Pwn to Own–Real-Life Edition

April 28th, 2008

Remember the recent “Pwn to Own” competition, where it was claimed that Windows security was so much better than Mac security, because the Mac was cracked nearly instantly on day 2, but the Windows machine lasted until day 3?

Well, people are learning the hard way that these competitions don’t necessarily reflect real life:

Hundreds of Thousands of Microsoft Web Servers Hacked

Hundreds of thousands of Web sites – including several at the United Nations and in the U.K. government — have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines.

Could it possibly be that this Windows flaw was not used at the competition because it was worth a lot more in the real world than it was in a hacker’s competition? Um, duh. Were such hacks not so valuable on the black market, the Windows machines at the competition probably would have been hacked immediately. That doesn’t mean that Windows is more secure–precisely the opposite, in fact. Mac hacks are worth so little that hackers would rather use them to get a free laptop. Windows hacks are valuable enough to sell to people who want to do serious harm.

So far, Mac security woes remain almost completely on the hypothetical level: reported vulnerabilities, proof-of-concept malware, and hack-purely-for-show demonstrations, which are almost the only examples used to claim that Mac security ain’t so great. The only other examples are social-engineering trojans which depend on tricking humans into circumventing the OS security, and even those number at two, possibly three.

Windows security, on the other hand, comes up short in the real world: tens of thousands of pieces of malware, worldwide virus and worm threats, attacks causing disruption and a great deal of time and money spent on containment and repair, and countless attacks on personal machines. Just this last week, my boss told me that his browser became completely useless because every time he tried to go to a web site, porn and other spam links were substituted; his security software (kept up-to-date) somehow missed it in screening and could not repair it, and so now he’s going to have to reinstall the entire OS and all his software. Many of my students who use Windows have reported similar problems, and I have had several friends over the past few years tell me about malware wiping out their Windows systems.

I know tons of people who own Macs, and despite none of them running any security software, none have ever reported any such problems.

So, when you read those editorials about how Windows actually has “better” security than Macs, understand that such reports do not always reflect real-world situations. Maybe this will change at some point in the future, but sure as hell not yet.

  1. Pensive Koala
    April 30th, 2008 at 12:34 | #1

    Before I go on to take issue with some of your logic, I’d like to show you something that scares me a lot more than the attacks (which you picked up on with admirable speed, by the way):
    http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html

    Yes, Microsoft really does possess a complete back door into every Windows computer, and yes they really have given it to law enforcement. Brilliant. Wonder how many days it’ll take the thing to hit BitTorrent now that the public’s heard about it.

    Now, moving on to your post itself. First of all, this exploit doesn’t really apply to a CanSecWest style situation; the Windows exploits it’s using on those who visit the web page have already been fixed. What’s new is the attack on the server, which wasn’t really at all applicable to hacking into a workstation.

    Of course, that’s because it’s worse.

    Second, there are three very good reasons Macs aren’t USED as servers, whereas Microsoft has about 10% of the server market last I checked: the hardware’s very hard to customize, both the OS and the hardware are very expensive, and it just isn’t designed for it. Mac was designed for the middle-class or more wealthy person’s workstation. Windows can get the job done, it just has crappy security and high downtime.

    On the other hand, there’s Linux and BSD, which trump both Mac and Windows in terms of security by miles, and which have about a tenth the downtime of Windows servers (Mac, of course, doesn’t make servers). Oh, and right, they’re free.

    Yeah…there’s a reason Linux has 90% of the server market share. It actually, you know, works.