Topic: DaDice.com - Next Gen Social Gambling Dice Experience | Progressive Jackpot - page 118. (Read 257856 times)

member
Activity: 106
Merit: 10

it was a direct change to server side variables that store usernames.
This is a false statement. The variable that "buffoon" played with was on client-end (i.e. his browser end).


The client-side object was updated and sent to the server. The server then updated a variable with this new object, so it did in fact update a server-side variable. If you asked the server for the user list, it also showed the new username in the list, which represents a server-side change happening. The server responded to chat with this variable, not the client. If it was only client side, no one would see the name change.

You should also be aware, due to your ability to understand a hacker's mind, that it was possible to run JavaScript on all connected client computers. One could have tipped themselves from another user's account and slowly stolen large quantities of bitcoin by simply running some remote JavaScript code in your users' browsers and withdrawing the relatively small amounts available in the HW. It could have gone on for months without detection.

It is interesting that you only assume the worst thing that happened was trolling, but I can assure you, your faithful users were being targeted for more than trolling. If it is only second on your list you might want to revisit your policy on critical security breach attempts.

It always looks like a simple hack on the outside, but what one can do with a simple hack can be quite damaging. As mentioned in this thread by nnlmmn (or whatever his name is), someone could just have used another user's name to gain trust and "borrow" bitcoin. Simple hacks are, of course, the majority that occur. Like MT Gox, nothing complex there, but who knew about it? You can't dismiss the simplicity as less important than lag.
 
This attitude gets me offside, as it appears you are not humble enough to understand there is always a way in and your code is not perfect. You lack what many engineers have - "security fear". It's either due to ignorance or lack of experience. 

Be very clear, do not dismiss anything that comes to your attention. If this was my site, I would have run a maintenance page till it was resolved, not let it run for 15 hours. Your closing picture demonstrates your cockiness. And if your customers aren't scared of that, they should consider it heavily!

copper member
Activity: 1498
Merit: 1528
No I don't escrow anymore.
Just a test of my new senior member signature - Sorry guys

Looks off, did you miss a "center" maybe?
hero member
Activity: 602
Merit: 500
Added to my website. I hope that OP is satisfied with screenshot and description (if not, PM me).
legendary
Activity: 3556
Merit: 9709
#1 VIP Crypto Casino
Just a test of my new senior member signature - Sorry guys
legendary
Activity: 1876
Merit: 1005
There were some serious concerns regarding yesterday's event but I am quite satisfied now after the official statement of Dadice making the situation clear. I didn't even try to login since yesterday but after having read all the discussion in this thread I can now say I don't have any reservations. Thanks for the updates and handling the situation highly professionally.
full member
Activity: 154
Merit: 100
quick question about the investing on dadice, what do the (.5, 1, 2, etc) kelly units mean? would like to put in a small amount for fun but no idea how this works.

Hey there mate

Let's see if we can help you out here. The kelly refers to the level of risk and reward at which you place your investment. So 0.5 would work out as the lowest risk but lowest reward. For every 1 BTC you invest at that level you supplement the bankroll by 0.5 BTC. But then you only get 50% return in that case on player losses. At 1 kelly it's directly equal: 1 BTC is 1 and so on. At 2 kelly you start seriously increasing risk. You would say invest the 1 BTC again but the bankroll would be showing 2 BTC. It doubles your return but also doubles your risk. 5 and 10 kelly are 5 times and ten times your investment respectively.
legendary
Activity: 882
Merit: 1000
Q. So Dadice was Hacked yesterday?
A. No it wasn't
The definition of "hacking" is always discussed and there is no clear definition for it. For me and many other hackers, hacking is doing things you are not supposed to by the app/site/device/product creator. Imitating another person on chat is definitely a hack. Perhaps not as serious as bodgybrothers tries to make it look, but it is a hack.

Perhaps it wasn't hacked by the mainstream media definition of "breaking into a computer", but by that definition many hacks w/ serious losses in dice history aren't "hacks". Obviously silly definition.

Yes, this issue has been fixed although it remained 2nd in our priority,
That is concerning. Although the attacker used it for only trolling purposes - and therefore it wasn't a serious attack - still it was a serious issue and should -always- have first priority on a bitcoin gambling site. A real attacker could use it to imitate trusted players for example with the purpose of getting "loans" and being able to scam some coins.

Basically the same w/ the issue I reported. What happened was that the IP address of each player was broadcast with the dice roll data. So for every roll you see on their site, the IP of the user was sent too. Leaking the IP addresses of all your players is IMO a serious privacy leak and should be fixed immediately. Still it's only fixed after complaining about it on this forum 5 days after my report-mail. It was number 8 on your priority list?

A Bitcoin gambling site that has security and privacy low on the priority list is definitely a red warning for me.

It is not like we didn't investigate what the issue was; we did investigate it as soon as it started and a patch was planned and being worked on. How long do you think it took us to implement a fix? I don't sit with a magic wand on my lap, and as far as I know it was fixed the very same day Smiley How long did you expect it to be fixed in? Again, it was investigated and classified as not a real threat, our mods were very active throughout to take care of this and keep people informed. Let's just leave the "that could have happened" and other "coulds" aside.

Scale of priority:
1. Big number of players who have their coins in the site complaining about extreme lag.
vs.
2. A buffoon troll in a chat issue that our Mods were handling very well.

Now regarding the thing you reported, I apologise for the delay; also, we have decided to set different protocols for such reports so next time any such report as you submitted will reach the IT department promptly. I know you are upset but I hope you will understand the pressure and number of requests we have to deal with every day; meanwhile I assure you that such a delay for such requests will not happen again Smiley



You think lag is a far bigger problem than the fact that the IP address of every one of your users in chat was broadcast to every other user?
That is unacceptable. You should know that Bitcoin users expect privacy and trust from a gambling site.
Don't just post with some tech and programming jargon that most users won't understand.
Respected programmers like NLNico won't let that through.
It was possible to see the IP address of every user in your chat.
It was also possible to impersonate you and all your support/mods.

No one should be playing on a site that puts this kind of issue as second priority.

full member
Activity: 178
Merit: 100
(ノಠ ∩ಠ)ノ彡B




Keep Rollin'
(p.s. apologise for my grammar/spellings thus this post is in my personal capacity)


Good job. The ending picture is very nice Smiley)
newbie
Activity: 48
Merit: 0
Q. So Dadice was Hacked yesterday?
A. No it wasn't
The definition of "hacking" is always discussed and there is no clear definition for it. For me and many other hackers, hacking is doing things you are not supposed to by the app/site/device/product creator. Imitating another person on chat is definitely a hack. Perhaps not as serious as bodgybrothers tries to make it look, but it is a hack.

Perhaps it wasn't hacked by the mainstream media definition of "breaking into a computer", but by that definition many hacks w/ serious losses in dice history aren't "hacks". Obviously silly definition.

Yes, this issue has been fixed although it remained 2nd in our priority,
That is concerning. Although the attacker used it for only trolling purposes - and therefore it wasn't a serious attack - still it was a serious issue and should -always- have first priority on a bitcoin gambling site. A real attacker could use it to imitate trusted players for example with the purpose of getting "loans" and being able to scam some coins.

Basically the same w/ the issue I reported. What happened was that the IP address of each player was broadcast with the dice roll data. So for every roll you see on their site, the IP of the user was sent too. Leaking the IP addresses of all your players is IMO a serious privacy leak and should be fixed immediately. Still it's only fixed after complaining about it on this forum 5 days after my report-mail. It was number 8 on your priority list?

A Bitcoin gambling site that has security and privacy low on the priority list is definitely a red warning for me.

It is not like we didn't investigate what the issue was; we did investigate it as soon as it started and a patch was planned and being worked on. How long do you think it took us to implement a fix? I don't sit with a magic wand on my lap, and as far as I know it was fixed the very same day Smiley How long did you expect it to be fixed in? Again, it was investigated and classified as not a real threat, our mods were very active throughout to take care of this and keep people informed. Let's just leave the "that could have happened" and other "coulds" aside.

Scale of priority:
1. Big number of players who have their coins in the site complaining about extreme lag.
vs.
2. A buffoon troll in a chat issue that our Mods were handling very well.

Now regarding the thing you reported, I apologise for the delay; also, we have decided to set different protocols for such reports so next time any such report as you submitted will reach the IT department promptly. I know you are upset but I hope you will understand the pressure and number of requests we have to deal with every day; meanwhile I assure you that such a delay for such requests will not happen again Smiley

legendary
Activity: 1876
Merit: 1295
DiceSites.com owner
Q. So Dadice was Hacked yesterday?
A. No it wasn't
The definition of "hacking" is always discussed and there is no clear definition for it. For me and many other hackers, hacking is doing things you are not supposed to by the app/site/device/product creator. Imitating another person on chat is definitely a hack. Perhaps not as serious as bodgybrothers tries to make it look, but it is a hack.

Perhaps it wasn't hacked by the mainstream media definition of "breaking into a computer", but by that definition many hacks w/ serious losses in dice history aren't "hacks". Obviously silly definition.

Yes, this issue has been fixed although it remained 2nd in our priority,
That is concerning. Although the attacker used it for only trolling purposes - and therefore it wasn't a serious attack - still it was a serious issue and should -always- have first priority on a bitcoin gambling site. A real attacker could use it to imitate trusted players for example with the purpose of getting "loans" and being able to scam some coins.

Basically the same w/ the issue I reported. What happened was that the IP address of each player was broadcast with the dice roll data. So for every roll you see on their site, the IP of the user was sent too. Leaking the IP addresses of all your players is IMO a serious privacy leak and should be fixed immediately. Still it's only fixed after complaining about it on this forum 5 days after my report-mail. It was number 8 on your priority list?

A Bitcoin gambling site that has security and privacy low on the priority list is definitely a red warning for me.
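The roll-feed leak described in this post (and argued over in the replies above), as an added example that is not DaDice code: the server-side per-roll record is emitted whole, so the player's IP travels with every roll. The record, its field names and the `emit` stand-in for the socket broadcast are assumptions; the fix shown is an explicit allow-list of public fields plus a pre-emit scan that refuses any payload still carrying address-like or credential-like data.

```javascript
// Added example, not DaDice code. Models the roll feed described in the post:
// the server broadcast its whole per-roll record, and that record carried the
// player's IP address. Field names are assumptions; the record is constructed.
const SAMPLE_ROLL_RECORD = {
  id: 10457,
  username: 'alice',
  bet: 0.001,
  target: 49.5,
  result: 23.17,
  win: true,
  ip: '203.0.113.7',        // server-side bookkeeping, must never reach other clients
  socialToken: 'tok-alice', // ditto
};

// Leaky pattern: emit the server-side object as-is.
function buildRollBroadcastLeaky(record) {
  return { ...record };
}

// Hardened pattern: an explicit allow-list of public fields. A field added to
// the server record later is dropped by default instead of leaking by default.
const PUBLIC_ROLL_FIELDS = ['id', 'username', 'bet', 'target', 'result', 'win'];

function buildRollBroadcast(record) {
  const out = {};
  for (const field of PUBLIC_ROLL_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, field)) out[field] = record[field];
  }
  return out;
}

// Defence in depth: scan an outgoing payload for keys that name private data
// (addresses, tokens, secrets) or string values that look like IPv4 addresses.
// Returns the dotted paths of offending fields; an empty array means clean.
const PRIVATE_KEY_PATTERN = /^(ip|ip_?addr(ess)?|remote_?addr(ess)?|x_?forwarded_?for|.*token.*|.*secret.*|.*password.*)$/i;
const IPV4_PATTERN = /^(?:\d{1,3}\.){3}\d{1,3}$/;

function findPrivateFields(payload, path = '') {
  const hits = [];
  for (const [key, value] of Object.entries(payload)) {
    const full = path ? `${path}.${key}` : key;
    if (PRIVATE_KEY_PATTERN.test(key)) {
      hits.push(full);
    } else if (typeof value === 'string' && IPV4_PATTERN.test(value)) {
      hits.push(full);
    } else if (value !== null && typeof value === 'object') {
      hits.push(...findPrivateFields(value, full));
    }
  }
  return hits;
}

// Wrap the socket emit so a payload that fails the scan is never sent.
// `emit` stands in for io.emit / socket.broadcast.emit (assumption).
function safeEmit(emit, event, payload) {
  const hits = findPrivateFields(payload);
  if (hits.length > 0) {
    throw new Error(`refusing to broadcast "${event}": private fields ${hits.join(', ')}`);
  }
  emit(event, payload);
  return payload;
}

// Stand-alone demonstration: the leaky payload is blocked, the allow-listed one goes out.
function demo() {
  const sent = [];
  const fakeEmit = (event, payload) => sent.push({ event, payload });
  let leakBlocked = false;
  try {
    safeEmit(fakeEmit, 'roll', buildRollBroadcastLeaky(SAMPLE_ROLL_RECORD));
  } catch (err) {
    leakBlocked = true;
  }
  safeEmit(fakeEmit, 'roll', buildRollBroadcast(SAMPLE_ROLL_RECORD));
  return { leakBlocked, sent };
}

console.log(JSON.stringify(demo(), null, 2));
```

The allow-list is the real fix; the scan is the tripwire that catches the next field someone adds to the record without thinking about the feed, and it runs equally well as a unit test over every event type the server emits.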
sr. member
Activity: 364
Merit: 250
quick question about the investing on dadice, what do the (.5, 1, 2, etc) kelly units mean? would like to put in a small amount for fun but no idea how this works.
full member
Activity: 154
Merit: 100
A fantastic explanatory post from our awesome Dev there
newbie
Activity: 48
Merit: 0
So Dadice was Hacked yesterday. Albeit a chat hack, but it turns out (according to what the dev guy said in chat) the hack was not just a unicode or otherwise, it was a direct change to server side variables that store usernames. This means it is like no other chat hack on other dice sites. On other sites it is basically a client side rendering issue - the server was not infiltrated. On DaDice the username was actually changed on the server via a very simple web socket parameter change.

Q. So Dadice was Hacked yesterday?
A. No it wasn't, but we can be on board on the point that there was a peculiar and "witty" type of incident.

Q. How come someone was able to change the name in chat/post as other users? Doesn't that mean the entire site was compromised?
A. Please allow me to explain how the Da Dice system currently works. The main system where users' passwords, bitcoins, profiles and stats are stored is completely secure and runs parallel with other Da Dice systems (i.e. chat, social features), which means that both run 100% apart from each other, which is in fact better and more secure!

There is a separate database that acts as a bridge between these 2 systems, so when a user is authenticated on the main dadice system, a special token is generated for him/her to be able to use the social features of the site. After this, when a user utilises one of these social features, i.e. sockets for chat, right there our NodeJS/Socket.io cross-checks the token.

it was a direct change to server side variables that store usernames.
This is a false statement. The variable that "buffoon" played with was on client-end (i.e. his browser end).

Q. Da Fix?
Yes, this issue has been fixed although it remained 2nd in our priority; the first priority was, as other users have discussed before Smiley, the latency issue which was causing the whole of Da Dice to slow down.

However it is not enough to just apply a single patch and consider it fixed. We believe the issue must be thoroughly investigated, and the root causes and the exploiters identified. We were able to identify our "buffoons" as @mnbnm, @bluewaffle and @haxer. Their IP addresses were also blacklisted (I know, I know, there is no shortage of IPs, VPNs or even Da Dice accounts, but it's the standard protocol to be followed and therefore we suspended their accounts).

We will also be monitoring any further exploiters who attempt to do this. Meanwhile, a quick re-enactment:
https://i.imgur.com/B0v78cF.png

(I was online last night with our buffoon who desperately kept trying after the fix was implemented.)

Why is this significant? The moderators will tell you it was just a hack to the chat system and was not in any way an issue to the security of the site. To me it is more than that. It is the site's controls over web sessions that are now in question. Why is it possible to change any details of a web session on the server? The server and only the server should be monitoring this and ensuring the username used to log in and the session cannot be changed. In this case, it demonstrates that this site could have some more serious vulnerabilities.
There is no doubt that these issues must be addressed seriously, and it was. As I have explained before, the two systems run parallel to each other, so just for the sake of security, even the session variables are not shared, while both of the systems are fully secure on the server end.

The issue was simple:
- Mr. buffoon edits the variable in his browser which carries his username.
- On server side, nodejs authenticated him "as a user of Da Dice" with his token by cross checking it with his user ID.
- Trusting that a user has been authenticated on both places, Mr. buffoon's messages were then relayed to further users.

So just to clarify in between all this, "sessions" were NOWHERE involved and the server was NOWHERE compromised.

Change the username in the variable above and then log back in:
You now have someone else's username. No server side checks or anything!

...
The site made it easy with the client telling the server who it was, and the server didn't have any checks of who it actually was.

As explained before, the token was cross-checked with the ID of the user, which is carried alongside the token, but not the username. And this was the behaviour which has been corrected. So to summarise it: There was NO serious threat, however an additional query to cross-check "usernames" alongside "user ID" has been added for our "Crooked" fellows.

Having said that, suppose we still had NOT fixed this issue even then all that these buffoons and crookeds could do was to broadcast chat messages as other users, nothing else! period!

No longer does the statement "It's just a simple chat hack" make a difference. They have yet to fix it! If it was so simple, why did it take so long!
DenseCrab also complained he lost access to his account and logged in as CenseDrab due to this access issue. And he was also the first to be targeted in chat.

Naturally the poor chap initially thought his account was compromised and in a hurry he changed the password, which later he couldn't produce himself; he contacted the support and his issue was resolved.

The statement remains the same, "It's just a simple chat hack", in fact "It was just a simple chat hack" and #2 in our priority list that day. The major issue was the speed and latency which our users were experiencing due to CloudFlare and we were working with them to optimise networking.

As for the lag on the site. It has so many DOM updates it is ridiculous. What this means is the browser is constantly updating elements on the page - even some that do not need to be updated. This in turn causes your browser to use a lot of CPU and memory because it is quite slow at updating the DOM. The other issue is, the socket.io is preferring to use ajax over websockets. Ajax long polling causes the browser to do a lot of work and is not really the way forward when running a site like a gambling site. DaDice should force websocket and only websocket. If you have a 2 year old browser then stiff, upgrade or don't use the site.

This is a totally different issue but I will still address it to make it clear for you and the rest. Yes we are using socket.io and yes the DOM is constantly updated, but this is not exclusive to Da Dice. Similar complaints have regularly been made on PrimeDice threads and probably other similar sites too. To prevent the DOM from overloading we are already trimming the chat and tables; however the rendering of rolls and counter balloons, chat messages etc. all happens on the client end / user's browser, which means it will indeed use CPU and memory. I believe that at the very least Da Dice should be complimented for its regular efforts; at least we had the courtesy to release the Lite version of our existing interface which dramatically reduces CPU usage. (However traffic / bandwidth consumption remains the same, but it's on our todo list.) In fact our efforts have always been complimented by our users.

Now regarding the long polling, I don't think you understand how socket.io really works. Consider checking the following links:
http://stackoverflow.com/questions/26608279/does-socket-io-upgrade-transport-to-websocket-from-polling
http://www.javaworld.com/article/2358967/html-css-js/socket-io-javascript-framework-ready-for-real-time-apps.html
Quote
"This new engine we developed is a groundbreaking change in terms of reliability," said Rauch, who works at blogging services provider Automattic. "Instead of attempting a connection with WebSocket, then falling back to something else -- which can result in slow connection times -- we try first what we know will always work, connect immediately, then try to upgrade to WebSocket [after] we test it and know it works."

still unsure?
https://i.imgur.com/bF2MfID.png

Ending Note:

Obviously the agenda is to spread panic and slander Da Dice. If you realise you should "steer clear" of this one, you're welcome to do so, and the same goes for our official threads etc... The main thing is that when we told our users in chat that there is nothing to worry about, our loyal users understood the fact that there was indeed nothing serious to be concerned about, although a whole new level of trolling was unleashed in our chat box. In fact no one has given a real thought to post here at Bitcointalk as well... Da Dice is aiming for the #1 position and I personally believe that the arena is big enough for all fishes to swim, so there is no real need to get super competitive and the fact must be accepted with an open heart.

Is dadice hack proof? fool proof?
No! But no other site is either. We have seen the current #1 dice site facing challenges itself from time to time; every day technology is evolving and new means of manipulation are being developed. We have had our fair share of serious threats right from our start and we are constantly working on these challenges... but then there are these kinds of people too:

http://rs2img.memecdn.com/hacker_c_161851.jpg

Keep Rollin'
(p.s. apologise for my grammar/spellings thus this post is in my personal capacity)
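The relay logic this post describes (the browser sends a token, a user ID and a username; the token was cross-checked against the user ID, the username was relayed as sent) and the fix the post says was applied (bind the display name to the user ID), together with the concerns raised in the first reply at the top of this page, as an added example that is not DaDice code. The in-memory maps stand in for the "bridge" database and token lookup the post mentions; the user records, field names and the message are constructed, and the HTML escaping assumes the client renders chat text into the page as HTML.

```javascript
// Added example, not DaDice code. Models the chat relay described in the post:
// the browser sends a token, a user ID and a username; the relay verified the
// token against the user ID but relayed the username as the client sent it.
// The maps below stand in for the "bridge" database (constructed data).
const USERS = new Map([
  [1, { id: 1, username: 'alice' }],
  [2, { id: 2, username: 'mallory' }],
]);
// token -> user ID, written when the main system authenticates a user
const SOCIAL_TOKENS = new Map([
  ['tok-alice-1', 1],
  ['tok-mallory-2', 2],
]);

// Resolve the authenticated user, or null. The user ID the client claims must
// be the one the token was issued for (the check the post says already existed).
function authenticateSocket(token, claimedUserId) {
  const boundId = SOCIAL_TOKENS.get(token);
  if (boundId === undefined || boundId !== claimedUserId) return null;
  return USERS.get(boundId) || null;
}

// Before: token and ID are checked, but the display name is read from the
// message object, which the client fully controls.
function relayChatVulnerable(msg) {
  const user = authenticateSocket(msg.token, msg.userId);
  if (user === null) return null;
  return { from: msg.username, text: msg.text };
}

// Escape text so other users' pages insert it as text, not markup
// (assumes the client renders chat into HTML).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// After: the display name comes only from the server-side record bound to the
// authenticated ID; msg.username is never read. Text is length-checked and escaped.
const MAX_CHAT_LENGTH = 500;

function relayChatHardened(msg) {
  const user = authenticateSocket(msg.token, msg.userId);
  if (user === null) return null;
  if (typeof msg.text !== 'string' || msg.text.length === 0 || msg.text.length > MAX_CHAT_LENGTH) {
    return null;
  }
  return { from: user.username, text: escapeHtml(msg.text) };
}

// Constructed message: user 2 authenticates correctly but has edited the
// username field in the browser to carry user 1's name.
const SPOOFED_MESSAGE = {
  token: 'tok-mallory-2',
  userId: 2,
  username: 'alice',
  text: 'lend me 0.5 BTC & I pay back <b>tomorrow</b>',
};

// Stand-alone demonstration of both relays on the same message.
function demo() {
  return {
    vulnerable: relayChatVulnerable(SPOOFED_MESSAGE),
    hardened: relayChatHardened(SPOOFED_MESSAGE),
    badToken: relayChatHardened({ ...SPOOFED_MESSAGE, token: 'tok-nope' }),
    wrongId: relayChatHardened({ ...SPOOFED_MESSAGE, userId: 1 }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the hardened version is that the client never gets a vote on identity: authentication yields a user ID, and everything displayed about the sender is derived server-side from that ID. Adding a second query that compares the client's username to the stored one, as the post describes, closes the same hole, but never reading the field at all removes the need to keep the two checks in sync.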
full member
Activity: 238
Merit: 100
★YoBit.Net★ 200+ Coins Exchange & Dice
Today the autobet is really fast. The other day it only kept stopping, but from today I see more than 1 bet per second, and it did not stop once  Grin
it's working for me just fine too, it's nice to see that they check people's responses about their websites and fix all the problems
full member
Activity: 154
Merit: 100
TITLE BOUT OF THE CENTURY!!!

MAYWEATHER VS PACQUIAO HERE ON DADICE!!!!




This weekend for 48 hours only we are putting the title of JABBA on the line!

Two fighters! One winner will roll out with the Highrolling Title of JABBA!
 

The loser will henceforth carry the title of SlaveLeiea!


The Current Champion @Scotch! Tough, strong and with a roundhouse bankroll known to level the opponents...

The Challenger @SemenFlower! Fast, edgy and with a surprise uppercut in his balance....


Who will win the title? Who will face ignominy!

Find out this weekend on DaDice

The highest rolling player for the weekend will win the coveted title!


Let's get ready to ROOOOOOOOOOOOOOOOOOOOOOOOOOOOLLLLLLLLLLLLL!!!!

Watch this space for more details and Keep Rollin'!

sr. member
Activity: 252
Merit: 250
DaDice Administration
Today the autobet is really fast. The other day it only kept stopping, but from today I see more than 1 bet per second, and it did not stop once  Grin
the autobet was really slow for me when dadice had like over 97 million rolls, I guess people were rolling like crazy then, actually manual betting was even faster than autobetting so I guess you were on when it was close to the grand prize

I have just checked and we had around 97 million rolls the same amount of bets/day as today. So I hope our tweaking did work out. However, there's many a slip twixt cup and lip Smiley
sr. member
Activity: 252
Merit: 250
DaDice Administration
Today the autobet is really fast. The other day it only kept stopping, but from today I see more than 1 bet per second, and it did not stop once  Grin

Thanks Mario, we have changed a few settings in the past 24 hours. The input of our community is very important to us, so please continue to let us know.
hero member
Activity: 658
Merit: 500
Today the autobet is really fast. The other day it only kept stopping, but from today I see more than 1 bet per second, and it did not stop once  Grin
the autobet was really slow for me when dadice had like over 97 million rolls, I guess people were rolling like crazy then, actually manual betting was even faster than autobetting so I guess you were on when it was close to the grand prize
legendary
Activity: 2156
Merit: 1082
Today the autobet is really fast. The other day it only kept stopping, but from today I see more than 1 bet per second, and it did not stop once  Grin
legendary
Activity: 1218
Merit: 1007
I am trying to get to the site but it says: Error 404: Connection Timed Out!
Is it just me or someone's having the same problems?

EDIT: Tried refreshing and now working fine.