08-07-2010, 03:28 PM
#301
Pooh-Bah
Join Date: Aug 2007
Location: Zero Millions
Posts: 4,891
Re: Possibly superusers on Cake -- Lee Jones/Cake refusing to respond
That is one possible interpretation.
I am still of the opinion that Lee Jones has been in the process of determining what happened, and as he learns more, his reports here will change.
I am much more cynical about the programmers and software managers (both present and past employees).
Eighteen months with the doors unlocked.
08-07-2010, 03:29 PM
#302
veteran
Join Date: Mar 2008
Location: █████
Posts: 3,111
Re: Possibly superusers on Cake -- Lee Jones/Cake refusing to respond
Quote:
Originally Posted by NoahSD
Lee lied to us earlier:
[..]
Emphasis mine. Eighteen ****ing months. HOLY **** CAKE DIDN'T HAVE ENCRYPTION FOR EIGHTEEN MONTHS?! It's obvious just from that length of time that there's no way in hell they were actually using the BS encryption as a "placeholder". In fact, Lee's story basically completely changes here; there's no mention at all in this post of the XOR crap being temporary.
Cliffs:
* Lee Jones says that NotReallyEncryption was a temporary "placeholder" while they fixed their encryption method.
* Lee Jones later reveals that it was on the site for eighteen months, so there clearly was no intention to fix the encryption.
* In other words, Lee Jones lied.
I guess that explains why Lee was later in that thread completely unwilling to provide us with a timeline, since that would have showed us that he lied about the placeholder thing.
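An added example, not from this thread or from Cake's own code, showing why the fixed-key XOR scheme the post above calls NotReallyEncryption provides no confidentiality, and how an auditor could spot such a scheme from two captured messages; the key, protocol header and sample messages are constructed.

```python
import hashlib
from itertools import cycle

# Constructed values: a made-up fixed key, an assumed fixed protocol header,
# and two sample messages. None of this is Cake's actual format or key.
FIXED_KEY = b"placeholder"
HEADER = b"CAKE/1.0 MSG "
MSG1 = HEADER + b"seat=3 action=raise amount=200"
MSG2 = HEADER + b"seat=5 action=fold"

def xor_fixed_key(data: bytes, key: bytes = FIXED_KEY) -> bytes:
    """The 'NotReallyEncryption' scheme: every message XORed with one repeating key.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery: key[i] = p[i] ^ c[i]. One message whose
    first key_len bytes are predictable (a fixed header) is all it takes."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))

def read_other_message(c_known: bytes, known_plaintext: bytes,
                       c_other: bytes, key_len: int) -> bytes:
    """With the key recovered from one message, every other message is readable."""
    return xor_fixed_key(c_other, recover_key(known_plaintext, c_known, key_len))

def looks_like_fixed_key_xor(c1: bytes, c2: bytes, threshold: float = 0.95) -> bool:
    """Audit heuristic: under a fixed key, c1 ^ c2 == p1 ^ p2, and two ASCII
    bytes always XOR to a value below 0x80. Real ciphertext XORs to random
    bytes, so roughly half of the results would be >= 0x80."""
    n = min(len(c1), len(c2))
    below = sum(1 for a, b in zip(c1, c2) if (a ^ b) < 0x80)
    return below / n >= threshold

def xor_per_message(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Contrast only: a keystream that differs per message (hash of key, nonce
    and counter) does not leave the p1 ^ p2 fingerprint. This illustrates the
    property; it is not a recommended cipher (a vetted AEAD is)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ s for b, s in zip(data, stream))
```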
08-07-2010, 03:32 PM
#303
Carpal 'Tunnel
Join Date: Mar 2006
Location: gotta put this one on caesars
Posts: 14,499
Re: Possibly superusers on Cake -- Lee Jones/Cake refusing to respond
I'm reading the whole thing now as "originally was supposed to be temporary but we never got around to doing anything about it." which is really no better as an answer, as it makes parceling out the bits and pieces of how it happened and the timeline look like a coverup.
08-07-2010, 03:37 PM
#304
old hand
Join Date: Nov 2007
Location: Don't Call it a comeback
Posts: 1,665
Re: Possibly superusers on Cake -- Lee Jones/Cake refusing to respond
Quote:
Originally Posted by Lee Jones
While we believe that nobody has lost any money to an exploitation of this vulnerability, we are taking no chances. We are doing a full audit of the top winners since July 26th (when the vulnerability was first reported) and also the largest pots that were played. Once we have completed that audit, we are going to expand the search and investigate back to the time that the TwoFish implementation was removed. Again, I don't believe we're going to find any player losses, but we have a responsibility to do the audit. Serge Ravitch (adanthar) is heading up that audit. You may recall that he's one of the people who uncovered the PotRipper problem; he's an expert at these things.
This must extend back 18 months to the exact moment the security was changed over. Whatever sample size you apply to 10 days' worth of hands is going to be useless anyway to determine a pattern of cheating unless it was very blatant. If it was blatant, I'm sure these hands would have surfaced by now from this last 10-day stretch.
08-07-2010, 03:39 PM
#305
Pooh-Bah
Join Date: Aug 2007
Location: Zero Millions
Posts: 4,891
Re: Possibly superusers on Cake -- Lee Jones/Cake refusing to respond
Wouldn't the most lucrative exploit be in tournaments?
08-07-2010, 03:41 PM
#306
Carpal 'Tunnel
Join Date: Mar 2006
Location: gotta put this one on caesars
Posts: 14,499
Re: Possibly superusers on Cake -- Lee Jones/Cake refusing to respond
Since the only way the community trusts cake again is by reviewing things to the point they're assured it was only a huge ****up and not intentionally left as an exploit (lol that this is the best case outcome), starting with the revelation date of the possible exploit is somewhat pointless; all it does is give cake a better chance at saying "see, we're almost certain this wouldn't be exploited and so far we haven't found any evidence it has been".
THAT'S NOT WHAT YOUR CUSTOMERS ARE MOST CONCERNED ABOUT AT THIS POINT.
08-07-2010, 03:45 PM
#307
Is Right
Join Date: Aug 2005
Posts: 18,271
Re: Possibly superusers on Cake -- Lee Jones/Cake refusing to respond
I should also point out that the ridiculous amount of stalling when asked for a timeline looks super sketchy.
I think that I was the first person to ask for a timeline and I did so on July 27th:
Quote:
Originally Posted by NoahSD
Could you please tell me when this happened? The timeline doesn't add up and I'll explain why after you respond.
I was really stupid to point out that the reason I was asking for a timeline was to catch him in a lie. Oops. At the time I liked and trusted Lee Jones and assumed he'd made an honest mistake or had been lied to himself or something.
Anyway, this is a very simple question: "Hey, when did that story you just told us happen?" It seems likely that he knew the answer immediately, but even if he didn't he could've just asked the guy who'd just told him the story to tell him when it happened. Instead of doing that and answering, he ignored it for a while. It was repeated many times by myself and others, so he finally acknowledged it on August 4th, saying:
Quote:
Those of you who are asking for a specific time-line about the series of events leading up to this mess will be disappointed; I am not going to provide a time-line.
So... I asked him a very simple question whose answer was guaranteed to show that he'd lied about something. The question was repeated many times so he definitely saw it and knew that people wanted answers to it. He responded to many other questions in that time period. It took him 8 days to even acknowledge the question, and when he did he said he wouldn't answer. Then 4 days later he actually did answer with that incredible 18 months revelation.
I'm not going to pretend to know what went on in someone else's mind, but I can speculate. These actions don't look like the actions of someone who made an honest mistake or someone who lied and wanted to come clean. They do, however, look exactly like the actions of someone who's trying to think of a way to lie himself out of a mess.
Lee's explanation for why he took so long to answer some questions makes perfect sense for some questions. It is true that he works for a business with lots of different interests and it makes sense that he would have to talk to a lot of people before he could discuss certain things. It makes no sense why he'd have to take so long to tell us when a story he'd just told happened. Plus, having lots of different people at the table is no excuse for lying to customers.
Last edited by NoahSD; 08-07-2010 at 03:54 PM.
08-07-2010, 03:45 PM
#308
Pooh-Bah
Join Date: Aug 2007
Location: Zero Millions
Posts: 4,891
Re: Possibly superusers on Cake -- Lee Jones/Cake refusing to respond
A possible shortcut is to have a list of Cake tournament winners over the last 18 months.
08-07-2010, 03:46 PM
#309
veteran
Join Date: Jun 2007
Posts: 2,168
Re: Possibly superusers on Cake -- Lee Jones/Cake refusing to respond
The audit mentioned in Lee's post is irrelevant to me.
Only independent investigation (maybe headed by Mason?) can convince me that nobody got cheated in the last 18 months.
08-07-2010, 04:31 PM
#310
Is Right
Join Date: Aug 2005
Posts: 18,271
Got some new questions. I'd appreciate a faster response this time:
Adanthar and Yellowsub
1) How did you pick adanthar and yellowsub? I'd like to point out before you answer that what adanthar did to help catch the cheaters on Cereus, while incredibly impressive, would completely fail to detect superusers who were actually concerned about covering their tracks.
2) I don't care how much you plan to pay yellowsub, but I would like to know how his payment will be determined--i.e. will he be paid a lump sum, by the hour, by the number of things he finds, etc? Will anything else affect his payment?
3) What exactly will adanthar and yellowsub be given access to?
4) To what extent will adanthar and yellowsub be able to discuss their findings with others? To what extent will they be able to make them public? You imply in your post that Jeff will have complete authority to make whatever he wants public. I don't believe that you'd give any outsider legitimate access to your security department and allow him to disclose whatever he finds. Frankly, I wouldn't want you to do that.
5) Will adanthar and yellowsub be allowed to play on Cake Network after they do this audit? What about skins of the Cake network that split off later?
Without a lot more details, this plan basically means nothing.
To Catch a Superuser
1) You refer a few times to "thorough processes our player security team has in place". I assume that you're talking about your ability to catch superusers. Please describe at least one method that you could use to catch a competent superuser.
2) You said at some point that after you were done implementing your security, you'd offer a large cash award to anyone who could show you that it was still possible to get sensitive information off of your network. That was obviously an empty challenge because it's essentially bragging that your site has finally graduated to the 21st century. How much will you pay someone who successfully catches a superuser that your security team failed to catch? How much will you pay someone that successfully shows that your security team is unable to catch a competent superuser?
3) What kind of system do you have in place to audit your own employees and security team to make sure that they haven't cheated your customers? If your answer is "They're not allowed to play on the site", don't bother answering.
You've given no indication at all that you understand the difficulties that are inherent in this, and your quick references to security measures are pretty terrifying to people who actually do understand these things.
The Story
1) Do you have any evidence at all that suggests that the false statement that you received in May originated from incompetence and not an outright lie?
2) Where did you get the idea that XOR was a "placeholder"?
3) What was the change in software that happened 18 months ago? Why was the change in software not simply rolled back to preserve your TwoFish algorithm?
Other Stuff
1) Does any external source audit your security?
2) What security responsibilities fall under the jurisdiction of the network and which are the responsibilities of the skins?
3) How many programmers work for your company? How many people work for your security team? Is there any overlap between the two departments?
In all these questions, the more detail, the better.
I should say, Lee, that I think your most recent post is a huge step up from where you were going before. It seems to contain zero lies and a decent amount of legitimate disclosure.
You've obviously got a long way to go before any rational person could say that you've handled this fairly, but I do think it's possible for you to come out of this relatively unscathed. Basically, what you need to do is prove beyond any reasonable doubt not only that no customer was harmed by your company's incompetence, negligence, and possibly sinister intentions but also that no customer could possibly have been harmed by these things. In other words, you need to show that were anyone cheated by this, they would absolutely have been compensated with interest. (I hope that this post makes it clear just how difficult that will be, though.)
I also hope you now recognize that your previous strategy of misleading statements (I could compile a long list if you'd like to see it) and outright lies (see above) won't work.
One more question, Lee. This one's a softball: How many programmers work for your company? How many people work for your security team? Is there any overlap between the two departments?
Last edited by Kevmath; 08-07-2010 at 07:27 PM.
08-07-2010, 04:36 PM
#311
veteran
Join Date: Mar 2008
Location: █████
Posts: 3,111
Re: Possibly superusers on Cake -- Lee Jones responds
I agree with Noah on every question.
08-07-2010, 05:01 PM
#312
Carpal 'Tunnel
Join Date: Jun 2008
Posts: 7,693
Re: Possibly superusers on Cake -- Lee Jones responds
Noah, to your "Lee lied to us" post, to be fair his explanation here makes sense to me as to why there was a delay in giving the timeline.
Quote:
Originally Posted by Lee Jones
Once the vulnerability was publicly published, we dropped everything and turned to fixing it. All discussion of the events leading up to the problem was put on hold.
He also made another statement regarding the sheer volume of communication that he was having to wade through (the emails, IM's, and phone calls statement).
Quote:
Originally Posted by Lee Jones
it is not my place to just say whatever I want whenever I want; that's not how it works. So those decisions - what to say and when - had to be hammered out across many emails, IMs, and phone calls.
With this issue being exposed, dealt with, and all the frenzy that I'm sure was going on, I think it's reasonable that he didn't have a time line to announce at that time. Maybe I'm being naive but I also think if he had the intention of lying about it, that announcing that it was vulnerable for 18 months would not fit in with that theory.
Of course I'm as interested as anyone in this and I want the truth. It's just an observation I've made at this time.
Last edited by Nofx Fan; 08-07-2010 at 05:06 PM.
08-07-2010, 05:03 PM
#313
old hand
Join Date: Apr 2009
Location: Winnpeg
Posts: 1,589
Re: Possibly superusers on Cake -- Lee Jones responds
Quote:
Originally Posted by P5's is better
snip...
All of the typing and you still managed to say nothing?
08-07-2010, 05:04 PM
#314
Carpal 'Tunnel
Join Date: Mar 2006
Location: gotta put this one on caesars
Posts: 14,499
Re: Possibly superusers on Cake -- Lee Jones responds
nofx- he did however say it was none of the community's business when and how those things happened.
08-07-2010, 05:04 PM
#315
veteran
Join Date: Jun 2007
Posts: 2,168
Re: Possibly superusers on Cake -- Lee Jones responds
Anyway, Lee is ignoring this thread, today he only posted in the official cake thread and posted a link of it in the NVG sticky.
Also, he hasn't answered a single question after his last post.