About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

0208, 2021

Thanks for your submission! We are working on final reviews.

René Pfeiffer/ August 2, 2021/ Conference

In the past months we kept blogging about various issues in information security and news regarding our event in November. The Summer months are hard on the process of following news with articles. A lot of things happen, and software still has security-relevant bugs. It’s just that fewer people (than usual) care. We care, and therefore we will complete the reviews of your submissions. The preliminary schedule will be published soon. Thanks for taking your time! We appreciate your contributions. You have made the reviews very hard, as every year. 😉 If you still have some ideas, feel free to submit them!

2707, 2021

Reminder +++ DeepSec and DeepINTEL 2021 Call for Papers +++ Reminder

René Pfeiffer/ July 27, 2021/ Conference

The call for papers of DeepSec and DeepINTEL 2021 have their first deadline on 31 July 2021. Use the remaining days to send us your idea for your presentation. We are interested in your research, your ideas, and your reports about new threats. If you can’t find the time for writing your submission in the scorching heat, let the Pegasus malware take care of your personal communication for a while. We passed on the opportunity to write about surveillance gone out of control, because we wrote about security failures regularly since 2007. That being said, the Pegasus malware is of course a hot topic for DeepINTEL. High-powered and unchecked surveillance software can do a lot of damage to businesses and national security. Code has a significant impact on society and politics alike. Let’s hear

Read More

2007, 2021

Secure Communication as an endangered Species

René Pfeiffer/ July 20, 2021/ Conference

Communication is a vital part of modern life and business processes around the world. The rise of the Internet has put sending and receiving information at the centre of most activities. Anyone who has access to personal messages can use them to a significant advantage. Messengers live on billions of smartphones around the world. A compromised telephone opens the door to a treasure trove of highly valuable data. Welcome to the world of information warfare! Repeatedly we issued press articles covering broken secure communication and backdoors to devices. The most recent publications cover the initiative of the German government for mandatory security vulnerabilities in digital infrastructure. Information security cannot distinguish between the purpose of how technology is used. Especially the integrity of computer systems is either preserved or destroyed. There is no middle ground.

Read More

0807, 2021

2021 – The Year of the Supply Chain

René Pfeiffer/ July 8, 2021/ Conference

Logistics and supplies are the fuel that keeps modern society rolling. The COVID-19 pandemic has shown that delivery of goods, medical supplies, and work place administration is a part of our daily lives. The container ship Ever Given blocking the Suez Canal serves as an illustration of how important these lifelines are. Even the digital world is based on supply chains. The computer you use receives updates regularly. Chances are high that you even have some data in online platforms (a.k.a. The Cloud™) somewhere. Thinking in terms of information security, these dependencies are a natural target for attackers. Swedish supermarket customers currently suffer from a digital attack on the US-American company Kaseya. The company develops software for managing IT infrastructure. The REvil malware hit them and disabled clients using the VSA remote managing software

Read More

0607, 2021

Reminder: DeepSec and DeepINTEL 2021 Call for Papers is still open!

René Pfeiffer/ July 6, 2021/ Conference

The year 2021 features some milestone anniversaries. Some of these anniversaries are tragedies. Others are milestones for change. A lot of them affect the world of information security. Technologies come and go, because more often than not we find better solutions. Implementations mature. Some don’t. So let’s take the anniversary of the RSA SecureID faux pas and combine it with the deleted tweet suggesting to replace TCP/IP with Something Based On Blockchain™. In order to grow and develop better applications, we should strife to improve how we approach the challenges of information security. Here is how we will do this. Read on. The DeepSec and DeepINTEL 2021 call for papers are still open. If you have in-depth content or have some observations to share, please submit your ideas! DeepSec is a 100% blockchain-free zone,

Read More

1806, 2021

Deadline for Scholarship Program extended until 31 July 2021

René Pfeiffer/ June 18, 2021/ Conference

Being curious is the first step of answering a question. DeepSec has a long history of pushing the results of research on a public stage. Information security is a branch of computer science. Therefore, the scientific approach is the best way to tackle digital security. Past conferences have featured presentations about the work of dedicated groups of curious people. Now it’s your turn to get some extra support for your project. We have extended the deadline for the DeepSec scholarship program until the end of July 2021. We felt that having some extra time is never a bad idea. So if you have an idea for a research project, please let us know. Drop us an email or a message in a bottle.

1205, 2021

First DeepSec 2021 Trainings published

René Pfeiffer/ May 12, 2021/ Conference, Training

We dug through the submissions and selected trainings for the preliminary schedule. It’s just the trainings, and the intention is to give you some information for planning the rest of the year. We intend the trainings to be on site at the conference hotel. We will also explore ways to offer a virtual training or to attend the course virtually. The topics range from attacking modern desktop applications, in-depth network security (mobile networks and traffic analysis), penetration testing industrial control systems over to how to break and secure single-sign on systems. The entire collection of content aims to educate your IT department and your development team regarding the current state of affairs in companies with employees connected in home office. All technologies and tools are vital parts of the workplace. We included attacking industrial

Read More

1005, 2021

ROOTS 2021 – Call for Papers

René Pfeiffer/ May 10, 2021/ Conference

The Reversing and Offensive-oriented Trends Symposium, an academic workshop, is again co-located with the DeepSec conference in its fifth year. ROOTS solicits contributions that focus on theorems and root shells: In security, two things you absolutely cannot argue with. Security is hard to define. Most often, security is defined by its absence. For scientists, this is particularly unsatisfactory. A lack of definition increases the difficulty to find suitable quantitive and qualitative models. Even though the overall landscape is blurry at best; exploitation, reverse engineering, and offensive techniques have their place. ROOTS aims to explore this territory. The first European symposium of its kind, ROOTS aims to provide an industry-friendly academic platform to discuss trends in exploitation, reversing, offensive techniques, and effective protections. Submissions should provide novel attack forms, describe novel reversing techniques, or effective

