Bitcoin Forum
Topic: crypto-games.net, 30% house edge, bugs and vulnerabilities, screw the investors!
subSTRATA (OP)
July 04, 2015, 01:56:33 AM
 #261

again, i stand that i didnt threaten them at any point.

theres nothing here. message me if you want to put something here.
xetsr
July 04, 2015, 02:00:24 AM
 #262

again, i stand that i didnt threaten them at any point.

Pay me or I sell the exploit , which would only screw investors. Yeah okay, no harm done there  Roll Eyes
subSTRATA (OP)
July 04, 2015, 02:04:18 AM
 #263

again, i stand that i didnt threaten them at any point.

Pay me or I sell the exploit , which would only screw investors. Yeah okay, no harm done there  Roll Eyes

i never demanded payment from them, i only asked that the full sum be agreed to and i did agree that I would disclose the first bug if they agreed, which they did not. the disclosure of the second bug was not up to me as I had no in depth knowledge of it at the time. then the insults began... i never even put the bug to use either. again, youre free to think what you think, but at this point i have no ill intentions to either of the individuals running the site.

well it seems this has quickly turned against me somehow, i agree that xetsr has valid points and that i am at fault for a lapse in judgement, but i did not get anything out of this from either crypto-games or any other third party.

Quickseller
July 04, 2015, 02:05:47 AM
 #264

I can't speak to any specific conversations that either Dooglus or subSTRATA had with this site's owner, or the owner of other sites. However if it were me that had found the exploit, then I would have told them something along the following:

"I have found an issue with your site that others could potentially use to steal from you, I have no intention of disclosing it to anyone other than you, nor do I have any intention of using such exploit personally, although I cannot guarantee that others will not use the same public information to exploit this same issue."

I think the above would pass the test of not being blackmail, while still being reasonably compensated for your time/skills.

The fact is that gambling sites are for-profit entities, and giving advice as to how to prevent yourself from getting robbed when large amounts of money is at stake should not be given for free. These sites should invest in the time/effort to prevent these kinds of exploits from existing in the first place.
Mist
July 04, 2015, 02:08:51 AM
 #265

Yeah, shits fucked on this site. Avoid it like the plague boys Cheesy

thats a rather crude way to put it, but yes, basically that.


this guy needs to get out, like now. 4.66 BTC invested given the current situation.
I'm not here to sugar coat anything. Poorly coded, bad management, and the lack of ability to do math. Recipe for the investors to lose everything. Only reason to stay around here is if you are a player that can abuse the glitches and make some bank.

not saying im trying to sugar coat it, just saying the language was rather crude. but after the shady turn of events, im going to assume that crypto-games.net will not be giving anything for the bug finding(s), and considering the address in OP as a tip address. if dooglus wants to post one too ill gladly edit it into the op, the guy really deserves credit for finding some back-end bugs.
Yeah, I got you. Dooglus really is good at finding bugs and he gets paid from sites regularly for it. I'm sure he wont mind too much though.

Wait, so Dooglus blackmails other sites too? word it anyway you want but this was blackmail, pay my price or I release / sell the exploit that would harm not only the owner but innocent investors who probably didn't know better.

right? Or am I missing something here?
I never said doog blackmails people. The fuck are you leaping on me here for? Sites approach him for it and he helps them out. He also finds them by himself on the side but never blackmails anyone for it.
subSTRATA (OP)
July 04, 2015, 02:09:06 AM
Last edit: July 04, 2015, 02:49:18 AM by subSTRATA
 #266

I can't speak to any specific conversations that either Dooglus or subSTRATA had with this site's owner, or the owner of other sites. However if it were me that had found the exploit, then I would have told them something along the following:

"I have found an issue with your site that others could potentially use to steal from you, I have no intention of disclosing it to anyone other than you, nor do I have any intention of using such exploit personally, although I cannot guarantee that others will not use the same public information to exploit this same issue."

I think the above would pass the test of not being blackmail, while still being reasonably compensated for your time/skills.

The fact is that gambling sites are for-profit entities, and giving advice as to how to prevent yourself from getting robbed when large amounts of money is at stake should not be given for free. These sites should invest in the time/effort to prevent these kinds of exploits from existing in the first place.

something along those lines;


i made it clear there were two bugs in the initial pm sent, and at a later point DCM was suddenly surprised there were two bugs. also i made it clear in the first few pages of the thread that no details would be disclosed except to the site owner.

xetsr
July 04, 2015, 02:09:56 AM
 #267

again, i stand that i didnt threaten them at any point.

Pay me or I sell the exploit , which would only screw investors. Yeah okay, no harm done there  Roll Eyes

i never demanded payment from them, i only asked that the full sum be agreed to and i did agree that I would disclose the first bug if they agreed, which they did not. the disclosure of the second bug was not up to me as I had no in depth knowledge of it at the time. then the insults began... i never even put the bug to use either. again, youre free to think what you think, but at this point i have no ill intentions to either of the individuals running the site.

well it seems this has quickly turned against me somehow, i agree that xetsr has valid points and that i am at fault for a lapse in judgement, but i did not get anything out of this from either crypto-games or any other third party.

You didn't get anything out of this... but what if someone did pay you? This is the point I'm trying to make. if someone offered you what you were asking for, you would have sold them the exploit, right? Like your previous posts suggested.

You were willing to release the exploit for a price at the expense of investors.
xetsr
July 04, 2015, 02:14:39 AM
 #268

I can't speak to any specific conversations that either Dooglus or subSTRATA had with this site's owner, or the owner of other sites. However if it were me that had found the exploit, then I would have told them something along the following:

"I have found an issue with your site that others could potentially use to steal from you, I have no intention of disclosing it to anyone other than you, nor do I have any intention of using such exploit personally, although I cannot guarantee that others will not use the same public information to exploit this same issue."

I think the above would pass the test of not being blackmail, while still being reasonably compensated for your time/skills.

The fact is that gambling sites are for-profit entities, and giving advice as to how to prevent yourself from getting robbed when large amounts of money is at stake should not be given for free. These sites should invest in the time/effort to prevent these kinds of exploits from existing in the first place.

https://bitcointalk.org/index.php?topic=1106133.msg11780169#msg11780169

Quote
the admin of the site seems rather hostile and is trying to rip both me and dooglus off, demanding a lower bounty for the deal, i am entertaining offers in this thread or through pm regarding this. a percentage of this will be paid to dooglus for his help in confirming this issue.

Am I misunderstanding something here?
subSTRATA (OP)
July 04, 2015, 02:15:11 AM
 #269

again, i stand that i didnt threaten them at any point.

Pay me or I sell the exploit , which would only screw investors. Yeah okay, no harm done there  Roll Eyes

i never demanded payment from them, i only asked that the full sum be agreed to and i did agree that I would disclose the first bug if they agreed, which they did not. the disclosure of the second bug was not up to me as I had no in depth knowledge of it at the time. then the insults began... i never even put the bug to use either. again, youre free to think what you think, but at this point i have no ill intentions to either of the individuals running the site.

well it seems this has quickly turned against me somehow, i agree that xetsr has valid points and that i am at fault for a lapse in judgement, but i did not get anything out of this from either crypto-games or any other third party.

You didn't get anything out of this... but what if someone did pay you? This is the point I'm trying to make. if someone offered you what you were asking for, you would have sold them the exploit, right? Like your previous posts suggested.

You were willing to release the exploit for a price at the expense of investors.

cant find it now, but at the point in which the dev/admin mentioned that emails were sent out to investors, is around the time when i learned that there were investors on the site.

ill be quite honest here, i initially noticed the bug when i clicked "max" on the site, and noticed the discrepancy of 6500x and 0.02% win chance. at that point in time, i had no knowledge there was an investment option on the site.


Am I misunderstanding something here?

no you are not, that is my fault and a serious lapse in judgement.

edit: at this point

I am not even sure that I would trust the site to pay out large wins that a +EV strategy would result in. The site is very new, has a tiny bankroll, and is acting very unprofessionally.

big point here; even if they decide to pay out, their decisions in handling this entire matter were questionable at best, announcing their site as the subject of this thread was probably the biggest mistake, this is a lose-lose situation for them now.

Yeah, and it's not only them at risk, but also investor's money.
Them being "confident" is totally going to bring a lot of people down.

Time to take a couple of last looks at the site lol.

great point, after this, their site is dead regardless of the outcome. inviting people to come and dump your bankroll and not even consulting with your investors? that's some special publicity right there.

xetsr
July 04, 2015, 02:19:01 AM
 #270

again, i stand that i didnt threaten them at any point.

