Possibly superusers on Cake -- Lee Jones responds

08-19-2010 , 01:00 PM
Quote:
Originally Posted by Lee Jones
I think most people (myself included) believe that the more serious risk from this vulnerability was not a super-user on the inside but somebody on the outside who could sometimes see perhaps one or two players' cards.
More likely someone from the inside imo, like those guys that told you 'we are secure Lee don't worry'.

Quote:
Originally Posted by richNYC
Someone on the inside could potentially have had continuous access to all of Cake's network traffic. Isn't this scenario more serious than an outsider gaining access to a single user's home network?
This.
08-19-2010 , 01:26 PM
Quote:
Originally Posted by Lee Jones
not a super-user on the inside but somebody on the outside who could sometimes see perhaps one or two players' cards.
Lee, you may be describing the median or most likely case, but certainly not the real extent of the risk that existed. It has been explained several times in these threads already. Here's a few details to consider.
  1. The cake games servers, according to information published on your web site here, use the IP range 200.26.205.0/24. That means the game servers are physically located at the Conet hosting facility. That company has hundreds of employees with access to the network traffic. And they could see ALL hole cards for ALL players during the time the traffic was not encrypted.
  2. Conet uses multiple backbone Internet carriers, and those companies have thousands of employees who can access the network traffic. If the cake traffic all comes in on just one of them, then those employees would have access to ALL hole cards for ALL players. If the cake traffic comes in on multiple backbones from different parts of the world, then employees of the respective carrier would have access to ALL hole cards for players in that part of the world.
  3. If most Cake players are in the US, then all of that traffic appears to get to Conet via Global Crossing. There aren't many companies running undersea cables to Curacao. Global Crossing has about 5000 employees. A few hundred of those people would be able to see ALL hole cards for ALL US players.
  4. I assume there are also Cake employees who have access to those colocated servers, who could also see the hole cards of ALL players during the time they were unencrypted. I realize that a few high-access employees would probably have always had the ability to see them even when the connection was encrypted (directly on the server) and hopefully those people are always prohibited from playing, but without encryption that increases to include everyone with access to the network containing the servers.
  5. Because of the nature of Internet carriers, many employees of other companies not directly carrying that traffic, also have access to parts of the network. Vendors, companies sharing peering points, consultants, and many others. You don't even have to work for the company that owns the traffic. Now we're definitely into thousands of people that could have seen the hole cards of many players, not just one or two players.
  6. As you go further out on the traffic web away from the servers, any particular node will contain traffic from fewer players, but still more than one player.
  7. The only case where a hacker would have access to only ONE player's hole cards, would be the case where someone's personal wireless network or local network was snooped. In other words, at any terminus of the cake network connection, containing only one player. That seems to be the least damaging scenario, but it is continuously referred to as the only one to worry about. I'd be worried that some of the others I described occurred.


08-19-2010 , 01:28 PM
Excellent post Spade.
08-19-2010 , 01:57 PM
A- post Spade (Needed more ALL in upper case letters)
08-19-2010 , 02:06 PM
Any news on old Cake clients encryption verification?
Did anyone investigate/confirm that the Cake clients older than 18 months used Twofish?
08-19-2010 , 02:18 PM
Quote:
Originally Posted by VP$IP
Excellent post Spade.
+1
Good to see that there is still some substance itt
08-19-2010 , 02:21 PM
Great post Spade, but I am sure somebody is probably going to try and argue with you about it, that seems to be the status quo itt.

For the record I second everything that you said (as I type this I am logged into a big regional ISP's peering point with a very big international carrier), and the scary part about all of this is that there are probably 5-10K people who had access to the traffic and all of them are at least fairly smart and have the technical know-how to pull this off.
08-19-2010 , 04:47 PM
Hi all -
As I said in my previous post, I believe that the greatest likelihood of trouble comes from the outside, not the inside. But it doesn't matter what I believe - our auditors are using methods that will find cheaters on either side of the fence.

Best regards,
Lee Jones

Cake Poker Cardroom Manager
08-19-2010 , 05:11 PM
Quote:
Originally Posted by Lee Jones
Hi all -
As I said in my previous post, I believe that the greatest likelihood of trouble comes from the outside, not the inside. But it doesn't matter what I believe - our auditors are using methods that will find cheaters on either side of the fence.

Best regards,
Lee Jones

Cake Poker Cardroom Manager
Nah, you just have to say that.
08-19-2010 , 05:15 PM
Lee,
do you see how this situation can be perceived as the perfect crime?

1. Virtually undetectable if superuser knows what he/she is doing.

2. Almost perfect alibi if affected site has our trust - "oops we forgot to put in encryption - we are good now, move along, nothing to see"

3. Virtually impossible to prosecute - see AB/UB (they even know that dirtbag RH was the perpetrator and he's out playin the golf with his buddy Layne Flack)

So what's the answer? I know you have a vested interest in the company and are directly affected if it loses money - so I don't really blame you for all your spin control.

I guess the answer is that you guys Fk' up big time - so big that it's hard to see it as less than calculated.

You have lost our trust and I would recommend that nobody play on your site.
08-19-2010 , 05:59 PM
Lee, would you please open this thread in OTT: "Ask me anything about being the Thony Hayward of poker" ?
08-19-2010 , 07:04 PM
I've criticized Lee a fair bit both here in this thread and elsewhere. Part of it is probably my reaction to some of the fanboy adoration that he gets here on 2p2. But some of you are now going over the line.

Give the guy credit for bringing someone like NoahSD on board, despite Noah's criticism. IMO, that's a very solid, humble move.
08-19-2010 , 08:22 PM
Quote:
Originally Posted by Lee Jones
Hi folks -

(snip)
  • When the Cake software was first written five years ago, it included an implementation of the TwoFish encryption algorithm in the server-client communication.
  • Approximately 18 months ago, the TwoFish code stopped working because of a change in an unrelated part of the client. One of our programmers, under a schedule crunch, replaced the TwoFish implementation with the XOR encoding. Obviously, that was a bad idea. There was some technical discussion about this change, but unfortunately we didn't go back and redeploy the TwoFish (or an SSL) encryption in the code. Equally badly, nobody thought to update the website to reflect the fact that the TwoFish implementation had been removed. That was a classic lack of communication between the technical people and the people who maintain the website. Again, no excuses; we dropped the ball.
  • When the Cereus issue came to light in May, I asked our VP of Software Development (who'd only joined the company five months prior) if our implementation was more secure than that. He asked the programming team and was told that we were more secure than Cereus; that is what he reported back to me. We are still trying to understand exactly what he was told and why. As you might imagine, for the last week, we've been much more interested in actually solving the problem than trying to figure out how we got here. We have now started the post-mortem process to completely understand what happened in the first place. We will, I promise, get to the bottom of what happened.

(snip)

Cake Poker Cardroom Manager
I wonder who the previous VP of Software Development was, what he could tell us about the original TwoFish implementation, the circumstances around it being replaced with XOR, his opinion about the level of security it provided, etc.

Are you out there reading this Mr. VPSD?

What can you tell us?
08-20-2010 , 03:57 PM
@Lee Jones -
Why were you told that Cake was more secure than Cereus when you originally asked?

Did the VP of software blindly believe y'all were still using TwoFish? Did he just give you the answer he knew you wanted to hear?
08-20-2010 , 04:22 PM
@Lee Jones -
The three audits that you listed focus on hand histories, etc.

Is anything being done to look for insider cheating? Anyone that may have the ability to change or conceal hand histories, change player IDs, etc. should be investigated in a different way.

The level of incompetence required to think XOR obfuscation is sufficient security for a poker site is very high. This makes people justifiably suspicious of an inside job.
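
Why fixed-key XOR encoding gives no confidentiality, and how an auditor could confirm it from captured payloads alone (added example, not part of the original post and not Cake's code). The repeating-key scheme, the key, the JSON-style messages and the SHAKE-256 stand-in for a real cipher are all assumptions made for illustration.

```python
import hashlib
import os
from itertools import combinations

# Constructed sample messages; the field layout is illustrative, not Cake's protocol.
MESSAGES = [
    b'{"table":17,"seat":3,"hole":["As","Kd"],"stack":1520}',
    b'{"table":17,"seat":5,"hole":["7c","7h"],"stack":2310}',
    b'{"table":22,"seat":1,"hole":["Qs","Jd"],"stack":985}',
]
KEY = bytes.fromhex("5ac3910f7e")  # constructed key (assumption)


def xor_encode(msg: bytes, key: bytes) -> bytes:
    """Assumed obfuscation: the same repeating key XORed over every message."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(msg))


def stream_encrypt(msg: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher (not Twofish): fresh nonce, SHAKE-256 keystream."""
    nonce = os.urandom(16)
    keystream = hashlib.shake_256(key + nonce).digest(len(msg))
    return nonce + bytes(m ^ k for m, k in zip(msg, keystream))


def high_bit_clear_ratio(c1: bytes, c2: bytes) -> float:
    """XOR two payloads; with a fixed key the key cancels, leaving
    plaintext XOR plaintext, and ASCII XOR ASCII never sets bit 7."""
    diff = [a ^ b for a, b in zip(c1, c2)]
    return sum(d < 0x80 for d in diff) / len(diff)


def fixed_key_suspected(payloads, threshold: float = 0.9) -> bool:
    """Flag a capture when every payload pair looks like text XOR text."""
    ratios = [high_bit_clear_ratio(a, b) for a, b in combinations(payloads, 2)]
    return min(ratios) >= threshold


XOR_CAPTURE = [xor_encode(m, KEY) for m in MESSAGES]
ENC_CAPTURE = [stream_encrypt(m, KEY) for m in MESSAGES]

if __name__ == "__main__":
    print("XOR-encoded capture flagged:", fixed_key_suspected(XOR_CAPTURE))
    print("properly encrypted capture flagged:", fixed_key_suspected(ENC_CAPTURE))
```

The check needs no knowledge of the key, which is the point: the structure of the plaintext survives the encoding for anyone positioned on the network path.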
08-20-2010 , 06:40 PM
Can the investigations team please check all the accounts used in winning money from the gold card program. Like a superuser could break even at poker and pull goldcards out of their ass if it's an inside job.
08-21-2010 , 09:48 AM
When I first joined cake I didn't get any gold cards for several months. So eventually I wrote to them and they didn't reply; however, the very next day I got a huge amount of gold cards all at once.

And I won the gold card race thing for that month which wasn't fair on anyone else in the race but I wasn't complaining.
08-21-2010 , 10:10 AM
I'm not concerned personally with the gold card race, I was one of the players who ran exceptionally bad thru the end of July and August period......400nl-1000NL....Some of the names mentioned I did play against so I am interested in how this investigation is handled publicly.
08-22-2010 , 11:27 AM
Quote:
Originally Posted by spadebidder
Lee, you may be describing the median or most likely case, but certainly not the real extent of the risk that existed. It has been explained several times in these threads already. Here's a few details to consider.
  1. The cake games servers, according to information published on your web site here, use the IP range 200.26.205.0/24. That means the game servers are physically located at the Conet hosting facility. That company has hundreds of employees with access to the network traffic. And they could see ALL hole cards for ALL players during the time the traffic was not encrypted.
  2. Conet uses multiple backbone Internet carriers, and those companies have thousands of employees who can access the network traffic. If the cake traffic all comes in on just one of them, then those employees would have access to ALL hole cards for ALL players. If the cake traffic comes in on multiple backbones from different parts of the world, then employees of the respective carrier would have access to ALL hole cards for players in that part of the world.
  3. If most Cake players are in the US, then all of that traffic appears to get to Conet via Global Crossing. There aren't many companies running undersea cables to Curacao. Global Crossing has about 5000 employees. A few hundred of those people would be able to see ALL hole cards for ALL US players.
  4. I assume there are also Cake employees who have access to those colocated servers, who could also see the hole cards of ALL players during the time they were unencrypted. I realize that a few high-access employees would probably have always had the ability to see them even when the connection was encrypted (directly on the server) and hopefully those people are always prohibited from playing, but without encryption that increases to include everyone with access to the network containing the servers.
  5. Because of the nature of Internet carriers, many employees of other companies not directly carrying that traffic, also have access to parts of the network. Vendors, companies sharing peering points, consultants, and many others. You don't even have to work for the company that owns the traffic. Now we're definitely into thousands of people that could have seen the hole cards of many players, not just one or two players.
  6. As you go further out on the traffic web away from the servers, any particular node will contain traffic from fewer players, but still more than one player.
  7. The only case where a hacker would have access to only ONE player's hole cards, would be the case where someone's personal wireless network or local network was snooped. In other words, at any terminus of the cake network connection, containing only one player. That seems to be the least damaging scenario, but it is continuously referred to as the only one to worry about. I'd be worried that some of the others I described occurred.


Nice post Spade.

Mr. Lee, any explanation in this regard?
08-22-2010 , 04:52 PM
Quote:
Originally Posted by The Furor
Lee, would you please open this thread in OTT: "Ask me anything about being the Thony Hayward of poker" ?
or the Ari Fleischer.

"Mission accomplished"
08-22-2010 , 05:14 PM
Also...

Lee, could you be more specific as to why EXACTLY you guys replaced the 2-fish encryption with the XOR? You have been very vague about this - could you give us the details of the "performance" issues you have been alluding to?
08-22-2010 , 08:09 PM
Quote:
Originally Posted by Lee Jones
Hi all -
As I said in my previous post, I believe that the greatest likelihood of trouble comes from the outside, not the inside. But it doesn't matter what I believe - our auditors are using methods that will find cheaters on either side of the fence.

Best regards,
Lee Jones

Cake Poker Cardroom Manager
I realize that I'm probably being naive in expecting this to be answered, especially considering it's the 4th time or so that I've asked, but I consider it as important as the XOR encrypted data packets issue (especially because it requires no work at all to "crack"):


-- How long was the login to the Cake Store sending email address/password combos in cleartext?

-- Will there be any auditing of accounts that did log in to the insecure Cake Store, to ensure they haven't been tampered with?
08-22-2010 , 09:42 PM
Will NoahSD and others be given access to Cake Store order records? Will statistical analysis be applied to ordering patterns to detect abnormalities? Such as buying way too many cakes?

Sorry, couldn't help but troll a little bit.
08-22-2010 , 10:09 PM
Quote:
Originally Posted by mag8500
So what Big 4 Accounting Firm did you hire?

Oh wait......
seriously this^^^

hire a well known auditing firm.
08-23-2010 , 12:28 AM
so let's say you find a superuser 100% for sure

superuser1 he has 100k in his bankroll. What happens? Does cake take all that money? is it going to be given to people he superused it from? what will happen? what if he cashed out 25k before that?