Bitcoin Forum
1021  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 09:27:40 PM
My password was pP@$$w0rd and it's definitely unique to this site. You tell me that this is a password that could be guessed by a random guy in less than 10 minutes, I have nothing to say to you. And guys, do google it and tell me if you find it.

Also it seems that P@$$w0rd is a suffix you use for many of your passwords? So pP@$$w0rd means "primedice password"? If people know a bunch of your other passwords, and then try to guess your PrimeDice password ... you're not exactly making it hard Cheesy

I really think you owe PrimeDice an apology for this whole thing, and use it as a cheap lesson on the importance of using a password manager  Grin


1022  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 09:17:03 PM
feel free to post it here (after changing it on primedice) and close this discussion.

He forced me to share the password on this thread.

:sigh:
1023  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 06:20:36 PM
It might be a good time to close the thread. There doesn't seem to be a single person who used good security practices who has had any problem. Hopefully though it is a useful lesson for everyone to always use a password manager, both for PrimeDice and every other site. I do not believe there are many people on earth who are capable of reliably remembering unique secure passwords for dozens of different websites.

Something like lastpass is free and works in pretty much every platform. There's really no excuse to not use something like it. Obviously sites like PrimeDice will try to do their best to protect users even if their password is weak/compromised, but people need to take responsibility to have a secure password and play from a malware-free device (even with 2FA, a compromised device can still screw you)

It's a pain in the ass setting up a password manager, but it really is time well spent. Like for instance, like a month ago 340M account details from AdultFriendFinder seem to have been leaked. It was really nice to not have to worry about the security of any of my other accounts.


At least that's a good feature that you have, setting the password for user. Hope you'd take the blame when a user's account gets hacked on your website considering you have set the password for them.

Well it's still the user's responsibility to keep their password safe. If you share it with someone (intentionally or accidentally) then it's your own problem. But if a password was brute forced (which has never even come close to happening, I would know as all attempts are logged and monitored) then I would happily refund any losses.


Wasn't there a bug where you were able to modify the value of the password field and choose your own password? It happened a while ago so I assumed it's patched now but eh

Actually it's intentional. The secure password is generated client-side, which allows users to manipulate it (if they're technical and have a good reason to do so). However, even so I still verify it with zxcvbn to make sure it's reasonably secure.
1024  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:54:15 PM



Out of interest, for a couple of days I logged people's username/password and tried to look them up or crack them myself. I think my success rate was about 20-30%.


and this coming from the owner of bustabit! WOW!! speechless! can anybody feel more naked around these websites ?

Just to be very clear, I was only trying to crack their bustabit password (based on information I could find online), I obviously wasn't attempting to crack their other accounts based on the password used at bustabit.  And that risk is now 0, because bustabit doesn't even let users pick their own password.
1025  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:23:02 PM
Also, we'll look into setting tighter requirements for passwords and maybe offer a 2fa on cashout option.

There's a good library for that by dropbox:  https://github.com/dropbox/zxcvbn

I used it for a while, but it ended up making almost no difference. Pretty much every hacked account I saw wasn't hacked through brute forcing (as we had a recaptcha, and logged failed attempts) but was hacked by people using sites like leakedsource.com. Even when people used unique usernames, a nasty trick some scammers were doing was luring people into other mediums (email, skype, etc) so they could see their other usernames to look them up.


Out of interest, for a couple of days I logged people's username/password and tried to look them up or crack them myself. I think my success rate was about 20-30%.


I've come to the conclusion that passwords are pretty useless by themselves, unless tied to a bunch of other stuff (probably the easiest being email 2FA).  So what I now do is just not let users pick their own passwords (and force them to use a random securely generated one).

Of course users absolutely hate it, but I figure the users who hate it the most are the same ones who don't use password managers and reuse the same password for every site, and they're the exact people who would otherwise get hacked. I think since doing that, claims of hacked accounts have dropped about 10 fold (although forgot password claims have gone up by a similar amount).

It unfortunately doesn't protect against phishing attacks. Something that 2FA tends to do a better job at preventing Cheesy
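
An added example (not part of the original posts, and not bustabit's or PrimeDice's code) of the approach described in the post above: the site issues a random password and keeps only a salted hash to check logins against. The 12-character alphanumeric format, the scrypt defaults and all function names are assumptions; the client-side generation with a zxcvbn check mentioned elsewhere in the thread is not reproduced here.

```javascript
'use strict';
const crypto = require('node:crypto');

// Assumption: 62-symbol alphabet and 12 characters (illustrative policy, not the site's).
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
const LENGTH = 12;

// Draw each character with a CSPRNG. crypto.randomInt is uniform over [0, n),
// so there is no modulo bias as with `byte % 62`.
function generatePassword(length = LENGTH) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET[crypto.randomInt(ALPHABET.length)];
  }
  return out;
}

// Entropy of a uniformly random password: length * log2(alphabet size).
function entropyBits(length = LENGTH) {
  return length * Math.log2(ALPHABET.length);
}

// The server stores only a per-user random salt and the scrypt output.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Recompute the hash with the stored salt and compare in constant time.
function verifyPassword(password, record) {
  const expected = Buffer.from(record.hash, 'hex');
  const actual = crypto.scryptSync(password, Buffer.from(record.salt, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Hypothetical signup flow: the password is shown to the user once,
// and only `record` is persisted.
function issueAccount(username) {
  const password = generatePassword();
  return { username, password, record: hashPassword(password) };
}
```

A password issued this way cannot appear in another site's leak, which is the failure the post attributes most compromises to; it does nothing against phishing, as the post notes.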
1026  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 05:06:41 PM
Ryan, seriously ? you are asking me to share my password here ?

I mean, is the question really about how strong my password is ? Shouldn't the question be, why did they let me choose a weak password if at all I chose a weak password ?

Sure, why not? My password was yMrND9DpHD9T   (but I just changed it). Your account has already been hacked, so it presumably doesn't even have money in it. I don't see the harm in sharing a password as unique and strong as you claim  Grin
1027  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 04, 2017, 04:31:07 PM
BTW what was your username and password (after you changed it)? As you used a unique password to the site, so it shouldn't matter saying it here. It'll likely help primedice as they can check it against the hashed version in the database, and allow people here help you out by checking it against some combo-list sites to make sure it hasn't been leaked somewhere else
1028  Economy / Gambling / Re: bustabit.com -- The Social Gambling Game on: January 03, 2017, 08:12:27 PM
Congratulations to dudaxmaimons who has continued his 19x martingale to an amazing 238 bitcoin (..and counting)






(Sorry, I don't like to advertise much. But I feel it'd be a waste of the $133000 USD I lost last night to not do so  Tongue)


1029  Economy / Gambling / Re: bustabit.com -- The Social Gambling Game on: January 03, 2017, 08:09:54 PM
who is Ryan on BaB?

RHavar or espringe?

That would be me, I'm Ryan on BaB.
1030  Economy / Gambling / Re: Bitstarz Removes 3.45 Btc Balance According to Breaking Bonus Terms on: January 03, 2017, 04:25:00 PM
Last night, I heard someone complaining that they had won 0.2 bitcoin on bitstarz, and were required to provide extensive identity verification despite the fact that they had never used anything but bitcoin.

Is this correct? Or a normal process at bitstarz? Under what circumstances do you require id verification for withdrawals?

I think a lot of players pick bitcoin casinos where they can be anonymous and don't need to worry about their documents getting leaked or stolen or used maliciously. And what does bitstarz do with winnings that weren't withdrawn because a user would rather preserve their anonymity than their money? Is that considered a profit center for the casino, or given away to charities like most physical casinos?
1031  Economy / Gambling / Re: PRIMEDICE COMPROMISED on: January 01, 2017, 07:38:13 PM
I think the most common source of all account compromises is reusing passwords (and not using password managers in general). Was the password you used unique to the site? Or something someone could look up on leakedsource.com?
1032  Economy / Gambling / Re: bustabit.com -- The Social Gambling Game on: December 31, 2016, 08:18:20 PM
Go in with reasonable expectations. The house edge is 1% (less than?). That means in the long run, the house can expect 1% of the wagered amount in profits. Then divide the expected profit by your percentage of the bankroll. If you're investing a significant amount into the bankroll, perhaps that will be worth it. However, and this is a personal opinion here, being locked into a long term investment that's denominated in an extremely volatile currency for a (likely) small profit upside is extremely risky. Just be aware of how risky it is. Everyone is at the height of optimism right now because we've had steady price appreciation for a string of months. Remember that optimism is at its highest point right before bubbles pop. Bitcoin in 2012, housing in 2007, dot com in 1999... None of these investors thought they could lose money.

Just be aware of the risks is all I'm saying, because they're much deeper than it appears on the surface.

Yeah, definitely good advice. Right now our turnover is pretty good (our bankroll is ~640 BTC and we do around 2000 bitcoin of volume a day). Obviously things will change considerably with outside investors inflating the bankroll, but hopefully there will also be a corresponding increase in volume as we can appeal to larger gamblers.


Anyway, I think I'll call it "bankroll gambling" instead of "investing" to set proper expectations (even though it'll be +EV and +expected bankroll growth) as it's pretty insanely risky
1033  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ICO] BetBase SHARES | Invest in Bitcoin gambling | Escrow by RHavar on: December 29, 2016, 07:50:19 PM
Since everyone appears to be happy with the refunds, I'm going ahead and releasing the escrow funds. In preparation, I have swept it from cold storage into a hot wallet of mine. When johny1976 confirms, I'll send the full amount (5.86725325) to the address he gave me earlier (1J5ZyDb44ZKABKzi45BGdBmAfLEk3NDEQu)

Confirmed, thank you RHavar, please release.

For those of you who haven't responded to us and invested earlier, we are ready to refund you. Just contact us at PM or info@betbase.io


Sent: 7102ecc82a54a988e17d0568a17c9eff6c49a531ab263a70ac292af017897d8f
1034  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ICO] BetBase SHARES | Invest in Bitcoin gambling | Escrow by RHavar on: December 29, 2016, 07:13:04 PM
Since everyone appears to be happy with the refunds, I'm going ahead and releasing the escrow funds. In preparation, I have swept it from cold storage into a hot wallet of mine. When johny1976 confirms, I'll send the full amount (5.86725325) to the address he gave me earlier (1J5ZyDb44ZKABKzi45BGdBmAfLEk3NDEQu)
1035  Economy / Gambling / Re: bustabit.com -- The Social Gambling Game on: December 28, 2016, 11:35:31 PM
How exactly is the distribution handled?

Will it be a round of 1st investors that get bonuses?  Or first in gets most?

I assume you're asking about the dilution fee? It's not final (as it's not released) but the way I coded it is pretty simple. Let's say you invest 1 BTC, you get assigned a stake in the bankroll as if you had invested 0.9 BTC, and all other investors get diluted as if you invested 0.9 BTC

i.e. you off the bat lose 10% of your investment

Then immediately that 0.1 you lost is given to all investors (including yourself) via increasing the bankroll (but not adjusting the stake). So in effect, it is given to all investors equally based on how much they've invested.


Anyway, it gets a little messy when you consider the leverage thing I've added too. But instead of  documenting it here, I'll build up a full explanation and FAQ about it ready for the beta =)
1036  Economy / Gambling / Re: bustabit.com -- The Social Gambling Game on: December 28, 2016, 10:29:23 PM
Who is operator of bustabit v2?

It's not changing ownership, just a code update. It'll continue to be run by me
1037  Economy / Gambling / Re: bustabit.com -- The Social Gambling Game on: December 28, 2016, 07:48:07 PM
Further complicating was his screenshot of the chat where your mod seemed to concede that there are known issues with gambler-side disconnects. But since your site doesn't claim that there is immediate bet termination on connection interruption, that's not something gamblers can count on, and I am satisfied with the explanations you offered. It makes total sense that on player-side disconnect, the game runs based on the auto cash out value.

I didn't notice that conversation before, but I think Dexon was playing with an old version of the code that attempted to detect disconnects and cash people out, and was commenting about how unreliable it is (which is why it's removed).  If you want to detect client disconnects, you need to keep pinging the client and based on a lack of response disconnect them. If you use 15 seconds for instance, there are very few false positives but it's almost useless (the game will have almost certainly already busted). And if you use a timeout of like 2 seconds, you catch most disconnects in time, but then players who got hit by false positives (e.g. temporary lag) and got cashed out would be infuriated and feel like they were cheated. ("Omg, it lagged AND i got cashed out early AND i should've won!")

So I think what works best is just always relying on the "auto cash out" and players making sure to always use an auto cash out that they are comfortable with
1038  Economy / Gambling / Re: bustabit.com -- The Social Gambling Game on: December 28, 2016, 04:48:21 PM
Almost starts to feel like a pyramid scheme with new investors paying old investors Tongue but of course it's not the same since it isn't the only source of income for investors.

Haha, yeah.  Although I think technically it would be more ponzi-ish than pyramid-ish. It'll certainly get to the point that investors will never be able to recoup their "dilution fee" from the "dilution fee" of future investors. But that's also fine, because investors should be expecting to make profit from bankrolling the site, and not from future investors.
1039  Economy / Gambling / Re: bustabit.com -- The Social Gambling Game on: December 28, 2016, 04:35:33 PM
Good explanation. I was also under the impression that if you disconnect, your game was terminated immediately, and so I was trying to reconcile this with what happened here. But it would make sense that on the server end, the game would continue to run to your predetermined bet cashout. Can Ryan just confirm that this is how it does work and how it is intended to work? That on player-side disconnect, the game runs until the predetermined cashout point? If so, the player has no legitimate claim for refund. (If the game did go past 100x on his disconnect and he was auto-cashed out despite being disconnected, I doubt he'd be offering the money back because that's what is "fair.")

Basically in bustabit you can be cashed out by one of three things:

a) Sending a "cashOut" event to the server (e.g. manually hitting the button).
b) Force cashout (basically the max profit gets hit, and the server forces you to take the money)
c) Your "auto cash out" value, which is done server side (and there's no interference by lag/latency or what not).


In the past, we used to have a fourth option -- which was a "best effort" disconnection detection. However it was extremely unreliable (as there's no possible way on the internet for a server to immediately and reliably know when someone disconnects). The best you can do is if they're not responding to pings for X milliseconds, then assume they've disconnected. However there were a lot of false positives, and people accusing me of cheating them with this (which completely wasn't the case, but I can understand why it might have looked like it) so I ended up just totally removing it.


I've once had a user who hit something like 2.3 BTC due to hitting a 1100x due to disconnecting (while they were intending to play conservatively, with a small amount of money). Obviously they happily got the money, and it would've been totally unreasonable for me to expect or want it back etc.

The reality is that if there is lag (or even disconnects) bustabit doesn't really make any more money, it just uses the risk/reward from your "auto cash out" value. So it's not really possible for us to give refunds (especially for a thing that is impossible to know from the server's point of view, so it would be abused by scammers).



(I've spent a great amount of time and energy explaining and providing information to the guy about this, but he seems more interested in threats and getting me to pay to delete his posts. I told him at the onset that I don't give in to blackmail, but I guess some people need to learn the hard way). I really think it'd be best if we just collectively ignore him, to save everyone the trouble.
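
An added example (not bustabit's code) of the ping-timeout trade-off described in this post and in the December 28, 07:48:07 PM post above: a 2-second timeout catches a real disconnect before the bust but also flags a lagging player, while a 15-second timeout does neither. The pong traces, the 9-second bust time and all names are constructed for illustration.

```javascript
'use strict';

// Constructed sample round: pong arrival times in ms since the round started.
const BUST_AT_MS = 9000;
const every500 = (from, to) => {
  const out = [];
  for (let t = from; t <= to; t += 500) out.push(t);
  return out;
};
const clients = [
  // Healthy connection, answers every ping.
  { name: 'steady', pongs: every500(500, 9000), disconnectedAt: null },
  // Still connected, but one 3-second lag spike between 1500 ms and 4500 ms.
  { name: 'laggy', pongs: [500, 1000, 1500, ...every500(4500, 9000)], disconnectedAt: null },
  // Really lost the connection at 3000 ms and never answers again.
  { name: 'dropped', pongs: every500(500, 3000), disconnectedAt: 3000 },
];

// Time at which the server would declare the client gone (first silence longer
// than timeoutMs), or null if that never happens before the round ends.
function flaggedAt(pongs, timeoutMs, roundEndMs) {
  let last = 0;
  for (const p of pongs) {
    if (p - last > timeoutMs) return last + timeoutMs;
    last = p;
  }
  return roundEndMs - last > timeoutMs ? last + timeoutMs : null;
}

// Classify every client for a given timeout.
function evaluate(timeoutMs) {
  const result = { falsePositives: 0, caughtInTime: 0, missed: 0 };
  for (const c of clients) {
    const at = flaggedAt(c.pongs, timeoutMs, BUST_AT_MS);
    const reallyGone = c.disconnectedAt !== null;
    if (at !== null && (!reallyGone || at < c.disconnectedAt)) {
      result.falsePositives++; // cashed out a player who was only lagging
    } else if (reallyGone && at !== null) {
      result.caughtInTime++; // detected before the bust
    } else if (reallyGone) {
      result.missed++; // round was over before the timeout fired
    }
  }
  return result;
}

console.log('2s timeout :', evaluate(2000));
console.log('15s timeout:', evaluate(15000));
```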
1040  Economy / Gambling / Re: bustabit.com -- The Social Gambling Game on: December 28, 2016, 03:26:40 PM
I also feel like 10% is a bit of a rough fee. People who invest bitcoin seem to often divest and cashout. Then later they would come and invest again. Maybe it should be changed slightly?

That's also rather intentional, as it is designed to create stable investors. If there's a ~10% entrance fee (which goes to other investors, not me) it makes it more difficult to "day trade" and attract investors who are more willing to weather a storm.

I was also hoping (down the line) to do some stuff that is rather terrible for investors, without worrying about the smart/active ones divesting. Like one thing I was hoping to do is have a periodic "charity hour" where all profits from that hour will go to a charity (that takes bitcoin)  e.g. "Red Cross Charity Hour". And any losses from a charity hour would be carried forward to the next. I think it'd be fun for players, good marketing, help good causes etc. But since during those times investors would have no upside (and only downside) it's nice to incentivize them to not just temporarily divest.

Although I should try to avoid getting too far sidetracked with that, but it's fun to think about =)