Vulnerability Development mailing list archives

RE: Online Games Consoles and Security Implications


From: "Evans, TJ" <tjevans () kpmg com>
Date: Wed, 22 May 2002 05:57:31 -0400

Not to step into an area that I know little about <xbox security>; but I
think "If Microsoft could secure a game console running Win2K you'd imagine
Win2K and XP would be a lot more secure than they appear to be." is
something of a logical fallacy.

Keep in mind - we are talking about separate worlds here - a game console is
something that, for the most part, needs to perform *ONE SET OF FUNCTIONS*.
Making hardware, software and peripherals work together in a secure, FAST
fashion when you only need to do 1 set of functions, and when user tinkering
is <by default> limited/non-existent (not counting those of you who crack
the case open and really get into them :)> is *nowhere* near as difficult
as trying to make an OS/platform that needs to support thousands of pieces
of 3rd party software, hardware and has users breaking it in countless
unimaginable ways ...


</$.02>
Thanks!
TJ


-----Original Message-----
From: Elan Hasson [mailto:elan () daryl org] 
Sent: Tuesday, May 21, 2002 10:25 PM
To: Stan Bubrouski
Cc: vuln-dev () securityfocus com
Subject: RE: Online Games Consoles and Security Implications

heh, nintendo was cool..
I own an xbox myself. I'm VERY happy with it. I should probably install
the xdk again and post some of the docs to the list. It was saying how all
the packets are encrypted and stuff and how it can take a DoS (for
example, something that could 'clog the pipe') and be able to drop the
packets and sort through the garbage-data and not affect game performance
packets or something.

Yes, it does run a Windows2000 kernel (slimmed down of course). I've even
played with disassembling xbox images. It's nice stuff. VERY nice. MS did
an excellent job with it. The fact that all of the software runs on a
hard drive and isn't on a chip is a BIG plus. That gives the ability for
people to download updates and stuff to it...hehe XBOX-service pack 1
anyone? HEH!

-----Original Message-----
From: Stan Bubrouski [mailto:stan () ccs neu edu]
Sent: Tuesday, May 21, 2002 8:15 PM
To: Elan Hasson
Subject: Re: Online Games Consoles and Security Implications


Elan Hasson wrote:
> The xbox is VERY secure, read the docs on Network Security in the SDK.
>
> MS even has a bit in there about Denial Of Service..and how the xbox can
> handle it and not affect game performance.


RIDICULOUS.  They call Win2k very secure.  They call IE very secure.
The bottom line is that it is a Microsoft product with embedded Win2k
code (correct?).  This is quite the contrary to what you suggest.  If
Microsoft could secure a game console running Win2K you'd imagine Win2K
and XP would be a lot more secure than they appear to be.  What
Microsoft writes and what Microsoft does are two different things, you
can't guarantee security, you can only try to ensure it by taking the
proper steps.  I recall Bill Gates calling Windows one of the most
secure OS's, A FLAT OUT LIE.

Not trying to start a flame war, so let's not, just pointing out to kids
that might be reading this, that there is no proof the XBoX is more
secure than PS2 or anything else.  You want security, pull out your old
1986 nintendo ;-)

Best Regards,

Stan Bubrouski

