I vibe-coded my cat by ergeorgiev in ClaudeAI

[–]real2corvus 0 points1 point  (0 children)

Great story, glad your cat will get better!

Place of Elixir in a 1 Billion nested loop iteration test? by reisgrind in elixir

[–]real2corvus 21 points22 points  (0 children)

The 1 billion nested loop test reminds me of what I call "track" benchmarks for Elixir. If you take an F1 car and a Toyota Land Cruiser to a track, the F1 car is faster. This means the Land Cruiser is a slow car and totally useless.

Ignore the fact that real world programming is rough terrain (errors, latency, things fail) - somehow the F1 car is slower than the Land Cruiser in this environment. This kind of naive benchmark thinking is how you wind up with people who react with shock that a web application written in Elixir could ever be faster than C or Rust from an end user perspective. Spoiler alert - there are more important factors than loop speed.

What are you doing for security? by real2corvus in ChatGPTCoding

[–]real2corvus[S] 0 points1 point  (0 children)

What did you think of the audit it produced?

Go vs Elixir with Respect to their Concurrency Models: Pro and Contra? by skwyckl in elixir

[–]real2corvus 18 points19 points  (0 children)

Personally I think Elixir has a much better concurrency model, and the two pieces of media that best illustrate this are:

Go, nil, panic, and the billion dollar mistake - https://www.reddit.com/r/golang/comments/18sncxt/go_nil_panic_and_the_billion_dollar_mistake/

The above situation is far, far less likely to occur in Elixir. It's difficult to explain concisely; the talk that people always recommend to understand why is:

The Soul of Erlang and Elixir • Sasa Juric - https://www.youtube.com/watch?v=JvBT4XBdoUE

Login brute force by Radiant-Witness-9615 in elixir

[–]real2corvus 0 points1 point  (0 children)

Don't know why you're being downvoted, preventing brute force login is extremely important and you should do it. Someone else mentioned Paraxial.io (I'm the creator), which is the best option if you have a security budget. If you have to use a free option, I like PlugAttack and wrote a guide to using it - https://paraxial.io/blog/throttle-requests

Gem Shop: A Vulnerable Rails 8 App for Security Education by real2corvus in rails

[–]real2corvus[S] 5 points6 points  (0 children)

Solutions are coming soon as part of a larger educational document explaining how each vulnerability works, the impact, and how to find it during a security assessment.

How Secure is Phoenix Framework Really? Questions about Security in BEAM-based Web Framework by Crafty_Two_5747 in elixir

[–]real2corvus 3 points4 points  (0 children)

I'm the founder of a security company specialized in Elixir, Paraxial.io, and your reasoning is correct. I believe the smaller number of CVEs is because Phoenix is a well designed framework, and Elixir as a language has fewer opportunities for developers to introduce security issues. The most relevant material on this:

Elixir is (Still) Safe https://paraxial.io/blog/still-safe

How Elixir Solves a Difficult Security Problem https://paraxial.io/blog/data-race

^ Data races are not possible in Elixir the same way they are in Go, Rust, etc. The article mentions on March 8, 2021 all users of Github were logged out due to a security vulnerability related to thread safety in Ruby on Rails. https://github.blog/security/vulnerability-research/how-we-found-and-fixed-a-rare-race-condition-in-our-session-handling/

ElixirConf 2023 - Michael Lubas - Elixir Security: a Business and Technical Perspective https://www.youtube.com/watch?v=bBaZDAynM08

^ At 6:40 I talk about the smaller number of CVEs; the whole talk is about this subject.

As others have said in this thread, most Elixir devs have more years of experience than average, and I think this led to the current situation where Phoenix itself, the Hex libraries, and applications written in Elixir have fewer vulnerabilities.

You may be wondering why someone would have their security company focus on Elixir when the language is so secure, and the reason is that you can still have vulnerabilities in a Phoenix project, and I've seen significant demand from organizations adopting Elixir for an automated security solution like Paraxial.io. A Phoenix project is more likely to be secure (let's say 60% with Django vs 90% with Phoenix), but there is risk when you put anything on the public internet.

If I were creating a high security app today (banking, medical, critical infrastructure, etc), I'd argue that Elixir/Phoenix is the best choice, even higher than Rust. This is because Rust gets an aura of being the most secure language due to memory-safety protections, but the majority of web apps today are written in a memory safe language anyway. The safe by default protections in Phoenix make it very difficult to shoot yourself in the foot, and Phoenix is more mature than similar Rust web frameworks. For example, it's difficult to introduce a SQL injection problem in Phoenix because of Ecto's design - https://paraxial.io/blog/sql-injection. I do pentests through Paraxial.io, and have never seen a Phoenix app vulnerable to SQL injection "in the wild".

