The Week Open Source Broke, AI Diagnosed Better Than Doctors, and a TikToker Nearly Bought an Airline
Why this chaotic week reveals the real fragility of tech's foundation—and where the actual power is shifting
Ubuntu’s infrastructure went dark for over a day. A Linux vulnerability so severe it caught the entire industry flat-footed. An open-source package with a million monthly downloads quietly harvested credentials. A supply-chain attack specifically targeted security firms—the ones we’re supposed to trust to keep us safe.
And then a TikToker spun up a janky website in an hour and got 36,000 people to pledge $23 million to buy Spirit Airlines before his servers crashed.
This week wasn’t just chaotic. It was instructive. It showed us exactly where the tech industry’s confidence is misplaced and where real leverage actually lives.
The Open Source Unraveling
Let’s start with the obvious: open source is broken in ways we’re only now willing to admit out loud.
The most severe Linux threat in years hit, and the industry wasn’t ready. That’s not a metaphor—Ubuntu went down. The infrastructure that underpins cloud computing, DevOps, half the internet’s backend: offline for a day-plus. That’s not a glitch. That’s a stress test we failed.
Then there’s the supply-chain attack on Checkmarx and Bitwarden. This is the part that should keep CISOs awake. These aren’t random targets. These are security companies. Companies whose entire job is to prevent exactly this. The attackers went after the gatekeepers, which means either the gatekeepers have a vulnerability the attackers exploited, or—more likely—they just walked through the front door because nobody was checking IDs properly.
And then the package with a million monthly downloads started stealing credentials. A million downloads. Not a niche library. Something embedded in thousands of production systems, probably right now, in your company’s codebase somewhere. Maybe you’ve got it running on your infrastructure. You won’t know unless you actually looked.
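“You won’t know unless you actually looked” is the operative point, so here is what looking means in practice: walk the lockfile, including transitive dependencies that never appear in your own manifest, and compare every installed version against the advisory’s affected range. This is an added example, not code from the article; the npm-style lockfile, the package names and the advisory entry are all constructed placeholders, and the introduced/fixed range fields follow the OSV convention rather than any specific feed.

```python
"""Dependency-inventory check: does a lockfile pull in a package version
that an advisory flags?  Added example; the lockfile and advisory data
below are constructed, not real packages or real advisories."""
import json

# Constructed npm lockfile (v2/v3 shape: "packages" keyed by install path).
# Transitive dependencies appear too, which is the point: the flagged
# package may not be in your own package.json at all, and the same
# package can be installed more than once at different versions.
LOCKFILE_JSON = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0",
         "dependencies": {"web-framework-x": "^4.0.0"}},
    "node_modules/web-framework-x": {"version": "4.2.1",
         "dependencies": {"color-utils-y": "^2.0.0"}},
    "node_modules/color-utils-y": {"version": "2.3.0"},
    "node_modules/web-framework-x/node_modules/color-utils-y": {"version": "2.1.9"}
  }
}
"""

# Constructed advisory list using OSV-style "introduced"/"fixed" bounds.
# "color-utils-y" and the advisory id are placeholders, not real names.
ADVISORIES = [
    {"id": "PLACEHOLDER-ADVISORY-001", "package": "color-utils-y",
     "introduced": "2.2.0", "fixed": "2.3.1",
     "summary": "credential-harvesting code added in a compromised release"},
]


def parse_version(v):
    """Turn '1.2.3' (or '1.2.3-beta') into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("-")[0].split("."))


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed may be None: no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def installed_packages(lock):
    """Yield (name, version, install_path) for every installed package,
    including nested copies under another package's node_modules."""
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        # Last "node_modules/" segment gives the name; scoped names keep their '@scope/'.
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta["version"], path


def find_flagged(lock_text, advisories):
    """Return one record per installed package version inside an affected range."""
    lock = json.loads(lock_text)
    hits = []
    for name, version, path in installed_packages(lock):
        for adv in advisories:
            if adv["package"] == name and is_affected(
                    version, adv["introduced"], adv.get("fixed")):
                hits.append({"id": adv["id"], "package": name,
                             "version": version, "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_flagged(LOCKFILE_JSON, ADVISORIES):
        print(f"{hit['id']}: {hit['package']}@{hit['version']} at {hit['path']}")
```

Run against the constructed data, only the top-level copy of color-utils-y (2.3.0) is reported; the nested 2.1.9 copy predates the compromised range and is left alone, which is exactly the distinction a blanket “do we use this package?” grep would miss.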
My read: Open source maintainers have been running on fumes and hope for years. A few volunteers patching code in their spare time, no accountability structure, no real security review process—just the collective assumption that “many eyes make all bugs shallow.” That’s Linus’s Law, and it’s beautiful in theory. In practice? The eyes stopped showing up around 2015, and we’ve been coasting on reputation ever since.
The industry will respond with the usual: more security scanning tools, maybe some funding initiatives, a few op-eds about sustainability. None of that addresses the core problem, which is that we’ve built the entire digital foundation on volunteer labor and then act shocked when it cracks.
Photo by Markus Winkler / Pexels
AI Diagnosing Better Than the Doctor
Now flip to the other side of this week: Harvard researchers found that at least one large language model offered more accurate emergency room diagnoses than human doctors.
Not marginally more accurate. Reportedly better. On real ER cases.
This is the moment where the hype and reality start occupying the same space in a way that makes both defenders and critics uncomfortable. We’ve spent years hearing “AI will replace radiologists!” followed by quick corrections that “no actually radiologists will use AI as a tool.” Both statements feel safer than what the Harvard study actually suggests: in at least one critical domain, the machine made better decisions than the human.
I’m genuinely uncertain what this means operationally. Does it mean hospitals should trust the model’s diagnosis over their ER doc’s? Obviously not—one study isn’t epidemiology. But it does mean we’re past the “AI is interesting for medicine” phase and into the “AI might be better at some things than we are” phase. That’s philosophically different.
The weird part? We’re simultaneously tightening security around medical AI and loosening the guardrails everywhere else. Emergency room diagnosis is high-stakes; we’ll probably regulate it heavily. Meanwhile, we’re letting open-source packages with a million users run unvetted in critical infrastructure. That risk distribution makes no sense.
Photo by UMA media / Pexels
When Confidence Outpaces Reality
Here’s what ties these stories together: we’ve built a technology industry that’s split between paranoia and magical thinking, and we don’t know which side of the split any given person is on.
Security teams are rightfully paranoid about supply-chain attacks and Linux vulnerabilities. They’re checking logs at 3 AM. They’re sweating.
But venture capitalists, founders, and the press are living in magical-thinking mode. A TikToker creates a landing page on Sunday and raises $23 million in pledges by Monday. An AI startup steals art from a “This is Fine” meme creator and puts it on billboards saying “stop hiring humans”—and the story is treated as amusing rather than obviously contemptible. Universities are serving porn because of “shoddy housekeeping.” We’ve normalized incompetence so thoroughly that actual infrastructure failures read like comedy.
The ticket-to-robotaxi question—“how do you issue a ticket to a robotaxi?”—isn’t actually a technical question. It’s a regulatory one. And we haven’t answered it, which means we’re rolling out robotaxis in a legal gray zone while simultaneously panicking about open-source malware.
This is the actual fragility: not that the code is broken (it is), but that we can’t hold two thoughts in our heads at once.
The Confidence Trap
The TikToker with $23 million in pledges is the metaphor I keep returning to. He built it in an hour. It crashed immediately. The entire thing is held together with duct tape and genuine interest from people who trust him more than they trust actual institutions.
That’s not confidence. That’s the absence of alternatives.
We trust a YouTuber to maybe buy an airline because we’ve completely lost faith in the institutions that are supposed to handle these things. We trust an LLM to diagnose ER cases because we’re not sure we trust the humans anymore. We don’t trust open-source maintainers, but we use their code anyway because there’s no other option.
The actual story of this week isn’t “security is broken” or “AI is miraculous” or “TikTok is powerful.” It’s: the foundations are cracking, we know it, and we’re either panicking or pretending it’s fine—sometimes both simultaneously.
My prediction: Within the next six months, we’ll see either a major supply-chain attack that affects something critical enough to trigger actual regulation (not just meetings and committees), or we’ll see an LLM diagnosis that’s wrong in a way that kills someone and creates a legal precedent. Maybe both. When that happens, the magical thinking phase ends.
The paranoia phase, though—that’s going to get worse before it gets better.
What I’m Watching
- Ubuntu and the Linux ecosystem’s actual response timeline. Did this week produce real systemic changes or just patches? Watch whether major distributions announce new security governance structures by Q2 2024. If not, the crisis was entertainment, not catalyst.
- The next high-profile open-source breach. Not if—when. Track which company it hits and whether it’s something embedded in infrastructure (like this week’s million-download package) or something more visible. Visibility determines whether regulation follows.
- How hospitals actually use the Harvard LLM study. One paper that says models beat doctors gets released, and within months you’ll see either cautious integration protocols or zero uptake. That ratio tells you whether medicine is ready for AI or just talking about it.
- Robotaxi ticketing infrastructure. Seriously. Watch for the first major jurisdiction to issue a citation to an autonomous vehicle and see what actually happens. That moment clarifies whether we’re shipping products or philosophy.