Security. Cryptography. Whatever.
https://securitycryptographywhatever.com
Feed last updated Fri, 25 Nov 2022 17:31:01 -0500. © 2022 Security. Cryptography. Whatever. Hosted by Deirdre Connolly, Thomas Ptacek, David Adrian.

Software Safety and Twitter, with Kevin Riggle

We talk to Kevin Riggle (@kevinriggle) about complexity and safety. We also talk about the Twitter acquisition. While recording, we discovered a new failure mode where Kevin couldn't hear Thomas, but David and Deirdre could, so there's not much Thomas this episode. If you ever need to get Thomas to voluntarily stop talking, simply mute him to half the audience!

https://twitter.com/kevinriggle

Transcript: https://beta-share.descript.com/view/WTrQGK4xEVj

Errata

  • It was the Mars Climate Orbiter that crashed due to a units mismatch
  • David confused the Dreamliner with the 737 Max

"Security. Cryptography. Whatever." is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian).

Published: Thu, 24 Nov 2022 03:00:00 -0500 (season 2, episode 7; duration 3516 s)
Matrix, with Martin Albrecht & Dan Jones

No, not the movie: the secure group messaging protocol! Or rather, all the bugs and vulns that a team of researchers found when trying to formalize said protocol. Martin Albrecht and Dan Jones joined us to walk us through "Practically-exploitable Cryptographic Vulnerabilities in Matrix".

Links: 

  • https://nebuchadnezzar-megolm.github.io/static/paper.pdf
  • https://nebuchadnezzar-megolm.github.io
  • Signal Private Group system: https://eprint.iacr.org/2019/1416.pdf
  • https://signal.org/blog/signal-private-group-system/
  • https://spec.matrix.org/latest/
  • WhatsApp Security Whitepaper: https://www.whatsapp.com/security/WhatsApp-Security-Whitepaper.pdf
  • FS, PCS etc.: https://www.usenix.org/conference/usenixsecurity21/presentation/albrecht
  • Other clients: CVE-2022-39252 (https://nvd.nist.gov/vuln/detail/CVE-2022-39252), CVE-2022-39254 (https://nvd.nist.gov/vuln/detail/CVE-2022-39254), CVE-2022-39264 (https://nvd.nist.gov/vuln/detail/CVE-2022-39264)
  • https://dadrian.io/blog/posts/roll-your-own-crypto/
  • https://podcasts.apple.com/us/podcast/the-great-roll-your-own-crypto-debate-feat-filippo-valsorda/id1578405214?i=1000530617719 
  • WhatsApp End-to-End Encrypted Backups: https://blog.whatsapp.com/end-to-end-encrypted-backups-on-whatsapp
  • Roll your own and Telegram: https://mtpsym.github.io/ 


Transcript: https://beta-share.descript.com/view/u3VFzjvqrql

Published: Wed, 02 Nov 2022 01:00:00 -0400 (season 2, episode 6; duration 3984 s)
SOC2, with Sarah Harvey

We have Sarah Harvey (@worldwise001 on Twitter) on to talk about SOC2: what it means, how to get it, and whether it's important or not. The discussion centers around two blog posts written by Thomas:

  • SOC2 Starting Seven: https://latacora.micro.blog/2020/03/12/the-soc-starting.html
  • SOC2 at Fly: https://fly.io/blog/soc2-the-screenshots-will-continue-until-security-improves/

Transcript: https://beta-share.descript.com/view/XF24jrLSOX9

Published: Sun, 16 Oct 2022 17:00:00 -0400 (season 2, episode 5; duration 3697 s)
Nate Lawson II

This episode got delayed because David got COVID. Anyway, here's Nate Lawson: The Two Towers.

Transcript: https://share.descript.com/view/0KOcX9TR05p

Errata:

  • Pedram Amini did in fact do Pai Mei

Published: Thu, 29 Sep 2022 17:00:00 -0400 (season 2, episode 4; duration 4999 s)
Nate Lawson: Part 1

We bring on Nate Lawson of Root Labs to talk about a little bit of everything, starting with cryptography in the 1990s.

