Internet Chess Club Security Defeated 264
Scott_F writes "Researchers at the University of Colorado at Boulder have been able to defeat the security mechanisms of the Internet Chess Club and can effectively play a zero-time match, as well as have complete control over the game. The paper is titled How to Cheat at Chess: A Security Analysis of the Internet Chess Club. If you're not familiar with the ICC, it is where many Grandmasters play regularly, with rumors of Bobby Fischer making an occasional appearance. It appears that the ICC has relied on security through obscurity, but we all know how poorly that works. Chess, anyone?" Update: 09/08 21:08 GMT by J : In totally unrelated chess news, I found today's commentary on Zermelo's Theorem interesting, both for the math of the game and the look at a mistaken echo chamber.
Greetings Dr. Falken (Score:5, Funny)
Hackers games (Score:2, Interesting)
Been there, done that (also once wrote a client app for both servers).
While writing timestamp version with public/private key authentication would work against snooping CC numbers, lag info can always be altered with simpler means then cracking timestamp. For apps using local clock system calls can alwa
Obviously (Score:5, Funny)
Rus
Re:Obviously (Score:5, Funny)
Pawn to Kings King 1 (Score:2, Funny)
Doh! No Fair!
Ob. Red Dwarf reference (Score:5, Funny)
QUEEG: Bishop-Pawn takes Pawn.
HOLLY: Bish takes Prawn.
QUEEG: Bishop to Knight Five. Double Check and Mate, sucker!
HOLLY: Oh yeah, I didn't see that...
LISTER: Holly, man, what have you done!?
RIMMER: He's lost.
QUEEG: And the loser gets erased.
HOLLY: Noughts and Crosses?
Re:Ob. Red Dwarf reference (Score:5, Funny)
Security through obscurity.. (Score:4, Interesting)
Re:Security through obscurity.. (Score:5, Funny)
That's why I post to /. as AC.
Busted. (Score:5, Funny)
Re:Security through obscurity.. (Score:2)
if you just trust that nobody will ever capture your packets and peek in you're totally screwed if the application relies on any security at all.
(i'm taking that there was actual game logic on the end clients.. which I seriously must ask what the fuck for? the server could very well just ask which piece to move and where to and then check the validity of that move before doing it - what secutiry through obscurity would that need?)
after all y
Re:Security through obscurity.. (Score:4, Interesting)
Re:Security through obscurity.. (Score:5, Insightful)
It's called defense in depth. Just because you believe that your underlying security is solid and you know that obscurity by itself wouldn't be a complete solution doesn't mean that adding some obscurity on top of what you have as an extra level of security is a bad idea. Just because I know that you can cross a moat doesn't mean I'm not going to put a moat full of alligators around my castle in addition to the guys on top of the walls with boiling oil and so forth.
And if you really believe that obscurity never has a place in security, does that mean you will happily give out all your passwords, etc., because they were useless anyway?
In other news (offtopic), where did my "Older Stuff" slashbox on the home page go? I went to my home page preferences to add a Politics slashbox when they added that section (which retroactively contains old politics stories, very nice) and now I don't have "Older Stuff" anymore. It's there when I'm not logged in. But I don't see it listed anymore as a choice in preferences (it should be in bold since it's one of the defaults for non-logged-in users). I'm so confused. Any help? Thanks.
Re:Security through obscurity.. (Score:2)
Security by obscurity means your system relies on that the mechanism is unknown. For example, this timestamp program. As soon as it was found how it worked, it could be instantly broken.
Good security is when an attacker can't break your system faster than brute force, even when given all the computing power, knowledge of how it was built and tools on t
Re:Security through obscurity.. (Score:2)
Re:Security through obscurity.. (Score:2)
You add (in addition to the moat) a field of land mines. There is a path through the minefield.
Are you saying that this provides no security over just the moat?
Summary of story (Score:5, Funny)
Re:Summary of story (Score:2)
Re:Summary of story (Score:2, Insightful)
Most people find managing private keys to bee "way hard". Even if that management is nothing more that making sure you store a backup of the key offline in case your computer goes poof.
Oh well for the world when lazy people are 99% of the people out there...
Re:Summary of story (Score:4, Insightful)
Re:Summary of story (Score:2, Funny)
First rule of chess club: Do NOT talk about chess club!
Re:Summary of story (Score:2, Funny)
Ooooooooooooooo, Shiny!
KFG
Re:Summary of story (Score:2, Funny)
See how well they hide?
KFG
Re:Summary of story (Score:2)
http://www.securityfocus.com/news/136 [securityfocus.com]
I'm not saying that your wrong, but I know this Interbase (the original name of the database, before it was Open Sourced) bug was published on slashdot (I'm not going to bother trying to find the link), and fits the description you give (other then the "hide" portion of the Buzilla DB).
I read slashdot pretty religiously, but don't remember ever hearing such a story about Mo
Chess is the fairest games of all (Score:2)
But, cheating is still possible with the help of latest technology. In an on board match, you could have some person watching your game and suggest moves after checking in a computer. This is more true of non Grandmaster games. Its almost impossible to do this in GrandMaster games as necessary precautions are taken.
Now, in internet chess, cheating is even more likely to occur. It is very difficult to hold a fair tournament com
Re:Chess is the fairest games of all (Score:5, Insightful)
(Dare i mention the infamous GO in a chess story?)
While i am attempting to drop my karma like a rock, i would also add that chess is NOT the fairest of all games, becuase there is a definate difference/advantage depending on what color you are, and thus who goes first. A game in wich this is not the case (or it is compensated for would be even more fair. (here is where my karma takes nose dive
I should say that i am not trying to trash talk chess. I enjoy chess just as much as the next guy, and it is terrific game to play -- both for enjoyment and as mental excersise. Above, i was just trying to point out what i thought was wrong with the parent.
Re:Chess is the fairest games of all (Score:5, Insightful)
Re:Chess is the fairest games of all (Score:3, Insightful)
I am not sure that many people would agree with this boundry. That is, if you played a single game of chess, you would feel safe claiming that you had played a game of chess. If soemone came up to you and said, "No
Re:Chess is the fairest games of all (Score:2)
Re:Chess is the fairest games of all (Score:2)
Not Risk (Score:2)
Re:Chess is the fairest games of all (Score:3, Informative)
Risk isn't a fair game, in the sense that it involves random elements, rather then purely skill. Checkers is probably a fair game, however, there are some varitions to it's standard rules.
http://en.wikipedia.org/wiki/Solved_board_games [wikipedia.org]
According to that page, reversi is just such a game.
It's entirely
Re:Chess is the fairest games of all (Score:2)
as there are no referees to make wrong calls, and judges to give wrong scores.
Actually, tournaments have people called arbiters who assist the players and rule on any unclear cases or when the players disagree on something. And it's not uncommon that an arbiter makes a wrong call.
But, cheating is still possible with the help of latest technology. In an on board match, you could have some person watching your game and suggest moves after checking in a computer. This is more true of non Grandmaster game
Greetings, Doctor Falken. (Score:2)
Some of the top analytical and intuitive problem solvers in the world, and they can still get their credit cards hacked. Bravo.
But why oh why couldn't the researchers have researched a hack on, say, Everquest? Thirty thousand startled and whiny chess players wouldn't be nearly as entertaining as three hundred thousand startled and whiny mob grinders.
Zero-Time match? (Score:2)
Re:Zero-Time match? (Score:2, Informative)
A Zero-Time match would mean you've hacked the clock and your moves never take any time.
Re:Zero-Time match? (Score:3, Insightful)
Another poster's implied dismissal of low time games as 'smack-the-clock' speed chess seems to disregard what is implied in the article - that many people play low-time games because it's commonly believed that you cannot cheat on them. It's not what I think of as chess but if it's widely used for that reason this find is significant.
Just a thought (Score:3, Interesting)
Re:Just a thought (Score:2)
A special case of this is the "don't run faster than the bear - run faster than the slowest guy you're with" - if the bear doesn't get anything to reward him (her?) for running past the slowest guy in order to get you, then he (she?)
Re:Just a thought (Score:2)
Do I really care? No, I go play someone else.
