More eCOGRA Seals Awarded

[jetset]

I just do not see the validity of that statement, Grandmaster. The way I read this press release is that all interested software providers and the casinos they serve are welcome to attend a briefing on the progress being made, and what obtaining a Seal genuinely involves.

It does not to my mind indicate in any way that proprietary information on the TGTR is about to be released to providers but not players, if that is your implication.

I would suggest that contrary to your interpretation this PR not only shows that the initiative is open to every company that can meet the standards, but is transparent and informative in a practical sense for those prepared to commit directly to eCOGRA regulation who perhaps want to ask questions of a business nature.

It is an additional opportunity to openly and honestly present eCOGRA. And on your transparency issue eCOGRA has been diligent in the detail on its website, carrying out briefings and issuing press releases on its activities from day one.

Similarly, I do not see how you can interpret the following paragraph as implying that the Seal is awarded by players. To me it explains a business rationale for voluntary regulation by committed casinos: "Our goal is to introduce sensible self-imposed regulation that will improve business by attracting to our approved casinos a bigger percentage of gamblers tired of questionable practices and inept operational conduct elsewhere".

That is a legitimate goal projecting the probable results of successful regulation as eCOGRA develops. And I would see that as a real advantage to players fed up with "...questionable practices and inept operational conduct elsewhere."

eCOGRA is all about introducing sensible, player-sensitive rules to casinos and enforcing them to give the player a better service and experience...and a fast and effective dispute resolution service if he/she encounters any problems.

The other side of the coin is that players will appreciate these very real attributes and be more likely to gravitate to Seal casinos, especially when these offer a range of softwares and games as more providers join up.

If you remain unconvinced by eCOGRA's website, the impressive people involved in the initiative, the progress made thus far, the quality of the casinos that have signed up and the bona fides of the founding funders along with the arguments that have been presented here and elsewhere, then I must conclude that your opinion is set and is unlikely to change in the immediate future. That is your prerogative, but I'm sure you will keep an open mind as the initiative develops, the regulations are seen to be enforced and more good casinos join the Seal list and provide real improvements in efficiency and player treatment.

Contrary to your own opinion, I believe this initiative is way more significant than a "useful dispute resolution service".

 

[jpm]

It sounds like that casinos are allowed to learn about the procedures, so the arguments put forward justifying secrecy are not valid, it is just us stupid players who are kept in the dark.

They are learning more about the certification procedure, not the exact methodology of the audit. A synopsis of these procedures already been published here and elsewhere:

eCOGRA requires that approved casinos are financially stable and have adequate reserves to cover wagers. The probity of casino management is scrutinised, together with player protection measures, payout times and financial facilities, games fairness, responsive Support and general operational efficiency. Policies have to be in place for communicating with clients and dealing with player complaints, and satisfactory technical capabilities and anti money-laundering systems are critical.

I'm sure they aren't about to disclose the methodology to those that they are certifying, for the very reasons we've discussed in this thread ad nauseum.

 

[caruso]

LOL. JUST that EXACT requirement was constantly thrown at the OCA project: "What is the methodology?" Now, because we have a bunch of suits trumpeting OBEs and various other titles (by the way, what is the average cost of a peerage in the UK these days? I think 100 grand will get you something pretty awesome) claiming that their "verification process" proves the software "fair", all of a sudden it's INAPPROPRIATE to disclose this information!

OK, I am the ONLY player to see the BLATANT DOUBLE STANDARD of this position??

If we have an INDEPENDENT organization, INDEPENDENTLY gathering data from REAL players and performing VERIFIABLE tests which are NOT in any way manipulatable from the casino end and the organization is NOT sitting squarely in the pockets of those they claim to "verify", we need to see their inside leg measurements and some DNA samples. As soon as the boot's on the other foot - oh no, very very sorry, we can't disclose that information. You'll have to take us on our honour.

LMAO.

If you remain unconvinced by eCOGRA's website, the impressive people involved in the initiative, the progress made thus far, the quality of the casinos that have signed up and the bona fides of the founding funders along with the arguments that have been presented here and elsewhere, then I must conclude that your opinion is set and is unlikely to change in the immediate future.

You conclude wrong.

His opinion, like mine, is not set. He, like me, is an intelligent person capable of making intelligent decisions based on the facts. He has made his decision. Unremarkaby, it pretty much mirrors my own. Equally unremarkably, it pretty much mirrors the opinion as expressed by the vast majority of informed (heavy stress on "informed") players, ie. as a RESOLUTION SERVICE, fantastic, but as anything which claims to make a statement about game fairness it is a waste of time UNTIL the processes and methods are on the table and verifiable by other people, including US.

