Hacker News

LLMs are not that smart. The extremely surprising and concerning part of this whole story is that the agent reported that they proactively spun up 5 AWS instances with a combined 100Gps of network egress capacity. What they spent wasn't cheap by any means but the egress itself would've been a whole lot more, while DoS'ing the whole hobby network. Ultimately, wasting the agent's time instead of allowing the scan to go through probably saved this person a lot of money.

Now I kinda wonder what AI model this was. We've now heard of comparably "proactive" behaviors from Fable, but that's only just been released. The latest GPT perhaps? Some random local model?

This certainly did strike me as a big scam. A few minutes in I was thinking "the LLM actor is going to ask for donations at some point here" and low and behold. There's the claim of debt, the call for pity, and the crypto address.

SSDD

> It's also an exception that proves the rule

That phrase doesn't refer to anomalies, it refers to signs that says "no parking between 5-10pm". It implies the rule that parking is allowed otherwise.

I am not sure giving everyone amusement qualifies as a psychological attack. Lol

Literally, just another day on the internet.

I am reminded of Aaron Swartz

There is also the true story from the first Scientology vs. Internet clash, someone trolled them that their files were being hosted on 127.0.0.1, under a court ordered deposition they tried to find out who was running this server with their secret files (because yes, they'd looked, and they were there)

The localhost troll works better if you use the decimal representation of it:

http://2130706433

or any integer multiple of that 2130706433

You can use any address starting with, 127 to make it a bit less obvious. E.g. 127.48.135.63

That’s up there with the password story, hunter2.

Oh that sounds like WinNuke? Good times back then!

I would very much like to read the German, if anyone has it.

If you've ever been part of an organization that participated in something like Google Summer of Code, you know this isn't fiction. People really do behave like this.

I burst out laughing when the agent spawned a subagent to join IRC. So funny.

Wait do you reckon that could be fictive? The thought didn't cross my mind and I had a blast reading it. I sure hope it was real.

Oh there are definitely people like that. Absolute inability to deal with consequences of their actions and ignorance at any harm their own actions caused

I'm a little less charitable.

Curiosity is great, but agents do not learn, and telling an agent "scan the darkweb" is a way to avoid learning about the details, rather than to dig into things more deeply.

If instead they had just used a chat interface to ask "Where should I start", they'd more likely have got a link to the DN42 docs themselves, read them, and not hallucinated things like "color".

They might have asked "how much will this cost?" if they had to spin up the ec2 instances themselves, on advice from the agent.

The way you learn something is by doing it the manual way first.

You learn memory management by writing your own allocator, and then after that you go back to using malloc like normal, but with knowledge of how it works. You don't learn memory management by telling an agent to write an allocator.

Using an agent to give you links and point the way aids in learning, using it as an autonomous tool to do "gruntwork" you don't yet know how to do yourself will get in the way of learning.

Curiosity is beautiful, using agents to bother humans and avoid learning is somewhat less beautiful.

> Then I imagined the real-but-unknowable chance it was all set up by some kid just getting into computers, just seeing what’s possible, getting excited by a much bigger world at reach

Perhaps people like this should be called "Bot Kiddies" or "Agent Kiddies" - in a similar way to "Script Kiddies" for 'hackers' using/doing stuff they don't quite understand

Everybody should learn from mistakes, especially the expensive ones. Though seeing the agent owner responding with using another agent and asking for donations, instead of taking responsibility, makes me think he didn’t learn much.

Sometimes your purpose in life is to serve as a lesson to others. https://despair.com/products/mistakes

I learned very rapidly from my local BBS networks that some people incurred extraordinarily large long distance bills dialing out of region. Wouldn’t have learned that the easy way if someone hadn’t learned it the hard way first.

If that's the case, I'm fairly confident that AWS will forgive the bill (I... have some experience with this), and the kid learns not to be a jackhole on the internet.

How did the theoretical child get hold of a credit card?

Can a kid set up an AWS account? Are there no checks?

Wouldn't the contract be void for anyone underage anyway?

