Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Chess Club Security Defeated

Posted by timothy on from the global-thermonuclear-war dept.

Scott_F writes "Researchers at the University of Colorado at Boulder have been able to defeat the security mechanisms of the Internet Chess Club and can effectively play a zero-time match, as well as have complete control over the game. The paper is titled How to Cheat at Chess: A Security Analysis of the Internet Chess Club. If you're not familiar with the ICC, it is where many Grandmasters play regularly, with rumors of Bobby Fischer making an occasional appearance. It appears that the ICC has relied on security through obscurity, but we all know how poorly that works. Chess, anyone?" Update: 09/08 21:08 GMT by J : In totally unrelated chess news, I found today's commentary on Zermelo's Theorem interesting, both for the math of the game and the look at a mistaken echo chamber.

59 of 264 comments (clear)

  1. Greetings Dr. Falken by Anonymous Coward · · Score: 5, Funny

    Shall we play a game?

  2. Obviously by rf0 · · Score: 4, Funny

    Check Mate in 1 then..

    Rus

    --
    Cheap UK and US VPS
    1. Re:Obviously by Zork+the+Almighty · · Score: 4, Funny

      PAwned!

      --

      In Soviet America the banks rob you!
  3. Pawn to Kings King 1 by ravenspear · · Score: 2, Funny

    Checkmate.

    Doh! No Fair!

  4. Security through obscurity.. by Karamchand · · Score: 3, Interesting

    ..is not as bad as its reputation. Of course it is not enough and you should not rely solely on it. But it can be a helpful part of your whole security-plan. Read more in this interesting paper by Jay Beale, the Lead Developer of the Bastille Linux Project.

    1. Re:Security through obscurity.. by Mateito · · Score: 4, Funny
      Security through obscurity is not as bad as its reputation.

      That's why I post to /. as AC.

      --
      Norman Cook's Ode to Sl
    2. Re:Security through obscurity.. by Frizzle+Fry · · Score: 4, Insightful
      Which misses the point that someone who would attempt to change the server address and port *must* believe that it is effective, otherwise why do it?

      It's called defense in depth. Just because you believe that your underlying security is solid and you know that obscurity by itself wouldn't be a complete solution doesn't mean that adding some obscurity on top of what you have as an extra level of security is a bad idea. Just because I know that you can cross a moat doesn't mean I'm not going to put a moat full of alligators around my castle in addition to the guys on top of the walls with boiling oil and so forth.

      And if you really believe that obscurity never has a place in security, does that mean you will happily give out all your passwords, etc., because they were useless anyway?

      In other news (offtopic), where did my "Older Stuff" slashbox on the home page go? I went to my home page preferences to add a Politics slashbox when they added that section (which retroactively contains old politics stories, very nice) and now I don't have "Older Stuff" anymore. It's there when I'm not logged in. But I don't see it listed anymore as a choice in preferences (it should be in bold since it's one of the defaults for non-logged-in users). I'm so confused. Any help? Thanks.
      --
      I'd rather be lucky than good.
    3. Re:Security through obscurity.. by arvindn · · Score: 3, Interesting

      Wrong. I've read Jay Beale's paper, and he argues that while "security implemented solely through obscurity is bad", obscurity can be a useful extra layer to improve security. But "security implemented solely through obscurity" is precisely what is happening in the ICC case, and a little reverse engineering renders the system completely defenseless. The theoretical reason why the reverse engg. was inevitable is the impossibility of obfuscating programs.

  5. Summary of story by ricotest · · Score: 5, Funny

    Chess club relies on security through obscurity; got cracked. Therefore security through obscurity sucks and its polar opposite, open source security, rules. Therefore open source rules. Therefore Linux rules. Therefore Microsoft sucks. Apple, we don't yet have an established opinion on.

    1. Re:Summary of story by Anonymous Coward · · Score: 2, Funny
      Chess club relies on security through obscurity

      First rule of chess club: Do NOT talk about chess club!
    2. Re:Summary of story by kfg · · Score: 2, Funny

      The story was covered in slashdot, but I can't find a link.

