The math of shuffling cards almost brought down an online poker empire

Article focus and 52! discussion

  • Many commenters find the article’s early emphasis on “52! is huge” largely irrelevant to the real issue, though some enjoy the perspective on how large 52! is.
  • Others note that in “computer terms” 52! is < 2²²⁶, so not astronomically large compared with common key sizes, though still enormous for brute-force enumeration.
  • Several stress that no one sensible generates a random deck by enumerating all 52! permutations anyway.

RNG and seeding failures in the poker system

  • Core bug: the RNG was seeded from time-of-day with millisecond or second resolution, capping possible deck arrangements at about 86 million.
  • This small state space allowed precomputation or clock-synchronization attacks; with observed community cards (especially after the flop), an attacker could narrow down or determine all players’ cards.
  • Thread links to the original technical paper, which describes both a biased shuffle algorithm and the weak PRNG seeding.

Shuffle algorithms and correctness

  • Strong consensus: Fisher–Yates (Knuth shuffle) with a cryptographically secure RNG gives an unbiased, effectively optimal shuffle.
  • Several criticize the article’s implication that computers “cannot replicate” human shuffles; commenters argue computers are typically more random than human dealers, whose physical shuffles are measurably biased.
  • Naïve or ad-hoc shuffling schemes (e.g., repeatedly simulating riffle shuffles or sorting by random keys) are viewed as risky unless mathematically proven unbiased.
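
Added example (not from the article, the paper, or the thread): a Python sketch tying the seeding bug summarized above to the Fisher–Yates consensus. It shows the same unbiased shuffle driven by a time-of-day seed and by the OS CSPRNG, plus a check of how few seeds stay consistent with five visible cards. `random.Random` stands in for the poker system's PRNG, and the seed value and ±2 s clock window are constructed assumptions.

```python
import math
import random
import secrets

MS_PER_DAY = 24 * 60 * 60 * 1000               # 86,400,000 time-of-day seeds
SEED_BITS = math.log2(MS_PER_DAY)              # about 26.4 bits
DECK_BITS = math.log2(math.factorial(52))      # about 225.6 bits

def fisher_yates(cards, randbelow):
    """Unbiased shuffle: swap slot i with a uniformly chosen slot j in [0, i]."""
    deck = list(cards)
    for i in range(len(deck) - 1, 0, -1):
        j = randbelow(i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck

def weak_shuffle(seed_ms):
    """Flawed pattern: the whole deck is a function of a millisecond-of-day seed.
    random.Random is a stand-in (assumption) for the poker system's PRNG."""
    rng = random.Random(seed_ms)
    return fisher_yates(range(52), rng.randrange)

def strong_shuffle():
    """Hardened form: same algorithm, indices drawn from the OS CSPRNG."""
    return fisher_yates(range(52), secrets.randbelow)

def seeds_consistent_with(observed, window):
    """Return the seeds in `window` whose deck matches observed {slot: card}."""
    matches = []
    for seed in window:
        deck = weak_shuffle(seed)
        if all(deck[slot] == card for slot, card in observed.items()):
            matches.append(seed)
    return matches

if __name__ == "__main__":
    true_seed = 45_296_789                      # constructed sample value
    deck = weak_shuffle(true_seed)
    seen = {slot: deck[slot] for slot in range(5)}      # five visible cards
    window = range(true_seed - 2000, true_seed + 2001)  # clock known to +/- 2 s
    print(f"seed space {SEED_BITS:.1f} bits vs deck space {DECK_BITS:.1f} bits")
    print("seeds matching 5 cards:", seeds_consistent_with(seen, window))
```

The shuffle algorithm is identical in both paths; only the source of the indices changes, which is why an unbiased shuffle alone does not protect a deck whose seed can be enumerated.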

Randomness sources and hardware

  • Commenters mention /dev/urandom, CPU instructions like RDRAND/RDSEED, and quantum/thermal noise–based TRNGs as practical entropy sources capable of generating hundreds of megabits per second.
  • Some note that hardware RNGs can be subverted (e.g., via microcode or virtualization), so system design and threat model still matter.

Security standards and blame debate

  • One camp calls the 1990s poker RNG design grossly negligent, arguing that even then probability theory and correct shuffling algorithms were well-known.
  • Another camp is more sympathetic, pointing out that many systems—even by smart teams—have shipped with weak RNGs, and that harm and intent matter when judging “negligence.”

Other games and perceptions

  • Magic: The Gathering Online/Arena shuffles are discussed; some players feel online shuffles “feel different,” with notes about deliberate “smoothing” of opening hands in some modes.