
Colorado Researchers Crack Internet Chess Club

timothy posted more than 9 years ago | from the that's-nice-dear-and-how-was-class dept.

Security 130

edpin writes "University of Colorado at Boulder students hacked the 30,000-plus-member Internet Chess Club as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students reverse-engineered the service to up their ranks and steal passwords." Update: 10/10 23:05 GMT by T : Reader Bryan Rapp points out that this story duplicates the one posted last month -- sorry about that.

130 comments

Another dupe, timothy? (5, Informative)

Anonymous Coward | more than 9 years ago | (#10488178)

Re:Another dupe, timothy? (5, Funny)

Anonymous Coward | more than 9 years ago | (#10488184)

The funny thing is, timothy posted both stories!

Slashdot needs dupe detection for editors (2, Insightful)

Ars-Fartsica (166957) | more than 9 years ago | (#10488265)

Yes they probably could just search through old articles for a title matching the new submission, or some regex at submission time...I mean come on, this is a solvable problem.

Re:Slashdot needs dupe detection for editors (5, Insightful)

Anonymous Coward | more than 9 years ago | (#10488437)

nah just get rid of timothy

Re:Another dupe, timothy? (0)

Anonymous Coward | more than 9 years ago | (#10488279)

Perhaps Timothy has shared his username with others and so there is now more than one timothy . . .

And timothy is not talking to timothy . . .

What a shame. So much for professionalism. Isn't this the second story that timothy has duplicated today? Apparently timothy has a thing for Chess clubs and Intestinal robots . . .

See the intestinal robot duplication here [slashdot.org]

Re:Another dupe, timothy? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10488438)

This is a site made by Perl amateurs for other amateur programmers and users of toy operating systems. What do you expect? The niveau of MSDN? Get a clue.

Re:Another dupe, timothy? (0)

Anonymous Coward | more than 9 years ago | (#10488296)

You would think that the Slashdot editors could maybe go to Google to check if a story has already been posted. I went there and searched for:

"Internet Chess Club" Security Defeat site:slashdot.org

The first (of only 2) story listed is the original that you mention. It's not that hard. But I guess this is Timothy we are talking about.

Re:Another dupe, timothy? (0)

Anonymous Coward | more than 9 years ago | (#10488309)

Even a plain search for "chess" here on Slashdot's weak search shows it.

Re:Another dupe, timothy? (0)

Anonymous Coward | more than 9 years ago | (#10489498)

And that's quite possibly the worst search engine ever made.

Re:Another dupe, timothy? (0)

Tezkah (771144) | more than 9 years ago | (#10488329)

Obviously he is hacking the /. chess club to up his editorial rankings!

Re:Another dupe, timothy? (0)

Anonymous Coward | more than 9 years ago | (#10488435)

We really should give timothy a break. I mean, if he stopped posting stories, CmdrTaco would be about the only one left. And then CmdrTaco would be more careless, trying to get out as many stories as possible, and start duping like crazy again.

Re:Another dupe, timothy? (2, Insightful)

XaXXon (202882) | more than 9 years ago | (#10488514)

What completely boggles my mind is that he posted BOTH of the stories. I mean.. if he took a week off or something and didn't realize the other story had been posted, I could understand it.. but he posted BOTH. ...shakes head...

Re:Another dupe, timothy? (1)

daveashcroft (321122) | more than 9 years ago | (#10488627)

all you pawns are belong to us.

Forgive me father, for i have sinned ;-)

Is Timothy as hopeless as Michael? (0)

Anonymous Coward | more than 9 years ago | (#10488796)

I guess not. Timothy is just a dickhead, whereas Michael Sims is a prick as well as a hopeless dickhead.

Slashdot: Once was great, now in tatters

Re:Another dupe, timothy? (3, Interesting)

shawn(at)fsu (447153) | more than 9 years ago | (#10488843)

What we need is a way to chart what editor posts the most dupes, maybe the social shamming thing that keeps crime low in countries other than the US would work well here.

Re:Another dupe, timothy? (0)

Anonymous Coward | more than 9 years ago | (#10489440)

How about a spelling shaming chart for Slashdot users?

Re:Another dupe, timothy? (0)

Anonymous Coward | more than 9 years ago | (#10489176)

Is there some way we can mod timothy or michael down to the point where they have bad enough Karma that they'll go to hell or something? However, keep in mind it does happen [slashdot.org] I mean, they are human. What is the process for being able to post stories on slashdot?

Re:Another dupe, timothy? (1)

bl1st3r (464353) | more than 9 years ago | (#10489631)

What I want to know is how an editor can dupe his OWN stories. I can understand if CowboyNeal has the midnight shift and posts something that CmdrTaco posted a month prior during the day or something, but come ON! TIMOTHY DUPES TIMOTHY?!?!

Meanwhile... (1)

alexandre (53) | more than 9 years ago | (#10488191)

we're still using stupid magnetic cards for our daily _BANK_ usage...

Re:Meanwhile... (2, Funny)

baywulf (214371) | more than 9 years ago | (#10488227)

They need to use the high security password mechanism used on bank checks.

Re:Meanwhile... (1)

Zorilla (791636) | more than 9 years ago | (#10488419)

Which means it's time to break out the candy bars.

Re:Meanwhile... (3, Interesting)

mbrix (534821) | more than 9 years ago | (#10488249)

Not in Denmark (and I suspect, many other countries). We are moving to chip-based cards instead. Actually, Denmark is almost fully converted away from magnetic cards.

Re:Meanwhile... (2, Insightful)

Old Wolf (56093) | more than 9 years ago | (#10490517)

The unfortunate side of this coin is that 'smart' cards don't actually offer a lot of added security. Most of the objections people have raised to magstripe cards still apply to smartcards. Also, most smartcards get their security hacked within a few months of coming out (meaning that the manufacturers are continually in a cycle of sending new cards out). Their only benefit is that the unwashed masses feel safer.

This is really a great fraud which makes money for the people developing smart-card processing systems and the general public pay for it (well, the merchants pay for it, and they usually pass the costs onto the customers).

Re:Meanwhile... (0)

Anonymous Coward | more than 9 years ago | (#10488460)

Not in most other places [chipandpin.co.uk] , there again you may not be as lucky as us [bbc.co.uk] at the current time.

I heard the reasons for not implementing EMV in the US was due to other factors, like liability and inertia (less losses?) I almost read a paper saying the majority of people in the US don't hold current accounts, which I found hard to believe, but maybe there's something in it.

Re:Meanwhile... (1)

mollymoo (202721) | more than 9 years ago | (#10488510)

Perhaps you are, but the UK and I believe much of Europe is moving to chips embedded in the card instead of the magnetic strip. I don't know how many cash machines (ATMs) use them yet, but most shops do.

Re:Meanwhile... (1)

Tony Hoyle (11698) | more than 9 years ago | (#10488950)

So instead of a hard to reproduce signature (well mine is) there's an easy to remember 4 digit number that the criminal can watch you type in just before stealing your wallet (stores almost universally don't have adequate security on their keypads).

Thankfully it doesn't seem to be switched on in the UK yet - I've never been asked for a PIN... refusing to type it in while surrounded by shoppers could cause a scene (either give me a secure way to type it in and prove it's secure, or you aint getting it).

Re:Meanwhile... (0)

Anonymous Coward | more than 9 years ago | (#10489302)

You can request a chip + signature if you like, whether the shop are ok with it is up to them since they will then be liable for any fraud.

Re:Meanwhile... (1)

mollymoo (202721) | more than 9 years ago | (#10489479)

So instead of a hard to reproduce signature (well mine is) there's an easy to remember 4 digit number that the criminal can watch you type in just before stealing your wallet

Exactly :) I've developed a technique of laying all my fingers over the keys so it's harder to tell exactly which ones I pressed. I'd prefer it if the keypad were hidden somehow though.

Re:Meanwhile... (1)

welsh git (705097) | more than 9 years ago | (#10489611)

And... there are various forms of keypad entry systems.. What's stopping Mr Shopkeeper from altering the device to record a copy of the PIN you enter? Or pointing a tiny covert video camera at the device? As he already has the magnetic strip info, he just trundles down to the cash machine with his made up card and enters the PIN.

Whilst in the past some criminals would hide/wire up devices to cash machines, they can now do so from the comfort of their own shops..

The PIN should NOT be the same as the one used in places where the card isn't visually inspected (i.e. cash machines)

Re:Meanwhile... (0)

Anonymous Coward | more than 9 years ago | (#10489923)

Actually, from what I hear, the PIN is actually stored on the card itself. And if you have a magnetic card writer, you can make your own pins and/or read the stored pin.

Re:Meanwhile... (1)

welsh git (705097) | more than 9 years ago | (#10489964)

I don't know about the chip, but the PINS aren't held in the magnetic strip, although I think they may have used to be..

When cash machines first came out, they didn't have realtime links to the central bank for your account. So the card held the value for the amount you'd withdrawn that day (and therefore presumably also the pin), so that if you went to another machine, it could make sure you hadn't withdrawn over your daily allowance.

A popular scam at the time cash machines first came out was to get your own legitimate card, with (say) a £500 quid a day limit.

Clone the card (e.g.) 60 times(sticking a piece of video tape over any old piece of plastic of the same size would do), then go to (e.g.) 60 different cash point machines - on each card, you withdraw your £500 quid limit, you then toss (or reprogramme) the card, and use the next card on a new machine etc.

Then after the day is done, you do a runner :-)

Back then, though, I think the problem wasn't that great, due to the fact that there weren't all that many cash machines around !

Re:Meanwhile... (1)

Old Wolf (56093) | more than 9 years ago | (#10490500)

What's stopping Mr Shopkeeper from altering the device to record a copy of the PIN you enter ?

The banks won't certify any particular device for use in shops (and thus, they won't be able to process transactions successfully) if it allows this.

Also, if a shopkeeper perpetrated the fraud by the other means you suggest, it would be simple to trace it to that shop, by examining the transaction records.

Finally, later versions of the terminal software do not actually record the card number, to avoid this very problem. You should see on the receipt something like "49997........0452" , enough digits to identify the card well enough for audit purposes but not to allow someone to commit fraud with it. And as before, a terminal modification which steals card numbers, would not pass certification.

NB. This is how it works in New Zealand, if other countries don't implement security measures then they are stupid.

Sounds pretty smug to me... (1)

sgant (178166) | more than 9 years ago | (#10488776)

University of Colorado at Boulder researcher John Black said: "Unless you have a lot of experience, don't try to invent your own security system, it will just be broken," said Black, an assistant professor of computer science in CU-Boulder's College of Engineering and Applied Science. "Believe me, it's better to leave that job up to the experts."

Is it me or does he sound kinda smug about all this? What, did he join ICC some while ago and get his ass handed to him...so all this time he planned his revenge on the whole ICC and those that brought him down! ATTACK THEIR SITE!! And get the NSF to fund him to do it! ATTACK! ATTACK!

Um...cough...sorry, got a little carried away there...

Re:Meanwhile... (1)

Old Wolf (56093) | more than 9 years ago | (#10490469)

What's wrong with that? It isn't a security risk to read what's written on the card or to create a new card, and it's a very minor risk to duplicate a card (the risk being that the attacker could gradually guess the PIN over time).

This isn't really useful... (5, Funny)

LegoEvan (772742) | more than 9 years ago | (#10488193)

As I'm Bobby Fischer.

Re:This isn't really useful... (0)

Anonymous Coward | more than 9 years ago | (#10488247)

Bobby Fischer defeated by cyberterrorist!!

Re:This isn't really useful... (3, Informative)

AEton (654737) | more than 9 years ago | (#10488255)

If I were you, I wouldn't be proud [everything2.com] of being Bobby Fischer [slashdot.org] .

Re:This isn't really useful... (1)

AEton (654737) | more than 9 years ago | (#10488268)

Holy crap I suck at links [everything2.com] - so much for a technical education here :/

Re:This isn't really useful... (1)

LegoEvan (772742) | more than 9 years ago | (#10488270)

I'm the current world champion! Nobody's taken my title since I won it last. The fact that I refuse to play against any professionals and most likely play online is moot. Bobby

Re:This isn't really useful... (0)

Anonymous Coward | more than 9 years ago | (#10489551)

If that is the case, why didn't you plug Fischer Random Chess? A typical Bobby speech goes something like "Fischer Random Chess is the future. Normal chess is dead. Only evil American infidels still play it.".

