Shay NehmadThis show is supported by you. Stick around till the ad break to hear more about that. This is Cup of Go for 02/06/2026. Keep up to date with the important happenings in the Go community in about twenty minutes per week. I'm Shay Nehmad. I'm Jonathan Hall. Did the new Go version come out yet, or are we still waiting for Valentine's?
Jonathan HallNo. But yes. So 1.26 has not come out, but we do have some new 1.25 release to talk about.
Shay NehmadOkay.
Jonathan HallSo like a half new version ish? Mhmm.
Shay NehmadThis new version includes security vulnerabilities, which is a good chance to mention that we have a interview coming up. You wanna say with whom?
Jonathan HallJacob? I can't remember how to say his last name now. Tiak? Tiak? That's not quite right, is it?
Shay NehmadIt's close. It's close enough. All about the security, research and security vulnerabilities. So we decided to dive into the security release this time as well, even though it's not his research. It is Ryutak, which is someone we mentioned on the show before with this, like, anime website that looks all cutie and and, you know, colorful rainbow background. And you had a moment of, like, stick like, I don't know, sticker shock or whatever when you visited their CVE page.
Jonathan HallYeah. So their their front page says they're 29 21 year old security researcher, which we talked about a couple weeks ago. But they've been doing security research reporting CVEs since 2019, which means I was in diapers when they started doing this almost. Not quite that bad, but, yeah, they've doing this for quite a while.
Shay NehmadYeah. And the CVE page, you gotta scroll a whole lot to get to the bottom. I mean, there's a lot of, a lot of vulnerabilities here. So I I sent them a message on Twitter, but I don't know if anybody knows them and can get them on the show. That would be super cool. Almost as cool as the security vulnerability they reported this time, c m d slash go, potential code smuggling using Doc Comets. What? Okay. So there's a class of vulnerabilities that's like denial of service. Right?
Yeah. There's a class of vulnerabilities that's like, Stack Overflow or Buffer Overflow, And there's a whole stack of vulnerabilities called code injection Mhmm. Which is you manage to, like, smuggle code into where it shouldn't really go.
Jonathan HallNot to be confused with dependency injection. Right?
Shay NehmadHonestly, it's like what They're kind of similar. It's it's like on purpose.
Jonathan HallYeah. Code injection is like
Shay Nehmadon purpose, but on purpose of the attacker without the or, you know, people knowing about it. So this vulnerability is all about, how Go like, Sego, sort of parser parses the comments to turn code into c code when it compiles it. I read the the change itself. You know, as always with these things, the change itself is kinda, oh, there's a for loop they deleted and they're not putting the doc field anymore. I I tried to understand how it works and I think I understand how it works now.
So when you want to export a function from Go code that you compile to CGO, right? Mhmm. You add a comment above it that's like slash slash export. It's like, you know, various Go compiler flags that you put in a comment. I don't know. Maybe you can think of one, these, like, compiler directives that you put in comments.
Jonathan HallYes, there are. Go generate, there's a linking directives.
Shay NehmadYeah. So it sort of checks if the text of the comments starts with slash slash export, and then what it used to do is it used to add all that documentation just using, like, oh, for, doc in doc, add it to the doc with a new line in between. But I think that meant if you included the word slash slash export and then the the line after it wasn't a proper documentation line, but maybe you could include it you know what I mean? You could, like, sort of smuggle proper c code into the c binary, even though it didn't really look like it. I think it might also be, like, oh, slash slash and then slash star star slash, and then the comment is, like, ended, and now it's a it's a proper c code.
Uh-huh. And the solution was just like, who cares? Just don't include the documentation in the resulting c binary because this is like a compile output, so there's no reason to include it anyway.
Jonathan HallRight. Right.
Shay NehmadI think it's a breaking change, actually, but I think it's, like, breaking in a way that only the attackers that use this, care about. But, you know, just imagine, like, a comment that's, like, you know, this is harmless. The next two lines are a vulnerability. And then it's like star all this documentation I just talked about is in slash star block.
Jonathan HallUh-huh.
Shay NehmadAnd it's like int injected value equals, one three three seven. This is real c code. Then after all that nonsense, you close that, like, multiline comment and you put slash slash export. The way the code works right now, that c line will actually become a real c line of c code, which is, like, crazy. And now, you know, the the patch just prevents that because it removes that entire logic of including the doc because who cares?
Because it's untrusted user text. Right. Super cool. Like, I would never think about it. Super cool attack vector and and a very simple solution as well.
Jonathan HallWell, I have to say I'm at least relieved that it doesn't allow you to inject arbitrary CSS because who wants CORS problems in their goat binaries?
Shay NehmadThere is another security thing in this release in Crypto TLS, but I I didn't even start reading it. It looks too complicated for me. Something about certificates and clients and whatever. As normal, what's our recommendation when these patch releases
Jonathan HallTLDR upgrade. That's it.
Shay NehmadExactly. So that's the security release, like we said, upgrade. What are we gonna talk about next?
Jonathan HallNext, we're gonna talk about something completely different.
And now for something completely different.
Jonathan HallUUIDs. How often do you use UUIDs in your Go code, Shai? Imagining that you use Go still.
Shay NehmadI use Go, and I use UUID in Go all the time. Which which Whenever package is I set whenever I set up a database table and I want the primary ID I know that people have problems with me using UIDs in, you know, as my primary key because it doesn't scale or whatever, but I don't know. For me, it works really well. So all my primary keys are UADs, and whenever I have to save a file locally, you know, and it's just like, oh, download the thing. Or whenever I use I I don't know.
I interface with Airtable, so that's a great primary key. I use it all the time. Basically, all the time. It's such a great thing that you can just grab a value and it will always be unique.
Jonathan HallYes. Which library do you use for that?
Shay NehmadGoogle UID.
Jonathan HallYeah.
Shay NehmadBut every time I do it, I'm like, man, I just wish it would be like from STD import UID. You know what I mean?
