
Linux, Twitter, and Red Hat "Win" Big At Pwnie Awards

Soulskill posted more than 5 years ago | from the i'd-like-to-thank-the-academy dept.

Security 63

hugmeplz writes "The third annual Pwnie Awards took place last night at Black Hat in Las Vegas, and a full list of the winners has been posted. 'Most Epic Fail' honors went to the notorious Twitter/Google Apps hack from earlier this month that raised all sorts of questions about cloud computing security. Red Hat got skewered with the 'Mass 0wnage' award, also known as the 'Pwnie for Breaking the Internet,' for issuing a version of OpenSSH that left a backdoor open to hackers. The Linux development team earned 'Lamest Vendor Response' recognition for 'continually assuming that all kernel memory corruption bugs are only Denial-of-Service.' Naturally, Microsoft didn't slip past judges' eyes. Its vulnerability that enabled the Conficker worm to do its thing earned honors as the 'Most Overhyped Bug.' On the more positive side, the Pwnie Awards recognized security pros Wei Yongjun, sgrakkyu, Sebastian Kramer and Bernhard Mueller for accomplishments such as discovering bugs and demonstrating exploits. The Pwnie for Best Song went to Doctor Braid for his song Nice Report. Solar Designer snagged the Lifetime Achievement Award for, among other things, being the first to demonstrate heap buffer overflow exploitation, according to the Pwnie Awards Web site."


Jews did 9/11. (-1, Offtopic)

Luke727 (547923) | more than 5 years ago | (#28904141)

Listen, and understand. That Pwnie is out there. It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you are dead.

frost pist (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28904171)

frost pist!!!!11

First post (2, Funny)

thetoadwarrior (1268702) | more than 5 years ago | (#28904229)

They're not really awards you brag about. So I won't be expecting victory speeches.

Re:First post (5, Funny)

Mesa MIke (1193721) | more than 5 years ago | (#28904461)

OMG! PWNIES!

Re:First post (1)

MartinSchou (1360093) | more than 5 years ago | (#28911203)

Damn, that's the funniest thing I've seen in a long time.

Actually, if your read .... (3, Insightful)

dbcad7 (771464) | more than 5 years ago | (#28905135)

What I noticed in the nominations.. is that these were supposed to be awards to PEOPLE who discovered the vulnerabilities.. how this has turned into something like Red Hat receiving a "your bad" award, instead of "anonymous discoverer" being recognized for a "good job at finding the baddie".. I just don't know... I guess it's more fun to point out flaws.. So I will point out a flaw in the submitter of the article, for their comprehension skills.

Three First Posts!!!! (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#28904247)

OMG!!! How can a thread have THREE first posts?

Re:Three First Posts!!!! (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28904341)

OK Cuntdot Fags, who wants to waste another mod point? I'll even tell you to mod this a flamebait, there you only have to select the MOD and click moderate.

Re:Three First Posts!!!! (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#28904511)

Okay cuntdot fags, who here hasn't trolled??

'breaking the internet' (2, Insightful)

JonJ (907502) | more than 5 years ago | (#28904277)

Has there been a mass breakout of rooted RHEL machines?

Re:'breaking the internet' (3, Funny)

Anonymous Coward | more than 5 years ago | (#28904375)

The word from Pyongyang hasn't come down yet.

Re:'breaking the internet' (1)

theGreater (596196) | more than 5 years ago | (#28904555)

No, but there -has- been a mass breakout of 'hacked' Google Apps / Twitter accounts. What's that, social engineering and guessing of weak passwords? Well, that doesn't have the same cachet as poking fun at newsworthy companies, so we'll just sensationalize it and give it a misleading title instead.

-theGreater must be new here.

Re:'breaking the internet' (1)

Jerry (6400) | more than 5 years ago | (#28911829)

Ya, didn't you hear?

They discovered a massive 1.9 MILLION zombie bot farm a few weeks ago. It was in all the news ..... Oh, wait, those zombies were all Windows boxes.

Never mind.

May want to actually read the article on this one (5, Informative)

pembo13 (770295) | more than 5 years ago | (#28904335)

I read through to find out what had happened with Red Hat. I was surprised to see they were referencing the incident last year where some binaries were signed by an intruder, and went on to say that there was "little public information available" on the incident. However I know Red Hat made several press releases, culminating with a full timeline of the events. In fact, I seem to remember the problem having been due to someone's lax handling of their own secrets (keys/password) as opposed to an actual hack.

Re:May want to actually read the article on this o (1)

rayvd (155635) | more than 5 years ago | (#28908489)

Yeah, I think it was an internal thing, and no packages were ever distributed. The steps they took were all precautionary (as internal as it was, they probably could have said nothing and no one would have been the wiser).

But hey, fun to stir up FUD...

Re:May want to actually read the article on this o (1)

Vexorian (959249) | more than 5 years ago | (#28908745)

In fact, the twitter 'hack' was also just a case of human error. The kernel case is something I haven't heard of, so I'll assume the only "true" vulnerability here was windows' one used for conficker worm, which coincidentally was just minimized as 'overhyped'.

Cornflicker (1, Informative)

westlake (615356) | more than 5 years ago | (#28904347)

Its vulnerability that enabled the Conficker worm to do its thing earned honors as the 'Most Overhyped Bug.'

Cornflicker was a non-event for those who had installed the patch months before the worm began to do it's thing.

Re:Cornflicker (1)

corychristison (951993) | more than 5 years ago | (#28904431)

Cornflicker?
No, it's C-o-n-f-i-c-k-e-r:
http://en.wikipedia.org/wiki/Conficker [wikipedia.org]

Re:Cornflicker (1)

Anonymous Coward | more than 5 years ago | (#28904449)

Really? I thought it was Cornfucker.

Re:Cornflicker (1)

X0563511 (793323) | more than 5 years ago | (#28905171)

Behold! [youtube.com]

(I was going to post something else [youtube.com] , but it's slightly NSFW and hence requires an account to watch)

Re:Cornflicker (0)

Anonymous Coward | more than 5 years ago | (#28907473)

Ficker actually means fucker in German. Lots of giggling ensued.

Re:Cornflicker (0)

Anonymous Coward | more than 5 years ago | (#28904443)

Cornflicker was a non-event for those who had installed the patch months before the worm began to do it's thing.

Although it's quite funny to see you so arrogantly prescribe incorrect grammar, I feel obligated to inform you that you've got [uwaterloo.ca] it [wsu.edu] backwards [wikipedia.org] .

Re:Cornflicker (1, Funny)

Anonymous Coward | more than 5 years ago | (#28905359)

...to do it is thing.

Thanks for the correction.

Where's 3dRealms? (3, Funny)

damn_registrars (1103043) | more than 5 years ago | (#28904501)

I would think that this award should have gone to 3drealms for their great job finally releasing Duke Nukem Forever and turning fantastic corporate profits against all odds. It was worth every moment of wait, suspense, and hype.

Re:Where's 3dRealms? (1)

Tubal-Cain (1289912) | more than 5 years ago | (#28906085)

Even Yahtzee [escapistmagazine.com] agrees.

"Epic Fail?" "Ownage?" (5, Insightful)

RobotRunAmok (595286) | more than 5 years ago | (#28904503)

Help me out with this one: Do they go out of there way to sound like their fourteen years old cuz it's some kind tradition/secret handshake thing, or don't they realize how juvenile and goofy they sound?

Re:"Epic Fail?" "Ownage?" (3, Informative)

RobotRunAmok (595286) | more than 5 years ago | (#28904525)

"their way"... "like they're"... long week

Re:"Epic Fail?" "Ownage?" (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28904643)

They're geeks.

Re:"Epic Fail?" "Ownage?" (2, Interesting)

Runaway1956 (1322357) | more than 5 years ago | (#28904757)

Think about it. These are BLACKHAT awards. Who are blackhats? People who want to break into other people's computers. Who idolizes a blackhat? Script kiddies. Those blackhats who are not felons, are not criminals waiting to be convicted, or criminals waiting to be caught, are just juvenile asses trying to emulate the "bad boys". Face it - these are the guys who really DO live in their mama's basements. Growing up and going off to jail is actually a form of upward mobility for them.

Re:"Epic Fail?" "Ownage?" (0, Troll)

Runaway1956 (1322357) | more than 5 years ago | (#28905575)

Flamebait? ROFLMAO - when you reach my age, and you've watched a generation of kids grow from diapers to jail cells, then you come back and label my opinions as flamebait. Oh wait - I apologize, Mr. Moderator. I see who you are now. You're still living in YOUR mother's basement!!

Crap, I think I just broke my arm - I'm laughing so hard I fell off my chair!

Re:"Epic Fail?" "Ownage?" (2, Informative)

Virak (897071) | more than 5 years ago | (#28906335)

Despite popular opinion, wisdom and maturity do not necessarily come with age, and it certainly hasn't in your case. You don't have the slightest fucking clue about the security industry, and the only things you have backing you up are ad hominems and an impressive amount of childishness for someone who likes to brag about their age. Being older doesn't make you any more right; it just makes you older and still wrong.

Re:"Epic Fail?" "Ownage?" (1)

Jurily (900488) | more than 5 years ago | (#28907487)

Being older doesn't make you any more right; it just makes you older and still wrong.

Age should bring with it the experience to make you not wrong. If you're not stuck in a permanent puberty like so many people.

Re:"Epic Fail?" "Ownage?" (1)

Virak (897071) | more than 5 years ago | (#28909587)

I was using "you" in the sense of the second person pronoun, not as in "a specific but unspecified person" (like "one"). I don't think all people stay stupid and set in their irrational, poorly-founded beliefs even with age.

Just most of them.

Re:"Epic Fail?" "Ownage?" (1)

moonbender (547943) | more than 5 years ago | (#28907567)

Wow, you take your Slashdot moderations really seriously.

Re:"Epic Fail?" "Ownage?" (3, Insightful)

metrix007 (200091) | more than 5 years ago | (#28906285)

Don't be foolish. The world is not so simple, black and white as compared to the colours of imaginary hats. In the world we live in, there may be many justified reasons for breaking into a computer. Script kiddies don't just idolise blackhats, anyone interested in security research does, for coming up with the frequently ingenious attacks they devise. Judging them for their actions is another issue altogether.

Re:"Epic Fail?" "Ownage?" (1)

Runaway1956 (1322357) | more than 5 years ago | (#28906427)

One word. "Greyhat"

Re:"Epic Fail?" "Ownage?" (1)

metrix007 (200091) | more than 5 years ago | (#28907015)

What you may refer to as a greyhat, others might call a blackhat, while I may think they were doing the right thing. As I said, it's not so simple.

Re:"Epic Fail?" "Ownage?" (2, Informative)

Flavio (12072) | more than 5 years ago | (#28907105)

Think about it. These are BLACKHAT awards. (...)

Registration for Black Hat costs around $1500, and one of their major sponsors is Microsoft.

Draw your own conclusions.

Re:"Epic Fail?" "Ownage?" (2, Informative)

DNS-and-BIND (461968) | more than 5 years ago | (#28905369)

Sadly, those are phrases used by "legitimate" "security" "professionals" these days.

Bonus points for using the non-word 'cuz' and the easily-avoided error 'their' in your post complaining about the poor English of others.

Re:"Epic Fail?" "Ownage?" (0)

Anonymous Coward | more than 5 years ago | (#28906043)

You must be old here.

Re:"Epic Fail?" "Ownage?" (1)

moonbender (547943) | more than 5 years ago | (#28907601)

I was going to write that maybe they don't care that they sound juvenile, because they're doing this as an internal thing, and not to please the world/the press or whatever. But actually, I disagree. I read TFA and they don't sound juvenile to me at all. They do use phrases like epic fail etc. but these are just part of internet culture at this point -- and they're used here sort of tongue-in-cheek, along with all of TFA, in fact (e.g. "Also known as Pwnie for Breaking the Internet."). On the other hand, the grammar is fairly complex and the spelling seems fine. So, no, it doesn't sound particularly juvenile (maybe a bit goofy -- is that bad?) to me; it's just not a security advisory, that's all. Contrast this to most YouTube comments or a random MySpace page...

Re:"Epic Fail?" "Ownage?" (1)

L7_ (645377) | more than 5 years ago | (#28910801)

Fourteen year olds aren't creative enough to make up those types of words. They are knowledgeable enough to pick up on them though, and re-use the extensions of human textual speech that security experts, hipsters, and 30 year old MMO veterans create.

A lot of people that speak like that are adults. Everyone that makes up the memes are adults.

Awards for government e-fails? (0)

Anonymous Coward | more than 5 years ago | (#28904509)

Why don't they have awards for fails on the e-government level? Is it simply that there are too many?

After all, the blackhat people must be the ones running metagovernment, right? http://metagovernment.org/wiki/Main_Page [metagovernment.org]

Re:Awards for government e-fails? (0)

Anonymous Coward | more than 5 years ago | (#28904991)

No offense, but metagovernment is too sophisticated thinking for the Black Hat people.

Missing award... (5, Insightful)

gmuslera (3436) | more than 5 years ago | (#28904745)

to the ones that hacked their web page and put that fake list of awards.

Come on, "experts" that call Linux a "vendor"? That called "overhyped" the bug that enabled Conflicker to do the biggest massive infection of PCs since 2003 [wikipedia.org] ? Their link [mitre.org] to the "backdoored redhat openssh" (that was already discussed here that wasn't) actually links to an advisory about a Windows remote rpc vulnerability.

Of course, the alternative is that their page is how it was meant to be, and in that case Hanlon would have the real explanation of what happened.

Re:Missing award... (0)

Anonymous Coward | more than 5 years ago | (#28906965)

Come on, "experts" that call Linux a "vendor"?

Typical, "Linux is an X, not a Y, and whatever you say bounces off me and sticks to you" defense

Re:Missing award... (1)

dotwhynot (938895) | more than 5 years ago | (#28907435)

That called "overhyped" the bug that enabled Conflicker to do the biggest massive infection of PCs since 2003 [wikipedia.org] ?

Conficker is interesting, because Microsoft actually had it patched pretty early (Oct 08), months before the spreading really became as massive as it became (Jan-Apr 09 and onwards). Meaning its main vector and success factor was people who'd disabled automatic Windows Update. You could say that this lays the blame more with users than Microsoft (we usually do that when the same happens to Linux, Mac or Firefox or similar - "but they have patched that, quickly/long ago"). But more interestingly (or humorously); who disables Windows Update? Us nerds with a long memory and strong opinion of Microsoft updates creating problems? We who want to control our machine ourselves? Meaning this was actually a nerd disease? ;-> Hitting and spreading among the people "who know what they are doing" more than the "unwashed masses"? Don't know, probably more factors, I just love the delicious irony of this one :)

Re:Missing award... (1)

Marcos Eliziario (969923) | more than 5 years ago | (#28908605)

In my experience, most people who disable Automatic Updates on Windows are people using bootleg copies of Windows, because of WGA. You see: the guy has a patched WGA, and then decides to disable Automatic Updates for fear of having a new and improved WGA which will get him. Of course, nobody actually forces you to use Windows unless you've bought a machine where it was bundled and paid as part of the price, so bootleg users well deserve it, as there are plenty of high quality open source and free-as-in-beer-and-as-in-thomas-jefferson--and-thoureau-tocqueville Operating Systems out there. I use Windows 7 and Linux daily, but at least I have a TechNet subscription bought specifically so I could have access to MS operating systems and servers for the purpose of development and experimentation.

Re:Missing award... (1)

cthulhu11 (842924) | more than 5 years ago | (#28928799)

... not to mention the childish misuse of "fail" as a noun.

Love the logo. (0, Offtopic)

antdude (79039) | more than 5 years ago | (#28904919)

Pony vs. Pwnie. So does the winner get a golden My Little Pony? :P

pwnies? (1, Insightful)

timmarhy (659436) | more than 5 years ago | (#28904941)

the stupid name given to this event means they need to give themselves their own fail award..

Was that page 0wned? (1)

SkepticApe (1609787) | more than 5 years ago | (#28904975)

WTF is all the "Cheddar Bay" nonsense in this? ........"In the midst of all the Linux kernel security debates about exploiting NULL function pointer dereferences, Cheddar Bay, transparency regarding known or potential security issues, Cheddar Bay, and the protection afforded by LSMs running within an insecure kernel, Cheddar Bay, sometimes the very simple yet damaging vulnerabilities don't get nearly the attention they deserve. This is one such vulnerability."

Re:Was that page 0wned? (0)

Anonymous Coward | more than 5 years ago | (#28907321)

http://www.jethrocarr.com/?cms=blog:20090718

mp3 (0)

Anonymous Coward | more than 5 years ago | (#28905355)

hehe.. take a closer look at the mp3.

Seriously.

My own security award for twitter (1)

OneInEveryCrowd (62120) | more than 5 years ago | (#28906321)

Earlier this week Twitter advised people who had used a certain app to change their passwords because the app may have been insecure. Then I went to the update password page and noticed that the new password is passed to Twitter using http, not https like they do for the regular login.

Naturally, Microsoft didn't slip past judges' eyes (0)

Anonymous Coward | more than 5 years ago | (#28907469)

"Naturally, Microsoft didn't slip past judges' eyes..." Nice try. At least the poster attempted to give the impression that the article and the awards they were 'reporting' on were balanced and impartial.

The point is that this story was posted on Slashdot, a place where Linux users and advocates congregate. The intention was to cast a little more doubt into the minds of the faithful. Loosen the grip of the Linux users just a little more.

Little by little. Microsoft is attacking on all fronts and it is a dirty war. If you are a Linux user, then now is the time to batten down the hatches and prepare to repel the invaders, because if you don't, in the not too distant future, you will find that Linux will have become dependent on Microsoft technologies and the software freedom which blossomed in the nineties will be nothing but a fleeting memory. Microsoft have paid their way into the heart of the Linux territory. Even the staunchest of Linux advocates can be tempted with a good salary and a bit of promotion. No need to ask them to sabotage the whole thing, just a gentle nudge here and there, some persuasion, some dissuasion. I never thought I would see the day when I would find win32 applications installed by default on my computer during a Linux installation and yet there they are in the Ubuntu install. Not so in Red Hat!

I am not surprised that of all the Linux distributions Red Hat was singled out at the event and in the summary. No mention of security issues with Novell SuSe. Hmm, that distribution must be the distribution to use then! (not)

Re:Naturally, Microsoft didn't slip past judges' e (0)

Anonymous Coward | more than 5 years ago | (#28909263)

I'm typing this on debian squeeze and have used Linux since SuSE 6.1, but the unfortunate fact is that this criticism of the kernel team is a fair one. The focus of Linux has always been on shiny new features and performance, they have no real security process or dedicated team, it's very much an afterthought. Vulns usually get caught pretty quickly, so you're usually safe so long as you don't use bleeding edge kernels, but sometimes a big one gets through and this is just going to keep happening.


Furthermore I'd say this is a direct result of Linus' leadership, he could do with being a bit more like Theo.

Trolls creep into meatspace (2, Interesting)

Tweenk (1274968) | more than 5 years ago | (#28907843)

What the hell. This looks like a troll event if there ever was one, and MS astroturfing as well.
- Conficker bug 'overhyped'? Millions of PCs are infected, turned into zombies and/or crippled and that's 'overhyped'? The Kaminsky DNS bug would be a better candidate. This is just ridiculous.
- Red Hat successfully recovers from losing a private key (the worst thing that can happen in any public key cryptography system) with little actual damage and they call it 'massive ownage'?
- Kernel memory corruption is exploitable? I'm no kernel guru, but I think this is only possible in some rare cases, like when a dangling pointer will always point to a predictable offset from the return address on the stack, but in general it is not. On top of that it would be hard to develop such a bug into a local root exploit, because after the memory corruption the system will be unstable. This is similar to the null-dereference vulnerability in Mozilla which the reporter described as a stack-based buffer overflow to get extra publicity from people who don't know any better.

Whoever they are, I'm not lending them much credibility.

Re:Trolls creep into meatspace (1)

CyberDragon777 (1573387) | more than 5 years ago | (#28911957)

Conficker is not a case of a serious bug, it is a case of serious user idiocy.

In their defense... (1)

Anonymous Struct (660658) | more than 5 years ago | (#28910315)

If you read the descriptions, a lot of these are awarded based on the most sophisticated and technically interesting security holes found. I'll admit that the SCTP hole was interesting, even though I kind of wonder if there was ever a single instance of it being exploited in the wild. The place where I have to call BS is the RedHat package signing issue and the 'overhyped' Server service hole. There isn't really any evidence that anybody was affected by the signing key breach, so they're just assuming that some ungodly number of people were affected. This is compared to their 'overhyped' MS08-067, which was actually a huge deal and was widely exploited. Maybe Conficker itself was overhyped, but 067 affected Win2k up through 2008 and targeted a service that virtually all Windows hosts are running. There almost couldn't be a bigger security hole. Maybe it wasn't technically interesting, but there's no way it was "overhyped". That pretty much killed their credibility for me.

RedHat? (0)

Anonymous Coward | more than 5 years ago | (#28915201)

why does everybody think (or silently acknowledge) that this SSL trouble was caused by *RedHat*?
