Author Topic: How 999dice.com is stealing your coins, and exactly why you won't believe me  (Read 41932 times)
mailmansDOGE
February 08, 2015, 01:38:42 PM
 #41

Sounds like "Jake" will be getting nailed by the FBI soon enough...  these scammers never learn...
Can FBI or any other authority do anything about people dealing in BTC?
They do not consider it money so why wont they stay away?
xuan87
February 08, 2015, 01:56:00 PM
 #42

I never trust this site when Stunna leave a red -ve to jake

Sounds like "Jake" will be getting nailed by the FBI soon enough...  these scammers never learn...
Can FBI or any other authority do anything about people dealing in BTC?
They do not consider it money so why wont they stay away?

If that country has a regulation against BTC crime, I'm sure the law enforcement will bust that guy


trixter
February 08, 2015, 02:09:45 PM
 #43

Can FBI or any other authority do anything about people dealing in BTC?
They do not consider it money so why wont they stay away?

They do consider it money for a variety of things.

For SEC laws it's generally considered money. For the Silk Road case Ross Ulbricht was just convicted of ... money laundering which specifically requires a monetary instrument (his lawyer lost the argument that bitcoin is not money).

Basically the courts have all held that bitcoin is money when it comes to criminal acts that otherwise require money. The IRS considers it money if a merchant sells goods in it but a commodity other times. The IRS is the weirdo and has rules that are highly situational dependent on how they view bitcoin.
keepinquiet (OP)
February 08, 2015, 02:33:11 PM
 #44

Lot of posts overnight so going to try and respond here all in one message.

Disclaimer: 999dice is a scam, fuck them.

You managed to lose 200btc on a shady site that was widely regarded as a scam. You did not due diligence before you went on your degenerated streak (not a gambler). You are a fucking idiot.

Thanks for your input. However, I argue that it is "widely regarded" as a scam. There are 2 threads here about it (three maybe) and not a single one has any proof, or even anything approaching proof. In fact, one of the threads is started by someone who poorly photoshopped "proof". There will always be the sore losers who rant they were scammed. I'm providing strong circumstantial evidence that it's true, or, at least that it's a very real possibility that it's true.


OP if you seriously picked the most shady of the dice websites to bet tens of thousands volume of bitcoins, that was well deserved. For someone that lost ~200 Bitcoin though, posting on a forum doesn't seem like the most appropriate action. I refuse to believe this.

What do you suggest is the most appropriate action then? Law enforcement who doesn't care? Hire a hitman? Fly out to CA and accuse some random person that someone thinks might be him, and what...? Waterboard them until they admit it? What would be a better course of action, aside from getting the word out?

And if you refuse to believe it, for your sake, I hope you don't gamble there.


pawel7777
February 08, 2015, 02:33:49 PM
 #45


There's some news coverage of this thread:

http://newsbtc.com/2015/02/08/bitcoin-gambling-website-scam-nearly-exposed/

Quote
An anonymous Bitcoin user recently exposed a bitcoin gambling website scam after finding empirical evidence against their bet verification system.

According to a BitcoinTalk newbie ‘keepinquiet’, the scam lies in the methods through which cryptocurrency-based gambling website 999dice.com verifies users’ server hash. Unlike other, rather genuine gambling portals, the aforesaid organization makes users click a button in order to verify each bet. Without clicking that button, users have no option to legitimize their bets. At 999dice, you literally have to click the ‘Show Server Seed Hash’ button to see new hash with every bet.



keepinquiet (OP)
February 08, 2015, 02:56:49 PM
 #46

If the OP is correct in his assertion (correlation != causation and all that) this means either they broke sha256 (or do they use 512?  I forget) or they are just brute forcing a loss.  It is highly unlikely that they broke SHA256 or 512.  Therefore they would have to use the wager size tracking and brute force a loss when they decide they want a losing wager.

If they are brute forcing a loss then the response times from the server for larger wager losing bets would vary because it would have to do more operations to return the response.

Well of course they didn't break SHA256/512. If they did they wouldn't be running a scam dice site, they'd just empty any bitcoin address that exists any time they wanted some bitcoin.

As for the server times varying, "brute forcing" the seed would take no time at all. I'm going to simplify their process, because theirs involves double hashing, then reading the first 3 bytes, converting it to an integer, checking its value, then using just the last 6 digits. Too much work for a forum example.

So for my example of how "hard" it is to brute force a sha256 seed to make you lose a roll, our bitcointalk-dice site will generate your roll by double sha256'ing the seed. The client seed and nonce are irrelevant for this example, since they wouldn't change. After it's double sha'ed, we will use the first four numbers that appear to get your roll, and divide by 100, so you'll get 00.00-99.99. Also, for brevity, the server seeds will just be random words I feel like picking instead of 32 character strings that clutter up the screen.

So, you're betting 50/50, on low. Server seed is 'ripoff'. Double sha256 the word ripoff (as a string) and you get:
d7ec963e8d5eb5bd118fa809c05abc56d47f77a1a4d421db180b3bf4add8ed80

First four numbers are 7963 so your roll is 79.63. You lose.

Next roll your seed is 'theft'. Result:
30d5dd57f28d02756aa06a71d40b4f300241e5c8323ffb596f9609d630decf5f

First four are 3055 so your roll is 30.55. You win. Ok, now the server thinks you're winning too much, time for you to start losing.

Next seed is 'scam':
92eeea29311e699e209c3127d18f13e7711c1ff903162e4bbe5ab551429ed737

92.29 - a loss. Luck was on our side this time. Let's take back some of those "winnings" we let you have.

Next seed is 'arrogant':
b13e51f886ed5ca336191d8e65fd2f6c0adf43c379af0d60215c8623008ffb89

13.51 - a win... but we want you to lose, and you didn't save the hash for 'arrogant' so let's change the seed to, new random word, 'cheat':
b2a1f658776f82f8e7fb704b3a060773bc24423dc6d0298da55eeea0eb31224d

21.65, damn, ok, try again, 'liar':
6429f62ea32edf61a0d684c5c5be80d71c82385fdaa0eae88aa1a9acc4a3a833

There we go, 64.29, you lose, sorry man. The seed was 'liar', you can be sure we didn't cheat by making sure it hashes out correctly, and you can validate we didn't change the seed by checking the hash we provided before you made the bet.

Oh, you didn't click the button? Sorry. Guess you just gotta trust us.

My point being, 'brute forcing' a sha256/512 to get a random dice number you want is simple. The odds of them finding one that works for them is exactly the same as your chance to lose. It might take 15-20 tries to find a losing hash if you're betting 95% wins, but that would take a server microseconds, tops. You'd never notice it. The TCP overhead and standard traffic time is millions of times faster than the time it'd take to hash it out.

On my mid to high end server I ran those hashes on, I just took the microtime, double hashed a random number 300 times, then checked how long it took.

.000703811 seconds.

.7 milliseconds.

My desktop pings to 999dice.com are about 170milliseconds.

In the time it takes an ICMP packet to hit 999dice and come back, they could have hashed over 72,857 guesses.

It's not hard, and if using timestamps as your basis, it's completely undetectable.

Even worse - if you never change your client seed (something I always did on every roll when using the API), they can save hashes in advance. Need the roll to be 98.55? Pull saved entry number 13,872, that one was 98.55.
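Added example, not part of keepinquiet's post and not 999dice's code: the toy "first four digits" scheme from the post above, plus the check a player can run only when the seed hash was recorded before the bet. It goes slightly beyond the post by mixing in a client seed and nonce; the `:` join, hashing the hex text on the second SHA-256 pass, all function names and the `constructed-*` seeds are assumptions made for this sketch.

```python
import hashlib
import re


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def roll_from_digest(digest_hex: str) -> float:
    """The post's rule: first four decimal digits in the hex digest, divided by 100."""
    digits = re.findall(r"[0-9]", digest_hex)[:4]
    if len(digits) < 4:
        raise ValueError("digest has fewer than four decimal digits")
    return int("".join(digits)) / 100


def roll(server_seed: str, client_seed: str, nonce: int) -> float:
    # Assumption: inputs are joined with ':' and the second SHA-256 pass
    # hashes the hex text of the first. The post specifies neither.
    inner = sha256_hex(f"{server_seed}:{client_seed}:{nonce}")
    return roll_from_digest(sha256_hex(inner))


def commit(server_seed: str) -> str:
    """The 'server seed hash' a site should show BEFORE the bet is placed."""
    return sha256_hex(server_seed)


def simulate_seed_swap(client_seed: str, nonce: int, win_below: float):
    """Model of the behaviour the post describes: after the bet, keep drawing
    seeds until the player's roll is a loss. Returns (seed, attempts)."""
    attempts = 0
    while True:
        seed = f"constructed-seed-{attempts}"  # constructed sample seeds
        attempts += 1
        if roll(seed, client_seed, nonce) >= win_below:
            return seed, attempts


def audit_bet(recorded_commitment, revealed_seed, client_seed, nonce, claimed_roll):
    """Player-side check once the server reveals its seed."""
    if roll(revealed_seed, client_seed, nonce) != claimed_roll:
        return "roll-mismatch"
    if recorded_commitment is None:
        # The roll "hashes out", but nothing ties the seed to the pre-bet state.
        return "unverifiable"
    if commit(revealed_seed) != recorded_commitment:
        return "seed-swapped"
    return "ok"


def demo() -> dict:
    client_seed, nonce = "constructed-client-seed", 1
    win_below = 95.00                      # player wins on rolls below 95.00
    promised_seed = "constructed-seed-promised"
    commitment = commit(promised_seed)     # what the player should see up front

    swapped_seed, attempts = simulate_seed_swap(client_seed, nonce, win_below)
    claimed = roll(swapped_seed, client_seed, nonce)
    honest = roll(promised_seed, client_seed, nonce)
    return {
        "attempts": attempts,
        "claimed_roll": claimed,
        "without_commitment": audit_bet(None, swapped_seed, client_seed, nonce, claimed),
        "with_commitment": audit_bet(commitment, swapped_seed, client_seed, nonce, claimed),
        "honest": audit_bet(commitment, promised_seed, client_seed, nonce, honest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The swapped seed passes the roll recomputation in both cases; only the run with a commitment recorded before the bet reports the swap.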
el kaka22
February 08, 2015, 03:14:49 PM
 #47

it is funny
i think most people has know that it is a scam site
but why do people still play there
perhaps because of them still make a profit every day (smart player)
some are a playing with dumb and lost "a lot" and finally put hate to admin there .dont know

trixter
February 08, 2015, 03:38:19 PM
 #48

As for the server times varying, "brute forcing" the seed would take no time at all. I'm going to simplify their process, because theirs involves double hashing, then reading the first 3 bytes, converting it to an integer, checking its value, then using just the last 6 digits. Too much work for a forum example.

Based entirely on your response it appears that the URLs I posted were too technical to be understood properly. Maybe this URL will be better for you to understand.
Knowledge is power. http://en.wikipedia.org/wiki/Timing_attack

Brute forcing the seed would take > 0 time units or > "no time at all". It would be detectable and then could provide the basis of proof of your theory. I encourage reading the original URLs I posted, they really do contain useful information relevant to proving your theory. You do want to prove it right? This thread is not just a rant session and no proof will be sought?

I took the liberty of confirming that tcp timestamps are enabled and properly passed from their server.

Quote
.7 milliseconds.

My desktop pings to 999dice.com are about 170milliseconds.

Excellent you are on your way.  Keep up the good work.

Your ping time however is irrelevant. There are multiple reasons for this but from a basic network perspective ICMP is often given a lower priority on the various networks that comprise the internet and as such is not as reliable.

What you are after is how long the userspace application processes various tasks.  So even if ICMP was treated equally on the network you would only be measuring the kernel time to process and respond which is not very useful.


Quote
In the time it takes a ICMP packet to hit 999dice and come back, they could have hashed over 72,857 guesses.
True, but TCP timestamps do not use ICMP. Fortunately the two protocols are completely separate and they must have the result before they send the TCP response back. This means that you can measure the time it takes to process A vs processing B. That variance can lead to actual proof as opposed to something else. Note that you must statistically differentiate between a regular loss and what you claim to be a cheat loss (if that even happens which based on the post I am responding to I doubt more than ever).

Keep up the good work, you are well on your way to understanding this and how you can prove your theory.  If you need any more help understanding basic networking or basic security let me know and I can fill in the missing pieces.  Side channel attacks are really not that difficult once you understand the basic concepts that go into them.  I encourage you to go forth and learn a little bit about basic networking and software development.  Based on the content of your post I can only come to the conclusion that there is much to be learned about that.

It's all about knowing how long the server does a specific task and when a task takes longer than normal you know something else is going on - you just don't always know what so you have to get quite a few samples. Use the faucet, it's free.

zanza
February 08, 2015, 04:17:49 PM
 #49

so you are using evidence that the site is a scam that
1) you lost money there
2) its possible they may be using fake seeds

Doesn't seem conclusive, no need to dox anyone, just move on to another gambling site and give a fair warning to others that the site may not be honest.

You have 0 evidence really that they did steal, so your title seems pretty over the top. 
keepinquiet (OP)
February 08, 2015, 05:03:55 PM
 #50

it is funny
i think most people has know that it is a scam site
but why do people still play there
perhaps because of them still make a profit every day (smart player)
some are a playing with dumb and lost "a lot" and finally put hate to admin there .dont know


Or you can actually think for yourself and look at and analyze how the site works. Blatantly trusting "the admin" is a recipe for disaster. *I* trusted the site because it's very well done and LOOKS legit. You can even verify bets. That's the beauty of it.

And those making profit every day... how much? The smart players making profit every day, how much profit are they making?

Because I saw a lot of that chat room scroll by during my time there using the web interface. And the vast majority was people looking for people to "invest" and others happily investing. Also a lot of people bragging about their balances of .00048172 BTC.

There's a feature I was unaware of that will spam your larger bets to the chat room. The first time I ever asked a question in there, I was praised as a god as people saw my 1.5 BTC bets that won 4.5 BTC (33% odds). I was then also inundated by requests to invest in them. I also learned that "investing" was trusting some other rube who has no better odds than you do, to bet your money for you. That was a sobering moment.

Anyone who is betting there and making any profit at all that is worth mentioning is doing it quietly and not advertising it. And I guarantee you they aren't bragging about it in the chat room for you or anyone else to know.

That being said, I seriously doubt ANYONE is actually profiting for real there.

And a quick side note: I'm pissed I was scammed out of the BTC from a site that goes above and beyond to APPEAR to be legit, however, even more infuriating is the site stealing from the tons of people in the chat room who likely can't AFFORD to be losing money there.

People who have money to gamble aren't begging for tips and begging for investors just so they can give it "just one more shot!"

Those are the people who can't afford it. And those are the ones who are being hurt infinitely more than I was. And THAT makes me angry as hell.
keepinquiet (OP)
February 08, 2015, 05:18:02 PM
 #51

As for the server times varying, "brute forcing" the seed would take no time at all. I'm going to simplify their process, because theirs involves double hashing, then reading the first 3 bytes, converting it to an integer, checking its value, then using just the last 6 digits. Too much work for a forum example.

Based entirely on your response it appears that the URLs I posted were too technical to be understood properly. Maybe this URL will be better for you to understand.
Knowledge is power. http://en.wikipedia.org/wiki/Timing_attack

Haven't read it yet, will later, maybe I don't fully understand. I do know that ICMP is slower. But my point is that if I can do 300 hashes in .7 milliseconds, the "hardest" to brute force bet is a 95% win, in which case you will need, on average, 11 hashes to force. In extreme cases, it will take 350+ or so (the largest number of "losses" in a row I saw for 5% bets, which is obviously not the maximum, but in 100,000,000 runs, a 95% chance roll happened 349 times once or twice), which is why I chose to hash 300 and time that.

And on a web server that appears to be hosted in Germany, with random amounts of internet traffic, unknown amounts of server load, unknown amounts of user load on the site, you'd be hard pressed to notice a delay which could be anywhere between .002ms and 10ms, and attribute it to brute forcing a new hash. I haven't checked on tcp timestamps, but are they accurate to the .000001th of a second?

And that being said, it's the easiest thing to defend against. All he needs to do is read this thread, see someone might try that, and simply add a usleep(mt_rand(100, 100000)); to the 'check if the bet won and maybe rehash it' function. (Assuming he's using PHP, which he isn't, because his site is done in windows for some bizarre reason).

How do you analyze the tcp timestamps when the server is adding random amounts of delay to every request. Delays so small no one would ever notice the site is running slower, but large enough to completely ruin any testing where you're trying to sense the difference between .002ms and .004ms?
keepinquiet (OP)
February 08, 2015, 05:48:38 PM
 #52

so you are using evidence that the site is a scam that
1) you lost money there
2) its possible they may be using fake seeds

Doesn't seem conclusive, no need to dox anyone, just move on to another gambling site and give a fair warning to others that the site may not be honest.

You have 0 evidence really that they did steal, so your title seems pretty over the top. 

Which is exactly why the title said "and exactly why you won't believe me".

The best scams are the ones that convinced the scammed that they aren't being scammed, and recruit them to defend the scammer. Cults have done this for a long time. It's nothing new.

You say it's possible they are using fake seeds. Almost all betting sites MAY be using fake seeds. Almost none of them force you to set your own client seed. They pick it for you. When they do that, they can make your results whatever they want them to be. They all MAY be doing it.

I say it's very probable that 999dice is doing it, precisely because the site is designed in such a way that you must inform the site if you are going to validate a bet, before you can write down the hash to validate it.

If the cops call the drug dealer 30 minutes before they are busting the door in, do you think the cops will ever find drugs there?

If there were some weird law that FORCED cops to notify criminals they were coming 30 minutes in advance, do you think the fact the cops NEVER found and arrested anyone is proof that there are no criminals?

Or is it more likely they are just ditching the place before the cops get there?
keepinquiet (OP)
February 08, 2015, 06:00:47 PM
 #53

Try playing on www.crypto-games.net
Our system is 100% fair. There is no way for us to cheat, you can check seeds of every bet made in past!  Smiley

Joter - a suggestion? Your site is very much like 999dice. You need to click something and send uniquely identifiable information to the server to see the hash before the roll is made.

It's impossible for "not me*" to see the hash before the bet without telling the server "Hey, I'd like to see the hash for my next bet plz, I'll be watching."

It's the same thing 999dice does.

Reason I think, in your case, is it's an oversight, is that it would take balls of steel to post an ad for your site in my thread, pointing it out to a guy who did extreme technical analysis of a betting site, and think I wouldn't notice.

Want to bring your site fully into "there's no way we are cheating you" land? Put the hash on the betting page. SHOW ME the hash ALL the time. Don't make me tell you I'm looking.

I'll tell you what though, applause for having the client seed being generated client side via JavaScript when you click the randomize button. I was afraid it was coming from the server, but poking into the source briefly, it does appear to be client side.

* By "not me" I mean I have to be logged in/have my cookie sent to the server to see the seed. It's impossible to load the seed without telling the server I'm looking at it. Since the seeds are individual per user and not static for the site for the day, I have to identify myself to see the seed, thus leaving room for the possibility of cheating.
busterroni
February 08, 2015, 08:20:51 PM
 #54

This is a great, well-written post. If the site turns out to be a scam (which seems likely), I hope justice is served to whomever is running it. Great job keepinquiet and I hope you get your btc back.
Belkaar
February 08, 2015, 09:35:39 PM
 #55

Why not create a proxy website that allows users to have every bet verified?

trixter
February 08, 2015, 11:37:26 PM
 #56

Haven't read it yet, will later, maybe I don't fully understand. I do know that ICMP is slower. But my point is that if I can do 300 hashes in .7 milliseconds, the "hardest" to brute force bet is a 95% win, in which case you will need, on average, 11 hashes to force. In extreme cases, it will take 350+ or so (the largest number of "losses" in a row I saw for 5% bets, which is obviously not the maximum, but in 100,000,000 runs, a 95% chance roll happened 349 times once or twice), which is why I chose to hash 300 and time that.

What about autobets where you have to iterate through several just to see if that one is the way you want? E.g. it works like a multiplier?
What about the load of doing this to everyone as is implied? Presumably they are not just screwing you over (if they are doing it at all).

Hundreds of bets per second, maybe thousands with some doing autobetting (there are several userscripts to do that) plus the load of the web server, MSSQL server, etc. It is a one box show apparently. It's also running on Windows 2008 which depending on who you talk to is better in terms of performance than Windows 8 server.

The contention rate that would exist is actually quite high, if what you propose is going on. It would be extremely noticeable if all that was going on. However even with that timestamps have been used to fingerprint the clock skew of a specific system even if it physically moves networks, or hides behind TOR hidden services. There are methods that have some pretty fine accuracy. Read the footnotes of the papers I provided as well, that will give you 10 or so other papers you can read on the subject. The Pearson book I listed is partially available on Google Books so partially free to read (I only found it because I was searching for who cited my paper, they misspelled my name which makes me think there are no fact checkers on it so it may not be worth buying - I read nothing other than the footnote so I dunno its overall quality).


Quote
And on a web server that appears to be hosted in Germany, with random amounts of internet traffic, unknown amounts of server load, unknown amounts of user load on the site, you'd be hard pressed to notice a delay which could be anywhere between .002ms and 10ms, and attribute it to brute forcing a new hash. I haven't checked on tcp timestamps, but are they accurate to the .000001th of a second?

You really should read the one about guessing valid usernames. In that one using tcp timestamps they were able to tell if a username was valid because it would return faster by not comparing the password and doing the single hash on the supplied password. That is just one hash, on a server far away, with other things going on.

It would at least let you confirm the theory if it's really happening.
nyktalgia
February 08, 2015, 11:53:33 PM
 #57

I have lost over 5 btc to 999dice. It definitely seems like a scam in the way that if you need a crucial win to recover it will roll the opposite side or just out of range conveniently. Even after an improbable loss streak.

This was after I reached max payout on 250+ losses. I tried to recover at maxpayout and lost another 830k doge after losing 400k doge. I knew I shouldn't have chased this loss but it just seems a bit ridiculous.

http://prntscr.com/62shxu

el kaka22
February 08, 2015, 11:54:18 PM
 #58


Or you can actually think for yourself and look at and analyze how the site works. Blatantly trusting "the admin" is a recipe for disaster. *I* trusted the site because it's very well done and LOOKS legit. You can even verify bets. That's the beauty of it.

And those making profit every day... how much? The smart players making profit every day, how much profit are they making?

Because I saw a lot of that chat room scroll by during my time there using the web interface. And the vast majority was people looking for people to "invest" and others happily investing. Also a lot of people bragging about their balances of .00048172 BTC.

There's a feature I was unaware of that will spam your larger bets to the chat room. The first time I ever asked a question in there, I was praised as a god as people saw my 1.5 BTC bets that won 4.5 BTC (33% odds). I was then also inundated by requests to invest in them. I also learned that "investing" was trusting some other rube who has no better odds than you do, to bet your money for you. That was a sobering moment.

Anyone who is betting there and making any profit at all that is worth mentioning is doing it quietly and not advertising it. And I guarantee you they aren't bragging about it in the chat room for you or anyone else to know.

That being said, I seriously doubt ANYONE is actually profiting for real there.

And a quick side note: I'm pissed I was scammed out of the BTC from a site that goes above and beyond to APPEAR to be legit, however, even more infuriating is the site stealing from the tons of people in the chat room who likely can't AFFORD to be losing money there.

People who have money to gamble aren't begging for tips and begging for investors just so they can give it "just one more shot!"

Those are the people who can't afford it. And those are the ones who are being hurt infinitely more than I was. And THAT makes me angry as hell.
ohh man, honestly i do not understand with things like that,
make it simple
you have 2 BTC and wants 5% profit from 2btc (0.1 BTC (cmiiw)) every day there
trust me, it is very easy
but most people (including me) when got a win they want more and more

been long time i realized. we can not win continuously because the system will change
we should to fooling the system

trixter
Member
**
Offline Offline

Activity: 114
Merit: 10


View Profile
February 09, 2015, 12:26:41 AM
 #59

I have lost over 5 BTC to 999dice. It definitely seems like a scam in the way that if you need a crucial win to recover it will roll the opposite side or just out of range conveniently. Even after an improbable loss streak.

I think their RNG is flawed based on some analysis. Not horribly so but enough that you do not get an even distribution of numbers. If I had to guess I would guess they use SQL Server as their entropy source. rand() gets its seed in part from time() which does not have sufficient entropy to create an even distribution over time.

They also appear to have a flawed method of using the server seed.

Server Seed: 035a30aeb639002a3bf131ada765b18840bf4c8e5912ff7f2efe6e6993e949e2
Server Seed Hash: 88f41de51f58329026807b0a1464a6264052fe074e30274472fb63abed77915a

Yet in the code examples we see
@serverSeed binary(32),

If you will notice the server seed is larger than the space allotted for it in the first code example. Because of the abstract types in the 2nd C# example this does not appear to be an issue. The site however claims the first example is the actual code they use on the site. They verify it all through MSSQL. This would imply that either that is no longer the validation code or they are truncating the seed.
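The seed-size question raised in the post above can be checked directly, since two hex characters encode one byte. This is an added example, not code from 999dice or from the poster; SHA-256 is an assumption based only on the 64-hex-digit length of the published hash, and the function names are hypothetical.

```python
import hashlib

# Values copied from the post above.
SERVER_SEED_HEX = "035a30aeb639002a3bf131ada765b18840bf4c8e5912ff7f2efe6e6993e949e2"
SERVER_SEED_HASH_HEX = "88f41de51f58329026807b0a1464a6264052fe074e30274472fb63abed77915a"


def seed_byte_length(seed_hex: str) -> int:
    """Length of the seed once the hex text is decoded to raw bytes."""
    return len(bytes.fromhex(seed_hex))


def fits_binary_column(seed_hex: str, column_bytes: int = 32) -> bool:
    """True if the decoded seed fits a binary(column_bytes) parameter untruncated."""
    return seed_byte_length(seed_hex) <= column_bytes


def matching_commitment(seed_hex: str, hash_hex: str):
    """Return the label of the first candidate input whose SHA-256 equals
    hash_hex, or None. The candidates are assumptions about how a site
    might hash its seed; the page does not document the construction."""
    raw = bytes.fromhex(seed_hex)
    candidates = [
        ("sha256(raw bytes)", raw),
        ("sha256(lowercase hex text)", seed_hex.lower().encode("ascii")),
        ("sha256(uppercase hex text)", seed_hex.upper().encode("ascii")),
        # What the hex *text* would look like if cut to 32 characters.
        ("sha256(first 32 hex characters)", seed_hex[:32].encode("ascii")),
    ]
    for label, data in candidates:
        if hashlib.sha256(data).hexdigest() == hash_hex.lower():
            return label
    return None


if __name__ == "__main__":
    print("decoded seed length:", seed_byte_length(SERVER_SEED_HEX), "bytes")
    print("fits binary(32):", fits_binary_column(SERVER_SEED_HEX))
    print("hash matches:", matching_commitment(SERVER_SEED_HEX, SERVER_SEED_HASH_HEX))
```

A match on the truncated-text candidate would indicate the seed is being cut before hashing; a match on the raw-bytes candidate would indicate the full 32-byte value is used.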
pozmu
Hero Member
*****
Offline Offline

Activity: 770
Merit: 504


(っ◔◡◔)っ🍪


View Profile
February 09, 2015, 12:30:50 AM
 #60

As for understanding having to click the button 'to start' - why? Why be forced to inform the server you're watching at all? Most betting sites publish the hash on a static page anyone can see.

If you publish the hash on a standalone page, you could read the hash on your phone, not logged in, then bet from your PC, and the server would NEVER know you checked the hash. Giving them absolutely no opportunity to cheat, because anyone, at any time, can check.

Putting the hash on a "static", standalone page would mean they use the same seed for every player and disclose it every day/hour etc.
999dice generates a new seed every roll, so I can understand how it may require pushing the button to generate/show the hash. As you said, even when using the API you have to use a separate call to get the server's seed hash. The reason behind that may be the fact that normally all the "magic" happens in one function that takes care of generating the server seed, mixing it with the client seed and calculating the result. The separate function that pre-generates the server seed is not run unless you explicitly ask for it. Such a construction simplifies the process, as they don't have to store a pre-generated server seed anywhere - it's generated on the fly during the bet. Yes, it does make changing the client seed somehow useless, as without knowing the server seed hash we still have to trust the casino operator, but hey - 99% of users trust the casino and the remaining 1% can click the button - maybe there are some savings in processing speed that make this complication worthwhile.
Quote
And as for the bet verifier - absolutely. The problem is, you gotta click that button. Which tells them you're verifying. Which means it will never not verify.

Best case scenario, if everyone starts verifying, they can't cheat.

Hmm. Maybe tonight I'll write a javascript plugin for 999dice that clicks the hash button automatically after every bet processes. Enough people start doing that, and I bet we see the .1% house edge increase within a few weeks.

Exactly.
That would get rid of all uncertainty.

There is a million scams out there, it's the godforsaken wild west, sometimes there's a faster gunslinger or a band of manure thieves prowling about??

Sorry for your loss

I would though like a copy of this script (or system) that made you the 60 bitcoins in 14 hours. Why not use it en masse and put a beating on the website. I'm sure many here would be happy to help with the project Wink

The admin threatening to confiscate any deposits I make is a good reason to not do that.

As far as a copy of it, won't do you much good unless you've got 50 BTC to deposit and can stomach risking the loss of it. It's not foolproof by any means. Anyone who tells you their system IS, is lying to you.

I also wanted to ask you for a copy of your script.
No, I don't have 50btc but I'm sure it could be used with smaller sum of btc/doges too  Cool

It is funny.
I think most people know that it is a scam site,
but why do people still play there?
Perhaps because some of them still make a profit every day (smart players).
Some are playing dumb and lost "a lot" and finally put hate on the admin there. Don't know.


People play there because they have 0.1% house edge.
Plus they have server-side autobet meaning you can do 200 martingales in one go.
Don't get me wrong, I see sarcasm in your post  Tongue

Why not create a proxy website that allows users to have every bet verified?

Every bot should have built in bet verifier.
I can't remember if the one available @ 999dice has this option... Even if it does, you would have to build it from the source (and read the source first).
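A built-in bet verifier of the kind discussed in this post only proves something when the seed hash was recorded before the bet was placed. The sketch below is an added example, not 999dice's code or any bot's; the roll derivation (HMAC-SHA512 reduced to 0..999999), the record fields and the sample bets are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac


def commitment(server_seed: bytes) -> str:
    """Hash the server publishes before the bet (SHA-256 assumed)."""
    return hashlib.sha256(server_seed).hexdigest()


def derive_roll(server_seed: bytes, client_seed: bytes) -> int:
    """Hypothetical roll derivation, NOT the site's real algorithm."""
    digest = hmac.new(server_seed, client_seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:8], "big") % 1_000_000


def audit_bet(bet: dict) -> str:
    """Classify one bet record kept by the client."""
    seed = bytes.fromhex(bet["revealed_seed"])
    if bet["hash_before_bet"] is None:
        # Nothing was committed in advance, so any seed could be revealed.
        return "unverifiable"
    if not hmac.compare_digest(commitment(seed), bet["hash_before_bet"]):
        return "seed-mismatch"
    if derive_roll(seed, bet["client_seed"].encode()) != bet["reported_roll"]:
        return "roll-mismatch"
    return "verified"


def constructed_bets() -> list:
    """Four constructed records: honest, no prior hash, swapped seed, altered roll."""
    seed_a = hashlib.sha256(b"constructed seed A").digest()
    seed_b = hashlib.sha256(b"constructed seed B").digest()
    cs = "my-client-seed"
    roll_a = derive_roll(seed_a, cs.encode())
    roll_b = derive_roll(seed_b, cs.encode())
    base = {"client_seed": cs, "revealed_seed": seed_a.hex(),
            "hash_before_bet": commitment(seed_a), "reported_roll": roll_a}
    return [
        dict(base),
        dict(base, hash_before_bet=None),
        dict(base, revealed_seed=seed_b.hex(), reported_roll=roll_b),
        dict(base, reported_roll=(roll_a + 1) % 1_000_000),
    ]


def audit_all(bets: list) -> list:
    return [audit_bet(b) for b in bets]


if __name__ == "__main__":
    for status in audit_all(constructed_bets()):
        print(status)
```

The second record is internally consistent yet still reported as unverifiable, which is the case the thread is arguing about: a bet made without a previously recorded hash rests on trust in the operator.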
