XML-based format and protocol for exchanging authentication and authorization data between parties
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Resilient Secure Backup Connectivity for SMB/Home Users
Establishing resilient access to a home network via a second ISP may lead to unintended backdoors. Secure the access and make sure you have the visibility needed to detect abuse.
https://isc.sans.edu/diary/Resilient%20Secure%20Backup%20Connectivity%20for%20SMB%20Home%20Users/31972

BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
An attacker with the ability to create service accounts may be able to manipulate these accounts to mark them as migrated accounts, inheriting all privileges the original account had access to.
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

Flaw in samlify That Opens Door to SAML Single Sign-On Bypass CVE-2025-47949
The samlify Node.js library does not verify SAML assertions correctly. It will consider the entire assertion valid, not just the original one. An attacker may use this to obtain additional privileges or authenticate as a different user.
https://www.endorlabs.com/learn/cve-2025-47949-reveals-flaw-in-samlify-that-opens-door-to-saml-single-sign-on-bypass
We've got a shockingly low number of proverbial monsters and a perfectly normal amount of hideous creatures on this week's show! Monsters come in many shapes and sizes, but the important thing in this episode is that they come from games with awesome tunes! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:08:55 Game 1 0:11:59 Game 1 Reveal 0:23:00 Game 2 0:31:57 Game 2 Reveal 0:43:01 Lightning Round! 0:50:31 Game 3 0:56:13 Game 3 Reveal 1:10:22 Game 4 1:16:40 Game 4 Reveal 1:31:54 This Game's Winner Is... 1:44:28 Bonus Music/Outro
Living Life Through the Word of God Podcast: Host Pastor Dr. Dalene Smith M.Th; DTh: Scripture 2 Saml 9:7 And David said unto him, Fear not: for I will surely shew thee kindness for Jonathan thy father's sake, and will restore thee all the land of Saul thy father; and thou shalt eat bread at my table continually. Subject Topic: God Has A Plan For You
We Pray that you will be so inspired that you will share this broadcast with your family and friends. And if God leads you to sow it will be a blessing in the furthering of the word of God. $ChristEmbassya And feel free to visit any of our social media sites with one click. https://linkfly.to/PastorDrDarleneSmith
God plays a massive role in all our lives on a daily basis, but never more importantly than when a game features a prominent god character or lets you play as god. Let us bow our heads in solemn VGM worship as we take a listen to some of our favorite god games and possibly select a new pope in the process! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:07:12 Game 1 0:11:04 Game 1 Reveal 0:25:45 Game 2 0:32:28 Game 2 Reveal 0:49:30 Game 3 0:56:37 Game 3 Reveal 1:11:25 Game 4 1:23:23 Game 4 Reveal 1:39:28 This Game's Winner Is... 1:50:15 Bonus Music/Outro
We're playing one of the best kinds of bad game on this week's episode: games based on MOVIES! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:09:25 Game 1 0:15:30 Game 1 Reveal 0:31:37 Game 2 0:36:02 Game 2 Reveal 0:49:51 Game That BOOM! 0:57:25 VGM Threesome! 1:04:05 VGM Threesome Song 2 1:12:42 VGM Threesome Song 3 1:22:23 Game 4 1:28:40 Game 4 Reveal 1:34:41 Bluesky Bonus Request! 1:37:05 This Game's Winner Is... 1:42:51 Bonus Music/Outro
Cybersecurity professionals know that mastering identity and access management concepts is essential for CISSP certification success. This deep dive into Domain 5.2 tackles fifteen carefully crafted questions covering everything from just-in-time provisioning to federated identity systems and session security.

We begin by examining the accelerating adoption of generative AI in healthcare organizations, where approximately 85% are investigating or implementing these technologies. This trend spans industries from manufacturing to financial services, creating both opportunities and serious security challenges for professionals who must balance innovation with appropriate safeguards.

The heart of our discussion focuses on critical IAM concepts, including how just-in-time provisioning minimizes attack surfaces by limiting standing privileges, particularly vital in cloud environments. We explore SAML as the primary protocol enabling federated architectures, while highlighting their potential single point of failure risks. Session management security receives special attention, emphasizing secure token storage with appropriate expiration times, and protection against cross-site scripting attacks that target cookie theft.

Throughout our exploration, practical security principles are reinforced: the dangers of shared credentials, the necessity of multi-factor authentication, and the security benefits of automated access revocation. Whether you're preparing for the CISSP exam or looking to strengthen your security knowledge, these concepts represent core knowledge every practicing security professional must internalize.

Ready to accelerate your CISSP journey? Visit CISSP Cyber Training for additional resources and guidance from experienced security professionals who understand the practical applications beyond theoretical knowledge. Let's grow your cybersecurity expertise together!

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
When Lea Korsgaard set out to count all the Danish butterfly species, she had no idea that it would help her understand how important it is to do something completely useless and seemingly pointless. And I'm a huge fan of that. You get a better life if you have an interest that absorbs you. Collect bottle caps, write down license plate numbers, or play handball. This is exactly where we give life value without asking, what's the use? It doesn't have to be useful; it has to be exciting and fun, and it also happens to be very healthy for us humans. Host: Svend Brinkmann. Guest: Lea Korsgaard, author of Inden året er omme and editor-in-chief of Zetland. Look forward to today's episode, which you can now listen to in DR Lyd.
Identity management sits at the core of effective cybersecurity, yet many organizations still struggle with implementing it correctly. In this comprehensive breakdown of CISSP Domain 5.2, we dive deep into the critical components of managing identification and authentication systems that protect your most valuable assets.

Starting with a timely examination of the risks involved in the proposed rapid rewrite of the Social Security Administration's 60-million-line COBOL codebase, we explore why rushing critical identity systems can lead to catastrophic failures. This real-world example sets the stage for understanding why proper authentication management matters.

The episode walks through the essential differences between centralized and decentralized identity approaches, explaining when each makes sense for your organization. We break down Single Sign-On implementation, multi-factor authentication best practices, and the often overlooked importance of treating Active Directory as the security tool it truly is—not just an open database for anyone to query.

For security practitioners looking to level up their authentication strategy, we examine credential management systems like CyberArk, Just-in-Time access models, and federated identity frameworks including SAML, OAuth 2.0, and OpenID Connect. Each approach is explained with practical implementation considerations and security implications.

Whether you're studying for the CISSP exam or working to strengthen your organization's security posture, this episode provides actionable insights on establishing robust authentication controls without sacrificing usability. Don't miss these essential strategies that form the foundation of your security architecture.

Ready to master CISSP Domain 5.2 and all other CISSP domains? Visit CISSPCyberTraining.com for structured learning materials designed to help you pass the exam the first time.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
In the latest episode of Patoarchitekci we dive into the world of Vibe Coding and uncover its dark secrets. AI as a super-junior generates code, and TypeScript moves over to Go. A SAML vulnerability lets you log in as any user! We analyze Amazon S3 Tables and their impact on simplifying systems in AWS. We discover how eBPF is revolutionizing network security. Iranian hackers use AI for advanced phishing. Wondering whether AI will replace programmers? Listen to how someone built a SaaS in one evening and ended up with a disaster. Check whether your code is real engineering or just vibe coding! And now, no time to slack off!
Episode 116: In this episode of Critical Thinking - Bug Bounty Podcast Justin gives a quick rundown of Portswigger's SAML Roulette writeup, as well as some Google VRP reports, and a Next.js middleware exploit.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: ThreatLocker Cloud Control - https://www.threatlocker.com/platform/cloud-control

====== Resources ======
SAML roulette: the hacker always wins
https://portswigger.net/research/saml-roulette-the-hacker-always-wins
Loophole of getting Google Form associated with Google Spreadsheet with no editor/owner access
https://bughunters.google.com/reports/vrp/yBeFmSrJi
Loophole to see the editors of a Google Document with no granted access (owner/editor) with just the fileid (can be obtained from publicly shared links with 0 access)
https://bughunters.google.com/reports/vrp/7EhAw2hur
Cloud Tools for Eclipse - Chaining misconfigured OAuth callback redirection with open redirect vulnerability to leak Google OAuth Tokens with full GCP Permissions
https://bughunters.google.com/reports/vrp/F8GFYGv4g
Next.js, cache, and chains: the stale elixir
https://zhero-web-sec.github.io/research-and-things/nextjs-cache-and-chains-the-stale-elixir
Next.js and the corrupt middleware: the authorizing artifact
https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

====== Timestamps ======
(00:00:00) Introduction
(00:02:59) SAML roulette
(00:13:08) Google bugs
(00:20:16) Next.js and the corrupt middleware
We're playing cartoon games on this episode! The games are bad and the tunes are bad, but the memories...well, they hold up better than the games. Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:07:40 Game 1 0:13:21 Game 1 Reveal 0:23:39 Game 2 0:28:46 Game 2 Reveal 0:33:46 Lightning Round! 0:43:01 Game 3 0:47:04 Game 3 Reveal 0:57:11 Game 4 1:03:04 Game 4 Reveal 1:13:36 Lightning Round!! 1:21:44 Game 5 1:26:55 Game 5 Reveal 1:40:14 This Game's Winner Is... 1:49:50 Bonus Music/Outro
This episode features some game exploitation in Neverwinter Nights, weaknesses in mobile implementation for PassKeys, and a bug that allows disclosure of the email addresses of YouTube creators. We also cover some research on weaknesses in Azure.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/278.html

[00:00:00] Introduction
[00:00:35] Exploiting Neverwinter Nights
[00:08:48] PassKey Account Takeover in All Mobile Browsers [CVE-2024-9956]
[00:22:51] Disclosing YouTube Creator Emails for a $20k Bounty
[00:31:58] Azure's Weakest Link? How API Connections Spill Secrets
[00:39:02] SAML roulette: the hacker always wins
[00:40:56] Compromise of Fuse Encryption Key for Intel Security Fuses

Podcast episodes are available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Python Bot Delivered Through DLL Side-Loading
A "normal", but vulnerable to DLL side-loading PDF reader may be used to launch additional exploit code.
https://isc.sans.edu/diary/Python%20Bot%20Delivered%20Through%20DLL%20Side-Loading/31778

Tomcat RCE Correction
To exploit the Tomcat RCE I mentioned yesterday, two non-default configuration options must be selected by the victim.
https://x.com/dkx02668274/status/1901893656316969308

SAML Roulette: The Hacker Always Wins
This Portswigger blog explains in detail how to exploit the ruby-saml vulnerability against GitLab.
https://portswigger.net/research/saml-roulette-the-hacker-always-wins

Windows Shortcut Zero Day Exploit
Attackers are currently taking advantage of an unpatched vulnerability in how Windows displays Shortcut (.lnk file) details. Trendmicro explains how the attack works and provides PoC code. Microsoft is not planning to fix this issue.
https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Static Analysis of GUID Encoded Shellcode
Didier explains how to decode shellcode embedded as GUIDs in malware, and how to feed the result to his tool 1768.py, which will extract Cobalt Strike configuration information from the code.
https://isc.sans.edu/diary/Static%20Analysis%20of%20GUID%20Encoded%20Shellcode/31774

SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries
xml-crypto, a library used in Node.js applications to decode XML and support SAML, has been found to parse comments incorrectly, leading to several SAML vulnerabilities.
https://workos.com/blog/samlstorm

One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild
A just made public deserialization vulnerability in Tomcat is already being exploited. Contributing to the rapid exploit release is the similarity of this vulnerability to other Java deserialization vulnerabilities.
https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/ CVE-2025-24813

CSS Abuse for Evasion and Tracking
Attackers are using cascading stylesheets to evade detection and enable more stealthy tracking of users.
https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Mirai Bot Now Incorporating Malformed DrayTek Vigor Router Exploits
One of the many versions of the Mirai botnet added some new exploit strings attempting to take advantage of an old DrayTek Vigor Router vulnerability, but they got the URL wrong.
https://isc.sans.edu/diary/Mirai%20Bot%20now%20incroporating%20%28malformed%3F%29%20DrayTek%20Vigor%20Router%20Exploits/31770

Compromised GitHub Action
The popular GitHub action tj-actions/changed-files was compromised and leaks credentials via the action logs.
https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

ruby-saml authentication bypass
A confusion in how to parse SAML messages between two XML parsers used by Ruby leads to an authentication bypass in ruby-saml.
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

GitHub Fake Security Alerts
Fake GitHub security alerts are used to trick package maintainers into adding OAUTH privileges to malicious apps.
https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/
In this episode of the Identity Center Podcast, Jim McDonald discusses policy enforcement, adaptive authentication, and fraud prevention with Patrick Harding, Chief Product Architect at Ping Identity. They delve into how policy enforcement can be managed locally to maintain performance for SaaS applications while ensuring greater flexibility using standards like AuthZEN. Jim and Patrick also cover the benefits and challenges of using SAML and OpenID Connect for single sign-on (SSO) and explore the future role of AI agents in identity and access management. Additionally, they provide valuable tips for attending identity-focused conferences in Berlin and Las Vegas.

Chapters
00:00 Introduction to Policy Enforcement
01:29 Welcome to the Identity Center Podcast
01:54 Conference Discount Codes
03:03 Guest Introduction: Patrick Harding from Ping Identity
03:54 Patrick's Journey into Identity
06:56 Challenges in Adaptive Authentication
10:50 SaaS Applications and Policy Enforcement
21:18 Advanced Fraud Analytics
29:23 Integrating On-Premise and Cloud Applications
30:35 Effort and Challenges in Modernizing Applications
31:22 The Shift to OpenID Connect
32:22 SaaS Applications and Single Sign-On Costs
33:52 AI Agents and Adaptive Authentication
34:54 The Future of AI Agents in Business
39:15 Delegation and Authentication for AI Agents
43:46 The Impact of AI on Jobs and Efficiency
47:11 Advice for Future Careers in a Tech-Driven World
52:57 Conference Tips and Final Thoughts

Connect with Patrick: https://www.linkedin.com/in/pharding/

Conference Discounts!
European Identity and Cloud Conference 2025 - Use code idac25mko for 25% off: https://www.kuppingercole.com/events/eic2025?ref=partneridac
Identiverse 2025 - Use code IDV25-IDAC25 for 25% off: https://identiverse.com/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/

Visit the show on the web at http://idacpodcast.com
Discussion this week starts with the ESP32 "backdoor" drama that circled the media, with some XML-based vulnerabilities in the mix. Finally, we cap off with a post on reviving modprobe_path for Linux exploitation, and some discussion around an attack chain against China that was attributed to the NSA.

Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/277.html

[00:00:00] Introduction
[00:00:25] The ESP32 "backdoor" that wasn't
[00:14:26] Speedrunners are vulnerability researchers
[00:27:58] Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
[00:38:47] Impossible XXE in PHP
[00:52:41] Reviving the modprobe_path Technique: Overcoming search_binary_handler() Patch
[01:04:15] Trigon: developing a deterministic kernel exploit for iOS
[01:06:43] An inside look at NSA (Equation Group) TTPs from China's lense

Podcast episodes are available on the usual podcast platforms:
-- Apple Podcasts: https://podcasts.apple.com/us/podcast/id1484046063
-- Spotify: https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt
-- Google Podcasts: https://www.google.com/podcasts?feed=aHR0cHM6Ly9hbmNob3IuZm0vcy9hMTIxYTI0L3BvZGNhc3QvcnNz
-- Other audio platforms can be found at https://anchor.fm/dayzerosec

You can also join our discord: https://discord.gg/daTxTK9
We tried a show with no violence, so now it's time for INCREDIBLE VIOLENCE! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:05:06 Game 1 0:16:06 Game 1 Reveal 0:27:57 Game 2 0:33:51 Game 2 Reveal 0:51:10 Game 3 0:55:31 Game 3 Reveal 1:15:43 Game 4 1:23:01 Game 4 Reveal 1:43:44 This Game's Winner Is... 1:50:52 Bonus Music/Outro
Today's episode is with Paul Klein, founder of Browserbase. We talked about building browser infrastructure for AI agents, the future of agent authentication, and their open source framework Stagehand.

* [00:00:00] Introductions
* [00:04:46] AI-specific challenges in browser infrastructure
* [00:07:05] Multimodality in AI-Powered Browsing
* [00:12:26] Running headless browsers at scale
* [00:18:46] Geolocation when proxying
* [00:21:25] CAPTCHAs and Agent Auth
* [00:28:21] Building “User take over” functionality
* [00:33:43] Stagehand: AI web browsing framework
* [00:38:58] OpenAI's Operator and computer use agents
* [00:44:44] Surprising use cases of Browserbase
* [00:47:18] Future of browser automation and market competition
* [00:53:11] Being a solo founder

Transcript

Alessio [00:00:04]: Hey everyone, welcome to the Latent Space podcast. This is Alessio, partner and CTO at Decibel Partners, and I'm joined by my co-host Swyx, founder of Smol.ai.

swyx [00:00:12]: Hey, and today we are very blessed to have our friends, Paul Klein, for the fourth, the fourth, CEO of Browserbase. Welcome.

Paul [00:00:21]: Thanks guys. Yeah, I'm happy to be here. I've been lucky to know both of you for like a couple of years now, I think. So it's just like we're hanging out, you know, with three ginormous microphones in front of our face. It's totally normal hangout.

swyx [00:00:34]: Yeah. We've actually mentioned you on the podcast, I think, more often than any other Solaris tenant. Just because like you're one of the, you know, best performing, I think, LLM tool companies that have started up in the last couple of years.

Paul [00:00:50]: Yeah, I mean, it's been a whirlwind of a year, like Browserbase is actually pretty close to our first birthday. So we are one years old. And going from, you know, starting a company as a solo founder to...
To, you know, having a team of 20 people, you know, a series A, but also being able to support hundreds of AI companies that are building AI applications that go out and automate the web. It's just been like, really cool. It's been happening a little too fast. I think like collectively as an AI industry, let's just take a week off together. I took my first vacation actually two weeks ago, and Operator came out on the first day, and then a week later, DeepSeek came out. And I'm like on vacation trying to chill. I'm like, we got to build with this stuff, right? So it's been a breakneck year. But I'm super happy to be here and like talk more about all the stuff we're seeing. And I'd love to hear kind of what you guys are excited about too, and share with it, you know?

swyx [00:01:39]: Where to start? So people, you've done a bunch of podcasts. I think I strongly recommend Jack Bridger's Scaling DevTools, as well as Turner Novak's The Peel. And, you know, I'm sure there's others. So you covered your Twilio story in the past, talked about StreamClub, you got acquired to Mux, and then you left to start Browserbase. So maybe we just start with what is Browserbase? Yeah.

Paul [00:02:02]: Browserbase is the web browser for your AI. We're building headless browser infrastructure, which are browsers that run in a server environment that's accessible to developers via APIs and SDKs. It's really hard to run a web browser in the cloud. You guys are probably running Chrome on your computers, and that's using a lot of resources, right? So if you want to run a web browser or thousands of web browsers, you can't just spin up a bunch of lambdas. You actually need to use a secure containerized environment. You have to scale it up and down. It's a stateful system. And that infrastructure is, like, super painful. And I know that firsthand, because at my last company, StreamClub, I was CTO, and I was building our own internal headless browser infrastructure.
That's actually why we sold the company, is because Mux really wanted to buy our headless browser infrastructure that we'd built. And it's just a super hard problem. And I actually told my co-founders, I would never start another company unless it was a browser infrastructure company. And it turns out that's really necessary in the age of AI, when AI can actually go out and interact with websites, click on buttons, fill in forms. You need AI to do all of that work in an actual browser running somewhere on a server. And BrowserBase powers that.

swyx [00:03:08]: While you're talking about it, it occurred to me, not that you're going to be acquired or anything, but it occurred to me that it would be really funny if you became the Nikita Beer of headless browser companies. You just have one trick, and you make browser companies that get acquired.

Paul [00:03:23]: I truly do only have one trick. I'm screwed if it's not for headless browsers. I'm not a Go programmer. You know, I'm in AI grant. You know, browsers is an AI grant. But we were the only company in that AI grant batch that used zero dollars on AI spend. You know, we're purely an infrastructure company. So as much as people want to ask me about reinforcement learning, I might not be the best guy to talk about that. But if you want to ask about headless browser infrastructure at scale, I can talk your ear off. So that's really my area of expertise. And it's a pretty niche thing. Like, nobody has done what we're doing at scale before. So we're happy to be the experts.

swyx [00:03:59]: You do have an AI thing, stagehand. We can talk about the sort of core of browser-based first, and then maybe stagehand. Yeah, stagehand is kind of the web browsing framework. Yeah.

What is Browserbase? Headless Browser Infrastructure Explained

Alessio [00:04:10]: Yeah. Yeah. And maybe how you got to browser-based and what problems you saw. So one of the first things I worked on as a software engineer was integration testing.
Sauce Labs was kind of like the main thing at the time. And then we had Selenium, we had Playwright, we had all these different browser things. But it's always been super hard to do. So obviously you've worked on this before. When you started browser-based, what were the challenges? What were the AI-specific challenges that you saw versus, there's kind of like all the usual running browser at scale in the cloud, which has been a problem for years. What are like the AI unique things that you saw that like traditional purchase just didn't cover? Yeah.

AI-specific challenges in browser infrastructure

Paul [00:04:46]: First and foremost, I think back to like the first thing I did as a developer, like as a kid when I was writing code, I wanted to write code that did stuff for me. You know, I wanted to write code to automate my life. And I do that probably by using curl or beautiful soup to fetch data from a web browser. And I think I still do that now that I'm in the cloud. And the other thing that I think is a huge challenge for me is that you can't just create a web site and parse that data. And we all know that now like, you know, taking HTML and plugging that into an LLM, you can extract insights, you can summarize. So it was very clear that now like dynamic web scraping became very possible with the rise of large language models or a lot easier. And that was like a clear reason why there's been more usage of headless browsers, which are necessary because a lot of modern websites don't expose all of their page content via a simple HTTP request. You know, they actually do require you to run this type of code for a specific time. JavaScript on the page to hydrate this. Airbnb is a great example. You go to airbnb.com. A lot of that content on the page isn't there until after they run the initial hydration. So you can't just scrape it with a curl. You need to have some JavaScript run.
And a browser is that JavaScript engine that's going to actually run all those requests on the page. So web data retrieval was definitely one driver of starting BrowserBase and the rise of being able to summarize that within LLM. Also, I was familiar with if I wanted to automate a website, I could write one script and that would work for one website. It was very static and deterministic. But the web is non-deterministic. The web is always changing. And until we had LLMs, there was no way to write scripts that you could write once that would run on any website. That would change with the structure of the website. Click the login button. It could mean something different on many different websites. And LLMs allow us to generate code on the fly to actually control that. So I think that rise of writing the generic automation scripts that can work on many different websites, to me, made it clear that browsers are going to be a lot more useful because now you can automate a lot more things without writing. If you wanted to write a script to book a demo call on 100 websites, previously, you had to write 100 scripts. Now you write one script that uses LLMs to generate that script. That's why we built our web browsing framework, StageHand, which does a lot of that work for you. But those two things, web data collection and then enhanced automation of many different websites, it just felt like big drivers for more browser infrastructure that would be required to power these kinds of features.

Alessio [00:07:05]: And was multimodality also a big thing?

Paul [00:07:08]: Now you can use the LLMs to look, even though the text in the dome might not be as friendly. Maybe my hot take is I was always kind of like, I didn't think vision would be as big of a driver. For UI automation, I felt like, you know, HTML is structured text and large language models are good with structured text.
But it's clear that these computer use models are often vision driven, and they've been really pushing things forward. So definitely being multimodal, like rendering the page is required to take a screenshot to give that to a computer use model to take actions on a website. And it's just another win for browser. But I'll be honest, that wasn't what I was thinking early on. I didn't even think that we'd get here so fast with multimodality. I think we're going to have to get back to multimodal and vision models.

swyx [00:07:50]: This is one of those things where I forgot to mention in my intro that I'm an investor in Browserbase. And I remember that when you pitched to me, like a lot of the stuff that we have today, we like wasn't on the original conversation. But I did have my original thesis was something that we've talked about on the podcast before, which is take the GPT store, the custom GPT store, all the every single checkbox and plugin is effectively a startup. And this was the browser one. I think the main hesitation, I think I actually took a while to get back to you. The main hesitation was that there were others. Like you're not the first hit list browser startup. It's not even your first hit list browser startup. There's always a question of like, will you be the category winner in a place where there's a bunch of incumbents, to be honest, that are bigger than you? They're just not targeted at the AI space. They don't have the backing of Nat Friedman. And there's a bunch of like, you're here in Silicon Valley. They're not. I don't know.

Paul [00:08:47]: I don't know if that's, that was it, but like, there was a, yeah, I mean, like, I think I tried all the other ones and I was like, really disappointed. Like my background is from working at great developer tools, companies, and nothing had like the Vercel like experience. Um, like our biggest competitor actually is partly owned by private equity and they just jacked up their prices quite a bit.
And the dashboard hasn't changed in five years. And I actually used them at my last company and tried them and I was like, oh man, like there really just needs to be something that's like the experience of these great infrastructure companies, like Stripe, like Clerk, like Vercel that I use and love, but oriented towards this kind of like more specific category, which is browser infrastructure, which is really technically complex. Like a lot of stuff can go wrong on the internet when you're running a browser. The internet is very vast. There's a lot of different configurations. Like there's still websites that only work with Internet Explorer out there. How do you handle that when you're running your own browser infrastructure? These are the problems that we have to think about and solve at Browserbase. And it's, it's certainly a labor of love, but I built this for me, first and foremost, I know it's super cheesy and everyone says that for like their startups, but it really, truly was for me. If you look at like the talks I've done even before Browserbase, and I'm just like really excited to try and build a category defining infrastructure company. And it's, it's rare to have a new category of infrastructure exist. We're here in the Chroma offices and like, you know, vector databases is a new category of infrastructure. Is it, is it, I mean, we can, we're in their office, so, you know, we can, we can debate that one later. That is one.

Multimodality in AI-Powered Browsing

swyx [00:10:16]: That's one of the industry debates.

Paul [00:10:17]: I guess we go back to the LLM OS talk that Karpathy gave way long ago. And like the browser box was very clearly there and it seemed like the people who were building in this space also agreed that browsers are a core primitive of infrastructure for the LLM OS that's going to exist in the future. And nobody was building something there that I wanted to use. So I had to go build it myself.

swyx [00:10:38]: Yeah.
I mean, exactly that talk that, that honestly, that diagram, every box is a startup and there's the code box and then there's the browser box. I think at some point they will start clashing there. There's always the question of the, are you a point solution or are you the sort of all in one? And I think the point solutions tend to win quickly, but then the all-in-ones have a very tight cohesive experience. Yeah. Let's talk about just the hard problems of Browserbase you have on your website, which is beautiful. Thank you. Was there an agency that you used for that? Yeah. Herve.paris.

Paul [00:11:11]: They're amazing. Herve.paris. Yeah. It's H-E-R-V-E. I highly recommend for developers, developer tools founders, to work with consumer agencies because they end up building beautiful things and the Parisians know how to build beautiful interfaces. So I got to give props.

swyx [00:11:24]: And chat apps, apparently are, they are very fast. Oh yeah. The Mistral chat. Yeah. Mistral. Yeah.

Paul [00:11:31]: Le Chat.

swyx [00:11:31]: Le Chat. And then your videos as well, it was professionally shot, right? The series A video. Yeah.

Alessio [00:11:36]: Nico did the videos. He's amazing. Not the initial video that you shot at the new one. First one was Austin.

Paul [00:11:41]: Another, another video pretty surprised. But yeah, I mean, like, I think when you think about how you talk about your company. You have to think about the way you present yourself. It's, you know, as a developer, you think you evaluate a company based on like the API reliability and the P95, but a lot of developers say, is the website good? Is the message clear? Do I, like, trust this founder I'm building my whole feature on? So I've tried to nail that as well as like the reliability of the infrastructure. You're right. It's very hard. And there's a lot of kind of footguns that you run into when running headless browsers at scale.
Right.

