If I'm understanding right, here's something that kind of does what you want: https://opendime.com/It's not a very good model for the traditional "cold storage" type system though. |
|
|
|
Paypal is just the beginning. Between man in the middle attacks, fraud, chargebacks, the fact that they prohibit gambling sites in the first place. All bad news.
The website is also running on old buggy/exploitable code. The owner talks like a moron and gets angry. It's nothing but bad. The chances this website becomes big is near zero. Simply not getting scammed almost seems unlikely.
Sure, but you're thinking about it all wrong. Not only do you have to cashout before the game busts, you gotta withdraw before the whole site implodes. So in a way, it's kind of the ultimate version of bustabit.  |
|
|
|
In the past I have considered whether having the same hosting provider, same programming language, etc. is still "single point of failure" in this perspective though. But that is probably being extremely paranoid (and I obv don't know details here anyway.) But sure, on any other invest site (without "audit server") I would withdraw my funds right away now lol. Those bets are pretty sick lol, not the profit itself, but 1.01x the whole time and then the timing of switching to this huge target, damn. But congrats  until otherwise proven I guess. (emphasis mine) I'm not really worried about programming language/environment similarities, on account of the audit server been written in a very popular programming language with zero package dependencies on a pretty standard OS image. The machine is extensively firewire walled of (mainly just DoS concerns). The audit server itself is insanely simple, it just has 3 endpoints which log requests/response to disk. And then I scan the logs with a script I wrote that checks for any form of cheating (e.g. seed reuse, nonces not used in order, seedHash not match etc.) and calculates what the profit is expected to be. The tool to audit the server log is actually a *lot* bigger and complex than the server itself. (Fun fact: Out of extreme paranoia, I've never shared with anyone the code that audits the audit servers log. Just incase I've made a coding error which would mean not identifying a type of cheating or miscalculating expected profits -- it's best if no one can know) I think the bigger concern is perhaps that Daniel and I did decide to host it in the same physical datacenter on account of minimizing latency. That's potentially a weakness, although likely not a huge one. I assume you'd need be something like a state-actor to pull that off (being able to physically walk into the datacenter with guns and badges would probably make the attack a lot more feasible). But if anyone advanced enough to pull off the perfect crime of pillaging a 2-independent server setup like bustadice, doing it for 35 btc like that doesn't make sense. Might as well have made it look less weird, and done it for 1000 btc+. But yeah, in general I agree with you. I'd be like "oh shit, this is looking weird" if the exact same bets happened on bustabit (where there's no audit server). But with bustadice, I'm a bit like *yawn*. (Although I'm in a bit of a unique of not needing to blind-trust anyone). But I think it's a good reminder to investors about how risky bankroll investing is. |
|
|
|
his 2nd 'bigger' bet is so lucky. and then risking everything you earned on the next risky bet doesnt look a thing most people would do. is there a way server seed could have been compromised. is this really 100% for sure just luck?
I've verified the bets, and I can confirm he did indeed win that. Which means either: a) Daniel and I have both been compromised [1] b) He was lucky [1] By "compromised" I mean either "acting dishonestly" or "have been hacked". If I hacked Daniel for instance, that would count as both compromised. (me for being dishonest, Daniel for losing his server seed). But if only 1 of us were compromised, the other one should be seeing the games aren't verifying. I hate to be over-confident (I always feel like I'm jinxing reality), but I'd say there's probably a >99.999% chance that the win is legitimate. |
|
|
|
I need an independent tool for checking hashes. I don’t trust this tool.
