Category Archives: Poker Security and Ethics

Passwords Security

A poster on 2p2 recently exposed a major security vulnerability on Lock Poker. The poster found that his password was included in plaintext in the source code of Lock’s Casino app.

I’m not particularly interested in discussing the specifics of Lock’s implementation, but based on my reading of the thread and some PMs/IMs that I got, a lot of people in the poker community could use a basic run-down of how basic password security works. Indeed, it seems that many players (and perhaps some poker site employees) don’t understand what the heart of the issue is here: A password should not exist in plaintext for longer than it needs to, and it doesn’t need to for very long.

The fact that people seem to not know this is slightly worrisome. So, I thought I’d outline the basics of a standard password implementation in a quick post. This certainly won’t be perfect (No implementation is, of course). But, it’s roughly what your bank uses, and your poker site should probably use many of the same ideas, if not the exact same implementation.

Cryptography is extremely counter-intuitive for the uninitiated, so I’m going to dumb stuff down a lot:


Step 1: SSL

When your computer is sending secure information (e.g., passwords, credit card numbers, etc.) to anyone, there are two important things that you need to do right away:


The Vouching System Sucks

The vouching system, which the poker community uses to conduct almost all of its business, is ripe for scamming. I made a post about this once before, but it was a bit schizophrenic and poorly argued. The Jose Macedo scandal and this thread in HSNL have reminded me of my thoughts on the subject, so I decided to dust off the old blog and give you guys a patented (though uncharacteristically hastily written) NSD rant on the subject:

Circumstances change.


So What’s Up with This Falling Sky?

I assume that if you’re a reader of my blog, you probably know that the shit has just abruptly hit the fan. (If not, just hop on your favorite poker forum or media outlet or twitter or whatever, and see for yourself.) A lot of you probably have a significant amount of money online; I do too.

So, first of all, don’t freak out, not because there’s no reason to freak out–there is–but because freaking out’s no fun and won’t help. You’re not going to learn anything that’s going to suggest a course of action to change the current situation. So, it’s Friday; go drink your favorite intoxicating beverage with people who don’t play a card game for a living and talk about things other than card games.

That said, you’re probably not gonna take me up on that advice, so here are my thoughts to aid you in your obsessive sweating and to try to dispel some of the incredibly stupid rumors that are floating around. This is going to be a hastily written list of thoughts that I write up before I take my own advice and quit thinking about this for the night.

What Just Happened?


The Cheater Challenge

(I’m going to leave names out of this post because I think it applies to a lot of people, many of whom I don’t know about. Obviously I have some specific people in mind, though.)

I’ve had a lot of discussions over the past year or so with known former cheaters and friends of known former cheaters. A lot of them feel that the sort of incessant verbal abuse directed at them on the internet (and much much less often, in real life) is unfair. Their arguments of course vary, but usually the gist will be something like this: “I made mistakes in the past. I’m a different person now. I can’t take back my actions.”

I agree. I believe strongly in forgiveness, and I absolutely hate the idea of giving known former cheaters no chance of redemption and therefore very little incentive to avoid cheating, scamming, and stealing in the future. So, I’d like to try to do something about this.

While I don’t claim to speak for the peanut gallery and I certainly can’t control their opinions, I do think I know enough about the poker community to know how former cheaters (and likely former scammers and thieves as well) can salvage their reputations with the majority of its members. Frankly, it’s pretty obvious, but most known former cheaters are too busy feeling like victims to actually proactively try to make up for what they’ve done, and the community seems to be mostly interested in insulting cheaters and arguing about whether they deserve to be insulted. So, in order to nudge both parties towards a solution, I present The Cheater Challenge:


Absolute Poker Keno Update: Money Repaid. Explanation Still a Lie and Reveals Further Amazing Incompetence and Sketchiness

Eight days ago, I wrote a post about Absolute Poker’s ridiculously non-random Keno, which detailed a pathetically incompetent mistake that they had made (or perhaps that an outside contractor, Betsoft Gaming, had made that they’d completely failed to notice). It also explained that their official explanation was a lie and that over five months had gone by without compensation or a better explanation. (I highly suggest reading that post before this one. Otherwise, you’ll have absolutely no clue what I’m talking about. Plus, it’s worth the read.)

Well, I’ve been paid back. At 2:00 today, I got this e-mail from AP (I bolded the important part):


Absolute Poker Rigged Keno: Five Months Later with No Compensation and a False Explanation, and How This Relates to Superusers and Joe Sebok

(Update 4/1: AP has repaid customers, but their new explanation leaves a lot to be desired. I recommend reading this post first if you haven’t read it yet, but then see this post for the update.)

