5-yr old boy "Recognised security researcher" ..... Microsoft

[Saracen]

Apparently, this precocious youngster, Kristoffer Von Hassel, from San Diego, discovered how to log in to MS Live accounts without a valid password, on Dad's Xbox.

It was a .... complicated .... hack.

When asked for a password, provide an invalid one. When subsequently asked for verification, fill field in with blanks.

Result? Access.

Well, aside from this intrepid junior hacker being acknowledged by what is no doubt a red-faced MS, what does it say about MS security, especially in the days of MS "accounts" and multiple device sync'ing, that MS programmers could be so rampantly incompetent?

And what does it say for the principle of cloud-syncing files, or passwords, or even settings?

I mean, hat's off to junior for his determination and all, but MS? Really? You morons. Muppets. Idiots.

Source : BBC

[stevie lee]

well for starters it'll mean a sudden bout of 'hackers' trying the trick on every Microsoft based service there is, plus every website. just to see whether they have the same security feature aswell.


and its nice of them to include his dads email at the 1:11 mark in the video bet he'll have lots of friends now

I'm ignoring that his dad is a security IT expert aswell, that's not convenient in any way shape or form.

[wasabi]

BBC "Dad Robert - who works in security - sent details of the flaw to Microsoft" = suspicious.

Yeah, outsourced anything shouldn't be trusted. Neither should we entirely trust emotive stories from taxpayer-funded news organizations that allegedly let garish presenters roger kids on their watch.

I'm a bit 'meh' at the story. Which is worse - this, or this?

[santa claus]

You morons. Muppets. Idiots.

Getting a bit rowdy there my honourable friend

As for the 'hack' I don't think 'internet' and
'Security' should appear in the same sentence.

[Saracen]

Getting a bit rowdy there my honourable friend

As for the 'hack' I don't think 'internet' and 'Security' should appear in the same sentence.

Unless separated by "lack of", or maybe "has naff all".

[Galant]

Unless separated by "lack of", or maybe "has naff all".

This should be given a thread all to itself. Any more for any more?

[TheAnimus]

Apparently, this precocious youngster, Kristoffer Von Hassel, from San Diego, discovered how to log in to MS Live accounts without a valid password, on Dad's Xbox.

My understanding is it was a defect on the local Xbox.

It is symptomatic of a bigger problem with the everything linked everywhere model. The console in this case (as is my understanding) stores a cyrpto key that is used for all communication with services. This key can expire and has to be refreshed. This local hack will only work if the key stored locally is still valid.

So whilst it's a massive failure by the xbox dev team, and their QA it has almost more serious ramifications in the use case.

If you rely on say cloud storage, and you are using the same password for access to it, as you do just to launch a game, you've got a pretty poor security model.

MS at the moment at least make you grant each unique app access to each service, but still the problem is that we've regressed in terms of security model.

You effectively run as a root user, because there are no restrictions on how you can use that token you've got from these services. This isn't just MS, this is Google Drive, DropBox (but if you use that, you deserve worse), HubIC etc.

What this means is that if I want to delete all files you've got, I can do that with the same token you'd grant me to read say photos or similar.

This is why you don't ever have the root model of security, it's just completely wrong to begin with (one of the reasons I dis like people who talk about security on linux, they should have studied more their kernel design classes) and sadly I doubt it will be fixed.

We've moved to a world, where for convenience we give away the keys to the whole house, just for the simplest of things.

[Saracen]

....

We've moved to a world, where for convenience we give away the keys to the whole house, just for the simplest of things.

And that, as was said to me earlier, is another whole thread in it's own right. Another example would be online banking, and yet another would be personal data privacy, as exemplified by everything from corporate data mining and big data, to the incredibly offensive nature of NHS arrogance over care.data.

I'm sure I have a bit of a reputation as paranoid, stuck in the past, etc, when it comes to a lot of "advances", be it cloud computing or permanent cameras in Kinect, or RFID chips, digital wallets or even ID cards. I've got broad shoulders. I'll live with it.

But personally, I work on the assumption that NOTHING can be guaranteed to be secure on the internet, and from care.data, it even seems that what we each discuss in medical confidence with our GP is regarded by the NHS (not the GPs or medical staff, but the bureaucrats) as "their" data, to do with as they damn well please.

And, because nothing can be guaranteed to be secure once it's on the net, or even given out in strict confidence, to supposedly trustworthy organisations, it's not a case of "if" it will be abused, but merely :-

- when,
- by whom, and
- how badly .... and how often, and for exactly what.

So, I always try to balance the benefits (and there are some) of putting some things out there with the potential downside. An example would be phone number. Some years ago, I gave my private home number to an employer, in confidence. Without my permission, they then added that to a company directory, and distributed it to all employees and some clients.

Result? Yup, I started getting calls at home, from both staff and even clients, at all sorts of inconvenient hours, like the middle of Sunday dinner, when we had guests. So, I changed the number and refused, point blank, to give the new one to that employer. They want to contact me, supply a mobile phone. Needless to say, I left shortly thereafter, and in fact, went self-employed (with two phone lines, one personal, one business).

Larry Ellison wasn't far off the mark when he said (paraphrasing) "there's no such thing as privacy, get over it". The same is true of absolute security. Ask the NSA's victims, or (post Snowden), the NSA. Talk about being hoist with your own petard.

So, the only way to maximise (as opposed to ensure) privacy, or security, is to be VERY selective about what you put out there, in any form, no matter how well you THINK it's protected or secured, and to ONLY do so where, for each of us in our own judgement, the benefit outweighs the risk. My judgement is that cloud services, social media sites, etc, and even online banking, the benefit to me is minimal, or zero. For others, of course, YMMV.

[Darision]

Its sorta scary that there are security flaws like the one in this incident, makes you wonder how safe the internet actually it.