Merge disconnects then proceeds to sign players into other players accounts

[Dan Druff]

The scale of these attacks are massive... You seem to think that these things can be solved in 5 minutes of investigation, and that simply isn't the case. I am personally coordinating with a number of sites trying to crack this case.

I'm not talking about solving who is behind it, or even preventing further effective attacks.

I'm talking about realizing back on the 23rd that they were being DDoS attacked, analyzing whether someone was doing it in order to gain an advantage in play (which they were), and then subsequently putting measures in place to minimize the damage when this does occur again. Merge did none of these things.

For example, simply declaring all hands "all-in" when there's a mass-disconnect (rather than folding the guy who can't act) greatly reduces the effectiveness of this cheat. It's not perfect (the cheaters can do it in spots where they want a cheap draw or showdown), but it kills the main point of this exploit.

Merge did not do this. They let the same thing happen all over again two weeks later. And what about all the cash players who were hurt as a side effect of all this?

It was the players who figured out that one guy was using this to cheat. Merge should have figured this out on their own on the 23rd.

And how about their handling of the situation on the 23rd? A guy down to the final 14 was awarded a LOL $60 tournament ticket, when he lost out on thousands in equity. They later fixed it for him after he bitched about it on 2+2, but how could they possibly have entrusted the situation to their third world support monkeys for such a major issue? It would be like a nuclear attack on the US occurring, and President Obama assigning one of the White House janitors to figure out the country's plan for recovery.

And how about the fact that the software was so poorly designed that the DDoS attack caused players to switch accounts? How does that even happen?

I'm not saying that this is an easy situation to solve or stop, but Merge hasn't done themselves any favors with their handling of this matter.

[HowQuaint]

Have you ever run a business before Todd? Snapping one's fingers doesn't magically fix problems. I think we can all agree we'd like to have seen this not even be possible in the first place, but everyone is vulnerable to attacks of this magnitude. When we write the next piece, you'll see how big it was.

[Sanlmar]

Have you ever run a business before Todd? Snapping one's fingers doesn't magically fix problems. I think we can all agree we'd like to have seen this not even be possible in the first place, but everyone is vulnerable to attacks of this magnitude. When we write the next piece, you'll see how big it was.

Todd is on point here. Sadly, I find your answer flip & dismissive.

Merge had no closed loop management system in place apparently to address problems similar to Nov 23. No procedures in place. Dismiss it as a one time occurrence. Variance.

Again, players isolated problem more quickly than Merge.

I seriously believe Merge servers are run out of a vacant closet with no human beings of the IT persuasion on site.

When running a formal business, if a problem is identified said problem should be documented and addressed until resolved. Person assigned should be held to task.

Eventually, you close in on perfection. ISO 9000 uses this scheme in manufacturing, as an example.

This really is a garage operation.

Merge did not have a plan. MERGE DID NOT COMMUNICATE WITH THEIR CUSTOMERS AT ANY POINT DURING THE ATTACK TO MITIGATE THEIR LOSS. Broadcast messages are a useful tool. Players were communicating to each other via 2+2 more quickly than Merge ever did.

FAIL.

I do not give a shit about the technical details nor the breadth of the attack. Any further blather about the attack will show Merge and yourself do not understand the problem here.

I am more interested in Merge discussing how lessons learned on November 23rd were implemented during the most recent attack.

I expect no evidence will be offered in this regard.

[HowQuaint]

I expect no evidence will be offered in this regard.

You are correct. Nor with the other 7 networks under attack share any data with the public. We will publish more about it however.

[Dan Druff]

Have you ever run a business before Todd? Snapping one's fingers doesn't magically fix problems. I think we can all agree we'd like to have seen this not even be possible in the first place, but everyone is vulnerable to attacks of this magnitude. When we write the next piece, you'll see how big it was.

Salnmar posted a great answer to this, so I won't bother repeating what he said.

However, I will say that I was a computer scientist for 8 years, working to solve technical problems for a living every single day.

When your piece of software takes a gigantic dump and does something very harmful, unintended, and destructive (I would rate switching players into others' accounts all of the above), you need to go into panic mode and spend all day and all night figuring out WHY it happened and what caused it.

You can't just shrug your shoulders and move forward. Merge showed a shocking lack of curiosity about the entire matter.

Anyone at Merge examining the technical data regarding the November 23rd attack could have concluded:

1) It was a deliberate DDoS attack
2) It was done in order to exploit the "disconnected user folds to a bet" feature of the software

This didn't require months or even weeks of analysis to figure out. It could have been figured out within a very short time (less than a day, if someone competent analyzed it), and measures could have been put in place to at very least mitigate future damage from further attacks.

Instead they did nothing. And they didn't even put intelligent customer service people on the job to deal with affected parties.

If this happened at Pokerstars, would the guy with the $2200 lost equity have received a $60 tournament ticket? Of course not. That response was ridiculous and embarrassing.

Again, I am not expecting Merge to bring the perpetrators to instant justice, stop them in their tracks, or completely secure the system from future attacks. It is very possible that these attacks are wide-reaching and sophisticated. However, that doesn't mean Merge is absolved of responsibility from understanding it immediately and doing the best they can to mitigate damage.

I will give you credit for releasing these news stories in a way that doesn't completely whitewash the situation, while at the same time giving attaboys to Merge, thus giving your articles the appearance of neutrality and not puffery. However, I think we both know that you would be singing a somewhat different tune about this if Merge wasn't one of your more profitable business partners.

I also acknowledge that you're in a difficult position. You can't be a brutal critic of these online poker sites like I am, and then expect to have a thriving affiliate business at the same time. The two are mutually exclusive -- or at least they are if you want a close relationship with your partners.

[Sanlmar]

I expect no evidence will be offered in this regard.

You are correct. Nor with the other 7 networks under attack share any data with the public. We will publish more about it however.

C'mon That's the line you selected? I cannot believe you missed the point of my post so completely.

This is not 2+2 where everyone gets a stiffie about the scam and miss the more important issue.

We are discussing Merge the company and their lack of problem management.

I am more interested in Merge discussing how lessons learned on November 23rd were implemented during the most recent attack.

I expect no evidence will be offered in this regard.

I will help you.

Example of a management strategy:
If IT (assuming full time IT exits) notes mass and repeated disconnects within 15 minutes - IT shall broadcast message to all users announcing temporary suspension of games with updates every 10 minutes.

7 other networks may have been attacked. Did Merge do a superior job?

Or was some "on call" IT intern paged and he scrambled from a night club to the nearest Starbucks to login.

I do appreciate the dialogue HowQuaint. I do not want to discourage you from posting. Look forward to your thoughts.

I just want the focus of the discussion to remain Merge's actions. Not the DDOS scamtard.

Finally, I will tell you this. All sites have had problems. But frankly I am feeling much warmer toward WPN. They want my business and have phoned me and deposited money unsolicited in my account. They are trying harder.

You can buy loyalty.