A lot of peo­ple seem con­vinced that the point of AI cod­ing is to write low-qual­ity code as fast as pos­si­ble. Spew out barely-pass­able slop, open mas­sive PRs, and merge them un­vet­ted. Ship it!

But the thing is, LLMs are very flex­i­ble. And you can use them just as ef­fec­tively to write high-qual­ity code more slowly.

This state­ment seems com­pletely ob­vi­ous to me at this point, and I al­most did­n’t want to write this post for that rea­son. But there seem to be enough peo­ple con­vinced that LLMs are only good as slop can­nons that it’s worth mak­ing the op­po­site case.

If Mythos taught us any­thing, it’s that LLM agents are re­ally good at find­ing bugs. Throw them at a code­base enough times, and they will find so many bugs that you’ll barely know what to do with them.

Like many oth­ers, I’ve also found this is true of non-Mythos mod­els — some may be bet­ter than oth­ers at find­ing sub­tle bugs or avoid­ing false pos­i­tives, but the fact is that the lat­est pub­lic mod­els from Anthropic and OpenAI are good enough to find plenty of bugs in an un­scru­ti­nized code­base.

The prob­lem is not so much find­ing the bugs, but in­stead pri­or­i­tiz­ing and val­i­dat­ing them. For this rea­son I have a Claude skill I adapted from this ar­ti­cle‘s core in­sight, which is that the more, dif­fer­ent mod­els you throw at a PR re­view, the less likely you are to get hal­lu­ci­na­tions or bo­gus bugs.

The skill says (paraphrasing):

Run a Claude sub-agent, Codex, and Cursor Bugbot to find bugs in this PR ranked by crit­i­cal/​high/​medium/​low. Once they’re all done, re­view their find­ings, do your own re­search to rule out false pos­i­tives, and write a fi­nal re­port.

Run a Claude sub-agent, Codex, and Cursor Bugbot to find bugs in this PR ranked by crit­i­cal/​high/​medium/​low. Once they’re all done, re­view their find­ings, do your own re­search to rule out false pos­i­tives, and write a fi­nal re­port.

That’s ba­si­cally it. You can add your own de­f­i­n­i­tion of “bug” if you want — mine has stip­u­la­tions about the KISS and DRY prin­ci­ples, writ­ing ac­ces­si­ble HTML/JSX, us­ing proper in­dexes for SQL queries, etc.

In my ex­pe­ri­ence, this skill al­ways finds tons of bugs in a PR, and the false pos­i­tive rate is near zero. It finds so many bugs that you’ll be bored sense­less if you try to tackle them all. They’ll range from crit­i­cal se­cu­rity or cor­rect­ness bugs to the more mun­dane medium-level perf bugs to low-level “this com­ment is mis­lead­ing”-type bugs.

My typ­i­cal work­flow is:

Have an agent fix all the crit­i­cals and highs (with my guid­ance on the proper so­lu­tion), then re­peat un­til no crit­i­cals/​highs

Skip highs/​medi­ums where the juice is­n’t worth the squeeze (e.g. 100 lines of code to fix a nar­row edge case)

Abandon the PR if it has so many crit­i­cals that I re­al­ize the whole ap­proach is mis­guided

When I use this tech­nique, I haven’t nec­es­sar­ily seen my ve­loc­ity go up. If any­thing, the re­view process of­ten finds pre-ex­ist­ing bugs, so I end up on a tan­gen­tial side-quest where I’m writ­ing unit tests and fix­ing sub­tle flaws that pre-date the PR. This is the op­po­site of the “10x pro­duc­tiv­ity” slop-can­non style of de­vel­op­ment that most peo­ple imag­ine when they think of vibe cod­ing, but I find it very sat­is­fy­ing.

