Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
It's funny.  Laugh. Security

2008 Pwnie Award Nominees Announced 74

ruphus13 writes "The Pwnie Awards, an 'annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community' announced their 2008 nominees. From their site, 'The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. The next step for the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners.'"
This discussion has been archived. No new comments can be posted.

2008 Pwnie Award Nominees Announced

Comments Filter:
  • by nathan s ( 719490 ) on Monday July 21, 2008 @04:52PM (#24280365) Homepage

    OMG PWNIESS!!!

  • Pwned (Score:5, Funny)

    by Anonymous Coward on Monday July 21, 2008 @04:53PM (#24280373)

    Their web server has been pwned.

    • Re:Pwned (Score:5, Informative)

      by Nos. ( 179609 ) <andrew&thekerrs,ca> on Monday July 21, 2008 @05:01PM (#24280467) Homepage

      Nominees

      We received 134 submissions for the Pwnie Awards, of which we've selected 37 nominees. Please select an award category from the list above to see the nominees.

      The winners of the Pwnie Awards will be anounced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.

      Pwnie for Best Server-Side Bug

      Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

      • Windows IGMP kernel vulnerability (CVE-2007-0069 [mitre.org])

        Discovered by: Alex Wheeler and Ryan Smith

        Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability [iss.net] that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim [technet.com] that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit [immunitysec.com] for this vulnerability.

      • NetWare kernel DCERPC stack buffer overflow

        Discovered by: Nicolas Pouvesle

        At REcon 2008, Nicolas Pouvesle demonstrated [recon.cx] some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.

        This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.

      • ClamAV Remote Command Execution (CVE-2007-4560 [mitre.org])

        Discovered by: Nikolaos Rangos

        This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus's Law [wikipedia.org] clearly does hold: "Given enough eyeballs, all bugs shallow", even the ones that we knew about fifteen years ago.

      • SQL Server 200

      • I'm glad I refreshed this page before posting that I managed to find out the categories before it succumbed. That would've been a self-own.
      • A "404 Not Found" page? Dummies... you should link to a DESCRIPTION of the bugs, not link to the actual bugs themselves!

        Oops, the page is just Slashdotted. Nevermind.
      • by Opyros ( 1153335 )

        Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.

        Hate to nitpick, but one enters one's third decade upon turning 20!

      • by Trogre ( 513942 )

        Nominees

        * Best Server-Side Bug [slashdot.org]
        * Best Client-Side Bug [slashdot.org]
        * Mass 0wnage [slashdot.org]
        * Most Innovative Research [slashdot.org]
        * Lamest Vendor Response [slashdot.org]
        * Most Overhyped Bug [slashdot.org]
        * Best Song [slashdot.org]
        * Most Epic FAIL [slashdot.o

        • Oded Horowitz

          Like Cher, Oded only needs to go by his first name. He is that much of a bad ass.

        Well, why did they give his last name then?

    • don't you mean 'pwnied'?
  • by Anonymous Coward on Monday July 21, 2008 @04:55PM (#24280387)

    Security watchers and pundits might also like to take a look at this security news portal [360is.com].

    AG.

  • SdDOS (Score:2, Redundant)

    by jfroot ( 455025 )

    Maybe they should give themselves an award as they appear to be pwned by the Slashdot effect.

  • Did they nominate the slashdot effect as a security concern?
  • Interesting (Score:1, Troll)

    by Etrias ( 1121031 )
    What would be funny if someone found out where their "undisclosed location" would be and published it.

    The Pwnies got PWNED!
  • by russlar ( 1122455 ) on Monday July 21, 2008 @04:59PM (#24280447)
    Did we just set some sort of record?
  • by Anonymous Coward on Monday July 21, 2008 @05:00PM (#24280461)

    Microsoft sure pwned the ISO when they got OOXML 'accepted' as a 'standard.'

    • Yes, it was a joke, but I still want to point out that "social hacking/engineering" and bribing/collusion are two very opposite things. While one employs some level of sophistication and utilizes positive human attributes such as intelligence and wit the other simply goes for the lowest common denominator and exploits negative human attributes such as greed and vanity.
  • http://pwnie-awards.org/ [pwnie-awards.org] The /. effect wins the day once again.
  • by djveer ( 1179631 ) on Monday July 21, 2008 @05:06PM (#24280557)
    From the "Most Epic FAIL" section... "Windows Vista for proving that security does not sell $100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is chosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements."

    I can agree with that completely. Windows Vista is significantly better for security than it's predecessor and had fewer vulnerabilities in the first year of release. However if people are so frustrated by the usability, hardware requirements, and confusing UAC prompts that they don't want to touch it with a 10-foot pole, that sort of seems like they're heading the wrong direction to me. They should be concentrating on making it more secure without direct user intervention.
    • by jd ( 1658 ) <imipak.yahoo@com> on Monday July 21, 2008 @06:02PM (#24281131) Homepage Journal

      Way back in the mists of time, part of my University training was on Human-Computer Interfaces and how not to design them. One of the first things we were told about was excessive alerts and excessive confirmations. It just causes the user to be desensitized to those things that are important, and they end up hitting the given key or clicking the necessary box without really reading any of the dialog presented. This actually worsens security. Especially if there's any way to silence such warnings, by disabling them for example, or having a utility that injects a confirmation into the module that handles the dialog.

      I believe security can sell, but that paranoia and pestering won't. Mandatory access controls, role-based access controls and POSIX access control lists do not require pestering dialog. There are general-purpose operating systems rated A1 on the old Orange Book scale - the highest rating for host security you can get - and I doubt a single one requires massive user intervention to do anything more complex than Solitaire.

      I would argue, then, that the article is wrong on Vista, that Vista is NOT the most secure offering from Microsoft because users stop trusting the security facility and are more likely to accidentally permit applications to do something stupid. You have to consider th wetware, and the wetware is very easily overloaded with trivia. Vista is only the most secure offering from Microsoft if nobody uses it.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        The UAC prompts in Vista seem annoying because they make a bad first impression... a lot of what you're doing with a new or upgraded computer is installing and tweaking things.

        Linux and Mac OS aren't really any different, I'm not sure why but they seem to get a bye on what is essentially the same thing (sudo GUI).

      • by Anonymous Coward on Monday July 21, 2008 @06:49PM (#24281563)

        No kidding. This needs to be modded as high as it can go: Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.

        UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"

        How the fuck should I know?!

        I mean, really, has anyone actually looked at those prompts? I consider myself fairly computer literate, but the prompts confuse me. I have no idea what they're asking about.

        Consider going to a car mechanic, and being told "we need access to your car, cancel or allow?" Do you allow them to have access? After all, they need access to your car to fix it. But do you trust them?

        In real life, you might do research on that. But you can't research the prompts in Vista. They're system modal. (Really. Microsoft themselves killed system modal mode in Windows 2000 only to reintroduce it in Vista.) So you can't go and look up if SMENTTYN.EXE is something you need to allow to access C:\WINDOWS or is something that shouldn't.

        (And what, exactly, does "access C:\WINDOWS" mean? Read something? Write something? Execute something? Who knows!)

        So instead most users just get fed up and Allow everything.

        And when they get pwned by a trojan horse that they never thought to question, Microsoft can honestly say that Windows didn't let it in: the user did by clicking "allow."

        Ignoring the fact that the user wasn't given enough information to make an informed decision and that Vista doesn't allow the user to do anything else until they've answered the question.

        Vista provides the illusion of security, but it's actually less secure than XP, since it conditions users to blindly allow everything they're asked to do until they get fed up and learn how to disable the security entirely. At least XP only asked Cancel or Allow when running executables downloaded from the Internet instead of just about everything.

        • Re: (Score:3, Insightful)

          by T.E.D. ( 34228 )

          Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.

          UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"

          Only if you are running as root. (I renamed "administrator" to "root" on my Vista box to avoid confusion.) Comparing apples with apples, what does my Debian box do when I'm running as root and a program wants to change something secured? Generally, it just lets the program d

      • Re: (Score:3, Insightful)

        There are general-purpose operating systems rated A1 on the old Orange Book scale

        A GPO that got a mathematical review? Like, reduced to a discrete graph and proven to function as predicted in all cases mathematically possible?

      • by Pr0xY ( 526811 ) on Monday July 21, 2008 @06:56PM (#24281655)

        Agreed...

        However, one thing to keep in mind is that currently the vast majority of "owned" windows boxes, were not infected by an remote exploit, but were infected by trojan horses.

        This poses an interesting and hard problem for Microsoft (i'm not trying to defend them, but i do believe in being fair). The issue is, how the heck do you prevent the installation of malware if the user ASKED for it to be installed?

        Windows defender actually does a pretty good job here. It's not perfect, but nothing is. UAC is an "ok" solution and to be honest, not too different from Ubunut's password prompt during privileged operations.

        I think Microsoft got the "right idea" with UAC, but the implementation of it went very wrong. Primarily due to the coarse granularity of what is "privileged." It's a tough thing to get right, and the *nix world has an advantage in this category, namely that the users are *used* to things like sudo and su to do things that are privileged.

        I've seen plenty of Windows users complaining on forums about UAC with things like "why the heck do I need a UAC prompt for just changing the time?!?" They simply don't get that anything that could potentially have an effect on other users of the system is an "admin" task.

        So all in all, I think Vista is better, but is simply a tough pill to swallow for the users who simply don't care or don't get security concepts...

        I think something better with UAC would be something like: "You are about to install something, would you like it to be installed for the current user or every user on the system?" Default to current user, and if they pick "every user" ask them for a password then.

