Hacker News

We May Be Living Through the Most Consequential Hundred Days in Cyber History

210 points by laurex today at 2:53 PM | 127 comments

Comments

xtracto today at 8:25 PM

A couple of days ago I was thinking about something related to this: What would the "computing" space look like once we get to the ultimate evolution/development of the AI/LLMs or whatever comes after it?

Say in 10 years, once we have things like a Claude Mythos (or better) model running in "real time" at the speed of how Taalas runs ollama now.

I have a feeling that "cyberspace" (however we want to call it) won't matter anymore. "Computing" won't matter anymore. Say, I want to implement a Massive Multiplayer Lemmings-like game, it's done at the snap of my fingers. Say I want to find a way to "crack" X software? Done. Say I want to find a vulnerability in Y website? Easy peasy. Say I want to build a "PowerPoint" clone, done (not that it matters, as making a presentation will be as simple as saying "Mythos5, make a presentation about X,Y,Z with nice and meaningful transitions").

Same with music, video, images, etc. Once everything can be created automagically... what happens? (say, "Make me a film like the original John Wick but with the wit and style of Kingsman, make a young Sean Connery the main actor").

So, ultimately cyberspace will be so chaotic with the current "rails", that it will be completely different to what we know now.

At the risk of being booed here in HN, I also have a hunch that the more we go there, the more stuff like "trustless computing" or "proof of N" (having to SPEND something, some real life, finite effort, to do things online) will gain more force. Somehow, Hashcash was conceived to deal with spam/automation type of attacks, so I assume a version of that will have to be used to "structure" Cyberspace in the future.

My hypothesis is that this will take us back to "the real world" due to "surfeit": Kind of what happens once you add a "trainer" to a game and suddenly you have all the money/resources, and then it becomes boring. Once the "digital" stuff is solved, we will go back to the real world.

Very exciting times.

iainctduncan today at 4:49 PM

As part of my work in technical diligence, I create medium-long form content marketing material on topics germane to PE investment in tech. In the last six months I did a series (not yet published) on the state of security in the age of gen-AI. Basically, we are entering the ransomware apocalypse. It is insane what a godsend gen-AI has been to the cybercrime sector.

Things that used to work reliably - like trusting Google ads or sponsored links not to be malvertising sites - are meaningless now that gangs can trivially spin up networks of thousands of fake interacting sites and linked profiles to sneak by fraud detection. Phishing attacks are ridiculously sophisticated. Supply chain attacks are going to mean package managers are hand grenades. Ransomware gangs are running full on SaaS services allowing script kiddies access to big gun material. Attacks that were previously only in reach of nation-state-sponsored actors are now available for peanuts. And all of this is going to get worse because of everyone and their dog using gen-AI to pump out huge amounts of vulnerable code. And then there is the world of prompt engineering for data exfiltration...

If you are young and wanting a promising trade in tech, security would absolutely be a good choice. Shit is going to get CRAZY.

semiquaver today at 5:23 PM

I know this ship has sailed but the modern term “cyber” usually referring to offensive or defensive software technology (presumably short for cybersecurity) drives me up a wall. It’s even worse than “crypto”. I find that people who use this term are, ceteris paribus, likelier to be full of crap.

ckcheng today at 4:48 PM

The strangest thing I found is:

> on April 7, 2026 … U.S. Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell convened an urgent, in-person meeting in Washington with the chief executives of [major US banks] to brief them directly on the cyber risks posed by [Anthropic’s] Mythos

Then a similar meeting happened with the Canadian Financial Sector Resiliency Group (i.e. the Bank of Canada, the Canadian government’s Department of Finance, the Canadian Deposit Insurance Corporation (Canada’s FDIC) and Canada’s six major banks).

