
The Hacker Who Found the Secrets of the Next Xbox and PlayStation

An anonymous reader writes "Stephen Totilo at Kotaku has a long article detailing the exploits of an Australian hacker who calls himself SuperDaE. He managed to break into networks at Microsoft, Sony, and Epic Games, from which he retrieved information about the PS4 and next-gen Xbox 'Durango' (which turned out to be correct), and he even secured developer hardware for Durango itself. He uncovered security holes at Epic, but notified the company rather than exploiting them. He claims to have done the same with Microsoft. He hasn't done any damage or facilitated piracy with the access he's had, but simply breaching the security of those companies was enough to get the U.S. FBI to convince Australian authorities to raid his house and confiscate his belongings. In an age where many tech-related 'sources' are just empty claims, a lot of this guy's information has checked out. The article describes both SuperDaE's activities and a journalist's efforts to verify his claims."
  • by Frosty Piss ( 770223 ) * on Sunday February 24, 2013 @01:36PM (#42996287)

    In an age where many tech-related 'sources' are just empty claims, a lot of this guy's information has checked out.

    And he still broke into other people's networks without permission. But I suppose that's OK here since the private info that he released was of interest to Slashdotters and was "accurate"? It was OK because the victims were Microsoft and Sony? Or, shall we see another case of the famous Slashdot Double Standard?

    • by Mitreya ( 579078 ) <mitreya.gmail@com> on Sunday February 24, 2013 @01:44PM (#42996331)

      And he still broke into other people's networks without permission. But I suppose that's OK here since the private info that he released was of interest to Slashdotters and was "accurate"?

      It may be ok to a degree for the cases where he broke in and then notified the company of a breach (without doing any damage or requesting a payment)
      Companies should be required by law not to pursue anyone who notified them of security holes in good faith. Instead they choose to harass such people, scaring them off and making MY data less secure.

      • by Frosty Piss ( 770223 ) * on Sunday February 24, 2013 @01:53PM (#42996399)

        It may be ok to a degree for the cases where he broke in and then notified the company of a breach...

        Hi, I broke into your house and ran may fingers through your dainty underthings and fondled your tooth brush.

        Don't you think you should buy a better lock and maybe an alarm system?

        Don't bother thanking me, it's what I do...

        • by daremonai ( 859175 ) on Sunday February 24, 2013 @02:06PM (#42996463)

          Hi, I broke into your house and ran [my] fingers through your dainty underthings

          Then you've been punished enough already.

        • by Mashiki ( 184564 )

          If you broke into my house to stop someone from stealing my things and in turn ran your fingers through my dainty things while in the progress of stopping the commission of a crime, well we have something completely different right? In turn, someone who finds a security hole and not profiting, and disclosing privately that the issue exists should be lauded. Those that do disclose shouldn't be.

          • Your scenario has little or nothing to do with the story. This guy broke into some networks and reviled business information to the public.

            • I also revile business information. Revilers Unite!

            • Your scenario has little or nothing to do with the story. This guy broke into some networks and reviled business information to the public.

              Uh... where exactly did he criticize business information in an abusive or angrily insulting manner?

          • by sycodon ( 149926 )

            Why do people cling to the perception that committing a clearly illegal act is somehow/sometimes justified for some reason?

            • by Mashiki ( 184564 )

              Why do people cling to the perception that committing a clearly illegal act is somehow/sometimes justified for some reason?

              Short answer? Sometimes a single person committing a single illegal act, and 'saving face' for someone else. Is better in the long run than an issue existing and 300 people using the same breach a few months down the road. There are reasonable expectations in case law at least in my country on such things. Both in things relating to physical property, and to computer crime.

        • by Mitreya ( 579078 )

          Hi, I broke into your house and ran may fingers through your dainty underthings and fondled your tooth brush.

          Don't you think you should buy a better lock and maybe an alarm system?

          While creepy (particularly the toothbrush fondling part :), it is still preferable to waiting for an even less scrupulous person to break into your house

          I see it more as "Hi, I was passing by the street and pushing on everyone's door (for fun, it is what I do). Your door had opened when I pushed it -- you may want to fix your lock".

