We finally have an excuse to tear down Telegram! Their CEO got arrested by the French, apparently not because the cryptography in Telegram is bad, but special guest Matt Green joined us to talk about how the cryptography is bad anyway, and you probably shouldn't use Telegram as a secure messenger of any kind!


Transcript: https://securitycryptographywhatever.com/2024/09/06/telegram

Links:

- https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/
- Lavabit / Ladar Levinson: https://en.wikipedia.org/wiki/Lavabit
- Pavel Durov indictment statement from French authorities: https://www.tribunal-de-paris.justice.fr/sites/default/files/2024-08/2024-08-28%20-%20CP%20TELEGRAM%20mise%20en%20examen.pdf
- MTProto 2.0 protocol spec: https://core.telegram.org/api/end-to-end
- https://words.filippo.io/dispatches/telegram-ecdh/
- MTProto 1.0 (old no longer used): - https://web.archive.org/web/20131220000537/https://core.telegram.org/api/end-to-end#key-generation
- OTR: https://otr.cypherpunks.ca/otr-wpes.pdf
- AES and sha2 used in ‘Infinite Garble Extension’ mode: https://eprint.iacr.org/2015/1177.pdf
- Four Attacks and a Proof for Telegram: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9833666
- History of Telegram e2ee chats availability: https://en.wikipedia.org/wiki/Telegram_(software)#Architecture
- https://securitycryptographywhatever.com/2023/01/27/threema/
- https://securitycryptographywhatever.com/2022/11/02/Matrix-with-Martin-Albrecht-Dan-Jones/
- https://en.wikipedia.org/wiki/Matrix_(protocol), introduced in September 2014

"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

Are you going to be in Vegas during BlackHat / DEF CON? We're hosting a mixer, sponsored by Observa! We have limited capacity, so please only register if you can actually come. Location details are in the confirmation email. Tickets will be released in batches, so if you get waitlisted, there's a good chance you still get in. Looking forward to seeing you in Vegas!

Ticket Link: https://www.eventbrite.com/e/scwpod-vegas-2024-tickets-946939099337

We talk about CrowdStrike in this episode, but we know we made some mistakes:

• The sys files may be code in addition to data.
• The bug might be bigger than "just" a null pointer exception.

Luckily, none of that is actually relevant to the main issues we discuss.

Show page: https://securitycryptographywhatever.com/2024/07/24/summertime-sadness/

Other Links:

• https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization
• https://dadrian.io/blog/posts/pqc-signatures-2024/
• https://dadrian.io/blog/posts/cto/
• https://www.blackhat.com/us-24/briefings/schedule/
• https://terrapin-attack.com/
• https://www.youtube.com/watch?v=-AqayGm0_pw

More like ClownStrike, amirite?

"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)

We have Mark Dowd on, founder of Aziumuth Security and one of the authors of The Art of Software Security Assessment, to talk about the market for zero day vulnerabilities, and how mitigations affect monetizing offensive security work.

Transcript: https://securitycryptographywhatever.com/2024/06/24/mdowd/

Links:

• https://www.azimuthsecurity.com/
• https://www.vigilantlabs.com/
• https://github.com/mdowd79/presentations/blob/main/bluehat2023-mdowd-final.pdf
• https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Hack-Different-Pwning-IOS-14-With-Generation-Z-Bug-wp.pdf
• https://i.blackhat.com/USA-19/Wednesday/us-19-Shwartz-Selling-0-Days-To-Governments-And-Offensive-Security-Companies.pdf

"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)