 | Vista and Mac lose over Linux in Hacking contest
Thought this might be interesting to some. »www.itbusiness.ca/it/client/en/h···id=47765 |
|
 jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI kudos:1 | This has been discussed in Security and All Things Mac
Basically, the real story here is all 3 platforms are equally vulnerable:
OS X and Linux because there are no proactive sandboxes isolating the browser from the rest of the system.
Windows Vista because Adobe wrote a broker to IE7's sandbox that allowed jailbreak.
--
Ubuntu MOTU Developer and Forums Council |
|
 | reply to phoneboy3 Not the way I see it. Linux won. End of story. You can argue over why it won which could have very well been because nobody wanted to successfully hack it, but the bottom line is it won. These are the very people who make these systems insecure by spreading these hacks. So if they are not motivated to hack it then by definition, the system is more secure. |
|
|
|
 sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Morristown, NJ | said by phoneboy3:
Not the way I see it. Linux won.
Did Linux win or did Firefox win by pushing out a last minute patch that would have allowed a compromise on the Linux box? Is Firefox Linux? Is Linux Firefox? Would the Mac have won if the person at the Mac fired up Firefox instead of Safari? |
|
 pflog Bueller? Bueller? Premium,MVM join:2001-09-01 El Dorado Hills, CA kudos:3 | I guess they didn't bother testing any of the BSDs, given the short time frame.
--
Hello...is there anybody in there? |
|
 gentux join:2004-09-05 Natick, MA | reply to sporkme said by sporkme:
Would the Mac have won if the person at the Mac fired up Firefox instead of Safari?
My understanding was that the Mac lost in the stage before non-default software was allowed, so Firefox could not have been fired up instead of Safari. |
|
 antiserious The Future ain't what it used to be Premium join:2001-12-12 Scranton, PA | That's correct, and Vista lasted so long, in part, because it was SP1 being tested (which is kind of what a service pack is supposed to do, among other things).
When you actually read the links provided, you pick up all sorts of interesting tidbits, but why spoil a good bash-fest with facts.
It might have been more relevant if each machine had survived the same number of attacks, or if some of the same exploits had been attempted against the applicable third-party software in each O/S. So personally I wouldn't say Linux won so much as Mac lost - big - but I do feel a little better about my choice of platform. The thread in the Security forum had some more links and commentary from the participants, worth reading.
fwiw
--
"My goal in life is to become the kind of problem that people throw money at".
|
|
 sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Morristown, NJ | reply to gentux said by gentux:
My understanding was that the Mac lost in the stage before non-default software was allowed, so Firefox could not have been fired up instead of Safari.
What is "the" default browser on "Linux"? What if the distro does not include a browser? Or what if it's lynx? |
|
 antiserious The Future ain't what it used to be Premium join:2001-12-12 Scranton, PA 1 edit | said by sporkme:
What is "the" default browser on "Linux"? What if the distro does not include a browser? Or what if it's lynx?
The target box - VAIO VGN-TZ37CN running Ubuntu 7.10 - which means they had their choice of Konqueror or Firefox, since it 'ships' with both.
In this case, for this particular contest, 'Linux' only applies to that combination - obviously they didn't test any other distro.
* edit - the other targets: Fujitsu U810 running Vista Ultimate SP1, MacBook Air running OSX 10.5.2
--
"My goal in life is to become the kind of problem that people throw money at".
|
|
 firephoto KDE Premium join:2003-03-18 Brewster, WA | reply to phoneboy3 Linux has thousands of eyes viewing the publicly disclosed code and talking about it on publicly visible mailing lists. Exploits are fixed very quickly and the means are in place to push those fixes to users within a day or so if needed. There's no fame and glory for exposing or even fixing a Linux weakness, it just happens every day.
The winner has a bone to pick with Apple and used an exploit he's been sitting on for a while. Webkit code is in the open but the development process isn't always transparent so it's easy to find where it's weak but the process leaves the opportunity for people to find exploits for glory. Look at most all the headlines that came out of Vancouver. "MacBook Air first to fail" and similar. The organizers picked a high profile piece of hardware and got more attention when it was able to be the headline getter. The first person up on the first day something was likely to be cracked was probably the number one person likely to have an exploit for the Mac platform.
Most Windows exploits that work are sold for cash because there's a market for them and Microsoft themselves will even buy them. Apple does not buy exploits and that's how it should be. Microsoft is just promoting the malware industry by paying into it.
It was a MacBook Air that was reported as 'losing'. So specific hardware lost and some other software lost and won and that isn't biased? I didn't see any news about Sony winning. This was a chance to bash Apple and they succeeded, stupid people will believe it and most people won't know, and the rest don't care. Yes... stupid people will believe it. That's life.
--
~~This is not The Greatest Sig in the World without annoying urls, no. This is just a tribute.~~ |
|
 firephoto KDE Premium join:2003-03-18 Brewster, WA | reply to antiserious said by antiserious:
The target box - VAIO VGN-TZ37CN running Ubuntu 7.10 - which means they had their choice of Konqueror or Firefox, since it 'ships' with both. In this case, for this particular contest, 'Linux' only applies to that combination - obviously they didn't test any other distro. * edit - the other targets: Fujitsu U810 running Vista Ultimate SP1, MacBook Air running OSX 10.5.2
Ubuntu has Firefox. Kubuntu has Konqueror.
Other ubuntus probably have Firefox as default.
All non-default browsers are an optional install on all flavors.
Webkit based browsers or rendering engines are an option also.
No one really tried to hack the Ubuntu box so a wet paper sack could even survive that kind of abuse.  |
|
 sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Morristown, NJ | said by firephoto:
Webkit based browsers or rendering engines are an option also.
It would have been a hoot if the guy's Mac exploit was based on a WebKit flaw and he went and downed both boxes (Safari + Konq) in 15 minutes. |
|
 firephoto KDE Premium join:2003-03-18 Brewster, WA | reply to phoneboy3 said by Computerworlduk:
It was lack of interest in Linux rather than the operating system's inherent security that left an Ubuntu laptop unbreached in a hacking contest, said the security expert who oversaw the contest.
"There was just no interest in Ubuntu," said Terri Forslof, manager of security response for 3Com's TippingPoint, which put up the cash prizes awarded at the contest last week at CanSecWest. "A contest such as this is not a measure of relative security between operating systems. It's not an accurate barometer."
Just because the laptop - a Sony running the Ubuntu 7.10 distribution of Linux - had been untouched doesn't mean that the operating system is any more secure than either Mac OS X or Windows Vista, both of which fell to attacks.
"It was actually a lack of interest" on the part of the PWN To OWN contestants, Forslof said. "Shane's [Macaulay] exploit would have worked on Linux. He could have knocked it over. But [the contestants] get a lot more mileage out of attacks on the Mac or Windows," she continued.
|
|
 | reply to phoneboy3 You can try to throw rocks at the facts which is the nature of hackers I suppose. I have to assume an event this big with this much money involved would have been well thought out and organized such that the playing field was as equal as possible.
If anything, the fact Vista had SP1 on it so soon after its release gave it an unfair advantage over all the rest so the fact it made it to the end doesn't mean all that much to me. |
|
 jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI kudos:1 | said by phoneboy3:
You can try to throw rocks at the facts which is the nature of hackers I suppose. I have to assume an event this big with this much money involved would have been well thought out and organized such that the playing field was as equal as possible.
If anything, the fact Vista had SP1 on it so soon after its release gave it an unfair advantage over all the rest so the fact it made it to the end doesn't mean all that much to me.
Frankly, I don't care. None of the OSes showed any intrinsic mechanism to prevent these kinds of attacks. As far as I'm concerned, in the big picture they all lost for the reasons I provided. OS X and Linux for failing to sandbox the browser, IE7 for allowing things to so easily backdoor the sandbox.
--
Ubuntu MOTU Developer and Forums Council |
|
 | reply to phoneboy3 So what is your point? Don't connect computers to the internet? Put them all in sealed rooms with retina scan access?
It never ceases to amaze me how paranoid some people can get about security. |
|
 | reply to phoneboy3 .....and smug. |
|
 jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI kudos:1 | reply to phoneboy3 No, my point is, there should be more work going into proactive security measures such as establishing SELinux/AppArmor security contexts for desktop applications that are prone to exploitation, such as web browsers or untrusted code.
Even as an Ubuntu developer and advocate, I wouldn't think to conclude from this contest that Ubuntu is somehow more secure. It may be, it may not be, but what's apparent is that this class of exploits would work perfectly fine on Ubuntu -- we have nothing that actively stops it other than general stack-smashing protection from buffer overflows.
--
Ubuntu MOTU Developer and Forums Council |
|