Colorado Researchers Crack Internet Chess Club
edpin writes "University of Colorado at Boulder students hacked the 30,000-plus-member Internet Chess Club as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students reverse-engineered the service to up their ranks and steal passwords."
Update: 10/10 23:05 GMT by T: Reader Bryan Rapp points out that this story duplicates the one posted last month -- sorry about that.
Another dupe, timothy? (Score:5, Informative)
Re:Another dupe, timothy? (Score:5, Funny)
Slashdot needs dupe detection for editors (Score:3, Insightful)
Re:Slashdot needs dupe detection for editors (Score:5, Insightful)
perhaps a grant could be applied (Score:3, Funny)
I mean come on, this is a solvable problem.
Yes, I agree with you. Perhaps the National Science Foundation can dedicate next year's grant to solving Slashdot's dupe problem instead of hacking into an internet chess club.
Re:Another dupe, timothy? (Score:0)
And timothy is not talking to timothy . . .
What a shame. So much for professionalism. Isn't this the second story that timothy has duplicated today? Apparently timothy has a thing for Chess clubs and Intestinal robots . . .
See the intestinal robot duplication here [slashdot.org]
Re:Another dupe, timothy? (Score:0)
"Internet Chess Club" Security Defeat site:slashdot.org
The first (of only 2) story listed is the original that you mention. It's not that hard. But I guess this is Timothy we are talking about.
Re:Another dupe, timothy? (Score:3, Insightful)
Re:Another dupe, timothy? (Score:1)
Forgive me father, for I have sinned
Re:Another dupe, timothy? (Score:4, Interesting)
Re:Another dupe, timothy? (Score:2)
Re:Another dupe, timothy? (Score:2)
Meanwhile... (Score:2)
Re:Meanwhile... (Score:3, Funny)
Re:Meanwhile... (Score:2)
Re:Meanwhile... (Score:3, Interesting)
Re:Meanwhile... (Score:3, Insightful)
This is really a great fraud which makes money for the people developing smart-card processing systems and the general public pay for it (well, the merchants pay for it, and they usually pass the costs onto the customers).
Re:Meanwhile... (Score:1)
Re:Meanwhile... (Score:2)
Re:Meanwhile... (Score:1)
Re:Meanwhile... (Score:2)
Thankfully it doesn't seem to be switched on in the UK yet - I've never been asked for a PIN... refusing to type it in while surrounded by shoppers could cause a scene (either give me a secure way to type it in and prove it's secure, or you ain't getting it).
Re:Meanwhile... (Score:1)
Exactly :) I've developed a technique of laying all my fingers over the keys so it's harder to tell exactly which ones I pressed. I'd prefer it if the keypad were hidden somehow though.
Re:Meanwhile... (Score:1)
Whilst in the past some criminals would hide/wire up devices to cash machines, they can now do so from the comfort of their own shops..
The PIN should NOT be the same as the one used in places where the card isn't visually inspected (i.e. cash machines)
Re:Meanwhile... (Score:2)
The banks won't certify any particular device for use in shops (and thus, they won't be able to process transactions successfully) if it allows this.
Also, if a shopkeeper perpetrated the fraud by the other means you suggest, it would be simple to trace it to that shop, by examining the transaction records.
Finally, later versions of the terminal software do not actually record the card number, to avoid this very problem. You should see on the receipt something like "49997........0452" , enough digits to identify the card well enough for audit purposes but not to allow someone to commit fraud with it. And as before, a terminal modification which steals card numbers, would not pass certification.
NB. This is how it works in New Zealand, if other countries don't implement security measures then they are stupid.
Re:Meanwhile... (Score:2)
I think you've misunderstood the scenario.
Dishonest shopkeeper installs tampered with reader (why would he care about certification)? Shoppers come in and buy the low value items (say We've seen something like that here in the UK with crooks setting up their own ATMs, which do dispense money (at their cost) which they recoup many times over using the stolen card details.
Re:Meanwhile... (Score:1)
Re:Meanwhile... (Score:2)
Stupid Slashdot misinterpreting less than signs, you'd think they'd get a competent developer to fix their code as well (and make the pound symbol work without requiring arcane knowledge).
I think you've misunderstood the scenario.
Dishonest shopkeeper installs tampered with reader (why would he care about certification)? Shoppers come in and buy the low value items (say less than 100GBP) and swallows that loss. Shopkeeper takes their card data and stolen PINS and goes on a spending spree.
We've seen something like that here in the UK with crooks setting up their own ATMs, which do dispense money (at their cost) which they recoup many times over using the stolen card details.
Re:Meanwhile... (Score:1)
When cash machines first came out, they didn't have realtime links to the central bank for your account. So the card held the value for the amount you'd withdrawn that day (and therefore presumably also the pin), so that if you went to another machine, it could make sure you hadn't withdrawn over your daily allowance.
A popular scam at the time cash machines first came out was to get your own legitimate card, with (say) a £500 quid a day limit.
Clone the card (e.g.) 60 times (sticking a piece of video tape over any old piece of plastic of the same size would do), then go to (e.g.) 60 different cash point machines - on each card, you withdraw your £500 quid limit, you then toss (or reprogramme) the card, and use the next card on a new machine etc.
Then after the day is done, you do a runner
Back then, though, I think the problem wasn't that great, due to the fact that there weren't all that many cash machines around !
Re:Meanwhile... (Score:1)
A thief's attempt at your signature need only be an approximation to be accepted - and at some shops they don't seem to check at all. You don't really think that the millions of fraudulent transactions that are carried out on stolen cards are all from people with simple signatures, do you? If someone steals your card, they will walk into a shop and try to buy a high-value item, for example a laptop or jewellery. If the shop insists on PIN entry, they will be stopped UNLESS they've seen your number, whereas your signature is right there on the back of the card.
By the way, chip-and-PIN cards are on their way to the UK - I've already used them a few times.
Sounds pretty smug to me... (Score:2)
Is it me or does he sound kinda smug about all this? What, did he join ICC some while ago and get his ass handed to him...so all this time he planned his revenge on the whole ICC and those that brought him down! ATTACK THEIR SITE!! And get the NSF to fund him to do it! ATTACK! ATTACK!
Um...cough...sorry, got a little carried away there...
Re:Meanwhile... (Score:2)
Re:Meanwhile... (Score:2)
That's even more extreme... by just knowing one number that they print out on receipts you can access someone's bank account.
This isn't really useful... (Score:5, Funny)
Re:This isn't really useful... (Score:0)
Re:This isn't really useful... (Score:4, Informative)
Re:This isn't really useful... (Score:2)
Re:This isn't really useful... (Score:0)
Will they never learn? (Score:5, Funny)
Those admins need a good kick up the backside.
Forget white hat and black hat... (Score:2, Interesting)
Maybe that's just me. *shrug*
Re:Forget white hat and black hat... (Score:0)
Re:Forget white hat and black hat... (Score:0)
Yes I would have. My school had some great teachers. It's just you.
Re:Forget white hat and black hat... (Score:2, Funny)
What you've said is paramount to saying that no sex education will keep us all virgins!!
Cheers,
-- The Dude
Re:Forget white hat and black hat... (Score:5, Insightful)
Exactly why killing a man is part and parcel of becoming a homicide detective. Errr, wait, it's not.
Yes, you have to know how crimes are committed to solve/prevent them, but committing those crimes is not the only way to gain that knowledge.
Re:Forget white hat and black hat... (Score:2)
Kill somebody, and what are the chances you'll notice the eyelash that conveniently fell out? You'd have to look for your own mistakes, while not utilising the information of how it was done at all for you to gain any skill, and it would be easier to wait until somebody gets killed for a reason other than to solve. The killing itself would get you nothing, all the benefit comes from solving it.
On the other hand, when you hack, you find out what mistakes other people make, so that you can then not make them. The benefit comes from knowing how people will attempt to hack you.
