Friday, May 07, 2010

UB Security Flaw Take

Putting aside the general dislike of Cereus/UB/Absolute that is out there, I think the recent security flaw isn't as major as has been suggested by the various commentators out there.

Yes, using a simple XOR encoding instead of the industry standard SSL encryption is dumb. In fact, it's flat-out inexplicable. That's day 1 in cryptography. They may as well send the data as a text file.
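Why a fixed XOR key gives no confidentiality against anyone who can see the traffic, shown as an added example (not code from this post or from the poker client). The repeating-key scheme, the 4-byte key and the message format are all constructed assumptions, since the post does not describe the actual wire format.

```python
from itertools import cycle

def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call decodes, because XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Derive the key from one captured message whose opening bytes are predictable.

    ciphertext XOR plaintext = keystream, and the keystream is just the key
    repeated, so its shortest repeating unit is the key itself.
    """
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for n in range(1, len(stream)):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream  # no repeat seen: key is at least as long as the known text

def leaked_prefix_len(wire_a: bytes, wire_b: bytes) -> int:
    """Count leading bytes where two messages under one key are visibly equal."""
    n = 0
    for a, b in zip(wire_a, wire_b):
        if a != b:
            break
        n += 1
    return n

# Constructed sample data (assumptions, not the real protocol).
KEY = bytes([0x5A, 0xC3, 0x11, 0x7E])
HEADER = b"SESSION-START v1;"
MSG_1 = HEADER + b"user=alice"
MSG_2 = HEADER + b"secret=constructed-sample"

def demo() -> bytes:
    wire_1, wire_2 = xor_encode(MSG_1, KEY), xor_encode(MSG_2, KEY)
    # A passive observer sees only wire_1 and wire_2, and guesses HEADER.
    key = recover_key(wire_1, HEADER)
    return xor_encode(wire_2, key)

if __name__ == "__main__":
    print(demo())
```

With TLS, each session uses fresh keys and authenticated encryption, so neither the equal-prefix leak nor the known-plaintext key recovery applies.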

But why it's NOT as major a concern as it's being made out to be is the interception portion of the situation. The vulnerability as it was described can only be exploited with access to the end-user's network.

So to be abused, the following conditions would have to be met:

- You're playing on UB/AP on a wireless network
- Someone knows you're doing this
- This someone is within range of your router
- This someone must access your router, either because it's unsecured or by hacking it
- They must run some relatively available and simple code to access your hole cards
- They must ALSO play on UB/AP and sit at your table

This isn't a case of some random insider creating a superuser account against random players. You would have to be targeted. Now, if you broadcast that you play at these sites to unscrupulous people who know where you play from AND have the technical knowledge to pull this off (not complicated for anyone with a computer background, but above the heads of your average Joe), then you could make yourself a target. If you play from public, unsecured wireless networks (i.e., coffee shops, wi-fi hotspots), then you could be in danger. But again, someone would have to know you were playing on these sites AT THAT TIME, and know your online name in order to find you.

If you're playing at home, have any level of access control on your router, or are wired-only, then you don't have much to worry about.

That said, I still won't play on these clusterfuck excuses of poker sites.


lightning36 said...

I feel much safer not understanding the nuts and bolts of this computer security crap.

*TT* said...

"So to be abused, the following conditions would have to be met:"

You mean like playing on the public WiFi networks at Commerce Casino, Bellagio, WSOP, or any other major card room with a hotel?

You're right that this probably won't be a big issue for the average online low stakes player who has only $300 in their account and never plays the tournament circuit, but for those who play the tournament circuit, or for those who play online while staying at casino hotels, this is a MASSIVE issue.

PS: Perhaps you are not aware that Commerce Casino had an incident of theft via packet sniffing last year. This problem is not new... but UB's encryption issue is.