In my recent post on idealism and identity, I mentioned my attraction to the philosophy of personalism, with its emphasis on human dignity. It is perhaps a little-known fact that Martin Luther King, Jr., was greatly influenced by that very philosophy. Early in life he ventured north to study at Boston University, then the center of personalist thought in America, where he completed his doctorate under theologian Edgar Sheffield Brightman. We can see the deep influence of personalism on King's views in two quotes from his famous "I Have a Dream" speech:...
Personal identity is a deep, and deeply meaningful, subject: at some level, what's more important than what makes you you? Paradoxically, throughout history and across cultures, often personal identity has been a social construct, tied closely to tribe, clan, family, ethnic group, race, caste, class, societal role, and so on - usually in opposition to some Other ("I'm a Capulet, not a Montague", "I'm a proletarian, not a bourgeois", etc.)....
We are pleased to announce a new minor release from our stable branch.
This is a security release that addresses a denial-of-service vulnerability in
Prosody’s mod_websocket. For more information, refer to the
20220113 advisory.
A summary of changes in this release:
Security
util.xml: Do not allow doctypes, comments or processing instructions
Download
As usual, download instructions for many platforms can be found on our download page
If you have any questions, comments or other issues with this release, let us know!
A security flaw has been found and fixed in a core component of the
Snikket server software, Prosody. A fix has been released today, and it
is recommended that everyone upgrades as soon as possible to receive the
fix.
The flaw would allow an attacker to trigger the Snikket server to consume
extreme amounts of resources (CPU and RAM), resulting in a denial of
service.
Upgrading
You can find instructions for upgrading to the latest release in our
upgrade guide.
If you are a Snikket hosting customer, you will receive an email with
information about upgrading your instance.
Questions
What is a “Denial of Service” attack?
A “Denial of Service” attack (DoS) is any attack that causes an internet
service (such as Snikket) to become unavailable to its users, i.e.
unable to handle requests. In Snikket’s case, this means users would be
temporarily unable to exchange messages, make calls, or share media and
files.
Is any data at risk?
This flaw does not expose any data to the attacker. It simply causes
Snikket to consume large amounts of memory and stop responding.
What is the impact of this issue?
Snikket may use large amounts of CPU and RAM while trying to handle
traffic that has been specially crafted by an attacker to trigger this
flaw. If Snikket is running on a server alongside other services,
Snikket’s excessive use of resources may negatively impact those
services as well.
How was this issue discovered?
The issue was discovered by the Prosody development team during a review
of the code. It is not known to have been actively exploited by anyone.
However, now that the fix has been published, it may bring more
attention to the flaw. It is recommended that you upgrade as soon as
possible.
What other changes are in this release?
This security release only contains changes that fix the security issue.
No features or other fixes have been introduced in this release.
Is there a workaround?
If you cannot upgrade immediately, you can run the following command in
your Snikket directory (where docker-compose.yml is located) to disable
WebSocket support temporarily:
WebSockets are enabled by default, but not used by any of the official
clients; they are only needed for Web-based clients. Web-based clients
should in addition be able to (be configured to) fall back to the
unaffected BOSH endpoint.
Note that the above workaround is temporary - it will be reset if you
restart Snikket for any reason. It is recommended to upgrade Snikket to
achieve a permanent fix.
How can I tell if my version is affected?
The fix has been released in ‘beta.20220113’.
To check your version, log in to the Snikket web portal with your admin
account. Then click on the “Snikket service” text at the bottom of the
page. View the section “Software Versions” and ensure that the ‘Prosody’
component reports Snikket test 48-3d061. If you see 0.dev, 37-e5d49
or any number lower than 48 then your Snikket is not up to date yet.
Follow the upgrade guide.
The Soprani.ca project, and Cheogram in particular, is pretty big on bidirectional gateways. The most popular Cheogram-hosted instance, so popular that it gets to own Jabber IDs on cheogram.com, is a bidirectional gateway to the telephone network. How is it bidirectional? Don’t you need a Jabber ID to use it? Of course not!
Sending a Message
From any SMS-enabled device, add +12266669977, which is the gateway’s phone number. Send the following SMS:
/msg someone@server.tld Hello!
The user with Jabber ID someone@server.tld should shortly receive your message. If they reply, what you see will depend on their relationship to the gateway. If they have a backend route set (such as JMP, Vonage, or Twilio) then you will get an SMS from their associated phone number. If not, you will get a message from the gateway’s number like this:
<someone@server.tld says> Oh, fun!
Joining a Chatroom
An SMS user can also join exactly one chatroom at a time. Send this to the gateway’s number:
/join someroom@conference.server.tld
You should receive a message with the current list of participants, after which you will start seeing messages sent to the room. After this point, any SMS send to the gateway’s number that is not a valid command (such as /msg) will be sent to your joined room as a message. You can send /help at any time to get a list of other commands for leaving, setting your nickname, etc.
Making a Voice Call
To call a Jabber ID, first enter it into this form then dial one of the access numbers and follow it up with the extension generated by the form.
The extensions are often very long, so the easiest way to dial them on Android is to create a contact with a phone number of the form:
+access_number,*10816etc
If you have trouble with one access number, try another one. If the Jabber ID you wish to call is very long some access numbers may time-out waiting for you to dial all the digits.
In my drive to hold fewer opinions (or at least hold them less strongly), for a while I tried to cultivate a healthy skepticism about things I believe - for instance, by attempting to question one opinion every week. This didn't work, at least for me, because it felt too negative. Instead, now I'm working to cultivate curiosity. Here are a few thoughts on the process....
Openfire 4.5.6 has been released, that addresses an annoying issue that was affecting the earlier 4.5.5 release. We’ve updated the bundled log4j library to version 2.17.1 for good measure.
The changelog denotes the two Jira issues closed by this release. You can find Openfire build artifacts available for download here and they have the following sha256sum values
Subscribeto receive FinTech Matters and other great content, notifications of events and more to your inbox, we will only send you relevant, high-quality content and you can unsubscribe at any time.
Read on to discover what really matters for tech in financial services right now for the Erlang ecosystem and beyond.
We’re avoiding any fintech predictions for 2022, because who knows what will happen, right?
Lloyds on-site technology is “not fit for purpose” according to their own senior exec, leaked video exposes problems at the bank
A recorded internal meeting made its way to the Mail on Sunday newspaper in the UK and indicates digital transformation to be a major concern at the bank. Nick Williams, group transformation director at Lloyds, is on the call speaking to employees about ‘real concern’ over some legacy infrastructure.
Amazon announced back in November that they would stop accepting Visa branded credit cards for purchases in the UK. While the bigger picture is surely more complicated than negotiation leverage over high processing fees and reducing costs, this is still quite an aggressive move. It is more to do with the changing face of online payments and the growth of buy-now-pay-later and (potentially) mainstream acceptance of cryptocurrency. Of course, both the ecommerce/retail and payments industries will be watching how things play out as it will inform decisions by other players down the line.
Product Development in Healthtech – we returned to in-person events at Barclays Rise in London recently to present this case study with the team from Trifork, our parent company. [View the Slide Deck]
Complyteq – we were also joined at Rise by CEO and founder Eske Gerup to discuss the latest in digital ID and onboarding technology. [More About Complyteq]
Christmas cheer was in short supply in Ghana’s parliament as things got out of hand during a vote to add a new tax on mobile payments.
JPMorgan Chase fined $200 million for conducting business on WhatsApp
This substantial penalty was for a failure to follow US federal record-keeping laws by allowing Wall Street employees to use apps including WhatsApp. Employees also used text messages and personal email accounts to communicate about sensitive business matters.
ElixirConf EU 2022 – Returns as a hybrid event 7-8 April from London and online. Elixir runs on the BEAM VM – the same virtual machine as Erlang – and can be adopted right throughout the tech stack. It’s been used to build the systems at the likes of Klarna, SumUp and Memo Bank. [Find out more]
To make sure you don’t miss out on any of our leading FinTech content, events and news, do subscribe for regular updates.We will only send you relevant high-quality content and you can unsubscribe at any time.
Openfire 4.6.7 has been released with only a single change to bump the bundled log4j library to version 2.17.1. Whilst we do not believe Openfire to be vulnerable to the CVEs associated with the log4j 2.17.0 and 2.17.1 releases, we realize that many folks are running naive security scanners that are simply checking for bundled jar versions.
The changelog denotes the one Jira issue closed by this release. You can find Openfire build artifacts available for download here and they have the following sha256sum values
At this point and due to limited community usage, we do not plan to create an additional 4.5 series release with this associated change. Please note that the 4.7.0-beta release of Openfire was made prior to all the security vulnerabilities associated with log4j and is thus vulnerable. We hope to finalize a 4.7.0 release very soon, which will also bring log4j to version 2.17.1. Update: we needed a 4.5 release for a different issue. We pulled in the log4j update as we were releasing anyway.
If you ask those I work with or mentor what my distinctive personal qualities are, I suspect that on the short list you might find empathy. For instance, I often reach out to work colleagues if I know that they face significant challenges, if their skills aren't being fully utilized, if they're not appreciated as much as they should be, if someone on their team has resigned, or on the positive side if they've been doing great work....
Close to the end of 2021 I’m excited to announce the release of PGPainless version 1.0.0! After a series of release candidates, it is finally time to party! The OpenPGP library successfully underwent a security audit in late November and I feel like it finally reached a state of sufficient maturity to be worthy of a major release with a “1” at the front.