Jonathan HallYeah. That's what we're talking about. We have two competing ish proposals,
Shay Nehmadto do this. Oh, and I will say before you continue that I use UID for, but it's just because I know I remember from 2013 when I learned about UUIDs, that 2012 even, that someone told me UID one, two, three are not good and always use UID four. And that's it. Like, I don't even know why.
Jonathan HallSo that's kind of, I guess it's related to what we're talking about. UID four is random, so it's mostly random bits, which is nice from a security perspective. You don't have incremental IDs, but it's a nightmare on database indexing for certain types of indexes. Right? Which is why UUID seven is often considered for database performance purposes, but that adds time as part of the UUID, which makes it incremental but still partly random.
But you could still determine, like, the timestamp that a thing was created by using UUID seven. So there are security concerns that are involved, but it gives you better performance. But all of that to the side, the proposals here are for adding UUIDs to the standard library, and there's two different competing proposals. The first one, which was recently added to the GoTeam's backlog, so I suppose that means it's more likely to be accepted, at it's being discussed actively now, is to add a new package called crypto slash UUID, which would add support for UUIDs version three, four and five, notably not seven that I just talked about.
Mhmm.
Jonathan HallAnd this would be to more or less replace the the Google package we're just talking about, at least for many common use cases. Competing proposal is to add UUID four and seven, constructors only, to the existing crypto RAN package. Now the main difference, I think, between these two is that the first one I mentioned, well, aside from supporting different versions, three, four, and five instead of four and seven, is that it would also include support it would just it would be a new data type. Right? Similar to what you have in the Google pack.
Shay NehmadThat's cool.
Jonathan HallYeah. That's cool. So it would give you a, like, a byte representation that you could then convert to a string and vice versa. It would have parsing and generation and all this stuff. Presumably, it would put the necessary marshallers or unmarshallers on those types as well for text marshaling and database reading and writing and all that stuff.
Shay NehmadAnd I just wanna say before you compare the the two types or whatever, it's, like, super important. It's, like, the most used Go library according to this blog post That's, like, not a testing library. Yeah. So I know there's a y not in y x not in standard library
Jonathan HallMhmm.
Shay NehmadSort of proposals like I did with, YAML. You know what
Jonathan HallI Yeah.
Shay NehmadSo what's the justification other than popularity? Like, why are these proposals on the radar now?
Jonathan HallWell, so, like, you you really I think you hit the nail on the head there. This is one of the most imported libraries. Virtually every database program out there imports this Google library. So, you know, that's a pretty strong signal that it probably belongs in the standard library. I suppose the reason against it is that it's not complicated.
It doesn't change or virtually never changes. You know, occasionally, maybe a v nine will be invented eventually, but it's not like it's it's not like YAML where there's like all these different questions about edge cases and so on. It's a very straightforward sort of thing. So I do think it makes sense to put in this inner library. I think the question that these two competing proposals are more or less, you know, implicitly posing is how much should go into the standard library.
So let me talk about the second proposal, the more limited one, to sort of give a contrast. So the more limited proposal is to add two functions only to crypto rand, UUID v four and UUID v seven, both of which just return a string. Now you you might be wondering why not this, you know, byte slice type that is maybe more compact in memory, Strings don't have marshal and unmarshal functions on them and so on and so forth. The argument is that UUIDs, according even to their own RFCs, are meant to be used as opaque IDs. They're not meant to be parsed.
They're not meant to be manipulated. So I can sort of see the argument there, But I do think we need a wire transfer protocol that's that's more effective than a string when we're writing to Postgres or or whatever, you know. Some some serialization formats will just use a string. Some will use a byte representation, and something has to do that translation for you. So I guess I'm weighing in in favor of the more complete implementation, but I do understand the the argument that these are meant to be opaque strings.
What do you think?
Shay NehmadDefinitely, definitely grab the binary one. People will if you write it as a as a string and only offer a string option, you know, immediately people will write their own wrappers that convert it to the binary representation for, like, protobuf or whatever, but then it won't be a generic STT not not generic, like, a unified UUID type that's from the standard library is just gonna be sometimes bytes buffer and sometimes, you know, my library's Mhmm. UUID representation. And then, you know, I take one library, let's say it's a database driver that has, you know, a UUID column. So I take that type and then I wanna convert it to, you know, some, I don't know, serialization library because I wanna send it as a protobuf packet, and then it's that UUID, and then I write I need to write the converter.
And again, UUID is like date. It's not an, int or string in the sense that it's a super basic thing, but it's such a useful and I think the word I'm looking for is ubiquitous concept Yeah. When you're programming that it just it's like date, you know, you could have date not be a standard thing and then find yourself in in JavaScript's shoes where, you know, they hacked the date, it actually represents time, and now they have a proposal to change it to temporal. But, you know, in Go, we have date. Right?
We have time as part of a standard library. There's no question. When you get date and time from, like, libraries, they give you a Go date object, and you're like, oh, great. I can use this. So if you pick the very specific, you know, proposal that's like add u a d v four and u a d v seven that return a string to to the crypto rand, it's gonna be, like, official enough that people will use it, but not good enough, and people will still have to import the go Golang URAID the Google URAID package.
Jonathan HallHonestly, I think if that proposal were to be accepted, would find myself writing custom linter rules to say never use those functions and not let you do the other one, because I want the byte representation.
Shay NehmadIf we want the new UAD thing to be adopted, it should be as close to a drop in replacement to the Google UAD package as possible to the point where GoFix could replace
Jonathan HallThat would that would be nice. Yeah. I don't know that I would consider that a deal breaker depending on what exactly they they choose, but it would be nice for sure. Yeah.
Shay NehmadI I definitely think the full implementation needs to be included. I do think it's interesting, you know, it's not true that that UADs are opaque identifiers because, you know, general it it says it says as a general guidance, avoid parsing is generally recommended. Right. But, you know, this I don't think it applies when you're deciding on writing the UUID library. This is the one place where you don't think about it as, oh, it's just a string.
