What bizarre rules! If "winning exploits must target a previously unknown vulnerability", then with the world+dog currently hacking Vista, there can't be that many exploits left undiscovered. And with few(er) targeting Linux and OSX, there's surely loads of exploits left to discover.

With the above in mind, I don't see how this "contest" will prove which is easiest to hack into. The results could be legitimately disputed against whichever way they go.

It all depends upon who wants which box the most. I personally wouldn't want a MacBook air, I'd prefer a good ol' MacBook Pro. As for the PCs, I'd rather have a new Thinkpad so wouldn't bother attempting them. This is all pretty academic as I'm by no means some kick ass hacker.

"with the world+dog currently hacking Vista, there can't be that many exploits left undiscovered."

O ye of little faith! There are literally million of lines of code in Vista; even Microsoft isn't aware of all the exploits.

Surely a known security hole that is still present in the most up to date patches is much more of a concern that a one-off homebrew hack by a pro? In the interests of exciting competition i can see the reasoning behind that rule, but it most certainly invalidates this as a test of the most secure OS.

It's funny. I don't own a Mac, don't use a Mac, and I think the MacBook Air is design for morons.

But I am absolutely certain that OS X is orders of magnitude more secure than any version of Windows; OS X doesn't come with Internet Explorer, and IE is *designed* to allow remote code execution.

It doesn't matter what the story is about, if it mentions Apple/MS/Linux or anything vaguely related, people write bad comments about it or the competitors.

Here's a quick template to save them coming up with something even vaguely original:

*Delete were appropriate

Apple/Microsoft* are awful, why does anyone use the overpriced stuff created by them? The should try using a proper operating system like OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro*. I had a OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro* system and it was awful, so many problems with it. In the end I got OSX/XP/Vista/W2000/Ubuntu/OtherLinuxDistro* and it works great. The Apple/Microsoft/Linux* fanboys should stop licking obs/Gates/Ballmer/Linus* by ignoring the failings and start using free/stable/flexible/innovative/intuitive/secure* stuff like me. Take your JesusPhone/Microshaft/Freetardware* and shove it!

Quote: "Vista; even Microsoft isn't aware of all the exploits."

Waddya mean, "even"? Microsoft seems less likely than most to be aware of Windows exploits - or, rather, to admit they exist.

Your remark about IE's designed-in code execution is cock on.

just sell the vulnerability + exploit code and buy whatever they wanted this contest rule doesn't make any sense.

If you're used to writing exploits for windows machines wouldn't you go for the Vista box as it'd be the easiest for you?

The counter to that people may avoid the Vista machine just for the sake of proving linux/mac isn't secure - as you're only allowed to target one machine you'd have to pick one.

Also the shiny aspect has been mentioned - butt ugly flakey fuji, sexy sony or sleek air?

All the air's and graces of a fair fight but still not cutting it - you can never get a fair balance due to the above, and other, circumstances.

John Doe got it right, the biggest security hole on any computer is the user.

If you really want to count security holes, you can always look at the CERT advisories. Over the years, the number of threats has been remarkably close to equal for Windows and Linux.

that we were getting worried that Webster might be sick or have expired from excessive spleen. Back to his usual rabid form after all. If you don't want to buy something then don't buy it. No need to make it your mission in life to insult the item and anyone who does actually buy it.

Its another attempt to demonstrate "Look, see, Windows is as good as OS-X and Linux!" (They might shoot for "better" but that's probably too ambitious.)

from the register itself

"We queried the United States Computer Emergency Readiness Team (CERT) database, and the CERT data confirms our conclusions by a more dramatic margin. When we queried the database to present results in order of severity from most critical to least critical, 39 of the first 40 entries in the CERT database for Windows are rated above the CERT threshold for a severe alert. Only three of the first 40 entries were above the threshold when we queried the database about Red Hat. When we queried the CERT database about Linux, only 6 of the first 40 entries were above the threshold."

looking at cert numbers alone is pointless.

The problem of security holes is nearly pointless. Windows doesn't need to be attacked, it runs slower and slower each week from the minute you buy a new computer until it is so slow that it is worthless. Linux doesn't work with my printer or my wireless card, and the free freaks drop subsysyems that work for things that don't simply because they have more utopian licenses (sound and printing) OS X is worthless by itself without $$$ of purchased software and cost $$$ for every minor update and codebase patch.

I have all three, and an exploit would be refreshing, better than products that I pay good money for that in one way or another render themselvers inoperable.

