Pwnie Award nominees finalized

Post » Tue Dec 06, 2011 5:27 am

It's the fifth year of the Pwnie Awards at the annual Black Hat conference, and I just thought you all might appreciate the nominees for the Epic Fail and Epic 0wnage awards.

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?

This award is to honor a person or company's spectacularly epic FAIL. And the nominees are:
  • Sony

    After Fail0verflow and GeoHot published how to jailbreak the PS3, Sony got a bit miffed. Apparently unfamiliar with how the Internet works and how difficult it is to remove the piss from a swimming pool, Sony proceeded to try to erase the information from the Internet and sue GeoHot et al. into oblivion. Needless to say, this was about as successful as the MiniDisc.

  • Sony

    Speaking of piss in a swimming pool, that just happened to be how well Sony protected their Sony Online Entertainment (SOE) users' account info and roughly 25 to 77 million account details were stolen by unknown hackers. That metaphor makes just about no sense at all, but you get the point: FAIL.

  • Sony

    Sony is definitely good at one thing: keeping the hits coming and their fans entertained. Oh wait, did we say Sony? We meant LulzSec. I guess that counts as another FAIL for Sony.

  • Sony

    After learning the hard way that their PlayStation Network was about as porous as air, Sony had to shut it down for over two months to rebuild it from scratch. In doing so, they made everyone from your 8-year old cousin to your barber learn about the importance of security. Hooray for us, sorry Sony shareholders.

  • Sony

    Noticing a pattern here? But wait, it gets better. Sony might have been able to better repel the multitude of attacks if they hadn't just recently laid off a significant number of their network security team. Great timing, guys.



Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.
  • Anonymous for hacking HBGary Federal

    If you have an externally-facing crappy custom CMS where you use the same password as your Google Apps administrator account, you probably don't want to go picking fights with any one hacker, let alone an angry swarm of them. As it turns out, HBGary Federal did just that, and Anonymous delivered exactly 1.21 giga-owws to them.

  • LulzSec for hacking everyone

    LulzSec provided many Lulz for all the hackers and security professionals around the world. They have attacked Fox News, PBS, Nintendo, pron.com, the NHS, Infraguard, the US senate, Bethesda, Minecraft, League of Legends, The Escapist magazine, EVE online, the CIA, The Times, The Sun; all the while generating a media fiasco and evading law enforcement.

  • Bradley Manning and Wikileaks

    Bradley Manning (allegedly) and Wikileaks were instrumental in an international incident of massive proportions, embarrassing governments around the world. And all this was caused by a Lady Gaga CD.

  • Stuxnet

    How many centrifuges did your rootkit destroy? How many national nuclear programs did your worm disrupt? How many 0day exploits and rootkits for equipment that no one has ever heard of have you written? Exactly.



Deciding who deserves the Epic Fail award this year is gonna be tough, and seeing who goes on stage to pick up the epic 0wnage award should definitely be interesting considering ~60%+ of the attendees are federal employees :P

http://pwnies.com/nominations/
Siobhan Wallis-McRobert

Post » Tue Dec 06, 2011 12:53 am

WHAT? I didn't even get nominated for an award? <_<
SWagg KId

Post » Tue Dec 06, 2011 3:25 pm

Stuxnet should win hands down. The other guys only did SQL injections.
Juliet

Post » Tue Dec 06, 2011 2:21 am

Stuxnet should win hands down. The other guys only did SQL injections.

Bradley Manning allegedly did some great social engineering, which I'm always fond of personally.

But yeah, I want it to be Stuxnet, just so the mystery of who created it will be revealed when the author does [not] pick up the award.

For those unfamiliar with Stuxnet, here's a great video on it: http://vimeo.com/25118844

Edit: Man, I won't be winning any spelling bee contests today apparently.
Samantha Mitchell

Post » Tue Dec 06, 2011 9:29 am

Stuxnet should win hands down. The other guys only did SQL injections.

this.

stuxnet is a work of art... :bowdown:

unless you know anyone cooking wormcode with embedded plc rootkits?
Lauren Graves

Post » Tue Dec 06, 2011 3:24 pm

I nominate the pwnie award for the epic fail.

seriously? they're applauding LulzSec?
jenny goodwin

Post » Tue Dec 06, 2011 2:58 pm

I nominate the pwnie award for the epic fail.

seriously? they're applauding LulzSec?

Applauding is the wrong word, they acknowledge their mass exploiting. The 0wnage award has gone to various groups in the past, both on the criminal and non-criminal side. You could say that whatever or whoever wins it is basically acknowledged as being the biggest threat or problem at the current time to computer/network security.

The conference is attended by hackers, pen testers, security consultants, security vendors, FBI cyber-crime, DOD members, and countless security experts.

What happens in the conference could easily be misinterpreted as "evil" (and undoubtedly in some cases is indeed evil): people leave and spread USB drives infected with malware like Conficker all over the place, they take over access points, they do ARP poisoning attacks, they redirect web traffic, strip out SSL, and countless other things. It's all (well, almost all, there are black hats in the mix, after all) to make it clear just how bad it is to be complacent in cyber security and how sometimes it can be just incredibly easy to cause damage in one kind or another to your computers or network.
Terry

Post » Tue Dec 06, 2011 2:01 am

I fail to see how that makes them better in any way.
John Moore

Post » Tue Dec 06, 2011 4:31 am

I fail to see how that makes them better in any way.

these are [mostly] the guys that secure our systems. If they can be compromised easily, we have problems. The people going there make our antivirus, lock down our networks, and everything. Generally only a few fall victim to much, exploits are caught fast and removed.

This thing really isn't for the faint of heart, and really only designed for those in the industry: the cost to go to Black Hat is $1500 if you get it early, otherwise it goes to above $2k for a ticket. Then it's an additional $1000+ for the training panels.

You could say all the antics that go on are an initiatory action to see how good you are at your job.

To get the point across at how good these guys are: someone accidentally targeted them with a fake ATM machine, and it was found out very fast (http://www.pcworld.com/businesscenter/article/169469/fake_atm_doesnt_last_long_at_hacker_meet.html). Note it wasn't Black Hat, it was DEF-CON, Black Hat's more enthusiast-friendly hacker sister convention (same people run both)

If you still don't understand how this all makes things better: the only way to make things better is to find the breaking point of the current things and fix it. That's what happens at Black Hat. Live testing (which is all the craziness and "evil" I've described so far) goes on at the conference, training on how to stop it also goes on, panels on the newest exploits and how to fix them happen as well.

If you still don't like it, I'll just tell you it's a hacker/security convention, you weren't meant to understand it :P
Melanie

Post » Tue Dec 06, 2011 2:08 am

If you still don't understand how this all makes things better: the only way to make things better is to find the breaking point of the current things and fix it. That's what happens at Black Hat. Live testing (which is all the craziness and "evil" I've described so far) goes on at the conference, training on how to stop it also goes on, panels on the newest exploits and how to fix them happen as well.

If you still don't like it, I'll just tell you it's a hacker/security convention, you weren't meant to understand it :P


Well naturally that's why I put "I fail" but I think I do understand a little better now. More or less Black Hat by what you're saying is essentially fighting fire with fire.
But I am not going to rant against this whole thing as I only know about it via your posting, it just annoyed me how they talked about LulzSec as if LulzSec was somehow meaningful or that their acts were philanthropic in some way as opposed to a group of hackers randomly attacking people for their own selfish reasons.
JAY

Post » Tue Dec 06, 2011 9:22 am

Stuxnet should win hands down. The other guys only did SQL injections.

This, but I do chuckle a little whenever I hear about a good ol Bobby Tables attack.

http://xkcd.com/327/

-snip-

I've heard it's a bad idea to bring your cellphone to these kinds of events :P
Cool Man Sam
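The "Bobby Tables" strip linked above is a stacked-query SQL injection. The following is an added example for this thread, not code from any of the posters, run against Python's sqlite3 on a constructed Students table; the table contents, the two payloads and the helper names are my own assumptions. It shows the string-built INSERT dropping the table, the string-built SELECT leaking every row to a tautology payload even when only one statement is allowed, and the parameterised versions treating the same strings as plain data.

```python
import sqlite3

# Constructed inputs for the demonstration (not from the thread).
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"   # the xkcd 327 payload
TAUTOLOGY = "' OR '1'='1"                            # always-true WHERE clause


def fresh_db():
    """In-memory database with a small constructed Students table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO Students (name) VALUES ('Alice'), ('Bob');"
    )
    return conn


def table_exists(conn, table):
    """True if `table` is still present in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
        (table,),
    ).fetchone()
    return row[0] == 1


# --- vulnerable: user input spliced into the SQL text ----------------------

def add_student_vulnerable(conn, name):
    """INSERT built by concatenation. executescript() runs every statement
    in the string, so a quote in `name` closes the literal and the rest of
    the payload executes as SQL. (sqlite3's execute() refuses stacked
    statements; many other drivers do not, and executescript() behaves
    like those.)"""
    sql = "INSERT INTO Students (name) VALUES ('" + name + "')"
    conn.executescript(sql)


def lookup_vulnerable(conn, name):
    """SELECT built by concatenation. A single statement is enough to leak
    data: the tautology payload turns the WHERE clause into
    name = '' OR '1'='1', which matches every row."""
    sql = "SELECT name FROM Students WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


# --- fixed: parameterised statements ----------------------------------------

def add_student_safe(conn, name):
    """The driver binds `name` as a value; its quotes and semicolons are data."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def lookup_safe(conn, name):
    return [row[0] for row in conn.execute(
        "SELECT name FROM Students WHERE name = ?", (name,))]


# --- scenarios, each on a fresh database ------------------------------------

def demo_stacked_query():
    """Whether Students survived the Bobby Tables INSERT (it does not)."""
    conn = fresh_db()
    add_student_vulnerable(conn, BOBBY_TABLES)
    return table_exists(conn, "Students")


def demo_tautology():
    """What the string-built lookup leaks: every student name."""
    conn = fresh_db()
    return lookup_vulnerable(conn, TAUTOLOGY)


def demo_parameterised():
    """Same payloads through parameterised statements: table intact, the
    tautology matches nothing, and Bobby is stored as a literal name."""
    conn = fresh_db()
    add_student_safe(conn, BOBBY_TABLES)
    return (table_exists(conn, "Students"),
            lookup_safe(conn, TAUTOLOGY),
            lookup_safe(conn, BOBBY_TABLES))


if __name__ == "__main__":
    print("table survives string-built INSERT:", demo_stacked_query())
    print("rows leaked by string-built SELECT:", demo_tautology())
    print("parameterised (exists, tautology rows, bobby rows):",
          demo_parameterised())
```

Python's sqlite3.execute() refusing a second statement is a driver quirk, not a defence: the tautology payload needs only one statement, and other database drivers happily run stacked queries. The fix is the same either way, bind values with placeholders and never build SQL text from input.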

Post » Tue Dec 06, 2011 7:55 am

Well naturally that's why I put "I fail" but I think I do understand a little better now. More or less Black Hat by what you're saying is essentially fighting fire with fire.
But I am not going to rant against this whole thing as I only know about it via your posting, it just annoyed me how they talked about LulzSec as if LulzSec was somehow meaningful or that their acts were philanthropic in some way as opposed to a group of hackers randomly attacking people for their own selfish reasons.

You'd have to understand the hacker subculture to understand it any better probably. Otherwise the best I can offer you is that the Pwnie Award descriptions can be highly sarcastic. I thought that'd be clear by Sony being the only nominee for the FAIL award, but you can look at previous years if that isn't clear. McAfee last year was almost nominated for both Epic Fail and Epic 0wnage for destroying thousands of corporate workstations with an update that flagged Windows system files as malware. Microsoft Windows Vista was nominated for Epic Fail for being "too secure for its own good" (a remark on how consumers hate UAC despite UAC being a security feature).

If you want further insight, you can watch the documentary http://video.google.com/videoplay?docid=-5112548212809281320

I've heard it's a bad idea to bring your cellphone to these kinds of events :P

http://www.youtube.com/watch?v=TzR7R6fBr00 -- Bet you didn't know you could do that with GSM ;)
Rowena

Post » Tue Dec 06, 2011 9:00 am

Well naturally that's why I put "I fail" but I think I do understand a little better now. More or less Black Hat by what you're saying is essentially fighting fire with fire.
But I am not going to rant against this whole thing as I only know about it via your posting, it just annoyed me how they talked about LulzSec as if LulzSec was somehow meaningful or that their acts were philanthropic in some way as opposed to a group of hackers randomly attacking people for their own selfish reasons.

LulzSec did make many people (and companies I assume) reconsider their security. So while what they do is bad, some of the after effects are good.
lisa nuttall

Post » Tue Dec 06, 2011 2:47 pm

LulzSec did make many people (and companies I assume) reconsider their security. So while what they do is bad, some of the after effects are good.


not saying their actions did not make people take security more seriously, but that doesn't mean I would go as far as saying that justified their actions. or in the least that they should be commended in any way.
Andy durkan

Post » Tue Dec 06, 2011 12:55 am

not saying their actions did not make people take security more seriously, but that doesn't mean I would go as far as saying that justified their actions. or in the least that they should be commended in any way.

I think you should just take it with a grain of salt. It's most likely not 100% super serious.
Keeley Stevens

Post » Tue Dec 06, 2011 5:00 am

Pwnie awards? Epic 0wnage??

:facepalm:
Taylor Thompson

Post » Tue Dec 06, 2011 12:32 am

LulzSec did make many people (and companies I assume) reconsider their security. So while what they do is bad, some of the after effects are good.


I really find this war of ideals, as I'd call it, funny. You've basically got two sides. The side that is very optimistic about human nature in general and is very slack about security and such because they in the base do not suspect people to do bad things. Then you've got the side that is pessimistic about human nature who think the best way to tear down the optimism of the former group is to become the very kind of people they are pessimistic about other people being like.

I myself tend to lean towards the former group, I myself would never intentionally harm anyone in any form or manner, even if it's only virtually (granted in this age of the Silicon there is nothing "only" about our virtual property), so of course I'd like to think other people would keep the same ideals and honestly if no one plays a crook then what is the point of security?

Honestly we've all heard sayings like "Once bitten, twice shy","the burnt child dreads the fire","a wet cat avoids the rain". But some people try to force those lessons upon people in their weird twisted way, not doing too much harm but still doing some damage in hopes that people will start to share their pessimism for other people and up all of their security to a point where they metaphorically spend their days sitting in a chair with a cocked gun aimed at the front door.

Both parties have their point, people are not all good like the optimistic group would like to believe but neither are people all that bad like the pessimistic group would like to believe. It is very rare to meet people who would truly aspire to do bad things for selfish reasons or simply for the sake of being bad, and those people who fit that criteria that I've met in person could be counted on the fingers of a single hand.

Anyway as I like to count myself leaning further on the optimistic side of the scale than the pessimistic side I can't say I appreciate hackers who bring chaos just to make a point, but I can say I do understand the line of thinking behind it, even if I don't really agree with it.
Deon Knight

Post » Tue Dec 06, 2011 11:50 am

I wonder what sony's chances are on getting the epic fail award? :whistling:
Sam Parker

Post » Tue Dec 06, 2011 2:08 am

Stuxnet should win hands down. The other guys only did SQL injections.


^

Stuxnet has been heralded as one of the first "Cyber Cruise Missiles" and I'm betting it will lay the foundation for more dangerous viruses, worms, trojans, etc. LulzSec is a joke from articles I've read where they are just a bunch of script kiddies. However that group of "Script Kiddies" managed to take down Sony which just proves how piss poor Sony's security was at that time. Heard a rumor that they were using 64bit encryption technology while the current standard is 128 to 256bit at least.

If those Anonymous and LulzSec guys want to impress me they need to attack China or get the you know what out.
Laura Simmonds

Post » Tue Dec 06, 2011 4:04 pm

http://pwnies.com/winners/

Sony won Epic Fail (big surprise), and Stuxnet won Epic 0wnage

Also from the conference: http://www.cio.com/article/687231/A_Power_Plant_Hack_That_Anybody_Could_Use?page=1&taxonomyId=3045. Apparently one of the writers of the Siemens firmware decided to include a backdoor that would give them remote shell access to the system. It's never been removed and applies to almost all Siemens S7 computers.

http://www.cio.com/article/687215/Black_Hat_Hackers_and_Crackers_Needed_to_Counter_Terrorists Even trying to woo those who are potentially members of LulzSec and Anonymous with the line "This is my first Black Hat. We are legion."
Adam Kriner

Post » Tue Dec 06, 2011 9:46 am

http://pwnies.com/winners/

Sony won Epic Fail (big surprise), and Stuxnet won Epic 0wnage

Also from the conference: http://www.cio.com/article/687231/A_Power_Plant_Hack_That_Anybody_Could_Use?page=1&taxonomyId=3045. Apparently one of the writers of the Siemens firmware decided to include a backdoor that would give them remote shell access to the system. It's never been removed and applies to almost all Siemens S7 computers.

http://www.cio.com/article/687215/Black_Hat_Hackers_and_Crackers_Needed_to_Counter_Terrorists Even trying to woo those who are potentially members of LulzSec and Anonymous with the line "This is my first Black Hat. We are legion."


After reading this I agree with Stuxnet winning.

For anyone who still doesn't know how Stuxnet was used this is a pretty good read (even if it does read like the Reader's Digest at times). http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/1

I have to admit I didn't know anything about it till reading this article about twenty minutes ago, thought I found something new to post but did a search for Stuxnet first and well .... I'm late as usual :blush2:
TIhIsmc L Griot