Sunday, April 12, 2009

No Victory Lap

Now that the echoes of the PWN2OWN competition are fading, I would like to tell you my thoughts about it. First of all, the contest itself is a great way to bring information security to the mind of the average IT worker out there. Too often security is a topic that is deemed too obscure to be given proper coverage by the mass media.

Secondly, security research is a critical component of the software ecosystem, and it sure needs its own rituals and celebrations where talented researchers get together to show off or become known.

Finally, like anybody else who ended up unscathed, I (we) would like to boast, but can't.

There is no known metric to decide which web browser is more secure. Certainly a 20-hour contest where $5K is at stake (and you need to leave your country) is not the place. What if the objective was to steal your Facebook cookie?

MSFT and Mozco have tried to come up with metrics. They sure feel biased and self-serving, just like benchmarks but worse, since there is nothing that you can test yourself.

But one thing most software professionals must have taken home: defense in depth (aka the sandbox) is your friend. Why aren't more people putting sandbox-like technologies into their internet-facing apps?

Yes, FF3, I am looking at you.

Yes, Windows Media Player, I am looking at you too.

It beats me. Do they think they can eventually catch all bugs?
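The point above is worth seeing in code. What follows is an added illustration, not code from this post or from any browser vendor: the broker/worker split every sandbox is built on, reduced to what Python's resource module can show on a Unix box. The toy key=value; parser, the two magic inputs (CRASH and DROP:), the CPU cap and the file names are all constructed for the example. The worker confines itself before it touches any input; the broker only ever sees a verdict, so a crash, an exception or a denied file write in the worker never reaches it.

```python
import errno
import json
import os
import resource
import signal
import tempfile

WORKER_CPU_SECONDS = 5  # assumed cap on CPU time per job; the post names no numbers


def _cap(which, value):
    """Lower one resource limit, never above the hard limit already in force."""
    hard = resource.getrlimit(which)[1]
    value = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(which, (value, value))


def confine_current_process():
    """The 'sandbox': the worker applies this to itself before it reads any input.
    rlimits are the portable subset; a real browser sandbox also blocks file reads
    and the network (seccomp, namespaces, job objects, integrity levels)."""
    # Forbid creating or extending any file. With SIGXFSZ ignored, an offending
    # write() returns EFBIG instead of the default 'kill the process'.
    signal.signal(signal.SIGXFSZ, signal.SIG_IGN)
    _cap(resource.RLIMIT_FSIZE, 0)
    _cap(resource.RLIMIT_CORE, 0)  # no core dumps full of attacker-controlled data
    _cap(resource.RLIMIT_CPU, WORKER_CPU_SECONDS)  # an endless loop must not pin the box


def parse_untrusted(data: bytes) -> dict:
    """Constructed stand-in for the risky code (a codec, a script engine...).
    Format: key=value;key=value. Two magic inputs simulate an exploited parser."""
    if data == b"CRASH":
        os.abort()  # from outside, this is what a memory-corruption bug looks like
    if data.startswith(b"DROP:"):
        # a payload trying to persist a file on the victim's disk
        fd = os.open(data[5:].decode(), os.O_WRONLY | os.O_CREAT, 0o600)
        try:
            os.write(fd, b"pwned")
        finally:
            os.close(fd)
        return {"dropped": True}
    fields = {}
    for item in filter(None, data.split(b";")):
        if b"=" not in item:
            raise ValueError(f"malformed field {item!r}")
        key, value = item.split(b"=", 1)
        fields[key.decode()] = value.decode()
    return fields


def run_in_sandbox(data: bytes) -> dict:
    """Broker: fork a worker, let it confine itself, pass the bytes, collect a verdict.
    The broker never parses untrusted input, so an exception, a crash or an attempted
    write in the worker stays in the worker."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # ---- worker ----
        os.close(rfd)
        try:
            try:
                confine_current_process()
                verdict = {"status": "ok", "result": parse_untrusted(data)}
            except Exception as e:  # EFBIG for the denied write, ValueError for bad input
                name = errno.errorcode.get(getattr(e, "errno", None), type(e).__name__)
                verdict = {"status": "error", "error": name, "detail": str(e)}
            os.write(wfd, json.dumps(verdict).encode())
        finally:
            os._exit(0)
    # ---- broker ----
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:
        payload = pipe.read()  # EOF once the worker exits or dies
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return {"status": "crashed", "signal": signal.Signals(os.WTERMSIG(status)).name}
    return json.loads(payload) if payload else {"status": "crashed", "signal": None}


def demo() -> dict:
    """Four constructed inputs through the broker; 'drop' also checks the disk."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "dropped.bin")
        out = {
            "benign": run_in_sandbox(b"user=alice;theme=dark"),
            "malformed": run_in_sandbox(b"user=alice;garbage"),
            "crash": run_in_sandbox(b"CRASH"),
            "drop": run_in_sandbox(b"DROP:" + target.encode()),
        }
        out["drop"]["bytes_on_disk"] = os.path.getsize(target) if os.path.exists(target) else 0
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the four verdicts print as JSON: the benign input parses, the malformed one comes back as a ValueError, the crash is reported as SIGABRT with the broker still standing, and the dropped file stays at zero bytes because the write failed with EFBIG. The caveat, and the honest answer to the Facebook cookie question: rlimits stop writes and resource exhaustion, not reads. Keeping a compromised worker from reading your profile directory takes OS-level isolation (seccomp filters, namespaces or chroot, Windows job objects and integrity levels), which is what a proper browser renderer sandbox is for.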

PS. On the second day, when you could use Flash, I did expect somebody to use that vector. I can only think that Flash exploits sell very well.