Five-year-old discovers Xbox password bug, hacks dad's Live account

A five-year-old boy has found and exploited a password flaw in his Xbox to hack into his father's Xbox Live account.

[Image: Look out, Mitnick ... Kristoffer Von Hassel on his Xbox (Credit: ABC 10 / KGTV)]

The parents of Kristoffer Von Hassel, from Ocean Beach in San Diego, California, …

COMMENTS

This topic is closed for new posts.
  1. Uncle Siggy

    Researcher Compensation

    Doesn't four free games with a year long subscription to X-Box Live constitute a developer's account?

  2. MrMur

    An NSA Recruitment guy will be round their house next week.

    1. Keep Refrigerated

      Re: NSA Recruitment guy

      He'll have to be quick to beat the FBI agents who will turn him over to the US Attorney for prosecution... let's see 1 count of hacking is a minor offence... so would only require 20 years in the slammer with a plea bargain.

      On a serious note, if his dad is telling the truth about Kristoffer's "inquisitiveness" and natural tendency towards this type of thing... well he should really get used to the idea of visiting his son behind bars from age 16 and beyond. The government does not reward the creativity of those who tinker and probe.

      1. SDoradus

        Re: NSA Recruitment guy

        May we expect emigration to China?

      2. oolor

        Re: NSA Recruitment guy

        >... well he should really get used to the idea of visiting his son behind bars from age 16 and beyond.

        Nonsense. They couldn't keep that kid in custody NOW for 5 minutes before he gave them the slip.

      3. KirstarK

        Re: NSA Recruitment guy

        No, they will ban him from accessing a computer or the web for life and wonder why he then ignores it.

      4. William Hinshaw

        Re: NSA Recruitment guy

        The poor kid, I wouldn't be surprised that he and his dad both go to a deep dark hole in Sandastan for enhanced interrogation cause they exposed the NSA's paid backdoor into Microsoft Live accounts. Cause you know all those terrorists and Ruskies use that to communicate.

  3. Graham Marsden
    Meh

    "Kristoffer received...

    "...four games for free from Microsoft in recompense, along with a year's Xbox Live subscription and $50 (about 30 quid)"

    Wow, their generosity is underwhelming...

    1. This Side Up

      Re: "Kristoffer received...

      What does he want games for? Hacking the security is much more fun.

      1. oolor

        Re: "Kristoffer received...

        >Hacking the security is much more fun.

        I see you have been around children this age. My not quite 2.5 year old nephew knows all the alphanumeric characters and is trying to type in passwords. Calculators, microwaves, and washing machines face the same barrage of button mashing (as characters are loudly announced). It's like an elegant form of a million monkeys on a million typewriters in a natural pseudorandom sort of way to go about brute forcing quality tests, but there you have it.

    2. MrT

      “I was like, 'yea!'”...

      ... I wonder if he was quite so “'yea!'” after working out what he got as a reward. Still, at that age being given anything in recognition is nice, and his dad's clearly pleased for him.

      Spoken like a true Californ-aye-ayyyyyyy beach boy, both of them. Just missing the response containing "stoked", "bummed off", "gnarly", etc., starting every sentence with "So..." ;-)

      1. Anonymous Coward

        Re: "So, <whatever>"

        "starting every sentence with "So..." ;-)"

        So, get your Old Grey Whistle Test tapes out. Not for the music, but for the presenter. So, specifically, surely Whispering Bob Harris pioneered the "So, <whatever>" concept, many decades ago?

        Oh no hang on, it may have been "'cos, <whatever>"?

        So sorry. Much wrongness.

    3. xerocred

      Re: "Kristoffer received...

      So what games did they give him? Grand Theft Auto?

  4. Anonymous Coward

    MS Security...

    ...so weak, a 5 yr old can hack it.

    1. Anonymous Coward

      Re: MS Security...

      "Run out and find me a five year old child!"

      (I won't bother apologizing to Groucho).

      1. oolor
        Holmes

        Re: apology to Groucho

        You're in luck, he wouldn't have it!

      2. Thorne

        Re: MS Security...

        "Run out and find me a five year old child!"

        Michael Jackson said that too and he got into trouble for it....

  5. Anonymous Coward

    Welcome To Windows

    The World's most secure OS

    Disclaimer:

    As long as you are older than 5

    1. mythicalduck

      Re: Welcome To Windows

      > The World's most secure OS

      > Disclaimer:

      > As long as you are older than 5

      Shouldn't that be "Younger" than 5?

  6. Anonymous Coward

    "FIVE-year-old finds Xbox Live password backdoor, hacks into dad's account"

    Wow that's going to get picked up by the media and no mistake.

    "His father Robert Davies, who works as a computer security specialist"

    Ah. Call me cynical.

    1. king of foo

      in other news

      Dog farts during extended family gathering

      Naughty doggy...

  7. Anonymous Coward

    What an amazing coincidence!

    "His father Robert Davies, who works as a computer security specialist"

    1. Anonymous Coward

      Re: What an amazing coincidence!

      Not necessarily a coincidence. If the five year old child of a plumber or golf pro found this bug, his dad probably wouldn't bother to inform Microsoft about it. The kid probably may not have been the first to discover it, only the first whose dad reported it.

      1. Adam 1

        Re: What an amazing coincidence!

        Er, if the father was a golf pro then there would be no coincidence.

  8. Captain DaFt

    Evil Overlord rule number 12: One of my advisors will be an average five-year-old child. Any flaws in my plan that he is able to spot will be corrected before implementation.

    Apparently MS fails as Evil Overlord.

    1. Richard 26

      Also rule 60 (paraphrased somewhat): 'my passwords should not be breakable by a five year old child'

      1. Captain DaFt

        To be honest, you could waste an afternoon listing the EO rules that Microsoft ignores, like number 61:

        61. If my advisors ask "Why are you risking everything on such a mad scheme?", I will not proceed until I have a response that satisfies them.

        1. Anonymous Coward

          help!

          Where can I find this list?

          1. James O'Shea

            Re: help!

            http://www.eviloverlord.com/lists/overlord.html

            1. Michael H.F. Wilkinson Silver badge
              Joke

              Re: help!

              Nice list.

              Rule 50: My main computers will have their own special operating system that will be completely incompatible with standard IBM and Macintosh powerbooks.

              is easy to fulfil: just use an old CDC 7600 with its 6 bit bytes and ten byte words, and an OS that is not so much "not user friendly" as "user hostile." The only downside is that it is slower than your average smartphone.

              As an alternative, you could up the voltage on all the i/o ports to fry any PC or macbook attached to it without authorization, inspired by the idea of the etherkiller

      2. Tom 13

        Re: passwords should not be breakable by a five year old child

        Except the kid didn't break it, he circumvented it. It was an elegant hack in both the new and old senses of the word.

  9. Charles Manning

    Takes me back to the 1990s

    I had Win3.11 on PC that the kids would use on occasion for playing games. I thought they were playing too many games, so I enabled the login stuff and added a password.

    The next day I saw the kids playing without me having logged them in and was both annoyed as well as impressed by how a 5 year old could have cracked the security.

    It turns out all you needed to do was hit the escape key....

  10. Florida1920
    Mushroom

    Hacking MS security

    "So simple, even a child can do it!"

  11. John Tserkezis

    My take on this.

    It might be surprising, but not entirely without precedent.

    Remember everyone used to make jokes about programming VCRs? "Just get a 5 year old to do it".

    Children are persistent, and try things that may not be intuitive to adults - especially the adults who wrote the firmware/software.

    Remember the guy who single-handedly crashed an airline entertainment system by fiddling? He did so by trying things that would not make sense in that context. OK, that was an adult, but children are especially good at trying things that would never occur to adults - again, particularly some adults that write security context code.

    1. Anonymous Coward

      Re: My take on this.

      Children are persistent, and try things that may not be intuitive to adults - especially the adults who wrote the firmware/software.

      That's partially because kids learn different: they EXPECT to fail a number of times, and that doesn't discourage them - they keep trying. A large proportion of people lose that ability to consider failure as a stepping stone to success when they grow up.

      Personally, I think EVERY bit of tech needs to be kid tested by 3, 5 and 12 year olds. If it survives that you can consider it military grade :)

      1. Anonymous Coward

        Re: My take on this.

        "Children are persistent, and try things that may not be intuitive to adults - especially the adults who wrote the firmware/software."

        I started work on some Palo Alto firewalls recently - with no training and no time to reference the manuals.

