TheNote
Schneier on Security Note
GooglePlay AppStore

Schneier on Security

The website www.schneier.com belongs to Bruce Schneier, a well-known American cryptographer, computer security professional, and writer. The website is a collection of his writings, articles, and other publications related to security, technology, and society. It includes a blog section where Schneier regularly posts updates and commentary on current events and topics related to cybersecurity and information security. Some of the main features of the website include: - a comprehensive blog with hundreds of articles and posts dating back to 2004, covering a wide range of topics related to security, technology, and policy. - a section for Schneier's published works, including his books, academic papers, and essays. Some of his notable books include 'Applied Cryptography', 'Secrets and Lies', and 'Click Here to Kill Everybody'. - a page dedicated to his work and activities as a public speaker, consultant, and advisor to various organizations and governments. The website also features a collection of links to external articles and writings about Schneier and his work. The website has a simple and minimalistic design, making it easy to navigate and read. Overall, www.schneier.com is a valuable resource for anyone interested in learning more about cybersecurity, cryptography, and related topics from one of the most respected experts in the field.
Schneier on Security schneier.com
RSS schneier.com
RSS Hunter RSS Hunter Aug 19, 2024

Thread Of Notes

AI Use by the US Government

On 14 April, the Trump administration quietly acknowledged the widespread use of AI to automate government processes. The office of management and budget (OMB) disclosed a staggering 3,611 active or planned use cases for AI across the federal government. The list has ballooned by 70% from the one published in the final year of the Biden administration, and includes many disturbing-seeming plans to hand over sensitive governmental functions to AI. Scanning this list, many readers may find many causes for alarm. It represents a transfer of decision processes from human to machine on a massive scale over matters of individual freedom, public health and well-being, nuclear reactor safety and more...
AI and ML News on Bluesky @ai-news.at.thenote.app bsky.app
RSS Hunter RSS Hunter Yesterday

The FCC Wants to Eliminate Burner Phones

A proposed FCC rule threatens the existence of burner phones, which are not linked to specific individuals. The FCC intends to mandate that telecommunication companies retain extensive personal data on nearly all phone users. This data would include government-issued identification numbers and physical addresses. Privacy advocates and civil rights activists express alarm, drawing parallels to authoritarian regimes. This policy shift would significantly alter how Americans acquire phone plans. It is also expected to have substantial repercussions for privacy and cybersecurity. The FCC is partly justifying this data collection as a measure to combat scammers. Telecommunication companies would also be required to collect information on business and foreign customers, such as the intended use of their phone plans. However, the changes would affect all new and renewing customers. The FCC has indicated the collected data could assist authorities in various other investigations, raising further privacy concerns.
https://www.schneier.com/blog/archives/2026/06/the-fcc-wants-to-eliminate-burner-phones.html schneier.com
RSS Hunter RSS Hunter Jun 15

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I’m giving a keynote at Cybernation 2026 in Berlin, Germany, on June 24, 2026. I’m speaking at the Potsdam Conference on National Cybersecurity at the Hasso Plattner Institut in Potsdam, Germany. The event runs June 24–25, 2026, and my talk will be the evening of June 24. I’m participating in a panel discussion at the Austrian Institute for International Affairs in Vienna on Thursday, June 25, 2026. I’m speaking at the Digital Humanism Conference in Vienna, Austria, on Friday, June 26, 2026...
https://www.schneier.com/blog/archives/2026/06/upcoming-speaking-engagements-57.html schneier.com
RSS Hunter RSS Hunter Jun 14

Bernie Sanders’ AI Sovereign Wealth Fund Plan

Let no one accuse Bernie Sanders of ducking the big questions. Writing in the New York Times last week, the senator asked: “Will the future of humanity be determined by a handful of billionaires who have promoted and developed AI, with virtually no democratic input, who stand to become even richer and more powerful than they are today?” We agree entirely that this is one of the most potent questions facing global democracy today. Our book, Rewiring Democracy, surveys the emerging uses for and impacts of AI in democracy around the world and reaches the same conclusion: that the most urgent risk posed by AI is the ...
https://www.schneier.com/blog/archives/2026/06/bernie-sanders-ai-sovereign-wealth-fund-plan.html schneier.com
RSS Hunter RSS Hunter Jun 12

