Slashdot Mirror


Technical Analysis of XBox Save Game Hack

DJPenguin writes "There is an excellent article at the XBox Linux Project that describes exactly how the XBox savegame hack works. It details how the author went to great lengths to hide exactly what was going on. It turns out the exploit code is hidden within an image of Tux himself!" An enlightening read, to say the least.


  1. Hidden code? by SharpFang · · Score: 2, Offtopic

    See IOCCC for true masters of making the code unreadable!

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  2. Geez by craigtay · · Score: 4, Funny

    From the looks of this article, they could probably make an entire course at a university devoted to modding the Xbox.

    1. Re:Geez by fearlessrogue · · Score: 1

      I will sign up for that course.

      --

      Everything Zen;
      Everything Zen;
      I don't think so!!!
  3. Stego or not? by robogun · · Score: 5, Insightful

    The code was "hidden" in the jfif header, therefore does not qualify as steganography in my opinion. But I bet MS jumps all over this and gets stego banned.

    1. Re:Stego or not? by AdEbh · · Score: 4, Informative

      I think it could. Steganography means hidden/covered writing from its Greek roots. The term is older than computers, so I think the distinction between the body or header of an image file is a bit fine.

      - Alex

    2. Re:Stego or not? by tuxtomas · · Score: 1

      How about Stego banged?

      --
      Open source- the greatest equalizer mankind has ever seen.
    3. Re:Stego or not? by RevAaron · · Score: 1

      I think I'd say I agree with the parent- the distinction isn't overly fine, IMHO. That is, that's like saying it's steganography to type out some "hidden text" in plaintext on the cover page of a document, leaving the rest of the document with no information encoded, and doing nothing to really hide the illicit data.

      Unless this data in the image header is really hidden, but if it's in the header, it's probably in the comment...

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
    4. Re:Stego or not? by Theatetus · · Score: 1, Troll
      Let me guess, you generated that comment in FrontPage

      Hmmmm... no, I don't see the 300 Kb of useless XML... not generated by an MS product.

      --
      All's true that is mistrusted
    5. Re:Stego or not? by robogun · · Score: 1

      Well, if any data hidden in an image qualifies as stego, your common digital camera, which imprints EXIF and/or IPTC data on each photo taken, is suddenly a subversive tool.

      Your sekrit message will be much more difficult to identify if it is hidden somehow among the image data, not just set in the header. Most image display programs will show it.

      I suspect the author did not use "true" stego to hide the code because a) hidden like that, the code would not execute without some kind of wrapper to pull it out and b) he wanted to avoid being accused of potentially subversive acts such as steganography.

      But I bet Microsoft will grab at any straw to protect the Xbox from Linux, even if it includes redefining stego to include that. And sorry if my offhand comment offends you. You really should stop worrying about what other people think about other people's posts. Even your argument is weak, as stego is a common abbreviation for steganography. Do you ever use the word photo to describe a photograph, or do you go through life insisting people say the entire word photography?
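      The header-versus-image-data distinction robogun draws above has a practical side for anyone who has to vet files like this save-game image: the JFIF container is a sequence of length-prefixed marker segments, and a comment (COM) or APPn segment that is far larger than a caption or holds mostly non-printable bytes is easy to spot, whereas data folded into the pixel data is not. The following is an added example, not code from the thread or from the Xbox Linux Project: a small marker-segment walker with a scan that flags such segments. The thresholds (256 bytes for a comment, 16 KiB for an APP segment, 90% printable) and the sample byte streams are constructed for the example, not taken from the real save game.

```python
import struct

# JPEG marker codes used below
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP0 = 0xE0


def iter_segments(data):
    """Yield (offset, marker, payload) for every length-prefixed segment
    between SOI and the first SOS/EOI. Raises ValueError on malformed input."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI; not a JPEG/JFIF stream")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected 0xFF marker prefix at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:            # padding byte in front of a marker
            pos += 1
            continue
        if marker in (EOI, SOS) or 0xD0 <= marker <= 0xD7:
            return                    # entropy-coded data or end of image: stop
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield pos, marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def printable_ratio(payload):
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not payload:
        return 1.0
    ok = sum(1 for b in payload if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(payload)


def suspicious_segments(data, max_comment=256, min_printable=0.9, max_app=16384):
    """Return a list of (offset, marker, reason) for segments worth a closer look.
    The thresholds are assumptions chosen for this example, not a standard."""
    findings = []
    for offset, marker, payload in iter_segments(data):
        if marker == COM:
            if len(payload) > max_comment:
                findings.append((offset, marker, "oversized COM segment (%d bytes)" % len(payload)))
            elif printable_ratio(payload) < min_printable:
                findings.append((offset, marker, "binary data in COM segment"))
        elif 0xE0 <= marker <= 0xEF and len(payload) > max_app:
            findings.append((offset, marker, "oversized APP%d segment" % (marker - 0xE0)))
    return findings


def segment(marker, payload):
    """Build one length-prefixed marker segment (helper for the constructed samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample streams (not real save-game files): a minimal JFIF APP0
# segment, one comment segment, then SOS/EOI so the scanner stops cleanly.
JFIF_APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN = (b"\xff\xd8" + segment(APP0, JFIF_APP0)
          + segment(COM, b"constructed sample: plain text comment")
          + b"\xff\xda" + b"\xff\xd9")
TAMPERED = (b"\xff\xd8" + segment(APP0, JFIF_APP0)
            + segment(COM, bytes(range(256)) * 2)   # 512 bytes of arbitrary binary
            + b"\xff\xda" + b"\xff\xd9")
BINARY_COMMENT = (b"\xff\xd8" + segment(APP0, JFIF_APP0)
                  + segment(COM, bytes(range(128)))  # short, but mostly non-text
                  + b"\xff\xda" + b"\xff\xd9")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("tampered", TAMPERED), ("binary", BINARY_COMMENT)):
        print(name, suspicious_segments(blob))
```

      The walker stops at SOS on purpose: everything after it is entropy-coded pixel data, which is exactly the part a header-only scan cannot judge, so a clean result here says nothing about payloads hidden in the image body itself.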

    6. Re:Stego or not? by dspeyer · · Score: 2, Funny

      Personally, I would regard group sex with three ton lizards as a bad thing but, hey, if it turns you on, it's your funeral.

    7. Re:Stego or not? by AdEbh · · Score: 1

      No, generated by my own haste. I forgot to change the HTML format and skipped the preview.

      I closed my fucking p's this time :)

      - Alex

    8. Re:Stego or not? by prockcore · · Score: 1

      But I bet MS jumps all over this and gets stego banned.

      What would be the point in that? If they know you're using stego, then it kind of defeats the whole purpose, doesn't it? Banning it would be meaningless, since the entire concept of stego is to hide the very fact that you're using it from the authorities.

    9. Re:Stego or not? by vrmlguy · · Score: 1
      IIRC, stego was invented by the ancient Persians, and consisted of shaving a slave's head, tattooing the message onto his scalp, waiting for his hair to grow back, and sending him to the recipient.

      So, using the header of a file is obviously very much in the spirit of the original concept.

      --
      Nothing for 6-digit uids?
  4. back in my room i by msh104 · · Score: 3, Funny

    continue praying... thank you holy tux, you defeated evil xbox with nothing more than a blink of your image. if possible reveal thyself in thy full glory and microsoft will tremble in your presence.

  5. Re:I will never understand this. by 3.1415926535 · · Score: 3, Insightful
    It sure does.
    Python 2.2.2 (#1, Dec 9 2002, 18:20:25)
    [GCC 3.2.1] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> "%x"%(0xAD9+0x5EF)
    '10c8'
  6. I don't understand. by Civil_Disobedient · · Score: 5, Interesting

    Sorry for my ignorance, but why hide the code? If a true linux fanatic wants to spread the good word, so to speak, why bother with the whole encryption routine and fake JMP's? Why not just make the hack completely transparent so anyone can do it?

    1. Re:I don't understand. by AdEbh · · Score: 5, Informative

      I don't think that the Tux image was in the game executable, rather the save game file. This is a hack that uses a weakness in 007, not a back door placed in by someone working on 007.

      - Alex

    2. Re:I don't understand. by kc8kgu · · Score: 5, Informative
      Not that I would ever waste my time trying to hack an Xbox, but I can imagine a couple of reasons why the hacker might want to hide how it worked.

      The big one is that the more cryptic and obfuscated the hack is, the less likely the vulnerability will be fixed in a future version, because it's less likely to be found and understood by the engineers trying to close it. From the article, it seems as if the game already has four versions that have this hole.

      But to contradict myself, the article seems to indicate the big hole is a simple buffer overflow. Easily noticed and fixed. If there are other relatively unknown hacks inside the encrypted payload, it may extend their availability and usefulness.

      On the other hand, the hacker may be simply trying to hide his identity, changing her code so it doesn't seem like it's in her personal style. To explain, people who write software for long enough in any arbitrary language begin to develop their own consistent style. Don't get me wrong, they do use the language's idiom to a certain extent, but usually have their own bit of flair to add to them.

      Let's consider the C/C++ for loop. Here are a few ways to write it - all pretty standard.
      /* first example: classic C, counter declared outside the loop */
      int i;
      for (i = 0; i < FOO_COUNT; i++)
          DoItTo(myfoos[i]);

      /* second example: C99/C++ style, counter scoped to the loop, braces always */
      for (int index = 0; index < FOO_COUNT; index++)
      {
          DoItTo(myfoos[index]);
      }

      /* third example, assume ok to change myfoos; also assumes myfoos is a
         NULL-terminated array of pointers, so the loop must test the element
         (*myfoos), not the pointer itself, or it never stops */
      for (; *myfoos != NULL; myfoos++)
          DoItTo(*myfoos);
      Given a large enough sample of a person's code (say they did it for a living and their employer used CVS or similar), it's pretty easy to tell who wrote it. After about 15-20 lines of code, I can pretty well tell which of my coworkers is to blame for the latest bug. It's not a fingerprint, but you just need a glove size to narrow down the search.

      Or, I could be completely off base. It's happened before... Once ;-)

      Just my $0.02

      (ps, I realize that the guys fixing the hole wouldn't have the source to look at, but I would wager that enough flair gets through to the machine language)
    3. Re:I don't understand. by Homology · · Score: 1
      This is a hack that uses a weakness in 007, not a back door placed in by someone working on 007.

      Can't wait for the next sequel! Will we see James Bond in the next Matrix movie? Perhaps allied with a Tux? I'm sure Batman will have a few words to tell 007 of his bad choice of companions.

    4. Re:I don't understand. by MikeCamel · · Score: 4, Interesting

      A fair enough point, but (as I'm sure kc8kgu knew), once things are compiled, it becomes much less simple to identify a hacker's signature. A decent compiler will compile all the above examples to the same code. I don't buy "enough flair gets through to the machine language" for short code fragments, I'm afraid. A good optimising compiler is a good obfuscator, too. I wonder if anyone's done any studies on exactly how much personal style you need to exert in order for it to turn up at a) the assembler level or b) the machine code level?

    5. Re:I don't understand. by Jmstuckman · · Score: 2

      Your first and second example would compile to the exact same machine language. With the thousands of people who could have done this hack, I doubt that the machine language would fingerprint them enough to catch them.

    6. Re:I don't understand. by Anonymous Coward · · Score: 2, Interesting

      No compiler would produce the same code for all three examples. In particular, use of the postfix unary increment in the for loop guarantees that. If the C++ code was written with a prefix unary increment (i.e. I'm saying using ++myFoos instead of myFoos++) then maybe it would be the same. The compiler is forced to call the copy constructor for myFoos in the third example, and no amount of optimization can avoid that.
      However, I totally agree with your point -- the programming style of a higher-level language does not carry through to machine code in any real way.
      I also highly doubt the hack author would have written the hack in anything other than assembly anyway.

    7. Re:I don't understand. by Tackhead · · Score: 2, Insightful
      > A fair enough point, but (as I'm sure kc8kgu knew), once things are compiled, it becomes much less simple to identify a hacker's signature. A decent compiler will compile all the above examples to the same code. I don't buy "enough flair gets through to the machine language" for short code fragments, I'm afraid.

      You're assuming the code in question was compiled. Glancing at it, I'd lay good odds that it was handcrafted.

      Besides, with the risk of being DMCA'd into his or her component atoms (regardless of where our mystery hacker lives), this isn't the kind of hack you can do in 15 minutes, slap your name on it, and get your ego gratification by having worldwide bragging rights.

      That leaves only one other route to ego gratification - spend a few hours, make it perfect, and get your ego gratification by presenting a beautiful gift to geeks and hackers around the world... and by leaving the world's DMCA types puzzle they'll never figure out.

      Win-win, as I see it. And artful as all fuck. Call it the Faberge' egg of hackerdom.

      "Who was that masked man?"
      "Nobody knows, ma'am. Folks 'round here call 'im the Lone Ranger."
      "Artful fucker, ain't he?"
      "Yes ma'am. Maddest props to him."

    8. Re:I don't understand. by kc8kgu · · Score: 1

      A few points:

      As others have noted, and I agree, It most certainly was written in assembler.

      And I'm sure there isn't a whole lot of personal style that makes it through from the source to the machine language - but I *guarantee* there are cases when it does.

      Consider:

      * The fact that it more than likely was written in assembler makes my original proposition all the more valid. It won't go through a compiler and get "standardized". Any and all little nuances will end up being in the code that everyone sees.

      * It was just a silly little example in C - I could think of a dozen cases off the top of my head that would affect the machine language - preference for reversed loops, a love of function pointers, defensive bounds checks or lack thereof, always maximizing for speed, always maximizing for size, preference for an obscure factoring optimization, ad nauseam.

      QED

    9. Re:I don't understand. by Tony-A · · Score: 1

      And I'm sure there isn't a whole lot of personal style that makes it through from the source to the machine language - but I *guarantee* there are cases when it does.

      It is possible to identify people just from the way they walk.

      The compiler will do a good job of muddling the distinctions among programmers, but most of the organizational proclivities of the programmers will still get through into the machine code. For the exact same partial order implied by the algorithm and the data, the programmers will repeatedly choose a distinctive linear order. Oddly enough, if the programmers are good enough, and there is a determinable optimum linear order or a canonical linear order, two programmers can produce identical programs down to the exact spelling of the comments.

  7. Stop these immoral actions! by henriksh · · Score: 5, Funny

    Why are you guys constantly trying to work against the hard-working software publishers at Microsoft?

    Come on, guys - you know it's not right. Don't copy that floppy!

    1. Re:Stop these immoral actions! by fishbowl · · Score: 1

      Come on, indeed.

      Does it harm the ketchup industry if I put mayonnaise on my burger? Should I support the ketchup people if they try to put the mayonnaise people out of business?

      --
      -fb Everything not expressly forbidden is now mandatory.
  8. Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 4, Interesting

    If anyone knows, it would be interesting to hear the reason why.

    1. Re:Why did the hacker try to hide how he did it? by rusty0101 · · Score: 4, Interesting

      My suspicion would be that the hacker involved works at a game company that created the game that he found a way to include the method of bypassing the security for.

      If that is the case, he would want to hide the fact that the exploit exists, as well as hiding the fact that he installed the exploit.

      He would then have to make sure that the exploit made it through QA, and the game made it to the market. Next he has to verify for himself that he can take advantage of the exploit in the wild, then he can make others aware that the exploit is possible, preferably without revealing his identity.

      But that's just one possibility. Maybe he did it just to see how obtuse he could make an exploit.

      Disclaimer: the above are merely ideas. I don't work at a game company, or for any company that I know has production involvement with any computer games, or any Microsoft products related to gaming.

      -Rusty

      --
      You never know...
    2. Re:Why did the hacker try to hide how he did it? by lkaos · · Score: 5, Insightful

      Nah, this is still just a buffer overflow. I doubt he "put" it in there.

      I think that any programmer can appreciate why he went to such lengths to hide the code. It's a hell of a cool thing to do.

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      The modification of the public key to make it divisible by 3 was just beautiful.

      --
      int func(int a);
      func((b += 3, b));
    3. Re:Why did the hacker try to hide how he did it? by Martin+Marvinski · · Score: 3, Interesting

      I think that any programmer can appreciate why he went to such lengths to hide the code. It's a hell of a cool thing to do.

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      But isn't the whole philosophy behind linux to be open and clear?

    4. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 1, Interesting

      So what? This isn't about Linux. It's the cracking of the most vigorously defended game console to date. It's a spy vs spy type of game with an appreciable side effect.

    5. Re:Why did the hacker try to hide how he did it? by Troed · · Score: 1

      Uhm. Go hack the Gamecube. Xbox was easy.

    6. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 4, Insightful

      In this world of script kiddies, it's very important to distinguish between kiddies and people who are true hackers. Mad props to him for showing that hacking is most certainly an art.

      Um, that's not a very good distinction: you need to be clear what meaning of "hacker" you're using. Someone who r00ts my box and types "rm -rf /*" is not an artist, he's a criminal who should have his nuts ripped off - no matter how 1337 his 5ki11z are. Although the legality of hacking the X-Box is questionable, it's in a different world entirely from the vandalism associated with computer break-ins, and the community is doing this to a product they paid for and own.

      By confusing the illicit modding and the website defacing, you're making it all the harder to defend against future DMCAs. Many of the big corporate lobbyists and lawyers we so love to bash on Slashdot would love for the public and politicians to view hobbyists and crackers as the same thing.

    7. Re:Why did the hacker try to hide how he did it? by Rick.C · · Score: 2, Funny
      But isn't the whole philosophy behind linux to be open and clear?

      After reading /. for a year or two, I sort of deduced that the whole philosophy behind linux was to be cool.

      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
    8. Re:Why did the hacker try to hide how he did it? by silas_moeckel · · Score: 3, Insightful

      Hackers traditionally hold to the ethic of do no harm. It's one thing to get into a box, poke around, get some evidence that you were there and not damage anything besides covering your tracks (and that's a bit of a new thing due to the excessive laws against it). A script kiddie is just that, a script kiddie; let's try to not confuse the two. If they call themselves a hacker that's fine, it doesn't make it true. The hackers of the world know who they are and how to tell their own.

      --
      No sir I dont like it.
    9. Re:Why did the hacker try to hide how he did it? by Penguin2212 · · Score: 1

      Someone who r00ts my box and types "rm -rf /*" is not an artist, he's a criminal who should have his nuts ripped off - no matter how 1337 his 5ki11z are.

      I would assume that by "Script Kitty" he meant somebody who does that kind of shit. However, there is a distinction between knowing how to do something like that, and actually doing it. A person who knows how to "r00t" your box and erase your entire root partition, but chooses not to and rather decides to help to solve that problem would most certainly not be a script kitty. Just because somebody has "1337 5ki11z" doesn't mean that they have to use them for evil.

    10. Re:Why did the hacker try to hide how he did it? by Patrick13 · · Score: 1
      If anyone knows, it would be interesting to hear the reason why.

      Isn't there a fair sum of money up for grabs for the person who creates a non-modded linux Xbox hack?

      --
      ::.. check out some Cell Phone Reviews
    11. Re:Why did the hacker try to hide how he did it? by Arrepiadd · · Score: 1
      Um, that's not a very good distinction: you need to be clear what meaning of "hacker" you're using. Someone who r00ts my box and types "rm -rf /*" is not an artist, he's a criminal who should have his nuts ripped off

      That's why there are hackers... and crackers!

      Although people tend not to use the term crackers, it exists and it refers to what you call as a bad hacker.

    12. Re:Why did the hacker try to hide how he did it? by Anonymous Coward · · Score: 2, Insightful
      You said that

      By confusing the illicit modding and the website defacing, you're making it all the harder to defend against future DMCAs. Many of the big corporate lobbyists and lawyers we so love to bash on Slashdot would love for the public and politicians to view hobbyists and crackers as the same thing.

      Are you trying to say that this was illicit modding? Let's look at it: this is using the hardware they sold you for what you want to do. You don't have to sign an agreement with MS to buy x many games. If they want that, then they should handle it the same way that Columbia House et al do.

      There is nothing that says I can buy a PS2, that I must buy games for it. What if I just buy one, and that is the only one I wanted. Maybe in 2 years, I go and buy a discount game somewhere, or some used games. That is not breaking the law, I can do whatever I want with it.

      If I choose to not buy any games for my game machine, that is their problem, not mine. They take that risk when they make the game machine, they hope that it will make a profit, but they are not guaranteed.

      This is not illicit modding, it would only be illicit if people were modding them and then selling those as original boxes.

    13. Re:Why did the hacker try to hide how he did it? by S.Lemmon · · Score: 4, Insightful

      I'm sure the reason was to make it harder for others to use the same hack to play copied games.

      Remember, they've already gone out of their way to stress its use for a legitimate purpose (running Linux) and not for piracy. This is just one more example of that. It shows a good faith effort by the authors to ensure the hack can't as easily be exploited for other purposes.

    14. Re:Why did the hacker try to hide how he did it? by TeknoHog · · Score: 4, Funny
      After reading /. for a year or two, I sort of deduced that the whole philosophy behind linux was to be cool.

      I second that. Why else would it have a power animal from the Antarctica? Also, it did originate in Finland where it's pretty bloody cold during most of the year.

      --
      Escher was the first MC and Giger invented the HR department.
    15. Re:Why did the hacker try to hide how he did it? by miu · · Score: 3, Insightful
      Hackers traditionally hold to the ethic of do no harm. It's one thing to get into a box, poke around, get some evidence that you were there and not damage anything besides covering your tracks

      What you are describing is still a system cracker. The "do no harm" philosophy is pure ignorance. Someone breaking into a machine and covering his tracks can do a lot of unintentional harm.

      Those who hack the XBox don't have to worry about causing harm because they are working entirely on their own equipment.

      --

      [Set Cain on fire and steal his lute.]
    16. Re:Why did the hacker try to hide how he did it? by dash2 · · Score: 1

      The hackers of the world know... how to tell there own.

      Yeah, and so do I: by their bad spelling and grammar.

    17. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 1

      What you are describing is still a system cracker. The "do no harm" philosophy is pure ignorance. Someone breaking into a machine and covering his tracks can do a lot of unintentional harm.

      Standard operating procedure for dealing with a break-in where I work: nuke the system and restore from backups. I guess we could avoid this if we instead spent several days auditing the system. Unfortunately, one must always assume the worst- there's no way to tell how badly the system has been compromised, so all break-ins must be treated as complete losses. As for unintentional damage, the last few hacks I witnessed involved no data loss whatsoever, but the root-granting exploit caused the system to become unstable over time and we had to endure repeated crashes before we finally realized what had happened.

      I'd be willing to bet that none of the people who defend "ethical" crackers have ever had to professionally admin a server.

    18. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 1

      A person who knows how to "r00t" your box and erase your entine root partition, but chooses not to and rather decides to help to solve that problem

      If they break in, as far as I'm concerned it's just as bad, because we can't assume anything about their intentions. Unless they're specifically employed to police our boxes/network, they have no business and no right to gain unauthorized access to our systems, and I'll assume that any breakin is malicious.

    19. Re:Why did the hacker try to hide how he did it? by the+gnat · · Score: 1

      Are you trying to say that this was illicit modding?

      Illicit, not illegal. I think the project is actually quite cool. My point is that it's (necessarily) very secretive, definitely not what the manufacturer intended, and possibly illegal under the current fucked-up technology laws we have. It's just enough of a gray area that Microsoft (or the MPAA, etc.) will take any chance they get to lump it in with break-ins and piracy. But I don't think it's wrong: that was the point.

    20. Re:Why did the hacker try to hide how he did it? by Cruciform · · Score: 3, Funny

      That's it. Hand in your geek card and membership kit.

    21. Re:Why did the hacker try to hide how he did it? by silas_moeckel · · Score: 1

      You're talking about 20 years of difference in society. Hackers breaking into computers was something that happened 20 years ago because they were there. I would hazard to say that those same people today aren't breaking into other people's systems without consent anymore. Remember it's a term from about 30 years before the days of home computers, when unless you worked for or went to school someplace that had processing power you didn't have any means of using a computer with any appreciable power legally.

      And as a past system admin (back long long ago :), yes, any signs of a break-in should elicit a complete restore; there are too many places to leave a nasty bit of code. In the modern age, if you don't design your systems as pretty disposable you are really engineering yourself into a corner.

      --
      No sir I dont like it.
    22. Re:Why did the hacker try to hide how he did it? by itzdandy · · Score: 1

      this is a "cracker", this is willful destruction of another's property and is against "hacker" ethics. "hackers" are all about freedom of information and will gladly break into a system and take data, but not destroy it.

    23. Re:Why did the hacker try to hide how he did it? by n6mod · · Score: 1

      From what I've read, the buffer overflow is in an XDK call. In other words, it's Microsoft that blew it.

      --
      You have violated Robot's Rules of Order and will be asked to leave the future immediately.
    24. Re:Why did the hacker try to hide how he did it? by fishbowl · · Score: 1

      >But isn't the whole philosophy behind linux to
      >be open and clear?

      You are not allowed to be "open and clear" when you reside in a Federal prison. And it's really hard to be of any use to the community when you are locked up in a Federal prison which happens to be on the communist island nation of Cuba.

      [I'm still appalled, that I have never heard anyone question the existence of a US prison in Cuba.]

      --
      -fb Everything not expressly forbidden is now mandatory.
    25. Re:Why did the hacker try to hide how he did it? by Lectrik · · Score: 1
      Hackers traditionally hold to the ethic of do no harm. It's one thing to get into a box, poke around, get some evidence that you were there and not damage anything besides covering your tracks (and that's a bit of a new thing due to the excessive laws against it). A script kiddie is just that, a script kiddie; let's try to not confuse the two. If they call themselves a hacker that's fine, it doesn't make it true. The hackers of the world know who they are and how to tell their own.

      If I had to define the term "Hacker", I think I'd go with: Someone who finds unintended ways to do cool things with hardware/software that was never intended by its creators.
      --
      --- As to make my comment seem, by comparison, more intelegent... doodie doodie doodie poop poop poop!
    26. Re:Why did the hacker try to hide how he did it? by Tokerat · · Score: 1

      In the context of the X-Box hack, however, I think "hacker" means something more like "dreams in x86 assembler", or "impresses Carmack", or perhaps "pwnz L1NUS!!!11"

      Well, maybe not that last one...

      --
      CAn'T CompreHend SARcaSm?
    27. Re:Why did the hacker try to hide how he did it? by gezerk · · Score: 1

      >> She may have been a psychotic suicidal lunatic but damn she could write code.

      Sounds like a GREAT first line for a book!

  9. Brilliant! by 1010011010 · · Score: 5, Insightful

    The code is just brilliant. A lot of care was taken in the construction of this hack. No script kiddie is he.

    It looks like it retrieves the private key. That's interesting.

    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
    1. Re:Brilliant! by ignoramus · · Score: 5, Interesting

      It looks like it retrieves the private key. That's interesting.

      I agree that it's interesting, but the exploit doesn't retrieve or recreate the private key - it does something I've been fretting about recently: it simply modifies the public key - thereby creating its own (new and weak) key pair.

      From the article: Once you modify the public key this way, you end up with a public key that is easily factorable. It is now divisible by 3!

      Anyone here bright enough to suggest a good way to protect from this? My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?

    2. Re:Brilliant! by Anonymous Coward · · Score: 3, Informative

      It does not retrieve the original private key. By modifying the public key in memory, the exploit effectively creates a new key pair. Read the complete article.
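      To make ignoramus's question and the "divisible by 3" remark concrete, here is an added example (not code from the thread, the article, or the Xbox Linux Project) of the two cheap checks a signature verifier can run on the modulus it is about to use: compare it against a fingerprint of the known-good key, and trial-divide it for small factors, since a genuine RSA modulus is the product of two large primes and can never be divisible by 3. The key is a constructed toy (two Mersenne primes standing in for real 1024-bit primes), the function names are the example's own, and the "tampering" is just a nudge of the modulus to the nearest odd multiple of 3, a stand-in for whatever the real in-memory modification was. As the later replies in this thread point out, a check that runs on the same machine the attacker controls can be patched out like anything else; it raises the bar, and the real answer is the tamper-resistant hardware SiliconEntity describes.

```python
import hashlib


def smallest_small_factor(n, bound=1 << 16):
    """Trial-divide n by every odd integer up to `bound` (2 is checked first);
    return the smallest factor found, or None. An RSA modulus must have none."""
    if n % 2 == 0:
        return 2
    d = 3
    while d <= bound and d * d <= n:
        if n % d == 0:
            return d
        d += 2
    return None


def fingerprint(n):
    """SHA-256 over the big-endian bytes of the modulus. Computed once from the
    known-good key at build time; the runtime copy is compared against it."""
    return hashlib.sha256(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def check_public_modulus(n, expected_digest):
    """Return (ok, reason). Cheap enough to run before every signature check;
    together the two tests catch a modulus that was patched in memory."""
    if fingerprint(n) != expected_digest:
        return False, "modulus does not match the expected fingerprint"
    f = smallest_small_factor(n)
    if f is not None:
        return False, "modulus has small factor %d" % f
    return True, "ok"


# Constructed toy key: two Mersenne primes stand in for real RSA-sized primes.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
EXPECTED_DIGEST = fingerprint(N)   # what the verifier would carry as its reference

# Constructed tampering: the nearest odd multiple of 3 above N. This is a
# stand-in for "modify the public key in memory", not the real modification.
N_TAMPERED = N + ((3 - N) % 6)

if __name__ == "__main__":
    print("genuine :", check_public_modulus(N, EXPECTED_DIGEST))
    print("tampered:", check_public_modulus(N_TAMPERED, EXPECTED_DIGEST))
    # Even with the fingerprint check defeated, the small-factor test still fires:
    print("tampered, fingerprint bypassed:",
          check_public_modulus(N_TAMPERED, fingerprint(N_TAMPERED)))
```

      The third print shows why the two checks are worth keeping separate: if an attacker also patches the stored digest, the small-factor test is an independent property of the number itself and still rejects a modulus with a factor of 3.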

    3. Re:Brilliant! by Dthoma · · Score: 2, Insightful

      "My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?"

      There is no solution. If someone's got physical access to hardware, all bets are off and there's nothing you can do. The only solution to the problem would be a physical one, such as using superglue to hold the case shut.

      --

      Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

    4. Re:Brilliant! by 3.1415926535 · · Score: 3, Informative

      So what is the solution?

      I'll give you a hint: There isn't one!

      As somebody whose name escapes me at the moment said, "There ain't no such puppy as a trusted client."

    5. Re:Brilliant! by bucky0 · · Score: 3, Interesting
      --

      -Bucky
    6. Re:Brilliant! by circusnews · · Score: 1

      Correct me if I am wrong, but does this not show that trusted computing will be DOA once some one uses such a method on a trusted system?

      I guess my question is not so much "what is the solution", but are we looking at the right problem?

    7. Re:Brilliant! by SiliconEntity · · Score: 1

      Anyone here bright enough to suggest a good way to protect from this? My first thought was to sign the public key with another, use an X.509 certificate or something but the problem is that you can always patch the signature/certificate/checksum/whatever verification mechanism... So what is the solution?

      You'd have to put the key and the checking code into tamper-resistant hardware which then had the power to shut down the game and refuse to play it if the signature was bad. Ideally the hardware would be integral to the operation of the system so you couldn't just disable it.

    8. Re:Brilliant! by Cylix · · Score: 3, Interesting

      This was defeated.

      I believe Capcom uses this technique on their boards. The problem is, batteries tend to die over time and at some point the key is lost due to age. (3 years?) The manufacturer will generally fix the system.

      However, this encryption method was eventually defeated. The guys were originally doing it to get the old Capcom ROMs off, but found out they could decrypt the newer games too.

      At the time, they decided not to release their findings, as they were a classic rom shop and didn't want to destroy the technique for newer arcades.

      I believe the group was decrypting the ROMs and released those, but eventually someone gave out the material.

      I gave up following the story when they said they cracked it, but ethical reasons kept them from giving away the information.

      Anyhow, with battery backed up stuff, the trick is to provide power before disconnecting the battery.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    9. Re:Brilliant! by bucky0 · · Score: 1

      Reading the link I sent you makes it seem like their encryption has gone through revisions and current stuff is looking difficult to crack...

      Regardless, if that type of crazy encryption can keep hackers at bay for 5 years, that's great considering most consoles have a lifetime of 5 years.

      --

      -Bucky
    10. Re:Brilliant! by hbo · · Score: 2, Funny

      Don't publish no durn code with buffer overruns. 8)

      Even Palladium won't protect you if you have one of those, providing the vulnerability occurs after the application has authenticated to the hardware. Unless you do something like challenge the app periodically to prove it has an intact copy of the secret key. Does Palladium do that? I don't know. Anti-stack crashing kernels combined with a crypto enabled platform could help too. But the whole game is complex as hell. And it has some of the best minds on the planet working on both sides, so the whole thing is an arms race. I'm nowhere near brilliant enough to predict what attacks those clever folks will mount on such a platform, or to predict their chances of success.

      --

      "Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

    11. Re:Brilliant! by JazFresh · · Score: 1

      Anyhow, with battery backed up stuff, the trick is to provide power before disconnecting the battery.

      As George found to his chagrin in the Seinfeld episode "The Frogger".

    12. Re:Brilliant! by fishbowl · · Score: 1

      "A USB key could be a feasable commercial solution; if distributors took responsibility for PKI infrastructure after the point of sale."

      But the scale of the problem must prevent that.

      One of my MSDN subscriptions failed to activate, because the activation key was already taken. My guess is that someone registered it along with a wide swath of other keys, perhaps using a generator or just guessing. They aren't afraid of any consequences -- why should they? They are less than a needle in a haystack.

      Meanwhile, I, the paying customer (or the customer's agent/admin/manager/whateverIam), am shut out of the product I purchased.

      The whole thing would be better without the copy protection in the first place -- the "protection" didn't protect either the customer or the vendor, nor did it prevent the unauthorized use. On the other hand, it did create an inconvenience and an expense for everyone involved: the customer, the vendor, and the unauthorized user.

      --
      -fb Everything not expressly forbidden is now mandatory.
  10. Re:I will never understand this. by Jmstuckman · · Score: 1

    "Can calc.exe add two pairs of hex octets?"

    Yes.

  11. Hexadecimal. by aussersterne · · Score: 1, Informative

    Many calculations in computing are done in base 16 because it's convenient (each circuit is either on or off, two possibilities; 16 is 2 to the 4th power, while 10 is not an even power of two).

    In base 16 notation, the digits usually are:

    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f

    So, 15 in decimal (base 10, what you're used to) is f in hexadecimal (base 16, more convenient for computing due to on/off nature of electricity, since 16 is an even power of 2).

    And just as 9 + 1 = 10 (reach the highest digit? carry the one and begin with a zero again in the next column) f + 1 = 10 (reach the highest digit, carry the one and begin with a zero again in the next column).

    Other basic hex math for example:

    9 + 1 = a

    9 + 2 = b

    f0 + 1 = f1

    ff + 1 = 100

    a + 1 = b

    b + 2 = d

    And so on.

    The 0x is a holdover from C programming: prefixing a value in C by 0x indicates that it is a hexadecimal (base 16) number and not a decimal (base 10) number.

    --
    STOP . AMERICA . NOW
    1. Re:Hexadecimal. by smeenz · · Score: 3, Insightful

      It's a sad sad day when someone gets modded up for explaining how hexadecimal works on slashdot.org

      Come on.. are we geeks or mice here ?

    2. Re:Hexadecimal. by Dthoma · · Score: 1

      "Come on.. are we geeks or mice here ?"

      Squeak!

      --

      Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".

  12. Don't Copy that Floppy by Altheus · · Score: 4, Funny
    1. Re:Don't Copy that Floppy by efishta · · Score: 1

      I thought it was interesting that the Rap song sounded like it was from the early 90s, and the games looked like they were from that era (Oregon Trail 1??) but the programmer was talking about Neverwinter Nights. Has NWN really been in production that long?

    2. Re:Don't Copy that Floppy by Echnin · · Score: 1

      He was talking about the original Neverwinter Nights.

      --
      Lalala
    3. Re:Don't Copy that Floppy by Echnin · · Score: 1

      Oops, should have previewed; messed up a link tag. Here's the site I was trying to link to: The original Neverwinter Nights.

      --
      Lalala
    4. Re:Don't Copy that Floppy by The-Perl-CD-Bookshel · · Score: 1

      I think that it is great that they show Tetris in that video because the guy who was responsible for all of the math behind Tetris was getting swindled out of his money by the developers for years. So kids: stick to copying other people's ideas, please!

      --
      I don't keep a lid on my coffee so when I walk around I look busy -me
  13. You know your a geek... by Realistic_Dragon · · Score: 4, Funny

    ...when you can skim that article and not need to look anything up.

    --
    Beep beep.
    1. Re:You know your a geek... by nathanh · · Score: 1
      ...when you can skim that article and not need to look anything up.

      You really know you're a geek when you can read the opcodes without referring to the assembly.

  14. The source code for by Pinguu · · Score: 1

    Windows XP is stored in tux

    --
    --
  15. XBOX is evil by Anonymous Coward · · Score: 3, Interesting

    Microsoft takes the open PC standard, cripples it, makes it so that you can't upgrade it, you can't WRITE code for it without paying them royalties, you can't RUN code on it without paying them, and puts their logo on the front. If you even try to open this crippled PC, your warranty is void, if you open up and play around with this crippled PC that you paid for and you own ("hack") you are breaking the law. Don't even think about selling modifications to this crippled PC. You will be put in prison with all the rapists and murderers and other menaces to society.

    The scariest part? Is that in 10 years, we won't be talking about a console. This is the future of the PC.

    1. Re:XBOX is evil by bucky0 · · Score: 3, Insightful

      I shouldn't feed the troll, but here goes:

      1) Making it upgradable would increase cost; they wanted the cheapest box for the performance they could make (sockets cost money)

      2) If you don't like the idea of not being able to write your own code for it, then don't buy it.

      3) puts their logo on the front...in that case is Dell also evil?

      4) If you even try to open this crippled PC, your warranty is void....why does Microsoft have to warranty actions on the XBOX that it's not designed for? That's like me saying that AMD should still warranty my processors even if I'm running them out of spec

      5) ...you are breaking the law. Despite what the spindoctors say, as long as you aren't hacking your xbox to play copied games, they can't touch you if you're putting your own software on there (that said, if a side effect of your little hack causes someone to be able to play burned games, then they're gonna come after you (which sucks for fair use...).

      6) The scariest part? Is that in 10 years, we won't be talking about a console. This is the future of the PC.

      That is the scary part though. Even though 'the powers that be' keep claiming that people will be able to run unsigned content on TCPA hardware, I can't imagine that it would 'accidentally' cripple things like linux and BSD that hurt the bottom line

      --

      -Bucky
  16. Could a rival console maker be behind this? by Martin+Marvinski · · Score: 3, Insightful

    You might be right about this being a spy vs. spy thing because the stakes are so huge. This could mean that rival console makers are actually hacking the X-box to diminish its threat. That could be a reason why this hack was so well done!

    You brought up an excellent point!

  17. Whoever figured this out originally... by still_sick · · Score: 1

    ... Should go down in the hall of fame right next to the guy who figured out Whippits (sp?). To misquote Dennis Leary, these kids should be working for the Space Program!

    --
    ...Also, I didn't know Buggalo could fly.
  18. Does M$ have a fetish by pair-a-noyd · · Score: 2, Insightful

    for buffer overflows or what??

    Seems that's the number one way to whack an M$ system...

    1. Re:Does M$ have a fetish by damiam · · Score: 2, Insightful

      It's the number-one way to whack any system, Microsoft or not. And no, saying 'M$' instead of 'MS' doesn't make you look cool.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    2. Re:Does M$ have a fetish by pair-a-noyd · · Score: 1

      "And no, saying 'M$' instead of 'MS' doesn't make you look cool."

      Um, excuse me, I'm not trying to look cool when I say "M$".
      I use that out of PURE DISRESPECT for a company and a thought process that I utterly despise with the most prejudice and malcontempt that I can muster.

      You stand corrected.

    3. Re:Does M$ have a fetish by damiam · · Score: 1, Insightful

      If the most prejudice and malcontempt you can muster is the immature replacement of an S with a $, then you have some severe issues. It's no more mature or effective than referring to open source software as "open sores" or to Linux as "Lunix".

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
    4. Re:Does M$ have a fetish by IIRCAFAIKIANAL · · Score: 3, Funny

      From my parent's basement, I stab at thee!

      --
      Robots are everywhere, and they eat old people's medicine for fuel.
    5. Re:Does M$ have a fetish by ceejayoz · · Score: 4, Funny
    6. Re:Does M$ have a fetish by wcbarksdale · · Score: 1

      To be more precise, it's the number-one way to whack a system written in C.

    7. Re:Does M$ have a fetish by tc · · Score: 1

      To be even more precise, it's the number-one way to whack a system written in C running on a machine with a downwards-growing stack.

      I've always wondered about this. Why do stacks grow downwards? It seems to me that it wouldn't be any less efficient for them to grow upwards, and growing upwards would have the handy side-effect that buffer overflows would be less likely to be exploitable. Of course, it's a bit late to change how the most popular processors in the world work now...

    8. Re:Does M$ have a fetish by Tazzy531 · · Score: 1

      I don't remember specifically [it's been over 2 years since Comp Architecture class].. But I thought program code grows downwards and data/memory space grows upwards. That way you have plenty of room for each...but not really sure...

      --


      _______________________________
      "I'm not Conceited...I'm just a realist..."
    9. Re:Does M$ have a fetish by tc · · Score: 1

      I guess that might be the historical reason, but in these days of virtual memory and separately allocated stacks, it wouldn't make any difference.

      Seems like it would be a security win to switch to upwards-growing stacks in future. Or am I missing something?

    10. Re:Does M$ have a fetish by grimani · · Score: 1

      It's the #1 way to whack any system...

    11. Re:Does M$ have a fetish by NintenDoctor · · Score: 2, Interesting

      This is a 007: Agent Under Fire exploit, not an exploit inherent to the Xbox. Agent Under Fire was made by EA, not Microsoft. Blame the right company.

      If this was analyzing the MechAssault hack, then you might have a point.

      --
      I've moved on.
    12. Re:Does M$ have a fetish by pair-a-noyd · · Score: 1

      My point is that Windows, which the Xbox runs, is so rife with security flaws that there is little wonder that a simple buffer overflow did it.

      Windows is the O$ with insecurity built in..

    13. Re:Does M$ have a fetish by Felinoid · · Score: 1

      Short answer, No. Unix and security experts have a buffer overflow fetish, as do crackers.
      This is an easy mistake to make so it happens to nearly everyone once and it's a particularly nasty mistake as well.
      There are programs for Linux and Unix to deal with this sort of defect to actually crash programs that behave this way and the 386 (onward) tries to prevent this sort of behaviour.

      Some of my early games had this defect (you could run off the screen into system memory.. like tron.. and wreak havoc on the system.. Oops)

      Using this defect you could edit system memory and overwrite parts of the OS and all you have to do to enable this mistake is not keep track of your data to be sure you're not putting more data into memory than you've requested from the OS.

      So why does it happen to Microsoft more than anyone else?

      Three important reasons.

      1. Open source and micro kernel. You can fix the problem by replacing the defective part of the system. Like recovering moldy cheese by cutting off the bad parts.
      With open source you find the bad code and fix it. With micro kernel you find the defective file the code is contained in and rewrite, patch or replace that segment.
      Closed source monolithic is like swiss cheese. The mold or defect is so buried into the product you'll never cut it out.

      2. Learn from your mistakes.
      Microsoft doesn't regard most defects as serious and just ignores them. Including buffer overflows. As such they don't learn from mistakes.
      Unix people can isolate the culprit and point fingers.. and they do.
      Linux people are the same only much worse.

      3. Alternatives: Windows people don't have easy alternatives; Unix and Linux people do.

      --
      I don't actually exist.
    14. Re:Does M$ have a fetish by bucky0 · · Score: 1

      If the Xbox ran linux, the same exploit would work. It's a by-product of the x86 architecture and the writers of the exploitable save programs, not Microsoft.

      --

      -Bucky
    15. Re:Does M$ have a fetish by pair-a-noyd · · Score: 1

      I simply don't believe that.
      If I took a copy of Xbox linux source code and built it from scratch on two boxes, one being an xbox and one being say a ppc based box, then ran the same exploit on both boxes that are now running xbox Linux that is compiled for THAT cpu, the xbox would crack and the ppc box would not, simply because of the CPU??

    16. Re:Does M$ have a fetish by bucky0 · · Score: 1

      It depends on how the CPU handles the stack. When I said it was a fault of the x86 architecture, I didn't mean that only the x86 was vulnerable, there are other CPUs which are just as vulnerable to that attack. I was just saying that it's a hardware problem and not a software one

      Returning to your example..if you rewrote the exploit in PPC assembler(most exploits like that are hand coded) and PPC was vulnerable, it would work.

      --

      -Bucky
    17. Re:Does M$ have a fetish by Fizzl · · Score: 1

      Yeah. M$ is so 90's ;)

    18. Re:Does M$ have a fetish by dvdeug · · Score: 1

      [buffer overflows are] the number-one way to whack any system, Microsoft or not.

      Any system that's written in a language that's vulnerable to buffer overflows, like C or Assembly. Trying to hack a Lisp machine via a buffer overflow is probably pretty futile.

  19. OMG That was so worth downloading. by ovapositor · · Score: 1

    I just loved that. I think the kids were using an Apple GS. I mean can I say that here?
    This is interesting in that it predates the major wave of open source that we can freely copy.

  20. Re:Spell check by OpCode42 · · Score: 3, Funny

    Its like a receipt, but a deceipt is proof that you didn't purchase something.

  21. Re:Umm someone explain! by Gyorg_Lavode · · Score: 4, Informative

    I'm no programmer, but it seems they overflow a buffer used in loading saved games to mount the saved game as the d drive and then run a program off of it. This can then copy the modified files used to boot linux on an unmodified xbox to the hard drive.

    --
    I do security
  22. Re:Hidden code? (x1488) by SharpFang · · Score: 1

    You say putting program code in contents of jpeg (despite the fact it could work quite elsewhere just as well) is just a common practice?

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  23. I understood enough to understand ... by MickLinux · · Score: 2, Insightful

    ... that I didn't understand.

    I didn't have to look anything up, though...

    I know Assembly, and 80x8n assembly, especially. So that was no problem. I could follow the basic plot; I didn't bother to try to read most of the code, but when I did, it wasn't hard to read. The article was pretty good that way.

    But it looks to me like the article really didn't tell how the 007 Save Game was hacked. Rather, the article says "yeah it was hacked, and here's the neat part." But that's where it stops.

    There isn't enough info here to reproduce it, unless you already are into hacking the XBox.

    But that said, I wonder why [and maybe someone who does understand this hack can explain] the XBox-Linux people at sourceforge don't rewrite their install CDs, and give instructions, to allow a person to use this weakness to install Linux from a single CD.

    Could it be that this hack really isn't "out there" yet? That the "Free the XBox" hackers are actually still in negotiations with Microsoft [or with their concrete boots at the bottom of the river]?

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
    1. Re:I understood enough to understand ... by Jo+Owen · · Score: 1

      This hack was actually discovered a while ago, it's only the breakdown of it that's new.

      Could it be that this hack really isn't "out there" yet? That the "Free the XBox" hackers are actually still in negotiations with Microsoft

      The hack has been reproduced, however it requires a copy of 007, and so afaik, it cannot claim the prize, so the contest continues...

    2. Re:I understood enough to understand ... by smeenz · · Score: 3, Informative

      The hack is essentially just an exploit of a buffer overflow in the game load code of the game 'Agent Under Fire' (AUF).

      Once the buffer overflow was found, it was a relatively simple matter of creating a doctored save game that caused the xbox to boot off the hard drive when you try and 'load' that saved game file.

      So to boot into linux, you have to buy AUF, obtain the doctored save game and get it onto the machine (I'm not sure how you go about that part.. perhaps the xbox has some removable media), then boot into AUF, go through the menu system, load your doctored save game, and behold, your xbox will boot into linux.

    3. Re:I understood enough to understand ... by TCM · · Score: 1

      I'm not into this and not too interested anyway. Just one question: Once you have done it, do you still need to do the save game trick every time you want to boot Linux? Or is it a one-time thing and from then on you can boot Linux straight from power-on?

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    4. Re:I understood enough to understand ... by smeenz · · Score: 1

      The exploit we're talking about here is the legally 'clean' way of running linux on an xbox, because it doesn't require you to open the box or modify the ROM code

      If you want to automatically load linux (or anything other than microsoft's kernel) on startup, then you must modify that bootup code somehow, which breaks the license agreement you have with microsoft, and obviously any warranty on the xbox.

    5. Re:I understood enough to understand ... by dknj · · Score: 1

      1. Exploit AUF buffer overflow which loads a minimal version of linux with an ftp server
      2. Upload modified dashboard
      3. Restart system
      4. ???
      5. LINUX!@$#

      -dk

  24. Re:I will never understand this. by GiMP · · Score: 2, Funny

    There are plenty of graphical calculators for Linux.. personally, I use python like the parent or for very simple integer calculations, bc or dc.

  25. Mad props seconded by lucas_gonze · · Score: 1

    The modification of the public key to make it divisible by three was absolutely beautiful. Huge props to the unknown hacker.
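Serving this comment and the earlier quote from the article ("It is now divisible by 3!"), here is the patch-the-modulus idea worked through on a toy key, together with the cheap sanity check that would flag the patched key. This is an added example, not code from the article or from the Xbox Linux project; the key (p=61, q=53, e=17), the single-bit patch, the message value 1234 and the key_sanity_check function are all constructed assumptions.

```python
"""Why patching one bit of the public modulus breaks signature checking.

Constructed toy example, not code from the article or the Xbox Linux
project. p, q, e, the patched bit and the message are all assumptions
chosen small enough that every step can be followed by hand."""

P, Q, E = 61, 53, 17                   # constructed toy RSA parameters
N = P * Q                              # 3233 = 0x0CA1, the legitimate modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # 2753, the legitimate private exponent


def sign(msg, d, n):
    """Textbook RSA signature over an already-hashed message integer."""
    return pow(msg, d, n)


def verify(msg, sig, e, n):
    """The check a loader performs: accept if sig^e mod n == msg.
    Everything depends on n being the modulus the vendor generated."""
    return pow(sig, e, n) == msg


def trial_factor(n):
    """Prime factors of n by trial division, smallest first. Feasible only
    when the factors are small, which is the property a modulus that has
    been patched to be divisible by 3 tends to have (the toy modulus here
    is small enough to factor outright, unlike a real one)."""
    factors, f = [], 2
    while f * f <= n:
        while n % f == 0:
            factors.append(f)
            n //= f
        f += 1
    if n > 1:
        factors.append(n)
    return factors


def derive_private_exponent(e, n):
    """Build the 'new key pair' the thread describes: once n is factored
    into distinct primes, the private exponent for (e, n) is just e^-1
    modulo the product of (p_i - 1)."""
    factors = trial_factor(n)
    if len(set(factors)) != len(factors):
        raise ValueError("modulus has a repeated factor; textbook RSA breaks")
    phi = 1
    for p in factors:
        phi *= p - 1
    return pow(e, -1, phi)


def patch_modulus(n, bit):
    """Model the in-memory patch as a single bit flip in the stored modulus."""
    return n ^ (1 << bit)


SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def key_sanity_check(n, small_primes=SMALL_PRIMES):
    """Hypothetical defender-side check: a genuine RSA modulus is a product
    of two large primes, so divisibility by any small prime (3 included)
    proves the key in memory is not the vendor's. Extend the list as far as
    time allows; trial division up to a few thousand is still instant."""
    return n > 1 and all(n % p for p in small_primes)


def demo(msg=1234):
    """Run the scenario end to end and return the observable results."""
    genuine_sig = sign(msg, D, N)
    n_patched = patch_modulus(N, 2)                 # 0x0CA1 -> 0x0CA5 = 3237 = 3 * 13 * 83
    d_patched = derive_private_exponent(E, n_patched)
    forged_sig = sign(msg, d_patched, n_patched)    # signed with the derived key
    return {
        "genuine_verifies": verify(msg, genuine_sig, E, N),
        "patched_modulus": n_patched,
        "patched_factors": trial_factor(n_patched),
        "forged_verifies_on_patched_key": verify(msg, forged_sig, E, n_patched),
        "genuine_key_passes_check": key_sanity_check(N),
        "patched_key_passes_check": key_sanity_check(n_patched),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a real-sized modulus, trial division only succeeds because the patched value has small factors; that is the whole trick (the toy key here is small enough to factor outright, which real keys are not). And, as the thread already says, key_sanity_check lives in the same patchable memory as the modulus, so it raises the bar rather than closing the hole; the durable fix the posters point at is keeping the modulus, or a digest of it, and the comparison somewhere the loaded code cannot write.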

  26. XBox sales show this is NOT the future. by Viewsonic · · Score: 4, Insightful

    So don't worry about it. As far as consoles go, XBox is terrible. It has about 2-3 games worth buying that aren't on the PC, and pretty soon they'll be on the PC regardless.

    Consoles will stay consoles. They will be made to play purely games and nothing else. This is what people want to buy, and they're showing it with their pocketbooks right now. Look at how many dedicated gaming devices Sony and Nintendo have sold compared to Microsoft's try-and-do-everything Box. The numbers speak for themselves.

    1. Re:XBox sales show this is NOT the future. by atari2600 · · Score: 1


      Are you talking out of your ass? Halo for the PC is coming out next month since Microsoft wants it to happen. Microsoft is releasing Halo2 soon sir - the sequel to a game for which people bought the XBOX - for one game!

      If you stop talking trash and find out for yourself, the XBOX is a pretty powerful console and there are console gamers out there who swear by the XBOX. Sure /. is cool and linux is cooler and MS is evil - that doesn't make the XBOX any less popular. Sure MS is losing money on the XBOX - because MS wants to lose money on the XBOX - hasn't the IE vs Netscape taught you anything?

      Go ahead and comment what you wish to on this post but i just spoke the truth - the bottomline: if the cool games for the XBOX have to be out on the PC, MS has to say YES

    2. Re:XBox sales show this is NOT the future. by cabra771 · · Score: 1

      Damn, I'll say it. I bought an xbox just for Halo. Am I ashamed? No. Do I have any other games for xbox? Only two others. Do I regret my purchase? No. Halo is one of the only games that I can still play after more than a year and not be sick of one bit. Do I have mine modded? No. Why? I have two pc's in my apartment, why do I need to mod my game console to do something that one of my CPUs can already do. Why the flying fu#k do I need to run Linux on my xbox when I have a much better machine already running it. Rant? Finished.

      --

      -my other sig is your mom
    3. Re:XBox sales show this is NOT the future. by DeadScreenSky · · Score: 1

      Look at how many dedicated gaming devices Sony and Nintendo have sold compared to Microsoft's try-and-do-everything Box.

      Sony I will give you, but I don't think this strategy is actually working for Nintendo too well. Nintendo will win Japan, granted, but Europe, Australia, and America are probably lost at this point. Too bad that the Japanese (non-cellphone) game market is shrinking so much, too.

      And if you really think the Xbox has only 2-3 worthwhile games, I am really curious what kind of games you play. Project Gotham, DOA3, Amped, Panzer Dragoon Orta, Shenmue II, JSRF, etc. are all pretty cool, and not available for PC or other systems (at least in the US in the case of Shenmue II). Likewise, how can you defend the GC's smaller library, which also has less variety?

      By all means, enjoy any console you like, but it seems stupid to complain about how terrible a console is that many people seriously do enjoy, with sales numbers to prove it.

      And what does the Xbox try and do that Sony hasn't tried with the PS2 (which is dominating)?

      --
      There is no excellent beauty that hath not some strangeness in the proportion. -- Francis Bacon
  27. DMCA relevant section by Jim+Hall · · Score: 5, Interesting

    The article says:

    This explanation is for the sole purpose of writing interoperable software under Sect. 1201 (f) Reverse Engineering exception of the DMCA. So here is the explanation you have all been waiting for.

    But you may not know the actual section he's referring to. Here it is:

    (f) REVERSE ENGINEERING- (1) Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.

    And (a)(1)(A) is the bit that everyone calls to mind when they think of the DMCA:

    (a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL MEASURES- (1)(A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title. The prohibition contained in the preceding sentence shall take effect at the end of the 2-year period beginning on the date of the enactment of this chapter.

    (full text of DMCA)

    IANAL, but I think this means that if you crack the protection on something simply so you can understand (and document) the program so it will work with other programs and files, then that's not considered a violation of the DMCA.

    -jh

  28. Mod Parent UP! by mekkab · · Score: 1

    Excellent analysis...

    Such obfuscated code could only be the product of
    A: a paranoid mind
    B: someone on a mission to prevent their code from being exploited
    C: both.

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  29. Re:What does this hack let you do? by redwoodtree · · Score: 1

    I wish someone would answer this question too. I have no idea what the heck it's all about either.

  30. Re:I will never understand this. by dschuetz · · Score: 1

    >>> "%x"%(0xAD9+0x5EF)
    '10c8'


    Python. Ptuii!

    % dc
    16o16iAD9 5EF+p
    10C8
    ^D
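Serving the "Hexadecimal." comment above (9 + 1 = a, ff + 1 = 100) and the Python/dc one-liners just shown, here is the carry rule written out as a general-base adder, so the same procedure that gives 10c8 for AD9 + 5EF also works in base 2 or base 10. It is an added example, not code from the article or from either poster; the 0x-prefix handling and the 36-digit alphabet are my own choices.

```python
"""Schoolbook addition in any base, as the 'Hexadecimal.' comment describes
it: add the rightmost column, carry one when the column reaches the base.
Added example (constructed here, not code from the article); it generalises
the comment's base-16 cases to any base from 2 to 36."""

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _digit_values(s, base):
    """Turn a digit string into a list of digit values, least-significant
    digit first; accepts the C-style 0x prefix when base is 16."""
    if not 2 <= base <= len(DIGITS):
        raise ValueError("base must be between 2 and 36")
    s = s.strip().lower()
    if base == 16 and s.startswith("0x"):
        s = s[2:]
    if not s:
        raise ValueError("empty number")
    values = []
    for ch in reversed(s):
        v = DIGITS.find(ch)
        if v < 0 or v >= base:
            raise ValueError(f"{ch!r} is not a base-{base} digit")
        values.append(v)
    return values


def add_in_base(a, b, base=16):
    """Add two unsigned digit strings column by column, carrying exactly as
    the comment says ('f + 1 = 10'). Returns lowercase digits, no leading
    zeros and no prefix."""
    xs, ys = _digit_values(a, base), _digit_values(b, base)
    out, carry = [], 0
    for i in range(max(len(xs), len(ys))):
        column = carry
        if i < len(xs):
            column += xs[i]
        if i < len(ys):
            column += ys[i]
        carry, digit = divmod(column, base)   # reached the base? carry the one
        out.append(DIGITS[digit])
    if carry:                                 # 'ff + 1 = 100': a new column
        out.append(DIGITS[carry])
    return "".join(reversed(out)).lstrip("0") or "0"


def to_base(n, base=16):
    """The same positional idea run backwards: repeated division by the base
    yields the digits, least significant first. Cross-check for add_in_base."""
    if n < 0:
        raise ValueError("unsigned only")
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, base)
        out.append(DIGITS[r])
    return "".join(reversed(out))


if __name__ == "__main__":
    for a, b in (("9", "1"), ("f0", "1"), ("ff", "1"), ("0xAD9", "0x5EF")):
        print(f"{a} + {b} = {add_in_base(a, b)}")
```

The digit alphabet doubles as the lookup table in both directions, which is why the same 36 characters serve base 2, 10 and 16 without special cases.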

  31. Online cheating by mark_space2001 · · Score: 2

    For me the main issue is online play and cheating. The Xbox has a security key to only allow certain programs (i.e., licensed developers) to run. This really reduces the chances of online cheating. Cheating online has all but ruined SOCOM's online play for the PS2; I don't want that to happen to Xbox games as well.

    Eventually, I think all game consoles will have security keys like the Xbox.

    Linux is cool, but not every computing device in the world needs to run it. Unlike servers and desktop PCs, game consoles are not mission critical for anything. These Linux hackers should leave the Xbox alone and devote some time to improving X performance on the desktop, or something else useful.

    1. Re:Online cheating by ocelotbob · · Score: 1

      These Linux hackers should leave the Xbox alone and devote some time to improving X performance on the desktop, or something else useful.

      I totally disagree. Hacking a console and writing a graphics rendering system are pretty much non-orthogonal processes. There's a lot of different programming skills that don't easily cross over. The xbox hack scene is, by and large, dominated by college students, part time security folks, and other hobbyists, who don't really have the skills to work on something as complex as you mentioned.

      As far as your complaints as to cheating and the xbox, maybe you need to complain to Microsoft. Ask them why a third party can't set up a server for xbox games, so lan partiers, etc, can use their own server and control who plays and who doesn't. End-user authentication is still an important security tool, why is microsoft leaving it out of the loop?

      --

      Marxism is the opiate of dumbasses

  32. Re:I will never understand this. by CustomDesigned · · Score: 2, Informative

    For hex addition, I sometimes use a Chinese abacus. The Chinese style has two top beads and 5 bottom beads (as opposed to the Japanese style which has 1 top bead and 4 bottom beads). One of the top beads and one of the bottom beads on a Chinese abacus are never used for decimal addition (they are used for carries when multiplying). However, if you count each top bead as 5 and each bottom bead as 1, they add up to 15 - which works perfectly for addition in base 16 (just as the 1 top and 4 bottom add up to 9 for decimal addition). The beauty of adding on an abacus is that the answer appears as you "key" in the operands. No wasted keystrokes to type "+" or ENTER.

  33. You know you're a slashdot reader ... by j2demelo · · Score: 2, Funny

    when you say "You know your a geek..."

  34. Re:Holy Shit! These guys are assembly gurus! by cheekyboy · · Score: 1

    Oh what about polish vodka?

    --
    Liberty freedom are no1, not dicks in suits.
  35. Re:What does this hack let you do? by Ho-Lee-Chow · · Score: 2

    What does this hack let you do?

    Well, how about running the code of your choice on an Xbox? How does that sound? (Hint: it used to be impossible without doing a hardware mod.)

    Disclaimer: Since I don't own an Xbox, some of these details are a little sketchy and may be incorrect.

    This hack lets you load unsigned software, such as Linux, of your choice onto an XBox, without using a mod-chip or making any hardware mods. Previously, you could only run software that is signed by Microsoft on an Xbox, unless you voided the warranty and made Xbox Live impossible by installing a mod-chip or flashing the BIOS.

    You need a copy of 007: Agent of Fire. You load the "unsigned" (*) code, such as Linux, and a specially hacked 007: AUF savegame onto a special kind of memory card that connects to your PC.

    You then fire up 007: AUF, and load the hacked savegame, which takes advantage of the buffer overflow exploit in order to load your "unsigned" code. This "unsigned" code could be Xbox Linux, XboxMediaPlayer, or any of the other homebrew projects out there for Xbox.

    If you haven't heard of the open-source XboxMediaPlayer, it looks pretty sweet. It can play all kinds of audio and video files from your Xbox's hard drive or a streaming server, such as: WMV, ASF, WMA, VCD, SVCD, MPEG, JPEG, GIF, BMP, DivX, XVid, etc. It basically turns your Xbox into a cheap Media Centre PC (except for the TV recording part).

    (*) Actually, according to the article, you have to sign the code yourself, but it's easy in this case, because of the way the exploit works.

  36. Process of Discovery, not how it works... by grimani · · Score: 2, Interesting

    The interesting bit should be how the dude discovered the overflow...not how it works.

    Discovering an overflow in a controlled environment such as a console is no easy task. Console games don't usually crash - what indicated an overflow was present for exploiting?

    After that, exploiting an overflow is really just a menial task. There really are only a few issues to differentiate each case - how long can the exploit string be before it overwrites something critical? Are certain characters not allowed in the string?

    Beyond that, exploiting it is simple...

    So, anybody know how that particular overflow was discovered?

    1. Re:Process of Discovery, not how it works... by Anonymous Coward · · Score: 1

      this breakdown was not written by the person who created it, I doubt they even have any connection whatsoever to the author.. how could you read it and not realize that?

      'exploiting an overflow is really just a menial task . There really are only a few issues to differentiate each case - how long can the exploit string be before it overwrites something critical? Are certain characters not allowed in the string?'

      good lord, I'm glad everyone on slashdot always throws in a line or two that screams 'I HAVE NO IDEA WHAT I'M FUCKING TALKING ABOUT'

    2. Re:Process of Discovery, not how it works... by achurch · · Score: 1

      I don't know the details of this particular case, but once you have access to the save data it's easy to tweak things that look like they could cause problems. (Put yourself in the developers' shoes, and ask yourself "if I was rushed to get this out the door, where would I be likely to cut corners?") Text strings are obvious things to play with; some games compress their saved data, so you could create a bogus compressed file that expanded to some huge number of bytes and see if it crashes the game; et cetera. The "1% inspiration and 99% perspiration" quote probably applies to finding the overflow just as much as writing the actual exploit.

  37. my first post on /. by Grimlen · · Score: 1

    woooohooooo i finally registered confucious says: "man who goes through airport door sideways , going to Bangkok."

    --
    "the universe is a figment of its own imagination" (play DAOC its good)
  38. Re:I will never understand this. by fishbowl · · Score: 1

    "if you count each top bead as 5 and each bottom bead as 1, they add up to 15"

    What's interesting about that to me is, that's the way I learned abacus, and I've never considered any other representation of the beads... but until I read your post, I never made the connection between hexidecimal and the abacus.

    Once upon a time, I knew division and multiplication algorithms for abacus. Now I'm going to have to dust off those memories and see if I can figure out rotate, shift, xor...

    --
    -fb Everything not expressly forbidden is now mandatory.
  39. Re:what? by Golias · · Score: 1
    True, although all the X-Box Live games suck, except maybe Mechwarrior.

    Were it not for HALO, DOA3 and DOAX, my X-Box would already be in my server closet running apache right now. In fact, I'm considering buying a second X-Box for just that... and maybe even a third one for a stand-alone firewall box. I've seen used X-Boxen around town for about $150 each. Thanks to the 007 hack which saves the trouble of mod-chipping, it's the best deal out there for a lightweight server.

    --

    Information wants to be anthropomorphized.