Monday, March 31, 2008

Is Ubuntu Really More Secure Than Mac / Vista?

At the Pwn to Own competition (link to story above), participants were awarded money and prizes for hacking into various operating systems, and Ubuntu came out as the winner over Mac OSX and MS Vista. While some people are shouting from the rooftops, I'm not jumping for joy, and I'll tell you why in a minute.

First, let's look at the competition rules. The original rules stated that the winner must use a 0-day exploit on a machine with only default software installed. I think this requirement was as fair as you can get, but it still left some operating systems with more software to exploit than others had. I believe the order would be Ubuntu with the most, Mac coming in second, and Vista with the least. As I said, though, I don't think you can really get more fair than that. Any additional software would just invite argument.

The really good news is that all three systems survived. No one was able to break into a default system using only the supplied tools. I'm not surprised, either. OS security has come a long way since XP and OS 9. We can all be happy that the Internet will probably be a much safer place in a couple more years.

Because no computers had been cracked, the rules were relaxed to allow visits to web sites. The Mac fell within two minutes. I think this is a wake-up call to Mac fans who believe that their platform is secure. I will state it more clearly for Mac fans visiting my site: your OS is a ticking time bomb -- get your shit straight while your relatively small market share still protects you.

Honestly, I was surprised that Vista wasn't first. Yes, I expose my anti-MS feelings. Still, I've said many times that Vista seems to be a secure system. The complaints people have with it are the result of getting used to XP's broken security. In fact, Vista never fell. No one ever had an exploit for it.

Finally, to move things along, contestants were allowed to install popular add-on software. What was popular was decided by the judges, so it's difficult to say whether this portion was fair or not. Vista fell due to a flaw in Flash. That's certainly popular, so there should be no complaints, but I wonder whether the exploit would work on Linux versions of Flash.

So Ubuntu was left standing, the apparent winner. And the crowd rejoiced. The blogosphere resounded with choruses of how great Ubuntu is.

I say it's all BS.

The real problem comes down to the requirement for a 0-day expoit. Open source has to win in this situation. There are tons of reported flaws in Ubuntu ... so many that fixing them all in a timely manner is difficult. This is the same reason that Microsoft sponsors then parades around research on the number of exploits in various operating systems. MS gets to hide any vulnerabilities that they don't want to report, while open source operating systems have everything out in the open.

Because they're all out in the open, how are you going to get a 0-day on the software? It's possible, but much less likely than getting one on a system where bug reports aren't encouraged or public.

Don't get me wrong. I think that having everything out in the open is great and pushes vendors to fix their problems. Security issues get fixed really quickly in Ubuntu (other issues ... not so fast). When you start including the non-main packages, though, things slow down more, but being able to look over the source code and search bug databases makes "all bugs shallow." How do you expect to get a 0-day exploit on code which thousands of people have pored over before you?

I love Ubuntu. I have a blog on it. This competition still doesn't mean shit.

Let's have one without the 0-day requirement, and then we'll see who the real winner is. My money's on OpenBSD.

6 comments:

  1. Well, it is not all BS. You are more likely to get hacked on Vista and OSX ... But even those are fortresses compared to XP.

    But I would love to see a competition were every hack would be allowed. Just get admin rights.
    I think Vista has some nice security features. I think Firefox should get a protected mode too. Browsers are the major attack vector nowadays.

    ReplyDelete
  2. Just to be clear: I meant that all the hurrays and huzzahs were BS. The competition wasn't BS, but it didn't mean anything in real-world terms as to whether you'll be compromised or not. Vista is probably STILL most likely for that.

    Ubuntu is great, and I use it on every machine I have save one kitchen lappy which uses Geexbox. I'm not dis'ing it: I just don't agree with the crowd.

    ReplyDelete
  3. You have to take into account the guy wanted the mac so he came prepared. Everything ready he just plugged in and pressed a button. Thats why it didn't take that long

    They didn't expect the vista to upgraded to sp1, so it took them awhile

    ReplyDelete
  4. I'll take your bet and back Solaris. But I'll use Kubuntu. Security means a lot, but compatibility and applications mean more. That's the only reason Windows still exists.

    ReplyDelete
  5. I'm a linux user since ever, but not an Ubuntu one, simply because I feel better using another distribution (Fedora).

    Anyway I wouldn't say that Ubuntu is safer than Vista or Mac, but I'd rather say Linux is safer!


    cheers

    ReplyDelete
  6. Taking a risk and posting from a Mac. (Your warning doesn't mean you've put said exploit on your site, does it? Well, it was too late a few milliseconds after I hit that link. Hopefully, you're only able to read files on my desktop or whatever. ;)

    Anyway, I agree that there is a lot of meaningless noise here. Tippingpoint, or whoever the sponsor was, was just buying some new exploits and getting publicity. (Not necessarily a bad thing.)

    I also agree that I would have liked to have seen a contest that would have meaning to the average user, but that would have required a lot of work. Not just providing default installs and saying get admin, but providing several "typical" configurations and saying get passwords and credit card numbers.

    (Which was perhaps why the contest was more focused on read this time around than on execute.)

    ReplyDelete

Other I' Been to Ubuntu Stories

Related Posts with Thumbnails