Topic: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT - page 3. (Read 5526 times)

member
Activity: 84
Merit: 10
There is one aspect of that story that's still bothering me (well, there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to choose manually which player to 'cheat'". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

Good point.

The three-line screenshot didn't really show anything. Could we see the whole diff he submitted? The condition for when to apply the nonce-skip would be interesting. I too wonder how the rogue employee was able to choose manually which players to cheat when he didn't have access to the db.

To answer your question, there was no backdoor in the UI. Besides the "main" website we also have an application in place that we use to do simple day-to-day operations (such as resetting users' passwords, processing manual withdrawals, etc.), an 'admin' application if you like.

In this application there is only stuff that anyone can view (no secret stuff lying around) and do. One of those is that one could view / edit a JSON field on the user that we use primarily for storing meta information (for you techies, take a look here: http://www.postgresql.org/docs/9.4/static/datatype-json.html) such as last login, how much time he is active, etc., nothing important. He used this schemaless column to store the data he wanted in order to persist the conditions that, when met, triggered the skipping.

Doog, as for the diff, I will post it later.
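An auditor-side check for the mechanism discussed in this thread (a per-user nonce counter being advanced past winning rolls), as an added example that is not code from DiceBitco.in or from anyone posting here. The `Bet` record, the HMAC-SHA512 roll derivation and the sample log are all assumptions; a real audit would plug in whatever roll function the site's published verifier uses.

```python
"""Nonce-gap audit over a provably-fair bet log.
Added example; not code from DiceBitco.in or anyone in the thread."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Bet:
    user: str
    nonce: int      # per-user counter; an honest site advances it by exactly one per bet
    target: float   # the bet wins when roll < target (49.5 for an "under 49.5" bet)
    won: bool


def roll_hmac(server_seed: str, client_seed: str, nonce: int) -> float:
    """Assumed generic derivation: HMAC-SHA512(server_seed, "client_seed:nonce"),
    first 5 hex digits mod 10000 -> 0.00..99.99. The site's real scheme is not
    described in the thread; the audit only needs the same function the site used."""
    msg = f"{client_seed}:{nonce}".encode()
    digest = hmac.new(server_seed.encode(), msg, hashlib.sha512).hexdigest()
    return int(digest[:5], 16) % 10000 / 100.0


def nonce_gaps(bets: List[Bet]) -> Dict[str, List[int]]:
    """Per user, list every nonce missing from the range of nonces that were settled."""
    seen: Dict[str, Set[int]] = {}
    for b in bets:
        seen.setdefault(b.user, set()).add(b.nonce)
    return {u: [n for n in range(min(s), max(s) + 1) if n not in s] for u, s in seen.items()}


def skipped_outcomes(bets: List[Bet], user: str,
                     roll_fn: Callable[[int], float]) -> Tuple[int, int]:
    """Replay each skipped nonce with the revealed server seed.
    Returns (skipped, would_have_won). The target assumed for a skipped nonce is that
    of the next bet the user did get settled, i.e. the bet that was re-rolled.
    A random fault gives would_have_won/skipped of roughly target/100; a ratio near
    1.0 means the skips were landing on winning rolls, which is what the thread describes."""
    mine = sorted((b for b in bets if b.user == user), key=lambda b: b.nonce)
    gaps = nonce_gaps(mine).get(user, [])
    would_have_won = 0
    for g in gaps:
        next_bet = next(b for b in mine if b.nonce > g)   # gaps lie below the max nonce
        if roll_fn(g) < next_bet.target:
            would_have_won += 1
    return len(gaps), would_have_won


# Constructed sample log: "whale" has nonces 2 and 5 missing, "minnow" is contiguous.
SAMPLE_BETS = [
    Bet("whale", 0, 49.5, False), Bet("whale", 1, 49.5, False),
    Bet("whale", 3, 49.5, False), Bet("whale", 4, 49.5, True),
    Bet("whale", 6, 49.5, False),
    Bet("minnow", 0, 49.5, True), Bet("minnow", 1, 49.5, False),
]

if __name__ == "__main__":
    server_seed, client_seed = "constructed-server-seed", "constructed-client-seed"
    for user in ("whale", "minnow"):
        skipped, wins = skipped_outcomes(
            SAMPLE_BETS, user, lambda n: roll_hmac(server_seed, client_seed, n))
        print(f"{user}: skipped={skipped} would_have_won={wins}")
```

Run against a real export, the interesting users are those whose `would_have_won` is close to `skipped`; a site-wide fault would show gaps spread across users with a win ratio near the house odds.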
legendary
Activity: 2940
Merit: 1333
He could have just picked "x" number of random users to have nonces skipped for, and it just so happened that the first one to notice was a whale and the rest didn't actually bet until it was discovered and simply never bet anything while the code was in effect.

By "not having DB access" they could mean that the employee did not have the ability to write/make changes to the DB but could "read" the DB. If this was the case he could simply pick "x" number of users who would bet large amounts.

He could have used the bet verifier to check how much was wagered on random bets by each user and picked users who had made large bets. (I have not actually used the bet verifier prior to when they disabled it so I don't know if this would actually make sense)

All this could explain how he decided which users were best to target.

None of this explains how he then *manually* targeted those users.
sr. member
Activity: 434
Merit: 250
refund my 2btc that was stolen from me

1K8iVACToB2a1rxcTRedPRgs6h4C54u3Yv

sr. member
Activity: 420
Merit: 250
There is one aspect of that story that's still bothering me (well, there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to choose manually which player to 'cheat'". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

Good point.

The three-line screenshot didn't really show anything. Could we see the whole diff he submitted? The condition for when to apply the nonce-skip would be interesting. I too wonder how the rogue employee was able to choose manually which players to cheat when he didn't have access to the db.
If he was watching the live bets then the rogue employee could get a good idea as to who had a lot of money in their account, or he could have looked at the "high rollers" section to see who were the larger bettors.

He could have just picked "x" number of random users to have nonces skipped for, and it just so happened that the first one to notice was a whale and the rest didn't actually bet until it was discovered and simply never bet anything while the code was in effect.

By "not having DB access" they could mean that the employee did not have the ability to write/make changes to the DB but could "read" the DB. If this was the case he could simply pick "x" number of users who would bet large amounts.

He could have used the bet verifier to check how much was wagered on random bets by each user and picked users who had made large bets. (I have not actually used the bet verifier prior to when they disabled it so I don't know if this would actually make sense)

The above is nothing more than speculation, but all of it would fit the story that Dicebitco.in gave.
legendary
Activity: 2940
Merit: 1333
There is one aspect of that story that's still bothering me (well, there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to choose manually which player to 'cheat'". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

Good point.

The three-line screenshot didn't really show anything. Could we see the whole diff he submitted? The condition for when to apply the nonce-skip would be interesting. I too wonder how the rogue employee was able to choose manually which players to cheat when he didn't have access to the db.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
We cannot assume this is the case, [...]

I wasn't assuming anything. I was repeating what I think is the "official story".

There is one aspect of that story that's still bothering me (well, there is more than one TBH, but I'm trying to pretend now that it's true). They said the rogue employee "had to choose manually which player to 'cheat'". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.
full member
Activity: 209
Merit: 100
I had 0.01 invested in DiceBitco.in and was fortunate enough to immediately withdraw that Sunday after hearing about the skipped nonce incident. My observation of the events:

1. Skipped nonces - A high roller (finnile) discovered he was losing due to skipped nonces that targeted only winning bets.

2. More high rollers noticed the cheat - The skipped nonce bug targeted high rollers.

3. Site owner's response - They claimed that the code was implemented by a new employee.
However, the statement manl put out a day earlier contradicted this: there was no new employee.
Didn't GHash.io blame a new employee for their double-spending incident as well?

4. Investors are alarmed. Bankroll plummeted from 7000 BTC down to less than 2000 BTC. I divested and withdrew at this point.

5. Owners disable DiceBitco.in's peer bet verification and chat lobby.
There is absolutely no reason to hide betting verification other than to cheat.

6. Enter "mateo".

7. Using a few thousand 49.5% bets, mateo turned a +300 positive bankroll into -300. Nobody can verify his rolls.
What is the probability that a high roller shows up out of nowhere and sweeps the bankroll shortly after betting verification is disabled?

8. The site owner then goes completely silent for two weeks.

Everyone can come to their own conclusions at this point.
legendary
Activity: 2940
Merit: 1333
We cannot assume this is the case, [...]

I wasn't assuming anything. I was repeating what I think is the "official story".
member
Activity: 67
Merit: 10
If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

They've addressed this before.

He couldn't upload code himself. They uploaded his code for him without properly testing it. When they found out that his code was malicious they backed out his change.

While the code was in place he could potentially have grabbed a server seed, but apparently he randomized after his change was backed out, meaning he no longer had a way of reading his seeds.

I think that's how it goes, anyway.

We cannot assume this is the case, he may have randomized his own seed, but we're ignoring the true danger here. He may know the seeds to many whales or to even other accounts he has that DB doesn't know about. And the seed isn't the only vector here for such a disastrous situation.
legendary
Activity: 2940
Merit: 1333
If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

They've addressed this before.

He couldn't upload code himself. They uploaded his code for him without properly testing it. When they found out that his code was malicious they backed out his change.

While the code was in place he could potentially have grabbed a server seed, but apparently he randomized after his change was backed out, meaning he no longer had a way of reading his seeds.

I think that's how it goes, anyway.
member
Activity: 67
Merit: 10
In around 24hrs past the incident, the bankroll shrank from 7500 coins to ~1700. Then, we had one user, mateo, who was hitting the bankroll non-stop for almost 12hrs more, eating almost 600 BTC of profit (site was ~288 BTC profit prior to the 7th of September and around -320 BTC when mateo stopped playing). Lots of speculation exists as well around that user, so please allow me to elaborate. User mateo was registered on 2014-08-06 18:22:05 and before the incident of 7th of September was -33 BTC in total. The date he registered the other developer was not hired yet, so it is impossible that it was him. The new hire had no access to the database (or to the production server), which means that it is impossible for him to know other users' seeds. On top of that, mateo did randomize his rolls before he went on with his crazy streak (my guess would be to verify if he got affected by the malicious code - btw he was not affected). Given all those facts there is 0% chance it could be someone that knew the server seed and played against it. When he asked for a withdrawal when done, we were left astonished with that run (like we didn't have enough shit already to deal with). We postponed his withdrawal for several hours. We went through his rolls again and again, we searched every possible way of "cheating". Everything was legit, so we paid him out.

If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

I imagine anyone with access and ability to upload unchecked code can do the following:
  • Read out the authentication details used to connect to the database/wallet
  • Run a query to look up seeds
  • Intercept passwords before they are hashed and checked against database
  • Forge tokens/cookies and log into another's account
  • Change/delete entire tables of the database
  • Increase or decrease balances of any user

Why are you guys even assuming that seeds, passwords, and server are safe? Isn't it time for a full system seed and password change?

Are you guys just making up this whole "employee" story? Are you guys this inexperienced?
legendary
Activity: 2940
Merit: 1333
Good luck trying to regain people's trust after potentially scamming over a thousand coins.

I stand by everything I said including the part about the 1000 coins.

I don't think I understand. What 1000 coins are you talking about here?

I see two ways to interpret your "potentially" here:

1) Are you saying they had the potential to steal 1000 BTC? If so, the number is more like 7000, since that's what was in the bankroll that they could have stolen (but instead they allowed investors to withdraw almost all of it).

2) Or are you saying that you think they actually stole 1000 BTC? If so, how? Even if "Mateo" was a site player, he lost more than he won, and it was less than 1000 BTC.

Neither way makes much sense to me. Could you be clearer about what you're actually accusing them of?
full member
Activity: 154
Merit: 100
Calling out scams, one HYIP at a time...
Get your facts right. We will not refund you because you were not affected by this; only certain players (less than 20) got affected. You lost because you pulled out your investment by divesting when you were in minus. If you didn't divest, you would never have lost those coins (but would have made a nice extra as well).

I think your own facts are not quite right. As was posted in the other thread, even if investors didn't divest they wouldn't have gained their coins back, let alone "extra".

Why don't you post a list of investors from before the shitstorm, and exactly how much each of them divested/invested/lost/gained since then.

The thing I'm most curious about is who were these investors who saw the shitstorm that was DBC and still decided to go and invest new coins during it, just in time to catch Mateo dumping back what he had won before. That's the problem here, the owner could easily be Mateo and also be most of the investment on the site right now. So he sacrificed some BTC to the few legit investors still in on the site in order to gain back trust for an even bigger Mateo (or likely some new account) win in the future.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
Get your facts right. We will not refund you because you were not affected by this; only certain players (less than 20) got affected. You lost because you pulled out your investment by divesting when you were in minus. If you didn't divest, you would never have lost those coins (but would have made a nice extra as well).

I think your own facts are not quite right. As was posted in the other thread, even if investors didn't divest they wouldn't have gained their coins back, let alone "extra".

Why don't you post a list of investors from before the shitstorm, and exactly how much each of them divested/invested/lost/gained since then.
legendary
Activity: 2044
Merit: 1115
★777Coin.com★ Fun BTC Casino!
BR can't be negative. Once it's zero, there's nothing to bet against. Profit was negative, not bankroll.

Can we lock this thread and direct all comments to the longer thread already dealing with this topic? There doesn't need to be two discussions about the same topic going on, that just leads to confusion and missing information and people saying the same things in two different places.
sr. member
Activity: 322
Merit: 250

YOU ARE LYING.
He won almost all his bets... Against a negative bankroll... This site is STILL RIGGED.
You should have halted the gambling and sent the investor's money to their emergency address once a security issue was found. Instead, you let the gambling continue, and even THEN you still let Mateo withdraw his money. You continued the gambling without a deep inspection into your source code.
How can you lie about what happened when there were so many people watching it all happen??

Also, I believe it would be your moral obligation to halt the gambling until all investors could at least be given the time to log into their accounts. I wasn't even given a chance or even a warning email of what happened. A gambler won UNFAIRLY against my investment, and somehow it's my fault for not divesting WHILE he was cheating??

Your actions show nothing but the intent to steal money from the investors and get away with it.

Get your facts right. He didn't win almost all his bets, plus he ended up busting big time (lost all he won + more). Against a negative bankroll..? What is a negative bankroll? mateo's first withdrawal wasn't done automatically. We went through all his bets and they were legit. He also had randomized his server seed, so it was impossible for him to cheat. Simple as that. As far as the "continued gambling", we did so only after we inspected the code, isolated the malicious code and made 1000% sure it works as it should. Calling the site STILL RIGGED will just get you a negative trust next time you post without facts. And that's the last time I answer to you. I am sorry you divested when in loss, but the gambler did NOT win unfairly against your investment, since he had no access to server seeds. You miss the point that from this whole fiasco, the ONLY people that had a profit out of this were investors. Neither we nor users with known server seeds.
Great. So where is YOUR proof of not being Mateo then?
Also, you went through all his bets, which skipped nonces, and somehow you considered those to be legit? If he skips nonces then he is cheating and you shouldn't have paid him his "winnings". You're not implying he wasn't cheating, right?
Go ahead and give me negative feedback. Threatening other people on here won't improve your trust at all. If this is how you work then I honestly don't see how anyone would ever trust you with a single bitcent ever again. You have proven to be completely incompetent at running this website responsibly. Tell me, what is the emergency address for?? Was there even any source code in place that would send to those addresses in case of an emergency?
Go ahead and give an honest man negative feedback. Go right ahead.

Also, a negative bankroll is a bankroll where there is a minus-sign in front of it...
member
Activity: 84
Merit: 10

YOU ARE LYING.
He won almost all his bets... Against a negative bankroll... This site is STILL RIGGED.
You should have halted the gambling and sent the investor's money to their emergency address once a security issue was found. Instead, you let the gambling continue, and even THEN you still let Mateo withdraw his money. You continued the gambling without a deep inspection into your source code.
How can you lie about what happened when there were so many people watching it all happen??

Also, I believe it would be your moral obligation to halt the gambling until all investors could at least be given the time to log into their accounts. I wasn't even given a chance or even a warning email of what happened. A gambler won UNFAIRLY against my investment, and somehow it's my fault for not divesting WHILE he was cheating??

Your actions show nothing but the intent to steal money from the investors and get away with it.

Get your facts right. He didn't win almost all his bets, plus he ended up busting big time (lost all he won + more). Against a negative bankroll..? What is a negative bankroll? mateo's first withdrawal wasn't done automatically. We went through all his bets and they were legit. He also had randomized his server seed, so it was impossible for him to cheat. Simple as that. As far as the "continued gambling", we did so only after we inspected the code, isolated the malicious code and made 1000% sure it works as it should. Calling the site STILL RIGGED will just get you a negative trust next time you post without facts. And that's the last time I answer to you. I am sorry you divested when in loss, but the gambler did NOT win unfairly against your investment, since he had no access to server seeds. You miss the point that from this whole fiasco, the ONLY people that had a profit out of this were investors. Neither we nor users with known server seeds.
sr. member
Activity: 322
Merit: 250
Mateo was STILL PLAYING against MY investment. He was CHEATING me out of MY money. You didn't halt gambling while the cheating was going on at all. Explain to me how this is not a SCAM.
You are a shameless scammer. It's as simple as that.

You are wrong. The gambling WAS HALTED when the incident was found (all accounts turned into invest-only) and betting was reinstated only when we made sure the malicious code was not in place. Also, mateo didn't play that particular day, but almost 24h after the incident. It was your choice to leave your coins invested or divest them when you were losing (invest/divest was never halted, same as withdrawals).
YOU ARE LYING.
He won almost all his bets... Against a negative bankroll... This site is STILL RIGGED.
You should have halted the gambling and sent the investor's money to their emergency address once a security issue was found. Instead, you let the gambling continue, and even THEN you still let Mateo withdraw his money. You continued the gambling without a deep inspection into your source code.
How can you lie about what happened when there were so many people watching it all happen??

Also, I believe it would be your moral obligation to halt the gambling until all investors could at least be given the time to log into their accounts. I wasn't even given a chance or even a warning email of what happened. A gambler won UNFAIRLY against my investment, and somehow it's my fault for not divesting WHILE he was cheating??

Your actions show nothing but the intent to steal money from the investors and get away with it.
hero member
Activity: 784
Merit: 500
Don't see why on Earth anyone would deal with you from this point onwards.

Good luck trying to regain people's trust after potentially scamming over a thousand coins.

You had a bug in your Primedice and people were deceived. Wait, how many was it?

Quote
around 37,500 bets were settled as losses when they should have been wins...

https://bitcointalksearch.org/topic/m.8441727
member
Activity: 84
Merit: 10
Mateo was STILL PLAYING against MY investment. He was CHEATING me out of MY money. You didn't halt gambling while the cheating was going on at all. Explain to me how this is not a SCAM.
You are a shameless scammer. It's as simple as that.

You are wrong. The gambling WAS HALTED when the incident was found (all accounts turned into invest-only) and betting was reinstated only when we made sure the malicious code was not in place. Also, mateo didn't play that particular day, but almost 24h after the incident. It was your choice to leave your coins invested or divest them when you were losing (invest/divest was never halted, same as withdrawals).