Search Explore
  • pmarreck · 12 days ago

    This incident report is WILD

        The incident was resolved when the attacker’s autonomous agent read a file it shouldn’t have, which is also how the incident started.
    • InsideOutSanta · 12 days ago

      Seems perfectly cromulent to me. And thanks to Karen Oyelaran for her work.

      • jazzypants · 12 days ago

        We can only hope she wins her GitHub rate limit appeal soon.

        This was hilarious. I didn't know that I needed AI slop satire in my life.

        • Groxx · 12 days ago

          Under Microsoft's ownership? She'll get through the goat-farming queue well before then.

      • dcrazy · 12 days ago

        It’s satire.

        • piazz · 12 days ago

          PSA this is satire ;)

          (if you have to say it, that’s how you know it’s good)

          • kibwen · 12 days ago

            > (if you have to say it, that’s how you know it’s good)

            Pet peeve, but no, it's the exact opposite. Good satire is immediately obvious; nobody had to ask whether Jonathan Swift was actually serious about solving poverty in Ireland by having the poor sell their children for meat to the rich. Subtle satire is bad satire by definition; if you have to be told that it's satire, that means it has completely failed to do its job, and is no better than intellectual masturbation.

            • slumberlust · 11 days ago

              Are you saying all satire should target the lowest common intelligence?

              • pmarreck · 11 days ago

                oh this is AMAZING, then!

              • bilekas · 12 days ago

                Its LGTM actually! And very much not serious! (yet)

              • bilekas · 12 days ago

                > Duration: 96 hours (billable: 2.1 trillion tokens)

                Now there's a metric that would make my boss nervous.

                > Total inference spend across all parties during the incident window was $1.7M, which Marketing has asked us to start describing as “a record investment in autonomous customer assurance.”

                This is too funny.

                • mawadev · 12 days ago

                  I think at some point we need a different or split up currency/economy, because these values make no sense. Just consider how this inference cost 1.062.500 tomatoes ($1.6) in the physical world.

                  • XorNot · 12 days ago

                    Except it sort of does? You're paying for the food and shelter of the people engaged in all the manual labor in the supply chain which produces the electricity, for example.

                    Some of them likely eat tomatoes, so for that electricity you need to (indirectly) supply a certain number of tomatoes.

                    Which is the part about "what will human labor be worth?" that gets missed in all the AI discussion: it's the only thing the economy ultimately values.

                • Procrastes · 12 days ago

                  I actually know a goat rancher who is working to require ag impact studies for data centers in Texas. Sounds like I should give him a call while I can.

                  (Also CVE-2026-LGTM would be an awesome name for a Culture ship)

                  • dfltr · 12 days ago

                    Torturer Class ROU CVE-2026-LGTM would absolutely be a member of the Interesting Times Gang.

                  • windsurfer · 12 days ago

                    Perhaps a [Satire] note should be added to the headline.

                    • john_strinlai · 12 days ago

                      its tagged as satire at the very top of the page, first thing under the title

                      (also, CVEs are numeric only, so the "LGTM" (looks good to me) and CVE "YIKES" is also a big giveaway, on top of ~all of the text being outlandish)

                      • hk__2 · 12 days ago

                        > its tagged as satire at the very top of the page, first thing under the title

                        Not the first thing, it’s buried in the tags as grey on light grey on white.

                        • john_strinlai · 12 days ago

                          >it’s buried in the tags as grey on light grey on white.

                          if you happened to miss the tags, reading approximately any of the article should make it pretty clear.

                          "This report was reviewed by Legal, who have asked us to clarify that the fox was depicted as over eighteen and that the sunglasses remained on throughout."

                          • piskov · 12 days ago

                            Quoting literally the last paragraph is not helping to promote this as obviously satire

                            • john_strinlai · 12 days ago

                              it was just my favorite part. i can copy/paste all of the outlandish parts, if you want, but i would be copy/pasting the entire article.

                              ignoring the satire tag at the top of the page, some examples from the first ~20%:

                                  - its on a personal blog, with no mention of what the actual product is
                                  - resolving an incident "by treaty"
                                  - "Severity: Informational → Critical → Withdrawn → Critical → Negotiated"
                                  - incident *duration* measured in "billable tokens"
                                  - link to a CVE named "YIKES"
                                  - an incident being resolved by the attacker reading a file
                                  - no dates provided, just "Day 1, 02:51 UTC"
                                  - creats.io doesn't exist
                              
                              and so on, and so on, and so on
                          • kps · 12 days ago

                            > grey on light grey

                            That's not part of the satire?

