Software Huddle - V0 by Vercel, Bun, RCS on Apple Devices, Retool Breach, & more
Episode Date: September 19, 2023Our special episode is here, and it's all about the latest news. Join Sean and Alex for an in-depth discussion. Follow Alex: https://twitter.com/alexbdebrie Follow Sean: https://twitter.com/seanfalco...ner Software Huddle ⤵︎ X: https://twitter.com/SoftwareHuddle LinkedIn: https://www.linkedin.com/company/softwarehuddle Substack: https://softwarehuddle.substack.com/
Transcript
Discussion (0)
Hey, welcome to Software Huddle. My name is Sean Faulkner, and with me is Alex Debris. Alex, how are you doing?
Sean, I'm doing well. Good to see you.
Yeah, I guess you're my co-host, co-sponsor in this little endeavor that we're doing.
We haven't really sort of figured out what our official relationship is, but since we were here today,
with a little bit of a different sort of non-canonical episode that we're trying out,
a typical format for one of our episodes is usually Alex or myself is kind of doing a deep dive interview style with someone in the tech industry on engineering topics, technology, different types of things that impact our industry that are interesting to us or interesting to the guests.
And it's really sort of a deep dive with an expert. And today, what we're doing is a little bit different where we're, you know, joining forces and we're kind of
going to discuss some of the things that are going on and with recent episodes and dive into what's
happening in tech and maybe some, a little bit about what we're doing in our own lives outside
of recording podcasts. Yeah, excited. I mean, I'm excited to talk about it. Excited, you know,
I've been loving the episode so far that you've been doing and just, yeah, excited to catch up on the news and all that kind of stuff.
Yeah.
And if you're, if you have ideas for the show or, you know, you're listening and you want to reach out to us, you can reach us on Twitter.
I'm at Sean Faulkner.
There's also, we have at Software Huddle.
So feel free to reach out there.
You can, you know, reach over email and I'm, you know, available on sort of all major social media platforms.
And Alex, I believe that's the same for you.
Yep, likewise.
Yeah, you can find me, Alex B. Debris, on Twitter.
My email's available, all that stuff you can find me.
All right.
So maybe to start, what have you been up to lately, Alex,
outside of actually recording Huddle episodes?
Yeah, exactly.
So, I mean, the big thing going on for me is tomorrow I'm actually leaving for Japan.
I'm going to be doing a few conference talks there.
So sort of just been prepping for that, both prepping the conference talk and prepping the travel as well.
My wife's going with me.
It'll be, you know, our first time anywhere in that area of the world.
So excited to like check it out and, you know, eat some good food, see some sites and talk to some people over there.
So that's been like dominating my life for the last week or two, trying to get that all figured out.
Yeah, what about you?
Well, that's awesome.
Before we get to me,
what conferences are you speaking at?
Yeah, so I'm going to be speaking at
Serverless Days Tokyo
is the main one I'm going over for.
And then while I'm there,
I'll speak at an AWS office.
I'll do like a no-SQL night.
We'll talk about DynamoDB there.
So Serverless Days Tokyo,
just sort of talking about like, hey, what's going on in the serverless world? he'll do like a no sequel night. We'll talk about DynamoDB there. So serverless days, Tokyo, just sort of talking about like,
Hey,
what's going on in the serverless world?
What,
what trends are we seeing?
Also just like the talk I'm doing,
it's called serverless now and then.
So like,
you know,
what's it look like now?
What did it look like in the original beginning?
And what sort of,
sort of some threads we see through that and how the space is evolving there.
Yeah.
And then the no sequel one,
just some,
so some typical DynamoDB stuff,
just introducing that to folks that maybe aren't
familiar with Dynamo. I do a lot with
Dynamo, and so if you're
coming from a relational world or Mongo
or Cassandra, just how does Dynamo compare
and how can you use it?
Okay, awesome. And then I actually
you know, I've only been to Japan
once. It was now over 10 years
ago, but I loved it. I was also years ago, but I, I loved it.
I was also there for a conference and I loved it so much that I actually tried to move there
afterwards.
Really?
Yeah.
To do my research, but I couldn't find anything that was like relevant to the research that
I was doing.
So I never was able to pull the trigger on it, but I just absolutely fell in love with
the country.
Yeah.
So, so it's been 10 years, but like any recommendations and stuff we like absolutely have to do or
try or anything like that.
So I had a little bit of a unique experience there because I stayed with a local family and I was also not in sort of a like the main tourist area.
So I was in Fukuoka, which is like in Southern Japan.
So there's a lot less like foreigners there.
And the most amazing thing that I did while I was there and probably one of the most amazing experiences I've ever had in my life was the father and the family took me golfing to like a local golf course. And like, I had to dress up, they have like ballet service
and we, we, they had full like Japanese bath in this bath house in this golf course. Uh, the,
it was like the laziest game of golf I've ever played where I had a caddy assigned to me.
There was conveyor belts that would take you up, hills um so like we golfed like 36 holes but
i felt like that they really did nothing it's a piece of cake yeah yeah and there was snacks
every like couple of uh couple of holes like amazing like uh like like fresh made japanese
food and stuff so is this like ruined the golf experience in north america for me for the rest
exactly yeah i can't go back to sluffing it over here. Yeah, exactly. So I'm actually gearing up for travel as well.
I'm leaving tomorrow night to go to Croatia
and then for Infobib Ship where I'm speaking.
And then I'm taking off Tuesday night
to go to London for Big Data London.
So they are both conferences I'm talking about.
Essentially, safeguarding sensitive data
in the age of generative AI.
