MIND the gap, the buffer, and the GC; interview with Guy Gofman
The show is supported by you. Keep that in mind until after the show when we talk about that.
Shay Nehmad:That's foreshadowing.
Jonathan Hall:This is Cup o' Go for 11/14/2025. Keep up to date with important happenings in the Go community in about fifteen minutes per week and sometimes interview as we have this time. Keep that in mind.
Shay Nehmad:Oh, that's foreshadowing
Jonathan Hall:I'm Jonathan Hall, by the way.
Shay Nehmad:And I'm your co host, Shay Nehmad. Hey, Someone sent me our, like, fourth episode.
Jonathan Hall:Okay.
Shay Nehmad:Yeah, on LinkedIn, he was like, oh, I'm listening to the whole thing, from the beginning. And I I like clicked on the link and I was like, oh, that'll be a fun, like trip down memory lane. And I remember that we used to say, I'm your co host, Jonathan Hall, and I'm your co host, Shine Akman. Since then, we've dropped the titles. So before we jump into this week's news, would like to ask you, what is your title in the Cup of Go, you know, conglomerate?
Jonathan Hall:I think I'm just a cup of gopher.
Shay Nehmad:Cup of gopher? Yeah. I would like to be a chief of staff, CTO, CEO, vice president, president, emperor, the god king.
Jonathan Hall:Oh, I will grant you all of those titles as long as you put it in your LinkedIn profile. Actually,
Shay Nehmad:my LinkedIn profile is a little bit full already because I put a ton of hidden Unicode characters in it to prompt inject the scrapers. But I might. I might. I have just a boring, like, oh, founding engineer at company x. I could do, like, god king at at Capagun.
Jonathan Hall:I used to be the one of the leading members of the Air Capital Linux users group, aka a kludge. That was in Wichita. And one of the guys, he called himself dictator for life.
Shay Nehmad:Don't know
Jonathan Hall:if Not even benevolent. Yeah. Not he didn't even claim to be benevolent. He was just dictator for life. I I suppose that means he still is.
Jonathan Hall:If you're listening, Clint, let us know.
Shay Nehmad:Hi, Clint. Of kludge. Okay. So now that the title discussion is aside, we can do salaries, later. Yeah.
Shay Nehmad:Let's do some GO news.
Jonathan Hall:Let's talk about security.
Shay Nehmad:Yeah, let's, let's. We have actually a pretty security heavy episode. I wanna leave with the fact that we have an interview with a guy from, Mind, which was lot of fun.
Jonathan Hall:You say a guy from Mine?
Shay Nehmad:No, just Guy.
Jonathan Hall:That's just Guy. It's a guy called Okay, got it.
Shay Nehmad:Guy Goffman from, Mind. But we actually have a security release that's, going to come out on Wednesday, November 19. So it's like a fixed pre announcement to the crypto package. And looking up the CVEs, I was, like, kinda concerned. There's a null pointer dereference in Calypso with the same number of CV, which is already published, but I can't understand how it's related to Go because it's like internal c code in Linux.
Shay Nehmad:So I don't know if it's just a CV number mixed up on the security pre announcement or if it's actually related. I'll try to make a note to get back to it, but it's a vulnerability, in the Calypso library within Linux, specifically a null pointer dereference one. I thought it would be a good opportunity to bring our listeners into some drama from other languages because, you know, and other like ecosystems. Have you heard about this recent like Linux things?
Jonathan Hall:No, I haven't. I mean, use Linux, but I don't follow the news that closely.
Shay Nehmad:Have you used the sudo command in Linux?
Jonathan Hall:Oh, yeah.
Shay Nehmad:For many, many, many years, I assume.
Jonathan Hall:Yes.
Shay Nehmad:So you'd probably be surprised to know they're rewriting it. They're rewriting it in Rust.
Jonathan Hall:Oh, okay.
Shay Nehmad:And there's a whole movement of, like, rewriting a lot of the Linux kernel in Rust to make it memory safe, exactly to avoid vulnerabilities like the one I think the pre announcement accidentally mixed up in the numbers, like a null pointer dereference in the Calypso library within Linux, which is like a networking IPv6 thing. Yeah. Okay. These things won't happen if you use a memory safe, like, completely memory safe language, like, Rust, right?
Jonathan Hall:I guess that's the idea, right?
Shay Nehmad:So Yeah. That's the whole point, basically.
Jonathan Hall:Yeah. Exactly.
Shay Nehmad:So everybody's happy and there's no drama as you can
Jonathan Hall:Of course not. There's never drama about which
Shay Nehmad:So language to there's a rewrite of sudo called sudo rs, which has been deployed to the recent Ubuntu distributions and it has vulnerabilities. Not like memory vulnerabilities, not like null pointed reference, just like security vulnerabilities, like all normal ones. And people are up in arms because, you know, the original software has been written in C and it's super battle tested. You know, it's been out there for years and years, and now people are running in rust and very angry. But on the other hand, if you don't do this stuff, you get CVs like this.
Jonathan Hall:Right.
Shay Nehmad:Go is obviously not a contender for these, like, very low level operating system things. Right? Nobody would write a desktop software in Go. Nobody in the right mind.
Jonathan Hall:Why why foreshadowing again?
Shay Nehmad:But, yeah, I I thought it was interesting. Usually, these security buildings are more like you search for the CVE, you can't find it. But now I found it, so I don't understand what's going on. And I'll we'll we'll I'm I'll make a note to follow-up next week. Yeah.
Shay Nehmad:And understand what happened.
Jonathan Hall:Next week, we'll we'll let you know if they made a mistake or if if we made
Shay Nehmad:a mistake. It's actually related somehow to this problem? Possibly. I don't know. Anyway, on, November 19, if you use the crypto, x crypto, x crypto SSH or x crypto SSH agent libraries, you should probably upgrade.
Jonathan Hall:Probably should. In other news, something you might wanna update far, far into the future, there's been a new proposal that is currently unlikely accept stage. I don't think this would probably make it into 1.26, though it technically might because the freeze doesn't happen for two more weeks. But I imagine this is more likely to be in 1.27. The proposal is to remove cycle restriction for type parameters.
