About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

Save the Dates for DeepSec 2018 and DeepINTEL 2018

René Pfeiffer/ January 24, 2018/ Administrivia, Conference

While everyone was busy with the holidays, Meltdown and Spectre, we did some updates behind the scenes. DeepSec 2018 will be held from 27 to 30 November 2018. We tried not to collide with Thanksgiving, so that you can come to Vienna after being with your family. As always, the first two days will be the trainings followed by two days of conference. DeepINTEL 2018 will be on 17 / 18 September 2018. We have a topical focus for both events and will present each of them in a separate article. There are still some details to work out. Wordsmithing and administrivia are the equivalent of dependencies and patches in software development – necessary, but they take time. It’s worth it, you will see for yourself. We have a special message for anyone who intends


Meltdown & Spectre – Processors are Critical Infrastructure too

René Pfeiffer/ January 6, 2018/ Discussion, High Entropy

Information security researchers like to talk about and to analyse critical infrastructure. The power grid belongs to this kind of infrastructure, so does the Internet (or networks in general). Basically everything we use has components. Software developers rely on libraries. Usually you don’t want to solve a problem multiple times. Computer systems are built with many components. Even a System on a Chip (SoC) has components, albeit smaller and close to each other. 2018 begins with critical bugs in critical infrastructure of processors. Meltdown and Spectre haunt the majority of our computing infrastructure, be it the Cloud, local systems, servers, telephones, laptops, tablets, and many more. Information security relies on the weakest link. Once your core components have flaws, then the whole platform may be in jeopardy. In 2017 malicious hypervisors in terms of


DeepSec 2017 Presentation Slides

René Pfeiffer/ December 1, 2017/ Administrivia, Conference

While the videos are on their way to the rendering farm, the presentation slides for DeepSec 2017 can already be downloaded. We put them online as soon as we get the final version from our speakers. If you do some guessing URL-wise you can also find the presentations of past conferences at the very same spot. Since we collect the final slides after the conference and do not ask speakers to put USB sticks into their computers during the conference, the download repository will fill in time. Unfortunately we cannot speed up this process. So bear with us, we are as curious as you (especially since some of us never get to see any presentation at DeepSec because there is too much to do). As for the videos, all speakers and attendees will also get


DeepSec 2017 thanks you and DeepSec 2018 is almost ready

René Pfeiffer/ November 22, 2017/ Administrivia, Conference, Mission Statement

We caught up on sleep and are right in the middle of post-processing DeepSec 2017. Thanks to you all for attending, presenting, sending feedback, and being part of a great event. The slides will be online soon. The videos are being converted. We will upload them as bandwidth permits. All speakers and attendees will get a code to access them early. Thanks for your feedback as well! We listen, and we have some plans to address the issues you reported. 2018 will see a lot of improvements. We will announce the dates for DeepSec and DeepINTEL 2018 soon. The events will stay in November and September. We just need to coordinate with the venue and will let you know as soon as possible. The Calls for Papers open early in 2018, as does the


Notes on the ROOTS Schedule and the Conference

René Pfeiffer/ November 14, 2017/ Administrivia, Conference, Discussion

We are all set for the conference on Thursday. We did some last minute changes to the schedule due to some speakers running into issues, but we can confirm almost all presentations. You may have noticed the ROOTS schedule. It’s a bit shorter than DeepSec’s, but both events are not competing. The review for ROOTS is a lot harder, because the presentation is about a scientific publication. This means your submission gets peer-reviewed and voted on by the programme committee. We received some content more suitable for, let’s say, standard events. This won’t do, and this is why you see the best submissions of ROOTS published in the schedule. All in all we are very glad to present you high quality presentations from speakers who really know information security. Enjoy! See you at DeepSec!

Screening of “The Maze” at DeepSec 2017

René Pfeiffer/ November 3, 2017/ Administrivia, Conference, High Entropy

We have some news for you. Everyone attending DeepSec 2017 will get a cinematic finish on the last day of the conference. We will be showing The Maze by Friedrich Moser. For all who don’t know Friedrich’s works: He is the director of A Good American which was screened at DeepSec 2015. The Maze is a documentary covering terrorism, counter-terrorism, surveillance, business, and politics. So it’s basically information security in a nutshell. Right after the closing of DeepSec you can enjoy The Maze – with popcorn and hopefully everyone who is attending DeepSec. We have seen the documentary before, and we highly recommend it!

The only responsible Encryption is End-to-End Encryption

René Pfeiffer/ October 30, 2017/ High Entropy, Security

Last week the Privacy Week 2017 took place. Seven days full of workshops and presentations about privacy. This included some security content as well. We provided some background information about the Internet of Things, data every one of us leaks, and the assessment of backdoors in cryptography and operating systems. It’s amazing to see for how long the Crypto Wars have been raging. The call for backdoors and structural weaknesses in encryption was never silenced. Occasionally the emperor gets new clothes, but this doesn’t change the fact that some groups wish to destroy crypto for all of us. The next battle is fought under the disguise of responsible encryption. Deputy Attorney General Rod J. Rosenstein invented this phrase to come up with a new marketing strategy for backdoors. Once you have backdoors in any


Science First! – University of Applied Sciences Upper Austria (FHOOe) supports DeepSec

René Pfeiffer/ October 12, 2017/ Conference, Security

The motto of DeepSec 2017 is „Science first!“. This is expressed by the co-located ROOTS workshop, many speakers from academia, topics fresh from the front lines of research, and a mindset that favours facts over fake content or showmanship. This is why we want to thank the University of Applied Sciences Upper Austria for their continued support of DeepSec! Their motto is Teaching and learning with pleasure – researching with curiosity, which fits nicely into the mindset of most information security researchers. They have a wide range of very interesting research projects. If you are interested in courses or collaboration as a company, let them know. We are happy to support you with your enquiry. Lest you forget: DeepSec offers a steep discount for anyone in academic research – be it student or professor.