Competing with Existing Headless Browser Solutions

swyx [00:12:10]: So let's pick one. You have eight features here. Seamless integration. Scalability. Fast or speed. Secure. Observable. Stealth. That's interesting. Extensible and developer first. What comes to your mind as like the top two, three hardest ones? Yeah.

Running headless browsers at scale

Paul [00:12:26]: I think just running headless browsers at scale is like the hardest one. And maybe can I nerd out for a second? Is that okay? I heard this is a technical audience, so I'll talk to the other nerds. Whoa. They were listening. Yeah. They're upset. They're ready. The AGI is angry. Okay. So. So how do you run a browser in the cloud? Let's start with that, right? So let's say you're using a popular browser automation framework like Puppeteer, Playwright, and Selenium. Maybe you've written a code, some code locally on your computer that opens up Google. It finds the search bar and then types in, you know, search for Latent Space and hits the search button. That script works great locally. You can see the little browser open up. You want to take that to production. You want to run the script in a cloud environment. So when your laptop is closed, your browser is doing something. The browser is doing something. Well, I, we use Amazon. You can see the little browser open up. You know, the first thing I'd reach for is probably like some sort of serverless infrastructure. I would probably try and deploy on a Lambda. But Chrome itself is too big to run on a Lambda. It's over 250 megabytes. So you can't easily start it on a Lambda. So you maybe have to use something like Lambda layers to squeeze it in there. Maybe use a different Chromium build that's lighter. And you get it on the Lambda. Great. It works. But it runs super slowly. It's because Lambdas are very like resource limited. They only run like with one vCPU. You can run one process at a time. Remember, Chromium is super beefy.
It's barely running on my MacBook Air. I'm still downloading it from a pre-run. Yeah, from the test earlier, right? I'm joking. But it's big, you know? So like Lambda, it just won't work really well. Maybe it'll work, but you need something faster. Your users want something faster. Okay. Well, let's put it on a beefier instance. Let's get an EC2 server running. Let's throw Chromium on there. Great. Okay. I can, that works well with one user. But what if I want to run like 10 Chromium instances, one for each of my users? Okay. Well, I might need two EC2 instances. Maybe 10. All of a sudden, you have multiple EC2 instances. This sounds like a problem for Kubernetes and Docker, right? Now, all of a sudden, you're using ECS or EKS, the Kubernetes or container solutions by Amazon. You're spinning up and down containers, and you're spending a whole engineer's time on kind of maintaining this stateful distributed system. Those are some of the worst systems to run because when it's a stateful distributed system, it means that you are bound by the connections to that thing. You have to keep the browser open while someone is working with it, right? That's just a painful architecture to run. And there's all these other little gotchas with Chromium, like Chromium, which is the open source version of Chrome, by the way. You have to install all these fonts. You want emojis working in your browsers because your vision model is looking for the emoji. You need to make sure you have the emoji fonts. You need to make sure you have all the right extensions configured, like, oh, do you want ad blocking? How do you configure that? How do you actually record all these browser sessions? Like it's a headless browser. You can't look at it. So you need to have some sort of observability. Maybe you're recording videos and storing those somewhere.
It all kind of adds up to be this just giant monster piece of your project when all you wanted to do was run a lot of browsers in production for this little script to go to google.com and search. And when I see a complex distributed system, I see an opportunity to build a great infrastructure company. And we really abstract that away with Browserbase where our customers can use these existing frameworks, Playwright, Puppeteer, Selenium, or our own Stagehand and connect to our browsers in a serverless-like way. And control them, and then just disconnect when they're done. And they don't have to think about the complex distributed system behind all of that. They just get a browser running anywhere, anytime. Really easy to connect to.

swyx [00:15:55]: I'm sure you have questions. My standard question with anything, so essentially you're a serverless browser company, and there's been other serverless things that I'm familiar with in the past, serverless GPUs, serverless website hosting. That's where I come from with Netlify. One question is just like, you promised to spin up thousands of servers. You promised to spin up thousands of browsers in milliseconds. I feel like there's no real solution that does that yet. And I'm just kind of curious how. The only solution I know, which is to kind of keep a kind of warm pool of servers around, which is expensive, but maybe not so expensive because it's just CPUs. So I'm just like, you know. Yeah.

Browsers as a Core Primitive in AI Infrastructure

Paul [00:16:36]: You nailed it, right? I mean, how do you offer a serverless-like experience with something that is clearly not serverless, right? And the answer is, you need to be able to run... We run many browsers on single nodes. We use Kubernetes at Browserbase. So we have many pods that are being scheduled. We have to predictably schedule them up or down. Yes, thousands of browsers in milliseconds is the best case scenario.
If you hit us with 10,000 requests, you may hit a slower cold start, right? So we've done a lot of work on predictive scaling and being able to kind of route stuff to different regions where we have multiple regions of Browserbase where we have different pools available. You can also pick the region you want to go to based on like lower latency, round-trip time latency. It's very important with these types of things. There's a lot of requests going over the wire. So for us, like having a VM like Firecracker powering everything under the hood allows us to be super nimble and spin things up or down really quickly with strong multi-tenancy. But in the end, this is like the complex infrastructural challenges that we have to kind of deal with at Browserbase. And we have a lot more stuff on our roadmap to allow customers to have more levers to pull to exchange, do you want really fast browser startup times or do you want really low costs? And if you're willing to be more flexible on that, we may be able to kind of like work better for your use cases.

swyx [00:17:44]: Since you used Firecracker, shouldn't Fargate do that for you or did you have to go lower level than that? We had to go lower level than that.

Paul [00:17:51]: I find this a lot with Fargate customers, which is alarming for Fargate. We used to be a giant Fargate customer. Actually, the first version of Browserbase was ECS and Fargate. And unfortunately, it's a great product. I think we were actually the largest Fargate customer in our region for a little while. No, what? Yeah, seriously. And unfortunately, it's a great product, but I think if you're an infrastructure company, you actually have to have a deeper level of control over these primitives. I think it's the same thing is true with databases. We've used other database providers and I think-

swyx [00:18:21]: Yeah, serverless Postgres.

Paul [00:18:23]: Shocker. When you're an infrastructure company, you're on the hook if any provider has an outage.
And I can't tell my customers like, hey, we went down because so-and-so went down. That's not acceptable. So for us, we've really moved to bringing things internally. It's kind of opposite of what we preach. We tell our customers, don't build this in-house, but then we're like, we build a lot of stuff in-house. But I think it just really depends on what is in the critical path. We try and have deep ownership of that.

Alessio [00:18:46]: On the distributed location side, how does that work for the web where you might get sort of different content in different locations, but the customer is expecting, you know, if you're in the US, I'm expecting the US version. But if you're spinning up my browser in France, I might get the French version. Yeah.

Paul [00:19:02]: Yeah. That's a good question. Well, generally, like on the localization, there is a thing called locale in the browser. You can set like what your locale is. If you're like in the en-US browser or not, but some things do IP, IP-based routing. And in that case, you may want to have a proxy. Like let's say you're running something in the, in Europe, but you want to make sure you're showing up from the US. You may want to use one of our proxy features so you can turn on proxies to say like, make sure these connections always come from the United States, which is necessary too, because when you're browsing the web, you're coming from like a, you know, data center IP, and that can make things a lot harder to browse the web. So we do have kind of like this proxy super network. Yeah. We have a proxy for you based on where you're going, so you can reliably automate the web. But if you get scheduled in Europe, that doesn't happen as much. We try and schedule you as close to, you know, your origin that you're trying to go to. But generally you have control over the regions you can put your browsers in. So you can specify West one or East one or Europe. We only have one region of Europe right now, actually.
Yeah.

Alessio [00:19:55]: What's harder, the browser or the proxy? I feel like to me, it feels like actually proxying reliably at scale. It's much harder than spinning up browsers at scale. I'm curious. It's all hard.

Paul [00:20:06]: It's layers of hard, right? Yeah. I think it's different levels of hard. I think the thing with the proxy infrastructure is that we work with many different web proxy providers and some are better than others. Some have good days, some have bad days. And our customers who've built browser infrastructure on their own, they have to go and deal with sketchy actors. Like first they figure out their own browser infrastructure and then they got to go buy a proxy. And it's like you can pay in Bitcoin and it just kind of feels a little sus, right? It's like you're buying drugs when you're trying to get a proxy online. We have like deep relationships with these counterparties. We're able to audit them and say, is this proxy being sourced ethically? Like it's not running on someone's TV somewhere. Is it free range? Yeah. Free range organic proxies, right? Right. We do a level of diligence. We're SOC 2. So we have to understand what is going on here. But then we're able to make sure that like we route around proxy providers not working. There's proxy providers who will just, the proxy will stop working all of a sudden. And then if you don't have redundant proxying on your own browsers, that's hard down for you or you may get some serious impacts there. With us, like we intelligently know, hey, this proxy is not working. Let's go to this one. And you can kind of build a network of multiple providers to really guarantee the best uptime for our customers. Yeah. So you don't own any proxies? We don't own any proxies. You're right. The team has been saying who wants to like take home a little proxy server, but not yet. We're not there yet. You know?

swyx [00:21:25]: It's a very mature market. I don't think you should build that yourself.
Like you should just be a super customer of them. Yeah. Scraping, I think, is the main use case for that. I guess. Well, that leads us into CAPTCHAs and also auth, but let's talk about CAPTCHAs. You had a little spiel that you wanted to talk about CAPTCHA stuff.

Challenges of Scaling Browser Infrastructure

Paul [00:21:43]: Oh, yeah. I was just, I think a lot of people ask, if you're thinking about proxies, you're thinking about CAPTCHAs too. I think it's the same thing. You can go buy CAPTCHA solvers online, but it's the same buying experience. It's some sketchy website, you have to integrate it. It's not fun to buy these things and you can't really trust that the docs are bad. What Browserbase does is we integrate a bunch of different CAPTCHAs. We do some stuff in-house, but generally we just integrate with a bunch of known vendors and continually monitor and maintain these things and say, is this working or not? Can we route around it or not? These are CAPTCHA solvers. CAPTCHA solvers, yeah. Not CAPTCHA providers, CAPTCHA solvers. Yeah, sorry. CAPTCHA solvers. We really try and make sure all of that works for you. I think as a dev, if I'm buying infrastructure, I want it all to work all the time and it's important for us to provide that experience by making sure everything does work and monitoring it on our own. Yeah. Right now, the world of CAPTCHAs is tricky. I think AI agents in particular are very much ahead of the internet infrastructure. CAPTCHAs are designed to block all types of bots, but there are now good bots and bad bots. I think in the future, CAPTCHAs will be able to identify who a good bot is, hopefully via some sort of KYC. For us, we've been very lucky. We have very little to no known abuse of Browserbase because we really look into who we work with. And for certain types of CAPTCHA solving, we only allow them on certain types of plans because we want to make sure that we can know what people are doing, what their use cases are.
And that's really allowed us to try and be an arbiter of good bots, which is our long term goal. I want to build great relationships with people like Cloudflare so we can agree, hey, here are these acceptable bots. We'll identify them for you and make sure we flag when they come to your website. This is a good bot, you know?

Alessio [00:23:23]: I see. And Cloudflare said they want to do more of this. So they're going to set by default, if they think you're an AI bot, they're going to reject. I'm curious if you think this is something that is going to be at the browser level or I mean, the DNS level with Cloudflare seems more where it should belong. But I'm curious how you think about it.

Paul [00:23:40]: I think the web's going to change. You know, I think that the Internet as we have it right now is going to change. And we all need to just accept that the cat is out of the bag. And instead of kind of like wishing the Internet was like it was in the 2000s, we can have free content online that wouldn't be scraped. It's just it's not going to happen. And instead, we should think about like, one, how can we change? How can we change the models of, you know, information being published online so people can adequately commercialize it? But two, how do we rebuild applications that expect that AI agents are going to log in on their behalf? Those are the things that are going to allow us to kind of like identify good and bad bots. And I think the team at Clerk has been doing a really good job with this on the authentication side. I actually think that auth is the biggest thing that will prevent agents from accessing stuff, not CAPTCHAs. And I think there will be agent auth in the future.
I don't know if it's going to happen from an individual company, but actually authentication providers that have a, you know, hidden login as agent feature, which will then you put in your email, you'll get a push notification, say like, hey, your Browserbase agent wants to log into your Airbnb. You can approve that and then the agent can proceed. That really circumvents the need for CAPTCHAs or logging in as you and sharing your password. I think agent auth is going to be one way we identify good bots going forward. And I think a lot of this CAPTCHA solving stuff is really short-term problems as the internet kind of reorients itself around how it's going to work with agents browsing the web, just like people do. Yeah.

Managing Distributed Browser Locations and Proxies

swyx [00:24:59]: Stytch recently was on Hacker News for talking about agent experience, AX, which is a thing that Netlify is also trying to clone and coin and talk about. And we've talked about this on our previous episodes before in a sense that I actually think that's like maybe the only part of the tech stack that needs to be kind of reinvented for agents. Everything else can stay the same, CLIs, APIs, whatever. But auth, yeah, we need agent auth. And it's mostly like short-lived, like it should not, it should be a distinct identity from the human, but paired. I almost think like in the same way that every social network should have your main profile and then your alt accounts or your Finsta, it's almost like, you know, every, every human token should be paired with the agent token and the agent token can go and do stuff on behalf of the human token, but not be presumed to be the human. Yeah.

Paul [00:25:48]: It's like, it's, it's actually very similar to OAuth is what I'm thinking. And, you know, Reed from Stytch is an investor, Colin from Clerk, Okta Ventures, all investors in Browserbase because like, I hope they solve this because they'll make Browserbase's mission more possible.
So we don't have to overcome all these hurdles, but I think it will be an OAuth-like flow where an agent will ask to log in as you, you'll approve the scopes. Like it can book an apartment on Airbnb, but it can't like message anybody. And then, you know, the agent will have some sort of like role-based access control within an application. Yeah. I'm excited for that.

swyx [00:26:16]: The tricky part is just, there's one, one layer of delegation here, which is like, you're authing my user's user or something like that. I don't know if that's tricky or not. Does that make sense? Yeah.

Paul [00:26:25]: You know, actually at Twilio, I worked on the login, identity and access management teams, right? So like I built Twilio's login page.

swyx [00:26:31]: You were an intern on that team and then you became the lead in two years? Yeah.

Paul [00:26:34]: Yeah. I started as an intern in 2016 and then I was the tech lead of that team. How? That's not normal. I didn't have a life. He's not normal. Look at this guy. I didn't have a girlfriend. I just loved my job. I don't know. I applied to 500 internships for my first job and I got rejected from every single one of them except for Twilio and then eventually Amazon. And they took a shot on me and like, I was getting paid money to write code, which was my dream. Yeah. Yeah. I'm very lucky that like this coding thing worked out because I was going to be doing it regardless. And yeah, I was able to kind of spend a lot of time on a team that was growing at a company that was growing. So it informed a lot of this stuff here. I think these are problems that have been solved with like the SAML protocol with SSO. I think it's really interesting stuff with like WebAuthn, like these different types of authentication, like schemes that you can use to authenticate people. The tooling is all there. It just needs to be tweaked a little bit to work for agents. And I think the fact that there are companies that are already.
Providing authentication as a service really sets it up. Well, the thing that's hard is like reinventing the internet for agents. We don't want to rebuild the internet. That's an impossible task. And I think people often say like, well, we'll have this second layer of APIs built for agents. I'm like, we will for the top use cases, but instead of we can just tweak the internet as is, which is on the authentication side, I think we're going to be the dumb ones going forward. Unfortunately, I think AI is going to be able to do a lot of the tasks that we do online, which means that it will be able to go to websites, click buttons on our behalf and log in on our behalf too. So with this kind of like web agent future happening, I think with some small structural changes, like you said, it feels like it could all slot in really nicely with the existing internet.

Handling CAPTCHAs and Agent Authentication

swyx [00:28:08]: There's one more thing, which is the, your live view iframe, which lets you take, take control. Yeah. Obviously very key for Operator now, but like, was, is there anything interesting technically there or that the people like, well, people always want this.

Paul [00:28:21]: It was really hard to build, you know, like, so, okay. Headless browsers, you don't see them, right. They're running. They're running in a cloud somewhere. You can't like look at them. And I just want to really make, it's a weird name. I wish we came up with a better name for this thing, but you can't see them. Right. But customers don't trust AI agents, right. At least the first pass. So what we do with our live view is that, you know, when you use Browserbase, you can actually embed a live view of the browser running in the cloud for your customer to see it working. And that's what the first reason is to build trust, like, okay, so I have this script. That's going to go automate a website. I can embed it into my web application via an iframe and my customer can watch. I think.
And then we added two-way communication. So now not only can you watch the browser kind of being operated by AI, if you want to pause and actually click around type within this iframe that's controlling a browser, that's also possible. And this is all thanks to some of the lower level protocol, which is called the Chrome DevTools protocol. It has an API called start screencast, and you can also send mouse clicks and button clicks to a remote browser. And this is all embeddable within iframes. You have a browser within a browser, yo. And then you simulate the screen, the click on the other side. Exactly. And this is really nice often for, like, let's say, a CAPTCHA that can't be solved. You saw this with Operator, you know, Operator actually uses a different approach. They use VNC. So, you know, you're able to see, like, you're seeing the whole window here. What we're doing is something a little lower level with the Chrome DevTools protocol. It's just PNGs being streamed over the wire. But the same thing is true, right? Like, hey, I'm running a window. Pause. Can you do something in this window? Human. Okay, great. Resume. Like sometimes 2FA tokens. Like if you get that text message, you might need a person to type that in. Web agents need human-in-the-loop type workflows still. You still need a person to interact with the browser. And building a UI to proxy that is kind of hard. You may as well just show them the whole browser and say, hey, can you finish this up for me? And then let the AI proceed on afterwards. Is there a future where I stream my current desktop to Browserbase? I don't think so. I think we're very much cloud infrastructure. Yeah. You know, but I think a lot of the stuff we're doing, we do want to, like, build tools. Like, you know, we'll talk about the Stagehand, you know, web agent framework in a second. But, like, there's a case where a lot of people are going desktop first for, you know, consumer use.
And I think Claude is doing a lot of this, where I expect to see, you know, MCPs really oriented around the Claude desktop app for a reason, right? Like, I think a lot of these tools are going to run on your computer because it makes... I think it's breaking out. People are putting it on a server. Oh, really? Okay. Well, sweet. We'll see. We'll see that. I was surprised, though, wasn't I? I think that The Browser Company, too, with Dia Browser, it runs on your machine. You know, it's going to be...

swyx [00:30:50]: What is it?

Paul [00:30:51]: So, Dia Browser, as far as I understand... I used to use Arc. Yeah. I haven't used Arc. But I'm a big fan of The Browser Company. I think they're doing a lot of cool stuff in consumer. As far as I understand, it's a browser where you have a sidebar where you can, like, chat with it and it can control the local browser on your machine. So, if you imagine, like, what a consumer web agent is, which it lives alongside your browser, I think Google Chrome has Project Mariner, I think. I almost call it Project Marinara for some reason. I don't know why. It's...

swyx [00:31:17]: No, I think it's someone really likes the Waterworld. Oh, I see. The classic Kevin Costner. Yeah.

Paul [00:31:22]: Okay. Project Marinara is a similar thing to the Dia Browser, in my mind, as far as I understand it. You have a browser that has an AI interface that will take over your mouse and keyboard and control the browser for you. Great for consumer use cases. But if you're building applications that rely on a browser and it's more part of a greater, like, AI app experience, you probably need something that's more like infrastructure, not a consumer app.

swyx [00:31:44]: Just because I have explored a little bit in this area, do people want branching? So, I have the state of whatever my browser's in. And then I want, like, 100 clones of this state. Do people do that? Or...

Paul [00:31:56]: People don't do it currently. Yeah.
But it's definitely something we're thinking about. I think the idea of forking a browser is really cool. Technically, kind of hard. We're starting to see this in code execution, where people are, like, forking some, like, code execution, like, processes or forking some tool calls or branching tool calls. Haven't seen it at the browser level yet. But it makes sense. Like, if an AI agent is, like, using a website and it's not sure what path it wants to take to crawl this website to find the information it's looking for. It would make sense for it to explore both paths in parallel. And that'd be a very, like... A road not taken. Yeah. And hopefully find the right answer. And then say, okay, this was actually the right one. And memorize that. And go there in the future. On the roadmap. For sure. Don't make my roadmap, please. You know?

Alessio [00:32:37]: How do you actually do that? Yeah. How do you fork? I feel like the browser is so stateful for so many things.

swyx [00:32:42]: Serialize the state. Restore the state. I don't know.

Paul [00:32:44]: So, it's one of the reasons why we haven't done it yet. It's hard. You know? Like, to truly fork, it's actually quite difficult. The naive way is to open the same page in a new tab and then, like, hope that it's at the same thing. But if you have a form halfway filled, you may have to, like, take the whole, you know, container. Pause it. All the memory. Duplicate it. Restart it from there. It could be very slow. So, we haven't found a thing. Like, the easy thing to fork is just, like, copy the page object. You know? But I think there needs to be something a little bit more robust there. Yeah.

swyx [00:33:12]: So, MorphLabs has this infinite branch thing. Like, wrote a custom fork of Linux or something that let them save the system state and clone it. MorphLabs, hit me up. I'll be a customer. Yeah. That's the only. I think that's the only way to do it. Yeah. Like, unless Chrome has some special API for you.
Yeah.

Paul [00:33:29]: There's probably something we'll reverse engineer one day. I don't know. Yeah.

Alessio [00:33:32]: Let's talk about Stagehand, the AI web browsing framework. You have three core components, Observe, Extract, and Act. Pretty clean landing page. What was the idea behind making a framework? Yeah.

