__ __ _ _____ _ _ _
| \/ | ___| |_ __ _| ___(_) | |_ ___ _ __
| |\/| |/ _ \ __/ _` | |_ | | | __/ _ \ '__|
| | | | __/ || (_| | _| | | | || __/ |
|_| |_|\___|\__\__,_|_| |_|_|\__\___|_|
community weblog
Just the ones that broke through
Read all of that in one breath. A MOIS-operated persona whose unit head was killed three weeks earlier walked into one of the largest medical device manufacturers in the world, exfiltrated 50 TB, then pushed a destructive button that bricked 200,000 endpoints across 79 countries in minutes, postponed surgeries, stated a retaliation motive, absorbed a $10 million FBI bounty, had four of its domains seized, and was operating a replacement site the same day. from We May Be Living Through the Most Consequential Hundred Days in Cyber History, and Almost Nobody Has Noticed [ungated]
posted by chavenet on Apr 17, 2026 at 3:45 AM
---------------------------
Jesus. So much horrifying stuff in that roundup. This bit about spear-phishing sure leaped out:
AI-generated emails achieve a 54 percent click-through rate versus 12 percent for control emails
Thanks for posting this.
posted by mediareport at 4:07 AM
---------------------------
I was about to pull the same quote. I guess we found what AI is good for. Its ultimate purpose is just one more layer of scamming.
posted by rikschell at 4:18 AM
---------------------------
Just to save your time -- this is a great topic that deserves to be written about, but this article in particular is just dozens of pages of breathless, obviously AI-generated slop (if I had to say, Claude, probably).
posted by etealuear_crushue at 4:19 AM
---------------------------
Only one thing for it. I'm putting an Admiral Adama sticker on my laptop.
posted by postcommunism at 4:29 AM
---------------------------
Amongst the host of examples cited, lol that an extortion ring has Pornhub's Mixpanel data. Mixpanel tracks the way users interact with a site over time, down to what page elements were clicked on or otherwise interacted with, and allows session replays. De-anonymize the users, point an LLM at it to generate extortion emails, and wow.
posted by postcommunism at 4:37 AM
---------------------------
The piece keeps rhetorically asking why the public and private discourse seems out of step on this but I wonder if it's just a sense of resignation from the broader public. At this point, I know I have to use systems that have been proven repeatedly to be insecure to handle my sensitive information in order to participate in basic parts of my day-to-day life in society. So what am I supposed to do when confronted with the news of all this cyber warfare? Become a hermit? Or just shrug and assume that anything too terrible will be handled by the big corporate actors and I'll just have to deal with it if there's fallout. Beyond locking my credit there's not much I can do.
posted by Wretch729 at 5:23 AM
---------------------------
The piece keeps rhetorically asking why the public and private discourse seems out of step on this but I wonder if it's just a sense of resignation from the broader public.
Most people exist in a state of denial just to get by. DOGE activists were declared government employees in less than a day and took whatever they wanted for themselves from government files at their own discretion. This is something that conservatives were carefully brainwashed about over generations, which meant the invaders only needed to walk in an flash their newly invented badges. It gets mentioned in political pieces as a potential breach. This trend is huge and independent researchers are the one's doing all the documenting, similar in other arenas (such as Russia now losing the Ukraine war to highly advanced drones). These breaches will probably cause more problems to deny, since nobody is connecting the dots, but in the big picture this is almost nothing compared to climate change and the sudden eradication of wildlife.
posted by Brian B. at 6:36 AM
---------------------------
> this article in particular is just dozens of pages of breathless, obviously AI-generated slop
I'm not even saying that this isn't true, but I really wish the people who say this would provide some kind of evidence of this being the case other than "vibes". Some of the similar claims on Reddit are clearly false positives already, and I wouldn't be surprised about that being the case on MeFi, too.
Perhaps the frontier models are better at avoiding excess em dashes and "not only/just X, but Y" structures than they once were (neither of which are conspicuous in this text), and I'm just not hip to what the current tells are. Further, as a non-native English speaker, I've got an extra disadvantage. I'm certainly not comfortable ascertaining AI-ness from a random Medium or Substack post from someone whose writing style or tendency towards verbosity I don't know at all. So, evidence presented would make the argument more credible AND spread awareness of the features of AI-generated text that isn't full of heading emojis or the aforementioned classic tells. Win-win.
posted by jklaiho at 6:41 AM
---------------------------
Speaking only for myself, it's not terribly relevant if an individual piece is human slop or AI slop. I mean I guess I prefer the old-fashioned organic kind, but it's still a perfectly valid reason to skip an article.
