
Security researchers claim Persona, the provider behind Discord's UK age verification 'experiment', performs '269 individual verification checks' on user data, including those for terrorism and espionage

20 February 2026 at 18:45

Discord's age verification rollout has been met with... shall we say, dismay by many users of the platform, with many hunting for a better, more privacy-focused alternative.

The news was even less well-received when Discord informed some UK users that they may be part of an "experiment" with an age verification provider called Persona, the lead investor of which, in its most recent rounds of capital funding, was a venture fund co-founded and directed by none other than Peter Thiel.

You know, the co-founder of Palantir, a surveillance technology firm that's been hitting headlines recently for working on apps to help track targets of the US government's deportation efforts. And claims that it may compile databases from the private information of US citizens. Naturally.

Discord later said that it had concluded testing with Persona's platform. Anyway, security and private data concerns around Persona's data verification efforts have been spreading, and now three security researchers say they've discovered a Persona frontend that was exposed to the open internet on a US government-authorised server (via Rage).

Quoting directly from the researchers' blog, the team says its work was supposed to be a "passive recon investigation," which quickly turned into "a rabbit hole deep dive into how commercial AI and federal government operations work together to violate our privacy every waking second."

"We didn’t even have to write or perform a single exploit, the entire architecture was just on the doorstep," claims the team.


"53 megabytes of unprotected source maps on a FedRAMP government endpoint, exposing the entire codebase of a platform that files Suspicious Activity Reports with FinCEN, compares your selfie to watchlist photos using facial recognition, screens you against 14 categories of adverse media from terrorism to espionage, and tags reports with codenames from active intelligence programs.

"2,456 source files containing the full TypeScript codebase," the blog continues. "Every permission, every API endpoint, every compliance rule, every screening algorithm. Sitting unauthenticated on the public internet. On a government platform no less."

Beyond the astonishing thought that such data could be accessed so easily, it certainly seems like Persona operates more deeply than anyone would reasonably expect. The researchers say that the full verification program performs 269 individual verification checks across 14 check types, including "SelfieSuspiciousEntityDetection".

"What makes a face 'suspicious?'", say the researchers. "The code doesn't say. The users aren't told."

The process for verifying your age on Discord using Death Stranding

(Image credit: Future)

What we're often told, however, is that age verification is in our best interests, in an effort to prevent children from watching harmful content. Still, it doesn't take a genius to realise that there's a whole lot more value in facial recognition data than simply verifying that someone's old enough to view adult material.

How much of this leak applies to Discord's earlier testing is unclear. However, it's an excellent example of why privacy advocates have been vocally uncomfortable with the idea of current digital age verification methods, and why you should be very, very picky about who you hand your data over to. If, let's be honest, anyone at all.

Cloudflare says DDoS attacks have multiplied to 1.7x last year's count and at points there's been about one attempt every second

3 December 2025 at 15:00

If you thought the AI industry deals with big numbers—millions of tokens, giga-zigga-exa-flexa-FLOPs (a very real metric, I tell you)—wait until you hear about the internet. That thing has been taking an absolute beating over the last year. We've seen very visible effects of this with various memorable outages, but now we've also got some numbers to put to it, in the form of "hyper-volumetric" DDoS attacks.

Giant content delivery network (CDN) Cloudflare has released some somewhat troubling stats and info regarding the past year of distributed denial of service (DDoS) attacks. These are essentially attacks that attempt to flood a target service with packets of data to overload and overwhelm it and prevent it from doing the work it's actually meant to be doing, such as providing an internet connection to customers or displaying webpages.

According to Cloudflare, DDoS attacks are up 170% to 36.2 million in 2025 compared to 2024. To zoom in a little, the company says that in the third quarter of 2025, it "mitigated an average of 3,780 DDoS attacks every hour." That's 63 DDoS attacks each minute, or about one every second.

Not every DDoS attack is a noteworthy one, of course, but there have been a few noteworthy ones over the past few months. In particular, a few were highlighted by Cloudflare over the last couple of months as consecutive record breakers (woo?).

A Cloudflare chart showing DDoS attack statistics for 2023, 2024, and 2025.

(Image credit: Cloudflare)

In the weeks leading up to September there was a DDoS attack that attempted to flood its target with 11.5 Tbps of data. Then, in late September, there was one that topped this with an attempt to flood its target with 22.2 Tbps of data, which equated to 10.6 billion packets of data per second. And then there was one in early October that saw a new record 29.6 Tbps flung at its target. These attacks each lasted less than a minute.

