Slashdot Mirror
Security Concerns When Consoles Go Online?
VonGuard writes "I've written an article for Security Focus about the security concerns that having an Xbox or Playstation 2 on your network might raise. The article, entitled Welcome to the Jungle was an interesting experience to write. I really think that Sony will end up having some trouble from their stance on third party security design, while Microsoft might end up smelling like roses. Too bad MS shipped the Nimda virus with their Korean version of .Net Visual Studio."
someone just hacked my game of gta3, i lost my saved game. oh damn.
are they going to delete my games?!?!? FP..
Could have complete cross-compatitibility between consoles and regular comps...
Could I read just one article on Slashdot that doesn't rehash Microsoft bashing (the Nimda thing) that's old news?
People on this site always have to get in their Microsoft bashing. It is pretty shameful. Why can't you just make do with what is out there? That article had nothing to do with the Nimbda virus, but the poster had to throw it in there cause Microsoft didn't look bad in that article. Awful.
Someone haxored my xbox ... and they own it now
omg, they dont even run a proper os to bounce packets inside the local net.
Even if using the linux in psx2 its linux and you need to secure it as any other box.
Come on. This really looks childish. That's an irrelevant story. Just let the facts speak for themselves or you lose credibility.
I used to bulls-eye womp-rats in my pants
Its interesting to note that in this case the closed network MS have been building for X box might be the best thing in the circumstances as it should prevent DDOS usage of the things.
but is this really going to be a major issue ? in reality how much time will these boxen spend on line when not playing games ?
have MS written in code to the os to identify what is and is not and X Box for example? and what about servers - can they be run ?
Thought provoking.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
when a 10 years old kid start playing Tic-Tac-Toe on Norad's top secret supercomputer.
someone is addressing this subject. I've been cracking hacked up playstation jokes for a few months now. Regardless, the same principles apply to console security as do to any workstation, home server, always-on ip connected thing. I think the real concerns could come into play when the linux distro thing starts to have a more common place in the console market (if ever.) Anyhow, I think there's probably some stack hackers that might want to start thinking about kernel level mods to address the forthcoming issues.
-- http://www.criticalassets.com
I thought the PS2 boots of the DVD for the game you're playing, so what exactly would the permanent harm be? Someone h4x0rs your system, all you have to do is reboot. If your running Linux of the toolkit though, that may be a problem, and if for some reason you get Windows working on it, for god's sake make sure you don't install IIS.
Have you been stalked by Seth today?
Jesus. Why not fucking say something about the Challenger in every NASA post? Assholes.
"Xbox Live has military grade security to ensure no cheaters, no hackers, and no viruses."
Now I try not to MS bash but come on this just seemed funny to me that is all
man
No manual entry for
X-box will have better security you say? Right... man, I can't WAIT till consoles are on line... I love laughing at security holes in all the crap I don't use, or know how to use properly.
m l
X-Box was already cracked. It didn't get much press covereage... Eweek did a story, here's the reg's:
http://www.theregister.co.uk/content/3/25568.ht
Closing their service to outsiders increases the security of their system overall and "prevents hackers from scaling beyond one machine," the company claims. "Xbox Live has military grade security to ensure no cheaters, no hackers, and no viruses."
Now only if they could apply this theory to their OS strategy...
People are going to hack their consoles. Hell, the first thing I did with my TiVo was to take it apart. Don't think I'm not tinkering with my xbox, it's potential as a cheap Apache webserver or slave in a rendering farm begs experimentation.
It's good that Sony is supportive of the curious developer. It means their platform will spread wider. At $199 apiece, there's no reason not to mod consoles.
I don't doubt a lot of consoles are going to be 0wn3d. Whether it's Microsoft first or Sony will depend on the hobbiest - or on a corporate uh-oh. After all, Microsoft did ship Nimda to Korea with Visual Studio .Net. I'm not crazy about Microsoft's decision to close their gaming
community, but I'm not surprised either.
Blizzard does the same thing (and are villified for it). But I'm less troubled by Blizzard's motives than by Microsoft's.
Ok, so someone hacks you Playstation. That's bad, but I don't think it's nearly as bad as the article will have you belive. Remember, people, these are consoles. You turn them off when you're not playing. You reset them when you swap games. And although the Xbox has a harddisk, I'm not sure if you could actually store something on it that would have any effect on the machine after a reset and a swapped game.
While it may or may not be hard to hack the console in the first place, it should be pretty difficult to keep the box hacked. It's like if you re-installed your PC everytime you want to run a new program.
