This year’s insane timeline of hacks

4/13/2026 at 4:49:19 PM

As part of my work in technical diligence, I create medium-long form content marketing material on topics germane to PE investment in tech. In the last six months I did a series (not yet published) on the state of security in the age of gen-AI.

Basically, we are entering the ransomware apocalypse. It is insane what a godsend gen-AI has been to the cybercrime sector. When all you need to do is make something good enough to fool some of the people some of the time, genAI is perfect.

Things that used to work reliably - like trusting google ads or sponsored links not to be malvertizing sites - are meaningless now that gangs can trivially spin up networks of thousands of fake interacting sites and linked profiles to sneak by fraud detection. Phishing attacks are ridiculously sophisticated, combining voice, text, and video impersonation. Supply chain attacks are going to mean package managers are handgrenades. Ransomware gangs are running full on SaSS services allowing script kiddies access to big gun material. Attacks that were previously only in reach of nation-state-sponsored actors are now available for peanuts. And all of this is going to worse because of everyone and their dog using gen-AI to pump out huge amounts of vulnerable code. And then there is the world of prompt engineering for data exfiltration...

If you are young and wanting a promising trade in tech, security would absolutely be a good choice. Shit is going to get CRAZY.

by iainctduncan

4/13/2026 at 7:03:56 PM

I get amused that people don't realize that genAI is an existential threat to the internet and everything that has been built on it.

1) One can no longer trust things out on the web. 2) One no longer needs things out on the web.

For 1), I hope the defense mechanism kicks in time to bake security into our computing culture and pervades throughout the stack.

by sifar

4/13/2026 at 7:54:00 PM

You were trusting things on the internet before LLM's?

by ellg

4/13/2026 at 9:23:31 PM

Careful system administration and web browsing were relatively safe; nowadays, even upgrading the local libraries carries risk that must be assessed.

by pizza234

4/14/2026 at 1:32:55 PM

It has always been that way. Literally the only distro that encourages an update process with the requisite effort you should be putting in is Slackware. You should be reading the source code you build. You should be building from source. You should fully understand your toolchains. Binary only distros have always been the equivalent of wearing a condom to have sex. Usually fine, but technically outsourcing the hard work to someone that lets be real, 90% never get to know well enough to credibly trust to any degree. NPM & proglang level package management just doubled down on the real-estate you had to shift through.

Being a responsible programmer/sys admin has always been read heavy, as long as I've been alive. Write only code is antithetical to the basis of running a trustworthy system.

by salawat

4/13/2026 at 8:58:37 PM

The Internet is quite fine at delivering packages over encrypted channels which I can trust. (Except where interdicted by governments, like in China, India, Russia, Turkyie,..)

The Web is a rather different beast, but the question is not "can you trust the Internet", but "can you trust a random website", and now even "can you trust a previously trustworthy website".

You of course should not trust any pictures or videos as critical evidence, they should be corroborated by other means. But this has been true for several years now.

by nine_k

4/13/2026 at 9:17:46 PM

To clarify, I meant it from a lay person's perspective. I do realize that one can argue if the average person will have developed this awareness now. The difference this time, I feel, is that the genAI tools are widely available for normal people to experiment with which will hopefully help develop this visceral feeling.

by sifar

4/13/2026 at 9:34:59 PM

While there genuinely was fake content and astroturfed material on the web prior to LLMs, the cost to produce this stuff has fallen enormously. A major corporation or a state actor might pay a bunch of money for inorganic content but it was hard for some rando in Estonia to spin up a network of fake content to monetize on tiktok or whatever. This leads to way more fake content about a much wider range of topics.

by UncleMeat

4/14/2026 at 11:45:26 AM

I can't see an existential threat as in the internet as in it no longer existing. It's busier than ever although maybe with more junk.

by tim333

4/13/2026 at 8:15:20 PM

> 1) One can no longer trust things out on the web.

I assume you mean software, because we haven't been trusting other things on the web already for decades.

As for software, everybody interested knew about inherent insecurity of supply chain of modern software but the solutions proposed were too expensive. We need an order of magnitude more money lost for organizations to start switching from today's security theater to a model with security built in.

by dvfjsdhgfv

4/13/2026 at 9:24:28 PM

In general and for software in particular too :). For general see my response to ellg.

Even though we were aware of the insecurity of the supply chain, 1) In practice we tend to ignore it except for mission critical cases. We still do. 2) Autonomous vulnerability/exploitation at scale was difficult and reserved for high value targets.

What you said will be accelerated by 2) now.

by sifar

4/13/2026 at 7:16:32 PM

I can't tell if this is satire or not

by zolland

4/13/2026 at 9:48:28 PM

> If you are young and wanting a promising trade in tech, security would absolutely be a good choice. Shit is going to get CRAZY.

I personally would still recommend software engineering. Security in far majority of places is still checkbox and cost driven. Outrage happens around incidents, but rarely are people willing to invest meaningful in their people. Security SaaS on the other hand, is doing great, so anything driving revenue there is good.

by mmarian

4/13/2026 at 7:05:43 PM

> If you are young and wanting a promising trade in tech, security would absolutely be a good choice.

If AI is capable of performing these attacks, what would stop AI from replacing the security engineers?

by strombofulous

4/13/2026 at 7:26:47 PM

> If AI is capable of performing these attacks, what would stop AI from replacing the security engineers?

Because the threat model is one-sided - if an AI attack fails, the controller simply moves to the next target. If an AI defense fails, the victim is fucked.

Therefore, there is still value in being the human in Cyber Security (however you are supposed to capitalise that!)

There are still protections and mitigations that targets can do, but those things require humans. The things that attackers can do require no humans in the loop.

by lelanthran

4/14/2026 at 4:37:07 PM

>Because the threat model is one-sided - if an AI attack fails, the controller simply moves to the next target. If an AI defense fails, the victim is fucked.

This was always the case? Security is asymmetric and attacker only needs to succeed once.

by integralid

4/14/2026 at 6:18:23 AM

> Therefore, there is still value in being the human in Cyber Security

Why? Your logic applies equally well to humans. If the AI attacker fails they move onto the next target, if the human defence fails the victim is fucked.

> There are still protections and mitigations that targets can do, but those things require humans.

Which things would you point to here?

by AlecSchueler

4/14/2026 at 6:25:48 AM

> Why? Your logic applies equally well to humans. If the AI attacker fails they move onto the next target, if the human defence fails the victim is fucked.

I didn't claim that the human defence is the only layer. Your analogy is only valid if my claim is that it's AI attackers vs Human defenders. It's not. It's AI attackers vs AI + Human defenders.

> Which things would you point to here?

If you cannot imagine any value that a human can add to an AI defence, then this conversation is effectively over; I am not in the mood to enumerate the value that a human can add to AI defence.

by lelanthran

4/13/2026 at 7:32:52 PM

Red team has to be lucky once, blue team has to be perfect. How many places take red teaming seriously now?

Compare how fast real attackers could iterate vs the defenders.

by _aavaa_

4/13/2026 at 9:37:48 PM

This is less true than it seems. It is pretty rare to go from vuln to simple exploit for systems that people care about. There are plenty of vulns in chrome or whatever that were difficult to actually weaponize because you need just the right kind of gadgets to create a sandbox escape and the vuln only lets you write to ineffective memory addresses.

by UncleMeat

4/13/2026 at 7:53:05 PM

Stealing a bitcoin wallet by cracking the private key for it also requires red team to be lucky once. Once AI security gets to the point where the probability is infinitesimal for causing actual harm to the business it will be fine.

by charcircuit

4/13/2026 at 8:45:37 PM

Yes, and on an infinite time horizon we are all dead.

It’s the time between then and now that we’re talking about.

by _aavaa_

4/13/2026 at 9:52:12 PM

Existing concepts like defense in depth make it exponentially harder for an AI to build a full exploit chain. Even with a full exploit chain with one mistake you'll trigger a detection system which can fool your attack.

by charcircuit

4/13/2026 at 7:18:18 PM

The more I use AI and my workplace buys into it, the more I’m doing person to person work in a security context.

by chucky_z

4/13/2026 at 7:43:56 PM

exactly

by iainctduncan

4/13/2026 at 8:26:58 PM

They're not and they won't. I'm from genx and have a background in infosec. I don't agree that AI is the cause of this sudden surge in activity or if this is even a sudden surge. This stuff was always occurring if you were paying attention. It just making the mainstream news now.

Geopolitics is the cause of the recent uptick in activity. Many of these groups are state sponsored or just fronts for nation-states themselves. genAI just makes it easier for people further down the chain to go after low hanging fruit.