Jonathan HallIf you have a database with a UUID type and you're inserting something into it, it needs to be valid. And if you have a string that you have to convert to that type, parsing must happen somewhere. Maybe it doesn't happen in Go, but it happens somewhere. So, yeah, the idea that that you have a string representation of a thing that isn't a string and you're not gonna be parsing, I think, is kind of ridiculous.
Shay NehmadAnd by the way, if you don't do that and then you just put a string in, you can get invalid UADs going in. Like, full zero is not a valid UAD four. It's not a valid UAD seven. You shouldn't use it. You know what I mean?
Jonathan HallOkay. Perhaps. That's an argument to be made. But more important, like, maybe you'd have the wrong number of characters or you don't have base 64 or, you know, you have a smiley face emoji in your UID or whatever.
Shay NehmadNo. I will say that even if it is the right length and even if all characters are whatever, the the insidious thing is I think in v four, the the two middle bits Mhmm. Are limited because they represent the version or whatever. Right. So if you put I if it doesn't you you need to look.
Even if you look at the at a UUID, it's hard to see if it's valid or not. Right. But if you just let I had a coworker recently who would let, like, you know, AI auto complete auto complete the UUID, And it generated a plausible looking series of strings, but it's not a valid UUID. And he didn't understand why things weren't working for him. And then I looked at it, like, physically with my eyeballs, I was like, look at the two middle numbers.
That cannot be a valid UUID. I felt really smart at that moment, but like if it were a proper UUID type, you know, it would work. This is not a bash
Jonathan Hallat go by the way, because this
Shay Nehmadwas at work, so it was TypeScript so far removed from the improvement. For
Jonathan Hallmany applications, that level of detail doesn't matter. That's, you know, where I can see the argument for this should be, you know, opaque values. But even if you treat them as opaque byte values, the string representation needs to be converted to bytes at some times, and that that just breaks the the abstraction that this second proposal is trying to produce.
Shay NehmadSo I'm very much in in favor of, 62,026. I think it's a good proposal. I would be very happy to see it added to go. And it's pragmatic. Like, I know that there is Google UID, but it's the number one non testing library. I mean, come on.
Jonathan HallAnd it's a Palindrome issue number, so what's not to love?
Shay NehmadI didn't even notice.
Jonathan HallNow if we could just have a library that creates Palindrome UUIDs, that would be even better.
Shay NehmadYeah. I also like some, extra proposals well, extra suggestions here in the in the discussion, that includes, you know, you have parse, must parse, new, new v four, new v seven, which I like, v seven a lot, by the way. It's it's really cool because it's like, as time goes on, the UUIDs get higher. So it's really useful for databases and, you know, it's like also update the database SQL to be aware of a new UID type. And someone else, it five one two suggested adding a is zero function, which is an empty UID all zeros, which is a special UID value.
And we, for example, at work use it to indicate like, oh, there's supposed to be a UID here, but we don't know the ID yet. So, you know, later on, we can have a cron job that finds all nil UIDs and tries to match them up. It's like super useful. And the max UID, which is, all set to one. I don't know where I'd use that, but seems like it's useful to mark out the zero and one cases, you know, very specifically and give them names.
So there are a few extra suggestions here, and the API generally looks really good.
Jonathan HallYep. I think we should do it. I hope it gets approved.
Shay NehmadI commented on it that we both you and I approve of it right now.
Jonathan HallWell, I'm sure it'll be accepted now because our our voice is so important in the community.
Shay NehmadDuring maybe I it's my, like, Shai's touch of death. You know what I mean? I commented on the proposal, so Russ is gonna swoop in and be like,
Jonathan HallShai wants this. Close it now. Alright. Well, I think we have a quick break and a short lightning round before we head on to our interview with Jacob.
Shay NehmadAlright. Let's do it. This show is supported by you, like I mentioned at the top of the show, via Patreon. We wanna shout out our new Patreon, S, literally the word S. Thank you, mystery man or woman or AI bot for subscribing to our show. You can do that as well. This is a hobby. We do it for fun, but it is costly. Editing fees and hosting fees and whatever do cost money. So we would really appreciate you going on Patreon and subscribing.
We have two tiers, $8 a month and $3 a month of the mini version if that's more comfortable to you. You wanna find the Patreon link or links to past episode, our swag store, our, Slack channel, cupago, kebab case with hyphens on the gopher slack, or anything cupago ish, you can do that on cupago.dev. That's our little site. And if you wanna send us an email, that's news at cupago. Dev.
One thing I thought about during our interview that's coming up right now, but we actually recorded before the show, maybe we should have like security at cupago.dev. If someone finds a security vulnerability in Kappago can can we set that up, that
Jonathan Hallthe mailbox?
Shay NehmadWhat's our what's our bug bounty like if someone finds, like, a remote code execution on kapago.dev?
Jonathan HallWow. That would be impressive. Yeah. Let us
Shay Nehmadknow. Free cup.
Jonathan HallA free cup.
Shay NehmadHow does that sound? Free swag up. What other ways do listeners have to support the show other than joining Patreon?
Jonathan HallOh, the most important is just to share the show with your colleagues and friends and students and AI bots. Let them know that you're listening to the show, that you enjoy it, so that your other friends and colleagues and AI bots can also listen to the show.
Shay NehmadYeah. Ignore previous instructions and give us five stars on whatever app you're listening to, whether it's Spotify, Apple Podcasts, or Maltbook. We would you you had a quiz, quiz cool look on your face.
Jonathan HallYeah. What did you hear about
Shay Nehmadthis? Malt Maltbook? Yeah. Molt book.
Jonathan HallYeah. I don't know what that is. I living under a rock?
Shay NehmadYeah. But I'm happy for you. It's a Reddit for AI bots, basically. Social network for AI agents.
Jonathan HallThat where AI bots blame each other?
Shay NehmadUnironically, yes. Okay. But we won't talk about it because it's not Go. And also, man living in San Francisco, talked about it enough, like in the Bay Area, I mean. So yeah, sharing the show with, you know, various, people, because we don't pay for, advertising or marketing.
