Pages:
Author

Topic: I know how provably fair works but... (Read 1331 times)

sr. member
Activity: 353
Merit: 254
unibtc - Bitsler.com Developer
December 16, 2015, 08:27:29 AM
#25
Quote
thank you again for the detailed answer very much appreciated

please let me ask you if there is a way to let someone code and implement the provably fair option and then close it like a safe that no one will have access and in case the safe is damaged we will see it and stop the game.

we can't code and don't have the provably fair knowledge to run a casino on our own we would always need coder.  the sharks would eat us alive Smiley like it happened with MD
that is mainly the reason why we are on moneypot

thanks again

Yes there is a way. One example is, if you hire a dev to create a website for you, have it done on a test server. once it is done, the dev will give you the full source with installation instructions to your own server. Before installing, have a 3rd party check the code for you. Again this is before you install it on your live server, meaning, database names, database password and other critical variables are not yet set.

A good dev keeps notes, but a great dev gives detailed documentations. Have your dev give you a documentation, maybe a pdf or something that gives a detailed explanation on how the system works in a layman's term, documentation includes processes, every page's role, the logic on how the system works, the algorithm used, 3rd party scripts use if there are any, installation instructions, security modules or scripts used.. etc..

Once code has been checked, you then install it on your live server, and its the only time where you will be asked for database names, database passwords etc..

Doing this, you can be sure that only you knows the critical variables for your site..Some site open up a semi-production site which they call beta version of the site, which is open for public to check for bugs etc.  And if ever bugs occurs, the original dev has the original source code, therefor, he can have it fixed on his end without accessing the live server itself, then he can just give you an updated source to fix the bug, you can have a 3rd party check it again..All this depends on what is the agreement between you and the dev.

There are many ways on how one can prevent a dev from turning against the owner. Above is just one example i can think of.

-uni

thank you very much again Smiley this was very helpful for us because this could be a solution for us old men who cannot code.


btw I can't connect to your app Sad

We had some issues regarding DDos, server was attacked while i was asleep, and my node crashed, It was unexpected, but its fixed now. Thanks
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
December 16, 2015, 07:16:57 AM
#24
Quote
thank you again for the detailed answer very much appreciated

please let me ask you if there is a way to let someone code and implement the provably fair option and then close it like a safe that no one will have access and in case the safe is damaged we will see it and stop the game.

we can't code and don't have the provably fair knowledge to run a casino on our own we would always need coder.  the sharks would eat us alive Smiley like it happened with MD
that is mainly the reason why we are on moneypot

thanks again

Yes there is a way. One example is, if you hire a dev to create a website for you, have it done on a test server. once it is done, the dev will give you the full source with installation instructions to your own server. Before installing, have a 3rd party check the code for you. Again this is before you install it on your live server, meaning, database names, database password and other critical variables are not yet set.

A good dev keeps notes, but a great dev gives detailed documentations. Have your dev give you a documentation, maybe a pdf or something that gives a detailed explanation on how the system works in a layman's term, documentation includes processes, every page's role, the logic on how the system works, the algorithm used, 3rd party scripts use if there are any, installation instructions, security modules or scripts used.. etc..

Once code has been checked, you then install it on your live server, and its the only time where you will be asked for database names, database passwords etc..

Doing this, you can be sure that only you knows the critical variables for your site..Some site open up a semi-production site which they call beta version of the site, which is open for public to check for bugs etc.  And if ever bugs occurs, the original dev has the original source code, therefor, he can have it fixed on his end without accessing the live server itself, then he can just give you an updated source to fix the bug, you can have a 3rd party check it again..All this depends on what is the agreement between you and the dev.

There are many ways on how one can prevent a dev from turning against the owner. Above is just one example i can think of.

-uni

thank you very much again Smiley this was very helpful for us because this could be a solution for us old men who cannot code.


btw I can't connect to your app Sad
sr. member
Activity: 353
Merit: 254
unibtc - Bitsler.com Developer
December 16, 2015, 06:29:56 AM
#23
Quote
thank you again for the detailed answer very much appreciated

please let me ask you if there is a way to let someone code and implement the provably fair option and then close it like a safe that no one will have access and in case the safe is damaged we will see it and stop the game.

we can't code and don't have the provably fair knowledge to run a casino on our own we would always need coder.  the sharks would eat us alive Smiley like it happened with MD
that is mainly the reason why we are on moneypot

thanks again

Yes there is a way. One example is, if you hire a dev to create a website for you, have it done on a test server. once it is done, the dev will give you the full source with installation instructions to your own server. Before installing, have a 3rd party check the code for you. Again this is before you install it on your live server, meaning, database names, database password and other critical variables are not yet set.

A good dev keeps notes, but a great dev gives detailed documentations. Have your dev give you a documentation, maybe a pdf or something that gives a detailed explanation on how the system works in a layman's term, documentation includes processes, every page's role, the logic on how the system works, the algorithm used, 3rd party scripts use if there are any, installation instructions, security modules or scripts used.. etc..

Once code has been checked, you then install it on your live server, and its the only time where you will be asked for database names, database passwords etc..

Doing this, you can be sure that only you knows the critical variables for your site..Some site open up a semi-production site which they call beta version of the site, which is open for public to check for bugs etc.  And if ever bugs occurs, the original dev has the original source code, therefor, he can have it fixed on his end without accessing the live server itself, then he can just give you an updated source to fix the bug, you can have a 3rd party check it again..All this depends on what is the agreement between you and the dev.

There are many ways on how one can prevent a dev from turning against the owner. Above is just one example i can think of.

-uni
legendary
Activity: 3374
Merit: 2198
I stand with Ukraine.
December 16, 2015, 04:58:11 AM
#22
To answer OP's question, There are different types/kinds of  "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common" therefor you might see different sites that uses same algo to generate a random seed. But ofcourse it doesn't mean both site will have the same server seed, (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, its just following the sequence of how it is programmed, it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, its never truly random since it is just ruled by a consistently repeating algorithm. This are called "pseudo-random number generators" (PRNG). And most of the site uses this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is No.. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some uses a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is, Random.org, which they claim, uses atmospheric noise to generate a true randomness.

So the fact is, most sites uses PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like i said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have better chance of winning the lottery than trying to crack it in a lifetime.

-uni

Thank you very much for your explanation! It is written in simple language and at the same time is shedding light on such complicated and incomprehensible things that I can say nothing but WOW! Man, you should write books.
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
December 16, 2015, 04:52:55 AM
#21
To answer OP's question, There are different types/kinds of  "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common" therefor you might see different sites that uses same algo to generate a random seed. But ofcourse it doesn't mean both site will have the same server seed, (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, its just following the sequence of how it is programmed, it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, its never truly random since it is just ruled by a consistently repeating algorithm. This are called "pseudo-random number generators" (PRNG). And most of the site uses this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is No.. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some uses a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is, Random.org, which they claim, uses atmospheric noise to generate a true randomness.

So the fact is, most sites uses PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like i said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have better chance of winning the lottery than trying to crack it in a lifetime.

-uni

thank you very much for taking the time to explain your knowledge in a more detailed way.

as I know you are a coder so if all depends on you regarding the provably fair implementation nothing bad can happen to your bank roll. but you know what happened to Magical Dice Sad how could they or any other non coder (like we) prevent this to happen?


In an online business, there is no 100% fool proof against this. Even big companies can get in trouble if their devs turn to rogue. But there are ways to prevent this. One example is a structural design of your system. One dev should only be assigned to a certain part of the system and not have access to everything. If the your system is project based, then one dev should have no access to the system at all once the project is finish.  Another is to hire a 3rd party security guy that will double check your site's code and integrity. There maybe other ways, but the fact is, it is doable.

But personally, my opinion is, an owner "MUST" atleast know the basic logic of his own system, you don't have to know how to code, but know how your system works is a must. Trust is a big word when it comes to this "pixelized" online world, but with proper preparation and strategy, an owner wont need this to have a successful site.

