| Author |
Message |
|
nutty007
DD Fish
Degen Index: 6
Joined: 12 Mar 2008 Posts: 157
|
This has been posted: http://www.pokertableratings.com/blog/2 ... r-network/ In short, it confirms that the Cereus network is unsecure due to the fact that it does not encrypt using SSL. If the procedure is followed then you can view hole cards. The fact that people STILL play on UB makes me think that this mail is moot; HOWEVER, those with an interest in the integrity of the game may find this interesting. Thanks
|
| Thu May 06, 2010 4:20 pm |
|
 |
|
peterdc
DD Scammer
Degen Index: 20
Joined: 17 Mar 2010 Posts: 1199
|
You would think AP/UB would be as secure as Fort Knox and as honest as Abe Lincoln after their history. I would never play there just on principle, but wouldn't another scandal be the silver bullet to these sites? That they don't at least use top flight secure software amazes me. Though it probably shouldn't.
|
| Thu May 06, 2010 4:26 pm |
|
 |
|
nutty007
DD Fish
Degen Index: 6
Joined: 12 Mar 2008 Posts: 157
|
Unfortunately UB will survive because people will still play there under the illusion that the games are much 'softer'.
These same people have no integrity for the game.
How many times does one have to fuck up? Too many people shying away from a collective responsibility to ensure games are played on a level.
|
| Thu May 06, 2010 4:29 pm |
|
 |
|
ship
DD Old School
Degen Index: 5
Joined: 21 Jul 2006 Posts: 19678
|
Tournaments are winnable there, so if there are people who can see my hole cards, then I can beat people who can see my whole cards. 
|
| Thu May 06, 2010 4:31 pm |
|
 |
|
DanDruff
DD Punching Bag
Degen Index: 83
Joined: 18 Jun 2004 Posts: 20934 Location: One of many secret locations
|
WOW
And they actually had the nerve to promote Cereus as "the most secure poker network in the industry" when it first launched.
Long before the scandals broke, I always felt AP and UB to be a mixture of incompetence and shadiness. Both have been proven to be true.
Cliff notes of the article: UB uses very weak encryption in sending and receiving data from its players. If you are on a wireless network and it's not encrypted, people can "listen" to the communications between your computer and UB.
This would be especially easy to accomplish in places known to have large numbers of online poker players, such as Commerce, Bellagio, or the Rio in the summer.
I disagree that it's unlikely that this has been used to steal from people. If PTR kept quiet about this, they could have easily camped out at the places listed above and stolen many thousands of dollars per day.
|
| Thu May 06, 2010 4:32 pm |
|
 |
|
MikeLv89117
DD Piranha
Degen Index: 9
Joined: 01 Oct 2009 Posts: 347
|
I just ran across this too and was going to post as well... LMAO. Not like I care really, I don't even play on AP or UB anymore, stopped playing there like 4 years ago, BUT WOW man this is crazy... HOW DUMB do you have to be to still be playing at AP and UB????
|
| Thu May 06, 2010 4:41 pm |
|
 |
|
bitchezbcrazyjuno
DD Whale
Degen Index: -2
Joined: 26 Aug 2008 Posts: 2445
|
XBLINK is pissed I'm sure.
|
| Thu May 06, 2010 4:41 pm |
|
 |
|
nutty007
DD Fish
Degen Index: 6
Joined: 12 Mar 2008 Posts: 157
|
I agree that it is more through luck than anything else if this has NOT been exploited, but believe someone somewhere will have. The only difference I feel about this is regarding sympathy for users, as there have been so many stories regarding UB/AP that ignorance is no longer a defence. Quite simply, DO NOT play on UB/AP under any circumstances or more fool you!
|
| Thu May 06, 2010 4:44 pm |
|
 |
|
fuhoser
DD Old School
Degen Index: -40
Joined: 18 Dec 2004 Posts: 9839
|
The chances of you being cheated without being on a public wireless network are extremely low. Out of the 1/2 a dozen ways you could be cheated, this one is probably the least likely. Most action on that site is low limit and I can't fathom how it would be worth someone's time to cheat 99% of the games using this. I suppose maybe tapping into someone's network upstream and playing hup high limit games might be worth it.
Their software development was obviously outsourced, as you can tell by the off grammar in the client and the general feel to it. It is quite barebones and has that from a spec type of feel.
|
| Thu May 06, 2010 4:48 pm |
|
 |
|
DanDruff
DD Punching Bag
Degen Index: 83
Joined: 18 Jun 2004 Posts: 20934 Location: One of many secret locations
|
How can you say the chances are "extremely low" that someone found the flaw and exploited it? It has already been demonstrated that it can be done. Had PTR not been a noble organization, they would be licking their chops waiting for this year's WSOP, and camping out several laptops at the Rio and Bellagio. If others also figured this out, they are very possibly already doing this. I agree that in TYPICAL CASES it is unlikely that someone would be sniffing your public wireless signal. That's because there's little to be gained from doing that. In this case, the method was proven, and it's very easy to find a large gathering of poker players on an unsecured network.
|
| Thu May 06, 2010 4:51 pm |
|
 |
|
Nightmarefish
DD Whale
Degen Index: -7
Joined: 18 Sep 2009 Posts: 1040
|
Wasn't Hollywood Dave on radio a few months ago claiming that he guaranteed UB was the safest place to play and all of the shadiness was in the past? I mean wtf does he have to say now? What does Sebok have to say? I used to think these were alright guys, they came out said they would fix everything but haven't done anything and continue to stick by this piece of shit company. They are no different than Phil and Annie yet try to act like they are doing everything they can. What a load of shit. Get them on radio Druff, no mercy, no caring about hurting their feelings and no settling for bullshit answers.
|
| Thu May 06, 2010 4:52 pm |
|
 |
|
nutty007
DD Fish
Degen Index: 6
Joined: 12 Mar 2008 Posts: 157
|
It's probably extremely low because most would find it incredulous that this could happen, but there are plenty of people with greater knowledge/skills in this field for whom this could be invaluable. Evidently the solution is simple... Do not play there for both moral AND security issues.
|
| Thu May 06, 2010 4:55 pm |
|
 |
|
nutty007
DD Fish
Degen Index: 6
Joined: 12 Mar 2008 Posts: 157
|
Based on Hollywood Dave's response on DDRadio I would suggest he has zero knowledge/influence or ignorance is bliss!
|
| Thu May 06, 2010 4:56 pm |
|
 |
|
fuhoser
DD Old School
Degen Index: -40
Joined: 18 Dec 2004 Posts: 9839
|
I don't even understand how you can think the odds are anywhere but extremely low that a typical UB/AP user would be cheated using this particular system. Why don't you take your average user, who is not on unencrypted wifi, and run through the scenario for us and figure how much $ one could actually make? Did you just misread my sentence? I made the disclaimer 'without being on a public wireless network..' because that's pretty much the only way you'd be cheated using this system. I shouldn't have used "you" as I was not directing it at anyone in particular. I'm just being reasonable here. I have no interest in whether people choose to play on the site or not. Let's play devil's advocate though. You have to sit in the RIO, sniff traffic until you find someone on the network, then you hit jackpot if they are headsup. If they're not, then the effectiveness is diluted by the fuller the table. Even if it is headsup, they may or may not continue playing you. The Rio is very large though, it isn't like you can just grab all network traffic. I bet the wireless APs only cover 70 rooms or so tops. (Cement walls + low wattage) You'd have to rent different rooms to increase effectiveness. Your talk of how someone could just clean up is a bit foolish. This whole 'if they weren't honest, they'd be making thousands' is amusing stuff. The biggest pot on UB right now is $80. I can't see why WSOP has everyone logging into UB of all sites. Obviously you shouldn't play there at the RIO/Bellagio or any other area like that on an unsecured connection... but you are yelling fire in a theater for no good reason. Weighing everything out, it is not near as simple as you're claiming.
|
| Thu May 06, 2010 5:19 pm |
|
 |
|
dougmanct
DD Fish
Degen Index: 9
Joined: 10 Mar 2008 Posts: 228
|
It took me all of 10 minutes to find the decoding function for the packets going to and from the client inside the Absolute MainClient.exe using an open source C++ decompiler.
So yeah, decoding traffic to and from Cereus if one had access to unencrypted TCP/IP traffic would be pretty easy.
This is really about as bad as it gets. I have to think if exploits for this weren't prolific before, they will be within 24 hours.
|
| Thu May 06, 2010 5:49 pm |
|
 |
|
DanDruff
DD Punching Bag
Degen Index: 83
Joined: 18 Jun 2004 Posts: 20934 Location: One of many secret locations
|
Yeah, I thought of that too. Knowing AP/UB, they will sit on their ass about this for a few weeks, and not treat it with the urgency that it deserves. I can imagine that some people are writing utilities right now and planning some lucrative trips to Commerce/Bellagio very soon.
|
| Thu May 06, 2010 5:53 pm |
|
 |
|
DanDruff
DD Punching Bag
Degen Index: 83
Joined: 18 Jun 2004 Posts: 20934 Location: One of many secret locations
|
Also, to be honest, I have ZERO sympathy for anyone who gets cheated on UB at this point.
The lightning already struck once there, and the company has demonstrated itself to be incompetent, arrogant, and unapologetic.
If you continue to play there, you have no right to bitch when the next person steals your money.
|
| Thu May 06, 2010 5:54 pm |
|
 |
|
nutty007
DD Fish
Degen Index: 6
Joined: 12 Mar 2008 Posts: 157
|
Imagine the scenario with no 2+2 community, no PTR, no Haley.
Online poker would be a shambles.
I am based in the UK where policy (certainly online) is liberal and there are no restrictions in place.
For the U.S. or people who reside in the U.S., these sorts of scandals only harm in an environment which I understand is already restricted and heavily scrutinized.
|
| Thu May 06, 2010 6:00 pm |
|
 |
|
betcheckbet
DD Whale
Degen Index: 30
Joined: 22 May 2008 Posts: 3366
|
lol such a fucking joke.
|
| Thu May 06, 2010 6:04 pm |
|
 |
|
fuhoser
DD Old School
Degen Index: -40
Joined: 18 Dec 2004 Posts: 9839
|
You guys forget how easy it is to cheat in poker to begin with by simple collusion in a short handed game. If someone has enough money to back this, it'd make more sense to start games and cheat 3rd/4th players via signals. Not as effective cheating this way, but it is as easy as hunting around _hoping_ to find a headsup highlimit player. Not sure these headsup guys sit around in the Commerce/Bellagio. You might find one. I suppose if you were familiar with the HUP players to begin with, it would make this a lot simpler. (Especially if you were willing to social engineer what part of the hotel they're staying in.) Knowing the holecards of one player in a 6 handed game etc will not net you buckets of money. It might double/triple your EV, but that doesn't make it anywhere near worth doing given all the other ifs that have to come together.
|
| Thu May 06, 2010 6:09 pm |
|
|