About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

0502, 2020

DeepSec Support for BSidesLondon Rookie Track 2020

René Pfeiffer/ February 5, 2020/ Administrivia, Conference

We will support the BSidesLondon 2020 Rookie Track again. Talents need our support, and information security research knows no borders and no perimeter (ask the pentesters!). So we would like to keep up the tradition of lending a hand, hopefully beyond 2020. The best rookies will get the chance to attend DeepSec and to hold a presentation there. If you want to be one of the rookies, then head to the Rookie Track CFP 2020. Submit your idea! Present your project! In case you have a lot of experience and want to share this treasure with others, consider becoming a mentor for the rookies. The BSidesLondon Mentor Application 2020 is open. Presenting must be practised. However practice without proper training is quite difficult. This is where the mentors come in. To quote from the

Read More

0102, 2020

DeepSec, DeepINTEL, and ROOTS in 2020

René Pfeiffer/ February 1, 2020/ Administrivia, Call for Papers, Conference, DeepIntel

We took some time off to deal with the administrative side of running the DeepSec conference. Additionally some of us were engaged in project work. 2020 started early this time. There is a lot to do behind the scenes, especially in times where reading the news doesn’t help you to navigate the rest of the year. We also finished the travel plans for the year, so we will have some information where and when to connect to DeepSec. The most important information for you: There will be a DeepSec & DeepINTEL conference in 2020. There will also be a Reversing and Offensive-oriented Trends Symposium (ROOTS) again in 2020. The call for papers are in preparation and will open in two weeks. The dates are as follows: DeepSec Trainings 17/18 November 2020 DeepINTEL Conference 18

Read More

2112, 2019

Save the date: DeepINTEL / DeepSec 2020 – 17 to 20 November

René Pfeiffer/ December 21, 2019/ Administrivia, Conference

We fixed the dates for DeepINTEL and DeepSec 2020. As promised there will be no collision with Thanksgiving. DeepINTEL 2020 will be on 18 November 2020. The DeepSec trainings will be on 17/18 November 2020. The DeepSec conference will be on 19/20 November 2020. The Calls for Papers will open in February 2020. Have a rest and enjoy the holidays! We are looking forward to see you in Vienna (again)!

2810, 2019

Scheduled Maintenance for Web Site and Blog

René Pfeiffer/ October 28, 2019/ Administrivia

Today there will be an interruption of power supply and network connectivity. The systems affected are our web site and our blog. While the downtime is scheduled and part of our maintenance, the reason for the downtime was not. It has to do with rain, pipes, and queues. To quote Marcus Ranum: As security or firewall administrators, we’ve got basically the same concerns [as plumbers]: the size of the pipe, the contents of the pipe, making sure the correct traffic is in the correct pipes, and keeping the pipes from splitting and leaking all over the place. Of course, like plumbers, when the pipes do leak, we’re the ones responsible for cleaning up the mess, and we’re the ones who come up smelling awful. Rain, gravitation, the size of pipes, and sediments came to

Read More

2708, 2019

Deadline for ROOTS 2019 Call for Papers extended

René Pfeiffer/ August 27, 2019/ Conference

Good news for all academics haunted by perpetual deadlines: We have extended the Call for Papers of ROOTS 2019! We will accept late submissions for  the ROOTS review. However you have to submit your proposal until 23 September 2019! We need time to review, so don’t be late. If you are working on a research project and want to share your efforts so far with us, please consider submitting a project presentation via email. Last year we started to assign free presentation slots for project status presentations and feedback session. Research is a team effort, so getting in touch with colleagues can be very beneficial for your work and the work of others. Let us know what you are working on!

2608, 2019

DeepSec Training: Black Belt Pentesting / Bug Hunting Secrets you’ve always wanted to know

René Pfeiffer/ August 26, 2019/ Conference, Security, Training

The Web and its technologies have become the perfect frontier for security experts for finding bugs and getting a foothold when doing penetration tests. Everything has a web server these days. And everything web server will happily talk to web clients. The components involved are more than just simple HTML and JavaScript. The developer notion of doing things full stack requires security experts to do the same. This is where our DeepSec 2019 training session Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation by Dawid Czagan comes into play. Dawid Czagan will show you how modern applications work, how they interact, and how you can analyse their inner workings. He will enable you to efficiently test applications, find bugs, and compile the set of information needed to fix the

Read More

1908, 2019

DeepSec Training: Black Belt Pentesting / Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

René Pfeiffer/ August 19, 2019/ Conference, Training

Web applications are gateways for users and attackers alike. Web technology is used to grant access to information, public and sensitive alike. The latest example is the Biostar 2 software, a web-based biometric security smart lock platform application. During a security test the auditors were able to access over 1 million fingerprint records, as well as facial recognition information. How can you defend against leaks like this? Well, you have to understand all layers of the application stack. Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks and maximize your payouts. Say no to classic web application hacking. Join the training session at DeepSec 2019 and take advantage of Dawid Czagan’s unique hands-on exercises and become

Read More

1408, 2019

DeepSec 2019 Preliminary Schedule is online

René Pfeiffer/ August 14, 2019/ Conference

We have reviewed all submissions, and we have published the preliminary schedule. It wasn’t easy to pick, because we received more submission than in the years before. Even though we start the reviews early, as soon as they arrive, it usually takes a couple of days to get to a stable version. The process is very similar to other forms of content creation with components, such as software development, or creative/technical writing. The most important fact is the preliminary schedule of DeepSec 2019. You can view it online. We are working on a new calendar export, so that you can view it on the go as well. Some slots are still vacant. The reason is the ongoing review process, and cancellations due to conflicts regarding our speakers. We will fill the remaining slots during

Read More

0108, 2019

Thanks for your Submissions for DeepSec 2019! Schedule is coming up soon.