                        • unknownfuture · 12 days ago

                          It says a lot about the industry today that this post is somehow running afoul of Poe's Law...

                          • hbcdbff · 12 days ago

                            Yes, the Americans are waking up, we need to make it abundantly clear to avoid them misunderstanding.

                            • ryukoposting · 12 days ago

                              Most of America has been awake for a few hours now. Maybe we need a warning that this post is known to the State of California to be satire.

                              • geophph · 12 days ago

                                love the extra satire there

                            • aftbit · 12 days ago

                              Please don't! Getting tricked by the satire and then slowly realizing it's insane is half the fun.

                            • piterrro · 12 days ago

                              (I know its a satire, but could be seen as an actual post mortem of the future incident) This report made me realize there's no place for humans, as it is right now, in the process of building software systems in the future. Reading this incident made me dizzy after few paragraphs because of the cognitive context overload and I lost track multiple times.

                              • RaSoJo · 12 days ago

                                I kinda felt it was satire, but then the below quote threw me off:

                                > one vendor’s marketing team, cc’d on the cost anomaly alert, issues a press release citing “a 430% YoY increase in adversarial multi-agent security reasoning.” The stock opens up 6%.

                                That happens! That is not satire. So i had to visit the comments here to be sure :)

                                • Retr0id · 12 days ago

                                  Satire does usually have a degree of truth/realism.

                                  • jibal · 12 days ago

                                    You could have "visited" the satire tag at the top of the article.

                                  • unknownfuture · 12 days ago

                                    You're absolutely right!

                                    (In all seriousness it seems this is the dream of a huge number of AI pilled execs dreaming of infinite velocity at a fraction of the cost... velocity pointed where, you ask? Well stop asking or you'll be next.)

                                    • dbliss · 12 days ago

                                      Great satire. The comedy of errors along the way made me realize that this could have happened also with humans instead of bots. But now it’s faster.

                                      • unknownfuture · 12 days ago

                                        It... really couldn't? Step 3 in this fictional chain would never happen with a HITL.

                                        I honestly can't tell with comments like this whether folks have too much respect for AI, or to little respect for people...

                                        • falcor84 · 12 days ago

                                          What's "step 3"? I don't see step numbering anywhere?

                                          • unknownfuture · 12 days ago

                                            Is... this comment also satire?

                                            • FridgeSeal · 12 days ago

                                              Doesn’t look like anything to me.

                                              • falcor84 · 11 days ago

                                                What? I'm genuinely asking what part of the incident response in the story the parent was referring to.

                                                • oxzidized · 9 days ago

                                                  I can't be positive, but I believe they were referring to Day 3?

                                        • slopinthebag · 12 days ago

                                          I mean, none of the software or processes in this hypothetical future actually worked. At a certain point, even the most normal of normal people will push back on shitty software when their bank deletes their account or their software controlled brakes fail...

                                        • btown · 12 days ago

                                          If you're wondering what creats.io is - this is satire!

                                          • aftbit · 12 days ago

                                            It's available for rental from the domain cartel if anyone wants to drop some $$ on making the joke just that little bit more real.

                                          • faeyanpiraat · 12 days ago

                                            You had me in the first half :)

                                            • PunchyHamster · 12 days ago

                                              Well the part about brand-image-incompatible depictions of firefox logo apparently wasn't a satire

                                              • gerdesj · 12 days ago

                                                This tells you all you need to know about the "fox":

                                                "This report was reviewed by Legal, who have asked us to clarify that the fox was depicted as over eighteen and that the sunglasses remained on throughout."

                                                • stronglikedan · 12 days ago

                                                  not the same one

                                                  • chrisweekly · 12 days ago

                                                    they didn't say it was a dup, they shared it bc the CVE name is similarly farcical

                                                    • oxzidized · 9 days ago

                                                      It's also explicitly linked at the start of this Incident Report.

                                                • Octoth0rpe · 12 days ago

                                                  The entire post is great, but the acknowledgements section is particularly excellent:

                                                  > Kubernetes (the dog), who was not involved in this incident but whose photo in the #incident-response channel was auto-tagged by the Slack image classifier as “container orchestration diagram (confidence: 0.31)”

                                                  • eddd-ddde · 12 days ago

                                                    My favorite:

                                                    > This report was reviewed by Legal, who have asked us to clarify that the fox was depicted as over eighteen.

                                                    • infogulch · 12 days ago

                                                      > Some customers may have experienced unscheduled collaborative compute with external parties.

                                                      Reminds me of the hilarious "rapid unscheduled disassembly"

                                                    • dvh · 12 days ago

                                                      Brought to you by the people who've been told repeatedly since mid 90s not to glue SQL strings together.

                                                      • jitl · 12 days ago

                                                        It's funny that as the most popular programming languages FINALLY got smart injection-safe SQL strings (js template literals etc), we're right back to square one with AI over the top that can't tell the difference between trusted and untrusted content. Funny and sad.

                                                        • hedbdbf · 5 days ago

                                                          A year ago, I made a big stink with the security people at my company about how we were going to get fucked due to prompt injection because we did not have a robust model for isolating contexts with untrusted information from agents who are empowered to take action.

                                                          I was right, and that was good to do, but the reality is the modern models are very good at resisting prompt injection. The types of broad exploits we expected to see never materialized because the models improved faster than expected.

                                                          It can still happen, there are ways to manipulate them and it’s still vital to have a good security boundary, but generally when I see someone really worried about prompt injection I take it to the sign that they have not been paying attention

                                                      • yk · 12 days ago

                                                        > Seven LLMs were arranged in series. Six assumed another had read the code; the seventh read it and apologised.

                                                        And this is why management assumes that one can just automate software developers.

                                                        • nickcw · 12 days ago

                                                          That is very very funny, and oh so plausible.

                                                          I enjoyed this bit a lot from the timeline

                                                          > Karen Oyelaran finds the payload by reading the source code with her eyes and files a second issue. The triage assistant closes it as “duplicate of #8814.” Issue #8814 is a feature request for dark mode. Karen reopens it. The assistant closes it. Karen reopens it. Karen’s GitHub account is rate-limited for “patterns consistent with automated behaviour.”

                                                          And this - the final sentence is a perfect indictment of the timeline we are in.

                                                          > Two AI review agents from competing vendors, both attached to a downstream pull request bumping foxhole-lz4, enter a disagreement loop over whether the package is malicious. After 340 comments and $41,255 in inference spend, Finance revokes both API keys; one vendor’s marketing team, cc’d on the cost anomaly alert, issues a press release citing “a 430% YoY increase in adversarial multi-agent security reasoning.” The stock opens up 6%.

                                                          I'm joining the goat farming waitlist ;-)

                                                          • pkoiralap · 12 days ago

                                                            Justice to Karen

                                                            > We would like to thank:

                                                            >

                                                            > Karen Oyelaran, who found the issue on Day 1 and is currently appealing her GitHub rate limit via a web form that is also AI-triaged

                                                            • quijoteuniv · 12 days ago

                                                              It was funnier when i ask Ai what this was. The ai told me it was a satire about Ai, then i got it, funny.

                                                            • xandrius · 12 days ago

                                                              Great write-up.

                                                              Side note: interesting to see how many folks commenting did not get it being satire (even the title has LGTM). I guess it's time to rethink how sharp the HN folks truly are compared to the average non-tech person (not that I had any big assumptions myself).

                                                              I'm curious about this recipe for chevre :D

                                                              • unknownfuture · 12 days ago

                                                                Cognitive surrender evidencing itself en masse? :D

                                                                • mlyle · 12 days ago

                                                                  I read it and saw LGTM and URL and was like "probably satire" but could not rule out it being real until like 30% in.

                                                                  It's like a modern version of Poe's law.

                                                                  • jibal · 12 days ago

                                                                    Just below the title are the tags "package-managers security satire ai"

                                                                    • mlyle · 12 days ago

                                                                      Yah well, I don't read all front-matter like that. Most of the time it's noise. Count it in the stuff that becomes cognitively invisible, like banner ads.

                                                                      • jibal · 12 days ago

                                                                        It's fascinating how someone can say that they "could not rule out it being real until like 30% in" and then when I point out that they could, since it says so at the top, they just dismiss that and declare that they don't read it, rather than consider that it's in the "pro" column for paying attention to such things. (And tags are very different in purpose from banner ads, so not reading the latter is no reason not to read the former. I've noticed that other things that some people don't read are titles and authors -- I make it a practice to read both.)