          This may be a tad creepy, but these people are not the problem. The ones who would quietly use this information are the problem.

          • Re: (Score:2, Insightful)

            by xstonedogx ( 814876 )

            If you truly believe such behavior is merely "a tad creepy" and that it isn't a problem, seek professional help. I'm serious. What this guy did to these networks is way less of a problem than your disturbing analogy.

            The last time I saw someone "helpfully" checking doors in my neighborhood I called the cops. There is never a good reason to test the security of a stranger's house, or even a friend's house, unless they want you to do so. If you really care, write a damn pamphlet about home security and hand it

            • I suspect that any network admins worth their pay would be able to tell 1) if the exploit / entry method the guy was talking about was true, and 2) what he did when he got in there. If not, they have bigger problems.

              I sympathize with the views here, on both sides. Yes, this guy did something wrong, and at least in some cases seems to have been genuinely grey (if not white) hat about it. But if a system has a flaw big enough, how do you want the company to find out about it, this guy or Anonymous/Lulzsec?

              H

              • default passwords + open IP is a big issue and you don't even need to be a good hack to pull that off.

              • I suspect that any network admins worth their pay would be able to tell 1) if the exploit / entry method the guy was talking about was true, and 2) what he did when he got in there. If not, they have bigger problems.

                The problem is that it doesn't stop at 2)

                2. Verify what he did when he got there. If he tells you what he did, then yes, you should be able to check that.

                Now comes the fun part:
                3. Prove that he didn't do anything else. This isn't easy, in fact, you are trying to prove a negative. You assume that their systems are perfectly designed to log/alert/block/etc anything additional, and that this is possible for a network admin 'worth their pay'. Let me tell you, no network admin worth their pay should assume

            • by Mitreya ( 579078 )

              The last time I saw someone "helpfully" checking doors in my neighborhood I called the cops. There is never a good reason to test the security of a stranger's house, or even a friend's house, unless they want you to do so.

              I am not saying that I would encourage such behavior. But once a problem is found, I'd prefer to be notified about it (and I want the companies in question to be notified about it). There has to be a mechanism to allow this.

              Getting back to the network... You only have the word of someone unscrupulous that they didn't commit further unscrupulous activities.

              If they are not requesting anything in exchange then they are not benefiting from notifying you about the breach. You, however, DO benefit from being notified of a security breach.

              I also assume you do not take their word for it and perhaps verify that they haven't done anything untoward

              • I am not saying that I would encourage such behavior. But once a problem is found, I'd prefer to be notified about it (and I want the companies in question to be notified about it). There has to be a mechanism to allow this.

                I think this stands out to me most. I have to agree that yeah, you are being dishonest for doing it. But telling someone should be ok. IF however, when your admin does his check finds you did steal the kitchen sink, it isn't as ok. I will say however, he only REALLY did that with epic, and only when drunk. He only talked to MSFT when they found him. There is a lot of things he did like leak specs would be doing what is wrong. So sadly, he did enough to deserve some of this. The degree is debatable IMHO.

            • The real issue here is why we, as a society, couldn't put his skills to good, lawful use. (There is also unlawful good, but I won't go there, since what matters is the lawfulness) He seems like somebody with the skills. Why isn't he working for a security firm? Why isn't he making software more secure through lawful methods?

              To follow the physical lock analogy, instead of him going around your neighborhood checking locks/doors, why wasn't he a locksmith? A locksmith should be able to obtain access through an

              • Why isn't he working for a security firm?

                what he is doing is kind of in the trade school / hands on area and HR does not like them even when people who to them know more than people in college.

              • by Bert64 ( 520050 )

                The problem in many countries, is that while this guy has skills he may not necessarily have the paperwork to prove his skills.
                As such, companies simply won't hire him, and will never give him the chance to prove what skills he has.

                Also, if he gets convicted he will have a criminal record, which will be yet another reason why companies won't hire him.

