Bots in PartyPoker's 6-max Limit games?

[RayBornert]

[ QUOTE ]
[ QUOTE ]


the truth is that 4 security holes were created
when the live game moved to the internet
1) the muck is no longer guaranteed to be forgotten
2) sites do not prove their deck selection is random
3) players cannot physically see other players (nor the site)
4) cant prove that the server isn't colluding with a player

the reason i knew this early is because one of my first
assignments in the gaming industry was to find all of the
security holes in the online game and address them with a
view toward applying for certification for an internet server
platform within the state of nevada.

what i learned was that the ngc does not care how popular
a game is or even what the players or the house really
want. all they care about is whether or not the game is
physically secure and whether or not they are able to
physically police and measure all aspects of the game in
question.

[/ QUOTE ]

1) the muck. Deliver hole cards to each player encrypted so that noone aside form each player knows what their cards are not even the server, the server only records the hole cards in the event of a SD. It can't be that hard to make a deck that the server effectively shuffles "face down" so that the rank/suit of the "card" remains fixed and unchangeable but cannot be read by the server that deals it.

Setup a dealing system whereby once the hand is dealt the remaining cards are wiped from the system - provably so.

2) sites could very easily prove that the decks they deal are randomly chosen - say we have 100 possible decks that are randomly shuffled using the present RNG methods (which are independantly sampled and proved to be random by independant testers) just pick one of those 100 decks at random using similar randomising technology - you could get each player to "choose" a deck in turn but this would slow the games down and generate less rake...

3) webcams - each player at a site is sent a webcam/indentity device when they sign up (this tech is very inexpensive and was several years ago) - you could go so far as to have a thumbprint scanner built into each cam so that when a player logged on they cannot do so without providing a thumbscan before they can play - players could be required to visible on camera at all times during play.

[ QUOTE ]
t's
impossible to both secure the players card info on
the internet and prove that the server is not colluding
with a player. it turns out that the internet makes
it impossible to do both. if you turn off the encryption
then you can prove that the house is not colluding with
a player but then the players card info is at risk. if
you secure the card info then you cant sniff the traffic
to prove the server didnt collude with a player.

[/ QUOTE ]

4) only the hole cards need encryption during transit to the players computer. If the server is blind to what cards it is dealing in any case how CAN it collude?

The pot is only shipped after the SD (or all but one player folds) it would be a simple matter to check whether the server has colluded with a player after the completion of the hand but before the pot is shipped.

Consider the PGP encryption technique.

for every message thats encrypted 2 keys are used a public and private key. What if the shuffler shuffled the deck (which was chosen at random using a verifiable method) - after each card is individually encrypted once for every player (say there are 6 players then it makes 6 copies of each card using each players public key, which are then locked together as one unit) each unit of cards is dealt to each player in turn so you have 6 K[img]/images/graemlins/spade.gif[/img] that all got encrypted using each players seperate public key dealt as one unit. Each player upon receiving their card tried to decrypt each card but obviously the key they have only unlocks one of them (as they are all the same it doesn't matter - the 5 other copies get discarded) provided that the cards are encrypted before the deck is shuffled the server traffic can be transmitted in plaintext and sniffed to stop any collusion between server and client. The server cannot possibly tell which cards it has dealt to whom. It doesn't need to know players hole cards until such time as they are shown down. A copy of each individuals hh can then be encrypted on each players machine and sent back to an archive server which holds each hh for a set period of time (but which cannot be accessed unless required) so that if any players are suspected of colluding between themselves somehow the records can be pulled and the complete hh rebuilt for any given hand to prove collusion one way or another

Provided the keys you are using have enough bits they are impossible to crack in any reasonable timeframe - and even if you knew another players key it wouldn't do any good as you cannot derive the private key that each player holds from the public key - you can tell if the server is sending card info to the wrong players as the server traffic is totally unencrypted and sniffable - once hole cards are dealt the rest of the deck is decrypted to deal community cards - once the board cards are dealt the remaining cards can be verifiably destroyed.

PGP technology has been around much longer than online poker has...

I might be wrong here (I'm sure you'll correct me if I am) but think I've just solved your four "insolvable" problems without spending a lot of money on research - security holes fixed - now you can stop breaking sites T&C's on some crazy whim we can all play on a level playing field and everyones happy - or is there something I've missed?

[/ QUOTE ]

matrix,

1) i'm not sure you understand the muck issue

poker servers are responsible for dispensing the hidden
card info to each player and that information must come
from somewhere. the function is similar to a dealer;
the issue isn't whether or not there can be encryption
between server and client; the issue is that if the
server has complete knowledge of the deck (much the way
a live dealer does not) then that knowledge can be
remembered after the hand is finished; this is called
server side hand history; in a live casino the information
is guaranteed to be forgotten (the exception being the
camera tables now in existance); but in the current online
servers the information is preserved/remembered; this means
that it's possible for a site operator to make the info
available to some (after the hand is over) and not others;
(and that would be cheating)
e.g. the site we play on could be sending you all of the
server side hh's and i'd never know it. it's not possible
for a site operator to prove that his server erased the
muck as opposed to storing it in a database for later use.
if the operator claims to do that or claims to not share
the info then you're required to just "trust" him; this is
called a "good faith" security requirement - also known
as a security hole. bottom line is that you must publish
the muck to eliminate the "good faith" security requirement.
(*note that this is not an issue for the live b&m game
because the deck is never known by any one person)

2) random decks

it is possible to prove that the deck is random. the live
digital platform can guarantee this; however, online game
servers do not provide this feature; they currently just
do random server side shuffling and ask you to "trust" that
they did not select the deck.

bottom line is that player determined shuffling is possible
but we know of no site that does it. therefore it's still
a "good faith" security issue.

3) cant see players

your webcam is an understandable attempt to visibly police
players; you might as well install an anal probe while
you're at it; this is not a workable solution; you have a
better chance at a successful honest-holdem style site than
getting everyone to agree to a big-brother style camera in
their home. this is the point where i say that i'd quit
online poker if i were forced to use a web-cam. my privacy
trumps your need to have physical policing.

4) cant prove the server isn't colluding with a player

(matrix the issue is not if encryption works the issue
is that it does work)

dude. if the connection is encrypted then it's not possible
to sniff the information traveling to the player and that
means that it's possible for the server to cheat with one
of the players by sending them a privileged piece of info
(like the entire deck that's being used this hand)
the purpose of an encrypted channel is to gain a private
conversation between 2 parties and if the conversation
between the server and client is totally secure then the
server can tell the client anything it wants including the
next 100 decks to be dealt. you can defeat this if an
non-encrypted channel is used (this is what live digital
does) but that puts player card info at risk in the context
of the internet in that somebody might be able to sniff
the traffic and learn our cards. live digital doesn't have
this problem because the internet is not involved; live
digital happens on a closed lan.

the honest holdem t&c plugs holes 1-3 but not 4
hole 4 is an unsolvable problem on the internet.

the live digital platform plugs all 4 holes.
(because the internet is not involved)

the current internet servers dont plug any of the 4 holes
(they could plug 1-3 but they dont
nobody can plug hole 4 on the internet)

ray

[RayBornert]

[ QUOTE ]
yeah, I'm even more confuse by his attempt at logic now.

Even though I disagree with him at least his arguments were just bad and defensive.
Now they just seem to be completely non-sensical.


"You can't prove that you haven't cheated therefore you are guilty until proven innocent therefore it's okay to use a bot."

[/ QUOTE ]

micro,

when it comes to getting certification for a game
everyone is guilty until presumed innocent.
i know that seems foreign especially here in america
where everyone is innocent until proven guilty.

but when it comes to getting certification for a game
server you bear the burden to prove that the players
are innocent and that the site operator is innocent.
if you cant provide proof then the game cant be
certified.

there cannot be any aspect of the game where the best
answer we can give is
"well you're just going to have to trust me on that one"
the gaming control board will laugh at you.

i totally understand that the online game is acceptable
to you guys; but that's not the basis by which a serious
gaming jurisdiction decides to certify and police a game.

this doesn't mean that the online game is going away.
it just means that it will never be certified in the
united states. i.e. you're never going to see the day
when a las vegas casino can open a holdem site on the
internet.

live digital maybe.
online never.

ray

[D0nB]

go screw yourself you [censored] douchebag!

[RayBornert]

[ QUOTE ]
go screw yourself you [censored] douchebag!

[/ QUOTE ]

is that the best reply you have?
refute what i'm saying or admit that it's true.
but dont tilt man.

ray

[Theodore Donald Kiravatsos]

[ QUOTE ]

5th,

your moral high ground is not as high as you think it is.
you have no way to prove that you do not:
track, bot or team.

just because i'm not accusing you doesn't mean you've not
done these things or that you would not or could not. any
claims on your part are just claims and i have no recourse
other than to just "trust" you.

in online holdem,
you're guilty until proven innocent.

ray

[/ QUOTE ]

After reading your posts and giving them careful consideration, I have decided that even your BS is BS. There are tobacco lawyers less morally bankrupt than you.

