Report: Bodog Anonymous Security Not So Anonymous (Video)
Following the release of its new upgraded software, the online poker firm Bodog proclaimed it had figured out a way of preventing the so-called “sharks” from viewing critical player data. This week, some members of the online poker community were quick to report that this critical data had been hacked. A video demonstration was released in an effort to support this claim.
From the HH Smithy Blog:
Bodog’s software was broken in under 3 hours, just like PartyPoker’s anonymous tables. Therefore, if you’re interested in the nitty-gritty details, you can check them out on our blog about PartyPoker: How Anonymous Are The PartyPoker Anonymous Tables?
The cliffs notes of the attack boil down to this: Bodog trusts the client. This is a major violation of basic IT Security rules – you can NEVER trust the client with proprietary or sensitive information. This is a simple concept that novice coders learn early on when writing database calls and a web form. You would never collect data from a web form without properly sanitizing it – for example, if you had a contact form on a website that POSTed data to your server using PHP, you’d use something like mysql_real_escape_string() to sanitize the POSTed inputs. If you didn’t, you’d open yourself up to very simple SQL Injection attacks.
Sony made the same mistake when their PlayStation Network was hacked – they trusted the client. As famed iPhone and Sony hacker George Hotz (geohot) said:
This arrogance undermines a basic security principle, never trust the client. It’s the same reason MW2 was covered in cheaters, Activision even admitted to the mistake of trusting Sony’s client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you. Notice it’s only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not GMail when Android was rooted. Because other companies aren’t crazy.
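The "never trust the client" rule quoted above, shown as an added illustration that is not from the HH Smithy post or from Bodog's software: the server builds each viewer's table snapshot from an allow-list, so stable identities and other players' cards never reach the client. All field and function names are hypothetical, the table data is constructed, and the page does not describe Bodog's actual protocol.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side table state (constructed sample, not real data).
TABLE = {
    "hand_id": 1001,
    "seats": [
        {"seat": 1, "account_id": "acct-7731", "screen_name": "river_rat",
         "stack": 1500, "hole_cards": ["As", "Kd"]},
        {"seat": 2, "account_id": "acct-0042", "screen_name": "nit_king",
         "stack": 980, "hole_cards": ["7h", "7c"]},
    ],
}

SERVER_KEY = secrets.token_bytes(32)  # generated and kept on the server only


def seat_alias(key: bytes, hand_id: int, account_id: str) -> str:
    """Per-hand alias: stable within one hand, not linkable across hands
    by anyone who lacks the server key."""
    msg = f"{hand_id}:{account_id}".encode()
    return "Player-" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def naive_view(table: dict) -> dict:
    """Anti-pattern: send the full state and rely on the client UI to hide it."""
    return table


def viewer_snapshot(table: dict, viewer_account: str,
                    key: bytes = SERVER_KEY) -> dict:
    """Build the outgoing message from an allow-list of viewer-safe fields."""
    seats = []
    for s in table["seats"]:
        own = s["account_id"] == viewer_account
        seats.append({
            "seat": s["seat"],
            "alias": seat_alias(key, table["hand_id"], s["account_id"]),
            "stack": s["stack"],
            # Hole cards are included only for the viewer's own seat.
            "hole_cards": s["hole_cards"] if own else None,
        })
    return {"hand_id": table["hand_id"], "seats": seats}
```

Anything present in `naive_view` output can be read by whoever controls the client, regardless of what the interface displays.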
At the time, Bodog officials had touted that the “anonymous tables” feature stops poker pros from accessing any data on how you play your game via the use of HUDs and other data mining sites like PokerTableRatings and SharkScope. This is totally unique to the Bodog Poker Network and will send shockwaves through the online poker playing community.
Arguably the best known poker pro on the planet, Daniel Negreanu himself, freely admits that using player data has helped him win. In his own blog he states: “There is plenty of information online that you could find about your opponents. For example, what they've won, what tournaments they normally play and how they do overall. I'd type in their online results under the notes tab, then also color code the notes with either "Winning Tourney Player" or "Losing Tourney Player." All these tools helped me make better reads in marginal situations.”
“Anonymous tables make this type of player data impossible to collect,” a presser from Bodog Poker insisted.
Jonas Odman explains: “We believe that introducing these features makes the Bodog Recreational Poker Model a pioneer in the online poker world and offers all players of all abilities the fairest place to play. We have shown before that we are not afraid of controversy by changing the way rakeback was viewed and starting to block data mining sites earlier this year and these new features now give players a less biased ‘pure poker’ experience. To my mind the software and Bodog’s Recreational Poker Model is a genuine game changer.”
Bodog is one of the online companies that has found itself in the crosshairs of the US Attorney’s Office in Baltimore over these past couple of years. They were, in fact, the initial target of that ongoing investigation.
One of the reasons cited for the attempted crackdown on data mining has to do with tracking websites and their ability to rank online poker rooms like Bodog. Executives from the top 3 Internet poker rooms were charged last April with money laundering and bank fraud. Some of the defendants are scheduled to face trial in March.
Bodog Poker executives have expressed to sites such as PokerScout.com that they do not wish to be ranked. In recent weeks, company officials have become increasingly antsy regarding efforts to prevent professionals, traffic monitoring sites and others from accessing such critical data.
- Chris Costigan, Gambling911.com Publisher