                So the end result is that once all the dust settles, his only way of earning a living will be to use his skills for illegal purposes. And if he goes to jail, h

          • You have a strange perspective. If some random person is going around pen-testing the neighborhood, I'm going to have him arrested. The problem is self-appointed idiots like this who think it's ok to pen-test shit that does not belong to them.
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          If I'm in charge of millions of people's credit card information, THANKS! You're better than dealing with hackers who would rather take that credit card information, sell it on the black market and have to deal with legal charges for failure to properly secure financial information!

        • by rtb61 ( 674572 )

          You are a shit head. A direct personal invasion is not the same as an internet hack of a business account. One relates to escalation which can result in bodily harm and death and the other of course is largely meaningless. M$ in this case has used its corporate US power to escalate this beyond all reason, to a risky home invasion with some douche FBI agent threatening a minor with extradition (zip, zero, nil, nul chance, just some douche being true dick). How was the hack possible, obviously some truly pis

      • Comment removed based on user account deletion
      • NO. Simply put, don't break into other people's networks, regardless of intent. It is never ok to trespass in the name of self-righteousness. Also, it's not YOUR data, it is data about you.
      • at least have whistleblower protection and other stuff like company who use EULAs to make you at fault for bugs or even website typos that let you get past security without even trying to hack.

        whistleblower protection is needed to cover stuff like what happened to Stephen Heller and others like him.

        http://en.wikipedia.org/wiki/Premier_Election_Solutions

      • by Bert64 ( 520050 )

        They harass such people because they acted in good faith and informed them.
        Malicious hackers will try to be stealthy, so they will NEVER invite dialog with their victims unless it's for purposes of extortion, and they will generally go to extreme lengths to disguise their identities, keep access to whatever systems they breached and use them to gain further access if possible.

        Someone who tries to help them by identifying a hole and helping to fix it makes themselves an easy target. Someone who is stealthy,

      • by stevew ( 4845 )

        No - simply no. He broke in to a private network without permission. That is equivalent to "Entering" of a Breaking and Entering charge in the US in a brick/mortar situation. There is no ethical difference between the two. What he did with his ill-gotten gains isn't relevant to the discussion. That is the same thing as killing someone today, then joining Amnesty International the next day?!?

      • by Luckyo ( 1726890 )

        It is not. Draw a legal comparison:

        Is it okay to lockpick all company office locks, evade security cameras using various hiding techniques, crack the safe combination using a high tech listening device with a lot of trade secrets, take photographs as evidence and then mail all of the evidence of break-in? Because that is exactly what you're doing, but through computers and networks instead of doors and corridors.

        Many people use "but it's okay for me to pick my neighbour's lock just to show him that it's wea

    • And he still broke into other people's networks without permission.

      That's really scary. And that's just a rather neutral individual. Imagine what would happen if large institutions with agenda like FBI or CIA started doing the same thing! Oh, wait...

    • by Anonymous Coward

      In an age where many tech-related 'sources' are just empty claims, a lot of this guy's information has checked out.

      And he still broke into other people's networks without permission. But I suppose that's OK here since the private info that he released was of interest to Slashdotters and was "accurate"? It was OK because the victims were Microsoft and Sony? Or, shall we see another case of the famous Slashdot Double Standard?

      Generally I'm in favour of being cautious about rewarding tossers who release malware on the net, hack and wreck systems, or in some other way wreak merry havoc and then expect fat job offers. They should not be rewarded but rather should be put in fuck-you-in-the-ass jail. But in this case I'd be willing to compromise. If that guy really did no damage, and if I was MS, I'd compensate him for the damages done by the FBI and the Aussie cops, make him a job offer and put him to work in my security department d

    • I think that obtaining the info on the Xbox and the PS just served as a proof of his feat. He infiltrated the networks of two mega-corps that spend millions on security and employ hundreds of experts using his skills and knowledge. Maybe he didn't even care about the specs of the consoles. He just wanted the kind of information that would prove that he had actually gained access.

