Security Cryptography Whatever

Deirdre Connolly, Thomas Ptacek, David Adrian

Some cryptography & security people talk about security, cryptography, and whatever else is happening.

  1. 6 DAYS AGO

    Stop Using Encrypted Email with William Woodruff

    There was a bug in an OpenPGP library which finally gave us an excuse to tear encrypted email via PGP to shreds. Our special guest William Woodruff joined us to help explain the vuln and indulge our gnashing of teeth on why email was never meant to be encrypted and how other modern tools do the job much, much better. Watch on YouTube: https://www.youtube.com/watch?v=IoL3LfIozJo Transcript: https://securitycryptographywhatever.com/2025/08/22/stop-using-encrypted-email-with-william-woodruff Links: - William Woodruff: https://yossarian.net/ - https://www.latacora.com/blog/2020/02/19/stop-using-encrypted/ - https://www.rfc-editor.org/rfc/rfc4880 - https://codeanlabs.com/blog/research/cve-2025-47934-spoofing-openpgp-js-signatures/ - https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html - https://www.rfc-editor.org/rfc/rfc9580.html - https://www.tumblr.com/accidentallyquadratic - https://www.w3.org/TR/xmldsig-core/ - https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP - https://www.rfc-editor.org/rfc/rfc9580.html#name-signature-packet-type-id-2 - https://www.rfc-editor.org/rfc/rfc9580.html#name-key-derivation-function - https://en.wikipedia.org/wiki/S/MIME - https://delta.chat - https://signal.org/blog/the-ecosystem-is-moving/ - https://phakeobj.netlify.app/posts/gigacage/ - https://x.com/dakami -----BEGIN PGP MESSAGE----- U2FsdGVkX1/OF+EynrukxZnSAXwgksTGSIkQ6s4X9Ns7JgQ2ZymeQAp8uD09MtkJ ce5HOKcjhUkZOMbJl3I5iOcPgSxCGG8KccNXcY6msdAD3pdlmR5cWJpn6+qGwqvo KCsj+DYwFW6tltLBXP/cdnh9z8ktRXqfwQW+uhB5Zcaw28pzmNz/rA0cb0cLGiaX uxp9A0iWhwf2gFpUSiIJyXGLJAc8eeI1LXfISXi7IkowDMp4x+iDbOlrR0d6zCkp IKpNGReokcWhUrlGVONiVUrApZS2fvxQoHgaIvwLl5FM1WdrbQIV41DB+rgtZJhE NSgMkhQ0y1bBAOM25ykRjC/UUS/q0ddXz1ThGi6vRIp4/8vkqOsEXHv5M1oT9FQT UGK3zyffq0FqGBFj6kwVZ0X0JQFmtydZKhSYEPE9s4mcfvxKNQsySK7wlxMerKrf f9ZxOR7rHjE3IfqtoizX8EH+MYy2lRCoCKeLbZd0G1LcVhBhRpoXfqL2IboAWqT+ U8R2eyts7qiNuWQUtmCzKNmaJMS+1M+pVN5ZXAdSqK2OJVJZgO8Ie7q4HVZeAd3G HzP7owf+VerCguOYN41cxGle1QpeFi0xcYHNna1bgbodFZ8eGDOq5yCuvmQa04Xy J4vRv7xcp/v16CniL1rN6KhnzdW2gLky8depnYyhm8NvdMFETA6K6eIYm1roD+C2 wwOOKRxUpTI54ov+HYDDU+HUmpFykSesHQJ75o9m0w7V2kR/+E46olFMhHo8JWnL NsGd5QlD/fyedMXHAjimXuFk/YFnwa1lh4XwSwYm+c8ZnIfrS6oEEdUSwXMCwwVT 7/tMw+ab0YRsx19hBLS41oxMz+DCah+/KDMEHv0I+VxaCH8ZfaKD4tRhduSvcWkn Nat3Xp8/MAmO5xN1U8s1dFvrlnt+yqDz7Wn0kVDiax2dTJVgftetqOkoSVvGdMex 9K0ILUUMEpHYBISIaAc7NjoG4BieSeK7wuzBXdhHutVZVKp2ty+mAd8xPlrmemsX lzBhV/kcmF4rcG4eqoWcKpZQY8ZUDufwhIcNqIZEA+wQoKbmBQCR/NradwUrCAIs AQFMVhSYmr7ffA6Ty0twSWeVMDQmxdW+6gKA3EiTAJkFXPpdkhBUzuZHC7Eeph7D F0Ks8Vu/wzOhNsd2s2wYYF6Dl3xctcOj7eMw8VS1HtExszulM57TnqTDaLGPcX6o m8NORwMEtQrCbJd/fdmoNPN/cXzLPHQj3qVZ0F50iNec6zSnmBLIRX4SAYOqzN/2 icvr98Caa1oX3pUlm9W2Hcz30SXJDxOf+mqH6zL4QTAMs3/K9OkaO9nmyPelwoCw VI1q/PsMpqQhGikdM5hrzg6IcEOg5zpLB6N+wqkcGyXFzI2gSQTWYOv4thrIxPY5 G9yNi4dhU+2+KJCa6aoPyAlyc41Yd3ARTeahHEjtdj6PcueRPQdVm+qWCRp09bp3 oic7ljzMVrPRgdbRrzFyEAIhN9Fi4QZ08/yCLEt/BPG+N8j0cZixoj54SKi07uSO WRDrzGvgSegGCCIFKjAsq9ay0sBm61XLcZqdtj57NpNzd/y/yFYvjEQLyyn8VnFA RwOaM3zjrufNC+kYVkHCYzfvu+JopScZjMiuBXI9v8OTOXlj+Ai97bnftwmpQ263 5vyearRHCNATFNa96Sxd1cLjV+ECUlD4hAZQPyel8groXsyjKaMxoOkaZjG/5MDQ 8KPtes32kjTmneyLSzrUaAD0F4l/iltBXzDNiT6BHD7HJmERbdkoab7+DC1hxxC1 VuOHOX+G/U5NUNjxAercuFOY6kgAH5HM+woGjLUsoc5LESqyPdddeg== -----END PGP MESSAGE----- "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    1h 11m

  2. 16 AUG

    Alex Gaynor

    We chat with friend of the pod and special guest Alex Gaynor, former deputy chief technologist at the FTC and all around good Security Person™. Join for nerdery about WebAuthn, stay for accidentally melting down GitHub APIs around November 2020!  Watch on YouTube: https://www.youtube.com/watch?v=gBoGvyvsSi4 Transcript: https://securitycryptographywhatever.com/2025/08/16/alex-gaynor Links: - https://knowyourmeme.com/memes/no-take-only-throw - https://alexgaynor.net/2025/jan/13/challenges-funding-open-source/ - https://alexgaynor.net/2025/apr/08/putting-a-price-tag-on-open-source/ - https://dadrian.io/blog/posts/corporate-support-xz/ - https://alex.github.io/nyt-2020-election-scraper/battleground-state-changes.html - https://github.com/alex/nyt-2020-election-scraper "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    1h 25m

  3. 29 JUL

    Vegas, Baby!

    We’re throwing a party in Vegas! Someone called it SCWPodCon last year, and the name stuck. It’s sponsored by Teleport, the infrastructure identity company. Get SSO for SSH! If Thomas was here, I’m sure he’d tell you that Fly.io uses Teleport internally. Oh also there's some thing called Black..pill? Black Pool? Something like that happening in Vegas, with crypto talks, so we chatted about them a bit, plus some other stuff SCWPodCon 2025: https://securitycryptographywhatever.com/events/blackhat Transcript: https://securitycryptographywhatever.com/2025/07/29/vegas-baby/ Links: - Fault Injection attacks on PQCS signatures: https://www.blackhat.com/us-25/briefings/schedule/index.html#bypassing-pqc-signature-verification-with-fault-injection-dilithium-xmss-sphincs-46362 - Another attack on TETRA: https://www.blackhat.com/us-25/briefings/schedule/index.html#2-cops-2-broadcasting-tetra-end-to-end-under-scrutiny-46143 - Attacks on SCADA / ICS protocols (OPC UA): https://www.blackhat.com/us-25/briefings/schedule/index.html#no-vpn-needed-cryptographic-attacks-against-the-opc-ua-protocol-44760 - Attacks on Nostr:  https://www.blackhat.com/us-25/briefings/schedule/index.html#not-sealed-practical-attacks-on-nostr-a-decentralized-censorship-resistant-protocol-45726 - https://signal.org/blog/the-ecosystem-is-moving/ - https://en.wikipedia.org/wiki/Nostr - https://eurosp2025.ieee-security.org/program.html - https://cispa.de/en/research/publications/84648-attacking-and-fixing-the-android-protected-confirmation-protocol - https://hal.science/hal-05038009v2/file/main.pdf - 8-bit, abacus, and a dog: https://eprint.iacr.org/2025/1237.pdf - https://www.youtube.com/watch?v=Dlsa9EBKDGI - https://www.quantamagazine.org/computer-scientists-figure-out-how-to-prove-lies-20250709/ - https://eprint.iacr.org/2025/118 "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    1h 1m

  4. 19 MAY

    E2EE Storage Done Right with Matilda Backendal Jonas Hofmann and Kien Tuong Truong

    It seems like everyone that tries to deploy end-to-end encrypted cloud storage seems to mess it up, often in new and creative ways. Our special guests Matilda Backendal, Jonas Hofmann, and Kien Tuong Truong give us a tour through the breakage and discuss a new formal model of how to actually build a secure E2EE storage system. Watch on YouTube: https://youtu.be/sizLiK_byCw Transcript: https://securitycryptographywhatever.com/2025/05/19/e2ee-storage/ Links: - https://brokencloudstorage.info - https://eprint.iacr.org/2024/1616.pdf - https://www.sync.com - https://www.pcloud.com - https://icedrive.net - https://seafile.com - https://tresorit.com - https://eprint.iacr.org/2024/989.pdf "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    1h 2m

