back to article So what's the easiest box to hack - Vista, Ubuntu or OS X?

This story was updated to correct the maximum prize amount available. Tired of all the knee-jerk banter from fanboys about whose operating system is the most secure? So are the organizers of the CanSecWest security conference, which will be held in Vancouver later this month. And with a contest awarding as much as $20,000 worth …


This topic is closed for new posts.
  1. This post has been deleted by its author

  2. John Doe

    The easiest box to hack... the one with the dumbest owner.

  3. Webster Phreaky
    Jobs Horns

    I'll put my money on Flaky Buggy Swiss Cheese OS X

    and all the MacMonkey Kool Aid Drinkers will faint from acute Denial Fantasy. The more and more evidence that it's OS X that's a POS, the deeper the Apple FanBoys stick their heads up their arses to escape reality.

  4. Anonymous Coward

    Dumb prize

    Whoever hacks a laptop first gets to take it away with them?

    So once they've proven how crap the OS is they get to keep the vista machine?

    I suppose at least if they won the mac they could put any OS on it, whereas the vista/ubuntu machines you're limited to windows/linux(/dos/etc)

    What's the betting that they have XP running within fusion on the mac? that'd double the vulnerabilities while still keeping to the rules of popular software.

  5. Anonymous Coward
    Anonymous Coward

    Not a fair contest

    It all depends upon who wants which box the most. I personally wouldn't want a MacBook air, I'd prefer a good ol' MacBook Pro. As for the PCs, I'd rather have a new Thinkpad so wouldn't bother attempting them. This is all pretty academic as I'm by no means some kick ass hacker.

  6. Marvin the Martian
    Paris Hilton

    So they invert the economical factor?

    Which of the three is the shiniest? Then that one will be targeted more than the others I guess!

    Paris coz' she also can't separate economical logic from shinycity.

  7. Steven Knox

    @Webster Phreaky

    Will you put your Reg commenting privileges on it?

  8. Chad H.
    Jobs Halo

    @ Webster

    And I look forward to you eating your words... Care to make a real wager?

  9. Morely Dotes

    @ Tim Spence

    "with the world+dog currently hacking Vista, there can't be that many exploits left undiscovered."

    O ye of little faith! There are literally million of lines of code in Vista; even Microsoft isn't aware of all the exploits.

  10. Anonymous Coward
    Anonymous Coward

    Have to agree with Tim there

    Surely a known security hole that is still present in the most up to date patches is much more of a concern that a one-off homebrew hack by a pro? In the interests of exciting competition i can see the reasoning behind that rule, but it most certainly invalidates this as a test of the most secure OS.

  11. Morely Dotes

    @ Webster Phreaky

    It's funny. I don't own a Mac, don't use a Mac, and I think the MacBook Air is design for morons.

    But I am absolutely certain that OS X is orders of magnitude more secure than any version of Windows; OS X doesn't come with Internet Explorer, and IE is *designed* to allow remote code execution.

  12. Mike
    Thumb Down

    The problem with this. . .

    "Winning exploits must target a previously unknown vulnerability; vulns that have already been reported to the affected software maker or a third party are not eligible."

    That is horribly unfair, because Apple in particular fails to fix vulnerabilities even after they've been reported. This skews it horribly in Apple's favor. After all, what other company sits on a publicly disclosed security vulnerability for a year and STILL doesn't fix it?

  13. Anonymous Coward

    bargin - for them

    yeah submit a previously unknown bug allowing code to execute for the price of a laptop PC - what a bargin - for them.

    Watch out for a few hours into the competition the rules being relaxed to the point of uselessness so they can announce a 'winner'

  14. Kwac
    Dead Vulture

    @Tim Spence

    "with the world+dog currently hacking Vista, there can't be that many exploits left undiscovered"

    As Oscar Wilde said of second marriages "the triumph of optimism over experience".

    Are you really suggesting that, after several years, XP has no vulnerabilities left undiscovered?

    The advantage the linux hacker has, of course, is that he/she has full access to ALL the coding - which is why its hacked so much more often than Microsoft produts, isn't it?

  15. IR

    It doesn't matter

    It doesn't matter what the story is about, if it mentions Apple/MS/Linux or anything vaguely related, people write bad comments about it or the competitors.

    Here's a quick template to save them coming up with something even vaguely original:

    *Delete were appropriate

    Apple/Microsoft* are awful, why does anyone use the overpriced stuff created by them? The should try using a proper operating system like OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro*. I had a OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro* system and it was awful, so many problems with it. In the end I got OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro* and it works great. The Apple/Microsoft/Linux* fanboys should stop licking obs/Gates/Ballmer/Linus* by ignoring the failings and start using free/stable/flexible/innovative/intuitive/secure* stuff like me. Take your JesusPhone/Microshaft/Freetardware* and shove it!

  16. Sceptical Bastard

    @ Morely Dotes

    Quote: "Vista; even Microsoft isn't aware of all the exploits."

    Waddya mean, "even"? Microsoft seems less likely than most to be aware of Windows exploits - or, rather, to admit they exist.

    Your remark about IE's designed-in code execution is cock on.

