Topic: comments (Read 1731 times)

member
Activity: 113
Merit: 10
Do you know what I mean?
August 30, 2012, 09:49:01 AM
#15
The main issues at a quick glance are:
  • Session hijacking is possible (even with different browser and ip)
  • No passwords by default (non technical people may not understand that their account is actually open to anyone)
  • No https

Small things that raise too many flags for a site that is going to be acting as an ewallet:
  • The PW change box shows pw in plaintext and doesn't even check if the 2 pws are the same
  • Broken links
  • Broken state awareness (tells you to log in after you already have)
  • Directory listings enabled (can be dangerous)
  • Test scripts lying around (can be dangerous)

Too sloppy/unfinished to trust. Hire some pen testers first before claiming to be secure. It's a lot of responsibility running an ewallet.

Hi!

Session hijacking is possible in the same way that AES can be cracked so I don't think that's an issue, unless you mean there's some way they can be hijacked "easily". Hmm -- a lot of what you said is simply wrong, for example we've had SSL for almost a week now, there is no broken state awareness (you misclassified the problem, and it was fixed yesterday). This isn't the kind of thing I would exactly call a security hole or a bug anyway. Another odd thing is what you said about the change password box. It does not in fact show your password in plaintext, so I'm not sure why you said that. Second, it does in fact check to see if the passwords are the same or not, so I'm not sure why you said that either. Also test scripts -- not really relevant.

However, I must thank you kindly for telling me about directory listings. I wasn't even aware of that until you pointed it out; I thought it was turned off by default. Fixed!

You know what, I should make a hall of fame for the people who helped me make hotwallet a better place. Thanks! ^^/
Session hijacking is an issue. Once someone finds an XSS exploit (which are pretty common), they can embed a cookie stealer to get your session (and then bitcoins). It's also an issue because it's easy to protect against (validate the session against the user agent / IP). You could also require that the user has to re-input their password when making any or large bitcoin transactions. That would make stolen sessions less dangerous.
Test scripts are relevant because they can be very dangerous. Since test scripts aren't meant to be deployed to the public, and because they are usually bare-bones hacks, they usually lack security checks. I once found a test image upload script on a website; since it was a test script, it didn't properly enforce file extensions. This would theoretically let me upload any file I want, including a PHP shell (which would give me control over the site).

As for the other things, are you sure we are talking about the same site? Can you double check the link you posted? (199.48.69.241 and hotwallet.ca) Those are all still true from my end.
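The session-binding and re-authentication checks suggested in the post above, as an added example (not hotwallet's own code); the in-memory store, the TTL, the withdrawal threshold and the fingerprint function are all assumptions:

```python
import hashlib
import hmac
import secrets

# Assumed values for this example, not hotwallet's settings.
SESSION_TTL = 3600            # seconds a session stays valid
REAUTH_THRESHOLD_BTC = 0.1    # withdrawals at or above this need the password again

def fingerprint(ip, user_agent):
    """Bind a session to the client that created it (user agent + IP)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

def create_session(store, user, ip, user_agent, now):
    """Issue an unguessable session id and record who it was issued to."""
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user": user, "fp": fingerprint(ip, user_agent),
                  "created": now, "last_auth": now}
    return sid

def validate_session(store, sid, ip, user_agent, now):
    """Return the session record, or None if it is missing, expired,
    or presented from a client other than the one it was bound to."""
    sess = store.get(sid)
    if sess is None or now - sess["created"] > SESSION_TTL:
        return None
    if not hmac.compare_digest(sess["fp"], fingerprint(ip, user_agent)):
        store.pop(sid, None)   # replayed cookie: invalidate it server-side too
        return None
    return sess

def authorize_withdrawal(store, sid, ip, user_agent, amount, password_ok, now):
    """Allow a withdrawal only for a valid, bound session; large amounts
    additionally require the caller to have just verified the password
    (password_ok is the result of that check, done elsewhere)."""
    sess = validate_session(store, sid, ip, user_agent, now)
    if sess is None:
        return False
    if amount >= REAUTH_THRESHOLD_BTC and not password_ok:
        return False
    if password_ok:
        sess["last_auth"] = now
    return True
```

Binding to the IP can log out users whose address changes mid-session, so a site may prefer to bind to the user agent only and rely on the re-authentication step for transfers; marking the session cookie HttpOnly also keeps page scripts from reading it.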
member
Activity: 113
Merit: 10
Do you know what I mean?
August 30, 2012, 08:25:13 AM
#14
The site seems pretty broken (and unsafe). Why not run on testnet first?

The site doesn't seem broken or unsafe to me. Can you point out a specific error?

If you can't point out a specific error then I don't see why you think it is broken or unsafe, dunno, I use the site myself all the time, so far no coins have been lost.
The main issues at a quick glance are:
  • Session hijacking is possible (even with different browser and ip)
  • No passwords by default (non technical people may not understand that their account is actually open to anyone)
  • No https

Small things that raise too many flags for a site that is going to be acting as an ewallet:
  • The PW change box shows pw in plaintext and doesn't even check if the 2 pws are the same
  • Broken links
  • Broken state awareness (tells you to log in after you already have)
  • Directory listings enabled (can be dangerous)
  • Test scripts lying around (can be dangerous)

Too sloppy/unfinished to trust. Hire some pen testers first before claiming to be secure. It's a lot of responsibility running an ewallet.
member
Activity: 113
Merit: 10
Do you know what I mean?
August 30, 2012, 06:56:39 AM
#13
The site seems pretty broken (and unsafe). Why not run on testnet first?
legendary
Activity: 2940
Merit: 1333
August 29, 2012, 05:23:48 PM
#12
I clicked one of the big red betting buttons without creating an account and got an ugly error:

Code:
Notice: Undefined index: doghouse in /var/www/hotwallet/dragondice/play.php on line 26 moved to https://199.48.69.241/hotwallet/dragondice/ddice.php
legendary
Activity: 2940
Merit: 1333
August 29, 2012, 05:19:44 PM
#11
What do you guys think? Any guess as to what house odds are on this? :)

DRAGON DICE
Payout Table

Roll   Event                                          Payout
2      Troll Treasure                                 x 3.0
3      Orc Beath                                      x 0.5
4      Pirate's Peeve (Why is the Rum Always Gone?)   x 0.0
5      The Silver Star                                x 1.5
6      Kobold Ambush!                                 x 0.0
7      Roll Again!                                    +roll
8      Goblin's Gold                                  x 1.1
9      Skeleton Attack!                               x 0.5
10     King's Crown                                   x 1.7
11     Pirate's Revenge                               x 0.0
12     Dragon Dice                                    x 7.0

Did I calculate the stats right? How should I calculate house odds? Thanks.

Assuming you're rolling 2 dice and summing them, the house pays out x BTC per BTC bet, where:

x = (3.0*1 + 0.5*2 + 0.0*3 + 1.5*4 + 0.0*5 + x*6 + 1.1*5 + 0.5*4 + 1.7*3 + 0.0*2 + 7.0*1) / 36
36x = (3.0*1 + 0.5*2 + 0.0*3 + 1.5*4 + 0.0*5 + 6x + 1.1*5 + 0.5*4 + 1.7*3 + 0.0*2 + 7.0*1)
30x = (3.0*1 + 0.5*2 + 0.0*3 + 1.5*4 + 0.0*5 + 1.1*5 + 0.5*4 + 1.7*3 + 0.0*2 + 7.0*1)
x = (3.0*1 + 0.5*2 + 0.0*3 + 1.5*4 + 0.0*5 + 1.1*5 + 0.5*4 + 1.7*3 + 0.0*2 + 7.0*1) / 30
x = 0.9866666666666667

i.e. exactly 4/3% house edge.
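The house-edge calculation above, carried through as a runnable example added here (not code from the thread or from hotwallet): it uses exact fractions and solves the "roll again" fixed point for any payout table of this shape, so it generalizes beyond the Dragon Dice numbers it is constructed from.

```python
from fractions import Fraction

# Constructed from the Dragon Dice payout table quoted in the thread.
# "+roll" (sum 7) means the bet stays and the dice are rolled again.
PAYOUTS = {2: "3.0", 3: "0.5", 4: "0.0", 5: "1.5", 6: "0.0", 7: "+roll",
           8: "1.1", 9: "0.5", 10: "1.7", 11: "0.0", 12: "7.0"}

def two_dice_probabilities():
    """Exact probability of each sum of two fair six-sided dice."""
    counts = {}
    for a in range(1, 7):
        for b in range(1, 7):
            counts[a + b] = counts.get(a + b, 0) + 1
    return {s: Fraction(c, 36) for s, c in counts.items()}

def expected_payout(payouts):
    """Expected return per unit bet.
    Re-rolling sums feed back into the same expectation, so
        E = sum(p_s * m_s over paying sums) + p_reroll * E
    which solves to E = paying / (1 - p_reroll)."""
    probs = two_dice_probabilities()
    paying = Fraction(0)
    reroll = Fraction(0)
    for s, m in payouts.items():
        if m == "+roll":
            reroll += probs[s]
        else:
            paying += probs[s] * Fraction(m)
    return paying / (1 - reroll)

def house_edge(payouts):
    """Fraction of each bet the house keeps in the long run."""
    return 1 - expected_payout(payouts)

if __name__ == "__main__":
    e = expected_payout(PAYOUTS)
    print(f"expected payout {e} = {float(e):.10f}, house edge {house_edge(PAYOUTS)}")
```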
legendary
Activity: 2271
Merit: 1363
August 29, 2012, 02:33:10 PM
#10
And now I lost 0.3 LTC in an error: Fatal error: Call to undefined function hwlog() in /var/www/hotwallet/dragondice/play.php on line 245.

I just put that in because I'm going to show the results of the last 10 games. It only logs once the winnings have been calculated but before the page loads; you probably rolled Pirate's Revenge or something. Sorry!

If it means anything, even though this was not actually an error that caused you to lose coins, I will transfer some of my personal litecoins to you to cover the loss. Please PM me your account number and I'll send you some litecoins to ease the pain.

Thanks for using hotwallet!

Nah, I'm good. I won 2.5 LTC already but got greedy and lost them again :-p. No need to replace.

The balance updates to what you have won or lost before you see the dice roll.

And I would suggest getting a real domain for Hotwallet in general; even a college student like myself can afford one.

Balance issue will be fixed soon. I know about it, just lazy :p

The thing about the domain name is, I can't think of a good domain name o_o

Any suggestions?

Why not stick with Hotwallet? What's wrong with that?

legendary
Activity: 2271
Merit: 1363
August 29, 2012, 12:58:31 PM
#9
And now I lost 0.3 LTC in an error: Fatal error: Call to undefined function hwlog() in /var/www/hotwallet/dragondice/play.php on line 245.

legendary
Activity: 2271
Merit: 1363
August 29, 2012, 12:52:14 PM
#8
The balance updates to what you have won or lost before you see the dice roll.

And I would suggest getting a real domain for Hotwallet in general; even a college student like myself can afford one.
newbie
Activity: 26
Merit: 0
August 27, 2012, 09:46:00 AM
#7
New game! New game!

Play Now --> Dragon Dice (Official Website)

What do you guys think? Any guess as to what house odds are on this? :)

DRAGON DICE
Payout Table

Roll   Event                                          Payout
2      Troll Treasure                                 x 3.0
3      Orc Beath                                      x 0.5
4      Pirate's Peeve (Why is the Rum Always Gone?)   x 0.0
5      The Silver Star                                x 1.5
6      Kobold Ambush!                                 x 0.0
7      Roll Again!                                    +roll
8      Goblin's Gold                                  x 1.1
9      Skeleton Attack!                               x 0.5
10     King's Crown                                   x 1.7
11     Pirate's Revenge                               x 0.0
12     Dragon Dice                                    x 7.0

Current stats for Bitcoin Betting:
Pot: 0.0235
Total Bets: 0.022
Paid Out: 0.0279
Win Ratio: 126.82% (est.)

Current stats for Litecoin Betting:
Pot: 0.65
Total Bets: 0.6
Paid Out: 0.67
Win Ratio: 111.67% (est.)

Did I calculate the stats right? How should I calculate house odds? Thanks.


Assuming balanced dice ;)

Solving:
x = .0278*3 + .0556*0.5 + .0833*0 + .1111*1.5 + .1389*0 + .1667*x + .1389*1.1 + .1111*.5 + .0833*1.7 + .0556*0 + .0278*7
x = 0.98691948

Payout=98.6%
House Edge=1.4%

Get out of here with that math.
full member
Activity: 202
Merit: 100
August 27, 2012, 09:39:50 AM
#6
New game! New game!

Play Now --> Dragon Dice (Official Website)

What do you guys think? Any guess as to what house odds are on this? :)

DRAGON DICE
Payout Table

Roll   Event                                          Payout
2      Troll Treasure                                 x 3.0
3      Orc Beath                                      x 0.5
4      Pirate's Peeve (Why is the Rum Always Gone?)   x 0.0
5      The Silver Star                                x 1.5
6      Kobold Ambush!                                 x 0.0
7      Roll Again!                                    +roll
8      Goblin's Gold                                  x 1.1
9      Skeleton Attack!                               x 0.5
10     King's Crown                                   x 1.7
11     Pirate's Revenge                               x 0.0
12     Dragon Dice                                    x 7.0

Current stats for Bitcoin Betting:
Pot: 0.0235
Total Bets: 0.022
Paid Out: 0.0279
Win Ratio: 126.82% (est.)

Current stats for Litecoin Betting:
Pot: 0.65
Total Bets: 0.6
Paid Out: 0.67
Win Ratio: 111.67% (est.)

Did I calculate the stats right? How should I calculate house odds? Thanks.


Assuming balanced dice ;)

Solving:
x = .0278*3 + .0556*0.5 + .0833*0 + .1111*1.5 + .1389*0 + .1667*x + .1389*1.1 + .1111*.5 + .0833*1.7 + .0556*0 + .0278*7
x = 0.98691948

Payout=98.6%
House Edge=1.4%
hero member
Activity: 686
Merit: 500
Wat
August 27, 2012, 07:11:14 AM
#5
Can you tell us who the people/developers are behind hotwallet?

Are they insured by CPA? :D
hero member
Activity: 767
Merit: 500
August 27, 2012, 07:05:38 AM
#4
11   Pirate's Revenge   x 0.0

How ironic :)

Will
hero member
Activity: 812
Merit: 1000
August 23, 2012, 06:29:16 PM
#3
Appropriate name, since my entire screen fills with red when I click your link :D
member
Activity: 162
Merit: 10
The World’s First Blockchain Core
August 23, 2012, 05:55:55 PM
#2
Apparently I have a temporary ban for creating too many accounts.

vip
Activity: 812
Merit: 1000
13
August 23, 2012, 04:09:51 PM
#1
comments