      The one with the twisted perspective on the subject is you in this case. You completely ignore the black/gray/white-hat categoriza

      • Re: (Score:2, Redundant)

        by dreamchaser ( 49529 )

        He broke the law, if his story is true, plain and simple. You're the one with twisted perspective on it. He had no right to access their networks or proprietary information. I hope they don't go TOO hard on him as he did seem to have relatively benign intentions, but he hacked into systems without permission. The companies in question did not contract him to do penetration testing or an overall security assessment.

      • by Sir_Sri ( 199544 )

        You realize there are firms that sell that sort of security right? And academic programs on how to do so etc.

        There are legit ways to enter the business; he simply chose a different route.

      • infiltrated or used someone's logon and password that may have been in another system that did not have millions spent on security

    • another case of the famous Slashdot Double Standard?

      Citation please. ;)

    • What double standard?  Good technicians are encouraged to explore the network.

      Or do we just want to let the Chinese develop good security knowledge?

      He didn't destroy anything, that's the point.

      What is wrong with you?
      • What double standard? Good technicians are encouraged to explore the network. Or do we just want to let the Chinese develop good security knowledge? He didn't destroy anything, that's the point. What is wrong with you?

        Good technicians who are employed to explore a network are encouraged to do it. That's about as far as it goes in reality.

    • by c0lo ( 1497653 )

      Or, shall we see another case of the famous Slashdot Double Standard?

      Why not, is it forbidden? I'm looking to Washington DC and I don't see a Single Standard, even if US may benefit from having one (e.g. consider the Constitution, how many "standard" interpretations it does have?).

  • by Anonymous Coward on Sunday February 24, 2013 @01:39PM (#42996305)

    It starts out like this, a hacker looking for the latest games, then it leads to Global Thermonuclear War.

  • No damage? (Score:1, Informative)

    by l00sr ( 266426 )

    There seems to be this common misconception that a network can be broken into without causing any damage. Tell that to the IT department that has to re-flash and re-image every damn machine on the network to make sure no backdoors were left behind.

    • by Anonymous Coward

      So, you're saying that IT shouldn't fix backdoors on their network as long as no one ever breaks in using them (that they know about)?

    • Re:No damage? (Score:5, Insightful)

      by K. S. Kyosuke ( 729550 ) on Sunday February 24, 2013 @02:09PM (#42996475)

      There seems to be this common misconception that a network can be broken into without causing any damage. Tell that to the IT department that has to re-flash and re-image every damn machine on the network to make sure no backdoors were left behind.

      There seems to be this common misconception that having to fix a network to remove holes and backdoors is somehow worse than having lived with it for some time without knowing it. Not to mention the fact that your second sentence does not substantiate the first, also known as the non sequitur fallacy: not having caused any damage and being under suspicion for having caused some are two completely independent things.

      • Guess there is a difference between your definition of "damage" and the GP's. In a business setting, any time, effort, or money that you spent, and would not have to spend if there were no breach is considered "damage".
        • Guess there is a difference between your definition of "damage" and the GP's. In a business setting, any time, effort, or money that you spent, and would not have to spend if there were no breach is considered "damage".

          And as long as you can make things up, any word can mean anything you want. So, to continue your line of reasoning: my dictionary tells me that "breach" can mean the same thing as "crack" or "fissure", and the hole was there before the guy got in there, so logically, they'd have to spend effort anyway.

        • Your front door lock is broken, but you didn't realise it. A passer-by tells you that is broken. Do you blame him for the "damage" to your wallet that comes from fixing it?

          Or how about this: You're understandably unhappy that he pushed your door open and poked his head in. He claims he didn't take anything (and given how he volunteered the information about your door, there's no reason to disbelieve him), but are you angry at him that you now feel the need to double-check everything you own, just in case he

          • Your front door lock is broken, but you didn't realise it. A passer-by tells you that is broken. Do you blame him for the "damage" to your wallet that comes from fixing it?

            Or how about this: You're understandably unhappy that he pushed your door open and poked his head in. He claims he didn't take anything (and given how he volunteered the information about your door, there's no reason to disbelieve him), but are you angry at him that you now feel the need to double-check everything you own, just in case he (or someone else) took something?

