Pwnie Awards 2017

Nominees for the Pwnie Awards 2017

Pwnie for Best Server-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

  • CVE-2016-6309

    Credit: @robertswiecki

    The only 'critical' bug in OpenSSL to get a CVSS score of 10. This is a use-after-free bug, triggered pre-auth during the TLS handshake, allowing remote code execution. The bug was introduced by a fix for a previous (low severity) bug, resulting in OpenSSL releasing an emergency update right after their regular update. Most websites use OpenSSL.

  • CVE-2017-0143, 0144, 0145

    Credit: NSA's Equation Group (?)

    These vulnerabilities allow arbitrary remote command execution on Microsoft Operating Systems running the SMB file sharing protocol, which is pretty much all MSFT systems. The vulnerabilities became known as a result of the Shadow Brokers release of (allegedly) the NSA's ETERNAL* exploits, which include variations for different OS versions and functions. Multiple ransomware platforms have taken advantage of these vulnerabilities, causing Microsoft to release patched for unsupported systems such as Windows XP.

  • Cloudbleed

    Credit: Tavis Ormandy

    Random PII on the internet. During a fuzzing project Tavis discovered a bug in one of Cloudflare's HTML parsers, that would cause Cloudflare's edge servers to return random memory dumps in HTTP responses. These data dumps including consumer emails, encryption keys, and other private information - information that was in turn cached by other search engines. This vulnerability affected all cloudflare customers.

  • CVE-2017-0290

    Credit: Natalie Silvanovich and Tavis Ormandy

    Described by Tavis as "the worst windows remote code execution", this bug allowed remote code execution on any system running Microsoft WinDefender, which is available by default and is ironically is supposed to defend against malware. Google's report stated that "vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service". The engine runs as SYSTEM and is not subject to any sandboxing. It is accessible remotely via a number of critical, ubiquitous Windows services, including Exchange and the IIS web server. The vulnerability lies in the underlying x86 integrator, and can be exploited by submitting a specially crafted file, such as an email, for parsing by the engine. The file does not need to be displayed in order for the vulnerability to be exploited. Shortly after dealing with the ETERNAL* exploits and Wannacry, this vulnerability caused Microsoft to issue an emergency patch just 48 hours after it was disclosed to them.

  • CVE-2017-5689

    Credit: Maksim Malyutin

    An authentication bypass vulnerability affecting just about every Intel server with AMT, ISM or Intel Small Business technology enabled, allowing unprivileged network attackers to gain system privileges (where AMT has been provisioned). This is notable because AMT provides the possibility to remotely control a computer even if when powered off. Packets sent to ports 16992 or 16993 are redirected through Intel's Management Engine (a small, separate processor independent of the main CPU) and passed to AMT. Patch rollouts are expected to be slow, as while it is Intel's responsibility to develop the patches (which it has done), it is not Intel's responsibility to deliver them. That's down to the device manufacturers and OEMs; and it is generally thought that not all will do so.

  • CVE-2016-6432

    Credit: Slipper and Kelwin (@KelwinYang)

    A buffer overflow vulnerability in the Identity Firewall feature of Cisco Adaptive Security Appliance software before 9.6(2.1) allows unauthenticated, remote code execution. The Cisco ASA Identity Firewall feature is enabled by default but requires NetBIOS probing to be enabled (disabled by default). Attackers can exploit this vulnerability by sending a crafted NetBIOS packet in response to a NetBIOS probe sent by the ASA software.

Pwnie for Best Client-Side Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.

  • Microsoft Office OLE2Link URL Moniker/Script Moniker (CVE-2017-0199)

    Credit: Ryan Hanson, Haifei Li, Bing Sun, Unknown Hackers

    In an instance of parallel discovery, two different flaws were identified in how Microsoft Office handles linked OLE objects. CVE-2017-0199 refers to both issues, the first related to the URL Moniker, which can be used to load arbitrary HTA payloads via OLE (and RTF) documents, and the other to the Script Moniker, which can be abused in PowerPoint documents via custom actions. Haifei Li reported the Script Moniker vector and Ryan Hanson the URL Moniker while an unknown party was actively exploiting the URL Moniker issue with spear phishing attacks.

