Schneier on Security

Clive Robinson • May 9, 2026 12:36 PM

@ ALL,

The AI Death Roll Bite on Corps

As some will know the likes of crocodiles take time with turning “Live prey” into “Dead meat” to go in their “meat locker”. It’s considered one of the less pleasant ways to become the “lunch” of a dinosaur…

The industry is talking a lot about Broadcom and VMware and similar “lock in” before pricing goes orbital.

Well less obvious MSM and Trade press wise is that AI is now “putting the bite on” the only real question is,

“Who pays the price of the Death Roll?”

1, The investors
2, The AI Corps
3, The AI users and,
4, The tail end customers

Such as you or I, who get it foisted upon us by the likes of Google and Microsoft.

There is hundreds of billions if not tens of trillions of “ROI” to be paid if the AI market place is not to collapse.

So something I missed the otherday that others should think about as well,

Locked, stocked, and losing budget: AI vendor lock-in bites back

Execs in the C-suite thought they could swap models in a week. They were hallucinating

…

“
AI + ML

Locked, stocked, and losing budget: AI vendor lock-in bites back
Execs in the C-suite thought they could swap models in a week. They were hallucinating

Steven J. Vaughan-Nichols
52
Tue 28 Apr 2026 // 09:15 UTC
OPINION The days when you could jump from one frontier AI model to another at the drop of a hat are going away as vendor lock-in starts to kick in, and prices increase.

Once upon a time, say last month, people thought nothing of jumping from one AI frontier model to another. One week, the hottest AI model was Gemini 3.1 Pro, then it was Claude 4.6, now, maybe, it’s GPT-5.5. Next month? Who knows. That’s fine for Joe Amateur Programmer, but for Janet Pro Programmer, it’s another story.

money
Tokenmaxxing isn’t an AI strategy
Read more
You see, enterprise AI buyers face two converging problems. First, it’s proving much harder to switch between AI vendors than people expected. At the same time, AI vendors are pushing through price increases that are reshaping software economics. We always knew this would happen. AI prices have been loss leaders for years now, and the bills are finally coming due.

A recent survey by AI orchestration platform provider Zapier of 542 US executives with active AI vendor contracts, found that nearly 90 percent believed they could switch AI vendors within four weeks, and 41 percent said they could do it in just 2–5 business days. Now who’s hallucinating?

I’ve long thought that behind all the lip service company brass gives AI, most senior executives are completely clueless about what AI is and how to deploy it. This kind of delusional thinking is proof.“

https://www.theregister.com/software/2026/04/28/locked-stocked-and-losing-budget-ai-vendor-lock-in-bites/5229050

The final paragraph in the above quote should tell you most of what you need to know.

But in the more general sense the economics involved are very much against Current AI LLM and ML Systems being more “cost effective” at just about anything.

Thus the question of a “shake up” is overdue…

So you start to look around and find,

Breaking news: “they hadn’t figured out how OpenAI would pay for it”

…

“NEW: When OpenAI and Broadcom announced they would make 10 GW of custom AI chips together, they positioned it as a done deal.

What they didn’t say was that they hadn’t figured out how OpenAI would pay for it.

Months later, the firms are negotiating an agreement for Broadcom…“

https://garymarcus.substack.com/p/breaking-news-they-hadnt-figured

Opps… Back when the deal for OpenAI and Broadcom was first punted, nobody knew anything and it was “deemed as unlikely” and just more “pump the bubble up” hype.

Don’t be surprised if this disappears in the near future, or in some other way does not come to fruition.

Clive Robinson • May 9, 2026 10:36 PM

@ ALL,

Layoffs for AI does not create returns, it just creates vacancies and lost capabilities.

Is the findings / results of an investigation by Gartner Analysts into AI and staffing reductions…

It’s actually not an unexpected result based on Gartner’s earlier report showing that AI agents get office tasks wrong about 70 percent of the time… Thus going on to predict many of these AI projects will collapse by the end of 2027. Due to such factors as,

1, Rapidly rising AI related costs 2, Unclear or incorrect business value.
3, Senior management implementing inadequate risk controls.

(All of which we are now seeing).

In short what some would describe as “CEO driven” “Ineffective Leadership” and thus cause them to carry out appropriate steps…

You can see more at,

AI layoffs backfire as cutting staff doesn’t cut it, firms warned

Replacing meatbags with failure prone agents isn’t the gold mine some CEOs hoped for

“Bosses betting on AI to slash headcount and boost margins are discovering an uncomfortable truth: the strategy isn’t working.

New research from Gartner lays out the problem in stark terms. The analyst firm surveyed 350 global businesses – all with annual revenues above $1 billion, all piloting or deploying intelligent automation – and found that around 80 percent had cut staff as a result.

The returns? Elusive. Companies that reduced their workforces were just as likely to see negative outcomes or marginal gains as they were to generate any meaningful return on investment (ROI).

The conclusion? Layoffs don’t create returns, they just create vacancies.“

https://www.theregister.com/ai-and-ml/2026/05/06/ai-layoffs-backfire-as-cutting-staff-doesnt-cut-it-firms-warned/5230631

The article[1] goes on to say,

“The organizations actually seeing results are doing the opposite of cutting, they’re investing aggressively in new skills, new roles, and operating models built around humans guiding and scaling autonomous systems.

Which is actually not so surprising… as long history shows, with other “staff head count cuts for budget room space” measures, such as the “Business Process Reorganisation” fad last century, “it does not work even in the short term”.

Or as the article puts it,

The message to the slash-and-replace crowd is you’re not just being cruel, you’re being strategically wrong.”

I wonder how many C Corridor types will actually listen in time?

History suggests that many will not and those businesses in their control will at best not flourish, but fail, and fail badly if not terminally often in a short time period…

Something those “investing” should investigate and take on board.

But also consider as I’ve oft pointed out, ultimately a businesses employees are “customers” or create “custom” for the business via “economic churn”. In an environment of cutting workforces the economy almost always goes into a downward trend, if not spiral and a recession follows. The depth of which can be such it’s difficult to stop becoming a depression or similar.

The real trick for management is ensuring that their workforce remains relevant and adequately and effectively matches the actual work required for sustainability and growth, not some hype or fad being pushed by VC companies and the like.

[1] Things have not been stable over at The Register over the past couple of weeks. To “the Eagle Eyed” it was clear something was happening… Apparently they have gone through a re-preen with a “site upgrade”…

https://www.theregister.com/site-news/2026/05/06/weve-only-gone-and-done-it-changed-what-youre-used-to/5230826

One result of this is some articles have in effect “popped up” or become more prominent that were previously effectively out of sight.

Clive Robinson • May 10, 2026 6:45 AM

@ Weather,

Caltrops are often used as “area denial weapons” and have been used by the Persians against camels and all manner of creatures from dogs to elephants being used to pull “engines of war”. And similarly against human troops that for much of history wore traditional footwear.

They are still being used by Ukrainians[1] dropping them from drones across roadways so causing Russian vehicles to become immobilised or slowed down so easier targets for “loitering munitions”

A not new idea, as there have been 500lb bomb equivalents loaded with caltrops and a small explosive dispersion device triggered by a fuze that can be set for height above ground.

Some modern versions are made from two metal tubes with ends cut at 45degrees to for points at either end, that also have a 120 degree bend and a hole at the mid point. When spot welded together the resulting caltrop works against all inflated tires especially those regarded as “self sealing”.

If you look at photos of WWII beaches caltrops of various forms were set to stop landing craft and tanks.

Simple caltrops have been made from wood and other natural materials and used in unlawful hunting on Royal and similar lands by “woodsmen” during quite a bit of feudal history. Used against both large game and those mounted on horses or wearing soft footware who tried to capture the woodsmen.

The result is that in some places just possessing a caltrop was a crime punishable by death or worse…

So caltrops are an old weapon that gets re-invented for use with each new type of warfare involving “boots on the ground” forces and “area denial”.

[1] US article on Ukranian use of caltrops and their legality in war,

https://lieber.westpoint.edu/caltrop-ancient-weapon-modern-warfare/

Clive Robinson • May 11, 2026 4:03 AM

@ ALL,

AI makes your bulb dim?

As we should all know by now AI is at best an Environmental Disaster in the making for little or no return.

But others are considering if AI use turns the lights down / out in a more personal way.

We should be aware of how many singles are apparently using AI as an alternative to social interaction.

But some researchers think that it is not just social but cognitive decline / dimming that is also happening…

So they ran some experiments and, found evidence to suggest there may be cause for concern,

AI Assistance Reduces Persistence and Hurts Independent Performance

“People often optimize for long-term goals in collaboration: A mentor or companion doesn’t just answer questions, but also scaffolds learning, tracks progress, and prioritizes the other person’s growth over immediate results. In contrast, current AI systems are fundamentally short-sighted collaborators – optimized for providing instant and complete responses, without ever saying no (unless for safety reasons). What are the consequences of this dynamic? Here, through a series of randomized controlled trials on human-AI interactions (N = 1,222), we provide causal evidence for two key consequences of AI assistance: reduced persistence and impairment of unassisted performance. Across a variety of tasks, including mathematical reasoning and reading comprehension, we find that although AI assistance improves performance in the short-term, people perform significantly worse without AI and are more likely to give up. Notably, these effects emerge after only brief interactions with AI (approximately 10 minutes). These findings are particularly concerning because persistence is foundational to skill acquisition and is one of the strongest predictors of long-term learning. We posit that persistence is reduced because AI conditions people to expect immediate answers, thereby denying them the experience of working through challenges on their own. These results suggest the need for AI model development to prioritize scaffolding long-term competence alongside immediate task completion.“

https://arxiv.org/abs/2604.04721

https://ai-project-website.github.io/AI-assistance-reduces-persistence/

The question thus arises much as it did over the use of electronic calculators in schools back last century is,

“Does it dim us or just alter us?”

If it’s “dim us” then the age of AI supremacy etc may be closer than some think 😉

Clive Robinson • May 11, 2026 6:04 AM

Split into parts due to auto-mod

Part 2,

However over in Taiwan apparantly a University student took down their bullet train network using a “SDR filter” (which looks like a “lost in translation” issue or with inept journalist/editors just making it up).

However one more technically competent journalist has written an opinion piece,

Taiwan’s train cyber-trauma reveals a global system that’s coming off the tracks

That’s not a radio. THIS is a radio

“There are three little words to make the heart beat faster in anyone who knows what they mean: critical infrastructure resilience. If you run that infrastructure or a country dependent on it, you need energy, communication and transport to be impregnable to cyber attacks.

This is doubly so if that country is five minutes by incoming missile from an implacable hyper-competent enemy sworn to invade you. One that is building and equipping its military as fast as it can with this one thing in mind. One with the most invasive and brazen state hacking machinery on the planet.“

https://www.theregister.com/security/2026/05/11/taiwans-train-cyber-trauma-reveals-a-global-system-thats-coming-off-the-tracks/5237248

Clive Robinson • May 11, 2026 6:11 AM

Split into parts due to auto-mod

Part 4,

However what many do not realise is that France has quite a grip on the electro technical committees that design EU radio standards.

‘https://www.etsi.org/technical-groups/tcce/

It’s been mentioned on this blog before how the French backdoor ETSI and other standards.

What has happened in Taiwan can be put down to that French behaviour, what has happened in the UK we’ve yet to find sufficient technical details to say.

But we know that other EU railway networks such as Poland have been brought down due to foreign nation medaling even if a lot less sophisticated,

‘https://www.wired.com/story/poland-train-radio-stop-attack/

Thus baring in mind the “known opponent” of that attack and their current desperation, we really should take measures to improve the security of infrastructure.

Clive Robinson • May 12, 2026 6:37 AM

@ ALL,

The Myth of Mythos Hype…

As most should know Anthropic raised the “scary scary” about Mythos and in effect invoked the Austin Powers “Too Dangerous to Live” joke based on something very very old.

It turns out that the reports coming back through “glasswing” etc are not as Stella as might be hoped, especially in more stable code bases.

Anthropic’s bug-hunting Mythos was greatest marketing stunt ever, says cURL creator

After all that hype, AI scanner found one low-severity cURL flaw

“cURL developer Daniel Stenberg has seen Anthropic’s Mythos, a model the AI biz has suggested is too capable at finding security holes to release publicly, scan his popular open source project. But after the system turned up just a single vulnerability, he concluded the hype around Mythos was “primarily marketing” rather than a major AI security breakthrough.

Stenberg explained in a Monday blog post that he was promised access to Anthropic’s Mythos model – sort of – through the AI biz’s Project Glasswing program. Part of Glasswing involves giving high-profile open source projects access via the Linux Foundation, but while Stenberg signed up to try Mythos, he said he never actually received direct access to the model. Instead, someone else with access ran Mythos against curl’s codebase and later sent him a report.“

https://www.theregister.com/security/2026/05/11/anthropics-bug-hunting-mythos-was-greatest-marketing-stunt-ever-says-curl-creator/5238111

With the point being made that Mythos is not finding anything new just finding the old maybe faster (and as we know at great cost to the environment etc).

Read the whole piece but note things like,

“I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.”

Note that is including early LLM systems, that came with vast amounts of AI-Slop that caused the project to close it’s bug bounty programme to AI.

But he goes on to make the same note I have, that really really should be obvious to every one but somehow is not,

“AI tools find the usual and established kind of errors we already know about. It just finds new instances of them,” Stenberg said. “We have not seen any AI so far report a vulnerability that would somehow be of a novel kind or something totally new.”

Whilst Mythos is not a “nothing burger” there are questions that are not being asked…

If it gets integrated in a CI/CD pipeline where it would be most effective is right at the begining thus it will be run very frequently…

“What will be the actual cost?”

In terms of usage we should now know it will be immense as there is no other way there can be an ROI to the AI corps shareholders / investors…

With the secondary question of,

“What harm to the environment will such CI/CD use cause?”

And the answers in both cases will be sufficiently immense that it will cost more than using humans…

But without the bonus that humans can “reason forward” whilst Current AI LLM can only “pattern match from the past” of training data that went into the Current AI ML build.

As we know each new ML build of weights cost many millions, so won’t be done very often, which means as a CI/CD tool Current AI LLM and ML Systems are going to be quite a way behind the leading edge…

Which gives a significant window of opportunity to attackers not defenders.

Worse skilled defenders will be considerably less numerous as they won’t get the “basic training” that leads to bringing forth the “thinking hinky” of “reasoning” that Current AI LLM and ML Systems lack…

Clive Robinson • May 15, 2026 6:15 AM

@ Bruce, ALL,

Zero Knowledge Proofs are for many an archain part of mathmatics and in more recent times cryptography.

A “university student” Rahul Ilango came up with a new variation on this based in part on the 1930’s papers of Kurt Gödel and published a paper about a year ago,

‘https://eprint.iacr.org/2025/1296

And presented it last year at the IEEE 66th Annual Symposium on “Foundations of Computer Science” (FOCS)

https://ieee-focs.org/FOCS-2025-Papers/pdfs/FOCS2025-4pLZMZRP5BPG9n0GSua5T9/713200a585/713200a585.pdf

I must admit my aged brain is taking longer than I expected to work through it (but based on Kurt Gödel work… Is my excuse :-).

However for some reason it’s popped up in two popular places in the past few days,

https://www.quantamagazine.org/how-unknowable-math-can-help-hide-secrets-20260511/

‘https://www.scientificamerican.com/article/how-effectively-zero-knowledge-proofs-could-transform-cryptography/

So for some reason people are taking an interest in it –some of the claims about it suggest it might be cause enough– so questions might come up.

Clive Robinson • May 15, 2026 12:36 PM

@ ALL,

In the past I’ve described what to me is “basic OpSec” for “crossing borders”.

Basically take nothing with you and bring nothing back, that can cause you to be “surveilled upon or setup to be detained”.

One I’ve made repeatedly clear is about “burner phones”.

Well even though it’s known not only have I designed phones, I’ve also designed high end LPI type surveillance devices back last century, but over the years I’ve had it firstly suggested that I am “paranoid” and it’s become over three decades later more accepted.

Well how about this for “acceptance” of the situation,
https://techcrunch.com/2026/05/15/us-orders-travelers-on-air-force-one-to-throw-away-gifts-pins-and-burner-phones-after-china-trip/

Can we all now just “put this to bed” and accept that “being targeted at border crossings and abroad is now normal” and just act appropriately?