The Great Unraveling: When Software Eats Itself

Google moves Q Day to 2029, supply chains get poisoned, and users revolt against AI. The foundation is cracking.

The call is coming from inside the house.

While everyone’s been fixated on ChatGPT writing poetry and autonomous cars maybe working someday, the actual infrastructure that runs our digital world is quietly falling apart. Google just moved quantum supremacy’s “Q Day” up to 2029 — five years ahead of most estimates. Self-propagating malware is poisoning open source repositories and wiping machines across Iran. The Trivy scanner, used by millions to check for vulnerabilities, got compromised in its own supply-chain attack.

Meanwhile, federal cyber experts are calling Microsoft’s cloud offerings “a pile of shit” while approving them anyway. And in perhaps the most telling sign of where we’re headed, Bluesky users have blocked an AI tool called Attie more than any account except J.D. Vance.

Something is breaking. The question is whether we can see it coming.

The Quantum Countdown Nobody Asked For

Google’s acceleration of Q Day to 2029 should terrify anyone who understands what it means. For the uninitiated: Q Day is the moment when quantum computers become powerful enough to crack RSA encryption — the mathematical foundation that secures everything from your banking app to state secrets.

Five years.

That’s not “someday in the distant future” anymore. That’s within the current presidential term plus one more. Every security protocol, every encrypted hard drive, every HTTPS connection relies on math that will become trivial for quantum machines to solve. The NSA started warning about this in 2015, recommending organizations begin transitioning to quantum-resistant algorithms. Most ignored them.

I’ve been tracking quantum progress since IBM first put a 5-qubit machine on the cloud in 2016. The advancement curve looked safely exponential back then — impressive in labs, decades from practical threat. But Google’s new timeline suggests they’ve hit some breakthrough that’s not public yet. Maybe better error correction. Maybe a new qubit architecture. Maybe both.

The really ugly part? Post-quantum cryptography standards only got finalized by NIST in 2024. Most companies haven’t even started implementing them. Financial institutions are still running systems built in the early 2000s. Government agencies are worse.

When Software Attacks Itself

While we’re counting down to quantum doomsday, today’s attacks are getting more sophisticated in ways that should scare everyone building software.

The self-propagating malware targeting Iran demonstrates something new: attacks that specifically hunt for and poison open source dependencies. This isn’t random vandalism. It’s systematic infrastructure warfare designed to corrupt the building blocks that all modern software depends on.

Think about your last project. How many npm packages did you pull down? How many Python libraries? Ruby gems? Maven dependencies? Now multiply that by every developer in your organization, every CI/CD pipeline, every Docker image. Each one is a potential attack vector.

The Trivy scanner compromise makes this even more insidious. Trivy is specifically designed to find vulnerabilities in container images and codebases. Organizations trust it to tell them what’s safe. But if the security scanner itself is compromised, you’re not just missing threats — you’re potentially introducing them while thinking you’re being careful.

I spent three years at a container security startup. The number of enterprises that blindly trust scanning tools without verifying the scanners themselves would make you never use software again. Most security teams treat these tools like gospel. “Trivy says it’s clean” becomes the end of the conversation.

The Iran targeting adds a geopolitical dimension that’s new for supply-chain attacks. Previous incidents like SolarWinds or the Kaseya compromise were mostly about espionage or ransomware revenue. This looks more like digital sabotage — malware designed to destroy rather than steal. It’s a preview of what software warfare looks like when nation-states start treating code repositories as legitimate military targets.

The Cloud That Nobody Wants to Admit Sucks

Federal cyber experts calling Microsoft’s cloud “a pile of shit” while approving it anyway perfectly captures where enterprise IT is in 2024. Everyone knows the emperor has no clothes, but the tailors are the only game in town.

Microsoft’s Azure has been plagued by security incidents for years. The 2021 breach exposed tens of thousands of customers. The 2023 Storm-0558 attack let Chinese hackers read State Department emails. Earlier this year, Russian groups accessed Microsoft corporate systems and read senior leadership communications.

But what choice do organizations have? AWS dominates infrastructure, but Microsoft owns the office productivity stack that runs most of corporate America. Google Cloud is growing but still third. The switching costs are enormous, and the alternatives aren’t necessarily better.

This creates a dangerous monoculture where critical infrastructure depends on systems that even the experts know are fundamentally flawed. It’s like living in a city where all the buildings were constructed by the same contractor, and everyone knows he cuts corners, but it would cost too much to rebuild.

The VMware situation makes this worse. Cloud service providers are asking EU regulators to reinstate VMware’s partner program, which tells you how dependent the entire industry has become on VMware’s virtualization stack. When one company’s licensing decisions can threaten an entire ecosystem, you don’t have a healthy market — you have a critical dependency masquerading as choice.

The Great AI Rejection

Here’s what nobody in Silicon Valley wants to talk about: users are starting to reject AI tools en masse, and Bluesky’s Attie is just the beginning.

