Colorado Researchers Crack Internet Chess Club

edpin writes "University of Colorado at Boulder students hacked the 30,000-plus-member Internet Chess Club as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students reverse-engineered the service to up their ranks and steal passwords." Update: 10/10 23:05 GMT by T : Reader Bryan Rapp points out that this story duplicates the one posted last month -- sorry about that.
  • by still_sick ( 585332 ) on Sunday October 10, 2004 @06:06PM (#10488211)
    Kind of dick move, no?

    They proved their point by putting themselves high up in the ranks.

    A legitimate Research project should NOT have involved messing with other people's accounts.

    If you want to do that, have some person known to the researchers make up an account with the express purpose of their team trying to steal the password.
  • dupe duke nuker? (Score:5, Insightful)

    by gl4ss ( 559668 ) on Sunday October 10, 2004 @06:07PM (#10488217) Homepage Journal


    technically the story it links to is though new, but it's about an old thing.

    now.. about these dupes.. just one thing makes me wonder, do the editors have extremely bad memory or don't they follow slashdot at all themselves? since in most cases a regular reader remembers if he has seen the same story(or one with a lot of resemblance) before. and hell, theoretically they should have more time than 20 secs per a story they pass, so they could have put "chess" into the old stories search.

    now, on things that need refreshing or something a 'follow-up' stories could be worth while doing, but not reporting them as totally new.
  • by mind21_98 ( 18647 ) on Sunday October 10, 2004 @06:10PM (#10488242) Homepage Journal
    A public institution funding cheating attempts is cause for concern. I assume they got the Internet Chess Club's permission beforehand, but if they didn't they could be in a world of trouble. Just my two cents.
  • by Ars-Fartsica ( 166957 ) on Sunday October 10, 2004 @06:14PM (#10488265)
    Yes they probably could just search through old articles for a title matching the new submission, or some regex at submission time...I mean come on, this is a solvable problem.
  • I wonder... (Score:5, Insightful)

    by Oligonicella ( 659917 ) on Sunday October 10, 2004 @06:16PM (#10488284)
    what the U of C's attitude would be toward someone who hacked into their computers to, you know, just experiment and gain knowledge? Maybe up their grades or look at other people's information?

    Just wondering if the shoe fits the other foot.
  • Ask Slashdot? (Score:2, Insightful)

    by comwiz56 ( 447651 ) <<comwiz> <at> <gmail.com>> on Sunday October 10, 2004 @06:19PM (#10488300) Homepage
    I think this belongs more as an ask slashdot, "What are the ethics of edu-hacking?"
  • by general_re ( 8883 ) on Sunday October 10, 2004 @06:25PM (#10488333) Homepage
    Don't you have to know how to commit a crime in order to stop folks from committing crimes?

    Exactly why killing a man is part and parcel of becoming a homicide detective. Errr, wait, it's not.

    Yes, you have to know how crimes are committed to solve/prevent them, but committing those crimes is not the only way to gain that knowledge.

  • by Anonymous Coward on Sunday October 10, 2004 @06:44PM (#10488437)
    nah just get rid of timothy
  • This is research? (Score:2, Insightful)

    by Anonymous Coward on Sunday October 10, 2004 @06:57PM (#10488509)
    The difference between this "research" and a felony is exactly what? Maybe the anthrax scare was really an NSF funded biological experiment?

    This is a complete waste of taxpayer money, and Dr. Black should have his grants revoked. In fact, I've been in the supposed "computer security" academic community, and it's mostly bogus crap masqueraded as "research" because people don't know better. Computer security research is the AI of our time.
  • by XaXXon ( 202882 ) * <xaxxon&gmail,com> on Sunday October 10, 2004 @06:58PM (#10488514) Homepage
    What completely boggles my mind is that he posted BOTH of the stories. I mean.. if he took a week off or something and didn't realize the other story had been posted, I could understand it.. but he posted BOTH. ...shakes head...
  • by general_re ( 8883 ) on Sunday October 10, 2004 @07:36PM (#10488734) Homepage
    As I said, though, there are plenty of ways to gain that kind of knowledge without actually breaking the law. Forensic accountants learn how to spot money-laundering schemes without having to get out there and launder money. Serial-murder specialists don't have to kill scores of people to learn how serial killers operate. Viral pathologists don't infect people with HIV so they can learn how to prevent AIDS.

    In all those cases, they study past cases, study current events, and don't generally have to become like the things they're acting against in order to defeat them, and I have no idea why computer security should be different - as someone who used to work in banking, allow me to testify that we didn't go out and rob banks or kite checks in order to learn how to prevent others from doing the same. And in those few cases where hands-on experience is absolutely necessary, you don't need to go out into the world and involve innocent third-parties - you set up a controlled environment where they can play on the playground without actually attacking real people. The ethics of this sort of "white-hat" hacking are non-existent - this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means.

  • by Vellmont ( 569020 ) on Sunday October 10, 2004 @11:07PM (#10489877) Homepage
    The article seems to exaggerate the importance of this hack by talking about voting, credit card numbers, etc. But my question is how significant is this?

    How secure something needs to be depends on what it is you're protecting. In this case it's the legitimacy of a chess game played over the internet and ratings of individual players. Is there something at stake more than game fairness and an online chess rating? (prize money for example). The article mentions famous people are on the server, is Madonna's chess account being hacked supposed to make me feel scared?

    The problems should be fixed of course (if possible), but it sure seems like we're scraping the bottom of the security alert barrel on this one.
  • by Tony-A ( 29931 ) on Sunday October 10, 2004 @11:25PM (#10489952)
    Assuming that they are fair to mediocre players and that their scores do not and will never matter, and they are comfortable with having their scores purged, and they do nothing to "help their buddies" or "hurt their enemies", I don't see anything that unethical about it.
    A lot depends on the target and any perceptions of conflict of interest. Even getting nosy about academic records is most likely taboo.
  • Re:Meanwhile... (Score:3, Insightful)

    by Old Wolf ( 56093 ) on Monday October 11, 2004 @01:49AM (#10490517)
    The unfortunate side of this coin is that 'smart' cards don't actually offer a lot of added security. Most of the objections people have raised to magstripe cards still apply to smartcards. Also, most smartcards get their security hacked within a few months of coming out (meaning that the manufacturers are continually in a cycle of sending new cards out). Their only benefit is that the unwashed masses feel safer.

    This is really a great fraud which makes money for the people developing smart-card processing systems and the general public pay for it (well, the merchants pay for it, and they usually pass the costs onto the customers).

  • by general_re ( 8883 ) on Monday October 11, 2004 @04:43AM (#10491163) Homepage
    But if you did go out and rob banks and kite checks, would you not learn something from what worked and what did not?

    Maybe. But the problem is that in so doing, the "good guys" become morally, ethically, and legally indistinguishable from the bad guys - you've erased the difference between you and them, your altruistic motives notwithstanding. The ends do not justify the means.

    But hacking a chess site is probably not so bad, since potential harm is low.

    The rightness or wrongness does not depend on the level of risk to the perpetrators. Investigating the efficacy of home security systems is a worthy goal. Breaking into strangers' houses is not an appropriate method of pursuing that goal, even if you minimize the risk by making sure that nobody's home at the time. And, I suppose I should add, even if you don't plan to take anything.
