
Security Cryptography Whatever
Some cryptography & security people talk about security, cryptography, and whatever else is happening.
Latest episodes

Mar 24, 2025 • 15min
Picking Quantum Resistant Algorithms
Migrating the US government to quantum-resistant cryptography is hard; luckily, the gamer presidents are on it. This episode is extremely not safe for work, nor does it reflect the political opinions of, well, anybody.
"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Feb 25, 2025 • 49min
Apple Pulls Advanced Data Protection in the UK with Matt Green and Joe Hall
Apple has pulled the availability of their opt-in iCloud end-to-end encryption feature, called Advanced Data Protection, in the UK. This doesn't only affect UK Apple users, however. To help us make sense of this surprising move from the fruit company, we got Matt Green, Associate Professor at Johns Hopkins, and Joe Hall, Distinguished Technologist at the Internet Society, on the horn. Recorded Saturday February 22nd, 2025.
Transcript: https://securitycryptographywhatever.com/2025/02/24/apple-pulls-adp-in-uk/
Watch episode on YouTube: https://youtu.be/LAn_yOGUkR0
Links:
- https://www.lawfaremedia.org/article/apples-cloud-key-vault-and-secure-law-enforcement-access
- https://www.androidcentral.com/how-googles-backup-encryption-works-good-bad-and-ugly
- https://gdpr.eu/right-to-be-forgotten/
- https://www.legislation.gov.uk/id/ukpga/2024/9
- https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html
- https://en.wikipedia.org/wiki/Salt_Typhoon
- Salt Typhoon: https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats
- https://www.bloomberg.com/news/articles/2025-02-21/apple-removes-end-to-end-encryption-feature-from-uk-after-backdoor-order
- https://support.apple.com/en-us/102651

Jan 28, 2025 • 1h 21min
Cryptanalyzing LLMs with Nicholas Carlini
Nicholas Carlini, an AI security researcher specializing in machine learning vulnerabilities, joins the discussion. He delves into the mathematical underpinnings of LLM vulnerabilities, highlighting risks like model poisoning and instruction injection. Carlini explores the parallels between cryptographic attacks and AI model vulnerabilities, emphasizing the importance of robust security frameworks. He also outlines key defense strategies against data extraction and shares insights on the fragility of current AI defenses, urging a critical evaluation of security practices in an evolving digital landscape.

Jan 21, 2025 • 57min
Biden's Cyber-Everything Bagel with Carole House
Just a few days before turning off the lights, the Biden administration dropped a huge cybersecurity executive order including a lot of good stuff, that hopefully [cross your fingers, knock wood, spin around three times and spit] will last into future administrations. We snagged some time with Carole House, outgoing Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy, National Security Council in the Biden-Harris White House, to give us a brain dump.
And now due to popular demand, with video of our actual human¹ faces! https://youtu.be/Pqw0W2crQiM
Transcript: https://securitycryptographywhatever.com/2025/01/20/bidens-cyber-everything-bagel-carole-house/
Links:
- https://www.federalregister.gov/d/2025-01470
- https://www.wired.com/story/biden-executive-order-cybersecurity-ai-and-more/
- 2022 EO: https://archive.ph/hvzWd
- 2023 EO: https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf
- 2021 EO: https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity
- NIST SSDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
- https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities
- IEEPA: https://www.govinfo.gov/content/pkg/USCODE-2023-title50/pdf/USCODE-2023-title50-chap35-sec1701.pdf
¹ Actual human faces not guaranteed in all cases

Dec 18, 2024 • 54min
Quantum Willow with John Schanck and Samuel Jacques
THE QUANTUM COMPUTERS ARE COMING...right? We got Samuel Jacques and John Schanck at short notice to answer that question plus a bunch of others about error correcting codes, logical qubits, T-gates, and more about Google's new quantum computer Willow.
Transcript: https://securitycryptographywhatever.com/2024/12/18/quantum-willow
Links:
- https://blog.google/technology/research/google-willow-quantum-chip/
- https://research.google/blog/making-quantum-error-correction-work/
- https://blog.google/technology/google-deepmind/alphaqubit-quantum-error-correction/
- https://www.nature.com/articles/s41586-024-08449-y
- Sam's "Landscape of Quantum Computing" chart: https://sam-jaques.appspot.com/quantum_landscape_2024
- The above, originally published in 2021: https://sam-jaques.appspot.com/quantum_landscape
- https://sam-jaques.appspot.com
- https://jmschanck.info/

Dec 7, 2024 • 1h 8min
Dual_EC_DRBG with Justin Schuh and Matthew Green
Matthew Green, a renowned cryptographer known for his passionate takes on security, joins Justin Schuh to dissect the controversial Dual_EC_DRBG. They debate whether this random number generator was a deliberate backdoor by the NSA or merely a colossal blunder. The conversation uncovers the ethical dilemmas of cryptographic standards, the NSA's questionable practices, and the erosion of public trust in secure communications. Their insights blend humor and serious analysis, illuminating the complexities of cryptography in today's world.

