Monday, June 29, 2009

Stealing the pot

This one is old news, but it touches on two themes of interest here. The story is the online poker cheating scandal of 2007.

Under not-so-disruptive technology, consider the very existence of online poker. Many people want to gamble. Governments tend to regulate gambling. There's a lot of money in gambling. Ergo, there is a strong incentive to exploit any available gray area to get a game going, for example by running it in an area where no particular government has clear jurisdiction. This has traditionally included rivers and the high seas, but the internet will do nicely.

Under anonymity, consider how the cheating happened and how it was detected. In online poker, as with message boards and other online games, you go by a handle. Someone named, say, Potripper could be anyone. Your next-door neighbor, a dentist in Saskatchewan, the prime minister of a G8 country, anyone. In this particular case, Potripper was someone with special privileges who could see all the cards on the table. This was of considerable help in knowing when to hold 'em and when to fold 'em.

Back under not-so-disruptive technology, the reason Potripper could get away with this is that the game was operating in a legal gray area, but players, at least once they'd become comfortable with the setup, assumed the game was on the level. Most of the time it was, but most of the time isn't all of the time. Again, this is not new with the internet. It's very, very old.

And finally, back under anonymity, how did the cheats get caught? They got greedy (strictly speaking, this should also go under not-so-disruptive). Players started to notice that some accounts were playing suspiciously. Experienced poker players soon learn to play conservatively most of the time. Potripper was making wild bets, bets that should have failed often enough to lose significant money. But Potripper's big, reckless bets never managed to lose.

You could see it on a scatterplot. Everyone else at the table was in the same general area. The good players were in positive territory, but not very far. The poorer players were in the negative territory, but not very far. Potripper was way, way off from the norm. About fifteen standard deviations off. The odds this would happen by chance were beyond minuscule.

Anonymity requires cover. For a person to remain anonymous, there need to be plenty of people who could possibly be that person. Looking at a scatterplot, there was no way to single out a particular skillful or unskilled player. If the cheat had been content with winning a little here and a little there, sometimes losing a bit, it would have been much harder to detect that there was something amiss. But when there's one, and only one, data point in the "so unlikely it's not even funny" area, it's dead easy to identify Potripper with the cheat.

Matching the handle to the cheating was easy. That left matching the handle to the person, and for that the players investigating caught a break. In response to a complaint, the poker site sent out an exceptionally detailed history of the game play, one that included IP addresses of the participants. That linked up behavior, handle, and IP. The IP was owned by the poker site.

The claim was made that a consultant had cheated "to prove a point". Well ... white hats do routinely try to exploit systems with the intent of passing the information on to the interested parties, for example in the case of MD5 SSL certificates. Once they find the weakness, they make a concerted effort to ensure that it doesn't get exploited for ill. The cheats didn't exactly do this. They instead used a number of handles over the course of months or years to steal millions of dollars. So no, sorry. That's not proving a point. That's out-and-out fraud [I should point out that I take no position here as to who was defrauding whom, but clearly someone was defrauding somebody].

Had they been less greedy, they would probably never have been caught. Conversely, less greedy cheats (or the same ones, having toned it down) may still be at it. Caveat bettor.

No comments: