REOdeathwagon
Dormant account
- Joined
- Mar 31, 2006
- Location
- arizona
Bots, Cheating, and Online Poker
Posted on Sun Dec 10, 2006 03:11:18 PM
Outdated URL (Invalid)
Recently, a long-time member of the Las Vegas poker community posted a question in several public forums about cheating. He saw a Google ad on my site for an organization selling some Cheating software for poker.
I saw those ads too, and I submitted them immediately to Google so that they wouldnt display. Google selects the ads to display, but I can veto them manually, and I vetoed the cheating ones. Normally I have a laissez faire attitude toward ads, figuring that my readers are smart enough to know what might be worth buying (poker equipment, books, and other stuff) and whats a dud. But I wont have Cheat at Poker spashed across my site, whether the guy is selling snake oil or not.
The post then asks what cheating methods might be used online, and what he should be concerned about. I dont want to alarm people, but I think its a valid question, so I figured Id talk a bit about it. There are two major classes of cheating threats: attacks on the basic integrity of the game, and team play.
Attacks on the Integrity of the Game
Im talking about stuff like the cards being rigged, about some players being able to see others hands, and about people being able to crack the random number generator (RNG).
To be hit by one of these things requires either incompetent software design, deliberate misuse by someone on the inside, or spyware.
At the 30,000 foot level, heres how a poker program should work. It should use a hardware RNG to ensure true randomness rather than pseudo-randomness. Computers often generate random numbers by taking a fixed seed (like the current time) and running it through a very unpredictable function. This makes the output seem random, but if you know the original seed number, you can just run the function again and predict what the random number will be.
Hardware RNG is truly random. An example is a radioactive source and a Geiger counter. You cant predict when the next atom will decay, when the Geiger counter will next blip. No one can. Its a law of nature. You can use the random blips of a Geiger counter to generate truly random, unpredictable numbers.
Poker software should generate your hole cards with hardware RNG. Then it should send them to you through an encrypted channel. It would work similarly to the encryption on the web. Heres how it might work. Your computer selects a secret key (i.e., password) at random (or, rather, psuedo-random). It encrypts it using the poker sites public key and sends it to the site (read more about public key cryptography). The site decrypts the key and then sends you a confirmation that you both have the same key. Then the site communicates your cards to you using your agreed upon secret key.
If done correctly, no one listening in can know what your cards are. Its a secret between you and the poker site. Thats how a poker site should work, and its relatively basic stuff for any competent developer. But not all developers are competent, and they could do it wrong. The site could be cheap and scrimp on the hardware RNG, thus relying on psuedo-random numbers. Since those numbers can be predicted, one could crack the code and figure out what all the cards are.
The site could also mis-implement the encryption algorithm and introduce a vulnerability there. Fortunately, online poker sites seem to be settling on a few online poker software packages rather than developing new ones for each little site. The major packages shouldnt have these problems. Id expect them only from a homebrew piece of software at a little site.
As I said, your cards are a secret between you and the poker site. Or rather, between your computer and the poker sites computer. Those are the two points of attack. If someone at the poker site who has access to the server code wanted to look at cards, they could, without question, do so. Theres no way around that.
More immediately concerning (at least to the extent that its actually something you can control), however, is spyware. Your computer knows your secret key and your cards. If you accidently download and install a spyware package designed to sniff out your cards, youre toast. It would sit in the background, and youd have no immediate tip-off to its existence. It would read either your secret key or your actual decrypted cards and transmit them to a server run by the spyware developer. Then he could see your cards every time you play.
Writing such spyware without cooperation from the poker client is far from trivial, however, as Windows has built-in protections to prevent a random program from accessing the memory of another. In other words, I couldnt write a program that just looks at the memory used to store your cards because that memory belongs to a different program. Windows would say, Nope, you cant read that. [Ed. Actually, its really not all that hard to write spyware that grabs your cards. An easy example is a screenscraper that watches whats on your monitor and forwards that information to a 3rd party. Thanks to MFM in the comments for catching my brainfart.]
But if theres a vulnerability in the poker client, then they spyware could sneak in and become part of the poker client. At that point, it could read and transmit freely. The client has to be written very rigorously to avoid exposing such a vulnerability. Heres a quick example. Say the client is divided into different modules: one part converses over the Internet, one part displays cards on screen, and one part encodes and decodes things. The spyware might be able to hack the part that displays cards and inject code that reads and transmit your cards to the cheaters. To defeat that, the person who wrote the client code would have to check at load time that the card displaying module is untainted. In other words, before it loads ANYTHING, it has to make sure no one changed it.
Most poker client software actually probably does that. But there are probably literally thousands of similar checks and verifications the poker client has to make throughout the code to make sure that no evil code sneaks in, and humans being humans, usually a few get missed.
Again, Im not trying to be alarmist. Its not easy to write such a piece of spyware. But in computer security, where theres a will, theres a way. Theres money to be made, and you can be 100% certain people are working on hacks like this as you read this. Someone will find a hack, get people to install it, and use it for a while to steal money. Eventually the poker site will find out, and the developer will fix the crack. But in the meantime, bad stuff has happened.
Thats about it for the integrity of the game. To be honest, I think its a relatively low risk for most people. Frankly, its a lot easier for spyware just to grab your password through a keylogger, log in as you, and take your money that way. Be very careful about what you install on your computer, and be on the lookout for drive-by downloads. And dont play at shady sites. The shadier the site, the more likely someone working for it will see the easy money they can grab and grab it.
Team Play
Team play is a more imminent threat. Obviously, colluding is trivial. Talk to someone else while you play. Its a skill, though two idiots who cant play poker arent a threat. But two excellent players who have mastered colluding will be damn near unbeatable.
Identifying collusion is tricky. Theres ways sites can do it, but a lot of the evidence is circumstantial, and it requires human eyes to make the final call. Whenever you have a network-scale problem and a human-scale solution, stuff will slip through the cracks. Especially when the problem users are largely anonymous and can just change IPs, bank accounts, and usernames and start again.
Furthermore, cardrooms have a long-term incentive to squelch cheating (because it fleeces the regular players and eventually theyll stop playing), but a short-term incentive to cover it up (because a cheating scandal will chase players away long before they get frustrated and quit on their own). Whenever your first incentive is to cover something up, you have a dangerous situation. Its not an indictment of cardrooms, its just the way it is.
To me, the most direct threat to online poker is colluding bots. By themselves, bots are a major threat to online poker. Bot software is now available to the public at a very affordable price. (Please dont flame me for the link. Enough people already know about and use these bots that the damage is done, so to speak. If you dont believe me, look at the forums at that site and see how active they already are. Im very much trying to educate the regular player about what they are up against.)
The reason bots are a threat is because its not too hard to code a bot that will beat the small games, both limit and no limit. Small games are the lifeblood of the poker economy and the $100 losses at $2-$4 are ultimately what feed the $1,000-$2,000 games at the top - pyramid style. In a normal small stakes game, incompetent players fill most of the seats, and the few good players shear the sheep, as it were, taking their cut, but leaving most of the money floating around.
Bots, however, have the capability to be in hundreds of games simultaneously. Eventually they will skin the sheep. They will continue to expand and fill seats until someone stops them, or until its no longer profitable. If the bots are making no money, then it means the cardroom is getting its rake, the good players are getting a tiny bit, and the bad players are getting slaughtered. Theyll quit. And without their money, the whole online poker pyramid will collapse.
Bots are quite literally the cancer of online poker. They will multiply until they have killed their victim or until someone contains them. The bot software I linked above allows users to create their own AI and plug it into the bot framework. Hundreds of great poker minds are working right now to develop better AIs. If you want insight into their brains, again, read those forums.
More threatening still is colluding bots. Bots can communicate with other bots and share hole cards. Say someone writes a colluding bot and sits it in three seats of a game. The bots share hole cards with each other and instantly adjust their strategies based on the extra knowledge. A well-coded bot of this type would be extremely formidable even to strong players.
If poker sites want to survive and keep their pot-o-gold running into the next decade, they need to tackle the bot problem head on (apply directly to the forehead). They have adopted some counter-measures. For instance, Party and Stars (and possibly others) use a technology called captchas (youve no doubt seen them on numerous websites now) to thwart bots. A captcha is just an image with distorted lettering on it. Its trivial for humans to see through the distortion and type in the lettering, but its a tough problem for computers. The site challenges you with a captcha, and you have to type it in to keep playing. Bots wont be able to do this reliably enough to avoid detection.
But captchas dont work at all if a person is sitting there watching the bot. Say someone has three computers with a colluding bot on each computer. They tell the bots to play, and they monitor the action to look out for captchas. Its a solution for the nickel-and-dime botting at the very bottom, but as soon as theres meaningful money involved, people will sit there just to type in captchas. Or hire people to do that. Lots of people would be happy to earn $8/hour to sit there and type in captchas.
Its a tough nut to crack, but sites will eventually have to attack the problem very aggressively if they want to keep their businesses going. And ultimately, the deck is stacked against the cardrooms. Theres no iron-clad solution. Bots can run remotely so the bot software is entirely undetectable on the client machine. Poker clients would have to ban the use of all sorts of macroing and other automated input programs to stop it, but the bleeding edge botters will always be one step ahead.
In fact, the botters could reduce their footprint on the client machine to nearly zero. They could run the bot on a separate computer. The bot could simply suggest plays (informed with the hole cards of other bots) on that computer, and a hired person could execute the plays in real time on the client machine. The hired player could respond to chat, enter captchas, and otherwise appear like a completely normal player. This could be done in workshop-style offices on a large scale in places like Eastern Europe where kids can be hired very cheaply. The only recourse the cardrooms would have is the labor-intensive collusion detection available to them. If the botters collude smartly, (i.e., they dont collude every hand, but mix it up to use poker terms), they could escape detection for quite a while. Lest you think this is far-fetched, such workshops already exist in China to play online computer games and sell virtual property.
Unfortunately, as I gaze into my crystal ball, I fear colluding bots may make online poker in 2010 just a shell of what it is today. As someone who makes his living off the vibrancy of honest poker, that thought scares me a lot. But just because I want the problem to go away doesnt mean it will. You, every honest poker player, should know what the threats are and exactly what you might be up against when you play online poker.
Ed Miller Noted Poker Authority
Posted on Sun Dec 10, 2006 03:11:18 PM
Outdated URL (Invalid)
Recently, a long-time member of the Las Vegas poker community posted a question in several public forums about cheating. He saw a Google ad on my site for an organization selling some Cheating software for poker.
I saw those ads too, and I submitted them immediately to Google so that they wouldnt display. Google selects the ads to display, but I can veto them manually, and I vetoed the cheating ones. Normally I have a laissez faire attitude toward ads, figuring that my readers are smart enough to know what might be worth buying (poker equipment, books, and other stuff) and whats a dud. But I wont have Cheat at Poker spashed across my site, whether the guy is selling snake oil or not.
The post then asks what cheating methods might be used online, and what he should be concerned about. I dont want to alarm people, but I think its a valid question, so I figured Id talk a bit about it. There are two major classes of cheating threats: attacks on the basic integrity of the game, and team play.
Attacks on the Integrity of the Game
Im talking about stuff like the cards being rigged, about some players being able to see others hands, and about people being able to crack the random number generator (RNG).
To be hit by one of these things requires either incompetent software design, deliberate misuse by someone on the inside, or spyware.
At the 30,000 foot level, heres how a poker program should work. It should use a hardware RNG to ensure true randomness rather than pseudo-randomness. Computers often generate random numbers by taking a fixed seed (like the current time) and running it through a very unpredictable function. This makes the output seem random, but if you know the original seed number, you can just run the function again and predict what the random number will be.
Hardware RNG is truly random. An example is a radioactive source and a Geiger counter. You cant predict when the next atom will decay, when the Geiger counter will next blip. No one can. Its a law of nature. You can use the random blips of a Geiger counter to generate truly random, unpredictable numbers.
Poker software should generate your hole cards with hardware RNG. Then it should send them to you through an encrypted channel. It would work similarly to the encryption on the web. Heres how it might work. Your computer selects a secret key (i.e., password) at random (or, rather, psuedo-random). It encrypts it using the poker sites public key and sends it to the site (read more about public key cryptography). The site decrypts the key and then sends you a confirmation that you both have the same key. Then the site communicates your cards to you using your agreed upon secret key.
If done correctly, no one listening in can know what your cards are. Its a secret between you and the poker site. Thats how a poker site should work, and its relatively basic stuff for any competent developer. But not all developers are competent, and they could do it wrong. The site could be cheap and scrimp on the hardware RNG, thus relying on psuedo-random numbers. Since those numbers can be predicted, one could crack the code and figure out what all the cards are.
The site could also mis-implement the encryption algorithm and introduce a vulnerability there. Fortunately, online poker sites seem to be settling on a few online poker software packages rather than developing new ones for each little site. The major packages shouldnt have these problems. Id expect them only from a homebrew piece of software at a little site.
As I said, your cards are a secret between you and the poker site. Or rather, between your computer and the poker sites computer. Those are the two points of attack. If someone at the poker site who has access to the server code wanted to look at cards, they could, without question, do so. Theres no way around that.
More immediately concerning (at least to the extent that its actually something you can control), however, is spyware. Your computer knows your secret key and your cards. If you accidently download and install a spyware package designed to sniff out your cards, youre toast. It would sit in the background, and youd have no immediate tip-off to its existence. It would read either your secret key or your actual decrypted cards and transmit them to a server run by the spyware developer. Then he could see your cards every time you play.
Writing such spyware without cooperation from the poker client is far from trivial, however, as Windows has built-in protections to prevent a random program from accessing the memory of another. In other words, I couldnt write a program that just looks at the memory used to store your cards because that memory belongs to a different program. Windows would say, Nope, you cant read that. [Ed. Actually, its really not all that hard to write spyware that grabs your cards. An easy example is a screenscraper that watches whats on your monitor and forwards that information to a 3rd party. Thanks to MFM in the comments for catching my brainfart.]
But if theres a vulnerability in the poker client, then they spyware could sneak in and become part of the poker client. At that point, it could read and transmit freely. The client has to be written very rigorously to avoid exposing such a vulnerability. Heres a quick example. Say the client is divided into different modules: one part converses over the Internet, one part displays cards on screen, and one part encodes and decodes things. The spyware might be able to hack the part that displays cards and inject code that reads and transmit your cards to the cheaters. To defeat that, the person who wrote the client code would have to check at load time that the card displaying module is untainted. In other words, before it loads ANYTHING, it has to make sure no one changed it.
Most poker client software actually probably does that. But there are probably literally thousands of similar checks and verifications the poker client has to make throughout the code to make sure that no evil code sneaks in, and humans being humans, usually a few get missed.
Again, Im not trying to be alarmist. Its not easy to write such a piece of spyware. But in computer security, where theres a will, theres a way. Theres money to be made, and you can be 100% certain people are working on hacks like this as you read this. Someone will find a hack, get people to install it, and use it for a while to steal money. Eventually the poker site will find out, and the developer will fix the crack. But in the meantime, bad stuff has happened.
Thats about it for the integrity of the game. To be honest, I think its a relatively low risk for most people. Frankly, its a lot easier for spyware just to grab your password through a keylogger, log in as you, and take your money that way. Be very careful about what you install on your computer, and be on the lookout for drive-by downloads. And dont play at shady sites. The shadier the site, the more likely someone working for it will see the easy money they can grab and grab it.
Team Play
Team play is a more imminent threat. Obviously, colluding is trivial. Talk to someone else while you play. Its a skill, though two idiots who cant play poker arent a threat. But two excellent players who have mastered colluding will be damn near unbeatable.
Identifying collusion is tricky. Theres ways sites can do it, but a lot of the evidence is circumstantial, and it requires human eyes to make the final call. Whenever you have a network-scale problem and a human-scale solution, stuff will slip through the cracks. Especially when the problem users are largely anonymous and can just change IPs, bank accounts, and usernames and start again.
Furthermore, cardrooms have a long-term incentive to squelch cheating (because it fleeces the regular players and eventually theyll stop playing), but a short-term incentive to cover it up (because a cheating scandal will chase players away long before they get frustrated and quit on their own). Whenever your first incentive is to cover something up, you have a dangerous situation. Its not an indictment of cardrooms, its just the way it is.
To me, the most direct threat to online poker is colluding bots. By themselves, bots are a major threat to online poker. Bot software is now available to the public at a very affordable price. (Please dont flame me for the link. Enough people already know about and use these bots that the damage is done, so to speak. If you dont believe me, look at the forums at that site and see how active they already are. Im very much trying to educate the regular player about what they are up against.)
The reason bots are a threat is because its not too hard to code a bot that will beat the small games, both limit and no limit. Small games are the lifeblood of the poker economy and the $100 losses at $2-$4 are ultimately what feed the $1,000-$2,000 games at the top - pyramid style. In a normal small stakes game, incompetent players fill most of the seats, and the few good players shear the sheep, as it were, taking their cut, but leaving most of the money floating around.
Bots, however, have the capability to be in hundreds of games simultaneously. Eventually they will skin the sheep. They will continue to expand and fill seats until someone stops them, or until its no longer profitable. If the bots are making no money, then it means the cardroom is getting its rake, the good players are getting a tiny bit, and the bad players are getting slaughtered. Theyll quit. And without their money, the whole online poker pyramid will collapse.
Bots are quite literally the cancer of online poker. They will multiply until they have killed their victim or until someone contains them. The bot software I linked above allows users to create their own AI and plug it into the bot framework. Hundreds of great poker minds are working right now to develop better AIs. If you want insight into their brains, again, read those forums.
More threatening still is colluding bots. Bots can communicate with other bots and share hole cards. Say someone writes a colluding bot and sits it in three seats of a game. The bots share hole cards with each other and instantly adjust their strategies based on the extra knowledge. A well-coded bot of this type would be extremely formidable even to strong players.
If poker sites want to survive and keep their pot-o-gold running into the next decade, they need to tackle the bot problem head on (apply directly to the forehead). They have adopted some counter-measures. For instance, Party and Stars (and possibly others) use a technology called captchas (youve no doubt seen them on numerous websites now) to thwart bots. A captcha is just an image with distorted lettering on it. Its trivial for humans to see through the distortion and type in the lettering, but its a tough problem for computers. The site challenges you with a captcha, and you have to type it in to keep playing. Bots wont be able to do this reliably enough to avoid detection.
But captchas dont work at all if a person is sitting there watching the bot. Say someone has three computers with a colluding bot on each computer. They tell the bots to play, and they monitor the action to look out for captchas. Its a solution for the nickel-and-dime botting at the very bottom, but as soon as theres meaningful money involved, people will sit there just to type in captchas. Or hire people to do that. Lots of people would be happy to earn $8/hour to sit there and type in captchas.
Its a tough nut to crack, but sites will eventually have to attack the problem very aggressively if they want to keep their businesses going. And ultimately, the deck is stacked against the cardrooms. Theres no iron-clad solution. Bots can run remotely so the bot software is entirely undetectable on the client machine. Poker clients would have to ban the use of all sorts of macroing and other automated input programs to stop it, but the bleeding edge botters will always be one step ahead.
In fact, the botters could reduce their footprint on the client machine to nearly zero. They could run the bot on a separate computer. The bot could simply suggest plays (informed with the hole cards of other bots) on that computer, and a hired person could execute the plays in real time on the client machine. The hired player could respond to chat, enter captchas, and otherwise appear like a completely normal player. This could be done in workshop-style offices on a large scale in places like Eastern Europe where kids can be hired very cheaply. The only recourse the cardrooms would have is the labor-intensive collusion detection available to them. If the botters collude smartly, (i.e., they dont collude every hand, but mix it up to use poker terms), they could escape detection for quite a while. Lest you think this is far-fetched, such workshops already exist in China to play online computer games and sell virtual property.
Unfortunately, as I gaze into my crystal ball, I fear colluding bots may make online poker in 2010 just a shell of what it is today. As someone who makes his living off the vibrancy of honest poker, that thought scares me a lot. But just because I want the problem to go away doesnt mean it will. You, every honest poker player, should know what the threats are and exactly what you might be up against when you play online poker.
Ed Miller Noted Poker Authority