  5. 24 MAR

    Picking Quantum Resistant Algorithms

    Migrating the US government to quantum-resistant cryptography is hard, luckily the gamer presidents are on it. This episode is extremely not safe for work, nor does it reflect the political opinions of, well, anybody. "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    15 min

  6. 25 FEB

    Apple Pulls Advanced Data Protection in the UK with Matt Green and Joe Hall

    Apple has pulled the availability of their opt-in iCloud end-to-end encryption feature, called Advanced Data Protection, in the UK. This doesn't only affect UK Apple users, however.  To help us make sense of this surprising move from the fruit company, we got Matt Green, Associate Professor at Johns Hopkins, and Joe Hall, Distinguished Technologist at the Internet Society, on the horn.  Recorded Saturday February 22nd, 2025. Transcript: https://securitycryptographywhatever.com/2025/02/24/apple-pulls-adp-in-uk/ Watch episode on YouTube: https://youtu.be/LAn_yOGUkR0 Links: - https://www.lawfaremedia.org/article/apples-cloud-key-vault-and-secure-law-enforcement-access - https://www.androidcentral.com/how-googles-backup-encryption-works-good-bad-and-ugly - https://gdpr.eu/right-to-be-forgotten/ - https://www.legislation.gov.uk/id/ukpga/2024/9 - https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html - https://en.wikipedia.org/wiki/Salt_Typhoon - Salt Typhoon: https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats - https://www.bloomberg.com/news/articles/2025-02-21/apple-removes-end-to-end-encryption-feature-from-uk-after-backdoor-order - https://support.apple.com/en-us/102651 "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    49 min

  7. 28 JAN

    Cryptanalyzing LLMs with Nicholas Carlini

    'Let us model our large language model as a hash function—'  Sold. Our special guest Nicholas Carlini joins us to discuss differential cryptanalysis on LLMs and other attacks, just as the ones that made OpenAI turn off some features, hehehehe. Watch episode on YouTube: https://youtu.be/vZ64xPI2Rc0 Transcript: https://securitycryptographywhatever.com/2025/01/28/cryptanalyzing-llms-with-nicholas-carlini/ Links: - https://nicholas.carlini.com - “Stealing Part of a Production Language Model”: https://arxiv.org/pdf/2403.06634 - ‘Why I attack"’: https://nicholas.carlini.com/writing/2024/why-i-attack.html - “Cryptanalytic Extraction of Neural Network Models”, CRYPTO 2020: https://arxiv.org/abs/2003.04884 - “Stochastic Parrots”: https://dl.acm.org/doi/10.1145/3442188.3445922 - https://help.openai.com/en/articles/5247780-using-logit-bias-to-alter-token-probability-with-the-openai-api - https://community.openai.com/t/temperature-top-p-and-top-k-for-chatbot-responses/295542 - https://opensource.org/license/mit - https://github.com/madler/zlib - https://ai.meta.com/blog/yann-lecun-ai-model-i-jepa/ - https://nicholas.carlini.com/writing/2024/how-i-use-ai.html "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    1h 21m

  8. 21 JAN

    Biden’s Cyber-Everything Bagel with Carole House

    Just a few days before turning off the lights, the Biden administration dropped a huge cybersecurity executive order including a lot of good stuff, that hopefully [cross your fingers, knock wood, spin around three times and spit] will last into future administrations. We snagged some time with Carole House, outgoing Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy, National Security Council in the Biden-Harris White House, to give us a brain dump. And now due to popular demand, with video of our actual human¹ faces! https://youtu.be/Pqw0W2crQiM Transcript: https://securitycryptographywhatever.com/2025/01/20/bidens-cyber-everything-bagel-carole-house/ Links: - https://www.federalregister.gov/d/2025-01470 - https://www.wired.com/story/biden-executive-order-cybersecurity-ai-and-more/ - 2022 EO: https://archive.ph/hvzWd - 2023 EO: https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf - 2021 EO: https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity - NIST SSDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf - https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities - IEEPA: https://www.govinfo.gov/content/pkg/USCODE-2023-title50/pdf/USCODE-2023-title50-chap35-sec1701.pdf ¹ Actual human faces not guaranteed in all cases "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    57 min
See All (58)

About

Some cryptography & security people talk about security, cryptography, and whatever else is happening.

Information

  • Creator
    Deirdre Connolly, Thomas Ptacek, David Adrian
  • Years Active
    2021 - 2025
  • Episodes
    58
  • Rating
    Explicit
  • Copyright
    © 2025 Security Cryptography Whatever
  • Show Website
    Security Cryptography Whatever

You Might Also Like