The window of opportunity for exploiting the machine for DDoS attacks, as stepping stone etc only exists for as long as the gamers current gaming session. With enough boxes out there, that could still add up, of course.
The cheating/disrupting games angle is much more benign - this is something the gamers will notice, and thus force the game companies/console manufacturers to fix, or they risk losing their sales, and as we all know, wallet beats paper, rock AND scissors.
Oooh... so now when someone is playing DOA3, and the guy on MY network gets the crap kicked out of him, one of my servers gets the crap kicked out of it as well. Now, seeing as I am pissed about that... I go and royally beat the crap outta him, and whee... look ma, I just killed www.microsoft.com
And so we go, on with our lives
We know the truth, but prefer lies
Lies are simple, simple is bliss
Well if they didn't throw in the MS bashing, they would be keeping to the spirit of a slashdot post. No matter if it concerns MS or not they must make some not so witty remark about how MS is the evil overlord of the earth. BAH.
This statement alone is worth article rejection. Just what the hell does shipping the Nimda virus with a product update have to do with online console gaming security?
Even if the two are remotely related, the latter was an internal screwup while the former would likely be a case of l33t h4xx0r5.
"Adequacy.org: Where congenital stupidity is not an option, but a requirement."
http://web.mit.edu/bunnie/www/proj/anatak/xboxmod. html
There's an Xbox mod. How long before kiddies start buying mod kits that have holes (as if there aren't holes not yet found.) Another poster asked how often consoles will be online while not playing games... why couldn't a trojan take up bandwidth while a game was being played? And with broadband, they'll likely be left on. No, the internet is a dangerous place and you don't have to be named Gibson (www.grc.com) to be paranoid.
. This sig unintentionally left blank. I meant to put something here, but I'm busy.
Yeah right, try shrugging it off when somebody deletes your Phantasy Star Online characters after 50 hours of gameplay (this actually happened to many many people playing Sega's first online RPG).
So lets say that all the XBoxes that are hooked up to broadband suddenly are "triggered" like so many zombie 98 machines and start attacking certain domains or whatnot...
Scary proposition, but luckily I don't think too many people keep their XBoxes on all the time...
I would imagine that since the PS/2 or Xbox is INSIDE a LOCAL network, it wouldnt really open up security issues. For something to really cause a security issue, it has to open up and recieve requests on a port. I.E. Apache, telnet, ssh, ftp etc etc. So I dont think the PS/2 or Xbox is a problem. Unless you give it a global ip and start running Apache...uh....shit...There's an idea...
In college, really poor, need a flatscreen.
Good points and i was wondering about it - but the issue is present with every console isnt it..?
And the broadband applies to the states but what about other countries ? in Australia at the price of broadband i cant see many people getting it just for their X Boxen.
I refuse to argue with Anonymous Cowards - if you want a discussion get an account....
Isn't that how it works with PC Gaming? The security of the game and ultimately the PC lies in the hands of the Game developers and things for the most part work out "O.K".
The same methodology for the PS2 will work. "Why Fix it if it ain't broke". If a PS2 Developer House wants their game to flourish online they know they will have to do their best to curb cheating and most certainly avoid security holes in their games at all costs.
I fail to see how having Microsoft hold all the cards for the security of the XBox is a good thing. That's how it is with their OS and well... look at it.
Power to the Third parties!
Microsoft decided some time ago that the best way to create a good online gaming experience for a console is to maintain a console's three biggest advantages over PC gaming.
No Cheating
No Viruses
And no Cheating
Cheating in online games has reached such epidemic porportions on the PC that many have given up on it completely. Others just slug it out and learn to deal with it.
Microsoft wants to offer 3rd party mods and the like to its customers. Since they get a cut of every game sold for the Xbox, it makes sense for them to freely distribute mods that increase the value of the games and the console. But they want to check to make sure the mods aren't buggy, virus infected peices of shit that are going to screw up a few million Xboxes.
They want to take all the mods, pour over them, check them for cheats and viruses then let you d/l them. All the while monitor for cheats in use.
If they can do it, more power to them.
If not, the Xbox is in trouble.
I give them 50/50 odds.
I'm sure a lot of people are like "OMG, Microsoft, evil, evil evil! They can't do anything right!"
Well, they are evil (so are Nintendo and Sony in their own ways) and they do screw up more than they succeed. But they do have divisions which score a win on a regular basis.
The Macintosh Business Division was created when it became clear that teaching some Windows guys the Mac's APIs and sitting them down to port Word or something was a complete disaster. A small team of people who Knew What They Were Doing sat down and without interference from the rest of the company, were allowed to do their own thing.