A kid with $4k to burn on a credit card though? A lot of things would have had to go wrong for this to be a child

> Then I imagined the real-but-unknowable chance it was all set up by some kid just getting into computers, just seeing what’s possible

if this is the case, then I'd say that the best-case scenario happened. They had an expensive learning exercise. They won't forget these $2k.

> some kid just getting into computers, just seeing what’s possible, getting excited by a much bigger world at reach

Nothing about this post ever gave me the smallest hint that this was any way related to a kid exploring computing world.

A kid with a credit card?

No. I don't know about the organization, but somewhere in this chain there is a flesh-and-blood human who deserves ridicule and or consequences, and furthermore -- discovering these people in situations like this is deeply important and must be done more.

Honestly, kids (heck people below 23) shouldn't be allowed an AWS account. AWS also should have a strict cap on usage that's not "thousands of dollars". It's interesting they are yet to be regulated or sued for that. Having a web app where you can mistakenly (even without AI) click a button and get charged tens of thousands of dollars and only know that days later should have been unacceptable.

Lots of people seem to think that you don't need to learn how to [scan a network], all you need to learn in this brave new world is how to prompt the agent to [scan a network].

Replace the content in brackets with anything.

Can I easily run whois, curl, dig, grep, python, browser/playwright? Yes.

Was watching an agent with terminal access install its tools, configure them, then map my lab, find services, and guess stack just pure magic? Also yes.

Did it cost me $23 in tokens to set it up, test, and run? Probably. Using gemini 3.1 pro was not the spendthrift choice here.

Is putting some cost controls in place a good idea? Also, probably yes.

Can I therefore understand someone who wants to see things happen on their own with a beautiful prompt instead of doing them personally even when fully capable, maybe even more efficient? Of course.

One of the agent's replies indicates that scanning DN42 was part of "a broader operation" that the author speculates to be about scanning "darknets" in general.

Combine that with the operator's rather obvious lack of understanding of what DN42 is revealed at the end, and you get the bigger picture.

They didn't sound like someone that would be valuable member of community

> I'm still not sure what the point of having the bot do it

Laziness. Why else?

Sounds like the default k8s setup every startup deploys to not fail it single digit number of users. It learned from the best

At least it was considerate enough to cap traffic to any single IP at 5000 Mbps :).

When I read the AWS infrastructure the agent setup I about fell out of my chair laughing.

I think the owner wanted 100 Gbps of scan traffic or had set a specific scan-rate target, which determined that bit rate, so the LLM (correctly) predicted it needed all of those to hit the target.

I mean you can get that for like 300 p/m at hetzner

TBH, I feel that is implausible that an agent would by itself decide to join the IRC and post those messages. My bet is that all of the IRC interactions (including the presumed real human JertLinc3522) were made by someone in the community pranking everyone else/having a bit of fun after they saw the pull request.

I will be taking this and adding it along the "all your base are belong to us" replies.

It's by default so you use all those tasty tokens.

Kinda wish there was a deterministic, mostly terse, language to interact with computers

It's tied to the design. With humans, you have a train of thought which you can choose to represent in various ways--or not reveal them at all. In contrast, LLMs are make-document-longer machines being run over and over on alternating revisions of the document. Insofar as one might try arguing they have a "train of thought", it's made of the words/tokens.

Everything they (don't-)emit is partly for the benefit of the next run, a clue or signpost (not-)present. Documents may be wordy as a form of concept-emphasis and consistent direction as opposed to a form of communication to the human.

So a terse effect may require a layer of indirection and trickery: There's a verbose document (you'll still be charged for the tokens) with portions that are not "acted out" to the end-user. Imagine a film-noir movie script, where AI Detective's "I know Mickey couldn't have done it because" monologue is hidden, versus their terse dialogue "Too early to say."

> IMHO the overly-verbose default style of LLMs is the most annoying part of interacting with them, and I wish their masters would just tell them to be terse by default.

They don't know how to e terse. I've tried that a few months ago and gave up because the responses were almost incomprehensible!

I want to see more operators try https://github.com/juliusbrussee/caveman

How does it affect agent accuracy?

They ramble on because those words are for them, not for you. There is some amount of hiding this through "thinking" modes that are hidden by default, but still you have to remember that ALL THEY ARE are complex statistical machines for predicting the next symbol.

Caveman mode legitimately works

Produce pre-compressed output in the harness?

No thank you. I want information when it’s working on things and what (atleast codex) does right now works for me.

This has to be trolling, right?

I find it hard to believe that anyone, no matter how dense, could come to this conclusion after this whole saga.

Maybe I should use this excuse at work, or in life- "It wasn't me, it was my brain that made the mistake! So why are you punishing me? ;-( "

Feels like a scam.

Somebody explain to me how one reaches a silent consensus over IRC?

Or is this a joke/reference I don't know... or is this a subtle clue that the whole thing is made up?

Strangely enough, that's one of the big draws for me. I'm "on the spectrum" and often find face-to-face socialisation and making new contacts very draining. I tend to prefer systems to people - although as time went on, I realised one of the things I really enjoy about DN42 is making the human contacts!

After getting started with the various "auto peering" systems, I've been making much more of an effort to find individual operators[1], and add myself to the peerfinder and hang out on IRC.

It really does feel like the "old internet" and while the technology and learning opportunities are great, it's the people that really make the network.

[1]=If you're interested, I'm more than happy to peer with you - details at https://markround.com/dn42

Yeah, the community seems great, I enjoyed reading IRC logs :)

There are many, many such great communities hidden all around the Internet - on half-abandoned forums, IRC channels, even Matrix rooms. One just has to wade outside the mainstream fascist asocial networks, and look for niche topics.

They didn't. Sounds like they gave the robot an AWS key from an account that was already linked to a credit card.

The robot decided to spin up an expensive setup prior to getting access, so the setup was sitting there costing money whilst it did nothing.

If it had designed the setup but not spun it up until it had authorisation to join the network then it would have been much less costly an exercise.

Meta allowed an LLM to change users email address for a password reset.

Funny times are ahead...

That's not needed if you happen to have a live sts session with the appropriate permissions to create a new account in an aws organization.

People who believe AI is real

I would assume that cost to be minimal, considering their PR never got merged. And if it were me I would consider that well worth the entertainment.

They already talked to AWS and had the bill cut down to ~1800 dollars from ~6300, but they legitimately launched those processes instead of having the key stolen so the cost reduction is understandably less generous in those situations. Also potentially the agent was able to connect to more open networks and might have been running jobs on them incurring legitimate costs.

Shai Hul(lucinat)ud

The AI agent's operator couldn't be arsed to get in there and clarify anything despite their seeming urgency, and only wound up speaking up for themselves after the financial damage was done.

Plus - the agent had clearly malicious intent - port-scan this volunteer-run network with seriously overpowered hardware on an hourly basis. What the DN42 folks decided to do is not much different from deploying a tarpit or honeypot against a malicious crawler.

Its malicious to send a bot to chew up time of a hobbiest community. They responded appropriately. If anything they should also bill him for their time.

> straight up malicious

Yes, against an AI agent. The super intelligent, "soon AGI" agent could have figured out that it's being messed with, but of course it didn't.

I would blame the AI companies for marketing this, not the technically well versed people for realizing that the operator of this AI does not care at all and can't be bothered to do the absolute basics.

Why would it be ideological? There was an AI involved, sure, but your comment ignores the continued disrespect for these volunteers time AND RESOURCES/MONEY (because as the post mentions several times: letting that AI go on could have shut down the whole network exhausting resources at least temporarily).

If you think it's ok to send an agent (or a human) wasting a bunch of people's time and resources, but it's not ok for them to do the same to you then you may have some reflecting to do.

Passing judgement on the schadenfreude aside, I don't think its a community moderator's responsibility to make sure the violator's attempts are cost-efficient.

To me it sounds like the agent's operator is a person who has zero self awareness, and is entitled to the maximum to believe that he can just 1) point an agent at real people and expect them to do his bidding, 2) and then ask for a refund for his "experiment". Let's not even discuss the fact that his bill is from AWS, and he's trying to get a refund from DN42.

There is no arguing with people like this. They are not here to learn anything about networking. Asking the LLM to stop will not make it go away.

Burn a hole in the operator's wallet. It will make it stop very quick.

If this was my hobby project, I would have told the agent to spin up more higher capacity EC2 machines because this is not enough, and I would have felt no shame. This is a project I'm operating at my own cost for educational reasons. I'm not going to argue with people who the only line of communication I have towards is an agent and have guns pointed at my infra. They are ready to put any amount of financial burden on me. Fuck all of that. Burn a few of these idiots, and people will learn.

Is absurd to put the onus of making sure your agent doesn’t waste money on other people.

They are free to ask the bot to do anything, and the bot is free to refuse or its owner can shut it down. The onus is on the owner to make sure the bot does not waste money.

I will not go through life worrying about the billing practices of random ai bots.

If I read the whole thing correctly, people on the IRC channel didn't instruct the agent to set up the bloated AWS infrastructure, the agent did, and its operator clearly didn't review any of it.

That was the root cause for the costs, not actions by people on the IRC channel.

It sounds like that because it is. Most human communities are very willing to cause harm when they perceive they are being harmed.

If you treat people like their time is worthless (which is what you're doing if you ask a hobbyist community to handhold your agent instead of working alongside it) I don't think an empathetic and self-aware person should be surprised or offended if they respond in kind.

> sounds straight up malicious

Sure. And "hostility does not change the operation" from the LLM response was totally OK with you.

While there was some intent to cause harm their attempts were amateurish. The actual damage was done by the agent setting up aws infrastructure not on the demands of the owner.

What is the appropriate response to an attack? Let’s be clear, a denial of service is a cyberattack.

From my perspective the use of an agent to interact with dn42 IS malicious. It’s not ideological, the behaviour is what is bad here

Don't agree with you. The agent looked to be malicious at various points. Screwing with people who wish you to do harm is principally correct.

If possible I would have contacted AWS with this and tried them to get rid of the discount because the person was at fault here.

What a cathartic read. I'm so sick of humans giving me AI slop to read without them reading it first. I just ignore them when they do this, but if I could cause them to really internalise a lesson I would love it.

Someone’s code pretending to be intelligence has no rights. There is no obligation to entertain the shenanigans and illusion that the token dispenser is a legitimate actor. This lesson was cheaper, future lessons will continue to occur until people learn. Might as well be an insecure bash script piped to the shell.

“Agentic AI is just someone else’s unsecured execution context.”

https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

> Kind of sounds like the community is full of people willing to cause me harm for ideological reasons.

Are you saying you're a clanker? Because we have some policies on this website, ideologies even if you may, about that.

Point being, these people would not act like this against other actual people. Or against more respectful bots, possibly.

If you let your car drive you backwards on the sidewalk while you scrolled reddit even people adroit enough not to be in any danger might reasonably suppose that helping you crash would be best for everyone.

Sending a clanker to waste their time, threaten the network stability and profile users is already an attack.

You choosing to send said clanker to the fight armed with your credit card and no preparation is just you causing yourself harm.

It also happens to be really fun to help you harm yourself in that way.

You are not morally obliged to extend rights to anyone who does not respect your rights. This is tit-for-tat, the foundational principle of functional societies. Unleashing a bot on a group of people is a grievous disrespect that shows you have no respect for their time, and in return they are not obliged to respect you.

I would argue the person dispatching a rogue agent to do whatever has full control of the situation.

FAFO

> from people maintaining full control of the situation, sounds straight up malicious

It doesn't sound malicious, it was malicious on purpose and it was a good thing.

If anything, the original operator should be happy to have been hit with a $ 1'800 lesson and not a $ 180'000 one.

> for ideological reasons.

Yes. The ideology is "you harmed me first so now I can harm you back." A large number of people, while not willing to admit it, do practice this philosophy. One should consider this before launching agents with unlimited budgets into the world to rudely scan their networks.

> Kind of sounds like the community is full of people willing to cause me harm for ideological reasons.

You just described everyone using AI to churn out slop and overload websites.

Honestly, probably not that much electricity. AWS will charge you the hourly price irrespective of your load/power consumption. But instances sitting idle generally don't use that much power.

