The Two Plus Two Forums have been hacked, and the admins have taken the forums down to prevent further damage. The hacker has gained access to a list of usernames, e-mails, hashed passwords, and password salts. While hashed passwords and plaintext passwords aren’t quite the same thing, having the hashed password together with its salt makes it possible for the hacker to find plaintext passwords. (This is preventable, but vBulletin’s default hashing algorithm is md5, which is completely insecure against this sort of thing, and against other things too.)
In other words, you should assume that there is currently a hacker that knows your 2p2 username, your e-mail, and your 2p2 password. That’s really bad. This isn’t your standard cryptonerd/privacy nut’s rant that makes you do a lot of work to prevent a potential attack that may or may not come and that you don’t understand; this is a situation in which a very serious hacker has already done the attack. Apologies in advance for the bold and all caps and stuff.
So, right now, here’s what you should do:
The 2+2 forums are dealing with some bad guys who are trying to brute force people’s passwords. In other words, some guy somewhere is running a computer program that probably has a very long dictionary of commonly used passwords and systematically tries a ton of different passwords for a ton of different accounts on 2+2. These types of attacks are essentially preventable by website administrators (and hopefully 2+2 will get its act together soon), but they’re still quite common.
If your password is uncommon (e.g., “kfag4;6-lkjghaa” and not “mypass”), it’s likely nothing to worry about. If your password is in the list of the million most common passwords, someone may very well get access to your 2+2 account as a result. (You should go to 2+2 and change your password immediately.) Worse still, if you use the same password for your e-mail or for a poker site or your bank account, you might lose money as a result.
So, I just wanted to quickly share some easy ways to choose a decent password. I got the basic idea from an awesome xkcd comic. (BTW, xkcd is really cool, and you should check it obsessively on Mondays, Wednesdays and Fridays.) Remember that the goal of a good password is to be both memorable and extremely hard to guess.
A poster on 2p2 recently exposed a major security vulnerability on Lock Poker. The poster found that his password was included in plaintext in the source code of Lock’s Casino app.
I’m not particularly interested in discussing the specifics of Lock’s implementation, but based on my reading of the thread and some PMs/IMs that I got, a lot of people in the poker community could use a basic run-down of how password security works. Indeed, it seems that many players (and perhaps some poker site employees) don’t understand what the heart of the issue is here: a password should not exist in plaintext for longer than it needs to, and it doesn’t need to for very long.
The fact that people seem not to know this is slightly worrisome. So, I thought I’d outline the basics of a standard password implementation in a quick post. This certainly won’t be perfect (no implementation is, of course). But it’s roughly what your bank uses, and your poker site should probably use many of the same ideas, if not the exact same implementation.
Cryptography is extremely counter-intuitive for the uninitiated, so I’m going to dumb stuff down a lot:
Step 1: SSL
When your computer is sending secure information (e.g., passwords, credit card numbers, etc.) to anyone, there are two important things that you need to do right away:
Hi, poker blog readers! I was going to post this on my new nerd blog, and maybe I’ll do that as well. But, I figured that poker players might like this, even if it’s not strictly related to poker.
Basically, this is the simplest, most convincing +EV prop bet that I know of. In other words, it’s an awesome hustle. I’ve occasionally imagined walking into a poker room, finding the nearest guy with a visible newspaper or smart phone, and leaving with his money in my pocket, but unfortunately, nerds don’t make good hustlers.
Here’s how you do the Benford’s Law Hustle™:
- Walk into a casino and find one of a very large class of (pseudo)random number generators that roughly satisfy Benford’s law. (Don’t cheat and google that yet.) You can pick random numbers from newspaper articles (Turn to page A5 and find the first number in the first article) or something similar. Tons of things will work; just about the only things that won’t will be numbers from casino games. (E.g., dice and keno boards are no good.)
- Find someone who’s willing to bet on the first digit of the random number. (The first digit of 2,458,193 is two. Nothing fancier than that.)
- Bet on one and two.
- Give your opponent both eight and nine.
- Lay two to one… (E.g., you pay him $200 if the number is 8,283 or 9,722, and he pays you $100 if the number is 10,136 or 2. If it’s 637, then no money changes hands.)
- Make an absurd profit.
Hi blog readers.
I just started another one of these things. It’s called Solipsist’s Log, and it’s conveniently located at http://www.solipsistslog.com.
I’ll write about non-poker stuff that interests me there. Topics of interest include virtually anything nerdy, with a specialization in computer science theory. (I’m currently waiting to hear back from PhD programs in that field.) I assume that my readership will start out as roughly the nerdier 10% of the people who read Subject: Poker or this blog, most of whom don’t have formal math training. So, for now at least, I’ll try to keep the content accessible to laypeople.
My first post is about my favorite fact: the halting problem. I also made one of those introductory posts that typically accompany new blogs.
So, check it out if you like that sort of thing.
I’ll still maintain this blog in the sense that I won’t rule out writing future posts for it (I’ve even got some in mind), but, as a blogger with a history of breaking promises to his readers, I ain’t makin’ no more of those right now.
As always, you can follow me on Twitter if you want to stay up-to-date on NoahSD-related news.
The vouching system, which the poker community uses to conduct almost all of its business, is ripe for scamming. I made a post about this once before, but it was a bit schizophrenic and poorly argued. The Jose Macedo scandal and this thread in HSNL have reminded me of my thoughts on the subject, so I decided to dust off the old blog and give you guys a patented (though uncharacteristically hastily written) NSD rant on the subject:
For those of you who haven’t heard yet, Thomas Bakker and I have started our own independent poker news site, Subject: Poker. You can read our launch announcement for more detail, but I’ll provide a more opinion-based description here (since it would be inappropriate for me to publish my opinions on a news site).
I assume that if you’re a reader of my blog, you probably know that the shit has just abruptly hit the fan. (If not, just hop on your favorite poker forum or media outlet or twitter or whatever, and see for yourself.) A lot of you probably have a significant amount of money online; I do too.
So, first of all, don’t freak out, not because there’s no reason to freak out (there is) but because freaking out’s no fun and won’t help. You’re not going to learn anything that’s going to suggest a course of action to change the current situation. So, it’s Friday; go drink your favorite intoxicating beverage with people who don’t play a card game for a living and talk about things other than card games.
That said, you’re probably not gonna take me up on that advice, so here are my thoughts to aid you in your obsessive sweating and to try to dispel some of the incredibly stupid rumors that are floating around. This is going to be a hastily written list of thoughts that I write up before I take my own advice and quit thinking about this for the night.
What Just Happened?
(I’m going to leave names out of this post because I think it applies to a lot of people, many of whom I don’t know about. Obviously I have some specific people in mind, though.)
I’ve had a lot of discussions over the past year or so with known former cheaters and friends of known former cheaters. A lot of them feel that the sort of incessant verbal abuse directed at them on the internet (and much much less often, in real life) is unfair. Their arguments of course vary, but usually the gist will be something like this: “I made mistakes in the past. I’m a different person now. I can’t take back my actions.”
I agree. I believe strongly in forgiveness, and I absolutely hate the idea of giving known former cheaters no chance of redemption and therefore very little incentive to avoid cheating, scamming, and stealing in the future. So, I’d like to try to do something about this.
While I don’t claim to speak for the peanut gallery and I certainly can’t control their opinions, I do think I know enough about the poker community to know how former cheaters (and likely former scammers and thieves as well) can salvage their reputations with the majority of its members. Frankly, it’s pretty obvious, but most known former cheaters are too busy feeling like victims to actually proactively try to make up for what they’ve done, and the community seems to be mostly interested in insulting cheaters and arguing about whether they deserve to be insulted. So, in order to nudge both parties towards a solution, I present The Cheater Challenge:
Eight days ago, I wrote a post about Absolute Poker’s ridiculously non-random Keno, which detailed a pathetically incompetent mistake that they had made (or perhaps that an outside contractor, Betsoft Gaming, had made that they’d completely failed to notice). It also explained that their official explanation was a lie and that over five months had gone by without compensation or a better explanation. (I highly suggest reading that post before this one. Otherwise, you’ll have absolutely no clue what I’m talking about. Plus, it’s worth the read.)
Well, I’ve been paid back. At 2:00 today, I got this e-mail from AP (I bolded the important part):