simonw 16 hours ago

Drew Breunig published a very relevant piece yesterday that came to the opposite conclusion: https://www.dbreunig.com/2026/04/14/cybersecurity-is-proof-o...

Since security exploits can now be found by spending tokens, open source is MORE valuable because open source libraries can share that auditing budget while closed source software has to find all the exploits themselves in private.

> If Mythos continues to find exploits so long as you keep throwing money at it, security is reduced to a brutally simple equation: to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them.

dang 12 hours ago | parent | next [-]

Thanks - I've re-upped* that one here: Cybersecurity looks like proof of work now - https://news.ycombinator.com/item?id=47769089 (no comments yet)

* a la https://news.ycombinator.com/item?id=26998308

DrammBA 16 hours ago | parent | prev | next [-]

I have a feeling the real reason is them trying to avoid someone using AI to copyright-wash their product, they're just using security as the excuse.

OsrsNeedsf2P 13 hours ago | parent | next [-]

An app like Cal.com can be vibe coded in a few evenings with a Chrome MCP server pointed to their website to figure out all the nooks and crannies. The moat of Cal.com is not the code, it's the users who don't want to migrate.

The real answer is they are likely having a hard time converting people to paid plans.

notnullorvoid 11 hours ago | parent | next [-]

> The moat of Cal.com is not the code, it's the users who don't want to migrate.

That's a very weak moat unless you have something else like the friction of network dependence similar to a social network.

philipov 9 hours ago | parent [-]

Sunk cost is sufficient friction for most people even without network dependence.

shimman 6 hours ago | parent [-]

For a meeting scheduler site? I feel like you're overestimating the capabilities of something that is akin to college graduate project.

This company does not seem healthy at all:

https://getlatka.com/companies/calcom

I agree with the other poster who mentioned this is likely a publicity stunt, but all it's really showing is that VC is still incredibly stupid with their money. All the more reason to seize it from them and then properly fund useful software, not subsidize vanity projects for Stanford grads.

cootsnuck 5 hours ago | parent [-]

About the friction, not the capabilities...I haven't switched off my biz calendar/appointment provider I'm paying for even though I've kinda outgrown it.

I wouldn't underestimate switching friction.

hrimfaxi 4 hours ago | parent [-]

How much does your friction avoidance cost, if you don't mind my asking?

opem 5 hours ago | parent | prev | next [-]

For real, one of the reasons I use cal.com is because it's open source. Time to migrate.

lrvick 12 minutes ago | parent [-]

Same. I expect in a misguided effort to save customers, they are going to lose a lot more. My two companies will be canceling over this.

indianmouse 6 hours ago | parent | prev | next [-]

Maybe try creating one and see how much effort and time is required to clone such functionality to a proper working state! Something for personal use can be created in about 5-10 days, but even then the skill that is required and the amount of tokens to burn, hosting and security etc., will easily kill. This is exactly the thought process of many, but it will surely kill many open source contributors. I've stopped committing anything to any open source repos as a personal choice. I do not want to train an LLM which will eventually create more slop and headaches, since for me, time is the only important factor which holds the maximum value! Nothing else!

j45 7 hours ago | parent | prev [-]

Coding something vs maintaining it can be quite different things.

theahura 6 hours ago | parent | prev | next [-]

At risk of self promotion, I think more people should adopt something like the Ship of Theseus license (https://github.com/tilework-tech/nori-skillsets/pull/465/cha...). It's not obvious if this will patch the clean room hole in licensing, but I'd rather see it play out in court than assume open source is just fully dead.

hrimfaxi 4 hours ago | parent | next [-]

> It's not obvious if this will patch the clean room hole in licensing, but I'd rather see it play out in court than assume opensource is just fully dead

Are you willing to bear the burden of litigation?

klempner 3 hours ago | parent | prev | next [-]

I am incredibly skeptical that license is legally meaningful (but obligatory IANAL).

Generally speaking it is very, very difficult to have a license redefine legal terms. Either this Theseus copy is legally a derivative work or it isn't, and the text of a license is going to do at most very, very little to change that.

devmor 6 hours ago | parent | prev [-]

I cannot imagine that license addendum is legally enforceable (let alone provable) in most jurisdictions on earth but it is interesting.

kaashif 36 minutes ago | parent [-]

As long as it doesn't cost me anything, I'd like to see it play out in court and know for sure.

