Feds Realize That Exploiting A Bug In Casino Video Poker Software Is Not Hacking And Not A CFAA Violation

from the about-time dept

For years, we've talked about how casinos were able to get away with not paying people who won jackpots from electronic gambling machines, by claiming that their wins were really because of software glitches. That always seemed like a highly questionable practice, but even more questionable was filing criminal charges against winners who won because of those glitches. We talked about one such case back in 2007, and then another one in early 2011. That 2011 case involved two guys, John Kane and Andre Nestor, who had figured out a bug in some video poker software from International Game Technology, a gaming giant.

The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to "double up" (basically a double or nothing proposition on a "high card wins" bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the "payout" by 10x.

Apparently Kane discovered this bug by accident from playing a ridiculous amount of video poker. His lawyer claims that Kane was obsessed with video poker and probably played it more than anyone. He also insists that there was no research or effort that went into this. It was just a fluke from playing so often that Kane found the bug -- and then got his buddy Nestor (and a few others) involved in using this bug to win an awful lot of money. When Nestor was arrested, he was reasonably angry about the whole thing:
“I’m being arrested federally for winning on a slot machine,” he said. “It’s just like if someone taught you how to count cards, which we all know is not illegal. You know. Someone told me that there are machines that had programming that gave a player an advantage over the house. And that’s all there is to it.…

“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”
The feds, of course, hit them with CFAA (Computer Fraud and Abuse Act) charges, the same highly questionable hacking law we've been writing so much about lately. The feds argued that Kane and Nestor "exceeded authorized access" -- one of the most troubling parts of the CFAA. The DOJ argued that:
In short, the casinos authorized defendants to play video poker. What the casinos did not do was to authorize defendants ‘to obtain or alter information’ such as previously played hands of cards. To allow customers to access previously played hands of cards, at will, would remove the element of chance and obviate the whole purpose of gambling. It would certainly be contrary to the rules of poker.
However, the court was skeptical of this argument, and after the 9th Circuit's ruling in last year's case against David Nosal, where they said that merely violating an employer's computer use policy did not mean you had exceeded authorized access, the court asked the DOJ to explain how the CFAA still applied in light of the Nosal ruling.

Apparently, the DOJ realized that the CFAA charges no longer made sense and, yesterday afternoon dropped those charges. In a simple filing with no explanation, the DOJ asks the court to dismiss the two CFAA-related charges in the indictment. Kane and Nestor still face a single wire fraud charge, but that's much less of a threat than the CFAA charges. At the very least, it's good to see increasing pushback on the DOJ for its regular abuse of the CFAA to pile on charges.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    icon
    mikez (profile), May 8th, 2013 @ 11:55am

    This case is another example of the DOJ doing the work of a large corporation with no interest to the actual law. The issue here shouldn't be with the guys that were exploiting the bug, the casino(s) should be pursuing the issue with the company that wrote the software in civil court.

     

    reply to this | link to this | view in thread ]

  2.  
    icon
    crade (profile), May 8th, 2013 @ 11:56am

    Intentionally exploiting what you know to be a software bug for commercial gain? If that's not hacking what is? It's practically a textbook example.

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 11:57am

    Yet another reason why you'd be an idiot to waste your time and money gambling at a casino.

    If you start to win serious amounts of money you get kicked out of the Casino, or arrested in this case.

    If you lose (which you're highly likely to, as all the games are statistically rigged against you, so that the longer you play the more likely you are to lose money) then they won't kick you out, because you're their ATM.

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    crade (profile), May 8th, 2013 @ 12:01pm

    Re:

    Not that there's anything wrong with that of course.. :) Gotta keep the lazy dev's honest somehow.

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    Zakida Paul (profile), May 8th, 2013 @ 12:03pm

    Doi!

    Well, give them a Blue Peter badge.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 12:09pm

    the next thing you'll be telling us is that those at the DoJ learned to count and to read as well!!

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    Rikuo (profile), May 8th, 2013 @ 12:18pm

    I wonder.

    There was a recent gold duplication bug in Diablo 3.
    http://www.escapistmagazine.com/news/view/123838-Gold-Dupe-Bug-Forces-Diablo-3-Auction-House-Off line

    Would the feds want to charge players who exploited this bug with the CFAA?

