Forum: Too Lazy BBS

CRYPTO-GRAM, May 15, 2026

From Bruce Schneier@schneier@schneier.com to cryptogram@toolazy.synchro.net on Fri May 15 08:29:06 2026

This is a multi-part message in MIME format

--_----------=_MCPart_768936522
Content-Type: text/plain; charset="utf-8"; format="fixed" Content-Transfer-Encoding: quoted-printable

** CRYPTO-GRAM
MAY 15=2C 2026
------------------------------------------------------------

by Bruce Schneier
Fellow and Lecturer=2C Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries=2C analyses=2C insights=2C a=
nd commentaries on security: computer and otherwise.

For back issues=2C or to subscribe=2C visit Crypto-Gram's web page [https= ://www.schneier.com/crypto-gram/].

Read this issue on the web [https://www.schneier.com/crypto-gram/archives= /2026/0515.html]

These same essays and news items appear in the Schneier on Security [http= s://www.schneier.com/] blog=2C along with a lively and intelligent comment=
section. An RSS feed is available.

** *** ***** ******* *********** *************

** IN THIS ISSUE:
------------------------------------------------------------

1. Defense in Depth=2C Medieval Style
2. Human Trust of AI Agents
3. Mythos and Cybersecurity
4. Is "Satoshi Nakamoto" Really Adam Back?
5. Mexican Surveillance Company
6. ICE Uses Graphite Spyware
7. FBI Extracts Deleted Signal Messages from iPhone Notification Data= base
8. Hiding Bluetooth Trackers in Mail
9. Medieval Encrypted Letter Decoded
10. What Anthropic=E2=80=99s Mythos Means for the Future of Cybersecu= rity
11. Claude Mythos Has Found 271 Zero-Days in Firefox
12. Fast16 Malware
13. A Ransomware Negotiator Was Working for a Ransomware Gang
14. Hacking Polymarket
15. DarkSword Malware
16. Rowhammer Attack Against NVIDIA Chips
17. Smart Glasses for the Authorities
18. Insider Betting on Polymarket
19. LLMs and Text-in-Text Steganography
20. Copy.Fail Linux Vulnerability
21. OpenAI=E2=80=99s GPT-5.5 is as Good as Mythos at Finding Security=
Vulnerabilities
22. How Dangerous Is Anthropic=E2=80=99s Mythos AI?
23. Upcoming Speaking Engagements

** *** ***** ******* *********** *************

** DEFENSE IN DEPTH=2C MEDIEVAL STYLE ------------------------------------------------------------

[2026.04.15] [https://www.schneier.com/blog/archives/2026/04/defense-in-= depth-medieval-style.html] This article [https://turkisharchaeonews.net/o= bject/theodosian-land-walls-constantinople] on the walls of Constantinople=
is fascinating.

The system comprised four defensive lines arranged in formidable layers:

* The brick-lined ditch=2C divided by bulkheads and often flooded=

=2C 15-20 meters wide and up to 7 meters deep.

* A low breastwork=2C about 2 meters high=2C enabling defenders to=

fire freely from behind.

* The outer wall=2C 8 meters tall and 2.8 meters thick=2C with 82 p=

rojecting towers.

* The main wall -- a towering 12 meters high and 5 meters thick --=

with 96 massive towers offset from those of the outer wall for maximum co= verage.

Behind the walls lay broad terraces: the parateichion=2C 18 meters wide=

=2C ideal for repelling enemies who crossed the moat=2C and the peribolos=
=2C 15-20 meters wide between the inner and outer walls. From the moat=E2= =80=99s bottom to the highest tower top=2C the defences reached nearly 30=
meters -- a nearly unscalable barrier of stone and ingenuity.

** *** ***** ******* *********** *************

** HUMAN TRUST OF AI AGENTS ------------------------------------------------------------

[2026.04.16] [https://www.schneier.com/blog/archives/2026/04/human-trust= -of-ai-agents.html] Interesting research: =E2=80=9CHumans expect rationali=
ty and cooperation from LLM opponents in strategic games [https://arxiv.o= rg/pdf/2505.11011].=E2=80=9D

Abstract: As Large Language Models (LLMs) integrate into our social and=

economic interactions=2C we need to deepen our understanding of how human=
s respond to LLMs opponents in strategic settings. We present the results=
of the first controlled monetarily-incentivised laboratory experiment loo= king at differences in human behaviour in a multi-player p-beauty contest=
against other humans and LLMs. We use a within-subject design in order to=
compare behaviour at the individual level. We show that=2C in this enviro= nment=2C human subjects choose significantly lower numbers when playing ag= ainst LLMs than humans=2C which is mainly driven by the increased prevalen=
ce of =E2=80=98zero=E2=80=99 Nash-equilibrium choices. This shift is mainl=
y driven by subjects with high strategic reasoning ability. Subjects who p=
lay the zero Nash-equilibrium choice motivate their strategy by appealing=
to perceived LLM=E2=80=99s reasoning ability and=2C unexpectedly=2C prope= nsity towards cooperation. Our findings provide foundational insights into=
the multi-player human-LLM interaction in simultaneous choice games=2C un= cover heterogeneities in both subjects=E2=80=99 behaviour and beliefs abou=
t LLM=E2=80=99s play when playing against them=2C and suggest important im= plications for mechanism design in mixed human-LLM systems.

** *** ***** ******* *********** *************

** MYTHOS AND CYBERSECURITY ------------------------------------------------------------

[2026.04.17] [https://www.schneier.com/blog/archives/2026/04/mythos-and-= cybersecurity.html] Last week=2C Anthropic pulled back the curtain on Clau=
de Mythos Preview [https://red.anthropic.com/2026/mythos-preview/]=2C an=
AI model so capable at finding and exploiting software vulnerabilities th=
at the company decided [https://globalnews.ca/news/11769446/anthropic-ai-= model-too-powerful/] it was too dangerous to release to the public. Instea= d=2C access has been restricted [https://thehill.com/policy/technology/58= 24219-anthropic-new-ai-dangerous-public/] to roughly 50 organizations -- M= icrosoft=2C Apple=2C Amazon Web Services=2C CrowdStrike and other vendors=
of critical infrastructure -- under an initiative called Project Glasswin=
g [https://www.anthropic.com/glasswing].

The announcement was accompanied by a barrage of hair-raising anecdotes: t= housands [https://www.tomshardware.com/tech-industry/artificial-intellige= nce/anthropics-latest-ai-model-identifies-thousands-of-zero-day-vulnerabil= ities-in-every-major-operating-system-and-every-major-web-browser-claude-m= ythos-preview-sparks-race-to-fix-critical-bugs-some-unpatched-for-decades]=
of vulnerabilities uncovered across every major [https://www.helpnetsecu= rity.com/2026/04/08/anthropic-claude-mythos-preview-identify-vulnerabiliti= es/] operating system and browser=2C including a 27-year-old bug in OpenBS= D=2C a 16-year-old flaw in FFmpeg. Mythos was able to weaponize a set of v= ulnerabilities it found in the Firefox browser into 181 usable attacks; An= thropic=E2=80=99s previous flagship model could only achieve two.

This is=2C in many respects=2C exactly the kind of responsible disclosure=
that security researchers have long urged. And yet the public has been gi=
ven remarkably little with which to evaluate Anthropic=E2=80=99s decision.=
We have been shown a highlight reel of spectacular successes. However=2C=
we can=E2=80=99t tell if we have a blockbuster until they let us see the=
whole movie.

For example=2C we don=E2=80=99t know how many times Mythos mistakenly flag=
ged code as vulnerable. Anthropic said security contractors agreed with th=
e AI=E2=80=99s severity rating 198 times=2C with an 89 per cent severity a= greement. That=E2=80=99s impressive=2C but incomplete. Independent researc= hers examining similar models have found that AI that detects nearly every=
real bug also hallucinates plausible-sounding vulnerabilities in patched=
=2C correct code.

This matters. A model that autonomously finds and exploits hundreds of vul= nerabilities with inhuman precision is a game changer=2C but a model that=
generates thousands of false alarms and non-working attacks still needs s= killed and knowledgeable humans. Without knowing the rate of false alarms=
in Mythos=E2=80=99s unfiltered output=2C we cannot tell whether the examp=
les showcased are representative.

There is a second=2C subtler problem. Large language models=2C including M= ythos=2C perform best on inputs that resemble what they were trained on: w= idely used open-source projects=2C major browsers=2C the Linux kernel and=
popular web frameworks. Concentrating early access among the largest vend=
ors of precisely this software is sensible; it lets them patch first=2C be= fore adversaries catch up.

But the inverse is also true. Software outside the training distribution -=
- industrial control systems=2C medical device firmware=2C bespoke financi=
al infrastructure=2C regional banking software=2C older embedded systems -=
- is exactly where out-of-the-box Mythos is likely least able to find or e= xploit bugs.

However=2C a sufficiently motivated attacker with domain expertise in one=
of these fields could nevertheless wield Mythos=E2=80=99s advanced reason=
ing capabilities as a force multiplier=2C probing systems that Anthropic= =E2=80=99s own engineers lack the specialized knowledge to audit. The dang=
er is not that Mythos fails in those domains; it is that Mythos may succee=
d for whoever brings the expertise.

Broader=2C structured access for academic researchers and domain specialis=
ts -- cardiologists=E2=80=99 partners in medical device security=2C contro= l-systems engineers=2C researchers in less prominent languages and ecosyst=
ems -- would meaningfully reduce this asymmetry. Fifty companies=2C howeve=
r well chosen=2C cannot substitute for the distributed expertise of the en= tire research community.

None of this is an indictment of Anthropic. By all appearances the company=
is trying to act responsibly=2C and its decision to hold the model back i=
s evidence of seriousness.

But Anthropic is a private company and=2C in some ways=2C still a start-up=
=2E Yet it is making unilateral decisions about which pieces of our critical=
global infrastructure get defended first=2C and which must wait their tur=
n.

It has finite staff=2C finite budget and finite expertise. It will miss th= ings=2C and when the thing missed is in the software running a hospital or=
a power grid=2C the cost will be borne by people who never had a say.

The security problem is far greater [https://www.npr.org/2026/04/11/nx-s1= -5778508/anthropic-project-glasswing-ai-cybersecurity-mythos-preview] than=
one company and one model. There=E2=80=99s no reason to believe that Myth=
os Preview is unique. (Not to be outdone=2C OpenAI announced [https://www= =2Emsn.com/en-us/technology/artificial-intelligence/scoop-openai-plans-stagg= ered-rollout-of-new-model-over-cybersecurity-risk/ar-AA20usvp] that its ne=
w GPT-5.4-Cyber is so dangerous that the model also will not be released t=
o the general public.) And it=E2=80=99s unclear how much of an advance the=
se new models represent. The security company Aisle was able to replicate=
[https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontie=
r] many of Anthropic=E2=80=99s published anecdotes using smaller=2C cheape= r=2C public AI models.

Any decisions we make about whether and how to release these powerful mode=
ls are more than one company=E2=80=99s responsibility. Ultimately=2C this=
will probably lead to regulation. That will be hard to get right and requ= ires a long process of consultation and feedback.

In the short term=2C we need something simpler: greater transparency and i= nformation sharing with the broader community. This doesn=E2=80=99t necess= arily mean making powerful models like Claude Mythos widely available. Rat= her=2C it means sharing as much data and information as possible=2C so tha=
t we can collectively make informed decisions.

We need globally co-ordinated frameworks for independent auditing=2C manda= tory disclosure of aggregate performance metrics and funded access for aca= demic and civil-society researchers.

This has implications for national security=2C personal safety and corpora=
te competitiveness. Any technology that can find thousands of exploitable=
flaws in the systems we all depend on should not be governed solely by th=
e internal judgment of its creators=2C however well intentioned.

Until that changes=2C each Mythos-class release will put the world at the=
edge of another precipice=2C without any visibility into whether there is=
a landing out of view just below=2C or whether this time the drop will be=
fatal. That is not a choice a for-profit corporation should be allowed to=
make in a democratic society. Nor should such a company be able to restri=
ct the ability of society to make choices about its own security.

_This essay was written with David Lie=2C and originally appeared in The G= lobe and Mail [https://www.theglobeandmail.com/business/commentary/articl= e-mythos-sets-the-world-on-edge-what-comes-next-may-push-us-beyond/]._

** *** ***** ******* *********** *************

** IS "SATOSHI NAKAMOTO" REALLY ADAM BACK? ------------------------------------------------------------

[2026.04.20] [https://www.schneier.com/blog/archives/2026/04/is-satoshi-= nakamoto-really-adam-back.html] The _New York Times_ has a long article [= https://www.nytimes.com/2026/04/08/business/bitcoin-satoshi-nakamoto-ident= ity-adam-back.html] where the author lays out an impressive array of circu= mstantial evidence that the inventor of Bitcoin is the cypherpunk Adam Bac=
k.

I don=E2=80=99t know. The article is convincing=2C but it=E2=80=99s writte=
n to be convincing.