The most significant impact genAI is having on infosec is creating work for those people in infosec through vibe coding and turning untested AI systems loose on internal networks. genAI just lets developers and admins shoot themselves in the foot faster. genAI is an artificial intern.

by weare138

4/13/2026 at 8:17:52 PM

LLM-based software is just another layer to be hacked.

by dvfjsdhgfv

4/13/2026 at 6:39:51 PM

This just seems like the result is people are going to be driven off the internet. It will simply not be safe for the layperson.

by operatingthetan

4/13/2026 at 8:01:47 PM

Literally the Blackwall from Cyberpunk 2077.

by yoyohello13

4/13/2026 at 9:56:00 PM

Most people's internet is Instagram + Games from AppStore + TikTok + Netflix + Banking Apps. Everything is within specific walls and guardrails.

by tokioyoyo

4/13/2026 at 8:41:17 PM

Sounds like an ultimately good thing to me. It was an interesting experiment, but the negatives largely outweigh the positives at this point.

(I do realize the irony of writing this on HN, but I digress)

by pesus

4/13/2026 at 9:51:49 PM

Just in general, the outcome of where technology is going may spur many to reduce their usage in favor of "the real world"; I agree it might be a good thing.

by babycheetahbite

4/13/2026 at 8:33:13 PM

It might not be a bad thing if we have an Internet for humans, and a segmented Internet for AI.

by PradeetPatel

4/13/2026 at 8:44:44 PM

Who's enforcing that rule?

by kgwxd

4/13/2026 at 7:37:38 PM

No man lands between walled gardens

by idiotsecant

4/13/2026 at 5:50:02 PM

> If you are young and wanting a promising trade in tech, security would absolutely be a good choice. Shit is going to get CRAZY.

Yes, but you can't be a CISSP or SOC monkey - that has no future.

You need to be an actual Software Engineer who understands development fundamentals, OS internals, web dev fundamentals, algorithms, etc as well as offensive and defensive concepts.

To many "cybersecurity" graduates in North America aren't even qualified to do L1 IT Helpdesk, which is a shame because the IT to Security talent pipeline is critical (along with the SRE, SWE, and ML to security pipeline).

by alephnerd

4/13/2026 at 10:18:46 PM

As an “actual” software engineer, what do you recommend me to read to work in cybersecurity? Assume I have a solid background in OS internals, algos, networking, software engineering. I have never worked in cybersecurity though (I have never reversed engineered anything)

by sdevonoes

4/13/2026 at 11:49:55 PM

What do you specialize in as a SWE? Can you identify architectural or implementation bugs and think about how an attacker can exploit that to laterally move across your environment?

Cybersecurity is basically a wholistic architectural review of software that takes business, engineering, and operational context into account to make a qualified judgment about risk.

by alephnerd

4/14/2026 at 1:47:13 AM

i'm one of these developers who found myself doing a lot of security-oriented devops work. how do i get away from compliance? i hate checking boxes, feels like it creates some pointless work sometimes. compliance alone makes me never want to do cybersecurity but i enjoy the architecture stuff and thinking about threats

by greenie_beans

4/14/2026 at 1:52:11 AM

> i hate checking boxes

> hate checking boxes, feels like it creates some pointless work sometimes

Everyone does. It doesn't actually help reduce tangible risk, but it helps you understand the operational and liability aspect of cybersecurity which is critical as well.

> compliance alone makes me never want to do cybersecurity

Compliance =/= Cybersecurity. If you work in an organization where security actually means compliance, then leave.

---

Honestly, it's region and industry dependent. If you are east coast, transition into a JPMC or GS tier bank (yes, banks are bleeding edge security personas).

If you are west coast, it shouldn't be difficult for a SRE/DevOps/Cloud type to become a SWE or Solutions Engineer at a cybersecurity company.

If you are in Europe, get an H1B and leave. I literally helped sponsor 2 O-1s today from European cybersecurity founders who wanted to leave becuase of subpar terms and bureaucracy.

by alephnerd

4/13/2026 at 6:17:48 PM

Definitely agree. I guess I should have specified I meant "real programmer who wants a career". ;-)

by iainctduncan

4/13/2026 at 10:59:27 PM

The crazy part is that none of this is unexpected.

This was exactly the reason why GPT-2 was restricted for general release in 2019.

Check out section 4 - https://cdn.openai.com/GPT_2_August_Report.pdf

by meander_water

4/13/2026 at 6:41:54 PM

Oh, we're back to not being able to trust Google Ads again?

I recall there being Malvertising campaign problems ~12-15 years ago or so, and then they seemed to get on top of it.

by RajT88

4/13/2026 at 7:44:32 PM

typosquatting is shaping up to be a serious problem again.

by iainctduncan

4/13/2026 at 10:31:51 PM

Do you have some pointers to start advancing in security world?

by zakki

4/13/2026 at 7:36:15 PM

How can open source software possibly survive this?

by idiotsecant

4/13/2026 at 8:03:29 PM

There’s no closed source software anymore, clankers are mighty good at decompiling.

by baq

4/13/2026 at 7:39:44 PM

Open source has advantages over closed source: You can demonstrate your sSDLC whereas with closed source you have to believe the vendor.

by Tepix

4/13/2026 at 9:24:48 PM

in the upside, the current Adminstration is making most of that legit grift, so investing in homegrown fruad should be on every PE's 2026 wishlist

by cyanydeez

4/13/2026 at 4:48:56 PM

The strangest thing I found is:

> on April 7, 2026 … U.S. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent, in-person meeting in Washington with the chief executives of [major US banks] to brief them directly on the cyber risks posed by [Anthropic’s] Mythos

Then a similar meeting happened with the Canadian Financial Sector Resiliency Group (i.e. the Bank of Canada, the Canadian government’s Department of Finance, the Canadian Deposit Insurance Corporation (Canada’s FDIC) and Canada’s six major banks).

Multiple central banks don’t usually do that right?

https://www.ctvnews.ca/sci-tech/article/anthropics-new-ai-mo...

by ckcheng

4/13/2026 at 5:08:13 PM

Two possibilities:

1. Fear that a major vulnerability is found in a commonly used software package that puts multiple major banks and e-commerce sites at risk

2. Fear that major vulnerabilities are found in multiple, widely used software packages that lead to market downturn as IT company stocks crash.

Probably others as well. Sounds more like a brief on worst-case scenarios that may happen and how they would effect the US banking sector. This is an important mid-year election this year too, so any big economic shock would be bad for the GOP.

by sybercecurity

4/13/2026 at 5:30:24 PM

That, or, not completely unlikely, he was shown all the vulnerabilities across all old software that banking, finance et al use daily and are unlikely to ever update. I am only half joking. There is a reason I think some people should stick to their areas of expertise.

by iugtmkbdfil834

4/13/2026 at 6:29:27 PM

It currently works because those vulnerabilities are not exploited en masse. With AI, they can. It does change the game.

by eastbound

4/13/2026 at 6:38:24 PM

I am personally of several minds about it. However, I am not an expert in the field. I can somewhat reliably opine on humans and human behavior in general, but I concede that is harder to consider the impact in aggregate.

by iugtmkbdfil834

4/13/2026 at 10:38:07 PM

How can money stolen from bank accounts even be offramped? It makes perfect sense to me how it works within crypto—transactions are not reversible. But how does this work in trad-fi, can't any money transferred just be sent back by the banks by editing the ledgers?

by Cider9986

4/13/2026 at 11:18:11 PM

>can't any money transferred just be sent back by the banks by editing the ledgers?

No, traditional western finance isn't like a unified database, but rather many controlled by different parties in different countries. In theory you could write it back, but it's closer to bittorrent - if someone downloads a song from you then you can't just take it back.

Some stuff can be voided and there are clearing house mechanisms but if money moves fast enough across enough borders then getting it back is near impossible

by Havoc

4/14/2026 at 12:50:11 AM

Stealing is one possible problem (transactions out of country are really hard to claw back), but the major fear is probably stability. You won't like the consequences if a significant percentage of your countries banks are down for a few days...

by alphager

4/13/2026 at 10:35:34 PM

Good job Anthropic products can't be used by the government then.

by dboreham

4/13/2026 at 8:15:24 PM

[dead]

by tosser12344321

4/13/2026 at 6:39:11 PM

Almost all those events were on Hacker News. This hasn't been a secret.

Companies need to get serious about levels of security. Only some things need to be protected, and you have to accept a substantial level of inconvenience and cost for those items. In my aerospace days, we had a bidding rule of thumb that running a project at SECRET doubled the cost. Running a project at TOP SECRET had an even bigger cost multiplier. A surprising amount of material was not classified at all, for cost reasons.

