geoffschmidt 7 hours ago

https://cal.com/blog/cal-com-goes-closed-source-why

rectang 7 hours ago | parent [-]

I'm unpersuaded by the assertion that closing the source is an effective security bulwark.

From that page:

> Today, AI can be pointed at an open source codebase and systematically scan it for vulnerabilities.

Yeah, and AI can also be pointed at closed source as soon as that source leaks. The threat has increased for both open and closed source in roughly the same amount.

In fact, open source benefits from white hat scanning for vulnerabilities, while closed source does not. So when there's a vuln in open source, there will likely be a shorter window between when it is known by attackers and when authors are alerted.

goodmythical 5 hours ago | parent | next [-]

The HN discussion on the announcement is just 90% posts of the theme "if a student can brute force your FOSS for $100, they can do your proprietary code for $200" and "if it's that cheap to find exploits, why don't you just do it yourself before pushing the code to prod?"

I believe that the reason they chose to close the source is just security theater to demonstrate to investors and clients. "Look at all these FOSS projects getting pwned, that's why you can trust us, because we're not FOSS". There is, of course, probably a negative correlation between closing source and security. I'd argue that the most secure operating systems, used in fintech, health, government, etc., got to be so secure specifically by allowing tens or hundreds of thousands of people to poke at their code and then allowing thousands or tens of thousands of people to fix said vulns pro bono.

I'd be interested to see an estimation of the financial value of the volunteer work on, say, the Linux or various BSD kernels. Imagine the cost of PAYING to produce the modern Linux kernel. Millions and possibly billions of dollars just assuming average SWE compensation rates, I'd wager.

Too bad cal.com is too short sighted to appreciate volunteers.

msteffen 5 hours ago | parent [-]

> Millions and possibly billions of dollars just assuming average SWE compensation rates

Yeah, and average kernel devs are not average SWEs.

bee_rider 5 hours ago | parent | prev | next [-]

How are LLMs at reading assembly? I assumed they’d be able to read assembly about as well as any other language…

Is there such a thing as a closed source program anymore?

lrvick 5 hours ago | parent [-]

Not only are they good at reading and writing machine code now, they are actively being used to turn video game cartridge dumps back into open source code the community can then compile for modern platforms.

There is no moat anymore.

hungryhobbit 6 hours ago | parent | prev [-]

If you believe they really did it for security, I have a very nice bridge to sell you for an extremely low price ...

Look, tech companies lie all the time to make their bad decisions sound less bad. Simple example: almost every "AI made us more efficient" announcement is really just a company making (unpopular) layoffs, but trying to brand them as being part of an "efficiency effort".

I'd bet $100 this company just wants to go closed source for business reasons, and (just like with the layoffs masquerading as "AI efficiency") AI is being used as the scapegoat.

rectang 6 hours ago | parent [-]

Who says I believe it? ;)

I'm just choosing to focus on the substance of the argument itself, which I think is risible regardless of who makes it and why.