The result? The versions of Office, IE, Outlook and other Microsoft apps are lightyears ahead of their Windows counterparts. They pick up the latest APIs and exploit them before anyone else. Their products tend to be stable, well-thought out and actually useable.
How has the community reacted? The MBU averages 1 Billion+ dollars in revenue every year.
Could the X-Box division do the same thing? Yes
Is it too early to tell? Yes
Does it look promising? Yes
They've already made a number of good decisions with the Xbox. Excluding the bizzarely unreliable store models, they are stable and reliable machines that can be left on for ages. The hard drive didn't bring patches for games, but only free expansion discs, personal game soundtracks and the end of memory card hell. The money I've saved in memory cards has nearly paid for games I own.
The breakaway cables have saved me about half a dozen destroyed Xboxes.
The DVD kit saved me when an out of warranty DVD player turned to crap.
The Xbox has some issues, but it doesn't have the "too many hands in the pie" problem that Windows and the PC versions of IE, Outlook and Office do that lead to bloat, instability and security problems.
They can make it work. It's their call wether they do or not
can be found at news.com and of course there is that little article I wrote for Game Developer (which has already been covered twice here) at gamasutra.com
-Matt Pritchard
Just about ALL games that combat online cheating have to do so through online updates. With these consoles still largely running off their read only media, attacks on them are likely to last longer than with their PC counterparts. I'll stick to my PC games, thank you very much.
[donning flamesuit] /. - sometimes it's deserved and sometimes it's not. Mostly the former.
Yeah, there's a lot of Microsoft bashing on
MS touts it security while its insecurity stands frozen in the stark daylight. It's kind of like trying to be all suave and debonair with your fly unzipped. It's funny.
Now I'm all for using the right tool for the right job. It just turns out that Linux is cheaper, breezier, and more stable most of the time. For LAN parties, it's Windows 2000 hands-down. For console gaming, I like the XBox - mostly for its hacking potential. But I plan to get a Playstation 2 as well.
Someone haxored my xbox ... and they own it now
omg, they dont even run a proper os to bounce packets inside the local net.
Two words. Shit. Bull. Rearrange them until they make sense to you.
Too bad MS shipped the Nimda virus with their Korean version of .Net Visual Studio.
.NET team does something poorly, they deserve to get slammed. But the Xbox team does not need to hear about the mistakes of the .NET team. You wouldn't say that the Playstation 2 sucks because Sony supports copy protection on its CDs, would you? That was un-called-for.
Now, wait a second. These are two completely unrelated parts of the company. If the Xbox team does something well, they deserve praise, and if the
Lack of eloquence does not denote lack of intelligence, though they often coincide.
You know, it almost seems that Micro$oft might be coining yet another totally ambigous term to be used by the all-knowing press when discribing 'computer things'.
It reminds me of the wonderul unit of measurment we have come to know as the 'Library of Congress' that renders such wonderfully discriptive stories such as:
HEADLINE - 1000000GB Ethernet spec being reviewed!
Transfers 4324231124 LoC's per / second!
Or maybe the use of number of songs an MP3 player can hold....(instead of MB of storage)
Just makes me want to find out exactally what this 'military grade security'. Just remember, they didn't bother specifying which military. If their idea of militrary involves a bunch of monkeys, then it might not be so good...
Yes, I know its off topic but I couldn't help myslef...
Still, I hope they live up to their claims for the sake of the net. After all, they've come a long way since they couldn't get "ping" right (eg. the ping of death attack which could bring a server down with one command).
Waking up one morning and finding out that you XBox which you left online playing HALO was turned into an FTP server, by a couple of script kiddies.
"It takes many nails to build a crib, but one screw to fill it."
that the news.com article focuses mostly on the "cheating" side of the problems and barely touches the more general purpose "hacking the console game via the new".
However, if you hack the console, cheating is a automatically a problem by definition.
It's interesting that the definiton of online cheating has expanded to included a myraid of things a person can do disrupt the game, host systems, or even the network connections of other players. All that seems to matter is hurting another player in some way.
Console systems will be vulnerable to the standard problems (buffer overflows, poor design, etc), but just how much can you loose? On the Xbox, it will be necessary to save executable code to the hard-drive to make a hack persistant, and I'm not sure that a game currently running is even allowed any access to those paritions. On the PS2, what if the hard drive isn't even present? Just reboot and reset.
On the flip side - it's a royal pain to patch a console game. You have to issue new disks.
