
Open source is dead now?
AI Summary
The speaker expresses strong support for open source, emphasizing its importance for software development and community growth. They voice concern about a future where software becomes worse and harder to fix if open sourcing declines. This concern is amplified by the recent decision of Cal.com, an open-source Calendly alternative, to close its source code. Cal.com was a prominent example of a T3 stack application and a valuable full-stack TypeScript project used for various demonstrations and tests.
The speaker shares personal insights, having discussed this issue with the Cal.com team and even referencing Cal.com in their previous videos advocating for open source in business, hoping to influence their decision. Despite these efforts, the change has occurred, prompting a deeper discussion on why Cal.com believes closing their source is the best approach and the potential negative implications for the future of software.
The core of Cal.com's decision, as explained in their announcement, stems from the evolving security landscape due to AI. They argue that AI has automated the discovery of vulnerabilities, turning transparency into exposure. Code is no longer just read but scanned and exploited at near-zero cost. To protect their customers and community, they have closed the core codebase, though they will release the core code under a new MIT-licensed project called Cal.DIY for hobbyists.
The speaker elaborates on how AI has fundamentally changed software security. Historically, exploiting software required a high level of both security expertise and domain-specific knowledge. This dual expertise was rare, making complex full-stack applications like Cal.com difficult targets for the average security researcher. However, because AI models carry vast domain knowledge across many areas, significantly less security expertise is now needed to find vulnerabilities. A developer with even a basic understanding of security and access to AI can identify exploits that previously required deep expertise.
This is illustrated by the example of Anthropic's Mythos LLM, which, when tasked with finding vulnerabilities, could identify significant flaws in highly secure codebases like OpenBSD. The AI's ability to systematically analyze code file by file and trace system interactions is amplified when it has direct access to source code. While AI can deobfuscate compiled code, it is far more effective with direct source access. By closing their source, Cal.com is attempting to temporarily raise the bar for exploit discovery, requiring more effort in reverse engineering and deobfuscation, at which AI is currently less adept than at parsing known source code.
However, the speaker argues that this is a temporary measure. AI's capabilities in deobfuscation are improving, and even without direct source access, AI can gather significant information from front-end clients and backend endpoints through scraping. Furthermore, the concept of "proof of work" in cybersecurity is introduced, suggesting that security is becoming an economic arms race. Defenders must spend more resources (tokens) discovering exploits than attackers spend to execute them. The cost of exploits is being driven down by AI, making it cheaper to attack.
The speaker highlights the economic implications: if it costs less to exploit a system than the value gained, exploitation becomes widespread. This is exemplified by the analysis of LLMs' performance in network attack simulations, where models like Mythos can complete complex attacks, and the cost of finding exploits with AI is significant but potentially lower than the value of successful attacks. This "proof of spend" model suggests that security is increasingly tied to who can afford to invest more resources.
In this context, the speaker discusses the value of open source. While some, like Andrej Karpathy, question the reliance on dependencies, the speaker argues that open source can be a collective defense mechanism. If multiple organizations contribute to securing open-source projects by spending resources on exploit discovery, it can create a stronger defense than individual proprietary efforts. However, this also incentivizes attackers to target widely used open-source projects due to their higher potential return.
The speaker also touches upon the evolving development process, suggesting a future three-phase cycle: development, review, and hardening. Hardening, driven by AI, will become a constant and budget-limited phase. The speaker criticizes companies that view open source solely as a growth strategy without a commitment to its philosophy. They also point to the problematic attitude of some open-source maintainers, such as those of FFmpeg, who dismiss security reports from AI-driven analysis as "CVE slop," hindering the crucial process of code hardening.
Ultimately, the speaker understands Cal.com's fear but laments the loss of a valuable open-source project. They believe this trend of closing source code due to security fears will continue and urge continued support for open source. The core message is that fear-mongering should not kill open source, and a collective effort is needed to keep open-source tools secure, reliable, and accessible.