The issue with magicaldice is that, they hired a dev, and trusted the dev to run the site and have full access. When MD1 went live, the dev should no longer have access to their database, and only grant access to the dev on special occasions like fixing bugs etc..and then immediately revoke it once it is fixed. I know there maybe "holes" on my statement, but thats the basic. Owners already had this idea, what if their dev create an alt and play.. But they trusted their dev not to do it, which is totally wrong.

-uni

thank you again for the detailed answer very much appreciated

please let me ask you if there is a way to let someone code and implement the provably fair option and then close it like a safe that no one will have access and in case the safe is damaged we will see it and stop the game.

we can't code and don't have the provably fair knowledge to run a casino on our own we would always need coder.  the sharks would eat us alive Smiley like it happened with MD
that is mainly the reason why we are on moneypot

thanks again

sr. member
Activity: 353
Merit: 254
unibtc - Bitsler.com Developer
December 16, 2015, 04:31:43 AM
#20
To answer OP's question, There are different types/kinds of  "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common" therefor you might see different sites that uses same algo to generate a random seed. But ofcourse it doesn't mean both site will have the same server seed, (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, its just following the sequence of how it is programmed, it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, its never truly random since it is just ruled by a consistently repeating algorithm. This are called "pseudo-random number generators" (PRNG). And most of the site uses this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is No.. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some uses a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is, Random.org, which they claim, uses atmospheric noise to generate a true randomness.

So the fact is, most sites uses PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like i said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have better chance of winning the lottery than trying to crack it in a lifetime.

-uni

thank you very much for taking the time to explain your knowledge in a more detailed way.

as I know you are a coder so if all depends on you regarding the provably fair implementation nothing bad can happen to your bank roll. but you know what happened to Magical Dice Sad how could they or any other non coder (like we) prevent this to happen?


In an online business, there is no 100% fool proof against this. Even big companies can get in trouble if their devs turn to rogue. But there are ways to prevent this. One example is a structural design of your system. One dev should only be assigned to a certain part of the system and not have access to everything. If the your system is project based, then one dev should have no access to the system at all once the project is finish.  Another is to hire a 3rd party security guy that will double check your site's code and integrity. There maybe other ways, but the fact is, it is doable.

But personally, my opinion is, an owner "MUST" atleast know the basic logic of his own system, you don't have to know how to code, but know how your system works is a must. Trust is a big word when it comes to this "pixelized" online world, but with proper preparation and strategy, an owner wont need this to have a successful site.

The issue with magicaldice is that, they hired a dev, and trusted the dev to run the site and have full access. When MD1 went live, the dev should no longer have access to their database, and only grant access to the dev on special occasions like fixing bugs etc..and then immediately revoke it once it is fixed. I know there maybe "holes" on my statement, but thats the basic. Owners already had this idea, what if their dev create an alt and play.. But they trusted their dev not to do it, which is totally wrong.

-uni
legendary
Activity: 1974
Merit: 1014
All Games incl Racer and Lottery game are Closed
December 16, 2015, 04:18:10 AM
#19
To answer OP's question, There are different types/kinds of  "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common" therefor you might see different sites that uses same algo to generate a random seed. But ofcourse it doesn't mean both site will have the same server seed, (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, its just following the sequence of how it is programmed, it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, its never truly random since it is just ruled by a consistently repeating algorithm. This are called "pseudo-random number generators" (PRNG). And most of the site uses this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is No.. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some uses a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is, Random.org, which they claim, uses atmospheric noise to generate a true randomness.

So the fact is, most sites uses PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like i said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have better chance of winning the lottery than trying to crack it in a lifetime.

-uni

thank you very much for taking the time to explain your knowledge in a more detailed way.

as I know you are a coder so if all depends on you regarding the provably fair implementation nothing bad can happen to your bank roll. but you know what happened to Magical Dice Sad how could they or any other non coder (like we) prevent this to happen?

sr. member
Activity: 353
Merit: 254
unibtc - Bitsler.com Developer
December 16, 2015, 03:58:38 AM
#18
To answer OP's question, There are different types/kinds of  "scripts/algo" one can use to generate a random seed, and most of the time, it varies from site to site, depending on how it was programmed by their dev. But nowadays, devs stick to what is "common" therefor you might see different sites that uses same algo to generate a random seed. But ofcourse it doesn't mean both site will have the same server seed, (tho there is a very very slim chance it could happen).

