Poll Results: Who is dumber?
| The old lady | 4 | 36.36% |
| The crook | 2 | 18.18% |
| They are both equally unintelligent | 5 | 45.45% |
| this space intentionally left blank | 0 | 0% |
Voters: 11
#11
[ QUOTE ]
[ QUOTE ]
the truth is that 4 security holes were created when the live game moved to the internet

1) the muck is no longer guaranteed to be forgotten
2) sites do not prove their deck selection is random
3) players cannot physically see other players (nor the site)
4) can't prove that the server isn't colluding with a player

the reason i knew this early is because one of my first assignments in the gaming industry was to find all of the security holes in the online game and address them with a view toward applying for certification for an internet server platform within the state of nevada. what i learned was that the ngc does not care how popular a game is or even what the players or the house really want. all they care about is whether or not the game is physically secure and whether or not they are able to physically police and measure all aspects of the game in question.
[/ QUOTE ]

1) the muck. Deliver hole cards to each player encrypted so that no one aside from each player knows what their cards are, not even the server; the server only records the hole cards in the event of a SD. It can't be that hard to make a deck that the server effectively shuffles "face down" so that the rank/suit of the "card" remains fixed and unchangeable but cannot be read by the server that deals it. Set up a dealing system whereby once the hand is dealt the remaining cards are wiped from the system - provably so.

2) sites could very easily prove that the decks they deal are randomly chosen - say we have 100 possible decks that are randomly shuffled using the present RNG methods (which are independently sampled and proved to be random by independent testers) just pick one of those 100 decks at random using similar randomising technology - you could get each player to "choose" a deck in turn but this would slow the games down and generate less rake...
3) webcams - each player at a site is sent a webcam/identity device when they sign up (this tech is very inexpensive and was several years ago) - you could go so far as to have a thumbprint scanner built into each cam so that when a player logged on they cannot do so without providing a thumbscan before they can play - players could be required to be visible on camera at all times during play.

[ QUOTE ]
it's impossible to both secure the players' card info on the internet and prove that the server is not colluding with a player. it turns out that the internet makes it impossible to do both. if you turn off the encryption then you can prove that the house is not colluding with a player but then the players' card info is at risk. if you secure the card info then you can't sniff the traffic to prove the server didn't collude with a player.
[/ QUOTE ]

4) only the hole cards need encryption during transit to the player's computer. If the server is blind to what cards it is dealing in any case how CAN it collude? The pot is only shipped after the SD (or all but one player folds); it would be a simple matter to check whether the server has colluded with a player after the completion of the hand but before the pot is shipped.

Consider the PGP encryption technique. For every message that's encrypted 2 keys are used, a public and private key. What if the shuffler shuffled the deck (which was chosen at random using a verifiable method) - after each card is individually encrypted once for every player (say there are 6 players then it makes 6 copies of each card using each player's public key, which are then locked together as one unit) each unit of cards is dealt to each player in turn, so you have 6 K♠ that all got encrypted using each player's separate public key dealt as one unit.
Each player upon receiving their card tries to decrypt each card but obviously the key they have only unlocks one of them (as they are all the same it doesn't matter - the 5 other copies get discarded). Provided that the cards are encrypted before the deck is shuffled the server traffic can be transmitted in plaintext and sniffed to stop any collusion between server and client. The server cannot possibly tell which cards it has dealt to whom. It doesn't need to know players' hole cards until such time as they are shown down.

A copy of each individual's hh can then be encrypted on each player's machine and sent back to an archive server which holds each hh for a set period of time (but which cannot be accessed unless required) so that if any players are suspected of colluding between themselves somehow the records can be pulled and the complete hh rebuilt for any given hand to prove collusion one way or another.

Provided the keys you are using have enough bits they are impossible to crack in any reasonable timeframe - and even if you knew another player's key it wouldn't do any good as you cannot derive the private key that each player holds from the public key - you can tell if the server is sending card info to the wrong players as the server traffic is totally unencrypted and sniffable - once hole cards are dealt the rest of the deck is decrypted to deal community cards - once the board cards are dealt the remaining cards can be verifiably destroyed.

PGP technology has been around much longer than online poker has...

I might be wrong here (I'm sure you'll correct me if I am) but think I've just solved your four "insolvable" problems without spending a lot of money on research - security holes fixed - now you can stop breaking sites' T&C's on some crazy whim, we can all play on a level playing field and everyone's happy - or is there something I've missed?
[/ QUOTE ]

matrix,

1) i'm not sure you understand the muck issue

poker servers are responsible for dispensing the hidden card info to each player and that information must come from somewhere. the function is similar to a dealer; the issue isn't whether or not there can be encryption between server and client; the issue is that if the server has complete knowledge of the deck (much the way a live dealer does not) then that knowledge can be remembered after the hand is finished; this is called server side hand history; in a live casino the information is guaranteed to be forgotten (the exception being the camera tables now in existence); but in the current online servers the information is preserved/remembered; this means that it's possible for a site operator to make the info available to some (after the hand is over) and not others; (and that would be cheating) e.g. the site we play on could be sending you all of the server side hh's and i'd never know it.

it's not possible for a site operator to prove that his server erased the muck as opposed to storing it in a database for later use. if the operator claims to do that or claims to not share the info then you're required to just "trust" him; this is called a "good faith" security requirement - also known as a security hole.

bottom line is that you must publish the muck to eliminate the "good faith" security requirement. (*note that this is not an issue for the live b&m game because the deck is never known by any one person)

2) random decks

it is possible to prove that the deck is random. the live digital platform can guarantee this; however, online game servers do not provide this feature; they currently just do random server side shuffling and ask you to "trust" that they did not select the deck.

bottom line is that player determined shuffling is possible but we know of no site that does it. therefore it's still a "good faith" security issue.
3) can't see players

your webcam is an understandable attempt to visibly police players; you might as well install an anal probe while you're at it; this is not a workable solution; you have a better chance at a successful honest-holdem style site than getting everyone to agree to a big-brother style camera in their home. this is the point where i say that i'd quit online poker if i were forced to use a web-cam. my privacy trumps your need to have physical policing.

4) can't prove the server isn't colluding with a player

(matrix the issue is not if encryption works, the issue is that it does work)

dude. if the connection is encrypted then it's not possible to sniff the information traveling to the player and that means that it's possible for the server to cheat with one of the players by sending them a privileged piece of info (like the entire deck that's being used this hand)

the purpose of an encrypted channel is to gain a private conversation between 2 parties and if the conversation between the server and client is totally secure then the server can tell the client anything it wants including the next 100 decks to be dealt.

you can defeat this if a non-encrypted channel is used (this is what live digital does) but that puts player card info at risk in the context of the internet in that somebody might be able to sniff the traffic and learn our cards. live digital doesn't have this problem because the internet is not involved; live digital happens on a closed lan.

the honest holdem t&c plugs holes 1-3 but not 4

hole 4 is an unsolvable problem on the internet.

the live digital platform plugs all 4 holes. (because the internet is not involved)

the current internet servers don't plug any of the 4 holes (they could plug 1-3 but they don't; nobody can plug hole 4 on the internet)

ray
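
Point 2 above says player-determined shuffling is possible without saying how. One way to do it is a commit-and-reveal shuffle, sketched here as an added example that is not from the thread or from any poker site; the hash commitment, the function names and the sample seeds are all assumptions. It covers hole 2 only, and revealing the server seed after the hand exposes the whole deck, muck included.

```python
import hashlib
import hmac

RANKS, SUITS = "23456789TJQKA", "cdhs"
DECK = [r + s for r in RANKS for s in SUITS]

def commit(server_seed: bytes, nonce: bytes) -> str:
    """Commitment the server publishes before it sees any player seed."""
    return hmac.new(nonce, server_seed, hashlib.sha256).hexdigest()

def derive_deck(server_seed: bytes, player_seeds: list[bytes]) -> list[str]:
    """Fisher-Yates shuffle keyed by the server seed and every player seed."""
    h = hashlib.sha256()
    for seed in [server_seed, *player_seeds]:
        h.update(hashlib.sha256(seed).digest())  # fixed-width parts, no ambiguity
    key = h.digest()
    deck, counter = DECK[:], 0
    for i in range(len(deck) - 1, 0, -1):
        bound = i + 1
        limit = (1 << 256) - ((1 << 256) % bound)  # rejection sampling, no modulo bias
        while True:
            block = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
            r = int.from_bytes(block, "big")
            if r < limit:
                break
        j = r % bound
        deck[i], deck[j] = deck[j], deck[i]
    return deck

def audit_hand(commitment: str, server_seed: bytes, nonce: bytes,
               player_seeds: list[bytes], dealt_deck: list[str]) -> bool:
    """Post-hand check any player can run once the server reveals its seed."""
    if not hmac.compare_digest(commitment, commit(server_seed, nonce)):
        return False  # server changed its seed after committing
    return derive_deck(server_seed, player_seeds) == dealt_deck

# Constructed sample values, not real traffic.
SERVER_SEED, NONCE = b"server-seed-constructed", b"nonce-constructed"
PLAYER_SEEDS = [b"alice-seed", b"bob-seed", b"carol-seed"]
COMMITMENT = commit(SERVER_SEED, NONCE)      # published before seeds are collected
DEALT = derive_deck(SERVER_SEED, PLAYER_SEEDS)

if __name__ == "__main__":
    print(audit_hand(COMMITMENT, SERVER_SEED, NONCE, PLAYER_SEEDS, DEALT))
```

The server cannot pick the deck because it is bound to its seed before the player seeds exist, and no player can pick it without knowing the server seed; a server that leaks its seed to one player falls under hole 4, which this does not address.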