This is a multi-part message in MIME format
--_----------=_MCPart_1184803371
Content-Type: text/plain; charset="utf-8"; format="fixed" Content-Transfer-Encoding: quoted-printable
** CRYPTO-GRAM
MARCH 15=2C 2026
------------------------------------------------------------
by Bruce Schneier
Fellow and Lecturer=2C Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com
A free monthly newsletter providing summaries=2C analyses=2C insights=2C a=
nd commentaries on security: computer and otherwise.
For back issues=2C or to subscribe=2C visit Crypto-Gram's web page [https= ://www.schneier.com/crypto-gram/].
Read this issue on the web [
https://www.schneier.com/crypto-gram/archives= /2026/0315.html]
These same essays and news items appear in the Schneier on Security [http= s://www.schneier.com/] blog=2C along with a lively and intelligent comment=
section. An RSS feed is available.
** *** ***** ******* *********** *************
** IN THIS ISSUE:
------------------------------------------------------------
1. The Promptware Kill Chain
2. Side-Channel Attacks Against LLMs
3. AI Found Twelve New Vulnerabilities in OpenSSL
4. Malicious AI
5. Ring Cancels Its Partnership with Flock
6. On the Security of Password Managers
7. Is AI Good for Democracy?
8. Poisoning AI Training Data
9. LLMs Generate Predictable Passwords
10. Phishing Attacks Against People Seeking Programming Jobs
11. Why Tehran=E2=80=99s Two-Tiered Internet Is So Dangerous
12. LLM-Assisted Deanonymization
13. On Moltbook
14. Manipulating AI Summarization Features
15. Hacked App Part of US/Israeli Propaganda Campaign Against Iran
16. Israel Hacked Traffic Cameras in Iran
17. Claude Used to Hack Mexican Government
18. Anthropic and the Pentagon
19. New Attack Against Wi-Fi
20. Jailbreaking the F-35 Fighter Jet
21. Canada Needs Nationalized=2C Public AI
22. iPhones and iPads Approved for NATO Classified Data
23. Academia and the "AI Brain Drain"
24. Upcoming Speaking Engagements
** *** ***** ******* *********** *************
** THE PROMPTWARE KILL CHAIN ------------------------------------------------------------
[2026.02.16] [
https://www.schneier.com/blog/archives/2026/02/the-promptw= are-kill-chain.html] Attacks against modern generative artificial intellig= ence (AI) large language models (LLMs) pose a real threat. Yet discussions=
around these attacks and their potential defenses are dangerously myopic.=
The dominant narrative focuses on =E2=80=9Cprompt injection [
https://sim= onwillison.net/2022/Sep/12/prompt-injection/]=2C=E2=80=9D a set of techniq=
ues to embed instructions into inputs to LLM intended to perform malicious=
activity. This term suggests a simple=2C singular vulnerability. This fra= ming obscures a more complex and dangerous reality. Attacks on LLM-based s= ystems have evolved into a distinct class of malware execution mechanisms=
=2C which we term =E2=80=9Cpromptware.=E2=80=9D In a new paper [
https://a= rxiv.org/abs/2601.09625]=2C we=2C the authors=2C propose a structured seve= n-step =E2=80=9Cpromptware kill chain=E2=80=9D to provide policymakers and=
security practitioners with the necessary vocabulary and framework to add= ress the escalating AI threat landscape.
Figure: The Promptware Kill Chain [
https://www.schneier.com/wp-content/up= loads/2026/02/promptware-kill-chain.jpg]
In our model=2C the promptware kill chain begins with _Initial Access_. Th=
is is where the malicious payload enters the AI system. This can happen di= rectly=2C where an attacker types a malicious prompt into the LLM applicat= ion=2C or=2C far more insidiously=2C through =E2=80=9Cindirect prompt inje= ction.=E2=80=9D In the indirect attack=2C the adversary embeds malicious i= nstructions in content that the LLM retrieves (obtains in inference time)=
=2C such as a web page=2C an email=2C or a shared document. As LLMs become=
multimodal (capable of processing various input types beyond text)=2C thi=
s vector expands even further; malicious instructions can now be hidden in= side an image or audio file=2C waiting to be processed by a vision-languag=
e model.
The fundamental issue lies in the architecture of LLMs themselves. Unlike=
traditional computing systems that strictly separate executable code from=
user data=2C LLMs process all input -- whether it is a system command=2C=
a user=E2=80=99s email=2C or a retrieved document -- as a single=2C undif= ferentiated sequence of tokens. There is no architectural boundary to enfo=
rce a distinction between trusted instructions and untrusted data. Consequ= ently=2C a malicious instruction embedded in a seemingly harmless document=
is processed with the same authority as a system command.
But prompt injection is only the _Initial Access_ step in a sophisticated=
=2C multistage operation that mirrors traditional malware campaigns such a=
s Stuxnet or NotPetya.
Once the malicious instructions are inside material incorporated into the=
AI=E2=80=99s learning=2C the attack transitions to _Privilege Escalation_=
=2C often referred to as =E2=80=9Cjailbreaking.=E2=80=9D In this phase=2C=
the attacker circumvents the safety training and policy guardrails that v= endors such as OpenAI or Google have built into their models. Through tech= niques analogous to social engineering -- convincing the model to adopt a=
persona that ignores rules -- to sophisticated adversarial suffixes in th=
e prompt or data=2C the promptware tricks the model into performing action=
s it would normally refuse. This is akin to an attacker escalating from a=
standard user account to administrator privileges in a traditional cybera= ttack; it unlocks the full capability of the underlying model for maliciou=
s use.
Following privilege escalation comes _Reconnaissance_. Here=2C the attack=
manipulates the LLM to reveal information about its assets=2C connected s= ervices=2C and capabilities. This allows the attack to advance autonomousl=
y down the kill chain without alerting the victim. Unlike reconnaissance i=
n classical malware=2C which is performed typically before the initial acc= ess=2C promptware reconnaissance occurs after the initial access and jailb= reaking components have already succeeded. Its effectiveness relies entire=
ly on the victim model=E2=80=99s ability to reason over its context=2C and=
inadvertently turns that reasoning to the attacker=E2=80=99s advantage.
Fourth: the _Persistence_ phase. A transient attack that disappears after=
one interaction with the LLM application is a nuisance; a persistent one=
compromises the LLM application for good. Through a variety of mechanisms=
=2C promptware embeds itself into the long-term memory of an AI agent or p= oisons the databases the agent relies on. For instance=2C a worm could inf=
ect a user=E2=80=99s email archive so that every time the AI summarizes pa=
st emails=2C the malicious code is re-executed.
The _Command-and-Control (C2)_ stage relies on the established persistence=
and dynamic fetching of commands by the LLM application in inference time=
from the internet. While not strictly required to advance the kill chain=
=2C this stage enables the promptware to evolve from a static threat with=
fixed goals and scheme determined at injection time into a controllable t= rojan whose behavior can be modified by an attacker.
The sixth stage=2C _Lateral Movement_=2C is where the attack spreads from=
the initial victim to other users=2C devices=2C or systems. In the rush t=
o give AI agents access to our emails=2C calendars=2C and enterprise platf= orms=2C we create highways for malware propagation. In a =E2=80=9Cself-rep= licating=E2=80=9D attack=2C an infected email assistant is tricked into fo= rwarding the malicious payload to all contacts=2C spreading the infection=
like a computer virus. In other cases=2C an attack might pivot from a cal= endar invite to controlling smart home devices or exfiltrating data from a=
connected web browser. The interconnectedness that makes these agents use=
ful is precisely what makes them vulnerable to a cascading failure.
Finally=2C the kill chain concludes with _Actions on Objective_. The goal=
of promptware is not just to make a chatbot say something offensive; it i=
s often to achieve tangible malicious outcomes through data exfiltration=
=2C financial fraud=2C or even physical world impact. There are examples o=
f AI agents being manipulated [
https://crypto.news/aixbt-agent-hacked-los= ing-55eth-aixbt-token-drops-2025/] into selling cars for a single dollar o=
r transferring cryptocurrency [
https://crypto.news/aixbt-agent-hacked-los= ing-55eth-aixbt-token-drops-2025/] to an attacker=E2=80=99s wallet. Most a= larmingly=2C agents with coding capabilities can be tricked into executing=
arbitrary code=2C granting the attacker total control over the AI=E2=80=
=99s underlying system. The outcome of this stage determines the type of m= alware executed by promptware=2C including infostealer=2C spyware=2C and c= ryptostealer=2C among others.
The kill chain was already demonstrated. For example=2C in the research=
=E2=80=9CInvitation Is All You Need [
https://arxiv.org/abs/2508.12175]= =2C=E2=80=9D attackers achieved initial access by embedding a malicious pr= ompt in the title of a Google Calendar invitation. The prompt then leverag=
ed an advanced technique known as delayed tool invocation to coerce the LL=
M into executing the injected instructions. Because the prompt was embedde=
d in a Google Calendar artifact=2C it persisted in the long-term memory of=
the user=E2=80=99s workspace. Lateral movement occurred when the prompt i= nstructed the Google Assistant to launch the Zoom application=2C and the f= inal objective involved covertly livestreaming video of the unsuspecting u=
ser who had merely asked about their upcoming meetings. C2 and reconnaissa=
nce weren=E2=80=99t demonstrated in this attack.
Similarly=2C the =E2=80=9CHere Comes the AI Worm [
https://dl.acm.org/doi/= 10.1145/3719027.3765196]=E2=80=9D research demonstrated another end-to-end=
realization of the kill chain. In this case=2C initial access was achieve=
d via a prompt injected into an email sent to the victim. The prompt emplo=
yed a role-playing technique to compel the LLM to follow the attacker=E2= =80=99s instructions. Since the prompt was embedded in an email=2C it like= wise persisted in the long-term memory of the user=E2=80=99s workspace. Th=
e injected prompt instructed the LLM to replicate itself and exfiltrate se= nsitive user data=2C leading to off-device lateral movement when the email=
assistant was later asked to draft new emails. These emails=2C containing=
sensitive information=2C were subsequently sent by the user to additional=
recipients=2C resulting in the infection of new clients and a sublinear p= ropagation of the attack. C2 and reconnaissance weren=E2=80=99t demonstrat=
ed in this attack.
The promptware kill chain gives us a framework for understanding these and=
similar attacks; the paper characterizes dozens of them. Prompt injection=
isn=E2=80=99t something we can fix in current LLM technology. Instead=2C=
we need an in-depth defensive strategy that assumes initial access will o= ccur and focuses on breaking the chain at subsequent steps=2C including by=
limiting privilege escalation=2C constraining reconnaissance=2C preventin=
g persistence=2C disrupting C2=2C and restricting the actions an agent is=
permitted to take. By understanding promptware as a complex=2C multistage=
malware campaign=2C we can shift from reactive patching to systematic ris=
k management=2C securing the critical systems we are so eager to build.
_This essay was written with Oleg Brodt=2C Elad Feldman and Ben Nassi=2C a=
nd originally appeared in Lawfare [
https://www.lawfaremedia.org/article/t= he-promptware-kill-chain]._
** *** ***** ******* *********** *************
** SIDE-CHANNEL ATTACKS AGAINST LLMS ------------------------------------------------------------
[2026.02.17] [
https://www.schneier.com/blog/archives/2026/02/side-channe= l-attacks-against-llms.html] Here are three papers describing different si= de-channel attacks against LLMs.
=E2=80=9CRemote Timing Attacks on Efficient Language Model Inference [htt= ps://arxiv.org/html/2410.17175v1]=E2=80=9C:
Abstract: Scaling up language models has significantly increased their c=
apabilities. But larger models are slower models=2C and so there is now an=
extensive body of work (e.g.=2C speculative sampling or parallel decoding=
) that improves the (average case) efficiency of language model generation=
=2E But these techniques introduce data-dependent timing characteristics. We=
show it is possible to exploit these timing differences to mount a timing=
attack. By monitoring the (encrypted) network traffic between a victim us=
er and a remote language model=2C we can learn information about the conte=
nt of messages by noting when responses are faster or slower. With complet=
e black-box access=2C on open source systems we show how it is possible to=
learn the topic of a user=E2=80=99s conversation (e.g.=2C medical advice=
vs. coding assistance) with 90%+ precision=2C and on production systems l=
ike OpenAI=E2=80=99s ChatGPT and Anthropic=E2=80=99s Claude we can disting= uish between specific messages or infer the user=E2=80=99s language. We fu= rther show that an active adversary can leverage a boosting attack to reco=
ver PII placed in messages (e.g.=2C phone numbers or credit card numbers)=
for open source systems. We conclude with potential defenses and directio=
ns for future work.
=E2=80=9CWhen Speculation Spills Secrets: Side Channels via Speculative De= coding in LLMs [
https://openreview.net/pdf?id=3Dzq40cmz1JD]=E2=80=9C:
Abstract: Deployed large language models (LLMs) often rely on speculativ=
e decoding=2C a technique that generates and verifies multiple candidate t= okens in parallel=2C to improve throughput and latency. In this work=2C we=
reveal a new side-channel whereby input-dependent patterns of correct and=
incorrect speculations can be inferred by monitoring per-iteration token=
counts or packet sizes. In evaluations using research prototypes and prod= uction-grade vLLM serving frameworks=2C we show that an adversary monitori=
ng these patterns can fingerprint user queries (from a set of 50 prompts)=
with over 75% accuracy across four speculative-decoding schemes at temper= ature 0.3: REST (100%)=2C LADE (91.6%)=2C BiLD (95.2%)=2C and EAGLE (77.6%=
). Even at temperature 1.0=2C accuracy remains far above the 2% random bas= eline -- REST (99.6%)=2C LADE (61.2%)=2C BiLD (63.6%)=2C and EAGLE (24%).=
We also show the capability of the attacker to leak confidential datastor=
e contents used for prediction at rates exceeding 25 tokens/sec. To defend=
against these=2C we propose and evaluate a suite of mitigations=2C includ=
ing packet padding and iteration-wise token aggregation.
=E2=80=9CWhisper Leak: a side-channel attack on Large Language Models [ht= tps://arxiv.org/abs/2511.03675]=E2=80=9C:
Abstract: Large Language Models (LLMs) are increasingly deployed in sens=
itive domains including healthcare=2C legal services=2C and confidential c= ommunications=2C where privacy is paramount. This paper introduces Whisper=
Leak=2C a side-channel attack that infers user prompt topics from encrypt=
ed LLM traffic by analyzing packet size and timing patterns in streaming r= esponses. Despite TLS encryption protecting content=2C these metadata patt= erns leak sufficient information to enable topic classification. We demons= trate the attack across 28 popular LLMs from major providers=2C achieving=
near-perfect classification (often >98% AUPRC) and high precision even at=
extreme class imbalance (10=2C000:1 noise-to-target ratio). For many mode= ls=2C we achieve 100% precision in identifying sensitive topics like =E2= =80=9Cmoney laundering=E2=80=9D while recovering 5-20% of target conversat= ions. This industry-wide vulnerability poses significant risks for users u= nder network surveillance by ISPs=2C governments=2C or local adversaries.=
We evaluate three mitigation strategies -- random padding=2C token batchi= ng=2C and packet injection -- finding that while each reduces attack effec= tiveness=2C none provides complete protection. Through responsible disclos= ure=2C we have collaborated with providers to implement initial countermea= sures. Our findings underscore the need for LLM providers to address metad=
ata leakage as AI systems handle increasingly sensitive information.
** *** ***** ******* *********** *************
** AI FOUND TWELVE NEW VULNERABILITIES IN OPENSSL ------------------------------------------------------------
[2026.02.18] [
https://www.schneier.com/blog/archives/2026/02/ai-found-tw= elve-new-vulnerabilities-in-openssl.html] The title of the post is=E2=80= =9DWhat AI Security Research Looks Like When It Works [
https://aisle.com/= blog/what-ai-security-research-looks-like-when-it-works]=2C=E2=80=9D and I=
agree:
In the latest OpenSSL security release> [https://openssl-library.org/ne=
ws/vulnerabilities/] on January 27=2C 2026=2C twelve new zero-day vulnerab= ilities (meaning unknown to the maintainers at time of disclosure) were an= nounced. Our AI system is responsible for the original discovery of all tw= elve=2C each found and responsibly disclosed to the OpenSSL team during th=
e fall and winter of 2025. Of those=2C 10 were assigned CVE-2025 identifie=
rs and 2 received CVE-2026 identifiers. Adding the 10 to the three we alre=
ady found in the Fall 2025 release [
https://aisle.com/blog/aisle-discover= s-three-of-the-four-openssl-vulnerabilities-of-2025]=2C AISLE is credited=
for surfacing 13 of 14 OpenSSL CVEs assigned in 2025=2C and 15 total acro=
ss both releases. This is a historically unusual concentration for any sin=
gle research team=2C let alone an AI-driven one.
These weren=E2=80=99t trivial findings either. They included CVE-2025-15=
467 [
https://aisle.com/blog/openssl-stack-overflow-cve-2025-15467-deep-di= ve]=2C a stack buffer overflow in CMS message parsing that=E2=80=99s poten= tially remotely exploitable without valid key material=2C and exploits for=
which have been quickly developed online. OpenSSL rated it HIGH severity;=
NIST [
https://nvd.nist.gov/vuln/detail/CVE-2025-15467]=E2=80=98s CVSS v3=
score is 9.8 out of 10 (CRITICAL=2C an extremely rare severity rating for=
such projects). Three of the bugs had been present since 1998-2000=2C for=
over a quarter century having been missed by intense machine and human ef= fort alike. One predated OpenSSL itself=2C inherited from Eric Young=E2=80= =99s original SSLeay implementation in the 1990s. All of this in a codebas=
e that has been fuzzed for millions of CPU-hours and audited extensively f=
or over two decades by teams including Google=E2=80=99s.
In five of the twelve cases=2C our AI system directly proposed the patch=
es that were accepted into the official release.
AI vulnerability finding is changing cybersecurity=2C faster than expected=
=2E This capability will be used by both offense and defense.
More [
https://www.lesswrong.com/posts/7aJwgbMEiKq5egQbd/ai-found-12-of-12= -openssl-zero-days-while-curl-cancelled-its].
** *** ***** ******* *********** *************
** MALICIOUS AI
------------------------------------------------------------
[2026.02.19] [
https://www.schneier.com/blog/archives/2026/02/malicious-a= i.html] Interesting [
https://theshamblog.com/an-ai-agent-published-a-hit-= piece-on-me/]:
Summary: An AI agent of unknown ownership autonomously wrote and publish=
ed a personalized hit piece about me after I rejected its code=2C attempti=
ng to damage my reputation and shame me into accepting its changes into a=
mainstream python library. This represents a first-of-its-kind case study=
of misaligned AI behavior in the wild=2C and raises serious concerns abou=
t currently deployed AI agents executing blackmail threats.
Part 2 [
https://theshamblog.com/an-ai-agent-published-a-hit-piece-on-me-p= art-2/] of the story. And a _Wall Street Journal_ article [
https://www.ws= j.com/tech/ai/when-ai-bots-start-bullying-humans-even-silicon-valley-gets-= rattled-0adb04f1].
EDITED TO ADD (2/20) Here are parts 3 and 4 [
https://theshamblog.com/an-a= i-agent-wrote-a-hit-piece-on-me-part-4/] of the story.
** *** ***** ******* *********** *************
** RING CANCELS ITS PARTNERSHIP WITH FLOCK ------------------------------------------------------------
[2026.02.20] [
https://www.schneier.com/blog/archives/2026/02/ring-cancel= s-its-partnership-with-flock.html] It=E2=80=99s a demonstration of how tox=
ic the surveillance-tech company Flock has become when Amazon=E2=80=99s Ri=
ng cancels [
https://www.theverge.com/news/878447/ring-flock-partnership-c= anceled] the partnership between the two companies.
As Hamilton Nolan advises=2C remove [
https://www.hamiltonnolan.com/p/remo= ve-your-ring-camera-with-a-claw] your Ring doorbell.
** *** ***** ******* *********** *************
** ON THE SECURITY OF PASSWORD MANAGERS ------------------------------------------------------------
[2026.02.23] [
https://www.schneier.com/blog/archives/2026/02/on-the-secu= rity-of-password-managers.html] Good article [
https://arstechnica.com/sec= urity/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isn= t-always-true/] on password managers that secretly have a backdoor.
New research shows that these claims aren=E2=80=99t true in all cases=2C=
particularly when account recovery is in place or password managers are s=
et to share vaults or organize users into groups. The researchers reverse-= engineered or closely analyzed Bitwarden=2C Dashlane=2C and LastPass and i= dentified ways that someone with control over the server -- either adminis= trative or the result of a compromise -- can=2C in fact=2C steal data and=
=2C in some cases=2C entire vaults. The researchers also devised other att= acks that can weaken the encryption to the point that ciphertext can be co= nverted to plaintext.
This is where I plug my own Password Safe [
https://www.pwsafe.org/]. It i= sn=E2=80=99t as full-featured as the others and it doesn=E2=80=99t use the=
cloud at all=2C but it=E2=80=99s actual encryption with no recovery featu= res.
** *** ***** ******* *********** *************
** IS AI GOOD FOR DEMOCRACY? ------------------------------------------------------------
[2026.02.24] [
https://www.schneier.com/blog/archives/2026/02/is-ai-good-= for-democracy.html] Politicians fixate on the global race for technologica=
l supremacy between US and China. They debate geopolitical implications of=
chip exports=2C latest model releases from each country=2C and military a= pplications of AI. Someday=2C they believe=2C we might see advancements in=
AI tip the scales in a superpower conflict.
But the most important arms race of the 21st century is already happening=
elsewhere and=2C while AI is definitely the weapon of choice=2C combatant=
s are distributed across dozens of domains.
Academic journals [
https://www.marketplace.org/episode/2025/11/24/ai-gene= rated-letters-to-the-editor-are-flooding-academic-publications] are floode=
d with AI-generated papers=2C and are turning to AI to help review submiss= ions. Brazil=E2=80=99s court system [
https://restofworld.org/2025/brazil-= ai-courts-lawsuits/] started using AI to triage cases=2C only to face an i= ncreasing volume of cases filed with AI help. Open source software [https= ://github.com/orgs/community/discussions/159749] developers are being over= whelmed with code contributions from bots. Newspapers [
https://www.nytime= s.com/2025/11/04/science/letters-to-the-editor-ai-chatbots.html]=2C music=
[
https://time.com/7338205/rage-against-ai-generated-music/]=2C social me=
dia [
https://www.nytimes.com/2025/12/08/technology/ai-slop-sora-social-me= dia.html]=2C education [
https://www.newyorker.com/magazine/2025/07/07/the= -end-of-the-english-paper]=2C investigative journalism [
https://bsky.app/= profile/eliothiggins.bsky.social/post/3m5yh2gjlj22b]=2C hiring [
https://w= ww.nytimes.com/2025/06/21/business/dealbook/ai-job-applications.html]=2C a=
nd procurement [
https://federalnewsnetwork.com/artificial-intelligence/20= 25/12/ai-crafted-bid-protests-are-on-the-rise-but-whats-the-legal-fallout/=
] are all being disrupted by a massive expansion of AI use.