Jonathan Hall:You know how Go doesn't like circular dependencies and things like that? Yeah. It also doesn't allow a circular type parameters. So you can't create a generic type T that either directly or indirectly through other types refers to itself.
Shay Nehmad:That makes sense to me because how would you resolve it?
Jonathan Hall:Well, have figured out how to resolve it and they wanted to remove that restriction. Oh. That you could have circular type definitions for type parameters. So that's, yeah, I don't know the maths behind solving that problem,
Shay Nehmad:but it seems
Jonathan Hall:like it could be, forthcoming.
Shay Nehmad:What's the use case for, like, it's always hard for me to come up with a use case for generics anyway. But with one generic parameter or two generic parameters, can still visualize it, you know. But do you have any specific use case where you would use recursive, like, I don't know if it's recursive, but like cyclic type parameters? What's the Who's asking for this basically is what I'm asking.
Jonathan Hall:Yeah, I don't know what the specific use case is, but if I wanted to do this, I would probably consider like a tree walking or like an AST type of thing as a likely candidate for that. Or you have nodes that can reference different node types that reference themselves and, you know, something like that.
Shay Nehmad:So like linked list and all these sorts of things, you want to define them, if you want to define an operator on them, so like an element in the list has a less than function. You want to define an interface, but then you could do like element, e, element e sort of thing.
Jonathan Hall:Could be. But actually
Shay Nehmad:t, element t.
Jonathan Hall:There are some examples actually here in the issue. So one is, this is obviously a toy example, but an addable interface that takes a type parameter that returns a value that needs to be able to add to itself. I think it's hard to visualize that, but if you really want to go look at the the issue, it makes more sense when you're looking at it than I know how to explain verbally.
Shay Nehmad:Yeah. The the spec the final update on this from, Robert Griesmer is like, oh, Gopher bot closed it a bit too early, but it's it definitely seems like it's going to get implemented, like, going to be accepted soon. Yeah. And honestly, like, who would be against it?
Jonathan Hall:Yeah. I mean, if it's if it's reasonable to do it, then I think you should allow it. The only reason not to is if it's if it like creates infinite loops or whatever in the resolving algorithm, right?
Shay Nehmad:I mean, yes, I don't love the fact that a lot of people in the language are fussing with like edge cases of generics instead of improving more concrete things. Like, I don't love that that's where the attention is going because I haven't used them yet. That's crazy. But I think I've defined, like, two generic things with Go. Like, I'm just not finding myself using this stuff for my day to day.
Shay Nehmad:So and it's been a while. Like, it's not like they released it yesterday and I'm not immediately replacing. It's okay. I'm not saying it's not okay for them to not to, like, use this stuff, but, to work on this stuff. But I wonder how much of the mindshare should actually go to generics and, like, finalizing that or can we say, ah, it's fine, whatever, let's focus on other things.
Shay Nehmad:I've never seen that in the proposal process. Just like, yeah, this looks okay, but we just don't wanna do it because it's not important.
Jonathan Hall:I suspect that happens because there's lots of open proposals, I know this because I've created a few, that are neither closed nor getting attention. So they're just sitting there. I think that that's what happens when it's the kind of thing that they think is not important.
Shay Nehmad:And I think, you know, it's sensories and when you have a bunch of language developers that they would love to nerd out about developing languages. And to be fair, Go is doing a lot of like good, useful, concrete things all the time.
Jonathan Hall:I just wish they would add enums.
Shay Nehmad:Yeah, I saw you complain about that today, this week.
Jonathan Hall:Let's move on.
Shay Nehmad:Let's move on. Proposal rejected, add enums, please. Yes. I'm just kidding. We have another accepted proposal
Jonathan Hall:about Another proposal I'd like to talk about. We might have mentioned this before. I can't recall. This one's accepted. It's already been fixed or resolved.
Jonathan Hall:So I imagine this is coming in 01/1926 in February. It's just to add the peak method on byte stop buffer. This isn't about being a peeping Tom. Well, maybe it is. I don't know.
Jonathan Hall:I guess it depends on what's in your buffer, right?
Shay Nehmad:What's in your buffer? The
Jonathan Hall:idea of peak is that you can see what the next byte is in the buffer without incrementing to the next byte. Useful for certain types of parsing where you need to know like is the next character, does represent the beginning of a new object or is it a continuation of this string or whatever, depending on what kind of parsing you're doing. So this is something I would actually use, not frequently, but there are times when I've had to do this peaking and peaking without peak is difficult. It's possible, but it's difficult.
Shay Nehmad:So That seems super reasonable. I also like I can imagine it's useful for a lot of the stuff that Google is doing because they use protobuf and you have the type information, like the fields and whatever up top, right at the beginning of the, it's like a few magic bytes when you serialize a Yeah. Protobuf. File indicate, you know what I mean? Like, file magic bytes are usually at the beginning.
Shay Nehmad:Yep. If you wanna see if something is valid JSON, a good way is to open it and see, like if it's gonna be an object or an array, if that's the two things you're expecting. Speaking of that thing and just looking to see if it starts with curly braces or brands, just seems like super useful. Yep. Why is it difficult to do it without it though?
Shay Nehmad:Can they just like read the buffer?
Jonathan Hall:So you can read the buffer, but then your buffer has been read and you can't like it, in particular, if you need to pass that back or maybe, let's say that the operation is you're trying to read a string from JSON and you're and you get this this reader and you're like, if the next thing on the buffer is a string, I'm gonna read it. If it's not, I'm gonna I'm gonna do nothing. You can't do literally nothing at all. It's not possible. You have to do something.
Shay Nehmad:Oh, and then you like sort of invalidated the reader and you have Exactly. To reset Got it. Got it. All right. Is there any work left if it's accepted and there's already a change list or is it like all done?
Jonathan Hall:I think it's done, it's closed. Gopher Bot said it was completed two weeks ago.