     

    reply to this | link to this | view in thread ]

  8. This comment has been flagged by the community. Click here to show it
     
    identicon
    out_of_the_blue, May 8th, 2013 @ 12:38pm

    Quite obscure complex bug = anomaly!

    I guess that Mike is sorta right. Throw him a bone. -- IF the facts hold up as stated, but the bug sounds so complex that I can't believe was found by playing. -- OR if so, then I've no sympathy for an addicted gambler.

    Whatever. Main point is that this affects, as anomalies do, only the few involved.

    Meanwhile, the get-rich-quick lure of gambling strips millions daily from saps.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 12:44pm

    Re: Quite obscure complex bug = anomaly!

    OOTB misses point of article yet again. News at 11.

    None of that really matters, the point was the CFAA was being used to charge him for something that was just an exploit that required no tampering with the machine whatsoever.

    Also I don't care about those millions of saps. They had a choice, they chose to gamble.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 12:48pm

    video poker is okay. Internet poker is illegal.
    I think I've had my daily allowance of stupid for today.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 12:53pm

    Were the machines inspected?

    If he stumbled across the bug is one thing. Now if a software developer intentially placed it there to be exploited is another. Hopefully, the gaming board inspected this and several of these machine types to detetmine if there was tampering before charges were filed.

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    DCX2, May 8th, 2013 @ 1:02pm

    Re:

    The exploiters did not exceed the authorized limit of their usage. They did not install files on the machine or otherwise modify it. They did not touch buttons or knobs that they were not allowed to touch. They did not feed the machine a properly malformed sequence of bytes which was designed to trick it into doing something it wasn't designed to do.

    Not what I would call "textbook example of hacking". Now THIS is a textbook example of hacking. But it isn't criminal so long as you have authorized access to the machine that you exploit.

    http://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd.html

     

    reply to this | link to this | view in thread ]

  13.  
    identicon
    ChrisH, May 8th, 2013 @ 1:02pm

    I've said it a million times. The DOJ's interpretation of the CFAA (and other laws) is meaningless if it disagrees with previous court opinions.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 1:04pm

    It's a shame that the teeth are being pulled from this fine piece of legislation that may have actually provided for a fitting punishment for call of duty cheats.

     

    reply to this | link to this | view in thread ]

  15.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 1:14pm

    Re: Quite obscure complex bug = anomaly!

    If have found complex bugs in computer games I enjoy playing. I see it no differently then him and video poker. The fact that you have no sympathy for a person being charge for a crime that doesn't apply is no surprise though.

     

    reply to this | link to this | view in thread ]

  16.  
    icon
    Rikuo (profile), May 8th, 2013 @ 1:26pm

    Re: Quite obscure complex bug = anomaly!

    "The bug was very complex. It involved a series of different steps that had to be taken: play one game on the machine until you have a high payout, then switch to a different game, play until an option popped up to "double up" (basically a double or nothing proposition on a "high card wins" bet), then add more money to the machine, exit the specific game, change the denomination amount to the game maximum, and then switch back to the original game played. At that point the high payout from the initial round shows, allowing that amount to be re-awarded. On top of that, it would recalculate the award by the new denomination level, often increasing the "payout" by 10x. "

    So blue, wanna tell me which, if any, of those steps is illegal? I'll give you a hint. The answer is spelled N-O-N-E.

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 2:44pm

    Kane and Nestor still face a single wire fraud charge, but that's much less of a threat than the CFAA charges.

    Wire fraud under Section 1349: "shall be fined under this title or imprisoned not more than 20 years, or both." The CFAA charges were either 5 or 10 years. How is wire fraud "much less of a threat than the CFAA charges"? I know you like evidence, so what's yours for making this claim?

     

    reply to this | link to this | view in thread ]

  18.  
    icon
    crade (profile), May 8th, 2013 @ 3:03pm

    Re: Re:

    Well that's silly. By this definition, if you did it with the access you were provided, you did not excede the authority limit of the usage. If you are able to install files (by exploiting from rootkit bug or whatever) then it is within your authorized limit.

    They did in fact, do exactly what you say here:
    "did not feed the machine a properly malformed sequence of bytes which was designed to trick it into doing something it wasn't designed to do"

    This is exactly what was done. They gave it a sequence of input (which will eventually be translated to bytes, not that the bit organization matters to anything) that was specifically designed to trick the system into doing something it wasn't designed to do.

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 3:07pm

    Re:

    I remember during the "Love is in the Air" event a couple of years ago in WoW. They had just redone the event, and you could collect these 'charms' when killing mobs.

    It took 10 charms to make a bracelet and it took hundreds of these bracelets to buy things in game (pets, mounts, stuff needed for all of the achievements.)

    Not every mob killed resulted in a charm being obtained, so farming these charms (which were Bind on Pickup...the bracelets were able to be sold on the AH..) required a fast repopulating mob that was easy to kill.

    I remember it like yesterday....

    There is a raid named "Ulduar" that has this vehicle mechanic at the beginning in which there are pillars of Dark Iron dwarves that constantly spawn until you use the vehicles to break down the pillars.

    You guessed it, just killing the Dark Iron dwarves themselves spawned these charms like crazy.

    4 people, 4 vehicles (because you needed a raid to go in there, and you could get charms for when other people killed something as well.)

    We made "WoW Bank" until they hotfixed it the next day.

    I would be turned off of gaming forever if they pressed charges....

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    DCX2, May 8th, 2013 @ 3:31pm

    Re: Re: Re:

    No, *they* did not create those bytes. The developer of the machine they were exploiting created those bytes by virtue of the program on the machine. Look at that link again - iZsh is actually writing those bytes himself (or rather, his compiler generates the bytes, but the point is, he is writing the code that eventually results in generated bytes of information). Those who exploited the video poker software wrote no bytes themselves.

    You may need to brush up on your terminology. A rootkit is installed by someone who does not have authorized access to the machine. If you had authorized access, you wouldn't need the rootkit! In fact, the very act of installing files can be considered exceeding authorized access if you were not authorized to install files on that machine.

    In contrast, the individuals caught exploiting this bug were authorized to push the buttons they were pushing. No one said they were not authorized to push those buttons in some specific order. They did not impersonate anyone by pushing those buttons. They did not engage in privilege escalation to have access to the system that they were not authorized to have.

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    DCX2, May 8th, 2013 @ 3:39pm

    Re: Re: Re:

    I would also argue that whether or not the video poker software does what the original developer intended for it to do is entirely separate from what it was designed to do. Computers do exactly what programmers tell them to do.

    The video poker machine did exactly what it was designed to do. Users press the buttons that the casino allows them to press. Software processes the button presses. When certain conditions are met, money spews forth. This is the design and this is what happened.

    Had the developer screwed up the odds and the machine had started to pay out far more than was intended, do you think the casino would have grounds for telling the winners "sorry, you were exploiting a bug in the software, give back your winnings"?

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 3:42pm

    Where's the line?

    I think there's an interesting gray area here about just when an exploit becomes criminal.

    If a slot machine had a bug that erroneously resulted in a jackpot payout every time you played, you'd hardly be a criminal for playing that machine.

    On the other hand if the bug is more complex, such that say you had to push a long sequence of buttons in a precise order to force the machine into some sort of test mode, from which you could then force a payout, that seems to cross a line. What if you only knew about this because you had detailed inside knowledge of the machines (but had not planted the bug yourself)? What if you had this knowledge not as an insider, but because you had studied the machines for this purpose?

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 3:59pm

    Re: Where's the line?

    Then you can win until they fix it.

    There's people that do that, with machines, lotto tickets, everything, cause there IS a method to the madness, and they're actually successful.

    People don't hunt them and make them pay the money back however, because it's legal.

    Much like he said, Card Counting is legal, while a casino can BAN you from the casino for card counting, they cannot prosecute you for it.

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous, May 8th, 2013 @ 4:40pm

    According to the new "Iron Man" movie, people don't say "hack" anymore. So what DO they say?! Sure seems like people still say hack.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 4:40pm

    Re: Re: Where's the line?

