5 Year Old Hacks Xbox Live; Thankfully DOJ Apparently Uninterested In Prosecuting Cute Kid Under CFAA

from the cfaa-is-broken dept

Mon, Apr 7th 2014 11:34am — Mike Masnick

There have been a bunch of stories going around about how 5-year-old Kristoffer Von Hassel figured out a way to hack the Xbox Live password system. Kristoffer's parents noticed that their son was logging into his father's account and playing games he wasn't supposed to be playing. They asked him how he was doing it and he showed them:

Just after Christmas, Kristoffer's parents noticed he was logging into his father's Xbox Live account and playing games he wasn't supposed to be.

“I got nervous. I thought he was going to find out,” said Kristoffer.

In video shot soon after, his father, Robert Davies, is heard asking Kristoffer how he was doing it.

A suddenly excited Kristoffer showed Dad that when he typed in a wrong password for his father’s account, it clicked to a password verification screen. By typing in space keys, then hitting enter, Kristoffer was able to get in through a back door.

Kristoffer's father, Robert Davies, works in computer security (which, frankly, makes me a little skeptical that Kristoffer really made this discovery), and submitted the bug to Microsoft, who not only quickly fixed it, but also listed Kristoffer on their March "acknowledgements" for security researchers who helped them find bugs and vulnerabilities.

Of course, the flip side to this story is how we've seen the CFAA used in the past to go after people discovering similar flaws. Compare the story of Kristoffer to the story of Andrew "weev" Auernheimer. Kristoffer clearly exceeded authorized access to the Xbox Live system in order to obtain something of value (perhaps he gets off because the "something" is not worth more than $5,000, but still...). Of course, weev is an obnoxious internet troll, and Kristoffer is a cute 5-year-old. I guess that's what's meant by "prosecutorial discretion."

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cfaa, doj, kristoffer von hassel, security, vulnerabilities, xbox, xbox live
Companies: microsoft

22 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

silverscarcat (profile), 7 Apr 2014 @ 11:25am

On the other hand...
Had the DoJ gone after the kid, we might see some real push to reform the CFAA.

...

Which is probably why they didn't do it.
[ link to this | view in chronology ]
- G Thompson (profile), 7 Apr 2014 @ 8:39pm
  
  Re: On the other hand...
  Actually I'd go as far as to say they probably thought of going after the kid then realised.. oh wait criminal responsibility starts at 6yrs old only in the USA (11 for federal crimes).. Crap!
  
  Thinking they care about what the public actually think has proven now to be absolute folly.
  [ link to this | view in chronology ]
  - Pragmatic, 11 Apr 2014 @ 5:47am
    
    Re: Re: On the other hand...
    Call me cynical, but do you think Daddy claimed his li'l boy did it so he could report the bug without the possibility of sharing a cell with weev?
    
    Something something "I dare you to court bad publicity by going after a 5 year old, you jerks!"
    [ link to this | view in chronology ]
James Jensen (profile), 7 Apr 2014 @ 11:32am

It's said that the second half of the title was necessary.
[ link to this | view in chronology ]
Anonymous Coward, 7 Apr 2014 @ 11:38am

ireally am surprised that DoJ was uninterested in the little man because of his age. normally, it's 'no holds barred' or so i thought
[ link to this | view in chronology ]
KevinEHayden (profile), 7 Apr 2014 @ 11:52am

Good thing it wasn't a PS4!!!
He's just lucky it was an xbox and not a PS4. Based on some of their earlier actions, Sony would probably be demanding confiscation of the gaming system, full prosecution and maximum jail time.
[ link to this | view in chronology ]
- James Jensen (profile), 7 Apr 2014 @ 3:22pm
  
  Re: Good thing it wasn't a PS4!!!
  Yeah, Sony scares me way more than Microsoft when it comes to what they'll do to their console customers.
  [ link to this | view in chronology ]
ECA (profile), 7 Apr 2014 @ 11:55am

NOT A HACK
This is an EXPLOIT..
This is a FAILURE for xbox..
[ link to this | view in chronology ]
- Scott Yates (profile), 7 Apr 2014 @ 12:33pm
  
  Re: NOT A HACK
  Not even really an exploit maybe. I would call this more discovery of a back door.
  [ link to this | view in chronology ]
Violynne (profile), 7 Apr 2014 @ 12:12pm

To realize Microsoft released this console without closing the security hole is...