  17. Anonymous Coward
    Anonymous Coward

    Wait a minute couldn't they

    just sell the vulnerability + exploit code and buy whatever they wanted this contest rule doesn't make any sense.

  18. Sampler

    Comfort default

    If you're used to writing exploits for windows machines wouldn't you go for the Vista box as it'd be the easiest for you?

    The counter to that people may avoid the Vista machine just for the sake of proving linux/mac isn't secure - as you're only allowed to target one machine you'd have to pick one.

    Also the shiny aspect has been mentioned - butt ugly flakey fuji, sexy sony or sleek air?

    All the air's and graces of a fair fight but still not cutting it - you can never get a fair balance due to the above, and other, circumstances.

  19. Webster Phreaky
    Jobs Horns

    @Morely Dotes, Funny ... OS X was the loser LAST YEAR!

    How do you Apple FUDS account for that??

    And as for the inane comment "Dumb prize", a computer is a computer whether it's a notebook or a desktop. The target is the OS, not the conveyance, dope. A MacBook Air is more attractive when it's free than having to buy the under-featured POS.

    I'll have plenty of Catsup for you MacTards to eat your Crow with. Keep watchin.

  20. Don Mitchell

    @John Doe

    John Doe got it right, the biggest security hole on any computer is the user.

    If you really want to count security holes, you can always look at the CERT advisories. Over the years, the number of threats has been remarkably close to equal for Windows and Linux.

  21. Chris

    @The problem with this. . .

    "That is horribly unfair, because Apple in particular fails to fix vulnerabilities even after they've been reported. This skews it horribly in Apple's favor. After all, what other company sits on a publicly disclosed security vulnerability for a year and STILL doesn't fix it?"

    ...erm... Microsoft?

  22. Anonymous Coward


    Couldn't have said it better myself, nearly spat coffee all over my keyboard after reading that.

  23. Anonymous Coward
    Paris Hilton

    +1 for IR

    Well said that person!

    Also, i was under the impression that the going rate for an unknown vuln was on the order or several grand anyway. so....

    ~£700 - £mackbook pro and 1337 glory. (and 10k prize for the last compo? nice! assuming you win...)


    fair bit of cash for selling expoit to legit people (no time limit)


    loadsa £££ for going black hat on peoples a$$es (both selling and using exploit) (no time limit)

    besides, whats the point in finding a shiny new exploit when there are plenty of known ones that are not yet patched?

    as paris might say:

    glory is nice, cash is better. ;)

  24. Glen Turner

    Soft Linux target

    I would have thought that Fedora running SELinux would have been the harder Linux target. Zero remotely exploitable flaws to date.

    My coat is the one with Mandatory Access Control.

  25. Steve Todd

    And to think

    that we were getting worried that Webster might be sick or have expired from excessive spleen. Back to his usual rabid form after all. If you don't want to buy something then don't buy it. No need to make it your mission in life to insult the item and anyone who does actually buy it.

  26. Chad H.
    Thumb Down

    Pwn2Own 2007

    And here is the articles from last years:

    Way they're written suggest that is that Mac was the looser because it was the only contestent (can anyone confirm).... Gee Webster, hardly a fair fight if the other guy doesnt show up.

  27. some person

    uh, what? a contest? maybe you need to go to journalism school

    What the hell kind of article is this, anyway? It seems more like an advertisement for the "contest" than an actual, objective, researched account of the event-to-be. You're implying that such a "contest" can *end* or serve to be a talking point for fans of one operating system over another? One commenter already pointed out that CERT numbers over the year are very close for Linux and Windows, there's no mention of how different the code bases are, how mature any of the individual products are at the time of the "contest," nor does it mention how absurd it is to call such a thing a fair competition at all. Sounds more to me like you either have no idea what you're talking about, you're one of those who actually thinks Fox News is "fair and balanced," and/or just wanted to plug the event and get another dollar for posting another article. Too bad the register doesn't pay for quality instead of quantity.

    As for those who are wasting your time and ours touting the wonders of your operating system, hey, let's have an subjective argument about car brands next! How about shampoo! Because we've all had *exactly* the same amount of experience and training and marketing spewed at us for every brand of shampoo and every brand of car, so certainly we can form rational, logical opinions on which is the 'best' for every or any situation. Christ, people, flame wars were so last century. Stop wasting the bandwidth of those of us who want to use the internet for more than a giant circle jerk.

  28. Joseph Haig

    Re: Soft Linux target

    "I would have thought that Fedora running SELinux would have been the harder Linux target."

    Agreed. I have enough trouble running things normally with SELinux installed. I wouldn't even know where to begin with a remote exploit.

    ... and my coat is the one next to it. The one with all the sleeves and pockets sewn up.

  29. Will Godfrey Silver badge

    @ some person

    You forgot to include the (still unresolved) issue of whether valves are better than transistors.

    Mine's the one with the 1968 Newnes Valve and Transistor catalogue sticking out the pocket.