I can=E2=80=99t remember if I ever met Adam. I was a member of the Cypherp= unks mailing list for a while=2C but I was never really an active particip= ant. I spent more time on the Usenet newsgroup sci.crypt. I knew a bunch o=
f the Cypherpunks=2C though=2C from various conferences around the world a=
t the time. I really have no opinion about who Satoshi Nakamoto really is.

** *** ***** ******* *********** *************

** MEXICAN SURVEILLANCE COMPANY ------------------------------------------------------------

[2026.04.21] [https://www.schneier.com/blog/archives/2026/04/mexican-sur= veillance-company.html] Grupo Seguritech [https://restofworld.org/2026/me= xico-seguritech-government-surveillance-profile/] is a Mexican surveillanc=
e company that is expanding into the US.

** *** ***** ******* *********** *************

** ICE USES GRAPHITE SPYWARE ------------------------------------------------------------

[2026.04.22] [https://www.schneier.com/blog/archives/2026/04/ice-uses-gr= aphite-spyware.html] ICE has admitted [https://www.npr.org/2026/04/07/nx-= s1-5776799/ice-spyware-privacy] that it uses spyware from the Israeli comp=
any Graphite.

** *** ***** ******* *********** *************

** FBI EXTRACTS DELETED SIGNAL MESSAGES FROM IPHONE NOTIFICATION DATABASE ------------------------------------------------------------

[2026.04.23] [https://www.schneier.com/blog/archives/2026/04/fbi-extract= s-deleted-signal-messages-from-iphone-notification-database.html] 404 Medi=
a reports [https://www.404media.co/fbi-extracts-suspects-deleted-signal-m= essages-saved-in-iphone-notification-database-2/] (alternate site [https:= //archive.ph/bSQhD]):

The FBI was able to forensically extract copies of incoming Signal messa=

ges from a defendant=E2=80=99s iPhone=2C even after the app was deleted=2C=
because copies of the content were saved in the device=E2=80=99s push not= ification database....

The news shows how forensic extraction -- when someone has physical acce=

ss to a device and is able to run specialized software on it -- can yield=
sensitive data derived from secure messaging apps in unexpected places. S= ignal already has a setting that blocks message content from displaying in=
push notifications; the case highlights why such a feature might be impor= tant for some users to turn on.

=E2=80=9CWe learned that specifically on iPhones=2C if one=E2=80=99s set=

tings in the Signal app allow for message notifications and previews to sh=
ow up on the lock screen=2C [then] the iPhone will internally store those=
notifications/message previews in the internal memory of the device=2C=E2= =80=9D a supporter of the defendants who was taking notes during the trial=
told 404 Media.

EDITED TO ADD (4/24): Apple has patched [https://mjtsai.com/blog/2026/04/= 22/ios-26-4-2-and-ipados-26-4-2/] this vulnerability.

** *** ***** ******* *********** *************

** HIDING BLUETOOTH TRACKERS IN MAIL ------------------------------------------------------------

[2026.04.24] [https://www.schneier.com/blog/archives/2026/04/hiding-blue= tooth-trackers-in-mail.html] It was used to track [https://www.tomshardwa= re.com/tech-industry/cyber-security/bluetooth-tracker-hidden-in-a-postcard= -and-mailed-to-a-warship-exposed-its-location-a-eur5-gadget-put-a-eur500-m= illion-dutch-ship-at-risk-for-24-hours] a Dutch naval ship:

Dutch journalist Just Vervaart=2C working for regional media network Omr=

oep Gelderland=2C followed the directions posted on the Dutch government w= ebsite and mailed a postcard with a hidden tracker inside. Because of this=
=2C they were able to track the ship for about a day=2C watching it sail f=
rom Heraklion=2C Crete=2C before it turned towards Cyprus. While it only s= howed the location of that one vessel=2C knowing that it was part of a car= rier strike group sailing in the Mediterranean could potentially put the e= ntire fleet at risk.

[...]

Navy officials reported that the tracker was discovered within 24 hours=

of the ship=E2=80=99s arrival=2C during mail sorting=2C and was eventuall=
y disabled. Because of this incident=2C the Dutch authorities now ban elec= tronic greeting cards=2C which=2C unlike packages=2C weren=E2=80=99t x-ray=
ed before being brought on the ship.

** *** ***** ******* *********** *************

** MEDIEVAL ENCRYPTED LETTER DECODED ------------------------------------------------------------

[2026.04.27] [https://www.schneier.com/blog/archives/2026/04/medieval-en= crypted-letter-decoded.html] Sent by a Spanish diplomat. Apparently people=
have been working on it [https://www.medievalists.net/2026/04/secret-let= ter-detailing-late-medieval-britain-fully-decoded/] since it was rediscove=
red in 1860.

** *** ***** ******* *********** *************

** WHAT ANTHROPIC=E2=80=99S MYTHOS MEANS FOR THE FUTURE OF CYBERSECURITY ------------------------------------------------------------

[2026.04.28] [https://www.schneier.com/blog/archives/2026/04/what-anthro= pics-mythos-means-for-the-future-of-cybersecurity.html] Two weeks ago=2C A= nthropic announced [https://red.anthropic.com/2026/mythos-preview/] that=
its new model=2C Claude Mythos Preview=2C can autonomously find and weapo= nize software vulnerabilities=2C turning them into working exploits withou=
t expert guidance. These were vulnerabilities in key software like operati=
ng systems and internet infrastructure that thousands of software develope=
rs working on those systems failed to find. This capability will have majo=
r security implications=2C compromising the devices and services we use ev=
ery day. As a result=2C Anthropic [https://spectrum.ieee.org/tag/anthropi=
c] is not releasing the model to the general public=2C but instead to a li= mited number [https://www.anthropic.com/glasswing] of companies.

The news rocked the internet security community. There were few details in=
Anthropic=E2=80=99s announcement=2C angering [https://srinstitute.utoron= to.ca/news/the-mythos-question-who-decides-when-ai-is-too-dangerous] many=
observers. Some speculate that Anthropic doesn=E2=80=99t have [https://k= ingy.ai/ai/too-dangerous-to-release-or-just-too-expensive-the-real-reason-= anthropic-is-hiding-its-most-powerful-ai/] the GPUs [https://spectrum.iee= e.org/tag/gpus] to run the thing=2C and that cybersecurity was the excuse=
to limit its release. Others argue Anthropic is holding to its AI safety=
mission. There=E2=80=99s [https://www.nytimes.com/2026/04/07/opinion/ant= hropic-ai-claude-mythos.html] hype [https://www.axios.com/2026/04/08/anth= ropic-mythos-model-ai-cyberattack-warning] and counter [https://www.artif= icialintelligencemadesimple.com/p/anthropics-claude-mythos-launch-is]hype=
[https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontie= r]=2C reality [https://www.aisi.gov.uk/blog/our-evaluation-of-claude-myth= os-previews-cyber-capabilities] and marketing. It=E2=80=99s a lot to sort=
out=2C even if you=E2=80=99re an expert.

We see Mythos as a real but incremental step=2C one in a long line of incr= emental steps. But even incremental steps can be important when we look at=
the big picture.

* HOW AI IS CHANGING CYBERSECURITY

We=E2=80=99ve written about [https://spectrum.ieee.org/online-privacy] sh= ifting baseline syndrome=2C a phenomenon that leads people -- the public a=
nd experts alike -- to discount massive long-term changes that are hidden=
in incremental steps. It has happened with online privacy=2C and it=E2=80= =99s happening with AI. Even if the vulnerabilities found by Mythos could=
have been found using AI models from last month or last year=2C they coul= dn=E2=80=99t have been found by AI models from five years ago.

The Mythos announcement reminds us that AI has come a long way in just a f=
ew years: The baseline really has shifted. Finding vulnerabilities in sour=
ce code is the type of task that today=E2=80=99s large language models exc=
el at. Regardless of whether it happened last year or will happen next yea= r=2C it=E2=80=99s been clear for a while [https://sockpuppet.org/blog/202= 6/03/30/vulnerability-research-is-cooked/] this kind of capability was com=
ing soon. The question is how we adapt to it [https://labs.cloudsecuritya= lliance.org/mythos-ciso/].

We don=E2=80=99t believe that an AI that can hack autonomously will create=
permanent asymmetry between offense and defense; it=E2=80=99s likely to b=
e more nuanced [https://danielmiessler.com/blog/will-ai-help-moreattacker= s-defenders] than that. Some vulnerabilities can be found=2C verified=2C a=
nd patched automatically. Some vulnerabilities will be hard to find but ea=
sy to verify and patch -- consider generic cloud-hosted web applications b= uilt on standard software stacks=2C where updates can be deployed quickly.=
Still others will be easy to find (even without powerful AI) and relative=
ly easy to verify=2C but harder or impossible to patch=2C such as IoT appl= iances and industrial equipment that are rarely updated or can=E2=80=99t b=
e easily modified.

Then there are systems whose vulnerabilities will be easy to find in code=
but difficult to verify in practice. For example=2C complex distributed s= ystems and cloud platforms can be composed of thousands of interacting ser= vices running in parallel=2C making it difficult to distinguish real vulne= rabilities from false positives and to reliably reproduce them.

So we must separate the patchable from the unpatchable=2C and the easy to=
verify from the hard to verify. This taxonomy also provides us guidance f=
or how to protect such systems in an era of powerful AI vulnerability-find=
ing tools.

Unpatchable or hard to verify systems should be protected by wrapping them=
in more restrictive=2C tightly controlled layers. You want your fridge or=
thermostat or industrial control system behind a restrictive and constant=
ly updated firewall=2C not freely talking to the internet.

Distributed systems that are fundamentally interconnected should be tracea=
ble and should follow the principle of least privilege=2C where each compo= nent has only the access it needs. These are bog-standard security ideas t=
hat we might have been tempted to throw out in the era of AI=2C but they= =E2=80=99re still as relevant as ever.

* RETHINKING SOFTWARE SECURITY PRACTICES

This also raises the salience of best practices in software engineering. A= utomated=2C thorough=2C and continuous testing was always important. Now w=
e can take this practice a step further and use defensive AI agents [http= s://spectrum.ieee.org/tag/agentic-ai] to test exploits [https://www.secwe= st.net/ai-triage] against a real stack=2C over and over=2C until the false=
positives have been weeded out and the real vulnerabilities and fixes are=
confirmed. This kind of VulnOps [https://www.csoonline.com/article/40690= 75/autonomous-ai-hacking-and-the-future-of-cybersecurity.html] is likely t=
o become a standard part of the development process.

Documentation becomes more valuable=2C as it can guide an AI agent on a bu= g-finding mission just as it does developers. And following standard pract= ices and using standard tools and libraries allows AI and engineers alike=
to recognize patterns more effectively=2C even in a world of individual a=
nd ephemeral instant software [https://www.csoonline.com/article/4152133/= cybersecurity-in-the-age-of-instant-software.html] -- code that can be gen= erated and deployed on demand.

Will this favor offense or defense [https://www.schneier.com/essays/archi= ves/2018/03/artificial_intellige.html]? The defense eventually=2C probably=
=2C especially in systems that are easy to patch and verify. Fortunately=
=2C that includes our phones=2C web browsers=2C and major internet service=
s. But today=E2=80=99s cars=2C electrical transformers=2C fridges=2C and l= ampposts are connected to the internet. Legacy banking and airline systems=
are networked.

Not all of those are going to get patched as fast as needed=2C and we may=
see a few years of constant hacks until we arrive at a new normal: where=
verification is paramount and software is patched continuously.

_This essay was written with Barath Raghavan=2C and originally appeared in=
IEEE Spectrum [https://spectrum.ieee.org/ai-cybersecurity-mythos]._

** *** ***** ******* *********** *************

** CLAUDE MYTHOS HAS FOUND 271 ZERO-DAYS IN FIREFOX ------------------------------------------------------------

[2026.04.29] [https://www.schneier.com/blog/archives/2026/04/claude-myth= os-has-found-271-zero-days-in-firefox.html] That=E2=80=99s a lot [https:/= /blog.mozilla.org/en/firefox/ai-security-zero-day-vulnerabilities/]. No=2C=
it=E2=80=99s an extraordinary number:

Since February=2C the Firefox team has been working around the clock usi=

ng frontier AI models to find and fix latent security vulnerabilities in t=
he browser. We wrote previously about our collaboration with Anthropic to=
scan Firefox with Opus 4.6=2C which led to fixes for 22 security-sensitiv=
e bugs in Firefox 148.

As part of our continued collaboration with Anthropic=2C we had the oppo=

rtunity to apply an early version of Claude Mythos Preview to Firefox. Thi=
s week=E2=80=99s release of Firefox 150 includes fixes for 271 vulnerabili= ties identified during this initial evaluation.

As these capabilities reach the hands of more defenders=2C many other te=

ams are now experiencing the same vertigo we did when the findings first c=
ame into focus. For a hardened target=2C just one such bug would have been=
red-alert in 2025=2C and so many at once makes you stop to wonder whether=
it=E2=80=99s even possible to keep up.

