About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

DeepSec 2024 Keynote – The Mind Bomb

René Pfeiffer/ December 1, 2024/ Conference/ 0 comments

DeepSec 2024 ended on 22 November 2024. We took a week off to post-process the event in terms of video material and dialogues. Usually only participants get first access to the video recordings, but because of the threat of disinformation from nation states, we published the keynote early and freely. Randahl Fink explained his take on manipulation of elections and entire societies. Russia, among others, is very proficient in creating election results that keep on surprising politicians and analysts alike. The Mind Bomb is real, and it is about to explode in Western democracies. You can watch the video online on Randahl’s YouTube channel, his Patreon site, or on our Vimeo account. Presenters at conferences are storytellers. They make topics come alive, create links between seemingly unrelated aspects, teach new knowledge, and hopefully make


DeepSec 2024 Opening – Conference Days are now live

René Pfeiffer/ November 21, 2024/ Conference/ 0 comments

DeepSec 2024 has opened. Enjoy the two days of presentations, discussions, and insights into how to improve the security of your information technology infrastructure. Our keynote will deep dive into the dangerous world of mind manipulation. Social engineering is a threat from the past. Political engineering is the new kid on the block, and it has the power to reshape and destroy nation states and societies. Fake news, propaganda, and outright lies have become the standard tool of radical parties, be it left, right, or centre. Randahl Fink explores the power of the mind bomb in his keynote presentation. For everyone attending: Our only social media presence is in the Fediverse. Please use our @DeepSec handle and the #DeepSec hash tag for referencing content and discussions. Do not use Twitter/X or similar platforms. Thank


DeepINTEL 2024 – a full Day all about Security Intelligence

René Pfeiffer/ November 20, 2024/ Conference, DeepIntel/ 0 comments

The DeepINTEL 2024 security intelligence event has begun. It offers a full day of presentations about current and future threats. It is difficult to describe a TLP:AMBER event, because we do not publish the schedule for DeepINTEL. The term security intelligence covers a wide spectrum. Basically, it includes all information that will help you improve your defence, understand your adversaries, and learn how attacking groups operate. The sources are probes, monitoring systems, and reports from attacks and their analysis. We are looking forward to providing the next iteration of DeepINTEL as a unique forum where security experts can get crucial updates. Grab your coffee, listen, and contribute!

BSides København – Meaningful Metrics in Information Security

René Pfeiffer/ November 9, 2024/ Development, Security/ 0 comments

The next BSides København will take place on 9 November 2024. There is one presentation in the schedule about the use of metrics in information security. Computers allow us to create documents, charts, and statistical values easily from any data collection we like. Therefore, the World Wide Web is full of graphs, tables with numbers, predictions, and all kinds of results. The problem is that not everything you can count is a suitable metric tied to real-life observations. Finding a metric is a science on its own. This presentation will give you some examples of how to measure meaningful attributes of computer systems and networks. You will also get to know the term metric more closely. Using proper metrics and assessing customer-provided reports will help you immensely when dealing with information security decisions. The


DeepSec publishes preliminary Schedule

René Pfeiffer/ August 19, 2024/ Conference, DeepIntel/ 0 comments

We are happy and proud to present the preliminary schedule for DeepSec 2024! Again, the many submissions overwhelmed us. We could have filled the schedules for two or three conferences. The range of topics matches current events, your needs for improving digital defence, and insights into how vulnerable systems and humans are. Organic intelligence created all presentations 100%. No previous instructions had to be ignored. Also look at the trainings. We have selected very useful topics and feature expert trainers to guide you through the content. As usual, the schedule for DeepINTEL is only available on request. We hope to see you all in Vienna!

Update on DeepSec, DeepINTEL, CfP Review, and the Things behind the Stage

René Pfeiffer/ August 18, 2024/ Administrivia/ 0 comments

We have been more radio silent than usual in the past months. The main reason was a high workload on various ongoing projects. Given that more and more companies need to address IT security, there were policies to write and security controls to design. Furthermore, the looming NIS Directive II has put some managements into overdrive. And then there is and was the Summer heat. Climate change also impacts work in IT security. Not all environments have air conditioning. Mental work gets hard in hot temperatures. If you need to write code, policies, or technical documentation, then output is slower than usual. By the way, ISO has added climate change risks to businesses to its standards. Companies need to think about how the climate will impact risks to their business processes. It’s not the


DeepSec Call for Papers has officially ended – Review Phase opened

René Pfeiffer/ August 1, 2024/ Call for Papers, Conference/ 0 comments

The call for papers process for DeepSec has officially ended. We tried to keep track of your submissions, but now we will deep dive into the review phase. You may have noticed that the trainings have already been published online. Usually, we publish the training slots earlier. We try to do this before the Summer, but this year the training review was delayed, because all reviewers were very busy. Now we have even more work because of the number of proposals for talks. Thank you all for your contributions! Creating the schedule will be hard, so bear with us and allow for one to two weeks for the reviews. We promise that all of you will receive either a confirmation when accepted or a message if your submission was declined. Don’t be discouraged or


Reminder: Call for Papers DeepSec/DeepINTEL is still open!

René Pfeiffer/ July 12, 2024/ Conference/ 0 comments

It’s this time of the year again where the hot weather and deadlines collide. The call for papers for both DeepSec and DeepINTEL is still open! We are looking for original content, your creative ideas, and your invaluable experience. Please submit your proposal to our CfP manager. As always, we have a variety of topics we are interested in. The wonderful world of „artificial intelligence“ has taken the world and its CO2 output by storm. Large Language Models (LLMs) have „learned“ the Internet multiple times. Companies offering their LLM-based services promise to solve all kinds of tasks. What does this mean for IT security? Disinformation and propaganda are a big topic. Europe has already seen elections where structural disinformation played (and plays!) a vital role. Using false information in order to influence the voting


IT Security, Standards, and Compliance

René Pfeiffer/ July 12, 2024/ Call for Papers, Conference, Legal/ 0 comments

You can often see the classic divide between technical and compliance persons in information technology within teams or organisations. Writing guidelines and writing configurations for implementation seem very different, with no overlaps. In reality, everyone has procedures. While they might not be written or follow a standardized format, having your ways of doing things is crucial to succeed in IT. The same goes for security. Creating policy documents and describing procedures in a way that technical minds can actually use them is a challenge. There is a crossover with the profession of writers who are experts in conveying nonfiction stories. And this is the origin of the schism between technicians and the compliance world. Badly written policies are a security risk, because no one takes them seriously. The purpose of your procedure documentation is


Creative Writing is beneficial for Information Security

René Pfeiffer/ June 19, 2024/ Security, Stories

Do you like a good movie? Do you enjoy a good book? Your favourites most probably began as a piece of writing. There is a surprising overlap between creative writing, writing code, doing mathematics, and enjoying a well-defined information security configuration. Everything meets at the written word. IT documentation has a terrible reputation. Since it is always one or more steps behind the actual configuration, people prefer reading configurations instead. The magic is to keep changes in sync with your documentation. Another ingredient is to write concisely and to create the right structure. While documenting IT infrastructure is not like writing a script for a movie, it requires describing everything in the right order. You need to make sure people can look things up and find systems and controls required for security. An IT


Online Security is threatened by Politics in the EU

René Pfeiffer/ June 17, 2024/ Communication, Security

A vote for the EU Chat Control disaster is scheduled again. If the vote passes, then this chat control system will destroy the security of communication platforms for all Internet users, organisations, and companies. Chat control basically disables end-to-end encryption (E2EE). The proposals have been widely discussed, but it seems that the Belgian presidency decided to rush the topic right before the Summer break. Secure communications platforms such as Signal and Threema have warned lawmakers. EuroISPA has published a statement of protest as well. E2EE is a cornerstone of information security. The chat control regulation would only affect citizens and businesses. Criminals will always have a way around this. The proposed mass surveillance is a security risk by itself. Nation states conducting espionage will welcome the weakening of the security posture and use it against the


Science Fiction meets Large Language Models

René Pfeiffer/ May 25, 2024/ Conference

According to the manufacturers’ advertising, using a Large Language Model (LLM) is just like having a conversation with a person. The reality looks different. Google’s AI search has recently recommended gluing pizza together, eating rocks, or jumping off the Golden Gate Bridge when depressed. This is clearly bad advice. Apparently these answers are or were part of the learning process. Incidents like this and the hallucinations of LLM algorithms have been discussed already. Science fiction fans will recall conversations with computer or AI simulations where someone tries to trick the machine into overriding security checks. The Open Worldwide Application Security Project (OWASP) has created a list of threats to LLM applications. The target audience is developers, designers, architects, managers, and organisations. Marc Pesce wrote an article about tests with different LLM implementations.


Ross Anderson has died

René Pfeiffer/ March 30, 2024/ High Entropy, Misc

We mourn the loss of security researcher Ross Anderson. His contribution to information security and digital privacy was significant. His book Security Engineering is a cornerstone for everyone diving into the complex world of digital security. Ross taught at the University of Cambridge and Edinburgh University. He was a very prolific writer and published insights into the technological aspects of information security. He will be missed.

DeepSec and DeepINTEL 2024 Call for Papers is open

René Pfeiffer/ March 29, 2024/ Call for Papers

The call for papers is open! DeepSec and DeepINTEL are waiting for your input. We are looking for your talks and trainings. Tell us what you found and tell our trainees how to defend against attacks. Please submit proposals for trainings as early as possible. We try to fill at least half of the training slots before the Summer, so interested persons have some more time to plan their attendance. Our main aim for 2024 is to examine the weaknesses of Large Language Models (LLMs) and explore their potential for exploitation. The obvious way is to use the prompt, but there are ways to influence or poison the training data. We have seen publications and nascent source code doing this. The less obvious way of weaponising these algorithms is to spread disinformation. Generated content


Memory Safety revisited

René Pfeiffer/ March 4, 2024/ Conference

Memory safety is the most important problem in information security. This is something the White House and the NSA want you to believe. The recommendation is to use a different programming language, and all our problems will magically disappear. The proposal sounds a lot like the typical magic bullet solution, just like one of the many marketing promises of vendors since the 1990s. Attacks on memory buffers are the least of your current problems. Attackers use „living off the land“ attacks which rely on memory-safe scripting languages. If you look at the CWE statistics, then there are lots and lots of input validation errors that will bring down the security of many applications. Most web applications use questionable frameworks that are neither mature nor well-tested. Access to storage systems (SQL or NoSQL) still features injections