  30. James O'Brien

    Common Reg

    Let us know how this turns out. I for one want to know which falls first though for all intents and purposes I think whoever tries the Vista box will get so frustrated with the UAC on Vista they will probably crack the laptop faster by hitting it with ol' trusty the sledgehammer. But let us know :)

  31. Anonymous Coward

    shampoo and cars

    i often find head and shoulder leaves my hair nice and managable where as herbal escences and pantenne make my hair feel frizzy. so head and shoulders ftw

    i think the newer model fiesta look spiffy, but have never driven one.

    ok ill bite

    yes the article is obvious flame bait - sorry - "a thoughtful piece intended to encourage debate" but it hardly warrants your level of vitriol.

    the contest is between the *people* and assuming the CERT metric makes all Os included "very close", then *it doesnt matter which system is hacked first*, only how fast the person is.


    "Stop wasting the bandwidth of those of us who want to use the internet for more than..." looking down our noses at people who dare discuss things?

    or to sum up

    "Stop wasting the bandwidth of those of us who want to use the internet for more than..." Trolling

  32. Elrond Hubbard
    Thumb Down

    And who knows...

    After they're done they might even get up the courage to talk to a real human girl!

    No sorry, I'm just being daft now.

  33. Martin Usher

    Its probably a PR stunt

    Its another attempt to demonstrate "Look, see, Windows is as good as OS-X and Linux!" (They might shoot for "better" but that's probably too ambitious.)

  34. Peter W

    re: cert statistics

    from the register itself

    "We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold."

    looking at cert numbers alone is pointless.

  35. Ed

    36 issues fixed

    Lucky Apple fixed 36 security issues yesterday :)

  36. Schrock

    You all miss the point

    The problem of security holes is nearly pointless. Windows doesn't need to be attacked, it runs slower and slower each week from the minute you buy a new computer until it is so slow that it is worthless. Linux doesn't work with my printer or my wireless card, and the free freaks drop subsysyems that work for things that don't simply because they have more utopian licenses (sound and printing) OS X is worthless by itself without $$$ of purchased software and cost $$$ for every minor update and codebase patch.

    I have all three, and an exploit would be refreshing, better than products that I pay good money for that in one way or another render themselvers inoperable.

    They all suck.

  37. Chris iverson


    F*cking Brilliant.

    I wager the first system is broken when person A hits person B and C with brick and throws all three on floors, jumps on them, etc

    Mines the windbreaker with the Commodore 64 behind it

  38. Anonymous Coward
    Anonymous Coward

    You don't get it, do you?!

    The SOLE purpose of this event is to uncover new vulnerabilities which aren't yet known and obtain full disclosure of how they can be exploited. It has absolutely nothing to do with comparing different products.

  39. Jon

    My guess is unbuntu

    personally, i think i think they shouldn't install third party software, just defaults with full patches.

    The quicktime exploit last year would have also worked against windows, but the exploit writer was quoted saying he targeted mac on purpose 'because of smug attitude' (because i wanted to join the smug club)

  40. This post has been deleted by its author

  41. Martin Owens

    I bet that

    The attacks on the Linux machine are going to focus on skype, a proprietary application or driver is not easy to secure or to test for security problems. I find the very idea of having skype on the linux machine to be unfair.

    the above post is right, all operating systems suck; the question is what the hell are you doing about it punk.

  42. Nexox Enigma

    Seems rather boring to me

    Of course They had to choose Ubuntu, which is one of those excellently loaded distros that runs god knows what services by default. They should have thrown in some BSD just to make it interesting. And some machines that anyone would actually want to own (I mean have as personal property... not crack...).

  43. Ian Damage

    Not exactly a balanced contest...

    Few problems as I see it..

    1) Different hardware in each lappy. There may be a vuln available in one particular laptop that isnt available in the other 2. BIOS, manufacturer drivers etc

    2) This is a test of stable OS. I dont know anything about OSX, but Windows you cant just "install the OS", where you can with any form of linux. When does it stop being a test of OS, and more a test of "which 3rd party dev writes the shittiest code?"

    3) Last year it was won by hacking an application, Quicktime. This year, the Vista box could be hacked via Quicktime, or the Mac box hacked via Office for Mac. Do you honestly think Microsoft would spend as much time on stability/security on a product for a competitor compared to one for their own market. Think Apple would return the favour?

    Mine the tartan trenchcoat with "Cyncial Prick" on the back.

  44. Michael Segall

    Seems a bit odd

    Shouldn't the prize be the 2 computers that resisted hacking?

  45. Slaine

    best tool for the job

    ... given the competition permits a hardwire (cross-over cable?) link - we must assume that the target system is in the room... so the most effective tool for getting anything out of this system is a philips screwdriver.

    In all honesty though, as we already know, the easiest system to hack is one that was designed or operated by any member of a british government agency.

  46. paul


    "The advantage the linux hacker has, of course, is that he/she has full access to ALL the coding - which is why its hacked so much more often than Microsoft produts, isn't it?"

    Kinda, there are lots of theoretical vulnerabilities that are patched regularly - as people can see the code and guess. But I hate to disappoint you - there are not that many real world exploits.

