SAN FRANCISCO -- The opening keynote from noted security expert Dan Kaminsky at B-Sides San Francisco Sunday showed that the counter-corporate impulse in the security research community is alive, well, and a bit unruly.
In the semi-darkened DNA Lounge, a few blocks south of the Moscone Center, a talkative audience spent a lot of its energy exhorting Kaminsky to down various alcoholic drinks mid-talk. Per his trademark off-the-cuff style, Kaminsky announced he was glad not to be using PowerPoint slides or to have much in the way of structure to his talk.
Kaminsky took fairly predictable jabs at the RSA Conference, the massive event that formally opens Tuesday and in whose shadow B-Sides finds its "salon des refusés" niche, saying his theory on the RSA Conference is that "there are like a thousand companies there. They can't all be crap."
It was clear from the context that the audience of perhaps 100 listeners thought that most of the companies that participate in the annual dog-and-pony show were, indeed, crap.
Kaminsky's talk -- nothing if not wide-ranging -- did hit on several more serious notes. One that particularly resonated with the audience compared defense and response mechanisms for physical attacks in society with those used in information security.
"Imagine you're walking down the street minding your own business and a guy runs up to you and smacks you on the head with a lead pipe. Your skull is cracked open, you're bleeding." The response, Kaminsky said, is immediate and substantial. Bystanders use cell phones to call dedicated emergency response teams. You're taken to a hospital full of expensively trained doctors and you're patched up whether you can afford it or not. And the police take pains to find your attacker, placing the offender in a judicial system that hopes to mitigate future threats.
"You know what the security equivalent of that plan is?" Kaminsky asked. "You're hit on the head with a lead pipe and people start laughing and being like, 'Dude, where's your helmet? Why weren't you wearing a helmet?' It's not like they're wearing a helmet. They're just sitting around laughing.
"Fixing security is going to require a level of societal investment that we're not necessarily used to," Kaminsky said.