The second and final day of BSidesSF was crammed with great talks. Here's a round-up of the discussions that caught my attention. As always, thanks to the volunteers and organizers who consistently make this a must-attend event.
First to speak was Trey Ford, former Black Hat general manager and now global security strategist at Rapid7. He highlighted problems with Washington's Internet security legislation efforts and called on the security community to step up and inspire meaningful change in the lawmaking process. He also suggested the community show more compassion in the face of setbacks and mistakes. As security professionals, he said, we have to stop eating our own.
"I want to challenge us to get out of our heads the idea of 'I' and 'you' and think about 'we'. A lot of research is an exercise in ego -- we enjoy that, the learning and discovery, and value elitism in our community," he said. "But we've got to get past perfection and set standards and goals, and then celebrate incremental wins."
Christopher Soghoian of the ACLU (American Civil Liberties Union) gave a talk about the U.S. government's surveillance activities and urged attendees to start viewing the government as a security threat.
In a nutshell, he used his talk -- "When 'Trust Us' Is Not Enough: Government Surveillance in a Post-Snowden World" -- to paint the government as a villain that will stop at nothing to break private encryption. SC Magazine's Tony Morbin wrote a story about it here.
Another talk focused on attack code that bypasses Microsoft's Enhanced Mitigation Experience Toolkit (EMET), the free exploit-mitigation layer Microsoft offers for hardening Windows applications against memory-corruption exploits. The code, developed by researchers at Bromium Labs, sneaks past the multiple protections EMET stacks on a process. The researchers notified Microsoft privately before making their work public, and Microsoft will in turn credit them with the finding when version 5 of EMET ships. Jared DeMott, one of the researchers behind the bypass, previously took third place in Microsoft's BlueHat Prize contest, which awards cash to researchers who help Microsoft harden its defenses. Details of the bypass technique were not part of the public write-ups at the time of writing.
Dan Goodin, security editor at Ars Technica, wrote about the presentation here.