There have been a bunch of stories going around about how 5-year-old Kristoffer Von Hassel figured out a way to hack the Xbox Live password system
. Kristoffer's parents noticed that their son was logging into his father's account and playing games he wasn't supposed to be playing. They asked him how he was doing it and he showed them
Just after Christmas, Kristoffer's parents noticed he was logging into his father's Xbox Live account and playing games he wasn't supposed to be.
“I got nervous. I thought he was going to find out,” said Kristoffer.
In video shot soon after, his father, Robert Davies, is heard asking Kristoffer how he was doing it.
A suddenly excited Kristoffer showed Dad that when he typed in a wrong password for his father’s account, it clicked to a password verification screen. By typing in space keys, then hitting enter, Kristoffer was able to get in through a back door.
Kristoffer's father, Robert Davies, works in computer security (which, frankly, makes me a little skeptical that Kristoffer really made this discovery), and submitted the bug to Microsoft, who not only quickly fixed it, but also listed Kristoffer
on their March "acknowledgements" for security researchers who helped them find bugs and vulnerabilities.
Of course, the flip side to this story is how we've seen the CFAA
used in the past to go after people discovering similar flaws. Compare the story of Kristoffer to the story of Andrew "weev" Auernheimer
. Kristoffer clearly exceeded authorized access to the Xbox Live system in order to obtain something of value (perhaps he gets off because the "something" is not worth more than $5,000, but still...). Of course, weev is an obnoxious internet troll, and Kristoffer is a cute 5-year-old. I guess that's what's meant by "prosecutorial discretion."