
should be more f’s and da’s in there

I don't follow. It seems obvious that there's more to gain for attackers using AI agents to exploit open source repositories, than there is for good samaritan defenders. In this new closed-source world (for Cal.com), there's nothing stopping them from running their own internal security agent audits, all whilst at least blocking the easiest method of finding zero-days - that is, being open source.

This really just seems like Strix marketing. Which is totally fair, but let's be reasonable here, any open-source business stands to lose way more by continuing to be open-source vs. relying on the benevolence of people scanning their code for them.


> It seems obvious that there's more to gain for attackers using AI agents to exploit open source repositories, than there is for good samaritan defenders.

Actually the opposite is obvious - the comment you replied to talked about an abundance of good Samaritan reports - it's strange to speculate on some nebulous "gain" when responding to facts about more than enough reports concerning open source code.

> In this new closed-source world (for Cal.com), there's nothing stopping them from running their own internal security agent audits

That's one good Samaritan for a closed source app vs many for an open source one. Open source wins again.

> any open-source business stands to lose way more

That doesn't make any sense - why would it lose more when it has many more good Samaritans working for it for free?

You seem to forget that the number of vulnerabilities in a certain app is finite; an open source app will reach a secure status much faster than a closed source one, in addition to also gaining from a shorter time to market.

In fact, open source will soon be much better and more capable due to new and developing technological and organizational advancements which are next to impossible to happen under a closed source regime.


The main drawback is that you will need to be able to patch quickly in the next 3-5 years. We are already seeing this in a few solutions getting attention from various AI-driven security topics, and our previous stance of letting fixes "ripen" on the shelf for a while - a minor version or two - is most likely turning problematic. Especially if attackers start exploiting faster and botnets start picking up vulnerabilities faster.

But at that point, "fighting fire with fire" is still a good point. Assuming tokens are available, we could just dump the entire code base, changesets and all, our dependent configuration on the code base, company-internal domain knowledge and previous upgrade failures into a folder and tell the AI to figure out upgrade risks. Bonus points if you have decent integration tests or test setups to run all of that through.

It won't be perfect, but combine that with a good tiered rollout and an increasing velocity of rollouts is entirely possible.

It's kinda funny to me -- a lot of the agentic hype seems to be hugely rewarding good practices: cooperation, documentation, unit testing, integration testing, local test setups.


A new user is much more likely to scan the codebase and report vulnerabilities so they can be fixed than illegally exploit them, since most people aren't criminals.

Exactly. Who even hacks stuff? Most people will report the issue to earn xp and level up than actually exploit it.

It's a token game.

Let's say finding a security issue takes 10M tokens. If one company has to pay for it, they most likely won't bother. It's purely a cost/benefit thing for them.

But if you have an open source project, you might get 1,000 people looking at it, each of whom only has to spend 10k tokens to find the same flaws.


Some users might be tech-sensitive and have the capacity to check the codebase. If a company wants to use your platform, it can run an audit with its own staff. These are people really concerned about the code, not "good Samaritans".

Isn’t that security by obscurity?

Submarine marketing?



A combination of https://selfcontrolapp.com/ and Hammerspoon automation and you can lock yourself out of pretty much everything.


It would be easier if we could just block comments from green users. I get that it loses ~0.1% of authors who might have made an account to comment on a blog post of theirs that was posted here. I'd rather have that loss than have to deal with the 99.9% of spam.


TIL green means new. I thought it was special for some reason.


This can't be a to-die-on rule though. Retail would've never bought GOOG, or TSLA, or AAPL if that were the case. Maybe I'm just being pedantic.


Google and Apple didn't go through ten funding rounds like today's startups do. Apple had one angel and three rounds, Google had one angel and literally just an A round after that; then retail investors could capture all the upside. Now there's way more time for private investors to pick the bones clean before it gets dumped on the public.


I think you're both right. Those were great opportunities, but the proportion of such opportunities which are made available to retail traders has greatly diminished over time.

There's a great chart out there somewhere (I couldn't find it) which breaks down the impact of private equity on the availability of such opportunities in public markets. It showed a dozen or so companies (like Google, Apple, Uber, Stripe, etc) and broke down their market cap gains into two parts, "pre IPO" and "post IPO" gains. Of course, the pre-IPO gains were only available to private equity (or, at best, accredited investors), whereas the post-IPO gains were available to retail traders as well.

"Older" companies like GOOG & AAPL were much more likely to have experienced that vast majority of gains after their IPOs, meaning retail investors could have made big money by betting on them early. Meanwhile newer companies (like Facebook, Uber, Stripe, etc) were much more likely to have yielded the vast majority of their gains before their IPOs, meaning retail investors didn't have the opportunity to benefit from big returns.


That's quite an interesting observation.

I suspect that the reason those "newer" companies were able to have the majority of their gains reaped pre-IPO was that during that time period, it was easy to acquire capital from investors without resorting to public market IPOs, whereas the era of Google and Apple did not have the same level of private investment.

And I think it has to do with low interest rates. During the Google early years, it was difficult to obtain low-cost loans (for private investors, that is). Therefore, public markets looked like an easier path for companies to raise money.

The "newer" companies in your list are mostly post-GFC, during a period of ultra-low interest rates. This makes money easy for private investors to obtain, and so companies have an easier time getting funding from those private sources. The IPO is realistically not a funding mechanism, but an exit mechanism for those early private investors.


Yep, I think you're spot on.

If you're familiar with Ray Kurzweil's work, I wonder whether this phenomenon might be related. Kurzweil notes that better technology begets better technology in a self-reinforcing and ever-accelerating cycle of technological advancement. His thesis implies rapidly evolving capital requirements. Massive amounts of nimble private capital, secure in the hands of highly competent people with relevant domain expertise, may well be an important precondition for continual acceleration.


Survivorship bias, and the corporate finance world of today is completely unrecognizable from the world of Google and Apple. Just look at the resulting performance of the SPAC craze.


Even for good assets there's a price you shouldn't pay. People are joking(?) about triple-layer SPVs where you can get pre-IPO exposure but at higher-than-IPO price.


Noticeably yes much more than usual. It’s quite bad. I need to start blocking accounts.


Is there any hard evidence that this is true compared to, say, 20 years ago? I've heard it repeated a million times but no one's ever provided evidence.


Neglect laws are written too broadly, giving too much discretion to CPS to decide what constitutes neglect or inadequate supervision. There have been a couple cases IIRC in Florida where parents were arrested for letting their kids walk/play in parks alone, albeit these were very young children.

Outside of that, there's increased traffic and the US as a whole is way too car centric. Suburbs are horribly designed, and we prioritize moving cars instead of moving people, and any kind of infrastructure design that might slow down traffic, reduce the need to drive, or mildly inconvenience a driver gets shot down.

There is a very real danger of getting killed by a distracted idiot in a car, and that risk is much higher today. I commute on I-5 every day for work and every single day I see multiple people going 80 MPH watching TikToks on their phone on the dash mount, or obviously looking down texting. I can't blame anyone for not wanting their kids running around the neighborhood when we can't even be responsible enough to pay attention when we are driving 2-ton death machines.


If nothing else, the _perception_ of it is enough to have had a chilling effect; my own parents were concerned and affected by it enough to tell me where not to play outside so that I wouldn't be seen by randoms.


[ redacted ]


You live in a very strange area to say the least.

None of those are true in my area, and how did the "Karen" even get to your child on your private road?


[ redacted ]


I'm sorry, the "Karen" drove onto your private road to interrogate your kid?

These things don't happen on a liberal/conservative axis in my experience.

I've lived all over the place, though not as much with kids, and have had none of these issues (including having mixed race kids who look much more like their other parent than me).

You really need to look at why you're living where you do.


A "private road" typically means one not maintained by the city. I live on one, but so do two other households, who have equal right to drive on it.


Yeah, except the now redacted comments didn't indicate that was the case which is why I was asking more questions.

It really was an extraordinary story without any extraordinary evidence.


What I find extraordinary is y'alls bullshit theory that it is extraordinary to claim the CPS apparatus wasn't used more before when it didn't even exist until like ~1974, and before then as a much different process.

As usual, just blame the victim, then complain they don't provide evidence knowing full damn well child and family welfare services complaints are sealed and hidden from public oversight. This is how vampires with these theories operate, first they make it illegal to get the records, then they make it illegal to even find out who the accuser is, then when you call them on it they say "ha ha, you don't have the evidence, that we made it illegal for you to get!" The whole system is designed to evade oversight, so what we are all left with is anecdotes that we have about our own childhood being so much different than the ones our children have after interactions with the authorities that have placed these restraints. But of course when you share them, they are only used against you by persons such as yourself (judging me for where I live, as if it's not going on all over the US). So people are reluctant to even share the anecdotes, and by law you generally cannot get the formal records (think of the children!) of these encounters nor the names of the accusers so basically they designed the whole legal structure to enable the muh citation crowd to be able to always pretend like the other side is just hiding from the evidence.

