
Teens Who Hacked Microsoft's Xbox Empire and Went Too Far - wolfgke
https://www.wired.com/story/xbox-underground-videogame-hackers/
======
ajeet_dhaliwal
_For kicks, he says, the guards tossed the prisoners’ sandwiches onto the
floor of the van, knowing that the tightly shackled men couldn’t reach them._

Why is this permitted? Does anyone other than me think the guards should also
be prosecuted for this behavior? Worst of all who are the sort of people who
apply for these jobs, behave like this all day and then just go home at the
end of the day to have a nice evening with family. Very disturbing.

Aside, odd feeling reading this article featuring a US-Canada border crossing
right after playing Detroit: Become Human last night.

~~~
rdiddly
Disciplined maybe, not prosecuted, as there are very few ways of placing a
sandwich ("in a jet turbine" for example) that would constitute a crime. Also
don't forget you're reading Wired's telling of Pokora's telling of the event.
Do we know this was done "for kicks?" Do we know the guards' inner thoughts,
or did they express them outwardly? All we have is that Wired says Pokora says
it was for kicks. Another explanation I can dream up right now: It's futile to
give a shackled man a sandwich, even if you leave it right in his lap.
(Assuming hands shackled behind.) So maybe the guards roll their eyes at the
bureaucracy they work for, that insists on prepping a sandwich for someone who
has no way of eating it, and they toss it in, in a combination of frustration
with that, and the usual disdain for the kind of people they carry in the back
of the vehicle who have (allegedly, but probably, since prosecutors don't like
weak cases) acted to harm other people in a way that's serious enough to be
illegal. Disclaimer: Unjust laws and victimless crimes exist.

~~~
reefoctopus
You’re doing mental gymnastics to justify cruel and dehumanizing behavior.

~~~
nannal
you're advocating prosecution for improper sandwich distribution.

~~~
cbanek
Or prosecution for people who's job it is to properly take care of people in
their charge, when those people aren't allowed to take care of themselves.

------
cududa
This really hit home with me. As a kid I hacked Microsoft and leaked some
Windows Longhorn (the precursor to Vista) builds.

One of those kids was wondering around the exact floor where my desk was. I
got a job and career out of it, these kids got jail time and one suicide.
Geez.

~~~
heydonovan
This is such a turn-off to the industry. I'm not going to accidentally login
to an unencrypted URL and get jail time because it's considered unauthorized.
I'd love to be a hacker, but the thought of prison is too much.

~~~
brandonjm
Have you considered looking into white hat hacking? You could essentially be
paid by companies to hack their own product entirely legally for the purpose
of better securing it against potentially malicious hackers.

~~~
wolfgke
> Have you considered looking into white hat hacking?

In my observation, this is a branch of industry that is very hard to get into.

> You could essentially be paid by companies to hack their own product
> entirely legally for the purpose of better securing it against potentially
> malicious hackers.

For this purpose, one uses quite different techniques than for blackhat
hacking. E.g. in the whitehat case, the source code is often available etc..
So brutal code reviews, which require rather different skills (e.g. knowing
all the subtle details of the language standard (e.g. C/C++)), are much more
effective to secure applications than using the typical "blackhat techniques"
(reverse engineering, knowing subtle details of CPU behaviour etc.).

~~~
Canada
I agree it's not easy to get a job where your role is exclusively reversing
software, but I don't think it's all that hard to get in if you're willing to
take on a wider variety of projects. If can do code review, web app security,
hunt for bugs in big Java or .NET codebases, and so on then there's work
definitely work available. There will be cool projects that require serious
reverse engineering, and if you deliver results on those then you'll tend to
get that type of work more often. But yeah, consulting means billing hours, so
you have to work on stuff that's less interesting to earn money for your
company, especially when you're new.

~~~
wolfgke
> But yeah, consulting means billing hours, so you have to work on stuff
> that's less interesting to earn money for your company, especially when
> you're new.

I know some people (myself included) who would work as consultant but have no
idea how to even get hold of consulting jobs. Yes, I often ask people who are
much much successful in getting those, how they got them. These successful
consultants eventually admit that they themselves have no real idea. People
just approached them etc. I (and lots of other people) are not the kind of
people "that are simply approached".

TLDR: I would not even know how to start to get consulting jobs (and lots of
people have a similar problem).

Disclaimer: I am talking about the situation in Germany. In the USA, it might
be different.

~~~
Canada
Okay I'll offer some advice:

First of all, forget about the "situation in Germany". Work is everywhere, so
be willing to accept work anywhere. There's definitely a pecking order in
consulting firms and you can get projects because the company gets a one off
engagement with a new client who wants the work done on site. The company has
some really awesome full time employees who could do it in their sleep, but
they're busy on long term contracts with key clients. Be willing to go, as a
subcontractor, to some unglamorous location for a week long project to pentest
some shitty internal application that nobody has ever heard of. Get a few of
those under your belt and you'll know how it works.

Second, understand that there's more to it than your technical skills. Make
friends who work in the industry. Talk with them about what they're working
on. Find any interesting bugs or behavior in what you're working on? Chat with
them about that. Doesn't really matter if it's security related or not. The
people who do the work in the industry are all generally interested in the
details of software. If you're into that, then you belong.

Keep reminding your friends that you're hungry for work. Keeping in touch will
keep you in mind when they need an extra guy to help out.

Once you start getting work be sure you contribute well. Everyone wants to
have the most high severity findings, and obviously you will need to produce
those if you wanna keep getting work, but also be that guy who goes the extra
mile to help put the report together, write up extra recommendations that
would be helpful.

Keep in touch with the people you work with. Be cool to the sales/project
management/accounting people. It's simple things like getting your
expenses/timesheets/invoices filed in a timely manner. There's more to the
business than finding vulnerabilities. Everyone wants to close out the job,
get paid, and move on. Show everyone that you know how to behave like a
professional. Remember that the people responsible for staffing are asking
themselves: Who do we know that we can send in there to take care of this
work, so that we can bill them and collect this revenue, who will get the job
done and be easy to work with?

Be that guy, and you will be approached too, and you can find full time work
in the industry if you want.

------
hastes
This is one of the best reads in a long time. Awesome article and extremely
interesting.

I have friends a long time ago that used to buy CoD modded lobbies from these
guys. Crazy to see how their lives unfolded.

~~~
StudentStuff
It is quite a good read, but its sad to see how computing has continued to be
locked away from the end user, affording them access to a walled garden of the
manufacturers choosing, with no ability to change OSes or even install basic
security updates without the hardware manufacturers consent and involvement.

~~~
zeusk
I interned in the Graphics kernel team at Microsoft and we worked quite a lot
with xbox. None of those people like DRM and copy protection bullshit but the
studios (both gaming and media) demand it and not having them could mean
losing market share to others that are willing.

Cheat prevention is another big reason that often came up for the hardened
environment.

------
cbanek
Physical security is so important. I was really surprised when the Xbox team
moved from the RedWest campus to Studio A.

In RedWest, we had a building that was pretty much all Xbox employees, and
other Microsoft employees couldn't just badge in. In Studio A, if I remember
correctly, it was all just public access.

The consoles are everywhere, and people's offices weren't normally locked
(before most people moved into to bullpens, which didn't even have doors).

For the most part, you can trust the employees. We had take home consoles that
were signed with the proper keys to run retail games, but could also be
debugged and get crash logs, and those were fairly safe and well tracked. (You
were told, don't let your friends see/play them) But you can't trust anyone
else who just randomly enters the building, and with teams so big that you
don't know everyone, politely holding the door open for someone is just asking
for it.

Source: I worked on the Xbox 360 team.

