Security Cryptography Whatever

The Python cryptography module, pyca/cryptography, has mostly been a sane wrapper around a pile of C, so that users get performant cryptography on the many, many platforms Python targets. Therefore its maintainers, Alex Gaynor and Paul Kehrer, have become intimately familiar with OpenSSL. Recently, they declared that after many years of trying to make it work, they announced pyca/cryptography would be moving away from OpenSSL when supporting new functionality and exploring adding other backends instead. We invited them on to tell us about what has happened to OpenSSL, even after the investments and improvements following Heartbleed. No guests on this pod represent anyone besides themselves. Watch on YouTube: https://www.youtube.com/watch?v=dEKBHI3rodY Transcript: https://securitycryptographywhatever.com/2026/02/01/python-cryptography-breaks-up-with-openssl Links: - https://cryptography.io/en/latest/statements/state-of-openssl/ - Py Cryptography: https://cryptography.io - https://archive.openssl-conference.org/2025/presentations/Alex_Gaynor_Paul_Kehrer_The_Python_Cryptographic_Authoritys_OpenSSL_Experience.pdf - https://securitycryptographywhatever.com/2025/08/16/alex-gaynor/ - https://packages.gentoo.org/packages/media-libs/libsdl - https://www.youtube.com/watch?v=RUIguklWwx0 - https://datatracker.ietf.org/doc/rfc9180/ - https://docs.openssl.org/3.3/man3/OSSL_PARAM/ - https://openssl.foundation/ - https://github.com/openssl/openssl/issues/17064 - https://www.feistyduck.com/newsletter/issue_132_openssl_performance_still_under_scrutiny - https://github.com/topazproject/topaz - https://github.com/actions/runner/issues/1069 - https://crystalhotsauce.com/ - https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467 - https://en.wikipedia.org/wiki/Ship_of_Theseus - https://boringssl.googlesource.com/boringssl/+/aa202db1d7091b88b80f0a58c630c5c1aefc817d - https://www.ibm.com/products/open-sdk-for-rust-aix - https://dadrian.io/blog/posts/corporate-support-xz/ - https://peps.python.org/ - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed448/ - https://go.dev/blog/fips140 - https://dadrian.io/blog/posts/roll-your-own-crypto/ "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

The International Association of Cryptologic Research held their regular election using secure voting software called Helios…and lost the keys to decrypt the results, leaving them with no choice but to throw out the vote and call a new election. Hilarity ensues. We welcome special guest Matt Bernhard who actually works on secure voting systems to explain which bits are homomorphically additive or not. Watch on YouTube: https://www.youtube.com/watch?v=euw_yqAQFI8 Transcript: https://securitycryptographywhatever.com/2025/12/30/iacr-helios Links: - NYT: https://www.nytimes.com/2025/11/21/world/cryptography-group-lost-election-results.html - IACR Memo: https://www.iacr.org/news/item/27138 - https://www.iacr.org/elections/ - https://vote.heliosvoting.org/faq - https://github.com/Election-Tech-Initiative/electionguard - https://www.usenix.org/legacy/events/sec08/tech/full_papers/adida/adida.pdf - https://www.iacr.org/elections/eVoting/about-helios.html - https://www.iacr.org/elections/eVoting/ - https://crypto.ethz.ch/publications/files/CrGeSc97b.pdf - https://electionguard.vote/ - https://eprint.iacr.org/2025/1901 - https://freeandfair.us/blog/open-free-election-technology/ - https://www.starvoting.org/ - https://mbernhard.com/ "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Apple announced its new suite of memory security improvements from the top of the stack all the way to the bottom, so we dug through what they did and how they did it (performantly). Watch on YouTube: https://www.youtube.com/watch?v=9FJwOI2PliU Transcript: https://securitycryptographywhatever.com/2025/10/31/apple-mie Links: - https://security.apple.com/blog/memory-integrity-enforcement/ - Secure Page Table Monitor and Trusted Execution Monitor: https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/1/web/1#secd022396fb - https://security.apple.com/blog/towards-the-next-generation-of-xnu-memory-safety/ - https://developer.apple.com/documentation/xcode/adopting-type-aware-memory-allocation - https://security.apple.com/blog/what-if-we-had-sockpuppet-in-ios16/ - https://arxiv.org/pdf/2510.09272 - https://googleprojectzero.blogspot.com/2023/11/first-handset-with-mte-on-market.html - https://developer.apple.com/documentation/xcode/adopting-type-aware-memory-allocation - https://arxiv.org/pdf/2510.09272 - https://spectreattack.com/spectre.pdf "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

