Schneier on Security

Clive Robinson • April 25, 2026 12:24 PM

@ Untitled, Jan van Prooijen,

With regards getting at “temperature sensors”.

It’s all to easy to do these days… Just remember “heat” is the ultimate form of pollution. All “work” is by definition “inefficient” and the “inefficiency becomes heat” by “radiation transport” etc.

The hard part used to be distance / accuracy untill fairly recently.

Now high power lasers used for welding and 3D cutting have solved that problem…

You just shine them on the temperature sensor casing and it’s internal temperature follows fairly quickly…

With regards,

“… the difficult part would be limiting the temperature jump to something realistic!”

Actually not as hard as you think have a look at Laser/IR Thermometers and FLIR cameras you can now get as add ons for mobile phones and Single Board Computers like Raspberry Pi’s.

All you do is “pulse modulate” the drive to the high power laser and use the IR / FLIR temperature sensor in a feed-back loop that controls the On to Off period of the high power laser.

If you don’t want to risk high power lasers, you can make a HERF (High Energy Radio Frequency) Gun using the magnetron out of a microwave oven to likewise generate heat “as a waste product” at the temperature sensor.

Though personally I’d give any High Energy RF system a very wide birth as they can be quite dangerous for a whole heap of reasons.

Clive Robinson • April 25, 2026 10:58 PM

@ ALL,

A few days ago I mentioned that there had been civil disturbance in a Market town in Surrey UK, a little ways south of South West London.

It started because of an “alleged” attack that Surrey Police had “asked for witnesses” got pushed by social media algorithms, and the unfortunate problem that UK seniors in politics and policing have pushed certain agendas onto the Police that were at best inadvisable and had in effect been created by demand from earlier media reporting that had given rise to other significant social unrest.

The UK BBC has released an update which indicates the alleged attack on a young woman that was “under police investigation”, that the police had “asked the public for witnesses” for as a “standard procedure”, the Police have not so far found any evidence for the attack,

https://www.bbc.co.uk/news/articles/c9370jqxy18o

What the incident does clearly show however is that there is an issue with Social Media Algorithms that “go viral world wide” and a growing degree of civil unrest that can turn violent, being stirred up by the algorithms. With a “Damned if you do Damned if you don’t” dilemma arising for civil authorities, looking for witnesses etc that in the long term is most likely to result in the withholding of any disclosure that in turn will hamper the open / public justice process.

Clive Robinson • April 26, 2026 6:48 AM

@ ALL,

Part 2.

I left out the link on the absurdity of OpenAI and Oracle as sometimes URL’s wake up the auto-mod.

But this is worth a read,

https://garymarcus.substack.com/p/peak-absurdity-part-ii

And yes I would like to joke that the last part is,

“A load of old cobblers”

But “Allbirds” does currently make shoes / fashion trainers with low environmental impact and not AI systems to rent…

So why the switch…

Well Allbirds once worth $4billion got sold for a tiny fraction of that to a VC type organisation. On anouncnent of the “pivot to AI” the share price went up by ~400%…

Read,

https://www.engadget.com/ai/shoe-company-pivots-to-ai-compute-in-sign-of-a-totally-normal-and-healthy-economy-161449196.html

As it will tell you why Allbirds are pivoting, and thus why we can expect loads of other US corporates to make similar announcements in the near future.

I will just note that there is no real investment money to support such behaviours. But neither is their datacenter premises, or the power generation, water for cooling or chips to turn KW into Steam as a by product of current US AI LLM and ML systems.

The fact that China has the chips and the power and communications technology “ready to go” and now apparently more efficient AI systems…

I guess the US will try to “sell intangible paper” to try to meet AI commitments or more likely just go bankrupt trying and bring down the US economy and similar.

Clive Robinson • April 27, 2026 12:20 PM

@ ALL,

If the UK’s “The Register” is correct anthropics MythOS is a waste of time “hyped up nothing burger” without even the benefit of some bread…

https://www.theregister.com/2026/04/27/anthropics_magic_codesniffer_more_swiss/

https://www.theregister.com/2026/04/22/anthropic_mythos_hype_nothingburger/

The quote that tells you what I mentioned days ago on why it was not likely to be of any real use is,

“It is very good at finding classes of vulnerability that humans know about, while not finding ones that they don’t.“

Fully as I said would happen.

For this prediction I claim no real skill, just knowing sufficient about Current AI LLM and ML systems work as “adaptive filters”… And realising how that “pattern matching” LLM tech on top of not very good ML training data would “wash out”.

Can it be improved?

Simple answer boils down to training data and how it is collated for use.

But whilst it might start catching “new instances of vulnerability” don’t expect them to be very far from existing “classes of vulnerability”. And further don’t expect it in any way to “reason out” new classes or more distant vulnerabilities, the maths of probabilities tends to make this improbable.

Clive Robinson • April 29, 2026 4:23 AM

@ ResearcherZero,

Part 2.

The UK “Red Top Daily” scandal sheet you call “The Mirror” has always been “odd” look up Piers Morgan to see one reason. Oh and this might explain a lot,

https://www.independent.co.uk/news/media/mirror-editor-sacked-in-row-over-fake-photos-563510.html

It later came to light that the Mirror had not been “misled” in the slightest, they just grabbed and published… Something that a newspaper he had previously worked at and had implemented the same policy there “crashed and was burned” over. That was the Rupert “the bare faced liar” Murdoch organ “The News of the World”.

Oh and this gives another aspect of his very fragil ego/personality,

‘https://www.mirror.co.uk/3am/celebrity-news/photo-piers-morgans-wifes-triggered-36896785

Similar nonsense going back years is why I wrote the Mirror off as the most “canary yellow” of “Yellow sheet journalism” many years ago. And it’s probably the reason I just ignore it’s “bleatings” and “faux it bleeds” stories to grab at lets just call them “a certain type of reader”. Which is why this is so funny,

‘https://www.mirror.co.uk/news/weird-news/bikini-wearing-maga-influencer-hiding-37051775

But the red top’s journalist and AI woes goes back a surprisingly long way when you consider just how “current news” AI actually is in the general population.

As you can see “strike action” was on the agenda half a year ago so goes back a year or so before that at least,

https://www.nuj.org.uk/resource/journalists-at-the-mirror-vote-to-strike.html

Clive Robinson • April 30, 2026 9:50 AM

@ Winter,

With regards the “EU Age Check Tool”,

You can only prove a point on the line of something that has a sufficient range if it can be measured on both the line and in the tangible physical world…

That is if there is a way to,

1, Fundamentally prove an objects attribute,
2, Against a sufficiently quantifiable measure,
3, That can be applied with sufficient accuracy.

None of which can be reliably done by science with a human being growing through puberty.

Everything to do with “human age” is taken from a legal definition of the start of the “postpartum period”.

And that has so many definitions it kind of qualifies under,

“Make it up as you go along”

or the older

“You know it when you see it”.

But it can depending on how you think of it vary by several hours so has a reasonable chance of randomly being one side of a change of date, let alone any given hour or minute.

This “random time” gets written down as a piece of “information” and thus becomes the “official” not “biological” reference point of “age”.

But also consider “elapsed official age” makes little sense either when you can be born in one time zone and have it apply in a completely different time zone.

Yet not apply to your actual physical and mental development which arguably are down to genetics, environment and learning / life experience.

So this “age measure” is a falsity in so many ways it is in effect meaningless other than as a “bureaucratic nonsense” that is being used as a form of “identifier”

Or put another way, as far as official record keeping goes no person has a single value that makes a “Primary Key” to identify them by.

So one is constructed by various parts chained together to a point where it can be turned into a supposedly unique sequence / serial number that the person is supposed to remember for the rest of their life (fun thing, I can remember my Military “serial number” but my “social number” nope not a chance).

If you strip away the lies and fudging, this EU system still requires “traceable proof” back to “official documentation” by a system you as an individual can not verify.

So the question arises,

“Does it matter if the checking is done by,

1, Government entity,
2, Commercial entity,
3, Mixture of both.

Just once or multiple times?”

The answer is “they are all as bad as each other” as far as your “privacy” is concerned. But also as far as your “security” is concerned they all have very lousy records when it comes to “loosing confidential data” or worse “using it to make profit” by.

So you have to then ask,

“Why does “proof of age” to when the clock strikes midnight where you happen to be matter?”

Strip away the “dog whistle nonsense” of “think of the children” and it then becomes clear it’s a rather nasty way to “strip anonymity for “political authoritarian and persecution” reasons, which history of less than a hundred years ago tells us is a very very bad idea.

Now ask yourself a question,

“Aside from authoritarians and their guard labour, does anyone else actually care about your ‘official biological age'”

And the answer is effectively “NO” for nearly everything in a society that has not been “enforced by authoritarians” or worse.

So accepting all of that do I care about “official identifying age”?

The answer is no… What concerns me is actual “harms” and that is often at best only vaguely “calender based age related”. But is fairly tied to “developmental age” which has little or nothing to do with time since postpartum…

Thus the question that should be being asked by everyone is,

“How do we measure developmental age?”

And as of yet I’ve seen no acceptable answer…

So as far as “harms” are concerned it’s probably best to just<

“outright ban the activities that cause harms regardless of age”

After all outside of silicon Valley and the parasites attached –mostly in the US– who will be harmed by an outright ban on Social Media and the like?

After all it’s a modern tech disaster that society never needed throughout history and still does not need in the early stages of this century.

My vote would be,

“Ban the lot, to get rid of the direct cause of the harms that effect so many of all developmental ages.”

(If people disagree they should have a sound argument otherwise not bother).

Clive Robinson • April 30, 2026 5:12 PM

@ Winter,

With regards,

“Obviously, the easier route is to ban children from the internet.”

No, the easiest and safest thing is to,

“outright ban the activities that cause harms regardless of age”

That is to make the harmful capitalist activities entirely illegal regardless of any potential victims age.

Look at it this way if “Linkedin” and “Meta” were made illegal would anyone actually come to harm by their loss?

After all way less than an adult life time ago they did not exist, so they were causing no harm. But also it’s clear they are in no way a “societal necessity”.

Thus when you consider,

“The harm they cause -v- their entire lack of societal necessity”

they give an overwhelming capability for harm…

Clive Robinson • April 30, 2026 7:20 PM

@ ALL,

Not a good time for Linux Security.

As reported by @Bilbo Baggins as,

“9-Year-Old Linux Kernel Vulnerability “Copy Fail” Enables Full Root Access”

Over on,

https://www.schneier.com/blog/archives/2026/04/fast16-malware.html/#comment-454112

There is now another issue reported by The Register,

Bug of the year (so far): Nasty cPanel vulnerability probably exploited as a 0-day

Emergency patches out now for those managing the millions of domains assumed to be affected

“Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it.

…

For the uninitiated, cPanel and WHM are both Linux-based control panels. The former is used to manage websites, databases, file transfers, email configurations, and domains, while WHM is used for servers.

They are both backbones of the internet. Breaking into them would provide an attacker with unfettered access to all the secrets associated with these functions.

Or, as watchTowr put it: “Think of it as the keys to the kingdom, and then the keys to every individual apartment inside the kingdom. If the kingdom were the internet and the apartments were websites. For everything.”“

https://www.theregister.com/2026/04/30/cpanel_whn_cves/

But read a little further and you get a cold water down the spine moment,

“Perhaps the worst part is that early signals from defenders, such as KnownHost CEO Daniel Pearson, suggest it may have been exploited as a zero-day for at least 30 days.

Or maybe worse still is the nature of the vulnerability itself – that attackers can gain root access while bypassing all kinds of authentication – a feat worthy of the near-maximum CVSS.”

Hmm so all of this is just not the sort of thing Linux needs right now as people are thinking of migrating away from “MicroSlop AI up the whoosy and beyond”…

In a way it’s like the saying from the James Bond book Goldfinger,

“Mr. Bond, they have a saying in Chicago: ‘Once is happenstance, twice is coincidence, the third time it’s enemy action.'”

What is the betting on “enemy action”?

Clive Robinson • May 1, 2026 8:09 AM

@ ResearcherZero,

There is a “reason” behind everything…

That is science at the human and above scale accepts that a “cause” creates an “effect”.

The same is accepted by those studying human interaction and mentality every “reaction” is to a “causal factor”.

The thing is it’s not fundamental to the laws of nature, it’s actually statistical, just as Brownian Motion is. It describes not individual particles paths and energies, but the average of trillions of particles. The result “clocks run down”, “water runs down hill” and so on, the over all energy state decreases with time and activity.

But for an “average” to be where it is there must be as just as much up at any point in time as there is down at the sub macro level.

Which means that for some the instant outcome is they “go up” whilst others “go down”. For some probability or random chance gives them a run of ups, whilst others on mass get downs.

These for which probability has fallen in their favour thing they must be gifted or clever.

In general they are like all gamblers on a “lucky streak” heading for a fall that as a minimum normalises them down to the average.

However as with gamblers the “cognative bias” has set in, and they think they must be different in some way and this almost always makes them “self entitled” with a very “short term” outlook.

As a group they develop “mantras” that defy logic and the lessons nature teaches, that are based on basic simple maths.

You hear me mention what some call “the 2/3rds rule” (it’s actually not 2/3rds but close enough). Basically nature has found that it is unwise to make anything more than 2/3rds efficient. That is the ups and the downs follow an exponential pattern not a linear one and in a random environment that gives you the best survival pattern.

Most of the time it looks “inefficient” but in extremis it “carries you through” for all but the most extream cases.

The neo-cons are some of the most short term and self entitled of those with such cognative bias… Thus they feel that supply chains can be made 100% efficient or better based on very imperfect recall.

They also believe trends will continue thus “borrow till you die” type thinking that funds things like the housing crisis and every other crisis. Donald Trump cares not if his mad plans make money, only that he can leverage banks or others to give him more money on demand to stop the inevitable bankruptcy after bankruptcy having the “natural selection” effect it should (and does on most others).

Other neo-cons thus have the “don’t leave money on the table/floor” mentalities.

Put simply they borrow immense amounts that can not be repaid to aquire a business with assets on which other loans can be raised…

They then take the loans to by other businesses with assets to perpetuate the debt, but importantly keep the debt on others ie “in the business” whilst the loans go out of the business into their own pockets via “investments” or similar…

There are many other similar scams, and the reason they are not “crimes” is that some of that “investment” is via “lobbyists” who’s sole purpouse is to “launder money into legislators pockets” to buy the legislation that is not what society needs but they do to distort the probabilities…

But it’s not just legislators that have to be “bought off” it’s “economists” and “business students”. Otherwise there would not be sufficient “players” to make it look like a business not a racket.

But hey… It’s “Capitalism” as taught to all US Children as “The American way”. Which is why I’ve in the past said “The American Dream” is all about “criminal activity” (it’s the only way the maths works for a “self entitled” few).