Shay Nehmad:Well, Gopher Bot we saw from the previous, he's a little trigger happy. Cool. Well, I hope we'll see this in the draft release notes, But I'm I'm just waiting for Anton to really see some of that. Checking the block. All right.
Shay Nehmad:One last thing I wanna bring up is actually two things. I want to bring up one very stupid way to compare languages and one very smart way to compare languages. The stupid way is the t I o b e index. I saw this actually on Twitter. Someone was like, what?
Shay Nehmad:Go is, is only number whatever it is on this index and it's going down, it's very surprising. And I was surprised because obviously I'm biased, but I don't know if you feel it as well, but I feel like Go is having a pretty good moment. The TypeScript compilers in Go, a lot of AI related code, people realize it's just like chaining network calls together and are reverting from Python frameworks to Go frameworks. I feel like I was having a pretty good moment. It's not like in decline.
Jonathan Hall:Okay, so I wouldn't feel bad about Go being in on number 11 until I realized that Pearl is at number nine. I'm like, what in the world is this measuring?
Shay Nehmad:And Delphi? I've never literally never saw, I never saw a line of Delphi
Jonathan Hall:and the Visual Basic isn't number seven? My goodness, what is this?
Shay Nehmad:So I was surprised and then I understood the definition and then the definition of this index. Even though they claim it's like, oh, Python, you know, you can use this as an indicator of popularity and choose whether you should program your programming skills are up to date, make a strategic decision. You said it's a good index for non programmers because it actually just searches for language programming. So like people who search for Delphi programming or Pro programming or Go programming. And you had an in by the way, SQL, like who says SQL programming?
Jonathan Hall:Not programmers, I can tell you that.
Shay Nehmad:Yeah, I don't know. And by the way, you see like on number 16 or whatever, you see Scratch and MATLAB, so if and R. So I feel like this gives a pretty good indication of what this actually means. You you said this is like something like programming languages, but not for programmers or something like that?
Jonathan Hall:Yeah. I I think this is more or less measuring the popularity or maybe the interest in programming languages by non programmers. Because who else searches for Python programming 23% of the time? It's gotta be data scientists and and, you know, data analysts and stuff like that, people who aren't really vibegrammers.
Shay Nehmad:Vibe coders. Or or like university students, you know, or high school students or like Scratch, I think it's being taught in like middle school even. So it's like middle schoolers going through their library's computer and being like Scratch programming. I don't know. Anyway, this was kind of weird.
Shay Nehmad:And in contrast, I wanna give a pretty good resource for actually comparing languages, which is a short blog post, called Rust versus Go Memory, which is just a pretty short, blog post about memory managements in Rust versus Go. If you've heard about the differences between Rust and Go, you wanna understand them a bit more deeply, but you don't want like a super long blog post. This is like a good way to spend seven to ten minutes and just like understand very quickly what's the stack, what's the heap, what's the trade offs, why use this, why use that. And you know, if you need to decide if you want to do Rust or Go, which is a thing that I show, I see on the Reddit, the Go Reddit like once a week. Should I do Go or Rust?
Shay Nehmad:Should I do Rust or Go? What should I invest in? It's a big decision, I get it. But maybe read this and make an informed decision just based on the technical merits of both languages and your taste versus, you know, random opinions of people on the internet or really, really un, non elegant indexes. I'm sorry I said stupid.
Shay Nehmad:Like, they they put it out. It's okay. It's just not exactly showing what it's supposed to show, what it's claiming to to to show. And the blog post, obviously, it's in the, show notes, so feel free to go check it out. So that's what I think about all this comparing languages thing.
Shay Nehmad:One other thing to consider is where you run them. Right? Like, obviously, Go is a sort of a backend V language and there's no other place you would use it, right, John? Actually.
Jonathan Hall:Actually. I need to say it in a more condescending way. Well, actually, Shai.
Shay Nehmad:Actually.
Jonathan Hall:So I worked with a client a few years ago before I moved to The US who used Go on Mac and Windows machines, maybe even Linux desktops too. So they installed a sort of a daemon, a service, whatever. However, all it really did was download the main app, which was written in the native, you know, for the native operating system. But it interesting. And the reason of course this came up is because we're going to be talking with a guy from Mind who's doing some of the same sort of stuff.
Jonathan Hall:They're building services that run on Windows and Mac desktops, which is kind of fascinating. It's an interesting sort of niche case for using Go.
Shay Nehmad:Yeah, so we're gonna have a short break and then go straight into the AWS, stick around. Thank you all for supporting this show. This is a hobby, we do it for fun and to learn, about various, things such as stupid indexes and peaking and rest of the silly nonsense. But it's kind of an expensive hobby, takes out of our time and we pay for hosting and editing fees. So the best way to support the show is to join our Patreon.
Shay Nehmad:Kick in a few bucks a month via Patreon. If you wanna find the Swag Store, previous episodes, our Slack channel, our email, all the links, can find everything at cupogo.dev. And other than that, to support the show, can just share it with other people or leave a review on Spotify, Apple Podcasts, wherever you listen to your podcast, or write about it like in your blog or newsletter or internal Slack of your company or, I don't know, WhatsApp group, Telegram group, Signal group. I don't know what other, groups people are into. Discord, Discord Do you remember that?
Shay Nehmad:Barely. Oh my god. Any AOL, if anybody's still using it, you've got mail. And I'll just share the show to, you know, to other people you think would appreciate it. We want to talk we have a little bit of a programming note before we go not programming.
Shay Nehmad:Well, you know what I mean? Like programming, like the program, not programming like the language.
Jonathan Hall:Now I know how we're gonna confuse that TOB index.
Shay Nehmad:Yeah. Yeah. So next week, it's a normal episode. Week after that, it's, Thanksgiving. It's my first, Thanksgiving in The US.
Shay Nehmad:I'm very excited. I'm flying out to Chicago. That's the plan, at least. Unless you all decide to do more shutdowns.
Jonathan Hall:That'll never happen.
