
Topic: Primedice.com | Since 2013 | Longest Running Crypto Casino | 113 BTC Jackpot! - page 1080. (Read 1989815 times)

legendary
Activity: 926
Merit: 1000
Zoltan - PD Moderator
How true is the post above me?

Was that resolved already?

Stunna already replied a couple pages before. On PD side it is marked as resolved. I don't know why he is still posting this, he got more btc than he lost or would have won...

Everything is 100% true, I have a log of email detailing everything. It was not resolved, despite opinions like the one above. This post explains exactly what happened. Do you think that reply from the 'developer' counts as resolved? I have been provided NO PROOF whatsoever.



Let me quote Stunna:
We overpaid you a LOT already. We paid out .14 despite you winning the bet after that one and making back everything you lost. We didn't take that into account though. Then on TOP of that we rounded it up to .2

I'm also pretty sure we sent you all the relevant bet ID's. They don't mean anything though as we no longer publicly display our old database. You have to take our word for it. One thing I can tell you we are not interested in doing is unfairly taking BTC off our customers. You're being very unfair to me and the PD team. I understand we took a while to sort this out as it is a very difficult situation and it's all to do with a redundant part of the website.

So it is marked as resolved... It is not my opinion, I just copied what he said...
newbie
Activity: 47
Merit: 0
How true is the post above me?

Was that resolved already?

Stunna already replied a couple pages before. On PD side it is marked as resolved. I don't know why he is still posting this, he got more btc than he lost or would have won...

Everything is 100% true, I have a log of email detailing everything. It was not resolved, despite opinions like the one above. This post explains exactly what happened. Do you think that reply from the 'developer' counts as resolved? I have been provided NO PROOF whatsoever.

legendary
Activity: 926
Merit: 1000
Zoltan - PD Moderator
How true is the post above me?

Was that resolved already?

Stunna already replied a couple pages before. On PD side it is marked as resolved. I don't know why he is still posting this, he got more btc than he lost or would have won...
member
Activity: 109
Merit: 10
How true is the post above me?

Was that resolved already?
sr. member
Activity: 292
Merit: 250
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
Well the discussion of vulnerability related things on dice sites and the theoretical possibility of cracking the PD server seeds seemed relevant enough (today.)

But, after that last post I was not planning to reply anymore and agree the last few posts were a bit too much offtopic, sorry guys :p That's it.
hero member
Activity: 868
Merit: 1000
^ Guys, wouldn't it be better to discuss that problem in the BikiniDice thread rather than here?
legendary
Activity: 1274
Merit: 1001
"shh, he's coding..."
I do not expect you to understand this. So, do not worry.

Sorry, it was a joke like your lol! :D
No problem with you, we listen to all community advice. But we have our convictions.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
Ps I'm one of the bikinidice developers
Ah, this explains it. Just stay stubborn and keep making silly statements. That's it.
I do not expect you to understand this. So, do not worry.
legendary
Activity: 1274
Merit: 1001
"shh, he's coding..."
Lol?
So we can just stop with the whole bitcoin system I guess? Since it's also theoretically possible to crack private keys etc.
You understand his statement "we use per-roll against brute-forcing" was silly, right?

No, I'm saying that it is safer to change the seed every time. That's it.
But I do not expect you to understand this. So, do not worry.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
@NLNico
Yes it's difficult but not impossible.
Lol?

So we can just stop with the whole bitcoin system I guess? Since it's also theoretically possible to crack private keys etc.

You understand his statement "we use per-roll against brute-forcing" was silly, right?
sr. member
Activity: 319
Merit: 250
Is the API working? I wrote a betting script using curl and php and it's not working, when it used to work.
legendary
Activity: 1274
Merit: 1001
"shh, he's coding..."
full member
Activity: 196
Merit: 104
I would find it hard to keep track of each server seed if I run an automatic bot. How do I verify each roll in that case?

Yes it's so hard to track server seed with auto-bet, we need to work on some API calls to solve this untrust.

Wait... So you guys could potentially observe the betting pattern of players and change the server seed to make them lose? Can't the server modify the result and show a server seed when the user requests for it via the API and gives the user the losing result when calculated?

No. We use the same server seed until you opt to change it. The client seed is nonced in order to create different rolls. There is no way for PD to show a different server seed without you noticing.

I think that post was for Bikinidice, as they change server seed on each roll.
legendary
Activity: 1876
Merit: 1303
DiceSites.com owner
Part of fixing the issue is forcing all accounts to set a new seed pair, in an hour expect to be prompted to set a new pair.

We (bikinidice) change server seed every roll. That isn't very pretty for the player (need to check every time his pair to make sure of our fair system) but we need to protect our investors' coin.

Sites like bikinidice which pick a new server seed for every roll are a real pain to play on for the paranoid gambler. In order to be sure that the rolls are fair, you have to make a note of each new server seed hash, and then pick a new random client seed as well - for every roll - and then verify the rolls afterwards, too.

If any player forces the sha256 server seed, it is a BIG problem. Yes it's difficult but not impossible.
Lol?
I think if you had some coin of other players you need to take more care than a "lol" ;)
Yeh, definitely. But just the fact that he, as a dice site operator, thinks brute-forcing is a problem with a long enough seed is pretty funny. Let's do some maths.



PD uses 26 lowercase letters and 10 numbers in their seed, so 36 different characters with a length of 64 characters. So 36^64 =
4011991914547630480065053387702443812690402487741812225955731622655455723258857248542161222254985216 different seeds.
The bitcoin network calculates double SHA256 hashes with a speed of 297,275,048.09 GH/s. So 297275048.09*1000000000 = 297275048090000000 double SHA256 hashes per second (pretty impressive right?), and single SHA256 would therefore be 297275048090000000*2 = 594550096180000000 hashes per second. This is 594550096180000000*60 (seconds) *60 (minutes) *24 (hours) *365 (days) = 18749731833132480000000000 hashes a year. However, it would take:

4011991914547630480065053387702443812690402487741812225955731622655455723258857248542161222254985216 / 18749731833132480000000000

= 213975962443264184927319954831658656345664031820000000000000000000000000000 years

to calculate all the original seed-hash calculations of PD with the power of the entire bitcoin network.



So yes. I do think it's funny that he thinks this is a serious threat or that he thinks he is "protecting his players/investors" by having a "seed per roll" system. He is actually quoting a message of October of dooglus just to say "see dooglus, this PD hack is exactly the reason why we have hashes per roll, so we cannot have teh damn brute-forcers". I kinda assumed or hoped that was a joke or something, hence the "lol?".

Don't get me wrong. A dice site can have many problems / server-seed leaks, to name a few:
- Any SQL injection or code execution or things like that to get to the database with the seeds.
- Any other way of "leaking" the un-hashed server-seed (probably what happened here - personally I am curious for the later update with hopefully some technical details)
- Running in a shared hosting or VPS environment with a bad hosting employee.
- Not separating nonces / client seeds, like BikiniDice was planning to do (like I pointed out here)
- Having a predictable random generator so the server seeds could be predicted (BikiniDice seems to use the PHP rand() function, so I hope the server seed is generated more randomly than that)
- Any other algorithm flaws, like PRC had many months ago with getting the "next character" instead of "next set of 5" thing.
- If your "server seed" is actually not that long, brute-forcing is a problem.
- And obviously any other normal security issues like XSS, CSRF, etc.


Nothing bad towards BikiniDice though, I really like the trollish-internet-concept. Just thought it was a silly statement to make.


Ps, I am not that good at math, if there is a problem please correct me, but the idea is clear I think.
legendary
Activity: 3192
Merit: 1279
Primedice.com, Stake.com
I would find it hard to keep track of each server seed if I run an automatic bot. How do I verify each roll in that case?

Yes it's so hard to track server seed with auto-bet, we need to work on some API calls to solve this untrust.

Wait... So you guys could potentially observe the betting pattern of players and change the server seed to make them lose? Can't the server modify the result and show a server seed when the user requests for it via the API and gives the user the losing result when calculated?

No. We use the same server seed until you opt to change it. The client seed is nonced in order to create different rolls. There is no way for PD to show a different server seed without you noticing.
legendary
Activity: 2464
Merit: 1037
CEO @ Stake.com and Primedice.com
I would find it hard to keep track of each server seed if I run an automatic bot. How do I verify each roll in that case?

Yes it's so hard to track server seed with auto-bet, we need to work on some API calls to solve this untrust.

Wait... So you guys could potentially observe the betting pattern of players and change the server seed to make them lose? Can't the server modify the result and show a server seed when the user requests for it via the API and gives the user the losing result when calculated?

There is a possibility of that happening. It would be better for the user to change the client seed frequently, if that's the case.

Is everything good on PD?

All good :)
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
I would find it hard to keep track of each server seed if I run an automatic bot. How do I verify each roll in that case?

Yes it's so hard to track server seed with auto-bet, we need to work on some API calls to solve this untrust.

Wait... So you guys could potentially observe the betting pattern of players and change the server seed to make them lose? Can't the server modify the result and show a server seed when the user requests for it via the API and gives the user the losing result when calculated?

There is a possibility of that happening. It would be better for the user to change the client seed frequently, if that's the case.

Is everything good on PD?
Primedice uses the same server seed and client seed throughout till either they notify you or you change it yourself. They cannot change the result since the results are predetermined when the server seed and the client seed are set. The one affecting result is the nonce which increases by 1 after every bet.
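
The check the posts above describe (one server seed committed by its SHA-256 hash, a fixed client seed, and a nonce that increases by 1 per bet), as an added example that is not part of the thread and is not Primedice's code. The roll derivation (HMAC-SHA512 read in sets of 5 hex characters), the function names and both seeds are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not real Primedice seeds.
SERVER_SEED = "k3v9x0q7m2a8c5t1z6b4n0p9r3d7f2h8j5l1w6y4u0s9e3g7i2o8a5c1v6x4q0m9"
CLIENT_SEED = "my-client-seed"

def commitment(server_seed: str) -> str:
    """SHA-256 hash of the server seed, published before any bet is placed."""
    return hashlib.sha256(server_seed.encode()).hexdigest()

def roll(server_seed: str, client_seed: str, nonce: int) -> int:
    """Roll in hundredths (0..9999). ASSUMED derivation for illustration:
    HMAC-SHA512 keyed with the server seed over "client_seed-nonce", read in
    sets of 5 hex characters until one is below 1,000,000."""
    digest = hmac.new(server_seed.encode(), f"{client_seed}-{nonce}".encode(),
                      hashlib.sha512).hexdigest()
    for i in range(0, len(digest) - 4, 5):
        n = int(digest[i:i + 5], 16)
        if n < 1_000_000:
            return n % 10_000
    return 9_999  # all 25 sets rejected: practically unreachable

def sample_log(count: int, first_nonce: int = 0):
    """Constructed log of (nonce, roll) pairs as an auto-bet bot would record them."""
    return [(n, roll(SERVER_SEED, CLIENT_SEED, n))
            for n in range(first_nonce, first_nonce + count)]

def audit(committed_hash, revealed_seed, client_seed, bet_log):
    """Return a list of problems; an empty list means the session verifies."""
    if not hmac.compare_digest(commitment(revealed_seed), committed_hash):
        return ["revealed server seed does not match the committed hash"]
    problems = []
    expected = bet_log[0][0] if bet_log else 0
    for nonce, shown in bet_log:
        if nonce != expected:
            problems.append(f"nonce {nonce}: expected {expected} (gap or reuse)")
        derived = roll(revealed_seed, client_seed, nonce)
        if derived != shown:
            problems.append(f"nonce {nonce}: logged {shown}, seeds give {derived}")
        expected = nonce + 1
    return problems

if __name__ == "__main__":
    published = commitment(SERVER_SEED)      # recorded before betting starts
    log = sample_log(5)
    print(audit(published, SERVER_SEED, CLIENT_SEED, log))   # honest session
    log[2] = (2, (log[2][1] + 1) % 10_000)   # simulate an altered result
    print(audit(published, SERVER_SEED, CLIENT_SEED, log))
```

With one seed pair per session, a bot only has to store the committed hash once plus the (nonce, roll) pairs; with a new server seed per roll it would have to store a hash for every bet.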
sr. member
Activity: 252
Merit: 250
Ace of ♠♠♠♠
I would find it hard to keep track of each server seed if I run an automatic bot. How do I verify each roll in that case?

Yes it's so hard to track server seed with auto-bet, we need to work on some API calls to solve this untrust.

Wait... So you guys could potentially observe the betting pattern of players and change the server seed to make them lose? Can't the server modify the result and show a server seed when the user requests for it via the API and gives the user the losing result when calculated?

There is a possibility of that happening. It would be better for the user to change the client seed frequently, if that's the case.

Is everything good on PD?