Wednesday, May 19, 2010

Tokwiro COO Paul Leggett Speaks About Video Showing Encryption Flaws on the Cereus Poker Network, the Brain Center For Both and, Online Poker's Biggest Cheat-Riddled Poker Sites!

On May 6, PokerTableRatings published a video that showed encryption flaws on the CEREUS Poker Network that would have allowed hackers to gain access to players' hole cards while games were actually in progress.

Since the video was first posted, Tokwiro COO Paul Leggett has been communicating with PokerTableRatings to fix the issue. After working with PokerTableRatings over the past week to secure the network, Leggett sat down with Bluff Magazine to answer questions about the video, the network and the scandals that have plagued UltimateBet and AbsolutePoker over the past two years.


How did you first hear about the video?

Paul Leggett: PokerTableRatings released that video and sent an email, I believe, simultaneously. At least that’s what they told me when I spoke to them. I first learned of it when someone in our security department called me. Shortly after I was forwarded the email that (PokerTableRatings) sent to a couple of people in our organization.

Was the email professional in nature?

Leggett: It was professional in nature. I am of the belief that it would have been better for the poker community and players if they notified us and maybe gave us a short period of time to respond seriously. Otherwise, they would have released it publicly because it took us roughly 12 hours to increase our security. If they’d given us that window of time, twelve hours or one day, to show that we’re serious about it before releasing it to the public, that would have benefitted the poker community.

But they’re a business and I understand that they have their own reasons to do things the way they do. But they’ve been very professional in helping us test it and we’re very happy to work with them. We’re impressed by their organization, but I think that one small decision would have been better for poker players if they maybe gave us 24 hours to respond.

What was your initial reaction to the video?

Leggett: I was very concerned when I saw the video and immediately contacted all of our technical staff to verify that it was or was not true. Shortly after that it was identified that it was accurate. I was initially very upset, but immediately began trying to communicate to our players and get the issue resolved immediately.

Do you think your network was targeted specifically? Do you think this was something PTR knew about? How do you think PTR came up with the idea to attempt this?

Leggett: They probably saw some positive PR from their involvement in exposing the StoxPoker trainer that was multi-accounting. So I have no reason to believe they intentionally targeted us. But PTR’s software tries to interact with software like ours, so their developers are naturally going to try to poke around in our software and try to figure out how it works so they can extract data. So I think that they stumbled across it, and there’s no malicious intent in stumbling across it. It’s just the nature of their business that allowed one of their developers to poke around and he discovered the vulnerability.

How did the software get to the point where there was this vulnerability?

Leggett: It was a poor decision made by our software development team that implemented a weak method to protect client-server communication. The decision seems to have been made for performance, but basically it doesn’t matter, it was a poor decision. We should have been using a much better version of encryption to protect the communication between the players’ computers and our servers.

Is this at all related to either of the previous software issues on UltimateBet?

Leggett: Absolutely not. What we uncovered about the UltimateBet scandal was that there was a software program that was left there by the previous owners or was built by the previous owners a long time ago, and they were exploiting that for years in order to view players’ hole cards. Anybody internally who was abusing their power, like what happened under the previous ownership of UltimateBet, would not use a method like this because it’s very difficult. They can’t just see hole cards; they have to learn how to crack our code and decipher the communication. They also have to gain access to the messages as they go back and forth between a player’s computer and our servers. So it would be a very foolish way for anybody to try to view players’ hole cards, especially if you were an internal employee.

Will the Kahnawake Gaming Commission be involved here at all?

Leggett: Absolutely. Our company has to inform the Gaming Commission within 24 hours of any serious issues relating to the operation. So I notified them shortly after I communicated to players about what was going on and we’re currently working with them to find the best third party auditor that we can. We’re even considering people outside the gaming industry to help us confirm that first - exactly what PokerTableRatings has done - confirm that our client-server communication is using OpenSSL properly.