------
blancotech
Really great article. As someone who first became interested in computer
science from Xbox “hacking” and JTAGing 360s this shows an alternative path
that would have been easy to go down. When you become enveloped by the status
you attain in forums, meet sketchy “friends” online, and start getting easy
money, then the path of least resistance becomes the one in this article.

~~~
wolfgke
> When you become enveloped by the status you attain in forums, meet sketchy
> “friends” online, and start getting easy money, then the path of least
> resistance becomes the one in this article.

I rather believe that most such people (including adolescents) are not _that_
willing to go down the path of easy money. The problem rather is in my
opinion: The other side is simply not there to make counteroffers (i.e. less
money, but perfectly legal etc.). So it is _not_ a choice between "going on
the dark side vs light side" (which is a serious decision to make, and
confronted with this decision, I believe, most people (again including
adolescents) would indeed choose the "light side"), but rather a situation of
"only the dark side makes an offer: will you go into it or not - 'we have lots
of money to offer'". Confronted with this, I can understand quite well that
there exist people (in particular adolescents might be prone to that because
they have less life experience) who will go into it.

So provocatively one could even state that the problem rather is that "the
other side is at fault", since they make no serious legal offers to prevent
such people from "turning much into the dark side".

------
hsrada
The lure of making money as a child is a temptation far stronger than most can
resist. If I had access to the things these guys had, I can totally see myself
going down the exact same path.

Now, a little older, the prospect of fines that will take a lifetime to repay
and/or prison is way more deterring. As a kid, you just never think about it.

~~~
wolfgke
> Now, a little older, the prospect of fines that will take a lifetime to
> repay and/or prison is way more deterring. As a kid, you just never think
> about it.

I believe one _does_ think about that, but concludes that the risk to get rich
is worth it (because one has few such chances in life) and if all things go
bad, there is still the suicide option.

~~~
klenwell
Actually this subject is taken up directly in a chapter of Robert Sapolsky's
Behave that I just read titled, appropriately enough, "Adolescence; or, Dude,
Where's My Frontal Cortex?"

Some interesting stuff in there, some of which you're probably already
familiar with. You could argue that a kid does "think" about it. But to use
the word "concludes" may be a stretch.

I found this passage by Sapolsky on the neurobiology of risk/reward assessment
in adolescents especially interesting and relevant here:

 _Age differences in absolute levels of dopamine are less interesting than
differences in patterns of release. In a great study, children, adolescents,
and adults in brain scanners did some task where correct responses produced
monetary rewards of varying sizes. During this, prefrontal activation in both
children and adolescents was diffuse and unfocused. However, activation in the
nucleus accumbens in adolescents was distinctive. In children, a correct
answer produced roughly the same increase in activity regardless of size of
reward. In adults, small, medium, and large rewards caused small, medium, and
large increases in accumbens activity. And adolescents? After a medium reward
things looked the same as in kids and adults. A large reward produce a
humongous increase, much bigger than in adults. And the small reward?
Accumbens activity_ declined _. In other words, adolescents experienced
bigger-than-expected rewards more positively than do adults and smaller-than-
expected rewards as aversive. A gyrating top, nearly skittering out of
control.

This suggests that in adolescents strong rewards produce exaggerated
dopaminergic signaling, and nice sensible rewards for prudent actions feel
lousy._

That's not the whole story when it comes to kids' decision making, but it's of
a piece with the rest of the chapter and shows that most kids are literally --
anatomically -- unable to think about things like this in a way they will be
able to a few years later.

~~~
XorNot
That particular tidbit of information is what makes me _terrified_ of raising
children and dovetails into the best description of the tragedy of being a
teenager: you're exactly old enough to get into real trouble, and exactly
young enough not to realize you shouldn't.

------
makkesk8
Really really great article! Hopefully, this sheds some light on people who
are in similar situations to ask themselves if it's worth it.

------
brod
Interesting article, I think it represents the trials and tribulations of
underground adolescent hacking cultures quite well. For people who currently
find themselves in similar situations I'm sure it's inspiring and very
confronting.

