

Cereus: An Editorial

By dameon - May 18th, 2010

PTR Editorial

State of Things

On Friday May 7th we first reported on the now well-known security holes in the Cereus network’s data encoding, and ten days later we’re pleased to say that the known issues appear to have been fully resolved. The Cereus network has upgraded all of its server communications to industry-standard SSL (via OpenSSL), which will prevent user data from being stolen from the network data stream. The rest of this article will recap the incident, discuss possible implications of this vulnerability, give you a few tips to protect yourself while playing, and lastly comment on the industry as a whole as it relates to the player’s safety.

If you only read one portion of this article, skip to the section entitled “Protecting Yourself” and be sure that you’re taking the basic precautions necessary to protect your roll.

Cereus’ Response Recap

Much to our surprise, when we first publicized the problem Cereus acknowledged the issue almost immediately, both privately and publicly. There was minor down-playing of the severity of the issue, but it was still much more than we had hoped for. Within a couple of days they introduced a band-aid bug fix which did not fix the vulnerability but definitely made it more difficult to reproduce.

Their first crack at OpenSSL support came out last Friday (5/14), and we rapidly found large holes in their implementation. After a bit of convincing on our part they did acknowledge that they were not using SSL to protect user login information. This oversight seriously calls into question the abilities of their developers, or even their level of understanding of software security. However, they did take it seriously and started work on a complete implementation. The final implementation was released on Sunday night (5/16) and has passed our testing. They still have some minor oddities in their implementation, but in our view it is 100% secure from having data intercepted by a third party via the network data stream.

Overall, we think that this was the best that we could have hoped for from Cereus. If they had been a regulated financial institution, they would undoubtedly have been forced to bring their entire service offline until a fix was in place, but given the lack of oversight we were surprised that they acknowledged the problem and began repairs as quickly as they did.

Implications

There are some serious implications of this whole vulnerability that I think it’d be worth going over. I’ll review the implications both good and bad for the Cereus network, the third party auditors, and lastly us, the players.

The fact that Cereus responded quickly and publicly indicates that there is an awareness of the need to make the players feel safe. It seems to me that Cereus’ current management is serious about improving their image in the public’s eye. Overall, that is a very positive thing.

The question must be asked, though: how does such a glaring security hole go unnoticed? Oh, and it is a glaring security hole. It was discovered by accident because their data stream was so non-random that a quick glance at any network capture revealed a pattern which could only be simplistic encoding (it even contained plain-text delimiters). So then, how could none of the third party auditors which Cereus employed, and none of the developers in house, have noticed this issue over several years of development? Especially given the recent scandals they have been rocked by, it seems that someone would have taken the time to go over their software with a fine-tooth comb. This clearly never happened.
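The “so non-random that a glance reveals the pattern” observation above is something a development team can test for itself before shipping a protocol. The following is an added example for this editorial, not PTR’s tooling and not anything from Cereus: it measures the byte entropy and delimiter frequency of a captured stream and flags output that is merely encoded rather than encrypted. Both inputs are constructed inside the block (a toy XOR scheme that leaves its delimiters in the clear, and a SHA-256 counter stream standing in for real ciphertext), and the two thresholds are this example’s own assumptions, not a published standard.

```python
"""Wire-format self-check: is a stream encrypted, or merely encoded?

Added example, not PTR's tooling or Cereus' protocol. The 'encoded' sample is
a constructed stand-in (repeating-key XOR on the fields, delimiters left in
plain text); the 'ciphertext' sample is a SHA-256 counter stream so that the
result is reproducible offline.
"""
import hashlib
import math
from collections import Counter

# Thresholds are this example's assumptions, not an industry standard.
ENTROPY_FLOOR = 7.0          # bits per byte; real ciphertext sits close to 8.0
DELIMITERS_PER_KB_MAX = 20.0  # protocol delimiters should not survive encryption


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def delimiters_per_kb(data: bytes, delims=(b"|", b"\r\n")) -> float:
    """How often protocol-style delimiters occur, normalised per 1024 bytes."""
    if not data:
        return 0.0
    hits = sum(data.count(d) for d in delims)
    return hits * 1024.0 / len(data)


def audit(data: bytes) -> dict:
    """Report whether a captured stream looks like genuine ciphertext.

    A stream failing either test is at best obfuscated: a reviewer glancing
    at a capture would see structure, which is exactly what the editorial describes.
    """
    ent = shannon_entropy(data)
    dpk = delimiters_per_kb(data)
    return {
        "entropy_bits_per_byte": round(ent, 3),
        "delimiters_per_kb": round(dpk, 1),
        "looks_like_ciphertext": ent >= ENTROPY_FLOOR and dpk <= DELIMITERS_PER_KB_MAX,
    }


# --- constructed sample inputs -------------------------------------------------

def pseudo_ciphertext(n: int, seed: bytes = b"example-seed") -> bytes:
    """Deterministic stand-in for properly encrypted output (SHA-256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def toy_encoded_stream(key: bytes = b"\x5a\xa5", messages: int = 64) -> bytes:
    """Constructed 'simplistic encoding': XOR each field with a two-byte key but
    keep the '|' and CRLF delimiters in plain text. Not Cereus' actual scheme."""
    records = []
    for i in range(messages):
        fields = [b"LOGIN", b"player%d" % i, b"secret%d" % i]
        coded = [bytes(b ^ key[j % len(key)] for j, b in enumerate(f)) for f in fields]
        records.append(b"|".join(coded) + b"|\r\n")
    return b"".join(records)


if __name__ == "__main__":
    for name, sample in (("toy encoding", toy_encoded_stream()),
                         ("pseudo ciphertext", pseudo_ciphertext(4096))):
        print(name, audit(sample))
```

Run it against a few kilobytes captured from your own client and the two numbers tell you immediately which side of the line the wire format falls on; a passing result does not prove the cryptography is sound, but a failing one proves it is absent.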

The next question which must be asked is what exactly is the licensing body, the Kahnawake Gaming Commission, doing to ensure the integrity of the gambling sites they house? In their own internet poker regulations document, available on their website, they state “Each Poker Room License holder …. those security controls are subject to the approval of the commission.” Does this mean that Cereus’ half-baked encoding mechanism was at some point approved by them? If so, how can they possibly have the expertise required in order to protect us?

The final but least important implication is that Cereus has some incredibly incompetent developers. To not only attempt something like this in the first place, but then to fail to implement SSL on their login system, shows an appalling lack of technical knowledge. I say this as both a developer and a poker player. I don’t want to cost anyone their job, but I sincerely hope they are looking at finding a more qualified development team; if not for our benefit, then for their own.

Safety of the Cereus Network

We are willing to say that we believe the Cereus network’s network-level encryption is now safe. That means there is no chance of an outside party intercepting your login information and/or hole cards by sniffing network traffic. That does not mean every other sort of exploit, such as an SSL man-in-the-middle attack, is ruled out; however, we believe that this risk is minimal and on par with that of the other poker networks. We believe there is no special risk of having your data snooped while playing on the Cereus network.

I want to be very clear that we’re not vouching for any aspect of Cereus’ security other than the exact vulnerability we pointed out. This is the extent of our testing, and as such, is the extent of our confidence in their security mechanisms.

Protecting Yourself

It makes sense on the tail of this incident to discuss what you should always be doing to protect yourself when you play, not just on Cereus. One of the biggest things to do is be aware of the network you’re playing on. Only play on secure networks that you trust, such as your home network. If you are playing on a wireless network, make sure that it is WPA2 encrypted. Even though your poker traffic can’t be intercepted, other information which could aid in cracking your poker logins (such as e-mail accounts) might be. This means absolutely, positively do NOT play at coffee shops, airports, etc.

Use a different password for each account you have. I suggest having a password you use for financial information, a password for your e-mail accounts, a password for your poker accounts, and a password for non-critical accounts such as forums. Use a different username for your e-mail than you do for forums or other public areas; it is pretty easy to guess that a forum name of “pokerbob123” might have an e-mail address of “pokerbob123@gmail.com.” Also, the forum owners presumably have access to the username and password that you use to log into their forums, and you definitely don’t want that to be the same as your e-mail.

Gaining access to someone’s e-mail account is often enough to gain access to their poker accounts by using the “forgot password” function. E-mail accounts should be kept at least as secure as your other sensitive accounts such as poker, or financial accounts.

Do not use a friend’s computer or a public computer to log into your e-mail or your poker account. That computer could be compromised, or even have software or hardware key loggers intentionally installed. Along those same lines, be sure to use antivirus on your computer. There is no excuse for not using antivirus given the wealth of free solutions, including Microsoft’s Security Essentials. Keep your friends and kid brothers off of your computer, especially if you aren’t going to be around. Malware is very tricky these days and can be found in unexpected locations; you don’t know what they are going to try to put on your computer.

Lastly, some sites make RSA security dongles and mobile phone security applications available to their players, usually for some fee. PokerStars and Full Tilt are among the sites currently offering these, and hopefully more will follow. I can’t vouch for the level of security they offer in practice, but I see no reason not to take advantage of this additional security mechanism – even just for peace of mind. I know I would.
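The mobile phone security applications mentioned above are, as a rule, time-based one-time password generators in the RFC 6238 (TOTP) family, built on RFC 4226 HOTP. The block below is an added example showing how both the phone side and the site side of such a scheme work; it is not PokerStars’ or Full Tilt’s code. The secret and expected codes come from the published RFC 6238 test vectors, and the server-side verifier adds the two checks a site must get right for the token to be worth paying for: a small clock-skew window, and a high-water mark so that a code captured from a player cannot be replayed.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP, the scheme behind phone-based security apps.

Added example; not the code of any poker site. RFC_SECRET is the RFC 6238
Appendix B test key, so the codes this produces can be checked against the RFC.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter derived from the current Unix time step."""
    return hotp(secret, int(at_time) // step, digits, algo)


class TotpVerifier:
    """Site-side check: constant-time comparison, a small clock-skew window,
    and a per-user high-water mark so an already-used code is never accepted twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo=hashlib.sha1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.algo = algo
        self.last_counter = -1  # per-user state; a real deployment persists this

    def check(self, candidate: str, at_time: Optional[float] = None) -> bool:
        now = time.time() if at_time is None else at_time
        base = int(now) // self.step
        for skew in range(-self.window, self.window + 1):
            counter = base + skew
            expected = hotp(self.secret, counter, self.digits, self.algo)
            # Accept only if the code matches AND this time step is newer than
            # the last accepted one; the second condition is the replay defence.
            if hmac.compare_digest(expected, candidate) and counter > self.last_counter:
                self.last_counter = counter
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SECRET, 59, digits=8))  # RFC vector: 94287082
    verifier = TotpVerifier(RFC_SECRET, digits=8)
    print("first use accepted:", verifier.check("94287082", 59))
    print("replay accepted:", verifier.check("94287082", 75))
```

The replay guard is the part that distinguishes a real second factor from a decoration: without it, a code sniffed over an open coffee-shop network is good for the whole validity window, which is precisely the scenario the “Protecting Yourself” section warns about.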

Editorial

Poker networks are de facto financial institutions; they receive, hold, and disburse our funds. They should be held to the same standards as any other financial institution that we trust with our money. It is an artifact of the legal gray area in which many of them operate that they are not held to these same standards. The current framework is a system built to allow these networks to continue to exist; it is not designed to protect the player. This particular incident just serves to highlight the lack of oversight and accountability in our industry. There is an entire list of parties that should be suspect now, if they were not before, including the third party auditors and the licensing body which regulates the network.

The sad truth is that there is really no great incentive for these network owners to be proactive in protecting the player at all. Their only incentive, which loosely correlates with protecting the players, is to avoid PR bungles such as the scandals which have repeatedly rocked Cereus. Lost revenue is the only real consequence that a network will incur in this type of situation.

The real problem is one of transparency. We are left to judge the quality of a site, in terms of treatment of the player’s security and funds, more by their marketing and PR than anything else. We assume that the networks take cheating “very seriously,” but it seems like the only cheaters that get caught are nabbed by the poker community itself. We’re told the networks are licensed and audited, but then we find that one of the top ten networks in the world has been using childish encoding schemes for years without anyone noticing.

The only sources of news in the industry operate as affiliates of the poker sites themselves, which makes them extensions of the marketing departments of those poker sites. These news sites get paid directly for advertisements or, more commonly, for directing players to play at a particular network. Their checks are signed by the same networks they are reporting on, giving them little incentive to upset that balance and perhaps a large disincentive to accurately report on the networks’ failures. For a great exposé on the pathetic reporting and downplaying of the Cereus incident, check out NoahSD’s post on the 2+2 forums entitled “The Pathetic State of Online Poker News” (http://forumserver.twoplustwo.com/29/news-views-gossip/pathetic-state-online-poker-news-779387/). So not only is there no transparency and no accountability to the players, the only news sources in the industry are paid by the poker networks.

Truthfully, we are at the bottom of the food chain here. The system is set up to protect the rakers, with no consideration for the rake payers beyond what it’ll take to convince more of them to pay more rake. Until there is more regulation in the industry, we must demand transparency from these networks. If we don’t, who is watching out for us?

Summary

Overall, the specific Cereus vulnerability has been resolved, and more quickly than we would have expected. Those of you who were afraid to play there because of this specific vulnerability no longer have to worry about this incident. Although new and interesting questions have arisen from this incident, it is perhaps comforting to know that it is very unlikely another site will repeat this mistake. The real lesson in this is that we can’t just close our eyes and click deposit; we have to keep our eyes open to the risks we’re taking with our money and our information. Also, secure your wireless networks!


20 Responses to “Cereus: An Editorial”

  1. polkaqueen says:

    “Poker networks are defacto financial institutions; they receive, hold, and disperse our funds. They should be held to the same standards as any other financial institutions that we trust with our money.”

    Couldn’t agree more. That’s why I only play at Stars, where I know my money is safe.

  2. LuckyGeorge100 says:

    Really?! And how do you “know” that PokerStars doesn’t have any bugs that are exploitable?

  3. missarcade says:

    AP still owes me money, they have not fixed that yet!

  4. killer108 says:

    but is it really safe like FT or Stars?

  5. dameon says:

    We can’t endorse Cereus to say it is as safe as FTP or Stars, in fact we can’t endorse FTP or Stars to say they are safe. We can tell you that Cereus has addressed this very specific vulnerability, and FTP/Stars never had this vulnerability. Beyond that it is a judgement call you have to make based on their past history, and your own appetite for risk. That is part of the problem really, what criteria are we supposed to use to judge? We can only see the bits and pieces that we’re given as end users, and after that it’s a gamble on the word of the networks.

  6. chuckyolsen says:

    This sketches me out a bit about AB from all the past problems. I don’t understand why this wasn’t in place and it took PTR to report this. If not for you guys they probably would have kept running business as usual.

  7. lukehatf says:

    Dameon, you and your team here are actually my heroes. You should be getting so much credit and financial gain for what you did for Cereus.

    I have played on Stars more recently and learnt more recently that Stars check what programs you run when you have their client open (to make sure you’re not running bots/cheating software, and even SNG Power Tools). FullTilt and the others don’t do this as far as I know. That was a sign for me that Stars will be the site I play on into the future. F##k rakeback! (They should use this in their marketing rather than the terrible ‘play with the Pros’ motto.)

    This security flaw of Cereus is obviously not the first. It does make you wonder whether equivalent AJ Green/Scott Toms were aware of the flaw and using it to their advantage.

    Two strikes and you’re out in my opinion. I have no idea why you would play at Cereus.

  8. mumpkin says:

    It is completely the management’s fault for having this huge hole. If a bank hired a 12-year-old to do its security and then asked a giraffe to test it, who would be at fault?

  9. sica01sica says:

    so again, how do we know that FT and PS are safe?
    I suppose they are, they did not make mistakes like this until now, but how do we know for sure?

  10. mrjoecoool says:

    it’s the giraffe’s fault for not telling that he can’t do it, instead of “yes sir” and having no idea.
    PS: some 12-year-olds are pretty smart.. lol
    PPS: if you’re not sure about security, simply don’t play there. Problem fixed.

  11. froggy says:

    At Full Tilt it is still possible to join a table even if accounts have logged in from the same IP address. At Party Poker, for example, this is not possible; their control of IP addresses and log-in information seems much better. I have seen people colluding at FTP, together playing with 3 people at the same 9-ring table, making pots bigger if one of them had a big hand. I noticed this when I was studying at the library. I know they are investigating these things and even I got back like 10 bucks after they managed to catch people colluding. I played .5/1 NL 6-max at those times.. seriously… like 10 bucks made a difference then.. LOL…
    I prefer to play Rush Poker now though. Great innovation imo!

  12. killer108 says:

    Also like to play on Stars; only thing is with 40-100 bb, though I play there.

  13. Tibchy says:

    It is too late. I do not give the Cereus network a chance anymore.

  14. MrThomasMoyes says:

    Isn’t Party Gaming listed on the London Stock Exchange? (Used to be a FTSE 100 company, now FTSE 250.) Surely that means they are the most regulated poker site? (UK gaming commission, FSA, etc.)

  15. killer108 says:

    it is not the subject here but to answer your question

    Party Poker is ranked as one of the top three poker sites based on player volume and is considered to be the largest European poker site available online. A publicly traded company, Party Poker is one of the few legal poker sites to make the UK White List. Located and licensed by the Government of Gibraltar, Party Poker features around the clock tournaments, excellent software capabilities which are compatible with Mac and Windows players and is 100% secure not only in software but financially.

  16. ekxero says:

    LIVE FREE OR DIE HARD

  17. DRybes says:

    killer108: The description you posted is an example, just like the article mentioned, of biased text written by a site that directly profits from referrals. You didn’t even try to edit out their URL. It may or may not contain some facts but you cannot trust it as fact, because it, like every other poker room description found on a site like that, was most definitely written for the express purpose of making you sign up through them so they get a tasty cut of the rake you generate for the rest of your life on that account, in exchange for some signup bonus.

    PTR itself runs poker room ads which score them similar affiliate earnings if you end up making an account at a site through the ad link. No company involved in the poker business is a stranger to profits capable of generating conflicting interests.

  18. killer108 says:

    OK right, I am disappointed, because before I played on UB: good software and RB. What happened now confuses me.

    At FT I don’t get RB, Stars bad new buy-in. Where do I need to play now, still UB?

  19. BoogaChai says:

    The correct long-term solution is actually quite simple, and I hope that it’s just a matter of time.

    Online Poker sites should NOT be holding our money in the first place, but transferring that important function to a “qualified” 3rd party or independent service (e.g. A Banking Establishment or Service, Financial Account Service, Transaction Facilitator / Guarantor, etc.). Simply mimic what you do EVERY time you pay for something with a Credit Card.

    The Online Sites could initially charge your account a session buy-in and then refund any difference when you end your Online Poker Session. Or, the sites could verify/freeze a certain amount in your (“Bank”) account and then release or charge the correct amount to your account when your session is complete.

    For example, if you pay for your car’s gasoline with a credit card at the pump, the station has just secured an amount (call it $50) with your financial institution, until the final amount of your “session” at the gas pump is known. When done with your “session”, they reconcile the correct amount to charge your bank/credit card. As well, you never even pay the gas station directly, but your credit Card company or bank does when you tell them to approve the charge (by swiping your card).

    Perhaps a new trusted 3rd party service needs to emerge, following the general PayPal model, with all of its benefits of risk reduction, security, insurance, etc. Even if this 3rd party Account Money Management is a yet-to-be-provided service, it just makes sense and a form of it should be the norm for the Online Poker Industry.

    Q:
    But, does that mean it’s only a matter of time before Common Sense kicks into gear? No, absolutely not. Why not? Because there is a LOT of money being made by “holding” Online Poker Players’ money. So, who would fight hard to prevent it? Just ask yourself: would any privately-held, foreign company simply give away one of its current revenue streams without a fight?

    A:
    The smart Online Poker Sites should embrace the concept of 3rd party financial servicing for Long-term Growth, Reputation (Security & Privacy) and Customer Loyalty. If they fight to keep your accounts in-house, they’re just greedy…

    What’s the RIGHT thing to do? I just gave you my opinion.

    -BoogaChai a.k.a. David Topazian

  20. foldilocks says:

    people still play at Ultimate Bet
    Why?