-Matt Pritchard
I'm afraid I didn't actually see a single fact in the entire article. Lots of 'coulds', 'possibly', etc., and suchlike, but nothing in the realm of real information. He quoted a 'source' who didn't seem to know that much, I burned 2 years of my life playing my dreamcast online and didn't suffer a single instance of the attack mentioned. This is a serious issue that needs to be dealt with, but how about we add some new information when we post our articles to major news sites?
(from the article)
"it's just a game"
Well if it's just a fucking game then why bother fucking cheating you worthless shit eater. People like you make me despair for humanity.
Did I mention that online cheating really annoys me?
thoug microsofts security record is, well, slim at best. it's a little bit out of line to use every opportunity to mock them for theire* blunders. this article deals with consoles, and the editor managed to slip inn a little "and they also did ..."
its a little bit of "say what they wan't to hear", well hey, this is slashdot
*hmm. i better go watch "henry fool" again, the donut people
XBox: $200
1-year subscription to XBox Live: $50
Getting to play halo on the internet before the PC and Mac users get to play it at all: Priceless
using namespace slashdot;
troll::post();
The author seems to confuse the true danger, that of people being to 'get root' on the consoles, and thus pull off things such as distributed denial of service attacks, with the trivial ability of people to patch the various games with hacks so they can show their 133t s|
The first is a true danger and should convince people to only attach these consoles to the net by way of a well configured firewall. The second can be summed up by saying "whoop-de-frickin-doo."
---
Kwanza is not a Polish holiday!
. . . of Xboxes
. . . running the Nimda virus.
Nathan's blog
They say it's not such a big problem, because a hacker could only either cheat in an online game, or perform a DoS attack on the user. "If someone hacks you, shrug shoulder's, hit reset. You've only lost time."
But the real problem is that eventually these consoles will also serve functions other than just gaming. Both Micros~1 and Sony want your living room for more than games, they want to provide other services such as movie/music downloads, general web surfing and online commerce.
That means that the HDD (standard in Xbox, optional in PS2) will contain potentially valuable information, such as content you've downloaded, or maybe your CC number you used to buy the extra content in the first place. So if hackers could get at that data, they're potentially ripping you off.
While this problem exists on PC too, consoles are an easier target because each one has exactly the same OS (non-upgradeable/non-patchable). If game Foo comes out with some vulnerability that allows hackers to access the contents of the HDD, then the game developer won't be able to send out a patch for Foo...
Yeah, I'd be worried.
You can have an absolute open box where anyone can get on and do anything they want, and it will have a military grade. Granted it is not a high level of security but it is a military graded security.
my XBox or PS2 get r00t3d? What can be worth the time spent hax0ring the consoles? It's not like they are being used to store CC numbers... It's not that there are shell access for which you can compile l33t war eggies for #h4x0r-united... Hell, even for the publicity concious h4x0rs out there, it doesn't even run HTTP service (even it it does/can, who the hell would want to point a domain to their XBox/PS2 anyway!), so there's no web pages to deface!
The only security you need for your consoles is physical security so that it doesn't get stolen while you're not playing with it (and most definitely it won't be online during this time).
Welley Corporation - SLM Scammers
Thanks for that. I'm going to leave work early tonight to buy an x-box!
lets take the track record for Asheron's Call, currently microsofts highest premium on-line game. If you are looking for an example of MMORPG where massive cheating and hacking is allowed this is it. While developed by an outside company, which created a great game, Microsoft controls the rules and Code of Conduct. Microsoft could careless about the cheating and does minimum amount of taking care of people who just play to cause problems for other people. Thing is thier is no reason to believe that microsoft will change with the X-Box network. Based on microsoft's current track record thier is no way I would purchase an x-box for on-line gaming and believe that microsoft will take care of the security, hacking, and just plain trouble making people.
Yea. It looks childish. But that doesn't mean the event has no relevance here. Let's look at this a bit deeper.
Data integrity is often one of the goals of an organization's infosec posture. This is more than simply ensuring the data is not improperly accessed and is available. It is also ensuring the data has not been altered without authorization.
In this case, Microsoft's data being offered to its customer had its integrity violated. Malicious code made its way in to an external distribution; not obscure code but a well known virus. Now, Microsoft is not the only one to suffer the embarrassment of distributing a virus. But it does highlight a breakdown in Microsoft's internal infosec practices. And that comes at a very inopportune time for Microsoft.
So the question would then be - how does this apply to the security of the XBox? Microsoft has a long history of troubles not only with security, but an almost arrogantly blatant disregard for security practices and concepts. This has eventually backfired on Microsoft and they have been faced with a growing PR issue. The answer to this situation has been Trusted Computing - a bottom-up change in Microsoft where everyone has been trained in infosec concepts and practices. If Trusted Computing pans out, Microsoft's security woes are behind them.