Enhanced License Plate Tracking

The surveillance company Leonardo wants more data: A surveillance company plans to add sensors to automatic license plate readers (ALPRs) that would mean the devices, as well as capture the license plate of passing vehicles, would also sweep up unique identifiers of mobile phones, wearables, and other Bluetooth-enabled devices in those cars, potentially letting law enforcement identify specific drivers or passengers. The technology, called SignalTrace, would turn ALPR cameras from devices focused on tracking cars to ones that can more readily track the location of particular people. ALPR cameras have become a commonly deployed technology all across the U.S.; SignalTrace would make some of those cameras capable of collecting much more data...
Hacker & Security News on Bluesky @hacker.at.thenote.app bsky.app
RSS Hunter RSS Hunter Jun 11

GPS As a Key Distribution Platform

This is interesting: The U.S. military has likely been quietly broadcasting codes for its global encryption network using public GPS for nearly 20 years, turning each satellite into a hidden “numbers station,” according to Steven Murdoch… That means every device that uses GPS has been receiving hidden government information for years, and nobody outside the military knew it until now. […] Murdoch discovered that this particular sentinel was transmitted by all 31 operational satellites within a window of a few hours on May 26, 2011, potentially heralding the activation of a new operational system. He confirmed that this timeline coincided with the rollout of the military’s Over-the-Air Distribution (OTAD) and the Over-the-Air Rekeying (OTAR) by cross-referencing declassified documents, including a 2015 presentation about the dates of the operation...
https://www.schneier.com/blog/archives/2026/06/gps-as-a-key-distribution-platform.html schneier.com
RSS Hunter RSS Hunter Jun 9

Critical Zcash Vulnerability Found and Fixed

If you’re a user—owner?—of this cryptocurrency, this is important: On May 29, the security researcher Taylor Hornby found a critical vulnerability in Zcash Orchard privacy pool using Claude Opus 4.8. The Zcash team hired Hornby specifically to look for this kind of issue. He found one fast enough to be embarrassing. The Orchard pool is the newest and most advanced shielded transaction system in the cryptocurrency Zcash. Introduced in 2022, it allows users to send and receive ZEC while keeping transaction details private. It uses zero-knowledge proofs to validate transactions without revealing amounts or participants. The bug: a specific check that was supposed to validate transaction inputs wasn’t actually enforcing the rules it appeared to enforce. An attacker could have exploited the flaw to feed false inputs into that check and generate ZEC from nothing, with the zero-knowledge proof system blessing the fraudulent transaction as valid...
https://www.schneier.com/blog/archives/2026/06/critical-zcash-vulnerability-found-and-fixed.html schneier.com
RSS Hunter RSS Hunter Jun 8

Anthropic’s Project Glasswing Update

In April, Anthropic initated Project Glasswing. The idea was to let companies use their new model to find and fix vulnerabilities in their own software. It was a fantastic PR move, and so many press outlets have uncritically parroted Anthropic’s claims that it’s now common wisdom that Mythos is better at finding software vulnerabilities than other models. Which is just not true. In any case, Anthropic has published a Project Glasswing status report. It’s finding a lot of vulnerabilities in software—yay! Some of them are even dangerous. But almost none of them has been patched. It’s ...
https://www.schneier.com/blog/archives/2026/06/anthropics-project-glasswing-update.html schneier.com
RSS Hunter RSS Hunter Jun 8

Hacking Meta’s AI Chatbot

Hackers are convincing Meta’s AI support chatbot to let them take over other peoples’ accounts: A video posted on X showed the step-by-step process to hack someone’s Instagram account. The hacker allegedly used a VPN to spoof the targets’ presumed location to avoid triggering Instagram’s automated account protections. Then, the hacker opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The chatbot can be seen sending a verification code to the email address provided by the hacker; the hacker then shares the verification code with the chatbot, which prompts the chatbot to show a button to “Reset Password.” The hacker enters a new password and takes over the victim’s account...
https://www.schneier.com/blog/archives/2026/06/hacking-metas-ai-chatbot.html schneier.com
RSS Hunter RSS Hunter Jun 4

The Intersection of Encryption and AI

As part of their 20th Anniversary celebration, Dark Reading asked five cybersecurity industry leaders who wrote blogs or columns for them over the years to select their favorite piece and share their reflections on the topic today. This is my section. Renowned technologist and author Bruce Schneier contributed a column on June 20, 2010, warning about cryptography’s inability to secure modern networks, a point he says he has been trying to argue since 2000. “For a while now, I’ve pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on...
https://www.schneier.com/blog/archives/2026/06/the-intersection-of-encryption-and-ai.html schneier.com
RSS Hunter RSS Hunter Jun 2

Vulnerability Disclosure in the Age of AI

Frontier AI models can now autonomously find software vulnerabilities at an unprecedented speed and scale. This capability exposes the significant technical debt accumulated by a software industry that prioritized quick deployment over secure design. The current situation marks a strategic inflection point for governments, industry, and critical infrastructure. There is growing tension between offensive and defensive capabilities in cyberspace. Both the U.S. and China are developing AI-driven vulnerability discovery tools. Unsupported legacy systems and AI-assisted code generation introduce increasing risks. Responsible disclosure must evolve from a reactive process into a coordinated national and international resilience effort. This coordinated effort needs to involve governments, software vendors, infrastructure operators, and emergency response organizations. The article urges accelerated remediation and large-scale patch management coordination. Sustained investment in automated vulnerability repair is crucial to prevent adversaries from exploiting this opportunity.
https://www.schneier.com/blog/archives/2026/06/vulnerability-disclosure-in-the-age-of-ai.html schneier.com
RSS Hunter RSS Hunter Jun 1

Chilling Effects

Younger Americans have soured on the second Donald Trump presidency, but they are not protesting it. Despite an unpopular Iran war and an even more unpopular Trump administration, college campus protests nationwide have gone silent. And at many schools, student activism is virtually nonexistent. This silence comes in the wake of a relentless Trump administration war on campus speech that has involved lawsuits, arrests, deportations and expulsions. Reports cite a range of complicated factors for the restraint, from apathy to technology-induced incapacity. But as ...
https://www.schneier.com/blog/archives/2026/05/chilling-effects.html schneier.com
RSS Hunter RSS Hunter May 29

Identifying People Using Wi-Fi Routers

Not identifying people based on their use of Wi-Fi routers, but identifying people using Wi-Fi signals. This is accomplished through what is known as WiFi sensing, or the use of WiFi signals to infer information about a physical environment. When radio signals like WiFi travel through a space, they interact with the objects and people around them. Those signals can be reflected, scattered, or absorbed. By analyzing how the signal is expected to behave compared with how it is actually received, researchers can infer details about the surrounding environment...
https://www.schneier.com/blog/archives/2026/05/identifying-people-using-wi-fi-routers.html schneier.com
RSS Hunter RSS Hunter May 26

CISA Security Leak

Crazy story: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history. News article.
https://www.schneier.com/blog/archives/2026/05/cisa-security-leak.html schneier.com
RSS Hunter RSS Hunter May 22

On AI Security

The report explores the challenge of measuring and ensuring the security of Artificial Intelligence (AI) systems. Traditional security benchmarks are inadequate for assessing AI capabilities, especially complex aspects like security. The core question revolves around how to effectively measure security in the AI domain. The report draws parallels to the evolution of software security engineering over the past three decades. Software security progressed from penetration testing to process-driven standards like BSIMM. AI's potentially deeper impact on business necessitates robust security measures. The report suggests that a software security-like approach might be suitable for AI. Real progress in AI security involves managing risk through identifying and applying good assurance processes. The report emphasizes there is no single "security meter" for AI; therefore, vigilance is crucial. The focus shifts toward improving understanding and categorization of AI-related security concerns. Ultimately, the goal is to enhance AI security despite the absence of a simple measurement tool.
https://www.schneier.com/blog/archives/2026/05/on-ai-security.html schneier.com
RSS Hunter RSS Hunter May 20

Laurie Anderson Is Quoting Me

Not by name, but Laurie Anderson quotes me in one of the tracks of her new album: My favorite quote is from a cryptologist who said “If you think technology will solve your problems, you don’t understand technology and you don’t understand your problems.” Also in interviews: “Of course, it’s ridiculous, outrageous, blah, blah, blah,” Anderson says about the ad. ‘But, I mean, my favorite quote on this is from a cryptologist who said, ‘If you think technology will solve your problems, you don’t understand technology ­ and you don’t understand your problems.’ And I think I’m completely on board with that.”...
https://www.schneier.com/blog/archives/2026/05/laurie-anderson-is-quoting-me.html schneier.com
RSS Hunter RSS Hunter May 19

Zero-Day Exploit Against Windows BitLocker

It’s nasty, but it requires physical access to the computer: The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM). BitLocker is a mandatory protection for many organizations, including those that contract with governments...
https://www.schneier.com/blog/archives/2026/05/zero-day-exploit-against-windows-bitlocker.html schneier.com
RSS Hunter RSS Hunter May 18

Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak: I’m giving a virtual talk on “The Security of Trust in the Age of AI,” hosted by the Financial Women’s Association of New York, at 6:00 PM ET on May 21, 2026. I’m speaking at the Potsdam Conference on National Cybersecurity at the Hasso Plattner Institut in Potsdam, Germany. The event runs June 24–25, 2026, and my talk will be the evening of June 24. I’m speaking at the Digital Humanism Conference in Vienna, Austria, on Tuesday, June 26, 2026. I’m speaking at the ...
https://www.schneier.com/blog/archives/2026/05/upcoming-speaking-engagements-56.html schneier.com
RSS Hunter RSS Hunter May 14

How Dangerous Is Anthropic’s Mythos AI?

Last month, Anthropic made a remarkable announcement about its new model, Claude Mythos Preview: it was so good at finding security vulnerabilities in software that the company would not release it to the general public. Instead, it would only be available to a select group of companies to scan and fix their own software. The announcement requires context—but it contained an essential truth. While Anthropic’s model is really good at finding software vulnerabilities, so are other models. The UK’s AI Security Institute found that OpenAI’s GPT-5.5, already generally available, is comparable in capability. The company Aisle ...
https://www.schneier.com/blog/archives/2026/05/how-dangerous-is-anthropics-mythos-ai.html schneier.com
RSS Hunter RSS Hunter May 14

OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities

The UK’s AI Security Institute evaluated GPT-5.5’s ability to find security vulnerabilities, and found that it is comparable to Claude Mythos. Note that the OpenAI model is generally available. Here is the Institute’s evaluation of Mythos. And here is an analysis of a smaller, cheaper model. It requires more scaffolding from the prompter, but it is also just as good.
https://www.schneier.com/blog/archives/2026/05/openais-gpt-5-5-is-as-good-as-mythos-at-finding-security-vulnerabilities.html schneier.com
RSS Hunter RSS Hunter May 13

Copy.Fail Linux Vulnerability

This is the worst Linux vulnerability in years. TL;DR copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC. It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own. The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and most others. No race condition, no per-distro offsets. The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing. ...
https://www.schneier.com/blog/archives/2026/05/copy-fail-linux-vulnerability.html schneier.com
RSS Hunter RSS Hunter May 12

Insider Betting on Polymarket

Insider trading is rife on Polymarket: Analysis by the Anti-Corruption Data Collective, a non-profit research and advocacy group, found that long-shot bets—­defined as wagers of $2,500 or more at odds of 35 percent or less—­on the platform had an average win rate of around 52 percent in markets on military and defense actions. That compares with a win rate of 25 percent across all politics-focused markets and just 14 percent for all markets on the platform as a whole. It is absolutely insane that this is legal. We already know how insider betting warps sports. Insider betting warping politics—and military actions—is orders of magnitude worse...
https://www.schneier.com/blog/archives/2026/05/insider-betting-on-polymarket.html schneier.com
RSS Hunter RSS Hunter May 8

Rowhammer Attack Against NVIDIA Chips

A new rowhammer attack gives complete control of NVIDIA CPUs. On Thursday, two research teams, working independently of each other, demonstrated attacks against two cards from Nvidia’s Ampere generation that take GPU rowhammering into new—­and potentially much more consequential—­territory: GDDR bitflips that give adversaries full control of CPU memory, resulting in full system compromise of the host machine. For the attack to work, IOMMU memory management must be disabled, as is the default in BIOS settings. “Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well,” said Andrew Kwong, co-author of one of the papers. “...
https://www.schneier.com/blog/archives/2026/05/rowhammer-attack-against-nvidia-chips.html schneier.com
RSS Hunter RSS Hunter May 6

