Slashdot Mirror
Keeping Secrets in Hardware: Xbox Case Study
BS405397 writes "Here is the just released MIT whitepaper on the security holes in the MS X-Box, and for those who are interested, opens up the X-Box pretty nicely." Update: 06/04 17:13 GMT by M : The server appears to be down at the moment. There is a copy of the paper mirrored here. Reuters and other news outlets have now picked up the story, two days after Slashdot.
Doesn't this violate the DMCA?
Mr. Smoove
When the xbox first came out I wondered about the security holes it would have once they rolled out the internet service. Does anyone know if it is setup in a way that it can receive software updates?
Hacker Media
OUCH!...looks like the server went kaboom...ok, who's gonna be the first with a mirror?
Here is the guys website (bunnie), with a ton of other hacking information not in the whitepaper.
He also has an alternative link to the paper.
the byproduct of years of oppression by the white man
Inconceivable!
I quote from a posting to XBOXHACKER that quotes "I did the work in february, but it took about three months to get it positioned and cleared with both MIT and Microsoft."
I guess that means the DMCA was not violated although the posting mentions that Microsoft intend on addressing these 'holes' in future revisions of XBOX hardware.
[)amien
While the rest of the world waits for the site to come available...
Let's all go to the lobby,
Let's all got to the lobby,
Let's all go to the lobby...
To get ourselves a drink!
you don't have to outrun the bear, just the slowest person in your group.
My favorite game protection of all time was quake 2. First Id software makes this incredible game, with 0 protection against copying, and then release quake 3 with online copy protection and online gameplay only. Thus, suckering in a bunch of people into buying the new version. I wonder if the struggle between companies and consumers will ever end, because the companies always lose :P
- tristan
Hopefully, this is yet one more step in fully hacking the X-Box (can't tell because the site's been /.ed)
And I don't meant the usual Playstation-like hacking. I couldn't care less about not having to pay for games...
What I can't wait for are things like a DiVX player (DivX movies on TV!), Linux -> and with it all those wonderful applications, DVD Movies without the hardware adapter, etc. and all of this for only 200 bucks!
Many Dreamcasts were sold because of their hacking potential...just imagine what an X-Box is capable of! This, more than any reason, is why I'm hoping the X-Box pulls through and "makes it" among the video game platforms...
here is a mirror
I put on my robe and wizard hat.
I don't even get the login prompt on the MIT FTP server.
Really wanted to read this. sigh.
For those who where unable to see the .PDF, due to the ./ effect... :) probing the LDT/Hyper Transport Bus via an hardware tap board linked to a FPGA based custom sniffer. It seem a bit like a magic... but the only magical thing is the mind operating those (cheap!) hardware! :)
It is about searching for magic numbers
Very intresting read!
Bye!
Should we start taking bets as to when the "xbox update" web site and service packs start coming out?
Karma: Food Fight (Mostly affected by Date Plate).
That's pretty impressive, guys. How big is that PDF anyway? I timed out with 7 replies showing.
Well since the article is Slashdotted and I haven't read it, I could be horribly mistaken when I say this. However, I know MS wants to network the XBox. As a stand alone, there's not many holes in it worth worrying about. But when its networked, thats an altogether different story. And I'm sure most Slashdotters are aware of MS's track record on security holes....
But what are you trying to secure on an Xbox really? Your saved games? I know some people are trying to port operating systems to it but if that's the case I would thing the current OS wouldn't much cause of concern.
I feel everyone should play the game just like the next guy, but if someone wants to get into my Xbox just so they can get to the boss without having to work for it I'm not really complaining.
Everything I say is a lie.
Except that. And that. And that. And that.
The funny thing is this PCWorld article that touts PS2 security over XBox and GameCube. The ironic part is when Sony announces their "partnership" with companies such as "America Online" and "RealNetworks." RealNetworks... now THAT's a company I trust with my personal information!
First of all, do you spumrags even bother trying to read the links or getting some context before you go off half-cocked? Obviously not. Your message would be better informed if it said "Frost Pist Bitches!"
Second, it should be obvious to anyone with 2 working braincells that the security problem facing the XBox is not network security but instead security against the local user. Particularlly, preventing them from booting non-approved software.
Being able to automatically hack lots of Xboxes would be quite nice if one wants to do, say, a DDOS...
It's possible, pig! err... moose
Does this mean I can hack into some little kid's (Insert-Name-Of-Stupid-Video-Game-Char-Here) and upload a patch to display all opposing characters as completely nude, full-figured women?
Or bust my way over to a Middle-East gaming area and put the head of Osama on all the bosses? Wait, do they still have electricity over there?
