SEPTEMBER 18 To ulTRAX From: jgreely@corp.webtv.net (J Greely) Date: Fri, Sep 18, 1998, 12:36pm (EDT-3) To: ulTRAX@webtv.net Subject: Re: What was the real issue? In your letters I sense a concern that there was some "real" danger about people getting into Testdrive... and it had less to do with licensing and partners... but something deeper. The service that has testdrive.webtv.net email addresses, which we usually call "Daily" (for how frequently the service software on it changes), not only has unreleased software on it, but also has very limited capacity, making it necessary to limit the number of people using it. There's also the issue of people getting "stuck" there, when someone else puts an internal build on their box; that caused an extra load on customer care. What really concerns us, though, isn't getting to the Daily service; it's having the internal build. Internal builds have extra functionality that production builds lack, including extra secret codes. Because that functionality was never intended for real customers, it hasn't necessarily been tested for security. Getting to Daily isn't the only thing you can do with an internal build; one of the reasons we have been scanning the newsgroups is to find out if anyone discovered any of those other special functions. So far, no one has used any key words that would indicate that they'd done so, which is a great relief to us. I also have a question why JS was removed from the GoTo? It was never supposed to be there, and the security of the service hadn't been validated against it (obviously). Until a formal review is done of just what can be accomplished through creative abuse of JS, we definitely won't turn it back on. We probably won't anyway, but that's another issue. Granted it gave some ability to access WTV URLs directly... as well as probe them for info.... I wish that we could be sure that everyone involved in writing different pieces of the service had worked with an awareness of security issues, but the truth is that many of them apparently believed that our control over the client meant that we could be sure that no one could get to an internal URL directly. -j ====================================================== SEPTEMBER 18: To ulTRAX From: jgreely@corp.webtv.net (J Greely) Date: Fri, Sep 18, 1998, 2:09pm (EDT-3) To: ulTRAX@webtv.net Subject: Re: What was the real issue? So what were these "special functions"? I wouldn't tell you even if I had a signed non-disclosure form in my hands. Sorry, but it really is confidential. I'd like to offer, in way of amends for obvious transgressions, my services in checking around for those leaks WTV fears. Not my department. I can mention it to the folks who are doing the security reviews, but I wouldn't hold my breath. I think they want to get the first pass done themselves before considering any external assistance, just in case. An explanation of the roles of the User, Subscriber, and Silicon IDs would suffice. Heh. They're the primary indexes for the associated databases. A User is any of the six logins a box can have, and includes the associated Subscriber number. The Subscriber holds the billing and other global data, and includes the associated Silicon Serial ID. The SSID is the box itself. If you unsibscribed and sold your box, the person who bought it would have new Subscriber and User IDs, but the same SSID. So is WTV's concern that we can direct access WTV URLs? *OR* that in having that ability we might probe for "hidden" URLs that are being considered for the next upgrade? Neither. There are no "hidden" URLs on the production service. The concern with direct access to internal URLs is that we believe some of them were written with the assumption that they could only be accessed by legitimate requests, and don't correctly enforce security. Does WTV see as a problem if we have the ability to access URLs as below (Hmmmmm... none of which seem to be working now.... Is WTV trying to shut this Trick down?). I've never looked at this page, and I don't have time right now. I'll take a look later. -j ====================================================== SEPTEMBER 21 To Pure-Pleazure To: Pure-Pleazure@webtv.net (¶ü®é WébTV KîñG) Subject: Re: WEBTV IS WATCHING AND I GOT PROOF From:J Greely Date: Mon, Sep 21, 1998, 4:21am (EDT-3) Pure-Pleazure@webtv.net (¶ü®é WébTV KîñG) writes: I'm thinking it's webtv interpreting (however the hell you spell that) our e-mail messages to see who these messages are being written by.. All I can say to this is "thanks for the