So a lot of stuff on LLMs and how do you actually protect
information that goes in and out of models.
Yep, yep.
What's that look like?
You've just done so many conferences lately.
Do you do the same talk for a lot of them?
Do you tweak them a little bit?
Do you have new talks for each one?
What does that process look like for you?
I usually do some things somewhat unique,
but there will sometimes be overlaps.
Like the one that I'm giving in Croatia and London are basically the same talks.
But then a lot of times I'll modify them depending on like what the, you know, conference is focused on and what I want to talk about up enough like sort of talk tracks around the the space of like data privacy
that I can go in a lot of different directions and kind of fit in wherever and adapt some of
the stuff that I may have done in the past to kind of fit the format or essentially you know
come up with something new it's always fun to like try to do something new so it doesn't just
feel like I'm doing like the same you know roadshow over and over again yeah exactly that's how I felt it's weird even though like most of the people there probably
haven't seen your other talks and be fine it's like it's boring for you kind of to like give
the same talk all the time um yeah I used to be in that that mode of like doing lots of different
talks especially during COVID everyone's just like meetups to like give us someone to come talk so
so I would do a lot of them and then I mean it just got so easy to like put a talk together. I'm a little bit out of practice now.
I'm just not doing them quite as much. So it's been like more of a struggle to put together talks,
but I do like doing it. Yeah. And I always try to have like a live component of it. I love giving
live demos. I feel like, you know, if I don't risk failing massively, I don't have everybody.
And generally like nobody, very few people will give live demos at conferences.
So it's, uh, it kind of like sets me apart with it with that.
Yeah.
That is cool.
I'm impressed.
Yeah.
I'm always impressed by the live demo folks.
Yeah.
I saw that your, you got accepted also the speaking at re-invent.
How many times have you spoken at AWS re-invent now?
So this will be, um, I think 19 was my first one.
So 19, 20, 21, 22, 28.
So five.
Four of those were in person
and then there was one that was canceled.
It sort of just rose up accidentally.
Like I got in through the community track.
I was doing hero stuff
and not that many people were talking about DynamoDB.
Even like PWS people, not that many people were.
So that went well
and then they just like kept inviting me back to do it.
So I don't know how long that'll last but I love doing it and yeah it's a good
time to meet people and that's yeah that's a fun one to do well maybe we'll
actually get to meet live in person exactly I'm sure yeah yeah all right so
we had a you know handful episodes that have come out so far you know the I
really enjoyed the episode you did on planet scale what was what's the
founders name Sam Lambert so he's not the who what's the founder's name sam lambert so
he's not the founder he's the ceo okay but yeah it was founded originally like by the the creators of
the test i believe uh which is like the you know horizontally scalable uh mysql solution um so i
think they made that at i want to say youtube initially and they started a company he came on
as like chief product and eventually became um ceo and he's been running that for a while.
I'd say like, you know, for the last, I think four or five years, he's been running it and like through a lot of their growth phase and stuff like that.
But yeah, just super interesting background. um you know started as a dba at github like very early there and just sort of rose up the ranks vp
i mean the engineering there then did some stuff at facebook meta for a while and then and then
joined planet scale and just like a a really interesting cool impressive guy to talk to
yeah i think there was a lot of uh obviously like sort of like technical depth to the conversation
and i liked the uh you, sort of the focus on building
this like cloud native,
you know, MySQL database
that can be basically infinitely scalable.
But I also really loved his,
you know, perspective essentially
on like building elite companies.
And, you know, one of the quotes
that he said in that
that really stuck with me
was that like average people
with too much time can just,
you know, run amok around
their organization and ruin it. And it's like's like it's brutal but like the reality is like
startups are kind of brutal and uh you know they're if you want to build essentially exceptional
companies you need exceptional people and it's just completely different ball game than necessarily
being in like a you know maybe a larger technology tech organization or one that's like less ambitious essentially yeah and you know one of the things that i talked about in my
interview with ben popper from stack overflow where we're talking about like this transition
from big tech to the startups is that sort of time to prove yourself in a startup is really small too
where you basically have to have be able to have impact from the beginning because you might be
one of you know 10 people
25 people even 100 people and every single one of those people is expected to essentially have
like company level impact because there's just like such a precious like right head counter
resource to the company and if you're not essentially meeting the bar of the expectations
like you're you know you're it's obvious and you're like really hurting yeah you're really
hurting everyone else and it's interesting being even just seeing the change in the last couple of years.
Cause you talk about the difference between like startup and big tech, but even startups
from five, six years ago, where there was just so much more cash flowing around that
I think a lot of stuff was, was tolerated or it's just like, Hey, we have a lot of runway.
We can be fine with not having the sort of adoption and growth and progress that we should
be seeing at this point with with
this team and these resources and things like that so um yeah it's been interesting to like see that
shift i thought that was that was super useful uh from ben like you know understand that perspective
between between startups and big tech as well yeah and i think when companies are like flush with
cash you know they're they're maybe not as concerned about like the the burn rate on people who are maybe not performing at the level that they need to be.
And you saw in essentially the last year and a half of the downturn in the market, like
companies cutting like, you know, Matt, you know, 30%, you know, 15% and really like not that much
actually happening like impact wise to the company because, you know, they're most likely cutting the
people who are, you know, meeting the performance bar.
Yeah, yeah, exactly.
So, yeah, it's a different world.
I'm going to see like some ways to sort of navigate that from Ben and all that.
And then I just love the Vercel one as well with Hassan.
Like, you know, I've been following the work he's been doing.
And it's just like amazing.
