Security by space bar



  • Xbox password flaw exposed by five-year-old boy

    The five-year-old hacker isn't TRWTF:

    @BBC said:

    The boy worked out that entering the wrong password into the log-in screen would bring up a second password verification screen.

    Kristoffer discovered that if he simply pressed the space bar to fill up the password field, the system would let him in to his dad's account.

    I honestly cannot fathom how you can get to this point of security failure.



  • I wonder why they weren't just doing a try again on password failure. I mean you keep count of fails with the server to catch brute forcers, but otherwise you normally just give the same password stuff again. Anyone with an Xbox account have an explanation as to why the verification would have been diff from the base sign in (other than dumb stuff on the back end which was apparently there)?



  • Whew, when I first read the title I thought it said "Five-year-old boy exposed by Xbox password flaw" and started panicking that somebody had found my--- You know what, nevermind..

    @TFA said:

    In an interview with local news station KGTV, Kristoffer said: "I was like yea!"

    Then he found his Dad's collection of True Blood fan-art wallpapers and some lucky future psychiatrist got a down payment on a new boat. Look kids: it's all fun and games hacking dad's Xbox account until you discover you were an accident. And not in the "Oh crap, I think it's still inside you" way but in the "In any other civilization in human history my dad would have been tied to a rock and thrown into a river by his own parents once he started talking."

    Just think: if the Enigma machine had this flaw, Alan Turing would have had a lot more time to wear women's underwear and we'd never have gotten the personal computer or the Arduino-powered Fleshlight*. History.


    (*Come to think of it, if Alan Turing had had more time on his hands he probably would have invented something far, far more perverted.)



  • @morbiuswilters said:

    Arduino-powered Fleshlight
     

    Citation needed.


    Also, welcome back morbs, you missed some interesting happenings.



  • @Snooder said:

    Also, welcome back morbs, you missed some interesting happenings.

    Don't be a tease, what'd I miss?



  • @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.



  • @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.


    Bossy racism. A Monty Python signature guy. Blakey getting all worked up about people gaming with a mouse and keyboard. The usual. Oh, and the Macys' Day Parade thread.


  • Trolleybus Mechanic

    @mikeTheLiar said:

    Kristoffer discovered that if he simply pressed the space bar to fill up the password field, the system would let him in to his dad's account.
     

    Maybe that was his password.



  • @mikeTheLiar said:

    A Monty Python signature guy.
    Rats. Which thread? Sometimes there are disadvantages to reading with signatures disabled.



  • @mikeTheLiar said:

    @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.


    Bossy racism. A Monty Python signature guy. Blakey getting all worked up about people gaming with a mouse and keyboard. The usual. Oh, and the Macys' Day Parade thread.

    dhromey's answer was 160 characters more-concise.



  • @morbiuswilters said:

    @mikeTheLiar said:
    @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.


    Bossy racism. A Monty Python signature guy. Blakey getting all worked up about people gaming with a mouse and keyboard. The usual. Oh, and the Macys' Day Parade thread.

    dhromey's answer was 160 characters more-concise.





  • @Lorne Kates said:

    @mikeTheLiar said:

    Kristoffer discovered that if he simply pressed the space bar to fill up the password field, the system would let him in to his dad's account.
     

    Maybe that was his password.

    Unlikely. The article says the dad works in security (and I'm assuming they don't mean driving around in a Wackenhut VW Beetle and making sure bums aren't jerking off in the ATM buildings..) That means there's probably a 67 character, randomly-generated password on the wifi that has to be read aloud any time a guest wants to use the Internet connection..

    "Oh Jesus Christ, it says the password is wrong again!"

    "Yeah, I think we hit trouble in that long stretch of Ys.. you entered 'capital Y, capital Y, lowercase y, period, lowercase y', right?"

    "Forget it, I'll just tether with my goddamn phone. I don't need both kidneys, anyway.."



  • @BenLynn said:

    Filed under: mine is shorter

    TMI.



  • @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.

    I heard some really awesome guy came back.



  • @bstorer said:

    @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.

    I heard some really awesome guy came back.
    Really?  Who?

     



  • @HardwareGeek said:

    @mikeTheLiar said:
    A Monty Python signature guy.
    Rats. Which thread? Sometimes there are disadvantages to reading with signatures disabled.

    Any thread with Mott555.



  • @El_Heffe said:

    @bstorer said:

    @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.

    I heard some really awesome guy came back.
    Really?  Who?

     


    Morbs is back, you silly goose!



  • @morbiuswilters said:

    Unlikely. The article says the dad works in security (and I'm assuming they don't mean driving around in a Wackenhut VW Beetle and making sure bums aren't jerking off in the ATM buildings..) That means there's probably a 67 character, randomly-generated password on the wifi that has to be read aloud any time a guest wants to use the Internet connection..
    My wifi has such a password, mostly because I got tired of coming up with decent but memorable passwords for some time a few years back. But I also have a second wifi network for guests with an easy password, but low bandwidth priority and no access to my network printer or porn box file server. It's a pretty good setup, because I get twice the healthy, refreshing wifi radiation.



  • @mikeTheLiar said:

    @El_Heffe said:

    @bstorer said:

    @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.

    I heard some really awesome guy came back.
    Really?  Who?

     

    Morbs is back, you silly goose!
    Please. He just follows me around because I have a fifth of gin and loose morals.



  • @bstorer said:

    @morbiuswilters said:
    Unlikely. The article says the dad works in security (and I'm assuming they don't mean driving around in a Wackenhut VW Beetle and making sure bums aren't jerking off in the ATM buildings..) That means there's probably a 67 character, randomly-generated password on the wifi that has to be read aloud any time a guest wants to use the Internet connection..
    My wifi has such a password, mostly because I got tired of coming up with decent but memorable passwords for some time a few years back. But I also have a second wifi network for guests with an easy password, but low bandwidth priority and no access to my network printer or porn box file server. It's a pretty good setup, because I get twice the healthy, refreshing wifi radiation.

    I used to have something like a 40 char password, just because I had only copy-and-pasted it in. Then I had some roommates that wanted to connect the Wii. It took an hour.



  • @morbiuswilters said:

    @bstorer said:
    @morbiuswilters said:
    Unlikely. The article says the dad works in security (and I'm assuming they don't mean driving around in a Wackenhut VW Beetle and making sure bums aren't jerking off in the ATM buildings..) That means there's probably a 67 character, randomly-generated password on the wifi that has to be read aloud any time a guest wants to use the Internet connection..
    My wifi has such a password, mostly because I got tired of coming up with decent but memorable passwords for some time a few years back. But I also have a second wifi network for guests with an easy password, but low bandwidth priority and no access to my network printer or porn box file server. It's a pretty good setup, because I get twice the healthy, refreshing wifi radiation.

    I used to have something like a 40 char password, just because I had only copy-and-pasted it in. Then I had some roommates that wanted to connect the Wii. It took an hour.

    This does not in any way raise the question: How long is the shortest string containing all 40 character passwords?



  • @Ben L. said:

    How long is the shortest string containing all 40 character passwords?
    ((k!)^(k^39)) / k^40 + 39, where k is the number of distinct symbols allowed in a password. If you're short of storage space you can save the last 39 characters, which are simply a repeat of the first 39, by allowing substrings to be extracted from your string in a wrap-around fashion.



  • @flabdablet said:

    @Ben L. said:
    How long is the shortest string containing all 40 character passwords?
    ((k!)^(k^39)) / k^40 + 39, where k is the number of distinct symbols allowed in a password. If you're short of storage space you can save the last 39 characters, which are simply a repeat of the first 39, by allowing substrings to be extracted from your string in a wrap-around fashion.

    Wrong. It's 1, if you stack all the characters on top of each other.


  • :belt_onion:

    @bstorer said:

    @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.

    I heard some really awesome guy came back.

    All we need now is for MPS to come back and we can 'party' like it's 2009



  • @mikeTheLiar said:

    I honestly cannot fathom how you can get to this point of security failure.

    A single string.isNullOrWhitespace(pass) instead of string.isNullOrEmpty(pass) would do it.



  • @zybex said:

    @mikeTheLiar said:
    I honestly cannot fathom how you can get to this point of security failure.

    A single string.isNullOrWhitespace(pass) instead of string.isNullOrEmpty(pass) would do it.

    I may be drunk, but that doesn't make much sense. I mean, presumably if they intended to check if the password was null or whitespace, they wouldn't then let that through, would they?
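
    Added example, not part of the thread and not Xbox code: a hypothetical C# sketch (.NET 6 or later) of one way the whitespace-check mix-up discussed above can fail open, when a blank entry is read as "nothing to verify" rather than rejected. The `Account` record, its `PasscodeHash` field, the UI gate and both verify methods are assumptions made for illustration, and the sample entries are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical types and names throughout; sample data is constructed.
record Account(string Name, byte[] PasscodeHash);   // PasscodeHash == null: none set

static class Demo
{
    // SHA-256 keeps the sketch short; a real system would use a salted password KDF.
    static byte[] Hash(string s) => SHA256.HashData(Encoding.UTF8.GetBytes(s));

    // UI-side gate: the submit button is enabled once the field is non-empty.
    static bool UiAllowsSubmit(string entered) => !string.IsNullOrEmpty(entered);

    // Fail-open: "nothing typed" is treated as "nothing to verify". The UI blocks "",
    // but IsNullOrWhiteSpace also sends an all-spaces entry down the skip branch.
    static bool VerifyFailOpen(Account a, string entered)
    {
        if (string.IsNullOrWhiteSpace(entered)) return true;
        return a.PasscodeHash != null
            && CryptographicOperations.FixedTimeEquals(Hash(entered), a.PasscodeHash);
    }

    // Fail-closed: the decision depends only on the stored credential, and the input
    // is compared as typed, with no trimming and no "blank means skip" shortcut.
    static bool VerifyFailClosed(Account a, string entered)
    {
        if (a.PasscodeHash == null || string.IsNullOrEmpty(entered)) return false;
        return CryptographicOperations.FixedTimeEquals(Hash(entered), a.PasscodeHash);
    }

    static void Main()
    {
        var dad = new Account("dad", Hash("correct horse battery staple"));
        foreach (var entry in new[] { "", "        ", "wrong", "correct horse battery staple" })
        {
            bool submitted = UiAllowsSubmit(entry);
            Console.WriteLine($"[{entry}] ui={submitted} " +
                $"failOpen={submitted && VerifyFailOpen(dad, entry)} " +
                $"failClosed={submitted && VerifyFailClosed(dad, entry)}");
        }
    }
}
```

    The two layers disagree about what "blank" means: the UI check and the back-end check each look reasonable alone, and only the all-spaces entry passes the first and takes the skip branch in the second.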



  • @bjolling said:

    @bstorer said:

    @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.

    I heard some really awesome guy came back.

    All we need now is for MPS to come back and we can 'party' like it's 2009

    I think the Connecticut state mental health system finally did its job there and put him away.



  • @bjolling said:

    All we need now is for MPS to come back and we can 'party' like it's 2009
    No chance of that. He was banned. Community Server bans cannot be defeated, by even the greatest hackers.


  • BINNED

    @morbiuswilters said:

    I think the Connecticut state mental health system finally did its job there and put him away.
     

    I always thought you were, like, friends. You keeping his back from the forista's backstabbing while he was heroically fighting the SSDS dragon.


  • Considered Harmful

    @morbiuswilters said:

    @flabdablet said:
    @Ben L. said:
    How long is the shortest string containing all 40 character passwords?
    ((k!)^(k^39)) / k^40 + 39, where k is the number of distinct symbols allowed in a password. If you're short of storage space you can save the last 39 characters, which are simply a repeat of the first 39, by allowing substrings to be extracted from your string in a wrap-around fashion.

    Wrong. It's 1, if you stack all the characters on top of each other.

    That sounds like the tallest string, not the shortest.



  • @topspin said:

    @morbiuswilters said:

    I think the Connecticut state mental health system finally did its job there and put him away.
     

    I always thought you were, like, friends. You keeping his back from the forista's backstabbing while he was heroically fighting the SSDS dragon.

    TDWTF Mafia was not unlike the Allied powers of WWII. We too saved all the Europeans from a hopeless existence. In this case, MPS was Stalin, difficult to deal with and an eventual problem once other threats were neutralized. Luckily he turned his own destructive nature inside as well as out, which kept him from ever being a true threat.



  • @morbiuswilters said:

    @zybex said:
    @mikeTheLiar said:
    I honestly cannot fathom how you can get to this point of security failure.

    A single string.isNullOrWhitespace(pass) instead of string.isNullOrEmpty(pass) would do it.

    I may be drunk, but that doesn't make much sense. I mean, presumably if they intended to check if the password was null or whitespace, they wouldn't then let that through, would they?

    I've been trying to figure out how this could happen, but every article has been short on detail. Did the entire password field have to be filled in order to make it work? Or would any number of spaces have done the same thing?



  • @bstorer said:

    @morbiuswilters said:
    @zybex said:
    @mikeTheLiar said:
    I honestly cannot fathom how you can get to this point of security failure.

    A single string.isNullOrWhitespace(pass) instead of string.isNullOrEmpty(pass) would do it.

    I may be drunk, but that doesn't make much sense. I mean, presumably if they intended to check if the password was null or whitespace, they wouldn't then let that through, would they?

    I've been trying to figure out how this could happen, but every article has been short on detail. Did the entire password field have to be filled in order to make it work? Or would any number of spaces have done the same thing?

    My first thought was "Lazy programmers who didn't want to re-type the password each time put in a way to bypass it, accidentally released it that way."



  • @morbiuswilters said:

    @bstorer said:
    @morbiuswilters said:
    @zybex said:
    @mikeTheLiar said:
    I honestly cannot fathom how you can get to this point of security failure.

    A single string.isNullOrWhitespace(pass) instead of string.isNullOrEmpty(pass) would do it.

    I may be drunk, but that doesn't make much sense. I mean, presumably if they intended to check if the password was null or whitespace, they wouldn't then let that through, would they?

    I've been trying to figure out how this could happen, but every article has been short on detail. Did the entire password field have to be filled in order to make it work? Or would any number of spaces have done the same thing?

    My first thought was "Lazy programmers who didn't want to re-type the password each time put in a way to bypass it, accidentally released it that way."

    My first thought was "Buffer overflow that changed the address of the password check function in the code to the address of the function that gets called when the password is valid."



  • @Ben L. said:

    @morbiuswilters said:
    @bstorer said:
    @morbiuswilters said:
    @zybex said:
    @mikeTheLiar said:
    I honestly cannot fathom how you can get to this point of security failure.

    A single string.isNullOrWhitespace(pass) instead of string.isNullOrEmpty(pass) would do it.

    I may be drunk, but that doesn't make much sense. I mean, presumably if they intended to check if the password was null or whitespace, they wouldn't then let that through, would they?

    I've been trying to figure out how this could happen, but every article has been short on detail. Did the entire password field have to be filled in order to make it work? Or would any number of spaces have done the same thing?

    My first thought was "Lazy programmers who didn't want to re-type the password each time put in a way to bypass it, accidentally released it that way."

    My first thought was "Buffer overflow that changed the address of the password check function in the code to the address of the function that gets called when the password is valid."

    Yeah, presumably they're not using a C string library from 1982 for the Xbox.

    I mean, hey, maybe they are, but I figure M$ programmers aren't as moronic as Apple or FOSS ones. At least, they don't look at a new technology and think "How can I make this as much as possible like operating a Carter Administration-era timeshare system?"



  • @morbiuswilters said:

    "How can I make this as much as possible like operating a Carter Administration-era timeshare system?"

    Answer: stagflation



  • @blakeyrat said:

    @morbiuswilters said:
    "How can I make this as much as possible like operating a Carter Administration-era timeshare system?"

    Answer: stagflation

    Needs more Billy Beer.



  • @El_Heffe said:

    @blakeyrat said:

    @morbiuswilters said:
    "How can I make this as much as possible like operating a Carter Administration-era timeshare system?"

    Answer: stagflation

    Needs more Billy Beer.



  • @bstorer said:

    @dhromed said:

    @morbiuswilters said:

    Don't be a tease, what'd I miss?
     

    Nothing.

    I heard some really awesome guy came back.



  • @Ben L. said:

    My first thought was "Buffer overflow that changed the address of the password check function in the code to the address of the function that gets called when the password is valid."
    My first thought was "'goto fail', again?".

     



  • @blakeyrat said:

    @morbiuswilters said:
    "How can I make this as much as possible like operating a Carter Administration-era timeshare system?"

    Answer: stagflation

    Deer farts? wat?