      See how well they hide?

      KFG

    3. Re:Summary of story by Anonymous Coward · · Score: 2, Insightful

      As they have done... LONG ago! The application of said algs are generally the users responsibility, as it is in UNIX.

      Most people find managing private keys to bee "way hard". Even if that management is nothing more that making sure you store a backup of the key offline in case your computer goes poof.

      Oh well for the world when lazy people are 99% of the people out there...

    4. Re:Summary of story by kfg · · Score: 2, Funny

      Apple, we don't yet have an established opinion on.

      Ooooooooooooooo, Shiny!

      KFG

    5. Re:Summary of story by bunratty · · Score: 3, Insightful
      On the other side, security with cryptography/cyphers is mathematically proven to be safe.
      Can you point me to such a proof? A mathematical cryptographic system that can be decrypted in a reasonable amount of time, but is proven unable be cracked in a reasonable amount of time, would amount to a proof that P != NP. Then I can collect my $1000000!
      --
      What a fool believes, he sees, no wise man has the power to reason away.
  6. Just a thought by phaetonic · · Score: 2, Interesting

    Would Yahoo! Games be more secure than ICC? If so, why?

  7. Are the alternatives safer? by GMFTatsujin · · Score: 2, Funny

    I'm always up for a nice game of global thermonuclear war...

  8. cheat at chess?? by spoonyfork · · Score: 4, Funny

    Cheating at chess online?? Like how, an aimbot or something? It isn't like the other player isn't going to notice when your Queen bunnyhops across the board and headshots 4 pawns in a row without missing. Feh.

    --
    Speak truth to power.
    1. Re:cheat at chess?? by Daniel · · Score: 2, Informative

      Most serious chess games are played with a clock; this analysis shows how to rig the clock on ICC.

      Daniel

      --
      Hurry up and jump on the individualist bandwagon!
    2. Re:cheat at chess?? by Mr.+Bad+Example · · Score: 4, Funny

      That'd sure make chess more...interesting.

      White: (castles)

      Black: OMG WTF CAMPING L5M3R N00B

    3. Re:cheat at chess?? by csritchie · · Score: 4, Informative

      Cheating online at chess is much less sophisticated.

      1. Open chess program
      2. Input Opponent's move
      3. Chess program offers best possible countermove

      You never need to know why the move works, how it will help you win or even when mate is near. The program does it all...

      Of course online veterans can spot someone using a program fairly quickly. Some sites even try to discourage it by not letting you move your mouse off the app. If you do your opponent is notified and they can adjourn the game.

      Even then, all you would need is a laptop and some creative timing skills. But if you need to cheat at chess that badly, when it doesn't effect any legitimate rank you may have for the "traditional" clubs, you need are in desperate need of getting laid and should put away the computer...

  9. Sufficient.. by some2 · · Score: 2, Insightful

    security protocol used between client and server provides sufficient security

    If two guys are playing and the game randomly changes, a review of the play list can confirm someone cheated. Therefore, they do have sufficient security. There is a big distinction between having sufficient security and being ultra-secure. You don't secure a pool with armed guards to prevent kids from falling in, you simply build a taller fence.

  10. Ob. Red Dwarf reference by Anonymous Coward · · Score: 5, Funny

    HOLLY: Prawn takes Horsie.
    QUEEG: Bishop-Pawn takes Pawn.
    HOLLY: Bish takes Prawn.
    QUEEG: Bishop to Knight Five. Double Check and Mate, sucker!
    HOLLY: Oh yeah, I didn't see that...
    LISTER: Holly, man, what have you done!?
    RIMMER: He's lost.
    QUEEG: And the loser gets erased.
    HOLLY: Noughts and Crosses?

    1. Re:Ob. Red Dwarf reference by jayhawk88 · · Score: 4, Funny

      And here I thought British humor was dry and impenetrable...

  11. Ah ha! by jszep · · Score: 2, Funny

    That's how Deep Blue won...