Like, you know, there's some like goofy tweet threads or little demos and stuff like that about doing stuff with AI, but he's like building some like actual cool real products there and just like seeing how some of that stuff works. So that was, was so fascinating there. So I, I love that
episode. Yeah. And I, I like that. He's, he's just like, sort of like banging these out on the
weekend. Like he just does like a weekend sprint, basically he's just like, here's this thing I'm
interested in and I'm just going to build it. you know maybe it is something other people are interested in it's done from such a like
authentic place and authentic like essentially just like curiosity and i think that's why
it's been so impactful in terms of like they they've you know gone viral or has really raised
his like profile and it of course it also benefits the work that he does at vercell because he now
has like this like following and platform to really advertise what Vercel is doing.
Yep, yep.
And speaking of that, on that note, talking about what's happening in Gen I and I, did you see the Vercel v0 thing that came out today?
I saw a tweet about it that I was going to look at, and I haven't actually taken a look at it.
Yeah, okay.
So this is, we're recording this September 14th. Um, but they just released this thing they call V zero and that
you can basically go to it and you can describe a react component that you
want and it'll just like build it out for you, show the show like a preview,
what it looks like and give you all the code for it just very easy.
And it's like very, very well done.
It uses this, um, this like react component library ish type thing from this guy.
Shad Cian.
I don't know.
I don't know that I can know how to say it, but Shad Cian slash UI, which like he
makes all these components in Tailwind.
And then he says like, rather than sort of like, I think a lot of component
libraries, you're like, Hey, install it into your framework.
And then it's kind of a pain because it's like not your
source code in different ways. He's like, hey, take this
component and actually just copy paste it into your, you know, into your source code. So now
it's like your component and you own it. So it's like you have this nice template and thing that
looks nice. But if you need to tweak it in certain ways, you can do it rather than having to like
make some goofy CSS rule that's like super specific to a specific class to like override something and have to do an important
or whatever like that.
So using that,
but then just like
this v0 thing,
it was amazing
just some of the examples
like, you know,
a SaaS pricing page type thing
or like a form
or just like different things
and you could just describe it
and it would make it for you.
It's pretty impressive
what they're doing there.
So how did they go
from description to creating it?
Are they using some sort of
AI that's involved in it? Yeah, I think it's like, yeah, they're using, did they go from description to creating it are they using some sort of ai that's involved yeah i think i think it's like yeah they're using you know
probably open ai under the hood to do that but you just describe it and do it and you can sort
of make edits to it if you want what like i love the navy on it v0 right because it's sort of just
like hey like make something like give me give me started and then you like it's not going to be
perfect but then you can sort of tweak it and it gets you down the road for it and then just like the way you
interact with it like you can just copy paste the code there if you want but you can also do
um so you're familiar with like npx in like the npm okay npx you can like run us running
executable right and so they basically have this command it's like npx v0 add and then there's
like a hash so whatever thing you created they're
going to assign a hash to it you can run that and i'm just going to like drop it into your
library for you so just like super clean um yeah it's it's pretty well dotted it's like
i remember you know six or eight months ago i was like man are we going to replace all programmers
with with computers and i was like no we're not going to and now we're like between like cursor and v0 and all of a sudden like man uh you know the the amount of stuff that one programmer
can do now is just like pretty amazing how quick yeah i think a lot of it's about scale right like
even like what you're talking about this concept of like v0 it's like it's it's not necessarily
the end product you still need somebody who has like you know deeper level understanding to go
in there and like kind of massage it into something that's going to work. And Streamlets, I think
recently released something similar where you can basically describe what you want from like a data
application and like the Streamlet code just gets like written and then you're like off the races.
So even then you don't even need to go to like your data engineering team to like build your
data app, which is really easy in Streamlet. It's now like anybody can basically do it.
But, you know, there's been, I think,
like webpage creators that are either low-code,
no-code or descriptive for a long time,
but they don't, you know,
they're not going to like solve the full problem.
But I do think though that we're very much
in sort of the toddler phase of like gen AI.
So who knows
when when these things grow up to being teenagers maybe they will like written be go beyond sort of
the prototype or like the sort of first cut to something that's even more evolved but i think
it's just going to shift a lot of the work that we start to do as engineers is like there's going
to be less of sort of uh pushing pulling data, like figuring out, like, you know, going and twiddling like CSS parameters.
Yeah.
I do think that this will have an impact on certain types of engineering careers.
Like, if you're, I think, like, folks that graduate, like, I think, like, 80% of people graduate from, like, boot camps or, like, front-end engineers.
And if your only experience really is, like, calling APIs, coding in React, maybe a little bit of like Tailwind
or something like that,
I think that could be something that,
you know,
maybe it doesn't completely replace,
but suddenly one of those people
can do what five did previously.
Yeah, yeah, exactly.
I think that's probably right.
I had a point in there
when you were saying,
I can't remember it,
but oh, I just think like,
yeah, what gets valued
or like what skills are going to, you know, see the returns now?
Like if you have good product sense, um, I think there's like huge returns to that, to
where you can visualize something, think about what it looks like.
It's like, you know, now the actual implementation is less of a impediment that it used to be,
you know, you can really get that cranked out quickly or have someone like that.
So I just think like having product sense or just like being able to architect really well
and understanding how pieces fit together pretty well,
I think will be helpful.
And then, you know, the low-level implementation
can be done by these tools a lot of times.
Yeah.
And I think this is a good kicking off place
to like the first sort of section I wanted to jump into,
which is like this week in Gen AI,
which we've already kind of touched on.
But the other one that I was thinking of is like Dreamforce is going on right
now, which is, you know, advertising itself is like the AI event of the year. I'm not there,
but a bunch of my colleagues are there this week and I've been paying attention to him.
