Feds Realize That Exploiting A Bug In Casino Video Poker Software Is Not Hacking And Not A CFAA Violation

from the about-time dept

For years, we’ve talked about how casinos were able to get away with not paying people who won jackpots from electronic gambling machines, by claiming that their wins were really because of software glitches. That always seemed like a highly questionable practice, but even more questionable was filing criminal charges against winners who won because of those glitches. We talked about one such case back in 2007, and then another one in early 2011. That 2011 case involved two guys, John Kane and Andre Nestor, who had figured out a bug in some video poker software from International Game Technology, a gaming giant.

The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to “double up” (basically a double or nothing proposition on a “high card wins” bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the “payout” by 10x.
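A simplified model of the kind of stale-state defect this sequence points to, added here as an example; it is not IGT's code and not from the original article. The class names, the storage of the last win in credits rather than money, and the amounts are assumptions, since the article gives only the player-visible steps.

```python
from dataclasses import dataclass

# Constructed toy model, not IGT's code: the page gives only the player-visible
# steps, so the stale-state cause modelled here is an assumption.
@dataclass
class VulnerableTerminal:
    denom_cents: int = 10        # value of one credit
    balance_cents: int = 0
    last_win_credits: int = 0    # last win kept in credits, not in money
    double_up_open: bool = False

    def record_win(self, credits: int) -> None:
        self.last_win_credits = credits
        self.balance_cents += credits * self.denom_cents

    def offer_double_up(self) -> None:
        self.double_up_open = True

    def insert_cash(self, cents: int) -> None:
        self.balance_cents += cents

    def change_denomination(self, denom_cents: int) -> None:
        # Defect: the old win and the open double-up survive the change.
        self.denom_cents = denom_cents

    def return_to_game(self) -> int:
        # Defect: the stale win is shown again, revalued at the current denomination.
        if self.double_up_open and self.last_win_credits:
            award = self.last_win_credits * self.denom_cents
            self.balance_cents += award
            return award
        return 0


class HardenedTerminal(VulnerableTerminal):
    def change_denomination(self, denom_cents: int) -> None:
        # Fix: a settled win is history; clear it before any context change.
        self.last_win_credits = 0
        self.double_up_open = False
        super().change_denomination(denom_cents)


def replay_sequence(terminal: VulnerableTerminal) -> tuple[int, int]:
    """Run the article's steps; return (re-awarded cents, cents held beyond cash in)."""
    terminal.record_win(800)           # high payout: 800 credits at 10 cents
    terminal.offer_double_up()         # double-up prompt appears in the other game
    terminal.insert_cash(2000)         # add more money
    terminal.change_denomination(100)  # switch to the maximum denomination
    award = terminal.return_to_game()  # back to the original game
    return award, terminal.balance_cents - 2000


if __name__ == "__main__":
    print(replay_sequence(VulnerableTerminal()))
    print(replay_sequence(HardenedTerminal()))
```

In the vulnerable model the 800-credit win is paid a second time at ten times its original value; the hardened model pays it once because the win record is cleared whenever the denomination changes.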

Apparently Kane discovered this bug by accident from playing a ridiculous amount of video poker. His lawyer claims that Kane was obsessed with video poker and probably played it more than anyone. He also insists that there was no research or effort that went into this. It was just a fluke from playing so often that Kane found the bug — and then got his buddy Nestor (and a few others) involved in using this bug to win an awful lot of money. When Nestor was arrested, he was reasonably angry about the whole thing:

“I’m being arrested federally for winning on a slot machine,” he said. “It’s just like if someone taught you how to count cards, which we all know is not illegal. You know. Someone told me that there are machines that had programming that gave a player an advantage over the house. And that’s all there is to it.…

“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”

The feds, of course, hit them with CFAA (Computer Fraud and Abuse Act) charges, the same highly questionable hacking law we’ve been writing so much about lately. The feds argued that Kane and Nestor “exceeded authorized access” — one of the most troubling parts of the CFAA. The DOJ argued that:

In short, the casinos authorized defendants to play video poker. What the casinos did not do was to authorize defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.

However, the court was skeptical of this argument, and after the 9th Circuit’s ruling in last year’s case against David Nosal, where they said that merely violating an employer’s computer use policy did not mean you had exceeded authorized access, the court asked the DOJ to explain how the CFAA still applied in light of the Nosal ruling.

Apparently, the DOJ realized that the CFAA charges no longer made sense and, yesterday afternoon, dropped those charges. In a simple filing with no explanation, the DOJ asks the court to dismiss the two CFAA-related charges in the indictment. Kane and Nestor still face a single wire fraud charge, but that’s much less of a threat than the CFAA charges. At the very least, it’s good to see increasing pushback on the DOJ for its regular abuse of the CFAA to pile on charges.

Companies: international game technology


Comments on “Feds Realize That Exploiting A Bug In Casino Video Poker Software Is Not Hacking And Not A CFAA Violation”

41 Comments
DCX2 says:

Re: Re:

The exploiters did not exceed the authorized limit of their usage. They did not install files on the machine or otherwise modify it. They did not touch buttons or knobs that they were not allowed to touch. They did not feed the machine a properly malformed sequence of bytes which was designed to trick it into doing something it wasn’t designed to do.

Not what I would call “textbook example of hacking”. Now THIS is a textbook example of hacking. But it isn’t criminal so long as you have authorized access to the machine that you exploit.

http://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd.html

crade (profile) says:

Re: Re: Re:

Well that’s silly. By this definition, if you did it with the access you were provided, you did not exceed the authority limit of the usage. If you are able to install files (by exploiting from rootkit bug or whatever) then it is within your authorized limit.

They did in fact, do exactly what you say here:
“did not feed the machine a properly malformed sequence of bytes which was designed to trick it into doing something it wasn’t designed to do”

This is exactly what was done. They gave it a sequence of input (which will eventually be translated to bytes, not that the bit organization matters to anything) that was specifically designed to trick the system into doing something it wasn’t designed to do.

DCX2 says:

Re: Re: Re: Re:

No, they did not create those bytes. The developer of the machine they were exploiting created those bytes by virtue of the program on the machine. Look at that link again – iZsh is actually writing those bytes himself (or rather, his compiler generates the bytes, but the point is, he is writing the code that eventually results in generated bytes of information). Those who exploited the video poker software wrote no bytes themselves.

You may need to brush up on your terminology. A rootkit is installed by someone who does not have authorized access to the machine. If you had authorized access, you wouldn’t need the rootkit! In fact, the very act of installing files can be considered exceeding authorized access if you were not authorized to install files on that machine.

In contrast, the individuals caught exploiting this bug were authorized to push the buttons they were pushing. No one said they were not authorized to push those buttons in some specific order. They did not impersonate anyone by pushing those buttons. They did not engage in privilege escalation to have access to the system that they were not authorized to have.

DCX2 says:

Re: Re: Re: Re:

I would also argue that whether or not the video poker software does what the original developer intended for it to do is entirely separate from what it was designed to do. Computers do exactly what programmers tell them to do.

The video poker machine did exactly what it was designed to do. Users press the buttons that the casino allows them to press. Software processes the button presses. When certain conditions are met, money spews forth. This is the design and this is what happened.

Had the developer screwed up the odds and the machine had started to pay out far more than was intended, do you think the casino would have grounds for telling the winners “sorry, you were exploiting a bug in the software, give back your winnings”?

Anonymous Coward says:

Yet another reason why you’d be an idiot to waste your time and money gambling at a casino.

If you start to win serious amounts of money you get kicked out of the Casino, or arrested in this case.

If you lose (which you’re highly likely to, as all the games are statistically rigged against you, so that the longer you play the more likely you are to lose money) then they won’t kick you out, because you’re their ATM.

Anonymous Coward says:

Re: Re:

I remember during the “Love is in the Air” event a couple of years ago in WoW. They had just redone the event, and you could collect these ‘charms’ when killing mobs.

It took 10 charms to make a bracelet and it took hundreds of these bracelets to buy things in game (pets, mounts, stuff needed for all of the achievements.)

Not every mob killed resulted in a charm being obtained, so farming these charms (which were Bind on Pickup…the bracelets were able to be sold on the AH..) required a fast repopulating mob that was easy to kill.

I remember it like yesterday….

There is a raid named “Ulduar” that has this vehicle mechanic at the beginning in which there are pillars of Dark Iron dwarves that constantly spawn until you use the vehicles to break down the pillars.

You guessed it, just killing the Dark Iron dwarves themselves spawned these charms like crazy.

4 people, 4 vehicles (because you needed a raid to go in there, and you could get charms for when other people killed something as well.)

We made “WoW Bank” until they hotfixed it the next day.

I would be turned off of gaming forever if they pressed charges….

Ferel (profile) says:

Re: Re: Re:

Blizzard deals with most game exploits the easy way: account ban or suspension, depending on severity and how quick they hotfixed it. To my knowledge, Blizz has only gone legal against players for modifying the game client’s code and hosting private World of Warcraft servers (the latter for attracting unsubscribed players, IIRC).

out_of_the_blue says:

Quite obscure complex bug = anomaly!

I guess that Mike is sorta right. Throw him a bone. — IF the facts hold up as stated, but the bug sounds so complex that I can’t believe it was found by playing. — OR if so, then I’ve no sympathy for an addicted gambler.

Whatever. Main point is that this affects, as anomalies do, only the few involved.

Meanwhile, the get-rich-quick lure of gambling strips millions daily from saps.

Anonymous Coward says:

Re: Quite obscure complex bug = anomaly!

OOTB misses point of article yet again. News at 11.

None of that really matters, the point was the CFAA was being used to charge him for something that was just an exploit that required no tampering with the machine whatsoever.

Also I don’t care about those millions of saps. They had a choice, they chose to gamble.

Rikuo (profile) says:

Re: Quite obscure complex bug = anomaly!

“The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to “double up” (basically a double or nothing proposition on a “high card wins” bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the “payout” by 10x.”

So blue, wanna tell me which, if any, of those steps is illegal? I’ll give you a hint. The answer is spelled N-O-N-E.

Anonymous Coward says:

Kane and Nestor still face a single wire fraud charge, but that’s much less of a threat than the CFAA charges.

Wire fraud under Section 1349: “shall be fined under this title or imprisoned not more than 20 years, or both.” The CFAA charges were either 5 or 10 years. How is wire fraud “much less of a threat than the CFAA charges”? I know you like evidence, so what’s yours for making this claim?

Anonymous Coward says:

Where's the line?

I think there’s an interesting gray area here about just when an exploit becomes criminal.

If a slot machine had a bug that erroneously resulted in a jackpot payout every time you played, you’d hardly be a criminal for playing that machine.

On the other hand if the bug is more complex, such that say you had to push a long sequence of buttons in a precise order to force the machine into some sort of test mode, from which you could then force a payout, that seems to cross a line. What if you only knew about this because you had detailed inside knowledge of the machines (but had not planted the bug yourself)? What if you had this knowledge not as an insider, but because you had studied the machines for this purpose?

Anonymous Coward says:

Re: Where's the line?

Then you can win until they fix it.

There’s people that do that, with machines, lotto tickets, everything, cause there IS a method to the madness, and they’re actually successful.

People don’t hunt them and make them pay the money back however, because it’s legal.

Much like he said, Card Counting is legal, while a casino can BAN you from the casino for card counting, they cannot prosecute you for it.

Anonymous Coward says:

Re: Re: Where's the line?

Card counting is illegal in Nevada, though Nevada is the only jurisdiction in the world that makes card counting illegal. It is considered a form of cheating, punishable by up to 6 years in jail and $10,000 in fines, like any other form of cheating, if they can prove you were counting cards.

No other place in the world makes card counting illegal.

btr1701 (profile) says:

Re: Re: Re: Where's the line?

“Card counting is illegal in Nevada, though Nevada is the only jurisdiction in the world that makes card counting illegal.”

It most certainly is not illegal. The Nevada Supreme Court ruled conclusively that a player who uses nothing but his own innate ability, unassisted by technology or collaboration with others, cannot be prosecuted for cheating at a casino game.

Charles Cochems says:

Re: Re: Re:2 Where's the line?

You cannot be prosecuted for unassisted card counting.

As long as you do it all in your head, and are not signalling the count to other players, it is 100% legal. You are not allowed to use a device to ASSIST you in counting. That’s what’s considered cheating, and that will get you prosecuted. Raising your bet because the count is high is not signalling other players. But say if you counted and sat in first base, and bet one denomination for high count, and a different one for low count (both small) and the other players were making their decisions based on that, that’s cheating. Counting is legal when done only for yourself, and without using anything but your own head to track it.

But casinos are allowed to bar advantage players, whether they are cheating or not. Gambling is a privilege, not a right.

If someone is making it big counting cards, it affects the casino’s bottom line. Once they determine you are in fact advantage playing, and not just lucky, expect to get barred if you are costing them too much money. Advantage playing video poker (certain full pay games can be done) is just too slow a grind, and it’s easy to make mistakes, so that’s generally not bothered with. But if there was one with high enough stakes, it might be an issue.

Casinos very rarely bar non advantage players that aren’t cheating, even if they are winning, because seeing people win makes others want to play, and lose. And if the player is barred, they can’t lose their money back to the casino. Fairly often, lucky big winners end up losing it ALL back if they don’t take the money and run.

Anonymous Coward says:

It’s amazing they don’t bring CFAA charges against one of the biggest slot machine cheats of all times, known as “Mr D”, whom it took 30 years for the casinos to finally catch up with.

He basically used a “light wand” to blind the sensor on slot machines to make any winning play pay out as much as $500, depending on how much money was in the machine.

At least the casinos that “Mr D” hit with his light wand scheme have the good sense not to have him prosecuted under CFAA, and are having him prosecuted under state laws on the matter instead.

late2p says:

All these online gambling sites and a fair amount of betting sites are a scam. The lack of physical gambling in this area is really hurting thanks to this online explosion. I’d rather gamble in person and have a shot at taking home winnings, rather than gamble online with the knowledge I won’t be able to cash out once the automatic website algorithm hits and I start mysteriously losing.

alex123 (user link) says:

Helow

Can I simply just say what a relief to uncover a person that genuinely knows what they are talking about on the web. You actually know how to bring an issue to light and make it important. A lot more people need to read this and understand this side of your story. I was surprised that you’re not more popular because you surely have the gift.
Sbobet

Dave Miller says:

Your post was really informative and very insightful about the online casino websites. I am very glad to read the content of this post in which you wrote how to begin playing casino games for the first time in the websites. I am sure it will help out many newcomers and here I would also like to introduce everyone to my brilliant online casino website where all the players can take advantage of exciting bonuses and play for profitable jackpots.

William Delao (profile) says:

Slotmode

In Smash the Pig, this piggy is loaded with cash! Trigger the Pick a Pig Bonus and choose a pig to win random multipliers – up to 20x! Or you might win another pick, win all the prizes on the screen, or trigger the Pig Smashing Bonus, where you smash pigs until the Luck Meter runs out. If you smash all the pigs and have some luck left, you win additional pigs to smash! https://slotmode.guide/slots/smash-the-pig-igt/
