RE: Online Games Consoles and Security Implications

["Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>]

Of course, if you did manage to hack an XBox and load some DDOS client on
it, you still need to worry about how to ensure it runs at every boot and
that a game doesn't knock it out. On top of all that I'd say the risk is
lowered anyway - how many people leave their console on & online 24hrs a day
ready to participate in an attack? Effort -v- Result, who is going to hack
out a DDOS network only to find they can't use it when they need it.

£0.02.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company


> -----Original Message-----
> From: Elan Hasson [mailto:elan () daryl org]
> Sent: 22 May 2002 18:36
> To: Evans, TJ; vuln-dev () securityfocus com
> Subject: RE: Online Games Consoles and Security Implications
>
>
> Exactly, its common knowledge the more code you have, the 
> more room for
> error(bugs). ALOT of functionality was ripped from the kernel 
> to have it run
> on xbox, the docs do say something about 'no ntfs, no ACLs' etc..
> everythings running in ring0 from what i understand.
>
> -----Original Message-----
> From: Evans, TJ [mailto:tjevans () kpmg com]
> Sent: Wednesday, May 22, 2002 5:58 AM
> To: vuln-dev () securityfocus com
> Subject: RE: Online Games Consoles and Security Implications
>
>
> Not to step into an area that I know little about <xbox 
> security>; but I
> think " If Microsoft could secure a game console running 
> Win2K you'd imagine
> Win2K and XP would be a lot more secure then they appear to be." Is
> something of a logical fallacy.
>
> Keep in mind - we are talking about separate worlds here - a 
> game console is
> something that, for the most part, need to perform *ONE SET 
> OF FUNCTIONS*.
> Making hardware, software and peripherals work together in a 
> secure, FAST
> fashion when you only need to do 1 set of functions, and when 
> user tinkering
> is <by default> limited/non-existent (not counting those of 
> you who crack
> the case open and really get into them :)> is *nowehere* near 
> as difficult
> as trying to make an OS/platform that needs to support 
> thousands of pieces
> of 3rd party software, hardware and has users breaking it in countless
> unimaginable ways ...
>
>
> </$.02>
> Thanks!
> TJ
>
>
> -----Original Message-----
> From: Elan Hasson [mailto:elan () daryl org]
> Sent: Tuesday, May 21, 2002 10:25 PM
> To: Stan Bubrouski
> Cc: vuln-dev () securityfocus com
> Subject: RE: Online Games Consoles and Security Implications
>
> heh, nintendo was cool..
> I own an xbox myself. I'm VERY happy with it. i should 
> probably install
> the xdk again and post some of the docs to the list. It was 
> saying how all
> the packets are encrypted and stuff and how it can take a DoS (for
> example, something that could 'clog the pipe') and be able to drop the
> packets and sort through the garbage-data and not affect game 
> performace
> packets or something.
>
> Yes, it does run a Windows2000 kernel (slimmed down of 
> course) I've even
> played with dissassembling xbox images. Its nice stuff. VERY 
> nice. MS did
> an excellent job with it. the fact that all of the software runs on a
> harddrive and isn't on a chip is a BIG plus. That gives the 
> ability for
> people to download updates and stuff to it...hehe XBOX-service pack 1
> anyone? HEH!
>
> -----Original Message-----
> From: Stan Bubrouski [mailto:stan () ccs neu edu]
> Sent: Tuesday, May 21, 2002 8:15 PM
> To: Elan Hasson
> Subject: Re: Online Games Consoles and Security Implications
>
>
> Elan Hasson wrote:
> > The xbox is VERY secure, read the docs on Network Security 
> in the SDK.
> > MS even has a bit in there about Denial Of Service..and how 
> the xbox can
> > handle it and not affect game performance.
>
> REDICULOUS.  They call Win2k very secure.  They call IE very secure.
> The bottom line is that it is a Microsoft product with embedded Win2k
> code (correct?).  This is quite the contrary to what you suggest.  If
> Microsoft could secure a game console running Win2K you'd 
> imagine Win2K
> and XP would be a lot more secure then they appear to be.  What
> Microsoft writes and what Microsoft does are two different things, you
> can't guarentee security, you can only try to ensure it by taking the
> proper steps.  I recall Bill Gates calling Windows one of the most
> secure OS's, A FLAT OUT LIE.
>
> Not trying to start a flame war, so let's not, just pointing 
> out to kids
> that might be reading this, that there is no proof the XBoX is more
> secure than PS2 or anything else.  You want security, pull 
> out your old
> 1986 nintendo ;-)
>
> Best Regards,
>
> Stan Bubrouski
>
>
> **************************************************************
> **************
> *
> The information in this email is confidential and may be 
> legally privileged.
> It is intended solely for the addressee. Access to this email 
> by anyone else
> is unauthorized.
>
> If you are not the intended recipient, any disclosure, 
> copying, distribution
> or any action taken or omitted to be taken in reliance on it, 
> is prohibited
> and may be unlawful. When addressed to our clients any 
> opinions or advice
> contained in this email are subject to the terms and 
> conditions expressed in
> the governing KPMG client engagement letter.
> **************************************************************
> **************
> *


******************************************************************** 
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom 
they are addressed. 

If you are not the intended recipient or the person responsible for 
delivering to the intended recipient, be advised that you have received 
this email in error and that any use of the information contained within 
this email or attachments is strictly prohibited. 

Internet communications are not secure and Softlab does not accept 
any legal responsibility for the content of this message. Any opinions 
expressed in the email are those of the individual and not necessarily 
those of the Company. 

If you have received this email in error, or if you are concerned with 
the content of this email please notify the IT helpdesk by telephone 
on +44 (0)121 788 5480. 

********************************************************************