Multiple central banks don’t usually do that, right?

https://www.ctvnews.ca/sci-tech/article/anthropics-new-ai-mo...

tosser12344321 today at 5:50 PM

I'm a head of security, great career, did engineering into management, made a tidy living doing advanced work as a risk plumber across companies that have been relevant. I've built great teams, met and solved hard IR, delved into the real reaches of vuln research, other neckbeard things, got paid very well along the way. Seen and worked on the APT issues.

More or less, I am the attractive resume, and: the game has changed folks.

For what it is worth, I am taking my ball and going home in about 12 months. I've saved enough, locked in a perma-middle class lifestyle in a great nondescript city, and swapping over to offensive consulting and an AI-free, non-tech trade that won't take too long to get into - think a PA, nurse, plumber, etc.

I'm not quite old enough and with the end of responsibilities as to FIRE, but I can read the writing on the wall enough to understand an AI-proof FI needs to be locked in before everyone else realizes the same. Many others in sec are feeling this.

I think tech will find security pros willing to throw themselves into the fray for pay and optimism. There are others like me who are extracting their final nuts. There are others who have golden-handcuffed themselves into this ride with their mortgages and private school tuitions. And I'm sure some others will stick it out. There will also be an AI-enabled version of sec eng soon enough.

But if private sector doesn't wake up to AI integrations - internal doc rollouts hoovering up PII that wasn't supposed to be stored there, externally-facing customer support portals social engineered and pivoted into, PRs via Slack comment via marketing hires who are ATO'd - this is going to be a 1990's-style BBQ where 0days on critical systems are dropped at happy hours at conferences nightly.

And: your security teams are going to be burned out, banking up, and quitting. The risk acceptances, the double-speak, the slow-rolling, the half-baked risk thinking for engineering and product leads, the corners cut, the public endpoints opened up just this one time - that's going to be enough rope, and already is enough, to hang yourself in this offensive context that's building now.

It is deeply humorous that SWE and engineering leadership has worked itself into this position via its AI push to unemploy itself while thinking it's the 1x white collar job exempt from automation threats.

All it'll take is another recession like '08, and the leaves get shaken off the trees finally. Thankfully there is only one (wait, there are two probably), thankfully there are only two-to-three (wait, there are like 10) systemic market threats right now.

Animats today at 6:39 PM

Almost all those events were on Hacker News. This hasn't been a secret.

Companies need to get serious about levels of security. Only some things need to be protected, and you have to accept a substantial level of inconvenience and cost for those items. In my aerospace days, we had a bidding rule of thumb that running a project at SECRET doubled the cost. Running a project at TOP SECRET had an even bigger cost multiplier. A surprising amount of material was not classified at all, for cost reasons.

Banks and credit card processors get this. Most other businesses don't.

nirav72 today at 3:40 PM

Not too long ago, a few gigabytes of data being stolen was a big friggin deal. Now they're swiping data in the terabytes or even petabytes.

__alexs today at 4:57 PM

Anthropic's marketing team are terrifyingly good. I wonder if Opus came up with this plan?

CoryOndrejka today at 7:09 PM

Combine every attack being a social engineering attack plus foundational model hacking-fu and we're in a shockingly interesting place. Identity itself becomes a pretty interesting opportunity/threat. Wrote an op-ed [1] with friends from Badge on this topic 6 months ago.

[1]: https://idtechwire.com/opinion-in-an-ai-world-every-attack-i...

ArekDymalski today at 3:20 PM

> Stacked on top of each other across roughly a hundred days, these events are something a historian of computing security writing in 2050 will probably file as a turning point, regardless of what else happens between now and then.
>
> And yet, the public conversation around them has been quiet to the point of being strange.

There's a lot of current events that once would have been considered historical: trip around the Moon, war out of nowhere, unprecedented explosion of kleptocracy, enormous scandals and so on. None of these are moving much of the needle among general public.

