Rise and Fall of a Hacker Who Found the Secrets of the Next Xbox and PlayStation (kotaku.com)
122 points by recoiledsnake 1525 days ago | hide | past | web | 22 comments | favorite



> "I was treated like a criminal," he complained to me, looking back at the raid.

Today we learn several lessons:

1) Don't break into computers of American corporations while living in a country that has historically been very friendly with US law enforcement.

2) Don't break into computers and boast about it to video game bloggers while using your real identity.

3) Pirating games and using stolen credit card numbers are both crimes, yes, but not doing them doesn't mean that breaking into computers isn't a crime.

4) If you don't want to be treated like a criminal, maybe don't commit crimes.


When I read stuff like that, I just wonder what exactly the "hacked" company is trying to achieve, or if they have any idea themselves.

On one hand, you have a person who seems to genuinely care about the security of your company (since he gave you details), who had both the chance and the opportunity to use the access to leak stuff that could have been quite damaging to the company - yet didn't, and willfully meets the company's representatives and corporate enquirer.

On the other hand, you have a company who seems to have a real problem with its security procedures, an improving but frail image as a game platform (not so many dead Xbox memes at the moment), and a way to manage problems like an elephant in a porcelain shop.

What exactly did anyone in his right mind hope such a raid would do??? Let's see, for the potential "benefit" effects of frightening other hackers, it further damaged Microsoft's reputation and it will turn a cooperative hacker group into a revenge-seeking foe. What did they get??? In the day and age of cloud storage, what they took during the raid was at best zeroed hard drives previously containing a copy of the information they wanted that could now be anywhere - and they pissed off the guy who put that information out of their reach.

Strategically, all I see just looks like a terrible move.

Now think for a second - what if the guy puts everything he downloaded (source code, etc.) in a torrent, or passes the PDFs they were so willing to protect on to WikiLeaks? What if he starts using his knowledge to create not "giant hacks", but small hacks that could masquerade as bugs? (say randomly turn off Live access, hijack random Xbox Live accounts, etc.)

What if he commits suicide? After all, he said he lost everything! Seriously, all this is at best a PR nightmare, and at worst the first step into a Sony PSN style catastrophe. Some people should be fired, they forgot the basic axiom:

DO NOT TAUNT THOSE WHO CAN DAMAGE YOU.

It will be fun watching Anonymous attack Xbox Live in the following days, then the various bad things that will happen - no, not fun, sad. What will happen is so evident it's a tragedy.

Criticism is easy, so I'll offer my 5 cents suggestion too. The right move in this case? Give the hackers a psychological assessment, a background check, then a big fat check to replace the bozos who were in charge of your security and failed. Give them more to lose: money, their dream job, reputation.

Just don't turn them into enemies who have nothing to lose.


"DO NOT TAUNT THOSE WHO CAN DAMAGE YOU"

Wouldn't that also apply to revenge-seeking hackers who might end up finding themselves in jail or being chased down?

I.e., "might makes right" doesn't last very long as a basis for a good society.


Well, we also don't know the whole story. Maybe he actually physically stole something/used someone else's credit card/etc. and we are taking only his word that he didn't.


> What exactly did anyone in his right mind hoped such a raid would achieve?

Made people think the company in question was doing what it needed to do to protect its users.

The group of people that would see that move as a negative is small. Gamers, by and large, are not technically savvy people. They sat and worried about their characters being broken into and people cheating. Basically there is no action too drastic to protect them. The general public is basically the same. A 'hacker' did something, the company targeted brought the hammer down on him. All is well with the world.

Raid the hacker and nothing comes to light from what he did? The company protected its users. Raid and the material is released? This is why we have to be harder and harder on them until they get the message this won't be tolerated. Commits suicide? It just shows how unstable these people are.


> Made people think the company in question was doing what it needed to do to protect its users.

So raiding hackers' houses is the IP equivalent of the TSA?

"Look at us, we're doing something!"


> who had both the chance and the opportunity to use the access to leak stuff that could have been quite damaging to the company - yet didn't

According to the article, he'd leaked "troves" of development documents to the writer of the article. It appears he may be the source, or one of the sources, behind the unprecedented amount of detail that has been leaked ahead of the console announcements.

From the article:

> Dylan wanted to know about next-gen systems, and somehow he learned plenty. He got development documentation for the next PlayStation and Xbox. Long before I'd sized him up as a hacker, he'd sent me troves of PDFs and white papers describing the functionality of both the code-named Orbis and Durango. The documentation was loaded with programming code—and with details.


> Now think for a second - what if the guy puts everything he downloaded (source code, etc.) in a torrent, or passes the PDFs they were so willing to protect on to WikiLeaks? What if he starts using his knowledge to create not "giant hacks", but small hacks that could masquerade as bugs? (say randomly turn off Live access, hijack random Xbox Live accounts, etc.)

What if he clandestinely does this after he appeared to "genuinely care about the security of your company?" What if he does this after failing the background check or turning down the job?

