EVE General Discussion

Rek:

If you like, you're free to evaluate our method for choosing winners. The code we use to get the number is here. As you can see, we draw it from random.org. You can find their real-time statistics here and several peer-reviewed papers on the quality of their random-generator here.

And, from a more practical standpoint - with over 1,733,423 Blinks completed, it would be a MONSTROUS amount of work to try and rig them/keep that rigging hidden from the public/the dozens of people who've worked for Blink. Saner by far to just run it honestly and enjoy it for what it is :)

Hope that helps :)

Was a Blink addict for a long time, spent billions and won billions, far more than I've ever put in but just like every game you need to put yourself limits.

And yes, those are serious people, whatever you win it's really yours, they ship your stuff when possible for 0 isk, you'll never miss a single isk you deposit because it's API done or Andrew/Mom will watch logs to give you back what's yours.

There are few serious people you can trust in this game, SommerMom and Andrew are 2 of those. Not only they will always respect their contract with their customers but some times offer them to buy stuff, like LP's stuff, rare ships, faction mods etc.

Really, they're awesome dudes.

yep, that would be one way of doing it - but in practice it would rely on blink using a misconfigured nameserver which is pretty unlikely.

Alternatively you could block access to random.org via a ddos (or wait for a time when random.org is not available for some other reason) and try to exploit some weakness in mt_rand.

Any pseudo random number generator which does not fetch entropy from outside sources is periodic, that is the numbers will start repeating themselves after some time.
For the mersenne twister used by mt_rand the period is 2^19937 − 1 which is pretty long. And of course the sequence of random numbers is different for each of the 2^32 seed states.
If Blink was trying to create really long random numbers one still might be able to figure out at which position one is in which sequence after observing a couple of outputs. But with the small numbers of tickets this is hopeless.
Additionally consider that Blink does probably use multiple php processes to handle requests each of which maintains its own PRNG. I guess that the PRNG of whatever php process gets to handle the request for the final ticket gets to determine the winning number - so you can't even look at the sequence of winning numbers and treat them as a sequence of mt outputs - they are a wild mix of any number of MTs.
Your best bet would probably be to try get php to spawn a new process with your request (or maybe you are lucky and cogdev.net uses a CGI configuration but in real-life that doesn't happen) in which case a new PRNG would be initialized and you would "only" have to guess one of the 2^32 seed states.

Real slot machines keep cycling through random numbers even when there is no user input to prevent an attacker from being able to exploit the PRNG's sequential nature.

On Linux a call to /dev/random (which introduces entropy from hardware devices; but which is blocking and can be slow if not enough entropy is in the pool) or /dev/urandom (less true randomness but fast) would probably be preferable to mt_rand.
However, in practice I can't really see anyone being able to exploit this.

I challenge you to attempt that at any modern casino. That technique is long dead.

Gil makes a good point, honestly - end of the day, if you don't enjoy gambling, or think we'd be silly enough to **** it up by rigging it, you're best off not playing.

We're more than happy to answer questions and provide facts, but if you're dubious after that, the safe answer in Eve is always to keep your ISK in your own wallet. We're not trying to coerce anyone into gaming. :)

And if anyone ever thought otherwise while using it, they deserver to lose ISK


Me?

I love Somerblink I've actually made a couple hundred million off it. It 'would' be closer to 1b, but when I started I didn't realise it would be smarter to get paid back the ISK & put it back in to blink, rather than just changing it back in to blink credit

Well, not really played on somer a lot.
But yesterday i won 1 talos, 2x navy caracals, navy geddon and lots of other small stuff.
Came out of it with about 300m in profits.

So no, its not cheating on their part, but as with all types of gambling, the house allways wins in one way or another.

As a comp.sci guy, I'll have to say that piece of 'code' fails hard.

While the random number generator (random.org) is trustworthy, the chain of trust is not kept. There is no way to verify 1) that the linked PHP code is actually what is executed 2) that the game that 'rolls the dice' rolled it just once instead of doing it multiple times until the desired result happens and 3) that every entry in a game is a real player who paid for the slot with ISK (rather than RMT).

If you really wanted to be secure and ensure 1) and 2), each game would (when created) have an random ID and the trusted random number generator would take this ID when rolling the dice, and it would only allow a single roll. The somer blink site would then link to the result page, where the ID, time and result would be viewable.

Do that and your site would be 'trustworthy' for players, but not necessarily RMT free as per 3).

Frankly the part of you post above about 'statistics' and 'peer-reviewed papers' is a clear example of trying to hide a weak link in a chain by showing off how damn strong all the other links are.

In answer to the first question - It's answered anecdotally in the thread above you. :) Some folks get lucky on their first few blinks, and stop forever. It's the same reason some people have win ratios at 0% - they get a bad first run, and stop forever. I grant, it's something that would be addressed with the "fixed win percentage" idea outlined earlier in the thread, but that's just not something we're willing to do. Every draw is, and will stay, independent to every other draw. :)

In answer to the second question - Large swaths of database queries readily available to the public in a unified location are a server-melting fiasco. Blink receives around 700-2.5k individual users per hour, most of which stay on the site for 27-42 minutes each, and hammer F5 like a rabid monkey while they're there. Some concessions have to be made to technical performance :)

In answer to why YOU specifically aren't given large swaths of statistical data with personal information redacted - if that's what it would take for you to play, we're okay with you not playing. :) Even if we did take the time to hand all that over, a day later you could make the same demand for information again, and again, and again. If someone really distrusts our service that much, we're totally cool with you not using it :)

In answer to Rakshasa Taisab:

Each blink does have a unique identifier, it's Blink ID number. It is visible on even the currently active blinks, in the lower left hand corner of the Blink (highlight the text there to see it). The results from that are viewable to anyone who played on that Blink - though I grant, they're not perpetually visible to anyone who wants to look.

And, again, all that said - I absolutely concede there's zero way we could guarantee that all of that code didn't change right after you looked. The answer to that one will always be: It wouldn't benefit us to do that. It would catastrophically cripple us. But if you disbelieve that, it's totally cool to keep not playing. :)

Edit to add: Re-reading, I misunderstood what you were looking for from a unique identifier. Random.org doesn't have any type of identification API, so that's not possible (to my knowledge) while using them as our RNG source.

I think it's going to be very hard to prove anything, on way or the other. Random is random, and while some results are statistically unlikely they are not impossible, someone can win 100 out of 100 games without cheating. Unless you hack into the webserver and prove their code is designed to fix the rolls, i can't see how you are going to prove anything, and even that would end up being your word against their on weather or not the the prove was genuine.

Personally i that the site is legit, it's just like playing slot machines with a set payout ratio. It's not cheating, just very much in the favor of the house.