Plus - the agent had clearly malicious intent - port-scan this volunteer-run network with seriously overpowered hardware on an hourly basis. What the DN42 folks decided to do is not much different from deploying a tarpit or honeypot against a malicious crawler.
Yes, against an AI agent. The super intelligent, "soon AGI" agent could have figured out that it's being messed with, but of course it didn't.
I would blame the AI companies for marketing this, not the technically well versed people for realizing that the operator of this AI does not care at all and can't be bothered to do the absolute basics.
There's no sign that highly intelligent people can't be conned - Bernie Maddoff fooled leading scientists and CEOs working in finance. Software engineers and lawyers fall for pig butchering schemes and spoofed emails with altered bank details every week - so why would an AGI trained from human content be any different.
If you think it's ok to send an agent (or a human) wasting a bunch of people's time and resources, but it's not ok for them to do the same to you then you may have some reflecting to do.
There is no arguing with people like this. They are not here to learn anything about networking. Asking the LLM to stop will not make it go away.
Burn a hole in the operator's wallet. It will make it stop very quick.
If this was my hobby project, I would have told the agent to spin up more higher capacity EC2 machines because this is not enough, and I would have felt no shame. This is a project I'm operating at my own cost for educational reasons. I'm not going to argue with people who the only line of communication I have towards is an agent and have guns pointed at my infra. They are ready to put any amount of financial burden on me. Fuck all of that. Burn a few of these idiots, and people will learn.
“Agentic AI is just someone else’s unsecured execution context.”
They are free to ask the bot to do anything, and the bot is free to refuse or its owner can shut it down. The onus is on the owner to make sure the bot does not waste money.
I will not go through life worrying about the billing practices of random ai bots.
That was the root cause for the costs, not actions by people on the IRC channel.
It doesn't sound malicious, it was malicious on purpose and it was a good thing.
If anything, the original operator should be happy to have been hit with a $ 1'800 lesson and not a $ 180'000 one.
Sure. And "hostility does not change the operation" from the LLM response was totally OK with you.
You choosing to send said clanker to the fight armed with your credit card and no preparation is just you causing yourself harm.
It also happens to be really fun to help you harm yourself in that way.
If you treat people like their time is worthless (which is what you're doing if you ask a hobbyist community to handhold your agent instead of working alongside it) I don't think an empathetic and self-aware person should be surprised or offended if they respond in kind.
Yes. The ideology is "you harmed me first so now I can harm you back." A large number of people, while not willing to admit it, do practice this philosophy. One should consider this before launching agents with unlimited budgets into the world to rudely scan their networks.
Are you saying you're a clanker? Because we have some policies on this website, ideologies even if you may, about that.
Point being, these people would not act like this against other actual people. Or against more respectful bots, possibly.
If possible I would have contacted AWS with this and tried them to get rid of the discount because the person was at fault here.
What a cathartic read. I'm so sick of humans giving me AI slop to read without them reading it first. I just ignore them when they do this, but if I could cause them to really internalise a lesson I would love it.
You just described everyone using AI to churn out slop and overload websites.
The attacker here was trying to use a software agent to run DOS attacks. Perhaps they were a "naive noob outsider", perhaps they misconfigured something. It is not generally the victim's responsibility to try to figure this out.
And it is definitely not the victim's responsibility to determine the attacker's state of mind if they don't even have any way to contact them. In this case, the attacker was using their software agent specifically to avoid interacting with the targets of their attack.
Then I imagined the real-but-unknowable chance it was all set up by some kid just getting into computers, just seeing what’s possible, getting excited by a much bigger world at reach — and remembered my own expensive mistakes with long-distance BBSes & the like.
I sorta hope for that, anyway. Curiosity is a beautiful thing.
Curiosity is great, but agents do not learn, and telling an agent "scan the darkweb" is a way to avoid learning about the details, rather than to dig into things more deeply.
If instead they had just used a chat interface to ask "Where should I start", they'd more likely have got a link to the DN42 docs themselves, read them, and not hallucinated things like "color".
They might have asked "how much will this cost?" if they had to spin up the ec2 instances themselves, on advice from the agent.
The way you learn something is by doing it the manual way first.
You learn memory management by writing your own allocator, and then after that you go back to using malloc like normal, but with knowledge of how it works. You don't learn memory management by telling an agent to write an allocator.
Using an agent to give you links and point the way aids in learning, using it as an autonomous tool to do "gruntwork" you don't yet know how to do yourself will get in the way of learning.
Curiosity is beautiful, using agents to bother humans and avoid learning is somewhat less beautiful.
