Wednesday, October 31, 2007

How to Properly Exploit a Super User Account

There has been tons of news about the cheating scandal at Absolute Poker. I have never played on that site. I am not sure if I have all the facts straight, but it appears an insider with AP had access to a "super-user" account, that could see all the hole cards at the table live. The super-user would then communicate to somebody in the game what hole cards he was against, and he would make some ridiculous calls and other obviously strange plays based on knowing his opponents exact cards. I guess they were able to pull this off for years, probably with the help of some internal stonewalling of any investigation, as it was an insider doing it. To me that is a pretty big hole in a systems security to have a super user account with that type of power. I am not sure why they would need to see the cards live, when everything that happens (including hole cards) is stored forever in the database. I see no reason to be able to see live cards, and I now wonder how many other sites are loose with their security like this.

All of this is beside the point of this post. These guys fucked up. They did it all wrong. This is how I would have done it (For the record I would have not done the following). Lets assume that the deck shuffle works as follows for a poker site. A random number generator determines the order of the deck. The cards are dealt off and the flop, turn, and river cards are sitting on top of the deck. I am assuming that the deck is not re-shuffled after the hole cards are dealt, and that no burn cards are required (this is not an important point). My point is that a super-user can see what the board will be preflop. That's is the info that you want. That's the info you exploit without getting caught.

So you don't allow yourself to view the other peoples hole cards, but you do take a peak at the eventual board preflop. If you see that you will end up with two-pair or better, you play on, otherwise you fold. Ok, you are not going to fold AA-QQ preflop, but you can play them weak if you know they are going to go nowhere, or just jam them preflop. So you know going in that you will river the straight with your 3 gap suited hole cards. So you make what looks like some bad calls preflop and on the flop, make what looks like a bluff attempt on the turn, and suckout a 4-outer on the river. Happens all day, everyday online. Nobody would suspect anything, but that you were a horrible player. The beauty is that it will not always work. You will get coolers still. You will flop a flush and lose to a higher flush. Your rivered straight will make the other guy a higher one. You will lose some big pots along the way, and people will say "look at this donk drawing to a 4 outer, and when he hits he still loses, lol". Nobody would suspect a thing if you played it this way. You may be considered the biggest luckbox around, but it would be "luckbox" and not "cheater". Is it a crime to draw to 2 outers?

So the moral here is, if you have access to a "Super User" account with the intention of scamming millions of dollars from the unsuspecting public, don't do the obvious. Don't look at the hole cards! Look at the board to be, and play like a freakin donk and you will never be caught.

Labels: , ,


At 1:28 PM, Blogger Astin said...

Or just resist temptation and lose a hand every once in awhile. Go to showdown with a draw you played weakly, or push with 2-pair vs a set when you have a huge chip lead over a shortie. It's not like you can't make it back.

The problem with cheaters is that they cheat to perfection, which is a dead giveaway. You have to look imperfect.

Oh - and the latest I heard was that it was an account created waaay back when for testing purposes, and it was rediscovered by an outside contractor when they did their software upgrade a few months back. He also activated and transferred some dead accounts to himself and then dumped winnings to family/friends.

Just sloppy all around.

At 6:22 AM, Blogger Peter said...

Nice blog! More people should read it. If you want, you can register your blog It is free and and it automatically updates when you do an update, so visitors of our site can see when you updated your blog. The big advantage is that it will attract much more visitors to your blog.

At 1:48 PM, Blogger Hammer Player a.k.a Hoyazo said...

FWIW I haven't read any accusations that the superuser account could see any of the flop, turn or river cards before they were dealt. So your idea, while a good one in theory, I don't think applies in this case. From what I've read, the guy could just see everyone's hole cards and that's it.

And Astin you hit it right on the head. Even this donkey coulda easily done this again and again forever, by not taking those cheap opportunities to win huge pots by calling allins on the river with 10-high. You could so easily just make sure to lose some small pots, and win the big ones in the key spots. You could probably do that forever and make a ton of dough if done smartly.


Post a Comment

<< Home