Shay Nehmad:So we're gonna take a break. We're gonna take a Thanksgiving break, give you a couple go less a week. So prepare, make sure to prep, download some episodes in advance, synthesize our voices using AI and generate an episode live because we're not gonna record one. Anything else for the break or can we jump to the interview?
Jonathan Hall:Let's jump to the interview.
Shay Nehmad:All right. Jonathan, how you feeling? How is the fabric on your shirt feeling against your body right now?
Jonathan Hall:This is getting personal.
Shay Nehmad:Your headphones on your head, you feel them?
Jonathan Hall:I do, yeah.
Shay Nehmad:That's good. I've been trying to practice mindfulness recently. If only I had something who someone on the show who knew a little bit about like mine. Oh, guy.
Guy Gorman:Oh, hello. That was tough and top intro of the year. Hey, guys.
Jonathan Hall:I don't know if that's the worst we've had or or not, but
Shay Nehmad:It's it's definitely we've the three.
Guy Gorman:Down the yeah.
Jonathan Hall:Alright. What are we talking about today since since we took all this time to get Guy here?
Shay Nehmad:Hello, Guy.
Guy Gorman:Hello. Nice to meet you guys.
Shay Nehmad:We're Guy Goffman. Guy, how about you introduce yourself?
Guy Gorman:Hey. So I'm Guy, Guy Goffman from Tel Aviv. I'm an engineering team lead at MIND Security. Started working with Go when I joined this company a few years back. Before that, my experience was mostly C, assembly, Python, usually for low level programming purposes.
Guy Gorman:So, anything from bare metal to Linux and reverse engineering. So quite a switch. Yeah. And now I'm a gofer like you guys.
Shay Nehmad:Welcome. Well, if it's a 180, degrees switch from reverse engineering just to normal engineering, it's exactly it's reverse reverse engineering.
Guy Gorman:Suddenly you actually write some write code that does something useful for the world.
Shay Nehmad:Yeah. Now just open it up in IDA. Yeah. You like Man, I love AIDA. Have you ever opened AIDA, Jonathan?
Jonathan Hall:Have you asked me that before?
Shay Nehmad:I didn't think Yeah.
Jonathan Hall:And I and I think I didn't know what it was then either.
Shay Nehmad:It's the best. I love that software, man. Whenever I see some my wife is doing some, like malware analysis right now, so I'll go in at home and she'll like, can you make dinner? I'll like, look over her shoulder on the monitor, it's eye to open, it's like, maybe I can do the malware analysis and you'll go cook eggs. This looks like so much fun.
Shay Nehmad:Anyway, sorry, distraction. Guy, welcome to the show and welcome to being a gopher. We actually met. I I did something for Mind. It was called something else then.
Shay Nehmad:I don't know if the previous name is like a secret.
Guy Gorman:No. We were called Tanin Security, which sounds pretty bad in Hebrew because in English, it's like the tannins of the wine or something like that.
Jonathan Hall:Yeah. Yeah.
Guy Gorman:In Hebrew, Tanin is a crocodile. I had to explain to people, yeah, come work with me. I work for Tanin, not the crocodile, the thing in the wine. Yeah. Rebranding was required before we got out of sales.
Shay Nehmad:I'm the The only thing I'm worried about when you name security companies now is I try to take the word and add security later because you're like, oh, Crocs security, it's like, okay, I secure the shoes, the little plastic shoes with the holes. So we wanna talk about how you use Go in mind, Mind security. But I think most of our listeners don't really know what Mind is because you all are pretty young startups still.
Jonathan Hall:Not only do most of our listeners probably not know, but half of our hosts don't even know.
Shay Nehmad:Yeah. Close to 50% of the hosts of Kabago don't know my idea.
Guy Gorman:How do you know that? Did you open the Go survey or something?
Shay Nehmad:Yeah. There's a lot of question at the end. Security?
Guy Gorman:Yeah, so for sure. Good question. So, Mind, we're building a DLP, a modern DLP solution. For those who are less familiar with what DLP is, it's a data loss prevention. Say you're an organisation, whether it's small or a big enterprise, you have plenty of data you want to secure, whether it's sensitive customer data, financial stuff, your own, I don't know, a private recipe that you want to keep secret, else your competition is going catch up.
Guy Gorman:And that data is all over the place, right? It's in the cloud like Google Drive, OneDrive. It's on the endpoint. So your individual workers, your employees have it on their computer, in whatever folders. It can be on a classic, like on premise file shares, if you're maybe a more legacy organisation, an email.
Guy Gorman:So, the data is everywhere and we want to help you prevent it from leaking. That's what DLP is all about. Specifically at Mind, we want to bring back actual security value to this specific genre of security products because DLP is an old concept. There's plenty. It has plenty of history and it's usually seen as more of a checkbox to get compliance.
Guy Gorman:Yeah, I have DLP. So we want to actually help you prevent leaks, help you find where your data is going. Yeah, that's what we do.
Shay Nehmad:Cool. So like a cybersecurity product that helps companies protect their sensitive data.
Guy Gorman:Yeah. And I didn't even say AI once in this intro, even though we do use it for classification. We have like tailor made classification per company. Maybe you want to protect the way you produce your, I don't know, electrical machinery. We use AI for that.
Shay Nehmad:And you all are also protecting Gen AI usage, I've seen.
Guy Gorman:Yeah, we are. I mean, it's all the buzz, right? I mean, it's what your company is also doing.
Shay Nehmad:Sounds like good business. I'll just say that. Yeah,
Guy Gorman:it might be a bit of a bubble. I'm not an analyst enough to say that, but we see protecting GenAI products as a feature of our general strategy to protect data. It can leak to GenAI, of course. It can also leak to your private email. It can leak to a private Google Drive.
Guy Gorman:It's the same for us.
