Feeds

Pwnie Awards celebrate best and worst of security

Showcasing the maddest skillz

Providing a secure and efficient Helpdesk

Organisers of the security world's Oscars, the Pwnie Awards, have announced the nominees for the second annual awards.

The Pwnies celebrate both the achievements and failures in security research and the wider IT security scene, so they are best thought of as a mixture of the Razzies, which recognise the worst in Hollywood, and the Oscars. The list of 37 nominees for the nine Pwnie Award categories will be narrowed down to winners by the judges, who will meet at an undisclosed location in order to decide the winners, before an awards ceremony at the Black Hat conference in Las Vegas on 6 August.

The list of nominees was narrowed from 134 submissions in categories including best client-side bug, most innovative research, lamest vendor response and most epic FAIL. Nominees in the bug category include URI protocol handler flaws, a class of flaw that put competing browser and application vendors at loggerheads in blaming others for vulnerabilities, the infamous Safari carpet-bombing bug and Apple's QuickTime media player application. QuickTime gets recognition as a result of numerous flaws with the application over the last 12 months.

In the Mass Ownage category the crippled OpenSSL random number generator in Debian, which resulted in the production of weak SSL and SSH keys, heads the nominations. SQL injection attacks, which became a preferred tactic for hackers to plant malware on vulnerable websites, also get a nod.

Security research and notable bugs are recognised in other award categories. Recent research in cold boot attacks on encryption keys will fight it out in the most innovative security research division with Rolf Rolles's research on virtualisation and security.

Lame Flame

Plenty of attention is likely to focus on the lamest vendor response award. McAfee's unimpressive answer to flaws in its "Hacker Safe" certification programme earns a dishonorable mention alongside NXP's decision to sue researchers who broke the security of its Mifare Classic smart cards. NXP's litigious response makes it the odds-on favourite to pick up the award, sparing Linus Torvalds, whose security-themed rant earlier this month earned him a nod.

Well-known security researcher Dan Kaminsky makes an appearance in several categories including the overhyped vulnerability slot, where the much publicised but still unspecified DNS cache poisoning vulnerability gets a mention. There might as well be no other nominees in the category since Kaminsky is a shoo-in for the award, in our book at least.

Momentous screw-ups (AKA epic fails) make up a more competitive category. Debian, for supplying a vulnerable OpenSSL library without realising it for two years, competes in this category against Todd Davis, the hapless Lifelock chief exec, whose anti-fraud service failed to protect him after he posted his social security number on the web. Intriguingly Windows Vista also gets a mention in this category for "proving security doesn't sell" and may be the dark horse for recognition here.

Former professional football players traditionally retire to manage pubs. Most hackers who have the "personality of a supermodel who does discrete mathematics for fun" go off to run coffee shops or some such so it's only fair the Pwnie Awards also include a Lifetime Achievement Award category. Dan Geer, who was fired by @stake after writing a paper about the risks on the lack of diversity in software established by Microsoft's dominant position, earns a nod in this category.

The full list of runners and riders for the Pwnie Awards can be found here. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.