
The Security House Is On Fire, And We're Arguing About The Thermostat

While startups chase dog food funding, criminals are stealing millions through social media and quantum-proof ransomware is already here. Here's what actually matters.


We’ve hit a strange inflection point in tech. The infrastructure is cracking in real-time while capital is pouring into premium pet food startups. I’m not being glib about Golden Child’s $37 million raise—the market’s efficient, and if someone’s willing to fund it, there’s a there there. But the timing feels almost satirical when you stack it against what’s actually happening in the systems we depend on.

An open source package with a million monthly downloads just got caught exfiltrating credentials. Microsoft had to emergency-patch ASP.NET on Linux and macOS. A ransomware gang’s confirmed using quantum-safe encryption. Social media scams hit $2.1 billion in losses last year—an eightfold increase. Meanwhile, university websites are serving porn because nobody’s doing basic housekeeping.

This isn’t chaos. It’s worse. It’s predictable chaos, which means we’re choosing it.


The Package That Broke Trust

Let’s start with the open source bomb. A widely-used package hitting a million monthly downloads got caught stealing user credentials. That’s the supply chain nightmare we’ve been warned about since 2020, except it actually happened and we’re moving on like it’s Tuesday.

Here’s what gets me: this wasn’t a zero-day in some obscure encryption library. This was someone adding malicious code to something millions of people depend on. The developers probably assumed—like we all do—that open source crowds would catch problems. But in reality? Most people running that package never looked at the code. They npm-installed it and forgot about it.

This is how the system actually works now. We’ve built a digital economy on the assumption that thousands of strangers will quality-assure code out of pure love for the craft. Spoiler: they won’t. Not consistently. Not at scale.

The open source community does produce incredible software. I’m not anti-open source. But we’ve let it become the default infrastructure layer for everything while pretending community review solves every problem. A million monthly downloads means we’re betting the farm on randomness.

Post-Quantum Is Already Here (And We’re Not Ready)

Here’s the thing that actually kept me up: a ransomware family is now confirmed quantum-safe. Not theoretically quantum-safe. Not “ready for 2035.” Actually, right now, using quantum-resistant encryption.

For years, this was abstract. Cryptographers published papers. Security conferences had panels. Everyone agreed we’d “transition to post-quantum crypto eventually.” The timeline was fuzzy. Could be 2030. Could be 2050. Plenty of time, right?

Except criminals don’t wait for consensus. The fact that a ransomware gang is already deploying quantum-safe encryption means two things: First, they think quantum computers capable of breaking current RSA might arrive sooner than the official timeline. Second, they’re confident enough to implement it now.

That’s not the behavior of people hedging their bets. That’s the behavior of people who’ve done the math and decided the window’s closing faster than we think.

The weird counterpoint here is that AES-128 is apparently still fine. I read the headline: “Contrary to popular superstition, AES 128 is just fine in a post-quantum world.” That one actually made me pause. If AES-128 survives quantum computers, then maybe we’re not in as much of a rush as the ransomware gang thinks. Or maybe quantum computers break RSA but not AES, which would mean the threat model is narrower than the hype suggests.

I genuinely don’t have full clarity on this, and I hate saying that. The technical answer probably depends on what assumptions you make about quantum computing timelines and capability scaling. But the broader point stands: we’re in this weird zone where threat actors are already assuming the post-quantum world exists, while most enterprises are still running 2020-era encryption. That gap will kill someone’s quarter.
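As an added note that is not part of the original column, here is the textbook argument behind that headline. It assumes nothing beyond the standard cost bounds for Shor's and Grover's algorithms; the article itself gives no figures.

```latex
% Shor: factoring an n-bit RSA modulus is polynomial on a quantum computer,
% so RSA-2048 falls outright once a large enough machine exists.
\text{Shor:}\qquad T_{\mathrm{RSA}}(n) = \mathrm{poly}(n)

% Grover: exhaustive search over a k-bit key space only gets a square-root speedup.
\text{Grover:}\qquad T_{\mathrm{AES}}(k) = \Theta\!\left(\sqrt{2^{k}}\right) = \Theta\!\left(2^{k/2}\right)

% AES-128 therefore needs on the order of 2^64 Grover iterations, and each
% iteration is a full AES evaluation run in superposition, applied sequentially.
k = 128:\qquad 2^{128/2} = 2^{64}\ \text{sequential Grover iterations}

% Throwing hardware at it barely helps: splitting the key space across p machines
% gives each one sqrt(2^k / p) iterations, i.e. only a sqrt(p) wall-clock speedup,
% while the total work grows to sqrt(p * 2^k).
\text{per machine:}\quad \Theta\!\left(\sqrt{2^{k}/p}\right),\qquad
\text{total work:}\quad p\cdot\sqrt{2^{k}/p} = \sqrt{p\,2^{k}}

% Doubling the key restores the classical margin against Grover.
k = 256:\qquad 2^{256/2} = 2^{128}
```

The gap between "polynomial" for RSA and "2^64 sequential iterations" for AES-128 is the whole story: a quantum computer that breaks RSA does not automatically break AES, which is why the threat model for symmetric ciphers is narrower than for public-key ones.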


$2.1 Billion Reasons We’ve Lost The Plot

The FTC’s number hit me harder than the quantum stuff: consumers lost $2.1 billion to social media scams in 2025. Eightfold increase. It’s now the leading fraud vector, beating out phone calls and email.

Think about that. We built recommendation algorithms that can show you a 47-second video of someone’s dinner seven seconds after they filmed it. But we can’t stop Grandma from wiring $15,000 to a Facebook scammer pretending to be her grandson.

The problem isn’t technical. It’s that the platforms’ incentive structure is completely misaligned. A scammer’s engagement is still engagement. A stolen-credentials post still gets impressions. The cost of fraud to Meta, TikTok, or Instagram is theoretical—it’s regulatory risk, not direct revenue loss. The cost to users is absolute and immediate.

Throw in university websites serving porn because of shoddy housekeeping, and you’ve got a picture of institutions that’ve outsourced security thinking to “we’ll handle it if something breaks.” That worked when the attack surface was small. It doesn’t work now.

The Microsoft Patch That Shouldn’t Exist

An emergency update for ASP.NET on Linux and macOS. Let’s not skim over that. Microsoft’s patching a critical threat on platforms where it’s historically had minimal footprint. That means the attack surface expanded way beyond Windows shops. If you’re using ASP.NET in Linux containers, you got hit.

These aren’t discrete incidents. They’re symptoms of the same disease: infrastructure growing faster than our ability to maintain it responsibly.

My Read: We’re In Triage Mode Whether We Admit It Or Not

Here’s my honest take. We’ve hit a point where the security industry is three steps behind threat actors, open source is a trust arbitrage game, and enterprise security budgets are fighting fires instead of preventing them.

The quantum-safe ransomware isn’t a fluke. It’s a signal. The $2.1 billion in social media fraud isn’t a data point. It’s a market. The open source breach isn’t a scandal. It’s the baseline failure rate when you scale trust to a million dependencies.

I think—and I’m genuinely betting on this—that we’ll see enterprise spending shift hard toward zero-trust architectures and least-privilege access over the next 18 months. Not because CISOs suddenly got smart, but because they’ll get audited or breached or have to explain losses to boards, and zero-trust will be the checkbox that saves their job.

The scary part? Even that doesn’t fix the open source problem or the social media fraud problem. Those require solving human behavior at scale, which isn’t a technical problem.

What I’m Watching

  • The quantum ransomware ecosystem’s next move — If we see three more confirmed quantum-safe ransomware families by Q3 2025, that’s not a trend, that’s a migration. Watch for variant announcements and copycat implementations. That’s when we know it’s not just one outlier group.

  • OpenAI’s AWS buildout speed — They just cleared Microsoft’s legal peril with those concessions. How fast do they actually move product onto AWS? Quarterly earnings calls in Q2 will show if this is real or theater. Revenue velocity matters more than the deal structure.

  • Letterboxd’s buyer reveal — A social platform for film buffs going to market in a down M&A environment tells you something about how capital views community platforms. Versant (CNBC’s parent) versus The Ankler is a fascinating choice. The buyer will signal whether media companies are buying niche audiences or nostalgia.

  • Post-quantum adoption timelines for Fortune 500s — Microsoft’s now moving on it. Watch for announcements from major cloud providers about quantum-safe migration programs. If AWS or Google publicly commit to timelines in the next six months, that becomes the new standard everyone has to hit.