DeepSec 2017 Workshop: Hunting The Adversary – Developing And Using Threat Intelligence – John Bambenek

René Pfeiffer/ October 12, 2017/ Conference, Security Intelligence, Training

The arsenal of components you can use for securing your organisation’s digital assets is vast. The market offers a seemingly endless supply of application level gateways (formerly known as „firewalls“), network intrusion detection/prevention systems, anti-virus filters for any kind of platform (almost down to the refrigerator in the office), security tokens, biometrics, strong cryptography (just stay away from the fancy stuff), and all kinds of Big Data applications that can turn shoddy metrics into beautiful forecasts of Things to Come™ (possibly with a Magic Quadrant on top, think cherry). What could possibly go wrong? Well, it seems attackers still compromise systems, copy protected data, and get away with it. Why is that? Easy: You lack threat intelligence. Security often doesn’t „add up“, i.e. you cannot improve your „security performance“ by buying fancy appliances/applications and


Google supports DeepSec 2017

René Pfeiffer/ October 12, 2017/ Conference, Internet

You have probably heard of Google. Well, you will be hearing more from them if you come to DeepSec 2017. They have agreed to support our conference. They will be on site, and you will be able to talk to them. Every year we aim to give you opportunities for a short-cut, for exchanging ideas, and for thinking of ways to improve information security. A big part of this process is fulfilled by vendors and companies offering services in the information security industry. This includes the many good people at CERTs and the countless brave individuals in the respective security teams. So we hope you take advantage of Google’s presence at DeepSec. See you in Vienna!

DeepSec 2017 Schedule Update, Review Status, Disputes, and Trainings

René Pfeiffer/ September 26, 2017/ Administrivia, Conference, High Entropy

The DeepSec 2017 schedule is still preliminary. We are almost done, and we have a small update. Some of you have noticed that the schedule featured a training about mobile security. The outline as shown in the schedule was identical to a different course from a different trainer. We received a complaint, we got the course materials to compare, and it turned out that only the outline of the workshop as shown online was identical, and the original table of contents was not part of the submission we received during the call for papers. The dispute has been settled. The trainer has apologised to the creator of the original table of contents. Nevertheless the trainer has asked to withdraw his submission. This means we will try to replace the slot in the schedule


DeepSec 2017 Early Bird Tariff ends on 25 September

René Pfeiffer/ September 22, 2017/ Administrivia, Conference

The early bird tariff for DeepSec 2017 (and ROOTS) ends on 25 September 2017. We recommend buying your ticket now. Save some money! In addition we ask you to book the workshop you want to visit as early as possible! Every year we see sad faces, because the workshop of your choice had to be cancelled. Our trainers need a minimum number of attendees. Some trainers need to catch flights and spend good parts of a whole day travelling. They can’t come to Vienna if the minimum number of trainees is not met. So do yourself a favour, make up your mind now, and book the training you want to have. In case you cannot use online payment, let us know. We can invoice the ticket to you directly, if needed. Just drop us


Workshops, Trainings, Talks: DeepSec and ROOTS Schedule Update

René Pfeiffer/ September 20, 2017/ Administrivia, Conference

As you might have noticed, the DeepSec schedule is not complete yet. Furthermore the ROOTS schedule is not published at all. The reason for this is the still-pending reviews. The major part concerns ROOTS. ROOTS is an academic workshop where academic publications are presented. There has been some confusion about the term workshop. In the context of ROOTS this means presentations. This is why we have replaced the word workshops on the DeepSec web site and in (hopefully) all texts with the word training. Trainings are the two-day, well, trainings in advance of the DeepSec conference days. ROOTS features presentations, also called workshops in ROOTS-context, as does the DeepSec conference (on the conference days). So we have trainings (the two-day training courses; one, the ARM exploit laboratory, is for three days, be careful)


44CON revisited: Secure Design in Software is still a new Concept

René Pfeiffer/ September 20, 2017/ High Entropy, Interview, Security

We have been to 44CON, and we returned with lots of ideas and scary news about the state of security in devices and applications. Given the ever spreading Internet of Things (IoT) you can see why connecting random devices via a network with no second thoughts about design, updates, or quality control is a bad idea. Don Bailey illustrated this perfectly in the keynote titled The Internet of Us. His presentation touched all of information security, but IoT played a prominent role. We are really surrounded by the Internet of SIM cards (which we sadly cannot call IoS). This opens up a new perspective and demystifies the IoT hype. You should watch Matt Wixey’s talk Hacking invisibly and silently with light and sound as soon as the videos are published. Matt discussed hardware hacking


DeepSec 2017 Training: The ARM IoT Exploit Laboratory

René Pfeiffer/ August 29, 2017/ Conference, Security, Training

If the Internet of Things (IoT) will ever leave puberty, it has to deal with the real world. This means dealing with lies, fraud, abuse, exploits, overload, bad tempered clients (and servers), and much more. Analysing applications is best done by looking at what’s behind the scenes. IoT devices, their infrastructure, billions of mobile devices, and servers are powered by processors using the Advanced RISC Machine (ARM) architecture. This design is different from the (still?) widespread Intel® x86 or the AMD™ AMD64 architecture. For security researchers dealing with exploits the change of design means that the assembly language and the behaviour of the processor are different. Developing ways to inject and modify code requires knowledge. Now for everyone who has dealt with opcodes, registers and oddities of CPUs, this is nothing new. Grab the
