Slashdot Mirror


New "Secure" Xbox Cracked In Under A Week

ilsie writes "Numbnut says it all in his post at xboxhacker.net. To quote his post, 'On behalf of the Xbox Linux Team, I am proud to announce that at 10:45BST the 'v1.1' secure version of the Xbox was proven to be running arbitrary BIOS code in a normal 256KByte modchip - with no additional hardware required. In short, in under a week we were able to normalize the new box to enable it to interoperate with Linux properly.'"

19 of 331 comments

  1. EULA changes? by KernelHappy · · Score: 5, Insightful

    By any chance, has anyone checked to see if Microsoft modified the EULA when they released the new version of the Xbox? It would be interesting if they stuck anything in there that would strengthen their ability to prosecute and/or seek damages for circumvention of the protection scheme.

    --
    -- Button up, your ignorance is showing
    1. Re:EULA changes? by mbogosian · · Score: 5, Insightful

      Sorry but reverse engineering is pretty well established....

      Hear, hear! (Of course it's not legal anymore, but that's splitting hairs....)

      Whatever happened to legitimate forms of deterrence? If I crack open my TiVo, I void the warranty. I can dick around all I want, but if I screw something up, I have to pay to have it fixed. This is enough to deter most of the technology-ignorant public from screwing with their hardware, and it's a method which has been around for years. Has everyone forgotten about this?

    2. Re:EULA changes? by Galvatron · · Score: 5, Insightful

      I think the reason Shelled is trying to draw a distinction is that arguably, EULAs are not contracts. There is no meeting between the two parties, no chance for negotiation, no signature, the EULA is perpetual, and a price is paid for a physical good (making it look very much like a sale, covered by first sale doctrine rather than contract law). Of course, IANAL, but from the articles that get on Slashdot every now and again, it sounds like the courts haven't quite settled on an answer as to whether EULAs are legitimate contracts or not.

      --
      "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
    3. Re:EULA changes? by DragonMagic · · Score: 5, Insightful

      Problems I find with your argument:

      1) You assume a person reads an EULA. Even though a contract can still hold up if you don't read it, you're still required to sign it. If you never read an EULA or agree to it through a click, then how are you agreeing to it? Simply because they say "By using this product, you agree to our terms"?

      2) Another problem with EULAs is that many of the corporate ones are too one-sided. They're not responsible for anything, but you're fully responsible to follow all their rules. Some even say you can't even talk about the product or take pictures of it or anything without permission, but that they can use your information for their company's marketing research without your permission to do so. (That is, they can use it to market you magazines whether or not you asked for them.)

      3) You don't need to be 18 to buy many EULA products, and to have a contract valid, either a person 18 or older must agree to it, or the parent or guardian of that under-18 person must agree to have that person agree. When a 17 year old purchases an Xbox and takes it home, goes through the licensing agreements on his own, then starts playing, how can Microsoft say the EULA can still affect him?

      4) There are many people who play video games who cannot read, or cannot read English. So EULAs written in English are still valid even though the other party cannot understand them? I do believe that contracts have to be signed by parties that understand them, and if it's in another language, the translator must sign off on them. I could be wrong, of course.

      But again, EULAs are hardly contracts in the sense of contracts, but more of agreements that you won't do bad things to the company issuing the product. I can't wait until EULAs are struck down and normal copyright laws apply to the products (or patents to hardware).

      --

      Human nature is the same everywhere; the modes only are different. -- Earl of Chesterfield
    4. Re:EULA changes? by dreamword · · Score: 3, Insightful

      You raise good issues. However, things are not precisely as you state (or, perhaps, as they should be).

      1) You assume a person reads an EULA. Even though a contract can still hold up if you don't read it, you're still required to sign it. If you never read an EULA or agree to it through a click, then how are you agreeing to it? Simply because they say "By using this product, you agree to our terms"?

