Cup o' Go

Creators & Guests

Host
Jonathan Hall
Freelance Gopher, Continuous Delivery consultant, and host of the Boldly Go YouTube channel.
Host
Shay Nehmad
Engineering Enablement Architect @ Orca
Editor
Filippo Valvassori Bolgè
Sound Designer / Audio Editor based in Milan

What is Cup o' Go?

Stay up to date with the Go community in about 15 minutes per week

Shay Nehmad:

This show is supported by you. Stick around till the epic to hear more. This is CapaGo for September 13, 2024. Keep up to date with the important happenings in the Go community in about 15 minutes per week. I'm Shay Nehmad.

Jonathan Hall:

I'm Jonathan Hall.

Shay Nehmad:

And today, news at 11. Three proposals we'll talk about, all of them accepted. What does this mean for the future of the language? Then reporting from the field, Shayne Ahmad talking about his thoughts about the gophercon Israel 2024. After that, Jonathan will tell us about the new blog post in the GoDev blog, unique package.

Shay Nehmad:

Is it really that unique, or are all the packages alike? And finally, we'll review a new malware. How's the headlines, section?

Jonathan Hall:

That was some good clickbait there, man.

Shay Nehmad:

Yeah. After all that, clickbait, we're gonna have a lightning round and a super interesting interview. Not a clickbait this time, actually a super interesting talk with Ran Barzic, who Israeli listeners already probably know from his journalistic work, and Gil Adah, 2 architects at CyberArk talking about Go and Quantum and Post Quantum and Human Rights and Journalism and hating on Python and TypeScript and all the things we like.

Jonathan Hall:

Let's do it. So first off, let's talk about some proposals. 2 of them we talked about before, so I'm gonna make them pretty quick. The first one is that zSTD compression has been accepted to be included in the standard library. You can already use the STD and go, but you have to use a third party library for it.

Jonathan Hall:

Soon, you can, deprecate that and start using the standard library. Second, another one we talked about before, they'll be deprecating the set finalizer function, which I hope you never use or rarely rarely use and adding a new, semantically cleaner version called add cleanup. We talked about this some length. I'll link to the show notes to that discussion. Those have both been accepted.

Jonathan Hall:

Look for those. I'm assuming in Go 1.24 in about 5 months. 2 great improvements. Yes. I agree.

Jonathan Hall:

I agree. And the third one that has been, accepted is to deprecate the use of small keys with RSA. So if you have a key smaller than 1,024 bits, you will no longer be able to use it, and you will not be able to generate keys that small any longer. I have mixed feelings on this. It seems to me like you might want to use small keys for testing purposes or something sometimes.

Jonathan Hall:

Or if you have an old key that you need to be able to use, I would wanna be able to use that. But I'm sure that it makes sense in some way. Like, maybe there's a workaround. I haven't I haven't thought about it too too much detail. It does come from Filippo Velasorda, who we'll talk about later on in the interview, who we had on the show as well.

Jonathan Hall:

He's a smart guy, much smarter than I am when it comes to crypto and security. So I I trust his judgment.

Shay Nehmad:

So it does have implication for testing. Right? Because it's gonna make tests a lot, slower, but there are 2 escape hatches. One, there's a go debug flag which reverts this behavior. So on your test, you could be, like, go debug, RSA, minimum whatever equals 0, and then your test won't have this, behavior.

Shay Nehmad:

Also, do recommend it to just disable the restriction, on testing dot testing, but that seems kind of not great. Also, apparently, there is test keys as part of the RFC, which makes sense, like, there are just distributed test keys, which you can use and you don't have to create them, encode them, etcetera because they're just part of the RFC and you can copy them in encoded form and then you can just take them as is from the standards document. The only thing that worries me about this, and this might be, funny, but is the fact that because it's a RFC document, some people might start typing out, like, their key and it will auto complete this test key and it will look like random because of, like, Chargegpt training on this RFC document. Right? And then they'll use the test key in production.

Shay Nehmad:

So I really hope that won't happen. But overall, erring towards the side of security seems better than erring towards the side of this person really knew what they were doing. A lot of people don't really know what they're doing in in tests, and you want the language to hold their hand in the in the more difficult parts. Right? Error handling.

Shay Nehmad:

Go forces us to look at the error, value. These sorts of things. So I think overall, a great proposal. Upvotes, stay the same, by the way. 50 Yeah.

Shay Nehmad:

51 people for 1 person against. That's consensus if I've ever seen it.

Jonathan Hall:

Alright. Shay, I'm tired of talking about proposals. Would you tell us about Gofer Con?

Shay Nehmad:

It's because we're only talking, about the accepted ones and not about the, you know, the interesting, oh, maybe it's rejected soon. But, yeah, no, the language is just moving forward and doing great things. Improving security, adding better, compression, etcetera etcetera. VofreCon was awesome, man. A lot of familiar faces.

Shay Nehmad:

A lot of, show alumni. Micky, Tabekka, Jardin Leifenfeld. A lot of, people are in now Ran. I met Ran Barzyk on the floor. He gave the keynote.

Shay Nehmad:

I gave him the show sticker. He was like, what is this? I was like, I have a podcast. One thing led to another and you'll hear from, Ran and, Gilada very soon in the interview, which is very cool. There were really great talks.

Shay Nehmad:

There were 2 tracks. I don't know how I feel about 2 track conferences because you always feel like you miss out on something and also it's never balanced. There's always the talk everybody goes to and the talk that people, like, fewer people go to. I don't know how but in this conference it didn't feel like that at all. They lined up the topics very well so, you know, they had technical deep dive into a very specific niche fun topic on one side and then a very useful pragmatic talk about we did things at company x deadweight on the other side.

Shay Nehmad:

So if you felt more like, I wanna look at cool stuff and fun stuff, how someone debugged the memory issue, you can go to one side of the room And if you like this specific technology stack and topic is relevant to your company, obviously, you went to the other side. I went with a few people from Orca, where I work, so it's always a lot of fun too. These conferences, they're very energy draining for introverts. Right? You have to present yourself and meet new people and shake hands and whatever.

Shay Nehmad:

It's always nice to have, like, your group of people you can always go back to and recharge for a bit. But I I it really was really interesting talking to a lot of, people. I wrote the my notes from all the talks, mostly for work, but I actually published it. I think the talk I liked the most was Go Generate. Just an overview of how cogeneration works, 3 cogeneration strategies, when you should use them and how it works in Go by Larry Sokol.

Shay Nehmad:

It was a really, really good talk. I just super enjoyed, watching it. And also, how Go tests Go test. I never thought about it. When you type Go test, it does a lot of stuff.

Shay Nehmad:

Right? There's a there are a lot of features and the Go team needs to test it somehow. So, this talk taught how to do that using a thing called test script, which is something internal that the Go, team developed sort of their own language, for testing scripts, for testing CLIs. Now I develop a lot of CLIs at work, so it was super relevant to me. And I also really, really, really liked, how it looks.

Shay Nehmad:

And it was also nice again, another, like, show, mention, the talk reference, test scripts in Go, a blog post by Bitfield Consulting, John Arrundel, which we had on the show as well. Right? So Mhmm. At this point, I don't know, like, 2 years in, it's really, you can see people relating to capogo all over the place, which is a lot of fun. I I I felt like a semi celebrity, but because I took my beard off nobody recognized me, even people like Miki and things like that.

Shay Nehmad:

People who know me for years. So I I I sort of was a celebrity and also was incognito. It was a complicated, experience in that regard.

Jonathan Hall:

Have you used Test Script before?

Shay Nehmad:

I I didn't know about it until the talk, but I will definitely use it for the next CLI I'll develop.

Jonathan Hall:

Yes. I've I've actually used it a little bit when I, worked on Gofmt. It uses it because it's a fork of Gofmt. But I actually had used it without realizing I had used it. And then I went to Fosdum last year and saw talk about it as well.

Jonathan Hall:

Put a link to that in the show notes too. So, yeah, it's a really cool tool.

Shay Nehmad:

Super useful. I can't these sorts of hidden gems in the standard library are one day, I'll just sit down, print out all the standard library into a big binder and start reading it top to bottom.

Jonathan Hall:

I'm nearly through my 2 year journey through the ghost spec on my daily mailing list, where I I take down like a a paragraph size chunk of the spec. I'm thinking I'm gonna do the standard library next, but that's so big, it'll probably take me 20 years to do it.

Shay Nehmad:

Well, it's sort of, like painting the Golden Gate Bridge. Right? You'll start with the standard library in one end, and then it's all gonna be v 2 by the time you end, and you're gonna have to redo it anyway. Right. Exactly.

Shay Nehmad:

Maybe they'll finally have YAML in the standard library. That's gonna be 5 years to chunk just through that. So it was a great experience. Again It it

Jonathan Hall:

it'll take longer than that because there's recursion in YAML. So it'll it'll end up repeating itself over to

Shay Nehmad:

Okay. Okay. I gave this proposal, but YAML did get accepted. Here's my wound. Here's the salt.

Shay Nehmad:

Go ahead. Anyway, it was a really good event. It was really well positioned or or, I guess, managed, I should say. Because it's fun. Israel right now is not a fun place and just, they started up top.

Shay Nehmad:

Mickey came up and said, listen, we this is weird. We're not gonna give out swag because we're contributing all the swag money for, charities, to help with the, you know, people who got hurt by the, war situation. And please, please don't talk politics. Let's just escape for a day and enjoy tech and the company of each other. And I think that was a really good move.

Shay Nehmad:

Like, on the one hand, not ignoring the situation and not being, like, overindulgent in the way that the high-tech sector tends to be. You know, food and gifts and swag and people throw swag at you and sometimes I left conferences with so much plastic stuff in my in my backpack. I just felt bad. Right? Another pair of socks and another shirt and I like, I didn't do anything.

Shay Nehmad:

I just came here. So I think it was a really good move to not give out t shirts and and all this and bags and all this swag, but donating it instead. And it was also a very good move to say, hey, let's just this should be a fun event. Let's just escape for a day. Let's not talk too much politics.

Shay Nehmad:

Let's not turn this into a political event as well. It was just a tech conference for a day, which was a lot of fun. Awesome. Yep. The Go team is cranking out the new, blog posts.

Shay Nehmad:

We're not, we're not keeping the pace, but we promised last week we'll talk about the unique package.

Jonathan Hall:

Yeah. So let's talk about something completely different.

Gill Adda:

And now for something completely different.

Jonathan Hall:

So, this this post is actually 2 weeks old now, maybe long more, August 27. But, it's an important one. It's about the new unique package. This was one of the big features in Go 1.23 that didn't get a lot of attention. Although, we actually talked about this well in advance.

Jonathan Hall:

I think even before it was officially the proposal, we talked with, Josh Blicker Snyder about it.

Shay Nehmad:

We nurtured this, proposal from a sampling all the way to a 3rd.

Jonathan Hall:

We we are solely to to, to credit for this. Not not at all. We had nothing to do with it, but we did talk about it a little bit. The idea of unique, also known as interning or or it's very similar to a concept known as interning, is the idea of keeping a list of things or a group of things in memory that may have duplicates without duplicating the memory footprint. So one example this mentioned in the blog post, is actually in the center library.

Jonathan Hall:

The net slash net IP package uses interning to reduce the memory footprint when storing large sets of IP addresses, which have typically have common network components. Right? So you might have 1,000 or 1,000,000 of IP addresses of memory, but portions of them or the or the network portion is the same. So this could dedu can reduce the memory duplication of that. So if you are dealing with large amounts of similar or identical things in memory, this package is probably something that could help you reduce the memory footprint, takes advantage of generics.

Jonathan Hall:

There's some cool cleverness in here that I'm not gonna spoil it for you. I'll let you read the post. But if that sounds like a use case that would be interesting to you, go check out the blog post. It's actually a pretty short read. You could probably read it in 5 minutes.

Shay Nehmad:

There are 2 interesting things at least I'm taking. 1, building memory efficient, caches in Go. A a lot of times when I'm when I'm getting into the Rust versus Go debate, many people are like, no, but if you want, perfectly memory efficient cache, you can't really do it in Go because it's garbage collected and then you have a lot of problems. It's not a language for this highly performant stuff, and this makes it standard library, a lot more closer to, you know, perfect implementation I should say. And also, the proposal we talked about before, the improvement of set finalizer, right, replacing it with cleanup, it was because of this work.

Shay Nehmad:

So it's interesting how in order to make this work, you had to improve the language in sort of various other areas because uniquing or I guess entering all these values has a lot to do with the garbage collector and the final and all these sorts of things. Because if you set the finalizer and then you put something in a unique package, these things are diametrically opposed. On the one hand, you wanna keep it in memory and not collect it and things like that. Finalizer might do it on, on purpose or or touch things in the during garbage collection. So this feature, like many other blog posts and things in Go, caused a lot of other improvements in other ways, which I really like, you know.

Shay Nehmad:

In order to move the language forward, you have to do it in small measurable steps that, move it forward, and improve, like, different parts that I wouldn't I wouldn't be able to tell you the connection between set finalizer and, you know, the the unique package or the interning feature, without this blog post, like, tying it up together. All nice. Right. Alright. One last thing we wanna mention in the news this week is very cool.

Shay Nehmad:

It's probably less relevant unless you're a Chinese threat actor. But hey, if you are, welcome. Your malware might have been detected. But in in slightly more serious, there's a new Go malware which is always fun to poke at technically. It's by a threat group called Earth, Luska.

Shay Nehmad:

But just to to frame it, you know, it is a group that targeted Taiwan just before, the elections, which is a very, tense area of the world right now and trying to infect selected targets using social engineering, with, a malware using, like, spear phishing. Right? What what's the actual malware? It's a piece of Go software, so it works on Windows and Linux, which is one of the great features of Go. And it has a ton of features.

Shay Nehmad:

Looking at the configuration, it looks like a super standard. Like, if if I give this configuration to you, Johnny, you'd be like, oh, this is just a normal Go, software. It has parameters like listen, connect to duplex, connection time out, proxy, domain and host, secret, TLS, sleep, jitter. Just sounds like a h t p server, right? Nothing suspicious because basically it is a networking piece of software.

Shay Nehmad:

Right? But then if you go down to the commands to the like malware, communication options, the tasks, then it becomes a bit more clear what this, piece of specific piece of software is all about. What are the handlers, like, the handler names on your, normal communication services or back end services?

Jonathan Hall:

Oh, I don't know. I mean, obviously, there'll be things like log in and get user and get whatever sort of thing it is, get document.

Shay Nehmad:

So not time stamp or or sol inject. Oh. Or usually like the DLL inject or open socks proxy.

Jonathan Hall:

Not not typically.

Shay Nehmad:

Yeah. So there are a few things here that are weird. Obviously, this is a malware intended to both in fact and and, like, create backdoors on a machine and sort of create more persistency for itself and also just give an attacker an interactive shell to do whatever whatever they want. So a very advanced feature wise sort of malware, including a lot of networking issues. So I think there's the operation behind it is pretty big.

Shay Nehmad:

There's 50 command and control servers, that the researchers at, Trend Micro, figured out from reversing this, malware. Even though it is pretty well obfuscated, obviously, they just grabbed the binary, a real binary sample because they couldn't have, had all these details without it. But, you know, the agent has a lot of tasks that are relevant for espionage basically. Things like starting terminals, running commands, downloading md fives of files, uploading files, listing connections, scanning ports, injecting themselves into other processes, running shellcode on, Windows platforms, DLN injecting themselves to other places, openings us opening a SOX proxy so you could imagine someone infecting, a machine that's connected to the Internet then they send the SOX proxy command and then jump into a it like a machine that's not connected to the Internet but connected to the, like, internal network. Seems serious.

Shay Nehmad:

Seems state level, stuff, and it's written in Go. I never know how to spin these, malware stories. Obviously, it's interesting, and Go is a good fit for low level networking based communication, but I'm not sure I'm happy that the Chinese government is messing with the Taiwanese election officials. I'll just say that, technically, there are some interesting things here. And if you're doing, OS stuff, maybe you could take a look at how they, obfuscated things, where they installed stuff.

Shay Nehmad:

Very cool.

Jonathan Hall:

And I think if the, authors of this code had listened to our lightning round coming up, they would have been caught less easily.

Shay Nehmad:

Oh. So so maybe stop listening? Ethically ambiguous, listen or not listen. Lightning round. Lightning round.

Jonathan Hall:

Alright. 1st on the lightning round is a tool from a friend of the show, Daniel Marti. Woo hoo. He's not the only one working on it, but he's the main contributor. It's called Garble.

Jonathan Hall:

What does Garble do? It garbles your go output, your your compiled go code, so it's harder to decompile. The use cases include? Chinese malware.

Shay Nehmad:

It could be malware from other countries.

Jonathan Hall:

It could be. Not not limited to, but including Chinese malware. But anything where, you know, you really need to be security conscious. I wouldn't take this as, like, proof that your code is guaranteed undecodable or unreversed engineering nearable, but it can help with that. So, yeah, go check that out if that's something you hear about.

Shay Nehmad:

There is one use case that I know of, that's relevant if you're publishing your software to, end users like a GoBinary. Let's say you have a fine app. Right? You want people to run it. If you want the more stupid, antivirus software to ignore you, you some of the antivirus software just marks go binaries as, as viruses because they're, Yara rules, like, they're binary, identification rules.

Shay Nehmad:

Just treats every go binary as malware. So if you obfuscate it, you can circumvent that and just make sure your users have a better experience. So there are relevant and legitimate use cases. Next up on the lining round, I've been into entity component systems recently because I wanted to develop a game, and there is a new version of the ecs go package. They're actually coming with like these minor releases, every now and then but these minor releases are really really minor.

Shay Nehmad:

Things like fixed white space and and things like that. But it just looks like there are there's work on this library, fixing small things, spit and polish, I should say. But if you're building a game engine based on the entity component system concept in Go, you should take a look. There's a simple example, there's a get started, and I've, been accused of, not thinking about Go as a serious, game development language. So, yeah, there's game development infrastructure in here.

Shay Nehmad:

By the way, even if you're not into game development, learning about ECS systems, I think, is interesting from an architectural standpoint. It's so so different to what people usually teach you in university object oriented or maybe things you've learned in corporate. And it's a legitimately very interesting solution to a very interesting architectural problem that you can probably take and implement in other software as well.

Jonathan Hall:

And finally, last item for the day, the Go Developer survey h two is out. Second one, they do one of these every every 6 months, roughly quote, coinciding with the, release of each major version. So the new version 123 is out. The developer survey is now out. We'll cover it in more detail when the results are in.

Jonathan Hall:

But for now, go.dev/blog/survey2024 dashh2. If that's too much for you to remember, just Google for it or find it on the Go blog or in the show notes. Yeah.

Shay Nehmad:

If you wanna learn more about how the survey became and how who are the people working on it, who are the, mysterious they Jonathan mentioned, we interviewed Alice Medec. You actually interviewed her. I was, Yeah.

Jonathan Hall:

I interviewed her, and she she asked me for my input into the news survey, and I think I blew my chance. I didn't ask anything profound that I don't I don't think she included. But, yeah, that was, July 26th episode. We'll have a link to that in the show notes as well. I am excited today to be joined by Alice Merrick from the Go team.

Speaker 5:

Okay. So I've I've been at Google for, I don't know, I guess, a little over 6 years now. And I used to work on other kinds of developer tools, mostly in cloud. And so I worked on some some stuff that was internal to Google, so, like, our internal And survey especially if you've,

Jonathan Hall:

used Go in the last, like, 6 months

Shay Nehmad:

for anything. If you're a listener of the show, you probably have opinions, on this stuff and the Go team very clearly takes the survey seriously. Right?

Jonathan Hall:

Mhmm.

Shay Nehmad:

They just for example, a lot of people said they were interested in doing an AI with Go. They just released a blog post. We'll talk about it next week. Building NLM powered applications in Go. Like, the survey is clearly, clearly, clearly a huge part of what, directs the Go team's decisions.

Shay Nehmad:

I've seen it mentioned in, proposals. I've seen it mentioned in talks. And it is, if you think about it from their side, the only official place they get feedback from the community. Right? Like aggregated feedback.

Shay Nehmad:

Now that we have telemetry, they have another piece of data, but it's still the survey is huge. As someone is working on internal tooling and basing my road map on surveys in ORCA, this is huge. Take 5 minutes, fill it in.

Jonathan Hall:

Alright. Stick around for our interview with Ran and

Ran Barzik:

Gil. Yeah.

Shay Nehmad:

It's super super

Jonathan Hall:

interesting. Hey, Shai. How many Patreons do we have now?

Shay Nehmad:

We have 30.

Jonathan Hall:

Oh my gosh. That's more than I ever expected. It is. Do we have any new ones this week?

Shay Nehmad:

Yes. Paul Boteau. I hope I'm saying that correctly. Coatsank, which I think I mentioned last week, but the name is just too good not to mention him again. And Gil Ada.

Jonathan Hall:

Awesome. Thanks, Gil. Thanks, Gil. We'll talk to

Shay Nehmad:

you in a second. Patreon is the number one way to support this show. We do this as a hobby and to learn Go ourselves. So far, it's been proven a 100% effective in keeping me sharp, with Go. It's a pretty expensive hobby.

Shay Nehmad:

You know, it takes time and we set up the recordings and we have to pay for editing and hosting, etcetera etcetera. So if you want to support us joining as a member in our Patreon and joining the 30 odd people there is a really great way to do this. It it also honestly does motivate me a lot to research the best stories and try to give an interesting angle and stuff just because I know people care about this stuff, which is nice. But just being here and listening is great. If you wanna reach us, you can find us at capago.dev that is capago.dev where you can find links to our Slack channel, our email, all previous episodes including transcripts, our swag shop which just got new variants of the mug, which I don't have yet.

Shay Nehmad:

You can get it in black instead of blue.

Jonathan Hall:

Mhmm. I don't

Ran Barzik:

know if

Shay Nehmad:

it's good or not, but it's just the only I can deselect the option because I I had to select minimum 2 variants. So now we have 2 variants apparently. If you like the show, there are 2 things we would like you to do. 1 is share it. Just this episode was interesting because of x and you know someone who's interested in x, just send them a link.

Shay Nehmad:

And if you wanna help us more algorithmically like, you can leave a review on Spotify, Apple Podcasts or just wherever you listen to your, podcast whatever podcasting app you're using. Just spread the word about the show. It was really fun meeting people, in GopherCon and them being like, oh, you're the podcast guy. It's a thing at this point, and I really wanna keep this, train rolling. Talking about keeping trained roll ins and numbers, this is gonna be our 80th episode.

Shay Nehmad:

Did you know that?

Jonathan Hall:

That's pretty amazing. We've we've not done it exactly every week. We take it a few weeks off, but that's almost 2 years. I I didn't we start in January last year? Yeah.

Jonathan Hall:

Mhmm. So, yeah, we'll be at 2 years here in just a couple months. 3 3, 4 months.

Shay Nehmad:

And we passed a few interesting milestones. We passed 500 subscribers, which is a lot of fun. We passed 75,000 downloads, which is incredible. Again, whenever we do this analytics, breakdowns, big ass asterisk, podcast analytics are notoriously meaningless. Downloads don't necessarily mean listeners.

Shay Nehmad:

Subscribers don't necessarily mean followers. But, yeah, the numbers are going up, man. People seem to like the show and enjoy, listening to it. I always like looking at the listener locations, and scrolling down, finding, you know, new countries. Faroe Islands.

Shay Nehmad:

I I don't, like got to my head, I couldn't even place it on a map. Reunion. I think it's part of French. Honduras, Cape Verde. It's all these countries that trip me up in, geography guessing games.

Gill Adda:

Mhmm.

Shay Nehmad:

It's just a lot of fun to see people, listening from all various OS's, platforms, devices, and podcast players. And surprisingly, I don't know why, this is not interesting to anyone but me, but Overcast, have you used Overcast for podcasting? No. It's been it's taking over, man. It's like it started really low on the rankings, but it overtook Spotify for how people, listen to our show.

Shay Nehmad:

Interesting. Almost taking, overtaking Apple Podcasts at this one.

Jonathan Hall:

I mean, it is overcast here in Amsterdam this morning, but I guess that's not really related. Something else worth mentioning that, apparently, a lot of people don't realize, we have a YouTube channel, and we actually uploaded our first video to it last week. The interview with Elliot, Mins from Dreams of Code is live. There's over a 100 views, which isn't a lot for YouTube, but it's a lot for us. Mhmm.

Jonathan Hall:

We also publish every episode their audio only to YouTube. So if you prefer to listen, that way, you can do that. But check out our YouTube channel.

Shay Nehmad:

Yeah. I guess if you're using YouTube music, then it it makes sense to listen to podcast podcast there as well. But, yeah, we had our first video episode, which I edited. So any feedback, please send it my way. We would love to improve this.

Shay Nehmad:

It it was fun. We'll probably do it again at some point.

Jonathan Hall:

I would love to do it every episode, but it's just too much work for,

Shay Nehmad:

for a hobby like this. Yeah. For sure. So thanks a lot for listening. Thanks a lot for sharing, supporting, etcetera, etcetera.

Shay Nehmad:

We have a super great interview to get into, so, let's let you all get into it. Jonathan, how are you doing?

Jonathan Hall:

Oh, I'm pretty good. I've got my coffee.

Shay Nehmad:

I have my, cup of go cup, but it's actually filled with water. We have here on the call, I'm just so excited, Gil and Ran from, CyberArk. But first and foremost, I'm mostly excited because, Ran Barzic is here and he's my, number 1 dad joker. I've been keeping this joke to to tell, and it's only works in English, and this show is in English. So, Ron.

Shay Nehmad:

Yeah. Knock knock.

Ran Barzik:

Who's there? Who? Who's who?

Shay Nehmad:

No. It's to whom.

Jonathan Hall:

Welcome on the call.

Shay Nehmad:

Now that we got the dad jokes out of the way, Ron, I'm sure you don't have any more.

Ran Barzik:

I have a I have a lot, but I will keep it for me,

Shay Nehmad:

for now. Welcome, Gil. Welcome, Ron, to our show. How about you present yourselves?

Gill Adda:

Hi there. Well, I'll start. I'm Gil. I work at CyberArk as a principal software architect. I enjoy playing with my, IoT things and, my, water, water rain, let's say.

Gill Adda:

Slept up my mind. Playing a lot with software. I'm a gopher, a newbie gopher for the last, I think, 4 years. Filling that and learning all day. Playing with Python, mostly architecture, IoT things.

Gill Adda:

I like it very much. And, enjoying enjoying writing code as much as I can.

Shay Nehmad:

It is fun.

Gill Adda:

It is fun. It is fun.

Shay Nehmad:

Ran, how about you go?

Ran Barzik:

Okay. My name is Ran Borzeik. I have a 2 roles, 3 roles in my life. First, I'm a senior software architect in CyberArk, writing code, mostly Python. Don't don't throw stones.

Ran Barzik:

Don't don't don't throw anything about on me. And also, I'm a journalist, here in the mark at The Marker newspaper for about 5 years. I'm covering a cybersecurity stories, mostly the government issues, governmental issues, which means that the most of the Israeli ministry and government, they really liked me. And every time that I work in the Knesset, in our parliament, they're a thing, Oh, it's we are very happy to see you and like Bharat, they're not Bharat, they're like a dictator that's like that, the hand. And that's it.

Ran Barzik:

Also, I have 4 children, a part of them are already a programmers professional programmers. And, that's it.

Shay Nehmad:

But it's amazing to have you both, on the call. This happened totally by, chance, and we met at the Gophercon Israel, which was, this week. Our listeners already heard about it, in the episode. I'm really glad I gave you a sticker because apparently it was enough to bribe you to come here.

Ran Barzik:

Yeah. I'm cheap.

Jonathan Hall:

So

Shay Nehmad:

we have a lot of topics to cover, but I think Jonathan and I, we first want to understand what is CyberArk and how does Go fit in the CyberArk puzzle, right, in case our listeners don't even know what it is.

Gill Adda:

So, what is CyberArk? CyberArk has started in a it's a NASDAQ traded company, focusing on the privileged account, and now it's a security identity company. And, provides secret management, secret rotation, identification. Now it's an identity provider, so has a lot of services and, many fields that it, works in. And, I think in the last 3 years, we have evolved 3, 4 years, we have evolved it and to the cloud and went fully cloud native.

Gill Adda:

And then we had some, dilemmas, what to do with our self hosted elements, what to do with our more, stateful, elements such as some some kind of network gateway. And then our journey, our strong journey with Go started when we needed something to to leave a footprint on the customer side or to have some kind of, very fast, network server and different protocols. And then we ask ourselves, are we going to do it in Python? Or are we going to c plus plus or Rust? Are we really and and Go seems a natural fit.

Gill Adda:

So this is how it started, and then it evolved to different services which provide back end, mainly self hosted data nets, which communicate with the cloud, and it's become our, practical Swiss nash to to those small agents, networking devices, and currently, even a standard back end that communicates with devices, which is usually should be Python. But we see also services evolving on the cloud using Go as the as a back end standard application. And it's quite nice to see we're a growing community of Gophers in CyberArk. And this is how we got to Gopher Go. I see something started as something not official as an SSH gateway.

Gill Adda:

We use an SSH in other products to manage secrets, and then it evolved to different services.

Jonathan Hall:

Cool. You mentioned a strong, community there. I'm curious. And and you, of course, met, Shai at GopherCon Israel. How involved has CyberArk been with the Go community in particular?

Jonathan Hall:

What what does that relationship look like, and and how has that evolved?

Gill Adda:

Well, it started from yeah. Really, we're not so involved in the Go community currently, I think. Or or we should do we should be more present. It started with with guys, developers that needed some solution or some alternative to c plus plus and very low latency or or powerful or efficient application. And it just started people spreading the word around within CyberArk.

Gill Adda:

And we have communities and we have questions. And I think CyberArk, in practice, is a very open community, very straightforward. So people talk, which is how they're constructed between different groups. So this this is something very distinctive. So it all started from friends helping friends and not some official endorsement.

Gill Adda:

And, currently, you know, it's still on that matter. And then and with Stripe, we have, I think, 5, 6 services working with that language and enjoying it. Nice.

Jonathan Hall:

And so you you mentioned some other languages, Python and c plus plus. So it sounds like you've been doing a lot of Python before. Is that right?

Gill Adda:

Yeah. Yes. And how has

Jonathan Hall:

that transition been, from Python to go we're kinda kinda jumping ahead to the question we ask at the end usually, which is a surprise or challenge about Go. But I'm curious, a more detailed answer. How has that transition been for people? I'm assuming that many of your engineers didn't know Go at all when they started this this project, and they've been learning that. How has how has that whole process been going?

Gill Adda:

1st first of all, the transition was basic more from c plus plus because Okay. You know, traditionally, we started as a c plus plus company, and all our legacy products are are written in c plus plus and not Python.

Jonathan Hall:

Mhmm. So

Gill Adda:

when we evolved to the cloud, there were several that were going Python, And then also c plus plus that needed to provide things like SSH ing, the protocol, or other elements, needed to find some some solution. And the transition was for c plus plus or c c coders was easy. They they have, already complained about, of course, where is the inheritance and where is the polymorphism? You said it's easy, you know, like, you you try catch, and some of them went to Java and say, oh, where is my try catch? So but I think the transition was great because I think it it looks like a lot like c plus plus or or the c text like c.

Gill Adda:

So I think, we had a a short course, which I and say, read the manual. And I think in 2, 3 years, you could start, and that's that's what's so fascinating with Go. So the the transition went smooth. But when we had to try to to to break down to modules and then doing some polymorphism or split into classes, then all the the big questions started. Or where is my try catch or my exception ending?

Gill Adda:

Then things got rough. Mhmm. But I think the benefits overcome the the the limitation and the simplicity of Go.

Shay Nehmad:

I think you they're used to having all this extra time to do this all this extra object oriented complexity in compilation time. But in Go, you don't have all this compilation time to mess up.

Gill Adda:

No. Right. Right.

Jonathan Hall:

They they

Gill Adda:

they saw yeah. They didn't have the they had they had to drink coffee. Everybody got nervous because compilation time was, you know, super super fast, and, we used to build, like, in 1 hour. And now it's super fast, so it was fascinating. Also, the speed of features.

Gill Adda:

Because when you re you have written or people have brought wrote in in c plus plus each feature could take 2 weeks. And now you, ah, you need that feature. Okay. Let me write you down. So the so so so I think the product, we're surprised as well by the easiness they could ask for feature.

Gill Adda:

They weren't surprised. Okay. You need that? Oh, you need to to, you know, to have a time off there between the people type things? Okay.

Gill Adda:

We can give them that, and I think that was also. But as programmers, I think we had some some walls to break in in the in the conceptual way of doing buildings. Mhmm. Basically, all all around, modules, classes, and the transition from classes to structs. It's it's going, like, back again from c plus plus to some kind of c, and that was the feeling that we're we are using some some, you know, some toy.

Gill Adda:

At the beginning, it took some toy, but, versus all the all things. But I think it went fine. We can see that it went fine.

Jonathan Hall:

And how has it been, with regard to security since that's so crucial to what you're you're doing? How have you felt Go stands up to other languages and other other libraries and so on so on out there with regard to the security aspect of things.

Gill Adda:

As far as I I see it, I think Go is very focused on that, and it brings a lot of benefits to what we do in in Go. The the main one of, you know, the things that attracted us was the the powerful library around the x509 certificates and SSH server and SSH clients. So I think it increased our ability to to provide more secure things. Like, we generated certificates, like, held there. Every every new connections got a new certificate.

Gill Adda:

So I think sick the security level in that matter, raised. And, we have some, you know, conformance or or standards that we should meet, like FIPS. And I think in that matter, which is, quite a pain. I don't wanna, that always we have to build our things to to meet the FIP standard and all have all the cryptography very aligned to the American standards, the FedRAMP. And in that matter, it was much more easier.

Gill Adda:

You know, people just like Go because compiling things in FIPS for Go and C plus plus is a different offer. It's it's a much lighter process.

Jonathan Hall:

Mhmm.

Gill Adda:

So in terms of, you know, having gen secured things Go is is great. Building things to meet standards, very strong standards, is much easier. So in that term, I think we we gained a lot. The services pass this certification process much easier than doing it in c plus plus when you have to build, take that and build that in the compilation time and build that

Jonathan Hall:

work. Right. Right.

Ran Barzik:

Let let me let me just explain a little bit about the FedRAMP and FIDs. I don't know if we talked about it in the last episodes, but it's extremely important because FedRAMP and the FIPs, it's crucial if you are working with the American corporations and not corporations, sorry, the American government or for corporations that working with the American government, other than the federal American government. It's a huge market. It's not very hard, but it's sometimes very complicated, especially in the FIPs environment. I don't want to talk about the post quantum.

Ran Barzik:

We'll talk about it later. But it's very hard to work with that standard completely to be 100% qualified for the standard. And with Go, it's much easier in Python. It's very hard, really, really high, by the way. And but by the but those standards are very important, not only for the American government, but also for other people that want privacy, that want security.

Ran Barzik:

And they they need to create the the formal certification that, yeah, my way, my my way, my data, my privacy will be protected. And sometimes it's matter of life and death.

Shay Nehmad:

So when a company is FedRAMP approved or FedRAMP sent certified, I'm familiar with it because Orca is, FedRAMP certified now, which I'm very happy about, or like we're right now in the audit or whatever. Usually, you have the federal environment, but normal customers don't want the all the FedRAMP, things that are in the standard. Right? Because you have to be in the US and, like, what if I'm not in the US? What if I'm in the EU?

Shay Nehmad:

And things like that. So while it is true that it's good for a company to have these certifications, it doesn't it just doesn't necessarily mean that every single line of code in CyberArk is FedRAMP certified. Right? It's just the things that have to be FedRAMP certified are FedRAMP certified.

Gill Adda:

Right. Right. But but you have to think first what will happen when you will need to go to the gov, and then your your, technology selection should be there. Let me run it. As we are, you know, we are using c plus plus in order to meet FedRAMP certificate, you have to build to the last code of line of library that you use.

Gill Adda:

Imagine you have to rebuild again, open SSL and every library to prove to them that everything was built. But in Gopher or in Go, every code that the standard library is Go, and you build it every time that you compile things. So that tedious work that you used to take us weeks or month just to prepare the build, pipeline, was dismissed using Go. It just build your Go, and and you can prove that it builds everything. So this is just one thing.

Gill Adda:

If you choose Go versus other languages, your work towards Phipps will be easier even though you don't install it in GovCloud. So you you try to select easy things even in your you should try to select easy things just to be ready for. So this is the idea why I think in that matter, you should you should always look have an eye on Phipps even though you are not planning to do it. Because when you would need to do it, then you will pay all the prices to rebuild everything again. Hope I explain myself.

Shay Nehmad:

Yeah. Yeah. It makes sense. Usually, it feels like a trade off. Right?

Shay Nehmad:

Go is easy to learn, but some other language x will pay off down the road. But here you say, it was very easy to teach our c plus, like convert our c plus plus people to go. The learning curve is very shallow, like, it's very steep, sorry, you learn really fast. And also, in the long term when you're a big company and you want to sell to federal government, whatever whatever, it has benefits as well. Overall, sounds like a huge success story.

