[117666] in Cypherpunks

home help back first fref pref prev next nref lref last post

No subject found in mail header

daemon@ATHENA.MIT.EDU (Anonymous)
Wed Sep 8 12:23:37 1999

Date: Wed, 8 Sep 1999 16:59:21 +0200 (CEST)
Message-Id: <199909081459.QAA29742@mail.replay.com>
From: Anonymous <nobody@replay.com>
To: cypherpunks@algebra.com
Reply-To: Anonymous <nobody@replay.com>

from risks 3 sept 99

Date: Fri, 3 Sep 1999 05:26:02 -0700 (PDT)
From: "Matthew Schmid" <mschmid@rstcorp.com>
Subject: Online gambling software flaw

Regardless of its quasi-legal status, online gambling presents an entire
raft of risks.  Key questions include: Will your personal information be
handled securely (for example, will the credit card number you're paying
with be stolen or the fact that you're gambling at all be leaked)?  What if
the gaming site is hacked?  Could you be playing against cheating insiders
or players acting in collusion?  Are the games implemented correctly and
fairly?  Is the software secure?  In response to the last question, we have
demonstrated that the answer is no.

The Software Security Group at Reliable Software Technologies
(www.rstcorp.com) has discovered a serious flaw in the implementation of
Texas Hold 'em Poker that is distributed by ASF Software, Inc.
(www.asfgames.com).  We have exploited this flaw in the lab.  Our exploit
allows a player (us) to calculate the exact deck being used for each hand in
real time.  That means a player using our exploit knows the cards in every
opponent's hand as well as the cards that will make up the flop (cards
placed face up on the table after rounds of betting).  We can win every
time.  A malicious attacker could use our exploit to bilk innocent players
of actual money without ever being caught.  ASF Software has been notified
of the flaw.

Currently we know of three online casinos (www.planetpoker.com,
www.purepoker.com, and www.deltacasino.com) that appear to use ASF
Software's implementation of Texas Hold 'em Poker.  All three Websites allow
players to compete for real money.  There is also a demo casino
(www.casinococo.com) that allows players to gamble with play money.  We have
only used our exploit against the demo casino.

The flaw exists in the card shuffling algorithm used to generate each deck.
Ironically, the code was publicly displayed at www.planetpoker.com/ppfaq.htm
with the idea of showing how fair the game is to interested players (the
page has since been taken down).  In the code, a call to randomize() is
included to produce a random deck before each deck is generated.  The
implementation, built with Delphi 4 (a Pascal IDE), seeds the random number
generator with the number of milliseconds since midnight according to the
system clock. That means the output of the random number generator is easily
predicted.  A predictable "random number generator" is a very serious
security problem.

There are a number of other problems in the implementation that could lead
to complete security compromise.  We have only exploited the easiest one at
this time.

The broad take-home message from this work is simple: when software
misbehaves, bad things can happen.  Our mission in the Software Security
Group is to stamp out insecure code before it is placed in service.  Members
of the group involved with the Gambling exploit are: Brad Arkin, Frank Hill,
Scott Marks, Matt Schmid, and TJ Walls.  The Software Security Group is led
by Dr.Gary McGraw.

Matt Schmid, Reliable Software Technologies  <mschmid@rstcorp.com>


home help back first fref pref prev next nref lref last post