zip

[FanEagle]

nice 25x win...too bad you weren't playing btc

[amarel]

Yeah,I should've done it.But I've made enough other wins with btc  .That only proves that you can really win big on that site.

[miffman]

What's annoying about strategies is that you win when you aren't playing for BTC and when you try you lose all of it 

[CryptoPanda]

What's annoying about strategies is that you win when you aren't playing for BTC and when you try you lose all of it 

There it isn't good strategy

[W-M]

Quite an interesting website. The design of the Slot Machine looks nice.

There are however, two problems I currently have with your system:


1. How can people 'send you bitcoins and start playing' within 10 seconds?
This has me slightly concerned, as it usually takes longer, for one to two minutes, until a transaction is confirmed by most of the network. I think that 'within 10 seconds' is an overstatement.

And the more important issue is that you seem to not care at all about confirmations. If you let people play with money from a transaction that is not confirmed yet, you are very susceptible to double-spend attacks. How do you protect yourself from that?


2. You are using SHA-1 as Cryptographic Hash Function.
SHA-1 has been broken since 2005. A nice article with some details can be found here.
 Attacks always get better, they never get worse.
SHA-1 should not be used by anyone who takes themselves seriously. Especially if they are dealing with money.

So, what are you going to do about this?

I'm not trying to be mean, I know how much work goes into developing an intricate web system like this. But you really need to fix these issues if you want people to trust you with their money ;-).

Have a nice day,

~W-M

[CryptoPanda]

Both are good questions, luckily for us we have it thought out and those areas in particular have been extensively considered.

1. As you know transactions are instant, confirmations  need 10 mins on average.
So you can play instantly, but can withdraw only after 2 confirmations. That's the best compromise between game play and security.
Why make the user wait to play, when the actual risk is only when withdrawing? Most people play more than 20 mins, so they don't have to wait for the withdraw either.
That way we prevent double spend attacks without actually sacrificing game play at all, neat right?


2.
http://en.wikipedia.org/wiki/SHA-1#Attacks

As of 2012, the most efficient attack against SHA-1 is considered to be the one by Marc Stevens[32] with an estimated cost of $2.77M to break a single hash value by renting CPU power from cloud servers.[33] Stevens developed this attack in a project called HashClash,[34] implementing a differential path attack. On 8 November 2010, he claimed he had a fully working near-collision attack against full SHA-1 working with an estimated complexity equivalent to 257.5 SHA-1 compressions. He estimates this attack can be extended to a full collision with a complexity around 261.

When building systems that have to be both secure and provide fast game play, one doesn't always just pick the most secure hashing but one that's secure enough for the purpose and efficient as well. You need a balanced decision. We believe that SHA-1 is plenty secure for our minimal and non-important use. Please note that the hashing is just to prevent the user from seeing the seed before the spin, nothing else. Even if he spends $2.7M to uncover it before the spin, he won't have any real gains from that. So the expense of the attack way overthrows the actual benefit.


I hope that this clears out your otherwise valid concerns

[CryptoPanda]

Hey W-M, do you agree?

[CrackedLogic]

Hey W-M, do you agree?

Well I do.

[CryptoPanda]

CrackedLogic, thanks

[amarel]

I also think that this clarifies a lot.

[W-M]

Hey W-M, do you agree?

Yes, I sure do. Thanks a lot for your detailed response .

Although I would personally still advise against using SHA-1, as the $2.27 million attack is the one we know of, but there might be some attacks out there that we don't. A more efficient hashing algorithm does indeed result in the ability to serve more users at the same time. I would still decide to use a stronger, less efficient function over a weaker one, but that comes down to personal preference.

As for the first point:
This is a very smart solution for this problem, and also the one that I would use myself as well. It would make a great addition to your FAQ.

Again, thanks. You've handled my post very diligently.

~W-M

[CryptoPanda]

Hey W-M, do you agree?

Yes, I sure do. Thanks a lot for your detailed response .

Although I would personally still advise against using SHA-1, as the $2.27 million attack is the one we know of, but there might be some attacks out there that we don't. A more efficient hashing algorithm does indeed result in the ability to serve more users at the same time. I would still decide to use a stronger, less efficient function over a weaker one, but that comes down to personal preference.

As for the first point:
This is a very smart solution for this problem, and also the one that I would use myself as well. It would make a great addition to your FAQ.

Again, thanks. You've handled my post very diligently.

~W-M

Yes indeed, you never know how many years after an attack is found we will know about it, but in this very specific case, where there is no real advantage to the attacker we went with this one. Wouldn't use it for something like passwords though.

Yes, it's good idea to add that to the FAQ, will do

Thanks!

[CryptoPanda]

***EASTERN EGG***
If you read this and it's the last post, you just won 0.005 BTC credit!
Post your username right away to get it.

[WhatsBitcoin]

***EASTERN EGG***
If you read this and it's the last post, you just won 0.005 BTC credit!
Post your username right away to get it.

Username Whatsbitcoin  

What is the max bet per spin by the way?

[CryptoPanda]

***EASTERN EGG***
If you read this and it's the last post, you just won 0.005 BTC credit!
Post your username right away to get it.

Username Whatsbitcoin  

What is the max bet per spin by the way?

Refresh and you will see the money

The max bet atm is 0.001, min is 0.0001

[CryptoPanda]

You got them?

[WhatsBitcoin]

You got them?

Yes. My intentions were to play but I could not. Everytime I pressed spin about 75% it didn't spin. The other 25% it spun and just showed blanks for all 3 reels. After 5-10 seconds random symbols would appear in a couple of the reels. From my system, it was a very buggy and bad experience so I withdrew my balance. I was not trying to be a freeroller and simply withdraw but a couple of spins debited my acount and never even spun.

[Bitcoin Games]

I have added bitbandit to the Bitcoin Games Directory now!

[tuanvie]

the game is very detrimental
I tried to deposit 0.0008
8x spin not even win 

[gofoter]

Was your deposit successful?If so,it may have happened that you haven't won but don't get discouraged as it happens sometimes.There have been some quite big wins on the site so it all depends.