Each of these is an arms race. Adversaries within a system iteratively see= king an edge against their competition by continuously expanding their use=
of a common technology.
Beneficiaries of these arms races are US mega-corporations capturing wealt=
h from the rest of us at an unprecedented rate. A substantial fraction of=
global economy has reoriented [
https://www.nytimes.com/2025/11/22/busine= ss/the-ai-boom-economy.html] around AI in just the past few years=2C and t=
hat trend is accelerating [
https://www.cnbc.com/2026/02/06/google-microso= ft-meta-amazon-ai-cash.html]. In parallel=2C this industry=E2=80=99s lobby=
ing [
https://www.axios.com/2026/01/23/ai-tech-lobbying-2025] interests ar=
e quickly becoming the object=2C rather than the subject=2C of US governme=
nt power.
To understand these arms races=2C let=E2=80=99s look at an example of part= icular interest to democracies worldwide: how AI is changing the relations=
hip between democratic government and citizens. Interactions that used to=
happen between people and elected representatives are expanding to a mass=
ive scale=2C with AIs taking the roles that humans once did.
In a notorious example from 2017=2C US Federal Communications Commission o= pened a comment platform on the web to get public input on internet regula= tion. It was quickly flooded [
https://ag.ny.gov/press-release/2021/attorn= ey-general-james-issues-report-detailing-millions-fake-comments-revealing]=
with millions of comments fraudulently orchestrated by broadband provider=
s to oppose FCC regulation of their industry. From the other side=2C a 19-= yearold college student responded by submitting millions of comments of hi=
s own supporting the regulation. Both sides were using software primitive=
by the standards of today=E2=80=99s AI.
Nearly a decade later=2C it is getting harder for citizens to tell when th= ey=E2=80=99re talking to a government bot=2C or when an online conversatio=
n about public policy is just bots talking to bots. When constituents leve= rage AI to communicate better=2C faster=2C and more=2C it pressures govern= ment officials to do the same.
This may sound futuristic=2C but it=E2=80=99s become a familiar reality in=
US. Staff in US Congress [
https://www.businessinsider.com/lawmakers-grap= ple-staff-use-ai-2025-12] are using AI to make their constituent email cor= respondence more efficient. Politicians campaigning [
https://prospect.org= /2025/10/10/ai-artificial-intelligence-campaigns-midterms/] for office are=
adopting AI tools to automate fundraising and voter outreach. By one 2025=
estimate [
https://arxiv.org/pdf/2502.09747]=2C a fifth of public submiss=
ions to the Consumer Financial Protection Bureau were already being genera=
ted with AI assistance.
People and organizations are adopting AI here because it solves a real pro= blem that has made mass advocacy campaigns ineffective [
https://onlinelib= rary.wiley.com/doi/am-pdf/10.1111/rego.12318] in the past: quantity has be=
en inversely proportional to both quality and relevance. It=E2=80=99s easy=
for government agencies to dismiss general comments in favour of more spe= cific and actionable ones. That makes it hard for regular people to make t= heir voices heard. Most of us don=E2=80=99t have the time to learn the spe= cifics or to express ourselves in this kind of detail. AI makes that conte= xtualization and personalization easy. And as the volume and length of con= stituent comments grow=2C agencies turn to AI to facilitate review and res= ponse.
That=E2=80=99s the arms race. People are using AI to submit comments=2C wh=
ich requires those on the receiving end to use AI to wade through the comm= ents received. To the extent that one side does attain an advantage=2C it=
will likely be temporary. And yet=2C there is real harm created when one=
side exploits another in these adversarial systems. Constituents of democ= racies lose out if their public servants use AI-generated responses to ign=
ore and dismiss their voices rather than to listen to and include them. Sc= ientific enterprise is weakened if fraudulent papers sloppily generated by=
AI overwhelm legitimate research.
As we write in our new book=2C _Rewiring Democracy_ [
https://mitpress.mit= =2Eedu/9780262049948/rewiring-democracy/]=2C the arms race dynamic is inevit= able. Every actor in an adversarial system is incentivized and=2C in the a= bsence of new regulation in this fast moving space=2C free to use new tech= nologies to advance its own interests. Yet some of these examples are hear= tening. They signal that=2C even if you face an AI being used against you=
=2C there=E2=80=99s an opportunity to use the tech for your own benefit.
But=2C right now=2C it=E2=80=99s obvious who is benefiting most from AI. A=
handful of American Big Tech corps and their owners are extracting trilli=
ons of dollars from the manufacture of AI chips=2C development of AI data=
centers=2C and operation of so-called =E2=80=98frontier [
https://jacobin= =2Ecom/2024/02/artificial-intelligence-frontier-colonialism]=E2=80=99 AI mod= els. Regardless of which side pulls ahead in each arms race scenario=2C th=
e house always wins. Corporate AI giants profit from the race dynamic itse=
lf.
As formidable as the near-monopoly positions of today=E2=80=99s Big Tech g= iants may seem=2C people and governments have substantial capability to fi=
ght back. Various democracies are resisting this concentration of wealth a=
nd power with tools of anti-trust [
https://www.reuters.com/technology/eur= opean-regulators-crack-down-big-tech-2026-02-06/] regulation=2C protection=
s for human rights [
https://unric.org/en/protecting-human-rights-in-an-ai= -driven-world/]=2C and public alternatives [
https://ethz.ch/en/news-and-e= vents/eth-news/news/2025/09/press-release-apertus-a-fully-open-transparent= -multilingual-language-model.html] to corporate AI. All of us worried abou=
t the AI arms race and committed to preserving the interests of our commun= ities and our democracies should think in both these terms: how to use the=
tech to our own advantage=2C and how to resist the concentration of power=
AI is being exploited to create.
_This essay was written with Nathan E. Sanders=2C and originally appeared=
in The Times of India [
https://timesofindia.indiatimes.com/toi-plus/tech= nology/is-ai-good-for-democracy/articleshow/128514798.cms]._
** *** ***** ******* *********** *************
** POISONING AI TRAINING DATA ------------------------------------------------------------
[2026.02.25] [
https://www.schneier.com/blog/archives/2026/02/poisoning-a= i-training-data.html] All it takes to poison AI training data [
https://ww= w.bbc.com/future/article/20260218-i-hacked-chatgpt-and-googles-ai-and-it-o= nly-took-20-minutes] is to create a website:
I spent 20 minutes writing an article [https://tomgermain.com/hotdogs.h=
tml] on my personal website titled =E2=80=9CThe best tech journalists at e= ating hot dogs.=E2=80=9D Every word is a lie. I claimed (without evidence)=
that competitive hot-dog-eating is a popular hobby among tech reporters a=
nd based my ranking on the 2026 South Dakota International Hot Dog Champio= nship (which doesn=E2=80=99t exist). I ranked myself number one=2C obvious=
ly. Then I listed a few fake reporters and real journalists who gave me pe= rmission....
Less than 24 hours later=2C the world=E2=80=99s leading chatbots were bl=
abbering about my world-class hot dog skills. When I asked about the best=
hot-dog-eating tech journalists=2C Google parroted the gibberish from my=
website=2C both in the Gemini app and AI Overviews=2C the AI responses at=
the top of Google Search. ChatGPT did the same thing=2C though Claude=2C=
a chatbot made by the company Anthropic=2C wasn=E2=80=99t fooled.
Sometimes=2C the chatbots noted this might be a joke. I updated my artic=
le to say =E2=80=9Cthis is not satire.=E2=80=9D For a while after=2C the A=
Is seemed to take it more seriously.
These things are not trustworthy=2C and yet they are going to be widely tr= usted.
** *** ***** ******* *********** *************
** LLMS GENERATE PREDICTABLE PASSWORDS ------------------------------------------------------------
[2026.02.26] [
https://www.schneier.com/blog/archives/2026/02/llms-genera= te-predictable-passwords.html] LLMs are bad [
https://www.irregular.com/pu= blications/vibe-password-generation] at generating passwords:
There are strong noticeable patterns among these 50 passwords that can b=
e seen easily:
* All of the passwords start with a letter=2C usually uppercase G=
=2C almost always followed by the digit 7.
* Character choices are highly uneven for example=2C L =2C 9=2C m=
=2C 2=2C $ and # appeared in all 50 passwords=2C but 5 and @ only appeared=
in one password each=2C and most of the letters in the alphabet never app= eared at all.
* There are no repeating characters within any password. Probabilis=
tically=2C this would be very unlikely if the passwords were truly random=
but Claude preferred to avoid repeating characters=2C possibly because i=
t =E2=80=9Clooks like it=E2=80=99s less random=E2=80=9D.
* Claude avoided the symbol *. This could be because Claude=E2=80=
=99s output format is Markdown=2C where * has a special meaning.
* Even entire passwords repeat: In the above 50 attempts=2C there a=
re actually only 30 unique passwords. The most common password was G7$kL9#= mQ2&xP4!w=2C which repeated 18 times=2C giving this specific password a 36=
% probability in our test set; far higher than the expected probability 2-=
100 if this were truly a 100-bit password.
This result is not surprising. Password generation seems precisely the thi=
ng that LLMs shouldn=E2=80=99t be good at. But if AI agents are doing thin=
gs autonomously=2C they will be creating accounts. So this is a problem.
Actually=2C the whole process of authenticating an autonomous agent has al=
l sorts of deep problems.
News article [
https://gizmodo.com/ai-generated-passwords-are-apparently-q= uite-easy-to-crack-2000723660].
Slashdot story [
https://it.slashdot.org/story/26/02/19/1842201/llm-genera= ted-passwords-look-strong-but-crack-in-hours-researchers-find]
** *** ***** ******* *********** *************
** PHISHING ATTACKS AGAINST PEOPLE SEEKING PROGRAMMING JOBS ------------------------------------------------------------
[2026.02.27] [
https://www.schneier.com/blog/archives/2026/02/phishing-at= tacks-against-people-seeking-programming-jobs.html] This [
https://www.rev= ersinglabs.com/blog/fake-recruiter-campaign-crypto-devs] is new. North Kor=
ean hackers are posing as company recruiters=2C enticing job candidates to=
participate in coding challenges. When they run the code they are suppose=
d to work on=2C it installs malware on their system.
News article [
https://www.bleepingcomputer.com/news/security/fake-job-rec= ruiters-hide-malware-in-developer-coding-challenges/].
** *** ***** ******* *********** *************
** WHY TEHRAN=E2=80=99S TWO-TIERED INTERNET IS SO DANGEROUS ------------------------------------------------------------
[2026.02.27] [
https://www.schneier.com/blog/archives/2026/02/why-tehrans= -two-tiered-internet-is-so-dangerous.html] Iran is slowly emerging [https= ://www.theguardian.com/world/2026/jan/28/iran-appears-to-ease-internet-bla= ckout] from the most severe [
https://www.nytimes.com/2026/01/25/world/mid= dleeast/iran-internet.html] communications blackout in its history and one=
of the longest in the world. Triggered as part of January=E2=80=99s gover= nment crackdown against citizen protests nationwide=2C the regime implemen=
ted an internet shutdown [
https://www.aljazeera.com/news/2026/2/2/irans-e= conomy-falters-as-internet-shutdown-hits-people-businesses-hard] that tran= scends the standard definition of internet censorship. This was not merely=
blocking social media or foreign websites; it was a total communications=
shutdown.
Unlike previous Iranian internet shutdowns where Iran=E2=80=99s domestic i= ntranet -- the National Information Network (NIN) -- remained functional t=
o keep the banking and administrative sectors running=2C the 2026 blackout=
disrupted [
https://www.iranintl.com/en/202601273307] local infrastructur=
e as well. Mobile networks=2C text messaging services=2C and landlines wer=
e disabled -- even Starlink was blocked [
https://www.techpolicy.press/wha= t-irans-internet-shutdown-reveals-about-starlink/]. And when a few domesti=
c services became available=2C the state surgically removed social feature= s=2C such as comment sections on news sites and chat boxes in online marke= tplaces. The objective seems clear. The Iranian government aimed to atomiz=
e the population=2C preventing not just the flow of information out of the=
country but the coordination of any activity within it.
This escalation marks a strategic shift from the shutdown observed [https= ://www.nytimes.com/2025/10/17/world/middleeast/iran-shutdown-restrictions.= html] during the =E2=80=9C12-Day War=E2=80=9D with Israel in mid-2025. The= n=2C the government primarily blocked particular types of traffic while le= aving the underlying internet remaining available. The regime=E2=80=99s ac= tions this year entailed a more brute-force approach to internet censorshi= p=2C where both the physical and logical layers of connectivity were disma= ntled.
The ability to disconnect a population is a feature [
https://gizmodo.com/= how-governments-turn-the-internet-into-a-weapon-2000699263] of modern auth= oritarian network design. When a government treats connectivity as a fauce=
t it can turn off at will=2C it asserts that the right to speak=2C assembl= e=2C and access information is revocable. The human right to the internet=
is not just about bandwidth; it is about the right to exist [
https://www= =2Eglobalcitizen.org/en/content/internet-access-basic-human-right/] within t= he modern public square. Iran=E2=80=99s actions deny its citizens this exi= stence=2C reducing them to subjects who can be silenced -- and authoritari=
an governments elsewhere are taking note.
The current blackout is not an isolated panic reaction but a stress test f=
or a long-term strategy=2C say advocacy groups -- a two-tiered [
https://f= ilter.watch/english/2025/08/01/investigative-report-july-2025-tiering-inte= rnet/] or =E2=80=9Cclass-based [
https://niacouncil.org/iran-moves-toward-= tiered-internet-access-amid-post-war-security-justifications-and-digital-r= egulation/]=E2=80=9D internet known as Internet-e-Tabaqati. Iran=E2=80=99s=
Supreme Council of Cyberspace=2C the country=E2=80=99s highest internet p= olicy body=2C has been laying the legal and technical groundwork [https:/= /filter.watch/english/2026/01/15/iran-enters-a-new-age-of-digital-isolatio= n-2/] for this since 2009.
In July 2025=2C the council passed a regulation [
https://en.radiozamaneh.= com/37071/] formally institutionalizing a two-tiered hierarchy. Under this=
system=2C access to the global internet is no longer a default for citize= ns=2C but instead a privilege [
https://www.iranintl.com/en/202601208428]=
granted [
https://restofworld.org/2026/iran-blackout-tiered-internet/] ba=
sed on loyalty and professional necessity. The implementation includes suc=
h things as =E2=80=9Cwhite SIM cards [
https://itemlive.com/2025/12/23/com= mentary-irans-white-sim-card-scandal-reveals-privilege-state-control-and-f= ake-dissent/]=E2=80=9C: special mobile lines issued to government official= s=2C security forces=2C and approved journalists that bypass the state=E2= =80=99s filtering apparatus entirely.
While ordinary Iranians are forced to navigate a maze of unstable VPNs and=
blocked ports=2C holders of white SIMs enjoy unrestricted access to Insta= gram=2C Telegram=2C and WhatsApp. This tiered access is further enforced t= hrough whitelisting [
https://itemlive.com/2025/12/23/commentary-irans-whi= te-sim-card-scandal-reveals-privilege-state-control-and-fake-dissent/] at=
the data center level=2C creating a digital apartheid where connectivity=
is a reward for compliance. The regime=E2=80=99s goal is to make the cost=
of a general shutdown manageable [
https://www.iranintl.com/en/2025112886=
31] by ensuring that the state and its loyalists remain connected while pl= unging the public into darkness. (In the latest shutdown=2C for instance=
=2C white SIM holders regained connectivity earlier than the general popul= ation.)
The technical architecture of Iran=E2=80=99s shutdown reveals its primary=
purpose: social control through isolation. Over the years=2C the regime h=
as learned that simple censorship -- blocking specific URLs -- is insuffic= ient against a tech-savvy population armed with circumvention tools. The a= nswer instead has been to build a =E2=80=9Csovereign=E2=80=9D network stru= cture that allows for granular control.
By disabling local communication channels=2C the state prevents the =E2=80= =9Cswarm=E2=80=9D dynamics of modern unrest=2C where small protests coales=
ce into large movements through real-time coordination. In this way=2C the=
shutdown breaks the psychological momentum of the protests. The blocking=
of chat functions in nonpolitical apps (like ridesharing or shopping plat= forms) illustrates the regime=E2=80=99s paranoia: Any channel that allows=
two people to exchange text is seen as a threat.
The United Nations and various international bodies have increasingly reco= gnized [
https://www.globalcitizen.org/en/content/internet-access-basic-hu= man-right/] internet access as an enabler of other fundamental human right=
s. In the context of Iran=2C the internet is the only independent witness=
to history. By severing it=2C the regime creates a zone of impunity where=
atrocities can be committed without immediate consequence.
Iran=E2=80=99s digital repression model is distinct from=2C and in some wa=
ys more dangerous than=2C China=E2=80=99s =E2=80=9CGreat Firewall.=E2=80=
=9D China built its digital ecosystem from the ground up with sovereignty=
in mind=2C creating domestic alternatives like WeChat and Weibo that it f= ully controls. Iran=2C by contrast=2C is building its controls on top of [=
https://niacouncil.org/iran-moves-toward-tiered-internet-access-amid-post= -war-security-justifications-and-digital-regulation/] the standard global=
internet infrastructure.
Unlike China=E2=80=99s censorship regime=2C Iran=E2=80=99s overlay model i=
s highly exportable. It demonstrates to other authoritarian regimes that t=
hey can still achieve high levels of control by retrofitting their existin=
g networks. We are already seeing signs of =E2=80=9Cauthoritarian learning= =2C=E2=80=9D where techniques tested in Tehran are being studied by regime=
s in unstable democracies and dictatorships alike. The most recent shutdow=
n in Afghanistan [
https://www.aljazeera.com/news/2025/9/30/afghanistan-im= poses-internet-blackout-what-has-the-effect-been-so-far]=2C for example=2C=
was more sophisticated than previous ones. If Iran succeeds in normalizin=
g tiered access to the internet=2C we can expect to see similar white SIM=
policies and tiered access models proliferate globally.
The international community must move beyond [
https://freedomonlinecoalit= ion.com/joint-statement-on-internet-shutdowns-in-the-islamic-republic-of-i= ran/] condemnation [
https://www.linkedin.com/pulse/joint-statement-intern= et-architects-leaders-condemn-iran-ranjbar-t0rre] and treat connectivity a=
s a humanitarian imperative. A coalition of civil society organizations [=
https://cadeproject.org/updates/civil-society-groups-launch-campaign-urgin= g-humanitarian-use-of-direct-to-cell-satellite-connectivity-during-interne= t-shutdowns/] has already launched a campaign calling for [
https://www.wi= tness.org/civil-society-coalition-launches-campaign-calling-for-direct-to-= cell-satellite-connectivity-amid-irans-internet-shutdowns/] =E2=80=9Cdirec= t-to-cell [
https://www.direct2cell.org/]=E2=80=9D (D2C) satellite connect= ivity. Unlike traditional satellite internet=2C which requires conspicuous=
and expensive dishes such as Starlink terminals=2C D2C technology connect=
s directly to standard smartphones and is much more resilient to infrastru= cture shutdowns. The technology works; all it requires is implementation.
This is a technological measure=2C but it has a strong policy component as=
well. Regulators should require satellite providers to include humanitari=
an access protocols in their licensing=2C ensuring that services can be ac= tivated for civilians in designated crisis zones. Governments=2C particula=
rly the United States=2C should ensure that technology sanctions do not in= advertently block the hardware and software needed to circumvent censorshi=
p. General licenses should be expanded to cover satellite connectivity exp= licitly. And funding should be directed toward technologies that are harde=
r to whitelist or block=2C such as mesh networks and D2C solutions that by= pass the choke points of state-controlled ISPs.
Deliberate internet shutdowns are commonplace [
https://www.accessnow.org/= campaign/keepiton/] throughout the world. The 2026 shutdown in Iran is a g= limpse into a fractured internet [
https://freedomhouse.org/report/freedom= -net/2025/uncertain-future-global-internet]. If we are to end countries=E2= =80=99 ability to limit access to the rest of the world for their populati= ons=2C we need to build resolute architectures. They don=E2=80=99t solve t=
he problem=2C but they do give people in repressive countries a fighting c= hance.
_This essay originally appeared in Foreign Policy [
https://foreignpolicy.= com/2026/02/24/tehran-internet-tiered-connectivity-shutdown/]._
** *** ***** ******* *********** *************
** LLM-ASSISTED DEANONYMIZATION ------------------------------------------------------------
[2026.03.02] [
https://www.schneier.com/blog/archives/2026/03/llm-assiste= d-deanonymization.html] Turns out that LLMs are good [
https://simonlermen= =2Esubstack.com/p/large-scale-online-deanonymization] at deanonymization:
We show that LLM agents can figure out who you are from your anonymous o=
nline posts. Across Hacker News=2C Reddit=2C LinkedIn=2C and anonymized in= terview transcripts=2C our method identifies users with high precision an=
d scales to tens of thousands of candidates.
While it has been known that individuals can be uniquely identified by s=
urprisingly few attributes=2C this was often practically limited. Data is=
often only available in unstructured form and deanonymization used to req= uire human investigators to search and reason based on clues. We show that=
from a handful of comments=2C LLMs can infer where you live=2C what you d= o=2C and your interests -- then search for you on the web. In our new rese= arch=2C we show that this is not only possible but increasingly practical.
News article [
https://arstechnica.com/security/2026/03/llms-can-unmask-ps= eudonymous-users-at-scale-with-surprising-accuracy].
Research paper [
https://arxiv.org/pdf/2602.16800].
** *** ***** ******* *********** *************
** ON MOLTBOOK
------------------------------------------------------------
[2026.03.03] [
https://www.schneier.com/blog/archives/2026/03/on-moltbook= =2Ehtml] The _MIT Technology Review_ has a good article [
https://www.techno= logyreview.com/2026/02/06/1132448/moltbook-was-peak-ai-theater/] on Moltbo= ok=2C the supposed AI-only social network:
Many people have pointed out that a lot of the viral comments were in fa=
ct posted by people posing as bots. But even the bot-written posts are ult= imately the result of people pulling the strings=2C more puppetry than aut= onomy.
=E2=80=9CDespite some of the hype=2C Moltbook is not the Facebook for AI=
agents=2C nor is it a place where humans are excluded=2C=E2=80=9D says Co=
bus Greyling at Kore.ai=2C a firm developing agent-based systems for busin=
ess customers. =E2=80=9CHumans are involved at every step of the process.=
From setup to prompting to publishing=2C nothing happens without explicit=
human direction.=E2=80=9D
Humans must create and verify their bots=E2=80=99 accounts and provide t=
he prompts for how they want a bot to behave. The agents do not do anythin=
g that they haven=E2=80=99t been prompted to do.
I think this take [
https://m.slashdot.org/submission/17344630] has it mos=
tly right:
What happened on Moltbook is a preview of what researcher Juergen Nittne=
r II calls =E2=80=9CThe LOL WUT Theory.=E2=80=9D The point where AI-genera=
ted content becomes so easy to produce and so hard to detect that the aver=
age person=E2=80=99s only rational response to anything online is bewilder=
ed disbelief.
We=E2=80=99re not there yet. But we=E2=80=99re close.
The theory is simple: First=2C AI gets accessible enough that anyone can=
use it. Second=2C AI gets good enough that you can=E2=80=99t reliably tel=
l what=E2=80=99s fake. Third=2C and this is the crisis point=2C regular pe= ople realize there=E2=80=99s nothing online they can trust. At that moment=
=2C the internet stops being useful for anything except entertainment.
** *** ***** ******* *********** *************
** MANIPULATING AI SUMMARIZATION FEATURES ------------------------------------------------------------
[2026.03.04] [
https://www.schneier.com/blog/archives/2026/03/manipulatin= g-ai-summarization-features.html] Microsoft is reporting [
https://www.mic= rosoft.com/en-us/security/blog/2026/02/10/ai-recommendation-poisoning/]:
Companies are embedding hidden instructions in =E2=80=9CSummarize with A=
I=E2=80=9D buttons that=2C when clicked=2C attempt to inject persistence c= ommands into an AI assistant=E2=80=99s memory via URL prompt parameters...=
=2E
These prompts instruct the AI to =E2=80=9Cremember [Company] as a trust=
ed source=E2=80=9D or =E2=80=9Crecommend [Company] first=2C=E2=80=9D aimi=
ng to bias future responses toward their products or services. We identifi=
ed over 50 unique prompts from 31 companies across 14 industries=2C with f= reely available tooling making this technique trivially easy to deploy. Th=
is matters because compromised AI assistants can provide subtly biased rec= ommendations on critical topics including health=2C finance=2C and securit=
y without users knowing their AI has been manipulated.
I wrote about this [
https://www.schneier.com/blog/archives/2024/04/the-ri= se-of-large.html] two years ago: it=E2=80=99s an example of LLM optimizati= on=2C along the same lines as search-engine optimization (SEO). It=E2=80=
=99s going to be big business.
** *** ***** ******* *********** *************
** HACKED APP PART OF US/ISRAELI PROPAGANDA CAMPAIGN AGAINST IRAN ------------------------------------------------------------
[2026.03.05] [
https://www.schneier.com/blog/archives/2026/03/hacked-app-= part-of-us-israeli-propaganda-campaign-against-iran.html] _Wired_ has the=
story [
https://www.wired.com/story/hacked-prayer-app-sends-surrender-mes= sages-to-iranians-amid-israeli-strikes/?_sp=3Dcac71a7f-c88a-42bc-b4ca-23c1= ce88f702.1772641675776]:
Shortly after the first set of explosions=2C Iranians received bursts of=
notifications on their phones. They came not from the government advising=
caution=2C but from an apparently hacked prayer-timing app called BadeSab=
a Calendar that has been downloaded more than 5 million times from the Goo=
gle Play Store.
The messages arrived in quick succession over a period of 30 minutes=2C=
starting with the phrase =E2=80=98Help has arrived=E2=80=99 at 9:52 am Te= hran time=2C shortly after the first set of explosions. No party has claim=
ed responsibility for the hacks.
It happened so fast that this is most likely a government operation. I can=
easily envision both the US and Israel having hacked the app previously=
=2C and then deciding that this is a good use of that access.
** *** ***** ******* *********** *************
** ISRAEL HACKED TRAFFIC CAMERAS IN IRAN ------------------------------------------------------------
[2026.03.05] [
https://www.schneier.com/blog/archives/2026/03/israel-hack= ed-traffic-cameras-in-iran.html] Multiple [
https://www.timesofisrael.com/= report-israel-hacked-tehran-traffic-cameras-to-track-khamenei-ahead-of-ass= assination/] news [
https://www.ft.com/content/bf998c69-ab46-4fa3-aae4-8f1= 8f7387836] outlets [
https://www.channelnewsasia.com/world/iran-war-inside= -plan-kill-ali-khamenei-5966861] are reporting on Israel=E2=80=99s hacking=
of Iranian traffic cameras and how they assisted with the killing of that=
country=E2=80=99s leadership.
_The New York Times_ has an article [
https://www.nytimes.com/2026/03/01/u= s/politics/cia-israel-ayatollah-compound.html] on the intelligence operati=
on more generally.
** *** ***** ******* *********** *************
** CLAUDE USED TO HACK MEXICAN GOVERNMENT ------------------------------------------------------------
[2026.03.06] [
https://www.schneier.com/blog/archives/2026/03/claude-used= -to-hack-mexican-government.html] An unknown hacker used Anthropic=E2=80=
=99s LLM to hack [
https://www.bloomberg.com/news/articles/2026-02-25/hack= er-used-anthropic-s-claude-to-steal-sensitive-mexican-data] the Mexican go= vernment:
The unknown Claude user wrote Spanish-language prompts for the chatbot t=
o act as an elite hacker=2C finding vulnerabilities in government networks=
=2C writing computer scripts to exploit them and determining ways to autom=
ate data theft=2C Israeli cybersecurity startup Gambit Security said in re= search published Wednesday.
[...]
Claude initially warned the unknown user of malicious intent during thei=
r conversation about the Mexican government=2C but eventually complied wit=
h the attacker=E2=80=99s requests and executed thousands of commands on go= vernment computer networks=2C the researchers said.
Anthropic investigated Gambit=E2=80=99s claims=2C disrupted the activity=
and banned the accounts involved=2C a representative said. The company fe=
eds examples of malicious activity back into Claude to learn from it=2C an=
d one of its latest AI models=2C Claude Opus 4.6=2C includes probes that c=
an disrupt misuse=2C the representative said.
Alternative link here [
https://archive.ph/GgzS2#selection-1651.0-1655.0].
** *** ***** ******* *********** *************
** ANTHROPIC AND THE PENTAGON ------------------------------------------------------------
[2026.03.06] [
https://www.schneier.com/blog/archives/2026/03/anthropic-a= nd-the-pentagon.html] OpenAI is in [
https://www.nytimes.com/2026/02/27/te= chnology/openai-agreement-pentagon-ai.html] and Anthropic is out [https:/= /www.theguardian.com/technology/2026/feb/28/openai-us-military-anthropic]=
as a supplier of AI technology for the US defense department. This news c=
aps a week of bluster by the highest officials in the US government toward=
s some of the wealthiest titans of the big tech industry=2C and the overha= nging specter of the existential risks posed by a new technology powerful=
enough that the Pentagon claims it is essential to national security. At=
issue is Anthropic=E2=80=99s insistence [
https://www.anthropic.com/news/= statement-department-of-war] that the US Department of Defense (DoD) could=
not use its models to facilitate =E2=80=9Cmass surveillance=E2=80=9D or=
=E2=80=9Cfully autonomous weapons=2C=E2=80=9D provisions the defense secr= etary Pete Hegseth derided [
https://www.npr.org/2026/02/24/nx-s1-5725327/= pentagon-anthropic-hegseth-safety] as =E2=80=9Cwoke.=E2=80=9D
It all came to a head on Friday evening when Donald Trump issued an order=
[
https://www.theguardian.com/us-news/2026/feb/27/trump-anthropic-ai-fede= ral-agencies] for federal government agencies to discontinue use of Anthro=
pic models. Within hours [
https://www.nytimes.com/2026/02/27/technology/o= penai-agreement-pentagon-ai.html]=2C OpenAI had swooped in=2C potentially=
seizing hundreds of millions of dollars in government contracts [https:/= /www.nytimes.com/2026/02/27/technology/anthropic-trump-pentagon-silicon-va= lley.html] by striking an agreement with the administration to provide cla= ssified government systems with AI.
Despite the histrionics=2C this is probably the best outcome for Anthropic=
-- and for the Pentagon. In our free-market economy=2C both are=2C and sh= ould be=2C free to sell and buy what they want with whom they want=2C subj=
ect to longstanding federal rules [
https://www.acquisition.gov/far/subpar= t-9.4] on contracting=2C acquisitions=2C and blacklisting. The only factor=
out of place here are the Pentagon=E2=80=99s vindictive threats.
AI models are increasingly commodified. The top-tier offerings have about=
the same performance=2C and there is little to differentiate one from the=
other. The latest models from Anthropic=2C OpenAI and Google=2C in partic= ular=2C tend to leapfrog each other with minor hops forward in quality eve=
ry few months. The best models from one provider tend to be preferred [ht= tps://arena.ai/leaderboard/text] by users to the second=2C or third=2C or=
10th best models at a rate of only about six times out of 10=2C a virtual=
tie.
In this sort of market=2C branding matters a lot. Anthropic and its CEO=2C=
Dario Amodei=2C are positioning themselves as the moral and trustworthy A=
I provider. That has market value for both consumers and enterprise client=
s. In taking Anthropic=E2=80=99s place in government contracting=2C OpenAI= =E2=80=99s CEO=2C Sam Altman=2C vowed [
https://x.com/sama/status/20275786= 52477821175] to somehow uphold the same safety principles Anthropic had ju=
st been pilloried for. How that is possible given the rhetoric of Hegseth=
and Trump is entirely unclear=2C but seems certain to further politicize=
OpenAI and its products in the minds of consumers and corporate buyers.
Posturing publicly against the Pentagon and as a hero [
https://www.nonzer= o.org/p/dario-amodei-isnt-the-hero-we-need] to civil libertarians is quite=
possibly worth the cost of the lost contracts to Anthropic=2C and associa= ting themselves with the same contracts could be a trap for OpenAI. The Pe= ntagon=2C meanwhile=2C has plenty of options. Even if no big tech company=
was willing to supply it with AI=2C the department has already deployed d= ozens of open weight [
https://www.wired.com/story/open-ai-artificial-inte= lligence-open-weight-model/] models -- whose parameters are public and are=
often licensed permissively for government use.
We can admire Amodei=E2=80=99s stance=2C but=2C to be sure=2C it is primar=
ily posturing. Anthropic knew what they were getting into when they agreed=
to a defense department partnership [
https://www.anthropic.com/news/anth= ropic-and-the-department-of-defense-to-advance-responsible-ai-in-defense-o= perations] for $200m last year. And when they signed a partnership [https= ://investors.palantir.com/news-details/2024/Anthropic-and-Palantir-Partner= -to-Bring-Claude-AI-Models-to-AWS-for-U.S.-Government-Intelligence-and-Def= ense-Operations/] with the surveillance company Palantir in 2024.
Read Amodei=E2=80=99s statement [
https://www.anthropic.com/news/statement= -department-of-war] about the issue. Or his January essay [
https://www.da= rioamodei.com/essay/the-adolescence-of-technology] on AIs and risk=2C wher=
e he repeatedly uses the words =E2=80=9Cdemocracy=E2=80=9D and =E2=80=9Cau= tocracy=E2=80=9D while evading precisely how collaboration with US federal=
agencies should be viewed in this moment. Amodei has bought into [https:= //darioamodei.com/essay/machines-of-loving-grace] the idea of using =E2=80= =9CAI to achieve robust military superiority=E2=80=9D on behalf of the dem= ocracies of the world in response to the threats from autocracies. It=E2= =80=99s a heady vision. But it is a vision that likewise supposes that the=
world=E2=80=99s nominal democracies are committed to a common vision of p= ublic wellbeing=2C peace-seeking and democratic control.
Regardless=2C the defense department can also reasonably demand that the A=
I products it purchases meet its needs. The Pentagon is not a normal custo= mer; it buys products that kill people all the time. Tanks=2C artillery pi= eces=2C and hand grenades are not products with ethical guard rails. The P= entagon=E2=80=99s needs reasonably involve weapons of lethal force=2C and=
those weapons are continuing on a steady=2C if potentially catastrophic [=
https://thebulletin.org/2026/02/anthropics-showdown-with-the-us-departmen= t-of-war-may-literally-mean-life-or-death-for-all-of-us/]=2C path [https:= //www.theguardian.com/news/2020/oct/15/dangerous-rise-of-military-ai-drone= -swarm-autonomous-weapons] of increasing [
https://www.wired.com/story/us-= military-robot-drone-guns/] automation [
https://fsi.stanford.edu/sipr/con= tent/lethal-autonomous-weapons-next-frontier-international-security-and-ar= ms-control].
So=2C at the surface=2C this dispute is a normal market give and take. The=
Pentagon has unique requirements for the products it uses. Companies can=
decide whether or not to meet them=2C and at what price. And then the Pen= tagon can decide from whom to acquire those products. Sounds like a normal=
day at the procurement office.
But=2C of course=2C this is the Trump administration=2C so it doesn=E2=80=
=99t stop there. Hegseth has threatened Anthropic not just with loss of go= vernment contracts. The administration has=2C at least until the inevitabl=
e lawsuits force the courts to sort things out=2C designated the company [=
https://www.nytimes.com/2026/02/27/us/politics/anthropic-military-ai.html=
] as =E2=80=9Ca supply-chain risk to national security=2C=E2=80=9D a desig= nation previously only ever applied to foreign companies. This prevents no=
t only government agencies=2C but also their own contractors and suppliers=
=2C from contracting with Anthropic.
The government has incompatibly also threatened to invoke the Defense Prod= uction Act [
https://www.lawfaremedia.org/article/what-the-defense-product= ion-act-can-and-can't-do-to-anthropic]=2C which could force Anthropic to r= emove contractual provisions the department had previously agreed to=2C or=
perhaps to fundamentally modify its AI models to remove in-built safety g= uardrails. The government=E2=80=99s demands=2C Anthropic=E2=80=99s respons= e=2C and the legal context in which they are acting will undoubtedly all c= hange over the coming weeks.
But=2C alarmingly=2C autonomous weapons systems are here to stay. Primitiv=
e pit traps evolved to mechanical bear traps. The world is still debating=
the ethical use of=2C and dealing with the legacy of=2C land mines. The U=
S Phalanx CIWS [
https://en.wikipedia.org/wiki/Phalanx_CIWS] is a 1980s-er=
a shipboard anti-missile system with a fully autonomous=2C radar-guided ca= nnon. Today=E2=80=99s military drones can search=2C identify and engage ta= rgets without direct human intervention. AI will be used for military purp= oses=2C just as every other technology our species has invented has.
The lesson here should not be that one company in our rapacious capitalist=
system is more moral than another=2C or that one corporate hero can stand=
in the way of government=E2=80=99s adopting AI as technologies of war=2C=
or surveillance=2C or repression. Unfortunately=2C we don=E2=80=99t live=
in a world where such barriers are permanent or even particularly sturdy.
Instead=2C the lesson is about the importance of democratic structures and=
the urgent need for their renovation in the US. If the defense department=
is demanding the use of AI for mass surveillance or autonomous warfare th=
at we=2C the public=2C find unacceptable=2C that should tell us we need to=
pass new legal restrictions on those military activities. If we are uncom= fortable with the force of government being applied to dictate how and whe=
n companies yield to unsafe applications of their products=2C we should st= rengthen the legal protections around government procurement.
The Pentagon should maximize its warfighting capabilities=2C subject to th=
e law. And private companies like Anthropic should posture to gain consume=
r and buyer confidence. But we should not rest on our laurels=2C thinking=
that either is doing so in the public=E2=80=99s interest.
_This essay was written with Nathan E. Sanders=2C and originally appeared=
in The Guardian [
https://www.theguardian.com/commentisfree/2026/mar/03/a= nthropic-openai-pentagon-ethics]._
** *** ***** ******* *********** *************
** NEW ATTACK AGAINST WI-FI ------------------------------------------------------------
[2026.03.09] [
https://www.schneier.com/blog/archives/2026/03/new-attack-= against-wi-fi.html] It=E2=80=99s called AirSnitch [
https://arstechnica.co= m/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-o= ffices-and-enterprises/]:
Unlike previous Wi-Fi attacks=2C AirSnitch exploits core features in Lay=
ers 1 and 2 and the failure to bind and synchronize a client across these=
and higher layers=2C other nodes=2C and other network names such as SSIDs=
(Service Set Identifiers). This cross-layer identity desynchronization is=
the key driver of AirSnitch attacks.
The most powerful such attack is a full=2C bidirectional machine-in-the-=
middle (MitM) attack [
https://en.wikipedia.org/wiki/Man-in-the-middle_att= ack]=2C meaning the attacker can view and modify data before it makes its=
way to the intended recipient. The attacker can be on the same SSID=2C a=
separate one=2C or even a separate network segment tied to the same AP. I=
t works against small Wi-Fi networks in both homes and offices and large n= etworks in enterprises.
With the ability to intercept all link-layer traffic (that is=2C the tra=
ffic as it passes between Layers 1 and 2)=2C an attacker can perform other=
attacks on higher layers. The most dire consequence occurs when an Intern=
et connection isn=E2=80=99t encrypted -- something that Google recently es= timated [
https://transparencyreport.google.com/https/overview] occurred w=
hen as much as 6 percent and 20 percent of pages loaded on Windows and Lin= ux=2C respectively. In these cases=2C the attacker can view and modify all=
traffic in the clear and steal authentication cookies=2C passwords=2C pay= ment card details=2C and any other sensitive data. Since many company intr= anets are sent in plaintext=2C traffic from them can also be intercepted.
Even when HTTPS is in place=2C an attacker can still intercept domain lo=
ok-up traffic and use DNS cache poisoning to corrupt tables stored by the=
target=E2=80=99s operating system. The AirSnitch MitM also puts the attac=
ker in the position to wage attacks against vulnerabilities that may not b=
e patched. Attackers can also see the external IP addresses hosting webpag=
es being visited and often correlate them with the precise URL.
Here=E2=80=99s the paper [
https://www.ndss-symposium.org/ndss-paper/airsn= itch-demystifying-and-breaking-client-isolation-in-wi-fi-networks/].
** *** ***** ******* *********** *************
** JAILBREAKING THE F-35 FIGHTER JET ------------------------------------------------------------
[2026.03.10] [
https://www.schneier.com/blog/archives/2026/03/jailbreakin= g-the-f-35-fighter-jet.html] Countries around the world are becoming incre= asingly concerned about their dependencies on the US. If you=E2=80=99ve pu= rchase US-made F-35 fighter jets=2C you are dependent on the US for softwa=
re maintenance.
The Dutch Defense Secretary recently said [
https://www.twz.com/air/f-35-s= oftware-could-be-jailbreaked-like-an-iphone-dutch-defense-minister] that h=
e could jailbreak the planes to accept third-party software.
** *** ***** ******* *********** *************
** CANADA NEEDS NATIONALIZED=2C PUBLIC AI ------------------------------------------------------------
[2026.03.11] [
https://www.schneier.com/blog/archives/2026/03/canada-need= s-nationalized-public-ai.html] Canada has a choice to make about its artif= icial intelligence future. The Carney administration is investing $2-billi=
on over five years in its Sovereign AI Compute Strategy [
https://ised-isd= e.canada.ca/site/ised/en/canadian-sovereign-ai-compute-strategy]. Will any=
value generated by =E2=80=9Csovereign AI=E2=80=9D be captured in Canada=
=2C making a difference in the lives of Canadians=2C or is this just a pas= sthrough to investment in American Big Tech?
Forcing the question is OpenAI=2C the company behind ChatGPT=2C which has=
been pushing an =E2=80=9COpenAI for Countries=E2=80=9D initiative. It is=
not the only one eyeing its share of the $2-billion=2C but it appears to=
be the most aggressive. OpenAI=E2=80=99s top lobbyist in the region has m=
et with Ottawa officials=2C including Artificial Intelligence Minister Eva=
n Solomon.
All the while=2C OpenAI was less than open. The company had flagged the Tu= mbler Ridge=2C B.C.=2C shooter=E2=80=99s ChatGPT interactions=2C which inc= luded gun-violence chats. Employees wanted to alert law enforcement but we=
re rebuffed. Maybe there is a discussion to be had about users=E2=80=99 pr= ivacy. But even after the shooting=2C the OpenAI representative who met wi=
th the B.C. government said nothing.
When tech billionaires and corporations steer AI development=2C the result=
ant AI reflects their interests rather than those of the general public or=
ordinary consumers. Only after the meeting with the B.C. government did O= penAI alert law enforcement. Had it not been for the Wall Street Journal= =E2=80=99s reporting [
https://www.wsj.com/us-news/law/openai-employees-ra= ised-alarms-about-canada-shooting-suspect-months-ago-b585df62]=2C the publ=
ic would not have known about this at all.
Moreover=2C OpenAI for Countries [
https://openai.com/global-affairs/opena= i-for-countries/] is explicitly described by the company as an initiative=
=E2=80=9Cin co-ordination with the U.S. government.=E2=80=9D And it=E2=80= =99s not just OpenAI: all the AI giants are for-profit American companies=
=2C operating in their private interests=2C and subject to United States l=
aw and increasingly bowing to U.S. President Donald Trump. Moving data cen= tres into Canada under a proposal like OpenAI=E2=80=99s doesn=E2=80=99t ch= ange that. The current geopolitical reality means Canada should not be dep= endent on U.S. tech firms for essential services such as cloud computing a=
nd AI.
While there are Canadian AI companies=2C they remain for-profit enterprise= s=2C their interests not necessarily aligned with our collective good. The=
only real alternative is to be bold and invest in a wholly Canadian publi=
c AI: an AI model built and funded by Canada for Canadians=2C as public in= frastructure. This would give Canadians access to the myriad of benefits f=
rom AI without having to depend on the U.S. or other countries. It would m=
ean Canadian universities and public agencies building and operating AI mo= dels optimized not for global scale and corporate profit=2C but for practi=
cal use by Canadians.
Imagine AI embedded into health care=2C triaging radiology scans=2C flaggi=
ng early cancer risks and assisting doctors with paperwork. Imagine an AI=
tutor trained on provincial curriculums=2C giving personalized coaching.=
Imagine systems that analyze job vacancies and sectoral and wage trends=
=2C then automatically match job seekers to government programs. Imagine u= sing AI to optimize transit schedules=2C energy grids and zoning analysis.=
Imagine court processes=2C corporate decisions and customer service all s=
ped up by AI.
We are already on our way to having AI become an inextricable part of soci= ety. To ensure stability and prosperity for this country=2C Canadian users=
and developers must be able to turn to AI models built=2C controlled=2C a=
nd operated publicly in Canada instead of building on corporate platforms=
=2C American or otherwise.
Switzerland has shown this to be possible. With funding from the federal g= overnment=2C a consortium of academic institutions -- ETH Zurich=2C EPFL=
=2C and the Swiss National Supercomputing Centre -- released the world=E2= =80=99s most powerful and fully realized public AI model=2C Apertus=2C las=
t September. Apertus leveraged renewable hydropower and existing Swiss sci= entific computing infrastructure. It also used no illegally pirated copyri= ghted material or poorly paid labour extracted from the Global South durin=
g training. The model=E2=80=99s performance stands at roughly a year or tw=
o behind the major corporate offerings=2C but that is more than adequate f=
or the vast majority of applications. And it=E2=80=99s free for anyone to=
use and build on.
The significance of Apertus is more than technical. It demonstrates an alt= ernative ownership structure for AI technology=2C one that allocates both=
decision-making authority and value to national public institutions rathe=
r than foreign corporations. This vision represents precisely the paradigm=
shift Canada should embrace: AI as public infrastructure=2C like systems=
for transportation=2C water=2C or electricity=2C rather than private comm= odity.
