Article on bots by Ed Miller - Offshore Sport Betting

speedealer · #1 (**permalink**) December 15th, 2006, 04:12

Bots, Cheating, and Online Poker
Posted on Sun Dec 10, 2006 03:11:18 PM

Recently, a long-time member of the Las Vegas poker community posted a question in several public forums about cheating. He saw a Google ad on my site for an organization selling some “Cheating” software for poker.

I saw those ads too, and I submitted them immediately to Google so that they wouldn’t display. Google selects the ads to display, but I can veto them manually, and I vetoed the cheating ones. Normally I have a laissez faire attitude toward ads, figuring that my readers are smart enough to know what might be worth buying (poker equipment, books, and other stuff) and what’s a dud. But I won’t have “Cheat at Poker” spashed across my site, whether the guy is selling snake oil or not.

The post then asks what cheating methods might be used online, and what he should be concerned about. I don’t want to alarm people, but I think it’s a valid question, so I figured I’d talk a bit about it. There are two major classes of cheating threats: attacks on the basic integrity of the game, and team play.

Attacks on the Integrity of the Game

I’m talking about stuff like the cards being “rigged,” about some players being able to see others’ hands, and about people being able to crack the random number generator (RNG).

To be hit by one of these things requires either incompetent software design, deliberate misuse by someone on the inside, or spyware.

At the 30,000 foot level, here’s how a poker program “should” work. It should use a hardware RNG to ensure true randomness rather than pseudo-randomness. Computers often generate “random” numbers by taking a fixed seed (like the current time) and running it through a very unpredictable function. This makes the output seem random, but if you know the original seed number, you can just run the function again and predict what the “random” number will be.

Hardware RNG is truly random. An example is a radioactive source and a Geiger counter. You can’t predict when the next atom will decay, when the Geiger counter will next “blip.” No one can. It’s a law of nature. You can use the random blips of a Geiger counter to generate truly random, unpredictable numbers.

Poker software should generate your hole cards with hardware RNG. Then it should send them to you through an encrypted channel. It would work similarly to the encryption on the web. Here’s how it might work. Your computer selects a secret key (i.e., password) at random (or, rather, psuedo-random). It encrypts it using the poker site’s public key and sends it to the site (read more about public key cryptography). The site decrypts the key and then sends you a confirmation that you both have the same key. Then the site communicates your cards to you using your agreed upon secret key.

If done correctly, no one “listening in” can know what your cards are. It’s a secret between you and the poker site. That’s how a poker site should work, and it’s relatively basic stuff for any competent developer. But not all developers are competent, and they could do it wrong. The site could be cheap and scrimp on the hardware RNG, thus relying on psuedo-random numbers. Since those numbers can be predicted, one could “crack” the code and figure out what all the cards are.

The site could also mis-implement the encryption algorithm and introduce a vulnerability there. Fortunately, online poker sites seem to be settling on a few online poker software packages rather than developing new ones for each little site. The major packages shouldn’t have these problems. I’d expect them only from a homebrew piece of software at a little site.

As I said, your cards are a secret between you and the poker site. Or rather, between your computer and the poker site’s computer. Those are the two points of attack. If someone at the poker site who has access to the server code wanted to look at cards, they could, without question, do so. There’s no way around that.

More immediately concerning (at least to the extent that it’s actually something you can control), however, is spyware. Your computer knows your secret key and your cards. If you accidently download and install a spyware package designed to sniff out your cards, you’re toast. It would sit in the background, and you’d have no immediate tip-off to its existence. It would read either your secret key or your actual decrypted cards and transmit them to a server run by the spyware developer. Then he could see your cards every time you play.

Writing such spyware without “cooperation” from the poker client is far from trivial, however, as Windows has built-in protections to prevent a random program from accessing the memory of another. In other words, I couldn’t write a program that just looks at the memory used to store your cards because that memory belongs to a different program. Windows would say, “Nope, you can’t read that.” [Ed. Actually, it’s really not all that hard to write spyware that grabs your cards. An easy example is a screenscraper that watches what’s on your monitor and forwards that information to a 3rd party. Thanks to MFM in the comments for catching my brainfart.]

But if there’s a vulnerability in the poker client, then they spyware could “sneak in” and become part of the poker client. At that point, it could read and transmit freely. The client has to be written very rigorously to avoid exposing such a vulnerability. Here’s a quick example. Say the client is divided into different modules: one part converses over the Internet, one part displays cards on screen, and one part encodes and decodes things. The spyware might be able to hack the part that displays cards and inject code that reads and transmit your cards to the cheaters. To defeat that, the person who wrote the client code would have to check at load time that the card displaying module is untainted. In other words, before it loads ANYTHING, it has to make sure no one changed it.

Most poker client software actually probably does that. But there are probably literally thousands of similar checks and verifications the poker client has to make throughout the code to make sure that no evil code sneaks in, and humans being humans, usually a few get missed.

Again, I’m not trying to be alarmist. It’s not easy to write such a piece of spyware. But in computer security, where there’s a will, there’s a way. There’s money to be made, and you can be 100% certain people are working on hacks like this as you read this. Someone will find a hack, get people to install it, and use it for a while to steal money. Eventually the poker site will find out, and the developer will fix the crack. But in the meantime, bad stuff has happened.

That’s about it for the integrity of the game. To be honest, I think it’s a relatively low risk for most people. Frankly, it’s a lot easier for spyware just to grab your password through a keylogger, log in as you, and take your money that way. Be very careful about what you install on your computer, and be on the lookout for drive-by downloads. And don’t play at shady sites. The shadier the site, the more likely someone working for it will see the easy money they can grab and grab it.

Team Play

Team play is a more imminent threat. Obviously, colluding is trivial. Talk to someone else while you play. It’s a skill, though… two idiots who can’t play poker aren’t a threat. But two excellent players who have mastered colluding will be damn near unbeatable.

Identifying collusion is tricky. There’s ways sites can do it, but a lot of the evidence is circumstantial, and it requires human eyes to make the final call. Whenever you have a network-scale problem and a human-scale solution, stuff will slip through the cracks. Especially when the problem users are largely anonymous and can just change IP’s, bank accounts, and usernames and start again.

Furthermore, cardrooms have a long-term incentive to squelch cheating (because it fleeces the regular players and eventually they’ll stop playing), but a short-term incentive to cover it up (because a cheating scandal will chase players away long before they get frustrated and quit on their own). Whenever your first incentive is to cover something up, you have a dangerous situation. It’s not an indictment of cardrooms, it’s just the way it is.

To me, the most direct threat to online poker is colluding bots. By themselves, bots are a major threat to online poker. Bot software is now available to the public at a very affordable price. (Please don’t flame me for the link. Enough people already know about and use these bots that the damage is done, so to speak. If you don’t believe me, look at the forums at that site and see how active they already are. I’m very much trying to educate the regular player about what they are up against.)

The reason bots are a threat is because it’s not too hard to code a bot that will beat the small games, both limit and no limit. Small games are the lifeblood of the poker economy and the $100 losses at $2-$4 are ultimately what feed the $1,000-$2,000 games at the top - pyramid style. In a normal small stakes game, incompetent players fill most of the seats, and the few good players “shear the sheep,” as it were, taking their cut, but leaving most of the money floating around.

Bots, however, have the capability to be in hundreds of games simultaneously. Eventually they will “skin the sheep.” They will continue to expand and fill seats until someone stops them, or until it’s no longer profitable. If the bots are making no money, then it means the cardroom is getting its rake, the good players are getting a tiny bit, and the bad players are getting slaughtered. They’ll quit. And without their money, the whole online poker pyramid will collapse.

Bots are quite literally the cancer of online poker. They will multiply until they have killed their victim or until someone contains them. The bot software I linked above allows users to create their own AI and plug it into the bot framework. Hundreds of great poker minds are working right now to develop better AIs. If you want insight into their brains, again, read those forums.

More threatening still is colluding bots. Bots can communicate with other bots and share hole cards. Say someone writes a colluding bot and sits it in three seats of a game. The bots share hole cards with each other and instantly adjust their strategies based on the extra knowledge. A well-coded bot of this type would be extremely formidable even to strong players.