Read More

0105, 2021

Export of Blog Articles on Medium

René Pfeiffer/ May 1, 2021/ Administrivia

The Internet was invented for sharing information. Publishing articles and raw data is still the main use case for networks. We use our blog for publishing articles covering topics of information security. It is the primary source of information. Article publications will be announced on our Twitter feed once the text is online. A while ago we started to publish our blog articles on Medium in parallel. The publication pipeline broken when Medium stopped supporting the plugin for our blog application. Re-publishing has since been done manually (hence the backlog on Medium). We occasionally update our Medium channel. Now this channel has a new link. If you prefer to read our articles on Medium, please use https://deepsec.medium.com/. Keep in mind that our blog articles published here will never hide behind a paywall or a

Read More

2104, 2021

Project Covert Operations and Zero Days – Controlled Compromise of Infrastructure and Code

René Pfeiffer/ April 21, 2021/ Discussion, High Entropy, Security

Once you collect information, you will eventually have to decide on when to use which part for what reason. This is the dilemma of intercepting intelligence from an adversary and using it for defence (or offence). Once you act on your the knowledge no one else is supposed to have, then you will also disclose your capabilities. The digital world is full of these scenarios. The most recent case is a disclosure of Google’s Project Zero. The publication covered vulnerabilities dating back to the first half of 2020. As it turned out the discovery comprised 11 powerful weaknesses used to compromise iOS, Android and Microsoft® Windows devices. By publishing these vulnerabilities Project Zero essentially shut down a nine-month digital hacking operation by a Western government. Bugs in software have no labels. They may be

Read More

1904, 2021

DeepSec, ROOTS and DeepINTEL Update – Call for Papers open

René Pfeiffer/ April 19, 2021/ Administrivia, Call for Papers, Conference, DeepIntel

Planning events is still challenging. The COVID-19 pandemic celebrated its first birthday. Despite efforts not to have the second birthday of the pandemic, the ever changing regulations and statues updates regarding the infections make preparations for conferences very hard. We know you want to plan as well, therefore we have an update for you. DeepSec, ROOTS, and DeepINTEL will happen on-site here in Vienna. We closely coordinate with our conference hotel. Their staff is eager to reopen. Everything depends on the rate of vaccination and the regulations issued by the European and Austrian authorities. There is not much we can influence. Given our health protection measure we worked out last year, we are well prepared to handle everything short of a total lockdown. We don’t do any forecasts at the moment. The next months

Read More

0804, 2021

Software Architecture, Code, and Information Security

René Pfeiffer/ April 8, 2021/ Conference

Information security is tightly linked with the code running on platforms and decisions made during the software architecture planning phase. One can trace a lot of results in penetration tests to workarounds caused by inadequate tools, bad design choices, trends in software development, legacy applications, and too optimistic testing strategies. Let’s visit some of the accident sites by example. Implementing the basic principles of information security can be hard. The dreaded undefined behaviour or the lack of graceful failures in error conditions happens frequently. A recent presentation about autonomous systems illustrates what we expected from your code – it must be completely self-reliant. Doing n restarts and halting is not the best way of dealing with unexpected situations. Rejecting dangerous states and input is always an option, but sysadmins frequently need to bash applications

Read More

3103, 2021

All your Content are belong to Us – how the Crypto Wars continue

René Pfeiffer/ March 31, 2021/ Discussion, High Entropy, Internet, Legal

Encryption is one of our favourite topics. This blog and our events feature discussions, tools, and content regarding cryptography. The first DeepSec conference in 2007 even had a presentation about a practical attack on GSM’s A5/1 algorithm. Subsequent conferences followed up on this, for example, the state of affairs of mobile network security in 2010. We use encryption and high levels of privacy in our own communication. Certain published documents emphasize the importance of using uncompromised and modern encryption algorithms. In the meantime, users have moved to messengers using TCP/IP on top of the mobile network transmissions. This enables full end-to-end encryption and privacy. The problems are still the same as in the 1990s. Enter the continuation of the Crypto Wars. On 23 March the Oberlandesgericht (Higher Regional Court) Rostock in Germany argued that

Read More

2403, 2021

Call for IoT Trainings: Secure Development for embedded Devices

René Pfeiffer/ March 24, 2021/ Discussion, Training

The world is much easier to handle without limits. If you have all your frameworks freely available and have the luxury of running your code with a multi-MB (or -GB) runtime environment, then you are in paradise. The world of embedded devices and the Internet of Things looks different. Saving energy is the prime directive. The power supply might be a battery or the connector pin of another device. Multiple cores are rare, memory is even rarer. If you are acquainted with the container and cloud lifestyle, then embedded systems will be a culture shock. Think kilo instead of mega or giga. Small devices run code, too. So this is where security comes into play. What can you do to design your embedded code to be small and secure? Secure design and coding have

Read More

1903, 2021

Secure Operation of IT Systems requires Skills, no Shortcuts

René Pfeiffer/ March 19, 2021/ Discussion, High Entropy

The recent vulnerability in the Microsoft® Exchange server application has sparked many discussions. One of the topics is connected to the skills of IT departments responsible for patching systems in time. How can n weeks or months pass until upgrades are rolled out and in place? Well, the answer is easy. Some upgrades do not work flawlessly. In anticipation of problems during the change, IT departments need a copy of the live system and time to test the updates. This takes time, even if you have the budget to run additional copies of your systems. Furthermore, sometimes upgrades go wrong. Theoretically, these changes should just eliminate security problems and enable the application to work as before. IT departments bitten by the “this should not have happened but it did anyway” situation will hesitate to

Read More