Board for Microsoft Security Issues?


ZZBroncos

I am posting just to present the idea of having a board dealing specifically with security issues people have noticed with Xbox Live, the achievement system or anything else Xbox Live related that could impact one's gaming experience.

The reason for this is simple. Few really are aware of how insecure Xbox Live and their parent company Microsoft really are. It is also not limited to Xbox Live for it is a problem that cuts across all spectrums of electronics on the civilian market even up to the newest military technologies.

The board would be used as a medium for members of the X360a community to post issues they are having with Live, people who do hack then crack accounts, gamers to avoid, gamesavers, etc.

There is a need for this as many people have no idea that just by playing a game with someone over Xbox Live they are literally giving that person everything they need to hack, crack and hijack their account.

Then, if the moderators and administrators will allow it, a section could be designated for ways that account can be hacked using Microsoft to do everything for you. Currently, I know of 4 methods to acquire accounts just through the work of Microsoft employees or Microsoft services. This could be closed to all non admins or mods to prevent exploitation of these methods. Every time a method is determined to work, an Admin could make a phone call to Microsoft (Corporate) to inform them about the vulnerabilities in their network.

This idea has a lot of tangible benefits to not only the X360a community but to the entire Xbox Live community. I deplore you, the X360a site admin team to act upon this request for the betterment of the Xbox Live community and the rule of law.

 

Thank You

 

ZZ

Link to comment
Share on other sites

Good idea, only thing is I don't know how well Microsoft would take advice given. More so how quickly.

Link to comment
Share on other sites

Kaleido42, I know what you are saying, but literally when it would be apparent how insecure it is, I hope the media would pick up on this and actually delve into the complete apathy that this country has towards its cyber defences. Imagine an article on the front of the Washington Post detailing how, if a person wanted, they could sever the United States and the Western Hemisphere from the rest of the world with 6-9 small truck bombs which would cause zero casualties.

Back to Microsoft, they do not care, but when they are taking flak in the media for already having a crap console (I have had 14 RRoD in 3 years) AND they have an easily hackable and thus crackable internet service where credit card numbers are used routinely and sensitive information is dispersed throughout this system. Many adults entrust their children with their credit card around 14-16 if they are upper middle class and up. Imagine the outcry if the account of the son of the President of the United States was hijacked (yes, Obama does not have a son, it is a hypothetical premise).

Also it would encourage members of the X360a community to NOT put any personal information on their account, whether it is just information or a credit or debit card.

Since members of the community have flamed me for a lack of credibility on a similar thread where I inquired about ideas for a new GT, go check out smallwarsjournal.com or longwarsjournal.com and read. Do not think or jump to any conclusions. Just read the boards, discussions and the round tables. These are people who are experts in their fields who have intimate knowledge of many, many topics relevant to cyber security.

Lastly, notice how people discuss on the boards. It is civil. It is possible. These are people from all walks of life, all backgrounds, all beliefs and biases, all corners of the political spectrum. They have civil discussion on topics that are near and dear to them. In some instances they have been severely injured for them or lost close friends fighting because of views expressed there. There is no flaming, mainly due to the excellent admin team which I met not long ago.

No offense is intended but the exact opposite should be taken away from this. The admin team here could learn something from one of the best admin teams on any forum on the net. They are excellent here and are overwhelmed with everything they have to deal with, and this is not their job. But the amount of flaming that goes on virtually unabated (thanks JDM for quelling the flaming on my GT thread) needs to stop.

 

I also just realized how long this post is going to be, so I will try to avoid doing it again just to conserve the time of members reading this.

 

Thank You

Link to comment
Share on other sites

I have a few questions and observations which carry on from your previous thread.

 

You noted that people will still hack despite the legal risks. You also related it to murder (there are laws against murder but it still happens). I understand that and here is my rebuttal to that statement.

 

Let's say there was an outcry over a murder and the public demanded more be done to prevent it. The Government provides armor for everyone.

 

It'd be harder to murder someone, sure, but if the person really wanted to they'd eventually get it done. This is how I relate the two. MS could increase security but if people were capable of hacking before, I doubt anything MS does would stop them.

 

LIVE is monitored by MS, which is a deterrent. As is the law.

If people are still willing to hack and risk imprisonment, well, that's their prerogative.

 

Could you please explain this sentence; "a section could be designated for ways that account can be hacked using Microsoft to do everything for you."

