Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Concerns When Consoles Go Online?

Posted by michael on from the never-had-these-problems-with-atari dept.

VonGuard writes "I've written an article for Security Focus about the security concerns that having an Xbox or Playstation 2 on your network might raise. The article, entitled Welcome to the Jungle was an interesting experience to write. I really think that Sony will end up having some trouble from their stance on third party security design, while Microsoft might end up smelling like roses. Too bad MS shipped the Nimda virus with their Korean version of .Net Visual Studio."

8 of 211 comments (clear)

  1. Microsoft Bashing by Anonymous Coward · · Score: 4, Insightful

    People on this site always have to get in their Microsoft bashing. It is pretty shameful. Why can't you just make do with what is out there? That article had nothing to do with the Nimbda virus, but the poster had to throw it in there cause Microsoft didn't look bad in that article. Awful.

  2. Is that really neccesary? by recursiv · · Score: 4, Insightful
    Too bad MS shipped the Nimda virus with their Korean version of .Net Visual Studio


    Come on. This really looks childish. That's an irrelevant story. Just let the facts speak for themselves or you lose credibility.

    --
    I used to bulls-eye womp-rats in my pants
  3. for those that don't read the article by Rubbersoul · · Score: 4, Funny


    "Xbox Live has military grade security to ensure no cheaters, no hackers, and no viruses."


    Now I try not to MS bash but come on this just seemed funny to me that is all :)

    --
    man .sig
    No manual entry for .sig.
  4. deleted games by lightspawn · · Score: 4, Insightful
    someone just hacked my game of gta3, i lost my saved game. oh damn.


    Yeah right, try shrugging it off when somebody deletes your Phantasy Star Online characters after 50 hours of gameplay (this actually happened to many many people playing Sega's first online RPG).

  5. MS's "Disney Land" approach by Y-Crate · · Score: 5, Interesting

    Microsoft decided some time ago that the best way to create a good online gaming experience for a console is to maintain a console's three biggest advantages over PC gaming.

    No Cheating
    No Viruses
    And no Cheating

    Cheating in online games has reached such epidemic porportions on the PC that many have given up on it completely. Others just slug it out and learn to deal with it.

    Microsoft wants to offer 3rd party mods and the like to its customers. Since they get a cut of every game sold for the Xbox, it makes sense for them to freely distribute mods that increase the value of the games and the console. But they want to check to make sure the mods aren't buggy, virus infected peices of shit that are going to screw up a few million Xboxes.

    They want to take all the mods, pour over them, check them for cheats and viruses then let you d/l them. All the while monitor for cheats in use.

    If they can do it, more power to them.

    If not, the Xbox is in trouble.

    I give them 50/50 odds.

    I'm sure a lot of people are like "OMG, Microsoft, evil, evil evil! They can't do anything right!"

    Well, they are evil (so are Nintendo and Sony in their own ways) and they do screw up more than they succeed. But they do have divisions which score a win on a regular basis.

    The Macintosh Business Division was created when it became clear that teaching some Windows guys the Mac's APIs and sitting them down to port Word or something was a complete disaster. A small team of people who Knew What They Were Doing sat down and without interference from the rest of the company, were allowed to do their own thing.

    The result? The versions of Office, IE, Outlook and other Microsoft apps are lightyears ahead of their Windows counterparts. They pick up the latest APIs and exploit them before anyone else. Their products tend to be stable, well-thought out and actually useable.

    How has the community reacted? The MBU averages 1 Billion+ dollars in revenue every year.

    Could the X-Box division do the same thing? Yes

    Is it too early to tell? Yes

    Does it look promising? Yes

    They've already made a number of good decisions with the Xbox. Excluding the bizzarely unreliable store models, they are stable and reliable machines that can be left on for ages. The hard drive didn't bring patches for games, but only free expansion discs, personal game soundtracks and the end of memory card hell. The money I've saved in memory cards has nearly paid for games I own.

    The breakaway cables have saved me about half a dozen destroyed Xboxes.

    The DVD kit saved me when an out of warranty DVD player turned to crap.

    The Xbox has some issues, but it doesn't have the "too many hands in the pie" problem that Windows and the PC versions of IE, Outlook and Office do that lead to bloat, instability and security problems.

    They can make it work. It's their call wether they do or not

  6. So... by sean23007 · · Score: 5, Insightful

    Too bad MS shipped the Nimda virus with their Korean version of .Net Visual Studio.

    Now, wait a second. These are two completely unrelated parts of the company. If the Xbox team does something well, they deserve praise, and if the .NET team does something poorly, they deserve to get slammed. But the Xbox team does not need to hear about the mistakes of the .NET team. You wouldn't say that the Playstation 2 sucks because Sony supports copy protection on its CDs, would you? That was un-called-for.

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.
  7. Relevance by _Sprocket_ · · Score: 4, Interesting



    Too bad MS shipped the Nimda virus with their Korean version of .Net Visual Studio


    Come on. This really looks childish. That's an irrelevant story. Just let the facts speak for themselves or you lose credibility.


