Thoughts on Security in Online Poker

04-30-2010 , 12:39 AM
PLEASE READ BEFORE POSTING:

Please be careful what you say here. ITT, we're going to discuss ways to make it harder for people to cheat and scam in the online poker world. This is not a thread for helping people figure out how to cheat or scam and get away with it. If you have something to say that might help the bad guys, e-mail it to the sites directly or PM it to me. If you're not sure, PM me and I'll let you know.

Here's an example to make it clear what's not ok: When online poker was relatively new, people made bots that always took the same amount of time to act. Eventually, people figured this out and bots like this got caught. If this weren't really commonly known to all bot makers, it would not be okay to publicly discuss trying to catch bots by looking for this because that would let bot makers know what to avoid.

I hope the mods will help to enforce this.

Intro

This OP is a random list of thoughts that I have about various situations in online poker security. It's certainly not comprehensive, and some of it will probably be old news. Some of it will probably be pretty stupid since I'm not particularly educated about this stuff. But I think some of my ideas are probably decent, so I thought I'd post them and hopefully help out a bit.

Please feel free to add your own suggestions and to comment on mine (again, keeping in mind that information that will help cheaters is not acceptable). With any luck, this thread could become a fairly comprehensive guide to online poker security.

Unfortunately, cliffs aren't really possible for a post like this. Obv feel free to only read about the parts that interest you.

Multiaccounting

(This is about having a second account, not playing two accounts in the same tournament or at the same table.)

Currently, there are barely any consequences to multiaccounting. I'm not really sure how it varies by site, but I've heard of lots of examples of people being caught multiaccounting and suffering no real consequences. The sites closed their second account and kindly sent the money that they had there to their original account. So, it's not surprising that multiaccounting is very common.

As I see it, there are only two possible solutions to this.

1) Allow everyone to change their screen names often (like Cake does). That way nobody will gain an advantage from multiaccounting because everyone will be relatively unknown. This also solves some other problems like datamining and extreme bumhunting. The big problem with this is that it kills a lot of the fun of poker that comes from building reads on players over long periods of time. It also makes it much harder for players to report suspicious players to sites or to catch cheaters on their own. And, it would be a big disadvantage to sponsored players who presumably wouldn't be allowed to play anonymously. Regardless, it seems like only a few sites are interested in this approach.

2) Start actually having harsh financial punishments for multiaccounting. The sites should send out an e-mail announcing that a new policy on multiaccounting will take place in a month or something, giving people a grace period to close their extra accounts. After that, people who get caught multiaccounting should face real financial consequences. The penalty should be expensive enough that the risk of getting caught negates the advantage gained. Of course, the money that sites take from multiaccounters should be given to the players they cheated.

Also, if you played against a second account, you obviously have the right to know the name of the original account. In that way, people won't get an advantage by being unknown when they switch back to their original accounts.

I should mention that some players have a second account for completely innocent reasons. For example, some people signed up to FTP to railbird long before they started playing but forgot their password or didn't like the name they used or whatever, so they started a new account. The purpose of the grace period is to give people like this a chance to sort things out. (And hopefully in examples like the one I just gave, the sites do the reasonable thing and close the original account, not the second one.)


Datamining

Right now, the sites try to prevent datamining by making it harder to actually gather the hands. They could pull this off if they allow players to frequently change screen names or if they stop allowing observers to the table. Otherwise, there's just no way that they'll manage this because all this data is easily available and dataminers only need to collect it.

Datamining also serves some legitimate functions that I don't think the sites really should discourage. It's helpful for catching cheaters. Some people have claimed that that's not true, but I think I've recently proved them wrong. It's also helpful for preventing sites from cheating, and more importantly, allowing third parties to assure people that the sites aren't cheating. It also provides really awesome datasets for nerds like me who are interested in various economics problems related to poker or for governments considering licensing it.

So, the way I see it, there are three options on datamining:

1) Actually make it impossible to datamine in the ways I've already mentioned. I don't think many sites will do this.

2) Just completely allow datamining. This has the obvious problem that people who don't datamine will be at a big disadvantage.

3) Instead of trying (and failing) to prevent the actual collecting of data, just make it so that people can't use datamined hands in their HUDs.

This should be pretty easy to do. As I understand it, HM and PT3 have both agreed to follow the T+Cs of the sites. (For example, neither HUD works on Cake because Cake has banned HUDs.) So, ask them (and whatever other HUD companies are out there) to only give HUD data from hands that were played by the current player. Obviously give them a reasonable amount of time to make these changes. Then slightly modify the way that you release hand histories so that people have to update their HUDs in order to continue using them (and therefore get the update that keeps datamined hands out of their HUDs). If any software developers don't comply (I assume the big ones would), put them on the banned software list and treat them like you do all other banned software.

This won't stop people from studying how other people play between sessions, but nothing practical will prevent that, and that's a lot less serious than using datamined hands in your HUD, IMHO. This plan also has a lot of extra benefits. For one thing, it stops people from using previously datamined hands in their HUDs as well as new datamined hands. It also prevents people from using shared databases in their HUDs, and it means that when you play on someone else's computer you won't get data from hands that he played. Plus, datamining for legitimate purposes (like catching cheaters or studying poker for academic/legal reasons) could continue. Those are all benefits that my solution has but preventing datamining completely does not.

This will probably prevent the vast majority of people from using datamined hands in their HUDs, but I have to admit that there are ways to get around a restriction like this (I'd prefer if people didn't discuss them ITT). To stop people from doing this, take screen shots of players' screens occasionally (most sites already do this when looking for other forms of cheating) and if someone is caught with datamined stats in their HUD, take some amount of money from them and give it to their opponents. You won't have to take these screen shots very often at all to make it -EV for people to try to get around the above restrictions since the benefit that people gain from datamining isn't huge.

I realize that even this isn't a complete solution. Some programmers will figure out ways around this (please don't discuss them ITT). But I don't think that this means that the idea isn't good. Currently, lots of people who are willing to break the rules do so with almost no effort and gain an advantage over people unwilling to break these rules. If this gets implemented, a few people will continue to break the rules, but it will be limited to people with the resources and knowledge to do it and some of them will actually get caught. I think that's a big improvement.

PTR/Sharkscope/OPR/PokerDB/HSDB/etc.

These sites aren't going anywhere unless the poker sites make the information they need totally unavailable—i.e. allow people to change their screen names or don't allow observers to watch games or see tournament results. So either Stars, FTP, etc. do those things, or they should accept that PTR, sharkscope, etc. are going to exist and figure out how best to coexist with them. There are a few things that I think almost everyone agrees should change:

1) Players should be able to opt out of any of these sites. People should have the right to play poker without someone posting publicly how much they've won or lost. Obviously details about how a player would be told about his option to opt out are up for debate, but I think this general idea is pretty solid. (I think Stars has tried something similar except asking players to opt in instead of opt out. This seems impractical to me because I just don't think many sites would be willing to give up all the data of the people who don't care either way.)
2) In general, things that might come off as mocking should be removed. So no “top losers” lists and no “tilt scores” and no ranking someone 4 millionth out of 4 million or anything.
3) No mocking people with data from these sites in chat. (“OMG you're down $3,000! You're so bad!”)
4) Players can't play and have PTR/Sharkscope/etc. open at the same time. Sites should make it clear that they're going to start enforcing this rule, and then start enforcing it. PTR/Sharkscope/etc. can help by explaining this clearly on their front pages or with a popup or whatever. If it's feasible with software, one side or the other could give a warning when a player is in violation of this so he has a chance to close his web browser without getting in trouble.
5) No HUDs that use the data from these sites.

If a datamining site complies with these rules (or whatever other set of rules everyone agrees to), the poker sites should simply allow them to exist. Otherwise they can continue to make life difficult for them by blocking IP addresses, etc. I bet they'll comply.

I realize that lots of people won't consider this to be an ideal solution, but I doubt anyone can come up with a better one that actually has a chance of happening.

Collusion

The sites need to do a better job of finding suspicious players on their own. They're much better equipped to do this than players, and players are in general really really bad at it.

However, looking through a large database of players for collusion is really difficult. I've talked to a few different programmers about this, and they all agree that the only reasonable way to do it is to maintain a separate database that's indexed specifically to look for collusion. Obviously what you look for is pairwise statistics between various players (How often does Alice 3-bet Bob? How often does Bob get to showdown against Alice? What % of hands has Alice played with Bob? Etc.) and if these numbers are significantly anomalous, a security rep should look into it. People who understand this stuff a lot better than I do tell me that this is a pretty expensive thing for the sites to do, but, frankly, the sites have plenty of money to make this happen. (Maybe they could even enlist dataminers to help.)

Testing for hole card sharing is really really easy. I assume sites already know this, but I'll mention it anyway to discourage people from trying it and so that people can check on their own if they've been cheated in this way with HM. All you have to do is filter for hands in which one of the suspect players has a certain type of hand in a certain spot and see how the other player plays. Then look at the same spot where the first player had a different hand and see if play changes. Rinse and repeat for a few different spots and a few different types of hands, and account for randomization and you have a definitive way to tell if players are sharing hole cards. The sites should automate this process as well. (You can use the exact same method to check if someone can see your hole cards.)

Other types of collusion are a bit harder to detect and prove since you can't really prove intent in all cases. The key in these cases is to have very strict rules and to enforce them selectively. For example, if a buddy and I softplay each other and do so over tens of thousands of hands or more, that's cheating. It's cheating because I can be expected to know better and because it's reasonable to assume that I did it to gain an edge. This is true regardless of whether I actually succeeded in gaining an edge (Some cheaters suck at it. They should still be punished.) or whether it can be shown that we had an explicit agreement (because that's impossible to show unless I'm dumb enough to admit to it). However, if a casual player doesn't 3-bet someone very much, I think that's fine because it's too likely that he's doing it for some reason other than the fact that he's giving the player he's avoiding equity at the expense of the other players at the table. If two casual players agree not to 3-bet each other very often or to avoid each other in a tournament or something, they should get a warning and an explanation that that's not ok, and if they do it again they should suffer more severe punishment.

This might sound like an awkward way to handle things. It's obviously a double standard where winning players are held more responsible than losing players. It also requires some subjectivity on the part of security departments, which isn't ideal. But, it's really not too bad. The vast majority of cases will be pretty clear cut like the examples I gave above. Plus, the only alternative I see is to allow collusion. In fact, I know that Stars already handles some types of potential cheating in essentially this way, and I assume other sites do as well.

What to Do If You Suspect Someone of Cheating

1) E-mail the poker site right away. It seems like in every cheating scandal, there's a long list of players who suspected that the cheating was happening but didn't mention it to anyone. Don't be one of those people. It's in your best interest to say something because, if you're right, you should be entitled to money back. Plus, it takes like two minutes max to write up a decent e-mail. (Don't be embarrassed because you might be wrong. The poker sites get a huge volume of e-mail from people saying that the site is rigged because they got TT when someone else had AA or whatever. So, even if you're totally wrong and overlooked something simple, you'll still probably be in the top 20% of e-mailers :P.)
2) Try to tell people privately about your suspicions if you see them playing against the suspect account. However, don't make things public right away. If you do, and you're right that cheating is happening, you'll be increasing the chances that the cheater gets money off of the site. If you're wrong, you'll be hurting an innocent person's name and causing unnecessary panic.
3) Wait a while. These things take time... like weeks. If you're not sure how much time is reasonable, ask someone who knows better. You can PM me if you'd like.
4) If the site doesn't finish in a reasonable amount of time, or you're not satisfied with their answer, contact someone you trust to look it over. You can PM me about it if you'd like.
5) If the consensus seems to be that the site screwed up, make it public.

Security Tokens

The risk of losing money to hackers is still very real because some immature douche bags think it's funny to spend all their time trying to hack people's accounts and then dumping all their money in high stakes cash games.

Security tokens (like this one: http://en.wikipedia.org/wiki/RSA_SecurID ) make poker accounts nearly unhackable. All sites should have these by now. If you play on a site that doesn't, e-mail them and bug them about it. If you keep more than ~$1k on a site that has these and don't have one, get one.

Vote with Your Voice if not Your Money

I'm not asking anyone to boycott sites that don't enact good security measures because that's just not going to happen. (Honestly, I'm not willing to boycott any sites myself.) Instead, just suggest the safer sites to the casual players that you meet. If you're anything like me, you get asked about online poker by the uninitiated a lot, so if we all do this, this will directly drive some more traffic to the safer sites. Plus, it will also make the safer sites softer which will mean that we'll be better off playing on them which will make us safer and also further reward the safer sites.

If you have a blog or a web site or some medium that is remotely linked to poker, go out of your way to promote the safer sites and avoid promoting the less safe sites. Big companies like 2p2, cardplayer, bluff, WSOP, etc. should follow this policy as well.

Bots

CAPTCHA (http://en.wikipedia.org/wiki/Captcha) is awesome. It's not perfect, but it's a lot harder to get around than other methods of catching bots. Sites should just make you very occasionally have to enter a CAPTCHA before opening a table.

Incidentally, there are a lot of other methods that the sites could use to catch bots that I won't discuss publicly because they depend on programmers' ignorance. You shouldn't talk about these things publicly either. (See my example in the first section.)

Whether or not a Player Cheated is not Private Information

This should go without saying, but apparently FTP has a different view on things. FTP currently states that it would violate a player's privacy to reveal that his account is under investigation or to reveal whether or not a player has been caught cheating. When I first heard this, I naturally assumed that there was some misunderstanding, but I've confirmed it from multiple sources. In particular, when I repeatedly asked FTP what they were doing about the stoxtrader cheating scandal, I was always told something like this: "As previously stated we are unable to provide information regarding another player's account" (except in one instance mentioned below).

A player is not entitled to privacy when it comes to whether or not he cheated. If a player cheated or is suspected of cheating, those affected deserve to know for obvious reasons. If a player hasn't been caught cheating, I don't see why he would have a problem with the sites letting them know.

FTP's current policy also makes it impossible for players to hold them accountable in their security decisions. That's completely unacceptable.

(Incidentally, FTP's already violated this policy repeatedly when it's convenient for them. For example, they refused to comment at all about the stoxtrader situation when I originally asked and they assured me that that was their policy and they wouldn't even tell me if they were investigating. Then I posted my thread and two days later FTPSean posted publicly that FTP was investigating.)

Miscellaneous Tips for Not Getting Scammed

* AIM logging is awesome. If you have the standard AIM client, go to Edit-> Settings-> IM Archives and check “Archive IMs”. Now every AIM conversation you have with someone on this computer will be saved to your hard drive. This is really key for remembering prop bets and staking arrangements and all the other various deals that you enter into over AIM as an online poker player. Plus, it's also good for remembering when you're supposed to meet up with someone or a phone number or whatever as well.

* Don't ever transfer money with a random person. Even if you have him send first, he can still scam you in various ways or you could end up with your account locked.

* Prop bets are very risky. A lot of people don't plan on welching on bets when they make them because they don't expect to lose. Then if they do lose, they feel wronged. So only make prop bets with people you trust or use an escrow. Never make prop bets for a significant amount with someone who's not a gambler without making it very very clear that they will have to pay you real money if they lose.

* Always google someone's screen name before doing any business with them. For example, don't do business with this guy http://www.google.com/search?sourcei...q=cornell+fiji or this guy http://www.google.com/search?hl=en&s...mrozo&gs_rfai= .

* Change all your security question answers to random gibberish. Otherwise anyone who looks up what your elementary school is or whatever can hack your accounts.

* AIM and e-mail accounts aren't secure. If someone IMs or e-mails you asking for something and doesn't sound like himself, you should be very suspicious that he's been hacked. If you have a phone number, call. Otherwise, try asking a question that only he would know the answer to. If it's a hacking or you're not sure, post on 2p2 to warn others. False alarms are no big deal.

* In general, you should try to use two forms of communication before making big transactions (IM and phone, for example).

Last edited by Bobo Fett; 04-30-2010 at 04:11 AM. Reason: Added section as per OP's request.
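
The pairwise index described in the Collusion section of the opening post, as an added example that is not part of the original post and is not any poker site's own code. It implements one of the listed statistics (how often one player 3-bets another) and sends a pair to human review only when both players 3-bet each other far less often than they 3-bet everyone else. The event format, function names, thresholds and all counts below are assumptions constructed for illustration.

```python
"""Pairwise 3-bet index for collusion review (added example, constructed data)."""
import math
from collections import defaultdict

# Constructed sample: (hero, opener) -> (times hero faced opener's raise, times hero 3-bet).
CONSTRUCTED_COUNTS = {
    ("alice", "bob"): (200, 2), ("alice", "carol"): (200, 20), ("alice", "dave"): (200, 18),
    ("bob", "alice"): (200, 1), ("bob", "carol"): (200, 22), ("bob", "dave"): (200, 19),
    ("carol", "alice"): (200, 20), ("carol", "bob"): (200, 19), ("carol", "dave"): (200, 21),
    ("dave", "alice"): (200, 18), ("dave", "bob"): (200, 20), ("dave", "carol"): (200, 19),
    ("eve", "alice"): (5, 0),  # casual player: far too few hands to judge
}


def constructed_events():
    """Expand the counts into one (hero, opener, did_3bet) event per opportunity."""
    for (hero, opener), (opps, three_bets) in CONSTRUCTED_COUNTS.items():
        for i in range(opps):
            yield hero, opener, i < three_bets


def build_pair_index(events):
    """Aggregate events into {(hero, opener): [opportunities, three_bets]}."""
    index = defaultdict(lambda: [0, 0])
    for hero, opener, did_3bet in events:
        cell = index[(hero, opener)]
        cell[0] += 1
        cell[1] += int(did_3bet)
    return index


def pair_z_scores(index, min_opps=100):
    """Two-proportion z-score: hero's 3-bet rate vs this opener against
    hero's rate vs every other opener. Pairs with small samples are skipped."""
    totals = defaultdict(lambda: [0, 0])
    for (hero, _), (opps, three_bets) in index.items():
        totals[hero][0] += opps
        totals[hero][1] += three_bets
    scores = {}
    for (hero, opener), (n1, k1) in list(index.items()):
        n2 = totals[hero][0] - n1  # opportunities against everyone else
        k2 = totals[hero][1] - k1
        if n1 < min_opps or n2 < min_opps:
            continue  # not enough hands on one side to say anything
        pooled = (k1 + k2) / (n1 + n2)
        se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
        if se == 0:
            continue  # hero never (or always) 3-bets anyone: no contrast to measure
        scores[(hero, opener)] = (k1 / n1 - k2 / n2) / se
    return scores


def review_queue(scores, threshold=3.0):
    """Unordered pairs where BOTH directions are anomalously low.
    The output is a list for a security rep to look at, not a verdict."""
    low = {pair for pair, z in scores.items() if z <= -threshold}
    return sorted({tuple(sorted(p)) for p in low if (p[1], p[0]) in low})


if __name__ == "__main__":
    idx = build_pair_index(constructed_events())
    z = pair_z_scores(idx)
    for pair in sorted(z, key=z.get)[:3]:
        print(pair, round(z[pair], 2))
    print("review:", review_queue(z))
```

The mutual requirement and the minimum sample size reflect the post's own distinction: a casual player who rarely 3-bets one opponent is not flagged, while a sustained two-way pattern is queued for a person to examine.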
04-30-2010 , 12:50 AM
wow.

give me a minute to digest :]
04-30-2010 , 01:02 AM
Good job putting this together for people, Noah. I'm going to link this to the person to person transfer thread and ask Mike to possibly add it to the OP (in regards to the last part of the post anyway).

Well done again, Sir.

For anyone interested in more tools and tips for safe trading please visit this post, which is a wealth of collective information http://forumserver.twoplustwo.com/sh...25&postcount=1

Last edited by Nofx Fan; 04-30-2010 at 01:12 AM.
04-30-2010 , 01:02 AM
Quote:
Originally Posted by NoahSD

CAPTCHA (http://en.wikipedia.org/wiki/Captcha) is awesome. It's not perfect, but it's a lot harder to get around than other methods of catching bots. Sites should just make you very occasionally have to enter a CAPTCHA before opening a table.

Incidentally, there are a lot of other methods that the sites could use to catch bots that I won't discuss publicly because they depend on programmers' ignorance. You shouldn't talk about these things publicly either. (See my example in the first section.)
Why not make the CAPTCHA random and just pause the person's tables for 15 seconds or whatever? Make it look like a disconnect to the other players.
04-30-2010 , 01:04 AM
Quote:
Originally Posted by eastern motors
Why not make the CAPTCHA random and just pause the person's tables for 15 seconds or whatever? Make it look like a disconnect to the other players.
People mess up CAPTCHAs sometimes. They should have a couple chances and not lose money if they screw up too many times. An alternative is to have it before you post a blind or before you get dealt cards, but I don't think you should put it in the middle of a hand.

Besides, with my way nobody else is inconvenienced and I don't see any downside. Is there a downside that I'm missing?

Last edited by NoahSD; 04-30-2010 at 01:17 AM.
04-30-2010 , 04:38 AM
Noah, some very good stuff there. Much of it I agree with, some I might have minor quibbles with, but there's only a couple things I see fit to comment on:

Quote:
Originally Posted by NoahSD
2) Start actually having harsh financial punishments for multiaccounting. The sites should send out an e-mail announcing that a new policy on multiaccounting will take place in a month or something, giving people a grace period to close their extra accounts. After that, people who get caught multiaccounting should face real financial consequences. The penalty should be expensive enough that the risk of getting caught negates the advantage gained. Of course, the money that sites take from multiaccounters should be given to the players they cheated.

Also, if you played against a second account, you obviously have the right to know the name of the original account. In that way, people won't get an advantage by being unknown when they switch back to their original accounts.

I should mention that some players have a second account for completely innocent reasons. For example, some people signed up to FTP to railbird long before they started playing but forgot their password or didn't like the name they used or whatever, so they started a new account. The purpose of the grace period is to give people like this a chance to sort things out. (And hopefully in examples like the one I just gave, the sites do the reasonable thing and close the original account, not the second one.)
I agree with this, but with one exception. Your last paragraph is very important, and I don't think a 30-day grace period is enough to handle these cases. You're going to have people who forget they even had another account, and those who open that second account long after this is enacted. I'm talking about the people who never played on the first account, or maybe they played for a few weeks and then heard about RB and opened a second account; that sort of thing. When a site discovers something like that, and can tell the player derived no benefit over other players, nor was it possible for them to, there's no reason to penalize them if the site is willing to let them off.

Quote:
Originally Posted by NoahSD
Security Tokens

The risk of losing money to hackers is still very real because some immature douche bags think it's funny to spend all their time trying to hack people's accounts and then dumping all their money in high stakes cash games.

Security tokens (like this one: http://en.wikipedia.org/wiki/RSA_SecurID ) make poker accounts nearly unhackable. All sites should have these by now. If you play on a site that doesn't, e-mail them and bug them about it. If you keep more than ~$1k on a site that has these and don't have one, get one.
I would just add to this that Keepass is a must-have as well, especially if you play on sites without tokens.

As for datamining, I'll post here what I posted in the PTR Premium thread:

Quote:
Originally Posted by Bobo Fett
All that said, I am strongly against any solution that involves wiping out my ability to track my own play, and to be able to analyze at least a month or two of history against other players. I don't have a problem with a site allowing name changes every month or two, but I really feel notes need to carry over. This doesn't seem the ideal solution to the PTR problem, so I think targeting observed tables is definitely the way to go. Limit the observed tables to one or two, and either put a time limit on this, or use a captcha at random intervals. Still allows people to rail pros or their buddies, but puts a big crimp in datamining.

If that's not enough observed tables for some people who like to rail a lot, allow more on a case-by-case basis. For example, if someone plays regularly, maybe you allow them to observe an extra table or two, especially if they don't exhibit tell-tale datamining traits.

I don't know how hard this would be for sites to implement, but it doesn't seem to me like it would be that difficult. Perhaps I'm mistaken, but if I'm not, I think it's clearly the best way to go.

Quote:
Originally Posted by NoahSD
Ugh... should've put this in the OP. Can a mod throw this in after the bots section?
Done, and I deleted this post to eliminate duplication and possible confusion, if that's OK. I can undelete if there's some reason to.
04-30-2010 , 06:06 AM
the best times to introduce a captcha are either before you start playing (when you sit or log in or somewhere between when you log in and when you get your first cards) and at any random hand when the bot is not involved in the hand.
04-30-2010 , 06:43 AM
Quote:
Originally Posted by Bobo Fett
I would just add to this that Keepass is a must-have as well, especially if you play on sites without tokens.
what exactly does KeePass do?
04-30-2010 , 07:43 AM
Great post, OP. I'm just in the middle of it, will read the rest later.
04-30-2010 , 08:30 AM
Quote:
Originally Posted by Nitrub
what exactly does KeePass do?
Lets you create extremely secure passwords and keeps them in a password-protected encrypted file.

Basically, the passwords for important sites I use look like Hx;YGMmHZG9jZ}Oi6ic'0,3S$RQ(]>, and each one is unique.
04-30-2010 , 08:39 AM
My $0.02:

Great suggestions NoahSD. Two comments regarding concurrent use of programs (HUDs, miners, etc) and sites (PTR, etc):

This is extremely hard to prevent. You can do trivial stuff like check running processes etc. But there are ways to fool them. As you say I will not even touch on how that could be done, suffice it to say it is extremely hard for a poker site to enforce a rule on a client computer that the player has complete control over. In this scenario, only a few players will be running HUDs and miners.

How does the landscape change if instead of many players running HUDs only a few could run them? Would it not be less fair than it is now?

As for PTR: I think the sites realize just how much they need PTR. PTR is an independent body that can verify the site's fair play in case there is a serious accusation. It's one heck of an insurance policy. It's keeping me honest, and it's showing the world that I'm honest. For that reason alone I would put up with PTR.
04-30-2010 , 08:41 AM
What would be interesting is if a poker site turned their relationship with PTR on its head by curtailing everyone's ability to observe tables, except for PTR (or a similar site), who they would give unlimited access to while strictly mandating how the info could be used.
04-30-2010 , 08:56 AM
True, but:

1) The site telling PTR how it can use the data creates the impression of information hiding, which defeats the purpose

2) PTR will need to have a financial incentive to do this, I imagine the "strict mandates" from the sites will be along the lines of "don't sell hand histories to anyone".

3) If you ask a lawyer about whether or not you should do something, the lawyer will always say not to do it. So if there is an agreement between a site and PTR, what will happen is that the information will be hidden from everyone that is interested in seeing it. Ie, the site would need to review and approve any released information, PTR would not be able to publish stats comparisons between sites (for example). I am borrowing heaviliy here from the computer world where database manufacturers have effectively prevented meaningful benchmarking in a database. I think the same would happen here: The sites would each have different restrictions on PTR and information would be far more obscure, and we are back to square one: Full of uncertainty with baseless accusations being thrown around with no way to truly verify them (ie, is PTR protecting its relationship with the site, and therefore keeping it mouth shut, and other people have absolutely no way to verify it either way).

What are you guys' throughts about this? I for one am pretty optimistic about how it works now. People are not associated with one another, so there is full transparency in place. Once you get lawyers involved in contractual information sharing, things hit the fan. The stakes are too high. That's my impression anyway.

EDIT: The way I see the online poker ecosystem working is this: The players PTR themselves, and that keeps PTR honest. Keeping PTR honest in turn keeps the sites honest. It also keeps the players honest since they know PTR has all their hands that can be analyzed any time in the future and have their cheating detected. Since everyone is keeping everyone else honest, there is a reasonable expectation of fairness and there is trust.

Last edited by oldspeedy; 04-30-2010 at 09:08 AM.
04-30-2010 , 09:32 AM
Quote:
Originally Posted by Bobo Fett
Lets you create extremely secure passwords and keeps them in a password-protected encrypted file.

Basically, the passwords for important sites I use look like Hx;YGMmHZG9jZ}Oi6ic'0,3S$RQ(]>, and each one is unique.
looks cool, should I keep the password file somewhere online ?
04-30-2010 , 09:33 AM
Quote:
Originally Posted by Nitrub
looks cool, should I keep the password file somewhere online ?
I don't think it's set up for that. If you need portability, I believe it's designed so you can have your file on a USB drive.

And it's free!
04-30-2010 , 10:21 AM
regarding account security:

I've worked as a programmer for the last 5 years or so, all of which I've dealt with some of the blacker kind of hackers (both within my company for testing and external ones).
we often hire high level hackers and give them a paycheck in return for working for us and not against us to strengthen our robustness.
one of my best friends at my job got hired after showing up to his job interview with a hacked version of a portion of our database on his personal laptop and showing it to the division manager.

there is literally nothing the average person can do to avoid getting owned by a high level hacker, assuming he was really set as a target.

you can secure your computer to a level you (and various knowledgeable people) would deem sufficient, but there are really endless ways to completely destroy someone's fortress of security, big or small.
even if you bolt and lock everything that can possibly lead to your account, social engineering (http://en.wikipedia.org/wiki/Social_...%28security%29) in poker is beyond easy. there are so many factors involved you can't fully know/trust, you stand no chance.
so first of all, like anonymous alcoholism, we should admit we are powerless.

however, after that slap of reality:

1. the amount of high level hackers is not high.
2. poker is not recognized worldwide as a huge source of income. most people, intelligent as they may be, never even think some people have hundreds of thousands of dollars behind some username/password weak-ass client.

=

the amount of high level hackers pursuing poker players is close to zero.
that said, the amount of douchebag script kiddies pursuing poker players is probably a lot higher than people assume.
however, they are ******s, and we are not. mostly.


without clever social engineering, breaking the lock of RSA+password is very very hard, to the verge of unachievable.
if someone cannot obtain your RSA token, or get you or someone around you to give up that information, it is near impossible to gain entry.

additional steps of caution that everyone should take are:

1. keep a separate email account for poker, per website. do not have it in any way relate to your real name/screen name, and keep it SECRET. don't use the 'remember password' option on your browser for that account, don't link it to any real life account, don't send anyone except support emails from that account, don't sign up to 2p2 under that account, whatever else...
this email account has ONE incoming/outgoing stream and it is to the pokersite ALONE.

2. you don't need a password like 3t23tawG#@25@#%(!(!)@)5. that is nonsense and you will never remember them. I am aware of programs like KeePass that will manage that for you, but the idea of having a password manager (with one master password) that holds within it your entire online world is not something security experts are thrilled about.

of course that is better than passwords like "hello24524", "letmein", "password11", "ilovevagina", but that can be easily outdone.
a password like "Bark4B@rK!" is near impossible to hack. so is "sL123@$@$". you can have a relatively short but complex password that will never be broken.
use that for the pokersite, your private email, etc.

3. if you cannot afford a separate poker computer (as most people don't), have a working, good antivirus. as far as I know, the best in the industry is NOD32. the best free antivirus I can think of is Avast although I have not used it in a while.
firewalls come in all shapes and forms these days and all the major companies are fine (zonealarm jumps to mind), but really the windows7 firewall is just fine.

4. in general, try to keep as few people as possible who can relate you to your online screen name. think of it as your bank account, how many people know your account number?
I am not talking about people on this forum who know I am heygorgeouss on stars, I'm talking about people knowing that gorgeouss = Bob van Bobbenstien from 5th street New York.
there are exactly 2 internet friends who know my real name, and I've known those guys online for 8 years (before poker, probably before ADSL)

5. try not to be a ******. don't instantly trust everyone online. there are many scam artists out there, some of them are much smarter than you. you are not god's gift to mankind, and you too can be easily fooled.
I've seen people who I know are geniuses fall prey to a determined scam artist within a span of hours.
relying on your ability to soul read anyone you come in contact with is a fail waiting to happen.


after all that, I know it's hard, but try not to be overly paranoid. you should be fine. don't forget to bring a towel.

Last edited by gorgeouss; 04-30-2010 at 10:28 AM.
04-30-2010 , 10:22 AM
Quote:
Originally Posted by Bobo Fett
I agree with this, but with one exception. Your last paragraph is very important, and I don't think a 30-day grace period is enough to handle these cases. You're going to have people who forget they even had another account, and those who open that second account long after this is enacted. I'm talking about the people who never played on the first account, or maybe they played for a few weeks and then heard about RB and opened a second account; that sort of thing. When a site discovers something like that, and can tell the player derived no benefit over other players, nor was it possible for them to, there's no reason to penalize them if the site is willing to let them off.
Yeah. I guess I should've been clear that the penalty should be calculated by some formula that takes into account number of hands played on each account, number of hands played against the same opponent on each account, and stakes played on each account. I definitely think that someone who played 0 hands on one of the accounts shouldn't be penalized at all. (Though maybe they should lose their rakeback. That's for FTP and affiliates to decide, not me.)



Quote:
As for datamining, I'll post here what I posted in the PTR Premium thread:
This solution won't work. I won't post how to get around it, but if I have a rough idea of how to get around this (with very little programming knowledge), PTR definitely does.

Basically, at this point these things are pretty big sophisticated operations. If it's possible for a bot observer to get any individual hand, it will be possible for a dataminer to get (almost) all hands. The only ways that I think they could stop this are:

1) Ban observing of tables, or only allow it in certain instances or whatever. In other words, make it so that at least some hands are not observable to anyone not sitting at the table.
2) Allow people to change their screen names so that datamining isn't very helpful.
3) Make the information that you see on the table CAPTCHA (i.e., the player's name, cards, bet sizes, etc. are all CAPTCHA images sent from the server). I'm told this would be pretty expensive (because it would require generating a lot of images) and the CAPTCHAs would have to be pretty ugly and annoying to actually work.

Quote:
What would be interesting is if a poker site turned their relationship with PTR on its head by curtailing everyone's ability to observe tables, except for PTR (or a similar site), who they would give unlimited access to while strictly mandating how the info could be used.
I don't see why anyone except PTR would want this.

If the mandates Stars put into this were strong enough, other people would simply come in to compete while getting around whatever restrictions stars put in (assuming they're not one of the three above, since those seem unlikely). If they're not strong enough to make that happen, then I think Stars could probably get everyone to agree to them without having to give one site a monopoly in roughly the way I mentioned in my OP.

That might seem like I'm making stuff up arbitrarily, but I don't think I am. I think that it's exactly when the restrictions become strong enough to make a competitor necessary that Stars would have to offer up something more than just no more harassment to get a site to comply.

Last edited by NoahSD; 04-30-2010 at 10:32 AM.
04-30-2010 , 10:28 AM
Quote:
Originally Posted by oldspeedy
This is extremely hard to prevent...
Yeah, but it's easy to make pretty hard to get around. I think that these changes will stop the vast vast majority of players from using datamined hands in HUDs.

It sucks that a few people will get around it, but I think the number who will do it will be very low, and a few of them will screw it up and get caught.

Quote:
How does the landscape change if instead of many players running HUDs only a few could run them? Would it not be less fair than it is now?
I hope it's clear from my OP that I'm not suggesting banning HUDs. I'm suggesting banning HUDs that include datamined hands (or, technically, hands that do not have the current player at the table).

FWIW, I don't think that the advantage that people get from having datamined hands in their HUD is that huge. So it really doesn't bother me too much if I change it from the current situation (where A LOT of people do this) to a situation where only a few people who are willing to jump through a bunch of hoops for that small edge have it.
04-30-2010 , 10:44 AM
@gorgeouss:

so you suggest having one email account per site BUT the same password for all of them?
04-30-2010 , 10:47 AM
Great conversation.

I am not talking about someone trying to cheat the system and screwing up, I am talking about a hacker type that will be a step ahead of the anti-cheat police and will sell his "HUD-enabler" to anyone willing to pay the price. There is a commercial market for this already in online gaming (first person shooters and such), and once there is a technological attempt to prevent HUD use, people will find a way around it, and cheats will be sold for that as well.
04-30-2010 , 11:25 AM
Quote:
3)No mocking people with data from these sites in chat. (“OMG you're down $3,000! You're so bad!”)
People need to report this to support more often. I always do. Don't expect people to stop doing this unless you are reporting them.
04-30-2010 , 11:29 AM
Quote:
Originally Posted by ubeticall
@gorgeouss:

so you suggest having one email account per site BUT the same password for all of them?
absolutely not

however you can use a similar pattern for your password.

let's say your pattern is

xBon%#y99

so for pokerstars you can have pBon%#s99
for pokerstars email you can have pBon%#e99
etc..

that way you remember a certain combo of difficult characters but have a large amount of passwords.

(obviously the above example is very simplified and you shouldn't just use "PS" for pokerstars "FT" for fulltilt or only two variables at all, but something you'll remember)
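Added illustration, not part of the post above: a self-audit that measures how many single-character edits separate the passwords in a set, which is what matters if one of them leaks. It uses the two pattern-derived examples from the post and `Bark4B@rK!` from the earlier post as a contrast; the function names and account labels are assumptions of this example.

```python
from itertools import combinations


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def audit(passwords, max_distance=2):
    """Return (label_a, label_b, distance) for every pair of passwords that
    is within max_distance edits. Only labels are returned, never secrets."""
    close = []
    for (la, pa), (lb, pb) in combinations(passwords.items(), 2):
        d = edit_distance(pa, pb)
        if d <= max_distance:
            close.append((la, lb, d))
    return close


if __name__ == "__main__":
    # Values taken from the thread; the labels are made up for the example.
    sample = {
        "pokerstars": "pBon%#s99",
        "pokerstars email": "pBon%#e99",
        "unrelated": "Bark4B@rK!",
    }
    for a, b, d in audit(sample):
        print(f"{a} / {b}: {d} edit(s) apart")
```

A pair reported at distance 1 or 2 means that anyone who learns one of the two passwords is a few guesses from the other.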
04-30-2010 , 11:45 AM
Quote:
Originally Posted by NoahSD
Collusion

...People who understand this stuff a lot better than I do tell me that this is a pretty expensive thing for the sites to do, but, frankly, the sites have plenty of money to make this happen...
Actually, I am one of those people who do know how to do this, and basically it wouldn't cost the sites anything except a few people's salary who are capable. Considering the sites make hundreds of millions a year, I don't think asking them to hire a couple more people in the security department is asking too much considering how lacking it is. As I mentioned on another thread, I'd even work for PS (assuming they would let me work from home).
04-30-2010 , 12:52 PM
old,
Again, I'm not suggesting that the sites ban HUDs. I'm suggesting that the sites ban HUDs that use more information than people should have.

This makes the incentive for getting around these restrictions pretty small.

Jon,
Again, I'm completely uneducated about this stuff, so I'm just passing on third-hand information that I might be misinterpreting. However, as I understand it, it will cost a lot of money to set up servers running an indexed database with pairwise comparisons of hundreds of thousands of players over tens of billions of hands. I've been told it's pretty much a one-time cost, though.
04-30-2010 , 01:13 PM
Quote:
Originally Posted by NoahSD
old,
Again, I'm not suggesting that the sites ban HUDs. I'm suggesting that the sites ban HUDs that use more information than people should have.

This makes the incentive for getting around these restrictions pretty small.

Jon,
Again, I'm completely uneducated about this stuff, so I'm just passing on third-hand information that I might be misinterpreting. However, as I understand it, it will cost a lot of money to set up servers running an indexed database with pairwise comparisons of hundreds of thousands of players over tens of billions of hands. I've been told it's pretty much a one-time cost, though.
There is no need to set up anything like that... all you need to do is run some (obviously custom) reports off of their current databases...

They could even use some relatively cheap reporting software like Crystal Reports if they can't code SQL themselves. With the right access, and even Crystal Reports, I could be catching cheaters in under an hour.

Some of the more complicated reports I have in mind would probably have to be coded from scratch, but that wouldn't take more than a day or two.
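Added illustration, not code from any poster or poker site: the kind of pairwise report the last two posts argue about, written as one SQL self-join over a hand table. The `hand_players` schema, the thresholds and the player names are assumptions, and the data is constructed for the example.

```python
import sqlite3

# Count, for every pair of players, the hands both were dealt into, next to
# each player's total volume. Schema and names are assumed for this example.
REPORT_SQL = """
WITH totals AS (SELECT player, COUNT(*) AS hands FROM hand_players GROUP BY player)
SELECT a.player, b.player, COUNT(*) AS shared, ta.hands, tb.hands
FROM hand_players a
JOIN hand_players b ON a.hand_id = b.hand_id AND a.player < b.player
JOIN totals ta ON ta.player = a.player
JOIN totals tb ON tb.player = b.player
GROUP BY a.player, b.player
HAVING COUNT(*) >= ?
ORDER BY shared DESC, a.player, b.player
"""


def sample_rows():
    """Constructed data: one (hand_id, player) row per player dealt into a hand."""
    rows = []
    for h in range(1, 9):    # dave and erin share all 8 of their hands
        rows += [(h, "dave"), (h, "erin"), (h, ("alice", "bob", "carol")[h % 3])]
    for h in range(9, 21):   # the other three rotate among themselves
        pair = (("alice", "bob"), ("bob", "carol"), ("alice", "carol"))[h % 3]
        rows += [(h, pair[0]), (h, pair[1])]
    return rows


def load(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hand_players (hand_id INTEGER, player TEXT)")
    conn.execute("CREATE INDEX idx_hand ON hand_players (hand_id)")
    conn.executemany("INSERT INTO hand_players VALUES (?, ?)", rows)
    return conn


def pair_report(conn, min_shared, min_ratio):
    """Pairs dealt into the same hand at least min_shared times, where those
    hands are at least min_ratio of the lower-volume player's total."""
    out = []
    for a, b, shared, hands_a, hands_b in conn.execute(REPORT_SQL, (min_shared,)):
        ratio = shared / min(hands_a, hands_b)
        if ratio >= min_ratio:
            out.append((a, b, shared, round(ratio, 2)))
    return out


if __name__ == "__main__":
    conn = load(sample_rows())
    for row in pair_report(conn, min_shared=4, min_ratio=0.75):
        print(row)   # a queue for manual review, not a verdict
```

The self-join grows with the square of the seats per hand, not of the player count, which is why the index on `hand_id` carries most of the cost; high overlap alone also describes friends and regulars at the same stake, so the output is only a starting list for a human.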
