Security Cryptography Whatever

William Woodruff, founder of Yossarian.net, joins the discussion to dismantle the myths surrounding encrypted email, especially PGP. He reveals a significant bug in an OpenPGP library, arguing that email was never designed for encryption. The conversation dives into operational security, criticizing outmoded methods like PGP and S/MIME. They explore the risks of metadata leaks and the limitations of federated systems, advocating for modern secure messaging alternatives like Signal over traditional email. Woodruff emphasizes the need for better understanding of digital threat models.

Join Alex Gaynor, a core developer of Python and Django and former chief technologist at the FTC, as he dives into tech transformations in government, sharing stories from the Affordable Care Act's rollout. He covers the complexities of legal battles in tech, including Oracle v. Google, and discusses the challenges of integrating Rust into popular software. Alex also sheds light on innovative open-source funding structures and reflects on his impactful election tracking website that became a go-to during the 2020 election.

Excitement is brewing for SCW PodCon in Las Vegas, featuring a fun party sponsored by Teleport. The hosts delve into the quirky differences between SSH certificates and X.509, while sharing personal stories from their Vegas adventures. They also discuss the latest cryptographic challenges highlighted at Black Hat and DEF CON, including vulnerabilities that could exploit even solid algorithms. The conversation touches on federated security protocols, quantum threats, and the implications of the Fiat Shamir transform, keeping listeners on the edge of their seats.

It seems like everyone that tries to deploy end-to-end encrypted cloudstorage seems to mess it up, often in new and creative ways. Our specialguests Matilda Backendal, Jonas Hofmann, and Kien Tuong Truong give us a tour through the breakage and discuss a new formal model of how to actually build a secure E2EE storage system.Watch on YouTube: https://youtu.be/sizLiK_byCwTranscript: https://securitycryptographywhatever.com/2025/05/19/e2ee-storage/Links:- https://brokencloudstorage.info- https://eprint.iacr.org/2024/1616.pdf- https://www.sync.com- https://www.pcloud.com- https://icedrive.net- https://seafile.com- https://tresorit.com- https://eprint.iacr.org/2024/989.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Migrating the US government to quantum-resistant cryptography is hard, luckily the gamer presidents are on it. This episode is extremely not safe for work, nor does it reflect the political opinions of, well, anybody."Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Apple has pulled the availability of their opt-in iCloud end-to-end encryption feature, called Advanced Data Protection, in the UK. This doesn't only affect UK Apple users, however. To help us make sense of this surprising move from the fruit company, we got Matt Green, Associate Professor at Johns Hopkins, and Joe Hall, Distinguished Technologist at the Internet Society, on the horn. Recorded Saturday February 22nd, 2025.Transcript: https://securitycryptographywhatever.com/2025/02/24/apple-pulls-adp-in-uk/Watch episode on YouTube: https://youtu.be/LAn_yOGUkR0Links:- https://www.lawfaremedia.org/article/apples-cloud-key-vault-and-secure-law-enforcement-access- https://www.androidcentral.com/how-googles-backup-encryption-works-good-bad-and-ugly- https://gdpr.eu/right-to-be-forgotten/- https://www.legislation.gov.uk/id/ukpga/2024/9- https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html- https://en.wikipedia.org/wiki/Salt_Typhoon- Salt Typhoon: https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats- https://www.bloomberg.com/news/articles/2025-02-21/apple-removes-end-to-end-encryption-feature-from-uk-after-backdoor-order- https://support.apple.com/en-us/102651"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Nicholas Carlini, an AI security researcher specializing in machine learning vulnerabilities, joins the discussion. He delves into the mathematical underpinnings of LLM vulnerabilities, highlighting risks like model poisoning and instruction injection. Carlini explores the parallels between cryptographic attacks and AI model vulnerabilities, emphasizing the importance of robust security frameworks. He also outlines key defense strategies against data extraction and shares insights on the fragility of current AI defenses, urging a critical evaluation of security practices in an evolving digital landscape.

Just a few days before turning off the lights, the Biden administration dropped a huge cybersecurity executive order including a lot of good stuff, that hopefully [cross your fingers, knock wood, spin around three times and spit] will last into future administrations. We snagged some time with Carole House, outgoing Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy, National Security Council in the Biden-Harris White House, to give us a brain dump.And now due to popular demand, with video of our actual human¹ faces! https://youtu.be/Pqw0W2crQiMTranscript: https://securitycryptographywhatever.com/2025/01/20/bidens-cyber-everything-bagel-carole-house/Links:- https://www.federalregister.gov/d/2025-01470- https://www.wired.com/story/biden-executive-order-cybersecurity-ai-and-more/- 2022 EO: https://archive.ph/hvzWd- 2023 EO: https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf- 2021 EO: https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity- NIST SSDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf- https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities- IEEPA: https://www.govinfo.gov/content/pkg/USCODE-2023-title50/pdf/USCODE-2023-title50-chap35-sec1701.pdf¹ Actual human faces not guaranteed in all cases"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

THE QUANTUM COMPUTERS ARE COMING...right? We got Samuel Jacques and John Schanck at short notice to answer that question plus a bunch of other about error correcting codes, logical qubits, T-gates, and more about Google's new quantum computer Willow.Transcript: https://securitycryptographywhatever.com/2024/12/18/quantum-willowLinks:- https://blog.google/technology/research/google-willow-quantum-chip/ - https://research.google/blog/making-quantum-error-correction-work/- https://blog.google/technology/google-deepmind/alphaqubit-quantum-error-correction/  - https://www.nature.com/articles/s41586-024-08449-y- Sam’s ‘Landscape of Quantum Computing’ chart: https://sam-jaques.appspot.com/quantum\_landscape\_2024  - The above, originally published in 2021: https://sam-jaques.appspot.com/quantum\_landscape- https://sam-jaques.appspot.com- https://jmschanck.info/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Matthew Green, a renowned cryptographer known for his passionate takes on security, joins Justin Schuh to dissect the controversial Dual_EC_DRBG. They debate whether this random number generator was a deliberate backdoor by the NSA or merely a colossal blunder. The conversation uncovers the ethical dilemmas of cryptographic standards, the NSA's questionable practices, and the erosion of public trust in secure communications. Their insights blend humor and serious analysis, illuminating the complexities of cryptography in today's world.