I’m trying to get as much of Cloudfest 2026 Gen Xfest 2026 out of my head and on to the blog before it all disappears. I was new to this conference and knew absolutely no one. Add to that I attended alone, so I had nothing to do but sit in on sessions. So that’s what I did. I must have sat through 40+ sessions over 4 days.*
Anyway, I covered two of the major themes at the conference in my previous posts about digital sovereignty in Europe and the AI bonanza, so this one will be about the third major theme running through most sessions: security [gasp!]. This one will be pretty easy in some ways because there was a truism going around that in the before times malware and other malicious code would generally take weeks, or even months, before being exploited.
This meant that patching could actually work and you might have a snowball’s chance in hell at keeping things secure. Now, in the after AI times, malicious code is being exploited, on average, 5 hours after it hits the server. That means all sysadmins have to sleep in 4-hour shifts now. Or better yet, buy predictive software with three million pre-cogs in a pool somewhere that can stop the crime before it happens. Security has gone just as batshit crazy as AI, or maybe because of AI.
I have enough anxiety about our server fleet at night already, I don’t need any more. We’re not stupid, we buy all the software, but the whole security/AI arms race is getting out of control. Another oft-repeated phrase: “with AI the attack surface is much larger.” Translation: all these apps, plugins, and themes vibe-coded into existence can be huge attack vectors.
The “attack surface” line is usually followed by: “with AI able to help folks easily create and update malware at a rate heretofore unimaginable, we need more AI to fight that AI.” The arms race in security is already hard at work. It’s so easy to see how AI can quickly create as many problems as it solves in this department.
One of the most salient questions asked on a security panel—mostly delivered by vendors, so with the usual dose of fear, uncertainty, and doubt—was this:
As risks scale exponentially, are we funding open source maintainers to help stem the tide?
Crickets.†
That really highlighted that no matter how much money you throw at the predictive security game, the underlying infrastructure the internet runs on is fundamentally at risk because it’s underfunded. It’s funny how software reflects the same problems as society: concentration of wealth, chronic underfunding, and just enough fear and uncertainty to keep us all in line.
________________________________________
*I’ll do a quick post at some point where I just quickly jot as many of them down as possible for memory’s sake. The other piece about Gen Xfest worth noting is I didn’t join any of the extra-curriculars. I was all business all the time. I’m sure I missed a whole different side of the conference. But I just didn’t have it in me, I needed to read and write—so that’s what I did.
†The age-old problem of folks making money on top of open source without contributing reared its uncomfortable head. This is why Matt Mullenweg went nuclear a couple of years ago. His methods were extreme and ultimately backfired, but his core sense of being pissed off and fed up was right on. I imagine his ire grows greater and greater every day with all the agentic AI web building shit for WordPress being pushed to market faster than big American banks could take a bonus before begging for a bailout.

The non-funding that led to the Heartbleed bug in 2014 was the reason I started the “Open Source Contribution Fund” at the BC Libraries Cooperative in 2014, which just celebrated its 12th year of donations https://bc.libraries.coop/news/2025-open-source-contribution-fund/. It’s a pittance, we are a small Coop supporting libraries after all, but I had hoped to inspire others to take similar actions. The result – mostly crickets.
That is very cool, and provides a great model. If more small organizations, for- and non-profits, did just that it would make a big difference. Let’s Encrypt has done a good job pushing companies to contribute, and I wonder if there’s a lesson there. Maybe AI will help solve this problem, but from what I’ve heard it’s just spreading those folks that much thinner. Sometimes the fragility of it all is all too apparent and I wonder if we are heading for an internet Chernobyl.