Shay Nehmad:

So why aren't all the services in, CyberArk being rewritten in, Go right now?

Gill Adda:

So let's talk about the bad side. For I think for Python for Pythonista, I think moving to Go is much, is much less intuitive. I think the the existence of so called references or pointers and and c look alike, I think frightens people. So the the official decision was go to Python and most of them. This is the, you know, this is the mainstream Python.

Gill Adda:

And then there wasn't any curve. So Go couldn't go to that line. And and as well, we have started. We invested. We have had a decision, an official decision.

Gill Adda:

Let's go everything. And most of us, let's go to Python. So Go is an exception when you need it. Go isn't the the go to language. Not for me, but for the company.

Gill Adda:

So those are why Go isn't in any company because some if Python is our go to language, then, we we wouldn't choose Go for every use case, but we have defined which use cases would you use Go.

Ran Barzik:

Yeah. Don't don't forget that for JavaScript, for example, or TypeScript as what we call it today. Moving to Python, it's very easy. But going to Go, I'm not matching c plus plus it's very hard. It's very confusing.

Ran Barzik:

So, it's it's much easier to find people that can can work with Python much more than Go, Sorry, sad to say.

Shay Nehmad:

And, Ranam, I'll I'll double down on that. You were the keynote in Go for Con as well.

Ran Barzik:

And Yeah. Most of

Shay Nehmad:

the time, you weren't even talking about Go specifically at all. Your keynote. I'll I'll assume it'll go up on YouTube, at some point. So sorry if I'm spoiling it for anyone.

Jonathan Hall:

But it

Shay Nehmad:

was all about, like, IoT and keeping the spark of creativity, cool projects, about how the fact that it's fun and not necessarily huge scale, federal government, blah blah blah, this boring business stuff. Just like messing or, you know, messing with your family and building IOT stuff. You very consciously, I think, chose to present yourself not as a gopher. You were like, I'm not a gopher. I'm mostly a Python guy, maybe a JavaScript guy.

Shay Nehmad:

This is what I know. I don't really know Go, like sort of apologetically, and even here on this interview, you present yourself in this way. Are you like just Yeah. Where Gil is now, but 4 years ago? Or are you not like do you not feel like you will learn Go?

Shay Nehmad:

Like, it's a skill you're gonna attain? Like, it's something you wanna, you don't do you want to call yourself a gofer, like, or not? Where where's the where's that journey going?

Ran Barzik:

In the future? Yeah. Because, okay, in my keynote, I learned some Go and worked with Go on the IoT because I wanted to see how it's, how it's working, how it's feeling because I talked about IoT. And I wanted to say, hey. Can I implement Go in IoT?

Ran Barzik:

And I was surprised how easy it was. Maybe my Go code wasn't very, you know, very fluent one, but it was very, very easy, especially when comparing it to c plus plus And, yeah, maybe the future, if I will have more tasking than work working with, with Go and IoT, yeah, I would go to that that direction. But, unfortunately, since most of the architects in the world don't like TypeScript, and I know TypeScript, they give me all the jobs related to TypeScript, and it's horrible. And by the way, between TypeScript and Go, yeah, Go, I I will be happy to work with Go. Even that I work with TypeScript and JavaScript for more than 20 years, I think that Go has much more easier, nicer language, much more clear language.

Jonathan Hall:

So I wanna go back to something you touched on, Ron. You mentioned post quantum, and we were talking about security. Let's talk about this a little while, because you call yourself a journalist. You'd you'd work more in, like, reporting on interesting things than than, necessarily building interesting things. What is

Ran Barzik:

I I I wasn't

Jonathan Hall:

Not to say you don't build interesting things. I'm not I'm not suggesting that in in the least.

Gill Adda:

Have you seen this plant, talking plant?

Jonathan Hall:

No.

Gill Adda:

That's interesting.

Jonathan Hall:

But I mean, I I mean, we don't yet live in a post quantum world. So this is where I'm going. Right? I mean, I guess I guess in some senses, we might.

Ran Barzik:

We live. Okay. I'll explain. But this

Jonathan Hall:

is the point I was trying to make is is that you're talking about some sort of speculative things, and I wanted to talk about some speculative things. But but go ahead and correct me. Tell me why we we aren't gonna post we why we are already in a post quantum world.

Ran Barzik:

Okay. So, your opinion is much very dissimilar to my opinion, about the post quantum world before until I I got to CyberArk and then talk to a doctor, Elize Weisbod, our cryptographer. And then he told me, you know, I thought I thought, hey. Yeah. You know, nobody has a a a quantum computer yet.

Ran Barzik:

So why do you care about it? Then it will go out. We'll build something. You you do some magic, and then it will solve it, solve itself. Then he he said to me, you know, what about your information now?

Ran Barzik:

I I will capture your information now and decrypt it in the future. If it's something, you know, somewhat random WhatsApp or, I don't know, signal message with my wife, it's okay. But what if what if it's with my lover? And in the next 5 in more than 5 years, I will run to a, I don't know, some some government position, for example, or in 10 years. What about if I'm sending information to anti government organization?

Ran Barzik:

Here in in the Middle East region, it's very important. Okay. For example, I noticed some war crimes or something like that, and I'm sending the information to the Hague administration. And some country captured the information, captured this transmission, doesn't know what it is. But in in in the next 10 in more than 10 or even 15 years, it decrypt it.

Ran Barzik:

What happens happens now with my life, with my children life? It's it is very problematic, especially when when you're working in a not very democratic society or in a wild or even a a a in a wild zone. It's it's important because this data in the in the next 10 years, it can be complicated, not not now. Okay? Some of the data is not very relevant now.

Ran Barzik:

Okay? But in 10 or 15 or even 20 years, it can be a life hazardous, really.

Jonathan Hall:

Okay. So so, I mean, still we're we're we're not yet living in the post quantum world, but we're preparing for it. Right? Not even the same way that if you're gonna commit a crime in the 19 sixties before DNA test exists, you don't wanna leave your DNA around because someone might, in 20 years, find it. Right?

Jonathan Hall:

So

Ran Barzik:

Not a crime. Think think about I'm sending I am stealing

Jonathan Hall:

That was an example. This is an example.

Gill Adda:

A sensitive information. Let's go ahead

Ran Barzik:

and assist.

Jonathan Hall:

The question then becomes, how do we prepare for this world that doesn't yet exist? How how sure are we of what it's going to look like so that we can prepare?

Ran Barzik:

Okay. So this is a by by the way, maybe this is a a good idea to bring to another episode the areas to talk about it, because it's mostly mathematics issues. But right now, we can we can speculate about the quantum machine. I hope that I'm, I'm not I'm accurate here because again, it's not my field. It's it's a more cryptographic area.

Ran Barzik:

So you build the algorithm before the hardware. You can, for example, think about algorithm, create an algorithm. I prepare I do it with I did it with my children when they are smaller. Say, think about an algorithm. You taking the the milk out the cookies out of the table.

Ran Barzik:

You walk the left, right, and then left until the wall, and then right until the wall, and then with your hand. You plan an algorithm before you have the hardware, and you can do it in the mathematic perspective. And you have already NIST approved algorithm for a post quantum, and and they should also set a defense around your data in this computer, in this for for a existing algorithm, existing hardware, and the future hardware and algorithm that just prepare a very hard problems or questions that even the quantum the the the quantum machine, the theoretical quantum machine, will not be able to solve.

