Slashdot Mirror


Colorado Researchers Crack Internet Chess Club

edpin writes "University of Colorado at Boulder students hacked the 30,000-plus-member Internet Chess Club as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students reverse-engineered the service to up their ranks and steal passwords." Update: 10/10 23:05 GMT by T : Reader Bryan Rapp points out that this story duplicates the one posted last month -- sorry about that.

43 of 130 comments

  1. Another dupe, timothy? by Anonymous Coward · · Score: 5, Informative
    1. Re:Another dupe, timothy? by Anonymous Coward · · Score: 5, Funny

      The funny thing is, timothy posted both stories!

    2. Re:Another dupe, timothy? by XaXXon · · Score: 2, Insightful

      What completely boggles my mind is that he posted BOTH of the stories. I mean.. if he took a week off or something and didn't realize the other story had been posted, I could understand it.. but he posted BOTH. ...shakes head...

    3. Re:Another dupe, timothy? by shawn(at)fsu · · Score: 3, Interesting

      What we need is a way to chart which editor posts the most dupes; maybe the social shaming thing that keeps crime low in countries other than the US would work well here.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
  2. This isn't really useful... by LegoEvan · · Score: 5, Funny

    As I'm Bobby Fischer.

    1. Re:This isn't really useful... by AEton · · Score: 3, Informative

      If I were you, I wouldn't be proud of being Bobby Fischer.

      --
      We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
  3. Will they never learn? by Anonymous Coward · · Score: 5, Funny

    It seems like only yesterday that the site was hacked, and now it has happened again?

    Those admins need a good kick up the backside.

  4. Forget white hat and black hat... by rasafras · · Score: 2, Interesting

    ...what the hell are the ethics of edu-hacking? That's pretty weird, if you ask me. It could be considered like white hat except that it's done for the hacker's benefit as well, but still... it seems a little fishy. I mean, would you go through an Anarchist's Cookbook with your teacher?
    Maybe that's just me. *shrug*

    1. Re:Forget white hat and black hat... by ElDuderino44137 · · Score: 2, Funny

      Don't you have to know how to commit a crime in order to stop folks from committing crimes?

      What you've said is paramount to saying that no sex education will keep us all virgins!!

      Cheers,
      -- The Dude

    2. Re:Forget white hat and black hat... by general_re · · Score: 5, Insightful
      Don't you have to know how to commit a crime in order to stop folks from committing crimes?

      Exactly why killing a man is part and parcel of becoming a homicide detective. Errr, wait, it's not.

      Yes, you have to know how crimes are committed to solve/prevent them, but committing those crimes is not the only way to gain that knowledge.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    3. Re:Forget white hat and black hat... by general_re · · Score: 4, Insightful
      As I said, though, there are plenty of ways to gain that kind of knowledge without actually breaking the law. Forensic accountants learn how to spot money-laundering schemes without having to get out there and launder money. Serial-murder specialists don't have to kill scores of people to learn how serial killers operate. Viral pathologists don't infect people with HIV so they can learn how to prevent AIDS.

      In all those cases, they study past cases, study current events, and don't generally have to become like the things they're acting against in order to defeat them, and I have no idea why computer security should be different - as someone who used to work in banking, allow me to testify that we didn't go out and rob banks or kite checks in order to learn how to prevent others from doing the same. And in those few cases where hands-on experience is absolutely necessary, you don't need to go out into the world and involve innocent third-parties - you set up a controlled environment where they can play on the playground without actually attacking real people. The ethics of this sort of "white-hat" hacking are non-existent - this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    4. Re:Forget white hat and black hat... by Tony-A · · Score: 2, Insightful

      Assuming that they are fair to mediocre players and that their scores do not and will never matter, and they are comfortable with having their scores purged, and they do nothing to "help their buddies" or "hurt their enemies", I don't see anything that unethical about it.
      A lot depends on the target and any perceptions of conflict of interest. Even getting nosy about academic records is most likely taboo.

    5. Re:Forget white hat and black hat... by general_re · · Score: 2, Insightful
      But if you did go out and rob banks and kite checks, would you not learn something from what worked and what did not?

      Maybe. But the problem is that in so doing, the "good guys" become morally, ethically, and legally indistinguishable from the bad guys - you've erased the difference between you and them, your altruistic motives notwithstanding. The ends do not justify the means.

      But hacking a chess site is probably not so bad, since potential harm is low.

      The rightness or wrongness does not depend on the level of risk to the perpetrators. Investigating the efficacy of home security systems is a worthy goal. Breaking into strangers' houses is not an appropriate method of pursuing that goal, even if you minimize the risk by making sure that nobody's home at the time. And, I suppose I should add, even if you don't plan to take anything.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
  5. Stealing Passwords? by still_sick · · Score: 4, Insightful

    Kind of a dick move, no?

    They proved their point by putting themselves high up in the ranks.

    A legitimate Research project should NOT have involved messing with other people's accounts.

    If you want to do that, have some person known to the researchers make up an account with the express purpose of their team trying to steal the password.

    --
    ...Also, I didn't know Buggalo could fly.
    1. Re:Stealing Passwords? by aerojad · · Score: 2, Interesting

      I agree. I also wonder if this could cause any charges to be filed for accessing personal information.

      --

      SecondPageMedia - Wha
  6. we should be able to mod stories by Anonymous Coward · · Score: 3, Interesting

    if we can mod stories as dupe, we can set the threshold high enough so we can never have to deal with idiot editors posting dupes again!!!

  7. dupe duke nuker? by gl4ss · · Score: 4, Insightful
    technically the story it links to is new, though, but it's about an old thing.

    now.. about these dupes.. just one thing makes me wonder: do the editors have extremely bad memory, or don't they follow slashdot at all themselves? since in most cases a regular reader remembers if he has seen the same story (or one with a lot of resemblance) before. and hell, theoretically they should have more than 20 secs per story they pass, so they could have put "chess" into the old stories search.

    now, on things that need refreshing or something, 'follow-up' stories could be worthwhile doing, but not reporting them as totally new.

    --
    world was created 5 seconds before this post as it is.
  8. Slashdot fights evil by Timesprout · · Score: 5, Funny

    by influencing crackers to dupe their cracks, thus saving other organisations from their unwanted attention.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  9. Re:Meanwhile... by baywulf · · Score: 2, Funny

    They need to use the high security password mechanism used on bank checks.

  10. Heh by FiReaNGeL · · Score: 4, Interesting

    You don't have to give yourself all the trouble of defeating security to be a chess star on the Internet. Just run a copy of Fritz on another computer while you 'play'... instant skill!

    This is why I stopped playing online. Nothing beats a real game of chess, in front of a real person anyway. Reactions from your opponent are almost as important as in poker!

  11. Ethical ramifications of this. by mind21_98 · · Score: 3, Insightful

    A public institution funding cheating attempts is cause for concern. I assume they got the Internet Chess Club's permission beforehand, but if they didn't they could be in a world of trouble. Just my two cents.

  12. Re:Meanwhile... by mbrix · · Score: 3, Interesting

    Not in Denmark (and I suspect, many other countries). We are moving to chip-based cards instead. Actually, Denmark is almost fully converted away from magnetic cards.

  13. Slashdot needs dupe detection for editors by Ars-Fartsica · · Score: 2, Insightful

    Yes they probably could just search through old articles for a title matching the new submission, or some regex at submission time...I mean come on, this is a solvable problem.

    1. Re:Slashdot needs dupe detection for editors by Anonymous Coward · · Score: 5, Insightful

      nah just get rid of timothy

  14. Web Programmers by Jesus+IS+the+Devil · · Score: 4, Informative

    I've seen way too many programmers who think they're the world's greatest gift to mankind, but don't know the FIRST RULE of developing web applications:

    NEVER TRUST USER INPUT

    This leads to stupid hacks like sql injection, html injection (leads to XSS), etc etc.

    Not saying this is how it happened, but I wouldn't be the least bit surprised if this is how it happened.

    --

    eTrade SUCKS
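An added example, not code from the original thread, from ICC or from the Colorado paper, illustrating the "never trust user input" rule the comment above states. It uses a constructed in-memory SQLite table of chess handles and ratings (the table, names and helper functions are assumptions for the demo) to show a concatenated query beside its parameterized form, an allowlist check on a handle, and HTML escaping before a name is echoed back into a page.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory user table so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, rating INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 2100), ("bob", 1850), ("carol", 2400)],
    )
    return conn


def lookup_rating_unsafe(conn, name):
    """Vulnerable form: user input is spliced into the SQL text, so quote
    characters in the input change the meaning of the statement."""
    sql = "SELECT name, rating FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_rating_safe(conn, name):
    """Hardened form: a parameterized query. The driver passes the value
    separately from the SQL text, so the input is never parsed as SQL."""
    return conn.execute(
        "SELECT name, rating FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_handle(handle):
    """Allowlist check (assumed policy for this demo): a handle is 1-20
    letters, digits or underscores. Reject anything else before it reaches
    a query or a page."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,20}", handle) is not None


def render_name(name):
    """HTML-escape before echoing user input into markup; this is the
    standard defence against HTML injection / XSS."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def run_demo():
    """Exercise both query forms with a normal handle, a tautology payload
    and a legitimate name containing an apostrophe; return the results."""
    conn = make_db()
    results = {}
    tautology = "x' OR '1'='1"  # classic injection input used for the demo
    results["safe_normal"] = lookup_rating_safe(conn, "alice")
    results["unsafe_tautology"] = lookup_rating_unsafe(conn, tautology)
    results["safe_tautology"] = lookup_rating_safe(conn, tautology)
    # The concatenated form also breaks on honest input: an apostrophe in
    # the name ends the string literal early and the statement fails to parse.
    try:
        lookup_rating_unsafe(conn, "O'Brien")
        results["unsafe_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = lookup_rating_safe(conn, "O'Brien")
    results["handle_ok"] = validate_handle("bob_99")
    results["handle_bad"] = validate_handle(tautology)
    results["escaped"] = render_name("<b>bob</b>")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The unsafe lookup returns every row for the tautology input and raises for "O'Brien"; the parameterized lookup returns no rows for the tautology and simply finds no user named O'Brien. Allowlisting at the boundary and escaping on output are the two halves of the rule the comment is stating.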
    1. Re:Web Programmers by mrtroy · · Score: 5, Funny

      Umm they were sniffing network traffic, not doing "injections"...

      But keep on trucking web guru!

      --
      [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
  15. I wonder... by Oligonicella · · Score: 4, Insightful

    what the U of C's attitude would be toward someone who hacked into their computers to, you know, just experiment and gain knowledge? Maybe up their grades or look at other people's information?

    Just wondering if the shoe fits the other foot.

    1. Re:I wonder... by Vole_of_Wrath · · Score: 2, Informative

      As a student of University of Colorado, living in the dorms no less, CU is VERY uptight about their internet security. They have almost every port closed from the outside, and they don't let you access the internet without several dozen procedures to make sure your computer is safe. I'm not saying it isn't foolproof, but it's like Fort Knox :X

  16. Ask Slashdot? by comwiz56 · · Score: 2, Insightful

    I think this belongs more as an ask slashdot, "What are the ethics of edu-hacking?"

  17. Isn't this Illegal? by Anonymous Coward · · Score: 3, Interesting
    I don't see how this being done under the auspices of the school absolves the students from prosecution.

    Can anyone explain this to me?

  18. Such an august list of members by cliffiecee · · Score: 5, Funny

    Internet Chess Club has more than 30,000 members worldwide and claims Madonna, Nicolas Cage, Will Smith and Gary Kasparov as players.

    One of these things is not like the others,
    One of these things just doesn't belong,
    Can you tell which thing is not like the others
    By the time I finish my song?

    1. Re:Such an august list of members by dukeisgod · · Score: 5, Funny

      Come on now, don't pick on Will Smith just because he's black...

  19. This is research? by Anonymous Coward · · Score: 2, Insightful

    The difference between this "research" and a felony is exactly what? Maybe the anthrax scare was really an NSF funded biological experiment?

    This is a complete waste of taxpayer money, and Dr. Black should have his grants revoked. In fact, I've been in the supposed "computer security" academic community, and it's mostly bogus crap masquerading as "research" because people don't know better. Computer security research is the AI of our time.

  20. Re:Is slashdot editing anything like survivor? by MikeBabcock · · Score: 2, Informative

    You can edit your personal settings to not show stories by him though.

    --
    - Michael T. Babcock (Yes, I blog)
  21. security by virtualone · · Score: 3, Funny

    From TFA - "Unless you have a lot of experience, don't try to invent your own security system, it will just be broken"

    instead, just blindly trust that handy cryptography API that came with your operating system
    - (c) by the NSA

    --
    Only morons moderate based on a sig.
  22. Even in THIS dupe, it's the CHESS CLUB folks! by Provocateur · · Score: 3, Funny

    You'd think they'd unlock the keys to the playboy/Penthouse site and gain gold membership or something, folks, but nooooo....it hadda be the Chess Club.

    To quote Homer's brain, That's it; I'm leaving.

    --
    WARNING: Smartphones have side effects--most of them undocumented.
  23. great news by Pierre · · Score: 3, Funny

    This is great! I forgot my password 6 months ago and I can't get anybody to reset it for me - I'll bet these guys have recovered it - woo hoo I can play chess again

  24. Re:Bah by jnguy · · Score: 2, Informative

    A chess club where grandmasters play, and which the general population has confidence in, I would imagine it's fairly secure.

  25. ICC Security Improvements by gmacd997 · · Score: 5, Informative

    The Internet Chess Club (ICC) has taken steps to improve security since this paper was published.

    For details on the paper and ICC's response see the help file at:
    http://www.chessclub.com/help/blackpaper

    For details on how ICC protects users' security see:
    http://www.chessclub.com/help/security

    For details on how ICC protects users' privacy see:
    http://www.chessclub.com/help/privacy

    An excerpt from the /blackpaper help file:

    Question: What is ICC doing to improve security?

    ICC is doing three main things to improve security:

    1) ICC has changed our payment systems so that all online credit card payments go through secure web forms. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.php When you access the web form, your browser shows a 'locked padlock' icon that indicates your communications with ICC are encrypted and secure. ICC takes great care in protecting financial information. See http://www.chessclub.com/help/privacy for more information.

    2) ICC is updating Timestamp to close the cracks identified in the paper. This process will take some time to complete. As Black, Cochran, and Gardner show in their paper, getting Timestamp security right is a complex task. Ultimately, when we deploy a new version of Timestamp, ICC users will need to upgrade their chess client software to take advantage of the increased security.

    3) ICC is doing an internal security review. ICC is committed to keeping confidential data secure through upgrades to our servers and client programs. We are actively engaged in improving our current security mechanisms, while at the same time, devoting substantial resources to catching cheaters.

    ...

    If you have any questions or comments, you can ask a question in Channel 1, the Help Channel, send a message to ICC or send an email to icc@chessclub.com.

    Also, ICC is not suing anyone over the paper by John Black, Martin Cochran, and Ryan Gardner.

    George MacDonald
    General Manager
    Internet Chess Club

  26. hacking the honor system... by Vellmont · · Score: 2, Insightful

    The article seems to exaggerate the importance of this hack by talking about voting, credit card numbers, etc. But my question is how significant is this?

    How secure something needs to be depends on what it is you're protecting. In this case it's the legitimacy of a chess game played over the internet and the ratings of individual players. Is there something at stake more than game fairness and an online chess rating? (prize money for example). The article mentions famous people are on the server; is Madonna's chess account being hacked supposed to make me feel scared?

    The problems should be fixed of course (if possible), but it sure seems like we're scraping the bottom of the security alert barrel on this one.

    --
    AccountKiller
  27. Since when does "news for nerds" by mark-t · · Score: 2, Funny

    ... include coverage of people who have nothing better to do with their time than cheat at a board game?

  28. Re:Meanwhile... by Old+Wolf · · Score: 2, Insightful

    The unfortunate side of this coin is that 'smart' cards don't actually offer a lot of added security. Most of the objections people have raised to magstripe cards still apply to smartcards. Also, most smartcards get their security hacked within a few months of coming out (meaning that the manufacturers are continually in a cycle of sending new cards out). Their only benefit is that the unwashed masses feel safer.

    This is really a great fraud which makes money for the people developing smart-card processing systems and the general public pay for it (well, the merchants pay for it, and they usually pass the costs onto the customers).

  29. perhaps a grant could be applied by SethJohnson · · Score: 2, Funny
    I mean come on, this is a solvable problem.

    Yes, I agree with you. Perhaps the National Science Foundation can dedicate next year's grant to solving Slashdot's dupe problem instead of hacking into an internet chess club.