Spider, you're correct that Google doesn't penalize for duplicate content; they merely filter and only show one or the other. The problem for the webmaster is that Google may not show the one you want.
Which means, of course, no, this is not some tricky loophole one can exploit. One cannot generally get both the WWW and the non-WWW versions of a page to visibly rank for the same search query.
Technically, the definition of duplicate content is "the same content available through two or more URLs" so yeah, if Google sees the WWW and non-WWW as two separate instances, it would be duplicate content and would be filtered as such.
Again, from a technical perspective, the WWW version is simply a subdomain like any other subdomain (such as "blog.yourdomain.com" or "support.yourdomain.com"). It's a subdomain that has acquired a special meaning over time and generally doesn't get used the same as other subdomains, but that's really all it is.
So technically, if your server is set up for it, you could serve different content at the WWW and the non-WWW versions of your site. It would be unusual and unexpected, but there's nothing technically stopping it. And that is the only instance I can think of where there's a chance the two might show up for the same search query: if they actually were serving different content. But since that would be a very strange thing to do (not to mention all the extra work one would have to do to optimize two different pages equally for the same query) it's highly unlikely to happen.
Because of the special status of the WWW subdomain, many web hosts are already set up to automatically treat WWW and non-WWW calls the same. If your host already has things set up this way, all is well. If they don't, you may need to take other action to make sure Google knows how to handle the two.
Fortunately, Google is smart enough to see when the WWW and the non-WWW are the same thing, and they will eventually merge the two in their listings. Again, though, the problem is they may not merge them to show the one you prefer.
You can influence that by making sure that internally you only link to the version you prefer, and whenever you set up links externally (directory listings, buyer's guides, paid advertising, etc.) you only use the version you prefer. The problem with that is that you don't necessarily have control over how other people link to you, so there may be links that point to the non-preferred version.
Of course, the safest way to make sure Google shows the WWW (if that's what you want) or only the non-WWW (if that's what you want) right from the get-go is to use server-side redirects to send all requests for the undesired alternative to the desired version.
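
The server-side redirect described above, as an added example that is not part of the original post: a small Python sketch of the decision a server makes for each request. The hostnames `www.example.com` and `example.com` and all function names are assumptions chosen for illustration.

```python
# Added example: the hostnames below are assumptions, not from the original post.
CANONICAL_HOST = "www.example.com"   # the version you want Google to show
ALIAS_HOSTS = {"example.com"}        # other hostnames that serve the same site


def normalize_host(host_header):
    """Lower-case the Host header value and drop any port and trailing dot."""
    return host_header.strip().lower().partition(":")[0].rstrip(".")


def canonical_redirect(scheme, host_header, request_target):
    """Return the URL for a 301 Location header, or None when no redirect applies.

    request_target is the path plus query string exactly as requested,
    e.g. "/widgets?page=2", so deep links keep pointing at the same page.
    """
    host = normalize_host(host_header)
    if host not in ALIAS_HOSTS:
        # Already canonical, or a hostname this site does not own: no redirect.
        return None
    if not request_target.startswith("/"):
        request_target = "/"
    # The target host is the fixed constant, never a value copied from the request.
    return f"{scheme}://{CANONICAL_HOST}{request_target}"


def respond(scheme, host_header, request_target):
    """Return (status line, headers) the server would send for this request."""
    location = canonical_redirect(scheme, host_header, request_target)
    if location is None:
        return "200 OK", []
    # A permanent (301) redirect, so crawlers treat the target as the lasting address.
    return "301 Moved Permanently", [("Location", location)]


if __name__ == "__main__":
    # Constructed sample requests.
    for host, target in [("example.com", "/widgets?page=2"),
                         ("EXAMPLE.com:80", "/"),
                         ("www.example.com", "/widgets?page=2")]:
        print(host, target, "->", respond("https", host, target))
```

Swap the two constants to prefer the non-WWW version instead; the logic is otherwise the same.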