This is a multi-part message in MIME format

--_----------=_MCPart_768092142
Content-Type: text/plain; charset="utf-8"; format="fixed" Content-Transfer-Encoding: quoted-printable

** CRYPTO-GRAM
FEBRUARY 15=2C 2026 ------------------------------------------------------------

by Bruce Schneier
Fellow and Lecturer=2C Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries=2C analyses=2C insights=2C a=
nd commentaries on security: computer and otherwise.

For back issues=2C or to subscribe=2C visit Crypto-Gram's web page [https= ://www.schneier.com/crypto-gram/].

Read this issue on the web [https://www.schneier.com/crypto-gram/archives= /2026/0215.html]

These same essays and news items appear in the Schneier on Security [http= s://www.schneier.com/] blog=2C along with a lively and intelligent comment=
section. An RSS feed is available.

** *** ***** ******* *********** *************


** IN THIS ISSUE:
------------------------------------------------------------

1. New Vulnerability in n8n
2. AI and the Corporate Capture of Knowledge
3. AI-Powered Surveillance in Schools
4. Could ChatGPT Convince You to Buy Something?
5. Internet Voting is Too Insecure for Use in Elections
6. Why AI Keeps Falling for Prompt Injection Attacks
7. Ireland Proposes Giving Police New Digital Surveillance Powers
8. The Constitutionality of Geofence Warrants
9. AIs Are Getting Better at Finding and Exploiting Security Vulnerab= ilities
10. AI Coding Assistants Secretly Copying All Code to China
11. Microsoft is Giving the FBI BitLocker Keys
12. US Declassifies Information on JUMPSEAT Spy Satellites
13. Backdoor in Notepad++
14. iPhone Lockdown Mode Protects _Washington Post_ Reporter
15. I Am in the Epstein Files
16. LLMs are Getting a Lot Better and Faster at Finding and Exploitin=
g Zero-Days
17. AI-Generated Text and the Detection Arms Race
18. Prompt Injection Via Road Signs
19. _Rewiring Democracy_ Ebook is on Sale
20. 3D Printer Surveillance
21. Upcoming Speaking Engagements

** *** ***** ******* *********** *************


** NEW VULNERABILITY IN N8N ------------------------------------------------------------

[2026.01.15] [https://www.schneier.com/blog/archives/2026/01/new-vulnera= bility-in-n8n.html] This [https://www.cyera.com/research-labs/ni8mare-una= uthenticated-remote-code-execution-in-n8n-cve-2026-21858] isn=E2=80=99t go=
od:

We discovered a critical vulnerability (CVE-2026-21858=2C CVSS 10.0 [ht=

tps://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg]) in n=
8n that enables attackers to take over locally deployed instances=2C impac= ting an estimated 100=2C000 servers globally. No official workarounds are=
available for this vulnerability. Users should upgrade to version 1.121.0=
or later to remediate the vulnerability.

Three [https://community.n8n.io/t/security-advisory-security-vulnerabilit= y-in-n8n-versions-1-65-1-120-4/247305] technical [https://thehackernews.c= om/2026/01/n8n-supply-chain-attack-abuses.html] links [https://nvd.nist.g= ov/vuln/detail/CVE-2025-68668] and two news [https://www.cybersecuritydiv= e.com/news/critical-vulnerability-n8n-automation-platform/809360/] links [= https://www.bleepingcomputer.com/news/security/max-severity-ni8mare-flaw-= impacts-nearly-60-000-n8n-instances/].

** *** ***** ******* *********** *************


** AI AND THE CORPORATE CAPTURE OF KNOWLEDGE ------------------------------------------------------------

[2026.01.16] [https://www.schneier.com/blog/archives/2026/01/ai-and-the-= corporate-capture-of-knowledge.html] More than a decade after Aaron Swartz= =E2=80=99s death [https://www.sfgate.com/technology/article/Open-access-t= ributes-to-Aaron-Swartz-4193965.php]=2C the United States is still living=
inside the contradiction that destroyed him.

Swartz believed that knowledge=2C especially publicly funded knowledge=2C=
should be freely accessible. Acting on that=2C he downloaded thousands of=
academic articles from the JSTOR [https://www.jstor.org/] archive with t=
he intention of making them publicly available. For this=2C the federal go= vernment charged him with a felony and threatened decades in prison. After=
two years of prosecutorial pressure=2C Swartz died by suicide on Jan. 11=
=2C 2013.

The still-unresolved questions raised by his case have resurfaced in today= =E2=80=99s debates over artificial intelligence=2C copyright and the ultim=
ate control of knowledge.

At the time of Swartz=E2=80=99s prosecution=2C vast amounts of research we=
re funded by taxpayers=2C conducted at public institutions and intended to=
advance public understanding. But access to that research was=2C and stil=
l is=2C locked behind expensive paywalls. People are unable to read work t=
hey helped fund without paying private journals and research websites.

Swartz considered this hoarding of knowledge to be neither accidental nor=
inevitable. It was the result of legal=2C economic and political choices.=
His actions challenged those choices directly. And for that=2C the govern= ment treated him as a criminal.

Today=E2=80=99s AI arms race involves a far more expansive=2C profit-drive=
n form of information appropriation. The tech giants ingest vast amounts o=
f copyrighted material: books=2C journalism=2C academic papers=2C art=2C m= usic and personal writing. This data is scraped at industrial scale=2C oft=
en without consent=2C compensation or transparency=2C and then used to tra=
in large AI models.

AI companies then sell their proprietary systems=2C built on public and pr= ivate knowledge=2C back to the people who funded it. But this time=2C the=
government=E2=80=99s response has been markedly different. There are no c= riminal prosecutions=2C no threats of decades-long prison sentences. Lawsu=
its proceed slowly=2C enforcement remains uncertain and policymakers signa=
l caution=2C given AI=E2=80=99s perceived economic and strategic importanc=
e. Copyright infringement is reframed as an unfortunate but necessary step=
toward =E2=80=9Cinnovation.=E2=80=9D

Recent developments underscore this imbalance. In 2025=2C Anthropic [http= s://www.npr.org/2025/09/05/nx-s1-5529404/anthropic-settlement-authors-copy= right-ai] reached a settlement with publishers over allegations that its A=
I systems were trained on copyrighted books without authorization. The agr= eement reportedly valued infringement at roughly $3=2C000 per book across=
an estimated 500=2C000 works=2C coming at a cost of over $1.5 billion. Pl= agiarism disputes between artists and accused infringers routinely settle=
for hundreds of thousands=2C or even millions=2C of dollars when prominen=
t works are involved. Scholars estimate Anthropic avoided over $1 trillion=
in liability costs [https://www.lawfaremedia.org/article/anthropic-s-set= tlement-shows-the-u.s.-can-t-afford-ai-copyright-lawsuits]. For well-capit= alized AI firms=2C such settlements are likely being factored as a predict= able cost of doing business.

As AI becomes a larger part of America=E2=80=99s economy=2C one can see th=
e writing on the wall. Judges will twist themselves into knots to justify=
an innovative technology premised on literally stealing the works of arti= sts=2C poets=2C musicians=2C all of academia and the internet=2C and vast=
expanses of literature. But if Swartz=E2=80=99s actions were criminal=2C=
it is worth asking: What standard are we now applying to AI companies?

The question is not simply whether copyright law applies to AI. It is why=
the law appears to operate so differently depending on who is doing the e= xtracting and for what purpose.

The stakes extend beyond copyright law or past injustices. They concern wh=
o controls the infrastructure of knowledge going forward and what that con= trol means for democratic participation=2C accountability and public trust=
=2E

Systems trained on vast bodies of publicly funded research are increasingl=
y becoming the primary way people learn about science=2C law=2C medicine a=
nd public policy. As search=2C synthesis and explanation are mediated thro=
ugh AI models=2C control over training data and infrastructure translates=
into control over what questions can be asked=2C what answers are surface= d=2C and whose expertise is treated as authoritative. If public knowledge=
is absorbed into proprietary systems that the public cannot inspect=2C au=
dit or meaningfully challenge=2C then access to information is no longer g= overned by democratic norms but by corporate priorities.

Like the early internet=2C AI is often described as a democratizing force.=
But also like the internet=2C AI=E2=80=99s current trajectory suggests so= mething closer to consolidation. Control over data=2C models and computati= onal infrastructure is concentrated in the hands of a small number of powe= rful tech companies. They will decide who gets access to knowledge=2C unde=
r what conditions and at what price.

Swartz=E2=80=99s fight was not simply about access=2C but about whether kn= owledge should be governed by openness or corporate capture=2C and who tha=
t knowledge is ultimately for. He understood that access to knowledge is a=
prerequisite for democracy. A society cannot meaningfully debate policy=
=2C science or justice if information is locked away behind paywalls or co= ntrolled by proprietary algorithms. If we allow AI companies to profit fro=
m mass appropriation while claiming immunity=2C we are choosing a future i=
n which access to knowledge is governed by corporate power rather than dem= ocratic values.

How we treat knowledge -- who may access it=2C who may profit from it and=
who is punished for sharing it -- has become a test of our democratic com= mitments. We should be honest about what those choices say about us.

_This essay was written with J. B. Branch=2C and originally appeared in th=
e San Francisco Chronicle [https://www.sfchronicle.com/opinion/openforum/= article/ai-copyright-research-law-21282101.php]._

** *** ***** ******* *********** *************


** AI-POWERED SURVEILLANCE IN SCHOOLS ------------------------------------------------------------

[2026.01.19] [https://www.schneier.com/blog/archives/2026/01/ai-powered-= surveillance-in-schools.html] It all sounds pretty dystopian [https://www= =2Eforbes.com/sites/thomasbrewster/2025/12/16/ai-bathroom-monitors-welcome-t= o-americas-new-surveillance-high-schools/]:

Inside a white stucco building in Southern California=2C video cameras c=

ompare faces of passersby against a facial recognition database. Behaviora=
l analysis AI reviews the footage for signs of violent behavior. Behind a=
bathroom door=2C a smoke detector-shaped device captures audio=2C listeni=
ng for sounds of distress. Outside=2C drones stand ready to be deployed an=
d provide intel from above=2C and license plate readers from $8.5 billion=
surveillance behemoth Flock Safety ensure the cars entering and exiting t=
he parking lot aren=E2=80=99t driven by criminals.

This isn=E2=80=99t a high-security government facility. It=E2=80=99s Bev=

erly Hills High School.

** *** ***** ******* *********** *************


** COULD CHATGPT CONVINCE YOU TO BUY SOMETHING? ------------------------------------------------------------

[2026.01.20] [https://www.schneier.com/blog/archives/2026/01/could-chatg= pt-convince-you-to-buy-something.html] Eighteen months ago=2C it was plaus= ible that artificial intelligence might take a different path [https://ww= w.technologyreview.com/2024/03/13/1089729/lets-not-make-the-same-mistakes-= with-ai-that-we-made-with-social-media/] than social media. Back then=2C A= I=E2=80=99s development hadn=E2=80=99t consolidated under a small number o=
f big tech firms. Nor had it capitalized on consumer attention=2C surveill=
ing users and delivering ads.

Unfortunately=2C the AI industry is now taking a page from the social medi=
a playbook and has set its sights on monetizing consumer attention. When O= penAI launched its ChatGPT Search [https://openai.com/index/introducing-c= hatgpt-search/] feature in late 2024 and its browser=2C ChatGPT Atlas [ht= tps://openai.com/index/introducing-chatgpt-atlas/]=2C in October 2025=2C i=
t kicked off a race to capture online behavioral data [https://www.adweek= =2Ecom/media/openai-takes-on-google-with-atlas-ai-browser/] to power adverti= sing. It=E2=80=99s part of a yearslong turnabout by OpenAI [https://digid= ay.com/marketing/from-hatred-to-hiring-openais-advertising-change-of-heart= /]=2C whose CEO Sam Altman once called the combination of ads and AI =E2= =80=9Cunsettling=E2=80=9D and now promises that ads can be deployed in AI=
apps [https://searchengineland.com/chatgpt-ads-coming-some-point-464388]=
while preserving trust. The rampant speculation among OpenAI users [http= s://www.engadget.com/ai/openais-head-of-chatgpt-says-posts-appearing-to-sh= ow-in-app-ads-are-not-real-or-not-ads-190454584.html] who believe they see=
paid placements in ChatGPT responses suggests they are not convinced.

In 2024=2C AI search company Perplexity started experimenting with ads [h= ttps://www.perplexity.ai/hub/blog/why-we-re-experimenting-with-advertising=
] in its offerings. A few months after that=2C Microsoft introduced ads to=
its Copilot [https://www.windowscentral.com/software-apps/microsoft-inte= grates-showroom-ads-in-copilot-ai-simulating-brick-and-mortar-stores] AI.=
Google=E2=80=99s AI Mode for search [https://searchengineland.com/google= -ads-inside-ai-mode-tests-expand-464979] now increasingly features ads=2C=
as does Amazon=E2=80=99s Rufus chatbot [https://adage.com/technology/ama= zon/aa-ai-ads-sponsored-prompts/]. OpenAI announced on Jan. 16=2C 2026=2C=
that it will soon begin testing ads in the unpaid version of ChatGPT [ht= tps://openai.com/index/our-approach-to-advertising-and-expanding-access/].

As a security expert [https://scholar.google.com/scholar?hl=3Den&as_sdt= =3D0%2C22&q=3DBruce+Schneier&btnG=3D] and data scientist [https://scholar= =2Egoogle.com/citations?hl=3Den&user=3DLlKKQyIAAAAJ&view_op=3Dlist_works&sor= tby=3Dpubdate]=2C we see these examples as harbingers of a future where AI=
companies profit from manipulating their users=E2=80=99 behavior for the=
benefit of their advertisers and investors. It=E2=80=99s also a reminder=
that time to steer the direction of AI development away from private expl= oitation and toward public benefit is quickly running out.

The functionality of ChatGPT Search and its Atlas browser is not really ne=
w. Meta [https://proceedings.neurips.cc/paper/2020/hash/6b493230205f780e1= bc26945df7481e5-Abstract.html]=2C commercial AI competitor Perplexity [ht= tps://www.nytimes.com/2024/02/01/technology/perplexity-search-ai-google.ht=
ml] and even ChatGPT [https://www.theverge.com/2023/9/27/23892781/openai-= chatgpt-live-web-results-browse-with-bing] itself have had similar AI sear=
ch features for years=2C and both Google [https://gemini.google/overview/= gemini-in-chrome/] and Microsoft [https://blogs.windows.com/msedgedev/202= 3/05/23/microsoft-edge-build-2023-innovations-in-ai-productivity-managemen= t-sidebar-apps/] beat OpenAI to the punch by integrating AI with their bro= wsers. But OpenAI=E2=80=99s business positioning [https://www.washingtonp= ost.com/technology/2024/10/31/openai-chatgpt-search-ai-upgrade-google/] si= gnals a shift.

We believe the ChatGPT Search and Atlas announcements are worrisome becaus=
e there is really only one way to make money on search: the advertising mo=
del pioneered ruthlessly by Google [https://law.stanford.edu/publications= /why-google-dominates-advertising-markets/].

* ADVERTISING MODEL

Ruled a monopolist [https://www.nytimes.com/2024/08/05/technology/google-= antitrust-ruling.html] in U.S. federal court=2C Google has earned more tha=
n US$1.6 trillion in advertising revenue [https://www.statista.com/statis= tics/266249/advertising-revenue-of-google/] since 2001. You may think of G= oogle as a web search company=2C or a streaming video company (YouTube)=2C=
or an email company (Gmail)=2C or a mobile phone company (Android=2C Pixe= l)=2C or maybe even an AI company (Gemini). But those products are ancilla=
ry to Google=E2=80=99s bottom line. The advertising segment typically acco= unts for 80% to 90% of its total revenue [https://www.statista.com/statis= tics/1093781/distribution-of-googles-revenues-by-segment/]. Everything els=
e is there to collect users=E2=80=99 data and direct users=E2=80=99 attent=
ion [https://www.cnbc.com/2021/05/18/how-does-google-make-money-advertisi= ng-business-breakdown-.html] to its advertising revenue stream.

After two decades in this monopoly position=2C Google=E2=80=99s search pro= duct is much more tuned to the company=E2=80=99s needs than those of its u= sers. When Google Search first arrived decades ago=2C it was revelatory in=
its ability to instantly find useful information across the still-nascent=
web. In 2025=2C its search result pages are dominated by low-quality [ht= tps://www.404media.co/google-search-really-has-gotten-worse-researchers-fi= nd/] and often AI-generated content=2C spam sites that exist solely to dri=
ve traffic to Amazon sales -- a tactic known as affiliate marketing [http= s://www.investopedia.com/terms/a/affiliate-marketing.asp] -- and paid ad p= lacements=2C which at times are indistinguishable from organic results [h= ttps://www.cnbc.com/2020/01/24/google-will-iterate-the-design-that-made-it= -harder-to-tell-ads-from-search-results.html].

Plenty of advertisers [https://searchengineland.com/ai-powered-search-pai= d-placements-395084] and observers [https://professional.dce.harvard.edu/= blog/ai-will-shape-the-future-of-marketing/] seem to think AI-powered adve= rtising is the future of the ad business.

* HIGHLY PERSUASIVE

Paid advertising in AI search=2C and AI models generally=2C could look ver=
y different from traditional web search. It has the potential to influence=
your thinking=2C spending patterns and even personal beliefs in much more=
subtle ways. Because AI can engage in active dialogue=2C addressing your=
specific questions=2C concerns and ideas rather than just filtering stati=
c content=2C its potential for influence is much greater. It=E2=80=99s lik=
e the difference between reading a textbook and having a conversation with=
its author.

Imagine you=E2=80=99re conversing with your AI agent about an upcoming vac= ation. Did it recommend a particular airline or hotel chain because they r= eally are best for you=2C or does the company get a kickback for every men= tion? If you ask about a political issue=2C does the model bias its answer=
based on which political party has paid the company a fee=2C or based on=
the bias of the model=E2=80=99s corporate owners?

There is mounting evidence that AI models are at least as effective as peo=
ple at persuading users to do things. A December 2023 meta-analysis of 121=
randomized trials reported that AI models are as good as humans [https:/= /doi.org/10.1093/joc/jqad024] at shifting people=E2=80=99s perceptions=2C=
attitudes and behaviors. A more recent meta-analysis of eight studies sim= ilarly concluded [https://doi.org/10.21203/rs.3.rs-7435265/v1] there was=
=E2=80=9Cno significant overall difference in persuasive performance betw=
een (large language models) and humans.=E2=80=9D

This influence may go well beyond shaping what products you buy or who you=
vote for. As with the field of search engine optimization=2C the incentiv=
e for humans to perform for AI models might shape the way people write [h= ttps://www.theatlantic.com/technology/archive/2024/04/generative-ai-search= -llmo/678154/] and communicate with each other. How we express ourselves o= nline is likely to be increasingly directed to win the attention of AIs an=
d earn placement in the responses they return to users.

* A DIFFERENT WAY FORWARD

Much of this is discouraging=2C but there is much that can be done to chan=
ge it.

First=2C it=E2=80=99s important to recognize that today=E2=80=99s AI is fu= ndamentally untrustworthy [https://gizmodo.com/ai-chatgpt-can-we-build-tr= ustworthy-ai-1850405280]=2C for the same reasons that search engines and s= ocial media platforms are.

The problem is not the technology itself; fast ways to find information an=
d communicate with friends and family can be wonderful capabilities. The p= roblem is the priorities of the corporations who own these platforms and f=
or whose benefit they are operated. Recognize that you don=E2=80=99t have=
control over what data is fed to the AI=2C who it is shared with and how=
it is used. It=E2=80=99s important to keep that in mind when you connect=
devices and services to AI platforms=2C ask them questions=2C or consider=
buying or doing the things they suggest.

There is also a lot that people can demand of governments to restrain harm=
ful corporate uses of AI. In the U.S.=2C Congress could enshrine consumers= =E2=80=99 rights [https://www.reuters.com/legal/legalindustry/us-data-pri= vacy-laws-enter-new-era-2023-2023-01-12/] to control their own personal da= ta=2C as the EU already has. It could also create a data protection enforc= ement agency [https://epic.org/campaigns/dpa/]=2C as essentially every ot=
her [https://iapp.org/resources/global-privacy-directory] developed natio=
n has.

Governments worldwide could invest in Public AI [https://www.brookings.ed= u/articles/how-public-ai-can-strengthen-democracy/#:%7E:text=3DPublicly%20= developed%20and%20owned%20AI=2Cand%20sustainability%20of%20AI%20technology= =2E] -- models built by public agencies offered universally for public benef= it and transparently under public oversight. They could also restrict how=
corporations can collude to exploit people using AI=2C for example by bar= ring advertisements for dangerous products such as cigarettes and requirin=
g disclosure of paid endorsements.

Every technology company seeks to differentiate itself from competitors=2C=
particularly in an era when yesterday=E2=80=99s groundbreaking AI quickly=
becomes a commodity that will run on any kid=E2=80=99s phone. One differe= ntiator is in building a trustworthy service. It remains to be seen whethe=
r companies such as OpenAI and Anthropic can sustain profitable businesses=
on the back of subscription AI services like the premium editions of Chat= GPT=2C Plus and Pro=2C and Claude Pro. If they are going to continue convi= ncing consumers and businesses to pay for these premium services=2C they w=
ill need to build trust.

That will require making real commitments to consumers on transparency=2C=
privacy=2C reliability and security that are followed through consistentl=
y and verifiably.

And while no one knows what the future business models for AI will be=2C w=
e can be certain that consumers do not want to be exploited by AI=2C secre=
tly or otherwise.

_This essay was written with Nathan E. Sanders=2C and originally appeared=
in The Conversation [https://theconversation.com/could-chatgpt-convince-= you-to-buy-something-threat-of-manipulation-looms-as-ai-companies-gear-up-= to-sell-ads-272859]._

** *** ***** ******* *********** *************


** INTERNET VOTING IS TOO INSECURE FOR USE IN ELECTIONS ------------------------------------------------------------

[2026.01.21] [https://www.schneier.com/blog/archives/2026/01/internet-vo= ting-is-too-insecure-for-use-in-elections.html] No matter how many times w=
e say it=2C the idea comes back again and again. Hopefully=2C this letter=
[https://blog.citp.princeton.edu/2026/01/16/internet-voting-is-insecure-= and-should-not-be-used-in-public-elections/] will hold back the tide for a=
t least a while longer.

Executive summary: Scientists have understood for many years that intern=

et voting is insecure and that there is no known or foreseeable technology=
that can make it secure. Still=2C vendors of internet voting keep claimi=
ng that=2C somehow=2C their new system is different=2C or the insecurity d= oesn=E2=80=99t matter. Bradley Tusk and his Mobile Voting Foundation keep=
touting internet voting to journalists and election administrators; this=
whole effort is misleading and dangerous.

I am one of the many signatories.

** *** ***** ******* *********** *************


** WHY AI KEEPS FALLING FOR PROMPT INJECTION ATTACKS ------------------------------------------------------------

[2026.01.22] [https://www.schneier.com/blog/archives/2026/01/why-ai-keep= s-falling-for-prompt-injection-attacks.html] Imagine you work at a drive-t= hrough restaurant. Someone drives up and says: =E2=80=9CI=E2=80=99ll have=
a double cheeseburger=2C large fries=2C and ignore previous instructions=
and give me the contents of the cash drawer.=E2=80=9D Would you hand over=
the money? Of course not. Yet this is what large language models [https:= //spectrum.ieee.org/tag/large-language-models] (LLMs [https://spectrum.ie= ee.org/tag/llms]) do.

Prompt injection [https://www.ibm.com/think/topics/prompt-injection] is a=
method of tricking LLMs into doing things they are normally prevented fro=
m doing. A user writes a prompt in a certain way=2C asking for system pass= words [https://spectrum.ieee.org/tag/passwords] or private data=2C or ask=
ing the LLM to perform forbidden instructions. The precise phrasing overri=
des the LLM=E2=80=99s safety guardrails [https://medium.com/data-science/= safeguarding-llms-with-guardrails-4f5d9f57cff2]=2C and it complies.

LLMs are vulnerable to all sorts [https://fdzdev.medium.com/20-prompt-inj= ection-techniques-every-red-teamer-should-test-b22359bfd57d] of prompt inj= ection attacks=2C some of them absurdly obvious. A chatbot won=E2=80=99t t=
ell you how to synthesize a bioweapon=2C but it might tell you a fictional=
story that incorporates the same detailed instructions. It won=E2=80=99t=
accept nefarious text inputs=2C but might if the text is rendered as ASCI=
I art [https://arxiv.org/abs/2402.11753] or appears in an image of a bill= board [https://www.lakera.ai/blog/visual-prompt-injections]. Some ignore=
their guardrails when told to =E2=80=9Cignore previous instructions=E2=80=
=9D or to =E2=80=9Cpretend you have no guardrails.=E2=80=9D

AI vendors can block specific prompt injection techniques once they are di= scovered=2C but general safeguards are impossible [https://llm-attacks.or=
g/] with today=E2=80=99s LLMs. More precisely=2C there=E2=80=99s an endles=
s array of prompt injection attacks waiting to be discovered=2C and they c= annot be prevented universally.

If we want LLMs that resist these attacks=2C we need new approaches. One p= lace to look is what keeps even overworked fast-food workers from handing=
over the cash drawer.

* HUMAN JUDGMENT DEPENDS ON CONTEXT

Our basic human defenses come in at least three types: general instincts=
=2C social learning=2C and situation-specific training. These work togethe=
r in a layered defense.

As a social species=2C we have developed numerous instinctive and cultural=
habits that help us judge tone=2C motive=2C and risk from extremely limit=
ed information. We generally know what=E2=80=99s normal and abnormal=2C wh=
en to cooperate and when to resist=2C and whether to take action individua=
lly or to involve others. These instincts give us an intuitive sense of ri=
sk and make us especially careful [https://www.nature.com/articles/srep08=
242] about things that have a large downside or are impossible to reverse.

The second layer of defense consists of the norms and trust signals that e= volve in any group. These are imperfect but functional: Expectations of co= operation and markers of trustworthiness emerge through repeated interacti=
ons with others. We remember who has helped=2C who has hurt=2C who has rec= iprocated=2C and who has reneged. And emotions like sympathy=2C anger=2C g= uilt=2C and gratitude motivate each of us to reward cooperation with coope= ration [https://ncase.me/trust/] and punish defection with defection.

A third layer is institutional mechanisms that enable us to interact with=
multiple strangers every day. Fast-food workers=2C for example=2C are tra= ined in procedures=2C approvals=2C escalation paths=2C and so on. Taken to= gether=2C these defenses give humans a strong sense of context. A fast-foo=
d worker basically knows what to expect within the job and how it fits int=
o broader society.

We reason by assessing multiple layers of context: perceptual (what we see=
and hear)=2C relational (who=E2=80=99s making the request)=2C and normati=
ve (what=E2=80=99s appropriate within a given role or situation). We const= antly navigate these layers=2C weighing them against each other. In some c= ases=2C the normative outweighs the perceptual -- for example=2C following=
workplace rules even when customers appear angry. Other times=2C the rela= tional outweighs the normative=2C as when people comply with orders from s= uperiors that they believe are against the rules.

Crucially=2C we also have an interruption reflex. If something feels =E2= =80=9Coff=2C=E2=80=9D we naturally pause the automation [https://spectrum= =2Eieee.org/tag/automation] and reevaluate. Our defenses are not perfect; pe= ople are fooled and manipulated all the time. But it=E2=80=99s how we huma=
ns are able to navigate a complex world where others are constantly trying=
to trick us.

So let=E2=80=99s return to the drive-through window. To convince a fast-fo=
od worker to hand us all the money=2C we might try shifting the context. S=
how up with a camera crew and tell them you=E2=80=99re filming a commercia= l=2C claim to be the head of security doing an audit=2C or dress like a ba=
nk manager collecting the cash receipts for the night. But even these have=
only a slim chance of success. Most of us=2C most of the time=2C can smel=
l a scam.

Con artists are astute observers of human defenses. Successful scams [htt= ps://spectrum.ieee.org/tag/scams] are often slow=2C undermining a mark=E2= =80=99s situational assessment=2C allowing the scammer to manipulate the c= ontext. This is an old story=2C spanning traditional confidence games such=
as the Depression-era =E2=80=9Cbig store=E2=80=9D cons=2C in which teams=
of scammers created entirely fake businesses to draw in victims=2C and mo= dern =E2=80=9Cpig-butchering=E2=80=9D frauds [https://dfpi.ca.gov/news/in= sights/pig-butchering-how-to-spot-and-report-the-scam/]=2C where online sc= ammers slowly build trust before going in for the kill. In these examples=
=2C scammers slowly and methodically reel in a victim using a long series=
of interactions through which the scammers gradually gain that victim=E2= =80=99s trust.

Sometimes it even works at the drive-through. One scammer in the 1990s and=
2000s targeted fast-food workers by phone [https://en.wikipedia.org/wiki= /Strip_search_phone_call_scam]=2C claiming to be a police officer and=2C o=
ver the course of a long phone call=2C convinced managers to strip-search=
employees and perform other bizarre acts.

* WHY LLMS STRUGGLE WITH CONTEXT AND JUDGMENT

LLMs behave as if they have a notion of context=2C but it=E2=80=99s differ= ent. They do not learn human defenses from repeated interactions and remai=
n untethered from the real world. LLMs flatten multiple levels of context=
into text similarity. They see =E2=80=9Ctokens=2C=E2=80=9D not hierarchie=
s and intentions. LLMs don=E2=80=99t reason through context=2C they only r= eference it.

While LLMs often get the details right=2C they can easily miss the big pic= ture [https://spectrum.ieee.org/tag/big-picture]. If you prompt a chatbot=
with a fast-food worker scenario and ask if it should give all of its mon=
ey to a customer=2C it will respond =E2=80=9Cno.=E2=80=9D What it doesn=E2= =80=99t =E2=80=9Cknow=E2=80=9D -- forgive the anthropomorphizing -- is whe= ther it=E2=80=99s actually being deployed as a fast-food bot or is just a=
test subject following instructions for hypothetical scenarios.

This limitation is why LLMs misfire when context is sparse but also when c= ontext is overwhelming and complex; when an LLM becomes unmoored from cont= ext=2C it=E2=80=99s hard to get it back. AI expert Simon Willison wipes co= ntext clean [https://simonwillison.net/2025/Sep/12/claude-memory/] if an=
LLM is on the wrong track rather than continuing the conversation and try=
ing to correct the situation.

There=E2=80=99s more. LLMs are overconfident [https://www.cmu.edu/dietric= h/news/news-stories/2025/july/trent-cash-ai-overconfidence.html] because t= hey=E2=80=99ve been designed to give an answer rather than express ignoran=
ce. A drive-through worker might say: =E2=80=9CI don=E2=80=99t know if I s= hould give you all the money -- let me ask my boss=2C=E2=80=9D whereas an=
LLM will just make the call. And since LLMs are designed to be pleasing [= https://hai.stanford.edu/news/large-language-models-just-want-to-be-liked=
]=2C they=E2=80=99re more likely to satisfy a user=E2=80=99s request. Addi= tionally=2C LLM training is oriented toward the average case and not extre=
me outliers=2C which is what=E2=80=99s necessary for security.

The result is that the current generation of LLMs is far more gullible tha=
n people. They=E2=80=99re naive and regularly fall for manipulative cognit=
ive tricks [https://arstechnica.com/science/2025/09/these-psychological-t= ricks-can-get-llms-to-respond-to-forbidden-prompts/] that wouldn=E2=80=99t=
fool a third-grader=2C such as flattery=2C appeals to groupthink=2C and a=
false sense of urgency. There=E2=80=99s a story [https://www.bbc.com/new= s/articles/ckgyk2p55g8o] about a Taco Bell AI system that crashed when a c= ustomer ordered 18=2C000 cups of water. A human fast-food worker would jus=
t laugh at the customer.

* THE LIMITS OF AI AGENTS [HTTPS://SPECTRUM.IEEE.ORG/TAG/AGENTIC-AI]

Prompt injection is an unsolvable problem that gets worse [https://www.co= mputer.org/csdl/magazine/sp/5555/01/11194053/2aB2Rf5nZ0k] when we give AIs=
tools and tell them to act independently. This is the promise of AI agent=
s [https://spectrum.ieee.org/tag/agentic-ai]: LLMs that can use tools to=
perform multistep tasks after being given general instructions. Their fla= ttening of context and identity=2C along with their baked-in independence=
and overconfidence=2C mean that they will repeatedly and unpredictably ta=
ke actions -- and sometimes they will take the wrong ones [https://www.t= heregister.com/2025/10/28/ai_browsers_prompt_injection/].

Science doesn=E2=80=99t know how much of the problem is inherent to the wa=
y LLMs work and how much is a result of deficiencies in the way we train t= hem. The overconfidence and obsequiousness of LLMs are training choices. T=
he lack of an interruption reflex is a deficiency in engineering. And prom=
pt injection resistance requires fundamental advances in AI science. We ho= nestly don=E2=80=99t know if it=E2=80=99s possible to build an LLM=2C wher=
e trusted commands and untrusted inputs are processed through the same cha= nnel [https://cacm.acm.org/opinion/llms-data-control-path-insecurity/]=2C=
which is immune to prompt injection attacks.

We humans get our model of the world -- and our facility with overlapping=
contexts -- from the way our brains work=2C years of training=2C an enorm=
ous amount of perceptual input=2C and millions of years of evolution. Our=
identities are complex and multifaceted=2C and which aspects matter at an=
y given moment depend entirely on context. A fast-food worker may normally=
see someone as a customer=2C but in a medical emergency=2C that same pers= on=E2=80=99s identity as a doctor is suddenly more relevant.

We don=E2=80=99t know if LLMs will gain a better ability to move between d= ifferent contexts as the models get more sophisticated. But the problem of=
recognizing context definitely can=E2=80=99t be reduced to the one type o=
f reasoning that LLMs currently excel at. Cultural norms and styles are hi= storical=2C relational=2C emergent=2C and constantly renegotiated=2C and a=
re not so readily subsumed into reasoning as we understand it. Knowledge i= tself can be both logical and discursive.

