
Week 8 NFL shared fantasy


DONKWOOD    467

hey idiots, how about you draft a quarterback this week that gets positive points? k thanks.

just kidding. great work as usual boys.



BubbaKGB    8

There is no way for the information that this poster saw to result in anything nefarious, it is simply the output from a server that was briefly running in debug mode (instead of just showing you a cookie cutter error page, you get a more detailed description of the error) to help our developers identify an issue. None of this information is of any use to anyone regardless of how much you might know about computers. It is also not an indication of DraftKings as a company as this poster claims. It is simply not possible for someone else to access any of your information with what the poster saw on that page whether it be your financial data, lineups, etc.

I understand many in poker may default to the assumption that they're being lied to or cheated because of how many times that has happened in the past in the poker world and I'm sorry if this poster feels he was blown off by support, we never want any of our customers to feel that way. We definitely apologize if he felt he was being given the runaround in response to this.

Jon, I appreciate your response and the apology, but you are not presenting any facts. You're saying you believe what your guys are telling you enough to post here and stand behind it (which I guess is understandable). However, I continue to believe that you (or they) are wrong. Just because nothing nefarious happened doesn't mean it isn't possible. I'm not saying that DraftKings is trying to do something shady, but I am saying that the mistake is a much bigger deal than you are letting on (or than you are aware of).

1


wab80    39

So far we got

Djg x3 paid ----- still owed 85.42

Vernicle x6 paid ---- still owed 19.95

Jets x2 paid ------ still owed 16.78

Chk x2 paid ----- still owed 16.78

Sponge x4 paid ----- still owed 3.17

PlustotheEV x3 paid ------ still owed 25.17

Kmc x1 paid ----- still owed 8.39

Weeminer x10 paid ----- still owed 83.90

Resilient x1 paid ---- still owed 8.39

Hostile x1 paid ---- still owed 8.39

QW x5 paid

Sgtkyle x1 paid ------ still owed 36

IdareyouAA x2 paid ---- still owed 16.78

Grinchpants x1 paid ---- still owed 8.39

Paki x1 paid ----- still owed 8.39

Donkwood x5 paid

If I missed you let me know. And to anyone that wants to get paid and not roll it over I don't mind sending some out.


Drewch    0

Computer Security expert here.

DraftKings is PCI compliant, which means all of your credit card data, privacy, and anything regarding payments is completely safe from intrusion.

This is both hilarious and naive. You know who else was PCI compliant? Sony. They got exploited and 70 million users' credit card information was stolen. Don't hide behind your certifications, they're just industry BS for non-technical people to say they've done some audits so people can trust them.

There is no way for the information that this poster saw to result in anything nefarious, it is simply the output from a server that was briefly running in debug mode (instead of just showing you a cookie cutter error page, you get a more detailed description of the error) to help our developers identify an issue. None of this information is of any use to anyone regardless of how much you might know about computers.

Please tell me, how much do you know about computers? Running a production server in development mode is a huge security concern. Printing stack traces is for developers to help solve issues while the site is in development, not production. These stack traces are literally a gold mine for crackers, please see here, here, here, here, here, here, here.

It is also not an indication of DraftKings as a company as this poster claims. It is simply not possible for someone else to access any of your information with what the poster saw on that page whether it be your financial data, lineups, etc.

BubbaKGB didn't directly say this error trace lets you access credit cards, he's saying that it's a serious problem for you to display stack traces publicly because it gives so much information about the system. When crackers look for breaking a site, one thing they do is try to break SQL statements or put bad data into forms, in hopes that a stack trace is printed. He never said straight out that this means your credit card info can be stolen or lines can be changed, but pointed out that if the developers are that clueless about running a production site in development mode and displaying stack traces (and then further saying it's no biggie), then you should be cautious about putting money on there.

If you came here and said "Wow, that's really bad, we will immediately rectify the problem and admit that that's very bad security practice", then maybe people would feel comfortable. But the fact that you came in here saying "Oh we fixed it, but it's really not a big deal", then who knows what else is wrong with your site that you "don't think is a big deal."

I understand many in poker may default to the assumption that they're being lied to or cheated because of how many times that has happened in the past in the poker world and I'm sorry if this poster feels he was blown off by support, we never want any of our customers to feel that way. We definitely apologize if he felt he was being given the runaround in response to this.

He was given the runaround on this, you're lucky he followed up and pointed out a major security issue with your system. Most people would just be like "Oh it's a javascript error" as your support staff told him.

I certainly appreciate the importance of customers of online gaming companies paying close attention to things like this and exercising extreme caution, anyone who has known me will attest that in my 8 years playing poker I was always skeptical of operators and demanding of ethical behaviour and open lines of communication from everyone in the industry. I retired from poker and joined DraftKings full time only after becoming convinced that I could help build a company that I was comfortable resting my reputation on. The fact is that DraftKings is a US based, venture backed, and highly ethical company with stringent safeguards in place to protect our players. Your personal information, financial information, and all game and lineup data are completely safe with us.

Again, Sony is/was a publicly traded massive corporation. Justifying your security by saying "We're ethical and venture backed" is laughable. There are tons of venture backed companies that have zero security considerations - I'm glad you have PCI Compliance (you wouldn't be able to run your site without it). But don't say "We're PCI compliant, we'll never get hacked" and then give crackers a goldmine to start building an exploit.


Drewch    0

So if I'm reading this correctly...Bubba, Fatal Error, and Drewch are saying they also like RG3 this week?

It's gunna be a fucking shootout. You really can't go wrong with RG3 this week.


BubbaKGB    8

Computer Security expert here.

Please tell me, how much do you know about computers? Running a production server in development mode is a huge security concern. Printing stack traces is for developers to help solve issues while the site is in development, not production. These stack traces are literally a gold mine for crackers, please see here, here, here, here, here, here, here.

Fwiw, what you see described on this page (one of Drewch's links above) is exactly what happened to me. They were running their production server in debug mode and I got a printed error of their information in response to entering the wrong info somehow.

Cliffs:

Accidental leaking of sensitive information through error messages

Server messages need to be parsed before being passed on to the user.

Consequences

Confidentiality: Often this will either reveal sensitive information which may be used for a later attack or reveal private information stored in the server.

Avoidance and mitigation

Implementation: Any error should be parsed for dangerous revelations.

Build: Debugging information should not make its way into a production release.

Discussion

Once an attack has failed, the first thing an attacker may use to stage the next attack is the error information provided by the server.

SQL Injection attacks generally probe the server for information in order to stage a successful attack.

1


Drewch    0

So should we not play on dk anymore?

I switched to Fanduel. If they would have acknowledged that it was security problem, and fixed it, then I might have stayed. But when I hear stuff such as "Oh it's completely harmless that we printed the stack trace to the consumers", I tend to stay away, far far away. Especially when it comes from top members of their staff - if it started and ended with the support rep, then fine. But what I've seen in this thread - I'm out for good.


danimal703    0

Just a heads up, as of now, there are less than 2K seats left for the $300K on FanDuel. It'll be full by the end of the night, I'm sure. Might want to throw a few entries in there now just to reserve the spots. I just entered it twice with BS lineups that I'll go back and change later just so I could have the spots held.


FatalError    0

So should we not play on dk anymore?

We take security very seriously but the message that BubbaKGB saw is of absolutely no value in and of itself. You are no less safe on DraftKings than you are on any site regardless of that message. We had error messaging temporarily enabled to root out a bug. This is not a security issue.

As far as the insinuation that I'm being lied to or don't understand the topic, I have my bachelor's degree in computer science and was a systems and database administrator prior to my run at poker. Admittedly it has been a long time since I've put that knowledge to work, but I can promise you that I certainly understand what I'm being told by my developers and that they're not "lying" to me or covering anything up.

What's being posted here is copy and pasted stories from other websites describing the hacking or bad design of poorly secured websites and has no more bearing on DraftKings than it does to any other website. There is unfortunately little more I can say here other than to reiterate that the error message has absolutely no value.


BubbaKGB    8

We take security very seriously but the message that BubbaKGB saw is of absolutely no value in and of itself.

You don't need to repeat what I have already said multiple times. Is this really what you want to be claiming? We fucked up, but it's okay because the error we showed you has no value in and of itself (meaning it has no value unless you want to exploit the site). I know that by itself there was no harm. I've said that at least 10 times and am not claiming otherwise.

What's being posted here is copy and pasted stories from other websites describing the hacking or bad design of poorly secured websites and has no more bearing on DraftKings than it does to any other website. There is unfortunately little more I can say here other than to reiterate that the error message has absolutely no value.

No. I copied an example of why the error message I got IS an issue. Everything Drewch said is 100% true and it comes from somebody who I promise has more knowledge than you or your devs. It's pretty simple and I honestly cannot believe you still won't admit how serious it is that I was able to see the error. Still basically shrugging it off as nothing.

1


Drewch    0

We take security very seriously but the message that BubbaKGB saw is of absolutely no value in and of itself. You are no less safe on DraftKings than you are on any site regardless of that message. We had error messaging temporarily enabled to root out a bug. This is not a security issue.

Wait - so to find a bug you enabled stack traces to be printed out client side, rather than just print them into your log file? Or have the log emailed to your developers when the error case hits? What you just said makes ZERO sense, I'm assuming it's coming from you not your developers - there is no way a real developer would say that.

"Oh, to find a bug instead of looking at logs, I displayed the logs to the client."

As far as the insinuation that I'm being lied to or don't understand the topic, I have my bachelor's degree in computer science and was a MS certified systems and database administrator prior to my run at poker. Admittedly it has been a long time since I've put that knowledge to work, but I can promise you that I certainly understand what I'm being told by my developers and that they're not "lying" to me or covering anything up.

I'm not worried about what your developers are telling you, what scares me is management (or whatever you do there), saying that it's not an issue when it is an issue. If you have a CS degree you should know that what you just said about posting logs to the client to find a bug makes zero sense. Yes, you would enable logging, but you would do that through log files, not by showing stack traces to the client.

What's being posted here is copy and pasted stories from other websites describing the hacking or bad design of poorly secured websites and has no more bearing on DraftKings than it does to any other website. There is unfortunately little more I can say here other than to reiterate that the error message has absolutely no value.

I didn't copy paste anything, I just took a few articles that talked about why stack traces are a typical starting point for crackers trying to break into a site so people could understand what I'm saying and why it's a huge problem.
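The policy argued about in this post and in BubbaKGB's "Cliffs" list above (debug off in production, full trace to the server log, only a generic message plus a reference id to the client), written out as an added Python example. It is not code from this thread or from DraftKings; the marker list, environment variable names and function names are assumptions.

```python
import logging
import traceback
import uuid

# Constructed example (not code from the thread or from DraftKings): a minimal
# error path for a web handler. In debug mode the stack trace is returned to
# the client; in production it is written to the server log under a reference
# id and the client only sees a generic message carrying that id.
log = logging.getLogger("app.errors")

# Heuristic markers of a leaked trace or database error (assumed list, not
# from the page; extend it for the frameworks you actually run).
LEAK_MARKERS = (
    "Traceback (most recent call last)",
    'File "',            # Python trace frames
    "at line ",          # PHP/Ruby style frames
    "SQLSTATE", "ORA-",  # database driver errors
    "syntax error",
)
GENERIC = "Something went wrong. Reference: "

def leaks_internals(body):
    """True if a response body looks like it carries internal error detail."""
    return any(marker in body for marker in LEAK_MARKERS)

def resolve_debug_flag(env):
    """Honour DEBUG=1 only outside production, so a forgotten flag cannot
    flip a production server into trace-printing mode."""
    wants_debug = env.get("DEBUG", "0") == "1"
    if env.get("APP_ENV", "production") == "production":
        if wants_debug:
            log.warning("DEBUG=1 ignored because APP_ENV=production")
        return False
    return wants_debug

def render_error(exc, debug):
    """Build the (status, body) reply for an unhandled exception."""
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if debug:
        return 500, "Internal Server Error\n\n" + trace   # development only
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s unhandled exception\n%s", ref, trace)  # detail stays here
    return 500, GENERIC + ref

def handle(path, handler, debug=False):
    """Run a request handler and apply the error policy to its reply."""
    try:
        status, body = 200, handler(path)
    except Exception as exc:  # last-resort handler, so catching broadly is intended
        status, body = render_error(exc, debug)
    # Final gate: even a handler that formats str(exc) into its own reply
    # must not pass internal detail to the client outside debug mode.
    if not debug and leaks_internals(body):
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s response scrubbed, original body:\n%s", ref, body)
        status, body = 500, GENERIC + ref
    return status, body

def broken_handler(path):
    return 1 / 0  # simulated bug in the request handler

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    debug = resolve_debug_flag({"APP_ENV": "production", "DEBUG": "1"})
    print(handle("/lineups", broken_handler, debug)[1])
```

Run as a script it prints only the generic message with a reference id, while the trace for that id appears on stderr from the logger.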


wab80    39

Just a heads up, as of now, there are less than 2K seats left for the $300K on FanDuel. It'll be full by the end of the night, I'm sure. Might want to throw a few entries in there now just to reserve the spots. I just entered it twice with BS lineups that I'll go back and change later just so I could have the spots held.

Just entered 2 lineups to save a spot


Paki_Poker    37

What's DK's policy on retention and disposition of credit card or other financial information?

Meaning, if it's hackable...leaving the site might not protect you, if you've already given this information and they don't have a disposition standard for the private information they collect.


Drewch    0

What's DK's policy on retention and disposition of credit card or other financial information?

Meaning, if it's hackable...leaving the site might not protect you, if you've already given this information and they don't have a disposition standard for the private information they collect.

Not sure, maybe FatalError can comment. Since they're PCI compliant, I'm sure if you request to have everything removed that they will do so.

Just to be clear, any site is hackable, or has the potential to be exploited. I am just concerned with DK's lack of security knowledge and care about good security practice.


BubbaKGB    8

What's DK's policy on retention and disposition of credit card or other financial information?

Meaning, if it's hackable...leaving the site might not protect you, if you've already given this information and they don't have a disposition standard for the private information they collect.

They kept telling me they don't store credit card information (customer has to type it in every time) and that there was no issue with the error appearing. I don't know one way or the other about the CCs being stored (or whether that matters if transactions and numbers are recorded) but either way, it's not insignificant that I could see their information. It's not so much that the error being served to me meant the site was immediately at risk, it's that it's an indicator of a much larger, underlying issue (which is what I think you're getting at).

Basically, they are trying to say I misunderstood what I saw. Meanwhile, I know what I saw represents, so I'm trying to get them to address the problem as it relates to the whole site.

1


wab80    39

This is the 535 and the 25 on fanduel

QB Robert Griffin III $8,800 WAS@DEN

RB Marshawn Lynch $8,600 SEA@STL

RB Eddie Lacy $6,800 GB@MIN

WR Harry Douglas $6,500 ATL@ARI

WR Victor Cruz $7,200 NYG@PHI

WR Denarius Moore $5,400 PIT@OAK

TE Jordan Reed $5,400 WAS@DEN

K Caleb Sturgis $5,000 MIA@NE

D Seattle Seahawks $6,000 SEA@STL

This is the 100 and 25 on fanduel

QB Tony Romo $8,500 DAL@DET

RB Eddie Lacy $6,800 GB@MIN

RB Reggie Bush $8,100 DAL@DET

WR Victor Cruz $7,200 NYG@PHI

WR Harry Douglas $6,500 ATL@ARI

WR Denarius Moore $5,400 PIT@OAK

TE Jason Witten $6,800 DAL@DET

K Caleb Sturgis $5,000 MIA@NE

D Atlanta Falcons $5,400 ATL@ARI


wab80    39

109 on draftday

QB Robert Griffin III $18,000

RB Marshawn Lynch $17,000

RB Eddie Lacy $13,550

WR Harry Douglas $11,600

WR Denarius Moore $10,750

TE Jordan Reed $9,650

FLEX Jason Witten $8,800

K Caleb Sturgis $5,500

D Jets (NYJ) $5,000


wab80    39

109 and 109q on dk

QB R. Griffin III 21.0 swap out

RB Eddie Lacy 12.6 swap out

RB Marshawn Lynch 19.1 swap out

WR Harry Douglas 11.3 swap out

WR Victor Cruz 18.9 swap out

TE Jordan Reed P 14.2 swap out

FLEX Denarius Moore 15.3 swap out

K Caleb Sturgis 8.8 swap out

DST Falcons 5.7 swap out

109 on dk

QB R. Griffin III 21.0 swap out

RB Eddie Lacy 12.6 swap out

RB Reggie Bush P 20.0 swap out

WR Denarius Moore 15.3 swap out

WR Harry Douglas 11.3 swap out

TE Jordan Reed P 14.2 swap out

FLEX Tony Gonzalez 15.5 swap out

K Caleb Sturgis 8.8 swap out

DST Packers 8.3 swap out

109 on dk

QB Tony Romo 20.7 swap out

RB Eddie Lacy 12.6 swap out

RB Marshawn Lynch 19.1 swap out

WR Harry Douglas 11.3 swap out

WR Denarius Moore 15.3 swap out

TE Jordan Reed P 14.2 swap out

FLEX Knowshon Moreno 18.9 swap out

K Caleb Sturgis 8.8 swap out

DST Falcons 5.7 swap out


wab80    39

I'll be back on in the am to see what changes you guys want. I will only be able to make changes until 11:30 tho because day 2 of my tourney starts at noon. Hopefully we can get everything set by then. gl us


danimal703    0

So far we got

Djg x3 paid ----- still owed 85.42

Vernicle x6 paid ---- still owed 19.95

Jets x2 paid ------ still owed 16.78

Chk x2 paid ----- still owed 16.78

Sponge x4 paid ----- still owed 3.17

PlustotheEV x3 paid ------ still owed 25.17

Kmc x1 paid ----- still owed 8.39

Weeminer x10 paid ----- still owed 83.90

Resilient x1 paid ---- still owed 8.39

Hostile x1 paid ---- still owed 8.39

QW x5 paid

Sgtkyle x1 paid ------ still owed 36

IdareyouAA x2 paid ---- still owed 16.78

Grinchpants x1 paid ---- still owed 8.39

Paki x1 paid ----- still owed 8.39

Donkwood x5 paid

If I missed you let me know. And to anyone that wants to get paid and not roll it over I don't mind sending some out.

Just wanted to make sure you saw my post early on about rolling mine over and me sending additional money. I sent the extra $14 on Friday to make it 2 total shares for me.


wab80    39

Just wanted to make sure you saw my post early on about rolling mine over and me sending additional money. I sent the extra $14 on Friday to make it 2 total shares for me.

You are in for 2. I am not gonna be able to link anything. Day 2 of the tourney I'm in starts at noon. I will get it linked when I can. Sorry about that
