Taking a break from working on his doctoral thesis, Massachusetts Institute of Technology (MIT) graduate student Andrew "Bunnie" Huang decided that it might be fun to poke around the security systems protecting Microsoft's Xbox game console.
With a little creative tinkering and a measure of precision soldering, Huang quickly isolated the main public security keys. Although legally prevented from sharing the keys with the world, he described his methods in detail in a widely distributed research paper, helping spur a wave of Xbox-hacking that has led to the development of Xbox versions of Linux and other homemade software.
After graduating from MIT last year, Huang set up his own consulting business, specializing in reverse engineering. But he still has some more Xbox insights that he'd like to share with the world--that is, if only he can find a way.
Huang's recently completed book, "Hacking the Xbox" was recently dropped by Wiley subsidiary Hungry Minds, citing possible legal issues under the controversial Digital Millennium Copyright Act (DMCA). The Department of Justice recently used the DMCA to shut down ISOnews.com, a Web site partly used to distribute Xbox-hacking tools, and to imprison the site's owner.
Plans to self-publish the book hit another snag a couple of weeks ago when Americart, a provider of online shopping cart services, declined to sell the book because it feared getting sued. But Huang remains determined to press this project through to completion.
"The thing I have to emphasize is that the book itself is not criminal," Huang said. "It'd be like saying that breaking and entering is illegal, so you can't write a book on how locks work."
Huang spoke with CNET News.com about the book, the importance of hardware hacking and his willingness to serve as a DMCA guinea pig, if necessary.
Q: What have you learned to do with the Xbox since your research paper was published?
A: I did a lot of work but if I talked about it I'd get in a lot of trouble. I did some work with a few people who were trying to figure out alternate methods to get to the Xbox hardware without necessarily involving the copyrighted code Microsoft has--basically finding backdoors in the initialization and boot sequence.
I helped out one guy in particular who was critical in figuring out the method that's used by everyone today. It is basically a flaw in the system initializer that lets you put code anywhere in the system that you want it.
From there, I backed off and got kind of quiet. Things were starting to heat up, and a lot of people were starting to move into piracy and other very controversial issues. I sort of became a fly on the wall and gave people advice in some key areas.
And then Wiley approached you about writing a book?
Yeah--Wiley has the "Dummies" series, and wanted to create a similar line of introductory hacking guides: hacking TiVo, hacking the Xbox, hacking your DVD player. The book overall is an education book. I try to teach people as much as possible how to do hacks on their own and try to avoid as much as possible the really cookie-cutter, boring stuff.
So it's not just, "Here's how you install this mod chip?"
There are a few pictures of mod chips installed...but it's more like here's how a mod chip works, and here's how people used reverse engineering to figure out how Xbox security works. It's trying to give a novice hacker or someone who has very little experience the confidence he or she needs to open up the box and start playing around with the stuff on the inside. And there's sort of a running dialogue about the experiences that I had getting into the Xbox, including the legal issues.
It ends with a brief section on where things are today. That's where I mention mod chips. But the book is really encouraging people to learn their own way.
Was there much discussion of legal concerns with the publisher?
When I first started working with them, they realized that it was a touchy subject. They had me develop an outline, and when I went over it with their lawyers, they said, "Yeah, this should be OK."
Then I got a call (a few months later) during which they basically said they'd had some turnover in the legal department and weren't feeling so good about the book now. I don't know if this had anything to do with it, but right around the time that they gave me they call, the Department of Justice shut down ISOnews.com and they were sort of beating on the doors of a lot of mod chip guys.
Has the ISOnews.com case had a chilling effect beyond your work?
I think that it's had a major chilling effect. Maybe the reason that companies started (backing out of such publishing deals) this is that the DMCA has become such a hot topic. A lot of companies aren't willing to really push their content directly through a public trial. The whole idea of taking a person and making an example of him seems to have backfired. They tried that with a few guys and it didn't work.
I think a lot of companies are starting to take more indirect attacks. To use a really bad analogy, instead of going for the mafia boss, you take out the guys in the street, the little mod chip vendors.
I want to put a stake in the ground and say, "Hey, I strongly believe what I'm doing is legal.
They're trying other techniques within the word of the law to put a damper on this activity without getting bad press.
If they were to go ahead and take any Xbox-Linux guys and crucify them for running Linux on the Xbox, they'd have the whole open-source crowd really up in arms. There'd be a really big negative mark on the Xbox.
So even though Microsoft has said, "You guys can't run Linux on the Xbox," they're not going to really do anything about it in the short term. It's not hurting their revenue enough to have them fight a battle on principal.
Are you afraid personally of the possible consequences of publishing the book?
Oh yeah. Lately it's been really day-to-day. I get a lot of e-mail from a lot of people, and sometimes you see the subject line and freeze for a moment, thinking, "This is it, they're coming to get me." And then it just turns out to be an innocent question. But the fact that Americart felt it had to reject my book shows how jittery people are.
So how are you going to sell the book now?
There's always PayPal, I guess...Although someone pointed out to me that PayPal has an explicit clause that says you can't use the service to sell mod chips. Even though this isn't a mod chip per se, it might be construed as a technology or a tool under the wording of the DMCA.
The big question that I had when I published my paper at MIT was whether this would be considered a copyright circumvention tool under the DMCA. I think it's wildly unrealistic to think that a court would agree with such an expansive interpretation of a tool. But to a limited degree, they might go along with it.