More than 125,000 Bluesky users blocked Attie within days of its launch. For context, that’s more blocks than any account except J.D. Vance — and J.D. Vance is the Vice President of the United States with decades of political baggage. An AI tool managed to become more universally despised than one of the most polarizing political figures in America.

This isn’t about the technology being bad. Attie probably works fine at whatever it’s designed to do. This is about trust, consent, and users finally having a platform where they can effectively say no to algorithmic manipulation.

The rejection is particularly notable because it’s happening on Bluesky — a platform that attracted users specifically seeking alternatives to algorithmic timelines and AI-driven engagement. These aren’t Luddites. They’re often technical users who understand how these systems work and have made a conscious choice to avoid them.

I think we’re seeing the beginning of a broader backlash against pervasive AI integration. After two years of every software company cramming chatbots into their products whether users want them or not, people are getting tired of being test subjects for half-baked AI features.

The Apple email situation reinforces this tension around AI and privacy. Apple will hide your email address from apps and websites — a genuinely useful privacy feature — but not from law enforcement. It’s privacy theater that makes users feel protected while maintaining government access. As AI systems get better at connecting disparate data points, these partial privacy measures become even more meaningless.

The Infrastructure Crisis Nobody’s Pricing In

ScaleOps raising $130 million to solve GPU shortages and AI cloud costs is a symptom of a much bigger problem: the infrastructure requirements for AI are fundamentally unsustainable at current adoption rates.

Every major tech company is burning through GPU capacity like it’s 1999 and they’re buying servers with monopoly money. NVIDIA’s H100s are backordered for months. Cloud providers are rationing GPU time. The power requirements are getting ridiculous — some AI training runs consume more electricity than small cities.

ScaleOps is betting they can optimize this mess through better automation and resource management. Maybe they can squeeze more efficiency out of existing hardware. But they’re trying to solve a mathematical problem with engineering, and the math might not work out.

The fundamental issue is that modern AI architectures are incredibly wasteful. Transformer models require massive parallel computation for tasks that humans do efficiently with wetware that consumes about 20 watts. We’re essentially using nuclear reactors to power light bulbs because we haven’t figured out how to build better light bulbs.

This creates a weird dynamic where AI capabilities are advancing faster than the infrastructure can sustainably support them. Companies are making promises about AI integration that assume infinite cheap compute, while the actual costs are spiraling toward unsustainable levels.

Mantis Biotech’s approach to building “digital twins” of humans shows where this leads. They’re creating synthetic datasets to train medical AI because real data is too expensive, too scarce, or too legally problematic to use. It’s simulation all the way down — AI trained on fake data to solve real problems.

What This Means for the Next Five Years

My read is that we’re entering a period of forced consolidation and infrastructure reality-checking that’s going to be painful for everyone who’s been assuming the current trajectory continues forever.

The quantum timeline forces a security reckoning that most organizations aren’t prepared for. The supply-chain attacks demonstrate that our development practices are fundamentally insecure. The cloud monoculture creates systemic risks that nobody wants to acknowledge. The AI backlash suggests users are getting tired of being beta testers. And the infrastructure costs are approaching levels that only the largest companies can sustain.

These aren’t separate problems. They’re all symptoms of the same underlying issue: we’ve built a digital infrastructure that prioritized growth and convenience over security, resilience, and sustainability. Now the bills are coming due simultaneously.

The companies that survive the next five years will be the ones that treat these as systemic challenges rather than individual problems to solve. Security can’t be an afterthought when quantum computers can crack your encryption. Supply chains can’t be black boxes when malware can propagate through dependencies. AI can’t be mandatory when users are actively rejecting it. And infrastructure costs can’t be ignored when they’re growing faster than revenue.

I expect we’ll see a return to more conservative, security-first development practices. More companies will bring critical functions in-house rather than depending on external services. The AI bubble will deflate as organizations realize that most AI features don’t actually solve problems users have.

The irony is that this correction might actually lead to better technology. When you can’t just throw more GPUs at a problem, you have to build more efficient solutions. When you can’t trust external dependencies, you write cleaner, more maintainable code. When users can reject features they don’t want, you focus on building things they actually need.

But the transition is going to be messy, expensive, and probably involve some spectacular failures along the way.

What I’m Watching

  • Post-quantum crypto adoption rates — If major financial institutions and cloud providers don’t start serious migrations by mid-2025, the Q Day transition will be catastrophic
  • Supply-chain attack sophistication — Whether the self-propagating malware techniques spread beyond geopolitical targets to criminal operations
  • User revolt metrics — If the Attie blocking pattern appears on other platforms as AI features get pushed more aggressively
  • GPU capacity vs. AI demand — Whether the infrastructure scaling problems force a consolidation in AI capabilities or genuine efficiency breakthroughs

The foundation is cracking, but most people are still building on top of it like nothing’s wrong.