Hackers Can Easily Lift Credit Card Info From a Used Xbox
zacharye writes "Using nothing more than a few common tools, hackers can reportedly recover credit card numbers and other personal information from used Xbox 360 consoles even after they have been restored to factory settings. Researchers at Drexel University say they have successfully recovered sensitive personal data from a used Xbox console, and they claim Microsoft is doing a disservice to users by not taking precautions to secure their data. 'Microsoft does a great job of protecting their proprietary information,' researcher Ashley Podhradsky said."
Proprietary software vendors cannot be trusted to put your interests first. If they can get away with it they will always put their interests first. But, of course, their interests will remain well protected.
I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.
-Billco, Fnarg.com
Straight wiping of a 360 hard drive will destroy it for future 360 use. The hard drive security sector (hddss.bin) is stored on the disk and, if erased, will render the hard drive useless on a stock 360 console. The security sector cannot be "spoofed" or otherwise, as each hddss.bin is unique to the specific hard drive on which it resides. Only backing up the specific sectors where hddss.bin is stored before wiping, then restoring them afterward, will keep the hard drive usable in a 360 console.
There are hacking tools to convert non-360 hard drives into usable drives, but not Microsoft OEM drives. I can't believe the researchers recommended a straight wipe without this caveat.
I buy the gift cards when doing anything regarding the Xbox.
And why all that? Microsoft has no involvement in you selling your Xbox. If it has some data on there that you don't want others to know, it's your fault. Not like "you can wipe this clean and sell it" is listed as a feature.
What is wrong with you exactly? You are clearly damaged in some way.
First Sale Doctrine: I buy shit from you, the shit is mine now, I sell shit to someone else. You don't get to stop or interfere with that.
Sorry but I like liberty and being free. I don't want to live in a nation where all my stuff belongs to the aristocracy and I'm just renting it from them at their pleasure, that's just slavery in a different name.
I also thought the CC info was stored on Microsoft's servers. You can't even buy stuff on an Xbox without being logged into your Live account.
The point, I think, is that it's naive not to assume some engineer decided to store the info in *both* places. If you were trying to make the customer experience as smooth as possible, and you had 99% confidence that the home box was in possession of the Real User, you might want to make the process a little more "foolproof".
Say the billing server glitches and corrupts their copy of the CC... Poll the console, get the number, transaction approved. The alternative is to pop up a CC entry screen, which has a non-zero chance to frustrate the Real User to the point of cancelling the sale. Bad for a market built on instant gratification.
Any good-hearted engineer who cries foul from a system security training point of view has probably never had to answer to a Director more concerned with their department operating at a loss for years. Xbox division regularly dipped into and out of the red until the last couple of years.
And the bigger point is, with all the revisions to the Dashboard, it may be impossible to know when this purported "feature" was added, taken away, or actively used. I bet you 2800 MS Points that the next dash update roots out and purges this data. Won't stop the class-actions though.
I miss when I didn't have to use cheat codes to clear my data. :(