\ / _\/_
Pwnie awards .-'-. //o\ _\/_
-- / \ -- | /o\\
So, once again we find ourselves at that time. As I'm sure you've all been
awaiting eagerly I'll just get right to the point: it's time for the
annual Zero For 0wned pwnie awards!
We had so many people that were deserving of awards in so many categories
that we could go on for days. But that wouldn't be fair to you, the reader,
so we've just brought you the best of the best for your viewing pleasure.
Winners can send an acceptance speech to firstname.lastname@example.org.
Speaking of, none of last year's winners sent us a single acceptance speech!
Not a single one! So fuck all those guys, they're all a bunch of bitches
And now, our first category:
1. Biggest "Internet killing" bug (aka bug that was hyped _way_ too much)
Yeah, this category is all the rage now. Dan Kaminsky started it off with his
DNS bullshit, and then Anton Kapela and Alex Pilosov did BGP, and then there was
that TCP timing attack by Robert E. Lee and Jack Louis of Outpost24, along with
a few other attempts by some lame researchers to cash in on the trend.
Oh, these crazy times we live in! Since we here at ZF0 feel that Phrack
is past its prime and that gay bloggers are gay bloggers, ithilgore and
RSnake will *not* be considered for this award. Sorry Bobby, but I'm sure
that Grossman will be more than happy to suck your dick and make you feel
Anyways, I'm going to have to give this one to the Outpost24 guys. This is the
first time in recent memory that the entire "security community" had been
working hard to figure out a DoS attack. So congrats guys, I'm sure the DDoS
kiddies love you too. BTW, does anyone else think it's odd how shortly before
they were set to go public Jack Louis' house catches on fire and he dies of
smoke inhilation? Whoever did that I owe you a beer.
2. Least trustworthy whitehats
Well, discounting the fact that the entire security industry is a corrupt piece
of shit, we're going to have to give this award to Matasano. I mean really guys?
Posting the details of Dan's "Internet killing" DNS vulenrability before his
0day dropping talk? Not cool. I'm not sure how clients can trust you anymore.
Oh, and Halvar, you weren't supposed to be speculating on what the vuln was
in a public forum. Way to be a dick and not listen to the wishes of some
fat loser who hits himself (we love you Danny). Matasano gets extra
untrustworthy points for having dirty security practices on their server and
getting pwnt. That shouldn't be good for business.
3. Best blog
This is a very prestigious award and sought after award. The winner of this
award not only has to have good technical knowledge and literary skills, but
they need to be active enough to keep me coming back. Last year Matasano took
this award home (and never sent us an acceptance speech!) but this year it goes
hands down to xorl. xorl is a greek chap who runs xorl.wordpress.com, which is
good EVEN if sometimes he lazes out and pulls up a little short on analysis.
Hey, if it's good enough for Dave Aitel it's good enough for me! Speaking of
4. Biggest fail
There's a lot of people who nominated themselves for this award, but I figured
what the fuck, I can give this to whomever I please so I decided to go with
Dave Aitel here. Why Dave do you ask? Well, let me take you back to last year...
The date is August 6th, 2008. The location is Las Vegas Nevada, USA. The event
is none other than the crazy overpriced Blackhat USA conference. Yeah, it's
the *other* pwnie awards, you might have heard of them.
That night Dave Aitel presented an award for Mass 0wnage. Appropriately enough,
he mentioned our zine. However, he for the fucking name wrong. It's Z-*F*-0,
Dave. NOT Z-*D*-0. The 'F' is for 'For'. The only other retard to call us 'ZD0'
was Robert Lemos, and we all know how intelligent that chap is. So yeah, Dave,
we expect a full handwritten apology letter, a full subscription to CANVAS,
and naked pics of your wife Justine (hey, first rule of pr0j3kt m4yh3m as
according to ~el8; get their friends/family. We love you Dave. Really.). You
put yourself in a class with only one other man: Robert Lemos.
That cannot feel good. You can blame him and try to pass this on if you want,
but then you have to at least admit that you read Lemos' work. It's lose-lose.
