Risky Bulletin – Between Two Nerds: Why We Are Doomed to Insecurity
Date: February 9, 2026
Hosts: Tom Uren (A) & The Gruk (B)
Overview
This episode of "Between Two Nerds" dives into the uncomfortable reality that society is, and perhaps always will be, fundamentally insecure when it comes to cybersecurity. Tom Uren and The Gruk explore why most people—and organizations—don’t really care about security, why this is the rational outcome of our collective incentives, who actually should care, and why meaningful improvements remain so elusive. The discussion is peppered with industry anecdotes, war stories, and a sobering acknowledgment that security, in the real world, is a tradeoff society is largely willing to lose.
Main Topics & Key Insights
1. Nobody Cares, and That's (Sort of) Fine
- Hunter Brook & the "Ubiquiti" Incident (01:06–04:35)
- Tom recounts a hedge fund's exposé on Ubiquiti devices allegedly used by the Russian military. Despite supposed sanctions violations and "smoking gun" evidence, the market didn’t care: stock price barely moved.
- “...the market doesn't care about sanctions in this case.” – Tom Uren (03:52)
- Historical Parallel: St. Jude Medical (04:35–05:54)
- Similar tactics—exposing cybersecurity flaws to profit from share price dips—haven't driven lasting security improvement.
- “I couldn't sleep at night knowing that we had done this. It would sit badly with me.” – The Gruk (05:31)
2. Real-World Consequences are Rare
- Medical Device Hacking – Hype vs. Reality (05:54–07:01)
- Media scares notwithstanding, there are few, if any, real-world cases where device vulnerabilities led to physical harm.
- “I don't think a nation state needs to do that. If they want to kill someone, they have a lot of options.” – The Gruk (06:35)
- Security Practices of High-Risk Individuals (07:01–08:03)
- Government leaders (e.g., Dick Cheney, Kamala Harris) sometimes take extra security measures, but for most people, that's overkill.
3. Security vs. Convenience
- Most People Don’t, and Shouldn’t, Care (08:04–09:49)
- “For the vast majority of people, most of the time, good security in things is not that important…” – Tom Uren (08:04)
- Exceptions Exist: Vulnerable Minorities (08:32–10:20)
- People targeted for stalking, holding cryptocurrency, or in specific high-risk professions do have motivated adversaries.
- “For a significant minority of the population that is a problem. But…the dynamic is that it's hard for a minority to get the majority to invest a lot in better security...” – Tom Uren (09:58)
- The Tradeoff: Friction vs. Freedom (10:20–12:44)
- “The security trade off is between friction and freedom… The more security you have, the higher friction you deal with.” – The Gruk (10:20)
- E.g., Ukrainian soldiers use stricter security due to heightened threat, but this level of effort would be intolerable for regular users.
4. Society’s Chosen Status Quo
- A Pervasive Yet Unremarkable Insecurity (12:44–15:28)
- Intelligence professionals and a few other demographics genuinely need more security, but can’t enforce it everywhere or for everyone.
- “It's very difficult to protect your pattern of life if everything else is…effectively an open book...” – Tom Uren (15:28)
- Systemic Vulnerability: The OPM & Related Hacks (13:25–15:28)
- Even elite government workers are at risk due to vulnerabilities in shared services (insurance, airlines, hotels).
- “There's a small amount of people who care that their medical insurance provider was vulnerable to getting hacked… I don't think that those people have enough clout to change it.” – The Gruk (14:48)
5. Do States Care Enough?
- States React When They Suffer—Not Before (15:52–18:08)
- Security generally receives focus only after a high-profile incident (e.g., Albania, Russia post-attacks).
- “You will be vulnerable for that first bit and that will suck, but then you get better and it doesn't matter anymore.” – The Gruk (17:55)
- The Economic Perspective: Security Slows Innovation (18:22–19:02)
- Investments in security are a tradeoff against economic speed and efficiency.
- “It's not clear to me that more security would have left us in a better place today.” – Tom Uren (18:56)
6. Ransomware: The Relentless Incentive
- Ransomware: Perverse Yet Powerful Motivator (19:45–21:41)
- “Ransomware provides this sort of opportunistic adversary, which in theory should mean that the lowest of low hanging fruit has an incentive to do the bare minimum.” – The Gruk (19:45)
- Unlike targeted short-selling schemes (Hunter Brook, Muddy Waters), ransomware has enduringly driven basic improvements.
- Bug Bounties Are Limited (21:26–22:06)
- “Bug bounties are a proactive feature, whereas I think ransomware is passive.” – The Gruk (21:29)
7. The Truly Vulnerable—and the Limits of Solutions
- No Fix for Physical World Threats (22:03–22:46)
- “If someone's going to cut your finger off to get money from you, I don't know if changing your password is necessarily the security solution that will work.” – The Gruk (22:46)
- Powerful Minorities Can Sometimes Force Basic Improvements (23:00–24:14)
- E.g., politicians and military exert some leverage on core infrastructure security (carriers, telcos).
Notable Quotes & Memorable Moments
- On Security vs Convenience:
"The opposite of security is not insecurity, it's convenience." – Tom Uren (11:26)
- On Policy Making:
“It seems like the world is ending or it should end because of how bad everything is. But it's been like that since like the 90s, right. It's always just like things are so bad. We could like at any point this sort of cyber apocalypse can hit us. And the fact that it hasn't, I think doesn't reflect that it's not possible, but rather that no one benefits from doing it who could actually do it.” – The Gruk (25:38)
- On Industry Cynicism:
“I think after like 20 years, you suddenly go, right, yeah, I don't really care that much about security.” – The Gruk (26:54)
Episode Timestamps
- 00:03–01:06 — Opening & Introduction to Hunter Brook/Ubiquiti case
- 02:03–03:29 — Ubiquiti’s market response & government sanctions
- 04:35–05:54 — St. Jude Medical, short-selling, real-world impact
- 07:46–08:04 — Everyday security habits & government caution
- 10:20–12:44 — Friction vs. freedom, usability vs. security
- 13:25–15:28 — Systemic vulnerabilities, OPM, insurance & airline hacks
- 15:52–18:08 — Why states only tackle security reactively
- 19:45–21:41 — Ransomware as a driver for baseline security
- 21:41–22:46 — Bug bounties vs. ransomware, why neither solves the 'hard' minority use cases
- 23:00–24:14 — Minorities with power pushing for network-level improvements
- 25:38–26:54 — “Cyber apocalypse” hasn’t happened and why
- 26:54–27:07 — Final remarks, "cyber sensei" stage of resignation
Tone & Style
Throughout, Tom and The Gruk are wry, self-deprecating, and candid, combining humor (“Welcome to the last episode of Between Two Nerds”) with deep industry insight. Their resignation about the state of security is offset by their clear-eyed, matter-of-fact explanations of why we’ve ended up this way.
Key Takeaways
- Mass security improvement is unlikely because most people don’t, and rationally shouldn’t, care.
- Most breaches and insecurities only matter to a tiny, vulnerable minority—who lack the leverage for systemic change.
- Major improvements only happen after significant pain; otherwise, society tolerates endemic insecurity.
- Tradeoffs between innovation and security are real, and our status quo reflects that balance.
- There is no grand cyber apocalypse—just a persistent, manageable background level of compromise.
This episode is a must-listen (or must-read) for anyone seeking to understand the deep-rooted reasons behind society’s enduring digital insecurity—and maybe to feel a little less guilty about it.
