
Five-year-old discovers Xbox password bug, hacks dad's Live account

A five-year-old boy has found and exploited a password flaw in his Xbox to hack into his father's Xbox Live account.

[Image caption: Look out, Mitnick ... Kristoffer Von Hassel on his Xbox (Credit: ABC 10 / KGTV)]

The parents of Kristoffer Von Hassel, from Ocean Beach in San Diego, California, noticed …

COMMENTS

This topic is closed for new posts.


Researcher Compensation

Doesn't four free games with a year long subscription to X-Box Live constitute a developer's account?

4
0

An NSA Recruitment guy will be round their house next week.

8
2

Re: NSA Recruitment guy

He'll have to be quick to beat the FBI agents who will turn him over to the US Attorney for prosecution... let's see 1 count of hacking is a minor offence... so would only require 20 years in the slammer with a plea bargain.

On a serious note, if his dad is telling the truth about Kristoffer's "inquisitiveness" and natural tendency towards this type of thing... well he should really get used to the idea of visiting his son behind bars from age 16 and beyond. The government does not reward the creativity of those who tinker and probe.

31
2

Re: NSA Recruitment guy

May we expect emigration to China?

1
2
Bronze badge

Re: NSA Recruitment guy

>... well he should really get used to the idea of visiting his son behind bars from age 16 and beyond.

Nonsense. They couldn't keep that kid in custody NOW for 5 minutes before he gave them the slip.

7
0

Re: NSA Recruitment guy

No, they will ban him from accessing a computer or the web for life and wonder why he then ignores it.

3
1

Re: NSA Recruitment guy

The poor kid, I wouldn't be surprised that he and his dad both go to a deep dark hole in Sandastan for enhanced interrogation cause they exposed the NSA's paid backdoor into Microsoft Live accounts. Cause you know all those terrorists and Ruskies use that to communicate.

1
1
Silver badge
Meh

"Kristoffer received...

"...four games for free from Microsoft in recompense, along with a year's Xbox Live subscription and $50 (about 30 quid)"

Wow, their generosity is underwhelming...

38
2

Re: "Kristoffer received...

What does he want games for? Hacking the security is much more fun.

9
0
Bronze badge

Re: "Kristoffer received...

>Hacking the security is much more fun.

I see you have been around children this age. My not quite 2.5 year old nephew knows all the alphanumeric characters and is trying to type in passwords. Calculators, microwaves, and washing machines face the same barrage of button mashing (as characters are loudly announced). It's like an elegant form of a million monkeys on a million typewriters in a natural pseudorandom sort of way to go about brute forcing quality tests, but there you have it.

10
0
MrT
Bronze badge

“I was like, 'yea!'”...

... I wonder if he was quite so “'yea!'” after working out what he got as a reward. Still, at that age being given anything in recognition is nice, and his dad's clearly pleased for him.

Spoken like a true Californ-aye-ayyyyyyy beach boy, both of them. Just missing the response containing "stoked", "bummed off", "gnarly", etc., starting every sentence with "So..." ;-)

5
0
Anonymous Coward

Re: "So, <whatever>"

"starting every sentence with "So..." ;-)"

So, get your Old Grey Whistle Test tapes out. Not for the music, but for the presenter. So, specifically, surely Whispering Bob Harris pioneered the "So, <whatever>" concept, many decades ago?

Oh no hang on, it may have been "'cos, <whatever>"?

So sorry. Much wrongness.

2
0

Re: "Kristoffer received...

So what games did they give him? Grand Theft Auto?

2
0
Anonymous Coward

MS Security...

...so weak, a 5 yr old can hack it.

39
0
Anonymous Coward

Re: MS Security...

"Run out and find me a five year old child!"

(I won't bother apologizing to Groucho).

10
0
Bronze badge
Holmes

Re: apology to Groucho

You're in luck, he wouldn't have it!

1
3
Silver badge

Re: MS Security...

"Run out and find me a five year old child!"

Michael Jackson said that too and he got into trouble for it....

3
3
Anonymous Coward

Welcome To Windows

The World's most secure OS

Disclaimer:

As long as you are older than 5

15
0

Re: Welcome To Windows

> The World's most secure OS

> Disclaimer:

> As long as you are older than 5

Shouldn't that be "Younger" than 5?

1
2
Anonymous Coward

"FIVE-year-old finds Xbox Live password backdoor, hacks into dad's account"

Wow that's going to get picked up by the media and no mistake.

"His father Robert Davies, who works as a computer security specialist"

Ah. Call me cynical.

20
3
Bronze badge

in other news

Dog farts during extended family gathering

Naughty doggy...

4
1
Anonymous Coward

What an amazing coincidence!

"His father Robert Davies, who works as a computer security specialist"

9
2
Silver badge

Re: What an amazing coincidence!

Not necessarily a coincidence. If the five year old child of a plumber or golf pro found this bug, his dad probably wouldn't bother to inform Microsoft about it. The kid probably may not have been the first to discover it, only the first whose dad reported it.

12
2
Bronze badge

Re: What an amazing coincidence!

Er, if the father was a golf pro then there would be no coincidence.

3
2
Silver badge

Evil Overlord rule number 12: One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

Apparently MS fails as Evil Overlord.

18
0

Also rule 60 (paraphrased somewhat): 'my passwords should not be breakable by a five year old child'

3
1
Silver badge

To be honest, you could waste an afternoon listing the EO rules that Microsoft ignores, like number 61:

61. If my advisors ask "Why are you risking everything on such a mad scheme?", I will not proceed until I have a response that satisfies them.

10
0
Silver badge

help!

Where can I find this list?

0
0
Bronze badge

Re: help!

http://www.eviloverlord.com/lists/overlord.html

2
0
Silver badge
Joke

Re: help!

Nice list.

Rule 50: My main computers will have their own special operating system that will be completely incompatible with standard IBM and Macintosh powerbooks.

is easy to fulfil: just use an old CDC 7600 with its 6 bit bytes and ten byte words, and an OS that is not so much "not user friendly" as "user hostile." The only downside is that it is slower than your average smartphone.

As an alternative, you could up the voltage on all the i/o ports to fry any PC or macbook attached to it without authorization, inspired by the idea of the etherkiller

1
0
Silver badge

Re: passwords should not be breakable by a five year old child

Except the kid didn't break it, he circumvented it. It was an elegant hack in both the new and old senses of the word.

0
0
Silver badge

Takes me back to the 1990s

I had Win3.11 on PC that the kids would use on occasion for playing games. I thought they were playing too many games, so I enabled the login stuff and added a password.

The next day I saw the kids playing without me having logged them in and was both annoyed as well as impressed by how a 5 year old could have cracked the security.

It turns out all you needed to do was hit the escape key....

9
0
Mushroom

Hacking MS security

"So simple, even a child can do it!"

5
1
Silver badge

My take on this.

It might be surprising, but not entirely without precedent.

Remember everyone used to make jokes about programming VCRs? "Just get a 5 year old to do it".

Children are persistent, and try things that may not be intuitive to adults - especially the adults who wrote the firmware/software.

Remember the guy who single-handedly crashed an airline entertainment system by fiddling? He did so by trying things that would not make sense in that context. OK, that was an adult, but children are especially good at trying things that would never occur to adults - again, particularly some adults that write security context code.

12
0
Anonymous Coward

Re: My take on this.

Children are persistent, and try things that may not be intuitive to adults - especially the adults who wrote the firmware/software.

That's partially because kids learn different: they EXPECT to fail a number of times, and that doesn't discourage them - they keep trying. A large proportion of people lose that ability to consider failure as a stepping stone to success when they grow up.

Personally, I think EVERY bit of tech needs to be kid tested by 3, 5 and 12 year olds. If it survives that you can consider it military grade :)

13
0
Anonymous Coward

Re: My take on this.

"Children are persistent, and try things that may not be intuitive to adults - especially the adults who wrote the firmware/software."

I started work on some Palo Alto firewalls recently - with no training and no time to reference the manuals.

I was asked to set up some NAT, sounds simple but these things are seriously weird in the brain-wiring department.

I only got it working by trying every permutation of zone between the rule and the NAT statement. Once it started working I looked at the zone 'logic' of what was happening and have just decided to commit the scenario to memory - because it still doesn't make sense.

Sometimes you have to behave like a child and pretend you don't know anything in order to learn something. My first tech job I fixed a Lotus Notes Post office (or whatever the hell the thing was called) by re-building it using every different possible option until it worked. Saved the company about £3k in call out fees.

0
0
Silver badge

I wasn't much older than that (8) when I first started finding holes in the password system on my dad's DOS based menu program. He gave up on keeping me out of the games with passwords and started hiding the power cord by the time I was 9. Mind you that menu program was pretty primitive and my dad's not exactly an expert at computer security (plus I was way ahead of the rest of my age group as far as computers). I'd expect better from a modern system.

1
0
Devil

Good on the kid for figuring this out, but

since Xbox will be used by KIDS, shouldn't Microsoft have rented a kindergarten class for a day, given them a dozen machines and instructions to "have fun", and taken notes on what the sprogs discovered? As was noted above, kids are pretty darned creative (before it gets beaten out of them) which makes them both a joy and a nuisance (da widdle debbils). :)

2
0
Silver badge
Devil

Re: Good on the kid for figuring this out, but

Isn't that the same technique that gave us TIFKAM?

6
0
Anonymous Coward

Re: Good on the kid for figuring this out, but

...or the Win XP default desktop theme?!

5
0
Silver badge
Happy

Re: Good on the kid for figuring this out, but

The XP Desktop theme?

Nah, that's for two year old Telly-tubby fans.

2
0
Anonymous Coward

Re: Good on the kid for figuring this out, but

TIFKAM - I had completely forgotten that acronym and hoped that there was an unexpected release of a new version of the PIHKAL / TIHKAL books or something. Also useful resources for those with daring and experimental minds but definitely not for children ;)

1
0
Happy

kids are always good testers

has not really to do with computers but about 20-25 years ago we had to develop some cases/boxes that would carry car/battery-inverters or mobile radios that would be used under extreme conditions like:

vibrations, water, heat, cold, etc.

what we could not damage, kids could break in days

they were not allowed to use hammers and that kind of tools

so the smart ones took a rope and tied the casing/box behind their bicycles riding over shitty streets with pools of water, the result was awful

it took some time to make the product kiddy-proof before we could deliver the final product that was happily accepted by the client

6
0
Silver badge
FAIL

Server-side authentication

MS have heard of it...

3
0
Silver badge

Re: Server-side authentication

First people complain about "always online" requirements, then they complain there aren't "always online" requirements. ;)

2
0
Bronze badge
Happy

KID NEEDS A NICKNAME....

....how about, NEO?

1
0
Anonymous Coward

Microsoft security

So bad even 5 year old can hack it..

2
1
J 3
Mushroom

Re: Microsoft security

<blink>CONGRATULATIONS!</blink>

You are commentard number 1,000,000 to make that witty comment!

Go to http://fun.drno.de/flash/ButtonRedBig.swf to win something! Maybe! Just follow the instructions!

0
0
Pirate

INFANT?

I never get why they call a five year old person an infant. I remember being five and I was in kindergarten and past infancy.

2
0
Bronze badge

Re: INFANT?

Tell me why a 17 y/o is called a child in the UK, even though they can drive a car, have babies and join the Army.

(The answer is - governments are stupid, but they set the laws).

5
0
