Colorado Researchers Crack Internet Chess Club
edpin writes "University of Colorado at Boulder students hacked the 30,000-plus-member Internet Chess Club as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students reverse-engineered the service to up their ranks and steal passwords." Update: 10/10 23:05 GMT by T : Reader Bryan Rapp points out that this story duplicates the one posted last month -- sorry about that.
Internet Chess Club Security Defeated
we're still using stupid magnetic cards for our daily _BANK_ usage...
As I'm Bobby Fischer.
It seems like only yesterday that the site was hacked, and now it has happened again?
Those admins need a good kick up the backside.
...what the hell are the ethics of edu-hacking? That's pretty weird, if you ask me. It could be considered like white hat except that it's done for the hacker's benefit as well, but still... it seems a little fishy. I mean, would you go through an Anarchist's Cookbook with your teacher?
Maybe that's just me. *shrug*
Kind of dick move, no?
They proved their point by putting themselves high up in the ranks.
A legitimate Research project should NOT have involved messing with other people's accounts.
If you want to do that, have some person known to the researchers make up an account with the express purpose of their team trying to steal the password.
...Also, I didn't know Buggalo could fly.
if we can mod stories as dupe, we can set the threshold high enough so we can never have to deal with idiot editors posting dupes again!!!
technically the story it links to is new, though, but it's about an old thing.
now.. about these dupes.. just one thing makes me wonder, do the editors have extremely bad memory or don't they follow slashdot at all themselves? since in most cases a regular reader remembers if he has seen the same story (or one with a lot of resemblance) before. and hell, theoretically they should have more time than 20 secs per story they pass, so they could have put "chess" into the old stories search.
now, on things that need refreshing or something, 'follow-up' stories could be worthwhile doing, but not reporting them as totally new.
world was created 5 seconds before this post as it is.
by influencing crackers to dupe their cracks, thus saving other organisations from their unwanted attention.
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
You don't have to give yourself all the trouble of defeating security to be a chess star on Internet. Just run a copy of fritz on another computer while you 'play'... instant skill!
This is why is stopped playing online. Nothing beats a real game of chess, in front of a real person anyway. Reactions from your opponent are almost as important as in poker!
Eureka Science News - automatically updated
A public institution funding cheating attempts is cause for concern. I assume they got the Internet Chess Club's permission beforehand, but if they didn't they could be in a world of trouble. Just my two cents.
US businesses that currently accept chip and PIN/signature
Yes they probably could just search through old articles for a title matching the new submission, or some regex at submission time...I mean come on, this is a solvable problem.
I've seen way too many programmers who think they're the world's greatest gift to mankind, but don't know the FIRST RULE of developing web applications:
NEVER TRUST USER INPUT
This leads to stupid hacks like sql injection, html injection (leads to XSS), etc etc.
Not saying this is how it happened, but I wouldn't be the least bit surprised if this is how it happened.
eTrade SUCKS
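The "never trust user input" rule in the comment above, shown in code. This is an added example, not code from the Slashdot thread, from ICC, or from the CU-Boulder paper: a login check that builds its SQL by string formatting next to the parameterized version, plus HTML escaping for the XSS case the comment mentions. The table layout, user names and the `login_*`/`render_rating_row` helpers are constructed for the demo.

```python
"""Added example (not from the thread or the ICC/CU paper): a SQL-injectable
login query beside its parameterized fix, plus HTML escaping for XSS.
Table, rows and function names are constructed for this demo."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, rating INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1850), ("bob", "hunter2", 1600)],
    )
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> bool:
    # String formatting splices attacker text straight into the SQL grammar,
    # so a name of  alice' --  comments out the password check entirely.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, name: str, password: str) -> bool:
    # Placeholders bind user text as data; it can never change the query shape.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone() is not None


def render_rating_row(name: str, rating: int) -> str:
    # Escape before interpolating into markup so a name like <script>...</script>
    # is displayed as text instead of executed in the viewer's browser.
    return f"<tr><td>{html.escape(name)}</td><td>{rating}</td></tr>"


if __name__ == "__main__":
    db = make_db()
    payload = "alice' -- "
    print("vulnerable login with injected name:", login_vulnerable(db, payload, "wrong"))
    print("parameterized login with same input:", login_safe(db, payload, "wrong"))
    print(render_rating_row("<script>alert(1)</script>", 1))
```

With the injected name the vulnerable query succeeds without a valid password; the parameterized query treats the same string as a literal name and fails. The escaping helper shows the same principle for output: untrusted text is encoded for the context it lands in rather than trusted.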
what the U of C's attitude would be toward someone who hacked into their computers to, you know, just experiment and gain knowledge? Maybe up their grades or look at other peoples information?
Just wondering if the shoe fits the other foot.
I think this belongs more as an ask slashdot, "What are the ethics of edu-hacking?"
Can anyone explain this to me?
Internet Chess Club has more than 30,000 members worldwide and claims Madonna, Nicolas Cage, Will Smith and Gary Kasparov as players.
One of these things is not like the others,
One of these things just doesn't belong,
Can you tell which thing is not like the others
By the time I finish my song?
anarchists cookbook is illegal so STAY AWAY.
Posted by timothy on Monday October 12, @03:00PM
from the came-back-and-bit-us-in-the-ass dept.
someguy writes "The 30,000-plus-member Internet Chess Club filed suit today against the University of Colorado at Boulder for encouraging students to hack their service as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students were able to reverse-engineer the service to up their ranks and steal passwords."
( Read More... | 1 of 3 comments | yro.slashdot.org )
I browse Slashdot at +3, Funny
A Chess Club?
Tell them to come back after they have cracked one of the systems at Langley, Va.
The difference between this "research" and a felony is exactly what? Maybe the anthrax scare was really an NSF funded biological experiment?
This is a complete waste of taxpayer money, and Dr. Black should have his grants revoked. In fact, I've been in the supposed "computer security" academic community, and it's mostly bogus crap masqueraded as "research" because people don't know better. Computer security research is the AI of our time.
tims got some good sh|t to say, leave him alone!
You can edit your personal settings to not show stories by him though.
- Michael T. Babcock (Yes, I blog)
From TFA - "Unless you have a lot of experience, don't try to invent your own security system, it will just be broken"
instead, just blindly trust that handy cryptography API that came with your operating system
- (c) by the NSA
Only morons moderate based on a sig.
My thought was that if this guy has so much experience and feels compelled to preach as an expert, why the hell is in academia? Those who can, do; those who can't, teach; and those who can't teach become professors.
Is there an option in the personal settings to only see Timothy's stories the first time he posts them?
...just that, information theft. Regardless of who funded, directed or performed the work.
Those people should be on trial for computer crimes.
University of Colorado at Boulder researcher John Black said: "Unless you have a lot of experience, don't try to invent your own security system, it will just be broken," said Black, an assistant professor of computer science in CU-Boulder's College of Engineering and Applied Science. "Believe me, it's better to leave that job up to the experts."
Is it me or does he sound kinda smug about all this? What, did he join ICC some while ago and get his ass handed to him...so all this time he planned his revenge on the whole ICC and those that brought him down! ATTACK THEIR SITE!! And get the NSF to fund him to do it! ATTACK! ATTACK!
Um...cough...sorry, got a little carried away there...
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
I guess not. Timothy is just a dickhead, whereas Michael Sims is a prick as well as a hopeless dickhead.
Slashdot: Once was great, now in tatters
You'd think they'd unlock the keys to the playboy/Penthouse site and gain gold membership or something, folks, but nooooo....it hadda be the Chess Club.
To quote Homer's brain, That's it; I'm leaving.
WARNING: Smartphones have side effects--most of them undocumented.
to academics and not institutions.
In all fairness... after reading the original paper, I asked ICC if they are aware of the problem and directed me to their security help file. ICC did fix one problem regarding membership payments:
http://www.chessclub.com/help/security
"Question: Is my credit card secure at ICC?
ICC has upgraded the way we process online payments. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.p
When you access the web form, your browser shows a "locked padlock" icon that indicates your communication with ICC are encrypted and secure. ICC takes great care in protecting financial information. See help privacy for more information. In almost ten years of service, no member has ever lost a penny of their money because of poor security at ICC."
Now if only someone could divulge Madonna's online name so all the chess geeks could finger her.
This is great! I forgot my password 6 months ago and I can't get anybody to reset it for me - I'll bet these guys have recovered it - woo hoo I can play chess again
The Internet Chess Club (ICC) has taken steps to improve security since this paper was published.
"When you access the web form, your browser shows a 'locked padlock' icon that indicates your communication with ICC are encrypted and secure. ICC takes great care in protecting financial information. See http://www.chessclub.com/help/privacy for more information.
...
For details on the paper and ICC's response see the help file at:
http://www.chessclub.com/help/blackpaper
For details on how ICC protects user's security see:
http://www.chessclub.com/help/security
For details on how ICC protects user's privacy see:
http://www.chessclub.com/help/privacy
An excerpt from the /blackpaper help file:
Question: What is ICC doing to improve security?
ICC is doing three main things to improve security:
1) ICC has changed our payment systems so that all online credit card payments go through secure web forms. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.p
2) ICC is updating Timestamp to close the cracks identified in the paper. This process will take some time to complete. As Black, Cochran, and Gardner show in their paper, getting Timestamp security right is a complex task. Ultimately, when we deploy a new version of Timestamp, ICC users will need to upgrade their chess client software to take advantage of the increased security.
3) ICC is doing an internal security review. ICC is committed to keeping confidential data secure through upgrades to our servers and client programs. We are actively engaged in improving our current security mechanisms, while at the same time, devoting substantial resources to catching cheaters.
If you have any questions or comments, you can ask a question in Channel 1, the Help Channel, send a message to ICC or send an email to icc@chessclub.com.
Also, ICC is not suing anyone over the paper by John Black, Martin Cochran, and Ryan Gardner.
George MacDonald
General Manager
Internet Chess Club
pwn3d
The article seems to exaggerate the importance of this hack by talking about voting, credit card numbers, etc. But my question is how significant is this?
How secure something needs to be depends on what it is you're protecting. In this case it's the legitimacy of a chess game played over the internet and ratings of individual players. Is there something at stake more than game fairness and an online chess rating? (prize money for example). The article mentions famous people are on the server, is Madonna's chess account being hacked supposed to make me feel scared?
The problems should be fixed of course (if possible), but it sure seems like we're scraping the bottom of the security alert barrel on this one.
AccountKiller
... include coverage of people who have nothing better to do with their time than cheat at a board game?
File under 'M' for 'Manic ranting'
http://shit.slashdot.org/article.pl?sid=04/10/10/2151222
I mean come on, this is a solvable problem.
Yes, I agree with you. Perhaps the National Science Foundation can dedicate next years grant to solving Slashdot's dupe problem instead of hacking into an internet chess club.
$5 / month hosted VPS on linux = awesome!
...because their ratings on the website are, well, if not irrelevant, then at best a confirmation. I have a belief in their skills because of their grandmaster ranking (as in, through tournament play), not because of their online rating. If that was the sole claim to their skill, I would be very doubtful. Tournaments of some importance, even over the internet, are often done with a public audience and all that makes it very credible.
Grandmasters could play on the most unsecure, untrusted of networks and it would do very little to them. As long as they get to play interesting games against worthy opponents, why should they care about some online ranking? They have their real ranking to show.
Kjella
Live today, because you never know what tomorrow brings
Comparing breaking into a recreational website with breaking into someone's home is not an equitable comparison.
paintball
Geeze, I thought everyone knew the level 2 password was "member" and that you needed the logic skill to get past the AI .. /obscure.
Serial-murder specialists don't have to kill scores of people to learn how serial killers operate
People would be hurt
Viral pathologists don't infect people with HIV so they can learn how to prevent AIDS
People would be hurt
this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means
Tell me, how is anyone hurt if I were to find a security hole in a bank site, chess club, whatever, and post an email to said bank/club. The only one hurt would be me, mainly because I would probably have my ass sued off. Deaths by murder or HIV are quite often very obvious, a hacker sneaking into a computer and filing off $0.001/account/day isn't necessarily so. Yes, you can study existing hacks, but the fact is that it's the new and unusual ones that one should beware of... not quite as straightforward as many other cases.
Oh, and for the record - scientists might not infect the general public with a virus to test it - but they will infect test animals/etc and try some "cures" on human volunteers. I don't suppose you'd like to try getting a bank to volunteer their codebase for you to test out in your closed environment?