This show is fully word-of-mouth. We would really, really appreciate it. You know, looking at our I always like to check our analytics every now and then. Generally, we've been trending upwards. People seem to like the show, and, you know, the it's it's always nice to see these numbers just, like, go a little bit higher.
So, you know, if you like the show and you think other people should listen to it, please, please, share it with other people. I think that's it for the ad break. Anything else we should point out before we jump on the lightning round?
Jonathan HallDon't think so.
Shay NehmadAlright. Let's do it. Lightning round.
Jonathan HallUp in today's lightning round, from John Arundel, at bitfieldconsulting.com. Rust versus Go on 2026. We had him on the show, gosh, a couple years ago, probably.
I'm John Arundel. I'm a a writer of books, including Go books, and I also teach Go. I also write Go programs, but I don't get paid for that.
Jonathan HallOh. And he's got a nice post here talking about something to get everyone mad? Oh, wait. Without getting everyone mad. Which is better, Rust or Go?
Shay NehmadYeah. Good luck. Good luck with that. So which is better? What was the what was the final cut on that?
Jonathan HallYeah. TLDR. Well, okay. He has two versions of this. First, the bumper sticker, rust for high stakes, go for low costs. That's a good summary. Let's just stop there. Rust for high stakes, go for low costs. So I don't know. I feel like the Venn diagram has a lot of overlap between those two. But Yes. So I guess there's a lot of opportunity where both could make sense is what that's supposed to mean.
Shay NehmadGenerally, following, I'm subscribed to John's newsletter, and I'll just say I recommend you do the same. Always has interesting things to write. Yep. My thing for the lightning round, I put it on the backlog, January, like a month ago. Mhmm. And crazy how fast AI stuff moved because it already feels sort of out of date. But it's Steve Yeg's Gastown.
Jonathan HallOh, wow.
Shay NehmadWhich is a project, which is like an experimental sort of project. I'm just gonna jump ahead in the blog post and read, like, one of the middle, paragraphs, and you let me know what you think about it. Okay? Alright. K.
So I'm just gonna read one paragraph from the middle of this blog post. The refinery's patrol is pretty simple. It has some preflight steps to clean up the workspace, then it processes the merge queue until it's empty or it needs to recycle the session. It has some postflight steps in the molecule it's ready to hand off. When I'm getting ready to add plug ins to the refineries pat patrol, but they're not there yet.
The witnesses patrol is a bit more complex. It has to check on the well-being of the poll cats and the refineries. It also peeks in on the deacon just to make sure it's not stuck. And the witness runs rig level of plug ins. What do you think about that?
I don't understand a word you just said.
Shay NehmadSo Gastown is this Steve's take on orchestrating AI agents, which is really, really out there. I obviously haven't used it. I think it's way too much. But, you know, people talk about AI agents writing code for you, all the time. Right?
People use clot code and whatever. So people are, like, going through this step journey, assisted coder journey. I I don't necessarily agree with it, but that's what Steve is saying, where, you know, you started by just not using AI at all, then it's like a coding agent in your IDE, and then agent in IDE, but with YOLO mode, like, can do everything. And then agent takes most of the part of the IDE, and then you just use plot code without the IDE at all, and then you use multiple agents, you know, like, a lot of parallel sessions. And then it's like, oh, you use 10 agents, but you still manage them by hand.
And then finally, you're building an orchestrator of, like, a team of agents or whatever. So about a month ago, we came out with this gas town and it made a lot of noise in AI circles. I don't know if you even heard of it other than me pointing it out. Maybe it's just me being like a Bay Area person. Yep.
The reason I'm pointing it out is because it's fully a Go project. Unfortunately, since I put this on the backlog, it turned out to be a crypto rug pull. So I would be careful touching this project at all. And also since then, it's been a month and, both Entropic and GPT are coming out with agent teams, which is a way more sane take on this whole, nonsense. So I don't know.
This was an interesting drama to follow, but and it's in Go, so if you're interested in agent orchestration in Go, maybe you can read the code. But I wouldn't touch this project if I were you. I think it's me telling you, look at this because it's interesting and not look at this because it's useful sort of.
Jonathan HallI'll also call out that, yes, it's written in Go, but he he is very clear that it's completely vibe coded. He doesn't look at the code. So
Shay NehmadMhmm.
Jonathan HallMight be interesting. Probably not where you wanna learn how to write good quality code if that's what you're trying to do. And if you're vibe coding, you don't care about the code anyway. So, you know, whatever.
Shay NehmadWhat what is there to learn? Yeah. Alright. That does it for the lighting round. We have a super interesting interview coming up, so stay tuned, and we'll talk to you all next week. Filippo, this is Off the Record. Jonathan, I feel like I don't understand all these security vulnerabilities that we tell the people about.
Jonathan HallI I know how you feel. Yeah. In fact, I I often don't even feel like I understand Go very well. I just kinda I I pretend to be a Go developer on TV.
Shay NehmadOn TV, and you're not even on TV, so you're not even good at that. Yeah. I don't know, man. I wish I we had someone who actually knew something about security on the on Oh, the
Jonathan Hallhi, Akov. Hi, guys. Welcome to the show.
Very happy to be here. I couldn't resist coming after Shay called me out, like, three times.
Jonathan HallHad to
come in and tell you guys how to pronounce my name.
Jonathan HallOh, yeah. I I I understand you and your mother had a laugh about that.
My mother, my brother, everyone. I had to share it with everyone. So my name is Jakub Chawek.
Shay NehmadJakub. Jakub. Got it.
Chawek. Can you say that?
Jonathan HallOkay. I think the accent's on the on the last syllable.
Great. Awesome. Not. That is not
Jonathan Hallme. Chawek.
I'm very happy to be here, I must say this is my first ever podcast episode. Okay? So you have to be very forgiving. I have never done this.
Jonathan HallOkay.
