Pwnie Award Nominee

Thu, 24 Jul 2008 12:36:06 GMT

Yesterday a friend of mine let me know that some of my BT Home Hub security research (details here and here) got nominated for the Pwnie Awards.

At first I thought "oh, that's cool", but then I learned the category my research had been nominated in: "Most Overhyped Bug". I had somewhat mixed feelings about whether or not I should be happy about it, but to be honest, there is nothing negative about their comments:

GNUCITIZEN and pagvac initiated a media blitz over this vulnerability which allows a malicious web page to use a CSRF attack to bypass authentication and modify the settings on the most popular home DSL router in the UK. This could allow a remote site to disable your firewall, modify your DNS server settings, or enable remote administration of your router. The bug was real, but it was accompanied by such a massive media campaign that it surely deserves a nomination.

Fair enough, it did receive a lot of media attention, but we did not actually PR these findings (believe it or not); we simply answered the questions the media sent us, mainly via email.
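To make the nomination text above concrete from the defender's side, here is an added example that is not code from the original post, from GNUCITIZEN or from the BT Home Hub firmware: a small Python model of a router admin endpoint where a session cookie alone authorises a settings change, next to a hardened handler that also demands a same-origin request and a per-session CSRF token. The router address, admin path, setting names and handler names are all assumptions constructed for the illustration.

```python
# Added example (not from the original post): a toy model of the authenticated-CSRF
# weakness described in the Pwnie nomination, next to a hardened handler.
# The router address, admin path and setting names are constructed for illustration.
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ADMIN_ORIGIN = "http://192.168.1.254"  # constructed LAN address of the router's admin UI
DEFAULT_SETTINGS = {"firewall": "on", "dns": "isp", "remote_admin": "off"}
ALLOWED_KEYS = set(DEFAULT_SETTINGS)


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict
    form: dict


def same_origin(header_value, expected=ADMIN_ORIGIN):
    """Compare scheme://host[:port] exactly; a prefix check would accept look-alike hosts."""
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == expected


@dataclass
class Router:
    sessions: dict = field(default_factory=dict)  # session id -> per-session CSRF token
    settings: dict = field(default_factory=lambda: dict(DEFAULT_SETTINGS))

    def login(self):
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def vulnerable_update(self, req):
        # Weak: the browser attaches the session cookie to any request, including one
        # submitted by a third-party page, so the cookie alone says nothing about
        # which page initiated the change.
        if req.cookies.get("sid") not in self.sessions:
            return 401
        self.settings.update({k: v for k, v in req.form.items() if k in ALLOWED_KEYS})
        return 200

    def hardened_update(self, req):
        sid = req.cookies.get("sid")
        if sid not in self.sessions:
            return 401
        if req.method != "POST":  # no state change via GET
            return 405
        source = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not same_origin(source):  # request initiated by a cross-site page
            return 403
        submitted = req.form.get("csrf", "")
        if not secrets.compare_digest(submitted, self.sessions[sid]):
            return 403  # a third-party page cannot read the token to include it
        self.settings.update({k: v for k, v in req.form.items() if k in ALLOWED_KEYS})
        return 200


def demo():
    """Replay one forged cross-site POST against both handlers, then one legitimate POST."""
    forged_form = {"firewall": "off", "remote_admin": "on"}  # constructed forged submission
    evil_headers = {"Origin": "http://attacker.example"}  # constructed third-party origin

    vulnerable = Router()
    sid, _ = vulnerable.login()
    v_status = vulnerable.vulnerable_update(
        Request("POST", "/cgi-bin/settings", {"sid": sid}, evil_headers, forged_form))

    hardened = Router()
    sid, token = hardened.login()
    h_status = hardened.hardened_update(
        Request("POST", "/cgi-bin/settings", {"sid": sid}, evil_headers, forged_form))
    after_forgery = dict(hardened.settings)

    legit_form = {"dns": "custom", "csrf": token}
    l_status = hardened.hardened_update(
        Request("POST", "/cgi-bin/settings", {"sid": sid}, {"Origin": ADMIN_ORIGIN}, legit_form))

    return {
        "vulnerable_status": v_status,
        "vulnerable_settings": dict(vulnerable.settings),
        "hardened_status": h_status,
        "hardened_settings_after_forgery": after_forgery,
        "legit_status": l_status,
        "hardened_settings_after_legit": dict(hardened.settings),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler accepts the forged request (200) and ends up with the firewall off and remote administration on; the hardened handler rejects the same request (403) and only honours the submission that carries the correct origin and token. Exact origin comparison matters: a `startswith` check against the admin address would also accept a host such as `192.168.1.254.attacker.example`.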

If you are not familiar with the Pwnie Awards, it's an informal ceremony organized by several well-known researchers that highlights the notable events of the past year in the infosec industry. This year is only the second edition of the awards. The ceremony is meant to be a bit humorous, poking fun at the infosec industry. The winners are actually announced during the BlackHat Vegas briefings. I will definitely do my best to attend the ceremony, as Alexander Sotirov told me I was invited. Sweet!

My favorite quote from the Pwnie Awards site is from the "Lifetime Achievement Award" category which states:

Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30.

Yeah, pretty lame awards. I wonder if they would list HDM as the lamest PoC stealer alive. Ah, I get ya, he runs that show, so who cares, eh. That's show--erm, security business. /rvdh