Translated Press Release: Covid-19 Apps show Software Development in Crisis

In November, the DeepSec security conference will highlight the software masquerade.

In everyday language there is the saying “There’s an app for that!”. The phrase is often used as a joke, even outside the IT industry. The current Covid-19 crisis has once again put forward computer code as a universal solution to problems that are not exclusively related to information technology. Generic digitization seems to be the answer to all problems. Of course, data processing can help. The prerequisite, however, is the existence of real data that has been collected in a comprehensible and careful manner. This is exactly where many projects fail.

Magical Phones with Infinite Intelligence

The call for apps has been repeated again and again in recent years. The visions are in no way inferior to the creative ideas in scripts for feature films and series. Software that runs on small portable phones is said to solve the most complex tasks and, with a simple swipe of your fingers, deliver results that could only be achieved through years of work in the past. In fact, most applications only scratch the surface. One tiny detail is often forgotten: What does the code do without an Internet connection to the huge server farms and databases that you can’t even see on the touchscreen? Apps merely shift where the actual work happens. If the smartphone stays cool and the battery lasts a long time, the magic actually happens somewhere else. Almost nothing on the end device is smart, because the computing power available there is limited.

It’s about the complexity of building an infrastructure behind the actual app you see. Without interaction with the big siblings in data centers, the applications on the phone in your hand are quickly reduced to very little. In this scenario, data is not just the crude oil, it is also the fuel of digitization. However, the engine does not work the way you might think. End users are the source of the digital gold. You are not at the wheel, but deep down in the borehole.

Lack of Security Design

Modern code does not come from nowhere. When developing applications, you either have to build on existing code or create libraries yourself. Even with a mixed approach, it takes months at least to arrive at a reasonably tested design. Under pressure to finish, software development tends to take shortcuts. To make matters worse, the design begins with the questions of the problem to be solved and focuses on features right from the start. The implementation of secure code and secure design is usually left behind. Such developments are very common in the field of smart home devices.

A frequently used argument is the controlled publication of applications via the manufacturers’ app stores. Of course, tests run there, but a checklist that completes in less than a minute can hardly detect security weaknesses, let alone design errors. In view of the large number of programs available in the virtual stores, something will inevitably slip through unnoticed. Finding gaps and threats is much more time consuming. Security experts are often asked whether a certain product is secure. An immediate response is expected. This is not realistic and only works in the movie scripts mentioned at the beginning.

Software as a Masquerade

Promise and reality are rarely close to each other in digitization. There has been a lot of discussion about the Austrian Corona tracing app in the past few weeks. It was primarily about privacy and app security concerns. If you go back several steps and question the quality of the data that this app is supposed to collect, the result shows a completely different picture. Ross Anderson, a British computer scientist at the University of Cambridge, analyzed the accuracy of the smartphone platform in an article entitled “Contact Tracing in the Real World” (published in the Light Blue Touchpaper blog of the computer science institute). His conclusion: developing an app ties up more resources than the benefits of such an application can justify. Bruce Schneier, an American expert in cryptography and computer security, writes on his blog about the effects of false positives and false negatives from a Corona app. This aspect alone disqualifies the app for use in the real world. Security and data protection have not even been considered in this analysis. Schneier’s article “Me on COVID-19 Contact Tracing Apps” can be read online.

Furthermore, a smartphone is an unsuitable platform for tracking infectious diseases. Since GPS is too imprecise, Bluetooth is used instead to measure presence and distance. Bluetooth LE (Low Energy) is often used on the devices to extend battery life. However, measuring signal strength with Bluetooth LE only gives a passable resolution if people are separated by massive structural barriers, such as reinforced concrete. Materials such as wood, plaster or thin stone are transparent to the signal. In addition, you have to fight with reflections that distort direction and range. According to data sheets from the chip manufacturers, the received power fluctuates in some cases by a factor of 100. Furthermore, Bluetooth LE is designed as a system with a single antenna. This means that the direction of the signal cannot actually be determined; that would require several antennas. On top of that, people like to hold their smartphone in different positions, which introduces yet another blur. Even in the laboratory the localization errors are so high that this technology is ruled out. Scenarios such as local public transport, shops or restaurants were not considered at all, let alone walking on the street or in narrow stairwells (where Bluetooth LE signals can be measured behind every door). The key fobs already mentioned publicly are unlikely to improve the situation significantly. Physics is very ruthless here.
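To make the factor-of-100 claim tangible, here is an added worked example (not part of the press release) that inverts the standard log-distance path-loss model and shows what a 100-fold swing in received power does to a distance estimate. The reference RSSI at 1 m, the path-loss exponent and the 2 m contact threshold are constructed assumptions, not values from the article.

```python
"""Added example: how a fluctuation in received Bluetooth LE power translates
into distance error under the log-distance path-loss model. All calibration
values below are constructed assumptions for illustration."""
import math

# Assumed calibration: RSSI at a reference distance of 1 m, and a path-loss
# exponent n. n = 2 is free space; indoor values are usually higher (2..4),
# and the app cannot observe which one applies.
REF_DISTANCE_M = 1.0
REF_RSSI_DBM = -60.0   # constructed value


def distance_to_rssi(d, n=2.0, ref_rssi=REF_RSSI_DBM, ref_d=REF_DISTANCE_M):
    """Log-distance path-loss model: RSSI(d) = RSSI(d0) - 10 * n * log10(d / d0)."""
    return ref_rssi - 10.0 * n * math.log10(d / ref_d)


def rssi_to_distance(rssi_dbm, n=2.0, ref_rssi=REF_RSSI_DBM, ref_d=REF_DISTANCE_M):
    """Inverse of distance_to_rssi: what an app would report for a given RSSI."""
    return ref_d * 10 ** ((ref_rssi - rssi_dbm) / (10.0 * n))


def power_factor_to_db(factor):
    """A factor of 100 in received power is 10 * log10(100) = 20 dB."""
    return 10.0 * math.log10(factor)


def distance_interval(true_d, power_factor=100.0, n=2.0):
    """Range of distances reported if received power swings by `power_factor`
    overall, i.e. +/- half of that (in dB) around the nominal RSSI."""
    nominal = distance_to_rssi(true_d, n)
    half_swing = power_factor_to_db(power_factor) / 2.0
    # Stronger signal -> shorter estimate, weaker signal -> longer estimate.
    return (rssi_to_distance(nominal + half_swing, n),
            rssi_to_distance(nominal - half_swing, n))


def classify(true_d, threshold_m=2.0, power_factor=100.0, n=2.0):
    """Is a contact unambiguously inside or outside the threshold once the
    fluctuation is taken into account? Returns 'contact', 'no contact' or 'ambiguous'."""
    lo, hi = distance_interval(true_d, power_factor, n)
    if hi <= threshold_m:
        return "contact"
    if lo >= threshold_m:
        return "no contact"
    return "ambiguous"


if __name__ == "__main__":
    # With n = 2 a 20 dB swing spreads the estimate over a factor of 10 in distance.
    for d in (0.5, 1.0, 2.0, 5.0, 10.0):
        lo, hi = distance_interval(d)
        print(f"true {d:4.1f} m -> reported between {lo:5.2f} m and {hi:5.2f} m: {classify(d)}")
```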

This excursion makes one thing clear: unfortunately, software is no longer used only to solve problems. It is often used to mask open questions and to fake solutions. This is a masquerade that we find in many areas of modern society. The task of security experts is to see through this masquerade. Independently of the spread of Sars-Cov-2, “Masquerade” was therefore chosen as the motto for the DeepSec In-Depth Security Conference taking place in November. Information security is always about a look behind the scenes. Code needs to be deconstructed and analysed. Software architecture has to be questioned. Weaknesses in design have to be identified.

Disenchanted Digitization as a Blueprint for Improvement

The arguments and approaches given here are not a recipe for making digitization more expensive. The declared aim of the DeepSec conference is to bring people who are entrusted with various aspects of modern information technology to one table and to get them to exchange ideas. The approaches mentioned for a Corona tracing app are just a striking example. Security experts regularly warn that a solid – secure – design is essential for applications. One is therefore well advised to consult the experts before talking oneself into a dead end.

Digitization can only bring progress if the underlying approach is carefully thought out. Every trip to the cinema illustrates this: no film with a bad script gets better if you show it to the audience in high resolution or even 3D. You then unfortunately only see an expensively produced fiasco – as sometimes happens in software development. Despite its motto, the DeepSec conference therefore does not want to offer a masquerade, but rather to give all participants the opportunity to exchange ideas with experts. It is about looking behind the mask and evaluating what is really behind a technology. For this purpose, trainings are also offered that deliver highly concentrated, hands-on, usable knowledge in two days. The first training units are already online and can be booked.

Take the opportunity before your product fails even before it is on the market. It should be noted that this sentence applies particularly to decision-makers outside the market who want to digitize companies and citizens at another level. Writing down digitization as a word and constantly repeating it all by itself is not enough.

Programs and Booking

The DeepSec 2020 conference days are November 19th and 20th.

The DeepSec trainings take place on the previous two days, November 17th and 18th.

DeepSec is located at the hotel The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

You can order tickets for the DeepSec conference itself and the training sessions at any time under the link https://deepsec.net/register.html.

Sources of the quoted articles by Ross Anderson and Bruce Schneier:

https://www.lightbluetouchpaper.org/2020/04/12/contact-tracing-in-the-real-world/

https://www.schneier.com/blog/archives/2020/05/me_on_covad-19_.html

Update on DeepSec / DeepINTEL / ROOTS 2020 with regards to Covid-19

Bio reactor, source: https://commons.wikimedia.org/wiki/File:Bioreaktor_quer2.jpg

Lacking time travel we have no way to know what will happen in November 2020. That’s not news to us. We closely follow the development of the current Covid-19 crisis, and we constantly evaluate our plans for DeepSec, DeepINTEL, and ROOTS 2020. Given the current state of affairs and the experiments in various countries (including Austria) with lowering the restrictions for business and public life, we believe that our conferences can take place in November. There may be restrictions still present in November with regard to travel and protection measures at our venue. We have developed a schedule for keeping you informed. Additionally we have plans for changing the schedule in order to guarantee the minimum level of content required by our call for papers process. Updates regarding the state of our events in November will be published on our blog on a monthly basis.

Most of our content does not work via remote access, teleconferencing, or video/audio streams. Nevertheless we plan to create infrastructure for relaying content and conducting video/audio conferencing via the Internet. We intend to offer teleconferencing methods to our trainers, so that trainings can be done with a mixture of on-site and remote attendees. If and to which extent a training can make use of the additional infrastructure is decided by our trainers.

Our monthly reminder: The call for papers is open! If you have submissions of content and presentations, please submit as early as possible. The submission form will stay open at least until 31 July 2020.

First DeepSec 2020 Trainings confirmed

Tawakkol Karman's megaphone at the Nobel Museum, source: https://commons.wikimedia.org/wiki/File:Tawakkol_Karman%27s_megaphone_at_the_Nobel_Museum_(51980).jpg

We haven’t been idle in the past weeks. The Austrian government is reducing the lock-down rules to see how normal business and private life can go on. We take this as an opportunity to announce the first three confirmed trainings for DeepSec 2020. The preliminary descriptions can be found on our schedule web site.

Early Bird tickets are available. Given the unusual start into 2020 we ask you to consider buying Early Bird tickets (especially for the trainings). We are exploring special attendee tickets for remote attendance of the trainings. A more detailed description of the content of the trainings will follow in separate articles.

Contact Tracing and the Security of Things

Logo of the Bell Telephone Company between 1889 and 1900, source: https://commons.wikimedia.org/wiki/File:Bell_System_hires_1889_logo.PNG

The spread of Sars-Cov-2 keeps everyone on their toes. Add to that the emotional state after weeks and months of physical distancing (which we recommend; social distancing has been the norm for decades). We closed our office in March and heavily rely on telecommunication. Fortunately we did not need to reinvent the Internet. Many of you have probably done the same. We hope that you manage to stay healthy until things can get back to “normal”. Speaking of communication and normality, there are some aspects of the current situation we would like to point out.

Every security conference features presentations shedding light on important tools, libraries, applications, or protocols people rely on. Humans like to communicate. The degree varies, but essentially few can do without talking, writing, hearing, or seeing stuff (i.e. messages). This is even more true for companies, governments, health care, the military, and other organisations. The spread of Covid-19 has sparked a massive interest in all things tele, remote, and networked. Suddenly the meetings need to be virtual. Applications and infrastructure for audio/video conferences and screen sharing have existed before. You have a long list of companies that offer services in this area. Then there is WebRTC (Web Real-Time Communication), an open standard for real-time communication defining a set of application programming interfaces (APIs). Additionally we have a plethora of messengers, communications systems for gamers, and web platforms integrating their share of communication. Not surprisingly the rush on all of these solutions has sparked interest in their security. A few months ago we were fairly confident that a private meeting wouldn’t leave the room. Now the room is gone. What does this mean?

First of all it means that not every platform held its promises. Getting end-to-end encryption right for a group chat is hard. Doing the same for real-time communication is even harder. Signalling is the next problem. How do you connect all participants? How do you make sure that only the right people are “in the room”? There are some answers to these problems, but a fair share of the conference applications suffer from a bad security design, badly maintained code, or other issues.
Secondly, the Crypto Wars come back to haunt us. The Signal developers pointed out the dangers of the US EARN IT bill. Securing communication is under attack by laws making protection impossible. The EARN IT bill is not the only example. China, Russia, Turkey, and Australia have banned end-to-end encryption. UK has similar laws. It’s not a good idea to turn the clock back in time with regards to secure communication.

Lastly, there is talk about contact tracing to get things faster to “normal” again. Of course, “There’s an app for that!” Ross Anderson thinks differently, so we recommend his article about how this works in the real world.

Well, time for the good news. The calls for papers for DeepSec 2020 and DeepINTEL 2020 are still open! If you have some time and quiet to think about your research or your ongoing projects, let us know! We already got some submissions. Current reviews look good, so we might publish the first trainings for November next week! Looking forward to hearing from you! Stay healthy!

It’s April Fool’s Day – 7/24 and 365 Days of the Year

Illustration of conventional comedy and tragedy theatrical masks. Source: https://commons.wikimedia.org/wiki/File:Comedy_and_tragedy_masks_without_background.svg

The first day of April is typically the time where you hide well-written pieces of misinformation to trick people into believing something that isn’t true. We published our share of April Fool’s Day articles in the past. While this was and still is fun we believe that it is time to break with this tradition. Hiding something that isn’t true within a stream of informative articles or news items has become a major way of influencing opinion. Good comedy does the same, but the outcome is different. Satirical news is a means to criticise by exaggerating or focussing on an issue. The typical audience of comedy expects this. The distinction between satire and reality has almost disappeared in the past decade. So if you are looking for entertainment there are plenty of other sources which probably work a lot better.

The other motivation is the discussion about facts and figures we had in the past weeks. Unless you have been living in a cave for the past months (which might not be a bad idea after all) you probably heard of Sars-Cov-2 and the Covid-19 disease. The current countermeasures put society and the economy under great strain. Lacking things to do, people put a lot of effort into the analysis of infected persons, cured persons, patient deaths, and more widely available data. Even if you have the source of the data you are working with you still need to figure out how the measurement was done. Just because the unit fits you don’t have data sets that can be compared. You can still do a qualitative analysis, but you cannot predict the future with it. The Internet is full of epidemiological models with varying degrees of relation to reality. Getting scientific research is hard. Getting scientifically sound results with severe time constraints is even harder. While most businesses run fine without academic research, the decisions in their area are often less critical than in health care (or climate research, to mention a wildly unpopular topic). The companies running critical infrastructure are excluded to some extent. However, event logs and history are full of decisions which might have been better informed if time travel was real.

So to give you some kind of summary: Yes, we still like humour, and we still actively support (information security) researchers trying to point out critical flaws in code and design. No, we don’t want to say that things are difficult. They are, but that’s how we wanted it. We just skip making fun of stuff just because the calendar says so. Our calendar says that the call for paper is still open, so please consider submitting your research results for DeepINTEL and DeepSec.

The most important point is our reference on proper (data) science. Measurements only have meaning if you know how the data was obtained, what the error rates are, and how big your sample sizes were. No system administrator will consider your request if you claim that once upon a time in the past the latency between two points in the network was 623 milliseconds and the packet loss was about 23%. Keep this in mind when you read articles drawing highly complex conclusions from a couple of highly doubtful (or error prone) figures. That’s great for gaining followers. Reality just doesn’t work this way.

Status Update with regard to the current Sars-Cov-2 / Covid-19 Emergency

We wrote in an earlier blog article about the current Sars-Cov-2 / Covid-19 emergency. Mathematics and biology didn’t stop, so you (hopefully) live in an area with restrictions regarding crowds and places where people can’t keep a safe distance. We, the organisation team of DeepSec, are in close contact with peers, members of the community, and reliable sources of information regarding countermeasures by the Austrian government.

Given the current state of affairs the November dates of our events are still in the far future. This means that nothing has changed for our plans. Our calls for papers are still open. The only change will be no marketing messages and advertising for DeepSec and DeepINTEL. We don’t think that a crisis should be used for one’s own advantage. Please stick to facts and verified sources – regardless of what message you want to publish or which information you like to relay. Disinformation will cost lives, now and in the future. All event and conference organisers have to follow regulations, so everything that happens to current or future events is up to the regulations and the state of your health (and your national health care system).

Please stay healthy, stay sane, and we hope to see all of you as soon as possible!

Translated Article: Coup de grace beat Attackers of the Austrian Federal Ministry for European and International Affairs

Cyberhusarenstück schlug Angreifer im Außenministerium for fm4 by Erich Moechel

[We translated this article, because DeepSec actively supports young talents and students. We are looking for organisation and companies that would like to help us in our support. Furthermore, we like to make Erich’s well-researched and well-written articles available for a wider audience.]

It was young technicians who fended off the dreaded cyber troop Turla. After a short time they cracked the tricky encryption of the Turla Trojan.

The National Security Council, which the NEOS party convened to discuss the cyberattack on the Federal Ministry for European and International Affairs, meets on Friday. NEOS criticize the cumbersome structures in cyber defence and, above all, that it is not ready to work properly. The quick defence against the notorious cyber troop (APT) Turla is not really due to solid defence structures in Austria.

In this first cyber attack on Austria, the defence relied on improvisation and technical skill. A diverse team of technicians from three ministries had this super-class APT under control after only 10 days. This emerges from new information available to ORF.at. The deciding factor was the coup de grace of young technicians of the Federal Ministry of the Interior who are more hackers than police officers.

Attackers’ Encryption hacked

A very young “Blue Team” from the battered BVT (Office for the Protection of the Constitution and Counter-Terrorism) of all places managed to break the encryption of the data traffic between the Turla Trojan on the Federal Ministry for European and International Affairs network and the command control servers on the Internet just two days after the burglary was discovered. This is an astonishing achievement, because the Turla Group is known for constantly changing the algorithms used for encryption and for doing so in an extremely tricky way.

The first challenge was to recognize which encryption method was being used. This allowed the defenders to read the data traffic between the elements of the malware and identify all new modules of the malware that were being reloaded. The match was overturned after a few days, because from then on the attackers were on the defensive. The Turla team did try to reload another rootkit, but was unable to activate it.

What the Federal Ministry of the Interior does (not) say

Such upper-class attacks are only partially automated, so that “Red Team” and “Blue Team” actually faced each other directly in the Federal Ministry for European and International Affairs. All of this has already taken place around the turn of the year or in the first week of the new year. Subsequently, the Federal Ministry of the Interior was asked for more information about this technical team of the BVT. “We ask for your understanding that, for operational reasons, no further details about the personnel and investigations will be disclosed,” was the answer, of course, because the news embargo on technical information is still in effect.

However, it also said in addition: “With regard to your request, we may inform you that the staff employed in the BVT’s cyber security area are generally not being recruited from within the police force, but from universities or universities of applied sciences as well as in competitions like this ‘Cyber Security Challenge’.” According to information available to ORF.at, even the majority of these BVT technicians had completed the Cyber Security Challenge of the Bundesheer, BKA and Cybersecurity Austria, and among the army technicians who joined them were graduates of this competition as well.

Where did the Defenders come from?

This international talent competition, which Austrian teams have won several times, has been around for ten years. Every year the participants are around twenty years old, mostly from HTLs (Höhere Technische Lehranstalt) and comparable schools or at the beginning of a technical degree. This means that the BVT security technicians and all other graduates were mostly under thirty. The matches of this challenge are all of the type “Capture the Flag” or “Blue Team” (defender) versus “Red Team” (attacker), which is particularly popular with hackers. At the Ministry of Foreign Affairs more or less the same match has been going on, but for real.

The Federal Ministry for European and International Affairs’ network was scanned thoroughly in the five weeks after the Turla group was temporarily neutralized. Artifacts and other traces of Turla were apparently only found on the mail servers, because the attackers had not yet tried to penetrate the internal network of the Ministry of Foreign Affairs. In order to ensure that no further hacked email accounts had been overlooked, the decision was made to reset all passwords in the entire mail system of the Federal Ministry for European and International Affairs. In addition to all embassies, this network also connects all other diplomatic institutions of the Republic.

Strategic Conclusions

One of the most dangerous cyber troops worldwide was neutralized in record time, and much faster than in Germany in 2017. The Austrian cyber strategy has worked perfectly.

It would be a fine thing if this had been the case.

In fact, the Republic was extremely lucky. As shown in the first two parts, a few very favourable circumstances came together from the rapid discovery onwards. As a result, the Turla group was unable to display its dreaded penetrating power. And it was the gentlemen from Turla who battled the defenders with updates for weeks, but are known for not destroying anything on purpose.

The attack has tied up a large part of all state cyber defences available and hit a large, but only one, network. If the clients behind the attack had actually wanted to frighten the Republic for some reason, they would not have sent Turla. In 2015, APT 28 alias Fancy Bear had contaminated the IT of the German Bundestag to such an extent that in the end 20,000 PCs had to be replaced.

While the attack on the Ministry of Foreign Affairs was ongoing, ELAK, the nationwide system of electronic file processing, and more than 300 other large networks in Austria were open for weeks due to a fatal security vulnerability. A single, nicely packaged encryption Trojan would have been enough to paralyse the offices and authorities connected to the ELAK in one fell swoop. If attackers had wanted it, half the republic’s IT would have been on fire.

War Dialing Video Conference Systems

IBM PCMCIA modem, source: https://commons.wikimedia.org/wiki/File:IBM_PCMCIA_Data-Fax_Modem_V.34_FRU_42H4326-8920.jpg

Do you remember the Golden Age of Wardialing? The idea back then was to try calling phone numbers and to see if a computer system answers. This method still works, because you can wardial any system with a suitable addressing scheme. VoIP wardialing is a lot easier since you do not need a modem. You just need to send signalling messages. Video conferencing systems are no exception. They have to do signalling, too. Furthermore, participants of a meeting need to join and leave. For joining there must be a process that authenticates participants. Usually you get a conference identification number and maybe a PIN code. Other systems require an account, so that you have to log in first. Finding conference rooms gets really easy if you just need a URL.

The Bavarian Ministry of the Interior uses a conference system that uses URLs. The scheme of finding a conference or a room is very easy to figure out. It uses https://video.top.url/path/roomnumber where path is a combination of a few letters and roomnumber consists of six digits. This gives you the address space of the virtual conference rooms. Physical rooms have their counterpart in the addressing scheme, and the system is configured to provide permanent discussion slots. The problem was that the authentication was missing (the system now requires a PIN). The German IT magazine c’t has discovered that it was easy to join existing conferences (article is in German) and to listen without being invited.

Due to the current coronavirus outbreak many of us have to rely on remote conferencing systems and similar ways of communication. Even without wardialing or missing authentication, the PIN and conference codes are sensitive data. Some systems allow multiple joins of participants. Members of Anonymous used the credentials of a conference call to “intercept” a discussion between the Federal Bureau of Investigation (FBI) and Scotland Yard. So please be careful when sharing call appointments. Make sure you use a trusted communication channel. In turn verify your call peers. Having video helps, but sometimes video information is not what it seems. In turn please be very careful when receiving links to conference calls. You might be lured into a fake call by a phishing campaign.
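The two failure modes in the last two paragraphs, an unauthenticated room address space being walked and a leaked conference code being used for multiple joins, both leave a recognisable trace in the conference server’s access log. As an added example (not from the post or the c’t article), here is detection logic run over constructed log lines; the URL layout with a short letter path and a six-digit room number is taken from the post, while the log format, addresses, timestamps and thresholds are assumptions.

```python
"""Added example: spotting room enumeration and crowded rooms in a video
conference server's access log. Sample lines and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-log-style lines. Assumed format:
#   <client_ip> - - [<timestamp>] "GET <path> HTTP/1.1" <status>
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2020:10:00:01 +0100] "GET /conf/100001 HTTP/1.1" 200
203.0.113.5 - - [01/Mar/2020:10:00:02 +0100] "GET /conf/100002 HTTP/1.1" 404
203.0.113.5 - - [01/Mar/2020:10:00:02 +0100] "GET /conf/100003 HTTP/1.1" 404
203.0.113.5 - - [01/Mar/2020:10:00:03 +0100] "GET /conf/100004 HTTP/1.1" 200
203.0.113.5 - - [01/Mar/2020:10:00:03 +0100] "GET /conf/100005 HTTP/1.1" 404
203.0.113.5 - - [01/Mar/2020:10:00:04 +0100] "GET /conf/100006 HTTP/1.1" 404
198.51.100.7 - - [01/Mar/2020:10:05:00 +0100] "GET /conf/424242 HTTP/1.1" 200
198.51.100.8 - - [01/Mar/2020:10:05:10 +0100] "GET /conf/424242 HTTP/1.1" 200
198.51.100.9 - - [01/Mar/2020:10:05:20 +0100] "GET /conf/424242 HTTP/1.1" 200
192.0.2.77 - - [01/Mar/2020:10:05:30 +0100] "GET /conf/424242 HTTP/1.1" 200
192.0.2.78 - - [01/Mar/2020:10:05:40 +0100] "GET /conf/424242 HTTP/1.1" 200
192.0.2.79 - - [01/Mar/2020:10:05:50 +0100] "GET /conf/424242 HTTP/1.1" 200
192.0.2.1 - - [01/Mar/2020:11:00:00 +0100] "GET /conf/300300 HTTP/1.1" 200
192.0.2.1 - - [01/Mar/2020:11:30:00 +0100] "GET /conf/300301 HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# Room URLs: a short alphabetic path segment followed by exactly six digits.
ROOM_RE = re.compile(r"^/[A-Za-z]{1,8}/(?P<room>\d{6})$")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_room_requests(log_text):
    """Return (timestamp, client_ip, room) for every request that targets a room URL."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = ROOM_RE.match(m.group("path"))
        if not r:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        events.append((ts, m.group("ip"), r.group("room")))
    return events


def _windowed_distinct(events, key, value, window, threshold):
    """Group events by `key`; flag a key whose events inside any sliding window
    of length `window` cover at least `threshold` distinct `value`s. Returns
    {key: largest distinct count seen}."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[key(ev)].append(ev)
    flagged = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {value(e) for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[k] = max(flagged.get(k, 0), len(distinct))
    return flagged


def detect_room_enumeration(events, window_s=60, threshold=5):
    """One client address touching many different room numbers in quick succession."""
    return _windowed_distinct(events, key=lambda e: e[1], value=lambda e: e[2],
                              window=timedelta(seconds=window_s), threshold=threshold)


def detect_crowded_room(events, window_s=300, threshold=5):
    """One room joined from many distinct client addresses within a short span,
    the pattern a leaked PIN or conference code produces."""
    return _windowed_distinct(events, key=lambda e: e[2], value=lambda e: e[1],
                              window=timedelta(seconds=window_s), threshold=threshold)


if __name__ == "__main__":
    evs = parse_room_requests(SAMPLE_LOG)
    print("enumeration suspects:", detect_room_enumeration(evs))
    print("crowded rooms:", detect_crowded_room(evs))
```

Thresholds are deliberately low for the sample; on a real deployment they would be tuned against the normal join rate of the room directory.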

When? Where? What? Introducing https://deepsec.events/

Observer in special relativity, source: https://commons.wikimedia.org/wiki/File:Observer_in_special_relativity.svg

Reading the calendar gets difficult given the many places people – including us – post dates. Furthermore, we have a habit of not detecting typos and not putting our dates in proper variables and rendering them out to the web consistently. So we created a little jump page called DeepSec Events. On this web site you will find all the most important facts about everything DeepSec. Our graphic designer went a bit overboard, but we hope the design is pleasing to your eyes.

Complexity of Dependencies in Multidimensional Systems – Corona Virus

Illustration created at the Centers for Disease Control and Prevention (CDC). Source: https://en.wikipedia.org/wiki/File:2019-nCoV-CDC-23312_without_background.png

This blog is often silent. Our policy is to publish if there is real information to send out. DeepSec is all about facts. We don’t do speculation. Sometimes it is hard to idly watch “news” being published, revised, withdrawn, altered, commented, and even deleted. We, to the best of our abilities, try not to publish something which doesn’t hold. But we read and watch a lot of articles, opinions, and other sources. For the rare cases where we need to publish our opinion we have created the High Entropy category in this blog. This category is all about the things we like to discuss. This time it’s about biology, containment, and IT security defence. Let’s have a look at the current coronavirus.

We are in touch with various partners in different countries. You may have noticed that we plan the DeepSec 2020 and DeepINTEL 2020 events in November. The planning phase usually starts after our break in December. Given our policy you won’t notice much of it yet, because we publish when we have something to say. The facts are that DeepSec and DeepINTEL will be on 17/18/19/20 November 2020 as scheduled. Our call for papers is open. You can buy tickets in our ticket shops (one for every event) or by requesting an offer and receiving an invoice for your purchase order. That’s the plan. The current events around the spread of SARS-CoV-2 are out of our hands. We can’t do much about what measures each individual government puts into place. We can’t say if the long chain of dependencies our conferences rely on gets interrupted – and there are a lot of ifs to check until November. Don’t forget: The influenza viruses no one talks about are dangerous too. If you are prepared for influenza viruses, then you are also prepared for SARS-CoV-2.

Sticking to the facts is actually the bright side. We created all the facts necessary to plan and to announce DeepSec and DeepINTEL 2020. Since 2007 no DeepSec conference was ever cancelled. We had a close shave with the Lehman Brothers Holdings Inc. crash (which will repeat sooner or later, because nothing has changed structurally in our economy), the eruption of Eyjafjallajökull (we could also talk about future eruptions of other volcanoes which are overdue), and with some efforts by unnamed third parties to make life hard for smaller IT security events (no conspiracy here, just a collision of plans, apparently). Bear in mind that the global and local economy is not designed to handle failures well. In the context of IT security this is a weakness, but the systems are too big to fix.

So we will keep you updated. However, keep your sanity, don’t panic, and stick to the facts. There are a lot of far worse threats out there. Chemistry, biology, and physics will keep trying to make our lives miserable. That’s part of a blue team’s daily grind.

Continuous Integration Ticket Shop for Conference Tickets is now open – book often, book early!

Schiffsglocke der Danmark, source: https://commons.wikimedia.org/wiki/File:Schiffsglocke_Danmark.JPG

Running an event is a highly dynamic operation. This is especially true for (information security) conferences, even more so for trainings. We have seen our share of sad faces when the training of your choice didn’t happen, because people booked the ticket too late. In order to avoid great disappointments, the ticket shops for DeepSec and DeepINTEL are now open. Spread the word! And put some SDL into your tickets – book early, book often!

DeepSec 2020 Call for Papers is open!

A curious raccoon in the Florida Everglades approaches a group of humans, hoping to be fed. Source: https://commons.wikimedia.org/wiki/File:Curious_Raccoon.jpg

We are looking for presentations and trainings for the next DeepSec In-Depth Security Conference. DeepSec 2020 will focus on masquerade. Attribution is hard. To make matters worse for everyone connected to information security – masquerade is ubiquitously present in hardware and software. You might also call some of it disinformation, which was the word of the year 2019. Security-wise many things hide behind a façade. Disinformation is the tool of the trade these days. So DeepSec 2020 has chosen the motto “Masquerade” for this year. Tell us where the veils are, what camouflages are used, and expose the real threats!

You can submit your content via the call for papers page on our web site. We also have a special email address for content submissions. You can either use cfp [at] deepsec [dot] net (or just deepsec [at] deepsec [dot] net, because this email address is tied to a GPG key).

Not quite coincidentally, DeepINTEL 2020 also has an open call for papers. Please submit your content by email to us. You are encouraged to (always) use (end-to-end) encryption when communicating with us.

BSidesLondon – Mentors wanted!

Meme "How To Draw an Owl"

You may have heard of the BSides London Rookie Track. It’s the track with the 15 minute presentation slots where people who have never presented at a security conference before can give it a try. Take my word for it, preparing these 15 minutes is hard work. Even if you have had your share of presentations you still have to put some thought into the structure, the material, and the way you want to make your point(s). It’s easier for veterans. It’s hell for rookies. Even with a moderately cleaned pile of information the first drafts of your presentation take ages. In addition, you probably make all the mistakes we all made before. This is where the mentors come in. Mentors are experts in their field and have presented before. And mentors we want!

Why mentors? Well, Niels Bohr put it nicely: „An expert is a man who has made all the mistakes which can be made, in a narrow field.“ Rookies need some guidance to get on track. While you have experience, they are still gaining it. So if you have some time to spare and want to help someone, rush to the registration site and get involved! Don’t worry! It’s called BSides London Mentor Application 2020, not BSides London Mental Application 2020. You are safe.

Rookie Track Registration BSidesLondon – don’t miss the deadlines!

Photograph of presentation at DeepSec 2018, © 2018 Joanna Pianka, http://www.300dpi.at/

BSidesLondon has opened the Rookie Track registration. Submit your project ideas. Get a chance to present at an information security event. Let mentors guide you to the stage. We are pretty sure that you have something to share with us.

This won’t be the last reminder. Deadlines are closer than you think, quite similar to objects in the rear-view mirror. We enjoyed many Rookie presentations at BSidesLondon, and your content is valuable to the audience. The fact that seats get scarce very quickly is a good indicator that your contribution should be submitted to the Rookie Track registration before the call for presentations closes.

The best two rookies will get the opportunity to travel to Vienna in November and attend DeepSec 2020. The first rookie can relax and enjoy our conference. The second place requires a bit more work, because we offer to present your content in a full presentation slot (that’s 45 minutes). As for the Rookie Track we also offer support and guidance. Don’t be intimidated! Everything has to start somewhere. So grab your calendar, mark the deadline, and submit to the Rookie Track registration!

DeepSec 2020 Scholar Program – Call for Applications

ACOD Logo

DeepSec 2020 wants to support your project. We have teamed up with partners to foster research in information security. We already support the BSidesLondon Rookie Track, support the Reversing and Offensive-oriented Trends Symposium (ROOTS), publish the DeepSec Chronicles, and support individuals in their research. Now we want to go one step further.

Purpose: To encourage research by young professionals and academics on new and emerging cyber security issues, information security, new ways to use technology, defence, offence, and weaknesses in hardware/software/designs.

Suggested Topics: Vulnerabilities in mobile devices, vulnerabilities in the Internet of Things (IoT), advances in polymorphic code, software attacks on hardware wallets, side-channel attacks, hacking industrial control systems and smart cities, quantum and post-quantum computing, penetration testing – defining what it means and standardization, and related topics. Let your creativity run free.

Application Requirements:

  • Submit a proposal with a unique cybersecurity related topic in paragraph or outline form
  • CV / Resume
  • One paragraph on how your research will advance or contribute to the research and understanding of your topic and your own professional interests
  • Confirmed availability to attend and speak at the DeepSec Conference in November; talk slots are 45 minutes + 5 minutes of Q&A so plan accordingly
  • Applications must be received by 31 January 2020 to scholars@deepsec.net

Scholar Benefits:

  • Work will be published in the DeepSec journal “In Depth Security: Proceedings of the DeepSec Conferences”. Published works for this section of the journal are expected to be more raw, cutting-edge research ideas, as a precursor to a future peer-reviewed work. The published work will be guided by the Scholar Mentors but not subject to full peer review.
  • Opportunity to present at DeepSec Conference
  • Six months of mentorship and assistance in research from DeepSec Scholar Mentors
  • Full admission ticket including lodging for DeepSec Conference held in Vienna, Austria
  • EURO 5.000 for travel and research costs. Half paid 31 July, second half paid week of DeepSec Conference
  • Mentors will work with Scholars on a defined timeline for mentorship sessions, research drafts, any in-person meetings or discussions, and final paper submission dates

We will follow up the call for applications here in this blog with introductions of your potential mentors.