Coindice,Johny1976 Scam. Sell script with bugs. - page 2.

elm

legendary

Activity: 1050

Merit: 1000

Quote from: jackyballz on May 31, 2015, 07:17:54 AM

When there are so many people complaining about the script, I wonder why someone just doesn't post the whole code of the latest script in public so that everyone can take a look at it and find existing bugs / backdoors. I'm a coder and security analyst myself, but not interested in running a dice site - still I would love to see if there are some bugs in the script that were put in there on purpose.

so maybe some script owner can give you the script for review. but to see that you jump in with your 1st post
doesn't smell that good either IMO, no offense intended.

jackyballz

newbie

Activity: 2

Merit: 0

When there are so many people complaining about the script, I wonder why someone just doesn't post the whole code of the latest script in public so that everyone can take a look at it and find existing bugs / backdoors. I'm a coder and security analyst myself, but not interested in running a dice site - still I would love to see if there are some bugs in the script that were put in there on purpose.

elm

legendary

Activity: 1050

Merit: 1000

just for info............Johny deleted today 5 postings of mine. I didnt offend him at all I just asked some questions.

Sad

elm

legendary

Activity: 1050

Merit: 1000

Quote from: SebastianJu on May 27, 2015, 06:58:14 AM

Quote from: elm on May 25, 2015, 01:50:14 PM

Quote from: SebastianJu on May 25, 2015, 01:45:37 PM

At the end... if those risks are mentioned for years then there might be something true. As long as no careful code review is done... including database entries. Roll Eyes

so who could do a careful code review?

I dont know since normally you need to KNOW risky code parts. And thats something the average code developer not knows in detail.

Another thought i got is... didnt op mention that the max profit he sat was a big part of the house? Theres a reason why dooglus even sat the max profit down from 1% to 0.5% on justdice. The reason was that someone was able to win a big part of the house with 1%. Thats why you normally use the kelly criterion. And the kelly criterion says 1% is the best value for best profit. If you raise that value then the chance raise exponentially that you will lose big parts of the house. Or all of it. The reason is that its very hard to win back something lost if your house is, lets say halved already.

Thats mathematics. And maybe the script seller should point that out more aggressively.

Though thats only another thought as a possible problem.

agree with you but the seller is very quiet Sad

until now

SebastianJu

legendary

Activity: 2674

Merit: 1083

Legendary Escrow Service - Tip Jar in Profile

Quote from: elm on May 25, 2015, 01:50:14 PM

Quote from: SebastianJu on May 25, 2015, 01:45:37 PM

At the end... if those risks are mentioned for years then there might be something true. As long as no careful code review is done... including database entries. Roll Eyes

so who could do a careful code review?

I dont know since normally you need to KNOW risky code parts. And thats something the average code developer not knows in detail.

Another thought i got is... didnt op mention that the max profit he sat was a big part of the house? Theres a reason why dooglus even sat the max profit down from 1% to 0.5% on justdice. The reason was that someone was able to win a big part of the house with 1%. Thats why you normally use the kelly criterion. And the kelly criterion says 1% is the best value for best profit. If you raise that value then the chance raise exponentially that you will lose big parts of the house. Or all of it. The reason is that its very hard to win back something lost if your house is, lets say halved already.

Thats mathematics. And maybe the script seller should point that out more aggressively.

Though thats only another thought as a possible problem.

elm

legendary

Activity: 1050

Merit: 1000

Quote from: SebastianJu on May 25, 2015, 01:45:37 PM

At the end... if those risks are mentioned for years then there might be something true. As long as no careful code review is done... including database entries. Roll Eyes

so who could do a careful code review?

SebastianJu

legendary

Activity: 2674

Merit: 1083

Legendary Escrow Service - Tip Jar in Profile

Quote from: BitcoinDistributor on May 20, 2015, 06:06:13 PM

Quote from: SebastianJu on May 20, 2015, 10:58:56 AM

You are all new members. I dont see how the problem can be proven except there is an error in the code that makes the outcome of the bets guessable or a real backdoor. So that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didnt change the code themself? That they are all new users doesnt make it easier.

Im not blaming, i only point out a problem.

Are there other casino owners that run their script without problems? It would be strange when such an exploit would be used only by 2 out of 100 casinos or so...

In all seriousness, new or old doesn't really matter anymore. Could take $50 and buy myself a two year senior account if I wanted.

Thats right... though theoretically it would be way easier to create a number of newbie accounts and tell a story about multiple scripts acting strange.