        I was asked to set up some NAT, sounds simple but these things are seriously weird in the brain-wiring department.

        I only got it working by trying every permutation of zone between the rule and the NAT statement. Once it started working I looked at the zone 'logic' of what was happening and have just decided to commit the scenario to memory - because it still doesn't make sense.

        Sometimes you have to behave like a child and pretend you don't know anything in order to learn something. My first tech job I fixed a Lotus Notes Post office (or whatever the hell the thing was called) by re-building it using every different possible option until it worked. Saved the company about £3k in call out fees.

  12. sisk

    I wasn't much older than that (8) when I first started finding holes in the password system on my dad's DOS based menu program. He gave up on keeping me out of the games with passwords and started hiding the power cord by the time I was 9. Mind you that menu program was pretty primitive and my dad's not exactly an expert at computer security (plus I was way ahead of the rest of my age group as far as computers). I'd expect better from a modern system.

  13. skeptical i
    Devil

    Good on the kid for figuring this out, but

    since Xbox will be used by KIDS, shouldn't Microsoft have rented a kindergarten class for a day, given them a dozen machines and instructions to "have fun", and taken notes on what the sprogs discovered? As was noted above, kids are pretty darned creative (before it gets beaten out of them) which makes them both a joy and a nuisance (da widdle debbils). :)

    1. hplasm
      Devil

      Re: Good on the kid for figuring this out, but

      Isn't that the same technique that gave us TIFKAM?

      1. Anonymous Coward

        Re: Good on the kid for figuring this out, but

        ...or the Win XP default desktop theme?!

        1. Steve Davies 3 Silver badge
          Happy

          Re: Good on the kid for figuring this out, but

          The XP Desktop theme?

          Nah, that's for two year old Telly-tubby fans.

      2. Anonymous Coward

        Re: Good on the kid for figuring this out, but

        TIFKAM - I had completely forgotten that acronym and hoped that there was an unexpected release of a new version of the PIHKAL / TIHKAL books or something. Also useful resources for those with daring and experimental minds but definitely not for children ;)

  14. Dunhill
    Happy

    kids are always good testers

    has not really to do with computers but about 20-25 years ago we had to develop some cases/boxes that would carry car/battery-inverters or mobile radios that would be used under extreme conditions like:

    vibrations water heat cold etc

    what we could not damage, kids could break in days

    they were not allowed to use hammers and that kind of tools

    so the smart ones took a rope and tied the casing/box behind their bicycles riding over shitty streets with pools of water, the result was awful

    it took some time to make the product kiddy-proof before we could deliver the final product that was happily accepted by the client

  15. Dan 55 Silver badge
    FAIL

    Server-side authentication

    MS have heard of it...

    1. h4rm0ny

      Re: Server-side authentication

      First people complain about "always online" requirements, then they complain there aren't "always online" requirements. ;)

  16. i like crisps
    Happy

    KID NEEDS A NICKNAME....

    ....how about, NEO?

  17. heidilee2
    Pirate

    INFANT?

    I never get why they call a five year person an infant. I remember being five and I was in kindergarten and past infancy.

    1. Anonymous Coward

      Re: INFANT?

      Tell me why a 17 y/o is called a child in the UK, even though they can drive a car, have babies and join the Army.

      (The answer is - governments are stupid, but they set the laws).

      1. Chris G

        Re: INFANT?

        Ian, you are absolutely right, plus in the states they can't drink alcohol before they are 21 but can be sent to a foreign land to kill or be killed (is dying sober a good thing?)

        Not quite hacking but on the estate where I grew up all the kids knew that any internal key would open any door in our houses but none of the parents seemed to know that.

      2. J 3
        Coat

        Re: INFANT?

        ...and in Westeros and surrounding localities you are a (wo)man grown by sixteen and can even be an unsupervised Monarch! Hell, they frequently kill their first victim by age 10 there.

    2. Michael Dunn
      Headmaster

      Re: INFANT? @ heidilee2

      I'm glad you raised this point - as a confirmed pedant of 80 years, I can really go to town on it.

      The word 'infant' is strictly a legal term from the Latin 'infans' = 'not speaking', meaning one who was unable to 'speak' in a court, or unable to make a contract. Until fairly recently, the term 'infant' applied up to the age of 21, later reduced to 18 - when I was a National Serviceman, liable to be sent to fight in the Korean War, I was unable to vote.

