AP, rigged, etc. #8981.4 - the plot thickens

[TheMuppet]

[ QUOTE ]
[ QUOTE ]
"That decision stands, and no such software has ever been developed in PokerStars software to view hole cards live in real time."

This is BS. You don't need any special software at all, the client is fully capable of displaying the hole cards, if the server sends it to the client.

[/ QUOTE ]
It is special software in the sense that it has to tell the server to send it all of the hole card data. If all you needed to do was log on to the regular client with a special ID to get all the hole card info, well, that would be monumentally stupid. Like Absolutely stupid.

Their claim seems legit if they have never created such a custom client or allowed for that kind of superuser ID.

[/ QUOTE ]

There is no need for the client to tell the server anything. All that is need is for the game server to have the capabilities, and for the user to have the privilege.

If you logon with a user that has the privilege. The hole cards are sent (and your are properly not allowed to sit down).

Everything is handled on the game server. Nothing need to be done on the client.

Now I would never ever in a million years build a poker game server that could do that. But, to my dismay and surprise, fellow software developers I have talk to about this, firmly believe that it is essential to have such a feature built in. And they don't see it as a problem at all.

So yeah, it is galaticly stupid to have such a feature. But this doesn't prevent people from actually building systems with such features.

And given the current state of on-line gambling (oversight, regulation etc), coupled with the fact that intelligent well educated software developers would do this. I find it more than plausible this is what has happened.

Oh and last but not least, I have first hand experience with trading systems, that work in exactly this way (and this was a very well regulated system, trading billions worth of commodities every day).

[teddyFBI]

[ QUOTE ]
Just for the sake of piling on, Absolute ripped off PokerStars' sounds sometime between August and October of 2005. I know because I was shown this. Scott Tom was laughing.

-Michael

[/ QUOTE ]

Michael: as one of the few people who have actually met Scott and some other high-level AP people (perhaps the only one on this forum), I feel like you have a ton of info and/or stories to tell us. Can you think about perhaps making a long post explaining to us how you came to know Scott and spend time at the AP offices, and any other relevant info that outs this guy for the scumbag he appears to be?

You seem to drop in on the threads every couple of days with an interesting story to tell...

[Weevil99]

[ QUOTE ]

Quote:
This is a special client. The server might be cooperating with it (possible, but not likely), or the special client might simply pluck the hole card data from wherever it is stored on the server.



The server in this instance would most definately be cooperating, in so much as verifying the clients authentication to recieve the data.

Otherwise, any Tom, Dick, or Harry could write their own customized client to retrieve the data. This doesn't happen because the server doesn't allow unauthorized access.

In the original example from your quote, the server is cooperating by allowing it...etc.

[/ QUOTE ]

I was referring to the poker server software. The poker server doesn't have to have special code to cooperate with a superuser client. I would consider it a fairly serious vulnerability if it did. The superuser client merely has to have elevated privileges that the operating system on the server honors.

I believe what we're looking at is a superuser (or root) account using a special client (a client for the operating system, not the poker server) designed to pluck hole card data from server storage and display it to the superuser at the remote end.

Obviously, if you have root access, you don't need the special client. You can just poke around and grep hole card data in a shell. But that would be a pain, and I think this whole system dates back to the design of the software itself. It would make much more sense to whip up a crude client, for testing purposes, that could do little more than display cards. When used from a root account, the client has access to all the cards.

The other possibility is that the special display client exists on the server itself. I believe this is less likely, simply because it would have been less convenient in the testing phase and more complicated to write (due to the network code that would have to be developed).

[wax head]

Not sure if this has been posted, forgive me if it has. But this story made Australian IT news today: Poker boss accused of cheating

Just FYI.

[vbm]

[ QUOTE ]
[ QUOTE ]
They don't write the hand to the log server until the hand is completed.
...
Someone with real time access to the log server should be able to see hole cards as they are dealt.
So...

[/ QUOTE ]

You're logic is flawed.

[/ QUOTE ]

as is your english

[MoeJ]

Hm, I found an article dating from 2005: http://www.flopturnriver.com/content...s-837.php#1887

I don't know if it's been posted, but it's kind of amusing:

NICE, France--(BUSINESS WIRE)--Nov. 7, 2005--iovation, the first online fraud detection solution that tracks the reputation of devices, announced it is providing fraud management solutions to leading online gaming sites worldwide -- effectively minimizing their risk of fraud and increasing the value of their operations. iovation inc. has signed Absolute Poker, Bodog, PointBet and Nine.com -- four progressive online gambling Web sites -- each with millions of transactions a year.