Are the alternatives safer? (Score:3, Funny)
To bad it isnt go... (Score:2)
cheat at chess?? (Score:5, Funny)
Re:cheat at chess?? (Score:2)
Nah, it's nothing that obvious. The cheat takes away the fog of war, just like every 13-year-old bastard I play on battle.net : (
Re:cheat at chess?? (Score:3, Informative)
Daniel
Re:cheat at chess?? (Score:5, Funny)
White: (castles)
Black: OMG WTF CAMPING L5M3R N00B
Re:cheat at chess?? (Score:4, Informative)
1. Open chess program
2. Input Opponent's move
3. Chess program offers best possible countermove
You never need to know why the move works, how it will help you win or even when mate is near. The program does it all...
Of course online veterans can spot someone using a program fairly quickly. Some sites even try to discourage it by not letting you move your mouse off the app. If you do your opponent is notified and they can adjourn the game.
Even then, all you would need is a laptop and some creative timing skills. But if you need to cheat at chess that badly, when it doesn't effect any legitimate rank you may have for the "traditional" clubs, you need are in desperate need of getting laid and should put away the computer...
Re:cheat at chess?? (Score:2)
Um?
Sufficient.. (Score:2, Insightful)
If two guys are playing and the game randomly changes, a review of the play list can confirm someone cheated. Therefore, they do have sufficient security. There is a big distinction between having sufficient security and being ultra-secure. You don't secure a pool with armed guards to prevent kids from falling in, you simply build a taller fence.
Ah ha! (Score:2, Funny)
Ha! (Score:5, Funny)
Can't believe it (Score:5, Funny)
Let me guess... (Score:2)
The Real Challenge (Score:4, Interesting)
I can imagine that it _would_ be possible to do some really intersting things that would make remote matches _much_ harder to cheat at(i.e. do things like authenticate who is observing each of the remote players).
Re:The Real Challenge (Score:5, Informative)
Is creating a _really_ secure equivalent of the internet chess club. I see this as a serious opportunity for an open source team to demonstrate how they can do security _right_.
Short history, from memory: Way way back, there was only ICS, the Internet chess server. In 1995, it was turned into the commercial server ICC, the Internet Chess Club, which is still around and going strong. It's closed source and costs money unless you're a grandmaster.
As a protest to this, FICS, the Free ICS was started. It is, to this day, free "as in beer" (if for a moment we assume that beer is free of charge). It used to be Free as in GPL and avilable from the FTP site.
However, after others downloaded the Free code and started their own commercial servers with it (and they don't have to distribute their own changes under the GPL, since the software isn't distributed at all, it only runs the server), the code was closed as the developers didn't like working for free for a commercial server. I believe that server was Chess.net.
Later, FICS new main developer recoded all of FICS, so that none of the GPL code remained - or so he claimed when he sold a copy to a company named GamesParlour during the Internet boom, under some license other than the GPL. He also worked for them for a while. Endless FICS flamewars ensued. There is actually a reasonable chance that his claim is true, since he's been the sole developer for many years now.
Anyway, some people thought this was reason enough to start a new, open source chess server. The one I know of is chessd [sf.net]. I have no idea about its status.
To this day, FICS is still the best place to play chess for free for non-GMs, while talking about AI in the religion channel and politics in the politics channel, and everything else in ch 50.
Oh, and keeping track of time client side, and sending the times to ICC is done there with a utility called "timestamp". On FICS, the equivalent is called "timeseal", and I would be really really surprised if it wasn't at least as vulnerable. I believe there is actually some exploit in the wild. Not many people care though.
(I'm ElOso on FICS.)
No HTML version. :( (Score:3, Funny)
Adds a whole new meaning... (Score:3, Funny)
"y3r p4wn i5 0wn3d!!!"
Re:Adds a whole new meaning... (Score:3, Funny)
y3r p4wn i5 pwn3d.
Legality? (Score:3, Interesting)
Was this legal?
Aren't there local, state, federal, and international laws against exposing the vulnerability of a private system? Haven't many people already been harassed by the FBI for doing much the same thing with corporate systems? Or do these people get a free pass because they're from a University?
Bobby Fischer in the ICC ? (Score:3, Informative)
Bobby Fischer certainly has a very interesting and complex personality....
Rainer
Re:Bobby Fischer in the ICC ? (Score:2)
> that he would play there.
Yeah, I have my doubts, too (and I don't play chess).
But it was fun while it lasted.