They all suck.

The SOLE purpose of this event is to uncover new vulnerabilities which aren't yet known and obtain full disclosure of how they can be exploited. It has absolutely nothing to do with comparing different products.

personally, i think i think they shouldn't install third party software, just defaults with full patches.

The quicktime exploit last year would have also worked against windows, but the exploit writer was quoted saying he targeted mac on purpose 'because of smug attitude' (because i wanted to join the smug club)

Errm, the contest is IMHO mildly pointless for a variety of reasons:

(1) Skillset. As with any pen test (which is what this is), it only proves that at a certain point in time a certain operating system in a certain configuration was (not) hackable by a certain person with a certain skillset, and who was or was not entirely awake at the time. That's quite a few variables that can change and invalidate the result so ever if you get an OK it may only be valid for a second.

(2) Return on Investment. You assert that the idea is to find new vulnerabilities (which, incidentally, are by definition "not yet known" :-). The question you forgot to ask is just how useful that public announcement would be to the wannabee hacker. Not only could he get exposed as "a danger to society, better make him a terrorist" - remember, there are laws out there that make security research legally dangerous, from a pure return on investment point of view such an skilled individual may turn instead to use his knowledge in writing toolkits for organised crime if he's not too worried about the police (or is pressed into "service"). So he's not going to show up on the radar.

And don't get me started on the risk factor of discovering a zero day publicly so that the supplier doesn't get a chance to fix the problem before announcement. Could become quite an entertaining liability problem for the organisers..

The attacks on the Linux machine are going to focus on skype, a proprietary application or driver is not easy to secure or to test for security problems. I find the very idea of having skype on the linux machine to be unfair.

the above post is right, all operating systems suck; the question is what the hell are you doing about it punk.

Of course They had to choose Ubuntu, which is one of those excellently loaded distros that runs god knows what services by default. They should have thrown in some BSD just to make it interesting. And some machines that anyone would actually want to own (I mean have as personal property... not crack...).

Few problems as I see it..

1) Different hardware in each lappy. There may be a vuln available in one particular laptop that isnt available in the other 2. BIOS, manufacturer drivers etc

2) This is a test of stable OS. I dont know anything about OSX, but Windows you cant just "install the OS", where you can with any form of linux. When does it stop being a test of OS, and more a test of "which 3rd party dev writes the shittiest code?"

3) Last year it was won by hacking an application, Quicktime. This year, the Vista box could be hacked via Quicktime, or the Mac box hacked via Office for Mac. Do you honestly think Microsoft would spend as much time on stability/security on a product for a competitor compared to one for their own market. Think Apple would return the favour?

Mine the tartan trenchcoat with "Cyncial Prick" on the back.

Shouldn't the prize be the 2 computers that resisted hacking?

The reason that they will be running Ubuntu is that it is probably the most popular/mainstream Linux that regular people would try.

Fair enough if some other distro is more secure "with no known exploits" but if a regular person like myself can't install it becuse you need and command line stuff then we would just go with OSX, Vista or Ubuntu.

This is a comp to find the flaws in the biggest/latest distros of each and not a competition of which version of an OS has the most secure version.

I'm sure someone could write a Linux distro that was 100% remote secure but if an everyday user can't use it easily then it is useless for everyday people. Thats also why they are having common apps installed on all of them, because people use them. If you had a OS with no apps then it kind of serves no point except to heat and light the room slightly!!

I don't get it.

If you have a fully patched machine without viruses or trojans etc, and you have a Norton / McAfee / TrendMicro etc. type firewall with all the ports except internet and email locked down, are you still vulnerable to be taken over completely from the Internet?

What about if you also have a modern router with an ADDITIONAL firewall?

Surely that must be safe? Or is this competition not using firewalls and third party security products?

are the posts pointing out that the real weak point is the WetWare. I'd wager that 90% of *real world* inappropriate disclosure of computer data (which is what actually matters in the end) and creation of botnets comes down to social engineering.

Even on the notoriously hackable XP/2000 + IE combo I reduced real world infections by Malware by about 99% by finally separating users from the admin rights which they'd historically become accustomed to believe they were entitled to have and run with - admittedly, at the time when the only remote mass configuration options we had were NetWare login scripts, which run as the user logging in, this was pretty much true. But I digress.

A better use of time than this contest would be finding the writers of software who expect the user to have admin rights on Windows boxes and putting them up against the wall. Mind you, they'll be out of a job soon anyway because their shite won't work on Vista with UAC.