Reverse engineering is legal under most circumstances. Prohibiting it would create a new form of intellectual property, which, unlike patents, would not have to be disclosed. Trade secrets are limited in scope; trade secret law is mostly about disclosure by people authorized to know the trade secret.
You wanna host? I've the .PDF
the "security holes" this paper are about refer to the authors techniques for breaking the protection of the "secret" boat loader that MS employs.
it's just his take on where the security could have been improved. all in all MS looks to have relied on the security through obscurity approach (hiding the true boot loader behind a dummy boot loader), just that their obscurity fails when you monitor traffic over a bus with a simple card.
PS: dreamcasts and playstations have always been hackable, as is the xbox, no real surprise there.
I have two answers to this.
1) Sure. Would you want some script kiddie to delete a saved game you've spent many hours working on? While it wouldn't be the worst thing in the world, it would be frustrating.
2) Microsoft intends the XBox to be the first of a larger presence in the family home. Imagine when everything in your house runs through the XBox (or similiar device) as MS ultimately envisions. Would you want B1FF to be able to get control over your home security system? Your climate control? Banking info? I wouldn't.
I like this part about MS guy:
The speaker at this talk also indicated that the kernel on the Xbox is a much-stripped-down Win2k derivative (from 12 MB to around 23kB).
(from their website)
Got the PDF. I cannot host it. I have a 56K dialup line.
What is there to study about the Xbox case? Its butt ugly ;)
We are above the law here. Even if the MPAA, RIAA and Microsoft decided to waste money trying to sue every single one of us, we'd still be able to get by.
People would then start hacking into major infrastructure computers. The whole world would collapse. Microsoft know this. They know its possible to do this because they wrote the software. This is why they will not risk a fight.
He frequents the Xbox hacker msesage boards. Heres what else he had to say about Microsoft in this post...
... hmm...patent search turns up nil on the Xbox...guess we'll just have to reverse engineer it. (FTR, Nintendo has patented what looks to be the entirety of the N64 console, thus perchance making reverse engineering an N64 illegal--not yet court tested.)"
"To answer some specific questions:
no, I will not publish the encryption key or the boot block. That's Microsoft copyright material, and I respect their copyright.
Microsoft is not particularly happy about the paper, but they seemed to concede that well, reverse engineering is protected by law, so there's nothing they can do about it. Let's hope they don't change their opinion...they've been known to go back on their word before. "
also, from his website...
"You are actually allowed by law to reverse engineer copyrighted code so long as it is necessary to discover the ideas or functional elements behind the code (still, I'm not allowed to post copyrighted code for free distribution). Hey, microsoft...what are the ideas and functional elements behind your BIOS ROM?
the byproduct of years of oppression by the white man
Because when Microsoft makes the networking component available, millions (?) of clueless end users will hook it up to their cable modem connection, totally oblivious that there may even be the _slightest_ chance that there is a single open exploit ready to be taken advantage of for DDoS attacks. And what about the possibility of stored credit card information used for MMORPG -type games? Playing habits of owners? What if Microsoft released personal finance software for the Xbox? Are you saying that can't happen?
Did you stop to think and ask yourself those questions before you generalized this "security feature" of the Xbox console? Or are you one of the millions of lusers I just described? I use MY Win2K box for playing games and ONLY playing games. Does that make my PC simply a GAMING platform?
How would you feel if your Xbox was attacked and all you had to do was "reinstall a few games." The worst that can happen is NOT the point. The fact that it COULD POSSIBLY happen IS.
Bonehead.
you don't have to outrun the bear, just the slowest person in your group.
Microsoft probably has nothing to do with this "hole"(I am hesitent to call it that). NViDIA is almost certainly the one who laid out the spec that used the bus. MS probably just signed off on it.
I'd do something interesting, but my server can't handle a slashdotting.
...that we will be able to play NetHack on the xbox?
This post will enter the public domain 70 years after my death, unless Disney buys another extension.
You're missing the point. With security holes that allow custom code to be loaded it will be possible to run new software on the Xbox. For example, the Xbox-linux project will see some benefits from this paper.
"I either want less corruption, or more chance
to participate in it." -- Ashleigh Brilliant
The security discussed in the paper isn't intended to protect the user, it's intended to protect Microsoft's control over the platform -- it's the lockout that keeps software that isn't blessed by MS from running on the XBox. If companies can bypass it, they can ship XBox games without paying royalties.
When I first saw this story. I thought this guy has found some way to get to another Xbox over a network.
After reading the paper, I see all he has found was the secret book block and the non-encrpted bus.
He is yet to decrypt the kernel.
So we are a long way from using he XBox as a cheap PC.