References

  • IBM S/390: https://ieeexplore.ieee.org/document/5389176
  • SSLv2 Spec: https://www-archive.mozilla.org/projects/security/pki/nss/ssl/draft02.html
  • Xbox 360 HMAC: https://beta.ivc.no/wiki/index.php/Xbox_360_Timing_Attack
  • Google Keyczar HMAC bug (reported by Nate): https://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/

Errata

  • HMAC actually published in 1996, not 1997
  • "That was one of the first, I think hardware applications of DPA was, was, um, satellite TV cards." Not true: they first broke Mondex, a MasterCard smart card

Transcript: https://share.descript.com/view/lhzrbt6hDeL

Published: Fri, 09 Sep 2022 16:00:00 -0400 (season 2, episode 3; duration 4811 s)
Hot Cryptanalytic Summer feat. Steven Galbraith

Are the isogenies kaput?! There's a new attack that breaks all the known parameter sets for SIDH/SIKE, so Steven Galbraith helps explain where the hell this came from, and where isogeny crypto goes from here.

Transcript: https://share.descript.com/view/Xiv307FvOPA

Merch: https://merch.scwpodcast.com

Published: Thu, 11 Aug 2022 14:00:00 -0400 (season 2, episode 2; duration 3155 s)
Passkeys feat. Adam Langley

Adam Langley (Google) comes on the podcast to talk about the evolution of WebAuthN and Passkeys!

David's audio was a little finicky in this one. Believe us, it sounded worse before we edited it. Also, we occasionally accidentally refer to U2F as UTF. That's because we just really love strings.

Transcript: https://share.descript.com/view/pBAXADn8gKW

Don't forget about merch! https://merch.securitycryptographywhatever.com/

Published: Thu, 11 Aug 2022 12:00:00 -0400 (season 2, episode 1; duration 3781 s)
Hertzbleed

Side channels! Frequency scaling! Key encapsulation, oh my! We're talking about the new Hertzbleed paper, but also cryptography conferences, 'passkeys', and end-to-end encrypting yer twitter.com DMs.

Transcript: https://share.descript.com/view/lPM4lsxha63

Merch: https://merch.scwpodcast.com

Published: Fri, 17 Jun 2022 22:00:00 -0400 (duration 3519 s)
OMB Zero Trust Memo, with Eric Mill

The US government released a memo about moving to a zero-trust network architecture. What does this mean? We have one of the authors, Eric Mill, on to explain it to us.

As always, your @SCWPod hosts are Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian).

Transcript: https://share.descript.com/view/UayEVA596OK

Published: Fri, 10 Jun 2022 21:00:00 -0400 (duration 3633 s)
Tink, with Sophie Schmieg

We talk about Tink with Sophie Schmieg, a cryptographer and algebraic geometer at Google.

Transcript: https://beta-share.descript.com/view/v2Q5Ix8pvbD

Published: Sat, 28 May 2022 17:00:00 -0400 (duration 4022 s)
Cancellable Crypto Takes, and Real World Crypto

Live from Amsterdam, it's cancellable crypto hot takes! A fun little meme, plus a preview of the Real World Crypto program!

Transcript: https://share.descript.com/view/GiVlw4qKV2i

Links:

Tony's twete: https://twitter.com/bascule/status/1512539700220805124
Real World Crypto 2022: https://rwc.iacr.org/2022
Merch! https://merch.scwpodcast.com

Find us at:
https://twitter.com/scwpod
https://twitter.com/durumcrustulum
https://twitter.com/tqbf
https://twitter.com/davidcadrian

Published: Tue, 12 Apr 2022 20:00:00 -0400 (duration 4264 s)
Lattices and Michigan Football, feat. Chris Peikert

We're back! With an episode on lattice-based cryptography, with Professor Chris Peikert of the University of Michigan, David's alma mater. When we recorded this, Michigan football had just beaten Ohio for the first time in a bajillion years, so you get a nerdy coda on college football this time!

Transcript: https://share.descript.com/view/El2a4Z7OLsd

Slides: https://web.eecs.umich.edu/~cpeikert/pubs/slides-qcrypt.pdf

Links:

He Gives C-Sieves on the CSIDH: https://eprint.iacr.org/2019/725
Lattice-based Cryptography: https://cims.nyu.edu/~regev/papers/pqc.pdf
NIST PQC Competition: https://csrc.nist.gov/Projects/post-quantum-cryptography
The 2nd Bar Ilan Winter School on Cryptography: Lattice-Based Cryptography and Applications: https://www.youtube.com/playlist?list=PL8Vt-7cSFnw2OmpCmPLLwSx0-Yqb2ptqO
A Decade of Lattice Cryptography: https://eprint.iacr.org/2015/939.pdf

Published: Sat, 12 Mar 2022 22:00:00 -0500 (duration 4201 s)
Biscuits, feat. Geoffroy Couprie

We've trashed JWTs, discussed PASETO, Macaroons, and now, Biscuits! Actually, multiple iterations of Biscuits! Pairings and gamma signatures and Datalog, oh my! 🍪

Transcript: https://beta-share.descript.com/view/jHZJPab0n4g

Links:

Biscuits V2: https://www.biscuitsec.org

Experiments iterating on Biscuits: https://github.com/biscuit-auth/biscuit/tree/master/experimentations

Apache Pulsar:
https://pulsar.apache.org

Spec:
https://github.com/biscuit-auth/biscuit/blob/master/SPECIFICATIONS.md

Published: Sat, 29 Jan 2022 01:00:00 -0500 (duration 3535 s)
Tailscale, feat. Avery Pennarun and Brad Fitzpatrick

“Can I Tailscale my Chromecast?”

