RE: Online Games Consoles and Security Implications

From: Kayne Ian (Softlab) (Ian.Kayne@softlab.co.uk)
Date: 05/24/02


From: "Kayne Ian (Softlab)" <Ian.Kayne@softlab.co.uk>
To: Vuln-Dev <VULN-DEV@SECURITYFOCUS.COM>
Date: Fri, 24 May 2002 09:37:52 +0100

Of course, if you did manage to hack an XBox and load some DDOS client on
it, you still need to worry about how to ensure it runs at every boot and
that a game doesn't knock it out. On top of all that I'd say the risk is
lowered anyway - how many people leave their console on & online 24hrs a day
ready to participate in an attack? Effort -v- Result, who is going to hack
out a DDOS network only to find they can't use it when they need it.

0.02.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company

> -----Original Message-----
> From: Elan Hasson [mailto:elan@daryl.org]
> Sent: 22 May 2002 18:36
> To: Evans, TJ; vuln-dev@securityfocus.com
> Subject: RE: Online Games Consoles and Security Implications
>
>
> Exactly, its common knowledge the more code you have, the
> more room for
> error(bugs). ALOT of functionality was ripped from the kernel
> to have it run
> on xbox, the docs do say something about 'no ntfs, no ACLs' etc..
> everythings running in ring0 from what i understand.
>
> -----Original Message-----
> From: Evans, TJ [mailto:tjevans@kpmg.com]
> Sent: Wednesday, May 22, 2002 5:58 AM
> To: vuln-dev@securityfocus.com
> Subject: RE: Online Games Consoles and Security Implications
>
>
> Not to step into an area that I know little about <xbox
> security>; but I
> think " If Microsoft could secure a game console running
> Win2K you'd imagine
> Win2K and XP would be a lot more secure then they appear to be." Is
> something of a logical fallacy.
>
> Keep in mind - we are talking about separate worlds here - a
> game console is
> something that, for the most part, need to perform *ONE SET
> OF FUNCTIONS*.
> Making hardware, software and peripherals work together in a
> secure, FAST
> fashion when you only need to do 1 set of functions, and when
> user tinkering
> is <by default> limited/non-existent (not counting those of
> you who crack
> the case open and really get into them :)> is *nowehere* near
> as difficult
> as trying to make an OS/platform that needs to support
> thousands of pieces
> of 3rd party software, hardware and has users breaking it in countless
> unimaginable ways ...
>
>
> </$.02>
> Thanks!
> TJ
>
>
> -----Original Message-----
> From: Elan Hasson [mailto:elan@daryl.org]
> Sent: Tuesday, May 21, 2002 10:25 PM
> To: Stan Bubrouski
> Cc: vuln-dev@securityfocus.com
> Subject: RE: Online Games Consoles and Security Implications
>
> heh, nintendo was cool..
> I own an xbox myself. I'm VERY happy with it. i should
> probably install
> the xdk again and post some of the docs to the list. It was
> saying how all
> the packets are encrypted and stuff and how it can take a DoS (for
> example, something that could 'clog the pipe') and be able to drop the
> packets and sort through the garbage-data and not affect game
> performace
> packets or something.
>
> Yes, it does run a Windows2000 kernel (slimmed down of
> course) I've even
> played with dissassembling xbox images. Its nice stuff. VERY
> nice. MS did
> an excellent job with it. the fact that all of the software runs on a
> harddrive and isn't on a chip is a BIG plus. That gives the
> ability for
> people to download updates and stuff to it...hehe XBOX-service pack 1
> anyone? HEH!
>
> -----Original Message-----
> From: Stan Bubrouski [mailto:stan@ccs.neu.edu]
> Sent: Tuesday, May 21, 2002 8:15 PM
> To: Elan Hasson
> Subject: Re: Online Games Consoles and Security Implications
>
>
> Elan Hasson wrote:
> > The xbox is VERY secure, read the docs on Network Security
> in the SDK.
> >
> > MS even has a bit in there about Denial Of Service..and how
> the xbox can
> > handle it and not affect game performance.
> >
>
> REDICULOUS. They call Win2k very secure. They call IE very secure.
> The bottom line is that it is a Microsoft product with embedded Win2k
> code (correct?). This is quite the contrary to what you suggest. If
> Microsoft could secure a game console running Win2K you'd
> imagine Win2K
> and XP would be a lot more secure then they appear to be. What
> Microsoft writes and what Microsoft does are two different things, you
> can't guarentee security, you can only try to ensure it by taking the
> proper steps. I recall Bill Gates calling Windows one of the most
> secure OS's, A FLAT OUT LIE.
>
> Not trying to start a flame war, so let's not, just pointing
> out to kids
> that might be reading this, that there is no proof the XBoX is more
> secure than PS2 or anything else. You want security, pull
> out your old
> 1986 nintendo ;-)
>
> Best Regards,
>
> Stan Bubrouski
>
>
> **************************************************************
> **************
> *
> The information in this email is confidential and may be
> legally privileged.
> It is intended solely for the addressee. Access to this email
> by anyone else
> is unauthorized.
>
> If you are not the intended recipient, any disclosure,
> copying, distribution
> or any action taken or omitted to be taken in reliance on it,
> is prohibited
> and may be unlawful. When addressed to our clients any
> opinions or advice
> contained in this email are subject to the terms and
> conditions expressed in
> the governing KPMG client engagement letter.
> **************************************************************
> **************
> *
>

********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom
they are addressed.

If you are not the intended recipient or the person responsible for
delivering to the intended recipient, be advised that you have received
this email in error and that any use of the information contained within
this email or attachments is strictly prohibited.

Internet communications are not secure and Softlab does not accept
any legal responsibility for the content of this message. Any opinions
expressed in the email are those of the individual and not necessarily
those of the Company.

If you have received this email in error, or if you are concerned with
the content of this email please notify the IT helpdesk by telephone
on +44 (0)121 788 5480.

********************************************************************



Relevant Pages

  • RE: Online Games Consoles and Security Implications
    ... Online Games Consoles and Security Implications ... Win2K and XP would be a lot more secure then they appear to be." ...
    (Vuln-Dev)
  • Analyst: Sony Will Win 61% Market Share in Next Gen:TEAMXBOX.COM
    ... Sony, Microsoft and Nintendo will sell nearly 200 million next generation games consoles by 2012, according to Strategy Analytics, the global research and consulting company. ... According to a report released today titled "Games Consoles For The Digital Home: Assessing The Prospects For PS3, Xbox 360 And Revolution", Microsoft's Xbox 360 will present a serious challenge to Sony's dominance of the games console market and will lead the North American and European markets until 2007. ...
    (uk.games.video.xbox)
  • RE: Online Games Consoles and Security Implications
    ... I own an xbox myself. ... They call Win2k very secure. ... The bottom line is that it is a Microsoft product with embedded Win2k ... Microsoft could secure a game console running Win2K you'd imagine Win2K ...
    (Vuln-Dev)
  • Re: Wireless adapter........
    ... Hell of a lot easier, quicker and more secure than wireless, plus you can ... use it for other devices instead of the Xbox if you want. ...
    (uk.games.video.xbox)
  • Re: Online Games Consoles and Security Implications
    ... > If you could install Linux on an Xbox, ... > Dreamcast where you have to load the OS everytime you boot, ... In anycase Xbox is a kind of a PC anyway and would be ... : RE: Online Games Consoles and Security Implications ...
    (Vuln-Dev)