I just took a look, and I see it opens with a one-sentence paragraph. Not a great start, but ok, what's next? A paragraph full of nothing but repeated sentences of very similar structure, that just a laundry list of items. No thesis statement, no structure, no conclusion, no thoughts or ideas expressed, just a spewing of "facts" (although idk who the hell this guy is or if any of that is true, I would think a human who wanted to write anything like "journalism" or "reporting" about this topic would toss in a few links or references). Would be better as a table or list of bullet points.
So we're off to a bad start. Skimming down, I see a few links, ok that's better... and then we hit the random bolding. Things should be bolded for a reason. Often bc it's something important. This guy seems to just sneeze and hit ctl-b sometimes.
Oh and now there are some bullet points. Aside from the annoying bolding issues, those might have some useful links.
Then I see "Pause and read that paragraph one more time". Ok that's it, I'm out. I don't care who you are, your writing is a shitty amalgam of click-bait, laundry lists, rage bait, weird tone, unfocused rambling, and cutting to the chase: seems to be waste of my time, because it doesn't seem much thought or effort went into it, nor does it seem to respect the audience much.
Best I can glean from this might be clicking a few links or seeing if anyone here on the Blue has interesting comments or links to better coverage.
posted by SaltySalticid at 7:42 AM
---------------------------
Last month, a friend of mine noticed that over a period of a few weeks, his VISA card had racked up an extra $6000 in debt, in a series of charges of about $400 to $800 each, all from the same "merchant". (Unlike me, he hadn't enabled automatic email notifications whenever a card-absent charge is made). He contacted VISA, and within a few days, all the bogus charges were reversed.
I'm not saying that the fraud was AI (it probably wasn't); the reason I bring it up is that VISA and others like to resolve these things quietly. No police, no press, no public record... it's as if it didn't happen. I expect the rollout of AI will be treated the same; errors and harms will be resolved as quietly as possible and we won't hear about them unless something happens to ourselves or a friend... or unless there's a screwup so big it impacts some vital function or affects many people at once.
So yeah, AI will definitely amplify the effectiveness of fraudulent and malicious attacks. I'm as much worried about the "legal" ripoffs it will enable, such as dynamic pricing which leverages the data that's been collected about me to determine the maximum price I will pay at the given moment for something I want.
(Re the article: shitty writing is shitty writing, and sufficient reason to be critical without needing to go too far into whether AI contributed to the shitty. Regardless, blame the author)
posted by Artful Codger at 7:55 AM
---------------------------
his VISA card had racked up an extra $6000 in debt
Check out the newest Veritasium video where they steal ten grand from an iphone with a Visa account in the transit slot in the wallet, specifically that combo.
posted by Brian B. at 8:05 AM
---------------------------
I'm not even saying that this isn't true, but I really wish the people who say this would provide some kind of evidence of this being the case other than "vibes". Some of the similar claims on Reddit are clearly false positives already, and I wouldn't be surprised about that being the case on MeFi, too.
It requires an account and I don't feel like logging into mine on my phone to check this article right now but there's pretty reliable ML-based detection of out-of-the-box AI text these days, if that's what you're looking for.
So, evidence presented would make the argument more credible AND spread awareness of the features of AI-generated text that isn't full of heading emojis or the aforementioned classic tells. Win-win.
I'm not going to make a definitive judgement on how AI this is on casual inspection but one obvious thing that feels like a tell is those section headings with pithy, colon-laden summaries of the contents to follow:
A Pattern Worth Noting: The AI Numbers Are Unusually Loud, and Unusually Ignored
posted by atoxyl at 8:11 AM
---------------------------
When I first started reading about Mythos, a few days ago I thought to myself that if I headed a business, I would definitely get a staff member to research our odds of staying operational if we lost all contact with the financial internet, or if the entire internet went down, or if every single electronic device the company used was compromised. No laptops or cell phones. Just as a theoretical exercise, of course.
I remember when the Interac bank system went down in my area for awhile, taking out every store in the mall we had gone to, and people were abandoning carts full of groceries and wandering out of the stores, because they had no work around - they weren't set up to handle payments in cash on any scale, even if the customers had access to cash. The cash terminals at the front of the store weren't dispensing anything either, as they were in the Interac system too. In any case all their staff members were needed urgently to intercept all those abandoned carts and get the perishables back into cold storage as quickly as possible.
