Winboard Forum

[wgr]

Hi. I am new to this forum, though I have been using xboard as a member of ICC since 1998.

A recent problem came up with timestamp. It no longer works on ICC. Mike (that's his ICC handle) suggested I go to this forum and raise the issue, since nobody at ICC support seems to be able to help.

A couple of weeks ago, there were DoS attacks at ICC. In the scuffle to deal with the problem, ICC may have made a change to IP address or something. I haven't got the full story from them.

Whatever the cause, running xboard with timestamp no longer works. If I run xboard without timestamp, I am able to log in. If I run xboard without timestamp, I am not able to log in.

I hope that there are still people here capable of supporting xboard and timestamp. Anyone who can help?

-Will

[wgr]

I said this:

If I run xboard without timestamp, I am able to log in. If I run xboard without timestamp, I am not able to log in.

I meant to say this:

If I run xboard without timestamp, I am able to log in. If I run xboard with timestamp, I am not able to log in.

I hope this clarifies the problem.

In other words, using timestamp with xboard to log into ICC no longer works, and timestamp cannot be used.

-Will

[Josh Pettus]

Try logging in with the icc ip address as oppose to the domain name. I can't tell you why icc quits out when you try to use the domain name with timestamp, but I'm sure it's on their end. I had to do that with the OSX bundle. Thankfully still works. God forbid they change the ip...

ip is 207.99.83.228

I thought freechess.org had a similar problem with timeseal, but I was wrong, it works fine with the domain name.

[wgr]

Both ways were failing.

However, I got a reply from ICC support yesterday saying they were looking at it. I just tried again, and I found that connecting with timestamp works if and only if I use the explicit ip address.

Perhaps they fixed something (I haven't been told details), and at least for the time being I seem to have a solution.

Note also that the ip address has changed there, apparently in response to the recent DoS. (However, they have turned off the external ping server. So I can no longer ping chessclub.com and get a response. I can still do an internal ping, i.e. issue the ICC ping command from within their own command line, and it works.)

-Will

[Josh Pettus]

Really? that's the same ip address it has been since I put it in the osx app over a year ago. Still works fine. As does timestamp

[H.G.Muller]

Timestamp is a program distributed by ICC, and they want to keep it a secret what it actually does, to prevent 'time cheats'. I thought it took the URL of the server to connect to as a command-line argument, though, and contains the usual code to convert domain names into IP addresses before connecting. So if the IP address of their domain changed, it should not be a problem if you adapt the requested IP address itself. If the domain name chessclub.com no longer maps to the actual IP address of the server, this is a server-side or network (in particular DNS) problem that cannot be solved from Timestamp. (It can be worked around by supplying the correct IP address yourself in stead of the domain name, bypassing the normal DNS lookup.)

If ICC changed the protocol used by Timestamp some way, so that old Timestamp binaries do not work anymore, there isn't anything we can do about it. It would need a Timestamp speaking the new protocol, which only ICC could provide.

P.S. I did not have any problem connecting to ICC with Timestamp from Windows, just now. Worked the same as ever.

[wgr]

Sounds like security through obscurity -- a dinosaur concept.

Software security experts agree that the best practice is using open protocols with only a secret key providing privacy. I could name some other security issues visible through the xboard connection.

Concerning ip changes, I know that the ip address has changed, because my old script to connect through xboard used the explicit ip address, and I have those old lines commented out. I have changed the script to use the new ip address. (Not that I want to get into an unproductive debate about ip addresses.)

Also, I can see using dig, nslookup, and host what the ip address is now.

Interestingly, they have blocked ping. Also, traceroute was showing information about internal servers a few days ago, but that too has been blocked.

-Will

[Josh Pettus]

I didn't mean to imply you were lying or anything like that. I'm sure you are correct, It's just that the ip I listed above and used for over a year seems to work for me. Is that the new ip address in question?

As for security, it is a telnet protocol after all. I wouldn't think to worry about security.

[wgr]

The ip address you mentioned earlier in the thread was 207.99.83.228. That's the old one I used to use.

If you do dig or nslookup on chessclub.com, you (or at least I) now get 207.192.66.15, which is what I now use to connect.

What is using telnet? Would that be xboard? Or do you mean timestamp?