  12. Ha! by CGP314 · · Score: 4, Funny

    At long last we have proof that Go is better than Chess. Nobody compromised their server : )

  13. Re:Zero-Time match? by Anonymous Coward · · Score: 2, Informative

    Matches are timed, you have x minutes or seconds to complete your game, sometimes with an increment where after each move y seconds are added to your time remaining.

    A Zero-Time match would mean you've hacked the clock and your moves never take any time.

  14. Can't believe it by Nick+of+NSTime · · Score: 5, Funny

    Wait, an online chess club doesn't have a good defence? Their server has an opening? The whole web site is one big gambit?

  15. The Real Challenge by randall_burns · · Score: 3, Interesting

    Is creating a _really_ secure equivalent of the internet chess club. I see this as a serious opportunity for an open source team to demonstrate how they can do security _right_.

    I can imagine that it _would_ be possible to do some really intersting things that would make remote matches _much_ harder to cheat at(i.e. do things like authenticate who is observing each of the remote players).

    1. Re:The Real Challenge by Scarblac · · Score: 5, Informative

      Is creating a _really_ secure equivalent of the internet chess club. I see this as a serious opportunity for an open source team to demonstrate how they can do security _right_.

      Short history, from memory: Way way back, there was only ICS, the Internet chess server. In 1995, it was turned into the commercial server ICC, the Internet Chess Club, which is still around and going strong. It's closed source and costs money unless you're a grandmaster.

      As a protest to this, FICS, the Free ICS was started. It is, to this day, free "as in beer" (if for a moment we assume that beer is free of charge). It used to be Free as in GPL and avilable from the FTP site.

      However, after others downloaded the Free code and started their own commercial servers with it (and they don't have to distribute their own changes under the GPL, since the software isn't distributed at all, it only runs the server), the code was closed as the developers didn't like working for free for a commercial server. I believe that server was Chess.net.

      Later, FICS new main developer recoded all of FICS, so that none of the GPL code remained - or so he claimed when he sold a copy to a company named GamesParlour during the Internet boom, under some license other than the GPL. He also worked for them for a while. Endless FICS flamewars ensued. There is actually a reasonable chance that his claim is true, since he's been the sole developer for many years now.

      Anyway, some people thought this was reason enough to start a new, open source chess server. The one I know of is chessd. I have no idea about its status.

      To this day, FICS is still the best place to play chess for free for non-GMs, while talking about AI in the religion channel and politics in the politics channel, and everything else in ch 50.

      Oh, and keeping track of time client side, and sending the times to ICC is done there with a utility called "timestamp". On FICS, the equivalent is called "timeseal", and I would be really really surprised if it wasn't at least as vulnerable. I believe there is actually some exploit in the wild. Not many people care though.

      (I'm ElOso on FICS.)

      --
      I believe posters are recognized by their sig. So I made one.
  16. No HTML version. :( by caluml · · Score: 2, Funny

    Why no HTML version? Grrr.

    --
    Get your own free personal location tracker
  17. Adds a whole new meaning... by Mateito · · Score: 2, Funny

    This adds a whole new meaning to

    "y3r p4wn i5 0wn3d!!!"

    --
    Norman Cook's Ode to Sl
    1. Re:Adds a whole new meaning... by Skidge · · Score: 2, Funny

      "y3r p4wn i5 0wn3d!!!"

      y3r p4wn i5 pwn3d.

  18. Legality? by maximilln · · Score: 2, Interesting

    I'm all for it, but...

    Was this legal?

    Aren't there local, state, federal, and international laws against exposing the vulnerability of a private system? Haven't many people already been harassed by the FBI for doing much the same thing with corporate systems? Or do these people get a free pass because they're from a University?

    --
    +++ATHZ 99:5:80
  19. Bobby Fischer in the ICC ? by rainer_d · · Score: 2, Informative
    Well, not currently. He's detained in Japan and has just fought of (temporarily) his deportation to the US.
    Bobby Fischer certainly has a very interesting and complex personality....

