Épisodes

  • A Little Bit of Rust Goes a Long Way with Android's Jeff Vander Stoep
    Oct 15 2024

    You may not be rewriting the world in Rust, but if you follow the findings of the Android team and our guest Jeff Vander Stoep, you'll drive down your memory-unsafety vulnerabilities more than 2X below the industry average over time! 🎉

    Transcript: https://securitycryptographywhatever.com/2024/10/15/a-little-bit-of-rust-goes-a-long-way/

    Links:
    - https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html
    - “Safe Coding”: https://dl.acm.org/doi/10.1145/3651621
    - “effectiveness of security design”: https://docs.google.com/presentation/d/16LZ6T-tcjgp3T8_N3m0pa5kNA1DwIsuMcQYDhpMU7uU/edit#slide=id.g3e7cac054a_0_89
    - https://security.googleblog.com/2024/02/improving-interoperability-between-rust-and-c.html
    - https://github.com/google/crubit
    - https://github.com/google/autocxx
    - https://en.wikipedia.org/wiki/Stagefright_(bug)
    - https://security.googleblog.com/2021/04/rust-in-android-platform.html
    - https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md
    - https://www.usenix.org/conference/usenixsecurity22/presentation/alexopoulos
    -https://kb.meinbergglobal.com/kb/time_sync/ntp/ntp_vulnerabilities_reported_2023-04
    - https://blog.isosceles.com/the-legacy-of-stagefright/
    - https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/
    - https://www.youtube.com/watch?v=QrrH2lcl9ew
    - https://source.android.com/docs/setup/build/rust/building-rust-modules/overview
    - https://github.com/rust-lang/rust-bindgen
    - https://security.googleblog.com/2021/06/rustc-interop-in-android-platform.html


    "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    Afficher plus Afficher moins
    1 h et 14 min
  • Campaign Security with [REDACTED]
    Oct 13 2024

    With the 2024 United States Presidential Election right around the corner, we talk to an unnamed guest who has worked on cybersecurity for political campaigns in the United States since 2004. We recorded this in late August, 2024.

    Transcript: https://securitycryptographywhatever.com/2024/10/13/campaign-security/

    Links:

    - Active Measures by Thomas Rind: https://us.macmillan.com/books/9780374287269/activemeasures
    - Aurora: https://en.wikipedia.org/wiki/Operation\_Aurora
    - Google APP announcement, October 2017: https://www.wired.com/story/google-advanced-protection-locks-down-accounts/
    - XXD: https://linux.die.net/man/1/xxd
    - Adobe Reader October 2016 Security Update: https://helpx.adobe.com/security/products/acrobat/apsb16-33.html


    "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    Afficher plus Afficher moins
    1 h et 24 min
  • Telegram with Matthew Green
    Sep 7 2024

    We finally have an excuse to tear down Telegram! Their CEO got arrested by the French, apparently not because the cryptography in Telegram is bad, but special guest Matt Green joined us to talk about how the cryptography is bad anyway, and you probably shouldn't use Telegram as a secure messenger of any kind!


    Transcript: https://securitycryptographywhatever.com/2024/09/06/telegram

    Links:

    - https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/
    - Lavabit / Ladar Levinson: https://en.wikipedia.org/wiki/Lavabit
    - Pavel Durov indictment statement from French authorities: https://www.tribunal-de-paris.justice.fr/sites/default/files/2024-08/2024-08-28%20-%20CP%20TELEGRAM%20mise%20en%20examen.pdf
    - MTProto 2.0 protocol spec: https://core.telegram.org/api/end-to-end
    - https://words.filippo.io/dispatches/telegram-ecdh/
    - MTProto 1.0 (old no longer used): - https://web.archive.org/web/20131220000537/https://core.telegram.org/api/end-to-end#key-generation
    - OTR: https://otr.cypherpunks.ca/otr-wpes.pdf
    - AES and sha2 used in ‘Infinite Garble Extension’ mode: https://eprint.iacr.org/2015/1177.pdf
    - Four Attacks and a Proof for Telegram: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833666
    - History of Telegram e2ee chats availability: https://en.wikipedia.org/wiki/Telegram_(software)#Architecture
    - https://securitycryptographywhatever.com/2023/01/27/threema/
    - https://securitycryptographywhatever.com/2022/11/02/Matrix-with-Martin-Albrecht-Dan-Jones/
    - https://en.wikipedia.org/wiki/Matrix_(protocol), introduced in September 2014


    "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    Afficher plus Afficher moins
    1 h et 4 min
  • Summertime Sadness
    Jul 25 2024

    Are you going to be in Vegas during BlackHat / DEF CON? We're hosting a mixer, sponsored by Observa! We have limited capacity, so please only register if you can actually come. Location details are in the confirmation email. Tickets will be released in batches, so if you get waitlisted, there's a good chance you still get in. Looking forward to seeing you in Vegas!

    Ticket Link: https://www.eventbrite.com/e/scwpod-vegas-2024-tickets-946939099337

    We talk about CrowdStrike in this episode, but we know we made some mistakes:

    • The sys files may be code in addition to data.
    • The bug might be bigger than "just" a null pointer exception.

    Luckily, none of that is actually relevant to the main issues we discuss.

    Show page: https://securitycryptographywhatever.com/2024/07/24/summertime-sadness/

    Other Links:

    • https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization
    • https://dadrian.io/blog/posts/pqc-signatures-2024/
    • https://dadrian.io/blog/posts/cto/
    • https://www.blackhat.com/us-24/briefings/schedule/
    • https://terrapin-attack.com/
    • https://www.youtube.com/watch?v=-AqayGm0_pw

    More like ClownStrike, amirite?


    "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    Afficher plus Afficher moins
    57 min
  • Zero Day Markets with Mark Dowd
    Jun 24 2024

    We have Mark Dowd on, founder of Aziumuth Security and one of the authors of The Art of Software Security Assessment, to talk about the market for zero day vulnerabilities, and how mitigations affect monetizing offensive security work.

    Transcript: https://securitycryptographywhatever.com/2024/06/24/mdowd/

    Links:

    • https://www.azimuthsecurity.com/
    • https://www.vigilantlabs.com/
    • https://github.com/mdowd79/presentations/blob/main/bluehat2023-mdowd-final.pdf
    • https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Hack-Different-Pwning-IOS-14-With-Generation-Z-Bug-wp.pdf
    • https://i.blackhat.com/USA-19/Wednesday/us-19-Shwartz-Selling-0-Days-To-Governments-And-Offensive-Security-Companies.pdf


    "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    Afficher plus Afficher moins
    1 h et 26 min
  • ekr
    May 24 2024

    iykyk

    Transcript: https://securitycryptographywhatever.com/2024/05/25/ekr/

    Links:
    - https://hovav.net/ucsd/dist/draft-shacham-tls-fasttrack-00.txt
    - https://crypto.stanford.edu/~dabo/pubs/papers/fasttrack.pdf
    - https://datatracker.ietf.org/doc/html/rfc8446
    - SoK: SCT Auditing in Certificate Transparency: https://arxiv.org/pdf/2203.01661
    - A hard look at Certificate Transparency, Part I: Transparency Systems: https://educatedguesswork.org/posts/transparency-part-1/
    - A hard look at Certificate Transparency: CT in Reality: https://educatedguesswork.org/posts/transparency-part-2/
    - E2EE on the web: is the web really that bad? https://emilymstark.com/2024/02/09/e2ee-on-the-web-is-the-web-really-that-bad.html
    - Launching Default End-to-End Encryption on Messenger: https://about.fb.com/news/2023/12/default-end-to-end-encryption-on-messenger/
    - ekr's newsletter: https://educatedguesswork.org
    - Over 25 years of ekr RFCs: https://www.rfc-editor.org/search/rfc_search_detail.php?sortkey=Date&sorting=DESC&page=All&author=rescorla&pubstatus[]=Any&pub_date_type=any

    Subscribe to his newsletter at https://educatedguesswork.org/


    "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    Afficher plus Afficher moins
    1 h et 48 min
  • STIR/SHAKEN with Paul Grubbs and Josh Brown
    Apr 30 2024

    Josh Brown and Paul Grubbs join us to describe how those damned spam calls work, and how STIR/SHAKEN is supposed to try to stop them, but have other privacy and security implications as well.

    Transcript: https://securitycryptographywhatever.com/2024/04/30/stir-shaken/

    Links:
    - https://iacr.org/submit/files/slides/2024/rwc/rwc2024/98/slides.pdf
    - https://www.youtube.com/watch?v=3trxXF0-fRU
    - Paul Grubbs: https://web.eecs.umich.edu/~paulgrub/


    "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    Afficher plus Afficher moins
    1 h et 2 min
  • Cryptography Tier List
    Mar 23 2024

    (NSFW) Three AI-generated guests rank cryptography things into a tier list. Play along at home and make your own tier list: https://tiermaker.com/create/cryptography-15683166

    This episode is definitely not safe for work and definitely a parody. Do not base your decision in the 2024 election off of this podcast episode. No campaigns have endorsed this podcast.


    "Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

    Afficher plus Afficher moins
    19 min