Cereus Poker Security Response
Cereus Poker has responded to our communications with them regarding their network vulnerability. They have requested that we post this email here and we agree that keeping the public informed about progress toward a solution is the best course of action. We also appreciate their candor in communicating with us.
Hi Dameon,
We really truly appreciate the email you have sent us regarding the vulnerability in our encryption. I just became aware of your article 30 minutes ago and I have read your article and watched the video. I think you have done a great thing for the poker community by emailing us and letting the community know about it. Thank you for that.
I would also like to express how seriously we take this issue. I’m expecting to have a solution in place in a matter of hours and I would really like to discuss engaging your company to help us test the solution, if your company provides such services.
I would greatly appreciate it, if you could paste the contents of this email on your website, so your followers are assured that we are aware of the issue and we are working diligently to address it.
I would also like to emphasize to your readers that this issue would require someone to have access to their local network and also have the technical capabilities to crack our encryption in order to gain access to the player data and see the clear text like you did in your demonstration.
Again, I greatly appreciate you notifying us and the poker community and we will investigate this fully and completely and fix the problem immediately.
Regards,
Paul Leggett
COO, Tokwiro Enterprises

It would not require access to the local network, just the traffic at ANY hop between the user's PC and UB's servers.
I like the way he tries to get you guys on side by asking your company to test it. This is a way of buying your co-operation. It is reasonable to consider that this hole was left by the security team so they could access hole cards off site.
**** UB, anyone who plays there is *******
Edit: Watch the language
Ridiculous that anyone still plays at those sites after all the cheating scandals that have been detected. Imagine how much has gone undetected and now even more proof comes to light about how easy it is for people to cheat on those sites. GG Russ Hamilton & company, laughing all the way to the bank.
.... and lol @ anyone who ever believed the whole 'it's an entirely new company and new software and new management, we're on the up and up' schtick.
i really like the way ptr has stepped up in this and the stox case to try and help protect the poker community. kudos.
Why is it the poker community has to fix all of these guys' problems? Seriously, their track record is laughable.
is he going to pay us an hourly wage for helping *fix* and *test* a security issue? I didn't do too well in my computer programming class. Do you guys trust my opinion? I mean jesus... Then there are other major sites like stars and tilt and this cheating scandal with stox poker where the *security* departments did *thorough* checks on cheating allegations yet it takes diligent work from a person devoting hours upon hours to exploit something that a billion dollar industry's top notch *security* team couldn't figure out or chose not to exploit. Maybe they're just too busy thinking of new ways to make more money off us. I mean I sure do believe them when they say we are safe playing there. And I do believe them when they say the cards aren't juiced either and it's random. I mean why not. This is some risky game of roulette a lot of hard working and honest people try to get a big score at and we are all getting taken advantage of one way or another. Thanks to ptr for at least exposing this much.
It's pretty obvious that they are not prioritizing security. I really hate these kind of things. It makes it so much more likely that governments will be able to lock down the poker market.
@ Lewkiz
Wouldn't that suck, a government monopolized online poker server? X-{ . . . Fees on deposits, withdrawals, and all profits tracked to tax you right off the bat (not that most players need to worry about that).
To PTR... Isn't your program just the same as any bot type of program or holdem manager that can see and read your hole cards in real time... Your video shows your program displaying your own hole cards, umm big deal there are loads of programs that can do the same thing on at least cake ub full tilt etc... So how does this show anything special.. The only way this is possible is to have your computer itself hacked, obviously through your internet. So having your computer hacked is bad in general specially if you play poker.. I don't see anything diff between ub ap full tilt cake etc... Maybe you could be more clear and show a video that displays someone else's hole cards..... thanks
Tim, the hole cards are exposed by decrypting network traffic. If you would plug that laptop into one of the switches of the Cereus datacentres (or any hop with close proximity to Cereus endpoints) you would see everyone's hole cards!
Rutger: plugging the computer into the switch of cereus lol isn't this a little far-fetched... I know of programs that also decrypt network traffic on any site out there... So this can be done on any site if you can plug into the "datacentres" ???
which sites are Cereus, just absolute and UB?
"I would really like to discuss engaging your company to help us test the solution, if your company provides such services."
He would like to entrust the safety of his network to a company that he doesn't even know if they offer testing as a service! He doesn't know what their track record and experience in this field... what an idiot wanting to publish that letter.... regardless of the capabilities of PTR guys the point being this guy doesn't know!
ANNNNGERRRRRRRRR!
I still haven't seen any update that indicates this may have been fixed. He says a couple hours? Isn't that just a lie that they would possibly fix it that fast?
I'm only going to play on a wired home network from now on, and try to find a new site.
yes just absolute and UB are cereus.
Thanks to whoever did the research on to expose this.
then is better not to play there more, shame rakeback and good software
It sucks they are not in the US or somewhere where they would be more regulated and shut down! They have no consequences to their ongoing scam. I have never heard of any company that is known to have their customers scammed for years and they can still operate and make millions+ $ a year. At least my b.r. was free from ptr. Thanks for all your hard work PTR :)
if they were in the US or somewhere more regulated the americans wouldn't be playing on there either
Thanks again PTR for keeping the poker community informed and being involved with helping to investigate the stox case and for catching the encryption problem that cereus network has. I am closing my accounts both with UB and AP. Again thank you PTR!!!!
i play here, does seem rigged and like people can see my cards sometimes
also i emailed them once with hand histories that were suspicious, they said, oh our blah blah is tested its legit, basically
a case of the pot calling the kettle black
omgtimdwan says: plugging the computer into the switch of cereus lol isn't this a little far-fetched…
Actually, no, it's not. How do you think the internal employee at AP exposed the super user hack 2 years ago? I am sure there are a bunch of employees, contractors, and vendors who have all the access they need. Not only could they "plug in", they could reconfigure routers, switches, etc. to forward the traffic to anywhere they chose. Not to mention, "plugging in" to the data center (yes, it's two words) is not the only means to capture the traffic.
"I know of programs that also decrypt network traffic on any site out there… So this can be done on any site if you can plug into the “datacentres” ???"
No you don't. If these programs existed the security of the entire internet would be in question since almost every other site uses industry standard encryption methods, the same ones used at banks, online stores, and just about every internet site that uses encryption. Would you do online banking with a bank that used weak crackable encryption? If you did you would be an idiot. This is the same scenario from an attack vector perspective.
"The only way this is possible is to have your computer itself hacked, obviously through your internet. So having your computer hacked is bad in general specially if you play poker.. I don't see anything diff between ub ap full tilt cake etc… Maybe you could be more clear and show a video that displays someone else's hole cards….. thanks"
No, it's not. Hacking anything on the Cereus network could potentially get you what you need. Hacking any piece of infrastructure that sits between the client and the server gets you what you need. Do you think that some organized crime ring has/is not exploiting this in some way? Pretty naive...
TO: BI1x
There are plenty of programs out that read full tilt etc in real time... I have seen it myself and it's simple as hell to get a hold of... but if u can hack into one's computer then u would see their cards as they play.. but what PTR is showing in their video I can do also with a program... What I would like to see is a video showing someone else's hole cards.... because the videos AGAIN IS 100% useless BECAUSE I CAN DO THE SAME THING ON FULL TILT... PLEASE MAKE A VIDEO WHERE U CAN SEE SOMEONE ELSE'S CARDS!!!! then it would be believable that cereus can be hacked otherwise IT'S ALL HYPE... NO PROOF THANKS...
"There are plenty of programs out that read full tilt etc in real time… I have seen it myself and it's simple as hell to get a hold of… but if u can hack into one's computer then u would see their cards as they play.. but what PTR is showing in their video I can do also with a program… What I would like to see is a video showing someone else's hole cards…. because the videos AGAIN IS 100% useless BECAUSE I CAN DO THE SAME THING ON FULL TILT… PLEASE MAKE A VIDEO WHERE U CAN SEE SOMEONE ELSE’S CARDS!!!! then it would be believable that cereus can be hacked otherwise IT'S ALL HYPE… NO PROOF THANKS…"
You are a moron and have no idea what you are talking about. Do you think that programs like Holdem Manager or Poker Office are reading your hole cards from the network traffic? They read it from your hand histories retard, after they are sent to your computer, how it was designed to work. You obviously work for AP/UB and are trying to convince people their BS is legit. People are not that stupid. The video fully demonstrates the exploit. The second linux box is reading the hole cards from the data stream, not hand histories. There are NO programs that can do that at any other card room. Don't listen to this retard he has no clue or he works for AP/UB.
"BECAUSE I CAN DO THE SAME THING ON FULL TILT…"
So make a video...
Dude you are a complete fkin idiot, I'm not talking about holdem manager or poker office u complete idiot, I'm talking about programs that u don't even know exist I swear on my life I've seen and used (not on my computer), a program (bot) that you might not have heard of that shows the cards u are dealt in real time on the program not through hand histories, the cards are displayed faster on the program than on the screen of full tilt, and it's the same for every site out.. YOU'RE THE IDIOT BECAUSE YOU watch a video that shows nothing of cereus being hacked, they show their own hole cards in real time oooo mmmmyyyy godddd big fkin deal I'VE DONE THAT ON FULL TILT..... I WANT TO SEE SOMEONE ELSE'S CARDS SO I CAN BELIEVE THAT CEREUS CAN BE HACKED>>> PLAIN AND SIMPLE.... UR THE IDIOT
AP/UB should be shut down, too many epic fails and false promises.
omgtimdwan,
You don't understand what is being said here. The hole cards displayed are being read through a wireless signal, the computer he is seeing the hole cards on is not connected to the internet nor the computer being played on. So it doesn't matter that he can see the cards on UB, it's just an example. He could be sitting outside while someone else is playing and steal the hole card information before the person playing is even aware of them. Meaning he could be the person sitting next to the guy at the table with A4o and still know his cards. Everyone here understands it's a little far-fetched that someone would camp out in your backyard to see your hole cards, but the implications of this technique on a larger scale would be devastating to the Cereus community. Also, the programs you're talking about DO NOT decrypt network traffic, they simply read the hand history that is updated in real-time as the hand is played. They're only called hand "history" because you can go back and see what happened. In other words the hand history is not saved as a text file after the hand is completed, it's continuously updated as the hand is played out. Allowing programs like holdem manager to display this information in real-time, seemingly reading the network traffic being sent to your computer, although this couldn't be further from the truth.
@ omgtimdwan
So you are saying there are programs out there that can decrypt OpenSSL? You would have to be saying that since Fulltilt uses it to wrap communication between the server and client. Wow, I work in the security industry and have for almost 10yrs. and you are sitting on one of the best kept secrets in the industry. You could be a millionaire with that kinda technology. The only known vulnerabilities related to SSLv3 are man-in-the-middle based attacks and do not have anything to do with cracking the encryption like what is being displayed in this video.
Thanks for playing...