About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

DeepINTEL 2024 – a full Day all about Security Intelligence

René Pfeiffer/ November 20, 2024/ Conference, DeepIntel/ 0 comments

The DeepINTEL 2024 security intelligence event has begun. The day holds a full day of presentations about current and future threats. It is difficult to describe a TLP:AMBER event, because we do not publish the schedule for DeepINTEL. The term security intelligence has a wide spectrum. Basically, it includes all information that will help you improve your defence, understand your adversaries, and learn how attacking groups operate. The sources are probes, monitoring systems, reports from attacks and their analysis. We are looking forward to providing the next iteration of DeepINTEL as a unique forum where security experts can get crucial updates. Grab your coffee, listen, and contribute!

BSides København – Meaningful Metrics in Information Security

René Pfeiffer/ November 9, 2024/ Development, Security/ 0 comments

The next BSides København will take place on 9 November 2024. There is one presentation in the schedule about the use of metrics in information security. Computers allow us to create documents, charts, and statistical values easily from any data collection we like. Therefore, the World Wide Web is full of graphs, tables with numbers, predictions, and all kinds of results. The problem is that not everything you can count is a suitable metric tied to real-life observations. Finding a metric is a science on its own. This presentation will give you some examples of how to measure meaningful attributes of computer systems and networks. You will also get to know the term metric more closely. Using proper metrics and assessing customer-provided reports will help you immensely when dealing with information security decisions. The


DeepSec publishes preliminary Schedule

René Pfeiffer/ August 19, 2024/ Conference, DeepIntel/ 0 comments

We are happy and proud to present the preliminary schedule for DeepSec 2024! Again, the many submissions overwhelmed us. We could have filled the schedules for two or three conferences. The range of topics matches current events, your needs for improving digital defence, and insights into how vulnerable systems and humans are. Organic intelligence created all presentations 100%. No previous instructions had to be ignored. Also look at the trainings. We have selected very useful topics and feature expert trainers to guide you through the content. As usual, the schedule for DeepINTEL is only available on request. We hope to see you all in Vienna!

Update on DeepSec, DeepINTEL, CfP Review, and the Things behind the Stage

René Pfeiffer/ August 18, 2024/ Administrivia/ 0 comments

We have been more radio silent than usual in the past months. The main reason was a high workload on various ongoing projects. Given that more and more companies need to address IT security, there were policies to write and security controls to design. Furthermore, the looming NIS Directive II has put some managements into overdrive. And then there is and was the Summer heat. Climate change also impacts work in IT security. Not all environments have air conditioning. Mental work gets hard in hot temperatures. If you need to write code, policies, or technical documentation, then output is slower than usual. By the way, ISO has added climate change risks to businesses to its standards. Companies need to think about how the climate will impact risks to their business processes. It’s not the


DeepSec Call for Papers has officially ended – Review Phase opened

René Pfeiffer/ August 1, 2024/ Call for Papers, Conference/ 0 comments

The call for papers process for DeepSec has officially ended. We tried to keep track of your submissions, but now we will deep dive into the review phase. You may have noticed that the trainings have already been published online. Usually, we publish the training slots earlier. We try to do this before the Summer, but this year the training review was delayed, because all reviewers were very busy. Now we have even more work because of the number of proposals for talks. Thank you all for your contributions! Creating the schedule will be hard, so bear with us and allow for one to two weeks for the reviews. We promise that all of you will receive either a confirmation when accepted or a message if your submission was declined. Don’t be discouraged or


Reminder: Call for Papers DeepSec/DeepINTEL is still open!

René Pfeiffer/ July 12, 2024/ Conference/ 0 comments

It’s this time of the year again where the hot weather and deadlines collide. The call for papers for both DeepSec and DeepINTEL is still open! We are looking for original content, your creative ideas, and your invaluable experience. Please submit your proposal to our CfP manager. As always, we have a variety of topics we are interested in. The wonderful world of „artificial intelligence“ has taken the world and its CO2 output by storm. Large Language Models (LLMs) have „learned“ the Internet multiple times. Companies offering their LLM-based services promise to solve all kinds of tasks. What does this mean for IT security? Disinformation and propaganda are a big topic. Europe has already seen elections where structural disinformation played (and plays!) a vital role. Using false information in order to influence the voting


IT Security, Standards, and Compliance

René Pfeiffer/ July 12, 2024/ Call for Papers, Conference, Legal/ 0 comments

You can often see the classic divide between technical and compliance persons in information technology within teams or organisations. Writing guidelines and writing configurations for implementation seem very different, with no overlaps. In reality, everyone has procedures. While they might not be written or follow a standardized format, having your ways of doing things is crucial to succeed in IT. The same goes for security. Creating policy documents and describing procedures in a way that technical minds can actually use them is a challenge. There is a crossover with the profession of writers who are experts in conveying nonfiction stories. And this is the origin of the schism between technicians and the compliance world. Badly written policies are a security risk, because no one takes them seriously. The purpose of your procedure documentation is


Creative Writing is beneficial for Information Security

René Pfeiffer/ June 19, 2024/ Security, Stories/ 0 comments

Do you like a good movie? Do you enjoy a good book? Your favourites most probably began as a piece of writing. There is a surprising overlap between creative writing, writing code, doing mathematics, and enjoying a well-defined information security configuration. Everything meets at the written word. IT documentation has a terrible reputation. Since it is always one or more steps behind the actual configuration, people prefer reading configurations instead. The magic is to keep changes in sync with your documentation. Another ingredient is to write concisely and to create the right structure. While documenting IT infrastructure is not like writing a script for a movie, it requires describing everything in the right order. You need to make sure people can look things up and find systems and controls required for security. An IT


Online Security is threatened by Politics in the EU

René Pfeiffer/ June 17, 2024/ Communication, Security/ 0 comments

A vote for the EU Chat Control disaster is scheduled again. If the vote passes, then this chat control system will destroy the security of communication platforms for all Internet users, organisations, and companies. Chat control basically disables end-to-end encryption (E2EE). The proposals have been widely discussed, but it seems that the Belgian presidency decided to rush the topic right before the Summer break. Secure communications platforms such as Signal and Threema warned lawmakers. EuroISPA has published a statement of protest as well. E2EE is a cornerstone of information security. The chat control regulation would only affect citizens and businesses. Criminals will always have a way around this. The proposed mass surveillance is a security risk by itself. Nation states conducting espionage will welcome the weakening of the security posture and use it against the


Science Fictions meets Large Language Models

René Pfeiffer/ May 25, 2024/ Conference/ 0 comments

According to the advertising of the manufacturers, using a Large Language Model (LLM) is just like having a conversation with a person. The reality looks different. Google’s AI search has recently recommended gluing pizza together, eating rocks, or jumping off the Golden Gate Bridge when depressed. This is clearly bad advice. Apparently these answers are or were part of the learning process. Incidents like this and the hallucinations of LLM algorithms have been discussed already. Science fiction fans will recall conversations with computer or AI simulations where someone tries to trick the machine into overriding security checks. The Open Worldwide Application Security Project (OWASP) created a list of threats to LLM applications. The target audience is developers, designers, architects, managers, and organizations. Mark Pesce wrote an article about tests with different LLM implementations.


Ross Anderson has died

René Pfeiffer/ March 30, 2024/ High Entropy, Misc

We mourn the loss of security researcher Ross Anderson. His contribution to information security and digital privacy was significant. His book Security Engineering is a cornerstone for everyone diving into the complex world of digital security. Ross taught at the University of Cambridge and Edinburgh University. He was a very prolific writer and published insights into the technological aspects of information security. He will be missed.

DeepSec and DeepINTEL 2024 Call for Papers is open

René Pfeiffer/ March 29, 2024/ Call for Papers

The call for papers is open! DeepSec and DeepINTEL are waiting for your input. We are looking for your talks and trainings. Tell us what you found and tell our trainees how to defend against attacks. Please submit proposals for trainings as early as possible. We try to fill at least half of the training slots before the Summer, so interested persons have some more time to plan their attendance. Our main aim for 2024 is to examine the weaknesses of Large Language Models (LLMs) and explore their potential for exploitation. The obvious way is to use the prompt, but there are ways to influence or poison the training data. We have seen publications and nascent source code doing this. The less obvious way of weaponising these algorithms is to spread disinformation. Generated content


Memory Safety revisited

René Pfeiffer/ March 4, 2024/ Conference

Memory safety is the most important problem in information security. This is something the White House and the NSA want you to believe. The recommendation is to use a different programming language, and all our problems will magically disappear. The proposal sounds a lot like the typical magical bullet solution, just like one of the many marketing promises of vendors since the 1990s. Attacks on memory buffers are the least of your current problems. Attackers use „living off the land“ attacks which use memory-safe scripting languages. If you look at the CWE statistics, then there are lots and lots of input validation errors that will bring down the security of many applications. Most web applications use questionable frameworks that are neither mature nor well-tested. Access to storage systems (SQL or NoSQL) still feature injections


Encryption refreshed, Plans for 2024

René Pfeiffer/ February 6, 2024/ Conference

Computer science is all about automation. Repetitive tasks are best done by machines. This is true for our TLS certificate, but maybe you noticed it expired a few days ago. As always, this was because of an automated task that didn’t do what it was supposed to do. We changed parts of our infrastructure, so a few lines of code were not running on the new hardware. Blame it on ChatGPT, but your browser can trust our certificate again. Last year’s DeepSec conference had a focus on the zoo of artificial intelligence algorithms. The AI revolution has so far only pushed the Large Language Model (LLM) algorithms and a discussion about copyright. The battlefield is real. Researchers from the University of Chicago have published the Glaze and Nightshade algorithms to counter unrestricted harvesting by


DeepSec wishes a Happy New Year 2024!

René Pfeiffer/ December 31, 2023/ Administrivia, Communication

We have been radio-silent throughout December, because post-processing DeepSec and DeepINTEL 2023 took longer than usual. For everyone doing system maintenance, the month of December is also a wonderful opportunity to do some work behind the scenes. Thanks to the security bulletin about SMTP smuggling, there were some additional workarounds that needed attention. There will be another pause until we announce the next call for papers in February 2024. We have not yet decided on the focus. If you have some ideas, let us know. Enjoy the quiet days, and have a good transition into the new year 2024!