    Yea. It looks childish. But that doesn't mean the event has no relevance here. Let's look at this a bit deeper.


    Data integrity is often one of the goals of an organization's infosec posture. This is more than simply ensuring the data is not improperly accessed and is available. It is also ensuring the data has not been altered without authorization.

    In this case, Microsoft's data being offered to its customer had its integrity violated. Malicious code made its way in to an external distribution; not obscure code but a well known virus. Now, Microsoft is not the only one to suffer the embarrassment of distributing a virus. But it does highlight a breakdown in Microsoft's internal infosec practices. And that comes at a very inopportune time for Microsoft.


    So the question would then be - how does this apply to the security of the XBox? Microsoft has a long history of troubles not only with security, but an almost arrogantly blatant disregard for security practices and concepts. This has eventually backfired on Microsoft and they have been faced with a growing PR issue. The answer to this situation has been Trusted Computing - a bottom-up change in Microsoft where everyone has been trained in infosec concepts and practices. If Trusted Computing pans out, Microsoft's security woes are behind them.


    The cynical in the infosec / IT industry have already noted that they've heard this song before. Microsoft's PR and Marketing departments constantly promise security - especially after incidents that focus on MS products. Furthermore, experienced infosec workers know that addressing infosec issues often requires a complete change in methodology and outlook. And this translates in to changing Corporate culture. Microsoft may be nimble, but this change may be too demanding for even Microsoft to accomplish.


    The relevance of Nimda appearing on a Microsoft software release is the question of whether this incident was a simple embarrassment or an indication of a continued lack of understanding for infosec issues within the Microsoft culture. And that certainly has a bearing on the question of Microsoft's concepts of information security and the XBox.

  8. Bad, bad box, bad! by juliao · · Score: 4, Informative
    The difference of attitude between MS and Sony is striking: Sony chosses to "open" its system, letting developers implement new things, potentially allowing devices other than Sony consoles to access their network. Microsoft, on the other hand, chooses to "close" their system, specifying their own methods and protocols, and creating a supposedly XBox-only network. What is wrong with this picture?

    In fact, this looks very much like the Unix-Windows security arena. Unix has been traditionally open. All the protocols are open, and, especially, the implementations never assume that they know who or what is on the other side. This, in fact, is one of the critical aspects of security. Never trust the remote. Ever. Always assume that things can be spoofed, always assume that all and every piece of data you receive has NOT been validated by the remote. This is the Unix way of doing things. This, in fact, is the right way of doing things.

    Alternatively, you can start "trusting" the untrustable. You can build a single platform network and assume that all data sent from the remote is "good data". This is naive, and leads to disaster.

    Remember the "ping of death" vulnerability that existed on Windows machines: why did it exist? The simple answer is that it was there because the ICMP stack was badly coded. Right. But that's only half of the story. In fact, it was there because of Microsoft's way of thinking. Microsoft always assumes that things are under full control. The ping of death vuln existed because the Windows version of "ping" did not allow for larger-than-a-given-number packets to be sent. And the Microsoft way of thinking is "if the client can not send it, the server can neglect checking for it". That way of thinking has lead to many of the security flaws in Microsoft products.

    The truth is, things are not always under full control. The XBox can be hacked locally, changed into allowing modifications to be performed on the "Microsoft trusted" software components. Other kinds of machines can be connected to the network and made to pretend to be XBoxes, while still allowing full control by the owner on what gets sent and to where.

    In short, by choosing to create an "XBox-only network", Microsoft has taken the step that will make its network fundamentally insecure. If you still can't see why, think of it in the Disneyland way Microsoft suggests. What they are in fact saying is that "since the Disneysoft is secure, you can trust everyone there". The things you normally tell kids to do, like "never take candy from strangers", are no longer in effect inside the Disneysoft. Inside Disneysoft, you can take candy from anyone. What is the rationale behind this?
    That "bad people" can't go inside? Wrong.
    That "bad people", once inside, can't give you candy because "giving candy" is not an option? Wrong - if you own the box, everything is an option.
    That if "bad people" do this, they will be expelled? Sure. They can expell all they want. That won't prevent them from coming back, and it certainly won't prevent your kid from being dead.

    A last thought: People go around saying "what can happen? someone steals your save game? so what?".

    Well, on one side, the XBox is being touted as a future "computing/internet/browsing platform". That means all kinds of sesitive information is going to get stored in its hard disk. And while having your save game stolen can be little more than a nuisance, having your personal data, personal files and credit card information stolen can be a bit more serious than that.

    On the other side, the XBox has a network adapter. And guess where it is going to sit? Right on your home network. Together with your PC. Together with your other local devices. Probably inside your firewall? Great target for a hacker to attack and, from there, jump on to your private network. Sure, you can always firewall it, put it on a DMZ. Sure... Microsoft does not have a good security record.

    --

    free the mallocs!