About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

0911, 2016

Screening of “A Good American” in Vienna with Bill Binney

René Pfeiffer/ November 9, 2016/ Discussion, High Entropy, Security Intelligence

There will be a screening of the documentary A Good American in Vienna tomorrow. We highly recommend watching this film, even if you are not directly connected to information security. Threat intelligence has far-reaching consequences, and in the case of the world’s biggest intelligence agency it also affects you. A Good American will be shown at 1000, Village Cinema Wien Mitte, and at 1600, Audimax of the Technische Universität Wien (you need to send an email with a RSVP to attend). All of this takes place in the course of a lecture about the topic. Markus Huber and Martin Schmiedecker have kindly organised everything. Bill Binney will be present, too. So you can directly talk to him and ask him questions. We highly recommend not to miss this opportunity.

0311, 2016

IT-SeCX 2016: Talk about Relationship between Software Development and IT Security

René Pfeiffer/ November 3, 2016/ Discussion, Veranstaltung

The IT-SeCX 2016 event takes place on 4 November at the St. Pölten University of Applied Sciences LLC. It’s a night of security talks, held by various speakers from the industry, academic world, and other institutions. We will give a presentation exploring the relationship between the fine art of software development and the dark art of information security. We all know about bugs, glitches, error conditions, and flat failures of software design. There are links between the development cycle and the work of information security experts (or sysadmins who always have to deal with things that break). If you deal with any of these professions mentioned, you should drop by and attend the talk. IT-Security Community Exchange 2016, 4 November 2016, at 1915 – Wechselwirkungen zwischen Softwareentwicklung und IT Security FH St. Pölten Matthias

Read More

0211, 2016

Why you should attend DeepSec 2016 – Last Call

René Pfeiffer/ November 2, 2016/ Conference

There are many reasons to go to DeepSec this year. It doesn’t matter if you worked on your presentation slides on the way to work, got hacked by a nation state, own a smart device, defused cyber weapons, or simply fight the T-Virus in a hospital. The DeepSec conference is the place to be for exchanging war stories (hey, everyone is at cyber war with someone these days) or talking about ideas to do the next project right. Plus we have to celebrate 10 years of DeepSec conferences! Tickets are still available via our online booking service. In case you have problems booking online, please get in contact with us. We can work something out. Looking forward to see all of you in Vienna next week!

0111, 2016

FHOÖ supports DeepSec 2016 Conference!

René Pfeiffer/ November 1, 2016/ Conference

We are glad to announce that the University of Applied Sciences Upper Austria supports the DeepSec 2016 conference! Their motto teaching and learning with pleasure – researching with curiosity fits perfectly to information security. Their courses cover more than just computer science. If you are interested in engineering, economics, management, media, communications, environment, or energy, then you should take a look at their courses. You can talk to students and staff at their booth. They will show your a selection of projects from the field of information security. Don’t hesitate, ask them with curiosity!

2709, 2016

CERT.at supports the DeepSec 2016 Conference

René Pfeiffer/ September 27, 2016/ Conference, Security

We welcome the Computer Emergency Response Team Austria as a support of DeepSec 2016! CERT.at is the primary contact point for IT-security in a national context. CERT.at will coordinate other CERTs operating in the area of critical infrastructure or communication infrastructure. When it comes to incident response, the coordination of any information regarding the event is crucial. CERT.at fulfils this role since 2008. In addition CERT.at is actively involved in security research. Minibis is a tool for automatically building an automated malware analysis station based on a concept introduced in the paper “Mass Malware Analysis: A Do-It-Yourself Kit”. Have a chat with them during the conference. They will host demonstrations and let you see their software tools in action. Of course, in case you ever have to handle incidents you should talk to them

Read More

2009, 2016

Last Call for Early Bird Tickets – DeepSec 2016

René Pfeiffer/ September 20, 2016/ Administrivia, Conference

We are back from 44CON and thoroughly enjoyed our time in London. The keynotes were great. The presenters showed a lot of interesting thoughts and facts you can use for attack and defence. Furthermore the conversations with attendees and speakers were very fruitful. You really cannot plan what you will be talking about. This is why you should attend conferences. And this is why you should book your DeepSec tickets now! Early bird registration is still possible. Make the most out of it. Don’t wait until the last minute! If you are interested in attending workshops, book as soon as possible! Trainings have a minimum number of participants. You have been warned. Either way, we are looking forward to see you at DeepSec 2016!

1009, 2016

Firmware Threats – House of Keys

René Pfeiffer/ September 10, 2016/ Discussion, Security

SEC Consult, our long-term supporter, has updated a report on the use of encryption keys in firmware. These hardcoded cryptographic secrets pose a serious threat to information security. The report features 50 different vendors and has some interesting statistics. The results were coordinated with CERT/CC in order to inform the vendors about the problem. The highlights of the research includes: 40% increase in devices on the web using known private keys for HTTPS server certificates 331 certificates and 553 individual private keys (accessible via Github) some crypto material is used by 500,000 and 280,000 devices on the web as of now The recommendations are crystal clear: Make sure that each device uses random and unique cryptographic material. If operating systems can change account passphrases after initialisation, so can your device. Take care of management

Read More

0509, 2016

Of Clouds & Cyber: A little Story about Wording in InfoSec

René Pfeiffer/ September 5, 2016/ Discussion, High Entropy

In case you ever received a message about our calls for papers, you may have noticed that we do not like the word cyber. Of course we know that it is used widely. Information security experts are divided if it should be used. Some do it, some reject it, some don’t know what to do about it. We use it mostly in italics or like this: „cyber“. There is a reason why, but first let’s take a look where the word comes from. The Oxford Dictionaries blog mentions the origin in the word cybernetics. This word was used in the 1940 by scientists from the fields of engineering, social sciences, and biology. Cybernetics deals with the study of communication and control systems in living beings and machines. Hence the word is derived from the

Read More

0109, 2016

DeepSec 2016 Schedule explained in a Series of Articles

René Pfeiffer/ September 1, 2016/ Administrivia, Conference, Schedule

We have almost finished the reviews of the submissions for DeepSec 2016. The preliminary schedule is already online. Our staff got quite some impatient requests about what to expect from the conference. Due to the sheer amount of submissions it was very difficult to review the content. We really read what you submit. We ask questions; we discuss the focus of the conference. While we try to suggest a motto when sending out the Call for Papers, we never know what the focus will be. It all depends on the presenters and trainers. Hopefully we found the right balance for all of you. Since the schedule is a short summary we have started to compile material about every talk and workshop. The series of articles will start tomorrow. It is a good way to

Read More

3108, 2016

Buy your ticket for 44CON – and go to prison for free!

René Pfeiffer/ August 31, 2016/ Administrivia, Conference, Security

Forget Winter! 44CON is coming! The conference will be 14 to 16 September 2016 in London. The schedule is online. Take a look! This year’s 44CON also features a Capture The Flag (CTF) contest. It is hosted by the UK Ministry of Justice. Your mission, should you decide to accept it, consists of breaking into a prison! 20 teams have announced to participate. Sounds terrific, if you ask us. We will be there as well. So grab a ticket, cross the Channel, and we’ll meet in the lobby or, better yet, at the registration desk. Spread the word!

3108, 2016

Information Warfare: “Breaking News” considered harmful

René Pfeiffer/ August 31, 2016/ Discussion, High Entropy

Eight years ago the stocks of UAL took a dive. Apparently a six year old news article resurfaced via Google. Googlebot, which is used to index news sites, confused one of the most popular web articles of The Sun-Sentinel with breaking news. The story contained the words United Airlines Files for Bankruptcy. Unfortunately a software error turned the date of the original story from 10 December 2002 to 6 September 2008. And so this little piece of misinformation due to the time travel caused a lot of havoc with UAL’s stock price. A little misunderstanding. Fortunately it was not a cyber attack, because the word was used rarely back then. Breaking news can break things, hence the name. It happens with data leaks, password leaks/breaches (depending on which side you are), incomplete reports, social

Read More

2108, 2016

Transforming Secure Coding into Secure Design

René Pfeiffer/ August 21, 2016/ Discussion, High Entropy, Security

Secure Coding is the way to go when you develop applications for the real world. Rename errors and bugs into failures. Turn #fail to #win. Instant karma. In addition there are lots of best practices, checklists, and documents around that will tell you what to anticipate. However the design of an application precedes the code itself. Given the scope and purpose of your product implementing security at the coding stage might be too late. Let us consider an example. The Internet of Things (IoT) is all around us, especially in the information security news sections. While connecting devices to make one’s life easier isn’t a bad idea (just think about writing this article on a networked device and you reading it! Cool, eh?), the connecting parts and the security design should be sound. Smart

Read More

2008, 2016

Preliminary Schedule of DeepSec 2016 – almost done

René Pfeiffer/ August 20, 2016/ Administrivia, Call for Papers, Conference, Schedule

We got over 100 submissions for DeepSec 2016! This is a new record. Consider that we have only room for about 40% of the content. While you may be impatient to hear about the trainings and the talks, please bear with us. We are in the final round of reviews and will have the preliminary schedule ready the day after tomorrow. You will be able to enjoy reading the announcement during your morning coffee break. Promised. To give you a little sneak preview, here are the main topics we will be addressing with the content: cryptography, Internet of Things (IoT), social engineering, threat hunting, the current state of affairs in information security, networking stuff (both wired and wireless), penetration testing, exploit automation, attacking web applications, iOS exploits, physical security, world domination a.k.a. „cyber“ threats,

Read More

0608, 2016

DeepSec 2016 – Thank you for all your submissions!

René Pfeiffer/ August 6, 2016/ Conference, Security

The DeepSec Call for Papers closed on 31 July 2016. We are currently reviewing the content. Thank you very much for your participation! The talks and workshops look awesome. We have a hard time deciding what will be part of the schedule and what has to be postponed. For everyone who has missed the deadline, you can  still submit your talk or training. However we will consider all the others first. Prepare for a fantastic DeepSec 2016!

3007, 2016

DeepSec 2016 Call for Papers – Reminder – 24h to go!

René Pfeiffer/ July 30, 2016/ Call for Papers, Conference, Security

The Call for Papers for the tenth DeepSec conference officially ends in 24 hours. This is a gentle reminder to submit your presentation or your kick-ass workshop.