You can peddle this stuff to the online media; you can peddle it to the UK mainstream media; you can peddle it to the UK gaming board; you can peddle it to the punters - they'll all lap it up. You canNOT peddle it in this kind of environment, frequented by a lot of INFORMED players, and expect a free ride. We know what's what. If you doubt that, read back through this thread and the one at WOL. You'll see informed player after informed player expressing the same opinion: dispute resolution service = right on and thumbs up all the way. Software verification = waste of time in its current form.

 

[jpm]

If we have an INDEPENDENT organization, INDEPENDENTLY gathering data from REAL players and performing VERIFIABLE tests which are NOT in any way manipulatable from the casino end and the organization is NOT sitting squarely in the pockets of those they claim to "verify", we need to see their inside leg measurements and some DNA samples. As soon as the boot's on the other foot - oh no, very very sorry, we can't disclose that information. You'll have to take us on our honour.

Ok, but then who is going to pay the bill for all of this testing and verification?? I don't think they are going to do it for free. Someone has to foot the bill. Because the casinos are paying for the certification does not necessarily mean that eCOGRA is in their pockets. No more so than a reputable auditing firm is in the pocket of the corporation they are auditing simply because the corporation is paying the bill (Enron, etc. aside).

Its pretty unlikely that the players are all going to be willing to pay for this service, and equally unlikely that the people doing to work are going to do it gratis. So we are left with 2 choices, either we have no organization like eCOGRA who can do some good and we rely solely on message boards to resolve disputes, or we accept an organization like eCOGRA who is funded by the casinos they are certifying and support them until they prove themselves one way or the other.

It will become obvious very quickly whether they are puppets of the casinos or a legitimate source of dispute resolution, etc. Why not give them the chance to prove themselves before you start tearing them down as corrupted by the casinos they are certifying? If you're so sure they are a phony organization, let them prove it for you! If it turns out that they aren't, all the better for everyone. But at least give them the chance to succeed or fail.

 

[caruso]

You're missing the point. I APPLAUD the dispute resolution side. I have no problem with it. I love it. I don't need to "give it a chance" because it's already the bee's knees as far as I'm concerned.

Will I ever have recourse to use it? I doubt it. Riverbelle? Lucky Nugget? Who ever had a problem with these places? You could probably count them all on one hand since the day they opened.

That's the thing: although we ostensibly have a "blanket" service on offer here in terms of general quality control, however much the other aspects may be trumpeted as indicators of their general excellence we all know that what this is REALLY all about is just ONE thing: software verification. Ecogra casinos guarentee the player a fair game. Guarenteed. Tested. Verified. Rubber stamped. Do I want to know that Ecogra is in my corner if I have a payment dispute with Lucky Nugget? Hardly - it's most unlikely to happen. Do I want to know that Ecogra "guarentees" me a fair game at Lucky Nugget? Hell yes. This is the SINGLE most important aspect. We know it, Ecogra knows it. Everyone knows it.

The other aspects are very nice, but let nobody be deluded into thinking that the software verification claim is anything less than ninety nine point nine nine percent the selling point of Ecogra. Ecogra guarentees me a fair game at their casinos. And this claim is BY DEFINITION MEANINGLESS because it cannot be verified. Cannot, will not.

"We will mediate disputes": Brilliant. Already proven. Everything I could ever ask for with icing and cherries on the top.

"We guarentee a fair game": Balloney.

That is the problem.

 

[GrandMaster]

They are learning more about the certification procedure, not the exact methodology of the audit. A synopsis of these procedures already been published here and elsewhere:

eCOGRA requires that approved casinos are financially stable and have adequate reserves to cover wagers. The probity of casino management is scrutinised, together with player protection measures, payout times and financial facilities, games fairness, responsive Support and general operational efficiency. Policies have to be in place for communicating with clients and dealing with player complaints, and satisfactory technical capabilities and anti money-laundering systems are critical.

I'm sure they aren't about to disclose the methodology to those that they are certifying, for the very reasons we've discussed in this thread ad nauseum.

