Absolute Poker's Mistake Is Primarily Poor Protocol Design

[shipitfish]

I thought I'd mention briefly the story that has had the online poker world going since the first 2+2 posts last month showed one player's 100% river aggression factor. The story ends with Absolute Poker's executives using “root” accounts to swindle online players by knowing their exact card holdings in high stakes cash games and high buy-in tournaments.

I won't go through the details of the story; I've been following it from a distance (since my poker time is limited these days), so I would probably get a few details wrong. Since I have more time to listen things while commuting than reading stuff online, I got the best summary of this situation from this week's episode of the Rounders podcast. Also, two posts that extempore (aka Paul Phillips) made give some good details. (I am not a true NYC'er, BTW, because I can't read easily on the subway and listen to podcasts instead.)

I had suggested before that perception of badly written software and not true “rigging” would ultimately be a serious problem for online poker. I think I'm going to declare myself as somewhere between 30%-50% right about that.

Some might say this situation shows that Absolute was “rigged”, since it was an inside job. Executives at the company held the root account, and used it to view everyone's cards and gain huge edges against their customers. But, putting on my hat as information technology expert for a moment, I argue that this is a software problem as much as anything else.

The software should never had this feature. There is no good reason that standard client software, used from an off-site location, should have had the ability to receive hidden card information before the cards were exposed in the hand. Indeed, the network protocol itself should never even send hidden card information until the completion of the hand (if at all).

The idea that the network protocol sent opponents' hole card information over the wire before shows simply bad system design and programming. There is no reason to do this, and a hundred reasons not to. Had the software not been designed this way, the only cheating temptation our friendly Absolute executive would have involved modifying the server software himself to send him card information in real time somehow. Maybe the guy was a smart software developer or system administrator and could have pulled off the job himself, but I doubt it.

Finally, to bring my personal politics into this, this is why I firmly believe that all poker server software should be Open Source and Free Software (FOSS). There is no competitive advantage for these poker sites to gain from having server software that differs; their branding, interface, and other edges happen on the client side. (I happen to think client software should be FOSS too, but that's a harder argument.) The argument for FOSS server technology for all online poker is clear and simple. Players should be allowed to examine the code to be sure only their authenticated accounts can receive their hidden cards.

Of course, only the site administrators should be allow to change the versions of this FOSS running on their own servers, but they should publish that source for public inspection. That's the only way online poker can actually be safe from these sorts of challenges.

BTW, full disclosure: A good friend of mine is the premiere developer in the world of FOSS poker technology. His site has some useful and interesting stuff. I must admit, I am jealous sometimes that his day job is writing FOSS poker software, but I still hope his software gains more adoption in reaction to these events.

Comments

[jellymillion.livejournal.com]

I mostly agree with you, but I can't help thinking that the honest sites will prove to be honest, while the dishonest ones will lie. Saying that you're using the vanille, out-of-the-box OSS code and actually doing so are two different things: something as simple as a one-liner (OK, maybe three or four lines) that writes hidden cards to a log file would suffice. After that all you need is a slightly souped-up tail program and you're in business.

So some form of audit process is needed. For that, some form of regulation is needed.

All in all, too easy to circumvent.

It looks like Absolute were a disaster waiting to happen. Stories of their incompetence already abound, like the one where not only did their software prove incapable of correctly ranking Razz hands but their so did their support people.

Of course, pokersource has (unless it's been fixed recently) a problem with lowball rankings too, when the hands get into unusually high territory. I'm not knocking ps, mind you - I ported much of pokenum to C# last year and it's a fascinating lesson in high-performance C.

[shipitfish.livejournal.com]

Oh, I completely agree that regulation and third-party auditing is the right road. I would then argue that regulation will only work if you are using FOSS server software that helps the public watch the watchers.

As for showdown ranking problems in pokersource, I am sure Loic would want patches. I thought he fixed all those back when he was researching the Razz showdown question.

[jellymillion.livejournal.com]

I'd love to see the voluntary self-regulation, er, regulations for online poker rooms. I don't think there's a chance of such a thing ever happening, not even if the US government performed a smart volte-face. It would only take one government (and there would actually be plenty) to disavow the need for checks and the dodgy sites would flock there. The fish wouldn't know or care, so the sharks would follow them and we'd be no better off. Welcome to the supra-national world.

It's all a bit tricky.

You're probably right about the Razz thing - it's months since I looked at the code. For sure pokersource would get my money in any accuracy competition with Absolute.