Will they never learn? (5, Funny)

Anonymous Coward | more than 9 years ago | (#10488200)

It seems like only yesterday [slashdot.org] that the site was hacked, and now it has happened again?

Those admins need a good kick up the backside.

Forget white hat and black hat... (2, Interesting)

rasafras (637995) | more than 9 years ago | (#10488206)

...what the hell are the ethics of edu-hacking? That's pretty weird, if you ask me. It could be considered like white hat except that it's done for the hacker's benefit as well, but still... it seems a little fishy. I mean, would you go through an Anarchist's Cookbook with your teacher?
Maybe that's just me. *shrug*

Re:Forget white hat and black hat... (0)

Anonymous Coward | more than 9 years ago | (#10488215)

I guess you've never had one of those chemistry teachers that shows you a thing or two he probably shouldn't.

Re:Forget white hat and black hat... (0)

Anonymous Coward | more than 9 years ago | (#10488229)

> ...would you go through an Anarchist's Cookbook with your teacher?

Yes I would have. My school had some great teachers. It's just you.

Re:Forget white hat and black hat... (2, Funny)

ElDuderino44137 (660751) | more than 9 years ago | (#10488303)

Don't you have to know how to commit a crime in order to stop folks from committing crimes?

What you've said is paramount to saying that no sex education will keep us all virgins!!

Cheers,
-- The Dude

Re:Forget white hat and black hat... (5, Insightful)

general_re (8883) | more than 9 years ago | (#10488333)

Don't you have to know how to commit a crime in order to stop folks from committing crimes?

Exactly why killing a man is part and parcel of becoming a homicide detective. Errr, wait, it's not.

Yes, you have to know how crimes are committed to solve/prevent them, but committing those crimes is not the only way to gain that knowledge.

Re:Forget white hat and black hat... (1)

Weirdofreak (769987) | more than 9 years ago | (#10488634)

Committing homicide won't make you a better homicide detective. A homicide detective observes the mistakes of others, a security expert observes their own mistakes.

Kill somebody, and what are the chances you'll notice the eyelash that conveniently fell out? You'd have to look for your own mistakes, while not utilising the information of how it was done at all for you to gain any skill, and it would be easier to wait until somebody gets killed for a reason other than to solve. The killing itself would get you nothing, all the benefit comes from solving it.

On the other hand, when you hack, you find out what mistakes other people make, so that you can then not make them. The benefit comes from knowing how people will attempt to hack you.

To put it another way, a detective must know how to attack. Unless they commit homicide, in which case they'll be on the defense, knowing how to defend is useless if you don't learn how to bypass those defenses, which it won't (note: I am neither a homicide detective nor a cold-blooded murderer). The skill of bypassing defenses comes from attacking, not from defending. A security expert is on the defense though, making him more akin to the killer - and being a homicide detective will certainly help you evade other homicide detectives. Since he must defend, he must know how he will be attacked, and to have the best knowledge of that, he must attack.

This is probably redundant by now, but I don't wanna waste the typing.

Re:Forget white hat and black hat... (4, Insightful)

general_re (8883) | more than 9 years ago | (#10488734)

As I said, though, there are plenty of ways to gain that kind of knowledge without actually breaking the law. Forensic accountants learn how to spot money-laundering schemes without having to get out there and launder money. Serial-murder specialists don't have to kill scores of people to learn how serial killers operate. Viral pathologists don't infect people with HIV so they can learn how to prevent AIDS.

In all those cases, they study past cases, study current events, and don't generally have to become like the things they're acting against in order to defeat them, and I have no idea why computer security should be different - as someone who used to work in banking, allow me to testify that we didn't go out and rob banks or kite checks in order to learn how to prevent others from doing the same. And in those few cases where hands-on experience is absolutely necessary, you don't need to go out into the world and involve innocent third-parties - you set up a controlled environment where they can play on the playground without actually attacking real people. The ethics of this sort of "white-hat" hacking are non-existent - this is absolutely unethical behavior on the part of these clowns, and in no way do the ends justify the means.

