LAS VEGAS. One of the highlights for me in any given year of the Black Hat security conference is the Pwnie awards. It’s a time for some good lighthearted fun, while still looking at some very serious problems — and making fun of those responsible for creating the problems and praising those who found them.
The Pwnie for the best client-side bug was a joint award to Pinkie Pie and Sergey Glazunov for the respective Google Pwnium flaws that they found earlier this year.
The best privilege escalation bug went to Bromium’s Rafal Wojtczuk for the Intel x64 sysret privilege escalation flaw. Wojtczuk detailed his flaw during a talk at Black Hat here today as well.
My favorite category, however, and the one that usually elicits the best audience response, is the Pwnie for the most epic fail. This award was given out by Metasploit creator HD Moore.
“You have to really screw up big time to win this,” Moore said.
The nominees included the entire anti-virus industry, LinkedIn for its breach of 6 million passwords, and application delivery controller F5. F5 had a static root SSH key, which in effect meant a single key was shared across all F5 customers.
The winner: F5.
Now, normally the winner of the epic fail category doesn’t show their face. This time it was different. An unnamed person from F5 came up to the podium to accept the award, and he even gave a few words of thanks.
“You got a bug with us, bring it to us. We want it,” the F5 winner said.
The final Pwnie was for the most epic 0wnage, and it went to the authors of Flame for their MD5 collision attack.
“Is the author of Flame in the audience?” Pwnie judge Dino Dai Zovi asked.
No one stood up.