Recently on #GamblingTwitter there was the following tweet that I found extremely thought-provoking relating two fields that I like to think I know somewhat well — sports betting and computer hacking. Ed Miller tweeted the following -
My initial reactions comprised of “that’s 100% right” to “that’s 100% wrong” and finally realized that it’s a really interesting, nuanced topic. However for the TLDR crowd —
Spending time and resources learning about hacking and cybersecurity could be helpful to your betting and providing you with a more adversarial mindset, but your time is almost definitely better spent in other disciplines. Additionally, spending time exploring hacking and cybersecurity topics are probably more useful for sportsbook operators than bettors.
Of Course, On Some Level, Ed is 100% Right
Of course Ed is right at the most basic level — exploring these topics will help you some variable amount in your betting. It’s pretty hard to argue with “if you take the time to learn something, it will benefit you” so of course Ed’s tweet is correct. While Ed and his co-author go more in-depth on this topic in The Logic of Sports Betting, Ed did note a few hacking / cybersecurity topics that he thought might be valuable to understand to help improve your betting in the following tweet —
Let’s quickly talk about the 3 items brought up in the tweet above — attack surface, social engineering and timing attacks; however, much of the conclusions below can be similarly applied to other cybersecurity areas not mentioned.
Attack Surface in cybersecurity is basically all the vectors through which an attacker can try and exploit a target. For external attackers this means looking for all “points of entry” and trying to find vulnerabilities to exploit that entry point to either reach more internal resources, release a payload or take something of value.
For sports bettors attack surface means something very different, but the concept of “looking for vulnerable attack vectors” remains similar. Common attack vectors for sports bettors include (but not limited to) —
- +EV promotions that are poorly conceived by the sportsbook
- Stale or mispriced lines
- Accepting correlated bets in parlays
- Reliance on certain technologies to function properly (i.e. oracle attacks)
The main takeaway when trying to apply the lessons of “attack surface” is for bettors to understand exactly how a sportsbook functions, identify weaknesses and exploit them. For all of your outs, you should know who their line provider is or if lines are set in-house, when their lines for certain sports post, when those limits go up or down, the house rules, where in the order of outs syndicates move their lines, etc.
Social engineering in cybersecurity can be defined as loosely as “any act that influences a person to take an action that may or may not be in their best interest” (which is too loose of a definition for many cybersecurity examples / implementations IMO) or as rigidly as “the manipulation of humans to provide otherwise secured, confidential or personal information and / or access”. Most often social engineering attacks are only steps in a much larger attack where gaining access or information through social engineering allows for a much more complicated attack to occur.
For sports bettors social engineering skills can be applied in a similar albeit more simplistic way although the types of social engineering attacks commonly found in cybersecurity (pretexting, spear phishing, water holing, tailgating, etc) aren’t really that applicable. Bettors should simply think of social engineering as “persuasion tactics” and studying them in the light of cybersecurity is needlessly complex. Persuasion tactics that sports bettors should be adept at implementing and executing include, but are not limited too —
- Interacting with other sports bettors to learn edges and gain information otherwise inaccessible to you
- Interacting with local bookies to obtain favorable working relationships with credit / payment / limits.
- Interacting with other bettors in peer-to-peer / cross-booking arrangements to obtain favorable edges and crossing arrangements.
Clearly, there are obvious benefits to understanding social engineering attacks in a cybersecurity context; however, general persuasion tactic study may be a better use of your time. Or, said more succinctly by @TinkerSec —
Timing Attacks in cybersecurity and cryptography mean something very different than what bettors could potentially apply into their betting endeavors. In its most basic form, timing attacks in security are attacks in which analyzing the time taken to execute an action can reveal certain pieces of information. When you really dig into actual applications of timing attacks by hackers, there aren’t very many direct lessons sports bettors can really learn.
Instead, sports bettors when thinking about “timing” attacks against sportsbooks should focus on timing in terms of actions and reactions. For instance —
- How long between Pinny / CRIS moving do the offscreens move?
- Is there an observable pattern between market moving books moving and bets being made prior to that move on offscreen / non-market moving books / PPHs / locals?
- Can observing the timing of your DonBest screen lighting up on certain books provide any insight about a group or groups certain betting patterns?
- When do your outs raise limits on specific events and does it provide more value to “attack” / bet right as limits raise or do you find that this type of activity flags your outs too quickly?
- Do we see timing / line move differences on certain events between offshores and Vegas brick and mortar casinos? What do these discrepancies tell us?
There are plenty of timing related things bettors can track and analyze that may provide value so understanding the concept of timing attacks can be useful, but the similarities end quickly and allocating a lot of time to understand cybersecurity specific examples won’t be overly useful.
If Not Hacking / Cybersecurity, Then What?
The obvious answer is financial market trading.
Before reading / watching any financial market trading resources, my first suggestion is to read Steven Levitt’s 2004 paper “Why Are Gambling Markets Organised So Differently From Financial Markets?”. It’s very good to have the differences in these disciplines and markets explicitly spelled out before diving into non-sports betting resources.
However, as someone who bets sports and trades on a daily basis on a somewhat high level, many of the lessons I have learned in market I can apply to the other and doing both has improved both skill sets noticeably. Focusing on modeling, risk, spreads, liquidity, which markets “lead”, etc are all skills that are largely transferable. The similarities between the two disciplines is similar enough to be highly transferable, yet different enough to help you understand the concepts more deeply as you process exactly why betting markets and financial markets are organized differently.
Red Team : Bettors :: BlueTeam : Sportsbooks
If you are unfamiliar with the concept of red and blue teams (which I believe is originally a military concept), red teams in cybersecurity are basically digital and physical penetration testers — these are individuals trying to break into not only your digital computer networks, but also your physical locations. Blue teams are both digital and physical defenders trying to prevent unauthorized access and the leaking of confidential or important information. This adversarial relationship in the cybersecurity world has obvious parallels to the sports betting world.
However, as I replied to Ed on Twitter, Ed’s suggestion of exposing yourself to cybersecurity concepts, in my opinion, is far more useful to blue teams / sportsbooks than red teams / bettors. The reason for this is mainly twofold —
- Sportsbooks are basically technology companies now. Sure, your local Vinny might still have a marble notebook with a ledger written in a code a 6 year old could break, but by and large in 2020 sportsbooks are technology companies to some degree. Sure, sports bettors also leverage technology, but there are many, many people betting on sports (including many doing this at a very high level) that utilize the bare minimum when it comes to technology. Cybersecurity concepts are absolutely directly practical for sportsbooks where almost all bettors will be able to draw only minor pieces of applicable knowledge.
- Unless bettors are willing to dabble in actions of questionable legality, sportsbooks will absolutely have to defend themselves against determined, criminal actors. Sportsbooks have to defend their web server, their database, their odds feeds, their score oracles, their payment rails, etc. While there are absolutely bettors who will try and exploit certain technological flaws, the number of these bettors is a very, very small percentage of the betting population.
So, while it seems sort of hypocritical to say that the same systems that need to be defended are more important than learning how to attack these systems in the sports betting world, you can see how while all sportsbooks will almost certainly be exposed to some amount of cybersecurity practices, sports bettors can go their whole betting career being very successful, yet not utilize much in the way of cybersecurity concepts.
You’re An Idiot, I Still Want Good Hacking Resources
Fair enough.
Ed suggested Kevin Mitnik’s books and, while I grew up with an autographed Free Kevin sticker in my room, I think his books are a little dated now.
For social engineering, you really can’t do much better than Christopher Hadnagy’s books or by visiting the website he runs at https://www.social-engineer.org/ .
After that it gets tricky to really tout good resources that are books because they become so dated so quickly or they become too technical. Instead, for people with little domain knowledge, I would suggest subscribing to and listening to The Darknet Diaries Podcast which has over 70 episodes about some of the most interesting cybersecurity stories in recent years and the content is non-technical enough and presented in such a way that anyone can really follow.
For more advanced technologically inclined people, just ping me and I can offer some more suggestions.
Thank You Ed
Just because I don’t fully agree with Ed’s tweet(s) doesn’t mean I didn’t think his tweets were valuable or thought-provoking. I really enjoyed sitting down for a few days and thinking about this topic to the point where I felt the need to type them out to organize them. He’s still both right and wrong, but hopefully we clarified in what ways he both hit and missed the mark.
