Randomness in shuffling on-line
Here is a rather lengthy article which someone e-mailed me regarding security at on-line poker...I've seen some strange plays lately, though I don't play at any of the identified poker houses, and am getting concerned that on-line play may not be quite as random as g
Skip over navigation
» Home » Company » Solutions » News » Resources » Labs
Search
Cigital Home > News > Press Releases > Read Release
Press Release
Internet Gambling Software Flaw Discovered by Reliable Software Technologies Software Security Group
DULLES, Va., September 1, 1999—The Software Security Group at Reliable Software Technologies, the leading authority and industry visionary on software assurance for security-critical software, today announced the discovery of a major security flaw in Internet Gambling software. The flaw can be exploited to bilk innocent players of actual money in online poker games.
Regardless of its quasi-legal status, online gambling presents an entire raft of risks. Key questions include: Will your personal information be handled securely (for example, will the credit card number you're paying with be stolen or the fact that you're gambling at all be leaked)? What if the gaming site is hacked? Could you be playing against cheating insiders or players acting in collusion? Are the games implemented correctly and fairly? Is the software secure? In response to the last question, we have demonstrated that the answer is no.
The Software Security Group at Reliable Software Technologies has discovered a serious flaw in the implementation of Texas Hold 'em Poker that is distributed by ASF Software, Inc.. We have exploited this flaw in the lab. Our exploit allows a player (us) to calculate the exact deck being used for each hand in real time. That means a player using our exploit knows the cards in every opponent's hand as well as the cards that will make up the flop (cards placed face up on the table after rounds of betting). We can always make the right decision, and consequently maximize our earnings. A malicious attacker could use our exploit to bilk innocent players of actual money without ever being caught. ASF Software and all of their online casino customers have been notified of the flaw.
Currently we know of three online casinos (www.planetpoker.com, www.purepoker.com, and www.deltacasino.com) that appear to use ASF Software's implementation of Texas Hold 'em Poker. All three Websites allow players to compete for real money. There is also a demo casino that allows players to gamble with play money. We used our exploit against the demo casino. We also demonstrated, without actually cheating, that it could be used against real money casinos.
The flaw exists in the card shuffling algorithm used to generate each deck. Ironically, the code was publicly displayed at www.planetpoker.com/ppfaq.htm with the idea of showing how fair the game is to interested players (the relevant question has since been removed). In the code, a call to randomize() is included to produce a random deck before each deck is generated. The implementation, built with Delphi 4 (a Pascal IDE), seeds the random number generator with the number of milliseconds since midnight according to the system clock. That means the output of the random number generator is easily predicted. A predictable "random number generator" is a very serious security problem.
The scenario below illustrates the problem. The first screen shows an actual game in progress. In this scene, we are jonnyboy (whose cards are shown face up) and three "flop" cards are displayed. Two other players are participating, but their cards are not displayed (for obvious reasons).
Click to enlarge
By synchronizing our clock with the clock on the online casino and hitting the "shuffle" button, our program can calculate the exact shuffle. That means we know all the cards that have yet to appear, everyone's hand, and who will win. The screen shot below shows the information displayed by our program in realtime during an actual game. Our program knows what cards are to appear in advance, before they are revealed by the online game.
Click to enlarge
As you can see in the screen shown below, taken at the conclusion of the demonstration game, our program has correctly determined all the cards. Given our program, a malicious user would know when to hold 'em and know when to fold 'em with 100% accuracy. This information can be used to win money from unsuspecting players.
Click to enlarge
A typical hand involves $30-1000 in the pot. We estimate over $100,000 worth of money changes hands daily on the four most popular online poker sites.
There are a number of other problems in the poker implementation that could lead to complete security compromise. We have only exploited the easiest one at this time.
The broad take home message from this work is simple: when software misbehaves, bad things can happen. Our mission in the Software Security Group is to stamp out insecure code before it is placed in service. Members of the group involved with the Gambling exploit are: Brad Arkin, Frank Hill, Scott Marks, Matt Schmid, and TJ Walls. The Software Security Group is led by Dr.Gary McGraw.
About Reliable Software Technologies
Headquartered in Dulles, VA, Reliable Software Technologies Corp. (RST) is a leading authority and industry visionary on software assurance for critical software. Founded on the simple, compelling premise that software must work, the company offers technology and services that help organizations deliver reliable, robust, and secure software—the essence of software assurance. With expertise in test optimization, security and metrics, RST helps corporations, independent software vendors and system integrators optimize time spent in development and test, dramatically accelerating time-to-market.
Learn more about RST on the Web at http://www.rstcorp.com/.
More technical details are available
Contact:
Steve Goodwin
Cigital
703-404-5822 (office)
sgoodwin@cigital.com
News & Events
> Featured
> Press Releases
> In the News
> Events
Subscribe
Join our SQM Update List
Copyright ©1995-2005, Cigital, Inc.
