Microsoft’s strategic insecurity

Bruce Schneier pointed to this in his blog this week:
http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System

ZDNet has a discussion about the ethics of such ‘hacking’. If Microsoft sells the Xbox cheap so as to generate game revenue, is it fair to deny them that by hacking the Xbox to run Linux?

This article is about the security system of the Xbox and the mistakes Microsoft made. It will not explain basic concepts like buffer exploits, and it will not explain how to construct an effective security system, but it will explain how not to do it: This article is about how easy it is to make terrible mistakes and how easily people seem to overestimate their skills. So this article is also about how to avoid the most common mistakes.

To me, this is a good example of FMEA – Failure Mode Effect Analysis. And all my regular readers will know that this is one of my pet subjects 🙂

Perhaps the most interesting follow-up is a comment about the limited liability that the manufacturers insist on slapping on their products which prompted someone to write:

I bought it, so if I want to use it as a boat anchor, it's not their business. If I use it as a shooting target, it's not their business.
If I use it as a chair, it's not their business. If I do something stupid with it and get hurt, it's also not their business.

Indeed.

Regular readers will also know my attitude towards the “Oh you weren’t supposed to do that” style of security – aka “You must be this tall to attack the castle” or the pole in the front garden for the housebreaker to run into.

Why do some people consider me cynical?
Oh, right – we’re all bozos on this bus in the security business, we’re “paid to be paranoid”.

Perhaps the DMCA and Britain’s new anti-hacking law will expand to cover the use of screwdrivers and soldering irons by other than licenced professionals. You think that’s a joke? In Quebec it’s illegal for a householder (i.e. someone not licenced) to do any electrical work other than changing a light bulb. No doubt this is justified as a “safety regulation”.
