AT2k Design BBS Message Area
From | To | Subject | Date/Time
Sean Rima | All | CRYPTO-GRAM, June 15, 2025 Part1 | June 15, 2025 12:02 PM *

Crypto-Gram
June 15, 2025

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

Communications Backdoor in Chinese Power Inverters
The NSA’s "Fifty Years of Mathematical Cryptanalysis (1937–1987)"
DoorDash Hack
More AIs Are Taking Polls and Surveys
The Voter Experience
Signal Blocks Windows Recall
Chinese-Owned VPNs
Location Tracking App for Foreigners in Moscow
Surveillance Via Smart Toothbrush
Why Take9 Won’t Improve Cybersecurity
Australia Requires Ransomware Victims to Declare Payments
New Linux Vulnerabilities
The Ramifications of Ukraine’s Drone Attack
Report on the Malicious Uses of AI
Hearing on the Federal Government and AI
New Way to Covertly Track Android Users
Airlines Secretly Selling Passenger Data to the Government
Paragon Spyware Used to Spy on European Journalists
Upcoming Speaking Engagements

** *** ***** ******* *********** *************

Communications Backdoor in Chinese Power Inverters

[2025.05.16] This is a weird story:

U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said.

[...]

Over the past nine months, undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, one of them said.
Reuters was unable to determine how many solar power inverters and batteries they have looked at. The rogue components provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, with potentially catastrophic consequences, the two people said.

The article is short on fact and long on innuendo. Both more details and credible named sources would help a lot here.

** *** ***** ******* *********** *************

The NSA’s "Fifty Years of Mathematical Cryptanalysis (1937 -- 1987)"

[2025.05.19] In response to a FOIA request, the NSA released “Fifty Years of Mathematical Cryptanalysis (1937-1987),” by Glenn F. Stahly, with a lot of redactions.

Weirdly, this is the second time the NSA has declassified the document. John Young got a copy in 2019. This one has a few less redactions. And nothing that was provided in 2019 was redacted here.

If you find anything interesting in the document, please tell us about it in the comments.

** *** ***** ******* *********** *************

DoorDash Hack

[2025.05.20] A DoorDash driver stole over $2.5 million over several months:

The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a fraudulent customer account in the DoorDash app. Then, using DoorDash employee credentials, he manually assigned the orders to driver accounts he and the others involved had created. Devagiri would then mark the undelivered orders as complete and prompt DoorDash’s system to pay the driver accounts. Then he’d switch those same orders back to “in process” and do it all over again. Doing this “took less than five minutes, and was repeated hundreds of times for many of the orders,” writes the US Attorney’s Office.

Interesting flaw in the software design. He probably would have gotten away with it if he’d kept the numbers small. It’s only when the amount missing is too big to ignore that the investigations start.

** *** ***** ******* *********** *************

More AIs Are Taking Polls and Surveys

[2025.05.21] I already knew about the declining response rate for polls and surveys. The percentage of AI bots that respond to surveys is also increasing.

Solutions are hard:

1. Make surveys less boring. We need to move past bland, grid-filled surveys and start designing experiences people actually want to complete. That means mobile-first layouts, shorter runtimes, and maybe even a dash of storytelling. TikTok or dating app style surveys wouldn’t be a bad idea or is that just me being too much Gen Z?

2. Bot detection. There’s a growing toolkit of ways to spot AI-generated responses -- using things like response entropy, writing style patterns or even metadata like keystroke timing. Platforms should start integrating these detection tools more widely. Ideally, you introduce an element that only humans can do, e.g., you have to pick up your price somewhere in-person. Btw, note that these bots can easily be designed to find ways around the most common detection tactics such as Captcha’s, timed responses and postcode and IP recognition. Believe me, way less code than you suspect is needed to do this.

3. Pay people more. If you’re only offering 50 cents for 10 minutes of mental effort, don’t be surprised when your respondent pool consists of AI agents and sleep-deprived gig workers. Smarter, dynamic incentives -- especially for underrepresented groups -- can make a big difference. Perhaps pay-differentiation (based on simple demand/supply) makes sense?

4. Rethink the whole model. Surveys aren’t the only way to understand people. We can also learn from digital traces, behavioral data, or administrative records. Think of it as moving from a single snapshot to a fuller, blended picture. Yes, it’s messier -- but it’s also more real.

** *** ***** ******* *********** *************

The Voter Experience

[2025.05.22] Technology and innovation have transformed every part of society, including our electoral experiences. Campaigns are spending and doing more than at any other time in history. Ever-growing war chests fuel billions of voter contacts every cycle. Campaigns now have better ways of scaling outreach methods and offer volunteers and donors more efficient ways to contribute time and money. Campaign staff have adapted to vast changes in media and social media landscapes, and use data analytics to forecast voter turnout and behavior.

Yet despite these unprecedented investments in mobilizing voters, overall trust in electoral health, democratic institutions, voter satisfaction, and electoral engagement has significantly declined. What might we be missing?

In software development, the concept of user experience (UX) is fundamental to the design of any product or service. It’s a way to think holistically about how a user interacts with technology. It ensures that products and services are built with the users’ actual needs, behaviors, and expectations in mind, as opposed to what developers think users want. UX enables informed decisions based on how the user will interact with the system, leading to improved design, more effective solutions, and increased

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)