Shay Nehmad:Cool. Cool. How long have you been with mine? Since the beginning, actually, if we met
Guy Gorman:Beginning, I'm one of the founding guys. Second or third, depends who you ask. So, yeah, I've been here for three years. Built it from scratch with the others, learned Go on the way, on the job and React and all that stuff. That's actually
Shay Nehmad:an interesting If you're one of the founding members of the team, you said you learned Go in Mine. So it's not like you came with Go experience and you said, oh, that's what we should use. So I guess the team was already pretty opinionated on using Go from the get go.
Guy Gorman:Yeah, it's a good question. I think our VP of R and D, one of the founders, Hod, he came from another cybersecurity startup where they used Go to great effect. And he liked it. I think he also likes the strongly typed stuff and performance languages. So I don't I wasn't actually part of the conversation on whether we should use Go, but I learned it on the job.
Guy Gorman:And we did have some code in Python at the beginning that we converted to Go, like religious ceremony. Now we're mostly a Go shop.
Jonathan Hall:So I'm curious now in retrospect, would you have chosen Go or are you happy with that choice? Do you think a different decision would have been better?
Guy Gorman:So I'll give a personal answer, but I do like Go a lot because I came from mostly C. Like if I had to write code, it was mostly C code. And there are some similarities. Like the things I like from C are present in Go, like having to check the return code or the error after every function call, not much keywords or ways to do things, but it is straightforward language. So I'm happy with Go.
Guy Gorman:I think it suits us well. And we have to be performant because we have a lot of incoming data from all those places I mentioned, from the cloud, from on premise file shares. So, Go works well for us. I'm happy we chose it.
Shay Nehmad:You're a part of the big block of the survey, of GovSurvey. That's like, yeah, Go is good. I like it. Which is I think like at least the survey shows it's most people.
Guy Gorman:Yeah. I mean, I can compare it to Python mostly because we did have Python for the data pipeline in mind at the beginning. Like someone had to write a script to fetch some initial data from our first customers. And we changed that to Go. I think that was a good decision.
Guy Gorman:Nothing against Python. Mean, used it quite often before, but having one language for everything is a pretty big pro. I mean, we had same class same libraries common across our back end and data pipeline. That's a big up. And I feel maybe it's just because I don't use Python well enough.
Guy Gorman:Maybe I'm more from a background where I use Python for testing and scripting. But I feel with Go, I write better production code. There are with Python, I make it work, but then monitoring it, fixing stuff, that's the hard part for me.
Shay Nehmad:I I agree with that completely. Like, I've been writing Python for production stuff since 2013 pretty much, and switching between like Python and other languages, mostly Go. And it just happens, especially when the team grows a bit, it's just very easy to make bad decisions in Python, starting from, you know, you define your your structs. Oh, well, you have to import pydantic and you have to, like, know a whole thing and enforce a whole style. And it's very easy to just do dot as dict and, okay, now I I don't enforce anything anymore.
Shay Nehmad:Monitoring, logging, it's, like, always a pain. You have to pick a library and it's very easy to undo that library. And, oh, I set the logging level at the wrong place and suddenly all my output includes every single HTTP request and response, blah, blah, blah. It's hard to do the right thing. It's harder to do the right thing.
Shay Nehmad:And it's harder to maintain. Everything's magic. It's like text running in an interpreter. What the hell?
Guy Gorman:Yeah, I do like that Go is opinionated and I don't have to argue with my team members about spacing and formatting and brackets.
Jonathan Hall:Oh, All
Guy Gorman:that stuff. It sounds like trivial things, but my previous job, that's half of our conversations, you know, half politics and half where to put the space.
Shay Nehmad:Well, our conversations, we Jonathan still found something to bike shed on. It's Naked Returns. So it's like that awkward part of every interview where we ask, what do you think about Naked Returns in Go?
Guy Gorman:I just don't like adding, sudden rules to the language after we have a certain style. Then you have to go and modernize it, you know, go modernize everything. But I don't mind really. I never felt this definition.
Jonathan Hall:So how are you using Go primarily? And maybe you don't know the answer to this, but like, why was it chosen? Was it for technical reasons or was it because somebody just liked it? I don't know. You know what, start over.
Jonathan Hall:I don't like that question because I mixed two questions up. Let's stick with the one that Shai mentioned. So how are you using Go at Mind? Are you doing anything interesting with it? Or is it
Shay Nehmad:Classic backend like stuff.
Jonathan Hall:Classic backend REST APIs.
Guy Gorman:Of course, every company got to have their classic backend crowd, talk to the DB and let me know what happened. Yeah. Our backend isn't written in Go. But we also have, I think, more interesting use cases in the company where we do use Go, where it's less obvious. Actually, my part of the company, we do the endpoint DLP.
Guy Gorman:So, just a little background. We want to prevent sensitive data from employees' computers from leaking out, whether it's to USB, printer, airdrop, browser and native apps. So for that, we have a browser extension, which is written in TypeScript. That's okay, though, because we have the native agent, which is written in Go for Mac and Windows. I think we had to make a big decision there whether we pivot to Rust or something more OS y.
Guy Gorman:We went with Go for a few reasons. One One is we already had the backend and the data pipeline written in Go. So, we could reuse the classifier, which is a big part of our product, determining whether data is sensitive or not. And we could reuse the policy engine that given a sensitive file determines whether that's an issue if it's being uploaded somewhere. So, we went from nothing to a basic agent that can protect your computer in like really a couple of weeks.
Guy Gorman:I don't think we could have done that with a different language.
Shay Nehmad:Yeah. Usually people don't associate Go with like on device, except Andy, like who's doing the fine stuff. I don't think people usually associate to go with, oh, that's a language I would use to basically build desktop apps. That's what the the agent is. But, I'm surprised to hear you, like, I obviously understand the benefit of, yeah, all the team is using one language, so the tooling and the stuff is better, but I'm surprised to hear you talking about reuse.
Shay Nehmad:So you're basically saying the cloud things and the backend things are in Go. So I and you said you had a script for data pipeline that used to be written in Python also written in Go, so fetching stuff from customers. But what I'm surprised to hear that you're running workloads like classification or policy engines on device. Oh. Or is or is that not actually what's going on?
