Internet Chess Club Security Defeated
Scott_F writes "Researchers at the University of Colorado at Boulder have been able to defeat the security mechanisms of the Internet Chess Club and can effectively play a zero-time match, as well as have complete control over the game. The paper is titled How to Cheat at Chess: A Security Analysis of the Internet Chess Club. If you're not familiar with the ICC, it is where many Grandmasters play regularly, with rumors of Bobby Fischer making an occasional appearance. It appears that the ICC has relied on security through obscurity, but we all know how poorly that works. Chess, anyone?" Update: 09/08 21:08 GMT by J : In totally unrelated chess news, I found today's commentary on Zermelo's Theorem interesting, both for the math of the game and the look at a mistaken echo chamber.
Shall we play a game?
Check Mate in 1 then..
Rus
Cheap UK and US VPS
Searching for Bobby Fischer.... on the internet?
Checkmate.
Doh! No Fair!
Damn wallhackers!
..is not as bad as its reputation. Of course it is not enough and you should not rely solely on it. But it can be a helpful part of your whole security plan. Read more in this interesting paper by Jay Beale, the Lead Developer of the Bastille Linux Project.
Chess club relies on security through obscurity; got cracked. Therefore security through obscurity sucks and its polar opposite, open source security, rules. Therefore open source rules. Therefore Linux rules. Therefore Microsoft sucks. Apple, we don't yet have an established opinion on.
Whatever shall we do, I'll never play online chess again!
I like suggestions, but I don't like contributing towards them.
Chess is about the only sport out there that isn't susceptible to performance enhancing drugs, or blood doping. But it is really annoying to play against people who end up being computer programs.
as there are no referees to make wrong calls, and judges to give wrong scores.
But cheating is still possible with the help of the latest technology. In an on-board match, you could have some person watching your game and suggesting moves after checking with a computer. This is more true of non-Grandmaster games. It's almost impossible to do this in Grandmaster games as the necessary precautions are taken.
Now, in internet chess, cheating is even more likely to occur. It is very difficult to hold a fair tournament completely online anytime soon. Something like our elections.
New year Resolution: Don't change sig this year
Would you like to play a game?
Some of the top analytical and intuitive problem solvers in the world, and they can still get their credit cards hacked. Bravo.
But why oh why couldn't the researchers have researched a hack on, say, Everquest? Thirty thousand startled and whiny chess players wouldn't be nearly as entertaining as three hundred thousand startled and whiny mob grinders.
www.kitchengeek.com -- Nosh for
yuo fail it.
Please return to your Windows(tm) machine promptly, Sir.
Could somebody explain the meaning and significance of the term "zero-time match"?
www.eFax.com are spammers
Would Yahoo! Games be more secure than ICC? If so, why?
I'm always up for a nice game of global thermonuclear war...
There would be so many possible Sai jokes....
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
U PWND MY PAWN.
Cheating at chess online?? Like how, an aimbot or something? It isn't like the other player isn't going to notice when your Queen bunnyhops across the board and headshots 4 pawns in a row without missing. Feh.
Speak truth to power.
security protocol used between client and server provides sufficient security
If two guys are playing and the game randomly changes, a review of the play list can confirm someone cheated. Therefore, they do have sufficient security. There is a big distinction between having sufficient security and being ultra-secure. You don't secure a pool with armed guards to prevent kids from falling in, you simply build a taller fence.
HOLLY: Prawn takes Horsie.
QUEEG: Bishop-Pawn takes Pawn.
HOLLY: Bish takes Prawn.
QUEEG: Bishop to Knight Five. Double Check and Mate, sucker!
HOLLY: Oh yeah, I didn't see that...
LISTER: Holly, man, what have you done!?
RIMMER: He's lost.
QUEEG: And the loser gets erased.
HOLLY: Noughts and Crosses?
That's how Deep Blue won...
At long last we have proof that Go is better than Chess. Nobody compromised their server : )
Wait, an online chess club doesn't have a good defence? Their server has an opening? The whole web site is one big gambit?
The password was "JOSHUA".
Trolls lurk everywhere. Mod them down.
Is creating a _really_ secure equivalent of the internet chess club. I see this as a serious opportunity for an open source team to demonstrate how they can do security _right_.
I can imagine that it _would_ be possible to do some really interesting things that would make remote matches _much_ harder to cheat at (i.e. do things like authenticate who is observing each of the remote players).
Why no HTML version? Grrr.
Get your own free personal location tracker
I've been a member of the ICC since 1995ish, when you used telnet, and quick typing skills to put your moves in. Leave my favorite work pastime alone!! I don't want to have to doubt who I play... and I have played 8000+ games in the past three years on ICC
This adds a whole new meaning to
"y3r p4wn i5 0wn3d!!!"
Norman Cook's Ode to Sl
...didn't a little software company called Microsoft try that once?
Due to lack of disk space this user has been discontinued
I'm all for it, but...
Was this legal?
Aren't there local, state, federal, and international laws against exposing the vulnerability of a private system? Haven't many people already been harassed by the FBI for doing much the same thing with corporate systems? Or do these people get a free pass because they're from a University?
+++ATHZ 99:5:80
The article writes that time stamping can be easily defeated.. yes it can (using User Mode Linux usually works better than intercepting the kernel calls) but playing a chess game on a bad connection without timestamping just sucks.. (I tried it with FICS.. it's the free internet chess server http://www.freechess.org ). Being able to steal credit card numbers is naturally not the same category.
Any company/organisation that feels itself to have any value should invest in good security measures.
I wish to remain anomalous
Bobby Fischer certainly has a very interesting and complex personality....
Rainer
Windows 2000 - from the guys who brought us edlin
If you ever rub elbows with the crowds that really get into chess, you'll find them an honorable bunch.
There's nothing for them to gain by cheating at chess. There's no reason to expect anyone else to cheat at chess. Thus, little reason for security.
I don't need no instructions to know how to rock!!!!
I haven't read the paper, but my bet is that it's an exploit of timestamp, a program that adds time to the clock to compensate for lag. This was exploited two years ago on FICS, and such an exploit for ICC (they run off of similar codebases, including timeseal/timestamp IIRC) was inevitable. The hacked copy of timestamp rolls back the system clock a few milliseconds each move, thus making the server see it as lag.
Now, they just ban users that use the exploit.
If you're going to post a story, at least make sure it's recent.
ICC's game security relies on a program called 'timestamp' that accurately records how much time you used for the move (so that players with more internet latency than others don't get penalised).
This timestamp program is not open source but they publish a binary version for various operating systems.
It sounds as if someone has hacked this (i.e. so you can tell it that your move took 0.1 seconds -- the server deliberately does not allow moves to be faster than 0.1 seconds). If you have ever played a timed chess game (especially one with short times, e.g. 1 minute per game), you will know that this represents a huge advantage.
I don't know what the article means about "complete control over the game", the server does not allow illegal moves etc. -- unless they have somehow hacked into the server, or managed to insert packets into the TCP/IP connections between the server and the opponent (which would be a problem with FreeBSD or the opponent's OS).
Also the article mentions 'network security protocol', which is odd given that you can play games there by a plain telnet connection (telnet to chessclub.com:23 or chessclub.com:5080) or any 3rd party clients with no security.
The Windows client software supplied by ICC includes some undocumented security to validate itself (i.e. let the server know you are using this piece of software and not a 3rd-party client); this is useful for detecting if people are trying to cheat by getting a chess-playing program to automatically play their moves for them.
And finally, I fear that a "robustification" of timestamp, to use accepted open security mechanisms, would end up in greater lag for the players -- either due to greater packet sizes, or greater processing power required by the client or the server (which has to do this for 4000+ connections at once), which is a pity (even 20ms is noticeable in a speed game of chess).
Anyone have more information?
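The timestamp scheme described in the post above can be audited from the server side: the client reports think time, the server knows the wall-clock interval it observed, and the difference is the lag the server is being asked to believe. The following is an added illustration of such an audit, not ICC's or the paper's code; the 0.1 s floor comes from the post, while the baseline-lag source, the thresholds and all sample games are constructed assumptions.

```python
"""Server-side plausibility audit of timestamp-reported move times.

Added illustration, not ICC's or the paper's code. It models the scheme the
post above describes: the client's timestamp program reports how long the
player actually thought, the server subtracts that from the wall-clock
interval it observed, and the remainder is treated as network lag. A client
that under-reports think time can only be explained by implausible lag, so
the server can audit the implied lag per move and across the whole game.
Thresholds, the baseline-lag source and all sample data are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

MIN_MOVE_SECONDS = 0.1   # floor the post says the server enforces on move times


@dataclass
class MoveRecord:
    move: str
    server_elapsed: float  # seconds from relaying the opponent's move to receiving this reply
    claimed_think: float   # think time the client's timestamp program reported


def implied_lag(rec: MoveRecord) -> float:
    """Lag the server must believe in to accept the claimed think time."""
    return rec.server_elapsed - rec.claimed_think


def audit_moves(moves: List[MoveRecord], baseline_lag: float,
                tolerance: float = 4.0) -> List[Tuple[str, str]]:
    """Per-move check. Returns (move, reason) for each implausible report.

    baseline_lag is assumed to be measured by the server itself at connect
    time (e.g. from the login round trip), so the client cannot report it.
    """
    findings = []
    for rec in moves:
        lag = implied_lag(rec)
        if rec.claimed_think < MIN_MOVE_SECONDS:
            findings.append((rec.move, "claimed think time below server floor"))
        elif lag < 0:
            findings.append((rec.move, "claimed think time exceeds observed interval"))
        elif lag > tolerance * baseline_lag:
            findings.append((rec.move, f"implied lag {lag:.2f}s vs baseline {baseline_lag:.2f}s"))
    return findings


def time_gained(moves: List[MoveRecord], baseline_lag: float) -> float:
    """Game-level check: total clock time credited beyond the measured baseline.

    Catches the per-move clock rollback described in an earlier comment, where
    each move shaves only a few milliseconds and never trips the per-move check.
    """
    return sum(max(0.0, implied_lag(rec) - baseline_lag) for rec in moves)


# Constructed sample games; baseline lag of 50 ms measured at login.
BASELINE_LAG = 0.05
HONEST = [MoveRecord("e4", 2.35, 2.30), MoveRecord("Nf3", 1.84, 1.79),
          MoveRecord("Bc4", 4.06, 4.00)]
SUSPECT = [
    MoveRecord("e4", 2.35, 2.30),
    MoveRecord("Nf3", 3.10, 0.40),  # under-reported: needs 2.7 s of lag to be true
    MoveRecord("Bc4", 1.00, 1.20),  # claims more think time than the server waited
    MoveRecord("O-O", 0.90, 0.05),  # below the 0.1 s floor
]
# 40 moves each reporting 8 ms less think time than really elapsed.
SHAVED = [MoveRecord(f"m{i}", 1.558, 1.5) for i in range(40)]

if __name__ == "__main__":
    for name, game in (("honest", HONEST), ("suspect", SUSPECT), ("shaved", SHAVED)):
        print(name, audit_moves(game, BASELINE_LAG),
              f"gained {time_gained(game, BASELINE_LAG):.3f}s")
```

The per-move check catches gross under-reporting, while the game-level total is what exposes a few milliseconds shaved on every move.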
But were they kind enough to let ICC fix their security hole before they published the article ?
The first rule of Chess Club is - you do not talk about Chess Club.
Dogma - "let's just say we'd like to avoid any empirical entanglements."
The RSA company created the "security through obscurity is useless" meme as a way to sell their product (public key cryptosystems).
... you get the idea.
However, in reality all security is through obscurity. For one you need to keep the (private) key secret.
In practice, good security is composed of several layers, one of which should be obscurity. For example, you might RSA/ssh restrict access to a host, but it still pays to (a) not advertise its existence (b) make it inconspicuous (c) close logins to an account after more than three failed attempts (d) keep the communication protocol secret (e) place a good lock on the door to the computer room (f) not write the password on a Post-it note and place it in your drawer (g)
Notice how many of those listed above derive security from obscurity in practical, effective ways.
Beating up on the chess club (when the AV club wasn't available) really brings me back to those good ol' high-school days.
Well, even when he was not detained, I doubt that he would play there. In a recent interview (while in captivity) at ChessBase (www.chessbase.com), he said he doesn't play chess anymore, only 'FisherRandom', a special chess with altered rules he invented. Basically, you shuffle the back-rank pieces identically for both players (there's one or two more minor rules I think). Makes the game more interesting (for him!) at his level of play.
Eureka Science News - automatically updated
What is it with chess-playing computers using security through obscurity? First a high school kid breaks into the chess-playing WOPR by guessing the password, Joshua, the deceased son of programmer Dr. Falken, now this? Next thing you know someone is going to post an article about how some kids figured out how to make free phone calls by shorting a payphone handset with a cola can tab, a Cap'n Crunch whistle, and a 6.5536 MHz crystal.
Im dreaming ofa big bndwdth, That can resist the
That should be easy to patch doesn't it?
if($gameOver && $matchTime eq 0) Response.Redirect("niceTrySmartPants.jsp");
or something along those lines.
In chess on Yahoo many of the top players use a chess program it's really simple:
set it to super hard
move as your opponent
lose to computer you win.
In FPSs, anyone who's been to a LAN cafe has seen screen watching, but its little brother is talking on the phone or using a voice comm program to communicate with teammates (while alive and dead).
The worst part about cheats like these is that the cheater doesn't think they are cheating, if you ask they won't know what you are talking about.
It's fine in matches where both teams are doing it, but in public servers it's definitely cheating. In some games like Quake or CS (with death cams) it's kind of a problem, as it's not always obvious, but in games that rely heavily on knowledge such as Raven Shield, knowing where your teammate was shot from after he dies can be decisive.
Please people if you have access to information your opponents cannot possibly have access to consider what you are doing to the game.
I like things like death cams and teamwork, but I'd have to take steps against this kind of thing if I was running a server, though usually the people running servers are the worst offenders. Ventrilo, anyone?
Does anyone know if FICS (Free Internet Chess Server) uses the same security scheme and is therefore also compromised?
"It would be wrong to refuse to face the fact that everything is fundamentally sick and sad."
How poorly that works? I'm sure plenty of American agents working over the border during the Cold War were damn glad of how well it does work.
It's a bad idea to rely on it, but then it's a bad idea to rely on any one thing to provide all your security.
aka... Him throw punch, you no be there.
> Well, even when he was not detained, I doubt
> that he would play there.
Yeah, I have my doubts, too (and I don't play chess).
But it was fun while it lasted.
Every other year, he sort of appeared in some random part of the world (was - supposedly - even spotted in Germany once, some years ago) and disappeared immediately.
Apparently, there's a Japanes woman who wants to marry him...
Next week I'll be publishing a paper about my neighbor's house, entitled "How to Get Free Jewelry: A Security Analysis of the Robinson Estate". I'll be posting this paper on all the telephone poles in the neighborhood.
It seems as though the Robinsons, who live down the street from me, relied on security through obscurity. I guess they were asking for it! I sure am doing them a favor by exposing this vulnerability.
Looks like the only winning move is not to play.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Honestly this paper sounds a bit childish. It seems as if the writer is either very proud of himself or very unhappy with ICC. It seems that reasonable efforts were made for security, though not wonderful. The server should compare calculated network lag to tracert network lag, and should remove the symbols, but there is only so much you can do to keep someone from reverse engineering a small binary. The 64-bit seed seems to need asymmetrical encryption, but really what else is needed? And is there a HUGE worry that there will be a man-in-the-middle attack against your chess game? These are paying customers of a chess server, not bnet and CS script kiddies. The criticism of ICC is way too harsh. (And undeserving of a Slashdot front page article, I might add.)
I do security
But do they know the proper response to Queen to Queen's Level 3?
The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
Security through obscurity rocks! Hence MS Windows is better than Linux because it is more obscure.
And we owe it all to Steve Ballmer: "Developers! Developers! Developers!" Thrice the developers, thrice the line count, thrice the obscurity, thrice the security.
Or something like that.
FICS is better than ICC anyway. FICS is free. ICC makes you pay.
Find free books.
The article says that no unix chess client comes with integrated timestamping, which is a good reason to plug mine - Jin, which does.
Also, I'm an ICC admin and I can tell you that we're looking into the issue and will probably publish an official response later.
Rule # 1:
You don't talk about Chess Club
does it still really happen in the forest?
A better place is freechess.org. I suggest using the Thief interface, especially for bughouse games. There are about 10 times more people on there playing bug than on ICC. Don't know about normal chess, but I've seen quite a few GMs on there. Played a couple too (it's not fun).
Vote for new mod!!! Score:-2,Imbecile
It was possible to win a game just by refreshing the board so much that the opponent's timer ran out. Later the ICC had timestamping which should reduce effects of net lag.
Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
The pink elephant overlooked in this discussion is that cheating in online chess is trivial anyway - just let Fritz make the moves for you and you win every time (except, perhaps, against Kasparov and, of course, other cheaters).
So, no point in reverse engineering the client and cracking the protocol just to fake some latency in order to gain some extra seconds. Which only help in blitz games anyway. Which are a lot more fun to play offline anyway.
he don't play chess anymore, only 'FisherRandom', special chess with altered rules he invented. Basically, you shuffle backrank pieces identically for both players
And why doesn't he shuffle the front pieces, too? That would make it even more interesting.
(I know only just enough about chess to make this post.)
I cheated YEARS before he wrote the paper.
I merely play on a processor lacking a 64-bit Time Base register stamp (or claiming to have none via a virtual machine), and use a system driver to alter system tick clocks and sync with time of day; then AFTER every send I speed-correct time to match the real time clock, but when it's my move I hit the CAPS-LOCK key and my code makes the system clock tick not advance.
out of band cheating.
no need to modify code
worked well
that guy who wrote the paper has no imagination, and lacks true hacking skills
Check and checkmate. :) If they relied on security through obscurity, they got what they asked for.
quidquid latine dictum sit altum videtur.
In general the timestamping problem is clearly an insoluble one, because the server has no way to tell if the human took only as much time to think as the client software claims. Obfuscation is a stopgap solution that deters the casual attacker, but there is no cryptographic solution apart from "trusted" hardware (yikes).
The way the music/movie industry has tackled the problem is to go on the offensive and call everyone a criminal. Let's see what the ICC does.
We already know that security through obscurity is no security.
Still, the paper was very insightful regarding security protocols. I think we should all download it and learn how (and how NOT) to implement a security mechanism.
There are several new stories today about Bobby Fischer winning a deportation injunction in Japan.
still no word from the guys who dress up in home made armor.
So when is PunkBuster going to come out with a new version that supports all the popular chess clients?
The dice are too fickle. Fairness would involve reducing it to a pure strategy game. The dice and the cards in Risk make it much less than pure strategy.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
The authors of that analysis took a really hard way to crack the ICC binary timestamp. It takes about 2 hours to get the ICC Java client, find the Java timeseal class and disassemble it. The same is true for FICS (freechess.org).
Been there, done that (also once wrote a client app for both servers).
While writing a timestamp version with public/private key authentication would work against snooping CC numbers, lag info can always be altered with simpler means than cracking timestamp. For apps using the local clock, system calls can always be hooked/intercepted (someone did that in Linux about a year ago).
"Since rearchitecting the Internet is both infeasible and falls short of a full solution (...)"
I couldn't agree more.
You might have been trying to be funny, but I wonder about moving the pieces in both dimensions?
01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
Looks like you gave yourself away there. Now we know Anonymous Coward is really Mateito (746185).
Lately democracy seems to be based on the skybox, the Happy Meal box, the X-box, and the idiot box.
They had been living together for a while and didn't feel the need to get married. They're getting married now to try to prevent his deportation.
English is easier said than done.
"Queen takes Bishop"
I have my own variant where I play chess on a Go board. I call it "Guess."
You insensitive clod!
I'll...uh...challenge you to a game of chess for such an insult!
Don't you mean professor? At least quote it correctly.
this is useful for detecting if people are trying to cheat by getting a chess-playing program to automatically play their moves for them.
Isn't this unavoidable, though? I mean, couldn't someone just switch back and forth between the ICC client, and say, one of the Chessmaster programs for example? (or if the client detects switching away and reports it, then have Chessmaster on another computer) Then, set the Chessmaster computer opponent to a high level, and play your opponent's moves against Chessmaster. And whatever moves Chessmaster makes, you play on ICC.
So to me, there is no possible way of preventing people from cheating in online chess. I mean this could even work in speed chess if you are fast enough, and set the timer low in Chessmaster (or whatever other program). Ideally, set it lower than the real match time, to make up for the "lag" of seeing what move to make and then making it yourself. Of course you'd have to be pretty damn fast to win a 1 minute game that way, but it could be done.
now if only worldwinner's security could be defeated.. one could make quite a buck through that system.
Never admit to being a member of Internet Chess Club.
The second rule of internet chess club is...
Never admit to being a member of Internet Chess Club.
For me to actually win a game again then?
(it is possible to forget enough basic chess to lose to most any program, let alone human. it just takes 20 years of neglect)
I wonder if AE DT'ing pawns are considered tasteless? (obEQ)
Try it, and you'll soon discover why that doesn't work.
The recommendations in the whitepaper seem overly complicated. Anyone care to explain why a checksum would be inadequate?
I like FICS better than ICC, but anyways...
Why does it matter that much about someone breaking timeseal? If you're cheating on ICC, then you truly must have no life. Yes, there are some prizes available for their tournaments, but to play on ICC just to win stuff is silly. Chess is a game. If you cheat so that you can win some rinky-dink prize or, even more deplorably, to just boost your rating, then you are truly a pathetic individual. Any win by cheating is essentially hollow and meaningless. Chess is fun, but cheating seems like one way to make it un-fun really fast. When chess stops being fun, what's the point?
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
Yes, maybe Bobby Fischer has played on the ICC. But has Joshua a.k.a. WOPR made an appearance? That would be something.
Global warming is neither science, nor politics. It is a religion.
Why is everyone obsessing about the timestamping problem? Didn't anyone read past page 6? The entire encryption system is broken, meaning there's a man-in-the-middle attack to sniff or alter any game traffic on the wire. The paper seems to vaguely suggest that even ICC credit card payments get sent using this completely bogus cipher.
314-15-9265
http://slashdot.org/articles/04/07/08/2159244.shtml?tid=126&tid=128&tid=154&tid=172&tid=95
There is a confidential flag in bugzilla and is used to keep those currently unfixed security bugs out of the public eye
The Singularity is closer than you think
Quant
Would it be equally easy with Go?
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Interestingly, there is a variant of chess which plays just like you describe: Kriegspiel. Each player sees their own pieces and not their opponent's pieces.
I've never actually played it; regular chess is enough for one lifetime!
Since when does figuring out that someone else's software isn't secure count as "research"? We keep reading about "security researchers" finding this or that exploit, but that doesn't sound like research to me. All these researchers are doing is figuring out that somebody didn't write very good code or didn't think about the security enough. Sure, if you figure out that a widely accepted approach to security had a flaw, that would be research, but finding a problem with a specific case just sounds like QA to me. I'm curious why universities would fund people to try to break into any random piece of software.
well, his personality isn't *that* interesting.
he's an insecure, paranoid, raging anti-semite.
some of his chess results will probably never be equalled, however.
As the subject says, there are other chess servers. The other large one I know about is PlayChess, which is run by ChessBase (the same company who produce [Deep] Fritz and others).
:)
I realise you probably know this, but I'm guessing other people probably wouldn't.
At some base level, you're right. When both players are equally exposed to the same random functions, then it's technically fair.
At the same time, being subject to the vagaries of fate seems unfair on some level. And for that reason I wouldn't classify a game that uses random functions in any way as being on quite the same level as one that is a "pure" strategy game.
My dad plays there pretty regularly. He is a world-rated master (2100+) and the reason he loves that site is because it is secure and has good talent that comes through there. I play every once in a while and do enjoy the site. Hope you get everything fixed before there is any permanent damage.