Though again... i dont accuse, i only point out that its hard to prove. And i wonder, how many scripts were sold and how many scripts wallets, out of that, were emptied?

At the end... if those risks are mentioned for years then there might be something true. As long as no careful code review is done... including database entries. Roll Eyes

yogg

legendary

Activity: 2464

Merit: 3158

I bought a dice website which was using CoinDice. Since I was not the original script buyer, I didn't get any update and Johny never replied to my PM when I contacted him to look for a solution.
However, I asked a dev to audit the code before I put it in production. He said it was ok to run it, and that there is no backdoor.

Sure, there was no backdoor.
About 2 months later, someone found an exploit and managed to empty my hot wallets. Again, this was not a backdoor made on purpose.

What happened is that the hacker found a way to repeat some operations.
At the beginning, he repeated bets. [Screenshot] (see how the bet ID got reversed but the roll outcome is the same for all the bets... Disturbing isn't it ?)
But then, the exploiter managed to repeat withdrawals and made them happen several times in my wallet, while the script shows it processed them only once.

I have read a lot of thread about CoinDice being easily exploited. Overall, it seems poorly secured.
Because Johny didn't care at all about my messages, I won't buy, host or support a CoinDice script ever.

Buyers beware.

Dogedigital

legendary

Activity: 1330

Merit: 1000

Quote from: SebastianJu on May 20, 2015, 10:58:56 AM

You are all new members. I dont see how the problem can be proven except there is an error in the code that makes the outcome of the bets guessable or a real backdoor. So that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didnt change the code themself? That they are all new users doesnt make it easier.

Im not blaming, i only point out a problem.

Are there other casino owners that run their script without problems? It would be strange when such an exploit would be used only by 2 out of 100 casinos or so...

All those that I have talked to including me have had problems with the script. I bought all versions and have just abandoned them all.

All updates are the same versions with 1-2 extra lines of code. Multiple devs were reached to make modifications and most of them said that it was unworkable and it was much easier to start from scratch.

However I can say that I never ran into a backdoor in my versions (there's a lot of counterfeits that actually do include backdoors).

BitcoinDistributor

sr. member

Activity: 350

Merit: 250

Quote from: SebastianJu on May 20, 2015, 10:58:56 AM

You are all new members. I dont see how the problem can be proven except there is an error in the code that makes the outcome of the bets guessable or a real backdoor. So that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didnt change the code themself? That they are all new users doesnt make it easier.

Im not blaming, i only point out a problem.

Are there other casino owners that run their script without problems? It would be strange when such an exploit would be used only by 2 out of 100 casinos or so...

In all seriousness, new or old doesn't really matter anymore. Could take $50 and buy myself a two year senior account if I wanted.

SebastianJu

legendary

Activity: 2674

Merit: 1083

Legendary Escrow Service - Tip Jar in Profile

You are all new members. I dont see how the problem can be proven except there is an error in the code that makes the outcome of the bets guessable or a real backdoor. So that everyone knows the problem existed before it was sold.

How could it be made sure that the casino owners didnt change the code themself? That they are all new users doesnt make it easier.

Im not blaming, i only point out a problem.

Are there other casino owners that run their script without problems? It would be strange when such an exploit would be used only by 2 out of 100 casinos or so...

coindicestand

newbie

Activity: 15

Merit: 0

its ok, but u say u good server administrator. how can u see cheating i gameplay in your apache log? im not good in this, but i think will be no hack activity in apache we will know everything when we reverse script. soon.

inBTCwetrust

newbie

Activity: 5

Merit: 0

Quote from: coindicestand on May 19, 2015, 10:00:30 AM

Quote from: inBTCwetrust on May 19, 2015, 09:43:05 AM

and what about my problem

the exact same problem is here too and the problem is not from the server i secure my server very good and i know how to secure my server ( i work as a servers administrator ) .

plus the strategy happens is not from the server side at all it is exploit on the script it self since the hacker load a real BTC on the site and then he bet with ( 1% , 0.5% ) win chance and he success from his first bet , it happens with me with 3 account each was new register account and he just do a single bet with a bet chance just ( 1% , 0.5% ) and win from his first roll and run with all the money from the site .

first time i told he is a very lucky person but then after i see that happens with a different 2 account the same day i was completely sure that this is not a luck .