The cynical in the infosec / IT industry have already noted that they've heard this song before. Microsoft's PR and Marketing departments constantly promise security - especially after incidents that focus on MS products. Furthermore, experienced infosec workers know that addressing infosec issues often requires a complete change in methodology and outlook. And this translates in to changing Corporate culture. Microsoft may be nimble, but this change may be too demanding for even Microsoft to accomplish.
The relevance of Nimda appearing on a Microsoft software release is the question of whether this incident was a simple embarrassment or an indication of a continued lack of understanding for infosec issues within the Microsoft culture. And that certainly has a bearing on the question of Microsoft's concepts of information security and the XBox.
Although the article itself might not be bad, it is quite surprising that the author posts it himself on /. If all the /. readers were posting everything we publish on the web, the /. staff would be quite overwhelmed by the amount of self-advertising posts.
But, of course, this does not question the interest of the article.
The other issue is that somebody might figure out how to crack these boxes from afar (and, because they're all identical, once you've got one you've got them all). Now, people don't keep commercially-sensitive data on them, so the worst that can happen from the owner's POV is that the box is rendered unusable and they have to take it back to the store. However, they'd make a really good place to run DDoS's from.
The best way to make this harder, IMHO, would be to require people using these boxes to use special broadband connections that have been firewalled upstream to let only let normal traffic in and out - nobody should be trying to establish connections with these consoles, and the only things they should be trying to connect to are the game servers. Anything else should be firewalled off. The firewall would presumably be carefully monitored.
One wonders also whether game code runs "as root" on the XBox. Obviously such code should have direct access to the video hardware, but whether it has unfettered access to the file system is another question. Surely it's possible given the restricted functionality available and given an unmodified XBox, that only code signed by Microsoft can alter certain key files? (In other words, avoid "local root exploits" in services runnable by game code). That way, even if a game has a buffer overflow or the like in its network code, nothing too serious can be compromised and the problem presumably goes away on power-cycle when the whole game is reloaded fresh from DVD.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Comming to your Xbox soon!
BSOD for the Xbox
Nimda for the Xbox
iloveyou for the Xbox
linux for the Xbox
Goatse.cx for the Xbox
... this will be an intersting experiment.
Can anyone remember when in Internet history this many nodes have gone on-line in such a short period of time?
I don't know what sort of bandwidth these games will require, but what if any effect will there be when potentially hundreds of thousands of consoles start accessing the 'net within a period of a few days, on top of the normal growth?
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Microsoft's closed network might be the greatest thing ever, but that won't matter if noone wants to use it. And I bet thousands of teenagers aren't exactly thrilled about being forced to live in Mickeyland. (Also, how does this kid-friendly network work with the "cool, for grown-ups" angle MS is trying to sell the machine with?)
From the article:
"I don't always cheat. I'm pretty good playing straight," he insists. "Cheating makes me a god."
Ok, if you are "pretty good" playing straight, why cheat? Seriously. It's a game. People cheat all the time, but I for the life of me don't understand the need to have an edge like this.
IMO, part of the fun is seeing how you truly match up against people and watching yourself progressively get better. This I feel like God crap is worthless. Besides, doesn't he get tired of it?
I know there will be plenty of people saying it's just human nature to do this, but really, is it? The vast vast majority of people are not like this, so what causes people (in Counter Strike and other online games I mean) to do this. Notoriety? Fame? (It's a fucking game!) Fortune? I don't think so.
I guess my final take on this is yes, he may indeed think he is a God, but all he is doing is cheapening himself in the eyes of people like me. And I believe there are a lot of us out there. Do unto others as you would have them do unto you.
Sent from your iPad.
Because if NASA had the same track record as Microsoft, the US would still not have anything in orbit, much less on/around other planets. (Except perhaps a lot of debris and radioactive fallout.)
How in gods name could X-box be safer than PS2? I thougt that xbox ran a mutated version of Windows XP. It is supposed to be a multimediahub in the future and as such it is bound to have many networking fetures turned on and fully implemented. Since many exploits that works on WINXP probably works on Xbox i can rpedict that it wont be that safe. PS2 on the other hand hasnt any known exploits yet and to get hold of the SDK is a bit harder. I think xbox owners will have to patch as often as any other WinXP user.
HTTP/1.1 400
Someone will hack your PS2, so what? You maybe lose your FFX savedata but what more?
With Xbox things will be maybe a little harder because of the harddrive and a maybe more hackable OS, but whatever it's only a game.
