Slashdot Mirror


Internet Chess Club Security Defeated

Scott_F writes "Researchers at the University of Colorado at Boulder have been able to defeat the security mechanisms of the Internet Chess Club and can effectively play a zero-time match, as well as have complete control over the game. The paper is titled How to Cheat at Chess: A Security Analysis of the Internet Chess Club. If you're not familiar with the ICC, it is where many Grandmasters play regularly, with rumors of Bobby Fischer making an occasional appearance. It appears that the ICC has relied on security through obscurity, but we all know how poorly that works. Chess, anyone?" Update: 09/08 21:08 GMT by J : In totally unrelated chess news, I found today's commentary on Zermelo's Theorem interesting, both for the math of the game and the look at a mistaken echo chamber.

23 of 264 comments

  1. Greetings Dr. Falken by Anonymous Coward · · Score: 5, Funny

    Shall we play a game?

  2. Obviously by rf0 · · Score: 4, Funny

    Check Mate in 1 then..

    Rus

    1. Re:Obviously by Zork+the+Almighty · · Score: 4, Funny

      PAwned!

      --

      In Soviet America the banks rob you!
  3. Summary of story by ricotest · · Score: 5, Funny

    Chess club relies on security through obscurity; got cracked. Therefore security through obscurity sucks and its polar opposite, open source security, rules. Therefore open source rules. Therefore Linux rules. Therefore Microsoft sucks. Apple, we don't yet have an established opinion on.

  4. cheat at chess?? by spoonyfork · · Score: 4, Funny

    Cheating at chess online?? Like how, an aimbot or something? It isn't like the other player isn't going to notice when your Queen bunnyhops across the board and headshots 4 pawns in a row without missing. Feh.

    --
    Speak truth to power.
    1. Re:cheat at chess?? by Mr.+Bad+Example · · Score: 4, Funny

      That'd sure make chess more...interesting.

      White: (castles)

      Black: OMG WTF CAMPING L5M3R N00B

    2. Re:cheat at chess?? by csritchie · · Score: 4, Informative

      Cheating online at chess is much less sophisticated.

      1. Open chess program
      2. Input Opponent's move
      3. Chess program offers best possible countermove

      You never need to know why the move works, how it will help you win or even when mate is near. The program does it all...

      Of course online veterans can spot someone using a program fairly quickly. Some sites even try to discourage it by not letting you move your mouse off the app. If you do your opponent is notified and they can adjourn the game.

      Even then, all you would need is a laptop and some creative timing skills. But if you need to cheat at chess that badly, when it doesn't affect any legitimate rank you may have for the "traditional" clubs, you are in desperate need of getting laid and should put away the computer...

  5. Ob. Red Dwarf reference by Anonymous Coward · · Score: 5, Funny

    HOLLY: Prawn takes Horsie.
    QUEEG: Bishop-Pawn takes Pawn.
    HOLLY: Bish takes Prawn.
    QUEEG: Bishop to Knight Five. Double Check and Mate, sucker!
    HOLLY: Oh yeah, I didn't see that...
    LISTER: Holly, man, what have you done!?
    RIMMER: He's lost.
    QUEEG: And the loser gets erased.
    HOLLY: Noughts and Crosses?

    1. Re:Ob. Red Dwarf reference by jayhawk88 · · Score: 4, Funny

      And here I thought British humor was dry and impenetrable...

  6. Re:Security through obscurity.. by Mateito · · Score: 4, Funny
    Security through obscurity is not as bad as its reputation.

    That's why I post to /. as AC.

  7. Ha! by CGP314 · · Score: 4, Funny

    At long last we have proof that Go is better than Chess. Nobody compromised their server : )

  8. Can't believe it by Nick+of+NSTime · · Score: 5, Funny

    Wait, an online chess club doesn't have a good defence? Their server has an opening? The whole web site is one big gambit?

  9. Re:Chess is the fairest games of all by VendingMenace · · Score: 4, Insightful

    Wouldn't this be the case for more than just chess? Such as checkers, Chinese checkers, Chinese chess, Stratego, Risk, etc.

    (Dare I mention the infamous GO in a chess story?)

    While I am attempting to drop my karma like a rock, I would also add that chess is NOT the fairest of all games, because there is a definite difference/advantage depending on what color you are, and thus who goes first. A game in which this is not the case (or it is compensated for) would be even more fair. (here is where my karma takes a nose dive :) ) GO is just such a game. The komi (points awarded to the player that goes second) helps eliminate this advantage. As such, I believe that GO is a fairer game.

    I should say that I am not trying to trash talk chess. I enjoy chess just as much as the next guy, and it is a terrific game to play -- both for enjoyment and as mental exercise. Above, I was just trying to point out what I thought was wrong with the parent.

  10. What happened exactly? by Old+Wolf · · Score: 4, Insightful

    ICC's game security relies on a program called 'timestamp' that accurately records how much time you used for the move (so that players with more internet latency than others don't get penalised).
    This timestamp program is not open source but they publish a binary version for various operating systems.
    It sounds as if someone has hacked this (ie. so you can tell it that your move took 0.1 seconds -- the server deliberately does not allow moves to be faster than 0.1 seconds). If you have ever played a timed chess game (especially, one with short times, eg. 1 minute per game), you will know that this represents a huge advantage.

    I don't know what the article means about "complete control over the game", the server does not allow illegal moves etc. -- unless they have somehow hacked into the server, or managed to insert packets into the TCP/IP connections between the server and the opponent (which would be a problem with FreeBSD or the opponent's OS).

    Also the article mentions 'network security protocol', which is odd given that you can play games there by a plain telnet connection (telnet to chessclub.com:23 or chessclub.com:5080) or any 3rd party clients with no security.

    The Windows client software supplied by ICC includes some un-documented security to validate itself (ie. let the server know you are using this piece of software and not a 3rd-party client), this is useful for detecting if people are trying to cheat by getting a chess-playing program to automatically play their moves for them.

    And finally, I fear that a "robustification" of timestamp, to use accepted open security mechanisms, would end up in greater lag for the players -- either due to greater packet sizes, or greater processing power required by the client or the server (which has to do this for 4000+ connections at once), which is a pity (even 20ms is noticeable in a speed game of chess).

    Anyone have more information?

    1. Re:What happened exactly? by 14erCleaner · · Score: 5, Informative
      Anyone have more information?

      You could read the actual paper, but this is Slashdot, after all...

      Yes, they hacked the Linux version of the timestamp client to send zero move times. They also reverse-engineered the timestamp protocol.

      Security is an issue because they're exchanging passwords and credit-card numbers with the client. The authors were able to crack the "encryption" being used to transmit this stuff (a 100-byte one-time pad) by sniffing only 10 bytes (it was a very predictable sequence). The client and server also exchange two 64-bit keys in the open when the session is opened, which are used to generate the 100-byte pad.

      --
      Have you read my blog lately?
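
An added example, not part of the thread and not ICC's code: a server-side plausibility check for client-reported move times, the trust gap the two comments above describe. The `Move` fields, the `SLACK_S` tolerance and the server-measured RTT are assumptions; only the 0.1 second floor comes from the thread.

```python
from dataclasses import dataclass

MIN_MOVE_S = 0.1   # floor quoted in the thread: server rejects faster moves
SLACK_S = 0.25     # assumed tolerance for jitter on top of the measured RTT

@dataclass
class Move:
    sent_at: float    # server clock: opponent's move delivered to this client
    recv_at: float    # server clock: this client's reply arrived
    claimed_s: float  # think time reported by the client-side timer
    rtt_s: float      # round trip the server measured itself (assumed available)

def check_move(m: Move) -> list[str]:
    """Return reasons the client-reported time is implausible (empty if fine)."""
    reasons = []
    elapsed = m.recv_at - m.sent_at
    if m.claimed_s < MIN_MOVE_S:
        reasons.append("below_floor")
    if m.claimed_s > elapsed + SLACK_S:
        reasons.append("claims_more_than_elapsed")
    # Whatever the client did not claim as thinking is implied network lag.
    implied_lag = elapsed - m.claimed_s
    if implied_lag > m.rtt_s + SLACK_S:
        reasons.append("unexplained_lag")
    return reasons

def charge(m: Move) -> float:
    """Clock time to deduct: trust the claim only when it is plausible."""
    if check_move(m):
        # Fall back to server-observed time minus the lag the server can verify.
        return max(MIN_MOVE_S, (m.recv_at - m.sent_at) - m.rtt_s)
    return m.claimed_s

def suspicious_fraction(moves: list[Move]) -> float:
    """Share of a game's moves whose reported time failed the check."""
    flagged = sum(1 for m in moves if check_move(m))
    return flagged / len(moves) if moves else 0.0

# Constructed sample data (not captured traffic).
HONEST = [Move(0.0, 4.30, 4.1, 0.18), Move(10.0, 12.05, 1.9, 0.20)]
TAMPERED = [Move(0.0, 6.00, 0.1, 0.18), Move(10.0, 13.50, 0.0, 0.20)]

if __name__ == "__main__":
    for name, game in (("honest", HONEST), ("tampered", TAMPERED)):
        print(name, [check_move(m) for m in game], [round(charge(m), 2) for m in game])
```

A genuine lag spike trips the same check as a tampered timer, so the per-game fraction is a better signal than any single flagged move.
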
  11. Security Rule # 1 by UrgleHoth · · Score: 5, Funny

    The first rule of Chess Club is - you do not talk about Chess Club.

    --

    Dogma - "let's just say we'd like to avoid any empirical entanglements."
  12. Re:Chess is the fairest games of all by HeghmoH · · Score: 4, Insightful

    There's an easy way to fix the unfairness in Chess. Play an even number of games, alternating sides, and see who comes out on top in the end. I think it's no coincidence that this is what's actually done in tournaments.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  13. Re:Security through obscurity.. by Frizzle+Fry · · Score: 4, Insightful
    Which misses the point that someone who would attempt to change the server address and port *must* believe that it is effective, otherwise why do it?

    It's called defense in depth. Just because you believe that your underlying security is solid and you know that obscurity by itself wouldn't be a complete solution doesn't mean that adding some obscurity on top of what you have as an extra level of security is a bad idea. Just because I know that you can cross a moat doesn't mean I'm not going to put a moat full of alligators around my castle in addition to the guys on top of the walls with boiling oil and so forth.

    And if you really believe that obscurity never has a place in security, does that mean you will happily give out all your passwords, etc., because they were useless anyway?

    In other news (offtopic), where did my "Older Stuff" slashbox on the home page go? I went to my home page preferences to add a Politics slashbox when they added that section (which retroactively contains old politics stories, very nice) and now I don't have "Older Stuff" anymore. It's there when I'm not logged in. But I don't see it listed anymore as a choice in preferences (it should be in bold since it's one of the defaults for non-logged-in users). I'm so confused. Any help? Thanks.
    --
    I'd rather be lucky than good.
  14. Integrated timestamping by SashaM · · Score: 5, Informative

    The article says that no unix chess client comes with integrated timestamping, which is a good reason to plug mine - Jin, which does.

    Also, I'm an ICC admin and I can tell you that we're looking into the issue and will probably publish an official response later.

  15. Re:Bobby Fischer in the ICC ? by poot_rootbeer · · Score: 5, Funny

    he don't play chess anymore, only 'FisherRandom', special chess with altered rules he invented. Basically, you shuffle backrank pieces identically for both players

    And why doesn't he shuffle the front pieces, too? That would make it even more interesting.

    (I know only just enough about chess to make this post.)

  16. Re:Security through obscurity meme... by HeghmoH · · Score: 4, Insightful

    However, in reality all security is through obscurity. For one you need to keep the (private) key secret.

    That is not what "security through obscurity" means. The term refers to keeping things other than the key secret, such as the algorithm, the magic key combination needed to get the password prompt, etc.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  17. Re:The Real Challenge by Scarblac · · Score: 5, Informative

    Is creating a _really_ secure equivalent of the internet chess club. I see this as a serious opportunity for an open source team to demonstrate how they can do security _right_.

    Short history, from memory: Way way back, there was only ICS, the Internet chess server. In 1995, it was turned into the commercial server ICC, the Internet Chess Club, which is still around and going strong. It's closed source and costs money unless you're a grandmaster.

    As a protest to this, FICS, the Free ICS was started. It is, to this day, free "as in beer" (if for a moment we assume that beer is free of charge). It used to be Free as in GPL and available from the FTP site.

    However, after others downloaded the Free code and started their own commercial servers with it (and they don't have to distribute their own changes under the GPL, since the software isn't distributed at all, it only runs the server), the code was closed as the developers didn't like working for free for a commercial server. I believe that server was Chess.net.

    Later, FICS's new main developer recoded all of FICS, so that none of the GPL code remained - or so he claimed when he sold a copy to a company named GamesParlour during the Internet boom, under some license other than the GPL. He also worked for them for a while. Endless FICS flamewars ensued. There is actually a reasonable chance that his claim is true, since he's been the sole developer for many years now.

    Anyway, some people thought this was reason enough to start a new, open source chess server. The one I know of is chessd. I have no idea about its status.

    To this day, FICS is still the best place to play chess for free for non-GMs, while talking about AI in the religion channel and politics in the politics channel, and everything else in ch 50.

    Oh, and keeping track of time client side, and sending the times to ICC is done there with a utility called "timestamp". On FICS, the equivalent is called "timeseal", and I would be really really surprised if it wasn't at least as vulnerable. I believe there is actually some exploit in the wild. Not many people care though.

    (I'm ElOso on FICS.)

    --
    I believe posters are recognized by their sig. So I made one.
  18. Busted. by pokeyburro · · Score: 4, Funny

    Looks like you gave yourself away there. Now we know Anonymous Coward is really Mateito (746185).

    --
    Lately democracy seems to be based on the skybox, the Happy Meal box, the X-box, and the idiot box.