Wednesday, April 23, 2014

PPA vs Adelson's puppet, a $10k Security Challenge Gauntlet Has Been Thrown!

     I hear there is a $10k challenge from Eddie Harari to Jim Thackston post via Robbie Strazynski over at

     Cheri Jacobus is an unknowledgeable "pundit", we believe to be hired by Sheldon Adelson (aka the #HYPOCRITE ), who has a lot of opinions and drama filled tweets, but very few facts (if any!) .. if you haven't seen her tweets lately, a quick scan will tell you all you need to know without much digging.

Along those lines, I have copied the following for clarity on the subject:

     Presented for your viewing pleasure, the emails betwixt Rich Muny, Cheri Jacobus, Jim Thackston, Eddie Harari, with at least a CC for Robbie Strazynski ...
... In it's entirety, typos and all, from Facebook via Rich Muny (with his blessings, of course!)

The five of us had an email chat in late Feb./ early Mar. Eddie Harari listened to both sides, even phoning Thackston and me. In this email exchange, I pushed Thackston hard on his misrepresentation of the capabilities of online poker sites' collusion detection surveillance, and neither Thackston for Jacobus had an answer.
So, you can imagine my shock when I saw Jacobus attacking Eddie Harari for merely writing an article that reflected our discussion perfectly. As she continues her malicious, disrespectful attacks, I decided to release the email discussion:
On Feb 28, 2014 12:14 AM, "Jim Thackston" wrote:
Mr. Harari,
I saw your tweets in response to the PPA comments
I try to avoid the Twitter exchanges as much as I can.
I urge you to look at these 2 articles that I annotated for the May 2013 briefing I gave at FBI Headquarters in Washington DC.
The BBC article is very important to the discussion about collusion because it describes the reality of the incentives and disincentives for poker websites to enforce anti-collusion policy.
I disagree that 4-way collusion is easy to detect reliably and consistently (i.e. without generating false positives).
There is legal liability reason for poker websites to ignore collusion.
Let’s say a poker website uses anti-collusion algorithms and a person who earns a living playing online poker is falsely accused of collusion and is banned from the site.
The player is not guilty of collusion so he hires a lawyer to sue the poker website.
This would force the poker website to prove in a court of law that anti-collusion systems work perfectly.
The poker website will lose the lawsuit.
This is a very strong disincentive to look closely for collusion.
I made this point to the FBI using the BBC article and they agreed.
I approach this issue using scientifically sound arguments that are proven through actual testing and demonstration.
I would rather communicate with you using email rather than Twitter.
I also want to stay away from the charged rhetoric used by Muny and others.
Thank You and Regards,
Jim Thackston
[phone number redacted]
From: Eddie Harari
Sent: Friday, February 28, 2014 9:17 AM
To: Jim Thackston; Rich Muny; Robbie Strazynski
Subject: Re: Twitter
Dear Mr, Thackston,
I have studied the collusion theory and implementation. I also looked at the papers you have sent me. I think you have done a good work and i am sure you are an expert of this matter.
I know you may not like what i have to say , and I would like to say this as proffetionaly as I can.
(aside from detection methods that are known to be working in major online gambling sites today).
1. Strong ID on registration and physical certificate authentication for playing in a room is a must.
2. Suspicion should not ban player from playing, it should randomly assign a different seat for him (on a different table)
3. *** If possible then players should be shuffeled periodically and assign different seats. (mix up the players whithin the room) ***
4. When "suspicion" score goes higher then a certain level , the player details should be looked into and also the players acount should be suspended untill investigation has been done.
5. report each and every withdraw to the authorities so they can know about it and let the player know your doing it.
6. report your suspicion to the authorities so they can cross reference that with what they have... ( Let the players know your doing it and agree to it).
7. Work only with players from countries that cooporate with your regulation and your able to work with them about those things...
This will not eliminate and detect 100% of collusion, but it will sure make the people think 10 times before they do it. and from my experiance when they find that this is not as easy as it used to be and not as safe as it used to be , they will walk away and find another attack vector .
We deal with probability and statistics we never deal with absolute solusion , you know there is no such thing.
I respect your work and must say that impressed with your programming skills.
But what we (the experts) need to make things right, saying something is wrong (which is 100% correct) makes you a good expert. Correcting it , makes you great one !
When i wrote the Article about cyber security i did it so people know the risks and will understand that the issue of playing online is not that simple.
everybody in this debate agrees on that matter.
The debate should not be around what is going on now, it should be about the question IS IT POSSIBLE TO FIX THOSE ISSUES.
beside collusion there are a lot more issues that right now , i cant solve from the top of my head ... this is why i decided to give it time , learn some more... and write the answer in a second article.
I want to assure you, i will respect any comment you or any other expert have on this matter or on my work or ideas,i want to keep this debate proffetional and clean.

( sorry for the typos i have not edited this response, english is 3'rd language for me ).
(please forward to cheri jacobus i dont have her email right here...).
From: Jim Thackston
Sent: Friday, February 28, 2014 11:41 AM
To: 'Eddie Harari' ; Rich Muny ; 'Robbie Strazynski'
Subject: RE: Twitter
Dear Mr. Harari,
I have accounted for the countermeasures you’ve described below.
Please consider these points:
1. The patterns of play are known to the money launderers. They will know what an anti-collusion system is looking for.
2. Different patterns of play are seen by an anti-collusion system for different player skill levels – money launderers know this. Lower stakes tables populated by novices present different patterns than those for higher stakes tables.
3. The objective of collusion for money laundering purposes is to move money between colluding players, not to steal from bystanders.
4. Most importantly, the degree of difficulty in having automated systems try to find 4-way collusion (by 4 people who know what they’re doing) is far higher than for 2-way collusion. Please see this page and ask whether or not you think the anti-collusion countermeasures can be beaten:
At the urging of the PPA, we have asked the top regulator for the state of New Jersey to grant immunity from prosecution to test our methods with real money using the NJ-based websites.
So far, no response.
As a technology professional, you will appreciate that, in mathematical terms, poker is a very non-linear game. And non-linear problems are always difficult ones to solve.
Any anti-collusion system is essentially solving a non-stop non-linear problem. As the design of anti-collusion algorithms gets tighter, the number of false positives will become unacceptably high. Consider that poker is more non-linear than fluid systems such as the airflow over an airplane wing – there is randomness in such systems but it is ‘predictable’ randomness. Because human free will is involved in poker, such reliable predictability is not possible.
You mentioned rush poker – that can be exploited as well. Somewhat more difficult but only on the lower stakes tables simply because of time versus dollar amounts and the higher number of mule accounts required.
A money laundering operation can also corrupt poker tournaments which not only allows for the injection of dirty money, it also makes a profit for the launderers. (I haven’t posted the procedure for doing this but it works like the rush poker exploit.)
The ultimate conclusion I came to long ago is that the countermeasures required to eliminate money laundering (and cheating) were so burdensome that the business model can’t survive if the regulators and websites are serious about enforcing the rules.
Which means they won’t and thus the security problem remains. (See the FBI comments from the November 2009 letter to Spencer Bachus – they wrote about the lack of incentive to stop nefarious activity for a reason. And state and national governments have the same disincentive to effectively monitor – they need the money.)
Hope this adds some insight into the depth of my research.
Thank You and Regards,
Jim Thackston
In a message dated 3/3/2014 5:19:12 A.M. Eastern Standard Time, Rich Muny writes:
Dear Mr. Harari,
This has been an interesting topic of discussion for us. As you may know, the Poker Players Alliance is comprised of 1.2 million poker players and enthusiasts who, as those most directly impacted by collusion, are dedicated to attacking collusion and empowering law enforcement to take clear action against those who’d prey on the poker community. Our community was victimized by those at Ultimate Bet and Absolute Poker, and many of us – me included – are just now receiving our Full Tilt Poker balances (the result of a non-collusion issue). There are no greater advocates for safe online poker than those who actually play the game.
So, I read with great interest Jim’s statement that “the objective of collusion for money laundering purposes is to move money between colluding players, not to steal from bystanders.” This is a marked change from past discussion with Jim, where it was strongly implied that this scenario would be injurious to innocent players to the point where their funds would be at great risk. As it’s rather clear that the two would be mutually exclusive (collusion would increase the likelihood of getting caught money laundering), this is certainly a welcome update from him.
All that being said, I see several issues with Mr. Thackston’s analysis. I start with the actual likelihood of someone even making such an attempt. It’s one thing to come up with a political construct to use solely to justify banning the game, which we believe this is. It’s quite another to demonstrate actual, real-world threats. After all, if the “mules” were playing, they would have to be highly skilled and disciplined. Even with automation to aid or handle play outright, they mules would have to handle questions skillfully on their play if they came up. It’s unlikely someone would find value in training up a crew, providing them with up to six-figure playing bankrolls, and essentially requiring them to forfeit their opportunity to play the game for real by requiring them to use real IDs when playing. It’s also highly unlikely that money launderers would use this method, with 100% of transactions tracked, every hand recorded and, again, with real IDs required of all players. That’s why we’ve not seen this method used in the decade of online poker available to U.S. players through licensed and offshore sites alike.
As to the proposed “method” itself, I find that it would simply not work as advertised, for many reasons. The initial reason is launderers would not wish to raise their profile by colluding in a way to impact the other players at the table at all ... even it were a net neutral impact. If anything, they’d bleed off some money to reduce detectability. The second is that there is a fundamental issue where the “losing” mules funnel their money almost solely to the winning mules, while also simultaneously breaking even with the rest of the table. This differential would probably be very detectable. A simple SharkScope check of the losing players’ stats to opponents would be interesting by itself.