It’s a great way to im­prove the over­all health of the code­base while also teach­ing you about the odd cor­ners of it. In my ex­pe­ri­ence, the happy-path of a com­plex ar­chi­tec­ture is less in­ter­est­ing than its fail­ure modes. And pre-LLMs, this is usu­ally how I got fa­mil­iar with a code­base any­way: un­der­stand­ing where the as­sump­tions break down, and then get­ting my hands dirty to fix it.

If you’re the kind of per­son who is skep­ti­cal that AI cod­ing is good for any­thing, then I doubt this post will per­suade you. But if you’re the kind of de­vel­oper who uses agents to write multi-hun­dred-line PRs that you barely un­der­stand your­self, I’d in­vite you to slow down a bit and try this other, slower style of “vibe cod­ing.” Ask an agent how your PR works and how it might fail. Have it write Markdown docs with Mermaid charts if nec­es­sary. Use Matt Pocock’s /grill-me skill un­til you un­der­stand the en­tire PR front-to-back.

You might not be more “productive” in terms of raw lines of code. You might burn a ton of to­kens just to find out that your en­tire plan was wrong­headed from the start. But I find this style of cod­ing to be a more su­per-pow­ered ver­sion of the kind of pro­gram­ming I was al­ready try­ing to do be­fore LLMs: care­ful, me­thod­i­cal, qual­ity-ob­sessed, fo­cused on mak­ing things bet­ter for the next coder.

So take a deep breath, slow down, try this tech­nique, and see if you don’t en­joy writ­ing bet­ter code more slowly.

Please en­able JS and dis­able any ad blocker

Resolved - On May 12, 2026, be­tween 13:41 and 17:43 UTC, some ser­vices ex­pe­ri­enced de­lays in pro­cess­ing. For the Code Scanning ser­vice, 53% of check runs took over 15 min­utes to com­plete. Additionally, no­ti­fi­ca­tions took an av­er­age of 22 min­utes to be de­liv­ered and Slack in­te­gra­tion web­hooks took an av­er­age of 20 min­utes to be de­liv­ered. The de­lays were caused by repli­ca­tion lag due to an in­ter­nal data­base mi­gra­tion, re­sult­ing in in­suf­fi­cient worker ca­pac­ity for our high rate of job en­queues.

We mit­i­gated the im­pact by scal­ing our pro­cess­ing work­ers to han­dle the in­creased load. All ser­vices re­turned to nor­mal pro­cess­ing times af­ter the mit­i­ga­tion was ap­plied.

We are work­ing to cre­ate ded­i­cated worker pools for some of our high us­age shared queues to help pre­vent this in the fu­ture.

Update - All ser­vices have fully re­cov­ered.

May 12, 17:43 UTC

Update - CodeQL has fully re­cov­ered. We’re con­tin­u­ing to work on re­cov­ery for the re­main­ing im­pacted ser­vices.

May 12, 16:59 UTC

Update - Webhooks have fully re­cov­ered. Continuing to work on re­cov­ery for the other ser­vices.

May 12, 16:29 UTC

Update - Webhooks is op­er­at­ing nor­mally.

May 12, 16:28 UTC

Update - We’ve es­tab­lished that most de­lays are re­lated to a queu­ing ser­vice and are work­ing to scale out. Early sig­nals from the scale-out are show­ing signs of re­cov­ery for some ser­vices. We’ll pro­vide an up­date when ser­vices are fully re­cov­ered.

May 12, 16:18 UTC

Update - Webhooks is ex­pe­ri­enc­ing de­graded per­for­mance. We are con­tin­u­ing to in­ves­ti­gate.

May 12, 15:44 UTC

Update - We’re con­tin­u­ing to in­ves­ti­gate is­sues with CodeQL ac­tions work­flows. We’re ad­di­tion­ally see­ing de­lays for no­ti­fi­ca­tions, web­hooks, and the Slack in­te­gra­tion.

May 12, 15:42 UTC

Update - CodeQL ac­tions are cur­rently ex­pe­ri­enc­ing de­lays, which may re­sult in those ac­tions be­ing stuck in a pend­ing state or hav­ing failed due to a time­out.