Why? I think such indifference or rather apathy/torpor is a result of people becoming tired of constant stream of crises (either imaginary or real) that we're being flooded by. The capacity to react with something more than a shrug is finite. And I think we are being drained.

jjmarr today at 3:37 PM

> In August 2025, three of the most notorious financially-motivated crews on the planet, ShinyHunters, Scattered Spider, and LAPSUS$, formally combined into a coordinated alliance widely tracked as Scattered LAPSUS$ Hunters (SLH), sometimes called “the Trinity of Chaos” (Resecurity; Cyberbit; Infosecurity Magazine; The Hacker News; Computer Weekly; ReliaQuest). Scattered Spider provides initial access through highly-effective social engineering and vishing. ShinyHunters handles exfiltration, leak-site management, and extortion. LAPSUS$ contributes its own brand of identity-system compromise.

Lmao that cybercriminals are closing M&A deals to create vertically integrated SaaS companies.

Do you think anyone was made redundant through kinetic means?

KIFulgore today at 6:37 PM

I miss the days when the big security concern was quantum breaking contemporary encryption. Air gaps and local stacks are overdue for a comeback.

jrm4 today at 4:29 PM

As someone who's older, and is just generally gobsmacked all the time by the sloppiness in cybersecurity, all of this is just not surprising.

Look, love or hate it, here's what happened; a LONG time ago (in tech terms) Microsoft and others normalized some very stupid practices; when I teach about it I basically illustrate it like this: "If I handed you a piece of paper that said 'Go jump off a bridge', will you survive this encounter with me?" Because a very large part, perhaps a majority, of computer infrastructure will not.

We managed to put buttons on appliances that don't make the appliance explode, but failed to do that in email links, which are just buttons.

And then, we still have yet to punish or hold accountable any large party who made things this way. Until we do that, keep expecting this.

john_strinlai today at 3:22 PM

>And yet, the public conversation around them has been quiet to the point of being strange.

i don't think it's that strange. there are multiple wars raging on, with many people fearing the breakout of a global conflict. a giant pedophile ring has been exposed that no one in power seems interested in doing anything about. prices for everything are haywire. markets are an absolute rollercoaster, hinging completely on one man's late night tweets. and so on.

people just don't have the bandwidth to also learn about what an npm or github is, and why a hack of it is important. news stations are going to pick the news that results in the most people tuning in to watch. that is war, not whatever a mercor is.

the non-tech (and many of the tech) people in my life are also just plain tired of hearing about hacks. they have heard that their information has been stolen 10 times or whatever in the last 5 years. they have heard 100s of "this company was hacked" stories. "another hack? who cares?".

titzer today at 3:23 PM

> Cisco’s private GitHub was cloned.

From this,

https://www.sdxcentral.com/news/cisco-source-code-breach-lea...

It sounds like they were/are using GitHub to host company-private source code, presumably of high value.

While it's hard to know exactly the setup (e.g. maybe they are running their own instance of GitHub internally), this is your reminder that public clouds are not secure, no matter how much you pay the maintainers of said clouds.

Internal network compromise is of course always possible, but sheesh, it sounds like this list has lots of public cloud failures.

gcr today at 5:10 PM

If cybersecurity is slowly ramping up in complexity, isn’t the statement “we’re living through the most consequential hundred days in history” always trivially true?

myth_drannon today at 6:21 PM

Looking at the Israeli startup scene, there is a huge surge in cybersecurity investments (especially agentic security) in the last couple of months, looks very abnormal.

https://www.calcalistech.com/ctechnews/article/hy8t7fcobe

themafia today at 6:59 PM

> And yet, the public conversation around them has been quiet to the point of being strange.

These events aren't new or novel anymore. The fact that the news does or does not report on something is indicative of editorial prerogatives and nothing more.

> This is a curious observation more than a complaint.

We went from 25% of the world population using the internet to now more than 80% are on the internet. More people understand the fundamental issue, and so are uninterested by it, so for-profit publications will not cover it.

lubujackson today at 4:51 PM

I have this mental model that the natural state of the web is to act like an organism that is continuously assaulted by viruses - sometimes that is SEO spam, sometimes actual viruses, sometimes a game-changing shift like AI vulnerability scanning. The pattern is the organism gets assaulted, digests the virus and comes back a bit tougher with more layers of complexity and defensiveness.