I am sure the casinos are told what data they need to provide on daily, weekly or monthly basis, and what they can expect in return. It is claimed that TGTR is also used by Boss Media, Cryptologic and major land based casinos. I don't think they are paying PwC for nothing, they must be getting something out of it, the process must provide quite extensive information back to the casino management. Why can't some of it be shared with us? I have not found any mention of TGTR apart from ecogra, so maybe the other casinos think of it as a management tool rather than anything in the interest of the players, certainly they are not advertising it. I would like to understand the relation between ecogra and the TGTR process. Was ecogra established first, and TGTR developed to meet ecogra's principles, or did TGTR come first and then the principles were formulated to fit around it?

We always come back to the issue of secrecy and proprietary information. It was a strategic mistake to go for a proprietary process whose details are not revealed to players. It is outright misleading to call the seal the "players seal of approval" when players are not involved in the approval process at any stage.

Let me try to explain again that it is not necessary to keep the process secret to stop the casinos from manipulating it. Consider Windows and IE, Linux and Mozilla. The former are proprietary, the latter are open source. Which have more security issues? Windows and IE, despite the fact that the source code to Linux and Mozilla are freely available to any hacker to try to exploit. Linux and Mozilla are more secure, although not perfect, because they were designed with security as one of the objectives. (Before you argue that Linux is a minority operating system and it is not worth for the hackers to bother with it, Linux is a leader in the webserver market, and for most companies, the security of their webserver is important, even more so if they are involved in e-commerce.)

 

[jpm]

Thanks Caruso, now I understand where you're coming from on this issue. Your objections make more sense to me now.

 

[rowmare]

Quote: :Consider Windows and IE, Linux and Mozilla. The former are proprietary, the latter are open source. Which have more security issues? Windows and IE, despite the fact that the source code to Linux and Mozilla are freely available to any hacker to try to exploit. "

That's apples and oranges. Microsoft is notorious for releasing software while still in the beta stage. They are constantly releasing patches to fix their oversights and errors, security problems.

Breaches in windows security is far more widely publicized simply because the average Joe knows who Microsoft is (for the same reason a hacker seeking publicity is well advised to attack microsoft software). Also, hackers prefer to go after vulnerable, privately owned p.c.'s rather than servers who fiercely protect their security with firewalls, et al. Hell, you don't have to get into a server's software to take them down, anyway.

Hackers consider themselves an elite bunch, and love to hate Microsoft, while respecting the hell out of Linux, etc - most true geeks run Linux or Unix and Use Mozilla and Mozilla's Thunderbird.

I could go on ad nausium and make a much larger list explaining why microsoft is hacked more often than linux and their ilk. But I digress, this isn't the focus of the forum.

Apples and oranges, I tell ya!

 

[jpm]

I couldn't agree more, and prevalence of Windows is a HUGE factor as well. I would argue about the 'true geeks use linux' comment though. (but this isn't the thread for it! )

 

[GrandMaster]

Quote: :Consider Windows and IE, Linux and Mozilla. The former are proprietary, the latter are open source. Which have more security issues? Windows and IE, despite the fact that the source code to Linux and Mozilla are freely available to any hacker to try to exploit. "

That's apples and oranges. Microsoft is notorious for releasing software while still in the beta stage. They are constantly releasing patches to fix their oversights and errors, security problems.

Breaches in windows security is far more widely publicized simply because the average Joe knows who Microsoft is (for the same reason a hacker seeking publicity is well advised to attack microsoft software). Also, hackers prefer to go after vulnerable, privately owned p.c.'s rather than servers who fiercely protect their security with firewalls, et al. Hell, you don't have to get into a server's software to take them down, anyway.

Hackers consider themselves an elite bunch, and love to hate Microsoft, while respecting the hell out of Linux, etc - most true geeks run Linux or Unix and Use Mozilla and Mozilla's Thunderbird.

I could go on ad nausium and make a much larger list explaining why microsoft is hacked more often than linux and their ilk. But I digress, this isn't the focus of the forum.

Apples and oranges, I tell ya!

No analogy is perfect, but I wanted to address jpm's claim that secrecy is necessary to stop the casinos from manipulating TGTR. Security through obscurity is not an accepted engineering principle. Obviously, if I were designing military communications systems, I would not give the details to the enemy, but the system would be evaluated on the basis that the enemy knows how the system works, just does not have the encryption key. Secrecy is just adds a thin additional layer security, it is not the foundation of security. Since TGTR is meant to reassure players that the game is fair, keeping the process and the results secret is wrong.

