Concurrency

Goroutines

Goroutine: a lightweight thread managed by the Go runtime.

It’s pretty simple to execute a function call as a new goroutine:

go f(param1, param2)

The program is terminated when the main goroutine finishes.

What?

• statically typed (w/ type inference)
• compiled (statically linked)
• memory safety, garbage collection
• built in dependency management
• concurrency:
  • goroutines (~coroutines/threads)
  • channels
  • select (for channels)
• interfaces for “virtual inheritance”, type embedding
• standardized formatting (gofmt)
• multiple implementations (gc, gccgo, gollvm, gopherjs, …)

• 2019, https://matrix.org/
• not the movie, but the “matrixed communication”
• open standard: spec
• non-profit Matrix.org Foundation
• decentralized
• end-to-end encryption
  • olm, megolm
  • based on Signal’s double ratchet
  • extended to support encrypted rooms
• messaging (IM, rooms, bots, even IoT devices)
• signaling (for WebRTC, VoiP, video calls)
• bridging to other IM networks (XMPP, Slack, IRC, Discord, Facebook, …)
• HTTPS+JSON based by default, but a much lighter UDP based demo was already created for ~100bps (!) networks

Why?

• DoS - Denial of Service attacks
• Brute Force attacks
  • collect customer email addresses (signup)
  • reveal username/password pairs (login)
  • send emails (contact us, gift card)

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

Data (from untrusted source) gets into the application, then this data is later displayed in the website without being properly validated/sanitized/escaped.

Modern browsers apply the same-origin policy to some resources, meaning they refuse to load or restrict access to resources coming from other origins than the loaded website. Servers can implement CORS to describe which origins are permitted to load their resources.

For some HTTP requests, browsers issue a “preflight” request (HTTP OPTIONS) to check whether the resource is available for the given origin.

PGP: Pretty Good Privacy

GPG: GNU Privacy Guard

PGP

• from 1991
• cryptographically sign/verify, encrypt/decrypt files, emails, etc.
• OpenPGP standard, RFC 4880
• key “verification” via fingerprints, Web of trust
• public/private keys

Random points

• true randomness is hard
• pseudo random number generators usually don’t have even distribution
  • or “slow”
  • or cannot be used in a parallel way
• OpenGL does not have random API (reasons above)

And in most cases higher “entropy” is more pleasant to the eyes.

Backend

• app to the server
  • scp
  • git
  • maven/npm/pip/whatever
• start it
  • prefer using a “webapp container” like tomcat or gunicorn
  • on a “high” port like 5000, 8000, 8080
• make it start on reboot
  • systemd
  • supervisord/pm2
  • …