TheUntitled
December 20, 2013, 01:52:25 PM

> Hey everyone,
> We're going to take the site down for about 24 hours to do some upgrades to the servers.
> Thank you all for the help over the past few days. We'll be back soon.
> When we return, all of your accounts will be exactly as they are right now.
> Thanks! The MooCoin Team

Alright. Now that the Firefox glitch is fixed I'll be able to properly test it when it comes back online.

Freelance writer at CoinBuzz.com

matt608
December 20, 2013, 04:23:39 PM

Will tetris battle be one of the games on offer? I've been wanting to play that for BTC for soo long...

moocoin (OP)
December 21, 2013, 01:19:12 AM

Ok! We're back online. We've made a couple of changes to the site:
- Fixed the captcha exploit. Man it's hard to find a good captcha these days! The effective ones are all really ugly and we don't want you guys dealing with ugly! We implemented Are You A Human. Please try to exploit it. If you do, you can keep the BTC you get from the faucet!
- We left everyone's btc alone...even those people that exploited the faucet bug. Because you earned it and helped us fix it.
- We went through some additional testing on Firefox and Chrome. If you still see artifacts, let us know.
- We added a little bit of mood lighting to the site. Make sure you come back at different times of the day to check it out!

Thanks again, everyone.
The MooCoin Team
admin@moocoin.com

moocoin (OP)
December 21, 2013, 01:38:39 AM

> Will tetris battle be one of the games on offer? I've been wanting to play that for BTC for soo long...

We're already working on our next game, and while we're doing that, we're solidifying the plugin architecture. That will let other developers write their own game modules for MooCoin! I'm not sure what the next game will be. Maybe when we're ready, we'll make a poll and ask you guys and gals... Thanks!

Drug5bitz
December 21, 2013, 02:11:45 AM

Looks good, I'm liking this more than satoshidice already.

If you would like to donate to my jalapeno mods, or just buy me a b33r it's all appreciated.
BTC Address 1DX24XAojH2qjAgFzbME81o9BD3yDjfGLR

dnaleor
December 21, 2013, 02:13:18 AM Last edit: December 21, 2013, 02:25:41 AM by dnaleor

> - Fixed the captcha exploit. Man it's hard to find a good captcha these days! The effective ones are all really ugly and we don't want you guys dealing with ugly! We implemented Are You A Human. Please try to exploit it. If you do, you can keep the BTC you get from the faucet!

I tried slickbot again and indeed, I can not find a way to exploit the previous bug, congratz!!

> - We left everyone's btc alone...even those people that exploited the faucet bug. Because you earned it and helped us fix it.

2.5 mBTC were deducted from my account, but doesn't matter, I wanted to help you guys

> - We went through some additional testing on Firefox and Chrome. If you still see artifacts, let us know.

I still have a "mirrored" screen... Bug is still there... (Chrome)
edit: I don't have the problem on IE.

gogodr
December 21, 2013, 03:05:56 AM

I just tried cracking it and I can confirm that it is possible, yet very very complicated. You can easily get the session secret by using AYAH.sessionSecret().value (you should look into making variables use strict by placing the whole javascript inside a function. That will make variables not accessible from the console.) Anyways, the correct validation is encrypted (which could be decrypted and elaborate a script to generate it). Also with a simple scanner I managed to know the ajax calls needed in those games. For the most part you are very secure. This captcha has many many levels of security and even a DDOS protection on their websockets server (validated by session). Still I recommend you to place a server sided cap on which you can no longer ask for btc from the faucet. As I already mentioned the verification is actually on the client side and then the program sends a hashed string to the websockets server in order to verify the transaction (if the game is correct). This can be automated and a skilled hacker could break this system in a couple of days. The system is already pretty secure, a cap would make it infallible.

Aside, are you a human is not as antithetical as the previous one, but it is way more secure so good job on the change.

moocoin (OP)
December 21, 2013, 04:41:26 AM

> I just tried cracking it and I can confirm that it is possible, yet very very complicated. You can easily get the session secret by using AYAH.sessionSecret().value (you should look into making variables use strict by placing the whole javascript inside a function. That will make variables not accessible from the console.) Anyways, the correct validation is encrypted (which could be decrypted and elaborate a script to generate it). Also with a simple scanner I managed to know the ajax calls needed in those games. For the most part you are very secure. This captcha has many many levels of security and even a DDOS protection on their websockets server (validated by session). Still I recommend you to place a server sided cap on which you can no longer ask for btc from the faucet. As I already mentioned the verification is actually on the client side and then the program sends a hashed string to the websockets server in order to verify the transaction (if the game is correct). This can be automated and a skilled hacker could break this system in a couple of days. The system is already pretty secure, a cap would make it infallible.
>
> Aside, are you a human is not as antithetical as the previous one, but it is way more secure so good job on the change.

Wow. Thank you for looking at it in such depth. We actually have three levels of security on the server side. We're happy to talk about them, unlike some websites, because we don't believe that keeping your security methods a "secret" is a legitimate way to secure your site.

1) When the client solves the game, it generates a "solution" key. We collect the solution key and send it to our server. Our server then makes a call to the CAPTCHA server to make sure that the solution key is correct for the puzzle that we generated. If so, we know at least that the person or bot correctly solved the captcha. Hopefully it's hard to solve with a bot...
2) We store the solution/session combo and only let it be used once. This prevents replay attacks.
3) We have a hard limit on the amount the faucet will produce in a given amount of time. We also have code in place to limit velocity on a user-basis, but we haven't activated that yet.

We're also going to do more rate limiting, but really really want to stay away from limiting the faucet based on your balance or legitimate solving speed.

Moo.
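
The three server-side checks listed in the post above (solution key verified by the server with the CAPTCHA service, each solution/session pair usable once, a hard cap per time window), plus the per-user velocity limit it mentions, as an added Node.js example. This is not MooCoin's code: `FaucetGuard`, `verify`, the parameter names and all values are assumptions, and the provider call is a stand-in.

```javascript
'use strict';
// Added example; every name here is hypothetical, not MooCoin's API.
// verify(sessionId, solutionKey) -> Promise<boolean> stands in for the
// server-to-server call to the CAPTCHA service (assumed interface).
class FaucetGuard {
  constructor({ verify, payout, windowMs, windowCap, cooldownMs }) {
    Object.assign(this, { verify, payout, windowMs, windowCap, cooldownMs });
    this.seen = new Set();      // session/solution pairs already presented
    this.lastClaim = new Map(); // accountId -> time of last payout
    this.windowStart = 0;
    this.windowPaid = 0;
  }

  async claim({ accountId, sessionId, solutionKey }, now = Date.now()) {
    // Check 2 (single use): reserve the pair synchronously, before any await,
    // so two concurrent requests carrying the same solution cannot both pass.
    const pair = JSON.stringify([sessionId, solutionKey]);
    if (this.seen.has(pair)) return { ok: false, reason: 'replay' };
    this.seen.add(pair);

    // Check 1: the server, not the browser, asks the CAPTCHA service.
    if (!(await this.verify(sessionId, solutionKey))) {
      return { ok: false, reason: 'captcha' };
    }

    // Per-account velocity limit.
    const last = this.lastClaim.get(accountId);
    if (last !== undefined && now - last < this.cooldownMs) {
      return { ok: false, reason: 'cooldown' };
    }

    // Check 3: hard cap on the total paid out per time window.
    if (now - this.windowStart >= this.windowMs) {
      this.windowStart = now;
      this.windowPaid = 0;
    }
    if (this.windowPaid + this.payout > this.windowCap) {
      return { ok: false, reason: 'cap' };
    }
    this.windowPaid += this.payout;
    this.lastClaim.set(accountId, now);
    return { ok: true, reason: 'paid' };
  }
}

// Constructed demo: the fake provider accepts only keys starting with "good-".
async function demo() {
  const guard = new FaucetGuard({
    verify: async (_session, key) => key.startsWith('good-'),
    payout: 100, windowMs: 86400000, windowCap: 200, cooldownMs: 900000,
  });
  const t0 = 1000000;
  const go = (accountId, sessionId, solutionKey, at) =>
    guard.claim({ accountId, sessionId, solutionKey }, at);
  // The same solved captcha sent twice at once: only one request is paid.
  const results = await Promise.all([
    go('alice', 's1', 'good-1', t0), go('alice', 's1', 'good-1', t0)]);
  results.push(await go('bob', 's2', 'forged', t0 + 1));            // bad solution
  results.push(await go('alice', 's3', 'good-2', t0 + 60000));      // too soon
  results.push(await go('bob', 's4', 'good-3', t0 + 2));            // fills the cap
  results.push(await go('carol', 's5', 'good-4', t0 + 3));          // cap reached
  results.push(await go('carol', 's6', 'good-5', t0 + 86400000));   // new window
  return results.map((r) => r.reason);
}
demo().then((reasons) => console.log(reasons.join(' ')));
```

With more than one server process, the reservation and the counters would need to live in a shared store with atomic operations, and stored pairs can expire together with the CAPTCHA session.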

gogodr
December 21, 2013, 05:04:10 AM

Keep up the good work :3

No problem, ethical hacking and security diagnostics is one of my hobbies. I work on web development with a small team and doing this kind of thing is also useful for me. I always learn new methods of security breaching and how to patch them, which is knowledge I can put into practice for my own work.

Snail2
December 21, 2013, 10:34:33 PM

Looks great, I see only two issues.

1. Transaction and game history looks a bit messy. I've used the faucet twice, played one game, but I see four faucet usage and two games

21 December 2013 22:22:56 0.00000100 Faucet
21 December 2013 22:23:25 0.00000100 Faucet
21 December 2013 22:24:28 0.00000100 Win
21 December 2013 22:22:56 0.00000100 Faucet
21 December 2013 22:23:25 0.00000100 Faucet
21 December 2013 22:24:28 0.00000100 Win

Same thing in game history

Paper, Rock, Scissors 21 December 2013 22:09:20 0.00000100 Won
Paper, Rock, Scissors 21 December 2013 22:09:20 0.00000100 Won

2. In both game and transaction history I see "Showing 0 to 0 of 0 entries". There should be more than 0 entries.

I wish you great success
Keep up the good work

moocoin (OP)
December 22, 2013, 12:30:05 AM

> Looks great, I see only two issues.
>
> 1. Transaction and game history looks a bit messy. I've used the faucet twice, played one game, but I see four faucet usage and two games
>
> 21 December 2013 22:22:56 0.00000100 Faucet
> 21 December 2013 22:23:25 0.00000100 Faucet
> 21 December 2013 22:24:28 0.00000100 Win
> 21 December 2013 22:22:56 0.00000100 Faucet
> 21 December 2013 22:23:25 0.00000100 Faucet
> 21 December 2013 22:24:28 0.00000100 Win
>
> Same thing in game history
>
> Paper, Rock, Scissors 21 December 2013 22:09:20 0.00000100 Won
> Paper, Rock, Scissors 21 December 2013 22:09:20 0.00000100 Won
>
> 2. In both game and transaction history I see "Showing 0 to 0 of 0 entries". There should be more than 0 entries.
>
> I wish you great success
> Keep up the good work

That's strange that everything is duplicated on your account. Can you let us know which browser you're using? I'm guessing it's a client-side problem. If possible, please email us your account id (your personalized url) to admin@moocoin.com. This also makes me realize that we need some way to identify accounts securely without asking folks for their account ID...

Thanks,
The MooCoin Team

gogodr
December 22, 2013, 12:34:51 AM

You could use wallet addresses as account IDs and make it so the user can only withdraw to that address. No wait, bad idea. Someone could log in with another person's wallet and lose on purpose.

moocoin (OP)
December 22, 2013, 01:44:22 AM

Hi Everyone,
We just added a public account id for everyone. It doesn't do anything except help us identify your account if you give it to us. It's perfectly ok to share it with us in a public forum like this. No one can access your account with your public Id.
You can get your public Id by clicking the help button, then looking in the lower left of that dialog box. It will always start with PUB.
Make sure you never share your private account Id. That one is found in the URL of your browser and does NOT start with PUB.
Snail2: If you get a chance, can you send us your public Id so we can take a look at the duplication in your account?
Thanks! The MooCoin Team

TheUntitled
December 22, 2013, 01:26:38 PM

After playing around with the faucet for a bit, I suggest doing one of the following things:
1) Adding a time limit between claims of the faucet money (at BitVegas we set it to 15 minutes)
2) Raising the amount of money that one gets from the faucet, but only allowing a claim if the user's balance is 0 (satoshiaces.com did this and it worked great to encourage actual gambling rather than abuse)
At the moment, being able to infinitely claim from the faucet can lead to some pretty extreme abuse.
As for the new Captcha: it works better and fits in perfectly with the design of the site. Much less irritating than stuff like ReCaptcha when most of the time it's impossible for you to read what you're meant to type.

Freelance writer at CoinBuzz.com

moocoin (OP)
December 22, 2013, 03:12:02 PM

> After playing around with the faucet for a bit, I suggest doing one of the following things:
> 1) Adding a time limit between claims of the faucet money (at BitVegas we set it to 15 minutes)
> 2) Raising the amount of money that one gets from the faucet, but only allowing a claim if the user's balance is 0 (satoshiaces.com did this and it worked great to encourage actual gambling rather than abuse)
> At the moment, being able to infinitely claim from the faucet can lead to some pretty extreme abuse.
> As for the new Captcha: it works better and fits in perfectly with the design of the site. Much less irritating than stuff like ReCaptcha when most of the time it's impossible for you to read what you're meant to type.

Thanks for the feedback. We're going to continue playing around with different faucet ideas until we get to a place that our players love.

TheUntitled
December 22, 2013, 03:46:14 PM

> Thanks for the feedback. We're going to continue playing around with different faucet ideas until we get to a place that our players love.

Alright, sounds good. I compiled some data on the faucet, hopefully it'll make the process of improving it a little easier. You can find it here: https://docs.google.com/document/d/16-xcwSs17o-hxP_NM1k8vwWAtyZNTbRPR9IF0gloJck

While doing the tests for that Document, I found a glitch: if you double-click the "Get free Bitcoins" button, a black overlay goes over the website and you need to refresh to fix it. I've tested it on Firefox, Chrome and Safari and it happens on them all.

Freelance writer at CoinBuzz.com

moocoin (OP)
December 22, 2013, 06:12:10 PM

> > Thanks for the feedback. We're going to continue playing around with different faucet ideas until we get to a place that our players love.
>
> Alright, sounds good. I compiled some data on the faucet, hopefully it'll make the process of improving it a little easier. You can find it here: https://docs.google.com/document/d/16-xcwSs17o-hxP_NM1k8vwWAtyZNTbRPR9IF0gloJck
>
> While doing the tests for that Document, I found a glitch: if you double-click the "Get free Bitcoins" button, a black overlay goes over the website and you need to refresh to fix it. I've tested it on Firefox, Chrome and Safari and it happens on them all.

That's awesome. The numbers really add up. We have a hard-cap on the amount we let leave the faucet every day, but certainly don't want the funds concentrated into just a few folks who drain the faucet. Even though they don't individually collect much, it prevents others from using it. Point [well] taken. We're going to discuss, but I'm guessing we'll limit to folks that have a zero balance...

TheUntitled
December 22, 2013, 07:07:35 PM

> > > Thanks for the feedback. We're going to continue playing around with different faucet ideas until we get to a place that our players love.
> >
> > Alright, sounds good. I compiled some data on the faucet, hopefully it'll make the process of improving it a little easier. You can find it here: https://docs.google.com/document/d/16-xcwSs17o-hxP_NM1k8vwWAtyZNTbRPR9IF0gloJck
> >
> > While doing the tests for that Document, I found a glitch: if you double-click the "Get free Bitcoins" button, a black overlay goes over the website and you need to refresh to fix it. I've tested it on Firefox, Chrome and Safari and it happens on them all.
>
> That's awesome. The numbers really add up. We have a hard-cap on the amount we let leave the faucet every day, but certainly don't want the funds concentrated into just a few folks who drain the faucet. Even though they don't individually collect much, it prevents others from using it. Point [well] taken. We're going to discuss, but I'm guessing we'll limit to folks that have a zero balance...

Glad I could help! I've had more experience with poorly executed faucets than I'd like to admit, so I'm happy to be using those experiences to help you guys. I'll continue testing the site and get back to you with more information. Keep an eye on that document, as I'll probably be editing in more information at some point.

Freelance writer at CoinBuzz.com

moocoin (OP)
December 24, 2013, 02:54:55 AM

Hi Everyone,

We have some pretty exciting news today. We've released the first part of the pluggable game architecture: the server side code. If you're a developer, or just interested in what we're doing that's different, read on, then take a look at the repo. There, you can find the actual server-side game code for the Paper, Rock, Scissors game on the live MooCoin website.

What is it?
Our pluggable game architecture lets other developers write games on our platform. If you ever wanted to create one or two player bitcoin games, but didn't want to deal with all of the boilerplate, this is a perfect solution for you.

What does MooCoin handle for me?
We handle deposits, accounts, database operations, withdrawals, player matching, fees, bitcoin network integration, and all operational aspects of running the site.

What do I have to do?
You just write your game code for the server, and the UI code for the client.

What's the revenue share?
Right now, we think we're going to share back 20% of the revenue with the game developer. This may change as we approach the full launch.

What technologies does it use?
- Node.js for the server-side. We also use MongoDB and a bunch of other technology, but the API shields you from needing to know that
- HTML5 for the client-side. We'll give you a div on the page, and you write your game code inside of it.
- Websockets for the communication channel between the server and client.

Please give us feedback on the API while it's still young and flexible. We're currently implementing our second game to be released at the same time as the client-side of the API.

Thanks!
The MooCoin Team
admin@moocoin.com

moocoin (OP)
December 27, 2013, 04:38:06 AM

Hi everyone,

We've now completed the API for both the client and server. This means that we're 100% ready to plug in games created by external developers! We've published the actual game code that we use to play Paper, Rock, Scissors on our repo.

We would love feedback on the API and the experience of creating a game for the MooCoin platform. We'll continue to improve the experience of creating games on the platform, but we need your feedback to make it better!

For a limited time, we're going to use a 50% revenue share with game developers. If you're an experienced developer, let us know that you're interested and we'll provide whatever support you need to get you rolling.

You can get started without our help right now! Just go take a look at the repo to see our Paper, Rock, Scissors codebase. You'll be surprised at how easy it is to create a game on the platform. We handle almost everything for you, freeing you up to focus on your game code.

Thanks!
The MooCoin Team
Email: admin@moocoin.com
Game website: www.moocoin.com
Developer website: dev.moocoin.com