
When the World Wide Web was first becoming commercialized in the mid-to-late 1990s, many surfers were wary of shopping online and entrusting their credit card numbers to someone they didn’t know in a location that was hundreds, if not thousands, of miles away. Many surfers were even less willing to provide checking account or credit card information to a gambling site hosted outside the United States, particularly because there was no way for the players to verify that sites ran honest games or that they weren’t a scam. Many online poker rooms are licensed by the Mohawk Council of Kahnawake, a Native Canadian territory, so there is the potential for a licensee to lose its permit for cause.
Assuming the games are on the square, which seems a pretty safe assumption in light of the money an online poker room can make legitimately, there is still the potential for systemic problems, such as predictable card orders or players teaming up against you, that give other players an unfair advantage. In this chapter, we’ll show you how players have attempted to hack the system and what you can do to protect yourself.
Predicting the Order of a Shuffled Deck
Wouldn’t it be cool if you knew the exact order of the deck after the dealer shuffled it? You could use that information to construct each player’s hand, the board cards to come in a flop game, and (most importantly) determine whether you would be the eventual winner. You might have heard that it’s possible to predict the cards that will come out of the deck in an online poker game. In 1999, a team of researchers from Reliable Software Technologies (www.cigital.com/) created a software tool that let them determine the exact order of the deck in play for a particular Hold ’em hand. Here’s the story of how they did it and how the online casinos fixed the problem.
One of the fundamental principles of data security is that you should be able to publish the set of steps (or algorithm) you follow to deal cards, pick lottery numbers, encrypt data, or whatever, without compromising the process’ integrity. In the physical world, anyone can find out that lottery drawings use a clear, circular tumbler partially filled with marked Ping-Pong balls and blown air to pick the winning numbers. The on-site security, equipment verification regime, and physical randomness of the tumbler mean that even if there is some way to hack the system, such as by modifying a few balls to increase the chance of particular winning combinations, the security system makes it very difficult to implement the attack effectively.
The same philosophy applies in the digital world. In January 1997, the United States federal government began a competition to select a data encryption algorithm to be used for the Advanced Encryption Standard (AES). One of the competition requirements was that each algorithm submitted would be published in full so anyone could analyze it. After three-and-a-half years of public and private analysis, the U.S. government selected the winner: Rijndael, an algorithm submitted by two Belgian cryptographers.
Why did the government take so long to pick the winner? Because digital security processes are extremely hard to implement flawlessly. Subtle mistakes a dozen tenured professors miss could seem obvious to a first-year graduate student, and even one such mistake might be enough to render an otherwise secure algorithm, or a specific implementation of that algorithm, worthless. When you’re dealing with a security specification as important as the AES, it’s only prudent to review the candidate algorithms thoroughly.
It was in that spirit of openness that ASF Software published the details of its shuffling algorithm, used at the time by sites such as PlanetPoker, PurePoker, and DeltaCasino, for public scrutiny. The result of that analysis was shocking: Because the Hold ’em games’ shuffling algorithm used an easily guessed random number to begin selecting the cards to be dealt, it was possible to predict the entire deck’s order after seeing only five cards. Yep, if you stayed through the first round of betting, you could determine whether you would be the eventual winner without putting another dollar into the pot unless you wanted to. Figure 7.1 shows the graphical user interface the security researchers put on their prediction program. The numbers just above the hole cards show each player’s rank at the end of the hand.
♠♥♣♦ Note
You can find the full story of the Reliable Software Technologies team’s exploit on the Web at www.cigital.com/news/index.php?pg=art&artid=20.

Figure 7.1 You didn’t need this program to know that another player would beat you with a miracle draw on the river.
PlanetPoker, the most popular site using the ASF Software shuffling algorithm, changed its procedures in very short order. Now when you go to online poker sites and sift through their frequently asked questions (FAQs), you see some geekily entertaining detail on how they randomly determine which card appears next. Here’s a part of the UltimateBet explanation, which you can find on the Web in its entirety at www.ultimatebet.com/about-ub/rng.html.
Our approach is to forgo pseudo-random number generation wherever possible and instead use true random number generation from proven random physical devices. Our system utilizes thermal noise on a zener diode—shielded to prevent any environmental interference. The characteristics of this device are governed by the laws of quantum physics and are provably non-deterministic. Through the use of true random numbers and our shuffling algorithm (see below), we ensure first that it is impossible to predict the next card coming off the deck, and second that every possible shuffle combination is equally likely, all 8.06581751709439 × 10^67 of them or 80,658,175,170,943,900,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.
What’s nice about the explanation is that it’s true. The zener diode’s state is physically unpredictable when it’s isolated from close-in heat sources and the like, so it generates a string of truly random numbers. And if this complex procedure seems like overkill, just consider the goodwill PlanetPoker had to recapture after its debacle with the ASF Software algorithm.
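The two situations described above, a shuffle started from an easily guessed number and a shuffle driven by unpredictable randomness, can be compared in a short added example (it is not code from this book, from ASF Software, or from any poker site). The size of the seed space, the seed value, the function names, and the simplification that the five exposed cards are the top five of the deck are assumptions made for the illustration; the strong shuffle uses the operating system's cryptographic random number generator in place of the hardware noise source UltimateBet describes.

```python
import math
import random
import secrets

DECK = [r + s for s in "shdc" for r in "23456789TJQKA"]  # 52 cards
SEED_SPACE = 2 ** 15  # assumption: only this many seed values are plausible

def weak_shuffle(seed):
    """Seeded PRNG shuffle: the entire deck order is a function of the seed."""
    deck = DECK[:]
    random.Random(seed).shuffle(deck)
    return deck

def seeds_consistent_with(observed, seed_space=SEED_SPACE):
    """Self-audit: seeds whose deck begins with the cards already exposed."""
    k = len(observed)
    return [s for s in range(seed_space) if weak_shuffle(s)[:k] == observed]

def strong_shuffle():
    """Fisher-Yates driven by the OS CSPRNG; randbelow() has no modulo bias."""
    deck = DECK[:]
    for i in range(len(deck) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck

def audit(secret_seed=21_407):  # constructed seed standing in for the server's
    deck = weak_shuffle(secret_seed)
    return {
        "reachable_decks": SEED_SPACE,            # upper bound for the weak dealer
        "possible_decks": math.factorial(52),     # what a fair shuffle must cover
        "candidate_seeds": seeds_consistent_with(deck[:5]),
    }

if __name__ == "__main__":
    report = audit()
    print(f"weak dealer can produce at most {report['reachable_decks']:,} decks")
    print(f"a fair shuffle has {report['possible_decks']:.3e} possible decks")
    print(f"seeds still consistent after 5 cards: {report['candidate_seeds']}")
```

A generator whose internal state is smaller than about 226 bits cannot reach every one of the 52! orderings, however it is seeded, which is why the fix has to address both the seed and the generator behind the shuffle.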
The bottom line is that the major online poker rooms appear to be much better about ensuring the randomness and fairness of their dealing procedures. We don’t know for sure that the sites’ shuffling algorithms have no weaknesses. We haven’t verified the systems ourselves (as if we’d know how), but there’s nothing in the current literature indicating any weaknesses.