Bugtraq mailing list archives

RE: Computer Sabotage by Microsoft
From: "Thor Larholm" <thor () pivx com>
Date: Thu, 11 Sep 2003 15:28:33 -0700

Automatic system updates are nothing new, we see it all the time with
antivirus software. Given that the enduser has agreed for his AV to be
updated automatically, none of us see any moral, ethical or legal
implications with that scenario.

The legality of this in regards to your Xbox all boils down to whether
you have given sufficient permission for maintenance installations on
your system. Could you have given permission in any of the EULA or
shrinkwrap licenses for your Xbox itself? (Did you read any of them?).
Did you give permission for this as part of your Xbox-live subscription?
If so, is that license valid? European courts generally think less of
shrinkwrap licenses, and most paragraphs in them need to be reasonably
valid and not cause excess harm or distress to the enduser who may not
be fully aware of the extent of the license he is agreeing to.

So was this computer sabotage or the fulfillment of a service agreement
between you and the vendor?

I can see how this specific update might not benefit you tremendously
personally, given that you, like many others who see the Xbox as a cheap
server paid partly by Microsoft, have come to expect and depend on this
particular vulnerability to exist, but the fact remains that this is an
identified security vulnerability that disrupts the ordinary privilege
handling of the system, in particular to the executing of unsigned code.
We may disagree with Microsoft on whether only signed code should be
allowed to execute on the Xbox, but that is a completely different

The crux here is with the method of delivery.

One thing is sure, we will see a greater level of automation for patch
management in the future. I can reasonably imagine the default
installation of Longhorn to automatically download and install critical
security updates, and given an agreement like we already have with most
AV software I see no problems in that.

Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

-----Original Message-----
From: Stefan Esser [mailto:s.esser () e-matters de] 
Sent: Thursday, September 11, 2003 11:31 AM
To: full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com
Subject: Computer Sabotage by Microsoft


well it finally happened. I came back home after work, connected my XBOX
to the internet and went into the XBOX-Live menu configuration. Well
what happened. The XBOX started automatically downloading the new crappy
XBOX-Live dashboard, which is of course fixed. 

This is IMHO an act of computer sabotage. I have never allowed MS to
modify my dashboard or to auto update my dashboard.

Is there any lawyer on the list who can point me to the right paragraphs? I do
not believe this computer sabotage is legal in any European country.

Stefan Esser


 Stefan Esser
s.esser () e-matters de
 e-matters Security

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C
 Did I help you? Consider a gift:
