When Random Isn't Random Enough: Lessons from an Online Poker Exploit

185 points by lauradhamilton over 11 years ago

18 comments

aelaguiz over 11 years ago
As recently as 2010 we were finding major flaws in online poker security; here are a couple of videos I did of us sniffing hole cards out of the air because sites were lying about their use of SSL. They were using XOR encryption. Insane.

http://www.youtube.com/watch?v=4HBUe8Fb73Q
http://www.youtube.com/watch?v=AAQDEXJdbQc

chops over 11 years ago
The solution here, which the article fails to mention, and which every security expert will undoubtedly tell you, is to make sure you use *super random numbers* (that's the technical term, for the layperson) by adding two random numbers together.

comex over 11 years ago
I understand that "swap with entire deck" can't possibly be uniform because it has 52^n input possibilities, which is not divisible by 52! (and that the correct Fisher-Yates having 52! input possibilities and being able to generate every possible outcome is one way to prove that it is uniform). However, I'm not sure I can come up with an intuition for why any particular bias should exist, or why there is a discontinuity that makes it much more likely for a card to end up a short distance after its starting position:

http://en.wikipedia.org/wiki/File:Orderbias.png

Anyone have a good explanation?

just2n over 11 years ago
It seems to me that the only major issue here is using a seed which can be trivially brute forced. Even if you don't look around the expected server time in order to guess the seed more quickly, 32 bits is really not hard at all to brute force these days.

I don't believe the number of bits the PRNG can generate is an issue here since we only need to uniformly get a number between 1 and 52, though what may be questionable is the cycle length of the PRNG if it weren't using an easily brute forced seed.

I'm not entirely convinced the off-by-1 is substantial, nor the fact that the shuffle produces duplicate shuffles (I can't intuit a significant bias, so I may well be wrong here).

So to summarize: never seed a PRNG with a small and easily brute forced value.

评论 #7209913 未加载
评论 #7209566 未加载
评论 #7212034 未加载
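The seed-size point in the comment above, as an added example that is not part of the thread or the linked article: it shows how few seeds stay consistent with seven visible cards when the seed is a clock reading, next to a shuffle drawn from the OS CSPRNG. Assumptions: Python's `random.Random` stands in for the site's PRNG, the seed is a time of day in milliseconds, and the seed value and the 2-second slack are constructed.

```python
# Added illustration (not from the article or thread). Assumptions: Python's
# Mersenne Twister stands in for the site's PRNG, and the seed is a clock
# reading in milliseconds; the seed values below are constructed.
import math
import random
import secrets

DECK = [r + s for s in "shdc" for r in "23456789TJQKA"]  # 52 cards


def weak_deal(seed):
    """Shuffle with a PRNG whose whole state derives from a guessable seed."""
    deck = DECK[:]
    random.Random(seed).shuffle(deck)
    return deck


def strong_deal():
    """Shuffle with the OS CSPRNG: no seed exists for anyone to enumerate."""
    deck = DECK[:]
    secrets.SystemRandom().shuffle(deck)
    return deck


def consistent_seeds(visible, clock_guess, slack_ms):
    """Seeds within +/- slack_ms of clock_guess whose deal starts with `visible`."""
    k = len(visible)
    return [s for s in range(clock_guess - slack_ms, clock_guess + slack_ms + 1)
            if weak_deal(s)[:k] == visible]


def shuffle_entropy_bits():
    """Bits needed to index every ordering of 52 cards: log2(52!)."""
    return math.log2(math.factorial(len(DECK)))


def demo():
    true_seed = 43_200_123                 # constructed: a time of day in ms
    visible = weak_deal(true_seed)[:7]     # 2 hole cards + 5 community cards
    survivors = consistent_seeds(visible, 43_200_000, 2_000)
    return true_seed, survivors


if __name__ == "__main__":
    seed, survivors = demo()
    print("seeds consistent with 7 visible cards:", survivors, "true:", seed)
    print("bits for a full shuffle: %.1f; a 32-bit seed offers at most 32"
          % shuffle_entropy_bits())
```
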
MikeTV over 11 years ago
Direct link to the full article with a detailed explanation of the exploit: http://www.cigital.com/papers/download/developer_gambling.php

rlwolfcastle over 11 years ago
Ignoring that some of the variables don't match up properly (the arrays: card and Card), it seems like the explanation of the first flaw may also be flawed.

> Flaw #1: An Off-by-One Error
>
> The algorithm above tries to iterate over each card in the deck, swapping each card with another randomly chosen card in the deck. However—every programmer has made this mistake before—there's an off-by-one error. The function random(n) returns a number between 0 and (n-1), not between 1 and n as the programmer intends. As a result, the algorithm will never swap the 52nd card with itself; the 52nd card can never end up in the 52nd place. So that is the first reason the "random" card shuffling isn't really random.

The comment refers to the Pascal code:

    random_number := random(51)+1;

If the programmer really thought that random was between 1 and n then the random_number variable would be a number between 2 and 52 (1+1 to 51+1). It seems like, instead, a better explanation is that they may have thought random(n) produced a random number between 0 and n, hence the need to increment by one. Another explanation is they just messed up the slicing using 51 instead of 52.

The point being that in the writer's explanation of the flaw they actually make the same mistake.

Funnily enough googling "pascal random" points to a stackoverflow article where the best answer makes the same error.

https://stackoverflow.com/questions/4965863/how-to-get-a-random-number-in-pascal

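The shuffle bias asked about in comex's comment and the `random(51)+1` off-by-one quoted in the comment above, as an added example that is not part of the thread or the linked article: it enumerates every sequence of draws for three swap loops and counts how often each ordering results. Assumptions: a deck of 3 or 4 cards stands in for 52 so the enumeration is exact, and indices are 0-based, so `random(51)+1` becomes a draw from 0..n-2.

```python
# Added illustration, not code from the article or the thread. A small deck
# stands in for 52 cards so every sequence of draws can be enumerated exactly.
from collections import Counter
from itertools import product


def outcome_counts(n, choices_per_step, pick):
    """Count how many equally likely draw sequences produce each ordering.

    choices_per_step[i] is how many values the RNG can return at step i;
    pick(i, r) turns step i and raw draw r into the index swapped with i.
    """
    counts = Counter()
    for draws in product(*(range(c) for c in choices_per_step)):
        deck = list(range(n))
        for i, r in enumerate(draws):
            j = pick(i, r)
            deck[i], deck[j] = deck[j], deck[i]
        counts[tuple(deck)] += 1
    return counts


def naive(n):
    """'Swap with entire deck': n choices at each of n steps, n**n paths."""
    return outcome_counts(n, [n] * n, lambda i, r: r)


def off_by_one(n):
    """The quoted random(51)+1, scaled down and 0-based: draws 0..n-2 only."""
    return outcome_counts(n, [n - 1] * n, lambda i, r: r)


def fisher_yates(n):
    """Step i draws from positions i..n-1 only: n! paths, one per ordering."""
    return outcome_counts(n, [n - i for i in range(n)], lambda i, r: i + r)


if __name__ == "__main__":
    for name, fn in [("naive", naive), ("off-by-one", off_by_one),
                     ("fisher-yates", fisher_yates)]:
        c = fn(4)
        print(f"{name:12} paths={sum(c.values()):3} orderings={len(c):2} "
              f"min={min(c.values())} max={max(c.values())}")
    # In the off-by-one variant the last card never keeps the last position.
    print(any(deck[-1] == 3 for deck in off_by_one(4)))
```
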
DanBC over 11 years ago
This was an interesting article. (Font size is tiny using Chrome on iOS).

> If your business or technology depends on using random numbers, your best bet is to use a hardware random number generator.

Some hardware RNGs would be hopeless for this task. It'd be scary to have to buy one of these things and trust the output.

PhantomGremlin over 11 years ago
I haven't seen this link posted yet: http://www.idquantique.com/random-number-generators/products.html

Note they claim: "QUANTIS has also been approved by national authorities and can be used for gaming applications."

If I were implementing this for a casino, I'd do what other posters have already suggested and use at least two independent hardware sources for my random numbers and XOR them together. IMO Intel's on-chip RNG would probably be a good source to use, but only in conjunction with others.

gedrap over 11 years ago
I'm curious how actually random are current generators in online poker? I mean, some rather subtle patterns, situations would generate larger pots, therefore more rake. Or being on the new player's side in 50/50 situations would 'help' to get him addicted.

I am not talking about 100% of the time dealing someone pocket kings, and someone else pocket aces and king on the flop.

Something subtle and very rare would be enough to count for large amounts of money at the end of the year, given the volume of major poker sites. On the other hand, if someone would leak it, that might ruin the business for good.

stephan10h over 11 years ago
Flaw #3 seems flawed to me. There are 52! possible ways to shuffle a deck of cards but a game is only played using a small subset. Suppose there are 4 players, then you need 2 times 4 plus 5 is 13 cards. The remaining deck of 39 cards can be shuffled in 39! ways without affecting the game. These possibilities are still included in those 52! of total possibilities. In case of 4 players there are only 52!/39! possible games that can be played. This is still a larger number than the 4 billion mentioned in the article but it doesn't dwarf the 4 billion as the 8*10^67 does.

bloodmoney over 11 years ago
I admit I am a total noob here, but couldn't you make something with a TV turned to a station with just static? I have often wondered about this but lack the 'propriate schoolin'.

akater over 11 years ago
I'm not a pro (not even an amateur, actually), but the very premise of “shuffling the deck” bewilders me. Shuffling the whole deck is so obviously bug-prone. Why not just pick random elements from decks instead? If I ever wrote a deck simulator I'd never shuffle anything, just pick 1 out of n < 52 when needed. Is this approach too naive and well-known to be somehow flawed as well?

o_nate over 11 years ago
Another lesson to be learned here is it's generally not a good idea to publish the code to a vulnerable, in-production system unless you are very, very sure there are no bugs.

betterunix over 11 years ago
I like to use this as an example of a problem that secure multiparty computation can solve, i.e. that you can remove a buggy / malicious central dealer from a system.

himal over 11 years ago
Related post: https://news.ycombinator.com/item?id=7196820

Kartificial over 11 years ago
Did this exploit actually get exploited? Or did they notify the site and give them an opportunity to fix it before they released their findings?

DerpDerpDerp over 11 years ago
This is one of those times you'd really want to use an actual random number generator, rather than a pseudo-random number generator.

jonbarker over 11 years ago
true random based on atmospheric noise: random.org