Some cryptography & security people talk about security, cryptography, and whatever else is happening.
Listen to episodes
60 recent
June 15, 2026Episode 61 hr 11 min
Facing the Vulnpocalypse with lcamtuf
We talk to Michał Zalewski (lcamtuf) about the vulnpocalypse and if we even need fuzzers anymore. This episode may be export controlled at a future date.Watch on YouTube: https://www.youtube.com/watch?v=uI9CSgB4p9oTranscript: https://securitycryptographywhatever.com/2026/06/14/facing-the-vulnpocalypse-with-lcamtufhttps://github.com/google/aflhttps://www.reddit.com/r/claude/comments/1tqtenf/anthropic_said_today_that_mythos_is_coming_to_all/https://github.com/google/clusterfuzzhttps://en.wikipedia.org/wiki/Jevons_paradoxhttps://en.wikipedia.org/wiki/XZ_Utils_backdoorhttps://en.wikipedia.org/wiki/Brighton_hotel_bombinghttps://curl.se/https://ftp.openbsd.org/pub/OpenBSD/patches/7.8/common/025_sack.patch.sighttps://www.wired.com/story/last-pass-vulnerability-password-safe/https://nostarch.com/tangledwebhttps://nostarch.com/silence.htmhttps://nostarch.com/practical-doomsdayhttps://nostarch.com/secret-life-of-circuitshttps://www.youtube.com/c/3blue1brown"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
March 26, 2026Episode 51 hr 16 min
AI Finds Vulns You Can't With Nicholas Carlini
Returning champion Nicholas Carlini comes back to talk about using Claude for vulnerability research, and the current vulnpocalypse. It's all very high-brow stuff, and the gang learns some bitter lessons.Watch on YouTube: https://www.youtube.com/watch?v=_IDbFLu9Ug8Transcript: https://securitycryptographywhatever.com/2026/03/25/ai-bug-finding/Links:- https://red.anthropic.com/2026/zero-days/- https://unpromptedcon.org/- Black-hat LLMs - https://red.anthropic.com/2026/firefox/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
March 10, 2026Episode 48 min
Standardizing Pure PQC
Standardizing cryptography involves a lot of opinions. Luckily, the gamer presidents are on it. Come on, you all know the drill.This is the last time I do this."Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
February 2, 2026Episode 31 hr 12 min
Python Cryptography Breaks Up with OpenSSL with Paul Kehrer and Alex Gaynor
The Python cryptography module, pyca/cryptography, has mostly been a sane wrapper around a pile of C, so that users get performant cryptography on the many, many platforms Python targets. Therefore its maintainers, Alex Gaynor and Paul Kehrer, have become intimately familiar with OpenSSL. Recently, they declared that after many years of trying to make it work, they announced pyca/cryptography would be moving away from OpenSSL when supporting new functionality and exploring adding other backends instead. We invited them on to tell us about what has happened to OpenSSL, even after the investments and improvements following Heartbleed. No guests on this pod represent anyone besides themselves.Watch on YouTube: https://www.youtube.com/watch?v=dEKBHI3rodYTranscript: https://securitycryptographywhatever.com/2026/02/01/python-cryptography-breaks-up-with-opensslLinks:- https://cryptography.io/en/latest/statements/state-of-openssl/- Py Cryptography: https://cryptography.io- https://archive.openssl-conference.org/2025/presentations/Alex_Gaynor_Paul_Kehrer_The_Python_Cryptographic_Authoritys_OpenSSL_Experience.pdf- https://securitycryptographywhatever.com/2025/08/16/alex-gaynor/- https://packages.gentoo.org/packages/media-libs/libsdl- https://www.youtube.com/watch?v=RUIguklWwx0- https://datatracker.ietf.org/doc/rfc9180/- https://docs.openssl.org/3.3/man3/OSSL_PARAM/- https://openssl.foundation/- https://github.com/openssl/openssl/issues/17064- https://www.feistyduck.com/newsletter/issue_132_openssl_performance_still_under_scrutiny- https://github.com/topazproject/topaz- https://github.com/actions/runner/issues/1069- https://crystalhotsauce.com/- https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467- https://en.wikipedia.org/wiki/Ship_of_Theseus- https://boringssl.googlesource.com/boringssl/+/aa202db1d7091b88b80f0a58c630c5c1aefc817d- https://www.ibm.com/products/open-sdk-for-rust-aix- https://dadrian.io/blog/posts/corporate-support-xz/- https://peps.python.org/- https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed448/- https://go.dev/blog/fips140- https://dadrian.io/blog/posts/roll-your-own-crypto/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
December 31, 2025Episode 256 min
The IACR Can't Decrypt with Matt Bernhard
The International Association of Cryptologic Research held their regular election using secure voting software called Helios…and lost the keys to decrypt the results, leaving them with no choice but to throw out the vote and call a new election. Hilarity ensues. We welcome special guest Matt Bernhard who actually works on secure voting systems to explain which bits are homomorphically additive or not.Watch on YouTube: https://www.youtube.com/watch?v=euw_yqAQFI8Transcript: https://securitycryptographywhatever.com/2025/12/30/iacr-heliosLinks:- NYT: https://www.nytimes.com/2025/11/21/world/cryptography-group-lost-election-results.html- IACR Memo: https://www.iacr.org/news/item/27138- https://www.iacr.org/elections/- https://vote.heliosvoting.org/faq- https://github.com/Election-Tech-Initiative/electionguard- https://www.usenix.org/legacy/events/sec08/tech/full_papers/adida/adida.pdf- https://www.iacr.org/elections/eVoting/about-helios.html- https://www.iacr.org/elections/eVoting/- https://crypto.ethz.ch/publications/files/CrGeSc97b.pdf- https://electionguard.vote/- https://eprint.iacr.org/2025/1901- https://freeandfair.us/blog/open-free-election-technology/- https://www.starvoting.org/- https://mbernhard.com/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
October 31, 2025Episode 156 min
Apple’s Memory Integrity Enforcement
Apple announced its new suite of memory security improvements from the top of the stack all the way to the bottom, so we dug through what they did and how they did it (performantly). Watch on YouTube: https://www.youtube.com/watch?v=9FJwOI2PliUTranscript: https://securitycryptographywhatever.com/2025/10/31/apple-mieLinks:- https://security.apple.com/blog/memory-integrity-enforcement/- Secure Page Table Monitor and Trusted Execution Monitor: https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/1/web/1#secd022396fb- https://security.apple.com/blog/towards-the-next-generation-of-xnu-memory-safety/- https://developer.apple.com/documentation/xcode/adopting-type-aware-memory-allocation- https://security.apple.com/blog/what-if-we-had-sockpuppet-in-ios16/- https://arxiv.org/pdf/2510.09272- https://googleprojectzero.blogspot.com/2023/11/first-handset-with-mte-on-market.html- https://developer.apple.com/documentation/xcode/adopting-type-aware-memory-allocation- https://arxiv.org/pdf/2510.09272- https://spectreattack.com/spectre.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
August 23, 2025Episode 121 hr 11 min
Stop Using Encrypted Email with William Woodruff
