OpenBSD team mocked at first ever 'Pwnie' awards

Summary: At the first ever Pwnie Awards announced at the Black Hat Briefings here, a team of well-known researchers picked the OpenBSD team from a list of four software vendors -- BMC, EnCase and Norman AntiVirus were the others -- in the "lamest vendor response" category.

TOPICS: CXO, Security

LAS VEGAS -- The OpenBSD team has won an award for the most spectacular "mishandling" of a critical security vulnerability.

Here's why:

The OpenBSD team refused to acknowledge the bug as a security vulnerability and issued a "reliability fix" for it. A week later Core Security had developed proof of concept code that demonstrated remote code execution. Read the full timeline and quotes in the Core advisory.

During the ceremony, a five-man panel of judges (HD Moore, Alexander Sotirov, Dave Goldsmith, Dino Dai Zovi and Dave Aitel) cheered accomplishments in the bug-finding field and jeered lame and overhyped discoveries.

Other winners:

Best server-side bug: The Solaris in.telnetd remote root exploit released by Kingcope in February. Kingcope was given a golden Pwnie for finding this vulnerability that did not require any special hacking tools or shellcode.

Best client-side bug: Researchers skape and skywing took this award for finding a nasty Windows vulnerability (Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1) that allowed remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly "unloading chained exception." The flaw was detailed in Uninformed Vol. 4.

Pwnie for mass ownage: This was won by the unknown hacker who found the WMF SetAbortProc remote code execution hole that was widely exploited in the wild via Internet Explorer. "This vulnerability deserves an award for its obviousness, ease of exploitation and high impact," the judges said.

Most innovative research: Skape's presentation, featured in Uninformed Vol. 2, grabbed this award for being the most interesting piece of work done in the last year.

Most overhyped bug: The controversial MacBook Wi-Fi vulnerabilities released by David Maynor at last year's Black Hat took this dubious award. "In the end, the only public information about Maynor's Wi-Fi vulnerabilities are hype, denial, a media frenzy, and a patch that may or may not have been based on Maynor's findings," the judges said.

  • David Maynor definitely deserves a Jeer

    He has to be one of the most unprofessional bug hunters.
    • And C|Net and their ilk...

      ...for perpetuating the nonsense, even when its inaccuracies were pointed out.

      Big fat raspberry to all.
      • You're full of crap

        The inaccuracies as were pointed out, and eventually proved beyond any shadow of a doubt as Apple eventually admitted as much in black and white was where the reports from lame independent reporters claimed that "APPLE" was denying the possibility of Maynor's hack; Apple never once denied it, they never once said in their opinion it didn't exist, they never once said it was highly unlikely to exist, they never once said Maynor had lied about the hack, Apple never claimed their patch did not address any hack Brian Krebs claimed Maynor demonstrated to him on the Macbook wireless drivers, Apple never said they knew, or even thought Maynor's claim of a vulnerability in their airport hardware was incorrect.

        The reports that Apple ever denied that Maynor's hack was a fake or anything like a fake were bluntly incorrect and poorly conceived biased reporting. Given that Apple is a rather technologically advanced company that can surely hire the best in the business to evaluate claims of such vulnerabilities, Apple has had far more than enough time, as of yesterday to know if Maynor's claim of such a vulnerability ever existed. Instead of finally putting the matter to bed by Apple saying something to the effect of:

        "We now believe the vulnerability David Maynor claimed existed, as reported by Brian Krebs of the Washington Post, prior to the Blackhat convention in 2006, did not exist based on our own internal investigations. We have been unable to discover the existence of such a vulnerability as to our understanding of what was reported, and if any party wishes us to stand corrected they will have to provide further technical information to us in order that we may evaluate such claims from a better informed position. Currently we see no way such a vulnerability could exist given our understanding of what was reported."

        Apple has to date never even made so much as a claim the exploit or vulnerability "did not exist in their opinion".

        What they did do was to join forces with Maynor's employers for a period of time; Secureworks, and interestingly enough neither company spoke much about the situation at all after that.

        I myself am not an idiot, therefore I am not assuming that the smaller company, Secureworks had the money or power to "shut up" Apple from telling what they knew or suspected was the truth. I am absolutely compelled to believe that Apple has the money and power in that situation and I am suspecting that Apple was the one who convinced Secureworks to "shut up" about what they knew. Either way, they both shut up, either they both did so willingly, or one of them was willing and the other was convinced to shut up by the former.

        It's not rocket science, it's just facts, if you accept what Apple spokespeople say as fact. If you want the links, just ask, I have them all. If you just want to find a place where an Apple spokesperson literally says anything close to "WE DO NOT BELIEVE MAYNOR'S EXPLOIT IS TRUE" Google until your heart's content. You won't find it because Apple never said it didn't exist or they believed it didn't exist. They said a lot of things, but they never said that.
  • Re: Maynor's bug

    I wonder when we'll get a comment from Mr. Ou regarding this one.
  • Maynor's Bug

    It seems to me that the problem was that the judges here are clueless on Macs. Apple did a LOT of FUD on this problem, so the Pwnie should have gone to Apple, not Maynor. At least Maynor did due diligence, which can't be said for Apple.
    • Apple fixed the issue pretty quickly, if I remember right

      But the media was still going on and on about it, even after the patch.
    • Despite the attempts by many..

      to hint otherwise, Maynor never showed that exploit to anyone with credibility.
    • BINGO!!! Give this guy a huge cigar!!

      Maynor was a screw up in this situation to be sure because he let the cat out of the bag to Brian Krebs of the Washington Post before he had details of the vulnerability to Apple. He didn't even plan on doing the Apple hardware specific exploit at the Blackhat convention and he muffed the whole deal, along with Krebs reporting it of course as it drove the Apple Jacks insane to read such a thing and they all interpreted every comment by Apple as a claim that Maynor had lied and Apple had evidence no such exploit existed.

      The sad truth is that Apple never did say Maynor had lied or even that Maynor was wrong. They instead carefully parsed their words saying that Maynor had not proved it to them and then promptly joined forces with Maynor's employer, Secureworks and nothing more was said from Apple or Secureworks since. Maynor and his sidekick at the event, Johnny Cashe Ellck gave every obvious appearance of being "silenced" in the process and the only happy jacks around were the Apple Jacks who claimed victory in an absence of information from either side.

      Nobody ever has given a reasonable explanation as to why after more than a year after the event Apple still cannot say they do not believe such a vulnerability existed as reported by Krebs.

      Of course the Apple Jacks don't worry about that, any answer that makes sense would likely be hurtful to their loyalty.
  • in.telnetd?

    Solaris still ships with telnetd enabled? Say it ain't so!

    (if it doesn't, then I think the Pwnie team needs to get a Pwnie for this)