Linux Unscathed in PWN to OWN
Last year, CanSecWest, the “world’s most advanced conference focusing on applied digital security”, held a contest called PWN to OWN.* Basically they set up a couple of Apple Macbook Pro laptops and attendees could connect to them via ethernet or WiFi. If you could pwn it (hack it with progressive rules over three days), you got to take it home with you.
It was a big hit, so this year CanSecWest held another PWN to OWN contest with the hardware to hack being Microsoft Vista, Apple OS X, and Ubuntu Linux laptops. All three had the latest OS patches but were otherwise set up like a default installation. This contest made it interesting, as it gives you a relative feel for the security, or exploit-ability, of the big three desktop operating systems.
All three of the laptops survived the first day of the contest, which has very limited rules on the tools you could use to hack the machines. The second day of the contest, hackers were allowed to download exploit tools from the web. Ten minutes into the second day, the Apple OS X laptop fell, reportedly due to a security hole in Safari.
Vista outlasting OS X surprised me. Part of it had to do with the Vista laptop having SP1, which hasn’t been out long enough to be thoroughly pwned yet, but still, ten minutes into the second day? Ouch. If you’re an OS X user, you might, ah, go back and take a look at the post I did on TrueCrypt.
Vista lasted until the third day before it fell, which, a brand new SP1 aside, is still pretty impressive for a Microsoft product. I’d rather use an abacus than run Vista, but hats off to the Redmond folks for battening down the hatches.
And the Ubuntu Linux laptop? After three days of some of the best security hackers taking a crack at it, it was never pwned. Ubuntu stood in it’s brown-themed glory, giving the group of talented hackers the proverbial finger. This despite all of the source code being available for anyone to see.
This is just one contest, so it would be dangerous to draw a definitive conclusion about OS security from the results. Of course, danger is my middle name:**
Ubuntu Linux > Vista > OS X
*PWN: A leetspeak slang term implying domination or humiliation of a rival. As in: I keep getting pwned by 8 year olds when I play games online. I really think they should make a separate “you have to be this tall to get in” section for online gamers. I can’t compete with a bunch of finger-twitching ridilan-taking adolescents that play 20 hours a day and haven’t seen the sun for two years.
**My middle name is actually Thoreau. As in Henry David Thoreau. If you want to have your child fleeing for his life in public school and you don’t think a first name of “Tobin” will suffice, adding “Thoreau” after it should seal the deal.