I guess it means he didn't find any security holes that would compromise you system over a network; or any holes would require a service pack from Microsoft.
Imagine when everything in your house runs through the XBox (or similiar device) as MS ultimately envisions.
Imagine the day when I allow Microsoft to control everything in my house. Why would anyone do that? If it controls home security, you might as well just not lock your doors if you are going to use a Microsoft product.
Remember, despite all of Microsof's plans, they can't take over your home unless you buy their products. The simple answer is not to do it. Don't let your friends do it either. Friends don't let friends use Microsoft.
Then again, why would I want any one company to control my home security, television, stereo, and toaster? Microsoft isn't the only dishonest company out there; and good companies can go bad. Tying your entire home into someone else's network seems insecure to me.
t'nera semordnilap
Yeah, who would want a $200 general purpose computer wiuth built in ethernet and DVD capability? I mean, what are you going to do, get a keyboard working and have a $200 Linux machine that's comprable to most $800 boxen? Or get it to run DivX movies? Or network 5 of them into a $1000 Beowulf cluster?
It's not a gaming system. It's a computer that's been artificially limited to gaming. People want to break into it to remove those limitations, so they can have a very cheap, fairly powerful and flexible computer system.
The article -- the whole console hacking phenomenon -- is not about people breaking into your Xbox of ther internet. If you had read the article, you would have seen that it's about hacking the box to be able to boot custom code. There's no question of "reinstalling a few games" unless someone breaks into your house, reprograms the flash ROM in your Xbox, and turns it into a Linux machine.
-b
I didn't get to see the paper, due to /. effect. However, a few ideas how it could be dangerous.
Packet Sniffer
Distributed Denial of Service attacks
Remote hacking
OK, I've skimmed the PDF, and while the words "security holes in the XBox" in the article may lead you to think about traditional software buffer-overflow-I've-r00ted-your-box types of security holes... this article is about HARDWARE!! The PDF talks about hacking the hardware and getting around the encryption on the bootloader to be able to load your OS of choice, for example.
Meanwhile I'm reading posts from people who are nearly soiling themselves afraid to plug their XBox into a network for fear of being r00ted. What a joke. I bet when michael saw the words "XBox" and 'security hole' in the same sentence, he became so excited and nervous that he could hardly move his finger to click the button on the mouse. Sheesh.
I got a grudging thumbs up, so to speak, from Microsoft on my Xbox reverse engineering work
I think I'd much rather he post what must've been a very entertaining conversation with a Microsoft spokesperson than the bios to the XBox.
I wasn't aware security was a big issue in gaming consoles.
It never has been, because:
a) Most systems only kept data related to the game in a very limited space. (On a memory card say or a cartridge its self in the past) - the X-Box is fitted with a hard drive, so there is access to alot of data beyond the scope of individual games since all the data is likely to be in one place.
b) Once you hook something up to the internet, (Which the X-Box plans to do, or at least a network of some kind) then it opens the door to the data stored on your system. This also means that as well as game data, users are likely to at the very least have emails stored on their systems.
I saw the light at the end of the tunnel... But it was just someone with a flashlight bringing more work.
In case you didn't know already, MS is selling Xbox's at a huge loss. Much to my suprise, MS did not get to it's current position by losing money like this. They're planning on making up the lost money by having a sucessful console that sells tons of games and makes up the money there (Sega anyone?), so I believe the "security holes" might be referring to little snafu's so you can put a different OS on it. Because we all know different OS won't run the games. Every time someone buys an Xbox hoping to turn it into a hella cheap PC, MS loses their money on that machine for good, because that person won't be buying any games for it.
A lot of the security features talk about rom encryption, flashing it with a new bios, accessing the hard drives, etc. All of these thing make it more difficult to turn it into a cheap PC, and supports my theory as stated above.
So no need to worry about DDoS or lost savegames. This is about playing unauthorized games, making a DiVX player etc.
Let's face it, who could resist the idea of getting a cool computer while at the same time losing Microsoft money? It's a fab idea!
Security is a huge issue in gaming consoles, particularly as they become similar in capability and more competitve with each other.
It's widely agreed that the making or breaking point for any console is the software library available for it. Console makers therefore spend a lot of time, money and effort attempting to win over software developers to their platform.
And regardless of how enticing an offer the developer receives, developers need to sell software to stay in business. The main advantage of the console market (as opposed to the PC gaming market) is that the platforms are closed and proprietary, and (ideally) make piracy virtually impossible without modifying the hardware. The main problem with the security holes isn't that malicious users can compromise a user's data; the problem is that even casual users will be able to pirate games.