  47. Peter Gathercole Silver badge

    @Don Mitchell

    I think if you read the CERTs, you will find that a large number of the Linux vulnerabillities are theroetical, unexploited problems that have been identified by examination of the code. Do you really think that the buffer overrun security pronlems were all discovered by experimentation? Many of these problems have not even got example exploit code published.

    So, which do you trust more. The code that has been examined and found that there may be theoretical problems (which are fixed reeeal quick), or the code that has definite exploits published, and may not get patched for months. Just imagine how many problems are likely to be found in Windows if the code was open, if there are this many discovered by experimentation.

    Please don't just count the exploits, examine them in detail, and you then won't compare apples and oranges.

  48. Anonymous Coward
    Anonymous Coward


    The reason that they will be running Ubuntu is that it is probably the most popular/mainstream Linux that regular people would try.

    Fair enough if some other distro is more secure "with no known exploits" but if a regular person like myself can't install it becuse you need and command line stuff then we would just go with OSX, Vista or Ubuntu.

    This is a comp to find the flaws in the biggest/latest distros of each and not a competition of which version of an OS has the most secure version.

    I'm sure someone could write a Linux distro that was 100% remote secure but if an everyday user can't use it easily then it is useless for everyday people. Thats also why they are having common apps installed on all of them, because people use them. If you had a OS with no apps then it kind of serves no point except to heat and light the room slightly!!

  49. Anonymous Coward
    Anonymous Coward


    I don't get it.

    If you have a fully patched machine without viruses or trojans etc, and you have a Norton / McAfee / TrendMicro etc. type firewall with all the ports except internet and email locked down, are you still vulnerable to be taken over completely from the Internet?

    What about if you also have a modern router with an ADDITIONAL firewall?

    Surely that must be safe? Or is this competition not using firewalls and third party security products?

  50. KarlTh

    On the money

    are the posts pointing out that the real weak point is the WetWare. I'd wager that 90% of *real world* inappropriate disclosure of computer data (which is what actually matters in the end) and creation of botnets comes down to social engineering.

    Even on the notoriously hackable XP/2000 + IE combo I reduced real world infections by Malware by about 99% by finally separating users from the admin rights which they'd historically become accustomed to believe they were entitled to have and run with - admittedly, at the time when the only remote mass configuration options we had were NetWare login scripts, which run as the user logging in, this was pretty much true. But I digress.

    A better use of time than this contest would be finding the writers of software who expect the user to have admin rights on Windows boxes and putting them up against the wall. Mind you, they'll be out of a job soon anyway because their shite won't work on Vista with UAC.

  51. Malcolm McLachlan
    Thumb Up


    Spot on! I am so tired of FanBoy wankers and their skewed opinions

  52. Magnus

    @Michael Segall

    The contest doesn't end when a computer gets hacked. People can still try and get the other two (and claim the bounty on finding the exploit which compromises that computer as well).

    As people above have pointed out it isn't about which platform is the "most secure" but about finding possible vulnerabilities for the major plaforms with a fairly standard hardware/software setup for each platform.

  53. Mark Roome

    Re: It doesn't matter by IR

    Well done that (wo)man, well done indeed.

  54. Robert Harrison

    The competition could be easier...

    ... It could include a 'user' sat at each laptop who you would have to trick into installing your malware/exploit to make it more like reality (alongside attacking just the machine itself). I reckon if you got some 'uninitiated' regular users to act as the 'marks' the competition would be over in minutes. :o)

  55. Paul

    I don't realy get the point...

    ...of arguing which is the most secure. Realy that is only a small part of why you chose an OS. Personaly I think the best OS, and probably one of the most popular (I have 3 computors running it) is the Bosch engine Managment system :-)

  56. Steve Evans

    @John Doe

    Very very true...

    Email: Please click the link below to see naked pictures of [insert celeb here]


  57. Anonymous Coward
    Anonymous Coward

    Admin/root code

    "The first person to remotely run code on each one gets to take the machine home"

    The competition should be for the first person to remotely run code as the "administrator/root" as this would demonstrate that the machine has been fully compromised.

  58. Anonymous Coward

    no need for competition

    There is plenty of the usual fanboy rubbish being spouted on here... even the first comment is excusing windows. People can't just wait and see based on the rules supplied, they have to get in there already and justify their view.

    Personally i would expect someone with real skill to get into any of the three. However since its going to be pros who are likely to win, i still feel more secure using a unix based OS (i.e. both the non-vista machines).

    Also for you windows fanboys, dont take it too personally, windows really is crap.

  59. Christopher Rogers
    Thumb Up

    I don't get it

    Whats with all the rants? Someone has decided to run a competition to give people the chance to win a computer if they can develop a hack. Where's the harm?

  60. brimful

    I so badly

    want all the hackers / crackers to target the apple laptop first. The reasong behind this is that apple claims to be more secure than windows. I'm not a MS fanboy but I absolutely detest the over-priced under-spec'd systems that Apple puts their badge on. Since the apple laptop (yes the mac air, mac book pro, mac whatever IS a laptop / PC) will be the first one to fall, surely then it'll be less secure than windows? I use the reasoning that a bank vault is pretty secure even if unlocked as long as no one wants to break into it. But that same bank vault will be less secure if an army of umpa lumpas used molten chocolate to fight their way in.

    Flame: because I really want apple to burn.

  61. vincent himpe

    I'll gladly donate my laptop

    running fully patched DOS 6.21 to anyone that can hack into it using either a wireless connection or crossover cable.

    That'll prove once and for all that DOS is the most secure of them all !

    Mine's the one with the two 360K single sided 5 1/4 floppy drives. ...

  62. Anonymous Coward

    3 OS's, 3 attacks?

    wouldn't a fair contest be when all the contestants try to hack one OS at a time. with the OS running with out on 3rd party software. this would mean that the hackers would all have the same target with the same problems.

  63. Tom Hawkins

    Oh for God's sake...'s not a scientific study or some kind of cracker world championship, it's a publicity stunt aimed at raising the profile of security on all platforms (as well as the profile of the people who are running it). Which is a good thing, right?

    Anyway, how are you supposed to pronounce 'pwn' - I always assumed you said 'own' but that would make the name of this competition sound like the name of a former cheapskate mobile operator as rendered by a non-English speaker, which can't be exactly what they had in mind.

  64. Dana W


    "Flame: because I really want apple to burn"

    Neither my Mac, nor my Ubuntu box can be owned merely by going to the wrong WEBPAGE! The Only way Vista will win this is if Microsoft is sponsoring the contest.

    Smile: Because even 90% of Windows people know Vista is utter trash.

  65. frymaster

    The setup will be key

    If all it's doing is sitting on the 'net - and not being used - XP SP2 is pretty secure - the firewall may not be very powerful but it's up to the job of stopping unsolicited incoming connections, until the spyware you pick up off some dodgy website punches large holes through it, at least. I can't imagine Vista is much different.

    Conversely, Ubuntu comes with no firewall configured. The blessing and curse of linux - configurability - means that it doesn't come with, say, firestarter, because some people (like, er, me) like to hand-hack their iptables scripts, and some other people don't want a firewall at all. (Funny how the blessing and curse of linux is the curse and blessing of windows, eh?)

    Personally my gut instinct (that and a second mortgage will get you a cup of coffee at Kosta) is that a well-tuned ubuntu box is more secure than windows, that ubuntu is not tuned specifically for security out of the box, that ubuntu is easier to tune than windows, and that windows is fairly well tuned out of the box.

    The question is, how are most net-connected machines out in the wild configured?

  66. Josh Owen

    @Webster Phreaky


    I laughed so hard I nearly fell off my chair!!!

    Mac fanboys really do get on my wotsits.........

    Security by obscurity doesn't work......What a surprise.........

    The fact that it lost last year makes it all the more amusing!

  67. g00p

    oh dear..

    ..aside from the obvious point that any box is secure as the owner makes it..

    surely having seperate people attempting the task makes it an unfair test immediately

    they should have 2 "competitions"

    one to find the most skilled sys admin, having one winner for all three platforms. and another to find the most skilled hacker, once again having one winner for all three platforms

    present the three computers to the sys admin winner and ask him to secure them as best he can

    ask the hacker to break into them as required, timing each attempt and also looking at his/her methods

    even then it wouldnt be a fair test.


    i disagree with all of it.

    pessimism ftw.

  68. Wolf
    Paris Hilton

    Stupid Contest because... only takes ONE (count 'em ONE) exploit to compromise any OS. Just ONE. Forget the 50,000+ vulnerabilities you've patched in whichever OS you develop, it only takes a single unpatched critical hole and your previous efforts are for naught.

    Does nobody remember this? Reminds me of the Terry Pratchett book with the fight between the little dragon and the massive monster that was King of Ankh-Morpork for a whlie.

    The little dragon had to be lucky every single time the big dragon attacked. The big dragon only had to be lucky *once*...

    We're asking for humans to create perfection. Isn't going to happen.

    Paris, because she's a pretty girl.

  69. Anonymous Coward
    Dead Vulture

    @AC re ubuntu

    it looks like you think if any muppet can't use something it must be flawed in some way.

    If a 'regular person' like yourself can't do something, how about you maybe put a little effort into it instead of demanding that everyone else cater to the lowest common denominator?

    -consider that it's at least plausible you are not in fact 'an everyday user', but a lazy twat who expects others to solve their problems, whilst telling them how wrong they are about everything.

  70. Flocke Kroes Silver badge


    "If you have a fully patched machine without viruses or trojans etc, and you have a Norton / McAfee / TrendMicro etc. type firewall with all the ports except internet and email locked down, are you still vulnerable to be taken over completely from the Internet?"

    A firewall inspects all the packets of data arriving from or going to a network interface, and then decides what to do with each on according to a list of rules. A firewall can reject a packet, ignore it, forward it, redirect it, log it or some combination of the above.

    Send whatever you like at my telnet port, and you will not achieve anything useful - even if the firewall leaves the port open - as I have nothing listening on the telnet port. Setting the firewall to blocking outgoing packets with a destination of port 80 can make a machine more secure at the expense of making it difficult to access the internet.

    The competition is based on cracking computers that have (more than) enough software working to make them useful, so the firewall rules have to be quite lax.

