CakePoker / Cake Feedback Thread

[FutureInsights]

Quote:

Originally Posted by Lee Jones

Sure, when the issue came up in May, I asked our software management team. They told me that we were more secure than Cereus. When this all came to light a few hours ago and they got down into the actual code, it turned out they were wrong (as one of the senior managers just admitted to me).

Somewhere along the software ladder, there was a error of omission, commission, stupidity, documentation or some combination thereof. I'm not happy about it and neither is the manager to whom I spoke.

Furthermore, I definitely have to accept some blame here. I could have (and wished I had) pushed further on the response I got, talked to some development people about it (they're in-house), etc.

I'm going to post an official response shortly, but believe me, I feel crappy about having said in May that we had stronger encryption than Cereus did when we didn't. The lesson I've learned is to ask more harder questions when these sorts of things come up.

I owe the entire Cake poker community an apology: I am very very sorry.

Best regards,
Lee Jones

Cake Poker Cardroom Manager

Not trying to throw Lee under bus. This is what I expected. This is what I supposed happened. This is what I hoped would change.

This is the problem.. More diligence costs more money. That is where the responsibility lies. And unfortunately, it comes down to Lee.

All this Jayrock spew was much ado about nothing - since the programming is in house. That is where Top Level Management needs more contact/control. They don't have to know every coding detail, but top of the line CEOs don't get there without a few months of 48 hour days studying SOME to have a handle.

Learn some stuff Lee, and this won't happen to you. If you wimped out due cost - well, that is another issue.

[Kevin Flynn]

Is it just me or isn't PTR causing the biggest problem with online poker.

[duh]

It's quite a weird coincidence to have the exact same security flaw as UB. It's such an unconventional encryption method that I'm starting to wonder if Cake was/is created by the same developers who wrote the Cereus/UB/AP software. Lee can you confirm/deny this?

[Lee Jones]

Official Cake Poker response regarding the post on the PTR website

Hi folks -
Needless to say, I've been dealing with nothing else for the last few hours. For what it's worth (and that's not much), I was not aware of this weakness until I read about it on the PTR website.

While this is obviously cause for concern, please note that for an attacker to exploit this would require a hacker with a great deal of encryption expertise and a relatively rare set of circumstances.

While it is possible that such an attack could occur, we believe that its actual likelihood is very low. In fact, to our knowledge, no such attack has taken place. The "good" news here is that if such an attack had been successfully launched, we would know about it because somebody would have had his or her account drained of its funds. We are not aware of any such loss and it's fair to say that such a loss would quickly become public knowledge, too.

All that said, we are devoting our top software people to addressing this issue immediately. When it has been resolved, we'll make a public announcement to that effect. In the meantime, it certainly can't hurt for you to only play at Cake on wired networks or wireless networks which are WEP-protected.

Finally, as regards the statement on our website that we use a twofish encryption algorithm, that is, unfortunately, not correct. We used to use a twofish algorithm implementation but discovered an error in the implementation and were switching to a new algorithm. The current algorithm was a "placeholder" until the new one was rolled into the program. The incorrect statement on the website is our fault and we apologize.

We take our players' security extremely seriously and are reprioritizing our software development schedule to put this at the top of the list. We appreciate your understanding and patience.

Best regards,
Lee Jones

Cake Poker Cardroom Manager

P.S. A personal note: I am exceedingly proud of my reputation in the poker industry. With that reputation comes an extraordinary responsibility and I take that most seriously. I feel that I dropped the ball here. I wasn't responsible for the software development and had absolutely no knowledge of the potential security hole. But I have a feeling that if I'd pushed harder in a few places and asked a few more questions back in May, I might have been able to uncover it.

Suffice it to say I feel awful about that.

Aside any technical lessons I've learned, I've learned a personal one, too, which is not to accept the first answer I get to a hard question. I apologize for not asking the second and third questions back in May.

Regards, Lee

[ginobli2311]

Quote:

Originally Posted by Lee Jones

Sure, when the issue came up in May, I asked our software management team. They told me that we were more secure than Cereus. When this all came to light a few hours ago and they got down into the actual code, it turned out they were wrong (as one of the senior managers just admitted to me).

Somewhere along the software ladder, there was a error of omission, commission, stupidity, documentation or some combination thereof. I'm not happy about it and neither is the manager to whom I spoke.

