As anybody who plays chess online knows, on occasion a chess playing
site like the one PlayChess by Chessbase will say "Player XYZ detected
using chess playing software--their account has been deleted".

Also when recently the Topolov-Anand match was played, the Bulgarian
servers stated (when I was checking out the live match): "Warning:
Chessbase detected!". Apparently they were upset that Chessbase
software was being used to analyze the match, which they wanted
exclusive live rights to (they have sense sued Chessbase).

Speculation: how do they do that? How to they detect software
remotely--isn't this a security breach?

Some theories:

1) They have some software that can check out what programs are
running in your memory, and:
(a) this software is bundled with the chess interface used by online
chess playing programs, or
(b) this is a Java applet that runs under any browser

If 1)(b), isn't this something an anti-virus program would catch?
Maybe not.

2) They are faking it: they simply analyze some games played by
suspected cheaters--maybe people reported by opponents who are
suspicious --and if enough of the game show that nearly all moves were
the 'recommended' moves played by typical chess playing software like
Rybka or Fritz, then the accounts are deleted. In the case of the
Bulgarian servers--since the organizers of this match were upset with
Chessbase before the match because Chessbase stated they were going to
rebroadcast the moves--which BTW I don't think Chessbase has legal
rights to--the Bulgarian organizers simply added a message "Warning:
Chessbase detected!" just to show anybody they were upset with
Chessbase, to scare them, since most serious chess players use
Chessbase. In other words, it was a fake message that everybody saw,
even those not using Chessbase software.


RL

From: "raylopez99" <(E-Mail Removed)>

| As anybody who plays chess online knows, on occasion a chess playing
| site like the one PlayChess by Chessbase will say "Player XYZ detected
| using chess playing software--their account has been deleted".

| Also when recently the Topolov-Anand match was played, the Bulgarian
| servers stated (when I was checking out the live match): "Warning:
| Chessbase detected!". Apparently they were upset that Chessbase
| software was being used to analyze the match, which they wanted
| exclusive live rights to (they have sense sued Chessbase).

| Speculation: how do they do that? How to they detect software
| remotely--isn't this a security breach?

| Some theories:

| 1) They have some software that can check out what programs are
| running in your memory, and:
| (a) this software is bundled with the chess interface used by online
| chess playing programs, or
| (b) this is a Java applet that runs under any browser

| If 1)(b), isn't this something an anti-virus program would catch?
| Maybe not.

| 2) They are faking it: they simply analyze some games played by
| suspected cheaters--maybe people reported by opponents who are
| suspicious --and if enough of the game show that nearly all moves were
| the 'recommended' moves played by typical chess playing software like
| Rybka or Fritz, then the accounts are deleted. In the case of the
| Bulgarian servers--since the organizers of this match were upset with
| Chessbase before the match because Chessbase stated they were going to
| rebroadcast the moves--which BTW I don't think Chessbase has legal
| rights to--the Bulgarian organizers simply added a message "Warning:
| Chessbase detected!" just to show anybody they were upset with
| Chessbase, to scare them, since most serious chess players use
| Chessbase. In other words, it was a fake message that everybody saw,
| even those not using Chessbase software.

Huh ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

"raylopez99" <(E-Mail Removed)> wrote in message
news:fc013a92-1995-4a2f-ba25-(E-Mail Removed)...
> As anybody who plays chess online knows, on occasion a chess playing
> site like the one PlayChess by Chessbase will say "Player XYZ detected
> using chess playing software--their account has been deleted".
>
> Also when recently the Topolov-Anand match was played, the Bulgarian
> servers stated (when I was checking out the live match): "Warning:
> Chessbase detected!". Apparently they were upset that Chessbase
> software was being used to analyze the match, which they wanted
> exclusive live rights to (they have sense sued Chessbase).
>
> Speculation: how do they do that? How to they detect software
> remotely--isn't this a security breach?
>
> Some theories:
>
> 1) They have some software that can check out what programs are
> running in your memory, and:
> (a) this software is bundled with the chess interface used by online
> chess playing programs, or
> (b) this is a Java applet that runs under any browser
>
> If 1)(b), isn't this something an anti-virus program would catch?
> Maybe not.
>
> 2) They are faking it: they simply analyze some games played by
> suspected cheaters--maybe people reported by opponents who are
> suspicious --and if enough of the game show that nearly all moves were
> the 'recommended' moves played by typical chess playing software like
> Rybka or Fritz, then the accounts are deleted. In the case of the
> Bulgarian servers--since the organizers of this match were upset with
> Chessbase before the match because Chessbase stated they were going to
> rebroadcast the moves--which BTW I don't think Chessbase has legal
> rights to--the Bulgarian organizers simply added a message "Warning:
> Chessbase detected!" just to show anybody they were upset with
> Chessbase, to scare them, since most serious chess players use
> Chessbase. In other words, it was a fake message that everybody saw,
> even those not using Chessbase software.

http://support.chess.com/index.php?_...barticleid=711

"How does Chess.com detect cheating?
One part of our analysis involves comparing human moves to computer moves
and looking at statistical significance. The other parts are not public
knowledge. We will never disclose our exact methods for catching cheaters
(to prevent cheaters from adapting their methods), but it involves both
cutting-edge technology and human judgment."