If poker sites want to survive and keep their pot-o-gold running into the next decade, they need to tackle the bot problem head on (apply directly to the forehead). They have adopted some counter-measures. For instance, Party and Stars (and possibly others) use a technology called captchas (you’ve no doubt seen them on numerous websites now) to thwart bots. A captcha is just an image with distorted lettering on it. It’s trivial for humans to see through the distortion and type in the lettering, but it’s a tough problem for computers. The site challenges you with a captcha, and you have to type it in to keep playing. Bots won’t be able to do this reliably enough to avoid detection.

But captchas don’t work at all if a person is sitting there watching the bot. Say someone has three computers with a colluding bot on each computer. They tell the bots to play, and they monitor the action to look out for captchas. It’s a solution for the nickel-and-dime botting at the very bottom, but as soon as there’s meaningful money involved, people will sit there just to type in captchas. Or hire people to do that. Lots of people would be happy to earn $8/hour to sit there and type in captchas.

It’s a tough nut to crack, but sites will eventually have to attack the problem very aggressively if they want to keep their businesses going. And ultimately, the deck is stacked against the cardrooms. There’s no iron-clad solution. Bots can run remotely so the bot software is entirely undetectable on the client machine. Poker clients would have to ban the use of all sorts of macroing and other automated input programs to stop it, but the “bleeding edge” botters will always be one step ahead.

In fact, the botters could reduce their footprint on the client machine to nearly zero. They could run the bot on a separate computer. The bot could simply suggest plays (informed with the hole cards of other bots) on that computer, and a hired person could execute the plays in real time on the client machine. The hired player could respond to chat, enter captchas, and otherwise appear like a completely normal player. This could be done in workshop-style offices on a large scale in places like Eastern Europe where kids can be hired very cheaply. The only recourse the cardrooms would have is the labor-intensive collusion detection available to them. If the botters collude “smartly,” (i.e., they don’t collude every hand, but “mix it up” to use poker terms), they could escape detection for quite a while. Lest you think this is far-fetched, such workshops already exist in China to play online computer games and sell virtual property.

Unfortunately, as I gaze into my crystal ball, I fear colluding bots may make online poker in 2010 just a shell of what it is today. As someone who makes his living off the vibrancy of honest poker, that thought scares me a lot. But just because I want the problem to go away doesn’t mean it will. You, every honest poker player, should know what the threats are and exactly what you might be up against when you play online poker.

Ed Miller

Bots, Cheating, and Online Poker · Noted Poker Authority
Mods I did not see any affiliate banners on his site when I was there. Let me know if the link was not cool, and I will remove it, or you can. Just trying to give the author his proper tribute.

speedealer · #2 (**permalink**) December 15th, 2006, 05:48

With the passage of the UGIEA, and the majority of the reputable casinoes [non MGS] taken away from us Americans, I have been playing alot more online poker lately. I do feel fortunate that I do not play alot of holdem though, because i feel thats where these majority of these bots are. I do not think that this is the end of online poker. I do still KNOW that you can make $$$ playing online.

I personally believed before I read this article that the bots were good for the game, with their 10-20% vpip. the new bots are much more aggressive though, eventually this is going to hurt the solid players profits.
And eventually they are going to move into mixed games where collusion can definately hurt more.

Everyone knows that this is not a new problem, but Ed raises some pretty scary points that I myself have never thought of in this article. The new bots are much more aggressive than the old weak tight ones. It's the network of collussion that scares me the most.

If colluding bots could nail a holdem game, think for a minute what they could do to a pot limit omaha game, or even worse a pot limit omaha/8 game. Just three bots at the table, thats 12 known cards out of the deck. Imagine a bot being able to stack off with a jack high flush knowing that it can't be beat. If I personally saw the bot table this hand for his stack, I would think he was a maniac - definately not a bot - all the while the network would be busy chopping my ass up, slowly but surely.