------
dynjo
This could honestly be turned into a movie.

~~~
pishpash
Yeah, much more interesting than the Facebook movie.

------
rozzzly
Lol I used to talk to Anthony back in the Halo 3 era. I never did anything
nefarious/illegal, but it's interesting to know that some of my IMs were
probably read by an FBI agent at one point.

------
michaelmcmillan
What a fantastic article – technical, interesting and well written. Kudos!

------
Born_Again
Fantastic article. It reminds me of the story of Paul Le Roux, a man who also
took his love of programming too far. Although he had more malicious
intentions.

[https://magazine.atavist.com/the-
mastermind](https://magazine.atavist.com/the-mastermind)

HN Discussion:

[https://news.ycombinator.com/item?id=11381625](https://news.ycombinator.com/item?id=11381625)

------
dleslie
And herein you see evidence to why the industry is growing more interested in
SaaS and doubling-down on DRM; they face an endless army of thrill-seeking
adolescents without a care for the side-effects of their actions.

Software security is hard; placing any trust whatsoever in software you cannot
completely control is a recipe for insecurity. Game development security is a
nightmare.

~~~
omeid2
Utter rubbish.

If _thrill-seeking adolescents_ can compromise your systems, you deserve to be
out of business.

Yes, security is hard, but it is an spectrum, from compromisable by
_adolescent thrill-seekers_ to state-nation actors.

Most systems are there to facilitate business, personal, or even more
critical, industrial or military operation, none of which you want to be easy
to compromise.

And as for SaaS, it does nothing to security but increase the attack surface
by requiring more components in your system and requiring the system to be
always online, in 99% of cases anyways. On top of that, with SaaS you not only
have to secure your systems but also safeguard your clients' data, which only
reinforces the idea that: if you can't do basic security, you should be out of
business.

And in what world does DRM helps with security? DRM is nothing short of a
device of enforcing draconian copyright laws.

~~~
heavenlyblue
This is not how most of the law works, though.

If you are a weak person, does that justify the actions of a few armed robbers
that are going to mug you on the street? Do you mean I had to take care of my
own security by hiring someone all the time? Then why am I paying my taxes to
support the police force?

Most of the businesses in the real world operate on a combination of trust and
optimism. The moment you take away that stability, businesses suddenly become
way less efficient.

Let’s be honest: security in IT is just like security in the physical world.
Stealing a car that had an open door is as illegal as stealing a car by
picking it’s lock. In such a scenario hacking is just another dimension to
physical warfare - and frankly warfare belongs to the military.

The fact that most of the bigger companies had to deal with security
themselves is just another matter: they had to operate in the world where the
authorities were yet not good enough at tracking hackers. Today though - I can
see where businesses that don’t think their security matters would just not
bother. It’s not their area of responsibility and I would rather they did what
they do well - make money.

~~~
omeid2
The objective of law is not to emulate but rather constrain and govern
society.

It is not hard to argue that the subject matter of each and every law and code
is based on immediate or at least likely, if not precedent, events rather than
to naively assume that, that which is illegal should not happen and leave your
car unlocked.

Besides, my argument and criticism is not concerned with sanctioning of
unfavorable behavior but rather holding accountable those who make promises
and sales you products.

> It’s not their area of responsibility and I would rather they did what they
> do well - make money.

But why not? the car maker is not in the business of providing security
guards, but I bet you wouldn't be happy if they made cars that were easy to
pick, why would this not apply to other business?

Most online business make a big deal of security in their sales, why not
holding accountable for those promises?

------
jrochkind1
it oughta be illegal that we can't run the software we want and the software
we write on the devices we buy.

~~~
tluyben2
Yeah, I mean; stealing things from a campus and breaking into networks aside;
people shouldn’t charged for anything illegal for hacking devices they buy and
passing on that info. It’s crazy it’s not allowed in the first place. There is
a perfectly fine way of preventing that; just say the device is not yours but
you paid to rent it for a period (say 10 years); the device does not belong to
you. Then you can say it’s illegal to mod, but if it’s yours I find it
absolutely insane you cannot reverse engineer, repair or mod it.

~~~
jrochkind1
It is no less insane if they "just say the device is not yours but you paid to
lease it".

~~~
tluyben2
Why? If it’s not your property... If you rent a car, you cannot remove the
doors, if you buy it you can, that’s accepted. What’s the difference? In
return, when it’s broken, the owner (the one you rent it from) needs to repair
it. Unlike when it’s bought and out of (some kind of) warranty.

