Old 11-09-2007, 04:49 AM
Matfrid
Re: Latest AP press release

[ QUOTE ]
I think this part is interesting.

[ QUOTE ]
• “The system breach was the result of a recent internal software release impacting internal reporting. The breach was exploitable only by an authorized AP person that manipulated the internal reporting software, together with the AP gaming software. The security breach was not, therefore, the result of an external action, and no individual outside AP could exploit the breach.

• “There is no evidence of the current or past existence of a “super-user” account. There is no player account in the AP system with the ability to see other players’ hole cards.


[/ QUOTE ]

There was speculation that this exploit was related to the release of the new client. They appear to be confirming this.

They also appear to be defining a super-user account as an account that someone can log into the client software with and see other players' hole cards, and that no such account exists. With that definition, I imagine this is a true statement.

I hope they eventually release more details about exactly how the system was exploited.

From the above it sounds like the new client software began reporting back information (maybe screen grabs?) that could be intercepted by something on the AP network and used to determine the user hole cards.

[/ QUOTE ]

I think that is very unlikely. Why would they need to grab information from the clients when they already have all the information? All relevant hand information is somewhere in the system for evaluation of showdowns and for writing hand histories.

It is more likely that their statement refers to how this information was treated internally. I don't know which platform they use, so there is not much to speculate about.

What hit me first was their use of the expression 'internal reporting'. It is not a term that you would find in discussions about secure information handling of web portals, application servers and multi-tiered software. It is probably a mistake, but the term is almost solely used for an internal system for detecting fraud, wrongdoings, policy violations and the like. This makes it a very humorous mistake, or - unlikely but intriguing - they actually mean what they say.