Privacy Policy
Accessibility Statement
Contact Us enerally believed. Anyone have any thoughts on this? Here's the article:
Skip over navigation
» Home » Company » Solutions » News » Resources » Labs
Search
Cigital Home > News > Press Releases > Read Release
Press Release
Internet Gambling Software Flaw Discovered by Reliable Software Technologies Software Security Group
DULLES, Va., September 1, 1999—The Software Security Group at Reliable Software Technologies, the leading authority and industry visionary on software assurance for security-critical software, today announced the discovery of a major security flaw in Internet Gambling software. The flaw can be exploited to bilk innocent players of actual money in online poker games.
Regardless of its quasi-legal status, online gambling presents an entire raft of risks. Key questions include: Will your personal information be handled securely (for example, will the credit card number you're paying with be stolen or the fact that you're gambling at all be leaked)? What if the gaming site is hacked? Could you be playing against cheating insiders or players acting in collusion? Are the games implemented correctly and fairly? Is the software secure? In response to the last question, we have demonstrated that the answer is no.
The Software Security Group at Reliable Software Technologies has discovered a serious flaw in the implementation of Texas Hold 'em Poker that is distributed by ASF Software, Inc.. We have exploited this flaw in the lab. Our exploit allows a player (us) to calculate the exact deck being used for each hand in real time. That means a player using our exploit knows the cards in every opponent's hand as well as the cards that will make up the flop (cards placed face up on the table after rounds of betting). We can always make the right decision, and consequently maximize our earnings. A malicious attacker could use our exploit to bilk innocent players of actual money without ever being caught. ASF Software and all of their online casino customers have been notified of the flaw.
Currently we know of three online casinos (www.planetpoker.com, www.purepoker.com, and www.deltacasino.com) that appear to use ASF Software's implementation of Texas Hold 'em Poker. All three Websites allow players to compete for real money. There is also a demo casino that allows players to gamble with play money. We used our exploit against the demo casino. We also demonstrated, without actually cheating, that it could be used against real money casinos.
The flaw exists in the card shuffling algorithm used to generate each deck. Ironically, the code was publicly displayed at www.planetpoker.com/ppfaq.htm with the idea of showing how fair the game is to interested players (the relevant question has since been removed). In the code, a call to randomize() is included to produce a random deck before each deck is generated. The implementation, built with Delphi 4 (a Pascal IDE), seeds the random number generator with the number of milliseconds since midnight according to the system clock. That means the output of the random number generator is easily predicted. A predictable "random number generator" is a very serious security problem.
The scenario below illustrates the problem. The first screen shows an actual game in progress. In this scene, we are jonnyboy (whose cards are shown face up) and three "flop" cards are displayed. Two other players are participating, but their cards are not displayed (for obvious reasons).
Click to enlarge
By synchronizing our clock with the clock on the online casino and hitting the "shuffle" button, our program can calculate the exact shuffle. That means we know all the cards that have yet to appear, everyone's hand, and who will win. The screen shot below shows the information displayed by our program in realtime during an actual game. Our program knows what cards are to appear in advance, before they are revealed by the online game.
Click to enlarge
As you can see in the screen shown below, taken at the conclusion of the demonstration game, our program has correctly determined all the cards. Given our program, a malicious user would know when to hold 'em and know when to fold 'em with 100% accuracy. This information can be used to win money from unsuspecting players.
Click to enlarge
A typical hand involves $30-1000 in the pot. We estimate over $100,000 worth of money changes hands daily on the four most popular online poker sites.
There are a number of other problems in the poker implementation that could lead to complete security compromise. We have only exploited the easiest one at this time.
The broad take home message from this work is simple: when software misbehaves, bad things can happen. Our mission in the Software Security Group is to stamp out insecure code before it is placed in service. Members of the group involved with the Gambling exploit are: Brad Arkin, Frank Hill, Scott Marks, Matt Schmid, and TJ Walls. The Software Security Group is led by Dr.Gary McGraw.
About Reliable Software Technologies
Headquartered in Dulles, VA, Reliable Software Technologies Corp. (RST) is a leading authority and industry visionary on software assurance for critical software. Founded on the simple, compelling premise that software must work, the company offers technology and services that help organizations deliver reliable, robust, and secure software—the essence of software assurance. With expertise in test optimization, security and metrics, RST helps corporations, independent software vendors and system integrators optimize time spent in development and test, dramatically accelerating time-to-market.
Learn more about RST on the Web at http://www.rstcorp.com/.
More technical details are available
Contact:
Steve Goodwin
Cigital
703-404-5822 (office)
sgoodwin@cigital.com
News & Events
> Featured
> Press Releases
> In the News
> Events
Subscribe
Join our SQM Update List
Copyright ©1995-2005, Cigital, Inc.
Privacy Policy
Accessibility Statement
Contact Us enerally believed. Anyone have any thoughts on this? Here's the article:
Comments
Cheers
Magi
That article is complete BS. Just look at the date.
Any hardcore poker player should know that this is all true. There was a flaw in the seed used for the RNG at planet poker. Given the server time and your hole cards, it could predict all the cards delt at the table and the board.
As I have posted before, I would hope any popular site would be audited for this type of thing and post this information to enhance their credibility. If I'm dreaming on this, I'd really like to know about it.
If someone was to pass around a recent article concerning a popular site with valid evidence, I'd be very interested to see it. Pretend I'm from Missouri.
I can't see how such a site could survive today.