Friday, August 8, 2014

My Little Pwnie Awards

All work and no play makes your average CISSP security d00d a dull boy. Or girl. So once a year the community gathers to celebrate the most righteous pwnage seen over the last 12 months. It's that time of year again, when the Black Hat Briefings security conference shows off the greatest security research (this year sadly without me).

Still, the Pwnie Awards bring some retrospective and, yes, humor to a field that sometimes seems to be nothing but a vale of tears.  And so with no further ado, this year's bleeding turkeys, hung on display for your amusement and edification:
Best Server-Side Bug: (Surprise, surprise) Heartbleed, credited to Neel Mehta and Codenomicon. Heartbleed is probably the most famous security trouble of the year, and it brought a lot of unwelcome attention to the OpenSSL code that most of the Internet's SSL/TLS deployments depend on (the bug was in OpenSSL's heartbeat handling, not in the protocol itself). Although Mehta and Codenomicon were lauded for finding the problem, the open-source community was nominated for the Pwnie for "Most Epic Fail," since the flaw had been shipping for two years before anyone noticed.
I actually think this deserves a bigger award than that. Heartbleed is probably the worst security bug I've ever seen, and I've seen literally thousands of them over twenty years or so. Epic, epic, epic fail (Pwnie Awards fail?).
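Since the post only says what Heartbleed was, here is what the bug actually looked like, as an added illustration written for this page (it is not OpenSSL's code and not part of the original post). A TLS heartbeat request carries a two-byte, attacker-chosen payload length; the server built its response by copying that many bytes out of its own memory without checking that the request it had received was actually that long. The message layout follows RFC 6520; the `process_memory` arena, the planted secret string and all function names are this example's own constructions, and the `hardened` branch shows the shape of the check the fix added (claimed length plus header and padding compared against the record's real length).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout from RFC 6520:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * The payload_length field in a request is attacker-controlled. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": the received record sits at the front and
 * is followed by data the peer must never see. Keeping both in one array
 * means the over-read below stays inside a single object, so the demo is
 * defined behaviour; on a real server the bytes after the record are
 * whatever the heap happens to hold. */
static unsigned char process_memory[128];
static const char secret[] = "-----BEGIN PRIVATE KEY-----";

/* Write a heartbeat request into process_memory. real_payload_len is how
 * many payload bytes are really present; claimed_len is what the attacker
 * puts in the length field. Returns the record's true length. */
static size_t build_request(uint16_t claimed_len, size_t real_payload_len)
{
    unsigned char *p = process_memory;
    memset(process_memory, 0, sizeof process_memory);
    p[0] = HB_REQUEST;
    p[1] = (unsigned char)(claimed_len >> 8);
    p[2] = (unsigned char)(claimed_len & 0xff);
    memset(p + 3, 'A', real_payload_len);               /* the real payload */
    size_t rec_len = 3 + real_payload_len + HB_PADDING; /* padding left as zeros */
    memcpy(process_memory + rec_len, secret, sizeof secret); /* "heap" after the record */
    return rec_len;
}

/* Build the heartbeat response into out. Returns bytes written, or 0 if
 * the request is rejected. With hardened == 0 the copy trusts the claimed
 * length (the Heartbleed pattern); with hardened == 1 the claimed length
 * is first checked against the bytes actually received. */
static size_t handle_heartbeat(const unsigned char *rec, size_t rec_len,
                               unsigned char *out, size_t out_cap, int hardened)
{
    if (rec_len < 3)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The missing check: header + claimed payload + padding must fit in
     * the record that was really received. Silently drop it otherwise. */
    if (hardened && 1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;

    size_t resp_len = 3 + payload_len + HB_PADDING;
    if (resp_len > out_cap)          /* demo-only bound on the reply buffer */
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len); /* over-reads rec when payload_len lies */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Send a request that claims claimed_len payload bytes but carries only 4.
 * Returns 1 if the response echoes the start of `secret`, else 0. */
int heartbeat_leaks_secret(uint16_t claimed_len, int hardened)
{
    unsigned char response[256];
    size_t rec_len = build_request(claimed_len, 4);
    size_t n = handle_heartbeat(process_memory, rec_len,
                                response, sizeof response, hardened);
    if (n == 0)
        return 0;
    for (size_t i = 3; i + 5 <= n; i++)   /* scan the echoed payload */
        if (memcmp(response + i, secret, 5) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("claimed 4,  real 4, unchecked: leak=%d\n", heartbeat_leaks_secret(4, 0));
    printf("claimed 60, real 4, unchecked: leak=%d\n", heartbeat_leaks_secret(60, 0));
    printf("claimed 60, real 4, hardened : leak=%d\n", heartbeat_leaks_secret(60, 1));
    return 0;
}
```

The honest request (claimed 4, real 4) behaves the same either way; the lying request leaks the planted secret through the unchecked path and is dropped by the hardened one. The two-byte length field is what made the real bug so bad: each request could pull up to 64 KB of whatever sat next to the record in the server's heap, with no trace in the logs.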
Lamest Vendor Response: AVG, saying that a software weakness was "by design" and therefore not a vulnerability. This offense even beat out another nominee: "Daniel" from Open Cert who replied to a researcher's request for the appropriate email address for vulnerability disclosures, with "it was not ignored dick head why lie! are you a professional or not? professionals don't need to lie to prove a point they use facts!"
Heh. I'm going a bit out on a limb here, but it seems like calling someone who's reporting a security bug in your product a "dick head" is the express lane to Internet fame. Just a guess, though. But mad props to the AVG support team for bringing the definitive "arrogant junior engineer" dismissiveness. Yeah, we meant to do that stupid thing you're talking about. Totally. Amirite?

Others at the link.  And there's this song, too, which is totally how Security rolls, yo.



They in the dark 'cos they got no intrusion detection ...

Win.

7 comments:

  1. This comment has been removed by a blog administrator.

  2. No kidding. My email spam has jumped a LOT in the past few months. Somebody must have spun up a new botnet.

    Speaking of network vermin, can you recommend a browser that 1) isn't Chrome, and 2) can be configured to use a proxy without having to change IE's proxy settings?

  3. Dave, you looked at Opera? I haven't looked at their proxy settings so I can't directly answer your question, but I've liked their stuff in the past.

  4. Yes, I looked at Opera but when you open the network settings it just opens IE's Internet Options dialog. Firefox is the same.

    Oh, I just remembered Safari. I'll give that a try.

  5. If you're running a reasonable operating system or a reasonable mail tool, visit okean.com to get some lists of IP addresses of "known" spam generators. I installed this list in both iptables and postfix and saw an immediate decrease in spam.

    And it has been reduced even further as I have added additional IP addresses from spam headers to that list.

    Just a thought. YMMV, of course.

