Open source is dead now?#

Summary & Key Takeaways#

The speaker is a stronger advocate for open source and the importance of supporting open source communities and building systems that can build on top of each other.
The speaker is concerned about the possibility of open source being shut down, citing the example of Cal.com closing its source code.
The rise of AI has fundamentally altered the security landscape, making transparency a risk, and this is driving some entities to close core codebases.
The interaction between AI and security research is changing the landscape, potentially lowering the barrier for finding exploits, which is scary.
The future of security may involve a system where cybersecurity is framed as proof of work, requiring spending more tokens to find exploits.

Cal.com is an open-source alternative to Calendarly, and it is no longer open source.
Cal.com is cited as an example of a good full-stack TypeScript application and a leading example of a big open-source fullstack TypeScript next app.
The speaker expresses fear that closing the source code of such projects might doom the future of software.
The speaker has discussed this issue with the Cal.com team and has failed to prevent the change.

AI has fundamentally altered the security landscape by allowing security tasks to be automated at scale.
Code is no longer just read; it is scanned, mapped, and exploited at near zero cost, making transparency a risk at scale.
The decision to close the corec.com codebase is framed as a response to the risks AI is making possible, not a rejection of open source.
The speaker points to Project Glass Wing as something worth considering in this context.

Finding exploits requires both security knowledge and domain-specific knowledge.
Historically, the lack of knowledge in one area (like full-stack TypeScript) meant that open source didn't meaningfully change the average security researcher's capability in that domain.
AI can now bridge this gap: it can understand the domain-specific stuff, meaning the barrier for finding exploits is shifting from requiring high domain knowledge to requiring more security knowledge.
The speaker notes that the AI has made the amount of domain-specific knowledge hit a floor, and the only remaining blocker is security knowledge.

The speaker introduces the concept of cybersecurity looking like proof of work.
This concept suggests that security requires spending more tokens to discover exploits than attackers spend trying to exploit them.
This mirrors cryptocurrency's proof of work, where success is tied to raw computational work.
The goal is to make attacking a service expensive by requiring real processing power to prove the work.

The speaker argues that open source remains critically important and needs to be supported.
Open source projects face an additional burden to deal with security reports, which is "thankless work."
The speaker calls for companies to convince others that keeping things open is the right call going forward.
The speaker suggests a three-phase cycle for agents: Development, Review, and Hardening, where human input limits the first phase and money limits the last.
The final message is to keep fighting for open source and ensure that the tools we rely on remain secure, reliable, and great.