Re: OFFICIAL DICEBITCO.IN ANNOUNCEMENT ABOUT THE SKIPPED NONCES INCIDENT
by grux on 20/09/2014, 18:27:05 UTC
In around 24hrs after the incident, the bankroll shrank from 7500 coins to ~1700. Then, we had one user, mateo, who was hitting the bankroll non-stop for almost 12hrs more, eating almost 600 BTC of profit (the site was ~288 BTC in profit prior to the 7th of September and around -320 BTC when mateo stopped playing). A lot of speculation exists around that user as well, so please allow me to elaborate. User mateo was registered on 2014-08-06 18:22:05 and before the incident of the 7th of September was -33 BTC in total. On the date he registered, the other developer was not hired yet, so it is impossible that it was him. The new hire had no access to the database (or to the production server), which means that it is impossible for him to know other users' seeds. On top of that, mateo did randomize his rolls before he went on with his crazy streak (my guess would be to verify whether he got affected by the malicious code - btw, he was not affected). Given all those facts, there is 0% chance it could be someone that knew the server seed and played against it. When he asked for a withdrawal once done, we were left astonished by that run (like we didn't have enough shit to deal with already). We postponed his withdrawal for several hours. We went through his rolls again and again; we searched every possible way of "cheating". Everything was legit, so we paid him out.

If he didn't have access to the production/database servers, but could upload code himself unchecked, what makes you guys think he wouldn't add a query or even a URL that reveals the auth details or seeds to himself?

I imagine anyone with access and ability to upload unchecked code can do the following:
  • Read out the authentication details used to connect to the database/wallet
  • Run a query to look up seeds
  • Intercept passwords before they are hashed and checked against database
  • Forge tokens/cookies and log into another user's account
  • Change/delete entire tables of the database
  • Increase or decrease balances of any user

Why are you guys even assuming that seeds, passwords, and server are safe? Isn't it time for a full system seed and password change?

Are you guys just making up this whole "employee" story? Are you guys this inexperienced?