Furthermore, I definitely have to accept some blame here. I could have (and wished I had) pushed further on the response I got, talked to some development people about it (they're in-house), etc.

I'm going to post an official response shortly, but believe me, I feel crappy about having said in May that we had stronger encryption than Cereus did when we didn't. The lesson I've learned is to ask more harder questions when these sorts of things come up.

I owe the entire Cake poker community an apology: I am very very sorry.

Best regards,
Lee Jones

Cake Poker Cardroom Manager

Thanks for the sincere apology Lee. It goes a long way. However, this situation is absolutely unacceptable in light of what happened at the Cereus network just a few short months ago. That should have been a wake-up call for any poker network to makes sure their security was up to industry standards.

I feel very cheated right now. I have thousands of dollars on the network and have a huge amount of hands I feel were played in a very "strange and abnormal" manner against me. Was I cheated? Possibly.....I'll probably never know, but just the simple fact that this was a possibility makes me sick to my stomach. We're talking about thousands of my hard earned dollars here.

I respect your reputation and I don't fully blame you for this situation by any means. I just hope you do everything in your power to get this right and make sure you let us know that we are valued as Cake loyal players......because right now.....I sure don't feel like I'm being taken seriously. And that is grossly unfair because I rake around 8 to 12 thousand a month.

I hope you do two things:

1. Fix this problem ASAP
2. Reward the **** out of us for staying with you and cake through these tough times. I'm talking about a network wide HUGE rake race or bonus or something. I can tell you right now I'm very close to jumping ship.....and i bet others are as well. Also....get someone to fix this ****ing gold card situation.

Thanks

[NOSUP4U]

Quote:

Originally Posted by Kevin Flynn

Is it just me or isn't PTR causing the biggest problem with online poker.

Your last post was bad but this one is even worse if I'm reading it right. You don't like PTR? None of us did, until it turned out they're the biggest factor in cleaning up online poker ever. DoN collusion rings stealing a million from the poker economny? Check. Bots on Stars stealing half a million? Check. No security at Cereus? Check. No security at Cake? Check.

PTR is the best thing that ever happened to online poker, and that's even factoring in how terrible their reporting of win/losses is for online poker.

Mark

[d3 fact0]

Quote:

Originally Posted by NOSUP4U

Your last post was bad but this one is even worse if I'm reading it right. You don't like PTR? None of us did, until it turned out they're the biggest factor in cleaning up online poker ever. DoN collusion rings stealing a million from the poker economny? Check. Bots on Stars stealing half a million? Check. No security at Cereus? Check. No security at Cake? Check.

PTR is the best thing that ever happened to online poker, and that's even factoring in how terrible their reporting of win/losses is for online poker.

Mark

relax brah? I read his post as an attempt at 'dry' humor....

[IGRINDRAZZFML]

Quote:

Originally Posted by Lee Jones

Sure, when the issue came up in May, I asked our software management team. They told me that we were more secure than Cereus. When this all came to light a few hours ago and they got down into the actual code, it turned out they were wrong (as one of the senior managers just admitted to me).

Somewhere along the software ladder, there was a error of omission, commission, stupidity, documentation or some combination thereof. I'm not happy about it and neither is the manager to whom I spoke.

Furthermore, I definitely have to accept some blame here. I could have (and wished I had) pushed further on the response I got, talked to some development people about it (they're in-house), etc.

I'm going to post an official response shortly, but believe me, I feel crappy about having said in May that we had stronger encryption than Cereus did when we didn't. The lesson I've learned is to ask more harder questions when these sorts of things come up.

I owe the entire Cake poker community an apology: I am very very sorry.

Best regards,
Lee Jones

Cake Poker Cardroom Manager

No offense Lee I always liked you and thought you were a standup guy. But it seems fishy to me that someone like you that is so on top of things and is always aware of things that are going on wouldn't know this. I have been playing on cake mostly last couple of months but now I am very unsure if I will ever play there again.


"Somewhere along the software ladder, there was a error of omission, commission, stupidity, documentation or some combination thereof. I'm not happy about it and neither is the manager to whom I spoke."