Our experience is a hopeful one for teams who shake off the vertigo and=

get to work. You may need to reprioritize everything else to bring relent= less and single-minded focus to the task=2C but there is light at the end=
of the tunnel. We are extremely proud of how our team rose to meet this c= hallenge=2C and others will too. Our work isn=E2=80=99t finished=2C but we= =E2=80=99ve turned the corner and can glimpse a future much better than ju=
st keeping up. Defenders finally have a chance to win=2C decisively.

They=E2=80=99re right. Assuming the defenders can patch=2C and push those=
patches out to users quickly=2C this technology favors the defenders.

News article [https://arstechnica.com/ai/2026/04/mozilla-anthropics-mytho= s-found-271-zero-day-vulnerabilities-in-firefox-150/].

** *** ***** ******* *********** *************

** FAST16 MALWARE
------------------------------------------------------------

[2026.04.30] [https://www.schneier.com/blog/archives/2026/04/fast16-malw= are.html] Researchers have reverse-engineered a piece of malware named Fas= t16. It=E2=80=99s almost certainly state-sponsored=2C probably US in origi= n=2C and was deployed [https://www.wired.com/story/fast16-malware-stuxnet= -precursor-iran-nuclear-attack/?_sp=3D72d58355-e351-43ad-ba73-bc2b546a30a0= =2E1777128353268] against Iran years before Stuxnet:

=E2=80=9C...the Fast16 malware was designed to carry out the most subtle=

form of sabotage ever seen in an in-the-wild malware tool: By automatical=
ly spreading across networks and then silently manipulating computation pr= ocesses in certain software applications that perform high-precision mathe= matical calculations and simulate physical phenomena=2C Fast16 can alter t=
he results of those programs to cause failures that range from faulty rese= arch results to catastrophic damage to real-world equipment.=E2=80=9D

Another news article [https://www.securityweek.com/pre-stuxnet-sabotage-m= alware-fast16-linked-to-us-iran-cyber-tensions/].

Lots of interesting details at the links.

** *** ***** ******* *********** *************

** A RANSOMWARE NEGOTIATOR WAS WORKING FOR A RANSOMWARE GANG ------------------------------------------------------------

[2026.05.01] [https://www.schneier.com/blog/archives/2026/05/a-ransomwar= e-negotiator-was-working-for-a-ransomware-gang.html] Someone pleaded guilt=
y [https://gizmodo.com/a-ransomware-negotiator-pleads-guilty-to-being-a-d= ouble-agent-2000749234] to secretly working for a ransomware gang as he ne= gotiated ransomware payments for clients.

** *** ***** ******* *********** *************

** HACKING POLYMARKET ------------------------------------------------------------

[2026.05.04] [https://www.schneier.com/blog/archives/2026/05/hacking-pol= ymarket.html] Polymarket is a platform where people can bet on real-world=
events=2C political and otherwise. Leaving the ethical considerations of=
this aside (for one=2C it facilitates assassination [https://en.wikipedi= a.org/wiki/Assassination_market])=2C one of the issues with making this wo=
rk is the verification of these real-world events. Polymarket gamblers hav=
e threatened [https://www.theguardian.com/world/2026/mar/18/polymarket-ga= mblers-threaten-israeli-journalist-missile-strike-wager] a journalist beca=
use his story was being used to verify an event. And now=2C gamblers are t= aking hair dryers [https://www.engadget.com/big-tech/someone-allegedly-us= ed-a-hairdryer-to-rig-polymarket-weather-bets-155312411.html] to weather s= ensors to rig weather bets.

There=E2=80=99s also insider trading [https://www.bbc.com/news/articles/c= 20832yg5p2o]: a lot of it [https://www.bbc.com/news/articles/cge0grppe3po=
].

** *** ***** ******* *********** *************

** DARKSWORD MALWARE ------------------------------------------------------------

[2026.05.05] [https://www.schneier.com/blog/archives/2026/05/darksword-m= alware.html] DarkSword is a sophisticated piece of malware [https://cloud= =2Egoogle.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain] -=
- probably government designed -- that targets iOS.

Google Threat Intelligence Group (GTIG) has identified a new iOS full-ch=

ain exploit that leveraged multiple zero-day vulnerabilities to fully comp= romise devices. Based on toolmarks in recovered payloads=2C we believe the=
exploit chain to be called DarkSword. Since at least November 2025=2C GTI=
G has observed multiple commercial surveillance vendors and suspected stat= e-sponsored actors utilizing DarkSword in distinct campaigns. These threat=
actors have deployed the exploit chain against targets in Saudi Arabia=2C=
Turkey=2C Malaysia=2C and Ukraine.

DarkSword supports iOS versions 18.4 through 18.7 and utilizes six diffe=

rent vulnerabilities to deploy final-stage payloads. GTIG has identified t= hree distinct malware families deployed following a successful DarkSword c= ompromise: GHOSTBLADE=2C GHOSTKNIFE=2C and GHOSTSABER. The proliferation o=
f this single exploit chain across disparate threat actors mirrors the pre= viously discovered Coruna iOS exploit kit [https://cloud.google.com/blog/= topics/threat-intelligence/coruna-powerful-ios-exploit-kit]. Notably=2C UN= C6353=2C a suspected Russian espionage group previously observed using Cor= una=2C has recently incorporated DarkSword into their watering hole campai= gns.

A week after it was identified=2C a version of it leaked [https://techcru= nch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-can-hac= k-millions-of-iphones/] onto the internet=2C where it is being used more b= roadly.

This news is a month old. Your devices are safe=2C assuming you patch regu= larly.

** *** ***** ******* *********** *************

** ROWHAMMER ATTACK AGAINST NVIDIA CHIPS ------------------------------------------------------------

[2026.05.06] [https://www.schneier.com/blog/archives/2026/05/rowhammer-a= ttack-against-nvidia-chips.html] A new rowhammer [https://en.wikipedia.or= g/wiki/Row_hammer] attack gives complete control [https://arstechnica.com= /security/2026/04/new-rowhammer-attacks-give-complete-control-of-machines-= running-nvidia-gpus/] of NVIDIA CPUs.

On Thursday=2C two research teams=2C working independently of each other=

=2C demonstrated attacks against two cards from Nvidia=E2=80=99s Ampere ge= neration that take GPU rowhammering into new -- and potentially much more=
consequential -- territory: GDDR bitflips that give adversaries full cont=
rol of CPU memory=2C resulting in full system compromise of the host machi=
ne. For the attack to work=2C IOMMU [https://en.wikipedia.org/wiki/Input-= output_memory_management_unit] memory management must be disabled=2C as is=
the default in BIOS settings.

=E2=80=9COur work shows that Rowhammer=2C which is well-studied on CPUs=

=2C is a serious threat on GPUs as well=2C=E2=80=9D said Andrew Kwong=2C c= o-author of one of the papers. =E2=80=9CGDDRHammer: Greatly Disturbing DRA=
M RowsCross-Component Rowhammer Attacks from Modern GPUs [https://gddr.fa= il/files/gddr.pdf].=E2=80=9D =E2=80=9CWith our work=2C we... show how an a= ttacker can induce bit flips on the GPU to gain arbitrary read/write acces=
s to all of the CPU=E2=80=99s memory=2C resulting in complete compromise o=
f the machine.=E2=80=9D

Update Friday=2C April 3: On Friday=2C researchers unveiled a third Rowh=

ammer attack that also demonstrates Rowhammer attacks on the RTX A6000 tha=
t achieves privilege escalation to a root shell. Unlike the previous two=
=2C the researchers said=2C it works even when IOMMU is enabled.

The second paper is GeForge: Hammering GDDR Memory to Forge GPU Page Table=
s for Fun and Profit [https://gddr.fail/files/GeForge.pdf]:

...does largely the same thing=2C except that instead of exploiting the=

last-level page table=2C as GDDRHammer does=2C it manipulates the last-le=
vel page directory. It was able to induce 1=2C171 bitflips against the RTX=
3060 and 202 bitflips against the RTX 6000.

GeForge=2C too=2C uses novel hammering patterns and memory massaging to=

corrupt GPU page table mappings in GDDR6 memory to acquire read and write=
access to the GPU memory space. From there=2C it acquires the same privil= eges over host CPU memory. The GeForge proof-of-concept exploit against th=
e RTX 3060 concludes by opening a root shell window that allows the attack=
er to issue commands that run unfettered privileges on the host machine. T=
he researchers said that both GDDRHammer and GeForge could do the same thi=
ng against the RTC 6000.

** *** ***** ******* *********** *************

** SMART GLASSES FOR THE AUTHORITIES ------------------------------------------------------------

[2026.05.07] [https://www.schneier.com/blog/archives/2026/05/smart-glass= es-for-the-authorities.html] ICE is developing [https://www.kenklippenste= in.com/p/exclusive-ice-glasses] its own version of smart glasses=2C with f= acial recognition tied to various databases.

** *** ***** ******* *********** *************

** INSIDER BETTING ON POLYMARKET ------------------------------------------------------------

[2026.05.08] [https://www.schneier.com/blog/archives/2026/05/insider-bet= ting-on-polymarket.html] Insider trading is rife [https://arstechnica.com= /tech-policy/2026/04/more-than-half-of-all-long-shot-bets-on-polymarket-pa= y-off/] on Polymarket:

Analysis by the Anti-Corruption Data Collective=2C a non-profit research=

and advocacy group=2C found that long-shot bets -- defined as wagers of $= 2=2C500 or more at odds of 35 percent or less -- on the platform had an av= erage win rate of around 52 percent in markets on military and defense act= ions.

That compares with a win rate of 25 percent across all politics-focused=

markets and just 14 percent for all markets on the platform as a whole.

It is absolutely insane that this is legal. We already know how insider be= tting warps sports. Insider betting warping politics -- and military actio=
ns -- is orders of magnitude worse.

** *** ***** ******* *********** *************

** LLMS AND TEXT-IN-TEXT STEGANOGRAPHY ------------------------------------------------------------

[2026.05.11] [https://www.schneier.com/blog/archives/2026/05/llms-and-te= xt-in-text-steganography.html] Turns out that LLMs are really good [https= ://arxiv.org/abs/2510.20075] at hiding text messages in other text message=
s.

** *** ***** ******* *********** *************

** COPY.FAIL LINUX VULNERABILITY ------------------------------------------------------------

[2026.05.12] [https://www.schneier.com/blog/archives/2026/05/copy-fail-l= inux-vulnerability.html] This is the worst [https://jorijn.com/en/blog/co= py-fail-cve-2026-31431-linux-kernel-bug-explained/] Linux vulnerability in=
years.

TL;DR

* copy.fail is a Linux kernel local privilege escalation=2C not a b=

rowser or clipboard attack. Disclosed by Theori on 29 April 2026 with a wo= rking PoC.

* It abuses the kernel crypto API (AF_ALG sockets) plus splice() to=

write four bytes at a time straight into the page cache of a file the att= acker does not own.

* The exploit works unmodified across Ubuntu=2C RHEL=2C Debian=2C S=

USE=2C Amazon Linux=2C Fedora and most others. No race condition=2C no per= -distro offsets.

* The file on disk is never modified. AIDE=2C Tripwire and checksum=

-based monitoring see nothing.

* Kubernetes Pod Security Standards (Restricted) and the default Ru=

ntimeDefault seccomp profile do not block the syscall used. A custom secco=
mp profile is needed.

* The mainline fix landed on 1 April. Distros are rolling kernels o=

ut now. Patch.

=E2=80=9CLocal privilege escalation=E2=80=9D sounds dry=2C so let me unp=

ack it. It means: an attacker who already has some way to run code on the=
machine=2C even as the most boring unprivileged user=2C can promote thems= elves to root. From there they can read every file=2C install backdoors=2C=
watch every process=2C and pivot to other systems.

Why does that matter on shared infrastructure? Because =E2=80=9Clocal=E2=

=80=9D covers a lot of ground in 2026: every container on a shared Kuberne=
tes node=2C every tenant on a shared hosting box=2C every CI/CD job that r=
uns untrusted pull-request code=2C every WSL2 instance on a Windows laptop=
=2C every containerised AI agent given shell access. They all share one Li=
nux kernel with their neighbours. A kernel LPE collapses that boundary.

News article [https://arstechnica.com/security/2026/04/as-the-most-severe= -linux-threat-in-years-surfaces-the-world-scrambles/].

** *** ***** ******* *********** *************

** OPENAI=E2=80=99S GPT-5.5 IS AS GOOD AS MYTHOS AT FINDING SECURITY VULNE= RABILITIES
------------------------------------------------------------

[2026.05.13] [https://www.schneier.com/blog/archives/2026/05/openais-gpt= -5-5-is-as-good-as-mythos-at-finding-security-vulnerabilities.html] The UK= =E2=80=99s AI Security Institute evaluated GPT-5.5=E2=80=99s ability to fi=
nd security vulnerabilities=2C and found [https://www.aisi.gov.uk/blog/ou= r-evaluation-of-openais-gpt-5-5-cyber-capabilities] that it is comparable=
to Claude Mythos. Note that the OpenAI model is generally available.