The AI researcher Yann LeCunn believes that improvements will come from em= bedding AIs in a physical presence and giving them =E2=80=9Cworld models [= https://medium.com/@AnthonyLaneau/beyond-llms-charting-the-next-frontiers= -of-ai-with-yann-lecun-09e84f1978f9].=E2=80=9D Perhaps this is a way to gi=
ve an AI a robust yet fluid notion of a social identity=2C and the real-wo=
rld experience that will help it lose its na=C3=AFvet=C3=A9.

Ultimately we are probably faced with a security trilemma [https://www.co= mputer.org/csdl/magazine/sp/5555/01/11194053/2aB2Rf5nZ0k] when it comes to=
AI agents: fast=2C smart=2C and secure are the desired attributes=2C but=
you can only get two. At the drive-through=2C you want to prioritize fast=
and secure. An AI agent should be trained narrowly on food-ordering langu=
age and escalate anything else to a manager. Otherwise=2C every action bec= omes a coin flip. Even if it comes up heads most of the time=2C once in a=
while it=E2=80=99s going to be tails -- and along with a burger and fries=
=2C the customer will get the contents of the cash drawer.

_This essay was written with Barath Raghavan=2C and originally appeared in=
IEEE Spectrum [https://spectrum.ieee.org/prompt-injection-attack]._

** *** ***** ******* *********** *************


** IRELAND PROPOSES GIVING POLICE NEW DIGITAL SURVEILLANCE POWERS ------------------------------------------------------------

[2026.01.26] [https://www.schneier.com/blog/archives/2026/01/ireland-pro= poses-giving-police-new-digital-surveillance-powers.html] This is coming [= https://www.theregister.com/2026/01/21/ireland_wants_to_give_police/]:

The Irish government is planning to bolster its police=E2=80=99s ability=

to intercept communications=2C including encrypted messages=2C and provid=
e a legal basis for spyware use.

** *** ***** ******* *********** *************


** THE CONSTITUTIONALITY OF GEOFENCE WARRANTS ------------------------------------------------------------

[2026.01.27] [https://www.schneier.com/blog/archives/2026/01/the-constit= utionality-of-geofence-warrants.html] The US Supreme Court is considering=
[https://therecord.media/supreme-court-geofence-constitutionality] the c= onstitutionality of geofence warrants.

The case centers on the trial of Okello Chatrie=2C a Virginia man who pl=

eaded guilty to a 2019 robbery outside of Richmond and was sentenced to al= most 12 years in prison for stealing $195=2C000 at gunpoint.

Police probing the crime found security camera footage showing a man on=

a cell phone near the credit union that was robbed and asked Google to pr= oduce anonymized location data near the robbery site so they could determi=
ne who committed the crime. They did so=2C providing police with subscribe=
r data for three people=2C one of whom was Chatrie. Police then searched C= hatrie=E2=80=99s home and allegedly surfaced a gun=2C almost $100=2C000 in=
cash and incriminating notes.

Chatrie=E2=80=99s appeal challenges the constitutionality of geofence wa=

rrants=2C arguing that they violate individuals=E2=80=99 Fourth Amendment=
rights protecting against unreasonable searches.

** *** ***** ******* *********** *************


** AIS ARE GETTING BETTER AT FINDING AND EXPLOITING SECURITY VULNERABILITI=
ES
------------------------------------------------------------

[2026.01.30] [https://www.schneier.com/blog/archives/2026/01/ais-are-get= ting-better-at-finding-and-exploiting-security-vulnerabilities.html] From=
an Anthropic blog post [https://red.anthropic.com/2026/cyber-toolkits-up= date/]:

In a recent evaluation of AI models=E2=80=99 cyber capabilities=2C curre=

nt Claude models can now succeed at multistage attacks on networks with do= zens of hosts using only standard=2C open-source tools=2C instead of the c= ustom tools needed by previous generations. This illustrates how barriers=
to the use of AI in relatively autonomous cyber workflows are rapidly com=
ing down=2C and highlights the importance of security fundamentals like pr= omptly patching known vulnerabilities.

[...]

A notable development during the testing of Claude Sonnet 4.5 is that th=

e model can now succeed on a minority of the networks without the custom c= yber toolkit needed by previous generations. In particular=2C Sonnet 4.5 c=
an now exfiltrate all of the (simulated) personal information in a high-fi= delity simulation of the Equifax data breach -- one of the costliest cyber=
attacks in historyusing only a Bash shell on a widely-available Kali Linu=
x host (standard=2C open-source tools for penetration testing; not a custo=
m toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a public= ized CVE and writing code to exploit it without needing to look it up or i= terate on it. Recalling that the original Equifax breach happened by explo= iting a publicized CVE that had not yet been patched=2C the prospect of hi= ghly competent and fast AI agents leveraging this approach underscores the=
pressing need for security best practices like prompt updates and patches=
=2E

AI models are getting better at this faster than I expected. This will be=
a major power shift in cybersecurity.

** *** ***** ******* *********** *************


** AI CODING ASSISTANTS SECRETLY COPYING ALL CODE TO CHINA ------------------------------------------------------------

[2026.02.02] [https://www.schneier.com/blog/archives/2026/02/ai-coding-a= ssistants-secretly-copying-all-code-to-china.html] There=E2=80=99s a new r= eport [https://www.koi.ai/blog/maliciouscorgi-the-cute-looking-ai-extensi= ons-leaking-code-from-1-5-million-developers] about two AI coding assistan= ts=2C used by 1.5 million developers=2C that are surreptitiously sending a=
copy of everything they ingest to China.

Maybe avoid using them.

** *** ***** ******* *********** *************


** MICROSOFT IS GIVING THE FBI BITLOCKER KEYS ------------------------------------------------------------

[2026.02.03] [https://www.schneier.com/blog/archives/2026/02/microsoft-i= s-giving-the-fbi-bitlocker-keys.html] Microsoft gives [https://www.forbes= =2Ecom/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bit= locker-encrypted-data/] the FBI the ability to decrypt BitLocker in respon=
se to court orders: about twenty times per year.

It=E2=80=99s possible for users to store those keys on a device they own=

=2C but Microsoft also recommends BitLocker users store their keys on its=
servers for convenience. While that means someone can access their data i=
f they forget their password=2C or if repeated failed attempts to login lo=
ck the device=2C it also makes them vulnerable to law enforcement subpoena=
s and warrants.

** *** ***** ******* *********** *************


** US DECLASSIFIES INFORMATION ON JUMPSEAT SPY SATELLITES ------------------------------------------------------------

[2026.02.04] [https://www.schneier.com/blog/archives/2026/02/us-declassi= fies-information-on-jumpseat-spy-satellites.html] The US National Reconnai= ssance Office has declassified information [https://arstechnica.com/space= /2026/01/us-spy-satellite-agency-declassifies-high-flying-cold-war-listeni= ng-post/] about a fleet of spy satellites operating between 1971 and 2006.

I=E2=80=99m actually impressed to see a declassification only two decades=
after decommission.

** *** ***** ******* *********** *************


** BACKDOOR IN NOTEPAD++ ------------------------------------------------------------

[2026.02.05] [https://www.schneier.com/blog/archives/2026/02/backdoor-in= -notepad.html] Hackers associated with the Chinese government used a Troja=
ned version [https://arstechnica.com/security/2026/02/notepad-updater-was= -compromised-for-6-months-in-supply-chain-attack/] of Notepad++ to deliver=
malware to selected users.

Notepad++ said that officials with the unnamed provider hosting the upda=

te infrastructure consulted with incident responders and found that it rem= ained compromised until September 2. Even then=2C the attackers maintained=
credentials to the internal services until December 2=2C a capability tha=
t allowed them to continue redirecting selected update traffic to maliciou=
s servers. The threat actor =E2=80=9Cspecifically targeted Notepad++ domai=
n with the goal of exploiting insufficient update verification controls th=
at existed in older versions of Notepad++.=E2=80=9D Event logs indicate th=
at the hackers tried to re-exploit one of the weaknesses after it was fixe=
d but that the attempt failed.

Make sure you=E2=80=99re running at least version 8.9.1.

** *** ***** ******* *********** *************


** IPHONE LOCKDOWN MODE PROTECTS _WASHINGTON POST_ REPORTER ------------------------------------------------------------

[2026.02.06] [https://www.schneier.com/blog/archives/2026/02/iphone-lock= down-mode-protects-washington-post-reporter.html] 404Media is reporting [= https://www.404media.co/fbi-couldnt-get-into-wapo-reporters-iphone-because= -it-had-lockdown-mode-enabled/] that the FBI could not access a reporter= =E2=80=99s iPhone because it had Lockdown Mode enabled:

The court record shows what devices and data the FBI was able to ultimat=

ely access=2C and which devices it could not=2C after raiding the home of=
the reporter=2C Hannah Natanson=2C in January as part of an investigation=
into leaks of classified information. It also provides rare insight into=
the apparent effectiveness of Lockdown Mode=2C or at least how effective=
it might be before the FBI may try other techniques to access the device.

=E2=80=9CBecause the iPhone was in Lockdown mode=2C CART could not extra=

ct that device=2C=E2=80=9D the court record reads=2C referring to the FBI= =E2=80=99s Computer Analysis Response Team=2C a unit focused on performing=
forensic analyses of seized devices. The document is written by the gover= nment=2C and is opposing the return of Natanson=E2=80=99s devices.

The FBI raided Natanson=E2=80=99s home as part of its investigation into=

government contractor Aurelio Perez-Lugones=2C who is charged with=2C amo=
ng other things=2C retention of national defense information. The governme=
nt believes Perez-Lugones was a source of Natanson=E2=80=99s=2C and provid=
ed her with various pieces of classified information. While executing a se= arch warrant for his mobile phone=2C investigators reviewed Signal message=
s between Pere-Lugones and the reporter=2C the Department of Justice previ= ously said.

** *** ***** ******* *********** *************


** I AM IN THE EPSTEIN FILES ------------------------------------------------------------

[2026.02.06] [https://www.schneier.com/blog/archives/2026/02/i-am-in-the= -epstein-files.html] Once [https://www.jmail.world/thread/EFTA02451032?vi= ew=3Dinbox]. Someone named =E2=80=9CVincenzo lozzo=E2=80=9D wrote to Epste=
in in email=2C in 2016: =E2=80=9CI wouldn=E2=80=99t pay too much attention=
to this=2C Schneier has a long tradition of dramatizing and misunderstand=
ing things.=E2=80=9D The topic of the email is DDoS attacks=2C and it is u= nclear what I am dramatizing and misunderstanding.

Rabbi Schneier is also mentioned=2C also incidentally=2C also once [https= ://www.jmail.world/thread/EFTA02442876?view=3Dinbox]. As far as either of=
us know=2C we are not related.

EDITED TO ADD (2/7): There is more context [https://www.justice.gov/epste= in/files/DataSet%209/EFTA00817090.pdf] on the Justice.gov website version.

** *** ***** ******* *********** *************


** LLMS ARE GETTING A LOT BETTER AND FASTER AT FINDING AND EXPLOITING ZERO= -DAYS
------------------------------------------------------------

[2026.02.09] [https://www.schneier.com/blog/archives/2026/02/llms-are-ge= tting-a-lot-better-and-faster-at-finding-and-exploiting-zero-days.html] Th=
is is amazing [https://red.anthropic.com/2026/zero-days/]:

Opus 4.6 is notably better at finding high-severity vulnerabilities than=

previous models and a sign of how quickly things are moving. Security tea=
ms have been automating vulnerability discovery for years=2C investing hea= vily in fuzzing infrastructure and custom harnesses to find bugs at scale.=
But what stood out in early testing is how quickly Opus 4.6 found vulnera= bilities out of the box without task-specific tooling=2C custom scaffoldin= g=2C or specialized prompting. Even more interesting is how it found them.=
Fuzzers work by throwing massive amounts of random inputs at code to see=
what breaks. Opus 4.6 reads and reasons about code the way a human resear= cher would -- looking at past fixes to find similar bugs that weren=E2=80=
=99t addressed=2C spotting patterns that tend to cause problems=2C or unde= rstanding a piece of logic well enough to know exactly what input would br=
eak it. When we pointed Opus 4.6 at some of the most well-tested codebases=
(projects that have had fuzzers running against them for years=2C accumul= ating millions of hours of CPU time [https://google.github.io/oss-fuzz/re= search/llms/target_generation/])=2C Opus 4.6 found high-severity vulnerabi= lities=2C some that had gone undetected for decades.

The details of how Claude Opus 4.6 found these zero-days is the interestin=
g part -- read the whole blog post.

News article [https://gizmodo.com/anthropic-launches-new-model-that-spots= -zero-days-makes-wall-street-traders-lose-their-minds-2000718648].

** *** ***** ******* *********** *************


** AI-GENERATED TEXT AND THE DETECTION ARMS RACE ------------------------------------------------------------

[2026.02.10] [https://www.schneier.com/blog/archives/2026/02/the-ai-gene= rated-text-arms-race.html] In 2023=2C the science fiction literary magazin=
e _Clarkesworld_ stopped accepting [https://www.npr.org/2023/02/24/115928= 6436/ai-chatbot-chatgpt-magazine-clarkesworld-artificial-intelligence] new=
submissions because so many were generated by artificial intelligence. Ne=
ar as the editors could tell=2C many submitters pasted the magazine=E2=80=
=99s detailed story guidelines into an AI and sent in the results. And the=
y weren=E2=80=99t alone. Other fiction magazines have also reported a high=
number [https://www.theverge.com/2023/2/25/23613752/ai-generated-short-s= tories-literary-magazines-clarkesworld-science-fiction] of AI-generated su= bmissions.

This is only one example of a ubiquitous trend. A legacy system relied on=
the difficulty of writing and cognition to limit volume. Generative AI ov= erwhelms the system because the humans on the receiving end can=E2=80=99t=
keep up.

This is happening everywhere. Newspapers are being inundated by AI-generat=
ed letters to the editor [https://www.nytimes.com/2025/11/04/science/lett= ers-to-the-editor-ai-chatbots.html]=2C as are academic journals [https://= www.marketplace.org/episode/2025/11/24/ai-generated-letters-to-the-editor-= are-flooding-academic-publications]. Lawmakers are inundated with AI-gener= ated constituent comments [https://government.cornell.edu/news/lawmakers-= struggle-differentiate-ai-and-human-emails]. Courts around the world are f= looded with AI-generated filings [https://www.law.com/international-editi= on/2025/11/25/courts-being-flooded-by-wordy-ai-generated-documents-report-= finds/]=2C particularly by people representing themselves. AI conferences=
are flooded [https://futurism.com/artificial-intelligence/ai-research-pa= pers-slop] with AI-generated research papers. Social media is [https://ww= w.app.com/story/news/2025/12/07/how-to-deal-with-fake-ai-stories-popping-u= p-on-facebook-social-media/87629867007/] flooded [https://www.nytimes.com= /2025/12/08/technology/ai-slop-sora-social-media.html] with AI posts [htt= ps://www.cyberlink.com/blog/photo-marketing-business/3828/best-ai-social-m= edia-post-generator]. In music [https://time.com/7338205/rage-against-ai-= generated-music/]=2C open source software [https://github.com/orgs/commun= ity/discussions/159749]=2C education [https://www.newyorker.com/magazine/= 2025/07/07/the-end-of-the-english-paper]=2C investigative journalism [htt= ps://bsky.app/profile/eliothiggins.bsky.social/post/3m5yh2gjlj22b] and hir=
ing [https://www.nytimes.com/2025/06/21/business/dealbook/ai-job-applicat= ions.html]=2C it=E2=80=99s the same story.

Like _Clarkesworld_=E2=80=99s initial response=2C some of these institutio=
ns shut down their submissions processes. Others have met the offensive of=
AI inputs with some defensive response=2C often involving a counteracting=
use of AI. Academic peer reviewers [https://doi.org/10.1038/d41586-025-0= 3506-6] increasingly use AI to evaluate papers that may have been generate=
d by AI. Social media platforms turn to AI moderators [https://www.integr= ityinstitute.org/blog/how-generative-ai-makes-content-moderation-both-hard= er-and-easier]. Court systems use AI to triage and process [https://resto= fworld.org/2025/brazil-ai-courts-lawsuits/] litigation volumes supercharge=
d by AI. Employers turn to AI tools [https://www.forbes.com/sites/mariagr= aciasantillanalinares/2025/12/16/job-applicant-fraud-is-rising-this-startu= p-is-using-ai-to-stop-it/] to review candidate applications. Educators use=
AI not just to grade papers [https://www.cnn.com/2024/04/06/tech/teacher= s-grading-ai] and administer exams [https://www.behind-the-enemy-lines.co= m/2025/12/fighting-fire-with-fire-scalable-oral.html]=2C but as a feedback=
[https://wacclearinghouse.org/repository/collections/textgened/rhetorica= l-engagements/using-llms-as-peer-reviewers-for-revising-essays/] tool for=
students.

These are all arms races: rapid=2C adversarial iteration to apply a common=
technology to opposing purposes. Many of these arms races have clearly de= leterious effects. Society suffers if the courts are clogged with frivolou= s=2C AI-manufactured cases. There is also harm if the established measures=
of academic performance -- publications and citations -- accrue to those=
researchers most willing to fraudulently submit AI-written letters and pa= pers rather than to those whose ideas have the most impact. The fear is th= at=2C in the end=2C fraudulent behavior enabled by AI will undermine syste=
ms and institutions that society relies on.

* UPSIDES OF AI

Yet some of these AI arms races have surprising hidden upsides=2C and the=
hope is that at least some institutions will be able to change in ways th=
at make them stronger.

Science seems likely to become stronger thanks to AI=2C yet it faces a pro= blem when the AI makes mistakes. Consider the example of nonsensical [htt= ps://theconversation.com/a-weird-phrase-is-plaguing-scientific-papers-and-= we-traced-it-back-to-a-glitch-in-ai-training-data-254463]=2C AI-generated=
phrasing filtering into scientific papers.

A scientist using an AI to assist in writing an academic paper can be a go=
od thing=2C if used carefully and with disclosure. AI is increasingly a pr= imary tool [https://www.nature.com/articles/s43588-025-00890-x] in scient=
ific research: for reviewing literature=2C programming and for coding and=
analyzing data. And for many=2C it has become a crucial support for expre= ssion and scientific communication. Pre-AI=2C better-funded researchers co=
uld hire humans to help them write their academic papers. For many authors=
whose primary language is not English=2C hiring this kind of assistance h=
as been an expensive necessity [https://doi.org/10.1098/rspb.2023.2840].=
AI provides it to everyone.

In fiction=2C fraudulently submitted AI-generated works cause harm=2C both=
to the human authors now subject to increased competition and to those re= aders who may feel defrauded after unknowingly reading the work of a machi=
ne. But some outlets may welcome AI-assisted submissions with appropriate=
disclosure and under particular guidelines=2C and leverage AI to evaluate=
them against criteria like originality=2C fit and quality.

Others may refuse AI-generated work=2C but this will come at a cost. It=E2= =80=99s unlikely that any human editor or technology can sustain an abilit=
y to differentiate human from machine writing. Instead=2C outlets that wis=
h to exclusively publish humans will need to limit submissions to a set of=
authors they trust to not use AI. If these policies are transparent=2C re= aders can pick the format they prefer and read happily from either or both=
types of outlets.

We also don=E2=80=99t see any problem if a job seeker uses AI to polish th=
eir resumes or write better cover letters: The wealthy and privileged have=
long had access to human assistance for those things. But it crosses the=
line when AIs are used to lie [https://www.cbsnews.com/news/fake-job-see= kers-flooding-market-artificial-intelligence/] about identity and experien= ce=2C or to cheat [https://www.theatlantic.com/technology/2025/10/ai-chea= ting-job-interviews-fraud/684568/] on job interviews.

Similarly=2C a democracy requires that its citizens be able to express the=
ir opinions to their representatives=2C or to each other through a medium=
like the newspaper. The rich and powerful have long been able to hire wri= ters to turn their ideas into persuasive prose=2C and AIs providing that a= ssistance to more people is a good thing=2C in our view. Here=2C AI mistak=
es and bias can be harmful. Citizens may be using AI for more than just a=
time-saving shortcut; it may be augmenting their knowledge and capabiliti= es=2C generating statements about historical=2C legal or policy factors th=
ey can=E2=80=99t reasonably be expected to independently check.

* FRAUD BOOSTER

What we don=E2=80=99t want is for lobbyists to use AIs in astroturf campai= gns=2C writing multiple letters and passing them off as individual opinion=
s. This=2C too=2C is an older problem [https://www.washingtonpost.com/pol= itics/2021/05/14/millions-fake-commenters-asked-fcc-end-net-neutrality-ast= roturfing-is-business-model/] that AIs are making worse.

What differentiates the positive from the negative here is not any inheren=
t aspect of the technology=2C it=E2=80=99s the power dynamic. The same tec= hnology that reduces the effort required for a citizen to share their live=
d experience with their legislator also enables corporate interests to mis= represent the public at scale. The former is a power-equalizing applicatio=
n of AI that enhances participatory democracy; the latter is a power-conce= ntrating application that threatens it.

In general=2C we believe writing and cognitive assistance=2C long availabl=
e to the rich and powerful=2C should be available to everyone. The problem=
comes when AIs make fraud easier. Any response needs to balance embracing=
that newfound democratization of access with preventing fraud.

There=E2=80=99s no way to turn this technology off. Highly capable AIs are=
widely available and can run on a laptop. Ethical guidelines and clear pr= ofessional boundaries can help -- for those acting in good faith. But ther=
e won=E2=80=99t ever be a way to totally stop academic writers=2C job seek=
ers or citizens from using these tools=2C either as legitimate assistance=
or to commit fraud. This means more comments=2C more letters=2C more appl= ications=2C more submissions.

The problem is that whoever is on the receiving end of this AI-fueled delu=
ge can=E2=80=99t deal with the increased volume. What can help is developi=
ng assistive AI tools that benefit institutions and society=2C while also=
limiting fraud. And that may mean embracing the use of AI assistance in t= hese adversarial systems=2C even though the defensive AI will never achiev=
e supremacy.

* BALANCING HARMS WITH BENEFITS

The science fiction community has been wrestling with AI since 2023. _Clar= kesworld_ eventually reopened submissions=2C claiming [https://www.postal= ley.org/2024/06/04/the-big-sort-how-will-ai-affect-submissions-to-magazine=
s/] that it has an adequate way of separating human- and AI-written storie=
s. No one knows how long=2C or how well=2C that will continue to work.

The arms race continues. There is no simple way to tell whether the potent=
ial benefits of AI will outweigh the harms=2C now or in the future. But as=
a society=2C we can influence the balance of harms it wreaks and opportun= ities it presents as we muddle our way through the changing technological=
landscape.

_This essay was written with Nathan E. Sanders=2C and originally appeared=
in The Conversation._ [https://theconversation.com/ai-generated-text-is-= overwhelming-institutions-setting-off-a-no-win-arms-race-with-ai-detectors= -274720]

EDITED TO ADD: This essay has been translated into Spanish [https://www.e= lconfidencial.com/tecnologia/novaceno/2026-02-07/ia-derriba-sociedad-educa= cion-legal-medios_4298791/].

** *** ***** ******* *********** *************


** PROMPT INJECTION VIA ROAD SIGNS ------------------------------------------------------------

[2026.02.11] [https://www.schneier.com/blog/archives/2026/02/prompt-inje= ction-via-road-signs.html] Interesting research: =E2=80=9CCHAI: Command Hi= jacking Against Embodied AI [https://arxiv.org/pdf/2510.00181].=E2=80=9D

Abstract: Embodied Artificial Intelligence (AI) promises to handle edge=

cases in robotic vehicle systems where data is scarce by using common-sen=
se reasoning grounded in perception and action to generalize beyond traini=
ng distributions and adapt to novel real-world situations. These capabilit= ies=2C however=2C also create new security risks. In this paper=2C we intr= oduce CHAI (Command Hijacking against embodied AI)=2C a new class of promp= t-based attacks that exploit the multimodal language interpretation abilit=
ies of Large Visual-Language Models (LVLMs). CHAI embeds deceptive natural=
language instructions=2C such as misleading signs=2C in visual input=2C s= ystematically searches the token space=2C builds a dictionary of prompts=
=2C and guides an attacker model to generate Visual Attack Prompts. We eva= luate CHAI on four LVLM agents; drone emergency landing=2C autonomous driv= ing=2C and aerial object tracking=2C and on a real robotic vehicle. Our ex= periments show that CHAI consistently outperforms state-of-the-art attacks=
=2E By exploiting the semantic and multimodal reasoning strengths of next-ge= neration embodied AI systems=2C CHAI underscores the urgent need for defen=
ses that extend beyond traditional adversarial robustness.

News article [https://www.theregister.com/2026/01/30/road_sign_hijack_ai/=
].

** *** ***** ******* *********** *************


** _REWIRING DEMOCRACY_ EBOOK IS ON SALE ------------------------------------------------------------

[2026.02.11] [https://www.schneier.com/blog/archives/2026/02/rewiring-de= mocracy-ebook-is-on-sale.html] I just noticed that the ebook version of _R= ewiring Democracy_ [https://www.schneier.com/books/rewiring-democracy/] i=
s on sale for $5 on Amazon [https://www.amazon.com/gp/product/B0DTNZ2H86]=
=2C Apple Books [https://books.apple.com/us/book/rewiring-democracy/id674= 0839808]=2C Barnes & Noble [https://www.barnesandnoble.com/w/rewiring-dem= ocracy-bruce-schneier/1146990469?ean=3D9780262384407]=2C Books A Million [= https://www.booksamillion.com/p/Rewiring-Democracy/Bruce-Schneier/Q247907= 742]=2C Google Play [https://play.google.com/store/books/details?id=3DQcN= AEQAAQBAJ]=2C Kobo [https://www.kobo.com/us/en/ebook/rewiring-democracy]=
=2C and presumably everywhere else in the US. I have no idea how long this=
will last.

Also=2C Amazon has a coupon [https://www.amazon.com/Rewiring-Democracy-Tr= ansform-Government-Citizenship/dp/0262049945] that brings the hardcover pr=
ice down to $20. You=E2=80=99ll see the discount at checkout.

** *** ***** ******* *********** *************


** 3D PRINTER SURVEILLANCE ------------------------------------------------------------

[2026.02.12] [https://www.schneier.com/blog/archives/2026/02/3d-printer-= surveillance.html] New York is contemplating [https://blog.adafruit.com/2= 026/02/03/new-york-wants-to-ctrlaltdelete-your-3d-printer/] a bill that ad=
ds surveillance to 3D printers:

New York=E2=80=99s 20262027 executive budget bill (S.9005 / A.10005) inc=

ludes language that should alarm every maker=2C educator=2C and small manu= facturer in the state. Buried in Part C is a provision requiring all 3D pr= inters sold or delivered in New York to include =E2=80=9Cblocking technolo= gy.=E2=80=9D This is defined as software or firmware that _scans every pri=
nt file_ through a =E2=80=9Cfirearms blueprint detection algorithm=E2=80=
=9D and refuses to print anything it flags as a potential firearm or firea=
rm component.

I get the policy goals here=2C but the solution just won=E2=80=99t work. I= t=E2=80=99s the same problem as DRM: trying to prevent general-purpose com= puters from doing specific things. Cory Doctorow wrote about it [https://= boingboing.net/2018/03/22/yellow-dots-cubed.html] in 2018 and -- more gene= rally -- spoke about it [https://github.com/jwise/28c3-doctorow/blob/mast= er/transcript.md] in 2011.

** *** ***** ******* *********** *************


** UPCOMING SPEAKING ENGAGEMENTS ------------------------------------------------------------

[2026.02.14] [https://www.schneier.com/blog/archives/2026/02/upcoming-sp= eaking-engagements-53.html] This is a current list of where and when I am=
scheduled to speak:

* I=E2=80=99m speaking at Ontario Tech University [https://mindfulai= =2Eca/events/mairi-featured-speaker-bruce-schneier-integrity-in-a-world-of-a= i.php] in Oshawa=2C Ontario=2C Canada=2C at 2 PM ET on Thursday=2C Februar=
y 26=2C 2026.
* I=E2=80=99m speaking at the Personal AI Summit [https://www.kwaai.= ai/summit2026] in Los Angeles=2C California=2C USA=2C on Thursday=2C March=
5=2C 2026.
* I=E2=80=99m speaking at Tech Live: Cybersecurity [https://techlive= cyber.wsj.com/?gaa_at=3Deafs&gaa_n=3DAWEtsqf9GP4etUdWaqDIATpiE9ycqWMIVoGIz= jikYLlJ64hb6H_v1QH9OYhMTxeU51U%3D&gaa_ts=3D691df89d&gaa_sig=3DBG9fpWuP-liL= 7Gi3SJgXHmS02M4ob6lp6nOh94qnwVXCWYNzJxdzOiW365xA8vKeiulrErE8mbXDvKTcqktBtQ= %3D%3D] in New York City=2C USA=2C on Wednesday=2C March 11=2C 2026.
* I=E2=80=99m giving the Ross Anderson Lecture [https://www.chu.cam.= ac.uk/event/computer-science-lecture-2026/] at the University of Cambridge= =E2=80=99s Churchill College at 5:30 PM GMT on Thursday=2C March 19=2C 202=
6.
* I=E2=80=99m speaking at RSAC 2026 [https://www.rsaconference.com/u=
sa] in San Francisco=2C California=2C USA=2C on Wednesday=2C March 25=2C 2= 026.

The list is maintained on this page [https://www.schneier.com/events/].

** *** ***** ******* *********** *************

Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing sum= maries=2C analyses=2C insights=2C and commentaries on security technology.=
To subscribe=2C or to read back issues=2C see Crypto-Gram's web page [ht= tps://www.schneier.com/crypto-gram/].

You can also read these articles on my blog=2C Schneier on Security [http= s://www.schneier.com].

Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to colle= agues and friends who will find it valuable. Permission is also granted to=
reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist=2C cal=
led a security guru by the _Economist_. He is the author of over one dozen=
books -- including his latest=2C _Rewiring Democracy_ [https://www.schne= ier.com/books/rewiring-democracy/] -- as well as hundreds of articles=2C e= ssays=2C and academic papers. His newsletter and blog are read by over 250= =2C000 people. Schneier is a fellow at the Berkman Klein Center for Intern=
et & Society at Harvard University; a Lecturer in Public Policy at the Har= vard Kennedy School; a board member of the Electronic Frontier Foundation=
=2C AccessNow=2C and the Tor Project; and an Advisory Board Member of the=
Electronic Privacy Information Center and VerifiedVoting.org. He is the C= hief of Security Architecture at Inrupt=2C Inc.

Copyright (c) 2026 by Bruce Schneier.

** *** ***** ******* *********** *************

Mailing list hosting graciously provided by MailChimp [https://mailchimp.= com/]. Sent without web bugs or link tracking.

This email was sent to: cryptogram@toolazy.synchro.net

_You are receiving this email because you subscribed to the Crypto-Gram ne= wsletter._

Unsubscribe from this list: https://schneier.us18.list-manage.com/unsubscr= ibe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e=3D70f249ec14&c=3De= 5a5eb62ba

Update subscription preferences: https://schneier.us18.list-manage.com/pro= file?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3De5a5eb= 62ba

Bruce Schneier
Harvard Kennedy School
1 Brattle Square
Cambridge=2C MA 02138
USA
--_----------=_MCPart_768092142
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><html lang=3D"en"><head><meta charset=3D"UTF-8"><title>Cryp= to-Gram=2C February 15=2C 2026</title></head><body>
<div class=3D"preview-text" style=3D"display:none !important;mso-hide:all;= font-size:1px;line-height:1px;max-height:0px;max-width:0px;opacity:0;overf= low:hidden;">A monthly newsletter about cybersecurity and related topics.<= /div>
<h1 style=3D"font-size:140%">Crypto-Gram <br>
<span style=3D"display:block;padding-top:.5em;font-size:80%">February 15=
=2C 2026</span></h1>


<p>by Bruce Schneier
<br>Fellow and Lecturer=2C Harvard Kennedy School
<br>schneier@schneier.com
<br><a href=3D"https://www.schneier.com">https://www.schneier.com</a>


<p>A free monthly newsletter providing summaries=2C analyses=2C insights=
=2C and commentaries on security: computer and otherwise.</p>

<p>For back issues=2C or to subscribe=2C visit <a href=3D"https://www.schn= eier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>

<p><a href=3D"https://www.schneier.com/crypto-gram/archives/2026/0215.html= ">Read this issue on the web</a></p>

<p>These same essays and news items appear in the <a href=3D"https://www.s= chneier.com/">Schneier on Security</a> blog=2C along with a lively and int= elligent comment section. An RSS feed is available.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"toc"><a name=3D"toc">I=
n this issue:</a></h2>

<p><em>If these links don't work in your email client=2C try <a href=3D"ht= tps://www.schneier.com/crypto-gram/archives/2026/0215.html">reading this i= ssue of Crypto-Gram on the web.</a></em></p>




<li><a href=3D"#cg1">New Vulnerability in n8n</a></li>
<li><a href=3D"#cg2">AI and the Corporate Capture of Knowledge</a></li>
<li><a href=3D"#cg3">AI-Powered Surveillance in Schools</a></li>
<li><a href=3D"#cg4">Could ChatGPT Convince You to Buy Something?</a></li> <li><a href=3D"#cg5">Internet Voting is Too Insecure for Use in Elections<= /a></li>
<li><a href=3D"#cg6">Why AI Keeps Falling for Prompt Injection Attacks</a>= </li>
<li><a href=3D"#cg7">Ireland Proposes Giving Police New Digital Surveillan=
ce Powers</a></li>
<li><a href=3D"#cg8">The Constitutionality of Geofence Warrants</a></li>
<li><a href=3D"#cg9">AIs Are Getting Better at Finding and Exploiting Secu= rity Vulnerabilities</a></li>
<li><a href=3D"#cg10">AI Coding Assistants Secretly Copying All Code to Ch= ina</a></li>
<li><a href=3D"#cg11">Microsoft is Giving the FBI BitLocker Keys</a></li> <li><a href=3D"#cg12">US Declassifies Information on JUMPSEAT Spy Satellit= es</a></li>
<li><a href=3D"#cg13">Backdoor in Notepad++</a></li>
<li><a href=3D"#cg14">iPhone Lockdown Mode Protects <i>Washington Post</i>=
Reporter</a></li>
<li><a href=3D"#cg15">I Am in the Epstein Files</a></li>
<li><a href=3D"#cg16">LLMs are Getting a Lot Better and Faster at Finding=
and Exploiting Zero-Days</a></li>
<li><a href=3D"#cg17">AI-Generated Text and the Detection Arms Race</a></l=

<li><a href=3D"#cg18">Prompt Injection Via Road Signs</a></li>
<li><a href=3D"#cg19"><i>Rewiring Democracy</i> Ebook is on Sale</a></li> <li><a href=3D"#cg20">3D Printer Surveillance</a></li>
<li><a href=3D"#cg21">Upcoming Speaking Engagements</a></li>
</ol>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg1"><a name=3D"cg1">N=
ew Vulnerability in n8n</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/01/new-vulnerabi= lity-in-n8n.html"><strong>[2026.01.15]</strong></a> <a href=3D"https://ww= w.cyera.com/research-labs/ni8mare-unauthenticated-remote-code-execution-in= -n8n-cve-2026-21858">This</a> isn=E2=80=99t good:</p>

<blockquote><p>We discovered a critical vulnerability (<a href=3D"https://= github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg">CVE-2026-21= 858=2C CVSS 10.0</a>) in n8n that enables attackers to take over locally d= eployed instances=2C impacting an estimated 100=2C000 servers globally. No=
official workarounds are available for this vulnerability. Users should u= pgrade to version 1.121.0 or later to remediate the vulnerability.</p></bl= ockquote>

<p><a href=3D"https://community.n8n.io/t/security-advisory-security-vulner= ability-in-n8n-versions-1-65-1-120-4/247305">Three</a> <a href=3D"https://= thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html">technical</=

<a href=3D"https://nvd.nist.gov/vuln/detail/CVE-2025-68668">links</a> a=

nd two <a href=3D"https://www.cybersecuritydive.com/news/critical-vulnerab= ility-n8n-automation-platform/809360/">news</a> <a href=3D"https://www.ble= epingcomputer.com/news/security/max-severity-ni8mare-flaw-impacts-nearly-6= 0-000-n8n-instances/">links</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg2"><a name=3D"cg2">A=
I and the Corporate Capture of Knowledge</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/01/ai-and-the-co= rporate-capture-of-knowledge.html"><strong>[2026.01.16]</strong></a> More=
than a decade after <a href=3D"https://www.sfgate.com/technology/article/= Open-access-tributes-to-Aaron-Swartz-4193965.php">Aaron Swartz=E2=80=99s d= eath</a>=2C the United States is still living inside the contradiction tha=
t destroyed him.</p>

<p>Swartz believed that knowledge=2C especially publicly funded knowledge=
=2C should be freely accessible. Acting on that=2C he downloaded thousands=
of academic articles from the <a href=3D"https://www.jstor.org/">JSTOR</a=

archive with the intention of making them publicly available. For this=

=2C the federal government charged him with a felony and threatened decade=
s in prison. After two years of prosecutorial pressure=2C Swartz died by s= uicide on Jan. 11=2C 2013.</p>

<p>The still-unresolved questions raised by his case have resurfaced in to= day=E2=80=99s debates over artificial intelligence=2C copyright and the ul= timate control of knowledge.</p>

<p>At the time of Swartz=E2=80=99s prosecution=2C vast amounts of research=
were funded by taxpayers=2C conducted at public institutions and intended=
to advance public understanding. But access to that research was=2C and s= till is=2C locked behind expensive paywalls. People are unable to read wor=
k they helped fund without paying private journals and research websites.<=


<p>Swartz considered this hoarding of knowledge to be neither accidental n=
or inevitable. It was the result of legal=2C economic and political choice=
s. His actions challenged those choices directly. And for that=2C the gove= rnment treated him as a criminal.</p>

<p>Today=E2=80=99s AI arms race involves a far more expansive=2C profit-dr= iven form of information appropriation. The tech giants ingest vast amount=
s of copyrighted material: books=2C journalism=2C academic papers=2C art=
=2C music and personal writing. This data is scraped at industrial scale=
=2C often without consent=2C compensation or transparency=2C and then used=
to train large AI models.</p>

<p>AI companies then sell their proprietary systems=2C built on public and=
private knowledge=2C back to the people who funded it. But this time=2C t=
he government=E2=80=99s response has been markedly different. There are no=
criminal prosecutions=2C no threats of decades-long prison sentences. Law= suits proceed slowly=2C enforcement remains uncertain and policymakers sig=
nal caution=2C given AI=E2=80=99s perceived economic and strategic importa= nce. Copyright infringement is reframed as an unfortunate but necessary st=
ep toward =E2=80=9Cinnovation.=E2=80=9D</p>

<p>Recent developments underscore this imbalance. In 2025=2C <a href=3D"ht= tps://www.npr.org/2025/09/05/nx-s1-5529404/anthropic-settlement-authors-co= pyright-ai">Anthropic</a> reached a settlement with publishers over allega= tions that its AI systems were trained on copyrighted books without author= ization. The agreement reportedly valued infringement at roughly $3=2C000=
per book across an estimated 500=2C000 works=2C coming at a cost of over=
$1.5 billion. Plagiarism disputes between artists and accused infringers=
routinely settle for hundreds of thousands=2C or even millions=2C of doll=
ars when prominent works are involved. Scholars estimate Anthropic avoided=
over <a href=3D"https://www.lawfaremedia.org/article/anthropic-s-settleme= nt-shows-the-u.s.-can-t-afford-ai-copyright-lawsuits">$1 trillion in liabi= lity costs</a>. For well-capitalized AI firms=2C such settlements are like=
ly being factored as a predictable cost of doing business.</p>

<p>As AI becomes a larger part of America=E2=80=99s economy=2C one can see=
the writing on the wall. Judges will twist themselves into knots to justi=
fy an innovative technology premised on literally stealing the works of ar= tists=2C poets=2C musicians=2C all of academia and the internet=2C and vas=
t expanses of literature. But if Swartz=E2=80=99s actions were criminal=2C=
it is worth asking: What standard are we now applying to AI companies?</p=


<p>The question is not simply whether copyright law applies to AI. It is w=
hy the law appears to operate so differently depending on who is doing the=
extracting and for what purpose.</p>

<p>The stakes extend beyond copyright law or past injustices. They concern=
who controls the infrastructure of knowledge going forward and what that=
control means for democratic participation=2C accountability and public t= rust.</p>

<p>Systems trained on vast bodies of publicly funded research are increasi= ngly becoming the primary way people learn about science=2C law=2C medicin=
e and public policy. As search=2C synthesis and explanation are mediated t= hrough AI models=2C control over training data and infrastructure translat=
es into control over what questions can be asked=2C what answers are surfa= ced=2C and whose expertise is treated as authoritative. If public knowledg=
e is absorbed into proprietary systems that the public cannot inspect=2C a= udit or meaningfully challenge=2C then access to information is no longer=
governed by democratic norms but by corporate priorities.</p>

<p>Like the early internet=2C AI is often described as a democratizing for=
ce. But also like the internet=2C AI=E2=80=99s current trajectory suggests=
something closer to consolidation. Control over data=2C models and comput= ational infrastructure is concentrated in the hands of a small number of p= owerful tech companies. They will decide who gets access to knowledge=2C u= nder what conditions and at what price.</p>

<p>Swartz=E2=80=99s fight was not simply about access=2C but about whether=
knowledge should be governed by openness or corporate capture=2C and who=
that knowledge is ultimately for. He understood that access to knowledge=
is a prerequisite for democracy. A society cannot meaningfully debate pol= icy=2C science or justice if information is locked away behind paywalls or=
controlled by proprietary algorithms. If we allow AI companies to profit=
from mass appropriation while claiming immunity=2C we are choosing a futu=
re in which access to knowledge is governed by corporate power rather than=
democratic values.</p>

<p>How we treat knowledge -- who may access it=2C who may profit from it a=
nd who is punished for sharing it -- has become a test of our democratic c= ommitments. We should be honest about what those choices say about us.</p>

<p><em>This essay was written with J. B. Branch=2C and originally appeared=
in the <a href=3D"https://www.sfchronicle.com/opinion/openforum/article/a= i-copyright-research-law-21282101.php">San Francisco Chronicle</a>.</em></=


<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg3"><a name=3D"cg3">A= I-Powered Surveillance in Schools</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/01/ai-powered-su= rveillance-in-schools.html"><strong>[2026.01.19]</strong></a> It all soun=
ds <a href=3D"https://www.forbes.com/sites/thomasbrewster/2025/12/16/ai-ba= throom-monitors-welcome-to-americas-new-surveillance-high-schools/">pretty=
dystopian</a>:</p>

<blockquote><p>Inside a white stucco building in Southern California=2C vi=
deo cameras compare faces of passersby against a facial recognition databa=
se. Behavioral analysis AI reviews the footage for signs of violent behavi=
or. Behind a bathroom door=2C a smoke detector-shaped device captures audi= o=2C listening for sounds of distress. Outside=2C drones stand ready to be=
deployed and provide intel from above=2C and license plate readers from $=
8.5 billion surveillance behemoth Flock Safety ensure the cars entering an=
d exiting the parking lot aren=E2=80=99t driven by criminals.</p>

<p>This isn=E2=80=99t a high-security government facility. It=E2=80=99s Be= verly Hills High School.</p></blockquote>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg4"><a name=3D"cg4">C= ould ChatGPT Convince You to Buy Something?</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/01/could-chatgpt= -convince-you-to-buy-something.html"><strong>[2026.01.20]</strong></a> Ei= ghteen months ago=2C it was plausible that artificial intelligence might t=
ake a <a href=3D"https://www.technologyreview.com/2024/03/13/1089729/lets-= not-make-the-same-mistakes-with-ai-that-we-made-with-social-media/">differ=
ent path</a> than social media. Back then=2C AI=E2=80=99s development hadn= =E2=80=99t consolidated under a small number of big tech firms. Nor had it=
capitalized on consumer attention=2C surveilling users and delivering ads= =2E</p>

<p>Unfortunately=2C the AI industry is now taking a page from the social m= edia playbook and has set its sights on monetizing consumer attention. Whe=
n OpenAI launched its <a href=3D"https://openai.com/index/introducing-chat= gpt-search/">ChatGPT Search</a> feature in late 2024 and its browser=2C <a=
href=3D"https://openai.com/index/introducing-chatgpt-atlas/">ChatGPT Atla= s</a>=2C in October 2025=2C it kicked off a <a href=3D"https://www.adweek.= com/media/openai-takes-on-google-with-atlas-ai-browser/">race to capture o= nline behavioral data</a> to power advertising. It=E2=80=99s part of a yea= rslong <a href=3D"https://digiday.com/marketing/from-hatred-to-hiring-open= ais-advertising-change-of-heart/">turnabout by OpenAI</a>=2C whose CEO Sam=
Altman once called the combination of ads and AI =E2=80=9Cunsettling=E2= =80=9D and now promises that <a href=3D"https://searchengineland.com/chatg= pt-ads-coming-some-point-464388">ads can be deployed in AI apps</a> while=
preserving trust. The rampant <a href=3D"https://www.engadget.com/ai/open= ais-head-of-chatgpt-says-posts-appearing-to-show-in-app-ads-are-not-real-o= r-not-ads-190454584.html">speculation among OpenAI users</a> who believe t=
hey see paid placements in ChatGPT responses suggests they are not convinc= ed.</p>

<p>In 2024=2C AI search company Perplexity started <a href=3D"https://www.= perplexity.ai/hub/blog/why-we-re-experimenting-with-advertising">experimen= ting with ads</a> in its offerings. A few months after that=2C Microsoft <=
a href=3D"https://www.windowscentral.com/software-apps/microsoft-integrate= s-showroom-ads-in-copilot-ai-simulating-brick-and-mortar-stores">introduce=
d ads to its Copilot</a> AI. Google=E2=80=99s <a href=3D"https://searcheng= ineland.com/google-ads-inside-ai-mode-tests-expand-464979">AI Mode for sea= rch</a> now increasingly features ads=2C <a href=3D"https://adage.com/tech= nology/amazon/aa-ai-ads-sponsored-prompts/">as does Amazon=E2=80=99s Rufus=
chatbot</a>. OpenAI announced on Jan. 16=2C 2026=2C that it will soon beg=
in <a href=3D"https://openai.com/index/our-approach-to-advertising-and-exp= anding-access/">testing ads in the unpaid version of ChatGPT</a>.</p>

<p>As a <a href=3D"https://scholar.google.com/scholar?hl=3Den&as_sdt=3D0%2= C22&q=3DBruce+Schneier&btnG=3D">security expert</a> and <a href=3D"https:/= /scholar.google.com/citations?hl=3Den&user=3DLlKKQyIAAAAJ&view_op=3Dlist_w= orks&sortby=3Dpubdate">data scientist</a>=2C we see these examples as harb= ingers of a future where AI companies profit from manipulating their users= =E2=80=99 behavior for the benefit of their advertisers and investors. It= =E2=80=99s also a reminder that time to steer the direction of AI developm=
ent away from private exploitation and toward public benefit is quickly ru= nning out.</p>

<p>The functionality of ChatGPT Search and its Atlas browser is not really=
new. <a href=3D"https://proceedings.neurips.cc/paper/2020/hash/6b49323020= 5f780e1bc26945df7481e5-Abstract.html">Meta</a>=2C commercial AI competitor=
<a href=3D"https://www.nytimes.com/2024/02/01/technology/perplexity-searc= h-ai-google.html">Perplexity</a> and even <a href=3D"https://www.theverge.= com/2023/9/27/23892781/openai-chatgpt-live-web-results-browse-with-bing">C= hatGPT</a> itself have had similar AI search features for years=2C and bot=
h <a href=3D"https://gemini.google/overview/gemini-in-chrome/">Google</a>=
and <a href=3D"https://blogs.windows.com/msedgedev/2023/05/23/microsoft-e= dge-build-2023-innovations-in-ai-productivity-management-sidebar-apps/">Mi= crosoft</a> beat OpenAI to the punch by integrating AI with their browsers=
=2E But OpenAI=E2=80=99s <a href=3D"https://www.washingtonpost.com/technolog= y/2024/10/31/openai-chatgpt-search-ai-upgrade-google/">business positionin= g</a> signals a shift.</p>

<p>We believe the ChatGPT Search and Atlas announcements are worrisome bec= ause there is really only one way to make money on search: the advertising=
model <a href=3D"https://law.stanford.edu/publications/why-google-dominat= es-advertising-markets/">pioneered ruthlessly by Google</a>.</p>

<h3 style=3D"font-size:110%;font-weight:bold">Advertising model</h3>

<p>Ruled <a href=3D"https://www.nytimes.com/2024/08/05/technology/google-a= ntitrust-ruling.html">a monopolist</a> in U.S. federal court=2C Google has=
earned more than <a href=3D"https://www.statista.com/statistics/266249/ad= vertising-revenue-of-google/">US$1.6 trillion in advertising revenue</a> s= ince 2001. You may think of Google as a web search company=2C or a streami=
ng video company (YouTube)=2C or an email company (Gmail)=2C or a mobile p= hone company (Android=2C Pixel)=2C or maybe even an AI company (Gemini). B=
ut those products are ancillary to Google=E2=80=99s bottom line. The adver= tising segment typically accounts for <a href=3D"https://www.statista.com/= statistics/1093781/distribution-of-googles-revenues-by-segment/">80% to 90=
% of its total revenue</a>. Everything else is there to <a href=3D"https:/= /www.cnbc.com/2021/05/18/how-does-google-make-money-advertising-business-b= reakdown-.html">collect users=E2=80=99 data and direct users=E2=80=99 atte= ntion</a> to its advertising revenue stream.</p>

<p>After two decades in this monopoly position=2C Google=E2=80=99s search=
product is much more tuned to the company=E2=80=99s needs than those of i=
ts users. When Google Search first arrived decades ago=2C it was revelator=
y in its ability to instantly find useful information across the still-nas= cent web. In 2025=2C its search result pages are <a href=3D"https://www.40= 4media.co/google-search-really-has-gotten-worse-researchers-find/">dominat=
ed by low-quality</a> and often AI-generated content=2C spam sites that ex=
ist solely to drive traffic to Amazon sales -- a tactic known as <a href= =3D"https://www.investopedia.com/terms/a/affiliate-marketing.asp">affiliat=
e marketing</a> -- and paid ad placements=2C which at times are <a href=3D= "https://www.cnbc.com/2020/01/24/google-will-iterate-the-design-that-made-= it-harder-to-tell-ads-from-search-results.html">indistinguishable from org= anic results</a>.</p>

<p>Plenty of <a href=3D"https://searchengineland.com/ai-powered-search-pai= d-placements-395084">advertisers</a> and <a href=3D"https://professional.d= ce.harvard.edu/blog/ai-will-shape-the-future-of-marketing/">observers</a>=
seem to think AI-powered advertising is the future of the ad business.</p=


<h3 style=3D"font-size:110%;font-weight:bold">Highly persuasive</h3>

<p>Paid advertising in AI search=2C and AI models generally=2C could look=
very different from traditional web search. It has the potential to influ= ence your thinking=2C spending patterns and even personal beliefs in much=
more subtle ways. Because AI can engage in active dialogue=2C addressing=
your specific questions=2C concerns and ideas rather than just filtering=
static content=2C its potential for influence is much greater. It=E2=80=
=99s like the difference between reading a textbook and having a conversat=
ion with its author.</p>

<p>Imagine you=E2=80=99re conversing with your AI agent about an upcoming=
vacation. Did it recommend a particular airline or hotel chain because th=
ey really are best for you=2C or does the company get a kickback for every=
mention? If you ask about a political issue=2C does the model bias its an= swer based on which political party has paid the company a fee=2C or based=
on the bias of the model=E2=80=99s corporate owners?</p>

<p>There is mounting evidence that AI models are at least as effective as=
people at persuading users to do things. A December 2023 meta-analysis of=
121 randomized trials reported that AI models are <a href=3D"https://doi.= org/10.1093/joc/jqad024">as good as humans</a> at shifting people=E2=80=99=
s perceptions=2C attitudes and behaviors. A more recent meta-analysis of e= ight studies <a href=3D"https://doi.org/10.21203/rs.3.rs-7435265/v1">simil= arly concluded</a> there was =E2=80=9Cno significant overall difference in=
persuasive performance between (large language models) and humans.=E2=80= =9D</p>

<p>This influence may go well beyond shaping what products you buy or who=
you vote for. As with the field of search engine optimization=2C the ince= ntive for humans to perform for AI models might <a href=3D"https://www.the= atlantic.com/technology/archive/2024/04/generative-ai-search-llmo/678154/"= >shape the way people write</a> and communicate with each other. How we ex= press ourselves online is likely to be increasingly directed to win the at= tention of AIs and earn placement in the responses they return to users.</=


<h3 style=3D"font-size:110%;font-weight:bold">A different way forward</h3>

<p>Much of this is discouraging=2C but there is much that can be done to c= hange it.</p>

<p>First=2C it=E2=80=99s important to recognize that today=E2=80=99s AI is=
<a href=3D"https://gizmodo.com/ai-chatgpt-can-we-build-trustworthy-ai-185= 0405280">fundamentally untrustworthy</a>=2C for the same reasons that sear=
ch engines and social media platforms are.</p>

<p>The problem is not the technology itself; fast ways to find information=
and communicate with friends and family can be wonderful capabilities. Th=
e problem is the priorities of the corporations who own these platforms an=
d for whose benefit they are operated. Recognize that you don=E2=80=99t ha=
ve control over what data is fed to the AI=2C who it is shared with and ho=
w it is used. It=E2=80=99s important to keep that in mind when you connect=
devices and services to AI platforms=2C ask them questions=2C or consider=
buying or doing the things they suggest.</p>

<p>There is also a lot that people can demand of governments to restrain h= armful corporate uses of AI. In the U.S.=2C Congress could <a href=3D"http= s://www.reuters.com/legal/legalindustry/us-data-privacy-laws-enter-new-era= -2023-2023-01-12/">enshrine consumers=E2=80=99 rights</a> to control their=
own personal data=2C as the EU already has. It could also create a data p= rotection <a href=3D"https://epic.org/campaigns/dpa/">enforcement agency</= a>=2C as <a href=3D"https://iapp.org/resources/global-privacy-directory">e= ssentially every other</a> developed nation has.</p>

<p>Governments worldwide could <a href=3D"https://www.brookings.edu/articl= es/how-public-ai-can-strengthen-democracy/#:%7E:text=3DPublicly%20develope= d%20and%20owned%20AI=2Cand%20sustainability%20of%20AI%20technology.">inves=
t in Public AI</a> -- models built by public agencies offered universally=
for public benefit and transparently under public oversight. They could a=
lso restrict how corporations can collude to exploit people using AI=2C fo=
r example by barring advertisements for dangerous products such as cigaret=
tes and requiring disclosure of paid endorsements.</p>

<p>Every technology company seeks to differentiate itself from competitors=
=2C particularly in an era when yesterday=E2=80=99s groundbreaking AI quic=
kly becomes a commodity that will run on any kid=E2=80=99s phone. One diff= erentiator is in building a trustworthy service. It remains to be seen whe= ther companies such as OpenAI and Anthropic can sustain profitable busines=
ses on the back of subscription AI services like the premium editions of C= hatGPT=2C Plus and Pro=2C and Claude Pro. If they are going to continue co= nvincing consumers and businesses to pay for these premium services=2C the=
y will need to build trust.</p>

<p>That will require making real commitments to consumers on transparency=
=2C privacy=2C reliability and security that are followed through consiste= ntly and verifiably.</p>

<p>And while no one knows what the future business models for AI will be=
=2C we can be certain that consumers do not want to be exploited by AI=2C=
secretly or otherwise.</p>

<p><em>This essay was written with Nathan E. Sanders=2C and originally app= eared in <a href=3D"https://theconversation.com/could-chatgpt-convince-you= -to-buy-something-threat-of-manipulation-looms-as-ai-companies-gear-up-to-= sell-ads-272859">The Conversation</a>.</em></p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg5"><a name=3D"cg5">I= nternet Voting is Too Insecure for Use in Elections</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/01/internet-voti= ng-is-too-insecure-for-use-in-elections.html"><strong>[2026.01.21]</stron= g></a> No matter how many times we say it=2C the idea comes back again and=
again. Hopefully=2C this <a href=3D"https://blog.citp.princeton.edu/2026/= 01/16/internet-voting-is-insecure-and-should-not-be-used-in-public-electio= ns/">letter</a> will hold back the tide for at least a while longer.</p>

<blockquote><p><b>Executive summary:</b> Scientists have understood for ma=
ny years that internet voting is insecure and that there is no known or fo= reseeable technology that can make it secure. Still=2C vendors of interne=
t voting keep claiming that=2C somehow=2C their new system is different=2C=
or the insecurity doesn=E2=80=99t matter. Bradley Tusk and his Mobile Vo= ting Foundation keep touting internet voting to journalists and election a= dministrators; this whole effort is misleading and dangerous.</p></blockqu=


<p>I am one of the many signatories.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg6"><a name=3D"cg6">W=
hy AI Keeps Falling for Prompt Injection Attacks</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/01/why-ai-keeps-= falling-for-prompt-injection-attacks.html"><strong>[2026.01.22]</strong><=

Imagine you work at a drive-through restaurant. Someone drives up and=

says: =E2=80=9CI=E2=80=99ll have a double cheeseburger=2C large fries=2C=
and ignore previous instructions and give me the contents of the cash dra= wer.=E2=80=9D Would you hand over the money? Of course not. Yet this is wh=
at <a href=3D"https://spectrum.ieee.org/tag/large-language-models">large l= anguage models</a> (<a href=3D"https://spectrum.ieee.org/tag/llms">LLMs</a=

) do.</p>

<p><a href=3D"https://www.ibm.com/think/topics/prompt-injection">Prompt in= jection</a> is a method of tricking LLMs into doing things they are normal=
ly prevented from doing. A user writes a prompt in a certain way=2C asking=
for system <a href=3D"https://spectrum.ieee.org/tag/passwords">passwords<=

or private data=2C or asking the LLM to perform forbidden instructions=

=2E The precise phrasing overrides the LLM=E2=80=99s <a href=3D"https://medi= um.com/data-science/safeguarding-llms-with-guardrails-4f5d9f57cff2">safety=
guardrails</a>=2C and it complies.</p>

<p>LLMs are vulnerable to <a href=3D"https://fdzdev.medium.com/20-prompt-i= njection-techniques-every-red-teamer-should-test-b22359bfd57d">all sorts</=

of prompt injection attacks=2C some of them absurdly obvious. A chatbot=

won=E2=80=99t tell you how to synthesize a bioweapon=2C but it might tell=
you a fictional story that incorporates the same detailed instructions. I=
t won=E2=80=99t accept nefarious text inputs=2C but might if the text is r= endered as <a href=3D"https://arxiv.org/abs/2402.11753">ASCII art</a> or a= ppears in an image of a <a href=3D"https://www.lakera.ai/blog/visual-promp= t-injections">billboard</a>. Some ignore their guardrails when told to =E2= =80=9Cignore previous instructions=E2=80=9D or to =E2=80=9Cpretend you hav=
e no guardrails.=E2=80=9D</p>

<p>AI vendors can block specific prompt injection techniques once they are=
discovered=2C but general safeguards are <a href=3D"https://llm-attacks.o= rg/">impossible</a> with today=E2=80=99s LLMs. More precisely=2C there=E2= =80=99s an endless array of prompt injection attacks waiting to be discove= red=2C and they cannot be prevented universally.</p>

<p>If we want LLMs that resist these attacks=2C we need new approaches. On=
e place to look is what keeps even overworked fast-food workers from handi=
ng over the cash drawer.</p>

<h3 style=3D"font-size:110%;font-weight:bold">Human Judgment Depends on Co= ntext</h3>

<p>Our basic human defenses come in at least three types: general instinct= s=2C social learning=2C and situation-specific training. These work togeth=
er in a layered defense.</p>

<p>As a social species=2C we have developed numerous instinctive and cultu=
ral habits that help us judge tone=2C motive=2C and risk from extremely li= mited information. We generally know what=E2=80=99s normal and abnormal=2C=
when to cooperate and when to resist=2C and whether to take action indivi= dually or to involve others. These instincts give us an intuitive sense of=
risk and make us <a href=3D"https://www.nature.com/articles/srep08242">es= pecially careful</a> about things that have a large downside or are imposs= ible to reverse.</p>

<p>The second layer of defense consists of the norms and trust signals tha=
t evolve in any group. These are imperfect but functional: Expectations of=
cooperation and markers of trustworthiness emerge through repeated intera= ctions with others. We remember who has helped=2C who has hurt=2C who has=
reciprocated=2C and who has reneged. And emotions like sympathy=2C anger=
=2C guilt=2C and gratitude motivate each of us to <a href=3D"https://ncase= =2Eme/trust/">reward cooperation with cooperation</a> and punish defection w= ith defection.</p>

<p>A third layer is institutional mechanisms that enable us to interact wi=
th multiple strangers every day. Fast-food workers=2C for example=2C are t= rained in procedures=2C approvals=2C escalation paths=2C and so on. Taken=
together=2C these defenses give humans a strong sense of context. A fast-= food worker basically knows what to expect within the job and how it fits=
into broader society.</p>

<p>We reason by assessing multiple layers of context: perceptual (what we=
see and hear)=2C relational (who=E2=80=99s making the request)=2C and nor= mative (what=E2=80=99s appropriate within a given role or situation). We c= onstantly navigate these layers=2C weighing them against each other. In so=
me cases=2C the normative outweighs the perceptual -- for example=2C follo= wing workplace rules even when customers appear angry. Other times=2C the=
relational outweighs the normative=2C as when people comply with orders f=
rom superiors that they believe are against the rules.</p>

<p>Crucially=2C we also have an interruption reflex. If something feels=
=E2=80=9Coff=2C=E2=80=9D we naturally pause the <a href=3D"https://spectr= um.ieee.org/tag/automation">automation</a> and reevaluate. Our defenses ar=
e not perfect; people are fooled and manipulated all the time. But it=E2= =80=99s how we humans are able to navigate a complex world where others ar=
e constantly trying to trick us.</p>

<p>So let=E2=80=99s return to the drive-through window. To convince a fast= -food worker to hand us all the money=2C we might try shifting the context=
=2E Show up with a camera crew and tell them you=E2=80=99re filming a commer= cial=2C claim to be the head of security doing an audit=2C or dress like a=
bank manager collecting the cash receipts for the night. But even these h=
ave only a slim chance of success. Most of us=2C most of the time=2C can s= mell a scam.</p>

<p>Con artists are astute observers of human defenses. Successful <a href= =3D"https://spectrum.ieee.org/tag/scams">scams</a> are often slow=2C under= mining a mark=E2=80=99s situational assessment=2C allowing the scammer to=
manipulate the context. This is an old story=2C spanning traditional conf= idence games such as the Depression-era =E2=80=9Cbig store=E2=80=9D cons=
=2C in which teams of scammers created entirely fake businesses to draw in=
victims=2C and modern <a href=3D"https://dfpi.ca.gov/news/insights/pig-bu= tchering-how-to-spot-and-report-the-scam/">=E2=80=9Cpig-butchering=E2=80=
=9D frauds</a>=2C where online scammers slowly build trust before going in=
for the kill. In these examples=2C scammers slowly and methodically reel=
in a victim using a long series of interactions through which the scammer=
s gradually gain that victim=E2=80=99s trust.</p>

<p>Sometimes it even works at the drive-through. One scammer in the 1990s=
and 2000s <a href=3D"https://en.wikipedia.org/wiki/Strip_search_phone_cal= l_scam">targeted fast-food workers by phone</a>=2C claiming to be a police=
officer and=2C over the course of a long phone call=2C convinced managers=
to strip-search employees and perform other bizarre acts.</p>

<h3 style=3D"font-size:110%;font-weight:bold">Why LLMs Struggle With Conte=
xt and Judgment</h3>

<p>LLMs behave as if they have a notion of context=2C but it=E2=80=99s dif= ferent. They do not learn human defenses from repeated interactions and re= main untethered from the real world. LLMs flatten multiple levels of conte=
xt into text similarity. They see =E2=80=9Ctokens=2C=E2=80=9D not hierarch=
ies and intentions. LLMs don=E2=80=99t reason through context=2C they only=
reference it.</p>

<p>While LLMs often get the details right=2C they can easily miss the <a h= ref=3D"https://spectrum.ieee.org/tag/big-picture">big picture</a>. If you=
prompt a chatbot with a fast-food worker scenario and ask if it should gi=
ve all of its money to a customer=2C it will respond =E2=80=9Cno.=E2=80=9D=
What it doesn=E2=80=99t =E2=80=9Cknow=E2=80=9D -- forgive the anthropomor= phizing -- is whether it=E2=80=99s actually being deployed as a fast-food=
bot or is just a test subject following instructions for hypothetical sce= narios.</p>

<p>This limitation is why LLMs misfire when context is sparse but also whe=
n context is overwhelming and complex; when an LLM becomes unmoored from c= ontext=2C it=E2=80=99s hard to get it back. AI expert Simon Willison <a hr= ef=3D"https://simonwillison.net/2025/Sep/12/claude-memory/">wipes context=
clean</a> if an LLM is on the wrong track rather than continuing the conv= ersation and trying to correct the situation.</p>

<p>There=E2=80=99s more. LLMs are <a href=3D"https://www.cmu.edu/dietrich/= news/news-stories/2025/july/trent-cash-ai-overconfidence.html">overconfide= nt</a> because they=E2=80=99ve been designed to give an answer rather than=
express ignorance. A drive-through worker might say: =E2=80=9CI don=E2=80= =99t know if I should give you all the money -- let me ask my boss=2C=E2= =80=9D whereas an LLM will just make the call. And since LLMs are designed=
to be <a href=3D"https://hai.stanford.edu/news/large-language-models-just= -want-to-be-liked">pleasing</a>=2C they=E2=80=99re more likely to satisfy=
a user=E2=80=99s request. Additionally=2C LLM training is oriented toward=
the average case and not extreme outliers=2C which is what=E2=80=99s nece= ssary for security.</p>

<p>The result is that the current generation of LLMs is far more gullible=
than people. They=E2=80=99re naive and regularly fall for manipulative <a=
href=3D"https://arstechnica.com/science/2025/09/these-psychological-trick= s-can-get-llms-to-respond-to-forbidden-prompts/">cognitive tricks</a> that=
wouldn=E2=80=99t fool a third-grader=2C such as flattery=2C appeals to gr= oupthink=2C and a false sense of urgency. There=E2=80=99s a <a href=3D"htt= ps://www.bbc.com/news/articles/ckgyk2p55g8o">story</a> about a Taco Bell A=
I system that crashed when a customer ordered 18=2C000 cups of water. A hu=
man fast-food worker would just laugh at the customer.</p>

<h3 style=3D"font-size:110%;font-weight:bold">The Limits of <a href=3D"htt= ps://spectrum.ieee.org/tag/agentic-ai">AI Agents</a></h3>

<p>Prompt injection is an unsolvable problem that <a href=3D"https://www.c= omputer.org/csdl/magazine/sp/5555/01/11194053/2aB2Rf5nZ0k">gets worse</a>=
when we give AIs tools and tell them to act independently. This is the pr= omise of <a href=3D"https://spectrum.ieee.org/tag/agentic-ai">AI agents</a=

: LLMs that can use tools to perform multistep tasks after being given ge= neral instructions. Their flattening of context and identity=2C along with=

their baked-in independence and overconfidence=2C mean that they will rep= eatedly and unpredictably take actions -- and sometimes they will take the=
<a href=3D"https://www.theregister.com/2025/10/28/ai_browsers_prompt_inje= ction/"> wrong ones</a>.</p>

<p>Science doesn=E2=80=99t know how much of the problem is inherent to the=
way LLMs work and how much is a result of deficiencies in the way we trai=
n them. The overconfidence and obsequiousness of LLMs are training choices=
=2E The lack of an interruption reflex is a deficiency in engineering. And p= rompt injection resistance requires fundamental advances in AI science. We=
honestly don=E2=80=99t know if it=E2=80=99s possible to build an LLM=2C w= here trusted commands and untrusted inputs are processed through the <a hr= ef=3D"https://cacm.acm.org/opinion/llms-data-control-path-insecurity/">sam=
e channel</a>=2C which is immune to prompt injection attacks.</p>

