Hacker News new | ask | show | jobs
by alexey-salmin 280 days ago
You still don't get it.

No need to synchronize the clock. The date alone is enough to guess hands of everyone at the table and turn and river, right after you see the flop.

That's as big of a hole as it can possibly get. That's enough to establish incompetence and/or gross negligence of the authors. Whether the hole was exploited is immaterial to the question.
1 comments
caminante 279 days ago
"the date alone"

?

You're apparently hallucinating articles outside HN.

FTA:

>Simply syncing up their own program to the system clock reduced the possibilities to a mere 200,000 potential decks that the algorithm could generate.

link
alexey-salmin 279 days ago
> For another, the system ties its number generation to the number of seconds that have passed since midnight, resetting once each day, which further limits the possible random values. Only about 86 million arrangements could be generated this way, the Reliable Software Technologies team discovered.

86 million is much less than 300 million possible combinations you can see after flop. This means after the flop you know which exact shuffle was used (with a few statistically unlikely collisions where you may have 2 or 3 options).

link
caminante 279 days ago
Dude, this is so weird, and you continue to act in bad faith.

You need to specify UNIX 'date' as your intent as that phrasing wasn't used in the article.

It's also splitting hairs to say going from 300 million to 80 million is "much less" when that's not even the point of contention. Further to why you're splitting hairs, here's an actual research article [0] where the researchers point out that you needed the synched clock (not just the sysdate) to exploit it with hardware readily available at the time of the exploit, using Pentium 400s.

> That's enough to establish incompetence and/or gross negligence of the authors.

Going back to this claim, I really don't think you know what this term of art means. Ask a legal colleague/friend what they think is the criteria for "gross."

[0] https://web.archive.org/web/20140104095330/http:/www.cigital...

link
alexey-salmin 279 days ago
> You need to specify UNIX 'date' as your intent as that phrasing wasn't used in the article.

No, I didn't mean unix date, I mean literally date.

I can see two interpretations of the phrasing in the article. Either you have 86M shuffles per day (in this case knowing the date would benefit you) or you have 86M shuffles period (in this case even the date isn't necessary, you already have the totality of information). In both cases we can consider the problem of solving the game with 86M shuffles.

Syncing clocks is needed to enumerate all possible shuffles in real time on a 1999 PC, which is what the paper demonstrates. Doing this in realtime for 86M combinations wouldn't have been possible back then. However building a 1 Gb index file and making a HDD lookup in realtime was absolutely possible on very modest 1999 hardware, you can write such a program in a couple of hours.

Knowing the shuffle with three more rounds of betting to go represents a completely broken poker game, not just some minor biases in outcomes.

I have absolutely no idea what hairsplitting you are talking about, let alone bad faith discussions. 86M combinations is such a little number that you can analyse all of them and solve the game even on 1999 hardware. It's a fact, not a matter of opinion or idealistic standards. If you can just kindly acknowledge this fact, no further discussion will be necessary.

link
caminante 278 days ago
> No, I didn't mean unix date, I mean literally date.

Then, your entire comment is predicated on a mis-quote you emphasized. The article said "seconds," not day of the month. You need to work on clarity, if that was your intent.

> I have absolutely no idea what hairsplitting you are talking about

Either you're lying to me or yourself.

See discussion about "negligence" that you conveniently ignore. Meanwhile, you're tilting at windmills as you keep insinuating someone is arguing against you on the point of algorithmic flaws.

link
alexey-salmin 278 days ago
I'm sorry, but you simply don't understand how the exploit works. You don't need to guess the seed of the RNG, you don't need to synchronize anything, none of that matters.

There is such a low number of possible seeds that you can try them all, enumerate all possible shuffles, then check which one of them you've got. Then you know everyone's cards. This is why the game is fatally broken. That's it.

Call it negligence or not, I don't care much. But I'm amused by the fact that you fail to understand a basic combinatorics problem.

link