Those small timeframes are a real problem if you don't have automated defenses in place: "most attacks, 71% of HTTP DDoS and 89% of network-layer, end in under 10 minutes. That's too fast for any human or on-demand service to react. A short attack may only last a few seconds, but the disruption it causes can be severe, and recovery takes far longer."

We've seen how long it can take for simple mistakes to be cleaned up and service to be restored. Cloudflare's recent outage, for instance, was caused by a double-sized file propagating throughout the network. This likely happened quite quickly, but it took hours for service to be restored to full, normal functionality.

To simplify probably far too much, DDoS attacks are generally defended against by figuring out which packets of data coming in are illegitimate and then simply not processing them. Cloudflare's defenses seem to have done a good job at this, given these big attacks were defended.


But as Cloudflare's quarterly and yearly stats show, the number and the scale of these attacks seem to be exponentially increasing. According to Krebs on Security, linked previously, the Aisuru botnet responsible for the latest record-breaking DDoS attack apparently caused widespread internet disruption in the US simply due to attempted DDoSing; that's all without the attack succeeding.

A botnet, if you weren't aware, is like a hivemind of connected computers that are usually connected together unbeknownst to their users. All the systems can, at the behest of the attacker(s) in control of the botnet, be prompted to dish out some packets of data that, when combined with all the packets from other computers in the secret network, makes for a giant mass. A mass that barrages a target with, say, 29.6 terabytes per second of data. In "distributed" fashion, ergo, "distributed denial of service."

In other words, lovely stuff to help us sleep at night. It does make me hope my PC isn't some kind of sleeper agent. I'll keep my side-eye firmly planted on its suspiciously unassuming chassis, just in case.

We Have Never Been More 12 Years Old


On Monday, we reached all-time-high levels of being 12 years old when several government social media accounts shared a deluge of Trump-themed Halo memes. Unfortunately, today those in the halls of power have raised the bar again, making their past selves look downright 13 in comparison.

Now we’ve got White House Deputy Press Secretary Kush Desai and the Department of Homeland Security weighing in, both of whom provided comments on the memes to freelance journalist and Aftermath pal Alyssa Mercante. Desai centered his response around the supposed end of the console wars, which should only matter to you if you died in the 90s while arguing about who’d win in a fight between Mario and Sonic and now haunt the playground you were crawling around on to this day:

“Yet another war ended under President Trump's watch—only one leader is fully committed to giving power to the players, and that leader is Donald J. Trump. That’s why he’s hugely popular with the American people and American Gamers."

(With loud reactionaries, maybe, but with normal people caught in a tornado of tariffs, almost certainly not.)

The Department of Homeland Security’s media team decided to go the openly racist and xenophobic route, because of course they did:

"We will reach people where they are with content they can relate to and understand, whether that be Halo, Pokemon, Lord of the Rings, or any other medium. DHS remains laser focused on bringing awareness to the flood of crime that criminal illegal aliens have inflicted on our country. We aren't slowing down."

Then we have the crown jewel in today’s gold-embossed propeller hat: Vice President JD Vance casually referencing the dumbest, most disingenuous Twitch drama yet during an appearance on New York Post’s Pod Force One podcast. Speaking about his own dog, Atlas, Vance voiced his opinion on CollarGate:

“I kind of obsessively trained him,” Vance said of Atlas. “You could see this: He sits on command, he stays on command. He has this command, place, which is basically if I snap my finger and point, he will run to that place and lay down."

"You don't have to zap him like Hasan [Piker]?" asked the show’s host, Miranda Devine.

"Not like Hasan Piker?” Vance replied in a voice that anyone should be disqualified from running for public office simply for possessing. “No. No electrocution of dogs here."

"How disgusting is that? What does that tell you about a person?" said Devine, whose unquenchable appetite for boot needs to be studied.

"Well, I think that tells you that they're bad people,” said Vance, 12, who nonetheless possesses the baby brain of someone who was born yesterday. “If you can actually cause suffering to an innocent animal, you're probably the kind of person who doesn't worry about suffering in people as well. And that's been my experience: If you mistreat dogs, that's almost 100 percent a sign that you're gonna be a really terrible person."

Tell that to the 40 million low-income Americans about to lose SNAP benefits. I’m sure they’ll agree with you that the truest measure of a man is his dog, rather than his proclivity for aiding and abetting mass immiseration. Also, I bet JD Vance’s dog hates him, too.

On the upside, while we’ve never been more 12 years old than we are today, we could not possibly become even more 12 tomorrow. I’m sure this is it, and soon everyone will be grownups again.
