A Radioactive, Search-Hardened User Name for Online Poker

Wednesday, June 16, 2010

I don't know if it was premeditated or some sort of fluke involving sunspots and cosmic rays, but a humorous hats off to PokerStars player ROBCASHFLOW, whoever you are, for successfully embedding an illegal, invisible, non-printing ASCII control character (specifically, the unit separator, decimal value 31, hex 0x1F) between the third and fourth letters of your online poker username...


...making life just a little more difficult for anybody who wants to search for your name, or type it into a search box, or copy and paste it into something, store it in a database, upload it to a website, etc. Essentially, this handle is a complete PITA! : ) So today we salute you, Mr. Embedding Problematic Phantom Characters into His Online User Name Guy, in recognition of that fact.

But I don't see any phantom characters.

Right. Because they're phantom. They're invisible. To "see" these characters, you have to use a trick like this one (or crack open a hex editor):

  1. Select the above user name (ROBCASHFLOW) with your mouse, then let go of the mouse.
  2. Press and hold the SHIFT key on your keyboard.
  3. While holding the SHIFT key, use the Left and Right arrow keys to move the trailing edge of the selection back and forth across the gap between the "B" and the "C".

You'll notice it takes two keypresses to navigate from the position just before the "C" to the position just after, where it should only take one. That's because one of those keypresses is consumed by that innocuous ASCII 31.

Okay, but that's just a glitch. It doesn't happen consistently.

It happens anywhere the player name "ROBCASHFLOW" appears, on any website, in any document, in any application window, across pretty much the entire world of computing. The embedded "phantom" character is a formal part of the player name even though we can't see it, so it gets dumped to the hand history file, uploaded to the website, copied-and-pasted into the text document, downloaded to your iPhone, and so forth and so on. Forever.

Take a look at the following telltale bug report (now resolved) from the Hold'em Manager forums. The culprit? The rascal, ROBCASHFLOW, in Seat 3, with his embedded phantom character.

Hi I just got some import errors for the first time today.
I am using version 1.06.03H
here is a hand. Thanks for the help.

PokerStars Game #XXXXXXXXXXX: Hold'em No Limit ($0.25/$0.50) - 200X/11/25 23:43:50 ET Table 'Apus II' 6-max Seat #3 is the button
Seat 1: KGould035 ($9.70 in chips)
Seat 2: RHFiend ($50 in chips)
Seat 3: ROBCASHFLOW ($87.55 in chips)

When I first stumbled across this (well, actually, I ran into the problem because I happen to have a hand history against this guy, which was causing an obscure error condition in my poker setup, which compelled me to start Googling, at which point I found the HEM bug report and started to piece together the ROBCASHFLOW puzzle) I thought to myself:

Huh. Probably a fluke.

So I did some more searching and I discovered ROBCASHFLOW is also mentioned here, here, here, and here. And everywhere his name appears (with no exceptions), there you'll find an invisible phantom character embedded.

This doesn't just happen on websites; that phantom ASCII 31 is also preserved on the desktop, in the PokerStars client, not to mention Hold'em Manager, PokerTracker, PostgreSQL, Notepad, Word, Excel, and, in general, anywhere you can get a caret or selection to move through ROBCASHFLOW's official name, it will stutter between the "B" and the "C". And that's not a bug: that's correct behavior, provided you've accepted the fact that obnoxious nonprintable characters can appear in player handles.

(Which by the way, is a big WTF unto itself.)

So yes, I'd say it happens consistently.

The Search-Resistant Handle

The upshot of all this is that ROBCASHFLOW's handle is effectively hardened against casual searches. Just try surfing over to Sharkscope.com and doing a search for ROBCASHFLOW. One of two things will happen:

  • If you TYPE his name into the search box, omitting the phantom character, you won't find him. The search returns 0 results, as it should. There is no player called ROBCASHFLOW, without the embedded phantom. There is a player called ROBCASHFLOW, however. With the phantom.
  • If you COPY AND PASTE his name, you won't even be able to get his name into the Search box. It will truncate everything occurring after the phantom character, leaving you with "ROB".

[Update: Sharkscope appears to have changed/updated their behavior this morning. This player is now searchable through the below link as well as through copy-and-paste into the search box.]

And before you start thinking that maybe this guy doesn't have a Sharkscope profile, let me just point out that he's listed on the Sharkscope list of player names starting with "ROB", where his name has a valid hyperlink to his profile page, which is:


But good luck pulling up that page in a web browser. Go ahead and give it a shot. You'll end up back at the truncated "ROB" screen.

You see, not only can you not search for ROBCASHFLOW; you can't even get his name to fit inside the search box. Not without working at it. The phrase ROBCASHFLOW is like kryptonite for search.

[Update: Sharkscope appears to have changed/updated their behavior this morning. This player is now searchable again.]

How To Invalidate Your Player Notes File

Nowadays the top poker sites (Full Tilt and PokerStars) both use an open XML format for storing player notes. This is a big feature, often overlooked, which I hope spreads to other sites in due course. But XML has some peculiarities, not least of which is this:

Certain characters are illegal and may not appear in a valid, well-formed XML document

You can check out the nightmarish W3C XML spec for the official rundown, but I'll go ahead and tell you: ASCII 31, the problem character in ROBCASHFLOW's name, is an illegal XML character.

ASCII 32, the next character up, is legit; that's a plain vanilla space character. But ASCII 31 is illegal XML. Any XML document that contains an unencoded ASCII 31 is an invalid XML document, by definition. And since player notes files are XML documents, on PokerStars anyway, that means that taking a note on ROBCASHFLOW silently invalidates your XML notes file.

That doesn't mean that you lose your player notes file, or that your player notes get corrupted, or that PokerStars refuses to load them. None of that happens. Don't worry about it. (Especially since you routinely back up your player notes files, right?)

It just means that your XML file is now technically invalid, and if you ever try to load it or edit it with another tool, there's a good chance you'll get one of these.

As would happen if you tried to use (just as one common example) the .NET XmlReader class to read one of these hypothetical invalidated player notes files. That's a validating reader and it doesn't play games with invalid XML characters. It blows up, and no, XmlReaderSettings.CheckCharacters doesn't help. As the documentation states:

If the XmlReader is processing text data, it always checks that the XML names and text content are valid, regardless of the property setting. Setting CheckCharacters to false turns off character checking for character entity references.

But that's secondary to my point, which is that not only is it difficult to search for ROBCASHFLOW, even taking a simple note on him is a little iffy.
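The failure described in this section can be reproduced with any conforming parser. The following is an added example, not code from the original post or from PokerStars; it uses Python's ElementTree in place of XmlReader, and the `notes`/`note`/`player` layout is a hypothetical stand-in for the real notes format.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the handle with U+001F between "ROB" and "CASHFLOW".
HANDLE = "ROB\x1fCASHFLOW"

def is_xml10_char(ch):
    """True if ch matches the XML 1.0 'Char' production."""
    cp = ord(ch)
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)

def illegal_xml_chars(text):
    """Return (offset, code point) for every character XML 1.0 forbids."""
    return [(i, ord(ch)) for i, ch in enumerate(text) if not is_xml10_char(ch)]

def write_note(player, note):
    """Serialize a note without checking characters (hypothetical layout)."""
    root = ET.Element("notes")
    ET.SubElement(root, "note", player=player).text = note
    # The serializer escapes markup characters only; U+001F is written raw.
    return ET.tostring(root)

def is_well_formed(doc):
    """True if a conforming parser accepts the document."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False

def write_note_checked(player, note):
    """Refuse to write a file that no conforming parser could read back."""
    bad = illegal_xml_chars(player) + illegal_xml_chars(note)
    if bad:
        raise ValueError("not representable in XML 1.0: %r" % bad)
    return write_note(player, note)

if __name__ == "__main__":
    print(illegal_xml_chars(HANDLE))
    doc = write_note(HANDLE, "calls too wide")
    print(doc, is_well_formed(doc))
    # A character reference does not help: XML 1.0 forbids &#31; as well.
    print(is_well_formed(b'<notes><note player="ROB&#31;CASHFLOW"/></notes>'))
```

Because XML 1.0 has no legal spelling for U+001F at all, a writer has to reject the value or store it in an encoding of its own, such as Base64 in a separate attribute.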

Which brings us to...

The Radioactive Player Handle

ROBCASHFLOW isn't the first or the only player to come up with a problematic handle out of, for all I know, sheer orneriness. It's hard to encounter handles like \vv/îåm, ·¨·.àçé.·¨·, or ¶ChäseK. without imagining that their owners took a sort of perverse Pinky and the Brain imp-glee in creating them. No offense to people who happen to prefer a slightly more obfuscated handle...

"HAHAHAHA! [angry nerd laugh] That'll show them who the clever one is. My handle contains SEVEN IRREGULAR CHARACTERS. I'm IMMUNE TO SEARCH, bitches!"

But there's another angle here. What happens when people, fully aware that their online usernames will be analyzed to death, design their handles for difficulty? To be as difficult as possible to work with? I did this way back when Paradise Poker was king and player tracking was in its infancy. I know others have done it in the years since.

For example, by creating a handle in which the first three characters are spaces (if the site allows it), you defeat any text processor that does typical string trimming:

string s = GetPlayerNameFromFileOrWherever();
s = s.Trim(); // Oops. We just trimmed part of the player's name

Alternately, you can embed multiple spaces inside the name:

John     Doe

Which might cause problems if that name is ever displayed over HTML, where those spaces will likely get folded into a single space, or else represented as a sequence of non-breaking spaces, neither of which preserves the original name perfectly.

Obviously as you start throwing control characters, so-called "extended ASCII" characters, and possibly Unicode into the mix, not to mention the different meaningful things you can do with punctuation...

"Hello, thank you for calling Acme Poker customer support. My name is Nancy. May I have your account username please?"

"Sure. It's ';DELETE * FROM player--'."

"Thank you, Mr. ';DELETE * FROM player--'. How may I assist you today?"

...things start to get hairy, in a giant-hairy-tarantula-skittering-down-your-collarbone sort of way. Which is why I've always thought that the wide leeway online poker sites give their players in choosing handles is maybe, possibly, a bad idea. As much as I'm for giving users options, letting them invest in their identities, engage with the site, etc., and as much as having a flexible handle policy actually helps with that, the standard mantra of alphanumerics plus limited punctuation is there for a reason: it keeps usernames simple and relatively exploit-free.

And you know what else? It keeps usernames presentable. Consider what happens when a new player observes a real-money game of online poker for the first time, and sees people sporting names like:

  • \vv/îåm
  • ...........42...........
  • assclown007
  • youpayformymeth$

Consider how awesome it will be for the game of online poker, from a PR standpoint, when some kid with a handle like Balls__2Ur__Chin wins the big mega-prize. That's what'll convince the world that poker is a game of skill and sportsmanship. Of course.

"Balls__2Ur__Chin sweeps the 2019 Online Poker MegaMillions Tourney; Wins Record 18mil."

So as much as the Zork-hacking nerd in me is amused by clever handles and embedded control characters, another part of me wishes there was a little more of a standard. Until there is, anytime you make the assumption that...

User names always contain normal, printable, visible, healthy, sane letters, numbers, and punctuation and nothing else

...players like \vv/îåm and the enigmatic ROBCASHFLOW will come out of the woodwork to blast that assumption to smithereens, whether they mean to or not.
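One way to test that assumption against real handles, as an added example that is not code from the original post: it flags the hazards listed above (invisible characters, trimmable spaces, space runs) and matches typed searches on a key with invisible characters removed. The allowlist pattern and all function names are assumptions; the sample handles are taken from the hand history quoted earlier.

```python
import re
import unicodedata

# Assumed policy for this example: 3-20 ASCII letters, digits, '_', '-' or '.'.
ALLOWED = re.compile(r"[A-Za-z0-9_.-]{3,20}")
INVISIBLE = ("Cc", "Cf")  # Unicode control and format categories

def visible(handle):
    """Render a handle with control, format and non-ASCII space characters escaped."""
    out = []
    for ch in handle:
        cat = unicodedata.category(ch)
        hidden = cat in INVISIBLE or (cat.startswith("Z") and ch != " ")
        out.append("<U+%04X>" % ord(ch) if hidden else ch)
    return "".join(out)

def audit(handle):
    """List the hazards described in the article that apply to this handle."""
    findings = []
    for i, ch in enumerate(handle):
        if unicodedata.category(ch) in INVISIBLE:
            findings.append("invisible U+%04X at offset %d" % (ord(ch), i))
    if handle != handle.strip(" "):
        findings.append("leading/trailing spaces are lost by Trim()")
    if "  " in handle:
        findings.append("space run is folded when rendered as HTML")
    if not ALLOWED.fullmatch(handle):
        findings.append("outside the alphanumeric allowlist")
    return findings

def search_key(handle):
    """Key for lookups and uniqueness checks: drop invisible characters, fold case."""
    kept = (ch for ch in handle if unicodedata.category(ch) not in INVISIBLE)
    return "".join(kept).casefold()

# Constructed sample data: one stored handle carrying U+001F after "ROB".
STORED = ["KGould035", "RHFiend", "ROB\x1fCASHFLOW"]

def find(typed, handles=STORED):
    """Match what a user can type against stored handles by search key."""
    return [h for h in handles if search_key(h) == search_key(typed)]

if __name__ == "__main__":
    for h in STORED + ["   Doe", "John     Doe"]:
        print(repr(visible(h)), audit(h))
    print(find("ROBCASHFLOW"))
```

Enforcing uniqueness on `search_key` at registration also stops a second account from registering a handle that differs from an existing one only by an invisible character.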

Agree, disagree, have your own username horror story to share? Let us know.

Tags: online poker, poker

35 comment(s)

Fascinating. What a colorful example of the ages-old problem of the untrustiness of user input. I don't play poker but I enjoyed this. ps. the W3C XML spec link appears to be broken.

What's more interesting to me is that online poker is at a place where you can type any player's name into Google and find this sort of info. Whatever happened to "reasonable expectation of privacy"?

Doesn't exist.

I suppose the most serious problem here is not knowing whether you're playing against GuyLaliberte or some pro who is using username GuyLaliberte with some embedded phantom characters. This could hurt your bankroll badly before you realize what's going on. I think this is kind of comparable to using someone else's poker account to play (which I think is forbidden on every casino), so the casinos should really prevent this from happening.

Reasonable expectation of privacy? Why would one have that when playing online poker on a public site? Sounds unreasonable to me.

Something strange...

I tried searching for him on Sharkscope this morning, and the behavior was just like you said. I tried it five or six times.

I just tried it again, and now I can search for him fine (on Sharkscope). The link works, and copy-paste into the search box works.

Does the Sharkscope team read this site?

Here's a great username story for you:

I did a web application penetration test for a friend of mine. His website would allow you to register pretty much any username without sanitization, then create the directory "C:\users\$username" and give the user full permissions to it. (This was before the days of Vista.)

So, I registered ".." as a username. Oops. The script didn't stop when it failed to create "C:\users..", which of course is equivalent to "C:\", which always exists. And so, when it came time to give me full permissions to its contents, it had no problem doing so.

Most people don't think that usernames can be used as a source of havoc for web developers, but they absolutely can, and very frequently.
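A hardened form of the directory provisioning described in the comment above, as an added example that is not part of the original thread. The allowlist pattern, the function names and the use of a temporary directory as the base are assumptions.

```python
import os
import re
import tempfile

# Assumed policy: no dots, separators or spaces can reach the filesystem.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")

def naive_dir(base, username):
    """What the site in the comment effectively computed: no validation at all."""
    return os.path.normpath(os.path.join(base, username))

def user_dir(base, username):
    """Return the per-user directory path, or raise if the name could escape base."""
    if not SAFE_NAME.fullmatch(username):
        raise ValueError("username not allowed: %r" % username)
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, username))
    # Defence in depth: the resolved path must be a strict child of base.
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes base: %r" % username)
    return target

def provision(base, username):
    """Create the directory; stop if it already exists instead of carrying on."""
    target = user_dir(base, username)
    os.mkdir(target)  # raises FileExistsError, so permissions are never
    return target     # granted on a directory this call did not create

if __name__ == "__main__":
    base = os.path.realpath(tempfile.mkdtemp())
    print(naive_dir(base, ".."))   # the parent of base
    print(provision(base, "alice"))
    try:
        provision(base, "..")
    except ValueError as err:
        print("rejected:", err)
```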

The control character is also used on IRC as the underline marker.

Oh wow, that makes a lot of sense dude.

Lou www.ip-spoofing.net.tc

Just FYI, this is on the front page (2nd page anyway) over on Reddit. Peace. Enjoyed hanging back in Big D, shout the next time you're in town.

It's not just online poker. My work processes payments made via direct credit into its bank account, and as well as the amount an online banking user can specify a message with his payment.

Some little scrote had embedded a couple of ASCII nulls in his message, and the bank accepted it and passed it on. Took us a while to figure that one out. It's Ctrl-@ hacking fans.

Speaking of Zork, I used to play (PVP) MUDs online and eventually figured out I should obfuscate my name as much as possible to make myself harder to attack.

None of the games I played allowed much in the way of fun non-printing characters or anything like that, but I think my most successful tactic was naming myself "Element". There were a number of non-player characters named "elemental" in the game, and the command processor allowed you to shorten any input. So, I would drag these elementals around with me wherever I went, and by controlling the sequence that we moved I'd make it nearly impossible to target me. If you typed "kill element" it would attack one of the elementals instead. There was no quoting mechanism to let you override the interpreter. Depending on what order we entered the room, I would be something like "4.element", but nobody could keep track of that as they died off and I brought in new ones.

It was a hell of a thing while it lasted. My hat's off to ROBCASHFLOW's deviousness.

So .. how did Rob get this name into the database at PokerStars to begin with? It's not like you can just type in Ctrl-Space or Shift-Space or Alt-031 and have the entry box in Windows accept the input. (it works with Pasting, because the standard windows input assumes that "text" data is "text" data, because if it weren't text, it wouldn't be text data, right? y'know ..)

So... how did it get there?

The non-printing character's showing up fine in the Opera browser as a question mark in a box, a bit like [?].

And I can copy and paste it to Notepad++, the non-printing character shows up as [US].

Still, a clever trick!

So, it seems that Opera likes to display a little box with a ? in it, IE8 just gives you a box, and Firefox ignores the 0x1F completely (except for selection purposes). Can we get a Chrome user to tell us what Chrome does?

ChroMe does nothing. The character is invisible, but oddly enough it does not allow to paste it. So the ChroMe words here I had to paste using FF ;o)

TY James for another nice write-up.

and Safari (at least on Window$) does the same ;)

came over from Reddit love it! and love the article !

Neither Chrome nor FF selects the entire word when you double click on it (which makes sense). But as mentioned above, they don't indicate the existence of the extra character visually.

This kind of sloppiness is typical of geekdom in general - but the fact that the MS .NET class - which is basically the default class for this - can't handle it is just plain wrong.

Oh - congrats for having so many high end observers that the instant you called this bug, TWO sites fixed it.

I have seen this behavior on some apps where you could paste the 255 ascii code followed by the backspace char, both would appear as a hidden char. Must be something like this I presume.

Superb post. The day this popped I saw a couple other posts trail you on Reddit about weird naming issues. Glommers. Reddit is full of punks.


I really enjoyed this discussion. Reminds me of the problems we had in the "old days". I started programming in 1963 on an IBM 709 and worked my way up through the IBM mainframe models until just a few years ago. We encountered many similar errors, but most of them were caused by flaky I/O equipment. Paper tape that read fine through a mechanical reader but had thin spots or oily sections that raised havoc when read with the "new fangled" optical readers. Key punches that would get a stuck relay and punch extra holes in the card, mag tape drives that didn't detect parity errors. All these things passed invalid data into the system and eventually the A/R job or payroll would blow up and some poor programmer would be called out of bed in the middle of the night to figure out how to get the garbage out of the data and get the bills or paychecks out in time to make the morning mail! (about three thousand employees and over 750,000 accounts receivable!)

Good luck! Dennis

Enjoyed the read on phantom characters. Interesting!



Same with


In Demeter 1.0.9 in Mac OS X 10.4.11 it is invisible and it can be copy/pasted.

What would be really awesome is embedding illegal unicode (e. g. surrogates) in a field :-D I tried to do it in my name field but Mac OS won't let me C$￶ ￿(@;"""﷽︀︀ﶠ􏿾􏿲󠀁󠀀𪪩𫝀

Also, the control characters I embedded in there went away :-(



i am the ROB|CASHFLOW in question, gotta conflict or want to settle something, well contact me, i hate having people talking in my back even worse having a site bringing my name down. You guys want a lawsuit??? contact me please as soon as possible or, yes i will take action.

you are hiding my messages

It is my great pleasure to read it . thank you for you have done. www.jerseysnba-n.com
