I wrote something: sockpuppet.org/blog/2026/03...

AI Finds Vulns You Can't With Nicholas Carlini YouTube video by Security Cryptography Whatever

NEW EPISODE!

The gang learns a bitter lesson about AI and bug finding! Returning champion Nicholas Carlini is back to talk about Claude for vulnerability research.

securitycryptographywhatever.com/2026/03/25/a...
www.youtube.com/watch?v=_IDb...

Extremely psyched about two upcoming SCW guests, one of them this week. We've got very crunch vulnerability research and cryptography stuff coming.

I finally reached the end. This was a super good episode and it gave me all the warm fuzzies about my internal reactions to getting started with Ossl3 for PQC.

As a former windows NCrypt provider maintainer, I really thought all my “magic strings to throw at a generic API” was behind me 😭

Python Cryptography Breaks Up with OpenSSL with Paul Kehrer and Alex Gaynor YouTube video by Security Cryptography Whatever

www.youtube.com/watch?v=dEKB...

www.youtube.com/watch?v=dEKB...

only the best things

dunno! been nearly a year

Python Cryptography Breaks Up with OpenSSL with Paul Kehrer and Alex Gaynor YouTube video by Security Cryptography Whatever

www.youtube.com/watch?v=dEKB...

obviously you have to do a string compare to load a nonce key in openssl 3

Python Cryptography Breaks Up with OpenSSL with Paul Kehrer and Alex Gaynor YouTube video by Security Cryptography Whatever

NEW EPISODE!

The maintainers of py/cryptography declared that after many years of trying to make it work, they would be moving away from OpenSSL when supporting new functionality and exploring adding other backends:

securitycryptographywhatever.com/2026/02/01/p...
www.youtube.com/watch?v=dEKB...

Just recorded the premiere episode of Season VIII of Security Cryptography & W/evs, this time with Alex Gaynor and Paul Kehrer, who have a momentous announcement about pyca/cryptography and OpenSSL.

Threshold decryption.... I struggled with that one and still do. Obviously it's a point of fragility to allow one lost share to cancel the election. But true DKG with parties spread across the world is also not obviously easy to implement.

Yes, it's finite fields, in large part because implementing over elliptic curves, especially with proper hashing for NIZKs, was more complexity than I could handle. Would likely make sense to upgrade to EC at some point but also probably not a huge priority? Happy to hear counter arguments!

Yes, Helios definitely uses NIZKs to prove proper ballot form. Implemented in 2008 browser JavaScript, which was a fun challenge.

I abandoned mixnets in Helios v2+ in favor of homomorphic aggregation because of the operational complexity of mixnets.

Explained in the 2009 paper:
csrc.nist.gov/csrc/media/e...

aww 💜

Final SCW of 2025! We had Matt Bernhard on to talk about cryptographic voting systems, in the wake of the IACR election. (Everybody I voted for in the new election won! Woo!)

@scwpod.bsky.social did the impossible and converted me to a podcast gxrlie

The IACR Can The International Association of Cryptologic Research (IACR) held their regular election using secure voting software called Helios…and lost the keys to decr...

NEW EPISODE!

The IACR lost the keys to decrypt their encrypted election results. We welcome Matt Bernhard who works on secure voting systems to explain which Helios bits are homomorphically additive or not and more:

securitycryptographywhatever.com/2025/12/30/i...
www.youtube.com/watch?v=euw_...

💀

Apple’s Memory Integrity Enforcement YouTube video by Security Cryptography Whatever

NEW EPISODE!

Apple did a new security thing for their latest phones with memory integrity enforcement, we did a deep a dive as we could given that we couldn't get anyone from Apple to come on our podcast 😭

podcasts.apple.com/us/podcast/a...
open.spotify.com/episode/0DhC...
youtu.be/9FJwOI2PliU

yw

Chapter view of a podcast app showing chapters named “pgp for encrypted email”, “fcking metadata”, “m-m-m-metadata”, “SMTP m-m-m-metadata”, and “dkim, spam”

I have just today discovered that podcasts can be chapterised, and that apparently @scwpod.bsky.social is painstakingly broken into chapters with often-joke names

Come for the PGP dunks, stay for the broader discussion of why encrypted email doesn’t make sense

Stop Using Encrypted Email with William Woodruff YouTube video by Security Cryptography Whatever

NEW EPISODE!

An OpenPGP.js bug gave us an excuse to tear encrypted email via PGP to shreds. William Woodruff joined us to explain the vuln & indulge our gnashing of teeth on why email was never meant to be encrypted:

securitycryptographywhatever.com/2025/08/22/s...
www.youtube.com/watch?v=IoL3...

The first part of this interview with my ex-colleague Alex is a great listen if you're a software engineer (or otherwise technical) and are interested in what we were working on as technologists at the Federal Trade Commission.

Alex Gaynor YouTube video by Security Cryptography Whatever

NEW EPISODE!

We chat with friend of the pod and special guest Alex Gaynor, former deputy chief technologist at the FTC and all around good Security Person™. Join for nerdery about WebAuthn, stay for accidentally melting down GitHub APIs around November 2020!

youtu.be/gBoGvyvsSi4

First round of invites going out tonight!

Vegas, Baby! We’re throwing a party in Vegas! Someone called it SCWPodCon last year, and the name stuck. It’s sponsored by Teleport, the infrastructure identity company. ...

Transcript: securitycryptographywhatever.com/2025/07/29/v...