Feds Realize That Exploiting A Bug In Casino Video Poker Software Is Not Hacking And Not A CFAA Violation

from the about-time dept

For years, we've talked about how casinos were able to get away with not paying people who won jackpots from electronic gambling machines, by claiming that their wins were really because of software glitches. That always seemed like a highly questionable practice, but even more questionable was filing criminal charges against winners who won because of those glitches. We talked about one such case back in 2007, and then another one in early 2011. That 2011 case involved two guys, John Kane and Andre Nestor, who had figured out a bug in some video poker software from International Game Technology, a gaming giant.

The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to "double up" (basically a double or nothing proposition on a "high card wins" bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the "payout" by 10x.
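The two effects described above, a win that is paid again and a win recalculated at a new denomination, both break simple accounting invariants that an audit of a machine's event log can check. The following Python is an added example, not code from the article or from IGT; the event kinds, field names and sample log are constructed for illustration.

```python
"""Audit a video-poker event log for the two effects the article describes:
a win that is paid again, and a win recalculated at a different denomination.
Event kinds and field names are hypothetical; SAMPLE_LOG is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int           # position in the machine's log
    kind: str          # "denom", "wager", "payout"; other kinds are ignored
    hand_id: int = 0   # hand a wager or payout refers to
    credits: int = 0   # payout only: size of the win in credits
    cents: int = 0     # denom: cents per credit; payout: cents actually paid


def audit(events):
    """Return (seq, reason) for every payout that breaks an invariant."""
    denom = None       # denomination currently selected
    wager_denom = {}   # hand_id -> denomination in effect at wager time
    paid = set()       # hands that have already been paid
    findings = []
    for e in sorted(events, key=lambda ev: ev.seq):
        if e.kind == "denom":
            denom = e.cents
        elif e.kind == "wager" and denom is not None:
            wager_denom[e.hand_id] = denom
        elif e.kind == "payout":
            # Invariant 1: a hand's win is paid at most once.
            if e.hand_id in paid:
                findings.append((e.seq, "hand paid more than once"))
            paid.add(e.hand_id)
            # Invariant 2: the win is valued at the wager-time denomination,
            # not at whatever denomination is selected when it is paid.
            if e.hand_id not in wager_denom:
                findings.append((e.seq, "payout without matching wager"))
            elif e.cents != e.credits * wager_denom[e.hand_id]:
                findings.append((e.seq, "payout not at wager-time denomination"))
    return findings


# Constructed log: hand 1 wins 800 credits at $1 and is paid correctly, then
# the same win is paid again after the denomination is raised to $10.
SAMPLE_LOG = [
    Event(1, "denom", cents=100),
    Event(2, "wager", hand_id=1),
    Event(3, "payout", hand_id=1, credits=800, cents=80_000),
    Event(4, "game_switch"),
    Event(5, "wager", hand_id=2),
    Event(6, "denom", cents=1000),
    Event(7, "game_switch"),
    Event(8, "payout", hand_id=1, credits=800, cents=800_000),
]

if __name__ == "__main__":
    for seq, reason in audit(SAMPLE_LOG):
        print(f"event {seq}: {reason}")
```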

Apparently Kane discovered this bug by accident from playing a ridiculous amount of video poker. His lawyer claims that Kane was obsessed with video poker and probably played it more than anyone. He also insists that there was no research or effort that went into this. It was just a fluke from playing so often that Kane found the bug -- and then got his buddy Nestor (and a few others) involved in using this bug to win an awful lot of money. When Nestor was arrested, he was reasonably angry about the whole thing:

> “I’m being arrested federally for winning on a slot machine,” he said. “It’s just like if someone taught you how to count cards, which we all know is not illegal. You know. Someone told me that there are machines that had programming that gave a player an advantage over the house. And that’s all there is to it.…
>
> “Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”

The feds, of course, hit them with CFAA (Computer Fraud and Abuse Act) charges, the same highly questionable hacking law we've been writing so much about lately. The feds argued that Kane and Nestor "exceeded authorized access" -- one of the most troubling parts of the CFAA. The DOJ argued that:

> In short, the casinos authorized defendants to play video poker. What the casinos did not do was to authorize defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.

However, the court was skeptical of this argument, and after the 9th Circuit's ruling in last year's case against David Nosal, where they said that merely violating an employer's computer use policy did not mean you had exceeded authorized access, the court asked the DOJ to explain how the CFAA still applied in light of the Nosal ruling.

Apparently, the DOJ realized that the CFAA charges no longer made sense and, yesterday afternoon, dropped those charges. In a simple filing with no explanation, the DOJ asks the court to dismiss the two CFAA-related charges in the indictment. Kane and Nestor still face a single wire fraud charge, but that's much less of a threat than the CFAA charges. At the very least, it's good to see increasing pushback on the DOJ for its regular abuse of the CFAA to pile on charges.

Filed Under: andre nestor, casinos, cfaa, doj, exceed authorized access, hacking, john kane, las vegas, video poker
Companies: international game technology


Reader Comments

  1. mikez, 8 May 2013 @ 11:55am

    This case is another example of the DOJ doing the work of a large corporation with no interest to the actual law. The issue here shouldn't be with the guys that were exploiting the bug, the casino(s) should be pursuing the issue with the company that wrote the software in civil court.

  2. crade, 8 May 2013 @ 11:56am

    Intentionally exploiting what you know to be a software bug for commercial gain? If that's not hacking what is? It's practically a textbook example.

  3. Anonymous Coward, 8 May 2013 @ 11:57am

    Yet another reason why you'd be an idiot to waste your time and money gambling at a casino.

    If you start to win serious amounts of money you get kicked out of the Casino, or arrested in this case.

    If you lose (which you're highly likely to, as all the games are statistically rigged against you, so that the longer you play the more likely you are to lose money) then they won't kick you out, because you're their ATM.

  4. crade, 8 May 2013 @ 12:01pm

    Re:

    Not that there's anything wrong with that of course.. :) Gotta keep the lazy devs honest somehow.

  5. Zakida Paul, 8 May 2013 @ 12:03pm

    Doi!

    Well, give them a Blue Peter badge.

  6. Anonymous Coward, 8 May 2013 @ 12:09pm

    the next thing you'll be telling us is that those at the DoJ learned to count and to read as well!!

  7. Rikuo, 8 May 2013 @ 12:18pm

    I wonder.

    There was a recent gold duplication bug in Diablo 3.
    http://www.escapistmagazine.com/news/view/123838-Gold-Dupe-Bug-Forces-Diablo-3-Auction-House-Offline

    Would the feds want to charge players who exploited this bug with the CFAA?

  8. out_of_the_blue, 8 May 2013 @ 12:38pm (flagged by the community)

    Quite obscure complex bug = anomaly!

    I guess that Mike is sorta right. Throw him a bone. -- IF the facts hold up as stated, but the bug sounds so complex that I can't believe it was found by playing. -- OR if so, then I've no sympathy for an addicted gambler.

    Whatever. Main point is that this affects, as anomalies do, only the few involved.

    Meanwhile, the get-rich-quick lure of gambling strips millions daily from saps.

  9. Anonymous Coward, 8 May 2013 @ 12:44pm

    Re: Quite obscure complex bug = anomaly!

    OOTB misses point of article yet again. News at 11.

    None of that really matters, the point was the CFAA was being used to charge him for something that was just an exploit that required no tampering with the machine whatsoever.

    Also I don't care about those millions of saps. They had a choice, they chose to gamble.

  10. Anonymous Coward, 8 May 2013 @ 12:48pm

    video poker is okay. Internet poker is illegal.
    I think I've had my daily allowance of stupid for today.

  11. Anonymous Coward, 8 May 2013 @ 12:53pm

    Were the machines inspected?

    If he stumbled across the bug is one thing. Now if a software developer intentionally placed it there to be exploited is another. Hopefully, the gaming board inspected this and several of these machine types to determine if there was tampering before charges were filed.

  12. DCX2, 8 May 2013 @ 1:02pm

    Re:

    The exploiters did not exceed the authorized limit of their usage. They did not install files on the machine or otherwise modify it. They did not touch buttons or knobs that they were not allowed to touch. They did not feed the machine a properly malformed sequence of bytes which was designed to trick it into doing something it wasn't designed to do.

    Not what I would call "textbook example of hacking". Now THIS is a textbook example of hacking. But it isn't criminal so long as you have authorized access to the machine that you exploit.

    http://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd.html

  13. ChrisH, 8 May 2013 @ 1:02pm

    I've said it a million times. The DOJ's interpretation of the CFAA (and other laws) is meaningless if it disagrees with previous court opinions.

  14. Anonymous Coward, 8 May 2013 @ 1:04pm

    It's a shame that the teeth are being pulled from this fine piece of legislation that may have actually provided for a fitting punishment for call of duty cheats.

  15. Anonymous Coward, 8 May 2013 @ 1:14pm

    Re: Quite obscure complex bug = anomaly!

    I have found complex bugs in computer games I enjoy playing. I see it no differently than him and video poker. The fact that you have no sympathy for a person being charged for a crime that doesn't apply is no surprise though.

  16. Rikuo, 8 May 2013 @ 1:26pm

    Re: Quite obscure complex bug = anomaly!

    "The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to "double up" (basically a double or nothing proposition on a "high card wins" bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the "payout" by 10x. "

    So blue, wanna tell me which, if any, of those steps is illegal? I'll give you a hint. The answer is spelled N-O-N-E.

  17. Anonymous Coward, 8 May 2013 @ 2:44pm

    Kane and Nestor still face a single wire fraud charge, but that's much less of a threat than the CFAA charges.

    Wire fraud under Section 1349: "shall be fined under this title or imprisoned not more than 20 years, or both." The CFAA charges were either 5 or 10 years. How is wire fraud "much less of a threat than the CFAA charges"? I know you like evidence, so what's yours for making this claim?

  18. crade, 8 May 2013 @ 3:03pm

    Re: Re:

    Well that's silly. By this definition, if you did it with the access you were provided, you did not exceed the authority limit of the usage. If you are able to install files (by exploiting from rootkit bug or whatever) then it is within your authorized limit.

    They did in fact, do exactly what you say here:
    "did not feed the machine a properly malformed sequence of bytes which was designed to trick it into doing something it wasn't designed to do"

    This is exactly what was done. They gave it a sequence of input (which will eventually be translated to bytes, not that the bit organization matters to anything) that was specifically designed to trick the system into doing something it wasn't designed to do.

  19. Anonymous Coward, 8 May 2013 @ 3:07pm

    Re:

    I remember during the "Love is in the Air" event a couple of years ago in WoW. They had just redone the event, and you could collect these 'charms' when killing mobs.

    It took 10 charms to make a bracelet and it took hundreds of these bracelets to buy things in game (pets, mounts, stuff needed for all of the achievements.)

    Not every mob killed resulted in a charm being obtained, so farming these charms (which were Bind on Pickup...the bracelets were able to be sold on the AH..) required a fast repopulating mob that was easy to kill.

    I remember it like yesterday....

    There is a raid named "Ulduar" that has this vehicle mechanic at the beginning in which there are pillars of Dark Iron dwarves that constantly spawn until you use the vehicles to break down the pillars.

    You guessed it, just killing the Dark Iron dwarves themselves spawned these charms like crazy.

    4 people, 4 vehicles (because you needed a raid to go in there, and you could get charms for when other people killed something as well.)

    We made "WoW Bank" until they hotfixed it the next day.

    I would be turned off of gaming forever if they pressed charges....

  20. DCX2, 8 May 2013 @ 3:31pm

    Re: Re: Re:

    No, *they* did not create those bytes. The developer of the machine they were exploiting created those bytes by virtue of the program on the machine. Look at that link again - iZsh is actually writing those bytes himself (or rather, his compiler generates the bytes, but the point is, he is writing the code that eventually results in generated bytes of information). Those who exploited the video poker software wrote no bytes themselves.

    You may need to brush up on your terminology. A rootkit is installed by someone who does not have authorized access to the machine. If you had authorized access, you wouldn't need the rootkit! In fact, the very act of installing files can be considered exceeding authorized access if you were not authorized to install files on that machine.

    In contrast, the individuals caught exploiting this bug were authorized to push the buttons they were pushing. No one said they were not authorized to push those buttons in some specific order. They did not impersonate anyone by pushing those buttons. They did not engage in privilege escalation to have access to the system that they were not authorized to have.

  21. DCX2, 8 May 2013 @ 3:39pm

    Re: Re: Re:

    I would also argue that whether or not the video poker software does what the original developer intended for it to do is entirely separate from what it was designed to do. Computers do exactly what programmers tell them to do.

    The video poker machine did exactly what it was designed to do. Users press the buttons that the casino allows them to press. Software processes the button presses. When certain conditions are met, money spews forth. This is the design and this is what happened.

    Had the developer screwed up the odds and the machine had started to pay out far more than was intended, do you think the casino would have grounds for telling the winners "sorry, you were exploiting a bug in the software, give back your winnings"?

  22. Anonymous Coward, 8 May 2013 @ 3:42pm

    Where's the line?

    I think there's an interesting gray area here about just when an exploit becomes criminal.

    If a slot machine had a bug that erroneously resulted in a jackpot payout every time you played, you'd hardly be a criminal for playing that machine.

    On the other hand if the bug is more complex, such that say you had to push a long sequence of buttons in a precise order to force the machine into some sort of test mode, from which you could then force a payout, that seems to cross a line. What if you only knew about this because you had detailed inside knowledge of the machines (but had not planted the bug yourself)? What if you had this knowledge not as an insider, but because you had studied the machines for this purpose?

  23. Anonymous Coward, 8 May 2013 @ 3:59pm

    Re: Where's the line?

    Then you can win until they fix it.

    There's people that do that, with machines, lotto tickets, everything, cause there IS a method to the madness, and they're actually successful.

    People don't hunt them and make them pay the money back however, because it's legal.

    Much like he said, Card Counting is legal, while a casino can BAN you from the casino for card counting, they cannot prosecute you for it.

  24. Anonymous, 8 May 2013 @ 4:40pm

    According to the new "Iron Man" movie, people don't say "hack" anymore. So what DO they say?! Sure seems like people still say hack.

  25. Anonymous Coward, 8 May 2013 @ 4:40pm

    Re: Re: Where's the line?

    Card counting is illegal in Nevada, though Nevada is the only jurisdiction in the world that makes card counting illegal. It is considered a form of cheating, punishable by up to 6 years in jail and $10,000 in fines, like any other form of cheating, if they can prove you were counting cards.

    No other place in the world makes card counting illegal.

  26. Anonymous Coward, 8 May 2013 @ 4:46pm

    It's amazing they don't bring CFAA charges against one of the biggest slot machine cheats of all times, known as "Mr D", whom it took 30 years for the casinos to finally catch up with.

    He basically used a "light wand" to blind the sensor on slot machines to make any winning play pay out as much as $500, depending on how much money was in the machine.

    At least the casinos that "Mr D" hit with his light wand scheme have the good sense not to have him prosecuted under CFAA, and are having him prosecuted under state laws on the matter instead.

  27. Ferel, 8 May 2013 @ 6:13pm

    Re: Re:

    Blizzard deals with most game exploits the easy way: account ban or suspension, depending on severity and how quick they hotfixed it. To my knowledge, Blizz has only gone legal against players for modifying the game client's code and hosting private World of Warcraft servers (the latter for attracting unsubscribed players, IIRC).

  28. harbingerofdoom, 8 May 2013 @ 10:30pm

    Re:

    curious....exactly what are your credentials concerning the operations of gaming machines within the state of nevada?

    im wondering exactly how you know them to be rigged?

  29. FarSide, 9 May 2013 @ 6:00am

    Re: Re: Re: Re:

  30. Anonymous Coward, 9 May 2013 @ 6:32am

    Re: Re:

    In the UK all gaming machines have to pay out a minimum of 70% of the intake. If they are not rigged then how do they keep within the legal limit?

  31. Anonymous Coward, 9 May 2013 @ 6:37am

    Re: Re: Re: Where's the line?

    Counting cards is not illegal, it's the way to play the game.

    The only reason it is illegal is because of the corrupt officials in Nevada.

  32. btr1701, 9 May 2013 @ 7:38am

    Re: Re: Re: Where's the line?

    > Card counting is illegal in Nevada, though Nevada is the
    > only jurisdiction in the world that makes card counting illegal.

    It most certainly is not illegal. The Nevada Supreme Court ruled conclusively that a player who uses nothing but his own innate ability, unassisted by technology or collaboration with others, cannot be prosecuted for cheating at a casino game.

  33. Bengie, 9 May 2013 @ 8:33am

    Re:

    What do you think High Frequency Trading does thousands of times per second?

  34. late2p, 17 May 2013 @ 8:05am

    All these online gambling sites and a fair amount of betting sites are a scam. The lack of physical gambling in this area is really hurting thanks to this online explosion. I'd rather gamble in person and have a shot at taking home winnings, rather than gamble online with the knowledge I won't be able to cash out once the automatic website algorithm hits and I start mysteriously losing.

  35. alex123, 13 Aug 2013 @ 7:40pm

    Helow

    Can I simply just say what a relief to uncover a person that genuinely knows what they are talking about on the web. You actually know how to bring an issue to light and make it important. A lot more people need to read this and understand this side of your story. I was surprised that you're not more popular because you surely have the gift.
    Sbobet

  36. Dave Miller, 30 Apr 2014 @ 6:59pm

    Your post was really informative and very insightful about the online casino websites. I am very glad to read the content of this post in which you wrote how to begin playing casino games for the first time in the websites. I am sure it will help out many newcomers and here I would also like to introduce everyone to my brilliant online casino website where all the players can take advantage of exciting bonuses and play for profitable jackpots.

  37. loriel, 11 Nov 2014 @ 6:19am

    nice post

    The post contains really beneficial information that will satisfy readers and can clarify things upon. You have you a nice way of presenting certain issue and seems to be so qualified

  38. game gratis, 22 May 2016 @ 8:34am

    nice information.

  39. Charles Cochems, 26 Apr 2019 @ 5:27pm

    Re: Re: Re: Re: Where's the line?

    You cannot be prosecuted for unassisted card counting.

    As long as you do it all in your head, and are not signalling the count to other players, it is 100% legal. You are not allowed to use a device to ASSIST you in counting. That's what's considered cheating, and that will get you prosecuted. Raising your bet because the count is high is not signalling other players. But say if you counted and sat in first base, and bet one denomination for high count, and a different one for low count (both small) and the other players were making their decisions based on that, that's cheating. Counting is legal when done only for yourself, and without using anything but your own head to track it.

    But casinos are allowed to bar advantage players, whether they are cheating or not. Gambling is a privilege, not a right.

    If someone is making it big counting cards, it affects the casino's bottom line. Once they determine you are in fact advantage playing, and not just lucky, expect to get barred if you are costing them too much money. Advantage playing video poker (certain full pay games can be done) is just too slow a grind, and it's easy to make mistakes, so that's generally not bothered with. But if there was one with high enough stakes, it might be an issue.

    Casinos very rarely bar non advantage players that aren't cheating, even if they are winning, because seeing people win makes others want to play, and lose. And if the player is barred, they can't lose their money back to the casino. Fairly often, lucky big winners end up losing it ALL back if they don't take the money and run.

  40. William Delao, 5 Aug 2020 @ 12:12pm

    Slotmode

    In Smash the Pig, this piggy is loaded with cash! Trigger the Pick a Pig Bonus and choose a pig to win random multipliers – up to 20x! Or you might win another pick, win all the prizes on the screen, or trigger the Pig Smashing Bonus, where you smash pigs until the Luck Meter runs out. If you smash all the pigs and have some luck left, you win additional pigs to smash! https://slotmode.guide/slots/smash-the-pig-igt/