Banks and credit card processors get this. Most other businesses don't.

by Animats

4/13/2026 at 7:51:55 PM

They've been on HN, but that's the author's point. Even this article on HN- the top comment is a series of complaints about "hurr durr ai needs to get off muh lawn"

The point is that the people, who self-identify as the ones the author is supposedly asking for help, are the ones who are refusing to acknowledge the elephant in the room so they can feel smug. Just like your "but i read about every incident mentioned, where's my cookie"

by halJordan

4/14/2026 at 3:12:44 AM

I don't think the author is asking HN for help. Just pointing out that the sky is falling

by culi

4/14/2026 at 5:43:39 AM

The most effective security practice you can do is to strictly isolate any internet connected PC from computers handling important data. But this requires that people have two (or more!) different computers and is rather annoying.

More convenient is to only allow internet access from ephemeral VMs connected to via RDP or similar protocol.

by UltraSane

4/13/2026 at 5:50:37 PM

I'm a head of security, great career, did engineering into management, made a tidy living doing advanced work as a risk plumber across companies that have been relevant. I've built great teams, met and solved hard IR, delved into the real reaches of vuln research, other neckbeard things, got paid very well along the way. Seen and worked on the APT issues.

More or less, I am the attractive resume, and: the game has changed folks.

For what it is worth, I am taking my ball and going home in about 12 months. I've saved enough, locked in a perma-middle class lifestyle in a great nondescript city, and swapping over to offensive consulting and a AI-free, non-tech trade that won't take too long to get into - think a PA, nurse, plumber, etc.

I'm not quite old enough and with the end of responsibilities as to FIRE, but I can read the writing on the wall enough to understand an AI-proof FI needs to be locked in before everyone else realizes the same. Many others in sec are feeling this.

I think tech will find security pros willing to throw themselves into the fray for pay and optimism. There are others like me who are extracting their final nuts. There are others who have golden-handcuffed themselves into this ride with their mortgages and private school tuitions. And I'm sure some others will stick it out. There will also be an AI-enabled version of sec eng soon enough.

But if private sector doesn't wake up to AI integrations - internal doc rollouts hoovering up PII that wasn't supposed to be stored there, externally-facing customer support portals social engineered and pivoted into, PRs via Slack comment via marketing hires who are ATO'd - this is going to be a 1990's-style BBQ where 0days on critical systems are dropped at happy hours at conferences nightly.

And: your security teams are going to be burned out, banking up, and quitting. The risk acceptances, the double-speak, the slow-rolling, the half-baked risk thinking for engineering and product leads, the corners cut, the public endpoints opened up just this one time - that's going to be enough rope, and already is enough, to hang yourself in this offensive context that's building now.

It is deeply humorous that SWE and engineering leadership has worked itself into this position via its AI push to unemploy itself while thinking it's the 1x white collar job exempt from automation threats.

All it'll take is another recession like '08, and the leaves get shaken off the trees finally. Thankfully there is only one (wait, there are two probably), thankfully there are only two-to-three (wait, there are like 10) systemic market threats right now.

by tosser12344321

4/13/2026 at 7:00:32 PM

I totally appreciate this take and have thought something similar but I am old enough to be familiar with the part of my brain responsible for these thoughts and know it has a long track record of being horribly wrong.

Sure, hedge your bets. Get financially secure. But also consider that "nothing ever happens" is usually correct and the world has a way of ensuring things keep going in the direction they have to in order to give stability to the establishment (which we are generally a part of).

by 01100011

4/13/2026 at 7:13:25 PM

I've thought about that as well - what derails this, what invalidates the unstoppable forward march? That is often how the world works. City real estate costs were flying up year after year after year, and others rust-belting, until Covid and remote work, for example.

So, what can derail AI out of left field? Maybe building DCs for it in Arizona and EMEA can, for one.... choosing very "water-rich" locations there for water-cooled systems.

So, how could this land longterm, assuming AI works sort of good, sort of bad against the use cases? The real questions here for industry people though should be this:

1) How does this play out, over the 5-10 yrs we have to see it occur of trying it/redoing it/trying a new version/going back to the old version, all the while it's occurring over my career, all the while when I have bills to pay and relationships to maintain.

Ans: I think that's a hell of a lot of financial and employment stress induced on us by people who don't understand the tech they're rolling out, the state change that's occurring, and don't need to deal with the consequences. All the while, I go mid career, to late career, dealing with what AI can actually do in the background.

2) What is actually going to work wrt being relevant to my job?

Ans: I think what actually works is the vuln research aspect of AI, feedback loops rapidly, rapidly speeding up on that.

And, what is the most stressful, obnoxious, high burnout part of the job - sec arch and vuln remediation, or IR and vuln response. Both about to go on overddrive, and already are if you're minding bug bounties and IR these days.

3) Has this happened to other industries, how did it go?

Ans: trading, trading, trading, trading. Check it out.

by tosser12344321

4/13/2026 at 9:39:25 PM

I don't know what derails it, I just know that the line on the chart going up or down rarely goes straight. AI might finally be the thing that results in permanent exponential growth and not a sigmoid, or maybe it hits some limits. Maybe those limits are on the human side(our ability to use it, regulatory, social backlash, etc). Maybe management tries to cut out the tech folks only to result in a tangled mess of crap that only we can help them untangle? Maybe the folks with background knowledge will suddenly be needed en masse to control and leverage AI?

We are, for example, about to grow the reach of tech even further thanks to AI. A large percentage of future warfare, for instance, will now be taken over by tech. If humanoid robots get gud, there's a whole 'nother world of applications that will probably need people to specify, test, improve, etc.

Sure, on the one hand I think the value of writing code will probably go to zero in ten years(although some applications explicitly forbid AI coding like some critical infra or space stuff), but writing code is a small part of many SWE's jobs. AI currently still needs to be told what to build and how to make a cohesive, sensible product. Maybe that changes, maybe it doesn't. But the path to eliminating human work is not short or clear-cut.

by 01100011

4/13/2026 at 5:55:53 PM

> a AI-free, non-tech trade that won't take too long to get into - think a PA, nurse, plumber, etc.

I'm not sure if personal assistant or nurse are going to be AI-free. Plumber, welder, bricklayer, pest exterminator, sure. Don't underestimate the downsides of physical labor, though. Low pay and backbreaking.

What writing on the wall? If anything, I think you'll be more needed, not less, in times to come.

by theturtlemoves

4/13/2026 at 6:08:18 PM

> I think you'll be more needed, not less, in times to come

Ya I get the need but you miss the point - no, you can't pay me anymore to wade into that and own risk, beyond a consulting context with low skin in the game.

There is a wave of senior leads thinking like this, because the knife's edge of "enough risk to game it for pay" finally tilted too far, and the career has changed.

In terms of going home after work and not yelling at my kids and spouse due to work stress due to the 10th 0day in a week on my corporate VPN/my retail-facing app/my..., there's a real QoL issue to consider. Many outside of security consistently misunderstands the mental health/career satisfaction/pay triad.

by tosser12344321

4/13/2026 at 7:04:09 PM

> beyond a consulting context

"Consulting, if you're not a part of the solution there's money to be made prolonging the problem" - Despair.com :)

/i'm a consultant

by chasd00

4/13/2026 at 7:20:52 PM

The well-paved path into vCISO life

by tosser12344321

4/14/2026 at 6:23:13 AM

Fair point, hadn't looked at it that way.

(Edit: Word of warning though, my father was a bricklayer and he also screamed at his kids whenever he came home overworked. I'm not saying I know the answer here but every job has its "they don't pay me enough for this shit")

by theturtlemoves

4/13/2026 at 6:45:40 PM

>Ya I get the need but you miss the point - no, you can't pay me anymore to wade into that and own risk, beyond a consulting context with low skin in the game.

In a situation of triage, "owning risk" is off the table.

by operatingthetan

4/13/2026 at 9:53:29 PM

> Low pay

I see you haven't hired a tradesman in the USA lately...

