The Lucky Donut

Entries from May 2007


Saturday, May 12. 2007

Woah, we're half way there.

I've already jinxed myself by doing something as results-oriented as actually having a win goal and writing about it here.  I've just further done myself damage by waiting until the very second I passed the half way mark to take a screenshot of my graph.

A few minutes ago, I passed $1000 in profit playing only $50 NL on PokerStars.  The magic number was $1000.10, in fact.  Out came Poker Grapher, and here's the story so far.  All you graph lovers can click on it for the full size version.

As you'd expect, I've since dropped back under a grand.

My win rate is clearly lower than it was at the last checkpoint.  It took under 6,000 hands to win the first $500, but over twice as many to make it to $1000.  My overall win rate just clears $5 per 100 hands.  I'm getting very close to 20,000 hands played now, which is starting to resemble a decent sample size.  I don't know whether I should assume I ran hot to start, have just had worse than average cards for a while, or if overall 5BB/100 is about right and it all evens out in the end.

The main thing though is that the line has kept on moving in the right direction. :-)

Plenty of added value at Stars right now too.  Seeing as I only started playing $50 NL there to clear a bonus, I was pretty pleased to see another $150 reload bonus come along today.  This time it's because of the impending momentous occasion of their 10 billionth dealt hand.  In addition, there's a money added tournament every hour, and FPPs clock up at twice their normal rate.

I'll easily make it to Gold Star this month now.  Double rakeback too.  Given that I've paid just over $300 in rake this month for enough FPPs to buy about £20 in Amazon gift certificates, I figure it's usually about 12% rakeback for a Silver Star player.  Should be about 16% for Gold Star.  Not the best by any means, but not a bad deal considering you don't have to jump through any hoops to get rakeback.

Posted by luckydonut in My Results, Online Poker at 21:33

Thursday, May 10. 2007

New Order Split

It's as close to official as it can get.  Sounds like nobody was meant to say anything but Peter Hook let it slip last week, and confirmed it on his MySpace page yesterday:

"so i went on and lo and behold mentioned the N>O> split so i suppose because it was me sayin it it was out at last. im relieved really hated carryin on as normal with an awful secret"

So how do I pick one song to post to mark the passing of my all time favourite group of all time?

If I had a recording of it, I'd post the dreadful version of State of the Nation that "my band" performed at Kirby Muxloe Church Hall circa 1991.  With a bonus added rap - I kid you not.  There's many reasons I don't have a career in music.  For this travesty, even though it was a one-off, I'm very very sorry indeed.

Thankfully, this will have to do.  Incidentally, this is also the song I want played at my funeral.

On that happy note...

Posted by luckydonut in TV, Movies, Music at 11:12

Wednesday, May 9. 2007

Biting the hand that feeds the fish

A month or so ago, I came across a security hole in an online poker network.

I'd thought about writing something about it after it had been fixed but time passed and I'd forgotten quite how major it was until I just mentioned it to someone who works for a network operator.  His reaction was similar to mine when it first came to light: holy shit.

Firstly I need to say that this has definitely been fixed now and it was, rightly, treated with some urgency by the developers.  However, even they didn't know this was an issue.  Nor did any of the 40+ operators on the Microgaming network (formerly Prima Poker), which includes high profile UK names like Stan James, Ladbrokes and Bet365.

All of their players were at risk.

We can only hope that because so many different technical teams had failed to spot this, fraudsters hadn't noticed it either.  After all, it's such a fundamental security flaw, you probably wouldn't even think to look.

OK that's plenty of hype.  If you have the geek gene, this picture may frighten you immediately.  If not, read on and I'll explain what it means:

This is the text view output from an HTTP traffic debugger.  It shows that player information was being sent over the network in the clear.  I've highlighted the key parts: if you read between the ampersands, you can see my username and password (obviously this isn't my password, I just changed it for the screen grab) and my real money balance.

Yes, at the time I did have over $14,000 in my account.  I don't any more.  It was never really mine, just a fallout from testing new deposit methods.  But I did sit down at a $1/$2 limit table with a five figure roll once. :-)

From a crook's point of view, being able to see the real money balance is a luxury that would not normally be afforded to them by using keyloggers or the less subtle approach of watching people as they key in their username and password.  They would not even need to attempt to access a stolen account to know whether there is enough money in there to make it worth their while trying to run off with it.

Although I ran this traffic sniffer on my own PC, software does exist to read such traffic over a network.  It's the reason you have to look for the padlock in Internet Explorer when you're entering credit card information.  Then you know the details are encrypted before they are sent in such a way that only the web server can understand them, and not anyone listening to the network along the way.

A point I failed to get across recently when I had to pay import duty when collecting from a Parcel Force depot and they took me into the back office to enter my credit card information in an insecure web page.  Seemingly, nobody had ever challenged this before.

There's no padlock in a poker program, you just have to trust it.

The Microgaming client was in fact using SSL to send encrypted requests to the server.  However along the way, they were being redirected and ended up unencrypted in the process.  The redirector idea is great in theory, meaning that if an operator wants to change the location of a page or a script that's used for their site, their players don't need to download a whole new client for that simple change.
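An added example, not code from the original post or from Microgaming: a small Python check that walks a captured request/redirect chain and reports any hop where account fields travel without TLS, which is the downgrade described above. The hosts, the field names (`username`, `password`, `balance`) and the sample chains are constructed for illustration; the post does not give the real ones.

```python
from urllib.parse import urlsplit, parse_qsl

# Hypothetical field names: the post only says username, password and
# balance were visible "between the ampersands".
SENSITIVE = {"username", "password", "balance"}

def exposed_fields(hop):
    """Sensitive fields (query string or form body) sent on a non-TLS hop."""
    parts = urlsplit(hop["url"])
    if parts.scheme.lower() == "https":
        return set()
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(hop.get("body", ""), keep_blank_values=True)
    return {name.lower() for name, _ in pairs} & SENSITIVE

def audit_chain(chain):
    """Report each cleartext hop that carries account data, noting whether
    the previous hop was HTTPS (a downgrade through the redirector)."""
    findings = []
    for i, hop in enumerate(chain):
        leaked = exposed_fields(hop)
        if leaked:
            prev_tls = i > 0 and urlsplit(chain[i - 1]["url"]).scheme == "https"
            findings.append({"hop": i,
                             "host": urlsplit(hop["url"]).hostname,
                             "fields": sorted(leaked),
                             "downgrade": prev_tls})
    return findings

# Constructed sample chains (not captured traffic).
MYPAGE = [
    {"url": "https://redirector.example/go",
     "body": "page=mypage&username=alice&password=not-real&balance=14000.00"},
    {"url": "http://operator.example/mypage"
            "?username=alice&password=not-real&balance=14000.00"},
]
SUPPORT = [
    {"url": "https://redirector.example/go",
     "body": "page=support&username=alice&balance=14000.00"},
    {"url": "http://operator.example/support?username=alice&balance=14000.00"},
]
# Same request with the final hop kept on TLS.
FIXED = [MYPAGE[0], {"url": MYPAGE[1]["url"].replace("http://", "https://")}]

if __name__ == "__main__":
    for name, chain in [("mypage", MYPAGE), ("support", SUPPORT), ("fixed", FIXED)]:
        print(name, audit_chain(chain))
```

Run against a proxy capture of each in-client page, an empty result for every chain is the condition the fix has to meet.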

It's the sheer number of requests that sent this information that was really worrying.  Simply logging in to the client was secure, no username or password was visible.  Accessing the banking pages was similarly secure.  Whew, you may think.

However, accessing "My Page" sent all this information in the clear.  This page typically shows players their loyalty point status, allows them to change their contact information and also allows access to banking anyway.  It could often be the button that players press to make a deposit or withdrawal instead of "Bank".

More worrying, as soon as you were logged in, a promotions page appeared in a popup.  This is just a web page designed to appear in a window inside the poker program.  So why would it even need to be passed information about the user?  Similarly, the promotions banner that is displayed in the lobby was being passed all this information.  There's really no need.

These screenshots (click to enlarge) show all the sensitive data being passed out and then back again.  At least on the way out (the bottom right pane shows an HTML form that submits these values to the actual location of the pages) it uses a secure connection.

My Page

Promotions pop up

Promotions banner

The operator's news page was accessed in a similar way.  There's no need at all to send a password to this page - is the latest news really only available to registered players?  The responsible gaming information and support pages also received way more information than they needed.  No password here, but all the other information is present.  Someone must have made the decision to omit the password but to still transmit username and balance to these pages.  I just can't think what the reasoning would be for that decision.

News page

Responsible Gaming page

Support page

So that's six different places that a user's account information was being transmitted.  In case that's not enough, there was one other instance that made sure anyone who was listening in for account information would not be disappointed.

In the program's lobby - the screen where you search for which poker tables you want to play at - there is a scrolling message that is set by the operator.  Because this message is intended to be updated frequently - for instance, it might say "check out our money added tournament starting at 8pm" - it refreshes every three minutes.

As this process was also transmitting all the sensitive information in the clear, all a wannabe thief would have needed to do is set up a traffic sniffing program for a few minutes and wait to be furnished with the account details.  Minimum effort, maximum loot.


Marquee text

The screenshots I've posted are from Gutshot Poker.  I need to stress that this operator was not at risk from this flaw - it was spotted and fixed before the player base was migrated from their previous operator.  This hole would have been catastrophic to Gutshot, who operate an internet cafe where every PC is used to play online poker.  A scammer's paradise.

So I'll say it again: this has now been fixed.  There's no need to kneejerk and cashout from whatever site you play at.  Don't bother the site's support asking whether your money is safe.  It finally actually is.

But if you've ever played on a Microgaming site in the past you really should change your password right away.

Posted by luckydonut in Online Poker at 15:06

Monday, May 7. 2007

I'll have a Wii please, Bob

We didn't go to Newcastle at the weekend.  Decided that getting up at 5am to drive and then catch a train was actually a silly idea.  I don't know why it took so long to realise something so obvious.  Will try to do it again soon, possibly the next bank holiday weekend.

Instead I bought a Nintendo Wii, which has been on the cards for a while but seeing an advert on the big screen before Spiderman 3 seemed to do the trick.  God knows why that was the final push, but it seems I'm a slave to advertising just like everyone else.  However, so far the console is as disappointing as the movie was.  Not just the silly sand monster and the black ooze from outer space, the story was all over the place and it was way too long.  Considering how good the sequel was, and how cool the dark suit story looked from the trailer and could have been, it was a real let down.

The Wii situation wasn't helped by the fact the traded-in copy of Madden I got didn't load.  It's gone back and I've re-ordered it from HMV thanks to a combination of Quidco and discount coupons from McDonalds.  But I was very much up for doing the whole pretending-to-actually-throw-the ball using the Wii stick thing but I had to make do with some Wario thing instead.

I just didn't get it.  You watch some cartoon graphics for a while then it says to do something, you wave the stick at the screen and if you waved it in the right place (which happened about half the time) you did whatever it asked you to do, even before you worked out what the thing was.  I think I must be too old now, but I couldn't really see where the game was.

The whole stick waving shenanigans is hit and miss.  Whilst Wii Sports is great fun and I love that it makes a swooshing noise when you swipe your tennis racket, and other such novelties, anything that needs you to point at the screen was decidedly dodgy.  I tried the sensor bar in various positions and each was dodgy in its own separate way.

I'll have to give another game a try before I decide if it was a complete waste of money and I should have got an Xbox 360 instead (at least then I could play Rainbow Six Vegas with high definition computer-generated neon in my living room). 

The Wii isn't the only reason I have a sore elbow though today.  Believe it or not, Claire and I also started to play squash regularly.  We don't know the rules and use extra-bouncy balls (noobs' balls are bright blue, so the guys in the court next door know we're crap when it goes flying over the dividing wall) but hey, it's exercise - and that in itself is impressive.

Posted by luckydonut in Random Thoughts at 22:20

Thursday, May 3. 2007

Birthday Spam

It seems that I'm 33.

Here are some of the "cards" I've had.  Nothing says "you're an old geek" quite like an ASCII art birthday cake.

 

Posted by luckydonut in Random Thoughts at 17:41

Tuesday, May 1. 2007

It's grim in Stoke too, you know

To the anonymous reader who took issue with me saying that it's grim up north, which (whilst it clearly is in parts) was really just an excuse to put a KLF song on my blog.  Are you still reading?

I've used a free train ticket to book a trip to Newcastle this weekend.  We're going to be there for 10 hours - Claire somehow thinks she can get me to Derby station for 6.39am - and will be getting around on public transport.  We want to go to the MetroCentre and some kind of seaside, not sure if there'll be time for much else but open to suggestions.

If we get to go through Byker station on the Metro, that's a bonus that will provide minutes of childish pleasure.  Just like how it was compulsory to hum very loudly the time we had a stopover at Dallas airport, I'm sure Claire will briefly be the Donna Air to my Ant or Dec.

Cullercoats Bay looks the easiest beach to get to, but Whitley Bay, South Shields and Sunderland are options.  Where is the sand most likely to resemble yellow, and the sea likely to be the least black?

Posted by luckydonut in My Travels at 18:54
Copyright

Creative Commons License - Some Rights Reserved
Original content in this work is licensed under a Creative Commons License