 

Wouldn't someone need to figure out/execute the hack to make this possible? Or are you suggesting we think of ways to access the network/information and ask MS to test it out?

 

Not sure that that would go down too well...

 

The idea of a security board is a decent one. However, I fear it'd become repetitive/pointless. Most of the topics would be "My account is under threat from a hacker, what do I do?"

 

Well, what do they do? Other than report the person to MS and file a complaint. In your other thread you mentioned you were changing your GT to avoid being hacked. That is not 100% effective, nor is any other measure.

Link to comment
Share on other sites

I explained some things in your other thread but I thought I would address the credit card issue here.

 

It's not possible to see someone's credit card info from their account on their 360 or even on xbox.com.

 

You can't even see your own credit card number. It usually looks about like this:

 

****************4621

 

The last four numbers are only visible so that the card holder can identify their card from others if you've used multiple payment methods.

 

Someone would have to either work at MS or probably work for the NSA... which we all know doesn't exist... :p to get your credit card numbers from Microsoft.

 

Also, as Webb told me about another forum, I doubt this would be used all that much. There are maybe two or three threads a week in various forums about "account hacking"... not enough to warrant its own forum.

 

But I'm not exactly a decision maker... so I guess we'll find out when one of the admins drops by.

 

EDIT: Also on the point of those places you linked to being more mature... it's mostly comprised of current and ex-military personnel. Of course it's more mature.

 

Throw a 12 year old kid in there and see what happens.

Edited by Skillet
Link to comment
Share on other sites

This 'Security Issues' crap is getting out of hand... It seems that there have been more threads dedicated to this now than there ever was... It's annoying.

 

People just don't know how to handle their personal information and they give it out like candy, much like doctors with Vicodin. It's going to be your fault 99% of the time and there's nothing we can do about it. The board would be full of members falsely accusing other people of hacking and members telling everyone to send someone bad feedback so that Microsoft will look into it. Unfortunately, the second part will not do anything as most of us will not have come in contact with that player in recent games, so Microsoft will just throw that report away.

 

Be careful with your personal information. If you're not careful with it, don't hop on x360a and cry about it looking for either sympathy or a reason why. Also, once you get a reason as to why it most likely happened, don't disregard it and tell everyone they're wrong. If you're so right about it in the first place, don't come here and bitch about it. Figure it out on your own and leave everyone here alone.

Link to comment
Share on other sites

If someone can get all of your information just by playing ONE game online with you then what do you suggest we do about that?

 

Never play online again?

 

Only ever play with people we know (and pray they haven't been hacked)?

 

Go and live underground?

 

Seriously, if someone is that dedicated to hacking your account then you may well be screwed. But my question to you would be this - if it was that damn easy then why has no one hacked people high up the leaderboards yet? Surely their cards are the biggest juiciest prizes on offer, and they play that much that they have probably crossed paths with countless other people, yet they aren't being hacked.

 

So I think things aren't as bad as your doom and gloom prediction makes out.

Link to comment
Share on other sites

My two cents (need the posts so I can join the 1000s club :))

 

1. Good idea to have a dedicated forum for those that wish to discuss the topic. I don't think it would be wise to discuss the methods tho as further advertising would only make idiots want to try it out

 

2. Good idea about the gamertags for those that you know are dodgy. Hopefully these would have been reported to Microsoft too of course. It means people could refer to your list when approached with a friend request or game invite from an unknown. Means they'd have to check every invite and be online to look at the list and look thru all the crap posts to get to the list but... :)

 

3. A question. What's the point of someone hacking an account? Why would anyone bother? All it does is create an inconvenience for me as I lose all my points. They don't get any personal info about me unless they have access to the MS databases and, if they had access to that and knew my gamertag, couldn't they just look it up there?

 

Number 3 is a real question btw, not meant to be taken sarcasticly (dammit Safari I know that's spelt incorrectly but I don't know the right spelling!!!)

 

EDIT: PS - I personally don't think that this is a forum I would visit or really be interested in. I work in IT and know how vulnerable damn near everything is but this site isn't really somewhere I go for technical hacking info. That said it's not a stupid idea and not worthy of the ridicule you've received in this and the other forearm. There is a great deal of interest in the topic so I think it's valid to add. Those that don't like it can just not visit :)

Edited by Psycho Chickan
Link to comment
Share on other sites

I don't think he is being ridiculed.

 

As far as I see it, it is not the admins' duty to report issues to Microsoft and even if they did, why would MS listen to us in the first place?

