About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

1511, 2022

Reminder for virtual Training: Exploiting Race Conditions

René Pfeiffer/ November 15, 2022/ Security, Training

A race condition attack is one of the most dangerous and underestimated attacks on modern web applications. It’s related to concurrency and multi-threading. Because of this attack, an attacker who has $1000 in his bank account can transfer more than $1000 from his bank account. This is just one example, but it clearly shows how dangerous this attack is. In a free video Dawid Czagan (DeepSec instructor) will show you step by step how this attack works and will tell you how to prevent this attack from happening. Watch this free video and feel the taste of Dawid Czagan’s live online training ”Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation”- Because of our hybrid configuration of DeepSec for trainings and the conference, the Mastering Web Attacks with Full-Stack Exploitation

Read More

1511, 2022

DeepSec 2022 Trainings have started

René Pfeiffer/ November 15, 2022/ Security, Training

The DeepSec trainings have started. Today is the first day. The topics cover attacking modern desktop applications, network threat hunting, incident response, creating malicious office documents for offensive tests, and secure code review. The spectrum covers a lot of content, and it will be very helpful for defending the information security landscape. One of our trainings can still be booked. The workshop titled “Web Hacking Expert: Full-Stack Exploitation Mastery” by Dawid Czagan has been postponed to 28/29 November 2022. It will be an online training. You can take part virtually. Bookings are still possible via our ticket shop.

0811, 2022

DeepSec 2022 Keynote: Complexity killed the Cat

René Pfeiffer/ November 8, 2022/ Conference

Complex systems is not a term indicating that you have stopped to understand something. The colloquial phrase „it’s complicated“ is often used as a joke. Complex systems have their own science. Information technology has managed to make our daily life easier. Applications manage vast amount of data, communication protocols transport countless numbers of messages, systems just work, and everything is fine. The problem is that code usually grows and never shrinks. This has implication for software development and for information security. The keynote will take you on a tour through complex systems, complexity, the limits of growth, and how the consequences can be managed in a sane way. The presentation will also try to remind you to ask questions, think twice about selecting appropriate metrics, and how to apply this approach to the tools

Read More

3110, 2022

We have a Mastodon account – please come and follow us!

René Pfeiffer/ October 31, 2022/ Conference

The swinging moods of billionaires have hit Twitter. 230 million users have switched ownership and now follow the erratic decisions of a single person. „Mars first!”, or something. DeepSec is using Twitter as a channel to link to blog posts and to share information about ongoing events. This will not change for the moment. However, we have created a new Mastodon account to be on the safe side. The account name is already visible on our Twitter profile page. Please follow us, if you want to receive further news without interruption. DeepSec is fond of decentralised communication channels. While this means more effort to filter and selecting sources, it is true to the original character of the Internet. We also maintain our own mailing lists which cover press releases, random scuttlebutt behind the scenes,

Read More

1609, 2022

Scuttlebutt – Musings about the Energy Cost of Information Security

René Pfeiffer/ September 16, 2022/ Conference, Discussion, High Entropy, Scuttlebutt

[Of course, this is the August 2022 article from the DeepSec Scuttlebutt mailing list. We publish the postings one month later on our blog. For timely scuttlebutt, please subscribe to the mailing list.] Dear readers, the Summer is burning Europe and other parts of the world. The climate is changing and poses the biggest challenge to all aspects of our society. And this is without other man-made catastrophes, such as war, lack of raw materials, logistics, health protection, and many more trouble spots. DeepSec is about information security, so I will stick to the digital parts of the story. There are already too much “experts” on social media. No need to add more. Have you ever wondered what amount of energy is used for digital security measures? Have you ever tried an estimate? I

Read More

1209, 2022

44CON Reloaded – get you dose of Information Security!

René Pfeiffer/ September 12, 2022/ Conference

44CON is back! Make sure that you get your ticket, because information security is all about getting the edge over your adversaries. This is best done by keeping up-to-date. 44CON has the right schedule for you. It’s full of goodies dealing with Kerberos, forensic code-breaking, attacks on e-ticketing portals, incident response with the Log4J showcase, kernel exploits, and sensibly using security scanners on AWS. The programme also features a hands-on exercise in the form of Trace Labs’ Capture the Flag. 44CON begins on 15 September 2022 at 0915 (BST).

0509, 2022

DeepSec 2022 Focus Topics and an almost final Schedule

René Pfeiffer/ September 5, 2022/ Administrivia, Conference

If you are a regular visitor of our conference or our blog, then you probably know about the different phases of our schedule. We are now in the preliminary stage. Reviews are still being done, and we sort out questions to and answer from our speakers. You may have noticed the free slots. These are still under review. Hopefully, we will have everything sorted out in the course of the next weeks. DeepSec has some internal rules for reviewing presentation submissions. We usually do not accept persons of the same organisation, so that one organisation can have one presentation in the programme. This makes the reviews hard, because you always send us top quality material. We could easily conduct two or three conferences instead of one. For 2022, we have accepted multiple speakers from

Read More

1508, 2022

DeepSec and DeepINTEL 2022 Schedule – Reviews almost done

René Pfeiffer/ August 15, 2022/ Conference, Training

The yearly review of submissions is the hardest task of the year. Thanks a lot for your contributions. DeepSec would need to be a full week to accommodate all submitted material. Thanks a lot! We are still stuck in the final reviews, so it will take a week or two to fill all the slots. You may have noticed that the schedule on our website is already alive and kicking. There will be some more rearrangements regarding the presentation slots. The DeepINTEL schedule is available on request since DeepINTEL is a TLP:AMBER event. We have some interesting insights into current campaigns and the capabilities of selected adversaries for you. Effective defence needs well-prepared data and reconnaissance. So we highly recommend attending DeepINTEL 2022. Looking forward to see you in Vienna!