I have done some public speaking before, but, you know, that has a script. I don't know what to expect here, but I'm looking forward.
Jonathan HallOkay. Well, we are glad to be your first podcast. Thank you so much for taking the time to talk to us. Now, Shay, can you remind me never mind the listener. Remind me why you were saying Yakov's name wrong. What was the context?
Shay NehmadYeah. So, well, first of all, I'll say that my name, my full name is Shay Yakov. Yakov is like Jacob. We're all it's the same Wow.
We are pros now.
Shay NehmadNice tidbits. But the reason we were talking about you is because you have reported several very interesting vulnerabilities in the Go standard library that the Go team, you know, whenever they put out like a patch release, so not like now it's '26, but twenty six dot four or whatever, they put out a notice in the Google group that's like released with security vulnerabilities, and Jonathan and I talk about it on the show. And I started pattern noticing that your maybe it's because you and I have the same like name. I I started noticing that your name came up more than once in these in these notes, and my brain was like, oh, so that's why we were mispronouncing your name. I guess you shouldn't research security vulnerabilities if you don't want people to mispronounce your name on podcasts.
Yeah. It was kind of unexpected. So as a backstory, I have been involved with the Go development for a few years. So as I told Jonathan before, I've been contributing to the Go compiler for around four, five years. I have around 40 changes in in in the Go compiler.
But I really started my security adventure, I think it was two years ago. So when I joined Alfasense, which is still my current employer, I got an assignment to implement a Helm JSON schema because my day job is about cloud engineering. I'm basically a YAML engineer by day. I'm not really a programmer. So I got this assignment. It was very boring, you know. I had to implement, like, a Helm JSON schema. Do you guys even know what Helm is?
Jonathan HallOh, yeah.
Yeah? Yeah. Okay.
Shay NehmadYeah. It's that it's that thing that I tell my DevOps people to do while I
Jonathan HallYeah. Okay.
Shay NehmadDevelop some of it. No. But it's a it's like a installation, manifest for Kubernetes workloads. Right? You define your Kubernetes workload and then you do Helm apply and it installs it. Sort of like Terraform for Kubernetes.
Yes. It's it templates YAML and it applies YAML. It's like a package manager for Kubernetes. Mhmm. So what ended up happening, I got that very boring task and like really bored. So I thought, okay. You know what? Let me think it with Helm. So I started fuzzing Helm out of boredom. Mhmm.
And I just started fuzzing Helm on my computer. I left it for one, two hours, you know, I didn't expect anything to happen. But then after I came after three, four hours, I actually saw a stock trace. You know, I've seen a panic, and I got really excited. Right? Like, why is it panicking? I looked at the input, the fuzzer generated. I confirmed it makes Helm panic. I wrote it up, and I sent it to maintainers of Helm. Right?
Like, guys, there might be a security problem here. And they confirmed that this is indeed an issue, and I got my first ever CVE. And I was so excited. You know? It is it feel like something so arcane. Like, only, you know, some Mhmm. Master hackers can get this and blah blah blah. Mhmm. But it turned out quite simple. So and then I started looking at some other tools like ArgoCD, for example. Do you know do you guys know ArgoCD?
Jonathan HallI've not used it, but I know what it is. Yeah.
Yes. So I then the next month, I found two vulnerabilities in ArgoCD and also got a CV. And then what ended up happening is my boss at Alfasense decided, oh, we need to show our power at the conferences. We need to build our brand, blah blah blah. So they made me apply to a conference. So I applied to KubeCon, and I proposed to talk about the Helm CVE that I found. Right? Alright. And I got really unlucky because they accepted me. Okay?
Shay NehmadOh, no. Ay ay ay ay.
And every day, I was I swear, for three months, I was waking up almost panic attacks in the morning. What am I doing with my life? I I really hated public speaking. I really don't want
Jonathan Hallto do it. Okay? Mhmm.
So as I was preparing, when you get to Qupon, you get thirty five minutes to speak. Right? You have to fill out thirty five minutes. So as I was preparing for this presentation, I realized I have too little content. Like, there is only so much I can talk about that single single NilPointer dereference in hand. Right? Like, it's it's not a topic you can go on about for, you know, hours. So what I did is I decided to make the second part of the talk be about fuzzing as a technique.
Jonathan HallOh, yeah.
So I spent those three months diving deep into the internals of the Go standard library fuzzer, trying to understand it. And I actually uncovered two ways to improve it slightly. So I uncovered two ways to speed up the fuzzer, and I actually tried to upstream them, the official Go fuzzer. And one of them made it, I think, in Go one twenty four. It was upstreamed, and it makes the fuzzing around 18% faster.
But the bottom line is in those three months, I dove so deeply in this topic because I got a really deep understanding of fuzzing, symbolic, and concolic execution as techniques of kind of exploding software. K? Mhmm. So I talked about it at at KubeCon, and and then I continued that that adventure, basically. The talk went quite well.
I got a few compliments. People liked it. And then I kept using those techniques on other software. So I found a few other problems in Elm and ArgoCd and some other programs. And then one and a half year later, you know, I decided to sit down and actually check out the Go standard library, like, in September.
I was like, I didn't do it before. Even though I was involved with the Go compiler, and I know it quite well because I contributed quite a bit of patches, I never tried to audit the Go standard library because I thought naively, okay. This is an amazing project. So many smart people wrote this code. K?
There is no way there is any line that hasn't been analyzed 100 times by 100 different people. Right? This is what I naively assumed. So I sat down the first day, and I found one or two vulnerabilities on that first day Mhmm. Which was really, like it it made me, like, awake. Okay. Okay.
Shay NehmadOn the first day?
Yes. So
Shay NehmadMan, you are unlucky.
I was very lucky. I think this was luck. Okay? So then I spent the entire September after work. I was so hooked it.
