Artem Golubin

Do not fall for complex technology

Thu, 22 Jan 2026 17:14:08 -0000

Fifteen years ago, I wanted to set up a note-taking system. At the time, Evernote was the tool everyone was talking about, so choosing it seemed like the right and easy decision.

After storing around 500 notes for eight years, Evernote became a mess to use. It was bloated, heavily monetized, and slow to work with. So I wanted to switch.

About that time came Notion. Everyone was talking about it. I jumped on the bandwagon and migrated a few hundred of my notes to it that were still relevant. It did not even occur to me that switching from a bloated and slow app to a web app would result in a similar outcome later. I followed a popular choice again.

After struggling for a year, I switched to Markdown notes and a plugin for an editor that renders inline images. I'm still using this to this day. It is simple, and I will be able to open my notes 10-20 years later. I can edit them in any editor. It works offline and does not depend on commercial products. I encrypt my notes locally so they can be stored safely on any cloud service.

[......]

How ClickHouse handles strings

Fri, 16 Jan 2026 17:14:08 -0000

At my work, we use ClickHouse to process billions of records and hundreds of terabytes of data. ClickHouse is fast, and its speed got me curious to learn some of its internals.

Let's look at a few queries:

SELECT count(*)
FROM cluster.feed
WHERE state = 'unknown'

   ┌──────count()─┐
1. │ 129375618342 │ -- 129.38 billion[......]



You probably don't need Oh My Zsh
Fri, 09 Jan 2026 17:14:08 -0000
Oh My Zsh is still getting recommended a lot.
The main problem with Oh My Zsh is that it adds a lot of unnecessary bloat that affects shell startup time.
Since OMZ is written in shell scripts, every time you open a new terminal tab, it has to interpret all those scripts.
Most likely, you don't need OMZ at all.
Here are the timings from the default setup with a few plugins (git, zsh-autosuggestions, zsh-autocomplete) that are usually recommended:
➜  ~ /usr/bin/time -f "%e seconds" zsh -i -c exit
0.38 seconds


And that's only for prompt and a new shell instance, without actually measuring the git plugin and virtual env plugins (which are often used for Python).[......]


Recent optimizations in Python's Reference Counting
Sun, 04 Jan 2026 17:14:08 -0000
It's been a while since I've written about CPython internals and its optimizations.
My last article on garbage collection was written 8 years ago.
A lot of small optimizations were added since then. In this article, I will highlight a new optimization for
reference counting that uses a static lifetime analysis.
Background on reference counting in CPython
Reference counting is the primary memory management technique used in CPython.
In short, every Python object (the actual value behind a variable) has a reference counter field that tracks how many references point to it.
When an object's reference count drops to zero, the memory occupied by that object is immediately deallocated.
For hot loops, this can lead to significant overhead due to the frequent incrementing and decrementing of reference counts.
The counter must be updated whenever an object is referenced or dereferenced, which hurts performance and trashes CPU caches.
So, when you read a variable in Python, you actually write to the memory as well.[......]


Hash tables in Go and advantage of self-hosted compilers
Sun, 14 Dec 2025 17:14:08 -0000
Recently, I was looking at the Go codebase that was using map[int]bool to track unique values.
As some of you may know, Go has no set data structure. Instead, developers usually use hash maps (key-value data structure).
The first idea that comes to mind is to use map[int]bool, where keys are integers and values are booleans.
But experienced Go developers know that Go has an empty-struct type that can be used for maps: map[int]struct{}.
The benefit of such a type is that it occupies zero bytes in memory; it's a so-called zero-sized type.
The compiler knows this and uses it to your advantage when it can. In this case, it should omit storing values and
keep only keys.
So when I saw the bool struct, my first thought was to switch to map[int]struct{} to save some memory.
In theory, that map can hold more than 100 000 integers.
To my surprise, this change had no effect on memory consumption when running in production.[......]