            If the lock was "broken" because he was able to devise a method to pick it necessitating that I replace the lock then YES. Imperfect security is reality everywhere all the time. If you think your systems are completely secure all it means is that you are mistaken.

            • Your argument is that his actions opened their systems wider, than if he hadn't done anything? Is there any evidence of that being the case here?

              If that's not the case, then he still did them a favour by pointing out a hole in their security. Sure there may be others, but now they know about this one. The responsible action would be to close the hole (and thank him), but they could always ignore it and do nothing; they'd be no worse off.

              • Your argument is that his actions opened their systems wider, than if he hadn't done anything? Is there any evidence of that being the case here?

                If that's not the case, then he still did them a favor by pointing out a hole in their security. Sure there may be others, but now they know about this one. The responsible action would be to close the hole (and thank him), but they could always ignore it and do nothing; they'd be no worse off.

                No, my point is that a system that is not perfectly secure is not an invitation for anyone who wants to access the system. Just as you will go to jail if I leave my front door closed but unlocked and you walk in and rifle through my wife's underwear drawer. Maybe you take a photo of it, while you're there but leave the actual items. Unlocked (or insecure in computers) does not equate to do whatever you want. If the company had no security other than a telnet uid/pwd, he still isn't allowed to crack that

                • Pretty hard line to take on a guy who was a) a kid, b) merely curious, not malicious, c) did no damage, and d) did them (and their customers) a favour by alerting them to a security hole that could be maliciously exploited by the next hacker to drop by.

                  Some companies (e.g. Epic) actually appreciated the heads-up, and sent him a signed poster in thanks. Your position that he be punished instead, while defensible under a strict interpretation of the law, looks more like a dick move to me. I'd expect a judge w

        • Guess there is a difference between your definition of "damage" and the GP's.

          In a business setting, any time, effort, or money that you spent, and would not have to spend if there were no breach is considered "damage".

          Excuse me...

          Why is it that you think that a breach that is committed by someone who reports it to you and potentially faces repercussions for their having a Bushido-style sense of honor about things causes less damage than a breach committed by someone who then proceeds to profit from said breach without disclosing it to you, up to and including selling the details of how to repeat it to third parties?

          Do you somehow think that the people who open themselves up to the repercussions are smarter than the ones

    • Re:No damage? (Score:5, Insightful)

      by Jah-Wren Ryel ( 80510 ) on Sunday February 24, 2013 @02:12PM (#42996501)

      There seems to be this common misconception that a network can be broken into without causing any damage. Tell that to the IT department that has to re-flash and re-image every damn machine on the network to make sure no backdoors were left behind.

      Those actions and associated costs are not the result of having your network broken into. They are the result of being told your network is vulnerable - even if you have no knowledge that the network was actually broken into.

      • by bwcbwc ( 601780 )

        No, you're conflating two different types of security vulnerabilities:
        1) The gap the guy originally used to get in, plus any other pre-existing vulns.
        2) the gaps the guy may have introduced into the network while he had access, via new malware, etc.

        The re-flashing and stuff mentioned on the GGP is primarily to mitigate #2.

        #1 is definitely not the guy's fault, but any precautions required to mitigate #2 definitely are.

        And whether you agree with the law or not, breaking into secured networks is still illegal r

      • by Xugumad ( 39311 )

        My network is vulnerable. I know this, because it exists.

        The question is how vulnerable.

        I run Linux, not OpenBSD, so there's a greater chance that I'll get a zero-day attack sprung on my network. However we make that compromise because it's considered reasonable.

        I run services we need, but each is a risk.

        There is no such thing as a secure network, there is only a secure-enough network.

      • There seems to be this common misconception that a network can be broken into without causing any damage. Tell that to the IT department that has to re-flash and re-image every damn machine on the network to make sure no backdoors were left behind.

        Those actions and associated costs are not the result of having your network broken into. They are the result of being told your network is vulnerable - even if you have no knowledge that the network was actually broken into.

