Starting from an Analysis of a Report (Report — Bovada.lv 2015 — Online Poker In Danger)

Report — Bovada.lv 2015 — Online Poker In Danger

I came across this article today. It was written by Data Mine Poker and originally published on Medium.





Reasons For This Report

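First, the reasons for writing this report (Reasons For This Report). The report is part of a private contract prepared for a bid*. Starting from the technical details, they (the report's authors) wanted to get a clear picture of the current state of online poker.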

*The remaining part will appear in a second report (Following this initial public circulation report, a secondary full length report will be released on a case by case basis for private use. The secondary report will include full software sources, data access, and image/video evidence collected throughout the testing phases.)

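As is well known, the criteria for judging the technical details come down to security, legality, and fairness. Examining these technologies is also preparation for plans in the second quarter of 2016.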

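Gambling has a broad market all over the world, the United States included. Because there is money to be made, interest groups use every means available to legitimize themselves and capture the market for profit. Among them are two large companies, Draft Kings and FanDuel (already valued at more than $1 billion), which naturally want a share as well.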

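The three major poker rooms in the United States today are Bovada Poker, BetOnline Poker and Carbon Poker. Bovada's poker room has obtained its licences to operate legally, and a very complete set of them, something only a few companies in the whole United States have managed. However, Delaware and Nevada now require gambling companies to pay tax. The tax bill is huge and Bovada naturally refuses, so people in those states are restricted from using it. It is also quite likely that more and more state governments will require gambling companies to pay tax.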

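You can read up on Bodog's background yourselves; I will not translate it. Bovada is Bodog's North American company. The key point is that Bovada Poker is not established within the United States, and the gambling software it uses has not been certified by the Nevada Gaming Commission or any related gambling regulator.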

So the testing team considers there to be security risks. (Bovada’s poker room software may have potential security risks……)



1. It could be exploited by rogue employee(s)* or a hack group (the random number generator and the shuffle algorithm)

*A rogue employee is someone who steals the company's user data and sells it (This should mean "an employee who betrays the service-provider company" by selling customer details.)

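*In the Absolute Poker cheating incident, according to the company's statement, this happened because a company employee broke into the internal system and could see the cards in other players' hands.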


*On this point, something similar to what happened at Absolute Poker and UB could occur (This could be related to a similar situation that happened to Absolute Poker and Ultimate Bet between 2005 and 2008); for the above, see the dark history of Absolute Poker and Ultimate Bet

Collusion and bots are therefore the two forms of cheating considered likely to occur frequently.


All reasoning is based off of statistical models, Monte Carlo simulations, and basic data science principles. Due to this style of reasoning, it is possible that results may vary player to player to an unknown degree. However, based on the same reasoning, out of the ordinary occurrences can still be classified as statistical anomalies.



The team behind this research is comprised of:

1 data scientist (15+ years professional experience)

1 gambling software developer (helped build one of the largest online gambling software systems available)

1 software engineers (5+ years of professional experience each)

1 mathematician (PhD in Statistics)







The different hand types analyzed include:

Bad Beat - described above.

Super Bad Beat — a player has over a 99% percent chance of winning a hand and loses to community turn cards. Usually the result of a player hitting 2 specific cards in a row.

Multi Big Hand - a hand when multiple players at the table end up having a very high ranking hand such as a straight, flush, full house, straight flush, or royal flush.

Oddball Win - a player over plays a low ranking starting hand and wins against a very high ranking starting hand.

BB, Super BB, Multi Big Hand, Oddball Win and so on are basic Texas Hold'em terms, so I will not explain them; the original article also defines them.


This data includes details that could define a single user such as:

Timing on actions — the average time it takes for a user to take an action when it becomes their turn.

Non uniform bet amounts — some users have a specific betting strategy during certain hand types. Sometimes, the amounts are awkward in comparison to the table blinds.

EV % — the percentage of hands that a player decides to place money in to the pot (calls, raises), not including being forced to place blinds.

Bluff % — the percentage of completed hands that the user attempts to bluff on.

Win % vs. Play % — the percentage of complete hands the user wins compared to the percentage of hands the user plays through completely.

Multiple smaller comparisons. Sit out times, changes in bet styles, tilt timing, etc.


Data Collection — Development (working out how to collect the data)

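The first step in any data analysis is collecting the data. Their analysis concluded that Bovada Poker's Mac and Windows clients are fairly secure, and collecting data from them is complicated. So they turned to the Mobile Web (JavaScript) application, that is, research on the mobile client.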


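Here, however, the translator needs to point out one thing: this data does not include each player's hole cards, only the data produced during play. (This means a player's hole cards can be recorded only at showdown.) Although Bodog runs anonymous tables, the method the testing team used could still match each player up.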

Data Collection — Initial Results

After almost a year of data collection, over 20 million hands were collected and stored in a central database. Within these hands, over 1.4 million separate intra table players were recorded (meaning if a person takes a seat at a table, they are counted as a single player, until they leave the table).

Current Inspection MySQL Database of Recorded Handed



Once this development was complete, our team started setting up a stream on every poker table available, monitoring them for inaccuracies or problematic reporting and building analysis systems from the data collected.


The system used for user behavior analysis was a time window, play style algorithm. Based on a set of multiple characteristics (aggression level, percentage of hands played, win percentage, etc), a user can be classified as a specific type of player over a statistically significant number of hands (a time window). By judging play style over every set number of hands (every window), it becomes easy to find large changes in play style that occur quickly (adjacent windows).

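The focus is on analyzing each user's playing style and classifying players by it. They also used machine learning, the most popular technique of the moment, to predict whether the same player is also playing at other tables.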
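The time-window play-style comparison described above, as an added example that is not code from the report or its authors: each window of hands is reduced to a small feature vector and adjacent windows are compared by distance. The `Hand` fields, the 100-hand window, the 0.35 threshold and the sample hands are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import sqrt

@dataclass
class Hand:                      # hypothetical record layout, not the report's schema
    put_money_in: bool           # voluntarily called or raised (blinds excluded)
    bets_raises: int             # aggressive actions in the hand
    calls: int                   # passive actions in the hand
    won: bool

def window_profile(hands):
    """Reduce one window to (hands played %, aggression level, win %)."""
    n = len(hands)
    aggressive = sum(h.bets_raises for h in hands)
    passive = sum(h.calls for h in hands)
    total = aggressive + passive
    return (sum(h.put_money_in for h in hands) / n,
            aggressive / total if total else 0.0,
            sum(h.won for h in hands) / n)

def style_shifts(hands, window=100, threshold=0.35):
    """Return (window_index, distance) wherever adjacent windows differ sharply."""
    profiles = [window_profile(hands[i:i + window])
                for i in range(0, len(hands) - window + 1, window)]
    shifts = []
    for k in range(1, len(profiles)):
        dist = sqrt(sum((a - b) ** 2 for a, b in zip(profiles[k - 1], profiles[k])))
        if dist > threshold:     # assumed cut-off for a "large change"
            shifts.append((k, round(dist, 3)))
    return shifts

def sample_hands():
    """Constructed data: 200 tight-passive hands, then 100 loose-aggressive ones."""
    tight = [Hand(i % 5 == 0, int(i % 10 == 0), int(i % 5 == 0), i % 10 == 0)
             for i in range(200)]
    loose = [Hand(i % 2 == 0, 2 if i % 2 == 0 else 0, 0, i % 4 == 0)
             for i in range(100)]
    return tight + loose

if __name__ == "__main__":
    print(style_shifts(sample_hands()))
```

Only the boundary between the second and third window is reported, because the first two windows have identical profiles.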

List of common poker player styles, provided by our friends at iHoldem Indicator. http://www.iholdemindicator.com/features.html


Data Collection — Analysis (the data analysis begins)


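1. It is hard to identify suspicious behaviour by analyzing players' playing styles [similar to the way cheaters used full hand data*; see the Ultimate Bet/Absolute Poker cheating scandal]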

*Here "full hand data" means just what it says: the hole-card data of all players

Video from past Absolute Poker Cheating Scandal. https://www.youtube.com/watch?v=PbQyKgELDEA

2. Two metrics were set to judge whether you are a super user

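The first is how many big blinds are won over 100 consecutive hands. (The first metric is the number of Big Blinds won over 100 consecutive hands.) Generally speaking, a professional poker player averages 8 to 10 big blinds per 100 hands.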

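The second is river aggression. (The second metric used is the level of River Aggression.) For this, too, see the details of the Absolute Poker cheating incident. Put simply, the cheating player played the river very aggressively: either bet or fold, never call.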

The test results show that Bovada did not exhibit the kind of problem seen at AB Poker.
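The two super-user metrics described above, computed per window of 100 consecutive hands, as an added example that is not code from the report. The record layout, the flag thresholds (five times the professional baseline, at least 15 river decisions, at most 5% river calls) and the sample hands are assumptions constructed for illustration.

```python
PRO_BB_PER_100 = 10   # upper end of the 8-10 big blinds per 100 hands quoted above

def superuser_report(hands, window=100, bb_factor=5, min_river=15,
                     max_call_share=0.05):
    """hands: list of (net_big_blinds, river_action) in play order.
    river_action is 'bet', 'call', 'fold', or None when the river was not reached.
    All thresholds are illustrative assumptions, not values from the report."""
    report = []
    for start in range(0, len(hands) - window + 1, window):
        chunk = hands[start:start + window]
        # Metric 1: big blinds won, normalised to 100 hands.
        bb_per_100 = sum(net for net, _ in chunk) * 100 / window
        # Metric 2: river aggression, expressed as the share of river calls.
        river = [action for _, action in chunk if action is not None]
        call_share = river.count("call") / len(river) if river else None
        flag = (bb_per_100 >= bb_factor * PRO_BB_PER_100
                and len(river) >= min_river
                and call_share is not None
                and call_share <= max_call_share)
        report.append({"first_hand": start, "bb_per_100": bb_per_100,
                       "river_decisions": len(river),
                       "river_call_share": call_share, "flag": flag})
    return report

def constructed_hands():
    """Constructed data: one ordinary winning window, then one bet-or-fold window."""
    ordinary = [(10 if i % 10 == 0 else -1,
                 ("bet", "call", "fold", "call")[i % 4] if i % 3 == 0 else None)
                for i in range(100)]
    suspect = [(20 if i % 10 == 0 else -1,
                ("bet" if i % 2 == 0 else "fold") if i % 3 == 0 else None)
               for i in range(100)]
    return ordinary + suspect

if __name__ == "__main__":
    for row in superuser_report(constructed_hands()):
        print(row)
```

A window is flagged only when both metrics agree, so a short lucky run with a normal mix of river calls is not reported.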

However, the testing team then also tested under extreme conditions (edge casing), likewise judging by big blinds won per 100 hands.

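*Edge case is a computing term; in software engineering, testing under extreme conditions is also often a means of finding or creating backdoors in a system (Edge casing is commonly used by exploiters and encryption developers to find/make back doors in to an encrypted system.)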

One thing needs stating here: edge cases can be exploited.

The random number generator is one of the most crucial pieces of an online poker room, so it is guaranteed that a group of expert level programmers and mathematicians would scan the source code with a fine tuned comb to verify its fairness. Any individual with a substantial background in encryption and advanced mathematical algorithm theory would be capable of both creating an edge case scenario as well as finding hidden edge case algorithms.

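The article gives the example of Ronald Harris. He once worked at a software company, writing and testing programs for Atlantic City Casino Keno games. He wrote a special algorithm that, every few weeks, produced a predictable game. This means that, as the programmer who wrote the code, he knew the result in advance. He used this to win a jackpot, but was eventually caught when he sent a friend to collect the winnings.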

From calculated averages across all hands collected, approximately 1 in 18.4 hands resulted in a big hand played out to a 15+ Big Blinds win (one player winning a substantially large pot). To be more exact, the average for a 6 player table was 1 in 20.6 (4.85%), and for a 9 player table it was 1 in 17.9 (5.59%). Out of these hands, over 55% of the hands resulted in players placing 80% or more of their table chip stack in to the pot.


The testing used Monte Carlo simulation

Our results for the Monte Carlo simulation showed, over billions of random hands, that for a 6 player table, a potential big hand occurs 1 in every 14 hands (7.14%) and for a 9 player table, a big hand occurs 1 in every 12 hands (8.33%). These base level odds look shockingly low considering hand odds collected directly from Bovada and the fact that these odds are for every single hand played till the hand (meaning no folding of potential big hands).


As a separate case study, our team was able to contact poker tracker and purchase a database of approximately 216 million poker hands tracked by their software from Bovada, Bet Online, SportsBetting.ag, America’s Cardroom, and 888 Poker. This data was then parsed, cleaned, and analyzed the same exact way as the hand data our team collected directly from Bovada.



Histogram of Big Hand Probabilities through Monte Carlo Simulation. Purchased Databases and Bovada Collected Big Hand Probabilities Shown on same Axis.

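Put simply, the conclusion is that the probability of big hands at Bovada is too high: the highest among these poker rooms, and more than double that of 888 Poker.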

The clinching evidence: while analyzing user action data, the team found that more than 80% of players played like a different person when facing these big hands.

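Various other behaviours also point to something abnormal at Bodog. In the translator's view, however, these arguments are too far-fetched. Much of what the team regards as cheating could be seen as cheating, or not. So the later Prediction Model and Overview sections are not explained further here.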

Playing Analysis — Collusion (in practice, players teaming up at the table)

The main strategies employed were:

Informing of each other players’ hands. The cards known then helped the team make decisions on whether a certain hand was winnable and what the increased or decreased winning odds were.

Pushing players out with raise and re raise scenarios across the table. This means that multiple players on the team would raise and re raise in order to steal blinds/initial bets from other players.

Chip dumping. After the above strategies, to mask the collusion play, sometimes one team member would lose a large portion of their chips to another team member. In order to even the team back out and keep the collusion value high, these players would purposely lose hands to shift chips back to another low stacked team member.

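Now to practice: a 3-person team playing no-limit at a 6-player table, staying in contact by phone and using the same strategy in order to cooperate. (The team paid attention to things like IP addresses and handled them so they would not affect the results.)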





a) 7 Large Win Sessions (200%+ Gain) (+$11,545)

b) 3 Medium Win Sessions (50%+ Gain) (+$3,200)

c) 4 Low Win Sessions (0–50% Gain) (+$995)

d) 4 Low Loss Sessions (0–50% Loss) (-$1,040)

e) 2 Full Loss Sessions (100% Loss) (-$2,350)




Throughout the entire process, the team never received any form of security message, account ban, funds seizure, etc. Each team member used the same player account for each session and followed the same procedures each time.


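On other platforms (BetOnline, SportsBetting.ag, etc), each of the behaviours above would trigger an alert mechanism, or the system would find the anomaly with a single scan of the hand-history logs. Bovada, however, did not react at all.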

Due to this, our team came to the conclusion that either Bovada does not have this security software in place or does not care to take action against these players.



Based on these findings, our team can easily confirm that Bovada Poker is a haven for collusion activity.


Playing Analysis — Bots



Bovada — Online Poker In Trouble


Most of these blatant security gaps come from the JavaScript Mobile Web application

It then goes on to talk up how secure America’s Card Room is.








*The random number generator and shuffle algorithm are uncertified and not public;

*Big hands, coolers, river suck-outs and the like occur too often, including some oddball wins that seem unbelievable







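For example, the selection of evidence is biased and there is a suspicion of exaggeration. When comparing big hands, in order to show that Bodog's probabilities are abnormal, data was purchased specifically from a third party (Poker Tracker) for comparison. With the algorithms, data sources and so on all differing, the significance of such a comparison is limited.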



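Yes, Monte Carlo simulation and big-data statistical analysis are all fine. In theory you can calculate it this way, but what about in actual play? Are the strategies and classification criteria the testing team designed realistic? I doubt it, and I do not think it is even possible. There are too many uncontrollable factors; however the algorithm is tuned, a bot still thinks differently from a person. Machine learning, at least at this stage, cannot yet reproduce what the human brain does.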



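That is not to say this report is worthless; it at least exposes security holes at Bodog. I think such security risks exist not only at Bodog but at most for-profit online poker rooms. Whether it is deliberately dealing big hands and coolers, raising the odds of river suck-outs, or even intentionally adding bots or so-called Super Users, the purpose is to balance the ecosystem. From the company's point of view, to make a profit it has to attract enough people to play while reducing the damage Pros do to Freshmen. Making such artificial adjustments is to be expected. Besides, for a Pro, adjustments of this degree are no real obstacle.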






“Talk is cheap, show me the code.”