    "What about if you also have a modern router with an ADDITIONAL firewall?"

    A second firewall is only going to do the same thing as the first firewall, and is only of value if you think the first firewall is defective.

    Once some data is past the firewall, it is up to some application to treat all the data from the network as suspicious. Some applications do a worse job than others. Any bug in an application that causes network data to be trusted without rigorous checking is is a weakness that can be exploited. A badly designed application will give the exploiter root/admin access at once. A better design gives the cracker only the authority that the application needs, so she need a local elevation of privilege exploit to get root/admin rights.

    As far as I know, Norton / McAfee / TrendMicro antivirus software is more than just a firewall. They also examine files and processes for clues that they are not a virus/trojan/worm/root kit. This adds an extra hoop to jump, but as I have not used windows for over a decade, I have not bothered to find out if it is a significant barrier.

    "Surely that must be safe?"

    Safe from what?

    If you get access to my desktop machine, you can change what TV programs I record. I have not made a huge effort to secure it is not worth anyone's time to crack it. It is acceptably safe for me.

    If you crack my laptop, add a key logger without me catching on, get my gpg password and my encrypted password file, you could play with my bank accounts. Find a gullible mule to launder the money for you, and you get a few thousand. I have added enough personalised security to make this not worth your time. Again, it is acceptably safe for me.

    An individual installation of XP/Vista/Linux/OSX/BSD may not guard much value, but when a single image is installed on thousands of machines, the budget available to crackers will be far in excess of what any individual is prepared to spend on defending the machine. I would not use a large mass produced software image to defend anything that I could not easily replace. Other people have different opinions on what is safe. If I had ten years of experience securing XP, I might have different opinions too.

  71. Paul Williams

    @Nexox Enigma

    In answer to why there is no BSD linux laptop, there is its the OSX one as OSX is just a proprietary version of BSD. Have a look at top of the flavors of BSD is Apple OSX.

  72. Red Bren

    Le Mans Start?

    To make things fairer, why not start with blank hard drives and deduct the time taken to install the OS from the time taken to find the first exploit?

    I still think the penguin will win wings down...

  73. Wayland Sothcott
    IT Angle


    I agree that they should allow a more real world challenge. Known valnerabilitys should be allowed, afterall, if they are known then surely they should be fixed.

    The fact that the attacking computer has a user and the victim does not have a user seems a bit unfair. Also the use of a crossover cable seems a bit limiting. Perhaps a hub might make things more interesting, for that matter a router would be even better. Everyone in the world could hack and defend against everyone. It would be just like the real Internet. Hang on....

  74. Richard Cartledge

    The same vulnerability can't be used against more than one box

    The same vulnerability can't be used against more than one box - how can that give a balanced result. The results will be skewed by the attractiveness of the platform for the hacker to hack, something which the organisers say is specifically intended not to happen.

  75. Anonymous Coward

    It should be...

    Whats easiest to hack, ubuntu virtualized in vista virtualized in OSX on a macbook air, or solaris virtualized in vista virtualized slackware. Or we could put red hat inside an XP pro box inside a.....

  76. Tobias Liebhart
    Thumb Up

    @Webster Phreaky

    Always thought you were just trying to make other people (fanboyz of whatever kind) angry because your comments were so ridiculous they had hardly any insight or knowledge. Just provoking. Nice to see some self-criticism from your side, makes me easier to tell that I'm a Mac Lunatic (aka idiot) ever since I was touched by this dark side (at the age of 5)

    But I think you should get a real life some time, because there's only so much to say about any platform without repeating yourself ;)

    That said - grow up you fanatics

    There's no such thing as: One OS to rule them all. Every OS has its uses.


  77. Anonymous Coward
    Anonymous Coward

    They can't permit attack of known vulnerabilities for a reason

    ... it is a time-limited competition - whoever cracks whichever machine first, wins. Therefore, what point is there in allowing attack of known vulnerabilities? It would just turn into a competition to see who could install and run their pre-rolled (prior to the competition) exploit the fastest.

    Excuse me while I roll my eyes at the fricking morons who continually post here at the Register.

  78. Mike Moyle

    I'd like to see one additional piece of data.

    What would make this particularly interesting to me is if the sponsors had some way of tracking the number of discrete attacks on each machine during the contest.

    That is, at the point that laptop "A" gets pwned, I'd like to know what number of attacks it sustained, compared with "B" and "C".

    I don't suppose that it would really make a difference, I'd just find it interesting to see it graphed out, since it would presumably imply something about the contestants' mindset - which one they felt they were likeliest to be able to get into.

    On the other hand, it might be really amusing if some attacker managed to "piggy-back" on another's work - either intentionally or inadvertently - an independent attack by attacker "X" that strikes right after attacker ""Y" has caused a buffer overflow, say, but before "Y" can follow up on it... I'd suggest a Texas-Cage match to see who gets to take the laptop home, in that case.

    Of course, if someone were REALLY devious, they could spend the duration of the event trying to subvert all of the other contestants' machines on the network while they are all busy frantically trying to break in to the "official" target boxes. That way, the "winner" might go home with a new laptop, but the REAL winner would "go home" with fifty!

