Feeds

Pwnie Awards celebrate best and worst of security

Showcasing the maddest skillz

The Power of One eBook: Top reasons to choose HP BladeSystem

Organisers of the security world's Oscars, the Pwnie Awards, have announced the nominees for the second annual awards.

The Pwnies celebrate both the achievements and failures in security research and the wider IT security scene, so they are best thought of as a mixture of the Razzies, which recognise the worst in Hollywood, and the Oscars. The list of 37 nominees for the nine Pwnie Award categories will be narrowed down to winners by the judges, who will meet at an undisclosed location in order to decide the winners, before an awards ceremony at the Black Hat conference in Las Vegas on 6 August.

The list of nominees was narrowed from 134 submissions in categories including best client-side bug, most innovative research, lamest vendor response and most epic FAIL. Nominees in the bug category include URI protocol handler flaws, a class of flaw that put competing browser and application vendors at loggerheads in blaming others for vulnerabilities, the infamous Safari carpet-bombing bug and Apple's QuickTime media player application. QuickTime gets recognition as a result of numerous flaws with the application over the last 12 months.

In the Mass Ownage category the crippled OpenSSL random number generator in Debian, which resulted in the production of weak SSL and SSH keys, heads the nominations. SQL injection attacks, which became a preferred tactic for hackers to plant malware on vulnerable websites, also get a nod.

Security research and notable bugs are recognised in other award categories. Recent research in cold boot attacks on encryption keys will fight it out in the most innovative security research division with Rolf Rolles's research on virtualisation and security.

Lame Flame

Plenty of attention is likely to focus on the lamest vendor response award. McAfee's unimpressive answer to flaws in its "Hacker Safe" certification programme earns a dishonorable mention alongside NXP's decision to sue researchers who broke the security of its Mifare Classic smart cards. NXP's litigious response makes it the odds-on favourite to pick up the award, sparing Linus Torvalds, whose security-themed rant earlier this month earned him a nod.

Well-known security researcher Dan Kaminsky makes an appearance in several categories including the overhyped vulnerability slot, where the much publicised but still unspecified DNS cache poisoning vulnerability gets a mention. There might as well be no other nominees in the category since Kaminsky is a shoo-in for the award, in our book at least.

Momentous screw-ups (AKA epic fails) make up a more competitive category. Debian, for supplying a vulnerable OpenSSL library without realising it for two years, competes in this category against Todd Davis, the hapless Lifelock chief exec, whose anti-fraud service failed to protect him after he posted his social security number on the web. Intriguingly Windows Vista also gets a mention in this category for "proving security doesn't sell" and may be the dark horse for recognition here.

Former professional football players traditionally retire to manage pubs. Most hackers who have the "personality of a supermodel who does discrete mathematics for fun" go off to run coffee shops or some such so it's only fair the Pwnie Awards also include a Lifetime Achievement Award category. Dan Geer, who was fired by @stake after writing a paper about the risks on the lack of diversity in software established by Microsoft's dominant position, earns a nod in this category.

The full list of runners and riders for the Pwnie Awards can be found here. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.