Stagehand: AI web browsing framework

Paul [00:33:43]: So, there's three frameworks that are very popular or already exist, right? Puppeteer, Playwright, Selenium. Those are for building hard-coded scripts to control websites. And as soon as I started to play with LLMs plus browsing, I caught myself, you know, code-genning Playwright code to control a website. I would, like, take the DOM. I'd pass it to an LLM. I'd say, can you generate the Playwright code to click the appropriate button here? And it would do that. And I was like, this really should be part of the frameworks themselves. And I became really obsessed with SDKs that take natural language as part of, like, the API input. And that's what Stagehand is. Stagehand exposes three APIs, and it's a superset of Playwright. So, if you go to a page, you may want to take an action, click on the button, fill in the form, etc. That's what the act command is for. You may want to extract some data. This one takes a natural language, like, extract the winner of the Super Bowl from this page. You can give it a Zod schema, so it returns a structured output. And then maybe you're building an API. You can do an agent loop, and you want to kind of see what actions are possible on this page before taking one. You can do observe. So, you can observe the actions on the page, and it will generate a list of actions. You can guide it, like, give me actions on this page related to buying an item. And you can, like, buy it now, add to cart, view shipping options, and pass that to an LLM, an agent loop, to say, what's the appropriate action given this high-level goal? So, Stagehand isn't a web agent.
It's a framework for building web agents. And we think that agent loops are actually pretty close to the application layer because every application probably has different goals or different ways it wants to take steps. I don't think I've seen a generic. Maybe you guys are the experts here. I haven't seen, like, a really good AI agent framework here. Everyone kind of has their own special sauce, right? I see a lot of developers building their own agent loops, and they're using tools. And I view StageHand as the browser tool. So, we expose act, extract, observe. Your agent can call these tools. And from that, you don't have to worry about it. You don't have to worry about generating playwright code performantly. You don't have to worry about running it. You can kind of just integrate these three tool calls into your agent loop and reliably automate the web.
swyx [00:35:48]: A special shout-out to Anirudh, who I met at your dinner, who I think listens to the pod. Yeah. Hey, Anirudh.
Paul [00:35:54]: Anirudh's a man. He's a StageHand guy.
swyx [00:35:56]: I mean, the interesting thing about each of these APIs is they're kind of each startup. Like, specifically extract, you know, Firecrawler is extract. There's, like, Expand AI. There's a whole bunch of, like, extract companies. They just focus on extract. I'm curious. Like, I feel like you guys are going to collide at some point. Like, right now, it's friendly. Everyone's in a blue ocean. At some point, it's going to be valuable enough that there's some turf battle here. I don't think you have a dog in a fight. I think you can mock extract to use an external service if they're better at it than you. But it's just an observation that, like, in the same way that I see each option, each checkbox in the side of custom GPTs becoming a startup or each box in the Karpathy chart being a startup. Like, this is also becoming a thing.
Yeah.
Paul [00:36:41]: I mean, like, so the way StageHand works is that it's MIT-licensed, completely open source. You bring your own API key to your LLM of choice. You could choose your LLM. We don't make any money off of the extract or really. We only really make money if you choose to run it with our browser. You don't have to. You can actually use your own browser, a local browser. You know, StageHand is completely open source for that reason. And, yeah, like, I think if you're building really complex web scraping workflows, I don't know if StageHand is the tool for you. I think it's really more if you're building an AI agent that needs a few general tools or if it's doing a lot of, like, web automation-intensive work. But if you're building a scraping company, StageHand is not your thing. You probably want something that's going to, like, get HTML content, you know, convert that to Markdown, query it. That's not what StageHand does. StageHand is more about reliability. I think we focus a lot on reliability and less so on cost optimization and speed at this point.
swyx [00:37:33]: I actually feel like StageHand, so the way that StageHand works, it's like, you know, page.act, click on the quick start. Yeah. It's kind of the integration test for the code that you would have to write anyway, like the Puppeteer code that you have to write anyway. And when the page structure changes, because it always does, then this is still the test. This is still the test that I would have to write. Yeah. So it's kind of like a testing framework that doesn't need implementation detail.
Paul [00:37:56]: Well, yeah. I mean, Puppeteer, Playwright, and Selenium were all designed as testing frameworks, right? Yeah. And now people are, like, hacking them together to automate the web. I would say, and, like, maybe this is, like, me being too specific. But, like, when I write tests, if the page structure changes. Without me knowing, I want that test to fail.
So I don't know if, like, AI, like, regenerating that. Like, people are using StageHand for testing. But it's more for, like, usability testing, not, like, testing of, like, does the front end, like, has it changed or not. Okay. But generally where we've seen people, like, really, like, take off is, like, if they're using, you know, something. If they want to build a feature in their application that's kind of like Operator or Deep Research, they're using StageHand to kind of power that tool calling in their own agent loop. Okay. Cool.
swyx [00:38:37]: So let's go into Operator, the first big agent launch of the year from OpenAI. Seems like they have a whole bunch scheduled. You were on break and your phone blew up. What's your just general view of computer use agents is what they're calling it. The overall category before we go into Open Operator, just the overall promise of Operator. I will observe that I tried it once. It was okay. And I never tried it again.
OpenAI's Operator and computer use agents
Paul [00:38:58]: That tracks with my experience, too. Like, I'm a huge fan of the OpenAI team. Like, I think that I do not view Operator as the company. I'm not a company killer for Browserbase at all. I think it actually shows people what's possible. I think, like, computer use models make a lot of sense. And I'm actually most excited about computer use models is, like, their ability to, like, really take screenshots and reasoning and output steps. I think that using mouse click or mouse coordinates, I've seen that proved to be less reliable than I would like. And I just wonder if that's the right form factor. What we've done with our framework is anchor it to the DOM itself, anchor it to the actual item. So, like, if it's clicking on something, it's clicking on that thing, you know? Like, it's more accurate. No matter where it is. Yeah, exactly. Because it really ties in nicely.
And it can handle, like, the whole viewport in one go, whereas, like, Operator can only handle what it sees. Can you hover? Is hovering a thing that you can do? I don't know if we expose it as a tool directly, but I'm sure there's, like, an API for hovering. Like, move mouse to this position. Yeah, yeah, yeah. I think you can trigger hover, like, via, like, the JavaScript on the DOM itself. But, no, I think, like, when we saw computer use, everyone's eyes lit up because they realized, like, wow, like, AI is going to actually automate work for people. And I think seeing that kind of happen from both of the labs, and I'm sure we're going to see more labs launch computer use models, I'm excited to see all the stuff that people build with it. I think that I'd love to see computer use power, like, controlling a browser on Browserbase. And I think, like, Open Operator, which was, like, our open source version of OpenAI's Operator, was our first take on, like, how can we integrate these models into Browserbase? And we handle the infrastructure and let the labs do the models. I don't have a sense that Operator will be released as an API. I don't know. Maybe it will. I'm curious to see how well that works because I think it's going to be really hard for a company like OpenAI to do things like support CAPTCHA solving or, like, have proxies. Like, I think it's hard for them structurally. Imagine this New York Times headline, OpenAI CAPTCHA solving. Like, that would be a pretty bad headline, this New York Times headline. Browserbase solves CAPTCHAs. No one cares. No one cares. And, like, our investors are bored. Like, we're all okay with this, you know? We're building this company knowing that the CAPTCHA solving is short-lived until we figure out how to authenticate good bots. I think it's really hard for a company like OpenAI, who has this brand that's so, so good, to balance with, like, the icky parts of web automation, which it can be kind of complex to solve.
I'm sure OpenAI knows who to call whenever they need you. Yeah, right. I'm sure they'll have a great partnership.
Alessio [00:41:23]: And is Open Operator just, like, a marketing thing for you? Like, how do you think about resource allocation? So, you can spin this up very quickly. And now there's all this, like, open deep research, just open all these things that people are building. We started it, you know. You're the original Open. We're the original Open operator, you know? Is it just, hey, look, this is a demo, but, like, we'll help you build out an actual product for yourself? Like, are you interested in going more of a product route? That's kind of the OpenAI way, right? They started as a model provider and then…
Paul [00:41:53]: Yeah, we're not interested in going the product route yet. I view Open Operator as a model provider. It's a reference project, you know? Let's show people how to build these things using the infrastructure and models that are out there. And that's what it is. It's, like, Open Operator is very simple. It's an agent loop. It says, like, take a high-level goal, break it down into steps, use tool calling to accomplish those steps. It takes screenshots and feeds those screenshots into an LLM with the step to generate the right action. It uses stagehand under the hood to actually execute this action. It doesn't use a computer use model. And it, like, has a nice interface using the live view that we talked about, the iframe, to embed that into an application. So I felt like people on launch day wanted to figure out how to build their own version of this. And we turned that around really quickly to show them. And I hope we do that with other things like deep research. We don't have a deep research launch yet. I think David from AOMNI actually has an amazing open deep research that he launched. It has, like, 10K GitHub stars now. So he's crushing that.
But I think if people want to build these features natively into their application, they need good reference projects. And I think Open Operator is a good example of that.
swyx [00:42:52]: I don't know. Actually, I'm actually pretty bullish on API-driven operator. Because that's the only way that you can sort of, like, once it's reliable enough, obviously. And now we're nowhere near. But, like, give it five years. It'll happen, you know. And then you can sort of spin this up and browsers are working in the background and you don't necessarily have to know. And it just is booking restaurants for you, whatever. I can definitely see that future happening. I had this on the landing page here. This might be a slightly out of order. But, you know, you have, like, sort of three use cases for Browserbase. Open Operator. Or this is the operator sort of use case. It's kind of like the workflow automation use case. And it competes with UiPath in the sort of RPA category. Would you agree with that? Yeah, I would agree with that. And then there's Agents we talked about already. And web scraping, which I imagine would be the bulk of your workload right now, right?
Paul [00:43:40]: No, not at all. I'd say actually, like, the majority is browser automation. We're kind of expensive for web scraping. Like, I think that if you're building a web scraping product, if you need to do occasional web scraping or you have to do web scraping that works every single time, you want to use browser automation. Yeah. You want to use Browserbase. But if you're building web scraping workflows, what you should do is have a waterfall. You should have the first request is a curl to the website. See if you can get it without even using a browser. And then the second request may be, like, a scraping-specific API. There's, like, a thousand scraping APIs out there that you can use to try and get data. ScrapingBee. ScrapingBee is a great example, right? Yeah.
And then, like, if those two don't work, bring out the heavy hitter. Like, Browserbase will 100% work, right? It will load the page in a real browser, hydrate it. I see.
swyx [00:44:21]: Because a lot of people don't render to JS.
swyx [00:44:25]: Yeah, exactly.
Paul [00:44:26]: So, I mean, the three big use cases, right? Like, you know, automation, web data collection, and then, you know, if you're building anything agentic that needs, like, a browser tool, you want to use Browserbase.
Alessio [00:44:35]: Is there any use case that, like, you were super surprised by that people might not even think about? Oh, yeah. Or is it, yeah, anything that you can share? The long tail is crazy. Yeah.
Surprising use cases of Browserbase
Paul [00:44:44]: One of the case studies on our website that I think is the most interesting is this company called Benny. So, the way that it works is if you're on food stamps in the United States, you can actually get rebates if you buy certain things. Yeah. You buy some vegetables. You submit your receipt to the government. They'll give you a little rebate back. Say, hey, thanks for buying vegetables. It's good for you. That process of submitting that receipt is very painful. And the way Benny works is you use their app to take a photo of your receipt, and then Benny will go submit that receipt for you and then deposit the money into your account. That's actually using no AI at all. It's all, like, hard-coded scripts. They maintain the scripts. They've been doing a great job. And they build this amazing consumer app. But it's an example of, like, all these, like, tedious workflows that people have to do to kind of go about their business. And they're doing it for the sake of their day-to-day lives. And I had never known about, like, food stamp rebates or the complex forms you have to do to fill them. But the world is powered by millions and millions of tedious forms, visas. You know, Emirate Lighthouse is a customer, right?
You know, they do the O1 visa. Millions and millions of forms are taking away humans' time. And I hope that Browserbase can help power software that automates away the web forms that we don't need anymore. Yeah.
swyx [00:45:49]: I mean, I'm very supportive of that. I mean, forms. I do think, like, government itself is a big part of it. I think the government itself should embrace AI more to do more sort of human-friendly form filling. Mm-hmm. But I'm not optimistic. I'm not holding my breath. Yeah. We'll see. Okay. I think I'm about to zoom out. I have a little brief thing on computer use, and then we can talk about founder stuff, which is, I tend to think of developer tooling markets in impossible triangles, where everyone starts in a niche, and then they start to branch out. So I already hinted at a little bit of this, right? We mentioned more. We mentioned E2B. We mentioned Firecrawl. And then there's Browserbase. So there's, like, all this stuff of, like, have serverless virtual computer that you give to an agent and let them do stuff with it. And there's various ways of connecting it to the internet. You can just connect to a search API, like SERP API, whatever other, like, EXA is another one. That's what you're searching. You can also have a JSON markdown extractor, which is Firecrawl. Or you can have a virtual browser like Browserbase, or you can have a virtual machine like Morph. And then there's also maybe, like, a virtual sort of code environment, like Code Interpreter. So, like, there's just, like, a bunch of different ways to tackle the problem of give a computer to an agent. And I'm just kind of wondering if you see, like, everyone's just, like, happily coexisting in their respective niches. And as a developer, I just go and pick, like, a shopping basket of one of each. Or do you think that you eventually, people will collide?
Future of browser automation and market competition
Paul [00:47:18]: I think that currently it's not a zero-sum market.
