FRESH
Hacker News
Hacker News Hacker NewsBasically, we are entering the ransomware apocalypse. It is insane what a godsend gen-AI has been to the cybercrime sector. When all you need to do is make something good enough to fool some of the people some of the time, genAI is perfect.
Things that used to work reliably - like trusting google ads or sponsored links not to be malvertizing sites - are meaningless now that gangs can trivially spin up networks of thousands of fake interacting sites and linked profiles to sneak by fraud detection. Phishing attacks are ridiculously sophisticated, combining voice, text, and video impersonation. Supply chain attacks are going to mean package managers are handgrenades. Ransomware gangs are running full on SaSS services allowing script kiddies access to big gun material. Attacks that were previously only in reach of nation-state-sponsored actors are now available for peanuts. And all of this is going to worse because of everyone and their dog using gen-AI to pump out huge amounts of vulnerable code. And then there is the world of prompt engineering for data exfiltration...
If you are young and wanting a promising trade in tech, security would absolutely be a good choice. Shit is going to get CRAZY.
> on April 7, 2026 … U.S. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent, in-person meeting in Washington with the chief executives of [major US banks] to brief them directly on the cyber risks posed by [Anthropic’s] Mythos
Then a similar meeting happened with the Canadian Financial Sector Resiliency Group (i.e. the Bank of Canada, the Canadian government’s Department of Finance, the Canadian Deposit Insurance Corporation (Canada’s FDIC) and Canada’s six major banks).
Multiple central banks don’t usually do that right?
https://www.ctvnews.ca/sci-tech/article/anthropics-new-ai-mo...
Companies need to get serious about levels of security. Only some things need to be protected, and you have to accept a substantial level of inconvenience and cost for those items. In my aerospace days, we had a bidding rule of thumb that running a project at SECRET doubled the cost. Running a project at TOP SECRET had an even bigger cost multiplier. A surprising amount of material was not classified at all, for cost reasons.
Banks and credit card processors get this. Most other businesses don't.
More or less, I am the attractive resume, and: the game has changed folks.
For what it is worth, I am taking my ball and going home in about 12 months. I've saved enough, locked in a perma-middle class lifestyle in a great nondescript city, and swapping over to offensive consulting and a AI-free, non-tech trade that won't take too long to get into - think a PA, nurse, plumber, etc.
I'm not quite old enough and with the end of responsibilities as to FIRE, but I can read the writing on the wall enough to understand an AI-proof FI needs to be locked in before everyone else realizes the same. Many others in sec are feeling this.
I think tech will find security pros willing to throw themselves into the fray for pay and optimism. There are others like me who are extracting their final nuts. There are others who have golden-handcuffed themselves into this ride with their mortgages and private school tuitions. And I'm sure some others will stick it out. There will also be an AI-enabled version of sec eng soon enough.
But if private sector doesn't wake up to AI integrations - internal doc rollouts hoovering up PII that wasn't supposed to be stored there, externally-facing customer support portals social engineered and pivoted into, PRs via Slack comment via marketing hires who are ATO'd - this is going to be a 1990's-style BBQ where 0days on critical systems are dropped at happy hours at conferences nightly.
And: your security teams are going to be burned out, banking up, and quitting. The risk acceptances, the double-speak, the slow-rolling, the half-baked risk thinking for engineering and product leads, the corners cut, the public endpoints opened up just this one time - that's going to be enough rope, and already is enough, to hang yourself in this offensive context that's building now.
It is deeply humorous that SWE and engineering leadership has worked itself into this position via its AI push to unemploy itself while thinking it's the 1x white collar job exempt from automation threats.
All it'll take is another recession like '08, and the leaves get shaken off the trees finally. Thankfully there is only one (wait, there are two probably), thankfully there are only two-to-three (wait, there are like 10) systemic market threats right now.
[1]: https://idtechwire.com/opinion-in-an-ai-world-every-attack-i...
And yet, the public conversation around them has been quiet to the point of being strange.
There's a lot current events that once would have been considered historical: trip around the Moon, war out of nowhere, unprecedented explosion of kleptocracy l, enormously scandals and so long. Noone of these are moving much of the needle among general public.
Why? I think such indifference or rather apathy/torpor is a result of people becoming tired of constant stream of crises (either imaginary or real) that we're being flooded by. The capacity to react with something more than a shrug is finite. And I think we are being drained.
Lmao that cybercriminals are closing M&A deals to create vertically integrated SaaS companies.
Do you think anyone was made redundant through kinetic means?
Look, love or hate it, here's what happened; a LONG time ago (in tech terms) Microsoft and others normalized some very stupid practices; when I teach about it I basically illustrate it like this: "If I handed you a piece of paper that said 'Go jump off a bridge'" will you survive this encounter with me? Because a very large, perhaps majority, of computer infrastructure will not.
