fajensenApril 7, 2014 9:48 AM

And now he has to change name and school for blabbing about that hack all of his friends were using ;)

maxCohenApril 7, 2014 10:14 AM

Tomorrow's news: Five year old indited on computer fraud and abuse and labeled a terrorist. Put on no fly list for the rest of his life. Drones now flying over San Diego.

Незнайко НезнамовApril 7, 2014 10:32 AM

They didn't sue him for the skin on his back?
Just cause he's a minor?


/sarcasm off

BPApril 7, 2014 10:46 AM

Tisk tisk. One free year of xbox for the five year old. Bad old Microsoft taking all it can get and giving as little as it can? That's the message they're sending to folks who hunt malware and system problems. Surely they can give the boy a better prize that that. A free lifetime subscription to Microsoft security info or its opeating systems might be a good price. Something to keep him doing what he just did. Something to guide the little boy to keep up the good work.

WooshApril 7, 2014 10:49 AM

Clearly this kid is a budding cyber-criminal and/or cyber-terrorist. As a representative of the Department of Justice, I don't understand what he did but I do know that it's like blowing up a nuclear power plant. He needs to be locked up in solitary for the rest of his life before he kills us all!

AnuraApril 7, 2014 11:46 AM

This is how it starts: first you find a way around security in a game console, then you are logging into FTP sites with weak passwords, and before you know it you are launching ICBMs by blowing into a phone.

anonymousApril 7, 2014 11:58 AM

@Незнайко Незнамов

No, they didn't sue him because he is from California.

Nick PApril 7, 2014 12:17 PM

It's been a meme of mine here for a long time that software was so low assurance that systems get owned by 13 yr old script kiddies. Microsoft just forced me to retract and revise that statement:

Systems and services are so insecure today that a 5 year old might bypass them.

That's really... really... really... bad.

Skeptical (a different one)April 7, 2014 12:53 PM

Am I the only one who has been deeply skeptical of this report from the first day it was published? Com'on, his dad is a security researcher whose name just so happens to appear in every news article. If one wanted to embarrass MS what greater way to do it than say, "your product sucks so bad my five year old can hack it."

I don't believe the 5 yo did it for one second.

DaveApril 7, 2014 1:21 PM

@Skeptical (a different one):

As I read this, I look over and see my 5 year old using a Mac to watch youtube videos without any assistance what so ever. (Okay, I did write the password down for him on a postit note. Yeah, yeah. Security breached. But if you've got access to the postit, you've got access to the hardware.)

I have 35 years of experience developing software. At age 5 he runs rings around me on Android tablets. He's already far better at Plants vs Zombies than I suspect I ever will be.

Yes, putting in spaces for the password is certainly within the grasp of a 5 year old, and something they are quite likely to try.

ThomasApril 7, 2014 1:39 PM

This is obviously an incredibly ingenious security operation by Microsoft.

One of the ways to protect your assets is by "benefit denial".

From now on, no one will ever be able to brag about hacking a Microsoft system ever again.
No researcher will ever be able to justify the funding to replicate what a 5-year old can do.
No zero-day will be worth more than a toddlers stick-figure drawing stuck on the fridge.

Nick PApril 7, 2014 2:14 PM

@ Dave

Your comment reminds me of No 1 on this Cracked list.

The thing is that young kids' brains are wired to constantly learn and solve puzzles. It's how they build their knowledge. They seem kind of dumb only because they lack the knowledge & heuristics that take years to build. However, given what little they have, they're actually so smart across so many spectrums that we still haven't built robots that can compete in all areas.

So, while I laugh at a 5yr old beating Microsoft, I simultaneously acknowledge kids have an edge over adults at finding simple ways around their problems. I mean, if they're not doing that they must be asleep, am I right? ;)

ChristianApril 7, 2014 3:31 PM

I am honestly not surprised. "Hackers and Crackers" have been getting younger and younger over the span of the years. Just a while ago, there were 15 year olds learning the tricks of the trade and creating powerful botnets and 0 days every now and then. Although, It is a little breathtaking seeing that a 5 year old busted a Microsoft flaw. 4 games and a year to xbox live? Not even close to good payment, but if the kid is happy, I see nothing wrong with it.

Clive RobinsonApril 7, 2014 4:45 PM

@ Nick P,

    So, while I laugh at a 5yr old beating Microsoft, I simultaneously acknowledge kids have an edge over adults at finding simple ways around their problems. I mean, if they're not doing that they must be asleep, am I right?

Asleep is when they are at their most dangerous :-)

As I've mentioned befor when I was very young, I was into everything and worked out how to pull things appart (dining table, step ladder, sauce pans, just to name a few). It was just lucky that the only electronic thing around was a valve radio/gramaphone, otherwise I might well have been toast.

When I was eight I started self learning on how to fix valve radios and later even transistor portable televisions. It was not untill later in the last couple of years of school that we got access to dial up computers. It was when in collage I self learnt to hack computers to get around "limitations imposed by managment". And "home computers" did not start ariving untill some time after I was earning wages and had bought my own flat.

I was working at (what is now a Uni) when I discovered a very similar "login bug" on a Unix box ( ICL PERQ [1]). My only reward for finding it was being "told off" by the technician in charge of it (Steve Crook) for finding it and the anoyance of my work colleagues who had exploited it (after I had shown them) to play PacMan at lunch times...

Interestingly the same bug issue continued to haunt many Unix systems including Sun Boxes for some years afterwards which I found usefull on many occasions as it gave you root access.


Nick PApril 7, 2014 5:20 PM

@ Clive

Funny. PERQ was interesting in that the Wikipedia article says it also ran FLEX. FLEX was one of the machines I cited which was architecturally easier to secure than modern machines. That the firmware handled all memory management and it was a capability machine would knock out a ridiculous amount of problems in the right hands, reducing many in the wrong hands.

Of course, you got a PERQ box with the OS on the opposite end of security. Lucky for your gaming sessions, eh? ;)

name.withheld.for.obvious.reasonsApril 7, 2014 5:42 PM

@ Clive Robinson

@ Mike the goat
Interestingly the same bug issue continued to haunt many Unix systems including Sun Boxes for some years afterwards...

Sounds like the rlogin bug that persist until 97' or 98' if memory somewhat serves me. I too started at 9 years of age by building radios--by the time I was twelve I had a lucrative TV repair business.

Those were the days--at Christmas had a conversation about the intricacies in properly de-gaussing at CRT. If took a few extra cycles to pull the net in the old skull cavity. The ICL reminds me of the Xerox workstation up to the time FrameMaker was introduced. Landscape and portrait display orientation (active) that I believe Radius stole from. Of course nearly all took something from PARC, right Morris and Steve?

@ Nick P
My argument that the design of most major routers (big iron) consists of an I/O processor and a GPU like control/management/supervisor device. I didn't mention multiple or separate cores. Cisco on the core routers have a similar logical architecture but the design rational is aligned with redundancy and fallback recover. In 2004 I started development on an synchronous multi-core design. It was really a hybrid, on the Xilinx slab an I/O processor was tied to a processing core to reduce the cost of development. And, the design was to produce two dies that solved several problems including real estate, temperature, and power consumption issues.

Nick PApril 7, 2014 6:36 PM

@ name.withheld

"My argument that the design of most major routers (big iron) consists of an I/O processor and a GPU like control/management/supervisor device."

I understood your argument. I just thought you'd find Octeon III interesting.

Clive RobinsonApril 7, 2014 8:15 PM

@ Nick P

    Of course, you got a PERQ box with the OS on the opposite end of security.

Actualy it came with both Unix and FLEX on the 25Mbyte 14inch hard drive. The reason it had Unix ported onto it in the first place was due to the UK Science and Education Research Council which decided to stansardise on Unix, Cambridge Ring and the PO/BT Packet Switched Service (PSS) and GPIB (originaly HP-Interface Bus).

For my sins I did work on the Cambridge Ring and GPIB and developed a GPIB to Cambridge Ring converter that looked like a terminal concentrator. It got put into several UK Unis and research establishments to aid in large physics and astronomy work as well as the Weapons Research Establishment. It was in my mind even when I developed it a "cludge" because I could clearly see the Cambridge Ring realy had no future, though I was surprised when they evolved it into what became ATM (and we all know how well that went after 95). As for my device I was only to happy to get shot of it on to otheres at the Ruthorford Appleton Labs (RAL) over in Didcott Oxfordshire. RAL was more famous for ATLAS and eventualy JANET and produced a lot of original and inovative thinking. But as usual the failings of the UK Govenment ment it was not possible to capitalise on them which is why a lot of UK inovation got "sold back" to the UK in US and later Far East products...