See also:

http://www.chessclub.com/help/Speedtrap

"The methods we use are confidential, because describing them in detail
would allow cheaters to cheat more intelligently. However, we can clear up
some common misconceptions by listing some things that do NOT cause us to
put someone on the computer list:"

I suspect they all will have similar 'explanations' on their respective
sites.

....shouldn't that be Ruy Lopez? ) I used that name when installing Vista
because of the chess piece icon displayed during the process, and I never
use my real name on any of my computers.

raylopez99 wrote:
> [snip]

I doubt this belongs in the C# group or AV group. Probably not chess
either. More like software security or something, I think.

I have some ideas on how they do this and how they do it in any other
online game. I won't go into the details on exactly how you can do the
same or how you can defeat it.

> Speculation: how do they do that? How to they detect software
> remotely--isn't this a security breach?

You have two choices, at least: Take a risk or not play it.
There's no way to to detect such things remotely without the local
machine sending some data first that allows the remote machine to detect
it. Internal data of the game could be changed by the analyzer one way
or another (you don't see this anywhere on the outside), and the game
can either detect it locally or send a hash of or chunk of the data for
verification.

> Some theories:
>
> 1) They have some software that can check out what programs are
> running in your memory, and:

Either that or what I mentioned earlier. These are the simplest methods
I can think of at the moment at least.

> (a) this software is bundled with the chess interface used by online
> chess playing programs, or

Sure, it could be either bundled with it, integrated into the main
application (game) or it is downloaded from somewhere after
installation. Maybe I misunderstood?

> (b) this is a Java applet that runs under any browser

If so, it can of course check its internal data and let the server know
either if something is suspicious, or simply let the server decide if it
looks suspicious. I doubt it would be allowed to check what other
applications are running and read from their memory if it's a Java
applet, since that sounds very dangerous. But it's an IE or Firefox
plugin.. Yes, I think that would be possible. Just like the Flash
plugin. You may know it has been vulnerable for exploitation.

> If 1)(b), isn't this something an anti-virus program would catch?
> Maybe not.

They can't magically know what kind of application it is and decide that
it is something that should be "caught". If it should block Java applets
by default, they should of course let you decide whether to run it or
not. Or if it has the same kind of feature I have in Outpost Firewall
Pro ("Host protection"), it will catch attempts to access other
processes (for example reading memory from them).

> 2) They are faking it: they simply analyze some games played by
> suspected cheaters--maybe people reported by opponents who are
> suspicious --and if enough of the game show that nearly all moves were
> the 'recommended' moves played by typical chess playing software like
> Rybka or Fritz, then the accounts are deleted. In the case of the
> Bulgarian servers--since the organizers of this match were upset with
> Chessbase before the match because Chessbase stated they were going to
> rebroadcast the moves--which BTW I don't think Chessbase has legal
> rights to--the Bulgarian organizers simply added a message "Warning:
> Chessbase detected!" just to show anybody they were upset with
> Chessbase, to scare them, since most serious chess players use
> Chessbase. In other words, it was a fake message that everybody saw,
> even those not using Chessbase software.

I think that would be a complex to do anyways, so I doubt it. But of
course they can if if they want to.

>
> RL

Cheat detection methods do it one way or another with some variations,
but I believe it's basically the same thing (of course, some are better
than others).
I have not tried to give you very informational technical details on
this. Just enough, I hope.

--
Regards,
Jackie

From: "Jackie" <(E-Mail Removed)>

| raylopez99 wrote:
>> [snip]

| I doubt this belongs in the C# group or AV group. Probably not chess
| either. More like software security or something, I think.

+1

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

On Jun 9, 3:10*pm, "FromTheRafters" <erratic @nomail.afraid.org>
wrote:

> ...shouldn't that be Ruy Lopez? ) I used that name when installing Vista
> because of the chess piece icon displayed during the process, and I never
> use my real name on any of my computers.

Very clever. And thanks for the links with explanations...those chess
programmers are always on the cutting edge!

Ray "Ruy" Lopez

On Jun 9, 4:28*pm, Jackie <Jac...@an.on> wrote:
> raylopez99 wrote:
> > [snip]
>
> I doubt this belongs in the C# group or AV group. Probably not chess
> either. More like software security or something, I think.

Feel free to cross-post it there then.

>
> I have some ideas on how they do this and how they do it in any other
> online game. I won't go into the details on exactly how you can do the
> same or how you can defeat it.

Hell why not? I guess you might be giving away company secrets?

>
> > Speculation: how do they do that? *How to they detect software
> > remotely--isn't this a security breach?
>
> You have two choices, at least: Take a risk or not play it.
> There's no way to to detect such things remotely without the local
> machine sending some data first that allows the remote machine to detect
> it. Internal data of the game could be changed by the analyzer one way
> or another (you don't see this anywhere on the outside), and the game
> can either detect it locally or send a hash of or chunk of the data for
> verification.

Well of course I assume the local machine sends data.

>
> > Some theories:
>
> > 1) They have some software that can check out what programs are
> > running in your memory, and:
>
> Either that or what I mentioned earlier. These are the simplest methods
> I can think of at the moment at least.

I have a feeling this is not so simple...

> If so, it can of course check its internal data and let the server know
> either if something is suspicious, or simply let the server decide if it
> looks suspicious. I doubt it would be allowed to check what other
> applications are running and read from their memory if it's a Java
> applet, since that sounds very dangerous. But it's an IE or Firefox
> plugin.. Yes, I think that would be possible. Just like the Flash
> plugin. You may know it has been vulnerable for exploitation.
>

A plugin to check memory, to see if chess playing software resides in
said memory? Dangerous sounding.


> > 2) They are faking it: *they simply analyze some games played by
> > suspected cheaters--maybe people reported by opponents who are
> > suspicious --and if enough of the game show that nearly all moves were
> > the 'recommended' moves played by typical chess playing software like
> > Rybka or Fritz, then the accounts are deleted. *

Well this turns out to be one way--but not the only way--cheating is
detected according to the poster FromTheRafters.


>
> Cheat detection methods do it one way or another with some variations,
> but I believe it's basically the same thing (of course, some are better
> than others).
> I have not tried to give you very informational technical details on
> this. Just enough, I hope.

Not enough I pray. But don't give away the kimono and compromise the
internet just to satisfy my curiosity.

Thanks,

Ray

On 09-06-2010 05:47, raylopez99 wrote:
> As anybody who plays chess online knows, on occasion a chess playing
> site like the one PlayChess by Chessbase will say "Player XYZ detected
> using chess playing software--their account has been deleted".
>
> Also when recently the Topolov-Anand match was played, the Bulgarian
> servers stated (when I was checking out the live match): "Warning:
> Chessbase detected!". Apparently they were upset that Chessbase
> software was being used to analyze the match, which they wanted
> exclusive live rights to (they have sense sued Chessbase).
>
> Speculation: how do they do that? How to they detect software
> remotely--isn't this a security breach?
>
> Some theories:
>
> 1) They have some software that can check out what programs are
> running in your memory, and:
> (a) this software is bundled with the chess interface used by online
> chess playing programs, or
> (b) this is a Java applet that runs under any browser
>
> If 1)(b), isn't this something an anti-virus program would catch?
> Maybe not.
>
> 2) They are faking it: they simply analyze some games played by
> suspected cheaters--maybe people reported by opponents who are
> suspicious --and if enough of the game show that nearly all moves were
> the 'recommended' moves played by typical chess playing software like
> Rybka or Fritz, then the accounts are deleted. In the case of the
> Bulgarian servers--since the organizers of this match were upset with
> Chessbase before the match because Chessbase stated they were going to
> rebroadcast the moves--which BTW I don't think Chessbase has legal
> rights to--the Bulgarian organizers simply added a message "Warning:
> Chessbase detected!" just to show anybody they were upset with
> Chessbase, to scare them, since most serious chess players use
> Chessbase. In other words, it was a fake message that everybody saw,
> even those not using Chessbase software.

I think it must be 1a.

An unsigned Java applet can not go outside the sandbox and
a signed Java applet will prompt for additional access.

Arne

http://java.sun.com/j2se/1.4.2/docs/...rmissions.html

I had a look here just now to figure out exactly what a Java applet is
allowed to do.

AWTPermission > readDisplayPixels
Screenshots to detect the analyzer.

FilePermission
Search for known "bad applications" in the file system to see if they
are installed.

RuntimePermission > setContextClassLoader
I am not sure exactly which system they are talking about here. But if
it is kind of the same as the SetThreadContext API on Windows, and in
addition the code is somehow injected into the remote process (which I
doubt), this is one way to take complete control over that process (read
from its memory and send something back to the chess applet?).

RuntimePermission > writeFileDescriptor
"may allow malicous code to plant viruses" (and other things)

RuntimePermission > loadLibrary.{library name}
"Java security architecture is not designed to and does not prevent
malicious behavior at the level of native code"

Well, this would be very dangerous and would allow anything to be done
in the OS as far as permissions allow it. Even outside the sandbox.

--
Regards,
Jackie

Jackie wrote:
> Well, this would be very dangerous and would allow anything to be done
> in the OS as far as permissions allow it. Even outside the sandbox.

But of course not without you letting it do that first.

--
Regards,
Jackie