#106
10-23-2007, 01:32 AM
DoTheMath
Member
 
Join Date: Jul 2006
Location: At my computer
Posts: 61
Re: AP, rigged, etc. #8981.4 - there was no superuser account

There was no superuser account.

Well, at least there didn't have to be one. There are a number of methods by which hole cards theoretically could be read without there needing to be a poker account with superuser abilities. From what I have read here, we haven't seen proof that the suspicious observer account was the account to which the hole card information was transmitted. We just know that the account was logged onto the table as an observer while the suspicious play occurred. It was logged on all that time, but we don't know it was used all the time it was logged on.

Theory 1) There was nothing special about the account. It was just being used by the observer to watch how well POTRIPPER was doing. The hole card information was being obtained by some other means involving inside access to the server.

Theory 2) There was nothing special about the observer account except that POTRIPPER or an accomplice knew its password. The account was merely used to identify which table the POTRIPPER account was playing at. This might account for the two-hand delay before the observer account arrived and POTRIPPER started acting psychic - the observer account was looking at other tables or reading the list of players/tables in the lobby. Once the person using the observer account confirmed POTRIPPER's location he just didn't bother to log off. Once the observer knew which table to scan, he used other system admin software to query a database or the server to get reports of cards dealt.

Theory 3) There was nothing special about the observer account, except its name. The presence of that particular observer at the table acts as a key to unlock the server to allow/cause it to transmit hole card information to some predesignated location.

Theory 4) There was nothing special about the account, but there was something special about the client it was running. Any account could use the special client software if they had it. It was the client software which had the special ability, not the account.

Consider this. The average player uses the same software client to play at a table or observe a table. The server sends information to all the clients at a table. Either
a) The server sends the same information to all clients and the client software picks which hole card information it needs to display - one player's or none, or
b) The server sends almost the same information to all clients. The only difference in what is sent is that player clients get only their own hole cards and observer clients get all players' hole card information but the client displays none of it, or
c) The server sends almost the same information to all clients. The only difference in what is sent is that player clients get their own hole cards and observer clients get no hole card information.
Of these three possibilities, the third is the most likely. It is more secure, and is consistent with what AP says about its software. However, it requires the server to send differential information depending on the status of the connected client. A special piece of client software could indicate a third possible status to the server, which causes the server to send all hole cards to that particular client. This obviously requires that the server be designed with this leak in mind.

In the case of the first two possibilities, there is no need to make any changes to the server code. The data is being transmitted. All it takes is a special version of the client that actually displays the hole card data.

Whichever of these possibilities applies, there is no need to have an account with special abilities. While it would have been more secure to make sure that only special accounts could use the special client, there is no absolute requirement that the client's use be restricted to certain accounts. Tight control of the distribution of the special client software might have been the only security precaution.

Do I really believe there was no superuser account? I don't know. I'm just trying to show that a superuser account may not be required as part of a scheme to read hole cards. There are other possible explanations. I do not claim that the other explanations are more plausible.
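The post's three message-design options (a), (b) and (c) come down to one question: does the server filter hole cards per recipient, or does it trust the client to hide what it should not show? The following is an added example, not code from the post or from any poker site's software, sketching both designs so the difference can be checked mechanically. The table layout, the `Session` record and all account names are constructed for illustration; in particular, the recipient's role and seat come from a server-side session record established at login, not from anything the client claims in its messages (the "third possible status" problem from Theory 4).

```python
"""Per-recipient hole-card filtering for a table-state message.

Added example; the data model and names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Seat:
    account: str
    hole_cards: tuple  # e.g. ("As", "Kd"); constructed sample values


@dataclass
class Table:
    table_id: int
    seats: dict = field(default_factory=dict)  # seat number -> Seat
    board: list = field(default_factory=list)


@dataclass
class Session:
    """Server-side view of one connection. The seat (None for an observer)
    is assigned by the server when the player sits down; the client never
    supplies it, so a modified client cannot promote itself."""
    account: str
    seat: Optional[int]


def state_for_recipient(table: Table, session: Session) -> dict:
    """Option (c) from the post: a distinct message per recipient.
    A seated player receives only their own hole cards; an observer
    receives none. Other players' cards are never serialised at all."""
    seats_view = {}
    for seat_no, seat in table.seats.items():
        entry = {"account": seat.account}
        if session.seat == seat_no and seat.account == session.account:
            entry["hole_cards"] = list(seat.hole_cards)
        seats_view[seat_no] = entry
    return {"table": table.table_id, "board": list(table.board), "seats": seats_view}


def broadcast_everything(table: Table) -> dict:
    """Option (a) from the post: one message for every client with every
    hole card present, leaving display decisions to the client. Anyone
    who controls the client software can read the whole payload."""
    seats_view = {
        seat_no: {"account": seat.account, "hole_cards": list(seat.hole_cards)}
        for seat_no, seat in table.seats.items()
    }
    return {"table": table.table_id, "board": list(table.board), "seats": seats_view}


def leaked_hole_cards(message: dict, session: Session) -> list:
    """Audit check: return (seat, account) pairs whose hole cards appear in a
    message bound for a session that should not be able to see them."""
    return [
        (seat_no, entry["account"])
        for seat_no, entry in message["seats"].items()
        if "hole_cards" in entry and seat_no != session.seat
    ]


def sample_table() -> Table:
    """Constructed two-seat table used for the checks below."""
    t = Table(table_id=1)
    t.seats[1] = Seat("alice", ("As", "Kd"))
    t.seats[2] = Seat("bob", ("7h", "2c"))
    return t


if __name__ == "__main__":
    table = sample_table()
    observer = Session("watcher", None)
    print("filtered:", leaked_hole_cards(state_for_recipient(table, observer), observer))
    print("broadcast:", leaked_hole_cards(broadcast_everything(table), observer))
```

Running `leaked_hole_cards` over every outgoing message for every session is the kind of invariant a server-side test suite can enforce: with per-recipient filtering it returns an empty list for all recipients, while the broadcast design reports every other seat's cards to an observer, which is exactly the exposure options (a) and (b) leave to the honesty of the client.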