Shay Nehmad:

Right. Okay. So I wanna just double down on a specific, thing. It was sort of a slip up, but I think it's interesting. Jonathan gave the example of someone committing a crime but trying, like, basically the argument of I'm a bad guy trying to use this knowledge, not I'm a good guy trying to use, this knowledge.

Shay Nehmad:

We see for many technological advancements, especially in the EU, the government trying to basically stop them. With privacy, it's it's extra well known that there are certain, governments both in the western world and in in the non western world, that prefer to not give these advanced cryptography options to their citizens because, you know, it they it might be used by crime, etcetera, etcetera. PGP was, considered, weapons export in the in the US way back when. Is this field is this field, like, highly regulated? Is it a wild west and there's no regulation at all?

Shay Nehmad:

Like, because the hardware is not here yet. Where's the like, if I develop quantum cryptography, am I a weapons, exporter? What's the what's the situation?

Ran Barzik:

In Israel, yes, by the way. It's considered we need to license from the government, also in other countries. Again, I when I think about it, the miracle of the cryptography, the miracle that every every one of us and people from other countries have the ability to use a cryptographic system that shields information from all the governments. It's amazing. It's a it's a modern miracle, by the way.

Ran Barzik:

And right now, a lot of government try to limit it, especially in Australia, by the way, which is a Western country, democratic country, and they try to limit the cryptographic, they try to limit the encryption. And a lot of other countries as well, Kazakhstan, for example, really tried to double down on the HTTPS, on the TLS, and they provide the citizen force the citizen to to install some certificate that they and they enable the Kazakhstan government to peer into the communication. But until it's considered problematic, but until now, we are still able and free both to install encryption matters and also to install post quantum cryptographical algorithm.

Gill Adda:

I think Go brings, the new Go version brings, a lot of protection capabilities that we'll talk later. But I think, already, governments are limiting, like, the key size of devices. Even though it's technically, available, you cannot buy a router which supports more than that and that size of keys. So, and that's for a purpose because there is a rumor, just a rumor that, how high performance computing can decrypt with the brute force algorithm. What we are trying to do is to to to block commodity computers to decrypt things because of the compute complexity.

Gill Adda:

But high capacity computer, giant computer farms can't encrypt in brute force our communication. Therefore, the risk is all is is already there. And I think what, the quantum, the the post quantum cryptography, that new algorithm bring is the ability to protect right now against those high performance and those quantum machine in in the future that will arrive. The algorithm is there, how to decrypt with the post quantum machine. And just we are waiting for that post quantum machine, which is strong enough to decrypt our traffic.

Gill Adda:

So we have to record and wait for some time. And then as Jonathan says, the DNA is there. The data is there. Now it's just about time, not algorithm. The algorithm is there.

Gill Adda:

So published, sure, algorithm is published in 1994. So the definition of the weapon is there, just waiting for the hardware.

Shay Nehmad:

So we had Filippo on the show, Filippo of Arzorda.

Speaker 5:

This is Capo Go for March 8, 2024.

Shay Nehmad:

Who are you, Filippo?

Speaker 6:

Much into this yourself. Hi, everyone. So, I'm Filippo Arsorda. I've been, maintaining the book orthography standard library since 1018. I've done that first, at Google, as the lead of the Go security team, and today, I'm doing it as a independent open source container.

Speaker 6:

We can talk about what that means a bit, more later

Jonathan Hall:

for me.

Shay Nehmad:

Who's,

Gill Adda:

The grant.

Shay Nehmad:

Yeah. The professional open source maintainer and doing the standard library for cryptography in, Go. And he was the lead of the Go security team. How much of his work is relevant to the things you're talking about? Because it sounds like you're you're basically talking about Filippo's obviously, people help him, but Filippo's work, right, in the Go cryptography space.

Shay Nehmad:

Or are there specific people who are doing, you know, quantum things which aren't in the standard library yet?

Gill Adda:

I don't know. First of all, we are talking about Filippo's work, which was, inspired by the standards, which was just standardized in August. And what's new as well is that Filippo's work is now official. So every form the web folks of Go, by Wes Westerberg from Cloudflare, there were other there are other implementation of, OQC. But I think what's new is that Filippo's work is now on the master from Go version 1.23.

Gill Adda:

It's there in the standard number of crypto, and this is a a revolution. So we just have to use it, compile your code, and I think what we are talking is about Filippo's work, which has now been official. It's an official, the algorithm that the goal uses is the official, the way just officially in, the end of August. And so that's the way to do it. So this is how NIST says, this is the way to

Shay Nehmad:

do it. You know, what's amazing? The all of this

Gill Adda:

I think it's amazing.

Shay Nehmad:

Yeah. It's 500 lines of code. It's a it's a huge amount of math and a huge amount of thinking and these, like, world bending concepts that I don't know. Maybe the 3 of you here on the call, I I feel are getting it more than I am. But for me, it's sort of beyond the veil of technology and into the into the realm of magic.

Shay Nehmad:

All this, quantum computing. Even though I tried to read about it and I can pretend to understand it, like, in conversation. It all ends up with 500 lines of Go code with, you know, 200 lines of comments and, 600 lines of tests. You can just open the file. That's that's so, incredible to me that you can just be like mlkem768.go.

Shay Nehmad:

Let me look at the algorithm, and, yeah, I can read it.

Gill Adda:

Right. Right. And now it's a TLS. It's it's amazing for me. It's a magic.

Gill Adda:

It's magic for me, the the simplicity also of using it, consuming it as an engineer, and and and there's so many practice practical things that we can do with it. So it's magic. It's it's few lines of code, which implement that encapsulation and magic. You are you are protected from one of the machines.

Shay Nehmad:

Is this, relevant to CyberArk, specifically, by the way? Or is it just something you're interested in because of, privacy, concerns? Mhmm. Of course.

Ran Barzik:

Cyber CyberArk is working on the post quantum, future, of course, like any other, but, by the way, major company out there. Google, Facebook, WhatsApp will be, in the next future, a post quantum you we will use a post quantum algorithms, by the way. So every major company is walking to it with a road map because, again, this is crucial, for the clients and also for the, you know, human rights also. It's very important to say. Let let me let

Gill Adda:

me extend and say what CyberArk is doing, part of what it's doing, of course. We use Go. We we provide a communication, a very secure communication, a zero trust communication for our customers to, to communicate to their, self hosted service or private service from anywhere and applying a very sophisticated method of authorization, identification. And then only then, allowing them to go and, and connect with server whenever. So so that's one of our, features or services.

Gill Adda:

And all the networking, fortunately, is is written in Go. So now we have the ability not just to provide a a very secure networking and access control. Now we we can provide also post quantum networking going on the on, you know, on the public web on the public net. And that's fascinating because, the specific availability or the availability go for post quantum and and the fact that we write our networking can go just that is is a match. So it's it's in our it's it's becoming something very practical to our plans, that we will use it.

Gill Adda:

And then not just, something interesting to learn about, but also to implement and benefit from that.

Jonathan Hall:

We're coming up on time here, so I wanna ask a little bit, Ran. I wanna we we spent a lot of time with Gil. Ran, I'm curious to hear about journalism as it relates to Go because, I mean, Shay and I are kind of pseudo journalists.

Shay Nehmad:

We're we're mock implementation of, of journalists. We have the interface, but there's no no vest, no press, no card. I pay full price for museums.

Ran Barzik:

No sweats, by the way, on your family life also.

Jonathan Hall:

What's it like, being a Go journalist? Let's just let's just start with a general question like that.