  79. Paul Rafter
    Paris Hilton

    Did somebody say?

    That all you can install on a PC is Windows, Linux or DOS? Where have you been for the last three years?

    Paris because the poster responsible for that piece of info is having a blonde day

  80. brimful

    @Dana W

    I admit that Vista is completely rubbish hence why I haven't installed it even though I have a MSDN license. The reason why I want Apple to burn is bacause MS doesn't come out with some dodgy advert about the naughty step. Couple that with apple products being over priced, under spec'd, over sexed up, and shamelessly being the bimbo of the computing world, and you get a huge friggin explosion.

    Flame: cos I want apple to burn, I want the mac brand to burn, I want the ipod brand to burn, and I want Jobs to burn. Actually scratch the last part. Instead I want jobs to march the apple fanboys off a cliff and then march off after them as well.

  81. J


    "CanSecWest's Pwn2Own contests are useful because they allow us to isolate the technical strengths and weaknesses of a given platform from its popularity."

    Kinda... I have a hunch, from my own uninformed guts, that a skilled hacker will be able to target and own any "regular" system hooked to the net. Also, I think that that's is fundamentally very different from the automated exploits, worms, whatever in the wild. That's more of a concern to me: which system is less vulnerable to the script kiddies? Because I have no reason to fear being targeted by a skilled hacker. But anyone who connects to the net is automatically and fully exposed to the automated stuff, so that's what's much more worrying.

    Can't they devise a competition to check for that instead?

  82. dave lawless

    3 shithole OSes

    Why don't they do it with something that has actually been written with security in mind.

    Single user no network OSes with multiuser capabilities hacked on will always lose.

  83. Steve Todd


    You can argue about Apple being over priced, but under spec'd? The MacBook Pro is one of the fastest Vista notebooks available. Stand Apple models up against decent brand name Wintel kit and they compare pretty well. It's not until you get to the bespoke or kit-built boxes with nutter bastard cooling and go-faster stripes that you can significantly out-perform them.

  84. Bounty


    We're all going to die, so life/everything is just a giant circle ..... so get used to them. In the meantime, this looks like a fun contest for anyone who doesn't regularly get paid more for exploits, or want's to pad their resume with some publicity. And it's fair if you look where they're comming from. They want 0-day, that's why they have the prize. Using know exploits would just be boring, Joe Turk doesn't get bonus prizes for defacing websites regularly!

    They set them up with some common apps, some default settings. Sounds fair to me. Own a box to own the box.

  85. Matthew Barker

    Love match between the "trolls" & "fanboys"

    The heart has been repurposed for this post...

    Quite impressive...15 times Anonymous appears.

    The string "tard" only appears 3 times in this page (until this post). And one of those was Bastard. I think this might be a good sign.

    Fanboy (or variants fanbois, fanboyz) appears 10 time (again, +1).

    Not *very* creative.

    I think the Reg's comments pages are becoming chatrooms for the pairing of "trolls" and apologists.

    Maybe a dating service could be established...or "no-holds barred" mud-wrestling match to be webcast from the Reg website. In the latter case, my prediction is that more so-called fanboys will show up than "trolls". "Trolls" usually seem to like the cover of anonymity – or am I playing a troll with that last comment? Also, I predict the first whining will be heard from the "fanboys". But, in my experience, trolls are also prone to wingeing.

    In any case, I favour the dating service. Then they can all look meaningfully (and contemptuously) into one-another's eyes and breeding a new generation of American corporate CEOs, leaving room in the comments pages for any really meaningful and thoughtful commentary.



  86. Mike Lovell


    "I admit that Vista is completely rubbish hence why I haven't installed it even though I have a MSDN license"

    I always here this shit. "Vista is completely rubbish" then you ask them "How long you been running it", then they usually say "I'm not running it" or "I installed it, didn't like it, then installed XP again". Oooo, scary change!!!

    Do we really have to do this EVERY time something new comes out!


  87. Stewart Haywood

    The most secure machine is

    One running Vista with SP1. It won't even boot!

  88. plastical

    @Ubuntu by Anon Coward

    "Fair enough if some other distro is more secure "with no known exploits" but if a regular person like myself can't install it becuse you need and command line stuff then we would just go with OSX, Vista or Ubuntu."

    Command line stuff. Because It's all so scary. Amateur.

    "I'm sure someone could write a Linux distro that was 100% remote secure"

    100%. Totally, completely and utterly. I could do that now, including a pair of wirecutters and my ethernet cable.

    "if an everyday user can't use it easily then it is useless for everyday people. "

    No sh*t, sherlock. And if an everyday user can't use it they shouldn't be using a computer in the first place.

  89. Jach

    Kind of Interesting

    I'd like to see the results, even if the contest is a little screwy. I think they should allow use of known bugs, because a large majority of attacks are from known bugs.

    And I'd rather see something like Gentoo.

  90. Scott

    @ Mike Lovell

    "I always here this shit. 'Vista is completely rubbish' then you ask them 'How long you been running it', then they usually say 'I'm not running it' or 'I installed it, didn't like it, then installed XP again'. Oooo, scary change!!!