    Rainer

    --
    Windows 2000 - from the guys who brought us edlin
  20. Re:Chess is the fairest games of all by VendingMenace · · Score: 4, Insightful

    wouldn't this be the case for more than just chess? Such as checkers, chinese checkers, chineese chess, strategeo, risk, ect.

    (Dare i mention the infamous GO in a chess story?)

    While i am attempting to drop my karma like a rock, i would also add that chess is NOT the fairest of all games, becuase there is a definate difference/advantage depending on what color you are, and thus who goes first. A game in wich this is not the case (or it is compensated for would be even more fair. (here is where my karma takes nose dive :) ) GO is just such a game. The komi (points awarded to the player that goes second) helps eliminate this advantage. As such, i belive that GO is a fairer game.

    I should say that i am not trying to trash talk chess. I enjoy chess just as much as the next guy, and it is terrific game to play -- both for enjoyment and as mental excersise. Above, i was just trying to point out what i thought was wrong with the parent.

  21. What happened exactly? by Old+Wolf · · Score: 4, Insightful

    ICC's game security relies on a program called 'timestamp' that accurately records how much time you used for the move (so that players with more internet latency than others don't get penalised).
    This timestamp program is not open source but they publish a binary version for various operating systems.
    It sounds as if someone has hacked this (ie. so you can tell it that your move took 0.1 seconds -- the server deliberately does not allow moves to be faster than 0.1 seconds). If you have ever played a timed chess game (especially, one with short times, eg. 1 minute per game), you will know that this represents a huge advantage.

    I don't know what the article means about "complete control over the game", the server does not allow illegal moves etc. -- unless they have somehow hacked into the server, or managed to insert packets into the TCP/IP connections between the server and the opponent (which would be a problem with FreeBSD or the opponent's OS).

    Also the article mentions 'network security protocol', which is odd given that you can play games there by a plain telnet connection (telnet to chessclub.com:23 or chessclub.com:5080) or any 3rd party clients with no security.

    The Windows client software supplied by ICC includes some un-documented security to validate itself (ie. let the server know you are using this piece of software and not a 3rd-party client), this is useful for detecting if people are trying to cheat by getting a chess-playing program to automatically play their moves for them.

    And finally, I fear that a "robustification" of timestamp, to use accepted open security mechanisms, would end up in greater lag for the players -- either due to greater packet sizes, or greater processing power required by the client or the server (which has to do this for 4000+ connections at once), which is a pity (even 20ms is noticeable in a speed game of chess).

    Anyone have more information?

    1. Re:What happened exactly? by 14erCleaner · · Score: 5, Informative
      Anyone have more information?

      You could read the actual paper, but this is Slashdot, after all...

      Yes, they hacked the Linux version of the timestamp client to send zero move times. They also reverse-engineered the timestamp protocol.

      Security is an issue because they're exchanging passwords and credit-card numbers with the client. The authors were able to crack the "encryption" being used to transmit this stuff (a 100-byte one-time pad) by sniffing only 10 bytes (it was a very predictable sequence). The client and server also exchange two 64-bit keys in the open when the session is opened, which are used to generate the 100-byte pad.

      --
      Have you read my blog lately?
    2. Re:What happened exactly? by vadim_t · · Score: 2, Informative

      Well, the concept of an OTP always has "truly random" mentioned somewhere in it. It's because the whole thing works on the idea that by adding truly random noise to a message produces something that looks like more noise.

  22. Security Rule # 1 by UrgleHoth · · Score: 5, Funny

    The first rule of Chess Club is - you do not talk about Chess Club.

    --

    Dogma - "let's just say we'd like to avoid any empirical entanglements."
  23. Security through obscurity meme... by Alomex · · Score: 2, Insightful

    The RSA company created the "security through obscurity is useless" meme as a way to sell their product (public key cryptosystems).

    However, in reality all security is through obscurity. For one you need to keep the (private) key secret.

