12-06-2011 , 01:58 PM
Yeah, at least for them they are saying they aren't able/willing to do so it sounds like
Bodog's Anonymous Tables ... are not anonymous!
12-06-2011 , 02:00 PM
Quote:
With the fast growing technology nowadays, it is somehow unavoidable that people would be able to develop a third party program to make our Poker tables not anonymous on their end, especially those who are dedicated on this.
Let me translate:

"Not a single person on our development team passed Computer Science 102."
12-06-2011 , 02:03 PM
Quote:
Originally Posted by kyleb
Let me translate:

"Not a single person on our development team passed Computer Science 102."
Or apparently English 101 in the customer service department. They hold their employees to high standards obviously
12-06-2011 , 02:03 PM
It sounds like they are banking on not many people being capable of creating this type of debugger. While that may be true, it only takes one person with intent to distribute to turn that theory upside down.
12-06-2011 , 02:04 PM
Quote:
Originally Posted by SharkBaitAA
Or apparently English 101 in the customer service department. They hold their employees to high standards obviously
Didn't want to point that out, but true all the same.

Quote:
Originally Posted by daneblazer
It sounds like they are banking on not many people being capable of creating this type of debugger. While that may be true, it only takes one person with intent to distribute to turn that theory upside down.
Yes, this is the very tenet of Security Through Obscurity.

"I hope that no one looks into this because we're violating basic client-server trust protocols."

That is horrible programming.
12-06-2011 , 02:10 PM
My Bodog client just downloaded an update (4.0.9). Kyle, does this update interfere with your de-anonymizer?
12-06-2011 , 02:12 PM
Quote:
Originally Posted by Gin&Tonic
My Bodog client just downloaded an update (4.0.9). Kyle, does this update interfere with your de-anonymizer?
Lol, highly doubt it. Bodog obviously isn't that smart.
12-06-2011 , 02:20 PM
I have never played Bodog and after seeing this video and the A tables
I guess I never will.

What a mess!

The one thing I don't quite get is the security issue. Party Crasher does allow you to see the login ID #'s, so obv the tables are not anonymous as they claim,
but why does viewing the account #'s pose a security risk? At most sites, including Poker Stars, the screen name is essentially the account # and you see those.

How is viewing the login #'s any different than viewing the screen name, which is used as a login for other sites?

Last edited by R*R; 12-06-2011 at 02:25 PM.
12-06-2011 , 02:21 PM
Stars offers two-factor authentication. That's secure. Anyone else who doesn't offer this is not secure, period, especially when you expose login names/credentials.

A video is upcoming soon to talk about this.

We're taking a look at the new update, but our office isn't dedicated to penetration testing and security analysis. We'd love to be paid for that, but we have other stuff we have to do to earn money. So hopefully I can update you soon, but we'll see.
12-06-2011 , 02:24 PM
Quote:
Originally Posted by Gin&Tonic
My Bodog client just downloaded an update (4.0.9). Kyle, does this update interfere with your de-anonymizer?
They just installed a new graphic. Now when you have a bad beat, the dog from Duck Hunt pops up and laughs at you.
12-06-2011 , 02:26 PM
It's just a bit surprising that no one from Bodog has made any comments yet.
12-06-2011 , 02:28 PM
Quote:
Originally Posted by daneblazer
They just installed a new graphic. Now when you have a bad beat, the dog from Duck Hunt pops up and laughs at you.
lol
12-06-2011 , 02:34 PM
Quote:
Originally Posted by daneblazer
They just installed a new graphic. Now when you have a bad beat, the dog from Duck Hunt pops up and laughs at you.
Good to see that they are putting their resources where they will do the most good.
12-06-2011 , 02:51 PM
Quote:
Originally Posted by Gin&Tonic
My Bodog client just downloaded an update (4.0.9). Kyle, does this update interfere with your de-anonymizer?
Yeah they added another 1 at the end of your client ID, you're safe now.
12-06-2011 , 02:56 PM
I'm going to write a longer blog post about this in the future, but here's something I want to point out:

We cracked their anonymous tables, and the changes they need to make to fix the problem permanently are difficult. We know that they probably didn't do it overnight.

Here's my point: Unless ******** (or some other pen test organization) tells you that Bodog is or is not safe, what will you assume? What will anyone assume? That it's safe? That it's hackable?

I cannot think of a more obvious situation that proves the need for independent analysis. When Internet poker is legalized in the United States (and it's coming eventually, we all know that), people will rightfully demand that these sites are audited by people who understand the industry and provide full disclosure on their operations.
12-06-2011 , 03:34 PM
Maybe this means there is a hope for HUDS coming back? Awesome
Just withdrew all my funds from Bodog but I might redeposit if I find out there is a HUD that will work again.
12-06-2011 , 03:55 PM
Hey Kyle, thanks for your work on this.

I understand the concept about not trusting the client but how would a properly designed program remedy this if they still wanted to anonymize tables (which I think is ******ed regardless)...

Would you have to do all the processing/tracking of who is who on the server side which would put a lot more load on their servers? Is that potentially why they avoided doing it that way? Could they just encrypt the info getting sent client side instead?
12-06-2011 , 04:45 PM
Video uploading. Blog post to accompany.
12-06-2011 , 05:30 PM
And my response to Bodog Becky's laughable statement:

Quote:
Originally Posted by b-dogBecky
From Bodog Network:

The talents of the online poker community have been enormously helpful in testing the new software we have released.
Then why have you banned my accounts? Including accounts from 4 years ago? I posted evidence of this.

Quote:
Obviously, any release has its teething problems and equally obviously we take any fault very seriously & we have released an update which we are confident has addressed the most pressing issues.
Do you REALLY want to go down this road again?

I'll ask you this: Prove it to us that your security is tight and that we can't break it again.

Quote:
The input of poker players and software professionals since launch has helped us make our system more robust and highlight how strong the poker community is.
Again, why did you ban me and not get in touch with me personally?

This is beautiful spin, everyone. I hope you are seeing what is happening here - an attempt to get out in front of the story and paying lip service to open standards and independent analysis, yet not ONCE did they personally contact me and ask for help.

Demand independent analysis. It goes hand in hand with regulation. Period.
12-06-2011 , 05:47 PM
Quote:
Originally Posted by vetiver
thanks for posting this kyle. my commentary is encrypted below:

lol1 bodog1
rofl.... love it1
12-06-2011 , 05:52 PM
I'm a computer and web programmer and have experience in security... so if anybody else has the same knowledge as me let me know if I'm wrong here... but...

Can't they just md5 the user ID's with a salt and make it impossible to backtrace them except to their server?

I don't know, seems like a really basic thing that many websites have that are far less sophisticated as far as security requirements, and for some reason, NOBODY that works at Bodog has said a word about it?

Sigh, if Bodog sees this, I can fix your entire issue in about 90 minutes, let me do it?

Oh and I can fix your add chips button too... just grab the player's stack as a variable before you add chips to their stack and do a compare.

You guys are pretty sad if a 23 year old web designer knows more about coding your software than you do...

And I repeat, sigh.
12-06-2011 , 06:12 PM
Quote:
Originally Posted by integratyper777
I'm a computer and web programmer and have experience in security... so if anybody else has the same knowledge as me let me know if I'm wrong here... but...

Can't they just md5 the user ID's with a salt and make it impossible to backtrace them except to their server?

I don't know, seems like a really basic thing that many websites have that are far less sophisticated as far as security requirements, and for some reason, NOBODY that works at Bodog has said a word about it?

Sigh, if Bodog sees this, I can fix your entire issue in about 90 minutes, let me do it?

Oh and I can fix your add chips button too... just grab the player's stack as a variable before you add chips to their stack and do a compare.

You guys are pretty sad if a 23 year old web designer knows more about coding your software than you do...

And I repeat, sigh.
Just as long as that stuff doesn't break the superuser back end functionality they've worked so hard to conceal. So we're basically dealing with potripper himself, eh?

If at first you don't succeed, try again.
12-06-2011 , 06:20 PM
Quote:
Originally Posted by integratyper777
Can't they just md5 the user ID's with a salt and make it impossible to backtrace them except to their server?
That would solve the problem of backtracing to an actual name/nick, but you would still be able to use the ID to unanonymize for datamining and/or your HUD.

Juk
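Juk's objection in code, as an added example (not code from the thread, from Bodog, or from the debugger discussed): a salted MD5 of the account ID is a stable token, so a client that sees it at one table can follow the same player to the next; a server-side token keyed on the table as well is not joinable across tables. The salt, key, account numbers and table names are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample values for this example; none are real site data.
SERVER_SALT = b"static-site-salt"       # what "md5 with a salt" boils down to
SERVER_KEY = b"server-only-secret-key"  # must never be shipped to the client
USER_IDS = ["1001", "1002", "1003"]     # hypothetical account numbers
TABLES = ["table-A", "table-B"]


def salted_md5_pseudonym(user_id: str, table_id: str) -> str:
    """The scheme floated in the thread: md5(salt || user_id).

    Hard to invert, but the token is the same at every table, so a
    client-side HUD or datamining tool can still follow one player
    from table to table (table_id is ignored on purpose)."""
    return hashlib.md5(SERVER_SALT + user_id.encode()).hexdigest()[:12]


def per_table_pseudonym(user_id: str, table_id: str) -> str:
    """Server-side alternative: keyed MAC over (table, user).

    Stable within a table, so seats stay consistent during play, but a
    different opaque token at every table; joining tokens across tables
    needs SERVER_KEY, which the client never holds."""
    msg = f"{table_id}|{user_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:12]


def seat_map(table_id: str, pseudo_fn) -> dict:
    """What the server sends the client for one table: token -> seat.

    Raw account IDs are resolved here and never leave the server, so
    there is nothing for a client-side debugger to read back."""
    return {pseudo_fn(uid, table_id): seat for seat, uid in enumerate(USER_IDS, start=1)}


def linkable_across_tables(pseudo_fn, user_id: str) -> bool:
    """True if one account shows the same token at more than one table,
    i.e. a passive client can track the player across tables."""
    tokens = {pseudo_fn(user_id, t) for t in TABLES}
    return len(tokens) < len(TABLES)


if __name__ == "__main__":
    for name, fn in (("salted md5", salted_md5_pseudonym),
                     ("per-table HMAC", per_table_pseudonym)):
        print(f"{name}: linkable across tables = {linkable_across_tables(fn, '1001')}")
        for t in TABLES:
            print(f"  {t}: {seat_map(t, fn)}")
```

Within a single table the per-table token is still constant for the session, which is what a HUD needs for that one table; what it loses is the ability to join sessions across tables or over time.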
12-06-2011 , 06:34 PM
Quote:
Originally Posted by Nofx Fan
I'm pleased you've shown this vulnerability, but not so much with the selling of HH's and I can't speak for Bodog Becky or any of these asshats but wouldn't that be a reason your accounts were banned?
They don't sell bodog HH.

They have ridic high prices tho.