...

... ah, who the hell am I kidding. Been using Microsoft products for decades. There's always a way to break security until it's "patched".

It wouldn't surprise me if the next hack, er exploit, comes from UUDDLRLRBA while playing Netflix while Kinect sits "idly" by.
[ link to this | view in chronology ]
Anonymous Coward, 7 Apr 2014 @ 12:27pm

Not interested, but the day still isn't over. If we try hard enough, we can apply the law evenly against all infringers
[ link to this | view in chronology ]
John William Nelson (profile), 7 Apr 2014 @ 12:28pm

DoJ prosecutor somewhere thinks . . .
"Hmmm, I could get another easy conviction belt notch. 5 year old kids roll over easy. Just have to find a way to get him charged as an adult. I mean, he knows how to use a computer, so that must mean he is mature enough to be charged as an adult. I don't even know how to use my web box of tubes."
[ link to this | view in chronology ]
Anonymous Coward, 7 Apr 2014 @ 12:30pm

Why would the DoJ pursue someone publishing the hack to a vendor, especially when the vendor accepts it?

Microsoft even has a program for this and perhaps the kid even was paid for his find.
http://technet.microsoft.com/en-us/security/dn425036

I've got no clue if weev reported his flaw to AT&T or not, so don't know if it's relevant to his case. It was a bit of a stretch in any case to persecute him for getting the list of email addresses from a website.
[ link to this | view in chronology ]
- Anonymous Coward, 7 Apr 2014 @ 12:54pm
  
  Re:
  IIRC, he got in trouble when he reported it to ATT.
  [ link to this | view in chronology ]
DogBreath, 7 Apr 2014 @ 12:55pm

Based on past history, the future is already written on the wall.
Can't wait for the kid to turn 18... and he finds out he has a lifetime ban on any Xbox/Microsoft account he tries to set up, for "Hacking".
[ link to this | view in chronology ]
- Loki, 7 Apr 2014 @ 3:06pm
  
  Re: Based on past history, the future is already written on the wall.
  Don't know about that, but I'd be willing to put a small sum that he's on some government watch list somewhere now.
  [ link to this | view in chronology ]
  - Pragmatic, 11 Apr 2014 @ 5:49am
    
    Re: Re: Based on past history, the future is already written on the wall.
    We'll find out when Daddy books a trip to Disneyland.
    [ link to this | view in chronology ]
- FreeCultureForFreePeople, 8 Apr 2014 @ 2:33am
  
  Re: Based on past history, the future is already written on the wall.
  True, he'll not be able to access any Xbox/Microsoft account, but it's because 'Microsoft' will be a distant, unpleasant memory by the time this kid turns adult.
  Snowden's revelations greatly helped people realize that they are not to be trusted, and the Windows 8 disaster, along with the end of support for Windows XP, will surely help to make people look for alternatives - Linux, for example. Now that there's a Steam client for Linux, it gets more attractive as a gaming platform, too.
  [ link to this | view in chronology ]
Anonymous, 7 Apr 2014 @ 3:34pm

If you don't stop him now, by the age of 7 he'll be knocking over liquor stores!
[ link to this | view in chronology ]
Anonymous Coward, 8 Apr 2014 @ 8:49am

I wonder if a 5 year old hasn't just discovered an NSA back door.
[ link to this | view in chronology ]
Anonymous Coward, 8 Apr 2014 @ 12:04pm

Hacked By Chinese!
Now we have an even bigger insult... Hacked by a 5 year old!
[ link to this | view in chronology ]
Anonymous Coward, 9 Apr 2014 @ 8:52pm

I suppose the flaw was created on purpose.
[ link to this | view in chronology ]