To put it another way, a detective must know how to attack. Unless they commit homicide, in which case they'll be on the defense, knowing how to defend is useless if you don't learn how to bypass those defenses, which it won't (note: I am neither a homicide detective nor a cold-blooded murderer). The skill of bypassing defenses comes from attacking, not from defending. A security expert is on the defense though, making him more akin to the killer - and being a homicide detective will certainly help you evade other homicide detectives. Since he must defend, he must know how he will be attacked, and to have the best knowledge of that, he must attack.
This is probably redundant by now, but I don't wanna waste the typing.
Re:Forget white hat and black hat... (Score:5, Insightful)
In all those cases, they study past cases, study current events, and don't generally have to become like the things they're acting against in order to defeat them, and I have no idea why computer security should be different - as someone who used to work in banking, allow me to testify that we didn't go out and rob banks or kite checks in order to learn how to prevent others from doing the same. And in those few cases where hands-on experience is absolutely necessary, you don't need to go out into the world and involve innocent third-parties - you set up a controlled environment where they can play on the playground without actually attacking real people. The ethics of this sort of "white-hat" hacking are non-existent - this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means.
Re:Forget white hat and black hat... (Score:2)
There's a question of whether learning to practice is faster/cheaper than learning through study, and I doubt that either is better for all situations.
Obviously, robbing a bank for practice is a bad idea, as someone is liable to get shot. But hacking a chess site is probably not so bad, since potential harm is low.
Re:Forget white hat and black hat... (Score:3, Insightful)
Maybe. But the problem is that in so doing, the "good guys" become morally, ethically, and legally indistinguishable from the bad guys - you've erased the difference between you and them, your altruistic motives notwithstanding. The ends do not justify the means.
But hacking a chess site is probably not so bad, since potential harm is low.
The rightness or wrongness does not depend on the level of risk to the perpetrators. Investigating the efficacy of home security systems is a worthy goal. Breaking into strangers' houses is not an appropriate method of pursuing that goal, even if you minimize the risk by making sure that nobody's home at the time. And, I suppose I should add, even if you don't plan to take anything.
But you're still missing the point... (Score:2)
Re:But you're still missing the point... (Score:2)
Nobody gets to decide for themselves which rules, regulations, or laws apply to them based on whatever "higher" end they happen to have in mind, not even witless academics.
Re:Forget white hat and black hat... (Score:2)
How would you do that? If you set up the security, when you try to break it, you'll have knowledge that the attackers won't. This means that you won't try as hard in areas where you think you did a good job, so those areas might not stand up to a real cracker.
I agree that you shouldn't hack a site to learn how to defend yourself, but as long as nothing gets hurt or damaged I don't have much problem with it, and sometimes it is the best way.
Re:Forget white hat and black hat... (Score:2)
Or, you know, you can do the whole thing with no more than a phone call - "Hello, Mr. ICC Webmaster? We're computer security researchers at the University of Colorado, and we'd like your permission to try to break into your systems as part of your research. Plus, in exchange, we can help you harden your systems afterward." Would that really have been so difficult? Is that really so unreasonable, that they should ask permission beforehand? Bad guys trespass without permission - that's how we know they're bad guys. Good guys aren't supposed to do that too.
Apples and oranges (Score:2)
People would be hurt
Viral pathologists don't infect people with HIV so they can learn how to prevent AIDS
People would be hurt
this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means
Tell me, how is anyone hurt if I were to find a security hole in a bank site, chess club, whatever, and post an email to said bank/club. The only one hurt would be me, mainly because I would probably have my ass sued off. Deaths by murder or HIV are quite often very obvious, a hacker sneaking into a computer and filing off $0.001/account/day isn't necessarily so. Yes, you can study existing hacks, but the fact is that it's the new and unusual ones that one should beware of... not quite as straightforward as many other cases.
Oh, and for the record - scientists might not infect the general public with a virus to test it - but they will infect test animals/etc and try some "cures" on human volunteers. I don't suppose you'd like to try getting a bank to volunteer their codebase for you to test out in your closed environment?
Re:Apples and oranges (Score:2)
I don't think so. You are not permitted to treat someone else's property as your own without their permission, no matter how "harmless" you think it might be. It's not your call to make. Period.
I don't suppose you'd like to try getting a bank to volunteer their codebase for you to test out in your closed environment?
