Bitcoin Forum
March 28, 2024, 10:30:47 PM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
  Home Help Search Login Register More  
  Show Posts
Pages: « 1 [2] 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 ... 121 »
21  Alternate cryptocurrencies / Speculation (Altcoins) / Re: [XMR] Monero Speculation on: February 22, 2017, 11:07:43 PM
Im still waitinf for monero to increase so i cna sold this coin of mine i really want to change another coins and try to grab some opportunity and try making profit to other coin where i can get or assured profits.

Well you're in luck! I had a meeting with my spiritual advisor this evening, and after throwing the bones and looking into her crystal glass she confirmed that Monero will increase on March 7th at 3:14pm UTC.

They did mention that they were talking about the block limit increasing, but hey, you asked about an increase.
22  Alternate cryptocurrencies / Speculation (Altcoins) / Re: [XMR] Monero Speculation on: February 22, 2017, 10:56:49 PM
Considering I'm doing quite well with my 'investment' I fail to see how I was scammed. Must be some weird logic that makes sense to Monero fanboys I suppose.

Good luck with your 'investment' too

There are a ton of people that made money on OneCoin too...
23  Economy / Gambling / Re: Monero dice seed hacked? on: October 19, 2016, 07:01:12 PM
We already have a replayable log (that's the point of the MySQL log after all), but we couldn't rewind the entire system. Consider, for instance, a new user that created an account and deposited funds. If we roll the system state back we would have to manually allocate all of those and manually recreate the users. And, too, consider the exact issue we've got above, where a user divested and withdrew - how do you roll that back? You can't, so you have to move forward with the system in the current state.

::sigh::

That's not what a replayable log is, at all. A replayable log is logging all the individual events (e.g. bets, investments and divestments), in such a way that if you found a mistake had occurred (or in this case, fraud) you could fix the mistake (in this case, delete the bets) then replay everything so the investors balance is exactly is if the fraud never occurred in the first place.

It's actually just a good practice to be in, when ever I mutate state I *always* store the cause of it. (e.g. if someone transfers money, I log an event of the transfer. If someone claims the faucet, I store the details of that, if someone invests I store a record of it (and things like how much the bankroll was before they invested) etc).

And probably the other mistake people make, is over-constraining their database to not allow negative values. e.g. While a user balance never should be negative, the system should support it as cases like this might cause some accounts to legitimately be negative (them withdrawing gains they shouldn't have) or even deposits reverting after a blockchain reorg etc.

It's great for a disaster recovery situation like this, and it's great from an audibility perspective

Exactly, see http://martinfowler.com/eaaDev/EventSourcing.html

Note that even if you don't follow strict event sourcing best practices you should still have a log of everything anyway so that you can replay, just takes more effort. Surely each bet/invest/divest actoin must have a timestamp on his MySql rows?


Guys, you don't know our system design, you don't know our architecture. Even if you did, you can't possibly have all the facts of the matter. The continuous string of commentary is entirely pointless - the decision is not going to be made again, we've already moved past it.

And yes, we have timestamped logs for every single action, every single bet, every single investor credit, every single investor debit.
24  Economy / Gambling / Re: Monero dice seed hacked? on: October 19, 2016, 10:10:27 AM
Fluffy I agree with a lot of what Nico has said. I would like a refund because I do believe I should have received one, but I do not want the refund if you believe it to be out of charity. I want it because you believe its the right thing to do. If you change your mind could you credit it to  my account.

We're always open to discussing things like this, and finding an amicable solution for everyone. That's why we have an email address that you can use. Having a messy ideological discussion on troll central is not a fantastic way to achieve that, especially given that we *are* responsive to support emails.
25  Economy / Gambling / Re: Monero dice seed hacked? on: October 19, 2016, 10:08:15 AM
What? Let's say the cheater would have won 50% of the BR, I divested to cut losses, and cheater continues to win rest of BR. Then yes, indeed, I would only have a 50% loss, while others would have a 100% loss. That's exactly right and that's why someone should divest/withdraw when he sees the site is hacked. I don't see why that investor with 50% loss would owe anything to the other investors?

So you're of the position that other investors, who may be asleep due to timezones, should just suffer the 100% loss? So in that event the investor is just "lucky", and the rest are "unlucky"?

And yet in the reverse all investors should be "lucky"?

How do you not see the disconnect here?