 

If you have a specific security issue, or think you have spotted a problem with MS security and want to let them know about it - then just do it yourself. Why come onto a website, post your issue and then expect them to take it up with MS? That makes no sense.

 

As people have already said: a forum full of potential hack exploits and the like, is asking for trouble. If the forum was therefore only visible to mods etc then what would be the point?

Link to comment
Share on other sites

I could see the point of making it admin read only. Say I think I've found an exploit and the easiest way I could get that information to M$ is by posting it here for x360a to pass along. It makes much more sense making it so that the only people that can read about my exploit are the ones going to tell M$ to get it fixed and not people that will take advantage of it.

 

That said, I see no need for this forum. As it's been said, we as individuals can just as easily inform M$ as the site can, although I will agree an individual is less likely to be taken seriously.

 

@ Skillet: he's right about information being passed on just by playing. The most basic information which anyone can find out if they were so inclined is someone's IP address. Simply monitor your 360 traffic and you have someone's IP. From there you can have your basic, free trace which gives the city of the person, or for the serious people who will pay, an exact address. You could play with me for two minutes and another two minutes can pass and I could know exactly where you live.

 

If I could get someone's address that easy, you think it's that much harder to get a credit card number? Not for someone who knows what they're doing. Someone who knows what they're doing wouldn't even need to trace an IP, they could just crack into your account and get all your personal information, including a CC#

Link to comment
Share on other sites

If I could get someone's address that easy, you think it's that much harder to get a credit card number? Not for someone who knows what they're doing. Someone who knows what they're doing wouldn't even need to trace an IP, they could just crack into your account and get all your personal information, including a CC#

Actually it would be near impossible to use any info that's on your Xbox about your credit card. You might be able to make a purchase for points and gift them to the hacker's main account, but I don't know if they allow you to gift anymore...

Link to comment
Share on other sites

What are you talking about? Let's say I have a CC on file (I don't, but let's say) and you can see my registered information. There is my address, name, birthdate, and credit card #. Buying a few measly M$ points (which is restricted anyway, to 10,000 MSP) is nothing, but with that information someone could commit identity theft.

Link to comment
Share on other sites

Alright... fine.

 

66.82.9.55

 

Now tell me where I live. You have four minutes.

 

EDIT: The problem with your argument is the fact that if it were really so easy to obtain someone's personal information via their IP address, the internet would die. There would be so many instances of identity theft... a single "hacker" could obtain millions of dollars per day before they were ever caught. Multiply that by about... say 500 moronic people intelligent enough to do it and the government has the biggest mess to handle since World War 2.

 

And as I said before, short of working at Microsoft, there is no way for someone to figure out your credit card number through your account with Microsoft. It's not even visible to you.

Edited by Skillet
Link to comment
Share on other sites

Address: 11717 Exploration Lane

City: Germantown

StateProv: MD

PostalCode: 20876

Country: US

 

Doubt that's you, but okay.

 

That's probably the address for my ISP.

 

Which I believe I explained in Bronco's other thread.

 

Good luck wrestling my account info from them.

Edited by Skillet
Link to comment
Share on other sites

You haven't really proved anything. http://www.find-ip-address.org/ will give you your own information. There are places you can use to find other people's information, but I'm not going to bother searching for 'em, I've made my point. I've guessed that you have to pay for the ones that will give you exact details.

 

My other point is that a real hacker won't even need to do this to get your information, their best source is what they see listed in your registered information.

 

Oh... what my address?

 

Telephone number?

 

Name?

 

Wouldn't want a hacker getting a hold of a phone book then! And I guess I better take the house number off of my mailbox. As for IPs.. I guess you better leave this site. Think about it... every administrator, moderator, and member who has moderator powers in a specific forum can view your IP address. I can view the IP of anybody in the media board.

 

Seriously. Quit with the conspiracy crap. It's getting really old and I'm tired of this argument.

 

As has been said many, many times before, all accounts that have been "hacked" have been traced back to phishing. Don't give out your info... you don't lose your account.

 

It's as simple as that.

Link to comment
Share on other sites

What are you talking about? Let's say I have a CC on file (I don't, but let's say) and you can see my registered information. There is my address, name, birthdate, and credit card #. Buying a few measly M$ points (which is restricted anyway, to 10,000 MSP) is nothing, but with that information someone could commit identity theft.

No, it only has the last 4 digits.