Pay me or I sell the exploit , which would only screw investors. Yeah okay, no harm done there  Roll Eyes

i never demanded payment from them, i only asked that the full sum be agreed to and i did agree that I would disclose the first bug if they agreed, which they did not. the disclosure of the second bug was not up to me as I had no in depth knowledge of it at the time. then the insults began... i never even put the bug to use either. again, youre free to think what you think, but at this point i have no ill intentions to either of the individuals running the site.

well it seems this has quickly turned against me somehow, i agree that xetsr has valid points and that i am at fault for a lapse in judgement, but i did not get anything out of this from either crypto-games or any other third party.

You didn't get anything out of this... but what if someone did pay you? This is the point I'm trying to make. if someone offered you what you were asking for, you would have sold them the exploit, right? Like your previous posts suggested.

You were willing to release the exploit for a price at the expense of investors.

cant find it now, but at the point in which the dev/admin mentioned that emails were sent out to investors, is around the time when i learned that there were investors on the site.

ill be quite honest here, i initially noticed the bug when i clicked "max" on the site, and noticed the discrepancy of 6500x and 0.02% win chance. at that point in time, i had no knowledge there was an investment option on the site.


Am I misunderstanding something here?

no you are not, that is my fault and a serious lapse in judgement.

Okay then, glad you realized your mistake and the damage that could have been done if you were to get an offer and proceeded to sell the exploit.

Just so everyone knows, I have nothing to do with the site and I'm not an investor. I'm just wondering why nobody else could see the point I was trying to make. If someone pulled this BS at just-dice (offered to sell an exploit if Dooglus didn't pay up), all the kids over there would go absolutely crazy.

I changed my feedback to neutral since you admitted you made a mistake Smiley
xetsr
July 04, 2015, 02:23:15 AM
 #271

I'm just wondering why nobody else could see the point I was trying to make. If someone pulled this BS at just-dice (offered to sell an exploit if Dooglus didn't pay up), all the kids over there would go absolutely crazy.

I pointed this out earlier, and it was ignored. But probably just because the site admin responded like a raving lunatic, so it's hard to sympathize with him.

I don't sympathize for him at all. He was willing to let investors get screwed too. I do sympathize for the investors though, as I doubt they had any idea on what was going on and were most likely the ones who would get screwed over by this.

Seems people turn a blind eye around here lately when it comes to the more higher ranked members...
Quickseller
July 04, 2015, 02:24:02 AM
 #272

I can't speak to any specific conversations that either Dooglus or subSTRATA had with this site's owner, or the owner of other sites. However if it were me that had found the exploit, then I would have told them something along the following:

"I have found an issue with your site that others could potentially use to steal from you, I have no intention of disclosing it to anyone other than you, nor do I have any intention of using such exploit personally, although I cannot guarantee that others will not use the same public information to exploit this same issue."

I think the above would pass the test of not being blackmail, while still being reasonably compensated for your time/skills.

The fact is that gambling sites are for-profit entities, and giving advice as to how to prevent yourself from getting robbed when large amounts of money is at stake should not be given for free. These sites should invest in the time/effort to prevent these kinds of exploits from existing in the first place.

https://bitcointalk.org/index.php?topic=1106133.msg11780169#msg11780169

Quote
the admin of the site seems rather hostile and is trying to rip both me and dooglus off, demanding a lower bounty for the deal, i am entertaining offers in this thread or through pm regarding this. a percentage of this will be paid to dooglus for his help in confirming this issue.

Am I misunderstanding something here?
I am not saying that the OP did what I suggested should have been done, I am just saying that you can receive a bug/exploit bounty without blackmailing/extorting the owner of the site.

I know that here, the owner of the site said:
Quote
Exploit it please, and earn 1 btc. When you do we are willing to pay you 1.5btc extra to tell us about it. We are tired of this lame scam attempts. We get mails of exploits weekly, but no one proved or steal anything. Only reason why we offered you any amount is because you have others users backing you up.
If something similar was said about selling the exploit, then the OP trying to sell it would be fair game. If something similar was not said, then trying to sell it would not be appropriate.

When it comes to bug reports, there is a very fine line between blackmail and responsible disclosure.
subSTRATA (OP)
July 04, 2015, 02:24:33 AM
 #273

Okay then, glad you realized your mistake and the damage that could have been done if you were to get an offer and proceeded to sell the exploit.