PokerTableRatings has verified this and published on their website that we are now in fact using OpenSSL and are fully secure. So we want somebody to do that, but we also need somebody to review everything. We’ve been under a lot of audits before, we’ve been audited by several gaming auditors and unfortunately no one has caught this. We’ve spent a ton of money on these third party audits including PCI compliance as well and unfortunately none of this got caught so we’re looking for the best security company money can buy that will help reassure players that we are secure. And we’re going to be talking with the public about that as we go through this and who’s going to be doing it and then share the information from the security reviews and audits as well.

The Gaming Commission is absolutely involved every step of the way.

Do you expect to face any repercussions (from the KGC)?

Leggett: It’s possible. The first priority was to secure the site. We have an ongoing investigation to make sure that, even though we believe it’s extremely unlikely, this vulnerability wasn’t exploited, for a number of reasons. We don’t believe it was exploited because somebody would have to gain access to it, intercept the messages between, crack our code, etc., but we also have other applications that would detect abnormal win statistics so we think we would have caught it.

We’ve been investigating it for just over a week and so far we have no evidence, but we’ve got a lot of investigating to do to determine if somebody was exploited, and then deal with that situation if it turns out to be true. So there’s an ongoing investigation and there won’t be a decision until it’s completed. So it’s possible there could be ramifications.

How long do you think that internal investigation will take?

Leggett: It’s difficult. We’re investigating specific players now that we had complaints about, but we’re also trying to figure out what we can do internally to expand this investigation and confirm that nobody was exploited. We’re trying to find the parameters of the investigation itself and we’ll communicate that as well. We’re working with the Gaming Commission and we’ve got meetings all this week and it will continue on for some time. Obviously at some point we’ll have to put an end to it, but right now we’re trying to define the parameters of the investigation and how far and how deep this has to go.

You mentioned it was a ‘poor decision’. Were there any internal measures taken? Was anybody fired or let go?

Leggett: Nobody has been let go yet. But again, we’re trying to get all the information together. I’m very upset; everybody at UB is very upset that this situation has occurred. It’s obviously bad judgement and we take full responsibility for providing our players with a secure gaming environment. Our software development team should have caught it, the third party audits should have caught it, and I took it that, with these different entities and groups all checking, it would get caught one way or another and there would be no security holes.

We’ve invested a lot of time and money in building this application. Unfortunately, something fell through the cracks and we’ve got to look at this from the ground up because we can never allow something like this to happen. Really I’m looking for security professionals and third-party auditors that can help us make sure there’s nothing missing. We may have to make some changes in our company with personnel or how we are structured, and internal procedures as well. There are probably going to be a lot of changes that need to be made aside from just reviewing all the security we have now so that nothing can slip through the cracks. Obviously something was wrong so we need to change that.

How do you get past this event, after everything that’s happened over the last two years, to gain customers trust?

Leggett: I don’t expect anybody to have a leap of faith and just trust us blindly. We have to prove that we are secure. We have to talk to the poker community. We have to say, ‘Tell us what you want us to do to make sure we’re secure’. We’re going to communicate with them about which security company we’re going to use to audit us to make sure that that’s a high enough standard for them to feel secure. And we’re going to have to communicate with them about the results of that audit and the steps taken to make sure we’re secure and all the details, our entire security from RNG to results of penetration testing and security of our network testing.

We’re going to have to do a lot of work to prove we’re secure. Obviously we’ve been through a lot, so we have to keep asking players to stay with us and trust us. It might be difficult, and obviously this company has had issues in the past, but we inherited them. It’s a whole new team. Anybody that’s interacted with our company knows that I’m the COO, knows that we’ve hired all kinds of new people to help us run this company; they all care about poker and they’re not bad people. But there’s a group of players out there that don’t trust us and we understand why. There were scandals and I don’t blame (the players), they were very offensive, but there’s also a large group of people out there that do trust us because they know when we were dealt this situation, the UltimateBet cheating scandal, that we handled it professionally. We worked hard to get $15 million in settlements from the previous owners who were responsible for the cheating. We put a lot of our own money in there to make sure that everybody else got every penny they deserved.