I am honestly surprised about the replies here. I have been following your site for months and had a pretty high opinion of it since you are a trusted XMR developer.

lol sure, that's why we're listed on DiceSites, right? Don't patronise me.
26  Economy / Gambling / Re: Monero dice seed hacked? on: October 19, 2016, 08:11:58 AM
I think he is lucky only. how hack seed? it's impossible.

We found the bug he exploited that leaked the seed, and we've subsequently patched it.
27  Economy / Gambling / Re: Monero dice seed hacked? on: October 19, 2016, 07:52:39 AM
I understand the risk is on the investors too and the situation would have been different if the cheater managed to withdraw all the money.

But the cheater didn't get any of it, so if you do rewind the cheater's bets, it seems very obvious that you should refund to the affected investors. To suggest otherwise seems ridiculous to me. And to give free money to people who invested after the whole situation seems even more crazy.

We made a decision on how to handle it at the time, under pressure, to the best of our ability. You are welcome to disagree with that decision, but unless you're in that scenario running your own site your opinion is largely meaningless. It's easy to look at it after the fact and go "well I would have done X" - I can think of any one of 30 different ways we could have handled things.

That seems like a normal thing to do. If I see a site is hacked, obviously my first reaction is to withdraw my own money. You must be pretty stupid to not immediately make sure your left-over money is safe.

So then you cut your losses and you get out, the end. There is no coming back later on to try reclaim imagined profit.

Perhaps a comparison will help: let's say that you have 10 BTC in Poloniex. You hear that Poloniex isn't processing BTC withdrawals, along with panic that they're hacked, and use your BTC to buy a bunch of WaffleCoin and withdraw it. You sell your WaffleCoin on ShapeShift, but now the market's tanked and you end up with 9 BTC. Later that day Poloniex put out a statement apologising for the issues and stating that they're now fixed. Would you insist that they roll the trades back? What about the shorters that took profit from you?

Or what if you invested in a startup, and then when it looked like things were going south you sold your investment at a loss. Two years later the startup is a huge, successful company. Do you insist on taking profit from the growth because you *used to be* an investor?

You shouldn't roll the whole database back, you should look which investors got affected by the cheater and how much they lost. In theory just the rolls and invest/divest information, should be sufficient. I understand it's technically tricky and needs some custom script to calculate, but that seems like the only fair way.

EG: you have the invested amounts of the current investors. Loop all events (= all bets + divests/invests) from latest to start of cheater. First event is probably some real bet after the cheater, recalculate what the invested amounts where before that bet. Second event same. If event is a invest/divest, adjust invested amounts too. Then when you reach the last bet of cheater, you should have all the info of which investors were invested at that time including the amount. Separately save how much they lost (or gained) in that cheater's bet. Continue loop and if the event is a cheater's bet, do the same. All till you are back to the first cheater's bet. IMO after this, you should have a list of investors with specific amounts of how much they lost? Reimburse those amounts to the investors.

We thought about this, but we decided that it would be too dangerous for us to spend days and weeks trying to build a magical "undo" script, completely wrecking any auditability, and potentially ending up with a screwed up data set at the end.

BillyBurns already made a loss from the cheater? So if you decided the losses were on the investors, nothing would have changed? He wouldn't need to deposit - he is already in loss.

edit: TBH I am not sure how many investors actually divested like BillyBurns. If he is the only one, things are probably more easy :x But just the mindset of refunding the investors who actually lost money seems important to me.

With all respect to the affected investor, he took his $100 loss and walked away. He didn't contact us, he didn't ask for input on how we were going to handle things. He just assumed that it was the end, and he would have been the *only* investor to get out with his money had we not had safeguards and had the attacker been able to actually drain the wallet. What would have happened then?

You stated at the outset that you understand that the situation would have been different had the attacker managed to withdraw, but you're not actually following that thought through. Had that played out we'd have a total loss on the part of all the investors, and one investor who only incurred a $100 loss, and you can bet that investor wouldn't volunteer to divvy up his remaining funds among the affected investors.

Ultimately you're asking us to take up a morally hazardous position. What happens when someone "accidentally" places a large bet and loses? Should we undo their bet, and take the profits from the investors? An investor that divests and withdraws is no longer part of the bankroll. They bailed out with a profit or with a loss, and that's the end of that.