Just so everyone knows, I have nothing to do with the site and I'm not an investor. I'm just wondering why nobody else could see the point I was trying to make. If someone pulled this BS at just-dice (offered to sell an exploit if Dooglus didn't pay up), all the kids over there would go absolutely crazy.

I changed my feedback to neutral since you admitted you made a mistake Smiley

selling it was the first intention with the thread, and later on i opted to take the more moral route and provide the details to the admin, but through the exchange, the frustration in dealing with the admin resulted in my looking to sell it again, and then back to public disclosure of the bug so that it could be fixed. either way, excuses arent accepted, so i wont be making any, the only thing to do is continue the moral path from now on, as it were.

if anything, i hope future dice site owners/dice site script coders can take a page out of this and thoroughly examine their code to prevent anything similar to this happening.

Dogedigital
July 04, 2015, 02:28:42 AM
 #274

So.... I made another video as others didn't believe me and I knew 100% that the next 5000 rolls would result in 0 wins.  I'm uploading the video as we speak.

I also predicted (as you can hear in the video) that if I started a new user account and changed the VPN, that I would hit in about 2-400 rolls which lo and behold, I did.


Again... You tell me that something isn't wrong.  I believe there's tampering going on. 
subSTRATA (OP)
July 04, 2015, 02:31:15 AM
 #275

So.... I made another video as others didn't believe me and I knew 100% that the next 5000 rolls would result in 0 wins.  I'm uploading the video as we speak.

I also predicted (as you can hear in the video) that if I started a new user account and changed the VPN, that I would hit in about 2-400 rolls which lo and behold, I did.


Again... You tell me that something isn't wrong.  I believe there's tampering going on.  

glad to see you followed my suggestion, even more so to see that my suspicion may have been proven true. i said this in the chat before after speculation from a pm conversation, but it may be that your ip/account is blacklisted to skip nonces or something of the sort.

Dogedigital
July 04, 2015, 02:33:21 AM
 #276

So.... I made another video as others didn't believe me and I knew 100% that the next 5000 rolls would result in 0 wins.  I'm uploading the video as we speak.

I also predicted (as you can hear in the video) that if I started a new user account and changed the VPN, that I would hit in about 2-400 rolls which lo and behold, I did.


Again... You tell me that something isn't wrong.  I believe there's tampering going on. 

glad to see you followed my suggestion, hope it gets uploaded faster than the last one.

Youtube is telling me 56 minutes.  I wasn't able to get the new user winning as my computer died from video memory, but I can easily do it under any other account and expect a win within 2-400 rolls.

I recorded it with myself in the video to show that there was no funny business, editing, or magic going on and that it was all in real time with the time stamps proving that there were no re-takes.
subSTRATA (OP)
July 04, 2015, 02:35:58 AM
 #277

Youtube is telling me 56 minutes.  I wasn't able to get the new user winning as my computer died from video memory, but I can easily do it under any other account and expect a win within 2-400 rolls.

I recorded it with myself in the video to show that there was no funny business, editing, or magic going on and that it was all in real time with the time stamps proving that there were no re-takes.

glad to see you followed my suggestion, even more so to see that my suspicion may have been proven true. i said this in the chat before after speculation from a pm conversation, but it may be that your ip/account is blacklisted to skip nonces or something of the sort.

sorry, i have a habit of editing posts immediately after posting them, just wanted to make sure this part was seen regarding the issue here. I wouldnt be surprised if something to enable this function was already implemented in the back end; it doesnt seem right that something like this could be implemented in such a short time frame.

Quickseller
July 04, 2015, 02:36:00 AM
 #278

I think the above would pass the test of not being blackmail, while still being reasonably compensated for your time/skills.

Blackmail? No. Extortion? Absolutely.

It's almost as classic as the "What a nice car you have there. It would be a shame if it got scratched. How about you give me $5 to keep an eye on it"

Edit: As xetsr noted, he even explicitly threatened to sell the exploit

This couldn't be more black and white.

Quote
The fact is that gambling sites are for-profit entities, and giving advice as to how to prevent yourself from getting robbed when large amounts of money is at stake should not be given for free. These sites should invest in the time/effort to prevent these kinds of exploits from existing in the first place.

