OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT

[Martijnvdc]

Even IF it wasn't one big scam, why would people trust you with money again after such big mistakes?
I lost 85% of my investment in this website, and the owner won't refund me because i was ""positively affected""...
Mateo was still playing with my invested money when i divested the little bit i had left. So i don't see how i wouldn't be refunded, if this security issue is the cause of it.
The responses i got from their ticket system were VERY shady to say the least.

[DiceBitcoin]

I've broken down these arguments in the past, the crux of it is dicebitco.in isn't anonymous and doesn't want to go to jail or be hunted after. I stand by everything I said including the part about the 1000 coins.

That is the most stupid thing i ever heared in the whole DB saga. You really believe im not anonymous, and "i am afraid of been hunted or go to jail"? lol. At this point i really dont know if you do believe this, or you simply try to use this argument because you still cant accept the fact we are refunding.

tl;dr you are trully stupid if you think FEAR is the reason im doing this. Only thing scares me is human stupidity, and you man take it in another level. Like seriously, bring it on.

Even IF it wasn't one big scam, why would people trust you with money again after such big mistakes?
I lost 85% of my investment in this website, and the owner won't refund me because i was ""positively affected""...
Mateo was still playing with my invested money when i divested the little bit i had left. So i don't see how i wouldn't be refunded, if this security issue is the cause of it.
The responses i got from their ticket system were VERY shady to say the least.

Get your facts right. We will not refund you because you were not affected by this, only certain players(less than 20 ) got affected. You lost because you pulled our your investment by divesting when you were in minus. If you didnt divest, you would never lose those coins(but made a nice extra as well).

[Martijnvdc]

Get your facts right. We will not refund you because you were not affected by this, only certain players(less than 20 ) got affected. You lost because you pulled our your investment by divesting when you were in minus. If you didnt divest, you would never lose those coins(but made a nice extra as well).

Mateo was STILL PLAYING against MY investment. He was CHEATING me out of MY money. You didn't halt gambling while the cheating was going on at all. Explain to me how this is not a SCAM.
You are a shameless scammer. It's as simple as that.

[WhatTheGox]

Crazy situation 

[DiceBitcoin]

Mateo was STILL PLAYING against MY investment. He was CHEATING me out of MY money. You didn't halt gambling while the cheating was going on at all. Explain to me how this is not a SCAM.
You are a shameless scammer. It's as simple as that.

You are wrong. The gambling WAS HAULTED when the incident found(all accounts turned into invest-only) and reinstated betting only when we made sure the malicious code is not in place. Also, mateo didnt play that particular day, but almost 24h~ after the inicdent. It was your choice to leave your coins invested or divest them when you were losing(invest/divest was never haulted, same as withdrawals).

[AirFlame]

Don't see why on Earth anyone would deal with you from this point onwards.

Good luck trying to regain people's trust after potentially scamming over a thousand coins.

You had a bug in Your primedice and people was deceived. Wait how many was it ?

around 37,500 bets were settled as losses when they should have been wins...

https://bitcointalk.org/index.php?topic=208986.msg8441727#msg8441727

[Martijnvdc]

Mateo was STILL PLAYING against MY investment. He was CHEATING me out of MY money. You didn't halt gambling while the cheating was going on at all. Explain to me how this is not a SCAM.
You are a shameless scammer. It's as simple as that.

You are wrong. The gambling WAS HAULTED when the incident found(all accounts turned into invest-only) and reinstated betting only when we made sure the malicious code is not in place. Also, mateo didnt play that particular day, but almost 24h~ after the inicdent. It was your choice to leave your coins invested or divest them when you were losing(invest/divest was never haulted, same as withdrawals).

YOU ARE LYING.
He won almost all his bets... Against a negative bankroll... This site is STILL RIGGED.
You should have halted the gambling and sent the investor's money to their emergency address once a security issue was found. Instead, you let the gambling continue, and even THEN you still let Mateo withdraw his money. You continued the gambling without a deep inspection into your source code.
How can you lie about what happened when there were so many people watching it all happen??

Also, i believe it would be your moral obligation to halt the gambling until all investors could at least be given the time to log into their accounts. I wasn't even given a chance or even a warning email of what happened. A gambler won UNFAIRLY against my investment, and somehow it's my fault for not divesting WHILE he was cheating??

Your actions show nothing but the intent to steal money from the investors and get away with it.

[DiceBitcoin]

YOU ARE LYING.
He won almost all his bets... Against a negative bankroll... This site is STILL RIGGED.
You should have halted the gambling and sent the investor's money to their emergency address once a security issue was found. Instead, you let the gambling continue, and even THEN you still let Mateo withdraw his money. You continued the gambling without a deep inspection into your source code.
How can you lie about what happened when there were so many people watching it all happen??

Also, i believe it would be your moral obligation to halt the gambling until all investors could at least be given the time to log into their accounts. I wasn't even given a chance or even a warning email of what happened. A gambler won UNFAIRLY against my investment, and somehow it's my fault for not divesting WHILE he was cheating??

Your actions show nothing but the intent to steal money from the investors and get away with it.