This prospect scares the living hell out of developers, and rightfully so. Witness the demise of the Sega Dreamcast, which occurred a surprisingly short time after someone figured out how to boot CD-R's on the console.
The bottom line is that developers won't produce for a platform that facilitates piracy. That is very bad news for Microsoft, particularly in light of their bleeding money out of each console they sell.
What I can't wait for are things like a DiVX player (DivX movies on TV!), Linux -> and with it all those wonderful applications, DVD Movies without the hardware adapter, etc. and all of this for only 200 bucks!
I keep wondering if an Xbox with keyboard, mouse & montior, running Linux, might not make a good, inexpensive classroom computer? I mean, the box is already rad-hardened against hyperactive game-playing children, right?
Is there any chance this would work?
If you say, "now I'll be modded down because of X", I'll happily oblige.
Microsoft, not content with just SOFTWARE security holes, has now moved on to HARDWARE security holes.
I read that article and found it very interesting. It seems there's always a weakness in any security system, and a clever person with time on their hands can find it.
But then it hits me: this "security" is to keep THE OWNER, the PAYING CUSTOMER, out of the product he bought. This "security" doesn't protect my family, me, or my possessions from absolutely anything. It serves no purpose except to make work for somebody at Microsoft and then somebody at MIT. If they left it out, they'd save both parties a lot of effort. I'm sure someone will build on this article and figure out how to easily run arbitrary code on the Xbox, and so the security will be a total waste. So why is it there?
I would think that they'd want security in there to protect their trade secrets. If information like this gets out (oops) then people will be able to make unlicenced games, and that would trash Microsoft's console business model.
I'm one of the sysadmins at the AI lab - we had a power shutdown in our building last night through much of today, but the site is back up and ready to get slashdotted.
He now understands the boot process, and can mess with it via hardware mods. But he has only the decryption key, which is the public key of the pair. To make a bootable disc, you need the encrypting (private) key, which is nowhere in the XBox. That key probably exists only in a vault in Redmond.
I don't really care all that much about the XBox, but if the RIAA and MPAA have their way, all audio and video equipment will be protected like this.
I guess I am naive here. What is the point of making the X-box or any other game console hard to hack?
I used to believe the old saw that compared game consoles to razors; lose money on the console, make up for it on the games. But I read something recently which seemed (to me) to prove that everyone except M$ was making money on consoles too. So although it might make sense for M$ to prevent hacking for use as other than a game console, why would others do so?
Is it to prevent people from playing ill-gotten copies of games?
Is it to prevent cheating while playing a game?
Is it to prevent reverse engineering of a game?
I guess I just don't get it!
Infuriate left and right
I'm never going to quite understand this mindset. So what if it costs MS $300, $400, or even $1000 to manufacture the XBox? Buying one is only going to help them.
That's right. Buying an XBox, no matter what kind of a deal it is, no matter how much money MS "loses" on it, helps them out. For starters, while they might lose $100 for each XBox bought, they lose $200 more when you don't buy it.
Then you have the marketing figures that say that these boxes are flying off of the shelves. That they should press on with their unwavering determination and $40 billion to dominate the market, because people want them there.
If we really want to shaft MS out of the console market, the way to do it is to not buy XBoxes. Eventually they'll realize that nobody wants their crap, their inventory is sitting in warehouses (or worse yet, getting shipped back to them to make room for the PS3), and we'd rather bow to the Lord God Sony for our home entertainment.
Pax, Ardax
"I assumed blithely that there were no elves out there in the darkness"
I really wish they'd steal a more up to date version from FreeBSD, instead of using one from before 2.2..
Weapons of Mass Analysis
From the paper:
"...it is an error to assume that a secret, distributed along with the information it guards, is never revealed."I don't know about that. It seems to have worked for the Word file format.
Then you have the marketing figures that say that these boxes are flying off of the shelves.
Yeah, but microsoft only makes money on the games / online service. Mircosoft may hype the sales, but gaming companies are still going to notice that the software isn't selling.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Let's say that Microsoft released financial software for the XBox and people chose to buy and use it. Should Microsoft's centralized database ever get hacked, it would not be a security issue; it would simply be natural selection. :)
My XBox web server is vulnerable? I guess I'll just have to download a patch from windows update!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
it's to play games
This opening of the Xbox may eventually a fellow run independently developed game software on the Xbox hardware. ("Independently developed" means that Microsoft doesn't get a cut of the revenue. So much for razors and blades business model.) With a port of the GNU/Linux system to Xbox hardware, such games would potentially include the whole gnome-games suite, the freepuzzlearena suite, Tetanus On Drugs, Tux Racer, Quake III Arena, and every NES and Game Boy Advance game in existence.
