About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

Mind2Mind Event I/2011 – „Wir werden Sie belauschen!“

René Pfeiffer/ February 3, 2011/ Veranstaltung

Wir beginnen im März mit der ersten Mind2Mind Veranstaltung. Es handelt sich dabei um lokale Events in Wien, bei der wir ein bestimmtes Thema mit Bezug auf Sicherheit miteinander und gegeneinander diskutieren möchten. Der erste Mind2Mind Vortrag handelt um alltäglichen Lauschangriff, den viele unterschätzen: Der elektronische Lauschangriff ist nicht nur ein Instrument von Behörden oder Politik. Oder etwa doch? Lassen Sie uns Fiktion und Wirklichkeit mit handfesten Fakten vergleichen. Der Experte Wolfgang K. Meister der Firma VOXCOM möchte Unternehmer, Angestellte und weitere Betroffene über die Situation fernab von Spielfilmen aufklären. Hollywood ist nicht die Realität. Jedoch sind nicht nur ehemalige Finanzminister potentielle Ziele von Abhöraktionen, es kann auch uns betreffen, wenn auch vielleicht nicht direkt. Zwei große Firmen wollen die Machenschaften des jeweils andren auspionieren? Warum nicht über eine Überwachung eines gemeinsamen Nenners? Vielleicht

Read More

FIRST Conference in Vienna

René Pfeiffer/ January 15, 2011/ Conference

2011 is already in full swing. That’s why we have an announcement for you. The 23rd annual FIRST Conference will take place in Vienna, Austria. We strongly recommend to participate. IT security never sleeps, and neither should you – at least when it comes to getting new ideas and get into touch with others. We will be there, so it would be great to meet you. Make sure you drop us a line, so we know you are around. If you have material for a lightning talk, there’s still time to get a slot. You just have to contact the conference office by e-mail. The address can be found on the conference program web site.

Welcome to 2011!

René Pfeiffer/ January 1, 2011/ Misc

Welcome to the new year 2011! Hopefully you have arrived safely and in the best of spirits. We wish you a happy new year! And we look forward to see if the forecast with predicted security nightmares for 2011 will turn into reality. There’s definitely a chance.

27C3 and Misunderstandings about Security

René Pfeiffer/ December 27, 2010/ Conference, Security

We’ve hooked a computer to the video stream of the 27C3 conference. Currently we’re listening to the keynote speech which touches a relevant topic for security issue. Are you happy or are you unhappy? It sounds a bit strange, but usually happy people have nothing to worry about. So in turn it does make sense not to worry people. The examples given in the keynote were electronic voting machines. The process of selecting a government by anonymous voting is a cornerstone of democracies. This is exactly why electronic voting must not happen through black boxes. India has already threatened (and arrested) security researchers who analyse the security of the voting machines used in the country. Electronic voting is only one example. Another one is the publication about the broken chip and PIN design of

Read More

Conference aftermath, slides and more

René Pfeiffer/ December 16, 2010/ Administrivia

We have been busy dealing with the aftermath of the conference. This has been mainly collecting the presentation materials and preparing the speaker reimbursements. We aim to get as much done as possible in December. So far there haven’t been any nasty suprises or delays. Some of you have asked for the slides of the talks. The speakers gave us more than two thirds of the material yet. We’re still collecting and reminding. We have planned to publish the whole collection (including the archives from DeepSec 2007, 2008 and 2009) in February 2011 along with our new web site. There’s too much cruft in our web tubes to handle this differently. If you really want the documents in advance, let’s say for your long and boring Winter evenings, then drop us a few lines

Read More

Press Conference – Impressions and Links

René Pfeiffer/ November 27, 2010/ Press

We’ve got some news from yesterday’s press conference with Ivan Ristić (Qualys), Sharon Conheady (First Defence Information Security Ltd.) and Harald Welte (hmw-consulting) followed by a seven interviews with speakers was a great success. The spirit of DeepSec – bringing people (security experts and journalists in this case) together to talk to each other – was felt every second. Here are the first links to coverage in German media: “Unverschlüsselte Internet-Kommunikation ist fahrlässig” Deepsec 2010: Sicherheitskonferenz im Zeichen mobiler Systeme DeepSec: Faktor Mensch als Sicherheitslücke DeepSec 2010: Interview mit Sharon Conheady zum Thema Social Engineering Krieg von der Couch

The workshops have started!

René Pfeiffer/ November 23, 2010/ Administrivia

We’re near the end of the first day of workshops. We got a smooth start and the mood is great. Wi-Fi is up and running, we got a radio uplink with 32 MBit/s in both directions.¹ The GSM guys have their demonstration set-up up and running. We suspect the social engineering goes well (we can’t tell, we only see smiling faces and awfully nice persons in there). Our ISP enabled Marc to set-up the 6to4 tunnel for the IPv6 security/pentesting workshop. Mariano teaches his class how to determine if their (or your) business-critical SAP implementation is secure. If you are a really late booker, we still accept registrations for the conference, either by our online ticketing service or by ¹ When on site, look for ESSIDs DeepSec2010, DeepSec2010a, DeepSec2010g and DeepSec2010N (no encryption, bring