As a professional security researcher if I ever did what subSTRATA did, the absolute minimum I'd be looking at is immediate dismissal. He is free to offer his services to a site for a fee, but the veiled threats and withholding an exploit. He even goes on to explicitly say how much money he believes his exploit could be used to steal.

The correct course of action would've been him to responsibly disclose to the site admins that problem. Wait for them to fix it. Then ask them for a bounty. And if he's unhappy with the bounty cry foul and rave how much he hates the site and feels ripped off.

Why does he need to give up the information first? I don't see any reason why the OP needs to disclose the entire exploit prior to making any arrangement. If the owner of the site is not willing to pay the amount that the person who found the exploit wants for it then I don't see any reason why he should be forced to give up the information for less than what he thinks it is worth.

Explaining how much he thinks someone using the exploit could steal from the site is, IMO, something that would allow the owner of the site to gauge how much would be reasonable to pay for such information.

I think that it is important to be very clear that you have no intention of either using the exploit yourself or disclosing it to other third parties. This is important because I am not trying to defend the OP from trying to sell the exploit.

Stating the fact that someone else could potentially find the same exploit is a true statement, and is relevant if nothing more than public information was used to find such exploit as it means that the person soliciting the bounty for the exploit simply staying silent may not be sufficient to protect the site from getting robbed.
xetsr
July 04, 2015, 02:36:59 AM
 #279

I can't speak to any specific conversations that either Dooglus or subSTRATA had with this site's owner, or the owner of other sites. However if it were me that had found the exploit, then I would have told them something along the following:

"I have found an issue with your site that others could potentially use to steal from you, I have no intention of disclosing it to anyone other than you, nor do I have any intention of using such exploit personally, although I cannot guarantee that others will not use the same public information to exploit this same issue."

I think the above would pass the test of not being blackmail, while still being reasonably compensated for your time/skills.

The fact is that gambling sites are for-profit entities, and giving advice as to how to prevent yourself from getting robbed when large amounts of money is at stake should not be given for free. These sites should invest in the time/effort to prevent these kinds of exploits from existing in the first place.

https://bitcointalk.org/index.php?topic=1106133.msg11780169#msg11780169

Quote
the admin of the site seems rather hostile and is trying to rip both me and dooglus off, demanding a lower bounty for the deal, i am entertaining offers in this thread or through pm regarding this. a percentage of this will be paid to dooglus for his help in confirming this issue.

Am I misunderstanding something here?
I am not saying that the OP did what I suggested should have been done, I am just saying that you can receive a bug/exploit bounty without blackmailing/extorting the owner of the site.

I know that here, the owner of the site said:
Quote
Exploit it please, and earn 1 btc. When you do we are willing to pay you 1.5btc extra to tell us about it. We are tired of this lame scam attempts. We get mails of exploits weekly, but no one proved or steal anything. Only reason why we offered you any amount is because you have others users backing you up.
If something similar was said about selling the exploit, then the OP trying to sell it would be fair game. If something similar was not said, then trying to sell it would not be appropriate.

When it comes to bug reports, there is a very fine line between blackmail and responsible disclosure.

That post by the owner was made AFTER the exploit was being sold. subSTRATA admitted this thread was created with intentions to sell it at first...

Anyway, subSTRATA admitted he made a mistake so I'm done here.

I will drop some negative feedback on joter85 so hopefully others will no longer invest or play there without knowing about these bugs and exploits. Who knows, these exploits may have been in place for a reason. Like to slowly drain the investors Wink
subSTRATA (OP)
July 04, 2015, 02:45:14 AM
 #280

I will drop some negative feedback on joter85 so hopefully others will no longer invest or play there without knowing about these bugs and exploits. Who knows, these exploits may have been in place for a reason. Like to slowly drain the investors Wink

pretty perceptive, this was also a point brought up in a pm; as it stands the dice script created by joter85 is either incomplete/shoddy or intentionally faulty. if i were to give the benefit of the doubt considering that 1094x bets that are still going through, im inclined to think that the script was shoddily created and is incomplete. however, with dogedigital's experience with the site possibly having nonces skipped on the "simsim" account, i really dont know what to think here.

edit: Russel434 is still at it, ~0.12 in profit as of right now with 1k satoshi bets, exploiting both bugs to obtain a 9.4% edge as previously stated.
