Absolute Soulreading/Rigged thread #3

[suzzer99]

[ QUOTE ]
teddy,

I've read these threads for the past several days and I'm posting for the first time. I work as an internet security consultant. I also play quite of bit of poker online, but not at absolute.

From what I've seen so far, this smells of an inside job. This seems eerily similar to the Breeders cup scandal of 2002:
http://espn.go.com/horse/news/2002/1120/1463562.html

The problem here almost certainly is a rogue inside guy with intimate knowledge of the backend server software and access to hole card data in real time. How someone is able to get that information during a live hand could only be done through multiple failures at different levels at absolute.

From a software design standpoint, any poker site should go to great lengths to ensure that the hole card data can only be seen by the person playing the hand. There should be no feature on the server software to allow any human to view hole cards until the hand is over. After the hand is over, it can be written to the HH logs. There is simply no reason to have any "superuser" account in production that can see other hole cards, nor should there be any way for even the administrators of the servers or the software to even view this information. However, all the evidence provided here so far indicates that there is some back door like this at absolute that has been used in production.

It seems clear to me that there is likely a breakdown here in the Absolute organization where software security controls were not followed. Usually this happens when organizations get sloppy. Is it a coincidence that many of the hand history files are corrupt when coming from Absolute? Is it a coincidence that the security team has trouble figuring out if two players even played together?

I think not.

From the information available so far, it seems that management is not intentionally trying to use “god mode” to steal money at high stakes tables. That would be crazy. But, there is probably one or two inside guys that know more about the system than anyone else that they should be looking at. From your synopsis of their security department, this might take some time for them to figure out what really happened. This is especially true since the people that actually used the information had no clue how to hide their tracks.

[/ QUOTE ]

Great post K9. What do you think of the possibility of some kind of network sniffer onsite or near the site, and then broken encryption in the hole-card data going to the clients? I mean hole cards are such a tiny bit of data, if you don't purposely add a bunch of random noise. Maybe they just watched the line long enough to figure out the encrypted signature of every different combination of hole cards. Maybe the inside dudes actually work at Absolute's Costa Rican ISP. Hmmmm....

[adanthar]

[ QUOTE ]
Adanthar, if I PM you my e-mail address, can you send me these hand histories? I would be interested in computing various other statistics on the data. Or do I need to contact ikestoys and/or others?

[/ QUOTE ]

Yes

[suzzer99]

Btw I proved to myself that I could rig the online fan voting for the first Contender (boxing reality show), by bumping Jonathan Reid from 1% of the vote to 4% in like an hour. Real tough. Just wrote a script to vote, delete cookie, repeat.

But I stopped short of affecting anyone's actual payday. There was some obvious rigging going on as the two crappiest fighters no one liked jumped way into the lead overnight one night and stayed there. Annoying too since $100Ks of prize money was potentially at stake for these guys if they can fight in the top fan fight.

Anyway the point is, I was shocked Yahoo and NBC let this happen, when it was obvious cheating to anyone watching closely. There's so little quality control in most programming jobs. It's really pathetic.

[goofyballer]

Haha, I tried to help rig the "Dancing with the Rochester Stars" competition for 2+2er epdaws, who was a contestant on the show, but sadly since this was not as wide-scale as The Contender, the thousands of votes coming from the same IP were a little easier for them to notice. [img]/images/graemlins/mad.gif[/img]

[Deuce2High]

Seif is playing the absolute 1k right now but he has chat turned off.

[suzzer99]

[ QUOTE ]
Haha, I tried to help rig the "Dancing with the Rochester Stars" competition for 2+2er epdaws, who was a contestant on the show, but sadly since this was not as wide-scale as The Contender, the thousands of votes coming from the same IP were a little easier for them to notice. [img]/images/graemlins/mad.gif[/img]

[/ QUOTE ]

They noticed at Yahoo. Or they could have if they just looked at any logs. They just didn't care.

But Dancing with the Rochester Stars sounds pretty awesome. My old roommate was from Rochester. He didn't paint a pretty picture.

[K9s00ted]

It only makes sense that security department has some tool to view the hole cards for all the players. It also makes sense that the programmers at least have a tool to use when initially developing and debugging to view the hole cards of a hand in progress.

However, I can see no reason why any human needs to be able to see this information in real time in production. The poker site needs to have the controls in place to make sure these tools/ backdoors never sneak their way into production. Management needs to make these procedures are always followed.

[Redgrape]

[ QUOTE ]
An explanation for non-poker players:

Across the world, hundreds of thousands of people often take part in games of online poker. These games are typically run by a variety of businesses - businesses that make a long-term profit because of the safety, security and reliability of their games.

