Online Poker Room Cracked (not a hoax)

This is documented fact: an online poker room’s shuffling algorithm and random number generator were so flawed that a player could predict the next card off the deck and know his opponent’s cards.

Before proceeding, you need to know that it is our informed opinion that the people promoting “Party Poker Cracked” ebooks and software on the web, in chat rooms, in newsgroups, and at the poker tables are making false claims. Their claims are absurd on their face. Do not buy their ebooks, do not visit their websites, and do not follow their system. We’ll expose more about these “Party Poker Cracked” claims in a future article.

We recommend reading this prior installment on the basic concepts of how cards are shuffled at an online poker site. Knowing those very basic concepts will make it easier to understand what went wrong.

In 1999, online poker rooms for real money were just beginning to emerge. One of these early poker sites was Planet Poker, which used software from ASF Software, Inc. In order to help instill trust in game integrity, they made the software code of their shuffling algorithm public.

This in itself is not bad – knowing the source code of a shuffling algorithm does not allow a person to know the outcome of running it, because the shuffle will be based on an input which should be truly random and also unpredictable.

The problem was that Planet Poker’s algorithm, random number generator, and random data source were significantly flawed.

The first problem was that the shuffling algorithm actually couldn’t produce every possible deck variation because of numerical limitations combined with a programming flaw.

In this situation, the RNG generated a 32-bit number, which only supports numbers up to approximately 4 billion. As you read in the prior article, there are many more than 4 billion possible deck orderings.

Making matters worse was that the source for random data was based on the number of milliseconds past midnight. But there are only approximately 87 million milliseconds in a day. This means there were only 87 million orderings of cards that could be used.

This limitation was significant because this particular shuffling algorithm started each run of the shuffling algorithm with the same deck order. Imagine if you were at a live cardroom with a dealer who had a lazy shuffle, only riffle-shuffling a couple times. Since the cards are mucked in a different order each hand, the effects of that dealer’s lazy shuffle may not be very evident. But what if that dealer started with a new deck of cards out of the box every time? Wouldn’t you at least eventually notice some clumping of suits and card values?

As explained in the prior article, there are approximately 130,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possible deck orderings for a 52-card deck. Eighty-seven million is significantly less.

This combination of flaws is already troubling, and knowing about it would cause many players to leave a poker site. But it was worse than that.

The second problem was that the RNG seed was predictable with some effort. A user who knew the RNG seed, the function operating on that seed, and the shuffling algorithm would be able to crack the shuffle.

The RNG seed was based on the number of milliseconds from midnight. The team that cracked the poker site was able to synchronize their clocks with the poker site’s clock and was able to reduce the number of possible shuffles at any one time to a set of 200,000 possibilities.

Through these dissections of the algorithm and RNG flaws, we’ve seen the number of deck orderings slip from 52! (the huge number above) to 4 billion, to 87 million, and now to 200,000.

Still, that’s a lot of possible deck orderings, and without number-crunching power and more data, that’s not enough to take dramatic advantage of the site. But by combining knowledge of how Hold 'Em poker is played with the power of computers, the cracking team made this a fairly easy task.

The team plugged in the position of the dealer button and the first five known cards in a Hold 'Em game. These cards were their two hole cards and the three community cards on the flop. Based on that data, their computer was able to search the potential 200,000 deck orderings for the one that was being used during that hand.

Net result: After the flop, the cracking team knew the hole cards of every single player and knew the turn and river in advance.
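The search described above, as an added sketch that is not ASF's code or the Reliable Software Technologies tool: it shows why a clock-seeded shuffle that always starts from the same deck can be pinned down from five visible cards, next to a CSPRNG-based shuffle that has no seed to guess. The LCG, the dealing order with one burn card, the sample seed, and all function names are assumptions made for illustration.

```python
import secrets

DAY_MS = 86_400_000
# Fixed starting order, reused for every hand (the flaw described above).
DECK = [r + s for s in "cdhs" for r in "23456789TJQKA"]

def lcg(seed):
    """Toy 32-bit LCG: an assumed stand-in, not the site's real generator."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (state * 1664525 + 1013904223) & 0xFFFFFFFF
        yield state >> 16  # use the better-mixed high bits

def weak_shuffle(seed_ms, upto=52):
    """Forward Fisher-Yates over the fixed deck, seeded with ms since midnight.
    Position i is final after step i, so a prefix can be computed cheaply."""
    deck, rng = DECK[:], lcg(seed_ms)
    for i in range(min(upto, 51)):
        j = i + next(rng) % (52 - i)
        deck[i], deck[j] = deck[j], deck[i]
    return deck[:upto]

def known_positions(players, seat):
    """Deck indexes of our hole cards and the flop. Assumes round-robin
    dealing (seat 0 is dealt first) and one burn card before the flop."""
    return [seat, players + seat] + [2 * players + k for k in (1, 2, 3)]

def candidate_seeds(observed, positions, clock_ms, window=100_000):
    """Seeds within +/- window ms of the estimated server clock whose
    shuffle puts the five observed cards at the expected positions."""
    upto = max(positions) + 1
    hits = []
    for t in range(clock_ms - window, clock_ms + window):
        seed = t % DAY_MS
        deck = weak_shuffle(seed, upto)
        if all(deck[p] == c for p, c in zip(positions, observed)):
            hits.append(seed)
    return hits

def strong_shuffle():
    """Hardened form: OS CSPRNG, no guessable seed, no 32-bit state limit."""
    deck = DECK[:]
    secrets.SystemRandom().shuffle(deck)
    return deck

if __name__ == "__main__":
    true_seed, pos = 43_200_123, known_positions(players=6, seat=2)  # constructed
    seen = [weak_shuffle(true_seed)[p] for p in pos]
    hits = candidate_seeds(seen, pos, clock_ms=true_seed + 37_000)
    print(len(hits), "candidate(s); recovered deck:", weak_shuffle(hits[0]))
```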

How much money did these crackers make? Well, the good news is that the cracking team was part of a group effort to find security holes and alert companies so that they could fix them. They alerted ASF Software, makers of the software used by Planet Poker, and ASF corrected the flaw quickly.

Yes, this really happened in 1999. The cracking team was from Reliable Software Technologies. They are Brad Arkin, Frank Hill, Scott Marks, Matt Schmid, Thomas John Walls, and Gary McGraw. You can read a more technical overview of their effort here:
http://itmanagement.earthweb.com/entdev/article.php/616221

Our next article will discuss how the major poker sites’ current approach to shuffling differs from the flawed approach of a few years ago at Planet Poker. The differences are significant and should give players confidence in the randomness of the cards.

You can find prior entries on this topic here:

Basics of Online Shuffling

Live Cardroom Deck Shuffles

Online Shuffling - Setting Expectations