I don't trust the tool either actually (because it doesn't run through and verify the terminating hash). So I wrote my own utility: busta-verify.jsconst crypto = require("crypto");
const terminatingHash = '86728f5fc3bd99db94d3cdaf105d67788194e9701bf95d049ad0e1ee3d004277';
const salt = '0000000000000000004d6ec16dafe9d8370958664c1dc422f452892264c59526';
function* genHashChain(hash) {
while (hash !== terminatingHash) {
yield hash;
hash = crypto.createHash('sha256').update(hash).digest('hex');
}
}
function calcGameId(hash) {
let count = 0;
for (const _ of genHashChain(hash)) {
count++;
if (count > 10e6) {
throw new Error("not part of canonical chain?!");
}
}
return count;
}
function gameResult(seed) {
const nBits = 52; // number of most significant bits to use
const hmac = crypto.createHmac("sha256", salt);
hmac.update(Buffer.from(seed, 'hex'));
const r = parseInt(hmac.digest("hex").slice(0, nBits / 4), 16);
let X = r / Math.pow(2, nBits); // uniformly distributed in [0; 1)
X = 99 / (1 - X);
const result = Math.floor(X);
return Math.max(1, result / 100);
}
const seed = process.argv[2];
let gameId = calcGameId(seed);
for (const hash of genHashChain(seed)) {
console.log(`game id ${(gameId--).toString()} \t ${hash} \t ${gameResult(hash).toFixed(2)}x`);
}
And you can run it in the command line like: node busta-verify.js 37e8d5c3f676a597f49055958f93ae6e37a16affae033f47dc093419aefaf82fwhich would output: game id 9 37e8d5c3f676a597f49055958f93ae6e37a16affae033f47dc093419aefaf82f 28.69x
game id 8 3a328fd59bcb7e354025395b340c3f75c69e02f90f1994c79ff08bf196aa5767 1.52x
game id 7 5ae265dbc77ff2e9b6f6aac53437913a2dabcd6e2d45757ee90399c300f237ad 4.40x
game id 6 8c443fb28a49079cc21acc7ede06267edc45338b1640c18d1f571e1d3524f846 4.00x
game id 5 16fb2865a2c0fc828c7e789ee21262a02e88ea1c135b04c3e0e1e4bad6396c90 1.95x
game id 4 a840f5c02904a165d58da467afdfc9a7903cc54aef6f5e75f0c9307f28ed40b6 2.71x
game id 3 6e548074a57b39330de68ab00a2b42377a2d822fb1a7774d502e8bf17b1ec617 1.04x
game id 2 9f60c0b9439f8bdd27adb2053876d9fa36b7e3ca051a0d95114668992f9c1845 7.42x
game id 1 9f57575fd54cd441e962448537e155ace9555df10cd27fa817bbcaf48a59ebcf 15.49x
On a recent game it'll lag for a few seconds, as it needs to keep hashing to verify that it's on the canonical chain. To verify a game match the game id against the hash and bust. Also that outputs all games, so I'd recommend running it through less or head. e.g. node busta-verify.js $HASH | less |
|
|
|
Your description does not begin to give us credit where due! It does not mention the redesign effort and upgrading of outdated code we performed. Additionally it does not factor in our realtime ETH exchange backend or any of the visually obvious design changes that we’ve made.
I don't mean to in any shape-or-form minimize the amount of work you've done. And I can see there's several improvements. You (and your team?) seem like competent developers, and I have no doubt you'll keep improving it. However, it's also kind of beside the point. All your work is built upon code in which you're not following the licensing requirements.
Fair to who? Us getting the license certainly does not benefit crash players. At best, it would give Daniel some pocket change. It does not seem “fair” to a startup to be forced to either pay for a license or Open Source their competitive edge (in a sea of commoditized v1 clones). Hence we are sticking to our guns.
As you know, the code was made available on the condition that you contribute back either monetarily (via paying a 1 time fee) or via making your changes also open-source, to potentially benefit everyone else who is interested. Frankly its a shame that the only people who think it is “unfair” to use the open-source code are other game operators that have cloned v1 BaB (or in your case made BaB v1). Much like George RR Martin wouldn’t be ecstatic at you downloading GOT, I’m sure you and the other license holders aren’t ecstatic about us not buying it.
It really makes absolutely zero difference to me what you do. I'm just posting my opinion here as someone linked me to this thread and asked me what I thought, and I figured it'd make the most sense to me just being public with my thoughts. Still to come out here and publicly claim we are untrustworthy (even tho we never did any wrong to our players), seems more “unfair” to me.
I wouldn't say that you are untrustworthy as much as I'd that I'd never trust your operation. (Or maybe that's the what untrustworthy means? But still, it feels like too strong a word). Of course everyone needs to make up their own mind. To be perfectly honest, the reason that I wouldn't trust you isn't so much about the piracy/copyright infringement, it's more just how you're handling it. I just don't for the life of me understand why you'd let this whole thing tarnish your brand. And a brand that doesn't mind being tarnished, is one I'm scared of. Actually not very long ago (a couple months, at most?) there was a much bigger site (betking) that also violated the license and then pulled the "we modified it, so we shouldn't have to pay or open-source it". I too left them negative trust over it, as I reasoned that it's kind of ridiculous to trust a site that is happy marring it's reputation so easily (also their lying about it wasn't really inspiring). Then a week or so later, they decided to scam all their investors. Now I'm not trying to imply you'll do the same, but I just don't trust brands that don't fight hard to have a squeaky clean image. Saying things like this “does not give me much optimism for your future” and we are “tarnishing our brand” just seems like blatant attacks on our character, rather than our actions as game operators. Still you’re entitled to your opinion. We will continue to build trust in our community one feature/one day at a time. I’m sure consistency over time will benefit us!
I think you misunderstand what a character attack is. I believe I've only criticized your actions on account that's all I know of you. Violating the license is an action as a game operator! (Unless you've internalized this so much, it's now part of your character?! :S) Despite this, I harbor you no will-ill and hope you go on to surprise me and build a successful business. P.S. you build trust via how you act in situations like this, not in how much development or features you make. P.P.S. why do you think it'll lower your competitive advantage in releasing your changes? bustabit built a multi-million dollar business on totally open-source code. A site is made up of a lot more than its source code. Actually the only reason I stopped publishing the source as open-source was for anti-DOS reasons. I was getting attacked by a bunch of people I pissed off on bitcointalk (lol...) and they kept reading my changes and the source code to better learn how to DoS the site. From a competitive point of view, I'm really not sure it matters. |
|
|
|
Looking at the minified code, it's pretty clearly based on the bustabit source code. And it doesn't seem to be in question: To your point on open sourcing our code. Given all the modifications we made, open sourcing our code will open us to potential software exploits and make us less competitive against those that just copied BaB v1.
and looking at your game-engine in chromes debugger and all the state is largely the same. You're using the same anti-lag algorithm and axis-rendering algorithm. Looking at the network protocol, it's exactly the same as v1. Your code happens to have some of the exact same design errors that bustabit v1 had (which was fixed in v2) and your server exhibits the same timing as the unoptimized v1 server (.e.g. v1 opensource, not running the kungfuck branch). It's also undeniable that the text (e.g. FAQ) and code used to be a direct copy as well. I don't think you're acting fairly by taking commercial software, making a bunch of improvements (well done!) and not contributing them back like the license requires (nor paying for a commercial license, that doesn't have that restriction). And the fact you're willing to tarnish your brand to avoid following one of the most reasonable commercial software licensing program that I'm aware of, doesn't give me much optimism for your future. |
|
|
|
This seems like a pretty dishonest take. Honestly you should've just went with: "we are against copyright law, it's bullshit and we have no intentions of following it" and that's a stance I could at least respect. Should all implementations of the graph game be forced to conform to BaB's standards? Nice misdirection. Clearly no one actually thinks, implied or said that. It's just that if you're going to directly copy the bustabit source code you need to comply with the license. And the license is exceedingly reasonably, if you don't want to pay all you need to do is keep the entire code under AGPLv3. Or you can pay if you want to keep it private. I don't think you'll find any other commercial software that is more reasonable than that. And to those that believe that licensing is the only path to legitimacy, here is a recent counterexample -- a not-so favorable “licensed” site by the name of CrashDoge (and more). That's not a counter-example? That just shows buying a license doesn't stop you being dishonest. But no one claimed so. In most places you need a license to buy a gun. If someone with a licensed gun misuses it, that doesn't give you permission to have a gun without a license. Well, when we were notified about landing on license.txt, we contacted Daniel (BaB's current operator). And unfortunately we couldn’t come to an agreement that Moon3D was sufficiently different. Reminds me of what recently happened: I was trying to buy this guys (no longer manufactured) 2-speed internal bicycle hub. I really wanted it, so I offered him a couple hundred dollars (way more than it's worth, really) but he refused to go lower than $1000. We didn't come to an agreement, so I walked away and he kept his stupid hub. Generally that's what happens when you can't come to an agreement. If you're not willing to buy the code, you should've done your own clean-room implementation or comply with the AGPLv3 license. But honestly, I just don't get the point of pirating code like this. It seems you fundamentally misunderstand how the industry work. The number #1 thing players care about is playing somewhere trustworthy. There's not even a close 2nd to that. You'll never be able to build a trustworthy brand when it's clouded in, and founded by software piracy. If you don't have the money for a license, just keep your changes under AGPLv3 too. It's only fair. I understand you've never scammed anyone, and I don't really think piracy is that big of a deal (I just downloaded a pirate copy of the last episode of GoT, and sure as hell glad I didn't pay for 40 minutes of people exchange greetings...) but I'd strongly distrust your brand and encourage other people to do so too. Why? Because bitcoin is pretty much the wild-west, and the only realistic recourse people have if they feel they've been mistreated is trying to raise it to the publics attention. A brand with a squeaky clean image is going to bend over backwards to maintain that (e.g. I once badly mishandled and bungled someone's support ticket, so I gave them a bitcoin in compensation to make sure they came out of that happy) while a brand mired in controversy, a customers avenue of recourse is approximately 0. Good luck with your project! |
|
|
|
https://bitroll.io/games/crashesSeeking some clarity please. Is this website using Crash software that is not owned by Bustabit team? Or is it using a licenced or unlicensed version of Crash code owned by Bustabit team? From a quick look, it looks like an independent implementation of the bustabit game -- so they'd have no need to buy a license (you only need a license if you're using the actual bustabit code). |
|
|
|
Lets hope this wasn't another attack like the one that happened because it would be really sad to see bustabit keep getting attacked and attacked until the bankroll and investors money get emptied.
I don't really get what you mean. Investors have been doing great (I know, I'm one). Looking at a chart, the recent events: March 21 investors lost 126 btc (which Daniel then fully comp'd back a few days later), March 27: Investors made 117 btc. April 3rd: Investors lost 84 btc. For any reasonable time frame, investors have been doing very well. But if a 153 btc loss is concerning, remember that it's only 2.4% of the (virtual) bankroll, it's actually a pretty tiny loss. It easily could one day be x10 that. So if that's troubling, then it means you should probably lower your investment (or offsite). Can the OP explain this? Sounds like a little bit shady. I'm not giving an accusation bustabit because it has a good reputation in this forum but I think we need explanation regarding this matter.
What makes it shady? There's a big "Delete account" option in the settings. I'm not a lawyer, but I think it's existence is a requirement for GDPR compliance, and it's not surprise someone who just made a big win wants to keep it on the down-low. |
|
|
|
i just visit bustabit and i want to see his profile but i got "No account with this user name exists"
bustabit allows you to delete your account, which seems to be popular with people who win or lose a lot. So i presume after he withdrew his winnings he deleted his account. (Kind of annoying for the rest of us who'd like to look at the games though) |
|
|
|
to try it out I just paid .5 btc in dilute fees, total onsite and offsite bankroll (and my bankroll) increased by my investment amount excluding the fees (exactly till .001 btc correct), where did my fees go if they didn't go to the investors?
Since you PM'd me this (although the correct person would've been "devans"), and posted it here -- I'll just answer it here in case it's useful to anyone else =) So let's define some symbols: A = onsite amount you are investing B = offsite amount you are investing C = dilution fee So your question is "Why did the bankroll go up by A+B and not A+B+C?" and the answer to that is simple: your account balance was only decreased by A (and *not* A+C). In other words, A is before fees, and not after fees. So the dilution fee did indeed go into the bankroll (some of which would've flowed back to you) |
|
|
|
After you reinvest with the dilution credits, it seems that there is a display bug that shows that you have more dilution fee credits than you actually have.
Confirming this happened to me too. (fixed by a refresh) |
|
|
|
|
What you're thinking about is 3-of-3, where you need all 3 of 3 keys to authorize a transfer. The only benefit to that over a normal (1-of-1) wallet, would be that you can easily do secret-sharing (e.g. your original plan of storing diff keys in diff spots). But I'd strongly recommend against it, as it sounds a lot like you just want 2-of-3...
|
|
|
|
n-of-m means "You need n keys of the total m keys to authorize a transfer". Exactly. So say i keep one key in each site and my house burns down with my computer and paper backup of key 1. I buy a new house and a new computer, install Electrum and need to provide.... 3 keys, which I don't have anymore?
No. Say your house burns down, then you use the other 2 keys to transfer money. When ever sending a payment, you only need 2 of the 3 keys. Initialization only happens once, when you create the original wallets. What would be my approach to move the coins to a new wallet when I only have two keys left to enter?
2-of-3 means you can transfer funds using 2 of the 3 created keys. You'd probably create a *new* 2-of-3 wallet, and then transfer to it. |
|
|
|
|
2-of-3 means you need 2 of the 3 to authorize a spend. So your scheme is functionally ~equivalent to just a normal bitcoin storage. Each "site" contains 2 of the 3 keys that would be required to authorize a transaction. Only during the initialization setup are you required to provide information about all 3.
Doing what you're trying to do is simpler than what you're doing: create a 2-of-3 wallet, and keep 1 key in each location
|
|
|
|
I have just paid the reimbursements to all affected bankroll investors and the same amount of dilution fee credits. If you were online when I paid the reimbursements you may have to refresh the page before your correct account balance is shown.
Sweet! Thanks! (BTW for anyone who doesn't know what "dilution fee credits" are, it simply means you can put that money back into the bankroll without needing to pay any dilution fee) |
|
|
|
Like we have https://www.blockchain.com/api or https://block.io/api/ for on chain transactions, do we have something similar for Lightning Network? To be specific, I am looking for the following functions through Lightning API... - generating a Lightning address - getting a callback while receiving a Lightning transaction - creating & broadcasting a Lightning transaction I think this is actually all possible using BlueWallet's LndHub. You could make API requests to their server, or host your own. |
|
|
|
|
Show Posts