        That is not completely correct. Once you know your network has been broken into you can no longer trust any device that has potentially been intruded upon and more often than not a full rebuild is required, simply finding a vulnerability means you have to patch it not rebuild. There will always be vulnerabilities, maintaining and monitoring is key to that, however once a vulnerability is exploited the cost skyrockets.

    • by dissy ( 172727 )

      So what you're saying is, if you say to me in conversation you are running a server with such and such software, and I reply also in conversation that the latest version of software such and such is exploitable, then give you the URL to the security announcement... I now somehow owe you money despite not even knowing where your network is let alone haven't touched the thing? Simply because you need to check for backdoors and reimage potentially backdoored machines?

      I think you don't understand how this "fau

  • by Anonymous Coward

    > he retrieved information about the PS4 and next-gen Xbox 'Durango' (which turned out to be correct)

    "Durango" hasn't been revealed yet. How do we know his info is correct?

    • by Sir_Sri ( 199544 )

      They might mean he had info on early development kits, a lot of that info has leaked out (there are after all lots of companies that have said kits).

      Early development kits aren't final hardware though, so they don't mean much to consumers or people on the outside.

  • Chinese Army (Score:5, Insightful)

    by the eric conspiracy ( 20178 ) on Sunday February 24, 2013 @01:52PM (#42996385)

    Ugh.

    If some surfer dude from Oz can do this imagine what the Chinese Army and the TLAs have gotten into.

    I don't know if this is good or bad, Mutually Assured Destruction can be a good thing, as well as can be the dissemination of information.

    However it sure should give people pause when they put a server online. Or make their bank accounts available on the web.

    It might be a case of not if but when.

  • So, it's okay for the U.S. government and even corporations to spy on our communications (Facebook, phone calls, chats), emails, and whatever we upload to the cloud without a court warrant but when somebody does it to a corporation or government it's time for the feudal U.S. system to go bat shit crazy on his/her ass. If U.S. does not follow the constitution why should we, remember by the people for the people. Hah, who cares it's a feudal system. People just stop hacking it's not worth losing your life over.

    • by bwcbwc ( 601780 )

      No it's not OK for the government to do that. But just because the government screws you over doesn't mean you can go screwing over 3rd parties. The problem isn't that the law against cracking networks is necessarily bad (although I'll agree it's not perfect and overreaches), it's that the government and corporations aren't held to the same standard as individuals, which is a completely separate issue.

  • by Anonymous Coward

    Because no one seems to be blaming the companies like usual, no one is blindly angry for no reason and no one seems pissed off. Why? Because he stole information that users here find interesting.

    I mean he did the same thing that hackers have done to companies before and you people lined up to spout the same comments and blame the companies for being hacked many many many times but now all of a sudden you change your tune simply because he wasn't trying to steal personal information about you. He committed the

  • Really? (Score:2, Insightful)

    by Anonymous Coward

    Summary: Kid breaks in networks of corporate entities, accesses trade secrets, purchases development hardware using fraudulent information, brags about it on the internet and then cries about being "ruined".

    There is nothing "ethical" about any of this kid's shenanigans. He cried about them taking his toys away, and doesn't even realize he's going to pound-me-in-the-ass prison yet.

    Moral of the story: Common sense eludes hacker.

  • banking fraud can get you time in a FPMITA and he did it on the International level.

  • WE make sure that no good deed goes unpunished. no matter where you are in the world, do something good and we will find you and punish you.

  • Your computers and other electronic devices can be confiscated without warrants or your "permission" within 100 miles of the U.S. border without cause or suspicion because you have no right to privacy, and the contents of your phone can be examined by a police officer during a traffic stop, but their computers are private and protected by people with guns?

    Right. Got it.

    In the past, people would never have tolerated this. They'd have risen up against it and the evil bastards who propagated it.

    Now, we're just

  • I would argue that he may have done a great deal of damage. Releasing plans for future products can tip off competitors. Information regarding future products can also result in a customer not purchasing what is currently available in anticipation for a future product. Both of these can mean millions of dollars in losses for a company.
