Bitcoin Forum
November 25, 2017, 04:32:24 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 3 [4]  All
  Print  
Author Topic: Monero dice seed hacked?  (Read 3676 times)
Spoetnik
Legendary
*
Offline Offline

Activity: 1456


FUD Philanthropist™


View Profile
February 08, 2017, 07:30:38 AM
 #61

It would be interesting to know if this was a custom API or a public one, meaning that maybe other sites are affected and their owners could use this news to protect their sites too.
Of course patching your own is top priority.


Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

I am bookmarking this comment gold  Cheesy

Best comment of 2017 so far easily.

FUD first & ask questions later™
1511584344
Hero Member
*
Offline Offline

Posts: 1511584344

View Profile Personal Message (Offline)

Ignore
1511584344
Reply with quote  #2

1511584344
Report to moderator
1511584344
Hero Member
*
Offline Offline

Posts: 1511584344

View Profile Personal Message (Offline)

Ignore
1511584344
Reply with quote  #2

1511584344
Report to moderator
1511584344
Hero Member
*
Offline Offline

Posts: 1511584344

View Profile Personal Message (Offline)

Ignore
1511584344
Reply with quote  #2

1511584344
Report to moderator
Join ICO Now A blockchain platform for effective freelancing
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1511584344
Hero Member
*
Offline Offline

Posts: 1511584344

View Profile Personal Message (Offline)

Ignore
1511584344
Reply with quote  #2

1511584344
Report to moderator
1511584344
Hero Member
*
Offline Offline

Posts: 1511584344

View Profile Personal Message (Offline)

Ignore
1511584344
Reply with quote  #2

1511584344
Report to moderator
1511584344
Hero Member
*
Offline Offline

Posts: 1511584344

View Profile Personal Message (Offline)

Ignore
1511584344
Reply with quote  #2

1511584344
Report to moderator
Spoetnik
Legendary
*
Offline Offline

Activity: 1456


FUD Philanthropist™


View Profile
February 08, 2017, 07:51:40 AM
 #62

I think probably it is added back to the investors at the time of adding back. So if someone divested, he won't get anything, but if someone invested, he would get a share of the added back amount Huh

Yeah, that's how it sounds like. Actually when I designed the moneypot investment system, what I did was create a repayable log of all the investment/divestment/bet events for in a nightmare situation like this (or software bug) it could be replayed so investors wouldn't have made/lost money from the changes in the bankroll when a fake better (or software bug) was playing.

The situation is probably a big mess now, as some investors have lost more than they should've and others made more than they should've. And it's probably pretty likely the ones who unfairly made money have already withdrawn (?) or at the very least, will be unhappy if their balance gets put to the correct amount

Reminds me of Cryptsy's POINTS hack roll-back drama.
Seems the Monero guys who make a coin and RUN a GAMBLING SITE BUSINESS using said coin are smarter than everyone else.. except when they get hacked.. via "over confidenceCheesy

I think he is lucky only. how hack seed? it's impossible.

We found the bug he exploited that leaked the seed, and we've subsequently patched it.

Oh yeah ?
I guess just take your word for it huh ?
What makes you think there was an exploit in your API ?
..the result ?

I understand the risk is on the investors too and the situation would have been different if the cheater managed to withdraw all the money.

But the cheater didn't get any of it, so if you do rewind the cheater's bets, it seems very obvious that you should refund to the affected investors. To suggest otherwise seems ridiculous to me. And to give free money to people who invested after the whole situation seems even more crazy.

We made a decision on how to handle it at the time, under pressure, to the best of our ability. You are welcome to disagree with that decision, but unless you're in that scenario running your own site your opinion is largely meaningless. It's easy to look at it after the fact and go "well I would have done X" - I can think of any one of 30 different ways we could have handled things.

That seems like a normal thing to do. If I see a site is hacked, obviously my first reaction is to withdraw my own money. You must be pretty stupid to not immediately make sure your left-over money is safe.

So then you cut your losses and you get out, the end. There is no coming back later on to try reclaim imagined profit.

Perhaps a comparison will help: let's say that you have 10 BTC in Poloniex. You hear that Poloniex isn't processing BTC withdrawals, along with panic that they're hacked, and use your BTC to buy a bunch of WaffleCoin and withdraw it. You sell your WaffleCoin on ShapeShift, but now the market's tanked and you end up with 9 BTC. Later that day Poloniex put out a statement apologising for the issues and stating that they're now fixed. Would you insist that they roll the trades back? What about the shorters that took profit from you?

Or what if you invested in a startup, and then when it looked like things were going south you sold your investment at a loss. Two years later the startup is a huge, successful company. Do you insist on taking profit from the growth because you *used to be* an investor?

You shouldn't roll the whole database back, you should look which investors got affected by the cheater and how much they lost. In theory just the rolls and invest/divest information, should be sufficient. I understand it's technically tricky and needs some custom script to calculate, but that seems like the only fair way.

