Colorado Researchers Crack Internet Chess Club

Posted by timothy
from the that's-nice-dear-and-how-was-class dept.
edpin writes "University of Colorado at Boulder students hacked the 30,000-plus-member Internet Chess Club as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students reverse-engineered the service to up their ranks and steal passwords." Update: 10/10 23:05 GMT by T : Reader Bryan Rapp points out that this story duplicates the one posted last month -- sorry about that.

  • by Anonymous Coward on Sunday October 10, 2004 @05:01PM (#10488178)
  • we're still using stupid magnetic cards for our daily _BANK_ usage...
    • by baywulf (214371)
      They need to use the high security password mechanism used on bank checks.
    • Re:Meanwhile... (Score:3, Interesting)

      by mbrix (534821)
      Not in Denmark (and I suspect, many other countries). We are moving to chip-based cards instead. Actually, Denmark is almost fully converted away from magnetic cards.
      • Re:Meanwhile... (Score:3, Insightful)

        by Old Wolf (56093)
        The unfortunate side of this coin is that 'smart' cards don't actually offer a lot of added security. Most of the objections people have raised to magstripe cards still apply to smartcards. Also, most smartcards get their security hacked within a few months of coming out (meaning that the manufacturers are continually in a cycle of sending new cards out). Their only benefit is that the unwashed masses feel safer.

        This is really a great fraud which makes money for the people developing smart-card processing
        • Here in the UK the chip card is combined with a PIN number. If you don't know the PIN then programming up a copy card with a stolen card number is pretty useless.
      • in most places where they're used for banking they're still used to just hold the one number that would have been read off from the magnetic strip earlier.

    • Perhaps you are, but the UK and I believe much of Europe is moving to chips embedded in the card instead of the magnetic strip. I don't know how many cash machines (ATMs) use them yet, but most shops do.
      • So instead of a hard to reproduce signature (well mine is) there's an easy to remember 4 digit number that the criminal can watch you type in just before stealing your wallet (stores almost universally don't have adequate security on their keypads).

        Thankfully it doesn't seem to be switched on in the UK yet - I've never been asked for a PIN... refusing to type it in while surrounded by shoppers could cause a scene (either give me a secure way to type it in and prove it's secure, or you ain't getting it).
        • So instead of a hard to reproduce signature (well mine is) there's an easy to remember 4 digit number that the criminal can watch you type in just before stealing your wallet

          Exactly :) I've developed a technique of laying all my fingers over the keys so it's harder to tell exactly which ones I pressed. I'd prefer it if the keypad were hidden somehow though.

        • And... there are various form of keypad entry systems.. What's stopping Mr Shopkeeper from altering the device to record a copy of the PIN you enter ? Or pointing a tiny covert video camera at the device ? As he already has the magnetic strip info, he just trundles down to the cash machine with his made up card and enters the PIN.

          Whilst in the past some criminals would hide/wire up devices to cash machines, they can now do so from the comfort of their own shops..

          The PIN should NOT be the same as the one u
          • What's stopping Mr Shopkeeper from altering the device to record a copy of the PIN you enter ?

            The banks won't certify any particular device for use in shops (and thus, they won't be able to process transactions successfully) if it allows this.

            Also, if a shopkeeper perpetrated the fraud by the other means you suggest, it would be simple to trace it to that shop, by examining the transaction records.

            Finally, later versions of the terminal software do not actually record the card number, to avoid this very
            • I think you've misunderstood the scenario.

              Dishonest shopkeeper installs tampered with reader (why would he care about certification)? Shoppers come in and buy the low value items (say We've seen something like that here in the UK with crooks setting up their own ATMs, which do dispense money (at their cost) which they re-coup many times over using the stolen card details.

            • Stupid Slashdot misinterpreting less than signs, you'd think they'd get a competent developer to fix their code as well (and make the pound symbol work without requiring arcane knowledge).

              I think you've misunderstood the scenario.

              Dishonest shopkeeper installs tampered with reader (why would he care about certification)? Shoppers come in and buy the low value items (say less than 100GBP ) and swallows that loss. Shopkeeper takes their card data and stolen PINS and goes on a spending spree.

              We've seen so

        • I really think you'd be making a mistake by insisting on a signature rather than PIN.