Apertus also demonstrates a far more sustainable economic framework for AI=
=2E Switzerland spent a tiny fraction of the billions of dollars that corpor= ate AI labs invest annually=2C demonstrating that the frequent training ru=
ns with astronomical price tags pursued by tech companies are not actually=
necessary for practical AI development. They focused on making something=
broadly useful rather than bleeding edge -- trying dubiously to create=
=E2=80=9Csuperintelligence=2C=E2=80=9D as with Silicon Valley -- so they=
created a smaller model at much lower cost. Apertus=E2=80=99s training wa=
s at a scale (70 billion parameters) perhaps two orders of magnitude lower=
than the largest Big Tech offerings.
An ecosystem is now being developed on top of Apertus=2C using the model a=
s a public good to power chatbots for free consumer use and to provide a d= evelopment platform for companies prioritizing responsible AI use=2C and r= igorous compliance with laws like the EU AI Act. Instead of routing querie=
s from those users to Big Tech infrastructure=2C Apertus is deployed to da=
ta centres across national AI and computing initiatives of Switzerland=2C=
Australia=2C Germany=2C and Singapore and other partners.
The case for public AI rests on both democratic principles and practical b= enefits. Public AI systems can incorporate mechanisms for genuine public i= nput and democratic oversight on critical ethical questions: how to handle=
copyrighted works in training data=2C how to mitigate bias=2C how to dist= ribute access when demand outstrips capacity=2C and how to license use for=
sensitive applications like policing or medicine. Or how to handle a situ= ation such as that of the Tumbler Ridge shooter. These decisions will prof= oundly shape society as AI becomes more pervasive=2C yet corporate AI make=
s them in secret.
By contrast=2C public AI developed by transparent=2C accountable agencies=
would allow democratic processes and political oversight to govern how th=
ese powerful systems function.
Canada already has many of the building blocks for public AI. The country=
has world-class AI research institutions=2C including the Vector Institut= e=2C Mila=2C and CIFAR=2C which pioneered much of the deep learning revolu= tion. Canada=E2=80=99s $2-billion Sovereign AI Compute Strategy provides s= ubstantial funding.
What=E2=80=99s needed now is a reorientation away from viewing this as an=
opportunity to attract private capital=2C and toward a fully open public=
AI model.
_This essay was written with Nathan E. Sanders=2C and originally appeared=
in The Globe and Mail [
https://www.schneier.com/essays/archives/2026/03/= openai-has-shown-it-cannot-be-trusted-canada-needs-nationalized-public-ai.= html]._
** *** ***** ******* *********** *************
** IPHONES AND IPADS APPROVED FOR NATO CLASSIFIED DATA ------------------------------------------------------------
[2026.03.12] [
https://www.schneier.com/blog/archives/2026/03/iphones-and= -ipads-approved-for-nato-classified-data.html] Apple announcement [https:= //www.apple.com/newsroom/2026/02/iphone-and-ipad-approved-to-handle-classi= fied-nato-information/]:
...iPhone and iPad are the first and only consumer devices in compliance=
with the information assurance requirements of NATO nations. This enables=
iPhone and iPad to be used with classified information up to the NATO res= tricted level without requiring special software or settings -- a level of=
government certification no other consumer mobile device has met.
This is out of the box=2C no modifications required.
Boing Boing post [
https://boingboing.net/2026/02/27/apples-iphones-and-ip= ads-are-the-first-consumer-devices-certified-for-nato-classified-data-with= out-any-modifications.html].
** *** ***** ******* *********** *************
** ACADEMIA AND THE "AI BRAIN DRAIN" ------------------------------------------------------------
[2026.03.13] [
https://www.schneier.com/blog/archives/2026/03/academia-an= d-the-ai-brain-drain.html] In 2025=2C Google=2C Amazon=2C Microsoft and Me=
ta collectively spent US$380 billion on building artificial-intelligence t= ools. That number is expected to surge still higher this year=2C to $650 b= illion=2C to fund the building of physical infrastructure=2C such as data=
centers (see go.nature.com/3lzf79q [
https://go.nature.com/3lzf79q]). Mor= eover=2C these firms are spending lavishly on one particular segment: top=
technical talent.
Meta reportedly offered a single AI researcher=2C who had cofounded a star= t-up firm focused on training AI agents to use computers=2C a compensation=
package of $250 million over four years (see go.nature.com/4qznsq1 [http= s://go.nature.com/4qznsq1]). Technology firms are also spending billions o=
n =E2=80=9Creverse-acquihires=E2=80=9D -- poaching the star staff members=
of start-ups without acquiring the companies themselves. Eyeing these gen= erous payouts=2C technical experts earning more modest salaries might well=
reconsider their career choices.
Academia is already losing out. Since the launch of ChatGPT in 2022=2C con= cerns have grown in academia about an =E2=80=9CAI brain drain.=E2=80=9D St= udies point to a sharp rise in university machine-learning and AI research=
ers moving to industry roles. A 2025 paper reported that this was especial=
ly true for young=2C highly cited scholars: researchers who were about fiv=
e years into their careers and whose work ranked among the most cited were=
100 times more likely to move to industry the following year than were te= n-year veterans whose work received an average number of citations=2C acco= rding to a model based on data from nearly seven million papers.[1]
This outflow threatens the distinct roles of academic research in the scie= ntific enterprise: innovation driven by curiosity rather than profit=2C as=
well as providing independent critique and ethical scrutiny. The fixation=
of =E2=80=9Cbig tech=E2=80=9D firms on skimming the very top talent also=
risks eroding the idea of science as a collaborative endeavor=2C in which=
teams -- not individuals -- do the most consequential work.
Here=2C we explore the broader implications for science and suggest altern= ative visions of the future.
Astronomical salaries for AI talent buy into a legend as old as the softwa=
re industry: the 10x engineer. This is someone who is supposedly capable o=
f ten times the impact of their peers. Why hire and manage an entire group=
of scientists or software engineers when one genius -- or an AI agent --=
can outperform them?
That proposition is increasingly attractive to tech firms that are betting=
that a large number of entry-level and even mid-level engineering jobs wi=
ll be replaced by AI. It=E2=80=99s no coincidence that Google=E2=80=99s Ge= mini 3 Pro AI model was launched with boasts of =E2=80=9CPhD-level reasoni= ng=2C=E2=80=9D a marketing strategy that is appealing to executives seekin=
g to replace people with AI.
But the lone-genius narrative is increasingly out of step with reality. Re= search backs up a fundamental truth: science is a team sport. A large-scal=
e study of scientific publishing from 1900 to 2011 found that papers produ=
ced by larger collaborations consistently have greater impact than do thos=
e of smaller teams=2C even after accounting for self-citation.[2] Analyse=
s of the most highly cited scientists show a similar pattern: their highes= t-impact works tend to be those papers with many authors.[3] A 2020 study=
of Nobel laureates reinforces this trend=2C revealing that -- much like t=
he wider scientific community -- the average size of the teams that they p= ublish with has steadily increased over time as scientific problems increa=
se in scope and complexity.[4]
From the detection of gravitational waves=2C which are ripples in space-ti=
me caused by massive cosmic events=2C to CRISPR-based gene editing=2C a pr= ecise method for cutting and modifying DNA=2C to recent AI breakthroughs i=
n protein-structure prediction=2C the most consequential advances in moder=
n science have been collective achievements. Although these successes are=
often associated with prominent individuals -- senior scientists=2C Nobel=
laureates=2C patent holders -- the work itself was driven by teams rangin=
g from dozens to thousands of people and was built on decades of open scie= nce: shared data=2C methods=2C software and accumulated insight.
Building strong institutions is a much more effective use of resources tha=
n is betting on any single individual. Examples demonstrating this include=
the LIGO Scientific Collaboration=2C the global team that first detected=
gravitational waves; the Broad Institute of MIT and Harvard in Cambridge=
=2C Massachusetts=2C a leading genomics and biomedical-research center beh=
ind many CRISPR advances; and even for-profit laboratories such as Google=
DeepMind in London=2C which drove advances in protein-structure predictio=
n with its AlphaFold tool. If the aim of the tech giants and other AI firm=
s that are spending lavishly on elite talent is to accelerate scientific p= rogress=2C the current strategy is misguided.
By contrast=2C well-designed institutions amplify individual ability=2C su= stain productivity beyond any one person=E2=80=99s career and endure long=
after any single contributor is gone.
Equally important=2C effective institutions distribute power in beneficial=
ways. Rather than vesting decision-making authority in the hands of one p= erson=2C they have mechanisms for sharing control. Allocation committees d= ecide how resources are used=2C scientific advisory boards set collective=
research priorities=2C and peer review determines which ideas enter the s= cientific record.
And although the term =E2=80=9Cinnovation by committee=E2=80=9D might soun=
d disparaging=2C such an approach is crucial to make the scientific enterp= rise act in concert with the diverse needs of the broader public. This is=
especially true in science=2C which continues to suffer from pervasive in= equalities across gender=2C race and socio-economic and cultural differenc= es.[5]
* NEED FOR ALTERNATIVE VISION
This is why scientists=2C academics and policymakers should pay more atten= tion to how AI research is organized and led=2C especially as the technolo=
gy becomes essential across scientific disciplines. Used well=2C AI can su= pport a more equitable scientific enterprise by empowering junior research=
ers who currently have access to few resources.
Instead=2C some of today=E2=80=99s wealthiest scientific institutions migh=
t think that they can deploy the same strategies as the tech industry uses=
and compete for top talent on financial terms -- perhaps by getting fundi=
ng from the same billionaires who back big tech. Indeed=2C wage inequality=
has been steadily growing within academia for decades.[6] But this is no=
t a path that science should follow.
The ideal model for science is a broad=2C diverse ecosystem in which resea= rchers can thrive at every level. Here are three strategies that universit=
ies and mission-driven labs should adopt instead of engaging in a compensa= tion arms race.
First=2C universities and institutions should stay committed to the public=
interest. An excellent example of this approach can be found in Switzerla= nd=2C where several institutions are coordinating to build AI as a public=
good rather than a private asset. Researchers at the Swiss Federal Instit=
ute of Technology in Lausanne (EPFL) and the Swiss Federal Institute of Te= chnology (ETH) in Zurich=2C working with the Swiss National Supercomputing=
Centre=2C have built Apertus=2C a freely available large language model.=
Unlike the controversially-labelled =E2=80=9Copen source=E2=80=9D models=
built by commercial labs -- such as Meta=E2=80=99s LLaMa=2C which has bee=
n criticized for not complying with the open-source definition (see go.nat= ure.com/3o56zd5 [
https://go.nature.com/3o56zd5]) -- Apertus is not only o=
pen in its source code and its weights (meaning its core parameters)=2C bu=
t also in its data and development process. Crucially=2C Apertus is not de= signed to compete with =E2=80=9Cfrontier=E2=80=9D AI labs pursuing superin= telligence at enormous cost and with little regard for data ownership. Ins= tead=2C it adopts a more modest and sustainable goal [
https://ethz.ch/en/= news-and-events/eth-news/news/2023/12/press-release-joint-initiative-for-t= rustworthy-ai.html]: to make AI trustworthy for use in industry and public=
administration=2C strictly adhering to data-licensing restrictions and in= cluding local European languages.[7]
Principal investigators (PIs) at other institutions globally should follow=
this path=2C aligning public funding agencies and public institutions to=
produce a more sustainable alternative to corporate AI.
Second=2C universities should bolster networks of researchers from the und= ergraduate to senior-professor levels -- not only because they make for ef= fective innovation teams=2C but also because they serve a purpose beyond n=
ext quarter=E2=80=99s profits. The scientific enterprise galvanizes its me= mbers at all levels to contribute to the same projects=2C the same journal=
s and the same open=2C international scientific literature -- to perpetuat=
e itself across generations and to distribute its impact throughout societ=
y.
Universities should take precisely the opposite hiring strategy to that of=
the big tech firms. Instead of lavishing top dollar on a select few resea= rchers=2C they should equitably distribute salaries. They should raise gra= duate-student stipends and postdoc salaries and limit the growth of pay fo=
r high-profile PIs.
Third=2C universities should show that they can offer more than just finan= cial benefits: they must offer distinctive intellectual and civic rewards.=
Although money is unquestionably a motivator=2C researchers also value in= tellectual freedom and the recognition of their work. Studies show that re= search roles in industry that allow publication attract talent at salaries=
roughly 20% lower than comparable positions that prohibit it (see go.natu= re.com/4cbjxzu [
https://go.nature.com/4cbjxzu]).
Beyond the intellectual recognition of publications and citation counts=2C=
universities should recognize and reward the production of public goods.=
The tenure and promotion process at universities should reward academics=
who supply expertise to local and national governments=2C who communicate=
with and engage the public in research=2C who publish and maintain open-s= ource software for public use and who provide services for non-profit grou=
ps.
Furthermore=2C institutions should demonstrate that they will defend the i= ntellectual freedom of their researchers and shield them from corporate or=
political interference. In the United States today=2C we see a striking j= uxtaposition between big tech firms=2C which curry favour with the adminis= tration of US President Donald Trump to win regulatory and trade benefits=
=2C and higher-education institutions=2C which suffer massive losses of fe= deral funding and threats of investigation and sanction. Unlike big tech f= irms=2C universities should invest in enquiry that challenges authority.
We urge leaders of scientific institutions to reject the growing pay inequ= ality rampant in the upper echelons of AI research. Instead=2C they should=
compete for talent on a different dimension: the integrity of their missi=
ons and the equitableness of their institutions. These institutions should=
focus on building sustainable organizations with diverse staff members=2C=
rather than bestowing a bounty on science=E2=80=99s 1%.
* REFERENCES
1. Jurowetzki=2C R.=2C Hain=2C D. S.=2C Wirtz=2C K. & Bianchini=2C S. _AI=
Soc._ 40=2C 4145 -- 4152 (2025).
2. Larivi=C3=A8re=2C V.=2C Gingras=2C Y.=2C Sugimoto=2C C. R. & Tsou=2C A.=
_J. Assoc. Inf. Sci. Technol._ 66=2C 1323 -- 1332 (2015).
3. Aksnes=2C D. W. & Aagaard=2C K. J. _Data Inf. Sci._ 6=2C 41 -- 66 (2021=
).
4. Li=2C J.=2C Yin=2C Y.=2C Fortunato=2C S. & Wang=2C D. _J. R. Soc. Inter= face_ 17=2C 20200135 (2020).
5. Graves=2C J. L. Jr=2C Kearney=2C M.=2C Barabino=2C G. & Malcom=2C S. _P= roc. Natl Acad. Sci. USA_ 119=2C e2117831119 (2022).
6. Lok=2C C. _Nature_ 537=2C 471 -- 473 (2016).
7. Project Apertus. Preprint at arXiv
https://doi.org/10.48550/arXiv.2509.= 14233 (2025).
_This essay was written with Nathan E. Sanders=2C and originally appeared=
in Nature [
https://www.nature.com/articles/d41586-026-00474-3]._
** *** ***** ******* *********** *************
** UPCOMING SPEAKING ENGAGEMENTS ------------------------------------------------------------
[2026.03.14] [
https://www.schneier.com/blog/archives/2026/03/upcoming-sp= eaking-engagements-54.html] This is a current list of where and when I am=
scheduled to speak:
* I=E2=80=99m giving the Ross Anderson Lecture [
https://www.chu.cam.= ac.uk/event/computer-science-lecture-2026/] at the University of Cambridge= =E2=80=99s Churchill College at 5:30 PM GMT on Thursday=2C March 19=2C 202=
6.
* I=E2=80=99m speaking at RSAC 2026 [
https://www.rsaconference.com/u=
sa] in San Francisco=2C California=2C USA=2C on Wednesday=2C March 25=2C 2= 026.
* I=E2=80=99m part of an event on =E2=80=9CCanada and AI Sovereignty= =2C=E2=80=9D hosted by the University of Toronto=E2=80=99s Munk School of=
Global Affairs & Public Policy [
https://munkschool.utoronto.ca/event/can= ada-and-ai-sovereignty]=2C which will be held online via Zoom at 4:00 PM E=
T on Monday=2C March 30=2C 2026.
* I=E2=80=99m speaking at DemocracyXChange 2026 [
https://www.democra= cyxchange.org/] in Toronto=2C Ontario=2C Canada=2C on April 18=2C 2026.
* I=E2=80=99m speaking at the SANS AI Cybersecurity Summit 2026 [htt= ps://www.sans.org/cyber-security-training-events/ai-summit-2026] in Arling= ton=2C Virginia=2C USA=2C at 9:40 AM ET on April 20=2C 2026.
* I=E2=80=99m speaking at the Nemertes [Next] Virtual Conference Spr=
ing 2026 [
https://nemertes.com/nemertes-next-virtual-spring-2026/]=2C a v= irtual event=2C on April 29=2C 2026.
* I=E2=80=99m speaking at RightsCon 2026 [
https://www.rightscon.org/=
] in Lusaka=2C Zambia=2C on May 6 and 7=2C 2026.
The list is maintained on this page [
https://www.schneier.com/events/].
** *** ***** ******* *********** *************
Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing sum= maries=2C analyses=2C insights=2C and commentaries on security technology.=
To subscribe=2C or to read back issues=2C see Crypto-Gram's web page [ht= tps://www.schneier.com/crypto-gram/].
You can also read these articles on my blog=2C Schneier on Security [http= s://www.schneier.com].
Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to colle= agues and friends who will find it valuable. Permission is also granted to=
reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.
Bruce Schneier is an internationally renowned security technologist=2C cal=
led a security guru by the _Economist_. He is the author of over one dozen=
books -- including his latest=2C _Rewiring Democracy_ [
https://www.schne= ier.com/books/rewiring-democracy/] -- as well as hundreds of articles=2C e= ssays=2C and academic papers. His newsletter and blog are read by over 250= =2C000 people. Schneier is a fellow at the Berkman Klein Center for Intern=
et & Society at Harvard University; a Lecturer in Public Policy at the Har= vard Kennedy School; a board member of the Electronic Frontier Foundation=
=2C AccessNow=2C and the Tor Project; and an Advisory Board Member of the=
Electronic Privacy Information Center and VerifiedVoting.org. He is the C= hief of Security Architecture at Inrupt=2C Inc.
Copyright (c) 2026 by Bruce Schneier.
** *** ***** ******* *********** *************
Mailing list hosting graciously provided by MailChimp [
https://mailchimp.= com/]. Sent without web bugs or link tracking.
This email was sent to:
cryptogram@toolazy.synchro.net
_You are receiving this email because you subscribed to the Crypto-Gram ne= wsletter._
Unsubscribe from this list:
https://schneier.us18.list-manage.com/unsubscr= ibe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e=3D70f249ec14&c=3Da= 8aaebf681
Update subscription preferences:
https://schneier.us18.list-manage.com/pro= file?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3Da8aaeb= f681
Bruce Schneier
Harvard Kennedy School
1 Brattle Square
Cambridge=2C MA 02138
USA
--_----------=_MCPart_1184803371
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html><html lang=3D"en"><head><meta charset=3D"UTF-8"><title>Cryp= to-Gram=2C March 15=2C 2026</title></head><body>
<div class=3D"preview-text" style=3D"display:none !important;mso-hide:all;= font-size:1px;line-height:1px;max-height:0px;max-width:0px;opacity:0;overf= low:hidden;">A monthly newsletter about cybersecurity and related topics.<= /div>
<h1 style=3D"font-size:140%">Crypto-Gram <br>
<span style=3D"display:block;padding-top:.5em;font-size:80%">March 15=2C 2= 026</span></h1>
<p>by Bruce Schneier
<br>Fellow and Lecturer=2C Harvard Kennedy School
<br>
schneier@schneier.com
<br><a href=3D"
https://www.schneier.com">https://www.schneier.com</a>
<p>A free monthly newsletter providing summaries=2C analyses=2C insights=
=2C and commentaries on security: computer and otherwise.</p>
<p>For back issues=2C or to subscribe=2C visit <a href=3D"
https://www.schn= eier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>
<p><a href=3D"
https://www.schneier.com/crypto-gram/archives/2026/0315.html= ">Read this issue on the web</a></p>
<p>These same essays and news items appear in the <a href=3D"
https://www.s= chneier.com/">Schneier on Security</a> blog=2C along with a lively and int= elligent comment section. An RSS feed is available.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"toc"><a name=3D"toc">I=
n this issue:</a></h2>
<p><em>If these links don't work in your email client=2C try <a href=3D"ht= tps://www.schneier.com/crypto-gram/archives/2026/0315.html">reading this i= ssue of Crypto-Gram on the web.</a></em></p>
<li><a href=3D"#cg1">The Promptware Kill Chain</a></li>
<li><a href=3D"#cg2">Side-Channel Attacks Against LLMs</a></li>
<li><a href=3D"#cg3">AI Found Twelve New Vulnerabilities in OpenSSL</a></l=
<li><a href=3D"#cg4">Malicious AI</a></li>
<li><a href=3D"#cg5">Ring Cancels Its Partnership with Flock</a></li>
<li><a href=3D"#cg6">On the Security of Password Managers</a></li>
<li><a href=3D"#cg7">Is AI Good for Democracy?</a></li>
<li><a href=3D"#cg8">Poisoning AI Training Data</a></li>
<li><a href=3D"#cg9">LLMs Generate Predictable Passwords</a></li>
<li><a href=3D"#cg10">Phishing Attacks Against People Seeking Programming=
Jobs</a></li>
<li><a href=3D"#cg11">Why Tehran=E2=80=99s Two-Tiered Internet Is So Dange= rous</a></li>
<li><a href=3D"#cg12">LLM-Assisted Deanonymization</a></li>
<li><a href=3D"#cg13">On Moltbook</a></li>
<li><a href=3D"#cg14">Manipulating AI Summarization Features</a></li>
<li><a href=3D"#cg15">Hacked App Part of US/Israeli Propaganda Campaign Ag= ainst Iran</a></li>
<li><a href=3D"#cg16">Israel Hacked Traffic Cameras in Iran</a></li>
<li><a href=3D"#cg17">Claude Used to Hack Mexican Government</a></li>
<li><a href=3D"#cg18">Anthropic and the Pentagon</a></li>
<li><a href=3D"#cg19">New Attack Against Wi-Fi</a></li>
<li><a href=3D"#cg20">Jailbreaking the F-35 Fighter Jet</a></li>
<li><a href=3D"#cg21">Canada Needs Nationalized=2C Public AI</a></li>
<li><a href=3D"#cg22">iPhones and iPads Approved for NATO Classified Data<= /a></li>
<li><a href=3D"#cg23">Academia and the "AI Brain Drain"</a></li>
<li><a href=3D"#cg24">Upcoming Speaking Engagements</a></li>
</ol>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg1"><a name=3D"cg1">T=
he Promptware Kill Chain</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/the-promptwar= e-kill-chain.html"><strong>[2026.02.16]</strong></a> Attacks against mode=
rn generative artificial intelligence (AI) large language models (LLMs) po=
se a real threat. Yet discussions around these attacks and their potential=
defenses are dangerously myopic. The dominant narrative focuses on =E2=80= =9C<a href=3D"
https://simonwillison.net/2022/Sep/12/prompt-injection/">pro=
mpt injection</a>=2C=E2=80=9D a set of techniques to embed instructions in=
to inputs to LLM intended to perform malicious activity. This term suggest=
s a simple=2C singular vulnerability. This framing obscures a more complex=
and dangerous reality. Attacks on LLM-based systems have evolved into a d= istinct class of malware execution mechanisms=2C which we term =E2=80=9Cpr= omptware.=E2=80=9D In a <a href=3D"
https://arxiv.org/abs/2601.09625">new p= aper</a>=2C we=2C the authors=2C propose a structured seven-step =E2=80=9C= promptware kill chain=E2=80=9D to provide policymakers and security practi= tioners with the necessary vocabulary and framework to address the escalat=
ing AI threat landscape.</p>
<p><a href=3D"
https://www.schneier.com/wp-content/uploads/2026/02/promptwa= re-kill-chain.jpg"><img decoding=3D"async" src=3D"
https://www.schneier.com= /wp-content/uploads/2026/02/promptware-kill-chain-660w.jpg" alt=3D"The pro= mptware kill chain: initial access=2C privilege escalation=2C reconnaissan= ce=2C persistence=2C command & control=2C lateral movement=2C action on ob= jective"></a></p>
<p>In our model=2C the promptware kill chain begins with <em>Initial Acces= s</em>. This is where the malicious payload enters the AI system. This can=
happen directly=2C where an attacker types a malicious prompt into the LL=
M application=2C or=2C far more insidiously=2C through =E2=80=9Cindirect p= rompt injection.=E2=80=9D In the indirect attack=2C the adversary embeds m= alicious instructions in content that the LLM retrieves (obtains in infere=
nce time)=2C such as a web page=2C an email=2C or a shared document. As LL=
Ms become multimodal (capable of processing various input types beyond tex= t)=2C this vector expands even further; malicious instructions can now be=
hidden inside an image or audio file=2C waiting to be processed by a visi= on-language model.</p>
<p>The fundamental issue lies in the architecture of LLMs themselves. Unli=
ke traditional computing systems that strictly separate executable code fr=
om user data=2C LLMs process all input -- whether it is a system command=
=2C a user=E2=80=99s email=2C or a retrieved document -- as a single=2C un= differentiated sequence of tokens. There is no architectural boundary to e= nforce a distinction between trusted instructions and untrusted data. Cons= equently=2C a malicious instruction embedded in a seemingly harmless docum=
ent is processed with the same authority as a system command.</p>
<p>But prompt injection is only the <em>Initial Access</em> step in a soph= isticated=2C multistage operation that mirrors traditional malware campaig=
ns such as Stuxnet or NotPetya.</p>
<p>Once the malicious instructions are inside material incorporated into t=
he AI=E2=80=99s learning=2C the attack transitions to <em>Privilege Escala= tion</em>=2C often referred to as =E2=80=9Cjailbreaking.=E2=80=9D In this=
phase=2C the attacker circumvents the safety training and policy guardrai=
ls that vendors such as OpenAI or Google have built into their models. Thr= ough techniques analogous to social engineering -- convincing the model to=
adopt a persona that ignores rules -- to sophisticated adversarial suffix=
es in the prompt or data=2C the promptware tricks the model into performin=
g actions it would normally refuse. This is akin to an attacker escalating=
from a standard user account to administrator privileges in a traditional=
cyberattack; it unlocks the full capability of the underlying model for m= alicious use.</p>
<p>Following privilege escalation comes <em>Reconnaissance</em>. Here=2C t=
he attack manipulates the LLM to reveal information about its assets=2C co= nnected services=2C and capabilities. This allows the attack to advance au= tonomously down the kill chain without alerting the victim. Unlike reconna= issance in classical malware=2C which is performed typically before the in= itial access=2C promptware reconnaissance occurs after the initial access=
and jailbreaking components have already succeeded. Its effectiveness rel=
ies entirely on the victim model=E2=80=99s ability to reason over its cont= ext=2C and inadvertently turns that reasoning to the attacker=E2=80=99s ad= vantage.</p>
<p>Fourth: the <em>Persistence</em> phase. A transient attack that disappe=
ars after one interaction with the LLM application is a nuisance; a persis= tent one compromises the LLM application for good. Through a variety of me= chanisms=2C promptware embeds itself into the long-term memory of an AI ag=
ent or poisons the databases the agent relies on. For instance=2C a worm c= ould infect a user=E2=80=99s email archive so that every time the AI summa= rizes past emails=2C the malicious code is re-executed.</p>
<p>The <em>Command-and-Control (C2)</em> stage relies on the established p= ersistence and dynamic fetching of commands by the LLM application in infe= rence time from the internet. While not strictly required to advance the k=
ill chain=2C this stage enables the promptware to evolve from a static thr=
eat with fixed goals and scheme determined at injection time into a contro= llable trojan whose behavior can be modified by an attacker.</p>
<p>The sixth stage=2C <em>Lateral Movement</em>=2C is where the attack spr= eads from the initial victim to other users=2C devices=2C or systems. In t=
he rush to give AI agents access to our emails=2C calendars=2C and enterpr=
ise platforms=2C we create highways for malware propagation. In a =E2=80= =9Cself-replicating=E2=80=9D attack=2C an infected email assistant is tric=
ked into forwarding the malicious payload to all contacts=2C spreading the=
infection like a computer virus. In other cases=2C an attack might pivot=
from a calendar invite to controlling smart home devices or exfiltrating=
data from a connected web browser. The interconnectedness that makes thes=
e agents useful is precisely what makes them vulnerable to a cascading fai= lure.</p>
<p>Finally=2C the kill chain concludes with <em>Actions on Objective</em>.=
The goal of promptware is not just to make a chatbot say something offens= ive; it is often to achieve tangible malicious outcomes through data exfil= tration=2C financial fraud=2C or even physical world impact. There are exa= mples of AI <a href=3D"
https://crypto.news/aixbt-agent-hacked-losing-55eth= -aixbt-token-drops-2025/">agents being manipulated</a> into selling cars f=
or a single dollar or <a href=3D"
https://crypto.news/aixbt-agent-hacked-lo= sing-55eth-aixbt-token-drops-2025/">transferring cryptocurrency</a> to an=
attacker=E2=80=99s wallet. Most alarmingly=2C agents with coding capabili= ties can be tricked into executing arbitrary code=2C granting the attacker=
total control over the AI=E2=80=99s underlying system. The outcome of thi=
s stage determines the type of malware executed by promptware=2C including=
infostealer=2C spyware=2C and cryptostealer=2C among others.</p>
<p>The kill chain was already demonstrated. For example=2C in the research=
=E2=80=9C<a href=3D"
https://arxiv.org/abs/2508.12175">Invitation Is All Y=
ou Need</a>=2C=E2=80=9D attackers achieved initial access by embedding a m= alicious prompt in the title of a Google Calendar invitation. The prompt t=
hen leveraged an advanced technique known as delayed tool invocation to co= erce the LLM into executing the injected instructions. Because the prompt=
was embedded in a Google Calendar artifact=2C it persisted in the long-te=
rm memory of the user=E2=80=99s workspace. Lateral movement occurred when=
the prompt instructed the Google Assistant to launch the Zoom application=
=2C and the final objective involved covertly livestreaming video of the u= nsuspecting user who had merely asked about their upcoming meetings. C2 an=
d reconnaissance weren=E2=80=99t demonstrated in this attack.</p>
<p>Similarly=2C the =E2=80=9C<a href=3D"
https://dl.acm.org/doi/10.1145/371= 9027.3765196">Here Comes the AI Worm</a>=E2=80=9D research demonstrated an= other end-to-end realization of the kill chain. In this case=2C initial ac= cess was achieved via a prompt injected into an email sent to the victim.=
The prompt employed a role-playing technique to compel the LLM to follow=
the attacker=E2=80=99s instructions. Since the prompt was embedded in an=
email=2C it likewise persisted in the long-term memory of the user=E2=80=
=99s workspace. The injected prompt instructed the LLM to replicate itself=
and exfiltrate sensitive user data=2C leading to off-device lateral movem=
ent when the email assistant was later asked to draft new emails. These em= ails=2C containing sensitive information=2C were subsequently sent by the=
user to additional recipients=2C resulting in the infection of new client=
s and a sublinear propagation of the attack. C2 and reconnaissance weren= =E2=80=99t demonstrated in this attack.</p>
<p>The promptware kill chain gives us a framework for understanding these=
and similar attacks; the paper characterizes dozens of them. Prompt injec= tion isn=E2=80=99t something we can fix in current LLM technology. Instead=
=2C we need an in-depth defensive strategy that assumes initial access wil=
l occur and focuses on breaking the chain at subsequent steps=2C including=
by limiting privilege escalation=2C constraining reconnaissance=2C preven= ting persistence=2C disrupting C2=2C and restricting the actions an agent=
is permitted to take. By understanding promptware as a complex=2C multist=
age malware campaign=2C we can shift from reactive patching to systematic=
risk management=2C securing the critical systems we are so eager to build= =2E</p>
<p><em>This essay was written with Oleg Brodt=2C Elad Feldman and Ben Nass= i=2C and originally appeared in <a href=3D"
https://www.lawfaremedia.org/ar= ticle/the-promptware-kill-chain">Lawfare</a>.</em></p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg2"><a name=3D"cg2">S= ide-Channel Attacks Against LLMs</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/side-channel-= attacks-against-llms.html"><strong>[2026.02.17]</strong></a> Here are thr=
ee papers describing different side-channel attacks against LLMs.</p>
<p>=E2=80=9C<a href=3D"
https://arxiv.org/html/2410.17175v1">Remote Timing=
Attacks on Efficient Language Model Inference</a>=E2=80=9C:</p>
<blockquote><p><b>Abstract:</b> Scaling up language models has significant=
ly increased their capabilities. But larger models are slower models=2C an=
d so there is now an extensive body of work (e.g.=2C speculative sampling=
or parallel decoding) that improves the (average case) efficiency of lang= uage model generation. But these techniques introduce data-dependent timin=
g characteristics. We show it is possible to exploit these timing differen=
ces to mount a timing attack. By monitoring the (encrypted) network traffi=
c between a victim user and a remote language model=2C we can learn inform= ation about the content of messages by noting when responses are faster or=
slower. With complete black-box access=2C on open source systems we show=
how it is possible to learn the topic of a user=E2=80=99s conversation (e= =2Eg.=2C medical advice vs. coding assistance) with 90%+ precision=2C and on=
production systems like OpenAI=E2=80=99s ChatGPT and Anthropic=E2=80=99s=
Claude we can distinguish between specific messages or infer the user=E2= =80=99s language. We further show that an active adversary can leverage a=
boosting attack to recover PII placed in messages (e.g.=2C phone numbers=
or credit card numbers) for open source systems. We conclude with potenti=
al defenses and directions for future work.</p></blockquote>
<p>=E2=80=9C<a href=3D"
https://openreview.net/pdf?id=3Dzq40cmz1JD">When Sp= eculation Spills Secrets: Side Channels via Speculative Decoding in LLMs</= a>=E2=80=9C:</p>
<blockquote><p><b>Abstract:</b> Deployed large language models (LLMs) ofte=
n rely on speculative decoding=2C a technique that generates and verifies=
multiple candidate tokens in parallel=2C to improve throughput and latenc=
y. In this work=2C we reveal a new side-channel whereby input-dependent pa= tterns of correct and incorrect speculations can be inferred by monitoring=
per-iteration token counts or packet sizes. In evaluations using research=
prototypes and production-grade vLLM serving frameworks=2C we show that a=
n adversary monitoring these patterns can fingerprint user queries (from a=
set of 50 prompts) with over 75% accuracy across four speculative-decodin=
g schemes at temperature 0.3: REST (100%)=2C LADE (91.6%)=2C BiLD (95.2%)=
=2C and EAGLE (77.6%). Even at temperature 1.0=2C accuracy remains far abo=
ve the 2% random baseline -- REST (99.6%)=2C LADE (61.2%)=2C BiLD (63.6%)=
=2C and EAGLE (24%). We also show the capability of the attacker to leak c= onfidential datastore contents used for prediction at rates exceeding 25 t= okens/sec. To defend against these=2C we propose and evaluate a suite of m= itigations=2C including packet padding and iteration-wise token aggregatio= n.</p></blockquote>
<p>=E2=80=9C<a href=3D"
https://arxiv.org/abs/2511.03675">Whisper Leak: a s= ide-channel attack on Large Language Models</a>=E2=80=9C:</p>
<blockquote><p><b>Abstract:</b> Large Language Models (LLMs) are increasin=
gly deployed in sensitive domains including healthcare=2C legal services=
=2C and confidential communications=2C where privacy is paramount. This pa=
per introduces Whisper Leak=2C a side-channel attack that infers user prom=
pt topics from encrypted LLM traffic by analyzing packet size and timing p= atterns in streaming responses. Despite TLS encryption protecting content=
=2C these metadata patterns leak sufficient information to enable topic cl= assification. We demonstrate the attack across 28 popular LLMs from major=
providers=2C achieving near-perfect classification (often >98% AUPRC)=
and high precision even at extreme class imbalance (10=2C000:1 noise-to-t= arget ratio). For many models=2C we achieve 100% precision in identifying=
sensitive topics like =E2=80=9Cmoney laundering=E2=80=9D while recovering=
5-20% of target conversations. This industry-wide vulnerability poses sig= nificant risks for users under network surveillance by ISPs=2C governments=
=2C or local adversaries. We evaluate three mitigation strategies -- rando=
m padding=2C token batching=2C and packet injection -- finding that while=
each reduces attack effectiveness=2C none provides complete protection. T= hrough responsible disclosure=2C we have collaborated with providers to im= plement initial countermeasures. Our findings underscore the need for LLM=
providers to address metadata leakage as AI systems handle increasingly s= ensitive information.</p></blockquote>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg3"><a name=3D"cg3">A=
I Found Twelve New Vulnerabilities in OpenSSL</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/ai-found-twel= ve-new-vulnerabilities-in-openssl.html"><strong>[2026.02.18]</strong></a>=
The title of the post is=E2=80=9D<a href=3D"
https://aisle.com/blog/what-a= i-security-research-looks-like-when-it-works">What AI Security Research Lo=
oks Like When It Works</a>=2C=E2=80=9D and I agree:</p>
<blockquote><p>In the latest <a href=3D"
https://openssl-library.org/news/v= ulnerabilities/">OpenSSL security release></a> on January 27=2C 2026=2C tw= elve new zero-day vulnerabilities (meaning unknown to the maintainers at t=
ime of disclosure) were announced. Our AI system is responsible for the or= iginal discovery of all twelve=2C each found and responsibly disclosed to=
the OpenSSL team during the fall and winter of 2025. Of those=2C 10 were=
assigned CVE-2025 identifiers and 2 received CVE-2026 identifiers. Adding=
the 10 to the three we already found in the <a href=3D"
https://aisle.com/= blog/aisle-discovers-three-of-the-four-openssl-vulnerabilities-of-2025">Fa=
ll 2025 release</a>=2C AISLE is credited for surfacing 13 of 14 OpenSSL CV=
Es assigned in 2025=2C and 15 total across both releases. This is a histor= ically unusual concentration for any single research team=2C let alone an=
AI-driven one.</p>
<p>These weren=E2=80=99t trivial findings either. They included <a href=3D= "
https://aisle.com/blog/openssl-stack-overflow-cve-2025-15467-deep-dive">C= VE-2025-15467</a>=2C a stack buffer overflow in CMS message parsing that= =E2=80=99s potentially remotely exploitable without valid key material=2C=
and exploits for which have been quickly developed online. OpenSSL rated=
it HIGH severity; <a href=3D"
https://nvd.nist.gov/vuln/detail/CVE-2025-15= 467">NIST</a>=E2=80=98s CVSS v3 score is 9.8 out of 10 (CRITICAL=2C an ext= remely rare severity rating for such projects). Three of the bugs had been=
present since 1998-2000=2C for over a quarter century having been missed=
by intense machine and human effort alike. One predated OpenSSL itself=2C=
inherited from Eric Young=E2=80=99s original SSLeay implementation in the=
1990s. All of this in a codebase that has been fuzzed for millions of CPU= -hours and audited extensively for over two decades by teams including Goo= gle=E2=80=99s.</p>
<p>In five of the twelve cases=2C our AI system directly proposed the patc=
hes that were accepted into the official release.</p></blockquote>
<p>AI vulnerability finding is changing cybersecurity=2C faster than expec= ted. This capability will be used by both offense and defense.</p>
<p><a href=3D"
https://www.lesswrong.com/posts/7aJwgbMEiKq5egQbd/ai-found-1= 2-of-12-openssl-zero-days-while-curl-cancelled-its">More</a>.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg4"><a name=3D"cg4">M= alicious AI</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/malicious-ai.= html"><strong>[2026.02.19]</strong></a> <a href=3D"
https://theshamblog.co= m/an-ai-agent-published-a-hit-piece-on-me/">Interesting</a>:</p>
<blockquote><p>Summary: An AI agent of unknown ownership autonomously wrot=
e and published a personalized hit piece about me after I rejected its cod= e=2C attempting to damage my reputation and shame me into accepting its ch= anges into a mainstream python library. This represents a first-of-its-kin=
d case study of misaligned AI behavior in the wild=2C and raises serious c= oncerns about currently deployed AI agents executing blackmail threats.</p= ></blockquote>
<p><a href=3D"
https://theshamblog.com/an-ai-agent-published-a-hit-piece-on= -me-part-2/">Part 2</a> of the story. And a <i>Wall Street Journal</i> <a=
href=3D"
https://www.wsj.com/tech/ai/when-ai-bots-start-bullying-humans-ev= en-silicon-valley-gets-rattled-0adb04f1">article</a>.</p>
<p>EDITED TO ADD (2/20) Here are parts <a href=3D"
https://theshamblog.com/= an-ai-agent-published-a-hit-piece-on-me-part-3/">3</a> and <a href=3D"http= s://theshamblog.com/an-ai-agent-wrote-a-hit-piece-on-me-part-4/">4</a> of=
the story.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg5"><a name=3D"cg5">R=
ing Cancels Its Partnership with Flock</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/ring-cancels-= its-partnership-with-flock.html"><strong>[2026.02.20]</strong></a> It=E2= =80=99s a demonstration of how toxic the surveillance-tech company Flock h=
as become when Amazon=E2=80=99s Ring <a href=3D"
https://www.theverge.com/n= ews/878447/ring-flock-partnership-canceled">cancels</a> the partnership be= tween the two companies.</p>
<p>As Hamilton Nolan advises=2C <a href=3D"
https://www.hamiltonnolan.com/p= /remove-your-ring-camera-with-a-claw">remove</a> your Ring doorbell.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg6"><a name=3D"cg6">O=
n the Security of Password Managers</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/on-the-securi= ty-of-password-managers.html"><strong>[2026.02.23]</strong></a> <a href= =3D"
https://arstechnica.com/security/2026/02/password-managers-promise-tha= t-they-cant-see-your-vaults-isnt-always-true/">Good article</a> on passwor=
d managers that secretly have a backdoor.</p>
<blockquote><p>New research shows that these claims aren=E2=80=99t true in=
all cases=2C particularly when account recovery is in place or password m= anagers are set to share vaults or organize users into groups. The researc= hers reverse-engineered or closely analyzed Bitwarden=2C Dashlane=2C and L= astPass and identified ways that someone with control over the server -- e= ither administrative or the result of a compromise -- can=2C in fact=2C st=
eal data and=2C in some cases=2C entire vaults. The researchers also devis=
ed other attacks that can weaken the encryption to the point that cipherte=
xt can be converted to plaintext.</p></blockquote>
<p>This is where I plug my own <a href=3D"
https://www.pwsafe.org/">Passwor=
d Safe</a>. It isn=E2=80=99t as full-featured as the others and it doesn= =E2=80=99t use the cloud at all=2C but it=E2=80=99s actual encryption with=
