About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

DeepSec Schedule updated, Time-Shift introduced, Theory of General Relativity still valid

René Pfeiffer/ November 18, 2020/ Conference/ 0 comments

We have verified the DeepSec schedule and did some changes. The layout looks a bit shifted. The reason is a time-shift between the two DeepSec main tracks Left Pirouette and Right Pirouette (named after the rooms in our long-time conference hotel). Since we have set up our mission control in our office and lack the space to have two session chairs use the stage and the camera feed simultaneously the two tracks need to be time-shifted. The presentations in the Left Pirouette start 20 minutes later than the presentations in the Right Pirouette. We tried hard to avoid this, but the current configuration requires adding this feature to the schedule. The two tracks overlap any way, so if you are interested in either talk, then you have to make up your mind with or

Read More

DeepSec Keynote: DevSecBioLawOps and the current State of Information Security

René Pfeiffer/ November 13, 2020/ Conference/ 0 comments

Technology is evolving. This is especially true for computer science and the related information technology branch. When everything is outdated after a couple of months, the wind of change turns into a storm. It also affects the way we work, processes which enable us to get work done, and changes perspectives how we see the world, code, and its applications. Dev, DevOps, and DevSecOps is a good example how these changes look like at the top of the iceberg. Subjectively information security is always a few steps behind the bleeding edge. The word „bleeding“ is a good indication of why this is the case. However, security professionals cannot turn back time and ignore the way the world works. New technology will always get pushed into all areas of our lives until its creators realise

Read More

A Story of Crypto Wars, the Growth on the Internet, and possible future Regulations

René Pfeiffer/ November 9, 2020/ Discussion, High Entropy/ 0 comments

The discussion about how to tackle end-to-end encryption (E2EE) and how to reconcile it with surveillance is almost 30 years old. The very first Crypto War was sparked by the Comprehensive Counter-Terrorism Act of 1991 (no, there is no mention of cryptography in it, because it was the first draft of a series of legislative texts dealing with a reform of the US justice system; have a look at the author of the act). In the following years things like strong cryptography, export bans on mathematics, or the creation of Phil Zimmerman’s Pretty Good Privacy (PGP) were a follow-up. Even the proposal of having the Clipper chip present in telecommunication devices and the concept of key escrow was discussed in the wake of the reform. Sometimes laws have to grow with the technology. All

Read More

Condolences and Sympathies to Families of the Victims #wienATTACK #0211w

René Pfeiffer/ November 3, 2020/ Conference

We wish to express our deepest condolences and sympathies to the families of the victims and wish a speedy recovery to the injured of last nights attacks in Vienna. Our thoughts are with them and the many women and men protecting the everyday life in the city. Vienna is one of the safest cities in Europe. Since 2007 the DeepSec team enjoys bringing you all to this wonderful city. We will continue to do this. Information security is a team effort and so is creating safe places for everyone. Don’t give the extremists the stage. Ignore them and care about the ones deserving your attention. Stay safe, stay healthy!

Administrivia: Update on COVID-19 Regulations concerning DeepINTEL and DeepSec

René Pfeiffer/ November 2, 2020/ Conference

On 31 October 2020 at 1730 the Austrian government held a press release to announce new COVID-19 regulations. Since this press release was only the political message and the actual legally binding regulation is still not published we cannot give you an update yet. We don’t know when the regulation will be published. Given these circumstances we cannot give you any more details, but we are working on it. We hope to have more details on Tuesday/Wednesday. We assure you that we have contingency plans, because we expected this situation a few months ago.

World of Metrics: Trick or Threat? How do you know for sure?

René Pfeiffer/ October 31, 2020/ Conference

Today begins the „darker half“ of the year. The harvesting season has ended. The year ends as well (depending on how you count the days and mark the start of the year). People celebrate Samhain, Halloween, or other festive days. In information security there is always a harvest season, and there is no darker half of the year. 2020 is no exception despite the extraordinary situation given the SARS-CoV-2 outbreak. So how do you decide what exceptions look like? What is a trick? What’s the difference between a trick and a threat? If you supervise any kind of digital infrastructure or set of systems, then these questions are very important. Metrics is a hot topic – an euphemism for a dirty word – in computer science. It is used in other fields as well.

Read More

Administrivia: Welcome to the Vienna Marriott Hotel – DeepSec & DeepINTEL move to a new Location

René Pfeiffer/ October 27, 2020/ Conference

Interesting times call for extraordinary measures. Due to current restrictions DeepSec and DeepINTEL move to a new location. Both conferences will be at the Vienna Marriott Hotel right next to the inner city. The conference is easy to reach and a lot of historic places are in walking distance. Inside the hotel DeepSec and DeepINTEL will be conducted as a hybrid conference. We will have a mixture of on-site and virtual presentations. Information about participating (links and codes) will be sent to you after registration.

Administrivia: DeepSec and DeepINTEL Preparations, Anti-Virus Issues, Schedule, and digital Conference

René Pfeiffer/ October 8, 2020/ Conference

We have been stuck in administrative tasks for the past weeks. So to break the radio silence: Yes, DeepSec and DeepINTEL will happen. We currently prepare the hybrid configuration for the streams and the virtual platforms to bring speakers to the audience and vice versa. The conference hotel has confirmed that we can conduct the event at the usual location. Claiming that things look good is a bit of an exaggeration. Nevertheless we would like to go forward. Exchanging ideas and discussing current threats has never been more important than now. We hope to give you this opportunity, and we hope that you are able to participate. We have also created a couple of mailing lists for informal news, official press releases/articles, and future Calls for Papers to keep you informed. All lists are

Read More

Administrivia: DeepSec 2020 will turn into a hybrid conference

René Pfeiffer/ September 22, 2020/ Administrivia, Conference

The current travel warnings and COVID-19 statistics have an impact on the DeepSec 2020 conference. As we expected, travel is the major obstacle. This means that DeepSec 2020, ROOTS, and DeepINTEL will turn into a hybrid event. We will still be on-site at the conference hotel. Presentations will be on-site and available by our conference streaming platform in parallel. Speakers that cannot be in Vienna will stream their presentations. Everything will be live, and everyone attending physically and virtually can participate. Furthermore, we constantly update our COVID-19 health protection in order to keep you and everyone here in Vienna at the conference safe. Two trainings are already virtually (right from the start). We are exploring which trainings can switch to a virtual mode and will update the schedule accordingly. In case you are interested

Read More

Administrivia: DeepSec 2020, Virtual Content, Travel Warnings, Trainings

René Pfeiffer/ September 16, 2020/ Conference

Reading the news can be very frustrating these days. Not that it was ever fun. We are monitoring the current COVID-19 situation in Europe and abroad. Given the questionable start of the Corona Traffic Light system in Austria, we want to offer you some facts. The training Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation and Mobile Security Testing Guide Hands-On will be virtual. This has been our and the trainer’s decision from the start due to travel regulations. Depending on the travel situation other trainings may switch to a virtual training as well. It depends on the content, and the trainers need to agree. Some of the DeepSec 2020 presentations will be virtual. Again this is due to travel regulations. Most of the presentation will still be on-site

Read More

Reminder for your Training @ DeepSec 2020: Exploiting Race Conditions – Dawid Czagan

René Pfeiffer/ September 15, 2020/ Conference

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multithreading.  As a result of this attack an attacker, who has $1000 in his bank account, can transfer way more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. If you develop or use software connected to a network, then this is for you. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how this attack works and tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation” (DeepSec 2020; mind the date

Read More

Administrivia: COVID-19 and Schedule Update

René Pfeiffer/ September 15, 2020/ Conference

We have been busy working on the schedule, the preparations for DeepSec/DeepINTEL, and our COVID-19 protection plan. As you may know, Austria has introduced a Corona „traffic light“ system to mark the spread of COVID-19 cases. We have added a section to our COVID-19 countermeasures describing what the traffic light colours mean. Since we rely on our own protection measures based on guidelines by health experts, DeepSec and DeepINTEL can happen unless a total lock-down is in place. The schedule has some updates. We have added two new presentations. Denis Kolegov will dissect IPSec UDP, a custom undocumented VPN protocol. It lacks the cryptographic strength and perfect forward secrecy. The protocol has severe flaws which allows attackers to reconstruct the keys and decrypt the whole network traffic. In addition Paula de la Hoz will

Read More

Reminder for your Training @ DeepSec 2020: Bypassing CSP via ajax.googleapis.com – Dawid Czagan

René Pfeiffer/ September 11, 2020/ Conference

Content Security Policy (CSP) is the number one defensive technology in modern web applications. A good CSP offers a lot of possibilities, but it is hard to develop. Mistakes are common, too. Many developers add ajax.googleapis.com to CSP definitions, because they use libraries from this very popular content distributions network (CDN) in their web applications. The problem is that it completely bypasses the CSP and obviously you don’t want that to happen. Since CSP should be part of any modern application, you better get to work and brush up your knowledge. In a free video Dawid Czagan (DeepSec Instructor) will show you step-by-step how your CSP can be bypassed by hackers. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web

Read More

Administrivia: Updated COVID-19 counter measures document

René Pfeiffer/ September 9, 2020/ Conference

In software development and system administration some data sets are periodically updated. This is true for our COVID-19 counter measures document. We updated some sections and whacked our reverse proxy a bit (i.e. reduced the caching limits). We can’t do much about the travel regulations and your company policy, but we gone through great efforts to make your stay at DeepSec and DeepINTEL as safe as possible. 1918 is the new 1984. Stay healthy! Keep yourself air-gapped!

Reminder for your Training @ DeepSec 2020: Token Hijacking via PDF – Dawid Czagan

René Pfeiffer/ September 9, 2020/ Conference

PDF files are everywhere. No day goes by without someone having used a PDF document. This is why PDF files are the perfect hacking tool. They can even be used to hack your web application. Imagine that the attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user reads this PDF file, and finally sensitive data is exfiltrated from the user’s browser. It’s scary, isn’t it? In a free video Dawid Czagan (DeepSec Instructor) will show you-step-by step how this attack works and how you can check if your web application is vulnerable to this attack. Watch this free video and feel the taste of Dawid Czagan’s Live Online Training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with

Read More