, is the

4:39

SaaS platform, right? Not

4:42

SaaS is something that you have

4:44

to pay for necessarily, it's just something

4:46

that you can host that can

4:48

push updates remotely to your devices. And

4:50

so yes, there might be a

4:52

vulnerability right now, but like I said,

4:54

there is a system update out

4:56

there. So you should be able to

4:58

re -burn all of your firmware with

5:00

the latest Nerf software and then

5:02

push that updated firmware out to your

5:04

devices and then you're not vulnerable

5:06

anymore. So I highly

5:08

recommend any nerves administrators out

5:11

there to go fix some

5:13

things up. Yeah. So

5:15

just to be clear, there is

5:17

an updated nerve system available as a

5:19

patch release to address this specific

5:21

issue. So yeah, if you

5:24

are running nerves, make sure to go get

5:26

your latest release and get that deployed

5:28

as soon as you can. Also

5:30

on the Praxial blog was how

5:32

to check your exposure. There's some instructions

5:34

there on how you can actually

5:36

use Nmap on your devices within your

5:39

networks and just see like what

5:41

is being exposed here, what is a

5:43

risk. And also

5:45

he has a link to Shodan.

5:47

If you've never heard of

5:49

Shodan, it's like Google for the

5:51

internet devices. It just

5:53

goes and searches all IP

5:55

ranges and sees what

5:57

answers here. And then

5:59

they make that accessible so you

6:01

can just search Shodan. It's

6:04

almost like I can only really

6:06

think of nefarious uses for

6:08

this. But it's there. And so

6:10

you can just search Shodan,

6:12

search the query of Erlang and

6:14

SSH. And right now, I'm

6:16

seeing a total of 157 results.

6:18

That's not like thousands or

6:20

millions or anything like that. But

6:22

it is showing these are devices because

6:24

when a device answers a lot, sometimes

6:26

it answers with its version. So you're

6:28

able to see if it is running

6:30

a currently vulnerable version. And now you

6:33

have the IP address and you can

6:35

just blink, right? I own it. Get

6:37

on that as soon as you can. Well,

6:41

now is the perfect time to

6:44

talk about today's sponsor, which is

6:46

paraxial .io. Everyday hackers search the internet

6:48

for vulnerable applications aiming to steal

6:50

sensitive data, commit fraud, and spitefully

6:52

ruin the weekend of a hard

6:54

-working developer. Paraxial is

6:56

the first and only security platform

6:59

with full elixir support that stops

7:01

these attacks. Developers love the

7:03

elixir -native protection. Management loves

7:05

Paraxial's metrics and details of

7:07

security accomplishments of engineering, which

7:10

are also required for

7:12

SOC2, ISO, and HIPAA

7:14

compliance. Sign up for a

7:16

free trial of Praxial today and

7:18

mention thinking elixir when you schedule

7:20

a demo for a limited time

7:22

offer. Check it out today at

7:24

praxial .io. All right,

7:26

next up some open news. So,

7:29

OpenPro 1 .16, the last we talked about,

7:31

I think it was the release candidate

7:33

that was out there. But Oben has published

7:35

a new article out there that talks

7:37

about the new cascade mode and how it

7:39

can be used to generate a collection

7:41

of children's stories, right? It's a use case.

7:44

It's showing you how to use it. So

7:46

we got some links to the

7:48

posts. It's on Oben .pro. So

7:50

you'll find it there. It definitely

7:52

talks about Oben .pro's 1 .6 feature

7:54

set and their new cascading workflows

7:56

feature. It talks about how they

7:58

use the feature to create a

8:00

workflow that basically creates children's stories. using

8:02

AI for the story, the artwork,

8:04

and a markdown file about it

8:06

all. It's a pretty fun and

8:09

interesting way of just thinking about

8:11

it. Yeah,

8:13

it really highlights the strength

8:15

of OpenPro workflows. And so here's

8:17

a quote from the article. It

8:19

says, think of workflows as a

8:21

pipe operator for directed, distributed, persistent,

8:24

map reduce functions. And

8:27

yeah, that's a perfect way of describing

8:29

what this can do for you. And

8:31

so just to describe it just a

8:33

tiny bit more, like here's here's what

8:35

the code kind of looks like, right?

8:37

Like you start a new workflow, you

8:39

put some context into that workflow, like

8:41

for example, a topic or a count

8:43

or something. And then you

8:45

add Cascade. That's the that's the

8:47

new function here workflow dot add cascade.

8:50

And you have names for each

8:52

of those phases, right? Authors,

8:54

stories, images, title, cover, and then

8:56

finally, you know, print. And

8:59

for all of these parts of the

9:01

workflow, they have dependencies on the other,

9:03

like maybe earlier parts of the workflow.