But the keynote at Dreamforce was a lot around AI and they just launched Einstein One, the AI
platform that like aggregates data from a bunch
of different Salesforce properties. They now have like Databricks plus Salesforce data cloud can
access the same data with essentially no ETL. Back in June, Salesforce launched the Einstein Trust
layer. And essentially, you know, AI is really really all about data and that's sort of the
thing that they're emphasizing is like you don't have lms you don't have gen ai all this sort of
stuff without data and salesforce is like keyed into like providing ways to access that data and
make it easy to build some of these experiences and they even you know come out with their own
like co-pilot experience that's built directly into the in the application but
one of the big things that they talked a lot about in the keynote which is something that you know i
spend a lot of my time thinking about is what my talks about are coming up is around like trust and
privacy with ai and how do you essentially go beyond prototype or demo especially in the enterprise
in a way that is essentially you know privacy safe safe and is going to be compliant and all those sort of stuff. And that's like where we've seen, you know,
Samsung shut down access for a little while to like chat GPT and Italy shut down access and
stuff like that. So I thought that was really interesting. Just there's so much focus, I think,
on what you can do. But now there's also a lot of focus on like kind of slowing down and looking at
the potential impacts of how you're actually handling the data and building these experiences.
Yep. And with the people that you're talking to, I assume you just see just a vastly different scope and side of the market than I do.
Like, are they using open AI tools? Are they too worried about sending stuff there? Are they hosting their own models?
Like, what is their sort of AI strategy look like there, especially around privacy? So there's a combination. So I think the ideal world is that people leverage existing open
foundation models, but it's kind of similar to like the early days of the cloud where people
feared the data security of like public cloud. And then all these different companies thought like,
Hey, we, we don't need AWS. We don't need, you know, um, Azure and the public cloud. And then all these different companies thought like, hey, we don't need AWS. We don't need, you know,
Azure and the public cloud.
We'll go build our own cloud because of that.
And now like even the banks are moving to the public cloud
because they finally realized,
okay, well, like realistically,
no one's going to be able to build AWS by AWS.
It's going to be essentially like three or four companies
that kind of own public cloud.
And also all the incumbents have addressed whatever, you know, potentially security concerns there are.
And there's all kinds of different ways of sort of like running securely within cloud.
And arguably, I'd say it's much more secure than trying to run your own Quaid cloud data center anyway.
And then I think we're in a similar space right now with LLM where it's so new, but there's a lot of companies
are thinking like, I can't trust the open models. And additionally, Microsoft, Google,
Snowflake is kind of putting forth the narrative, you know, which is somewhat self-serving that you
should run private LLM and let's do it, you know, infrastructure in our cloud yep and um but the reality is like private
lm sounds good but it's not actual privacy because privacy really comes down to how can i as a user
especially if i'm a customer and my customer and my data is in there how can i control access to it
how do i make sure that you know alex doesn't have access to my customer records when we're
talking to the same lm even though both of our records were used to train the LLM in some way.
And private LLM doesn't solve that problem, especially if you're doing something like an
internal tool. Let's say that you're, I don't know, you're Apple and you're using internal
documents to train an LLM. Apple's a very secretive company. They don't want, you know,
a project owner on one project knowing about what's going on with another project, right?
And how do you essentially govern access? That's like the real problem is how do you know, a project owner on one project knowing about what's going on with another project, right? And how do you essentially govern access?
That's like the real problem is how do I know or essentially control, you know, what, when,
where, how information is accessed?
And private LLM doesn't solve that problem.
Yeah.
And then, so you're talking a lot about Salesforce and Dreamforce, and I'm just not that familiar
with that world.
Are most of those tools aimed towards salespeople and people using Salesforce for sort of, you know, CRM type stuff?
Or is it for lots of different, like, what are those Einstein tools being used for?
So they're primarily being used for, so there's some stuff that's built into like the sort of like customer facing Salesforce products. But then also Salesforce has a very big marketplace
where people build applications on top of Salesforce.
Like people have built, you know,
million dollar companies based on building
on top of Salesforce because Salesforce has all this data.
So then it's like, well, if they want to continue to be,
you know, leaders and innovators,
then they need to be able to support easy to integrate like out of
the box lm uh um experiences same thing with snowflake snowflake that's why snowflake's
driving so hard on i think they're like gen i tooling is they want anybody who's like going
to be building these experiences that have data and snowflake to be able to leverage that data
in a really easy way so that they don't move it over to like you know databricks or something
like that to do it yeah yeah okay yeah that's interesting yeah i'm
just like not familiar with that world um it's been fun to like just see the different like
mostly adopt or like the the people i follow the world i mean are more like startup or like
i would say like serverless full stack type developer type things like more versell world
or like serverless AWS
world like smaller tech companies and what are they doing with with this stuff but then there's
just like a whole other category of of privacy concerns that you're talking about when you're
at these big companies that have so much existing data and things like that yeah I think the
challenge though for the smaller companies is if they are a startup in the space like uh you know
YC uh just had their demo day
with like over 200 demos
and probably like 99% of them were all JNI demos.
And the, but like for them
to basically sell into other companies
and for those to come, you know,
go beyond essentially demo or, you know, proof of concept,
they'll need to have an answer to the privacy question.
And it's going to be ridiculous for them
to try to build their own foundation model
or run private LLM.
It's just too expensive, right?
And then you run into the whole updating problem too.
If you're running a private instance,
it's not going to be as up-to-date.
That just becomes this huge maintenance nightmare,
which is also the problem with essentially
an on-prem data center.