We didn't "volunteer" our code to people. We hired professionals, both as employees and as consultants to vet our stuff. Nor did we accept volunteer "consultants" - I assure you, the ICC webmaster was far more generous than my former employers would have been. If it were their systems and their call, the FBI would have been kicking down doors on the CU campus before the ink even dried on their "research paper"
Re:Forget white hat and black hat... (Score:2)
Yeah that must be the reason homicide detectives don't get their training by killing people. Moron.
Re:Forget white hat and black hat... (Score:1)
Re:Forget white hat and black hat... (Score:1)
Re:Forget white hat and black hat... (Score:3, Insightful)
A lot depends on the target and any perceptions of conflict of interest. Even getting nosy about academic records is most likely taboo.
Re:illegal (Score:1)
Stealing Passwords? (Score:5, Insightful)
They proved their point by putting themselves high up in the ranks.
A legitimate Research project should NOT have involved messing with other people's accounts.
If you want to do that, have some person known to the researchers make up an account with the express purpose of their team trying to steal the password.
Re:Stealing Passwords? (Score:2, Interesting)
Re:Stealing Passwords? (Score:1)
Re:Stealing Passwords? (Score:1)
No passwords were stolen. No rated games were played, and all games (unrated/rated) were only played between authors of the paper.
we should be able to mod stories (Score:3, Interesting)
dupe duke nuker? (Score:5, Insightful)
technically the story it links to is though new, but it's about an old thing.
now.. about these dupes.. just one thing makes me wonder, do the editors have extremely bad memory or don't they follow slashdot at all themselves? since in most cases a regular reader remembers if he has seen the same story (or one with a lot of resemblance) before. and hell, theoretically they should have more time than 20 secs per a story they pass, so they could have put "chess" into the old stories search.
now, on things that need refreshing or something a 'follow-up' stories could be worth while doing, but not reporting them as totally new.
Re:dupe duke nuker? (Score:0)
Re:dupe duke nuker? (Score:2)
Re:dupe duke nuker? (Score:1)
Re:dupe duke nuker? (Score:2)
Slashdot fights evil (Score:5, Funny)
Heh (Score:5, Interesting)
This is why I stopped playing online. Nothing beats a real game of chess, in front of a real person anyway. Reactions from your opponent are almost as important as in poker!
Ethical ramifications of this. (Score:4, Insightful)
Web Programmers (Score:4, Informative)
NEVER TRUST USER INPUT
This leads to stupid hacks like sql injection, html injection (leads to XSS), etc etc.
Not saying this is how it happened, but I wouldn't be the least bit surprised if this is how it happened.
Re:Web Programmers (Score:5, Funny)
But keep on trucking web guru!
Re:Web Programmers (Score:2)
READ grasshoppa read!
I wonder... (Score:5, Insightful)
Just wondering if the shoe fits the other foot.
Re:I wonder... (Score:2, Informative)
Ask Slashdot? (Score:2, Insightful)
Isn't this Illegal? (Score:3, Interesting)
Can anyone explain this to me?
Such an august list of members (Score:5, Funny)
One of these things is not like the others,
One of these things just doesn't belong,
Can you tell which thing is not like the others
By the time I finish my song?
Re:Such an august list of members (Score:5, Funny)
Re:Such an august list of members (Score:2)
Re:Such an august list of members (Score:1)
YRO: Internet Chess Club Sues Colorado Researchers (Score:1)
from the came-back-and-bit-us-in-the-ass dept.
someguy writes "The 30,000-plus-member Internet Chess Club filed suit today against the University of Colorado at Boulder for encouraging students to hack their service as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students were able to reverse-engineer the service to up their ranks and steal passwords."
( Read More... | 1 of 3 comments | yro.slashdot.org )
Bah (Score:1, Flamebait)
Tell them to come back after they have cracked one of the systems at Langley, Va.
Re:Bah (Score:1)
Re:Bah (Score:3, Informative)
I don't really... (Score:2)
Grandmasters could play on the most unsecure, untrusted of networks and it would do very little to them. As long as they get to play interesting games against worthy opponents, why should they care about some online ranking? They have their real ranking to show.