Read More

DeepSec: Mobile Radio Networks as Targets for Virtual Warfare

René Pfeiffer/ November 20, 2010/ Press

Vienna – The times when a mobile phone was used solely to make calls are long gone, now it’s all about making pictures and surfing the Internet. The groundbreaking success of the iPhone is just one example for the fact that mobile phones have long since outgrown their original use. Youths and adults use them every day  to get information about recent news, the weather or navigation for a future trip with the car. Having the new all-purpose information device by the hand has become a habit. But what happens if criminals or assassins attack the mobile phone network? Cyber War: Public Life in the Crosshairs “The GSM radio network is used by more than 200 countries and holds many spectacular flaws which we want to illustrate.”, explains René Pfeiffer, organiser of the international

Read More

Schedule is stable

René Pfeiffer/ November 19, 2010/ Schedule

The schedule of DeepSec 2010 has been declared stable¹. Unfortunately three speakers had to cancel their presence because of unforeseen reasons. We have managed to fill the slots, so that we have a full schedule and lots of issues to think about. The schedule on the web will now be frozen for print. Any further changes will always be reflected on our web site. We’re looking forward to see you all! ¹ We thought it would be a good idea since declaring code stable is common in software development. ☺

DeepSec: Vacance 2.0 – Risque accru de cambriolage lié aux annonces de départ en vacance sur les réseaux sociaux.

René Pfeiffer/ November 17, 2010/ Press

La conférence sur la sécurité informatique met en garde contre les risques liés aux notifications de départ. Au début des vacances de la Toussaint, beaucoup d’allemands ont parlé de leur projet de voyage sur internet , sans se rendre compte du danger d’une telle annonce. Les risques s’accentuent encore avec l’arrivée du nouveau service de localisation «facebook lieux». Les utilisateurs y indiquent, au moyen de leurs portables, le lieu où ils sont afin de tenir leurs contacts au courant. «Au moment des vacances, beaucoup d’entre eux se laissent aller à poster sur un blog, sur twitter ou Facebook. Révéler son lieu de vacance, par exemple sur Facebook Lieux, augmente d’autant les risques d’effraction chez soi» explique René Pfeiffer, organisateur de la conférence DeepSec qui aura lieu du 23 au 26 novembre 2010 à Vienne.

Read More

A Brief History of GSM A5/2 and 2G/3G Security

René Pfeiffer/ November 15, 2010/ Stories

MiKa and me shared some knowledge about the design flaws and the state of security in 2G/3G networks. The idea was to present an overview. Those networks have been shrouded in NDAs for too long. It is good to see that this is changing. Given the fact that millions of people use this technology on a daily basis, there should have been more publications and a deeper analysis many years ago. GSM features four A5 encryption algorithms. They are called A5/0, A5/1, A5/2 and A5/3. A5/0 is basically plaintext, because no encryption is used. A5/1 is the original A5 algorithm used in Europe. A5/2 is a weaker encryption algorithm created for export (the weakness is a design feature). A5/3 is a strong encryption algorithm created as part of the 3rd Generation Partnership Project. The

Read More

Conférence DeepSec: Focus sur la situation précaire de la sécurité du réseau mondial de téléphonie mobile.

René Pfeiffer/ November 12, 2010/ Press

33 interventions et 8 workshops par des experts internationaux en sécurité informatique. La conférence internationale DeepSec sur la sécurité rassemblera à Vienne, du 23 au 26 novembre 2010, l’élite mondiale dans le domaine de la sécurité des réseaux et du hacking. Cette année, l’accent sera porté sur la sécurité des systèmes mobiles et de leurs utilisateurs ainsi que sur l’infrastructure de la prochaine génération. Les sociétés d’informatique et de sécurité, les usagers, les responsables d’administrations, les chercheurs, la communauté hacker se verront à nouveau offrir la chance de participer à une programmation abondante comprenant 33 interventions et 8 workshops. «Nous sommes très heureux de permettre à tant d’experts d’échanger, pour la quatrième fois, leurs expériences et leurs idées autour du thème essentiel de la sécurité des technologies de l’information» nous explique René Pfeiffer, organisateur

Read More

Thoughts about Secure Communication and Wiretapping

René Pfeiffer/ October 12, 2010/ Communication

Secure communication is a very important cornerstone of modern network design and corporate infrastructure. The need to communicate securely is part of everyday life. Businesses, political groups, individuals, governments, non-governmental organisations, and many others use secure communication. The basic idea is that you put a decent portion of trust into the way you exchange messages. Typically the message is only seen by the sender and the recipient. Many take this property of message exchange for granted, but you have to use suitable protocols to meet this goal. Secure communication protocols usually use encryption or steganography to protect and hide the transported messages. Anyone intercepting the data transmission must not be able to decode the original message(s) sent. This is the idea, and when designing secure protocols there is no way around it. Some use

Read More

Vacation 2.0 and its Disadvantages

René Pfeiffer/ September 14, 2010/ Security

Imagine you are the CEO of a small company. You have some days off. You relax, buy a newspaper and have a coffee. After browsing through the news and financial section you stumble upon a full-page advertising of your own company. The text reads: Dear world, our office is completely deserted. No one’s working at the moment. The rooms are completely unattended. No one will pick up the phone. Only the security guards will walk by and superficially check the door handles. Although the doors are tightly locked and the windows are (probably) closed, you can be sure that no one will enter the office space until INSERT_DATE. So if you want to try picking our locks and rearranging the furniture, feel free. You can take what you want. The coffee machine is plugged

Read More