And the value of using essentially public cloud
or public models
is that stuff's taken off your hands.
So you need some solution for doing that.
So then like, how do you essentially like fine tune
and craft the model into something
that's going to like be able to serve
whatever it is that your product is
in a way that's essentially like safe.
Like, you know, there's companies that,
you know, I've talked to that are using
like doctor's notes as training material to build a like model in digital health.
And it's like, well, that's a lot of really sensitive information.
Yeah, it is.
How do you essentially do that in a way that's, you know, privacy safe?
Yeah, that's super interesting.
And I wonder, like you mentioned the sort of knowledge problems and things like that. I'm going to be so curious to see if we can get it better to where
update, like, you know,
ChetGBT now being two years out
of date with sort of just like basic knowledge
of what's happened and things like that, which
in some cases is not a big deal
at all. And in some cases, especially if you're talking about
like writing code and what new libraries
and tools and patterns are available,
like, you know, it's a big deal to not
have those. So we, like, I'm curious to see, like, it's a big deal to not have those. So I'm curious to see.
It's interesting because GitHub Copilot
seems so much better about newer stuff
than just sort of bare ChatGPT or something like that.
So they must have figured out some way to deal with that.
And I'll be curious to see what that looks like
sort of going forward.
Yeah, there's a lot of challenges
from the updating, safeguarding, ethics.
There's a lot of stuff to figure out, essentially.
Oh, yeah.
So at least, I mean, the good thing is that means there's job security for people running
the space.
Yeah.
All right.
So let's jump into some non-gen AI-related news.
So I know one of the things that you wanted to talk about was Bunn.
Bunn?
Yeah.
Let's do Bun.
So just, you know, there's always drama in the JavaScript ecosystem.
Have you paid attention?
Do you know what Bun is?
Are you aware of Bun?
It looks to me, when I was kind of taking a look at it, that it's like Node without TechDev.
That's a great explanation for it so I would say like in the last couple years there's been
Deno and Bun which are both like JavaScript E like you know varying levels of compatibility
with the sort of JavaScript language with like the Node runtime and things like that so
Deno is a runtime that's created by Ryan Dahl who's like the original creator of Node.js he's
like man I made all these mistakes in Node.
Here's like sort of how I would do it differently with Deno.
I think TypeScript first and all that sort of stuff.
And then Bun is a guy, Jared Sumner.
I believe he was at Stripe.
And then he's just like, I just want to make a much faster Node.
So he'd been sort of working on that for the last year or so.
Released it with this B1 post.
And the post is just, it's like amazing to read it's
super long and it's just like all these areas it's like hey here's install time um you know
comparing bun verse npm verse yarn it's just like bun is way faster here's bundle time um but it's
way faster here's like run like all these things where bun is way faster and the thing i would say
like like when you're reading it, it's just overwhelming.
You're like, wow, this is quite amazing
that so much stuff was done.
I think over the last couple days,
a few things have come out.
Number one, some of those are not quite accurate comparisons.
You're looking at Bunn install versus NPM install.
One thing Bunn install will do
is basically keep a global cache on your machine
and just sort of like symlink to that if it's already available.
So then it's doing a comparison to a network request with MBM versus just a local cache on your local file system lookup.
So that's not a fair comparison at all because if you're on a new machine that doesn't have that or you're on their CI machine, it's not going to have that.
It's not going gonna be that fast um the other thing is like it doesn't have full compatibility
with stuff and that's that's like one of the things that node has to think about forever just
like maintaining compatibility for all these different types of applications that are running
all over the place and try to not make that a headache and if you drop some of that stuff it
makes it a lot easier um i don't know like how much bun wants to be fully compatible forever or if they're just like hey there's this
area where like we're not going to support that you know pulling a third-party library if you
need that or something i don't know exactly the specifics on that but it's interesting to see i
like to see the um you know just the innovation and focus and attention in this ecosystem i do
like feel a little bad for like Node.js maintainers this week.
They're sort of pushing back a little bit.
It just feels crappy to have that happen,
especially most of them are unpaid maintainers.
They're doing this volunteer work,
and they're focusing on a lot of different things,
not just the pure performance,
whereas if you're maniacally focused on performance,
you have different constraints.
That makes it easier there. Yeah, I i mean it seemed like a cool project but it also
felt to me like somewhat like a specialized project like that where uh you know performance
of like your package installs and and all these sort of like if you like i don't know you have a
crazy big project or it's really complicated like maybe it makes sense but does the majority like does it deliver essentially enough value for somebody to switch
from from node and i think that's the big challenge when any of these kind of like you know frameworks
or you know languages take off is like the switching costs for a company is like massive so
the value needs to be really really high to warrant like moving essentially from one system to another yep and
that's true and that's the thing with like being like 98 compatible with node it's just not enough
for most because there's like you know if it's something like i remember when like yarn came out
to replace npm it was just like it works the exact same way it's just like faster right and and that
was great because first of all it's in a build step it's not like in your actual application so
you can still run your tests to make sure it works.
But also it was like very compatible with NPM.
But like now if we're talking runtime and it's not totally compatible,
it's just like you got to find out in production
that like all of a sudden this thing's not there.
Like that's a hard thing.
So I'll be curious to see like how it goes.
But like it's definitely very interesting to see.
And, you know, the Node ecosystem just like continually has these things.
I don't know if you remember like IOJS when, when node forked like a long time
ago and they sort of came back together and even like NPM and yarn, they sort
of came back together after a while.
And so, yeah, it's sort of like goes through these phases.
I wonder if bun will sort of get subsumed into it or somehow come back together.