Guy Gorman:It is actually what's going on. So Oh, cool. I'll say I said a lot of positive things. I also have negative things about Go when it comes to Endpoint, of course, especially once you go deeper into the OS.
Jonathan Hall:Are we allowed to talk about negative things about Go on this broadcast?
Shay Nehmad:I think it's journalistic Of are. Course journalistic integrity. You know what
Jonathan Hall:I mean?
Shay Nehmad:Intellectual Yeah. Integrity. Forget journalism. So,
Guy Gorman:yeah, we we do the classification stuff on device to be quick. I mean, we want to have an answer as soon as possible to make decisions without hurting the end user. I mean, one of the biggest pains of DLP products that they sometimes prevent employees from working if they break the machine. You know, we can easily cause programs to crash or performance to slow down and people will complain and the customer will demand the money back. So we try to do whatever we can on device within the bounds of reason.
Guy Gorman:I mean, we can't run an AI model yet, at least on device. So we have some tricks where the back end does the heavy lifting and we communicate with it to get quick answers. But a lot of it is on device.
Shay Nehmad:Awesome. Wait, you said you had negative things to say about Go. Yeah. Let us know. We might change podcasts.
Shay Nehmad:Might switch themes.
Jonathan Hall:A couple of Rust coming up next week. Yeah. Stick
Guy Gorman:I don't actually know Rust. I only know C in this category of languages. So don't worry. Yeah, a few of the issues we encountered with Gopher, the endpoint is once you try to use things like Windows API or Mac endpoint security framework and low level stuff. You may want to listen to security events that the machine emits so that you can make decisions quickly.
Guy Gorman:Go doesn't really have much of an ecosystem, sort of like the AI thing where people say, I use Python instead of Go for AI because there's so much of an ecosystem there. It's the same with the low level stuff. Say we were looking for maybe a library that's already handled things like ETW, the Windows events. But the best thing we found was last commit three years ago, 40 stars. You you have to write a lot of things from the ground up.
Guy Gorman:That's one of the things we encountered. Another example I have is you really struggle not to use C Go. I mean, to keep the benefit of Go, which is cross compilation being easy, just one flag when you're building, you have to avoid CGO. And, the Mac framework I mentioned, the endpoint security framework, that's how Mac, Apple wants you to interact with Mac when you're building a security product. And there's no, there are no native bindings for that in Go.
Guy Gorman:So you have to use CGO or write a separate plugin, which is what we're doing in a different language that communicates with the main Go agent.
Shay Nehmad:Mhmm. I wonder, like, these are shortcomings, not of like technical decisions in Go, but more of the fact that the Go community around people writing like, you know, desktop software or cybersecurity agents is either very cagey about its contribution or it's just not that large. Now y'all are 30 person startups, I don't expect you to like steward a huge open source effort within that. And also I think it's just a competitive disadvantage for you to invest any resources into making, writing, agents for Mac easier or whatever. But can you imagine, like, at what size of of company or team or capital would you be like, okay.
Shay Nehmad:I'll contribute this back to the Go ecosystem? Because this is something that's missing in the ecosystem, not technically in the language. You can't do it because, you know, oh, because of the way we the panic is implemented. It's more like there aren't enough libraries and there isn't enough support, right?
Guy Gorman:Yes and no. So I got two questions from you there. One is, are you going to contribute to open source things to make the ecosystem better? And one is, are there any actual technological gaps in Go, not just the ecosystem that are preventing
Shay Nehmad:I that's right. But I'm not trying to I'm not trying to put you on the spot. Like, first question is the leading Yeah. Yeah.
Guy Gorman:Yeah. We didn't really give much thought to contributing to open source libraries for the low level stuff. And not because of any competitive thing. It's just new to us. So we don't have it nailed down yet internally that well.
Guy Gorman:I think once we get our traction and have a lot of experience on how to work with Windows or how to work with Mac with Go, then we might step it up and help others do it, if that makes any sense. And about the technical gaps, actually, there are some major things that we encountered, especially around Windows. So, one of the major things is the garbage collector of Go is working against you. It's a feature, I mean. Right?
Guy Gorman:But, if you're letting Windows allocate memory for you, for example, you're calling, hey, Windows, open some buffer, give me some information from the kernel, then Windows is doing the allocation, and Go isn't really aware of the memory that it's supposed to be protecting. So it might and we've seen this happen. It might clean up our buffers before they're actually used, giving us panics. Or, for example, if I pass a slice to a Windows API call, Go I mean, Windows fills the buffer up, but the slice is still at capacity and length zero because Windows isn't aware of those internal things that Go has. And then Go might reallocate the memory or switch it around.
Guy Gorman:So we have to go use things like a pinner in Go, which tell you have to explicitly tell the garbage collector, hey, this memory is in use. I got this. Which isn't that obvious.
Shay Nehmad:That's weird. But, you know, we had a George Adams from Microsoft, on the show, in August, episode one twenty one. You we could you could probably reach out to him and be like because they have a specific Microsoft build of Go. I think it's mostly for back end, you know, crypto, gov, compliance. But maybe they maybe they can set up some, you know what I mean, make Windows cooperate better with it.
Shay Nehmad:Maybe it's a bit too low level and I'm, like, misunderstanding it. But I'm sure, like, the GOAT team at Microsoft is the people you'd want to talk to about.
Guy Gorman:Yeah. That's a good idea actually. I mean, we have some heavy lifters for Windows in our team, like really GOAT guys that I trust to know when memory is safe or not. But yeah, actually Microsoft might be the best place to go for Windows. Yeah, the memory stuff is one issue.
Guy Gorman:Also a lot of Windows API calls require you to stay on the same OS thread. You open an object, you read and send messages and then you close it. It all must be on the same thread. Go doesn't really care about threads in that way. Goroutines can move about.
Guy Gorman:So you have to either lock threads and then you might affect some other workload you're running. It's a it's tricky. It's easy to get wrong. That's what I'm saying.
Shay Nehmad:Mhmm. Yeah. It's a it sounds a bit awkward. The Microsoft like, I remember the the Win32 API stuff was almost impossible to integrate with. I think I actually gave up when I tried to do it and, like, switched to C plus plus when I just tried tried to write something with a Docker two Win API.
Shay Nehmad:Was like, whatever.
Guy Gorman:Yeah, there's
Shay Nehmad:But that was that was many years ago, so if that's still the experience, it's interesting.
Guy Gorman:There is a library, like an official one, axe syswindows, that has a lot of the wrappers for syscalls.
Jonathan Hall:So you
Guy Gorman:can just call it as a function, but many things aren't there. You just have to create your own wrappers and make mistakes usually. Because, for example, you're used in Go to receive an error and then check it. Right? But we're using those WinAPI functions.
Guy Gorman:You have an integer that you have to check and then you can use the error. Sometimes the error is not non nil, but it's just the operation finished successfully, which is quite confusing.
Shay Nehmad:The Right. The X Jonathan, I always forget this. The X libraries, are they official? Or are they official ish? What what's the what's the verdict on that?
Jonathan Hall:I guess it depends on how you define official. They're not part of the standard library, so they're not held to the same compatibility guarantees and stuff like that. Some of the standard library depends on the X libraries, though, especially these WinSyscall type things, which is interesting. But what that effectively means is that they have a different release cadence. They can be released more frequently than the standard library and that the API isn't guaranteed to be stable from Go one point zero forward.
Jonathan Hall:So they can interest breaking changes so long as it doesn't break standard library calls on old versions of Go. So there's a weird relationship there.
Shay Nehmad:It sounds a bit funky. One question I'm interested in is, and this is sort of by the way leading to something you probably want to talk about anyway. You're hiring for low level engineers and engineers in general for my, which is awesome. Have you been able to find like low level engineers who wants to work with, Go?
Guy Gorman:Oh, that's a great question. Yeah. We're hiring I don't like to say we're hiring only low level engineers. I can if I get
Shay Nehmad:No, I mean, your team is.
Guy Gorman:Yeah. My team also, if I get a talented software engineer that never had anything to do with low level stuff, I think I can work with him. Half my team were in the back. Like we were one team at the beginning of the company, and then we split up to endpoint and the rest. So many of my guys don't have the background, but it still works if they're all good guys and they're good with computers, you know, so they can understand that.
Guy Gorman:Yeah. We It's a good question about whether they want like they're real heavy, heavy lifters that know operating systems, whether they want to work with us or work with Go more specifically. The best guy or one of the best guys I've ever seen for Windows, he's working with us. He was really frustrated at first with the language. He wanted to switch to RAF or something else.
Guy Gorman:But it ended up working fine because the kernel stuff or DLLs, We do write in CPP. We're not Puritans. Yeah. If we do something really low level and that's the most efficient way to do it, then let's write it in whatever language is most appropriate. And our agent that is written in Go will serve sort of as a web service.
Guy Gorman:Right. Right. So on local host or via inter process communication, those native parts can talk with the main Go agent that access the brain. So I don't think that's a using Go is something that scares away low level engineers.
Shay Nehmad:Cool. Just to highlight this, mind is hiring. I I visited your offices. I feel very comfortable shouting y'all on. And I also know Hod and Ohad and whatever, in Itay.
Shay Nehmad:Yeah. Really, really good people. So if you're in Tel Aviv, they're hiring engineers of all sorts, I guess I should say, and and a technical writer, for product management. And in The US, social media managers and technical account managers and directors of sales and all the usual GTM functions. Although I'll be super surprised if a director of sales engineering engineering is listening to us complaining about calling Win32 APIs within Go processes.
Shay Nehmad:Although if there was ever a director of sales engineering that you would hire, it would be that one, right?
Guy Gorman:Yeah, we're hiring. So, mind. Iocareers. Looking for fun people to work with. Yeah.
Guy Gorman:Cool.
Jonathan Hall:Cool. Cool.
Guy Gorman:Just to shout ourselves out, the top person in the hall of fame for Shy's git capture the flag is still one of our guys. Undefeated. Yeah.
Shay Nehmad:Mine are undefeated. I actually showed someone the I did a walkthrough of the entire thing, like, kind of quickly for someone and I didn't beat Ohatstein. It's
Guy Gorman:good to meet him. I don't know what he was taking, man.
Jonathan Hall:I hear some inside references happening here. Can you explain what we're talking about?
Shay Nehmad:Yes. I have a little CTF capture the flag challenge that I used to I used to do it more often. I should get back into it. I don't know. People are less interested in like mastering tools now because of AI, but it like teaches you git commands and whatever.
Shay Nehmad:And a lot of people have solved it, but only one person has solved it so fast that I was like, I literally felt like apologetic that he's not, like, not getting his money's worth. And that person is, one of the founding people over at mine, First name, Odd.
Jonathan Hall:Got it.
Shay Nehmad:I think it was like twenty four minutes, something crazy like that. Jonathan, you should try that CTF sometimes. I know you're bit
Jonathan Hall:Well, you need to put a link in the show notes so anybody can try it.
Shay Nehmad:Oh, I definitely will. That's a good idea. That's a good idea. It's fun. I should update it at some point.
Shay Nehmad:It doesn't include, like, new commands because I don't use them because I just, like, learn the get off my lawn type of mindset. No. I'll never use git switch. I'll just I know git checkout and that's it. Anyway, cool.
Shay Nehmad:I highly recommend if you're looking for a job right now talking to Mike. They're a good couple.
Jonathan Hall:Alright. I have I think I have probably one last question for you here. So I think most of our listeners are accustomed to writing back end software. They probably deploy to Kubernetes, to Docker, to Lambda, something like that. How do you manage all that on your on these desktop machines?
Jonathan Hall:Are you are you installing Kubernetes? That must be what you're doing, right?
Guy Gorman:Not yet. Not yet. I think it came up at one point.