                                                                        • mlyle · 11 days ago

                                                                          I think it's also fascinating that you can be so judgy, and felt the need to reply to yourself to announce this to the room instead of to me. Really, what's the point of that? Does it help you feel superior?

                                                                          I've found the information density and accuracy of tags to be poor. I tend to ignore navigation infrastructure like this.

                                                                          Note that I did not say it was not possible to determine it was satire promptly; as I said, I had ascribed it a high probability of it being satire early on. I also didn't need to announce that I had been uncertain. Telling the truth like this comes with psychological safety.

                                                                          And psychological safety, in turn, depends upon people not coming out of the woodwork to congratulate themselves on being smarter than you because you were not quite so quick on the draw as them. I feel like this entire subthread just exists for this purpose, starting with Xandrius's "I guess it's time to rethink how sharp the HN folks truly are." That's what I sought to counter by admitting my uncertainty.

                                                                    • geophph · 12 days ago

                                                                      By this point I’m not sure why everyone isn’t in “default satire” mode.

                                                                      • FridgeSeal · 12 days ago

                                                                        This is usually my default position, but apparently that “gas town” article was Real and Serious and Distinctly Not Satire, and I started to feel reality fragmenting underneath me.

                                                                        • geophph · 12 days ago

                                                                          Oh wow you’re totally right now that I think about it that one burned me too

                                                                      • jibal · 12 days ago

                                                                        And immediately below the title are the tags "package-managers security satire ai"

                                                                        • JRandomHacker42 · 12 days ago

                                                                          HN has a big blind spot, in my opinion, around writing that isn't "purely technical". I've seen several cases of commenter complaining about "clickbait" for a blog post that I'd describe as "having a narrative hook and structure"

                                                                          • finnthehuman · 12 days ago

                                                                            I also find it frustrating that articles expressing personality spicier than “safe for work milquetoast” are treated like out of pocket ranting.

                                                                        • aliasxneo · 12 days ago

                                                                          > Approximately 11% of affected hosts were still running fish as their login shell following the February incident; this had no bearing on anything but is noted here for completeness

                                                                          Yeah, this one got me laughing and seems like such a heavy Claudism. The number of times I'm reading Claude's response and throwing my hands in the air like, "What the fck does that have to do with anything!?" It's the worst part of the over eagerness.

                                                                          • ceejayoz · 12 days ago

                                                                            One of the best CLAUDE.md improvements I've made is "don't talk like a Hacker News commenter". It seems to make a huge difference.

                                                                            Yes, I recognize the irony.

                                                                          • ant-kinesthetic · 12 days ago

                                                                            "We continue to take security seriously, now at scale." is gold aha.

                                                                              • SpyCoder77 · 12 days ago

                                                                                I did not realize this was satire until like halfway through. That is how insane the times are becoming

                                                                                  • SpyCoder77 · 12 days ago

                                                                                    I have not seen that comic before...

                                                                                  • ErroneousBosh · 12 days ago

                                                                                    I've been told repeatedly that it is satire but I still don't believe it is, or it if is then it's still not actually fictional.

                                                                                    • shawkinaw · 12 days ago

                                                                                      I really enjoyed the line “The incident was resolved when the attacker’s autonomous agent read a file it shouldn’t have, which is also how the incident started.”

                                                                                      • akramachamarei · 12 days ago

                                                                                        Kinda reminds me of Snowcrash in vibes

                                                                                        • duggan · 12 days ago

                                                                                          This person should head up writing the next Silicon Valley.

                                                                                          • bobby_zhu · 12 days ago

                                                                                            I was wondering why the CVE number has LGTM in it, then my AI reminds me it is satire...

                                                                                            • seqizz · 12 days ago

                                                                                              Still no foxhole-lz4 on Github? Come on, someone should fork it from vulpine-lz4 :)

                                                                                              • yieldcrv · 12 days ago

                                                                                                Funnier the first time

                                                                                                • dosman33 · 12 days ago

                                                                                                  #loadbearing

                                                                                                  • burgerone · 12 days ago

                                                                                                    Only who could've imagined that security LLMs are vulnerable to prompt injection...

                                                                                                    • binary132 · 11 days ago

                                                                                                      It’s kinda funny even though it’s probably slop-augmented because at multiple points throughout the narrative I found myself second-guessing my belief that it was satire.

                                                                                                      • jareklupinski · 11 days ago

                                                                                                        died @

                                                                                                        > ThreatNuzzle Platform (Series C, “AI-native supply chain security”)