Like private equity, the price will need to keep going up. Bitwarden has financial targets to hit; they took $100M in VC money in 2022. LastPass is currently owned by PE as well (Francisco Partners and Elliott Management). As an investor, in this context, you're buying the lock-in and inertia of customers who might take their time moving to other user-secret and IdP systems (because it takes time and effort to move effectively with minimal enterprise disruption).
Once these comments burn in after ~2 hours, we can of course revisit the thread in the future to see if this turns out to be an accurate prediction. I admit I could be wrong, predicting the future is hard, but history is fairly clear on how this turns out (to the point that "enshittification" was coined).
Bitwarden has to compete with LastPass, Dashlane, 1Password, etc. for market share to stay around. I mean, what should they do to not be seen as "enshittifying"?
Also:
1. Bitwarden is open source, so those who think it is "enshittifying" can run it for free?
2. So what isn't being "enshittified"? Anything that is open source, free, not owned by PE or VCs and will never take investment?
1Password was bootstrapped for almost 15 years without investment, then took investment, and suddenly now counts as being "enshittified"?
It seems that "enshittification" (by definition) is incompatible with market competition and fosters it.
Just letting you know that Sequoia invested in Deno [1][2][3][4], which is one of the reasons why Ryan is saying silly absolutist statements like this.
On top of the fact that Bun has now been acquired by Anthropic, Deno is also either:
1. Pivoting to Cloud (for AI Agents to use Deno)
2. Looking for an exit to an AI lab or infrastructure partner.
Note that AI mostly does well on Python, JS and TypeScript code, so he has an incentive to align Deno with this angle.
It also doesn't help that Ryan has done a Google Brain residency where he studied deep learning (which boosts his "authority" on his silly absolutist statement).
Sequoia is asking Ryan: "When is the return on investment? How can we have an exit like the one Bun has done?"
The problem with this article is that after all the low-hanging-fruit white-collar jobs (writing, programming, artists, finance, etc.) are done by AI, this is next in the value chain.
WIRED has just told VCs and private equity investors alike what the new value is for the budding and existing AI startups they funded, so they can scoop the value-creation ROI for their funds.
So this will end up having the opposite effect over time. It will go like this:
AI as an assistant (25% of work done by AI) + experienced electrician / plumber (75% of work done by human)
AI doing half the work (50% of work done by AI) + experienced electrician / plumber (50% of work done by human)
AI does most of the work (75% of work done by AI) + experienced electrician / plumber (25% of work done by human)
AI does almost all the work (95% of work done by AI) + experienced/junior electrician / plumber (5% of work done by human)
AI does 100% of all the work.
During this process, the VCs and investors have already made a killing on the public and private markets. They return part or all of the fund, raise a new fund, and move on to the next "safe job".
My issue is that it claims to be end-to-end encrypted, which is really weird. Sure, TLS between you and your bank's server is end-to-end encrypted. But that puts your trust in the service provider.
Usually, in a context where a cypherpunk deploys E2EE, it means only the intended parties have access to plaintexts. And when it's you having a chat with a server, it's like cloud backups: the data must be encrypted by the time it leaves your device, and decrypted only once it has reached your device again. For remote computing, that would require the LLM to handle ciphertexts only, i.e. fully homomorphic encryption (FHE). If it's that, then sure, shut up and take my money, but AFAIK the science of FHE isn't nearly there yet.
So the only alternative I can see here is SGX, where the client verifies what the server is doing with the data. That probably works against surveillance capitalism, hostile takeover, etc., but it is also a US NOBUS backdoor. Intel is a PRISM partner after all, and who knows if national security requests allow compelling SGX keys. The USG did go after Lavabit's RSA keys after all.
So I'd really want to see this either explained, or conveyed in the product's threat model documentation, and see that threat model offered on the front page of the project. Security is about knowing the limits of the privacy design so that the user can make an informed decision.
You don’t have to use Google login though?
People building solutions like this that aim for broad adoption have to make certain compromises, and this seems OK to me (just talking about offering a social login option; I haven't checked the whole project in detail).
Most people don't care about Google knowing whether they're using a particular app. If they do, they have the option not to use it. The main concern is that the chats themselves are E2E encrypted, which we have every reason to believe.
This is a perfect example of purism vs. pragmatism. Moxie is a pragmatist who builds things that the average person can actually use. If it means that millions of people who would otherwise have used ChatGPT will migrate because of the reduced friction and get better privacy as a result, that's a win even if at the margin they're still leaking one insignificant piece of metadata to Google.
The main differentiator from HackerOne is price and lower commitment (i.e. contracts). It's also a lot simpler in the UI, as it's not chasing the big end of town, and it uses AI in a more integrated way. That said, Bugbop isn't trying to replace HackerOne. It's built for teams that won't run a bug bounty otherwise.
Bypassing can be a problem, but paying people overseas (and KYC) can be quite annoying. There's also less credibility without a third party proving the bounties exist.
"Someone can copy you" was never going to be a moat. There's a lot more to a company than just the technical build. I'll just have to stay better than them :-)
I've priced Bugbop very competitively, and making it free will be difficult given the payment processing fees.
Indisputable USP? That's hard. I think Bugbop is fairly unique in that it's a passion project of a long-time bug bounty program runner. I love this stuff and I'm happy to have founder-to-founder calls about what bug bounty looks like in practice.