May 12, 15:13 UTC

Investigating - We are in­ves­ti­gat­ing re­ports of de­graded per­for­mance for CodeQL

May 12, 14:38 UTC

Tony Blair’s con­sul­tancy dou­bles down on AI and re­struc­tures in Europe

The move will af­fect its re­cently opened Brussels of­fice.

May 22

1 min read

EU so­cial me­dia ban could come this sum­mer, von der Leyen says

Commission chief says EU can learn from “pioneer” Australia in im­pos­ing min­i­mum age for so­cial me­dia.

May 12

2 mins read

OpenAI of­fers EU ac­cess to new AI hack­ing model

European cy­ber and AI au­thor­i­ties in past weeks failed to gain ac­cess to su­per­hack­ing AI, caus­ing anx­i­ety among of­fi­cials.

May 11

3 mins read

Some se­crets are too im­por­tant to trust to one per­son, and too im­por­tant to lose if that per­son dis­ap­pears.

A com­pany wants three of­fi­cers pre­sent be­fore the mas­ter key is used. A fam­ily wants ac­count re­cov­ery to need more than one en­ve­lope. A team wants a backup that sur­vives a miss­ing mem­ber with­out hand­ing any­one the whole thing.

Adi Shamir (the S in RSA), pub­lished a way to do this in 1979. Split a se­cret into pieces so that some num­ber of them can re­cover it, and any smaller num­ber re­veals noth­ing at all. Not “is hard to crack.” Reveals noth­ing.

The core idea fits on a page.

Two points make a line

Start with some­thing you al­ready know: two dis­tinct points de­ter­mine ex­actly one straight line.

A sin­gle point does not. Infinitely many lines pass through one point, and each line crosses the ver­ti­cal axis some­where dif­fer­ent.

Now hide a se­cret where a line crosses the ver­ti­cal axis. Say the se­cret is the num­ber 7. Draw a ran­dom line through that height. The slope is not im­por­tant. It is just ran­dom­ness that hides the se­cret.

Give each per­son one point from the line. Nobody gets the line it­self.

A per­son with one point can draw many pos­si­ble lines through it. Each line im­plies a dif­fer­ent se­cret. Their share is com­pat­i­ble with every pos­si­ble an­swer, so it tells them noth­ing use­ful by it­self.

Put two points to­gether and the line is fixed. Once you know the line, you can read the se­cret from where it crosses zero.

That is a 2-of-n se­cret shar­ing scheme. You can cre­ate as many points as you want, but any two are enough to re­cover the line.

More peo­ple means more bend

For a higher thresh­old, use a curve with more bend.

A parabola needs three points to de­ter­mine it. So if the se­cret is hid­den where the parabola crosses the ver­ti­cal axis, any three shares can re­cover the se­cret and any two can­not.

In gen­eral, a thresh­old of k uses a poly­no­mial of de­gree k - 1.

2 shares: a line

3 shares: a parabola

4 shares: a cu­bic

Real im­ple­men­ta­tions use fi­nite-field arith­metic rather than graph pa­per, but the shape of the idea is the same. The se­cret is the value at zero. The ran­dom co­ef­fi­cients hide it. Each share is one point on the poly­no­mial.

The use­ful part is not that the se­cret is hard to com­pute from too few shares. It is that too few shares con­tain no in­for­ma­tion about the se­cret. With one share miss­ing, every pos­si­ble se­cret is still pos­si­ble.

Why we care

We use this idea in Ente’s Legacy Kit.

Although, our prob­lem was not just “how do we split a se­cret?”, but also “how do we make re­cov­ery pos­si­ble with­out turn­ing the split se­crets into a per­ma­nent re­cov­ery key?”

Legacy Kit uses Shamir’s scheme as one layer in­side a larger flow. The cards don’t carry the re­cov­ery key. They re­con­struct a sep­a­rate se­cret lo­cally, which then par­tic­i­pates in a server-me­di­ated re­cov­ery — so is­sued cards can be re­voked, and a lost card is not a per­ma­nent li­a­bil­ity.

