#1107
09-22-2007, 08:53 AM
Fousekis
Re: Absolute Cheating

Without wanting to sound like a [censored], I think people should stop making up scenarios of how the cheating was actually facilitated because all they are doing is hurting the credibility of this story.

The following are not facts as I have no way of confirming any of this, but they are all based on my experience in the IT field and my knowledge of how to build secure systems. The assumption here is that AP is being regulated and audited by someone that can tell their ass from their elbow.

"Superuser account", "Pit boss account", etc.

The existence of such a type of account is highly unlikely. It offers absolutely nothing more than a detailed log produced after the hand has been concluded and would be deemed a major security risk. Even if AP tried to have such an account, no regulatory/auditing authority would allow it.

Even in the unlikely situation where such an account existed for a reason we are failing to conceive, there is no reason for allowing access to it remotely as once more it would be considered a major security risk.

If such an account did exist, it would be a contradiction to the reason for its existence to limit it to just one table at a time.

Super user account that lets you play at the table

I hope you are joking. There is no way this can be justified to any regulatory/auditing authority. As a matter of fact, if I was doing the auditing and I spotted something like that, I'd have them fail the evaluation and recommend the business is shut down.

Cracking the client software

First of all, the term "hacking" means to code, not to take advantage of vulnerabilities. The media have once more taken one thing and twisted it to mean another. Anyway, what you are actually referring to here is cracking.

First of all, the communication between the client and the server is encrypted. So to begin with you'd need to crack the encryption or somehow acquire the decryption key. Cracking the encryption would require far longer than a few seconds, but it is possible (depending on the architecture of the software) to only need to crack it once and then be able to re-use the information you have acquired. It is also possible for the decryption key to have been made available to you in some way. Either way, we will assume that someone could potentially work around the encryption.

Now someone has access to the communication between the client and the server. He can intercept messages, alter them, send spoofed messages etc. Well, they have achieved nothing. The server software would have absolutely no reason to send the hole cards of player A to player B in the middle of the hand without a showdown. No matter what you send the server through your cracked client, the code that sends you back the hole cards of other players would never execute unless it thought a showdown was taking place. If you tricked the server into thinking a showdown was taking place, it would not just conveniently send you the hole cards of the other players and then proceed with the hand as normal; it would bring the hand to showdown on everyone's client.

Gaining access to a central network router and intercepting traffic

You need to be physically present to perform this attack. You need to be plugged into the local network; you cannot perform this type of attack remotely. Let me make it 100% clear. You will need to be sitting next to the router, with one computer playing at the tables and the other computer capturing the raw data as it flows through the router.

Why is this hurting the story?

Absolute Poker knows all this. Their security and IT departments are well aware of all the possible ways their system could be attacked (it's part of your system design to produce these scenarios). Can you see why people sending them emails claiming that they have allowed their system to be compromised through a "superuser account" is hurting this story? They know a superuser account does not exist. They know that cracking their client software would achieve nothing. They know their physical security has not been compromised.

Right, so what you are saying basically is that no cheating could have taken place

Absolutely (heh) not, I am not saying that at all. I am saying that we should not try and speculate how the cheating happened, we should just be stating the facts. I do have a couple of theories as to how this could have been technically achieved without being detected by regulatory/auditing/code review checks (e.g. debugging code that made its way into the production system) but elaborating on them adds no value to the story.
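
The server-side check described under "Cracking the client software", as an added example that is not part of the original post and is not Absolute Poker's code: a simplified one-round hand in which hole cards are filtered per recipient from server state, so a spoofed message cannot request them, and a showdown is shown to every seat at once. All class, function and message names here are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical allowlist: the only message types a client may send.
CLIENT_ACTIONS = {"check", "call", "fold"}


@dataclass
class Hand:
    hole_cards: dict                      # seat -> cards; kept on the server
    state: str = "betting"                # changed only by server rules
    folded: set = field(default_factory=set)
    acted: set = field(default_factory=set)

    def view_for(self, seat):
        """Build the only state this seat is ever sent."""
        cards = {seat: self.hole_cards[seat]}          # own cards only
        if self.state == "showdown":                   # server state decides, not the request
            cards = {s: c for s, c in self.hole_cards.items()
                     if s not in self.folded or s == seat}
        return {"state": self.state, "cards": cards}

    def handle(self, seat, msg):
        """Apply one client message; return the per-seat views to send out."""
        kind = msg.get("type")
        if self.state != "betting" or kind not in CLIENT_ACTIONS:
            # Unknown or out-of-turn request: nothing changes, nothing extra is sent.
            return {seat: {"error": "rejected", **self.view_for(seat)}}
        if kind == "fold":
            self.folded.add(seat)
        self.acted.add(seat)
        if self.acted >= set(self.hole_cards):         # simplified end-of-round rule
            self.state = "showdown"
        # Every seat gets its own filtered view, so a showdown reaches everyone.
        return {s: self.view_for(s) for s in self.hole_cards}


def demo():
    hand = Hand({"A": ["As", "Kd"], "B": ["7c", "2h"]})   # constructed sample deal
    # Spoofed message from a modified client asking for a showdown / reveal.
    forged = hand.handle("B", {"type": "showdown", "reveal": "A"})
    state_after_forgery = hand.state
    hand.handle("A", {"type": "check"})
    final = hand.handle("B", {"type": "call"})             # round really ends here
    return forged, state_after_forgery, final
```
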