9:05

For example, you can't generate images without

9:07

at least some of the stories or

9:09

the authors in there. And you can't

9:11

really, maybe you think about the title

9:13

after you've written the story. So you

9:15

need the title and the cover after

9:17

the story is there. So it's a

9:19

way to essentially automate, you know, kind

9:21

of like this entry point and then

9:23

this fan out and waiting on dependencies

9:25

to be done. And then you know,

9:27

coming back in. And then finally, the

9:29

last step would be to print the

9:31

thing. In this case, it's just gonna,

9:34

it's not gonna physically print it, but

9:36

you know what I mean, right? Yeah,

9:38

what I liked about the example also

9:40

is just making the point how with

9:42

AI, lots of times the

9:44

services that you're using, reliability

9:46

is not, not 100 % countable

9:48

that you can depend on it,

9:50

right? And that's whenever you

9:52

talk about productionizing a system with AI,

9:54

that's something you have to take into

9:57

account, that this service might go down,

9:59

or they might get overloaded and say

10:01

back off, or they might just whatever.

10:04

That's part of what the workflow is

10:06

showing is that, hey, these

10:08

important pieces of these steps, those

10:10

are retriable, and we'll come back to those

10:12

as part of the open process. It's

10:15

just neat. I think it was a great way

10:17

of highlighting how you can have that whole flow

10:19

of This has to happen first,

10:21

then this happens, and then you can unlock

10:23

this multiple sets that can happen simultaneously, and

10:25

some of them may be failing and having

10:27

to be retried, but bringing it all back

10:30

together at the end, I think that's a

10:32

great example. Right, and Open

10:34

has tools to allow

10:36

you to visualize what you've

10:38

made. What mess

10:40

did I just create here? You can

10:42

export it into Mermaid, and it'll give

10:44

you a nice little flow chart of

10:46

the overall workflow. And I

10:48

just want to highlight this part too is

10:50

that first function in there is like

10:52

add context, right? And so that context, it's

10:55

a MapReduce, right? So that context is

10:57

kind of like this accumulator that goes through

10:59

the whole and travels through the whole

11:01

workflows. And so those bits of information could

11:03

be picked up in a later step

11:05

to inform how it should work, right? So

11:08

that's how these are all kind of

11:10

interconnected. Another shining example of

11:12

why OpenPro is definitely worth it. So

11:14

if you need something like this, which

11:16

Undoubtedly, I think most businesses need something

11:18

like this at some point, right? I

11:20

guarantee you it's going to cost you

11:22

less to pay for Open Pro than

11:24

it would be for you to have

11:26

even one developer on this for two

11:28

weeks, right? So definitely worth

11:30

it. And I know it's AI

11:32

art, which can be hit or

11:34

miss, but, and I'm

11:36

assuming this is AI art in the

11:39

blog post, but the blog post actually has

11:41

some really really good looking stuff in

11:43

there. So it's a visual candy too. You

11:45

don't even have to read it. Just look at the pictures and you'll

11:47

be delighted. And

11:50

next up, Jose Valim has been

11:52

teasing a new logo. And

11:54

all he's saying about it is

11:56

soon. So at the time

11:58

of this recording, nothing more has been

12:00

shared yet. So it could be any

12:03

day now. He shared this little announcement

12:05

of the logo plus soon twice now.

12:07

So. Maybe it's coming very soon, and

12:09

it'll already be out by the time you hear this,

12:11

but we'll tell you what we do know now. There

12:14

is a GitHub organization that was

12:16

found that is using this logo. It

12:18

is called Tidal Wave

12:21

-AI. And there's only

12:23

one project that's currently

12:25

public in that organization, and

12:27

it is called MCP

12:29

Proxy Elixir. If you remember,

12:31

we've talked about MCP servers,

12:33

which is model context protocol. Being

12:36

put out first by anthropic and

12:38

adopted by open AI It's kind

12:40

of becoming the thing that people

12:42

are all moving to and really

12:44

all it is is a protocol

12:46

as a way of standardized definition

12:48

for saying here is a set

12:50

of services that I want to

12:53

expose to an LLM and So

12:55

I can I can expose things

12:57

as tools and then also they

12:59

can be a client of another

13:01

server to use its tools So

13:03

this project is an elixir MCP

13:05

server for standard IO. So

13:08

that right there is an interesting

13:10

idea, right? Like that you can use

13:12

Unix pipes and standard IO to

13:14

pass data between applications running on the

13:16

same computer. And as that a

13:18

way of talking to your MCP server,

13:20

because that is one of the

13:22

ways you can host an MCP server,

13:24

it could be HTTP requests, or

13:27

it can be standard IO is one

13:29

of them. Right. So that's the

13:31

only thing we really know for sure.

13:34

But we also know that Chris McCord has

13:36

been teasing some things with AI development

13:38

and Phoenix applications. We've got a link to

13:40

the latest one that he'd shared. And

13:43

in this example, it's a little video

13:45

showing how he was having an AI

13:47

agent in a Phoenix application write its

13:49

own JavaScript in the Phoenix application of

13:51

the tools that it could be using.

13:53

And he's just talking about how that

13:55

was really kind of, really heady, you

13:58

know, like this is kind of a

14:00

strange idea that the agent is writing

14:02

its own tools. And it worked. So

14:05

maybe that's related? I don't

14:07

know. But the one

14:09

thing to also be aware of

14:11

is the GitHub organization links

14:13

to a new website called TideWave

14:16

.ai. But currently,

14:18

that doesn't load to anything. So

14:20

we know there's something. It's called

14:22

TideWave. And it's AI. That's

14:24

really all we know for sure,

14:26

and that there's MCP Elixir servers,

14:28

which is in itself really cool.

14:31

Maybe the Sleuthers have sleuthed up enough

14:33

information to figure out what this

14:35

is going to be and maybe they've

14:37

spoiled it, but this is definitely

14:39

pretty exciting. Yes. And

14:42

speaking of teases out there, maybe

14:44

this is related, maybe it's not who knows,

14:46

but Zach Daniels also teasing some Ash news to

14:48

be announced at a lecture conf EU. He

14:51

hasn't, as far as I know, there's

14:53

no sleuthing on what they've, you know,

14:55

what this is about yet. But just

14:57

judging by the icon that they've got,

14:59

you know, in the in the teaser

15:01

and the the latest weekly, Ash Weekly

15:03

issue, issue 13. It definitely

15:05

looks like AI related as well. So

15:07

there's just a lot of AI things

15:09

going on right now. Zach

15:12

Daniels' thing may not have nothing

15:14

to do with Tidal Wave, but

15:16

there's definitely stuff being teased. This

15:19

must be conference -driven development. Yeah,

15:22

we must be coming up to conferences soon, I

15:24

think. Yeah. And

15:26

just to be clear, it is

15:28

going to be hard to remember this.

15:30

but is Tide Wave. Oh, Tide

15:33

Wave. Yes, Tide Wave. Oh,

15:35

why? No, you look at it and you

15:37

think, and you hear it, and you

15:39

hear it spoken, it's like Tidal Wave is

15:41

what you think, but like, no, no,

15:43

Tide Wave. Tide Wave. Oh, man. I

15:45

think they should rename it to Tidal

15:47

Wave now. Well, that might be taken.

15:49

I don't know. And if I misspoke

15:51

at any time when I was mentioning

15:54

it, I apologize. I didn't catch it.

15:56

But so, yeah, Tide Wave. Tide Wave.

15:58

OK. All right. All right. Well, moving

16:01

on from that. So I

16:03

came across some interesting things

16:05

on the internet, as

16:07

we all do sometimes. Some of it

16:09

funny, some of it not. A lot

16:11

of it said. This one was pretty

16:13

cool. This is this is

16:15

about Elixir. Well, let me back up

16:17

a little bit. So Sequin has a

16:19

Reddit post out there that explains why

16:21

they built something called Mini Elixir. OK,

16:23

I was like, well, that's intriguing. What's

16:26

Mini Elixir? And I looked into it.

16:28

They have another blog post that properly

16:30

wraps up this whole thing, too. So

16:32

it's both a Reddit post and a

16:34

blog post on the Sequin site. But

16:36

Sequin, they're an Elixir company out there

16:38

that deals with transforming a lot of

16:41

data streams out there, right? And so

16:43

one of their challenges was they need

16:45

the ability for users to provide logical

16:47

transformers to them. So that way when

16:49

they are, when sequence workflows are, you

16:51

know, taking data from one place and

16:53

putting it in another place, a transformer

16:55

can be put into that workflow to

16:58

do the transform, right? Well, if it's

17:00

user input, you're going to

17:02

have problems. So the

17:04

challenge was how do you get

17:06

a sandboxed elixir, you know, transformer?

17:08

or any kind of transfer, it

17:10

doesn't have to be Elixir. And

17:13

so they started experimenting. And

17:15

so there is a blog post

17:17

that compares a lot of these

17:19

Lambda -like functions out there, these

17:21

Lambda solutions out there, right? How

17:23

can I get an isolated little

17:25

environment of some executable, you

17:27

know, small piece of code? That's pretty much

17:29

what we think of Lambda today, right?

17:31

Throw up some JavaScript on some cloud server

17:34

somewhere and then have it take some

17:36

input and give you an output and you

17:38

get charged by the execution, I guess,

17:40

right? All right, so there's a lot of

17:42

those kinds of solutions out there and

17:44

they explore a lot of those solutions. And

17:46

what they came up with, it was

17:48

interesting, one of the interesting parts of their

17:50

post was the comparison of all these

17:52

solutions and their homegrown kind of limited elixir

17:54

AST kind of evaluation. So they benchmarked

17:56

it all and they have like this chart

17:59

of like what the complexity is, what's

18:01

the infrastructure you need for hosting

18:03

this kind of a thing. They're already

18:05

on ElixirShop, so they have Elixir. Their

18:08

app is already out there and evaluates

18:10

Elixir in runtime anyway. And

18:12

so their benchmarks came

18:14

up with 10 microseconds to

18:16

evaluate their user supplied

18:19

Elixir code that has been

18:21

sandboxed in a way

18:23

that cannot really reach outside

18:25

of its own little

18:27

scope. 10 microseconds,

18:29

that's incredibly small. That's the

18:31

fastest for what it's worth. That's

18:33

the fastest execution time in

18:35

their chart that they come up

18:37

with. Compared to probably

18:39

the most common solution out

18:41

there is the typical cloud Lambda

18:44

function to being 10 milliseconds. I

18:46

don't know if that includes the

18:48

cold startup or not, but 10

18:50

milliseconds, that's pretty fast too. But

18:52

10 microseconds compared to 10 milliseconds,

18:55

when you throw percentages at that,

18:57

10 microseconds is a lot

18:59

of percentages faster than 10 milliseconds.

19:02

It's not quite apples to apples,

19:04

obviously. You got a lot more

19:06

going on with other Lambda functions. Just

19:08

to explain what they compare is

19:10

not just Lambda functions out there.

19:12

They also compared Docker and Firecracker

19:14

instances. They compared Wasm functions. They

19:17

compared Dino. Dino's that

19:19

JavaScript runtime. They

19:21

have a solution for that.

19:23

They compared another language called Starlark.

19:26

Which is kind of built for

19:28

this kind of this kind of

19:30

thing maybe and then they also compared

19:32

Lua via Luerl, right? So it's

19:34

still kind of native Erlang VM

19:36

stuff, but it's the Lua language

19:38

Lua was also very fast by

19:40

the way should check out the

19:42

chart to find out more info and

19:45

then they compared obviously their mini

19:47

elixir, which is the the the

19:49

AST All right, so that's

19:51

pretty much it. It's a very interesting post. You

19:53

should read up on it. Can't talk about Mini

19:55

Elixir, which is not a published package or anything.

19:57

This is just like a code sample of they

19:59

did. So this is not something that you can

20:01

just pull into your code base. This

20:03

is not a published package like on Hacks.

20:06

You'd have to go look at the repo

20:08

and rip out the pieces you want. But

20:10

if you're looking for a published package, Mini

20:13

Elixir was inspired a lot by a project

20:15

called Dune. Dune is a published package, and

20:17

it is out there, so you can go check that

20:19

out. Mini Elixir is highly

20:21

inspired by Dune, just a little

20:23

bit differently approached. And by

20:25

the way, Dune is created by one

20:27

of the Phoenix maintainers. So good heritage,

20:29

right? All right.

20:31

Last thing, I mentioned Starlark. If you

20:33

haven't heard of Starlark, here's a quick

20:35

definition. It's a language intended

20:37

for the use as a configuration

20:39

language, and it was designed for

20:41

the Basel build system. All right,

20:44

so that's what Starlark is. It's

20:46

a very small language, and it's

20:48

built for defining infrastructure pretty much

20:50

and build systems. So not

20:52

quite what you're probably wanting

20:54

for this scenario, but interesting

20:56

that they even tried that

20:58

out. So a purpose

21:00

-built kind of language for this sandbox

21:02

environment, even that was slower than

21:04

Mini Elixir. Anyway, found that highly fascinating.

21:06

We've got a couple of great

21:08

links out to Explorer Dune, Mini Elixir,

21:10

and then both the blog posts

21:12

put out by Sequin. Sequin continues to

21:15

be a pretty captivating Elixir company.

21:17

They do a lot of cool stuff

21:19

so far. And next

21:21

up, Semaphore, that's Semaphore CI, they

21:24

have open sourced their CI

21:26

CD platform under the Apache

21:28

2 .0 license in a

21:30

new GitHub repository. So apparently

21:32

the move to open source

21:34

was announced at the end

21:37

of February in 2025 at

21:39

Semaphore Summit. That's really remarkable,

21:41

one, that they're making this

21:43

available open source. But what is

21:45

so cool is that it

21:47

is an Elixir and Phoenix application.

21:50

I didn't know Semaphore was a

21:52

Phoenix application. So that's really

21:54

neat. So we've got a link to

21:56

the GitHub project, Semaphore IO

21:58

website and the documentation where you

22:00

can get started with it.

22:02

So when you look at the

22:04

GitHub project, it's 77 % elixir.

22:06

There's some other languages like

22:08

some TypeScript and Golang and other

22:10

things in there that are

22:12

in smaller percentages. This was

22:14

announced by Marco Anastasov, who

22:17

is a co -founder of

22:19

Semaphore CI. And he said,

22:21

this is the biggest news

22:23

we've released since launching Semaphore

22:25

2 .0 in 2018. So

22:27

what have they actually done here?

22:29

They have open sourced what they're

22:32

calling their community edition, and

22:34

the company continues to offer an

22:36

enterprise edition. So you can still

22:38

run that on -prem, but it does require

22:40

a commercial license. And then

22:42

they also still offer Semaphore Cloud

22:44

as a hosted solution. in

22:46

case, you know, you don't want to run

22:48

your own thing or you're wanting enterprise solution stuff

22:51

that you don't want to maintain. I

22:53

know for myself, I've used GitLab

22:55

for CI CD in the past for

22:57

self -hosted stuff that we needed to

22:59

be able to have for compliance

23:01

reasons to be able to say, you

23:03

know, no one has access to

23:06

this and all these. Yeah, it just,

23:08

it was easier with GitLab. And

23:10

this is just an interesting option to

23:12

say, oh, well, I want to

23:14

run Semaphore. And I can

23:16

do that in -house. And they have

23:18

documentation on how you can do that

23:20

on Kubernetes or different ways of

23:23

running it. But really, I

23:25

mean, the coolest part is that this

23:27

is an Elixir application. So

23:29

if you want to start poking around just

23:31

to like see, how does something like this work?

23:34

That would be a great one to

23:36

just be able to poke around and

23:38

learn from too. Yeah, that's got to

23:40

be a big code base. We've

23:42

typically thought of like Nerve's Hub

23:45

being a good example of like cross

23:47

domain cutting like a lecture code,

23:49

right? It's dealing with devices and then

23:51

Phoenix stuff as well. CMA4

23:53

is going to be similar in that

23:56

regard, right? It's cross cutting into infrastructure at

23:58

this point, right? But then

24:00

also, yeah, so CI things as well. And

24:02

then of course, it's a big elixir

24:04

app. So it could be a really interesting

24:06

thing to see how they accomplished, you

24:08

know, how they solved common problems in Elixir.

24:10

Anyway, very exciting news. It's a general

24:12

tool that you could use because you're a

24:14

software developer and you want to be

24:16

able to have CI CD. So here's another

24:18

option that it's open source. And

24:21

then it's Elixir and Phoenix.

24:24

That's so cool. All

24:26

right, next up there's a

24:28

SQL parser and sigil. It's simply

24:30

called SQL. Good

24:33

luck Googling that one, I guess. It's

24:36

called SQL, and it's been a work in

24:38

progress alpha stage, I guess,

24:40

at this point. So we got a link

24:42

to it. It's elixrdbvisor slash SQL. But

24:44

the news is that they've published some impressive

24:46

benchmarks recently. So we got a link out

24:48

to the Google group post that talks about

24:51

this. Here's a quote from it.

24:53

So SQL, the package here, parser

24:55

package here, is between

24:57

400 to 650 times

24:59

faster than Ecto to

25:01

generate SQL. That's pretty

25:03

darn impressive. That's

25:05

that's pretty impressive. Mind

25:07

you, you know, it's not apples to apples.

25:09

Ecto is obviously doing a lot more. You

25:11

have Ecto schemas in there that do a

25:14

lot of like typecasting and things like that.

25:16

But when it comes to interpolating values

25:18

and translating to SQL, that's that's really

25:20

impressive. That's and it's really fast. The

25:23

idea, you know, here to just

25:25

kind of like rip from the read

25:27

me a little bit, just just

25:29

so you know how to use it.

25:31

It's based on that SQL sigil,

25:33

right? So you're basically writing raw SQL

25:35

in this sigil and it will

25:38

parse it for you and interpolate values

25:40

for you as well. So

25:42

in this like string like thing,

25:44

you could just put your, you

25:46

know, where email equals and then

25:48

interpolate the value of email in

25:50

there. And it will make sure

25:53

that it is parameterized, you know,

25:55

correctly and sent over the wire,

25:57

I presume, via your app dot

25:59

repo. So it's pretty interesting, and

26:02

I presume it would

26:04

handle basic scalar types normally,

26:07

but where it won't connect to Ecto

26:09

at this very moment, at least,

26:11

is your schema. So if your schema

26:13

says that this field is this

26:15

other type here that's not a standard

26:18

type, then that's where it

26:20

may not work out right now. But

26:22

interesting to think about, I think there

26:24

could be a interesting future for SQL.

26:26

You know, I've always loved to SQL

26:28

SQL anyway, at least for compile time

26:30

checks, could be pretty interesting to write

26:32

for, I was thinking about this the

26:34

other day, I'm slowly coming around to

26:36

like a decision here about like a

26:38

normal, a normative practice for Ecto migrations, like

26:41

stop using Ecto for migration,

26:43

not Ecto, like the migrator

26:45

and the runner totally fine,

26:48

but stop using like, Normal

26:50

code application code in Ecto migrations. For

26:52

example, you need to just update some

26:54

some field, you know, across the table.

26:56

Don't use Ecto queries for that. You

26:58

get into trouble nine times out of

27:00

10 or some weird things going to

27:02

happen later in a year after you

27:04

do that migration, right? It's always way

27:07

after someone's starting up from scratch, for

27:09

example, and running migrations and all a

27:11

sudden they're trying to run this stuff

27:13

that doesn't exist anymore. And so instead.

27:15

I've been finding myself just writing a

27:17

lot of executes. And executes is

27:20

just EctoQueer's way of migrations, a way

27:22

of just running raw SQL in

27:24

there. And so I've just

27:26

been writing a lot of

27:28

raw SQL in my migrations like

27:30

this. And so the Sigil

27:32

SQL library here could be a

27:34

really interesting and more safer

27:36

way for me to do that.