Re:Forget white hat and black hat... (1)

Lesrahpem (687242) | more than 9 years ago | (#10490315)

Homicide detectives don't stop people from killing. They find out who did it after it's already happened.

illegal (0, Troll)

iamnotacrook (816556) | more than 9 years ago | (#10488441)

anarchists cookbook is illegal so STAY AWAY.

Re:illegal (1)

cyrax777 (633996) | more than 9 years ago | (#10488616)

No, only cooking up the stuff in there without the proper local, state and federal permits, if applicable, is.

Re:Forget white hat and black hat... (2, Insightful)

Tony-A (29931) | more than 9 years ago | (#10489952)

Assuming that they are fair to mediocre players and that their scores do not and will never matter, and they are comfortable with having their scores purged, and they do nothing to "help their buddies" or "hurt their enemies", I don't see anything that unethical about it.
A lot depends on the target and any perceptions of conflict of interest. Even getting nosy about academic records is most likely taboo.

That's my prof! (-1)

Anonymous Coward | more than 9 years ago | (#10488210)

Way to go!

Stealing Passwords? (4, Insightful)

still_sick (585332) | more than 9 years ago | (#10488211)

Kind of dick move, no?

They proved their point by putting themselves high up in the ranks.

A legitimate Research project should NOT have involved messing with other people's accounts.

If you want to do that, have some person known to the researchers make up an account with the express purpose of their team trying to steal the password.

Re:Stealing Passwords? (2, Interesting)

aerojad (594561) | more than 9 years ago | (#10488489)

I agree. I also wonder if this could cause any charges to be filed for accessing personal information.

Re:Stealing Passwords? (1)

killpog (740063) | more than 9 years ago | (#10488815)

Erm, I crack other people's systems! I really really do! And I get paid to do it! By the people who contract with me to examine their systems for security flaws... However, I don't hit 'em blind - they know in advance that I'm going to be doing this. This seems like dirty pool...

we should be able to mod stories (3, Interesting)

Anonymous Coward | more than 9 years ago | (#10488216)

if we can mod stories as dupe, we can set the threshold high enough so we can never have to deal with idiot editors posting dupes again!!!

dupe duke nuker? (4, Insightful)

gl4ss (559668) | more than 9 years ago | (#10488217)



technically the story it links to is though new, but it's about an old thing.

now.. about these dupes.. just one thing makes me wonder, do the editors have extremely bad memory or don't they follow slashdot at all themselves? since in most cases a regular reader remembers if he has seen the same story (or one with a lot of resemblance) before. and hell, theoretically they should have more time than 20 secs per a story they pass, so they could have put "chess" into the old stories search.

now, on things that need refreshing or something a 'follow-up' stories could be worth while doing, but not reporting them as totally new.

Re:dupe duke nuker? (0)

Anonymous Coward | more than 9 years ago | (#10488234)

The worst part is that subscribers get to report dupes (stories are pre-posted for about 20 minutes)... and they get ignored usually. Although, one day, I literally saw CmdrTaco post 3 straight dupes, and as I fired off dupe emails for each and he removed them. I'm pretty sure he doesn't read the site regularly at all.

Re:dupe duke nuker? (1)

drinkypoo (153816) | more than 9 years ago | (#10488931)

The real problem besides editors not following slashdot properly is that the search engine is bloody useless. Even if an editor wanted to search for old instances of the same story, slashdot would be essentially no help in this pursuit. A more powerful search which was actually useful would possibly be even a more welcome feature than HTML compliance.

Re:dupe duke nuker? (1)

NoOneInParticular (221808) | more than 9 years ago | (#10490691)

Such a more powerful search engine is already in place [google.com] . (Note the exact title of today + restricting the search to slashdot brings back the original story).

Since when is cracking research? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10488219)

So these professors are playing at being crackers, is this really a news story?

I don't see it. Web sites are cracked everyday, but the perpetrators don't usually brag about it.