Sure, my body would hate me for it, but as a plumber I could make about half what I make as a SWE and given the progressive tax structure and business write-offs I'd probably net a comparable salary.

by 01100011

4/14/2026 at 12:26:21 PM

Self-employment is more expensive than you think. On the positive side, generous IRA limits. In the negative side, health insurance costs. In my experience, that’s what gets ya. Tax differences are fairly minor and not enough to cover the gap.

by jdlshore

4/14/2026 at 6:22:34 AM

Really? Time to move to the USA I guess. Here in Europe it seems to me there's a big gap between minimum wage and high paying jobs. Not much in between

(Afterthought: Don't forget the time and cost of retraining. I don't doubt your statement that you'll make just as much but I doubt it'll be right off the bat)

by theturtlemoves

4/14/2026 at 3:32:47 PM

Union electricians make about $60/hr in my metro area of 3M in the upper Midwest, union plumbers, sheetmetal workers, and pipefitters are all around there or higher. The total pay package is over $100/hr if you include health insurance, vacation, and pension.

by quickthrowman

4/13/2026 at 6:50:15 PM

This is huge and something I've been hearing a lot of rumblings about.

I just did some quick research:

- ~4.8 million unfilled cybersecurity roles globally as of 2025–2026

- Global workforce ~5.5 million, but ~10.2 million needed to meet demand

Not to mention the growth in the industry has slowed to ~0.1% year over year and you're seeing those shortages are outpacing the current workforce. Add in the most senior folks like yourself are just noping out and leaving the industry wholesale is troubling and unsettling.

Its not surprising we're seeing an unprecedented level of successful attacks. We simply don't have the resources to keep up with the criminals/hackers out there who are moving significantly faster than the companies they are targeting.

As others have pointed out, I'm not sure how this can get anything other than much worse in the near future.

by burningChrome

4/13/2026 at 9:23:11 PM

Being a cyber criminal pays many multiplies of working in cyber, as it already is with legal offensive cyber paying far better than defensive cyber. Capitalism going to capitalism. Especially since the risk of cyber crime is so much lower than physical crime, with your ability to commit it cross border, and backed by a nation state it is unsurprising it is a growing problem.

by zipy124

4/13/2026 at 6:11:12 PM

I'm starting to think anyone who knows anything about software engineering has a moral obligation to step up and defend against what's coming. I think the world needs us more than ever, this is a critical time that can go one way or the other. We need to use AI to defend and protect ourselves and the ones who can't protect themselves against malevolent AI and its users.

by bottlepalm

4/14/2026 at 4:36:11 AM

Who is paying my mortgage while I step up?

by lelanthran

4/13/2026 at 6:13:40 PM

I wish there was a medium that would feel like it would work for this.

by tosser12344321

4/13/2026 at 10:41:32 PM

Like we did for electronic voting?

by dboreham

4/13/2026 at 9:14:41 PM

How?

by semiquaver

4/13/2026 at 9:19:19 PM

Working for companies doing it already, starting companies to do it, working free on open source project to hammer them down, or creating your own open source software to aid in AI defense.

by bottlepalm

4/14/2026 at 7:22:37 AM

Does switching to Qubes OS count?

by fsflover

4/14/2026 at 2:52:16 PM

No, but contributing to it does, or more so the packages it depends on which are more cross cutting.

by bottlepalm

4/13/2026 at 6:26:59 PM

There are two polar opposite vibes in this comment section: one guy above is calling FOMO, we should all get into the security trade, and yours is FUD.

I hope this all lands somewhere in the middle but honestly who knows at this point.

by rtdq

4/13/2026 at 6:30:51 PM

I'd suggest talking to people in the security trade!

And if you're planning it, plan it soon b/c vendors like Dropzone are carving out the entry sec eng ops/ir jobs in-house or at the MSPs, and Trail of Bits skills foss on GH are carving out the 2-3x extra $3-400k TC line sec eng roles .

by tosser12344321

4/13/2026 at 7:09:29 PM

i've been saying there's going to be some interesting "computer glitches" in the news over the next few years. We've already had one where someone convinced an AI to sell them airline tickets for $1. I expect many more strange bugs, some being very bad, in the future.

by chasd00

4/13/2026 at 7:22:09 PM

Feels like that there was a World War started on smaller spark than some of those in the OP in a tense world. And this world is tense again, very tense.

by mihaaly

4/13/2026 at 3:40:47 PM

Not too long ago, a few gigabytes of data being stolen was a big friggin deal. Now they're swiping data in the terabytes or even petabytes.

by nirav72

4/13/2026 at 6:46:59 PM

Bad news: All your data with data brokers will be public soon.

Good news: All the data of elected officials will be public soon, and we may finally get some regulation.

by RajT88

4/14/2026 at 3:25:17 PM

> Mythos had identified thousands of previously-unknown zero-day vulnerabilities in every major operating system and every major web browser, along with a range of other critical software.

I think we can assume that the alphabet agencies already got their hands on this and are working to use it. No more backdoors necessary, they can crack open every computer on earth with this.

Did OS/software vendors get a list of their vulnerabilities? Will they ever?

by 0rbiter

4/14/2026 at 2:04:15 PM

Hard to read due to LLMisms (it's not x, it's y), just a few examples:

> The silence has not broken in mainstream public discourse. It has clearly broken in private, at the top of the U.S. government, in classified briefings and emergency convenings the public is mostly not seeing.

> The historian’s question is no longer whether the cyber community is being quiet. The historian’s question is why the public conversation is so thoroughly out of sync with what is clearly being discussed behind closed doors at the level of the Treasury and the Federal Reserve.

> That obscurity is the part of this section that matters most. It is not the AI numbers. It is the silence around them.

by croemer

4/13/2026 at 4:57:03 PM

Anthropic's marketing team are terrifyingly good. I wonder if Opus came up with this plan?

by __alexs

4/13/2026 at 6:20:43 PM

Cultivating and leveraging fear is truly a cornerstone of Security™.

I don't think the claims about capability are ridiculous. The idea that the general capability is proprietary and that it will be exclusive to the trusted partners of one company is ridiculous.

by theincredulousk

4/13/2026 at 8:14:13 PM

All the big tech companies are getting access to mythos. If anthropic is blowing smoke with regards to its ability to find vulnerabilities it will leak very soon.

by HDThoreaun

4/14/2026 at 5:21:20 AM

> All the big tech companies are getting access to mythos. If anthropic is blowing smoke with regards to its ability to find vulnerabilities it will leak very soon.

Will it? All the big companies are invested in AI anyway; the people getting exclusive access to this are going to be under an NDA anyway.

It will leak eventually, but the news that is isn't much better than current models news may not be enough to dispel the original claims.

by lelanthran

4/14/2026 at 7:19:32 AM

No need to leak. If we don't see a very public flow of various CVE's across the industry then it was a nothing-burger.

by attentive

4/13/2026 at 5:28:55 PM

This AI and security genre really has legs.

by 0xdeadbeefbabe

4/14/2026 at 10:59:51 AM

It really hasn't been insane, that is just recency bias. Better spam, some niche capabilities like voice cloning, some scalability to applying an exploit to more targets at once.

Anthropic et al having better exploit dev is a capability which aids both sides. But regardless, most exploits use n-days not 0-days.

by angry_octet

4/13/2026 at 3:37:01 PM

> In August 2025, three of the most notorious financially-motivated crews on the planet, ShinyHunters, Scattered Spider, and LAPSUS$, formally combined into a coordinated alliance widely tracked as Scattered LAPSUS$ Hunters (SLH), sometimes called “the Trinity of Chaos” (Resecurity; Cyberbit; Infosecurity Magazine; The Hacker News; Computer Weekly; ReliaQuest). Scattered Spider provides initial access through highly-effective social engineering and vishing. ShinyHunters handles exfiltration, leak-site management, and extortion. LAPSUS$ contributes its own brand of identity-system compromise.

Lmao that cybercriminals are closing M&A deals to create vertically integrated SaaS companies.

Do you think anyone was made redundant through kinetic means?

by jjmarr

4/13/2026 at 5:48:08 PM

These kinds of groups operate as businesses and in some cases government agencies. It would be the same experience as working for any other tech company.

by alephnerd

4/13/2026 at 6:21:12 PM

I know. There's a sense of schadenfreude that the Russian hackers are suffering through a big re-org right now.

by jjmarr

4/13/2026 at 6:33:41 PM

Yep, but they'll land on their feet. Probably negotiate an ML Infra or SecEng role at Yandex.

by alephnerd

4/13/2026 at 8:25:06 PM

A couple of days ago I was thinking about something related to this: How would the "computing" space look like once we get to the ultimate evolution/development of the AI/LLMs or whatever comes after it?

Say in 10 years, once we have things like a Claude Mythos (or better) model running on "real time" at the speed of how Taalas runs ollama now.

