Mike Sperber

Husband, father, C*O at Active Group, functional programmer, researcher, teacher, theater person.
Website: https://www.deinprogramm.de/sperber/
software architecture
theater

So here's the other thing that bothers me about all this. Regardless of the eventual results, this thing they're doing is *incredibly* resource intensive. They routinely spend billions of dollars on training these models, and billions more on operating them. It's not simple to parse out what fraction of that is directly attributable to the massive scale vuln finder/fabricator. But for the sake of argument let's just pick a plausible number, and call it 50-100 million dollars.

What could we have gotten for 50-100 million dollars of sponsorship for security audits? Prior to this, the largest single investment into FOSS security I'm aware of was the 2015 audit of OpenSSL, after the Heartbleed incident. It's hard to find precise costs for that, but I found a few sources estimating 1.2 million dollars, and that is arguably the most security critical piece of software in the world.

But suddenly there's 100x more resources available to do this work, now that producing the artifact can be done with stolen labor? Now that they can externalize the cost of false positives onto the already mostly unpaid maintainers of these projects? Even if their claims are true, which we have no reason to believe and very good reason not to, it's still a travesty

I've spent most of my adult life writing code—not because I had to, but because I love the process. And I've taught hundreds of students (thousands through courses) to love it too. There's a beauty in expressing human reasoning in code, just as there is in mathematics. You can put care into even the most mundane of tasks.

I know not everyone feels that way about it. I know for many, maybe most, it's just a job. It's just business.

But god damn, we created a wholly new form of expression here. I don't think it's that different from others. It just sells better, so "art" is hard to assign to it.

I still think it can be beautiful. But the beauty comes first from the creator's hand.

@deech It's one of the ironies of modern programming that what used to be OO is obsessed with process, and the FP folks are the ones doing the data ("object") modeling.
@wingo Even funnier with the German dubbing, where they say “Oonix”.
rewatched jurassic park recently and the unix vibes are v v good

✨ Only one more week until the Software Architecture Forum 2026! 🎉 In exactly one week, software architects, developers and IT experts will meet in Munich to spend two days discussing modern #Softwarearchitektur, current challenges and proven approaches to solving them.

💡 Why the SAF is worth it:
✔ 2 days with 22 experts and 23 sessions in German
✔ Practical content instead of sales pitches
✔ Topics: #DDD, #KI, #APIs, #Cloud etc.

👉 saf.isaqb.org

#SAF2026 #iSAQB

@lindsey there are ways to make conferences cheaper, but making this suggestion out loud is akin to farting in a quiet room

RE: https://discuss.systems/@activegroupgmbh/116318230028504286

Next week is the iSAQB® Software Architecture Forum, and @sperbsen will be there! Tickets are still available:

@leah Yeah, bummer, as it was such a pleasure to use. One of the most ergonomic languages ever.