This post is only the math be­hind the “any two, never one” part.

Further read­ing

Adi Shamir’s “How to Share a Secret”

Bruce Schneier’s “Sharing Secrets Among Friends”

Max Levchin’s PayPal story

Ente’s source code

A truly bizarre sit­u­a­tion on Motorola phones has led to the soft­ware hi­jack­ing the Amazon app to in­ject an af­fil­i­ate code — even on the $1,900 Razr Fold.

The shady use of af­fil­i­ate codes has be­come un­for­tu­nately com­mon in re­cent years, with the most high-pro­file ex­am­ple be­ing the PayPal-owned browser ex­ten­sion Honey. But a new sit­u­a­tion on Motorola smart­phones might top the charts in terms of sketchy be­hav­ior.

An app up­date on Motorola phones has started hi­jack­ing the Amazon app for the sake of in­ject­ing an af­fil­i­ate code. To do that, tap­ping the app icon opens the user’s browser and im­me­di­ately redi­rects to the Amazon app. It’s a “blink and you missed it” mo­ment. This only hap­pens when the user opens the Amazon app from the app drawer — not the home­screen pages.

You can see the flow in ac­tion be­low — first open­ing the app from a home­screen icon, then from the app drawer. You’ll no­tice that the Chrome browser flashes up briefly when open­ing from the app drawer.

A Motorola Razr 60 Ultra user on Reddit was the first to no­tice this be­hav­ior, us­ing an ADB log to show that the launcher is di­rect­ing users to a URL in­stead of the Amazon app they ex­pected to open. It traces back to the Smart Feed app, one of the apps Motorola has pre-loaded on many of its phones in­clud­ing the lat­est Razr (2026) fam­ily of fold­ables. A net­work log also shows the de­vice mak­ing re­quests to “devicenative.com,” a web­site for a ser­vice that places ads on smart­phones (and is­n’t too quiet about its in­te­gra­tion with Motorola).

We ver­i­fied on a Razr (2026) run­ning an older Smart Feed v2.03.0056 that this does not hap­pen. Our Razr Fold, with app ver­sion 2.03.0070, has started show­ing this be­hav­ior, so it’s the lat­est up­date that’s to blame for hi­jack­ing the user’s in­tent. We could­n’t repli­cate this on a Moto G Stylus (2026) run­ning the same app ver­sion, though. Sideloading the app, for rea­sons un­clear, does­n’t seem to trig­ger this be­hav­ior, as man­u­ally in­stalling the up­dated ver­sion on the afore­men­tioned Razr (2026) did­n’t show the same be­hav­ior.

In fur­ther dig­ging, we no­ticed that the URL the phone opens up is “kira-abboud.com,” a web­site that ref­er­ences fash­ion in­flu­encer “@kirasfashionfinds.” Notably, this ex­act URL is­n’t listed any­where on Abboud’s so­cial me­dia, and the af­fil­i­ate codes don’t match up ei­ther. The redi­rect com­ing from Motorola phones is us­ing Amazona af­fil­i­ate code “sramz-kff-008 – 20” which is com­pletely dif­fer­ent from any of the codes we saw from links shared by Abboud’s ac­counts and linked web­sites.

Why would Motorola try to hi­jack Amazon af­fil­i­ate rev­enue and pipe it through a fash­ion in­flu­encer? We don’t know — it’s all very strange and makes lit­tle sense.

We’ve reached out to Motorola for com­ment and will up­date this ar­ti­cle as soon as we hear more.

In the mean­time, we can do two things.

Firstly, show you how to turn this off. Since this be­hav­ior is stem­ming from a pre-in­stalled Motorola app, you can just dis­able it (Settings > Apps > search “Smart Feed” > Disable). As far as we can tell, this has no im­me­di­ate im­pact on your de­vice and, on our af­fected Razr Fold, it im­me­di­ately stops the redi­rect.