We managed to put buttons on appliances that don't make the appliance explode, but failed to do that in email links, which are just buttons.
And then, we still have yet to punish or hold accountable any large party who made things this way. Until we do that, keep expecting this.
i dont think its that strange. there are multiple wars raging on, with many people fearing the breakout of a global conflict. a giant pedophile ring has been exposed that no one in power seems interested in doing anything about. prices for everything are haywire. markets are an absolute rollercoaster, hinging completely on one mans late night tweets. and so on.
people just dont have the bandwidth to also learn about what an npm or github is, and why a hack of it is important. news stations are going to pick the news that results in the most people tuning in to watch. that is war, not whatever a mercor is.
the non-tech (and many of the tech) people in my life are also just plain tired of hearing about hacks. they have heard that their information has been stolen 10 times or whatever in the last 5 years. they have heard 100s of "this company was hacked" stories. "another hack? who cares?".
From this,
https://www.sdxcentral.com/news/cisco-source-code-breach-lea...
It sounds like they were/are using GitHub to host company-private source code, presumably of high-value.
While it's hard to know exactly the setup (e.g. maybe they are running their own instance of GitHub internally), this is your reminder that public clouds are not secure, no matter how much you pay the maintainers of said clouds.
Internal network compromise is of course always possible, but sheesh, it sounds like this list has lots of public cloud failures.
These events aren't new or novel anymore. The fact that the news does or does not report on something is indicative of editorial prerogatives and nothing more.
> This is a curious observation more than a complaint.
We went from 25% of the world population using the internet to now more than 80% are on the internet. More people understand the fundamental issue, and so are uninterested by it, so for-profit publications will not cover it.
I think right now we are waiting for the Morris worm (https://en.wikipedia.org/wiki/Morris_worm) equivalent shock to the system, but it is likely to be much, much worse and much more specific. I expect something that will make DOGE stealing SSNs look kind of tame. Something like every private GitHub exposed, every Visa card data and history exposed, every Mac injected with a rootkit, etc. It's like waiting for the plot from Sneakers to manifest.
For all the security we have built over the last 50 years, it has been impossible (or nearly so) to lock down any web-accessible content. It is a structural issue at a certain level of complexity, the surface area is just far too wide for any focused effort. Aside from direct 0 day vulnerabilities in software there are vulnerabilities in core libraries, frameworks, CI/CD, cloud services, hardware bugs, gaps between services, permission vectors, etc.
The U.S. has relied on the legal system to allow our insane credit card system to persist, where security by obscurity (knowing someone's CC#) is the main deterrent to abuse. I need a complex password to access any website, but CC#s are flying free. I think the combination of easy worldwide vulnerability scanning and U.S.'s focus on pissing every country off is going to lead to significant and unending asymmetrical warfare. If our gov't has been co-opted by big business, big business is going to become the target. As we have seen with Iran with Hormuz and Ukraine with drone strikes, it isn't so hard for small countries to fuck up global systems.
We are entering a 90s-style phase where any script kiddie can cause massive disruptions. Trump likes to threaten NUCLEAR but security issues could potentially cause even more death and destruction - overwhelm the energy grid, open dams, crash air traffic control communications, etc. There is lots of concern over the oligarchy owning AI and keeping it for themselves, but the more immediate risk is that any country can potentially lash out with disruptive actions.
There has been a retreat from globalization since COVID. I wouldn't be surprised if that extends to global internet communications as well. Internet traffic between countries might soon be severely restricted, that's the last line of defense we actually have if this goes as badly as Anthropic is implying.
What would the consequences for humanity be if every single electronic patient record was leaked onto the internet? Immediately hugely bad for some groups, unfortunately. After a good deal of embarrassment and drama however, some severe, perhaps the net effect is positive. It would most likely facilitate a lot of scientific inquiry. A lot of people, especially in medical deserts, also use Chatgpt as an md. Providing AI companies with high quality medical data is actually a public service.
So it goes for many things in life, and except for financial and destructive wipe attacks, data security is mostly about protecting the IP of incumbents, which is somewhere between irrelevant and a net negative. It's hard to say what the long term consequences of the IP system breaking down would be, but there is a good argument to be made that it's not necessarily bad.
As for individual people, most don't really care or are resigned to the fact that Google already knows everything about them, and probably abstractly enjoy the fact that a major company gets brought down to their reality. Plenty of societies have extremely collectivistic mindsets of public info being shared, like Scandinavian countries having public tax filings, and they work just fine.
I think most people would secretly relish the outcomes of everything leaking everywhere. Just like people relish the Epstein files being released, and probably would have loved an unredacted version being leaked. Secrets are something human beings naturally gravitate towards to dig up and sharing, and this is actually for good, sensible reasons. Evolution has simply favored groups that did not hoard knowledge, at least not internally. There is a reason the scientific method has openness as a virtue, and is arguably one of the pillars that has carried humanity out of the dark ages.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa...