Security Cryptography Whatever

We talk to Michał Zalewski (lcamtuf) about the vulnpocalypse and if we even need fuzzers anymore. This episode may be export controlled at a future date.
Watch on YouTube: https://www.youtube.com/watch?v=uI9CSgB4p9o
Transcript: https://securitycryptographywhatever.com/2026/06/14/facing-the-vulnpocalypse-with-lcamtuf
https://github.com/google/afl
https://www.reddit.com/r/claude/comments/1tqtenf/anthropic_said_today_that_mythos_is_coming_to_all/
https://github.com/google/clusterfuzz
https://en.wikipedia.org/wiki/Jevons_paradox
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
https://en.wikipedia.org/wiki/Brighton_hotel_bombing
https://curl.se/
https://ftp.openbsd.org/pub/OpenBSD/patches/7.8/common/025_sack.patch.sig
https://www.wired.com/story/last-pass-vulnerability-password-safe/
https://nostarch.com/tangledweb
https://nostarch.com/silence.htm
https://nostarch.com/practical-doomsday
https://nostarch.com/secret-life-of-circuits
https://www.youtube.com/c/3blue1brown

"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

Returning champion Nicholas Carlini comes back to talk about using Claude for vulnerability research, and the current vulnpocalypse. It's all very high-brow stuff, and the gang learns some bitter lessons.
Watch on YouTube: https://www.youtube.com/watch?v=_IDbFLu9Ug8
Transcript: https://securitycryptographywhatever.com/2026/03/25/ai-bug-finding/

Links:

- https://red.anthropic.com/2026/zero-days/
- https://unpromptedcon.org/
- Black-hat LLMs  
- https://red.anthropic.com/2026/firefox/

"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

Standardizing cryptography involves a lot of opinions. Luckily, the gamer presidents are on it. Come on, you all know the drill.
This is the last time I do this.

"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

The Python cryptography module, pyca/cryptography, has mostly been a sane wrapper around a pile of C, so that users get performant cryptography on the many, many platforms Python targets. Therefore its maintainers, Alex Gaynor and Paul Kehrer, have become intimately familiar with OpenSSL. Recently, they declared that after many years of trying to make it work, they announced pyca/cryptography would be moving away from OpenSSL when supporting new functionality and exploring adding other backends instead. We invited them on to tell us about what has happened to OpenSSL, even after the investments and improvements following Heartbleed. No guests on this pod represent anyone besides themselves.
Watch on YouTube: https://www.youtube.com/watch?v=dEKBHI3rodY

Transcript: https://securitycryptographywhatever.com/2026/02/01/python-cryptography-breaks-up-with-openssl

Links:
- https://cryptography.io/en/latest/statements/state-of-openssl/
- Py Cryptography: https://cryptography.io
- https://archive.openssl-conference.org/2025/presentations/Alex_Gaynor_Paul_Kehrer_The_Python_Cryptographic_Authoritys_OpenSSL_Experience.pdf
- https://securitycryptographywhatever.com/2025/08/16/alex-gaynor/
- https://packages.gentoo.org/packages/media-libs/libsdl
- https://www.youtube.com/watch?v=RUIguklWwx0
- https://datatracker.ietf.org/doc/rfc9180/
- https://docs.openssl.org/3.3/man3/OSSL_PARAM/
- https://openssl.foundation/
- https://github.com/openssl/openssl/issues/17064
- https://www.feistyduck.com/newsletter/issue_132_openssl_performance_still_under_scrutiny
- https://github.com/topazproject/topaz
- https://github.com/actions/runner/issues/1069
- https://crystalhotsauce.com/
- https://openssl-library.org/news/vulnerabilities/#CVE-2025-15467
- https://en.wikipedia.org/wiki/Ship_of_Theseus
- https://boringssl.googlesource.com/boringssl/+/aa202db1d7091b88b80f0a58c630c5c1aefc817d
- https://www.ibm.com/products/open-sdk-for-rust-aix
- https://dadrian.io/blog/posts/corporate-support-xz/
- https://peps.python.org/
- https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed448/
- https://go.dev/blog/fips140
- https://dadrian.io/blog/posts/roll-your-own-crypto/

"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)

The International Association of Cryptologic Research held their regular election using secure voting software called Helios…and lost the keys to decrypt the results, leaving them with no choice but to throw out the vote and call a new election. Hilarity ensues. We welcome special guest Matt Bernhard who actually works on secure voting systems to explain which bits are homomorphically additive or not.

Watch on YouTube: https://www.youtube.com/watch?v=euw_yqAQFI8

Transcript: https://securitycryptographywhatever.com/2025/12/30/iacr-helios

Links:
- NYT: https://www.nytimes.com/2025/11/21/world/cryptography-group-lost-election-results.html
- IACR Memo: https://www.iacr.org/news/item/27138
- https://www.iacr.org/elections/
- https://vote.heliosvoting.org/faq
- https://github.com/Election-Tech-Initiative/electionguard
- https://www.usenix.org/legacy/events/sec08/tech/full_papers/adida/adida.pdf
- https://www.iacr.org/elections/eVoting/about-helios.html
- https://www.iacr.org/elections/eVoting/
- https://crypto.ethz.ch/publications/files/CrGeSc97b.pdf
- https://electionguard.vote/
- https://eprint.iacr.org/2025/1901
- https://freeandfair.us/blog/open-free-election-technology/
- https://www.starvoting.org/
- https://mbernhard.com/

"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@dadrian)