Crypto-Gram is a free monthly email newsletter that Schneier has published since 1998, making it one of the longest-running cybersecurity publications in existence. It predates the schneier-on-security-blog by six years and was the primary medium through which Schneier established his voice as a security commentator in the late 1990s and early 2000s. The newsletter continues monthly as of 2026, though the blog now carries more of the day-to-day commentary.
Origins and Context
Crypto-Gram launched in 1998, during the period between applied-cryptography's success and the writing of secrets-and-lies. At this time, Schneier was running counterpane-internet-security and moving beyond his identity as a cryptography reference author toward the broader security analysis that would characterize his subsequent career. The newsletter provided a venue for that broader commentary at a moment when blogs did not yet exist and email lists were the primary mechanism for distributing regular online writing.
The name Crypto-Gram reflected the newsletter's origins: it began as a vehicle for cryptography commentary specifically. As Schneier's focus broadened from cryptography to security generally, the newsletter broadened with it — but the name stayed, a legacy of the cryptography-era origins.
Format and Content
Crypto-Gram is published on the fifteenth of each month as a long-form email. A typical issue runs several thousand words and covers four to eight topics: security news summaries with Schneier commentary, original essays on security concepts or current issues, reader responses, and pointers to notable security research and writing. The longer length and monthly cadence give Crypto-Gram a different character from the blog — it is more considered, more editorial, and more willing to take sustained positions.
Many of the essays that eventually appeared in schneier-on-security-book and carry-on appeared first in Crypto-Gram. The newsletter is the archival record of Schneier's commentary from 1998 to the present, with all issues available on the schneier.com website, making it an unusually complete longitudinal document of twenty-plus years of security analysis.
The Newsletter and secrets-and-lies
The period of Crypto-Gram's early issues — 1998 to 2000 — corresponds to the gestation of secrets-and-lies. The newsletter can be read as Schneier working out in public the ideas that would crystallize in that book: the inadequacy of purely cryptographic security, the importance of human factors, the distinction between secure systems and secure components. The newsletter's early archives are a draft-in-public of the security-thinking-pivot.
Legacy
Crypto-Gram's longevity makes it unusual in technology publishing. Most newsletters and email lists from 1998 have long since disappeared. Crypto-Gram's persistence reflects both Schneier's discipline as a publisher and the enduring audience for rigorous, independent security commentary not attached to vendor marketing. The newsletter is distributed directly by email — no intermediary platform — which means its subscriber relationship is a direct one, not mediated by Google or Facebook or any other platform that could change terms, algorithms, or access.
This independence from platform intermediaries is itself a form of security against what Schneier would later describe in a-hackers-mind as the systemic risks of platform dependency.