CakePoker / Cake Feedback Thread

07-30-2010 , 01:15 PM
Quote:
Originally Posted by NoahSD
This is only true if a player gets cheated and we find out about it.
Correct, it's much more likely it takes place and nobody ever knows it, including Cake. I think the likelihood of that is very high at this point for those who play on the unsecure connections. The published exploit is just a big dare to hackers, and some of them will have access to some portion of the traffic, with probability=1. Some of those will attempt the hack, and some of those will succeed. Whether they actually do so maliciously or just to do it to say they did it (like PTR) is the only uncertainty.
07-30-2010 , 01:17 PM
Why can't Cake simply shut things down for 'maintenance' while they fix the issue? Is it a matter of no rake being paid in the downtime? Even if they choose not to specify their reasons for maintenance, it is much safer to do that than not alert us of what is going on.
07-30-2010 , 01:23 PM
Quote:
Originally Posted by Playforfun
If that is the way it is then Cake can kiss this casual player goodbye.
I think that's certainly a part of the equation for Cake's management. Lose players on 2+2 or other message boards, or risk losing all the players who do not look at the boards.

I think many people on here think that Cake should do everything that is good for their players, but the reality is vastly different in any business that considers itself a business. Quoting Wikipedia: A business is typically formed to earn profit that will increase the wealth of its owners and grow the business itself. Many people here are expecting Cake (and PTR as well, by the way) to act like some other type of organization, and that's never going to happen.

The cost in the form of lost customers is always a part of the equation for any business facing a tough decision.

You can see that 2+2 came to a similar crossroads very recently and decided on full disclosure to its members:



Cake believes non-disclosure is better...

Quote:
Originally Posted by Playforfun
Cake has totally ruined my experience with playing poker, because now I have to go back on Pokerstars and be raped by the 24 tabling players. Thanks a lot Cake.
I think you are misleading yourself in blaming Cake for the consequences of any decision you take of your own free will. Do what you want, but blame no one except yourself. Otherwise Cake would have a perfect response to you: Ok, so don't go play anywhere else and stop whining..
07-30-2010 , 01:37 PM
Cake are going about this the wrong way because players are going to be more furious to find this out from online forums and articles instead of a direct statement from the company. With Cake explaining things then we would not be so pissed off from finding it out elsewhere. Even if we start to tell everyone in the chat box at the tables what is happening, more will leave than they would if Cake said something about it. No matter what they are in a lose-lose situation but the right thing is obviously to announce it.

My intentions are not to whine or complain, but as a customer we should be able to do so. Cake offered us the perfect environment to play in and now they have ruined it for many people. There is a feeling of hopelessness when something you really enjoy is taken away and you are forced back to play on worse sites.
07-30-2010 , 01:41 PM
Hard to imagine to whom you could be referring when saying "worse sites" atm
07-30-2010 , 01:43 PM
Quote:
Originally Posted by ItsNotLupus
I still think it is odd this leak was there with the new client and all.

I mean, they are developing a new client right? Security is a very important chapter of writing a new client. Yet Cake chose this outdated algorithm? What is up with that? It isn't just there, somebody decided to put it into the new client. And decided so quite recently.
My opinion: This just means that Cake does not have high regard for player security in its corporate culture. Reinforced by their website asking for logins on unsecured pages and by porting the "secure protocol" over to their upcoming beta version, I think it indicates a general disregard for security, rather than some programmer taking a shortcut.

The fact that Cake has not very visibly fired anyone over this simply proves people were acting according to the expectations of higher-ups all along. This is most certainly something to fire someone over: Head of "security", head of IT, lead programmers, CEO, COO, CIO, CTO, the list goes on of the number of people who could have and should have caught this (or ordered an independent audit to catch stuff just like this). I think one of the people least responsible is Lee. He is just the public face for the site. The heavy lifting, the planning, the security precautions, the technical expertise, all of that stuff is handled day in and day out by other people who know better.

The moron inside Cake who took the decision to re-implement or port (or authorized it) over a broken encryption protocol to the new client version without kicking and screaming to everyone is one who would be sacked immediately. As well as anyone who either okayed the implementation or who failed to disclose it internally.

Anyway, I think Cereus handled it much better, but Cereus had practice in dealing with public crises; and Cake did not. They are learning right now that sometimes it's better to accept responsibility and just fix it and not waste time placing blame on anyone else.

But the clock is running, let's see how quickly Cake can fix things. They did fix the web site SSL problem quickly; how long it takes them to fix the client protocol will be a reflection of their technical expertise and the quality of their code.

Last edited by oldspeedy; 07-30-2010 at 01:49 PM.
07-30-2010 , 01:45 PM
Any Cake promotions in August? Seems like now might be a good time to announce something.
07-30-2010 , 02:39 PM
Quote:
Originally Posted by Lee Jones
You're quite right; I phrased that poorly. In fact, I believe that the player experience is perhaps the single most important component to Cake's long-term profitability. My point is that during a situation such as this, there are legitimate competing opinions about the best path in any particular direction.

As an example, NoahSD has suggested that we should shut down the site until the vulnerability is fixed. I consider that an excessive response in relation to the size of the problem. If NoahSD were a Cake manager, we would have to discuss that.

That's the sort of discussion that I'm talking about and they are going on virtually around the clock.

Best regards,
Lee Jones

Cake Poker Cardroom Manager
I must admit, I think this stance is untenable. In plain English, you are basically saying that "We know that anyone with access to Cake's data stream can steal your money, but several hundred thousand in revenue is more important to us than your security." Shut down the site.

I've always held you in high esteem, but I think the company you keep reflects very poorly on your reputation.
07-30-2010 , 02:49 PM
Quote:
Originally Posted by oldspeedy
My opinion: This just means that Cake does not have high regard for player security in its corporate culture. Reinforced by their website asking for logins on unsecured pages and by porting the "secure protocol" over to their upcoming beta version, I think it indicates a general disregard for security, rather than some programmer taking a shortcut.

The fact that Cake has not very visibly fired anyone over this simply proves people were acting according to the expectations of higher-ups all along. This is most certainly something to fire someone over: Head of "security", head of IT, lead programmers, CEO, COO, CIO, CTO, the list goes on of the number of people who could have and should have caught this (or ordered an independent audit to catch stuff just like this). I think one of the people least responsible is Lee. He is just the public face for the site. The heavy lifting, the planning, the security precautions, the technical expertise, all of that stuff is handled day in and day out by other people who know better.

The moron inside Cake who took the decision to re-implement or port (or authorized it) over a broken encryption protocol to the new client version without kicking and screaming to everyone is one who would be sacked immediately. As well as anyone who either okayed the implementation or who failed to disclose it internally.

Anyway, I think Cereus handled it much better, but Cereus had practice in dealing with public crises; and Cake did not. They are learning right now that sometimes it's better to accept responsibility and just fix it and not waste time placing blame on anyone else.

But the clock is running, let's see how quickly Cake can fix things. They did fix the web site SSL problem quickly; how long it takes them to fix the client protocol will be a reflection of their technical expertise and the quality of their code.
Mr. oldspeedy:

Declaring that somebody should be fired over this is a bit premature. I'm sure that during the "management reviews" and so forth that follow this kind of calamity, there will be a thorough investigation to determine why and how this happened. The breakdown could have occurred anywhere along the chain, from the most junior programmer all the way up to the most senior executive. If lower-level people were aware of this problem and raised concerns to higher-ups only to be ignored or rejected, that fact will come out - and be dealt with appropriately. If a programmer (or people) on the technical side of Cake did this intentionally (possibly for a nefarious purpose), that person (or persons) will surely be exposed and dealt with accordingly. The thing is that it will take time for Cake management, Cake's shareholders (and the Dutch Government that licenses Cake) to conduct an investigation. But rest assured, due to the severity of this crisis and the impact it has had on Cake's business, there will be a thorough and exhaustive investigation to determine exactly what occurred and why.

There will definitely be a change in business practices at Cake in the wake of this calamity. I don't think anybody at Cake - and especially Lee Jones - wants to see a repeat of anything approaching the events of this week.

I'm really starting to hate 2+2 ... I spend more time posting on here than I do playing poker!!

Former DJ
07-30-2010 , 02:53 PM
Quote:
Originally Posted by MTBlue
I must admit, I think this stance is untenable. In plain English, you are basically saying that "We know that anyone with access to Cake's data stream can steal your money, but several hundred thousand in revenue is more important to us than your security." Shut down the site.
I would say: "We know that anyone with access to Cake's data stream can steal your money, but keeping the business alive is more important to us than your security."