    In practice, good security is composed of several layers, one of which should be obscurity. For example, you might RSA/ssh restrict access to a host, but it still pays to (a) not advertise its existence (b) make it insconpicuous (c) close logins to an account after more than three failed attempts (d) keep the communication protocol secret (e) place a good lock on the door to the computer room (f) not write the password on a post it note and place it in your drawer (g) ... you get the idea.

    Notice how many of those listed above derive security from obscurity in practical, effective ways.

    1. Re:Security through obscurity meme... by HeghmoH · · Score: 4, Insightful

      However, in reality all security is through obscurity. For one you need to keep the (private) key secret.

      That is not what "security through obscurity" means. The term refers to keep things other than the key secret, such as the algorithm, the magic key combination needed to get the password prompt, etc.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  24. Cheating through outside programs by Deliveranc3 · · Score: 2, Insightful

    In chess on Yahoo many of the top players use a chess program it's really simple:
    set it to super hard
    move as your oponent
    lose to computer you win.

    In FPS' Anyone who's been to a lan cafe has seen screen watching but it's little brother talking on the phone or using a voice comm program to communicate with teamates (while alive and dead).

    The worst part about cheats like these is that the cheater doesn't think they are cheating, if you ask they won't know what you are talking about.

    It's fine in matches where both teams are doing it but in public servers it's definitly cheating, in some games like quake or CS(With death cams it's kind of a problem it's not always obvious but in games that rely heavily on knowledge such as raven shield knowing where your teamate was shot from after he dies can be decisive.

    Please people if you have access to information your opponents cannot possibly have access to consider what you are doing to the game.

    I like things like death cams and teamwork but I'd have to take steps against this kind of thing if I was running a server, though usually the people running servers are the worst offenders, Ventrillo anyone?

  25. Re:Chess is the fairest games of all by HeghmoH · · Score: 4, Insightful

    There's an easy way to fix the unfairness in Chess. Play an even number of games, alternating sides, and see who comes out on top in the end. I think it's no coincidence that this is what's actually done in tournaments.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  26. Re:I'm not surprised by stratjakt · · Score: 2

    No, why would you?

    People play chess because they enjoy chess. Why would someone play just to cheat? What's the reward?

    "Time chess" aside, how could you cheat anyways? As soon as I see a rook move diagonally, or two pieces move at a time, I know theres cheating. How exactly do you "cheat" at chess without it being blatantly obvious?

    Now if they found out how to "cheat" at blackjack or poker on an online Casino, that's something to talk about. There's cash money involved. People generally secure things where there's something to lose.

    You want to come over and play chess, and start knocking my pieces off when I'm not looking and shit, go ahead. It just makes you an idiot.

    I just don't see the big whoop with this story. It makes sense that the ICC isn't the Fort Knox of the internet, why would it be?

    --
    I don't need no instructions to know how to rock!!!!
  27. Hmm by Dirtside · · Score: 2, Funny

    Looks like the only winning move is not to play.

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  28. FICS by bcrowell · · Score: 3, Interesting

    FICS is better than ICC anway. FICS is free. ICC makes you pay.

    --
    Find free books.
  29. Integrated timestamping by SashaM · · Score: 5, Informative

    The article says that no unix chess client comes with integrated timestamping, which is a good reason to plug mine - Jin, which does.

    Also, I'm an ICC admin and I can tell you that we're looking into the issue and will probably publish an official response later.

  30. Re:Zero-Time match? by phearlez · · Score: 2, Insightful

    The article mentions, in fact, that the minimum 'charge' is 0.1 seconds even if the client returns '0' so an exactly 0 time match is impossible.

    Another poster's implied dismissal of low time games as 'smack-the-clock' speed chess seems to disregard what is implied in the article - that many people play low-time games because it's commonly believed that you cannot cheat on them. It's not what I think of as chess but if it's widely used for that reason this find is significant.

    --
    Bad management trumps ideology - Show the world you want better leadership. http://www.timefornewmanagement.com
  31. Re:Bobby Fischer in the ICC ? by poot_rootbeer · · Score: 5, Funny

    he don't play chess anymore, only 'FisherRandom', special chess with altered rules he invented. Basically, you shuffle backrank pieces identically for both players

    And why doesn't he shuffle the front pieces, too? That would make it even more interesting.