There was a bug in an OpenPGP library which finally gave us an excuse to tear encrypted email via PGP to shreds. Our special guest William Woodruff joined us to help explain the vuln and indulge our gnashing of teeth on why email was never meant to be encrypted and how other modern tools do the job much, much better.Watch on YouTube: https://www.youtube.com/watch?v=IoL3LfIozJoTranscript: https://securitycryptographywhatever.com/2025/08/22/stop-using-encrypted-email-with-william-woodruffLinks:- William Woodruff: https://yossarian.net/- https://www.latacora.com/blog/2020/02/19/stop-using-encrypted/- https://www.rfc-editor.org/rfc/rfc4880- https://codeanlabs.com/blog/research/cve-2025-47934-spoofing-openpgp-js-signatures/- https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html- https://www.rfc-editor.org/rfc/rfc9580.html- https://www.tumblr.com/accidentallyquadratic- https://www.w3.org/TR/xmldsig-core/- https://support.yubico.com/hc/en-us/articles/360013790259-Using-Your-YubiKey-with-OpenPGP- https://www.rfc-editor.org/rfc/rfc9580.html#name-signature-packet-type-id-2- https://www.rfc-editor.org/rfc/rfc9580.html#name-key-derivation-function- https://en.wikipedia.org/wiki/S/MIME- https://delta.chat- https://signal.org/blog/the-ecosystem-is-moving/- https://phakeobj.netlify.app/posts/gigacage/- https://x.com/dakami-----BEGIN PGP MESSAGE-----U2FsdGVkX1/OF+EynrukxZnSAXwgksTGSIkQ6s4X9Ns7JgQ2ZymeQAp8uD09MtkJce5HOKcjhUkZOMbJl3I5iOcPgSxCGG8KccNXcY6msdAD3pdlmR5cWJpn6+qGwqvoKCsj+DYwFW6tltLBXP/cdnh9z8ktRXqfwQW+uhB5Zcaw28pzmNz/rA0cb0cLGiaXuxp9A0iWhwf2gFpUSiIJyXGLJAc8eeI1LXfISXi7IkowDMp4x+iDbOlrR0d6zCkpIKpNGReokcWhUrlGVONiVUrApZS2fvxQoHgaIvwLl5FM1WdrbQIV41DB+rgtZJhENSgMkhQ0y1bBAOM25ykRjC/UUS/q0ddXz1ThGi6vRIp4/8vkqOsEXHv5M1oT9FQTUGK3zyffq0FqGBFj6kwVZ0X0JQFmtydZKhSYEPE9s4mcfvxKNQsySK7wlxMerKrff9ZxOR7rHjE3IfqtoizX8EH+MYy2lRCoCKeLbZd0G1LcVhBhRpoXfqL2IboAWqT+U8R2eyts7qiNuWQUtmCzKNmaJMS+1M+pVN5ZXAdSqK2OJVJZgO8Ie7q4HVZeAd3GHzP7owf+VerCguOYN41cxGle1QpeFi0xcYHNna1bgbodFZ8eGDOq5yCuvmQa04XyJ4vRv7xcp/v16CniL1rN6KhnzdW2gLky8depnYyhm8NvdMFETA6K6eIYm1roD+C2wwOOKRxUpTI54ov+HYDDU+HUmpFykSesHQJ75o9m0w7V2kR/+E46olFMhHo8JWnLNsGd5QlD/fyedMXHAjimXuFk/YFnwa1lh4XwSwYm+c8ZnIfrS6oEEdUSwXMCwwVT7/tMw+ab0YRsx19hBLS41oxMz+DCah+/KDMEHv0I+VxaCH8ZfaKD4tRhduSvcWknNat3Xp8/MAmO5xN1U8s1dFvrlnt+yqDz7Wn0kVDiax2dTJVgftetqOkoSVvGdMex9K0ILUUMEpHYBISIaAc7NjoG4BieSeK7wuzBXdhHutVZVKp2ty+mAd8xPlrmemsXlzBhV/kcmF4rcG4eqoWcKpZQY8ZUDufwhIcNqIZEA+wQoKbmBQCR/NradwUrCAIsAQFMVhSYmr7ffA6Ty0twSWeVMDQmxdW+6gKA3EiTAJkFXPpdkhBUzuZHC7Eeph7DF0Ks8Vu/wzOhNsd2s2wYYF6Dl3xctcOj7eMw8VS1HtExszulM57TnqTDaLGPcX6om8NORwMEtQrCbJd/fdmoNPN/cXzLPHQj3qVZ0F50iNec6zSnmBLIRX4SAYOqzN/2icvr98Caa1oX3pUlm9W2Hcz30SXJDxOf+mqH6zL4QTAMs3/K9OkaO9nmyPelwoCwVI1q/PsMpqQhGikdM5hrzg6IcEOg5zpLB6N+wqkcGyXFzI2gSQTWYOv4thrIxPY5G9yNi4dhU+2+KJCa6aoPyAlyc41Yd3ARTeahHEjtdj6PcueRPQdVm+qWCRp09bp3oic7ljzMVrPRgdbRrzFyEAIhN9Fi4QZ08/yCLEt/BPG+N8j0cZixoj54SKi07uSOWRDrzGvgSegGCCIFKjAsq9ay0sBm61XLcZqdtj57NpNzd/y/yFYvjEQLyyn8VnFARwOaM3zjrufNC+kYVkHCYzfvu+JopScZjMiuBXI9v8OTOXlj+Ai97bnftwmpQ2635vyearRHCNATFNa96Sxd1cLjV+ECUlD4hAZQPyel8groXsyjKaMxoOkaZjG/5MDQ8KPtes32kjTmneyLSzrUaAD0F4l/iltBXzDNiT6BHD7HJmERbdkoab7+DC1hxxC1VuOHOX+G/U5NUNjxAercuFOY6kgAH5HM+woGjLUsoc5LESqyPdddeg==-----END PGP MESSAGE-----"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
August 16, 2025Episode 111 hr 25 min
Alex Gaynor
We chat with friend of the pod and special guest Alex Gaynor, former deputy chief technologist at the FTC and all around good Security Person™. Join for nerdery about WebAuthn, stay for accidentally melting down GitHub APIs around November 2020! Watch on YouTube: https://www.youtube.com/watch?v=gBoGvyvsSi4Transcript: https://securitycryptographywhatever.com/2025/08/16/alex-gaynorLinks:- https://knowyourmeme.com/memes/no-take-only-throw- https://alexgaynor.net/2025/jan/13/challenges-funding-open-source/- https://alexgaynor.net/2025/apr/08/putting-a-price-tag-on-open-source/- https://dadrian.io/blog/posts/corporate-support-xz/- https://alex.github.io/nyt-2020-election-scraper/battleground-state-changes.html- https://github.com/alex/nyt-2020-election-scraper"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
July 29, 2025Episode 101 hr 0 min
Vegas, Baby!
