'Let us model our large language model as a hash function—' Sold.Our special guest Nicholas Carlini joins us to discuss differential cryptanalysis on LLMs and other attacks, just as the ones that made OpenAI turn off some features, hehehehe.Watch episode on YouTube: https://youtu.be/vZ64xPI2Rc0Transcript: https://securitycryptographywhatever.com/2025/01/28/cryptanalyzing-llms-with-nicholas-carlini/Links:- https://nicholas.carlini.com- “Stealing Part of a Production Language Model”: https://arxiv.org/pdf/2403.06634- ‘Why I attack"’: https://nicholas.carlini.com/writing/2024/why-i-attack.html- “Cryptanalytic Extraction of Neural Network Models”, CRYPTO 2020: https://arxiv.org/abs/2003.04884- “Stochastic Parrots”: https://dl.acm.org/doi/10.1145/3442188.3445922- https://help.openai.com/en/articles/5247780-using-logit-bias-to-alter-token-probability-with-the-openai-api- https://community.openai.com/t/temperature-top-p-and-top-k-for-chatbot-responses/295542- https://opensource.org/license/mit- https://github.com/madler/zlib- https://ai.meta.com/blog/yann-lecun-ai-model-i-jepa/- https://nicholas.carlini.com/writing/2024/how-i-use-ai.html"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
--------
1:20:42
Biden’s Cyber-Everything Bagel with Carole House
Just a few days before turning off the lights, the Biden administration dropped a huge cybersecurity executive order including a lot of good stuff, that hopefully [cross your fingers, knock wood, spin around three times and spit] will last into future administrations. We snagged some time with Carole House, outgoing Special Advisor and Acting Senior Director for Cybersecurity and Critical Infrastructure Policy, National Security Council in the Biden-Harris White House, to give us a brain dump.And now due to popular demand, with video of our actual human¹ faces! https://youtu.be/Pqw0W2crQiMTranscript: https://securitycryptographywhatever.com/2025/01/20/bidens-cyber-everything-bagel-carole-house/Links:- https://www.federalregister.gov/d/2025-01470- https://www.wired.com/story/biden-executive-order-cybersecurity-ai-and-more/- 2022 EO: https://archive.ph/hvzWd- 2023 EO: https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf- 2021 EO: https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity- NIST SSDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf- https://www.federalregister.gov/documents/2015/04/02/2015-07788/blocking-the-property-of-certain-persons-engaging-in-significant-malicious-cyber-enabled-activities- IEEPA: https://www.govinfo.gov/content/pkg/USCODE-2023-title50/pdf/USCODE-2023-title50-chap35-sec1701.pdf¹ Actual human faces not guaranteed in all cases"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
--------
57:14
Quantum Willow with John Schanck and Samuel Jacques
THE QUANTUM COMPUTERS ARE COMING...right? We got Samuel Jacques and John Schanck at short notice to answer that question plus a bunch of other about error correcting codes, logical qubits, T-gates, and more about Google's new quantum computer Willow.Transcript: https://securitycryptographywhatever.com/2024/12/18/quantum-willowLinks:- https://blog.google/technology/research/google-willow-quantum-chip/ - https://research.google/blog/making-quantum-error-correction-work/- https://blog.google/technology/google-deepmind/alphaqubit-quantum-error-correction/ - https://www.nature.com/articles/s41586-024-08449-y- Sam’s ‘Landscape of Quantum Computing’ chart: https://sam-jaques.appspot.com/quantum\_landscape\_2024 - The above, originally published in 2021: https://sam-jaques.appspot.com/quantum\_landscape- https://sam-jaques.appspot.com- https://jmschanck.info/"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
--------
53:36
Dual_EC_DRBG with Justin Schuh and Matthew Green
Nothing we have ever recorded on SCW has brought so much joy toDavid. However, at several points during the episode, we may have witnessed Matthew Green's soul leave his body.Our esteemed guests Justin Schuh and Matt Green joined us to debate whether `Dual_EC_DRBG` was intentionally backdoored by the NSA or 'just' a major fuckup.Transcript: https://securitycryptographywhatever.com/2024/12/07/dual-ec-drbgLinks:- Dicky George at InfiltrateCon 2014, 'Life at Both Ends of the Barrel - An NSA Targeting Retrospective': [https://youtu.be/qq-LCyRp6bU?si=MyTBKomkIVaxSy1Q](https://youtu.be/qq-LCyRp6bU?si=MyTBKomkIVaxSy1Q)- Dicky George: [https://www.nsa.gov/Press-Room/Digital-Media-Center/Biographies/Biography-View-Page/Article/3330261/richard-dickie-george/](https://www.nsa.gov/Press-Room/Digital-Media-Center/Biographies/Biography-View-Page/Article/3330261/richard-dickie-george/)- NYTimes on Sigint Enabling Project: [https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html](https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html)- On the Practical Exploitability of Dual ECin TLS Implementations: [https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-checkoway.pdf](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-checkoway.pdf)- Wired - Researchers Solve Juniper Backdoor Mystery; Signs Point to NSA [https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/](https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-nsas-fault/)- ProPublica - Revealed: The NSA's Secret Campaign to Crack, Undermine Internet Security [https://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption](https://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption)- DDoSecrets - Sigint Enabling Project: [https://data.ddosecrets.com/Snowden%20archive/sigint-enabling-project.pdf](https://data.ddosecrets.com/Snowden%20archive/sigint-enabling-project.pdf)- IAD: [https://www.iad.gov/](https://www.iad.gov/)- Ars Technica - “Unauthorized code” in Juniper firewalls decrypts encrypted VPN traffic: [https://web.archive.org/web/20151222023311/http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/](https://web.archive.org/web/20151222023311/http://arstechnica.com/security/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/)- 2015 IMPORTANT JUNIPER SECURITY ANNOUNCEMENT: [https://web.archive.org/web/20151221171526/http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554](https://web.archive.org/web/20151221171526/http://forums.juniper.net/t5/Security-Incident-Response/Important-Announcement-about-ScreenOS/ba-p/285554)- Extended Random Values for TLS: [https://datatracker.ietf.org/doc/html/draft-rescorla-tls-extended-random-00](https://datatracker.ietf.org/doc/html/draft-rescorla-tls-extended-random-00)- The Art of Software Security Assessment: [https://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426](https://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426)"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
--------
1:07:45
A Little Bit of Rust Goes a Long Way with Android's Jeff Vander Stoep
You may not be rewriting the world in Rust, but if you follow the findings of the Android team and our guest Jeff Vander Stoep, you'll drive down your memory-unsafety vulnerabilities more than 2X below the industry average over time! 🎉Transcript: https://securitycryptographywhatever.com/2024/10/15/a-little-bit-of-rust-goes-a-long-way/Links:- https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html- “Safe Coding”: https://dl.acm.org/doi/10.1145/3651621- “effectiveness of security design”: https://docs.google.com/presentation/d/16LZ6T-tcjgp3T8_N3m0pa5kNA1DwIsuMcQYDhpMU7uU/edit#slide=id.g3e7cac054a_0_89- https://security.googleblog.com/2024/02/improving-interoperability-between-rust-and-c.html- https://github.com/google/crubit- https://github.com/google/autocxx- https://en.wikipedia.org/wiki/Stagefright_(bug)- https://security.googleblog.com/2021/04/rust-in-android-platform.html- https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md- https://www.usenix.org/conference/usenixsecurity22/presentation/alexopoulos-https://kb.meinbergglobal.com/kb/time_sync/ntp/ntp_vulnerabilities_reported_2023-04- https://blog.isosceles.com/the-legacy-of-stagefright/- https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/- https://www.youtube.com/watch?v=QrrH2lcl9ew- https://source.android.com/docs/setup/build/rust/building-rust-modules/overview- https://github.com/rust-lang/rust-bindgen- https://security.googleblog.com/2021/06/rustc-interop-in-android-platform.html"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
Sverige