> Some people should be fired, they forgot the basic axiom:

> DO NOT TAUNT THOSE WHO CAN DAMAGE YOU.

I don't think you can fire somebody from illegal computer intrusion. Microsoft and Epic have probably done some expensive security audits, while the suspected hacker is whining to Kotaku about how law enforcement has searched and seized all his stuff.


Maybe they're trying to drive the best hackers to China, where they can hack the West without repercussions.


I think he crossed the line somewhat when he put up the dev kit on eBay. Even then I don't think Microsoft was the one that reported him:

> "Microsoft did not initiate this FBI investigation with this individual, as has been asserted in some of the articles in the media," a Microsoft spokesperson told me.

I agree with your last line though. He should be given a punishment like just community service.


He probably will be, it's Australia -- not America.


Agreed, I may be wrong but I can't remember anyone being sent to prison in Western Australia for hacking.


> Dylan's fellow hacker replies in detail about issues with the security of content on the Xbox Live Marketplace—the Xbox 360's online store—but doesn't elaborate on the Gamertag issue. The e-mail ends with a request for the Microsoft person to maybe put in a good word for them. "I don't mean to ask anything of you, and if I denied, I'll still be more than willing to help," Dylan's apparent hacker friend writes, "but do you think it would be possible that me and Dylan, if proved to be useful, could possibly list someone we've spoken to on your end as a reference for resumes or something of the sort?"

This part is puzzling to me. I think that at that point they had proved themselves capable enough to ask Microsoft to straight up hire/contract them, and not just for a resume quote. Establishing this kind of relationship with Microsoft could have also prevented the seizure.

> Dylan told me that he was polite and helpful during the raid, but that "they didn't allow me a lawyer...that's probably the biggest right they took from me."

Does anyone here know Australian law? I certainly don't but at first glance it looks like Dylan was intimidated into not doing what was legally the right thing.


I know of no jurisdiction where there's a right to legal representation during a raid. This makes complete sense, because otherwise you could attempt to hold up a raid and dispose of evidence whilst you waited for your legal counsel to get there. You can argue about what is and isn't admissible after the raid.

So I don't really think in that particular example any 'right' was taken from him.


> This part is puzzling to me. I think that at that point they had proved themselves capable enough to ask Microsoft to straight up hire/contract them, and not just for a resume quote. Establishing this kind of relationship with Microsoft could have also prevented the seizure.

The marketplace issue is somewhat common knowledge amongst people deeply involved in the Xbox scene. The issue here, to me, is that the "fellow hacker" reported something that he himself didn't discover relating to content security. DaE is also a psychopath, and shouldn't be hired by Microsoft.


Is it a right to have a lawyer during a raid? It's not like they didn't have a warrant, and he doesn't have to talk to them during the raid - it's the equipment and evidence they are collecting.


It seems a bit far fetched that Microsoft has thousands of servers you can access publicly via default passwords.

They raided his home and took all of his stuff, but didn't arrest him? How is that legal? Shouldn't he get his stuff back if they don't have any case within X hours for prosecution?

I'm sure he's playing the victim here pretty hard because he states that he doesn't believe he has done anything wrong and yet has tried selling a Durango development kit on eBay in the past. He's probably done a lot more than that to prompt an FBI agent across the world to his doorstep.


My guess is that it's the power management system for the servers that is accessible and using default passwords.

Usually there are outlet groups or such that can be controlled from an interface like the one in the screencap.

The servers will talk to and trust the power system so that if there is a problem or outage they can be turned off. Being able to reboot is a useful remote admin option.

So like a lot of hacks, primary access has been secured but someone forgot about the trusted secondary.


This happened in Australia so it might be totally different, but if it happened in the US: a warrant for search and seizure of evidence requires less cause than a warrant for arrest, especially in the case where it's digital evidence that can be destroyed without a trace quite easily.


IANAL, but I believe they can seize the evidence if they have probable cause that a crime has been committed.

In this case it would be easy to establish probable cause given how open this guy has been with his hacking.

What I'm not sure of is how long it's reasonable for the police to retain the seized equipment. Although the guy said he was unemployed, I think most IT people could make a case that the seizure of all computing equipment impedes their ability to earn a living. That doesn't seem fair if no charges have been laid.


Devkits are, usually, property of the console manufacturer. Maybe things have changed with the new Xbox but this is how it was in the 6th and 7th generations.

If the ownership of devkits remains at MS then somebody who has one without MS authorization is in possession of stolen property, this answers the question "what did I do wrong?".


He's unemployed because he has 'chronic pain' thus is unable to work but he can spend all his time hacking game development companies? I call bullshit. I don't know his situation but I wouldn't be surprised he's collecting a welfare cheque too considering how easy this is to do in Australia.

(Don't get me wrong, I have nothing against people on welfare - I've been a beneficiary when I was growing up - but he sounds like the kind of person who chooses not to work and will use any excuse not to.)