I have a feeling that "cyberspace" (however we want to call it) won't matter anymore. "Computing" won't matter anymore. Say, I want to implement a Massive Multiplayer Lemmings like game, it's done at the snap of my fingers. Say I want to find a way to "crack" X software? done. Say I want to find a vulnerability in Y website? easy peasy. Say I want to build a "Powerpoint" clone, done (not that it matters, as making a presentation will be as simple as saying "Mythos5, make a presentation about X,Y,Z with nice and meaningful transitions".

Same with music, video, images, etc. Once everything can be created automagically... what happens? (say, "Make me a film like the original John Wick but with the wit and style of Kingsman, make a young Sean Connery the main actor).

So, ultimately cyberspace will be so chaotic with the current "rails", that it will be completely different to what we know now.

At the risk of being booed here in HN, I also have a hunch that the more we go there, the more stuff like "trustless computing" or "proof of N" (having to SPEND something, some real life, finite effort, to do things online) will gain more force. Somehow, Hashcash was conceived to deal with spam/automation type of attacks, so I assume a version of that will have to be used to "structure" Cyberspace in the future.

My hypothesis is that this will take us back to "the real world" due to "surfeit": Kind of what happens once you add a "trainer" to a game and suddenly you have all the money/resources, and then it becomes boring. Once the "digital" stuff is solved, we will go back to the real world.

Very exciting times.

by xtracto

4/13/2026 at 9:10:19 PM

> Say I want to find a way to "crack" X software? done. Say I want to find a vulnerability in Y website? easy peasy.

OTOH, such a powerful model might be able to do formal verification practical, too. So your model might say "Can't get RCE on that software because the model that developed it also created a proof that that's impossible".

> Once everything can be created automagically... what happens?

The people who can come up with novel concepts would matter a lot more then than they do now. Like how image models can create pictures in the style of van Gogh, but they wouldn't if van Gogh hadn't existed. So we'd need "van Goghs" to come up with the new things that the models would create a thousand varieties of.

> Somehow, Hashcash was conceived to deal with spam/automation type of attacks, so I assume a version of that will have to be used to "structure" Cyberspace in the future.

"Proof of N" doesn't need to involve spending something. It could be "proof of citizenship" (or some other "proof of offline identity") combined with rate-limiting per identity. The right cryptographic protocols could do it without revealing your identity to the service you're interacting with.

by levek

4/14/2026 at 2:30:27 AM

van Gogh didn't become van Gogh by prompting LLM.

by johnmaguire

4/14/2026 at 5:16:48 AM

   "Mythos5, make a presentation about X,Y,Z with nice and meaningful transitions"

The only way this could possibly produce acceptable output is if nobody was going to care or pay attention to your presentation in the first place.

by frankzinger

4/13/2026 at 3:20:56 PM

>Stacked on top of each other across roughly a hundred days, these events are something a historian of computing security writing in 2050 will probably file as a turning point, regardless of what else happens between now and then.

And yet, the public conversation around them has been quiet to the point of being strange.

There's a lot current events that once would have been considered historical: trip around the Moon, war out of nowhere, unprecedented explosion of kleptocracy l, enormously scandals and so long. Noone of these are moving much of the needle among general public.

Why? I think such indifference or rather apathy/torpor is a result of people becoming tired of constant stream of crises (either imaginary or real) that we're being flooded by. The capacity to react with something more than a shrug is finite. And I think we are being drained.

by ArekDymalski

4/13/2026 at 3:26:19 PM

The idiocy out of the Whitehouse is an intentional strategy to flood the zone with crap that sucks all the air out of the room. They have intentionally broken the ability of the public to become informed through a number of means: attention atrophy, lowest-common-denominator mudslinging, and massive, manufactured, stupid global crises. People have become deaf and desensitized.

The fact that humanity sent people back to the moon barely even registered. Crazy times.

by titzer

4/13/2026 at 4:12:47 PM

> The fact that humanity sent people back to the moon barely even registered.

Are you sure that people would have cared much even in better times?

Although I'm just as subject to the fatigue as everyone else, this just isn't a pursuit that I see as important.

TBH I think dealing with global warming, cancer, homelessness, AI impact on human cognitive development, and the loneliness epidemic are far higher priorities.

by CoastalCoder

4/13/2026 at 4:13:56 PM

If I recall correctly opinion polling on the original Apollo program wasn't universally positive either. Space missions don't impress people who want money spent on the ground, it etc

by nemomarx

4/13/2026 at 7:59:45 PM

The famous spoken word poem Whitey on the Moon was on exactly this topic.

"Accompanied by conga drums, Scott-Heron's narrative tells of medical debt, high taxes and poverty experienced at the time of the Apollo Moon landings. The poem critiques the resources spent on the space program while Black Americans were experiencing social and economic disparities at home."

https://en.wikipedia.org/wiki/Whitey_on_the_Moon

by fhdkweig

4/13/2026 at 4:13:31 PM

"Amusing ourselves to death" was eerily prescient. Now that the amusement stopped, what might happen next? Not the metaverse, that's for sure.

by RGamma

4/13/2026 at 4:22:56 PM

I think nobody cares about the moon thing because 1) they aren't landing, and (this one's more for people who are paying some attention to this stuff to begin with) 2) it's basically the same mission they already ran on auto-pilot, but with people on board, so... I dunno, hard to get excited about some very-expensive passengers on an automated ride.

I mean, part of why they cut the Apollo program short was because nobody cared back then either, after the first ~2 landings, so they muddled on a while longer but support simply vanished in a hurry. It'd be surprising if people started caring more now. I suppose if we land people on the moon it'll be a bit more of an event than this one (the landing, not the launch) but I'd expect interest to plummet again after that. Hopefully they have better-selected video feeds for the landing than they did for this launch, I had my kids watch it and it was bad enough I think I'll have trouble getting them to sit down for another NASA launch stream.

by lamasery

4/13/2026 at 8:06:08 PM

I'm interested in it as a means to an end. Supposedly this is to get ready for a lunar base. I would love to see that in my lifetime. Also, while it is not a mission objective, I want to see a space elevator which currently we can only do on the moon. Due to the lower gravity and slower spin, it is possible to make a space elevator out of Kevlar rope, which we can reliably make in bulk.

by fhdkweig

4/13/2026 at 4:38:45 PM

> Why? I think such indifference or rather apathy/torpor is a result of people becoming tired of constant stream of crises (either imaginary or real) that we're being flooded by. The capacity to react with something more than a shrug is finite. And I think we are being drained.

I think it's more that the impact of all these constant string of "crises" ends up having very little impact on the average American's lifestyle. Groceries a bit more expensive, gas higher, rent continues to creep up. Some giant incomprehensible national debt number gets higher. Those all suck and people complain about them - but they are complaining about them in packed bars while they drink $7 beers and eat $30 burgers and fries.

You can only yell so many times that the world is ending before people tune it out since their day to day lives are largely unchanged. Just look at the focus on complaining about almost irrelevant things like the price of eggs or whatever totally irrelevant culture war topic of the day. It's societal bike shedding.

I am firmly of the belief (and have been for quite some time) that the "average" middle class American is going to need severe pain - as in widespread great depression level pain - before anything really changes at all at the ground level. Americans have simply become so used to living the lifestyle being part of an insulated hegemonic superpower empire that they have taken that for granted as how things generally will always be no matter what happens. There is zero consideration for the amount of sheer effort, will, and constant vigilance it took to build and maintain such a state of being.

Or put another way: Inertia is a hell of a drug.

by phil21

4/13/2026 at 10:09:01 PM

Because it doesn't really matter and has no legs? Over the past 15 years, we had a lot of data exfiltrations, lots of breaches, hacks, and etc. Nothing really happened, world moved on, people figured out a way to live around it. People who work at those companies get affected, but in general, unless the entirety of banking system collapses because of the hacks... nobody will really care. Even during the hay days of Equifax hack people were chatting how things will "happen this time". Nothing did.

by tokioyoyo

4/13/2026 at 3:24:09 PM

Agreed, call it future shock or the Singularity or just overall outrage fatigue, people just aren't reacting to these kinds of things at a level commensurate with their risk or danger.

by mwigdahl

4/13/2026 at 4:21:32 PM

> people becoming tired of constant stream of crises

They aren't tired, they're distracted. X/TikTok/et. al. are all fire and motion mechanisms.

by SoftTalker

4/13/2026 at 7:12:57 PM

Yeah, it's not indifference or apathy. It is overwhelm. There are too many things that need attention and not enough attention.

by jmcqk6

4/13/2026 at 7:21:56 PM

One word, Hypernormalization.

by atkrista

4/13/2026 at 8:12:28 PM

I know for my part I am so tired of the constant crises. At this point I just want the inevitable collapse to hurry up and happen already so we can just focus on picking up the pieces and move the fuck on.

by yoyohello13

4/13/2026 at 4:20:46 PM

[flagged]

by TacticalCoder

4/13/2026 at 4:27:09 PM

The precipitous drop in fertility even in low income countries. The rise in populism and fear.

