Use a Software Bug to Win Video Poker? That’s a Federal Hacking Case

&#62; But the casino had been suspicious, and Kane didn’t collect the last win<p>Bad move!<p>This reminds me of Louis Colavecchio. He made quite a lot of money off Atlantic City casinos using counterfeit slot machine tokens. The casinos <i>KNEW</i> they were being ripped off by a counterfeiter, because their token counts at the end of the day were coming in consistently high, but they were stymied because they could not tell which tokens were counterfeit. That made it hard to even get started tracking their origin. Even the token manufacturers were not able to determine which of a set of tokens were authentic and which were counterfeit. [1]<p>Colavecchio's downfall came one day when he was playing a machine, and it jammed, eating his token. He simply moved to the next machine, and continued playing. That caught the attention of the guard watching that row of machines on the security camera. These machines were something like $10 or $25 per play machines. When a legitimate gambler has a token of that value eaten by a machine, they don't just let it go and move on to another machine. They report it and make a fuss until they get their money back. The guard realized that one person who would just move on would be the counterfeiter--he would not want to draw attention to himself by making a fuss, and psychologically would think of his tokens as only worth a few cents and so would not be upset at losing one.<p>With that lead, they were able to watch Colavecchio and get enough evidence to nail him.<p>[1] Years after Colavecchio was caught and convicted, his counterfeit tokens remained in circulation in Atlantic City casinos, because they never did figure out a way to tell which were real and which were Colavecchio's.

This is like watching game speedrunners exploit glitches in the game to get a better time, and then hearing laypeople complain about it not being a "real" run. If it's all done within the context of the system, then it's fair.<p>In game speedruns, the context is: "Beat this game as fast as possible with the following restrictions (no cheats, 100% completion not necessary, etc) using the provided input system."<p>If I go to a casino, the context of playing a slot machine is: "Put real money into this machine and press buttons on it until you run out of money or leave." There aren't any implicit rules like, "some combination of button presses are not allowed".<p>Let the player have his money, patch the bug and move on.

He didn't use the bug to win but rather change the payout. If it was a logic bug causing him to win against the machine I would say he was fine, however this bug allowed him to change the payout amount, which is fraud. It is really no different than if the machine printed out the amount on a ticket and he forged a different amount on it before he turned it in.

If you discover a reproducible flaw in a blackjack game -- the card shuffler at a certain table isn't random -- is there a penalty for that? Because just having a computer in the mix doesn't seem like it really changes the moral equation.

My goodness. This is such baloney. How are you going to get charged with hacking for something like this.<p>If anything, you can blame the guy for not being moral and telling the casino about their mistake, but he is definitely not required to.<p>It's the casino's fault, or the game creator, for putting out a buggy game. They should be happy to have discovered the problem and just fix it.<p>Should I be allowed to sue vending machine owners every time my candy doesn't drop?

I have this feeling that the other shoe is about to drop, and we're going to find out something big is missing from the reporting, they they had a friend working at the company.<p>Also, this logic:<p><i>“All these guys did is simply push a sequence of buttons that they were legally entitled to push.”</i><p>is very annoying. You can describe any illegal action as innocuous. I'm not saying this case deserves to be hacking (IMHO if you learn, say, that the sequence of cards resets every 256th turn through, more power to you), but this is a weak argument.

Fascinating. This reminds of the true story of a group of friends who won nearly a million dollars by reverse-engineering video poker machines and finding flaws in the pseudo-random number generators used to select random cards. These people have given anonymous interviews and an entire description of their adventure to Kevin Mitnick for his book The Art of Intrusion. They also claim to have never been caught, thanks in part to the fact they stopped exploiting it after they won "enough" money! <a href="http://www.amazon.com/Art-Intrusion-Exploits-Intruders-Deceivers/dp/0471782661" rel="nofollow">http://www.amazon.com/Art-Intrusion-Exploits-Intruders-Decei...</a>

Here is an interesting anecdote. From the author of the article's wikipedia page.<p>His best-appreciated hack was a takeover of all of the telephone lines for Los Angeles radio station KIIS-FM, guaranteeing that he would be the 102nd caller and win the prize of a Porsche 944 S2.<p>When the Federal Bureau of Investigation started pursuing Poulsen, he went underground as a fugitive. When he was featured on NBC's Unsolved Mysteries, the show's 1-800 telephone lines mysteriously crashed<p><a href="http://en.wikipedia.org/wiki/Kevin_Poulsen" rel="nofollow">http://en.wikipedia.org/wiki/Kevin_Poulsen</a>

This is going to be tough to argue from a hacking standpoint. IANAL, but a quick perusal of some of the hacking-related legislation shows that almost all federal definitions of "hacking" involve "without or exceeding authorization "(See sections (1)(a), (1)(b), and (1)(c) in the Computer Fraud &#38; Abuse Act (CFAA) [1]). A definition of that phrase is provided at length in this pamphlet [2] put out by the Department of Justice Cybercrime division. Specifically, from the first document (section (e)(6)):<p>&#62; the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter<p>and from the second (section A.2):<p>&#62; The term “without authorization” is not defined by the CFAA. The term “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”<p>Later in the same section, it states:<p>&#62; Prosecutors rarely argue that a defendant accessed a computer “without authorization” when the defendant had some authority to access that computer. However, several civil cases have held that defendants lost their authorization to access computers when they breached a duty of loyalty to the authorizing parties, even if the authorizing parties were unaware of the breach. [...] Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party. See, e.g., Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files); ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006) (same); NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1057 (S.D. Iowa 2009) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers.”).<p>Not sure what to make of that, as again, IANAL. Still, this is definitely not hacking in the traditional legal sense.<p>[1]: <a href="http://energy.gov/sites/prod/files/cioprod/documents/ComputerFraud-AbuseAct.pdf" rel="nofollow">http://energy.gov/sites/prod/files/cioprod/documents/Compute...</a><p>[2]: <a href="http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf" rel="nofollow">http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf</a>

I really don't like trying to judge this case with analogies to non-electronic gambling. It's not a terrible way to start thinking about the issue, but taken too far it allows someone to come up with almost arbitrary conclusions.<p>Rather, I think it's best to judge this by what a certain outcome would do to the greater picture.<p>(And now to argue for my own interpretation, which happens to use the above argument.)<p>I was in the middle of writing what I thought was a pretty interesting argument, when I realized...<p>Why the hell is the federal government even getting involved in this? I mean, I know why, but it has nothing to do with them. This is (or should be) a case about what constitutes fair play at a casino. Jumping into this and flexing the CFAA just seems beyond ridiculous.

&#62; <i>Much of the cheating the Technology Division deals with comes from professionals, who will buy a used game machine, put it in their garage and plumb it for vulnerabilities.</i><p>&#62; <i>“They are looking to explore how they can exploit the machine from a mechanical standpoint,” says Jim Barbee, chief of the division. That means physical hacks aimed at the coin hopper or the bill reader. Software vulnerabilities like Kane’s are nearly unheard of.</i><p>Someone should sell them a fuzzing suite.

It's fun to speculate how this bug might have come about.<p>My suspicions are that each sub-game maintains separate state about the last game played, but that the wager amount and "has the win been paid" flag variables are global, shared between all games. When the double-or-nothing option is disabled, wins are paid immediately; but when it's enabled, that flag doesn't get set until the user either declines to double up or the result of doubling-up is determined. This leaves a window for the user to switch games, changing the wager in the process, and have the payout recalculated because the win has not been paid yet.

I'd expect that there would be some some central database of these machines that track their incoming and outgoing money that all the casinos feed their data into. It would seem crazy that this type of activity would go undetected to the tune of several hundred thousand. Even if payouts were tracked locally, it should have been a huge red flag. Unless the tracking that is sent over (or compared locally against baselines) is based off of in-play data and the amount exploited in the bug was never properly reported.

IANAL, but I have thought a lot about what constitutes cheating at gambling, as opposed to legal advantage play, and I think this is cheating. The key distinction, for me, is that the machine is not a game in and of itself, but an interface for offering multiple games.<p>(For those who didn't read the article, the scheme basically involves playing game A at the minimum wager until you get a big win, then switching to game B at a higher wager until the game B reaches a certain state, and then switching back to game A, at which point the machine would re-calculate your earlier win in game A based on your (higher) wager in game B.)<p>The nearest analog I can think of is switching roulette table chips between tables of different denominations. When you buy roulette chips, the croupier notes the value of a stack of 20 chips, usually $20, $100, or $500 a stack, by placing a token near the wheel. Looking at a single chip, it's impossible to tell whether the chip is worth $1, $5, or $25. And a given color chip at one table may be worth $1, while at a neighboring table it's worth $25. Table chips are marked with a letter on their face indicating which table they belong to, but croupiers don't always examine the letters, so if you slip chips between tables, you might be able to wager a low-denomination chip and be paid off in high-denomination chips. That's definitely cheating, even if the casino doesn't immediately stop you from slipping chips between games.<p>My general rule of thumb is that anything that happens within a game is fair play. If the exploit had been that a particular sequence of wagers would cause the random number generator to behave in a predictable way, then I'd be fine with it. But I wouldn't consider the game-selection interface to be part of the game.

This is obviously (at least it <i>should</i> be obvious) a business matter between the casino and the game vendor, not the user. The way this should have played out is 1) the casino notices the pattern, 2) the casino pulls the machine and scolds the vendor for shipping a bug that hurt their business, and 3) the vendor loses future contracts or resolves the issue in a way that satisfies the casino.

If you apply this same logic to coin-operated arcade games, you are breaking the law if you use the Tetris PRNG hack mentioned today (<a href="https://news.ycombinator.com/item?id=5640893" rel="nofollow">https://news.ycombinator.com/item?id=5640893</a>) or even Pac-Man patterns (<a href="http://www.math.montana.edu/~hyde/pacman/" rel="nofollow">http://www.math.montana.edu/~hyde/pacman/</a>) to "exceed your legal access" and extend your play time, thus stealing valuable quarters that would otherwise be spent by non-exploiting players.<p>You might even be able to apply this to games with IAP. Better not get <i>too</i> good at playing Super Monster Candy Time 2, buddy!

&#62; In June, Nestor returned to Pennsylvania, and began working the exploit with a crew.<p>I was rooting for the guy until that sentence. Book'em Danno.

&#62; “These guys kind of kept it a secret,” says Leavitt. “If this had got out… this would have been a bad thing for the casinos.”<p>I'm sure they would have pulled all the games pretty quickly if it had gotten out. Casinos take analytics seriously.

That's impossible. Gambling software is carefully regulated and approved by state gaming control boards, so there cannot be bugs.

This case would be laughable if not for the fact that we all know the gambling associations are going to use their wealth &#38; power to make his life hell.

I wonder what would happen if the situation were reversed. What if a machine was found to have been paying out less money on winnings than the stated rules. My guess is this would be a non-issue or at worse the casino would face a small fine.

This is a feature, not a bug.<p>Certainly, the Casino didn't know about it. Imagine you sign a legal document you don't 100% understand (you miss sg). Who cares? You are bound to it. The Casino didn't fully understand the "contract of the machine". Who cares?

The entire casino business model relies on bugs in the human mind.

&#62; It takes a lot of video poker play to stumble upon a bug like &#62; that. And Kane, according to his lawyer, played a lot of video &#62; poker. “He’s played more than anyone else in the United &#62; States,” claims Leavitt. “I’m not exaggerating or embellishing. &#62; … In one year he played 12 million dollars worth of video &#62; poker” and lost about a million, he says. “It’s an addiction.”<p>You gotta admire this guy's commitment to quality assurance!

That's crazy. Am I "hacking" a vending machine if it gives me two candy bars instead of one? What if he had just closed his eyes and slammed the buttons and this happened? Would he be the world's foremost blind hacker? Both sides are engaged in taking as much of the other's money as possible within a set of rules, and he won.

There are signs on these machines that read malfunction voids pay. This ultimately is a malfunction, and is the casino's responsibility is to verify before payout. Exploiting a malfunction to increase payout on an already negotiated win might be fraud, but hacking?

If I am a cashier and occasionally accidentally give out more change than I should, surely that is wholly my own problem (a fault of my own process) and not that of the person who takes the money I gave them.

I don't read wired (tired of their lengthy narratives that always culminate with the subject cast in a holier than thou light) so i will assume this is about someone exploiting a bug left by the cassino on their own systems.<p>Anyone who understand law care to explain how this is different than sitting at a black jack table and the croupier just dealing up all the cards face up?

so, if it is considered "hacking" to do this, what about the first time he found the exploit? He didn't intend to do that he just jumped the gun to get back to playing. Was that mistake a crime?

Shared mutable state strikes again.

I guess it's OK to steal billions of dollars from tourists, but when the tables are turned, it becomes a crime.