René Pfeiffer/ August 1, 2019/ Call for Papers, Conference

Thank you for your wonderful work and your submissions for DeepSec 2019! We know that preparing an abstract is a lot of work (given that you had lots of work before in order to be able to write a summary). 2019 has broken the old record. We have received more submissions for presentations and workshops than we can stuff into the current two-day conference. We would need two weeks to present all the content your submitted. We did a lot of reviewing in the the past weeks, but give us some more days to sort everything out. Judging from your abstracts DeepSec 2019 will be great again! 😅

3107, 2019

Last Call: DeepSec 2019 Call for Papers ends today!

René Pfeiffer/ July 31, 2019/ Call for Papers

If you ware interested in presenting at DeepSec 2019, then you have 12 hours left to submit your proposal. It will get tough, because we have received a lot of submissions already, and we are currently hard at work reviewing all of them. Nevertheless your content counts! Submit your presentation or your research. Do not forget that your research can also be submitted for the Reversing and Offensive-oriented Trends Symposium 2019 (ROOTS) by using the ROOTS Call for Paper submission. Your presentation about the intertwined world of geopolitics and information security for DeepINTEL 2019 should go via email to use. You can use cfp (at) deepsec (dot) .net or simply deepsec (at) deepsec (dot) net.

1207, 2019

Thoughts on Geopolitics and Information Security

René Pfeiffer/ July 12, 2019/ Call for Papers, DeepIntel, Discussion, High Entropy

Geopolitics is a rather small word for very complex interactions, strategies, tactics, and the planning (of lack thereof) of events. Reading about topics connected to it is probably familiar to you. Few news articles can do without touching geopolitic aspects. Since politics has less technological content for most people, the connection to information security may not be obvious. Malicious software such as Stuxnet/WannaCry has changed this. Due to the events connected to their outbreak (or attack) the motivations of national agendas on the international stage have created awareness. There is a lot more to explore which is not on the radar of most experts, even in the field of information security. The current trade wars have a major impact on technology and ultimately information security. When it comes to vendors there is a bias

Read More

1107, 2019

Training Teaser: Black Belt Pentesting a.k.a. Bug Hunting Millionaire – Mastering Web Attacks with Full-Stack Exploitation

René Pfeiffer/ July 11, 2019/ Conference, Training

Modern web applications consist of far more components than HTML content and a few scripts. In turn properly attacking web applications requires a diverse set of skills. You need to know how the back-end and the front-end works. This includes all of the scripting languages, data storage technologies, user interface peculiarities, frameworks, hosting technologies, and many more layers. DeepSec 2019 will feature a full-stack web exploitation dojo enabling you to understand the security of web applications, how to break them, and how to protect them. The training will be hosted by Dawid Czagan, expert in the field. He will guide you through every technology and attack method relevant to information security of web applications such as: REST API hacking AngularJS-based application hacking DOM-based exploitation Bypassing Content Security Policy (CSP) Server-side request forgery Browser-dependent exploitation

Read More

0807, 2019

Reminder – Call for Papers DeepSec & DeepINTEL – Send your submissions!

René Pfeiffer/ July 8, 2019/ Call for Papers

We have been a bit radio silent since BSidesLondon. This is due to the hot weather in Austria, the preparations for the next DeepSec Chronicles book, some interesting features for DeepSec, and of course because of the submissions we received so far. We have a shortlist for the trainings which we will publish in the next few days. The Call for Papers still runs until 31 July 2019. So if you have some idea of how to fix the SKS keyserver infrastructure, know something about nation state hacking, broke a couple of things, have angered software developers by putting their code to the test, or have some general and very specific information to share, then send us your submission! The focus of DeepINTEL 2019 will be on the geopolitical aspects of information security. This

Read More

2505, 2019

Use Handshake Data to create TLS Fingerprints

René Pfeiffer/ May 25, 2019/ Discussion, Security

While the whole world busily works on the next round of the Crypto Wars, the smart people work on actual information security. TLS has always been in the focus of inspection. Using on-the-fly generated certificates to look inside is a features of many gadgets and filter applications. Peeking at the data is moot if you control either the server or the client. If you have to break TLS on purpose (hopefully) inside your own network, you probably have to deal with software or system you cannot control. In this case TLS is the least of your security problems. Dealing with a lot of network traffic often uses a metadata approach in order not to process gigantic amounts of data. Enter TLS fingerprinting. The TLS handshake contains a lot of parameters such as version numbers,

Read More

2405, 2019

Getting ready for BSidesLondon – Support the Rookie Track!

René Pfeiffer/ May 24, 2019/ Security

Deadlines are great. They serve as a great syscall. Everything must be ready and be written to disk. The schedule of BSidesLondon was already stored and forwarded. Have a look! It’s worth it! The titles sound great. We recommend having some IPv6 as a starter (IPv4 is really getting scarce these days). The main dish should have some pieces of cloud platforms, RF hacking, SOCs, and power grid. Emotet, GPUs, and Windows Event Log forensics. Don’t forget to support the rookies by attending their presentations. They put a lot of effort into the preparation, and they have lots of interesting topics ready for you. The 15 minute slots are great to get an in-depth introduction into the topic. In addition the rookies rely on the feedback of everyone of you, especially the exploit-hardened veterans

Read More