    Card counting is illegal in Nevada, though Nevada is the only jurisdiction in the world that makes card counting illegal. It is considered a form of cheating, punishable by up to 6 years in jail and $10,000 in fines, like any other form of cheating, if they can prove you were counting cards.

    No other place in the world makes card counting illegal.

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    Anonymous Coward, May 8th, 2013 @ 4:46pm

    Its amazing they don't bring CFAA charges against one of the biggest slot machine cheats of all times, known as "Mr D", whom it took 30 years for the casinos to finally catch up with.

    He bascially used a "light wand" to blind the sensor on slot machines to make ant winning play pay out as much as $500, depending on how much money was in the machine.

    At least the casinos that "Mr D" hit with is light wand scheme have the good sense not to have him proseucted under CFAA, and are having him prosecuted under state laws on the matter instead.

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    Ferel (profile), May 8th, 2013 @ 6:13pm

    Re: Re:

    Blizzard deals with most game exploits the easy way: account ban or suspension, depending on severity and how quick they hotfixed it. To my knowledge, Blizz has only gone legal against players for modifying the game client's code and hosting private World of Warcraft servers (the latter for attracting unsubscribed players, IIRC).

     

    reply to this | link to this | view in thread ]

  28.  
    icon
    harbingerofdoom (profile), May 8th, 2013 @ 10:30pm

    Re:

    curious....exactly what are your credentials concerning the operations of gaming machines within the state of nevada?

    im wondering exactly how you know them to be rigged?

     

    reply to this | link to this | view in thread ]

  29.  
    icon
    FarSide (profile), May 9th, 2013 @ 6:00am

    Re: Re: Re: Re:

     

    reply to this | link to this | view in thread ]

  30.  
    identicon
    Anonymous Coward, May 9th, 2013 @ 6:32am

    Re: Re:

    In the UK all gaming machines have to pay out a minimum of 70% of the intake. If they are not rigged then how do they keep within the legal limit?

     

    reply to this | link to this | view in thread ]

  31.  
    identicon
    Anonymous Coward, May 9th, 2013 @ 6:37am

    Re: Re: Re: Where's the line?

    Counting cards is not illegal, its the way to play the game.

    The only reason it is illegal is because of the corrupt officials in Nevada.

     

    reply to this | link to this | view in thread ]

  32.  
    icon
    btr1701 (profile), May 9th, 2013 @ 7:38am

    Re: Re: Re: Where's the line?

    > Card counting is illegal in Nevada, though Nevada is the
    > only jurisdiction in the world that makes card counting illegal.

    It most certainly is not illegal. The Nevada Supreme Court ruled conclusively that a player who uses nothing but his own innate ability, unassisted by technology or collaboration with others, cannot be prosecuted for cheating at a casino game.

     

    reply to this | link to this | view in thread ]

  33.  
    identicon
    Bengie, May 9th, 2013 @ 8:33am

    Re:

    What do you think High Frequency Trading does thousands of times per second?

     

    reply to this | link to this | view in thread ]

  34.  
    identicon
    late2p, May 17th, 2013 @ 8:05am

    All these online gambling sites and a fair amount of betting sites are a scam. The lack of physical gambling in this area is really hurting thanks to this online explosion. I'd rather gamble in person and have a shot at taking home winnings, rather than gamble online with the knowledge I won't be able to cash out once the automatic website algorithim hits and I start mysteriously losing.

     

    reply to this | link to this | view in thread ]

  35.  
    identicon
    alex123, Aug 13th, 2013 @ 7:40pm

    Helow

    Can I simply just say what a relief to uncover a person that genuinely knows what they are talking about on the web. You actually know how to bring an issue to light and make it important. A lot more people need to read this and understand this side of your story. I was surprised that you're not more popular because you surely have the gift.
    Sbobet

     

    reply to this | link to this | view in thread ]

  36.  
    identicon
    David Bowie, Apr 22nd, 2014 @ 2:44am

    Your post was really wonderful in which you wrote about different forms of online poker and I am glad that I came across it. I am also sure that many people who aspire to play poker shall learn a lot from this post. I would also like to invite people to my website which houses and offers all the major variants of poker online and where the players can play this game in stunning graphics and amazing sounds.

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This