07-27-2010, 04:35 PM
|
#76
|
|
adept
Join Date: Nov 2004
Location: OZ
Posts: 889
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by moki
Just to add to this... if an attacker plugs into your physical network, you are as vulnerable as if you are using a wireless network with no password or encryption.
Unless you're using a VPN with encryption, an attacker who has physical access to your network can tap into every single packet of data that comes in and out of your computer... or any computer/device on that network.
|
Moki,
could an attacker easily tap into your network from the source - let's say an office inside or near the server center on the reservation?
|
|
|
07-27-2010, 04:45 PM
|
#77
|
|
Pooh-Bah
Join Date: Oct 2005
Location: Rochester, NY
Posts: 4,842
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by jackhigh
Moki,
could an attacker easily tap into your network from the source - let's say an office inside or near the server center on the reservation?
|
Absolutely. Physical security is important for datacenters as well, for this very reason.
Any even remotely decently designed network topology will have the servers that are dealing with sensitive data physically and logically separated from the rest of the network.
However, remember, that these data packets still flow in the clear on a route from your machine to the host server and back again. In doing so, they are routed through a number of public networks... which is why sensitive data needs to be well encrypted regardless of the security measures on either end.
|
|
|
07-27-2010, 04:45 PM
|
#78
|
|
adept
Join Date: Nov 2004
Location: OZ
Posts: 889
|
Re: Cake encryption vulnerabilities
So is the official response that this was just a "temporary" encryption method while they update the REAL encryption? This excuse seems a little half baked!
Lee, you need to respond quickly to our concerns. Your obvious delay seems as if you guys are trying to "cook up" some fishy story à la UB.
|
|
|
07-27-2010, 04:52 PM
|
#79
|
|
Pooh-Bah
Join Date: Jun 2008
Location: Triple Range Merging
Posts: 5,145
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by TGB
|
Yea GG Cake,
|
|
|
07-27-2010, 05:00 PM
|
#80
|
|
adept
Join Date: Nov 2004
Location: OZ
Posts: 889
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by moki
Absolutely. Physical security is important for datacenters as well, for this very reason.
Any even remotely decently designed network topology will have the servers that are dealing with sensitive data physically and logically separated from the rest of the network.
However, remember, that these data packets still flow in the clear on a route from your machine to the host server and back again. In doing so, they are routed through a number of public networks... which is why sensitive data needs to be well encrypted regardless of the security measures on either end.
|
Thanks Moki,
Ok here's a hypothetical situation.
Could Cake or UB have some sort of network hub in Costa Rica or wherever that the data packets flow through on their way in or out of the physical servers? Could this "hub" be easily "hacked" from an outside computer located anywhere in the world - if the hacker knew of its existence?
|
|
|
07-27-2010, 05:55 PM
|
#81
|
|
Pooh-Bah
Join Date: Oct 2005
Location: Rochester, NY
Posts: 4,842
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by jackhigh
Thanks Moki,
Ok here's a hypothetical situation.
Could Cake or UB have some sort of network hub in Costa Rica or wherever that the data packets flow through on their way in or out of the physical servers? Could this "hub" be easily "hacked" from an outside computer located anywhere in the world - if the hacker knew of its existence?
|
Yes, they could route the traffic in any manner they pleased. Here's how IP routing works.
However, the "hub" you mentioned can't really be any more easily hacked than their datacenter could be hacked. In other words, the same rules apply. There's no reason why an additional hub would be any less secure, inherently, except that it's one more point of failure.
Also bear in mind that properly encrypted traffic is very, very difficult to hack in realtime. I'll stop at using the word "impossible" because anything in software is possible.
Encryption is really an arms race. Making it so difficult to overcome that it isn't realistic with current technology to crack some of the current encryption methods.
|
|
|
07-27-2010, 06:09 PM
|
#82
|
|
journeyman
Join Date: Oct 2005
Posts: 354
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by jackhigh
Thanks Moki,
Ok here's a hypothetical situation.
Could Cake or UB have some sort of network hub in Costa Rica or wherever that the data packets flow through on their way in or out of the physical servers? Could this "hub" be easily "hacked" from an outside computer located anywhere in the world - if the hacker knew of its existence?
|
Most 1st tier providers have heavy duty security and are the life blood of the Internet, no you can't just walk in there and set up a physical tap or even packet sniffing for poker. Also I believe that they are regulated and controlled by real entities that have law enforcement power to cite and fine them for lapses in security - for this they get to run the backbone of the Internet. I have been in some hubs in LA, you do not get in there unless you are security cleared and have someone who can pass the fingerprint scan to open the door....and this was just a hub not the main throughput for the region like SJC. If you want to see where you go through use the tracert command in CLI on your machine to google or yahoo.
|
|
|
07-27-2010, 06:50 PM
|
#83
|
|
adept
Join Date: Nov 2004
Location: OZ
Posts: 889
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by moki
Yes, they could route the traffic in any manner they pleased. Here's how IP routing works.
However, the "hub" you mentioned can't really be any more easily hacked than their datacenter could be hacked. In other words, the same rules apply. There's no reason why an additional hub would be any less secure, inherently, except that it's one more point of failure.
Also bear in mind that properly encrypted traffic is very, very difficult to hack in realtime. I'll stop at using the word "impossible" because anything in software is possible.
Encryption is really an arms race. Making it so difficult to overcome that it isn't realistic with current technology to crack some of the current encryption methods.
|
I am just overly skeptical that this total security F*ck up is due just to incompetence. It just don't smell right!
My theory:
These sites are "leaving" themselves vulnerable to a controlled hack to inside operators who know of the security flaw. Easier for management to deny or sweep under the rug if they get caught than some sort of "superuser" program. "We had nothing to do with it. We didn't superuse you. Somebody hacked us. Oh we were just fixing our system and using a temporary security patch - yeah that's it, that's the ticket! Site is secure you can come and play now!"
Also, where is Lee Jones!
|
|
|
07-27-2010, 06:54 PM
|
#84
|
|
banned
Join Date: Apr 2005
Location: Doomsday Vision
Posts: 2,172
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by Harvester
Most 1st tier providers have heavy duty security and are the life blood of the Internet, no you can't just walk in there and set up a physical tap or even packet sniffing for poker. Also I believe that they are regulated and controlled by real entities that have law enforcement power to cite and fine them for lapses in security - for this they get to run the backbone of the Internet. I have been in some hubs in LA, you do not get in there unless you are security cleared and have someone who can pass the fingerprint scan to open the door....and this was just a hub not the main throughput for the region like SJC. If you want to see where you go through use the tracert command in CLI on your machine to google or yahoo.
|
I doubt that a single engineer or internet security expert has posted in this thread. (I'm a software engineer). Even if encryption is sub-standard... breaking it remains non-trivial. The idea that some random hacker living in his mom's basement could:
(1) Find and capture your packets.
(2) Sniff your packets.
(3) Decode your packets.
(4) Then sit in at your table.
(5) Take advantage of your hole cards.
(6) And do all of this in real time.
Is unbelievably far fetched. For what? To take you for $1,000?
If the CIA or NSA assigned a team to do this...
It would still be non-trivial...
And would probably take weeks to ramp up.
I would be 1000 times more worried...
About simple Inside Job cheating at Cake...
Forget about packet sniffing.
|
|
|
07-27-2010, 07:01 PM
|
#85
|
|
Are you sure about that?
Join Date: Oct 2002
Location: Down the rd from Sunset Station
Posts: 6,464
|
Re: Cake encryption vulnerabilities
|
|
|
07-27-2010, 07:21 PM
|
#86
|
|
journeyman
Join Date: Oct 2005
Posts: 354
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by RedManPlus
I doubt that a single engineer or internet security expert has posted in this thread. (I'm a software engineer). Even if encryption is sub-standard... breaking it remains non-trivial. The idea that some random hacker living in his mom's basement could:
(1) Find and capture your packets.
(2) Sniff your packets.
(3) Decode your packets.
(4) Then sit in at your table.
(5) Take advantage of your hole cards.
(6) And do all of this in real time.
Is unbelievably far fetched. For what? To take you for $1,000?
If the CIA or NSA assigned a team to do this...
It would still be non-trivial...
And would probably take weeks to ramp up.
I would be 1000 times more worried...
About simple Inside Job cheating at Cake...
Forget about packet sniffing.
|
He was asking about the possibility of someone getting on a tier 1 core router or switch to data mine info...not what you are talking about.
|
|
|
07-27-2010, 07:28 PM
|
#87
|
|
Actually Shows Proof
Join Date: Aug 2008
Location: This looks interesting.
Posts: 7,897
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by RedManPlus
I doubt that a single engineer or internet security expert has posted in this thread. (I'm a software engineer). Even if encryption is sub-standard... breaking it remains non-trivial. The idea that some random hacker living in his mom's basement could:
(1) Find and capture your packets.
(2) Sniff your packets.
(3) Decode your packets.
(4) Then sit in at your table.
(5) Take advantage of your hole cards.
(6) And do all of this in real time.
Is unbelievably far fetched. For what? To take you for $1,000?
If the CIA or NSA assigned a team to do this...
It would still be non-trivial...
And would probably take weeks to ramp up.
I would be 1000 times more worried...
About simple Inside Job cheating at Cake...
Forget about packet sniffing.
|
It isn't nearly as complicated as you make out now that the hack has been published. Anyone with access to the traffic can just filter for anything going to/from cake servers. The IP range is trivial to discover. How to get the encryption key has been published already (XOR lol). Then they spend a few minutes reviewing some packets to figure out what the authentication conversation looks like and filter for that. Then they capture logins and passwords. As for hole cards, if they are upstream far enough (like a rogue employee at the ISP servicing cake's datacenter, or any cake employee) they can do the same to get all the hole cards and filter them by table number. An interface to group and display those and tell you what tables to join could be created in hours. How long has this thing been published now? Somebody somewhere is working on exploiting this hole already.
Last edited by spadebidder; 07-27-2010 at 07:43 PM.
|
|
|
07-27-2010, 07:43 PM
|
#88
|
|
grinder
Join Date: Feb 2008
Posts: 404
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by thehilostud
I had a conversation today with a couple of friends. All of us are winners over the long term at LHE 6-Max. Some of these people post here and I'm not outing them. If they want to speak up they can and will.
I've been a prop for the last 9 months @ Cake. I'm fine saying this because I quit today. My money is safely off the site now so they can bite my ass for breaking prop rule number one. It's not that big of a secret anyway. Cake has props.... film at 11.
Of the 4 people I know who all are on the upper tier of LHE players on Stars or FTP at the stakes we play, none have a win rate close to the respective stars or FTP win rates.
My standard deviation is almost 2.5 BB/100 higher. I filtered to compare apples to apples 5-6 handed play only. My standard deviation with the same stats over a very large sample is more than 10% higher with softer players. My WTSD is identical. My W$SD is 3% lower. Is this normal with "juicier" games over a 50k sample?
I think something is very wrong with Cake. Anyone else done a similar analysis?
|
Not a similar analysis...but I got crushed on that site, it never felt right, and I got out a few months back after banging my head against the wall for a few months.
|
|
|
07-27-2010, 10:17 PM
|
#89
|
|
Pooh-Bah
Join Date: Oct 2005
Location: Rochester, NY
Posts: 4,842
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by RedManPlus
I doubt that a single engineer or internet security expert has posted in this thread. (I'm a software engineer).
|
Well, you'd be incorrect.
Quote:
|
Even if encryption is sub-standard... breaking it remains non-trivial. The idea that some random hacker living in his mom's basement could:
|
And what you stated isn't what he's asking.
Obviously the backbone providers are regulated, and you can't just walk up to one, and tap into it there (easily).
What he was asking was whether a company could have their datacenter at location X and have all traffic to there routed through location Y. And the answer is obviously yes.
The packets would travel to their destination at location Y, and be routed onwards to the datacenter at location X. Things like this are done every day, for legitimate purposes.
I assume he's surmising that it could be done for illegitimate purposes as well; and sure, it could.
Quote:
If the CIA or NSA assigned a team to do this...
It would still be non-trivial...
And would probably take weeks to ramp up.
I would be 1000 times more worried...
About simple Inside Job cheating at Cake...
Forget about packet sniffing.
|
I agree that an inside job or another vector of entry is probably easier (depending on how awfully done the security is). However you are far overestimating how difficult it is to break a number of encryption methods. Poorly done encryption is like a house that you lock the front door on, but leave the window open. Once people figure out the right way in, it's open season.
Last edited by moki; 07-27-2010 at 10:33 PM.
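
Added example, not part of any post in this thread and not Cake's actual protocol: a toy repeating-key XOR scheme showing why the "XOR" approach mentioned in post #87 and the "poorly done encryption" point above give no real protection. The key, its 8-byte length and the message formats are constructed assumptions.

```python
# Added illustration with constructed data; not Cake's real wire protocol.
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def key_from_known_plaintext(ciphertext: bytes, known: bytes, key_len: int) -> bytes:
    """ciphertext XOR plaintext = key, so any predictable header of at
    least key_len bytes hands the static key to whoever sees the traffic."""
    if min(len(ciphertext), len(known)) < key_len:
        raise ValueError("need key_len bytes of ciphertext and known plaintext")
    return xor_bytes(ciphertext[:key_len], known[:key_len])

def key_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """c1 XOR c2 equals p1 XOR p2: with a reused key, two ciphertexts
    leak the relationship between the plaintexts without the key."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])

def rewrite_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """No integrity check: XORing (old ^ new) into the ciphertext changes
    the decrypted field, and the receiver has no way to notice."""
    if len(old) != len(new):
        raise ValueError("old and new must have equal length")
    out = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        out[offset + i] ^= o ^ n
    return bytes(out)

# Constructed sample values (hypothetical message formats and key).
KEY = b"k3y-2010"
HEADER = b"HELLO version="
MSG1 = HEADER + b"1 user=alice"
MSG2 = b"STATE table=12 seat=3 cards=AsKd"
C1, C2 = xor_bytes(MSG1, KEY), xor_bytes(MSG2, KEY)

def demo() -> dict:
    recovered = key_from_known_plaintext(C1, HEADER, len(KEY))
    tampered = rewrite_field(C2, MSG2.index(b"seat=3") + 5, b"3", b"7")
    return {
        "recovered_key": recovered,
        "second_message": xor_bytes(C2, recovered),
        "key_cancels": key_cancels(C1, C2, MSG1, MSG2),
        "tampered_plaintext": xor_bytes(tampered, KEY),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The three failures shown here (static key, key cancellation across messages, undetected modification) are the ones a standard authenticated transport such as TLS removes through per-session keys and an integrity check on every record.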
|
|
|
07-27-2010, 10:20 PM
|
#90
|
|
adept
Join Date: Jun 2010
Location: Southern USA
Posts: 732
|
Re: Cake encryption vulnerabilities
Quote:
Originally Posted by jackhigh
I am just overly skeptical that this total security F*ck up is due just to incompetence. It just don't smell right!
My theory:
These sites are "leaving" themselves vulnerable to a controlled hack to inside operators who know of the security flaw. Easier for management to deny or sweep under the rug if they get caught than some sort of "superuser" program. "We had nothing to do with it. We didn't superuse you. Somebody hacked us. Oh we were just fixing our system and using a temporary security patch - yeah that's it, that's the ticket! Site is secure you can come and play now!"
Also, where is Lee Jones!
|
jackhigh:
I'm worried that your "theory" may be correct. This is the second major poker site/network where a problem involving encryption security has surfaced. I don't have expertise or experience in TCP/IP, web site programming, and related technologies. (The closest I ever got was database programming and development of fairly simple management information and decision support systems - with an emphasis on the word "simple".) However, given my limited background, it is my understanding that there is an "industry standard" encryption technology that is generally considered to be the most secure method for ensuring the safe transmission of sensitive data. (I'm not sure about this, but I think this encryption method might go by the acronym SSL or something like that.) Anyway, this industry standard encryption technology is used by banks, large internet retailers such as Amazon.com, credit card companies, and most business entities that transmit sensitive financial data. It just makes sense that ALL poker sites should be using this most secure "industry standard" encryption technology.
So, with respect to Cake Poker, the question boils down to: Why did Cake (and the Cake network) choose to use an encryption technology other than the industry standard? Somebody inside Cake made a conscious decision to go with a less secure (and possibly vulnerable) encryption technology. It seems that there can only be two possibilities here: Incompetence or something sinister. If it's the latter, then that is very troubling.
Hopefully Lee Jones is going to get to the bottom of this as I have the impression that he is very distressed by this development. He seemed to admit as much in his earlier post where he virtually admitted some failure on his part for not having been more diligent and inquisitive [about the software] when he first came on board with Cake. To my way of thinking Lee "manned up" to the problem, didn't try to run away from it or become overly evasive, and promised (implicitly) that he'll either get to the truth and get these shortcomings fixed, or, if the "truth" is not forthcoming, he'll resign. If there is something sinister (and deliberate) going on at Cake Poker, I don't think Lee Jones will sacrifice his good name by continuing to be associated with Cake Poker.
After this experience you would think that the online poker industry would have learned its lesson. Henceforth, if any internet poker site (or network) is not using the most secure "industry standard" data encryption technology, that site should be considered suspect and avoided.
It will be interesting to see what comes out of Cake Poker (and Lee Jones) in the coming days.
Former DJ
|
|
|