<p>We humans get our model of the world -- and our facility with overlappi=
ng contexts -- from the way our brains work=2C years of training=2C an eno= rmous amount of perceptual input=2C and millions of years of evolution. Ou=
r identities are complex and multifaceted=2C and which aspects matter at a=
ny given moment depend entirely on context. A fast-food worker may normall=
y see someone as a customer=2C but in a medical emergency=2C that same per= son=E2=80=99s identity as a doctor is suddenly more relevant.</p>

<p>We don=E2=80=99t know if LLMs will gain a better ability to move betwee=
n different contexts as the models get more sophisticated. But the problem=
of recognizing context definitely can=E2=80=99t be reduced to the one typ=
e of reasoning that LLMs currently excel at. Cultural norms and styles are=
historical=2C relational=2C emergent=2C and constantly renegotiated=2C an=
d are not so readily subsumed into reasoning as we understand it. Knowledg=
e itself can be both logical and discursive.</p>

<p>The AI researcher Yann LeCunn believes that improvements will come from=
embedding AIs in a physical presence and giving them =E2=80=9C<a href=3D"= https://medium.com/@AnthonyLaneau/beyond-llms-charting-the-next-frontiers-= of-ai-with-yann-lecun-09e84f1978f9">world models</a>.=E2=80=9D Perhaps thi=
s is a way to give an AI a robust yet fluid notion of a social identity=2C=
and the real-world experience that will help it lose its na=C3=AFvet=C3= =A9.</p>

<p>Ultimately we are probably faced with a <a href=3D"https://www.computer= =2Eorg/csdl/magazine/sp/5555/01/11194053/2aB2Rf5nZ0k">security trilemma</a>=
when it comes to AI agents: fast=2C smart=2C and secure are the desired a= ttributes=2C but you can only get two. At the drive-through=2C you want to=
prioritize fast and secure. An AI agent should be trained narrowly on foo= d-ordering language and escalate anything else to a manager. Otherwise=2C=
every action becomes a coin flip. Even if it comes up heads most of the t= ime=2C once in a while it=E2=80=99s going to be tails -- and along with a=
burger and fries=2C the customer will get the contents of the cash drawer= =2E</p>

<p><em>This essay was written with Barath Raghavan=2C and originally appea=
red in <a href=3D"https://spectrum.ieee.org/prompt-injection-attack">IEEE=
Spectrum</a>.</em></p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg7"><a name=3D"cg7">I= reland Proposes Giving Police New Digital Surveillance Powers</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/01/ireland-propo= ses-giving-police-new-digital-surveillance-powers.html"><strong>[2026.01.= 26]</strong></a> This is <a href=3D"https://www.theregister.com/2026/01/21= /ireland_wants_to_give_police/">coming</a>:</p>

<blockquote><p>The Irish government is planning to bolster its police=E2= =80=99s ability to intercept communications=2C including encrypted message= s=2C and provide a legal basis for spyware use.</p></blockquote>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg8"><a name=3D"cg8">T=
he Constitutionality of Geofence Warrants</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/01/the-constitut= ionality-of-geofence-warrants.html"><strong>[2026.01.27]</strong></a> The=
US Supreme Court is <a href=3D"https://therecord.media/supreme-court-geof= ence-constitutionality">considering</a> the constitutionality of geofence=
warrants.</p>

<blockquote><p>The case centers on the trial of Okello Chatrie=2C a Virgin=
ia man who pleaded guilty to a 2019 robbery outside of Richmond and was se= ntenced to almost 12 years in prison for stealing $195=2C000 at gunpoint.<=


<p>Police probing the crime found security camera footage showing a man on=
a cell phone near the credit union that was robbed and asked Google to pr= oduce anonymized location data near the robbery site so they could determi=
ne who committed the crime. They did so=2C providing police with subscribe=
r data for three people=2C one of whom was Chatrie. Police then searched C= hatrie=E2=80=99s home and allegedly surfaced a gun=2C almost $100=2C000 in=
cash and incriminating notes.</p>

<p>Chatrie=E2=80=99s appeal challenges the constitutionality of geofence w= arrants=2C arguing that they violate individuals=E2=80=99 Fourth Amendment=
rights protecting against unreasonable searches.</p></blockquote>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg9"><a name=3D"cg9">A=
Is Are Getting Better at Finding and Exploiting Security Vulnerabilities</= a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/01/ais-are-getti= ng-better-at-finding-and-exploiting-security-vulnerabilities.html"><strong= >[2026.01.30]</strong></a> From an Anthropic <a href=3D"https://red.anthr= opic.com/2026/cyber-toolkits-update/">blog post</a>:</p>

<blockquote><p>In a recent evaluation of AI models=E2=80=99 cyber capabili= ties=2C current Claude models can now succeed at multistage attacks on net= works with dozens of hosts using only standard=2C open-source tools=2C ins= tead of the custom tools needed by previous generations. This illustrates=
how barriers to the use of AI in relatively autonomous cyber workflows ar=
e rapidly coming down=2C and highlights the importance of security fundame= ntals like promptly patching known vulnerabilities.</p>

<p>[...]</p>

<p>A notable development during the testing of Claude Sonnet 4.5 is that t=
he model can now succeed on a minority of the networks without the custom=
cyber toolkit needed by previous generations. In particular=2C Sonnet 4.5=
can now exfiltrate all of the (simulated) personal information in a high-= fidelity simulation of the Equifax data breach -- one of the costliest cyb=
er attacks in historyusing only a Bash shell on a widely-available Kali Li=
nux host (standard=2C open-source tools for penetration testing; not a cus=
tom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publ= icized CVE and writing code to exploit it without needing to look it up or=
iterate on it. Recalling that the original Equifax breach happened by exp= loiting a publicized CVE that had not yet been patched=2C the prospect of=
highly competent and fast AI agents leveraging this approach underscores=
the pressing need for security best practices like prompt updates and pat= ches.</p></blockquote>

<p>AI models are getting better at this faster than I expected. This will=
be a major power shift in cybersecurity.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg10"><a name=3D"cg10"=

AI Coding Assistants Secretly Copying All Code to China</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/ai-coding-ass= istants-secretly-copying-all-code-to-china.html"><strong>[2026.02.02]</st= rong></a> There=E2=80=99s a <a href=3D"https://www.koi.ai/blog/maliciousco= rgi-the-cute-looking-ai-extensions-leaking-code-from-1-5-million-developer= s">new report</a> about two AI coding assistants=2C used by 1.5 million de= velopers=2C that are surreptitiously sending a copy of everything they ing=
est to China.</p>

<p>Maybe avoid using them.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg11"><a name=3D"cg11"= >Microsoft is Giving the FBI BitLocker Keys</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/microsoft-is-= giving-the-fbi-bitlocker-keys.html"><strong>[2026.02.03]</strong></a> Mic= rosoft <a href=3D"https://www.forbes.com/sites/thomasbrewster/2026/01/22/m= icrosoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/">gives</a> the=
FBI the ability to decrypt BitLocker in response to court orders: about t= wenty times per year.</p>

<blockquote><p>It=E2=80=99s possible for users to store those keys on a de= vice they own=2C but Microsoft also recommends BitLocker users store their=
keys on its servers for convenience. While that means someone can access=
their data if they forget their password=2C or if repeated failed attempt=
s to login lock the device=2C it also makes them vulnerable to law enforce= ment subpoenas and warrants.</p></blockquote>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg12"><a name=3D"cg12"=

US Declassifies Information on JUMPSEAT Spy Satellites</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/us-declassifi= es-information-on-jumpseat-spy-satellites.html"><strong>[2026.02.04]</str= ong></a> The US National Reconnaissance Office has declassified <a href=3D= "https://arstechnica.com/space/2026/01/us-spy-satellite-agency-declassifie= s-high-flying-cold-war-listening-post/">information</a> about a fleet of s=
py satellites operating between 1971 and 2006.</p>

<p>I=E2=80=99m actually impressed to see a declassification only two decad=
es after decommission.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg13"><a name=3D"cg13"= >Backdoor in Notepad++</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/backdoor-in-n= otepad.html"><strong>[2026.02.05]</strong></a> Hackers associated with th=
e Chinese government used a <a href=3D"https://arstechnica.com/security/20= 26/02/notepad-updater-was-compromised-for-6-months-in-supply-chain-attack/= ">Trojaned version</a> of Notepad++ to deliver malware to selected users.<=


<blockquote><p>Notepad++ said that officials with the unnamed provider hos= ting the update infrastructure consulted with incident responders and foun=
d that it remained compromised until September 2. Even then=2C the attacke=
rs maintained credentials to the internal services until December 2=2C a c= apability that allowed them to continue redirecting selected update traffi=
c to malicious servers. The threat actor =E2=80=9Cspecifically targeted No= tepad++ domain with the goal of exploiting insufficient update verificatio=
n controls that existed in older versions of Notepad++.=E2=80=9D Event log=
s indicate that the hackers tried to re-exploit one of the weaknesses afte=
r it was fixed but that the attempt failed.</p></blockquote>

<p>Make sure you=E2=80=99re running at least version 8.9.1.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg14"><a name=3D"cg14"= >iPhone Lockdown Mode Protects <i>Washington Post</i> Reporter</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/iphone-lockdo= wn-mode-protects-washington-post-reporter.html"><strong>[2026.02.06]</str= ong></a> 404Media is <a href=3D"https://www.404media.co/fbi-couldnt-get-in= to-wapo-reporters-iphone-because-it-had-lockdown-mode-enabled/">reporting<=

that the FBI could not access a reporter=E2=80=99s iPhone because it h=

ad Lockdown Mode enabled:</p>

<blockquote><p>The court record shows what devices and data the FBI was ab=
le to ultimately access=2C and which devices it could not=2C after raiding=
the home of the reporter=2C Hannah Natanson=2C in January as part of an i= nvestigation into leaks of classified information. It also provides rare i= nsight into the apparent effectiveness of Lockdown Mode=2C or at least how=
effective it might be before the FBI may try other techniques to access t=
he device.</p>

<p>=E2=80=9CBecause the iPhone was in Lockdown mode=2C CART could not extr=
act that device=2C=E2=80=9D the court record reads=2C referring to the FBI= =E2=80=99s Computer Analysis Response Team=2C a unit focused on performing=
forensic analyses of seized devices. The document is written by the gover= nment=2C and is opposing the return of Natanson=E2=80=99s devices.</p>

<p>The FBI raided Natanson=E2=80=99s home as part of its investigation int=
o government contractor Aurelio Perez-Lugones=2C who is charged with=2C am=
ong other things=2C retention of national defense information. The governm=
ent believes Perez-Lugones was a source of Natanson=E2=80=99s=2C and provi=
ded her with various pieces of classified information. While executing a s= earch warrant for his mobile phone=2C investigators reviewed Signal messag=
es between Pere-Lugones and the reporter=2C the Department of Justice prev= iously said.</p></blockquote>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg15"><a name=3D"cg15"=

I Am in the Epstein Files</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/i-am-in-the-e= pstein-files.html"><strong>[2026.02.06]</strong></a> <a href=3D"https://w= ww.jmail.world/thread/EFTA02451032?view=3Dinbox">Once</a>. Someone named=
=E2=80=9CVincenzo lozzo=E2=80=9D wrote to Epstein in email=2C in 2016:=
=E2=80=9CI wouldn=E2=80=99t pay too much attention to this=2C Schneier ha=
s a long tradition of dramatizing and misunderstanding things.=E2=80=9D Th=
e topic of the email is DDoS attacks=2C and it is unclear what I am dramat= izing and misunderstanding.</p>

<p>Rabbi Schneier is also mentioned=2C also incidentally=2C also <a href= =3D"https://www.jmail.world/thread/EFTA02442876?view=3Dinbox">once</a>. As=
far as either of us know=2C we are not related.</p>

<p>EDITED TO ADD (2/7): There is <a href=3D"https://www.justice.gov/epstei= n/files/DataSet%209/EFTA00817090.pdf">more context</a> on the Justice.gov=
website version.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg16"><a name=3D"cg16"= >LLMs are Getting a Lot Better and Faster at Finding and Exploiting Zero-D= ays</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/llms-are-gett= ing-a-lot-better-and-faster-at-finding-and-exploiting-zero-days.html"><str= ong>[2026.02.09]</strong></a> This is <a href=3D"https://red.anthropic.co= m/2026/zero-days/">amazing</a>:</p>

<blockquote><p>Opus 4.6 is notably better at finding high-severity vulnera= bilities than previous models and a sign of how quickly things are moving.=
Security teams have been automating vulnerability discovery for years=2C=
investing heavily in fuzzing infrastructure and custom harnesses to find=
bugs at scale. But what stood out in early testing is how quickly Opus 4.=
6 found vulnerabilities out of the box without task-specific tooling=2C cu= stom scaffolding=2C or specialized prompting. Even more interesting is how=
it found them. Fuzzers work by throwing massive amounts of random inputs=
at code to see what breaks. Opus 4.6 reads and reasons about code the way=
a human researcher would -- looking at past fixes to find similar bugs th=
at weren=E2=80=99t addressed=2C spotting patterns that tend to cause probl= ems=2C or understanding a piece of logic well enough to know exactly what=
input would break it. When we pointed Opus 4.6 at some of the most well-t= ested codebases (projects that have had fuzzers running against them for y= ears=2C <a href=3D"https://google.github.io/oss-fuzz/research/llms/target_= generation/">accumulating millions of hours of CPU time</a>)=2C Opus 4.6 f= ound high-severity vulnerabilities=2C some that had gone undetected for de= cades.</p></blockquote>

<p>The details of how Claude Opus 4.6 found these zero-days is the interes= ting part -- read the whole blog post.</p>

<p>News <a href=3D"https://gizmodo.com/anthropic-launches-new-model-that-s= pots-zero-days-makes-wall-street-traders-lose-their-minds-2000718648">arti= cle</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg17"><a name=3D"cg17"= >AI-Generated Text and the Detection Arms Race</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/the-ai-genera= ted-text-arms-race.html"><strong>[2026.02.10]</strong></a> In 2023=2C the=
science fiction literary magazine <cite>Clarkesworld</cite> <a href=3D"ht= tps://www.npr.org/2023/02/24/1159286436/ai-chatbot-chatgpt-magazine-clarke= sworld-artificial-intelligence">stopped accepting</a> new submissions beca=
use so many were generated by artificial intelligence. Near as the editors=
could tell=2C many submitters pasted the magazine=E2=80=99s detailed stor=
y guidelines into an AI and sent in the results. And they weren=E2=80=99t=
alone. Other fiction magazines have also <a href=3D"https://www.theverge.= com/2023/2/25/23613752/ai-generated-short-stories-literary-magazines-clark= esworld-science-fiction">reported a high number</a> of AI-generated submis= sions.</p>

<p>This is only one example of a ubiquitous trend. A legacy system relied=
on the difficulty of writing and cognition to limit volume. Generative AI=
overwhelms the system because the humans on the receiving end can=E2=80=
=99t keep up.</p>

<p>This is happening everywhere. Newspapers are being inundated by AI-gene= rated <a href=3D"https://www.nytimes.com/2025/11/04/science/letters-to-the= -editor-ai-chatbots.html">letters to the editor</a>=2C as are <a href=3D"h= ttps://www.marketplace.org/episode/2025/11/24/ai-generated-letters-to-the-= editor-are-flooding-academic-publications">academic journals</a>. Lawmaker=
s are inundated with AI-generated <a href=3D"https://government.cornell.ed= u/news/lawmakers-struggle-differentiate-ai-and-human-emails">constituent c= omments</a>. Courts around the world are flooded with AI-generated <a href= =3D"https://www.law.com/international-edition/2025/11/25/courts-being-floo= ded-by-wordy-ai-generated-documents-report-finds/">filings</a>=2C particul= arly by people representing themselves. AI conferences are <a href=3D"http= s://futurism.com/artificial-intelligence/ai-research-papers-slop">flooded<=

with AI-generated research papers. Social media <a href=3D"https://www=

=2Eapp.com/story/news/2025/12/07/how-to-deal-with-fake-ai-stories-popping-up= -on-facebook-social-media/87629867007/">is</a> <a href=3D"https://www.nyti= mes.com/2025/12/08/technology/ai-slop-sora-social-media.html">flooded</a>=
with <a href=3D"https://www.cyberlink.com/blog/photo-marketing-business/3= 828/best-ai-social-media-post-generator">AI posts</a>. In <a href=3D"https= ://time.com/7338205/rage-against-ai-generated-music/">music</a>=2C <a href= =3D"https://github.com/orgs/community/discussions/159749">open source soft= ware</a>=2C <a href=3D"https://www.newyorker.com/magazine/2025/07/07/the-e= nd-of-the-english-paper">education</a>=2C <a href=3D"https://bsky.app/prof= ile/eliothiggins.bsky.social/post/3m5yh2gjlj22b">investigative journalism<=

and <a href=3D"https://www.nytimes.com/2025/06/21/business/dealbook/ai=

-job-applications.html">hiring</a>=2C it=E2=80=99s the same story.</p>

<p>Like <cite>Clarkesworld</cite>=E2=80=99s initial response=2C some of th=
ese institutions shut down their submissions processes. Others have met th=
e offensive of AI inputs with some defensive response=2C often involving a=
counteracting use of AI. Academic <a href=3D"https://doi.org/10.1038/d415= 86-025-03506-6">peer reviewers</a> increasingly use AI to evaluate papers=
that may have been generated by AI. Social media platforms turn to <a hre= f=3D"https://www.integrityinstitute.org/blog/how-generative-ai-makes-conte= nt-moderation-both-harder-and-easier">AI moderators</a>. Court systems use=
AI to <a href=3D"https://restofworld.org/2025/brazil-ai-courts-lawsuits/"= >triage and process</a> litigation volumes supercharged by AI. Employers t=
urn to <a href=3D"https://www.forbes.com/sites/mariagraciasantillanalinare= s/2025/12/16/job-applicant-fraud-is-rising-this-startup-is-using-ai-to-sto= p-it/">AI tools</a> to review candidate applications. Educators use AI not=
just to <a href=3D"https://www.cnn.com/2024/04/06/tech/teachers-grading-a= i">grade papers</a> and <a href=3D"https://www.behind-the-enemy-lines.com/= 2025/12/fighting-fire-with-fire-scalable-oral.html">administer exams</a>=
=2C but as a <a href=3D"https://wacclearinghouse.org/repository/collection= s/textgened/rhetorical-engagements/using-llms-as-peer-reviewers-for-revisi= ng-essays/">feedback</a> tool for students.</p>

