Slashdot Mirror


2008 Pwnie Award Nominees Announced

ruphus13 writes "The Pwnie Awards, an 'annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community,' announced their 2008 nominees. From their site, 'The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. The next step is for the Pwnie Awards judges to gather in an undisclosed location prior to the award ceremony and vote on the winners.'"

3 of 74 comments

  1. Consolidated Security News Site by Anonymous Coward · · Score: 3, Insightful

    Security watchers and pundits might also like to take a look at this security news portal.

    AG.

  2. Most EPIC fail, Windows Vista? by djveer · · Score: 5, Insightful

    From the "Most Epic FAIL" section... "Windows Vista for proving that security does not sell. $100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is choosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements."

    I can agree with that completely. Windows Vista is significantly better for security than its predecessor and had fewer vulnerabilities in the first year of release. However, if people are so frustrated by the usability, hardware requirements, and confusing UAC prompts that they don't want to touch it with a 10-foot pole, that sort of seems like they're heading the wrong direction to me. They should be concentrating on making it more secure without direct user intervention.

    1. Re:Most EPIC fail, Windows Vista? by Pr0xY · · Score: 4, Insightful

      Agreed...

      However, one thing to keep in mind is that currently the vast majority of "owned" Windows boxes were not infected by a remote exploit, but were infected by trojan horses.

      This poses an interesting and hard problem for Microsoft (I'm not trying to defend them, but I do believe in being fair). The issue is, how the heck do you prevent the installation of malware if the user ASKED for it to be installed?

      Windows Defender actually does a pretty good job here. It's not perfect, but nothing is. UAC is an "ok" solution and to be honest, not too different from Ubuntu's password prompt during privileged operations.

      I think Microsoft got the "right idea" with UAC, but the implementation of it went very wrong, primarily due to the coarse granularity of what is "privileged." It's a tough thing to get right, and the *nix world has an advantage in this category, namely that the users are *used* to things like sudo and su to do things that are privileged.

      I've seen plenty of Windows users complaining on forums about UAC with things like "why the heck do I need a UAC prompt for just changing the time?!?" They simply don't get that anything that could potentially have an effect on other users of the system is an "admin" task.

      So all in all, I think Vista is better, but is simply a tough pill to swallow for the users who simply don't care or don't get security concepts...

      I think something better with UAC would be something like: "You are about to install something, would you like it to be installed for the current user or every user on the system?" Default to current user, and if they pick "every user" ask them for a password then.