We’re throwing a party in Vegas! Someone called it SCWPodCon last year, and the name stuck. It’s sponsored by Teleport, the infrastructure identity company. Get SSO for SSH! If Thomas was here, I’m sure he’d tell you that Fly.io uses Teleport internally. Oh also there's some thing called Black..pill? Black Pool? Something like that happening in Vegas, with crypto talks, so we chatted about them a bit, plus some other stuffSCWPodCon 2025: https://securitycryptographywhatever.com/events/blackhatTranscript: https://securitycryptographywhatever.com/2025/07/29/vegas-baby/Links:- Fault Injection attacks on PQCS signatures: https://www.blackhat.com/us-25/briefings/schedule/index.html#bypassing-pqc-signature-verification-with-fault-injection-dilithium-xmss-sphincs-46362- Another attack on TETRA: https://www.blackhat.com/us-25/briefings/schedule/index.html#2-cops-2-broadcasting-tetra-end-to-end-under-scrutiny-46143- Attacks on SCADA / ICS protocols (OPC UA): https://www.blackhat.com/us-25/briefings/schedule/index.html#no-vpn-needed-cryptographic-attacks-against-the-opc-ua-protocol-44760- Attacks on Nostr: https://www.blackhat.com/us-25/briefings/schedule/index.html#not-sealed-practical-attacks-on-nostr-a-decentralized-censorship-resistant-protocol-45726- https://signal.org/blog/the-ecosystem-is-moving/- https://en.wikipedia.org/wiki/Nostr- https://eurosp2025.ieee-security.org/program.html- https://cispa.de/en/research/publications/84648-attacking-and-fixing-the-android-protected-confirmation-protocol- https://hal.science/hal-05038009v2/file/main.pdf- 8-bit, abacus, and a dog: https://eprint.iacr.org/2025/1237.pdf- https://www.youtube.com/watch?v=Dlsa9EBKDGI- https://www.quantamagazine.org/computer-scientists-figure-out-how-to-prove-lies-20250709/- https://eprint.iacr.org/2025/118"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
--------
1:00:56
--------
1:00:56
E2EE Storage Done Right with Matilda Backendal Jonas Hofmann and Kien Tuong Truong
It seems like everyone that tries to deploy end-to-end encrypted cloudstorage seems to mess it up, often in new and creative ways. Our specialguests Matilda Backendal, Jonas Hofmann, and Kien Tuong Truong give us a tour through the breakage and discuss a new formal model of how to actually build a secure E2EE storage system.Watch on YouTube: https://youtu.be/sizLiK_byCwTranscript: https://securitycryptographywhatever.com/2025/05/19/e2ee-storage/Links:- https://brokencloudstorage.info- https://eprint.iacr.org/2024/1616.pdf- https://www.sync.com- https://www.pcloud.com- https://icedrive.net- https://seafile.com- https://tresorit.com- https://eprint.iacr.org/2024/989.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
--------
1:02:25
--------
1:02:25
Picking Quantum Resistant Algorithms
Migrating the US government to quantum-resistant cryptography is hard, luckily the gamer presidents are on it. This episode is extremely not safe for work, nor does it reflect the political opinions of, well, anybody."Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
--------
14:56
--------
14:56
Apple Pulls Advanced Data Protection in the UK with Matt Green and Joe Hall
Apple has pulled the availability of their opt-in iCloud end-to-end encryption feature, called Advanced Data Protection, in the UK. This doesn't only affect UK Apple users, however. To help us make sense of this surprising move from the fruit company, we got Matt Green, Associate Professor at Johns Hopkins, and Joe Hall, Distinguished Technologist at the Internet Society, on the horn. Recorded Saturday February 22nd, 2025.Transcript: https://securitycryptographywhatever.com/2025/02/24/apple-pulls-adp-in-uk/Watch episode on YouTube: https://youtu.be/LAn_yOGUkR0Links:- https://www.lawfaremedia.org/article/apples-cloud-key-vault-and-secure-law-enforcement-access- https://www.androidcentral.com/how-googles-backup-encryption-works-good-bad-and-ugly- https://gdpr.eu/right-to-be-forgotten/- https://www.legislation.gov.uk/id/ukpga/2024/9- https://www.nytimes.com/2021/05/17/technology/apple-china-censorship-data.html- https://en.wikipedia.org/wiki/Salt_Typhoon- Salt Typhoon: https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats- https://www.bloomberg.com/news/articles/2025-02-21/apple-removes-end-to-end-encryption-feature-from-uk-after-backdoor-order- https://support.apple.com/en-us/102651"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
--------
48:30
--------
48:30
Cryptanalyzing LLMs with Nicholas Carlini
'Let us model our large language model as a hash function—' Sold.Our special guest Nicholas Carlini joins us to discuss differential cryptanalysis on LLMs and other attacks, just as the ones that made OpenAI turn off some features, hehehehe.Watch episode on YouTube: https://youtu.be/vZ64xPI2Rc0Transcript: https://securitycryptographywhatever.com/2025/01/28/cryptanalyzing-llms-with-nicholas-carlini/Links:- https://nicholas.carlini.com- “Stealing Part of a Production Language Model”: https://arxiv.org/pdf/2403.06634- ‘Why I attack"’: https://nicholas.carlini.com/writing/2024/why-i-attack.html- “Cryptanalytic Extraction of Neural Network Models”, CRYPTO 2020: https://arxiv.org/abs/2003.04884- “Stochastic Parrots”: https://dl.acm.org/doi/10.1145/3442188.3445922- https://help.openai.com/en/articles/5247780-using-logit-bias-to-alter-token-probability-with-the-openai-api- https://community.openai.com/t/temperature-top-p-and-top-k-for-chatbot-responses/295542- https://opensource.org/license/mit- https://github.com/madler/zlib- https://ai.meta.com/blog/yann-lecun-ai-model-i-jepa/- https://nicholas.carlini.com/writing/2024/how-i-use-ai.html"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)