About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

Memory Safety revisited

René Pfeiffer/ March 4, 2024/ Conference/ 0 comments

Memory safety is the most important problem in information security. This is something the White House and the NSA want you to believe. The recommendation is to use a different programming language, and all our problems will magically disappear. The proposal sounds a lot like the typical magic bullet solution, just like one of the many marketing promises of vendors since the 1990s. Attacks on memory buffers are the least of your current problems. Attackers use „living off the land“ attacks which use memory-safe scripting languages. If you look at the CWE statistics, then there are lots and lots of input validation errors that will bring down the security of many applications. Most web applications use questionable frameworks that are neither mature nor well-tested. Access to storage systems (SQL or NoSQL) still features injections

Encryption refreshed, Plans for 2024

René Pfeiffer/ February 6, 2024/ Conference/ 0 comments

Computer science is all about automation. Repetitive tasks are best done by machines. This is true for our TLS certificate, but maybe you noticed it expired a few days ago. As always, this was because of an automated task that didn’t do what it was supposed to do. We changed parts of our infrastructure, so a few lines of code were not running on the new hardware. Blame it on ChatGPT, but your browser can trust our certificate again. Last year’s DeepSec conference had a focus on the zoo of artificial intelligence algorithms. The AI revolution has so far only pushed the Large Language Model (LLM) algorithms and a discussion about copyright. The battlefield is real. Researchers from the University of Chicago have published the Glaze and Nightshade algorithms to counter unrestricted harvesting by

DeepSec wishes a Happy New Year 2024!

René Pfeiffer/ December 31, 2023/ Administrivia, Communication/ 0 comments

We have been radio-silent throughout December, because post-processing DeepSec and DeepINTEL 2023 took longer than usual. For everyone doing system maintenance, the month of December is also a wonderful opportunity to do some work behind the scenes. Thanks to the security bulletin about SMTP smuggling, there were some additional workarounds that needed attention. There will be another pause until we announce the next call for papers in February 2024. We have not yet decided on the focus. If you have some ideas, let us know. Enjoy the quiet days, and have a good transition into the new year 2024!

Thanks for attending DeepSec and DeepINTEL 2023!

René Pfeiffer/ November 24, 2023/ Administrivia, Conference, DeepIntel/ 0 comments

DeepSec 2023 ended a week ago, and it was amazing! We shout out a big thanks to all the speakers and all the attendees who made the conference memorable! Usually there is a period of several days after the conference where you hear nothing from us. We are not hibernating; we are in full post-production mode. Office life has caught up with us. The video material is currently being prepared for upload. Everyone who attended the conference will get early access to the presentations. Bear with us. We will send a notification once everything is ready. For everyone who missed the closing presentation, here are the dates for our events in 2024. Open your calendar, mark the dates. Also, do not forget to book early! We have a limit because of the conference venue safety regulations.

DeepSec 2023 – ENOMEM/EFBIG – Tickets sold out!

René Pfeiffer/ November 8, 2023/ Administrivia, Conference/ 0 comments

This is the first time for us. The tickets for attending DeepSec on-site at the conference hotel are exhausted. We have no room to spare. You can only book training tickets (i.e. training without the conference) or tickets for accessing the live streams. Existing orders are still valid and will be processed. We have to take this step, because the space at the conference hotel gets too crowded. Furthermore, we have some limits regarding event security, and contrary to cloud platforms, we cannot sell more capacity than we have. Please consider accessing the live streams if you want to follow the presentations. You will also have the means to comment and ask questions. The stream access will also give you full access to all the recordings once we have finished post-processing.

Learn Incident Response by playing a Role-Playing Game

René Pfeiffer/ November 6, 2023/ Security/ 0 comments

Simulations can be boring. What about combining a thought experiment with a game that brings fun? Enter role-playing games for incident response! Klaus Agnoletti will show you how this works. He will host an incident response role-playing session on the first conference day (16 November 2023) at 1900. The session will take place in the Third Person track. The game is heavily inspired by the (Advanced) Dungeons & Dragons games. You do not need to bring anything except your interest and some curiosity. The session simulates an incident in a fictitious company, and players have roles like CMO, CISO, CFO, system architect, etc. The aspects of the incident gameplay are explored broadly and aren’t just limited to the technical parts of an incident. The session lasts about two to three hours, depending on your

DeepSec on Air – Live on Radio Orange, 1000 (CEST), 6 November 2023

René Pfeiffer/ November 4, 2023/ Communication, Conference/ 0 comments

We do not maintain a podcast or a video streaming channel. It’s hard enough to keep up with writing texts. On Monday, 6 November 2023, at 1000 (CEST) there will be a live broadcast. We will talk about the upcoming DeepSec and DeepINTEL events, the topics on the DeepSec schedule, and many more aspects. If you can spare an hour of your time, you can listen to us. The conversation will be in German, though. Maybe some stochastic parrot with a filter can produce a transcript later. The show announcement can be found on the Radio Orange web site. For the sake of convenience, here is a quote: DeepSec 2023 takes place from 14 to 17 November, DeepINTEL follows on the 15th, and in between the Third-Person-Track does its thing. Vier Tage, an denen im Rahmen von

Fight the EU Law for attacking Cryptography

René Pfeiffer/ November 4, 2023/ Security/ 1 comment

The Crypto Wars have been one topic that DeepSec keeps addressing in public. The conference and our blog document countless attempts to weaken algorithms, introduce mandatory back-doors, and compromise operating systems. The European eIDAS (electronic IDentification, Authentication and trust Services) regulation is a proposal under which all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments. This destructively changes the IT security landscape. To quote from Mozilla’s open letter: These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU. Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust

Global Encryption Day 2023

René Pfeiffer/ October 21, 2023/ Security/ 0 comments

Wshpq mu Fknadp Icuvaoshnq Hen. Wreqxoslsr xk spd ne ski fjapfhmf aosgzk sh hmenuqeiasp rdbtumxn. Omvgnts hrggqtvhnm, skivt oswkc ad qs att wjnor, mr wirmvg ldrrdkmcy, rq dkdbwvscag dzmjhqk, rd hvqsdbslsr dx wgbqdsv altf xtzmrehvvxfk cmc rsrvmcy mpenqldxmdf. HgdoRdf lehs pqmf sqdhmiasp ne roheoxfk km ezuryv dx gtxosnjveezc. Yd gzc ryv usmt rgzqh sj ejiudmszwmsck hgzkhmj amiz ftdzjhqk eaysthsglv ers xmpchmf ipelk mp sgdl. Wli umpn eqnmwep plxcbj ax wli Tmvqodzm Fsqbawuhnm nq irrjcrshnm ec esvmpf azbnhsdjw vn bnlpyrxuevhnm chzmrww ugnvr wlei kietqd brqqjfmezshnq mw cgx c fhudq vmvzx. Ks ltrw fi swjgmcdc wshpq, xqlnqqra, ecv mp sgd exxygw. Ipbqxowmsc xeedr sguieik, fqsg nkg ers fiy. Lzjd bsyg nskbd gddvh pfh vdkk hw xs izi ynqkc! Rv ftlxgq xds: Fsrijmdtsd slqi, uarcmbhzo wyehsts, nq tvi icuvaoshnq mr ejsftbsr dpp dx xjd shlh. Hikwpqodqr uipn

DeepSec Training: Improve your Pen-Testing Skills for Mobile Devices

René Pfeiffer/ September 29, 2023/ Conference, Training/ 0 comments

Mobile devices are a common tool for businesses and private users. We have become accustomed to carrying Internet-enabled devices with us. How do you test if your device is secure? What is the best way to find security weaknesses? Mobile security testing requires different tools and different knowledge of the platform and the applications involved. DeepSec 2023 offers a training to get you started with pen-testing all things mobile. The focus is on Android and iOS apps. Sven Schleier will help you to analyse apps, intercept network traffic, and identify weaknesses that can be turned into exploits. The course is a deep-dive into mobile technology. It also helps you when you need to bypass SSL pinning, Touch ID, Face ID, or similar barriers. Circumventing anti-jailbreaking technologies is covered, too. The skills are absolutely

Early Bird Tickets turn into „Last of Us“ – get them while available

René Pfeiffer/ September 15, 2023/ Conference

Grab your early bird tickets quickly before they run out! Our ticket shop will switch to the regular tickets soon (on Tuesday). If you still need to sort out your budget, here is a way to save money. You can also send us your order before the deadline in order to get the early bird tariff. Join DeepSec 2023 in November and improve your odds of beating security incidents. A good defence rests on knowledge and exchange of information. Get in contact with security experts from all over the world! See you in Vienna!

DeepSec 2023 Streaming Tickets available

René Pfeiffer/ September 12, 2023/ Conference

COVID-19 forced us to explore the wonderful world of streaming and to review our video equipment. Since 2020, all DeepSec conferences feature live streams. The processes behind the streams are now mature. This means that you can attend DeepSec virtually. Our ticket shop now has streaming video tickets for you. This ticket allows you to watch the live streams and to get early access to the post-processed presentation videos once we have uploaded them. The live streams also let you get in contact with the speakers by asking questions. You just use the chat function and ask what you want to know. Click and join us!

DeepSec 2023 preliminary Schedule published

René Pfeiffer/ August 25, 2023/ Administrivia, Conference

The first version of the DeepSec 2023 schedule has been published. We are still stuck in reviews, so there will be some more updates in the coming weeks. Especially the third track with technical sessions and presentations will see some updates. Read some more on the technical track in one of our next blog articles. We received a lot of submissions, so we are very grateful for your support and the great ideas you sent us. Because of the limitations of our schedule, the reviewers had a hard time making a selection. The final status of all submissions will be sent to all submitters within the next few days. The following weeks will feature every presentation in more detail with an interview or an article about the content. The mix of topics is definitely the

AI Content Harvesting without Opt-Out? Goodbye, Zoom!

René Pfeiffer/ August 7, 2023/ Conference

DeepSec has used the Zoom videoconferencing tool since 2020. It was really helpful for the 100% online conferences back then. Apparently, Zoom has changed its terms of service. The new version is completely unacceptable for any conference. This means we are leaving Zoom, and we recommend you do the same. The reason is the ongoing „AI pandemic“. Content is king, but content theft is the emperor these days. If you look at the Zoom terms of service and read chapter 10.4, you see that Zoom likes to use everything you do via the platform for any use the company can think of. There is no opt-out, it seems. We have ended our subscriptions and will delete our account. We will switch to OpenTalk, which is GDPR-compliant and hosted in European data centres. OpenTalk is

DeepSec Scuttlebutt: Fun with Fuzzing, LLMs, and Backdoors

René Pfeiffer/ July 31, 2023/ Call for Papers, Scuttlebutt

[This is the blog version of our monthly DeepSec Scuttlebutt musings. You can subscribe to the DeepSec Scuttlebutt mailing list, if you want to read the content directly in your email client.] Dear readers, the summer temperatures are rising. The year 2023 features the highest measured temperatures in measurement history. This is no surprise. The models predicting what we see and feel now were created in the 1970s by Exxon. So far, the model has been quite accurate. What has this to do with information security? Well, infosec also uses models for attack and defence. The principles of information security have stayed the same, despite the various trends. These are the building blocks of our security models. They can be adapted, but the overall principles have changed little from two-host networks to the
