Thread: Absolute Poker Scandal: An Inside Job
View Single Post
  #41  
Old 10-16-2007, 10:14 AM
ChrisV ChrisV is offline
Senior Member
  
Join Date: Jul 2004
Location: Adelaide, Australia
Posts: 5,104
Default Re: Absolute Poker Scandal: An Inside Job
[ QUOTE ]
Can someone comment on the actual likelihood of an account that was created SO early in the Absolute alpha-testing process (so early as to be account ID 363) CONTINUING to possess "superuser" capabilities over the course of nearly 8 or 10 years (what with all the various software upgrades / fixes, etc)?

It's not that I'm not 100% convinced with all the evidence that we've collected to date. It's just that nearly every explanation given to this point starts with the premise that there's an account that was created VERY early on in the game that has hole-card viewing capability. It's possible that it's the original creator of that account who is a rogue programmer, but more likely that the real rogue guy is a more recently-employed programmer who just "discovered" this older superuser testing account (otherwise we'd have to believe that the original rogue programmer just "sat on" the superuser account for nearly 8 years before exploiting it). But can some systems-admin guys comment on the just how realistic an assumption it is that a testing account that was created 8 whole years ago, when the Absolute software looked and functioned very, very differently than it does now would CONTINUE to "work" through all the various upgrades, patches, software overhauls, etc, that have happened since Absolute's inception?

[/ QUOTE ]

I worked as a software developer for a few years. If we assume that in the user database there is a flag to mark someone as a superuser, that would definitely still be there. But it seems odd that the code activating it would still be in the system. The possibilities seem to me to be:

- The Absolute development team was extremely slack and lazy and the codebase is a mess. This is perfectly possible.

- The superuser ability is still active for various testing and diagnostic capabilities. That would be a huge breach of security, but is also possible.

- If we go with the "rogue programmer" theory, what would normally be done with this type of code is that it would be active in a debug build of the software and not a release build. What happens is that scattered through the code are declarations like this:

#if DEBUG
(debug-only code goes here)
#endif

The code in between is compiled only in debug builds. If there was a rogue programmer looking to exploit Absolute, he could simply remove the #if/#endif statements and check the code back in. When the release build was compiled, the code would be there as normal.

This is all speculation of course and I have no idea which option is correct.

Edit: Regarding the code still being there through patches, upgrades etc, there's nothing mysterious about that. If the developers find an account like this useful for testing initially, they are going to continue to find it useful for testing patches etc.