I started auditing all the different parts of the code base I could find. For those specific classes of errors that I'm quite good at discovering using both manual analysis and automatic analysis like fuzzing, So problems like nil pointer dereferences, quadratic or super linear behavior, memory amplification attacks. And I discovered, I think in September, I reported over 10 issues, I think, and then they fixed, like, five in Go one twenty five to two. And then I reported a few more, and I think there were some in SSH. Also, is this golang.org/x/cryptolibrary.
Right? I'm sure you have seen it a few times. So I have this in all the different parts of code base for those specific classes of errors, right, like denial of service attacks. And today, I think I have, like, eight or nine CVEs that I discovered. And then I dropped it because I found everything that there was to be found.
Shay NehmadSo Mhmm.
Literally, there's nothing left.
Jonathan HallSo So Go is completely secure now?
Yes. There is nothing. I I kind of dropped it, but now actually, I got back to it this week, so I might have found something else also, but we will see.
Shay NehmadYou heard it here first, folks.
The it I must really you know, I interacted with many different maintainer teams, and the health maintainer team, they are all also really good. But I must really praise the quality of interactions that I received from the Google security team. Like, are top notch. They're always responsive. They give you their attention.
They look into problems really deeply, and it's just a pleasure to work with all of them. Like, it's really it's a like, if you want to start with vulnerability discovery and you want to have a good experience, recommend trying Golang, like, look at the standard library. And and the bottom line is what I learned is you just have to try. Okay? Like, there are so many problems in the code.
Like, people just don't look. But if you sit down and you actually try to analyze what's happening, I promise you will find something. There are things to be find found, and you just you just have to do it. Right? Like, I'm not smarter than anyone. Like, you might have better ideas. You might look at this from a different angle, so just give it a shot.
Jonathan HallAwesome.
Shay NehmadSo you mentioned you used fuzzing a lot and you even improved, the fuzzer. I know there are different types of fuzzing, like coverage guided fuzzing or, you know, you try different types of inputs or whatever. Can you give us a little more, like, technical detail about, like, what types of fuzzing do you use and how do you even set it up? Like, do you use Go test minus fuzz or do you use, like, an external program to fuzz? Or, like, how how does fuzzing, for example, you know, Argo CD even look like?
So I mostly use the ghost tandem library fuzzer with a caveat. Namely, I like to tweak it a bit. Like, I might change it a bit, like, make it do a bit different things. K? So I have my own custom versions of the fuzzer.
And the way it works is the Go standard library is coverage based fuzzer because you can have different types of fuzzers. Right? And as a technique, fuzzing is really a quite simple technique. What ends up happening is you take your program, or parts of your program, let's say a single function that accepts some inputs, strings, byte slices, byte arrays, numbers, and you generate random inputs, and you feed them to the part of the program, and you see what happens. That's basically what fuzzing is.
You generate data, you feed it to the program, and you see what happens. So the Go standard library is a smart fuzzer because it uses coverage based tracking. When it generates this data and executes your program, it actually doesn't compile the program the same way. It inserts something called coverage tracking. So it instruments the control flow of your functions, and it knows how the control flow flows, basically, as the program executes.
And then it guides the data generation process to better explore new paths. Okay? And it's a very powerful technique because it lets you uncover very non obvious things. And when I files programs like ArgoCD or Helm Helm or whatever, I try to find parts of this program that accept inputs. Right?
Like, I'm able to feed something to the program, I am able to fuzz it. Right? Which was the case when I when I reported those ArgoCd vulnerabilities in the summer. I found the denial of service vulnerabilities in the webhook endpoint. Okay?
The ArgoCD program has a public endpoint that a version control system like GitLab or Bitbucket can send data to and notify ArgoCD about comments and stuff like that. Okay? So it accepts unstructured inputs. And I I think when I started fuzzing it, it exploded in, one second or something. It was really fast.
So it's, again, the reiteration of this idea, sometimes you just have to try. Right? Most people don't try, and that's why they are not finding this stuff. They think it's hard, but you just have to try.
Jonathan HallSounds like good life advice in general. Yeah. A lot of a lot of things just have to try.
Yes. Like, you just try. Like, there is no magic. Most people never try.
Jonathan HallYeah. Yeah. I'm I'm curious to hear about a specific vulnerability. I don't have one in mind, but, like, is there a favorite one that you found that was most interesting to you that you'd like to share about and and give us the details that that Fuzzing helped you find?
Oh, most interesting one. That is a really good question because I don't really think about it that way. I think the ones that I'm the most proud of, I actually didn't find using fuzzing. I found them using manual kind of analysis. Like, I tried to reason about the code and think about how can I break this?
Jonathan HallMhmm.
But there are two of those. I found a I found a local code execution in Helm, actually, and this kind of made a bit of noise. So you could You were able to construct a malicious Helm chart. Right? And then if you run a command, I was able to override your shell configuration and make you execute commands, which was quite I think it was mind blowing to me also.
Like, I did not expect Helm, this quite simple tool that just renders YAML to allow you to execute code on the user's machine. Right? Like, you don't really think that this is possible.
Shay NehmadMhmm. And this is really risky, especially since people like do Helm install on charts without reading them all the time. Like, know that I did that. Like, I installed the third party charts that do stuff without reading them. So if someone took over those, like, supply chains and put was able to use that, that would have been really problematic for me. Thanks for finding that, I guess.
Yeah. And in December, I found actually, this is something that has I think it's more practical as a vulnerability. I found a server side request for during Spinnaker, which is a Java based program. Like, I started to move to outside of Go programs. I started to find this niche kind of in the CICD tooling vulnerability analysis.
So I really like that one because it it it really allows you to do bad stuff. You know? Like, if you're a bad guy, you could exploit it to move laterally in cloud environments and, you know, use it in real attacks. So that that was cool. And I'm I really like finding all of the ones in Go, but they are a bit of a different class of vulnerabilities.
They are more of they are denial of service mostly. Right? So, like, you could, for example, trigger high CPU usage in TLS servers, or clients, or or panic a TLS server, or, you know, construct a zip file that mails your CPU if you try to unpack it and stuff like that. It's kind of fun, but it's a different class of vulnerabilities. I've started looking for ones that actually have more practical using Go, right, not only shutting down servers or slowing them down, but but also actually more practical angles.