Yes man, same game. Anyway its a cheating. It cant be 100% if script is secured. We have same problem. try to find a statistic from admin panel and u see mb some blinds are lost..or see same stats of players like me. here can be an exploit or backdoor im not coder, i dont know. But tell US that we all cant setup script on safe server is a BULLSHIT FAKE AND LIE! I dont know what is Apache, i ask my admin to turn it on after hack. I was hacked in 2-3 hours after start dice. Thats johny and his guys. I think its time to ban this person. Or how we can get our moneyback?

Johny1976, I think ther is no way to tell us that ur script fully secured! Its a Lie. Think we find good guys who fix bugs and knock u out from this forum. I think not only 2 guys who was hacked. POPCORN and see who come here with same problems with same johny with same script.

i Can get prooflink to admin panel anyone who are compitent in this question. can pay some bits for reversing this dice to fix bugs and so on. after we do all i think we can share this script or else. nobody shoul be ripped more what do u think guys?

i think we should wait for him to fix this problem but first he have to confess that he have a problem on his script we all know that nothing is 100% secure he have to fix the problem because keeping such problem on wild is not good for him or for the buyers

coindicestand

newbie

Activity: 15

Merit: 0

Quote from: inBTCwetrust on May 19, 2015, 09:43:05 AM

and what about my problem

the exact same problem is here too and the problem is not from the server i secure my server very good and i know how to secure my server ( i work as a servers administrator ) .

plus the strategy happens is not from the server side at all it is exploit on the script it self since the hacker load a real BTC on the site and then he bet with ( 1% , 0.5% ) win chance and he success from his first bet , it happens with me with 3 account each was new register account and he just do a single bet with a bet chance just ( 1% , 0.5% ) and win from his first roll and run with all the money from the site .

first time i told he is a very lucky person but then after i see that happens with a different 2 account the same day i was completely sure that this is not a luck .

Yes man, same game. Anyway its a cheating. It cant be 100% if script is secured. We have same problem. try to find a statistic from admin panel and u see mb some blinds are lost..or see same stats of players like me. here can be an exploit or backdoor im not coder, i dont know. But tell US that we all cant setup script on safe server is a BULLSHIT FAKE AND LIE! I dont know what is Apache, i ask my admin to turn it on after hack. I was hacked in 2-3 hours after start dice. Thats johny and his guys. I think its time to ban this person. Or how we can get our moneyback?

Johny1976, I think ther is no way to tell us that ur script fully secured! Its a Lie. Think we find good guys who fix bugs and knock u out from this forum. I think not only 2 guys who was hacked. POPCORN and see who come here with same problems with same johny with same script.

i Can get prooflink to admin panel anyone who are compitent in this question. can pay some bits for reversing this dice to fix bugs and so on. after we do all i think we can share this script or else. nobody shoul be ripped more what do u think guys?

inBTCwetrust

newbie

Activity: 5

Merit: 0

Quote from: johny1976 on May 19, 2015, 07:38:46 AM

I said to him in Skype conversation that we would give him everything he'd losted if he gave us any kind of proof (the Apache logs would be enough). He said that Apache by default has the logs off, which is a lie. I see something suspicious here.

We do have a compensation program for cases like this one. Sadly, no one gave us any proof, that it was caused by our script. He was the one setting up the server so he could possibly do something wrong.

As I said, it could be the problem in our script, but there's no evidence for us to confirm that claim.

and what about my problem

the exact same problem is here too and the problem is not from the server i secure my server very good and i know how to secure my server ( i work as a servers administrator ) .

plus the strategy happens is not from the server side at all it is exploit on the script it self since the hacker load a real BTC on the site and then he bet with ( 1% , 0.5% ) win chance and he success from his first bet , it happens with me with 3 account each was new register account and he just do a single bet with a bet chance just ( 1% , 0.5% ) and win from his first roll and run with all the money from the site .

first time i told he is a very lucky person but then after i see that happens with a different 2 account the same day i was completely sure that this is not a luck .

johny1976

legendary

Activity: 1135

Merit: 1002

Developer

I said to him in Skype conversation that we would give him everything he'd losted if he gave us any kind of proof (the Apache logs would be enough). He said that Apache by default has the logs off, which is a lie. I see something suspicious here.

We do have a compensation program for cases like this one. Sadly, no one gave us any proof, that it was caused by our script. He was the one setting up the server so he could possibly do something wrong.

As I said, it could be the problem in our script, but there's no evidence for us to confirm that claim.

coindicestand

newbie

Activity: 15

Merit: 0

Hey guys! I see,not only me have same problems. Thanks for ur time! I can give this script to reverse and fix all bugs in audit or give u access. Pls if u can help to stop this scam bullshit dont stay away.
Pm me if i can help with someth. We should stop this together. Regards.

BitcoinDistributor

sr. member

Activity: 350

Merit: 250

Quote from: kopipe on May 19, 2015, 02:30:16 AM

Someone graciously sent me a copy, so now I am doing my audit. If you're reading this Johnny, I have no intention of stealing from you, I have no interest in running a dice site or copying it further.

I've already found a big problem with the script.

Here is how the hashes and server seeds are being generated (the author is Polish):

Code:

function generateHash($delka_retezce,$capt=false) {
if ($capt==true) $mozne_znaky='123456789ABCDEFGHIJKLMNPQRSTUVWXYZ';
else $mozne_znaky='abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$vystup='';
for ($i=0;$i<$delka_retezce;$i++) $vystup.=$mozne_znaky[mt_rand(0,strlen($mozne_znaky)-1)];
return $vystup;
}

function generateServerSeed() {
$rand_nr=mt_rand(0.01*100,99.99*100)/100;
if (mt_rand(1,2)==2) $pre_rand=($rand_nr-0.01);
else $pre_rand=($rand_nr+0.01);
$str=generateHash(26).'-'.((double)(($pre_rand+0.001).mt_rand(1,99999999999999999999999999999)));
return $str;
}

You can see that the main source of randomness is mt_rand. mt_rand is not cryptographically secure, according to PHP's own documentation!

Quote from: PHP docs

This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.
Caution

The distribution of mt_rand() return values is biased towards even numbers on 64-bit builds of PHP when max is beyond 2^32. This is because if max is greater than the value returned by mt_getrandmax(), the output of the random number generator must be scaled up.

As you can see, max is 99999999999999999999999999999, far larger than 4294967296. The function generateServerSeed() also seems very fishy to me, why doesn't it just get cryptographically secure bytes? Why add/subtract 0.01 and 0.001?

Don't run/buy this script based on this alone. The hashing is NOT suitable for Bitcoin casinos which need cryptographically secure randomness.

Try to find the backdoor he installed. For many years people have said there is a backdoor which allows him to empty the owner's bank wallet and send it to a specified address within the code.

kopipe

full member

Activity: 245

Merit: 124

Someone graciously sent me a copy, so now I am doing my audit. If you're reading this Johnny, I have no intention of stealing from you, I have no interest in running a dice site or copying it further.

I've already found a big problem with the script.

Here is how the hashes and server seeds are being generated (the author is Polish):

Code:

function generateHash($delka_retezce,$capt=false) {
if ($capt==true) $mozne_znaky='123456789ABCDEFGHIJKLMNPQRSTUVWXYZ';
else $mozne_znaky='abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$vystup='';
for ($i=0;$i<$delka_retezce;$i++) $vystup.=$mozne_znaky[mt_rand(0,strlen($mozne_znaky)-1)];
return $vystup;
}

function generateServerSeed() {
$rand_nr=mt_rand(0.01*100,99.99*100)/100;
if (mt_rand(1,2)==2) $pre_rand=($rand_nr-0.01);
else $pre_rand=($rand_nr+0.01);
$str=generateHash(26).'-'.((double)(($pre_rand+0.001).mt_rand(1,99999999999999999999999999999)));
return $str;
}

You can see that the main source of randomness is mt_rand. mt_rand is not cryptographically secure, according to PHP's own documentation!

Quote from: PHP docs

This function does not generate cryptographically secure values, and should not be used for cryptographic purposes. If you need a cryptographically secure value, consider using openssl_random_pseudo_bytes() instead.
Caution

The distribution of mt_rand() return values is biased towards even numbers on 64-bit builds of PHP when max is beyond 2^32. This is because if max is greater than the value returned by mt_getrandmax(), the output of the random number generator must be scaled up.

As you can see, max is 99999999999999999999999999999, far larger than 4294967296. The function generateServerSeed() also seems very fishy to me, why doesn't it just get cryptographically secure bytes? Why add/subtract 0.01 and 0.001?

Don't run/buy this script based on this alone. The hashing is NOT suitable for Bitcoin casinos which need cryptographically secure randomness.

Quickseller

copper member

Activity: 2926

Merit: 2348

There have been a number of reports of various bugs in this script. Considering the amount of money being put into some bitcoin related casinos I am surprised that the script is not being looked at more closely prior to being put into production.

Topic: Coindice,Johny1976 Scam. Sell script with bugs. - page 2. (Read 4592 times)