I get amused that people don't realize that genAI is an existential threat to the internet and everything that has been built on it.

1) One can no longer trust things out on the web. 2) One no longer needs things out on the web.

For 1), I hope the defense mechanism kicks in time to bake security into our computing culture and pervades throughout the stack.

> If you are young and wanting a promising trade in tech, security would absolutely be a good choice.

If AI is capable of performing these attacks, what would stop AI from replacing the security engineers?

Oh, we're back to not being able to trust Google Ads again?

I recall there being Malvertising campaign problems ~12-15 years ago or so, and then they seemed to get on top of it.

This just seems like the result is people are going to be driven off the internet. It will simply not be safe for the layperson.

> If you are young and wanting a promising trade in tech, security would absolutely be a good choice. Shit is going to get CRAZY.

Yes, but you can't be a CISSP or SOC monkey - that has no future.

You need to be an actual Software Engineer who understands development fundamentals, OS internals, web dev fundamentals, algorithms, etc as well as offensive and defensive concepts.

To many "cybersecurity" graduates in North America aren't even qualified to do L1 IT Helpdesk, which is a shame because the IT to Security talent pipeline is critical (along with the SRE, SWE, and ML to security pipeline).

How can open source software possibly survive this?

It's so firmly established that, just like crypto, making a stink about it says more about the objector. I don't like it either! "Cyber" is cringe, and "crypto" should mean "cryptography". But I'm not the king of usage, and both those terms have new meanings.

Wanna cyber?

As an old school hacker ... I feel your pain.

Words change meaning all the time. I vividly remember when 'coder' was used as a diminutive, much like the later script-kiddie or code-monkey - "A software developer of little skill or knowledge". Today, people habitually call themselves that.

"order of magnitude" seems to also be silly-speak very often, trying to sound more technical than "ten times".

i suppose it is similar to "exponentially" being used when it doesn't mean exponentially.

Two possibilities:

1. Fear that a major vulnerability is found in a commonly used software package that puts multiple major banks and e-commerce sites at risk

2. Fear that major vulnerabilities are found in multiple, widely used software packages that lead to market downturn as IT company stocks crash.

Probably others as well. Sounds more like a brief on worst-case scenarios that may happen and how they would effect the US banking sector. This is an important mid-year election this year too, so any big economic shock would be bad for the GOP.

[dead]

They've been on HN, but that's the author's point. Even this article on HN- the top comment is a series of complaints about "hurr durr ai needs to get off muh lawn"

The point is that the people, who self-identify as the ones the author is supposedly asking for help, are the ones who are refusing to acknowledge the elephant in the room so they can feel smug. Just like your "but i read about every incident mentioned, where's my cookie"

I totally appreciate this take and have thought something similar but I am old enough to be familiar with the part of my brain responsible for these thoughts and know it has a long track record of being horribly wrong.

Sure, hedge your bets. Get financially secure. But also consider that "nothing ever happens" is usually correct and the world has a way of ensuring things keep going in the direction they have to in order to give stability to the establishment (which we are generally a part of).

This is huge and something I've been hearing a lot of rumblings about.

I just did some quick research:

- ~4.8 million unfilled cybersecurity roles globally as of 2025–2026

- Global workforce ~5.5 million, but ~10.2 million needed to meet demand

Not to mention the growth in the industry has slowed to ~0.1% year over year and you're seeing those shortages are outpacing the current workforce. Add in the most senior folks like yourself are just noping out and leaving the industry wholesale is troubling and unsettling.

Its not surprising we're seeing an unprecedented level of successful attacks. We simply don't have the resources to keep up with the criminals/hackers out there who are moving significantly faster than the companies they are targeting.

As others have pointed out, I'm not sure how this can get anything other than much worse in the near future.

I'm starting to think anyone who knows anything about software engineering has a moral obligation to step up and defend against what's coming. I think the world needs us more than ever, this is a critical time that can go one way or the other. We need to use AI to defend and protect ourselves and the ones who can't protect themselves against malevolent AI and its users.

> a AI-free, non-tech trade that won't take too long to get into - think a PA, nurse, plumber, etc.

I'm not sure if personal assistant or nurse are going to be AI-free. Plumber, welder, bricklayer, pest exterminator, sure. Don't underestimate the downsides of physical labor, though. Low pay and backbreaking.

What writing on the wall? If anything, I think you'll be more needed, not less, in times to come.

i've been saying there's going to be some interesting "computer glitches" in the news over the next few years. We've already had one where someone convinced an AI to sell them airline tickets for $1. I expect many more strange bugs, some being very bad, in the future.

There are two polar opposite vibes in this comment section: one guy above is calling FOMO, we should all get into the security trade, and yours is FUD.

I hope this all lands somewhere in the middle but honestly who knows at this point.

Feels like that there was a World War started on smaller spark than some of those in the OP in a tense world. And this world is tense again, very tense.

Bad news: All your data with data brokers will be public soon.

Good news: All the data of elected officials will be public soon, and we may finally get some regulation.

All the big tech companies are getting access to mythos. If anthropic is blowing smoke with regards to its ability to find vulnerabilities it will leak very soon.