      It doesn't matter if the person reads the EULA, mostly because there's really no way to prove whether or not the person read the EULA. In this context, clicking "accept" is as good as a signature. If you're curious, see ProCD v. Zeidenberg, one of the first clickwrap cases. It's a very good opinion reasoning why clickwraps should be binding.


      2) Another problem with EULAs is that many of the corporate ones are too one-sided. They're not responsible for anything, but you're fully responsible to follow all their rules. Some even say you can't even talk about the product or take pictures of it or anything without permission, but that they can use your information for their company's marketing research without your permission to do so. (That is, they can use it to market you magazines whether or not you asked for them.)

      They are definitely "one-sided" in that one side has more responsibilities to the other side. However, it's not true that you're just signing away your rights for nothing; if you were, there would be no binding contract. You're signing away your rights to do certain things in exchange for them letting you use their software. The right to use their software does not cost just what you pay for the box at the store; it costs what you pay for the box at the store PLUS your agreement to follow the license terms.

      3) You don't need to be 18 to buy many EULA products, and to have a contract valid, either a person 18 or older must agree to it, or the parent or guardian of that under-18 person must agree to have that person agree. When a 17 year old purchases an Xbox and takes it home, goes through the licensing agreements on his own, then starts playing, how can Microsoft say the EULA can still affect him?

      Good one. I'm not sure. There are some kinds of contracts that minors can make, but I don't think this is one of them. If there's no contract, it's possible that the minor might not be held to the license terms, and we'll have to rely on under-18ers to do our dirty work. On the other hand, it's possible that the minor can't assert the right to USE the program at the same time as they assert the right NOT TO BE BOUND to the terms of the license agreement. Anybody have a better grasp on this area? I don't know if there have been any minor-clickwrap cases. Same goes for English-illiterate clickwrap cases; I just don't know if anyone's litigated it yet.

      But again, EULAs are hardly contracts in the sense of contracts, but more of agreements that you won't do bad things to the company issuing the product. I can't wait until EULAs are struck down and normal copyright laws apply to the products (or patents to hardware).


      They're definitely contracts, in any legal sense of the word. It sucks (I think first sale doctrine should apply, and there should be some consumer-software default rules set legislatively that are hard for software companies to EULA around), but that's how it is.
  2. Re:This actually _is_ funny. by TrueKonrads · · Score: 2, Insightful

    Since the careful ekrout actually read my comment, he surely must have missed the word physical. P.S. It's a 0 score comment

    --
    Lone Gunmen crew.
  3. Preventative Security by jdkane · · Score: 4, Insightful

    Once the complete XBox product is in the customer's hands, all the security in the world is simply a set of preventative measures.
    Because the product is an autonomous unit, obviously anybody is free to hit it from any angle until the security is broken.

    I'm sure Microsoft doesn't really expect that the XBox product will be totally secure. So it's probably not such a big deal whenever the product is cracked.

    However, Microsoft's sporadic changes to the XBox security may easily cause confusion to consumers who try to purchase mod chips (because different versions exist), which in and of itself is a good tactic. Frustrated consumers are probably less likely to spend money on modifications after they find some mods don't work (because they are meant for a different version of the XBox).

  4. Re:All Right!! by dwc16 · · Score: 4, Insightful

    "WHY would you want to run Linux on your X-Box? That is beyond me. You can get a fast PC for under $300. And a monitor - TVs have totally shitty resolution"

    Answer (for some)
    Find me a PC that can do progressive scan and/or component-out for under 300$. Now, hooked up to a nice plasma/front projector, etc etc, I can

    - Run emulators, yum!
    - Watch any type of media that I please, full screen

    That's just for starters. There is always a legit counter point. For me, I could pick up the new AIW 9700 with component-out, but I've already spent 300$ right there.

    This is what excites joe-blows like me, no more having to drag the PC into the den and run a shitty s-video/whatever output to my HDTV.

    I hope I've helped people to see one appeal for going through the long process of getting the xbox ready to run Linux, then running 100's of things thru that, including W2K.

  5. Re:If they cant secure an Xbox. by FooBarWidget · · Score: 3, Insightful

    It doesn't matter whether Palladium gets cracked or not, because for the vast majority of users, there will be no difference. The security may be "good enough" so that it can only be cracked by using illegal hardware.
    If the majority ("average users") can't break the security, then any solution is useless.

  6. Re:Question for you. by Troed · · Score: 2, Insightful

    Please come to Sweden and show me where I can get a cheap PC with the characteristics of the Xbox in a store, for the same price.


    Oh, you thought the US was the whole world?

  7. That's not reverse engineering by qengho · · Score: 2, Insightful

    Mr. Gates himself related the story of reverse engineering MSDOS by dumpster diving for source code

    That's theft of trade secrets, if true. "Reverse engineering" is treating the object in question (program or device) as a black box with inputs and outputs and reproducing its behavior exactly, without access to source documents.

  8. What contract did I sign? by Inoshiro · · Score: 5, Insightful

    I don't recall the EB guys hounding me to sign some sort of contract when I bought my Xbox. In fact, I don't recall any sort of contract in the box with it that I signed.

    The closest thing I could find was the ABOUT XBOX in the dashboard, which talks about how the software on the Xbox is protected by copyright law. Since I have no intention of pirating the Xbox dashboard, I think I'm legal.

    Plus, once I own something, it's mine. As I've said before, I could rip off the top of my Xbox, put all my night soil in there, and grow flowers from the rich loam. Microsoft can't say anything to me about the use of it, because I own it.

    --
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  9. Anyone care to tell me what the big deal is? by Anonymous Coward · · Score: 1, Insightful

    It's just a hardware revision.. the sony playstation had quite a few (1- 3- 5- 7- and 9-series), the playstation2 had quite a few, and now the xbox has its first hardware revision. Like with the xbox, it took a while before the playstation mods supported the new revisions. Which is obvious, since the board layout changed.
    It's pretty standard to have revisions through time.. things get more optimised, compact, cost-efficient, god knows what else. Or don't you think it's normal to update hardware?
    big fat deal! stop being paranoid, it's just a new xbox revision for god's sake...

    1. Re:Anyone care to tell me what the big deal is? by Nintendork · · Score: 3, Insightful

      This new revision had the security key changed. Microsoft had to scrap a lot of the older parts to make this change. The change had only been implemented in the plant that supplies Australia and it's already cracked. That's why it's news.

  10. Re:This actually _is_ funny. by Bishop · · Score: 5, Insightful

    Very expensive process, but doable.

    Cost is always part of the doability [sic]. When designing a secure system part of the equation is how hard it would be to crack the system. It is possible to brute force RSA, but that does not make RSA any less secure. The same concept applies here. If it would cost more to crack the system than it would to buy an insider, then the system is, for most purposes, secure.

  11. Re:Betcha Nvidia's Pissed by Jason+Earl · · Score: 4, Insightful

    I suppose it is somewhat comical that anyone would consider partnering with Microsoft in this day and age. Even the devil has a better reputation of living up to his end of the bargain.

  12. so was this a "Trusted" Xbox? by Anonymous Coward · · Score: 1, Insightful

    because while nothing is ever hacker/cracker proof, I find MS products to be a playground for data driven attacks, brute force network/system attacks and general instability that causes unintentional but very costly damage. I wonder if that is a sign that the Microsoft corp really just does NOT understand the definition of "secure", if MS is simply incapable of creating secure products... or more likely if they don't give a crap and put money into marketing, legal and general middle management that would better be spent in QA, design, and implementation of their products.

  13. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  14. Re:Betcha Nvidia's Pissed by neocon · · Score: 2, Insightful

    I support the Palestinians. So would you if you cared to open your eyes [electronicintifada.net]

    Now, what is it about linking to a site which describes Louis Farrakhan as `wise' and `balanced', which endorses murder-suicide bombings, and which rushed to repeat Arafat's lies that there was a massacre at Jenin, but claims they never said so now that Arafat admits that there was not which you think will make people agree with you?