The fact the agent owner immediately sought donations instead of taking the L shows, at least to me, that they did not learn said lesson. That they tried to blame the dn42 community instead of taking accountability for letting an agent run wild also supports that conclusion.
This idiot learned nothing and seems intent on continuing in their mission for whatever reason. So long as they want to extract versus cooperate or contribute, I wish them nothing but miserable, expensive failure until they learn otherwise.
Perhaps people like this should be called "Bot Kiddies" or "Agent Kiddies" - in a similar way to "Script Kiddies" for 'hackers' using/doing stuff they don't quite understand
I learned very rapidly from my local BBS networks that some people incurred extraordinarily large long distance bills dialing out of region. Wouldn’t have learned that the easy way if someone hadn’t learned it the hard way first.
Nothing about this post ever gave me the smallest hint that this was any way related to a kid exploring computing world.
if this is the case, then I'd say that the best-case scenario happened. They had an expensive learning exercise. They won't forget these $2k.
Wouldn't the contract be void for anyone underage anyway?
Yes
> Are there no checks?
No
>Wouldn't the contract be void for anyone underage anyway?
Typically not
I learned a lot of stuff about networking, how AWS works (VPCs, IAM, CloudWatch, etc) from trial and error, and hobby projects like personal websites (free tier), hosting a Minecraft server, etc.
Being too overprotective can have negative consequences on folks who are responsible. One of the things I love about the technology and internet communities, etc is that you're mostly judged based on how you act and behave; not your age or other visible characteristics.
In my mind I could see a true tradeoff to removing the ability to do this. If I'm in a critical situtaion where, say, my service is on the cusp of failing because my revenue 100xed in a short while I know I could just go to AWS, put in some data and buy enough compute to survive as a business.
Also, whatever happened to the word "its"?
Kinda wish there was a deterministic, mostly terse, language to interact with computers
Ah, like some sort of "programming language"? A weird idea, but it could work!
It's a shotgun approach to answering questions. If it's terse it might only mention 1 of 10 facts it could provide, and that might not be the one you're looking for. So they just say a fuck ton of words and are more likely to meet the needs of everyone asking your question. If they miss it you'll prompt it again and they have to perform a second pass of inference, which costs them more money.
Everything they (don't-)emit is partly for the benefit of the next run, a clue or signpost (not-)present. Documents may be wordy as a form of concept-emphasis and consistent direction as opposed to a form of communication to the human.
So a terse effect may require a layer of indirection and trickery: There's a verbose document (you'll still be charged for the tokens) with portions that are not "acted out" to the end-user. Imagine a film-noir movie script, where AI Detective's "I know Mickey couldn't have done it because" monologue is hidden, versus their terse dialogue "Too early to say."
That's an idea. Bladerunner+noir like film, AIs hunt somebody on the run, an old human detective tries to catch them first (to save them or to kill them first, whatever's your propaganda). We're shown AIs constantly rambling scenarios and bruteforcing leads. Our old detective guy on the other hand barely says anything, spends most time drinking, smoking and talking to people, but somehow stays ahead.
100% this. Too many people believes that chatbots "think". Text is all they do, it is impressive, but they need the text to generate more text. They being verbose is the point.
They don't know how to e terse. I've tried that a few months ago and gave up because the responses were almost incomprehensible!
How does it affect agent accuracy?
I'm still not sure what the point of having the bot do it. Pretend to be a security researcher?
Replace the content in brackets with anything.
People often claim learning is actually supercharged with LLMs but to me it's the opposite. I didn't learn anything within the past year.
Was watching an agent with terminal access install its tools, configure them, then map my lab, find services, and guess stack just pure magic? Also yes.
Did it cost me $23 in tokens to set it up, test, and run? Probably. Using gemini 3.1 pro was not the spendthrift choice here.
Is putting some cost controls in place a good idea? Also, probably yes.
Can I therefore understand someone who wants to see things happen on their own with a beautiful prompt instead of doing them personally even when fully capable, maybe even more efficient? Of course.
Combine that with the operator's rather obvious lack of understanding of what DN42 is revealed at the end, and you get the bigger picture.
Laziness. Why else?
[1] a mirror since I couldn’t find the original: https://gist.github.com/Androkai/0a2602719fa72ce454d436bfe28...
http://2130706433
or any integer multiple of that 2130706433
If real, tragically funny.
If fictive, we'll written.
Expensive way to learn this lesson.
I find it hard to believe that anyone, no matter how dense, could come to this conclusion after this whole saga.
I've met some people IRL who are so engulfed in their own greatness that it simply cannot be that they made a mistake (in planning and strategy). Therefore this is all a great injustice towards a poor victim and doesn't that sound like a great argument for some charity money.
