Slashdot Mirror


2008 Pwnie Award Nominees Announced

ruphus13 writes "The Pwnie Awards, an 'annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community' announced their 2008 nominees. From their site, 'The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. The next step is for the Pwnie Awards judges to gather in an undisclosed location prior to the award ceremony and vote on the winners.'"

5 of 74 comments

  1. Consolidated Security News Site by Anonymous Coward · · Score: 3, Insightful

    Security watchers and pundits might also like to take a look at this security news portal.

    AG.

  2. Most EPIC fail, Windows Vista? by djveer · · Score: 5, Insightful

    From the "Most Epic FAIL" section... "Windows Vista for proving that security does not sell. $100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is choosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements."

    I can agree with that completely. Windows Vista is significantly better for security than its predecessor and had fewer vulnerabilities in the first year of release. However, if people are so frustrated by the usability, hardware requirements, and confusing UAC prompts that they don't want to touch it with a 10-foot pole, that sort of seems like they're heading in the wrong direction to me. They should be concentrating on making it more secure without direct user intervention.

    1. Re:Most EPIC fail, Windows Vista? by bluefoxlucid · · Score: 2, Insightful

      There are general-purpose operating systems rated A1 on the old Orange Book scale

      A GPO that got a mathematical review? Like, reduced to a discrete graph and proven to function as predicted in all cases mathematically possible?

    2. Re:Most EPIC fail, Windows Vista? by Pr0xY · · Score: 4, Insightful

      Agreed...

      However, one thing to keep in mind is that currently the vast majority of "owned" Windows boxes were not infected by a remote exploit, but were infected by trojan horses.

      This poses an interesting and hard problem for Microsoft (I'm not trying to defend them, but I do believe in being fair). The issue is, how the heck do you prevent the installation of malware if the user ASKED for it to be installed?

      Windows Defender actually does a pretty good job here. It's not perfect, but nothing is. UAC is an "ok" solution and to be honest, not too different from Ubuntu's password prompt during privileged operations.

      I think Microsoft got the "right idea" with UAC, but the implementation of it went very wrong. Primarily due to the coarse granularity of what is "privileged." It's a tough thing to get right, and the *nix world has an advantage in this category, namely that the users are *used* to things like sudo and su to do things that are privileged.

      I've seen plenty of Windows users complaining on forums about UAC with things like "why the heck do I need a UAC prompt for just changing the time?!?" They simply don't get that anything that could potentially have an effect on other users of the system is an "admin" task.

      So all in all, I think Vista is better, but is simply a tough pill to swallow for the users who simply don't care or don't get security concepts...

      I think something better with UAC would be something like: "You are about to install something, would you like it to be installed for the current user or every user on the system?" Default to current user, and if they pick "every user" ask them for a password then.

    3. Re:Most EPIC fail, Windows Vista? by T.E.D. · · Score: 2, Insightful

      Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.

      UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"

      Only if you are running as root. (I renamed "administrator" to "root" on my Vista box to avoid confusion.) Comparing apples with apples, what does my Debian box do when I'm running as root and a program wants to change something secured? Generally, it just lets the program do it with no warning whatsoever.

      Of course running general programs as root is considered stoopid (beyond "stupid"). So let's pretend we are smart and don't run as root. Then we run a program that needs root to accomplish something. On my Debian box either the program fails, or I get a password prompt for the root account. Continuing with this radical concept of comparing apples to apples: doing the same on my Vista box gives me... the exact same result. Some programs fail, some (perhaps most) give me a password prompt for the root account.

      What really used to make Windows boxes so insecure was that it was such a PITA to elevate to root privs on the occasions you needed it that nobody bothered running any other way, despite the insane security risk. This is what Vista fixed.