Internet Chess Club Security Defeated
Scott_F writes "Researchers at the University of Colorado at Boulder have been able to defeat the security mechanisms of the Internet Chess Club and can effectively play a zero-time match, as well as have complete control over the game. The paper is titled How to Cheat at Chess: A Security Analysis of the Internet Chess Club. If you're not familiar with the ICC, it is where many Grandmasters play regularly, with rumors of Bobby Fischer making an occasional appearance. It appears that the ICC has relied on security through obscurity, but we all know how poorly that works. Chess, anyone?" Update: 09/08 21:08 GMT by J : In totally unrelated chess news, I found today's commentary on Zermelo's Theorem interesting, both for the math of the game and the look at a mistaken echo chamber.
security protocol used between client and server provides sufficient security
If two guys are playing and the game randomly changes, a review of the play list can confirm someone cheated. Therefore, they do have sufficient security. There is a big distinction between having sufficient security and being ultra-secure. You don't secure a pool with armed guards to prevent kids from falling in, you simply build a taller fence.
Wouldn't this be the case for more than just chess? Such as checkers, Chinese checkers, Chinese chess, Stratego, Risk, etc.
:) ) GO is just such a game. The komi (points awarded to the player that goes second) helps eliminate this advantage. As such, I believe that GO is a fairer game.
(Dare I mention the infamous GO in a chess story?)
While I am attempting to drop my karma like a rock, I would also add that chess is NOT the fairest of all games, because there is a definite difference/advantage depending on what color you are, and thus who goes first. A game in which this is not the case (or it is compensated for) would be even more fair. (Here is where my karma takes a nose dive.)
I should say that I am not trying to trash talk chess. I enjoy chess just as much as the next guy, and it is a terrific game to play -- both for enjoyment and as mental exercise. Above, I was just trying to point out what I thought was wrong with the parent.
ICC's game security relies on a program called 'timestamp' that accurately records how much time you used for the move (so that players with more internet latency than others don't get penalised).
This timestamp program is not open source but they publish a binary version for various operating systems.
It sounds as if someone has hacked this (i.e. so you can tell it that your move took 0.1 seconds -- the server deliberately does not allow moves to be faster than 0.1 seconds). If you have ever played a timed chess game (especially one with short times, e.g. 1 minute per game), you will know that this represents a huge advantage.
I don't know what the article means about "complete control over the game"; the server does not allow illegal moves etc. -- unless they have somehow hacked into the server, or managed to insert packets into the TCP/IP connections between the server and the opponent (which would be a problem with FreeBSD or the opponent's OS).
Also the article mentions 'network security protocol', which is odd given that you can play games there by a plain telnet connection (telnet to chessclub.com:23 or chessclub.com:5080) or any 3rd-party client with no security.
The Windows client software supplied by ICC includes some undocumented security to validate itself (i.e. let the server know you are using this piece of software and not a 3rd-party client). This is useful for detecting if people are trying to cheat by getting a chess-playing program to automatically play their moves for them.
And finally, I fear that a "robustification" of timestamp, to use accepted open security mechanisms, would end up in greater lag for the players -- either due to greater packet sizes, or greater processing power required by the client or the server (which has to do this for 4000+ connections at once), which is a pity (even 20ms is noticeable in a speed game of chess).
Anyone have more information?
An umbrella can quickly be turned inside-out or get loose and hit you in the face...
The RSA company created the "security through obscurity is useless" meme as a way to sell their product (public key cryptosystems).
... you get the idea.
However, in reality all security is through obscurity. For one you need to keep the (private) key secret.
In practice, good security is composed of several layers, one of which should be obscurity. For example, you might RSA/ssh restrict access to a host, but it still pays to (a) not advertise its existence (b) make it inconspicuous (c) close logins to an account after more than three failed attempts (d) keep the communication protocol secret (e) place a good lock on the door to the computer room (f) not write the password on a Post-it note and place it in your drawer (g)
Notice how many of those listed above derive security from obscurity in practical, effective ways.
In chess on Yahoo many of the top players use a chess program. It's really simple:
set it to super hard
move as your opponent
lose to the computer, you win.
In FPSes, anyone who's been to a LAN cafe has seen screen watching, but its little brother is talking on the phone or using a voice comm program to communicate with teammates (while alive and dead).
The worst part about cheats like these is that the cheater doesn't think they are cheating; if you ask, they won't know what you are talking about.
It's fine in matches where both teams are doing it, but in public servers it's definitely cheating. In some games like Quake or CS (with death cams) it's kind of a problem, it's not always obvious, but in games that rely heavily on knowledge such as Raven Shield, knowing where your teammate was shot from after he dies can be decisive.
Please, people, if you have access to information your opponents cannot possibly have access to, consider what you are doing to the game.
I like things like death cams and teamwork, but I'd have to take steps against this kind of thing if I was running a server, though usually the people running servers are the worst offenders. Ventrilo, anyone?
There's an easy way to fix the unfairness in Chess. Play an even number of games, alternating sides, and see who comes out on top in the end. I think it's no coincidence that this is what's actually done in tournaments.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
It's called defense in depth. Just because you believe that your underlying security is solid and you know that obscurity by itself wouldn't be a complete solution doesn't mean that adding some obscurity on top of what you have as an extra level of security is a bad idea. Just because I know that you can cross a moat doesn't mean I'm not going to put a moat full of alligators around my castle in addition to the guys on top of the walls with boiling oil and so forth.
And if you really believe that obscurity never has a place in security, does that mean you will happily give out all your passwords, etc., because they were useless anyway?
In other news (offtopic), where did my "Older Stuff" slashbox on the home page go? I went to my home page preferences to add a Politics slashbox when they added that section (which retroactively contains old politics stories, very nice) and now I don't have "Older Stuff" anymore. It's there when I'm not logged in. But I don't see it listed anymore as a choice in preferences (it should be in bold since it's one of the defaults for non-logged-in users). I'm so confused. Any help? Thanks.
I'd rather be lucky than good.
The article mentions, in fact, that the minimum 'charge' is 0.1 seconds even if the client returns '0' so an exactly 0 time match is impossible.
Another poster's implied dismissal of low time games as 'smack-the-clock' speed chess seems to disregard what is implied in the article - that many people play low-time games because it's commonly believed that you cannot cheat on them. It's not what I think of as chess but if it's widely used for that reason this find is significant.
Bad management trumps ideology - Show the world you want better leadership. http://www.timefornewmanagement.com
As they have done... LONG ago! The application of said algs are generally the users responsibility, as it is in UNIX.
Most people find managing private keys to be "way hard". Even if that management is nothing more than making sure you store a backup of the key offline in case your computer goes poof.
Oh well for the world when lazy people are 99% of the people out there...
The term itself is an oxymoron - that's why it became an adage. The arguments provided in the link are mostly valid, but the reality is that security is helped very little by obscure methods. Obscurity can only help in a very insignificant way, and to such a small degree that it is rarely worth it to implement.
The Caesar cipher wasn't security through obscurity in its time. The key for a Caesar cipher WAS the cryptosystem itself... and that was the state of the art then. Just because we all now know how it works and have since developed advanced methods of cryptanalysis does not mean that it was security through obscurity any more than RSA is in a time where QC and factoring shortcuts are yet undiscovered.
Script kiddies == not a serious threat unless you have a bona fide vulnerability. Diverting script kiddies has little to do with security and everything to do with convenience. If you are running a vulnerable web server on an obscure port, and a script kiddie scan misses it because he is inept, you are not any more secure. If you are secure, it doesn't matter what port you are on, and script kiddies are the least dangerous threat posed to you anyway.
Running a port scan detector doesn't necessarily force a port scan from a skilled cracker, nor are port scans difficult to hide. This is the same point - stopping script kiddies is convenient, but it is not any more secure than running on a known port if your server has a vulnerability.
Slowing down an attacker is also not security unless you are actually looking. The "security" comes almost entirely from actually paying attention in the first place. Besides, time is free for script kiddies. Professional-level crackers with expensive time would not be thwarted by such a small obstacle.
Intrusion detection might be slightly easier using obscure methods, but then again intrusion detection does not constitute security. It's only a minor piece, despite what IDS vendors may tell you - intrusion prevention is much more important. Overall, security is ultimately about cost: making it more costly to get at your stuff than what it is worth, at little cost to you. You have to spend time=money obscuring your setup; if it's only to filter out script kiddies from your intrusion detection results, you may find that you've netted very little time, and therefore very little security.
What a fool believes, he sees, no wise man has the power to reason away.
Don't you mean professor? At least quote it correctly.
This is a good point, and I had thought of that. But then to describe chess as a fair game, a game of chess would actually have to consist of 2 games of chess. Thus, the base unit of play that one would have to partake in (in order to claim that one had played chess) would have to be 2 games.
:D
I am not sure that many people would agree with this boundary. That is, if you played a single game of chess, you would feel safe claiming that you had played a game of chess. If someone came up to you and said, "No way! You have only played 1/2 a game of chess!", you would look at that guy like he was an idiot.
Thus we see that the basic unit of chess is a single game. Thus, the game of chess is unfair (or could be, depending on what you think the advantage may be for going first). You can FIX the game of chess by trying to average out the flaw (again, if it exists). But the idea, I think, is that in the end, the basic game remains unfair.
I hope that makes some sense. I am not sure that it does, but that is what I was thinking at the time.