About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

2811, 2018

Discussing Threat Intelligence in the City of Spies – DeepINTEL 2018 has started

René Pfeiffer/ November 28, 2018/ Conference, DeepIntel

What’s the best place to discuss security and threat intelligence? Well, according to Austrian investigative journalist Emil Bobi there are over 7,000 spies living and working in Vienna. To quote the article: „Austria has been an international spy hub since the late 19th Century, when people from all parts of the Austro-Hungarian empire flocked to the city.“ Basically it’s ancient tradition going back to the 19th century. During DeepINTEL we will discuss modern threats – advanced, persistent, networked, or otherwise. The focus will be on indicators of suspicious behaviour, the human component of information security, challenges by drone technology, and how to protect sources of information.  

2111, 2018

(Almost) (Pretty) Final ROOTS 2018 Schedule (last beta version) published!

René Pfeiffer/ November 21, 2018/ Administrivia, ROOTS

We have rearranged the ROOTS 2018 schedule to its final form. You may have noticed that it is more condensed. We thought it would be easier to connect, to discuss, and to exchange ideas without the stretch over two days. Furthermore it is easier to have sessions with a specific focus when there is more unallocated time to use. ROOTS 2018 will get its own keynote presentation, too. We are currently sorting out the details. You may wonder why there are so many empty slots. The reason is simple. ROOTS is an academic workshop. All presentations must be submitted formally correct. Then they are reviewed by the programme committee. The submitted content is graded according to the scientific methods used, research topic, evaluation of the results, the conclusion, and so on. After that there

Read More

1911, 2018

Special Offer for “Mastering Web Attacks with Full-Stack Exploitation” Training – get 3 for the Price of 1

René Pfeiffer/ November 19, 2018/ Conference

The DeepSec training Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation by Dawid Czagan has some seats left. Dawid has agreed to give away free access to two of his online courses for everyone booking tickets until Wednesday, 21 November 2018 (2359 CET). This gives you a perfect preparation for penetration testing, software development, and an edge for any bug bounty programmes out there. You can get a glimpse of the online trainings, well, online of course. Every penetration test and every attempt to defend your own assets can’t do without knowledge of web technologies. Since the Web has evolved from being simple HTML content, you absolutely have to know about all layers modern web applications use. The training will give you the means to understand what’s going on, to find bugs, and

Read More

0911, 2018

Last Call for your Web Application Security Training – Break all teh Web and enjoy it!

René Pfeiffer/ November 9, 2018/ Conference, Security

The Internet is full of web applications. Sysadmins used to joke that HTTP is short for Hypertext Tunnelling Protocol, because anything but web content is transported via HTTP these days. It’s the best way to break out of restricted environment, too. So the chances are good that you will need the skills for dealing with all kinds web. Fortunately our training Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation conducted by Dawid Czagan has a few seats left. Don’t get distracted by the title. Focus on the phrase full-stack exploitation. It’s not just about sending HTTP requests and seeing what the application does. It’s all about using the full spectrum of components and technologies used for modern web applications. The training is not only suited for information security researchers. The course addresses REST

Read More

0611, 2018

Binary Blob Apocalypse – Firmware + Cryptography = less Security

René Pfeiffer/ November 6, 2018/ High Entropy, Security

A couple of years ago we had a chat with one of our sponsors, Attingo. They are specialised in data recovery from all kinds of media and in all kinds of conditions. Since vendors keep secrets from the rest of the world, the data rescuers do a lot of reverse engineering in order to decode the mysteries of firmware blobs. Guess what they recommend: Don’t trust important tasks to firmware code! It’s the worst software written on this planet. If software gets something wrong, firmware is the best candidate for big SNAFUs. Solid state disks (SSDs) have recently joined the gallery of failures. Carlo Meijer and Bernard van Gastel have published an article titled Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs). They analysed the implementation of hardware full-disk encryption of