EG: you have the invested amounts of the current investors. Loop all events (= all bets + divests/invests) from latest to start of cheater. First event is probably some real bet after the cheater, recalculate what the invested amounts where before that bet. Second event same. If event is a invest/divest, adjust invested amounts too. Then when you reach the last bet of cheater, you should have all the info of which investors were invested at that time including the amount. Separately save how much they lost (or gained) in that cheater's bet. Continue loop and if the event is a cheater's bet, do the same. All till you are back to the first cheater's bet. IMO after this, you should have a list of investors with specific amounts of how much they lost? Reimburse those amounts to the investors.

We thought about this, but we decided that it would be too dangerous for us to spend days and weeks trying to build a magical "undo" script, completely wrecking any auditability, and potentially ending up with a screwed up data set at the end.

BillyBurns already made a loss from the cheater? So if you decided the losses were on the investors, nothing would have changed? He wouldn't need to deposit - he is already in loss.

edit: TBH I am not sure how many investors actually divested like BillyBurns. If he is the only one, things are probably more easy :x But just the mindset of refunding the investors who actually lost money seems important to me.

With all respect to the affected investor, he took his $100 loss and walked away. He didn't contact us, he didn't ask for input on how we were going to handle things. He just assumed that it was the end, and he would have been the *only* investor to get out with his money had we not had safeguards and had the attacker been able to actually drain the wallet. What would have happened then?

You stated at the outset that you understand that the situation would have been different had the attacker managed to withdraw, but you're not actually following that thought through. Had that played out we'd have a total loss on the part of all the investors, and one investor who only incurred a $100 loss, and you can bet that investor wouldn't volunteer to divvy up his remaining funds among the affected investors.

Ultimately you're asking us to take up a morally hazardous position. What happens when someone "accidentally" places a large bet and loses? Should we undo their bet, and take the profits from the investors? An investor that divests and withdraws is no longer part of the bankroll. They bailed out with a profit or with a loss, and that's the end of that.

Nevertheless, I've already offered to send $100 to the affected investor, so I'm not sure what more you expect?

Teach us how gambling sites are *suppose* to work. LOL
Does this involve SPECULATING a seed was compromised ?

And who exactly is "we" ?
Is King Risto involved with the site in any way ? Who is ?

FUD first & ask questions later™
Spoetnik
Legendary
*
Offline Offline

Activity: 1456


FUD Philanthropist™


View Profile
February 09, 2017, 05:16:00 PM
 #63

Custom API, so I don't think this affects anyone else. We've disabled betting in the meantime whilst we sort this out, but I really think the lesson to other operators is not to be overconfident in your code or in your setup. Everything can and will be compromised, so assume it's going to happen and put safeguards in place to handle that eventual scenario.

What a fucking sleazy little bullshitter.

He has the god damn nerve to say bullshit like that and sell merch with the below printed on it..



These Monero guys and all their misc companies and associations are corrupt back stabbing deceitful lying & bullshitting little obnoxious fucking pigs.

Snake oil salesmen raking in large profits while selling you all this ANON gimmick bullshit
and the big dream of...... "One day"

Maybe these cocky stupid fucking assholes should should change the text on their hoodies ?

Maybe something like.. "Everything can and will be compromised" ?  Cheesy

PS:
Know where he got that from ?
Me and my so called "FUD" i posted for damn near 3 years now.
But it's true when he says it and lying Troll FUD when i do huh ?

Fluffy you are a fucking greedy deceitful little crypto-rat in the shadows counting your cash like all the other profiteers with their gimmick coins.. and tell Risto you want a raise bud LOL
And yeah Risto did admit way back to paying the dev's so don't play that off as a joke either.

Of course my questions went unanswered earlier.. little pussies in hiding  Roll Eyes

Go fuck yourselves Morono's ..i told you 2017 was gonna be fun HAHHAHAHAHHA

FUD first & ask questions later™
moooonu
Hero Member
*****
Offline Offline

Activity: 546


Campaign Manager - Hire Now https://goo.gl/f3Trx9


View Profile WWW
February 10, 2017, 09:27:27 AM
 #64

WOW!!!!

looks like he exactly know which roll is going to come next. However, he tried to look it real with those few red bets. I am not sure but someone can't be that much lucky when it comes to probability.

adaseb
Legendary
*
Online Online

Activity: 1428



View Profile
February 12, 2017, 09:54:28 PM
 #65

The thing is, this guy who did this was an idiot and by betting like that he made it very obvious that there are security leaks somewhere.

But imagine how many BTC were lost by small gamblers who made less obvious bets for the past couple of months prior, they must of cleared out thousands of dollars before it was caught on.

Not really running a gambling site these days with all these security issues.

FORTUNEJACK.COM[
                            
9 BTC WELCOME PACK FOR 1ST 5 DEPOSITS
FREE 1,000 mBTC daily for LuckyJack winners
[
          
]
Pages: « 1 2 3 [4]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!