Most of the online card room web sites I have looked at sale us snake oil when it comes to the process they use to shuffle a deck.
Far to many card rooms do not have secure shuffles or they do not tell us anything about their shuffle.
Anyone playing online poker should read this http://www.interhack.net/people/cmcurtin/snake-oil-faq.html.
Keep in mind that the process to shuffle a deck is the same process used to encrypt a key. With a shuffle, a seed number, called a key in encryption, is used as a parameter for a function that will produce a series of random numbers. The process to hack a card room in order to know everyone’s card is the same as a hacker would use to decrypt other data on the internet. It is a very easy thing to write an insecure application especially when known insecure methods are used and as in the case of online poker there is a need to add a certain amount of entropy to the seed possibilities. I look at the fairness pages for most poker rooms and they are either saying nothing, not enough or touting methods that are known to be insecure, such as time of day, mouse movements, and network traffic.
In order for a card room to have a secure shuffle the source of the data needs to be perfectly casual. It is arguable rather some things such as user mouse positions and network traffic can be considered casual or casual enough. However there are methods such as using radiation decay or random background noise that are perfectly casual. Why are they using other methods that may or may not be casual? A good secure seed cannot be hacked if the source of the data used to produce the key cannot be reproduced, guessed at reasonably or sniffed. Everything can be known about the production of the key, the PRNG used, the type of data source used, the size of the key, the entropy of the seed etc, and the seed cannot be hacked if the data used to produce the seed is casual.
When a card room is vague about the way they shuffle a deck, or they tell us that it is certified, or assure us that it is perfectly safe because they shuffle the deck a thousand times, they are in the snake oil business. All they need to tell us is how large the seed is and where they got it from. If they can’t do that for my money it means that are not getting it from a secure source, and that sooner or later some bright hack is going to take the players at that room off for a lot of money before they figure it out.

So not only am I beating the honest players online, but I'm also overcoming a rigged deal and crooked players too?!? Damn, I'm better than I thought... /forums/images/icons/ooo.gif

none of the tabs on the link you posted work.

your site looks evil. can anyone please tell me if this is something that i should worry about? i went to this site, kept hitting the tabs on the left, and the pages just reloaded. nothing worked.

i hate to be paranoid, but i have heard that people can plant things etc by steering you to a website. how do i make sure i did not get trojaned or whatever?

if i run my spy busting software, would it detect problems?

sorry elyjon, but your credentials scare me, and you are brand spankin' new.

i am sure i have made a total techno-based fool of myself with this post, but i did not know until last week that you could click on links to websites that can hurt your machine or security.


lil' help zoovy's??

I did not say or even imply any deal was crooked. I am just saying that the security of the decks is not good enough and that many of the rooms I have seen according to what I understand have some chance of being the victim of a succesful hack. Glad your beating them online, you must read tells better then you read my post.

Your right that is scary, because that is not the page that link points to. (It is not my site BTW). Maybe this link will work (http://www.interhack.net/people/cmcurtin/snake-oil-faq.html)

From Paradisepoker's web site:

"That's a great way to shuffle, but the shuffling algorithm is only part of a good solution. The random number generator used during the shuffling process is even more important. It needs to be based on unpredictable events and it needs to have a large enough seed and a large enough entropy pool to make it impossible for any player to have an advantage over the other players. Our random number generator is based on several independant non-predictable entropy sources that continue to modify the generator sequence in real time. Our random number generator is not reseeded for every hand using the time of day; any crypotologist would tell you that method is simply far too predictable to offer any security."

So what is the problem exactly? Years ago, some online casinos did used a predictable RNG, but it was cracked. To the best of my knowledge, no repudable site uses something like this anymore.

From Ultimatebet's web site:

"Our approach is to forgo pseudo-random number generation wherever possible and instead use true random number generation from proven random physical devices. Our system utilizes thermal noise on a zener diode - shielded to prevent any environmental interference. The characteristics of this device are governed by the laws of quantum physics and are provably non-deterministic. Through the use of true random numbers and our shuffling algorithm (see below), we ensure first that it is impossible to predict the next card coming off the deck, and second that every possible shuffle combination is equally likely, all 8.06581751709439 X 1067 of them or 80,658,175,170,943,900,000, 000,000,000,000,000,000,000, 000,000,000,000,000, 000,000,000,000. "

From Pokerstars web site:

"
SHUFFLE

"Anyone who considers arithmetic methods of producing random digits is, of course, in a state of sin." - John von Neumann, 1951

We understand that a use of a fair and unpredictable shuffle algorithm is critical to our software. To ensure this and avoid major problems described in [2], we are using two independent sources of truly random data:
user input, including summary of mouse movements and events timing, collected from client software
true hardware random number generator developed by Intel [3], which uses thermal noise as an entropy source
Each of these sources itself generates enough entropy to ensure a fair and unpredictable shuffle. "

And last, but not least...from Partypoker's web site:

"PartyPoker.com uses a secure RNG (SHA-1 cryptographic hash algorithm) implemented by SUN which is cryptographically certified. SUN's SeedGenerator class generates the initial seed. The seed is produced by counting the number of times the VM manages to loop in a given period.The samples are translated using a permutation (s-box) and then XORed together. This process is non linear and prevents the samples from "averaging out". The s-box is designed to have even statistical distribution. A number of sleeper threads are also created which add entropy to the system by keeping the scheduler busy.These are gathered in the background by a daemon thread thus allowing the system to continue performing it's different activities, which in turn add entropy to the random seed.The class also gathers miscellaneous system information, some machine dependent, some not. The updated seed is then used for dealing cards during each card dealing round. Cards in all subsequent hands will be dealt using a seed which is completely random and which is completely unrelated to the seed used to deal the previous hands of cards, thus ensuring total randomness and hence, complete fairness."

Yes, somebody might crack a shuffle again someday, but please don't get Granny in an uproar. /forums/images/icons/wink.gif It ain’t at all likely to happen.


Cut & Paste from Poker Stars (http://www.pokerstars.com/security.html) regarding their shuffle. There’s lots more for the interested reader.

* user input, including summary of mouse movements and events timing, collected from client software
* true hardware random number generator developed by Intel [3], which uses thermal noise as an entropy source
* We use 249 random bits from both entropy sources (user input and thermal noise) to achieve an even and unpredictable statistical distribution.
* we do not start the next hand until we obtain the required amount of entropy from Intel RNG.


From http://www.distributed.net/ , a site using thousands of PCs to crack a 64 bit key.

* On 14-Jul-2002, after 1757 days of searching the winning key to RSA Labs' RC5-64 project was successfully recovered by distributed.net


Oh, and Granny, if you’re concerned about having picked up something unexpected during one your “excursions” I recommend this: Housecall (http://housecall.trendmicro.com/). It only works with the Microsoft version of Java so you must use Internet Explorer.

This site uses the time of day, incredibly insecure. While not all the data used to generate the seed, if enough is the seed can become incredibly easy to crack.

EmpirePoker uses a Secured-Random RNG, which is cryptographically certified. The RNG "seed" is the initial point from which a sequence of randomly generated numbers start. It is impossible to predict the sequences resulting from the seed. To ensure that a number sequence will not repeat itself, the seed is calculated using as many factors as possible, such as network activity, time of the day and several other parameters.

The ones you mentioned are good but there are many that are not. I am not here to raise parnoia- just that many card rooms simply want to feed us marketing BS, especially some of the new places. I think people should insist on info like PP,UB and take a little time to understand what to look for.

BTW miscellaneous system information can be guessable and depending on how much they use may compromise the security of the seed. The CPU clock is considered Misc system info.

PP has a good shuffle, but what exactly are the sources of entropy? I have read thier page and they use mouse movement among other things, to add entropy. Mouse movement has some problems. They also have a huge key something like 2022 bits, that would make it tough. It is good enough, but they should look to more casual sources.

Good routine, but thee is no such thing as a proven random physical device. The physical devices are designed to produce casual data. They contain entropy but the randomness of those devices is unrecdictable and therefore may contain unpredictable bias. In other words you just do not know what is coming out and how it might come out, this seems like random but it is not, it is casual data, and that may or may not be data that is statistically correct, it is not statistically predictable. It is difficult to produce seeds that are both secure and statistically correct.