Read More

0311, 2018

DeepINTEL 2018 Security Intelligence Event – Preliminary Schedule is available

René Pfeiffer/ November 3, 2018/ Conference, DeepIntel

It took us longer than anticipated, but the schedule for DeepINTEL 2018 is final and available. The topics covered are ICT risk assessment in interconnected and complex environments, drone threats (to critical infrastructure), drone countermeasures, assessment of digital black markets (you can call them darkweb/crypto markets if you must), live threats to the information industry (based on finding and working with reliable sources in the field), framing HUMINT as an information gathering technique, and how to get started in modern cyber threat intelligence. The speakers will bring in-depth examples from their field of expertise. Given the format of DeepINTEL, the presentation are meant to turn into dialogues where you can directly ask questions and hopefully get answers helping you to understand how to detect and counter threats, and how to collect meaningful data for

Read More

1910, 2018

ROOTS Schedule almost ready, mind your DeepSec Training Tickets, DeepINTEL Schedule is coming up

René Pfeiffer/ October 19, 2018/ Administrivia, Conference

The review process for ROOTS has been completed a few days ago. Proper reviews are hard, this is why it took a bit longer. The accepted papers will be in the schedule at the beginning of next week for we need the redacted abstracts of all presentations. The research topics are worth it, so make sure to check the schedule next week. For all of you looking for in-depth knowledge and hands-on training – please book tickets for our trainings as soon as possible! This is not meant to rush you. We just want to make sure that you get the training you want. Booking last minute is a sure way of making it hard to plan ahead. Furthermore the first courses are filling up. You might not get a seat if you wait

Read More

0910, 2018

Translated Press Release: Systemic Errors as Vulnerabilities – Backdoors and Trojan Horses

René Pfeiffer/ October 9, 2018/ Conference, Discussion, Press, Security

DeepSec and Privacy Week highlight consequences of backdoors in IT Vienna (pts009/09.10.2018/09:15) – Ever since the first messages were sent, people try to intercept them. Today, our modern communication society writes more small, digital notes than one can read along. Everything is protected with methods of mathematics – encryption is omnipresent on the Internet. The state of security technology is the so-called end-to-end encryption, where only the communication partners have access to the conversation content or messages. Third parties can not read along, regardless of the situation. The introduction of this technology has led to a battle between security researchers, privacy advocates and investigators. Kick down doors with Horses In end-to-end encryption the keys to the messages, as well as the content itself, remain on the terminal devices involved in the conversation. This is

Read More

2609, 2018

DeepSec 2018 Talk: IoD – Internet of Dildos, a Long Way to a Vibrant Future – Werner Schober

René Pfeiffer/ September 26, 2018/ Conference, Internet, Security

The Internet of Things has grown. Interconnected devices have now their own search engine. Besides power plants, air conditioning systems, smart (or not so smart) TV sets, refrigerators, and other devices there are a lot smaller and more personal things connected to the Internet. Your smartphone includes a lot of personal conversations, most probably pictures, sound recordings, and a treasure trove of data for profiling. Let’s get more personal. Let’s talk about teledildonics. Teledildonics is the art and technology of remote sex. Call it cybersex (apologies to William Gibson), cyberdildonics (again, sorry, Mr Gibson), or whatever you like. It’s been around for a long time, think decades. The term was used in 1975 by Ted Nelson in his book Computer Lib/Dream Machines. It even has its own conference, called Arse Elektronika (which was first

Read More

2409, 2018

DeepSec 2018 Training: Professional Bug Hunting for Early Bird Millionaires – Sensitive Data Exposure

René Pfeiffer/ September 24, 2018/ Training

DeepSec’s Early Bird Tariff is still valid for today. If you are interested in bug hunting for money, i.e. bug bounties, then you should hurry. Dawid Czagan is conducting a training at DeepSec 2018 where you can learn all you need to get started. If you don’t know what to expect, we recommend one of Dawid’s online courses to get into the mindset. His tutorial on finding sensitive data exposure is available via his web site. In case you are interested, please head over to our ticket shop. Early bird tickets are still available until midnight! 

1209, 2018

Translated Press Release: Bug Bounty Programs – Vulnerabilities as a worthwhile Investment

René Pfeiffer/ September 12, 2018/ Conference, Press

DeepSec Conference offers trainings for security researchers Vienna (pts010 / 04.09.2018 / 08:30) – This year, in addition to lectures about the failing of security measures, the DeepSec In-Depth Security Conference will offer a workshop for finding vulnerabilities. Unfortunately the testing of software in the context of quality assurance is no longer sufficient in the modern, networked world. The prefix “Smart” does not change anything about existing weaknesses. The training is therefore aimed at professionals, already working in development, and at security experts, to specifically strengthen the development of safer products in industry and companies. Complex Technologies and their Susceptibility to Errors Not only since the birth of the Internet of Things modern products can’t manage without software. If you add networking and the high level of complexity of individual parts, this is a

Read More

1109, 2018

Translated Press Release: Intelligence Agencies want to abolish Information Security

René Pfeiffer/ September 11, 2018/ Conference, Press

https://www.pressetext.com/news/deepsec-konferenz-veroeffentlicht-programm-fuer-2018.html DeepSec Conference criticizes the open Attack on secure End-to-End Encryption Vienna (pts014/21.08.2018/09:25) – Ever since security measures have been in existence, there have been discussions about their benefits and their strength. In digital communication, the topic of back doors keeps coming up. In the analog world high quality locks are desired to protect against theft. In the digital world this may now change. The Five Eyes (i.e. the intelligence services of the United States, the United Kingdom, Australia, New Zealand, and Canada) want to force all countries around the world to implement duplicate keys, thus to implement back doors, in their encrypted communication. For this purpose, at the end of August, a meeting of the Five Eyes Ministers of the Interior took place in Australia. This proposal has serious disadvantages for the economy

Read More

1109, 2018

Whatever happened to CipherSaber?

René Pfeiffer/ September 11, 2018/ High Entropy

Some of you still know how a modem sounds. Back in the days of 14400 baud strong encryption was rare. Compression was king. Every bit counted. And you had to protect yourself. This is where CipherSaber comes into play. Given the exclusive use of strong cryptographic algorithms by government authorities, the CipherSaber algorithm was meant to be easy enough to be memorised, and yet strong enough to protect messages from being intercepted in clear. It is based on the RC4 algorithm. According to the designer CipherSaber can be implemented in a few lines of code. Basically you have crypto to go which cannot be erased from the minds of the public, because it is readily available. That’s where the name came from. It is modelled after the light sabers found in the Star Wars

Read More

0709, 2018

DeepSec Training: Bug Bounty Hunting – How Hackers Find SQL Injections in Minutes with Sqlmap

René Pfeiffer/ September 7, 2018/ Security, Training

In a previous article we talked about the Bug Bounty Hunting training by Dawid Czagan at DeepSec 2018. In case you do now know what to expect, there is a little teaser consisting of a full blown tutorial for you. Dawid has published as video tutorial that shows you how to use Sqlmap in order to find SQL injections. It serves as a perfect example of what to expect from his two-day training and what you absolutely need to play with for preparation. DeepSec trainings are in-depth, not superficial. Dawid’s training will go into much deeper detail. Software developers are well advised to use attack tools against their own creations. It helps to understand what error conditions your code might be in and what you have to do when sanitising data. SQL injection attacks

Read More

0609, 2018

Translated Press Release: DeepSec Conference releases Schedule for 2018

René Pfeiffer/ September 6, 2018/ Conference, Press

Focusing on the Insecurity of Things and infrastructure Vienna (pts014 / 21.08.2018 / 09:25) – This year’s DeepSec In-Depth Security Conference will focus on the topic of Insecurity of Things (IoT) and components of everyday infrastructure. The ever-advancing networking opens up completely new ways for attackers – faster than developers and manufacturers can fix bugs. Instead of using secure design for products and code, machine learning and artificial intelligence are integrated – unfortunately, implemented using convenient statistics and the algorithm of the week from the daily menu of the development kit. The presentations at the DeepSec conference will therefore put the alleged technologies of the future to the test. Mobile networks, the Internet of Things, collaboration platforms in the cloud, customer relationship management systems and the human factor are in the cross-hairs. Smart is

Read More