DarkSword Malware

DarkSword is a sophisticated piece of malware—probably government designed—that targets iOS. Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine...
https://www.schneier.com/blog/archives/2026/05/darksword-malware.html schneier.com
RSS Hunter RSS Hunter May 5

Hacking Polymarket

Polymarket is a platform where people can bet on real-world events, political and otherwise. Leaving the ethical considerations of this aside (for one, it facilitates assassination), one of the issues with making this work is the verification of these real-world events. Polymarket gamblers have threatened a journalist because his story was being used to verify an event. And now, gamblers are taking hair dryers to weather sensors to rig weather bets. There’s also insider trading: a lot of it.
https://www.schneier.com/blog/archives/2026/05/hacking-polymarket.html schneier.com
RSS Hunter RSS Hunter May 4

Fast16 Malware

Researchers have reverse-engineered a piece of malware named Fast16. It’s almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet: “…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then silently manipulating computation processes in certain software applications that perform high-precision mathematical calculations and simulate physical phenomena, Fast16 can alter the results of those programs to cause failures that range from faulty research results to catastrophic damage to real-world equipment.”...
https://www.schneier.com/blog/archives/2026/04/fast16-malware.html schneier.com
RSS Hunter RSS Hunter Apr 30

Claude Mythos Has Found 271 Zero-Days in Firefox

That’s a lot. No, it’s an extraordinary number: Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser. We wrote previously about our collaboration with Anthropic to scan Firefox with Opus 4.6, which led to fixes for 22 security-sensitive bugs in Firefox 148. As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to Firefox. This week’s release of Firefox 150 includes fixes for 271 vulnerabilities identified during this initial evaluation...
https://www.schneier.com/blog/archives/2026/04/claude-mythos-has-found-271-zero-days-in-firefox.html schneier.com
RSS Hunter RSS Hunter Apr 29

What Anthropic’s Mythos Means for the Future of Cybersecurity

Two weeks ago, Anthropic announced that its new model, Claude Mythos Preview, can autonomously find and weaponize software vulnerabilities, turning them into working exploits without expert guidance. These were vulnerabilities in key software like operating systems and internet infrastructure that thousands of software developers working on those systems failed to find. This capability will have major security implications, compromising the devices and services we use every day. As a result, Anthropic is not releasing the model to the general public, but instead to a ...
https://www.schneier.com/blog/archives/2026/04/what-anthropics-mythos-means-for-the-future-of-cybersecurity.html schneier.com
RSS Hunter RSS Hunter Apr 28

Friday Squid Blogging: How Squid Survived Extinction Events

Science news: Scientists have finally cracked a long-standing mystery about squid and cuttlefish evolution by analyzing newly sequenced genomes alongside global datasets. The research reveals that these bizarre, intelligent creatures likely originated deep in the ocean over 100 million years ago, surviving mass extinction events by retreating into oxygen-rich deep-sea refuges. For millions of years, their evolution barely changed—until a dramatic post-extinction boom sparked rapid diversification as they moved into new shallow-water habitats. ...
https://www.schneier.com/blog/archives/2026/04/friday-squid-blogging-how-squid-survived-extinction-events.html schneier.com
RSS Hunter RSS Hunter Apr 24

Hiding Bluetooth Trackers in Mail

It was used to track a Dutch naval ship: Dutch journalist Just Vervaart, working for regional media network Omroep Gelderland, followed the directions posted on the Dutch government website and mailed a postcard with a hidden tracker inside. Because of this, they were able to track the ship for about a day, watching it sail from Heraklion, Crete, before it turned towards Cyprus. While it only showed the location of that one vessel, knowing that it was part of a carrier strike group sailing in the Mediterranean could potentially put the entire fleet at risk...
https://www.schneier.com/blog/archives/2026/04/hiding-bluetooth-trackers-in-mail.html schneier.com
RSS Hunter RSS Hunter Apr 24

FBI Extracts Deleted Signal Messages from iPhone Notification Database

404 Media reports (alternate site): The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database…. The news shows how forensic extraction—­when someone has physical access to a device and is able to run specialized software on it—­can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on...
https://www.schneier.com/blog/archives/2026/04/fbi-extracts-deleted-signal-messages-from-iphone-notification-database.html schneier.com
RSS Hunter RSS Hunter Apr 23

Cookies help us deliver our Services. By using our Services or clicking I agree, you agree to our use of cookies .