The Mess We're Making: Security Theater, Fraud Blindspots, and Where the Real Problems Hide

---

The quantum-safe ransomware headline landed this week like a press release everyone was supposed to care about, and I spent 20 minutes trying to figure out why. A ransomware family is now quantum-resistant. Great. Except we’re not in a quantum computing era yet, which means someone optimized for a problem that won’t exist for another decade while we’re still getting ransacked by techniques from 2015.

This is the state of tech security in 2024: we’re running at full sprint toward the wrong finish line.

Photo by Ibnu Maulana / Pexels

When the Basics Aren’t Basic Anymore

Start with the university websites. Top-tier institutions—the places where 17-year-olds submit their social security numbers and parents wire tuition payments—are serving pornography to visitors. Not maliciously injected content. Just… bad housekeeping. Outdated plugins. Domains they own but forgot to renew. Abandoned subdomains pointing at ad networks that’ve turned into sewers.

This isn’t a vulnerability in the sophisticated sense. It’s institutional negligence wearing a tech costume.

Microsoft had to emergency-patch ASP.NET on macOS and Linux because of an unspecified threat. Palantir is helping the IRS investigate financial crimes using software that’s apparently been doing so since at least 2018—a detail buried deep in reporting that nobody seemed shocked by. A US-sanctioned currency exchange says a $15 million heist was done by “unfriendly states,” which is both specific and completely vague in the way that makes me think they’re not actually sure who stole it.

The actual security problem isn’t the algorithms. It’s execution. It’s the person who inherits a university’s web infrastructure and doesn’t know what half the domains do. It’s the developer who patches systems on Tuesday but doesn’t update the load balancer config. It’s the executive who buys a $200 million data-analysis tool without actually understanding what data it can see.

AES-128 encryption is perfectly fine for post-quantum scenarios, by the way—the cryptography researchers are clear on this. But that headline got less attention than the quantum-safe ransomware story, because “we already solved this five years ago” doesn’t move the needle. Bad news is invisible. Good news about how you don’t need to panic yet doesn’t sell.

Photo by UMA media / Pexels

When VCs Become Victims

Steve Ballmer got duped by Joseph Sanberg and wrote a letter to the judge about it. Ballmer. One of the sharpest operators in tech history. A guy who built his wealth by ruthlessly seeing through nonsense. And he still got taken.

This tells you something darker than fraud statistics ever could. If Ballmer can get fooled, the vetting process is theater. Due diligence is a ritual that makes people feel like they did their homework. It’s not actually stopping the cons.

What gets interesting is that Ballmer was clear about feeling silly. That matters. The culture in VC right now is to rationalize losses as “learning experiences” or market cycles. Ballmer named the thing—“I was duped”—in a way that acknowledges the actual failure instead of wrapping it in startup mythology. But that letter didn’t change anything about how VCs pick founders. Tomorrow, someone else gets taken.

The Pronto news—a house-help startup potentially doubling its valuation to $200 million in weeks based on a rumor from sources—sits in the exact same territory. The speedrun from $100M to $200M isn’t driven by unit economics or some breakthrough in how domestic staffing works. It’s driven by Lachy Groom’s reputation, which itself is based on past wins that worked out. The prediction that worked once becomes the credential that closes the next round, regardless of whether the conditions have changed.

My read: we’re in a phase where capital is flowing fastest to people with the shiniest track records, which means the people most likely to get conned are the ones with the most to lose. Ballmer can afford Sanberg. But smaller LPs buying into funds run by operators with one or two hits? They’re the actual victims we’re not talking about.

The Weird Mergers Nobody’s Talking About

Cohere swallowing Aleph Alpha to create a “transatlantic AI powerhouse” is the kind of announcement that’s technically a merger but functionally an acquihire with a press release. Two companies building AI for regulated industries in different continents combine to… build AI for regulated industries in both continents. There’s probably synergy there. There’s also probably a bunch of redundant infrastructure and overlapping customer bases.

What’s interesting is the timing. We’re six months past the “every startup needs AI” mania cooling down to “okay, but which AI actually works.” Cohere’s move reads like: we can’t compete with OpenAI or Anthropic in the raw model space, so we’ll own the “safe for compliance” lane by combining our Canadian legitimacy with German regulatory credibility. It’s defensible strategy. It’s also quieter than Cohere announcing some breakthrough model would’ve been.

Two college kids raising $5.1 million pre-seed for an iMessage social network is the flip side of the same coin. Series grew popular on college campuses, which is where every social app starts. But iMessage-native social apps have a structural ceiling—you’re always one iOS update away from Apple cutting off your oxygen. That’s not a moat. That’s a lease.

Yet it raised $5.1 million from serious investors. Why? Because college-campus adoption is still the clearest signal we have that something might work. It’s a proxy that’s losing credibility fast, but it’s the proxy we’ve got.

Photo by Monstera Production / Pexels

What Actually Matters

Here’s what I think is happening: we’ve built such complex security infrastructure that we’ve stopped noticing when the simple stuff breaks. We’re obsessed with quantum threats while university websites leak porn. We’re funding transatlantic AI mergers while fraud vetting still boils down to “did this person’s last company work out?”

The ransomware that’s quantum-safe? It’ll be a speed bump in a post-quantum world, assuming we ever get there. The real threat is still the unpatched server. The still-active AWS key someone committed to GitHub in 2019. The admin password that’s “Password123” in seventeen spreadsheets.

Palantir helping the IRS since 2018 without massive public outcry says something interesting about how far we’ve let government data analysis go without a real fight. Not that it shouldn’t happen—financial crime is real. But the fact that it’s been happening quietly for six years is the actual story, not the fact that we’re hearing about it now.

I’m genuinely uncertain whether the Pronto valuation spike signals a return to earlier-stage hype or just normal growth for something that’s apparently working. That’s the honest read. If it hits $200M, it means capital’s returning to pre-2023 patterns. If it stalls, it means we’ve actually learned something about differentiation.

What I’m Watching

• Microsoft’s emergency patches. Track whether these become a pattern or a one-off. If ASP.NET keeps requiring emergency updates, that’s a sign the codebase has gotten too complex to maintain safely. Specifically: watch for a pattern of 30-day intervals between major patches.

• Whether Ballmer’s letter changes VC due diligence. It won’t, but I’m watching to see if any major fund announces new vetting requirements in response to fraud cases. If you see that in Q2 2024, it means the industry is actually scared rather than just embarrassed.

• How long Cohere stays independent. If they’re acquired by a larger AI company within 18 months, the merger was basically a holding pattern before an exit. If they’re still standalone in 2026, it means the compliance-AI lane is viable.

• Series’ next funding round. If they raise a Series A at above $500M valuation, it means iMessage-native apps have crossed into legitimate category status. Below that, and it means the pre-seed was a lottery ticket, not a trend.