It's not called "Microsoft Bashing" ... it's called "Restating the Obvious".
However, it's quite annoying no matter what you call it. Microsoft's track record is well known. Restating it for people won't make them listen. Just shut up and let them eat their own dogfood for a while longer. They'll figure it out or they will fall by the wayside.
its linux and you need to secure it as any other box
No, you don't. You might want to patch or disable some of the buggy programs that are distributed with it, but Linux itself (the ekrnel) is fairly secure. Probably more so than any other OS kernel (well, apart from some things like Solaris maybe), due to the amount of people and experience put into it.
Follow me
In fact, this looks very much like the Unix-Windows security arena. Unix has been traditionally open. All the protocols are open, and, especially, the implementations never assume that they know who or what is on the other side. This, in fact, is one of the critical aspects of security. Never trust the remote. Ever. Always assume that things can be spoofed, always assume that all and every piece of data you receive has NOT been validated by the remote. This is the Unix way of doing things. This, in fact, is the right way of doing things.
Alternatively, you can start "trusting" the untrustable. You can build a single platform network and assume that all data sent from the remote is "good data". This is naive, and leads to disaster.
Remember the "ping of death" vulnerability that existed on Windows machines: why did it exist? The simple answer is that it was there because the ICMP stack was badly coded. Right. But that's only half of the story. In fact, it was there because of Microsoft's way of thinking. Microsoft always assumes that things are under full control. The ping of death vuln existed because the Windows version of "ping" did not allow for larger-than-a-given-number packets to be sent. And the Microsoft way of thinking is "if the client can not send it, the server can neglect checking for it". That way of thinking has lead to many of the security flaws in Microsoft products.
The truth is, things are not always under full control. The XBox can be hacked locally, changed into allowing modifications to be performed on the "Microsoft trusted" software components. Other kinds of machines can be connected to the network and made to pretend to be XBoxes, while still allowing full control by the owner on what gets sent and to where.
In short, by choosing to create an "XBox-only network", Microsoft has taken the step that will make its network fundamentally insecure. If you still can't see why, think of it in the Disneyland way Microsoft suggests. What they are in fact saying is that "since the Disneysoft is secure, you can trust everyone there". The things you normally tell kids to do, like "never take candy from strangers", are no longer in effect inside the Disneysoft. Inside Disneysoft, you can take candy from anyone. What is the rationale behind this?
That "bad people" can't go inside? Wrong.
That "bad people", once inside, can't give you candy because "giving candy" is not an option? Wrong - if you own the box, everything is an option.
That if "bad people" do this, they will be expelled? Sure. They can expell all they want. That won't prevent them from coming back, and it certainly won't prevent your kid from being dead.
A last thought: People go around saying "what can happen? someone steals your save game? so what?".
Well, on one side, the XBox is being touted as a future "computing/internet/browsing platform". That means all kinds of sesitive information is going to get stored in its hard disk. And while having your save game stolen can be little more than a nuisance, having your personal data, personal files and credit card information stolen can be a bit more serious than that.
On the other side, the XBox has a network adapter. And guess where it is going to sit? Right on your home network. Together with your PC. Together with your other local devices. Probably inside your firewall? Great target for a hacker to attack and, from there, jump on to your private network. Sure, you can always firewall it, put it on a DMZ. Sure... Microsoft does not have a good security record.
free the mallocs!
eweek is linking to a report (PDF format) from a student at MIT detailing how Microsoft is using a hardware-based encryption key in the Xbox. The bad news? The key is identical in every unit.
"For every right, an equal responsibility..."
Everyone seems to forget that XBoxLive is a subscription service. How about I hack your box and steal your password? Now I can play as you.
Even worse when MS truly implements passport as a "single sign-on" service.. then I'll be able to become you wherever there is passport. Perhaps I'll log in and place a few bids on ebay for you.. you did want a gamecube and PS2 didn't you? Well guess what lucky bidder, you just paid $800 for them!
From the linked article:
Closing their service to outsiders increases the security of their system overall and "prevents hackers from scaling beyond one machine," the company claims. "Xbox Live has military grade security to ensure no cheaters, no hackers, and no viruses."
So they couldn't make their OS with mititary grade security, but their game console is good to go? Yeah, right.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Security is one of the reasons Microsoft is building its online service as a closed, Microsoft-only system.
'Cos for sure no one has ever made a clone of battle.net or Everquest
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Section E of the warranty (page 18) says "Exclusions from limited warranty. This limited warranty shall not apply and Microsoft has no liability ... if the Xbox Product:" ... (section E5) "is damaged by programs, data, viruses, or files, or during shipments"
Not that you'd ever get one with the military grade security, but it's reassuring that Microsoft has no responsibility to do anything...