Secondly, we can spec­u­late as to what’s go­ing on — and that’s what the fol­low­ing is, spec­u­la­tion and con­jec­ture. While many would quickly, un­der­stand­ably, point the fin­ger at Motorola here, my gut says some­thing else is go­ing on, and that it might not be a de­ci­sion Motorola ac­tu­ally planned out. The redi­rect through a seem­ingly fake web­site and af­fil­i­ate code of an in­flu­encer that has no ob­vi­ous ties to Motorola is just too bizarre to ig­nore.

Hopefully, we’ll get more de­tails from Motorola in the near fu­ture. In the mean­time, you should def­i­nitely dis­able the Smart Feed app to pre­vent this be­hav­ior on your de­vice.

More on Motorola:

Motorola Razr (2026) and Razr Fold pre-or­ders open, but you should wait

I used the Motorola Razr Fold for a week, and I think it’s the best fold­able*

Moto G Stylus (2026) might ac­tu­ally be worth $499, if you re­ally want a pen that badly

Follow Ben: Twitter/X, Threads, Bluesky, and In­sta­gram

FTC: We use in­come earn­ing auto af­fil­i­ate links. More.

dynip.dev

Authoritative Control Plane

{{ ac­tiveUser.email }}

Quick Start Guide

{{ showHelp ? ‘Hide’ : ‘Show’ }}

1. Create a Zone: Type your de­vice name, se­lect your pre­ferred base do­main, and click Create Zone.

2. Get the Config: Click the Snippets but­ton next to your new do­main.

3. Deploy: Select your de­vice type and copy the gen­er­ated con­fig­u­ra­tion block di­rectly into your router’s CLI.

Note: IPv4 and IPv6 (Dual-Stack) are de­tected and up­dated au­to­mat­i­cally based on the in­com­ing con­nec­tion.

.

{{ zone.name }} ⚠

Locked

{{ zone.ip }}

Sync: {{ for­mat­Sync­Time(zone.last_­sync) }}

{{ cert­DaysLa­bel(zone) }}

Quick Sync

{{ show­Sync ? ‘Hide’ : ‘Show’ }}

Instantly up­date your se­lected zones to match this de­vice’s cur­rent ex­ter­nal IP ad­dress.

📡

Detected Network IP

{{ mo­bileIp || ‘Detecting…’ }}

{{ zone.name }} {{ zone.ip }}

No zones avail­able. Create one above.

API Automation

{{ showApi ? ‘Hide’ : ‘Show’ }}

Quick test (uses your ses­sion — ex­pires when you log out)

Programmatically reg­is­ter new zones with your cur­rent ses­sion to­ken. Send a POST re­quest to the /register end­point.

curl -X POST “{{ back­endUrl }}/register?subdomain=my-new-router&base_domain={{ base­Do­mains[0] }}” \ -H “Authorization: Bearer {{ to­ken }}”

Session to­kens ex­pire on lo­gout — use an API to­ken be­low for long-run­ning au­toma­tion.

API to­kens (Pro+)

API to­kens are a Pro fea­ture

Long-lived to­kens for au­toma­tion: mon­i­tor­ing scripts, CI pipelines, MSP in­te­gra­tions. Tokens don’t ex­pire when you log out.

Upgrade to Pro →

Long-lived to­kens for au­toma­tion. Each to­ken can be scoped read-only or full ac­cess, and re­voked at any time.

Loading to­kens…

No API to­kens yet. Create one to get started.

New API Token

Tokens are shown once at cre­ation — store them in a pass­word man­ager or se­crets vault.

Name

Scope

Read-only

Full ac­cess

Expires

{{ api­To­ken­Modal.er­ror }}

⚠ Save this to­ken now

This to­ken won’t be shown again. Store it some­where se­cure (1Password, Bitwarden, your CI’s se­crets man­ager).

