Security Alert - How is this even possible?

[thepokerkeep]

I'd love to hear a valid explanation from someone in Cake's security department regarding the lack of SSL encryption on your network. Please explain how, in spite of what happened at Cereus recently, you guys failed to make sure your own security was up to minimum industry standards.

Please explain how a poker network can operate for so many years without someone catching this. Seriously WTF? Where do you guys hire your staff? No one thought to check your encryption system even after the Cereus blow up.... come on!!

What are you doing about it? When can we expect this issue to be fixed? Are you planning on taking your network offline until it's fixed? If not, why not? Are you planning to issue a press release or warning to your players about the risks involved by playing on your network?

Source: Cake Network Security Warning

[universal4]

Please explain how a poker network can operate for so many years without someone catching this. Seriously WTF? Where do you guys hire your staff? No one thought to check your encryption system even after the Cereus blow up.... come on!!

I think this is one of the most important points Terry made....

After the previous mess and how bad it made them look, you still didn't take the time to ask what kind of encryption was being used??

Every single casino, sportsbook and poker room out there should be asking this same question right now!!

(In reality this question should have been asked and answered BEFORE the first visitor arrived at the site when it went live...but if it wasn't the clock is now ticking)

Rick
Universal4

[thepokerkeep]

Can someone from GPWA get Cake to respond here?

I see Lee Jones is taking the time to post at 2p2 and their PR department took the time to email me.... expecting them to address their affiliates in an open forum isn't asking too much is it?

[Chips]

Typical cake service.

[Anthony]

Can someone from GPWA get Cake to respond here?

I see Lee Jones is taking the time to post at 2p2 and their PR department took the time to email me.... expecting them to address their affiliates in an open forum isn't asking too much is it?

I sent cake a note pointing them to this thread.

[JustinJ]

Hello,

Recently there has been news circulated by PTR regarding the security of the Cake Poker software. Our development team have confirmed that the described encryption vulnerability exists, although the claim by PTR has been falsely overstated. However, we are taking this very seriously and have mobilized our senior engineers to address the problem and strengthen the security of the Cake Poker software. We are adding an SSL layer to secure all communication between our servers and the client software and will complete the development and testing of this as soon as possible. Cake Poker is totally committed to closing this hole in our server-client communication security and it will be our top priority until it is 100% complete.

In the meantime, for players playing on Cake Poker, we encourage them to follow security practices, such as:

• Players should ensure that their computer is secure. Run anti-virus and spy ware detection software, not to share their computer's password with anybody else, etc.
• For added security, we recommend playing on a wired network. Plugging your computer into a router or modem with an Ethernet cable is the best defense against packets being sniffed.
• If using a wireless network, we recommend that is WPA2 protected.
• We encourage all players not to play on a wireless network which is not password protected.


We will ensure to keep you updated as to the progress of this development.


Best Regards,

[universal4]

We understand this may be a massive undertaking for you but glad to see that you are taking it seriously and acting on it.

Can you give any kind of indication as to any kind of timetable of getting an update rolled out?

Rick
Universal4

[thepokerkeep]

Can you explain what part of the PTR report was false?
They did crack your security.
They did access sensitive data, in real time.
They did observe players hole cards, in real time.

If they did it, others have the ability to do so as well, especially now that the security hole is public knowledge.

Why is the network still allowing players to play on an unsecured network?

[thepokerkeep]

Why did Cake remove the warning that was in place when players logged into the poker client? This was the one and only effort you had made to inform the players - now it's gone!

From my perspective, it looks like Cake is putting profit above player security.... not the best strategy for long term survival. Doing the right thing now may cost you in the short term - but failing to protect/inform your players is going to cost you dearly in the long term.

No warnings to players!
Very little communication with affiliates!
Releasing misleading or incomplete information!

Cake needs to Communicate and Take Responsibility! Otherwise the network will lose all credibility with affiliates and players. Time is running out - do the right thing before it's too late!

The bad press is just beginning, stay tuned for round 2.

[grem]

access to players cards is a big mistake

[bb1web]

I'm writing a waring to my readers now.

[Chips]

Blogged a caution to readers, adding to caution block on blacklist page as well. Will remain in place until the issue has been resolved.