Oct 15, 2024 • 1h 14min
A Little Bit of Rust Goes a Long Way with Android's Jeff Vander Stoep
You may not be rewriting the world in Rust, but if you follow the findings of the Android team and our guest Jeff Vander Stoep, you'll drive down your memory-unsafety vulnerabilities more than 2X below the industry average over time!
Transcript: https://securitycryptographywhatever.com/2024/10/15/a-little-bit-of-rust-goes-a-long-way/
Links:
- https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html
- "Safe Coding": https://dl.acm.org/doi/10.1145/3651621
- "effectiveness of security design": https://docs.google.com/presentation/d/16LZ6T-tcjgp3T8_N3m0pa5kNA1DwIsuMcQYDhpMU7uU/edit#slide=id.g3e7cac054a_0_89
- https://security.googleblog.com/2024/02/improving-interoperability-between-rust-and-c.html
- https://github.com/google/crubit
- https://github.com/google/autocxx
- https://en.wikipedia.org/wiki/Stagefright_(bug)
- https://security.googleblog.com/2021/04/rust-in-android-platform.html
- https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md
- https://www.usenix.org/conference/usenixsecurity22/presentation/alexopoulos
- https://kb.meinbergglobal.com/kb/time_sync/ntp/ntp_vulnerabilities_reported_2023-04
- https://blog.isosceles.com/the-legacy-of-stagefright/
- https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/
- https://www.youtube.com/watch?v=QrrH2lcl9ew
- https://source.android.com/docs/setup/build/rust/building-rust-modules/overview
- https://github.com/rust-lang/rust-bindgen
- https://security.googleblog.com/2021/06/rustc-interop-in-android-platform.html

Oct 13, 2024 • 1h 24min
Campaign Security with [REDACTED]
In this discussion with a seasoned cybersecurity expert, who has protected U.S. presidential campaigns since 2004, the complexities of election security come to light. They dive into the chaotic dynamics of campaign financing and foreign threats. Personal anecdotes reveal the tension of thwarting phishing attacks and evolving mobile security practices. The conversation also touches on how threats are becoming more sophisticated, highlighting the significance of strong security measures in an unpredictable digital landscape.

Sep 7, 2024 • 1h 4min
Telegram with Matthew Green
Matthew Green, a leading cryptography expert, dives into the controversial security flaws of Telegram, especially after CEO Pavel Durov's arrest in France. He debunks Telegram's reputation as a secure messaging app, discussing its non-standard encryption methods and lack of transparency. Green presents alarming critiques of the MT Proto 2.0 protocol and compares it unfavorably to superior platforms like Signal. The conversation also touches on the legal implications of messaging apps in the context of privacy and government oversight.

Jul 25, 2024 • 57min
Summertime Sadness
Are you going to be in Vegas during BlackHat / DEF CON? We're hosting a mixer, sponsored by Observa! We have limited capacity, so please only register if you can actually come. Location details are in the confirmation email. Tickets will be released in batches, so if you get waitlisted, there's a good chance you still get in. Looking forward to seeing you in Vegas!
Ticket Link: https://www.eventbrite.com/e/scwpod-vegas-2024-tickets-946939099337
We talk about CrowdStrike in this episode, but we know we made some mistakes:
- The sys files may be code in addition to data.
- The bug might be bigger than "just" a null pointer exception.
Luckily, none of that is actually relevant to the main issues we discuss.
Show page: https://securitycryptographywhatever.com/2024/07/24/summertime-sadness/
Other Links:
- https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization
- https://dadrian.io/blog/posts/pqc-signatures-2024/
- https://dadrian.io/blog/posts/cto/
- https://www.blackhat.com/us-24/briefings/schedule/
- https://terrapin-attack.com/
- https://www.youtube.com/watch?v=-AqayGm0_pw
More like ClownStrike, amirite?