Biting the hand that feeds the fish

A month or so ago, I came across a security hole in an online poker network.

I’d thought about writing something about it after it had been fixed but time passed and I’d forgotten quite how major it was until I just mentioned it to someone who works for a network operator.  His reaction was similar to mine when it first came to light: holy shit.

Firstly I need to say that this has definitely been fixed now and it was, rightly, treated with some urgency by the developers.  However, even they didn’t know this was an issue.  Nor did any of the 40+ operators on the Microgaming network (formerly Prima Poker), which includes high profile UK names like Stan James, Ladbrokes and Bet365.

All of their players were at risk.

We can only hope that because so many different technical teams had failed to spot this, fraudsters hadn’t noticed it either.  After all, it’s such a fundamental security flaw, you probably wouldn’t even think to look.

OK that’s plenty of hype.  If you have the geek gene, this picture may frighten you immediately.  If not, read on and I’ll explain what it means:

This is the text view output from an HTTP traffic debugger.  It shows that player information was being sent over the network in the clear.  I’ve highlighted the key parts: if you read between the ampersands, you can see my username and password (obviously this isn’t my password, I just changed it for the screen grab) and my real money balance.

Yes, at the time I did have over $14,000 in my account.  I don’t any more.  It was never really mine, just a fallout from testing new deposit methods.  But I did sit down at a $1/$2 limit table with a five figure roll once. 🙂

From a crook’s point of view, being able to see the real money balance is a luxury that would not normally be afforded to them by using keyloggers or the less subtle approach of watching people as they key in their username and password.  They would not even need to attempt to access a stolen account to know whether there is enough money in there to make it worth their while trying to run off with it.

Although I ran this traffic sniffer on my own PC, software does exist to read such traffic over a network.  It’s the reason you have to look for the padlock in Internet Explorer when you’re entering credit card information.  Then you know the details are encrypted before they are sent in such a way that only the web server can understand them, and not anyone listening to the network along the way.

That’s a point I failed to get across recently when I had to pay import duty while collecting a parcel from a Parcel Force depot and they took me into the back office to enter my credit card details on an insecure web page.  Seemingly, nobody had ever challenged this before.

There’s no padlock in a poker program, you just have to trust it.

The Microgaming client was in fact using SSL to send encrypted requests to the server.  However, along the way they were being redirected and ended up unencrypted in the process.  The redirector idea is great in theory, meaning that if an operator wants to change the location of a page or a script that’s used for their site, their players don’t need to download a whole new client for that simple change.

It’s the sheer number of requests that sent this information that was really worrying.  Simply logging in to the client was secure: no username or password was visible.  Accessing the banking pages was similarly secure.  Whew, you may think.

However, accessing "My Page" sent all this information in the clear.  This page typically shows players their loyalty point status, allows them to change their contact information and also allows access to banking anyway.  It could often be the button that players press to make a deposit or withdrawal instead of "Bank".

More worrying, as soon as you were logged in, a promotions page appeared in a popup.  This is just a web page designed to appear in a window inside the poker program.  So why would it even need to be passed information about the user?  Similarly, the promotions banner that is displayed in the lobby was being passed all this information.  There’s really no need.

These screenshots (click to enlarge) show all the sensitive data being passed out and then back again.  At least on the way out (the bottom right pane shows an HTML form that submits these values to the actual location of the pages) it uses a secure connection.

My Page

Promotions pop up

Promotions banner

The operator’s news page was accessed in a similar way.  There’s no need at all to send a password to this page – is the latest news really only available to registered players?  The responsible gaming information and support pages also received way more information than they needed.  No password here, but all the other information is present.  Someone must have made the decision to omit the password but to still transmit username and balance to these pages.  I just can’t think what the reasoning would be for that decision.

News page

Responsible Gaming page

Support page

So that’s six different places to which a user’s account information was being transmitted.  In case that’s not enough, there was one other instance that made sure anyone who was listening in for account information would not be disappointed.

In the program’s lobby – the screen where you search for which poker tables you want to play at – there is a scrolling message that is set by the operator.  Because this message is intended to be updated frequently – for instance, it might say "check out our money added tournament starting at 8pm" – it refreshes every three minutes.

As this process was also transmitting all the sensitive information in the clear, all a wannabe thief would have needed to do is set up a traffic sniffing program for a few minutes and wait to be furnished with the account details.  Minimum effort, maximum loot.

Marquee text
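To make the mechanism concrete, here is an added example (not the client’s or the network’s code) that scans a proxy-style capture for account parameters sent over plain HTTP and checks a redirector’s HTML form for a non-HTTPS action; the hosts, parameter names and values are constructed for illustration:

```python
# Added example, not the poker client's or the network's code: flag account
# data leaving over plain HTTP. Hosts, parameter names and values are made up.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The post reports username, password and real-money balance in the capture;
# the actual parameter names are assumed.
SENSITIVE = {"username", "password", "balance"}


def leaked_params(url, body=""):
    """Sensitive parameter names found in the query string or a form body."""
    names = set(parse_qs(urlsplit(url).query)) | set(parse_qs(body))
    return sorted(SENSITIVE & names)


def audit_capture(entries):
    """entries: (method, absolute_url, body) as an intercepting proxy sees them.
    Returns (host, path, leaked_names) for each request carrying account data
    over anything other than https, i.e. readable to anyone on the path."""
    findings = []
    for _method, url, body in entries:
        parts = urlsplit(url)
        leaked = leaked_params(url, body)
        if leaked and parts.scheme != "https":
            findings.append((parts.hostname, parts.path, leaked))
    return findings


class _FormScanner(HTMLParser):
    """Collect the form action and hidden input names from redirector HTML."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields.add(a.get("name") or "")


def redirect_form_leaks(html):
    """The redirector answered a secure request with an HTML form that re-posts
    the values to the real page. Returns the sensitive hidden fields when that
    form's action is not https, else an empty list."""
    scanner = _FormScanner()
    scanner.feed(html)
    if scanner.action and urlsplit(scanner.action).scheme != "https":
        return sorted(SENSITIVE & scanner.fields)
    return []


# Constructed capture: secure login, then the marquee refresh and promotions
# banner requests the post describes, both over plain HTTP.
SAMPLE_CAPTURE = [
    ("POST", "https://login.example.net/login.aspx",
     "username=chris&password=notmyrealpw"),
    ("GET", "http://www.example.net/marquee.aspx?username=chris"
            "&password=notmyrealpw&balance=14000", ""),
    ("GET", "http://www.example.net/promo.aspx?username=chris&balance=14000", ""),
]

# Constructed redirector response of the kind shown in the screenshots.
SAMPLE_REDIRECT_HTML = (
    '<form method="post" action="http://www.example.net/mypage.aspx">'
    '<input type="hidden" name="username" value="chris">'
    '<input type="hidden" name="password" value="notmyrealpw">'
    '<input type="hidden" name="balance" value="14000"></form>'
)
```

Running `audit_capture(SAMPLE_CAPTURE)` reports the marquee and promotions requests but not the login, and `redirect_form_leaks(SAMPLE_REDIRECT_HTML)` names the three hidden fields the form would re-post in the clear.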

The screenshots I’ve posted are from Gutshot Poker.  I need to stress that this operator was not at risk from this flaw – it was spotted and fixed before the player base was migrated from their previous operator.  This hole would have been catastrophic to Gutshot, who operate an internet cafe where every PC is used to play online poker.  A scammer’s paradise.

So I’ll say it again: this has now been fixed.  There’s no need to kneejerk and cashout from whatever site you play at.  Don’t bother the site’s support asking whether your money is safe.  It finally actually is.

But if you’ve ever played on a Microgaming site in the past you really should change your password right away.

I’ll have a Wii please, Bob

We didn’t go to Newcastle at the weekend.  Decided that getting up at 5am to drive and then catch a train was actually a silly idea.  I don’t know why it took so long to realise something so obvious.  Will try to do it again soon, possibly the next bank holiday weekend.

Instead I bought a Nintendo Wii, which has been on the cards for a while but seeing an advert on the big screen before Spiderman 3 seemed to do the trick.  God knows why that was the final push, but it seems I’m a slave to advertising just like everyone else.  However, so far the console is as disappointing as the movie was.  Not just the silly sand monster and the black ooze from outer space, the story was all over the place and it was way too long.  Considering how good the sequel was, and how cool the dark suit story looked from the trailer and could have been, it was a real let down.

The Wii situation wasn’t helped by the fact the traded-in copy of Madden I got didn’t load.  It’s gone back and I’ve re-ordered it from HMV thanks to a combination of Quidco and discount coupons from McDonalds.  But I was very much up for doing the whole pretending-to-actually-throw-the-ball using the Wii stick thing, but I had to make do with some Wario thing instead.

I just didn’t get it.  You watch some cartoon graphics for a while then it says to do something, you wave the stick at the screen and if you waved it in the right place (which happened about half the time) you did whatever it asked you to do, even before you worked out what the thing was.  I think I must be too old now, but I couldn’t really see where the game was.

The whole stick waving shenanigans is hit and miss.  Whilst Wii Sports is great fun and I love that it makes a swooshing noise when you swipe your tennis racket, and other such novelties, anything that needs you to point at the screen was decidedly dodgy.  I tried the sensor bar in various positions and each was dodgy in its own separate way.

I’ll have to give another game a try before I decide if it was a complete waste of money and I should have got an Xbox 360 instead (at least then I could play Rainbow Six Vegas with high definition computer-generated neon in my living room). 

The Wii isn’t the only reason I have a sore elbow today though.  Believe it or not, Claire and I also started to play squash regularly.  We don’t know the rules and use extra-bouncy balls (noobs’ balls are bright blue, so the guys in the court next door know we’re crap when it goes flying over the dividing wall) but hey, it’s exercise – and that in itself is impressive.

Birthday Spam

It seems that I’m 33.

Here are some of the "cards" I’ve had.  Nothing says "you’re an old geek" quite like an ASCII art birthday cake.

It’s grim in Stoke too, you know

To the anonymous reader who took issue with me saying that it’s grim up north, which (whilst it clearly is in parts) was really just an excuse to put a KLF song on my blog.  Are you still reading?

I’ve used a free train ticket to book a trip to Newcastle this weekend.  We’re going to be there for 10 hours – Claire somehow thinks she can get me to Derby station for 6.39am – and will be getting around on public transport.  We want to go to the MetroCentre and some kind of seaside, not sure if there’ll be time for much else but open to suggestions.

If we get to go through Byker station on the Metro, that’s a bonus that will provide minutes of childish pleasure.  Just like how it was compulsory to hum very loudly the time we had a stopover at Dallas airport, I’m sure Claire will briefly be the Donna Air to my Ant or Dec.

Cullercoats Bay looks the easiest beach to get to, but Whitley Bay, South Shields and Sunderland are options.  Where is the sand most likely to resemble yellow, and the sea likely to be the least black?

Diet Coke Broke

This is what happens when the Coke machine in McDonalds breaks down.

At least you still get the monopoly game tokens.  I’d have been lost without these, even though I did have a backup plan for monopoly gratification: I was sitting in a restaurant on Pentonville Road, just around from Kings Cross station.  Free parking nowhere to be seen though.

Today’s haul included a free coffee and an Oatso Simple porridge that I’ll never use.  Even if I ever do get to a McDonalds before 10.30, why the hell would I want a pot of porridge when there’s perfectly good meat products on offer?

Thinking aloud

Vij was staying with us at the weekend and I’d left him in front of the TV whilst I went upstairs to play some poker.  I’m a fantastic host, as you can tell, but he knows where the kettle is, and that’s all that really matters.

When he wandered in I had four tables running and almost straight away I fell into this hand.  Instinctively I began talking through my thought process, which made me look like a genius (naturally) and also made me wonder whether thinking through hands out loud was a good strategy.  If I have to justify every decision to someone else, I should make good decisions.

I made a pretty damn good laydown here, and for the right reasons, but I’m still not convinced by my flop play. It was a little bit on the random side.  Should I be thinning the field with a good but vulnerable hand in a multi-way pot, or should I wait for a safe card or to improve and then re-evaluate? I opted to call, not really knowing whether I was trapping or going fishing.

Still, I folded a set and I was right. 🙂

PokerStars No-Limit Hold’em, $0.50 BB (9 handed) Hand History Converter Tool from FlopTurnRiver.com (Format: HTML)

CO ($41.75)
Button ($60)
SB ($23.55)
BB ($20)
Hero ($77.65)
UTG+1 ($25.40)
MP1 ($71.15)
MP2 ($44.35)
MP3 ($20.25)

Preflop: Hero is UTG with 9c, 9h.
Hero calls $0.50,

We’re talking about something else, and I limp in on autopilot.

“Chris, you’ve got a pair of nines on that table.”
He points, but knows better than to get too close and risk getting a sweaty fingerprint onto my monitor.

“Yep, I already called, look.”

“Didn’t you want to raise with that?”

“No, I’ve got poor position and I want to keep the pot small…”

UTG+1 raises to $1.5,

“… so I can still play if someone raises. Like that. :)”

There was an actual smilie at the end when I spoke

MP1 calls $1.50, 2 folds, CO calls $1.50,

“Any more callers? This will be easy then. If I don’t catch another 9 I’m done, but if I do I should be laughing.”

Vij nods. He didn’t actually nod. He’ll have said something, because that’s Vij’s way, but I wasn’t exactly listening. I was waiting to see if I would be able to show off by winning a nice big pot. In fact I don’t really remember what else he said at all. Hell, I’m struggling to remember what I said myself and just making up stuff to fill in the gaps.

1 fold, SB calls $1.25, 1 fold, Hero calls $1.

Flop: ($8) Tc, 9d, Js (5 players)

“Yes! Oh, wait. That’s sort of good.”

SB bets $0.5, Hero calls $0.50,

“Right, let’s see what happens.”

UTG+1 calls $0.50, MP1 raises to $4,

“Hmm. What’s he raising with?”

CO calls $4,

“Oh. This one’s got something then.”

SB calls $3.50,

“So somebody could have the straight. I’m not scared of him, but he’s a worry. This guy probably has a draw, probably just a queen.”

I wiggle at MP1, then CO, then SB in turn using the mouse pointer, then pause to work out the pot odds.

“But I do have odds to draw against the straight, so I can call even if I’m behind”

Hero calls $3.50, UTG+1 folds.

“OK, pair it!”

Turn: ($24.50) 4s (4 players)

“That doesn’t help anyone, so let’s see who’s still interested.”

SB checks, Hero checks, MP1 bets $14,

“Right. I’m not afraid of him.”

CO raises to $36.25, SB folds,

“Now we have a decision, don’t we?”

Vij nods, or something, and I press the button for some extra thinking time.

“OK, I don’t care what the first guy has, it’s probably not much. This is the one who has a hand. He could have the straight, but I can’t say for sure. Aaaaagh, what do I actually beat? Anything? Would he really push there with two pair? No.”

I’ve come to a decision. Folding a set is excruciating, but there’s no way I’m winning.

“He’s got two tens, two jacks or a straight.”

Hero folds, MP1 calls $22.25.

“God I hope I’m right.”

River: ($97) 2c (2 players)

Final Pot: $97
Main Pot: $97, between CO and MP1.

MP1 has Qh Jh (one pair, jacks).
CO has Ts Th (three of a kind, tens).
Outcome: CO wins $97.

My hands thrust themselves into the air.

“Oh yes. I’m good.”

And Vij is less impressed than he should be.

LOL Trickaments

On tonight’s show, Derren Brown went to Las Vegas and brainwashed an American lady into thinking that red was black.  The effect was dramatic.  She was pretty freaked out to see that her red car had apparently been resprayed whilst she enjoyed an evening at the Peppermill.  But what the cameras didn’t show is the complete meltdown, possibly followed by night in jail, she must have had trying to play roulette shortly afterwards.

In the Trick or Treat feature, he apparently taught a 75 year old granny to play poker.  For this show victims are asked to choose from two cards to pick whether they’ll get something nice or something nasty.  I have to admit I thought the whole series would be manipulated so it was always a trick, but tonight’s sweet old lady got a treat.

There’s no psychology involved in forcing the choice: both cards are identical, with a cunning and overly elaborate typeface used so that it reads "trick" when held one way up and "treat" when flipped over.  I confess: I had to pause the show using Sky+ and turn my head right round to check this out, and had to use Google to find out that the word I didn’t know I was looking for is "ambigram".

Super Gran is given a crash course in Texas Hold’em and then dropped into a tournament situation with five professionals.  Probably not ones you’d have heard of.  Derren has taught her superlative reading skills, which is apparently enough to ensure that she will win a made-for-TV crapshoot poker-style tournament.  They said it lasted 90 minutes start to finish, fast even for a six-handed tournament.  We only got to see three hands.

She called an all-in bet with a king-high flush draw.  Perhaps she learned to recognise weakness from the bettor, but depending on stack sizes and money in the pot this could be a pretty standard call anyway.  They didn’t say.  We don’t know how much she’d learned about playing draws.  Perhaps it looked like the nuts against a player with a twitch, but with one overcard and a draw you’re rarely a favourite.  Except the few times you come up against a smaller unpaired flush draw.  Which she did.

Facing an all-in preflop with K9s, Derren’s horse makes the call.  The other player has T7o.  Given the emphasis on how good these other players all are, we have to assume that he made an automatic push with a short stack, so this was probably an automatic call.

With AQ on a flop of A88, our hero decides that her hand is good.  Maybe I still have a lot to learn, but I’m going broke here every time the other guy has AK or any hand with an 8.

She came second.  A one in six chance to win, and she still missed the glory by one.

A similarly close-but-still-busto result in Derren’s Russian Roulette stunt would have been much more interesting.

The current UK series is available for free catch-up on 4oD.  Apparently a new six-part series is being made for US television by Sci-Fi channel to air in July.  Perfect timing!

We’re gonna be up five hundy in a fortnight

It appears that I’m doing somewhat better than I expected at no limit ring games.  This really is the first time I’ve tested myself over more hands than I needed to play to clear a particular bonus or to gain a particular membership level.  After nearly 6000 hands, I’ve been beating $50 NL on Poker Stars for just over $8 for every 100 hands.  Not too shabby at all.

Of course this started when I had a bonus to clear.  I still had about 1400 points left to earn towards the 1500 I needed to unlock a $150 bonus on Stars.  The bonuses now have an expiry date and I just couldn’t see myself clearing it before June playing $12 turbo sit-and-gos.  $1 in tournament fees is 5 player points, so that’d be nearly 300 tournaments.

I started off by trying their $25 NL as I’d done OK at this level clearing Party Poker bonuses in the past.  It didn’t take long to realise that you earn virtually no FPPs at this level.  $50 NL still doesn’t generate the abundance of rake (and hence the freely flowing frequent player points) that you get from $2/$4 or $3/$6, but the last time I played fixed limit at these levels I was constantly frustrated.  I felt I was playing OK, but the game on Stars was tough and I wasn’t good enough to beat the rake.  I maintained Gold Star status for a few months, lost a few hundred dollars but earned enough points to get a jacket I didn’t really need and a couple of hundred quid to spend at Amazon.  About even, obviously.

I’d also expected the no limit tables on Stars to be tough, but so far so good.  I’ve now hit the $500 profit milestone.  The graph from Poker Grapher uses my Poker Tracker database, which treats one big bet as twice the big blind amount.  So with $0.25/$0.50 blinds, the scale on this graph is 1 BB = $1.

It took two weeks to get here, and even though I finally cleared the bonus a few days ago I decided to keep playing as it felt like I’d fallen into a groove playing four tables at this level.  A good, winning groove at that.  I could get a rhythm going with up to 8 tables at $2/$4 but it was often painful.  Literally.  If a session turned bad quickly I’d start to cramp up.  That just hasn’t happened (so far) playing no limit.

It’s still not a massive sample size but the graph direction is definitely reassuring.  I know there’s room for improvement.  I’m going to find it and I’ve already spotted some pretty big mistakes.  For example, I knew pocket kings was no good to a fifth raise pre-flop, but I had to prove I was right.  Was the satisfaction of being right worth more than the $30 I lost?  Not quite.  It took nearly 400 hands (on average) to win that back.

But now I have a target, although obviously if it all goes tits up there’s a chance I’ll never write about it again.  If nobody has coined the phrase "blogger’s discretion" yet, I want to be the first.  I’d like to think I’ll stay on top of this one and in fact the timing works out just nicely.

Providing things stay good at this level, I’ll move up in stakes once I’ve won $2000. I want to be comfortable playing $100 NL by the time I go to Vegas in July.

I’m sticking with $50 NL on Stars for as long as there are no bonuses I need to play anywhere else.  If a juicy reload comes along then I’ll probably stop to play that through instead, but I’m hoping that Stars can be my home for a long time to come.

Super_Hero returns

Just played another session as a shill for Gutshot’s Poker Night Live table tonight.  We all started with $25,000 available for reloading today and the action was fast and furious.  It’s difficult to imagine how Barry Martin and Nik Persaud will keep a straight face when they commentate on some of the hands that were, apparently, played at $25/$50 real money blinds!

Here’s my favourite today.  The powerhouse never loses…

** Dealing card to Super_Hero: 2 of Clubs, 5 of Diamonds
I_Tilt_Often folded
Super_Hero called – $50.00
kafkakelly folded
RaiseEmUp raised – $300.00
U_Dump_Chips went all-in – $2175.00
1Chipstacker folded
Super_Hero went all-in – $9347.00
RaiseEmUp folded
** Dealing the flop: 5 of Hearts, Jack of Hearts, 4 of Spades
** Dealing the turn: 10 of Diamonds
** Dealing the river: 9 of Clubs
U_Dump_Chips shows: 2 of Hearts, 2 of Diamonds
Super_Hero shows: 2 of Clubs, 5 of Diamonds
Super_Hero wins $4747.00 from the main pot

[Insert Monty Python quote here]

My plans for the evening were scuppered because City Link are useless cretins who don’t actually know how to deliver a parcel at all, let alone on time.  How hard is it?  I mean, if post addressed to "Gordon the Gopher, The Broom Cupboard" can get there, what’s the problem with my order for the components I needed to actually do some work tonight?  Delivery was refused on Friday – because they took it to the wrong building, apparently just guessing wrong once – and today they claimed the postcode was wrong and refused to even put it on a van.  Which it wasn’t.  Why not just call me if you can’t find the place, you bastards?

Anyway, I decided to head over to Trafalgar Square to watch the Spamalot cast’s world record attempt for largest coconut orchestra.  I won’t keep you in suspense any longer because I’m sure you’re dying to know.  They smashed the record, previously held by… the New York cast, of course.

I cooed a little when two of the original Monty Python members were wheeled out – Terry Jones and Terry Gilliam to be precise – and I watched over 4000 people clip-clop along with Always Look on The Bright Side of Life.  Something you don’t see every day, for sure.

I was too late to actually get a pair of coconuts to take part, and didn’t even get a picture of some.  They were special Spamalot coconuts, you see.  I couldn’t decide whether asking "could I take a picture of your coconuts" would be safer with a random man or woman, so I just took some photos of a flying inflatable foot interfering with landmarks instead.

The National Gallery:

Alison Lapper Pregnant:

Nelson’s Column:

And just because it’s the 25th anniversary of the Sinclair ZX Spectrum, I have to also include this picture too.