About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

1903, 2021

Secure Operation of IT Systems requires Skills, no Shortcuts

René Pfeiffer/ March 19, 2021/ Discussion, High Entropy

The recent vulnerability in the Microsoft® Exchange server application has sparked many discussions. One of the topics is connected to the skills of IT departments responsible for patching systems in time. How can n weeks or months pass until upgrades are rolled out and in place? Well, the answer is easy. Some upgrades do not work flawlessly. In anticipation of problems during the change, IT departments need a copy of the live system and time to test the updates. This takes time, even if you have the budget to run additional copies of your systems. Furthermore, sometimes upgrades go wrong. Theoretically, these changes should just eliminate security problems and enable the application to work as before. IT departments bitten by the “this should not have happened but it did anyway” situation will hesitate to

Read More

1503, 2021

Bug Disclosure Policies and the Eternal Discussion about Security ♨

René Pfeiffer/ March 15, 2021/ Discussion, High Entropy, Security

In theory, there is the evolution from bug over to weakness, vulnerability and finally the exploit. Errors in code and application behaviour are interesting for any serious developer. Security researchers also look for bugs and ways to make code do something it wasn’t designed for. In the absence of critical failures in applications, the process of reporting bugs and getting them fixed everything is smooth and less prone to heated discussions (YMMV, some software projects feature persons with very strong opinions). All of this changes when the code can be remotely exploited. Enter the recent CVEs regarding the Microsoft® Exchange server. CVE-2021-26855 is as bad as it sounds. It is a remote code execution with low complexity requiring no user interaction and no privileges. Disclosure of bugs impacting security has a long history. Knowing

Read More

0103, 2021

DeepSec 2021 – Call for Papers is open

René Pfeiffer/ March 1, 2021/ Call for Papers, Conference

DeepSec 2021 is looking for your ideas, solutions, incident reports, insights, and expertise. The call for papers is open. You can submit your contribution via our call for papers manager online. If you have questions or want to submit additional material, please use the online form and send an email to us. DeepSec has always presented a mix of attack and defence presentations. The motto for 2021 connects both approaches. Studying how adversaries work, what tools they employ, how they plan their attack, and what they do once they get access is vital to your defence. IT infrastructure has grown over the years. Defence has a lot to take care of. If you have any ideas how to help the defenders, please let us know. Topics covering attacks should always contain some advice on

Read More

2802, 2021

Management Console Access – Obscurity by Security and vice versa

René Pfeiffer/ February 28, 2021/ Discussion, Security

Every discussion about security sooner or later connects to the wonderful word obscurity. Mentioning security by obscurity is a guaranteed way of losing sight of the facts. It is vital to actually fix weaknesses and introduce strong separation of systems when implementing security. Furthermore, the leakage of useful information to potential adversaries should be eliminated. That’s the theory. Enter the discussions we have witnessed in real life and in the Internet. A common tactic is to strip information from communication protocols that is not needed for transporting the message. Version numbers, host names, addresses, and other pieces of data are often removed when a server answers requests. Especially web applications send a ton of useful information to clients. You can see the structure of the web space, components used for rendering, server systems involved,

Read More

0402, 2021

The Art of testing Code

René Pfeiffer/ February 4, 2021/ Discussion, High Entropy, Security

The Twitterverse, various blogs, and some news portals published discussions about a bug in libgcrypt. The code contained a loop which could read past the end of a buffer. The error condition was found by using a test suite. Given the C code base of libgcrypt cases like this can often be found by using the static code analysing features of modern compilers. If you read the ticket concerning the particular overrun bug, then you will notice that it contains more than just the error description. The reason for emotional discussion around bugs are the many ways to find them. Modern compilers contain a lot of helpful tools to audit your code. Even if the compiler lacks auditing/testing features, you can resort to other tools such as Valgrind (which turned 20 years of age

Read More

0202, 2021

DeepSec / DeepINTEL 2021 Preparations – Save the Dates! Document your Projects!

René Pfeiffer/ February 2, 2021/ Administrivia

Usually we are radio silent during December and the beginning of January. This is due to some well-deserved rest, infrastructure updates (we run a lot ourselves), content creation (in our own projects), and the general Christmas holidays. The COVID-19 lock-down made it different to tell if there are holidays or not. Every day looks mostly like yesterday. We would like to change this. So please keep the following dates in your mind and in your calendar: DeepSec 2021 Trainings – 16 / 17 November 2021 DeepSec 2021 Conference – 18 / 19 November 2021 (including ROOTS & ACOD) DeepINTEL 2021 Conference – 18 November 2021 The Call for Papers will open soon and will be published here in our blog (along with push messages to Twitter and Xing). If you are interested in getting

Read More

2011, 2020

DeepSec 2020 Mission Control – Behind the Scenes

René Pfeiffer/ November 20, 2020/ Administrivia, Conference

The fully virtual DeepSec conference was very different from the usual configuration and setting. While we learned a lot over the years, there is one constant: What’s the difference between hardware and software? Well, hardware can be kicked. There is always one converter, one computer, one network devices, one USB device, or something else that doesn’t quite fit into the ensemble. Then there are the many desktop oddities and multimedia formats. So we had to do some damage control during the first day of streaming (having damage control teams and replacement parts ready is not just for ships). Networking did its own magic by introducing delays between the speaker’s feed and the live stream. Fortunately the stream connections held, and we had no losses in terms of connectivity. Mission control at the office used

Read More

2011, 2020

Thanks for attending and contributing to DeepSec 2020!

René Pfeiffer/ November 20, 2020/ Conference

The past four days were quite busy for the DeepSec Organisation Team. We had to prepare the realspace implementation of our mission control in our office. We had to fight some gremlins in hardware and software, but we managed to create the stream feeds. We hope you enjoyed the presentations! The streams were recorded, and we will start with the post-processing. Due to the dual-track – and the ROOTS event – one always has to decide which presentation to watch. In our long-time tradition attendees and speakers will get to watch the videos first (for quality assurance), and then we will release the whole DeepSec 2020 collection. We recommend your favourite lounge, drink, and company for watching the recordings later. A very big thanks go to everyone contributing content, being part of the events,

Read More

1911, 2020

Administrivia: New Stream Link for DeepSec 2020 Right Pirouette!

René Pfeiffer/ November 19, 2020/ Conference

The stream link for the DeepSec 2020 Right Pirouette track has changed. Somehow the cloud ate our old link (end event). No recordings were lost, just the link to the streaming platform. We apologies for this change, but there is not much we can investigate. The password is the same. For a complete list: DeepSec 2020 Right Pirouette track – https://vimeo.com/481384818 DeepSec 2020 Left Pirouette track – https://vimeo.com/event/475468 The closing presentation will be after the last presentation in the Right Pirouette (as always when on-site at the conference hotel).

1811, 2020

DeepSec Schedule updated, Time-Shift introduced, Theory of General Relativity still valid

René Pfeiffer/ November 18, 2020/ Conference

We have verified the DeepSec schedule and did some changes. The layout looks a bit shifted. The reason is a time-shift between the two DeepSec main tracks Left Pirouette and Right Pirouette (named after the rooms in our long-time conference hotel). Since we have set up our mission control in our office and lack the space to have two session chairs use the stage and the camera feed simultaneously the two tracks need to be time-shifted. The presentations in the Left Pirouette start 20 minutes later than the presentations in the Right Pirouette. We tried hard to avoid this, but the current configuration requires adding this feature to the schedule. The two tracks overlap any way, so if you are interested in either talk, then you have to make up your mind with or

Read More

1311, 2020

DeepSec Keynote: DevSecBioLawOps and the current State of Information Security

René Pfeiffer/ November 13, 2020/ Conference

Technology is evolving. This is especially true for computer science and the related information technology branch. When everything is outdated after a couple of months, the wind of change turns into a storm. It also affects the way we work, processes which enable us to get work done, and changes perspectives how we see the world, code, and its applications. Dev, DevOps, and DevSecOps is a good example how these changes look like at the top of the iceberg. Subjectively information security is always a few steps behind the bleeding edge. The word „bleeding“ is a good indication of why this is the case. However, security professionals cannot turn back time and ignore the way the world works. New technology will always get pushed into all areas of our lives until its creators realise

Read More

0911, 2020

A Story of Crypto Wars, the Growth on the Internet, and possible future Regulations

René Pfeiffer/ November 9, 2020/ Discussion, High Entropy

The discussion about how to tackle end-to-end encryption (E2EE) and how to reconcile it with surveillance is almost 30 years old. The very first Crypto War was sparked by the Comprehensive Counter-Terrorism Act of 1991 (no, there is no mention of cryptography in it, because it was the first draft of a series of legislative texts dealing with a reform of the US justice system; have a look at the author of the act). In the following years things like strong cryptography, export bans on mathematics, or the creation of Phil Zimmerman’s Pretty Good Privacy (PGP) were a follow-up. Even the proposal of having the Clipper chip present in telecommunication devices and the concept of key escrow was discussed in the wake of the reform. Sometimes laws have to grow with the technology. All

Read More

0311, 2020

Condolences and Sympathies to Families of the Victims #wienATTACK #0211w

René Pfeiffer/ November 3, 2020/ Conference

We wish to express our deepest condolences and sympathies to the families of the victims and wish a speedy recovery to the injured of last nights attacks in Vienna. Our thoughts are with them and the many women and men protecting the everyday life in the city. Vienna is one of the safest cities in Europe. Since 2007 the DeepSec team enjoys bringing you all to this wonderful city. We will continue to do this. Information security is a team effort and so is creating safe places for everyone. Don’t give the extremists the stage. Ignore them and care about the ones deserving your attention. Stay safe, stay healthy!

0211, 2020

Administrivia: Update on COVID-19 Regulations concerning DeepINTEL and DeepSec

René Pfeiffer/ November 2, 2020/ Conference

On 31 October 2020 at 1730 the Austrian government held a press release to announce new COVID-19 regulations. Since this press release was only the political message and the actual legally binding regulation is still not published we cannot give you an update yet. We don’t know when the regulation will be published. Given these circumstances we cannot give you any more details, but we are working on it. We hope to have more details on Tuesday/Wednesday. We assure you that we have contingency plans, because we expected this situation a few months ago.

3110, 2020

World of Metrics: Trick or Threat? How do you know for sure?

René Pfeiffer/ October 31, 2020/ Conference

Today begins the „darker half“ of the year. The harvesting season has ended. The year ends as well (depending on how you count the days and mark the start of the year). People celebrate Samhain, Halloween, or other festive days. In information security there is always a harvest season, and there is no darker half of the year. 2020 is no exception despite the extraordinary situation given the SARS-CoV-2 outbreak. So how do you decide what exceptions look like? What is a trick? What’s the difference between a trick and a threat? If you supervise any kind of digital infrastructure or set of systems, then these questions are very important. Metrics is a hot topic – an euphemism for a dirty word – in computer science. It is used in other fields as well.

Read More