Microsoft is updating Internet-enabled Xbox game consoles with a software patch that blocks users from installing the Linux operating system on the machine, and also apparently deletes some files Linux users have stored on the Xbox's hard drive, according to the Xbox Linux Project.
The group also noted that some Xbox Live-enabled games appear to automatically connect to Microsoft servers, identifying the machine running the game, without the need for an Xbox Live account.
The update plugs a flaw in the Xbox Dashboard (its startup menu), which Linux enthusiasts had used to install Linux without the need for modifying the console's hardware. Ordinarily, the console will not run software that has not been approved by Microsoft.
The Xbox, and Linux users' efforts to run their software of choice on it, is seen by many as a test case for future PCs that are more tightly controlled by the vendor -- a vision embodied in Microsoft's Next-Generation Secure Computing Base (NGSCB) project, formerly known as Palladium. The NGSCB effort has raised concerns amongst privacy and civil liberties advocates.
The Xbox Linux Project, in an effort partly funded by Lindows founder Michael Robertson, created a version of Linux that could run on the Xbox, and devised a method using the Dashboard flaw and a bug in an Xbox game to install the operating system. The process allows the machine to continue functioning as a standard console, as well as offering the option to boot Linux. The Xbox is built of standard PC parts and runs on a stripped-down version of Windows.
The Xbox update automatically installs itself on consoles that have the ability to connect to the Internet, if a user selects the "Xbox Live" option from the Dashboard. The user needs only to enter Internet connection details, and need not have signed up for the Xbox Live service, which allows users to play networked games. Users are not asked to approve the update, as is standard for Xbox Live software updates.
The update disables the bug that allowed Linux to be installed, according to Michael Steil, one of the principal members of the Xbox Linux Project. "As soon as the Dashboard is updated, our application to disable the Xbox's anti-Linux protection (version 1.0) will not work any more," he said, adding, "we're working on a version 2.0."
He said the update also erased a directory on the Xbox's hard drive that had contained a document he created and stored using Linux. "I never allowed Microsoft alter anything on my Xbox through the Internet, and I never signed anything that contains a permission for Microsoft to do so," he wrote in an open letter to Microsoft, published on the Xbox Linux Web site. "I never allowed Microsoft to delete anything on my Xbox through an Internet connection."
Steil noted that Microsoft's actions might even be subject to penalties under Germany's anti-hacker laws.
Automatic updates are controversial, particularly where it comes to Windows, by far the dominant PC operating system. Microsoft is considering making Windows security updates automatic, but users have baulked at a broader scope for un-approved software upgrades. In some cases, software vendors have already used updates to remove functionality deemed controversial, such as an Apple iTunes update that removed certain networking capabilities.
Under the installation method used by the Xbox Linux Project, known as Mechinstaller, a set of three files are transferred to the Xbox's hard drive via an Xbox USB memory card. From a game called MechAssault, one of the files is "opened" as though it were a saved game. This installs Linux, which can then be accessed via the Dashboard.
Steil also noted that some Xbox games appear to connect to Microsoft servers each time they are run, without the user's knowledge, and without the need for an Xbox Live account.
Steil said that when he set up the console with his Internet settings, it automatically transmitted data including the machine's serial number to a Microsoft server. Some Xbox Live-enabled games, including the popular Tom Clancy's Splinter Cell, go through a similar procedure each time they are launched, again without the need for an Xbox Live connection, he said.
Splinter Cell did not transmit the console's serial number, at least not in plain-text form, but a response from the server contained the number. This "proves that Microsoft knows about the serial, and knows what Xbox just started Splinter Cell", Steil said in a statement on the Xbox Linux site.
"Microsoft spies on Xbox gamers. All Xbox Live users, even if they don't use any 'Live' content, as well as all other users that have set up their networking correctly, are automatically registered at Microsoft with their serial number each time they start Splinter Cell (and possibly other games), without being asked," he stated.
Microsoft representatives were unable to comment for this article.