Cereus is in the news again, as UB sponsored pro and tweeter extraordinaire Joe Sebok has finally made a 2p2 account to talk about various things. Frankly, reading those threads is just about the most frustrating possible use of one’s time, but for the masochists in the audience, please accept my flower of links: (((1 2 3 4))). ($5 on Stars/FTP to the first person who correctly identifies that reference.)

Basically, what’s going on currently is an argument between Joe and 2p2 in which Joe insists that current Cereus management is clean and 2p2 argues otherwise. (Much of it might actually come down to Joe’s rather lax definition of cleanliness, actually.) Needless to say, the UB/AP superuser scandal is an incredibly big deal. But, it’s so painfully nuanced, complicated, and shrouded in mystery that answering a simple question like “Is Cereus currently run by a bunch of crooks?” is amazingly difficult. So, I’m going to leave the larger scandal to the professionals and sidestep the issue entirely to discuss a much much smaller on-going scandal: Absolute Poker’s rigged keno game and their response. I think that that scandal deserves some more publicity in its own right (and it’s entirely my fault that it has not gotten enough), but I also think it should provide some perspective on the current discussion.

(I think it’s worth noting here that, though this scandal is several orders of magnitude smaller than the superuser scandal, had it happened on any other US-facing network, it would have been huge. The fact that it’s received such disproportionately small attention from the poker community (myself included) is a testament to how jaded we all are when it comes to Cereus.)

Unenforced Rules Suck

It’s becoming more and more clear that the major poker sites are not enforcing many of their own rules.

Part of this is because they’ve made rules that simply can’t be enforced: FTP bans ghosting, and most major sites now ban datamining. Some of their rules clearly are enforceable but either aren’t enforced at all or have no real punishments associated with them: I only know of one example of a site actually confiscating money for multiaccounting in cash games (and it was a complicated case), and I don’t think anyone’s ever gotten more than a warning for using PTR while playing. (Similar problems exist in the live poker world as well, but I’m not really qualified to comment. Nate detailed a bunch of problems with selective enforcement at the PCA in this 2p2 post.)

The result is, predictably, a lot of confusion. Some people simply ignore all these rules and make a lot of money as a result. Most people ignore some of the unenforced rules (PTR, ghosting while coaching), but not all of them. Some people get in trouble for doing things that they didn’t even know were wrong. Throughout this process, the unquestionably important rules such as the bans on collusion or buying accounts deep in tournaments lose their weight. This is obviously a terrible situation, and it will only get worse if the sites don’t do something about it as people continue to learn what they can get away with. Current high profile cases of people breaking the rules and making tons of money off of it with no consequences, like ugotabanana and PTR have, will encourage others to follow suit and certainly won’t make things easier.

So, things definitely have to change. In each case in which a rule is either not enforced or enforced only selectively, each site should either change the rule or start seriously enforcing it. They need to make it clear that breaking their rules is cheating, and cheating is both unprofitable and unacceptable. I’ll outline my specific ideas on how to handle multiaccounting and datamining below (a lot of which is just copied and pasted from an old 2p2 post of mine), but I think that the general policy that rules are rules is much more important than the specifics.


Trust: Pedophiles, the Stranger Fallacy, and the Vouching System

(I plan to update this blog at least weekly for the next couple months or so. I’ll likely have another post out this week. If you’d like to know when I’ve updated my blog, you can subscribe to my RSS feed or follow me on twitter.)

Say a nine-year-old girl is walking home from school in a small rural town, and it starts to rain. A car pulls up, and a middle-aged man she’s never met offers her a ride home. This scenario makes a lot of people nervous. Because the girl doesn’t know this guy, she doesn’t know if he’s a pedophile, a kidnapper, or a murderer. So, the common wisdom that pretty much every kid was taught when I was little was to refuse the ride–even to just totally ignore the guy. If, however, the driver is the little girl’s neighbor or a friend of her parents or her friend’s dad or someone that she’s seen around town, then the guy’s not a stranger, so she can get into the car and feel perfectly safe.

Obviously, this system doesn’t pass a basic plausibility test. In the first scenario, while the guy was a stranger to her, he’s definitely somebody’s son, is almost certainly somebody’s neighbor, many other people’s friend, and somebody that lots of people see around town, and is pretty likely to be somebody’s dad as well. So, unless this nine-year-old girl has a uniquely gifted ability to pick good neighbors, parents’ friends, friends’ parents, and people she sees around town, then a stranger to her is roughly as likely to be some kind of “bad guy” as someone that she knows. (This is admittedly an oversimplification, but I’ve probably already talked more about this situation than I should on a poker blog. Attempts to find a decent discussion of the issue to link to for interested readers failed miserably. One may not even exist because obviously this is an issue that’s dominated by people who are rather zealous and irrational. If you’d like to talk more about it, bug me on twitter or 2p2 or in the comments or something.)

