Real-world security
Many people who know or care about computer security probably won’t be surprised to hear claims that Linux or BSD is generally more secure than Windows. That conventional wisdom seems to have been confirmed yet again by the results of a hacking challenge last Friday, March 28, at the CanSecWest 2008 conference. This was reported in the InfoWorld article, “With Vista breached, Linux remains unbeaten in hacking contest”:
Earlier this week, contest sponsors had put three laptops up for grabs to anyone who could hack into one of the systems and run their own software. A $20,000 cash prize sweetened the deal, but the payout was halved each day as contest rules were relaxed and it became easier to penetrate the computers.
On day two, Independent Security Evaluators’ Charlie Miller took the Mac after hitting it with a still-undisclosed exploit that targeted the Safari Web browser. After about two minutes work, Thursday, Miller took home $10,000, courtesy of 3Com’s TippingPoint division, in addition to his new laptop.
It took two days of work, but Shane Macaulay finally cracked the Vista box on Friday, with a little help from his friends.
Macaulay, who was a co-winner of last year’s hacking contest, needed a few hacking tricks courtesy of VMware researcher Alexander Sotirov to make his bug work. That’s because Macaulay hadn’t been expecting to attack the Service Pack 1 version of Vista, which comes with additional security measures. He also got a little help from co-worker Derek Callaway.
It wasn’t all clear sailing for Linux though. The story noted that the Vista exploit involved a “cross-platform bug that took advantage of Java to circumvent Vista’s security.” Such an exploit could conceivably work in Linux as well. Furthermore, the story also stated:
Some of the show’s 400 attendees had found bugs in the Linux operating system, she said, but many of them didn’t want to put the work into developing the exploit code that would be required to win the contest.
(Post updated) Why didn’t Macaulay use the Java exploit to break into the Linux laptop too — and walk away with another laptop? It was the rules. You could only use an exploit once and claim a prize. I wonder though, why no one else found that exploit on Linux first. I would have wanted to know if it really could be used to break into the Linux box.
And was it just too difficult to work out exploits from the exposed Linux bugs? One would think that the prize would make such work well worth it. Unless, of course, it was just too much of a hassle to do so in the allotted time.
Whatever the reasons, the fact remains that even with a cross-platform Java exploit and bugs in Linux, it was still too difficult (or not attractive enough) to hack the Linux box. The Vista laptop was far easier to take down and the OS X one easier still. That is the same reality that will be facing many amateur and “gifted” hackers in the real world. In that sense, then, a Linux system is quite likely the most secure of the three — for now.
By the way, what operating system are you running at work and at home? Do you have problems with computer viruses? Viruses may not be a hack, but they are still an issue.
As one very intelligent person once said: When you’re running from a hungry bear, you don’t really have to outrun it; you just have to outrun the next guy.

