

How we learned to cheat at online poker: a story of software security - henning
http://www.cigital.com/papers/download/developer_gambling.php

======
MicahWedemeyer
Before you get all excited and start writing your own pseudo-random number
generator, make sure to take a stroll through some CodeSOD over at the Daily
WTF. There are plenty of examples of people trying to out-smart the built-in
generators and failing miserably. This stuff ain't easy.

------
matt1
Keep in mind that this happened in the late 1990s. The major players in online
poker (PokerStars and Full Tilt Poker) have millions of dollars to lose if
someone discovered a flaw in their random number system. Accordingly, they
have invested a lot of money and time into ensuring that their systems are
secure to avoid something like this happening again.

That being said, there are still problems.

Several months ago the 2+2 poker community discovered people using "superuser"
accounts on Absolute Poker, which could see everyone else's holecards.
Fortunately, the perpetrator wildly abused his powers and was discovered in
time.

And who knows, you could discover some zero day exploit that gets you the same
thing. All you have to do is spend thousands of hours attempting something
that you probably won't succeed at and even if you did, you'd probably be
discovered quickly because of inconsistencies in your play.

~~~
rudyfink
<http://pokermining.wordpress.com/2007/12/20/cheating-graph/> is a graph from
the 2+2 post showing how much of an outlier the cheating play was. It is the
little red dot in the far upper right.

~~~
matt1
Variance obviously.

It's called 1 in a trillion for a reason ;)

------
mattmaroon
An oldie but a goodie. I remember when this first happened. A lot of people
thought the industry would never recover. My opinion was always that half of
the people thought it was rigged anyway (even when it wasn't) and still
played, so what was the difference?

I think I've since been proven right by the fact that Ultimate Bet and
Absolute Poker still exist.

------
zandorg
I remember a casino where the communication between player and server was done
using SSL. I compiled a custom OpenSSL DLL and was able to intercept the
roulette commands!

Unfortunately whether it was a winning bet was done on the server, and the
communication was just sending the bet to the server, and the other way, the
result to the player.

~~~
DanHulton
Good to know that they obeyed rule #1 for game design: "Never trust the
client!"

