Re: AP, rigged, etc. #8981.4 - there was no superuser account
[ QUOTE ]
[ QUOTE ]
Quote:
This is a special client. The server might be cooperating with it (possible, but not likely), or the special client might simply pluck the hole card data from wherever it is stored on the server.
The server in this instance would most definately be cooperating, in so much as verifying the clients authentication to recieve the data.
Otherwise, any Tom, Dick, or Harry could write their own customized client to retrieve the data. This doesn't happen because the server doesn't allow unauthorized access.
In the original example from your quote, the server is cooperating by allowing it...etc.
[/ QUOTE ]
I was referring to the poker server software. The poker server doesn't have to have special code to cooperate with a superuser client. I would consider it a fairly serious vulnerability if it did. The superuser client merely has to have elevated privileges that the operating system on the server honors.
I believe what we're looking at is a superuser (or root) account using a special client (a client for the operating system, not the poker server) designed to pluck hole card data from server storage and display it to the superuser at the remote end.
Obviously, if you have root access, you don't need the special client. You can just poke around and grep hole card data in a shell. But that would be a pain, and I think this whole system dates back to the design of the software itself. It would make much more sense to whip up a crude client, for testing purposes, that could do little more than display cards. When used from a root account, the client has access to all the cards.
The other possibility is that the special display client exists on the server itself. I believe this is less likely, simply because it would have been less convenient in the testing phase and more complicated to write (due to the network code that would have to be developed).
[/ QUOTE ]
Actually it takes surprisingly little code to handle this.
Having root access to a server, would be even more stupid. And nobody in their right mind would ever allow root access to a server.
Also if this is done properly all actions etc. are held in the game servers memory until the hand is concluded - Once completed, the information is sent to a DB server and written to the database, once that is completed without an error, the game server sends a hand completed ok to the client and initiates the next hand (if for some reason the DB transaction fails, current hand should be voided and all play at the table stop).
That way you are SURE that there is no way, except actually hacking the game server and running a memory scan, for anyone to obtain the current hole cards.
Oh and by game server, I mean a separate process running on the server for each and every table currently open. (so a new table = new process - And table close = process closing).
And adding some code to handle a privileged user being sent all hole cards = trivial and very very easy.
(and if you wanna get real technical about it, all information except the dealt hole cards are written immediately - And on completion of the hand, the hole cards are written + the deck prior to dealing + stub).
|