    Do we really have to do this EVERY time something new comes out!


    You're absolutely right, if not a bit harsh.

    However, I've been running Vista Home Premium for about 5 months now, so I speak from experience when I say that it definitely shipped before its time. In fact, Vista just crashed this morning and refuses to boot at all (even booting to the "recovery partition" won't work). I know this isn't a hardware problem because I can boot Ubuntu just fine and mount (and access every part of) the NTFS Vista partition.

    I guess it's time to dig out those recovery CDs... At least I can use Ubuntu to save off my documents and other important files to a USB drive or something.

  91. Wolf

    CP/M for the win! :)

    Commenting on the poster who said a secure OS was the only way to go. Sure, use CP/M! No networking=no networking attack vector! Absolutely uncrackable remotely.

    I win... (laughing)

  92. Matt Caldwell


    I thought the main attractiveness of UNIX (and thus LINUX, the free copy) was that it was coded with multiple simultaneous users in mind, ie I thought it was not like Windows where they took a single user system and hacked multiuser capability (kinda) into its backdoor.

    I'm positive that I have read this from multiple credible sources.

  93. heystoopid

    My My

    My , My , the flames are high today !

    Let the games and the flames continue !

  94. Christian Berger


    The setup is completely unrealistic.

    First of all you may only use unknown security problems. Keep in mind that companies like Microsoft are horribly bad at patching them even if they are known. Internet Explorer, for example still has ActiveX support althought it's a known security hole for about a decade now.

    Second not all machines are patched equal. Windows machines barely get patched because of various reasons. One is that the typical fix for a broken Windows system is to reinstall it. The install-medium automatically sets it back to the unpatched version.

    So the realistic test would be to just clone some random boxes from companies and individuals.

    Of course, one also has to include the user. For example the simplest way to get your code executed on a Windows box is to set up a website offering a "free download", or bundling it with a crack to a popular software programme. Windows users essentially will run any .exe-file they get ahold off. And the typical way of searching for software is typing "name free download" into a random search engine and clicking the first link.

    Windows and MacOSX just make dangerous things to simple. That is the reason why I currently wouldn't give my parents such a box.

  95. Mark

    It's an unfair test

    I mean, who wants any computer with Vista on it???

  96. Mike Lovell


    "You're absolutely right, if not a bit harsh.

    However, I've been running Vista Home Premium for about 5 months now, so I speak from experience when I say that it definitely shipped before its time. In fact, Vista just crashed this morning and refuses to boot at all (even booting to the "recovery partition" won't work). I know this isn't a hardware problem because I can boot Ubuntu just fine and mount (and access every part of) the NTFS Vista partition."

    Well in your case I'll allow the criticism! All these other sheep though, they get right on my tits.

    "Brimful" is definitely a tosser though, I stand by that.

  97. kain preacher

    @By Wolf

    some one made ac64 web server.

    try hacking that,

  98. Anonymous Coward
    Anonymous Coward

    can we have one of those prebuilt Phorm Box on that table too please ;)

    the perfect story...., put a prebuilt Phorm box on that table and you guys can then tell us just how secure that really is going to be ;) have had some interesting answers to questions they posed to Phorm (see

    page )

    *Q8. Are Phorm's servers within the ISP prebuilt (OS & software wise) by Phorm, or are they built

    by ISP technical groups following instructions given by Phorm?*

    A8. Prebuilt by Phorm.

    *Q9. Is all Phorm proprietary software delivered in unobfuscated source form to the ISPs and

    compiled by trustworthy employees of the ISP?*

    A9. No, ISPs don’t get access to the source code.

  99. Andrew Underhill


    Well I tried Vista Ultimate, but gave up and went back to WinXP. Not because Vista was a security nightmare (UAC was a pain), but rather that it performed badly compared to WinXP and openSUSE 10.3.

    BUT it was very pretty and i do seem to spend a lot of time trying to make Suse look prettier (!)(=slower?).

    So with WinXP, and SUSE 10.3. I _suspect_ SUSE is more secure because there is less crap that I know about is running on it, whereas, XP probably has stuff I don't know about running on it.

    So *nix = I know about (ish) and can fell happy that its ok, but

    Windows = know less about and so have to rely on Microsoft efforts to keep it safe (they do issue a lot of patches dont they).

    Which would I trust? *nix because of my background........


    The value of the test? Not which O/S is best, but rather which exploit can be found that can then be fixed.

    (Penguin because its not a tart)

  100. Elrond Hubbard
    Thumb Down

    Nice try

    I'm not going to read or skim all 100+ comments, but here's what I've got to say:

    Are you fucking kidding me? You'd want me to give up 0-day exploits for a fucking laptop? Not that you should, but a 0-day to the right people can be worth 30 of these crap laptops.

  101. Anonymous Coward
    Anonymous Coward


    only 30 times E;rond, to a whitehat perhaps, but it must be assumed if a Blackhat had just one 0-day for the Phorm interception for profit boxes mentioned above in presumably jest, then that would be priceless?

This topic is closed for new posts.

Other stories you might like