Cultivating and leveraging fear is truly a cornerstone of Security™.

I don't think the claims about capability are ridiculous. The idea that the general capability is proprietary and that it will be exclusive to the trusted partners of one company is ridiculous.

This AI and security genre really has legs.

The idiocy out of the Whitehouse is an intentional strategy to flood the zone with crap that sucks all the air out of the room. They have intentionally broken the ability of the public to become informed through a number of means: attention atrophy, lowest-common-denominator mudslinging, and massive, manufactured, stupid global crises. People have become deaf and desensitized.

The fact that humanity sent people back to the moon barely even registered. Crazy times.

I know for my part I am so tired of the constant crises. At this point I just want the inevitable collapse to hurry up and happen already so we can just focus on picking up the pieces and move the fuck on.

Yeah, it's not indifference or apathy. It is overwhelm. There are too many things that need attention and not enough attention.

> people becoming tired of constant stream of crises

They aren't tired, they're distracted. X/TikTok/et. al. are all fire and motion mechanisms.

Agreed, call it future shock or the Singularity or just overall outrage fatigue, people just aren't reacting to these kinds of things at a level commensurate with their risk or danger.

One word, Hypernormalization.

> Why? I think such indifference or rather apathy/torpor is a result of people becoming tired of constant stream of crises (either imaginary or real) that we're being flooded by. The capacity to react with something more than a shrug is finite. And I think we are being drained.

I think it's more that the impact of all these constant string of "crises" ends up having very little impact on the average American's lifestyle. Groceries a bit more expensive, gas higher, rent continues to creep up. Some giant incomprehensible national debt number gets higher. Those all suck and people complain about them - but they are complaining about them in packed bars while they drink $7 beers and eat $30 burgers and fries.

You can only yell so many times that the world is ending before people tune it out since their day to day lives are largely unchanged. Just look at the focus on complaining about almost irrelevant things like the price of eggs or whatever totally irrelevant culture war topic of the day. It's societal bike shedding.

I am firmly of the belief (and have been for quite some time) that the "average" middle class American is going to need severe pain - as in widespread great depression level pain - before anything really changes at all at the ground level. Americans have simply become so used to living the lifestyle being part of an insulated hegemonic superpower empire that they have taken that for granted as how things generally will always be no matter what happens. There is zero consideration for the amount of sheer effort, will, and constant vigilance it took to build and maintain such a state of being.

Or put another way: Inertia is a hell of a drug.

[flagged]

The precipitous drop in fertility even in low income countries. The rise in populism and fear.

It's the phones, humans are being DDoSd. We need government intervention against many aspects of modern technology.

The profit motive works when it comes to reducing manufacturing costs and passing some of that on to consumers through the beauty of competition. It doesn't work so great when it's X training a transformer model to maximize the amount of time you spend doom scrolling so they can feed you gambling advertisements.

These kinds of groups operate as businesses and in some cases government agencies. It would be the same experience as working for any other tech company.

Even that may not work. See Stuxnet.[1]

[1] https://en.wikipedia.org/wiki/Stuxnet

>As someone who's older, and is just generally gobsmacked all the time by the sloppiness in cybersecurity, all of this is just not surprising.

as someone who used to work in cybersec (and is also older), most of the time (in my experiences) it isnt sloppiness.

1) people fight tooth and nail against anything that inconveniences them. security is almost always going to be an inconvenience tradeoff, so it is always fought against. from every person and every department. rolling out 2fa was worse than pulling teeth, despite it being a single button press ("approve") on the phone, once or twice a day (or less). c-suite is the worst, demanding exclusions and bypasses. its hard to say no to your bosses boss when they refuse to use a password manager, refuse to setup 2fa, or whatever the case is.

2) security offers no immediate or visible return on investment. so, it gets little to no positive attention by c-suite and even less budget. you end up with underpaid, under-qualified, over-worked people trying to figure out which thing they might be able secure out of the 10 things that need securing. half of them will be tied up trying to explain to someone why they cant use the company name as their password or begging someone to use the password manager.

even here, a forum of hackers, security is often put in scare quotes and almost always mentioned beside the word "theater". people brag about still running windows 7, because it was the last good windows. antiviruses arent needed. X security feature is just a lie so that company Z can control my device. people get big mad when a company rolls out mandatory 2fa. and so on.

edit: case in point, on this thread a comment was just posted with "I think you can argue that cybersecurity doesn't really matter, in the grand scheme of things."

> We managed to put buttons on appliances that don't make the appliance explode, but failed to do that in email links, which are just buttons.

Reminds me of the time I accidentally entered my bank PIN into my washing machine and hackers ran off with $500 of my money.

What puzzled me most was the time and energy put into the attack, all for the off chance of a successful attack. Security footage showed them removing my washing while I was at work and replacing it with one the hackers controlled. This "phishing machine"-- as I now call it-- was apparently fitted with some kind of LoraWAN device waiting for me to unwittingly enter my PIN to unlock. Something my washing machine never asked me to do before, btw, but I did it anyway (like an idiot).

I changed my bank PIN, but I still use the old PIN to run the phishing machine-- funny enough it's fully functional and in fact works better than the old one.

All said, the hackers probably lost $1000 on the deal. Police said this is a very common attack on washing machine buttons throughout the Southeast, so I'm wondering if part of our current economic stagnation is due hackers going into bankruptcy from this.

We just caught our company president, CFO, and head of sales using smuggled Starlink dishes on the roof with wide open wifi because our firewall "broke things".

Thank goodness for all the other layers... the firewall is just doing basic hygiene. The SASE and zero trust policies are doing the heavy lifting.

No one want's to follow any rules and when caught out do not want to take respnsibility for their own actions.

Since it was an open wifi, I hope we get nailed for hosting child porn or cryptocoin scams... ffs

> And then, we still have yet to punish or hold accountable any large party who made things this way. Until we do that, keep expecting this.

This is the key. No incentive to change. It's always "the hacker's fault" and never "the manufacturer's negligence" or "the developer's carelessness" or "the user's gullibility." Combine this with the currently-prevailing Don't Blame The Victim mentality, and it's the perfect environment for never improving cybersecurity.

The issue is also one of agency: the public has absolutely no agency in this. There is nothing an ordinary member of the public can do to avoid having their data exposed, there is nothing they can do to cause corporations to have more robust security models nor to cause actual consequences for all the executives that chose profit over security at every possible decision point.

To the public this becomes like the risk of being hit by lightning or being in a car accident, just background noise we avoid thinking about as much as possible. It is just the cost of living in this economy.

As fatiguing as legal breach notices are to lay people, it's equally frustrating as a dev because security is not a distinguishing feature we can advertise in our product so we can't prioritize it at all. Let the lawyers figure it out later seems to be best practice now.

And of course vuln finding is now automated so even if we do a good job locking it down this morning, nothing will not keep out the next wave tonight.

Plus, our current political atmosphere encourages digital chaos, for example gutting CISA.

> a giant pedophile ring has been exposed that no one in power seems interested in doing anything about

But that's not true. The European Union and many other countries are taking extreme measures to ensure that what happened in the United States never happens with them and they are introducing a bunch of different measures to strengthen control over society, the media sphere, and other measures to ensure that no pedophile rings could be exposed.

HN is a bit of a bubble in that people here tend to be quite privacy focused and would be horrified at the prospect of their details being leaked.

For a lot of normal people that's not the case and as long as they don't get someone actually stealing their identity etc. they aren't really concerned about these kind of things

> a giant pedophile ring has been exposed that no one in power seems interested in doing anything about

This was one of the things Trump got 2024 elected on - many Republican voters were extremely keen on this being addressed. I'm glad Trump's fumbled it now so the Democrats are interested in addressing it, though for the wrong reasons.

Its the tech worlds equivalent to eating X causes cancer.

Frustratingly, I have my foot in both worlds to a degree. I'm interested enough in tech to pay attention and often lurk the tech bubble that is HN and hear about the raging dumpster fires from the folks who live and work in that domain. But I exist in a mostly non-tech world IRL where this exists among the other burning dumpster fires to the point that I can't care about another data hack, and i hate that I don't have the bandwidth to care. To a more acute degree, my mother was nearly wiped of half her life savings by "hackers"/fraudsters posing as employees of her bank. Being "hacked" is a part of life now, and outrage fatigue is real.

Yep.

There's nothing abnormal about that.

These were all funded 2-3 years ago (heck I participated in some of these). Companies only go out of stealth when they are publicly announcing their Series A (usually right around the time of a major buyer event like BSides/RSA or DEFCON/Blackhat.

Funding rounds usually happen around 5-6 months before they get announced on TechCrunch or Calcalistech becuase such information are a signal to competition about a specific approach. It's also a massive distraction from building, because then you have to deal with media, press releases, and actually have a product marketing team. You don't want to do this until you can hire a couple PMs and PMMs (which is usually around the seed-to-series A transition becuase you will have hit the $5M ARR mark by then).

This how stuff is done here in SV as well and has been for decades.

This is the most pragmatic answer. It was valued fairly. Those who stand to lose got spooked. For consumers we're looking at less privacy/new dangers in a globally connected world. We'll need to adapt, these corporations are trying to adapt to new risks. The labs will be held liable for corporate and sovereign losses when the damage is big enough, like meta/facebook recently

It would be terrible, I don’t think you’re thinking about what kinds of discrimination can happen due to things like medical records. You can have laws in place to prevent it but if someone can freely see your entire medical history then people WILL take advantage of that. Not to mention how things like citizens traveling to states where abortion is legal, or if a parent disagrees with an operation could affect someone if things are public. This is only talking about medical records, too, the implications of other kinds of espionage have significant repercussions as well. Cybersecurity absolutely does matter

It's very different for Google, the giant faceless corporation, to know someone's search history. Making it _public_ is a different ballgame.

I can't believe I have to say this, but you can't simply delete an important facet of society (expectation of privacy) and expect things to turn out alright. People will still have hangups around prudish topics and traditions. And privacy has always worked as an escape hatch for people in bad situations, either locally (controlling parents and partners) or society-wide (facist governments, genocides).

Just because we can imagine a society where this information is public and everything still works, doesn't mean that there's a path from here to there.