You love Tailscale, I love Tailscale, we loved talking to Avery Pennarun and Brad Fitzpatrick from Tailscale about, I dunno, Go generics. Oh, and TAILSCALE! And DNS. And WASM.

People:

  • Avery Pennarun (@apenwarr)
  • Brad Fitzpatrick (@bradfitz)
  • Deirdre Connolly (@durumcrustulum)
  • Thomas Ptacek (@tqbf)
  • David Adrian (@davidcadrian)
  • @SCWPod

Transcript: https://share.descript.com/view/2NAe5jEcEqB

Published: Sat, 15 Jan 2022 04:00:00 -0500 (duration 4702 s)
The feeling's mutual: mTLS, feat. Colm MacCárthaigh

We recorded this months ago, and now it's finally up!

Colm MacCárthaigh joined us to chat about all things TLS, s2n, mTLS, SSH, fuzzing, formal verification, implementing state machines, and of course, DNSSEC.

Transcript: https://share.descript.com/view/tjrQu8wZKT0

Published: Wed, 29 Dec 2021 01:00:00 -0500 (duration 4231 s)
Holiday Call-in Spectacular!

Happy New Year! Feliz Navidad! Merry Yule! Happy Hanukkah! Pour one out for the log4j incident responders!

We did a call-in episode on Twitter Spaces and recorded it, so that's why the audio sounds different. We talked about BLOCKCHAIN/Web3 (blech), testing, post-quantum crypto, client certificates, ssh client certificates, threshold cryptography, U2F/WebAuthn, car fob attacks, geese, and more!

Transcript: https://share.descript.com/view/N9ROtj1AiW0

Published: Tue, 21 Dec 2021 21:00:00 -0500 (duration 4929 s)
WireGuard, feat. Jason Donenfeld

Hey, a new episode! We had a fantastic conversation with Jason Donenfeld, creator of our favorite modern VPN protocol: WireGuard! We touched on kernel hacking, formal verification, post-quantum cryptography, developing with disassemblers, and more!

Transcript: https://share.descript.com/view/olVgXGtRpsY

Published: Sun, 05 Dec 2021 17:00:00 -0500 (duration 4866 s)
PAKEs, oPRFs, algebra, feat. George Tankersley

A conversation that started with PAKEs (password-authenticated key exchanges) and touched on some cool math things: PRFs, finite fields, elliptic curve groups, anonymity protocols, hashing to curve groups, prime order groups, and more.

With special guest, George Tankersley!

Transcript: https://share.descript.com/view/X8x8oO2Q8Tw

Published: Tue, 26 Oct 2021 19:00:00 -0400 (duration 4509 s)

"Patch, Damnit!"

A lot of fixes got pushed in the past week! Please apply your updates! Apple, Chrome, Matrix, Azure, and more nonsense.

Links!
The Accuvant story in MIT Technology Review
All the Apple platforms patched FORCEDENTRY no-click 0-day
Chrome patched some 0-days that were being exploited in the wild
PASETO update

Transcript:
https://share.descript.com/view/Um4im6a3dqj

Published: Mon, 20 Sep 2021 04:00:00 -0400 (duration 4496 s)
How to be a Certificate Authority, feat. Ryan Sleevi

Not the hero the internet deserves, but the one we need: it's Ryan Sleevi!

We get into the weeds on becoming a certificate authority, auditing said authorities, DNSSEC, DANE, taking over country code top level domains, Luxembourg, X.509, ASN.1, CBOR, more JSON (!), ACME, Let's Encrypt, and more, on this extra lorge episode with the web PKI's Batman.


Transcript: https://share.descript.com/view/61pZGOJlqu6

Published: Mon, 06 Sep 2021 04:00:00 -0400 (duration 5651 s)
Apple's CSAM Detection, feat. Matthew Green

We're talking about Apple's new proposed client-side CSAM detection system. We weren't sure if we were going to cover this, and then we realized that not all of us have been paying super close attention to what the hell this thing is, and have a lot of questions about it. So we're talking about it, with our special guest Professor Matthew Green.

We cover how Apple's system works, what it does (and doesn't), where we have unanswered questions, and where some of the gaps are.

Transcript: https://share.descript.com/view/cEni6L9rMxI

Find us at:
https://twitter.com/scwpod
https://twitter.com/durumcrustulum
https://twitter.com/tqbf
https://twitter.com/davidcadrian

Links:
https://www.apple.com/child-safety/pdf/CSAM_Detection_Technical_Summary.pdf

https://www.apple.com/child-safety/pdf/Apple_PSI_System_Security_Protocol_and_Analysis.pdf

https://www.law.cornell.edu/uscode/text/18/2258A

https://www.missingkids.org/content/dam/missingkids/gethelp/2020-reports-by-esp.pdf

https://www.reuters.com/article/us-apple-fbi-icloud-exclusive/exclusive-apple-dropped-plan-for-encrypting-backups-after-fbi-complained-sources-idUSKBN1ZK1CT

https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_what_it_does

https://research.fb.com/blog/2021/02/understanding-the-intentions-of-child-sexual-abuse-material-csam-sharers/

https://www.nytimes.com/interactive/2019/11/09/us/internet-child-sex-abuse.html

https://www.apple.com/child-safety/pdf/Expanded_Protections_for_Children_Frequently_Asked_Questions.pdf
"Security. Cryptography. Whatever." is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian).

Deirdre Connolly, Thomas Ptacek, David Adrian Buzzsprout-9099774 Fri, 27 Aug 2021 23:00:00 -0400 3177 full false
Platform Security Part Deux, feat. Justin Schuh We did not run out of things to talk about: Chrome vs. Safari vs. Firefox. Rust vs. C++. Bug bounties vs. exploit development. The Peace Corps vs. The Marine Corps.

Transcript: https://share.descript.com/view/DpeqIOCREyZ

Find us at:
https://twitter.com/scwpod
https://twitter.com/durumcrustulum
https://twitter.com/tqbf
https://twitter.com/davidcadrian

"Security. Cryptography. Whatever." is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian).

Security, Cryptography, Whatever Buzzsprout-9063230 Sat, 21 Aug 2021 00:00:00 -0400 4802 full false
What do we do about JWT? feat. Jonathan Rudenberg 🔥JWT🔥

We talk about all sorts of tokens: JWT, PASETO, Protobuf Tokens, Macaroons, and Biscuits. With the great Jonathan Rudenberg!

After we recorded this, Thomas went deep on tokens even beyond what we talked about here: https://fly.io/blog/api-tokens-a-tedious-survey/

Transcript: https://share.descript.com/view/pb428e60pPo

Find us at:
https://twitter.com/durumcrustulum
https://twitter.com/tqbf
https://twitter.com/davidcadrian
https://twitter.com/scwpod

"Security. Cryptography. Whatever." is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian).

Security, Cryptography, Whatever Buzzsprout-9020991 Thu, 12 Aug 2021 16:00:00 -0400 4496 full false
The Great "Roll Your Own Crypto" Debate, feat. Filippo Valsorda Special guest Filippo Valsorda joins us to debate with Thomas on whether one should or should not "roll your own crypto", and how to produce better cryptography in general.

After we recorded this, David went even deeper on "rolling your own crypto" in a blog post here: https://dadrian.io/blog/posts/roll-your-own-crypto/

Transcript: https://share.descript.com/view/2tqKjLxleKM

Links:
https://peter.website/meow-hash-cryptanalysis
https://arxiv.org/pdf/2107.04940.pdf
https://ristretto.group
https://filippo.io/heartbleed

Find us at:
https://twitter.com/durumcrustulum
https://twitter.com/tqbf
https://twitter.com/davidcadrian

"Security. Cryptography. Whatever." is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian).

Security, Cryptography, Whatever Buzzsprout-8953842 Sat, 31 Jul 2021 18:00:00 -0400 3648 full false
NSO group, Pegasus, Zero-Days, i(OS|Message) security Deirdre, Thomas and David talk about NSO group, Pegasus, whether iOS is a burning trash fire, the zero-day market, and whether rewriting all of iOS in Swift is a viable strategy for reducing all these vulns.

Transcript: https://share.descript.com/view/PQRb3nsY7N4

Find us at:
https://twitter.com/durumcrustulum
https://twitter.com/tqbf
https://twitter.com/davidcadrian

"Security. Cryptography. Whatever." is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian).

Security, Cryptography, Whatever Buzzsprout-8926799 Mon, 26 Jul 2021 19:00:00 -0400 3575 full false