That honor was bestowed upon the consumer electronics giant at the Pwnie Awards 2011 event on Wednesday at the Black Hat conference, a UBM TechWeb event, in Las Vegas.
Every year, the Pwnies (rhymes with "ponies") honor "the achievements and failures of security researchers and the security community," according to the Pwnie Awards organizers. Nominations are open to the public. Award winners receive a My Little Pony, spray-painted in gold, though not all winners come forward to collect their award.
Sony was a shoe-in for "Most Epic Fail," as the company had been nominated five times, not least for laying off numerous information security personnel just months before suffering a crippling series of cyber attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, amongst other Sony websites. Furthermore, it was the only nominee.
"Is anyone from LulzSec here to accept it on their behalf?" said Dino Dai Zovi, one of the eight people who judged the nominations. "LulzSec, please don't hack us."
Dai Zovi also offered a legal disclaimer for the awards: "We want to make sure that for some of these categories, we're not condoning this type of behavior, but recognizing its significance. Because nothing works more awesome than giving everything your 110%, soaring on your dreams, and making your failing even more epic."
On a related note, the Pwnie award for best song went to Geohot, for The Light It Up Contest, his rap about Sony, which launches with the following challenge: "Let's take this out of the courtroom and into the streets, I'm a beast, at the least, you'll face me in the northeast."
In the words of Pwnie judge Dave Aitel, "he's so talented, and so white." Geohot, aka George Hotz, was one of numerous people sued by Sony for allegedly distributing information about how to jailbreak the PS3. According to the Pwnie website, "There is strangely enough a long tradition of hacker-written songs and raps."
RSA won the "Lamest Vendor Response" award, for the SecurID hack, which judge HD Moore summarized as, "Hey, someone may have taken all the secure keys for the thing that forms the name of our company." He said the award was bestowed in particular for "the lack of information available, the fact that it was drawn out for so long, and that they lost the keys to their kingdom, and they're still around."
"If we have a rep from RSA here, feel free to come up and pick up your awesome Pony. We know you're here, there's 16 of you here, we counted. Send out the intern," said Moore. Perhaps predictably, no audience members advanced to the podium. "We'll find you later," he said.
Meanwhile, the lifetime achievement award went to pipacs. "Microsoft today has announced a challenge, giving out $200,000 for work very similar to that that has been done and given away for free by pipacs, a decade ago," said judge Dai Zovi. "All of the operating systems that we use today that have protections against memory trespasses, all of these protection mechanisms can be traced back to the work of pipacs." Microsoft's recently announced prize money for enhancing Windows security, he said, is an extension of the work begun by pipacs, who is perhaps best known for inventing address space layout randomization (ASLR).
Other awards went to security researcher Tarjei Mandt for "Best Privilege Escalation Bug," for discovering Windows kernel win32k user-mode callback vulnerabilities. Comex won the Pwnie for "Best Client-Side Bug" for an attack that bypasses ASLR protection in iOS and exploits a kernel vulnerability to execute arbitrary code in the kernel and disable code signing, and which can be used to jailbreak iOS devices.
In addition, Piotr Bania won the Pwnie for most innovative research for taking a document containing recommendations for improving Windows security, using static analysis on Windows, then implementing many of these fixes in the Windows kernel. "He managed to rewrite all the kernel drivers in Windows to include these protections, without crashing them," said judge Alexander Sotirov.
But perhaps the most eagerly awaited award, however, was in the category of "Epic 0wnage." Nominees included Anonymous "for hacking HBGary Federal," LulzSec "for hacking everyone," as well as Bradley Manning and WikiLeaks--the latter nomination earning a loud, extended round of applause as it was read out. But the winner was Stuxnet, described by the Pwnie judge Mark Dowd as "a non-violent protest against the Iranian nuclear program, allegedly done by a government with some pretty advanced intelligence capabilities. We suspect Belgium."
In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).