    These bugs were interesting from a timing perspective (at least three different folks discovering them in parallel) and due to the fact that they were perfectly effective against Windows 10 and Office 2016, bypassing all memory-based attack mitigations. Since the publication of these issues, both vectors have become favorites of penetration testers and random blackhats alike.

    Haifei Li & Bing Sun's presentation at the SYSCAN360 Seattle conference pointed out that Microsoft's patch may not be complete, as it blacklists two COM controls, but exploitable may be possible through third-party controls instead.

  • Compromising Linux using SNES Sony SPC700 Processor Opcodes (CESA-2016-0012 & CESA-2016-0013)

    Credit: Chris Evans

    In a follow-up to his work on compromising Linux through NES emulator 6502 opcodes, Chris Evans explores and exploits a subtle emulation error in the Super Nintendo audio coprocessor emulator of gStreamer, leading to 100% reliable drive-by attacks against Fedora 25 and Google Chrome. In addition to gStreamer on Fedora, the primitives supported by these vulnerabilities allow for reliable exploitation of the nome-video-thumbnailer and totem applications on Ubuntu Linux. Is it finally the year of Linux Desktop 0-day?

  • Chrome OS exploit: One Byte Overflow and Symlinks

    Credit: Anonymous

    An anonymous researcher presented a chain of vulnerabilities that led to a full compromise of Google ChromeOS, starting with a single-byte overflow in the C-ARES DNS library. The path to root was complicated, weird, and beautiful.

  • Project Zero vs Malware Protection Service ( CVE-2017-0290, CVE-2017-8538, CVE-2017-8540, CVE-2017-8541, CVE-2017-8558 )

    Credit: Tavis Ormandy, Natalie Silvanovich, Mateusz Jurczyk (j00ru), Junghoon Lee (lokihardt), Ian Beer

    Windows 8 and newer have a Malware Protection service that runs in the background with SYSTEM privileges, unsandboxed, and parses all files written to disk with no user interaction, in a plethora of different file formats. After Tavis Ormandy discovered the scary and easily accessible attack surface and ported the component to Linux, he and other members of P0 proceeded to identify and report a number of critical RCE vulnerabilities. These included bugs in the parsing of executable files, the x86 emulation layer, and a number of serious issues in the internal Javascript interpreter.

  • Pwning the Nexus ( CVE-2016-5197, CVE-2016-5198

    Credit: Qidan He (@flanker_hqd), Gengming Liu (@dmxcsnsbh)

    During the 2016 CanSecWest Mobile Pwn2Own competition, KeenLab combined three vulnerabilities into a full exploit chain against Android Nougat. A remote exploit against Chrome was followed by a sandbox escape in Chrome's Intent parsing, allowing them to (jump from a sandboxed context to arbitrary application installation](].

Pwnie for Best Privilege Escalation Bug

Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.

  • x86: broken check in memory_exchange() permits PV guest breakout (CVE-2017-7228)

    Credit: Jann Horn

    Vulnerabilities like this one don't exactly make us feel a calm state of enlightement when running the Xen hypervisor, especially when they are so skillfully exploited to run shell commands in every VM on the same host. It might be time to rename the Xen Hypervisor to the ThisIsFine Hypervisor.

  • task_t considered harmful - many XNU EoPs (CVE-2017-9***)

    Credit: Ian Beer

    you cannot hold or use a task struct pointer and expect the euid of that task to stay the same.
    Many many places in the kernel do this and there are a great many very exploitable bugs as a result.

    When Ian can't even be bothered to grep for all of the instances of a bug, you might have a problem.

  • Drammer: Deterministic Rowhammer Attacks on Mobile Platforms

    Credit: Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida

    Mobile computing row hammer attacks (MC Hammers, for short) are terrifying. You can't touch them and can only hope that, please, they won't hurt you.