The audit was carried out over a period of 2 weeks by the nice folks of cure53.de. The team swiftly discovered some security flaws most of which were quickly fixed in the library. Some other issues (such as lacking brute-force protection) were declared out of scope, as they are better fixed on the application level. Others unfortunately are the direct consequence of compliance to the OpenPGP standard, e.g. the fact that secret keys are not encrypted using authenticated encryption (this will hopefully change soon). The results of the security audit are publicly available for anyone to read.
In the light of the recent Log4j related events, I’d like to explicitly express my gratitude towards the fine folks of FlowCrypt, which perpetually financially support my work on PGPainless. Particularly they sponsored the security audit. Their support makes PGPainless a sustainable free software project and is a significant factor for its success. Thank you so much!
Throughout its development PGPainless has now reached a steady JUnit test coverage of 90% and around 90+% agreement with the OpenPGP Interoperability Test Suite. Furthermore, the project is now reuse compliant!
As always, the new release is available on Maven Central for you to download. Since the binaries are reproducible, you can also grab the sourcecode, build them yourselves and compare the hashes against the known-good values.
Now whats left for me is to wish everyone a Better New Year 2022! Stay safe and encrypted!
Consider the following statements... "There are no answers, only questions." "Life is all about the journey, not the destination." "A teacher or a counselor should encourage dialogue, not provide direction." All true as far as they go. And yet....
As best I can reconstruct it, here are the books I read in 2021. Not included are scholarly papers, essays, and other short works. I've provided links to books that are available online at my monadnock.net website for works in the public domain....
Although I don't make New Year's resolutions, at this time of year I do tend to reconsider some of my goals and practices. One thing I'd like to improve on is the frequency of entries in my online journal, because writing them pushes me to think about how I'm living and what I'm learning. Thus going forward I'll strive to post such reflections at least once a week - most likely on Friday evenings or over the weekend, when it's easier to find time for reflection. You can receive these missives in your inbox by visiting my philosopher.coach website and typing your email address in the subscription form at the bottom of the page....
In meditation #7 of this series, I took note of some similarities between the aesthetics of Aristotle and the music of Bach. Another intriguing influence might be the monadology of Gottfried Wilhelm Leibniz (1646-1716), who directly influenced philosophers and musical theorists in the Bach's orbit: for instance, Bach's student Lorenz Mizler (1711-1778) was a follower of the Leibniz scholar Christian Wolff (1679-1754). In chapter 5 of his book Music in the Culture of the Renassiance and Other Essays, Edward Lowinsky makes the following observations:...
MongooseIM is a robust instant messaging server focused on scalability and performance. It makes use of XMPP (Extensible Messaging and Presence Protocol), an open technology used mainly to develop instant messaging solutions. The protocol is highly extensible and has a very active community supporting it, which results in a variety of possible use cases, be it one-to-one text messaging, mobile group chat or collecting data from IoT sensors.
MongooseIM is an XMPP server that is constantly evolving to meet the rapidly changing demands while remaining highly scalable to handle millions of messages per minute, which is confirmed by both our load tests and the existing production installations. Recently we have seen a growing demand for massive multi-tenancy, where one MongooseIM cluster would handle more and more independent XMPP domains. We have been working tirelessly for many months on this and the result is our latest 5.0 release, which implements a completely new concept of dynamic XMPP domains. This feature allows you to have literally thousands of XMPP servers in one. To see the difference it makes, let us start with the original concept of XMPP when one server used to equal one domain.
Single-domain setup
A typical use case of XMPP is for a mobile instant messaging app. Each user is identified by their JID (Jabber Identifier), which has a form similar to an email address, e.g. alice@example.com can communicate with bob@example.com by connecting to the server example.com. It is very easy to configure this in MongooseIM with the TOML configuration file. The default file already contains the basic configuration, but in this example, we will write it from scratch. Let’s start with the minimal general section with the domain example.com defined in the list of static hosts:
The default_server_domain is the domain that appears as the sender of XMPP stream errors returned by the server when a user cannot connect and the XMPP domain of the client is not known yet. To make this example complete, let’s add the auth section to the file, enabling user authentication with their accounts stored in a relational database, e.g. PostgreSQL:
[auth]
methods = ["rdbms"]
[auth.rdbms]
We also need to define the default connection pool, so MongooseIM can connect to the database.
Finally, we need to define a client-to-server (c2s) listener to allow the clients to connect:
[[listen.c2s]]
port = 5222
Now you can start MongooseIM, create an account for alice@example.com and use an XMPP client app to connect to the server. This setup is very minimalistic and certainly not secure enough for production use (there is no TLS), please see the documentation for more details.
Static multi-domain setup
One service provider might maintain the XMPP servers for a few companies, each of them having their own XMPP domain, just like for email addresses. Similarly to email, these companies might share one server installation, which can be easier and cheaper than having one server per business. This is why several domains would be hosted on a single server. Let’s update the general section in the configuration file to introduce two more domains. [1]
It is possible to configure each domain differently, e.g. example.com can have message archive management (MAM) enabled to allow the users to retrieve stored chat messages. To do this, let’s enable the mod_mam_meta extension module.[2] The module should be specified in the host_config section to enable it only for one domain:
Software as a service (SaaS) has become the standard way of providing IT services. In this scenario, we can imagine not just a few large companies, but thousands of small businesses (e.g. with up to 100 users each) using the same corporate chat solution built with MongooseIM. Each business would need their own XMPP domain, but they would neither want nor need their own MongooseIM installations, so instead they could pay for a hosted SaaS solution. The provider of such a solution would need to host hundreds or even thousands of domains on a single XMPP server.
To do this with a typical XMPP server (and with MongooseIM before version 5.0), one would have to edit the configuration file and restart the server for the changes to take effect. This is best done as a rolling upgrade, restarting one node at a time, but this procedure is quite tedious and takes some time. Another issue is that for each statically configured domain there are multiple resources allocated as all extension modules are started independently for each domain. Furthermore, the configuration file would become unmanageably large. To solve this problem, we could use the latest feature of MongooseIM 5.0.0: dynamic XMPP domains. Instead of defining thousands of hosts in the configuration file, we list only one host type – let’s call it basic. All we need to do is to modify the general section of the configuration file[3]:
We still need a static default_server_domain to be able to respond with XMPP stream errors. To allow domain management, we need to enable a service called service_domain_db – by default it will reuse the globally defined default DB pool that we already defined. The domains will be stored in our PostgreSQL database.
[services.service_domain_db]
The last step is to define the HTTP listener that will handle the REST requests[4]. Let’s set it up only on the loopback interface for localhost:
Such a request might be sent by a web server that would expose a GUI used to manage the domains. To cut off the inter-domain traffic we could separate them with an extension module called mod_domain_isolation. You can have multiple host types, which may correspond to different levels of service, e.g. when a distinction between standard and premium services is needed, we would add an advanced host type for the premium customers by editing the general section once more:
You can use static and dynamic domains at the same time – for example, for a big company that would have its own unique set of configuration options, such as a separate database or other special features, the domain can be configured statically:
The diagram above summarizes the resulting setup, showing some client connections as well. Please refer to the documentation for more details regarding your MongooseIM configuration.
Performance of dynamic domains
When it comes to performance testing, we always push MongooseIM to the limits using amoc, our load testing tool, and amoc-arsenal-xmpp, a set of scenarios designed for testing XMPP servers. For dynamic domains we decided to run several scenarios targeted at different metrics, increasing the load to the point of failure. The number of users was up to 100 k for the one-to-one messaging test and these users were actively chatting, resulting in high message rates[5]. We also decided that the system under load should be a three-node cluster of c5ad.xlarge AWS EC2 machines with an xlarge RDS instance of PostgreSQL, which is quite a small setup, to show that even this modest installation can handle a heavy load.
Initially, every test was executed for one static domain – the performance of version 5.0 was identical to the one of version 4.2. Then, the users got evenly distributed among 1,000 different domains, which did not result in any performance drop. Finally, the scenario was pushed to the extremes with as many domains as users. This meant up to 100,000 domains, but even that high number was not enough to cause any fall in performance other than a slight increase in memory usage. Domains were created on the fly at rates of up to 24 k / min without putting significant additional stress on the system. Selected test results are shown below. There were many more configurations tested, but they are omitted for the sake of simplicity. Results would vary with any difference in the setup, so if you need to determine the limits of your installation, please contact us.
MAM request rate with 5 messages returned per request
360 k / min
MAM lookup for one-to-one and group chat archives
Rate of messages returned from MAM archive
1.8 M / min
Conclusion
Some XMPP servers allow you to add virtual hosts – this is usually done with configuration files and does not allow grouping domains into host types. What sets MongooseIM 5.0 apart is that the dynamic domains are seamlessly integrated with almost all[6] features and extensions, making it possible to easily set up and maintain thousands of domains without any performance penalty.
Load test results show that you can expect high performance from MongooseIM, no matter if you need to host one huge domain or thousands of smaller ones. The only thing to worry about is the design and implementation of your front-end application and MongooseIM will certainly take care of the traffic generated by the millions of connected devices.
If you would like to talk to us about how your project can benefit from using MongooseIM, you can contact us at general@erlang-solutions.com and one of our expert team will get right back to you.
[1] default_server_domain can be one of the defined hosts, but it can be a different domain name as well.
[2] Such modules enable optional features of MongooseIM and they usually implement XMPP extension protocols, e.g. mod_mam_meta implements XEP-0313. More information about it can be found in the documentation.
[3] If you are following the examples, it is best to remove the host_config section as well, as it is no longer relevant.
[4] This listener is already enabled in the default configuration file.
[5] MongooseIM can handle many more connected users, especially on bigger instances, see our blog post on scalability. However, an extremely high number of users makes tests difficult to repeat, so it is better to have a lower number of users and a higher message rate per user. One could always add a lot of inactive users to the test, but there is little point in doing so.
[6] Please see the documentation for a complete list of exceptions.
This is this third part of our ‘Making Sense of Blockchain’ blog post series, here we look back at a post originally authored by Dominic Perini on how our attitudes to ownership are changing and how this relates to the value we attach to digital assets in the blockchain space. You can read part 1 of this series on ‘6 Blockchain Principles’ here.
Join our FinTech mailing list for more great content and industry and events news, sign up here >>
Theme III
Digital Assets: Ownership in the Era of Blockchain
Ownership, provenance and handling While physical goods contain an abstract element: the design, the capacity to model it, package it and make it appealing to the owners or consumers. Digital assets have a far stronger element of abstraction which defines their value while their physical element is often negligible and replaceable (e.g. software can be stored on disk, transferred or printed). These types of assets typically stimulate our intellect and imagination.
The peculiarity of digital goods is that they can be copied exactly at a very low cost: for example, they can be easily reproduced in multiple representations on heterogeneous physical platforms or substrates thanks to the discrete nature in which we store them (using a simplified binary format). The perceivable form can be reconstructed and derived from these equal representations an infinite number of times. This is a feature that dramatically influences how we value digital assets. The opportunity to create replicas implies that it is not the copy nor the rendering that should be valued, but rather the original digital work. In fact, this is one of the primary achievements that blockchain has introduced via the hash lock inherent to its data structure.
If used correctly the capacity to clone a digital item can increase confidence that it will exist indefinitely and therefore maintain its value. However, the immutability and perpetual existence of digital goods are not immune from facing destruction, as at present there is a dependence on a physical medium (e.g. hard disk storage) that is potentially subject to alteration, degradation or obsolescence.
A blockchain, such as that of the Bitcoin network, represents a model for vast replication and reinforcement of digital information via Distributed Ledger Technology (DLT). Here, repair mechanisms can intervene in order to restore integrity in the event that data gets corrupted by a degrading physical support (i.e. a hard disk failure) or a malicious actor.
However, as genetic evolution suggests, clones with equal characteristics can all face extinction by the introduction of an actor that makes the environment unfit for survival. Thus, it might be sensible to introduce heterogeneous types of ledgers to ensure their continued preservation on a variety of physical platforms and therefore enhance the likelihood of survival of information.
The evolution of services and their automation
Now let’s consider how we have started to attach value to services and how we are becoming increasingly demanding about their performance and quality.
Services are a form of abstract valuable commonly traded on the market. They represent the actions bound to the contractual terms under which a transformation takes place. This transformation can apply to physical goods, digital assets, other services themselves or to individuals. What we trade is the potential to exercise a transformation, which in some circumstances might have been applied already. For instance, a transformed commodity, such as refined oil, has already undergone a transformation from its original raw form.
As transformations are being automated more and more, and the human element is progressively being removed, even services are gradually taking the shape of automated algorithms that are yet another form of digital asset, as is the case with smart contracts. Note, however, that in order to apply the transformation, an algorithm is not enough, we need an executor such as a physical or virtual machine.
Sustainability and access to resources
Stimulation of the intellect and/or imagination isn’t the only motivator that explains the increasing interest in digital goods and consequently their rising market value. Physical goods are known to be quite costly to handle. In order to create, trade, own and preserve them there is a significant expenditure required for storage, transport, insurance, maintenance, extraction of raw materials etc.
There is a competitive and environmental cost involved, which makes access to physical resources inherently non-scalable and occasionally prohibitive, especially in concentrated urban areas. As a result, people are incentivised to own and trade digital goods and services.
The high power consumption required by the Bitcoin network’s method of consensus would potentially negate these environmental benefits. However, Keith Bear from the Cambridge Centre for Alternative Finance (CCFA) recently discussed their publication of the Bitcoin Power Index with us. He told us that although power consumption is a concern it should be remembered that blockchain technology can act as a force for good, being used for environmentally beneficial projects.
Services traditionally require resources to be delivered (e.g. raw material processing). However, a subset of these (such as those requiring non-physical effort, for instance, stock market trading, legal or accounting services) are ideally suited to being carried out at a significantly lower cost via the application of algorithmic automation (assuming that the high carbon footprint required to drive the ‘Proof of Work’ consensus mechanism used in many DLT ecosystems can be avoided).
Barriers to acceptance of digital assets
Whereas it is sensible to forecast a significant expansion of the digital assets market in the coming years, it is also true that, at present, there are still several psychological barriers to overcome in order to get broader traction in the market.
The primary challenge relates to trust. A purchaser wants some guarantees that traded assets are genuine and that the seller owns them or acts on behalf of the owner. DLT provides a solid way to work out the history of a registered item without interrogating a centralised trusted entity. Provenance and ownership are inferable and verifiable from a number of replicated ledgers while block sequences can help ensure there is no double spending or double sale taking place within a certain time frame.
The second challenge is linked to the meaning of ownership outside of the context of a specific market. A good example of this is provided by the closure of Microsoft’s ebook store. Microsoft’s decision to pull out of the ebook market, presumably motivated by a lack of profit, could have an impact on all ebook purchases that were made on that platform. The perception of the customer was obviously that owning an ebook was the same as owning a physical book. What Microsoft might have contractually agreed through its End-User License Agreement (EULA), however, is that this is true only within the contextual existence of its platform.
There is a push, in this sense, towards forms of ownership that can break out from the restrictions of a specific market and be maintained in a broader context. Blockchain’s DLT in conjunction with smart contracts, that exist potentially indefinitely, can be used to serve this purpose allowing people to effectively retain their digital items’ use across multiple applications.
The transition to these new notions of ownership is particularly demanding when it comes to digital non-fungible assets. Meanwhile, embracing fungible assets, such as a cryptocurrency, has been somewhat easier for customers who are already used to relating to financial instruments. This is probably because fungible assets serve the unique function of paying for something, while in the case of non-fungible assets there is a range of functions that define their meaning in the digital or physical space.
What this will mean for blockchain adopters
In discussing the major emerging innovation that blockchain technology has influenced dramatically over the last two years, the ownership of digital assets, it is clear that what we are witnessing is a new era that is likely to revolutionise the perception of ownership and reliance on trusted and trustless forms of automation. This is driven by the need to increase interoperability, cost compression, sustainability, performance and customisation.
Stay tuned for the final part of this deep dive blockchain series where we make the case for Erlang and Elixir programming languages to innovate with blockchain.
It is said that when the ancient Greek philosopher Epicurus died, he left behind thousands of friends. This was 2300 years before Facebook, so how could he have befriended so many people?...
As we’re monitoring developments around the recent Log4j vulnerabilities, we’ve decided to provide another update for Openfire to pull in the latests available updates from Log4j.
Since the previous release, the Log4j team released a new version (2.16.0) of their library, that provides better protection against the original vulnerability (CVE-2021-44228), but also guards against a newly discovered vulnerability (CVE-2021-45046) in Log4j.
The Ignite Realtime community has decided to immediately make available new releases of Openfire that include this newer version of Log4j: Openfire 4.6.6 and Openfire 4.5.5.
In addition to upgrading the Log4j libraries to version 2.16.0, we have put in place the mitigation measures that were defined for these CVEs. It’s important to note that these mitigation measures are known to be insufficient to fully protect against the vulnerabilities. However, the update to version 2.16.0 of Log4j makes these measures redundant. We have opted to include them anyway, as we know that many of you modify Openfire to a great extent. If such modifications would inadvertently re-introduce a vulnerable version of Log4j, at least some mitigation is in place. No changes other than these Log4j-related changes are included in the releases that we are publishing today.
We are aware that for some, the process of deploying a new major version of Openfire is not a trivial matter, as it may encompass a lot more than only performing the update of the executables. Depending on regulations that are in place, this process can require a lot of effort and take a long time to complete. To facilitate users that currently use an older version of Openfire, we are also making available a new release in the older 4.5 branch of Openfire that pulls in the Log4j update. An upgrade to that version will, for some, require a lot less effort. Note well: although we are making available a new version in the 4.5 branch of Openfire, we strongly recommend that you upgrade to the latest version of Openfire (currently in the 4.6 branch), as that includes important fixes and improvements that are not available in 4.5.
The following sha256 checksums are valid for the Openfire 4.6.6 distributables:
The process of upgrading is outlined in the Openfire upgrade guide. If you would prefer to enlist support in applying this update, various professional partners are available that can help.
We are always happy to hear about your experiences, good or bad! Please consider dropping a note in the community forums or hang out with us in our web support groupchat.
It’s tempting to say that SpawnFest is an event that doesn’t need an introduction, but we’ll give it one anyway. SpawnFest is an annual remote hackathon, where teams have exactly one weekend (48 hours to be exact) to create the best BEAM-related applications they can. It is the biggest event of its kind in the Erlang and Elixir community, with fantastic sponsors, prizes, participants and judges coming together to learn, inspire and hack. This year, we’re extremely proud to announce that our very own Aleksander Lisiecki claimed a podium finish in a number of categories for his project eArangoDB. His final haul was: Maintainability – 1st , Correctness – 2nd and Completion – 3rd . You can see the full results for overall winners and other categories here. We invited Aleksander to the blog to share more about his project, the inspiration and the competition as a whole:
Why did you enter the competition?
Aleksander: I enjoy the convenience of participating in a remote competition, which is self-explanatory regarding the current COVID situation. Another advantage is that all teams are accepted, which is not the case in other hackathons. And last but not least the prizes this year are awesome!
What inspired this project?
I have had an interest in graph databases for a while. The possibilities they give are exciting, and they can be used in a variety of really interesting ways from social media modelling to fraud detection and many more. In last year’s SpawnFest I worked on a project to provide an API from Erlang to Noe4j, a graph database. This year I wanted to try doing a similar concept but for ArangoDB. It is a more complex challenge as it is not a pure graph but a multi-model database. There were many more API calls to be implemented. I wanted to have an option to choose between different databases picking the best one depending on the use case and requirements.
The judges loved your project, how did you feel it went?
Overall I am satisfied with the result. I managed to implement the main part of my project. There are some rough edges here and there, but that is always the case with hackathon-style projects.
Any thoughts for adding on how this project could be improved in the future?
There is always space for improvements. The competition only lasts for 48 hours, which means that you are not able to polish the project with a shiny finish, but it is important to have the basic concept working. In the future, I think it will be beneficial to use property-based testing in test suites. Another thing left to do is to implement some validation options and some helpers regarding response handling, especially focusing on more readable error messages. The project might also benefit from adding logging or, even better, adding telemetry events.
How do you find remote vs in-person hackathons?
In a remote hackathon usually, all teams are accepted. That is not the case in most hackathons, as they happen in person, and organisers have to limit the number of participants due to limited room size. Moreover, you work from the comfort of your desk, using the equipment setup you have built and improved over the years. Last but not least, you can sleep in your bed, which is not the case for in-person hackathons. On the other hand, if a hackathon happens in person, there are some extra attractions available like free pizza and coffee, some games to be played in the break like foosball or some board games.
Any advice for participants for next year?
SpawnFest, like any other hackathon, is about two things: a great idea and bringing the idea to life, or at least a prototype of it. I highly recommend you start thinking about ideas as soon as possible. Do not go too big, it is better to pick a slightly smaller project and deliver it within a limited time than it is to try to implement a huge idea that you won’t have time to finish. Read the rules carefully and check what the prizes are awarded for, and focus on those aspects of your project.
Last but not least, do not forget that it is about having fun! See you next year at SpawnFest!
With the potential for new technologies to cause interference to traditional communications networks and even space itself at the risk of becoming weaponised, it is important to make sure that you always have a backup plan for your communications ready and waiting.
Should the worst happen and your primary network, typically SatCom, go down you need to ensure that you can still communicate with your forces wherever they are, and that communication needs to be fast, simple and reliable. It also needs to be suitable for operation within degraded and denied environments.
That’s where HF Radio has a distinct advantage, utilising the ionosphere itself to relay communications and long-range radio signals. If you’re interested you can read more about the benefits of communications over HF Radio and how Isode is developing HF technology here.
When implementing new technologies, one of the challenges you can always expect to face is how you manage them and control how the important systems connect with one another. For HF Radio, that has always been a factor limiting its deployment, how do you ensure that mobile units remain connected to your HF network as they move from one location to the next?
This can now be done by our latest HF Radio enhancement product, Icon Topo.
Icon Topo is a state of the art, web-based management system for HF Radio networks. The management system allows an operator to monitor and control the location of Mobile Units such as ships or aircraft, ensuring that as they move from one HF Access Point to another they can remain connected to your communications network.
The Icon Topo system allows you to manage your Mobile Units across multiple HF Networks, and plan a connection route for them as they do so, all from an easy forms-based interface. Removing any interruptions to service or downtime from applications as the MU moves across its intended path.
Alongside our HF management system, we have also recently developed our Red/Black solution to manage encrypted data over HF networks.
Red/Black is a Web-based server that can provide control and monitoring of different devices and servers. This is intended to complement, not replace, primary device management tools. Red/Black servers can operate in a pair, to monitor and control devices across a secure boundary.
Our Red/Black servers are designed to support HF radio systems through the display and management of communication chains, as seen below. They allow separation of, and passage for encrypted information across restricted networks from a ‘high’ side to a ‘low’ side.
You can read more about our Red/Black solution here
The above two products give you full oversight over your HF networks so that you can be confident you will retain complete control over what gets to connect to your HF network and how exactly they do it.
If you’d like more information on our HF products, or are interested in a product demo then get in touch with us on sales@isode.com, alternatively you can fill out a contact form on our website and one of our team will get back to you.
Although we’re preparing for the Openfire 4.7.0 release, the recently discovered vulnerability in the Apache Log4j utility prompted us to push an immediate release of Openfire to address that issue. This release, Openfire 4.6.5, is available now.
We urge you to update as soon as possible. If that’s not feasible, then we advise you to apply the documented workaround (in the form of adding the following argument in the start script for Openfire: -Dlog4j2.formatMsgNoLookups=true) and/or look into applying other mitigating actions.
The process of upgrading is outlined in the Openfire upgrade guide. Please note that, if desired, a significant amount of professional partners is available that can provide commercial support.
You can find Openfire release artifacts on the download page. These are the the applicable sha256sums:
Apart from addressing the log4j issue, this release includes a small number of other modifications, as documented in the changelog.
We’re always happy to hear about your experiences, good or bad! Please consider dropping a note in the community forums or hang out with us in our web support groupchat.
This new ejabberd 21.12 release comes after five months of work, contains more than one hundred changes, many of them are major improvements or features, and several bug fixes.
When upgrading from previous versions, please notice: there’s a change in mod_register_web behaviour, and PosgreSQL database, please take a look if they affect your installation.
A more detailed explanation of those topics:
Optimized MucSub and Multicast processing
More efficient processing of MucSub and Multicast (XEP-0033) messages addressed to big number of addresses.
Support MUC Hats
MUC Hats (XEP-0317) defines a more extensible model for roles and affiliations in Multi-User Chat rooms. This protocol was deferred, but it is supported by several clients and servers. ejabberd’s implementation supports both the XEP schema, and also the Conversejs/Prosody custom schema.
New mod_conversejs
This module serves a simple page to allow the Converse.js XMPP web browser client connect to ejabberd. It can use ejabberd’s Websockets or BOSH (HTTP-Bind).
By default this module points to the public online client available at converse.js. Alternatively, you can download the client and host it locally with a configuration like this:
Add delete_old_pubsub_items command.
Add a command for keeping only the specified number of items on each node and removing all older items. This might be especially useful if nodes may be configured to have no ‘max_items’ limit.
Add delete_expired_pubsub_items command
Support XEP-0060’s pubsub#item_expire feature by adding a command for deleting expired PubSub items.
Fix get_max_items_node/1 specification
Make it explicit that the get_max_items_node/1 function returns ?MAXITEMS if the ‘max_items_node’ option isn’t specified. The function didn’t actually fall back to ‘undefined’ (but to the ‘max_items_node’ default; i.e., ?MAXITEMS) anyway. This change just clarifies the behavior and adjusts the function specification accordingly.
Improvements in the ejabberd Documentation web
Added many cross-links between modules, options, and specific sections.
Added a new API Tags page similar to “ejabberdctl help tags”.
Improved the API Reference page, so commands show the tags and the definer module.
Configuration changes
mod_register_web is now affected by the restrictions that you configure in mod_register (#3688).
mod_register gets a new option, allow_modules, to restrict what modules can register new accounts. This is useful if you want to allow only registration using mod_register_web, for example.
PosgreSQL changes
Added to PgSQL’s new schema missing SQL migration for table push_session (#3656)
Fixed in PgSQL’s new schema the vcard_search definition (#3695).
How to update an existing database:
ALTER TABLE vcard_search DROP CONSTRAINT vcard_search_pkey;
ALTER TABLE vcard_search ADD PRIMARY KEY (server_host, lusername);
Summary of changes:
Commands
create_room_with_opts: Fixed when using SQL storage (#3700)
change_room_option: Add missing fields from config inside mod_muc_admin:change_options
piefxis: Fixed arguments of all commands
Modules
mod_caps: Don’t forget caps on XEP-0198 resumption
mod_conversejs: New module to serve a simple page for Converse.js
mod_http_upload_quota: Avoid ‘max_days’ race
mod_muc: Support MUC hats (XEP-0317, conversejs/prosody compatible)
mod_muc: Optimize MucSub processing
mod_muc: Fix exception in mucsub {un}subscription events multicast handler
mod_multicast: Improve and optimize multicast routing code
mod_offline: Allow storing non-composing x:events in offline
mod_ping: Send ping from server, not bare user JID (#3658)
mod_push: Fix handling of MUC/Sub messages (#3651)
mod_register: New allow_modules option to restrict registration modules
mod_register_web: Handle unknown host gracefully
mod_register_web: Use mod_register configured restrictions (#3688)
PubSub
Add delete_expired_pubsub_items command
Add delete_old_pubsub_items command
Optimize publishing on large nodes (SQL)
Support unlimited number of items
Support ‘max_items=max’ node configuration (#3666)
Bump default value for ‘max_items’ limit from 10 to 1000 (#3652)
Use configured ‘max_items’ by default
node_flat: Avoid catch-all clauses for RSM
node_flat_sql: Avoid catch-all clauses for RSM
SQL
Use INSERT … ON CONFLICT in SQL_UPSERT for PostgreSQL >= 9.5
mod_mam export: assign MUC entries to the MUC service (#3680)
Photo by 
, Correctness – 2nd 
and Completion – 3rd 
. You can see the full results for overall winners and other categories 