~~~
jrochkind1
Because it's essentially a lie. As revealed by your formulation "just say" \--
your experience is no different if everything in your possession is 'owned' by
you and illegal to modify, or if they change their mind and "just say"
everything in your possession that matters with regard to this isn't really
'owned' by you at all. It's not a step forward, it leaves you in exactly the
same position. If it is insane, then "just saying" something doesn't make it
more sane.

My concern is the experience of not having control over our equipment (not a
good experience or way to live), not a semantic technicality.

~~~
tluyben2
It is not a technicality; it is a way of legally doing it. I see your point
though; buying is, with the added burden of patents and copyright on top, a
wrong term. You cannot buy anything in the sense we would like to buy it.

~~~
jrochkind1
Whether it's legal or not to prevent you from running the software you want
and the software you write on your xbox, IMO it _oughta_ be illegal, whether
they just say you are leasing it or not.

------
home_boi
> Clark had just turned 27 and left behind an estate valued at more than $4
> million.

He got to keep the money even though he got convicted for wire fraud?

~~~
foota
I think the wire fraud was probably something aside from their main activities
-- like how Al Capone got put away for tax evasion.

------
ramshanker
Awesome article. Reminded me of Albus Dumbaldore dialogue to Harry. "Curiosity
must be handled with care".

------
eecc
TL:DR but it befuddles me how corporate expects people to sit in front of a
shiny toy and just use it as instructed rather than take it apart and mess
around to understand how the damn thing works. That’s how we evolved as bloody
apes, checking out the other monkeys’ sticks and stones and learning by
example.

They’re literally trying to lawyer out evolution..

------
Pica_soO
I guess this a lecture for all those script-kiddies- leave the actually
exploiting to the pros- sell your zero-days on the black market.

Obviously investing in secure software is more costly then having a lobbyist
for prison sentences in Washington and a good PR-Department.

The problem is, that way, the whole stack from the metal up is basically
crumble, untested and very frail - should one big time agent release a
autonomous attack into the wild. But hey, we saved a dime today. Tomorrow
there might be no more dimes, so if it were not for those meddling kids, the
bookies would have gotten away with it.

~~~
lawnchair_larry
FYI, script kiddies don’t have 0days by definition.

------
arnvald
Great article, I enjoyed reading it! Also, the illustrations are great, they
perfectly fit the vibe of the article.

------
ythn
Great article, and was happy to see they got reasonable prison sentences.

------
gulperxcx
anyone mind giving a tl;dr version of this article? I find the text really
strenuous to look at.

~~~
code_duck
Some kids started hacking game companies and finding ways to cheat and
download pre-release versions of games. This turned into a business, they got
were thrill seeking and coveted more money, and got caught.

------
rosstex
Awesome read!

------
s2g
> After finishing his prison sentence, Pokora spent several more months
> awaiting deportation to Canada in an immigration detention facility in
> Newark, New Jersey

So I've never done anything that would result in my being deported, but man
does this scare me. The current climate, if I fuck up in some minor way, I
still feel like I could end up in prison for months waiting for them to send
me back north.

It's just scary.

------
floatboth
> The Gears of War 3 leak triggered a federal investigation, and Epic began
> working with the FBI to determine how its security had been breached

Ugh. Why do even supposedly "cool" companies go to the cops when they get
pwned? Own up to your mistakes, change your passwords, fix your security.
Don't report anything to the fucking authorities. What would punishing a kid
even give you?

~~~
shagie
Most organizations don't have the resources to find out where the way the
crackers got in. Once someone is in, changing the passwords and fixing the
security may not be sufficient to prevent them from getting in again. Until
that someone is tracked down and identified, there is no way to know if this
is some kid doing it for fun or industrial espionage from a competitor.
Furthermore, there's no way to know what they actually got - source code to a
product? plans to some hardware? Payroll and identity information?

It isn't practical for each organization to maintain a staff of forensic
security specialists. When one does need them, they can be found rather
inexpensively in law enforcement given that a crime (likely) has been
committed.