I don't know.
Like, I don't want to see that ecosystem just sort of splinter to where you're either like a bun user or node user so
yeah i hope i hope it turns out well i mean is essentially the approach maybe you don't know
this but is the approach with bun such like essentially a foundational shift that it node
wouldn't be able to adopt some of the ideas from it to you know essentially meet whatever
requirement button is meeting that's a good question i know like just a few things i know
is it's written in a different language like it's written in zig which is like you know c
sort of like a new style c um you know if rust is like the new style c++ zig is like the new c so
so i don't and um so there's that it's also I believe like it's not using
v8 the v8 engine it's
using like javascript core or something
like that which I believe is like maybe in webkit
or something like that I'm not exactly sure
so I don't know enough about those specifics like
is that something that can be pulled
over or not and
or is it just like
maybe there's some ideas we could pull over
that's a great question.
I don't really know what that, what that sort of future looks like.
And it's, it's interesting to see cause bun is like funded, you know, I can't remember
if like Sequoia or Andreessen or somebody gave him like $7 million.
What's that sort of like, what does it look like to, to have a runtime?
Uh, are you going to provide hosting?
Are you just hoping to get bought by somebody or, or maybe everyone will come together and
just be like, Hey, uh, this is, this is Node now and we'll pay you off or something.
Yeah, I don't know what that future looks like.
Yeah, well, we'll let them monthly button check in.
Yep, exactly.
You know, there used to be a lot of talk about Deno a few years ago.
I hear a lot less about it now.
So maybe that's what's going to happen with Bun as well, although Bun much more compatible so um yeah we'll see cool all right so one of the
things that uh stories i saw in the news i really wanted to talk about was the story around whether
ics rcs messaging will actually come to iphones which came out like a week or so ago from the
time of this recording and the reason i was so interested in this is because i used to work in
uh rcs world when i worked for google so I kind of have a lot of like context and backstory.
And can you tell me, I don't like pay attention to this world, what is RCS?
Yeah, so RCS stands for Rich Communication Services. And it's essentially a communication
protocol standard, just like SMS or MMS. So this isn't owned by like Google or anything,
like it's an actual telco standard. But it gives you similar functionality that you would see in something
like iMessage or WhatsApp or any modern messaging system. So like typing indicators, group chat,
reactions, images, video. But instead, it's not a proprietary protocol like iMessage is.
It's an open standard. And the project owner is the GSMA, which is the Global System
of Mobile Communications Association. It's been around for over 10 years. And it wasn't
really something that had caught on. Because working with the telco industry, carriers,
phones, it's a slow-moving world. And that's one of the reasons probably Apple went over
the top, essentially, with iMessage and but google eventually reached a place with android where they had
this super fragmented communication experience so they had a bunch of bats to try to like fix that
and one of the number one reasons that people leave android or stick with uh with a with an
iphone is because of the iMessaging experience. Oh yeah, for sure. So Google had like, they did a couple of different,
you know, attempts at,
they had a messaging app called Allo, I believe,
and which was kind of like a WhatsApp competitor.
And it never grew like beyond like 10 million users
or something like that, so they like killed it.
But they also acquired a company called Jibe,
which built RCS, like backends
for my carriers, essentially. So they would go build this like
RCS infrastructure. And then they would like deploy it for a
carrier so they could enable the carrier on RCS. And that so
Google essentially bought that company, and then they adapted
their existing SMS messaging product, and created Messages that would support RCS.
And that kind of like started this process.
And that was like in 2016, 2017, somewhere around there.
And essentially, it was like in the early days with RCS, only small phone manufacturers were essentially agreed to use Google's like messaging for
it.
Cause most of the phone manufacturers like, why would I use yours?
Like I have my own crappy version that like sucks.
And then also like most carriers were like sort of resistant to the idea because they
didn't know like, was Google gonna like, you know, like screw them over or like, or they
felt like they owned owned they own messaging
they didn't want to just be like a like a dumb pipe for for google so they were kind of resistant
to that but there's other companies that would offer rcs but of course google was like the biggest
but eventually google got more momentum and then they were able to kind of um they got samsung
while i was still there samsung agreed to like all their new phones would essentially carry
google's messaging product.
Because eventually everyone was waking up to the fact that they are like losing out to WhatsApp and they're losing out to iPhones by having this like super fragmented experience that's like 20 years out of date.
And then all the big carriers in the U.S., originally they said that like, oh, we're going to run our own RCS infrastructure.
Then they realized after a year that they couldn't, like, do that.
Like, it would take, there was going to be a failed project, basically.
And then they let Google come in and essentially, like,
deploy RCS architecture.
So now there's, like, over, like, a billion people,
or I'm guessing, but, like, probably close to a billion people
that are running on RCS messaging for Android devices.
So now there's like increasing pressure
for iPhone to support this
because historically Apple was like,
there's not enough people on it
for us to like prioritize it
was always their default.
Of course, there's like business reasons.
It's the self-interested reason.
Yeah, the self-interested reasons for not doing it.
But now essentially what this article touches on
is that the, essentially the eu which is of course
you know very sensitive to uh like um yeah uh competition competition yeah and like you know
being fair standards and stuff like that they're putting a lot of pressure on apple to essentially
uh like make a move to adopt rcs and they already support like SMS and MMS. So it's not like they would probably just do like SMS, MMS, RSS, RCS, and iMessage.
And then maybe they would like enhance iMessage to be somewhat different than RCS in some
fashion.
Yeah.
Gotcha.
Interesting.
And then so Google's work to sort of get people on board, they had to get both sort of like
telcos and like the hardware folks to be on board for this or sort of just one side or the other?