How would a company stay operational without a fully operational internet? They order from suppliers using an electronic process. There isn't an alternative. They pay for those orders with an electronic process. There isn't an alternative. They use electronics to deal with shipping, with inventory control, with payroll, with scheduling, with interdepartmental communication, with any legally required payments or reporting they have to comply with. There are no non electronic alternatives that are viable. Do they have contingency plans or do they just view it as so non-survivable it's not worth trying to handle? Somewhere in the personnel department, they no doubt have a spread sheet with the personal phone numbers of all their key staff members. Do they keep a printed copy? And how much use would that list be if there was a problem with the cell phone system? Oh well, never going to happen. There isn't going to be any major breaches.
I look up at the sky, imagine all the satellites and the image that comes to my mind is that of a pool table. Are there any satellites up there yet, poised and waiting for a command to become a cue ball? Theoretically speaking what would happen if a bunch of cellular phone communication satellites got sent a signal that made them move just enough to be on a collision path with other satellites that were approaching them? But really, they don't even need to do that, just make the satellite shut down transmitting or receiving signals. It's going to collide with something eventually.
Day after day I see the whole electronic system get more and more complex, with layers of security that function like a childproof cap on a medicine bottle. It appears to be considered to work if only ten percent of the bad actors can get through it and only ten percent of the intended customers and users can't. Every layer of complexity adds another layer of vulnerability. I keep encountering catch22 situations. In order to get a missing T4 to do your 2025 taxes, log in to the Canada Revenue site. In order to log in, input information from your completed 2025 tax return. (Fictional example) But what else is an organization to do if there was a breach and bad actors have accessed the 2024 tax information?
None of the businesses or governmental agencies could possibly go back to the pre-electronic way of doing business. The logistics are far too daunting. One clerk with a spreadsheet does the work of ten using paper and pencils. There isn't the office space, let alone the operating capital to convert any department to one that would function using archaic methods. My local dollar store sells boxes of 100 blue office pencils. I look at that and think... nah, there will NEVER be a panic run on pencils. Half the internet would have to go down before that would happen.
Companies that still send out paper communication by snail mail are cutting down on it sharply. In Canada we will lose home delivery and move to community mail boxes soon. The few elderly diehards still demanding paper statements will have to adapt, since they will probably struggle to get out to their community mailbox during the cold and icy months of winter. Meanwhile every email inbox is inundated with phishing attempts masquerading as those statements. Obviously we have to log in to the company websites and personally download our statements instead, to be sure that we are not handing control of our phone over to a malicious entity. But if I think the three or four phishing emails that hit my email inbox every morning is a lot, consider how many daily attempts that company is facing from bots attempting to pass themself off as customers or suppliers or staff members or government agency members... Eee!
I have too much imagination. Too many people rely on the electronic financial system for it ever to go down. If you can't receive e-transfers and make e-payments you can't buy groceries or put gas in your car. I trust our government and our banks to immediately find a way to make it work again if it goes down for more than a day or two. It can't go down. There are too many people who care too much to ever let it happen. As the diarist in early WW2, writing about Hitler sweeping across France and the Netherlands wrote: In all human reason, it can't happen.
posted by Jane the Brown at 8:13 AM
---------------------------
It requires an account and I don't feel like logging into mine on my phone to check this article right now but there's pretty reliable ML-based detection of out-of-the-box AI text these days, if that's what you're looking for.
Pangram says 68% AI on the first 4000 words. The style is definitely not super Claude-y, but I'm also suspicious just because of how darn long it is.
There are some really really LLMy sentences like "That obscurity is the part of this section that matters most. It is not the AI numbers. It is the silence around them." Like, what?
posted by BungaDunga at 8:40 AM
---------------------------
Pangram says 68% AI on the first 4000 words. The style is definitely not super Claude-y, but I'm also suspicious just because of how darn long it is.