You seem to have a very romantic image of hackers. Hacking and cybercrime is a big business. There have been several worms recently which turned the infected machines into spam spewing zombies. You must have heard of the extortion demands and DDoS attack on gambling sites. Industrial espionage has also moved into the cyberworld. People involved in these activities are doing it for the money, not for any kind of feelings about Microsoft, they may even be grateful for all the security flaws. (I hope you all patched your Windows machines yesterday.) If Linux were easier to hack into, cybercriminals would hack into Linux boxes. There are a lot more computers running Windows, but servers (including web servers, many of which run Linux) are inherently vulnerable, even behind a firewall, because they have to accept connections from other computers. Hacking into a webserver with a high bandwidth connection would be great for a spammer, since he could send out a lot more spam than through a computer with slower connection. Windows is the hackers' favourite target, because it is more hackable.

 

[rowmare]

You seem to have a very romantic image of hackers. Hacking and cybercrime is a big business. There have been several worms recently which turned the infected machines into spam spewing zombies. You must have heard of the extortion demands and DDoS attack on gambling sites. Industrial espionage has also moved into the cyberworld. People involved in these activities are doing it for the money, not for any kind of feelings about Microsoft, they may even be grateful for all the security flaws. (I hope you all patched your Windows machines yesterday.) If Linux were easier to hack into, cybercriminals would hack into Linux boxes. There are a lot more computers running Windows, but servers (including web servers, many of which run Linux) are inherently vulnerable, even behind a firewall, because they have to accept connections from other computers. Hacking into a webserver with a high bandwidth connection would be great for a spammer, since he could send out a lot more spam than through a computer with slower connection. Windows is the hackers' favourite target, because it is more hackable.

There are a lot of security concerns regarding linux, unix, etc.
Even a quick search on any search engine would tell you that.

Over than 90% of computers around the world run windows, including many host/servers.

A large percentage of worms, viruses, etal get passed on through email - most notably through outlook express. Why? Because they are so widely used!

The DDos attacks on gambling sites have nothing to do with operating systems per se, and comprise computers regardless of their operating system, be it windows or Linux or Unix or Jimmy's awesome OS.

As for your comment about me having a romantic view of hackers, I don't know how you read that into my post. I regard hackers with contempt, and In no way meant to make them seem noble. (I'm being polite about this, having erased an earlier remark about you bein in need of a proctologist to have your head removed, but thought it too tackless).

 

[jpm]

No analogy is perfect, but I wanted to address jpm's claim that secrecy is necessary to stop the casinos from manipulating TGTR. Security through obscurity is not an accepted engineering principle. Obviously, if I were designing military communications systems, I would not give the details to the enemy, but the system would be evaluated on the basis that the enemy knows how the system works, just does not have the encryption key. Secrecy is just adds a thin additional layer security, it is not the foundation of security. Since TGTR is meant to reassure players that the game is fair, keeping the process and the results secret is wrong.

The algorithms are MUCH more important in an encrypted communications system than the encryption key. Knowing the algorithms and how they are used in the system would be more valuable than just having the encryption key. Even determining a partial key, or using a totally different key if the original key is poorly chosen, can give you what you want to know, if you have the algorithms and other specs on how the system works. Ask Motorola for all the details on their DVP system for instance and see if they give it to you.

While 'security through obscurity' may not be an 'accepted engineering principle', it is a necessary security principle. This is why security experts and not engineers design security protocols and procedures. While some of these experts may be engineers, not all of them are. And likewise, not all engineers are security experts. In fact, I find many engineers to be the BIGGEST security risks/holes in an organization. But again, this is another apples to oranges comparison that really doesn't have anything to do with the thread.

A more relevent analogy would be the way the airlines and TSA evaluate passengers to determine who is low risk and who is high risk with regards to terrorism. They have a number of factors they use to evaluate the passenger to determine this risk, and they will tell you SOME of the factors, but will never tell you ALL of them or how they are used. If you knew all of this info, you could easily make yourself look less risky than you actually are (assuming you have bad intentions of course).

The same holds true for a casino. If I run a dishonest casino and I want you to come in and certify that my casino plays fair. You tell me the exact methodology ahead of time that you are going to use to determine that my games are fair, I can most certainly manipulate things so that it looks fair when you evaluate it. This is the very reason why when a reputable auditing firm comes in to audit a business, they pull things from the files at random to inspect/confirm. They will tell you ahead of time that they are going to do this, but not what specific things they are going to inspect/confirm. The investors and financiers of that business don't need to know the exact methodology and items that were inspected/confirmed to believe what the auditors report to them, as long as the auditors are reputable and honest. (Now re-read that last sentence replacing the words 'investors/financiers' with 'players', and 'business' with 'casino'.)