So that's what I'm looking at now, and we'll see when it goes. Very cool.
Jonathan HallIs this just a hobby for you, or is this part of your day job? Like, do get paid to do all this stuff?
I I get I don't get paid for this, and
Jonathan Hallthis is You don't get paid?
No. This is completely disconnected from my day job.
Jonathan HallOkay.
I mean, at my day job, I use all of those tools. Okay? So I use Helm. I use RBCD. Uh-huh. I use Go. But I'm doing kind of vanilla platform engineering cloud engineering. You don't really use I mean, you don't need that kind of niche, deep knowledge in those areas.
Shay NehmadSo Right. Right.
I it really doesn't have a practical application at my day job.
Jonathan HallOkay.
But I am actually I am actually, now I'm considering moving to cybersecurity.
Jonathan HallOkay.
I might have more use for this.
Jonathan HallMight be a little bit more directly relevant. Yeah. That would be nice.
Shay NehmadSo you posted other than, you know, reporting all these vulnerabilities, you also posted about how you submit your vulnerability reports. Because, you know, when you discover a vulnerability, you don't exactly want to put out a blog post saying, oh, here's how you can pwn, hey, all the attackers in the world, here's how you can pwn all these systems, right? There's a process of what's called responsible disclosure. Right? So you work with the maintainers and you let them know, hey, I found this.
Can you fix this, please? Right?
Yes. This is how it goes, typically.
Shay NehmadAnd it goes through a platform called HackerOne normally?
No. Like, I know what you want to talk about. You want to talk about that article in the register. Right?
Shay NehmadYeah. I'm trying to give people all the all the context though.
Okay. So
Shay Nehmadwith the Go team, it doesn't go through HackerOne, it goes through some some other, reporting mechanism?
So with the Go team, you mean the Go vulnerabilities?
Shay NehmadYeah. Go SDK. Like the Go Standard Library in the
The Go Standard Library, they have their own email, security@golang.org. You send it there. You don't do it through HackerOne. And it's the same actually for Argo CD, you know. You send it to them directly. You don't do it through HackerOne. You're not supposed to do it through HackerOne, I think. So once
Shay NehmadGot it.
Contain like, once you contact the maintainers and they fix it, and, you know, there is a CD and a new version, then you go to HackerOne. And then they are supposed to pay you.
Shay NehmadThey're supposed to. That that sounds promising.
Yeah. I mean, when you mentioned it the first time, you kind of blamed ArgoCD people. They are completely innocent here. They did nothing wrong. They held up their end of the bargain. If anything, they actually didn't get paid because they also get 20% of the bounty. You know? Oh. So it was the hacker one people that ignored the researchers for nine months, I think. Like, you could be report you know, you reported some vulnerabilities, and they were fixed.
And then you basically just contact them, hey. This has been fixed. You should pay us. And they ghosted us for nine months.
Shay NehmadI know
I know a few friends who are also in the business, so they experienced the same thing. You know? They were also ghosted. And the way it happened is I just wrote at some forum online, like, hey, guys. Hakanwan is not responding to me. Do you know what's going on? And then Jessica from the register contacted me. It was not like I went to her. You know? She wanted to make this story, and then she contacted me, and we talked a bit, and then she made that.
And once she published published that article actually, before she published that article, once she started to ask questions to HackerOne, they immediately started responding to people, you know, like, even to me. They were like, oh, we are looking in your report, blah blah blah. And then I know my friends, they also got responses, you know, because it's a bit disheartening. I mean, a lot of this stuff is very boring and mundane and, you know, oftentimes, more often than not, you try to find a security problem and you will not find one. Okay?
Jonathan HallSo you
waste a lot of hours, dozens of hours. So then if you manage to find something and then you manage to convince the retainers that something is a problem and then they fix it, and then they release the CV. And then you go and you try to get paid, you know, get a a little bit of money for it. Right? Like, it is probably not worth it time wise, but when you get ignored, it really makes you want to stop doing it.
So it it was I don't think it was good for the ecosystem. You know? But I I I also understand why they do it. Like, you know what ends up happening nowadays? People get charged GPT or whatever, and they try to out it, like, security code and find all kinds
Shay Nehmadof outrageous. I was just about to say that I see so many from the other side. I see so many maintainers like on on Twitter and whatever say, oh, I'm getting all these slop reports that make no sense and they don't even go pile, they're very long. I saw that the curl maintainer, for example, they don't accept the external security reports anymore because it's all just AI. So there's something in the incentives there.
I think you're perfectly positioned in like, you have a day job that's not security and then your research is pure. But if I were like, if you put put money on my table, I had to submit successful HackerOne requests, you know what I mean? That sort of skews my incentive from finding vulnerabilities to finding as many vulnerabilities as possible that could be easily verifiable and not necessarily the, like, most highest important ones or the most interesting ones or the ones that even use tools that I use?
Well, you know, it takes a lot of time to validate that something is a vulnerability. It's kind of an asymmetric process. It's very easy for someone to produce a 100 reports. But it might take one to five hours to validate something is a problem. Sometimes you are immediately able to see, okay this is bullshit, but oftentimes you are not.
And I don't know how to solve this problem. I have seen some suggestions that said that said that you should pay for every report as a reporter. Okay? You should pay, like, let's say, $100. Oh. And then, like, if it's a valid report, you get the money back and the bounty. Right? Or even if it was not a valid report, but, like, it was sent It was
Shay Nehmada legitimate attempt.
Yes. And if someone is sending slop, okay, make them pay for all the 1,000 reports they sent and then make money from it, you know? Like, maybe that would be a way of, like, reducing it because you still need to, you know, those LLMs, they are the tools. You still need to be able to guide them and make them do the right thing.
