The Summer Your Router Became an Espionage Tool
Quantum threats, VMware exodus, and the infrastructure we forgot to patch—the tech industry's security bills are coming due all at once
Your home router is probably compromised right now. Not “might be.” Probably is.
Russia’s military has spent the last year quietly hacking thousands of consumer routers—the beige boxes most people ignore until the Wi-Fi drops. These aren’t sophisticated intrusions targeting government networks. They’re mass-market devices sitting in living rooms, connecting to your laptop, your phone, your smart TV. And if you haven’t updated the firmware since 2022, you’re running on borrowed time.
This isn’t separate from the other things breaking in tech right now. It’s all the same problem wearing different masks.
When the Foundation Cracks
Big Tech is allegedly “closer to the Q-Day danger zone” with recent quantum computing advances. For those who’ve successfully avoided this conversation: Q-Day is when quantum computers become powerful enough to shatter the encryption protecting everything from your bank account to nuclear weapons infrastructure. We’re talking about a world where old encrypted data—stuff that’s worthless today—becomes valuable again the second the math changes. Intelligence agencies have been harvesting encrypted communications for years, betting they’ll crack them eventually.
The timeline for this was supposed to be 10+ years away. Now it apparently isn’t.
Meanwhile, Iran-linked hackers have been systematically disrupting operations at US critical infrastructure sites. Not stealing. Not testing. Actually disrupting. Hospitals, power grids, water systems—the stuff that fails quietly in a way nobody notices until people can’t get dialysis or traffic lights stop working.
And then there’s Broadcom’s acquisition of VMware, which has apparently been so unpopular that thousands of companies are actively migrating away. A “rival” (the unnamed competitor in that headline) is claiming this exodus is happening because customers have “negative” views of Broadcom. That’s corporate-speak for “Broadcom is actively destroying customer trust,” which in enterprise software is basically a death sentence.
Photo by Jakub Zerdzicki / Pexels
These aren’t isolated incidents. They’re symptoms of the same disease: the tech industry has been optimizing for speed, scale, and shareholder returns while security, stability, and maintenance have become afterthoughts.
The Everything App Meets the Security Void
Uber is now picking up your returns from your doorstep. This is positioned as “the latest effort to become an everything app”—their phrase, not mine. Anthropic just launched Claude Design to help non-designers pitch ideas without hiring a designer. Google’s AI now helps you track specific hotel prices and find products in stock nearby.
These are all real products, all shipping this quarter. And they’re all operating in an environment where the basic security infrastructure is crumbling.
Here’s my honest read: the push to become “everything apps” is happening because growth in core products has stalled. AWS grows single digits now. Google’s search margins are under pressure. Uber’s ride-sharing is mature. So the entire industry is simultaneously trying to expand surface area and add new revenue streams—which means more code, more integrations, more APIs, and mathematically more security surface for bad actors to exploit.
You can’t build an everything app on a foundation that’s being actively undermined.
The Surveillance Question Nobody Wants to Answer
Section 702 of the Foreign Intelligence Surveillance Act is set to expire in April. This is the legal basis for warrantless surveillance that’s been used by the FBI, NSA, and local law enforcement for years—often against people with zero connection to actual threats. The law has been repeatedly abused. Multiple administrations have run roughshod over the very thin legal guardrails.
But here’s the catch: even if Section 702 expires, the government’s spy powers won’t automatically lapse. They’ll find another legal hook. Or they won’t bother with legal hooks at all.
The fact that lawmakers are “split” on reform tells you everything you need to know. There’s no stomach for actually curtailing surveillance infrastructure once it exists. Congress will argue about it, maybe water it down, then reauthorize it in some form. The game is already lost—we’re just negotiating the terms of surrender.
And meanwhile, your router is being used to spy on you.
Photo by UMA media / Pexels
Bluesky Gets DDoS’d; Nobody’s Surprised
Bluesky, the Twitter alternative that everyone’s been hyping, experienced a DDoS attack that knocked the service offline. They’ve confirmed it. They’re fixing it. Moving on.
This is almost quaint compared to everything else happening. A small-ish social platform got attacked by someone and stopped working for a few hours. This used to be news. Now it’s a footnote.
What it actually represents: the decentralized web we’ve been promised for fifteen years still can’t handle basic operational challenges. Bluesky runs on proprietary infrastructure despite its open-source positioning. When something goes wrong, you’re waiting for the team to fix it—same as Twitter, same as every centralized platform.
The promise was different. The reality is always the same.
My Actual Take
I think we’re about to see 18-24 months of very expensive corporate reckoning.
Companies are going to have to choose between continuing the everything-app expansion race or actually securing their core infrastructure. They won’t do both. The math doesn’t work. You can hire ten new product managers to ship features, or you can hire security engineers to patch legacy systems. The incentive structure pushes you toward features.
Quantum computing timelines slipping forward means enterprises need to start migrating encryption systems now if they want to be done in 5-7 years. Most of them haven’t even started thinking about it. When they do, it’s going to consume engineering resources the way Y2K did in the late ’90s.
The VMware exodus is the first domino. When customers start voting with their feet, others follow. Broadcom will either course-correct or slowly bleed out. This matters because VMware is infrastructure—like routers. When infrastructure providers lose customer confidence, you get a period where migration costs are astronomical and security gets worse before it gets better.
And the surveillance infrastructure keeps expanding regardless of what Congress does because the incentives are all pointed in one direction.
What I genuinely don’t know: whether the router hacks are a precursor to something larger, or if they’re just opportunistic. If they’re a trial run for something more coordinated, we’re probably not going to know until after it happens.
Photo by Denys Gromov / Pexels
What I’m Watching
-
VMware migration velocity through Q3 2024. If the exodus accelerates beyond “thousands” into “tens of thousands,” that’s the signal that enterprise customers have fundamentally lost faith. Watch for which sectors are leaving first—financial services and healthcare migrate early, followed by everyone else.
-
Quantum timeline announcements from IBM, Google, or other NIST competitors. The next credible announcement that pushes realistic Q-Day estimates closer than “10 years” will trigger actual encryption migration budgets. Watch for government procurement RFPs starting to mention quantum-resistant cryptography as a requirement.
-
Section 702 reauthorization details in April. Specifically, whether Congress adds any meaningful oversight mechanisms or whether they just rubberstamp an extension. If there’s actual reform language in the bill, it suggests someone in government understands the problem. If it’s a clean reauth, surveillance wins and we move on.
-
Bluesky and other decentralized platforms’ DDoS mitigation success rates. If Bluesky can’t solve basic resilience problems by Q3, it validates that federated social media still isn’t ready for scale. That matters because it’s supposed to be the alternative to corporate platforms. If it keeps failing, centralization wins again.
The routers will keep getting hacked. That’s almost certainly going to keep happening until someone makes it economically painful for manufacturers to ship insecure defaults. Spoiler: that won’t happen voluntarily.