HIV Crosses Species Barrier... into Muppets
If a security hole is found that lets you execute arbitrary code, maybe you won't need a mod chip.
Wow, I remember when I put my Dreamcast up on my network, and it was hax0r3d by all those script kiddies, and, ummm, they erased my CDROM...
....And this guy's comments about Dreamcast exploits. yeah SUUURE. I'll throw my Dreamcast on my network, give you its IP, and you can give it a ping of death. ive _____NEVER_____ heard of this, and have been VERY active in online play with the Dreamcast.
Yeah sure. Whatever. Sounds like someone is making stuff up now.
"Nintendo has yet to officially announce its networking plans for the Gamecube, but there are games slated for release on the platform later this year which are designed for online play, most notably Sega's Phantasy Star Online. It's rumored that Nintendo will release a modem for its system this coming October, says Che Chou, editor at the videogaming magazine Electronic Gaming Monthly."
Um, hey smart guy, um, well... Nintendo has stated they WILL have a modem, AND broadband adapter. Get with it, E3 was HOW long ago?
Looks to me that someone just wanted to go bashing and not even look up their facts before writing an article on security focus.
With all the disinformation in this guy's article, and the lame M$ bash in the post, dare i ever go back to Security Focus for 'information'.
Nah.
I am very security conscious and the problem is not only limited to 3rd parties exploiting a security flaw in the XBox. What I am also worried about is that Microsoft, Sony or whoever has "legitimate" access to the box to upload code which could simply run in the background, put the box's ethernet interface into promiscous mode and start logging what's on the lan and report back to the mothership. Corporations do not care the least bit about your security at home. Another good real-life example of that was my TelCo suggesting I connect their DSL modem directly to my lan. Then they'd only have to upload a modified firmware to that modem and voila: instant carnivore!
it's still a game console. there's nothing to be gained from hacking the living crap out of someone's game console. You're not going to find secrets or confidential data, and you're not going to DoS a ton of people by knocking out a game console. There are more important things for MS's security teams to work on.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
How is that not an update?
"for a situation where a new kernel has something you need but dont have... you dont ever need to recompile your kernl if everything works ok..."
That sounds exactly like an update to me. You had no need to update windows if 3.11 had everything you needed.
I'm sure the security on the X-Box is up to the military standards of say, Tuvalu or Somalia.
XBoxen? Fucking lame d00d
Speaking of Microsoft and Virii, I wonder if they will have a part of the windows update page, or some thing like it, that will allow it to recieve updates, or if their servers will automatically patch them.
Xaotik Designs
Think of ring 0 as the hardware version of root priveledges. Infact, the software protections that enforce the system security policy would not be possible without all of the user's code running outside ring 0.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
Might be useful to have the facts before we start ripping into MS -
Xbox Live's security is probably a signed key (Kerberos?) infrastructure (served by MS) that encrypts and authenticates all traffic at the stack level, whether games are peer-to-peer or server centric. But it still just runs over the 'net, the only 'closed' part is that keys are only given to Xbox subscribers. For $50/yr you get 'security', that's what you're really paying for.
Given that you can already network Xboxes w/o Xbox live (Halo parties), we know that an Xbox can talk in unencrypted TCP/IP... maybe the install disc for Xbox Live will turn this off tho? Anyone know if LAN-connected Xboxes use encryption?
Otherwise yes I agree, there's got to be some holes in it!
I like how Sony is letting developpers do what they want as far as online gaming goes. Of course, when things go wrong and security is breached guess where the finger points? :)
I thought the largest problem with a hackable machine on a network is if every other computer on that network trusts the other computers on that network, all of the sudden everything is just as insecure.
Whatever electronic technology you are talking about, if it is reprogrammable, and it is connected to others systems, it is potentially dangerous. If someone happens to figure out how to gain system level code access to these machines, they can reprogram to do whatever the heck they want. The real danger is from virii. Say you play the game for 3 hours. During that 3 hours, a virii could infect your system, and use spare cpu power to do who knows what. Anyone interested in being arrested because a hacker used their xbox or ps2 to try and break into a government server?
Well, you are partialy correct in stating that for something to be exploited it has to be running a service (ftp, ssh, telnet etc..), but just because something is on an INSIDE network doesn't mean it's secure (unless you know what your doing).
Someone could be running AIM for instance on an inside network you wouldn't see it with a portscan or anything like that but give the wrong person your handle and start a conversation with them and they can take over your PC (Check out CERTs on this).