It's the phones, humans are being DDoSd. We need government intervention against many aspects of modern technology.

The profit motive works when it comes to reducing manufacturing costs and passing some of that on to consumers through the beauty of competition. It doesn't work so great when it's X training a transformer model to maximize the amount of time you spend doom scrolling so they can feed you gambling advertisements.

by energy123

4/13/2026 at 5:12:24 PM

Total fertility rates dropped long before smartphones.

by lotsofpulp

4/13/2026 at 4:45:23 PM

Well society had to go and get rid of religion, so people needed another opiate.

by scottyah

4/13/2026 at 5:15:50 PM

Considering how attached to his phone my hyper religious evangelical father-in-law is ... I don't buy it. If there is a causal relationship between those things, it goes the other way.

by rootusrootus

4/13/2026 at 4:42:53 PM

[dead]

by gulfofamerica

4/13/2026 at 10:02:15 PM

I wonder, how long until that certain CrowdStrike kernel level plugin that brought down a third of the world's Windows comptuers gets hijacked by a malicious actor.

by xtracto

4/13/2026 at 7:09:56 PM

Combine every attack being a social engineering attack plus foundational model hacking-fu and we're in a shocking interesting place. Identity itself becomes a pretty interesting opportunity/threat. Wrote an oped [1] with friends from Badge on this topic 6 months ago.

[1]: https://idtechwire.com/opinion-in-an-ai-world-every-attack-i...

by CoryOndrejka

4/13/2026 at 3:22:07 PM

>And yet, the public conversation around them has been quiet to the point of being strange.

i dont think its that strange. there are multiple wars raging on, with many people fearing the breakout of a global conflict. a giant pedophile ring has been exposed that no one in power seems interested in doing anything about. prices for everything are haywire. markets are an absolute rollercoaster, hinging completely on one mans late night tweets. and so on.

people just dont have the bandwidth to also learn about what an npm or github is, and why a hack of it is important. news stations are going to pick the news that results in the most people tuning in to watch. that is war, not whatever a mercor is.

the non-tech (and many of the tech) people in my life are also just plain tired of hearing about hacks. they have heard that their information has been stolen 10 times or whatever in the last 5 years. they have heard 100s of "this company was hacked" stories. "another hack? who cares?".

by john_strinlai

4/13/2026 at 4:03:18 PM

The issue is also one of agency: the public has absolutely no agency in this. There is nothing an ordinary member of the public can do to avoid having their data exposed, there is nothing they can do to cause corporations to have more robust security models nor to cause actual consequences for all the executives that chose profit over security at every possible decision point.

To the public this becomes like the risk of being hit by lightning or being in a car accident, just background noise we avoid thinking about as much as possible. It is just the cost of living in this economy.

by jgeada

4/13/2026 at 3:47:43 PM

> a giant pedophile ring has been exposed that no one in power seems interested in doing anything about

But that's not true. The European Union and many other countries are taking extreme measures to ensure that what happened in the United States never happens with them and they are introducing a bunch of different measures to strengthen control over society, the media sphere, and other measures to ensure that no pedophile rings could be exposed.

by Ray20

4/13/2026 at 3:51:13 PM

Really? The UK never even did anything except sweep the LAST pedophile ring uncovered under the rug too!

https://en.wikipedia.org/wiki/Rotherham_child_sexual_exploit...

https://en.wikipedia.org/wiki/Rochdale_child_sex_abuse_ring

https://en.wikipedia.org/wiki/Investigations_into_the_Rother...

"A 2024 report on child sex exploitation in Rochdale from 2004 to 2013 found that there was "compelling evidence" of widespread abuse, and that Greater Manchester Police and Rochdale Council had failed to properly investigate these cases, leaving girls "at the mercy of their abusers". While there were successful prosecutions, the report said that the investigations carried out during the period covered by the report only "scraped the surface" of what had happened, and that many abusers had gone unpunished."

by Der_Einzige

4/13/2026 at 4:00:28 PM

>The UK never even did anything except sweep the LAST pedophile ring uncovered under the rug too!

the comment you are replying to is written sarcastically, ending with: "to ensure that no pedophile rings could be exposed"

in other words, they agree with what you have written. your reply appears to assume the opposite.

by john_strinlai

4/13/2026 at 4:01:01 PM

Read again what you are responding to.

by pfdietz

4/13/2026 at 3:49:52 PM

As fatiguing as legal breach notices are to lay people, it's equally frustrating as a dev because security is not a distinguishing feature we can advertise in our product so we can't prioritize it at all. Let the lawyers figure it out later seems to be best practice now.

And of course vuln finding is now automated so even if we do a good job locking it down this morning, nothing will not keep out the next wave tonight.

Plus, our current political atmosphere encourages digital chaos, for example gutting CISA.

by imglorp

4/13/2026 at 3:33:16 PM

HN is a bit of a bubble in that people here tend to be quite privacy focused and would be horrified at the prospect of their details being leaked.

For a lot of normal people that's not the case and as long as they don't get someone actually stealing their identity etc. they aren't really concerned about these kind of things

by ifwinterco

4/13/2026 at 3:27:48 PM

Its the tech worlds equivalent to eating X causes cancer.

by tokai

4/13/2026 at 3:36:03 PM

Frustratingly, I have my foot in both worlds to a degree. I'm interested enough in tech to pay attention and often lurk the tech bubble that is HN and hear about the raging dumpster fires from the folks who live and work in that domain. But I exist in a mostly non-tech world IRL where this exists among the other burning dumpster fires to the point that I can't care about another data hack, and i hate that I don't have the bandwidth to care. To a more acute degree, my mother was nearly wiped of half her life savings by "hackers"/fraudsters posing as employees of her bank. Being "hacked" is a part of life now, and outrage fatigue is real.

by hydrogen7800

4/13/2026 at 4:03:10 PM

> a giant pedophile ring has been exposed that no one in power seems interested in doing anything about

This was one of the things Trump got 2024 elected on - many Republican voters were extremely keen on this being addressed. I'm glad Trump's fumbled it now so the Democrats are interested in addressing it, though for the wrong reasons.

by philipallstar

4/13/2026 at 6:29:30 PM

> so the Democrats are interested in addressing it

They're not any more interested in addressing it than the existing administration - it's just a talking point like everything else. Ammunition to get elected and then put away in a dark closet.

by vdqtp3

4/13/2026 at 10:11:35 PM

Finally we know what AI is good for! And It’s not about make mundane developers more productive

by sdevonoes

4/13/2026 at 4:29:00 PM

[flagged]

by jrm4

4/13/2026 at 4:47:20 PM

>As someone who's older, and is just generally gobsmacked all the time by the sloppiness in cybersecurity, all of this is just not surprising.

as someone who used to work in cybersec (and is also older), most of the time (in my experiences) it isnt sloppiness.

1) people fight tooth and nail against anything that inconveniences them. security is almost always going to be an inconvenience tradeoff, so it is always fought against. from every person and every department. rolling out 2fa was worse than pulling teeth, despite it being a single button press ("approve") on the phone, once or twice a day (or less). c-suite is the worst, demanding exclusions and bypasses. its hard to say no to your bosses boss when they refuse to use a password manager, refuse to setup 2fa, or whatever the case is.

2) security offers no immediate or visible return on investment. so, it gets little to no positive attention by c-suite and even less budget. you end up with underpaid, under-qualified, over-worked people trying to figure out which thing they might be able secure out of the 10 things that need securing. half of them will be tied up trying to explain to someone why they cant use the company name as their password or begging someone to use the password manager.

even here, a forum of hackers, security is often put in scare quotes and almost always mentioned beside the word "theater". people brag about still running windows 7, because it was the last good windows. antiviruses arent needed. X security feature is just a lie so that company Z can control my device. people get big mad when a company rolls out mandatory 2fa. and so on.

edit: case in point, on this thread a comment was just posted with "I think you can argue that cybersecurity doesn't really matter, in the grand scheme of things."

by john_strinlai

4/13/2026 at 6:43:18 PM

> once or twice a day (or less).

If that was all it was, people would be a lot less annoyed by it.

by BobaFloutist

4/13/2026 at 5:44:59 PM

Freedom, Security, Convenience. Choose two.

by gdrift

4/13/2026 at 8:57:27 PM

[flagged]

by jrm4

4/13/2026 at 5:35:32 PM

> We managed to put buttons on appliances that don't make the appliance explode, but failed to do that in email links, which are just buttons.