Try calling PWC and tell them you want to have them come and audit a company, but before you agree to hire them, you want to know their exact methodology and exactly what items the will want to inspect/confirm and see what they tell you.

(Romware, once again your comments are right on the mark )

 

[spearmaster]

Windows is the hackers' favourite target, because it is more hackable.

While Windows is definitely more hackable (rather, more buggy than any other software available) - that is not the reason it is the hacker's favorite target.

The reason it is the hacker's favorite target is because 90% (btw, that figure is low) of computers use Windows. Thus, if one wanted to spread viruses, it would be far easier to spread through Windows than Linux or any *nix for that matter.

Also, home users generally don't use Linux... and home users obviously know much less about security and firewalls and the like. So the success rate of an infection is generally higher.

 

[caruso]

The argument that transparency of the reporting process is by definition impossible because of "manipulation" issues is entirely irrelevant.

"Sorry, but we cannot disclose our processes becuase of security issues."

Fine, I don't have any problem with that - other than that since the results reported from those processes are now also "by definition" totally valueless, the software certification is the same - totally valueless. It makes no difference how much you try to work your way around the issue, that simple fact remains. Uncorrobarated / uncorroboratable claims of this kind are nothing more than fiction.

And I wonder if this is now Ecogra's official stance on the issue? So, no can do. Security issues. It would be ironic if the excuse they found to keep their non-existent "validation process" under wraps was neatly provided for them on the message boards, where casinos and those representing them are called to task on a day by day basis.

 

[GrandMaster]

The algorithms are MUCH more important in an encrypted communications system than the encryption key. Knowing the algorithms and how they are used in the system would be more valuable than just having the encryption key. Even determining a partial key, or using a totally different key if the original key is poorly chosen, can give you what you want to know, if you have the algorithms and other specs on how the system works. Ask Motorola for all the details on their DVP system for instance and see if they give it to you.

This is not the current accepted thinking. There are many published, publicly available strong algorithms, which you can implement yourself on your computer if you wish. See for example "Applied Cryptography" by Bruce Schneier, or "Practical Cryptography" by Niels Ferguson and Bruce Schneier. Here is a quote from p. 344 of "Secrets and Lies", another excellent book by Bruce Schneier: "The only way to have any confidence in the security of a system is over time, through expert evaluation. And the only way to get that expert evaluation is if the details of a sytem are public. A good security design has no secret in the details. In other words all the security is in the product itself and its changeable secret: the cryptographic keys, the passwords, the tokens, and so forth. The antithesis is security by obscurity. The details of the system are part of security. If a system is designed with security by obscurity, then that security is delicate. As the designers of the once proprietary security systems, the DVD encryption scheme, and the FireWire interface learned, sooner or later the details will be released. A bad system design is secure as long as the details remain secret, but quickly breaks once they are released. A good system design is secure even if the details are public."

Motorola may have good commercial reasons for not revealing the details of DVP to me, but if I were considering a product using DVP for a specific purpose, I would insist on having it evaluated by my own experts, rather than rely on Motorola's word.

While 'security through obscurity' may not be an 'accepted engineering principle', it is a necessary security principle. This is why security experts and not engineers design security protocols and procedures. While some of these experts may be engineers, not all of them are. And likewise, not all engineers are security experts. In fact, I find many engineers to be the BIGGEST security risks/holes in an organization. But again, this is another apples to oranges comparison that really doesn't have anything to do with the thread.

You make it sound like engineers cannot be experts. There is something called security engineering, in fact I have a book by Ross Anderson with this title.

A more relevent analogy would be the way the airlines and TSA evaluate passengers to determine who is low risk and who is high risk with regards to terrorism. They have a number of factors they use to evaluate the passenger to determine this risk, and they will tell you SOME of the factors, but will never tell you ALL of them or how they are used. If you knew all of this info, you could easily make yourself look less risky than you actually are (assuming you have bad intentions of course).

You believe everything the government tells you, don't you. Read

You do not have permission to view link Log in or register now.

for an explanation how the passenger profiling can be defeated, and that it is in fact worse than picking out people at random.