Beyond the question of what's a tool, there are still a lot of questions about whether mod chips are copyright circumvention devices at all, since they do other, legitimate things. Would it be useful to have a court opinion on that?
It would be. I think that part of the reason I decided to go ahead with the book is that I'm really tired of hearing, "Well, there's three cases that never went to court, but here's the direction in which they kind of leaned." There's no real stakes in the ground about this.
There's a lot of fear, uncertainty and doubt. And the longer the people who want to enforce these laws can cast the shadow of fear without ever having to bring something to court, the more effective they are. This type of publishing is kept underground and under control.
I want to put a stake in the ground and say, "Hey, I strongly believe what I'm doing is legal and it's beneficial for people to know about this stuff." If we don't know about it, then the bad guys are going to figure it out and they're going to take our lunch. Maybe I'm being a fool by saying this, but if someone wants to challenge me on this, I think it's something we need to talk about in a court of law. I don't know where I'd find the resources to defend myself. If I am taken to court, then I'll figure it out.
The big game companies seem to paint all hacking as enabling software piracy. What's your rationale for why it's useful to hack the hardware?
There's this thing called fair use that pretty much had been protected until the DMCA came out. It says that if I take my hard-earned money and buy a piece of hardware--whether it's a hammer or a razor or a computer--I can take it home and do what I want.
The real critical issue is if it turns out that Microsoft can put a ban on people running their own code on a piece of hardware.
I don't have to just use a hammer to pound nails. Same goes for a computer or a video game machine.
The real critical issue is if it turns out that Microsoft can put a ban on people running their own code on a piece of hardware. That'd enable people to develop monopolies over hardware by simply securing the hardware to something cryptographic in the software base.
Microsoft could start offering incentives to hardware makers to install a Palladium chip that only runs Windows on it, and people who remove it are guilty under the law. Eventually, you just lock up the whole world.
That's the whole crux. We're going to investigate this hardware and run Linux on it and push things a little. We need to figure out really soon what this is going to do to the industry and whether this is something of which we need to be afraid.
Right after I did the paper, I worked with a guy to find the avenues to completely bypass the Xbox security systems. And what we ended up with was amazing. It was a concatenation of four bugs from various vendors that allowed it to happen.
It's a real-life example of why I think Palladium isn't going to work--every vendor is going to have some small bug that individually doesn't mean much, but when you stack 'em together, it becomes a big security hole. And once you commit it to silicon, it becomes a billion-dollar bug.
So it sounds like a big part of your motivation is educational?
Oh yeah, a very large part of it is educational. When I first started doing this, I asked my professor if he thought there was academic merit to it. He was really positive. The security community has been debating for a long time about how we secure chip buses--do we just make it really fast and take it out of the realm of hackability? This sets a data point for what it takes to extract data out of a high-speed bus. It's a real meat-and-potatoes example of security--what can go wrong and what can be done about it.
Do you expect your work to be reflected in the design of Xbox 2?
I think it will be. Nvidia had to scrap a bunch of chips because Microsoft rotated the (security) code, and I think that was at least, in part, specifically because of what I'd done.
With the Xbox 2, there's a couple of different directions they could take. They could say, "Fair use is fair use. Go ahead and run Linux on it, but if I catch you copying games, I'm going to nail you good." Or they'll try to tie it down even more cryptographically.
There are things that they can try. But there's a dozen attacks that I've kept in my back pocket and that other hackers have kept in their back pockets that nobody's even talked about. Those will come out if Microsoft tries to secure the hardware again.
What do you think of the James Bond hack for running unsigned software on the Xbox?
That looks really promising for freeing Linux to the mainstream. It either spells the beginning for a new age in Xbox hacking, or it's the demise. Either it's such a potent weapon against the Xbox that Microsoft will have no choice but to start enforcing stronger policies on hacking, or they may have to change the hardware. Or they could decide to back off and let Linux flourish. But I think it's going to tip the scale somehow.
And this is just one exploit. There are probably a lot of others. The thing that I'm looking for a is network attack, where you just plug it into the network, run a script on the PC and send a specially formed packet to the Xbox, and voila, you've got your code in the Xbox. That's the kind of thing I'd look out for being an incredibly huge problem for Microsoft.
Has the rationale for running Linux on an Xbox been diluted, now that you can buy a $200 Linux PC from Wal-Mart?
People talk and joke about that a lot. But there are a couple of things to realize. One is that those $200 PCs don't have anything close to the graphics power that the Xbox has. And most of the Linux applications for the Xbox have not been geared toward turning it into a Web server or a word processor. They want to turn it into a media center and have the box under their stereo system that stores videos, digital audio and other stuff. The Xbox is really pretty handy for that. And they use Linux because it has all these great tools for working with media.
What the appeal for you to doing reverse engineering work?
I think it's an important area and it's fun. I really like security more than anything else, so I've been working on TEMPEST-style surveillance equipment, looking for security holes that should be fairly obvious, trying to raise awareness for the public that information isn't as safe as it is thought to be.
Something like a public service job?
I guess you could say it's public service. What it boils down to is either someone's going to write a paper and say there's this vulnerability, or you're going to find out the hard way. One of my goals as I do this exploration, more for my own fun than anything else, is to be able to say it was this easy or this hard to break your hardware, and here's what you can do to remedy it.