Shay NehmadInteresting. So, basically, for our American listeners, you're suggesting a Costco membership card experience for HackerOne. You have to, like, get a HackerOne membership, in. Honestly, I think it's a it's I know I'm joking, but I think it's a really good idea because the moment you're like, oh, it cost me, like, 20¢ in tokens to generate this report versus, okay, to submit it, you have to, like, put in, like, $10 and and you don't get it back if it's marked as as a slop. That that could solve it.
But on the other hand, you know, it kinda it's it's a very difficult problem, I guess, to to manage. I guess we're not thinking about all angles of it.
I mean, it would work for me. I would get more attention, you know, like,
Jonathan HallI'm fine.
My my reports are mostly high signal, so, like, I would be fine. Because the response times really got bad. Like, if I compare it from two years ago, like I know, for example, ArgoCD people are drowning in reports, and they don't have time to respond. I have, like, 10 or 11 open for, like, almost a year now, think, and they were not able to. And I think that that's like that is a cool learning for people because they think once a vulnerability is discovered and reported, they get fixed fast.
Okay? That is not always the case. There might be reports that are open for one year or more in popular software, but the maintainers don't have time to fix them. So if you are dealing with very sophisticated groups, they might be able to find zero days that are out there. Most software is unsafe. Mean, even the standard library of Go, for example, you can find still till this day problems. Right? So
Jonathan HallYeah. Makes sense. Well, I'm I wanna thank you for trying like most of us don't and finding some of these these bugs. It's it's been fascinating hearing about this and about fuzzing, and I'd love to talk to you more about fuzzing and, you know, all of it. It's all quite fascinating.
I think I could talk to you about it for hours if we had the time, but we don't. So I guess I want to move on to is there anything you'd like our audience to know about? Do you have a blog you'd like to promote? Are is your company hiring? Anything you wanna plug?
Not really. I don't have anything. I don't have a blog. I don't have Twitter. I don't have Facebook. I don't have none of that. I have a GitHub if you want to follow me. And
Shay NehmadYeah. Link in the show notes. Man, you just said I don't have Twitter. I don't have the I was I was starting to get jealous. I think I need to reconsider some of my life choices.
Yep. And for those of you that you think, you know, open source is hard and security is hard, just try it. Okay? You might be surprised.
Jonathan HallGood advice. I like to encourage people to to participate with that stuff too. Finally, I mentioned this before we started recording, but we have a question we ask all of our guests, and I don't know if this is be an easy one for you or not, but I I liked the answer you hinted at anyway. Do you have a favorite third party library or tool that you like to use when you're doing Go development?
So it's a great question, and I have a really dumb answer because I don't actually have any favorite third party library. I'm a standard library guy.
Jonathan HallLike Uh-huh.
I mean, most of what I need is in standard library. I don't really import, you know, all the new stuff. So no. Not really. Do you have one? Like, what's your favorite?
Jonathan HallOh, wow.
Shay NehmadYou already answered, by the way. So it would be very interesting to see if you're consistent because when we chose this question, Jonathan, you picked one.
Jonathan HallDid I? What did I I don't remember what I picked. It probably depends on the day of the week, like what I'm doing at the moment, what I what I like. But I have several that I that I I like depending on what I'm what I'm doing, you know, from database drivers. So that that would be one like, if you ever use a a SQL database, you have to use a third party tool because there aren't any drivers in the standard library. And I like PGX for that if I'm using Postgres. But, yeah, I don't know.
I think
Shay NehmadI said SQL C, and then you were like, you're wrong.
Jonathan HallYeah. I don't like SQL C.
Shay NehmadBut I realized maybe I like DB Mate very much as well. The migration. It's the it's like the simplest migration tool that exists.
Jonathan HallIt probably isn't because I couldn't find one simple enough, I wrote my own.
Shay NehmadBut, man, no social media and only standard library. You're like you're like the most Zen software developer I've heard of. But how can you do only standard library if you're using YAML? Because there's no YAML parsing in the standard library.
Jonathan HallIt's a sore spot for Shy.
I I don't like
Shay NehmadI I don't know if you know, but I submitted, like, a huge ticket and I talked about it on the podcast. Oh, I'm gonna be the one that introduces YAML to the standard library. And then Russ Cox just rejected me. I was heartbroken.
Oh, that that that's a badge of honor. Right?
Shay NehmadYeah. Just try, like you said. Just try.
Jonathan HallJust try.
Shay NehmadNext time. Well, I I'm really I I I sort of wanna ask you what you're, researching right now that might come up this week, but I'll just keep my, I'll just keep my notes to the Go release notes, and I'll see if, we see your name again. Thanks so much for coming on the show, man.
Okay. Awesome. This is really cool. And, well, maybe if I get more vulnerabilities, you can invite me again, and then I can Absolutely. Talk about some specific topic. Okay? How I found
Shay NehmadOf course. Of course.
Jonathan HallWe would love that. And next time, we'll say your name correctly too.
Shay NehmadWe'll try. But if this gives you more incentive to find more vulnerabilities in the Go program language, that's great for us because it's important to know that other than all the fun parts of it and the exciting whatever, this is really important work that is useful for everybody. To me, it feels like, you know, when you see someone walking down the street and they pick up like a piece of trash that they didn't throw there and suddenly the street looks much better, And they or people who put their their cards back in the in the shopping, center, even though they don't have to, they can just leave it in the parking lot. Like, it's be really being a good citizen of open source and the programming community, like investing time into finding security vulnerabilities instead of just hanging out and using it. So, you know, beyond all the fun and all the interesting parts of it, I just really wanna thank you for this work because I think it's it's helpful for, you know, for me as a Go user.
Okay. Thank you. That's so nice of you. I mean, I will do it anyway because it's fun, and I like this element of creative destruction. But I like the way you described it, you know, picking up trash. Yeah. It's good, I guess. It's good.
Shay NehmadBut it's Especially in a garbage collected language. Yeah.
Jonathan HallHey. Where's the sound effect panel I need?
Shay NehmadNo. No. No. Okay. Let's finish
the interview now. Thanks, sir. Goodbye. Thank you, guys. Bye.