Colorado Researchers Crack Internet Chess Club 130
edpin writes "University of Colorado at Boulder students hacked the 30,000-plus-member Internet Chess Club as part of research funded by the National Science Foundation. With guidance from University of
Colorado at Boulder computer security researcher John Black, two students reverse-engineered the service to up their ranks and steal passwords." Update: 10/10 23:05 GMT by T : Reader Bryan Rapp points out that this story duplicates the one posted last month -- sorry about that.
Another dupe, timothy? (Score:5, Informative)
Re:Another dupe, timothy? (Score:5, Funny)
Slashdot needs dupe detection for editors (Score:3, Insightful)
Re:Slashdot needs dupe detection for editors (Score:5, Insightful)
perhaps a grant could be applied (Score:3, Funny)
I mean come on, this is a solvable problem.
Yes, I agree with you. Perhaps the National Science Foundation can dedicate next year's grant to solving Slashdot's dupe problem instead of hacking into an internet chess club.
Re:Another dupe, timothy? (Score:3, Insightful)
Re:Another dupe, timothy? (Score:1)
Forgive me father, for I have sinned
Re:Another dupe, timothy? (Score:4, Interesting)
Re:Another dupe, timothy? (Score:2)
Re:Another dupe, timothy? (Score:2)
Meanwhile... (Score:2)
Re:Meanwhile... (Score:3, Funny)
Re:Meanwhile... (Score:2)
Re:Meanwhile... (Score:3, Interesting)
Re:Meanwhile... (Score:3, Insightful)
This is really a great fraud which makes money for the people developing smart-card processing
Re:Meanwhile... (Score:1)
Re:Meanwhile... (Score:2)
Re:Meanwhile... (Score:1)
Re:Meanwhile... (Score:2)
Thankfully it doesn't seem to be switched on in the UK yet - I've never been asked for a PIN... refusing to type it in while surrounded by shoppers could cause a scene (either give me a secure way to type it in and prove it's secure, or you ain't getting it).
Re:Meanwhile... (Score:1)
Exactly :) I've developed a technique of laying all my fingers over the keys so it's harder to tell exactly which ones I pressed. I'd prefer it if the keypad were hidden somehow though.
Re:Meanwhile... (Score:1)
Whilst in the past some criminals would hide/wire up devices to cash machines, they can now do so from the comfort of their own shops.
The PIN should NOT be the same as the one u
Re:Meanwhile... (Score:2)
The banks won't certify any particular device for use in shops (and thus, they won't be able to process transactions successfully) if it allows this.
Also, if a shopkeeper perpetrated the fraud by the other means you suggest, it would be simple to trace it to that shop, by examining the transaction records.
Finally, later versions of the terminal software do not actually record the card number, to avoid this very
Re:Meanwhile... (Score:2)
I think you've misunderstood the scenario.
Dishonest shopkeeper installs tampered-with reader (why would he care about certification)? Shoppers come in and buy the low value items (say We've seen something like that here in the UK with crooks setting up their own ATMs, which do dispense money (at their cost) which they recoup many times over using the stolen card details.
Re:Meanwhile... (Score:1)
Re:Meanwhile... (Score:2)
Stupid Slashdot misinterpreting less-than signs, you'd think they'd get a competent developer to fix their code as well (and make the pound symbol work without requiring arcane knowledge).
I think you've misunderstood the scenario.
Dishonest shopkeeper installs tampered-with reader (why would he care about certification)? Shoppers come in and buy the low value items (say less than 100GBP) and swallows that loss. Shopkeeper takes their card data and stolen PINs and goes on a spending spree.
We've seen so
Re:Meanwhile... (Score:1)
When cash machines first came out, they didn't have real-time links to the central bank for your account. So the card held the value for the amount you'd withdrawn that day (and therefore presumably also the PIN), so that if you went to another machine, it could make sure you hadn't withdrawn over your daily allowance.
A popular scam at the time cash machines first came out was to get your
Re:Meanwhile... (Score:1)
A thief's attempt at your signature need only be an approximation to be accepted - and at some shops they don't seem to check at all. You don't really think that the millions of fraudulent transactions that are carried out on stolen cards are all from people with simple signatures, do you? If someone steals your card, they will walk into a shop and try to buy a high-value item, for example a laptop or jewellery. If th
Sounds pretty smug to me... (Score:2)
Is it me or does he sound kinda smug about all this? What, did he join ICC some while ago and get his ass handed to him...so all this time he planned his revenge o
Re:Meanwhile... (Score:2)
Re:Meanwhile... (Score:2)
That's even more extreme... by just knowing one number that they print out on receipts you can access someone's bank account.
This isn't really useful... (Score:5, Funny)
Re:This isn't really useful... (Score:4, Informative)
Re:This isn't really useful... (Score:2)
Will they never learn? (Score:5, Funny)
Those admins need a good kick up the backside.
Forget white hat and black hat... (Score:2, Interesting)
Maybe that's just me. *shrug*
Re:Forget white hat and black hat... (Score:2, Funny)
What you've said is paramount to saying that no sex education will keep us all virgins!!
Cheers,
-- The Dude
Re:Forget white hat and black hat... (Score:5, Insightful)
Exactly why killing a man is part and parcel of becoming a homicide detective. Errr, wait, it's not.
Yes, you have to know how crimes are committed to solve/prevent them, but committing those crimes is not the only way to gain that knowledge.
Re:Forget white hat and black hat... (Score:2)
Kill somebody, and what are the chances you'll notice the eyelash that conveniently fell out? You'd have to look for your own mistakes, while not utilising the information of how it was done at all for you to gain any skill, and it would be easier to wait until somebody gets killed for a reason other than to solve. The killing itself would get you
Re:Forget white hat and black hat... (Score:5, Insightful)
In all those cases, they study past cases, study current events, and don't generally have to become like the things they're acting against in order to defeat them, and I have no idea why computer security should be different - as someone who used to work in banking, allow me to testify that we didn't go out and rob banks or kite checks in order to learn how to prevent others from doing the same. And in those few cases where hands-on experience is absolutely necessary, you don't need to go out into the world and involve innocent third-parties - you set up a controlled environment where they can play on the playground without actually attacking real people. The ethics of this sort of "white-hat" hacking are non-existent - this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means.
Re:Forget white hat and black hat... (Score:2)
There's a question of whether learning to practice is faster/cheaper than learning through study, and I doubt that either is better for all situations.
Obviously, robbing a bank for practice is a bad idea, as someone is liable to get shot. But hacking a chess site is probably not so bad, since potential harm is low.
Re:Forget white hat and black hat... (Score:3, Insightful)
Maybe. But the problem is that in so doing, the "good guys" become morally, ethically, and legally indistinguishable from the bad guys - you've erased the difference between you and them, your altruistic motives notwithstanding. The ends do not justify the means.
But hacking a chess site is probably not so bad, since potential harm is low.
The rightness or wrongness does not depend on
But you're still missing the point... (Score:2)
Re:But you're still missing the point... (Score:2)
Nobody gets to
Re:Forget white hat and black hat... (Score:2)
How would you do that? If you set up the security, when you try to break it, you'll have knowledge that the attackers won't. This means that you won't try as hard in areas where you think you did a good job, so those areas might not stand up to a
Re:Forget white hat and black hat... (Score:2)
Or, you know, you can do the whole thing with no more than a phone call - "Hello, Mr. ICC Webmaster? We're computer security researchers at the University of Colorado, and we'd like your permission to try to break into your systems as part of your research. Plus, in exchange, w
Apples and oranges (Score:2)
People would be hurt
Viral pathologists don't infect people with HIV so they can learn how to prevent AIDS
People would be hurt
this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means
Tell me, how is anyone hurt if I were to find a security hole in a bank site, chess club, whatever, and post an email to said bank/club. The only one hurt would be me, m
Re:Apples and oranges (Score:2)
I don't think so. You are not permitted to treat someone else's property as your own without their permission, no matter how "harmless" you think it might be. It's not your call to make. Period.
I don't suppose you'd like to try getting a bank to volunteer their codebase for you to test out in your closed environment?
We didn't "volunteer" ou
Re:Forget white hat and black hat... (Score:2)
Yeah that must be the reason homicide detectives don't get their training by killing people. Moron.
Re:Forget white hat and black hat... (Score:1)
Re:Forget white hat and black hat... (Score:1)
Re:Forget white hat and black hat... (Score:3, Insightful)
A lot depends on the target and any perceptions of conflict of interest. Even getting nosy about academic records is most likely taboo.
Re:illegal (Score:1)
Stealing Passwords? (Score:5, Insightful)
They proved their point by putting themselves high up in the ranks.
A legitimate Research project should NOT have involved messing with other people's accounts.
If you want to do that, have some person known to the researchers make up an account with the express purpose of their team trying to steal the password.
Re:Stealing Passwords? (Score:2, Interesting)
Re:Stealing Passwords? (Score:1)
Re:Stealing Passwords? (Score:1)
No passwords were stolen. No rated games were played, and all games (unrated/rated) were only played between authors of the paper.
we should be able to mod stories (Score:3, Interesting)
dupe duke nuker? (Score:5, Insightful)
Technically the story it links to is new, though, but it's about an old thing.
Now, about these dupes, just one thing makes me wonder: do the editors have extremely bad memory, or don't they follow Slashdot at all themselves? Since in most cases a regular reader remembers if he has seen the same story (or one with a lot of resemblance) before. And hell, theoretically they should have more than 20 secs per story they pass, so they could have put "chess" into the old stories search.
Now, on things that need refreshing or something, 'follow-up' stories could be worthwhile doing, but not reporting them as totally new.
Re:dupe duke nuker? (Score:2)
Re:dupe duke nuker? (Score:1)
Re:dupe duke nuker? (Score:2)
Slashdot fights evil (Score:5, Funny)
Heh (Score:5, Interesting)
This is why I stopped playing online. Nothing beats a real game of chess, in front of a real person anyway. Reactions from your opponent are almost as important as in poker!