Get your facts right. He didnt win almost all his bets, plus he ended up busting big time(lost all he won + more). Against a negative bankroll..? What is negative bankroll? mateos' first withdrawal wasnt done automatically. We went though all his bets and they were legit. He also had randomzied his server seed, so it was impossible for him to cheat. Simple as that. As far as the"continued gambling" we did only after we inspected the code, isolated the malicious code and made 1000% sure it works as it should. Calling the site STILL RIGGED will just get you a negative trust next time you post, without facts. And thats the last time i answer to you. I am sorry you divested when in loss, but the gambler did NOT win unfairly against your investment, since he had no access to server seeds. You miss the point that from this whole fiasco, the OJLY people that had a profit out of this were investors. Neither we or users with known server seeds.

[Martijnvdc]

YOU ARE LYING.
He won almost all his bets... Against a negative bankroll... This site is STILL RIGGED.
You should have halted the gambling and sent the investor's money to their emergency address once a security issue was found. Instead, you let the gambling continue, and even THEN you still let Mateo withdraw his money. You continued the gambling without a deep inspection into your source code.
How can you lie about what happened when there were so many people watching it all happen??

Also, i believe it would be your moral obligation to halt the gambling until all investors could at least be given the time to log into their accounts. I wasn't even given a chance or even a warning email of what happened. A gambler won UNFAIRLY against my investment, and somehow it's my fault for not divesting WHILE he was cheating??

Your actions show nothing but the intent to steal money from the investors and get away with it.

Get your facts right. He didnt win almost all his bets, plus he ended up busting big time(lost all he won + more). Against a negative bankroll..? What is negative bankroll? mateos' first withdrawal wasnt done automatically. We went though all his bets and they were legit. He also had randomzied his server seed, so it was impossible for him to cheat. Simple as that. As far as the"continued gambling" we did only after we inspected the code, isolated the malicious code and made 1000% sure it works as it should. Calling the site STILL RIGGED will just get you a negative trust next time you post, without facts. And thats the last time i answer to you. I am sorry you divested when in loss, but the gambler did NOT win unfairly against your investment, since he had no access to server seeds. You miss the point that from this whole fiasco, the OJLY people that had a profit out of this were investors. Neither we or users with known server seeds.

Great. So where is YOUR proof of not being Mateo then?
Also, you went through all his bets, which skipped nonces, and somehow you considered those to be legit? If he skips nonces then he is cheating and you shouldn't have paid him his "winnings". You're not implying he wasn't cheating, right?
Go ahead and give me negative feedback. Threatening other people on here won't improve your trust at all. If this is how you work then i honestly don't see how anyone would ever trust you with a single bitcent ever again. You have proven to be completely incompetent of running this website responsibly. Tell me, what is the emergency address for?? Was there even any source code in place that would send to those addresses in case of an emergency?
Go ahead and give an honest man negative feedback. Go right ahead.

Also, a negative bankroll is a bankroll where there is a minus-sign in front of it...

[jaysabi]

BR can't be negative. Once it's zero, there's nothing to bet against. Profit was negative, not bankroll.

Can we lock this thread and direct all comments to the longer thread already dealing with this topic? There doesn't need to be two discussions about the same topic going on, that just leads to confusion and missing information and people saying the same things in two different places.

[suchmoon]

Get your facts right. We will not refund you because you were not affected by this, only certain players(less than 20 ) got affected. You lost because you pulled our your investment by divesting when you were in minus. If you didnt divest, you would never lose those coins(but made a nice extra as well).

I think your own facts are not quite right. As was posted in the other thread, even if investors didn't divest they wouldn't have gained their coins back, let alone "extra".

Why don't you post a list of investors from before the shitstorm, and exactly how much each of them divested/invested/lost/gained since then.

[robhimself]

Get your facts right. We will not refund you because you were not affected by this, only certain players(less than 20 ) got affected. You lost because you pulled our your investment by divesting when you were in minus. If you didnt divest, you would never lose those coins(but made a nice extra as well).

I think your own facts are not quite right. As was posted in the other thread, even if investors didn't divest they wouldn't have gained their coins back, let alone "extra".

Why don't you post a list of investors from before the shitstorm, and exactly how much each of them divested/invested/lost/gained since then.

The thing I'm most curious about is who were these investors who saw the shitstorm that was DBC and still decided to go and invest new coins during it, just in time to catch Mateo dumping back what he had won before. That's the problem here, the owner could easily be Mateo and also be most of the investment on the site right now. So he sacrificed some BTC to the few legit investors still in on the site in order to gain back trust for an even bigger Mateo (or likely some new account) win in the future.

[dooglus]

Good luck trying to regain people's trust after potentially scamming over a thousand coins.

I stand by everything I said including the part about the 1000 coins.

I don't think I understand. What 1000 coins are you talking about here?

I see two ways to interpret your "potentially" here:

1) Are you saying they had the potential to steal 1000 BTC? If so, the number is more like 7000, since that's what was in the bankroll that they could have stolen (but instead they allowed investors to withdraw almost all of it).

2) Or are you saying that you think they actually stole 1000 BTC? If so, how? Even if "Mateo" was a site player, he lost more than he won, and it was less than 1000 BTC.

Neither way makes much sense to me. Could you be clearer about what you're actually accusing them of?

[grux]

In around 24hrs past the incident, the bankroll shrinked from 7500 coins to ~1700. Then,we had one user, mateo, which was hitting the bankroll non stop for almost 12hrs more, eating almost 600 BTC of profit (site was ~288 BTC profit prior to the 7th of September and around -320 BTC when mateo stopped playing).. Lot of speculation exists as well around that user, so please allow me to elaborate. User mateo was registered on 2014-08-06 18:22:05 and before the incident of 7th of September was -33 BTC in total. The date he registered the other developer was not hired yet, so it is impossible that it was him. The new hire had no access to the database (or to the production server) which means that it is impossible for him to know other users’ seeds. On top of that, mateo did randomize his rolls before he goes on with his crazy streak (my guess would be to verify if he got affected by the malicious code - btw he was not affected). Given all those facts there is 0% chance it could be someone that knew the server seed and played against it. When he asked for a withdrawal when done, we are left astonished with that run (like we didn’t have enough shit already to deal with). We postponed his withdrawal for several hours. We went through his rolls again and again, we searched every possible way of ”cheating”. Everything was legit, so we paid him out.

If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

I imagine anyone with access and ability to upload unchecked code can do the following:

• Read out the authentication details used to connect to the database/wallet
• Run a query to look up seeds
• Intercept passwords before they are hashed and checked against database
• Forge tokens/cookies and log into another's account
• Change/delete entire tables of the database
• Increase or decrease balances of any user

Why are you guys even assuming that seeds, passwords, and server are safe? Isn't it time for a full system seed and password change?

Are you guys just making up this whole "employee" story? Are you guys this inexperienced?

[dooglus]

If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

They've addressed this before.

He couldn't upload code himself. They uploaded his code for him without properly testing it. When they found out that his code was malicious they backed out his change.

While the code was in place he could potentially have grabbed a server seed, but apparently he randomized after his change was backed out, meaning he no longer had a way of reading his seeds.

I think that's how it goes, anyway.

[grux]

If he didn't have access to production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add any query or even a URL that reveals the auth details or seeds for himself?

They've addressed this before.

He couldn't upload code himself. They uploaded his code for him without properly testing it. When they found out that his code was malicious they backed out his change.

While the code was in place he could potentially have grabbed a server seed, but apparently he randomized after his change was backed out, meaning he no longer had a way of reading his seeds.

I think that's how it goes, anyway.

We cannot assume this is the case, he may have randomized his own seed, but we're ignoring the true danger here. He may know the seeds to many whales or to even other accounts he has that DB doesn't know about. And the seed isn't the only vector here for such a disastrous situation.

[dooglus]

We cannot assume this is the case, [...]

I wasn't assuming anything. I was repeating what I think is the "official story".

[BusyBeaverHP]

I had 0.01 invested in DiceBitco.in and was fortunate enough to immediately withdraw that Sunday after hearing about the skipped nonce incident. My observation of the events:

1. Skipped nonces -  A high roller (finnile) discovered he was losing due to skipped nonces that targeted only winning bets.

2. More high rollers noticed the cheat - The skipped nonce bug targeted high rollers.

3. Site owner's response - They claimed that the code was implemented by a new employee.
However, the statement manl put out a day earlier contradicted this: there was no new employee.
Didn't GHash.io blame a new employee for their double-spending incident as well?

4. Investors are alarmed. Bankroll plummeted from 7000 BTC down to less than 2000 BTC. I divested and withdrew at this point.

5. Owners disable DiceBitco.in's peer bet verification and chat lobby.
There is absolutely no reason to hide betting verification other than to cheat.

6. Enter "mateo".

7. Using a few thousand 49.5% bets, mateo turned a +300 positive bankroll into -300. Nobody can verify his rolls.
What is the probability that a high roller shows up out of nowhere and sweep the bankroll shortly after betting verification is disabled?

8. The site owner then goes completely silent for two weeks.

Everyone can come to their own conclusions at this point.

[suchmoon]

We cannot assume this is the case, [...]

I wasn't assuming anything. I was repeating what I think is the "official story".

There is one aspect of that story that's still bothering me (well there is more than one TBH, but I'm trying to pretend now that it's true). They said the the rogue employee "had to chose manually which player to ‘cheat’". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

[dooglus]

There is one aspect of that story that's still bothering me (well there is more than one TBH, but I'm trying to pretend now that it's true). They said the the rogue employee "had to chose manually which player to ‘cheat’". How did he do that if he didn't have access to the production database? Some kind of a backdoor in the UI? All we've seen was two or three lines of code that don't really explain much. I think at the very least DB should have published the whole commit. This is one of those things that would have gone a long way towards credibility.

Good point.

The three line screenshot didn't really show anything. Could we see the whole diff he submitted? The condition for when to apply the nonce-skip would be interesting. I too wonder how the rogue employee was able to chose manually which players to cheat when he didn't have access to the db.