Jonathan Hall:Quick anecdote. I used to work with a guy who installed Kubernetes on point of sale systems. I think it was for Sonic restaurants around The United States. And that's how they managed everything. It was like these little tiny DOS systems all ran Kubernetes locally anyway.
Shay Nehmad:Oh no.
Jonathan Hall:So it can't be done.
Shay Nehmad:Well, probably helped them a lot because I've tried Sonic since I moved to The US and the fries are absolute fine.
Jonathan Hall:Have you had their cherry limeade?
Shay Nehmad:I I haven't I haven't frequented all the fast food restaurants yet because I don't eat outside almost ever, but the few I have, like, the difference is is crazy. I guess that the real difference in taste is the local Kubernetes. Guess that's what KFC are doing. So that's
Guy Gorman:a good question. No, we don't use Kubernetes. Usually the flow is that the customer uses their MDM, their mobile device management, the way usually big enterprises have software that helps them manage their endpoints. So we give them an installer and that's it. They just run it, like decide which users they want to have the mine protection.
Guy Gorman:Once the agent is installed, registers itself as an operating system service. So, Windows services or LaunchDaemon on Mac. And then the operating system takes care of rebooting us, of starting us on when When the machine turns on. Yeah. Our philosophy is to try to use the operating system to help us with orchestration as much as we can.
Guy Gorman:For example, the updater that takes care of updating the Mind Agent is registered as a scheduled task on Windows that runs once per hour.
Jonathan Hall:Got it.
Shay Nehmad:Good. And doesn't that mean that customers can, like, go into their login items and just, like, uncheck mine?
Guy Gorman:It could mean that. But I just recently
Shay Nehmad:I just recently did that. Like, went into my Macs, you know, thing and turned off all the software. Like, I don't I like linear, I like Notion, I like Grain, I like Gnolan, I like all these. But I don't need them when I boot up the machine. When I boot up the machine, want to Well, I need to boot up as fast as possible.
Guy Gorman:Yeah. Anti tampering is a whole subject of writing code for an endpoint. Like you don't want the user to manipulate your agent, to delete it or to make it to do weird things. So, usually that's up to the customer. They can define what programs are enforced.
Guy Gorman:Same for our browser extension. It's also force installed for users. Me personally, as an employee, I might not like it because, you know, why are you spying on me? But we try to be as to respect privacy and all that and be harmless unless really a security event is happening. So no reason to delete us and no way.
Shay Nehmad:Awesome. So we, you know, to round out the interview here, we usually have what we call a stopper question, which is like the same question we ask all our guests and then it's interesting to, compare, which is, I think first year it was what you like about Go and what you don't like about Go. We ended up with a full feature list of entire, all the Go features on both columns. And then we changed it up for the second year, like when you started learning Go, but you actually answered that already. This year, it's, who's the person who influenced like your Go journey the most?
Shay Nehmad:So yeah, lay it on us, who, because you are a pretty recent gopher, so I'm interested to hear. We had people on the show. Yeah, I've started in 2001. I did inception. I incepted the Go team.
Shay Nehmad:So I was very, really happy to see it. You know what I mean? But you're a pretty recent gopher, only during the last couple of years. So who influenced your journey so far?
Guy Gorman:Yeah. So I've only been using Go for about three years. Obviously since this is all within the same company, the people who influenced me the most are from So my boss, I guess, the VP of R and D at Mind, Hod, He was a big influence, you know, aside from code reviews and the obvious stuff. He also directed me to like the Dave Chaney's blog, which is I really like it. And it's influenced the way I write Go.
Guy Gorman:And to lectures by Michel Hashimoto, where he talks about testing and how they do it at HashiCorp. So I got to credit HOD for shaping and directing me to be more than just a code monkey. Another guy
Shay Nehmad:That's going on.
Guy Gorman:Yeah. Another guy I would like to mention is Itay, Itay Schwarz. He's a CTO at Mind, which usually isn't a technical guy, but he really is. And thanks to him, all my variable names are one letter because that's how he told me Go should look like. Oh, He really influenced me.
Guy Gorman:No, just kidding. He did make me less of a guy and more of a gopher.
Jonathan Hall:It.
Guy Gorman:Good to him.
Shay Nehmad:I just got a I can't imagine the entire code base on Pyrene with single, letter variables, but then I realized they all probably have more than 26 fairy. They
Jonathan Hall:just have really small scopes.
Shay Nehmad:Yeah. Just reuse x, x equal.
Guy Gorman:I remember he came, like, to my to where I work and he said, why did you call that variable connector? C is enough. I'm like, are you sure that's enough?
Shay Nehmad:I love that. I love that. I'm just making up a straw man in my head, a programmer who learns Chinese just to keep all their variable names single characters, doesn't know Chinese at all, just knows the character names. Although I get I I hate Unicode and source code anyway. Anyway.
Jonathan Hall:But ASCII is all Unicode, Shy. What do you mean?
Shay Nehmad:Oh, that's right.
Jonathan Hall:ASCII is Unicode. ASCII is a subset of Unicode, so I don't know what you're writing in.
Shay Nehmad:Just white space.
Jonathan Hall:Alright. Well, how can how can listeners find mine? How can they find your your job board if they're in the area and wanna reach out?
Shay Nehmad:Yeah. Or if they wanna buy mine, if that sounds like, oh, I hate my old DLP solution, blah blah blah. Want something new.
Guy Gorman:Yeah. So they can go to mynd. Iocareers buy the product. Yeah. Tell tell them, guy sent you.
Guy Gorman:We're gonna get 20% more salary. Don't worry.
Jonathan Hall:Mhmm. So
Shay Nehmad:that's a strong domain, mind.io. It's a good one. Alright. Thanks a Guy, for coming on the show. Thanks for, reaching out.
Shay Nehmad:This is like all of you, man. I really appreciate it.
Guy Gorman:It was fun, guys. Yeah. Enjoyed talking with you.
Shay Nehmad:And thanks to you all for listening. We'll talk to you next week. Program exited. Program exited. Goodbye.
Creators and Guests
