(Be sure to read part 2 of Bodog’s security failures!)
As many of you are aware, Bodog has completely anonymized their poker tables. They say they’re doing this to protect the “recreational gambler,” the one that is preyed upon by the winning players. (We have a blog post about this “theory” coming in a month or so.)
Bodog’s press release on November 30th states:
This feature stops poker pros accessing any data on how you play your game via the use of HUDs and other data mining sites like PokerTableRatings and SharkScope. This is totally unique to the Bodog Poker Network and will send shockwaves through the online poker playing community.
Anonymous tables make this type of player data impossible to collect.
Impossible to collect, you say?
Additionally, Bodog rep JustinR (aka Jurollo) had this to say on TwoPlusTwo:
This is the issue with only doing some anonymous tables, in that way your program runs a certain way and some packets of information may be diverted for anon tables. Bodog NEVER sends this information to the tables, there is NOTHING to intercept. That information stays on their server side for reporting and security.
He was referring to our PartyPoker exploit, which we wrote up just a week ago, and insinuating that Bodog was immune to this kind of attack. Unfortunately for Justin, his information is both misleading and factually incorrect.
We broke it.
Bodog’s software was broken in under 3 hours, just like PartyPoker’s anonymous tables, and by the same method. So if you’re interested in the nitty-gritty details, you can check them out on our blog post about PartyPoker: How Anonymous Are The PartyPoker Anonymous Tables?
The Cliff’s Notes version of the attack boils down to this: Bodog trusts the client. This is a major violation of basic IT security rules – you can NEVER trust the client with proprietary or sensitive information. It’s a simple concept that novice coders learn early on when writing database calls behind a web form. You would never use data from a web form without properly sanitizing it first – for example, if you had a contact form on a website that POSTed data to your server using PHP, you’d use something like mysql_real_escape_string() to escape the POSTed inputs before putting them in a query. If you didn’t, you’d open yourself up to very simple SQL injection attacks.
Sony made the same mistake when their PlayStation Network was hacked – they trusted the client. As famed iPhone and Sony hacker George Hotz (geohot) said:
This arrogance undermines a basic security principle, never trust the client. It’s the same reason MW2 was covered in cheaters, Activision even admitted to the mistake of trusting Sony’s client. Sony needs to accept that they no longer own and control the PS3 when they sell it to you. Notice it’s only PSN that gave away all your personal data, not Xbox Live when the 360 was hacked, not iTunes when the iPhone was jailbroken, and not GMail when Android was rooted. Because other companies aren’t crazy.
Bodog sends the data to the client in the hopes that no one will fire up a debugger and take a look at software they’re installing on their own computer. As covered above, this is a violation of client-server trust, but it’s also a basic example of what’s called Security Through Obscurity.
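To make the “trusts the client” point concrete, here is an added example (not Bodog’s or PartyPoker’s code, and all account names, table ids and the secret key are constructed) contrasting a table snapshot that ships the real account name and lets the client hide it with one where the server replaces it by a per-table pseudonym before anything leaves the server:

```python
# Added example: two ways a poker server could publish a table's seat list.
# Everything here (accounts, table ids, key) is constructed for illustration.
import hashlib
import hmac
import json

# Constructed sample: the server's authoritative seat list for one hand.
SEATS = [
    {"seat": 1, "account": "sharkking88", "stack": 1250},
    {"seat": 2, "account": "recfish_joe", "stack": 400},
]


def leaky_snapshot(seats):
    """The 'trust the client' pattern: the real account is still in the
    payload and only the UI label is anonymized. A debugger or packet
    capture on the player's own machine sees the account immediately."""
    return json.dumps([dict(s, display=f"Seat {s['seat']}") for s in seats])


def server_anonymized_snapshot(seats, table_id, server_key):
    """Server-side anonymization: the account never leaves the server.
    The pseudonym is an HMAC over (table_id, account) under a secret the
    client never holds, so it is stable within one table (the client can
    still track who did what this hand) but unlinkable across tables."""
    out = []
    for s in seats:
        msg = f"{table_id}:{s['account']}".encode()
        tag = hmac.new(server_key, msg, hashlib.sha256).hexdigest()[:8]
        out.append({"seat": s["seat"], "display": f"Player-{tag}",
                    "stack": s["stack"]})
    return json.dumps(out)


def leaks_accounts(payload, seats):
    """The check a reviewer would run on any client-bound message:
    does it contain a real account name anywhere?"""
    return any(s["account"] in payload for s in seats)


if __name__ == "__main__":
    key = b"constructed-server-secret"
    print("leaky  ->", leaks_accounts(leaky_snapshot(SEATS), SEATS))
    safe = server_anonymized_snapshot(SEATS, "table-42", key)
    print("server ->", leaks_accounts(safe, SEATS))
```

The leak check is the useful part: if a client-bound message fails it, no amount of client-side masking fixes the design.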
This problem is not unique to the Internet gambling industry; it’s very common in software development no matter what industry. Relying on “hiding” something from the user in the hopes that they won’t find it is not a valid security method; it’s actually much worse than simply not having security at all!
Bodog’s anonymous tables are similar to having WEP encryption on your wireless router – it’s far worse than simply having an open network! If you have an open network, you are admitting to yourself (and everyone else) that you don’t care about security and that anyone can connect. No problem – at least everything is upfront. However, if you have a WEP “secured” network, you’re fooling yourself into thinking you’re secure when in reality it would take 20 minutes using Backtrack 5 to crack your network and steal bandwidth (or worse).
WEP is easily crackable using freely available tools from the web (with graphical user interfaces and everything) – the false sense of security it gives you is far worse than having no security. When it’s just yourself, that’s bad enough, but if you were to run a major corporate network using WEP “encryption,” you’d be placing professional and personal details at risk while telling everyone that it was safe.
This is exactly what Bodog is doing – they’re taking a shortcut with their obfuscation code and telling everyone that it’s alright, that player tracking tools won’t work and that they’re protecting the “recreational gambler.” But they aren’t. It’s far worse now than it was before – at least before, people knew what they were getting into. Now they’re lulled into a false sense of security.
Well, they were before we wrote this post, anyway.
Here’s the video explaining how we did it and what it means.
Share this with all your friends who play on Bodog, and if you haven’t yet, check out the PartyPoker Anonymous Tables post on our site and share that too. Information like this is meant to be spread and shared to all those who might be affected, because you better believe that Bodog is going to try and cover this up.