Here [https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previe= ws-cyber-capabilities] is the Institute=E2=80=99s evaluation of Mythos.

And here [https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged= -frontier] is an analysis of a smaller=2C cheaper model. It requires more=
scaffolding from the prompter=2C but it is also just as good.

** *** ***** ******* *********** *************

** HOW DANGEROUS IS ANTHROPIC=E2=80=99S MYTHOS AI? ------------------------------------------------------------

[2026.05.14] [https://www.schneier.com/blog/archives/2026/05/how-dangero= us-is-anthropics-mythos-ai.html] Last month=2C Anthropic made a remarkable=
announcement [https://red.anthropic.com/2026/mythos-preview/] about its=
new model=2C Claude Mythos Preview: it was so good at finding security vu= lnerabilities in software that the company would not release it to the gen= eral public. Instead=2C it would only be available to a select group [htt= ps://www.anthropic.com/glasswing] of companies to scan and fix their own s= oftware.

The announcement requires context -- but it contained an essential truth.

While Anthropic=E2=80=99s model is really good at finding software vulnera= bilities=2C so are other models. The UK=E2=80=99s AI Security Institute fo=
und [https://www.aisi.gov.uk/blog/our-evaluation-of-openais-gpt-5-5-cyber= -capabilities] that OpenAI=E2=80=99s GPT-5.5=2C already generally availabl= e=2C is comparable in capability. The company Aisle reproduced [https://w= ww.schneier.com/blog/archives/2026/04/mythos-and-cybersecurity.html] Anthr= opic=E2=80=99s published results with smaller=2C cheaper models.

At the same time=2C Anthropic=E2=80=99s refusal to publicly release its ne=
w model makes a virtue out of necessity. Mythos is very expensive to run=
=2C and the company doesn=E2=80=99t appear to have [https://kingy.ai/ai/t= oo-dangerous-to-release-or-just-too-expensive-the-real-reason-anthropic-is= -hiding-its-most-powerful-ai/] the resources for a general release. What b= etter way to juice the company=E2=80=99s valuation than to hint at capabil= ities but not prove them=2C and then have others [https://www.nytimes.com= /2026/04/07/opinion/anthropic-ai-claude-mythos.html] parrot [https://www.= axios.com/2026/04/08/anthropic-mythos-model-ai-cyberattack-warning] their=
claims?

Nonetheless=2C the truth is scary. Modern generative AI systems -- not jus=
t Anthropic=E2=80=99s=2C but OpenAI=E2=80=99s and other=2C open-source mod=
els -- are getting really good at finding and exploiting vulnerabilities i=
n software. And that has important ramifications [https://spectrum.ieee.o= rg/ai-cybersecurity-mythos] for cybersecurity: on both the offense and the=
defense.

Attackers will use these capabilities to find=2C and automatically hack=2C=
vulnerabilities in systems of all kinds. They will be able to break into=
critical systems around the world=2C sometimes to plant ransomware and ma=
ke money=2C sometimes to steal data for espionage purposes=2C and sometime=
s to control systems in times of hostility. This will make the world a muc=
h more dangerous=2C and more volatile=2C place.

But at the same time=2C defenders will use these same capabilities to find=
=2C and then patch=2C many of those same systems. For example=2C Mozilla u=
sed Mythos to find [https://blog.mozilla.org/en/firefox/ai-security-zero-= day-vulnerabilities/] 271 vulnerabilities in Firefox. Those vulnerabilitie=
s have been fixed=2C and will never again be available to attackers. In th=
e future=2C AIs automatically finding and fixing vulnerabilities in all so= ftware will be a normal part of the development process=2C which will resu=
lt in much more secure software.

Of course=2C it=E2=80=99s not that simple. We should expect a deluge of bo=
th attackers using newly found vulnerabilities to break into systems=2C an=
d at the same time much more frequent software updates for every app and d= evice we use. But lots of systems aren=E2=80=99t patchable=2C and many sys= tems that are don=E2=80=99t get patched=2C meaning that many vulnerabiliti=
es will stick around. And it does seem that finding and exploiting is easi=
er than finding and fixing. All of this points to a more dangerous short-t=
erm future. Organizations will need to adapt [https://labs.cloudsecuritya= lliance.org/mythos-ciso/] their security to this new reality.

But it=E2=80=99s the long term that we need to focus on. Mythos isn=E2=80=
=99t unique=2C but it=E2=80=99s more capable than many models that have co=
me before. And it=E2=80=99s less capable than models that will come after.=
AIs are much better at writing software than they were just six months ag=
o. There=E2=80=99s every reason to believe that they will continue to get=
better=2C which means that they will get better at writing more secure so= ftware. The endgame gives AI-enhanced defenders advantages over AI-enhance=
d attackers.

Even more interesting are the broader implications [https://www.schneier.= com/academic/archives/2021/04/the-coming-ai-hackers.html]. The same search= ing=2C pattern-matching and reasoning capabilities that make these models=
so good at analyzing software almost certainly apply to similar systems.=
The tax code isn=E2=80=99t computer code=2C but it=E2=80=99s a series of=
algorithms with inputs and outputs. It has vulnerabilities; we call them=
tax loopholes. It has exploits; we call them tax avoidance strategies. An=
d it has black hat hackers: attorneys and accountants.

Just as these models are finding hundreds of vulnerabilities in complex so= ftware systems=2C we should expect them to be equally effective at finding=
many new and undiscovered tax loopholes. I am confident that the major in= vestment banks are working on this right now=2C in secret. They=E2=80=99ve=
fed AI the tax code of the US=2C or the UK=2C or maybe every industrializ=
ed country=2C and tasked the system with looking for money-saving strategi=
es. How many tax loopholes will those AIs find? Ten? One hundred? One thou= sand? The Double Dutch Irish Sandwich [https://www.investopedia.com.cach3= =2Ecom/terms/d/double-irish-with-a-dutch-sandwich.asp.html] is a tax loophol=
e that involves multiple different tax jurisdictions. Can AIs find loophol=
es even more complex? We have no idea.

Sure=2C the AIs will come up with a bunch of tricks that won=E2=80=99t wor= k=2C but that=E2=80=99s where those attorneys and accountants come in -- t=
o verify=2C and then justify=2C the loopholes. And then to market them to=
their wealthy clients.

As goes the tax code=2C so goes any other [https://www.schneier.com/acade= mic/archives/2021/04/the-coming-ai-hackers.html] complex system of rules a=
nd strategies. These models could be tasked with finding loopholes in envi= ronmental rules=2C or food and safety rules -- anywhere there are complex=
regulatory systems and powerful people who want to evade those rules.

The results will be much worse than insecure computers. Tax loopholes resu=
lt in less revenue collected by governments=2C and regulatory loopholes al=
low the powerful to skirt the rules=2C both of which have all sorts of soc=
ial ramifications. And while software vendors can patch their systems in d= ays=2C it generally takes years for a country to amend its tax code. And t=
hat process is political=2C with lobbyists pressuring legislators not to p= atch. Just look at the carried interest [https://www.pgpf.org/article/wha= t-is-the-carried-interest-loophole-and-why-is-it-so-difficult-to-close/] l= oophole=2C a US tax dodge that has been exploited for decades. Various adm= inistrations have tried to close the vulnerability=2C but legislators just=
can=E2=80=99t seem to resist lobbyists long enough to patch it.

AI technologies are poised to remake much of society. Just as the industri=
al revolution gave humans the ability to consume calories outside of their=
bodies at scale=2C the AI revolution will give humans the ability to perf=
orm cognitive tasks outside of their bodies at scale. Our systems aren=E2= =80=99t designed for that; they=E2=80=99re designed for more human paces o=
f cognition. We=E2=80=99re seeing it right now in the deluge of software v= ulnerabilities that these models are finding and exploiting. And we will s=
oon see it in a deluge of vulnerabilities in all sorts of other systems of=
rules. Adapting to this new reality will be hard=2C but we don=E2=80=99t=
have any choice.

_This essay originally appeared in The Guardian [https://www.theguardian.= com/commentisfree/2026/may/08/how-dangerous-is-anthropics-mythos-ai]._

** *** ***** ******* *********** *************

** UPCOMING SPEAKING ENGAGEMENTS ------------------------------------------------------------

[2026.05.14] [https://www.schneier.com/blog/archives/2026/05/upcoming-sp= eaking-engagements-56.html] This is a current list of where and when I am=
scheduled to speak:

* I=E2=80=99m giving a virtual talk on =E2=80=9CThe Security of Trust=
in the Age of AI=2C=E2=80=9D hosted by the Financial Women=E2=80=99s Asso= ciation of New York [https://www.fwa.org/event-landing/2351]=2C at 6:00 P=
M ET on May 21=2C 2026.
* I=E2=80=99m speaking at the Potsdam Conference on National Cybersec= urity [https://potsdamer-sicherheitskonferenz.de/] at the Hasso Plattner=
Institut in Potsdam=2C Germany. The event runs June 24-25=2C 2026=2C and=
my talk will be the evening of June 24.
* I=E2=80=99m speaking at the Digital Humanism Conference [https://d= ighum.wien/] in Vienna=2C Austria=2C on Tuesday=2C June 26=2C 2026.
* I=E2=80=99m speaking at the Nuremberg Digital Festival [https://nu= ernberg.digital/de/] in Nuremburg=2C Germany=2C on Wednesday=2C July 1=2C=
2026.

The list is maintained on this page [https://www.schneier.com/events/].

** *** ***** ******* *********** *************

Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing sum= maries=2C analyses=2C insights=2C and commentaries on security technology.=
To subscribe=2C or to read back issues=2C see Crypto-Gram's web page [ht= tps://www.schneier.com/crypto-gram/].

You can also read these articles on my blog=2C Schneier on Security [http= s://www.schneier.com].

Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to colle= agues and friends who will find it valuable. Permission is also granted to=
reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist=2C cal=
led a security guru by the _Economist_. He is the author of over one dozen=
books -- including his latest=2C _Rewiring Democracy_ [https://www.schne= ier.com/books/rewiring-democracy/] -- as well as hundreds of articles=2C e= ssays=2C and academic papers. His newsletter and blog are read by over 250= =2C000 people. Schneier is a fellow at the Berkman Klein Center for Intern=
et & Society at Harvard University; a Lecturer in Public Policy at the Har= vard Kennedy School; a board member of the Electronic Frontier Foundation=
=2C AccessNow=2C and the Tor Project; and an Advisory Board Member of the=
Electronic Privacy Information Center and VerifiedVoting.org. He is the C= hief of Security Architecture at Inrupt=2C Inc.

Copyright (c) 2026 by Bruce Schneier.

** *** ***** ******* *********** *************

Mailing list hosting graciously provided by MailChimp [https://mailchimp.= com/]. Sent without web bugs or link tracking.

This email was sent to: cryptogram@toolazy.synchro.net

_You are receiving this email because you subscribed to the Crypto-Gram ne= wsletter._

Unsubscribe from this list: https://schneier.us18.list-manage.com/unsubscr= ibe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e=3D70f249ec14&c=3D9= 07cf6f10a

Update subscription preferences: https://schneier.us18.list-manage.com/pro= file?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3D907cf6= f10a

Bruce Schneier
Harvard Kennedy School
1 Brattle Square
Cambridge=2C MA 02138
USA
--_----------=_MCPart_768936522
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><html lang=3D"en"><head><meta charset=3D"UTF-8"><title>Cryp= to-Gram=2C May 15=2C 2026</title></head><body>
<div class=3D"preview-text" style=3D"display:none !important;mso-hide:all;= font-size:1px;line-height:1px;max-height:0px;max-width:0px;opacity:0;overf= low:hidden;">A monthly newsletter about cybersecurity and related topics.<= /div>
<h1 style=3D"font-size:140%">Crypto-Gram 
May 15=2C 202= 6</h1>

by Bruce Schneier
 Fellow and Lecturer=2C Harvard Kennedy School
 schneier@schneier.com
 <a href=3D"https://www.schneier.com">https://www.schneier.com</a>

A free monthly newsletter providing summaries=2C analyses=2C insights=
=2C and commentaries on security: computer and otherwise.

For back issues=2C or to subscribe=2C visit <a href=3D"https://www.schn= eier.com/crypto-gram/">Crypto-Gram's web page</a>.

