Pwn to Own–Real-Life Edition
Remember the recent “Pwn to Own” competition, where it was claimed that Windows security was so much better than Mac security, because the Mac was cracked nearly instantly on day 2, but the Windows machine lasted until day 3?
Well, people are learning the hard way that these competitions don’t necessarily reflect real life:
Hundreds of Thousands of Microsoft Web Servers HackedHundreds of thousands of Web sites – including several at the United Nations and in the U.K. government — have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines.
Could it possibly be that this Windows flaw was not used at the competition because it was worth a lot more in the real world than it was in a hacker’s competition? Um, duh. Were such hacks not so valuable on the black market, the Windows machines at the competition probably would have been hacked immediately. That doesn’t mean that Windows is more secure–precisely the opposite, in fact. Mac hacks are relatively valueless enough that hackers would rather use them to get a free laptop. Windows hacks are valuable enough to sell to people who want to do serious harm.
So far, Mac security woes remain almost completely on the hypothetical level: reported vulnerabilities, proof-of-concept malware, and hack-purely-for-show demonstrations, which are almost the only examples used to claim that Mac security ain’t so great. The only other examples are social-engineering trojans which depend on tricking humans into circumventing the OS security, and even those number at two, possibly three.
Windows security, on the other hand, comes up short in the real world: tens of thousands of pieces of malware, worldwide virus and worm threats, attacks causing disruption and a great deal of time and money spent on containment and repair, and countless attacks on personal machines. Just this last week, my boss told me that his browser became completely useless because every time he tried to go to a web site, porn and other spam links were substituted; his security software (kept up-to-date) somehow missed it in screening and could not repair it, and so now he’s going to have to reinstall the entire OS and all his software. Many of my students who use Windows have reported similar problems, and I have had several friends over the past few years tell me about malware wiping out their Windows systems.
I know tons of people who own Macs, and despite none of them running any security software, none have ever reported any such problems.
So, when you read those editorials about how Windows actually has “better” security than Macs, understand that such reports do not always do not in any way reflect real-world situations. Maybe this will change at some point in the future, but sure as hell not yet.