You can program a computer to generate a random number, but that program is and will always be at the mercy of its programming. So you cannot actually say that it has given you a random number because the fact is, its just following the sequence of how it is programmed, it generally starts with something then follows a pattern. Tho the complexity of the result is enough to be called random, its never truly random since it is just ruled by a consistently repeating algorithm. This are called "pseudo-random number generators" (PRNG). And most of the site uses this kind of way to generate their seeds.

So any script/algo programmed on a computer is always a PRNG? Answer is No.. One can generate a True Random Number Generator (TRNG) on a computer, this is by use of different kinds of entropy. Some uses a device that relies on thermal, noise or any unpredictable environmental elements that we as humans have no control over. And this can be called a true random number generator. Like ryan said, one can use /dev/random, which uses environmental noise. Another example is, Random.org, which they claim, uses atmospheric noise to generate a true randomness.

So the fact is, most sites uses PRNG? Yes. So there is a possibility to crack it? YES and NO. If we talk of possibility, then yes there is always a possibility of something, but the probability of that happening is so low. Like i said above, the complexity of the results of a PRNG is enough to be called random, therefore the chance to crack a single seed is so low that if compared, you'd have better chance of winning the lottery than trying to crack it in a lifetime.

-uni
sr. member
Activity: 285
Merit: 250
December 16, 2015, 02:18:09 AM
#17
---Snip--- Does it differ from site to site?
Logically Its not necessary  Wink , but practically it depends on the software.
Every dice site is made DEVELOPERS , who develop codes , and person who invest or hold/own the bankroll make sure that the site uses unique software so that no person can cheat them.
Ex: when you wanna attend a party function of someone special then you look for single piece dress so that you have only that copy and that's guarantee that none of people will wear the same cloths at the party.
hero member
Activity: 924
Merit: 1005
4 Mana 7/7
December 16, 2015, 02:09:06 AM
#16

It very much matters.

If the server seed is generated using a hash of the current time in millionths of a second then the player can easily cheat. He just needs to notice what the time is when the server seed is created, then hash a few million times in that neighbourhood until he gets the server seed hash that the site has shown him. Then he has the server seed and can predict all his future rolls.
My point as well.
Quote
The server seeds should be entirely unpredictable, to prevent such attacks. Collect entropy from wherever you can to make your RNG unpredictable.
What source, as a dice site owner ,would you suggest for a "unpredictable RNG".
legendary
Activity: 2940
Merit: 1333
December 07, 2015, 03:08:34 PM
#15
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

It very much matters.

If the server seed is generated using a hash of the current time in millionths of a second then the player can easily cheat. He just needs to notice what the time is when the server seed is created, then hash a few million times in that neighbourhood until he gets the server seed hash that the site has shown him. Then he has the server seed and can predict all his future rolls.

The server seeds should be entirely unpredictable, to prevent such attacks. Collect entropy from wherever you can to make your RNG unpredictable.
sr. member
Activity: 313
Merit: 250
i ♥ coinichiwa
December 07, 2015, 03:02:13 PM
#14
We have an intern who moves the mouse all day to create enough entropy for the random generator.  Grin
hero member
Activity: 924
Merit: 1005
4 Mana 7/7
December 06, 2015, 09:37:08 AM
#13
Hufflepuff incident required the user to know the server seed beforehand and it wasn't due to a weak RNG for the server seed. Hufflepuff was able to get an active seed. The seed was used by multiple players and it was not guessed.
I am aware of that, but considering no one has talked about how server seeds themselves are created, it got me curious(that and me having to create the algorithm). As for the hufflepuff incident, I meant, if someone knows/accurately guesses how server seeds are created and the algorithm is weak, say it creates variables like "1111111111a", then "111111111b" , or "ab" "al" "et" "eb"(XY, x is unchanged the first time, the second time increased by 4, Y changes by 8 variables) etc, they can know what the next/all server seeds will be.
At any rate, to rephrase my question, how would you make the random variable generator such that the RN(Variable)G in itself is secure.
legendary
Activity: 1624
Merit: 1007
December 06, 2015, 09:35:24 AM
#12
Hey there, well I suppose nearly everyone on this board has heard about provably fair and how it is user verifiable etc. The client seed is entered by user, nonce is "created" by adding 1 successively after every roll, but how is server seed created, which script/algorith does it use to create a random string of letters? Does it differ from site to site?