<a href=3D"https://www.schneier.com/crypto-gram/archives/2026/0515.html= ">Read this issue on the web</a>

These same essays and news items appear in the <a href=3D"https://www.s= chneier.com/">Schneier on Security</a> blog=2C along with a lively and int= elligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"toc"><a name=3D"toc">I=
n this issue:</a></h2>

If these links don't work in your email client=2C try <a href=3D"ht= tps://www.schneier.com/crypto-gram/archives/2026/0515.html">reading this i= ssue of Crypto-Gram on the web.</a>

<li><a href=3D"#cg1">Defense in Depth=2C Medieval Style</a></li>
<li><a href=3D"#cg2">Human Trust of AI Agents</a></li>
<li><a href=3D"#cg3">Mythos and Cybersecurity</a></li>
<li><a href=3D"#cg4">Is "Satoshi Nakamoto" Really Adam Back?</a></li>
<li><a href=3D"#cg5">Mexican Surveillance Company</a></li>
<li><a href=3D"#cg6">ICE Uses Graphite Spyware</a></li>
<li><a href=3D"#cg7">FBI Extracts Deleted Signal Messages from iPhone Noti= fication Database</a></li>
<li><a href=3D"#cg8">Hiding Bluetooth Trackers in Mail</a></li>
<li><a href=3D"#cg9">Medieval Encrypted Letter Decoded</a></li>
<li><a href=3D"#cg10">What Anthropic=E2=80=99s Mythos Means for the Future=
of Cybersecurity</a></li>
<li><a href=3D"#cg11">Claude Mythos Has Found 271 Zero-Days in Firefox</a>= </li>
<li><a href=3D"#cg12">Fast16 Malware</a></li>
<li><a href=3D"#cg13">A Ransomware Negotiator Was Working for a Ransomware=
Gang</a></li>
<li><a href=3D"#cg14">Hacking Polymarket</a></li>
<li><a href=3D"#cg15">DarkSword Malware</a></li>
<li><a href=3D"#cg16">Rowhammer Attack Against NVIDIA Chips</a></li>
<li><a href=3D"#cg17">Smart Glasses for the Authorities</a></li>
<li><a href=3D"#cg18">Insider Betting on Polymarket</a></li>
<li><a href=3D"#cg19">LLMs and Text-in-Text Steganography</a></li>
<li><a href=3D"#cg20">Copy.Fail Linux Vulnerability</a></li>
<li><a href=3D"#cg21">OpenAI=E2=80=99s GPT-5.5 is as Good as Mythos at Fin= ding Security Vulnerabilities</a></li>
<li><a href=3D"#cg22">How Dangerous Is Anthropic=E2=80=99s Mythos AI?</a><=

<li><a href=3D"#cg23">Upcoming Speaking Engagements</a></li>
</ol>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg1"><a name=3D"cg1">D= efense in Depth=2C Medieval Style</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/defense-in-de= pth-medieval-style.html">[2026.04.15]</a> This <a href= =3D"https://turkisharchaeonews.net/object/theodosian-land-walls-constantin= ople">article</a> on the walls of Constantinople is fascinating.

<blockquote>The system comprised four defensive lines arranged in formi= dable layers:

<ul><li>The brick-lined ditch=2C divided by bulkheads and often flooded=2C=
15-20 meters wide and up to 7 meters deep.

</li><li>A low breastwork=2C about 2 meters high=2C enabling defenders to=
fire freely from behind.

</li><li>The outer wall=2C 8 meters tall and 2.8 meters thick=2C with 82 p= rojecting towers.

</li><li>The main wall -- a towering 12 meters high and 5 meters thick --=
with 96 massive towers offset from those of the outer wall for maximum co= verage.</li></ul>

Behind the walls lay broad terraces: the parateichion=2C 18 meters wide=
=2C ideal for repelling enemies who crossed the moat=2C and the peribolos=
=2C 15-20 meters wide between the inner and outer walls. From the moat=E2= =80=99s bottom to the highest tower top=2C the defences reached nearly 30=
meters -- a nearly unscalable barrier of stone and ingenuity.</blockq= uote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg2"><a name=3D"cg2">H= uman Trust of AI Agents</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/human-trust-o= f-ai-agents.html">[2026.04.16]</a> Interesting research:=
=E2=80=9C<a href=3D"https://arxiv.org/pdf/2505.11011">Humans expect ratio= nality and cooperation from LLM opponents in strategic games</a>.=E2=80=9D=

<blockquote>Abstract: As Large Language Models (LLMs) integrate=
into our social and economic interactions=2C we need to deepen our unders= tanding of how humans respond to LLMs opponents in strategic settings. We=
present the results of the first controlled monetarily-incentivised labor= atory experiment looking at differences in human behaviour in a multi-play=
er p-beauty contest against other humans and LLMs. We use a within-subject=
design in order to compare behaviour at the individual level. We show tha= t=2C in this environment=2C human subjects choose significantly lower numb=
ers when playing against LLMs than humans=2C which is mainly driven by the=
increased prevalence of =E2=80=98zero=E2=80=99 Nash-equilibrium choices.=
This shift is mainly driven by subjects with high strategic reasoning abi= lity. Subjects who play the zero Nash-equilibrium choice motivate their st= rategy by appealing to perceived LLM=E2=80=99s reasoning ability and=2C un= expectedly=2C propensity towards cooperation. Our findings provide foundat= ional insights into the multi-player human-LLM interaction in simultaneous=
choice games=2C uncover heterogeneities in both subjects=E2=80=99 behavio=
ur and beliefs about LLM=E2=80=99s play when playing against them=2C and s= uggest important implications for mechanism design in mixed human-LLM syst= ems.</blockquote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg3"><a name=3D"cg3">M= ythos and Cybersecurity</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/mythos-and-cy= bersecurity.html">[2026.04.17]</a> Last week=2C Anthropi=
c pulled back the curtain on <a href=3D"https://red.anthropic.com/2026/myt= hos-preview/">Claude Mythos Preview</a>=2C an AI model so capable at findi=
ng and exploiting software vulnerabilities that the company <a href=3D"htt= ps://globalnews.ca/news/11769446/anthropic-ai-model-too-powerful/">decided=
</a> it was too dangerous to release to the public. Instead=2C access has=
been <a href=3D"https://thehill.com/policy/technology/5824219-anthropic-n= ew-ai-dangerous-public/">restricted</a> to roughly 50 organizations -- Mic= rosoft=2C Apple=2C Amazon Web Services=2C CrowdStrike and other vendors of=
critical infrastructure -- under an initiative called <a href=3D"https://= www.anthropic.com/glasswing">Project Glasswing</a>.

The announcement was accompanied by a barrage of hair-raising anecdotes=
: <a href=3D"https://www.tomshardware.com/tech-industry/artificial-intelli= gence/anthropics-latest-ai-model-identifies-thousands-of-zero-day-vulnerab= ilities-in-every-major-operating-system-and-every-major-web-browser-claude= -mythos-preview-sparks-race-to-fix-critical-bugs-some-unpatched-for-decade= s">thousands</a> of vulnerabilities uncovered across <a href=3D"https://ww= w.helpnetsecurity.com/2026/04/08/anthropic-claude-mythos-preview-identify-= vulnerabilities/">every major</a> operating system and browser=2C includin=
g a 27-year-old bug in OpenBSD=2C a 16-year-old flaw in FFmpeg. Mythos was=
able to weaponize a set of vulnerabilities it found in the Firefox browse=
r into 181 usable attacks; Anthropic=E2=80=99s previous flagship model cou=
ld only achieve two.

This is=2C in many respects=2C exactly the kind of responsible disclosu=
re that security researchers have long urged. And yet the public has been=
given remarkably little with which to evaluate Anthropic=E2=80=99s decisi=
on. We have been shown a highlight reel of spectacular successes. However=
=2C we can=E2=80=99t tell if we have a blockbuster until they let us see t=
he whole movie.

For example=2C we don=E2=80=99t know how many times Mythos mistakenly f= lagged code as vulnerable. Anthropic said security contractors agreed with=
the AI=E2=80=99s severity rating 198 times=2C with an 89 per cent severit=
y agreement. That=E2=80=99s impressive=2C but incomplete. Independent rese= archers examining similar models have found that AI that detects nearly ev=
ery real bug also hallucinates plausible-sounding vulnerabilities in patch= ed=2C correct code.

This matters. A model that autonomously finds and exploits hundreds of=
vulnerabilities with inhuman precision is a game changer=2C but a model t=
hat generates thousands of false alarms and non-working attacks still need=
s skilled and knowledgeable humans. Without knowing the rate of false alar=
ms in Mythos=E2=80=99s unfiltered output=2C we cannot tell whether the exa= mples showcased are representative.

There is a second=2C subtler problem. Large language models=2C includin=
g Mythos=2C perform best on inputs that resemble what they were trained on=
: widely used open-source projects=2C major browsers=2C the Linux kernel a=
nd popular web frameworks. Concentrating early access among the largest ve= ndors of precisely this software is sensible; it lets them patch first=2C=
before adversaries catch up.

But the inverse is also true. Software outside the training distributio=
n -- industrial control systems=2C medical device firmware=2C bespoke fina= ncial infrastructure=2C regional banking software=2C older embedded system=
s -- is exactly where out-of-the-box Mythos is likely least able to find o=
r exploit bugs.

However=2C a sufficiently motivated attacker with domain expertise in o=
ne of these fields could nevertheless wield Mythos=E2=80=99s advanced reas= oning capabilities as a force multiplier=2C probing systems that Anthropic= =E2=80=99s own engineers lack the specialized knowledge to audit. The dang=
er is not that Mythos fails in those domains; it is that Mythos may succee=
d for whoever brings the expertise.

Broader=2C structured access for academic researchers and domain specia= lists -- cardiologists=E2=80=99 partners in medical device security=2C con= trol-systems engineers=2C researchers in less prominent languages and ecos= ystems -- would meaningfully reduce this asymmetry. Fifty companies=2C how= ever well chosen=2C cannot substitute for the distributed expertise of the=
entire research community.

None of this is an indictment of Anthropic. By all appearances the comp=
any is trying to act responsibly=2C and its decision to hold the model bac=
k is evidence of seriousness.

But Anthropic is a private company and=2C in some ways=2C still a start= -up. Yet it is making unilateral decisions about which pieces of our criti=
cal global infrastructure get defended first=2C and which must wait their=
turn.

It has finite staff=2C finite budget and finite expertise. It will miss=
things=2C and when the thing missed is in the software running a hospital=
or a power grid=2C the cost will be borne by people who never had a say.<=

The security problem is <a href=3D"https://www.npr.org/2026/04/11/nx-s1= -5778508/anthropic-project-glasswing-ai-cybersecurity-mythos-preview">far=
greater</a> than one company and one model. There=E2=80=99s no reason to=
believe that Mythos Preview is unique. (Not to be outdone=2C OpenAI <a hr= ef=3D"https://www.msn.com/en-us/technology/artificial-intelligence/scoop-o= penai-plans-staggered-rollout-of-new-model-over-cybersecurity-risk/ar-AA20= usvp">announced</a> that its new GPT-5.4-Cyber is so dangerous that the mo=
del also will not be released to the general public.) And it=E2=80=99s unc= lear how much of an advance these new models represent. The security compa=
ny Aisle was able to <a href=3D"https://aisle.com/blog/ai-cybersecurity-af= ter-mythos-the-jagged-frontier">replicate</a> many of Anthropic=E2=80=99s=
published anecdotes using smaller=2C cheaper=2C public AI models.

Any decisions we make about whether and how to release these powerful m= odels are more than one company=E2=80=99s responsibility. Ultimately=2C th=
is will probably lead to regulation. That will be hard to get right and re= quires a long process of consultation and feedback.

In the short term=2C we need something simpler: greater transparency an=
d information sharing with the broader community. This doesn=E2=80=99t nec= essarily mean making powerful models like Claude Mythos widely available.=
Rather=2C it means sharing as much data and information as possible=2C so=
that we can collectively make informed decisions.

We need globally co-ordinated frameworks for independent auditing=2C ma= ndatory disclosure of aggregate performance metrics and funded access for=
academic and civil-society researchers.

This has implications for national security=2C personal safety and corp= orate competitiveness. Any technology that can find thousands of exploitab=
le flaws in the systems we all depend on should not be governed solely by=
the internal judgment of its creators=2C however well intentioned.

Until that changes=2C each Mythos-class release will put the world at t=
he edge of another precipice=2C without any visibility into whether there=
is a landing out of view just below=2C or whether this time the drop will=
be fatal. That is not a choice a for-profit corporation should be allowed=
to make in a democratic society. Nor should such a company be able to res= trict the ability of society to make choices about its own security.

This essay was written with David Lie=2C and originally appeared in=
<a href=3D"https://www.theglobeandmail.com/business/commentary/article-my= thos-sets-the-world-on-edge-what-comes-next-may-push-us-beyond/">The Globe=
and Mail</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg4"><a name=3D"cg4">I=
s "Satoshi Nakamoto" Really Adam Back?</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/is-satoshi-na= kamoto-really-adam-back.html">[2026.04.20]</a> The Ne=
w York Times has a <a href=3D"https://www.nytimes.com/2026/04/08/busin= ess/bitcoin-satoshi-nakamoto-identity-adam-back.html">long article</a> whe=
re the author lays out an impressive array of circumstantial evidence that=
the inventor of Bitcoin is the cypherpunk Adam Back.

I don=E2=80=99t know. The article is convincing=2C but it=E2=80=99s wri= tten to be convincing.

