Internet Chess Club Security Defeated
Scott_F writes "Researchers at the University of Colorado at Boulder have been able to defeat the security mechanisms of the Internet Chess Club and can effectively play a zero-time match, as well as have complete control over the game. The paper is titled How to Cheat at Chess: A Security Analysis of the Internet Chess Club. If you're not familiar with the ICC, it is where many Grandmasters play regularly, with rumors of Bobby Fischer making an occasional appearance. It appears that the ICC has relied on security through obscurity, but we all know how poorly that works. Chess, anyone?" Update: 09/08 21:08 GMT by J : In totally unrelated chess news, I found today's commentary on Zermelo's Theorem interesting, both for the math of the game and the look at a mistaken echo chamber.
Matches are timed, you have x minutes or seconds to complete your game, sometimes with an increment where after each move y seconds are added to your time remaining.
A Zero-Time match would mean you've hacked the clock and your moves never take any time.
Bobby Fischer certainly has a very interesting and complex personality....
Rainer
Windows 2000 - from the guys who brought us edlin
You could read the actual paper, but this is Slashdot, after all...
Yes, they hacked the Linux version of the timestamp client to send zero move times. They also reverse-engineered the timestamp protocol.
Security is an issue because they're exchanging passwords and credit-card numbers with the client. The authors were able to crack the "encryption" being used to transmit this stuff (a 100-byte one-time pad) by sniffing only 10 bytes (it was a very predictable sequence). The client and server also exchange two 64-bit keys in the open when the session is opened, which are used to generate the 100-byte pad.
Have you read my blog lately?
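The comment above describes two separate weaknesses: the pad is derived from keys that cross the wire in the clear, and the pad bytes form a predictable sequence, so a few bytes of known plaintext reveal the rest. The following is an added illustration, not the ICC protocol and not code from the paper. The pad generator `weak_pad` is a constructed toy (an affine byte sequence seeded from the two keys) chosen only so that the "very predictable sequence" failure is visible; the message contents, key values and helper names are likewise assumptions made for the example.

```python
import secrets

PAD_LEN = 100  # the page mentions a 100-byte pad; the generator below is NOT ICC's

def otp_xor(data: bytes, pad: bytes) -> bytes:
    """The one-time-pad primitive: XOR each message byte with one pad byte."""
    if len(pad) < len(data):
        raise ValueError("pad must cover the whole message")
    return bytes(d ^ p for d, p in zip(data, pad))

def weak_pad(key1: int, key2: int, length: int = PAD_LEN) -> bytes:
    """Constructed toy: derive the pad from two 64-bit keys that an observer can see.
    pad[i] = (start + step*i) mod 256 -- an affine sequence, i.e. trivially predictable."""
    start = key1 & 0xFF
    step = (key2 & 0xFF) | 1  # keep the step odd so the pad is never constant
    return bytes((start + step * i) & 0xFF for i in range(length))

def strong_pad(length: int = PAD_LEN) -> bytes:
    """What an OTP actually requires: pad bytes from a CSPRNG, used once, never sent."""
    return secrets.token_bytes(length)

def eavesdropper_decrypt(key1: int, key2: int, ciphertext: bytes) -> bytes:
    """Weakness 1: keys exchanged in the open let any observer regenerate the pad."""
    return otp_xor(ciphertext, weak_pad(key1, key2, len(ciphertext)))

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext step: pad[i] = ciphertext[i] ^ plaintext[i] for the known prefix."""
    return otp_xor(ciphertext[: len(known_plaintext)], known_plaintext)

def extend_weak_pad(prefix: bytes, length: int = PAD_LEN) -> bytes:
    """Weakness 2: fit the affine model to a few recovered pad bytes and regenerate
    the whole pad. Raises ValueError when the prefix does not follow the model."""
    if len(prefix) < 2:
        raise ValueError("need at least two pad bytes to fit start and step")
    start = prefix[0]
    step = (prefix[1] - prefix[0]) & 0xFF
    candidate = bytes((start + step * i) & 0xFF for i in range(length))
    if candidate[: len(prefix)] != prefix:
        raise ValueError("prefix is not an affine sequence")
    return candidate

def pad_is_predictable(prefix: bytes, length: int = PAD_LEN) -> bool:
    """True if a short known prefix determines the rest of the pad under the toy model."""
    try:
        extend_weak_pad(prefix, length)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample session: two keys "seen on the wire" and a login message.
    k1, k2 = 0x1122334455667788, 0x99AABBCCDDEEFF07
    msg = b"login=alice;password=hunter2;card=0000-0000"
    ct = otp_xor(msg, weak_pad(k1, k2))
    print("eavesdropper with keys:", eavesdropper_decrypt(k1, k2, ct))
    ks = recover_keystream(ct, msg[:10])          # attacker knows "login=alic"
    print("rest of message from 10 pad bytes:", otp_xor(ct, extend_weak_pad(ks)))
    # With a real random pad the same 10 bytes say nothing about the other 90.
    sp = strong_pad()
    print("random pad predictable?", pad_is_predictable(recover_keystream(otp_xor(msg, sp), msg[:10])))
```

The contrast is the point of the comment's criticism: with `strong_pad` the known-plaintext step still yields ten pad bytes, but those bytes are independent of the remaining ninety, so nothing further is learned; with the toy `weak_pad` (or any deterministic generator seeded from values sent in the clear) the "one-time pad" is really a stream cipher with a public key.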
The article says that no unix chess client comes with integrated timestamping, which is a good reason to plug mine - Jin, which does.
Also, I'm an ICC admin and I can tell you that we're looking into the issue and will probably publish an official response later.
Most serious chess games are played with a clock; this analysis shows how to rig the clock on ICC.
Daniel
Hurry up and jump on the individualist bandwagon!
Cheating online at chess is much less sophisticated.
1. Open chess program
2. Input Opponent's move
3. Chess program offers best possible countermove
You never need to know why the move works, how it will help you win or even when mate is near. The program does it all...
Of course online veterans can spot someone using a program fairly quickly. Some sites even try to discourage it by not letting you move your mouse off the app. If you do your opponent is notified and they can adjourn the game.
Even then, all you would need is a laptop and some creative timing skills. But if you need to cheat at chess that badly, when it doesn't affect any legitimate rank you may have for the "traditional" clubs, you are in desperate need of getting laid and should put away the computer...
Is creating a _really_ secure equivalent of the internet chess club. I see this as a serious opportunity for an open source team to demonstrate how they can do security _right_.
Short history, from memory: Way way back, there was only ICS, the Internet chess server. In 1995, it was turned into the commercial server ICC, the Internet Chess Club, which is still around and going strong. It's closed source and costs money unless you're a grandmaster.
As a protest to this, FICS, the Free ICS, was started. It is, to this day, free "as in beer" (if for a moment we assume that beer is free of charge). It used to be Free as in GPL and available from the FTP site.
However, after others downloaded the Free code and started their own commercial servers with it (and they don't have to distribute their own changes under the GPL, since the software isn't distributed at all, it only runs the server), the code was closed as the developers didn't like working for free for a commercial server. I believe that server was Chess.net.
Later, FICS's new main developer recoded all of FICS, so that none of the GPL code remained - or so he claimed when he sold a copy to a company named GamesParlour during the Internet boom, under some license other than the GPL. He also worked for them for a while. Endless FICS flamewars ensued. There is actually a reasonable chance that his claim is true, since he's been the sole developer for many years now.
Anyway, some people thought this was reason enough to start a new, open source chess server. The one I know of is chessd. I have no idea about its status.
To this day, FICS is still the best place to play chess for free for non-GMs, while talking about AI in the religion channel and politics in the politics channel, and everything else in ch 50.
Oh, and keeping track of time client side, and sending the times to ICC is done there with a utility called "timestamp". On FICS, the equivalent is called "timeseal", and I would be really really surprised if it wasn't at least as vulnerable. I believe there is actually some exploit in the wild. Not many people care though.
(I'm ElOso on FICS.)
I believe posters are recognized by their sig. So I made one.
FICS is not better on the timestamping front though. Their own algorithm, called timeseal, is not any more secure than timestamping. I know because I wrote a client for both ICC and FICS.
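Both of the preceding comments describe the same architecture: the client keeps track of the time spent on each move and reports it to the server, which is exactly what a modified client can lie about. An added example of the kind of server-side sanity check a defender would want, written for this discussion and not taken from ICC, FICS, timestamp or timeseal: the server records its own clock when it forwards the opponent's move and when the reply arrives, and only lets the client's reported think time shave off a bounded amount of network lag. The field names, the lag allowance and the sample move timings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Assumption for this example: the most network delay the server is willing to forgive
# per move. A client claiming less time than (observed - this) is reporting a time
# the server cannot have seen, which is what a "zero-time" client does.
MAX_LAG_CREDIT_MS = 2000

@dataclass
class MoveTiming:
    server_sent_ms: int       # server clock when the opponent's move was sent to this client
    server_received_ms: int   # server clock when this client's reply arrived
    client_reported_ms: int   # think time claimed by the client-side timing helper

def server_elapsed_ms(t: MoveTiming) -> int:
    """Wall-clock time between sending a move out and getting the reply, as the server saw it."""
    elapsed = t.server_received_ms - t.server_sent_ms
    if elapsed < 0:
        raise ValueError("reply cannot arrive before the move was sent")
    return elapsed

def charged_think_time_ms(t: MoveTiming) -> int:
    """Time to deduct from the player's clock.

    The client may only reduce the observed time by network lag, never by more than
    MAX_LAG_CREDIT_MS, and may never be charged more than the server itself observed."""
    observed = server_elapsed_ms(t)
    claimed = max(0, t.client_reported_ms)
    floor = max(0, observed - MAX_LAG_CREDIT_MS)
    return min(max(claimed, floor), observed)

def is_suspicious(t: MoveTiming) -> bool:
    """True when the client claims less think time than the server could possibly confirm."""
    return t.client_reported_ms < server_elapsed_ms(t) - MAX_LAG_CREDIT_MS

def audit_game(timings: List[MoveTiming]) -> List[int]:
    """Return the indices of moves whose reported time is not consistent with observation."""
    return [i for i, t in enumerate(timings) if is_suspicious(t)]

if __name__ == "__main__":
    # Constructed sample: an honest move, a laggy-but-plausible move, and a zero-time claim.
    game = [
        MoveTiming(server_sent_ms=0,     server_received_ms=5400,  client_reported_ms=5000),
        MoveTiming(server_sent_ms=6000,  server_received_ms=9500,  client_reported_ms=2000),
        MoveTiming(server_sent_ms=10000, server_received_ms=15400, client_reported_ms=0),
    ]
    for i, t in enumerate(game):
        print(i, "charged", charged_think_time_ms(t), "ms", "SUSPICIOUS" if is_suspicious(t) else "")
    print("flagged moves:", audit_game(game))
```

The check does not make the client trustworthy; it bounds how much a lying client can gain to the lag allowance, which is the most a server that never sees the client's clock can do without a trusted timing source on the client side.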
There are several new stories today about Bobby Fischer winning a deportation injunction in Japan.
Risk isn't a fair game, in the sense that it involves random elements, rather than purely skill. Checkers is probably a fair game; however, there are some variations to its standard rules.
http://en.wikipedia.org/wiki/Solved_board_games
According to that page, reversi is just such a game.
It's entirely possible that Chess is just such a game, that Black can run the perfect counter to whatever it is that White does. Most people believe that playing White is an advantage (in practice it appears to be); however, in theory it isn't in any way. Go is also another open question as to its fairness in the end.
Kirby
Well, the concept of an OTP always has "truly random" mentioned somewhere in it. It's because the whole thing works on the idea that adding truly random noise to a message produces something that looks like more noise.
Try it, and you'll soon discover why that doesn't work.