What Do the CanSecWest Hacks Prove?

Article by Paul Pardi, published May 6, 2008

The recent fall of two major operating systems to hackers required the user's help. This may mean that as operating systems become more hardened, users need to become more defensive.

Perhaps the term "prove" is too strong, in that little or nothing can really be proved from the hacks. But I do think some clear observations can be made that reinforce the foundation of my "defensive browsing" approach to computing. For those readers who may not know what the CanSecWest hacks are: in March of 2008, a security conference was held in Vancouver, British Columbia, which ran a contest to see who could hack into three separate machines, one running Mac OS X 10.5.2, one running Ubuntu 7.10, and the final machine running Vista Ultimate SP1. The Mac fell first, through a flaw in the Safari browser. Vista fell next, through a flaw in Adobe's Flash plug-in. At the end of the three-day contest only the Ubuntu machine was left standing. See here for details.

While the results of the contest are not all that surprising, I think it is worth noting that none of the machines were hacked on the first day of the contest. On the first day, the three machines were only plugged into the network and left there without any user interaction. The operating systems alone, exposed only over the network, were not hackable by conference-goers. The Mac and Vista machines were compromised only once the rules allowed hackers to have applications run on the machines as a user would. On the second day, only applications installed by default with the OS could be run; the Mac fell through Safari. On the third day, any third-party application could be run; Vista fell through Flash. As more information comes out about the exact nature of the hacks, we'll learn how important the user was to the process of compromising each machine.

Without making too much of this, it does imply that at least some important intrusions and hacks perpetrated on today's modern operating systems are probably carried out with users sitting in front of their machines. While we don't yet know exactly what the flaws were that exposed the machines to the hackers, we do know that applications, specifically web-facing software (a browser and a browser plug-in) that exposed the machine to content the user chose to load, were the culprit. The basis of "defensive browsing" is that some of these types of attacks can be prevented if users approach their internet use with more knowledge and better awareness. My argument is that while browsing defensively can't stop hackers, it will put users in a much better position to see them coming.