The same holds true for a casino. If I run a dishonest casino and I want you to come in and certify that my casino plays fair. You tell me the exact methodology ahead of time that you are going to use to determine that my games are fair, I can most certainly manipulate things so that it looks fair when you evaluate it. This is the very reason why when a reputable auditing firm comes in to audit a business, they pull things from the files at random to inspect/confirm. They will tell you ahead of time that they are going to do this, but not what specific things they are going to inspect/confirm. The investors and financiers of that business don't need to know the exact methodology and items that were inspected/confirmed to believe what the auditors report to them, as long as the auditors are reputable and honest. (Now re-read that last sentence replacing the words 'investors/financiers' with 'players', and 'business' with 'casino'.)

Try calling PWC and tell them you want to have them come and audit a company, but before you agree to hire them, you want to know their exact methodology and exactly what items the will want to inspect/confirm and see what they tell you.

There are literally millions of auditors in the world, so the methods of auditing are not exactly secret. When it comes to verifying the fairness of the games and the RNG, the testing could also involve testing randomly chosen sets of results. Just finding a non-random source that would pass several published randomness tests would be hard enough, but it would be even harder for a casino to manipulate the results if it does not even know which results to fix.

 

[jetset]

More casinos have passed the eCOGRA inspections - there's a news release elsewhere on Casinomeister with the news today that C.O.N. is now on board.

Briefings for an open audience of providers takes place lunchtime today in Toronto at GIGSE, and there are two other public and open presentations scheduled for later this week by chairman Michael Hirst and CEO Andrew Beveridge.

 

[jpm]

This is not the current accepted thinking. There are many published, publicly available strong algorithms, which you can implement yourself on your computer if you wish.

True, but they are not published as being the ones used by a particular organization or military unit. If their specific algorithms were being published and/or made public, I'm sure they would have them changed. I'll still maintain that you don't make the specific details of your security system public in the desire to maintain its privacy and security.

Motorola may have good commercial reasons for not revealing the details of DVP to me, but if I were considering a product using DVP for a specific purpose, I would insist on having it evaluated by my own experts, rather than rely on Motorola's word.

I'm sure they'd let you evaluate it, but they wouldn't supply you with their proprietary information detailing every aspect of the system.

You make it sound like engineers cannot be experts. There is something called security engineering, in fact I have a book by Ross Anderson with this title.

I don't know how you got that out of what I said, I was pretty clear about it. There are engineers who are security experts, and vice versa. Being one does not automatically make you the other. Having worked with many engineers in the past, I can tell you that many of them didn't concern themselves with security. Some would have their passwords written down right next to their workstation or on the monitor, etc, or use no password at all for example.

You believe everything the government tells you, don't you.

Not at all, just using that as an example. I believe its a totally flawed system and if they wanted to profile the right people, it would be very easy to do and I think we all know how to do it. You don't need fancy relational databases and computers snooping into everyone's private life to figure it out.

There are literally millions of auditors in the world, so the methods of auditing are not exactly secret.

Exactly what I said, the methods are not secret, what exactly they are looking at is. Or more accurately, it is random in the example I cited. I think that is probably the best way to do an audit of any sort (other than a full audit of all information). Hopefully that is the way eCOGRA goes about doing it, but we may never know. And since we don't know, we have to run an honest casino, or we'll most likely be found out by whatever method they are using.

In any case, I think we've probably beaten this poor dead horse to a pulp by now. I think that those who are against eCOGRA will not be convinced otherwise by anything else I can say here. eCOGRA's actions will have to speak for them.

 

[dominique]

More casinos have passed the eCOGRA inspections - there's a news release elsewhere on Casinomeister with the news today that C.O.N. is now on board.

I have been looking for this but cannot find it.

Maybe someone can point me in the right direction?

 

[jpm]

Its in the thread just below this one Dominique. Go back up to the Casino Industry Discussion forum and look right under this thread.

 

[dominique]

Thank you, jpm.

 

[The Dude]

https://www.casinomeister.com/forums/threads/cassava-casinos-awarded-ecogra-seals.4423/?t=4423

 

[GrandMaster]

True, but they are not published as being the ones used by a particular organization or military unit. If their specific algorithms were being published and/or made public, I'm sure they would have them changed. I'll still maintain that you don't make the specific details of your security system public in the desire to maintain its privacy and security.

PGP is an open source secure e-mail program used by many individuals and businesses. These people usually advertize the fact that they use PGP and put their public key on their webpages or business cards.

Here is another quote from Secrets and Lies, p. 91: "Auguste Kerckhoff first stated this thesis in 1883: There is no secrecy in the algorithm, it's all in the key."

 

[caruso]

I just took a look at one of the seals: "PLAYERS' seal of approval"?? WTF is with "players"?? Where did "players'" come into this? Golden Riviera is "player approved"?

Good grief, what a fit up con job this is. You industry people really make me want to throw up sometimes. You're beneath contempt. How do you sleep at night, knowing the con you're perpetrating on the ignorant public?

And in case anyone doubts how CENTRAL the "software verification" BS is to this whole fit-up con job, and how totally SECONDARY the "disputes resolution" tack-on is, take a look at the opening lines of the BS "seal" statement:

"eCOGRAs Players Seal of Approval is awarded to those casinos which have achieved compliance with eCOGRAs high standards and demonstrated that:

Games are fair"

...implying, along with all the other BS, that the PLAYERS are somehow in agreement with these "claims".

What a con job. I can't believe anyone out there with a conscience is buying this.

 

[jpm]

PGP is an open source secure e-mail program used by many individuals and businesses. These people usually advertize the fact that they use PGP and put their public key on their webpages or business cards..

And your point is? This has nothing to do with an encrypted military communications system.

Here is another quote from Secrets and Lies, p. 91: "Auguste Kerckhoff first stated this thesis in 1883: There is no secrecy in the algorithm, it's all in the key."

Cryptography was still extremely primitive in 1883, and Auguste obviously was not around when the Enigma machine was put into use by Germany during WW2. Take a look at how the allied cryptographers broke the Germans communications using that device. They had captured books of keys, but they didn't have the algorithm to use with them and as such, the keys were useless. This was more important with the later versions of the Enigma box that added another code wheel and user configurable jumper connections to strengthen the encryption.

 

[jpm]

I just took a look at one of the seals: "PLAYERS' seal of approval"?? WTF is with "players"?

I'd have to agree with you on this part Caruso, I was wondering why it was a 'players' seal of approval too.

 

[spearmaster]

Good catch. There is no justification whatsoever for the seal to say "Players Seal of Approval".

I assume word will get back to eCOGRA very quickly.

 

[The Dude]

To begin with, I believe the "Players Seal of Approval" is meant for the players, not from the players -- this makes sense. I don't see a problem with this.

A lot of the criticism made against eCogra in this thread has been made moot by the inclusion of other software providers Cassava for one, and there are a few others on the table at the moment.

I've met Andrew Beveridge a number of times in the past, and last week I had the opportunity to meet with Michael Hirst, and Frank Catania as well. I also have a good insight on what is happening behind the scenes - from the inspection process to player complaint procedures. To compare this operation to another "Safebet" is mindless. Since eCOGRA's inception, there has been plenty of "transparent" information given to ensure the "informed" players that comparing the two is nonsensical.

I honestly feel that this organization is the closest thing to regulation. All of us (players, webmasters, operators, licensors, turnkey solution providers, etc.) have awaited an organization that has a criteria that casinos must comply with, and that continually scrutinizes these operations.

eCOGRA is open for any software provider. And once the software provider is in, then the casinos are eligible for membership. Licensing jurisdictions are irrelevant since it is the eGOGRA standards that need to be met. This is a very good thing, and will be the closest thing to regulation as we will possibly get.

Hopefully within the upcoming months, we'll all get a good feel on how this is beneficial for all of us - naysayers as well.

 

[jpm]

To begin with, I believe the "Players Seal of Approval" is meant for the players, not from the players -- this makes sense. I don't see a problem with this.

I think you're right about this Bryan. I was thinking about it the other day and it definitely depends on where you place the emphasis. I guess its just poor choice of wording, since it almost sounds like it was a vote by players that awarded the seal.

 

[GrandMaster]

I've met Andrew Beveridge a number of times in the past, and last week I had the opportunity to meet with Michael Hirst, and Frank Catania as well. I also have a good insight on what is happening behind the scenes - from the inspection process to player complaint procedures. To compare this operation to another "Safebet" is mindless. Since eCOGRA's inception, there has been plenty of "transparent" information given to ensure the "informed" players that comparing the two is nonsensical.

Can you share with us any information on how the fairness of the games is verified? There is no transparency here.

 

[The Dude]

Can you share with us any information on how the fairness of the games is verified? There is no transparency here.