Once a communication tunnel has been established servers can then be exploited.
Lets say that the central server for a particular game you want to play get's hacked once you log on it would be very easy to send you bad data packets etc...
Probably just release an update CD you stick into your system and it'll load any new software you need.
For an example, look at the Sony PS2 DVD remote, which comes with a CD containing the new drivers if you have an earlier model.
I don't know about you, but I don't leave my game consoles running unless I'm actually using them...
My PC, on the other hand, is another matter. Of course, even if I'm not sitting in front of the monitor, there's always Seti or some other distributed computing program running.
The Sony world being "open" to a degree means that it's possible for a company to be stupid about how it goes about verifying that the code on the console is the same that was shipped from the factory (using a mechanism that's vulnerable to playback attacks, for example), or to leave debugging "cheat" codes turned on -- but that's the fault of the individual company, and not the overall model.
Bottom line: simplicity breeds robustness. There just isn't enough "there" there on a console to exploit.
"though I think there's no more danger than the zillions of PCs already out there.
The difference is that if an exploit is found (or should I say when) the exploiter will be able to rely on all the consoles being the same. And furthermore, there is not currently any mechanism for getting a patch out to and installed on millions of existing consoles to close the hole. Maybe PCs are still more of a danger, but this new problem is worth considering.
Don't moderate flamebait as Troll. Know the difference or you will be Meta-moderated.
On cursory examination, one can use any old hard drive; the connectors are standard. The hard drive is a rebadged Maxtor 3.5" job with special rails to lock it inside the PS2 chassis.
I'll have to test this theory out this weekend, but I see no reason it won't work, unless Sony altered the firmware for the hard drive
--
Me spell chucker work grate. Need grandma chicken.
Closed global broadband network. Bwahahahahahahahaha!A HAHAHAHAHAHAHAHAHAHA!!!
Bwahahahaahahahahahahahahahaha!
BWAHAHAHAHAHAH
Contrary to the popular belief, there indeed is no God.
Yes, of course... and back to the topic at hand, we should hold Microsoft responsible if you get hacked with these hole-ridden mod kits!
This is like saying that if I remove the fucking steering wheel from my car, and then kill a family of four, I should hold GM or Ford or Toyota or whomever responsible "because I was able to remove the steering wheel from the car."
I think your logic is flawed. Note you didn't exactly say that, but from reading your post I got that impression.
Aw, fuck it. Let's go bowling. - The Big Lebowski
Don Kellogg is cheating. Over the last hour he's pumped round after round into camouflage-clad terrorists, and only a few of them have been able to return the favor.
Later on he will masturbate violently to pictures and movies of gorgeous Playboy models, while he imagines having sex with them. No woman in the world is even remotely interested in returning the favour.
"I don't always cheat. I'm pretty good playing straight," he insists.
I try to explain that whacking off to more than one nude model in the same night really isnt regarded as cheating on them, but the point appears lost on him. I dare not ask him to expand upon the 'straight' comment.
"Cheating makes me a god."
I'm pretty sure most gods shower more often. It's not as if he spends time that could have been spend on personal hygeine actually becoming good at the game.
I subtly suggest that he might not need to cheat if he considers using the mouse to turn instead of using the arrow keys, but as his on screen persona turns around slighty faster than the short arm of the mickey mouse clock on his wall, he claims that he can make just as easily make a headshot on someone standing behind him across a large distance, armed with nothing but his knife.
"And besides, the mouse sticks a bit too much when I try and turn around sharply."
"Sticks?", I inquire.
"To my hands," he explains, "Damn these hairy palms."
As he says this, he pumps three rounds from his Heckler and Koch MP5 into an unsuspecting opponent, bringing his kill count up to 47; his nearest competitor has 21. Kellogg plays under the pseudonym "Nharlothep," and when he cheats, he is indeed a god.
And when he plays without cheating, he gets crucified. But its not the hands-and-feet-nailed-to-a-cross style of crucifixtion, its the pole-up-the-arse, u-would-probably-get-beaten-in-a-game-of-solitare type of destruction. Heck, the guy installs VNC on peoples computers and then challenges them to a game of Microsoft Hearts.
He begins to type a message into the keyboard. A search-and-destroy effort this slow hasnt been seen since the first world war. "w00t! w00t! ph34r m3!!!" he types.
Sorry, I can't take an article on security seriously from someone who doesn't appear to understand the meaning of the word "hacker" appearing to use it instead of cracker perhaps the author should read the dictionary I mean its annoying that the media use the word so ignorantly, but a security guy?