Imagine you proudly present to the public your obviously flawed version of the algorithm even though the correct version has been known for decades. If only you'd read a single book on the topic.
If that's not overconfidence then it's hard to find what is.
You haven't established their intent for gross negligence and give no charity to the fact this was 30 years ago (pre-Wikipedia and the search breadth we have today). Since then, people have continued to expose severe RNG design flaws in other systems designed by very smart people. It happens...
30 years ago it wasn't the dark ages. Wikipedia didn't exist but books on probability theory and statistics did.
When you do a shuffling algorithm in a sensitive context (money or security), you have to prove that it returns all the possible permutations with equal probability plus put lower bounds on the amount of entropy you need from the underlying RNG. If you're unable to prove it, you shouldn't move forward with the algorithm. Any irregularities in the output distribution can be exploited. This is textbook knowledge pioneered in early encryption works and perfected by the time WWII ended. Evidently the effort to prove correctness was never made.
Now the original article can indeed misrepresent or omit important facts. I'm definitely open to reconsider my conclusion if more facts become available. However "there was no Wikipedia" isn't one of them, it doesn't count as an excuse not to do your job properly.
If it turned out, for example, that "ASF Software" wasn't even aware that their shuffling algorithm was used to shuffle cards and just shipped it along with 200 other basic algorithms as some sort of "better standard library", this would change the situation. However, from some quick googling it seems that their product wasn't a standard library, it was specifically software for Texas Hold'em. This is a "you had one job" kind of situation.
> Since then, people have continued to expose severe RNG design flaws in other systems designed by very smart people. It happens...
Absolutely, but we're not talking frontiers of Computer Science here.
* If you seed your RNG with at most 86 million unique values, you get at most 86 million unique random sequences out of it.
* If your code should have M possible equiprobable outcomes, it has N equiprobable outcomes, and N doesn't divide M, you're in trouble.
I didn't say or imply books didn't exist. You can't credibly say it was as readily available, and I promise you that people are still making these mistakes, today.
> When you do a shuffling algorithm in a sensitive context (money or security), you have to prove that it returns all the possible... If you're unable to prove it, you shouldn't move forward with the algorithm.
Ideally, of course! This is a really high standard that I'm afraid isn't enforced in a lot of commercial or even sensitive applications. 86 million permutations is probably good enough and even if someone was clever enough to synch clocks and narrow to 200k permutations, then I'm not convinced there was actually any harm.
Do you have any proof of harm?
And there are plenty of smart people in the 90s and beyond not realizing that relying on a system clock to seed values is attackable. These guys, to their credit, patched their system by openly providing their algorithms.
Even if their clients had been harmed, they'd published the algorithm so that their "sophisticated" clients could audit the algorithm.
> I'm definitely open to reconsider my conclusion if more facts become available.
This is circular as you're taking the article's narrative at face value without getting any primary sources confirming gross negligence or "arrogance" as you imply.
> Ideally, of course! This is a really high standard that I'm afraid isn't enforced in a lot of commercial or even sensitive applications. 86 million permutations is probably good enough and even if someone was clever enough to synch clocks and narrow to 200k permutations, then I'm not convinced there was actually any harm.
Of course not, this is ridiculous. If your job is to shuffle the deck, shuffle it well. It's like doing an 80/20 coinflip and arguing that 50/50 is a "really high standard". And that for a company that sells bet-money-on-coinflips software.
If you don't know how to do it well -- read a book or use std::random_shuffle. Somehow Stepanov was able to do it right (assuming a good RandomNumberGenerator input) from the first try in 1993, without Wikipedia, poor guy. And this wasn't even his main job, random_shuffle was one of dozens of algorithms he envisioned and implemented for the STL.
> This is circular as you're taking the article's narrative at face value without getting any primary sources confirming gross negligence or "arrogance" as you imply.
I did some quick research and it seems that ASF Software had indeed developed the Planet Poker online platform. Which comes down to failing at your main job, I don't really see what other evidence you expect here?
I strongly believe that people in general and software engineers in particular should be held to high standards. Finding excuses for how school-level math is too hard for them is condescending. It is disrespectful to the very people you're talking about.
If you say they couldn't even understand that N^N is not divisible by N! you basically say that they're mentally challenged. I on the contrary say that they most certainly would've been able to understand it if they made an effort -- which they didn't. So negligence.
> if someone was clever enough to synch clocks and narrow to 200k permutations, then I'm not convinced there was actually any harm.
I don't think you understand the situation at all. In Hold'em in the end you see 7 cards: 2 in your hand and 5 on the table. That's 52x51x...x46 = 674B different sequences of open cards.
This means that by the time you see these cards you can know exactly which of the 200k permutations the engine had chosen for this hand. There's only one that precisely matches one of the 674 billion possible open card combinations that you observe.
In fact, by the time you see the flop (2+3 open cards, 311M variants), you know everyone else's cards.
Nobody's arguing that having a synched clock would NOT make them an advantage player.
You left out the part where I asked for proof anyone had exploited it (harm) and to what significance (how much harm). This actually matters in commercial and practical terms. Otherwise, you're really pressed to claim any real damages.
Meanwhile, and for hopefully the last time, it appears you're holding them to this idealist standard -- similar to an Italian reacting to someone snapping spaghetti noodles in half before throwing them into boiling water.
No need to synchronize the clock. The date alone is enough to guess hands of everyone at the table and turn and river, right after you see the flop.
That's as big of a hole as it can possibly get. That's enough to establish incompetence and/or gross negligence of the authors. Whether the hole was exploited is immaterial to the question.
> Simply syncing up their own program to the system clock reduced the possibilities to a mere 200,000 potential decks that the algorithm could generate.
> For another, the system ties its number generation to the number of seconds that have passed since midnight, resetting once each day, which further limits the possible random values. Only about 86 million arrangements could be generated this way, the Reliable Software Technologies team discovered.
86 million is much less than the 300 million possible combinations you can see after the flop. This means after the flop you know which exact shuffle was used (with a few statistically unlikely collisions where you may have 2 or 3 options).
Dude, this is so weird, and you continue to act in bad faith.
You need to specify UNIX 'date' as your intent as that phrasing wasn't used in the article.
It's also splitting hairs to say going from 300 million to 80 million is "much less" when that's not even the point of contention. Further to why you're splitting hairs, here's an actual research article [0] where the researchers point out that you needed the synched clock (not just the sysdate) to exploit it with hardware readily available at the time of the exploit, using Pentium 400s.
> That's enough to establish incompetence and/or gross negligence of the authors.
Going back to this claim, I really don't think you know what this term of art means. Ask a legal colleague/friend what they think is the criteria for "gross."
> You need to specify UNIX 'date' as your intent as that phrasing wasn't used in the article.
No, I didn't mean unix date, I mean literally date.
I can see two interpretations of the phrasing in the article. Either you have 86M shuffles per day (in this case knowing the date would benefit you) or you have 86M shuffles period (in this case even the date isn't necessary, you already have the totality of information). In both cases we can consider the problem of solving the game with 86M shuffles.
Syncing clocks is needed to enumerate all possible shuffles in real time on a 1999 PC, which is what the paper demonstrates. Doing this in realtime for 86M combinations wouldn't have been possible back then. However building a 1 Gb index file and making a HDD lookup in realtime was absolutely possible on very modest 1999 hardware, you can write such a program in a couple of hours.
Knowing the shuffle with three more rounds of betting to go represents a completely broken poker game, not just some minor biases in outcomes.
I have absolutely no idea what hairsplitting you are talking about, let alone bad faith discussions. 86M combinations is such a little number that you can analyse all of them and solve the game even on 1999 hardware. It's a fact, not a matter of opinion or idealistic standards. If you can just kindly acknowledge this fact, no further discussion will be necessary.
> No, I didn't mean unix date, I mean literally date.
Then, your entire comment is predicated on a misquote you emphasized. The article said "seconds," not day of the month. You need to work on clarity, if that was your intent.
> I have absolutely no idea what hairsplitting you are talking about
Either you're lying to me or yourself.
See discussion about "negligence" that you conveniently ignore. Meanwhile, you're tilting at windmills as you keep insinuating someone is arguing against you on the point of algorithmic flaws.
I'm sorry, but you simply don't understand how the exploit works. You don't need to guess the seed of the RNG, you don't need to synchronize anything, none of that matters.
There is such a low number of possible seeds that you can try them all, enumerate all possible shuffles, then check which one of them you've got. Then you know everyone's cards. This is why the game is fatally broken. That's it.
Call it negligence or not, I don't care much. But I'm amused by the fact that you fail to understand a basic combinatorics problem.
I have no intention of building straw men or bad faith arguments. If I assume good faith on your part (which becomes increasingly hard), the only explanation for your position above is some sort of misunderstanding of the combinatorial problem.
So, very simple and good-faith-not-a-straw-man question: do you agree that with 86M possible seeds you can guess all the cards with high probability after you see the flop? No clock synchronization necessary or any other tricks, just direct precomputation of all possible shuffles.
Not trying to be mean. But, I've already written you off, sorry.
Please go poll some English speaking friends and someone with experience in commercial law whether you're making sense.
You're also welcome to blow through time trying to prove whether 86M brute force approach is deliverable in game time with HW of the day, when the researchers expressly pointed out you can approximate the clock based on a couple hands and narrow to 200k * [+/- units of time] sorts.
Ok, so you refuse to answer even the most straightforward question. I guess you can reflect in your free time why it feels like people are attacking straw men while talking to you.
In this case this happened because after many messages I'm still completely lost as to what your point is exactly, and you refuse to answer simple questions to clarify it. All I know is you're angry and apparently disagreeing with something I said.
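The two counting arguments made in this thread (a shuffle with N^N equally likely runs cannot be uniform over N! permutations, and a seed space of about 86 million is smaller than the 311M ordered five-card views), worked through as an added example that is not part of the thread and is not ASF Software's code. The swap-with-any-position shuffle is an assumption inferred from the N^N figure, the 86,000,000 value is the thread's rounded number, and every function name is hypothetical.

```python
import math
import secrets
from collections import Counter
from itertools import product

def enumerate_shuffle(n, ranges):
    """Run a swap-based shuffle once for every possible RNG output and tally the results."""
    counts = Counter()
    for choices in product(*ranges):
        deck = list(range(n))
        for i, j in enumerate(choices):
            deck[i], deck[j] = deck[j], deck[i]
        counts[tuple(deck)] += 1
    return counts

def naive_outcomes(n):
    # Assumed flawed variant: position i swaps with any of n positions -> n**n runs.
    return enumerate_shuffle(n, [range(n)] * n)

def fisher_yates_outcomes(n):
    # Position i swaps only with i..n-1 -> n * (n-1) * ... * 1 = n! runs.
    return enumerate_shuffle(n, [range(i, n) for i in range(n)])

def is_uniform(counts, n):
    """True when every one of the n! permutations occurs equally often."""
    return len(counts) == math.factorial(n) and len(set(counts.values())) == 1

def entropy_bits_needed(n=52):
    """Lower bound on RNG state, in bits, needed to reach every ordering of n cards."""
    return math.log2(math.factorial(n))

def expected_coincidental_matches(seed_space, visible, n=52):
    """Expected number of seeds whose shuffle agrees with one particular ordered
    view of `visible` cards, treating seed -> shuffle as independent uniform
    draws (an idealisation used only for this estimate)."""
    return seed_space / math.perm(n, visible)

def secure_shuffle(cards):
    """Fisher-Yates driven by the OS CSPRNG: no guessable seed, no modulo bias."""
    deck = list(cards)
    for i in range(len(deck) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck

if __name__ == "__main__":
    print("naive n=3:", sorted(naive_outcomes(3).values()))
    print("fisher-yates n=3:", sorted(fisher_yates_outcomes(3).values()))
    print("bits needed for 52 cards: %.1f" % entropy_bits_needed())
    print("86M seeds, 5 cards seen: %.3f" % expected_coincidental_matches(86_000_000, 5))
```

A value below 1 from `expected_coincidental_matches` means the visible cards are, on average, consistent with only the shuffle actually dealt, which is why the seed space has to be sized against `entropy_bits_needed` rather than against what feels large.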