Avi Rubin Comments on Internet Security and Online Poker
When I sat down earlier today with Avi Rubin here on the main floor at the 2014 World Series of Poker, he told me something shocking.
Internet banking as we know and practice it is dead — or very soon will be — given the way technology works and the advancements, hackers continue to make in stealing all of our secrets. But personal banking and finance are only the tip of a larger and dirtier iceberg that’s floating out there. We might as well be passengers on the Titanic’s maiden voyage.
Fact is, everything we do online is vulnerable to attack and exposure, which should really be alarming right now given the current political climate, especially to those who are engaged in the fight to legalize online poker.
Avi Rubin’s credentials in this arena are impeccable. Poker is extraordinarily lucky to have him as a potential resource working on our side. We should use him to develop ways to counter the bad guys. He’s even willing to help us out simply for his deep love of the game, combined with a fundamental belief that online poker sites must be pressed to go the distance to protect players at all times, in all games.
Rubin’s conclusions and bold ideas merit our attention. Even though we may not always like what we read, and some of the conclusions he’s reached will be troubling, we are much better off working with him in the long run. We must ally ourselves with Rubin and those who have his expertise (who are few), rather than denying that security breeches remain a serious issue. Here we have one of the world’s foremost experts in this area. So, let’s take advantage of him and his generosity.
Accordingly, I encourage those in the poker industry to call upon Rubin to work with us. At the very least, his most recent articles deserve serious attention.
Pay particular note to PAGE 3 of the paper, “Securing Online Poker.”
Abstract:
As an avid poker player, I enjoyed playing low-stakes cash games and low buy-in tournaments on Full Tilt Poker before Black Friday. However, as a Computer Scientist specializing in network and software security, I would never play poker online for any significant stakes, due to security concerns around malware and malicious remote access tools. In this article, I describe a new scheme that is easy to adopt, requires no new hardware or user training, and which I believe eliminates the primary threat of malware in online poker. Under my scheme, implemented properly, I would be comfortable playing poker online for whatever stakes my bankroll would allow.
JOHNS HOPKINS UNIVERSITY ENGINEERING (“HOLD’EM OR FOLD’EM“)
PAPER: SECURING ONLINE POKER
A PREVIOUS ARTICLE I WROTE ON RUBIN: “AVI RUBIN’S FANTASY“
Avi’s claims of past attacks are misleading: the two
“documented cases of attackers using RATs to cheat at poker” both failed.
1) Avi’s claims about Douglas Polk having “lost $35,000” are misleading since Polk publicly confirmed that he had the money returned to him and that he lost nothing. IF you follow the link in the footnote, this is explained in detail (but left out of the main text).
2) The other so-called “documented” case of attackers “remotely observing players’ hole cards in high-stakes games” also did not happen as described in footnote 3 did not involve any observance of hole cards – merely someone trying to do this. While this is not explained in the footnoted link, details of this case are publicly available on twoplustwo.com and elsewhere.
Online poker security is a significant challenge, but authors would be well advised to not claim that failed attacks are examples of successful attacks on players.
I realise that point #2 might be unclear, so trying to re-word it:
2) The other so-called “documented” case of attackers “remotely observing players’ hole cards in high-stakes games” did not involve any hole cards being observed by attackers remotely. That was a case of someone merely attempting (and failing) to do this. While this is not explained in the footnoted link, details of this case are publicly available on twoplustwo.com and elsewhere.
Michael, I appreciate your comments. Just to be clear, I was not using the fact that there are documented cases of RAT tools being used to cheat at poker as an argument that online poker is insecure, but rather as a symptom.
In my opinion, based on 22 years as a professional in the computer security industry, the vulnerability of high stakes online poker to RAT tools is very real. I have seen evidence in the lab of malware such as the Zeus malware platform, and others, specifically targeting users of online poker and sending screen shots to Eastern Europe and former Soviet block countries.
While it may be the case that the examples I cites are lacking in some way, I don’t think that detracts from the bigger issue which is that there is a real threat that needs to be addressed. Furthermore, I don’t think the fact that one player was able to figure out that he was a victim and managed to get his money back is an indication that things are safe, but rather, I think it demonstrates that the attack is real. If the best defense is that you have to go back to Poker Stars and request a 35k refund, then I think the situation is quite dire.
Avi
Yes, there is a risk of RATs. They are just one of many integrity challenges for anyone running a poker site.
“If the best defense is that you have to go back to Poker Stars and request a 35k refund, then I think the situation is quite dire.”
I think precisely the opposite! The fact that PokerStars was able to detect this activity and return the money to the victim is strong evidence that the current security systems worked perfectly in that case.
In any other crime, the fact that the “police” identified the offender and returned the “stolen goods” would be celebrated as a system working as it should! (Used quotes since it’s just a metaphor)
Michael,
We can agree to disagree about whether the current system is working. However, I hope that you would a agree that an enhancement to the current system, where malware is avoided, and nobody’s cards are observed by attackers, and nobody has to come to their poker game provider for a refund, is an improvement over the state of the art. That is what I am proposing in my paper.
I am a huge fan of poker, and I would like to see online poker continue and thrive. I think that anything that can be done to make it more secure should be welcomed as a positive development.
Avi
Yeah, I think your system would further reduce the risks.
However:
a) It comes at a significant cost to the player experience. It doesn’t seem very customer friendly to me. You could offset that by making it opt-in.
b) I don’t think the risks are particularly high currently. While, ideally, it would obviously be preferable to not have RATs in the first place (and the two examples in your paper are example of RATs) there are other options to mitigate the risk too. These options, such as the customer preventing malware installation in the first place, or the poker site security working effectively, can reduce the risk as part of a comprehensive security strategy.
Of course, it is always my intention that this is an opt-in choice. It would be added as a configuration options where you check a box if you want to use an external device to view your hole cards, or leave it unchecked if you are willing to take your chances.
I’m scared away from online poker because of collusion. What can be done about that? IP addresses can be easily spoofed, etc.
Bob – Generally speaking there are extensive collision detection algorithms in place, occasionally collusion remains undetected for a period but with time colluders typically are discovered – at which point the network in conjunction with any good regulatory regime such as Nevada, New Jersey, and Isle of Man where PokerStars is located will help facilitate refunds to all players who were affected by collusion. This means your risk of collusion is very low, if it does occur once it is detected you are safe knowing that you will eventually be refunded once due process has been served. Also in the new state centric model of NJ and NV it is much easier to prosecute if cheating or fraud is detected, this will continue to serve as a deterrent. The cheating methods discussed by Avi can theoretically occur but they are very rare, even Avi would agree with this, and luckily for you these methods are more likely to be used against high stakes players rather than a typical player – which means it will be once again easier to detect over time.
You can rest assured knowing that you are fairly safe, the issues discussed by Avi and Michael above are very rare and there is a reasonable recourse in the event of a rare issue really did occur.
Your fear is an example why it is my opinion that this should have been a B to B topic, rather than a B to C topic. Avi’s concept should be pitched to regulators and poker site operators as a technology innovation rather than as a solution that is brought to consumers first. As Avi explained in the comments this is an opt-in protection solution, he is reasonable enough to know that all users will not want to use his technique, he is aware that this is a slightly consumer unfriendly option. Avi’s solution should be similar to the RSA key generators which are currently offered at the bigger sites such as PokerStars- nobody has to use them, but cautious players can choose to. Its a personal choice.
PS: I personally think a bigger risk is the storage of poker site passwords without obfuscation in the poker client’s preferences. WSOP.com in Nevada does this, its a huge securty risk.