You seem like the sort who would conjure up some circular logic to tell yourself it was it was OK to keep a wallet you "found"...in someone's pants pocket...with someone in the pants...who was standing up to sing a hymn in church...

[Mr Rick]

[ QUOTE ]

1) the muck is no longer guaranteed to be forgotten
2) sites do not prove their deck selection is random
3) players cannot physically see other players (nor the site)
4) cant prove that the server isn't colluding with a player

[/ QUOTE ]

As a computer programmer and software manager for over 20 years I disagree with the conclusion that points 1,2, and 4 are unsolvable on the internet.

Software can be verified and "branded" for want of a better word. The verification consists of a line by line code review of all software code and build processing pseudo-code. The executable that is running can be examined for this "brand" to see that the already verified software has not been modified. Access of the running programs and the host operating system would have to be made available to the certifying agency on a 24/7 basis (so they could continuously verify that the running software is indeed the certified software). The verification of the software would have showed that inside of the encrypted messages sent to players the program was not shipping anything extraneous to the game, that it was using randomly generated cards, and that the muck was indeed being discarded. This would be very expensive of course and make upgrades prohibitively expensive as well.

Point 3 is of course not solvable even with cameras and microphones - though I agree that the introduction of cameras alone would be untenable to almost all internet players. Collusion could still occur with 2 or more players in the same room out of each others' camera sightlines. As for bot recognition, the "bots" themselves would eventually be actual robots sitting at the terminals looking exactly like humans - thus necessitating the anal probes.

But - here is what I don't get. Even at casinos who can see all players at the table, collusion can occur and it is actually more difficult to detect than on-line because of the lack of hole card data. In a world championship bridge tournament scandal in the late 1960s or early 1970s the Italian team (I believe) signaled suit preference for leads by looking in a particular direction when it was time for their partners to lead a card. In poker it would be similarly easy to get a "partner" to bet or raise by looking in a particular direction or by making innocuous hand signals as the MIT "Bringing Down the House" crew did. Similarly, hole card data could be requested and then transmitted.

And why is item 4 not a live issue as well? Dealer collusion with players is very hard to detect. And is likely to be caught only in retrospect after viewing film if at all. Similarly, a dealer could (with lots of practice) "gravitate" a single card to an individual player assuming that auto-shufflers are not being used - which goes to point number 2 as well.

[Theodore Donald Kiravatsos]

[ QUOTE ]

I wonder if Party isn't reactive rather than proactive in a lot of these situations. They'll take action someone points something out to them, but otherwise they really don't care.

[/ QUOTE ]

Okay, I just spent 20 minutes using the search function, and wasn't resourceful enough to find the thread I wanted. I gave up trying to find it.

However, the post that came to mind about Party being reactive as opposed to proactive happened when a guy hooked up a bunch of bots to occupy every seat in a ring game and just fold every hand...

no rake was being collected because...
(almost) no flops were seen, HOWEVER

The bots were all colluding with each other and communicating information about their hole cards, and they would take a flop only when the distribution of hole cards was such that the odds on the flop sidebet were favorable for the players. Because they were all bots, they were playing 600 hands an hour, folding nearly every flop.

Remember the side bet in the ring games? It seems that, rather than get rid of the bots, Party took the sidebet option away from the players so as not to get burned on this prop.

To me, Party's move was a very telling (re)action, and this was a step taken to protect themselves rather than to protect the players. It seems it was easier to kill the sidebet rather than hunt down the bots. As far as I know, the sidebet option is still available in tournaments and SNGs, where you can't stack the table with a bunch of your dumb buddies or your colluding robot army.

"Your excuses are your own" -- Richard Roma

[RayBornert]

[ QUOTE ]
[ QUOTE ]
[ QUOTE ]

I want to stop bots.

I am trying to think of ways that regular players can help to do this because it seems unlikely to me that the poker sites will be proactive in doing it, mostly because of the reasons you just said.


[/ QUOTE ]

Initiate table chat with anyone with 2+2-like stats. If they consistently do not respond with intelligent conversation, they are most likely a bot.

This would require 2+2 custom to be to respond to table chat on occasion.

[/ QUOTE ]

I agree with the above posts and I have found this entire thread scintillating. I am fairly new to on-line poker (year and a half) and was in the process of trying to make this my means of support when the internet ban hit. My poker mentor suggested that I log on to the 2+2 forum and I recently have (hence my Post total is low). I was about to try to go to FullTilt to continue my play at the $5/$10 level... I am now in somewhat of a quandry because of what I now believe is the proliferation of bots and I have a reluctance to go there. I should also say that I was in the computer industry for 20 years up until 2005 as a programmer, consultant, and then software project manager - with a degree in computer science.

Until today I was convinced that on-line sites had a vested interest in keeping bots out - because of the potential loss of non-bot players. However, in addition to the very persuasive rake profit argument, it may well be that a complete loss of non-bot players might not actually matter to the sites if it were to happen at a time when there were many different bots playing freely. Some bot programmers and configuration experts might find it wothwhile to continue playing against other "loser" bots. Note that now, human losers outnumber human winners by a wide margin so maybe we would have more loser bots than winner bots but, the loser bot owners may keep trying to improve their "entries".

OK to the conversation. The reality of this situation is that bots will always be a threat. Because there are hackers who will do anything regardless of right and wrong - and because there is a huge monetary incentive.

Ideas to combat bots:
1) Identify potential bot players and their corollary statistics and publish as you have already done. This should start a collaborative effort to get a complete list on all sites based on the statistical and timing signature of the potential bots.
2) Think video/computer games. Understand their algorithms, and find their weaknesses. This may require private collaboration (i.e., get trusted bot haters and send private e-mails, because public posts would be easy to spot by bot owners and would eliminate financial punishment). Though I think it would be much easier to post like you have been doing. Collectively I think there is tremendous wisdom here.
3) When you have a winning algorithm, make sure there are enough of you (us) to punish them hard. The play should begin at roughly the same time so the punishment will be extreme.
4) If HU or 3-way is the best way to beat them - then alert other innocent human players via on-line chat that a bot is playing at the table (and name the bot) and that should incent the humans to leave. Then destroy the bots.
5) When implementing counter offensive strategies, we must be vigilant not to play 2 or more of us at the same table - even if we are not consciously colluding. Because we will know the proper "bot" counter strategy and we may be able to infer the other 2+2ers cards by their betting. Then we would be no better than the bot owners.
6) if a counter strategy cannot be formulated or cannot bring the bots to their knees (i.e., force their removal by their owners), then ask support of all 2+2ers to "out" them on-line via chat - at every possible opportunity. Most other human players will leave the tables immediately and the 2+2er can just sit out. The sites themselves will be devestated by the loss of games. They may try to stop our chats - but if they did that, I would assume that the internet forums would explode with posts and backlash at that site would be crippling. Eventually sites would see that in the current 2006/2007 timeframe, they will lose all of their business if they don't start acting proactively. Part of this strategy may be to alert the sites of the bot player names as well - so that they will stop the bot players ASAP. Within a very few incidents, I predict that sites will start acting very very proactively.
7) I like "2)" through "5)" above because it could disincent bot owners financially. However, it may be immoral, in that while a strategy is being formulated we are knowingly allowing a cheater to prosper at the expense of fellow poker players. And of course, in the time it takes to come up with a strategy, the bots could earn more than we could take from them when our counter strategy is implemented. So it may make sense to jump to "6)" as soon as we have fairly conclusive evidence of bot playing.

*** alternate and not mutually exclusive solution ***

7) Create a not for profit Poker Site with virtually no rake – run or at least designed by 2+2’ers whose sole purpose is to provide a botless game. Note that the “Rake” incentive that Ray keeps insisting on won’t be there for the site. And it would be a fun challenge to keep ahead of the bots. The site could publish its anti-bot commitment and a tally of bot types and users that had been banished. Freerolls could include all confiscated bot moneys.
7+) It might be something famous poker players would sponsor.
7++)Perhaps some of the rake would be used to counter the US on-line anti-poker legislation. Or even provide a legal way for US players to continue playing [I realize this is off the original track...]
8) Also create a bot freindly poker site - possibly for profit - that welcomes and encourages bot playing. It would be interesting to see the debate on whether hole card sharing should be disallowed... Since it is hard to effectively police, maybe it is more efficient to allow it. Perhaps, with a legal and ethical alternative many bot owners wouldn't even try to invade non-bot sites (or at least the 2+2 non-bot site).

******* Other observation *******

Ray Bornert is providing us with extraordinary insight into the bot world. I for one am grateful for his perserverence on this thread. Why are we not treating him like we would a fish (no offense meant Ray)? I would never insult a fish, lest he go away. We should be thanking Ray for playing with us, whatever we may think of him.

[/ QUOTE ]

rick,

i'd definitely deposit and play at honest holdem
mostly because the thing i want most is to play at a site
where it's impossible for the operator to wrongfully accuse me.

ray

[Evigt_Drabbad]

bots are back at party!

[Beastmaster]

Ray-
How widespread is it at FT / ABS / Stars / WSEX / UB?
What limits