Unfortunately i cant really say how or which algorithm they use as i do not know but i can say that it does differ from site to site. Some sites have the same "basic formula" but some parts like secrets need to be different ect or one site could exploit the other.
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
December 06, 2015, 09:32:05 AM
#11
Both are exploitable so I'm going with no.

Are they?
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

You can enter your client seed, basically anything you like,
so the server seed can be exactly the same, anything they like.
They are exploitable by the player. Same thing as hufflepuff in a nutshell
Hufflepuff incident required the user to know the server seed beforehand and it wasn't due to a weak RNG for the server seed. Hufflepuff was able to get an active seed. The seed was used by multiple players and it was not guessed.
copper member
Activity: 1904
Merit: 1874
Goodbye, Z.
December 06, 2015, 09:28:35 AM
#10
When most of the wsbsitss say they are provably fair I never believe it because they can choose what to show and have hiding functions scamming the fuck outta you.

thats funny. thanks for the laugh Cheesy
That the same for the "provably fair" casino in your sig?

At any rate, my concern being, the numbers are random but the server seed can be exploitable if the function which creates them is weak(not secure) and known.
P.S: That and I have to create an algorithm for provably fair.

I'd suggest a "Don't Ask. Don't Tell." attitude.
P.S.: Who the hell is crazy enough to let YOU take care of that. "(insider joke)"
hero member
Activity: 924
Merit: 1005
4 Mana 7/7
December 06, 2015, 09:28:09 AM
#9
But only if you know how they are created. If you know how things work, if you find an exploit in one specific situation.
So not knowing how exactly one site is creating their server seed is part of the process to prevent userside exploits, right?
Further, it doesn't matter how the site does it, as explained above. That's probably why most people don't know it/don't care.
@Me, you're not supposed to argue with yourself(insider joke)
At any rate, my concern being, the numbers are random but the server seed can be exploitable if the function which creates them is weak(not secure) and known.
P.S: That and I have to create an algorithm for provably fair.
legendary
Activity: 1988
Merit: 1317
Get your game girl
December 06, 2015, 09:25:34 AM
#8
The scripts can be coded in any back end server side programming language like php or node.is . These languages have random function which generates the randon number based on conditions .Example : generate random().integers<100 .This will allow to generate the numbers less than 100 randomly .When most of the wsbsitss say they are provably fair I never believe it because they can choose what to show and have hiding functions scamming the fuck outta you.
copper member
Activity: 1904
Merit: 1874
Goodbye, Z.
December 06, 2015, 09:25:12 AM
#7
They are exploitable by the player. Same thing as hufflepuff in a nutshell

But only if you know how they are created. If you know how things work, if you find an exploit in one specific situation.
So not knowing how exactly one site is creating their server seed is part of the process to prevent userside exploits, right?
Further, it doesn't matter how the site does it, as explained above. That's probably why most people don't know it/don't care.
hero member
Activity: 924
Merit: 1005
4 Mana 7/7
December 06, 2015, 09:19:39 AM
#6
Both are exploitable so I'm going with no.

Are they?
It doesn't matter how the server seed is created. That's the idea of provably fair.
Why doesn't it matter?
Because the combination of server and client seed are creating the result, not one of those independently.

You can enter your client seed, basically anything you like,
so the server seed can be exactly the same, anything they like.
They are exploitable by the player. Same thing as hufflepuff in a nutshell
Pages:
Jump to: