On a larger topic -- Security. There were two major items we saw at launch back in August that we addressed shortly thereafter. In addition there were also a few of the "the client knows something it shouldn't about the other player's cards" issues that we addressed as well. These were definitely "Oh, s***" moments for us, we pulled back into closed beta, and we deservedly fell on our swords several times for not spotting these before launch. If you know of any security issues that weren't addressed since we opened up again, we would absolutely want to hear about them, so email us directly at help@goko.com. As for "what's different than before" in this regard, the responsible parties were let go about a week after launch and we refocused our efforts after that.
First of all, I would like to thank you deeply for posting all of this information here. Communication is really important, and hearing something is always and definitely helpful.
Let me try to explain why I find this explanation unsatisfactory. "The responsible parties were let go about a week after launch." This is actually indicative of the problem to me. This seems to imply that there are a few guys who are responsible for security, and since there was a security problem, they got the ax. But security should be a concern for *everyone*. If you are working at a summer camp, you shouldn't have one or two or ten guys whose responsibility is the kids' safety. EVERYONE's first responsibility is the kids' safety. Similarly, in every workplace (well, every one I have ever known), the number one responsibility is the safety of everyone. It should be the same way here - security is everyone's concern. Now, I am not suggesting you should fire everyone. Heck, I don't care if you got rid of *anyone*. I just want it to get done right. And much as I'd just like to take your word for it that things are safe, we unfortunately don't live in the kind of world where that is a practical decision to make. It really sucks that this is the case, but if we DID live in that kind of world, then of course we wouldn't need security measures at all. It doesn't help that you've had the big security issues in the past.
Ultimately, I'm not so concerned about the specific security problems you had. You've fixed those, that's fine. It's about the process, the process by which you didn't find them, or by which you knew about them and didn't communicate that to whoever made the decision to launch, or by which you did communicate and the guy making the launch decision launched anyway. Because I don't see indications that this is any less likely to happen on a problem in the future, and even if you have everything covered right now (certainly possible), new threats are coming out all the time.
It's analogous to going to a restaurant and being served chicken that, when you cut into it, is raw. This is a problem of any of a number of people, who didn't cook the thing properly, and who didn't get it checked properly. Now, you might say, I am pretty likely to be fine going there and getting chicken again later on, if this is just one incident anyway, so what's the problem? Well, why am I comfortable doing that? Well, there are a couple reasons. Number one is that it's really obvious whenever chicken is raw, and that is something I can't duplicate with these e-security issues. That would be more like using moldy food, wiping it off and using it, I guess. But the real reason I can feel safe is that there are health inspectors. Basically, what I would like to see here, and what most tech companies do, is hire someone, someone independent of themselves, someone reputable, who from time to time basically does an audit on your system, from a security standpoint. You get this, and you have them give you a clean bill of health, I'll be fine with security, and I'll buy your product. Even if they show the occasional issue, that's okay, so long as they're minor enough anyway - you aren't going to get 100% coverage, and I realize that. I just want someone independent to look over things.