Slashdot Mirror


Internet Chess Club Security Defeated

Scott_F writes "Researchers at the University of Colorado at Boulder have been able to defeat the security mechanisms of the Internet Chess Club and can effectively play a zero-time match, as well as have complete control over the game. The paper is titled How to Cheat at Chess: A Security Analysis of the Internet Chess Club. If you're not familiar with the ICC, it is where many Grandmasters play regularly, with rumors of Bobby Fischer making an occasional appearance. It appears that the ICC has relied on security through obscurity, but we all know how poorly that works. Chess, anyone?" Update: 09/08 21:08 GMT by J : In totally unrelated chess news, I found today's commentary on Zermelo's Theorem interesting, both for the math of the game and the look at a mistaken echo chamber.

8 of 264 comments

  1. Security through obscurity.. by Karamchand · · Score: 3, Interesting

    ..is not as bad as its reputation. Of course it is not enough and you should not rely solely on it. But it can be a helpful part of your whole security-plan. Read more in this interesting paper by Jay Beale, the Lead Developer of the Bastille Linux Project.

    1. Re:Security through obscurity.. by arvindn · · Score: 3, Interesting

      Wrong. I've read Jay Beale's paper, and he argues that while "security implemented solely through obscurity is bad", obscurity can be a useful extra layer to improve security. But "security implemented solely through obscurity" is precisely what is happening in the ICC case, and a little reverse engineering renders the system completely defenseless. The theoretical reason why the reverse engineering was inevitable is the impossibility of obfuscating programs.

  2. Just a thought by phaetonic · · Score: 2, Interesting

    Would Yahoo! Games be more secure than ICC? If so, why?

  3. The Real Challenge by randall_burns · · Score: 3, Interesting

    Is creating a _really_ secure equivalent of the internet chess club. I see this as a serious opportunity for an open source team to demonstrate how they can do security _right_.

    I can imagine that it _would_ be possible to do some really interesting things that would make remote matches _much_ harder to cheat at (i.e. do things like authenticate who is observing each of the remote players).

  4. Legality? by maximilln · · Score: 2, Interesting

    I'm all for it, but...

    Was this legal?

    Aren't there local, state, federal, and international laws against exposing the vulnerability of a private system? Haven't many people already been harassed by the FBI for doing much the same thing with corporate systems? Or do these people get a free pass because they're from a University?

    --
    +++ATHZ 99:5:80

  5. Stale news by Anonymous Coward · · Score: 1, Interesting

    I haven't read the paper, but my bet is that it's an exploit of timestamp, a program that adds time to the clock to compensate for lag. This was exploited two years ago on FICS, and such an exploit for ICC (they run off of similar codebases, including timeseal/timestamp IIRC) was inevitable. The hacked copy of timestamp rolls back the system clock a few milliseconds each move, thus making the server see it as lag.
    Now, they just ban users that use the exploit.
    If you're going to post a story, at least make sure it's recent.

  6. FICS by bcrowell · · Score: 3, Interesting

    FICS is better than ICC anyway. FICS is free. ICC makes you pay.

  7. Hackers games by frakir · · Score: 2, Interesting

    Authors of that analysis took a really hard way to crack the icc binary timestamp. Takes about 2 hours to get the ICC java client, find the java timeseal class and disassemble it. Same is true for FICS (freechess.org).
    Been there, done that (also once wrote a client app for both servers).

    While writing a timestamp version with public/private key authentication would work against snooping CC numbers, lag info can always be altered with simpler means than cracking timestamp. For apps using the local clock, system calls can always be hooked/intercepted (someone did that in Linux about a year ago).
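
Comments 5 and 7 both come down to the server crediting whatever lag the client reports. A server-side consistency check for that, added here as an example and not code from ICC, FICS, timestamp/timeseal or the paper: the per-move fields, the independent server-measured ping, and the thresholds are assumptions, and both sample games are constructed.

```python
from dataclasses import dataclass

@dataclass
class Move:
    server_sent_ms: int   # server clock when the opponent's move was sent to the client
    server_recv_ms: int   # server clock when the client's reply arrived
    client_think_ms: int  # think time reported by the client (untrusted input)
    ping_rtt_ms: int      # RTT measured by the server itself (assumed available)

def audit_moves(moves, tolerance_ms=150, max_flag_ratio=0.3):
    """Return (flagged, total_lag_credit_ms, suspicious) for one player's moves."""
    flagged, total_credit = [], 0
    for i, m in enumerate(moves):
        elapsed = m.server_recv_ms - m.server_sent_ms
        # A report that is negative or longer than the server-observed
        # interval cannot come from an honest clock.
        if m.client_think_ms < 0 or m.client_think_ms > elapsed:
            flagged.append((i, "impossible think time"))
            continue
        # Whatever the client does not claim as thinking is credited as lag.
        implied_lag = elapsed - m.client_think_ms
        total_credit += implied_lag
        # Lag credit should roughly match what the server measured itself.
        if implied_lag > m.ping_rtt_ms + tolerance_ms:
            flagged.append((i, "lag exceeds measured RTT"))
    suspicious = len(flagged) > max_flag_ratio * len(moves)
    return flagged, total_credit, suspicious

# Constructed sample: reported think time plus measured RTT explains each interval.
HONEST = [
    Move(0, 5200, 5000, 180),
    Move(10000, 13150, 3000, 160),
    Move(20000, 28250, 8000, 200),
]
# Constructed sample: same server-side timings, but the client under-reports
# its think time on two moves, so seconds of thinking show up as "lag".
TAMPERED = [
    Move(0, 5200, 1200, 180),
    Move(10000, 13150, 900, 160),
    Move(20000, 28250, 8000, 200),
]

if __name__ == "__main__":
    for name, game in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, audit_moves(game))
```

The check only bounds how much lag a client can claim; as comment 7 notes, signing the reports does not help when the clock feeding them is under the player's control.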