As for who maintains timestamp, I'm a little confused. The reason I got onto this board is that I heard that the people who maintain it are at the winboard forum. Whereas H. G. Muller's post today said that ICC distributes timestamp and keeps it secret. So who actually does maintain timestamp and know how it works?

Am I correct in understanding that xboard and winboard are maintained by people on this forum?

-Will

[Josh Pettus]

It's just very strange the old one is working for me right now. I suppose there is some sort of redirect in place? Is it likely to go down at some point?

Harm can elaborate I'm sure, but Timestamp is definitely an ICC property. There is no code for timestamp in the xboard codebase. Xboard isn't even the only client that makes use of it. They all do.

AFIK, ICC and FICS both use telnet to communicate to the various clients. Xboard being one such client, there are many. So in answer to your question, everyone.
http://en.wikipedia.org/wiki/Internet_chess_server

[wgr]

Really!

So when xboard connects to ICC, it uses plain old telnet, my password is sent as cleartext, and anyone can snoop during the session. I was kind of aware of that, but it sounds like you're saying in addition that ICC has no newer protocols for any of the new user interfaces. Is that right?

So for example you see all these things advertised like Lantern and Blitzin and Dasher, and they may have fancy UIs, but underneath there is no data security? Just the same plain old telnet?

I would think in this day and age you would get at least tunnelling with TLS or ssh, along with some authentication protocols like LDAP and/or Kerberos -- giving key exchange with RSA and preventing man-in-the-middle attacks. No such luck, with all the UIs?

-Will

[Josh Pettus]

AFAIK, yup. And exactly. Best not to think about it too much...It will only keep you up at night.

[H.G.Muller]

If you connect through plain telnet anyone can indeed listen in. But Timestamp does encrypt selected parts of the communication, and I believe that username and password are indeed encrypted. (I know this for sure from the FICS equivalent Timeseal, where an ICS starts to complain that your username contains invalid characters when the server runs without timeseal decoder.)

I think all the ICC UIs use Timestamp (or a plaintext TCP/IP connection).

Note that the aim of the Timestamp protocol is not primarily to improve the security of user authentication or guard against eavesdropping. It is intended to be a protection against malicious authentic users. The protocols you mention are useless against that. E.g. you can login on a remote machine with ssh, and then enter whatever malicious command you want, and ssh will dutifully relay it. The purpose of Timestamp is to create a 'trusted environment' on the users machine, that can perform actions (in particular reading the system clock and sending that info to the server) without the user on that same machine being able to mess with them. If it was exactly known what Timestamp is doing (possibly in reaction to something it received from the server, which the user also could see), nothing would stop the user from doing exactly the same on clock readings that he first doctored to his advantage.

Playing on-line Chess is not like banking. Outsiders cannot gain anything by stealing your identity, or eavesdropping on your Chess games. So a modest deterrent will be enough to discourage attacks on the system. Why try to fix problems that in practice never seem to occur?

[H.G.Muller]

Am I correct in understanding that xboard and winboard are maintained by people on this forum?

This is correct. I am the currently most active Win/XBoard developer, and Josh takes care of integrating XBoard with and packaging it for OSX/Mac. WinBoard and XBoard for Mac are packaged with the appropriate Timestamp binary we obtained from ICC, and the Timeseal binary we obtained from FICS.

As to the relation between Win/XBoard and Timestamp: when run in -ics mode, XBoard has several methods to connect to the ICS, but the preferred method is to launch a 'helper program' (specified by -icshelper) on the same machine as it is running. It will then communicate with this program through a pipe (similar to how it communicates to engines), using 'telnet protocol'. That latter is basically just transferring text from and to a remote machine, but there are some 'control sequences' for throttling the data stream, swicthing on and of echo, etc. XBoard knows these, and uses these when appropriate.

Telnet is the default -icshelper, and what goes on between Telnet and the ICS is exactly the same as when you would launch Telnet from the command line (with the ICS domain name and port number). XBoard just emulates a user that plays on the ICS through Telnet by typing the moves. But it would be perfectly possible to do the latter yourself.

Now Timestamp can be used as Telnet from the command line as well. It behavior towards the user is basically the same; it will use the terminal window from which you launch it, and you can type ICS commands, and get the reply displayed there. You would not see a difference between using Timestamp that way and using your system's Telnet utility. The only difference is that what actually goes over the TCP/IP connection with the ICS is accompanied by 'time stamps' based on the user's system clock, and encrypted in a secret way.