eGaming Today - Industry News, Gambling Information, Casino & Sportsbook Reviews

October 20th, 2007


UPDATE: Absolute Scapegoat? AbsPoker claims rogue programmer framed owner/executive.

BREAKING UPDATE
ABSOLUTE POKER STATEMENT, 10/21/2007

Based upon our preliminary findings, it appears that the integrity of our poker system was compromised by a high-ranking trusted consultant employed by AP whose position gave him extraordinary access to certain security systems. As has been speculated in several online forums, this consultant devised a sophisticated scheme to manipulate internal systems to access third-party computers and accounts to view hole cards of other customers during play without their knowledge. As this consultant was aware of the details of our fraud detection process, the likelihood that the scheme would be uncovered through our normal procedures was minimized. We consider this security breach to be a horrendous and inexcusable offense.

Absolute Poker just admits here that there were "third-party computers and accounts" able to "view hole cards of other customers during play". They did not claim this "high-ranking" employee created the system to view hole cards, only that he "manipulate[d] internal systems to access" such systems.

That is completely inexcusable. There is no legitimate purpose, even for the most sophisticated security, fraud and collusion detection systems, to have access to hole cards in play. Everything that needs to be done can be done the second the hand has completed.

There are two other plausible explanations that make sense in the context of Absolute Poker's statement, but both would be a scandal of equal or greater proportions themselves: 1) the AP poker client takes screenshots of players' computers and sends those back to AP, or 2) the AP poker client provides concurrent remote access (view desktop) to the player's computer to AP upon demand.

Note that some programs do take screenshots to detect robot play and other cheats (World of Warcraft uses such a system). However, these rely on pattern recognition, with the patterns sent to the client; the screenshots never leave the client computer.



Scapegoat?

“This is literally a geek trying to prove to senior management that they were wrong and he took it too far”

I believe this answer is absolute bullshit, and here is why.

Whose accounts?

It was leaked that the account POTRIPPER belongs to AJ Green, former Vice President of Operations. Is this true, or are they claiming this was false information? I find their lack of clarity on this issue to be more telling.

“We acknowledge a significant internal security breach whereby a resource who was infinitely knowledgeable about the system was able to get into the accounts in question.”

It seems they are claiming a rogue programmer played on the POTRIPPER account (amongst others) that did not belong to him. They still haven't denied the POTRIPPER account belongs to the former Vice President of Operations.

If it were true the owners of the accounts were not the ones to play on them, would this fact not have turned up immediately when the accounts were (allegedly) frozen in mid-September and investigated? Would they not have contacted the owners of the accounts they froze, and learned the fact the account owners did not play?

Are we to seriously believe that AJ Green, or whoever the POTRIPPER account did belong to, did not notice he won first place in a $100,000 guarantee tournament?

Whose IP address?

An IP address traced to Scott Tom's residence was watching the table. Now, I can still accept that this is innocent: AJ asked Scott (or someone else in that residence) to watch him play, to demonstrate to his former boss and friend how awesome a poker player he really is.

However, I find that the idea that this IP address was a "plant" to frame Scott Tom lacks credibility. The address was dug out of an Excel file after significant investigative work by N 82 50 24. Sending spoofed TCP packets (as was alleged) is one thing; tricking the poker server into recording the wrong IP address for an observer session for several hours is another.

It would be more believable if they claimed a computer in the Tom residence was found with a Trojan horse backdoor, rather than claiming this IP address was "spoofed" and planted as a frame job.

The Excel file

Other 2+2 posters have admitted to receiving an Excel file of the same format and information upon inquiry to Absolute Poker alleging fraud or collusion in tournaments, as long as a year ago. If this is true, then the sending of the Excel file was neither an attempt at whistleblowing nor an attempt at a frame job, but just standard policy. The employee who sent this file has allegedly been fired.

What compromise, exactly?

“We acknowledge a significant internal security breach whereby a resource who was infinitely knowledgeable about the system was able to get into the accounts in question. He played on those accounts and he saw hole cards”

If I read the above statement literally, it seems they claim the compromise was solely that he was able to get into the accounts in question. And at that point, he saw hole cards.

If this were the case, then Absolute Poker was already compromised, intentionally and by design. The rogue programmer did not compromise Absolute Poker, he took advantage of the compromise, for profit or to expose it as a whistleblower.

Super User account(s)

Many people have suggested that there are "super user" accounts or account types that are able to see hole cards. Perhaps such accounts are not able to play, only to observe tables, such as account #363, which was found observing POTRIPPER. Some people have gone so far as to suggest such an account has a legitimate purpose, for testing or fraud detection.

There is absolutely no legitimate purpose for any account nor any backoffice system to be able to view hole cards of a hand while it is in play. Creating such a feature would be an enormous breach of ethics and security. The existence of such a feature would be a huge temptation for insider cheating.

Fraud and collusion detection systems work off hand histories, compiled upon completion of a hand. Never should it be possible to compile a hand history of a hand in-progress.

“There are no "superuser" accounts that enable players to see other players' hole cards.” Official Statement from Absolute Poker (09/21/2007)

Data Leakage

Another suggestion is that a hacked poker client was used, perhaps one written for testing purposes, that is able to see hole cards. This would require that the hole cards for all players be sent to the client in the first place, perhaps encrypted to a special testing key, and/or only sent by the server upon recognizing the 'testing client'.

The creation of such a feature would again be a huge breach of ethics and security, and it has no legitimate purpose.

“When you are logged in and playing your game client only receives data regarding your hole cards. As a result, it is impossible for a player to have information regarding any other player's hole cards.” Official Statement from Absolute Poker (09/21/2007)
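As an added illustration (my own model, not code from Absolute Poker or from the original post) of the two design rules argued above: the per-seat message a server sends to a client carries only that seat's own hole cards, and the full hand history used for fraud and collusion analysis can only be compiled once the hand is complete. The class and method names are assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class HandState(Enum):
    IN_PROGRESS = "in_progress"
    COMPLETE = "complete"


class HandInProgress(Exception):
    """Raised when any tool asks for a full record of a hand still in play."""


@dataclass
class Hand:
    # seat number -> (card, card); the server's only copy of the private data
    hole_cards: dict
    board: list = field(default_factory=list)
    state: HandState = HandState.IN_PROGRESS

    def view_for(self, seat):
        """Message sent to one connected client (or observer).

        Only the requesting seat's own cards are included. Observers (a seat
        number that is not dealt in) get no hole cards at all; there is no
        'superuser' or 'testing client' branch that returns more.
        """
        return {
            "board": list(self.board),
            "my_cards": self.hole_cards.get(seat),
            # opponents are identified, but their cards never leave the server
            "opponents": sorted(s for s in self.hole_cards if s != seat),
        }

    def complete(self):
        """Showdown reached; from here on the record may be archived."""
        self.state = HandState.COMPLETE

    def history_record(self):
        """Full hand history for after-the-fact fraud/collusion analysis.

        Refuses to compile while the hand is live, so no back-office query,
        analyst or stored procedure can observe cards that are still in play.
        """
        if self.state is not HandState.COMPLETE:
            raise HandInProgress("hand history only exists after the hand ends")
        return {"board": list(self.board), "hole_cards": dict(self.hole_cards)}
```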

RNG Flaw

This is not an RNG flaw (like the PlanetPoker debacle in 1999). Such a flaw would require input of the player's hole cards and flop cards before the deck could be singled-out from the possibles; just knowledge of two cards is insufficient. POTRIPPER definitely seems to know all the hole cards before the flop. Secondly, this flaw would usually provide knowledge of the turn and river cards. Twice POTRIPPER was demolished by river cards (hand #54 and hand #73).

Network Analysis

This theory requires real-time decryption and analysis of all traffic leaving the Absolute Poker servers. Unless he's coordinating with the NSA, this is a very unlikely scenario.

Back-end System Interactive Access

This theory requires query access to the Absolute Poker database. It presumes that hole cards in play are stored in the database in unencrypted form, which would itself be a very serious hole in security, or that they are encrypted to a key that is static and known to the rogue programmer. It also presumes the rogue programmer had access to the DBO privilege account, since in secure database design read access to tables is generally denied to all users (only access to stored procedures is granted).

General employees should never have access to the production databases. If query access is given to data analysts, fraud detection experts, back-end systems and applications, it ought to be only to an *archive* version of the database that is a trailing backup (hours to days old), which would never contain live play data.

The production database must be firewalled. Access to the production database for emergency diagnostics needs to be tightly controlled. A secure terminal console with 24hr surveillance cameras would be more suitable than allowing special-case VPN access through the firewall. In either case, access is monitored.

The idea that the rogue programmer had interactive access to the back-end system for more than five hours, and that this did not involve the complicity of anyone else, is hard to fathom.

Back-end Trojan

Any stored procedures and programs planted in the back-end ought to be detected by a tripwire system, and outbound data blocked by the firewall.

Conclusions

POTRIPPER had access to the hole cards in real time. He acted in first position (under the gun) with equal precision, with 15 seconds to act. The superuser or data leakage theories are easier to believe in this case; however, both of those would have involved either sanction by Absolute Poker in the design of their system, or a conspiracy involving a large number of programmers and testers. The idea that a single rogue programmer could plant an easter egg in a program as well tested and subject to security audits as a poker server is hard to believe.

Absolute Poker's own statements that this rogue programmer was trying to demonstrate a known and ignored security flaw count against the idea that he planted easter eggs or back-end Trojans.

It may be accepted that their back-end security design and policies are so deficient and defective that interactive access was used. However, it would be hard to ever trust the integrity of the Absolute Poker system again if they are so grossly negligent.

It is my conclusion that this was an exploit of a feature designed and implemented by Absolute Poker, for benign or malevolent purposes. It is my opinion that there doesn't exist any rogue programmer, but rather that this feature was exploited by someone who was greedy and careless. If I am wrong and a rogue programmer does exist, he was more likely a sysadmin who decided to shed light on a feature whose existence may have been abused by other Absolute Poker insiders.

Absolute Poker's initial denials are very incriminating. The fact Absolute Poker also allegedly fired the person who sent the Excel hand history audit is also very incriminating. Their 180 degree turn-around spin/blame game is not a clean admission.

I don't believe anyone can trust Absolute Poker again.