The Pwnie Awards, an annual ceremony that sits somewhere between the security industry's Oscars and its Darwin Awards, has released this year's list of nominees. The awards will be handed out on August 6 during Black Hat in Las Vegas.
[Image: Pwnie Awards: The nominees are in. Credit: J. Anderson / pwnie-awards.org]
There are nine categories. Some, such as "Lamest Vendor Response", which recognizes vendors' classic replies and comments to tough questions, give the nomination and award process a good dose of humor. Others, such as "Best Server-Side Bug" and "Best Client-Side Bug", are the serious side of the Pwnies, recognizing researchers' work.
So what makes up a nomination for "Lamest Vendor Response"?
Well, one that stands out is McAfee, which explained that XSS vulnerabilities cannot be used to attack a server. (In practice, script injected into a victim's browser can issue requests to that same server carrying the victim's session, so the "not directly" at the end of the quote is doing a lot of work.)
“Cross-site scripting can't be used to hack a server. You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly.”
(The Pwnie site also points to the “super hacker” comment made during an interview. Classic quotation.)
Another lame vendor response comes from NXP, a company The Tech Herald has covered before. Responding to Radboud University's cloning of an Oyster card (which is built on NXP's Mifare Classic chip), NXP said: “This was not a hack of the Oyster system. It was a single instance of a card being manipulated.”
Other nominees in the "Lamest Vendor Response" category include Linus Torvalds (“I personally consider security bugs to be just normal bugs”) and Wonderware, the company that was sent to python.org because it needed a compiler.
Another category, "Most Epic Fail", has one nominee that is sure to win on comedic value alone.
“Todd Davis, CEO of a fraud-prevention company called Lifelock, had publicly posted his Social Security number (457-55-5462) to show his confidence in the services offered by his company. Of course, a clever marketing stunt does not mean that the protection is actually worth anything. As expected, it did not take long for Davis' identity to get stolen: somebody in Texas got $500 from an online payday loan company using Davis' SSN,” the Pwnie nomination site explains.
"Best Server-Side Bug" has several strong contenders, but the recent SQL Server 2005 bug might take the prize. Likewise, "Best Client-Side Bug" could go to the disclosure of multiple URL protocol handling flaws (Nate McFeters, Rob Carter and Billy Rios) or to the discovery of the Safari carpet bomb attack (Laurent Gaffié, Nitesh Dhanjani and Aviv Raff).
Other categories, like "Best Song", offer some great tunes, though they are NSFW (Clockwork FTW). "Most Overhyped Bug" covers findings that drew a lot of attention; Dan Kaminsky's 'Unspecified DNS cache poisoning vulnerability', for example, made the list.
Still, despite all the fun and games, the "Most Innovative Research" and "Lifetime Achievement" Pwnies are worth checking out. The full list of nominees and categories is on the Pwnie Awards site.