Claim Ownership

Author:

Subscribed: 0Played: 0
Share

Description

 Episodes
Reverse
We talk to Kevin Riggle (@kevinriggle) about complexity and safety. We also talk about the Twitter acquisition. While recording, we discovered a new failure mode where Kevin couldn't hear Thomas, but David and Deirdre could, so there's not much Thomas this episode. If you ever need to get Thomas to voluntarily stop talking, simply mute him to half the audience!https://twitter.com/kevinriggleTranscript: https://beta-share.descript.com/view/WTrQGK4xEVj ErrataIt was the Mars Climate Orbiter that crashed due to a units mismatchDavid confused the Dreamliner with the 737 MaxLinkshttps://free-dissociation.com/blog/posts/2018/08/why-is-it-so-hard-to-build-safe-software/https://complexsystems.group/https://how.complexsystems.fail/https://noncombatant.org/2016/06/20/get-into-security-engineering/https://blog.nelhage.com/2010/03/security-doesnt-respect-abstraction/http://sunnyday.mit.edu/safer-world.pdfhttps://www.adaptivecapacitylabs.com/john-allspaw/https://www.etsy.com/codeascraft/blameless-postmortemshttps://increment.com/security/approachable-threat-modeling/https://www.nytimes.com/2022/11/17/arts/music/taylor-swift-tickets-ticketmaster.htmlhttps://www.hillelwayne.com/post/are-we-really-engineers/https://www.hillelwayne.com/post/we-are-not-special/https://www.hillelwayne.com/post/what-we-can-learn/https://lotr.fandom.com/wiki/Denethor_IIhttps://twitter.com/sarahjeong/status/1587597972136546304"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
No not the movie: the secure group messaging protocol! Or rather all the bugs and vulns that a team of researchers found when trying to formalize said protocol. Martin Albrecht and Dan Jones joined us to walk us through "Practically-exploitable CryptographicVulnerabilities in Matrix".Links: https://nebuchadnezzar-megolm.github.io/static/paper.pdfhttps://nebuchadnezzar-megolm.github.ioSignal Private Group system: https://eprint.iacr.org/2019/1416.pdfhttps://signal.org/blog/signal-private-group-system/https://spec.matrix.org/latest/WhatsApp Security Whitepaper: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdfhttps://www.usenix.org/conference/usenixsecurity21/presentation/albrecht FS, PCS etcOther clients: https://nvd.nist.gov/vuln/detail/CVE-2022-39252 https://nvd.nist.gov/vuln/detail/CVE-2022-39254 https://nvd.nist.gov/vuln/detail/CVE-2022-39264 https://dadrian.io/blog/posts/roll-your-own-crypto/https://podcasts.apple.com/us/podcast/the-great-roll-your-own-crypto-debate-feat-filippo-valsorda/id1578405214?i=1000530617719 WhatsApp End-to-End Encrypted Backups: https://blog.whatsapp.com/end-to-end-encrypted-backups-on-whatsappRoll your own and Telegram: https://mtpsym.github.io/ Transcript: https://beta-share.descript.com/view/u3VFzjvqrql"Security. Cryptography. Whatever." is hosted by Deirdre Connolly, Thomas Ptacek, and David Adrian."Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
SOC2 with Sarah Harvey

SOC2 with Sarah Harvey

2022-10-1601:01:37

We have Sarah Harvey (@worldwise001 on Twitter) to talk about SOC2, what it means, how to get it, and if it's important or not. The discussion centers around two blog posts written by Thomas:SOC2 Starting Seven: https://latacora.micro.blog/2020/03/12/the-soc-starting.htmlSOC2 at Fly: https://fly.io/blog/soc2-the-screenshots-will-continue-until-security-improves/Links:Tailscale recent post on getting SOC2’d: https://tailscale.com/blog/soc2-type2/SSO Tax: https://sso.taxDavid’s previous job: https://getnametag.comDavid's other startup: https://censys.ioThomas works at https://fly.ioTranscript: https://beta-share.descript.com/view/XF24jrLSOX9"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Nate Lawson II

Nate Lawson II

2022-09-2901:23:19

This episode got delayed because David got COVID. Anyway, here's Nate Lawson: The Two Towers.Steven Chu: https://en.wikipedia.org/wiki/Steven_ChuCFB: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_feedback_(CFB)CCFB: https://link.springer.com/chapter/10.1007/11502760_19XXTEA: https://en.wikipedia.org/wiki/XXTEACHERI: https://cseweb.ucsd.edu/~dstefan/cse227-spring20/papers/watson:cheri.pdf"Security. Cryptography. Whatever." is hosted by Deirdre Connolly, Thomas Ptacek, and David Adrian.Transcript: https://share.descript.com/view/0KOcX9TR05pErrata:Pedram Amini did in fact do Pai Mei"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Nate Lawson: Part 1

Nate Lawson: Part 1

2022-09-0901:20:11

We bring on Nate Lawson of Root Labs to talk about a little bit of everything, starting with cryptography in the 1990s.ReferencesIBM S/390: https://ieeexplore.ieee.org/document/5389176SSLv2 Spec: https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.htmlXbox 360 HMAC: https://beta.ivc.no/wiki/index.php/Xbox_360_Timing_AttackGoogle Keyczar HMAC bug (reported by Nate): https://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/ErrataHMAC actually published in 1996, not 1997"That was one of the first, I think hardware applications of DPA was, was, um, satellite TV cards." Not true, they first were able to break Mondex, a MasterCard smart cardTranscript: https://share.descript.com/view/lhzrbt6hDeL"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Are the isogenies kaput?! There's a new attack that breaks all the known parameter sets for SIDH/SIKE, so Steven Galbraith helps explain where the hell this came from, and where isogeny crypto goes from here.Transcript: https://share.descript.com/view/Xiv307FvOPAMerch: https://merch.scwpodcast.comLinks:https://eprint.iacr.org/2022/975.pdfhttps://eprint.iacr.org/2022/1026.pdfhttps://ellipticnews.wordpress.com/2022/07/31/breaking-supersingular-isogeny-diffie-hellman-sidh/GPST active adaptive attack against SIDH: https://eprint.iacr.org/2016/859.pdfFailing to hash into supersingular isogeny graphs: https://eprint.iacr.org/2022/518.pdfhttps://research.nccgroup.com/2022/08/08/implementing-the-castryck-decru-sidh-key-recovery-attack-in-sagemath/Kuperberg attack via Peikert: https://eprint.iacr.org/2019/725.pdfSQISign: https://eprint.iacr.org/2020/1240.pdf(Post recording)  Breaking SIDH in polynomial time:https://eprint.iacr.org/2022/1038.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Passkeys with Adam Langley

Passkeys with Adam Langley

2022-08-1101:03:01

Adam Langley (Google) comes on the podcast to talk about the evolution of WebAuthN and Passkeys!David's audio was a little finicky in this one. Believe us, it sounded worse before we edited it. Also, we occasionally accidentally refer to U2F as UTF. That's because we just really love strings.Transcript: https://share.descript.com/view/pBAXADn8gKWLinks:GoogleIO PresentationWWDC PresentationW3C WebAuthNAdam's blog on passkeys and CABLECable / Hybrid PRCTAP spec from FIDONoise NKPSKDERPDon't forget about merch! https://merch.securitycryptographywhatever.com/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Hertzbleed

Hertzbleed

2022-06-1858:39

Side channels! Frequency scaling! Key encapsulation, oh my! We're talking about the new Hertzbleed paper, but also cryptography conferences, 'passkeys', and end-to-end encrypting yer twitter.com DMs.Transcript: https://share.descript.com/view/lPM4lsxha63 Links:Hertzbleed Attack | ellipticnews (wordpress.com)https://www.hertzbleed.com/hertzbleed.pdfhttps://papers.ssrn.com/sol3/papers.cfm?abstract_id=3920031Merch: https://merch.scwpodcast.com"Security. Cryptography. Whatever." is hosted by Deirdre Connolly, Thomas Ptacek, and David Adrian. "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
The US government released a memo about moving to a zero-trust network architecture. What does this mean? We have one of the authors, Eric Mill, on to explain it to us.As always, your @SCWPod hosts are Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian).Transcript: https://share.descript.com/view/UayEVA596OKLinks:OMB MemoExecutive order on cybersecurity PIV card Derived PIVBeyondCorpHSTS Preloading.gov preloading Neither Rain, Nor Snow, Nor MITMEDR memoTechnology Transformation Services (TTS)Is it Christmas?"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Tink with Sophie Schmieg

Tink with Sophie Schmieg

2022-05-2801:07:02

We talk about Tink with Sophie Schmieg, cryptographer and algebraic geometer at Google.Transcript: https://beta-share.descript.com/view/v2Q5Ix8pvbDLinks:Sophie: https://twitter.com/SchmiegSophieTink: https://github.com/google/tinkRWC talk: https://youtube.com/watch?t=1028&v=CiH6iqjWpt8Where to store keys: https://twitter.com/SchmiegSophie/status/1413502566797778948EAX mode: https://en.wikipedia.org/wiki/EAX_modeAES-GCM-SIV: https://en.wikipedia.org/wiki/AES-GCM-SIVDeterministic AEADs: https://github.com/google/tink/blob/master/docs/PRIMITIVES.md#deterministic-authenticated-encryption-with-associated-dataThai Duong: https://twitter.com/XorNinjaAWS-SDK Vuln: https://twitter.com/XorNinja/status/1310587707605659649"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Live from Amsterdam, it's cancellable crypto hot takes! A fun little meme, plus a preview of the Real World Crypto program!Transcript: https://share.descript.com/view/GiVlw4qKV2iLinks:Tony's twete: https://twitter.com/bascule/status/1512539700220805124Real World Crypto 2022: https://rwc.iacr.org/2022Merch! https://merch.scwpodcast.comFind us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
We're back! With an episode on lattice-based cryptography, with Professor Chris Peikert of the University of Michigan, David's alma mater. When we recorded this, Michigan football had just beaten Ohio for the first time in a bajillion years, so you get a nerdy coda on college football this time!Transcript: https://share.descript.com/view/El2a4Z7OLsdSlides: https://web.eecs.umich.edu/~cpeikert/pubs/slides-qcrypt.pdfLinks:He Gives C-Sieves on the CSIDH: https://eprint.iacr.org/2019/725Lattice-based Cryptography: https://cims.nyu.edu/~regev/papers/pqc.pdfNIST PQC Competition: https://csrc.nist.gov/Projects/post-quantum-cryptography The 2nd Bar Ilan Winter School on Cryptography Lattice- Based Cryptography and Applications: https://www.youtube.com/playlist?list=PL8Vt-7cSFnw2OmpCmPLLwSx0-Yqb2ptqOA Decade of Lattice Cryptography: https://eprint.iacr.org/2015/939.pdfFind us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
We've trashed JWTs, discussed PASETO, Macaroons, and now, Biscuits! Actually, multiple iterations of Biscuits! Pairings and gamma signatures and Datalog, oh my! 🍪 Transcript: https://beta-share.descript.com/view/jHZJPab0n4gLinks:Biscuits V2: https://www.biscuitsec.orgExperiments iterating on  Biscuits: https://github.com/biscuit-auth/biscuit/tree/master/experimentationsApache Pulsar: https://pulsar.apache.orgSpec: https://github.com/biscuit-auth/biscuit/blob/master/SPECIFICATIONS.mdFind us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
“Can I Tailscale my Chromecast?” You love Tailscale, I love Tailscale, we loved talking to Avery Pennarun and Brad Fitzpatrick from Tailscale about, I dunno, Go generics. Oh, and TAILSCALE! And DNS. And WASM.People:Avery Pennarun (@apenwarr)Brad Fitzpatrick (@bradfitz)Deirdre Connolly (@durumcrustulum)Thomas Ptacek (@tqbf)David Adrian (@davidcadrian)@SCWPodLinks:DERP server: https://github.com/tailscale/tailscale/tree/main/derphttps://xtermjs.org/The Tail at Scale : https://research.google/pubs/pub40801/Raft: https://raft.github.io/Litestream: https://litestream.io/MagicDNS: https://tailscale.com/kb/1081/magicdns/Netstack: https://github.com/google/netstackTranscript: https://share.descript.com/view/2NAe5jEcEqB"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
We recorded this months ago, and now it's finally up! Colm MacCárthaigh joined us to chat about all things TLS, S2N, MTLS, SSH, fuzzing, formal verification, implementing state machines, and of course, DNSSEC.Transcript: https://share.descript.com/view/tjrQu8wZKT0Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Happy New Year! Feliz Navidad! Merry Yule! Happy Hannukah! Pour one out for the log4j incident responders!We did a call-in episode on Twitter Spaces and recorded it, so that's why the audio sounds different. We talked about BLOCKCHAIN/Web3 (blech), testing, post-quantum crypto, client certificates, ssh client certificates, threshold cryptography, U2F/WebAuthn, car fob attacks, geese, and more!Transcript: https://share.descript.com/view/N9ROtj1AiW0Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Hey, a new episode! We had a fantastic conversation with Jason Donenfeld, creator of our favorite modern VPN protocol: WireGuard! We touched on kernel hacking, formal verification, post-quantum cryptography, developing with disassemblers, and more!Transcript: https://share.descript.com/view/olVgXGtRpsYLinks: WireGuard: https://www.wireguard.comTamarin: https://tamarin-prover.github.ioIDApro: https://hex-rays.com/ida-proNIST PQC: https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissionsWireGuard Patreon: https://www.patreon.com/zx2c4"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
A conversation that started with PAKEs (password-authenticated key exchanges) and touched on some cool math things: PRFs, finite fields, elliptic curve groups, anonymity protocols, hashing to curve groups, prime order groups, and more. With special guest, George Tankersley!Transcript: https://share.descript.com/view/X8x8oO2Q8TwLinks: SRP deprecation: https://blog.cryptographyengineering.com/should-you-use-srpOPAQUE: https://www.ietf.org/id/draft-irtf-cfrg-opaque-06.htmlobfs: https://github.com/shadowsocks/simple-obfsElligator: https://elligator.cr.yp.toHash to Curve: https://www.ietf.org/archive/id/draft-irtf-cfrg-hash-to-curve-12.htmlMagic Wormhole: https://github.com/magic-wormhole/magic-wormholeBiscuits: https://github.com/CleverCloud/biscuitRistretto: https://ristretto.groupMonero signature bug: https://www.getmonero.org/ru/2017/05/17/disclosure-of-a-major-bug-in-cryptonote-based-currencies.htmlSIDH smooth-order supersingular curves: https://link.springer.com/chapter/10.1007/978-3-662-53018-4_21"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
"Patch, Damnit!"

"Patch, Damnit!"

2021-09-2001:14:56

A lot of fixes got pushed in the past week! Please apply your updates! Apple, Chrome, Matrix, Azure, and more nonsense.Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrianLinks!The accuvant story in MIT Technology ReviewAll the Apple platforms patched FORCEDENTRY no-click 0-dayChrome patched some 0-days that were being exploited in the wildPASETO update Transcript: https://share.descript.com/view/Um4im6a3dqj"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Not the hero the internet deserves, but the one we need: it's Ryan Sleevi!We get into the weeds on becoming a certificate authority, auditing said authorities, DNSSEC, DANE, taking over country code top level domains, Luxembourg, X.509, ASN.1, CBOR, more JSON (!), ACME, Let's Encrypt, and more, on this extra lorge episode with the web PKI's Batman.Transcript: https://share.descript.com/view/61pZGOJlqu6Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Comments (1)

Luiz Puodzius

I liked it.🤙🥇

Jan 2nd
Reply
Download from Google Play
Download from App Store