Thackston also comments on what anti-collusion systems look for. However, he offers no evidence or data regarding capabilities of anti-collusion measures. Thackston and I are both engineers who used to work on turbomachinery design. My chief engineer liked to refer to this as a “hand wave.” That’s what I take it to be as well. And, PPA never suggested that Thackston break laws and test his theories on real money games. We simply pointed out that he presented no evidence at all in the capability of anti-collusion technology.
So, point by point, this hand wave of “colluders know patterns of anti-collusion technology” is, to be frank, nonsense. Thackston cannot even produce this. Would a colluder learn by trial-and-error.  And, they are not random patterns. They are optimal patterns. Deviating further and further from optimal reduces the capability of collusion greatly –- along with increasing its variance. This also brings human nature to question. How many “mules” are willing to tell the boss they lost that day, saying “well, that’s variance for ya’”? It’s rather clear at least one would push the envelope to recover – especially if they were simply trained on collusion play and not as actual poker players.
And, there’s the fact that once one money launderer is identified, the scheme would unravel quickly, with lots of felony charges and seized funds. In other words, it’s a terrible way to launder money on play within the U.S.
PPA takes money laundering seriously and offers actual solutions. PPA Executive Director John Pappas recently testified before a Congressional committee on online poker consumer protection and law enforcement empowerment, with specific emphasis on anti-money laundering compliance programs, complete with auditable records, to be maintained by sites.
We also very strongly disagree with the notion that sites have no incentive to stop collusion. Sites in the U.S. are big name operations like Caesars and MGM that have no desire to tarnish their names. In other words, they have all the reason in the world to ensure players see their sites as honest and trustworthy.
We are pleased by the compliance of the licensed U.S. sites as well as the experience of some offshore sites that no longer serve the U.S. market but which are licensed offshore for operation where they offer services, such as PokerStars.
I hope this helps. Thank you again Mr. Harari.
Rich Muny
Vice President of Player Relations
Poker Players Alliance
P.S. Per your request, I added Cheri Jacobus to distribution
From: Cheri Jacobus
Sent: Saturday, March 8, 2014 10:33 AM
To: Rich Muny
Cc: Jim Thackston ; Eddie Harari; Robbie Strazynski
Subject: Re: Twitter
Rich -- You wrote: "After all, if the “mules” were playing, they would have to be highly skilled and disciplined" -- it is clear you have no idea what Mr. Thackston is talking about. The mules would not be playing in the game. That you do not seem to understand this despite the many hours you have logged on Twitter attempting to negate Jim's findings, is an indication that you, PPA members and others would greatly benefit from that live demo for PPA, the press and livestreamed for your members that Jim has repeatedly offered and that you refuse. It's also likely that the regulator's refusal to address this will raise questions.
Cheri Jacobus
On Mar 8, 2014, at 3:08 PM, Rich Muny wrote:
Hi everyone,
We understand Thackston’s proposal perfectly. When I wrote about how mules not playing would still require certain skills to elude detection, I was obviously including mules whose accounts were being played by others VPNing in.
I realize Cheri is new to all of this, but she needs to understand that Thackston didn’t invent the ideas of collusion, VPN play, or multi-accounting. Players have been discussing these risks and the steps sites and players can take to mitigate them since the online game started. That’s why articles like Mr. Harari’s are published on poker sites. I get that it all sounds scary to a layperson, but every single person who ever put real money on a site has considered these issues. We discuss it all the time on forums like 2+2. Thackston simply offers nothing new here.
For Eddie and Robbie’s benefit, Cheri and Jim want PPA to live-stream Jim “demonstrating” collusion..on a play-money site like Yahoo! Then, I guess Thackston would come in with a hand wave saying these mythical money launderers know all the secrets of anti-collusion technology and can defeat them at every turn. This, despite the fact that there aren’t even any money launderers trying this at all, much less those who know everything sites look for in site surveillance.
It’s quite obvious they want PPA to do this to earn them free publicity and status, but I have no idea why they think PPA would promote the efforts of prohibitionists who are more interested in finding problems – real and imaginary – than solutions. Otherwise, they’d have streamed their own event by now. I told them I’d be more than happy to share the date and time of their demo with my Facebook and Twitter friends and followers. I even invited Cheri onto my live webcast to discuss. So, we’re all still waiting for them to make their video or whatever they have in mind.
Cheri also commented on regulators. Regulators and sites address collusion and money laundering detection as step #1 in site surveillance and security. Jim didn’t come to them with anything new. In fact, rather than asking to test the anti-collusion software itself, he wanted to test his idea with actual, real-money players at the table. Of course he was rebuffed.
I think this has been a terrific discussion. It would be a shame for it not to be shared publicly. Perhaps Mr. Harari or Mr. Strazynski could include it or make it an article all its own? As we’ve all consented by definition by providing this with one another, it seems ready to go.
From: Cheri Jacobus
Sent: Saturday, March 8, 2014 3:22 PM
To: Rich Muny
Cc: Jim Thackston ; Eddie Harari ; Robbie Strazynski
Subject: Re: Twitter
Rich, Jim made it clear in response to an email you did not share with the others that he does not consent to you sharing his emails. I do not consent to mine being used in that way, either. We did not initiate the contact with you, nor did we initiate the cc to you.
Post a Comment