Well, CanSecWest’s PWN 2 OWN contest has just shown that Mac OS X isn’t “inherently safer” and that clearly it is possible for a user to open an e-mail on a Mac and have it join a spam botnet.

For those not familiar with CanSecWest or their PWN 2 OWN contest, here is the scoop. CanSecWest is “the world’s most advanced conference focusing on applied digital security.” And for the last few years, they have been running a contest during the conference to see which operating system is the most vulnerable: Windows Vista, Mac OS X, or Ubuntu Linux.

If you can hack (run arbitrary code) the laptop running the OS, you get to keep the laptop and a $10,000 cash prize. It is important to note that the “hacker” does not get physical access to the machine, and the laptops are in their default configuration. If you want more details please check out this link.

For the second year in a row the Mac was the first to fall, and Charlie Miller is now the proud owner of a MacBook Air with Mac OS X 10.5.2. Charlie is best known for being the researcher who first hacked Apple’s iPhone. It may be rude to say, but it is kind of vindicating for us that clearly we weren’t out on a limb when it came to Mac security. Within two minutes of the start, he directed the contest organizers to a certain website that executed his exploit.

Although the winner cannot publicly disclose details of the vulnerability, it is safe to assume the problem is in Safari. This comes after Paypal started recommending to their users that they ditch Safari due to security issues. And for the icing on the cake, Apple has started to use some under-handed methods to trick fool scam swindle con hustle sucker encourage iTunes/Quicktime users to install their underdog browser.

What can the nay-sayers say now?

Purdue spokesperson Jeanne Norberg said: “As an Internet service provider, Purdue will forward these letters when the user can be accurately identified.” “Purdue will not voluntarily provide names to the RIAA. However, should those notified choose not to pay the settlement, the RIAA may obtain court-ordered subpoenas to obtain the individuals’ names.”

21 subpoenas were issued this summer out of the 37 who received settlement letters last semester. “Purdue [provided] the names of 19 individuals, and subsequently the RIAA reduced its total request for names to 17.”

Am I the only one who is just a little disturbed by the line “…should those notified choose not to pay the settlement?” I do not condone peer-to-peer sharing stealing of music, but I think the record companies’ resources would be better spent working on a new business model that leverages digital music and the Internet instead of suing four-dozen kids in one of their key customer demographics. Hopefully we’ll see some more creativity in music distribution business models such as SpiralFrog, and more consumer-friendly technology advancements like Microsoft’s new watermarking technology in the future.

Full Disclosure: I am a grad student at Purdue. See our previous coverage here.