Will I retire or break 10K?
Actually, while you're right... everyone (besides MS) does make money off their consoles... they also make a lot of money off something else: licensing. In fact, while you can make a pretty penny off your console, the main draw is that you get an even larger percentage from the license royalties off every game your console sells. You only sell one console per person. You sell lots of games.
Naturally, if everyone could write code for a console and burn their own CDs or DVDs, large game houses would have little reason to buy licensed development kits and publishing contracts with their respective console manufacturer, and thus you lose a lot of your revenue.
Interestingly enough, though, in the old days, unlicensed games happened every so often. I recall that Taito reverse-engineered the NES cartridge and put out their own games...
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
It might not be as much as you think.Microsoft recently told shareholders that the X-Box was just only losing 20% of what Sony was initially losing on the PS2. A friend put that to end up somewhere in the $20-$30 range. ...And the SEC tends to get a bit grumpy with companies that mislead investors...
Hopefully, you are a long way from wanting to do such a thing. For $100 or so, you can have a nice Athlon mobo with a 700MHz processor. Buying a used system would be even cheaper. Of course, any other option would be much less encumbered by silly things M$ likes to put on junk, like the serial number he found.
The point is that stupid M$ and others are working to make hardware that the user has no control over but fail. It's just another proof that Senator Holling's wet dream of control of all digital devices can only be implimented by foolish laws. Inailienable rights are those which require vast expendatures to violate.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
You have it backwards.
No, you have it all wrong. The Xbox encrypts the flash with RSA's RC4 symmetric cipher (i.e. not a public key cipher). The remainder of this post is (strictly) off-topic because the Xbox boot process does not use public-key encryption.
The private key decrypts.. the public key encrypts.
In a public-key secrecy scheme, you're correct. But in a public-key authentication scheme, the private key encrypts the hash into a signature, and the public key decrypts the signature for comparison with the hash.
He has the private key. And you can derive the public key from the private key.
No, you can't do that in (for example) RSA.
Will I retire or break 10K?
It uses the new meaning of the word secure. The meaning championed by IP Cartels like the MPAA and RIAA, by initiatives like SDMI and by products like the Secure Digital Memory Card. Jane Consumer buys secure products because she thinks they will prevent access by people she considers thieves. But if her product uses the new meaning of secure then it was designed to prevent access by people the IP Cartels consider thieves... and Jane soon realizes there is really only one person considered a thief -- herself, the Consumer.
The new-meaning-of-secure products are secured against the Consumer -- the buyer and owner of the product.
In the Xbox case, the new Security works like this :
Jane Consumer has just purchased her new secure Xbox and can theoretically play any game that is compatible with her Xbox hardware and OS. Fortunately, any Company that designs games for MS Windows can, with a little effort, figure out how to design Xbox compatible games.
Unfortunately, Jane can't play Xbox hardware+OS compatible games because Xbox security locks her out -- and Microsoft won't sell her a key to open it. MS instead sells the keys to Game Companies through License fees that are passed on to the Consumer. So Jane ends up buying an Xbox, a game and a key to let the game in.
The beauty of this scheme is that Jane can't just buy the key once, open her Xbox, and be done with her new-found security forever. She has to buy the key with every copy of every game that she will ever buy for her Xbox.
The new-meaning-of-secure products are not designed to protect Consumers' property and information. Nor are they designed to harrass and annoy Consumers. They are designed to extract more money from Consumers.
Fortunately for Consumers, unlocking these new secure products, through the modern magic of digital wizardry, requires no additional knowledge or effort. All it takes is a little more money -- Jane & Joe Consumers' money of course...
Face it Folks... if you design unsecured products with lifetime warranties, you are in the wrong business. A Consumer will buy your product about once. But that same Consumer will soon pay an IP fee every time she uses her new IP-Utilizing product. I.E. her new music player, video player, book reader, game console (insert future IP-Utilizing product here).
Jono
As was mentioned in several posts, this is bad (for MS) because it may allow two things - non-authorized software development and pirated software. (don't mark me as redundant yet, keep reading :)
That's why Nintendo stuck with cartridges and why they now have a non-standard format for Gamecube games. I am really surprised other console developers haven't done this.... the slight increase in costs to slow piracy is a good trade-off.
Anyone know if it would be possible to burn those mini-dvd's that Nintendo uses?
Robots are everywhere, and they eat old people's medicine for fuel.
Those are all wonderful points, but they all have the same flaw. While you may not allow Microsoft to control everything in your house, 90% of the world is running Windows, and MS is trying pretty hard to get them all to buy an X-Box. The problem is not that you're not going to buy all their products, it's that everyone else is. That's why it's important.
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
...even casual users will be able to pirate games.
This prospect scares the living hell out of developers, and rightfully so. Witness the demise of the Sega Dreamcast, which occurred a surprisingly short time after someone figured out how to boot CD-R's on the console.
Unrelated. Think of, say, the mod chip for PSX. Sega had other problems.
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
Interestingly enough, though, in the old days, unlicensed games happened every so often. I recall that Taito reverse-engineered the NES cartridge and put out their own games...
That wasn't Taito (a licensed publisher of Arkanoid and Bubble Bobble); it was Atari, under the Tengen brand. (By the way: Tengen's NES port of Klax had some of the best music on the NES. They were able to squeeze bass out of that system that not even Nintendo probably knew was there.)
Most of the independently published games published by companies other than Tengen sucked. Color Dreams/Wisdom Tree games really weren't all that playable, except for Crystal Mines (aka Exodus) and the "King of Kings" 3-in-1. Hacker/Panesian had only one hit, Bubble Bath Babes (aka Soap Panic), and it was a puzzle game somewhat similar to Kirby's Avalanche.
However, in the modern era (post-NESticle), a new NES scene has sprung up. (Read More...)
Will I retire or break 10K?
So a LinuX-Box is a little closer to reality now, but with even with that possibility, I still won't buy an X-Box. Microsoft doesn't deserver an another cent of my money.
You've beaten my Windows, which means you're exceptionally strong, so you could have put the poison in your own goblet, trusting in your strength to save you, so I can clearly not choose the wine in front of you. But, you've also bested my X-Box, which means you must have studied, and, in studying, you must have learned that man is mortal, so you would have put the poison as far from yourself as possible, so I can clearly not choose the wine in front of me!
Anybody notice the author's name: Andrew "Bunnie" Huang. Wonder if he's the notorious defacer Fluffi Bunni.
But if no X-boxes are sold, then they won`t manufacture any more... so they will just have the current stockpile sitting unsold. If you buy them, but dont buy games, then they will far more likely produce more units. Assuming they lose $300 on an unsold unit, and $100 on a sold unit.. They need only sell 3x more machines than they currently have stockpiled and they will lose. Besides, Look at cobalt raq servers and similar devices, using an x-box for such an application could save hosting companies a lot of money.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
> I wasn't aware security was a big
:-)
> issue in gaming consoles.
Security has it's place in THIS gaming console
a) it's intended to be connected to the internet
b) it has a HDD
imagine someone writes a nice virus/worm with evil intentions (e.g. download a tiny linux distro, and then take over your XBox , store child pronography on you HDD or start a DOS on www.microsoft.com
No. The XBox is a PC designed to work like a console.
Basically it's a PC with these specs:
733MHz Celeron
64MB PC100 RAM
GeForce 2.5...halfway between GeForce 2MX and 3.
8GB HD.
cheap 10/100 base T NIC
non-standard USB (based on 1.1 spec) connections for controllers.
However, for all the efforts to try to hax0r the XBox...and I wish them all well...they are going to have to find a way to make a keyboard work with it. With the tweaked non-standard USB it's not gonna be easy.
Knowledge is power. Knowledge shared is power multiplied.
Because the "jam buffers" are initialized by the flash eprom *in the clear*, it is possible to initialize them to a faulty state, which causes the boot sequence to abort, and you can then run anything you can put into the eprom.
Karma: Food Fight (Mostly affected by Date Plate).
Well, it's black, and has a big "X" on it.
Have you read my journal today?
Xbox Live (Or whatever it's called) is a closed network. So even if someone did manage to hack into the network, using, for example, a modified Xbox, or a PC with special software, I doubt they could do much damage.
What are they gonna do, DDoS the High Score server? lol
Besides.. From the looks of the way Microsoft did the protection on the Xbox, it'll be 6-12 months before anyone even breaks whatever kinda protection they put on the online service.
Look at the scene now, they still can't boot unsigned code. And only now, within the last week, have mod chips come out.
RaGe
We're all just noise on the wires..
Who the hell is going to keep their credit card number and other personal info on their X-Box? You don't need that at all, any info would be on the servers, which I'd expect will not be X-boxes, and even then, I doubt the billing info would be anywhere near the game servers. So much as I dislike MS, I think it's pretty certain that these problems are really just theoretical, not threatening (though I'll be honest, I haven't read it because it was /.ed)
He does far more than reverse-engineer the XBox. Read this guy's project list. He's cranked out an incredible list of hardware projects. His own RISC CPU. A DES cracker. A controller for a midget submarine. An all-new design PBX for his frat house. Keyboard pedals for EMACS. A Linux-based computer that fits in a Star-Tac phone case (in progress.) Plus he's in a fraternity, plays guitar and violin, and has a blonde girlfriend. And all this while doing a thesis at MIT.