I think right now we are waiting for the Morris worm (https://en.wikipedia.org/wiki/Morris_worm) equivalent shock to the system, but it is likely to be much, much worse and much more specific. I expect something that will make DOGE stealing SSNs look kind of tame. Something like every private GitHub exposed, every Visa card data and history exposed, every Mac injected with a rootkit, etc. It's like waiting for the plot from Sneakers to manifest.

For all the security we have built over the last 50 years, it has been impossible (or nearly so) to lock down any web-accessible content. It is a structural issue at a certain level of complexity, the surface area is just far too wide for any focused effort. Aside from direct 0 day vulnerabilities in software there are vulnerabilities in core libraries, frameworks, CI/CD, cloud services, hardware bugs, gaps between services, permission vectors, etc.

The U.S. has relied on the legal system to allow our insane credit card system to persist, where security by obscurity (knowing someone's CC#) is the main deterrent to abuse. I need a complex password to access any website, but CC#s are flying free. I think the combination of easy worldwide vulnerability scanning and U.S.'s focus on pissing every country off is going to lead to significant and unending asymmetrical warfare. If our gov't has been co-opted by big business, big business is going to become the target. As we have seen with Iran with Hormuz and Ukraine with drone strikes, it isn't so hard for small countries to fuck up global systems.

We are entering a 90s-style phase where any script kiddie can cause massive disruptions. Trump likes to threaten NUCLEAR but security issues could potentially cause even more death and destruction - overwhelm the energy grid, open dams, crash air traffic control communications, etc. There is lots of concern over the oligarchy owning AI and keeping it for themselves, but the more immediate risk is that any country can potentially lash out with disruptive actions.

There has been a retreat from globalization since COVID. I wouldn't be surprised if that extends to global internet communications as well. Internet traffic between countries might soon be severely restricted, that's the last line of defense we actually have if this goes as badly as Anthropic is implying.

mring33621 today at 4:55 PM

Or not

stalfie today at 4:47 PM

If I can play devil's advocate in favor of public disinterest about these events, I think you can argue that cybersecurity doesn't really matter, in the grand scheme of things. At least data exfiltration.

What would the consequences for humanity be if every single electronic patient record was leaked onto the internet? After a good deal of embarrassment and drama, probably positive. It would most likely facilitate a lot of scientific inquiry. A lot of people, especially in medical deserts, also use ChatGPT as an MD. Providing AI companies with high quality medical data is actually a public service.

So it goes for most things in life, except for financial and destructive wipe attacks, data security is mostly about protecting the IP of incumbents, which is somewhere between irrelevant and a net negative. It's hard to say what the long term consequences of the IP system breaking down would be, but there is a good argument to be made that it's not necessarily bad.

As for individual people, most don't really care or are resigned to the fact that Google already knows everything about them, and probably abstractly enjoy the fact that a major company gets brought down to their reality. Plenty of societies have extremely collectivistic mindsets of public info being shared, like Scandinavian countries having public tax filings, and they work just fine.

I think most people would secretly relish the outcomes of everything leaking everywhere. Just like people relish the Epstein files being released, and probably would have loved an unredacted version being leaked. Secrets are something human beings naturally gravitate towards digging up and sharing, and this is actually for good, sensible reasons. Evolution has simply favored groups that did not hoard knowledge, at least not internally. There is a reason the scientific method has openness as a virtue, and is arguably one of the pillars that has carried humanity out of the dark ages.

cols today at 3:46 PM

Add to this the Rockwell Automation attack and you get a beautiful Chickens-Coming-Home-To-Roost stew!

https://www.cisa.gov/news-events/cybersecurity-advisories/aa...