Linux, Twitter, and Red Hat "Win" Big At Pwnie Awards
hugmeplz writes "The third annual Pwnie Awards took place last night at Black Hat in Las Vegas, and a full list of the winners has been posted. 'Most Epic Fail' honors went to the notorious Twitter/Google Apps hack from earlier this month that raised all sorts of questions about cloud computing security. Red Hat got skewered with the 'Mass 0wnage' award, also known as the 'Pwnie for Breaking the Internet,' for issuing a version of OpenSSH that left a backdoor open to hackers. The Linux development team earned 'Lamest Vendor Response' recognition for 'continually assuming that all kernel memory corruption bugs are only Denial-of-Service.' Naturally, Microsoft didn't slip past judges' eyes. Its vulnerability that enabled the Conficker worm to do its thing earned honors as the 'Most Overhyped Bug.' On the more positive side, the Pwnie Awards recognized security pros Wei Yongjun, sgrakkyu, Sebastian Kramer and Bernhard Mueller for accomplishments such as discovering bugs and demonstrating exploits. The Pwnie for Best Song went to Doctor Braid for his song Nice Report. Solar Designer snagged the Lifetime Achievement Award for, among other things, being the first to demonstrate heap buffer overflow exploitation, according to the Pwnie Awards Web site."
They're not really awards you brag about. So I won't be expecting victory speeches.
Has there been a mass breakout of rooted RHEL machines?
-- Linux user #369862
I read through to find out what had happened with Red Hat. I was surprised to see they were referencing the incident last year where some binaries were signed by an intruder, and went on to say that there was "little public information available" on the incident. However, I know Red Hat made several press releases, culminating with a full timeline of the events. In fact, I seem to remember the problem having been due to someone's lax handling of their own secrets (keys/password) as opposed to an actual hack.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
I would think that this award should have gone to 3drealms for their great job finally releasing Duke Nukem Forever and turning fantastic corporate profits against all odds. It was worth every moment of wait, suspense, and hype.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Help me out with this one: Do they go out of there way to sound like their fourteen years old cuz it's some kind tradition/secret handshake thing, or don't they realize how juvenile and goofy they sound?
"their way"... "like they're"... long week
to the ones that hacked their web page and put that fake list of awards.
Come on, "experts" that call Linux a "vendor"? That called the bug that enabled Conficker to carry out the biggest mass infection of PCs since 2003 "overhyped"? Their link to the "backdoored redhat openssh" (it was already discussed here that it wasn't) actually links to an advisory about a Windows remote RPC vulnerability.
Of course, the alternative is that their page is how it was meant to be, and in that case Hanlon would have the real explanation of what happened.
Think about it. These are BLACKHAT awards. Who are blackhats? People who want to break into other people's computers. Who idolizes a blackhat? Script kiddies. Those blackhats who are not felons, criminals waiting to be convicted, or criminals waiting to be caught are just juvenile asses trying to emulate the "bad boys". Face it - these are the guys who really DO live in their mama's basements. Growing up and going off to jail is actually a form of upward mobility for them.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
What I noticed in the nominations.. is that these were supposed to be awards to PEOPLE who discovered the vulnerabilities.. how this has turned into something like Red Hat receiving a "your bad" award, instead of "anonymous discoverer" being recognized for a "good job at finding the baddie".. I just don't know... I guess it's more fun to point out flaws.. So I will point out a flaw in the submitter of the article, for their comprehension skills.
Bonus points for using the non-word 'cuz' and the easily-avoided error 'their' in your post complaining about the poor English of others.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Don't be foolish. The world is not so simple, black and white, as compared to the colours of imaginary hats. In the world we live in, there may be many justified reasons for breaking into a computer. Script kiddies don't just idolise blackhats; anyone interested in security research does, for coming up with the frequently ingenious attacks they devise. Judging them for their actions is another issue altogether.
If you ignore ACs because they are anonymous - you're an idiot.
Despite popular opinion, wisdom and maturity do not necessarily come with age, and it certainly hasn't in your case. You don't have the slightest fucking clue about the security industry, and the only things you have backing you up are ad hominems and an impressive amount of childishness for someone who likes to brag about their age. Being older doesn't make you any more right; it just makes you older and still wrong.
Think about it. These are BLACKHAT awards. (...)
Registration for Black Hat costs around $1500, and one of their major sponsors is Microsoft.
Draw your own conclusions.
What the hell. This looks like a troll event if there ever was one, and MS astroturfing as well.
- Conficker bug 'overhyped'? Millions of PCs are infected, turned into zombies and/or crippled and that's 'overhyped'? The Kaminsky DNS bug would be a better candidate. This is just ridiculous.
- Red Hat successfully recovers from losing a private key (the worst thing that can happen in any public key cryptography system) with little actual damage and they call it 'massive ownage'?
- Kernel memory corruption is exploitable? I'm no kernel guru, but I think this is only possible in some rare cases, like when a dangling pointer will always point to a predictable offset from the return address on the stack, but in general it is not. On top of that, it would be hard to develop such a bug into a local root exploit, because after the memory corruption the system will be unstable. This is similar to the null-dereference vulnerability in Mozilla, which the reporter described as a stack-based buffer overflow to get extra publicity from people who don't know any better.
Whoever they are, I'm not lending them much credibility.
Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.