Automatic system updates are nothing new; we see it all the time with antivirus software. Given that the end user has agreed for his AV to be updated automatically, none of us see any moral, ethical or legal implications with that scenario.

The legality of this in regards to your Xbox all boils down to whether you have given sufficient permission for maintenance installations on your system. Could you have given permission in any of the EULA or shrinkwrap licenses for your Xbox itself? (Did you read any of them?) Did you give permission for this as part of your Xbox Live subscription? If so, is that license valid? European courts generally think less of shrinkwrap licenses, and most paragraphs in them need to be reasonably valid and not cause excess harm or distress to the end user, who may not be fully aware of the extent of the license he is agreeing to. So was this computer sabotage or the fulfillment of a service agreement between you and the vendor?

I can see how this specific update might not benefit you tremendously personally, given that you, like many others who see the Xbox as a cheap server paid for partly by Microsoft, have come to expect and depend on this particular vulnerability to exist. But the fact remains that this is an identified security vulnerability that disrupts the ordinary privilege handling of the system, in particular with regard to the execution of unsigned code. We may disagree with Microsoft on whether only signed code should be allowed to execute on the Xbox, but that is a completely different discussion. The crux here is the method of delivery.

One thing is sure: we will see a greater level of automation for patch management in the future. I can reasonably imagine the default installation of Longhorn automatically downloading and installing critical security updates, and given an agreement like we already have with most AV software, I see no problems with that.
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

-----Original Message-----
From: Stefan Esser [mailto:s.esser@e-matters.de]
Sent: Thursday, September 11, 2003 11:31 AM
To: full-disclosure@lists.netsys.com
Cc: bugtraq@securityfocus.com
Subject: Computer Sabotage by Microsoft

Hi,

well it finally happened. I came back home after work, connected my XBOX to the internet and went into the XBOX-Live menu configuration. Well, what happened? The XBOX started automatically downloading the new crappy XBOX-Live dashboard, which is of course fixed.

This is IMHO an act of computer sabotage. I have never allowed MS to modify my dashboard or to auto-update my dashboard.

Is there any lawyer on the list who can point me to the right paragraphs? I do not believe this computer sabotage is legal in any European country.

Yours,
Stefan Esser

--
--------------------------------------------------------------------------
Stefan Esser                                        s.esser@e-matters.de
e-matters Security                          http://security.e-matters.de/
GPG-Key                    gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69
Key fingerprint       B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------