Possibly superusers on Cake -- Lee Jones responds

08-07-2010 , 12:20 AM
Quote:
Originally Posted by redCashion
2 things:

1. If this was an intentional lack of encryption by the programmers, how dumb were they to not immediately close down the site and add SSL once PTR started tracking their hands?

2. Was allowing people to change screen names and not allowing a HUD an attempt to make it harder to catch the cheating? This seems unlikely since it would basically require management to be in on any possible cheating, but after AP who knows.
The best thing said so far!
08-07-2010 , 12:24 AM
Quote:
Originally Posted by spadebidder
The poker client is not a browser. It uses its own application protocol over TCP/IP and needs an SSL implementation built in to the client (and the server). To answer your question, it would have been trivial to determine by anyone who ever bothered to check it using any kind of packet tracing tool on their own computer. I've always checked the sites I play on.
So... if anyone had bothered to check they could have found the flaw months, even a few years ago (UB)? If you always check the sites - did you find this flaw yourself? (assuming you looked)
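[Added example, not part of any post in this thread.] The check spadebidder describes, done on bytes you captured from your own machine, comes down to asking whether the connection opens with TLS/SSL record framing or with readable text. The sketch below assumes you have the first client-to-server bytes of one TCP connection; the sample inputs are constructed and do not reproduce any poker site's real protocol.

```python
# Heuristic triage of the opening bytes of a TCP stream captured on your own host.
# SSLv2-style hellos and protocols that upgrade to TLS mid-stream are not handled.
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
MAX_RECORD = 16384 + 2048  # largest record body allowed by TLS 1.2


def tls_records(stream: bytes):
    """Walk the stream as TLS records; return [] as soon as the framing breaks."""
    records, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, major, minor = stream[pos], stream[pos + 1], stream[pos + 2]
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        if ctype not in TLS_TYPES or major != 3 or minor > 4 or length > MAX_RECORD:
            return []
        records.append((TLS_TYPES[ctype], (major, minor), length))
        pos += 5 + length
    return records


def classify(stream: bytes) -> str:
    """Return 'tls', 'cleartext' or 'opaque' for the start of a connection."""
    recs = tls_records(stream)
    if recs and recs[0][0] == "handshake":
        return "tls"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in stream)
    if stream and printable / len(stream) >= 0.85:
        return "cleartext"
    return "opaque"  # binary but not TLS-framed: needs manual review


# Constructed samples (not real captures).
_hello = b"\x01" + (43).to_bytes(3, "big") + b"\x03\x01" + bytes(41)
CLIENT_HELLO = b"\x16\x03\x01" + len(_hello).to_bytes(2, "big") + _hello
CLEARTEXT = b"LOGIN user=alice\r\nTABLE 12 SEAT 3 CARDS Ah Kd\r\n"
OPAQUE = bytes(range(200, 256)) * 2

if __name__ == "__main__":
    for name, data in [("hello", CLIENT_HELLO), ("text", CLEARTEXT), ("blob", OPAQUE)]:
        print(name, classify(data), tls_records(data))
```

An "opaque" result does not prove the traffic is encrypted; a proprietary binary encoding looks the same to this check.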
08-07-2010 , 12:25 AM
And if anyone did check it with a packet tracing tool, they then got to make the decision of
  • Log in and play on Cake, taking advantage of the information. Superuser version 2.0
or
  • Inform Cake and/or the world
08-07-2010 , 12:29 AM
Quote:
Originally Posted by jackhigh
So... if anyone had bothered to check they could have found the flaw months, even a few years ago (UB)? If you always check the sites - did you find this flaw yourself? (assuming you looked)
I don't play on cake.

Quote:
Originally Posted by VP$IP
And if anyone did check it with a packet tracing tool, they then got to make the decision of
  • Log in and play on Cake, taking advantage of the information
or
  • Inform Cake and/or the world
Not everyone is in a position to take advantage of it. You have to be able to capture other people's traffic. So if someone randomly discovered it they'd have to tell other people until someone was able to use it. Or, people in a position to exploit it and willing to do so, were the only ones ever checking.

Maybe PTR knew for years...
08-07-2010 , 12:33 AM
Quote:
Originally Posted by spadebidder
I don't play on cake.



Not everyone is in a position to take advantage of it. You have to be able to capture other people's traffic. So if someone randomly discovered it they'd have to tell other people until someone was able to use it. Or, people in a position to exploit it and willing to do so, were the only ones ever checking.
I understand. But wouldn't it be possible for a knowledgeable person to place a sniffer in a location designed to capture the traffic?
08-07-2010 , 12:36 AM
Quote:
Originally Posted by VP$IP
I understand. But wouldn't it be possible for a knowledgeable person to place a sniffer in a location designed to capture the traffic?
Sure. What's unknown is if anyone ever did before this was published. It's been said before, but some of the people who could take advantage of it would be employees of any ISP carrying cake traffic, employees of cake, other people working in network infrastructure where that traffic might pass, anyone in an Internet cafe where there are other cake players, and anyone with neighbors playing cake over unsecured wireless. For example.
08-07-2010 , 12:37 AM
Quote:
Originally Posted by spadebidder
I don't play on cake.



Not everyone is in a position to take advantage of it. You have to be able to capture other people's traffic. So if someone randomly discovered it they'd have to tell other people until someone was able to use it. Or, people in a position to exploit it and willing to do so, were the only ones ever checking.

Maybe PTR knew for years...
It seems easy to determine if SSL is being used. It just seems odd that nobody discovered this and made it public sooner.
08-07-2010 , 12:39 AM
We know that you are smart enough to check for un-encrypted packets on the sites you play on.

Is it reasonable to conclude that the Cake programmers would have known how to intercept this data away from the Cake servers also?
08-07-2010 , 12:39 AM
Quote:
Originally Posted by spadebidder
Sure. What's unknown is if anyone ever did before this was published. It's been said before, but some of the people who could take advantage of it would be employees of any ISP carrying cake traffic, employees of cake, other people working in network infrastructure where that traffic might pass, anyone in an Internet cafe where there are other cake players, and anyone with neighbors playing cake over unsecured wireless. For example.
Anyone notice an abnormal amount of Russians hanging around a WPT hotel lobby
08-07-2010 , 12:40 AM
Quote:
Originally Posted by jackhigh
It seems easy to determine if SSL is being used. It just seems odd that nobody discovered this and made it public sooner.
Would they be inclined to make it public, or to profit from it?
08-07-2010 , 12:43 AM
Is it likely that most of Cake's un-encrypted data regularly went through a relatively small number of nodes, based on routing tables?

(Static Routing)

To configure a static route to network 10.10.20.0/24, pointing to a next-hop router with the IP address of 192.168.100.1, type: (Note that this example is written in the Cisco IOS command line syntax and will only work on certain Cisco routers)

Router> enable
Router# configure terminal
Router(config)# ip route 10.10.20.0 255.255.255.0 192.168.100.1

The other option is to define a static route with reference to the outgoing interface which is connected to the next hop towards the destination network.

Router> enable
Router# configure terminal
Router(config)# ip route 10.10.20.0 255.255.255.0 Serial 0/0
08-07-2010 , 12:44 AM
@spadebidder

Since u have checked all the sites u play on, which ones implement SSL and which don't?

The hackers will be looking to exploit this, so i don't want to play on any sites that don't implement SSL.
08-07-2010 , 12:45 AM
I hate to say it but if this **** continues online poker is DOOMED!
08-07-2010 , 12:51 AM
Quote:
Originally Posted by ItsOnlyChips
@spadebidder

Since u have checked all the sites u play on, which ones implement SSL and which don't?

The hackers will be looking to exploit this, so i don't want to play on any sites that don't implement SSL.
All the big sites are definitely secure, for US players that includes Full Tilt, Stars, and Cereus (since they fixed it). Incidentally, a few months ago on these forums PitBull Poker was caught using unencrypted connections, and there was some evidence they also had insiders playing for the house who could see all hole cards. They shut down shortly after that came out. I'm not in any way comparing Cake to Pitbull.
08-07-2010 , 12:54 AM
sweet baby jesus

Talk to us Lee.
08-07-2010 , 01:01 AM
The Party software has a history of being pretty poor. Anyone able to check PP?
08-07-2010 , 01:28 AM
Quote:
Originally Posted by VP$IP
We know that you are smart enough to check for un-encrypted packets on the sites you play on.

Is it reasonable to conclude that the Cake programmers would have known how to intercept this data away from the Cake servers also?
Absolutely. It takes a relatively small amount of computer savvy to be able to exploit unsecured data being broadcast across a router.
08-07-2010 , 01:46 AM
Quote:
Originally Posted by jackhigh
It seems easy to determine if SSL is being used. It just seems odd that nobody discovered this and made it public sooner.
This is the question that I have. Cake is a network made up of a number of sites who have a lot to lose by being connected to this mess. How could none of the 55 other Cake Poker skin owners (Doyles Room, Unabomber, Power Poker, Bet US, Gutshot etc...) not pick up on this during their own due diligence.

I don't understand how out of 55 other companies whose revenue, reputation and business model rely on their players having a secure network to play on, not one of them ever bothered to execute the same type of security audit that PTR did to confirm that their players were playing on a safe site.

It doesn't make sense.
08-07-2010 , 01:55 AM
Quote:
Originally Posted by spadebidder
All the big sites are definitely secure, for US players that includes Full Tilt, Stars, and Cereus (since they fixed it).
How about the Merge network, are they secure?
08-07-2010 , 02:03 AM
I posted a comment in the cakepoker feedback thread about a player who had zero results on sharkscope (yeah I know coulda been a new name, but i have notes on all regs), yet this guy was straight crushing 2 tourneys, I think he went on to win both...

It actually seemed like he didn't lose a hand...like he knew the outcome or something...
08-07-2010 , 02:09 AM
Quote:
Originally Posted by d0nk3y
How about the Merge network, are they secure?
who really knows for sure???!!
08-07-2010 , 02:17 AM
Quote:
Originally Posted by THAY3R
I posted it on here when it happened, though iirc it's not retrievable because their HH's are through a website and the link doesn't work anymore. It absolutely happened, though at the time I didn't think too much about it other than "lulz ruskies", I kind of just assumed he was some fish who wanted to see what I had.


Found : http://archives1.twoplustwo.com/show...e#Post11007972
read this post and was like 'holy crap surprised I hadn't heard of this' then saw I posted in the thread, oops

so this thread is long and boring, is there a lot of evidence of actual superusing or is it just a lack of security and thus people have probably cheated?
08-07-2010 , 02:36 AM
i am a husng reg and have played a huge volume on FTP. i moved over to cake late last year for volume reasons and to grind over 2 sites and had relative success until 2 players destroyed me relentlessly.

I won't post SN's right now but i was suspicious at the time given that they both played losing styles and mostly destroyed me in non-showdown pots... I reviewed my game and theirs a LOT through this period, spotting a ton of leaks but not being able to beat either of them. Furthermore, the time that the first one stopped playing was around the time that the other guy popped up (i haven't been back to check if they were playing at the same time or not, but they both appeared from nowhere)... I did joke with friends at the time that they were superusers, but ended up just going back to FTP and not thinking much of it... It wasn't the sole reason i went back to FTP but had a little to do with it, i didn't trust the site....

I do want to say that there is like a 90% chance that they were legit owning me or on a heater... just saw this thread and thought it'd be a good time to bring it up i guess. it makes no sense for a superuser to play a ton of $200 husng's i guess.
08-07-2010 , 02:46 AM
lee's silence is sad
08-07-2010 , 03:02 AM
Quote:
Originally Posted by NHFunkii
read this post and was like 'holy crap surprised I hadn't heard of this' then saw I posted in the thread, oops

so this thread is long and boring, is there a lot of evidence of actual superusing or is it just a lack of security and thus people have probably cheated?
Numero dos, sir. Nobody's posted anything close to credible that suggests a specific case of cheating, but lots of smart people have made lots of strong arguments that suggest the following:

1) It would've been fairly easy for tech-savvy players to see hole cards. This is definitely true for people with access to the connection on either end (i.e. connected to the same wireless as the player or connected to Cake's own networks or working for the ISP of either party). Some people who seem to maybe understand this stuff have said that a good hacker could cheat without access to either of these connections. Some other people say that that's not the case, and I have no clue who's right.

2) People with the ability to cheat could've easily discovered that they were able to.

3) It would be basically impossible for us to find out about a competent cheater without the aid of Cake employees.

4) Cake employees have a strong disincentive towards helping to catch cheaters in this instance, and have obviously shown themselves to be incredibly incompetent. Therefore it seems like a stretch to expect them to get to the bottom of this.

5) Even if Cake employees were competent and committed to looking into this, they could still fail to uncover a competent cheater.

Some people think that the fact that the security vulnerability existed in the first place and the fact that Lee Jones says he was told that it didn't exist in May strongly implies that Cake's programmers left this hole on purpose to exploit it later. They point out that this would be the perfect way for an employee to steal money from customers without being detected. The technical aspect of whether or not incompetence can explain their actions is sort of beyond me, and it's really hard for the uninitiated like me to sort the relevant facts out of the competitive masturbation-by-text that the techies ITT seem to enjoy. I think the fact that Cereus had the same problem lends some small credence to the idea that programmers can in fact be this incompetent and still run a poker network, but we don't even know that Cereus's problem was unintentional and even if we did I don't really like the argument "Cereus screwed it up, so why can't Cake?" Hopefully Lee Jones will shed some more light on this by giving us a timeline and explaining who the hell told him that their unsecure network was secure, but if I were a gambling man I'd bet against that happening.

Last edited by NoahSD; 08-07-2010 at 03:11 AM.