

Security Cryptography Whatever
Deirdre Connolly, Thomas Ptacek, David Adrian
Some cryptography & security people talk about security, cryptography, and whatever else is happening.
Episodes

Mar 26, 2026 • 1h 16min
AI Finds Vulns You Can't With Nicholas Carlini
Returning champion Nicholas Carlini comes back to talk about using Claude for vulnerability research, and the current vulnpocalypse. It's all very high-brow stuff, and the gang learns some bitter lessons.

Watch on YouTube: https://www.youtube.com/watch?v=_IDbFLu9Ug8
Transcript: https://securitycryptographywhatever.com/2026/03/25/ai-bug-finding/
Links:
- https://red.anthropic.com/2026/zero-days/
- https://unpromptedcon.org/
- Black-hat LLMs - https://red.anthropic.com/2026/firefox/

"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

Mar 10, 2026 • 8min
Standardizing Pure PQC
A lively debate on standardizing pure post-quantum cryptography and what still needs to be done for TLS. They dissect hybrid versus pure PQC approaches and why pure deployments matter. Political undercurrents and trust in algorithm origins come up. Standards process frustrations and whether re-running consensus would change anything are playfully examined.

Feb 2, 2026 • 1h 13min
Python Cryptography Breaks Up with OpenSSL with Paul Kehrer and Alex Gaynor
The Python cryptography module, pyca/cryptography, has mostly been a sane wrapper around a pile of C, so that users get performant cryptography on the many, many platforms Python targets. Therefore its maintainers, Alex Gaynor and Paul Kehrer, have become intimately familiar with OpenSSL. Recently, after many years of trying to make it work, they announced that pyca/cryptography would be moving away from OpenSSL when supporting new functionality and exploring adding other backends instead. We invited them on to tell us about what has happened to OpenSSL, even after the investments and improvements following Heartbleed. No guests on this pod represent anyone besides themselves.

Watch on YouTube: https://www.youtube.com/watch?v=dEKBHI3rodY
Transcript: https://securitycryptographywhatever.com/2026/02/01/python-cryptography-breaks-up-with-openssl
Links:
- https://cryptography.io/en/latest/statements/state-of-openssl/
- Py Cryptography: https://cryptography.io
- https://archive.openssl-conference.org/2025/presentations/Alex_Gaynor_Paul_Kehrer_The_Python_Cryptographic_Authoritys_OpenSSL_Experience.pdf
- https://securitycryptographywhatever.com/2025/08/16/alex-gaynor/
- https://packages.gentoo.org/packages/media-libs/libsdl
- https://www.youtube.com/watch?v=RUIguklWwx0
- https://datatracker.ietf.org/doc/rfc9180/
- https://docs.openssl.org/3.3/man3/OSSL_PARAM/
- https://openssl.foundation/
- https://github.com/openssl/openssl/issues/17064
- https://www.feistyduck.com/newsletter/issue_132_openssl_performance_still_under_scrutiny
- https://github.com/topazproject/topaz
- https://github.com/actions/runner/issues/1069
- https://crystalhotsauce.com/
- https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467
- https://en.wikipedia.org/wiki/Ship_of_Theseus
- https://boringssl.googlesource.com/boringssl/+/aa202db1d7091b88b80f0a58c630c5c1aefc817d
- https://www.ibm.com/products/open-sdk-for-rust-aix
- https://dadrian.io/blog/posts/corporate-support-xz/
- https://peps.python.org/
- https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed448/
- https://go.dev/blog/fips140
- https://dadrian.io/blog/posts/roll-your-own-crypto/

Dec 31, 2025 • 57min
The IACR Can't Decrypt with Matt Bernhard
In this episode, Matt Bernhard, a researcher in secure voting systems, dives into the hilarious debacle of the IACR Helios election, where key decryption material went missing, rendering the election results unusable. He explains the complexities of Helios's homomorphic encryption and discusses its limitations and verifiability concerns. Additionally, Matt highlights the practical challenges of internet voting, contrasts digital systems with paper ballots, and introduces ElectionGuard, a modern solution aimed at enhancing election integrity.

Oct 31, 2025 • 57min
Apple’s Memory Integrity Enforcement
Dive into Apple’s latest memory security advancements! Discover how vertical integration allows for effective low-level security solutions. The hosts explore type-aware allocators and their role in preventing vulnerabilities like type confusion. Learn about Memory Tagging Extension (MTE) and its trade-offs, as well as real-world applications and challenges faced by modern browsers. They delve into new protective features that enhance performance while keeping data safe, all thanks to Apple’s innovative engineering choices.

Aug 23, 2025 • 1h 11min
Stop Using Encrypted Email with William Woodruff
William Woodruff, founder of Yossarian.net, joins the discussion to dismantle the myths surrounding encrypted email, especially PGP. He reveals a significant bug in an OpenPGP library, arguing that email was never designed for encryption. The conversation dives into operational security, criticizing outmoded methods like PGP and S/MIME. They explore the risks of metadata leaks and the limitations of federated systems, advocating for modern secure messaging alternatives like Signal over traditional email. Woodruff emphasizes the need for better understanding of digital threat models.

Aug 16, 2025 • 1h 25min
Alex Gaynor
Join Alex Gaynor, a core developer of Python and Django and former chief technologist at the FTC, as he dives into tech transformations in government, sharing stories from the Affordable Care Act's rollout. He covers the complexities of legal battles in tech, including Oracle v. Google, and discusses the challenges of integrating Rust into popular software. Alex also sheds light on innovative open-source funding structures and reflects on his impactful election tracking website that became a go-to during the 2020 election.

Jul 29, 2025 • 1h 1min
Vegas, Baby!
Excitement is brewing for SCW PodCon in Las Vegas, featuring a fun party sponsored by Teleport. The hosts delve into the quirky differences between SSH certificates and X.509, while sharing personal stories from their Vegas adventures. They also discuss the latest cryptographic challenges highlighted at Black Hat and DEF CON, including vulnerabilities that could exploit even solid algorithms. The conversation touches on federated security protocols, quantum threats, and the implications of the Fiat Shamir transform, keeping listeners on the edge of their seats.

May 19, 2025 • 1h 2min
E2EE Storage Done Right with Matilda Backendal, Jonas Hofmann, and Kien Tuong Truong
It seems like everyone that tries to deploy end-to-end encrypted cloud storage seems to mess it up, often in new and creative ways. Our special guests Matilda Backendal, Jonas Hofmann, and Kien Tuong Truong give us a tour through the breakage and discuss a new formal model of how to actually build a secure E2EE storage system.

Watch on YouTube: https://youtu.be/sizLiK_byCw
Transcript: https://securitycryptographywhatever.com/2025/05/19/e2ee-storage/
Links:
- https://brokencloudstorage.info
- https://eprint.iacr.org/2024/1616.pdf
- https://www.sync.com
- https://www.pcloud.com
- https://icedrive.net
- https://seafile.com
- https://tresorit.com
- https://eprint.iacr.org/2024/989.pdf

Mar 24, 2025 • 15min
Picking Quantum Resistant Algorithms
Migrating the US government to quantum-resistant cryptography is hard; luckily, the gamer presidents are on it. This episode is extremely not safe for work, nor does it reflect the political opinions of, well, anybody.


