Analysis Summary
Performed authenticity
The deliberate construction of "realness" — confessional tone, casual filming, strategic vulnerability — designed to lower your guard. When someone appears unpolished and honest, you evaluate their claims less critically. The spontaneity is rehearsed.
Goffman's dramaturgy (1959); Audrezet et al. (2020) on performed authenticity
Worth Noting
Positive elements
- This video provides a transparent look at the architectural decisions behind an Elixir-based security library and the realities of 'indie hacking' as a software developer.
Be Aware
Cautionary elements
- The highly informal 'buddy' dynamic can make technical claims about the product's efficacy feel like personal advice rather than a marketing pitch.
Influence Dimensions
Knowing about these techniques makes them visible, not powerless. The ones that work best on you are the ones that match beliefs you already hold.
This analysis is a tool for your own thinking — what you do with it is up to you.
Transcript
okay yeah we're live uh I'm just gonna just going to copy the it's going to make the announcements everywhere on the internet yeah you can post it on on Reddit as well if you'd like yeah okay no and well there's nobody here really but are we streaming now yeah we're streaming three people on Twitch hello one person on uh there we go there you go hello hello morning good morning wait I got to I got to put you in full screen how do I put this full screen here full screen boom that's better look at that all right welcome everyone thanks for joining so early uh Alex and I we gonna talk about our new startup well startup company easy site our new thing our new thing by the way uh I think yeah you should be you should be good to to be yeah and we also going to talk about Phoenix to ban so yeah if you have any questions about Phoenix to ban then uh please send them in the chat if you have any questions regarding anything else really just anything you want to talk about you know what our favorite coffee brands are like car favorite car brands you know why would yeah cars yeah we could redirect car questions to me coffee brand yeah while we both love electric cars and we think they're great no I like my gas as you can see from my Chev Chev shirt old old school American muscle oh that's a good question here has one who can solve a Rubik's Cube faster I don't know uh I don't know I mean I have mine right here oh you do have one I I don't I don't even have one I just have this black thing which you can like put together oh it's more of like a yeah it's like AET like a fidget spinner yeah like this look my dexterity are you impressed with my dexterity I'm I'm thoroughly impressed look I'm not not even looking yeah I'm pretty intimidated right now I don't know I don't know the logic of a Rubik's Cube but I can do this very fast so uh I should I think my best time is like a minute and a half I'm not I'm not a speed cuber I can't do it in like is that good minut half seconds I 
don't know I think it depends who you ask if that's good enough yeah what's the world records probably like five six seconds or something yeah I think I think it's something like that it's it's absurd yeah probably like six and a half seconds I'm saying world 3.13 no way 4 seconds that's so fast that's that's crazy I'm going to try to move you back into the frame people can't see you yeah you have to stop moving just stay stay still now don't move at all only talk and look straight into the camera straight no blinking I'm Greek I have to move around and talk with my hands I do you talk with your hands as well I thought only the Italians do but maybe it's the Mediterranean thing it's it's just a Mediterranean thing I see yeah is it because you always have food in your hand or coffee yeah we're always like eating pava Musa or something hello from Germany hello back to Germany from the Netherlands to serpent 213 where about in Germany I'm I'm German I come from Essen maybe you know it Essen Bor no um like Alex I don't want to confuse you but I'm also half talking to the chat like but uh feel free to say whatever comes to your mind anyway I figure I figure everybody's going to react to everything all the influences everything that's happening yeah well seven people already there that's cool right I said do you want to you want just get into it and then yeah sure I guessing I guess people want to actually you know listen a from hanova yeah very close by um oh you can also Alex you can also see the chat if you got to well you should go to Twitch as well and then mute your mute the the video okay and then and then you can see the chat it's it's there yeah um but yeah while Alex is setting up twitch uh we are here to talk about our latest Endeavor in The NeverEnding journey to wealth and depression basically whoever whichever comes first will win uh and yeah we started a new thing called easy sweet EAS sweet um it's it's just going to be an umbrella app or not an app but 
an umbrella term like umbrella company for multiple small products we have in mind and I mean Alex and I we've been working well in software Alex has been working forever he's one of these dinosaurs that still like that were around when these like uh little you had these little the jQuery days the jQuery days yeah I mean that's even that's even more like more almost modern history right but I mean I'm talking about the The Punch Cards well now probably you were you were in b i I know my father he worked with Punch Cards back in the day yeah and then he he would rent the um the servers well the servers you they didn't call them servers they just called them Computing machines and he would rent them during the night because then the company that owned them didn't use them so he could do his research on them and just had these long these big chunks of Punch Cards and then you to feed them into it and yeah eventually you hope that you get a good result out so those were the days where the real Engineers were working still before the days of uh print debugging yeah I guess right I mean nowadays it's just like iio inspect and you get it and everything is super fast but yeah anyway uh but yeah easy sweet uh it's going to be umbrella project term company name whatever uh for multiple small products and the first one of it is Phoenix the ban and maybe some of you have seen the video that we posted yesterday and maybe some of you even have looked at easys s.de and also looked at Phoenix to ban we also made the public the docks public just like open Pro um yeah I don't know Alex Fenix the ban is kind of your brainchild like what made you come up with that idea yeah sure uh yeah so having run a few SAS products some more successful than others and some you know no traffic at all uh after like after your your product gets a little bit of of traction and uh you know you start showing up in search results and and stuff like that inevitably you're going to get hammered by BS 
coming through there trying to find if you're running WordPress or Drupal or any you know D Jango admin Pages or stuff like that and uh yeah I mean eventually these things will just send thousands and thousands of requests just trying to fuzz out and figure out what what you have exposed and what you don't so yeah the the idea behind Phoenix the band was to kind of create a fail to ban alternative but you know built right into your Elixir app because I you know maybe I abuse the beam more than most but I I like to use you know the the airline uh virtual machine kind of as like my operating system as opposed to just like the dumb application layer so if I can pull something into my you know my my Elixir layer I will do that as opposed to you know running a whole bunch of system D services uh just because then you know you have unit test coverage on on things that you're running inside of your app versus not yeah but um yeah I wanted to create something where you could just easily add a couple lines to your supervision tree your your mix file and boom you've got you've got essentially a web application firewall within a couple lines of code yeah and then all that traffic gets filtered out your logs your metrics you know all those things get cleaned up uh you know all those Bots are not wasting CPU time going through your entire router and your entire endpoint file uh yeah just just try to mitigate all that nonsense as best you can yeah that was kind of the idea with with Phoenix the ban that that makes sense do you think that the B Bots will also kind of learn not to P the anymore after they get banned uh maybe I I have no I have no empirical evidence there yeah but I have noticed so I'm running you know Phenix de band in my my SAS application and when I first deployed Phoenix to band you know I was getting spikes of thousands and thousands of of crap requests but as of like this week and last week it's down to like you know a few little spikes here and there but 
nothing what it what it was yeah maybe maybe maybe they've you maybe they're smart Bots and they they're like oh okay this guy's definitely not running WordPress yeah yeah we don't want we don't want to mess with him right he blocks us yeah yeah he he means business yeah that's interesting I I also have it running now in Indie courses and it's also just fun to see when the attacks happen and I think same with you they they happen at like 3:4 a.m. for for your local time and the same happened with me which is no actually it wasn't 34 it was 34 a.m. your time although I'm in Europe so they probably just assumed like I'm an American person or like the companies run in America but yeah it's also interesting that exactly that time where everybody's asleep that's when the the butts come out so my suspicion there again no empirical evidence is 100% just just shooting from the hip here yeah from my gut good um so I so in in Phoenix the ban we have the live dashboard um plugin so you can see what IP addresses get banned uh I actually looked up that IP address in one of those like geolocation services you see where it was right and you surprisingly was it was I think it was in China or Russia or something but my guess is they probably perform these attacks in the middle of the night on the opposite end of the world yeah because they're like okay I can get away with it because you know the Ops team is sleeping or something yeah and and it's also their work time right exactly so that's probably what happened here just somebody is coming to to the workspace at like 9:00 in the morning and they press a button and the butts run and you see you can do with it yeah okay yeah that's interesting I mean also one one of the things that that I like about it is I mean we we've seen that a lot now with different libraries being pulled into the Elixir space like we have the the error tracker library that basically tries to replace centry you know or app signal and that's pretty cool 
because you know eventually it's it's free to run it um if it's just running inside your application it's a free open source library and then uh yeah you also got the the Phoenix makes analytics I think is called the library which is kind of plausible uh but then also again run inside your application your Phoenix application um and I like that I like that move I think because what I like about Phoenix saan is I mean right now it is like the one feature we build as an MVP is the spot protection and it runs only on routes that you don't have in your router because you know those are the usually the ones that the Bots try to access like like the WordPress login page or the Drupal login page or like PHP uh certain PHP files that are very common um but I mean like on this this like filtering whether a bot tries to to access a route that does not exist I mean that's only our first step with things to ban right and and what I like about the exciting new features which we can also talk about uh is that they really integrate with Elixir and with Phoenix and that allow us to tailor our solution to Phoenix you know instead of like these I mean there already many softwares out there that do this uh web application firewall stuff um but they don't they can't you know go into Phoenix and actually hook into your live view and perform some actions right because they they're not written in Elixir so uh like that's why I like that we also build it inside Phoenix inside Elixir yeah yeah yeah we've had a few questions from people ask like hey how's this differ from something that I could deploy you know it's my kubernetes cluster and you know that's my Ingress and then that filters out traffic and uh yeah I mean just like you said we have the advantage of being inside of the application so we can hook into things that you know maybe something that's running on your network doesn't have access to um you know we can we can validate that people aren't messing with your your Phoenix live 
view values because we can validate that data I mean these are just things that you can't can't do at the network layer you have to do at the application layer so like everything in engineering it's trade-offs right like okay if you're if you're running some C++ binary that does filtering it's probably going to be faster Phoenix to ban uh but then again now you have to like either AP install it and configure it or you got to deploy it as an Ingress in kubernetes and there's a whole bunch of work involved with deploying that versus like three lines of Elixir code yeah and then you mix depths. getet that's true uh I also want to ask like in in the chat does anybody have questions about Fenix the ban did you did you check it out uh did you like it and uh was everything clear to you or was it was it kind of difficult for you to understand it yeah and sorry I'm just getting a lot of like my my OB my OBS is complaining a little um yeah but Alex I mean you already mentioned a couple of features that we that we tried to build um like can you because you already built a PC for that uh proof of concept like can you talk about the the live view value verification yeah yeah sure so yeah just to give everyone uh the context there so in live view um you could add you know uh attributes to your tags so PHX D- value Dash and then whatever the key is and then any any time an event happens you'll get that in your handle event along with the uh the attributes that you that you wanted there the problem there is um that all get stored in the HTML so if you do like inspect source and you change the the the the Phoenix value when you click that button or whatever the server is going to get that you know tampered with value so if if somebody you know let's say you're you maybe you're a little forgetful on the back end and you you for get to validate that hey uh you know this person can actually delete this record you you know your your authorization bit not your authentication bit so if 
you forget to do that kind of stuff and you know you have some malicious actor on the front end changing values now you're acting upon data that you didn't necessarily intend the user to have access to um so yeah there there is a a p that I put together I think like a year or two ago on how to validate U incoming data uh on the back end so to make sure that whatever the front end sent was what you intended it to send and it's not something that was uh manually injected by by a malicious actor yeah so I think we're take that from yeah I just want to make that a bit clearer like the the problem here because like I also made already two or three videos I believe about the how to attack live view that's also one about it on on my channel on YouTube and uh yeah basically what you do is you know if you have a button to delete a Rec record like that button would have a phoenix value with the ID of that record and then in your uh in your live view you would get a handle event right with that ID and then you would usually just take that ID of the record and delete it from your database but you know what you got to watch out and also update not only update you update delete and even create although you don't have IDs and in that but still you would need to always check that the ID you're receiving in the in the event handler is actually the ID that you put into the T template because somebody can just inter like can do the man of the middle and just you know use the web ccle connection that they have in the browser and send these events to your back end without ex and they can even literally change the HTML in the browser change the ID to another ID and click the button and that would do the same trick um so that way they can you know just enter an ID of a record they know that exists but that they they don't have access to and they click the button and the record is gone because you're not checking on the backend that the record the ID you receiving belongs to the record 
that you're expecting right so I think to be clear like in your context function you should add that that logic in there to make sure that whoever's like whatever IDs are getting passed in does this person have access to it based on like the calling context and stuff like that so we're not saying if you use this you don't have to do that kind of authorization you definitely should still do it but just in case this is just another layer of security where now you could also profile traffic like you could say Okay somebody's tampering with my my my uh my data on the front end MH most people are not going to you know press F12 and start changing stuff like you know your daily users are not goingon to be doing that yeah so you can start figuring out okay someone's trying to actively attack my site and profile and figure out and deal with it accordingly okay so so like the PC that you built a year ago so how did it work technically in in high level terms yeah so they're in in cryptography there's something called the hmax and that's essentially a way to sign a piece of data and then if that data ever changes you're going to get a different uh you're going to get a different hmac key so then you know okay this data does not line up with this hmac key I know that it must have been uh you know tampered with it's there's no longer data Integrity there so the way that PC worked back uh you know a year ago was every time you did a um or you had a phoenix value you had to call a function it would take whatever you passed in it would append some sort of a an hmac key at the end of it and then in your handle event you would say okay when I'm handling this event and taking in this data ensure that number one it has an HM key because you could do the you could also do the same thing you could delete the hmac key and the Phoenix value and then you're back in would say oh okay this value looks fine I don't have an hmac key to compare so you say hey this should have an hmac key please 
validate it so checks to see if an hmac uh key exists and if it do does exist then take the data and then uh pass it through the the airline crypto function for generating hmax given your secret key and then do the signatures line up if so this is valid data and the user can proceed else you have a uh you have a malicious actor yeah yeah that's that was the high level yeah yeah that's pretty cool and and again because we build Fenix the ban as a as an Elixir application we're able to hook hook into your life view um hooks basically maybe or at least give you a very easy to use helper function like we haven't defined the the API yet um but eventually yeah that's that's the one in the works yeah but it will allow us to give you the tools to do this very quickly yourself as well and ideally we would do it for you because that's what easy site is all about yeah yeah we got one question sorry already a little while ago uh is it a good fit to protect a public registration form from Bots it's a long form so I considered making a minimum fill out time a condition uh or use ash policies but that's related to The Ash framework so is it a good fit to protect the public registration form from Bots yes I would say so um because one of the features that we're working on right now is the uh the public uh IP ban lists and so maybe want to talk about that because I think you're going to be working on that next yeah well the idea here is your thunder no it's all right uh so so the the idea here is that uh there are public IP lists out there that list um malicious like IPS that have shown malicious activity and well these you know IP lists they are just publicly available and our idea with Fenix toban is that we would pull these lists every like 30 minutes and then whenever you get a request in We compare the request IP against these lists of malicious IPS and if we see well the IP that made the request is actually malicious according to that list we would ban it um and then you know 
they could not uh make any further requests to your application and these requests they might then also include to your gen your entire application because right now we only focus on the rout the routes that are not defined by you so we you know don't want to uh block any legitimate traffic to your to your existing routes but then in the future we want to extend this umbrella of protection over your entire application so that that is that is the idea here uh so if you have a public registration form and then you know there would be B Bots that already are on a public block block list they would be blocked by Phoenix ban as well yeah um then I mean you you could also so we provide the in Phoenix sabana Behavior so you could also Define your own like application specific rules uh you're not just limited to the rules that we we generate so we actually uh what's it called dog fooding when you when you use your own API type of thing yeah so we made the we made the behavior as part of the the you know the the library and we adhere to that same behavior when we you know give you guys rules to use out of the box that you know you could use as well yeah so if there's you know if there's some kind of behavior that uh not like elixir Behavior like actual Behavior just some kind of behavior that you see happening on your on your app that you can profile that traffic as malicious and yeah you can you can write a rule for it to to BL to you to ban those IP addresses and again also what Alex has mentioned earlier with the verification of of parameters um that might be also an extension maybe you know we could actually add um not sure well you know maybe there there ways to detect the Bots then but again like if you really want to go into bot protection like to like that looks like legitimate traffic you know because like we also don't want to block too much but there might be traffic that comes in that looks legitimate but it might be bot related and uh our good friend Michael 
actually he has a whole company basically built around that Pro that problem and the company is called perial and like Michael R works with businesses and Enterprises but I think he also now has a like a free library that people can use I believe there was something um but yeah he he's the person to talk to if you really want to go into the nitty-gritty details of how can I protect my application best against especially legitimately looking traffic yeah yeah I I actually have had this issue in my apps I found the best thing that I did it was a really easy one I just changed the or I updated the change set to increase like the number of minimum characters for certain Fields um and that was enough to stop 95 % of the the Bots wait how go in how does that work uh so like like on the eagle mm like contact us form yeah I think there's it's like it tells your problem type of thing why why even reaching out to us type of uh type of input and all the Bots would put in like five six characters of just garbage oh okay so I just increased the minimum character limit there to 12 or 15 that was enough to stop 95% of the B that's so yeah okay interesting yeah yeah so that's one idea and the other thing also what you can use is uh a a recapture uh Security check so something like recapture from Google you can also use please please don't use recapture from Google I hate it so bad don't use recapture from Google uh what I have I have to if I have to find one more bicycle I'm gonna lose but how many bridges are in this in these pictures Alex find all the bridges I I don't know if I'm getting older or these are just getting harder but you know what what what I hate actually is if you have the the one image and it's kind of like chunked into quadrants and you have to select all the quadrants that show like a motorcycle and then you have like a tiny little hook that is just in the other quadrant just just on the edge it's like is it not part or not and then you press it and of course 
it's wrong so you have to do the whole thing again and I me I had like five rounds of those damn pictures you know just to like submit a damn form yeah but I to turn this around to a serious note like all a lot of these commercial tools are just overly aggressive and really intrusive into your apps like you with Cloud flare a lot of times you get that like redirect screen where you'll just sit there spinning yeah and for a user that's not a very good experience seeing like they go to your website and the first thing they see is 3 seconds of loading because CAD Flair is trying to profile you or trying to submit a form and that stupid uh recapture pops up and you know somebody just can't fill out the pictures and like screw you I'm not I'm not I'm not gonna inquire about your service because I can't spill out the damn thing I don't care so I mean on a serious note it it is a balance of trying to find something that could protect your app you know from the majority of cases and then not hindering usage there's that famous graph where it's like security goes up usability goes down as as an inverse relationship it's true I mean the Yeah the more you the more you sit there and you lock down stuff the less usable it is so yeah that's true yeah and we also got a from s sorry if I pr pronounced that name wrong he says oh sorry this person says I use Hammer to protect login forms and compare against Blacklist or blocklist the public ones that's a smart use too like to use Hammer the rate limiting Library uh and then to compare it against the uh public block list yeah maybe we should do that like use a well I mean the blocklist we have on the road map but uh how do you feel about rate limiting that kind of idea um I don't I don't think we're going to pull rate limiting into Phoenix to band just I mean because things like hammer exist um like there I don't necessarily feel the need to recreate the wheel like Hammer does a good job yeah then I think it's written by is it uh Is 
It Michael muscala or well could be yeah I don't remember I mean Hammer is one of the old Elixir libraries from yeah you know 2015s 2016's ex hammer okay it wasn't Michael M yeah but yeah either way yeah I mean if you need rate limiting I would just use I would just use hammer I I don't suspect we'll be pulling that functionality into Phoenix the band yeah I think Phoenix the band's going to be very much focused on like bot protection you malicious IP protection uh more application firewall stuff as opposed to rate limiting yeah true I mean if we would go into rate limiting eventually I have this one idea which I think nobody really supports which is the websocket uh message rate limiting basically because I mean like the http Quest Rate limiting that is something that you can do with hammer and you know that is pretty simple to do as well but then when it comes to the webs connection because you know you might actually literally have like a public website like your landing page and it might be a live view so that means that you establish a webs connection to whoever goes to your website and if they are if they have a malicious intent they could go into the web socket and just blast you with random messages yeah uh and even if they would figure out like a working message they could just send them the the valid message over and over and over again just to you know mess with your memory usage and if they have a couple of processors doing that at the same time that might actually kind of DS you in that regard right so yeah I think that is that's the problem that literally nobody has solved that even if you go through Cloud flare or other protectors like that like they they don't tap into your web cycle connections right so that might be something yeah we could that's a feature that we should definitely add yeah yeah Phoenix to hammer so H ham hammer it hammer time yeah who knows yeah serpent also says he's uh serpent prefers self-hosted Solutions and I agree with that 
um I also think like the more I can pull into my own um into my own like application you know and if it's not too much a hassle to maintain then I'm I'm more than happy to do that actually yeah yeah yeah then I mean it it also it works nicely with hosting Solutions where you don't necessarily have access to the the you know the host itself so like if you're running on fly yeah you don't have access to their load balancers uh you can't really do much aside from you know exposing a port and then it takes care of the rest which you on the one hand makes it very easy to deploy but on the other hand if you want to have some sort of a like a security proxy or a filter layer you don't necessarily have that option unless you're also deploying that container and now you need to have them all talk together and then you've you know you've wasted a few hours trying to get all that running yeah versus Phoenix to ban three lines of code and you're up and running and you have more or less the same thing yeah I mean like I said you know you're still running everything in Elixir so okay you could say you're uh you know it's not it's not gonna be as fast as a c or C++ implementation of a firewall okay fair but you've also saved yourself hours of of tedious labor yeah exactly and the maintenance that comes with it and everything and yeah and yeah yeah exactly and we build Fenix the Banas in such a way that it actually almost doesn't affect your traffic a lot almost like it I I don't think it will be noticeable too much it's it's it's negligible because the way and I can dive into the architecture here so the way it works is uh so we have that plug that you put into your your endpoint file but um what that will do is it'll see if the incoming request is on the block list and uh that check is Just One X call it just says hey does this does this key exist in the block ET table so that that's all of one I mean it does it does in Elixir land it doesn't get any faster than just to look up 
in ETS if the key exists yeah true so that that's all that happens that's that's the only overhead that's added when the request comes in um the the actual analysis of the the you know the incoming request happens synchronously so it's not as if the request come in request comes in we analyze it and see if it's valid and then it proceeds that would that would that would kill performance which is you don't want to do that so the request comes in you check if it exists in in the block list and X if it doesn't cast the data to the you know the the analysis portion of the supervision tree and then just carry on uh and then in the analysis portion of the the supervision tree we have a partition supervisor and there's a whole bunch of workers there that are analyzing all your track trffic and and making sure what's valid what's invalid and stuff like that and then updating the at stable yeah so yeah doing it asynchronously minimal minimal overhead exactly yeah and and also I mean the actual work you have to do in the acing process is also you you you will barely notice it in your application right it's not that we spin up like millions of processes that do very heavy LIF no yeah yeah it's it's it's very minimal like all the all the rules that we have right now are uh like I actually I went through through all the Phoenix or the fail to Bam uh redx rules and kind of converted those into ones that uh I found relevant for for Phoenix event so it's just it's just doing a bunch of rejects to see is the request path invalid path based on you know WordPress rules and Drupal rules and python rules and windows rules yeah yeah so so how would one is it possible to extend these rules if you want to write your own rules maybe yeah yeah so we have that uh I think that's Phoenix the band that rule is the module but uh yeah that one defines the behavior and then I think it's two two or three functions that you have to implement for that behavior yeah and then that's it and then include 
it in your configuration as an additional rule, and boom, now you have your own traffic analysis rule. And in that behaviour we don't pass the entire Plug.Conn, because there's actually a lot of data in Plug.Conn, so we actually take a subset of that data so that we're not blowing a bunch of memory passing copies of the entire struct back and forth. So you can use the subset of data that we have; we have a struct for that, I can't remember the name of it. The nice thing is, since this is a premium paid library, if you email us and say "hey, we also want this field in the struct", we will most likely include it, but I went through the entire conn struct and found what I would suspect is the most useful stuff in there for analyzing traffic. Yeah, sure. And if you have a great idea for adding a rule that you think we should just have, and you don't want to implement it yourself, also just send us an email, let us know, and we're more than happy. I mean, this is really just the MVP, version 1.0. It will protect you; it won't protect the entire application, it won't protect you in every edge case, but we're working on that, and it will actually happen pretty fast, like in the next couple of weeks, maybe one or two months, before Christmas certainly. That is going to be our timeline for the missing features, so to say, for the big ones. Yeah, thank you for it, a Merry Christmas. Yeah, it's going to be Christmas. Because security is one of these things where everybody says it's important but nobody really wants to spend time and money on it, and I think that was our approach as well, right? We just said, well, let's just build this thing for ourselves, and then we just added it to our dependencies, we add like three fields, and that's it, and then we don't have to think about it anymore. That
was, I think, the approach here. Yeah, and it solved all my problems that I had, where my logs and metrics were all just getting demolished with junk traffic, because I use PromEx in my business and I have the Phoenix dashboard, and it gives you... what's it called, I can't remember the name of it, there's a metric that tells you the health of the app based on how many 400s and 500s and 200s you're sending out, and those metrics would always be skewed come the morning, because overnight I got like 10,000 404s from people looking for every single possible WordPress extension. Yeah, true. So it cleaned up my logs, it cleaned up my metrics, and now I'm not wasting as much CPU time on those junk requests. All my problems are solved by this, which I think makes one of the best products, right? You scratch your own itch and release it into the world. Exactly, that's true. Oh, thanks, Mr CER, thanks for dropping by, sorry that you had to go. Another question to the chat: do you have any other questions for us? Did we answer all your questions? What do you think about Phoenix2Ban? Are you willing to buy it, to add it to your application? And honestly, we're also more than interested in hearing your opinion about paid libraries in general, because it's a paid library for now. Alex has already created so many libraries; I think one of Alex's libraries will be on almost every single application that is ever built, I believe, he has so many out there. So that was also one of the reasons why we said for this one we're going to make it paid, because we really want to take the time to make it good and to make it safe for you, and we can only do that if we get a little bit of money out of it, right? Because we all have limited time; the question is how do you
allocate that limited time, especially if you have lots of kids. You gotta buy some of your time back. Yeah, exactly. But we really decided to not make it a subscription, and not even a very high, what we think, one-time payment. Right now it's at $99; that might go up to $149 once we have all the features in place. Thanks, somebody says the model seems fair. And again, we also don't limit you to the number of projects or how long you can use it. You can use it in as many projects as you want, you can have it in commercial products, so for your business, for your enterprise, but you can also have it in your hobby projects, and it doesn't matter: if you have an issue with your hobby project, we'll happily help you. But of course, if you're an enterprise customer and you would like to have a bit more support, maybe shoot us a message and we can talk about it. I think Alex has a couple of minutes to spare every day, no worries, right? Yeah. So let us know what you think about that pricing model and also about the price. Maybe you think the price is too high, maybe it should be higher, maybe it should be lower; what would be a price you were willing to pay for it? And while we wait for the answers to trickle in, I think there was one thing we forgot to mention in terms of the roadmap, which is kind of what fail2ban does, right, with the 400 analysis. Oh yeah, so like, how fail2ban even works. Basically, we probably should have started with that. We call it a fail2ban alternative, but it's not really, is it? So fail2ban, I didn't know... fail2ban is written, I think, in Python. It's in Python, yeah. But it's Python, right? Okay, so fail2ban is something that you install on your Linux box and you essentially tell it where to look in your
/var/log directory, for your Apache logs or your nginx logs or Postgres logs, whatever; you just tell it what logs to look at and it'll look at them. And then fail2ban also has a whole bunch of regex rules, so it's scanning your logs to find certain signatures, and based on those signatures it'll say: okay, time to ban this IP address, because it's attempted to log into Postgres, for example, or nginx, or do something malicious X number of times. So we got a lot of inspiration from fail2ban for Phoenix2Ban, right? So fail2ban also works in that asynchronous fashion: it's not as if it's sitting there as a middleware analyzing every bit of traffic before it allows it to pass through; it's working in the background, and then I think it updates ufw or whatever on Linux when it finds rules that... mhm... that fit various signatures. Interesting. But you really need to set up a lot to use it, right? I mean, first of all you need to have a log file on your server, and that is not something that runs out of the box with Phoenix; you don't have a logging file, at least, right? Yeah. Then you would also have to write your own fail2ban rules to catch the various regexes, but now you're working in kind of an undetermined... the output of my logs: what if nginx has a deployment or a new release version and they've slightly tweaked the logs? Again, unlikely, because I think people that work on nginx know that these kinds of tools exist and they don't tinker with the signatures of things, but still, that is a possibility, right? Versus if it's in the application layer, and we're hooking into Telemetry events or we're working with structs, that's all well-structured data. We're now out of the realm of non-deterministic behaviour, and
we know for a fact: this is the exact field, this is the exact response status code. There's no guesswork, there's no regex when it comes to finding things; I just look up that field in that struct and that's it. Yeah, interesting. I'm just thinking, how would you even set that up if you deploy to Fly, for example? Because you deploy a Dockerfile; you don't even have access to the actual server. You might be able to create that log file inside the Docker container that you run, but then... So I think, if you were dead set on running fail2ban on Fly, you would probably have to deploy an nginx container that's running nginx and fail2ban, and then proxy to your Phoenix app. Oh wow. Yeah, and Fly does that already for you, the proxying; they have their own proxy. Yes, so unless you can hook into their proxy... again, maybe this offering exists from Fly, I don't know; I'm just saying, based on what I know about Fly, I would suspect you'd have to deploy an entirely different container and then proxy. At which point, let's say that service is written in the fastest language, let's say it's handcrafted assembly code and it's the fastest firewall known to man: you still need to make a network hop now, and so all performance has just been thrown out the window, so you can just as well write it in Python like fail2ban. Yeah, so as soon as you have the proxy, now you're dealing with the network and you've added overhead, so it doesn't matter what language it's written in. That's actually true. And that's a common argument that I saw in a couple of messages we got, especially on Reddit; Reddit was very interested in our solution, I'd say. A lot of these messages were kind of
like: well, why don't you just deploy this thing? And I'm like, well, in order to do that I need to have my own proxy in place, which I don't. I use Fly, I have their proxy. Even if I would deploy to something like DigitalOcean or even AWS, then you still need to set up that whole architecture, with the only reason being that you want to set up something like fail2ban or whatever else is out there. That is such an overhead; nobody would do that, right? I don't think so. Yeah, and you could, but it's going to take you hours, versus this is like minutes. Once the hardest part of getting all this out to production, which was creating our own private Hex repo and stuff like that, was done, I just added two lines to my endpoint.ex file, and then one line to mix.exs, and then added one thing to my supervision tree. So three lines of code and it's done, and it solved all my issues. And you can even change platform: you can go from Fly to DigitalOcean or Hetzner and you don't need to change anything; it's running inside your application. Should you change the underlying operating system of your Docker container? Don't worry about it, all that kind of stuff. I think, for the trade-offs that I was concerned about, it solved my issues. Yeah. I think this is our MVP; we both are very happy with it, actually, it's helped our use case already, but we will continue working on it. Are there any other questions for Phoenix2Ban, easy sweet... I mean, also about me or Alex; if you want to ask anything personal, we're here to answer. And don't forget that we have our docs for Phoenix2Ban, they are public, so if you go to easys s.de you can just go to the Docs header in the navigation bar and you can
read... you can see all the modules that we have. You can't see the code, obviously, but you can see the modules, you can see the module documentation, you can kind of see how it's set up, and obviously, if you buy it, you can download the whole source code and look at it as long as you want, until your eyes bleed, I guess. Nah, they won't bleed, they will be in awe. "The most beautiful code I've ever seen", that's what everybody's going to say. There are some Elixir gems in there, I think. I think so too. Do you want to tease some? I think there's at least one that you could tease. Oh, the HyperLogLog? Yeah, definitely. So in computer science there's a class of data structures called probabilistic data structures, and they essentially make the trade-off from being 100% accurate and precise to "it's close enough", but now you no longer need to store all the data, right? You're storing hashes of data, parts of data, and so you get 98% accuracy, 99% accuracy, and now you've saved gigabytes of disk storage. So for our live dashboard plugin we actually have one of those probabilistic data structures running, collecting metrics in the background, and it's called HyperLogLog. What it does is, it's a fast cardinality counter, so if you throw an IP address at HyperLogLog it will know: okay, I've already tallied this IP address, I no longer need to tally it. So if you get 10,000 requests, maybe HyperLogLog shows you like 9,998, because again, it's based on hashes, it's not 100% accurate. But yes, we use that data structure in order to give you those nice line graphs in LiveDashboard: how many unique IP addresses accessed your server, in one-hour buckets, for 24 hours. And that's a rolling window too, so we have a ring buffer running in Phoenix2Ban with 24 buckets and they just keep getting cycled out, so you'll have
data for a running 24 hours, and whichever hour you're currently on, the head of the ring buffer, that one is a HyperLogLog data structure and it's getting incremented as requests come in. And then after that bucket switches hour, we tabulate the number of requests, and now the new head of the ring buffer is another HyperLogLog, it's empty, and then again. I just like saying HyperLogLog. Do you know why it's called HyperLogLog? What's the reason behind it? It's just a funny name. I have no idea about the history of HyperLogLog. Also, why two times "log"? You could just say HyperLog. Maybe there was HyperLog and somebody was like, it's like C++, I'm going to do one better: instead of HyperLog it'll be HyperLogLog. Yeah, but I think there's also a HyperLogLog++ implementation too. Let me look on Wikipedia, HyperLogLog... Question to the chat: has anybody ever worked with probabilistic data structures? Because I wasn't aware that those existed until I saw Alex's code. I think Bloom filter is another one, maybe that's something people have heard about, right? A Bloom filter. Yeah, so actually the first implementation of Phoenix2Ban used the cuckoo filter, which is like a Bloom filter. Bloom filters came out first, if I recall the computer science history correctly; I think Bloom filters came out first and then cuckoo filters are a slight variation on Bloom filters. I don't remember the exact differences. I think with cuckoo filters you can merge: if you have two separate cuckoo filters you can merge them and then you have one aggregate cuckoo filter, as opposed to... and I think also from cuckoo filters you can remove elements from the set, right, as opposed to Bloom filters, where you can't remove items from the set. But yeah, cuckoo filters, Bloom filters: that is essentially a probabilistic
data structure version of a MapSet, right? So in a MapSet you throw items in the MapSet and then you can make the call to... was it contains, I think, or member? I can't remember the function, but you can check to see: hey, does this exist in my set? So Bloom filters and cuckoo filters work the same way. They can't tell you exactly what's in the set; I can't tell it "hey, is the number one in this set?", but it can tell me for a fact: does this exist in the set or not. So I can't get a list of all the output back from the Bloom filter or cuckoo filter, but I can make that check to say, does this exist or not. And then I think you can get false positives, but you can't get false negatives, so as long as you check "does this not exist in here", you have a 100% guarantee that it doesn't exist in there, versus the other way around, right? If you would ask "does this exist" in the HyperLogLog... in the Bloom filter, you might get a false positive: the Bloom filter might tell you yes, it exists, but it actually doesn't exist. But as long as you ask "does it not exist", then this is 100% accurate. Yes. It's one of those I can't remember which way, I always look it up. Well, you do this once and then it's like a bash script, I always forget. Well, it is a class at uni, right, or in college. Yeah, but there are books written on probabilistic data structures, and they're generally useful in scenarios where you don't necessarily care about all the data being accessible, but what you care more about is the summary of the data; maybe you can tolerate some inaccuracy. Yeah, true. I learned a lot, and maybe we will also write a blog post about that, because I found that quite interesting, to be honest. Probabilistic data structures are fun. Yeah, definitely. I
didn't know about them. All right, before we wrap it up, are there any more questions? Anybody in the chat, do you have any questions about Phoenix2Ban, easy sweet, Alex and I, how we met, why we actually stick together, what's the secret to our marriage? Is it maybe that I have a picture of him in my office? Now look, now you have two Alexes. [Laughter] Yeah, it was funny, I used it for the announcement video, and if enough people... I promise here now: if enough people buy Phoenix2Ban I will print this picture on a real-life-size cutout, I think it's called, and put it in the corner there. The cardboard cutout. Yeah, the cardboard cutout. And Alex is actually also my boss, so to say, so he'll be looking over my shoulder all day then. All right, I don't think there are any more questions here, so, cool. Well, thanks everybody for joining us. If you want to learn more, go to easys s.de; I'm also going to write it in the chat one last time so that you know how to write it. Check that out, we have all our documentation there, we also got an email, otherwise you can reach us on Bluesky. I'm available on Bluesky, Alex is still on Twitter, on the old X. You can't let go of the X somehow; you've got to move on at one point, Alex. Ah, whatever, as long as... I just post technical stuff there, I consume technical stuff there, I've created all the filters to just echo-chamber myself to just tech stuff there. I know that feeling actually, I had the same, but I don't know, now I'm much more happy on Bluesky, because I did miss these messages that you get from other people that you don't know, that are just part of your wider network or even not related to it at all, and somebody just shared something really interesting about something you never heard about, right, and you're like, that was worth my
time, and I didn't find that anymore on Twitter, unfortunately; it was only Elixir, Elixir, Elixir, and I love Elixir, but when I go to social media I kind of want to just have some free time, just have some input from different parts. Oh, I'm on both. Yeah, he's on both, he's on both mostly. There's a question actually: "I'd like to know Alex's thoughts on the Elixir patterns talk that José gave." Did you see that one? I haven't watched that talk yet, it's on my list; I have a list of YouTube videos that I need to watch, but I just don't watch YouTube. No, actually I was there, it was in Lisbon, it was a really good talk, but I think the question here stems also from the fact that you wrote the book Elixir Patterns, and then José gave a talk about Elixir patterns, well, not quite Elixir patterns; he gave a talk about the big Gang of Four software patterns, but they're not related to Elixir Patterns, I believe. So I'm going to make some stuff up based on that description you gave me; I may put words in José's mouth, I have no idea. I would suspect that a lot of the patterns from Gang of Four do not apply to Elixir, and it's tough to replicate those things, because a lot of times with Gang of Four patterns you're dealing with mutable data, versus we have immutable data in Elixir, given that it's a functional language. So I'd say that a lot of those patterns don't necessarily carry over from Gang of Four, and it might be like you're trying to shoehorn stuff into your Elixir application. But on the other hand, I think the adapter pattern, I think that's in Gang of Four, you could very easily do that with behaviours, right, because in Gang of Four they use interfaces, and in Elixir we have behaviours, which are more or less the same thing. So I think
there are some patterns that carry over and then others that just don't work. Okay, but I don't think you need to watch the talk anymore, because you kind of just summarized it. Oh, did I? More or less, yeah. José looked at some of them, not all of them, but he looked at some of them and he made the same point as you did. He said, well, the OOP Gang of Four patterns were created mostly because people were writing Java and .NET or C++, and because you had that issue in OOP: you have the three things, which are behaviour, state, and, I always forget the third one, identity, something like that. You have it all in one object, in one data place, in one space in your memory, so you have an object, and the object has a state, so you can change the object's state; it has behaviour, so it has functions that can execute stuff and change the state; and it has an identity, so it might have an ID, or at least, like the process identifier that we have in Elixir, something like an ID. So if you change the object it always has the same ID, but it has different state, right? And these are like the three, if you look at it like a 3D XYZ axis: you have the behaviour, you have the state and you have the identity. And what José said in the talk is basically that in functional programming languages you split these three things. State becomes its own thing, right? State is just a map or something you have right now, but as soon as you change it, it becomes a new thing; you have immutable data structures, so the ID actually changes, it's not the same anymore as before. Okay, if you have an Ecto struct or something, it might have the same database ID, but the underlying data is not the same between changes. So you have state, but it's
also separate from behaviour, which is functions. So functions don't have their own state; they receive state and then they pass on state, but they don't have their own state. And the third one's the ID, which is the object: you can't share the same state between two processes, unless you have something like an ETS table or so, but even then it's still immutable. So basically, José of course explains it better than I do now, but he said that by splitting these three things you don't have these issues anymore that people try to solve with OOP, with the Gang of Four patterns, basically. Yeah, which is actually kind of what I tried to tackle in the Elixir Patterns book that I wrote, which was: let's not cover the Gang of Four patterns, let's instead talk about patterns of how to construct applications using the OTP constructs that we have. So like, how do we use a supervisor, how do we configure it, what types of supervisors do we have available to us in Elixir, like partition, dynamic, the regular old-school supervisor; when do you use these, how do you construct your supervision trees; if you pull in ETS and you want to configure it for read concurrency, how do you do that; how do you configure ETS tables to be accessible from all other processes, dealing with the permission setting on that table. So those are more the patterns that I talk about in the book that I wrote, versus the builder pattern and stuff like that. Yeah, true. Actually, I think you should watch José's talk and I should read your book, and then we'll reconvene. Yeah, we can reconvene afterwards, make another live stream, and then we discuss this question in detail. There you go. All right, well, with that said, I think we kind of reached the end of our live stream, unless there are any more questions, but I already asked you so many times.
If you haven't asked your question yet, now is really the last time to ask any questions ever, otherwise we will never be available ever again. This is the moment: forever hold your peace, speak up now or stay silent forever. That's what they say when you get married, right? Do they say that when you get married, Alex, is that a thing? I only know it from the shows. I think it's "speak now or forever hold your peace". Okay. Did anybody speak up at your wedding? No, no. Good. I don't know. Yeah, well, I guess that is it, because if you haven't spoken up yet, now you have to keep your peace forever, I guess, that's how you said it. Exactly, yes. But I would like to thank everybody for joining the live stream today, and check out easy S.F, check out Phoenix2Ban, check us out on Bluesky and Twitter. We also have a newsletter you can subscribe to; whenever we add these features we're going to send out a newsletter about that. So check us out on all the platforms and get in touch, and with that I think that's it. Alex, do you want to say anything? No, just look into the camera straight: bye bye, and thank you, bye everybody. Okay, that's it everybody, leave now, goodbye, see you, farewell, farewell.
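The HyperLogLog ring buffer the two of them describe above (unique IPs per hour, 24 buckets, the head bucket cycling out the oldest), as an added example that is not part of the stream and not Phoenix2Ban's own Elixir code: a plain Python sketch with the standard register-wise merge and the linear-counting correction for small cardinalities. The class and function names, the 14-bit precision, the 10.x.y.z sample addresses and the epoch value are all constructed for the example.

```python
import hashlib
import math
from collections import deque

class HyperLogLog:
    """Fixed-size sketch that estimates distinct items: each register keeps the
    longest leading-zero run seen in the hash tails routed to it."""

    def __init__(self, precision: int = 14):
        if not 7 <= precision <= 16:
            raise ValueError("precision must be between 7 and 16")
        self.p = precision
        self.m = 1 << precision                   # number of registers (16384 at p=14)
        self.registers = bytearray(self.m)

    def add(self, item: str) -> None:
        # Deterministic 64-bit hash so estimates are reproducible across runs.
        h = int.from_bytes(hashlib.sha256(item.encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)                  # top p bits select a register
        width = 64 - self.p
        tail = h & ((1 << width) - 1)             # remaining bits give the rank
        rank = width - tail.bit_length() + 1      # 1-based position of the leftmost 1 bit
        if rank > self.registers[idx]:
            self.registers[idx] = rank            # only the max survives, so re-adds are free

    def merge(self, other: "HyperLogLog") -> "HyperLogLog":
        # The union of two sketches is the register-wise maximum (same precision required).
        if other.p != self.p:
            raise ValueError("cannot merge sketches of different precision")
        out = HyperLogLog(self.p)
        out.registers = bytearray(max(a, b) for a, b in zip(self.registers, other.registers))
        return out

    def estimate(self) -> int:
        m = self.m
        alpha = 0.7213 / (1 + 1.079 / m)          # bias constant, valid for m >= 128
        raw = alpha * m * m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * m and zeros:
            raw = m * math.log(m / zeros)         # linear counting for small cardinalities
        return round(raw)

class UniqueIpsPerHour:
    """Ring buffer of hourly sketches: the head is the current hour and the oldest
    bucket is evicted when a new hour starts (24 buckets by default)."""

    def __init__(self, hours: int = 24, precision: int = 14):
        self.precision = precision
        self.buckets = deque(maxlen=hours)        # (hour_start, sketch), oldest first

    def observe(self, ip: str, unix_time: int) -> None:
        hour = unix_time - unix_time % 3600
        for hour_start, sketch in self.buckets:
            if hour_start == hour:                # bucket still held: tally the IP there
                sketch.add(ip)
                return
        if self.buckets and hour < self.buckets[-1][0]:
            return                                # older than every bucket kept: drop it
        sketch = HyperLogLog(self.precision)
        sketch.add(ip)
        self.buckets.append((hour, sketch))       # a full deque evicts the oldest hour

    def series(self) -> list:
        # (hour_start, estimated distinct IPs) per bucket, oldest first.
        return [(hour, sketch.estimate()) for hour, sketch in self.buckets]

def synthetic_ip(n: int) -> str:
    # Constructed sample address derived from a counter, not real traffic.
    return f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"

def unique_ip_estimate(distinct: int) -> int:
    """Feed `distinct` constructed addresses twice each; repeats must not inflate the count."""
    sketch = HyperLogLog()
    for n in range(distinct):
        sketch.add(synthetic_ip(n))
        sketch.add(synthetic_ip(n))
    return sketch.estimate()

def demo_ring_buffer(hours: int = 24) -> list:
    """Simulate 25 hours of traffic so hour 0 is cycled out of a 24-bucket ring."""
    tracker = UniqueIpsPerHour(hours)
    base = 1_700_000_000 - 1_700_000_000 % 3600   # constructed, hour-aligned epoch
    for h in range(hours):                        # hours 0..23: one repeat visitor each
        tracker.observe("203.0.113.7", base + h * 3600)
    head = base + hours * 3600                    # hour 24: 5,000 addresses, 3 hits each
    for n in range(5000):
        for k in range(3):
            tracker.observe(synthetic_ip(n), head + k)
    return tracker.series()
```

With 16384 registers the expected relative error is about 0.8%, so `unique_ip_estimate(100_000)` lands within a few hundred of the true count while storing 16 KiB rather than every address.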
Video description
Let's code some Elixir together.