Slashdot fights evil (5, Funny)

Timesprout (579035) | more than 9 years ago | (#10488224)

by influencing crackers to dupe [slashdot.org] their cracks, thus saving other organisations from their unwanted attention.

Heh (4, Interesting)

FiReaNGeL (312636) | more than 9 years ago | (#10488239)

You don't have to give yourself all the trouble of defeating security to be a chess star on Internet. Just run a copy of fritz on another computer while you 'play'... instant skill!

This is why I stopped playing online. Nothing beats a real game of chess, in front of a real person anyway. Reactions from your opponent are almost as important as in poker!

Ethical ramifications of this. (3, Insightful)

mind21_98 (18647) | more than 9 years ago | (#10488242)

A public institution funding cheating attempts is cause for concern. I assume they got the Internet Chess Club's permission beforehand, but if they didn't they could be in a world of trouble. Just my two cents.

Kerry looks like a fag (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10488248)

See his debate appearance? The guy looked like he had lipstick on!

Choice quote... (1)

twoslice (457793) | more than 9 years ago | (#10488251)

"Unless you have a lot of experience, don't try to invent your own security system, it will just be broken," said Black, an assistant professor of computer science in CU-Boulder's College of Engineering and Applied Science. "Believe me, it's better to leave that job up to the experts."

I think this applies to Micro$oft....

Re:Choice quote... (1, Funny)

Anonymous Coward | more than 9 years ago | (#10488536)

My thought was that if this guy has so much experience and feels compelled to preach as an expert, why the hell is he in academia? Those who can, do; those who can't, teach; and those who can't teach become professors.

Isn't this a CRIME? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10488278)

Can't cite a specific statute, but wouldn't this be some sort of a criminal violation? Wire Fraud? Violation of the Patriot Act? John Ashcroft: where are you?

I hope the two students are tossed out on their ass, and their degree credits are zeroed out. I can't believe they were allowed to do this, and if Colorado doesn't sanction them, I hope the school loses some funding.

As for the NSF, is this ALL they have left to do with our tax dollars?

Web Programmers (4, Informative)

Jesus IS the Devil (317662) | more than 9 years ago | (#10488283)

I've seen way too many programmers who think they're the world's greatest gift to mankind, but don't know the FIRST RULE of developing web applications:

NEVER TRUST USER INPUT

This leads to stupid hacks like sql injection, html injection (leads to XSS), etc etc.

Not saying this is how it happened, but I wouldn't be the least bit surprised if this is how it happened.

Re:Web Programmers (5, Funny)

mrtroy (640746) | more than 9 years ago | (#10489051)

Umm they were sniffing network traffic, not doing "injections"...

But keep on trucking web guru!

I wonder... (4, Insightful)

Oligonicella (659917) | more than 9 years ago | (#10488284)

what the U of C's attitude would be toward someone who hacked into their computers to, you know, just experiment and gain knowledge? Maybe up their grades or look at other peoples information?

Just wondering if the shoe fits the other foot.

Re:I wonder... (2, Informative)

Vole_of_Wrath (789989) | more than 9 years ago | (#10488466)

As a student of University of Colorado, living in the dorms no less, CU is VERY uptight about their internet security. They have almost every port closed from the outside, and they don't let you access the internet without several dozen procedures to make sure your computer is safe. I'm not saying it isn't foolproof, but it's like Fort Knox :X

Ask Slashdot? (2, Insightful)

comwiz56 (447651) | more than 9 years ago | (#10488300)

I think this belongs more as an ask slashdot, "What are the ethics of edu-hacking?"

Isn't this Illegal? (3, Interesting)

Anonymous Coward | more than 9 years ago | (#10488310)

I don't see how this being done under the auspices of the school absolves the students from prosecution.

Can anyone explain this to me?

Is slashdot editing anything like survivor? (-1, Troll)

Ninja Programmer (145252) | more than 9 years ago | (#10488343)

... Because if it is, can we vote timothy off the island?

Re:Is slashdot editing anything like survivor? (0)

Anonymous Coward | more than 9 years ago | (#10488513)

tims got some good sh|t to say, leave him alone!

