PWN 2 OWN contest lets hackers choose Vista, OS X or Linux
By Darren Murph 
posted March 27th 2008 9:40AM
posted March 27th 2008 9:40AM
Last year's PWN 2 OWN contest at the CanSecWest security conference went over way better than expected (read: exploits were glorified), so this year, organizers have spiced things up by letting hackers have their way with three separate machines. The Linux, OS X and Vista-based rigs were all setup as similarly as possible in order to "make sure the attack surface was the same on all of them." For attendees in Vancouver, there sits a $20,000 top prize -- which dwindles with each passing day as restrictions on attacks ease up -- but it can only be acquired if an all new zero-day cyber roundhouse kick is used. Anyone here going to give it a go? You get to keep the freshly victimized laptop too, you know.
Whoops, forgot! BTW, I don't own a car. That makes the profit even sweeter!
Maybe it's just me... but isn't this a little like posting a few security guards to represent a firewall in front of a school locker (any version of Windows), and a few security guards in front of Fort Knox (Mac OS X / Linux)? Even if you can get past the security guards, good luck getting in to Fort Knox... they've allowed the world to help improve their security thanks to the software being open source.
The Windows NT kernel (2000, XP, Vista) will never be as secure as Mac OS X anything (as it's based on FreeBSD) or Linux anything unless they rewrite its kernel. You'd need third party software to bring Windows up to speed... and this isn't open source fanboy talk, either. On the bright side, I was surprised that Engadget didn't go in to detail about the laptop running Mac OS. ;)
wth are you talking about? Only reason why WinNT kernel doesn't seem as secure as OSX is cuz it has a bigger market share. of course it's gonna seem like it's the most vulnerable cuz it's the most hacked compared to OSX. but in reality, OSX is less secure than WinNT esp. Vista.
This is what happens when ignorant people don't pay attention to statistics. As an example, "Oh, there are 50,000 hacked PCs and only 1,000 hacked Macs....Macs must be more secure." Read the fine line. Of the 50,000 hacked, what is the total population? and of the 1,000 hacked Macs, what is their total population? Naturally, even with a super defense, no matter how big PC market is, the hackers for PC are also bigger compared to Macs. So it would appear that the WinNT kernel is weak, when if fact, it isn't.
Another population example, if you have a city and a lot of people will gang up to attack it, of course some holes will be exposed. In comparison, if you have another city but WAY FEWER people attacking it, of course it's going to seem "harder" to penetrate because less people are collaborating.
Don't believe everything the media tells you...especially Apple. "Crash-proof" ya right. I've seen many OSX crash whatever version they are. "More Secure" cuz they twist statistics.
The Windows NT kernel (2000, XP, Vista) will never be as secure as Mac OS X anything (as it's based on FreeBSD) or Linux anything unless they rewrite its kernel."
Too true, they'd have to rewrite the kernel to remove all the additional security embedded within it that neither FreeBSD nor Linux come with by default. Object level security on every operating system object (every file, every directory, every registry key and value) etc. All with support for multiple users and groups and a rich concept of ownership. All with support for distributed account IDs out of the box.
Neither Linux nor FreeBSD support anything like this out of the box. MAC and ACLs come close but fail in many regards, and Ubuntu sure isn't SELinux. Even with those supports builtin they fail at providing their security tokens over the wire utterly. Neither OS at the kernel level has the concept of a security domain, though you can add some of what NT provides with LDAP or NIS.
NT6 has even more security not available within these either. Tying not only security IDs but also trust levels and trust level requirements to security objects (and programs, etc) in order to prevent the kind of ownage that happened to the MBA in this contest. IE7 out of the box on Vista, even if compromised, only has access to change a tiny portion of your user files as a default, out of the box configuration. Even a broken IE7 executing arbitrary code will find it virtually impossible to do more than screw your browser's cache.
Can you please stop calling crackers "hackers". Learn the distinction and stick to it.
Agreed. There are "Hackers", "Crackers", and "Phreakers". All different. Umm, am I forgeting any?
Datacide:
The vile plague known as script kiddies.
Oh yes, how could I have forgotten _their_ kind
Not a work safe site. Let us know in future.
it's over: mba and safari
http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture
I'm not surprised to be honest. Everyone assumes that Macs are just the most secure thing around. Obviously, this is not the case. I'll bet Vista doesn't even get hacked during this contest. What will the Microsoft haters have to say then?
@Flashpoint
I think you mean the specialist tools may hackers use to defeat firewalls, and very clever thay are too! One guy who used to work for me on system security, had one that showed us how well an attempted hack on our servers was progressing we could literaly watch the combinations being run fascinating stuff.