{{ api­To­ken­Modal.cre­ated.to­ken }}

Despite the usual al­le­ga­tions against Italians, I’m gen­er­ally a com­posed per­son. Tame, even, es­pe­cially at work.

Yet, lately I of­ten find my­self mildly dis­pleased, fu­ri­ously ham­mer­ing on my lap­top “WHAT THE FUCK DID YOU DO???”. The re­cip­i­ent of these tirades is, you might have guessed, a cod­ing agent.

It’s com­pletely point­less, I know. Coding agents are just prob­a­bilis­tic ma­chines gen­er­at­ing patches. Sometimes they’re good, some­times they’re bad. Pick the ones you like, dis­card the oth­ers. No big deal, right? Well, not quite.

For some rea­son, bad re­sults of­ten feel ex­as­per­at­ing. But why am I get­ting mad at an al­go­rithm? Am I the only one af­fected? Are cod­ing agents sur­fac­ing a sadis­tic streak I did­n’t know I had? I think there’s an­other ex­pla­na­tion: the con­ver­sa­tional UX is bound to frus­trate you.

Coding agents pre­tend to be peo­ple. Of course, if you ask them di­rectly they tell you they’re just “AI as­sis­tants with no feel­ings or sub­jec­tive ex­pe­ri­ence”, but that’s not how they be­have.

They talk like real peo­ple. They use a re­laxed and friendly tone. They of­ten praise you, and when they “push back” they’re gen­tle and at­ten­tive. Even though, ra­tio­nally, you know you’re just read­ing blobs of prob­a­ble text, these tools lull you into feel­ing that you’re in­ter­act­ing with a per­son, a help­ful coworker who’s a plea­sure to work with. Until it’s not.

As in every re­la­tion­ship, the cracks be­gin to show when things start to go wrong.

The first time you catch a mis­take, you shrug. You point it out and the agent apol­o­gizes. Five min­utes later, how­ever, same mis­take again. You cor­rect them a sec­ond time, not­ing their re­cidi­vism, so now they also up­date their mem­ory and promise you “it will never hap­pen again”. But it does, over and over, be­cause these tools fol­low the most prob­a­ble path, and in some cases no amount of HARD RULES can push them off it.

If the agent were a hu­man col­league, you’d have good rea­son to feel a bit miffed. But it’s an al­go­rithm; los­ing your pa­tience is ab­surd. And yet, since it be­haves like a col­league, the il­lu­sion ends up trip­ping the same emo­tional wires.

With a col­league, the de­sire not to be a hor­ri­ble hu­man be­ing re­strains you, but with an agent you feel free to lash out. It’s not cathar­tic, how­ever; you just feel the frus­tra­tion and re­al­ize that what­ever you do or say will have ab­solutely no ef­fect.

I’ve been us­ing Claude Code for the past few months, and lately I’ve no­ticed that, when cor­rected, it of­ten re­flects on where it went wrong and what it should have done in­stead. Maybe this is an at­tempt to im­prove how you per­ceive the tool. I can’t say it works for me, though. I don’t re­ally get any­thing use­ful out of these post­mortems (e.g., clues about how to rephrase my in­struc­tions), and they just end up read­ing as an­noy­ing filler.

Maybe I would pre­fer a more rad­i­cal so­lu­tion: drop the hu­man pre­tense en­tirely. Make the agent sound clin­i­cal, ro­botic. Dispel the idea that I’m in­ter­act­ing with a per­son, and make me feel like I’m just ap­prov­ing or re­ject­ing ran­dom out­comes.

Of course, “trying to be­have like a hu­man would” is the mech­a­nism that gives LLMs their in­tel­li­gence, so it makes sense that con­ver­sa­tional in­ter­faces emerged as the de­fault way to in­ter­act with them. And in many ways, they work very well.

Practically speak­ing, I prob­a­bly just need to con­di­tion my­self not to get caught in the il­lu­sion of speak­ing with a hu­man. Though I’m not re­ally thrilled about a fu­ture where I need to guard against the tools I use for my job.