You cannot really argue with Cake on that. I think they are choosing to tough it out while this gets fixed.
07-30-2010 , 03:01 PM
Here's an interesting question. What would an online bank do?

Spoiler:
Answer: they would have a maintenance/unavailable notice up within minutes of discovering it. And they would have it fixed the same day.

Obviously their risk is higher, and possibly there are regulatory requirements, but it's an interesting comparison.
07-30-2010 , 03:09 PM
Quote:
Originally Posted by Former DJ
Declaring that somebody should be fired over this is a bit premature.
Perhaps it is. I think it's subjective. If it were me in charge I would fire that person (or people) first, and then fix the problem. This is because of two reasons:

1) I know how incompetent a programmer or manager you need to be to take personal/financial information security lightly (on a business whose major component is doing this very task correctly); and

2) Not only do I need to fix the problem, I need to send a clear message to everyone, inside the organization and out (ie, customers), that this is a capital sin and completely unacceptable.

Granted, if I fire everyone because I have not been keeping watch over my organization, then I cannot fix the problem quickly, so I need to have them fix the problem first. :-) Maybe Cake is in this position.

Quote:
Originally Posted by Former DJ
I'm sure that during the "management reviews" and so forth that follow this kind of calamity, there will be a thorough investigation to determine why and how this happened.
For me, there is no need for this. I would tell my CIO/CTO: "Fire the person responsible for this now. If this was your doing, then resign immediately. Come back when you are done, I'll wait right here." You either know what's going on at your organization or you don't. It does not even need to be hostile, you simply explain to the new ex-employees: "What you did places our entire business in jeopardy. It will take maybe years to correct our tarnished image. You made some bad decisions and we need to take corrective action immediately to stay alive; unfortunately, part of those corrective actions is to let you go immediately. Here's $x to make this whole thing less bad for you."

Quote:
Originally Posted by Former DJ
I'm really starting to hate 2+2 ... I spend more time posting on here than I do playing poker!!
Lol, me too :-)
07-30-2010 , 03:14 PM
Could be that the +EV move is keeping the site up, and risking the cost of refunding someone whose account might be emptied by a hacker. They may feel that the odds of getting hacked are slim enough to take the risk. Hopefully if it did happen they would refund.
07-30-2010 , 03:14 PM
Quote:
Originally Posted by oldspeedy
I would say: "We know that anyone with access to Cake's data stream can steal your money, but keeping the business alive is more important to us than your security."

You cannot really argue with Cake on that. I think they are choosing to tough it out while this gets fixed.
So this makes it right?

So if someone discovers that a hotel has Legionnaires or salmonella and reports it to the hotel management as well on an internet site, but the hotel decides not to inform all current and future guests and not close down then this is ok? Or I guess this is someone's life that is at risk, not their money. Someone else's money is ok to put at risk, as long as the hotel still gets theirs.

Or if an old passageway was found into your local bank vault, where your money was being kept, but the bank decided to stay open with this security breach, risking that your money may be taken.
07-30-2010 , 03:22 PM
Quote:
Originally Posted by EssQue
So this makes it right?
I'm not saying it's "the righteous path", I'm just saying I can see the line of reasoning.

If there were additional consequences from staying open with known security vulnerabilities, then the best choice would probably change.
07-30-2010 , 03:28 PM
Quote:
Originally Posted by oldspeedy
I would say: "We know that anyone with access to Cake's data stream can steal your money, but keeping the business alive is more important to us than your security."

You cannot really argue with Cake on that. I think they are choosing to tough it out while this gets fixed.
I like how Cake is "choosing to tough it out." They aren't toughing out anything. The players are assuming all the risk of their money being stolen. Cake is implicitly saying that anyone who plays on their site is a sucker that deserves to be separated from his money.

Secondly, if they shut down the site for 3-4 days for maintenance, people are still going to log in on Monday. It's really routine to not be able to log in to a financial site for a couple of days while they perform maintenance.
07-30-2010 , 03:36 PM
Quote:
Originally Posted by Professionalpoker
Could be that the +EV move is keeping the site up, and risking the cost of refunding someone whose account might be emptied by a hacker. They may feel that the odds of getting hacked are slim enough to take the risk. Hopefully if it did happen they would refund.
wow, finally a sober post ITT on the recent issue... I find it quite humorous how people can't translate the concept of EV to things other than poker.
07-30-2010 , 03:40 PM
What are you talking about? Do you think if a banking website had a security vulnerability they would say "gee, if we shut things down we will lose out on business for a few days, so let's leave things as they are"? It will never happen because they have a responsibility to protect their customers' security and will do everything in their power to keep it that way.

Cake isn't doing any of that.
07-30-2010 , 03:54 PM
Quote:
Originally Posted by Professionalpoker
Could be that the +EV move is keeping the site up, and risking the cost of refunding someone whose account might be emptied by a hacker. They may feel that the odds of getting hacked are slim enough to take the risk. Hopefully if it did happen they would refund.
The players are the only ones that have the right to make the choice to put their money on the line.
Doing it, with full knowledge of the danger, provided by Cake.
07-30-2010 , 08:04 PM
Man, I'm following this thread so closely I stopped playing at Doyle's until they can fix that issue :S
07-30-2010 , 08:18 PM
Quote:
Originally Posted by Former DJ
Noah:

Is Cake perfect? Obviously not, but at least they're trying. Cake (and Lee Jones) deserve some credit for a more enlightened philosophy concerning these issues. I'm certain Lee has been a strong advocate inside Cake Poker arguing for these policies. I can even imagine there has been some "pushback" from time to time from the business side of the house when Lee has had these discussions with Cake's senior management.

At least Lee is talking to (and not ignoring) Cake's critics here on 2+2. Most companies dealing with a crisis like this would have had the in-house lawyer (or outside legal counsel) advising everybody to clam up and just ride it out - kind of like the way the Cereus folks handled the situation when the UB/AP scandal first broke out. Taking that line would have probably been fatal for Cake, but they're not trying to sweep this under the rug and act as if nothing is wrong - they're "working the problem" as quickly as humanly possible. Maybe we should back off and give Lee Jones some slack. Could you imagine being in his shoes right now? I'm sympathetic only because I've been there myself.

Former DJ
They are trying to do what, exactly? They haven't stopped datamining, PTR collects hand histories from Cake - Which is probably how they found this loophole.

If they don't acknowledge there is a problem (Cereus had it up on their news/blog sections, and took the brunt of folks' comments - Cake, not so much), then they don't let people know when it's fixed. I bet when the notice was up - common folks not aware all of a sudden found Google to be a friend.

The Greed is Good (ie don't let folks know so they sign in and play, we need moniez, gotta pay ourselves and the shareholders - is Cake publicly traded btw?) is NOT an enlightened philosophy. Actually, it goes back as a philosophy for over 2000 years - don't think even Buddha would approve of this.

And we have site representatives on here from all the US accepting sites (and most Euro sites), that DO talk and address issues (although the Victory guy likes to cut and paste English answers, not really a personable type).

Sorry, they aren't doing the best possible.

Last edited by FutureInsights; 07-30-2010 at 08:46 PM. Reason: spelling
07-30-2010 , 08:21 PM
Quote:
Originally Posted by JustASpectator
No arguments there at all, there are always many other factors to consider, and it is a complicated model to ponder.

IMO, the bottom line from the sites perspective is player retention. My point was just to illustrate that depending on the % of the player base that knows about this, setting ethics aside, it can quite likely be mathematically correct to not inform the entire player base.
That would be because - THE WEEKEND IS COMING UP - PRIME TIME FOR PLAY FROM THE US, And we don't want a little thing like stolen plain text passwords, logins, hole cards - to stop that influx of cash.
07-30-2010 , 08:22 PM
K, I jumped ship. Good day all.
07-30-2010 , 08:24 PM
Quote:
Originally Posted by oldspeedy
I think that's certainly a part of the equation for Cake's management. Lose players on 2+2 or other message boards, or risk losing all the players who do not look at the boards.
That would be ****ing awesome! There might be some good to come of this after all.
07-30-2010 , 08:35 PM
I'm not playing on Cake until this is fixed, and am actually withdrawing a large portion of my money from the site. Fix this ASAP Cake or you're losing a regular customer since 2007.

Edit: Oh and by the way guys, I made an 8k withdrawal the other day and it cleared just fine, so Cake's not freezing accounts or anything crazy. Also Lee Jones shouldn't be treated so harshly, jeez