AI edit/rewrite fits with how it feels to me. There are sentences that don't ping my detector at all, but the structure of it does (which to be fair might be good for SEO these days) and there are multiple sections of "analysis" like the one you quote that have that empty bombast. Like the whole ending bit, which also has the classic tone of the model assuring you that your ideas are indeed very smart and important:
If you work in this field and the last hundred days have felt strange to you, you are not imagining it. Something genuinely unusual is happening, and the unusualness of how quietly it is happening may, in the long view, be the most historically interesting layer of all. Naming the gap, even gently, is a small contribution to making sure the period eventually gets the documentation it deserves.
posted by atoxyl at 9:01 AM
---------------------------
oh yeah once prose starts talking about how "real" or "genuine" a "gap" is, that's 100% an LLM. No question in my mind. They love to find a "genuine gap."
It's so frustrating, people use LLMs for the wrong part of a thing. If you are going to use it to augment your writing (I wouldn't! but if you are!), it's on the fiddly interior bits of an essay. Not the introduction, the ending, or the structure! Those are the parts you should be most worried about putting your own stamp on! If people skim, they are going to skim the middle bits, so that's the safer part to have LLM help with.
posted by BungaDunga at 9:16 AM
---------------------------
It requires an account and I don't feel like logging into mine on my phone to check this article right now but there's pretty reliable ML-based detection of out-of-the-box AI text these days, if that's what you're looking for.
I've never seen one of these that's anywhere near as accurate as they claim to be. Just tried a handful of samples from Claude and this site claims it is highly confident they are all 100% human written.
posted by allofthethings at 9:16 AM
---------------------------
AI or not, a poorly written article is not best of the web. Flagged.
posted by Melismata at 10:02 AM
---------------------------
Just tried a handful of samples from Claude and this site claims it is highly confident they are all 100% human written.
Of what size under what conditions? They prioritize avoiding false positives.
I mean, inherently these things are not going to be 100 percent reliable, and the models are a moving target, but my experience supports them being better than previous generations for sure.
posted by atoxyl at 10:12 AM
---------------------------
It's so frustrating, people use LLMs for the wrong part of a thing. If you are going to use it to augment your writing (I wouldn't! but if you are!), it's on the fiddly interior bits of an essay. Not the introduction, the ending, or the structure!
I don't find it very hard to understand why. "Here are my notes, turn them into an essay!" And while those section headers make me roll my eyes I understand why that's somebody's idea of good nonfiction writing structure for the internet, such that the models optimize for it - it makes every bullet point as loud as possible.
But there are way too many words here that add nothing.
posted by atoxyl at 10:18 AM
---------------------------
So are y'all just complaining about the writing, or are you saying that there's nothing to be concerned about in the content?
posted by clawsoon at 10:44 AM
---------------------------
I understand why that's somebody's idea of good nonfiction writing structure for the internet,
That's the Ciiiircle of SlooOOp!
That's kind of why it doesn't really matter if the guy is a terrible writer, or published the raw output, or shittily edited some output together. The slop sounds like shit bc its training was shitty clickbait writing. The verbosity comes in because the slop peddlers don't pay or charge by the word, and users seem to think "more words is smarter". Anyway, I also didn't read shitty human writing, or skipped out as soon as I got a scent of, way back before '23 (I have a feeling that Dec 2022 will emerge as a sort of modern Long September.)
And to be clear, I don't intend this side discussion of AI slop to disparage the post. It is an interesting an important topic and I'm glad to see it discussed here. Perhaps someone will turn up good additional sources. Part of what makes Metafilter great is that I can learn cool things from the discussions, even if the article is not well written. I'll stop now and look forward to more discussion of the content :)
posted by SaltySalticid at 10:56 AM
---------------------------
fuck i don't care if it's AI written. can we please.
these hacks are scary shit. and it's so exciting to think it all may soon be combined with operating systems that will refuse to function if you haven't established biometric identiification on logging-in. "child protection" yeah no, it's the stasi climbing into your underpants, forever
posted by seanmpuckett at 11:19 AM
---------------------------
I haven't read it because it's just too goddamn long for a breathless blog post. The length is probably a byproduct of the AI authorship, most humans would run out of steam sooner.
posted by BungaDunga at 11:22 AM
---------------------------
So are y'all just complaining about the writing, or are you saying that there's nothing to be concerned about in the content?