Link to comment
Share on other sites

I have to run to a panel discussion on IO of the Taliban and Al Qaeda in Afghanistan. I will try to hit all of your concerns tomorrow sometime as I have other demands on my time tonight.

I will touch the smallwarsjournal.com issue. The fact that it is absent 12 years and made up of retired military (which is incorrect, since there are active duty, reserve, civilian, government employees etc.) is irrelevant. Most if not 80% of the community is at least 17 years old. Yet the incivility is a huge issue here. If it were only 12 year olds I would just say that their parents need to see what they are posting but it's not. Personally, I think people should be suspended from the site for a period of time for violating ToS or CoC of X360a for posts they made. I just want stringent punishment for those that repeatedly flame for any reason. It is a video game site dedicated to acquiring achievements, nowhere near as serious as the issues discussed on that site and yet they are many orders of magnitude more civil than is present (normally) on this site.

I am amazed (no offense intended towards you two) and will thank Skillet and Tussell for their civility as I stopped participating on the forums because many of the community members of this site's first instinct is to flame just to flame. You two have renewed my faith, I guess you could call it that, in this site in regards to having civilized discussions. Again, thank you.

Gotta run, I will be back tomorrow.

*Note: I do love this site and it is painful to have typed the things above, but it is true.

**Note: Not touching your information as I am not authorized to do anything domestically and my job is infinitely more important than proving a point on this site.

Link to comment
Share on other sites

**Note: Not touching your information as I am not authorized to do anything domestically and my job is infinitely more important than proving a point on this site.

 

Yet... you keep trying.

 

Perseverance is admirable but kind of pointless in this instance. There's you and one or two others with your doomsday international security conspiracy that has somehow seeded itself over to the 360 and think that the Admin team here (that you say could learn from the best, apparently) are the ones who should do something about it.

 

And you and those few people are against just about everyone else who has posted here and in your other thread.

 

As for the maturity of this site, it's rather mature.

 

It still doesn't pay to compare a site with 300,000 members to a site with what, a thousand? Maybe two? Especially when the other site is, as you say, current military. They're trained to be disciplined, are they not? Of course it's more mature.

Link to comment
Share on other sites

ZZBroncos-Everyone in this thread has been civil.

 

Not sure what you consider flaming to be. Sure, we've disagreed with you, but we've done it in a polite way.

 

That was the point, and I was pointing two people out who HAVE been posting somewhat constantly. I am not saying people are not being civil on this thread. I am pointing out how almost every single thread here is filled with flames. It was a tangent I noticed.

Link to comment
Share on other sites

Perseverance is admirable but kind of pointless in this instance. There's you and one or two others with your doomsday international security conspiracy that has somehow seeded itself over to the 360 and think that the Admin team here (that you say could learn from the best, apparently) are the ones who should do something about it.

 

And you and those few people are against just about everyone else who has posted here and in your other thread.

 

I do not think the admin team can do anything. The point I was trying to get across was that it is ludicrous to really consider your account secure or anything else you do by internet. The whole reason behind that was a few people had suggested I was 'not knowledgeable' in this area and that Xbox Live had nothing to worry about in so far as security is concerned.

*Note: The point about not providing you information from the IP address you posted just to prove a point is

1) It is Illegal

2) I am not authorized to do anything of that nature domestically without Writ of Habeas Corpus

3) It is irrelevant to gather information over Xbox Live. If I played with you, and you wanted me to grab the IP then do it, yes it would be relevant. This is not as there are hundreds of thousands of people that do that daily. I do not see how I need to 'prove' something is understood to be so. It’s like being asked to prove how gunpowder propels a bullet since you (hypothetically) believe that it is magic. It would be a waste of time.

Gotta run again, I will be replying to the posts that will require significantly more time. Later

Link to comment
Share on other sites

My question is simply this. If it was as simple to hack anyone's account as you claim it is - then why isn't this a widespread issue? As if the hackers got away with it once they are hardly going to sit back and say 'enough is enough'.

 

More importantly why aren't people at the top of various leaderboards being hacked? As they are surely the most obvious target.

 

I know of people who have been hacked and invariably they have been sucked into some kind of website based scam that asks for their details. Hard luck for them - but they did eventually get their accounts back. If you could name me just ONE person that you KNOW has had their account taken without them posting their details somewhere they shouldn't then maybe you'd have a point. But I can't see it happening as people (whether they admit it or not) have only been taken down via some kind of web based scam and not just by playing one game with someone.

Link to comment
Share on other sites

This topic is now closed to further replies.