Xbox Live might be a closed network, but I doubt the internet protocol in the xbox forces it to work only on the Xbox Live network. I'm sure someone can write software that'll let Xbox browse the web, which means Xbox can connect to any site on the internet, which means it can participate in a DDoS attack. It's not like you get a special line installed that is directly connected to the Xbox Live network and not connected to anything else. It's still connected to the internet, so it can attack anything on it.
That's not really true. For legal reasons. You think people couldn't crack the original Playstation? Even if they could, people couldn't just ship playstation games without paying royalties.
Of course you could write software that'll let the Xbox browse the web, etc.. But the issue here is the Xbox Live Network, which is a closed, propritary system. Even if you got into Microsoft's servers, (No IIS jokes, please, hehe), somehow uploaded a virus, etc etc, it wouldn't run on normal, unmodded Xbox's.
.2% of Xbox owners that are smart enough to actually run custom software, and have the stones to open thier system and modify it, would do any damage if they all somehow got infected with an Xbox virus..
And I highly doubt that
Most people who are knowledgable (Spelt wrong, shut up..) enough to do these kinds of modifications to thier system, are also smart enough to not download anything that pops up in front of them.
Also, unlike Windows, Xbox doesn't have an email program that runs attachments the second you view an email (Outlook comes to mind..), so there wouldn't be an easy means of transportation for a virus.
RaGe
We're all just noise on the wires..
Sure - but one could easily argue that its main purpose is to keep pirates from running unauthorized (copied) programs on it
and to keep developers from building their own executables without real dev kits (and depriving ms of royalties)
and it keeps game hack systems out - like the gameshark and the codebreaker like devices from running.
And before you bitch and moan about MS being a bunch of bastards - almost every game system that ever came along has had some system to keep developers, hackers, and users from explointing the technology inside. Even Atari was that way - mostly through Atari not releasing all the specs for programming it so their games could look better in comparision - and they sued the first company who dared defy them (I think it was sierra).
My point is, that while Xbox Live is a closed network, the Xbox itself can still access the rest of the internet, and hence can still be a pawn in a DDoS attack.
Beg to differ. There's nothing stopping somebody from running $OSofCHOICE on an xbox and rebooting the box to play (official, MS-endorsed) games. Using this technique to run burned/pirated copies of discs might be a bigger worry, but wide availability of modchips to do this hasn't hurt the PS[X,2] all that badly.
Click here if you just like to click on shit.
The point of "security" on a console is to be an anticompetitive measure to control the software market for the device. The people who make video game home systems are bare knuckle capitalists. They want to extract the maximum profit from the system--by taking a toll from every piece of software sold, by limiting the number of titles and copies that ship to customers, by using product supply as a cudgel in negotiations with retailers, by controlling the mass media coverage of their systems.
Slashdot is all about being angry at MS; appropriate, since MS is the monopolist controller of the PC world. But we should be mindful of the fact that MS's business practices are nowhere near as bad as those of computer monopoly pioneers like IBM and Univac. At one time everything was bundled: software, hardware, support. Your one vendor had you by the balls and was in a position to extract every possible dollar from you, just short of driving you away. That's what the video game market is like. When someone has a monster platform like Sony Playstation, they can just milk it and milk it, since there really is no competition for those PS software dollars.
Then you have the marketing figures that say that these boxes are flying off of the shelves.
:-O
I disagree, I expect that if every slashdotter and their dog boycotted it still wouldn't make a dent in the sales figures. Most people couldn't give a shit about whether MS has a monopoly or not, these pwople will buy the xbox if they see it can run shiny new games.
Game producers will jump on the xbox bandwagon when they see the sales figures for the current games, not the sales figures for the xbox. Personally I'd pick up a few xboxes if they could run linux, turn them into a dvd/divx/mp3 player, whatever I felt like at the time. Come to think of it my dad needs a new PC, he's still got a P100
He who defends everything, defends nothing. -- Fredrick The Great
The key phrase there is "casual users." Modifying a console entails a significant amount of risk, money and effort. There will always be a small fraction of the user base that goes to the trouble of doing so, but those users comprise such a small percentage of the population that it's not really a financial issue. When the other 99% of the market has easy access to free games, that's another matter entirely.
Here's where things get kinda hairy and I'm not sure my initial information was correct. All the talks about being able to put a new OS on the XBox involved some sort of bios hack or chage, as there's certain security measures in the bios to make sure you can't change vital things like the OS. So if you change the OS, you're probably going to have to decompile and hack up the bios a little bit, after all this I doubt the machine will function as normal.
Here's what I'm pretty sure of: XBox's hd consists of 3 partitions, one for data, one for music, and a yet unused partition (or at least something to this extent). That partiton scheme seems kinda weird, you may be able to put linux on the unused partition, but how in the heck are you going to be able to bootstrap the thing without messing with the MBR? It's obviously no small task to put a different OS on the machine, or else someone would have done it already, LET alone, putting a new OS on it while retaining XBox compatiblity for games. Also, what happens when games finally start using that 3rd partiton for whatever reason?
http://www.xbox-scene.com/xbox1data/news-archive-1 7-3-2002.php
Interact is putting this out. News bite is buried almost at the bottom of the page.
Knowledge is power. Knowledge shared is power multiplied.
My point is, how would you actually go about distributing this 'virus' that would do the actual DDoS'ing? Certanly not through the Xbox Live network, and I don't think there would be enough people who download, say, an infected Linux distro, to cause any real damage.
Although you are right on one thing, the possibility, and fuctionality, is there.
RaGe
We're all just noise on the wires..
Modifying a console entails a significant amount of risk, money and effort.
Gimme a break. You can get it done on a street corner for 20 bucks cash. I don't know a single person with a Playstation who hasn't gotten a mod chip.
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
I do. I know only a handful who have, and none with anything more complex than the original PlayStation. It probably depends on the types of people you know; I'm currently in a public high school. It's also worth pointing out that the PlayStation is hardly a hot platform anymore. I'm not sure of the availability of GameCube modchips, but I know that PS2 and XBox chips cost upwards of $50, require 40 or so solder points, and aren't terribly reliable. That's prohibitive enough for most people I know.
Then again, why would I want any one company to control my home security, television, stereo, and toaster?
crestron - nuff said
Please give your mod points to others, Im at the cap. They will appreciate it more
I specify FreeBSD, because of the current descendants of BSD-Lite, it has the nicest ftp client at the moment.
Weapons of Mass Analysis
Stopp ripping consumers off. The main reason why people pirate games is that simply (like ink cartridges), they are a rip off. You sell a product to a crowd with little money (teenagers) and expect them to cough up $50 for every game - come on, that's horse crap. The profit margins for game developers are ludicriuos. Doesn't matter on the platform - people are tired of paying $50 for a game, when half the time they only get a few hours of enjoyment out of it. Heem, lety's see - Store cost at CompUSA for Halo is $45, MSRP is $50. Who's making the cash? Manufacturing costs (I'm not counting development costs) are less than $1 for most games. I've only purchased a FEW games that have been worth the money (like FFX or Metal Gear Solid 2) - most are not. If you want to sell allot of games and keep profits up, LOWER YOUR MSRP on games! $29 is a fair price for a great game and $20 is good for an average game. Until game prices go down, I will continue to copy PS2 games and use them with my PS2 mod chip. Crash Bandicoot for PS2 sucks majorally with 5 minute load times, and they expect $50 for this game? Give me a break....
The Neo 4 is the most complex PS2 modchip and only requires 20 solder points. The NEO 4.5 has gotten that down to 11. There are single swap mods for the PS2 that don't require soldering at all and cost $20, and on top of all this, you can buy premodded PS2s for about $50 more than a regular PS2.
I agree that not a lot of people have mods for this generation of systems, but it isn't because it's prohibitive. Even getting it professionally installed will pay itself off after your 3rd blockbuster "rental".
-no broken link
"measures taken to guard against espionage or sabotage, crime, attack, or escape".
You've stated the obvious and dodged the point. The point is that some products advertized to the consumer as secure fail to disclose that the security is for someone else -- they give the false impression that the security is for the consumer.
Be honest. If you bought a product advertised as secure... say a home... would'nt you assume that it was designed to prevent espionage or sabatoge against you? Prevent crime or attack against you?
Wether the idea of security for Company X in a product is valid or not is for the consumer to decide.
Manufacturers should be required to fully disclose who these products are secured for, and how that security will be used to extract more money from the property owner.
Let a fully informed consumer decide if it's worth paying extra for security that secures her property against her, for the benefit of Company X.
In the case of Xbox, it's only slightly less agregious. Microsoft understands that the security is for Microsoft, so they don't prominently advertise Xbox security to consumers. But is hiding this security from the consumer really any better?
I say that manufacturers should be required to fully disclose the situation to consumers before purchase. Something like a prominent label that says:
Disclosure : This product contains security features that secure the product against the owner for the benefit of Company X
Jono