  • Blitzard (CVE-2016-1815)

    Credit: Qidan He

    It's never to early to talk to your children about the dangers of blit. The helpful researchers at KeenLab have prepared an illustrated guide to some of the dangers of blit that can help with this potentially awkward, yet very important conversation.

  • xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (CVE-2017-7184)

    Credit: slipper from ChaitinTech

    At this year's Pwn2Own, a fully patched Ubuntu desktop was compromised via this Linux privilege escalation showing that even Slashdot readers aren't safe from staged exploit contests.

Pwnie for Best Cryptographic Attack (new for 2016!)

Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems, protocols, or algorithms. This isn't some academic conference where we care about theoretical minutiae in obscure algorithms, this category requires actual pwnage.

  • Critical vulnerability in JSON Web Encryption (JWE) - RFC 7516

    Credit: Antonio Sanso and Quan Nguyen

    RFC 7516 aka JSON Web Encryption (JWE) hence many software libraries implementing this specification used to suffer from a classic Invalid Curve Attack. This would allow an attacker to completely recover the secret key of a party using JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES), where the sender could extract receiver's private key.

  • Flip Feng Shui: Hammering a Needle in the Software Stack

    Credit: Kaveh Razavi, Ben Gras, Erik Bosman, Bart Preneel, Cristiano Giuffrida, Herbert Bos

    We introduce Flip Feng Shui (FFS), a new exploitation vector which allows an attacker to induce bit flips over arbitrary physical memory in a fully controlled way. FFS relies on hardware bugs to induce bit flips over memory and on the ability to surgically control the physical memory layout to corrupt attacker-targeted data anywhere in the software stack. We show FFS is possible today with very few constraints on the target data, by implementing an instance using the Rowhammer bug and memory deduplication (an OS feature widely deployed in production). Memory deduplication allows an attacker to reverse-map any physical page into a virtual page she owns as long as the page's contents are known. Rowhammer, in turn, allows an attacker to flip bits in controlled (initially unknown) locations in the target page.

    We show FFS is extremely powerful: a malicious VM in a practical cloud setting can gain unauthorized access to a co-hosted victim VM running OpenSSH. Using FFS, we exemplify end-to-end attacks breaking OpenSSH public-key authentication, and forging GPG signatures from trusted keys, thereby compromising the Ubuntu/Debian update mechanism. We conclude by discussing mitigations and future directions for FFS attacks.

  • The first collision for full SHA-1

    Credit: Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov

    The SHAttered attack team generated the first known collision for full SHA-1. The team produced two PDF documents that were different that produced the same SHA-1 hash. The techniques used to do this led to an a 100k speed increase over the brute force attack that relies on the birthday paradox, making this attack practical by a reasonably (Valasek-rich?) well funded adversary. A practical collision like this, moves folks still relying on a deprecated protocol to action.

Pwnie for Best Backdoor

Awarded to the researchers who introduced or discovered the most subtle, technically sophisticated, or impactful backdoor in widely used software, protocols, or algorithms.

  • M.E.Doc

    Credit: Totally Not Russia

    To prepare their taxes, folks the world over install janky software developed for a captive market of their nation's tax laws. In Ukraine, accountants who installed M.E.Doc received a backdoor in the gig and a half of their full installation. The backdoor used M.E.Doc's own servers for command and control, allowing the network operator to target commands to publicly known tax identification numbers! And yes, this is the alleged patient zero for the NotPetya ransomware that appeared in June, just before Ukraine's Constitution Day.

  • SonicWall GMS Backdoor

    Credit: Dell Software

    SonicWall's GMS is a central policy management solution for managing your security appliances. Among other hilarious bugs, it included backdoor accounts UT000000000000, UT123456789100, UT123456789200, and UT123456789300. Each of these has a default password of "password," and the first just happens to have the authority to add new user accounts!

  • SUN8I_ROOT_DEVICE / rootmydevice

    Credit: AllWinner

    The H3, A83T, and H8 variants of Linux 3.4 from AllWinner included a handy little backdoor where writing "rootmydevice" to /proc/sunxi_debug/debug would elevate your process to root. Happily, this was silently fixed with a patch that makes the feature configurable, so be on the lookout for SUN8I_ROOT_DEVICE in your ARM kernel configurations!

Pwnie for Best Branding

Sometimes the most important part of security research is how you market and sell the vulnerability you discovered. Who cares how impactful the actual vulnerability is, what matters is how sweet your logo turns out!

  • RingRoad

    Credit: Robert Morton, Austin Klasa, Daniel Sokoler

    Best bug branding or most overhyped? Both. Symmetric-encrypted data in QUIC reveals the length of the data underneath, so you can potentially deduce password lengths. This bug definitely deserves it's own branding.

  • GhostButt

    Credit: Atlassian Security Team

    Ghostbutt (CVE-2017-8291) has it all, a website, a clever logo, made even cleverer byhaving the logo be the exploit and, of course, the use of the -butt suffix (ala threatbutt), . It doesn't have a online store, but[t] it does have a song.

  • DirtyCOW

    Credit: Unknown (for website) / Phil Oester || Unknown Author (for name of exploit)

    Some bugs have logos, some have domains. Dirty COW had an active social media strategy and even a shop selling t-shirts, bags and iPad covers. Dirty, indeed.

  • Cloudbleed

    Credit: taviso && [email protected]

    Tavis cleverly named-not-named his incredible cloudflare bug ("It took every effort not to call this cloudbleed") inside of Project Zero's issue tracking system. It was just a matter of time before someone like seclogodesigner was going to, as their name suggests, make a logo.

Pwnie for Epic Achievement (new for 2016!)

Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn't possibly have predicted it by creating an award category that did it justice.

  • 360 Security (Qihoo)


    This team took away ZDI's Pwn2Own master prize by chaining three 0day exploits, taking them from browser sandbox to virtual machine escape on a fully patched VMWare Workstation. This was a first for ZDI. The initial vulnerability exploited a heap overflow in Microsoft Edge, followed by a kernel type confusion bug, ending in an uninitialized buffer vulnerability in SVGA, resulting in the highest payout from ZDI ($105k).

  • Ke Liu


    Ke Liu is a security researcher of Xuanwu Lab of Tencent, focused on PDF file format vulnerabilities. During the last year, he has found nearly 150 vulnerabilities independently in the world's most popular PDF readers including Adobe Reader, Foxit Reader, Google Chrome, Windows PDF Library, and OS X Preview. More than 100 of the vulnerabilities have been fixed by vendors and assigned with CVE numbers.

  • Federico Bento


    Exploits possible due to an ioctl named TIOCSTI have been documented by luminairies such as Theo de Raadt since the 80's, but the work of Federico Bento may well have finally influenced the powers that be to put their weight behind addressing it. TIOCSTI allows unprivileged users to insert characters into the terminal's input buffer allowing easy unprivileged to privileged escapes. Federico has been reporting a stream of vulnerabilities based on TIOCSTI, and subsequently OpenBSD, SELinux, Android, and grsecurity have finally acted to remove, block or restrict its use.

  • Spencer McIntyre


    Security researcher and senior metasploit developer Spencer McIntyre is known for his development and ongoing security research. This nomination recognizes Spencer's interest in hacking the hackers, based on his work identifying vulnerabilities in the widely used post-exploitation powershell framework, Empire. Spencer discovered two vulnerabilities with the empire team, both allowing remote compromise of a control server.

  • Janus


    Original Petya malware author and otherwise ransomware-activist Janus may have released the private decryption key to the initial Petya, but that doesn't appear to have prevented ongoing development of this ransomware. Despite Petya's unique qualities, including implementation of an overwrite of the Master Boot Record and initial deployment via a Ukranian accounting package, Petya has been heavily criticized. However, recent versions have been credited with features that cause mayhem all the way to the boardroom, including Kaspersky users getting a free pass and material impact on the operations and financial performance of victim companies.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

  • American Fuzzy Lop

    Credit: Michal Zalewski

    This tool was originally written a few years ago, but sometimes revolutionary ideas take a while for the rest of us to realize how important they are - plus new features are being continually added to it. AFL has revolutionized the field of fuzz-testing by making an incredibly fast and easy to use tool that utilizes modern ideas of fuzzing. Best of all, it works on real world applications to find real world vulnerabilities. Just because I still don't believe it can find that old sendmail bug, doesn't mean it isn't a revolutionary tool.

  • Ghost telephonist

    Credit: Yuwei Zheng, Lin Huang, Qing Yang, Haoqi Shan, Jun Li

    Only using a computer and a cell phone, these researchers showed how on some cellular networks, due to an issue with LTE signaling, they could impersonate devices on the network. This allowed them to intercept calls and SMS messages intended for the victim as well as make calls and send SMS message that seem to come from the victim.

    Even though I like me some shellcode in my research, I guess if you can just take calls intended for famous Hollywood movie actors or break SMS based 2fa without it, it is still probably okay.

  • ASLR on the line

    Credit: Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida

    Exploit writers have been bending over backwards to try to defeat ASLR for the better part of a decade. Usually this requires finding some soon-to-be-patched memory disclosure bug. Of course this is a hard job and needs to be repeated for different browsers/plugins/versions/etc. Then these guys come along with a universal ASLR bypass based on timing of the caching of memory access. Of course this works using Javascript in most browsers by default and isn't really something you can fix very easy. Seems too easy, I think I'll keep looking for infoleaks like a real hacker.

  • Bochspwn Reloaded

    Credit: Mateusz "j00ru" Jurczyk

    The original Bochspwn tool, circa 2013, found local privilege escalations based on "double fetch" conditions in kernels by doing memory instrumentation using the Bochs VM. The new Reloaded research was focused on finding infoleak vulnerabilities using a similar mechanism. Using this tool, he found 30 Windows kernel memory disclosure vulnerabilities as well as a handful of Linux kernel infoleaks. We all love tools that find real bugs in real software, and this one comes with cool visuals too. I can't wait for Bochspwn Revolutions.

  • Drammer

    Credit: Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida

    Rowhammer was a pretty cool discovery a few years ago but as time goes on, the application of this attack technique continues to improve and impress. Traditional Rowhammer attacks don't work against mobile platforms. Drammer rectifies this by implementing rowhammer in a completely deterministic way against Android on ARM. In the end, they demonstrate this by getting root on an Android device using no software vulnerabilities and requiring no user permissions. That is like something I think I saw once on CSI: Cyber attack.

Pwnie for Lamest Vendor Response

Awarded to the vendor who mis-handled a security vulnerability most spectacularly.

  • SystemD bugs 5998, 6225, 6214, 5144, 6237

    Credit: Lennart Poettering

    Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message. But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!

  • eVestigator

    Credit: Simon Smith

    No one likes a copyright cry-baby, so we're giving extra points to Simon Smith for having taking down every Youtube video and Medium post about the vulnerabilities in his commercial forks of Onion Browser and other open source cell phone apps, sold under the names 1IQ, eVestigator, RPL Central, and Official Intelligence. Simon also seems to be fond of threatening to sue his critics, and we look forward to his creative and hilarious citations of the Australian Crimes Act of 1958 to silence our award ceremony.

  • Callisto NOMX

    Credit: Scott Helme and Alan Woodward / Will and Shawn

    Claiming to be the ``World's Most Secure Communications Protocol,'' the Calisto NOMX is a secure email appliance built from a Raspberry Pi in a fancy case with hilarious default passwords using self-signed keys from other projects, forking an open source project that has been unmaintained since 2009. True to its name, it makes no MX records, so outbound messages--including some convenient responses to the bug reporters!--are routinely blocked as spam by every other email provider.

    We tried to read the vendor's side of the story at, but found only a conveniently verbose SQL error.

Pwnie for Most Over-hyped Bug

Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.

  • Cloak and Dagger(CVE: none)

    Credit: Yanick Fratantonio, Chenxiong Qian, Simon Chung, Wenke Lee

    An app with no explicit permissions could use the "draw on top" permission which allows clickjacking, keystroke recording, installation of other apps.

    It had a domain name "", which was a website that included videos, lots of text, and a long list of examples of press coverage. The research itself wasn't entirely new, It wasn't the first examples to use draw on top or a11y for attacks. However It still managed to get covered in main stream media like Newsweek and the International Business Times as well as other outlets, as pointed out on their page, like Blasting News and HotForSecurity.

    Its kind of a cool attack but does require the app to be installed and the attack itself is so hard to describe that they did a usability study to see if it actually worked against people. For the record, if your exploit gets you a shell, you don't need usability studies.

  • Dirty Cow (CVE-2016-5195)

    Credit: Phil Oester

    This was a privilege escalation vulnerability in the Linux kernel that utilized a race condition with copy-on-write of private read-only memory mappings.

    While this did have a website, a logo, and a twitter account, its pretty obvious that this was done in a tongue in cheek way and maybe not even by the discoverer. I love the lines on the site that say how you aren't vulnerable and it also includes a swag section with extremely expensive logo'd swag.

    Overall, kinda confusing on whether the researcher really thought it was a big deal or not, but regardless, its one of hundreds of Linux kernel escalations so it probably doesn't need a logo, even though Mark Dowd says its hard finding Linux kernel bugs these days.

  • Enter 30 to shell - Cryptsetup bug (CVE-2016-4484)

    Credit: Hector Marco and Ismael Ripoll

    A vulnerability in the way cryptsetup unlocks LUKS encrypted partitions allowed attackers with physical access an initrd shell. This may allow an attacker to load some non desired OS or delete data. For very special machines, like ATMs, kiosks, etc, this might be a problem.

    This attack was covered in threatpost and slashdot. However, even the slashdot commenters, in their great wisdom, figured out that it wasn't a big deal.

    Not hyped excessively but does require physical access and doesn't even get you real shell.

  • Wannacry kill switch (CVE-2017-0144)

    Credit: MalwareTechBlog

    This wasn't about an overhyped bug but rather overhyped coverage for the "accidental hero" and "savior" who "saved the world". This researcher had his 10 minutes of fame and then some for following standard practice during his day job. On top of all the press, he got $10k from Hacker One and a years worth of free pizza. Alas, it wasn't all happy, as the BBC eventually published details of who he was and where he lived as well as other dirt on his life.

    Had MalwareTechBlog not registered the domain, one of the other 100 of AV or Threat Intel companies would have done so and yes we're jealous because he's more famous than any of the Pwnie judges.

Pwnie for Best Song

What kind of awards ceremony does not have an award for best song?

  • 0x0A Hack Commandments

    Credit: Dual Core

    Inspired by a talk of the same name by @thegrugq, Dual Core's cover of Notorious BIG's classic "10 Crack Commandments" instructs listeners with solid advice on maintaining proper operational security, reminding them that above all else, STFU if you plan to not get caught.

  • Ransomware

    Credit: Mc Hackudao

    Over this catchy trap beat, Mc Hackudao raps the story of a ransomware author, leaving the admins and users of vulnerable and misconfigured systems at a loss for their data, making them #wannacry.

  • Hello (Covert Channel)

    Credit: Manuel Weber, Daniel Gruss (et al)

    As a cover of Adele's Hello, this song added an extra element of stagecraft to a presentation on a cache-based covert channel, in both describing the attack and being the content delivered over the coverit channel.