5. Biggest masturbator
Once again, we've decided to present this award. For those of you who failed to
tune in to our awards last time, this is one of the biggest honors a person can
achieve, as it means they will *NEVER* have a sex life as they're too busy
hacking the living shit out of computers 24/7. Last year we had a few people
who unintentionally nominated themselves. This year the nominees were pretty
much the same, as only 1% of all "security professionals" actually do good
research, and the other 99% are complete retards who use Nessus as a baseline.
But we here at the Official Zero For 0wned Pwnie Awards Nomination And
Assignment Commission (ZF0PANAC -- pronounced "ZF0 panic") feel that
there's only one person who actually deserves this award, so without further ado
the award for biggest masturbator goes to Felix Linder (better known as FX)!
For those of you who missed it, FX gave a talk at CCC about generalizing Cisco
IOS explotation techniques across multiple IOS versions. It was actually
interesting enough that I sat through the whole thing. Congrats FX.
6. Biggest mailing list troll
With n3td3v off FD I was starting to get concerned with who would be keeping
up the long and valued Internet tradition of relentlessly trolling various
public discussion groups. Luckily, I didn't have long to worry as this fine
(alleged) woman was kind enough to step up and take on this responsibility
herself. Yes, I'm speaking of none other than Joanna Rutkowska. You may know
of him^H^Her from the Bluepill hype and all the other VM and hypervisor talks
and papers (s)he releases a few times annually. If not, well, you're not
missing much. The beauty of the situation is that most of the time, Joanna
doesn't even seem to realize that she's trolling lists like Daily Dave until
someone (who happens to have real talent) like Halvar Flake comes along and
tells her to shut the fuck up. So, Joanna, this one's for you.
Oh, and Joanna, we wanted to not only give you an award, but also leave you with
this to think about:
$ uname -a
Linux heze.lunarpages.com 2.6.9-78.0.22.ELsmp #1 SMP Thu Apr 30 19:14:39 EDT
2009 i686 i686 i386 GNU/Linux
$ grep invisi /etc/passwd
$ host invisiblethingslab.com
invisiblethingslab.com has address 126.96.36.199
$ /sbin/ifconfig | grep 188.8.131.52 | head -n 1
inet addr:184.108.40.206 Bcast:220.127.116.11 Mask:255.255.255.0
[DIR] WysiwygPro/ 10-May-2006 04:07 -
[TXT] about.html 18-Jul-2008 04:02 3k
[TXT] blog.html 07-May-2006 13:34 2k
[DIR] bluepillproject/ 13-Oct-2008 20:23 -
[DIR] cgi-bin/ 27-Aug-2005 02:10 -
[TXT] code.html 18-Jul-2008 04:03 6k
[TXT] contact.html 18-Jul-2008 04:03 2k
[TXT] events.html 18-Jul-2008 04:11 23k
[DIR] gallery/ 17-May-2006 02:36 -
[DIR] images/ 18-Jul-2008 04:03 -
[TXT] index.html 18-Jul-2008 04:02 5k
[DIR] invisiblethingslab/ 17-Jul-2009 07:41 -
[DIR] itl_ftp/ 26-Nov-2008 11:52 -
[TXT] joanna.asc 12-Feb-2008 12:57 4k
[TXT] newsarchive.html 10-May-2006 10:10 8k
[TXT] papers.html 18-Jul-2008 04:03 18k
[DIR] papers/ 04-Jan-2009 13:50 -
[DIR] priv/ 12-Aug-2007 07:11 -
[DIR] pub/ 05-Feb-2008 07:32 -
[TXT] robots.txt 04-Mar-2008 07:27 1k
[TXT] speaking.html 18-Jul-2008 04:06 5k
[TXT] style.css 18-Jul-2008 04:03 4k
[DIR] tools/ 04-Mar-2008 07:29 -
We sincerely hope you enjoy it, Joanna!
Anyways, that's all for tonight folks. Enjoy the rest of the production we have
for you, and have a good day.