UB Encryption Issues; Los Angeles, CA
May 11, 2022
6 Comments

Sorry for the delay everyone.  It was one of my best friend's bachelor parties and I obviously needed to attend that this past weekend.

It goes without saying that everyone is shocked and concerned, rightfully so, over the most recent UB security issues that have gone down.  I have received numerous emails from people asking me how another cheating scandal could have gone on there.  This is not true.  There has not be another incident of cheating that has been found, but rather a scary security hole that was discovered.  This is an email that I received that I wanted to share with you all with some inside information directly from UB:

"I wanted to touch base with all of you as I know there was some concern with this recent encryption issue found on our network. 
Please understand we fully see the frustration you have with this type of issue as we do as well.  However, I am very confident in stating this was a relatively small issue and one that was remedied quickly.  Please remember that for someone to have exploited this vulnerability, they would have to have the technical capabilities to crack the encryption/cypher method that we used prior and they would have also had to hack into your local network in order to gain access to sensitive data. It is possible that a hacker could try to develop a system to intercept communication through the internet but this is even more complicated and we believe it is even less likely than the first scenario described.
The method we used for encryption/cyphering was outdated.  As soon as they reported the issue to us, we immediately began working on solutions.  We released a new version of our software the next morning to address the security vulnerability.
Again, we have no reason to believe anyone has exploited this vulnerability but we have just begun investigating users that our players have requested.  We are reviewing all serious complaints to see if any player was able to exploit this vulnerability and we will investigate any other serious requests we receive.
We fixed this issue by implementing a more advanced multi-layer encryption, and we have also implemented logic that will prevent any  manipulation of this encryption.
We have also started working on a more advanced solution, which is the implementation of the OpenSSL standard for our client encryption.  We expect to have this live in a few days.
We have been in communication with 3rd party companies who we will be working with us to test the new encryption that we are using and the OpenSSL version that we are working on now.  We are also discussing the possibility of PokerTableRatings (PTR) engaging the poker community and auditing our complete security in order to ensure we are doing everything possible to provide a secure gaming environment."

Clearly with the history that UB has had, everyone was incredibly concerned about the situation.  It seems that it has been dealt with at this point and it is my hope that ANY members of the poker community get involved and attempt to test the security as they can.  I have spoke with CEO Paul Leggett and he has assured me that he welcomes any and all of those members to not only test security but also to go through past records as well regarding other issues that many still feel that haven't been addressed. 

I continue to work with the team over there to attempt to make sure that there are open lines of communication between the poker community as a whole and the UB management.  I have asked Paul to write a semi-regular blog addressing some of the issues that some of the poker bloggers bring up and he has agreed that that is a good idea and something that we need to do.  Whether it is hand-histories, ownership issues, or security ones like the one above, often I am not in a position to directly answer them as I do not work in Costa Rica at the home offices and actually help run the company.  I advise, and again, try to serve as a conduit for information to flow through when issues are brought up, but in truth I don't often have the answers.  I wasn't with UB when many of the negative issues originally happened and thus don't always know the answers, but I want to be able to put Paul in a position where he can answer them.  I am hoping that this will bring more truth into the light and hopefully assuage people's fears.

On the latest issue, Paul has instructed me that he is currently working on a list of FAQ's that UB will be using when they call players as well as posting on the blog.  He will be posting that later on in this week.

As always, I can be emailed for any number of issues from anyone in the community.  I am continuing to attempt to handle most hand-history related questions, although some are in the queue.  I always have some frustration at the time that it takes to get things sorted out, as well as the fact that there are some issues on the UB side with retrieving the data occasionally, I'm usually told that are based in the fact that the Cereus network was began not too long ago and much of that data is held elsewhere.  I would like Paul to write a blog explaining the issue there as well...

That's it for now.  Talk soon...

peace,
J

JOESEBOK
"...don't try to bleed me, cause i've been here before, and i deserve a little more..."

16 hours ago
COMMENTS
poker fanWe all know you have the poker community's interests in mind Seebs, but the fact remains that UB/AP software was not sufficiently tested before it went into production. The mis-awarding of a pot to Hellmuth only got the attention it did because of who it involved. The 'encryption' of client side data with XOR is purely negligent coding. The statement that this was an exploit/vulnerability and that there wasn't any cheating going on is simply unfounded. Unless there's a complete analysis of hands SINCE Cereus was launched, you will never know if someone else had figured this out before PTR did. And if someone WAS exploiting this vulnerability, and wanted to be smart (unlike the Russ Hamilton and company) they could easily disguise their knowledge of their opponent's cards by folding to a bluff once in a while etc. I don't understand how anyone would play real money games on the Cereus network when there's reputable alternatives.1
jackhighSeebs, don't you guys think you should just shut down until the problem is fixed? More people (hackers) now know of the securtiy problems at UB. It will take at least a week for proper encryption to take place (saying it will be sooner is just not being truthful). If you truly cared about your customers, doesn't it make sense to shut it down until you can do it right? I know you need that UB paycheck to pay the bills right now and you need to paint a positive picture for your employer etc. but this is an incredibly horrendous securtiy oversite and glossing it over isn't the right way to go. Please, tell your bosses to just do the right thing and shut down the site until you can guarantee your players security.2
pandaJoe, why is the email you quote anonymous? There is no good reason for that. You have failed to give any critical analysis of either this or the cheating scandal. To quote your blog from 21st September 2009, "I would never be a P.R. spinning machine for them... I would never be comfortable with Ub's history unless I could have a direct impact on making sure that it [cheating] never happened again." Will you accept that you have clearly failed to do so given such a serious, and easy to spot, security hole? Paul Leggett has claimed many times that security had since been verified by a 3rd party, did you oversee this at all? I would guess not seeing as you now describe your role for UB as nothing more than a "conduit for information to flow through," which is markedly different from what you claimed in September.1
I_Like_HamWill everyone get off seboks back. He has a lot on his plate at the moment, getting those ever elusive hand histories for one. Have you ever tried to get hand histories from stars you know it takes a long time. Second he as to address how phil hellmuth was shipped a pot with the losing hand, then how the same account won the bad beat jackpot twice, and now this. Leave joe alone. peace, I-4
sdjayteejust dont see how anyone can have piece of mind while playing for any kind of real money on UB2
FoucaultThanks for the update, Joe. I appreciate that you understand why, particularly in light of UB's history, people are skeptical about some of the claims being made now. In particular, what about the past claims by Leggett and others that Cereus is now the safest place to play and has had "countless" security audits? Can you get them to release the names of the companies that performed these audits? Can you get them to authorize the auditing companies to make the results of the audits public? What will be done in the future to ensure the security of the site? Clearly all the audits that took place to date were not sufficient. Why should anyone believe the site is now secure, given that such an obvious vulnerability was overlooked until now? Personally, I have my doubts as to whether rigorous audits ever took place, and I will not play on Cereus until I see proof. Given the company's history, the claims of its spokespeople have no credibility and need to be supported by verifiable evidence. 0