0108, 2022

DeepSec and DeepINTEL Schedule is currently in Review – Preliminary Schedule will be published soon

René Pfeiffer/ August 1, 2022/ Conference

Our calls for papers have official closed. We are currently in the final phase of reviewing all your submissions. Thanks for all your efforts to send us your material on time. Our goal is to publish the preliminary schedule within the next two weeks. In case you missed the deadline, we will still accept your submissions. You can use our call for papers manager to send us your proposal. We will review your contribution. We will just start with all earlier submissions first.

0807, 2022

DeepSec, DeepINTEL, and ROOTS Call for Papers still open!

René Pfeiffer/ July 8, 2022/ Conference

Did you find some interesting bugs lately? Have you broken something which wasn’t supposed to be broken? Can you hack a nation state just by using a phone call? Do you dream of writing a smartphone app in Malbolge just for fun? If the answer is yes, then you should definitely submit a presentation for DeepSec 2022! We are still looking for your contribution. Share your insights, enlighten our audience. We are also looking for talks for DeepINTEL 2022. We would like to explore the geopolitical side of information security again. Attacks on critical infrastructure, gauging capabilities of adversaries, digital operations in terms of disinformation, and strategic defence of digital infrastructure are the focus of our next security intelligence event. If you work in this field, please get in touch with us. Security research

Read More

2606, 2022

Preliminary Schedule DeepSec 2022 – Trainings

René Pfeiffer/ June 26, 2022/ Conference, Training

👨‍🎓 👩‍🎓 The „full preliminary“ schedule of DeepSec 2022 is due in mid-August. Until then, we have some training options for you. The remaining trainings will be published as soon as we have the confirmation from the trainers. The following courses have been confirmed: Hacking JavaScript Desktop apps: Master the Future of Attack Vector – The desktop is the entry to organisations and companies. Employees are connected to the resources attackers look for. The training illustrates how modern desktop applications work, how they connect to the outside world, and how you can use them to gain access to the internal networks (or the cloud platforms used by the code). Mobile Security Testing Guide Hands-On – This course tells you all you need to know about the desktop-to-go versions of applications. Mobiles devices are a

Read More

1406, 2022

Reminder DeepSec and DeepINTEL Call for Papers

René Pfeiffer/ June 14, 2022/ Administrivia, Call for Papers, Conference

We have been radio silent for quite a while. This is not because of the lack of content or ideas. Information security has long attained mainstream status. We all rely on software and hardware all the time. Instead, we were stuck in administrative tasks. We have found a new location for the conference. In addition, we are working behind the scenes on code updates of our web page. The call for papers manager, the functions that create the schedule and render the website have aged. Speaking of the call for papers, it is still open! We are looking for presentations about the current state of security. If you found a bug or a design flaw, let’s hear about it. There are lots of applications out there. There must be something that’s broken. CVE has

Read More

0104, 2022

IT Energy Security – Electric Power makes Cyber go around

René Pfeiffer/ April 1, 2022/ Conference

This is not a typical 1 April posting. We have stopped the habit of writing satirical articles, because the actual news stories are better than any comedy these days.  Instead of having a laugh, let’s look at the core of information technology – electrical power. The energy prices have been rising for a while now. Russia’s invasion of Ukraine has put Europe’s supply of fossil fuels into the spotlight, because it is used to force political decisions. Using renewable energy sources could have been sped up twenty years ago. It hasn’t. Now the price for electrical power is rising. Information technology relies on electrical power. Computers, servers, networks, smartphones, and display devices can’t do without. The same goes for information security. Adding countermeasures to defend your digital assets and to introduce secure coding requires

Read More

1703, 2022

Information Warfare

René Pfeiffer/ March 17, 2022/ Conference

[This is the March update from our DeepSec scuttlebutt mailing list. Subscribers received this article already.] Filling a blog with articles is both hard and very easy these days. In theory, information security is more present in the news than ever. In practice, you will find few articles with in-depth content. A few days ago I had a discussion with a friend about the many web pages with the title scheme “n reasons why something is great” or “k ways to do web application filtering”. We both agreed that the title is a definite warning not to read the article. Also, most articles just give you a brief introduction into a topic and suddenly end after a few paragraphs. The term clickbait comes to mind. A lot of publishing systems use fancy techniques to

Read More

0103, 2022

To Join or not to Join a Cyberwar – Hacking Back and Hack Attacks

René Pfeiffer/ March 1, 2022/ Conference

The Russian invasion of Ukraine has put the digital sidelines into the spotlight. The world of cyber is part of conflicts, politics, and military operations. This has become very clear if you look for preparations of the current military actions in Ukraine. Information warfare most likely predates the tanks and missiles by year or even decades. This is not the focus of this article. There have been calls to attack networked targets in order to help. Is this a good idea? Let’s see. Information warfare is one aspect of the digital domain. Then there are sabotage, disrupting networks, exploiting vulnerabilities, getting access to data, and many more aspects. Joining either side of a conflict is usually a bad idea. Everything starts with the targets. Who runs a system you have decided to attack? It’s

Read More