> But the casino had been suspicious, and Kane didn’t collect the last win
Bad move!
This reminds me of Louis Colavecchio. He made quite a lot of money off Atlantic City casinos using counterfeit slot machine tokens. The casinos KNEW they were being ripped off by a counterfeiter, because their token counts at the end of the day were coming in consistently high, but they were stymied because they could not tell which tokens were counterfeit. That made it hard to even get started tracking their origin. Even the token manufacturers were not able to determine which of a set of tokens were authentic and which were counterfeit. [1]
Colavecchio's downfall came one day when he was playing a machine, and it jammed, eating his token. He simply moved to the next machine, and continued playing. That caught the attention of the guard watching that row of machines on the security camera. These machines were something like $10 or $25 per play machines. When a legitimate gambler has a token of that value eaten by a machine, they don't just let it go and move on to another machine. They report it and make a fuss until they get their money back. The guard realized that one person who would just move on would be the counterfeiter--he would not want to draw attention to himself by making a fuss, and psychologically would think of his tokens as only worth a few cents and so would not be upset at losing one.
With that lead, they were able to watch Colavecchio and get enough evidence to nail him.
[1] Years after Colavecchio was caught and convicted, his counterfeit tokens remained in circulation in Atlantic City casinos, because they never did figure out a way to tell which were real and which were Colavecchio's.
Though, that wasn't my reading of "Kane didn’t collect the last win." I read it as "the casino didn't pay him for the win because they suspected him of hacking/cheating."
It could be either one though. Now I'm not really sure.
Cool story. For the curious, "Sentenced to seven years, Colavecchio was released in 2006. He was re-arrested by the FBI only a few months later having resumed his activities, and released on a $25,000 surety bond"
Wow, while this may be acting on stereotypes, I am surprised and have to hand it to the security guard who worked through that train of logic on the fly.
This is like watching game speedrunners exploit glitches in the game to get a better time, and then hearing laypeople complain about it not being a "real" run. If it's all done within the context of the system, then it's fair.
In game speedruns, the context is: "Beat this game as fast as possible with the following restrictions (no cheats, 100% completion not necessary, etc) using the provided input system."
If I go to a casino, the context of playing a slot machine is: "Put real money into this machine and press buttons on it until you run out of money or leave." There aren't any implicit rules like, "some combination of button presses are not allowed".
Let the player have his money, patch the bug and move on.
In complete agreement. This is no different than me just coming up with a crummy game to begin with. Let's say I run a casino and accidentally set up a modified game of blackjack where the odds favor the customers instead of the house. Customers merely playing this game is "exploiting" a bug. Should I be able to sue them? (BTW a couple of months ago this happened with mis-shuffled decks) The premise of this game is to get people to risk their money, I can't whine when it backfires on me and I lose instead of them! I certainly don't get to sue the casino for exploiting my gambling addiction or the fact that I had a little too much to drink before my last bet.
Look, let's be honest here: casinos are nothing more than legal (and sure, transparent) scams, plain and simple (at least when it's house vs. customer and not customer vs. customer). The rules are systematically designed to drain you of your money while tricking you into thinking you might win. And I have absolutely no problem with that. I am a free market guy, and as far as I'm concerned gambling is voluntary. HOWEVER, if you are going to dedicate your business to literally ruining people's lives and profiting from their losses, then suck it up when you are too stupid and your con backfires on you. Don't get the law involved, and thus my taxpayer dollars, to save you from your unsuccessful grift. This is as absurd as an idiot running a faulty Ponzi scheme and then suing his marks because they made money and he didn't.
By the same argument, the context of using the internet is "send packets, receive replies". There aren't any implicit rules like "sending a specific field that is larger than expected (as to overrun a fixed-size buffer) is not allowed".
(FWIW, I agree with you. It is impossible to forcibly break into a computer over the network.)
The catch with this case is that the game involved is overtly a simulation of a physical game, and the only purpose of the simulation is to increase the efficiency for the casino to let more players play a known physical game more quickly, not to change the nature of the game itself. You can make the case that places where the simulation diverges from the physical game were clearly unintended and should be obvious to players to be bugs, not part of the rules of the game, and hence unfair for gamers (or, likewise, casinos) to exploit since they were stepping beyond the bounds of fair play.
I'm not sure how strong this argument is but it's clearly different than just saying it's like a speedrun. Just because the medium is virtual doesn't mean you aren't entering into an implicit contract to play by the rules of poker.
That's interesting, because in most games the people who exploit bugs in a game are banned/removed/punished. It's standard practice in online games to punish those who use the game in an unintended but presented way (exploit bugs).
He didn't use the bug to win but rather change the payout. If it was a logic bug causing him to win against the machine I would say he was fine, however this bug allowed him to change the payout amount, which is fraud. It is really no different than if the machine printed out the amount on a ticket and he forged a different amount on it before he turned it in.
I bet on the Giants -3.5. Oh, the casino has taken advantage of my misunderstanding of -3.5. They have escalated access to my money based upon my mistake. Have they committed fraud? Do I get my money back? Do I get to change my bet after the fact? Of course not.
They put out a machine which was giving away money. The guy did nothing other than put money in the machine and push the buttons.
If Vegas had to return all the money to the gamblers who made mistakes, it would just be a desert again.
Bottom line: he was beating the house. There is no way that would've been "fine" to the casinos.
On the bright side for him, at least it's not the "old days" when casinos were run by the mob. From that perspective, he should be grateful to be thrown in front of a judge.
Doesn't it speak more to the lack of operational oversight of the casinos? I've never worked in the gaming industry, but I have to think they have metrics showing a flow of winnings/losings.
If you discover a reproducible flaw in a blackjack game -- the card shuffler at a certain table isn't random -- is there a penalty for that? Because just having a computer in the mix doesn't seem like it really changes the moral equation.
Blackjack already has a reproducible flaw, it is called card counting. It is not illegal, but casinos frown upon it and often ban people who are suspected of card counting. I would argue that noticing and exploiting a flaw in the blackjack card shuffler falls along the same lines. You are using meta-knowledge to reduce the house edge. But this is not what Kane did, he didn't alter his chances of winning, he altered the payout.
The real argument is not if pushing the buttons in the right order is cheating, but is it hacking? That issue seems to come down to whether or not there was an escalation of access. Did those button presses give him unauthorized access to data? He exploited a flaw to alter the payout of the game, and that is at the very least fraud. If we are using your blackjack analogy this is like he somehow Jedi mind tricked the dealer to change the payout for a 21. If I used a software exploit to get a bank computer to double my money I have no doubt that would be seen as hacking. So how is the gambling machine different?
I have this feeling that the other shoe is about to drop, and we're going to find out something big is missing from the reporting, that they had a friend working at the company.
Also, this logic:
“All these guys did is simply push a sequence of buttons that they were legally entitled to push.”
is very annoying. You can describe any illegal action as innocuous. I'm not saying this case deserves to be hacking (IMHO if you learn, say, that the sequence of cards resets every 256th turn through, more power to you), but this is a weak argument.
Not that weak. Imagine you had computer chess instead of computer poker, and imagine you discovered that if you play black and choose some special kind of Sicilian defense, the computer plays very weakly because of the bug in the algorithm and your chances of winning are greater. Is that illegal now? Would it be illegal if you played chess with a human (for a wager) and knew he's weak at certain positions and specifically played for those? Using opponent's weakness in the specific area of the game to win is a very common thing in sports, not making it illegal in casino setting is a very strong argument IMO.
Doing something like magnets is different of course because it violates implicit assumption of the playing on the machines, but just pressing buttons is not.
The issue is that we as a society expect the user to guess at the intent of the programmer (even when it seems obvious) instead of going by their code's behavior, which is fundamentally flawed. In the weev/ATT thing, they were even leveraging this insane duality for profit - the publishing of the email addresses by ATT was an explicit design decision for user convenience, and they relied only on obscurity and the law to protect the data. Weev and Gawker made sure that the obscurity argument was a non-starter, and we'll see about the legal one in the next few years.
I think that the casinos should have the liability, because they are the ones who deployed automatic money dispensers with poorly-designed software running on them. I don't see criminal behavior, here. If you program (or load software) onto your robot, you are responsible for when it carries out those instructions, even if you did not fully envision the consequences in advance. Same goes for replying to packets on the internet. It's impossible to rob a server of information at gunpoint.
This is DWIM carried through the machine and legally imposed onto the end-user, and that's a load of crap.
> I have this feeling that the other shoe is about to drop, and we're going to find out something big is missing from the reporting, that they had a friend working at the company.
I doubt it - all that he would have had to do to discover this bug was to accidentally press "change game" at the point where it offered him the double-or-nothing, which would be easy to do if he was intending to press "no" then "change game" in quick succession.
I don't think it's black and white. Inserting money into the machine and pressing buttons is a lot more innocuous than, say, taking a screwdriver to the machine, manipulating it with an electromagnet, etc. I can't think of any way to describe those kind of manipulations in an innocuous manner.
Fascinating. This reminds me of the true story of a group of friends who won nearly a million dollars by reverse-engineering video poker machines and finding flaws in the pseudo-random number generators used to select random cards. These people have given anonymous interviews and an entire description of their adventure to Kevin Mitnick for his book The Art of Intrusion. They also claim to have never been caught, thanks in part to the fact they stopped exploiting it after they won "enough" money! http://www.amazon.com/Art-Intrusion-Exploits-Intruders-Decei...
Here is an interesting anecdote. From the author of the article's Wikipedia page.
His best-appreciated hack was a takeover of all of the telephone lines for Los Angeles radio station KIIS-FM, guaranteeing that he would be the 102nd caller and win the prize of a Porsche 944 S2.
When the Federal Bureau of Investigation started pursuing Poulsen, he went underground as a fugitive. When he was featured on NBC's Unsolved Mysteries, the show's 1-800 telephone lines mysteriously crashed
The reddit office was just next to Kevin's desk. Kevin is a cool guy. He's crazy smart and makes an excellent security journalist. He married his defense attorney and they have a super cute kid. And I talked to him once about the radio contest thing, because I was a teenager at the time and remember trying to win that contest.
This is going to be tough to argue from a hacking standpoint. IANAL, but a quick perusal of some of the hacking-related legislation shows that almost all federal definitions of "hacking" involve "without or exceeding authorization" (see sections (1)(a), (1)(b), and (1)(c) in the Computer Fraud & Abuse Act (CFAA) [1]). A definition of that phrase is provided at length in this pamphlet [2] put out by the Department of Justice Cybercrime division. Specifically, from the first document (section (e)(6)):
> the term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter
and from the second (section A.2):
> The term “without authorization” is not defined by the CFAA. The term “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
Later in the same section, it states:
> Prosecutors rarely argue that a defendant accessed a computer “without authorization” when the defendant had some authority to access that computer. However, several civil cases have held that defendants lost their authorization to access computers when they breached a duty of loyalty to the authorizing parties, even if the authorizing parties were unaware of the breach. [...] Some of these cases further suggest that such a breach can occur when the user decides to access the computer for a purpose that is contrary to the interests of the authorizing party. See, e.g., Citrin, 440 F.3d at 420 (defendant’s authorization to access computer terminated when he resolved to destroy employer’s files); ViChip Corp. v. Lee, 438 F. Supp. 2d 1087, 1100 (N.D. Cal. 2006) (same); NCMIC Finance Corp. v. Artino, 638 F. Supp. 2d 1042, 1057 (S.D. Iowa 2009) (“[T]he determinative question is whether Artino breached his duty of loyalty to NCMIC when Artino obtained information from NCMIC’s computers.”).
Not sure what to make of that, as again, IANAL. Still, this is definitely not hacking in the traditional legal sense.
Understand that the Justice department pamphlet is how they would like it to be interpreted but how it is actually interpreted is based on case law. And they provide the case law that supports their interpretation.
It will be interesting if that language gets stricken from the CFAA because it will significantly blunt this particular tool in the government's toolbox.
That said, I expect that this case will find for the defendant on the grounds that the Casinos put those machines in, they agreed to pay out any winnings. That there was a bug was IGT's issue. So the casinos will then have their losses covered by IGT's errors and omissions insurance.
I really don't like trying to judge this case with analogies to non-electronic gambling. It's not a terrible way to start thinking about the issue, but taken too far it allows someone to come up with almost arbitrary conclusions.
Rather, I think it's best to judge this by what a certain outcome would do to the greater picture.
(And now to argue for my own interpretation, which happens to use the above argument.)
I was in the middle of writing what I thought was a pretty interesting argument, when I realized...
Why the hell is the federal government even getting involved in this? I mean, I know why, but it has nothing to do with them. This is (or should be) a case about what constitutes fair play at a casino. Jumping into this and flexing the CFAA just seems beyond ridiculous.
I like this argument. When looking at the other analogies (ATM giving you too much cash, cashier giving you wrong change, etc), the missing detail is that a casino is sort of a morality-free zone for money when you think about it. The casino is given a license by the state to offer losing odds to customers, thus guaranteeing the casino a (statistical) advantage (and the gov't a cut of the profits). In other words, the casino is allowed to exploit people's greed and credulity that they can beat the odds.
And so, if there is no money-morality at a casino, I don't see why casino patrons shouldn't be allowed any exploit of whatever games the casino offers (card counting, bug exploits, etc)--barring of course any threats or injury to people. If the dealer doesn't shuffle the cards or the game has a bug, up to the gambler to take advantage of it until the casino fixes it.
So by this reasoning, creating counterfeit tokens at a casino would be considered fair-play. I actually don't see that as a problem--it does not affect legal money supplies so why should the feds or states prosecute it. Up to the casino to protect itself and develop secure tokens. I don't see why the feds were involved in that case either (of course, I understand under the current laws).
In my hypothetical world, the only thing the government should be regulating are the taxes (on winnings by both sides) and the non-money aspects of casinos, such as ensuring personal safety. It's not allowed for the patron or the casino to threaten or hurt anyone based on any money transactions. Casinos can exclude patrons by refusing to allow them to play, but they can't physically interfere with them.
> Much of the cheating the Technology Division deals with comes from professionals, who will buy a used game machine, put it in their garage and plumb it for vulnerabilities.
> “They are looking to explore how they can exploit the machine from a mechanical standpoint,” says Jim Barbee, chief of the division. That means physical hacks aimed at the coin hopper or the bill reader. Software vulnerabilities like Kane’s are nearly unheard of.
It's fun to speculate how this bug might have come about.
My suspicions are that each sub-game maintains separate state about the last game played, but that the wager amount and "has the win been paid" flag variables are global, shared between all games. When the double-or-nothing option is disabled, wins are paid immediately; but when it's enabled, that flag doesn't get set until the user either declines to double up or the result of doubling-up is determined. This leaves a window for the user to switch games, changing the wager in the process, and have the payout recalculated because the win has not been paid yet.
I'd expect that there would be some central database of these machines that track their incoming and outgoing money that all the casinos feed their data into. It would seem crazy that this type of activity would go undetected to the tune of several hundred thousand. Even if payouts were tracked locally, it should have been a huge red flag. Unless the tracking that is sent over (or compared locally against baselines) is based off of in-play data and the amount exploited in the bug was never properly reported.
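The shared-state design guessed at above (a global wager, with payment deferred while double-or-nothing is on offer), as an added toy model that is not part of any comment in this thread and not IGT's code. The class and field names, the game labels "A" and "B" and the 800x multiplier are constructed assumptions; the model also shows the kind of reconciliation against in-play data that the comment on tracking asks about.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingWin:
    game: str          # sub-game in which the winning hand was played
    multiplier: int    # pay-table multiple for that hand (constructed value)
    wager_at_win: int  # wager in force when the hand was actually played


class Machine:
    """Multi-game cabinet with one global wager shared by every sub-game."""

    def __init__(self, bind_wager_to_win, double_up_enabled=True):
        self.bind_wager_to_win = bind_wager_to_win  # False = hypothesized bug
        self.double_up_enabled = double_up_enabled
        self.game = "A"
        self.wager = 1
        self.pending: Optional[PendingWin] = None   # win not yet paid
        self.log = []                               # one record per payout

    def change_game(self, game):
        self.game = game

    def set_wager(self, amount):
        self.wager = amount

    def win(self, multiplier):
        self.pending = PendingWin(self.game, multiplier, self.wager)
        if self.double_up_enabled:
            return 0          # payment deferred until the player answers
        return self._pay()    # no double-up offer: paid immediately

    def decline_double_up(self):
        # The offer can only be answered from the game that holds the win.
        if self.pending is None or self.pending.game != self.game:
            return 0
        return self._pay()

    def _pay(self):
        win, self.pending = self.pending, None
        # Bug: the amount is derived from whatever the global wager is *now*.
        # Fix: use the wager captured when the hand was played.
        wager = win.wager_at_win if self.bind_wager_to_win else self.wager
        paid = win.multiplier * wager
        self.log.append({"game": win.game, "multiplier": win.multiplier,
                         "wager_at_win": win.wager_at_win, "paid": paid})
        return paid


# Constructed session following the sequence summarized in the thread:
# win at a low wager, switch games, raise the wager, switch back, collect.
SESSION = [("wager", 1), ("win", 800), ("change_game", "B"), ("wager", 10),
           ("change_game", "A"), ("decline", None)]


def replay(machine, events):
    """Feed the events to a machine and return the total amount paid out."""
    handlers = {"wager": machine.set_wager,
                "change_game": machine.change_game,
                "win": machine.win}
    total = 0
    for kind, arg in events:
        if kind == "decline":
            total += machine.decline_double_up()
        else:
            total += handlers[kind](arg) or 0
    return total


def audit(log):
    """Flag payouts that disagree with the in-play data for the winning hand."""
    return [r for r in log if r["paid"] != r["multiplier"] * r["wager_at_win"]]


if __name__ == "__main__":
    for label, bound in (("shared state", False), ("wager bound to win", True)):
        m = Machine(bind_wager_to_win=bound)
        print(label, "paid:", replay(m, SESSION), "flagged:", len(audit(m.log)))
```

The audit only works if the wager at the time of the winning hand is recorded separately from the amount paid; a meter that logs the payout alone cannot tell the two machines apart.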
IANAL, but I have thought a lot about what constitutes cheating at gambling, as opposed to legal advantage play, and I think this is cheating. The key distinction, for me, is that the machine is not a game in and of itself, but an interface for offering multiple games.
(For those who didn't read the article, the scheme basically involves playing game A at the minimum wager until you get a big win, then switching to game B at a higher wager until the game B reaches a certain state, and then switching back to game A, at which point the machine would re-calculate your earlier win in game A based on your (higher) wager in game B.)
The nearest analog I can think of is switching roulette table chips between tables of different denominations. When you buy roulette chips, the croupier notes the value of a stack of 20 chips, usually $20, $100, or $500 a stack, by placing a token near the wheel. Looking at a single chip, it's impossible to tell whether the chip is worth $1, $5, or $25. And a given color chip at one table may be worth $1, while at a neighboring table it's worth $25. Table chips are marked with a letter on their face indicating which table they belong to, but croupiers don't always examine the letters, so if you slip chips between tables, you might be able to wager a low-denomination chip and be paid off in high-denomination chips. That's definitely cheating, even if the casino doesn't immediately stop you from slipping chips between games.
My general rule of thumb is that anything that happens within a game is fair play. If the exploit had been that a particular sequence of wagers would cause the random number generator to behave in a predictable way, then I'd be fine with it. But I wouldn't consider the game-selection interface to be part of the game.
This is obviously (at least it should be obvious) a business matter between the casino and the game vendor, not the user. The way this should have played out is 1) the casino notices the pattern, 2) the casino pulls the machine and scolds the vendor for shipping a bug that hurt their business, and 3) the vendor loses future contracts or resolves the issue in a way that satisfies the casino.
If you apply this same logic to coin-operated arcade games, you are breaking the law if you use the Tetris PRNG hack mentioned today (https://news.ycombinator.com/item?id=5640893) or even Pac-Man patterns (http://www.math.montana.edu/~hyde/pacman/) to "exceed your legal access" and extend your play time, thus stealing valuable quarters that would otherwise be spent by non-exploiting players.
You might even be able to apply this to games with IAP. Better not get too good at playing Super Monster Candy Time 2, buddy!
This case would be laughable if not for the fact that we all know the gambling associations are going to use their wealth & power to make his life hell.
[+] [-] reustle|13 years ago|reply
http://en.wikipedia.org/wiki/Louis_Colavecchio
[+] [-] diminoten|13 years ago|reply
David Sirlin has a chapter in his book "Playing To Win" entitled, "What Should be Banned?" It's about tournaments, but it may apply here as well: http://www.sirlin.net/ptw-book/what-should-be-banned.html
[+] [-] vinhboy|13 years ago|reply
If anything, you can blame the guy for not being moral and telling the casino about their mistake, but he is definitely not required to.
It's the casino's fault, or the game creator, for putting out a buggy game. They should be happy to have discovered the problem and just fix it.
Should I be allowed to sue vending machine owners every time my candy doesn't drop?
[+] [-] thehigherlife|13 years ago|reply
http://en.wikipedia.org/wiki/Kevin_Poulsen
[+] [-] apawloski|13 years ago|reply
[1] http://www.google.com
[+] [-] eykanal|13 years ago|reply
[1]: http://energy.gov/sites/prod/files/cioprod/documents/Compute...
[2]: http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf
[+] [-] ChuckMcM|13 years ago|reply
It will be interesting if that language gets stricken from the CFAA because it will significantly blunt this particular tool in the government's toolbox.
That said, I expect that this case will find for the defendant on the grounds that the Casinos put those machines in, they agreed to pay out any winnings. That there was a bug was IGT's issue. So the casinos will then have their losses covered by IGT's errors and omissions insurance.
[+] [-] jjjeffrey|13 years ago|reply
Rather, I think it's best to judge this by what a certain outcome would do to the greater picture.
(And now to argue for my own interpretation, which happens to use the above argument.)
I was in the middle of writing what I thought was a pretty interesting argument, when I realized...
Why the hell is the federal government even getting involved in this? I mean, I know why, but it has nothing to do with them. This is (or should be) a case about what constitutes fair play at a casino. Jumping into this and flexing the CFAA just seems beyond ridiculous.
[+] [-] 205guy|13 years ago|reply
And so, if there is no money-morality at a casino, I don't see why casino patrons shouldn't be allowed any exploit of whatever games the casino offers (card counting, bug exploits, etc)--barring of course any threats or injury to people. If the dealer doesn't shuffle the cards or the game has a bug, up to the gambler to take advantage of it until the casino fixes it.
So by this reasoning, creating counterfeit tokens at a casino would be considered fair-play. I actually don't see that as a problem--it does not affect legal money supplies so why should the feds or states prosecute it. Up to the casino to protect itself and develop secure tokens. I don't see why the feds were involved in that case either (of course, I understand under the current laws).
In my hypothetical world, the only things the government should be regulating are the taxes (on winnings by both sides) and the non-money aspects of casinos, such as ensuring personal safety. It's not allowed for the patron or the casino to threaten or hurt anyone based on any money transactions. Casinos can exclude patrons by refusing to allow them to play, but they can't physically interfere with them.
[+] [-] DanBC|13 years ago|reply
> “They are looking to explore how they can exploit the machine from a mechanical standpoint,” says Jim Barbee, chief of the division. That means physical hacks aimed at the coin hopper or the bill reader. Software vulnerabilities like Kane’s are nearly unheard of.
Someone should sell them a fuzzing suite.
[+] [-] caf|13 years ago|reply
My suspicions are that each sub-game maintains separate state about the last game played, but that the wager amount and "has the win been paid" flag variables are global, shared between all games. When the double-or-nothing option is disabled, wins are paid immediately; but when it's enabled, that flag doesn't get set until the user either declines to double up or the result of doubling-up is determined. This leaves a window for the user to switch games, changing the wager in the process, and have the payout recalculated because the win has not been paid yet.
[+] [-] ssharp|13 years ago|reply
[+] [-] jmharvey|13 years ago|reply
(For those who didn't read the article, the scheme basically involves playing game A at the minimum wager until you get a big win, then switching to game B at a higher wager until game B reaches a certain state, and then switching back to game A, at which point the machine would re-calculate your earlier win in game A based on your (higher) wager in game B.)
The nearest analog I can think of is switching roulette table chips between tables of different denominations. When you buy roulette chips, the croupier notes the value of a stack of 20 chips, usually $20, $100, or $500 a stack, by placing a token near the wheel. Looking at a single chip, it's impossible to tell whether the chip is worth $1, $5, or $25. And a given color chip at one table may be worth $1, while at a neighboring table it's worth $25. Table chips are marked with a letter on their face indicating which table they belong to, but croupiers don't always examine the letters, so if you slip chips between tables, you might be able to wager a low-denomination chip and be paid off in high-denomination chips. That's definitely cheating, even if the casino doesn't immediately stop you from slipping chips between games.
My general rule of thumb is that anything that happens within a game is fair play. If the exploit had been that a particular sequence of wagers would cause the random number generator to behave in a predictable way, then I'd be fine with it. But I wouldn't consider the game-selection interface to be part of the game.
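Added example, not part of the original thread and not the vendor's code: a toy Python model of the shared-state flaw hypothesized in the comments above (global wager and "win paid" flag, per-game win state) run through the game A / game B switching sequence, beside a hardened form that fixes the payout amount at the moment of the win. The class names, the 800x multiplier and the wager values are constructed assumptions.

```python
class VulnerableMachine:
    """Hypothetical model: wager and paid-flag are global, win state is per game."""
    def __init__(self):
        self.wager = 1             # global, shared by every sub-game
        self.win_paid = True       # global "has the win been paid" flag
        self.last_multiplier = {}  # per-game state about the last win
        self.credits = 0
        self.game = "A"

    def play_win(self, multiplier):
        # Double-or-nothing enabled: payout is deferred, flag stays unset.
        self.last_multiplier[self.game] = multiplier
        self.win_paid = False

    def change_game(self, game, wager=None):
        self.game = game
        if wager is not None:
            self.wager = wager
        # Flaw: an unpaid win is recomputed from the *current* global wager.
        if not self.win_paid and game in self.last_multiplier:
            self.credits += self.last_multiplier[game] * self.wager
            self.win_paid = True


class HardenedMachine:
    """Payout amount is bound to the win; pending wins settle before any switch."""
    def __init__(self):
        self.wager = 1
        self.pending = None        # (game, amount) fixed when the win occurs
        self.credits = 0
        self.game = "A"

    def play_win(self, multiplier):
        self.pending = (self.game, multiplier * self.wager)

    def settle(self):
        if self.pending is not None:
            self.credits += self.pending[1]
            self.pending = None

    def change_game(self, game, wager=None):
        self.settle()              # leaving a game declines double-up and pays
        self.game = game
        if wager is not None:
            self.wager = wager


def run_sequence(machine):
    """Constructed sequence: win in A at wager 1, raise wager in B, return to A."""
    machine.play_win(multiplier=800)
    machine.change_game("B", wager=10)
    machine.change_game("A")
    return machine.credits
```

The vulnerable model pays the win at the later wager, while the hardened model pays the amount fixed when the win occurred; a state-machine test that replays every transition from the "win pending" state would catch the difference.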
[+] [-] BHSPitMonkey|13 years ago|reply
[+] [-] sehugg|13 years ago|reply
You might even be able to apply this to games with IAP. Better not get too good at playing Super Monster Candy Time 2, buddy!
[+] [-] mixmastamyk|13 years ago|reply
I was rooting for the guy until that sentence. Book'em Danno.
[+] [-] klodolph|13 years ago|reply
I'm sure they would have pulled all the games pretty quickly if it had gotten out. Casinos take analytics seriously.
[+] [-] jacoblyles|13 years ago|reply
[+] [-] derleth|13 years ago|reply
[+] [-] reillyse|13 years ago|reply