Rig Proofing Poker Sites Possible?

09-27-2014 , 11:05 PM
Hey just_grindin, good to hear from you. Thanks for taking part and sharing this info.

Quote:
Originally Posted by TakenItEasy
could a hashing code be run on a compiled file to verify no modifications were made?
Quote:
Originally Posted by just_grindin
Comparing hashes for free, open source code is quite common to verify authenticity. I think all reputable Linux distros come with a hash (MD5 or SHA1, I believe). I don't know how the hash is computed.
Thanks, I looked these up and will summarize what I found just to get us all on the same page.

I see that MD5 has a few issues if used for encryption but for our purposes, it shouldn't really matter.

I should stress, for the readers, that the above concerns were for encryption and not for authentication, as Just Grindin already alluded to. It's only making sure that the file has all its bits in the right place when compared to a known example, if I got my facts straight, which is a trivial task by comparison.

Quote:
Originally Posted by just_grindin
TrueCrypt does as well.
Also some interesting drama surrounding TrueCrypt. Apparently, it was recently killed off. Not just left as unsupported but actually banned from use by its own founders. Here's a link to a podcast that discusses it:

https://soundcloud.com/sophossecurit...hat-comes-next

I never used it myself but the story was a bit eye-opening nonetheless. With very little revealed as to why it happened and very little known about the founders in the first place, it all seems very mysterious and somewhat ominous, as it was described as a fairly popular and widely used encryption scheme to suddenly be yanked from existence.

I'm guessing it's probably just that the founders discovered a major issue that couldn't be resolved, and the silence is probably more about not letting the secret out for hackers to exploit before people can get their documents out of harm's way. However, silence around it has invited conspiracy theories to flourish. And justifiably so.

If this sounds like a contradiction, understand that it's not a zero-sum situation. There is never any upside to creating doubt and the potential downside is generally going to be huge.

In poker these concerns must be multiplied many times over. That's because if you're scammed over the internet it's generally going to be a temporary situation. However, you're never cheated once in poker. If left unchecked, the potential downside is not only everything you have but your livelihood as well.

Therefore all reasonable amount of transparency when possible is incumbent upon the poker site or casino just as much as it is for a player to abide by the rules. BTW these statements should not be seen as being directed at anyone in particular. I just think the reason for transparency should be made clear as many seem to misunderstand it.

Quote:
Originally Posted by TakenItEasy
and if a server could block a client based on this?
Quote:
Originally Posted by just_grindin
I don't know about this part. There is probably a more effective way to guarantee the authenticity of the client to the server but I don't know what it is.
I was asking the wrong question here. Sorry my mistake.

I think you're right, it would be tricky for a server to determine this, as it should be. I overlooked the fact that since there will still be the table client software operating locally, it's a pretty trivial matter for the client software to do a quick check as soon as it's started to check that the card client was not tampered with.

Also I think it's not that big an issue if it's only an advanced option in the installation to choose a user compiled card client so the user could inspect the code first. Just by having the option available would get enough of us curious types to take a look that would end up vetting the software a million times more thoroughly than any regulating power would have the manpower to do, I'm sure. And as many sites have stated in the past, they are happy to let the players police the site themselves.
09-28-2014 , 02:10 PM
The purpose of a secure algorithm is exactly to prevent people from being able to cheat by rigging the server or the client.
09-28-2014 , 02:58 PM
Quote:
Originally Posted by BlackLoter
The purpose of a secure algorithm is exactly to prevent people from being able to cheat by rigging the server or the client.
I'm not sure what you are suggesting. If you're saying that the process to check if a file has been modified must be a secure encryption technique, I'd disagree.

In this case, keeping the card client code hidden via encryption is not our goal. Just the opposite, our goal is to keep it transparent but unable to be modified by the user. Therefore using MD5 or SHA1 hashing algorithms only checks that a compiled file is identical to one that hasn't been modified, which shouldn't matter if there happens to be discrete pockets of excessive collisions for certain seed values.

I think that a good example of how these are used is in the downloading of files. These algorithms are mostly used as a checksum to verify the file is 100% identical to the file that was downloaded. In those cases, the site maintains that the hashing algorithm is not intended to securely encrypt the file in transit but just to make sure it downloaded correctly.
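The startup check discussed in the posts above, where the table client hashes the compiled card client and compares the result with a published value, could look like the following. This is an added example, not code from any poster or poker site; `check_card_client`, the file name and the sample bytes are assumptions, and SHA-256 is used as the default where the posts mention MD5 and SHA1.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algo="sha256", chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_card_client(path, expected_hex, algo="sha256"):
    """Startup check: 'ok', 'modified' or 'missing' (hypothetical helper)."""
    if not os.path.isfile(path):
        return "missing"
    actual = file_digest(path, algo)
    expected = expected_hex.strip().lower()
    return "ok" if hmac.compare_digest(actual, expected) else "modified"


def demo():
    # Constructed stand-in for the compiled card client; not a real binary.
    original = b"constructed card client build 1.0\n" * 4096
    published = hashlib.sha256(original).hexdigest()  # digest the site would publish
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "card_client.bin")
        with open(path, "wb") as f:
            f.write(original)
        untouched = check_card_client(path, published)
        with open(path, "r+b") as f:  # flip a single bit in the middle
            f.seek(len(original) // 2)
            byte = f.read(1)[0]
            f.seek(len(original) // 2)
            f.write(bytes([byte ^ 0x01]))
        patched = check_card_client(path, published)
        os.remove(path)
        removed = check_card_client(path, published)
    return untouched, patched, removed


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the source of the expected digest, so that value has to be obtained separately from the file being checked.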
09-28-2014 , 09:51 PM
Quote:
Originally Posted by TakenItEasy
I'm not sure what you are suggesting.
As a server you don't need to verify that a validated copy of the software is running, you only care about compliance to the standard. There is no risk in anyone modifying the client. If you want to modify the client, as far as security is concerned, you may as well do so, at your own risk.

Looks to me you are getting a little lost in software security issues.
09-28-2014 , 09:55 PM
Quote:
Originally Posted by BlackLoter
As a server you don't need to verify that a validated copy of the software is running, you only care about compliance to the standard. There is no risk in anyone modifying the client. If you want to modify the client, as far as security is concerned, you may as well do so, at your own risk.

Looks to me you are getting a little lost in software security issues.
No idea where this is coming from. Have you been following the thread or taking posts out of context?
09-28-2014 , 09:56 PM
Quote:
Originally Posted by TakenItEasy
However, then the risk becomes that of a user rigging the code.
There is no such risk, okay?
09-28-2014 , 09:57 PM
Quote:
Originally Posted by BlackLoter
There is no such risk, okay?
Again, what are you talking about?
09-28-2014 , 10:06 PM
Quote:
Originally Posted by TakenItEasy
Again, what are you talking about?
I quoted your own post, my friend.
I was explaining to you that one of "the risks" you talked about and tried to solve doesn't actually exist.

And I'm out
09-28-2014 , 11:28 PM
It's impossible for someone to cheat by modifying the client software unless the server already has exploitable security flaws. Someone doesn't understand the client-server model.
09-29-2014 , 02:35 AM
Quote:
Originally Posted by NewOldGuy
It's impossible for someone to cheat by modifying the client software unless the server already has exploitable security flaws. Someone doesn't understand the client-server model.
Well that's good to know.

So could you see any reason that a card client couldn't be sent in its uncompiled form so that users could have the option to vet the code before compiling it?

I understand it sounds completely outside the norm but we are talking about essentially a card HUD that can only decrypt cards and display them with no IP to worry about.
09-29-2014 , 07:21 AM
Quote:
Originally Posted by TakenItEasy
So could you see any reason that a card client couldn't be sent in its uncompiled form so that users could have the option to vet the code before compiling it?
Mainly just intellectual property protection. But it isn't a security problem.
09-29-2014 , 03:21 PM
Quote:
Originally Posted by xxl_w1
You can't prove sites are rigged and you can't prove sites aren't rigged. If they were rigged they would be in such a way that no one could tell they are rigged.
I believe that with current methods being nothing more than blind trust, you're correct. The Abs/UB scandal was probably the last example of ever proving a site was cheating using current methods. That only happened because they got greedy and made it too obvious among the best players at the time. While the players knew cheating was going on, they still couldn't actually provide the evidence until a mistake made by someone on the inside sent out HHs with all hole cards shown to finally be able to make a case against them.

However, New Old Guy's post #20 has already shown examples of a poker game that couldn't be rigged. The only issue is that they were too cumbersome to be practical, however I think most who've looked into it believe that eventually new methods will make it more practical.

This thread may already have the solution or at least a very effective solution, though I think I can see ways to streamline it even more.

The real question is if poker sites would be willing to implement it. However, if you consider that poker sites will be lobbying hard to get US legislation to pass and be among those chosen for licensing, and that this is also the only time we may be able to influence new regulations that haven't been put into place yet, we may never again have a better shot at this than now.

As a trader, you know that when companies find an edge in a weak market, even if it's through cheating, other companies on the edge will be forced into following suit in order to compete, until finally, all honest sites are either forced out of the market or turn to cheating to level the field, except the players end up as the losers. Though eventually all poker loses out when no one trusts the game anymore.

If you think poker could never die, ask any player that was around during the early 90s.

I was only a recreational player back then with occasional visits to Vegas but seriously considered turning pro. I decided to take one trip, try to talk to some pros, look at rent and cost of living, etc. before making a final decision.

When I got there, I found some poker rooms had closed. I didn't think that much of it as I'd been there only months before and while business seemed a little slow, it didn't seem that bad.

The Riviera's room was open probably due to the fact that it was attached to a large convention center and I knew some of the staff that worked there. The atmosphere was so gloomy the place felt more like a mortuary than a casino. That's when I learned that maybe 90% of the poker rooms in Vegas had closed all within a single summer and you could see it in their faces, that they fully expected to be the next to go. It was a heartbreaking experience that I hope to never have again.

The problem is, poker has already declined to the point where tax revenue for on-line sites is falling far short of expectations, making future legislation less certain. If on-line poker doesn't pass, then history is doomed to repeat itself, for the US at least.

Last edited by TakenItEasy; 09-29-2014 at 03:47 PM.
09-29-2014 , 07:53 PM
I am not going to tolerate any more "poker is rigged" stuff in this thread, period. If you want to discuss that, there are 2 or 3 very active threads on the matter in other places on 2+2. This isn't one of them.
09-30-2014 , 01:10 AM
Apologies for the dialog.

I think the current method will still have a little too much lag that will have at best an annoying quality to it. I keep thinking of those early episodes of Halt and Catch Fire, which was about the delay time that will cause a person to lose focus or something like that.

I'm thinking there may be streamlining methods that could involve something like a 2 deck system where the deck may be pre-shuffled for the next hand

combined with using some kind of hashing stack sized for enough hole cards for a full game, and use a random card draw so the players coming and going could change without needing to worry about starting over.

Pre-dealing encrypted cards and then dealing decryption keys in real time.

Lots of variants keep coming to mind but I'm too tired to think it all through clearly right now and I'll try to work it out in the morning.
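The last idea in the post above, pre-dealing encrypted cards and then releasing the decryption keys in real time, as an added example (not the poster's design or any site's code). It assumes each card gets its own random key and that the server also publishes a hash of every key before the hand, so a key revealed later can be checked against the pre-deal; the XOR keystream is a toy stand-in for a real cipher and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

DECK = [r + s for r in "23456789TJQKA" for s in "cdhs"]  # 52 card codes

def _h(label: bytes, data: bytes) -> bytes:
    """Domain-separated SHA-256: keystream and commitment never coincide."""
    return hashlib.sha256(label + b"|" + data).digest()

def _xor(data: bytes, key: bytes) -> bytes:
    # Toy keystream derived from the key (assumption); use a real cipher in practice.
    return bytes(a ^ b for a, b in zip(data, _h(b"stream", key)))

def pre_deal(deck=DECK):
    """Server: shuffle, then lock each card under its own random key."""
    order = list(deck)
    secrets.SystemRandom().shuffle(order)
    keys = [secrets.token_bytes(16) for _ in order]
    # Published before the hand: (ciphertext, hash of key) per deck position.
    published = [(_xor(c.encode(), k), _h(b"commit", k)) for c, k in zip(order, keys)]
    return published, keys  # keys stay on the server until a card is dealt

def open_card(entry, key: bytes) -> str:
    """Player: accept a revealed key only if it matches the pre-deal."""
    ciphertext, commitment = entry
    if not hmac.compare_digest(_h(b"commit", key), commitment):
        raise ValueError("revealed key does not match the committed key")
    card = _xor(ciphertext, key).decode("ascii", errors="replace")
    if card not in DECK:
        raise ValueError("decrypted value is not a card")
    return card

def demo():
    published, keys = pre_deal()
    dealt = [open_card(e, k) for e, k in zip(published, keys)]
    try:
        open_card(published[0], keys[1])  # key for another position is offered
        swap = "accepted"
    except ValueError:
        swap = "rejected"
    return sorted(dealt) == sorted(DECK), swap

if __name__ == "__main__":
    print(demo())
```

Publishing the key hashes alongside the ciphertexts is what fixes the deck order in advance: without them, a short ciphertext could be opened to a different card by searching for a convenient key.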
10-05-2014 , 03:21 PM
Since I just made lots of updates that are relevant to this thread in the Decentralized Mental Poker Thread, I need to post at least a reference here to preserve the continuity. See posts #19 through #27

http://forumserver.twoplustwo.com/sh...1&postcount=19

I hope to be posting some exciting results concerning a new method of drawing random cards as opposed to dealing shuffled cards in order.

A brief description can be found in post #25 of that thread

http://forumserver.twoplustwo.com/sh...4&postcount=25

So far it seems to be the best of all worlds and I can see solutions to every issue that has come up in this thread to date as well as some new security concerns over brute force methods that may have inadvertently become a slightly greater risk caused by transparency and validation methods.

Examples can be seen here:

http://www.cigital.com/papers/downlo...r_gambling.php

Not to worry, the new method should actually be an ideal solution against such attacks since it would allow for all theoretical permutations involved in dealing any game rendering any brute force methods completely impotent.
10-08-2014 , 04:35 AM
Unfortunately, this project has been delayed due to someone hacking my computer.

They would target only files related to this project and keep deleting them. I first thought it was an issue with Dropbox overwriting files. Then I realized I was getting hacked and it didn't matter how many new versions or different directories, they were getting deleted.

The last time was a few days ago. Perhaps around 4 hours since my last save, I found the files missing once again. I found one file still existed and tried to open it, only it was loaded as read only and reported as already opened by another user. I'm the only person that should be on my network at home.

I disconnected the Ethernet cable and the file was released at the same instant.

I spent the next several days disconnected, running scans, changing passwords, etc.

Unfortunately he's still able to somehow get on the network and I see the intruder is here as I type this. Disconnecting now.
10-08-2014 , 04:39 AM
Please PM me any ideas to get rid of this guy. He's extremely persistent.

Please don't reply to security ideas here.

Last edited by TakenItEasy; 10-08-2014 at 04:51 AM.
10-22-2014 , 04:25 AM
11-23-2014 , 01:18 AM


Details to follow...
11-25-2014 , 05:00 PM
Quote:
Originally Posted by TakenItEasy


Details to follow...
Sorry, I meant to follow up right away but before doing so, it struck me how I could adapt it for Zoom poker.

I'm pretty close but there's just one little point I'm stuck on. Hope to knock that out soon.