Spec-exec CPU bugs sweep hacking Oscars – and John McAfee’s in there like a bullet
Fun and frolics at the 2018 Pwnie Awards
Black Hat The whizz kids who uncovered the Spectre and Meltdown data-leaking flaws in modern processors have scooped two Pwnie Awards – often referred to as the information security industry’s Oscars.
Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, Mike Hamburg, Jann Horn, and Anders Fogh were members of three teams that independently discovered the speculative-execution engine design blunders, and reported them to semiconductor makers and operating system developers.
This week, amid Black Hat USA 2018, they won a gong for the best privilege escalation bug, and also the award for the most innovative research, although when popping up to the stage to pick up their glammed up My Little Pony-style trophies, they said they honestly didn’t think that they had done the best research of the year.
The full list of 2018 Pwnie Awards winners are here.
Double winners are rare at the Pwnies, but at least the gang was there to pick up their prize. You couldn't say that for the winner of the Lamest Vendor Response gong, which this year went to the security industry’s batshit old uncle John McAfee and his paymasters at bungling cryptocurrency wallet maker Bitfi.
One of the judges, Luta Security’s Katie Moussouris, pointed out that Bitfi was not initially nominated for the award. However, in the final days before the awards night, the Pwnie website was hit by thousands of people nominating Bitfi and Mcadee for their failed PR campaign: they had claimed their wallet was unhackable. It was very hackable.
In recognition of @Bitfi6 and @officialmcafee and their prestigious @PwnieAwards accolades, we'd like to show you @spudowiar playing DooM on his #BitFi secure wallet! Congratulations! pic.twitter.com/50qZZu1MnF— Abe Snowman (@AbeSnowman) August 9, 2018
“The internet has demanded it,” she said, adding that Mcafee had “killed the competition.” This bought a laugh from the crowd: Mcafee was named by police as a suspect for the murder of his Belizean neighbor in 2012. Mcafee denies any wrongdoing.
Mcafee wasn’t there to pick up his award, so it got taken anyway by Ryan Castellucci, principal security researcher at White Ops. Castellucci was one of the researchers who detailed the lousy security of Bitfi's hardware.
“Mcafee has written at least two hit pieces about me recently so I’m taking his Pwnie,” Castellucci said on stage. He’s planning a further demo of the parlous state of Bitfi at the DEF CON hacking conference later this week.
The Lifetime Achievement award, the most prestigious Pwnie, this year went to Michał Zalewski, who goes by the handle lcamtuf. All the judges acknowledged the massive impact this Polish-born hacker has had on the industry, both in his work at Google, as a published author, as the developer of state-of-the-art fuzzer American Fuzzy Lop and other tools, and as a mentor for young talent. He received a special gothic Pwnie for his work. ®