Nevertheless, I've already offered to send $100 to the affected investor, so I'm not sure what more you expect?
28  Economy / Gambling / Re: Monero dice seed hacked? on: October 19, 2016, 06:01:02 AM
I lost? I was invested in the roll for the entirety of that guys bets he did not make 1 bet that I wasn't apart of( From all the ones I pasted) the other 30k he won that I didn't see I may or not have been but we should be able to know since I know nearly what % of the roll i had invested before I deposited 20 hours ago. I'm not some dude trying to scam you if you look in the crypto-games thread, the support sent me a extra 81 ether 2 days ago  in 1 of my withdrawals and I sent it back.

How can you claim no investors lost when, I deposited 32 Xmr and 20 hours later my Xmr is worth 15 Xmr...... I only divested and cashed out because it was evident to me he was cheating after I looked at those rolls and I somehow get punished for alerting you guys and acting in a intelligent way. I'm assuming I alerted you since I posted in chat my suspicion, then emailed support with a title Seed been hacked. Then pmed Nico with my suspicion, then I requested a withdrawal that was sent while there were no indicators of anyone aware of the hacker other than the hacker and I, also I didn't see his rolls happening, I just opened a tab saw all those bets, no bets were made after I had noticed the seed was compromised.

If all his wins were re-added to the bankroll then my funds would have been re-added to the bankroll because he did in fact win my Xmr...  So since I can verify he did in fact win my Xmr and I can verify you guys did in fact add his wins back to the bankroll where does the extra Xmr he wins that were originally my investment end up?

His wins weren't re-added to the bankroll based on the prior state, they were re-added based on the state of the system at the time we were re-adding it. The state of your part of the bankroll at that time was 0, so you don't benefit from that.

Let me put it differently: you saw the errant bets and you divested and withdrew your money, in a panic and at a loss. What if the attacker had gotten away with his withdrawals, and we had to socialise the loss? Would you deposit your money back in to participate in that?

In a situation like this you, as a participant in the bankroll, have your funds invested at risk. Everyone takes the same risk, and gets the same reward. If you try and circumvent a scenario you are effectively cutting your losses, come what may, and it isn't reasonable to turn around afterwards and expect an outcome that is any different.

Look, if the $100 you lost in this scenario is completely untenable then we'll personally send you 15 XMR from the site profits.

I'd be interested in this aswell, how did you determine which investor got which part of the secured funds back once you rolledback the clearly compromised bets?

Based on the investor roll at the time of the distribution out. Because there had been users created and withdrawals / deposits processed in the meantime, we couldn't simply roll the database back.

I think probably it is added back to the investors at the time of adding back. So if someone divested, he won't get anything, but if someone invested, he would get a share of the added back amount Huh

Yep exactly; there wasn't any other way to do that that wouldn't have added insane amounts of complexity to the process, and potentially left the data in an extremely broken state.

Yeah, that's how it sounds like. Actually when I designed the moneypot investment system, what I did was create a repayable log of all the investment/divestment/bet events for in a nightmare situation like this (or software bug) it could be replayed so investors wouldn't have made/lost money from the changes in the bankroll when a fake better (or software bug) was playing.

The situation is probably a big mess now, as some investors have lost more than they should've and others made more than they should've. And it's probably pretty likely the ones who unfairly made money have already withdrawn (?) or at the very least, will be unhappy if their balance gets put to the correct amount

We already have a replayable log (that's the point of the MySQL log after all), but we couldn't rewind the entire system. Consider, for instance, a new user that created an account and deposited funds. If we roll the system state back we would have to manually allocate all of those and manually recreate the users. And, too, consider the exact issue we've got above, where a user divested and withdrew - how do you roll that back? You can't, so you have to move forward with the system in the current state.
29  Economy / Gambling / Re: Monero dice seed hacked? on: October 18, 2016, 10:19:13 PM
Your seed was someway hacked, some investor was losing a lot because of this ( and it is your fault just to state clearly how I see it) and tried to limit their losses.

Basically now they are the only one who suffered a loss because you have that great security measure for which you manually process every withdrawal.

From an external point of view it's kind of ridicolous... but if I was an investor I would be very disappointed.

It could be seen also as an inside job to keep some of investors money... but Am just putting it here as a provocation and not something I really think.

