This issue was buried deep into the Cake Poker Feedback thread; it is serious enough to warrant having its own thread, especially since Cake is stonewalling us there.

Background:
Over a week ago, PokerTableRatings made an announcement about the encryption on Cake Poker. Their "encryption" was weak, and anyone with access to a player's network could intercept their hole-cards. (See also: Cake encryption vulnerabilities) Cake chose not to warn their members about this vulnerability, and took over a week to fix it. Not only were their players still vulnerable during this time, now the exploit was public, so Cake chose to put their players at huge risk.

Problem:
This vulnerability not only made it possible for people to sniff hole-card data locally (from, for example, wireless networks); it also made it possible to do this on the server side, where someone could intercept all hole-card data, and superuser.

Facts:

• There has been no real encryption for a period Lee does not want to disclose.
• As a result of this lack of encryption, anyone with access to a connection from a user to Cake could tap into that connection and read all card data.
• The Cake programmers, who, according to Lee himself, lied to him about the encryption when Lee asked them about it, have access to the network the servers are on.
• Therefore, the Cake programmers could have superusered.
• Cake does not allow datamining, does allow name changes, making it pretty much impossible for the community to check for superusers ourselves.

Opinion:
Any programmer who is responsible for a program that deals with millions of dollars, such as the Cake software, is either incredibly incompetent or intentionally malicious when he uses a fake encryption such as the one used.

Questions:
Lee/Cakepoker,

1. Since when has there been no encryption on Cake? We need a timeline, even if only for those of us who suspect they were hacked on their own local network.
2. How do we know there have not been any super-users (on your side) on Cake, considering that your software had this possibility and considering that you have taken away the players' possibilities to catch them ourselves?

Response from Cake:

1. When asked about the timeline, Lee told us that that's none of our business.
2. Regarding possible superusers and malicious intentions of their programmers, there has been no response at all. For the last week, Lee Jones has ignored any questions relating to this in the CakePoker Feedback Thread, while responding to other questions.

Updates Aug 07:
[LIST][*]Mason Malmuth responds, "Lee: [..] it's probably time that you begin to answer the tough questions"[*]Lee Jones responds, "I have PM'd Mason. I will post here as soon as I can."[*]Mason responds again, "You need to post and answer the questions now. Our posters are the ones you need to communicate with, not me."[*]teetdogs makes an informative post about the implications of the lack of encryption.[*]Lee makes a statement.[*]NoahSD formulates more questions.
[*] NoahSD formulates more
questions.

the virtual world is way tooo dodgy!

Nice hack on the screen name thingie.

Have you played from an unencrypted WiFi spot lately?

Why are you on NVG? They not listening anymore in IP?

To clarify the timeline thing, Lee Jones said (in order to explain why their web site claimed they used encryption that they didn't use...) that they used to use real encryption but found some problem so they got rid of it. When asked when that happened, he said it's none of our business.

If a programmer wanted to superuser, there are much better and less suspicious ways than installing weak encryption and sniffing the network.

Actually, no; this is by far the least suspicious way: Normally, any change in the code base is reviewed by other programmers, and it is tracked who creates what code. It is hard to get any backdoor code in the main server release.

This allows them to sniff the cards in an indirect way, without leaving any trace, and it gives them plausible deniability "oh we didn't know that this encryption didn't actually do anything useful".

I'm gonna go with - Cake had this encryption weakness since day 1 until I'm proven wrong with evidence, not words.
Lee's words don't fly with me anymore.

smells like superuser and looks like a superuser it probally isnt because lee says every thing is ok

vewwy itewesting

Just fwiw, I said in another thread about how I got a trip to the Cake Poker set-up here in Dublin, Ireland a while back and how it was being run from the basement of a Georgian House.

I got a load of pm's asking me for details about it but I refrained as I know Cake and their staff are pretty active here with regular accounts and you can't trust everybody. Another poster knows the story anyway.

For clarification, I thought I'd see if there's a google street view pic of the building. There isn't, so here's a screenshot I took with google earth to highlight the sheer enormity of Cake's operation.



What you're seeing is the Georgian House. The steps lead to the first floor/main door which is the entrance to the businesses occupying floor 1+2. On the right of the steps is a small staircase leading to a door built into the side of the steps which was the entrance to Cake's operation here.

It's a super small basement with two main rooms, a small room in the back and a bathroom. They're mostly used as one bed flats and the georgian buildings themselves are extremely common here in Dublin. I can't imagine many businesses are ran from them, let alone a multi-million dollar business. Fwiw I'm aware they have the software design / maintenance end of the business kept in Canada.

When I was there, security,customer services and the cashier were being run from the same, small room. I'm in no way surprised to see the **** hitting the fan after being down there. It's just a shame to see the great Lee Jones getting himself caught up in this. Walk away Lee, keep your reputation and move back to good businesses.

not to derail this thread, but it may come to use to try to identify some of the users whom you suspect of suspicious play....


I really do not like accusing people of cheating but I have been playing with a player under the name TomAngelo who seems to win every 6 max sit n go I play.

Again, He could very well be a good player, but the way he has been playing seems to be inconsistent with a winning player.

Sorry if I am wron


http://forumserver.twoplustwo.com/28.../index438.html

My default is to trust Lee. He'll come through.

That was our default too, but Lee has been ignoring every serious question while responding to a few easy unrelated questions and making his Cake Poker announcements. He has stonewalled us on even the simple timeline issue.

my first job after leaving Uni was with the biggest FX currency marketmaker in the world, and the offices looked exactly like that. Most of the important backend stuff happens out the way, and the rest occurs in the cheapasshyte front office. They wont really need a fancy front office to host their skeletal support department, especially if the important stuff is elsewhere. Its probably just to have a European liscence or sommat like that.

Wow.