Feross Aboukhadijeh
CEO of Socket Security
SK
Who are you?
Feross Aboukhadijeh
I'm an entrepreneur, programmer, and long-time open source developer. These days, I'm the founder and CEO of Socket, a company focused on protecting the software supply chain. I've been in the open source world for over a decade – in that time I created projects like WebTorrent (a BitTorrent client for the web) and StandardJS (a JavaScript style guide), along with hundreds of other packages. In fact, the open-source code I've published is downloaded more than 1 billion million times a month. I also sometimes teach a web security course at Stanford University, which is a great way for me to share my passion for security with students.
Feross Aboukhadijeh
At my core, I still think of myself as an open source maintainer. I got my start building fun websites and projects as a teenager, which taught me a ton. That eventually led me to work on bigger projects – WebTorrent was one of those early passions that blew up into a much larger endeavor. Through those experiences, I accidentally became the maintainer of many open source modules and realized how much I love building things and sharing them. Being able to create something and have it used by people all over the world is incredibly rewarding. That thrill is a big part of who I am.
SK
Why did you start Socket? Was there any inspiration?
Feross Aboukhadijeh
I started Socket because I kept running into the same problem and realized no one had a good solution for it. As an open source developer, I often use many third-party packages in my apps. When a few friends and I were building Wormhole (an end-to-end encrypted file sharing app we created before Socket), we saw firsthand how hard it was to vet all our dependencies. In the Node.js ecosystem, installing just one package can pull in dozens of others – on average about 79 transitive dependencies come along with a single npm package, maintained by roughly 39 different people. That means you're implicitly trusting a huge number of strangers' code every time you `npm install`. We found that both amazing and scary. It became painfully clear that the more we rely on open source, the more we need to know what's in our software.
Feross Aboukhadijeh
Around that time, software supply chain attacks were starting to make headlines – it felt like every other month there was news of a popular library getting hijacked or compromised. Traditional security scanners weren't catching these attacks because they mostly look for known vulnerabilities, not new malicious behavior. I remember thinking, why isn't there a tool that watches for weird or suspicious changes in our dependencies? I ultimately came to believe that the huge network of dependencies in modern apps poses risks that existing tools just don't handle. There was this lack of visibility into what our dependencies were actually doing under the hood. And as a developer who loves open source, I found that really concerning. I didn't want trust in open source to erode just because a few bad actors were slipping malware into the ecosystem. If people lose trust, they'd use less open source, and that would be a step backward for everyone.
Feross Aboukhadijeh
So, inspiration for Socket came from that mix of alarm and love: alarm at how vulnerable the supply chain had become, and love for the open source ecosystem that I wanted to help protect. We set out to build a tool that could proactively detect suspicious package behavior – like if a new release suddenly starts installing a binary, making network requests, or touching the file system when it never did before. By scanning every open source package for red flags, Socket aims to catch supply chain attacks early and prevent them from harming developers. In short, I started Socket to preserve the trust in open source and give developers a fighting chance to secure their apps without giving up the tools and packages that make modern development so powerful.
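The behaviour-change idea described in this answer (flagging a release that suddenly gains an install script, network access or filesystem access it never had before) can be sketched in a few lines. The following is an added example, not Socket's code or anything from the interview: it compares two constructed in-memory snapshots of an npm package and reports capabilities that are new in the later release. The regex signatures and the sample package contents are hypothetical; a real scanner would parse the JavaScript rather than pattern-match source text.

```python
"""Toy release-diff detector (added example; not Socket's implementation).

Compares two versions of an npm package, both constructed here in memory,
and reports capabilities present in the new release but absent from the old
one: install-time lifecycle scripts, network access, filesystem access,
process spawning and dynamic code evaluation. The point is to look for a
change in behaviour between releases rather than for known CVEs.
"""
import json
import re

# Lifecycle scripts npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Crude capability signatures (hypothetical; source-text matching only).
CAPABILITY_PATTERNS = {
    "network": re.compile(r"require\(['\"](https?|net|dns|dgram)['\"]\)|\bfetch\("),
    "filesystem": re.compile(r"require\(['\"]fs(/promises)?['\"]\)"),
    "shell": re.compile(r"require\(['\"]child_process['\"]\)"),
    "eval": re.compile(r"\beval\(|new Function\("),
}


def capabilities(package):
    """Return the set of capability labels a package snapshot exhibits.

    `package` maps file names to file contents, e.g.
    {"package.json": "...", "index.js": "..."}.
    """
    caps = set()
    manifest = json.loads(package.get("package.json", "{}"))
    for hook in INSTALL_HOOKS:
        if hook in manifest.get("scripts", {}):
            caps.add(f"install-script:{hook}")
    for name, source in package.items():
        if not name.endswith(".js"):
            continue
        for cap, pattern in CAPABILITY_PATTERNS.items():
            if pattern.search(source):
                caps.add(cap)
    return caps


def new_capabilities(old_package, new_package):
    """Capabilities that appear in the new release but not in the old one."""
    return sorted(capabilities(new_package) - capabilities(old_package))


# Constructed sample: a one-function utility, then a patch release that adds
# a postinstall hook touching the network and the filesystem.
OLD_RELEASE = {
    "package.json": json.dumps({"name": "left-trim", "version": "1.0.0"}),
    "index.js": "module.exports = s => s.replace(/^\\s+/, '');\n",
}
NEW_RELEASE = {
    "package.json": json.dumps({
        "name": "left-trim",
        "version": "1.0.1",
        "scripts": {"postinstall": "node setup.js"},
    }),
    "index.js": "module.exports = s => s.replace(/^\\s+/, '');\n",
    "setup.js": (
        "const https = require('https');\n"
        "const fs = require('fs');\n"
        "https.get('https://example.invalid/', () => {});\n"
        "fs.writeFileSync('marker.txt', '1');\n"
    ),
}

if __name__ == "__main__":
    # Expected: filesystem, install-script:postinstall, network
    for cap in new_capabilities(OLD_RELEASE, NEW_RELEASE):
        print("NEW CAPABILITY:", cap)
```

Because the check is a set difference between releases, a package that has always used the network is not flagged on every scan; only the release that first introduces a capability stands out, which is the signal worth a human look.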
SK
What was the most surprising thing that happened while working on Socket?
Feross Aboukhadijeh
Building Socket has been full of surprises (and lessons). One big surprise has been just how much crazy stuff is out there in open source once you start looking for it. We built this system to scan packages, and almost immediately we started uncovering some wild malicious packages in the npm ecosystem (and beyond). For example, we found npm libraries that were essentially booby-trapped – one even had a hidden "kill switch" that would delete all your files if a certain condition was met. That blew my mind (and not in a good way!). We also saw attackers getting really creative with obfuscation. I knew theoretically that malware in open source was a problem, but seeing the variety and creativity of these attacks up close was eye-opening. It's sobering to realize how many sneaky attempts are happening under the radar, and it reinforced why Socket's mission is important.
Feross Aboukhadijeh
On the positive side, I've also been surprised (in the best way) by how quickly the developer community and even companies have rallied around this problem. When we first launched, we thought a few security-conscious teams would care. But now thousands of organizations rely on Socket to help audit and manage their open source code at scale. The demand for a solution was much bigger than I anticipated. Hearing from maintainers who are thankful that we caught something weird in their package, or from developers who say they feel safer using open source with Socket watching their back – those moments have been pleasantly surprising and rewarding. It showed me that if you address a real need, people will embrace it and even help you make it better. So, the journey has had its share of "wow, I did not see that coming" moments, both with scary malware discoveries and with the amazing community support for what we're doing.
SK
Are there any people or products you particularly admire?
Feross Aboukhadijeh
Absolutely. I draw inspiration from a lot of people in tech and beyond. I really admire the pioneers of the Internet – people like Vint Cerf and Sir Tim Berners-Lee who laid the groundwork for the web as we know it. Without their vision of an open, interconnected network, I literally wouldn't have a career (or even a hobby!) in this field. I also have a ton of respect for the unsung heroes of open source. Maintainers of critical projects like Linux, OpenSSL, or even those one-man projects deep in the dependency tree – these folks work tirelessly to build the tools the rest of us rely on, often without much glory. Their dedication is something I really look up to.
Feross Aboukhadijeh
In terms of products, I admire products that empower people and uphold strong principles. For example, I'm a fan of Signal – the secure messaging app – for showing that you can deliver a great product that also respects user privacy and security. I also love technologies like BitTorrent (and its various implementations) for how they enabled peer-to-peer sharing on a massive scale. Closer to my world, I admire npm itself (and now the broader package manager ecosystems) for making software sharing so accessible – it's not a perfect system, but it fundamentally changed how developers collaborate. And I have to mention the web browser as a "product" – it's an incredible platform that lets anyone publish something that can reach millions. Overall, I admire people and products that make knowledge more accessible, because that tends to elevate everyone. Whether it's a person who open-sources their library or a product that puts powerful technology in users' hands, those are the things that make me go "wow, that's awesome."
SK
If you had unlimited resources (time, money, etc.), how would you spend your time?
Feross Aboukhadijeh
Honestly, not that differently from how I spend it now – I'd still be building things. I've always been the type of person who codes for fun. Even if I won the lottery tomorrow, you'd probably find me the next day tinkering on some open source project or hacking on a new idea. Writing code and solving problems is something I enjoy so much that I do it for its own sake. So with unlimited resources, I'd give myself the freedom to pursue all the passion projects on my list without worrying about whether they make money or not. I'd dive into crazy experiments in software, maybe explore new protocols or peer-to-peer ideas, build useful tools and release them for free – basically more of the creative coding that got me into tech in the first place.
Feross Aboukhadijeh
That said, unlimited time and money would also let me give back more. I'd spend more time mentoring and teaching. I really enjoy teaching (hence the Stanford gig), and I'd love to expand that – and maybe create support/funding programs that help the next generation of hackers and open source maintainers. I might also contribute more to other open source projects that I use and love, since so many maintainers could use a hand. And sure, I'd take some time to travel, see the world, spend time with family and friends, all that good stuff too. But I suspect after a bit of relaxation, I'd be itching to get back to creating something. The bottom line is I'd use the freedom that unlimited resources afford to work on things that I find meaningful or fun, without constraints. Luckily, many of those things don't actually require unlimited money – mostly just time, curiosity, and the joy of coding.
SK
What's a message you have for the world?
Feross Aboukhadijeh
I believe the world (especially the tech world) needs to hear that anyone can create something amazing and share it. There's something about the web that I fell in love with early on – anyone can build something and put it online for the world to see, and it sits right there next to the biggest sites on the internet. There are essentially no barriers to entry for getting your creation out there. I experienced that firsthand with my early projects, and it was life-changing. So my message is: take advantage of that openness. If you have an idea, or something you're passionate about, go ahead and make it a reality. You don't need permission to contribute or to innovate. Write that app, start that website, share your art or code or thoughts. The tools and platforms available today make it possible for a single person to reach millions. That's truly magical, and it's more possible now than ever before in human history.
Feross Aboukhadijeh
Along with that empowerment comes a responsibility: we all should strive to keep the internet and open source open and trustworthy. The openness only works if we maintain a level of trust and collaboration. So I'd also encourage people to be good to each other – help others learn, share your knowledge, and stand up for a web that remains free and accessible. I often say I love open source, not just because it's cool tech, but because it's a community and a philosophy of sharing. If we can't trust what we download or we start closing ourselves off, we lose something really special. So let's keep that spirit alive. Be curious, be creative, and build things – and while you do, try to leave the community a little better than you found it. That, in my view, is how we all move forward together.