Security Cryptography Whatever

Apple announced its new suite of memory security improvements from the top of the stack all the way to the bottom, so we dug through what they did and how they did it (performantly). Watch on YouTube: https://www.youtube.com/watch?v=9FJwOI2PliUTranscript: https://securitycryptographywhatever.com/2025/10/31/apple-mieLinks:- https://security.apple.com/blog/memory-integrity-enforcement/- Secure Page Table Monitor and Trusted Execution Monitor: https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/1/web/1#secd022396fb- https://security.apple.com/blog/towards-the-next-generation-of-xnu-memory-safety/- https://developer.apple.com/documentation/xcode/adopting-type-aware-memory-allocation- https://security.apple.com/blog/what-if-we-had-sockpuppet-in-ios16/- https://arxiv.org/pdf/2510.09272- https://googleprojectzero.blogspot.com/2023/11/first-handset-with-mte-on-market.html- https://developer.apple.com/documentation/xcode/adopting-type-aware-memory-allocation- https://arxiv.org/pdf/2510.09272- https://spectreattack.com/spectre.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

There was a bug in an OpenPGP library which finally gave us an excuse to tear encrypted email via PGP to shreds. Our special guest William Woodruff joined us to help explain the vuln and indulge our gnashing of teeth on why email was never meant to be encrypted and how other modern tools do the job much, much better.Watch on YouTube: https://www.youtube.com/watch?v=IoL3LfIozJoTranscript: https://securitycryptographywhatever.com/2025/08/22/stop-using-encrypted-email-with-william-woodruffLinks:- William Woodruff: https://yossarian.net/- https://www.latacora.com/blog/2020/02/19/stop-using-encrypted/- https://www.rfc-editor.org/rfc/rfc4880- https://codeanlabs.com/blog/research/cve-2025-47934-spoofing-openpgp-js-signatures/- https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html- https://www.rfc-editor.org/rfc/rfc9580.html- https://www.tumblr.com/accidentallyquadratic- https://www.w3.org/TR/xmldsig-core/- https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP- https://www.rfc-editor.org/rfc/rfc9580.html#name-signature-packet-type-id-2- https://www.rfc-editor.org/rfc/rfc9580.html#name-key-derivation-function- https://en.wikipedia.org/wiki/S/MIME- https://delta.chat- https://signal.org/blog/the-ecosystem-is-moving/- https://phakeobj.netlify.app/posts/gigacage/- https://x.com/dakami-----BEGIN PGP MESSAGE-----U2FsdGVkX1/OF+EynrukxZnSAXwgksTGSIkQ6s4X9Ns7JgQ2ZymeQAp8uD09MtkJce5HOKcjhUkZOMbJl3I5iOcPgSxCGG8KccNXcY6msdAD3pdlmR5cWJpn6+qGwqvoKCsj+DYwFW6tltLBXP/cdnh9z8ktRXqfwQW+uhB5Zcaw28pzmNz/rA0cb0cLGiaXuxp9A0iWhwf2gFpUSiIJyXGLJAc8eeI1LXfISXi7IkowDMp4x+iDbOlrR0d6zCkpIKpNGReokcWhUrlGVONiVUrApZS2fvxQoHgaIvwLl5FM1WdrbQIV41DB+rgtZJhENSgMkhQ0y1bBAOM25ykRjC/UUS/q0ddXz1ThGi6vRIp4/8vkqOsEXHv5M1oT9FQTUGK3zyffq0FqGBFj6kwVZ0X0JQFmtydZKhSYEPE9s4mcfvxKNQsySK7wlxMerKrff9ZxOR7rHjE3IfqtoizX8EH+MYy2lRCoCKeLbZd0G1LcVhBhRpoXfqL2IboAWqT+U8R2eyts7qiNuWQUtmCzKNmaJMS+1M+pVN5ZXAdSqK2OJVJZgO8Ie7q4HVZeAd3GHzP7owf+VerCguOYN41cxGle1QpeFi0xcYHNna1bgbodFZ8eGDOq5yCuvmQa04XyJ4vRv7xcp/v16CniL1rN6KhnzdW2gLky8depnYyhm8NvdMFETA6K6eIYm1roD+C2wwOOKRxUpTI54ov+HYDDU+HUmpFykSesHQJ75o9m0w7V2kR/+E46olFMhHo8JWnLNsGd5QlD/fyedMXHAjimXuFk/YFnwa1lh4XwSwYm+c8ZnIfrS6oEEdUSwXMCwwVT7/tMw+ab0YRsx19hBLS41oxMz+DCah+/KDMEHv0I+VxaCH8ZfaKD4tRhduSvcWknNat3Xp8/MAmO5xN1U8s1dFvrlnt+yqDz7Wn0kVDiax2dTJVgftetqOkoSVvGdMex9K0ILUUMEpHYBISIaAc7NjoG4BieSeK7wuzBXdhHutVZVKp2ty+mAd8xPlrmemsXlzBhV/kcmF4rcG4eqoWcKpZQY8ZUDufwhIcNqIZEA+wQoKbmBQCR/NradwUrCAIsAQFMVhSYmr7ffA6Ty0twSWeVMDQmxdW+6gKA3EiTAJkFXPpdkhBUzuZHC7Eeph7DF0Ks8Vu/wzOhNsd2s2wYYF6Dl3xctcOj7eMw8VS1HtExszulM57TnqTDaLGPcX6om8NORwMEtQrCbJd/fdmoNPN/cXzLPHQj3qVZ0F50iNec6zSnmBLIRX4SAYOqzN/2icvr98Caa1oX3pUlm9W2Hcz30SXJDxOf+mqH6zL4QTAMs3/K9OkaO9nmyPelwoCwVI1q/PsMpqQhGikdM5hrzg6IcEOg5zpLB6N+wqkcGyXFzI2gSQTWYOv4thrIxPY5G9yNi4dhU+2+KJCa6aoPyAlyc41Yd3ARTeahHEjtdj6PcueRPQdVm+qWCRp09bp3oic7ljzMVrPRgdbRrzFyEAIhN9Fi4QZ08/yCLEt/BPG+N8j0cZixoj54SKi07uSOWRDrzGvgSegGCCIFKjAsq9ay0sBm61XLcZqdtj57NpNzd/y/yFYvjEQLyyn8VnFARwOaM3zjrufNC+kYVkHCYzfvu+JopScZjMiuBXI9v8OTOXlj+Ai97bnftwmpQ2635vyearRHCNATFNa96Sxd1cLjV+ECUlD4hAZQPyel8groXsyjKaMxoOkaZjG/5MDQ8KPtes32kjTmneyLSzrUaAD0F4l/iltBXzDNiT6BHD7HJmERbdkoab7+DC1hxxC1VuOHOX+G/U5NUNjxAercuFOY6kgAH5HM+woGjLUsoc5LESqyPdddeg==-----END PGP MESSAGE-----"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We chat with friend of the pod and special guest Alex Gaynor, former deputy chief technologist at the FTC and all around good Security Person™. Join for nerdery about WebAuthn, stay for accidentally melting down GitHub APIs around November 2020! Watch on YouTube: https://www.youtube.com/watch?v=gBoGvyvsSi4Transcript: https://securitycryptographywhatever.com/2025/08/16/alex-gaynorLinks:- https://knowyourmeme.com/memes/no-take-only-throw- https://alexgaynor.net/2025/jan/13/challenges-funding-open-source/- https://alexgaynor.net/2025/apr/08/putting-a-price-tag-on-open-source/- https://dadrian.io/blog/posts/corporate-support-xz/- https://alex.github.io/nyt-2020-election-scraper/battleground-state-changes.html- https://github.com/alex/nyt-2020-election-scraper"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We’re throwing a party in Vegas! Someone called it SCWPodCon last year, and the name stuck. It’s sponsored by Teleport, the infrastructure identity company. Get SSO for SSH! If Thomas was here, I’m sure he’d tell you that Fly.io uses Teleport internally. Oh also there's some thing called Black..pill? Black Pool? Something like that happening in Vegas, with crypto talks, so we chatted about them a bit, plus some other stuffSCWPodCon 2025: https://securitycryptographywhatever.com/events/blackhatTranscript: https://securitycryptographywhatever.com/2025/07/29/vegas-baby/Links:- Fault Injection attacks on PQCS signatures: https://www.blackhat.com/us-25/briefings/schedule/index.html#bypassing-pqc-signature-verification-with-fault-injection-dilithium-xmss-sphincs-46362- Another attack on TETRA: https://www.blackhat.com/us-25/briefings/schedule/index.html#2-cops-2-broadcasting-tetra-end-to-end-under-scrutiny-46143- Attacks on SCADA / ICS protocols (OPC UA): https://www.blackhat.com/us-25/briefings/schedule/index.html#no-vpn-needed-cryptographic-attacks-against-the-opc-ua-protocol-44760- Attacks on Nostr:  https://www.blackhat.com/us-25/briefings/schedule/index.html#not-sealed-practical-attacks-on-nostr-a-decentralized-censorship-resistant-protocol-45726- https://signal.org/blog/the-ecosystem-is-moving/- https://en.wikipedia.org/wiki/Nostr- https://eurosp2025.ieee-security.org/program.html- https://cispa.de/en/research/publications/84648-attacking-and-fixing-the-android-protected-confirmation-protocol- https://hal.science/hal-05038009v2/file/main.pdf- 8-bit, abacus, and a dog: https://eprint.iacr.org/2025/1237.pdf- https://www.youtube.com/watch?v=Dlsa9EBKDGI- https://www.quantamagazine.org/computer-scientists-figure-out-how-to-prove-lies-20250709/- https://eprint.iacr.org/2025/118"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

It seems like everyone that tries to deploy end-to-end encrypted cloudstorage seems to mess it up, often in new and creative ways. Our specialguests Matilda Backendal, Jonas Hofmann, and Kien Tuong Truong give us a tour through the breakage and discuss a new formal model of how to actually build a secure E2EE storage system.Watch on YouTube: https://youtu.be/sizLiK_byCwTranscript: https://securitycryptographywhatever.com/2025/05/19/e2ee-storage/Links:- https://brokencloudstorage.info- https://eprint.iacr.org/2024/1616.pdf- https://www.sync.com- https://www.pcloud.com- https://icedrive.net- https://seafile.com- https://tresorit.com- https://eprint.iacr.org/2024/989.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)