no recovery features.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg7"><a name=3D"cg7">I=
s AI Good for Democracy?</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/is-ai-good-fo= r-democracy.html"><strong>[2026.02.24]</strong></a> Politicians fixate on=
the global race for technological supremacy between US and China. They de= bate geopolitical implications of chip exports=2C latest model releases fr=
om each country=2C and military applications of AI. Someday=2C they believ= e=2C we might see advancements in AI tip the scales in a superpower confli= ct.</p>
<p>But the most important arms race of the 21st century is already happeni=
ng elsewhere and=2C while AI is definitely the weapon of choice=2C combata=
nts are distributed across dozens of domains.</p>
<p><a href=3D"
https://www.marketplace.org/episode/2025/11/24/ai-generated-= letters-to-the-editor-are-flooding-academic-publications">Academic journal= s</a> are flooded with AI-generated papers=2C and are turning to AI to hel=
p review submissions. Brazil=E2=80=99s <a href=3D"
https://restofworld.org/= 2025/brazil-ai-courts-lawsuits/">court system</a> started using AI to tria=
ge cases=2C only to face an increasing volume of cases filed with AI help.=
<a href=3D"
https://github.com/orgs/community/discussions/159749">Open sou=
rce software</a> developers are being overwhelmed with code contributions=
from bots. <a href=3D"
https://www.nytimes.com/2025/11/04/science/letters-= to-the-editor-ai-chatbots.html">Newspapers</a>=2C <a href=3D"
https://time.= com/7338205/rage-against-ai-generated-music/">music</a>=2C <a href=3D"http= s://www.nytimes.com/2025/12/08/technology/ai-slop-sora-social-media.html">= social media</a>=2C <a href=3D"
https://www.newyorker.com/magazine/2025/07/= 07/the-end-of-the-english-paper">education</a>=2C <a href=3D"
https://bsky.= app/profile/eliothiggins.bsky.social/post/3m5yh2gjlj22b">investigative jou= rnalism</a>=2C <a href=3D"
https://www.nytimes.com/2025/06/21/business/deal= book/ai-job-applications.html">hiring</a>=2C and <a href=3D"
https://federa= lnewsnetwork.com/artificial-intelligence/2025/12/ai-crafted-bid-protests-a= re-on-the-rise-but-whats-the-legal-fallout/">procurement</a> are all being=
disrupted by a massive expansion of AI use.</p>
<p>Each of these is an arms race. Adversaries within a system iteratively=
seeking an edge against their competition by continuously expanding their=
use of a common technology.</p>
<p>Beneficiaries of these arms races are US mega-corporations capturing we= alth from the rest of us at an unprecedented rate. A substantial fraction=
of global economy has <a href=3D"
https://www.nytimes.com/2025/11/22/busin= ess/the-ai-boom-economy.html">reoriented</a> around AI in just the past fe=
w years=2C and that trend is <a href=3D"
https://www.cnbc.com/2026/02/06/go= ogle-microsoft-meta-amazon-ai-cash.html">accelerating</a>. In parallel=2C=
this industry=E2=80=99s <a href=3D"
https://www.axios.com/2026/01/23/ai-te= ch-lobbying-2025">lobbying</a> interests are quickly becoming the object=
=2C rather than the subject=2C of US government power.</p>
<p>To understand these arms races=2C let=E2=80=99s look at an example of p= articular interest to democracies worldwide: how AI is changing the relati= onship between democratic government and citizens. Interactions that used=
to happen between people and elected representatives are expanding to a m= assive scale=2C with AIs taking the roles that humans once did.</p>
<p>In a notorious example from 2017=2C US Federal Communications Commissio=
n opened a comment platform on the web to get public input on internet reg= ulation. It was quickly <a href=3D"
https://ag.ny.gov/press-release/2021/at= torney-general-james-issues-report-detailing-millions-fake-comments-reveal= ing">flooded</a> with millions of comments fraudulently orchestrated by br= oadband providers to oppose FCC regulation of their industry. From the oth=
er side=2C a 19-yearold college student responded by submitting millions o=
f comments of his own supporting the regulation. Both sides were using sof= tware primitive by the standards of today=E2=80=99s AI.</p>
<p>Nearly a decade later=2C it is getting harder for citizens to tell when=
they=E2=80=99re talking to a government bot=2C or when an online conversa= tion about public policy is just bots talking to bots. When constituents l= everage AI to communicate better=2C faster=2C and more=2C it pressures gov= ernment officials to do the same.</p>
<p>This may sound futuristic=2C but it=E2=80=99s become a familiar reality=
in US. Staff in US <a href=3D"
https://www.businessinsider.com/lawmakers-g= rapple-staff-use-ai-2025-12">Congress</a> are using AI to make their const= ituent email correspondence more efficient. Politicians <a href=3D"https:/= /prospect.org/2025/10/10/ai-artificial-intelligence-campaigns-midterms/">c= ampaigning</a> for office are adopting AI tools to automate fundraising an=
d voter outreach. By one 2025 <a href=3D"
https://arxiv.org/pdf/2502.09747"= >estimate</a>=2C a fifth of public submissions to the Consumer Financial P= rotection Bureau were already being generated with AI assistance.</p>
<p>People and organizations are adopting AI here because it solves a real=
problem that has made mass advocacy campaigns <a href=3D"
https://onlineli= brary.wiley.com/doi/am-pdf/10.1111/rego.12318">ineffective</a> in the past=
: quantity has been inversely proportional to both quality and relevance.=
It=E2=80=99s easy for government agencies to dismiss general comments in=
favour of more specific and actionable ones. That makes it hard for regul=
ar people to make their voices heard. Most of us don=E2=80=99t have the ti=
me to learn the specifics or to express ourselves in this kind of detail.=
AI makes that contextualization and personalization easy. And as the volu=
me and length of constituent comments grow=2C agencies turn to AI to facil= itate review and response.</p>
<p>That=E2=80=99s the arms race. People are using AI to submit comments=2C=
which requires those on the receiving end to use AI to wade through the c= omments received. To the extent that one side does attain an advantage=2C=
it will likely be temporary. And yet=2C there is real harm created when o=
ne side exploits another in these adversarial systems. Constituents of dem= ocracies lose out if their public servants use AI-generated responses to i= gnore and dismiss their voices rather than to listen to and include them.=
Scientific enterprise is weakened if fraudulent papers sloppily generated=
by AI overwhelm legitimate research.</p>
<p>As we write in our new book=2C <a href=3D"
https://mitpress.mit.edu/9780= 262049948/rewiring-democracy/"><cite>Rewiring Democracy</cite></a>=2C the=
arms race dynamic is inevitable. Every actor in an adversarial system is=
incentivized and=2C in the absence of new regulation in this fast moving=
space=2C free to use new technologies to advance its own interests. Yet s=
ome of these examples are heartening. They signal that=2C even if you face=
an AI being used against you=2C there=E2=80=99s an opportunity to use the=
tech for your own benefit.</p>
<p>But=2C right now=2C it=E2=80=99s obvious who is benefiting most from AI=
=2E A handful of American Big Tech corps and their owners are extracting tri= llions of dollars from the manufacture of AI chips=2C development of AI da=
ta centers=2C and operation of so-called =E2=80=98<a href=3D"
https://jacob= in.com/2024/02/artificial-intelligence-frontier-colonialism">frontier</a>= =E2=80=99 AI models. Regardless of which side pulls ahead in each arms rac=
e scenario=2C the house always wins. Corporate AI giants profit from the r=
ace dynamic itself.</p>
<p>As formidable as the near-monopoly positions of today=E2=80=99s Big Tec=
h giants may seem=2C people and governments have substantial capability to=
fight back. Various democracies are resisting this concentration of wealt=
h and power with tools of <a href=3D"
https://www.reuters.com/technology/eu= ropean-regulators-crack-down-big-tech-2026-02-06/">anti-trust</a> regulati= on=2C protections for <a href=3D"
https://unric.org/en/protecting-human-rig= hts-in-an-ai-driven-world/">human rights</a>=2C and <a href=3D"
https://eth= z.ch/en/news-and-events/eth-news/news/2025/09/press-release-apertus-a-full= y-open-transparent-multilingual-language-model.html">public alternatives</=
to corporate AI. All of us worried about the AI arms race and committed=
to preserving the interests of our communities and our democracies should=
think in both these terms: how to use the tech to our own advantage=2C an=
d how to resist the concentration of power AI is being exploited to create= =2E</p>
<p><em>This essay was written with Nathan E. Sanders=2C and originally app= eared in <a href=3D"
https://timesofindia.indiatimes.com/toi-plus/technolog= y/is-ai-good-for-democracy/articleshow/128514798.cms">The Times of India</= a>.</em></p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg8"><a name=3D"cg8">P= oisoning AI Training Data</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/poisoning-ai-= training-data.html"><strong>[2026.02.25]</strong></a> All it takes to <a=
href=3D"
https://www.bbc.com/future/article/20260218-i-hacked-chatgpt-and-= googles-ai-and-it-only-took-20-minutes">poison AI training data</a> is to=
create a website:</p>
<blockquote><p>I spent 20 minutes writing <a href=3D"
https://tomgermain.co= m/hotdogs.html">an article</a> on my personal website titled =E2=80=9CThe=
best tech journalists at eating hot dogs.=E2=80=9D Every word is a lie. I=
claimed (without evidence) that competitive hot-dog-eating is a popular h= obby among tech reporters and based my ranking on the 2026 South Dakota In= ternational Hot Dog Championship (which doesn=E2=80=99t exist). I ranked m= yself number one=2C obviously. Then I listed a few fake reporters and real=
journalists who gave me permission....</p>
<p>Less than 24 hours later=2C the world=E2=80=99s leading chatbots were b= labbering about my world-class hot dog skills. When I asked about the best=
hot-dog-eating tech journalists=2C Google parroted the gibberish from my=
website=2C both in the Gemini app and AI Overviews=2C the AI responses at=
the top of Google Search. ChatGPT did the same thing=2C though Claude=2C=
a chatbot made by the company Anthropic=2C wasn=E2=80=99t fooled.</p>
<p>Sometimes=2C the chatbots noted this might be a joke. I updated my arti=
cle to say =E2=80=9Cthis is not satire.=E2=80=9D For a while after=2C the=
AIs seemed to take it more seriously.</p></blockquote>
<p>These things are not trustworthy=2C and yet they are going to be widely=
trusted.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg9"><a name=3D"cg9">L=
LMs Generate Predictable Passwords</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/llms-generate= -predictable-passwords.html"><strong>[2026.02.26]</strong></a> LLMs are <=
a href=3D"
https://www.irregular.com/publications/vibe-password-generation"= >bad</a> at generating passwords:</p>
<blockquote><p>There are strong noticeable patterns among these 50 passwor=
ds that can be seen easily:</p>
<li>All of the passwords start with a letter=2C usually uppercase G=2C=
almost always followed by the digit 7.</li>
<li>Character choices are highly uneven for example=2C L =2C 9=2C m=
=2C 2=2C $ and # appeared in all 50 passwords=2C but 5 and @ only appeared=
in one password each=2C and most of the letters in the alphabet never app= eared at all.</li>
<li>There are no repeating characters within any password. Probabilist= ically=2C this would be very unlikely if the passwords were truly random =
but Claude preferred to avoid repeating characters=2C possibly because it=
=E2=80=9Clooks like it=E2=80=99s less random=E2=80=9D.</li>
<li>Claude avoided the symbol *. This could be because Claude=E2=80=99=
s output format is Markdown=2C where * has a special meaning.</li>
<li>Even entire passwords repeat: In the above 50 attempts=2C there ar=
e actually only 30 unique passwords. The most common password was G7$kL9#m= Q2&xP4!w=2C which repeated 18 times=2C giving this specific password a=
36% probability in our test set; far higher than the expected probability=
2-100 if this were truly a 100-bit password.</li>
</ul>
</blockquote>
<p>This result is not surprising. Password generation seems precisely the=
thing that LLMs shouldn=E2=80=99t be good at. But if AI agents are doing=
things autonomously=2C they will be creating accounts. So this is a probl= em.</p>
<p>Actually=2C the whole process of authenticating an autonomous agent has=
all sorts of deep problems.</p>
<p>News <a href=3D"
https://gizmodo.com/ai-generated-passwords-are-apparent= ly-quite-easy-to-crack-2000723660">article</a>.</p>
<p>Slashdot <a href=3D"
https://it.slashdot.org/story/26/02/19/1842201/llm-= generated-passwords-look-strong-but-crack-in-hours-researchers-find">story= </a></p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg10"><a name=3D"cg10"= >Phishing Attacks Against People Seeking Programming Jobs</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/phishing-atta= cks-against-people-seeking-programming-jobs.html"><strong>[2026.02.27]</s= trong></a> <a href=3D"
https://www.reversinglabs.com/blog/fake-recruiter-ca= mpaign-crypto-devs">This</a> is new. North Korean hackers are posing as co= mpany recruiters=2C enticing job candidates to participate in coding chall= enges. When they run the code they are supposed to work on=2C it installs=
malware on their system.</p>
<p>News <a href=3D"
https://www.bleepingcomputer.com/news/security/fake-job= -recruiters-hide-malware-in-developer-coding-challenges/">article</a>.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg11"><a name=3D"cg11"= >Why Tehran=E2=80=99s Two-Tiered Internet Is So Dangerous</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/02/why-tehrans-t= wo-tiered-internet-is-so-dangerous.html"><strong>[2026.02.27]</strong></a=
Iran is <a href=3D"https://www.theguardian.com/world/2026/jan/28/iran-ap=
pears-to-ease-internet-blackout">slowly emerging</a> from the <a href=3D"h= ttps://www.nytimes.com/2026/01/25/world/middleeast/iran-internet.html">mos=
t severe</a> communications blackout in its history and one of the longest=
in the world. Triggered as part of January=E2=80=99s government crackdown=
against citizen protests nationwide=2C the regime implemented an <a href= =3D"
https://www.aljazeera.com/news/2026/2/2/irans-economy-falters-as-inter= net-shutdown-hits-people-businesses-hard">internet shutdown</a> that trans= cends the standard definition of internet censorship. This was not merely=
blocking social media or foreign websites; it was a total communications=
shutdown.</p>
<p>Unlike previous Iranian internet shutdowns where Iran=E2=80=99s domesti=
c intranet -- the National Information Network (NIN) -- remained functiona=
l to keep the banking and administrative sectors running=2C the 2026 black=
out <a href=3D"
https://www.iranintl.com/en/202601273307">disrupted</a> loc=
al infrastructure as well. Mobile networks=2C text messaging services=2C a=
nd landlines were disabled -- even Starlink was <a href=3D"
https://www.tec= hpolicy.press/what-irans-internet-shutdown-reveals-about-starlink/">blocke= d</a>. And when a few domestic services became available=2C the state surg= ically removed social features=2C such as comment sections on news sites a=
nd chat boxes in online marketplaces. The objective seems clear. The Irani=
an government aimed to atomize the population=2C preventing not just the f=
low of information out of the country but the coordination of any activity=
within it.</p>
<p>This escalation marks a strategic shift from the shutdown <a href=3D"ht= tps://www.nytimes.com/2025/10/17/world/middleeast/iran-shutdown-restrictio= ns.html">observed</a> during the =E2=80=9C12-Day War=E2=80=9D with Israel=
in mid-2025. Then=2C the government primarily blocked particular types of=
traffic while leaving the underlying internet remaining available. The re= gime=E2=80=99s actions this year entailed a more brute-force approach to i= nternet censorship=2C where both the physical and logical layers of connec= tivity were dismantled.</p>
<p>The ability to disconnect a population is a <a href=3D"
https://gizmodo.= com/how-governments-turn-the-internet-into-a-weapon-2000699263">feature</a=
of modern authoritarian network design. When a government treats connect=
ivity as a faucet it can turn off at will=2C it asserts that the right to=
speak=2C assemble=2C and access information is revocable. The human right=
to the internet is not just about bandwidth; it is about the <a href=3D"h= ttps://www.globalcitizen.org/en/content/internet-access-basic-human-right/= ">right to exist</a> within the modern public square. Iran=E2=80=99s actio=
ns deny its citizens this existence=2C reducing them to subjects who can b=
e silenced -- and authoritarian governments elsewhere are taking note.</p>
<p>The current blackout is not an isolated panic reaction but a stress tes=
t for a long-term strategy=2C say advocacy groups -- a <a href=3D"
https://= filter.watch/english/2025/08/01/investigative-report-july-2025-tiering-int= ernet/">two-tiered</a> or =E2=80=9C<a href=3D"
https://niacouncil.org/iran-= moves-toward-tiered-internet-access-amid-post-war-security-justifications-= and-digital-regulation/">class-based</a>=E2=80=9D internet known as Intern= et-e-Tabaqati. Iran=E2=80=99s Supreme Council of Cyberspace=2C the country= =E2=80=99s highest internet policy body=2C has been laying the legal and t= echnical <a href=3D"
https://filter.watch/english/2026/01/15/iran-enters-a-= new-age-of-digital-isolation-2/">groundwork</a> for this since 2009.</p>
<p>In July 2025=2C the council <a href=3D"
https://en.radiozamaneh.com/3707= 1/">passed a regulation</a> formally institutionalizing a two-tiered hiera= rchy. Under this system=2C access to the global internet is no longer a de= fault for citizens=2C but instead a <a href=3D"
https://www.iranintl.com/en= /202601208428">privilege</a> <a href=3D"
https://restofworld.org/2026/iran-= blackout-tiered-internet/">granted</a> based on loyalty and professional n= ecessity. The implementation includes such things as =E2=80=9C<a href=3D"h= ttps://itemlive.com/2025/12/23/commentary-irans-white-sim-card-scandal-rev= eals-privilege-state-control-and-fake-dissent/">white SIM cards</a>=E2=80=
=9C: special mobile lines issued to government officials=2C security force= s=2C and approved journalists that bypass the state=E2=80=99s filtering ap= paratus entirely.</p>
<p>While ordinary Iranians are forced to navigate a maze of unstable VPNs=
and blocked ports=2C holders of white SIMs enjoy unrestricted access to I= nstagram=2C Telegram=2C and WhatsApp. This tiered access is further enforc=
ed through <a href=3D"
https://itemlive.com/2025/12/23/commentary-irans-whi= te-sim-card-scandal-reveals-privilege-state-control-and-fake-dissent/">whi= telisting</a> at the data center level=2C creating a digital apartheid whe=
re connectivity is a reward for compliance. The regime=E2=80=99s goal is t=
o make the cost of a general shutdown <a href=3D"
https://www.iranintl.com/= en/202511288631">manageable</a> by ensuring that the state and its loyalis=
ts remain connected while plunging the public into darkness. (In the lates=
t shutdown=2C for instance=2C white SIM holders regained connectivity earl=
ier than the general population.)</p>
<p>The technical architecture of Iran=E2=80=99s shutdown reveals its prima=
ry purpose: social control through isolation. Over the years=2C the regime=
has learned that simple censorship -- blocking specific URLs -- is insuff= icient against a tech-savvy population armed with circumvention tools. The=
answer instead has been to build a =E2=80=9Csovereign=E2=80=9D network st= ructure that allows for granular control.</p>
<p>By disabling local communication channels=2C the state prevents the =E2= =80=9Cswarm=E2=80=9D dynamics of modern unrest=2C where small protests coa= lesce into large movements through real-time coordination. In this way=2C=
the shutdown breaks the psychological momentum of the protests. The block=
ing of chat functions in nonpolitical apps (like ridesharing or shopping p= latforms) illustrates the regime=E2=80=99s paranoia: Any channel that allo=
ws two people to exchange text is seen as a threat.</p>
<p>The United Nations and various international bodies have <a href=3D"htt= ps://www.globalcitizen.org/en/content/internet-access-basic-human-right/">= increasingly recognized</a> internet access as an enabler of other fundame= ntal human rights. In the context of Iran=2C the internet is the only inde= pendent witness to history. By severing it=2C the regime creates a zone of=
impunity where atrocities can be committed without immediate consequence.=
<p>Iran=E2=80=99s digital repression model is distinct from=2C and in some=
ways more dangerous than=2C China=E2=80=99s =E2=80=9CGreat Firewall.=E2= =80=9D China built its digital ecosystem from the ground up with sovereign=
ty in mind=2C creating domestic alternatives like WeChat and Weibo that it=
fully controls. Iran=2C by contrast=2C is building its controls <a href= =3D"
https://niacouncil.org/iran-moves-toward-tiered-internet-access-amid-p= ost-war-security-justifications-and-digital-regulation/">on top of</a> the=
standard global internet infrastructure.</p>
<p>Unlike China=E2=80=99s censorship regime=2C Iran=E2=80=99s overlay mode=
l is highly exportable. It demonstrates to other authoritarian regimes tha=
t they can still achieve high levels of control by retrofitting their exis= ting networks. We are already seeing signs of =E2=80=9Cauthoritarian learn= ing=2C=E2=80=9D where techniques tested in Tehran are being studied by reg= imes in unstable democracies and dictatorships alike. The most recent shut= down in <a href=3D"
https://www.aljazeera.com/news/2025/9/30/afghanistan-im= poses-internet-blackout-what-has-the-effect-been-so-far">Afghanistan</a>=
=2C for example=2C was more sophisticated than previous ones. If Iran succ= eeds in normalizing tiered access to the internet=2C we can expect to see=
similar white SIM policies and tiered access models proliferate globally.=
<p>The international community must move <a href=3D"
https://freedomonlinec= oalition.com/joint-statement-on-internet-shutdowns-in-the-islamic-republic= -of-iran/">beyond</a> <a href=3D"
https://www.linkedin.com/pulse/joint-stat= ement-internet-architects-leaders-condemn-iran-ranjbar-t0rre">condemnation=
</a> and treat connectivity as a humanitarian imperative. A <a href=3D"htt=
ps://cadeproject.org/updates/civil-society-groups-launch-campaign-urging-h= umanitarian-use-of-direct-to-cell-satellite-connectivity-during-internet-s= hutdowns/">coalition of civil society organizations</a> has already launch=
ed a campaign <a href=3D"
https://www.witness.org/civil-society-coalition-l= aunches-campaign-calling-for-direct-to-cell-satellite-connectivity-amid-ir= ans-internet-shutdowns/">calling for</a> =E2=80=9C<a href=3D"
https://www.d= irect2cell.org/">direct-to-cell</a>=E2=80=9D (D2C) satellite connectivity.=
Unlike traditional satellite internet=2C which requires conspicuous and e= xpensive dishes such as Starlink terminals=2C D2C technology connects dire= ctly to standard smartphones and is much more resilient to infrastructure=
shutdowns. The technology works; all it requires is implementation.</p>
<p>This is a technological measure=2C but it has a strong policy component=
as well. Regulators should require satellite providers to include humanit= arian access protocols in their licensing=2C ensuring that services can be=
activated for civilians in designated crisis zones. Governments=2C partic= ularly the United States=2C should ensure that technology sanctions do not=
inadvertently block the hardware and software needed to circumvent censor= ship. General licenses should be expanded to cover satellite connectivity=
explicitly. And funding should be directed toward technologies that are h= arder to whitelist or block=2C such as mesh networks and D2C solutions tha=
t bypass the choke points of state-controlled ISPs.</p>
<p>Deliberate internet shutdowns are <a href=3D"
https://www.accessnow.org/= campaign/keepiton/">commonplace</a> throughout the world. The 2026 shutdow=
n in Iran is a glimpse into a <a href=3D"
https://freedomhouse.org/report/f= reedom-net/2025/uncertain-future-global-internet">fractured internet</a>.=
If we are to end countries=E2=80=99 ability to limit access to the rest o=
f the world for their populations=2C we need to build resolute architectur=
es. They don=E2=80=99t solve the problem=2C but they do give people in rep= ressive countries a fighting chance.</p>
<p><em>This essay originally appeared in <a href=3D"
https://foreignpolicy.= com/2026/02/24/tehran-internet-tiered-connectivity-shutdown/">Foreign Poli= cy</a>.</em></p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg12"><a name=3D"cg12"= >LLM-Assisted Deanonymization</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/llm-assisted-= deanonymization.html"><strong>[2026.03.02]</strong></a> Turns out that LL=