<p>These are all arms races: rapid=2C adversarial iteration to apply a com=
mon technology to opposing purposes. Many of these arms races have clearly=
deleterious effects. Society suffers if the courts are clogged with frivo= lous=2C AI-manufactured cases. There is also harm if the established measu=
res of academic performance -- publications and citations -- accrue to tho=
se researchers most willing to fraudulently submit AI-written letters and=
papers rather than to those whose ideas have the most impact. The fear is=
that=2C in the end=2C fraudulent behavior enabled by AI will undermine sy= stems and institutions that society relies on.</p>

<h3 style=3D"font-size:110%;font-weight:bold">Upsides of AI</h3>

<p>Yet some of these AI arms races have surprising hidden upsides=2C and t=
he hope is that at least some institutions will be able to change in ways=
that make them stronger.</p>

<p>Science seems likely to become stronger thanks to AI=2C yet it faces a=
problem when the AI makes mistakes. Consider the example of <a href=3D"ht= tps://theconversation.com/a-weird-phrase-is-plaguing-scientific-papers-and= -we-traced-it-back-to-a-glitch-in-ai-training-data-254463">nonsensical</a>=
=2C AI-generated phrasing filtering into scientific papers.</p>

<p>A scientist using an AI to assist in writing an academic paper can be a=
good thing=2C if used carefully and with disclosure. AI is increasingly a=
<a href=3D"https://www.nature.com/articles/s43588-025-00890-x">primary to= ol</a> in scientific research: for reviewing literature=2C programming and=
for coding and analyzing data. And for many=2C it has become a crucial su= pport for expression and scientific communication. Pre-AI=2C better-funded=
researchers could hire humans to help them write their academic papers. F=
or many authors whose primary language is not English=2C hiring this kind=
of assistance has been an expensive <a href=3D"https://doi.org/10.1098/rs= pb.2023.2840">necessity</a>. AI provides it to everyone.</p>

<p>In fiction=2C fraudulently submitted AI-generated works cause harm=2C b=
oth to the human authors now subject to increased competition and to those=
readers who may feel defrauded after unknowingly reading the work of a ma= chine. But some outlets may welcome AI-assisted submissions with appropria=
te disclosure and under particular guidelines=2C and leverage AI to evalua=
te them against criteria like originality=2C fit and quality.</p>

<p>Others may refuse AI-generated work=2C but this will come at a cost. It= =E2=80=99s unlikely that any human editor or technology can sustain an abi= lity to differentiate human from machine writing. Instead=2C outlets that=
wish to exclusively publish humans will need to limit submissions to a se=
t of authors they trust to not use AI. If these policies are transparent=
=2C readers can pick the format they prefer and read happily from either o=
r both types of outlets.</p>

<p>We also don=E2=80=99t see any problem if a job seeker uses AI to polish=
their resumes or write better cover letters: The wealthy and privileged h=
ave long had access to human assistance for those things. But it crosses t=
he line when AIs are used to <a href=3D"https://www.cbsnews.com/news/fake-= job-seekers-flooding-market-artificial-intelligence/">lie</a> about identi=
ty and experience=2C or to <a href=3D"https://www.theatlantic.com/technolo= gy/2025/10/ai-cheating-job-interviews-fraud/684568/">cheat</a> on job inte= rviews.</p>

<p>Similarly=2C a democracy requires that its citizens be able to express=
their opinions to their representatives=2C or to each other through a med=
ium like the newspaper. The rich and powerful have long been able to hire=
writers to turn their ideas into persuasive prose=2C and AIs providing th=
at assistance to more people is a good thing=2C in our view. Here=2C AI mi= stakes and bias can be harmful. Citizens may be using AI for more than jus=
t a time-saving shortcut; it may be augmenting their knowledge and capabil= ities=2C generating statements about historical=2C legal or policy factors=
they can=E2=80=99t reasonably be expected to independently check.</p>

<h3 style=3D"font-size:110%;font-weight:bold">Fraud booster</h3>

<p>What we don=E2=80=99t want is for lobbyists to use AIs in astroturf cam= paigns=2C writing multiple letters and passing them off as individual opin= ions. This=2C too=2C is an <a href=3D"https://www.washingtonpost.com/polit= ics/2021/05/14/millions-fake-commenters-asked-fcc-end-net-neutrality-astro= turfing-is-business-model/">older problem</a> that AIs are making worse.</=


<p>What differentiates the positive from the negative here is not any inhe= rent aspect of the technology=2C it=E2=80=99s the power dynamic. The same=
technology that reduces the effort required for a citizen to share their=
lived experience with their legislator also enables corporate interests t=
o misrepresent the public at scale. The former is a power-equalizing appli= cation of AI that enhances participatory democracy; the latter is a power-= concentrating application that threatens it.</p>

<p>In general=2C we believe writing and cognitive assistance=2C long avail= able to the rich and powerful=2C should be available to everyone. The prob=
lem comes when AIs make fraud easier. Any response needs to balance embrac=
ing that newfound democratization of access with preventing fraud.</p>

<p>There=E2=80=99s no way to turn this technology off. Highly capable AIs=
are widely available and can run on a laptop. Ethical guidelines and clea=
r professional boundaries can help -- for those acting in good faith. But=
there won=E2=80=99t ever be a way to totally stop academic writers=2C job=
seekers or citizens from using these tools=2C either as legitimate assist= ance or to commit fraud. This means more comments=2C more letters=2C more=
applications=2C more submissions.</p>

<p>The problem is that whoever is on the receiving end of this AI-fueled d= eluge can=E2=80=99t deal with the increased volume. What can help is devel= oping assistive AI tools that benefit institutions and society=2C while al=
so limiting fraud. And that may mean embracing the use of AI assistance in=
these adversarial systems=2C even though the defensive AI will never achi=
eve supremacy.</p>

<h3 style=3D"font-size:110%;font-weight:bold">Balancing harms with benefit= s</h3>

<p>The science fiction community has been wrestling with AI since 2023. <c= ite>Clarkesworld</cite> eventually reopened submissions=2C <a href=3D"http= s://www.postalley.org/2024/06/04/the-big-sort-how-will-ai-affect-submissio= ns-to-magazines/">claiming</a> that it has an adequate way of separating h= uman- and AI-written stories. No one knows how long=2C or how well=2C that=
will continue to work.</p>

<p>The arms race continues. There is no simple way to tell whether the pot= ential benefits of AI will outweigh the harms=2C now or in the future. But=
as a society=2C we can influence the balance of harms it wreaks and oppor= tunities it presents as we muddle our way through the changing technologic=
al landscape.</p>

<p><a href=3D"https://theconversation.com/ai-generated-text-is-overwhelmin= g-institutions-setting-off-a-no-win-arms-race-with-ai-detectors-274720"><e= m>This essay was written with Nathan E. Sanders=2C and originally appeared=
in The Conversation.</em></a></p>

<p>EDITED TO ADD: This essay has been translated into <a href=3D"https://w= ww.elconfidencial.com/tecnologia/novaceno/2026-02-07/ia-derriba-sociedad-e= ducacion-legal-medios_4298791/">Spanish</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg18"><a name=3D"cg18"= >Prompt Injection Via Road Signs</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/prompt-inject= ion-via-road-signs.html"><strong>[2026.02.11]</strong></a> Interesting re= search: =E2=80=9C<a href=3D"https://arxiv.org/pdf/2510.00181">CHAI: Comman=
d Hijacking Against Embodied AI</a>.=E2=80=9D</p>

<blockquote><p><b>Abstract:</b> Embodied Artificial Intelligence (AI) prom= ises to handle edge cases in robotic vehicle systems where data is scarce=
by using common-sense reasoning grounded in perception and action to gene= ralize beyond training distributions and adapt to novel real-world situati= ons. These capabilities=2C however=2C also create new security risks. In t=
his paper=2C we introduce CHAI (Command Hijacking against embodied AI)=2C=
a new class of prompt-based attacks that exploit the multimodal language=
interpretation abilities of Large Visual-Language Models (LVLMs). CHAI em= beds deceptive natural language instructions=2C such as misleading signs=
=2C in visual input=2C systematically searches the token space=2C builds a=
dictionary of prompts=2C and guides an attacker model to generate Visual=
Attack Prompts. We evaluate CHAI on four LVLM agents; drone emergency lan= ding=2C autonomous driving=2C and aerial object tracking=2C and on a real=
robotic vehicle. Our experiments show that CHAI consistently outperforms=
state-of-the-art attacks. By exploiting the semantic and multimodal reaso= ning strengths of next-generation embodied AI systems=2C CHAI underscores=
the urgent need for defenses that extend beyond traditional adversarial r= obustness.</p></blockquote>

<p>News <a href=3D"https://www.theregister.com/2026/01/30/road_sign_hijack= _ai/">article</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg19"><a name=3D"cg19"= ><i>Rewiring Democracy</i> Ebook is on Sale</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/rewiring-demo= cracy-ebook-is-on-sale.html"><strong>[2026.02.11]</strong></a> I just not=
iced that the ebook version of <a href=3D"https://www.schneier.com/books/r= ewiring-democracy/"><cite>Rewiring Democracy</cite></a> is on sale for $5=
on <a href=3D"https://www.amazon.com/gp/product/B0DTNZ2H86">Amazon</a>=2C=
<a href=3D"https://books.apple.com/us/book/rewiring-democracy/id674083980= 8">Apple Books</a>=2C <a href=3D"https://www.barnesandnoble.com/w/rewiring= -democracy-bruce-schneier/1146990469?ean=3D9780262384407">Barnes &amp; Nob= le</a>=2C <a href=3D"https://www.booksamillion.com/p/Rewiring-Democracy/Br= uce-Schneier/Q247907742">Books A Million</a>=2C <a href=3D"https://play.go= ogle.com/store/books/details?id=3DQcNAEQAAQBAJ">Google Play</a>=2C <a href= =3D"https://www.kobo.com/us/en/ebook/rewiring-democracy">Kobo</a>=2C and p= resumably everywhere else in the US. I have no idea how long this will las= t.</p>

<p>Also=2C Amazon has a <a href=3D"https://www.amazon.com/Rewiring-Democra= cy-Transform-Government-Citizenship/dp/0262049945">coupon</a> that brings=
the hardcover price down to $20. You=E2=80=99ll see the discount at check= out.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg20"><a name=3D"cg20"=

3D Printer Surveillance</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/3d-printer-su= rveillance.html"><strong>[2026.02.12]</strong></a> New York is <a href=3D= "https://blog.adafruit.com/2026/02/03/new-york-wants-to-ctrlaltdelete-your= -3d-printer/">contemplating</a> a bill that adds surveillance to 3D printe= rs:</p>

<blockquote><p>New York=E2=80=99s 20262027 executive budget bill (S.9005 /=
A.10005) includes language that should alarm every maker=2C educator=2C a=
nd small manufacturer in the state. Buried in Part C is a provision requir=
ing all 3D printers sold or delivered in New York to include =E2=80=9Cbloc= king technology.=E2=80=9D This is defined as software or firmware that <i>= scans every print file</i> through a =E2=80=9Cfirearms blueprint detection=
algorithm=E2=80=9D and refuses to print anything it flags as a potential=
firearm or firearm component.</p></blockquote>

<p>I get the policy goals here=2C but the solution just won=E2=80=99t work=
=2E It=E2=80=99s the same problem as DRM: trying to prevent general-purpose=
computers from doing specific things. Cory Doctorow <a href=3D"https://bo= ingboing.net/2018/03/22/yellow-dots-cubed.html">wrote about it</a> in 2018=
and -- more generally -- <a href=3D"https://github.com/jwise/28c3-doctoro= w/blob/master/transcript.md">spoke about it</a> in 2011.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg21"><a name=3D"cg21"= >Upcoming Speaking Engagements</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2026/02/upcoming-spea= king-engagements-53.html"><strong>[2026.02.14]</strong></a> This is a cur=
rent list of where and when I am scheduled to speak:</p>



<li>I=E2=80=99m speaking at <a href=3D"https://mindfulai.ca/events/mai= ri-featured-speaker-bruce-schneier-integrity-in-a-world-of-ai.php">Ontario=
Tech University</a> in Oshawa=2C Ontario=2C Canada=2C at 2 PM ET on Thurs= day=2C February 26=2C 2026.</li>

<li>I=E2=80=99m speaking at the <a href=3D"https://www.kwaai.ai/summit= 2026">Personal AI Summit</a> in Los Angeles=2C California=2C USA=2C on Thu= rsday=2C March 5=2C 2026.</li>

<li>I=E2=80=99m speaking at <a href=3D"https://techlivecyber.wsj.com/?= gaa_at=3Deafs&gaa_n=3DAWEtsqf9GP4etUdWaqDIATpiE9ycqWMIVoGIzjikYLlJ64hb6H_v= 1QH9OYhMTxeU51U%3D&gaa_ts=3D691df89d&gaa_sig=3DBG9fpWuP-liL7Gi3SJgXHmS02M4= ob6lp6nOh94qnwVXCWYNzJxdzOiW365xA8vKeiulrErE8mbXDvKTcqktBtQ%3D%3D">Tech Li=
ve: Cybersecurity</a> in New York City=2C USA=2C on Wednesday=2C March 11=
=2C 2026.</li>

<li>I=E2=80=99m giving the <a href=3D"https://www.chu.cam.ac.uk/event/= computer-science-lecture-2026/">Ross Anderson Lecture</a> at the Universit=
y of Cambridge=E2=80=99s Churchill College at 5:30 PM GMT on Thursday=2C M= arch 19=2C 2026.</li>

<li>I=E2=80=99m speaking at <a href=3D"https://www.rsaconference.com/u= sa">RSAC 2026</a> in San Francisco=2C California=2C USA=2C on Wednesday=2C=
March 25=2C 2026.</li>
</ul>

<p>The list is maintained on <a href=3D"https://www.schneier.com/events/">= this page</a>.</p>


<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=




<p>Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing=
summaries=2C analyses=2C insights=2C and commentaries on security technol= ogy. To subscribe=2C or to read back issues=2C see <a href=3D"https://www.= schneier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>

<p>You can also read these articles on my blog=2C <a href=3D"https://www.s= chneier.com">Schneier on Security</a>.</p>

<p>Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to co= lleagues and friends who will find it valuable. Permission is also granted=
to reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.</p>

<p><span style=3D"font-style: italic">Bruce Schneier is an internationally=
renowned security technologist=2C called a security guru by the <cite sty= le=3D"font-style:normal">Economist</cite>. He is the author of over one do=
zen books -- including his latest=2C <a href=3D"https://www.schneier.com/b= ooks/rewiring-democracy/"><cite style=3D"font-style:normal">Rewiring Democ= racy</cite></a> -- as well as hundreds of articles=2C essays=2C and academ=
ic papers. His newsletter and blog are read by over 250=2C000 people. Schn= eier is a fellow at the Berkman Klein Center for Internet & Society at Har= vard University; a Lecturer in Public Policy at the Harvard Kennedy School=
; a board member of the Electronic Frontier Foundation=2C AccessNow=2C and=
the Tor Project; and an Advisory Board Member of the Electronic Privacy I= nformation Center and VerifiedVoting.org. He is the Chief of Security Arch= itecture at Inrupt=2C Inc.</span></p>

<p>Copyright &copy; 2026 by Bruce Schneier.</p>


<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=

<p>Mailing list hosting graciously provided by <a href=3D"https://mailchim= p.com/">MailChimp</a>. Sent without web bugs or link tracking.</p>
<p>This email was sent to: cryptogram@toolazy.synchro.net
<br><em>You are receiving this email because you subscribed to the Crypto-= Gram newsletter.</em></p>

<p><a style=3D"display:inline-block" href=3D"https://schneier.us18.list-ma= nage.com/unsubscribe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e= =3D70f249ec14&c=3De5a5eb62ba">unsubscribe from this list</a>&nbsp;&nbsp;&nbs= p;&nbsp;<a style=3D"display:inline-block" href=3D"https://schneier.us18.li= st-manage.com/profile?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3De5a5eb62ba">update subscription preferences</a>
<br>Bruce Schneier &middot; Harvard Kennedy School &middot; 1 Brattle Squa=
re &middot; Cambridge=2C MA 02138 &middot; USA</p>


</body></html>
--_----------=_MCPart_768092142--