Use a Software Bug to Win Video Poker? That’s a Federal Hacking Case (wired.com)
137 points by bcn on May 1, 2013 | 119 comments



> But the casino had been suspicious, and Kane didn’t collect the last win

Bad move!

This reminds me of Louis Colavecchio. He made quite a lot of money off Atlantic City casinos using counterfeit slot machine tokens. The casinos KNEW they were being ripped off by a counterfeiter, because their token counts at the end of the day were coming in consistently high, but they were stymied because they could not tell which tokens were counterfeit. That made it hard to even get started tracking their origin. Even the token manufacturers were not able to determine which of a set of tokens were authentic and which were counterfeit. [1]

Colavecchio's downfall came one day when he was playing a machine, and it jammed, eating his token. He simply moved to the next machine, and continued playing. That caught the attention of the guard watching that row of machines on the security camera. These machines were something like $10 or $25 per play machines. When a legitimate gambler has a token of that value eaten by a machine, they don't just let it go and move on to another machine. They report it and make a fuss until they get their money back. The guard realized that one person who would just move on would be the counterfeiter--he would not want to draw attention to himself by making a fuss, and psychologically would think of his tokens as only worth a few cents and so would not be upset at losing one.

With that lead, they were able to watch Colavecchio and get enough evidence to nail him.

[1] Years after Colavecchio was caught and convicted, his counterfeit tokens remained in circulation in Atlantic City casinos, because they never did figure out a way to tell which were real and which were Colavecchio's.


Super cool story.

Though, that wasn't my reading of "Kane didn’t collect the last win." I read it as "the casino didn't pay him for the win because they suspected him of hacking/cheating."

It could be either one though. Now I'm not really sure.


Cool story. For the curious, "Sentenced to seven years, Colavecchio was released in 2006. He was re-arrested by the FBI only a few months later having resumed his activities, and released on a $25,000 surety bond."

http://en.wikipedia.org/wiki/Louis_Colavecchio


Wow, while this may be acting on stereotypes but I am surprised and have to hand it to the security guard who worked through that train of logic on the fly.


I happened to know several security guards and bouncers when I was young -- a lot of them really are gifted when it comes to noticing anomalies in individual and crowd behavior.

Bartenders, too.


great story.


That's interesting. Do you remember what exactly was he sentenced for? I tried to find it online but couldn't.


There's some information on the specific charges here: http://www.nj.gov/lps/ge/exclusion/colavecchio_louis.htm


This is like watching game speedrunners exploit glitches in the game to get a better time, and then hearing laypeople complain about it not being a "real" run. If it's all done within the context of the system, then it's fair.

In game speedruns, the context is: "Beat this game as fast as possible with the following restrictions (no cheats, 100% completion not necessary, etc) using the provided input system."

If I go to a casino, the context of playing a slot machine is: "Put real money into this machine and press buttons on it until you run out of money or leave." There aren't any implicit rules like, "some combination of button presses are not allowed".

Let the player have his money, patch the bug and move on.


In complete agreement. This is no different than me just coming up with a crummy game to begin with. Let's say I run a casino and accidentally set up a modified game of blackjack where the odds favor the customers instead of the house. Customers merely playing this game is "exploiting" a bug. Should I be able to sue them? (BTW a couple of months ago this happened with mis-shuffled decks.) The premise of this game is to get people to risk their money; I can't whine when it backfires on me and I lose instead of them! I certainly don't get to sue the casino for exploiting my gambling addiction or the fact that I had a little too much to drink before my last bet.

Look, let's be honest here: casinos are nothing more than legal (and sure, transparent) scams, plain and simple (at least when it's house vs. customer and not customer vs. customer). The rules are systematically designed to drain you of your money while tricking you into thinking you might win. And I have absolutely no problem with that. I am a free market guy, and as far as I'm concerned gambling is voluntary. HOWEVER, if you are going to dedicate your business to literally ruining people's lives and profiting from their losses, then suck it up when you are too stupid and your con backfires on you. Don't get the law involved, and thus my taxpayer dollars, to save you from your unsuccessful grift. This is as absurd as an idiot running a faulty ponzi scheme and then suing his marks because they made money and he didn't.


> Let's say I run a casino and accidentally set up a modified game of blackjack where the odds favor the customers instead of the house.

There's a rather interesting story about this:

http://www.theatlantic.com/magazine/archive/2012/04/the-man-...


By the same argument, the context of using the internet is "send packets, receive replies". There aren't any implicit rules like "sending a specific field that is larger than expected (as to overrun a fixed-size buffer) is not allowed".

(FWIW, I agree with you. It is impossible to forcibly break into a computer over the network.)


The internet isn't a game though, so restrictions based on intentions is fair. I think games, especially those which elicit feelings of competition or a strong desire to win, are all about finding the discrepancies between the rules as they are intended and the rules as they are implemented. When you push those boundaries, you get the advanced techniques and high level play which makes competitive gaming so interesting.


> The internet isn't a game though, so restrictions based on intentions is fair.

It is massively unfair to impose criminal liability upon people because they refuse to make assumptions about the intent of a programmer or sysadmin that they have never met or communicated with.


The catch with this case is that the game involved is overtly a simulation of a physical game, and the only purpose of the simulation is to increase the efficiency for the casino to let more players play a known physical game more quickly, not to change the nature of the game itself. You can make the case that places where the simulation diverges from the physical game were clearly unintended and should be obvious to players to be bugs, not part of the rules of the game, and hence unfair for gamers (or, likewise, casinos) to exploit since they were stepping beyond the bounds of fair play.

I'm not sure how strong this argument is but it's clearly different than just saying it's like a speedrun. Just because the medium is virtual doesn't mean you aren't entering into an implicit contract to play by the rules of poker.


But as far as I have read the article the glitch is not about the simulation of cards but rather about game mode flags you can carry unintendedly between different game modes.

The quoted example makes him pause game one at a high win, switch to game type two to achieve a 'tenfold win' token and then combine this with the paused game.

These are arbitrary rules put in place just for the simulated card games in the first place.

And of course for him it hugely increases the probability to achieve this scenario intended to be very rare.


This kind of single player "video poker" has nothing to do with the rules of actual poker.


Can you elaborate what you mean by "nothing?" Why do they call it video poker?

The point is that insofar as the game replicates poker one can basically use that as a way to identify the difference between a "bug" and an "odd game rule."


In poker you do not win by having a good hand - you win by either having the best hand of those remaining at showdown, or being the only hand left. There is no "house" - all the players are equivalent, and playing alone is meaningless. When you play real poker in a casino, the casino isn't taking either side of any of the bets - the players are just paying the casino to play (real poker isn't generally very profitable for the casino - where it's offered it's generally for "prestige" reasons, to bring in players who will hopefully play other casino games while they're here).

The only thing that these played-against-the-house games take from real poker is similar hand rankings.


Well, for one thing the "double up" option is not a part of standard poker. More conspicuously, physical poker involves a high degree of observation/manipulation/etc of human opponents and that is not a part of video poker.


I understand but this is less than "nothing."

Yes you remove the human element and change some betting rules but at its core video poker is a simulation of physical poker. The parent doesn't have much of a point other than being overly hyperbolic to discount the reality that there is certainly an argument that this was a bug and hack since the exploit sits clearly outside the realm of the game of poker.


That's interesting, because in most games the people who exploit bugs in a game are banned/removed/punished. It's standard practice in online games to punish those who use the game in an unintended but presented way (exploit bugs).

David Sirlin has a chapter in his book "Playing To Win" entitled, "What Should be Banned?" It's about tournaments, but it may apply here as well: http://www.sirlin.net/ptw-book/what-should-be-banned.html


For speedruns, there's a philosophical divide- some people consider exploits to be cheating, thus it falls under the "no cheating" rule.


I believe that the philosophical divide in the speedrunning community is actually between tool-assisted speedruns[1], and unassisted speedruns.

[1]: https://en.wikipedia.org/wiki/Tool-assisted_speedrun


There doesn't have to be only one divide.


Most TAS communities have different categories for glitchy and non-glitchy runs. Take a look at http://tasvideos.org/ for examples.


I don't know any serious speedrunners who consider most exploits to be cheating. Something as simple as bunnyhopping is an exploit, yet you'd be laughed at if you tried to run Quake without doing so.

True, there are some exploits which are truly degenerate, but they are specifically handled. Exploits in general are highly encouraged. Speedruns are listed in terms of the restrictions given: a specific difficulty, 100% vs any%, rules governing the timing, etc.


Skiing in Tribes was originally a bug, and it became an essential feature and set the franchise apart from other shooters.

Exploits in speedrunning aren't often easy to do, and finding new applications for them are part of the challenge and can set one speedrunner ahead of another.


I remember seeing a speedrun of Half-Life where the player went through a wall (that you weren't supposed to go through), kept going (past all of the weird clipping visual nonsense), and finally came out in a different level (which IIRC wasn't even populated with enemies), and kept going through the game.

That seems like cheating to me. Little glitches in the game mechanics are a little bit different.


The problem is that there's no bright line to be drawn between bunny hopping and glitching through a wall. It's a continuous spectrum of larger and larger glitches.

Just out of curiosity, I assume you'd also consider abusing the "minus world" glitch in Super Mario Bros to be cheating, assuming it happened to let you finish the game faster? That glitch is nearly identical to the Half-Life case you described.


Bunnyhopping is allowed, but the problem was that for one Half Life run macros and AutoHotkey were used to sequence things. Bunnyhopping using only mouse, keyboard or gamepad is okay.


He didn't use the bug to win but rather change the payout. If it was a logic bug causing him to win against the machine I would say he was fine, however this bug allowed him to change the payout amount, which is fraud. It is really no different than if the machine printed out the amount on a ticket and he forged a different amount on it before he turned it in.


Flip the scenario:

I bet on the Giants -3.5. Oh, the casino has taken advantage of my misunderstanding of -3.5. They have escalated access to my money based upon my mistake. Have they committed fraud? Do I get my money back? Do I get to change my bet after the fact? Of course not.

They put out a machine which was giving away money. The guy did nothing other than put money in the machine and push the buttons.

If Vegas had to return all the money to the gamblers who made mistakes, it would just be a desert again.


Two comments. Back around the turn of the century when electronic gaming machines were taking off I did a lot of due diligence on the rules and regulations for building a gaming machine. They didn't have regulated payouts, they have regulated games. A game license was two part: one, the set of rules and the mathematics behind the probabilities they set; and an audit/dump of the mechanism/code to implement those rules such that the game was run as described. It was very clear that if a machine violated the rules of the game they were presenting, it was the maker's fault, not the casino's. So liability could only be pushed back on the casinos if the player was able to "modify or affect" the machine outside of specifications.

So if a player brings in a magnet or a custom EPROM or a wire that they stick through the coin slot to make a short circuit - Casino is liable.

If the Player is using the game in the way the game allows and it pays out more or otherwise fails to implement the rules of the game correctly - Manufacturer is liable.

The only 'out' on that last bit is if the manufacturer knows of a bug and they tell the casino how to prevent it, and the casino fails to do so, then the casino is liable again.

Anyway, it was a land mine of liability as far as I could see and starting a company in that space was going to require as many lawyers as it did engineers it seemed to me so I passed.

Second comment, so when the MGM Grand opened for the "first" time it had a Jai Alai court and people could bet on the games. That system allowed for people to walk up to terminals and enter their bets. Basically you entered the game, either the spread or score, and the bet amount. Someone figured out that the keyboard was just an X/Y scanning matrix (like nearly every keyboard in existence) and if you held down the right three keys all at once the keyboard controller would get a scan code for '-' (even though there was no minus sign on the keyboard). You could bet "to win" on a game where the odds were against, and enter a negative score. The bet would pay out when the player lost because their score was negative relative to the other player. I do not remember the exact mechanism in the logic but as a budding computer programmer at the time I found it an interesting exploit (a minus injection bug :-). They of course fixed it right away but they didn't take back money from people who had been paid out.


My understanding is that all the slot/video machines have highly regulated payouts. The law states they must pay within a certain range, and they are verified by state employees on a regular basis.

If he is causing the machine to pay out at a level outside that allowed by the law, then he's breaking the law as much as the casino would be to make it pay out differently as well.

Edit: To clarify, I don't think he should be tried for hacking. I think he should be tried for circumventing state gaming laws, if applicable, or released. If they don't cover this, then it should be legislated if it is deemed important enough. Going after someone through some loosely affiliated law because you want them to go to jail even though what they did wasn't strictly illegal is wrong, IMHO.


Slots have highly regulated payouts, but in most US state gaming boards this is dictated by a minimum payout that all slots must average across a casino's slot floor.

An anomaly in one machine is nothing unusual - in fact it's quite common given the size of jackpots and the volatility of the game's math.


In which case I don't see how he could be tried under gaming laws, and given the specifics of the case, I don't see how he could be tried under anti-hacking laws.

For a machine like that, I consider the interface the public API, and if the interface allows something that isn't specifically disallowed through some other statement or direction, I think it's fair game.

He didn't use some knowledge of internal mechanisms of the game (if his lawyer is to be believed) to exploit it, he noticed that it was incorrectly keeping the payout amount between game types with different payout multipliers, and took advantage of that fact. He learned that it was possible through using their API. In my eyes that's a critical point.


I'm kind of baffled why the feds got involved in the first place.

There's a reason why casinos have a sign on each machine that says MALFUNCTION VOIDS ALL PAYS. Normally they could catch someone taking advantage of the bug and declare the payout invalid. Obviously these payouts all passed any kind of tamper detection tests, so normal casino procedure would be to pay the man barring any other kind of funny business.


Two words: Harry Reid


Eh, that's the same type of argument that could be made for exploiting vulnerable public APIs (pass in some query that isn't sanitized, etc.). I don't know the law surrounding those types of cases, but I would hazard to guess those get prosecuted rather hard.


It's a fine grained distinction, but I think it applies there as well, to some degree. If exploiting the API requires leveraging knowledge of the underlying systems (buffer exploit, path traversal issue, etc) that aren't generally discoverable in normal usage, then that may be hacking. If it's a matter of the user discovering through normal use that through a normal set of operations that they have access to more of the same resource they already got (more money when they get some on a regular basis, in the article), then I don't think that's hacking, I think that's learning how to use the API you were presented.

Of course, I'm presenting this as what I think should be, not how it is.


Weev was sentenced to 3.5 years for simply downloading AT&T's data that was made available over a public (but obscure) API. So yes, seems like you'll get prosecuted pretty harshly.


That was a privacy violation. PII is a bit of a different fish.


What's even more ironic is that this was a video poker, not a slot.

Why is that different? Unlike a slot where the payout decision is made the moment you pull the handle, a video poker machine has a decision point. Namely, you can choose to hold or discard cards, then draw the remaining cards to determine your win. The outcome of your "slot pull" is based on this play.

In the gaming software world, video poker percentages are determined by what the different hands pay out, given optimal play. There are very few video poker players in the world that never make mistakes and play optimally. The slack comes from drunk tourists that make the wrong decisions and increase the casino's take.

Funny that THOSE mistakes are allowable, isn't it?


> I bet on the Giants -3.5. Oh, the casino has taken advantage of my misunderstanding of -3.5.

False equivalency. This isn't the casino saying 'hey, we don't know what 820-1 means', this is the guy saying to the casino 'hey, you thought that was a 2-1 win but it was really an 820-1 win' when it wasn't.

To fix your analogy, it would be if the Casino had -3.5, but when it came time to collect, they told you it was actually -350. That would also be fraud.


This is another one of those places where analogies hurt more than they help. You can come up with an analogy to mean whatever you want here, so that's not helpful, and it's not like anybody's confused about what happened.

(It's like I was in a car, and I was betting I could make the jump over the bridge, but while I was in midair the police moved the bridge...)


It is the casino's agent saying the payout is 10x what it should be. The user was merely making use of machine functions made available to him.


Bottom line: he was beating the house. There is no way that would've been "fine" to the casinos.

On the bright side for him, at least it's not the "old days" when casinos were run by the mob. From that perspective, he should be grateful to be thrown in front of a judge.


Why would it be considered fraud?

Doesn't it speak more to the lack of operational oversight of the casinos? I've never worked in the gaming industry, but I have to think they have metrics showing a flow of winnings/losings.


If you discover a reproducible flaw in a blackjack game -- the card shuffler at a certain table isn't random -- is there a penalty for that? Because just having a computer in the mix doesn't seem like it really changes the moral equation.


Blackjack already has a reproducible flaw, it is called card counting. It is not illegal, but casinos frown upon it and often ban people who are suspected of card counting. I would argue that noticing and exploiting a flaw in the blackjack card shuffler falls along the same lines. You are using meta-knowledge to reduce the house edge. But this is not what Kane did, he didn't alter his chances of winning, he altered the payout.

The real argument is not if pushing the buttons in the right order is cheating, but is it hacking? That issue seems to come down to whether or not there was an escalation of access. Did those button presses give him unauthorized access to data? He exploited a flaw to alter the payout of the game, and that is at the very least fraud. If we are using your blackjack analogy this is like he somehow Jedi mind tricked the dealer to change the payout for a 21. If I used a software exploit to get a bank computer to double my money I have no doubt that would be seen as hacking. So how is the gambling machine different?


This reads like fraud to me.

From the article:

"Now when Kane returned to Triple Double Bonus Poker, he’d find his previous $820 win was still showing. He could press the cash-out button from this screen, and the machine would re-award the jackpot. Better yet, it would re-calculate the win at the new denomination level, giving him a hand-payout of $8,200."

To me it seems analogous to placing a $1 bet on a table game, then swapping the $1 bet for a $10 bet if your wager paid out. That kind of cheating/fraud is fairly commonplace (and dealers are trained to prevent it).
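The behaviour quoted from the article, as an added Python sketch that is not part of the thread and is not the machine's actual code. It assumes a hypothetical mechanism (the last win is kept in credits, never cleared, and re-valued at the current denomination) and constructed denominations of 1 and 10 cents. The hardened variant fixes the value at award time and pays once, and `reconcile` is the ledger check that flags the double payout.

```python
from dataclasses import dataclass, field


@dataclass
class BuggyMachine:
    """Toy model of the described behaviour (assumed mechanism, hypothetical names)."""
    denom_cents: int = 1
    win_credits: int = 0              # last win, stored in credits
    win_id: int = 0
    ledger: list = field(default_factory=list)

    def award(self, credits):
        self.win_id += 1
        self.win_credits = credits
        self.ledger.append(("award", self.win_id, credits * self.denom_cents))

    def set_denomination(self, cents):
        self.denom_cents = cents      # BUG: stale win_credits survives the change

    def cash_out(self):
        paid = self.win_credits * self.denom_cents   # re-valued at payout time
        self.ledger.append(("payout", self.win_id, paid))
        return paid                   # BUG: win not cleared, can be paid again


@dataclass
class HardenedMachine:
    """Same interface; the win is a fixed cent amount that is paid exactly once."""
    denom_cents: int = 1
    win_cents: int = 0                # value frozen in cents when awarded
    win_id: int = 0
    ledger: list = field(default_factory=list)

    def award(self, credits):
        self.win_id += 1
        self.win_cents = credits * self.denom_cents
        self.ledger.append(("award", self.win_id, self.win_cents))

    def set_denomination(self, cents):
        if self.win_cents:
            raise RuntimeError("settle the pending win before changing denomination")
        self.denom_cents = cents

    def cash_out(self):
        paid, self.win_cents = self.win_cents, 0     # pay once, then clear
        if paid:
            self.ledger.append(("payout", self.win_id, paid))
        return paid


def reconcile(ledger):
    """Flag payouts that repeat a win or differ from the amount awarded."""
    awarded, paid_ids, findings = {}, set(), []
    for kind, win_id, cents in ledger:
        if kind == "award":
            awarded[win_id] = cents
        elif kind == "payout":
            if win_id in paid_ids:
                findings.append((win_id, "paid more than once", cents))
            elif awarded.get(win_id) != cents:
                findings.append((win_id, "payout differs from award", cents))
            paid_ids.add(win_id)
    return findings


def replay(machine):
    """Constructed sequence: win $820 at 1 cent, cash out, switch to 10 cents, cash out."""
    machine.award(82_000)
    first = machine.cash_out()
    machine.set_denomination(10)
    second = machine.cash_out()
    return first, second, reconcile(machine.ledger)


if __name__ == "__main__":
    for m in (BuggyMachine(), HardenedMachine()):
        print(type(m).__name__, replay(m))
```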


That doesn't sound too different from finding and exploiting a bug in an online bank.

If e.g. someone found a way to log in as other users, that would reflect poorly on the bank's security, but it wouldn't entitle them to withdraw all the money they could access, even through "a sequence of buttons that they were legally entitled to push."

I think categorizing it as hacking makes sense in that light. The issue seems to be that the current laws treat hacking as an exotic crime with federal scope, which makes the legal cases a bit quirky.


Fraud implies deception. You can't defraud a machine because it can't be deceived.


The jackpot is hand paid, so I think it's defrauding the casino staff that verifies the payout?


I agree, now that I think about it. Claiming the reward is based on winning the game, but the payout is due to a bug (which the casino is not aware of) and not a win, so it is a deception (fraud).

When I was a teenager, an ATM once reported my checking account balance had a few extra thousand dollars in it. Withdrawing that money would be fraud, even though it was a computer error. Luckily I was not a stupid teenager and I left it alone. The next day it was back to the correct value.


FYI - gaming regulators in different states deal with card counters in different ways. In NV, the casino is allowed to ask you to leave and ban you from the casino. But, not in NJ. In NJ you cannot be barred from a casino for counting cards. The casino can shuffle the deck after every hand to make the game fair again (or unfair in the right way).


Not that I agree with it in the slightest but when incrementing sequential user IDs on a website is "hacking" then the courts will find this is "hacking" just the same.


My goodness. This is such baloney. How are you going to get charged with hacking for something like this.

If anything, you can blame the guy for not being moral and telling the casino about their mistake, but he is definitely not required to.

It's the casino's fault, or the game creator, for putting out a buggy game. They should be happy to have discovered the problem and just fix it.

Should I be allowed to sue vending machine owners every time my candy doesn't drop?


Re: the morality of the situation. This guy lost a million dollars in one year playing video poker. That's an addiction and it is certainly amoral to allow someone with a gambling addiction to play in your casino. In my opinion, any moral obligation goes away when the other side is taking advantage of your addiction.


Although I do think that this guy crossed a legal line, there's no doubt that the casino would love to have him right up against that line as hard as possible.


I have this feeling that the other shoe is about to drop, and we're going to find out something big is missing from the reporting, that they had a friend working at the company.

Also, this logic:

“All these guys did is simply push a sequence of buttons that they were legally entitled to push.”

is very annoying. You can describe any illegal action as innocuous. I'm not saying this case deserves to be hacking (IMHO if you learn, say, that the sequence of cards resets every 256th turn through, more power to you), but this is a weak argument.


Not that weak. Imagine you had computer chess instead of computer poker, and imagine you discovered that if you play black and choose some special kind of Sicilian defense, the computer plays very weakly because of the bug in the algorithm and your chances of winning are greater. Is that illegal now? Would it be illegal if you played chess with a human (for a wager) and knew he's weak at certain positions and specifically played for those? Using opponent's weakness in the specific area of the game to win is a very common thing in sports, not making it illegal in casino setting is a very strong argument IMO.

Doing something like magnets is different of course because it violates implicit assumption of the playing on the machines, but just pressing buttons is not.


If he outsmarted the poker-logic, I'd say great for him. If the game always shuffled two aces next to each other, that would be fine knowledge for him to use.

He didn't use something like that, though. The payout was supposed to be $820 and by messing with the denominations he got it to be $8,200.


No, by the very rules of the game (the code), the payout was supposed to be $8200, and the machine dispensed it accordingly.

To impose criminal liability upon someone because they didn't make the assumption that the programmer/casino/manufacturer really meant for something else to happen instead is an exceptionally dangerous state of affairs.

Weev is doing 41 months right now for conspiracy to commit unauthorized access and identity fraud (possession of a list of email addresses) because his team spidered a website run by AT&T. AT&T themselves said that there was no crime and no damages, and said in court that they (AT&T) were the ones who published the data on the web.

The US Attorney felt differently, and now he's in federal prison for a few years while we try to sort out his appeal.

This is what happens when you make someone who requests data or a system state change criminally liable for that independent, autonomous system responding with data or changing to that state by its own software's defined operation. It's a blatant misapplication of responsibility.


The rules of the game are not in the code. If the bug would be the other way around, where it would suddenly payout 82$ if you'd press this sequence of buttons, the casino would definitely return the money.


>the casino would definitely return the money //

It's different. The casino provided the game.

It's like giving money to strangers. If you surprise them by giving them money that's OK, it's your money. If you surprise them by stealing from them, that's not OK.

So a game that surprises you by giving more winnings than expected is fine; a game that suddenly reduces the winnings by taking some of the money you've won is not fine.

Or another way: Sometimes I feel generous and forgo a customer the decimal part of their bill to save them trying to find the money or if they haven't enough, that's fine, it's my "game". I can't decide to take their change though.

When the giving more is built in to the game, so you play it a particular way and then you win more, that's just a game that you're winning.


I can't seem to find a source for this but I remember reading an article about Kasparov playing Deep Blue talking about how Kasparov intentionally tried to use some unpredictable moves to exploit Deep Blue's algorithm. I don't think anyone considered this cheating.


The issue is that we as a society expect the user to guess at the intent of the programmer (even when it seems obvious) instead of going by their code's behavior, which is fundamentally flawed. In the weev/ATT thing, they were even leveraging this insane duality for profit - the publishing of the email addresses by ATT was an explicit design decision for user convenience, and they relied only on obscurity and the law to protect the data. Weev and Gawker made sure that the obscurity argument was a non-starter, and we'll see about the legal one in the next few years.

I think that the casinos should have the liability, because they are the ones who deployed automatic money dispensers with poorly-designed software running on them. I don't see criminal behavior, here. If you program (or load software) onto your robot, you are responsible for when it carries out those instructions, even if you did not fully envision the consequences in advance. Same goes for replying to packets on the internet. It's impossible to rob a server of information at gunpoint.

This is DWIM carried through the machine and legally imposed onto the end-user, and that's a load of crap.


Fortunately we don't live in the wild west. If the bank forgets to lock its vault it's not free money season.

He didn't just find some way to, say, outsmart the random number generator. (And I think that would be fine: casinos encourage people to think they have found ways to beat the system, because they keep on trying them, putting more money in the casinos' pockets. If someone manages to somehow actually beat the system, good for him.) He found a bug in the payout calculator.

If you figure out a way to press buttons on an ATM that makes your withdrawal credited as a deposit, it's neither legal nor right to repeatedly exploit that. There is no "gee, I really thought it meant to do that."


You are forcing people to make assumptions about the intent of a system with a defined interface.

An ATM has but one function, assumptions about those seem reasonable (though I think laws against using them without those assumptions are unnecessary, as ATM operators are incentivized already to prevent circumstances in which they lose money). When you generalize that to remote computers, or touchscreen gaming, it becomes less reasonable to force users of those systems to assume the intent of the programmer to stay out of jail.

It's a much more elegant and workable and fair solution to simply let the rule lie with the code, which is defined formally, and let the potential negative consequences of deploying code that is not fully understood incentivize people to be careful about what they deploy for interaction with the general public (be it slots, ATMs, or networked computers).

(An aside, PLEASE stop with the terrible physical analogies about locks and vaults. They are simple straw man arguments. It is impossible to break a lock by force over the internet, or to rob a web service at gunpoint. The intent of a locked door is a safe and reasonable assumption to make, and to punish others for not making. That is simply not so on the internet - a perfect example being spidering email addresses from a public web service that was expressly configured to emit them.)


You have a nugget of a good idea, not forcing users to magically know what the system is supposed to do.

But you are being extremely disingenuous. It's blatantly obvious that if changing game modes multiplies your money by 10 it's a bug.


It is disingenuous to assume that we as a society should leave this to courts full of non-technical people to determine what is and is not disingenuous in terms of end-user assumptions about the correct workings of a system, versus letting the responsibility lie simply on the operators of that system because THEY ARE RESPONSIBLE FOR DEPLOYING IT.

The harm that this is causing is already great, and will increase tremendously. It's simply dangerous to say "it's obvious" because, while this case may or may not be, to have to make a determination of obviousness of the intent of the programmer/casino/bank/whatever, is something courts are famously bad at. You really don't want that state of affairs.


I have this feeling that the other shoe is about to drop, and we're going to find out something big is missing from the reporting, that they had a friend working at the company.

I doubt it - all that he would have had to do to discover this bug was to accidentally press "change game" at the point where it offered him the double-or-nothing, which would be easy to do if he was intending to press "no" then "change game" in quick succession.


You can describe any illegal action as innocuous.

I don't think it's black and white. Inserting money into the machine and pressing buttons is a lot more innocuous than, say, taking a screwdriver to the machine, manipulating it with an electromagnet, etc. I can't think of any way to describe those kind of manipulations in an innocuous manner.


The point is using the phrasing "inserting money into the machine and pressing buttons" is intended to distract from the actual legal question around more difficult questions of intent and liability: if someone willfully exploits a bug in a poker video game, are they guilty of a crime?


Fascinating. This reminds me of the true story of a group of friends who won nearly a million dollars by reverse-engineering video poker machines and finding flaws in the pseudo-random number generators used to select random cards. These people have given anonymous interviews and an entire description of their adventure to Kevin Mitnick for his book The Art of Intrusion. They also claim to have never been caught, thanks in part to the fact they stopped exploiting it after they won "enough" money! http://www.amazon.com/Art-Intrusion-Exploits-Intruders-Decei...


Here is an interesting anecdote from the Wikipedia page of the article's author.

His best-appreciated hack was a takeover of all of the telephone lines for Los Angeles radio station KIIS-FM, guaranteeing that he would be the 102nd caller and win the prize of a Porsche 944 S2.

When the Federal Bureau of Investigation started pursuing Poulsen, he went underground as a fugitive. When he was featured on NBC's Unsolved Mysteries, the show's 1-800 telephone lines mysteriously crashed.

http://en.wikipedia.org/wiki/Kevin_Poulsen


The reddit office was just next to Kevin's desk. Kevin is a cool guy. He's crazy smart and makes an excellent security journalist. He married his defense attorney and they have a super cute kid. And I talked to him once about the radio contest thing, because I was a teenager at the time and remember trying to win that contest.


For future reference, footnote-style notation [1] can significantly improve the clarity of your comments on sites that don't use markdown.

[1] http://www.google.com


I updated the post to strip some of the unnecessary links, thanks for the heads up.


This is going to be tough to argue from a hacking standpoint. IANAL, but a quick perusal of some of the hacking-related legislation shows that almost all federal definitions of "hacking" involve "without or exceeding authorization" (See sections (1)(a), (1)(b), and (1)(c) in the Computer Fraud & Abuse Act (CFAA) [1]). A definition of that phrase is provided at length in this pamphlet [2] put out by the Department of Justice Cybercrime division. Specifically, from the first document (section (e)(6)):

> the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

and from the second (section A.2):

> The term “without authorization” is not defined by the CFAA. The term “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

Later in the same section, it states:

> Prosecutors rarely argue that a defendant accessed a computer “without authorization” when the defendant had some authority to access that computer. However, several civil cases have held that defendants lost their authorization to access computers when they breached a duty of loyalty to the authorizing parties, even if the authorizing parties were unaware of the breach. [...] Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party. See, e.g., Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files); ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006) (same); NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1057 (S.D. Iowa 2009) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers.”).

Not sure what to make of that, as again, IANAL. Still, this is definitely not hacking in the traditional legal sense.

[1]: http://energy.gov/sites/prod/files/cioprod/documents/Compute...

[2]: http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf


Understand that the Justice department pamphlet is how they would like it to be interpreted but how it is actually interpreted is based on case law. And they provide the case law that supports their interpretation.

It will be interesting if that language gets stricken from the CFAA because it will significantly blunt this particular tool in the government's toolbox.

That said, I expect that this case will find for the defendant on the grounds that the Casinos put those machines in, they agreed to pay out any winnings. That there was a bug was IGT's issue. So the casinos will then have their losses covered by IGT's errors and omissions insurance.


I really don't like trying to judge this case with analogies to non-electronic gambling. It's not a terrible way to start thinking about the issue, but taken too far it allows someone to come up with almost arbitrary conclusions.

Rather, I think it's best to judge this by what a certain outcome would do to the greater picture.

(And now to argue for my own interpretation, which happens to use the above argument.)

I was in the middle of writing what I thought was a pretty interesting argument, when I realized...

Why the hell is the federal government even getting involved in this? I mean, I know why, but it has nothing to do with them. This is (or should be) a case about what constitutes fair play at a casino. Jumping into this and flexing the CFAA just seems beyond ridiculous.


I like this argument. When looking at the other analogies (ATM giving you too much cash, cashier giving you wrong change, etc), the missing detail is that a casino is sort of a morality-free zone for money when you think about it. The casino is given a license by the state to offer losing odds to customers, thus guaranteeing the casino a (statistical) advantage (and the gov't a cut of the profits). In other words, the casino is allowed to exploit people's greed and credulity that they can beat the odds.

And so, if there is no money-morality at a casino, I don't see why casino patrons shouldn't be allowed any exploit of whatever games the casino offers (card counting, bug exploits, etc)--barring of course any threats or injury to people. If the dealer doesn't shuffle the cards or the game has a bug, up to the gambler to take advantage of it until the casino fixes it.

So by this reasoning, creating counterfeit tokens at a casino would be considered fair-play. I actually don't see that as a problem--it does not affect legal money supplies so why should the feds or states prosecute it. Up to the casino to protect itself and develop secure tokens. I don't see why the feds were involved in that case either (of course, I understand under the current laws).

In my hypothetical world, the only things the government should be regulating are the taxes (on winnings by both sides) and the non-money aspects of casinos, such as ensuring personal safety. It's not allowed for the patron or the casino to threaten or hurt anyone based on any money transactions. Casinos can exclude patrons by refusing to allow them to play, but they can't physically interfere with them.


> Much of the cheating the Technology Division deals with comes from professionals, who will buy a used game machine, put it in their garage and plumb it for vulnerabilities.

> “They are looking to explore how they can exploit the machine from a mechanical standpoint,” says Jim Barbee, chief of the division. That means physical hacks aimed at the coin hopper or the bill reader. Software vulnerabilities like Kane’s are nearly unheard of.

Someone should sell them a fuzzing suite.


It's fun to speculate how this bug might have come about.

My suspicions are that each sub-game maintains separate state about the last game played, but that the wager amount and "has the win been paid" flag variables are global, shared between all games. When the double-or-nothing option is disabled, wins are paid immediately; but when it's enabled, that flag doesn't get set until the user either declines to double up or the result of doubling-up is determined. This leaves a window for the user to switch games, changing the wager in the process, and have the payout recalculated because the win has not been paid yet.
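The state-sharing hypothesis in the comment above, as an added Python sketch that is not part of the thread and not the vendor's code: the class names, pay multipliers and wager values are constructed. The second class binds the wager to the win and settles before navigation, and the last function checks random game switches against a payout invariant.

```python
import random
from dataclasses import dataclass

class SharedStateCabinet:
    """Hypothesised flaw: results are per-game, wager and paid flag are global."""

    def __init__(self):
        self.wager, self.credits, self.game = 1, 0, "A"
        self.win_paid = True          # global across all sub-games
        self.last_multiplier = {}     # per-game: multiplier of the last win

    def win(self, multiplier):
        # Double-up offer is pending, so payment is deferred.
        self.last_multiplier[self.game] = multiplier
        self.win_paid = False

    def change_game(self, game, wager=None):
        self.game = game
        if wager is not None:
            self.wager = wager        # flaw: allowed while a win is unpaid

    def decline_double_up(self):
        if not self.win_paid and self.game in self.last_multiplier:
            # flaw: payout uses the current global wager, not the one dealt
            self.credits += self.last_multiplier[self.game] * self.wager
            self.win_paid = True

@dataclass(frozen=True)
class PendingWin:
    multiplier: int
    wager: int                        # snapshot taken when the hand was dealt

class BoundStateCabinet:
    """Hardened: the win carries its own wager and is settled before navigation."""

    def __init__(self):
        self.wager, self.credits, self.game = 1, 0, "A"
        self.pending = None

    def win(self, multiplier):
        self.pending = PendingWin(multiplier, self.wager)

    def decline_double_up(self):
        if self.pending is not None:
            self.credits += self.pending.multiplier * self.pending.wager
            self.pending = None

    def change_game(self, game, wager=None):
        self.decline_double_up()      # leaving the offer counts as declining
        self.game = game
        if wager is not None:
            self.wager = wager

def first_violation(cabinet_cls, seed=0, rounds=200):
    """Fuzz navigation between win and settlement; first mismatching round or None."""
    rng = random.Random(seed)
    cab, expected = cabinet_cls(), 0
    for n in range(rounds):
        home, stake = cab.game, cab.wager
        multiplier = rng.choice([1, 2, 25, 800])   # constructed pay table
        cab.win(multiplier)
        expected += multiplier * stake             # invariant: wager at win time
        for _ in range(rng.randint(0, 2)):
            cab.change_game(rng.choice("ABC"), rng.choice([1, 2, 5, 10]))
        cab.change_game(home)
        cab.decline_double_up()
        if cab.credits != expected:
            return n
    return None
```

The invariant is the useful part for a test lab: every settled payout must equal the multiplier times the wager recorded when the hand was dealt, whatever screens were visited in between.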


I'd expect that there would be some central database of these machines that track their incoming and outgoing money that all the casinos feed their data into. It would seem crazy that this type of activity would go undetected to the tune of several hundred thousand. Even if payouts were tracked locally, it should have been a huge red flag. Unless the tracking that is sent over (or compared locally against baselines) is based off of in-play data and the amount exploited in the bug was never properly reported.


IANAL, but I have thought a lot about what constitutes cheating at gambling, as opposed to legal advantage play, and I think this is cheating. The key distinction, for me, is that the machine is not a game in and of itself, but an interface for offering multiple games.

(For those who didn't read the article, the scheme basically involves playing game A at the minimum wager until you get a big win, then switching to game B at a higher wager until the game B reaches a certain state, and then switching back to game A, at which point the machine would re-calculate your earlier win in game A based on your (higher) wager in game B.)

The nearest analog I can think of is switching roulette table chips between tables of different denominations. When you buy roulette chips, the croupier notes the value of a stack of 20 chips, usually $20, $100, or $500 a stack, by placing a token near the wheel. Looking at a single chip, it's impossible to tell whether the chip is worth $1, $5, or $25. And a given color chip at one table may be worth $1, while at a neighboring table it's worth $25. Table chips are marked with a letter on their face indicating which table they belong to, but croupiers don't always examine the letters, so if you slip chips between tables, you might be able to wager a low-denomination chip and be paid off in high-denomination chips. That's definitely cheating, even if the casino doesn't immediately stop you from slipping chips between games.

My general rule of thumb is that anything that happens within a game is fair play. If the exploit had been that a particular sequence of wagers would cause the random number generator to behave in a predictable way, then I'd be fine with it. But I wouldn't consider the game-selection interface to be part of the game.


This is obviously (at least it should be obvious) a business matter between the casino and the game vendor, not the user. The way this should have played out is 1) the casino notices the pattern, 2) the casino pulls the machine and scolds the vendor for shipping a bug that hurt their business, and 3) the vendor loses future contracts or resolves the issue in a way that satisfies the casino.


If you apply this same logic to coin-operated arcade games, you are breaking the law if you use the Tetris PRNG hack mentioned today (https://news.ycombinator.com/item?id=5640893) or even Pac-Man patterns (http://www.math.montana.edu/~hyde/pacman/) to "exceed your legal access" and extend your play time, thus stealing valuable quarters that would otherwise be spent by non-exploiting players.

You might even be able to apply this to games with IAP. Better not get too good at playing Super Monster Candy Time 2, buddy!


> In June, Nestor returned to Pennsylvania, and began working the exploit with a crew.

I was rooting for the guy until that sentence. Book'em Danno.


> “These guys kind of kept it a secret,” says Leavitt. “If this had got out… this would have been a bad thing for the casinos.”

I'm sure they would have pulled all the games pretty quickly if it had gotten out. Casinos take analytics seriously.


That's impossible. Gambling software is carefully regulated and approved by state gaming control boards, so there cannot be bugs.


Yes, because the only solution to state regulation failing to meet every single one of its goals is to end all regulation of everything, everywhere.


I think the point is "there cannot be bugs, so obviously he hacked it!"


Of course, hacking is evidence of a bug: the ability to be hacked.


Think of this from the point of view of people that don't know anything about computers. "bug == defect" and "hacking == magic"


The goal of regulation is regulation. Therefore it meets its goals always, every time.

(On a side note, wouldn't it be awesome if every regulatory agency posted a list of quantitative goals and produced audited quarterly and annual reports on how it is doing? What a different world that would be!)


> The goal of regulation is regulation.

If you believe that, go breathe the air in Beijing.


The goal isn't always regulation - sometimes it is, sometimes not. When the goal is regulation, however, the excuse is always consumer protection, regardless of whether the actual form that the regulations take is a good approximation of a minimal, lowest-impact way to achieve those protections.

And higher regulatory compliance costs make very good barriers to entry, so lots of entrenched interests will lobby for regulation, because the benefits are concentrated among a few players with lots of resources. By contrast, the beneficiaries of lower-regulation regimes are typically consumers and upstart firms with fewer resources. Guess which group is going to be lobbying politicians? Guess which side makes a better story for politicians to tell their constituents? Guess which side brings the actual regulatory agency heads bigger budgets, more power, and general career advancement?

It's an intrinsically unbalanced game, and what the economists call "rent-seeking" is a continually ongoing problem for most economic and political systems.

Now, how about an actual debate on how to structure an actual regulatory regime specifically, instead of painting "Regulation!!!!" with a broad brush one way or the other? Both of you sides, goodness.


Did the Beijing air regulators get fired? If not, it sounds like they're doing their job since their bosses must be pleased with their performance.

The real goals and the stated goals of government are not always the same. To find out the real goals watch how they act instead of what they say.


This case would be laughable if not for the fact that we all know the gambling associations are going to use their wealth & power to make his life hell.


I wonder what would happen if the situation were reversed. What if a machine was found to have been paying out less money on winnings than the stated rules? My guess is this would be a non-issue or at worst the casino would face a small fine.


This is a feature, not a bug.

Certainly, the Casino didn't know about it. Imagine you sign a legal document you don't 100% understand (you miss sg). Who cares? You are bound to it. The Casino didn't fully understand the "contract of the machine". Who cares?


The entire casino business model relies on bugs in the human mind.


> It takes a lot of video poker play to stumble upon a bug like that. And Kane, according to his lawyer, played a lot of video poker. “He’s played more than anyone else in the United States,” claims Leavitt. “I’m not exaggerating or embellishing. … In one year he played 12 million dollars worth of video poker” and lost about a million, he says. “It’s an addiction.”

You gotta admire this guy's commitment to quality assurance!


That's crazy. Am I "hacking" a vending machine if it gives me two candy bars instead of one? What if he had just closed his eyes and slammed the buttons and this happened? Would he be the world's foremost blind hacker? Both sides are engaged in taking as much of the other's money as possible within a set of rules, and he won.


> What if he had just closed his eyes and slammed the buttons and this happened? Would he be the world's foremost blind hacker?

That's not a very good argument. Intent matters. This guy obviously knew he had uncovered a bug, and repeatedly exploited it while attempting to hide the fact that he was doing so.

I can't speak to whether the CFAA actually will or should be interpreted to treat his actions as a crime, but it would not be an unreasonable law that did.


It's not obvious it's a bug, not at all, and it's a slippery slope to say otherwise.

Intent matters on both sides. Did the programmer intend for this bug to happen?


Huh? Through a specially designed switch back and forth between games, he manages to multiply a preexisting payout by a factor of 10. It is absurdly obvious that this was a bug.


There are signs on these machines that read "malfunction voids pay". This ultimately is a malfunction, and it is the casino's responsibility to verify before payout. Exploiting a malfunction to increase payout on an already negotiated win might be fraud, but hacking?


If I am a cashier and occasionally accidentally give out more change than I should, surely that is wholly my own problem (a fault of my own process) and not that of the person who takes the money I gave them.


I don't read Wired (tired of their lengthy narratives that always culminate with the subject cast in a holier than thou light) so I will assume this is about someone exploiting a bug left by the casino on their own systems.

Anyone who understands law care to explain how this is different than sitting at a blackjack table and the croupier just dealing up all the cards face up?


So, if it is considered "hacking" to do this, what about the first time he found the exploit? He didn't intend to do that; he just jumped the gun to get back to playing. Was that mistake a crime?


Is it stealing if a cashier gives you too much change back and you don't say anything?


Is it stealing if you cash checks on an account you know is overdrawn but don't say anything? They gave you the money, it is up to them to verify the balance on the account, right?


Shared mutable state strikes again.


I guess it's OK to steal billions of dollars from tourists, but when the tables are turned, it becomes a crime.



