Feeds

Pwnie Awards celebrate best and worst of security

Showcasing the maddest skillz

The Essential Guide to IT Transformation

Organisers of the security world's Oscars, the Pwnie Awards, have announced the nominees for the second annual awards.

The Pwnies celebrate both the achievements and failures in security research and the wider IT security scene, so they are best thought of as a mixture of the Razzies, which recognise the worst in Hollywood, and the Oscars. The list of 37 nominees for the nine Pwnie Award categories will be narrowed down to winners by the judges, who will meet at an undisclosed location in order to decide the winners, before an awards ceremony at the Black Hat conference in Las Vegas on 6 August.

The list of nominees was narrowed from 134 submissions in categories including best client-side bug, most innovative research, lamest vendor response and most epic FAIL. Nominees in the bug category include URI protocol handler flaws, a class of flaw that put competing browser and application vendors at loggerheads in blaming others for vulnerabilities, the infamous Safari carpet-bombing bug and Apple's QuickTime media player application. QuickTime gets recognition as a result of numerous flaws with the application over the last 12 months.

In the Mass Ownage category the crippled OpenSSL random number generator in Debian, which resulted in the production of weak SSL and SSH keys, heads the nominations. SQL injection attacks, which became a preferred tactic for hackers to plant malware on vulnerable websites, also get a nod.

Security research and notable bugs are recognised in other award categories. Recent research in cold boot attacks on encryption keys will fight it out in the most innovative security research division with Rolf Rolles's research on virtualisation and security.

Lame Flame

Plenty of attention is likely to focus on the lamest vendor response award. McAfee's unimpressive answer to flaws in its "Hacker Safe" certification programme earns a dishonorable mention alongside NXP's decision to sue researchers who broke the security of its Mifare Classic smart cards. NXP's litigious response makes it the odds-on favourite to pick up the award, sparing Linus Torvalds, whose security-themed rant earlier this month earned him a nod.

Well-known security researcher Dan Kaminsky makes an appearance in several categories including the overhyped vulnerability slot, where the much publicised but still unspecified DNS cache poisoning vulnerability gets a mention. There might as well be no other nominees in the category since Kaminsky is a shoo-in for the award, in our book at least.

Momentous screw-ups (AKA epic fails) make up a more competitive category. Debian, for supplying a vulnerable OpenSSL library without realising it for two years, competes in this category against Todd Davis, the hapless Lifelock chief exec, whose anti-fraud service failed to protect him after he posted his social security number on the web. Intriguingly Windows Vista also gets a mention in this category for "proving security doesn't sell" and may be the dark horse for recognition here.

Former professional football players traditionally retire to manage pubs. Most hackers who have the "personality of a supermodel who does discrete mathematics for fun" go off to run coffee shops or some such so it's only fair the Pwnie Awards also include a Lifetime Achievement Award category. Dan Geer, who was fired by @stake after writing a paper about the risks on the lack of diversity in software established by Microsoft's dominant position, earns a nod in this category.

The full list of runners and riders for the Pwnie Awards can be found here. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.