Increased competition, growing M&A activity, and a focus on operational excellence have all elevated the importance of fraud prevention in the market. Developed to address industries with a high-volume of online transactions, iovation's ieSnare(TM) system is a back-end fraud protection system that matches distinct device-identifiers to online accounts. A database matching system, called the Device Reputation Authority(TM) (DRA), links devices and accounts allowing merchants to identify and flag fraudsters without revealing personal information.

"Every dollar of fraud has a direct relationship to valuation," said Greg Pierson, president and CEO of iovation. "As the gaming industry capitalizes on consumer enthusiasm, iovation is decreasing fraud and increasing our value to existing and future clients through the growth of the DRA."

Once these devices are identified, forensic analysis can be shared with all organizational networks protected by ieSnare. This allows subscribed networks to make business decisions about individual connections, and allow, limit, or prevent access based on the reputation of the devices involved.

Absolute Poker

A stallion of online poker, Absolute Poker, chose iovation to help enrich its current offering to players and to provide them with a safer place to play poker. While Absolute Poker has successfully managed fraud and client account security with effective tools that are currently in place, they believe that iovation's product will act as an even stronger complement to its existing practices. "While fraudsters continue to evolve and devise new ways to exploit our competitors, it is our belief that by continuously improving our 'fraud tool kit' that we can provide the safest place to play poker online," said Brent Beckley, director of client services at Absolute Poker.

Bodog

In a highly-competitive market, Bodog, an online gambling Web site, realized that the way to achieve competitive advantage was to heighten the confidence-level to its existing and future players. Bodog selected the ieSnare system that not only provided a safe environment for players, but reduced its chargeback rates and allowed Bodog to expand its operations while keeping costs down.

"We now have the ability to grow our company while not having to increase head count. We can manage fraud with ieSnare with ease," said Pilar Catala, director of eCommerce at Bodog.

PointBet

When Asian sportsbook PointBet signed with iovation to expand its business, PointBet owner, Mr. Ong Ongko Wiyono, was successful at growing his business through mail-in deposits. However, now he realizes he needs to accept credit cards to expand his business further. "I have been hesitant to accept credit cards for fear of large fraud losses," Wiyono said. "With iovation I am a step ahead with fraudster information shared by other online gaming companies, and I can contribute to the DRA with research from our site."

Nine.com

Nine.com, an 8-year-old Costa Rica-based online sportsbook, casino and poker Web site, was invited to view an iovation demo while in Costa Rica. Nine.com is presently using Las Vegas From Home's poker software, protected by the ieSnare system, and wanted to expand its fraud protection across its other networks. With many years of experience in the gaming industry, Nine.com, and its sister companies Betcom.com and Mybookie.com, decided to extend its security to the sportsbook and the casino channels. "We wanted to provide a safe environment for our other popular sites," said AJ Green, VP of operations at Nine.com. "iovation has a proven record of decreasing fraud and stopping crime rings from forming and coming back resulting in a much more secure environment for ourselves and our clients"

About iovation

iovation, based in Portland, Oregon, develops fraud-management systems for companies besieged by significant online fraud issues, particularly stolen credit cards, chargebacks and cyber-crime rings. The company has pioneered a unique online fraud-detection technology that links users and their accounts with physical devices, and shares the reputation of those devices with other subscribers. iovation currently manages the reputation of more than 2 million devices in the gaming industry.

[TheMuppet]

[ QUOTE ]
[ QUOTE ]

Quote:
This is a special client. The server might be cooperating with it (possible, but not likely), or the special client might simply pluck the hole card data from wherever it is stored on the server.



The server in this instance would most definately be cooperating, in so much as verifying the clients authentication to recieve the data.

Otherwise, any Tom, Dick, or Harry could write their own customized client to retrieve the data. This doesn't happen because the server doesn't allow unauthorized access.

In the original example from your quote, the server is cooperating by allowing it...etc.

[/ QUOTE ]

I was referring to the poker server software. The poker server doesn't have to have special code to cooperate with a superuser client. I would consider it a fairly serious vulnerability if it did. The superuser client merely has to have elevated privileges that the operating system on the server honors.

I believe what we're looking at is a superuser (or root) account using a special client (a client for the operating system, not the poker server) designed to pluck hole card data from server storage and display it to the superuser at the remote end.

Obviously, if you have root access, you don't need the special client. You can just poke around and grep hole card data in a shell. But that would be a pain, and I think this whole system dates back to the design of the software itself. It would make much more sense to whip up a crude client, for testing purposes, that could do little more than display cards. When used from a root account, the client has access to all the cards.