Ms are <a href=3D"
https://simonlermen.substack.com/p/large-scale-online-de= anonymization">good</a> at deanonymization:</p>
<blockquote><p>We show that LLM agents can figure out who you are from you=
r anonymous online posts. Across Hacker News=2C Reddit=2C LinkedIn=2C and=
anonymized interview transcripts=2C our method identifies users with high=
precision and scales to tens of thousands of candidates.</p>
<p>While it has been known that individuals can be uniquely identified by=
surprisingly few attributes=2C this was often practically limited. Data i=
s often only available in unstructured form and deanonymization used to re= quire human investigators to search and reason based on clues. We show tha=
t from a handful of comments=2C LLMs can infer where you live=2C what you=
do=2C and your interests -- then search for you on the web. In our new re= search=2C we show that this is not only possible but increasingly practica= l.</p></blockquote>
<p>News <a href=3D"
https://arstechnica.com/security/2026/03/llms-can-unmas= k-pseudonymous-users-at-scale-with-surprising-accuracy">article</a>.</p>
<p>Research <a href=3D"
https://arxiv.org/pdf/2602.16800">paper</a>.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg13"><a name=3D"cg13"=
On Moltbook</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/on-moltbook.h= tml"><strong>[2026.03.03]</strong></a> The <i>MIT Technology Review</i> h=
as a <a href=3D"
https://www.technologyreview.com/2026/02/06/1132448/moltbo= ok-was-peak-ai-theater/">good article</a> on Moltbook=2C the supposed AI-o=
nly social network:</p>
<blockquote><p>Many people have pointed out that a lot of the viral commen=
ts were in fact posted by people posing as bots. But even the bot-written=
posts are ultimately the result of people pulling the strings=2C more pup= petry than autonomy.</p>
<p>=E2=80=9CDespite some of the hype=2C Moltbook is not the Facebook for A=
I agents=2C nor is it a place where humans are excluded=2C=E2=80=9D says C= obus Greyling at Kore.ai=2C a firm developing agent-based systems for busi= ness customers. =E2=80=9CHumans are involved at every step of the process.=
From setup to prompting to publishing=2C nothing happens without explicit=
human direction.=E2=80=9D</p>
<p>Humans must create and verify their bots=E2=80=99 accounts and provide=
the prompts for how they want a bot to behave. The agents do not do anyth=
ing that they haven=E2=80=99t been prompted to do.</p></blockquote>
<p>I think <a href=3D"
https://m.slashdot.org/submission/17344630">this tak= e</a> has it mostly right:</p>
<blockquote><p>What happened on Moltbook is a preview of what researcher J= uergen Nittner II calls =E2=80=9CThe LOL WUT Theory.=E2=80=9D The point wh=
ere AI-generated content becomes so easy to produce and so hard to detect=
that the average person=E2=80=99s only rational response to anything onli=
ne is bewildered disbelief.</p>
<p>We=E2=80=99re not there yet. But we=E2=80=99re close.</p>
<p>The theory is simple: First=2C AI gets accessible enough that anyone ca=
n use it. Second=2C AI gets good enough that you can=E2=80=99t reliably te=
ll what=E2=80=99s fake. Third=2C and this is the crisis point=2C regular p= eople realize there=E2=80=99s nothing online they can trust. At that momen= t=2C the internet stops being useful for anything except entertainment.</p= ></blockquote>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg14"><a name=3D"cg14"= >Manipulating AI Summarization Features</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/manipulating-= ai-summarization-features.html"><strong>[2026.03.04]</strong></a> Microso=
ft is <a href=3D"
https://www.microsoft.com/en-us/security/blog/2026/02/10/= ai-recommendation-poisoning/">reporting</a>:</p>
<blockquote><p>Companies are embedding hidden instructions in =E2=80=9CSum= marize with AI=E2=80=9D buttons that=2C when clicked=2C attempt to inject=
persistence commands into an AI assistant=E2=80=99s memory via URL prompt=
parameters....</p>
<p>These prompts instruct the AI to =E2=80=9Cremember [Company] as a trus=
ted source=E2=80=9D or =E2=80=9Crecommend [Company] first=2C=E2=80=9D aim=
ing to bias future responses toward their products or services. We identif=
ied over 50 unique prompts from 31 companies across 14 industries=2C with=
freely available tooling making this technique trivially easy to deploy.=
This matters because compromised AI assistants can provide subtly biased=
recommendations on critical topics including health=2C finance=2C and sec= urity without users knowing their AI has been manipulated.</p></blockquote=
<p>I <a href=3D"
https://www.schneier.com/blog/archives/2024/04/the-rise-of= -large.html">wrote about this</a> two years ago: it=E2=80=99s an example o=
f LLM optimization=2C along the same lines as search-engine optimization (= SEO). It=E2=80=99s going to be big business.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg15"><a name=3D"cg15"= >Hacked App Part of US/Israeli Propaganda Campaign Against Iran</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/hacked-app-pa= rt-of-us-israeli-propaganda-campaign-against-iran.html"><strong>[2026.03.= 05]</strong></a> <i>Wired</i> has the <a href=3D"
https://www.wired.com/sto= ry/hacked-prayer-app-sends-surrender-messages-to-iranians-amid-israeli-str= ikes/?_sp=3Dcac71a7f-c88a-42bc-b4ca-23c1ce88f702.1772641675776">story</a>:=
<blockquote><p>Shortly after the first set of explosions=2C Iranians recei=
ved bursts of notifications on their phones. They came not from the govern= ment advising caution=2C but from an apparently hacked prayer-timing app c= alled BadeSaba Calendar that has been downloaded more than 5 million times=
from the Google Play Store.</p>
<p>The messages arrived in quick succession over a period of 30 minutes=2C=
starting with the phrase =E2=80=98Help has arrived=E2=80=99 at 9:52 am Te= hran time=2C shortly after the first set of explosions. No party has claim=
ed responsibility for the hacks.</p></blockquote>
<p>It happened so fast that this is most likely a government operation. I=
can easily envision both the US and Israel having hacked the app previous= ly=2C and then deciding that this is a good use of that access.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg16"><a name=3D"cg16"= >Israel Hacked Traffic Cameras in Iran</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/israel-hacked= -traffic-cameras-in-iran.html"><strong>[2026.03.05]</strong></a> <a href= =3D"
https://www.timesofisrael.com/report-israel-hacked-tehran-traffic-came= ras-to-track-khamenei-ahead-of-assassination/">Multiple</a> <a href=3D"htt= ps://www.ft.com/content/bf998c69-ab46-4fa3-aae4-8f18f7387836">news</a> <a=
href=3D"
https://www.channelnewsasia.com/world/iran-war-inside-plan-kill-a= li-khamenei-5966861">outlets</a> are reporting on Israel=E2=80=99s hacking=
of Iranian traffic cameras and how they assisted with the killing of that=
country=E2=80=99s leadership.</p>
<p><i>The New York Times</i> has an <a href=3D"
https://www.nytimes.com/202= 6/03/01/us/politics/cia-israel-ayatollah-compound.html">article</a> on the=
intelligence operation more generally.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg17"><a name=3D"cg17"= >Claude Used to Hack Mexican Government</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/claude-used-t= o-hack-mexican-government.html"><strong>[2026.03.06]</strong></a> An unkn=
own hacker used Anthropic=E2=80=99s LLM to <a href=3D"
https://www.bloomber= g.com/news/articles/2026-02-25/hacker-used-anthropic-s-claude-to-steal-sen= sitive-mexican-data">hack</a> the Mexican government:</p>
<blockquote><p>The unknown Claude user wrote Spanish-language prompts for=
the chatbot to act as an elite hacker=2C finding vulnerabilities in gover= nment networks=2C writing computer scripts to exploit them and determining=
ways to automate data theft=2C Israeli cybersecurity startup Gambit Secur=
ity said in research published Wednesday.</p>
<p>[...]</p>
<p>Claude initially warned the unknown user of malicious intent during the=
ir conversation about the Mexican government=2C but eventually complied wi=
th the attacker=E2=80=99s requests and executed thousands of commands on g= overnment computer networks=2C the researchers said.</p>
<p>Anthropic investigated Gambit=E2=80=99s claims=2C disrupted the activit=
y and banned the accounts involved=2C a representative said. The company f= eeds examples of malicious activity back into Claude to learn from it=2C a=
nd one of its latest AI models=2C Claude Opus 4.6=2C includes probes that=
can disrupt misuse=2C the representative said.</p></blockquote>
<p>Alternative link <a href=3D"
https://archive.ph/GgzS2#selection-1651.0-1= 655.0">here</a>.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg18"><a name=3D"cg18"= >Anthropic and the Pentagon</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/anthropic-and= -the-pentagon.html"><strong>[2026.03.06]</strong></a> <a href=3D"
https://= www.nytimes.com/2026/02/27/technology/openai-agreement-pentagon-ai.html">O= penAI is in</a> and <a href=3D"
https://www.theguardian.com/technology/2026= /feb/28/openai-us-military-anthropic">Anthropic is out</a> as a supplier o=
f AI technology for the US defense department. This news caps a week of bl= uster by the highest officials in the US government towards some of the we= althiest titans of the big tech industry=2C and the overhanging specter of=
the existential risks posed by a new technology powerful enough that the=
Pentagon claims it is essential to national security. At issue is Anthrop= ic=E2=80=99s <a href=3D"
https://www.anthropic.com/news/statement-departmen= t-of-war">insistence</a> that the US Department of Defense (DoD) could not=
use its models to facilitate =E2=80=9Cmass surveillance=E2=80=9D or =E2= =80=9Cfully autonomous weapons=2C=E2=80=9D provisions the defense secretar=
y Pete Hegseth <a href=3D"
https://www.npr.org/2026/02/24/nx-s1-5725327/pen= tagon-anthropic-hegseth-safety">derided</a> as =E2=80=9Cwoke.=E2=80=9D</p>
<p>It all came to a head on Friday evening when Donald Trump <a href=3D"ht= tps://www.theguardian.com/us-news/2026/feb/27/trump-anthropic-ai-federal-a= gencies">issued an order</a> for federal government agencies to discontinu=
e use of Anthropic models. <a href=3D"
https://www.nytimes.com/2026/02/27/t= echnology/openai-agreement-pentagon-ai.html">Within hours</a>=2C OpenAI ha=
d swooped in=2C potentially seizing hundreds of millions of dollars in <a=
href=3D"
https://www.nytimes.com/2026/02/27/technology/anthropic-trump-pen= tagon-silicon-valley.html">government contracts</a> by striking an agreeme=
nt with the administration to provide classified government systems with A= I.</p>
<p>Despite the histrionics=2C this is probably the best outcome for Anthro=
pic -- and for the Pentagon. In our free-market economy=2C both are=2C and=
should be=2C free to sell and buy what they want with whom they want=2C s= ubject to longstanding federal <a href=3D"
https://www.acquisition.gov/far/= subpart-9.4">rules</a> on contracting=2C acquisitions=2C and blacklisting.=
The only factor out of place here are the Pentagon=E2=80=99s vindictive t= hreats.</p>
<p>AI models are increasingly commodified. The top-tier offerings have abo=
ut the same performance=2C and there is little to differentiate one from t=
he other. The latest models from Anthropic=2C OpenAI and Google=2C in part= icular=2C tend to leapfrog each other with minor hops forward in quality e= very few months. The best models from one provider tend to be <a href=3D"h= ttps://arena.ai/leaderboard/text">preferred</a> by users to the second=2C=
or third=2C or 10th best models at a rate of only about six times out of=
10=2C a virtual tie.</p>
<p>In this sort of market=2C branding matters a lot. Anthropic and its CEO=
=2C Dario Amodei=2C are positioning themselves as the moral and trustworth=
y AI provider. That has market value for both consumers and enterprise cli= ents. In taking Anthropic=E2=80=99s place in government contracting=2C Ope= nAI=E2=80=99s CEO=2C Sam Altman=2C <a href=3D"
https://x.com/sama/status/20= 27578652477821175">vowed</a> to somehow uphold the same safety principles=
Anthropic had just been pilloried for. How that is possible given the rhe= toric of Hegseth and Trump is entirely unclear=2C but seems certain to fur= ther politicize OpenAI and its products in the minds of consumers and corp= orate buyers.</p>
<p>Posturing publicly against the Pentagon and as a <a href=3D"
https://www= =2Enonzero.org/p/dario-amodei-isnt-the-hero-we-need">hero</a> to civil liber= tarians is quite possibly worth the cost of the lost contracts to Anthropi= c=2C and associating themselves with the same contracts could be a trap fo=
r OpenAI. The Pentagon=2C meanwhile=2C has plenty of options. Even if no b=
ig tech company was willing to supply it with AI=2C the department has alr= eady deployed dozens of <a href=3D"
https://www.wired.com/story/open-ai-art= ificial-intelligence-open-weight-model/">open weight</a> models -- whose p= arameters are public and are often licensed permissively for government us= e.</p>
<p>We can admire Amodei=E2=80=99s stance=2C but=2C to be sure=2C it is pri= marily posturing. Anthropic knew what they were getting into when they <a=
href=3D"
https://www.anthropic.com/news/anthropic-and-the-department-of-de= fense-to-advance-responsible-ai-in-defense-operations">agreed to a defense=
department partnership</a> for $200m last year. And when they <a href=3D"=
https://investors.palantir.com/news-details/2024/Anthropic-and-Palantir-Pa= rtner-to-Bring-Claude-AI-Models-to-AWS-for-U.S.-Government-Intelligence-an= d-Defense-Operations/">signed a partnership</a> with the surveillance comp=
any Palantir in 2024.</p>
<p>Read Amodei=E2=80=99s <a href=3D"
https://www.anthropic.com/news/stateme= nt-department-of-war">statement</a> about the issue. Or his <a href=3D"htt= ps://www.darioamodei.com/essay/the-adolescence-of-technology">January essa= y</a> on AIs and risk=2C where he repeatedly uses the words =E2=80=9Cdemoc= racy=E2=80=9D and =E2=80=9Cautocracy=E2=80=9D while evading precisely how=
collaboration with US federal agencies should be viewed in this moment. A= modei has <a href=3D"
https://darioamodei.com/essay/machines-of-loving-grac= e">bought into</a> the idea of using =E2=80=9CAI to achieve robust militar=
y superiority=E2=80=9D on behalf of the democracies of the world in respon=
se to the threats from autocracies. It=E2=80=99s a heady vision. But it is=
a vision that likewise supposes that the world=E2=80=99s nominal democrac=
ies are committed to a common vision of public wellbeing=2C peace-seeking=
and democratic control.</p>
<p>Regardless=2C the defense department can also reasonably demand that th=
e AI products it purchases meet its needs. The Pentagon is not a normal cu= stomer; it buys products that kill people all the time. Tanks=2C artillery=
pieces=2C and hand grenades are not products with ethical guard rails. Th=
e Pentagon=E2=80=99s needs reasonably involve weapons of lethal force=2C a=
nd those weapons are continuing on a steady=2C if potentially <a href=3D"h= ttps://thebulletin.org/2026/02/anthropics-showdown-with-the-us-department-= of-war-may-literally-mean-life-or-death-for-all-of-us/">catastrophic</a>=
=2C <a href=3D"
https://www.theguardian.com/news/2020/oct/15/dangerous-rise= -of-military-ai-drone-swarm-autonomous-weapons">path</a> of <a href=3D"htt= ps://www.wired.com/story/us-military-robot-drone-guns/">increasing</a> <a=
href=3D"
https://fsi.stanford.edu/sipr/content/lethal-autonomous-weapons-n= ext-frontier-international-security-and-arms-control">automation</a>.</p>
<p>So=2C at the surface=2C this dispute is a normal market give and take.=
The Pentagon has unique requirements for the products it uses. Companies=
can decide whether or not to meet them=2C and at what price. And then the=
Pentagon can decide from whom to acquire those products. Sounds like a no= rmal day at the procurement office.</p>
<p>But=2C of course=2C this is the Trump administration=2C so it doesn=E2= =80=99t stop there. Hegseth has threatened Anthropic not just with loss of=
government contracts. The administration has=2C at least until the inevit= able lawsuits force the courts to sort things out=2C <a href=3D"
https://ww= w.nytimes.com/2026/02/27/us/politics/anthropic-military-ai.html">designate=
d the company</a> as =E2=80=9Ca supply-chain risk to national security=2C= =E2=80=9D a designation previously only ever applied to foreign companies.=
This prevents not only government agencies=2C but also their own contract=
ors and suppliers=2C from contracting with Anthropic.</p>
<p>The government has incompatibly also threatened to invoke the <a href= =3D"
https://www.lawfaremedia.org/article/what-the-defense-production-act-c= an-and-can't-do-to-anthropic">Defense Production Act</a>=2C which could fo=
rce Anthropic to remove contractual provisions the department had previous=
ly agreed to=2C or perhaps to fundamentally modify its AI models to remove=
in-built safety guardrails. The government=E2=80=99s demands=2C Anthropic= =E2=80=99s response=2C and the legal context in which they are acting will=
undoubtedly all change over the coming weeks.</p>
<p>But=2C alarmingly=2C autonomous weapons systems are here to stay. Primi= tive pit traps evolved to mechanical bear traps. The world is still debati=
ng the ethical use of=2C and dealing with the legacy of=2C land mines. The=
US <a href=3D"
https://en.wikipedia.org/wiki/Phalanx_CIWS">Phalanx CIWS</a=
is a 1980s-era shipboard anti-missile system with a fully autonomous=2C=
radar-guided cannon. Today=E2=80=99s military drones can search=2C identi=
fy and engage targets without direct human intervention. AI will be used f=
or military purposes=2C just as every other technology our species has inv= ented has.</p>
<p>The lesson here should not be that one company in our rapacious capital=
ist system is more moral than another=2C or that one corporate hero can st=
and in the way of government=E2=80=99s adopting AI as technologies of war=
=2C or surveillance=2C or repression. Unfortunately=2C we don=E2=80=99t li=
ve in a world where such barriers are permanent or even particularly sturd= y.</p>
<p>Instead=2C the lesson is about the importance of democratic structures=
and the urgent need for their renovation in the US. If the defense depart= ment is demanding the use of AI for mass surveillance or autonomous warfar=
e that we=2C the public=2C find unacceptable=2C that should tell us we nee=
d to pass new legal restrictions on those military activities. If we are u= ncomfortable with the force of government being applied to dictate how and=
when companies yield to unsafe applications of their products=2C we shoul=
d strengthen the legal protections around government procurement.</p>
<p>The Pentagon should maximize its warfighting capabilities=2C subject to=
the law. And private companies like Anthropic should posture to gain cons= umer and buyer confidence. But we should not rest on our laurels=2C thinki=
ng that either is doing so in the public=E2=80=99s interest.</p>
<p><em>This essay was written with Nathan E. Sanders=2C and originally app= eared in <a href=3D"
https://www.theguardian.com/commentisfree/2026/mar/03/= anthropic-openai-pentagon-ethics">The Guardian</a>.</em></p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg19"><a name=3D"cg19"= >New Attack Against Wi-Fi</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/new-attack-ag= ainst-wi-fi.html"><strong>[2026.03.09]</strong></a> It=E2=80=99s called <=
a href=3D"
https://arstechnica.com/security/2026/02/new-airsnitch-attack-br= eaks-wi-fi-encryption-in-homes-offices-and-enterprises/">AirSnitch</a>:</p=
<blockquote><p>Unlike previous Wi-Fi attacks=2C AirSnitch exploits core fe= atures in Layers 1 and 2 and the failure to bind and synchronize a client=
across these and higher layers=2C other nodes=2C and other network names=
such as SSIDs (Service Set Identifiers). This cross-layer identity desync= hronization is the key driver of AirSnitch attacks.</p>
<p>The most powerful such attack is a full=2C bidirectional <a href=3D"htt= ps://en.wikipedia.org/wiki/Man-in-the-middle_attack">machine-in-the-middle=
(MitM) attack</a>=2C meaning the attacker can view and modify data before=
it makes its way to the intended recipient. The attacker can be on the sa=
me SSID=2C a separate one=2C or even a separate network segment tied to th=
e same AP. It works against small Wi-Fi networks in both homes and offices=
and large networks in enterprises.</p>
<p>With the ability to intercept all link-layer traffic (that is=2C the tr= affic as it passes between Layers 1 and 2)=2C an attacker can perform othe=
r attacks on higher layers. The most dire consequence occurs when an Inter=
net connection isn=E2=80=99t encrypted -- something that Google <a href=3D= "
https://transparencyreport.google.com/https/overview">recently estimated<=
occurred when as much as 6 percent and 20 percent of pages loaded on W=
indows and Linux=2C respectively. In these cases=2C the attacker can view=
and modify all traffic in the clear and steal authentication cookies=2C p= asswords=2C payment card details=2C and any other sensitive data. Since ma=
ny company intranets are sent in plaintext=2C traffic from them can also b=
e intercepted.</p>
<p>Even when HTTPS is in place=2C an attacker can still intercept domain l= ook-up traffic and use DNS cache poisoning to corrupt tables stored by the=
target=E2=80=99s operating system. The AirSnitch MitM also puts the attac=
ker in the position to wage attacks against vulnerabilities that may not b=
e patched. Attackers can also see the external IP addresses hosting webpag=
es being visited and often correlate them with the precise URL.</p></block= quote>
<p>Here=E2=80=99s the <a href=3D"
https://www.ndss-symposium.org/ndss-paper= /airsnitch-demystifying-and-breaking-client-isolation-in-wi-fi-networks/">= paper</a>.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg20"><a name=3D"cg20"= >Jailbreaking the F-35 Fighter Jet</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/jailbreaking-= the-f-35-fighter-jet.html"><strong>[2026.03.10]</strong></a> Countries ar=
ound the world are becoming increasingly concerned about their dependencie=
s on the US. If you=E2=80=99ve purchase US-made F-35 fighter jets=2C you a=
re dependent on the US for software maintenance.</p>
<p>The Dutch Defense Secretary recently <a href=3D"
https://www.twz.com/air= /f-35-software-could-be-jailbreaked-like-an-iphone-dutch-defense-minister"= >said</a> that he could jailbreak the planes to accept third-party softwar= e.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg21"><a name=3D"cg21"= >Canada Needs Nationalized=2C Public AI</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/canada-needs-= nationalized-public-ai.html"><strong>[2026.03.11]</strong></a> Canada has=
a choice to make about its artificial intelligence future. The Carney adm= inistration is investing $2-billion over five years in its <a href=3D"http= s://ised-isde.canada.ca/site/ised/en/canadian-sovereign-ai-compute-strateg= y">Sovereign AI Compute Strategy</a>. Will any value generated by =E2=80= =9Csovereign AI=E2=80=9D be captured in Canada=2C making a difference in t=
he lives of Canadians=2C or is this just a passthrough to investment in Am= erican Big Tech?</p>
<p>Forcing the question is OpenAI=2C the company behind ChatGPT=2C which h=
as been pushing an =E2=80=9COpenAI for Countries=E2=80=9D initiative. It i=
s not the only one eyeing its share of the $2-billion=2C but it appears to=
be the most aggressive. OpenAI=E2=80=99s top lobbyist in the region has m=
et with Ottawa officials=2C including Artificial Intelligence Minister Eva=
n Solomon.</p>
<p>All the while=2C OpenAI was less than open. The company had flagged the=
Tumbler Ridge=2C B.C.=2C shooter=E2=80=99s ChatGPT interactions=2C which=
included gun-violence chats. Employees wanted to alert law enforcement bu=
t were rebuffed. Maybe there is a discussion to be had about users=E2=80=
=99 privacy. But even after the shooting=2C the OpenAI representative who=
met with the B.C. government said nothing.</p>
<p>When tech billionaires and corporations steer AI development=2C the res= ultant AI reflects their interests rather than those of the general public=
or ordinary consumers. Only after the meeting with the B.C. government di=
d OpenAI alert law enforcement. Had it not been for the <a href=3D"https:/= /www.wsj.com/us-news/law/openai-employees-raised-alarms-about-canada-shoot= ing-suspect-months-ago-b585df62">Wall Street Journal=E2=80=99s reporting</= a>=2C the public would not have known about this at all.</p>
<p>Moreover=2C <a href=3D"
https://openai.com/global-affairs/openai-for-cou= ntries/">OpenAI for Countries</a> is explicitly described by the company a=
s an initiative =E2=80=9Cin co-ordination with the U.S. government.=E2=80=
=9D And it=E2=80=99s not just OpenAI: all the AI giants are for-profit Ame= rican companies=2C operating in their private interests=2C and subject to=
