Imagine what's going on in RnC games since they aren't tracked...
Players who ch/f every time you flop a set and call every river bluff, anyone?

there have been many speculating moneytaker was white hat and didnt care about money, just trying to expose gg's lax security. why do we think that?

the two arguments i'm aware of are
a) their sn is the name of a hacker group
b) they played so bad they must've wanted to get caught

to a): has that hacking group ever whitehatted anything or even done something "just to show" security exploits? briefly reading about them it sounds like they operated silently and undetected for a period of years before their sophisticated financial crimes were detected and attribtued to them

to b): robbie jade. also, the atrocious play is entirely consistent with someone who's not sophisticated at poker but is sophisticated at pushing known allin equities to grow bankroll fastest

the theory's also inconsistent with moneytaker cashing out some of their winnings so GG couldn't confiscate it all, no?

That's unfortunate.

It does make sense, minbetting gives you more points than checking. These "fishes" are rb pros abusing the rush leaderboards.

Nailed it.

This is what matters. The issue is GG's whole approach to security and how they prioritize speed of release over security, not the isolated incident (which may not be so isolated).

Trying to investigate chipdumping cases/cases with unnaturally high winrates, that doesn't make all that much sense, in the context of this specific issue. If multiple players took advantage of the exploit, it's unlikely they'll have done it as blatantly as MoneyTaker69. If it's been used in a smart way, there'll be no way for you to identify the perpetrators. GG might not even be able to do so, based on their blog post, as they likely don't have any server side logs that'd make it easy to identify. And if they do, there's no way they'll ever disclose it, if there's more than this one case.

If you live in a country where GG holds a local license, it could be worth flagging this to the local regulator, but it's unlikely they'll understand the severity of the issue.
The local regulator could demand a formal investigation and data to be shared with them.

As a software developer, that the bug happened doesn't surprise me. Business types can't be bothered with the details and want speed and new features above all else. If there's a bug, they know they can just blame the technical people.

It often takes a heroic stand by a programmer to slow down and do things right, which only works if the programmer has been there for a while and has a lot of clout.

Don't worry. They are hiring a new security person, thus doubling there security team.

From what I understand, the client was able to request AIEV from the server at any time during the hand, and the server provided it. I'd say that's a pretty egregious defect as far as its effect, but it's really just a "minor" (i.e. non-architectural) programming error. It doesn't take long to add a check to that procedure call to verify that the client is also in a state where it is allowed to see all non-folded hole cards (i.e. all in or post hand), so I don't think this one can even be blamed on rushing features to market. It's just a bug that wasn't picked up in testing.

As long as the code which collects the rake is working fine I’m sure the higher ups dgaf. This is how the real world operates

That's still a massive design failure. Two seconds of thought should have told you that could be exploited.

If cutting corners, sometimes one too much is cut. It's easier to find out in hindsight and ask: why was that particular corner cut, easily avoided.

You have to have that staff not cutting security corners. GG should maybe quadruple, if doubling means a very small number!

Using Adobe AIR is more relevant here, in regards to rushing things and not having priorities in order. There're also past incidents and cases, but this most recent one is obviously in a league of its own.

Above are images of NL10 Leaderboards on GG poker at different timeframes this year. This is really not looking good guys.
so far we have evidence of suspicious accounts on NL10, NL25, NL50, NL500

Programmers, especially cheap ones, are not always entirely well versed with the business domain in which they operate. Two seconds of thought would tell us, as poker players that, yes. It may not be entirely intuitive to someone who has never played a hand of poker and gets paid to churn out lines of code. "Just" forgot to double-check a condition for a state the code should never reach anyway, and wouldn't, without a hacked client.

Fair point.

Players didn't care when their recent promotion was funded by reducing players rakeback.

Players didn't care when their "free" buffet and rooms at Atlantis were taken from the "guaranteed" prize pool at WSOP Paradise

Players didn't care when their Spins didn't award the right multipliers

Player don't care about PVI and just take it

Players don't care that their Curacao "licence" provides literally ZERO player protections

Players didn't care when they remained in Russia through a skin, when every other site withdrew from the market according to international sanctions

Players don't care that they operate in markets that require a license illegally by using agents and changing the countries that players are located in

Why would they possibly care now?

Two seconds of thought during a security review, which is clearly not part of their process. So it's not only a massive design failure, but a massive management failure--they don't have a way to catch massive design failures.

If you design the server correctly who cares is they hack the client. The server's API from clients should consist of a limited set of operations. Sit at table, fold/bet/raise, leave table, chat. That's pretty much it. Any other operations are initiated server side and encrypt the data so you can't spoof a different client. To allow the client to request hole card information or equities is just terrible design.

Welcome to the world where everything is run and decided by MBAs who know absolute dick about anything except "make numbers go up".

Also a very fair point. And as far as equities go, I see no reason to not just calculate them on the client anyway, once the server has sent hole card info. The equities should always be based on visible hole cards and the board, and those alone.

When money is at stake, your programmers need to understand the domain inside and out.

True. But let's be honest, what are the chances that they don't offshore their development to some sweatshop in India?

Their development is done in South Korea.

C'mon GG insiders, pls do not wait a year or two from now to tell us what's really going on behind the scenes like it was with pitbull poker back in 2009.

GG was set up to scam players, wasn't it?

I understand what you are getting at, but the exact probability isn’t relevant. The existing tools are sufficient to determine this was likely cheating. Poker dope shows a 100.00% chance of loss over even 5000 hands for a player with far higher than 100 st dev. Cheating occurs more often than 00.00% of the time (we dont even have to define “of the time”) so a player with fish stats winning at any significant amount let alone 90bb/100 over even a 5k hand sample is far more likely to be cheating. A security check should have been triggered after a few thousand hands.

The live guys saying this was a fish on a heater have a scale misunderstanding around how large a sample 15k hands is. If a fish cleaned out their table a full 100% of sessions for 3 months they would all be crying “cheater” too. Poker hands aren’t distinct random events. To get lucky fish need their pattern of play to match what the deck gives. Things like having air when their opponent also has bottom of range or putting in money bad on an early street to improve to the best hand. They don’t randomize in a way that allows them to perfectly dance around raindrops. A “tails never fails” guy running into an outlier string of coins landing on tails looks different than someone guessing perfectly every time. GG’s security team would be able to tell the difference when reviewing hands.