( If you look, at say, the problems with child abuse physicians in cahoots with CPS systematically victimizing families of children with brittle bone disease for instance, we basically had to wait for enough parents to tell their anecdotal stories of losing their kids until lawyers really started to step up to defend these cases as we now know doctors and CPS will systematically accuse children with multiple breaks of being victims of abuse, even when there is zero evidence the parents or child were inflicting an amount of force that would break healthy bones. The individual cases can't be scrutinized to bring these things to daylight because they're all sealed under child welfare laws, hence we just had to wait for a bunch of "extraordinary stories" with weak evidence to be told until someone finally believed them and others from society could step up to help these victimized families).

Personally I find it absolutely fucking hilarious that as much or more CPS induced restraint existed ... before CPS did.

> Yeah, except the now redacted comments didn't indicate that was the case which is why I was asking more questions.

Lol you responded to my comment saying it was an easement which meant I was not able to gate it. Although frankly your tone of questioning seemed to be more directed towards alluding I was a liar, than a genuine interest in the road.


> What I find extraordinary is y'alls bullshit theory that it is extraordinary to claim the CPS apparatus wasn't used more before when it didn't even exist until like ~1974, and before then as a much different process.

You seem to have replied to the wrong post.

> As usual, just blame the victim, then complain they don't provide evidence knowing full damn well child and family welfare services complaints are sealed and hidden from public oversight. This is how vampires with these theories operate, first they make it illegal to get the records, then they make it illegal to even find out who the accuser is, then when you call them on it they say "ha ha, you don't have the evidence, that we made it illegal for you to get!" The whole system is designed to evade oversight, so what we are all left with is anecdotes that we have about our own childhood being so much different than the ones our children have after interactions with the authorities that have placed these restraints. But of course when you share them, they are only used against you by persons such as yourself (judging me for where I live, as if it's not going on all over the US). So people are reluctant to even share the anecdotes, and by law you generally cannot get the formal records (think of the children!) of these encounters nor the names of the accusers so basically they designed the whole legal structure to enable the muh citation crowd to be able to always pretend like the other side is just hiding from the evidence.

I'm not blaming anyone. Your experience is so wildly different from anything I've seen or heard living in many different areas across the US that I'm interested to hear more about it, and then you go on a tirade that has virtually nothing to do with the topic at hand instead of providing any remotely relevant information.

> Lol you responded to my comment saying it was an easement which meant I was not able to gate it. Although frankly your tone of questioning seemed to be more directed towards alluding I was a liar, than a genuine interest in the road.

I don't have a gate on the private road to my house either, yet no one drives down it to interrogate my kid about my whereabouts.

Is it a neighbor who also shares the private road? If so, that makes some sense but it sounds like you need to have a discussion with them. Why didn't you trespass them if not?

If this Karen calls CPS because they were trespassing and weren't aware that you were nearby, so what, other than wasting some taxpayer dollars? Has anyone ever had their kid taken by the state because of a claim like this? Since the answer is no, why are you so freaked out about it, way beyond being annoyed at this Karen (who does sound annoying in this story)?

Like I said to the other person, it's a series of extraordinary claims that frankly make almost no sense, and then you rant about tangential topics when asked for more detail. It doesn't make your anecdote more believable.


But it's not rare at all. It really just sounds like you haven't had reason to pay attention to this before and now don't want to accept it's become a thing. A Google search for "cops called on kids playing alone" results in a never-ending series of stories like this. I think most of them are from people with your perspective being caught by surprise.


I have kids, and I know hundreds of parents across large portions of the country. None of them have these issues.

A person driving down a private road and threatening to call CPS because they can't see the parent is not rare?

And the parent poster didn't just say someone threatened to call the cops, they said that they would be jailed in two very specific circumstances where jailing him would have led to very negative consequences for the arresting parties in anything beyond the immediate term.

Many people are stupid, and do stupid things like calling the cops for no valid reason at all. Those people are annoying and can be ignored, and I would not be remotely surprised by any pseudo-anonymous person doing something stupid. What would surprise me is the cops actually responding to the call and making the decisions that the other poster claimed, with a few exceptions where I would be much less surprised.

Since he only responds to questions with tangential rants, we'll never know for sure what happened.


> Many people are stupid, and do stupid things like calling the cops for no valid reason at all. Those people are annoying and can be ignored,

Either you are disingenuous or incredibly sheltered. It's hard to tell which, but I suspect I know.


Neither, I'm just not catastrophizing my life or everything around me to obtain Internet points.

What the original poster was describing is exceptionally rare, which is why neither he nor you have anything meaningful to say about it.


Who do you think your target customer is? Curious to know if you think the money is in short form, traditional YouTube videos, or even movie studios one day.

Great website btw. The onboarding was very pleasing


There's value in all the categories you mentioned; we're not focusing on feature filmmakers right now.

Target customers usually fall under one of these: marketers / creators / founders.


What qualifies as old?

