At the Pwn to Own competition (link to story above), participants were awarded money and prizes for hacking into various operating systems, and Ubuntu came out as the winner over Mac OSX and MS Vista. While some people are shouting from the rooftops, I'm not jumping for joy, and I'll tell you why in a minute.
First, let's look at the competition rules. The original rules stated that the winner must use a 0-day exploit on a machine with only default software installed. I think this requirement was as fair as you can get, but it still left some operating systems with more software to exploit than others had. I believe the order would be Ubuntu with the most, Mac coming in second, and Vista with the least. As I said, though, I don't think you can really get more fair than that. Any additional software would just invite argument.
The really good news is that all three systems survived. No one was able to break into a default system using only the supplied tools. I'm not surprised, either. OS security has come a long way since XP and OS 9. We can all be happy that the Internet will probably be a much safer place in a couple more years.
Because no computers had been cracked, the rules were relaxed to allow visits to web sites. The Mac fell within two minutes. I think this is a wake-up call to Mac fans who believe that their platform is secure. I will state it more clearly for Mac fans visiting my site: your OS is a ticking time bomb -- get your shit straight while your relatively small market share still protects you.
Honestly, I was surprised that Vista wasn't first. Yes, I expose my anti-MS feelings. Still, I've said many times that Vista seems to be a secure system. The complaints people have with it are the result of getting used to XP's broken security. In fact, Vista never fell. No one ever had an exploit for it.
Finally, to move things along, contestants were allowed to install popular add-on software. What was popular was decided by the judges, so it's difficult to say whether this portion was fair or not. Vista fell due to a flaw in Flash. That's certainly popular, so there should be no complaints, but I wonder whether the exploit would work on Linux versions of Flash.
So Ubuntu was left standing, the apparent winner. And the crowd rejoiced. The blogosphere resounded with choruses of how great Ubuntu is.
I say it's all BS.
The real problem comes down to the requirement for a 0-day exploit. Open source has to win in this situation. There are tons of reported flaws in Ubuntu ... so many that fixing them all in a timely manner is difficult. This is the same reason that Microsoft sponsors, and then parades around, research on the number of exploits in various operating systems. MS gets to hide any vulnerabilities that they don't want to report, while open source operating systems have everything out in the open.
Because they're all out in the open, how are you going to get a 0-day on the software? It's possible, but much less likely than getting one on a system where bug reports aren't encouraged or public.
Don't get me wrong. I think that having everything out in the open is great and pushes vendors to fix their problems. Security issues get fixed really quickly in Ubuntu (other issues ... not so fast). When you start including the non-main packages, though, things slow down more, but being able to look over the source code and search bug databases makes "all bugs shallow." How do you expect to get a 0-day exploit on code which thousands of people have pored over before you?
I love Ubuntu. I have a blog on it. This competition still doesn't mean shit.
Let's have one without the 0-day requirement, and then we'll see who the real winner is. My money's on OpenBSD.