Today I am going to retell a story from 1999, a story in which developers of a popular online poker platform implemented card-shuffling software with a handle of subtle but critical bugs.
Image credit: David Wells on Flickr
Welcome to the Brightlights of Poker Mania. Here you can enjoy a full suite of poker options, not only do you get to play the famous Texas Holdem, but you can enjoy five and seven card stud. Learn to play a variety of poker games, and have fun doing it. Play poker against some fun poker players, each with their own specialty skills. Real Online Poker Scams You Should Worry About. Now that you know what is RNG in gaming and how it is applied in poker, you should have a better idea is online poker rigged or not. As you could see, rigging online poker games would be virtually impossible, and at the end of the day, very risky for the sites. Playing Card Shuffler. This form allows you to draw playing cards from randomly shuffled decks. The randomness comes from atmospheric noise, which for many purposes is better than the pseudo-random number algorithms typically used in computer programs. A lifelong poker player who moved online in 2004, Josh founded Beat The Fish in 2005 to help online poker players make more-informed decisions on where to play and how to win once they got there. He hopes to counter the rampant dishonesty in online gaming media with objective reviews and relevant features.
Although this story is 15 years old, the lessons it holds for algorithm developers are still relevant.
It's far to easy to introduce subtle bugs into random number generators and algorithms, and those bugs can have disastrous results.
Pseudo Poker Online Multiplayer
In online poker—as in real poker—the game starts with the shuffle. It's important to ensure that the shuffle is randomly distributed.
There are 52 distinct cards in a fair deck; there are 52! distinct possible shuffles. Or 8.0658x1067. Which is a big number.
In 1999, ASF Software, Inc. provided the software behind many of the popular online poker platforms of the era. They published their shuffling algorithm.
Here it is. Take a look and see if you can spot a flaw.
![Pseudo poker online poker Pseudo poker online poker](/uploads/1/3/8/5/138584523/436265354.png)
procedure TDeck.Shuffle;varctr: Byte;tmp: Byte;random_number: Byte;begin{ Fill the deck with unique cards }for ctr := 1 to 52 doCard[ctr] := ctr;{ Generate a new seed based on the system clock }randomize;{ Randomly rearrange each card }for ctr := 1 to 52 do beginrandom_number := random(51)+1;tmp := card[random_number];card[random_number] := card[ctr];card[ctr] := tmp;end;CurrentCard := 1;JustShuffled := True;end;
Flaw #1: An Off-by-One Error
The algorithm above tries to iterate over each card in the deck, swapping each card with another randomly chosen card in the deck. However—every programmer has made this mistake before—there's an off-by-one error. The function random(n) returns a number between 0 and (n-1), not between 1 and n as the programmer intends. As a result, the algorithm will never swap the 52nd card with itself; the 52nd card can never end up in the 52nd place. So that is the first reason the 'random' card shuffling isn't really random.
Flaw #2: The Shuffle Isn't Uniform
The flawed algorithm above swaps the ith card with a random card selected from the entire deck—all 52 cards. A proper shuffling algorithm will swap the ith card only with a card in the interval (i, n). That is, it considers each element for a random swap only once. There are n! unique shuffles, and the proper shuffling algorithm generates each shuffled deck only once. The original bad implementation makes certain decks significantly more likely than others.
Flaw #3: Using a 32-bit Seed
If your business or technology depends on using random numbers, your best bet is to use a hardware random number generator. ASF didn't do that. They used a deterministic machine with a software pseudo-random number generator. Worse, they used a 32-bit seed. Because the output of the pseudo-random number generator is 100% determined by the seed, there are only N^32 possible seed values—meaning only N^32 possible shuffles. That's only about 4 billion possible shuffles, out of a total of 8.0658x1067 theoretical possible shuffles.
Pseudo Poker Online Poker
Flaw #4: Using the System Clock as a Seed
The flawed algorithm used the Pascal function Randomize(), which chooses the seed based on the number of milliseconds since midnight. But there are only 86,400,000 milliseconds in the day—which means that there are only 86,400,000 possible shuffles that the flawed algorithm could produce.
But it gets worse. Because the random number generator seed is based on the server time clock, hackers synchronized their program with the server clock and were able to reduce the number of possible shuffles to only 200,000. At that point, once the hacker knew 5 cards in the shuffle, he could quickly search through the 200,000 possible shuffles in realtime and find the exact one in his game. So once the hacker knew the 2 cards in his hand and the 3 cards in the flop, his program could tell him which cards would come on the turn and the river, as well as which cards every other player held.
Some final words of wisdom from Robert Sedgewick, author of Algorithms:
Pseudo Poker Online Games
'That's a pretty tough thing to have happen if you're implementing online poker. You might want to make sure that if you're advertising that you're doing a random shuffle that you go ahead and do so.'—Robert Sedgewick, Professor of Computer Science, Princeton