      Kindergarten, primary, secondary and in some cases even in university (I had uni entrance at 16) we were all infants.

  18. Anonymous Coward

    Microsoft security

    So bad even 5 year old can hack it..

    1. J 3
      Mushroom

      Re: Microsoft security

      <blink>CONGRATULATIONS!</blink>

      You are commentard number 1,000,000 to make that witty comment!

      Go to http://fun.drno.de/flash/ButtonRedBig.swf to win something! Maybe! Just follow the instructions!

  19. Zot

    A bug?

    Or just a tester shortcut, inserted deliberately. Someone forgot to remove the code upon release. MS are taking it lightly, but it reflects really badly on their software and security.

    Does it have to be a row of spaces, can you use any character?

    1. Loyal Commenter Silver badge

      Re: A bug?

      Reminds me of the early version of MS Office, where you could use the 'developer' software key of 1111-1111-1111-1111-1110 (or similar)

  20. Anonymous Coward

    Of course

    If it was open source he could have uploaded a patch

  21. Proffesor Madhead

    Oh crap!! imagine the farmville bill when he's 6!

    the world is really different when you get to that layer.. humanity is going to evolve a neural interface to its tech.

  22. Anonymous Coward

    I long for the days of playing console games offline

    No Internet connection, no ping, no account logins, no DLCs, no chatting with someone whom you've never met when playing the game.

    Those were the days and we still had plenty of fun, and the graphics might not have been the best, but we still had lots of fun, hadn't we? Sega 16-bit, NES, SNES, PC Engine etc.

  23. David Gale

    Hack Attack!

    Why the cynicism? At a time when I was working with local authorities, including education, my kid decided that hacking his school's admin network was more entertaining than his school's IT curriculum. Granted he was 11 yrs old at the time but, within a few weeks, he'd graduated to hacking a national curriculum online student testing facility. I had anticipated using his 'work' to provide me with some traction in discussing security infrastructure but the reaction (without blobbing him in) was indifference. Too much potential for embarrassment?

    David Gale

    SITFO.org

  24. Gordon Pryra

    WTF!!

    Why is a five year old playing on any system unsupervised?

    Shit parents tbh

    If you can't give up the time needed to look after them then keep your pants on

    1. h4rm0ny

      Re: WTF!!

      Well I was frequently allowed to read books unattended for hours at a time as a child. In fact, I would cheerfully do so. I don't think that was an example of parental neglect, but it's just as much a case of doing something unsupervised as playing an offline game, is it not?

    2. Tom 13

      Re: WTF!!

      I wouldn't call it unsupervised, more like lightly supervised. It's not like he realized it because he got a credit card bill for stuff he didn't buy. He saw what the kid was doing one of the times he was using it. So maybe it will call for a bit more supervision in the future, but he wasn't completely AWOL.

  25. Anonymous Coward

    The World's most secure OS

    > Disclaimer:

    > As long as you are older than 5

    Shouldn't that be "Younger" than 5?

    It's called juxtaposition.

    1. Sir Runcible Spoon

      "It's called juxtaposition."

      Well it certainly would be had you replied in-line.

  26. Nameless Faceless Computer User
    Big Brother

    close call

    Thankfully, no music was downloaded.

  27. DerekCurrie
    Paris Hilton

    ... Returning us to that age old question: You use Microsoft because WHY?!

    Thankfully, Google's Android has offered Microsoft a run for its, um, money regarding insecurity. But still that nagging question: Why use Microsoft when you know its poor security is gonna bite you?

  28. plrndl
    Mushroom

    Hey Microsoft

    While you're listening to customers, how about fixing the user interface in W8?

    1. Anonymous Bullard

      Re: Hey Microsoft

      They have been: the 5 year old customers

    2. Anonymous Coward

      Re: Hey Microsoft

      You don't understand: Microsoft doesn't fix the user interface. Microsoft fixes users.

  29. Surreal
    Windows

    Shades of Win95 registration key

    I'd thought MS got this bug sorted after it became widely known that one could simply enter spaces as the registration key during a Windows 95 install. That must have been the previous generation of MS engineers, I s'pose?
