TechEcho
How Primedice was exploited for $1M in Bitcoin

85 points by jbardnz, almost 10 years ago

15 comments

jstanley, almost 10 years ago
I don't think he did much wrong here. It doesn't appear that he actually broke in to your computers, he just submitted lots of bets.

If you're going to run a casino (whose entire business model is based on exploiting weaknesses of others for profit), don't be surprised if people try to exploit your weaknesses for profit.

I'm not saying there's anything wrong with running a casino, I think it is fine. I just think that what he did is fine too.

EDIT: Except the part where you apparently didn't pay out all of his winnings. I'm not fine with that part. Also doxing one of your customers just because he made a profit out of you.
Comment #9799435 not loaded
Comment #9799399 not loaded
Comment #9799604 not loaded
Comment #9800528 not loaded
Comment #9799238 not loaded
genericuser, almost 10 years ago
"To understand how Hufflepuff beat our system, one must understand how our provably fair system (RNG) works."

"Our database had seeds that were both inactive and in use at the same time all connected to Hufflepuff."

To me it sounds like your company simply didn't understand how the system you created worked; it sounds like you merely understood how you wished it to work. Gambling has always favored people who actually understand the system in place. By not understanding the system you yourselves were implementing, you created the opportunity for a customer to understand it better than you. What you describe with your database having seeds that were both in use and inactive at the same time sounds to me like you did not do a good job managing concurrency on records which were crucial to your business.

While I cannot say whether the users did anything illegal, the post you have created to call attention to this does not make an adequate case for wrongdoing on the user's part. However, your response does make an amazing case for you having responded to an implementation issue in your software very poorly, and I think would make future users who are aware of this less likely to use your service.

That is just my opinion given the information you have presented, as you seem to focus more on maliciously providing information about the person you are accusing as opposed to proving your accusation that the person in question committed a crime while doing so.
Comment #9799616 not loaded
imaginenore, almost 10 years ago
> and time again to investigate and each time our developers could not find any wrong-doing.

> ...

> This was done by sending it more requests than it could handle in a small time period, think hundreds of requests in under a second

Sounds like your developers really messed up. The server logs would be the #1 place I would look. Where else, really? How do you not notice hundreds of requests per second (from the same IP, I assume)?
Comment #9799857 not loaded
Comment #9801462 not loaded
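A minimal version of the log check imaginenore describes, added here as an example and not part of the thread or of Primedice's code: a per-IP sliding window over constructed access-log lines flags any client whose request rate no human punter would produce. The log format, the IP addresses and the threshold of 10 requests per second are assumptions for illustration.

```python
"""Sliding-window request-rate detector over constructed access-log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Primedice data). Format per line:
# "<ISO-8601 timestamp> <client ip> <method> <path>"
_BASE = datetime(2015, 6, 28, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    # one client fires 12 bets 20 ms apart: a burst no human punter produces
    [f"{(_BASE + timedelta(milliseconds=20 * i)).isoformat(timespec='milliseconds')} "
     f"203.0.113.5 POST /api/bet" for i in range(12)]
    # another client places one bet every 1.5 s, roughly human pace
    + [f"{(_BASE + timedelta(milliseconds=1500 * i)).isoformat(timespec='milliseconds')} "
       f"198.51.100.7 POST /api/bet" for i in range(4)]
)


def parse_line(line):
    """Return (timestamp, ip) for one log line; method and path are ignored here."""
    ts, ip, _method, _path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip


def burst_report(log_text, window=timedelta(seconds=1), threshold=10):
    """Per client IP, the largest number of requests seen inside any sliding
    window of length `window`, plus the sorted list of IPs that reached
    `threshold`. Events are processed in timestamp order so each IP's window
    only ever slides forward.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> max window occupancy observed
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    flagged = sorted(ip for ip, n in peak.items() if n >= threshold)
    return dict(peak), flagged


if __name__ == "__main__":
    peak, flagged = burst_report(SAMPLE_LOG)
    for ip, n in sorted(peak.items()):
        print(f"{ip:15} peak {n:3d} requests in any 1 s window")
    print("flagged:", flagged)
```

In production the same window would run over the live request stream and feed a throttle or a manual-review queue rather than a print statement.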
Lazare, almost 10 years ago
I'm reflexively sympathetic to the small, scrappy startup. But...

...man, this is not a sympathetic story. You're running a gambling site (morally shady and an obvious magnet for abuse), using bitcoins (another huge abuse magnet), you had very suspicious gambling patterns (a massive red flag that no real casino would accept), and you just let the guy keep playing? That's not how you're supposed to do that.

And as for the whole "we had a timing bug in our code, and we couldn't find it even with hard proof that it existed, and then we finally thought we'd fixed it, and then we asked the guy for the million dollars back (??!?), and then it turned out we hadn't fixed it at all, and he hit us up for another few thousand"? Like, that just sounds screamingly amateurish.

If you can't be trusted to write secure code, or at least fix the bugs you find in it, maybe online bitcoin casinos aren't for you? And if you think asking people nicely to give you your money back works in casinos, maybe you don't understand the industry?

Edit: I'm not trying to be a dick, but I feel like the proper blog post to write would be a grovelling "hey guys, I know it's super obvious, but if you're doing an online gambling website, monitor your transactions for specific patterns. Know what a real punter looks like, and aggressively throttle anyone who doesn't behave like one. Otherwise you'll be stupid idiots who lose a million dollars over a stupid bug, and then have to write a magnanimous letter congratulating the guy who exploited you for winning so much money (man, that was painful to write)." You made some huge mistakes, and it doesn't sound like you really learned from them, or even identified them. Hint: your core mistake was not a timing bug that emerged when your system was under heavy load.
justonepost, almost 10 years ago
Lol. They (as any sane casino operator would) should have booted this guy immediately on day 1, claiming they felt he was scamming the system. Sure, pay him out, but don't let him keep betting. Yeesh. I have to wonder if this was an inside job and they let him siphon those winnings. I am highly suspicious of most bitcoin companies, and I wonder if they're all just shells around vulnerabilities looking to siphon user deposits / investments.
Comment #9800159 not loaded
Comment #9800323 not loaded
lcswi, almost 10 years ago
Uh, that post includes some doxxing.

From an observer's view, after fully reading it and seeing how hostile their response is, I can only applaud the player. To me it seems fair game. She exploited a weakness in the game, something that in meatspace is often hailed as genius. In bitcoin online gambling, race conditions are a part of the game that has to be expected to be attacked.

With their doxxing they lost any bit of sympathy I had.
Comment #9800069 not loaded
mmosta, almost 10 years ago
The (costly) lesson learned here doesn't revolve around Primedice's RNG architecture but the strict importance of testing.

We all face pressure to deliver, but at the end of the day - like brakes on a car - testing is one thing you should never cut corners on.

Although another 2 weeks of testing may not have explicitly exposed the vulnerability, it surely would have offered a better baseline from which to evolve better heuristics for the analysis of the exploit when it did occur.
Comment #9798794 not loaded
Comment #9799207 not loaded
Comment #9799898 not loaded
tiatia, almost 10 years ago
"We heavily explored what we thought was every possibility, ran simulations and did the math and came to the conclusion that he was just incredibly lucky." ROTFL
csomar, almost 10 years ago
"Any information that leads to the return of the coins from this incident will be greatly rewarded. We invite you to analyze the above bitcoin addresses and find out where the bulk of the coins ended up if you have the skills."

What does this mean? Are they trying to steal from the thief (according to them)? Shouldn't they inform the local authorities and let them handle the case?
Comment #9800744 not loaded
baakss, almost 10 years ago
Strange choice to put a picture from the Ocean's Eleven series at the top of the article, seeing as how the thieves in those films are considered the protagonists/heroes.

I think a bit more information included with the article to verify this was actually a 'hack' would be helpful. I mean, was this akin to counting cards or what? It's hard to tell from the article.
Comment #9800516 not loaded
junto, almost 10 years ago
> ... did the math and came to the conclusion that he was just incredibly lucky

Woah. Red flag. "Just incredibly lucky" doesn't exist. Odds are odds.
Comment #9800894 not loaded
obstinate, almost 10 years ago
It is really interesting to me how different Bitcoin users' understanding of morality and the typical person's are. To almost any Joe or Jane on the street, exploiting a weakness in someone else's security, be it an unlocked door or an unchecked error code, to acquire money from them without their intent is Wrong. On the other hand, taking retaliatory action, such as providing what detail you can about that person in the service of returning the ill-gotten gains, is right.

Judging by the contents of this thread, the Bitcoin/hacker community feels just the opposite. How odd. I feel like this more than anything will impede the mass adoption of Bitcoin.
Comment #9800353 not loaded
Comment #9800327 not loaded
Comment #9800256 not loaded
pavel_lishin, almost 10 years ago
> Sorry for the long read

Didn't feel long at all; it was concise and had enough detail to satisfy a casual reader (me), with links to more detail if I wanted it.
scintill76, almost 10 years ago
Some pretty hilarious YouTube comments on the linked video[0]: "could you please share your strategy in that video", "Please, Send your method of play and programs for this need". Sorry, but I'm pretty sure nobody's going to share their bot for making 2000 BTC in an hour.

[0] https://www.youtube.com/watch?v=lSLXv5Tz1ZY , linked from "$8000 worth of bitcoin every second for hours on end"
curiously, almost 10 years ago
So bitcoin casinos are legal?