    (I know only just enough about chess to make this post.)

  32. Heard the talk by arvindn · · Score: 2
    John Black (first author) presented this at the Crypto 2004 rump session. It was a fantastic talk, and I was fortunate to be there.

    In general the timestamping problem is clearly an insoluble one, because the server has no way to tell if the human took only as much time to think as the client software claims. Obfuscation is a stopgap solution that deters the casual attacker, but there is no cryptographic solution apart from "trusted" hardware (yikes).

    The way the music/movie industry has tackled the problem is to go on the offensive and call everyone a criminal. Let's see what the ICC does.

  33. Re:FICS by SashaM · · Score: 3, Informative

    FICS is not better on the timestamping front though. Their own algorithm, called timeseal is not any more secure than timestamping. I know because I wrote a client for both ICC and FICS.

  34. In Related Chess News... by evilninja · · Score: 2, Informative

    There are several new stories today about Bobby Fischer winning a deportation injunction in Japan.

  35. Re:Chess is the fairest games of all by ComputerSlicer23 · · Score: 2, Informative
    Actually it's an open question if chess is a fair game or not. You are actually making the implicity assumption that moving first is an advantage. There are games where going second is an advantage.

    Risk isn't a fair game, in the sense that it involves random elements, rather then purely skill. Checkers is probably a fair game, however, there are some varitions to it's standard rules.

    http://en.wikipedia.org/wiki/Solved_board_games

    According to that page, reversi is just such a game.

    It's entirely possible that Chess is just such a game, that Black and run the perfect counter to whatever it is that White does. Most people believe that playing White is an advantage (in practice it appears to be), however, it theory it isn't in any way. Go is also another open question as to it's fairness in the end.

    Kirby

  36. Hackers games by frakir · · Score: 2, Interesting

    Authors of that analysis took really hard way to crack icc binary timestamp. Takes about 2 hours to get ICC java client, find java timeseal class and disassemble it. Same is true for FICS (freechess.org).
    Been there, done that (also once wrote a client app for both servers).

    While writing timestamp version with public/private key authentication would work against snooping CC numbers, lag info can always be altered with simpler means then cracking timestamp. For apps using local clock system calls can always be hooked/intercepted (someone did that in Linux about a year ago)

  37. Busted. by pokeyburro · · Score: 4, Funny

    Looks like you gave yourself away there. Now we know Anonymous Coward is really Mateito (746185).

    --
    Lately democracy seems to be based on the skybox, the Happy Meal box, the X-box, and the idiot box.
  38. Visual pun at the end of Aliens... by vudufixit · · Score: 2, Funny

    "Queen takes Bishop"

  39. hey! by Zilfondel2 · · Score: 2, Funny

    You insensitive clod!

    I'll...uh...challenge you to a game of chess for such an insult!

  40. Re:Um... by itriedeverythingelse · · Score: 2, Insightful

    Don'y you mean professor? At least quote it correctly.

  41. Re:Chess is the fairest games of all by VendingMenace · · Score: 2, Insightful

    This is a good point, and i had thougth of that. But then to desribe chess as a fair game, a game of chess would actually have to consist of 2 games of chess. Thus, the base unit of play that one would have to partake in (in order to claim that one had played chess) would have to be 2 games.

    I am not sure that many people would agree with this boundry. That is, if you played a single game of chess, you would feel safe claiming that you had played a game of chess. If soemone came up to you and said, "No way!, you have only played 1/2 a game of chess!", you would look at that guy like he was an idiot.

    Thus we see that the basic unit of chess is a single game. Thus, the game of chess is unfair (or could be, depending on what you think the advantage may be for going first). You can FIX the game of chess, by trying to average out the flaw (again, if it exists). But the idea, i think, is that in the end, the basic game remains unfair.

    I hope that makes some sense. I am not sure that it does, but that is what i was thinking at the time :D