Recently, one operator, called "Absolute Poker" appears to have been allowing cheating to take place on their site. In short, it appears that certain player accounts are able to view the supposedly hidden cards of other players. In a game of poker it is impossible to beat someone who knows with 100% accuracy what cards you have!

In Texas Hold'em poker, the most popular form of poker, each player is dealt two cards. These two cards are then combined with community cards to form the best five card poker hand for each player. The best two cards to be dealt are two aces - often called "pocket aces." This is closely followed in strength by a pair of kings, a pair of queens, and so on.

Playing in a recent tournament, the cheaters NEVER made a bet when any of their opponents had pocket kings, pocket aces or pocket queens. This would not be unusual - except that they made a bet on almost every other hand. In other words, they are playing every hand, except when their opponents have one of the strongest possible hands, and they have no possible way to know it (there are no relevant physical "tells" or signs in online poker compared to playing in person).

Due to the way that Texas Hold'em is played, there are a series of rounds of betting on each hand. There is betting when the first two (hidden) cards are dealt, and then after three of the community cards are dealt, and then after the next community card, and then after the fifth and final community card. The cheater's betting patterns on each round are only explainable by someone who can see other players' cards.

For example, on the last round of betting, when all the cards are dealt, one hand is always going to be better than the other player's (sometimes they are tied and are the same, but this is irrelevant here). The players who are cheating always managed to make the right decision at the end. If the opponent's hand was worse, the cheaters would bet or raise. If the cheaters' hand was worse, the cheaters would either fold, or sometimes make a big bluff. Not once did the cheaters call - because if you know what your opponents' cards are, you would never need to call.

Much of the data has been collected and analysed using a computer program called PokerTracker, which is used by many professional poker players across the world. This program records games of poker, and calculates statistics on how players play. Hundreds of hands were analysed, and this analysis revealed:

I can't explain the PT stuff well. If someone else can, this might be a good addition..

[/ QUOTE ]

This is close to perfect!

[g-p]

just had a +33k session on absolute without anyone dumping to me!!! i think, at least

[K9s00ted]

[ QUOTE ]
[ QUOTE ]
teddy,

I've read these threads for the past several days and I'm posting for the first time. I work as an internet security consultant. I also play quite of bit of poker online, but not at absolute.

From what I've seen so far, this smells of an inside job. This seems eerily similar to the Breeders cup scandal of 2002:
http://espn.go.com/horse/news/2002/1120/1463562.html

The problem here almost certainly is a rogue inside guy with intimate knowledge of the backend server software and access to hole card data in real time. How someone is able to get that information during a live hand could only be done through multiple failures at different levels at absolute.

From a software design standpoint, any poker site should go to great lengths to ensure that the hole card data can only be seen by the person playing the hand. There should be no feature on the server software to allow any human to view hole cards until the hand is over. After the hand is over, it can be written to the HH logs. There is simply no reason to have any "superuser" account in production that can see other hole cards, nor should there be any way for even the administrators of the servers or the software to even view this information. However, all the evidence provided here so far indicates that there is some back door like this at absolute that has been used in production.

It seems clear to me that there is likely a breakdown here in the Absolute organization where software security controls were not followed. Usually this happens when organizations get sloppy. Is it a coincidence that many of the hand history files are corrupt when coming from Absolute? Is it a coincidence that the security team has trouble figuring out if two players even played together?

I think not.

From the information available so far, it seems that management is not intentionally trying to use “god mode” to steal money at high stakes tables. That would be crazy. But, there is probably one or two inside guys that know more about the system than anyone else that they should be looking at. From your synopsis of their security department, this might take some time for them to figure out what really happened. This is especially true since the people that actually used the information had no clue how to hide their tracks.

[/ QUOTE ]

Great post K9. What do you think of the possibility of some kind of network sniffer onsite or near the site, and then broken encryption in the hole-card data going to the clients? I mean hole cards are such a tiny bit of data, if you don't purposely add a bunch of random noise. Maybe they just watched the line long enough to figure out the encrypted signature of every different combination of hole cards. Maybe the inside dudes actually work at Absolute's Costa Rican ISP. Hmmmm....

[/ QUOTE ]

suzzer,
I've done a lot of network sniffing for all sorts of troubleshooting. It is a useful tool to have. But, if Absolute has implemented their end to end security correctly, network sniffing would not likely lead anywhere. Even if you had the private certs and could decrypt the communication, you would likely only be able to see data sent to an individual player, not the entire table. This route is just too complicated to ever pull off. The same argument goes for all the talk about client PCs being infected with some sort of trojan. Think simple. Only the central server software knows all the hole cards. How did it get out? Absolute or an independant auditor could track down the real story if they just follow the money of the known cheats.