I can=E2=80=99t remember if I ever met Adam. I was a member of the Cyph= erpunks mailing list for a while=2C but I was never really an active parti= cipant. I spent more time on the Usenet newsgroup sci.crypt. I knew a bunc=
h of the Cypherpunks=2C though=2C from various conferences around the worl=
d at the time. I really have no opinion about who Satoshi Nakamoto really=
is.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg5"><a name=3D"cg5">M= exican Surveillance Company</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/mexican-surve= illance-company.html">[2026.04.21]</a> <a href=3D"https:= //restofworld.org/2026/mexico-seguritech-government-surveillance-profile/"= >Grupo Seguritech</a> is a Mexican surveillance company that is expanding=
into the US.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg6"><a name=3D"cg6">I=
CE Uses Graphite Spyware</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/ice-uses-grap= hite-spyware.html">[2026.04.22]</a> ICE has <a href=3D"h= ttps://www.npr.org/2026/04/07/nx-s1-5776799/ice-spyware-privacy">admitted<=

that it uses spyware from the Israeli company Graphite.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg7"><a name=3D"cg7">F=
BI Extracts Deleted Signal Messages from iPhone Notification Database</a><=

<a href=3D"https://www.schneier.com/blog/archives/2026/04/fbi-extracts-= deleted-signal-messages-from-iphone-notification-database.html">[= 2026.04.23]</a> 404 Media <a href=3D"https://www.404media.co/fbi-= extracts-suspects-deleted-signal-messages-saved-in-iphone-notification-dat= abase-2/">reports</a> (alternate <a href=3D"https://archive.ph/bSQhD">site= </a>):

<blockquote>The FBI was able to forensically extract copies of incoming=
Signal messages from a defendant=E2=80=99s iPhone=2C even after the app w=
as deleted=2C because copies of the content were saved in the device=E2=80= =99s push notification database....

The news shows how forensic extraction -- when someone has physical acc=
ess to a device and is able to run specialized software on it -- can yield=
sensitive data derived from secure messaging apps in unexpected places. S= ignal already has a setting that blocks message content from displaying in=
push notifications; the case highlights why such a feature might be impor= tant for some users to turn on.

=E2=80=9CWe learned that specifically on iPhones=2C if one=E2=80=99s se= ttings in the Signal app allow for message notifications and previews to s=
how up on the lock screen=2C [then] the iPhone will internally store thos=
e notifications/message previews in the internal memory of the device=2C= =E2=80=9D a supporter of the defendants who was taking notes during the tr=
ial told 404 Media.</blockquote>

EDITED TO ADD (4/24): Apple has <a href=3D"https://mjtsai.com/blog/2026= /04/22/ios-26-4-2-and-ipados-26-4-2/">patched</a> this vulnerability.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg8"><a name=3D"cg8">H= iding Bluetooth Trackers in Mail</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/hiding-blueto= oth-trackers-in-mail.html">[2026.04.24]</a> It was used=
to <a href=3D"https://www.tomshardware.com/tech-industry/cyber-security/b= luetooth-tracker-hidden-in-a-postcard-and-mailed-to-a-warship-exposed-its-= location-a-eur5-gadget-put-a-eur500-million-dutch-ship-at-risk-for-24-hour= s">track</a> a Dutch naval ship:

<blockquote>Dutch journalist Just Vervaart=2C working for regional medi=
a network Omroep Gelderland=2C followed the directions posted on the Dutch=
government website and mailed a postcard with a hidden tracker inside. Be= cause of this=2C they were able to track the ship for about a day=2C watch=
ing it sail from Heraklion=2C Crete=2C before it turned towards Cyprus. Wh=
ile it only showed the location of that one vessel=2C knowing that it was=
part of a carrier strike group sailing in the Mediterranean could potenti= ally put the entire fleet at risk.

[...]

Navy officials reported that the tracker was discovered within 24 hours=
of the ship=E2=80=99s arrival=2C during mail sorting=2C and was eventuall=
y disabled. Because of this incident=2C the Dutch authorities now ban elec= tronic greeting cards=2C which=2C unlike packages=2C weren=E2=80=99t x-ray=
ed before being brought on the ship.</blockquote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg9"><a name=3D"cg9">M= edieval Encrypted Letter Decoded</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/medieval-encr= ypted-letter-decoded.html">[2026.04.27]</a> Sent by a Sp= anish diplomat. Apparently people have been <a href=3D"https://www.medieva= lists.net/2026/04/secret-letter-detailing-late-medieval-britain-fully-deco= ded/">working on it</a> since it was rediscovered in 1860.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg10"><a name=3D"cg10"= >What Anthropic=E2=80=99s Mythos Means for the Future of Cybersecurity</a>= </h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/what-anthropi= cs-mythos-means-for-the-future-of-cybersecurity.html">[2026.04.28= ]</a> Two weeks ago=2C Anthropic <a href=3D"https://red.anthropic= =2Ecom/2026/mythos-preview/">announced</a> that its new model=2C Claude Myth= os Preview=2C can autonomously find and weaponize software vulnerabilities=
=2C turning them into working exploits without expert guidance. These were=
vulnerabilities in key software like operating systems and internet infra= structure that thousands of software developers working on those systems f= ailed to find. This capability will have major security implications=2C co= mpromising the devices and services we use every day. As a result=2C <a hr= ef=3D"https://spectrum.ieee.org/tag/anthropic">Anthropic</a> is not releas=
ing the model to the general public=2C but instead to a <a href=3D"https:/= /www.anthropic.com/glasswing">limited number</a> of companies.

The news rocked the internet security community. There were few details=
in Anthropic=E2=80=99s announcement=2C <a href=3D"https://srinstitute.uto= ronto.ca/news/the-mythos-question-who-decides-when-ai-is-too-dangerous">an= gering</a> many observers. Some speculate that Anthropic <a href=3D"https:= //kingy.ai/ai/too-dangerous-to-release-or-just-too-expensive-the-real-reas= on-anthropic-is-hiding-its-most-powerful-ai/">doesn=E2=80=99t have</a> the=
<a href=3D"https://spectrum.ieee.org/tag/gpus">GPUs</a> to run the thing=
=2C and that cybersecurity was the excuse to limit its release. Others arg=
ue Anthropic is holding to its AI safety mission. <a href=3D"https://www.n= ytimes.com/2026/04/07/opinion/anthropic-ai-claude-mythos.html">There=E2=80= =99s</a> <a href=3D"https://www.axios.com/2026/04/08/anthropic-mythos-mode= l-ai-cyberattack-warning">hype</a> and <a href=3D"https://www.artificialin= telligencemadesimple.com/p/anthropics-claude-mythos-launch-is">counter</a>=
<a href=3D"https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged= -frontier">hype</a>=2C <a href=3D"https://www.aisi.gov.uk/blog/our-evaluat= ion-of-claude-mythos-previews-cyber-capabilities">reality</a> and marketin=
g. It=E2=80=99s a lot to sort out=2C even if you=E2=80=99re an expert.

We see Mythos as a real but incremental step=2C one in a long line of i= ncremental steps. But even incremental steps can be important when we look=
at the big picture.

<h3 style=3D"font-size:110%;font-weight:bold">How AI Is Changing Cybersecu= rity</h3>

We=E2=80=99ve <a href=3D"https://spectrum.ieee.org/online-privacy">writ=
ten about</a> shifting baseline syndrome=2C a phenomenon that leads people=
-- the public and experts alike -- to discount massive long-term changes=
that are hidden in incremental steps. It has happened with online privacy=
=2C and it=E2=80=99s happening with AI. Even if the vulnerabilities found=
by Mythos could have been found using AI models from last month or last y= ear=2C they couldn=E2=80=99t have been found by AI models from five years=
ago.

The Mythos announcement reminds us that AI has come a long way in just=
a few years: The baseline really has shifted. Finding vulnerabilities in=
source code is the type of task that today=E2=80=99s large language model=
s excel at. Regardless of whether it happened last year or will happen nex=
t year=2C it=E2=80=99s been clear for a <a href=3D"https://sockpuppet.org/= blog/2026/03/30/vulnerability-research-is-cooked/">while</a> this kind of=
capability was coming soon. The question is how we <a href=3D"https://lab= s.cloudsecurityalliance.org/mythos-ciso/">adapt to it</a>.

We don=E2=80=99t believe that an AI that can hack autonomously will cre=
ate permanent asymmetry between offense and defense; it=E2=80=99s likely t=
o be more <a href=3D"https://danielmiessler.com/blog/will-ai-help-moreatta= ckers-defenders">nuanced</a> than that. Some vulnerabilities can be found=
=2C verified=2C and patched automatically. Some vulnerabilities will be ha=
rd to find but easy to verify and patch -- consider generic cloud-hosted w=
eb applications built on standard software stacks=2C where updates can be=
deployed quickly. Still others will be easy to find (even without powerfu=
l AI) and relatively easy to verify=2C but harder or impossible to patch=
=2C such as IoT appliances and industrial equipment that are rarely update=
d or can=E2=80=99t be easily modified.

Then there are systems whose vulnerabilities will be easy to find in co=
de but difficult to verify in practice. For example=2C complex distributed=
systems and cloud platforms can be composed of thousands of interacting s= ervices running in parallel=2C making it difficult to distinguish real vul= nerabilities from false positives and to reliably reproduce them.

So we must separate the patchable from the unpatchable=2C and the easy=
to verify from the hard to verify. This taxonomy also provides us guidanc=
e for how to protect such systems in an era of powerful AI vulnerability-f= inding tools.

Unpatchable or hard to verify systems should be protected by wrapping t=
hem in more restrictive=2C tightly controlled layers. You want your fridge=
or thermostat or industrial control system behind a restrictive and const= antly updated firewall=2C not freely talking to the internet.

Distributed systems that are fundamentally interconnected should be tra= ceable and should follow the principle of least privilege=2C where each co= mponent has only the access it needs. These are bog-standard security idea=
s that we might have been tempted to throw out in the era of AI=2C but the= y=E2=80=99re still as relevant as ever.

<h3 style=3D"font-size:110%;font-weight:bold">Rethinking Software Security=
Practices</h3>

This also raises the salience of best practices in software engineering=
=2E Automated=2C thorough=2C and continuous testing was always important. No=
w we can take this practice a step further and use defensive <a href=3D"ht= tps://spectrum.ieee.org/tag/agentic-ai">AI agents</a> to <a href=3D"https:= //www.secwest.net/ai-triage">test exploits</a> against a real stack=2C ove=
r and over=2C until the false positives have been weeded out and the real=
vulnerabilities and fixes are confirmed. This kind of <a href=3D"https://= www.csoonline.com/article/4069075/autonomous-ai-hacking-and-the-future-of-= cybersecurity.html">VulnOps</a> is likely to become a standard part of the=
development process.

Documentation becomes more valuable=2C as it can guide an AI agent on a=
bug-finding mission just as it does developers. And following standard pr= actices and using standard tools and libraries allows AI and engineers ali=
ke to recognize patterns more effectively=2C even in a world of individual=
and ephemeral <a href=3D"https://www.csoonline.com/article/4152133/cybers= ecurity-in-the-age-of-instant-software.html">instant software</a> -- code=
that can be generated and deployed on demand.

Will this favor <a href=3D"https://www.schneier.com/essays/archives/201= 8/03/artificial_intellige.html">offense or defense</a>? The defense eventu= ally=2C probably=2C especially in systems that are easy to patch and verif=
y. Fortunately=2C that includes our phones=2C web browsers=2C and major in= ternet services. But today=E2=80=99s cars=2C electrical transformers=2C fr= idges=2C and lampposts are connected to the internet. Legacy banking and a= irline systems are networked.

Not all of those are going to get patched as fast as needed=2C and we m=
ay see a few years of constant hacks until we arrive at a new normal: wher=
e verification is paramount and software is patched continuously.

This essay was written with Barath Raghavan=2C and originally appea=
red in <a href=3D"https://spectrum.ieee.org/ai-cybersecurity-mythos">IEEE=
Spectrum</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg11"><a name=3D"cg11"= >Claude Mythos Has Found 271 Zero-Days in Firefox</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/claude-mythos= -has-found-271-zero-days-in-firefox.html">[2026.04.29]</=

That=E2=80=99s <a href=3D"https://blog.mozilla.org/en/firefox/ai-securi=

ty-zero-day-vulnerabilities/">a lot</a>. No=2C it=E2=80=99s an extraordina=
ry number:

<blockquote>Since February=2C the Firefox team has been working around=
the clock using frontier AI models to find and fix latent security vulner= abilities in the browser. We wrote previously about our collaboration with=
Anthropic to scan Firefox with Opus 4.6=2C which led to fixes for 22 secu= rity-sensitive bugs in Firefox 148.

As part of our continued collaboration with Anthropic=2C we had the opp= ortunity to apply an early version of Claude Mythos Preview to Firefox. Th=
is week=E2=80=99s release of Firefox 150 includes fixes for 271 vulnerabil= ities identified during this initial evaluation.

As these capabilities reach the hands of more defenders=2C many other t= eams are now experiencing the same vertigo we did when the findings first=
came into focus. For a hardened target=2C just one such bug would have be=
en red-alert in 2025=2C and so many at once makes you stop to wonder wheth=
er it=E2=80=99s even possible to keep up.

Our experience is a hopeful one for teams who shake off the vertigo and=
get to work. You may need to reprioritize everything else to bring relent= less and single-minded focus to the task=2C but there is light at the end=
of the tunnel. We are extremely proud of how our team rose to meet this c= hallenge=2C and others will too. Our work isn=E2=80=99t finished=2C but we= =E2=80=99ve turned the corner and can glimpse a future much better than ju=
st keeping up. Defenders finally have a chance to win=2C decisivel= y.</blockquote>

They=E2=80=99re right. Assuming the defenders can patch=2C and push tho=
se patches out to users quickly=2C this technology favors the defenders.</=

News <a href=3D"https://arstechnica.com/ai/2026/04/mozilla-anthropics-m= ythos-found-271-zero-day-vulnerabilities-in-firefox-150/">article</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg12"><a name=3D"cg12"= >Fast16 Malware</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/04/fast16-malwar= e.html">[2026.04.30]</a> Researchers have reverse-engine=
ered a piece of malware named Fast16. It=E2=80=99s almost certainly state-= sponsored=2C probably US in origin=2C and was <a href=3D"https://www.wired= =2Ecom/story/fast16-malware-stuxnet-precursor-iran-nuclear-attack/?_sp=3D72d= 58355-e351-43ad-ba73-bc2b546a30a0.1777128353268">deployed</a> against Iran=
years before Stuxnet:

<blockquote>=E2=80=9C...the Fast16 malware was designed to carry out th=
e most subtle form of sabotage ever seen in an in-the-wild malware tool: B=
y automatically spreading across networks and then silently manipulating c= omputation processes in certain software applications that perform high-pr= ecision mathematical calculations and simulate physical phenomena=2C Fast1=
6 can alter the results of those programs to cause failures that range fro=
m faulty research results to catastrophic damage to real-world equipment.= =E2=80=9D</blockquote>

Another news <a href=3D"https://www.securityweek.com/pre-stuxnet-sabota= ge-malware-fast16-linked-to-us-iran-cyber-tensions/">article</a>.

Lots of interesting details at the links.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg13"><a name=3D"cg13"=

A Ransomware Negotiator Was Working for a Ransomware Gang</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/a-ransomware-= negotiator-was-working-for-a-ransomware-gang.html">[2026.05.01]</= strong></a> Someone <a href=3D"https://gizmodo.com/a-ransomware-negotiator= -pleads-guilty-to-being-a-double-agent-2000749234">pleaded guilty</a> to s= ecretly working for a ransomware gang as he negotiated ransomware payments=
for clients.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg14"><a name=3D"cg14"= >Hacking Polymarket</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/hacking-polym= arket.html">[2026.05.04]</a> Polymarket is a platform wh=
ere people can bet on real-world events=2C political and otherwise. Leavin=
g the ethical considerations of this aside (for one=2C it facilitates <a h= ref=3D"https://en.wikipedia.org/wiki/Assassination_market">assassination</= a>)=2C one of the issues with making this work is the verification of thes=
e real-world events. Polymarket gamblers have <a href=3D"https://www.thegu= ardian.com/world/2026/mar/18/polymarket-gamblers-threaten-israeli-journali= st-missile-strike-wager">threatened</a> a journalist because his story was=
being used to verify an event. And now=2C gamblers are taking <a href=3D"= https://www.engadget.com/big-tech/someone-allegedly-used-a-hairdryer-to-ri= g-polymarket-weather-bets-155312411.html">hair dryers</a> to weather senso=
rs to rig weather bets.

There=E2=80=99s also <a href=3D"https://www.bbc.com/news/articles/c2083= 2yg5p2o">insider trading</a>: a <a href=3D"https://www.bbc.com/news/articl= es/cge0grppe3po">lot of it</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg15"><a name=3D"cg15"= >DarkSword Malware</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/darksword-mal= ware.html">[2026.05.05]</a> DarkSword is a sophisticated=
piece of <a href=3D"https://cloud.google.com/blog/topics/threat-intellige= nce/darksword-ios-exploit-chain">malware</a> -- probably government design=
ed -- that targets iOS.

<blockquote>Google Threat Intelligence Group (GTIG) has identified a ne=
w iOS full-chain exploit that leveraged multiple zero-day vulnerabilities=
to fully compromise devices. Based on toolmarks in recovered payloads=2C=
we believe the exploit chain to be called DarkSword. Since at least Novem=
ber 2025=2C GTIG has observed multiple commercial surveillance vendors and=
suspected state-sponsored actors utilizing DarkSword in distinct campaign=
s. These threat actors have deployed the exploit chain against targets in=
Saudi Arabia=2C Turkey=2C Malaysia=2C and Ukraine.

DarkSword supports iOS versions 18.4 through 18.7 and utilizes six diff= erent vulnerabilities to deploy final-stage payloads. GTIG has identified=
three distinct malware families deployed following a successful DarkSword=
compromise: GHOSTBLADE=2C GHOSTKNIFE=2C and GHOSTSABER. The proliferation=
of this single exploit chain across disparate threat actors mirrors the p= reviously discovered <a href=3D"https://cloud.google.com/blog/topics/threa= t-intelligence/coruna-powerful-ios-exploit-kit">Coruna iOS exploit kit</a>=
=2E Notably=2C UNC6353=2C a suspected Russian espionage group previously obs= erved using Coruna=2C has recently incorporated DarkSword into their water=
ing hole campaigns.</blockquote>

A week after it was identified=2C a version of it <a href=3D"https://te= chcrunch.com/2026/03/23/someone-has-publicly-leaked-an-exploit-kit-that-ca= n-hack-millions-of-iphones/">leaked</a> onto the internet=2C where it is b= eing used more broadly.

This news is a month old. Your devices are safe=2C assuming you patch r= egularly.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg16"><a name=3D"cg16"= >Rowhammer Attack Against NVIDIA Chips</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/rowhammer-att= ack-against-nvidia-chips.html">[2026.05.06]</a> A new <a=
href=3D"https://en.wikipedia.org/wiki/Row_hammer">rowhammer</a> attack gi=
ves <a href=3D"https://arstechnica.com/security/2026/04/new-rowhammer-atta= cks-give-complete-control-of-machines-running-nvidia-gpus/">complete contr= ol</a> of NVIDIA CPUs.

<blockquote>On Thursday=2C two research teams=2C working independently=
of each other=2C demonstrated attacks against two cards from Nvidia=E2=80= =99s Ampere generation that take GPU rowhammering into new -- and potentia=
lly much more consequential -- territory: GDDR bitflips that give adversar=
ies full control of CPU memory=2C resulting in full system compromise of t=
he host machine. For the attack to work=2C <a href=3D"https://en.wikipedia= =2Eorg/wiki/Input-output_memory_management_unit">IOMMU</a> memory management=
must be disabled=2C as is the default in BIOS settings.

=E2=80=9COur work shows that Rowhammer=2C which is well-studied on CPUs=
=2C is a serious threat on GPUs as well=2C=E2=80=9D said Andrew Kwong=2C c= o-author of one of the papers. =E2=80=9C<a href=3D"https://gddr.fail/files= /gddr.pdf">GDDRHammer: Greatly Disturbing DRAM RowsCross-Component Rowhamm=
er Attacks from Modern GPUs</a>.=E2=80=9D =E2=80=9CWith our work=2C we...=
show how an attacker can induce bit flips on the GPU to gain arbitrary re= ad/write access to all of the CPU=E2=80=99s memory=2C resulting in complet=
e compromise of the machine.=E2=80=9D

Update Friday=2C April 3: On Friday=2C researchers unveiled a third Row= hammer attack that also demonstrates Rowhammer attacks on the RTX A6000 th=
at achieves privilege escalation to a root shell. Unlike the previous two=
=2C the researchers said=2C it works even when IOMMU is enabled.</bloc= kquote>

The second paper is <a href=3D"https://gddr.fail/files/GeForge.pdf">GeF= orge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit</a= >:

<blockquote>...does largely the same thing=2C except that instead of ex= ploiting the last-level page table=2C as GDDRHammer does=2C it manipulates=
the last-level page directory. It was able to induce 1=2C171 bitflips aga= inst the RTX 3060 and 202 bitflips against the RTX 6000.

GeForge=2C too=2C uses novel hammering patterns and memory massaging to=
corrupt GPU page table mappings in GDDR6 memory to acquire read and write=
access to the GPU memory space. From there=2C it acquires the same privil= eges over host CPU memory. The GeForge proof-of-concept exploit against th=
e RTX 3060 concludes by opening a root shell window that allows the attack=
er to issue commands that run unfettered privileges on the host machine. T=
he researchers said that both GDDRHammer and GeForge could do the same thi=
ng against the RTC 6000.</blockquote>

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg17"><a name=3D"cg17"= >Smart Glasses for the Authorities</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/smart-glasses= -for-the-authorities.html">[2026.05.07]</a> ICE is <a hr= ef=3D"https://www.kenklippenstein.com/p/exclusive-ice-glasses">developing<=

its own version of smart glasses=2C with facial recognition tied to va=

rious databases.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg18"><a name=3D"cg18"= >Insider Betting on Polymarket</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/insider-betti= ng-on-polymarket.html">[2026.05.08]</a> Insider trading=
is <a href=3D"https://arstechnica.com/tech-policy/2026/04/more-than-half-= of-all-long-shot-bets-on-polymarket-pay-off/">rife</a> on Polymarket:

<blockquote>Analysis by the Anti-Corruption Data Collective=2C a non-pr= ofit research and advocacy group=2C found that long-shot bets -- defined a=
s wagers of $2=2C500 or more at odds of 35 percent or less -- on the platf=
orm had an average win rate of around 52 percent in markets on military an=
d defense actions.

That compares with a win rate of 25 percent across all politics-focused=
markets and just 14 percent for all markets on the platform as a whole.</= p></blockquote>

It is absolutely insane that this is legal. We already know how insider=
betting warps sports. Insider betting warping politics -- and military ac= tions -- is orders of magnitude worse.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg19"><a name=3D"cg19"= >LLMs and Text-in-Text Steganography</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/llms-and-text= -in-text-steganography.html">[2026.05.11]</a> Turns out=
that LLMs are <a href=3D"https://arxiv.org/abs/2510.20075">really good</a=

at hiding text messages in other text messages.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg20"><a name=3D"cg20"= >Copy.Fail Linux Vulnerability</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/copy-fail-lin= ux-vulnerability.html">[2026.05.12]</a> This is the <a h= ref=3D"https://jorijn.com/en/blog/copy-fail-cve-2026-31431-linux-kernel-bu= g-explained/">worst</a> Linux vulnerability in years.

<blockquote>TL;DR

<ul><li>copy.fail is a Linux kernel local privilege escalation=2C not a br= owser or clipboard attack. Disclosed by Theori on 29 April 2026 with a wor= king PoC.

</li><li>It abuses the kernel crypto API (AF_ALG sockets) plus splice() to=
write four bytes at a time straight into the page cache of a file the att= acker does not own.

</li><li>The exploit works unmodified across Ubuntu=2C RHEL=2C Debian=2C S= USE=2C Amazon Linux=2C Fedora and most others. No race condition=2C no per= -distro offsets.

</li><li>The file on disk is never modified. AIDE=2C Tripwire and checksum= -based monitoring see nothing.

</li><li>Kubernetes Pod Security Standards (Restricted) and the default Ru= ntimeDefault seccomp profile do not block the syscall used. A custom secco=
mp profile is needed.

</li><li>The mainline fix landed on 1 April. Distros are rolling kernels o=
ut now. Patch.</li></ul>

=E2=80=9CLocal privilege escalation=E2=80=9D sounds dry=2C so let me un= pack it. It means: an attacker who already has some way to run code on the=
machine=2C even as the most boring unprivileged user=2C can promote thems= elves to root. From there they can read every file=2C install backdoors=2C=
watch every process=2C and pivot to other systems.

Why does that matter on shared infrastructure? Because =E2=80=9Clocal= =E2=80=9D covers a lot of ground in 2026: every container on a shared Kube= rnetes node=2C every tenant on a shared hosting box=2C every CI/CD job tha=
t runs untrusted pull-request code=2C every WSL2 instance on a Windows lap= top=2C every containerised AI agent given shell access. They all share one=
Linux kernel with their neighbours. A kernel LPE collapses that boundary.= </blockquote>

News <a href=3D"https://arstechnica.com/security/2026/04/as-the-most-se= vere-linux-threat-in-years-surfaces-the-world-scrambles/">article</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg21"><a name=3D"cg21"= >OpenAI=E2=80=99s GPT-5.5 is as Good as Mythos at Finding Security Vulnera= bilities</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/openais-gpt-5= -5-is-as-good-as-mythos-at-finding-security-vulnerabilities.html">= [2026.05.13]</a> The UK=E2=80=99s AI Security Institute evaluate=
d GPT-5.5=E2=80=99s ability to find security vulnerabilities=2C and <a hre= f=3D"https://www.aisi.gov.uk/blog/our-evaluation-of-openais-gpt-5-5-cyber-= capabilities">found</a> that it is comparable to Claude Mythos. Note that=
the OpenAI model is generally available.

<a href=3D"https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos= -previews-cyber-capabilities">Here</a> is the Institute=E2=80=99s evaluati=
on of Mythos.

And <a href=3D"https://aisle.com/blog/ai-cybersecurity-after-mythos-the= -jagged-frontier">here</a> is an analysis of a smaller=2C cheaper model. I=
t requires more scaffolding from the prompter=2C but it is also just as go= od.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg22"><a name=3D"cg22"= >How Dangerous Is Anthropic=E2=80=99s Mythos AI?</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/how-dangerous= -is-anthropics-mythos-ai.html">[2026.05.14]</a> Last mon= th=2C Anthropic made a remarkable <a href=3D"https://red.anthropic.com/202= 6/mythos-preview/">announcement</a> about its new model=2C Claude Mythos P= review: it was so good at finding security vulnerabilities in software tha=
t the company would not release it to the general public. Instead=2C it wo=
uld only be available to a <a href=3D"https://www.anthropic.com/glasswing"= >select group</a> of companies to scan and fix their own software.

The announcement requires context -- but it contained an essential trut= h.

While Anthropic=E2=80=99s model is really good at finding software vuln= erabilities=2C so are other models. The UK=E2=80=99s AI Security Institute=
<a href=3D"https://www.aisi.gov.uk/blog/our-evaluation-of-openais-gpt-5-5= -cyber-capabilities">found</a> that OpenAI=E2=80=99s GPT-5.5=2C already ge= nerally available=2C is comparable in capability. The company Aisle <a hre= f=3D"https://www.schneier.com/blog/archives/2026/04/mythos-and-cybersecuri= ty.html">reproduced</a> Anthropic=E2=80=99s published results with smaller=
=2C cheaper models.

At the same time=2C Anthropic=E2=80=99s refusal to publicly release its=
new model makes a virtue out of necessity. Mythos is very expensive to ru= n=2C and the company <a href=3D"https://kingy.ai/ai/too-dangerous-to-relea= se-or-just-too-expensive-the-real-reason-anthropic-is-hiding-its-most-powe= rful-ai/">doesn=E2=80=99t appear to have</a> the resources for a general r= elease. What better way to juice the company=E2=80=99s valuation than to h=
int at capabilities but not prove them=2C and then have <a href=3D"https:/= /www.nytimes.com/2026/04/07/opinion/anthropic-ai-claude-mythos.html">other= s</a> <a href=3D"https://www.axios.com/2026/04/08/anthropic-mythos-model-a= i-cyberattack-warning">parrot</a> their claims?

Nonetheless=2C the truth is scary. Modern generative AI systems -- not=
just Anthropic=E2=80=99s=2C but OpenAI=E2=80=99s and other=2C open-source=
models -- are getting really good at finding and exploiting vulnerabiliti=
es in software. And that has important <a href=3D"https://spectrum.ieee.or= g/ai-cybersecurity-mythos">ramifications</a> for cybersecurity: on both th=
e offense and the defense.

Attackers will use these capabilities to find=2C and automatically hack=
=2C vulnerabilities in systems of all kinds. They will be able to break in=
to critical systems around the world=2C sometimes to plant ransomware and=
make money=2C sometimes to steal data for espionage purposes=2C and somet= imes to control systems in times of hostility. This will make the world a=
much more dangerous=2C and more volatile=2C place.

But at the same time=2C defenders will use these same capabilities to f= ind=2C and then patch=2C many of those same systems. For example=2C Mozill=
a used Mythos to <a href=3D"https://blog.mozilla.org/en/firefox/ai-securit= y-zero-day-vulnerabilities/">find</a> 271 vulnerabilities in Firefox. Thos=
e vulnerabilities have been fixed=2C and will never again be available to=
attackers. In the future=2C AIs automatically finding and fixing vulnerab= ilities in all software will be a normal part of the development process=
=2C which will result in much more secure software.

Of course=2C it=E2=80=99s not that simple. We should expect a deluge of=
both attackers using newly found vulnerabilities to break into systems=2C=
and at the same time much more frequent software updates for every app an=
d device we use. But lots of systems aren=E2=80=99t patchable=2C and many=
systems that are don=E2=80=99t get patched=2C meaning that many vulnerabi= lities will stick around. And it does seem that finding and exploiting is=
easier than finding and fixing. All of this points to a more dangerous sh= ort-term future. Organizations will need to <a href=3D"https://labs.clouds= ecurityalliance.org/mythos-ciso/">adapt</a> their security to this new rea= lity.

But it=E2=80=99s the long term that we need to focus on. Mythos isn=E2= =80=99t unique=2C but it=E2=80=99s more capable than many models that have=
come before. And it=E2=80=99s less capable than models that will come aft=
er. AIs are much better at writing software than they were just six months=
ago. There=E2=80=99s every reason to believe that they will continue to g=
et better=2C which means that they will get better at writing more secure=
software. The endgame gives AI-enhanced defenders advantages over AI-enha= nced attackers.

Even more interesting are the <a href=3D"https://www.schneier.com/acade= mic/archives/2021/04/the-coming-ai-hackers.html">broader implications</a>.=
The same searching=2C pattern-matching and reasoning capabilities that ma=
ke these models so good at analyzing software almost certainly apply to si= milar systems. The tax code isn=E2=80=99t computer code=2C but it=E2=80=99=
s a series of algorithms with inputs and outputs. It has vulnerabilities;=
we call them tax loopholes. It has exploits; we call them tax avoidance s= trategies. And it has black hat hackers: attorneys and accountants.

Just as these models are finding hundreds of vulnerabilities in complex=
software systems=2C we should expect them to be equally effective at find=
ing many new and undiscovered tax loopholes. I am confident that the major=
investment banks are working on this right now=2C in secret. They=E2=80=
=99ve fed AI the tax code of the US=2C or the UK=2C or maybe every industr= ialized country=2C and tasked the system with looking for money-saving str= ategies. How many tax loopholes will those AIs find? Ten? One hundred? One=
thousand? The <a href=3D"https://www.investopedia.com.cach3.com/terms/d/d= ouble-irish-with-a-dutch-sandwich.asp.html">Double Dutch Irish Sandwich</a=

is a tax loophole that involves multiple different tax jurisdictions. Ca=

n AIs find loopholes even more complex? We have no idea.

Sure=2C the AIs will come up with a bunch of tricks that won=E2=80=99t=
work=2C but that=E2=80=99s where those attorneys and accountants come in=
-- to verify=2C and then justify=2C the loopholes. And then to market the=
m to their wealthy clients.

As goes the tax code=2C so goes <a href=3D"https://www.schneier.com/aca= demic/archives/2021/04/the-coming-ai-hackers.html">any other</a> complex s= ystem of rules and strategies. These models could be tasked with finding l= oopholes in environmental rules=2C or food and safety rules -- anywhere th=
ere are complex regulatory systems and powerful people who want to evade t= hose rules.

The results will be much worse than insecure computers. Tax loopholes r= esult in less revenue collected by governments=2C and regulatory loopholes=
allow the powerful to skirt the rules=2C both of which have all sorts of=
social ramifications. And while software vendors can patch their systems=
in days=2C it generally takes years for a country to amend its tax code.=
And that process is political=2C with lobbyists pressuring legislators no=
t to patch. Just look at the <a href=3D"https://www.pgpf.org/article/what-= is-the-carried-interest-loophole-and-why-is-it-so-difficult-to-close/">car= ried interest</a> loophole=2C a US tax dodge that has been exploited for d= ecades. Various administrations have tried to close the vulnerability=2C b=
ut legislators just can=E2=80=99t seem to resist lobbyists long enough to=
patch it.

AI technologies are poised to remake much of society. Just as the indus= trial revolution gave humans the ability to consume calories outside of th=
eir bodies at scale=2C the AI revolution will give humans the ability to p= erform cognitive tasks outside of their bodies at scale. Our systems aren= =E2=80=99t designed for that; they=E2=80=99re designed for more human pace=
s of cognition. We=E2=80=99re seeing it right now in the deluge of softwar=
e vulnerabilities that these models are finding and exploiting. And we wil=
l soon see it in a deluge of vulnerabilities in all sorts of other systems=
of rules. Adapting to this new reality will be hard=2C but we don=E2=80=
=99t have any choice.

This essay originally appeared in <a href=3D"https://www.theguardia= n.com/commentisfree/2026/may/08/how-dangerous-is-anthropics-mythos-ai">The=
Guardian</a>.

** *** ***** ******* *********** *************<=

<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg23"><a name=3D"cg23"= >Upcoming Speaking Engagements</a></h2>

<a href=3D"https://www.schneier.com/blog/archives/2026/05/upcoming-spea= king-engagements-56.html">[2026.05.14]</a> This is a cur=
rent list of where and when I am scheduled to speak:

<li>I=E2=80=99m giving a virtual talk on =E2=80=9CThe Security of Trus=
t in the Age of AI=2C=E2=80=9D hosted by the <a href=3D"https://www.fwa.or= g/event-landing/2351">Financial Women=E2=80=99s Association of New York</a= >=2C at 6:00 PM ET on May 21=2C 2026.</li>

<li>I=E2=80=99m speaking at the <a href=3D"https://potsdamer-sicherhei= tskonferenz.de/">Potsdam Conference on National Cybersecurity</a> at the H= asso Plattner Institut in Potsdam=2C Germany. The event runs June 24-25=2C=
2026=2C and my talk will be the evening of June 24.</li>

<li>I=E2=80=99m speaking at the <a href=3D"https://dighum.wien/">Digit=
al Humanism Conference</a> in Vienna=2C Austria=2C on Tuesday=2C June 26=
=2C 2026.</li>

<li>I=E2=80=99m speaking at the <a href=3D"https://nuernberg.digital/d= e/">Nuremberg Digital Festival</a> in Nuremburg=2C Germany=2C on Wednesday=
=2C July 1=2C 2026.</li>
</ul>

The list is maintained on <a href=3D"https://www.schneier.com/events/">= this page</a>.

** *** ***** ******* *********** *************<=

Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing=
summaries=2C analyses=2C insights=2C and commentaries on security technol= ogy. To subscribe=2C or to read back issues=2C see <a href=3D"https://www.= schneier.com/crypto-gram/">Crypto-Gram's web page</a>.

You can also read these articles on my blog=2C <a href=3D"https://www.s= chneier.com">Schneier on Security</a>.

Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to co= lleagues and friends who will find it valuable. Permission is also granted=
to reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.

Bruce Schneier is an internationally=
renowned security technologist=2C called a security guru by the <cite sty= le=3D"font-style:normal">Economist</cite>. He is the author of over one do=
zen books -- including his latest=2C <a href=3D"https://www.schneier.com/b= ooks/rewiring-democracy/"><cite style=3D"font-style:normal">Rewiring Democ= racy</cite></a> -- as well as hundreds of articles=2C essays=2C and academ=
ic papers. His newsletter and blog are read by over 250=2C000 people. Schn= eier is a fellow at the Berkman Klein Center for Internet & Society at Har= vard University; a Lecturer in Public Policy at the Harvard Kennedy School=
; a board member of the Electronic Frontier Foundation=2C AccessNow=2C and=
the Tor Project; and an Advisory Board Member of the Electronic Privacy I= nformation Center and VerifiedVoting.org. He is the Chief of Security Arch= itecture at Inrupt=2C Inc.

Copyright © 2026 by Bruce Schneier.

** *** ***** ******* *********** *************<=

Mailing list hosting graciously provided by <a href=3D"https://mailchim= p.com/">MailChimp</a>. Sent without web bugs or link tracking.
This email was sent to: cryptogram@toolazy.synchro.net
 You are receiving this email because you subscribed to the Crypto-= Gram newsletter.

<a style=3D"display:inline-block" href=3D"https://schneier.us18.list-ma= nage.com/unsubscribe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e= =3D70f249ec14&c=3D907cf6f10a">unsubscribe from this list</a>  &nbs= p; <a style=3D"display:inline-block" href=3D"https://schneier.us18.li= st-manage.com/profile?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3D907cf6f10a">update subscription preferences</a>
 Bruce Schneier · Harvard Kennedy School · 1 Brattle Squa=
re · Cambridge=2C MA 02138 · USA

</body></html>
--_----------=_MCPart_768936522--

Who's Online
Recent Visitors
- Geek2
  Sat May 23 08:24:00 2026
  from Euclid, Oh via Telnet
- Geek2
  Fri May 22 11:24:57 2026
  from Euclid, Oh via Telnet
- Geek2
  Fri May 22 07:05:03 2026
  from Euclid, Oh via Telnet
- Awehttam
  Fri May 22 00:59:23 2026
  from Vancouver Canada via Telnet

System Info

Sysop:	Amessyroom
Location:	Fayetteville, NC
Users:	66
Nodes:	6 (0 / 6)
Uptime:	43:24:21
Calls:	871
Files:	1,313
D/L today:	2 files (343K bytes)
Messages:	263,570

CRYPTO-GRAM, May 15, 2026

Who's Online

Recent Visitors

System Info