Feds Realize That Exploiting A Bug In Casino Video Poker Software Is Not Hacking And Not A CFAA Violation
from the about-time dept
For years, we've talked about how casinos were able to get away with not paying people who won jackpots from electronic gambling machines, by claiming that their wins were really because of software glitches. That always seemed like a highly questionable practice, but even more questionable was filing criminal charges against winners who won because of those glitches. We talked about one such case back in 2007, and then another one in early 2011. That 2011 case involved two guys, John Kane and Andre Nestor, who had figured out a bug in some video poker software from International Game Technology, a gaming giant.
The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to "double up" (basically a double or nothing proposition on a "high card wins" bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the "payout" by 10x.
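A toy model of the flaw described above, added here as an illustration and not IGT's code: it assumes the machine remembers the last win in credits and re-pays it at the current denomination when the player returns to the game, and it leaves out the game-switch and double-up steps. The class, the method names and the 820-credit win are constructed; the hardened mode and the reconciliation check show the invariant a defender would enforce and audit.

```python
from collections import Counter

class Machine:
    """Toy model (assumed, not the vendor's code) of a machine that remembers the last win."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.denom_cents = 100          # value of one credit
        self.balance_cents = 0
        self.last_win = None            # (hand_id, credits) shown on the game screen
        self.hands = {}                 # hand_id -> cents legitimately won
        self.payouts = []               # (hand_id, cents) actually credited

    def _pay(self, hand_id, cents):
        self.balance_cents += cents
        self.payouts.append((hand_id, cents))

    def resolve_hand(self, hand_id, credits_won):
        self.hands[hand_id] = credits_won * self.denom_cents
        self.last_win = (hand_id, credits_won)
        self._pay(hand_id, self.hands[hand_id])
        if self.hardened:
            self.last_win = None        # an award is payable exactly once

    def set_denomination(self, cents):
        self.denom_cents = cents
        if self.hardened:
            self.last_win = None        # stale results never survive a rescale

    def return_to_game(self):
        # Flawed path: re-awards the remembered win at the *current* denomination.
        if self.last_win is not None:
            hand_id, credits = self.last_win
            self._pay(hand_id, credits * self.denom_cents)

def reconcile(machine):
    """Detection: hands whose total payout differs from what the hand actually won."""
    paid = Counter()
    for hand_id, cents in machine.payouts:
        paid[hand_id] += cents
    return {h: (machine.hands.get(h, 0), c) for h, c in paid.items()
            if c != machine.hands.get(h, 0)}

def run_scenario(hardened):
    m = Machine(hardened)
    m.resolve_hand("hand-1", 820)       # constructed sample win, in credits
    m.set_denomination(1000)            # credit value raised tenfold
    m.return_to_game()
    return m.balance_cents, reconcile(m)
```
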
Apparently Kane discovered this bug by accident from playing a ridiculous amount of video poker. His lawyer claims that Kane was obsessed with video poker and probably played it more than anyone. He also insists that there was no research or effort that went into this. It was just a fluke from playing so often that Kane found the bug -- and then got his buddy Nestor (and a few others) involved in using this bug to win an awful lot of money. When Nestor was arrested, he was reasonably angry about the whole thing:
“I’m being arrested federally for winning on a slot machine,” he said. “It’s just like if someone taught you how to count cards, which we all know is not illegal. You know. Someone told me that there are machines that had programming that gave a player an advantage over the house. And that’s all there is to it.…
“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”
The feds, of course, hit them with CFAA (Computer Fraud and Abuse Act) charges, the same highly questionable hacking law we've been writing so much about lately. The feds argued that Kane and Nestor "exceeded authorized access" -- one of the most troubling parts of the CFAA. The DOJ argued that:
In short, the casinos authorized defendants to play video poker. What the casinos did not do was to authorize defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.
However, the court was skeptical of this argument, and after the 9th Circuit's ruling in last year's case against David Nosal, where they said that merely violating an employer's computer use policy did not mean you had exceeded authorized access, the court asked the DOJ to explain how the CFAA still applied in light of the Nosal ruling.
Apparently, the DOJ realized that the CFAA charges no longer made sense and, yesterday afternoon, dropped those charges. In a simple filing with no explanation, the DOJ asks the court to dismiss the two CFAA-related charges in the indictment. Kane and Nestor still face a single wire fraud charge, but that's much less of a threat than the CFAA charges. At the very least, it's good to see increasing pushback on the DOJ for its regular abuse of the CFAA to pile on charges.
Filed Under: andre nestor, casinos, cfaa, doj, exceed authorized access, hacking, john kane, las vegas, video poker
Companies: international game technology
Reader Comments
If you start to win serious amounts of money you get kicked out of the Casino, or arrested in this case.
If you lose (which you're highly likely to, as all the games are statistically rigged against you, so that the longer you play the more likely you are to lose money) then they won't kick you out, because you're their ATM.
[ link to this | view in thread ]
Doi!
[ link to this | view in thread ]
There was a recent gold duplication bug in Diablo 3.
http://www.escapistmagazine.com/news/view/123838-Gold-Dupe-Bug-Forces-Diablo-3-Auction-House-Offline
Would the feds want to charge players who exploited this bug with the CFAA?
[ link to this | view in thread ]
Quite obscure complex bug = anomaly!
Whatever. Main point is that this affects, as anomalies do, only the few involved.
Meanwhile, the get-rich-quick lure of gambling strips millions daily from saps.
[ link to this | view in thread ]
Re: Quite obscure complex bug = anomaly!
None of that really matters, the point was the CFAA was being used to charge him for something that was just an exploit that required no tampering with the machine whatsoever.
Also I don't care about those millions of saps. They had a choice, they chose to gamble.
[ link to this | view in thread ]
I think I've had my daily allowance of stupid for today.
[ link to this | view in thread ]
Were the machines inspected?
[ link to this | view in thread ]
Re:
Not what I would call "textbook example of hacking". Now THIS is a textbook example of hacking. But it isn't criminal so long as you have authorized access to the machine that you exploit.
http://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd.html
[ link to this | view in thread ]
Re: Quite obscure complex bug = anomaly!
So blue, wanna tell me which, if any, of those steps is illegal? I'll give you a hint. The answer is spelled N-O-N-E.
[ link to this | view in thread ]
Wire fraud under Section 1349: "shall be fined under this title or imprisoned not more than 20 years, or both." The CFAA charges were either 5 or 10 years. How is wire fraud "much less of a threat than the CFAA charges"? I know you like evidence, so what's yours for making this claim?
[ link to this | view in thread ]
Re: Re:
They did in fact, do exactly what you say here:
"did not feed the machine a properly malformed sequence of bytes which was designed to trick it into doing something it wasn't designed to do"
This is exactly what was done. They gave it a sequence of input (which will eventually be translated to bytes, not that the bit organization matters to anything) that was specifically designed to trick the system into doing something it wasn't designed to do.
[ link to this | view in thread ]
Re:
It took 10 charms to make a bracelet and it took hundreds of these bracelets to buy things in game (pets, mounts, stuff needed for all of the achievements.)
Not every mob killed resulted in a charm being obtained, so farming these charms (which were Bind on Pickup...the bracelets were able to be sold on the AH..) required a fast repopulating mob that was easy to kill.
I remember it like yesterday....
There is a raid named "Ulduar" that has this vehicle mechanic at the beginning in which there are pillars of Dark Iron dwarves that constantly spawn until you use the vehicles to break down the pillars.
You guessed it, just killing the Dark Iron dwarves themselves spawned these charms like crazy.
4 people, 4 vehicles (because you needed a raid to go in there, and you could get charms for when other people killed something as well.)
We made "WoW Bank" until they hotfixed it the next day.
I would be turned off of gaming forever if they pressed charges....
[ link to this | view in thread ]
Re: Re: Re:
You may need to brush up on your terminology. A rootkit is installed by someone who does not have authorized access to the machine. If you had authorized access, you wouldn't need the rootkit! In fact, the very act of installing files can be considered exceeding authorized access if you were not authorized to install files on that machine.
In contrast, the individuals caught exploiting this bug were authorized to push the buttons they were pushing. No one said they were not authorized to push those buttons in some specific order. They did not impersonate anyone by pushing those buttons. They did not engage in privilege escalation to have access to the system that they were not authorized to have.
[ link to this | view in thread ]
Re: Re: Re:
The video poker machine did exactly what it was designed to do. Users press the buttons that the casino allows them to press. Software processes the button presses. When certain conditions are met, money spews forth. This is the design and this is what happened.
Had the developer screwed up the odds and the machine had started to pay out far more than was intended, do you think the casino would have grounds for telling the winners "sorry, you were exploiting a bug in the software, give back your winnings"?
[ link to this | view in thread ]
Where's the line?
If a slot machine had a bug that erroneously resulted in a jackpot payout every time you played, you'd hardly be a criminal for playing that machine.
On the other hand if the bug is more complex, such that say you had to push a long sequence of buttons in a precise order to force the machine into some sort of test mode, from which you could then force a payout, that seems to cross a line. What if you only knew about this because you had detailed inside knowledge of the machines (but had not planted the bug yourself)? What if you had this knowledge not as an insider, but because you had studied the machines for this purpose?
[ link to this | view in thread ]
Re: Where's the line?
There's people that do that, with machines, lotto tickets, everything, cause there IS a method to the madness, and they're actually successful.
People don't hunt them and make them pay the money back however, because it's legal.
Much like he said, Card Counting is legal, while a casino can BAN you from the casino for card counting, they cannot prosecute you for it.
[ link to this | view in thread ]
Re: Re: Where's the line?
No other place in the world makes card counting illegal.
[ link to this | view in thread ]
He basically used a "light wand" to blind the sensor on slot machines to make any winning play pay out as much as $500, depending on how much money was in the machine.
At least the casinos that "Mr D" hit with his light wand scheme have the good sense not to have him prosecuted under CFAA, and are having him prosecuted under state laws on the matter instead.
[ link to this | view in thread ]
Re:
I'm wondering exactly how you know them to be rigged?
[ link to this | view in thread ]
Re: Re: Re: Where's the line?
The only reason it is illegal is because of the corrupt officials in Nevada.
[ link to this | view in thread ]
Re: Re: Re: Where's the line?
> only jurisdiction in the world that makes card counting illegal.
It most certainly is not illegal. The Nevada Supreme Court ruled conclusively that a player who uses nothing but his own innate ability, unassisted by technology or collaboration with others, cannot be prosecuted for cheating at a casino game.
[ link to this | view in thread ]
Re: Re: Re: Re: Where's the line?
You cannot be prosecuted for unassisted card counting.
As long as you do it all in your head, and are not signalling the count to other players, it is 100% legal. You are not allowed to use a device to ASSIST you in counting. That's what's considered cheating, and that will get you prosecuted. Raising your bet because the count is high is not signalling other players. But say if you counted and sat in first base, and bet one denomination for high count, and a different one for low count (both small) and the other players were making their decisions based on that, that's cheating. Counting is legal when done only for yourself, and without using anything but your own head to track it.
But casinos are allowed to bar advantage players, whether they are cheating or not. Gambling is a privilege, not a right.
If someone is making it big counting cards, it affects the casino's bottom line. Once they determine you are in fact advantage playing, and not just lucky, expect to get barred if you are costing them too much money. Advantage playing video poker (certain full pay games can be done) is just too slow a grind, and it's easy to make mistakes, so that's generally not bothered with. But if there was one with high enough stakes, it might be an issue.
Casinos very rarely bar non advantage players that aren't cheating, even if they are winning, because seeing people win makes others want to play, and lose. And if the player is barred, they can't lose their money back to the casino. Fairly often, lucky big winners end up losing it ALL back if they don't take the money and run.
[ link to this | view in thread ]