PlayNoEvil - Game Security, IT Security, and Secure Game Design Services - Contact Us at ceo@secureplay.com - Optimal Play

Stopping Data Mining in Online Poker - The Quixotic Quest

ceo@secureplay.com (SecurePlay) — Mon, 19 Apr 2010 05:05:00 -0700

Recently, a well-known online poker player was suspended for using data mining against another player. He had 20,000 hands of his own (!!) and downloaded an additional 30,000 hands (!!!) to uncover the weaknesses and habits of his foe.

He admitted doing this and was suspended for a while.

Virtually all online poker sites have rules against data mining using other players data. However, as noted, online poker hands are essentially public, so the data is widely available (along with slick analytic tools). One writer noted that analyzing other players hands is just like soccer players or football players looking at the video of their opponents previous games - the information is available to everyone and serious players/teams use what is available to improve their performance.

As a practical note, it is pretty much impossible to stop anyone from data mining in online poker. Its like card counting in online blackjack or poker. It is well nigh undetectable.

Essentially, online poker and other such games are essentially different from face-to-face games. Game operators and other players should recognize that they are very likely to be facing a person with computer aided tools for hand analysis and strategy... after all, the games are being played on a computer.

One can recognize these tools and make them part of the "legal" game or bury one's head in the sand that this isn't going on everyday by virtually everyone.

J. Rodriguez (2009),"Online Poker -- The Data Mining Dilemma", http://www.cardplayer.com/poker-news/8221-online-poker-the-data-mining-dilemma

R. McAdam (2010), "Online Poker Data Mining - The Pro Opinion II", http://www.cardplayer.com/poker-news/8911-online-poker-data-mining-the-pro-opinion-ii

Trivia Games are Doomed! Really!

ceo@secureplay.com (SecurePlay) — Fri, 19 Dec 2008 08:06:58 -0800

Trivia games are in deep trouble ... and they've been killed by Google.

Oh, you can still have a good time with Trivial Pursuit and its brethren at home or at (small) parties (if you keep an eye on people's cell phones), but trivia contests, especially online, and extra especially for money just don't work.

Trivia games join many traditional word games, memory games, and math games which rely on the limitations of human memory and thinking to function. Other puzzle games, like Sudoku, also face serious challenges in many online and competitive environments because they have algorithmic solutions.

(by the way, this includes many physics-based games like darts and pool as well)

I've talked about this before, but the problem was brought into focus (yet again), by the problems that bar-based trivia games are having in a world of iPhones and other smart phones.

Bars love simple trivia games, they are easy to support, highly entertaining with drunken players, don't have a lot of infrastructure (no fancy graphics, just questions and answers), and anyone can play and most people think they are pretty good at such things.

A pub-trivia game, called Quizzo, is suffering from "The Attack of the iPhone" with many players cheating using their phones to research answers on the Internet during game play.

Bars try to institute rules to minimize the problem (I don't think they've gone to cell phone jammers... yet... and you can't go to the bathroom during a round), but it is hurting the game and their business.

Charades, anyone?

J. Fletcher (2008), "At Quizzo night, an effort to try and thwart cheaters", http://www.pressofatlanticcity.com/113/story/349521.html

Worldwinner Scrabble Cubes Skill Game Exploit? or Fake Hack?

ceo@secureplay.com (SecurePlay) — Fri, 26 Sep 2008 01:00:00 -0700

Scrabble Cubes is a competitive skill game at Worldwinner. The game has a randomized set of dice with letters on it that are used to spell words, similar to Boggle, except the letters on the cubes can only be used 3 times. Cubes can be removed, and the game has a time limit (see full rules at Worldwinner).

There is an exploit claimed for the game that allows you to use the letters on a cube an unlimited number of times (as opposed to 3), which is a huge advantage for scoring in the game at Cashgamers.net. (There is even a video).

If real, this would be quite troubling as the game can be played competitively for money.

If real.

The video is ambiguous.

It does show the exploit, but the question is whether it is simply a memory editor attack that only works on the client. The key problem is that there is no proof that the score or results have been sent to the server. It would probably not be difficult to use a memory editor to change the game so that it would not limit the number of times a letter can be used... there is a constant "3" in the code somewhere, and it could be changed to whatever value you like.

If the game actually sent the results (all of the formed words) to the server, the server would/should! be able to validate (or rather invalidate) the results with the hack.

If the game sends the high score only, then we have a problem. Or, rather, Worldwinner does.

This game should be vulnerable to some wicked "bot" attacks that run a dictionary to compute the optimal strategy and words, by the way. I suspect all of the hidden letters are pre-downloaded meaning they could be extracted on the way to the browser or by a memory editor/reader once they are in it. This would be very hard to stop or detect.

Ah, nothing like money to make cheating more interesting.

Security through Game Design - Some thoughts on Nexon's Mabinogi

ceo@secureplay.com (SecurePlay) — Fri, 28 Mar 2008 09:46:58 -0700

"Security", whatever the heck it means, is often an afterthought - a distraction from the task at hand. This is true for most of the world and it is certainly true for games.

But, what if you build security in from the beginning? Will it be more effective (and less expensive)?

Nexon seems to be exploring "security by design" in its new MMO Mabinogi. Whether Nexon's measures are successful or not, it is almost certainly a better approach than wishing security problems away.

Continue reading "Security through Game Design - Some thoughts on Nexon's Mabinogi "

Hacking and Cheating in Pool at Yahoo... or not

ceo@secureplay.com (SecurePlay) — Thu, 10 Jan 2008 09:09:51 -0800

In monitoring the wacky world of game cheats, a nice looking tool for cheating at Yahoo's online pool game came across my virtual desk. Yahoo Pool Buddy (definite trademark infringement) looks to be a nicely packaged and designed cheating tool for Yahoo Pool. Also, of course, the question is - are you only getting a cheating tool, or a bit more than you bargained for?

Continue reading "Hacking and Cheating in Pool at Yahoo... or not"