Like, I think we're talking about... I think we're talking about all of knowledge work that people do that can be automated online. All of these, like, trillions of hours that happen online where people are working. And I think that there's so much software to be built that, like, I tend not to think about how these companies will collide. I just try to solve the problem as best as I can and make this specific piece of infrastructure, which I think is an important primitive, the best I possibly can. And yeah. I think there's players that are actually going to like it. I think there's players that are going to launch, like, over-the-top, you know, platforms, like agent platforms that have all these tools built in, right? Like, who's building the rippling for agent tools that has the search tool, the browser tool, the operating system tool, right? There are some. There are some. There are some, right? And I think in the end, what I have seen as my time as a developer, and I look at all the favorite tools that I have, is that, like, for tools and primitives with sufficient levels of complexity, you need to have a solution that's really bespoke to that primitive, you know? And I am sufficiently convinced that the browser is complex enough to deserve a primitive. Obviously, I have to. I'm the founder of BrowserBase, right? I'm talking my book. But, like, I think maybe I can give you one spicy take against, like, maybe just whole OS running. I think that when I look at computer use when it first came out, I saw that the majority of use cases for computer use were controlling a browser. And do we really need to run an entire operating system just to control a browser? I don't think so. I don't think that's necessary. You know, BrowserBase can run browsers for way cheaper than you can if you're running a full-fledged OS with a GUI, you know, operating system. And I think that's just an advantage of the browser. 
It is, like, browsers are little OSs, and you can run them very efficiently if you orchestrate it well. And I think that allows us to offer 90% of the, you know, functionality in the platform needed at 10% of the cost of running a full OS. Yeah.
Open Operator: Browserbase's Open-Source Alternative
swyx [00:49:16]: I definitely see the logic in that. There's a Marc Andreessen quote. I don't know if you know this one. Where he basically observed that the browser is turning the operating system into a poorly debugged set of device drivers, because most of the apps are moved from the OS to the browser. So you can just run browsers.
Paul [00:49:31]: There's a place for OSs, too. Like, I think that there are some applications that only run on Windows operating systems. And Eric from pig.dev in this upcoming YC batch, or last YC batch, like, he's building all run tons of Windows operating systems for you to control with your agent. And like, there's some legacy EHR systems that only run on Internet-controlled systems. Yeah.
Paul [00:49:54]: I think that's it. I think, like, there are use cases for specific operating systems for specific legacy software. And like, I'm excited to see what he does with that. I just wanted to give a shout out to the pig.dev website.
swyx [00:50:06]: The pigs jump when you click on them. Yeah. That's great.
Paul [00:50:08]: Eric, he's the former co-founder of banana.dev, too.
swyx [00:50:11]: Oh, that Eric. Yeah. That Eric. Okay. Well, he abandoned bananas for pigs. I hope he doesn't start going around with pigs now.
Alessio [00:50:18]: Like he was going around with bananas. A little toy pig. Yeah. Yeah. I love that. What else are we missing? I think we covered a lot of, like, the Browserbase product history, but. What do you wish people asked you? Yeah.
Paul [00:50:29]: I wish people asked me more about, like, what will the future of software look like? Because I think that's really where I've spent a lot of time about why do Browserbase.
Like, for me, starting a company is like a means of last resort. Like, you shouldn't start a company unless you absolutely have to. And I remain convinced that the future of software is software that you're going to click a button and it's going to do stuff on your behalf. Right now, software. You click a button and it maybe, like, calls it back an API and, like, computes some numbers. It, like, modifies some text, whatever. But the future of software is software using software. So, I may log into my accounting website for my business, click a button, and it's going to go load up my Gmail, search my emails, find the thing, upload the receipt, and then comment it for me. Right? And it may use it using APIs, maybe a browser. I don't know. I think it's a little bit of both. But that's completely different from how we've built software so far. And that's. I think that future of software has different infrastructure requirements. It's going to require different UIs. It's going to require different pieces of infrastructure. I think the browser infrastructure is one piece that fits into that, along with all the other categories you mentioned. So, I think that it's going to require developers to think differently about how they've built software for, you know
Everyone loves to blame violent video games for all the ills that have befallen our society, so in this episode we self-censor and play strictly non-violent games! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:06:25 Game 1 0:11:16 Game 1 Reveal 0:25:30 Game 2 0:30:06 Game 2 Reveal 0:41:04 Game 3 0:45:55 Game 3 Reveal 1:02:58 Game 4 1:08:34 Game 4 Reveal 1:17:23 Game 5 1:22:09 Game 5 Reveal 1:31:52 This Game's Winner Is... 1:38:42 Bonus Music/Outro
We were gonna climb some mountains on this episode but then John went sledding in Tallahassee and got his fill so we're doing a FREEPLAY. Also Johnny went to Magfest, so be prepared to hear about that! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:06:44 Game 1 0:12:05 Game 1 Reveal 0:24:08 Game 2 0:40:02 Game 2 Reveal 0:50:40 Game 3 0:56:19 Game 3 Reveal 1:11:16 Game 4 1:17:14 Game 4 Reveal 1:39:46 Game 5 1:47:57 Game 5 Reveal 2:04:23 This Game's Winner Is... 2:12:30 Bonus Music/Outro
In this discussion with Tremolo Security CTO Marc Boorshtein, we explore what modern day Single Sign-On (SSO) looks like. Everyone likes to talk about zero trust, but how does that work? We talk about some of the history of authentication that got us here, and some technical details on how you should be implementing authentication into your application. We finish up with some passkey details and realize every authentication discussion really just turns into complaining how hard identity is. The blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-02-modern_day_authentication_with_marc_boorshtein/
밀떡 Episode 413-2 (Export requests already coming in on news of L-SAM mass production? L-SAM-II system development begins at the same time)
It's a collect-a-thon on this week's episode! If it's a game with things to collect or even a game collection, it could be on this show! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:05:06 Game 1 0:11:31 Game 1 Reveal 0:25:29 Game 2 0:37:40 Game 2 Reveal 0:57:08 Game 3 1:06:22 Game 3 Reveal 1:21:09 VGM Threesome! 1:23:17 Threesome Game 1 Reveal 1:27:20 Threesome Game 2 1:29:06 Threesome Game 2 Reveal 1:34:40 Threesome Game 3 1:37:18 Threesome Game 3 Reveal 1:44:09 This Game's Winner Is... 1:50:56 Bonus Music/Outro
We're playing complete games on this episode! That means games with no DLC, just the way god intended! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:03:46 Welcome to Game That Tune! 0:10:45 Game 1 0:13:47 Game 1 Reveal 0:32:18 Game 2 0:44:16 Game 2 Reveal 0:57:48 Game 3 1:06:25 Game 3 Reveal 1:24:58 Game 4 1:29:32 Game 4 Reveal 1:44:04 This Game's Winner Is... 1:50:55 Bonus Music/Outro
Join Dan Vega and DaShaun Carter as they welcome Spring Security project lead Rob Winch for an in-depth look at Spring Security 6.4. In this episode, the team explores exciting new features including One-Time Token Login support, Passkeys integration, and significant improvements to OAuth 2.0 and SAML 2.0. Rob shares insights into important deprecation notices as Spring Security moves towards version 7, demonstrates new method security capabilities, and discusses the introduction of RestClient-based implementations. You can participate in our live stream to ask questions or catch the replay on your preferred podcast platform. Show Notes: What's new in Spring Security 6.4; Rob Winch on BlueSky
Eric Olden, Co-Founder and CEO of Strata Identity, dives into the challenges and innovations in identity management for multi-cloud environments. He explains the concept of identity orchestration, its role in zero-trust architecture, and the evolution of identity management from SAML to abstraction layers like IDQL and HEXA. Eric also highlights real-world applications, such as failover scenarios for cruise ships and military operations, emphasizing the importance of resilient identity systems. Listeners are encouraged to explore his book, Identity Orchestration for Dummies, for actionable insights.
Everyone loves paying more after we've already bought a game, so we're discussing games with great DLC and expansions! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:04:45 Game 1 0:11:22 Game 1 Reveal 0:32:25 Game 2 0:44:11 Game 2 Reveal 0:56:13 Game 3 1:17:57 Lightning Round! 1:30:05 Game 4 1:35:34 Game 4 Reveal 1:49:35 Game 5 1:56:07 Game 5 Reveal 2:10:49 This Game's Winner Is... 2:20:26 Bonus Music/Outro
We're playing adventure games on this episode, so we've got epic tunes from epic games! Set your sights on the horizon and enjoy! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:09:41 Game 1 0:19:03 Game 1 Reveal 0:33:37 Game 2 0:40:02 Game 2 Reveal 0:48:33 Game 3 0:51:57 Game 3 Reveal 1:07:15 Game 4 1:21:12 Game 4 Reveal 1:37:00 Game 5 1:45:19 Game 5 Reveal 2:00:13 This Game's Winner Is... 2:04:40 Bonus Music/Outro
We're getting our blood pumping and our balls juiced with HIGH OCTANE GAMES! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters!
Jessie has pulled himself up out of the clitpit and he brought an awesome new mixtape of giant fighting robots with him! Listen to some big time tunes for big time fights! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Bar - MechWarrior 0:00:59 Intro 0:07:45 Dazil, Town of Burning Sands - Xenogears 0:11:05 Manifold Irons - Front Mission (Wonderswan!) 0:13:40 Stage 1-2 (Temple) - Ranger X 0:15:39 The Enemy Commander - Metal Warriors 0:16:38 Gazing Boundary - Ring of Red 0:18:21 Pinnacle Robotics - Into the Breach 0:21:11 The Legendary Mashin - Magic Knight Rayearth 0:23:23 Tomorrow to Start - Vanguard Bandits 0:26:21 Buddies - 13 Sentinels Aegis Rim 0:29:34 Galactica - Zone of the Enders Fist of Mars 0:33:31 Welcome to the Marauder Corps - Titanfall 0:35:18 Cerberus Squad - Chromehounds 0:37:19 Bar( General Purpose) - Front Mission 3 0:40:12 Stage Select - Bangai-O 0:41:21 SUPER 8 Theme - Cyberbots 0:43:21 ZAKU-II - Gundam The Battle Master 2 0:46:22 Pink Ball Activate! - Kirby: Planet Robobot 0:48:36 She's Lost Control - Cyber Troopers Virtual On 0:51:28 Theme from Armored Core 2 - Armored Core 2 0:55:20 Good Feather -Fly a Flag- - Metal Wolf Chaos XD
In this episode, Patrick McKenzie (patio11) is joined by economist and fraud researcher Professor Jetson Leder-Luis to examine the systemic issues underlying government program fraud. Jetson and Patrick discuss healthcare fraud cases, including hospice eligibility manipulation and ambulance transport schemes, and other fraud practices against unemployment and the PPP program. The discussion reveals how institutional constraints, technological limitations, and policy design choices create opportunities for both beneficial and harmful rule violations. They also analyze the ROI of fraud prevention measures, the effectiveness of whistleblower incentives, and how bureaucratic systems can be redesigned to prevent abuse.
–
Full transcript available here: https://www.complexsystemspodcast.com/defrauding-government-jetson-leder-luis
–
Sponsors: Check | WorkOS
Check is the leading payroll infrastructure provider and pioneer of embedded payroll. Check makes it easy for any SaaS platform to build a payroll business, and already powers 60+ popular platforms. Head to checkhq.com/complex and tell them patio11 sent you.
Building an enterprise-ready SaaS app? WorkOS has got you covered with easy-to-integrate APIs for SAML, SCIM, and more.
Start now at https://bit.ly/WorkOS-Turpentine-Network
–
Links:
Jetson's website: https://sites.bu.edu/jetson/
Paper: Ambulance Taxis by Jetson Leder-Luis Ambulance Taxis: The Impact of Regulation and Litigation on Health Care Fraud
Paper: Did FinTech Lenders Facilitate PPP Fraud by John M Griffin, Samuel Kruger, Prateek Mahajan https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3906395
Paper: Is Fraud Contagious by John M Griffin https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4599654
Paper: Unemployment Insurance Fraud in the Debit Card Market by Jetson Leder-Luis with Umang Khetan, Yunrong Zhou and Jialan Wang https://www.nber.org/papers/w32527
Book: Recoding America by Jennifer Pahlka https://www.amazon.com/Recoding-America-Government-Failing-Digital-ebook/dp/B0B8644ZGY
Podcast: Jennifer Pahlka on Ezra Klein https://open.spotify.com/episode/2VPErCIG1pbcnYFBojrKcG
Podcast: Dave Guarino on Odd Lots https://open.spotify.com/episode/43HI3NuxZGsl13U365xZxa
Bits About Money https://www.bitsaboutmoney.com/
Related Complex Systems episodes: Dan Davies and Dave Guarino's episodes
–
Twitter: @patio11 @jetson_econ
–
Timestamps:
(00:00) Intro
(02:04) Overview of Medicare/Medicaid
(02:41) Estimated $50-100B fraud losses
(03:31) Taxonomy of healthcare fraud
(08:04) Hospice fraud; potentially saved money
(16:33) A $10 billion asterisk: ambulances for dialysis patients
(21:30) Sponsors: Work OS | Check
(24:45) Complexities of fraud detection and prevention
(39:02) Pandemic fraud
(41:34) Findings on PPP loans fraud
(48:19) Supply chain of fraud
(52:06) Policy and enforcement challenges
(01:08:32) Whistleblower programs
(01:14:54) Final thoughts
–
Complex Systems is part of the Turpentine podcast network. Turpentine also has a social network for top founders and execs: https://www.turpentinenetwork.com/
2024-10-22 Weekly News — Episode 221. Watch the video version on YouTube at https://youtube.com/live/j-e_y4OwuCw?feature=share Hosts: Gavin Pickin - Senior Developer at Ortus Solutions. Thanks to our Sponsor - Ortus Solutions. The makers of ColdBox, CommandBox, ForgeBox, TestBox and all your favorite box-es out there including BoxLang. A few ways to say thanks back to Ortus Solutions: Buy Tickets to Into the Box 2025 in Washington DC https://t.co/cFLDUJZEyM April 30, 2025 - May 2, 2025 - Washington, DC. Like and subscribe to our videos on YouTube. Help ORTUS reach for the Stars - Star and Fork our Repos. Star all of your Github Box Dependencies from CommandBox with https://www.forgebox.io/view/commandbox-github Subscribe to our Podcast on your Podcast Apps and leave us a review. Sign up for a free or paid account on CFCasts, which is releasing new content regularly. BOXLife store: https://www.ortussolutions.com/about-us/shop Buy Ortus's Books: 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips) Now on Amazon! In hardcover too!!! https://www.amazon.com/dp/B0CJHB712M Learn Modern ColdFusion (CFML) in 100+ Minutes - Free online https://modern-cfml.ortusbooks.com/ or buy an EBook or Paper copy https://www.ortussolutions.com/learn/books/coldfusion-in-100-minutes Patreon Support: We have 59 patreons: https://www.patreon.com/ortussolutions. News and Announcements: Lucee 6.1.1 (6.1.1.100-RC) Release Candidate: There is a new Lucee 6.1.1.100-RC release candidate available for testing. Give it a try and share your feedback with us. What's New? This release focuses mainly on bug fixes, along with a few useful enhancements. https://dev.lucee.org/t/lucee-6-1-1-6-1-1-100-rc-release-candidate/14353 ColdFusion 2023 and 2021 October 15th, 2024 updates: We are pleased to announce that we have released general updates to ColdFusion (2023 release) Update 11 and ColdFusion (2021 release) Update 17.
The updates include bug fixes and enhancements in Administrator, Language, CFSetup, Database, and other areas. They also contain library upgrades, such as netty, ehcache, etc. The updates also include enhancements to whitespace management and client variable support in CFPM. Known issues in the update: The PDF Services page in ColdFusion Administrator does not load even with the HTMLToPDF package installed. https://coldfusion.adobe.com/2024/10/released-coldfusion-2023-and-2021-october-15th-2024-updates/ CF Summit India Announced: We are excited to announce that the Adobe ColdFusion India Summit 2024 is happening on December 7, 2024, and this year, we're bringing the event to two vibrant cities: Bengaluru and Noida. Whether you're a seasoned developer or just beginning your journey in web development, this free summit offers a unique opportunity to learn, connect, and grow with the best minds in the industry. https://coldfusion.adobe.com/2024/10/get-ready-for-adobe-coldfusion-india-summit-2024/ Announcing Java updates of Oct 2024 for 8, 11, 17, 21, and 23: thoughts and resources. It's that time again: there are new JVM updates released today (Oct 15, 2024) for the current long-term support (LTS) releases of Oracle Java, 8, 11, 17, and 21, as well as the new short-term release 23. (The previous short-term release, Java 22, is no longer updated.) TLDR: The new updates are 1.8.0_431 (aka 8u431), 11.0.25, 17.0.13, 21.0.5, and 23.0.1 respectively. Crazy that there are now 5 current Java releases, I realize.
More below, including more on each of them including what changed as well as bug fixes and the security fixes each version contains (including their CVE scores regarding urgency of concerns), which are offered in Oracle resources I list below. https://www.carehart.org/blog/2024/10/15/java_updates_oct_2024 PayPal's NVP/SOAP API for Website Payments Pro accounts suddenly stopped working sometime early October: PayPal's NVP/SOAP API for Website Payments Pro accounts suddenly stopped working sometime around October 4th (possibly Sep 30). Some developers that reported having the issue were using legacy classic ASP and others were using ColdFusion. I believe we've been using the PayPal DoDirectPayment API since it was introduced back in 2002. At some point, PayPal added the following undated disclaimer to their documentation. (According to Microsoft Copilot, "PayPal's NVP (Name-Value Pair) API was marked as "legacy" around October 12th, 2021".) CFPayment (retired) supports WPP & Payflow, but not the new REST API method. Searching online for "ColdFusion (or cfml) paypal rest api" didn't return anything beneficial, so it became apparent that there was a need for a solution... any solution. James Moberg has an updated Paypal Rest API Cfc available here: https://dev.to/gamesover/coldfusion-paypal-rest-api-cfc-339p Secure Your ColdFusion Perpetual License Before Adobe's Subscription-Only Switch: Following Adobe's announcement at the Adobe ColdFusion Summit in Las Vegas, ColdFusion will transition to a subscription-only licensing model. This major shift in licensing strategy means developers and organizations have a limited window to secure their final perpetual ColdFusion license. While we don't know the date for the Adobe switch, FusionReactor customers have an exclusive opportunity to secure their last perpetual license and save significantly in the process.
This final offer has been extended to December 31, 2024, giving organizations more months to make this crucial decision. https://fusion-reactor.com/blog/secure-your-coldfusion-perpetual-license-before-adobes-subscription-only-switch/ Microsoft Copilot is a little Snarky about ColdFusion
We've got 5 fantastic games from the year 2003 on this episode! Our merch store is back, now on TeePublic! Check it out and grab something absurd for you or a friend! Join us in Discord! Check out our Patreon page! Patreon.com/GameThatTune is the home for exclusive content! Special thanks to our ABSURD FAN tier Patreon producers: Daniel Perkey, Sam L, PhoenixTear2121, BeastPond, HCO and Spanky McMasters! 0:00:00 Welcome to Game That Tune! 0:04:16 Game 1 0:09:05 Game 1 Reveal 0:23:35 Game 2 0:33:10 Game 2 Reveal 0:47:51 Game 3 0:54:54 Game 3 Reveal 1:16:57 Game 4 1:23:28 Game 4 Reveal 1:37:05 Game 5 1:46:55 Game 5 Reveal 2:01:22 This Game's Winner Is... 2:09:41 Bonus Music/Outro
Episode 92: In this episode of Critical Thinking - Bug Bounty Podcast, Justin and Joel tackle a host of new research and write-ups, including Ruby SAML, 0-Click exploits in MediaTek Wi-Fi, and Vulnerabilities caused by The Great Firewall. Follow us on twitter at: @ctbbpodcast. We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io Shoutout to YTCracker for the awesome intro music! ------ Links ------ Find the Hackernotes: https://blog.criticalthinkingpodcast.io/ Follow your hosts Rhynorater & Teknogeek on twitter: https://twitter.com/0xteknogeek https://twitter.com/rhynorater ------ Ways to Support CTBBPodcast ------ Hop on the CTBB Discord at https://ctbb.show/discord! We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc. Today's Sponsor - ThreatLocker. Checkout their ThreatLocker Detect! https://www.criticalthinkingpodcast.io/tl-detect Resources: Insecurity through Censorship; Ruby-SAML / GitLab Authentication Bypass; 0-Click exploit discovered in MediaTek Wi-Fi chipsets; New Caido Plugin to Generate Wordlists; Bebik's 403 Bypassor; CSPBypass; Arb Read & Arb write on LLaMa.cpp by SideQuest; XSS WAF Bypass One payload for all. Timestamps: (00:00:00) Introduction (00:02:08) Vulnerabilities Caused by The Great Firewall (00:07:25) Ruby SAML Bypass (00:19:55) 0-Click exploit discovered in MediaTek Wi-Fi chipsets (00:24:36) New Caido Wordlist Plugin (00:31:00) CSPBypass.com (00:35:37) Arb Read & Arb write on LLaMa.cpp by SideQuest (00:43:10) Helpful WAF Bypass
In this episode, Patrick McKenzie (patio11) and Erik Torenberg, investor and the media entrepreneur behind Turpentine, explore the evolving relationship between tech journalism and the industry it covers. They discuss how fictional portrayals of industries greatly inform how jobseekers understand those industries, and how the industries understand themselves. They cover the vacuum in quality tech reporting, the emergence of independent media companies, and industry heavyweights with massive followings. Patrick also brings up the phenomenon of Twitter/Slack crossovers, where coordinated social media action is used to influence internal company policies and public narratives. They examine how this dynamic, combined with economic pressures and ideological motivations, has led to increased groupthink in tech journalism. Expanding on themes covered in Kelsey Piper's episode of Complex Systems, this conversation makes more legible the important ways media affects tech, even though tech is arguably a more sophisticated industry – and why there is a need to move beyond simplistic narratives of "holding power accountable" to provide nuanced, informative coverage that helps people understand tech's impact on society. – Full transcript available here: https://www.complexsystemspodcast.com/episodes/tech-media-erik-torenberg – Sponsors: WorkOS | Check. Building an enterprise-ready SaaS app? WorkOS has got you covered with easy-to-integrate APIs for SAML, SCIM, and more. Start now at https://bit.ly/WorkOS-Turpentine-Network Check is the leading payroll infrastructure provider and pioneer of embedded payroll. Check makes it easy for any SaaS platform to build a payroll business, and already powers 60+ popular platforms.
Head to https://checkhq.com/complex and tell them patio11 sent you. – Links: Bits About Money, “Fiction and Finance” https://www.bitsaboutmoney.com/archive/fiction-about-finance/ Byrne Hobart's essay on The Social Network https://byrnehobart.medium.com/the-social-network-was-the-most-important-movie-of-all-time-9f91f66018d7 Kelsey Piper on Complex Systems https://open.spotify.com/episode/33rHTZVowaq76tCTaKJfRB – Twitter: @patio11 @eriktorenberg – Timestamps: (00:00) Intro (00:27) Fiction and Finance: The power of narrative (01:41) The Social Network's impact on career choices (03:34) Cultural perceptions and entrepreneurship (06:04) Media influence and tech industry perception (11:01) The role of tech journalism (14:15) Social media's impact on journalism (19:39) Sponsors: WorkOS | Check (21:54) The intersection of media and tech (39:22) Public intellectualism in tech (57:40) Wrap – Complex Systems is part of the Turpentine podcast network. Turpentine also has a social network for top founders and execs: https://www.turpentinenetwork.com/
Video Episode: https://youtu.be/O2h2nBA4BQ8 In today’s episode, we discuss significant security vulnerabilities found in Manufacturing Message Specification (MMS) protocol libraries, potentially allowing attackers to execute remote code or crash industrial devices. We also cover the sudden blockade of Discord in Russia and Turkey due to illegal activity, affecting user access, and the release of exploit code for a critical GitLab authentication bypass flaw, CVE-2024-45409, which could allow unauthorized access to GitLab installations. Lastly, we explore the GoldenJackal APT group's sophisticated attacks targeting air-gapped systems in Europe for cyberespionage purposes. References: 1. https://thehackernews.com/2024/10/researchers-uncover-major-security.html 2. https://www.bleepingcomputer.com/news/government/discord-blocked-in-russia-and-turkey-for-spreading-illegal-content/ 3. https://www.helpnetsecurity.com/2024/10/09/exploit-cve-2024-45409/ 4. https://www.helpnetsecurity.com/2024/10/09/goldenjackal-air-gapped-systems-compromise/ Timestamps: 00:00 – Introduction 00:59 – GoldenJackal APT bypass Air-Gapped Systems 02:01 – GitLab Vulnerability 02:47 – Russia and Turkey block Discord 04:04 – Industrial Environments Vulnerability 1. What are today’s top cybersecurity news stories? 2. How are vulnerabilities in MMS protocol impacting industrial security? 3. What are the reasons behind Discord’s blocking in Russia and Turkey? 4. What should GitLab users know about the CVE-2024-45409 authentication bypass vulnerability? 5. Who is the GoldenJackal APT group and what attacks have they launched? 6. What are the implications of air-gapped systems being breached by cyberespionage groups? 7. What vulnerabilities were found in the libIEC61850 and TMW IEC 61850 libraries? 8. How can organizations mitigate risks from the newly discovered vulnerabilities in industrial systems? 9. Why is Discord considered a platform for illegal activities in Russia and Turkey? 10. What steps should GitLab administrators take to protect from recent exploit scripts?
MMS protocol, MZ Automation, Triangle MicroWorks, remote code execution, Discord, VPNs, protests, government control, GitLab, CVE-2024-45409, SAML, exploit, GoldenJackal, APT, air-gapped, cyberespionage
In this episode Ashish Rajan sits down with Shashwat Sehgal, co-founder and CEO of P0 Security, to talk about the complexities of cloud identity lifecycle management. Shashwat spoke to us about why traditional identity solutions like SAML are no longer sufficient in today's cloud environments. He discusses the need for organisations to adopt a more holistic approach to secure access across cloud infrastructures, addressing everything from managing IAM roles to gaining complete visibility and inventory of all cloud identities. This episode goes into the growing challenges around managing human and non-human identities, and the importance of shifting from legacy solutions to cloud-native governance. Guest Socials: Shashwat's Linkedin Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (01:47) A bit about Shashwat (02:20) What is Identity Lifecycle Management? (04:55) What is IGA and PAM? (10:10) Complexity of Identity Management (13:12) What are non human identities? (15:56) Maturity Levels for Cloud Identity Lifecycle Management (19:03) The role of SAML in Identity Management (20:07) Identity Management of Third parties and SaaS Providers (21:28) Who's responsible for identity management in Cloud? (23:28) Changing landscape of identity management (27:46) Native Solutions for identity management (30:03) Fun Questions
In this episode of The Cognitive Revolution, Nathan explores unconventional approaches to AI safety with Judd Rosenblatt and Mike Vaiana from AE Studio. Discover how this innovative company pivoted from brain-computer interfaces to groundbreaking AI alignment research, producing two notable results in cooperative and less deceptive AI systems. Join us for a deep dive into biologically-inspired approaches that offer hope for solving critical AI safety challenges. Self-Modeling: https://arxiv.org/abs/2407.10188 Self-Other Distinction Minimization: https://www.alignmentforum.org/posts/hzt9gHpNwA2oHtwKX/self-other-overlap-a-neglected-approach-to-ai-alignment Neglected approaches blog post: https://www.lesswrong.com/posts/qAdDzcBuDBLexb4fC/the-neglected-approaches-approach-ae-studio-s-alignment Apply to join over 400 Founders and Execs in the Turpentine Network: https://www.turpentinenetwork.co/ SPONSORS: WorkOS: Building an enterprise-ready SaaS app? WorkOS has got you covered with easy-to-integrate APIs for SAML, SCIM, and more. Join top startups like Vercel, Perplexity, Jasper & Webflow in powering your app with WorkOS. Enjoy a free tier for up to 1M users! Start now at https://bit.ly/WorkOS-Turpentine-Network Weights & Biases Weave: Weights & Biases Weave is a lightweight AI developer toolkit designed to simplify your LLM app development. With Weave, you can trace and debug input, metadata and output with just 2 lines of code. Make real progress on your LLM development and visit the following link to get started with Weave today: https://wandb.me/cr 80,000 Hours: 80,000 Hours offers free one-on-one career advising for Cognitive Revolution listeners aiming to tackle global challenges, especially in AI. They connect high-potential individuals with experts, opportunities, and personalized career plans to maximize positive impact. 
Apply for a free call at https://80000hours.org/cognitiverevolution to accelerate your career and contribute to solving pressing AI-related issues. Omneky: Omneky is an omnichannel creative generation platform that lets you launch hundreds of thousands of ad iterations that actually work customized across all platforms, with a click of a button. Omneky combines generative AI and real-time advertising data. Mention "Cog Rev" for 10% off https://www.omneky.com/ RECOMMENDED PODCAST: This Won't Last - Eavesdrop on Keith Rabois, Kevin Ryan, Logan Bartlett, and Zach Weinberg's monthly backchannel ft their hottest takes on the future of tech, business, and venture capital. Spotify: https://open.spotify.com/show/2HwSNeVLL1MXy0RjFPyOSz CHAPTERS: (00:00:00) About the Show (00:00:22) Sponsors: WorkOS (00:01:22) About the Episode (00:05:18) Introduction and AE Studio Background (00:11:37) Keys to Success in Building AE Studio (00:16:57) Sponsors: Weights & Biases Weave | 80,000 Hours (00:19:37) Universal Launcher and Productivity Gains (00:24:44) 100x Productivity Increase Explanation (00:31:46) Brain-Computer Interface and AI Alignment (00:38:05) Sponsors: Omneky (00:38:30) Current State of NeuroTech (00:44:00) Survey on Neglected Approaches in AI Alignment (00:50:41) Self-Modeling and Biological Inspiration (00:57:48) Technical Details of Self-Modeling (01:06:17) Self-Other Distinction Minimization (01:12:44) Implementation in Language Models (01:19:00) Compute Costs and Scaling Considerations (01:24:27) Consciousness Concerns and Future Work (01:40:24) Evaluating Neglected Approaches (01:55:56) Closing Thoughts and Policy Considerations (01:59:25) Outro
In this episode of the Cloud Security Podcast, Ashish sat down with Art Poghosyan, CEO and co-founder of Britive, to explore the changing world of identity and access management (IAM) in the cloud era. With over two decades of experience in the identity space, Art breaks down the challenges of traditional Privileged Access Management (PAM) and how cloud-native environments require a rethinking of security strategies. From understanding the complexities of cloud infrastructure entitlements to unpacking the differences between on-premise and cloud-based PAM, Art explains why "Identity is the new perimeter" and how modern organizations must adapt. They dive deep into the importance of Just-in-Time (JIT) access, non-human identities, and the critical role identity plays as the first and last line of defense in cloud security. Guest Socials: Art's Linkedin Podcast Twitter - @CloudSecPod If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels: - Cloud Security Podcast- Youtube - Cloud Security Newsletter - Cloud Security BootCamp Questions asked: (00:00) Introduction (01:53) A bit about Art (02:51) What is IAM? (04:02) What is Cloud Privilege Access Management? (06:08) Why do we need CloudPAM in 2024? (07:52) Non Human Identities (08:39) Privilege in Cloud vs On Premise (09:49) SAML vs PAM (12:21) Just in Time provisioning in Cloud (17:17) Making Access Management Developer Friendly (19:12) What should security team be looking at ? (21:22) Communicating IAM vulnerabilities (23:45) Tactical steps to level up IAM (27:20) Zero Trust and IAM (30:56) Fun Questions