27:39

So something I've been thinking about. I'm not ready

27:41

to commit to that quite yet. Interesting.

27:45

Yeah. So very interesting. So anyway,

27:47

the sequel sigil is between 460,

27:49

650 times faster than the Ecto

27:51

is to generate sequel. That's the

27:53

news item today. Worth exploring. Keep

27:55

that in your notebook for coming

27:57

back to. This is going to

28:00

be a good project, I think.

28:02

It's very interesting. And

28:04

next up, beacon CMS

28:06

is reducing development due

28:08

to dockyard cuts. So

28:10

what that is is dockyard. had

28:13

started this project called Beacon CMS,

28:15

which was a content management system

28:17

that was all written with Phoenix

28:19

and LiveView. It's been demoed at

28:21

different conferences and things where showing

28:23

how interactive it was. Like you

28:25

can edit these web content elements

28:27

and just having them immediately updated.

28:29

The idea was to say, hey,

28:31

we want to provide something that

28:33

has WordPress -like functionality in that

28:35

I don't have to be a

28:38

programmer to be able to work

28:40

on this website and my marketing

28:42

website, just business stuff. I

28:44

want WordPress like functionality, but not

28:46

using WordPress because it has its

28:48

own set of issues, running WordPress.

28:51

Unfortunately, Brian Carterella

28:53

shared on Blue Sky that he said,

28:55

it's going to be tough as we

28:57

haven't had any paying clients for it,

28:59

to talk about BeaconCMS. The

29:02

investment is very, very high and

29:04

without any movement on client inquiries,

29:06

it's not making any financial sense.

29:08

Because of that, they're having to

29:10

pull off some of the people

29:12

they had dedicated to working on

29:14

the project. So they're being pulled off to

29:16

other things. So BeaconCMS, still

29:18

there, still open source, but

29:20

Dockyard is not being able to push that

29:22

as much as they have been. So

29:24

just heads up. I'm not sure what that

29:27

means for the future of the project.

29:29

I mean, if it's in a point where

29:31

people want to community level pick it

29:33

up and run with it, I don't know.

29:35

But I just wanted to pass that

29:37

along. Yeah, it makes a lot of sense,

29:39

especially right now. Makes a lot of

29:41

sense. I mean, it's company run, company sponsored

29:43

right now by Dockyard, which we obviously

29:45

the whole community would be very grateful for.

29:48

But that said, Beacon CMS is

29:50

an incredibly important project, I

29:52

think, for the future adoption of

29:54

general CMS systems out there,

29:56

which WordPress has a huge market

29:59

share out there. And

30:01

it's steadily decreasing. No

30:03

thanks to all that drama.

30:05

We won't go into that. But

30:07

Beacon CMS is also a

30:09

very, very interesting approach to CMS

30:11

systems with a compiled system

30:14

like Elixir that also recompiles and

30:16

runtime efficiently. What you

30:18

see is what you get kind

30:20

of editing in there. It's leveraging

30:22

all the superpowers of Phoenix Live

30:24

View. It is a wonderfully architected

30:26

solution so far. I hope

30:28

it doesn't get left on the branch and

30:30

die off. I hope someone picks it and

30:32

runs with it. Well,

30:34

that's everything we have for

30:37

Elixir specific news. There's

30:39

one other thing I've heard and I wanted

30:41

to pass along because this impacts a lot

30:43

of us just who are web developers. And

30:46

this was big interesting news

30:48

about how authentication is changing.

30:50

And this is happening at

30:52

the W3C level with all

30:54

three big major browser makers.

30:57

This is interesting. I'm going to pass along

30:59

a lot of the other resources. There's

31:02

a podcast I listened to. I've been listening

31:04

to it for like over a decade. And

31:06

it's called Security Now. So I've got a

31:08

link to that episode plus the show notes.

31:11

And the show notes is it's

31:13

a PDF where they go

31:15

into deeper. discussion about this. So

31:18

what it's called is device -bound

31:20

session credentials. So

31:22

it's a three -hour -ish long

31:24

podcast. And

31:26

yeah. I guess

31:28

our listeners should be thankful that we don't

31:30

do that. Yes.

31:33

In the show notes, I've got a

31:36

links to where it starts. Like the

31:38

discussion about this topic is two hours

31:40

and 23 minutes in, and it runs

31:42

for 50 minutes where they talk about

31:44

this. So I'm just summarizing, right? There's

31:47

a lot to this. So I'm just going to summarize

31:49

what this is, just to put it on people's radar

31:51

to make sure we're aware of it so we can

31:53

start planning for it and looking forward to this. So

31:55

what this is, is this is a change

31:58

to how session cookies will work. So

32:00

again, it's a W3C initiative. So

32:02

this is All major browsers are working

32:04

on this and implementing this and

32:06

it's a browser side thing. But it

32:09

will require some minor changes to

32:11

the web application frameworks to work

32:13

for it. So that means Phoenix will

32:15

have to have some changes to

32:17

be able to fully support this. But

32:19

most of the work is being

32:21

done by the browsers. And so what

32:24

they're trying to do is fix

32:26

security issues for everyone across the board

32:28

and roll it out slowly and

32:30

let frameworks and websites and servers adjust

32:32

and adapt over time. So it's

32:34

not like it's going to break anything,

32:37

it's just going to be upgrading. So

32:40

let me see if I can

32:42

understand this so far. So DBSC, I'll

32:44

just call it that, device bound

32:46

session credentials, right? So today,

32:48

web applications have a typical authentication

32:50

strategy by sessionizing credentials. And

32:52

that session is stored in a

32:55

cookie that the browser kind

32:57

of takes around and validates and

32:59

makes sure that it only

33:01

is sent. appropriately when you're on

33:03

that domain, send that one

33:05

cookie that's there. Inside

33:08

of that cookie is going

33:10

to be just information that the

33:12

server side application can then

33:14

pick up, decrypt, validate that it's

33:16

still good, and then

33:18

trust that. And so

33:20

the trust there, a typical web application will put

33:22

in the current user ID in that session.

33:24

So that's how they know who that user is.

33:26

And then they may stuff more stuff in

33:28

there. But that's a traditional

33:31

session cookie here, right? Yep.

33:33

And those are typically set by, you

33:35

know, if you think about the methodology

33:37

of logging in, you can, you can

33:40

think of like this as a SSO,

33:42

you know, SSO is where you kind

33:44

of bounce around between a couple of

33:46

websites that know who you are, but

33:48

eventually you get this trusted token and

33:50

so you set your session cookie or

33:52

a magic link, which is again, just

33:55

another mechanism for sending an email. And

33:57

if you have that email, then you

33:59

go to this. you know, the specific

34:01

link that is consumable only once, you

34:03

get that special token and it sessionizes

34:05

your, you know, you at that point.

34:07

So that's SSO, magic link or standard

34:10

email and password login, but the end

34:12

result is all the same. You get

34:14

a session cookie at the end of

34:16

that little flow, but there's more stuff

34:18

coming up. And I guess that's what

34:20

DBSC is about, is about replacing that

34:23

session cookie with something that is more

34:25

secure, but I'm a little

34:27

confused. How does this tie into

34:29

things like, okay, there's the hardware

34:31

level of things, but then there's

34:33

also like upcoming things that are

34:35

not widely adopted yet, like like

34:37

pass keys or web often or

34:39

something like that. Is that pass

34:41

keys and web often? Is that

34:43

leading towards DBSC here? What's the

34:45

thing? What's the deal? It's not

34:48

actually, it's separate and not fully

34:50

related to those. First, we need

34:52

to understand why is DBSC needed?

34:54

David did an awesome job laying

34:56

out how cookies are set and

34:58

what they're actually holding. So

35:00

cookies are a

35:02

31 -year -old technology. It's

35:04

kind of crazy to think about how long it's been. It

35:07

was actually invented in 1994

35:09

by a Netscape engineer. And

35:12

then through the years, they added the

35:14

secure flag so that the cookies will

35:16

only be transferred over HTTPS connections so

35:18

they're not being passed in the clear.

35:21

But really, the reason they're needed

35:23

is because cookie theft is a

35:25

major cause of account hijacking. So

35:27

the idea is if I can get

35:29

your cookie, then I'm logged in effectively as

35:31

you on some other computer because I

35:33

was able to steal that cookie. So

35:36

that's really the problem we're

35:38

trying to solve. And in that

35:40

time of 31 years, there's

35:43

been a lot of improvements to

35:45

cryptographic options that are now

35:47

available. So there's new options that

35:49

we can use. So what

35:51

this does, the core concept here

35:54

is that it uses device -bound

35:56

cryptographic keys that cannot be

35:58

exported from the user's device. So

36:00

you think like an iPhone

36:02

or a Windows machine, they have

36:05

a TPM, which is a

36:07

hardware element that's in the hardware

36:09

that stores a cryptographic secret

36:11

in the hardware that never comes

36:13

out. the other pieces

36:15

of the hardware and the software can

36:18

talk to this TPM. And a

36:20

TPM is a trusted platform module.

36:22

That's what that means. What

36:24

can happen is, is you can say,

36:26

I want to have this piece of data

36:28

signed by the secret that is in

36:30

the TPM and the little hardware module will

36:32

do that signature for you, but it

36:34

never exposes what that secret is. And that

36:36

secret is tied to that device. So

36:39

you start realizing, okay, so now we

36:41

have this secret that is secure. There's

36:43

been no way that they've discovered about

36:45

how to actually, you know, steal that

36:47

secret. Like software, even if you had

36:49

malware running on the computer, it could

36:51

not steal that secret. It's a physical

36:53

hardware thing. You'd have to crack it

36:55

open and be able to try and

36:57

figure out what was in the actual

36:59

hardware. Something's got to get to it

37:01

though, right? Like you do have to

37:03

like provide some, what, some sort of

37:06

authentication. at the OS level, I guess,

37:08

to be able to access the TPM

37:10

functions to give you the thing. But

37:12

I guess that's the point, is that

37:14

it's OS level at that point, right? That's

37:17

where the MacBook is going to ask

37:19

for your little fingerprint or your iPhone's going

37:21

to ask for the face scan. That's

37:24

the authentication method at that point. Yeah,

37:26

so you could be tying different. The

37:28

OS could say, we're going to tie

37:30

a fingerprint or a face scan to.

37:32

be able to access these

37:35

functions, being able to sign things with the

37:37

TPM. So yeah, you

37:39

still have that separate level

37:41

of authorization, like that you

37:43

need to be authorized to use

37:45

this, but yeah. So anyway, the whole

37:47

core concept is you're talking about

37:49

TPMs, these trusted platform modules. And

37:52

so then what happens

37:54

is, is with session registration,

37:56

browsers can create cryptographic

37:58

keys at sign -in and

38:00

then the cookie has refreshing

38:02

ability now, where the

38:05

browser automatically proves device possession

38:07

periodically. And so what

38:09

you're doing is that sessions

38:11

are cryptographically tied to physical hardware.

38:13

You get your normal cookie

38:15

session set up. And like what's

38:17

beautiful about this solution is

38:19

it doesn't break anything that currently

38:21

works, right? It still all

38:23

works the same. It's just that

38:25

this session, the length of

38:28

that session, is going to be

38:30

much shorter or can be

38:32

much shorter. Because right now, a

38:34

very common approach in mobile

38:36

applications and front end spas is

38:38

that that application, that front

38:40

end spa or the mobile app

38:42

will get a long lived

38:44

token that is used for signing

38:46

short lived sessions. So that

38:48

if the short lived session is stolen, And

38:51

the cookie hijack, you know, it's

38:53

gonna time out in expire in 15

38:55

minutes or something like that. Because

38:57

you'll notice like when you're using your

38:59

mobile apps and stuff, you sign

39:01

in and you like never sign in

39:03

again. You may re -authenticate to do

39:05

a sensitive action, but you're not

39:07

like signing in and proving who you

39:10

are on the mobile device in

39:12

that application over and over. So what

39:14

this does is it's like that.

39:16

It's you're having this long lived secret,

39:18

which lives in the TPM and

39:20

the website then will now say, Hey,

39:22

it's been a little while. I

39:24

need you to reauthenticate your session for

39:26

me. Prove that you're still the

39:28

same device. And then so

39:30

there can be this little handshake

39:33

that goes on where it's read

39:35

the TPM is used to re -sign

39:37

the secret and refresh another short

39:39

lived cookie for the application. People

39:42

have been solving this on their own

39:44

writing their own code to do this. But

39:46

this is saying, you know, this is

39:48

so important. We're just going to like make

39:50

this the way it works and using

39:52

the hardware to hold that session. That's interesting.

39:55

The hardware does not hold the session.

39:57

I shouldn't say it like that.

39:59

But like the hardware is the key

40:01

to proving that you control that

40:03

device and it's signing the session and

40:05

renewing that session. So what it's

40:08

what it actually requires from the web

40:10

frameworks. is that they have to

40:12

have some other endpoints for that extra

40:14

browser conversation to happen. So the

40:16

browser will be able to hit an

40:18

endpoint on the website to redo

40:21

that short -term negotiation for updating the

40:23

session. That's pretty much all it

40:25

will be, right? It's like my normal web

40:27

application code won't change. It'll still just be

40:29

sessions. I won't. have to do anything and

40:31

change the way I code anything. A little

40:33

bit of change has to happen at the

40:35

framework to be able to answer that browser

40:37

query and that session going back and forth. But

40:40

it's going to change how

40:42

cookies work at a fundamental

40:44

level. So yeah, I've got

40:46

links to some other resources where you can

40:49

check it out and get a little bit

40:51

more information. This is just

40:53

starting to roll out. This

40:55

was just recently added to Chrome

40:57

version 135 and Firefox 137. So

40:59

this is starting to happen and

41:01

not all hardware has a

41:03

TPM. So it's not going

41:05

to be everywhere all at

41:07

once, but it's coming. And

41:09

it's just something that we want to

41:12

be aware of because ideally we want to

41:14

protect our users as developers of our

41:16

applications. And so this will

41:18

be another way to prevent cookie

41:20

hijacking and locking sessions to a

41:22

specific device. It's just really cool. Yeah,

41:25

I'm going to have to keep an eye out

41:27

for that one. Yeah. I'm sure we'll be talking

41:29

about it again, especially as updates are made with

41:31

really popular frameworks like Phoenix, the one we care

41:33

about. Yeah. I'll have to hit up

41:35

Owen over there. He's got the

41:37

web often live view example too, so I'll

41:40

have to see what he thinks. Yeah.

41:43

Well, unfortunately, that's all the time we have for

41:45

today. Thank you for listening. We hope

41:47

you'll join us next time on Thinking

41:49

Elixir.