Reminds me of the time I accidentally entered my bank PIN into my washing machine and hackers ran off with $500 of my money.

What puzzled me most was the time and energy put into the attack, all for the off chance of a successful attack. Security footage showed them removing my washing while I was at work and replacing it with one the hackers controlled. This "phishing machine"-- as I now call it-- was apparently fitted with some kind of LoraWAN device waiting for me to unwittingly enter my PIN to unlock. Something my washing machine never asked me to do before, btw, but I did it anyway (like an idiot).

I changed my bank PIN, but I still use the old PIN to run the phishing machine-- funny enough it's fully functional and in fact works better than the old one.

All said, the hackers probably lost $1000 on the deal. Police said this is a very common attack on washing machine buttons throughout the Southeast, so I'm wondering if part of our current economic stagnation is due hackers going into bankruptcy from this.

by jancsika

4/13/2026 at 4:43:59 PM

> And then, we still have yet to punish or hold accountable any large party who made things this way. Until we do that, keep expecting this.

This is the key. No incentive to change. It's always "the hacker's fault" and never "the manufacturer's negligence" or "the developer's carelessness" or "the user's gullibility." Combine this with the currently-prevailing Don't Blame The Victim mentality, and it's the perfect environment for never improving cybersecurity.

by ryandrake

4/13/2026 at 5:03:29 PM

But yet, the pigs who built the houses of straw and sticks got eaten. The pig who built the house of bricks is seen as responsible, even though it took longer and cost more; he made the right choice.

The wolf is seen as ever-present. Failure to consider the wolf when choosing building materials has consequences.

It blows my mind that this story has been part of our culture for centuries, yet we apply exactly the opposite model to cybersecurity.

by myself248

4/13/2026 at 5:23:28 PM

But have you thought about the bonus you can get by reducing house building costs in Q3?

by IsTom

4/13/2026 at 6:00:13 PM

Yea, CyberSecurity will get fixed when companies are held responsible to the point that data breaches have severe impact on bottom line.

by stackskipton

4/13/2026 at 5:52:58 PM

We just caught our company president, CFO, and head of sales using smuggled Starlink dishes on the roof with wide open wifi because our firewall "broke things".

Thank goodness for all the other layers... the firewall is just doing basic hygiene. The SASE and zero trust policies are doing the heavy lifting.

No one want's to follow any rules and when caught out do not want to take respnsibility for their own actions.

Since it was an open wifi, I hope we get nailed for hosting child porn or cryptocoin scams... ffs

by FuriouslyAdrift

4/13/2026 at 6:40:11 PM

>>> We just caught our company president, CFO, and head of sales using smuggled Starlink dishes on the roof with wide open wifi because our firewall "broke things".

Wait, what?!?! I gotta hear this story. I have so many questions like how in the hell do you casually smuggle in not one, but several Starlink dishes?

by burningChrome

4/14/2026 at 12:49:21 PM

Well.. they pay the checks so it was easy to go shadow IT. They paid the company that manages the physical building to install access pipes on the roof and run the cables between the dish and the routers. Dishes sitting on the roof and routers above the drop ceiling.

Didn't even notice until the wifi rogue detector flagged the SSID due to it's relative strength (we're in a highly contested area for 2.4 and 5 Ghz).

by FuriouslyAdrift

4/13/2026 at 8:30:02 PM

Yes, AI is getting better at finding exploits and cracking software, but it will also get just as adept at defense. It will all escalate, but mostly maintain parity.

by thordenmark

4/13/2026 at 9:15:06 PM

An attacker only has to win once. A defender must win every time

by fzzzy

4/13/2026 at 6:37:10 PM

I miss the days when the big security concern was quantum breaking contemporary encryption. Air gaps and local stacks are overdue for a comeback.

by KIFulgore

4/13/2026 at 6:46:09 PM

Even that may not work. See Stuxnet.[1]

[1] https://en.wikipedia.org/wiki/Stuxnet

by Animats

4/13/2026 at 6:50:19 PM

Yep, there is always the human factor. Leave a USB drive in a parking lot, someone will insert it. You don't even need an obvious drive anymore, a malicious cable will suffice.

by KIFulgore

4/13/2026 at 3:23:50 PM

> Cisco’s private GitHub was cloned.

From this,

https://www.sdxcentral.com/news/cisco-source-code-breach-lea...

It sounds like they were/are using GitHub to host company-private source code, presumably of high-value.

While it's hard to know exactly the setup (e.g. maybe they are running their own instance of GitHub internally), this is your reminder that public clouds are not secure, no matter how much you pay the maintainers of said clouds.

Internal network compromise is of course always possible, but sheesh, it sounds like this list has lots of public cloud failures.

by titzer

4/13/2026 at 5:10:43 PM

If cybersecurity is slowly ramping up in complexity, isn’t the statement “we’re living through the most consequential hundred days in history” always trivially true?

by gcr

4/13/2026 at 5:39:59 PM

Yep.

by tptacek

4/13/2026 at 4:47:53 PM

If I can play devils advocate in favor of public disinterest about these events, I think you can argue that cybersecurity doesn't really matter, in the grand scheme of things. At least data exfiltration.

What would the consequences for humanity be if every single electronic patient record was leaked onto the internet? Immediately hugely bad for some groups, unfortunately. After a good deal of embarrassment and drama however, some severe, perhaps the net effect is positive. It would most likely facilitate a lot of scientific inquiry. A lot of people, especially in medical deserts, also use Chatgpt as an md. Providing AI companies with high quality medical data is actually a public service.

So it goes for many things in life, and except for financial and destructive wipe attacks, data security is mostly about protecting the IP of incumbents, which is somewhere between irrelevant and a net negative. It's hard to say what the long term consequences of the IP system breaking down would be, but there is a good argument to be made that it's not necessarily bad.

As for individual people, most don't really care or are resigned to the fact that Google already knows everything about them, and probably abstractly enjoy the fact that a major company gets brought down to their reality. Plenty of societies have extremely collectivistic mindsets of public info being shared, like Scandinavian countries having public tax filings, and they work just fine.

I think most people would secretly relish the outcomes of everything leaking everywhere. Just like people relish the Epstein files being released, and probably would have loved an unredacted version being leaked. Secrets are something human beings naturally gravitate towards to dig up and sharing, and this is actually for good, sensible reasons. Evolution has simply favored groups that did not hoard knowledge, at least not internally. There is a reason the scientific method has openness as a virtue, and is arguably one of the pillars that has carried humanity out of the dark ages.

by stalfie

4/13/2026 at 5:05:21 PM

It would be terrible, I don’t think you’re thinking about what kinds of discrimination can happen due to things like medical records. You can have laws in place to prevent it but if someone can freely see your entire medical history then people WILL take advantage of that. Not to mention how things like citizens traveling to states where abortion is legal, or if a parent disagrees with an operation could affect someone if things are public. This is only talking about medical records, too, the implications of other kinds of espionage have significant repercussions as well. Cybersecurity absolutely does matter

by bradishungry

4/13/2026 at 5:49:58 PM

Actually you're right, upon reflection the medical records example is a terrible one, given the proclivities of many governments and/or vindictive mobs. Although the greater issue here is that there exists governments that care about abortions, and the fact people accept living under their reign one way or another. Unfortunately those government are often in positions of power to figure this out and punish individuals no matter what.

And I'd just like to underline the fact that this is truly a devil's advocate position, not something I'd argue strongly for.

But for the LLM training data company, does that leak matter? I guess that depends on your stance about AI proliferation and safety. But if you don't it's at worst a boost for open source LLMs. Rockstar? A great deal of hard work has surely gone into GTA-6 between all the union busting but, but it hardly matters for humanity what particular game people use to entertain themselves. And the medical device company, although the wipe part is truly just senseless destruction, actually might benefit humanity more if a few bootleg factories of their products appear.

Many of these are very stretched scenarios. But for instance in the case of espionage, the problem is not the fact that people are spying, the problem is that there is a war. And the more nefarious regimes tend to depend more on secrecy and lies in order to perpetuate themselves. If total transparency was applied to all governments equally, most democracies would be positively affected. The problem is not the leakage of the Epstein files. It's that this kind of activity could occur in secret and remained covered up.

by stalfie

4/13/2026 at 6:22:36 PM

This is the most pragmatic answer. It was valued fairly. Those who stand to lose got spooked. For consumers we're looking at less privacy/new dangers in a globally connected world. We'll need to adapt, these corporations are trying to adapt to new risks. The labs will be held liable for corporate and sovereign losses when the damage is big enough, like meta/facebook recently

by redanddead

4/13/2026 at 6:52:56 PM

It's very different for Google, the giant faceless corporation, to know someone's search history. Making it _public_ is a different ballgame.