There was a bug in an OpenPGP library which finally gave us an excuse to tear encrypted email via PGP to shreds. Our special guest William Woodruff joined us to help explain the vuln and indulge our gnashing of teeth on why email was never meant to be encrypted and how other modern tools do the job much, much better. Watch on YouTube: https://www.youtube.com/watch?v=IoL3LfIozJo Transcript: https://securitycryptographywhatever.com/2025/08/22/stop-using-encrypted-email-with-william-woodruff Links: - William Woodruff: https://yossarian.net/ - https://www.latacora.com/blog/2020/02/19/stop-using-encrypted/ - https://www.rfc-editor.org/rfc/rfc4880 - https://codeanlabs.com/blog/research/cve-2025-47934-spoofing-openpgp-js-signatures/ - https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html - https://www.rfc-editor.org/rfc/rfc9580.html - https://www.tumblr.com/accidentallyquadratic - https://www.w3.org/TR/xmldsig-core/ - https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP - https://www.rfc-editor.org/rfc/rfc9580.html#name-signature-packet-type-id-2 - https://www.rfc-editor.org/rfc/rfc9580.html#name-key-derivation-function - https://en.wikipedia.org/wiki/S/MIME - https://delta.chat - https://signal.org/blog/the-ecosystem-is-moving/ - https://phakeobj.netlify.app/posts/gigacage/ - https://x.com/dakami "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We chat with friend of the pod and special guest Alex Gaynor, former chief technologist at the FTC and all around good Security Person™. Join for nerdery about WebAuthn, stay for accidentally melting down GitHub APIs around November 2020! Watch on YouTube: https://www.youtube.com/watch?v=gBoGvyvsSi4 Transcript: https://securitycryptographywhatever.com/2025/08/16/alex-gaynor Links: - https://knowyourmeme.com/memes/no-take-only-throw - https://alexgaynor.net/2025/jan/13/challenges-funding-open-source/ - https://alexgaynor.net/2025/apr/08/putting-a-price-tag-on-open-source/ - https://dadrian.io/blog/posts/corporate-support-xz/ - https://alex.github.io/nyt-2020-election-scraper/battleground-state-changes.html - https://github.com/alex/nyt-2020-election-scraper "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We’re throwing a party in Vegas! Someone called it SCWPodCon last year, and the name stuck. It’s sponsored by Teleport, the infrastructure identity company. Get SSO for SSH! If Thomas was here, I’m sure he’d tell you that Fly.io uses Teleport internally. Oh also there's some thing called Black..pill? Black Pool? Something like that happening in Vegas, with crypto talks, so we chatted about them a bit, plus some other stuff SCWPodCon 2025: https://securitycryptographywhatever.com/events/blackhat Transcript: https://securitycryptographywhatever.com/2025/07/29/vegas-baby/ Links: - Fault Injection attacks on PQCS signatures: https://www.blackhat.com/us-25/briefings/schedule/index.html#bypassing-pqc-signature-verification-with-fault-injection-dilithium-xmss-sphincs-46362 - Another attack on TETRA: https://www.blackhat.com/us-25/briefings/schedule/index.html#2-cops-2-broadcasting-tetra-end-to-end-under-scrutiny-46143 - Attacks on SCADA / ICS protocols (OPC UA): https://www.blackhat.com/us-25/briefings/schedule/index.html#no-vpn-needed-cryptographic-attacks-against-the-opc-ua-protocol-44760 - Attacks on Nostr: https://www.blackhat.com/us-25/briefings/schedule/index.html#not-sealed-practical-attacks-on-nostr-a-decentralized-censorship-resistant-protocol-45726 - https://signal.org/blog/the-ecosystem-is-moving/ - https://en.wikipedia.org/wiki/Nostr - https://eurosp2025.ieee-security.org/program.html - https://cispa.de/en/research/publications/84648-attacking-and-fixing-the-android-protected-confirmation-protocol - https://hal.science/hal-05038009v2/file/main.pdf - 8-bit, abacus, and a dog: https://eprint.iacr.org/2025/1237.pdf - https://www.youtube.com/watch?v=Dlsa9EBKDGI - https://www.quantamagazine.org/computer-scientists-figure-out-how-to-prove-lies-20250709/ - https://eprint.iacr.org/2025/118 "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

It seems like everyone that tries to deploy end-to-end encrypted cloud storage seems to mess it up, often in new and creative ways. Our special guests Matilda Backendal, Jonas Hofmann, and Kien Tuong Trong give us a tour through the breakage and discuss a new formal model of how to actually build a secure E2EE storage system. Watch on YouTube: https://youtu.be/sizLiK_byCw Transcript: https://securitycryptographywhatever.com/2025/05/19/e2ee-storage/ Links: - https://brokencloudstorage.info - https://eprint.iacr.org/2024/989.pdf - https://www.sync.com - https://www.pcloud.com - https://icedrive.net - https://seafile.com - https://tresorit.com "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Migrating the US government to quantum-resistant cryptography is hard, luckily the gamer presidents are on it. This episode is extremely not safe for work, nor does it reflect the political opinions of, well, anybody. "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Apple has pulled the availability of their opt-in iCloud end-to-end encryption feature, called Advanced Data Protection, in the UK. This doesn't only affect UK Apple users, however. To help us make sense of this surprising move from the fruit company, we got Matt Green, Associate Professor at Johns Hopkins, and Joe Hall, Distinguished Technologist at the Internet Society, on the horn. Recorded Saturday February 22nd, 2025. Transcript: https://securitycryptographywhatever.com/2025/02/24/apple-pulls-adp-in-uk/ Watch episode on YouTube: https://youtu.be/LAn_yOGUkR0 Links: - https://www.lawfaremedia.org/article/apples-cloud-key-vault-and-secure-law-enforcement-access - https://www.androidcentral.com/how-googles-backup-encryption-works-good-bad-and-ugly - https://gdpr.eu/right-to-be-forgotten/ - https://www.legislation.gov.uk/id/ukpga/2024/9 - https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html - https://en.wikipedia.org/wiki/Salt_Typhoon - Salt Typhoon: https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats - https://www.bloomberg.com/news/articles/2025-02-21/apple-removes-end-to-end-encryption-feature-from-uk-after-backdoor-order - https://support.apple.com/en-us/102651 "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

'Let us model our large language model as a hash function—' Sold. Our special guest Nicholas Carlini joins us to discuss differential cryptanalysis on LLMs and other attacks, just as the ones that made OpenAI turn off some features, hehehehe. Watch episode on YouTube: https://youtu.be/vZ64xPI2Rc0 Transcript: https://securitycryptographywhatever.com/2025/01/28/cryptanalyzing-llms-with-nicholas-carlini/ Links: - https://nicholas.carlini.com - “Stealing Part of a Production Language Model”: https://arxiv.org/pdf/2403.06634 - ‘Why I attack"’: https://nicholas.carlini.com/writing/2024/why-i-attack.html - “Cryptanalytic Extraction of Neural Network Models”, CRYPTO 2020: https://arxiv.org/abs/2003.04884 - “Stochastic Parrots”: https://dl.acm.org/doi/10.1145/3442188.3445922 - https://help.openai.com/en/articles/5247780-using-logit-bias-to-alter-token-probability-with-the-openai-api - https://community.openai.com/t/temperature-top-p-and-top-k-for-chatbot-responses/295542 - https://opensource.org/license/mit - https://github.com/madler/zlib - https://ai.meta.com/blog/yann-lecun-ai-model-i-jepa/ - https://nicholas.carlini.com/writing/2024/how-i-use-ai.html "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Just a few days before turning off the lights, the Biden administration dropped a huge cybersecurity executive order including a lot of good stuff, that hopefully [cross your fingers, knock wood, spin around three times and spit] will last into future administrations. We snagged some time with Carole House, outgoing Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy, National Security Council in the Biden-Harris White House, to give us a brain dump. Transcript: https://securitycryptographywhatever.com/2025/01/20/bidens-cyber-everything-bagel-carole-house/ Links: - https://www.federalregister.gov/d/2025-01470 - https://www.wired.com/story/biden-executive-order-cybersecurity-ai-and-more/ - 2022 EO: https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf - 2023 EO: https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf - 2021 EO: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ - NIST SSDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf - https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities - IEEPA: https://www.govinfo.gov/content/pkg/USCODE-2023-title50/pdf/USCODE-2023-title50-chap35-sec1701.pdf "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

THE QUANTUM COMPUTERS ARE COMING...right? We got Samuel Jacques and John Schanck at short notice to answer that question plus a bunch of other about error correcting codes, logical qubits, T-gates, and more about Google's new quantum computer Willow. Transcript: https://securitycryptographywhatever.com/2024/12/18/quantum-willow Links: - https://blog.google/technology/research/google-willow-quantum-chip/ - https://research.google/blog/making-quantum-error-correction-work/ - https://blog.google/technology/google-deepmind/alphaqubit-quantum-error-correction/ - https://www.nature.com/articles/s41586-024-08449-y - Sam’s ‘Landscape of Quantum Computing’ chart: https://sam-jaques.appspot.com/quantum\_landscape\_2024 - The above, originally published in 2021: https://sam-jaques.appspot.com/quantum\_landscape - https://sam-jaques.appspot.com - https://jmschanck.info/ "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Nothing we have ever recorded on SCW has brought so much joy to David. However, at several points during the episode, we may have witnessed Matthew Green's soul leave his body. Our esteemed guests Justin Schuh and Matt Green joined us to debate whether `Dual_EC_DRBG` was intentionally backdoored by the NSA or 'just' a major fuckup. Transcript: https://securitycryptographywhatever.com/2024/12/07/dual-ec-drbg Links: - Dicky George at InfiltrateCon 2014, 'Life at Both Ends of the Barrel - An NSA Targeting Retrospective': [https://youtu.be/qq-LCyRp6bU?si=MyTBKomkIVaxSy1Q](https://youtu.be/qq-LCyRp6bU?si=MyTBKomkIVaxSy1Q) - Dicky George: [https://www.nsa.gov/Press-Room/Digital-Media-Center/Biographies/Biography-View-Page/Article/3330261/richard-dickie-george/](https://www.nsa.gov/Press-Room/Digital-Media-Center/Biographies/Biography-View-Page/Article/3330261/richard-dickie-george/) - NYTimes on Sigint Enabling Project: [https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html](https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html) - On the Practical Exploitability of Dual EC in TLS Implementations: [https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-checkoway.pdf](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-checkoway.pdf) - Wired - Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA [https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/](https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/) - ProPublica - Revealed: The NSA's Secret Campaign to Crack, Undermine Internet Security [https://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption](https://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption) - DDoSecrets - Sigint Enabling Project: [https://data.ddosecrets.com/Snowden%20archive/sigint-enabling-project.pdf](https://data.ddosecrets.com/Snowden%20archive/sigint-enabling-project.pdf) - IAD: [https://www.iad.gov/](https://www.iad.gov/) - Ars Technica - “Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic: [https://web.archive.org/web/20151222023311/http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/](https://web.archive.org/web/20151222023311/http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/) - 2015 IMPORTANT JUNIPER SECURITY ANNOUNCEMENT: [https://web.archive.org/web/20151221171526/http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554](https://web.archive.org/web/20151221171526/http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554) - Extended Random Values for TLS: [https://datatracker.ietf.org/doc/html/draft-rescorla-tls-extended-random-00](https://datatracker.ietf.org/doc/html/draft-rescorla-tls-extended-random-00) - The Art of Software Security Assessment: [https://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426](https://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426) "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

You may not be rewriting the world in Rust, but if you follow the findings of the Android team and our guest Jeff Vander Stoep, you'll drive down your memory-unsafety vulnerabilities more than 2X below the industry average over time! 🎉 Transcript: https://securitycryptographywhatever.com/2024/10/15/a-little-bit-of-rust-goes-a-long-way/ Links: - https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html - “Safe Coding”: https://dl.acm.org/doi/10.1145/3651621 - “effectiveness of security design”: https://docs.google.com/presentation/d/16LZ6T-tcjgp3T8_N3m0pa5kNA1DwIsuMcQYDhpMU7uU/edit#slide=id.g3e7cac054a_0_89 - https://security.googleblog.com/2024/02/improving-interoperability-between-rust-and-c.html - https://github.com/google/crubit - https://github.com/google/autocxx - https://en.wikipedia.org/wiki/Stagefright_(bug) - https://security.googleblog.com/2021/04/rust-in-android-platform.html - https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md - https://www.usenix.org/conference/usenixsecurity22/presentation/alexopoulos -https://kb.meinbergglobal.com/kb/time_sync/ntp/ntp_vulnerabilities_reported_2023-04 - https://blog.isosceles.com/the-legacy-of-stagefright/ - https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/ - https://www.youtube.com/watch?v=QrrH2lcl9ew - https://source.android.com/docs/setup/build/rust/building-rust-modules/overview - https://github.com/rust-lang/rust-bindgen - https://security.googleblog.com/2021/06/rustc-interop-in-android-platform.html "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

With the 2024 United States Presidential Election right around the corner, we talk to an unnamed guest who has worked on cybersecurity for political campaigns in the United States since 2004. We recorded this in late August, 2024. Transcript: https://securitycryptographywhatever.com/2024/10/13/campaign-security/ Links: - Active Measures by Thomas Rind: https://us.macmillan.com/books/9780374287269/activemeasures - Aurora: https://en.wikipedia.org/wiki/Operation\_Aurora - Google APP announcement, October 2017: https://www.wired.com/story/google-advanced-protection-locks-down-accounts/ - XXD: https://linux.die.net/man/1/xxd - Adobe Reader October 2016 Security Update: https://helpx.adobe.com/security/products/acrobat/apsb16-33.html "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We finally have an excuse to tear down Telegram! Their CEO got arrested by the French, apparently not because the cryptography in Telegram is bad, but special guest Matt Green joined us to talk about how the cryptography is bad anyway, and you probably shouldn't use Telegram as a secure messenger of any kind! Transcript: https://securitycryptographywhatever.com/2024/09/06/telegram Links: - https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/ - Lavabit / Ladar Levinson: https://en.wikipedia.org/wiki/Lavabit - Pavel Durov indictment statement from French authorities: https://www.tribunal-de-paris.justice.fr/sites/default/files/2024-08/2024-08-28%20-%20CP%20TELEGRAM%20mise%20en%20examen.pdf - MTProto 2.0 protocol spec: https://core.telegram.org/api/end-to-end - https://words.filippo.io/dispatches/telegram-ecdh/ - MTProto 1.0 (old no longer used): - https://web.archive.org/web/20131220000537/https://core.telegram.org/api/end-to-end#key-generation - OTR: https://otr.cypherpunks.ca/otr-wpes.pdf - AES and sha2 used in ‘Infinite Garble Extension’ mode: https://eprint.iacr.org/2015/1177.pdf - Four Attacks and a Proof for Telegram: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833666 - History of Telegram e2ee chats availability: https://en.wikipedia.org/wiki/Telegram_(software)#Architecture - https://securitycryptographywhatever.com/2023/01/27/threema/ - https://securitycryptographywhatever.com/2022/11/02/Matrix-with-Martin-Albrecht-Dan-Jones/ - https://en.wikipedia.org/wiki/Matrix_(protocol), introduced in September 2014 "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Are you going to be in Vegas during BlackHat / DEF CON? We're hosting a mixer, sponsored by Observa! We have limited capacity, so please only register if you can actually come. Location details are in the confirmation email. Tickets will be released in batches, so if you get waitlisted, there's a good chance you still get in. Looking forward to seeing you in Vegas! Ticket Link: https://www.eventbrite.com/e/scwpod-vegas-2024-tickets-946939099337 We talk about CrowdStrike in this episode, but we know we made some mistakes: Luckily, none of that is actually relevant to the main issues we discuss. Show page: https://securitycryptographywhatever.com/2024/07/24/summertime-sadness/ Other Links: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardizationhttps://dadrian.io/blog/posts/pqc-signatures-2024/https://dadrian.io/blog/posts/cto/https://www.blackhat.com/us-24/briefings/schedule/https://terrapin-attack.com/https://www.youtube.com/watch?v=-AqayGm0_pwMore like ClownStrike, amirite? "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We have Mark Dowd on, founder of Aziumuth Security and one of the authors of The Art of Software Security Assessment, to talk about the market for zero day vulnerabilities, and how mitigations affect monetizing offensive security work. Transcript: https://securitycryptographywhatever.com/2024/06/24/mdowd/ Links: https://www.azimuthsecurity.com/https://www.vigilantlabs.com/https://github.com/mdowd79/presentations/blob/main/bluehat2023-mdowd-final.pdfhttps://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Hack-Different-Pwning-IOS-14-With-Generation-Z-Bug-wp.pdfhttps://i.blackhat.com/USA-19/Wednesday/us-19-Shwartz-Selling-0-Days-To-Governments-And-Offensive-Security-Companies.pdf "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

iykyk Transcript: https://securitycryptographywhatever.com/2024/05/25/ekr/ Links: - https://hovav.net/ucsd/dist/draft-shacham-tls-fasttrack-00.txt - https://crypto.stanford.edu/~dabo/pubs/papers/fasttrack.pdf - https://datatracker.ietf.org/doc/html/rfc8446 - SoK: SCT Auditing in Certificate Transparency: https://arxiv.org/pdf/2203.01661 - A hard look at Certificate Transparency, Part I: Transparency Systems: https://educatedguesswork.org/posts/transparency-part-1/ - A hard look at Certificate Transparency: CT in Reality: https://educatedguesswork.org/posts/transparency-part-2/ - E2EE on the web: is the web really that bad? https://emilymstark.com/2024/02/09/e2ee-on-the-web-is-the-web-really-that-bad.html - Launching Default End-to-End Encryption on Messenger: https://about.fb.com/news/2023/12/default-end-to-end-encryption-on-messenger/ - ekr's newsletter: https://educatedguesswork.org - Over 25 years of ekr RFCs: https://www.rfc-editor.org/search/rfc_search_detail.php?sortkey=Date&sorting=DESC&page=All&author=rescorla&pubstatus[]=Any&pub_date_type=any Subscribe to his newsletter at https://educatedguesswork.org/ "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Josh Brown and Paul Grubbs join us to describe how those damned spam calls work, and how STIR/SHAKEN is supposed to try to stop them, but have other privacy and security implications as well. Transcript: https://securitycryptographywhatever.com/2024/04/30/stir-shaken/ Links: - https://iacr.org/submit/files/slides/2024/rwc/rwc2024/98/slides.pdf - https://www.youtube.com/watch?v=3trxXF0-fRU - Paul Grubbs: https://web.eecs.umich.edu/~paulgrub/ "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)