Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Chess Club Security Defeated

Posted by timothy on from the global-thermonuclear-war dept.

Scott_F writes "Researchers at the University of Colorado at Boulder have been able to defeat the security mechanisms of the Internet Chess Club and can effectively play a zero-time match, as well as have complete control over the game. The paper is titled How to Cheat at Chess: A Security Analysis of the Internet Chess Club. If you're not familiar with the ICC, it is where many Grandmasters play regularly, with rumors of Bobby Fischer making an occasional appearance. It appears that the ICC has relied on security through obscurity, but we all know how poorly that works. Chess, anyone?" Update: 09/08 21:08 GMT by J : In totally unrelated chess news, I found today's commentary on Zermelo's Theorem interesting, both for the math of the game and the look at a mistaken echo chamber.

9 of 264 comments (clear)

  1. Greetings Dr. Falken by Anonymous Coward · · Score: 5, Funny

    Shall we play a game?

  2. Summary of story by ricotest · · Score: 5, Funny

    Chess club relies on security through obscurity; got cracked. Therefore security through obscurity sucks and its polar opposite, open source security, rules. Therefore open source rules. Therefore Linux rules. Therefore Microsoft sucks. Apple, we don't yet have an established opinion on.

  3. Ob. Red Dwarf reference by Anonymous Coward · · Score: 5, Funny

    HOLLY: Prawn takes Horsie.
    QUEEG: Bishop-Pawn takes Pawn.
    HOLLY: Bish takes Prawn.
    QUEEG: Bishop to Knight Five. Double Check and Mate, sucker!
    HOLLY: Oh yeah, I didn't see that...
    LISTER: Holly, man, what have you done!?
    RIMMER: He's lost.
    QUEEG: And the loser gets erased.
    HOLLY: Noughts and Crosses?

  4. Can't believe it by Nick+of+NSTime · · Score: 5, Funny

    Wait, an online chess club doesn't have a good defence? Their server has an opening? The whole web site is one big gambit?

  5. Security Rule # 1 by UrgleHoth · · Score: 5, Funny

    The first rule of Chess Club is - you do not talk about Chess Club.

    --

    Dogma - "let's just say we'd like to avoid any empirical entanglements."
  6. Re:What happened exactly? by 14erCleaner · · Score: 5, Informative
    Anyone have more information?

    You could read the actual paper, but this is Slashdot, after all...

    Yes, they hacked the Linux version of the timestamp client to send zero move times. They also reverse-engineered the timestamp protocol.

    Security is an issue because they're exchanging passwords and credit-card numbers with the client. The authors were able to crack the "encryption" being used to transmit this stuff (a 100-byte one-time pad) by sniffing only 10 bytes (it was a very predictable sequence). The client and server also exchange two 64-bit keys in the open when the session is opened, which are used to generate the 100-byte pad.

    --
    Have you read my blog lately?
  7. Integrated timestamping by SashaM · · Score: 5, Informative

    The article says that no unix chess client comes with integrated timestamping, which is a good reason to plug mine - Jin, which does.

    Also, I'm an ICC admin and I can tell you that we're looking into the issue and will probably publish an official response later.

  8. Re:Bobby Fischer in the ICC ? by poot_rootbeer · · Score: 5, Funny

    he don't play chess anymore, only 'FisherRandom', special chess with altered rules he invented. Basically, you shuffle backrank pieces identically for both players

    And why doesn't he shuffle the front pieces, too? That would make it even more interesting.

    (I know only just enough about chess to make this post.)

  9. Re:The Real Challenge by Scarblac · · Score: 5, Informative

    Is creating a _really_ secure equivalent of the internet chess club. I see this as a serious opportunity for an open source team to demonstrate how they can do security _right_.

    Short history, from memory: Way way back, there was only ICS, the Internet chess server. In 1995, it was turned into the commercial server ICC, the Internet Chess Club, which is still around and going strong. It's closed source and costs money unless you're a grandmaster.

    As a protest to this, FICS, the Free ICS was started. It is, to this day, free "as in beer" (if for a moment we assume that beer is free of charge). It used to be Free as in GPL and avilable from the FTP site.

    However, after others downloaded the Free code and started their own commercial servers with it (and they don't have to distribute their own changes under the GPL, since the software isn't distributed at all, it only runs the server), the code was closed as the developers didn't like working for free for a commercial server. I believe that server was Chess.net.

    Later, FICS new main developer recoded all of FICS, so that none of the GPL code remained - or so he claimed when he sold a copy to a company named GamesParlour during the Internet boom, under some license other than the GPL. He also worked for them for a while. Endless FICS flamewars ensued. There is actually a reasonable chance that his claim is true, since he's been the sole developer for many years now.

    Anyway, some people thought this was reason enough to start a new, open source chess server. The one I know of is chessd. I have no idea about its status.

    To this day, FICS is still the best place to play chess for free for non-GMs, while talking about AI in the religion channel and politics in the politics channel, and everything else in ch 50.

    Oh, and keeping track of time client side, and sending the times to ICC is done there with a utility called "timestamp". On FICS, the equivalent is called "timeseal", and I would be really really surprised if it wasn't at least as vulnerable. I believe there is actually some exploit in the wild. Not many people care though.

    (I'm ElOso on FICS.)

    --
    I believe posters are recognized by their sig. So I made one.