          A thief's attempt at your signature need only be an approximation to be accepted - and at some shops they don't seem to check at all. You don't really think that the millions of fraudulent transactions that are carried out on stolen cards are all from people with simple signatures, do you? If someone steals your card, they will walk into a shop and try to buy a high-value item, for example a laptop or jewellery. If th
    • University of Colorado at Boulder researcher John Black said: "Unless you have a lot of experience, don't try to invent your own security system, it will just be broken," said Black, an assistant professor of computer science in CU-Boulder's College of Engineering and Applied Science. "Believe me, it's better to leave that job up to the experts."

      Is it me or does he sound kinda smug about all this? What, did he join ICC some while ago and get his ass handed to him...so all this time he planned his revenge o
    • What's wrong with that? It isn't a security risk to read what's written on the card or to create a new card, and it's a very minor risk to duplicate a card (the risk being that the attacker could gradually guess the PIN over time).

    • I assume you didn't give the security of credit cards a thought ?

      That's even more extreme... by just knowing one number that they print out on receipts you can access someone's bank account.

  • by LegoEvan (772742) on Sunday October 10, 2004 @05:05PM (#10488193) Homepage
    As I'm Bobby Fischer.
  • by Anonymous Coward on Sunday October 10, 2004 @05:05PM (#10488200)
    It seems like only yesterday [slashdot.org] that the site was hacked, and now it has happened again?

    Those admins need a good kick up the backside.
  • ...what the hell are the ethics of edu-hacking? That's pretty weird, if you ask me. It could be considered like white hat except that it's done for the hacker's benefit as well, but still... it seems a little fishy. I mean, would you go through an Anarchist's Cookbook with your teacher?
    Maybe that's just me. *shrug*
    • Don't you have to know how to commit a crime in order to stop folks from committing crimes?

      What you've said is paramount to saying that no sex education will keep us all virgins!!

      Cheers,
      -- The Dude
      • by general_re (8883) on Sunday October 10, 2004 @05:25PM (#10488333) Homepage
        Don't you have to know how to commit a crime in order to stop folks from committing crimes?

        Exactly why killing a man is part and parcel of becoming a homicide detective. Errr, wait, it's not.

        Yes, you have to know how crimes are committed to solve/prevent them, but committing those crimes is not the only way to gain that knowledge.

        • Committing homicide won't make you a better homicide detective. A homicide detective observes the mistakes of others, a security expert observes their own mistakes.

          Kill somebody, and what are the chances you'll notice the eyelash that conveniently fell out? You'd have to look for your own mistakes, while not utilising the information of how it was done at all for you to gain any skill, and it would be easier to wait until somebody gets killed for a reason other than to solve. The killing itself would get you
          • by general_re (8883) on Sunday October 10, 2004 @06:36PM (#10488734) Homepage
            As I said, though, there are plenty of ways to gain that kind of knowledge without actually breaking the law. Forensic accountants learn how to spot money-laundering schemes without having to get out there and launder money. Serial-murder specialists don't have to kill scores of people to learn how serial killers operate. Viral pathologists don't infect people with HIV so they can learn how to prevent AIDS.

            In all those cases, they study past cases, study current events, and don't generally have to become like the things they're acting against in order to defeat them, and I have no idea why computer security should be different - as someone who used to work in banking, allow me to testify that we didn't go out and rob banks or kite checks in order to learn how to prevent others from doing the same. And in those few cases where hands-on experience is absolutely necessary, you don't need to go out into the world and involve innocent third-parties - you set up a controlled environment where they can play on the playground without actually attacking real people. The ethics of this sort of "white-hat" hacking are non-existent - this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means.

            • But if you did go out and rob banks and kite checks, would you not learn something from what worked and what did not?

              There's a question of whether learning to practice is faster/cheaper than learning through study, and I doubt that either is better for all situations.

              Obviously, robbing a bank for practice is a bad idea, as someone is liable to get shot. But hacking a chess site is probably not so bad, since potential harm is low.
              • But if you did go out and rob banks and kite checks, would you not learn something from what worked and what did not?

                Maybe. But the problem is that in so doing, the "good guys" become morally, ethically, and legally indistinguishable from the bad guys - you've erased the difference between you and them, your altruistic motives notwithstanding. The ends do not justify the means.

                But hacking a chess site is probably not so bad, since potential harm is low.

                The rightness or wrongness does not depend on

                • Comparing breaking into a recreational website with breaking into someone's home is not an equitable comparison.
                  • Why, because you say so? In both cases, A) it's someone else's property, and; B) others have absolutely no right whatsoever to enter it in that fashion. I don't care how much good one thinks will come of it, or how little harm one thinks will come of it - that server was not theirs, and they had no right whatsoever to behave as though it was theirs to do with as they pleased. Morally and ethically, it's exactly the same as "learning" about home security by breaking into strangers' houses.

