comments

[usagi]

comments

[LuaKT]

Apparently I have a temporary ban for creating too many accounts.

[payb.tc]

https://199.48.69.241/hotwallet/devicoin.php

Announcing Devil Coins!

appropriate name, since my entire screen fills with red when I click your link

[willphase]

11   Pirate's Revenge   x 0.0

how ironic

Will

[Bitcoin Oz]

Can you tell us who the people/developers are behind hotwallet ?

Are they insured by CPA 

[qwertyqwerty]

New game! New game!

Play Now --> Dragon Dice (Official Website)

What do you guys think? Any guess as to what house odds are on this?

DRAGON DICE
Payout Table

Roll	Event	Payout
2	Troll Treasure	x 3.0
3	Orc Beath	x 0.5
4	Pirate's Peeve (Why is the Rum Always Gone?)	x 0.0
5	The Silver Star	x 1.5
6	Kobold Ambush!	x 0.0
7	Roll Again!	+roll
8	Goblin's Gold	x 1.1
9	Skeleton Attack!	x 0.5
10	King's Crown	x 1.7
11	Pirate's Revenge	x 0.0
12	Dragon Dice	x 7.0

Current stats for Bitcoin Betting:
Pot: 0.0235
Total Bets: 0.022
Paid Out: 0.0279
Win Ratio: 126.82% (est.)

Current stats for Litecoin Betting:
Pot: 0.65
Total Bets: 0.6
Paid Out: 0.67
Win Ratio: 111.67% (est.)

Did I calculate the stats right? How should I calculate house odds? Thanks.

Assuming balanced die

Solving
x=.0278*3+.0556*0.5+.0833*0+.1111*1.5+.1389*0+.1667*x+.1389*1.1+.1111*.5+.0833*1.7+.0556*0+.0278*7
x=0.98691948

Payout=98.6%
House Edge=1.4%

[exdirrk]

New game! New game!

Play Now --> Dragon Dice (Official Website)

What do you guys think? Any guess as to what house odds are on this?

DRAGON DICE
Payout Table

Roll	Event	Payout
2	Troll Treasure	x 3.0
3	Orc Beath	x 0.5
4	Pirate's Peeve (Why is the Rum Always Gone?)	x 0.0
5	The Silver Star	x 1.5
6	Kobold Ambush!	x 0.0
7	Roll Again!	+roll
8	Goblin's Gold	x 1.1
9	Skeleton Attack!	x 0.5
10	King's Crown	x 1.7
11	Pirate's Revenge	x 0.0
12	Dragon Dice	x 7.0

Current stats for Bitcoin Betting:
Pot: 0.0235
Total Bets: 0.022
Paid Out: 0.0279
Win Ratio: 126.82% (est.)

Current stats for Litecoin Betting:
Pot: 0.65
Total Bets: 0.6
Paid Out: 0.67
Win Ratio: 111.67% (est.)

Did I calculate the stats right? How should I calculate house odds? Thanks.

Assuming balanced die

Solving
x=.0278*3+.0556*0.5+.0833*0+.1111*1.5+.1389*0+.1667*x+.1389*1.1+.1111*.5+.0833*1.7+.0556*0+.0278*7
x=0.98691948

Payout=98.6%
House Edge=1.4%

Get out of here with that math.

[phantastisch]

The Balance updates to what you have won or lost before you see the dice roll.

And i would suggest getting a real domain for Hotwallet in General , even a college student like myself can afford one.

[phantastisch]

And now i lost in an Error 0.3 LTC , Fatal error: Call to undefined function hwlog() in /var/www/hotwallet/dragondice/play.php on line 245 .

[phantastisch]

And now i lost in an Error 0.3 LTC , Fatal error: Call to undefined function hwlog() in /var/www/hotwallet/dragondice/play.php on line 245 .

I just put that in because I'm going to show the results of the last 10 games. it only logs once the winnings have been calculated but before the page loads; you probably rolled Pirate's Revenge or something. Sorry!

If it means anything, even though this was not actually an error that caused you to lose coins, I will transfer some of my personal litecoins to you to cover the loss. Please PM me your account number and I'll send you some litecoins to ease the pain.

Thanks for using hotwallet!

Nah, I'm good I won 2,5 LTC already but got greedy and lost them again :-p No need to replace.

The Balance updates to what you have won or lost before you see the dice roll.

And i would suggest getting a real domain for Hotwallet in General , even a college student like myself can afford one.

Balance issue will be fixed soon. I know about it, just lazy :p

The thing about the domain name is, I can't think of a good domain name o_o

Any suggestions?

Why not stick with Hotwallet ? Whats wrong with that?

[dooglus]

What do you guys think? Any guess as to what house odds are on this?

DRAGON DICE
Payout Table

Roll	Event	Payout
2	Troll Treasure	x 3.0
3	Orc Beath	x 0.5
4	Pirate's Peeve (Why is the Rum Always Gone?)	x 0.0
5	The Silver Star	x 1.5
6	Kobold Ambush!	x 0.0
7	Roll Again!	+roll
8	Goblin's Gold	x 1.1
9	Skeleton Attack!	x 0.5
10	King's Crown	x 1.7
11	Pirate's Revenge	x 0.0
12	Dragon Dice	x 7.0

Did I calculate the stats right? How should I calculate house odds? Thanks.

Assuming you're rolling 2 dice and summing them, the house pays out x BTC per BTC bet, where:

x = (3.0*1 + 0.5*2 + 0.0*3 + 1.5*4 + 0.0*5 + x*6 + 1.1*5 + 0.5*4 + 1.7*3 + 0.0*2 + 7.0*1) / 36
36x = (3.0*1 + 0.5*2 + 0.0*3 + 1.5*4 + 0.0*5 + 6x + 1.1*5 + 0.5*4 + 1.7*3 + 0.0*2 + 7.0*1)
30x = (3.0*1 + 0.5*2 + 0.0*3 + 1.5*4 + 0.0*5 + 1.1*5 + 0.5*4 + 1.7*3 + 0.0*2 + 7.0*1)
x = (3.0*1 + 0.5*2 + 0.0*3 + 1.5*4 + 0.0*5 + 1.1*5 + 0.5*4 + 1.7*3 + 0.0*2 + 7.0*1) / 30
x = 0.9866666666666667

i.e. exactly 4/3% house edge.

[dooglus]

I clicked one of the big red betting buttons without creating an account and got an ugly error:

Code:

Notice: Undefined index: doghouse in /var/www/hotwallet/dragondice/play.php on line 26 moved to https://199.48.69.241/hotwallet/dragondice/ddice.php

[ErnestoJuarell]

The site seems pretty broken (and unsafe). Why not run on testnet first?

[ErnestoJuarell]

The site seems pretty broken (and unsafe). Why not run on testnet first?

The site doesn't seem broken or unsafe to me. Can you point out a specific error?

If you can't point out a specific error then I don't see why you think it is broken or unsafe, dunno, I use the site myself all the time, so far no coins have been lost.

The main issues at a quick glance are:

• Session hijacking is possible (even with different browser and ip)
  
• No passwords by default (non technical people may not understand that their account is actually open to anyone)
• No https

Small things that raise too many flags for a site that is going to be acting as an ewallet:

• The PW change box shows pw in plaintext and doesn't even check if the 2 pws are the same
• Broken links
• Broken state awareness (tells you to login after u already have)
• directory listings enabled (can be dangerous)
• test scripts laying around (can be dangerous)

Too sloppy/unfinished to trust. Hire some pen testers first before claiming to be secure. It's a lot of responsibility running an ewallet.

[ErnestoJuarell]

The main issues at a quick glance are:

• Session hijacking is possible (even with different browser and ip)
  
• No passwords by default (non technical people may not understand that their account is actually open to anyone)
• No https

Small things that raise too many flags for a site that is going to be acting as an ewallet:

• The PW change box shows pw in plaintext and doesn't even check if the 2 pws are the same
• Broken links
• Broken state awareness (tells you to login after u already have)
• directory listings enabled (can be dangerous)
• test scripts laying around (can be dangerous)

Too sloppy/unfinished to trust. Hire some pen testers first before claiming to be secure. It's a lot of responsibility running an ewallet.

Hi!

Session hijacking is possible in the same way that AES can be cracked so I don't think that's an issue, unless you mean there's some way they can be hijacked "easily". Hmm -- a lot of what you said is simply wrong, for example we've had SSL for almost a week now, there is no broken state awareness (you misclassified the problem, and it was fixed yesterday). This isn't the kind of thing I would exactly call a security hole or a bug anyway. Another odd thing is what you said about the change password box. It does not in fact show your password in plaintext, so I'm not sure why you said that. Second, it does in fact check to see if the passwords are the same or not, so I'm not sure why you said that either. Also test scripts -- not really relevant.

However I must thank you kindly for telling me about directory listings. I wasn't even aware of that until you pointed out, I thought it was turned off by default. Fixed!

You know what, I should make a hall of fame for the people who helped me make hotwallet a better place. Thanks! ^^/

Session hijacking is an issue. Once someone finds a XSS exploit (which are pretty common), they can embed a cookie stealer to get your session (and then bitcoins). It's also an issue because it's easy to protect against (validate the session against the user agent / ip). You could also require that the user has to re-input their pw when making any or large bitcoin transactions. That would make stolen sessions less dangerous.
Test scripts are relevant because they can be very dangerous. Since test scripts aren't meant to be deployed to the public, and because they are usually bare bones hacks, they usually lack security checks. I once found an test image upload script on a website; Since it was a test script, it didn't properly enforce file extensions. This would theoretically let me upload any file I want, include a php shell (which would give me control over the site).

As for the other things, are you sure we are talking about the same site? Can you double check the link you posted? (199.48.69.241 and hotwallet.ca) Those are all still true from my end.