But that is very unlikely even if everyone adopted it, which they won't.

lisperforlife 12 hours ago | parent | prev | next [-]

Exactly this! Classic open source bait and switch.

bit1993 12 hours ago | parent | prev [-]

Called this 9 months ago https://news.ycombinator.com/item?id=44559840

"AI slop is rapidly destroying the WWW, most of the content is becoming more and more low-quality and difficult to tell if it's true or hallucinated. Pre-AI web content is now more like the gold standard in terms of correctness; browsing the Internet Archive is much better. This will only cause content to go behind pay-walls, a lot of open-source projects will be closed source not only because of the increased work maintainers have to do to not only review but also audit patches for potential AI hallucinations but also because their work is being used to train LLMs and re-licensed to proprietary."

teleforce 7 hours ago | parent [-]

Typical FUD.

Replace AI with "open source and Linux", and "open source" with "Windows" in the statements. That's what Microsoft's PR team would have said about open source and Linux about 20 years back in the 2000s.

After the unsuccessful FUD era, now Microsoft is running away with Linux by running its Windows alongside via WSL to combat MacOS Unix-like popularity, and due to Linux and open source dominance in the cloud OS demographic.

pietz 16 hours ago | parent | prev | next [-]

This conclusion makes more sense to me, but maybe I'm too naive.

The media momentum of this threat really came with Mythos, which was like 2 or 3 weeks ago? That seems like a fairly short time to pivot your core principles like that. It sounds to me like they wanted to do this for other business related reasons, but now found an excuse they can sell to the public.

(I might be very wrong here)

MerrimanInd 2 hours ago | parent | prev | next [-]

I wonder if we could find a way to donate unused tokens or even local compute resources to open-source projects we support. Especially for security auditing where it could probably be somewhat more asynchronous and disconnected than the open-source developers' personal tool choices.

jeroenhd 2 hours ago | parent | next [-]

"unused tokens" are the force driving token cost down. If everyone used all of the tokens they thought they were paying for, prices would explode. People with subscriptions that don't get out everything they can are subsidizing the system.

There are ways to use LLM service providers that leave no tokens unused, by just billing per token. Unsurprisingly, this quickly becomes much more expensive than subscriptions.

lrvick 10 minutes ago | parent [-]

And that is why the only winning move is owning a GPU.

throwuxiytayq 2 hours ago | parent | prev [-]

“Unused tokens” are a weird, fragile concept that I wouldn’t want to build upon. You can just donate money, you know. That’s what money’s for - it’s the universal exchange thingy.

rswail 18 minutes ago | parent [-]

Maybe if we reframed money as a "fungible token" people would start understanding its use again?

mgdev 16 hours ago | parent | prev | next [-]

This is an economically sound conclusion.

It also means that you need to extract enough value to cover the cost of said tokens, or reduce the economic benefit of finding exploits.

Reducing economic benefit largely comes down to reducing distribution (breadth) and reducing system privilege (depth).

One way to reduce distribution is to raise the price.

Another is to make a worse product.

Naturally, less valuable software is not a desirable outcome. So either you reduce the cost of keeping open (by making closed), or increase the price to cover the cost of keeping open (which, again, also decreases distribution).

The economics of software are going to massively reconfigure in the coming years, open source most of all.

I suspect we'll see more 'open spec' software, with actual source generated on-demand (or near to it) by models. Then all the security and governance will happen at the model layer.

cassianoleal 14 hours ago | parent | next [-]

> I suspect we'll see more 'open spec' software, with actual source generated on-demand (or near to it) by models. Then all the security and governance will happen at the model layer.

So each time you roll the dice you gamble on getting a fresh set of 0-days? I don't get why anyone would want this.

mgdev 14 hours ago | parent [-]

You already do this with human-authored code, just slowly.

Project model capabilities out a few years. Even if you only assume linear improvement at some point your risk-adjusted outcome lines cross each other and this becomes the preferred way of authoring code - code nobody but you ever sees.

Most enterprises already HATE adopting open source. They only do it because the economic benefit of free reuse has traditionally outweighed the risks.

If you need a parallel: we already do this today for JIT compilers. Everything is just getting pushed down a layer.

xigoi an hour ago | parent | prev [-]

I love using software that changes every time you compile it.

jstummbillig 12 hours ago | parent | prev | next [-]

> to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them.

That can't be right, can it? Given stable software, the relative attack surface keeps shrinking. Mythos does not produce exploits. Should be defenders advantage, token wise, no?

rhplus 12 hours ago | parent | next [-]

It’s the classic asymmetric warfare problem:

Defenders have to find all the holes in all their systems, while attackers just need to find one hole in one system.

lexlambda an hour ago | parent [-]

A slight factor that differentiates security systems here works to the advantage of defenders: attackers have to find a whole exploit chain, while defenders only need to fix one part of it.

JoshTriplett 11 hours ago | parent | prev | next [-]

> Mythos does not produce exploits.

AI in general will, don't worry. "Move fast and break things" makes more exploits than "move steadily and fix things" does.

paisawalla 12 hours ago | parent | prev [-]

So long as that OSS keeps accumulating features, there isn't quite the equilibrium you're imagining. If you can pin to a stable version, which continues to be audited, you're fine. But if the rest of the world moves on to newer versions of the software, you'll have to as well, unless you want to own the burden of hardening older versions.

pllbnk 2 hours ago | parent | prev | next [-]

It's been a common wisdom now for decades that open source is more secure. Security is just a scapegoat here.

flying_sheep 10 hours ago | parent | prev | next [-]

> to harden a system you need to spend more tokens discovering exploits than attackers will spend exploiting them

This is true until a certain point, unless the requirement / contract itself has a loophole which the attacker can exploit without limit. But I don't think this is the case.

Let's say someone found a loophole in sort() which can cause denial-of-service. The cause would be the implementation itself, not the contract of sorting. People + AI will figure it out and fix it eventually.

skybrian 16 hours ago | parent | prev | next [-]

This seems similar to the lesson learned for cryptographic libraries where open source libraries vetted by experts become the most trusted.

Your average open source library isn’t going to get that scrutiny, though. It seems like it will result in consolidation around a few popular libraries in each category?

layer8 12 hours ago | parent [-]

An important difference between SaaS offerings and open source libraries is that the latter have no liability. They can much more easily afford exhibiting vulnerabilities until those are fixed.

criddell 16 hours ago | parent | prev | next [-]

How many open source libraries have auditing budgets?

simonw 16 hours ago | parent | next [-]

I expect we're about to find that it's a lot easier to convince a company to spend money running an AI security scan of their dependencies and sharing the results with the maintainers than it is to have them give those maintainers money directly.

(I just hope they can learn to verify the exploits are valid before sharing them!)

Mordisquitos 16 hours ago | parent | prev [-]

Their commercial users have auditing budgets.

dspillett 16 hours ago | parent [-]

Does your ideal world have an easy path to citizenship?

I might like to live there.

raincole 10 hours ago | parent [-]

> SAN FRANCISCO – March 17, 2026 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced $12.5 million in total grants from Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI to strengthen the security of the open source software ecosystem.

https://openssf.org/tag/google

"But that's Linux, how do small libraries get audit budget..." Fortunately LLMs have eliminated the need to have small libraries in your dependency chain.

techpression 3 hours ago | parent [-]

It’s almost cute how insignificantly small that amount is considering the companies named. Great for The Linux Foundation of course, but it still feels like they are being cheap as heck.

tonymet 10 hours ago | parent | prev | next [-]

This may be true long term but not short term. It also assumes that white hats will be as motivated as black hats – not true.

For projects with NO WARRANTY, the risk is minimal, so yes there are upsides.

For a commercial project like cal.com, where a breach means massive liability, they don’t have the resources to risk breaches in the short term for potentially better software in the long term.

not-chatgpt 16 hours ago | parent | prev | next [-]

Security should be a non-issue in the age of AI now that auditing is cheaper than ever.

I'd give them more credit if they used the AI slop unmaintainability argument.