The other possibility is that the special display client exists on the server itself. I believe this is less likely, simply because it would have been less convenient in the testing phase and more complicated to write (due to the network code that would have to be developed).

[/ QUOTE ]

Actually it takes surprisingly little code to handle this.

Having root access to a server, would be even more stupid. And nobody in their right mind would ever allow root access to a server.

Also if this is done properly all actions etc. are held in the game servers memory until the hand is concluded - Once completed, the information is sent to a DB server and written to the database, once that is completed without an error, the game server sends a hand completed ok to the client and initiates the next hand (if for some reason the DB transaction fails, current hand should be voided and all play at the table stop).

That way you are SURE that there is no way, except actually hacking the game server and running a memory scan, for anyone to obtain the current hole cards.

Oh and by game server, I mean a separate process running on the server for each and every table currently open. (so a new table = new process - And table close = process closing).

And adding some code to handle a privileged user being sent all hole cards = trivial and very very easy.

(and if you wanna get real technical about it, all information except the dealt hole cards are written immediately - And on completion of the hand, the hole cards are written + the deck prior to dealing + stub).

[teddyFBI]

Dear Absolute head honchos:

If you're reading this thread (and I think you are, given that you demanded that the Hilt wedding photos be taken down within about 20 minutes of them being posted), I was just thinking yesterday about the following, which I think would be an important and necessary step toward regaining the trust of 2+2 and the broader poker community (if it's even possible at all, although I believe it is, even while the road may be long). The first step was obviously paying back those who had money stolen from them, which you appear to be on the road to doing, which is the only thing giving me a sliver of hope that you might also agree to the following.

As your investigation of this matter proceeds and winds down, I want to see a Q&A session or roundtable discussion between this community and some of your top-level management and software representatives. I may be able to arrange for the Chairman of the KGC to contribute to this type of discussion as well.

Here's the thing: while some of us are clearly steamed about having our well-earned money stolen from us, I would venture to say that the #1 reason that 90% the members here have steam coming out of their ears on this (and that many people want nothing less than Absolute's bloody demise) is the pervasive lying, misdirection, and stonewalling that we've gotten on this issue from DAY 1! I, myself, have spent way too much of my time over the last 2 months on the phone with your so-called security "supervisors", only to have them tell me that they have extensively investigated the accounts in question and could not find any evidence of wrongdoing. And then, of course, there have been the half dozen or so "official" press releases that have point-blank contradicted each other, as you seem to have struggled to find a lie that 'worked'. The kindest way to describe Absolute's response to this would be utterly opaque and disingenuous. At its core, though, I think you'd have a hard time convincing many here that it wasn't purposefully deceptive and outright criminal.

OK, I get it, if the cheating executives were the ones still pulling the strings and issuing the directives as this scandal broke, then that would somewhat explain the lying and misdirection in how you have addressed the issue...but you now want us to believe that you're cleaning up, so how about you begin with something that you have to this point avoided like the plague: ABSOLUTE TRANSPARENCY.

We have many, many questions about how the initial attempted coverup and ensuing investigation were handled, just what was uncovered (and HOW), and why we should believe that it can't happen again. You will not be bombarded with immature or irrelevant questions --> it does not even necessarily have to be a *real-time* Q&A. If you would like, we will come together as a community and write down our 20 or 30 most important questions, as long as you will pledge to answer each of them to the best of your ability within a reasonable time-frame (perhaps 1 week). Chief Jo Norton: you say that you're committed to turning over a new leaf and earning back the trust of your players? Well it starts with 100% transparency, and you can put your 'money where your mouth is' on this issue by agreeing to an open exchange of questions and answers with this community that has worked tirelessly (and at no charge) to help you uncover just how rotten-to-the-core your poker site has been the past few years.

[Josem]

Absolute,

TeddyFBI is clearly one of the most respected players who has lost money in this debacle.

As an incentive to resolve this situation, I'm happy to remove the website that I host (absolutepokercheats.com) when he thinks it is time.

[RedBean]

[ QUOTE ]

I believe what we're looking at is a superuser (or root) account using a special client (a client for the operating system, not the poker server) designed to pluck hole card data from server storage and display it to the superuser at the remote end.


[/ QUOTE ]

That's one of many possibilities, but would have to happen from within the protection boundary of the server...depending upon where that line is drawn...most likely on the server itself, but possibly from within the entire AP subnet (which includes RivieraLtd).