                    Nobody gets to

            • And in those few cases where hands-on experience is absolutely necessary, you don't need to go out into the world and involve innocent third-parties - you set up a controlled environment where they can play on the playground without actually attacking real people.
              How would you do that? If you set up the security, when you try to break it, you'll have knowledge that the attackers won't. This means that you won't try as hard in areas where you think you did a good job, so those areas might not stand up to a
              • You could set up honeypots, to observe how real bad guys might try to get into a system. You could have someone else set up a test server for you, so that you don't have the advantage of knowing in advance what you're up against.

                Or, you know, you can do the whole thing with no more than a phone call - "Hello, Mr. ICC Webmaster? We're computer security researchers at the University of Colorado, and we'd like your permission to try to break into your systems as part of your research. Plus, in exchange, w

            • Serial-murder specialists don't have to kill scores of people to learn how serial killers operate

              People would be hurt

              Viral pathologists don't infect people with HIV so they can learn how to prevent AIDS

              People would be hurt

              this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means

              Tell me, how is anyone hurt if I were to find a security hole in a bank site, chess club, whatever, and post an email to said bank/club. The only one hurt would be me, m
              • Who is harmed if I break into your house while you're away, especially if I don't take anything or break anything? No one, obviously, so it must be okay, right?

                I don't think so. You are not permitted to treat someone else's property as your own without their permission, no matter how "harmless" you think it might be. It's not your call to make. Period.

                I don't suppose you'd like to try getting a bank to volunteer their codebase for you to test out in your closed environment?

                We didn't "volunteer" ou

          • Kill somebody, and what are the chances you'll notice the eyelash that conveniently fell out? You'd have to look for your own mistakes, while not utilising the information of how it was done at all for you to gain any skill, a...

            Yeah that must be the reason homicide detectives don't get their training by killing people. Moron.

        • Homicide detectives don't stop people from killing. They find out who did it after it's already happened.
        • Maybe that's the reason for high crime! We don't have experienced detectives!
    • Assuming that they are fair to mediocre players and that their scores do not and will never matter, and they are comfortable with having their scores purged, and they do nothing to "help their buddies" or "hurt their enemies", I don't see anything that unethical about it.
      A lot depends on the target and any perceptions of conflict of interest. Even getting nosy about academic records is most likely taboo.
  • by still_sick (585332) on Sunday October 10, 2004 @05:06PM (#10488211)
    Kind of dick move, no?

    They proved their point by putting themselves high up in the ranks.

    A legitimate Research project should NOT have involved messing with other people's accounts.

    If you want to do that, have some person known to the researchers make up an account with the express purpose of their team trying to steal the password.
    • by aerojad (594561)
      I agree. I also wonder if this could cause any charges to be filed for accessing personal information.
    • Erm, I crack other people's systems! I really really do! And I get paid to do it! By the people who contract with me to examine their systems for security flaws... However, I don't hit 'em blind - they know in advance that I'm going to be doing this. This seems like dirty pool...
    • If anyone had read the paper, they would have realized that the summary on /. is misleading (well, wrong).

      No passwords were stolen. No rated games were played, and all games (unrated/rated) were only played between authors of the paper.

  • by Anonymous Coward on Sunday October 10, 2004 @05:07PM (#10488216)
    if we can mod stories as dupe, we can set the threshold high enough so we can never have to deal with idiot editors posting dupes again!!!
  • dupe duke nuker? (Score:5, Insightful)

    by gl4ss (559668) on Sunday October 10, 2004 @05:07PM (#10488217) Homepage Journal


    technically the story it links to is though new, but it's about an old thing.

    now.. about these dupes.. just one thing makes me wonder, do the editors have extremely bad memory or don't they follow slashdot at all themselves? since in most cases a regular reader remembers if he has seen the same story(or one with a lot of resemblance) before. and hell, theoretically they should have more time than 20 secs per a story they pass, so they could have put "chess" into the old stories search.

    now, on things that need refreshing or something a 'follow-up' stories could be worth while doing, but not reporting them as totally new.
    • The real problem besides editors not following slashdot properly is that the search engine is bloody useless. Even if an editor wanted to search for old instances of the same story, slashdot would be essentially no help in this pursuit. A more powerful search which was actually useful would possibly be even a more welcome feature than HTML compliance.
  • by Timesprout (579035) on Sunday October 10, 2004 @05:07PM (#10488224)
    by influencing crackers to dupe [slashdot.org] their cracks, thus saving other organisations from their unwanted attention.
  • Heh (Score:5, Interesting)

    by FiReaNGeL (312636) <fireang3l AT hotmail DOT com> on Sunday October 10, 2004 @05:10PM (#10488239) Homepage
    You don't have to give yourself all the trouble of defeating security to be a chess star on Internet. Just run a copy of fritz on another computer while you 'play'... instant skill!