I would think that people that make all these codes and do all of these things for a living would be able to know how weak the encryption is... especially if PTR can find it out. Also I doubt that anything would have EVER happened if Cake wasn't caught by PTR.
Also I want to add that ever since I have been playing on cake I felt like there was something wrong with the RNG or something. I have NEVER seen so much 2 outers 1 outers and wierd plays and runner runners in my life(that worked for and against me). I am not complaining about it since I am winning there but just wanted to mention that me and some other people I know think there is something VERY fishy with the RNG.. or maybe it was from the weak encryption or BOTH.

I would like to know Lee why we should still be playing on there.

[NOSUP4U]

Quote:

Originally Posted by d3 fact0

relax brah? I read his post as an attempt at 'dry' humor....

I would have too, except his previous post was about how he didn't think this was a very big deal at all and wasn't even close to being on the same level as the Cereus security breach.

Mark

[wigan rl]

Lee if someone is smart enough to spot this is it possible for them to cover themselfs ie not pop up on your radar?

And they wouldn't just withdraw would they they would lose ammounts to mates and get the cash out that way

If anyone who plays on cake has seen some odd stuff going on (proof not just some random fish hit a gutshot) them let lee know via pm and dont make this public

Lee it's not your fault you was given wrong information and i hope you guys sort it out asap

[karmabling]

Lee stated to use WEP encrypted wireless setting if you play on cake using wireless. This is incorrect. DO NOT USE WEP. It is easily hacked/compromised.

If you must play on cake using a wireless internet connection then please make sure you are using WPA2 for encrption of your wireless internet.


Karma

[Gugel]

Quote:

Originally Posted by jayrock

Cake Poker is not paying me a dime - I am simply a supporter of them and everything they have done for the industry.

If anyone here believes this is the fault of Lee Jones, they are sadly mistaken. Poker sites don't have in-house software teams, they rely on third parties to do whatever they need done.

Using Lee as a scapegoat makes me sick and is completely uncalled for. No way in hell could he have known this was going on or could he prevent it from happening.

I won't deny that this is a problem - but blaming Lee for something beyond his control is no way to go.

Um, Cake Poker IS paying you if you are on their development team (which you apparently admitted to in another thread).

Quote:

Originally Posted by jayrock

The blame does lie with the devs and we will take full responsibility for it. Lee does communicate with us internally but is not involved in any other stages apart from discussions. To blame him for anything other than problems with the network skin he is on, is just not justified in this case...

[NoahSD]

Hi Lee,
Your site is currently operating with easily breakable encryption. This fact is currently widely known by a ton of people, likely including people who are willing to compromise their morals to make money. This fact is probably not known to lots of people who risk large amounts of money on your site daily. Even if you were correct that plugging in or using encrypted wireless would mean no risk for the user here (As I understand it, this is absolutely not true, though), you would still be putting your customers at risk by keeping your site up while your security is compromised.

If you shut down your site, you will lose rake and you will inform customers of your mistake who were not previously aware of it. If you keep it running, you are putting those interests--the interests of Cake Poker--above the interests of your customers.

I have a lot more to say about your response, but I think that's most pressing.

[dostofan]

Quote:

Originally Posted by ginobli2311

I feel very cheated right now. I have thousands of dollars on the network and have a huge amount of hands I feel were played in a very "strange and abnormal" manner against me. Was I cheated? Possibly.....I'll probably never know, but just the simple fact that this was a possibility makes me sick to my stomach. We're talking about thousands of my hard earned dollars here.

While were talking about the encryption problem, how do you know some of this "strange and abnormal" play isn't from people who have used PE and other cheat programs without your knowledge? It is documented that people on Cake are using these programs. If someone has a huge database of statistics on you and you just have some notes on them, how fair is that? They know exactly what % you fold on what street for example and can try to manipulate you to get you off a hand. Yes, the encryption problem is serious. Yes, someone could have possibly used that missing layer of security against you. Yes, there could be superusers. We just don't know.

But we do know is that it's almost certain someone has used PE or HUDs and other cheat programs at Cake against you possibly costing you serious money with no knowledge of what was(is) going on on your part. While they take a look at the encryption problem it would be nice if they would fix this as well(by disallowing notes to follow with name changes). In the meantime, if you don't play with a HUD, etc at Cake(ie you follow the rules) please know the "deck" is stacked against you.

[bronx bomber]

Wow, I always had a ton of respect for Lee but that response is just retarded. PTR says that a players hole cards are vulnerable, and Lee says that Cake would have been aware of it happening because a player would have reported a theft, ignoring the superuser possibilities. Did I read that right? Anyone?