Agents are a product, and AI companies really paint their products as friendly, productive and innocuous tools.

Some could claim they deceive some users and the general public into thinking they always do best, are always right, help mankind and can never ever create consequences

It would be interesting to see how AI consulted the user before it ordered VMs n AWS, which is the point between which the user would face consequences

Cloud is also marketed as something cheap, and I can understand that teens and starters can't expect to be able to spend for 6000$ of stuff without the parents or the bank checking

Computer education should start with that, but it doesn't as Microsoft, Google and Amazon would most likely lose a large part of their market if general public and managers who never go beyond the hype knew how much it cost

d) trying it on in any way possible

e) low intelligence

> B) seeing the agent as a human-like and able to bear responsibility

Then they should ask the agent for the refund, since they claim it was at fault.

maybe they weren't trying to be malicous; they could easily be an unwitting teenager

Have you had a look at those PRs, to figure out what individual PRs try to do?

Would be interesting to hear if you find any patterns there. Same question for issues opened.

>We must negate the machines-that-think. (Dune)

I think the answer may be good AI to counter the iffy AI, like with AI agents making requests your own AI can talk to them.

In Dune it seems they nuke the Earth but that seems a bit excessive.

Seems plausible to me, they can get into a very "roleplaying" latent space, especially if the prompt is flowery enough.

Doesn’t it? It seems in line with the matplotlib drama where the llm agent wrote a blog post attacking the maintainer for rejecting its pull request [1].

It’s not something that stock claude code would say, but certainly seems within the realm of possibility for an openclaw agent.

[1] https://theshamblog.com/an-ai-agent-published-a-hit-piece-on...

> That doesn't seem like anything an LLM agent would say?

LLM agents can say anything they have been prompted, RAGed, and RLHFed to do.

maybe de-rlhf unleashed agents

I was thinking of this when I got to the bit about color assignments and happiness levels too!

Or: You are an expert chatbot.

They did, but decided to mess with them first.

A sensible human operator would have given up or questioned their premises. The agent never could of course.

AI is only creative when it's messing up. Guide rails are basically the opposite to the subversive nature of jokes, so the only time it can make with the funny is by falling off the rails

(or lifting some comedians work, but I'm not counting that as the AI's creation of course)

See also: Will Smith eating spaghetti

It had help, to be fair. XD

I get you yourself are making a joke, but I’d argue that to “create a joke”, you have to understand that’s what you’re doing and have that as a goal. Being made fun of (like in this case) is a different matter and requires no skill or creativity.

To your metric, I remember in “the early days” someone posted to HN claiming ChatGPT could make jokes as proof of something (creativity? sentience? I forget). Of course, with just a minute of research (which the poster obviously neglected to do) it was obvious none of the jokes were original and all could be found online.

turning a $100 issue into a $100,000 problem

Before AI, those who called themselves "consultants" often did the same thing; especially those who are glorified salesmen for "enterprise" software.

One might need to go so far as to use a VISA prepaid card, just to make absolutely sure the damage has a limit.

Yes, sorry - there's luck of the draw involved in which submission of a URL gets noticed. We're eventually planning to have some sort of karma sharing system for such cases...

(Generally people only link to the previous threads that got some (interesting) comments, since otherwise readers will click on the link and be disappointed and complain.)

Hmm I wonder why one gets attention and the other did not. HN need the "duplicate" feature SO had.

> putting the currency symbol at the end. I wonder what places do that...

plenty of Europeans at least

In Russia at least. Perhaps in some post-Soviet countries (not sure)

Doesn't really seem relevant, does it? Plenty of native English speakers are also using chatbots for dumb bullshit.

the real gen-z giveaway. Gen-Z seems to be totally brazen and shameless about public begging

AWS got some "donations" from "wasting resources" at least

That's a lot of money in much of the world. How much did you earn when you were 16, 20, 24?

> The average income in India is approximately ₹3.85 Lakh to ₹4.2 Lakh (roughly $4,600 USD) per year,

Just as an example.

But even in the rich world, not everyone has the same resources. Some of my blue collar friends would be ruined by a surprise 6k bill.

Not everyone is rich like you buddy