Winholdem has been around for at least three years, the program he is selling is not the one I'm worried about. That guy is a dick everyone knows that. But I think alot of the coders started on his platform and added to it, making more advanced shit. As AI gets more advanced, the bots start reacting to your tendencies, just like a solid player would. And the less sophisticated bots will get eaten up by the better bots too.
The ones that started out of the Univ. of Alberta?? [ I think - POKI ] are probably making $$$. Fuck that contest was at least 2 years ago.

There is just to much money in this shit for it not to grow and spread just like a fucking cancer. It will get more sophisticated with time, don't kid yourself that it won't.
Think about a offshore [or onshore] warehouse full of bots playing best hand. They could suck a game dry pretty quick. scary thoughts, man.

But think about some of these smaller sites/networks out there and ask yourself why they would want to get rid of the bots?
To a new startup site, these are just props that they do not have to pay.
And the bots pay a full rake just like us humans do.
They add more players to games.
The only thing they do not do that a prop would is start games.
Bots play everyday [ christmas included ].
Bots don't bonus hunt or play only with a bonus.
All new sites / networks have used props in the past, to get started. Jetset had them until the day they shut down.
It's a win/win situation for a new sites/ networks.

I forget the name of the site that already went through a scandal in the last few years for having their own site santioned bots?

Just some things to think about, before you quit your day job with dreams of becoming an online pro.

Merry Fuckin Christmas
speedealer

hilbert · #3 (**permalink**) December 15th, 2006, 11:31

pretty interesting article..

i know the obstacle isn't *that* big but.. to take it to the scale of warehouses.. where would they get all the different identities to play with?

also.. do you see possibly having invite only sites where you have to know someone or something like that? high level of personal security?

hell i dont know.. i do find it interesting.. but i suppose i better make as much money as i can now before something drastic happens.

studmuffin · #4 (**permalink**) December 15th, 2006, 17:51

Quote:

Originally Posted by hilbert

pretty interesting article..

i know the obstacle isn't *that* big but.. to take it to the scale of warehouses.. where would they get all the different identities to play with?

also.. do you see possibly having invite only sites where you have to know someone or something like that? high level of personal security?

hell i dont know.. i do find it interesting.. but i suppose i better make as much money as i can now before something drastic happens.

I think in those 2nd/3rd world countries where this would likely be happening, identities are a commodity and can be easily bought and sold.

So I'll be going over to eastern Europe in a couple of weeks... j/k

But seriously, does anyone have an idea on the highest limits these bots can profitably play? It seems like the answer would just be to get good enough to play at higher limits than the bots can.

speedealer · #5 (**permalink**) December 16th, 2006, 00:41

Quote:

Originally Posted by hilbert

also.. do you see possibly having invite only sites where you have to know someone or something like that? high level of personal security?

hell i dont know..

Some Chess sites already do this, hilbert, but are the bot owners going to find away in...probably.

speedealer

speedealer · #6 (**permalink**) December 16th, 2006, 01:21

Quote:

Originally Posted by hilbert

i know the obstacle isn't *that* big but.. to take it to the scale of warehouses..

Even the shittiest PC can run the bot software and poker client at the same time.

The Zippy video The Return - movie.wmv @ ZippyVideos.com - Free Video Webhosting

If a coder has already produced a verified winning bot.

His next step would be simply to do the math, and build on the economy of scale. Business 101.
Then simply reinvest a portion of the profits, back into research and development of more advanced bots.
A successfull bot coder also generates a portion of his profits from less advanced bots.

speedealer

speedealer · #7 (**permalink**) December 16th, 2006, 01:53

Quote:

Originally Posted by hilbert

where would they get all the different identities to play with?

Gnomes have been around as long as bonus hunting, internet gambling.
It's just not discussed publicly any longer.

speedealer

speedealer · #8 (**permalink**) December 16th, 2006, 07:22

What has been confirmed by the Investigations Dept. @ Party is that in April 2006, there were ' 21 ' bots that Party removed from their $22 & $33 - sit & goes. These bots were confirmed there for over two months 24/7. These bots were confirmed to have a winning ROI. Party removed those '21' accounts and their funds were confiscated.

But seriously, does anyone have an idea on the highest limits these bots can profitably play? It seems like the answer would just be to get good enough to play at higher limits than the bots can.