Re:Is slashdot editing anything like survivor? (2, Informative)

MikeBabcock (65886) | more than 9 years ago | (#10488520)

You can edit your personal settings to not show stories by him though.

Re:Is slashdot editing anything like survivor? (0)

Anonymous Coward | more than 9 years ago | (#10488723)

Is there an option in the personal settings to only see Timothy's stories the first time he posts them?

Such an august list of members (5, Funny)

cliffiecee (136220) | more than 9 years ago | (#10488378)

Internet Chess Club has more than 30,000 members worldwide and claims Madonna, Nicolas Cage, Will Smith and Gary Kasparov as players.

One of these things is not like the others,
One of these things just doesn't belong,
Can you tell which thing is not like the others
By the time I finish my song?

Re:Such an august list of members (5, Funny)

dukeisgod (739214) | more than 9 years ago | (#10488539)

Come on now, don't pick on Will Smith just because he's black...

Re:Such an august list of members (0)

Anonymous Coward | more than 9 years ago | (#10489793)

Wil is black? Get out of here!

http://www.imdb.com/title/tt0120891/

No way someone would be DUMB enough to put a black guy in this role!

YRO: Internet Chess Club Sues Colorado Researchers (0)

psoriac (81188) | more than 9 years ago | (#10488493)

Posted by timothy on Monday October 12, @03:00PM
from the came-back-and-bit-us-in-the-ass dept.
someguy
writes "The 30,000-plus-member Internet Chess Club filed suit today against the University of Colorado at Boulder for encouraging students to hack their service as part of research funded by the National Science Foundation. With guidance from University of Colorado at Boulder computer security researcher John Black, two students were able to reverse-engineer the service to up their ranks and steal passwords."

( Read More... | 1 of 3 comments | yro.slashdot.org )

Bah (1, Flamebait)

Trailwalker (648636) | more than 9 years ago | (#10488497)

A Chess Club?

Tell them to come back after they have cracked one of the systems at Langley, Va.

Re:Bah (1)

AlienRancher (734517) | more than 9 years ago | (#10488835)

They were looking for the blueprints for the weapons of mass distraction? TWF? Really. How secure you expect to be a chess club? I suggest they up the difficulty level. Next target: the Girl Scout cookies web server

Re:Bah (2, Informative)

jnguy (683993) | more than 9 years ago | (#10489286)

A chess club where grandmasters play, and the general population has confidence in, I would imagine it's fairly secure.

This is research? (2, Insightful)

Anonymous Coward | more than 9 years ago | (#10488509)

The difference between this "research" and a felony is exactly what? Maybe the anthrax scare was really an NSF funded biological experiment?

This is a complete waste of taxpayer money, and Dr. Black should have his grants revoked. In fact, I've been in the supposed "computer security" academic community, and it's mostly bogus crap masqueraded as "research" because people don't know better. Computer security research is the AI of our time.

Re:This is research? (1)

Artifakt (700173) | more than 9 years ago | (#10488810)

Computer security research is the AI of our time.

Yes, but AI is also still the AI of our time. So's 90% of Macroeconomics, 80% of Chaos Theory, and a whopping 103.8% of Nanotech.

Re:This is research? (1)

tq_at_sju (218880) | more than 9 years ago | (#10489312)

well the difference is obvious so what you're asking is a loaded question. Other people too have compared this to killing as a crime, which is also absurd.... It is what it is, maybe it's foolish to do, but it's not the same thing as an actual crime, because actual crimes and even actual crime's punishments are based on intent. They intended to use the information in an educational manner and they also intended to tell the chess club that they did it, they didn't intend to change madonna's account around so that every time she went pawn to rook 4 a wav of material girl played...wait a minute that's a good idea...

security (3, Funny)

virtualone (768392) | more than 9 years ago | (#10488525)

From TFA - "Unless you have a lot of experience, don't try to invent your own security system, it will just be broken"

instead, just blindly trust that handy cryptography API that came with your operating system
- (c) by the NSA

Information theft is... (0)

Anonymous Coward | more than 9 years ago | (#10488769)

...just that, information theft. Regardless of who funded, directed or performed the work.

Those people should be on trial for computer crimes.

Even in THIS dupe, it's the CHESS CLUB folks! (3, Funny)

Provocateur (133110) | more than 9 years ago | (#10488805)

You'd think they'd unlock the keys to the Playboy/Penthouse site and gain gold membership or something, folks, but nooooo....it hadda be the Chess Club.

To quote Homer's brain, That's it; I'm leaving.

Academic research reporting should be left... (1, Informative)

Anonymous Coward | more than 9 years ago | (#10488927)

to academics and not institutions.

In all fairness... after reading the original paper, I asked ICC if they are aware of the problem and they directed me to their security help file. ICC did fix one problem regarding membership payments:

http://www.chessclub.com/help/security

"Question: Is my credit card secure at ICC?

ICC has upgraded the way we process online payments. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.php

When you access the web form, your browser shows a "locked padlock" icon that indicates your communication with ICC are encrypted and secure. ICC takes great care in protecting financial information. See help privacy for more information. In almost ten years of service, no member has ever lost a penny of their money because of poor security at ICC."

Now if only someone could divulge Madonna's online name so all the chess geeks could finger her.

great news (3, Funny)

Pierre (6251) | more than 9 years ago | (#10489137)

This is great! I forgot my password 6 months ago and I can't get anybody to reset it for me - I'll bet these guys have recovered it - woo hoo I can play chess again

ICC Security Improvements (5, Informative)

gmacd997 (811854) | more than 9 years ago | (#10489534)

The Internet Chess Club (ICC) has taken steps to improve security since this paper was published.

For details on the paper and ICC's response see the help file at:
http://www.chessclub.com/help/blackpaper

For details on how ICC protects user's security see:
http://www.chessclub.com/help/security

For details on how ICC protects user's privacy see:
http://www.chessclub.com/help/privacy

An excerpt from the /blackpaper help file:

Question: What is ICC doing to improve security?

ICC is doing three main things to improve security:

1) ICC has changed our payment systems so that all online credit card payments go through secure web forms. You can check out our new secure web payment forms at https://www.chessclub.com/store/members/payment.php When you access the web form, your browser shows a 'locked padlock' icon that indicates your communication with ICC are encrypted and secure. ICC takes great care in protecting financial information. See http://www.chessclub.com/help/privacy for more information.

2) ICC is updating Timestamp to close the cracks identified in the paper. This process will take some time to complete. As Black, Cochran, and Gardner show in their paper, getting Timestamp security right is a complex task. Ultimately, when we deploy a new version of Timestamp, ICC users will need to upgrade their chess client software to take advantage of the increased security.

3) ICC is doing an internal security review. ICC is committed to keeping confidential data secure through upgrades to our servers and client programs. We are actively engaged in improving our current security mechanisms, while at the same time, devoting substantial resources to catching cheaters.

...

If you have any questions or comments, you can ask a question in Channel 1, the Help Channel, send a message to ICC or send an email to icc@chessclub.com.

Also, ICC is not suing anyone over the paper by John Black, Martin Cochran, and Ryan Gardner.

George MacDonald
General Manager
Internet Chess Club

of course (0, Troll)

cursingflashor (571586) | more than 9 years ago | (#10489712)

pwn3d

hacking the honor system... (2, Insightful)

Vellmont (569020) | more than 9 years ago | (#10489877)

The article seems to exaggerate the importance of this hack by talking about voting, credit card numbers, etc. But my question is how significant is this?

How secure something needs to be depends on what it is you're protecting. In this case it's the legitimacy of a chess game played over the internet and ratings of individual players. Is there something at stake more than game fairness and an online chess rating? (prize money for example). The article mentions famous people are on the server, is Madonna's chess account being hacked supposed to make me feel scared?

The problems should be fixed of course (if possible), but it sure seems like we're scraping the bottom of the security alert barrel on this one.

More proof: Slashdot outsourcing to Asia! (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10489983)

Still more proof that Slashdot is outsourcing to low-priced Asian help.

...or are the U.S. editors really that incapable of doing their frickin' jobs?

Since when does "news for nerds" (2, Funny)

mark-t (151149) | more than 9 years ago | (#10490367)

... include coverage of people who have nothing better to do with their time than cheat at a board game?