DBApril 7, 2014 8:26 PM

@Sketpical (the original one)

I'd say the heartbleed bug is more likely :)

murrayApril 7, 2014 9:39 PM

So it's down to 5 years old now. Bruce says "attacks only get better with time"...

CallMeLateForSupperApril 8, 2014 11:07 AM

I read about this elsewhere yesterday. Immediately emailed the URL to a friend and colleague from our Assurance days. I knew he would guffaw and pound the table; he would recognize this "hack" as exactly the kind of thing that a good Assurance person does... with regularity.

"Nobody would ever fill the password prompt with spaces!"
OK. I'll test that first.

"No operator idly flips the Normal/Test switch on the mainframe console during [boot]". (1)
But when he does, the [boot] will fail, computer will cough up blood and advise the operator to call for service. Obviously service personnel won't find a problem. So this is a problem.

"Our operating systems don't utilize the Read Backward command in that fashion."
There are other operating systems, and that particular way of using Read Backward clearly is permitted by Architecture. When it is utilized a predictable area of RAM gets corrupted. Further, the corruption is neither detected nor reported. (Anyone want to explain this "glitch" to e.g. NYSE, NASA, Pentagon, IRS?)

The only thing that's more fun than making a new design is testing it.

(1) "IML" (Initial Microcode Load) was the actual Company Speak for "booting" a mainframe.

DaveApril 8, 2014 12:54 PM

@Nick P:

Children's brains are wired to learn. They learn quickly, so very quickly. (Do not let them see how the child-proof locks operate if you want them to remain child-proof. Once one kid knows they all know.)

Computers are designed to be easy to use to get adults, who don't learn so quickly, to use them. Naturally kids have the advantage here.

Filling the field with spaces is exactly the sort of thing a child would do just for fun. Whereas most adults, especially programmers, would never think to try it.

Not excusing Microsoft here. This was pretty stupid of them. But yes I do believe a kid could discover this on his own.


FigureitoutApril 8, 2014 10:52 PM

--I remember the news segment NBC news did where anchors secretly filmed their kids (creepy, but whatever) and the "suburban soccer moms" were aghast when their kid opened the pill bottles in like 10 seconds.

Another one of those "hard journalism" pieces by the "investigative" journalist Jeff Rossen. Another one of his "masterpieces" was filming randoms outside a liquor store and underage kids could convince adults to get booze. Then some mom's were "aghast" at that. Idiot needs to take a camera into an American school where you can get almost any drug imaginable (even ones you've never heard of, lab-made drugs) and kids are and aren't stupid, the drug-dealing opsec just gets better. Cracking down on a kid's freedom just makes them want to explore or break that restriction; it's simple psychology...

nwodbApril 11, 2014 7:54 PM

I think they should make a cool catch phrase and logo every time a Microsoft product gets hacked. I'm thinking "Crayon Bleed", or "Space-bar Gate"... or is the appending "Gate" to the end reserved for the crooks in government?

EDApril 12, 2014 1:03 PM

Kristoffer discovered that if he simply pressed the space bar to fill up the password field, the system would let him in to his dad's account.

Challenge launched to come up with a server code snippet supporting the official thesis of the bug over that of an intentional backdoor.

JardaApril 14, 2014 1:54 PM

BTW, isn't it against sam law about hacking? Shouldn't he serve some ten years of jail time?

GeorgeApril 15, 2014 3:11 AM

Am I the only one who thinks £30, four games and a "Live" subscription seems rather harsh for such a fundamental bug? Give the guy a new bike, at least.

Brian M.April 15, 2014 9:41 AM

@Skeptical (a different one):
"I don't believe the 5 yo did it for one second."

I worked in the XBox games group for a bit. I saw the most unbelievably worst code I have ever seen at Microsoft. Seriously, it was truly amateur hour. I refuse to work in Microsoft again due to that group.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.