Yeah, so essentially there was a couple of things that they did.
So they had to get the phone manufacturers on board because Google manufactures the Pixel, but most Android devices are manufactured by other carriers.
I'm sorry, other like hardware manufacturers.
And most phones in the world are Samsung phones.
So they're like the biggest.
And most of their messaging applications on those devices didn't support RCS.
So they either needed to build RCS support into their own messaging application or use
Google's or maybe somebody else's.
But Google, the way, one of the reasons Google got momentum was they just kept improving the application
to the point where it would have been very hard,
especially if you're a small manufacturer,
to have essentially the software engineering chops
to like build that application and do it at scale.
And then once that started to happen
where there was enough sort of Google messages users,
that also created a potential for Google
to kind of go like over the top,
at least between messages users.
Like if there's only 10 million people on it,
that's not that big a deal.
But if you have 500 million people,
then suddenly you can kind of like
go around the carriers if you want.
So that creates a lot of pressure
for the carriers to do something.
And essentially like Google like offered like,
hey, you can run your own rcs
backend you can use our rcs backend like there's a lot of sort of options there and then of course
there's also a lot of like financial opportunities going on there with um there's a business product
that's built on this which is what i worked on which is rcs business messaging which is
essentially like a business protocol similar to WhatsApp business messaging and Apple business
chat where you can actually create like a send have like a chatbot experience essentially inside
a native messaging app. Gotcha. Okay. And then so if this sort of went through and Apple's on it,
do you think that would like is that going to severely hurt WhatsApp and sort of like and
these like ancillary messaging? Like I feel like I have like four messaging apps each one is like for one person and I happen to connect with like our yeah what
does that look like yeah I think it's an interesting question like I think in some ways it might be too
late with like WhatsApp like there's I think over two billion people on WhatsApp yeah and like what
is this the biggest advantage the biggest advantage that Google would have and I guess like iPhone as
well is that their apps are native so you don't have to install anything it's like right there The biggest advantage that Google would have, and I guess like iPhone as well,
is that their apps are native.
So you don't have to install anything. It's like right there.
So even though you might use WhatsApp,
if you're on an Android device,
you still do a lot of SMS as well.
And especially like a lot of business messaging
is goes over SMS, which is a super insecure channel,
but it's still like used a lot all over the world.
And it's like a multi-billion dollar, it's like a i don't know 70 billion dollar worldwide industry so and that's continuing
to grow so if you can basically bring more money and value to that over like the rcf protocol then
that devalues whatsapp at least from like a business sense so there's a bunch of things that
could potentially happen but i'm curious to see like whatsapp also like it's just, it's probably going to be a situation
where people just have like both applications
and maybe WhatsApp becomes one type of use.
Just like, you know,
you have LinkedIn that you might use
for your sort of like work identity.
And then you have other social media platforms
that are more for like your friends and family
and messaging could end up in a similar state.
Yep. Interesting.
Well, maybe Google will just have to pay off Apple
to start using,
like they do with the Google search engine Safari
and pay them like 10 million a year or whatever
to make that default.
Maybe they'll have to do the same thing for this RCS
to finally get Apple to make the switch there.
Yeah, or the EU is just going to like...
Yeah, exactly.
Basically cut off Apple sales in Europe or something like that.
Yeah.
Yeah.
It's pretty wild though.
Like I think, I think Google pays like 10 billion a year for the, the Google
search engine to be the default on Safari and Apple's entire M and a budget for the
year is like 12 to 15 million.
And if you think of like what they're doing with chips and like vision pro and
all that stuff and realize it's like almost entirely funded by
google being the default search engine it's like it's it's just crazy how that works out yeah yeah
yeah it's insane yep all right so what's uh let's talk about retool okay yeah this is a good one i
want to hear your perspective on it because you work more like in the security privacy space but
like i read this yesterday i was like i it just it just blew my mind so retool which is um it's a tool with like managed internal tooling software is like what i
think is like the core use case right i can imagine you have like customer support workflows someone
calls in or whatever and they want to see like why they exceed a limit or something like that
you can build out like dashboards or tools for your customer support team to view into your
application to alter stuff, things like that.
It has a bunch of other use cases, but that's what I, I sort of think of it for.
But Retool anyway, they, they announced they sort of were hacked, right?
Like 27 other customers were accessed in this unauthorized way.
And I was just blown away by like the, the like complexity of the, of the
hack and how good the hackers were.
So basically this is what happened
retool had recently switched their short single sign-on i believe over to octa so they had like
this new login portal so they're sort of like it's an area of a time of confusion anyway
a bunch of employees receive a text message from someone from it claiming to be from it you know
saying hey there's an issue with your open enrollment health insurance type stuff this is
probably like you know renewal time and things like that they say hey go to your portal and sign
in they they go to a place that looks like the octa portal but is not the new octa portal one
of the employees actually does it which triggers like a an mfa request right and and then that
employee gets a call from someone saying hey give me your MFA code saying they're an IT employee.
They had deep faked the IP employees boys, which I can't even imagine how that happened.
They said the person that called was familiar with the floor plan of the office with coworkers that
work there with all kinds of internal processes at the company. And I just like, can't a met like
this is Retool, which is like a big company, but it's also not like Google or microsoft or amazon or something like that which is just like if you could get in you know some
some crazy stuff so the amount of depth they went into and then once they sort of got that one mm
that mfa and got in that person had um they're using like a google authenticator app and they
chose to back up all their mfa codes into the cloud and Google, which
now this person was able to access all those, basically giving them the keys
to the kingdom and just looked over, you know, looked over data for 27 customers,
which I think they said were all in the crypto industry and stuff like that.
