interesting colluding poker bots article


Bots, Cheating, and Online Poker
Posted on Sun Dec 10, 2006 03:11:18 PM

Recently, a long-time member of the Las Vegas poker community posted a question in several public forums about cheating. He saw a Google ad on my site for an organization selling some Cheating software for poker.

I saw those ads too, and I submitted them immediately to Google so that they wouldn't display. Google selects the ads to display, but I can veto them manually, and I vetoed the cheating ones. Normally I have a laissez faire attitude toward ads, figuring that my readers are smart enough to know what might be worth buying (poker equipment, books, and other stuff) and what's a dud. But I won't have "Cheat at Poker" splashed across my site, whether the guy is selling snake oil or not.

The post then asks what cheating methods might be used online, and what he should be concerned about. I don't want to alarm people, but I think it's a valid question, so I figured I'd talk a bit about it. There are two major classes of cheating threats: attacks on the basic integrity of the game, and team play.

Attacks on the Integrity of the Game

I'm talking about stuff like the cards being rigged, about some players being able to see others' hands, and about people being able to crack the random number generator (RNG).

To be hit by one of these things requires either incompetent software design, deliberate misuse by someone on the inside, or spyware.

At the 30,000 foot level, here's how a poker program should work. It should use a hardware RNG to ensure true randomness rather than pseudo-randomness. Computers often generate random numbers by taking a fixed seed (like the current time) and running it through a very unpredictable function. This makes the output seem random, but if you know the original seed number, you can just run the function again and predict what the random number will be.

Hardware RNG is truly random. An example is a radioactive source and a Geiger counter. You can't predict when the next atom will decay, when the Geiger counter will next blip. No one can. It's a law of nature. You can use the random blips of a Geiger counter to generate truly random, unpredictable numbers.

Poker software should generate your hole cards with hardware RNG. Then it should send them to you through an encrypted channel. It would work similarly to the encryption on the web. Here's how it might work. Your computer selects a secret key (i.e., password) at random (or, rather, pseudo-random). It encrypts it using the poker site's public key and sends it to the site (read more about public key cryptography). The site decrypts the key and then sends you a confirmation that you both have the same key. Then the site communicates your cards to you using your agreed upon secret key.

If done correctly, no one listening in can know what your cards are. It's a secret between you and the poker site. That's how a poker site should work, and it's relatively basic stuff for any competent developer. But not all developers are competent, and they could do it wrong. The site could be cheap and scrimp on the hardware RNG, thus relying on pseudo-random numbers. Since those numbers can be predicted, one could crack the code and figure out what all the cards are.

The site could also mis-implement the encryption algorithm and introduce a vulnerability there. Fortunately, online poker sites seem to be settling on a few online poker software packages rather than developing new ones for each little site. The major packages shouldn't have these problems. I'd expect them only from a homebrew piece of software at a little site.

As I said, your cards are a secret between you and the poker site. Or rather, between your computer and the poker site's computer. Those are the two points of attack. If someone at the poker site who has access to the server code wanted to look at cards, they could, without question, do so. There's no way around that.

More immediately concerning (at least to the extent that it's actually something you can control), however, is spyware. Your computer knows your secret key and your cards. If you accidentally download and install a spyware package designed to sniff out your cards, you're toast. It would sit in the background, and you'd have no immediate tip-off to its existence. It would read either your secret key or your actual decrypted cards and transmit them to a server run by the spyware developer. Then he could see your cards every time you play.

Writing such spyware without cooperation from the poker client is far from trivial, however, as Windows has built-in protections to prevent a random program from accessing the memory of another. In other words, I couldn't write a program that just looks at the memory used to store your cards because that memory belongs to a different program. Windows would say, "Nope, you can't read that." [Ed. Actually, it's really not all that hard to write spyware that grabs your cards. An easy example is a screenscraper that watches what's on your monitor and forwards that information to a 3rd party. Thanks to MFM in the comments for catching my brainfart.]

But if there's a vulnerability in the poker client, then the spyware could sneak in and become part of the poker client. At that point, it could read and transmit freely. The client has to be written very rigorously to avoid exposing such a vulnerability. Here's a quick example. Say the client is divided into different modules: one part converses over the Internet, one part displays cards on screen, and one part encodes and decodes things. The spyware might be able to hack the part that displays cards and inject code that reads and transmits your cards to the cheaters. To defeat that, the person who wrote the client code would have to check at load time that the card displaying module is untainted. In other words, before it loads ANYTHING, it has to make sure no one changed it.

Most poker client software actually probably does that. But there are probably literally thousands of similar checks and verifications the poker client has to make throughout the code to make sure that no evil code sneaks in, and humans being humans, usually a few get missed.

Again, I'm not trying to be alarmist. It's not easy to write such a piece of spyware. But in computer security, where there's a will, there's a way. There's money to be made, and you can be 100% certain people are working on hacks like this as you read this. Someone will find a hack, get people to install it, and use it for a while to steal money. Eventually the poker site will find out, and the developer will fix the crack. But in the meantime, bad stuff has happened.

That's about it for the integrity of the game. To be honest, I think it's a relatively low risk for most people. Frankly, it's a lot easier for spyware just to grab your password through a keylogger, log in as you, and take your money that way. Be very careful about what you install on your computer, and be on the lookout for drive-by downloads. And don't play at shady sites. The shadier the site, the more likely someone working for it will see the easy money they can grab and grab it.

Team Play

Team play is a more imminent threat. Obviously, colluding is trivial. Talk to someone else while you play. It's a skill, though two idiots who can't play poker aren't a threat. But two excellent players who have mastered colluding will be damn near unbeatable.

Identifying collusion is tricky. There's ways sites can do it, but a lot of the evidence is circumstantial, and it requires human eyes to make the final call. Whenever you have a network-scale problem and a human-scale solution, stuff will slip through the cracks. Especially when the problem users are largely anonymous and can just change IPs, bank accounts, and usernames and start again.

Furthermore, cardrooms have a long-term incentive to squelch cheating (because it fleeces the regular players and eventually they'll stop playing), but a short-term incentive to cover it up (because a cheating scandal will chase players away long before they get frustrated and quit on their own). Whenever your first incentive is to cover something up, you have a dangerous situation. It's not an indictment of cardrooms, it's just the way it is.

To me, the most direct threat to online poker is colluding bots. By themselves, bots are a major threat to online poker. Bot software is now available to the public at a very affordable price. (Please don't flame me for the link. Enough people already know about and use these bots that the damage is done, so to speak. If you don't believe me, look at the forums at that site and see how active they already are. I'm very much trying to educate the regular player about what they are up against.)

The reason bots are a threat is because it's not too hard to code a bot that will beat the small games, both limit and no limit. Small games are the lifeblood of the poker economy and the $100 losses at $2-$4 are ultimately what feed the $1,000-$2,000 games at the top - pyramid style. In a normal small stakes game, incompetent players fill most of the seats, and the few good players shear the sheep, as it were, taking their cut, but leaving most of the money floating around.

Bots, however, have the capability to be in hundreds of games simultaneously. Eventually they will skin the sheep. They will continue to expand and fill seats until someone stops them, or until it's no longer profitable. If the bots are making no money, then it means the cardroom is getting its rake, the good players are getting a tiny bit, and the bad players are getting slaughtered. They'll quit. And without their money, the whole online poker pyramid will collapse.

Bots are quite literally the cancer of online poker. They will multiply until they have killed their victim or until someone contains them. The bot software I linked above allows users to create their own AI and plug it into the bot framework. Hundreds of great poker minds are working right now to develop better AIs. If you want insight into their brains, again, read those forums.

More threatening still is colluding bots. Bots can communicate with other bots and share hole cards. Say someone writes a colluding bot and sits it in three seats of a game. The bots share hole cards with each other and instantly adjust their strategies based on the extra knowledge. A well-coded bot of this type would be extremely formidable even to strong players.

If poker sites want to survive and keep their pot-o-gold running into the next decade, they need to tackle the bot problem head on (apply directly to the forehead). They have adopted some counter-measures. For instance, Party and Stars (and possibly others) use a technology called captchas (you've no doubt seen them on numerous websites now) to thwart bots. A captcha is just an image with distorted lettering on it. It's trivial for humans to see through the distortion and type in the lettering, but it's a tough problem for computers. The site challenges you with a captcha, and you have to type it in to keep playing. Bots won't be able to do this reliably enough to avoid detection.

But captchas don't work at all if a person is sitting there watching the bot. Say someone has three computers with a colluding bot on each computer. They tell the bots to play, and they monitor the action to look out for captchas. It's a solution for the nickel-and-dime botting at the very bottom, but as soon as there's meaningful money involved, people will sit there just to type in captchas. Or hire people to do that. Lots of people would be happy to earn $8/hour to sit there and type in captchas.

It's a tough nut to crack, but sites will eventually have to attack the problem very aggressively if they want to keep their businesses going. And ultimately, the deck is stacked against the cardrooms. There's no iron-clad solution. Bots can run remotely so the bot software is entirely undetectable on the client machine. Poker clients would have to ban the use of all sorts of macroing and other automated input programs to stop it, but the bleeding edge botters will always be one step ahead.

In fact, the botters could reduce their footprint on the client machine to nearly zero. They could run the bot on a separate computer. The bot could simply suggest plays (informed with the hole cards of other bots) on that computer, and a hired person could execute the plays in real time on the client machine. The hired player could respond to chat, enter captchas, and otherwise appear like a completely normal player. This could be done in workshop-style offices on a large scale in places like Eastern Europe where kids can be hired very cheaply. The only recourse the cardrooms would have is the labor-intensive collusion detection available to them. If the botters collude smartly, (i.e., they don't collude every hand, but mix it up to use poker terms), they could escape detection for quite a while. Lest you think this is far-fetched, such workshops already exist in China to play online computer games and sell virtual property.

Unfortunately, as I gaze into my crystal ball, I fear colluding bots may make online poker in 2010 just a shell of what it is today. As someone who makes his living off the vibrancy of honest poker, that thought scares me a lot. But just because I want the problem to go away doesn't mean it will. You, every honest poker player, should know what the threats are and exactly what you might be up against when you play online poker.

Ed Miller Noted Poker Authority
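
The seed problem the article describes, as an added example that is not part of the original post or article: a toy dealer that seeds its shuffle from the clock, the audit check that exposes it, and the same shuffle drawn from OS entropy. The deck layout, the positions one seat can see and the timestamp are constructed assumptions, and Python's `secrets.SystemRandom` stands in for the hardware RNG the article asks for.

```python
import random
import secrets

RANKS, SUITS = "23456789TJQKA", "cdhs"
FRESH_DECK = [r + s for r in RANKS for s in SUITS]


def shuffle_time_seeded(clock_seconds):
    """Weak dealer: the deck order is a pure function of the clock value."""
    deck = FRESH_DECK.copy()
    random.Random(clock_seconds).shuffle(deck)
    return deck


def shuffle_os_entropy():
    """Hardened dealer: draws from the OS entropy pool, so no seed can be replayed."""
    deck = FRESH_DECK.copy()
    secrets.SystemRandom().shuffle(deck)
    return deck


def seeds_matching(seen, start, end):
    """Audit check: which clock values in [start, end) reproduce the cards
    one seat legitimately saw? `seen` maps deck position -> card."""
    hits = []
    for seed in range(start, end):
        deck = shuffle_time_seeded(seed)
        if all(deck[pos] == card for pos, card in seen.items()):
            hits.append(seed)
    return hits


# Constructed scenario: the hand was shuffled at this Unix time (made-up value).
TRUE_SEED = 1165763478
dealt = shuffle_time_seeded(TRUE_SEED)
# One seat sees its two hole cards (positions 0-1) and the flop (positions 6-8).
SEEN = {pos: dealt[pos] for pos in (0, 1, 6, 7, 8)}


def audit_weak_dealer(window=300):
    """Full deck orders consistent with SEEN when the shuffle time is known
    to within +/- `window` seconds. Any result means the dealer fails the audit."""
    hits = seeds_matching(SEEN, TRUE_SEED - window, TRUE_SEED + window)
    return [shuffle_time_seeded(s) for s in hits]


if __name__ == "__main__":
    decks = audit_weak_dealer()
    print("deck orders consistent with 5 visible cards:", len(decks))
    print("entire dealt deck reproduced:", dealt in decks)
    print("OS-entropy shuffles differ:", shuffle_os_entropy() != shuffle_os_entropy())
```

Five visible cards and a ten-minute window of clock values are enough to pin down all 52 positions for the time-seeded dealer, while the OS-entropy dealer gives the same check nothing to enumerate.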
With the passage of the UIGEA, and the majority of the reputable casinos [non MGS] taken away from us Americans, I have been playing a lot more online poker lately. I do feel fortunate that I do not play a lot of holdem though, because I feel that's where the majority of these bots are. I do not think that this is the end of online poker. I do still KNOW that you can make $$$ playing online.

I personally believed before I read this article that the bots were good for the game, with their 10-20% vpip. The new bots are much more aggressive though, eventually this is going to hurt the solid players' profits.
And eventually they are going to move into mixed games where collusion can definitely hurt more.

Everyone knows that this is not a new problem, but Ed raises some pretty scary points that I myself have never thought of in this article. The new bots are much more aggressive than the old weak tight ones. It's the network of collusion that scares me the most.

If colluding bots could nail a holdem game, think for a minute what they could do to a pot limit omaha game, or even worse a pot limit omaha/8 game. Just three bots at the table, that's 12 known cards out of the deck. Imagine a bot being able to stack off with a jack high flush knowing that it can't be beat. If I personally saw the bot table this hand for his stack, I would think he was a maniac - definitely not a bot - all the while the network would be busy chopping my ass up, slowly but surely.

Winholdem has been around for at least three years, the program he is selling is not the one I'm worried about. That guy is a dick everyone knows that. But I think a lot of the coders started on his platform and added to it, making more advanced shit. As AI gets more advanced, the bots start reacting to your tendencies, just like a solid player would. And the less sophisticated bots will get eaten up by the better bots too.
The ones that started out of the Univ. of Alberta?? [ I think - POKI ] are probably making $$$. F**k, that contest was at least 2 years ago.

There is just too much money in this shit for it not to grow and spread just like a f**king cancer. It will get more sophisticated with time, don't kid yourself that it won't.
Think about an offshore [or onshore] warehouse full of bots playing best hand. They could suck a game dry pretty quick. Scary thoughts, man.

But think about some of these smaller sites/networks out there and ask yourself why they would want to get rid of the bots?
To a new startup site, these are just props that they do not have to pay.
And bots pay a full rake just like humans do.
They add more players to games.
The only thing they do not do that a prop would is start games.
Bots play every day [ Christmas included ].
Bots don't bonus hunt or play only with a bonus.
All new sites / networks have used props in the past, to get started. Jetset had them until the day they shut down.
It's a win/win situation for new sites / networks.

I forget the name of the site that already went through a scandal in the last couple of years for having their own site sanctioned bots?

Just some things to think about, before you quit your day job with dreams of becoming an online pro.

Merry Christmas
An excellent post but

Party has I'm afraid gone way downhill since the American players left..the reason I say this is that there is an overwhelming amount of team play going on no matter at what level you play up to about 25/50 games..I've been a Party member for 2 years and it's seriously getting worse every day so much so I emailed them closing my acct and outlined to them the reasons why..

1. Non English speakers seem to be taking over and I emailed you about 5-6 times and each time a silly we will monitor this..

2. Discussing hands in progress at the table and Party's reply to my detailed email giving hand numbers players etc>>> we will monitor this.

3. Obvious collusion that's so noticeable an idiot can see it...Party's reply??? we will monitor this..

Now forgive me if I am wrong but Party's future relies heavily on the far east so that's why nothing is ever going to be done about this if they are going to rely say for example on China and stipulate English only at the tables no one's gonna Party has basically given up the ghost and could not give a damn about UK players they have seriously short memories and 1 last thing have a look at all the nice freerolls they give to Scandinavians, Germans, Russians, oceanic areas....British players?? no chance

goodbye party .
I've read numerous articles like this and to be honest I think this does more harm to the "poker economy" by scaring away the fish. I've been called a bot by the fish when I multi table and don't chat, and house player when I do chat, by the fish. And when I was a fish I used to think everyone I lost to was a potential bot or cheater. Now that I'm a pretty solid player I know who the bots are because I can steal from them. They are predictable since they are running a program not actually thinking. They're usually very aggressive which is profitable at most limits online, but if you figure them out and use that against them they become easy prey. At least that's my theory, I don't think bots are a big threat or as widespread, not yet anyway...
If a slot simulator is a bot, boo hoo.
I count that sh*t in my head, and will use it against any fair program any time. The damn things streak, that is chaos, and it ain't so hard to figure.

Nice post -- actually the fishes, thinking that they lose because of bots, is not that bad. That's not something that will drive them out.

When I was a fish, I played for 5 months without knowing what a rake and a rakeback is. I knew the house is taking some money, but didn't bother to care how much.

Nowadays, 90+% of the bots are losing money (in general), not to talk about a pro playing against a bot.

It's interesting to see the dramatic posts in the beginning, and how 1.5 years later nothing actually changed toward the predictions.
From where did you pull this little "factoid"?

You mean the 90+%?

That is a commonly believed number, and I have some indications that it's correct by trying to verify it myself.

I don't have a link or so - you won't find a definite opinion and exact number even on the question what % of the online players in general are winning players.
Team play is cheating too

I have run across several instances on sites where players in chat have actually asked other players for their IM addy.

When I was asked if I had an IM by one of the players at a poker room I play in quite a bit, I gave him a Yahoo IM name that I happened to have open at the time. The player IM'ed me immediately and sent me a message saying he would tell me his hole cards if I would tell him mine.

I declined, but I am sure many others have not.

Since I only play tournies this probably does not have that much effect on me, but now I often suspect some of the players at these tournies at that site are colluding by sharing hole cards via IM. Especially so when I see consistent play decision delays start suddenly from a player who was prechecking earlier.

Just my thoughts. And maybe something to watch for.
While reading the recent issues I thought about that too, DoverPro... How hard would it be to have a separate line of communication, go to a place and buddy up around a table to collude. Poker is all skill my ass, it's the biggest potential for cheating out there IMO.
