29 March 2008

Ubuntu Beats OSX and Vista in Pwn 2 Own Hackathon

Pwn 2 Own is a competition where, if you can hack it, you win it, along with a nice pile of cash. All vulnerabilities must be original, and they cannot be publicized until after the creator of the software has had a chance to fix them. The competition was between a MacBook Air, a Vista SP1 laptop, and an Ubuntu laptop. Each day, a different class of attack is allowed, for a different prize.

  • Day 1
    • $20,000
    • OS, drivers, network stack
    • All left standing
  • Day 2
    • $10,000
    • Default-installed userspace software
    • MacBook taken down in 2 minutes by Safari, Ubuntu & Vista left standing
  • Day 3
    • $5,000
    • Popular 3rd party apps are game
    • Vista taken down with a Flash vulnerability

Regarding hacking the MacBook Air, the winner said "I thought of the three it was the easiest" (according to Channel Register). That's the first time I've ever heard anyone say OSX is easier to hack than Windows. Wow. But it turned out to be true, and I think we turned out to be the real winners ;) Until next year's contest, we can say our OS is the hardest to hack!


Anonymous said...

So no one got the ubuntu laptop? :P

Where can I get a more detailed story on the results? I would be interested to read more of what happened in detail. Thanks!

Mackenzie said...

Tipping Point has all the in-depth stuff. Check the links on the right (in the "March" section) to see the info for each day.

Tom said...

One thing that stood out for me from the IDG story ...

"Some of the show's 400 attendees had found bugs in the Linux operating system, she said, but many of them didn't want to put the work into developing the exploit code that would be required to win the contest."

No idea what they meant, though — did the users have a soft spot for Linux? Or did they not have enough time to turn bugs into exploits?

At any rate, I expect Update Manager to be busy this week.

Mackenzie said...

If by "bugs in Linux" they literally mean the Linux kernel, exploiting those bugs would have been worth $20,000 on the first day. Based on that, I'm thinking it means there was too much more effort involved in cracking the kernel as compared to cracking the other systems, but of course that's just my interpretation.

nikoPSK said...

Very good read.

Anonymous said...

There is one thing which throws the results off which you are not considering:

The MacBook Air is brand new and definitely some hot hardware. It was the "top" prize in the sense that many people wanted to get their hands on it. So of the three (OSX, Vista, Ubuntu) OSX had the largest bull's eye on it.

Mackenzie said...

With that much money on the line, you go for the easiest target. You can buy whatever computer you want with that money. And I certainly would *not* buy a stupid ethernet-less laptop that has only 1 USB port. The guy that hacked the Mac even said it was the easiest target.

Anonymous said...

Still won't stop the Air from selling well. People prefer sexy design to something geeky like the number of ports, at least in my experience. :)

Mackenzie said...

Even geeks? The people in the competition are without a doubt geeks.

The reason for the cash prize is to eliminate the "well this OS is more common..." and "oh that one looks nice..." incentives because the cash is just too big.

Mackenzie said...

If they exploited bugs in Linux, that would've been worth $20,000 (for hitting the OS). They went after the Mac apps instead for $10,000. The MacBook is *not* worth > $10,000.

Tom said...

Followup time ...

The TippingPoint people say the Ubuntu laptop wasn't hacked because nobody was interested in hacking into it. Reason? Because hacking into Mac OS X and/or Windows Vista gets more attention from the press.

http://tinyurl.com/2vjnvl (link redirects to ComputerWorld.com)

So scratch the "more secure" and the "takes more time" theories ... apparently it's all about the headlines.

Mackenzie said...

The only perspective in that article is in the form of a bunch of quotes from one person who worked for Microsoft. I know no matter who you talk to there's opportunity for bias, but I'd really like to see an interview with the crackers themselves. The Mac cracker did say the Mac was the easiest target. And yeah, if Ubuntu had fallen first, it'd be "well they went after it extra hard because they'd get glory for breaking the unbreakable Linux," so no matter what you do, we'll all be loyal to our platforms. At that point, the people doing the break-ins are the only ones that know their motivation for going after what they did. I can't see what glory there'd be in breaking Vista. It's expected. OSX and Linux are the ones that'd get you more "cool points."

Rex said...

Here's some useful info about the MacBook Air: http://www.maconair.com/the_pros_and_cons

Anonymous said...

I agree with Mackenzie. If it was the last day of the contest with $5000 up for grabs, and only a 30-minute window of opportunity, you wouldn't be thinking of any damn headline! You'd be thinking, "oh, which one would give me a higher chance for a new notebook and some cold cash?", and not "which OS's vulnerability will get me more press?"