Sunday, July 18, 2010

Poker Table Ratings Uncovers Cereus Flaw and Then Makes Everyone Misunderstand What it Means

OK, I’m out of the loop, so I missed this issue, which was brought up in May and then circled sites like wildfire.  UltimateBet and Absolute Poker were using a simple custom encoding instead of industry standard SSL encryption (the kind your browser uses when you are visiting https:// sites like a bank, etc.).  The flaw is definitely something that should have been fixed (and was fixed a few weeks ago), but the explanation given by Poker Table Ratings (their article here) gave the impression that the flaw could easily allow an attacker to compromise your account, see your hole cards, etc.
Well… Yes.  IF you are playing UltimateBet on an unsecured and unencrypted wireless connection AND someone has a computer with a special wireless card that lets them sniff packets AND if they figured out the encoding they could see information sent from you to the cardroom (like your username and password) and from the cardroom to you (like your hole cards) AND they are sitting right next to you.
One minor issue—who plays poker (or does anything financial at all) on an unsecured unencrypted wireless connection?  ALMOST NO ONE.  Most online players, I’d dare say, play poker either from a single computer, from a home wired network, or from an encrypted home wireless network.  And instead of acknowledging that this is basically safe, they say even wired networks could be compromised, which goes beyond silly because it means that someone has to target YOU and then get a wired connection to your wired network, which means plugging an RJ45 cable into your switch/router/whatever, which is probably right there sitting next to you.  THEN they have to have a special network card that allows packet sniffing, the software to use that card and the ability to crack the encoding, and then somehow use all of that while you are playing online poker.  So… yes, if your sister is a master computer hacker and lives with you, there could have been an issue.  For everyone else in the world there’s NO way your account, hole cards, etc. are going to be compromised.
Question:  If someone knows about this bug and sees my account playing poker can they hack me and see my hole cards?
Answer: Not unless they know who you are in real life and break the physical security at your actual physical network to intercept your information.  If they only know your poker Screen Name there is no way for them to target you.  They must actually get in close physical proximity to you in the real world.
Of course, UltimateBet and Absolute Poker are now using industry standard SSL encryption, so even these “in-person” attacks on your account won’t work anymore, but my point is that this was never a threat to most players at these sites and only a mild threat to the worst-case-scenario people who were logging in and playing real-money poker on an unknown and unsecured wireless network.  For those people, even though this issue has been fixed, I sincerely recommend they stop doing that.  And stop accessing their bank and any other financial or sensitive information over such a network.