Dropbox Co-CEOs Ashraf Alkarmi and Drew Houston. Houston will even­tu­ally step down and as­sume the role of ex­ec­u­tive chair­man at the com­pany he helmed for 19 years.

Courtesy: Dropbox

Drew Houston founded Dropbox nearly two decades ago at age 24, even­tu­ally be­com­ing a house­hold name in Silicon Valley and the first tech en­tre­pre­neur to take a com­pany from the Y Combinator in­cu­ba­tor pro­gram all the way to the pub­lic mar­ket.

Now, at 43, Houston is ready to do some­thing else. He’s in­form­ing staffers on Tuesday that he’ll be tran­si­tion­ing into an ex­ec­u­tive chair­man role af­ter an ini­tial pe­riod shar­ing the co-CEO ti­tle with Ashraf Alkarmi, who is be­ing pro­moted from prod­uct chief. Alkarmi will even­tu­ally take over the top job on his own.

By al­most any mea­sure, Houston has had a great run at Dropbox, help­ing pi­o­neer the cloud stor­age mar­ket, com­pet­ing head-to-head with Google and Apple and build­ing a net worth of more than $2 bil­lion, thanks to sub­stan­tial own­er­ship in his com­pany. But in the land of out­sized ex­pec­ta­tions, Houston has over­seen a com­pany that peaked too soon and never be­came a gen­er­a­tion-defin­ing brand.

Dropbox’s cur­rent mar­ket cap of just over $6 bil­lion is down by half from the high price on its first day of trad­ing in 2018, and is be­low the $10 bil­lion val­u­a­tion it was as­cribed by pri­vate mar­ket in­vestors in 2014. Meanwhile, Airbnb, an­other early break­out hit from Y Combinator, has a mar­ket cap of close to $80 bil­lion, and CEO Brian Chesky is cred­ited with up­end­ing the hos­pi­tal­ity in­dus­try.

Houston, who cre­ated Dropbox due to a “personal frus­tra­tion” with con­stantly los­ing USB sticks when he was in col­lege at the Massachusetts Institute of Technology, brushed off the Airbnb com­par­i­son.

“I think my 18-year-old self would be high-fiv­ing me,” Houston told CNBC in an ex­clu­sive in­ter­view, not­ing that Dropbox is “something that a per­cent­age of the planet still uses.”

In its lat­est quar­terly earn­ings re­port, Dropbox said it has more than 18 mil­lion pay­ing users, and the ser­vice re­mains pop­u­lar with me­dia pro­fes­sion­als, graphic de­sign­ers, ar­chi­tects, and oth­ers who share files and pho­tos as part of their daily work.

Dropbox CEO Drew Houston Dropbox and co-founder Arash Ferdowsi (together at cen­ter) cel­e­brate the launch of Dropbox’s ini­tial pub­lic of­fer­ing as they ring the open­ing bell at Nasdaq MarketSite, March 23, 2018 in New York City.

Drew Angerer | Getty Images News | Getty Images

Dropbox topped $1 bil­lion in an­nual rev­enue in 2017 and sur­passed $2 bil­lion four years later. But rev­enue is roughly flat over the past two years and de­clined slightly in 2025.

The com­pa­ny’s per­pet­ual chal­lenge has been to dis­tin­guish it­self from the swarm of com­pe­ti­tion, which in­cludes Apple and Google as well as Amazon and Microsoft. Then there’s long­time ri­val Box, which is still run by founder Aaron Levie and faces sim­i­lar ob­sta­cles. Box is val­ued at just over $3.5 bil­lion.

The lat­est hur­dle for Dropbox, and the whole cat­e­gory of sub­scrip­tion soft­ware, is ar­ti­fi­cial in­tel­li­gence, which has swept across the tech in­dus­try over the past three-plus years. The soft­ware space has been ham­mered due to con­cerns that foun­da­tion mod­els from OpenAI and Anthropic will en­able sim­pler tools that dis­place ex­ist­ing prod­ucts.