But Tommy, two things that stuck out to me there is just number one, the
complexity of, of that attack and it's just like, how do you even protect against something like that
when it's that hard, other than just like extreme vigilance and training
with your employees, it's just like, Hey, if someone calls you, you got to
say, no, I'll call you back and you know, that, and then also this trend
of sort of like MFA becoming single factor again, which, you know, you're
seeing with Google allowing you to back this up for convenience
purposes, but now it's easy to get them all. Or I use 1Password and they allow me to store
my one-time password configuration in 1Pass. So now my password's there, my MFA token's there.
It's like, well, now it's not MFA, it's single FA. So I don't know your thoughts on this. What do you see in this space?
Is this surprising to you?
What do you think?
I think what I was mostly surprised by
was how sophisticated it seemed like targeted this attack was.
Because a lot of breach attacks are opportunistic,
where it's like a known exploit,
and they're kind of just like like scattering out like
who's like got an old piece of like software running or like old piece of hardware and like
they go after them and get in whereas this was like you know clearly like a lot of research went
into this and like why retool like yeah exactly right but i think like the other thing that i was
really and probably one of the reasons they were so open about like talking about it was the actual impact of the breach was pretty
minimal like the person got a hold of like 27 customers like in the grand scheme of things
that's not that much data they shut it down pretty quickly and i think it actually spoke a lot to like
their approach with like zero trust um as well as um essentially like data isolation that they do
through like on-prem installs and stuff which is something that like the technology that is part of
my day job at skyflow is is built on essentially the principles of isolation and also zero trust
so like it was it's kind of like satisfying to see those things like work in action yeah and like if
you compare to like other types of breaches that happen, like Robinhood's
like a famous one from two years ago, like again, a social engineering thing where customer
support agent got tricked into giving up their credentials, but then that person had access
to 6 million plain text records.
So like that is way more embarrassing for the company than what happened at Retool.
And the reality is, if someone's like determined enough
to target a company
and they also are like,
you know, sophisticated enough,
they can basically get into any company.
But what the company has control over
a lot of time is like,
what is the severity of that impact?
And that's kind of like
where the modern best practices
around like zero trust,
principles of isolation,
all these types of things,
like essentially never trust,
always verify,
really start to come into control.
Because the historic approach is you're basically building a perimeter, a fence around your data, your infrastructure.
But once someone's in that fence, everybody's trusted at the same level.
And that's where you get the Robin Hood problems.
Why does a customer support agent need access to every single customer record?
They don't. And like, if you compare, there was also a attack on MGM, the hotel chain recently.
And in the same, by this, I think they're called Scattered Spider is the name of the like hacking group.
But the same thing, social engineering, they use employees profiles to like social media profiles to kind of like be able to have enough information to like trick people. But you think of like a company with MGM, like they're not even a technology company, like in the sense of like retool and probably like thousands of employees, like you these different like disconnected systems to like stop the attack.
Like they had to shut down their,
you know,
their lotto machines,
slot machine.
Like they probably,
they must've lost like million,
like every minute in Vegas is probably like million dollars.
So like the,
like the impact of that is like massive.
And they probably like,
even if they wanted to try to fix that at this point,
like they're sort of like
knowledge infrastructure so like convoluted and complicated and the data everywhere like they
probably have like it's just like an intractable problem for them and and this is something i see
in in my day job all the time um i also just wonder like how prevalent these attacks are for
much smaller ones that we never hear about like i was i was talking to a
friend this probably been six months ago i never followed up but he's like yeah our company like
is basically being held held ransom right now and we're trying to figure out like they want
this much bitcoin or whatever we're trying to figure out what to do and and how to how to
handle that sort of thing i never followed up on like what happened there but it definitely didn't
make the news like i never saw it so just like i wonder many little companies, especially like that aren't tech companies that are just
like tiny little guy, tiny little people out there doing this and just get held ransom.
And it's just like, man. Yeah. If the breach is below a certain, I can't remember the amounts,
but like a certain, uh, like the count of essentially compromised, uh, records, then
you don't have to like publicly report it. And then the other thing too, is like the,
like in engineering, we, a lot of too is like the like in engineering we a lot
of times we get this like false sense of security from hey the data is encrypted so like you can't
do anything with it but they're still essentially liable like this is what happened with um was it
what the last pass where the backups got stolen and it's encrypted but essentially like in in
theory someone has all the time in the world
to essentially like break the encryption.
That's right.
And like, that might not happen, but like you still have to respond because
you can't even do anything.
It's not like you can rotate the encryption key.
Like they physically have like encrypted data so they can
do whatever they want with it.
So it takes a lot more like sophistication beyond just like encryption. Um essentially, we end up with like this data everywhere. And it just becomes
like a nightmare to try to like, like, control access to it. Oh, my goodness. Yeah. What a
mess of a world just like the security and trust stuff. Yeah, I can't even imagine pretty well.
Well, awesome. Well, on that doomsday note, I think this is a good place to start to wrap up.
Uh, again, if, uh, as I said at the top of the show, if you have ideas for, uh,
guests for software huddle for, you know, either myself or for Alex, uh, ideas for,
you know, these, uh, non canonical episodes, we're all here so you can reach
out to us, you know, on Twitter at software huddle or, you know, at,
at our namesakes as well.
Alex, say anything before we wrap up?
Yeah, absolutely.
Yeah.
Thanks for being with us, Sean.
I hope the, the travel and the talks go well and yeah, we'll, we'll
see you again in a month or so.
Awesome.
All right.
Cheers.