I can't believe I have to say this, but you can't simply delete an important facet of society (expectation of privacy) and expect things to turn out alright. People will still have hangups around prudish topics and traditions. And privacy has always worked as an escape hatch for people in bad situations, either locally (controlling parents and partners) or society-wide (facist governments, genocides).

Just because we can imagine a society where this information is public and everything still works, doesn't mean that there's a path from here to there.

by BoppreH

4/13/2026 at 6:21:32 PM

Looking at the Israeli startup scene, there is a huge surge in cybersecurity investments (especially agentic security) in the last couple of months, looks very abnormal.

https://www.calcalistech.com/ctechnews/article/hy8t7fcobe

by myth_drannon

4/13/2026 at 6:23:49 PM

There's nothing abnormal about that.

These were all funded 2-3 years ago (heck I participated in some of these). Companies only go out of stealth when they are publicly announcing their Series A (usually right around the time of a major buyer event like BSides/RSA or DEFCON/Blackhat.

Funding rounds usually happen around 5-6 months before they get announced on TechCrunch or Calcalistech becuase such information are a signal to competition about a specific approach. It's also a massive distraction from building, because then you have to deal with media, press releases, and actually have a product marketing team. You don't want to do this until you can hire a couple PMs and PMMs (which is usually around the seed-to-series A transition becuase you will have hit the $5M ARR mark by then).

This how stuff is done here in SV as well and has been for decades.

by alephnerd

4/13/2026 at 6:59:22 PM

> And yet, the public conversation around them has been quiet to the point of being strange.

These events aren't new or novel anymore. The fact that the news does or does not report on something is indicative of editorial prerogatives and nothing more.

> This is a curious observation more than a complaint.

We went from 25% of the world population using the internet to now more than 80% are on the internet. More people understand the fundamental issue, and so are uninterested by it, so for-profit publications will not cover it.

by themafia

4/13/2026 at 4:51:53 PM

I have this mental model that the natural state of the web is to act like an organism that is continuously assaulted by viruses - sometimes that is SEO spam, sometimes actual viruses, sometimes a game-changing shift like AI vulnerability scanning. The pattern is the organism gets assaulted, digests the virus and comes back a bit tougher with more layers of complexity and defensiveness.

I think right now we are waiting for the Morris worm (https://en.wikipedia.org/wiki/Morris_worm) equivalent shock to the system, but it is likely to be much, much worse and much more specific. I expect something that will make DOGE stealing SSNs look kind of tame. Something like every private GitHub exposed, every Visa card data and history exposed, every Mac injected with a rootkit, etc. It's like waiting for the plot from Sneakers to manifest.

For all the security we have built over the last 50 years, it has been impossible (or nearly so) to lock down any web-accessible content. It is a structural issue at a certain level of complexity, the surface area is just far too wide for any focused effort. Aside from direct 0 day vulnerabilities in software there are vulnerabilities in core libraries, frameworks, CI/CD, cloud services, hardware bugs, gaps between services, permission vectors, etc.

The U.S. has relied on the legal system to allow our insane credit card system to persist, where security by obscurity (knowing someone's CC#) is the main deterrent to abuse. I need a complex password to access any website, but CC#s are flying free. I think the combination of easy worldwide vulnerability scanning and U.S.'s focus on pissing every country off is going to lead to significant and unending asymmetrical warfare. If our gov't has been co-opted by big business, big business is going to become the target. As we have seen with Iran with Hormuz and Ukraine with drone strikes, it isn't so hard for small countries to fuck up global systems.

We are entering a 90s-style phase where any script kiddie can cause massive disruptions. Trump likes to threaten NUCLEAR but security issues could potentially cause even more death and destruction - overwhelm the energy grid, open dams, crash air traffic control communications, etc. There is lots of concern over the oligarchy owning AI and keeping it for themselves, but the more immediate risk is that any country can potentially lash out with disruptive actions.

There has been a retreat from globalization since COVID. I wouldn't be surprised if that extends to global internet communications as well. Internet traffic between countries might soon be severely restricted, that's the last line of defense we actually have if this goes as badly as Anthropic is implying.

by lubujackson

4/13/2026 at 4:55:41 PM

Or not

by mring33621

4/13/2026 at 5:23:14 PM

I know this ship has sailed but the modern term “cyber” usually referring to offensive or defensive software technology (presumably short for cybersecurity) drives me up a wall. It’s even worse than “crypto”. I find that people who use this term are, ceteris paribus, likelier to be full of crap.

by semiquaver

4/13/2026 at 5:38:58 PM

It's so firmly established that, just like crypto, making a stink about it says more about the objector. I don't like it either! "Cyber" is cringe, and "crypto" should mean "cryptography". But I'm not the king of usage, and both those terms have new meanings.

by tptacek

4/13/2026 at 6:46:05 PM

Each time I see “cyber” used in a headline (so far it happened once) without any other hints that it’s about security, I am initially confused. What is wrong with the term “infosec”, exactly? Clear, logical, well-known and most widely used term to mean—you guessed it—information security.

There does not have to be a term committee or term police for colloquial use, but to me referring to somebody calling it out when terminology makes no sense as “making a stink” says something about the objector.

by strogonoff

4/13/2026 at 7:42:37 PM

Cyber expands way past infosec. And that's the crux of the problem with the complainers these days. You don't understand the full picture. You've convinced yourself you do. And so you tilt at windmills like an idiot.

by halJordan

4/13/2026 at 9:53:54 PM

Ok, what’s cyber to you?

by semiquaver

4/13/2026 at 6:03:57 PM

At least this site managed to not get shut down because it appears to foster timely communication to cybercriminals :D

by foobarian

4/13/2026 at 9:03:34 PM

Is it really? I actually didn't understand the headline because I have never seen "cyber" been used this way. It's pretty stupid and I think we have all the rights to push back.

by spacechild1

4/13/2026 at 6:08:14 PM

At least we hardly ever have to hear anyone say "cyberspace" anymore

by z500

4/13/2026 at 6:04:42 PM

Wanna cyber?

by dmurray

4/13/2026 at 6:59:13 PM

only if we crypto first

by MWil

4/13/2026 at 6:27:13 PM

As an old school hacker ... I feel your pain.

Words change meaning all the time. I vividly remember when 'coder' was used as a diminutive, much like the later script-kiddie or code-monkey - "A software developer of little skill or knowledge". Today, people habitually call themselves that.

by DocTomoe

4/13/2026 at 7:51:44 PM

The way I always understood it is that "coder" is a broad term that includes writing non-turing complete languages like HTML and CSS as well as turing complete languages, whereas the term "programmer" is more specific to writing executable code.

Nowadays I'm not sure anyone is employed writing only HTML and CSS but in the 90s and 00s it was definitely a distinction worth making.

by zarzavat

4/13/2026 at 7:44:01 PM

The irony of calling yourself a hacker while complaining about new words being cringe when hacker is the epitome and grandfather of all cringe names in this domain.

by halJordan

4/13/2026 at 5:36:22 PM

"order of magnitude" seems to also be silly-speak very often, trying to sound more technical than "ten times".

i suppose it is similar to "exponentially" being used when it doesn't mean exponentially.

by jjtheblunt

4/13/2026 at 8:22:21 PM

> "order of magnitude" seems to also be silly-speak very often, trying to sound more technical than "ten times".

But these are two different things. If I hear "ten times" I assume the person actually means ten times; when they say "an order of magnitude", I'm aware they might mean 8 or 12.

by dvfjsdhgfv

4/13/2026 at 8:49:23 PM

agreed...thought of that after writing it, and thanks for noting it too.

i thought the order of magnitude is often hipster phrasing, even on HN at times, but, when actually intended, it's like saying floor(log_base10( whatever )), so the ten times thing would have to be "roughly ten times" for example, to be comparable.

Also, in some contexts the base isn't presumed to be 10, of course, though around here in loose jargon that's usually what folks are saying.

by jjtheblunt

4/13/2026 at 4:35:28 PM

[dead]

by iJohnDoe

4/13/2026 at 3:46:44 PM

Add to this the Rockwell Automation attack and you get a beautiful Chickens-Coming-Home-To-Roost stew!

https://www.cisa.gov/news-events/cybersecurity-advisories/aa...

by cols