Ran Barzik:

Okay. So basically, since I'm working on a more most of them on security items and finding holes and breaches and data breaches in especially in government, but not on for an Israeli government, by the way, or some private companies. It's much easier because you understand, first, a to find holes or find the security issues because it's much easier for you as a programmer, whatever of the of the goal. But if you see, for example, some error code, you understand exactly what is the problem and how to exploit it and what and much more important, how much time it will take to fix it. For example, if you see some service, some problematic service in the government, and then you're going to them and say, hey, you're hurting people.

Ran Barzik:

I know that active malicious actors are working with this breach. And by the way, it happens a lot of time. And then they tell me, oh, okay. It would take us about 1 year to fix it. And you know and you know that it will not happen.

Ran Barzik:

It's about, I don't know, 2 hours of work. You can use this knowledge and they use it, by the way. And sometimes they ignore it, but then I can, you know, put up a a news a news post about it and then say, yeah, you know, I'm a professional programmer. It would take me 2 hours, 3 hours for us to fix it, and they are not fixing it. By the way, one time I found a hole in the bank, for example, some HTTPS is a hole that didn't want to implement some security, some TLS, advanced TLS.

Ran Barzik:

And I prepare they say, no. It happened. It will take a long time, about 3 months of work. And then I record a YouTube movie of myself doing it while fighting with my children and eating a pita, a pita bread, and and do it in 5 minutes. So, if there are journalists out there that want to learn a Go, this is giving you a huge advantage in the journalist world.

Ran Barzik:

But most of the journalists don't know how to code, Most of them, not all of them. And it give you a lot a lot of advantages. A lot.

Shay Nehmad:

Just basically building a bullshit radar. Like, making your bullshit radar a lot better.

Jonathan Hall:

Are we allowed to say that word on this show?

Shay Nehmad:

You you have to build an IoT thing with Go called the bullshit radar, which reads, you know, newspapers and then yells if it's bullshit or not.

Ran Barzik:

Wow. Yo. You know? No. But a lot of you being a new a journalist, especially in the modern environment, it's very hard, by the way, much, it's much easier to white coat, I'm sorry to say, because a lot of threats, a lot of interest, a lot of people that yelling about you, on you, all about you.

Ran Barzik:

It's very hard, by the way. It's so if you're a go first and listen to it, they say, maybe I become a journalist. No. It's it's not a good idea.

Shay Nehmad:

Is it better to become a journalist or become a typescriptor if you're starting from Go as No.

Ran Barzik:

No. Journalist. If if you have some problem with Go, for example, say, oh, it's too much complicated. The the compilation time is faster, and I don't have time to to just, you know, lay it on and stuff like that. And then maybe I want to to and I don't like Go.

Ran Barzik:

Try for 5 minutes, try to it, and then we'll have you will have Go, by the way. Because it's but this is another topic or another story.

Shay Nehmad:

So other than the, journalistic work that, Ron is doing and is published, well, I I'm not, I don't read newspapers, but I see it on Twitter sometimes. You also publish content on the CyberArk, developer blog. I heard there's some specific ghost stuff there. Why have a developer blog at all? I I know a lot of companies are struggling with why do it at all, and what specific ghost stuff can I find there?

Ran Barzik:

I will start with, the rationale behind the developers blog. Before I joined the CyberArk before 2 years, the thing that the first thing that I I am doing before I consider a company, I just go into the developer's blog to see on what they are working on. If, what about my supposed to be manager, my future manager? He is writing a post, for example. What about the technology?

Ran Barzik:

What about the implementation? The developer's blog think a lot about how the company is working. By the way, if I'm also choosing a company for as a supplier, I usually look on the developers blog. So it's important both for the clients and both for the future workers, even for the inner worker, the current workers. It's very nice to see how a programmer is just writing a piece, writing a post, and publish it for the first time.

Ran Barzik:

It's so empowering both me and the and the programmer. So it's beneficial for everyone. It's not a lot of effort. And then we're working about a lot of, Go, posts and Gil. Please tell us about

Gill Adda:

First of all, I totally agree with you. I think as a developer, it was a a great experience to write posts. So I think that's an opportunity to work in in such a company that enables, you know, to write things. As an employee, it's it's it gives you, I think, a good feeling and, and also some kind challenge. We have written some posts on Go related to security, like Phipps, how to pass scripts, and and we see a lot of interest because there aren't many, posts on on the on the web.

Gill Adda:

How to do it? How to do it? What are your options? So several on on Go on that. Similar on on one monitoring, how to benefit from Go, new features on monitoring, and then I show how to, you know, to leak it into Prometheus and other open telemetry standards.

Gill Adda:

So it's quite nice to see that Go and the ecosystem is, widely used. And whenever we've got, you know, an idea to write on Go besides LLM and the AI and other things,

Ran Barzik:

we're right.

Gill Adda:

So just join us in, and enjoy.

Shay Nehmad:

And speaking speaking of, joining you, other other than, reading, you 2 are are too, like, humble to to do this plug yourself. So I'm gonna go ahead and do that for you. And let's say I go to the to the blog and I click on a CyberArk site and I see something called careers. What can I find there? Jobs.

Ran Barzik:

Well, I know. I I I'm hearing myself by the way. I hope it's not there from my my perspective. But anyway, we're searching a lot of, searching. We want to hire a lot of people in Israel, in other places.

Ran Barzik:

We have a lot of sites. And if you are interested in working in a great company, by the way, with, that will do a lot of interesting stuff, but in a very unique way, working with Go or any other country language, even taxi, you can try our career journey and ask Gil question. Don't don't not me.

Shay Nehmad:

So we have a link to the careers page in the show notes. So if you want to join CyberArk, as a listener, it's probably relevant. Feel free to do.

Ran Barzik:

Anyway, CyberArk is a really great place to work at, and we are doing a lot of interesting stuff. If you're interested in our several positions around the world, we don't have it only in Israel. We have a multinational company. So please go and check our career. And if you have any question, ask Gil Ada, not me because I have fluid my my LinkedIn is fluid, but ask Gil Ada, and really, great company to work with.

Gill Adda:

I totally relate to that. I think it's a great I think super nice people, transparent. I think that is something that I think great culture is something very important. And, also, technology, I think we are on the bleeding edge. So I just agree with what Ron said.

Ran Barzik:

And, also, we are located in the our main main office is in Petartigwa, the greatest city in the world. Like, Paris and Amsterdam and New York, but not like Amsterdam, New York.

Shay Nehmad:

Not not not exactly the Riviera.

Ran Barzik:

Yeah. Not like the Riviera. Beside the sun, the the beaches, and everything, it's like the Riviera. Very nice city.

Jonathan Hall:

Ron and Gil, thanks so much for coming on, and talking to us about a a whole host of topics. It's been a lot of fun. We'll put, links in the show notes, of course, to the careers page, to the company page, and, to your individual, profiles and so on so people can reach out if they have other questions. Thanks for joining.

Ran Barzik:

Yeah. Thank you very much. It was great.

Gill Adda:

Thank you. It was great meeting you and talking.

Shay Nehmad:

Thanks a lot, guys. Thanks again, Gil and runner of the call now. Thanks again for coming on the show, guys. It was super interesting talking to you. Jonathan and I were sitting here nerding out about the stuff we talked about for a few minutes even after.

Shay Nehmad:

So thanks a lot. If you wanna join Sabarack or follow Ran and Gil and their amazing work, all the links are in the show notes. And we after we turned off the recording, we talked about maybe future collabs, maybe we'll have Gil again. They wanted us to talk to 5 other people. So, unfortunately, we're still only doing 1 episode a week.

Shay Nehmad:

But thanks a lot for listening, and we'll catch you all, next week. Right? Until then, same time. Program exited.