The Week Crypto Met Ransomware Met Email, and Nothing Got Better
A ransomware negotiator went rogue, quantum crypto fears are overblown, and Big Tech is quietly redesigning how we communicate. Here's what actually matters.
We’re watching the security industry eat itself while pretending everything’s fine.
This week served up a perfect microcosm of how Silicon Valley’s threat models are completely backwards. A ransomware negotiator—someone literally hired to reduce criminal payouts—pleaded guilty to helping ransomware gangs maximize their cuts. A former Pinterest team shipped a genuinely thoughtful email client. YouTube expanded deepfake detection. Iran-linked hackers hit US critical infrastructure. And everyone’s still arguing about whether 128-bit encryption will survive the quantum apocalypse.
The disconnect is wild. We’re obsessing over theoretical future threats while the present ones are being helped along by people inside the security industry itself.
The Insider Job Nobody’s Talking About
Let’s start here: a ransomware negotiator worked for a cybersecurity firm. Their literal job was to talk down criminals demanding ransom payments. Instead, they flipped—helping the gangs understand how to extract maximum value from victims, then taking a cut.
This isn’t sophisticated. It’s not a zero-day exploit or a supply chain compromise. It’s basic corruption, and it’s the kind of thing that should terrify corporate security teams way more than it does.
Here’s why it matters: ransomware economics depend on uncertainty. Victims don’t know what’s realistic to pay. Gangs don’t know what they can actually extract. Negotiators exist to collapse that uncertainty downward, saving victims money. When someone inside that process flips, they’ve basically turned the victim side’s informational advantage into an informational disadvantage. It’s like having the opposing team’s playbook—except it actually works.
The scariest part? This person was trusted. They had access. They weren’t a rogue state actor or a teenager in a basement—they were part of the established security infrastructure. If one person did this, how many others have quietly done the same?
Photo by www.kaboompics.com / Pexels
Why Your Quantum Panic Is Premature (But Not Wrong)
The headlines this week hit both sides of the quantum crypto debate. One says AES-128 is “just fine” post-quantum. Another warns that “Big Tech is closer to the Q-Day danger zone.”
Both are technically true, which means both are useless without context.
Here’s the actual engineering read: quantum computers will break RSA and other public-key systems. That’s not theoretical—it’s a mathematical certainty if someone builds a sufficiently large quantum computer. When (not if) that happens, all the encrypted traffic intercepted today could theoretically be decrypted tomorrow. That’s the real threat: harvest now, decrypt later.
But symmetric encryption like AES? That’s different. You’d need quantum computers roughly twice as powerful to crack it through brute force as classical computers, and the computational overhead is so steep that it’s not actually a practical attack vector. The headline’s right—AES-128 will be fine.
The catch: most people aren’t actually using AES-128 for everything. They’re using RSA for key exchange, then AES for bulk encryption. RSA is dead in a post-quantum world. You need to swap it out before quantum computers arrive, because any encrypted data captured today becomes vulnerable retroactively.
My read: the panic is misdirected. We’re not actually in the danger zone yet, but we should have already started transitioning. Instead, most enterprises are still running the same infrastructure they deployed in 2015. That’s the real Q-Day risk—not that encryption is suddenly weak, but that we’ll still be using quantum-vulnerable algorithms when the first practical quantum computers show up.
The Great VMware Exodus Is Actually a Trust Thing
Broadcom bought VMware. Now “thousands” of enterprises are migrating off VMware infrastructure because of negative views of Broadcom.
That’s a wild statement. Not because it’s shocking—enterprise sentiment shifts fast—but because it suggests the acquisition fundamentally broke something that had nothing to do with the actual product.
VMware’s virtualization tech didn’t get worse when Broadcom took over. The code is the same. The performance is the same. But the social contract changed. Enterprises aren’t just buying software; they’re betting their entire infrastructure on a company’s continued investment and non-predatory pricing. Broadcom’s reputation apparently makes customers think that bet is risky.
This is what happens when Big Tech consolidation finally hits a nerve. Not because the product sucks, but because the owner’s incentives seem misaligned with the customer’s needs.
Photo by UMA media / Pexels
Email Redesigned (Seriously)
Meanwhile, some former Pinterest engineers shipped Extra, an email client that isn’t terrible.
I mention this because it’s funny and also important. Email in 2024 is still largely the same as email in 2004. We’ve bolted on filters, labels, AI summaries, and search. But the fundamental model—a reverse-chronological inbox where notifications compete for your attention—is ancient.
Extra supposedly flips this: it’s built around your life, not your mailbox. I haven’t used it, and I’m skeptical that a new email client solves email’s real problem (too much of it), but the fact that serious engineers are taking another shot at this suggests the market knows something’s broken.
It’s the inverse of the VMware story. Broadcom inherited a trusted product and fumbled the trust. These designers inherited a broken category and are trying to fix the fundamentals.
The Larger Pattern
This week’s news isn’t about any single threat. It’s about institutions failing in different directions.
Security firms that hire people they can’t trust. Enterprises running obsolete encryption while arguing about quantum timelines. Infrastructure getting hit by state-sponsored ransomware because the basic defenses aren’t in place. Meanwhile, some good people are trying to fix small things (email) and new platforms are trying to break users out of doomscrolling habits.
It’s not coherent. It’s not optimizing. It’s just… happening.
What I’m Watching
1. Broadcom’s customer retention numbers through Q3 2024. If the “thousands” migrating off VMware becomes tens of thousands, we’re looking at the first real crack in the Big Tech consolidation model. Watch for specific announcements from major clouds (AWS, Azure, Google Cloud) about VMware alternatives becoming production-ready.
2. NIST’s Post-Quantum Cryptography timeline and enterprise adoption. The government recommended transitioning to quantum-resistant algorithms. If we hit 2025 and Fortune 500 companies still haven’t started pilot programs, Q-Day just got closer. Watch for the first mandatory customer deadline from a major cloud provider.
3. The ransomware negotiator case’s sentencing and what it triggers. If the punishment is light, this becomes a profitable side hustle for security insiders. If it’s harsh, it might actually deter people. Either way, watch whether other firms audit their negotiators for similar corruption. The silence would be the real tell.
4. Whether Extra or Bond actually reduce how much time people spend in apps. These are both betting that better UX can change behavior. I’m skeptical, but if either one gets north of a million engaged users, it’s evidence that people actually want different defaults—and that changes what the next generation of apps should optimize for.
The ransomware negotiator is in a cell because they chose profit over position. Broadcom is watching customers leave because they chose consolidation over trust. And a few smart people are building alternatives because they think institutions can still be fixed. One of those bets is going to look obviously right in a year. I just don’t know which one yet.