Every other year, he sort of appeared in some random part of the world (was - supposedly - even spotted in Germany once, some years ago) and disappeared immediately.
Apparently, there's a Japanes woman who wants to marry him...
Rainer
Re:Bobby Fischer in the ICC ? (Score:2)
Re:Bobby Fischer in the ICC ? (Score:5, Funny)
And why doesn't he shuffle the front pieces, too? That would make it even more interesting.
(I know only just enough about chess to make this post.)
Re:Bobby Fischer in the ICC ? (Score:2)
What happened exactly? (Score:5, Insightful)
This timestamp program is not open source but they publish a binary version for various operating systems.
It sounds as if someone has hacked this (ie. so you can tell it that your move took 0.1 seconds -- the server deliberately does not allow moves to be faster than 0.1 seconds). If you have ever played a timed chess game (especially, one with short times, eg. 1 minute per game), you will know that this represents a huge advantage.
I don't know what the article means about "complete control over the game", the server does not allow illegal moves etc. -- unless they have somehow hacked into the server, or managed to insert packets into the TCP/IP connections between the server and the opponent (which would be a problem with FreeBSD or the opponent's OS).
Also the article mentions 'network security protocol', which is odd given that you can play games there by a plain telnet connection (telnet to chessclub.com:23 or chessclub.com:5080) or any 3rd party clients with no security.
The Windows client software supplied by ICC includes some un-documented security to validate itself (ie. let the server know you are using this piece of software and not a 3rd-party client), this is useful for detecting if people are trying to cheat by getting a chess-playing program to automatically play their moves for them.
And finally, I fear that a "robustification" of timestamp, to use accepted open security mechanisms, would end up in greater lag for the players -- either due to greater packet sizes, or greater processing power required by the client or the server (which has to do this for 4000+ connections at once), which is a pity (even 20ms is noticeable in a speed game of chess).
Anyone have more information?
Re:What happened exactly? (Score:5, Informative)
You could read the actual paper, but this is Slashdot, after all...
Yes, they hacked the Linux version of the timestamp client to send zero move times. They also reverse-engineered the timestamp protocol.
Security is an issue because they're exchanging passwords and credit-card numbers with the client. The authors were able to crack the "encryption" being used to transmit this stuff (a 100-byte one-time pad) by sniffing only 10 bytes (it was a very predictable sequence). The client and server also exchange two 64-bit keys in the open when the session is opened, which are used to generate the 100-byte pad.
Re:What happened exactly? (Score:2)
An OTP needs to be only used once, and to be completely random. Besides, it can't be generated in place. I wrote a small chat program that used an OTP once.
The way you do it is to use some good random number generator, such as
Re:What happened exactly? (Score:2)
This has made me want a good game of chess, i was never as good as I'd like, but I did enjoy it. If only the computer would let me win occassionally, it is very hard on my ego.
Re:What happened exactly? (Score:2, Informative)
Re:What happened exactly? (Score:2)
Having read the researcher's paper more fully: there are two "network security protocol"s in question:
1) 'timestamp' encrypts its messages to prevent tampering; this is obviously useless if you have already reverse-engineered the timestamp program
2) the Windows client uses some weak security to identify itself and allow credit-card processing.
Obviously the solution to (2) is, as the researchers suggest, only allowing credit card by a secure web-based system (which are
Re:What happened exactly? (Score:2)
They are most useful for indicating it is extraordinarily unlikely that a given message was modified from its original. They are unfortunately not clearly useful for indicating one 16 digit number is not another 16 digit number; two 16 digit numbers may or may not hash to the same value. I am not aware of a solution beyond hashing all possible 13 to 16 digit numbers and looking for collissions; but that brings us around t
Security Rule # 1 (Score:5, Funny)
Security through obscurity meme... (Score:3, Insightful)
However, in reality all security is through obscurity. For one you need to keep the (private) key secret.
In practice, good security is composed of several layers, one of which should be obscurity. For example, you might RSA/ssh restrict access to a host, but it still pays to (a) not advertise its existence (b) make it insconpicuous (c) close logins to an account after more than three failed attempts (d) keep the communication protocol secret (e) place a good lock on the door to the computer room (f) not write the password on a post it note and place it in your drawer (g)
Notice how many of those listed above derive security from obscurity in practical, effective ways.
Re:Security through obscurity meme... (Score:5, Insightful)
That is not what "security through obscurity" means. The term refers to keep things other than the key secret, such as the algorithm, the magic key combination needed to get the password prompt, etc.
Re:Security through obscurity meme... (Score:2)
Re:Security through obscurity meme... (Score:2)
Re:Security through obscurity meme... (Score:2)
Security by obscurity means the security of your system depends on its implementation being secret. Say, some program claiming to be secure that sends "encrypted" data by XOR'ing it with the string "password" which is fixed. Same goes for a chat server I reverse-engineered which tried to make it difficult to write different clients by sending you a number, and requiring you to apply some math on it and send it back. As soon as somebody decompiled it, the math th
This has been going on for ages! (Score:2)
Cheating through outside programs (Score:3, Insightful)
set it to super hard
move as your oponent
lose to computer you win.
In FPS' Anyone who's been to a lan cafe has seen screen watching but it's little brother talking on the phone or using a voice comm program to communicate with teamates (while alive and dead).
The worst part about cheats like these is that the cheater doesn't think they are cheating, if you ask they won't know what you are talking about.
It's fine in matches where both teams are doing it but in public servers it's definitly cheating, in some games like quake or CS(With death cams it's kind of a problem it's not always obvious but in games that rely heavily on knowledge such as raven shield knowing where your teamate was shot from after he dies can be decisive.
Please people if you have access to information your opponents cannot possibly have access to consider what you are doing to the game.
I like things like death cams and teamwork but I'd have to take steps against this kind of thing if I was running a server, though usually the people running servers are the worst offenders, Ventrillo anyone?
Karate Kid Security (Score:2)
In marginally related news... (Score:2)
It seems as though the Robinsons, who live down the street from me, relied on security through obscurity. I guess they were asking for it! I sure am doing them a favor by exposing this vulnerability.
Hmm (Score:3, Funny)
Not quite research (Score:2)
FICS (Score:4, Interesting)
Re:FICS (Score:4, Informative)
Re:FICS (Score:2)
Re:FICS (Score:2)
Integrated timestamping (Score:5, Informative)
The article says that no unix chess client comes with integrated timestamping, which is a good reason to plug mine - Jin [jinchess.com], which does.
Also, I'm an ICC admin [chessclub.com] and I can tell you that we're looking into the issue and will probably publish an official response later.
Re:Integrated timestamping (Score:2)
Old ICC Flaw (Score:2)
Pink Elephant (Score:2)
So, no point in reverse engineering the client and cracking the protocol just to fake some latency in order to gain some extra seconds. Which only help in blitz games anyway. Which are a lot more fun to play offline anyway.
Checkmate (Score:2)
Heard the talk (Score:3)
In general the timestamping problem is clearly an insoluble one, because the server has no way to tell if the human took only as much time to think as the client software claims. Obfuscation is a stopgap solution that deters the casual attacker, but there is no cryptographic solution apart from "trusted" hardware (yikes).
The way the music/movie industry has tackled the problem is to go on the offensive and call everyone a criminal. Let's see what the ICC does.
In Related Chess News... (Score:2, Informative)
the solution to this cheating.. (Score:2)
Favourite article quote (Score:2)
"Since rearchitecting the Internet is both infeasible and falls short of a full solution (...)"
I couldn't agree more.
Visual pun at the end of Aliens... (Score:2, Funny)
Re:I'm not surprised (Score:2)
If you ever rub elbows with the crowds that really get into chess, you'll find them an honorable bunch.
I've found that there are three kinds of Chess players: nice guys, deep thinkers and assholes. Chess ability seems to be independent of which group the player belongs in.
Re:I'm not surprised (Score:2)
Re:I'm not surprised (Score:2)
People play chess because they enjoy chess. Why would someone play just to cheat? What's the reward?
"Time chess" aside, how could you cheat anyways? As soon as I see a rook move diagonally, or two pieces move at a time, I know theres cheating. How exactly do you "cheat" at chess without it being blatantly obvious?
Now if they found out how to "cheat" at blackjack or poker on an online Casino, that's something to talk about. There's cash money involved. People generally secure thing