We use this same terrible logic in tons of situations; we treat strangers with unnecessary suspicion, and we trust people that we know to a remarkable degree. For example, people tend to be pretty guarded about flashing even small amounts of cash in public, but are perfectly willing to let friends of friends into their houses when they have a party–usually with plenty of valuable, stealable things around. This system always feels really natural and reasonable; strangers feel inhuman, and people that we’ve talked to or heard about from friends feel much more human and therefore much safer. But, it relies on the flawed assumption that either bad people don’t end up entering anybody’s social circle or that our social circles are somehow privileged. The first is empirically false, and the second obviously can’t be true for everybody.

The fact of the matter is that most people–strangers or not–have a lot of integrity. In fact, next time you’re walking down the street in a “bad” neighborhood with someone behind you, drop a $100 bill and pretend not to notice. The guy behind you is way way more likely to give it back than he is to take it. I know this from experience as a man who consistently drops and loses valuable things and gets them promptly, kindly, and awkwardly returned. (FWIW, he’s probably a bit more likely to pretend he didn’t see it and hope someone else deals with it than to return it himself.) So, we use an old-fashioned, instinctive system of completely trusting people that we know as a good approximation for the correct system: trusting everyone almost completely barring any direct evidence that we shouldn’t. In most scenarios, this leads people to be overly cautious around strangers and treat people that they know with about the right level of caution. That’s not a big deal, although it probably makes subway rides significantly less pleasant.

In the poker world, we basically use this same flawed system, and it fails tremendously, but in the opposite direction. We place tons of trust in people we know and use an informal vouching system to place tons of trust in friends of friends, and it repeatedly bites us in the ass. Perhaps the most blatant failure of this system was when one of the most respected men in poker, Barry Greenstein, defended the undisputed most hated man in poker, Russ Hamilton, in the face of tons of evidence that made it pretty clear that Russ was guilty and in spite of Russ’s shady past. Closer to home, I’ve personally vouched for three different people who have later gone on to screw people over. (FWIW, one has made things right, one appears to be attempting to do so, and one has paid back everybody but me.) In fact, I bet that almost every single person that’s been caught scamming, cheating, or stealing in the poker world has had someone vouch for him in good faith.


“The Poker Economy” and Why Your Bottom Line Isn’t a Moral Barometer

(It seems fitting that I make my debut in the blogosphere with a tl;dr rant that’ll probably piss some people off. I’ll probably be writing some less tl;dr rants that’ll piss fewer people off here fairly regularly, so if that’s the sorta thing that appeals to you, stay tuned or whatever. I’ll try to post on twitter when I make a new blog post.)

People in the online poker world are becoming increasingly obsessed with talking about “the poker economy”.  Lots of things are accused of being “bad for the poker economy”–Bumhunting, being a douche to casual players, cheating, and talking strategy at the poker table are pretty much universally considered problems for this noble cause, and some people also mention HUDs, training sites, various forms of legislation, running it twice, short stacking, PTR, public discussions of problems in the poker world like cheating and shady sites, various types of tournament structures, and a ridiculously long list of other things. But WTF is the poker economy?

I don’t really think most people who use the term know what it is–I think they’re more concerned with how they can protect it from the ridiculously long list of threats to its life than they are with knowing WTF it is in the first place.  That’s because it doesn’t really have a definition.  The poker economy is an undefined abstract concept that people use to justify their own opinions. Not coincidentally, people typically mention it when they’re trying to argue for something that would help their bottom line or to justify their own actions. It’s actually quite similar to a strategy that homophobic assholes use when they say weird nonsensical crap like “The strength of America is in its families and homosexuality threatens that”, or when racist assholes say that they’re “preserving their heritage” or something similarly stupid. Basically, it’s a cheap way to make it sound like there’s some moral imperative behind a position. I hope people will start pointing out these empty arguments more often.

But, just because people make terrible arguments doesn’t mean that their positions are wrong. So, I wanted to discuss some of the specific things that people think “hurt the poker economy” and see which ones people are justified in complaining about. Being a douche to casual players obviously isn’t ok–not because it “hurts the poker economy” or “is bad for the game” but because being a douche is never ok. Similarly, cheating isn’t ok. It’s not that cheating isn’t ok because it scares fish away or disrupts the beautiful flow of money from fish to pro or anything like that; cheating is simply unethical all on its own. I’ll devote more time to some of the others:
