Simon Willison’s Weblog


28 items tagged “bruce-schneier”


But unlike the phone system, we can’t separate an LLM’s data from its commands. One of the enormously powerful features of an LLM is that the data affects the code. We want the system to modify its operation when it gets new training data. We want it to change the way it works based on the commands we give it. The fact that LLMs self-modify based on their input data is a feature, not a bug. And it’s the very thing that enables prompt injection.

Bruce Schneier

# 15th May 2024, 1:34 pm / prompt-injection, security, generative-ai, bruce-schneier, ai, llms


AI and Trust. Barnstormer of an essay by Bruce Schneier about AI and trust. It’s worth spending some time with this—it’s hard to extract the highlights since there are so many of them.

A key idea is that we are predisposed to trust AI chat interfaces because they imitate humans, which means we are highly susceptible to profit-seeking biases baked into them.

Bruce suggests that what’s needed is public models, backed by government funds: “A public model is a model built by the public for the public. It requires political accountability, not just market accountability.”

# 5th December 2023, 9:43 pm / bruce-schneier, llms, ai, generative-ai, trust


Private blockchains are completely uninteresting. (By this, I mean systems that use the blockchain data structure but don't have the above three elements.) In general, they have some external limitation on who can interact with the blockchain and its features. These are not anything new; they're distributed append-only data structures with a list of individuals authorized to add to it. Consensus protocols have been studied in distributed systems for more than 60 years. Append-only data structures have been similarly well covered. They're blockchains in name only, and -- as far as I can tell -- the only reason to operate one is to ride on the blockchain hype.

Bruce Schneier

# 12th February 2019, 7:14 pm / blockchain, bruce-schneier


Schneier on Stuxnet. Stuxnet now rivals Wikileaks as the real-life plot most likely to have leaked from science fiction.

# 9th October 2010, 10:57 am / bruce-schneier, security, stuxnet, recovered


Intercepting Predator Video. Bruce Schneier’s take on the unencrypted Predator UAV story. A fascinating discussion of key management and the non-technical side of cryptography.

# 24th December 2009, 9:26 pm / bruce-schneier, security, cryptography, nsa, drones, military

Whenever you build a security system that relies on detection and identification, you invite the bad guys to subvert the system so it detects and identifies someone else. [...] Build a detection system, and the bad guys try to frame someone else. Build a detection system to detect framing, and the bad guys try to frame someone else framing someone else. Build a detection system to detect framing of framing, and well, there's no end, really.

Bruce Schneier

# 17th October 2009, 4:55 pm / bruce-schneier, security, framing

On the Anonymity of Home/Work Location Pairs. Most people can be uniquely identified by the rough location of their home combined with the rough location of their work. US Census data shows that 5% of people can be uniquely identified by this combination even at just census tract level (1,500 people).

# 24th May 2009, 1:14 pm / bruce-schneier, privacy, location, census

Raising Octopus from Eggs (via) I love that forums like this exist.

# 17th January 2009, 2:59 pm / octopus, forums, bruce-schneier


"Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure - or more polite.

Bruce Schneier

# 1st July 2008, 2:51 pm / marketing, security, bruce-schneier

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and - possibly - sky marshals. Everything else - all the security measures that affect privacy - is just security theater and a waste of effort.

Bruce Schneier

# 29th January 2008, 12:14 pm / bruce-schneier, privacy, security, securitytheatre


I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

Bruce Schneier

# 16th November 2007, 10:25 am / nsa, cryptography, security, dualecdrbg, randomnumbers, bruce-schneier

A school in the UK is using RFID chips in school uniforms to track attendance. So now it's easy to cut class; just ask someone to carry your shirt around the building while you're elsewhere.

Bruce Schneier

# 24th October 2007, 8:36 pm / security, uk, rfid, schools, bruce-schneier

Global Hackers Create a New Online Crime Economy (via) Fascinating, detailed look at the evolution of the hacker service economy. Of particular interest: a web application that sells access to hacked machines to identity thieves on a timeshare basis.

# 17th October 2007, 9:46 pm / identitytheft, hackers, security, bruce-schneier

The Storm Worm. Bruce Schneier describes the Storm Worm, a fantastically advanced piece of malware that’s been spreading for nearly a year and is proving almost impossible to combat. Its effects are virtually invisible but infected machines are added to a multi-million machine botnet apparently controlled by anonymous Russian hackers.

# 6th October 2007, 12:25 am / malware, bruce-schneier, botnets, hackers, security, storm, worm

Bruce Schneier interviews Kip Hawley. The head of the Transportation Security Administration in conversation with one of his most eloquent critics.

# 7th August 2007, 3:23 pm / bruce-schneier, interview, kip-hawley, security, tsa

The Psychology of Security. I haven’t even started on this yet, but I bet it’s worth reading.

# 9th February 2007, 1:27 am / bruce-schneier, security, psychology

Choosing Secure Passwords. Bruce Schneier describes the state of the art in password cracking software.

# 11th January 2007, 2:55 pm / passwords, security, bruce-schneier


Real-World Passwords. Random passwords phished from MySpace are surprisingly decent.

# 14th December 2006, 2:14 pm / bruce-schneier, passwords, myspace, security, phishing

Bruce Schneier Facts. “SSL is invulnerable to man-in-the-middle attacks. Unless that man is Bruce Schneier.”

# 17th August 2006, 2:19 pm / bruce-schneier, security, funny

Schneier on Security: New Airline Security Rules. “I’m sure glad I’m not flying anywhere this week” says Bruce. Now I wish I wasn’t!

# 10th August 2006, 4:26 pm / bruce-schneier, security, airlines


Schneier on Security: Cryptanalysis of SHA-1. If you want to understand the “breaking” of SHA-1, this is the place to go. Surprisingly accessible.

# 19th February 2005, 3:12 pm / security, cryptanalysis, sha, hashing, bruce-schneier


Bruce vs. Bruce (via) Schneier and Sterling discuss security and technology.

# 15th June 2004, 10:04 pm / bruce-schneier, brucesterling, security

Bruce Schneier: We are all security customers. How can the US get the best return on investment for homeland security?

# 4th May 2004, 6:34 pm / bruce-schneier, security


Blaster and the great blackout (via) Bruce Schneier writes for

# 17th December 2003, 3:10 am / bruce-schneier, security, worm

High security is low security

Via Crypto-Gram, a great piece from Bruce Tognazzini about how tough security measures can actively reduce the security of a system:
