Schneier on Security

Clive Robinson • April 10, 2026 9:45 PM

@ Bruce, ALL,

Don’t say you were not warned!

Another casualty of the “War on Stupidity” is the supply of Helium.

As I’ve mentioned before Helium is actually a “strategic reserve gas” and the US Government held a reserve but “as stupid does” in a neo-con Government they “sold it off”…

Now that particular chicken 5h1t action has “come home to roost” crowing loudly…

Helium Is Hard to Replace

The war in Iran, and the subsequent closure of the Strait of Hormuz, has unfortunately made us all familiar with details of the petroleum supply chain that we could formerly happily ignore. Every day we get some new story about some good or service that depends on Middle East petroleum and the production of which has been disrupted by the war. Fertilizer production, plastics, aluminum, the list goes on.

“What I find interesting about helium is that in many cases, it’s very hard to substitute for. Helium has a unique set of properties — in particular, it has a lower melting point and boiling point than any other element — and technologies and processes that rely on those properties can’t easily switch to some other material.“

https://www.construction-physics.com/p/helium-is-hard-to-replace

Note the last sentence quoted above about “a unique set of properties”.

The reality is in most cases helium simply can not be replaced with another gas such as hydrogen.

Virtually every “quantum device” used in medical imaging and physics research including “Quantum Computing” are very much dependent on it. As is the more high tech end of “Semiconductor production”. With any shortage in the supply producing price rises way way higher than capacity lost, thus even the price of PC’s and Motor Cars now disproportionately effected.

So loosing 1/3rd of World Production is having a significant disproportionate effect.

Whilst the article is “low key” on the effects to mankind it’s a very serious problem.

Clive Robinson • April 10, 2026 11:20 PM

@ Bruce, ALL,

If you “know not the tools” then hidden “client Side” will bite.

As I’ve repeatedly pointed out about “signal” and other “secure messaging apps” they are not secure if you do not correctly understand and secure “the whole system” they form a part of.

Yes my viewpoint was “unpopular” with “fanboi’s and even “supposed security gurus” indicating I was wrong / paranoid (yet again). But I’ve maintained my assertion that “Signal and other secure apps are a liability” for the average user and always will be when “used as the system designers” like Moxie Marlinspike etc intended on consumer and commercial devices.

The result of people “not listening and understanding” has been recently seen in Criminal Prosecutions,

FBI used iPhone notification data to retrieve deleted Signal messages

A new report from 404 Media reveals that the FBI was able to recover deleted Signal messages from an iPhone by extracting data stored in the device’s notification database.

“Notification history was accessed even after Signal was deleted

According to 404 Media, testimony in a recent trial involving “a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility in Alvarado, Texas,” showed that the FBI was able to recover content of incoming Signal messages from a defendant’s iPhone, even though Signal had been removed from the device“

https://9to5mac.com/2026/04/09/fbi-used-iphone-notification-data-to-retrieve-deleted-signal-messages/

(Yes the formatting of this article smacks of being AI generated, but so do many of their much older effectively Pre-LLM articles).

The important point to note the reality of what has happened is what “Client Side Scanning” that Apple and Microsoft are now forcing onto users at the OS Level will give the “Guard Labour” to put you away, they don’t need E2EE “back-doors” with such access.

But I’ve already repeatedly given warning about this and in some respects how to avoid it effecting you. But it requires “diligent OpSec” and few know how to do this or have the ability to maintain it.

The Government “Guard Labour” of Iran and China found ways to “identify CIA informants” due to the CIA not understanding technology sufficiently well to even establish even minimal “ICT OpSec” with the result many people were killed or in other ways harmed.

Does the average reader here think they know how to do things better than the CIA or FBI in all aspects of secure communications via consumer devices and services?

I suspect on sober reflection nobody who reads this is capable of setting up that type of OpSec or maintaining it in general use.

So heed the message about just how insecure consumer systems and “supposedly secure apps” really are and don’t become the next,

“Prime example of an idiot off to jail”

Or worse.

Clive Robinson • April 11, 2026 10:04 AM

@ ALL,

More on FCC “US Only” Router Nonsense.

As foljs should know the FCC issued a highly questionable generalised ban on routers not originating fully in the US.

1, Some put this as attempts at grift by the Executive.

2, Others put it as trying to “onshore” production again.

3, Those with a little memory suspect it is an attempt to disrupt standards processes in the rest of the world.

My own view is that in all the above,

“It takes a hot ember to emit smoke, thus be a danger to all…”

But I’m not the only one who thinks that trying to “on shore” router production is not really going to happen any time soon, because “expertise” has been lost.

See,

Electronics industry says FCC’s foreign-made router policy is a bit of a mesh

Trade group warns onshoring demands will leave Americans stuck with older gear

“The Global Electronics Association (GEA) warns that the US ban on foreign-made network routers is impractical because few are made domestically, leaving consumers with little choice and delaying access to next-gen products, just as Wi-Fi 7 adoption should be ramping up.

In a report, the body representing the international electronics industry argues that the policy is wrong-headed from the start, since vulnerabilities and security flaws are not limited to any particular geography, but appear across different brands and countries of origin worldwide.“

https://www.theregister.com/2026/04/10/gea_fcc_routers/

In short the FCC is making life worse for 100million US people, with no foreseeable upside now, in the medium term, or longterm future. And if the policy is stupidly left in place, then the US market will,

1, Remain crippled
2, And vulnerable
3, And stuck in the technology slow lane
4, At much greater cost

Thus leaving the US behind the rest of the world and at much greater cost Indefinitely…

Which will be the opposite of the supposed intent.

Clive Robinson • April 11, 2026 2:49 PM

@ ALL,

France rejects “Freedom Fries” and all that US bombastic nonsense.

The notion of “Digital Sovereignty” both in the EU and in Europe more generally has been on the rise for a while.

Even the UK Gov is looking to give “Microsoft worming powder” after it became clear UK Members of Parliament and Civil Government had no “out” from US Guard Labour “snooping” and that all Microsoft Executives would “bend over and touch their toes” to trump and co.

Which is why you find more and more articles such as,

https://www.xda-developers.com/frances-government-ditching-windows-for-linux/

Whilst I know how to give SOHO and above separation from “SaaS etc” from the big US corps the level of “convenience” does initially drop for a short while.

But it actually promises to be less than a Win10 to Win11 upgrade so you have to ask the $64,000 question,

“Why has M$ made it so easy for people to want to leave?”

@Clive Robinson • April 11, 2026 3:08 PM

I thought that they’re shutting down Windows.

Clive Robinson • April 12, 2026 10:01 AM

@ Winter, ALL,

With regards,

“Both strategies can only work by inconveniencing their current customers.

Enter Windows 11.”

The implication of that is that Microsoft believe the people who comprise “their current customers” believe that they actually,

“have no choice”

I’ll be honest and say as far as I can remember back for each MS-OS upgrade, this time around there are many many more times as many articles not just advising people not to upgrade to Win 11 but actively informing how to “migrate away” to GNU / Linux and BSD or other *nix systems safely and securely.

The only one of which I don’t recall seeing off the top of my head, is an article for Polish Security developer Joanna Rutkowska’s “Qubes OS”, that provides enhanced security by “segregation”.

Though finding the likes of,

https://linuxmind.dev/2025/09/02/how-to-install-the-operating-system-qubes-os/

Is not exactly hard…

And for those that can afford to run two “Energy Gapped” and “Segmented” systems, one that is for “OFF-Line Private work” and the other for “ON-Line Insecure External Communications” with suitably instrumented and mandated “Choke Point” “Gap Crossing” would be advised (especially with the second behind a “Garden Path” style security isolating mechanism from the Internet).

Clive Robinson • April 13, 2026 4:44 AM

@ Ismar, ALL

With regards “”

You firstly note,

“The Problem: Systems Can’t Define Their Own Truth”

This was proved back in the early 1930’s on earlier thinking by Kurt Gödel that I mention from time to time.

Because one implication of it is a Turing Engine computer can not “know” if it is “telling the truth” about it’s internal state or just saying what “malware” tells it to say. Thus Anti-Virus software that of the sort we commonly use that runs on the computer is effectively useless.

Secondly you go on to note,

‘From a systems architecture perspective, a system that validates its own output has no “External Oracle.”’

However any “External Oracle” suffers from the “observer problem” which I’ve mentioned for quite some years on this blog…

Behind it is a problem to do with the work of Claude Shannon in the 1930’s through to late 1940’s that gave birth to “information theory”. In that he proved that for information to be “communicated” in a Shannon Channel there must be “redundancy”.

In the 1980’s Gus Simmons proved that where there is “redundancy” you can create a Shannon Channel within a “Shannon Channel” and importantly the new Channel can via Shannon Perfect Secrecy be secure against any observer.

I’ve shown that by using further redundancy, not only is the new channel closed to an external “observer” hence the observer problem it can be fully “covert” thus oblivious unprovable to the observer provided the first and second communicating parties follow two basic OpSec steps,

1, Maintain “Perfect Secrecy” rules (ie those of OTP usage).

2, Ensure there is no “correlation” between messages and activities (that is not just “message security” but “traffic security”).

Very recently exactly the same argument has been used by others to provide positive proof that any “guide rails” on Current and Future AI LLM and ML Systems will always be vulnerable to “prompt attacks” “input data bias” and many other illicit/malicious attacks.

Therefore we never will be able to “trust” in the rather more strict than “human sense” AI systems…

So as Ivso often observe “this blog is well ahead of the field”

On average it’s around 8 years ahead.

If you want to read more on these “failings” have a look at what I called “probabilistic security” that arose from my research work on what lead up to the “Castle -v- Prison” model that I discussed in quite some depth on this blog with the likes of @Wael, @Nick P, @RobertT, and many others of the old “usual suspects”.

Though kind and attentive, they were a tough audience and “defending a PhD Thesis” would probably have been easier 😉

Clive Robinson • April 14, 2026 3:22 AM

@ ALL,

AI report is in it’s nolonger “Mostly Harmless” but yes it is Paranoid

Whilst it might have be fun to joke as Douglas Adams once did about AI with,

“The Encyclopedia Galactica defines a robot as a mechanical apparatus designed to do the work of a man. The marketing division of the Sirius Cybernetics Corporation defines a robot as “Your Plastic Pal Who’s Fun to Be With. The Hitchhiker’s Guide to the Galaxy defines the marketing division of the Sirius Cybernetic Corporation as “a bunch of mindless jerks who’ll be the first against the wall when the revolution comes”

It does encapsulate some of the fears and unexpected directions even Current AI LLM and ML systems are going.

And a report to the actual state of affairs is “hot off the laser printer”,

<

blockquote>The votes are in: AI will hurt elections and relationships

Latest report from Stanford’s AI boffins finds unsafe usage practices, widespread anxiety about impacts, and China catching up to the USA

“Artificial intelligence has achieved mass adoption faster than the personal computer or the internet, reaching 53 percent of the population in just three years. The number of harmful AI incidents has increased correspondingly. And both experts and laypeople believe the impact will be felt in two areas: Elections and relationships.

Documented AI incidents – defined as “harms or near harms realized in the real world by the deployment of artificial intelligence systems” by the AI Incident Database – reached 362 in 2025, up from 233 in 2024, the report says.”

<

blockquote>

https://www.theregister.com/2026/04/14/ai_report_2026_stanford_hai/

The obvious first question is,

“Is this unexpected?”

Especially as usage of AI is so high even though it’s not even making it as far as being as bright as a real “Stochastic Parrot” in the intelligence scales. With Current AI systems still showing distinct lack of “reasoning” and/or “real world” knowledge cognition. It is apparently further off than it ever has been as the size pile of “Soft Bullshit” / hallucinations is actually still on the rise…

Thus the second thought that arises is,

“Where is the failing, is it on the AI or human side of the divide?”

The answer should perhaps be visible by looking at the industry speakers to investors… People are still locking as to what Sam Altman and Co have done with the truth…

But read carefully and you will find the early signs of psychological sickness in users that is already leading to deaths…

It would be way to easy to write this off as in times past in the US on “the feeble minded” and “cult followers” and more recently “Doom Scrollers” of Social Media. But what ever you do don’t mention what is sacrilegious, that is it is actually the US social system that actively causes this to be the problem it is.

So the report “thick as it is” has “a long way to go”.

Clive Robinson • April 16, 2026 6:02 AM

@ maqp,

Glad to hear you are still mobile enough to “kick” those who need it 😉

As for me, I’m just out of hospital again… And I’ve acquired a respiratory infection whilst being in there, so can now cough up a good supply of bathroom tile adhesive ={

The annoying thing is it was all very unnecessary due to “politics”.

In the past I was given anti-biotics in advance as a pre-prescription, so I had them on hand. Such that at the first sign of trouble likely to lead to sepsis[1] I could get on top of it fast and stop it in it’s tracks, whilst the medicos caught up with what other wise is a rapidly spreading infection (atypical cellulitis leading to sepsis and worse).

But now such pre-prescribing is nolonger allowed in the UK so by the time I get to see a prescriber even through A&E I’m well into the danger zone… So get not just admitted for several days but very expensive anti-biotics. So hundreds of times the cost of a pre-prescription of out of patent meds that cost more for the packaging they come in than the meds themselves…

But it gets worse… As I started in A&E got put into isolation where another event happened, I actually ended up on a Cardiac ward and thus my “discharge notes” make no real sense at all…

So perhaps unsurprisingly I get a bit grumpy over the idiocy clearly on display…

Especially as now “due to the new meds” they can not get blood out of me for very important tests to adjust other meds to stop strokes, TIAs, CEs, PEs and other DVT type blood clotting events that could easily lead to something called DIC[2].

[1] Sepsis is a world wide mass killer and sadly many Drs still don’t take it as seriously as they should,

https://en.wikipedia.org/wiki/Sepsis

I’ve had it sufficient number of times to make me quite the “statistical outlier” and what some Drs call an “Expert Patient” which is actually quite a derogatory term when you think about it.

[2] Outside of “critical care” DIC “Disseminated intravascular coagulation” or as the dark humour the Medical profession call it “Death is Coming” is not really known to many and something you really don’t want.

It is to put it simply, blood clots and lack of platelets in the internal organs giving rise to systemic and unrecoverable organ failure,

https://bestpractice.bmj.com/topics/en-gb/184