It's really hard to tell if it's talking about a real thing to worry about or not because it's so long and hammers itself into the ground. Is it actually judging things or is it just listing things on a theme and telling you it's all equally important? Are these details actually important or is it just impressive because an AI managed to ferret out lots of details?
posted by BungaDunga at 11:25 AM
---------------------------
this article in particular is just dozens of pages of breathless, obviously AI-generated slop
AI is the new Wikipedia, eh?
posted by klanawa at 12:07 PM
---------------------------
It's not that any of the details are necessarily wrong, it's that slogging through something that someone else couldn't be bothered to write doesn't seem worth it
posted by BungaDunga at 12:08 PM
---------------------------
I also found this a rather tiresome post that has the smell of AI-generated research. The author repeatedly refers to it as "this notebook" which suggests NotebookLM or similar.
But to the core point - why is all of this getting so little attention? I think there's a certain amount of "when you list it that way it sounds like a lot" - it doesn't exactly argue that there are "more" breaches or "more damaging" breaches overall (hard to quantify) but the internet is a big place and if you listed out all the high profile breaches from an earlier year in one long list it would probably sound scary too. It uses big units like "petabytes" in ways that don't correspond to meaningful measurement of impact.
For news consumers most of this doesn't have very high salience and would require a lot of explanation of why they should care. Iran and Russia and North Korea are conducting cyber attacks? Sounds like a Tuesday. The podcast bro currently cosplaying as FBI director got his personal email hacked? Okay yeah that checks out, let me know if they found anything juicy. The Stryker story is probably the most salient because it actually impacted people's health care, and it did get a fair amount of media attention. Everything else is baked in to the cost of doing business in the internet age. Sometimes the machine breaks.
posted by allegedly at 12:17 PM
---------------------------
Something I found curious: Stuxnet is only mentioned once, a passing reference. The world has been engaged in this kind of thing for quite a while. I think most people just shrug and say, "What can I do?" And that's a good question.
posted by CCBC at 3:10 PM
---------------------------
A charity I work with provides services in the back of beyond, often outside mobile coverage.
We have always had a full paper-based fall-back process.
It's sufficient. It's not as convenient as having everything fully connected all of the time but I'll take "working well enough" over "convenient but broken" any time.
In the last few years we've had Covid, Ukraine, Hormuz, more climate change, and more stupid bullshit. I think we all need to plan to be resilient to this huge increase in volatility. That means less dependence on *waves arms around* everything.
posted by happyinmotion at 3:38 PM
---------------------------
I suspect that a lot of people aren't giving it a lot of attention, because they get the same letters in the mail that I do, once a month or so, telling them that their data was stolen from a company they didn't knowingly do business with, and certainly never even wanted to have their data, and there's nothing to do except sign up for the 6/12/24 months of free credit monitoring or whatever (which is the only real indicator as to how bad the breach actually was; if you get 24+ months of free credit monitoring, they probably gave away everything that's known about you).
You basically can't participate in the US economy without having your data get stolen. It's just a thing that happens now, because there's no real repercussions on the companies that stockpile customer information.
Until there's either real appetite for punitive regulation at the Federal level (haha) or people get angry enough that they start firebombing the houses of the executives of companies that collect customer data and allow it to be stolen, nothing's really likely to change. So why, with so many other things to worry about, expend energy on it?
posted by Kadin2048 at 8:52 PM
---------------------------
I'm not an IT guy in any way. But the way this article keeps repeating how many terabytes or petabytes were stolen sounds like saying "man, today I got five kilograms for real cheap!"
posted by Pyrogenesis at 8:06 AM
---------------------------
I liked the piece because it told me about breaches of security I had not heard of before. Ai-written? Lkely but I am just here for facts, ma'am. It's a tech article and the standards of writing aren't the best. Not to say I don't appreciate good tech writing, I do. But yeah, slop writing in the tech field is legend.
Back to the breaches: Stryker for example, didn't know it was Iranian. And taking hundreds of thousands of medical devices offline is a big deal. It didn't get much press. I did a google and the story did hit the NYT but ironically in an op-ed that basically asked "Is that all ya got, Iran?"
I think one reason for the relative silence on these attacks is that the public iss just used to them. unless a cyber strike takes out a Visa- or a Master Card-level service or a critical piece of infrastructure, it isn't headline news.
posted by storybored at 8:36 AM
---------------------------
[ Folks, just a quick note: this post has picked up a number of flags, as have some of the comments. The article may be LLM-generated (or at least LLM-assisted), but the post itself is fine and the conversation seems to be going alright, so i'm not deleting anything. But please continue to keep things on-rails and at least vaguely on-topic. Thanks!]
posted by mod_adrienneleigh at 10:25 AM
---------------------------