  • If you like hacking Pineapples

    Credit: Fabienne Serriere

    In this cover of The Pina Colada Song, Fabienne brings us fond memories of pwning conference n00bs, with a hat tip to the Pineapple Hunter, who shelled the script kids who were trying to shell other conference wifi users.

  • Machines of Loving Disgrace

    Credit: Greg Linares

    In a novel approach to music generation, Greg uses bytecode elements from prominent malware to generate loops and beat patterns, piecing them together as a sort of code-as-music to cr eate EDM.

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.

  • Leaky OpSec Leaking Leakers

    Credit: The Intercept

    The only thing The Intercept likes more than leaking classified documents is leaking their sources, and in Reality this might be the Winner. Despite years of taking opsec precautions in order to protect data and its sources, The Intercept managed to expose a source by the classic printer fingerprinting pattern.

  • HTTPSafe Browser

    Credit: Kaspersky

    As cited in CVE-2016-6231, the Kaspersky "Safe" Browser for iOS failed to validate SSL certificates for any site other than the sites on the known phishing or malware list. This makes sense, of course, because we already know we can trust the good sites, but you never know about the certificates on those shady URLs, you gotta keep an eye on that shit!

  • Cloudbleed

    Credit: Cloudflare

    Citing the Wikipedia entry, "data from Cloudflare customers was leaked out and went to any other Cloudflare customers that happened to be in the server's memory on that particular moment. Some of this data was cached by search engines." This is fine. Everything is fine. Think of it as highly-available, crowd-sourced distributed backup.

  • Laws Down Under

    Credit: Government of Australia

    Everyone wants to stop criminals. In a legislative effort to force vendors to hand over the plaintext contents of encrypted communications, Prime Minister Malcom Turnbull was confronted with the pesky laws of mathematics; that is, that with properly implemented crypto, no one, including vendors, could simply decrypt the user data. Turnbull replied "Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia". Finally, some progress in the war on math!

Lifetime Achievement Award

Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.

We no longer announce nominees for Lifetime Achievement. The winner will be announced at the ceremony and posted on the website.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

  • WannaCry

    Credit: North Korea(?)

    Shutting down German train systems and infrastructure was Childs play for WannaCry. Take a legacy bug that has patches available, a leaked ("NSA") 0day that exploits said bug, and let it loose by a country whose offensive cyber units are tasked with bringing in their own revenue to support themselves and yes, we all do wanna cry.

    An Internet work that makes the worms of the late 1990s and early 2000s blush has it all: ransomware, nation state actors, un-patched MS Windows systems, and copy-cat follow on worms Are you not entertained?!?!?

  • FlexiSpy hack


    Creepy stalker-ware company gets hacked, servers RM'd, source code and customer data dumped to the press, and the hackers wrote about how they did it. This brings back memories of Fluffy Bunny "Look Ma! I'm on SANS!"

    All of this only made more interesting by the vendor response: "False news!"

  • Shadow Brokers dumps

    Credit: Russia. Straight up: Russia...

    Right before the NSA could launch an attack against Russia as payback for actions that had been identified during the presidential election (and probably payback for some other things we aren't allowed to know), they get iced. Kapow! Out of the blue comes a "hacking group" claiming to have the Fort's full kit!

    What would you do? Either the Shadow Brokers are bluffing (and they dumped just enough of the kit that they may not be), or you are walking into a trap because someone out there has part of your playbook!

    Part of this nomination goes to Shadow Brokers for having the kit in the first place, the other part of this nomination goes to the delivery, timing, and false flag auction.

    Welcome to behind the green door and a glimpse at the great game everyone!

    Bonus points for subsequent ransomware worms lifting parts of the released kit.

Nominations opened.
Nominations closed.
The list of nominees is announced.
Awards ceremony at the BlackHat USA conference in Las Vegas.
Awards Ceremony
when Wed, Aug 8th 2018
where BlackHat USA 2018, Lagoon JK (Level 2), Mandalay Bay, Las Vegas