Ethical ramifications of this. (Score:4, Insightful)
Web Programmers (Score:4, Informative)
NEVER TRUST USER INPUT
This leads to stupid hacks like sql injection, html injection (leads to XSS), etc etc.
Not saying this is how it happened, but I wouldn't be the least bit surprised if this is how it happened.
Re:Web Programmers (Score:5, Funny)
But keep on trucking web guru!
Re:Web Programmers (Score:2)
READ grasshoppa read!
I wonder... (Score:5, Insightful)
Just wondering if the shoe fits the other foot.
Re:I wonder... (Score:2, Informative)
Ask Slashdot? (Score:2, Insightful)
Isn't this Illegal? (Score:3, Interesting)
Can anyone explain this to me?
Such an august list of members (Score:5, Funny)
One of these things is not like the others,
One of these things just doesn't belong,
Can you tell which thing is not like the others
By the time I finish my song?
Re:Such an august list of members (Score:5, Funny)
Re:Such an august list of members (Score:2)
Re:Such an august list of members (Score:1)
YRO: Internet Chess Club Sues Colorado Researchers (Score:1)
from the came-back-and-bit-us-in-the-ass dept.
someguy writes "The 30,000-plus-member Internet Chess Club filed suit today against the University of Colorado at Boulder for encouraging students to hack their service as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students were able to reverse-engineer the service to up their ranks and steal passwords
Bah (Score:1, Flamebait)
Tell them to come back after they have cracked one of the systems at Langley, Va.
Re:Bah (Score:1)
Re:Bah (Score:3, Informative)
I don't really... (Score:2)
Grandmasters could play on the most unsecure, untrusted of networks and it wo
This is research? (Score:2, Insightful)
This is a complete waste of taxpayer money, and Dr. Black should have his grants revoked. In fact, I've been in the supposed "computer security" academic community, and it's mostly bogus crap masqueraded as "research" because people don't know better. Computer security research is the AI of our time.
Re:This is research? (Score:2)
Yes, but AI is also still the AI of our time. So's 90% of Macroeconomics, 80% of Chaos Theory, and a whopping 103.8% of Nanotech.
Re:This is research? (Score:1)
Re:This is research? (Score:1)
1. evading taxes to give to charity
2. stealing money from a bank to give to charity
In both cases your INTENT is to steal money from one source and give to another source... hacking into a computer isn't stealing; what are you stealing?
Crime is based on INTENT... why do you think crazy people don't go to jail... why do you think 10 year old children don't go to jail... why do you think someone who kills someone by pure accident gets a slap on the wrist...
Maybe i worded it wrong, yes
security (Score:3, Funny)
instead, just blindly trust that handy cryptography API that came with your operating system
- (c) by the NSA
Even in THIS dupe, it's the CHESS CLUB folks! (Score:3, Funny)
To quote Homer's brain, That's it; I'm leaving.
Academic research reporting should be left... (Score:1, Informative)
In all fairness... after reading the original paper, I asked ICC if they are aware of the problem and they directed me to their security help file. ICC did fix one problem regarding membership payments:
http://www.chessclub.com/help/security
"Question: Is my credit card secure at ICC?
ICC has upgraded the way we process online payments. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.php
When you access the web form, your
great news (Score:4, Funny)
ICC Security Improvements (Score:5, Informative)
For details on the paper and ICC's response see the help file at:
http://www.chessclub.com/help/blackpaper
For details on how ICC protects user's security see:
http://www.chessclub.com/help/security
For details on how ICC protects user's privacy see:
http://www.chessclub.com/help/privacy
An excerpt from the
Question: What is ICC doing to improve security?
ICC is doing three main things to improve security:
1) ICC has changed our payment systems so that all online credit card payments go through secure web forms. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.p
2) ICC is updating Timestamp to close the cracks identified in the paper. This process will take some time to complete. As Black, Cochran, and Gardner show in their paper, getting Timestamp security right is a complex task. Ultimately, when we deploy a new version of Timestamp, ICC users will need to upgrade their chess client software to take advantage of the increased security.
3) ICC is doing an internal security review. ICC is committed to keeping confidential data secure through upgrades to our servers and client programs. We are actively engaged in improving our current security mechanisms, while at the same time, devoting substantial resources to catching cheaters.
If you have any questions or comments, you can ask a question in Channel 1, the Help Channel, send a message to ICC or send an email to icc@chessclub.com.
Also, ICC is not suing anyone over the paper by John Black, Martin Cochran, and Ryan Gardner.
George MacDonald
General Manager
Internet Chess Club
hacking the honor system... (Score:3, Insightful)
How secure something needs to be depends on what it is you're protecting. In this case it's the legitimacy of a chess game played over the internet and ratings of individual players. Is there something at stake more than game fairness and an online chess rating? (prize money for example). The article mentions famous people are on the server; is Madonna's chess account being hacked supposed to make me feel scared?
The problems should be fixed of course (if possible), but it sure seems like we're scraping the bottom of the security alert barrel on this one.
Since when does "news for nerds" (Score:2, Funny)
Re:Is slashdot editing anything like survivor? (Score:3, Informative)
Re:Choice quote... (Score:1, Funny)