DarkSword Malware

DarkSword is a sophisticated piece of malware—probably government designed—that targets iOS.

Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.

DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered Coruna iOS exploit kit. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.

A week after it was identified, a version of it leaked onto the internet, where it is being used more broadly.

This news is a month old. Your devices are safe, assuming you patch regularly.

Posted on May 5, 2026 at 6:42 AM

Comments

Alan May 5, 2026 8:39 AM

Your devices are safe, assuming you patch regularly.

They were never safe and still aren’t. There are surely more exploits actively being used and yet to be developed.

Clive Robinson May 5, 2026 9:45 AM

@ Bruce,

“Your devices are safe, assuming you patch regularly.”

Err that is a “full on admission” that they are,

1, Not safe now.
2, For any given level of useful utility they never will be safe.

Which is a point I’ve been making for a while now.

@ Alan, ALL,

Which is why I suspect @Alan notes,

“They were never safe and still aren’t. There are surely more exploits actively being used and yet to be developed.”

As I’ve noted and indicated, there is actually proof that software beyond a certain point cannot be trusted, and will always be vulnerable in some way.

Worse, the more complex the software, the more likely it is to be not just vulnerable but untrustworthy.

Arguably this is why current “AI LLM and ML Systems” are failures in so many important ways.

For those that want some of the reasoning behind this, I gave it again just yesterday…,

https://www.schneier.com/blog/archives/2026/05/hacking-polymarket.html/#comment-454200

But aside from the nitty-gritty details of the proof, for quite some time now I’ve talked about “instances” of vulnerabilities falling in “classes” of vulnerability attributes; thus we have overall, in terms of “instances, classes”,

1, “Known, Knowns”
2, “Unknown, Knowns”
3, “Unknown, Unknowns”

Where the “Known, Knowns” can be found by “search and match” methods that LLMs can do, provided sufficient “class” information gets fed into the ML stage.

Some “Unknown Knowns” can be found by semi-stochastic methods that are in effect “fuzzing”. Whilst LLM systems can find a few of these, the number falls off quite rapidly down to a base probability. Humans can apply various forms of “reasoning”, and the new classes and instances thus reasoned out are known as “black swans”.

As for “unknown unknowns”, this needs “reasoning” about attributes that form new classes in which new instances will fall. These are beyond even “black swans” that can be reasoned out.

A classic description of this “beyond reasoning” is the “Duck-Billed Platypus” (Ornithorhynchus anatinus). Unlike a “black swan”, which can be reasonably reasoned out, the platypus is an animal of such mixed and unrelated attributes that you would not be capable of reasoning it out logically, and thus would assume it was a “fantastical creature” on hearing it described,

https://en.wikipedia.org/wiki/Platypus

The point is software is such these days that it is not “reasoned out” by logic, it is just “stitched together” from odd unrelated parts…

As such the joining seams will almost always not match or fit together securely, thus leaving problems, many of which have not been, nor can be, envisioned currently or in the future…