Nobody lost any money, you're confused.
30  Economy / Gambling / Re: Monero dice seed hacked? on: October 18, 2016, 06:55:52 PM
Fluffy I see the site bankroll went back up from 60k to 140k now... but I see people betting currently but my account still has taken the massive losses from that player.

You don't have any invested in the bankroll? Is your investment on another account?

I divested and withdrawal what was left right after I saw his rolls.

-16.660736590630 Xmr, ( Don't know if all loses were from him but I assume a large portion of it was) I was only invested on site for around 20 hours before I divested.

Deposit Hash
c7a2edb767827fb3d32d58150a7cfa3c1d855c83bf7a3e3a134b23abbcd1778a

Withdrawl Hash
c9cf4173c48e773ce85f84b0fb6a3a6e80e7a51a0665cbf00d1783ea20e1ddba

Ah - yeah, then you wouldn't have benefited from things being put right since you weren't part of the bankroll any longer, and didn't even have funds still on the site. In a situation like this we can't really compensate for people who have taken their funds out the site.
31  Economy / Gambling / Re: Monero dice seed hacked? on: October 18, 2016, 05:39:30 PM
Fluffy I see the site bankroll went back up from 60k to 140k now... but I see people betting currently but my account still has taken the massive losses from that player.

You don't have any invested in the bankroll? Is your investment on another account?
32  Economy / Gambling / Re: Monero dice seed hacked? on: October 18, 2016, 02:17:51 PM
Looking at the expected variance is interesting, but obviously some dude who makes profits on a few accounts would be impossible to detect. Since you are publicly accepting investors (and were in loss even before this big winner), I do assume you are looking at logs to figure out if previous accounts potentially cheated? At minimum you could see which accounts accessed that specific API function? I don't think most users use the API. Besides that, potentially IPs/browsers/other info/etc can help to see if its possible someone else might have abused it.



The way this guy was betting, was clearly to show that he could cheat. IMO this could have 2 reasons:

1) "I already stole enough so I will just show you that your site has a vulnerability"
2) "I can cheat on here, but don't want to receive a reward and rather just show it off"

IMO the first reason seems more likely. It is exactly what HufflePuff (who stole 2000+ BTC) did on PD with account "RobbinHood".



In the end I am personally not an investor and I am not sure how many public investors your site has, but I am obviously just saying this for the investors. If a site like PD (which doesn't accept investments) had this, I wouldn't be bothering Stunna about "previous accounts" or anything.

Yes we're taking a look at the API logs, and correlating it against recent betters. We'll weed out any other accounts he has;)
33  Economy / Gambling / Re: Monero dice seed hacked? on: October 18, 2016, 09:49:09 AM
Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

Do you think it could have been compromised a long time ago? Maybe the hacker got tired of milking it and just went for a big score.

It's entirely possible, but one of the Monero Research Lab wrote a paper (for fun) a year ago establishing a way to analyse whether someone is cheating by determining whether they are massively changing the deviation of the site.

We run this analysis in the back all the time, so if someone was consistently cheating, even if they were using multiple accounts and small amounts, we'd see it show up because the site would (statistically speaking) be far out of the expected variance.

You can read the paper here: https://lab.getmonero.org/pubs/MRL_Monte_Carlo_Edition.pdf
34  Economy / Gambling / Re: Monero dice seed hacked? on: October 18, 2016, 09:33:22 AM
It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too.
Of course patching your own is top priority.


Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.
35  Economy / Gambling / Re: Monero dice seed hacked? on: October 18, 2016, 09:11:47 AM
Looks like they managed to grab the server seed through a leak in the API - we're busy patching it, and will rollback the naughty bets. Thankfully we process every single withdrawal manually, and most of the funds are all locked up in a cold wallet, so no money was lost. It's precisely because of the very high risk of an exploit that we don't let withdrawals process automatically!
36  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [XMR] Monero - A secure, private, untraceable cryptocurrency on: October 11, 2016, 06:25:21 PM
Fluffypony and I both got married on the exact same day (of the exact same year) Shocked. What are the chances?

It shows that we have good taste in dates, and in dates!
37  Alternate cryptocurrencies / Speculation (Altcoins) / Re: [XMR] Monero Speculation on: October 05, 2016, 06:12:43 PM
Quote
XMRdude: fluffypony, so what you assume how long it takes to realease?
fluffypony: XMRdude: not a clue eh

If that is the real fluffypony than: wtf (they were taking about the GUI Wallet)

That was me - it's an open-source project, I have no idea when it will be releasable. It depends on unpaid volunteers chipping away at a sculpture until *they* feel it's ready, all I do is the last little bit, where I wrap the sculpture in bubble wrap and send it out to the world.
38  Alternate cryptocurrencies / Speculation (Altcoins) / Re: [XMR] Monero Speculation on: October 05, 2016, 06:02:29 PM
Thought about this ?


https://cointelegraph.com/news/monero-loses-darknet-market-in-apparent-exit-scam

"“Everyone is looking at the 150 BTC Oasis made from their exit scam while in fact Oasis probably made most of their money from their Pump&Dump (tm) game they pulled of with their Monero stunt."

"Previously hacked MyMonero web wallet unresponsive

The web wallet for Monero, MyMonero run by famed XMR developer FluffyPony, has been unresponsive for several days, according to several users on Reddit. Users reportedly were unable to withdraw funds and have contacted support days ago, with no response. Users are still able to import private keys to another wallet to secure their funds."



That fluffypony guy, always being unresponsive!
39  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [PRE-ANN] Monero Qt GUI, cross platform full XMR node. on: September 22, 2016, 09:28:28 PM
I wanted to make pool, i wanted to buy domain, now i don`t  Grin There was not a problem to reach seller. But i  will move y pool out of monero.org domain.

Oh good, so we're in agreement that you don't "need" 10k XMR.


I didn't know about years of your work, but Qt may be not your strong side. I am not open-souce developer. I am not asking for "pay first deliver code later" manner. The only thing i asked is to start new fundraising for new Qt wallet.  
This was not a very hard work for me to add monero changes to cryptonotewallet Qt wallet, but it took some non-stop 24 hours of coding and understanding.
I wonder why you still call me a scammer. You have an official fundraising for Monero related projects, moreover you have an official fundraising for Monero GUI.
I asked to add my GUI wallet for fundraising, you answered with LOL. Rude and unpolite guy. After i uploaded proof video with compilled and working wallet (hardfork passed, wallet synced now) you have seen what happen. I don't know what to do and what to think about it.
I

I can't decipher everything you've written here, but there is one thing I understood: you're wanting to get paid for "non-stop 24 hours of coding and understanding". Ok, let's start there.

Johnny_Mnemonic suggested you price it at the same USD value as the Qt GUI fundraiser, which puts it at 700 XMR at today's prices (29.17 XMR per hour if you literally spent 24 hours on this). This is in-line with moneromooo's per-hour price at his first fundraiser, and moneromooo has done more for Monero's development than you could ever do.

I think that 700 XMR is a fair goal, and I am willing to help you create you a Forum Funding System proposal to raise 700 XMR.
40  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [PRE-ANN] Monero Qt GUI, cross platform full XMR node. on: September 22, 2016, 08:39:13 PM
I can show source code to trusted dev, this is not a problem if only he will promise me in public that he will not release the same wallet after observing source code.
One again, my intentions are clear i want to provide good GUI wallet and receive developer donations, because i can see 14000 XMR funding for GUI wallet that is another RPC thing.
https://forum.getmonero.org/9/work-in-progress/2476/the-official-qt-gui-project

1. The 14k was liquidated into fiat immediately because Ilya's payments are denominated in fiat currency
2. It's not "another RPC thing", Ilya has written an API he hooks into from scratch: https://github.com/monero-project/monero/tree/master/src/wallet/api

Beyond that, this entire story, the domain sale, you being the only person able to communicate with the domain owner, etc. is all so insanely fishy that I can't believe it to be anything but a setup or a scam. If you're genuinely just a developer who is so good that they managed to do all this work in a few days then the onus is on you to prove it.

You forget that we've worked on this for 2.5 years, and many of the contributors and developers and Core Team members who have worked unpaid on it have a stash that is smaller than 10k XMR. Coming in here and demanding that amount of money for a few days work is simply insulting to the people that have made Monero what it is.

In addition to that, open-source development never works in a "pay first deliver code later" manner. If you want to get paid then release the code, and raise funds afterwards, like every single other FOSS project out there. As it stands right now you are nothing more than a common scammer trying to leach off the community in deference to the people who have actually brought Monero to the point it is at today.
Pages: « 1 [2] 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 ... 121 »
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!