The Year Security Theater Stops Working

Quantum deadlines are shrinking, your GPU is a liability, and Iran's already inside. Welcome to 2025's actual threat model.

Google just moved Q Day—the moment quantum computers can break current encryption—from “sometime after 2030” to 2029. That’s not a refinement. That’s a fire alarm.

The same week, researchers published new Rowhammer attacks that give complete control of machines running Nvidia GPUs. Not some edge case. Control. Of machines the entire AI industry is built on.

Meanwhile, self-propagating malware is poisoning open source software repositories. And Iranian state hackers are actively targeting American critical infrastructure with “escalated” tactics, according to a joint FBI, NSA, and CISA advisory.

These aren’t separate stories. They’re chapters in the same book: the one where the security assumptions we’ve been living under for thirty years collapse almost simultaneously.

The Encryption Problem Got Worse (And Closer)

Here’s what bothered me when I first read the quantum headlines: the framing was “it won’t be as expensive as we thought.” That’s not reassuring. That’s terrifying.

For years, the quantum threat felt theoretical. Yes, your RSA-2048 encryption could theoretically be broken by a sufficiently large quantum computer. But those machines would cost billions, require expert operators, and exist in maybe five places on Earth. The timeline was vague enough that everyone could pretend it was Someone Else’s Problem.

Google’s 2029 deadline changes the math. Not because we’re suddenly building working quantum computers at scale (we’re not). But because the engineers and cryptographers who actually build this stuff now think the window is seven years, not fifteen. When your threat model shrinks by half, you stop procrastinating.

The real damage isn’t 2029 anyway. It’s “harvest now, decrypt later”—a technique that’s already happening. Bad actors are vacuuming up encrypted data today, betting they’ll be able to read it in five years. Your bank statements. Your medical records. Your private keys. Sitting in someone’s server, waiting.

I think most of corporate America hasn’t actually processed this yet. They’re still doing the mandatory compliance theater—updating their encryption policies, checking boxes on audits. By the time they realize the stuff they encrypted five years ago is worthless, it’ll be too late.

Your GPU Isn’t a Computer Anymore

The Rowhammer news landed quieter than it should have.

These attacks exploit a hardware vulnerability that’s been known for a decade, but the new variants specifically target Nvidia GPUs. That matters because every major AI system you’ve heard of—every LLM training run, every inference cluster, every data center—runs on Nvidia silicon.

Rowhammer works by rapidly accessing specific memory locations, causing bit flips in adjacent cells. From there, an attacker can escalate privileges, escape sandboxes, or run arbitrary code. “Complete control” isn’t hyperbole.

The threat isn’t theoretical either. The researchers demonstrated it. And unlike the quantum threat to encryption, this doesn’t require waiting for better hardware. It works today.

My read: this is going to be the infrastructure security story of 2025 that almost nobody outside of ops teams will hear about. You’ll see some security vendor drop a firmware patch. Some enterprises will apply it. Most will deprioritize it because “we’re not seeing active exploits in the wild yet.” Then someone will, and it’ll be Sunday night when they realize they can’t patch 50,000 machines before Monday.

The Open Source Poison Is Already In the Well

Self-propagating malware that poisons open source repositories. That one sentence should keep every CTO up at night.

Open source is how the entire modern software stack gets built. Kubernetes, Linux, the ML frameworks everyone’s using—it’s all community-maintained code that flows into enterprise systems with minimal friction. The assumption has always been: “Many eyes on it means someone catches the bad stuff.”

That assumption is broken now.

When malware can spread through repositories and literally wipe machines (they specifically targeted Iran-based infrastructure), you’ve crossed from “bug” to “structural vulnerability.” The vector isn’t a zero-day. It’s the assumption that open source communities can police themselves fast enough to matter.

Here’s what makes it worse: the attacker demonstrated capability and precision. They didn’t trash random servers. They targeted Iran-based machines specifically. That’s not spray-and-pray malware. That’s a nation-state with enough reach to poison the well and enough patience to wait for it to propagate downstream into critical systems.

I genuinely don’t know how you fix this at scale. Code review harder? Audit every dependency? Most enterprises can’t even tell you what’s running in their containers, let alone who wrote it and whether that person’s been compromised. We’ve built a global software supply chain on trust, and trust just got a lot more expensive.

Why Everything’s Connected

This is where it gets grim. These aren’t isolated incidents—they’re symptoms of a system where every layer is simultaneously getting cheaper to attack and harder to defend.

Quantum threatens encryption. Rowhammer threatens the hardware that encryption runs on. Malware threatens the source code that everything uses. And meanwhile, actual nation-states are actively probing American infrastructure.

The Iranian hacker warning isn’t new intel. It’s a public acknowledgment that the threshold for government-level cyberattacks has dropped so far that they’re just… happening. Against grid infrastructure. Against hospitals. Against networks that keep the lights on.

A few years ago, this would’ve been framed as a security crisis requiring emergency funding. Today it’s a Friday morning news item before market open.

Google’s Offline AI Dictation Is a Tell

Here’s a weird thing: Google launched a new offline-first dictation app using Gemma AI models. No cloud. No internet required. Works on your device.

That’s not innovation theater. That’s a company building infrastructure for a world where they can’t guarantee cloud availability or privacy in transit. Why else make offline-first a feature? Because online-first is becoming a liability.

Arcee, a 26-person startup, built a high-performing open source LLM that’s gaining adoption among users worried about security and control. They’re not winning on speed or scale. They’re winning because people are starting to understand that depending entirely on cloud AI from massive corporations might be… not great.

The Money Still Flows (For Now)

Eclipse just raised a $1.3B fund for “physical AI” startups. Firmus, an Nvidia-backed Asia data center provider, hit a $5.5B valuation after raising $1.35B in six months.

Capital is still flowing toward building more infrastructure. Bigger chips. More data centers. Faster networks.

But I think we’re in a weird moment where the VC narrative and the technical reality are diverging. Everyone knows the threat surface is expanding. Quantum’s coming. Hardware’s vulnerable. Supply chains are poisoned. Yet the consensus strategy is still “build bigger, move faster, ship harder.”

That works until it doesn’t.

What I’m Watching

  • Google’s 2029 deadline vs. actual crypto migration timelines: Watch whether enterprises start announcing quantum-safe encryption rollouts in 2025. If it’s still radio silence by Q3, the “harvest now, decrypt later” harvest is going to be massive.

  • Rowhammer patches in the wild: Specific trigger—when the first major enterprise discloses an active Rowhammer exploit against their infrastructure, the entire data center industry recalibrates overnight. That conversation’s probably happening behind closed doors right now.

  • How fast malware actually propagates through open source: If we see a second poisoning incident in the next 18 months, the entire model of “trust the commons” collapses. We’ll pivot to either hyper-centralized package management or accept that dependencies are security theater.

  • Iranian cyberattack escalation against U.S. infrastructure: The real threshold to watch isn’t another advisory. It’s an actual successful outage—power grid, telecom, water system. Not a probe. An actual hit. That’s when government starts moving from warning to action.