Message-ID: <8B32EDC90D8F4E4AB40918883281874D9B8B@pivxwin2k1.secnet.pivx.com>
Date: Thu, 11 Sep 2003 15:28:33 -0700
From: "Thor Larholm" <thor@...x.com>
To: "Stefan Esser" <s.esser@...atters.de>
Cc: <bugtraq@...urityfocus.com>,
"NTBugtraq" <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>
Subject: RE: Computer Sabotage by Microsoft
Automatic system updates are nothing new; we see them all the time with
antivirus software. Given that the end user has agreed for his AV to be
updated automatically, none of us sees any moral, ethical or legal
implications in that scenario.

The legality of this in regards to your Xbox all boils down to whether
you have given sufficient permission for maintenance installations on
your system. Could you have given permission in any of the EULA or
shrinkwrap licenses for your Xbox itself? (Did you read any of them?)
Did you give permission for this as part of your Xbox Live subscription?
If so, is that license valid? European courts generally think less of
shrinkwrap licenses, and most paragraphs in them need to be reasonably
valid and not cause excess harm or distress to the end user, who may not
be fully aware of the extent of the license he is agreeing to.

So was this computer sabotage or the fulfillment of a service agreement
between you and the vendor?

I can see how this specific update might not benefit you tremendously
personally, given that you, like many others who see the Xbox as a cheap
server paid for partly by Microsoft, have come to expect and depend on this
particular vulnerability to exist, but the fact remains that this is an
identified security vulnerability that disrupts the ordinary privilege
handling of the system, in particular with regard to the execution of
unsigned code. We may disagree with Microsoft on whether only signed code
should be allowed to execute on the Xbox, but that is a completely
different discussion.

The crux here is the method of delivery.

One thing is sure: we will see a greater level of automation for patch
management in the future. I can reasonably imagine the default
installation of Longhorn automatically downloading and installing critical
security updates, and given an agreement like we already have with most
AV software, I see no problems with that.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
-----Original Message-----
From: Stefan Esser [mailto:s.esser@...atters.de]
Sent: Thursday, September 11, 2003 11:31 AM
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: Computer Sabotage by Microsoft
Hi,

well, it finally happened. I came back home after work, connected my XBOX
to the internet and went into the XBOX-Live menu configuration. Well,
what happened? The XBOX started automatically downloading the new crappy
XBOX-Live dashboard, which is of course fixed.

This is IMHO an act of computer sabotage. I have never allowed MS to
modify my dashboard or to auto-update my dashboard.

Is there any lawyer on the list who can point me to the right paragraphs? I do
not believe this computer sabotage is legal in any European country.

Yours,
Stefan Esser
--
--------------------------------------------------------------------------
Stefan Esser
s.esser@...atters.de
e-matters Security
http://security.e-matters.de/
GPG-Key: gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint: B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift:
http://wishlist.suspekt.org/
--------------------------------------------------------------------------