On another forum there is pretty conclusive evidence of bots in Partys middle limit -6 MAX tables, $10/$20 thru $30/$60. Every bot by the OP had at least 3k - 7k hands played in his database for a total of at least 30,000 hands played. With conservative winrates of at least 1.4/100 BB. These bots all had very similiar Pokertracker numbers, and a timing tell, this is how they were identified. These bots were semi-confirmed to only play one at a table.

If bots have already been 'outed' in the middle limit 6 max tables, one have to to be naive to think that there are not bots playing higher already.

'outed' bot Pokertracker number averages
vpip +30% / preflop raise +24% / attempted to steal blinds +39% / won @ showdown +50% / check raised flop +17$ / check raied turn +7% /

6 MAX $10/$20 bots.
Addemoney
Bennydale
Promethuis
Flying _spurr
tawriffic
Starawy
Wonder_W72
Roccosuper
Prime_move
Paggliaco
72,000 hands, they are winning at 1.50BB/100 - source flintoff

Other middle limit Party 6 MAX bots- from spiff21
AddedMoney1
bennydale111
big_colonel
bound_away
cloudy_bay
ducks_nuts
fair_dingkum
flying_spur
frames_depot
Gabriel6661
GoldenGus
gunsmoked333
HelicoptLeo
Liguria111
Mads080205
mes_ami
miss_meidy
pagliaccio_
prime_move
Prometheus42
roball111
RoccoSuper
sanddance
simon_sez555
stabber555
Starway
successor111
tuckerrain
tawriffic
WonderW_72
vallyvally

Party and PokerStars have always been the most diligent in the industry at detecting and removing bots.
Party is ('was' for us americans) basicly a back door in their measures to identify bots, among other things.
AFAIK, Pacific and Full Tilt, WSEX, etc., have done nothing to thwart the botters. There is evidence that some of the smaller sites actually encourage bots.

We as players can bitch about Party for many, many things but they are the industry leader in the fight against bots. And should be commended for that.

For the poker clients themselves the bot issue is definately a conflict of interest, as the bots are their most frequent and best customers.

The ones that started out of the Univ. of Alberta?? [ I think - POKI ] are probably making $$$.
http://www.cs.ualberta.ca/~pokert/ Link to the 2006 competition. ( POKI )
AAAI-06 Computer Poker Competition 2006 AAAI Computer Poker Competition (American Association for Artificial Intelligence) in Boston this year.

I guess what I have learned from researching this info. that I didn't know before is that :
* The bots are winning players at the middle limit hold em
* The bots are not weak tight - before I assumed they would be
* The bots can collude with other bots
* The bots are winning at levels higher than $3/$6 - before I assumed they wwould be playing very low limits
* The bots have a proven short stack No limit ring game play
* The bots will attempt to steal your blind* The bots have very respectable aggression factors of least 1.6 on every street - see weak tight
* The bots can win in shorthanded games - I assumed they would be in full games only
* The bots raise alot from the blinds - see weak tight
* The bots will bluff raise the river w/ ace high
* The bots DON'T just play full ring games
* The bots in their 'factory' setup are probably little more than breakeven players
* The bots are interlinked to poker tracker and can profile YOU in 30 hands , they use this data in real-time and input it into their algorithms
* The bots have already proven to be winners in sit n goes - I assumed they would only be playing for cash
* The bots need two computers to run at Party

REALITY
Bots have already killed chess for money online.
Bots are killing or have killed backgammon for money online.

Worldwide online poker for money is going to always be around for the foreseeable future. Bots are now always going to involved in online poker.
We as successfull players will adjust and adapt, and coexist with the other winning players, winning bots, breakeven players, losing bots, and losing players.
It is my personal opinion that when collusion between these bots is normal, it will certainly have a negative affect on everyones EV.

IMHO, the comparison can be made between online poker and the financial markets where computer trading programs and successfull traders have coexisted for years, with both adapting.
In America ( online pokers biggest market ) the boom has passed and we are definately on the downturn of the spike. This is the time that any traditional market weeds the weak out. Online poker will be no different. The bots will just help the market with weeding out part.

speedealer