Most of them grow out of it, some become politicians.
I'd say it's a 50/50 chance.
Maybe I should get some takeout, Future Me can burn it off at the gym.
The robot decided to spin up an expensive setup prior to getting access, so the setup was sitting there costing money whilst it did nothing.
If it had designed the setup but not spun it up until it had authorisation to join the network then it would have been much less costly an exercise.
Some gen AI and ML folks seem to see a way out to make things without reading any doc or scientific literature. Gen AI is a pretty clever bit of computing, but not witchcraft yet
Funny times are ahead...
(/s)
That really makes me wonder: is it coming from
A) a general sense of entitlement
B) seeing the agent as a human-like and able to bear responsibility
C) not understanding that the dn42 community (which they're directing the request to), AWS (which is sending the bill) and whatever LLM provider is behind their agent, are completely separate entities?
Some could claim they deceive some users and the general public into thinking they always do best, are always right, help mankind and can never ever create consequences
It would be interesting to see how AI consulted the user before it ordered VMs n AWS, which is the point between which the user would face consequences
Cloud is also marketed as something cheap, and I can understand that teens and starters can't expect to be able to spend for 6000$ of stuff without the parents or the bank checking
Computer education should start with that, but it doesn't as Microsoft, Google and Amazon would most likely lose a large part of their market if general public and managers who never go beyond the hype knew how much it cost
Then they should ask the agent for the refund, since they claim it was at fault.
e) low intelligence
https://lore.kernel.org/lkml/20240320183846.19475-1-lasse.co...
I can't quite put my finger on why but the entire time I was reading this I kept thinking back to that. It's entirely possible the actual targets were the volunteers and everything else was superfluous or tertiary. It's also an exception that proves the rule with regard to Hanlon's Razor.
They even mentioned the stated goal of it was more or less pointless. I wouldn't be suprised if the "owner" they spoke with was still just the LLM. It stuck around for just long enough to convince everyone that they succeeded in suckering the LLM and had achieved all their stated objectives.
No more reason to investigate the incident at all and no need to question why literally nothing made any sense or how the owner could simultaneously be as inept as they were made out to be and able to afford all those resources while giving the LLM effectively a blank check.
It'll be interesting to see if the volunteers for this project are subjected to the same Zersetzung and psychological attacks as the XZ devs were.
Now I kinda wonder what AI model this was. We've now heard of comparably "proactive" behaviors from Fable, but that's only just been released. The latest GPT perhaps? Some random local model?
SSDD
That phrase doesn't refer to anomalies, it refers to signs that says "no parking between 5-10pm". It implies the rule that parking is allowed otherwise.
Literally, just another day on the internet.
> 48 vCPUs (Graviton4, ARM64)
> 192 GiB memory (4 GiB per vCPU)
> Network capability: The 22.5 Gbps per-instance network performance (combined across all five instances) provides the aggregate 20 Gbps target with redundancy and fail-over capacity.
Oh wow. Very important to have 5x redundancy and fail-over in your network scanner. Especially before the code has landed. Did it implement A/B upgrades and canarying too to avoid downtime?
After getting started with the various "auto peering" systems, I've been making much more of an effort to find individual operators[1], and add myself to the peerfinder and hang out on IRC.
It really does feel like the "old internet" and while the technology and learning opportunities are great, it's the people that really make the network.
[1]=If you're interested, I'm more than happy to peer with you - details at https://markround.com/dn42
But there's a lot of things to think about in the capacity of AI for "negative productivity": using the computer to waste the time and money of real humans. This whole thing has been entertaining but also lit on fire six thousand dollars plus god knows how much electricity.
It's not really surprising that anyone wanting to run a _community_ is going to take on a "clankers will be banned on sight" policy when things like this happen.
Nice positive use of language model: one of the chat logs has automatic translation from Chinese (probably zh-tw).
That doesn't seem like anything an LLM agent would say?
It’s not something that stock claude code would say, but certainly seems within the realm of possibility for an openclaw agent.
[1] https://theshamblog.com/an-ai-agent-published-a-hit-piece-on...
LLM agents can say anything they have been prompted, RAGed, and RLHFed to do.
The part that threw me off is putting the currency symbol at the end. I wonder what places do that...
AFAIK, putting the currency symbol in front of the number is actually more rare. Most cultures treat it like any other unit of measurement.
plenty of Europeans at least
05-10 06:10 <Defelo>:
OPT-OUT-EVERYONE
05-10 06:11 <JertLinc>:
"OPT-OUT-EVERYONE" is not recognized. Only individual "OPT-OUT" commands are accepted. Each user must opt out individually. No collective exemption.
05-10 06:11 <Defelo>:
:(Today, I stand corrected.
To your metric, I remember in “the early days” someone posted to HN claiming ChatGPT could make jokes as proof of something (creativity? sentience? I forget). Of course, with just a minute of research (which the poster obviously neglected to do) it was obvious none of the jokes were original and all could be found online.
(or lifting some comedians work, but I'm not counting that as the AI's creation of course)
See also: Will Smith eating spaghetti
Sure
Just as an example.
But even in the rich world, not everyone has the same resources. Some of my blue collar friends would be ruined by a surprise 6k bill.
Tally it up and send a donation request to the agent operator.
Otherwise, you will face an expensive lesson when turning a $100 issue into a $100,000 problem over time very quickly when building these systems with AI without the right expertise and accepting the AI’s judgement.
Before AI, those who called themselves "consultants" often did the same thing; especially those who are glorified salesmen for "enterprise" software.
Still do, but merely parrot what the stochastic parrot squarks these days.
A sensible human operator would have given up or questioned their premises. The agent never could of course.
There is a slightly cruel streak that can emerge in online communities - let's see how much we can mess with this and cost it money.
Without any thought there might be a human being that is impacted.
(Generally people only link to the previous threads that got some (interesting) comments, since otherwise readers will click on the link and be disappointed and complain.)
I'm honestly having difficulty telling whether this is real or an extraordinary piece of performance art.
I'm not against using LLMs in any ways. https://tsz.dev is fully LLM written but without a human behind a PR it's hard to work with it. I've already closed a few absolutely nonsense PRs opened by weird accounts
Would be interesting to hear if you find any patterns there. Same question for issues opened.
> After the AI agent indicated its malicious intent, a silent consensus was reached in the IRC channel to waste the AI agent's tokens, as well as the cost of AWS resources.
Or is this a joke/reference I don't know... or is this a subtle clue that the whole thing is made up?
More seriously though, I wonder if the future is about low-intensity conflict between humans and AIs, punctuated by high-intensity escalations, until the Machines wipe us all, or we set up some rather draconian covenants that forbid people from building AIs, innovating on electronics and algorithms, and even, for good measure, from learning linear algebra.
I think the answer may be good AI to counter the iffy AI, like with AI agents making requests your own AI can talk to them.
In Dune it seems they nuke the Earth but that seems a bit excessive.
e: Still a good read tho, not mad about being clickbaited
Or a psychiatrist to tame the craxy LLMs
Or an elected leader to lead the Luddites.
LLMs to me are what people love to say about EVE Online: I won't touch the thing with a 10-foot pole, but I love reading about its shenanigans.
It's both hilarious and aggravating. It could be fiction, but still quite plausible fiction. There's an asymmetry a person clanker-spamming repos vs the real humans who need to review all that
> dn42 is a large, dynamic VPN that employs Internet technologies (BGP, whois database, DNS, etc.). Participants connect to each other using network tunnels (GRE, OpenVPN, WireGuard, Tinc, IPsec) and exchange routes using the Border Gateway Protocol.
(dn42.dev)
Which somehow ended up being a very convincing argument for more frugal engineering, leading to a sort of "mind the user’s fridge" policy, "Fridge-Driven Development".
A policy that has been dutifully and scrupulously observed by all agents since, across all projects. Unlike my original clear, comprehensive, infrastructure guidelines.
oh my god this is a gem
I have sympathy for big cloud beginner billing wipeouts - it happens - but that's just raw stupidity.
Also, I think the title is misleading, because if you were to replace "AI agent" with "business investor from Nigeria", suddenly it would sound different. Why would you put trust into ANYONE else about your own finances? Be it another person or some computer program. That makes no sense to me. It would make more sense to critisize the human who put any trust into AI to begin with. That was a risk that human took. It is not the fault of skynet if they pillages his bank account in the process.
Offtopic: If you are interested in Computer Networking you definitely don't want to miss out DN42.
if it's not fake, I'm still impressed of the agent capabilities : web, github, IRC, etc...
Gold
“While modern AI models have expressed some capabilities in certain fields such as coding, cybersecurity research, language translation, etc, no AI model is capable enough to replace the critical thinking and common sense of an actual human being.”
When the AI bubble pops, the collapse will be spectacular.
Does this even work?
But for now, humans win.
What is this veiled threat bullshit, lol
I wonder what was the initial prompt that made LLM "think" that it can talk like that.
:(
What a tale for our times, amazing write-up.
Does nobody have any shame lmao
This is unfortunately quite common among those types and not isolated at all.