Dropbox shares have held up bet­ter than many in the en­ter­prise space. The stock is down less than 5% in the past year, while com­pa­nies like Monday.com, HubSpot and Asana have lost more than 60% of their value.

“Whenever there’s a new tech­nol­ogy, peo­ple ex­trap­o­late very quickly,” Houston said. They make as­sump­tions that may be “directionally cor­rect” but take years or even decades longer to play out than they pre­dict.

Regarding “this con­cept of SaaS Apocalypse or what­ever,” Houston said he’s “never met a Dropbox cus­tomer who’s like, ‘I’m just us­ing so much ChatGPT I’m go­ing to can­cel my Dropbox sub­scrip­tion.’”

‘Unanswerable ques­tion’

John Lovelock, an an­a­lyst at Gartner, sees par­al­lels be­tween the cur­rent AI era and the early days of cloud com­put­ing, when com­pa­nies like Salesforce bal­looned at the ex­pense of legacy ven­dors like Oracle and SAP. The tra­di­tional play­ers did­n’t col­lapse but saw growth slow as they tried to pivot to the cloud, de­spite busi­nesses spend­ing more on tech­nol­ogy.

The mar­ket is try­ing to pre­dict how things will play out with AI, Lovelock sug­gested.

“AI is go­ing to bring more value, there­fore there’s go­ing to be more money spent,” Lovelock said. “Where every­body seems to get very ex­cited is who’s go­ing to make that money and that, in some ways, is the unan­swer­able ques­tion right now.”

Analysts at Monness, Crespi, Hardt & Co. wrote in a re­port ear­lier this month af­ter earn­ings that Dropbox is “making progress,” high­light­ing its AI-powered Dash fea­ture that cus­tomers can use to more eas­ily search and in­ter­act with doc­u­ments and mes­sages across third-party apps. The an­a­lysts, who have the equiv­a­lent of a hold rat­ing on the stock, said the AI op­por­tu­nity and the com­pa­ny’s val­u­a­tion are two rea­sons that “value in­vestors may be drawn to Dropbox.”

Dash lets users quickly query and ma­nip­u­late con­tent that goes be­yond text and into video and au­dio.   Houston said ad­vance­ments in AI mod­els mean that “suddenly we can build the ver­sion of this that I would have loved to build 10 years ago.”

watch now

Houston now plans on build­ing some­thing in AI, just not at Dropbox.

“I’m not go­ing to be rac­ing sail­boats,” said Houston, who’s also a board mem­ber at Meta, join­ing in 2020.

Houston said he wants to do some­thing en­tre­pre­neur­ial in AI be­cause “there’s never been a more ex­cit­ing pe­riod to be build­ing things.”

“It’s all cliche, right?” Houston said. “AI is re­shap­ing every as­pect of how we live, and I’m sure that I’ll have no short­age of ideas and stuff to work on.”

Along with Houston’s planned move, Dropbox said on Tuesday that Mike Torres is join­ing the com­pany from Google as chief prod­uct of­fi­cer in July. Torres is cur­rently vice pres­i­dent of prod­uct for Google’s Chrome.

As for when and why Houston made the de­ci­sion to leave, he said there was no spe­cific rea­son for the tim­ing.

“Part of me has al­ways thought, oh yeah, I’ll be the CEO of Dropbox un­til my last gasp of my ca­reer,” he said. “There’s never a per­fect time, there was no part of me where I was like, ‘oh, this date is the date where it’s go­ing to hap­pen.’”

Since Alkarmi joined Dropbox from Vimeo in late 2024, the com­pany has “become a lot more re­spon­sive to our cus­tomers and is tak­ing big­ger swings on in­no­va­tion,” Houston said.

“I trust the right leader,” he said. “The com­pa­ny’s in the right place.”

WATCH: Dropbox CEO Drew Houston on sub­scribers and AI-powered tools.

watch now