How to Properly Exploit a Super User Account
There has been tons of news about the cheating scandal at Absolute Poker. I have never played on that site. I am not sure if I have all the facts straight, but it appears an insider with AP had access to a "super-user" account, that could see all the hole cards at the table live. The super-user would then communicate to somebody in the game what hole cards he was against, and he would make some ridiculous calls and other obviously strange plays based on knowing his opponents exact cards. I guess they were able to pull this off for years, probably with the help of some internal stonewalling of any investigation, as it was an insider doing it. To me that is a pretty big hole in a systems security to have a super user account with that type of power. I am not sure why they would need to see the cards live, when everything that happens (including hole cards) is stored forever in the database. I see no reason to be able to see live cards, and I now wonder how many other sites are loose with their security like this.
All of this is beside the point of this post. These guys fucked up. They did it all wrong. This is how I would have done it (For the record I would have not done the following). Lets assume that the deck shuffle works as follows for a poker site. A random number generator determines the order of the deck. The cards are dealt off and the flop, turn, and river cards are sitting on top of the deck. I am assuming that the deck is not re-shuffled after the hole cards are dealt, and that no burn cards are required (this is not an important point). My point is that a super-user can see what the board will be preflop. That's is the info that you want. That's the info you exploit without getting caught.
So you don't allow yourself to view the other peoples hole cards, but you do take a peak at the eventual board preflop. If you see that you will end up with two-pair or better, you play on, otherwise you fold. Ok, you are not going to fold AA-QQ preflop, but you can play them weak if you know they are going to go nowhere, or just jam them preflop. So you know going in that you will river the straight with your 3 gap suited hole cards. So you make what looks like some bad calls preflop and on the flop, make what looks like a bluff attempt on the turn, and suckout a 4-outer on the river. Happens all day, everyday online. Nobody would suspect anything, but that you were a horrible player. The beauty is that it will not always work. You will get coolers still. You will flop a flush and lose to a higher flush. Your rivered straight will make the other guy a higher one. You will lose some big pots along the way, and people will say "look at this donk drawing to a 4 outer, and when he hits he still loses, lol". Nobody would suspect a thing if you played it this way. You may be considered the biggest luckbox around, but it would be "luckbox" and not "cheater". Is it a crime to draw to 2 outers?
So the moral here is, if you have access to a "Super User" account with the intention of scamming millions of dollars from the unsuspecting public, don't do the obvious. Don't look at the hole cards! Look at the board to be, and play like a freakin donk and you will never be caught.