Tepix
6 days ago
So, just stating the obvious, you can now (¥) download all xbox games directly from the microsoft store for free? I.e. the xbox is - for now - as completely hacked as the PS Vita?
(¥) you might have to figure out some details
ryx
6 days ago
Yep. This seems to be the most overlooked part of the article, although maybe the most interesting.
Unfortunately not for anyone who has activated the auto-update feature on his/her Xbox, as the latest system software version seems to include a higher kernel version than supported by the collateral-damage exploit.
38
6 days ago
Exactly why you should never, ever, enable auto update, for anything. Too often it ends up breaking something or patching something you don't want patched. It allows a profit seeking company to enable or disable software functionality on your device, regardless if it's in your interest.
indrora
6 days ago
It should be noted that unless you've modified an Xbox One, from what I understand you cannot stop it from auto updating unless you permanently disconnect it from the internet (which will cause your licenses to eventually expire, in the year timespan or so), new launch games won't run (they're tied to a minimum version of the OS).
__MatrixMan__
6 days ago
Wow, so it's a ticking time bomb, that should be illegal.
seabass-labrax
6 days ago
I agree that the device updating without your consent should be illegal, but new games requiring the updates seems fair enough: the Xbox can still run all of the games it was advertised to be able to do so at launch, and if game developers could not rely on the presence of system updates, Microsoft would just release an entirely new, incompatible Xbox instead. I think that updates are fine so long as you can update and roll back whenever you want to.
Tanoc
5 days ago
The PSP had firmware updates as well, and certain games strongly encouraged you to do so. But many had a workaround: The firmware loaded from the UMD itself. This meant your minimum firmware version could be rolled back, or that in some cases you didn't need to update and then rollback at all, as it was all loaded from the UMD. No matter what though, Sony mandated that all games support a minimum version. The last minimum version I remember was 3.00 from 2007 that introduced MemoryStick verification as an alternative to UMD verification because the PlayStation Store necessitated the ability to run without UMDs, and the final firmware update being 6.60 from 2011.
We could easily go back to installing firmware on-disc or in-download and only calling it at runtime. We won't because devs are in a desperate and futile campaign to outrun console modding (and to some extent piracy) they can't control. With consoles moving to common PC hardware rather than custom hardware like Flipper or Cell they're just going to get broken into faster and faster, so the only bet is harsher and harsher DRM on the software side. AMD straight up sold PlayStation 5 defects as the AMD 4700S "all in one" board.
71bw
5 days ago
>and the final firmware update being 6.60 from 2011
6.61 from January 2015[1].
[1] https://www.psdevwiki.com/psp/index.php?title=Official_Firmw...
Zambyte
6 days ago
Depending on if you consider "authorization" to require consent or informed consent, it already is illegal behavior under CFAA.
klodolph
6 days ago
That would require a pretty creative interpretation of the CFAA.
fragmede
6 days ago
The CFAA's broad enough so as to allow a lot of creative interpretation. A journalist using view source was breaking the CFAA was one district attorneys view.
hedora
6 days ago
This is the only carve out I could find for manufacturers of computers:
> No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
I guess Microsoft could argue their entire operating system business, app store, and update infrastructure are intentionally negligent, and so not covered.
I’d think a reasonable court would say that it’s working as designed, and therefore not covered by the carve out.
user
6 days ago
anticensor
5 days ago
Intentional negligence is not a thing in law.
timenova
6 days ago
The same is the case with the Xbox Series X/S. I was shown three options for the last update: [Update Now] [Continue Offline without Updating] [Shut Down Xbox].
eric-hu
5 days ago
> (which will cause your licenses to eventually expire, in the year timespan or so)
Can you manually modify the system clock? If so you could roll the calendar back every 3-6 months.
user
6 days ago
thot_experiment
6 days ago
Yup, 100%. My golden rule of computers is:
If it's working right now, an update can only cause it to break. The best case scenario is that it still works. Why would your roll the dice?
emeril
6 days ago
so true - the few who are at risk of real exploits are already aware of this and do more than just system updates
I only let my browser autoupdate (somewhat reluctantly) since I view that as the most likely security issue on my winpc but when I used to let win10 autoupdate (and other garbage dell drivers), things would start breaking after each update
this also applies to phone app updates - I only update if there's a reason to, not just for the sake of updating...
and people wonder why I have the best working phone and pc at the office...
appendix-rock
6 days ago
> the few that are at risk…
Boxes get popped all the time. Why are you painting such a dishonest picture?
> and people wonder why I have the best working phone and pc at the office...
Probably because you know about computers. Nothing to do with your poor security practice.
And this still doesn’t say anything about the explicitly absolutist advice in the parent comment. “No matter the circumstance, turn auto-update off! Just in case you want to partake in some piracy!”
LoganDark
3 days ago
> Probably because you know about computers. Nothing to do with your poor security practice.
IME knowing about computers is what causes auto-update to break things. Because you actually rely on the kind of things that it would break.
hoffs
6 days ago
Golden rule to get exploited
38
6 days ago
the "but muh security" argument is absolute horseshit 99% of the time. and the 1% that actually need it, are going well beyond automatic updates to secure their systems.
trog
6 days ago
If you look at the background radiation of the Internet of automated things just hitting services to probe for exploits, they are most commonly looking for exploits from bugs in older software.
There's a timing argument - that unless you're at risk of zero days (like you're the DOD) - that you probably don't need to upgrade immediately. But it seems unarguable to me that the longer you wait, the greater the risk from a security perspective.
As always, security is a trade off. Risk of breaking from an update has to be balanced against risk of exploit. I'd argue the latter is going up more quickly than the former.
thot_experiment
6 days ago
How many actual zerodays are there that don't require you to ALSO be doing something dumb per year? It seems exceedingly rare. I understand the argument if you're talking about like, a server running some CMS or whatever, sure that's gonna get pwned because it's a big target so it's worth going after. Your natted personal machine? You're fine unless you're running executable off random russian sites (and even then you're probably fine if you're getting your shit from reputable shady sites)
l33t7332273
6 days ago
There was that Windows IPv6 no click zero day within the last couple of weeks
thot_experiment
6 days ago
good thing i disable IPv6 at home because it's an annoying pita and i run no machines with windows in the cloud, checkmate :P
on a more serious note though I don't think machines with ipv6 enabled that are behind a NAT are likely to be vulnerable to this, i suppose maybe wormable if you can natpunch through some p2p voip or gaming service, it's the sort of patch i would probably install if i were made aware of it (if i had ipv6 enabled), but being made aware of it doesn't like, leave me worried, and i don't consider it to be likely to affect me unpatched
BSDobelix
5 days ago
>I don't think machines with ipv6 enabled that are behind a NAT are likely to be vulnerable to this
Would you be interested in educate yourself about IPv6?
thot_experiment
5 days ago
No, I'd rather just keep turning it off. Though if you're interested in telling me why I'm wrong concisely instead of being snarky I'll read that.
BSDobelix
4 days ago
NAT and IPv6......you really should educate yourself about it IPv6 is not "that" new...trust me (bro). You know, keep learning is a big part of life ;)
LorenzoGood
6 days ago
No, this is a crazy take, old versions of software are usually rife with exploits, where everyone knows about the bug.
thot_experiment
6 days ago
It's really not, I never upgrade anything and I haven't been pwned in like a decade. (Or maybe I have been pwned but not in a way that's affected me at all so you know, whatever)
LorenzoGood
6 days ago
On an internet exposed server?
thot_experiment
6 days ago
While sibling comment is correct about the discussion I do have a few VPS I've had around for a while (<5 years with only password based SSH too because keys are annoying asf to manage when you're like, on your phone trying to do something etc) and I barely ever upgrade those and everything seems fine. They have DNS pointed at them too so it's not like they're secret in any way.
I suspect it's because I don't use many common software packages so the attack surface is small-ish.
ndriscoll
6 days ago
What's difficult about managing keys? I use key login with termux and if anything it's easier because typing passwords (or anything) on a phone is tedious.
Agree in general that people wildly overestimate the risk leaving things alone. e.g. nginx hasn't had a security advisory affecting basic http 1.1 serving static content without TLS in many years. And of course desktops are behind stateful firewalls.
thot_experiment
6 days ago
For me a big appeal of having a "home" environment on a VPS is that I can just do useful things from any computer-like device, that's not really possible with keys. Rather than fucking around with keys I can just SSH in from wherever and roll the password when I'm done. High entropy non shared passwords are just fine, you'll get your IP timed out after a couple attempts, nobody is throwing a botnet at bruteforcing my pass.
38
6 days ago
thats not what the discussion is about, stop hijacking the thread to push your narrative.
LorenzoGood
5 days ago
I understand that auto updates aren't ideal, because they cause breakage (most of my systems dont auto update), but I don't get not updating your systems at all.
adr1an
6 days ago
The arch rule says update btw
appendix-rock
6 days ago
Absurd. There are benefits to enabling auto-updating (security, etc). One should weigh up the costs / benefits oneself and make a call based on that. As usual, such absolutist guidance is hyperbolic.
HeavyStorm
5 days ago
Yeah, never ever make sure you are patched against hackers who can exploit your devices...
newdee
5 days ago
Nobody should follow this advice. Not least because you (the person giving it) wouldn’t have to live with the consequences of following it, but mostly because it’s idiotic.
simonjgreen
6 days ago
Total tangent, but extremely interested in the use of the Yen/Yuan sign as a footnote marker. Is there some history here I’ve overlooked or is this just arbitrary?
Tepix
6 days ago
Haha - i was looking for ¹, ² or § but couldn‘t find them on my german ipad onscreen keyboard, so i improvised.
pbhjpbhj
6 days ago
Interesting that you'd use "Section", "§", as a reference marker. Asterisk (*), and dagger (†) are common reference markers in British English, but not the section sign, aka "silcrow".
Is that a common usage /auf Deutsch/? Such use is listed on the Wikipedia page, but it's a use I don't ever recall having seen before.
pferde
6 days ago
I'm wary of using the asterisk in internet forums, or really in almost any textual exchange online these days, because everything tries to parse text as markdown, and I am never sure whether or not my asterisks will get eaten.
Especially on sites like this one, which have no previews.
yjftsjthsd-h
6 days ago
On HN you just escape as \* to avoid it doing italics, but I agree that using characters that uniformly work is sensible
c0balt
6 days ago
It's common in some contexts, in particular ¹/²/... is common for footnotes in handwritten and digital texts.
§ is a bit less common but iirc used in some legal texts. It's also easy to use on ANSI German keyboards with shift+3.
quectophoton
6 days ago
I usually do it like this[1], if that helps.
[1]: Borrowing syntax from Markdown.
AStonesThrow
6 days ago
I learned BASIC programming on a VIC-20, and I typed in so many "A$, B$, C$", for decades thereafter I pronounced "$" as "string" ("A-string, B-string", etc); it got weird as I discussed Perl scripts with coworkers...
amplex1337
5 days ago
Hah, I did this as well but on a TI-99-4A. Stopped a long time ago but yes var$ would have been pronounced var-string, even in context of later gwbasic, qbasic etc.
petabyt
5 days ago
So many memories just flooded my brain of using § for Minecraft Pocket edition...
bratwurst3000
6 days ago
you have tp hold a key longer and then there it is. i think it was „s“
bewaretheirs
6 days ago
I've not seen it used this way before but it is similar enough to the dagger and double-dagger symbols that the intent to use it as a footnote marker is clear.
user
6 days ago
user
6 days ago