    This is why I stopped playing online. Nothing beats a real game of chess, in front of a real person anyway. Reactions from your opponent are almost as important as in poker!
  • by mind21_98 (18647) on Sunday October 10, 2004 @05:10PM (#10488242) Homepage Journal
    A public institution funding cheating attempts is cause for concern. I assume they got the Internet Chess Club's permission beforehand, but if they didn't they could be in a world of trouble. Just my two cents.
  • Web Programmers (Score:4, Informative)

    by Jesus IS the Devil (317662) on Sunday October 10, 2004 @05:16PM (#10488283)
    I've seen way too many programmers who think they're the world's greatest gift to mankind, but don't know the FIRST RULE of developing web applications:

    NEVER TRUST USER INPUT

    This leads to stupid hacks like sql injection, html injection (leads to XSS), etc etc.

    Not saying this is how it happened, but I wouldn't be the least bit surprised if this is how it happened.
  • I wonder... (Score:5, Insightful)

    by Oligonicella (659917) on Sunday October 10, 2004 @05:16PM (#10488284)
    what the U of C's attitude would be toward someone who hacked into their computers to, you know, just experiment and gain knowledge? Maybe up their grades or look at other people's information?

    Just wondering if the shoe fits the other foot.
    • Re:I wonder... (Score:2, Informative)

      by Vole_of_Wrath (789989)
      As a student of University of Colorado, living in the dorms no less, CU is VERY uptight about their internet security. They have almost every port closed from the outside, and they don't let you access the internet without several dozen procedures to make sure your computer is safe. I'm not saying it isn't foolproof, but it's like Fort Knox :X
  • Ask Slashdot? (Score:2, Insightful)

    by comwiz56 (447651)
    I think this belongs more as an ask slashdot, "What are the ethics of edu-hacking?"
  • Isn't this Illegal? (Score:3, Interesting)

    by Anonymous Coward on Sunday October 10, 2004 @05:21PM (#10488310)
    I don't see how this being done under the auspices of the school absolves the students from prosecution.

    Can anyone explain this to me?

  • by cliffiecee (136220) on Sunday October 10, 2004 @05:32PM (#10488378) Homepage Journal
    Internet Chess Club has more than 30,000 members worldwide and claims Madonna, Nicolas Cage, Will Smith and Gary Kasparov as players.

    One of these things is not like the others,
    One of these things just doesn't belong,
    Can you tell which thing is not like the others
    By the time I finish my song?
  • Posted by timothy on Monday October 12, @03:00PM
    from the came-back-and-bit-us-in-the-ass dept.
    someguy
    writes "The 30,000-plus-member Internet Chess Club filed suit today against the University of Colorado at Boulder for encouraging students to hack their service as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students were able to reverse-engineer the service to up their ranks and steal passwords
  • Bah (Score:1, Flamebait)

    by Trailwalker (648636)
    A Chess Club?

    Tell them to come back after they have cracked one of the systems at Langley, Va.
    • They were looking for the blueprints for the weapons of mass distraction? TWF? Really. How secure you expect to be a chess club? I suggest they up the difficulty level. Next target: the Girl Scout cookies web server
      • Re:Bah (Score:3, Informative)

        by jnguy (683993)
        A chess club where grandmasters play, and the general population has confidence in, I would imagine it's fairly secure.
        • ...because their ratings on the website are well - if not irrelevant, but at best a confirmation. I have a belief in their skills because of their grandmaster ranking (as in, through tournament play), not because of their online rating. If that was the sole claim to their skill, I would be very doubtful. Tournaments of some importance, even over the internet is often done with a public audience and all that makes it very credible.

          Grandmasters could play on the most unsecure, untrusted of networks and it wo
  • This is research? (Score:2, Insightful)

    by Anonymous Coward
    The difference between this "research" and a felony is exactly what? Maybe the anthrax scare was really an NSF funded biological experiment?

