DiscoverSecurity. Cryptography. Whatever.
Security. Cryptography. Whatever.
Claim Ownership

Security. Cryptography. Whatever.

Author: Deirdre Connolly, Thomas Ptacek, David Adrian

Subscribed: 21Played: 129
Share

Description

Some cryptography & security people talk about security, cryptography, and whatever else is happening.
7 Episodes
Reverse
"Patch, Damnit!"

"Patch, Damnit!"

2021-09-2001:14:56

A lot of fixes got pushed in the past week! Please apply your updates! Apple, Chrome, Matrix, Azure, and more nonsense.Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrianLinks!The accuvant story in MIT Technology ReviewAll the Apple platforms patched FORCEDENTRY no-click 0-dayChrome patched some 0-days that were being exploited in the wildPASETO update Transcript: https://share.descript.com/view/Um4im6a3dqj
Not the hero the internet deserves, but the one we need: it's Ryan Sleevi!We get into the weeds on becoming a certificate authority, auditing said authorities, DNSSEC, DANE, taking over country code top level domains, Luxembourg, X.509, ASN.1, CBOR, more JSON (!), ACME, Let's Encrypt, and more, on this extra lorge episode with the web PKI's Batman.Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian
We're talking about Apple's new proposed client-side CSAM detection system. We weren't sure if we were going to cover this, and then we realized that not all of us have been paying super close attention to what the hell this thing is, and have a lot of questions about it. So we're talking about it, with our special guest Professor Matthew Green.We cover how Apple's system works, what it does (and doesn't), where we have unanswered questions, and where some of the gaps are.Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrianLinks:https://www.apple.com/child-safety/pdf/CSAM_Detection_Technical_Summary.pdfhttps://www.apple.com/child-safety/pdf/Apple_PSI_System_Security_Protocol_and_Analysis.pdfhttps://www.law.cornell.edu/uscode/text/18/2258Ahttps://www.missingkids.org/content/dam/missingkids/gethelp/2020-reports-by-esp.pdfhttps://www.reuters.com/article/us-apple-fbi-icloud-exclusive/exclusive-apple-dropped-plan-for-encrypting-backups-after-fbi-complained-sources-idUSKBN1ZK1CThttps://en.wikipedia.org/wiki/The_purpose_of_a_system_is_what_it_doeshttps://research.fb.com/blog/2021/02/understanding-the-intentions-of-child-sexual-abuse-material-csam-sharers/https://www.nytimes.com/interactive/2019/11/09/us/internet-child-sex-abuse.htmlhttps://www.apple.com/child-safety/pdf/Expanded_Protections_for_Children_Frequently_Asked_Questions.pdf
We did not run out of things to talk about: Chrome vs. Safari vs. Firefox. Rust vs. C++. Bug bounties vs. exploit development. The Peace Corps vs. The Marine Corps.Find us at:https://twitter.com/scwpodhttps://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrian
🔥JWT🔥We talk about all sorts of tokens: JWT, PASETO, Protobuf Tokens, Macaroons, and Biscuits. With the great Jonathan Rudenberg!After we recorded this, Thomas went deep on tokens even beyond what we talked about here: https://fly.io/blog/api-tokens-a-tedious-survey/Find us at:https://twitter.com/durumcrustulumhttps://twitter.com/tqbfhttps://twitter.com/davidcadrianhttps://twitter.com/scwpod
Special guest Filippo Valsorda joins us to debate with Thomas on whether one should or should not "roll your own crypto", and how to produce better cryptography in general.After we recorded this, David went even deeper  on 'rolling your own crypto' in a blog post here: https://dadrian.io/blog/posts/roll-your-own-crypto/Links:https://peter.website/meow-hash-cryptanalysishttps://arxiv.org/pdf/2107.04940.pdfhttps://ristretto.grouphttps://filippo.io/heartbleedFind us at:https://twitter.com/durumcrustulumhttps://twitter.com/tqbf https://twitter.com/davidcadrian
Deirdre, Thomas and David talk about NSO group, Pegasus,  whether iOS a burning trash fire, the zero-day market, and whether rewriting all of iOS in Swift is a viable strategy for reducing all these vulns.Find us at:https://twitter.com/durumcrustulumhttps://twitter.com/tqbf https://twitter.com/davidcadrian
Comments 
Download from Google Play
Download from App Store