TrendNew Politics. Diplomacy. Markets. Tech. What matters.

The Security House is Burning and We're Arguing About the Arson

From quantum encryption to AI exploit-finding, the infrastructure holding up the internet just got a lot more fragile—and the companies building it are acting very strange

We’re living through a security inflection point and nobody’s talking about it like it matters.

In the last month, we’ve watched Russia’s military hack thousands of consumer routers. Iran-linked groups disrupted US critical infrastructure. There’s a new GPU attack that gives hackers complete machine control. Quantum computers are apparently going to break encryption faster and cheaper than we thought. And meanwhile, the AI labs are releasing products that climb 52 spots on the App Store in days while simultaneously refusing to release other models because—they claim—those models are too good at finding security holes.

The story here isn’t any single headline. It’s the pattern. The infrastructure is cracking. The defenders are getting outpaced. And the companies at the frontier are making moves that look less like security precaution and more like competitive gatekeeping dressed up in safety language.

The Old Guard Gets Pwned

Let’s start with what actually happened. Iran-linked hackers disrupted operations at US critical infrastructure sites. Russia’s military compromised thousands of consumer routers. These aren’t theoretical attacks or lab demos. These are working intrusions at the systems that keep the grid lit, pipes flowing, and networks humming.

The router compromises are particularly bad because they’re so banal. Consumer routers aren’t sophisticated targets. They’re commodity hardware running dated firmware. The fact that Russia’s military—not some random cybercrime gang, but state-level operators—is bothering with mass router compromises tells you something: they’re building infrastructure for larger operations. Persistence. Reconnaissance. Staging points for lateral movement into actual targets.

This is different from 2016. Different from 2020. The attacks have moved from “let’s steal credit cards” to “let’s establish permanent presence in the networks of our adversaries.” That’s a different threat model. That’s patient, operational, and funded.

The Math Got Worse

Then there’s the quantum encryption thing, which is being massively under-covered.

For years, the NIST timeline was: quantum computers would take decades to mature, encryption standards would transition gradually, everyone would sleep fine. Now? Quantum computers need “vastly fewer resources than thought” to break vital encryption. The economic problem—the thing we were counting on to buy time—just evaporated.

This isn’t immediately catastrophic for banking or military systems with proper key rotation. But it absolutely is for anything encrypted right now with the assumption it’ll stay secret for 20+ years. Medical records. Patent filings. Government communications. Diplomatic cables. Someone’s recording these encrypted streams right now, betting that in 10-15 years, a quantum computer will decrypt them retroactively. That’s not paranoia. That’s basic SIGINT tradecraft.

The timeline just compressed. Not from “eventually” to “soon.” From “soon” to “oh shit, we might’ve already waited too long.”

The GPU Trap

The Rowhammer attack on Nvidia GPUs is the kind of thing that makes me genuinely uncertain about the resilience of modern infrastructure.

Rowhammer exploits have been around since 2014. They’re a physics problem—DRAM cells leak charge, you hammer nearby cells with read patterns, you flip bits in adjacent memory. Theoretically fixable. In practice? Still happening. Now it’s happening at scale on GPUs, which are increasingly central to everything: AI inference, cryptocurrency, scientific computing, you name it.

“Complete control of machines running Nvidia GPUs” isn’t an exaggeration. If you can flip arbitrary bits in GPU memory, you own the machine. And if you can own the GPU, you can own the systems around it. This matters because GPUs are now in data centers running your cloud services, your AI models, your backups.

I don’t know if there’s a practical patch or if this is a permanent hardware vulnerability class. That uncertainty alone should be terrifying.

Where the AI Labs Get Weird

Here’s where I lose patience with the narrative being fed to us.

OpenAI is under investigation by Florida’s AG over ChatGPT allegedly being used to plan an attack that killed people. That’s real. That’s serious. That’s a legitimate reason to examine how these tools are being deployed and safeguarded. I get it. I don’t love it, but I get it.

But then Anthropic announces it’s limiting the release of Mythos because the model is “too capable of finding security exploits.”

And Meta’s AI app bounces from #57 to #5 on the App Store.

And nobody’s asking the obvious question: if Mythos is dangerous because it can find exploits, why is Meta’s AI app finding its way into a million hands?

My read is this: Anthropic is using a legitimate security concern as cover for competitive gatekeeping. Here’s why I think that. If you believe a model is genuinely dangerous because it finds exploits well, then the move isn’t to “limit release”—it’s to not release it at all, or to give it to vetted security researchers under strict protocols. Instead, they’re putting themselves in the position of arbiter of who gets access to this capability. That’s power. That’s control.

Meanwhile, if Meta’s AI app is safe enough to push to millions of users at breakneck velocity, then Anthropic’s safety argument gets a lot shakier. Either these models are dangerous or they’re not. The inconsistency suggests something else is driving the decision.

I could be wrong about their motives. But the pattern is real: frontier labs claiming safety restrictions while racing to capture consumer market share. That’s not security. That’s competition wearing a safety costume.

What Actually Scares Me

The StubHub settlement is almost irrelevant except for what it signals. An AI company got away with deceptive fee structures for years because enforcement was slow and fines were small relative to revenue. Now imagine that same dynamic but applied to security. How long until we discover an AI lab knew about a vulnerability, kept it quiet to maintain advantage, and by the time anyone found out, nation-states had already weaponized it?

The Mercor breach is a startup getting destroyed after a data compromise and losing customers. That’ll happen more. Companies aren’t going to spend on security until they’ve already gotten breached and it costs them everything. The market doesn’t fix this. Insurance doesn’t fix this. Only regulation and architecture changes fix this. Neither is happening fast enough.

And the Iranian and Russian intrusions are just the opening bell. If state actors can compromise routers and critical infrastructure now, they’re testing capabilities they’ll use at scale later. This is the reconnaissance phase.

We’re two or three years away from something that makes 2016 DNC email dumps look quaint. And we’re spending cognitive energy arguing about whether an AI lab’s safety claims are genuine while the actual infrastructure holding everything up gets quietly perforated.

I think this ends one of two ways: either we get serious about security architecture—actually serious, meaning redesign-level work—or we accept that major internet services and critical infrastructure are going to experience significant breaches as a normal operating condition. We’re not going to prevent them. We’re just going to absorb them.

What I’m Watching

  • Quantum encryption transition timelines from NIST. If they’re moving the deadline up more than 18 months from current projections, that’s the signal that the math got worse faster than expected. Watch for announcements around the post-quantum cryptography standards this quarter.

  • Whether Anthropic actually restricts Mythos access or opens it up under pressure. If they release it within 6 months to any significant group, the safety argument was theater. If they keep it restricted past Q2 2025, then maybe they meant it. Either way, that tells us something about frontier safety culture.

  • The next critical infrastructure incident’s response time. When Iran or Russia hits something real—not a test probe but an actual operation against grid or water systems—how fast do we find out? How long does recovery take? That latency is our actual defense capability.

  • Whether the Mercor lawsuits settle for more than 5% of the company’s $10B valuation. If they do, that’s a signal that data breach liability is becoming material enough to change behavior. If they settle cheap, we know the market still doesn’t price security as real risk.

The house isn’t just burning. We’ve stopped noticing the smell of smoke.