Not much more than I can say except which is detailed on eCOGRA's website here:

You do not have permission to view link Log in or register now.

here:

You do not have permission to view link Log in or register now.

and here:

You do not have permission to view link Log in or register now.

How is this not transparent?

Does anyone know if the Nevada Gaming Commission

You do not have permission to view link Log in or register now.

these same sort of requirements for their land based casino games? I'm looking for the same sort of guidelines, but I don't see them right off the bat - they may be hidden somewhere.

What I am getting at is that what is explained in detail at the eCOGRA site indicates "Fair Gaming", and it seems that they have placed their requirements out there for public view unlike a government run gaming commission that is undoubtably (?) fair. What more information do you want?

 

[The Dude]

I think you're right about this Bryan. I was thinking about it the other day and it definitely depends on where you place the emphasis. I guess its just poor choice of wording, since it almost sounds like it was a vote by players that awarded the seal.

It was confirmed today that this was meant as for the players, not from the players.

 

[caruso]

It was confirmed today that this was meant as for the players, not from the players.

Sorry, it doesn't matter what they intended. "Players' Seal Of Approval" means "Seal of approval of the players", ie. something either created by, or rubber-stamped and "authorized" by us, the players. It clearly does NOT read as "Hey players, here's a seal for you".

Admittedly, it's a tricky little piece of wording - manufactured by this increasingly tricky little organization.

What more information do you want?

Their stated intentions are irrelevant. Evidence of the workings of the collection process leading to confirmation that the data is genuine, and, beyond that, those actual figures (corroborated as genuine) with the tests applied to "verify" their "randomness".

Without this, the "seal" is meaningless.

But we already know that.

 

[kniepm]

Admittedly, it's a tricky little piece of wording - manufactured by this increasingly tricky little organization.

Their stated intentions are irrelevant. Evidence of the workings of the collection process leading to confirmation that the data is genuine, and, beyond that, those actual figures (corroborated as genuine) with the tests applied to "verify" their "randomness".

Without this, the "seal" is meaningless.

But we already know that.

Does someone this sure that everyone is cheating actually deposit and play on line? That would be a contradiction of your own somewhat twisted logic, no?

 

[GrandMaster]

The thread that refuses to die

Cryptography was still extremely primitive in 1883, and Auguste obviously was not around when the Enigma machine was put into use by Germany during WW2. Take a look at how the allied cryptographers broke the Germans communications using that device. They had captured books of keys, but they didn't have the algorithm to use with them and as such, the keys were useless. This was more important with the later versions of the Enigma box that added another code wheel and user configurable jumper connections to strengthen the encryption.

Auguste Kerckhoff was the first to state the principle, but it still holds true today. Here are a few more sentences from the same page:
"If an algorithm is used in products, it will be reverse engineered. Once-secret algorithms that have been reverse engineered include RC4, all digital cellular encryption algorithms, the DVD and DIVX video encryption algorithms, and the FireWire algorithms. Even algorithms buried deep in military hardware will be reverse engineered: the Enigma during World War II, and just about every NATO and Warsaw Pact algorithm during the Cold War. (We don't know those, but the respective militaries do.) It is a good design to assume that the enemy knows the details of your algorithms, because eventually they will."

I would add to the list of failed secrets the MediaMax CD3 copy protection system that can be circumvented by holding down the Shift key.

An algorithm requires significant investment into hardware or software, but keys are easy to generate, today's computers negotiate a new key for each secure connection. An algorithm may have 2 to the power of 128 or even 256 possible keys, whereas the number of potential algorithms is probably less than a hundred. Here is a "real world" example. A safe may have a million possible combinations. Knowing that a particular safe was made by Chubb won't help you much in opening it. On the other hand, imagine that you find a piece of paper with "combination to the safe 60-28-34" written on it. You may only have to try a handful of safes if you are in a small town. It may not work, the piece of paper may have been dropped by someone from hundreds of miles away who was just passing through, but you have a much better chance if you know the combination and have to find the right safe than the other way around.

 

[spearmaster]

Sorry, it doesn't matter what they intended. "Players' Seal Of Approval" means "Seal of approval of the players"

Well, let's say that it can be easily misconstrued. I am in agreement with Caruso here - the "intent" is not the issue - its the "impression" that counts.

I would strongly suggest that eCOGRA find a better way to issue something which indicates that the casino is eCOGRA-accredited - which is much more accurate - rather than giving the impression that eCOGRA is a rubber-stamp organization.