How I am using Helix editor
Sat, 11 Oct 2025 20:28:08 -0000
I've been using Helix as my editor to develop on remote servers for quite some time now.
There are a lot of emerging supply-chain attacks, and I simply don't like the idea of installing tens of plugins to Vim/Neovim to make the editor usable.
To make the switch from Neovim easier, I had to make some changes to the configuration.
I want to share them to save you some time, because discovering them is not straightforward.
Tmux setup
I use tmux as a terminal multiplexer.
One thing that I miss from Neovim setup is a good file manager and TUI for git.
I rarely use a file manager, but when I need to, I usually want to move a bunch of selected files quickly. Unfortunately, Helix does not support file editing in the explorer. You can only view them.
To overcome it, I added new keybindings to my tmux config:
# Yazi related
set -g allow-passthrough on[......]


Tracking malicious code execution in Python
Mon, 25 Aug 2025 11:14:08 -0000
Recently, I have been working on a new library that statically analyzes Python scripts and detects malicious or harmful code.
It's called hexora.
Supply chain attacks have become increasingly common. More than 100 incidents were reported in the past five years for PyPi alone.
Let's consider a scenario where a threat actor attempts to upload a malicious package to PyPi.
Usually, malicious packages attempt to imitate a legitimate library so that the main code works as expected.
The malicious part is usually inserted into one of the files of the library and executed on import silently.
If the actor lacks experience, he will likely not obfuscate his code at all.
Experienced actors usually obfuscate their code or try to avoid simple heuristics such as regexes.
Regexes are fragile and can be fooled by using simple tricks, but it's not possible to know them in advance.
One of the problems is that the harder you obfuscate the code, the easier it can be detected.[......]


Threat Hunting Introduction: Cobalt Strike
Mon, 23 Jun 2025 20:28:08 -0000
Cobalt Strike is a threat simulation tool that is used by red teams to perform
penetration tests (simulate cyber-security attacks).
However, it is also used by malicious actors to perform real-world attacks.
In this article, I will demonstrate how anyone can find Cobalt Strike servers on the internet and retrieve metadata from them.
After reading this article, you will be able to peek inside the Cobalt Strike servers and see how big
companies or malicious actors are using it.
Doing this can be pretty fun, it's like being able to hack into hackers or security experts.
I will also introduce you to my tool written in Rust, called SigStrike,
which I wrote to increase crawling speed by 20x.
Threat Hunting
Threat hunting is a proactive process of searching for threats that can potentially attack your company.
The part of the threat-hunting process consists of the collection of so-called IoCs (Indicators of Compromise).[......]


Shady economics of proxy services
Wed, 04 May 2022 16:28:08 -0000
Residential proxies are the most demanded type of proxies on the proxy market. Their price increases each year.
In this article, I want to write down my understanding of the economics of proxy services. In particular, I describe types of proxy offerings, their typical clients, and why the majority of the market is supplied by malware.
Proxy types
There are two distinctive types of proxies on the market:

Data center (server) proxies
Residential proxies (broadband and mobile)

Data center proxies
As the name implies — such proxies reside in data centers. To create a pool of proxies, proxy providers lease or buy IPV4 subnets. Usually, they are relatively cheap when compared to residential proxies.
Due to IPv4 address exhaustion, providers of such proxies have a limited amount of IP addresses and fixed geographical locations. Buying an IPv4 subnetwork is also tricky nowadays. Hence, proxy providers usually lease them from small owners. Additionally, leasing gives flexibility and allows them to replace or abandon old IPv4 subnetworks.[......]


How masscan works
Sat, 30 Apr 2022 15:06:22 -0000
Masscan is a fast port scanner capable of scanning the entire IPv4 internet in under five minutes. To achieve maximum speed,  it requires a stable 10 Gigabit link and a custom network driver for Linux. In comparison, it can take weeks or even months for the naive implementation of port scanners. This article describes key features behind the internal design of masscan.
What is port scanning?
Port scanning is a method to determine which ports on a specified list of IPs are open and accept connections. People use it to find web servers, proxy servers, databases, and other internet services for security research. Usually, port scanners target the TCP/IP protocol. Although, UDP port scanning is also possible. This article will only focus on the TCP/IP (IPv4) running under the Linux platform since only the Linux version can handle more than two million packets per second.[......]