laugh". Okay, maybe I'll say a little more. We don't scan your incoming mail. We don't scan your outgoing mail. We don't "punish" people by disconnecting them from the service. We don't pay any special attention to the accounts of people who read or post to this newsgroup. We don't have special code in the system to treat you differently. We don't plan to start doing any of these things in the future. We don't really care what you talk about, or where. We do care about some of the illicit things people have done and want to do again, because they might cause problems for us or for other customers. -j ====================================================== SEPTEMBER 21 To Pure Pleasure To: Polo-Sport-Guy@webtv.net Subject: Re: PARANOIA MY ASS! From: J Greely Date: Mon, Sep 21, 1998, 4:25am Polo-Sport-Guy@webtv.net writes: Inside sources tell me webtv is watching I just didn't want to say anything, but now you made me do it. This wasn't news. Many of the regulars even know who it is who's been checking out the newsgroup. Since it's a public forum, this shouldn't really be surprising. I had someone that lives near webtv headquaters that is in touch with someone. They saw that person browsing our NG. Hell, you should have just asked ultrax; it would have been quicker. Trust me I know! Me, too. -j ====================================================== SEPTEMBER 22 To ulTRAX From: jgreely@corp.webtv.net (J Greely) Date: Tue, Sep 22, 1998, 2:09pm (EDT-3) To: ulTRAX@webtv.net Subject: [no subject] I was looking more for the keywords What keywords? Why was it possible to add more than 6 users? Simple incompetence. Since someone thought that the "correct" way was the only way to do it, they didn't bother having the service itself check to see how many you already had. I'm confused. Obviously I had been able to access the Game Setup and UsageBasedBilling pages despite the fact there are not available buttons on 2.2 to click to get to these pages. ====================================================== SEPTEMBER 26 From: jgreely@corp.webtv.net (J Greely) Date: Sat, Sep 26, 1998, 6:58pm (EST-2) To: ulTRAX@webtv.net Subject: Re: HACKING WTV-TRICKS ulTRAX@webtv.net (Killer<> ulTRÅX <> Willie) writes: Tricks were created as a backup for getting around in the browser should the Client software fail. Um, "no". Most of them were created so external partners could refer to internal URLs (things like home and aroundtown), and others were created to provide debugging information, testbeds for specific features, or additional features useful primarily to us. I can't think of anything that would do as you describe, or why we'd want to. As such WTV probably can not stop their use in the GoTo as they have the other so-called "tricks". Actually, many of them we can, with the new security model for tricks that's coming out in a few weeks. With the exception of the tricks that take you to places you can already get to, most of them will require use of the tricks password (it will not be possible to "go around" the password protection straight to the URL). wtv-tricks:/StayConnected (! disabled?) It now returns an error. -j ====================================================== SEPTEMBER 26 From: ulTRAX@webtv.net Date: Sat, Sep 26, 1998, 10:16pm (EST+1) To: jgreely@corp.webtv.net (J Greely) Subject: Re: HACKING WTV-TRICKS Working another Saturday night? I can't remember everything you said LOL. Obviously StayConnected was shut down. I have to post something. Then after my attempts to explain modem speed/compression/ etc in another group.... I realized that I'm usually wrong about things anyway. Between the Freezes and the Newbies I'm loosing it. Screw my Human Service background. I expected lots of 12 year olds during summer break.... yet they seem to be crawling out of the wood work the past few days. The very term "hacking" is a magnet. Sears have the box on sale? Question: what's the infamous "white border" that randomly appears on some pages. Often when I try to use validator at http://members.tripod.com/~mdrbbt/reference/source.html a white border will appear blocking the referrer box. It happens at other pages as well. I have to reload, sometimes several times, before the border goes away. Question #2 Will there ever be a HTML kill switch for mail/posts? Think of the bandwidth that could be saved! I'd disable all html. I hate the wait. Question #3 What the hell was Demo? I mean the old Demo that we all knew and loved. How was it that we could access it at all? ==================================    Saved message