[REOdeathwagon]

Bots, Cheating, and Online Poker
Posted on Sun Dec 10, 2006 03:11:18 PM
http://www.notedpokerauthority.com/a...ine-poker.html

Recently, a long-time member of the Las Vegas poker community posted a question in several public forums about cheating. He saw a Google ad on my site for an organization selling some “Cheating” software for poker.

I saw those ads too, and I submitted them immediately to Google so that they wouldn’t display. Google selects the ads to display, but I can veto them manually, and I vetoed the cheating ones. Normally I have a laissez faire attitude toward ads, figuring that my readers are smart enough to know what might be worth buying (poker equipment, books, and other stuff) and what’s a dud. But I won’t have “Cheat at Poker” spashed across my site, whether the guy is selling snake oil or not.

The post then asks what cheating methods might be used online, and what he should be concerned about. I don’t want to alarm people, but I think it’s a valid question, so I figured I’d talk a bit about it. There are two major classes of cheating threats: attacks on the basic integrity of the game, and team play.

Attacks on the Integrity of the Game

I’m talking about stuff like the cards being “rigged,” about some players being able to see others’ hands, and about people being able to crack the random number generator (RNG).

To be hit by one of these things requires either incompetent software design, deliberate misuse by someone on the inside, or spyware.

At the 30,000 foot level, here’s how a poker program “should” work. It should use a hardware RNG to ensure true randomness rather than pseudo-randomness. Computers often generate “random” numbers by taking a fixed seed (like the current time) and running it through a very unpredictable function. This makes the output seem random, but if you know the original seed number, you can just run the function again and predict what the “random” number will be.

Hardware RNG is truly random. An example is a radioactive source and a Geiger counter. You can’t predict when the next atom will decay, when the Geiger counter will next “blip.” No one can. It’s a law of nature. You can use the random blips of a Geiger counter to generate truly random, unpredictable numbers.

Poker software should generate your hole cards with hardware RNG. Then it should send them to you through an encrypted channel. It would work similarly to the encryption on the web. Here’s how it might work. Your computer selects a secret key (i.e., password) at random (or, rather, psuedo-random). It encrypts it using the poker site’s public key and sends it to the site (read more about public key cryptography). The site decrypts the key and then sends you a confirmation that you both have the same key. Then the site communicates your cards to you using your agreed upon secret key.

If done correctly, no one “listening in” can know what your cards are. It’s a secret between you and the poker site. That’s how a poker site should work, and it’s relatively basic stuff for any competent developer. But not all developers are competent, and they could do it wrong. The site could be cheap and scrimp on the hardware RNG, thus relying on psuedo-random numbers. Since those numbers can be predicted, one could “crack” the code and figure out what all the cards are.

The site could also mis-implement the encryption algorithm and introduce a vulnerability there. Fortunately, online poker sites seem to be settling on a few online poker software packages rather than developing new ones for each little site. The major packages shouldn’t have these problems. I’d expect them only from a homebrew piece of software at a little site.

As I said, your cards are a secret between you and the poker site. Or rather, between your computer and the poker site’s computer. Those are the two points of attack. If someone at the poker site who has access to the server code wanted to look at cards, they could, without question, do so. There’s no way around that.

More immediately concerning (at least to the extent that it’s actually something you can control), however, is spyware. Your computer knows your secret key and your cards. If you accidently download and install a spyware package designed to sniff out your cards, you’re toast. It would sit in the background, and you’d have no immediate tip-off to its existence. It would read either your secret key or your actual decrypted cards and transmit them to a server run by the spyware developer. Then he could see your cards every time you play.

Writing such spyware without “cooperation” from the poker client is far from trivial, however, as Windows has built-in protections to prevent a random program from accessing the memory of another. In other words, I couldn’t write a program that just looks at the memory used to store your cards because that memory belongs to a different program. Windows would say, “Nope, you can’t read that.” [Ed. Actually, it’s really not all that hard to write spyware that grabs your cards. An easy example is a screenscraper that watches what’s on your monitor and forwards that information to a 3rd party. Thanks to MFM in the comments for catching my brainfart.]

But if there’s a vulnerability in the poker client, then they spyware could “sneak in” and become part of the poker client. At that point, it could read and transmit freely. The client has to be written very rigorously to avoid exposing such a vulnerability. Here’s a quick example. Say the client is divided into different modules: one part converses over the Internet, one part displays cards on screen, and one part encodes and decodes things. The spyware might be able to hack the part that displays cards and inject code that reads and transmit your cards to the cheaters. To defeat that, the person who wrote the client code would have to check at load time that the card displaying module is untainted. In other words, before it loads ANYTHING, it has to make sure no one changed it.

Most poker client software actually probably does that. But there are probably literally thousands of similar checks and verifications the poker client has to make throughout the code to make sure that no evil code sneaks in, and humans being humans, usually a few get missed.

Again, I’m not trying to be alarmist. It’s not easy to write such a piece of spyware. But in computer security, where there’s a will, there’s a way. There’s money to be made, and you can be 100% certain people are working on hacks like this as you read this. Someone will find a hack, get people to install it, and use it for a while to steal money. Eventually the poker site will find out, and the developer will fix the crack. But in the meantime, bad stuff has happened.

That’s about it for the integrity of the game. To be honest, I think it’s a relatively low risk for most people. Frankly, it’s a lot easier for spyware just to grab your password through a keylogger, log in as you, and take your money that way. Be very careful about what you install on your computer, and be on the lookout for drive-by downloads. And don’t play at shady sites. The shadier the site, the more likely someone working for it will see the easy money they can grab and grab it.

Team Play

Team play is a more imminent threat. Obviously, colluding is trivial. Talk to someone else while you play. It’s a skill, though… two idiots who can’t play poker aren’t a threat. But two excellent players who have mastered colluding will be damn near unbeatable.

Identifying collusion is tricky. There’s ways sites can do it, but a lot of the evidence is circumstantial, and it requires human eyes to make the final call. Whenever you have a network-scale problem and a human-scale solution, stuff will slip through the cracks. Especially when the problem users are largely anonymous and can just change IP’s, bank accounts, and usernames and start again.

Furthermore, cardrooms have a long-term incentive to squelch cheating (because it fleeces the regular players and eventually they’ll stop playing), but a short-term incentive to cover it up (because a cheating scandal will chase players away long before they get frustrated and quit on their own). Whenever your first incentive is to cover something up, you have a dangerous situation. It’s not an indictment of cardrooms, it’s just the way it is.

To me, the most direct threat to online poker is colluding bots. By themselves, bots are a major threat to online poker. Bot software is now available to the public at a very affordable price. (Please don’t flame me for the link. Enough people already know about and use these bots that the damage is done, so to speak. If you don’t believe me, look at the forums at that site and see how active they already are. I’m very much trying to educate the regular player about what they are up against.)

The reason bots are a threat is because it’s not too hard to code a bot that will beat the small games, both limit and no limit. Small games are the lifeblood of the poker economy and the $100 losses at $2-$4 are ultimately what feed the $1,000-$2,000 games at the top - pyramid style. In a normal small stakes game, incompetent players fill most of the seats, and the few good players “shear the sheep,” as it were, taking their cut, but leaving most of the money floating around.

Bots, however, have the capability to be in hundreds of games simultaneously. Eventually they will “skin the sheep.” They will continue to expand and fill seats until someone stops them, or until it’s no longer profitable. If the bots are making no money, then it means the cardroom is getting its rake, the good players are getting a tiny bit, and the bad players are getting slaughtered. They’ll quit. And without their money, the whole online poker pyramid will collapse.

Bots are quite literally the cancer of online poker. They will multiply until they have killed their victim or until someone contains them. The bot software I linked above allows users to create their own AI and plug it into the bot framework. Hundreds of great poker minds are working right now to develop better AIs. If you want insight into their brains, again, read those forums.

More threatening still is colluding bots. Bots can communicate with other bots and share hole cards. Say someone writes a colluding bot and sits it in three seats of a game. The bots share hole cards with each other and instantly adjust their strategies based on the extra knowledge. A well-coded bot of this type would be extremely formidable even to strong players.

If poker sites want to survive and keep their pot-o-gold running into the next decade, they need to tackle the bot problem head on (apply directly to the forehead). They have adopted some counter-measures. For instance, Party and Stars (and possibly others) use a technology called captchas (you’ve no doubt seen them on numerous websites now) to thwart bots. A captcha is just an image with distorted lettering on it. It’s trivial for humans to see through the distortion and type in the lettering, but it’s a tough problem for computers. The site challenges you with a captcha, and you have to type it in to keep playing. Bots won’t be able to do this reliably enough to avoid detection.

But captchas don’t work at all if a person is sitting there watching the bot. Say someone has three computers with a colluding bot on each computer. They tell the bots to play, and they monitor the action to look out for captchas. It’s a solution for the nickel-and-dime botting at the very bottom, but as soon as there’s meaningful money involved, people will sit there just to type in captchas. Or hire people to do that. Lots of people would be happy to earn $8/hour to sit there and type in captchas.

It’s a tough nut to crack, but sites will eventually have to attack the problem very aggressively if they want to keep their businesses going. And ultimately, the deck is stacked against the cardrooms. There’s no iron-clad solution. Bots can run remotely so the bot software is entirely undetectable on the client machine. Poker clients would have to ban the use of all sorts of macroing and other automated input programs to stop it, but the “bleeding edge” botters will always be one step ahead.

In fact, the botters could reduce their footprint on the client machine to nearly zero. They could run the bot on a separate computer. The bot could simply suggest plays (informed with the hole cards of other bots) on that computer, and a hired person could execute the plays in real time on the client machine. The hired player could respond to chat, enter captchas, and otherwise appear like a completely normal player. This could be done in workshop-style offices on a large scale in places like Eastern Europe where kids can be hired very cheaply. The only recourse the cardrooms would have is the labor-intensive collusion detection available to them. If the botters collude “smartly,” (i.e., they don’t collude every hand, but “mix it up” to use poker terms), they could escape detection for quite a while. Lest you think this is far-fetched, such workshops already exist in China to play online computer games and sell virtual property.

Unfortunately, as I gaze into my crystal ball, I fear colluding bots may make online poker in 2010 just a shell of what it is today. As someone who makes his living off the vibrancy of honest poker, that thought scares me a lot. But just because I want the problem to go away doesn’t mean it will. You, every honest poker player, should know what the threats are and exactly what you might be up against when you play online poker.

Ed Miller · Noted Poker Authority