Kjella
This is research? (Score:2, Insightful)
This is a complete waste of taxpayer money, and Dr. Black should have his grants revoked. In fact, I've been in the supposed "computer security" academic community, and it's mostly bogus crap masqueraded as "research" because people don't know better. Computer security research is the AI of our time.
Re:This is research? (Score:2)
Yes, but AI is also still the AI of our time. So's 90% of Macroeconomics, 80% of Chaos Theory, and a whopping 103.8% of Nanotech.
Re:This is research? (Score:1)
Re:This is research? (Score:1)
1.evading taxes to give to charity
2.stealing money from a bank to give to charity
in both cases your INTENT is to steal money from one source and give to another source....hacking into a computer isn't stealing what are you stealing ?
Crime is based on INTENT.... why do you think crazy people don't go to jail....why do you think 10 year old children don't go to jail....why do you think someone who kills someone by purely accident gets a slap on the wrist....
Maybe I worded it wrong, yes they intended to hack a computer, but their intentions were only to hack, not to do anything else, so ok they're guilty of figuring out how to break into a safe and not take anything oh no they should be punished severely....
security (Score:3, Funny)
instead, just blindly trust that handy cryptography API that came with your operating system
- (c) by the NSA
Even in THIS dupe, it's the CHESS CLUB folks! (Score:3, Funny)
To quote Homer's brain, That's it; I'm leaving.
Academic research reporting should be left... (Score:1, Informative)
In all fairness... after reading the original paper, I asked ICC if they are aware of the problem and they directed me to their security help file. ICC did fix one problem regarding membership payments:
http://www.chessclub.com/help/security
"Question: Is my credit card secure at ICC?
ICC has upgraded the way we process online payments. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.p
When you access the web form, your browser shows a "locked padlock" icon that indicates your communication with ICC are encrypted and secure. ICC takes great care in protecting financial information. See help privacy for more information. In almost ten years of service, no member has ever lost a penny of their money because of poor security at ICC."
Now if only someone could divulge Madonna's online name so all the chess geeks could finger her.
great news (Score:4, Funny)
ICC Security Improvements (Score:5, Informative)
For details on the paper and ICC's response see the help file at:
http://www.chessclub.com/help/blackpaper
For details on how ICC protects user's security see:
http://www.chessclub.com/help/security
For details on how ICC protects user's privacy see:
http://www.chessclub.com/help/privacy
An excerpt from the
Question: What is ICC doing to improve security?
ICC is doing three main things to improve security:
1) ICC has changed our payment systems so that all online credit card payments go through secure web forms. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.p
2) ICC is updating Timestamp to close the cracks identified in the paper. This process will take some time to complete. As Black, Cochran, and Gardner show in their paper, getting Timestamp security right is a complex task. Ultimately, when we deploy a new version of Timestamp, ICC users will need to upgrade their chess client software to take advantage of the increased security.
3) ICC is doing an internal security review. ICC is committed to keeping confidential data secure through upgrades to our servers and client programs. We are actively engaged in improving our current security mechanisms, while at the same time, devoting substantial resources to catching cheaters.
If you have any questions or comments, you can ask a question in Channel 1, the Help Channel, send a message to ICC or send an email to icc@chessclub.com.
Also, ICC is not suing anyone over the paper by John Black, Martin Cochran, and Ryan Gardner.
George MacDonald
General Manager
Internet Chess Club
hacking the honor system... (Score:3, Insightful)
How secure something needs to be depends on what it is you're protecting. In this case it's the legitimacy of a chess game played over the internet and ratings of individual players. Is there something at stake more than game fairness and an online chess rating? (prize money for example). The article mentions famous people are on the server, is Madonna's chess account being hacked supposed to make me feel scared?
The problems should be fixed of course (if possible), but it sure seems like we're scraping the bottom of the security alert barrel on this one.
Since when does "news for nerds" (Score:2, Funny)
Re:Is slashdot editing anything like survivor? (Score:3, Informative)
Re:Choice quote... (Score:1, Funny)