    This is a complete waste of taxpayer money, and Dr. Black should have his grants revoked. In fact, I've been in the supposed "computer security" academic community, and it's mostly bogus crap masqueraded as "research" because people don't know better. Computer security research is the AI of our time.
    • Computer security research is the AI of our time.

      Yes, but AI is also still the AI of our time. So's 90% of Macroeconomics, 80% of Chaos Theory, and a whopping 103.8% of Nanotech.
    • well the difference is obvious so what you're asking is a loaded question. Other people too have compared this to killing as a crime, which is also absurd.... It is what it is, maybe it's foolish to do, but it's not the same thing as an actual crime, because actual crimes and even actual crime's punishments are based on intent. They intended to use the information in an educational manner and they also intended to tell the chess club that they did it, they didn't intend to change madonna's account around
  • security (Score:3, Funny)

    by virtualone (768392) on Sunday October 10, 2004 @06:00PM (#10488525)
    From TFA - "Unless you have a lot of experience, don't try to invent your own security system, it will just be broken"

    instead, just blindly trust that handy cryptography API that came with your operating system
    - (c) by the NSA
  • by Provocateur (133110) on Sunday October 10, 2004 @06:47PM (#10488805) Homepage
    You'd think they'd unlock the keys to the playboy/Penthouse site and gain gold membership or something, folks, but nooooo....it hadda be the Chess Club.

    To quote Homer's brain, That's it; I'm leaving.

  • by Anonymous Coward
    to academics and not institutions.

    In all fairness... after reading the original paper, I asked ICC if they are aware of the problem and they directed me to their security help file. ICC did fix one problem regarding membership payments:

    http://www.chessclub.com/help/security

    "Question: Is my credit card secure at ICC?

    ICC has upgraded the way we process online payments. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.php

    When you access the web form, your
  • great news (Score:4, Funny)

    by Pierre (6251) on Sunday October 10, 2004 @08:01PM (#10489137)
    This is great! I forgot my password 6 months ago and I can't get anybody to reset it for me - I'll bet these guys have recovered it - woo hoo I can play chess again
  • by gmacd997 (811854) on Sunday October 10, 2004 @09:03PM (#10489534)
    The Internet Chess Club (ICC) has taken steps to improve security since this paper was published.

    For details on the paper and ICC's response see the help file at:
    http://www.chessclub.com/help/blackpaper

    For details on how ICC protects user's security see:
    http://www.chessclub.com/help/security

    For details on how ICC protects user's privacy see:
    http://www.chessclub.com/help/privacy

    An excerpt from the /blackpaper help file:

    Question: What is ICC doing to improve security?

    ICC is doing three main things to improve security:

    1) ICC has changed our payment systems so that all online credit card payments go through secure web forms. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.php When you access the web form, your browser shows a 'locked padlock' icon that indicates your communication with ICC are encrypted and secure. ICC takes great care in protecting financial information. See http://www.chessclub.com/help/privacy for more information.

    2) ICC is updating Timestamp to close the cracks identified in the paper. This process will take some time to complete. As Black, Cochran, and Gardner show in their paper, getting Timestamp security right is a complex task. Ultimately, when we deploy a new version of Timestamp, ICC users will need to upgrade their chess client software to take advantage of the increased security.

    3) ICC is doing an internal security review. ICC is committed to keeping confidential data secure through upgrades to our servers and client programs. We are actively engaged in improving our current security mechanisms, while at the same time, devoting substantial resources to catching cheaters.

    ...

    If you have any questions or comments, you can ask a question in Channel 1, the Help Channel, send a message to ICC or send an email to icc@chessclub.com.

    Also, ICC is not suing anyone over the paper by John Black, Martin Cochran, and Ryan Gardner.

    George MacDonald
    General Manager
    Internet Chess Club
  • by Vellmont (569020) on Sunday October 10, 2004 @10:07PM (#10489877) Homepage
    The article seems to exaggerate the importance of this hack by talking about voting, credit card numbers, etc. But my question is how significant is this?

    How secure something needs to be depends on what it is you're protecting. In this case it's the legitimacy of a chess game played over the internet and ratings of individual players. Is there something at stake more than game fairness and an online chess rating? (prize money for example). The article mentions famous people are on the server, is Madonna's chess account being hacked supposed to make me feel scared?

    The problems should be fixed of course (if possible), but it sure seems like we're scraping the bottom of the security alert barrel on this one.
  • ... include coverage of people who have nothing better to do with their time than cheat at a board game?