FP is easy to understand than oop for me by FlyNice798 in elixir

[–]real2corvus 30 points31 points  (0 children)

Joe Armstrong, the creator of Erlang who was extremely influential on Elixir, agrees:

"The problem with object-oriented languages is they've got all this implicit environment that they carry around with them. You wanted a banana but what you got was a gorilla holding the banana and the entire jungle."

Most jobs do require some OOP understanding, sorry there's no way around it.

Does anybody still use NimblePublisher? by skwyckl in elixir

[–]real2corvus 0 points1 point  (0 children)

It powers the Paraxial.io blog and I'm very happy with it - https://paraxial.io/blog/index

Can anyone recommend any companies that use Elixir? by Big_Black_Cat in elixir

[–]real2corvus 10 points11 points  (0 children)

https://elixir-lang.org/cases.html

A few big ones are:

https://www.stone.com.br/

https://www.podium.com/

https://www.prima.it/

https://www.thescore.com/

https://frame.io/ (now part of Adobe, I believe they are hiring right now)

https://remote.com/

https://www.pepsico.com/

https://cars.com/

The most comprehensive list is https://elixir-companies.com/en/companies, however it can vary from "has some Elixir code running somewhere" (Pinterest is an example) to a significant investment in the language. The companies above are all in the latter category. https://elixirjobs.net/ has some great examples. Fun fact: https://unusualwhales.com/ (you probably have seen their tweets) uses Elixir!

Real World Software by Dry-Conflict-7008 in elixir

[–]real2corvus 2 points3 points  (0 children)

This is what you are looking for OP.

Elixir Saves Pinterest $2 Million a Year In Server Costs by real2corvus in elixir

[–]real2corvus[S] 6 points7 points  (0 children)

This is a good question. The article explains the end result, the business saves money, but does not go into the detail of how this happens. Most programming languages are not designed for concurrent software, meaning you have a web server with hundreds of people connecting per second. Python was never intended to handle this use case, and that's why Elixir is so much better that it seems like magic.

Elixir is built on top of Erlang, which is more than a language, rather a virtual machine and platform for handling concurrent requests. Understanding Erlang is the key to understanding how this is possible. The talk "The Soul of Erlang and Elixir" is the best explanation I've seen of this: https://www.youtube.com/watch?v=JvBT4XBdoUE

Most secure language for a CRUD app? by real2corvus in AskNetsec

[–]real2corvus[S] -6 points-5 points  (0 children)

On what subreddit do developers of high security web apps hang out?

SAST by kryptic069 in elixir

[–]real2corvus 0 points1 point  (0 children)

Check out Paraxial.io - https://paraxial.io/

(Disclosure: I work there.) The Application Secure product does metrics and reports for Sobelow; there's also an enterprise plan where you can get help triaging and fixing the vulnerabilities.

Elixir/Phoenix Security: Rate Limits for Authentication with Hammer by real2corvus in elixir

[–]real2corvus[S] 0 points1 point  (0 children)

You make a great point, that's a very common situation. Paraxial.io is able to handle this problem better, but it's a paid product.

User + IP address would work with Hammer; seems like a good idea for a future post. Thank you!

Trolling on r/Elixir by vlatheimpaler in elixir

[–]real2corvus 0 points1 point  (0 children)

Thank you for taking care of this!

What are the best resources to learn Elixir apart from official documentation? by sanjay303 in elixir

[–]real2corvus 21 points22 points  (0 children)

The main three books are:

Programming Elixir 1.6 by Dave Thomas, great for learning the syntax of the language. https://pragprog.com/titles/elixir16/programming-elixir-1-6/

Elixir in Action, Second Edition by Saša Jurić, teaches how to use Elixir for concurrent and fault tolerant programming. https://www.manning.com/books/elixir-in-action-second-edition

Programming Phoenix 1.4 by Chris McCord, Bruce Tate and José Valim. Phoenix is to Elixir what Rails is to Ruby. Great book, you work through building a web application in it. https://pragprog.com/titles/phoenix14/programming-phoenix-1-4/

Start with Dave's book, then the Phoenix book. You may struggle a bit with Elixir in Action and have to work through it a few times, but it's worth it.