We’re throwing a party in Vegas! Someone called it SCWPodCon last year, and the name stuck. It’s sponsored by Teleport, the infrastructure identity company. Get SSO for SSH! If Thomas was here, I’m sure he’d tell you that Fly.io uses Teleport internally. Oh also there's some thing called Black..pill? Black Pool? Something like that happening in Vegas, with crypto talks, so we chatted about them a bit, plus some other stuffSCWPodCon 2025: https://securitycryptographywhatever.com/events/blackhatTranscript: https://securitycryptographywhatever.com/2025/07/29/vegas-baby/Links:- Fault Injection attacks on PQCS signatures: https://www.blackhat.com/us-25/briefings/schedule/index.html#bypassing-pqc-signature-verification-with-fault-injection-dilithium-xmss-sphincs-46362- Another attack on TETRA: https://www.blackhat.com/us-25/briefings/schedule/index.html#2-cops-2-broadcasting-tetra-end-to-end-under-scrutiny-46143- Attacks on SCADA / ICS protocols (OPC UA): https://www.blackhat.com/us-25/briefings/schedule/index.html#no-vpn-needed-cryptographic-attacks-against-the-opc-ua-protocol-44760- Attacks on Nostr: https://www.blackhat.com/us-25/briefings/schedule/index.html#not-sealed-practical-attacks-on-nostr-a-decentralized-censorship-resistant-protocol-45726- https://signal.org/blog/the-ecosystem-is-moving/- https://en.wikipedia.org/wiki/Nostr- https://eurosp2025.ieee-security.org/program.html- https://cispa.de/en/research/publications/84648-attacking-and-fixing-the-android-protected-confirmation-protocol- https://hal.science/hal-05038009v2/file/main.pdf- 8-bit, abacus, and a dog: https://eprint.iacr.org/2025/1237.pdf- https://www.youtube.com/watch?v=Dlsa9EBKDGI- https://www.quantamagazine.org/computer-scientists-figure-out-how-to-prove-lies-20250709/- https://eprint.iacr.org/2025/118"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
May 19, 2025Episode 91 hr 2 min
E2EE Storage Done Right with Matilda Backendal Jonas Hofmann and Kien Tuong Truong
It seems like everyone that tries to deploy end-to-end encrypted cloudstorage seems to mess it up, often in new and creative ways. Our specialguests Matilda Backendal, Jonas Hofmann, and Kien Tuong Truong give us a tour through the breakage and discuss a new formal model of how to actually build a secure E2EE storage system.Watch on YouTube: https://youtu.be/sizLiK_byCwTranscript: https://securitycryptographywhatever.com/2025/05/19/e2ee-storage/Links:- https://brokencloudstorage.info- https://eprint.iacr.org/2024/1616.pdf- https://www.sync.com- https://www.pcloud.com- https://icedrive.net- https://seafile.com- https://tresorit.com- https://eprint.iacr.org/2024/989.pdf"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)
Is this your show?
Claim this listing to keep it up to date, reach guests who want to pitch you, and manage bookings with Guestify.