        • Re: (Score:2, Funny)

          by Geak ( 790376 )
          Very poorly implemented. The majority of people who use computers are completely computer illiterate. Most times I'm suprised they can figure out how to do something as technical as breathing. Anyway, what I'm getting at is they wouldn't know WTF "privileged" means in computer terms, even after consulting a dictionary.

          The dialog should just say, "You are about to give a program permission to do whatever the fuck it wants to your computer, including INFECT IT WITH A VIRUS if it so chooses!!!! Unless y
        • by jotok ( 728554 )

          However, one thing to keep in mind is that currently the vast majority of "owned" windows boxes, were not infected by an remote exploit, but were infected by trojan horses.

          Not disagreeing with you here, but cite your sources (I could use data like that).

      • by beav007 ( 746004 )

        Way back in the mists of time, part of my University training was on Human-Computer Interfaces and how not to design them. One of the first things we were told about was excessive alerts and excessive confirmations. It just causes the user to be desensitized to those things that are important, and they end up hitting the given key or clicking the necessary box without really reading any of the dialog presented. This actually worsens security. Especially if there's any way to silence such warnings, by disabl

  • ZDNet has more info. (Score:3, Informative)

    by MRe_nl ( 306212 ) on Monday July 21, 2008 @05:08PM (#24280571)

    As their own site seems down, some more info here
    http://blogs.zdnet.com/security/?p=1519 [zdnet.com]

  • coral cache link (Score:5, Informative)

    by Anonymous Coward on Monday July 21, 2008 @05:30PM (#24280807)

    Thanks for slashdotting my poor little server on a DSL line :-)

    Try this: http://pwnie-awards.org.nyud.net/2008/awards.html [nyud.net]

    Alexander Sotirov
    Pwnie Awards

    • by russlar ( 1122455 ) on Monday July 21, 2008 @05:43PM (#24280937)
      Can we nominate you for a Pwnie Award for hosting a server on a DSL line?
      • Re: (Score:3, Funny)

        by Anonymous Coward

        Can we nominate you for a Pwnie Award for hosting a server on a DSL line?

        Sure, but I doubt you'll be able to get to the site to submit the nomination :-)

        I didn't expect to get Slashdotted. Last year I submitted a link to the awards and it didn't even make it to the front page, so I figured that nobody outside of the security industry cared.

        Alexander Sotirov
        Pwnie Awards

        • And for not posting relevant "News for Nerds", we pwned CmdrTaco at his anniversary party. Ask him for the pictures!
  • The next step for the Pwnie Awards judges will gather in an undisclosed location

    So how will they know where to go?

  • Life Lock Nomination (Score:4, Informative)

    by wiz31337 ( 154231 ) * on Monday July 21, 2008 @05:41PM (#24280911)

    I don't know if anyone else saw it but, Life Lock's very own CEO Todd Davis was nominated for a Pwnie for his brilliant idea to publicize his SSN.

    Someone was able to use his info to get a $500 fast cash loan.

    Not the most techie Pwnie but funny nonetheless.

  • by Anonymous Coward

    Posting anonymously for obvious reasons...

    My employer recently released a new "security measure" where our software phones home during installation (and ONLY during installation) to ensure the license key is valid (it has to be pre-generated on the server, avoiding the possibility for key generators).
    However, the code to do so is a very easy to "decompile" .NET assembly (not even obfuscated, and with REALLY obvious method and property names) - it took me literally about 15 minutes to make a new version of t

    • by HTH NE1 ( 675604 )

      I worked at a web design company (now defunct) where the standard way to handle forms data submitted via a secure socket layer was to e-mail them unencrypted to the client's mailbox, which was often an AOL.com address.

      And one client (a historical society site) who was quoted too low a price for a hosting plan with SSL had his forms hosted on another client's site (which sold lingerie, massage oils, candles, and Beanie Babies) that did have SSL, and those forms contained credit card information. A frameset w

  • Do I win? (Score:5, Funny)

    by pwnies ( 1034518 ) * <j@jjcm.org> on Monday July 21, 2008 @06:40PM (#24281465) Homepage Journal
    Do I win?
  • by dinodaizovi ( 1330195 ) on Monday July 21, 2008 @06:56PM (#24281653) Homepage
    We quickly moved the site to a server with real bandwidth. So slashdot away!

    Cheers,

    Dino Dai Zovi
    Pwnie Awards
  • by Trogre ( 513942 ) on Monday July 21, 2008 @10:06PM (#24283433) Homepage

    Pwnie for Most Overhyped Bug

                Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)

                Dan Kaminsky

                Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.

    Lamest Vendor Reponse

                Linus Torvalds

                Linux kernel non-disclosure policy

                Proving that open-source security has not improved much since it relied on the idea of getting enough eyeballs to make bugs shallow, Linus Torvalds demonstrated his incompetence at handling security isses by defending silent patching of security vulnerabilities in the Linux kernel:

    So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.

                Adding insult to injury:

                Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

                It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.

We gave you an atomic bomb, what do you want, mermaids? -- I. I. Rabi to the Atomic Energy Commission

Working...