In this special crossover episode of The Cognitive Revolution, Nathan shares an insightful conversation from the Latent.Space podcast. Swyx and Alessio interview Alistair Pullen of Cosine, creators of Genie, showcasing the cutting edge of AI automation in software engineering. Learn how Cosine achieves state-of-the-art results on the SWE-bench benchmark by implementing advanced AI techniques. This episode complements Nathan's recent discussion on AI Automation, demonstrating how far these practices can be pushed in real-world applications. Don't miss this opportunity to explore the future of AI-driven software development and its implications for businesses across industries. Check out the Latent.Space podcast here: https://www.latent.space Apply to join over 400 Founders and Execs in the Turpentine Network: https://www.turpentinenetwork.co/ SPONSORS: WorkOS: Building an enterprise-ready SaaS app? WorkOS has got you covered with easy-to-integrate APIs for SAML, SCIM, and more. Join top startups like Vercel, Perplexity, Jasper & Webflow in powering your app with WorkOS. Enjoy a free tier for up to 1M users! Start now at https://bit.ly/WorkOS-Turpentine-Network Weights & Biases Weave: Weights & Biases Weave is a lightweight AI developer toolkit designed to simplify your LLM app development. With Weave, you can trace and debug input, metadata and output with just 2 lines of code. Make real progress on your LLM development and visit the following link to get started with Weave today: https://wandb.me/cr 80,000 Hours: 80,000 Hours offers free one-on-one career advising for Cognitive Revolution listeners aiming to tackle global challenges, especially in AI. They connect high-potential individuals with experts, opportunities, and personalized career plans to maximize positive impact. Apply for a free call at https://80000hours.org/cognitiverevolution to accelerate your career and contribute to solving pressing AI-related issues. 
Omneky: Omneky is an omnichannel creative generation platform that lets you launch hundreds of thousands of ad iterations that actually work customized across all platforms, with a click of a button. Omneky combines generative AI and real-time advertising data. Mention "Cog Rev" for 10% off https://www.omneky.com/ CHAPTERS: (00:00:00) About the Show (00:00:22) Sponsors: WorkOS (00:01:22) About the Episode (00:04:29) Alistair and Cosine intro (00:13:50) Building the Code Retrieval Tool (00:17:36) Sponsors: Weights & Biases Weave | 80,000 Hours (00:20:15) Developing Genie and Fine-tuning Process (00:27:41) Working with Customer Data (00:30:53) Code Retrieval Challenges and Solutions (00:36:39) Sponsors: Omneky (00:37:02) Planning and Reasoning in AI Models (00:45:55) Language Support and Generalization (00:49:46) Fine-tuning Experience with OpenAI (00:52:56) Synthetic Data and Self-improvement Loop (00:55:57) Benchmarking and SWE-bench Results (01:01:47) Future Plans for Genie (01:03:02) Industry Trends and Cursor's Success (01:05:23) Calls to Action and Ideal Customers (01:08:43) Outro
Today on Moment of Zen, Samo Burja and Rudyard Lynch return for a mind-bending discussion and deep dive into the concept of "long ripples" — how ideas and events from the distant past continue to shape our present and future in unexpected ways. From Plato's influence on modern political movements to the unforeseen consequences of the Industrial Revolution, this conversation challenges our understanding of historical cause and effect. Are we truly progressing, or are we caught in cycles we fail to recognize? Can we learn from the past, or are we doomed to repeat it in new, technologically-amplified ways? This episode is a rollercoaster ride through time, technology, and human nature, forcing us to reconsider our place in the grand sweep of history. Both Samo and Rudyard are hosts of Turpentine shows, Live Players and History 102, respectively. CHECK OUT: Live Players: Spotify: https://open.spotify.com/show/5fbMTkHBnom1JIBWYNVBK1 Apple: https://podcasts.apple.com/us/podcast/live-players-with-samo-burja-and-erik-torenberg/id1718925188 History 102: Spotify: https://open.spotify.com/show/36Kqo3BMMUBGTDo1IEYihm Apple: https://podcasts.apple.com/us/podcast/history-102-with-whatifalthists-rudyard-lynch-and/id1730633913
In today's episode, Noah Smith and Erik Torenberg dive into the complexities of immigration, global economic development, and cultural stereotypes. Noah also shares insights from his upcoming book on reviving Japan's economy, examining strategies like innovation, reforming large corporations, and attracting foreign investments.
Patrick McKenzie (patio11) is joined again by Byrne Hobart, writer of The Diff, for a follow up conversation about “whales” – and so much more – across the gaming, aviation, software, hospitality and fast food industries. Patrick and Byrne also discuss their writing process, knowledge management, and how they use AI tools. – Full transcript available here: www.complexsystemspodcast.com/byrne-hobart-whales-miscellany – Sponsors: Check | WorkOS. Check is the leading payroll infrastructure provider and pioneer of embedded payroll. Check makes it easy for any SaaS platform to build a payroll business, and already powers 60+ popular platforms. Head to checkhq.com/complex and tell them patio11 sent you. Building an enterprise-ready SaaS app? WorkOS has got you covered with easy-to-integrate APIs for SAML, SCIM, and more. Start now at https://bit.ly/WorkOS-Turpentine-Network – Links: The Diff thediff.co Capital Gains capitalgains.thediff.co Byrne Hobart's book Boom: Bubbles and the End of Stagnation Kongregate Presentation: Video (https://www.youtube.com/watch?v=P7SDByLlCHw) Slides (https://blog.kongregate.com/dont-call-them-whales-f2p-spenders-and-virtual-value/) – Twitter: @patio11 @byrnehobart
Timestamps: (00:00) Intro (00:45) Economics of video game currencies (02:56) Pricing strategies in mobile gaming (05:08) Monetization skew towards high-end players (08:08) VIP systems and casino host analogy (11:08) Whale behavior in casual games (15:03) Hyper-consuming outliers in other industries (19:09) Sponsors: WorkOS | Check (21:25) Hobbies and opportunity costs (23:01) Custom software for tech billionaires (26:30) Evolution of website development (29:55) Restaurant websites and delivery apps (40:17) McDonald's take rates (44:59) Restaurant groups (53:34) Tech company cafeterias and employee benefits (57:57) Google's business model and economic feedback loops (1:00:57) Early Google investment anecdote (1:02:16) Writing as a memory aid (1:04:46) Using ChatGPT for memory assistance (1:10:30) LLMs as writing and coding aids (1:13:34) Children's interaction with ChatGPT (1:18:11) Arguing with LLMs and using them for research (1:03:00) Wrap – Complex Systems is part of the Turpentine podcast network. Turpentine also has a social network for top founders and execs: https://www.turpentinenetwork.com/
Join Nathan for an insightful episode of The Cognitive Revolution with Wade Foster, co-founder and CEO of Zapier. Discover how this no-code pioneer is evolving into an AI-powered platform for the future of work. Learn about Zapier's ambitious vision, their integration of AI throughout their product, and how they're adapting as a company. From AI-driven lead qualification to innovative customer use cases, explore the cutting edge of automation at scale. Wade shares valuable insights on effective AI prompting, internal AI adoption strategies, and his perspective on recent AI advancements. Check out the ZapConnect 2024 event: https://zapier.com/zapconnect Apply to join over 400 Founders and Execs in the Turpentine Network: https://www.turpentinenetwork.co/ SPONSORS: WorkOS: Building an enterprise-ready SaaS app? WorkOS has got you covered with easy-to-integrate APIs for SAML, SCIM, and more. Join top startups like Vercel, Perplexity, Jasper & Webflow in powering your app with WorkOS. Enjoy a free tier for up to 1M users! Start now at https://bit.ly/WorkOS-Turpentine-Network Weights & Biases Weave: Weights & Biases Weave is a lightweight AI developer toolkit designed to simplify your LLM app development. With Weave, you can trace and debug input, metadata and output with just 2 lines of code. Make real progress on your LLM development and visit the following link to get started with Weave today: https://wandb.me/cr 80,000 Hours: 80,000 Hours offers free one-on-one career advising for Cognitive Revolution listeners aiming to tackle global challenges, especially in AI. They connect high-potential individuals with experts, opportunities, and personalized career plans to maximize positive impact. Apply for a free call at https://80000hours.org/cognitiverevolution to accelerate your career and contribute to solving pressing AI-related issues. 
Omneky: Omneky is an omnichannel creative generation platform that lets you launch hundreds of thousands of ad iterations that actually work customized across all platforms, with a click of a button. Omneky combines generative AI and real-time advertising data. Mention "Cog Rev" for 10% off https://www.omneky.com/ RECOMMENDED PODCAST: This Won't Last - Eavesdrop on Keith Rabois, Kevin Ryan, Logan Bartlett, and Zach Weinberg's monthly backchannel ft their hottest takes on the future of tech, business, and venture capital. Spotify: https://open.spotify.com/show/2HwSNeVLL1MXy0RjFPyOSz CHAPTERS: (00:00:00) About the Show (00:00:22) Sponsors: WorkOS (00:01:22) About the Episode (00:03:41) Introduction and Zapier's Competitive Edge (00:07:20) AI as Knowledge Worker Companion (00:10:27) Impressive AI Use Cases (00:16:25) Sponsors: Weights & Biases Weave | 80,000 Hours (00:19:05) AI Implementation Challenges (00:19:13) LLM Performance and Prompting (00:22:42) AI Adoption within Zapier (00:31:00) Sponsors: Omneky (00:31:23) AI-Assisted Workflow Creation (00:36:07) AI Culture and Adoption at Zapier (00:43:03) AI Impact on Zapier's Productivity (00:48:06) Zapier's AI Integration Strategy (00:54:43) Outro
In this crosspost from the 80,000 Hours podcast, host Rob Wiblin interviews Nick Joseph, Head of Training at Anthropic, about the company's responsible scaling policy for AI development. The episode delves into Anthropic's approach to AI safety, the growing trend of voluntary commitments from top AI labs, and the need for public scrutiny of frontier model development. The conversation also covers AI safety career advice, with a reminder that 80,000 Hours offers free career advising sessions for listeners. Join us for an insightful discussion on the future of AI and its societal implications. Apply to join over 400 Founders and Execs in the Turpentine Network: https://www.turpentinenetwork.co/ SPONSORS: WorkOS: Building an enterprise-ready SaaS app? WorkOS has got you covered with easy-to-integrate APIs for SAML, SCIM, and more. Join top startups like Vercel, Perplexity, Jasper & Webflow in powering your app with WorkOS. Enjoy a free tier for up to 1M users! Start now at https://bit.ly/WorkOS-Turpentine-Network Weights & Biases Weave: Weights & Biases Weave is a lightweight AI developer toolkit designed to simplify your LLM app development. With Weave, you can trace and debug input, metadata and output with just 2 lines of code. Make real progress on your LLM development and visit the following link to get started with Weave today: https://wandb.me/cr 80,000 Hours: 80,000 Hours offers free one-on-one career advising for Cognitive Revolution listeners aiming to tackle global challenges, especially in AI. They connect high-potential individuals with experts, opportunities, and personalized career plans to maximize positive impact. Apply for a free call at https://80000hours.org/cognitiverevolution to accelerate your career and contribute to solving pressing AI-related issues. 
Omneky: Omneky is an omnichannel creative generation platform that lets you launch hundreds of thousands of ad iterations that actually work customized across all platforms, with a click of a button. Omneky combines generative AI and real-time advertising data. Mention "Cog Rev" for 10% off https://www.omneky.com/ RECOMMENDED PODCAST: This Won't Last - Eavesdrop on Keith Rabois, Kevin Ryan, Logan Bartlett, and Zach Weinberg's monthly backchannel ft their hottest takes on the future of tech, business, and venture capital. Spotify: https://open.spotify.com/show/2HwSNeVLL1MXy0RjFPyOSz CHAPTERS: (00:00:00) About the Show (00:00:22) Sponsors: WorkOS (00:01:22) About the Episode (00:04:31) Intro and Nick's background (00:08:37) Model training and scaling laws (00:13:10) Nick's role at Anthropic (00:16:49) Responsible Scaling Policies overview (Part 1) (00:18:00) Sponsors: Weights & Biases Weave | 80,000 Hours (00:20:39) Responsible Scaling Policies overview (Part 2) (00:25:24) AI Safety Levels framework (00:30:33) Benefits of RSPs (Part 1) (00:33:15) Sponsors: Omneky (00:33:38) Benefits of RSPs (Part 2) (00:36:32) Concerns about RSPs (00:47:33) Sandbagging and evaluation challenges (00:54:46) Critiques of RSPs (01:03:11) Trust and accountability (01:12:03) Conservative vs. aggressive approaches (01:17:43) Capabilities vs. safety research (01:23:47) Working at Anthropic (01:35:14) Nick's career journey (01:45:12) Hiring at Anthropic (01:52:06) Concerns about AI capabilities work (02:03:38) Anthropic office locations (02:08:46) Pressure and stakes at Anthropic (02:18:09) Overrated and underrated AI applications (02:35:57) Closing remarks (02:38:33) Sponsors: Outro
In this episode of Complex Systems, Patrick McKenzie (aka @Patio11) is joined by Dave Guarino, a software engineer and policy wonk. They explore the complexities and challenges of public programs, focusing on SNAP aka CalFresh in California, where Dave was the founding engineer and then director. They discuss how society's complex preferences become policy, driving obviously bad UXes (like 200+ questions for an application) for structural reasons. Patrick and Dave debate structural issues within government agencies that lead to these inefficiencies, the lack of user-centric design, misaligned incentives, a “cavernous gap” in feedback loops, and surprisingly simple ways anyone can influence public policy and improve government systems. – Full transcript available here: https://www.complexsystemspodcast.com/episodes/government-software-dave-guarino/ – Sponsors: Check | WorkOS. Check is the leading payroll infrastructure provider and pioneer of embedded payroll. Check makes it easy for any SaaS platform to build a payroll business, and already powers 60+ popular platforms. Head to checkhq.com/complex and tell them patio11 sent you. Building an enterprise-ready SaaS app? WorkOS has got you covered with easy-to-integrate APIs for SAML, SCIM, and more.
Start now at https://bit.ly/WorkOS-Turpentine-Network – Links: Dave Guarino's newsletter: https://daveguarino.substack.com/ Dan Davies episode of Complex Systems: https://open.spotify.com/show/3Mos4VE3figVXleHDqfXOH – Twitter: @patio11 @allafarce – Timestamps: (00:00) Intro (01:03) Complexity of naming government programs (03:45) How policy decisions are made (07:19) Why SNAP applications are so complex (14:17) Why no one stops overly complex applications (18:44) Political economy of different benefit programs (24:56) Sponsor: Check | WorkOS (26:13) Limited visibility into user experience (29:24) Lack of application completion rate tracking (35:27) Starting where you are (43:44) Challenges of modernizing legacy systems (48:35) Broken feedback loops in government (53:01) Tech's understanding of service design (57:07) Issues with improper payments methodology (1:04:45) Effective ways to influence policy (1:09:43) Increasing agency in government agencies (1:14:56) Getting niche policy ideas into circulation (1:18:04) Importance of frontline knowledge and user feedback (1:21:33) Improving government services (1:22:06) Wrap – Complex Systems is part of the Turpentine podcast network. Turpentine also has a social network for top founders and execs: https://www.turpentinenetwork.com/
In today's episode, Noah Smith and Erik Torenberg explore the complexities surrounding fracking, China's economic growth and challenges, and tackle a controversy in Springfield involving false claims about Haitian immigrants and the larger implications for U.S. immigration policy.
In today's episode, Noah Smith and Brad DeLong tackle pressing topics such as the potential for a 'China Shock 2', the effectiveness of missile defense systems, and the shifting role of economists since the Great Recession. They also explore the nuances of economic theory, policy implementation, and real-world outcomes, particularly in a fast-paced information age.
In today's Afro-Euro Reco12, Sam L speaks on a Decade of living in recovery. Here is a little about Sam:
* Sobered up 1 April 2009-Dec 2013
* Only got sponsor 2012
* Cleaned up 1 Sept 2014 to date
* Got sponsor armed with the facts
* Home group CA St Pauls Cheltenham
* 3 sponsees through steps in 2024
* 1 new sponsee
* Fully surrendered to God 27 Nov 2016
Reco12 Afro-Euro Timezone is a Reco12 Resource in and for the Afro-Euro time zone hosted by Karen A. We hope that you will join us and draw strength and hope from these podcasts that we will host every other Wednesday at 9AM GMT / 11AM Israel time. Reco12 appreciates your help in keeping us working our 12th Step with these great resources and services for the addict and loved ones. We gratefully accept contributions to help cover the costs of the Zoom platform, podcast platform, web hosting, and administrative costs. To become a Reco12 Spearhead you can quickly and easily become a monthly donor here: https://www.reco12.com/support or you can do one-time donations through PayPal (https://www.paypal.me/reco12) or Venmo: @Reco-Twelve. Thanks for your support! If you would like to get in contact with either Karen A or Sam L, please send an email to reco12pod@gmail.com and we will get you connected with her.