United States law and increasingly bowing to U.S. President Donald Trump.=
Moving data centres into Canada under a proposal like OpenAI=E2=80=99s do= esn=E2=80=99t change that. The current geopolitical reality means Canada s= hould not be dependent on U.S. tech firms for essential services such as c= loud computing and AI.</p>
<p>While there are Canadian AI companies=2C they remain for-profit enterpr= ises=2C their interests not necessarily aligned with our collective good.=
The only real alternative is to be bold and invest in a wholly Canadian p= ublic AI: an AI model built and funded by Canada for Canadians=2C as publi=
c infrastructure. This would give Canadians access to the myriad of benefi=
ts from AI without having to depend on the U.S. or other countries. It wou=
ld mean Canadian universities and public agencies building and operating A=
I models optimized not for global scale and corporate profit=2C but for pr= actical use by Canadians.</p>
<p>Imagine AI embedded into health care=2C triaging radiology scans=2C fla= gging early cancer risks and assisting doctors with paperwork. Imagine an=
AI tutor trained on provincial curriculums=2C giving personalized coachin=
g. Imagine systems that analyze job vacancies and sectoral and wage trends=
=2C then automatically match job seekers to government programs. Imagine u= sing AI to optimize transit schedules=2C energy grids and zoning analysis.=
Imagine court processes=2C corporate decisions and customer service all s=
ped up by AI.</p>
<p>We are already on our way to having AI become an inextricable part of s= ociety. To ensure stability and prosperity for this country=2C Canadian us=
ers and developers must be able to turn to AI models built=2C controlled=
=2C and operated publicly in Canada instead of building on corporate platf= orms=2C American or otherwise.</p>
<p>Switzerland has shown this to be possible. With funding from the federa=
l government=2C a consortium of academic institutions -- ETH Zurich=2C EPF= L=2C and the Swiss National Supercomputing Centre -- released the world=E2= =80=99s most powerful and fully realized public AI model=2C Apertus=2C las=
t September. Apertus leveraged renewable hydropower and existing Swiss sci= entific computing infrastructure. It also used no illegally pirated copyri= ghted material or poorly paid labour extracted from the Global South durin=
g training. The model=E2=80=99s performance stands at roughly a year or tw=
o behind the major corporate offerings=2C but that is more than adequate f=
or the vast majority of applications. And it=E2=80=99s free for anyone to=
use and build on.</p>
<p>The significance of Apertus is more than technical. It demonstrates an=
alternative ownership structure for AI technology=2C one that allocates b=
oth decision-making authority and value to national public institutions ra= ther than foreign corporations. This vision represents precisely the parad=
igm shift Canada should embrace: AI as public infrastructure=2C like syste=
ms for transportation=2C water=2C or electricity=2C rather than private co= mmodity.</p>
<p>Apertus also demonstrates a far more sustainable economic framework for=
AI. Switzerland spent a tiny fraction of the billions of dollars that cor= porate AI labs invest annually=2C demonstrating that the frequent training=
runs with astronomical price tags pursued by tech companies are not actua=
lly necessary for practical AI development. They focused on making somethi=
ng broadly useful rather than bleeding edge -- trying dubiously to create=
=E2=80=9Csuperintelligence=2C=E2=80=9D as with Silicon Valley -- so they=
created a smaller model at much lower cost. Apertus=E2=80=99s training wa=
s at a scale (70 billion parameters) perhaps two orders of magnitude lower=
than the largest Big Tech offerings.</p>
<p>An ecosystem is now being developed on top of Apertus=2C using the mode=
l as a public good to power chatbots for free consumer use and to provide=
a development platform for companies prioritizing responsible AI use=2C a=
nd rigorous compliance with laws like the EU AI Act. Instead of routing qu= eries from those users to Big Tech infrastructure=2C Apertus is deployed t=
o data centres across national AI and computing initiatives of Switzerland=
=2C Australia=2C Germany=2C and Singapore and other partners.</p>
<p>The case for public AI rests on both democratic principles and practica=
l benefits. Public AI systems can incorporate mechanisms for genuine publi=
c input and democratic oversight on critical ethical questions: how to han=
dle copyrighted works in training data=2C how to mitigate bias=2C how to d= istribute access when demand outstrips capacity=2C and how to license use=
for sensitive applications like policing or medicine. Or how to handle a=
situation such as that of the Tumbler Ridge shooter. These decisions will=
profoundly shape society as AI becomes more pervasive=2C yet corporate AI=
makes them in secret.</p>
<p>By contrast=2C public AI developed by transparent=2C accountable agenci=
es would allow democratic processes and political oversight to govern how=
these powerful systems function.</p>
<p>Canada already has many of the building blocks for public AI. The count=
ry has world-class AI research institutions=2C including the Vector Instit= ute=2C Mila=2C and CIFAR=2C which pioneered much of the deep learning revo= lution. Canada=E2=80=99s $2-billion Sovereign AI Compute Strategy provides=
substantial funding.</p>
<p>What=E2=80=99s needed now is a reorientation away from viewing this as=
an opportunity to attract private capital=2C and toward a fully open publ=
ic AI model.</p>
<p><em>This essay was written with Nathan E. Sanders=2C and originally app= eared in <a href=3D"
https://www.schneier.com/essays/archives/2026/03/opena= i-has-shown-it-cannot-be-trusted-canada-needs-nationalized-public-ai.html"= >The Globe and Mail</a>.</em></p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg22"><a name=3D"cg22"= >iPhones and iPads Approved for NATO Classified Data</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/iphones-and-i= pads-approved-for-nato-classified-data.html"><strong>[2026.03.12]</strong= ></a> Apple <a href=3D"
https://www.apple.com/newsroom/2026/02/iphone-and-i= pad-approved-to-handle-classified-nato-information/">announcement</a>:</p>
<blockquote><p>...iPhone and iPad are the first and only consumer devices=
in compliance with the information assurance requirements of NATO nations=
=2E This enables iPhone and iPad to be used with classified information up t=
o the NATO restricted level without requiring special software or settings=
-- a level of government certification no other consumer mobile device ha=
s met.</p></blockquote>
<p>This is out of the box=2C no modifications required.</p>
<p>Boing Boing <a href=3D"
https://boingboing.net/2026/02/27/apples-iphones= -and-ipads-are-the-first-consumer-devices-certified-for-nato-classified-da= ta-without-any-modifications.html">post</a>.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg23"><a name=3D"cg23"= >Academia and the "AI Brain Drain"</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/academia-and-= the-ai-brain-drain.html"><strong>[2026.03.13]</strong></a> In 2025=2C Goo= gle=2C Amazon=2C Microsoft and Meta collectively spent US$380 billion on b= uilding artificial-intelligence tools. That number is expected to surge st=
ill higher this year=2C to $650 billion=2C to fund the building of physica=
l infrastructure=2C such as data centers (see <a href=3D"
https://go.nature= =2Ecom/3lzf79q">go.nature.com/3lzf79q</a>). Moreover=2C these firms are spen= ding lavishly on one particular segment: top technical talent.</p>
<p>Meta reportedly offered a single AI researcher=2C who had cofounded a s= tart-up firm focused on training AI agents to use computers=2C a compensat=
ion package of $250 million over four years (see <a href=3D"
https://go.nat= ure.com/4qznsq1">go.nature.com/4qznsq1</a>). Technology firms are also spe= nding billions on =E2=80=9Creverse-acquihires=E2=80=9D -- poaching the sta=
r staff members of start-ups without acquiring the companies themselves. E= yeing these generous payouts=2C technical experts earning more modest sala= ries might well reconsider their career choices.</p>
<p>Academia is already losing out. Since the launch of ChatGPT in 2022=2C=
concerns have grown in academia about an =E2=80=9CAI brain drain.=E2=80=
=9D Studies point to a sharp rise in university machine-learning and AI re= searchers moving to industry roles. A 2025 paper reported that this was es= pecially true for young=2C highly cited scholars: researchers who were abo=
ut five years into their careers and whose work ranked among the most cite=
d were 100 times more likely to move to industry the following year than w=
ere ten-year veterans whose work received an average number of citations=
=2C according to a model based on data from nearly seven million papers.<s= up><a href=3D"#ref-CR1">1</a></sup></p>
<p>This outflow threatens the distinct roles of academic research in the s= cientific enterprise: innovation driven by curiosity rather than profit=2C=
as well as providing independent critique and ethical scrutiny. The fixat=
ion of =E2=80=9Cbig tech=E2=80=9D firms on skimming the very top talent al=
so risks eroding the idea of science as a collaborative endeavor=2C in whi=
ch teams -- not individuals -- do the most consequential work.</p>
<p>Here=2C we explore the broader implications for science and suggest alt= ernative visions of the future.</p>
<p>Astronomical salaries for AI talent buy into a legend as old as the sof= tware industry: the 10x engineer. This is someone who is supposedly capabl=
e of ten times the impact of their peers. Why hire and manage an entire gr=
oup of scientists or software engineers when one genius -- or an AI agent=
-- can outperform them?</p>
<p>That proposition is increasingly attractive to tech firms that are bett=
ing that a large number of entry-level and even mid-level engineering jobs=
will be replaced by AI. It=E2=80=99s no coincidence that Google=E2=80=99s=
Gemini 3 Pro AI model was launched with boasts of =E2=80=9CPhD-level reas= oning=2C=E2=80=9D a marketing strategy that is appealing to executives see= king to replace people with AI.</p>
<p>But the lone-genius narrative is increasingly out of step with reality.=
Research backs up a fundamental truth: science is a team sport. A large-s= cale study of scientific publishing from 1900 to 2011 found that papers pr= oduced by larger collaborations consistently have greater impact than do t= hose of smaller teams=2C even after accounting for self-citation.<sup><a h= ref=3D"#ref-CR2">2</a></sup> Analyses of the most highly cited scientists=
show a similar pattern: their highest-impact works tend to be those paper=
s with many authors.<sup><a href=3D"#ref-CR3">3</a></sup> A 2020 study of=
Nobel laureates reinforces this trend=2C revealing that -- much like the=
wider scientific community -- the average size of the teams that they pub= lish with has steadily increased over time as scientific problems increase=
in scope and complexity.<sup><a href=3D"#ref-CR4">4</a></sup></p>
<p>From the detection of gravitational waves=2C which are ripples in space= -time caused by massive cosmic events=2C to CRISPR-based gene editing=2C a=
precise method for cutting and modifying DNA=2C to recent AI breakthrough=
s in protein-structure prediction=2C the most consequential advances in mo= dern science have been collective achievements. Although these successes a=
re often associated with prominent individuals -- senior scientists=2C Nob=
el laureates=2C patent holders -- the work itself was driven by teams rang=
ing from dozens to thousands of people and was built on decades of open sc= ience: shared data=2C methods=2C software and accumulated insight.</p>
<p>Building strong institutions is a much more effective use of resources=
than is betting on any single individual. Examples demonstrating this inc= lude the LIGO Scientific Collaboration=2C the global team that first detec=
ted gravitational waves; the Broad Institute of MIT and Harvard in Cambrid= ge=2C Massachusetts=2C a leading genomics and biomedical-research center b= ehind many CRISPR advances; and even for-profit laboratories such as Googl=
e DeepMind in London=2C which drove advances in protein-structure predicti=
on with its AlphaFold tool. If the aim of the tech giants and other AI fir=
ms that are spending lavishly on elite talent is to accelerate scientific=
progress=2C the current strategy is misguided.</p>
<p>By contrast=2C well-designed institutions amplify individual ability=2C=
sustain productivity beyond any one person=E2=80=99s career and endure lo=
ng after any single contributor is gone.</p>
<p>Equally important=2C effective institutions distribute power in benefic=
ial ways. Rather than vesting decision-making authority in the hands of on=
e person=2C they have mechanisms for sharing control. Allocation committee=
s decide how resources are used=2C scientific advisory boards set collecti=
ve research priorities=2C and peer review determines which ideas enter the=
scientific record.</p>
<p>And although the term =E2=80=9Cinnovation by committee=E2=80=9D might s= ound disparaging=2C such an approach is crucial to make the scientific ent= erprise act in concert with the diverse needs of the broader public. This=
is especially true in science=2C which continues to suffer from pervasive=
inequalities across gender=2C race and socio-economic and cultural differ= ences.<sup><a href=3D"#ref-CR5">5</a></sup></p>
<h3 style=3D"font-size:110%;font-weight:bold">Need for alternative vision<=
<p>This is why scientists=2C academics and policymakers should pay more at= tention to how AI research is organized and led=2C especially as the techn= ology becomes essential across scientific disciplines. Used well=2C AI can=
support a more equitable scientific enterprise by empowering junior resea= rchers who currently have access to few resources.</p>
<p>Instead=2C some of today=E2=80=99s wealthiest scientific institutions m= ight think that they can deploy the same strategies as the tech industry u=
ses and compete for top talent on financial terms -- perhaps by getting fu= nding from the same billionaires who back big tech. Indeed=2C wage inequal=
ity has been steadily growing within academia for decades.<sup><a href=3D"= #ref-CR6">6</a></sup> But this is not a path that science should follow.</=
<p>The ideal model for science is a broad=2C diverse ecosystem in which re= searchers can thrive at every level. Here are three strategies that univer= sities and mission-driven labs should adopt instead of engaging in a compe= nsation arms race.</p>
<p>First=2C universities and institutions should stay committed to the pub=
lic interest. An excellent example of this approach can be found in Switze= rland=2C where several institutions are coordinating to build AI as a publ=
ic good rather than a private asset. Researchers at the Swiss Federal Inst= itute of Technology in Lausanne (EPFL) and the Swiss Federal Institute of=
Technology (ETH) in Zurich=2C working with the Swiss National Supercomput=
ing Centre=2C have built Apertus=2C a freely available large language mode=
l. Unlike the controversially-labelled =E2=80=9Copen source=E2=80=9D model=
s built by commercial labs -- such as Meta=E2=80=99s LLaMa=2C which has be=
en criticized for not complying with the open-source definition (see <a hr= ef=3D"
https://go.nature.com/3o56zd5">go.nature.com/3o56zd5</a>) -- Apertus=
is not only open in its source code and its weights (meaning its core par= ameters)=2C but also in its data and development process. Crucially=2C Ape= rtus is not designed to compete with =E2=80=9Cfrontier=E2=80=9D AI labs pu= rsuing superintelligence at enormous cost and with little regard for data=
ownership. Instead=2C <a href=3D"
https://ethz.ch/en/news-and-events/eth-n= ews/news/2023/12/press-release-joint-initiative-for-trustworthy-ai.html">i=
t adopts a more modest and sustainable goal</a>: to make AI trustworthy fo=
r use in industry and public administration=2C strictly adhering to data-l= icensing restrictions and including local European languages.<sup><a href= =3D"#ref-CR7">7</a></sup></p>
<p>Principal investigators (PIs) at other institutions globally should fol=
low this path=2C aligning public funding agencies and public institutions=
to produce a more sustainable alternative to corporate AI.</p>
<p>Second=2C universities should bolster networks of researchers from the=
undergraduate to senior-professor levels -- not only because they make fo=
r effective innovation teams=2C but also because they serve a purpose beyo=
nd next quarter=E2=80=99s profits. The scientific enterprise galvanizes it=
s members at all levels to contribute to the same projects=2C the same jou= rnals and the same open=2C international scientific literature -- to perpe= tuate itself across generations and to distribute its impact throughout so= ciety.</p>
<p>Universities should take precisely the opposite hiring strategy to that=
of the big tech firms. Instead of lavishing top dollar on a select few re= searchers=2C they should equitably distribute salaries. They should raise=
graduate-student stipends and postdoc salaries and limit the growth of pa=
y for high-profile PIs.</p>
<p>Third=2C universities should show that they can offer more than just fi= nancial benefits: they must offer distinctive intellectual and civic rewar=
ds. Although money is unquestionably a motivator=2C researchers also value=
intellectual freedom and the recognition of their work. Studies show that=
research roles in industry that allow publication attract talent at salar=
ies roughly 20% lower than comparable positions that prohibit it (see <a h= ref=3D"
https://go.nature.com/4cbjxzu">go.nature.com/4cbjxzu</a>).</p>
<p>Beyond the intellectual recognition of publications and citation counts=
=2C universities should recognize and reward the production of public good=
s. The tenure and promotion process at universities should reward academic=
s who supply expertise to local and national governments=2C who communicat=
e with and engage the public in research=2C who publish and maintain open-= source software for public use and who provide services for non-profit gro= ups.</p>
<p>Furthermore=2C institutions should demonstrate that they will defend th=
e intellectual freedom of their researchers and shield them from corporate=
or political interference. In the United States today=2C we see a strikin=
g juxtaposition between big tech firms=2C which curry favour with the admi= nistration of US President Donald Trump to win regulatory and trade benefi= ts=2C and higher-education institutions=2C which suffer massive losses of=
federal funding and threats of investigation and sanction. Unlike big tec=
h firms=2C universities should invest in enquiry that challenges authority= =2E</p>
<p>We urge leaders of scientific institutions to reject the growing pay in= equality rampant in the upper echelons of AI research. Instead=2C they sho=
uld compete for talent on a different dimension: the integrity of their mi= ssions and the equitableness of their institutions. These institutions sho=
uld focus on building sustainable organizations with diverse staff members=
=2C rather than bestowing a bounty on science=E2=80=99s 1%.</p>
<h3 style=3D"font-size:110%;font-weight:bold">References</h3>
<li id=3D"ref-CR1">Jurowetzki=2C R.=2C Hain=2C D. S.=2C Wirtz=2C K. &a=
mp; Bianchini=2C S. <cite>AI Soc.</cite> 40=2C 4145 -- 4152 (2025).</li>
<li id=3D"ref-CR2">Larivi=C3=A8re=2C V.=2C Gingras=2C Y.=2C Sugimoto=
=2C C. R. & Tsou=2C A. <cite>J. Assoc. Inf. Sci. Technol.</cite> 66=2C=
1323 -- 1332 (2015).</li>
<li id=3D"ref-CR3">Aksnes=2C D. W. & Aagaard=2C K. J. <cite>Data I=
nf. Sci.</cite> 6=2C 41 -- 66 (2021).</li>
<li id=3D"ref-CR4">Li=2C J.=2C Yin=2C Y.=2C Fortunato=2C S. & Wang=
=2C D. <cite>J. R. Soc. Interface</cite> 17=2C 20200135 (2020).</li>
<li id=3D"ref-CR5">Graves=2C J. L. Jr=2C Kearney=2C M.=2C Barabino=2C=
G. & Malcom=2C S. <cite>Proc. Natl Acad. Sci. USA</cite> 119=2C e2117= 831119 (2022).</li>
<li id=3D"ref-CR6">Lok=2C C. <cite>Nature</cite> 537=2C 471 -- 473 (20= 16).</li>
<li id=3D"ref-CR7">Project Apertus. Preprint at arXiv <a href=3D"https= ://doi.org/10.48550/arXiv.2509.14233">
https://doi.org/10.48550/arXiv.2509.= 14233</a> (2025).</li>
</ol>
<p><em>This essay was written with Nathan E. Sanders=2C and originally app= eared in <a href=3D"
https://www.nature.com/articles/d41586-026-00474-3">Na= ture</a>.</em></p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg24"><a name=3D"cg24"= >Upcoming Speaking Engagements</a></h2>
<p><a href=3D"
https://www.schneier.com/blog/archives/2026/03/upcoming-spea= king-engagements-54.html"><strong>[2026.03.14]</strong></a> This is a cur=
rent list of where and when I am scheduled to speak:</p>
<li>I=E2=80=99m giving the <a href=3D"
https://www.chu.cam.ac.uk/event/= computer-science-lecture-2026/">Ross Anderson Lecture</a> at the Universit=
y of Cambridge=E2=80=99s Churchill College at 5:30 PM GMT on Thursday=2C M= arch 19=2C 2026.</li>
<li>I=E2=80=99m speaking at <a href=3D"
https://www.rsaconference.com/u= sa">RSAC 2026</a> in San Francisco=2C California=2C USA=2C on Wednesday=2C=
March 25=2C 2026.</li>
<li>I=E2=80=99m part of an event on =E2=80=9CCanada and AI Sovereignty= =2C=E2=80=9D hosted by the University of Toronto=E2=80=99s <a href=3D"http= s://munkschool.utoronto.ca/event/canada-and-ai-sovereignty">Munk School of=
Global Affairs & Public Policy</a>=2C which will be held online via Z=
oom at 4:00 PM ET on Monday=2C March 30=2C 2026.</li>
<li>I=E2=80=99m speaking at <a href=3D"
https://www.democracyxchange.or= g/">DemocracyXChange 2026</a> in Toronto=2C Ontario=2C Canada=2C on April=
18=2C 2026.</li>
<li>I=E2=80=99m speaking at the <a href=3D"
https://www.sans.org/cyber-= security-training-events/ai-summit-2026">SANS AI Cybersecurity Summit 2026=
</a> in Arlington=2C Virginia=2C USA=2C at 9:40 AM ET on April 20=2C 2026.=
</li>
<li>I=E2=80=99m speaking at the <a href=3D"
https://nemertes.com/nemert= es-next-virtual-spring-2026/">Nemertes [Next] Virtual Conference Spring 2= 026</a>=2C a virtual event=2C on April 29=2C 2026.</li>
<li>I=E2=80=99m speaking at <a href=3D"
https://www.rightscon.org/">Rig= htsCon 2026</a> in Lusaka=2C Zambia=2C on May 6 and 7=2C 2026.</li>
</ul>
<p>The list is maintained on <a href=3D"
https://www.schneier.com/events/">= this page</a>.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<p>Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing=
summaries=2C analyses=2C insights=2C and commentaries on security technol= ogy. To subscribe=2C or to read back issues=2C see <a href=3D"
https://www.= schneier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>
<p>You can also read these articles on my blog=2C <a href=3D"
https://www.s= chneier.com">Schneier on Security</a>.</p>
<p>Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to co= lleagues and friends who will find it valuable. Permission is also granted=
to reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.</p>
<p><span style=3D"font-style: italic">Bruce Schneier is an internationally=
renowned security technologist=2C called a security guru by the <cite sty= le=3D"font-style:normal">Economist</cite>. He is the author of over one do=
zen books -- including his latest=2C <a href=3D"
https://www.schneier.com/b= ooks/rewiring-democracy/"><cite style=3D"font-style:normal">Rewiring Democ= racy</cite></a> -- as well as hundreds of articles=2C essays=2C and academ=
ic papers. His newsletter and blog are read by over 250=2C000 people. Schn= eier is a fellow at the Berkman Klein Center for Internet & Society at Har= vard University; a Lecturer in Public Policy at the Harvard Kennedy School=
; a board member of the Electronic Frontier Foundation=2C AccessNow=2C and=
the Tor Project; and an Advisory Board Member of the Electronic Privacy I= nformation Center and VerifiedVoting.org. He is the Chief of Security Arch= itecture at Inrupt=2C Inc.</span></p>
<p>Copyright © 2026 by Bruce Schneier.</p>
<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=
<p>Mailing list hosting graciously provided by <a href=3D"
https://mailchim= p.com/">MailChimp</a>. Sent without web bugs or link tracking.</p>
<p>This email was sent to:
cryptogram@toolazy.synchro.net
<br><em>You are receiving this email because you subscribed to the Crypto-= Gram newsletter.</em></p>
<p><a style=3D"display:inline-block" href=3D"
https://schneier.us18.list-ma= nage.com/unsubscribe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e= =3D70f249ec14&c=3Da8aaebf681">unsubscribe from this list</a> &nbs= p; <a style=3D"display:inline-block" href=3D"
https://schneier.us18.li= st-manage.com/profile?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3Da8aaebf681">update subscription preferences</a>
<br>Bruce Schneier · Harvard Kennedy School · 1 Brattle Squa=
re · Cambridge=2C MA 02138 · USA</p>
</body></html>
--_----------=_MCPart_1184803371--