Even when we made some mistakes along the way, we didn’t handle it perfectly. But we didn’t cheat anybody; we tried to get everybody back everything they deserved. So I think there’s a group of people who don’t trust us, and there’s a group of people who thanked us for getting them the money that they were owed from the people that were responsible and resolving the situation. Even though we have an issue now, we’re handling it professionally and we’re doing everything we can to communicate and resolve this issue and ensure it is being investigated fully. So I think even when we have problems, we handle them professionally. There’s a large group of people who are loyal customers that stay with us because of that.

If you were one of your players what would your concerns be?

Leggett: Well, I would have been concerned about the vulnerability. Even though it’s not likely that somebody exploited it, it’s still theoretically possible, which is a very scary thing, and I would have been very concerned. I would watch how the company responded to the situation and I would wait until I saw it was resolved before I played. My concerns would be ‘Is the site I’m playing on a secure playing environment?’, ‘Am I playing at a place where I can trust the operators?’ Again, it’s up to us to prove to them that we are secure and that they can trust us, and that’s what we’re working on.

Do you feel that the way this unfolded maybe gives you a better opportunity to offer that transparency and offer that insight of the way your company runs?

Leggett: I see every problem as an opportunity and I have to treat it that way. I take this very seriously but I do believe we’re the only poker site where you see the COO communicating directly with the players, blogging multiple times a week, responding to their comments, doing many interviews. I think in most poker sites they don’t even know who actually runs the company. So I see that as an opportunity. Obviously we’ve had issues and we’ve got a lot of work to do but I think a lot of people do see us as honest people and open people. We’re trying to be an open company that communicates directly with them and involves them in our business.

Is that approach part of the lessons you’ve learned over the past year and have chosen to apply now?

Leggett: Absolutely. People want answers. They want access to people in the company. We’ve got a lot to prove. I think we’ve done a good job with a lot of the well known poker players. They all know who I am, they’ve all had access to talk to me. I’ve tried to give everything I can to the rest of the poker community, not just our players but everybody by communicating with them through the blog and doing as many interviews as I can with TV, magazines, blogs, websites, etc. to get our message out there.

Do you think the previous scandal will ever go away? Do you think people will ever be satisfied?

Leggett: I realize I’ve got some questions to answer to wrap that up. People are still upset, people are still concerned, but what people really want is full justice, which is these people having their day in court and having to really pay the price. There are some difficulties there that are hard for us to get around, even though we’ve tried really hard, to bring them to justice. But I think that’s what needs to happen in order for every last person to feel comfortable that it is completely resolved. I think a lot of people understand that we’ve tried to do an awful lot with the situation that we were dealt and there are a lot of issues with finalizing the scandal. But for a lot of people, it’s going to require the criminals to be behind bars and I hope one day that does happen.

If the list of names got out, there would still be a number of sceptics that wouldn’t believe you or trust the UB brand. Do you think that would lessen the pressure or increase it or change it at all?

Leggett: I think there would be more questions. In order for it to be completely resolved it requires a court and police authorities to be involved to bring these people to justice. I think that’s the only way we’ll see real final closure. I think more information is better but I think if only some information comes out and there’s no criminal court case then it’s just going to raise more questions. But I think the public deserves as much information as we can provide them.

The main thing for me is that the issue has been fixed and it’s been verified. We’re trying to find a Tier 1 security company that we can work with to audit us, one that the poker community will be happy with. And this investigation, even though the issue is fixed, is not over. If players have concerns, complaints about specific players or something that they might want us to look into, they can contact us at and we’ll be happy to look into anything. If they have any ideas about security, how we can do things better, certain standards they want us to adhere to or third party companies that they think should be auditing us that would give them comfort, we’d be happy to hear their feedback.