Slashdot Mirror
Man Arrested For Exploiting Error In Slot Machines
An anonymous reader writes "A man awaiting trial in Pennsylvania was arrested by Federal agents on Jan. 4, and accused of exploiting a software 'glitch' within slot machines in order to win payouts. The exploit may have allowed the man to obtain more than a million dollars from casinos in Pennsylvania and Nevada, and officials say they are investigating to see if he used the method elsewhere. The accused stated that 'I'm being arrested federally for winning on a slot machine. Let everybody see the surveillance tapes. I pressed buttons on the machine on the casino. That's all I did.' Apparently, slot machine software errors are fairly common. The lesson here seems to be that casinos can deny you a slot machine win any time they wish by claiming software errors, and if you find an error that you can exploit, you may find yourself facing Federal charges for doing so."
I suppose the most glaring issue here is the double standard that software errors can be legally taken advantage of by the casinos, while they are illegal to take advantage of by the gambler. (or at least that looks like how the recent verdicts have been swinging)
I work for the Department of Redundancy Department.
casinos exploiting human failings to make millions and millions of dollars is legal. People exploiting casino failings to make millions and millions of dollars is illegal.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
The only way to win is to not play.
Put identity in the browser.
It can backfire, however. Gambling is heavily regulated and one of the requirements in some places is that the thing being gambled on must be random. These regulations exist to prevent casinos from having fixed decks for card games or rigged wheels for roulette, but they carry over to other forms of gambling. If you can show that their machine is deterministic, then they may be in trouble. A software glitch that lets you always win may well count, depending on your jurisdiction...
I am TheRaven on Soylent News
Well it's a LITTLE more complicated than that... FTFA:
In order to expose the glitch, a special "double-up" feature had to be internally activated. The men persuaded casino technicians to alter "soft" options on the machines, such as volume and screen brightness controls. Such perks aren't unusual for high-rollers, who can wager anywhere from a few hundred to thousands of dollars in one day.
One Meadows employee, who was not criminally charged or accused of wrongdoing, agreed to enable the double-up feature on the machine with the glitch.
Normally, such a feature would allow a player to risk doubling his winnings or potentially losing them all. The double-up feature isn't usually enabled on the machines in part because it's unpopular with most gamblers, who are unwilling to risk large amounts of money.
When the correct sequence of buttons was pushed, the machine displayed false double jackpots. No casino officials noticed because the bogus jackpots weren't being recorded in the machine's internal system.
Throughout April 2009, Mr. Kane frequented Las Vegas casinos, practicing his technique in a "test run," according to authorities, before calling his friend Mr. Nestor in Pennsylvania.
From May 1 to June 15 in 2009, agents said Mr. Nestor joined Mr. Kane in Las Vegas, where the duo allegedly cashed in phony jackpots "over and over again" and perfected a scheme to exploit the same glitch in casinos across the world.
So they noticed a glitch in the system - one that allowed them to get a Jackpot without it being reported or investigated. They then went worldwide with this to get as much money as they could before getting caught.
Now, don't get me wrong, a bug in the system shouldn't be the fault of the player, and definately shouldn't result in Criminal Charges, I'd even say taking back the winnings is a bit harsh though it depends on the scenario (obviously guys exploiting a flaw should give back all the money, a person experiencing the glitch once shouldn't have to give any of it back).
But claiming that they are completely innocent in this scheme sets a bad precedent. Oh, this website didn't secure their Logins for SQL injection, it's not MY fault the series of buttons I pressed resulted in me accessing their database records. Oh, metasploit showed me a new Microsoft zero day exploit, its not MY fault I got admin access to the webserver by simply pressing the correct keys!
TL;DR - Just because the Casino claims that the player won by a glitch doesn't mean the Casino is evil and the player is being ripped off. Yeah, it's not their fault there is a glitch, but if the player repeatedly exploits it instead of reporting it, you have to expect some sort of consequences.
To distill the article, those machines have some software options, such as volume, screen brightness, and some game options, such as whether or not a Double-Up feature was enabled.
Somehow the guy knew that if the Double-Up feature was enabled a software flaw would be exposed, whereby a certain sequence of button presses would trigger a jackpot (and the jackpot would not be recorded in the data log).
The machines did not have Double-Up enabled by default, so this guy would ask casino techs to mess with settings, like the volume and brightness. While they were changing those settings he also asked to have the Double-Up enabled, thus "enabling" the bug.
So the glaring question is how did this guy know about the "correct sequence of buttons" and the fact that it specifically had to be enabled via the Double-Up feature? To me this reeks of a developer slipping in a "glitch" to trigger a jackpot at will, and it was hidden with that Double-Up feature which they knew was disabled by default to keep the sequence from accidentally being discovered (or found via auditing).
The real criminal is the insider that passed this info along, and presumably maintained anonymity and safety while his patsy actually went around and harvested the winnings, which I'm sure the software developer would receive a share of.
Better known as 318230.
So can gamblers audit the casinos to ensure all the times they lost were not due to a "glitch"?
I'm looking at a slot machine right now and I see this notice: "MALFUNCTION VOIDS ALL PLAYS AND PAYS". Period. It doesn't matter whether that malfunction happens internally or externally.
Gaming is heavily regulated by a state gaming control board and the slots machines themselves have incredibly robust state machines (including power-hit tolerance), tamper resistance, history logs (games played; events; system errors; etc.), and must be certified by a state gaming control board (and possibly a third party lab such as GLI).
Disputes naturally arise and there is a state gaming board approved method for dealing with them. If the player is still unsatisfied he is free to seek a civil action in a court of law.
What one fool can do, another can. (Ancient Simian Proverb)
It's not an idiotic assertion in that it's true in general (all casinos have a clause like "payouts only after verification"), but it is a bit of a non-sequitor.
Basically, anytime the slot machine gives the jackpot, that machine is usually immediately taken offline and wheeled back for verification of the win. Of course, you're not allowed to see this, you only hope they're doing things like comparing the software against the government-escrowed copy (yes, the government maintains a copy of the software) and verifying the settings. Networked jackpots often have to confirm with the network operators in making sure the server actually sent the "win" command to the slot (networked jackpots are determined by the central server when you pull). At any point the casino can simply turn around and say "sorry, it was a glitch" and deny your jackpot. It's happened before.
According to TFA:
The men persuaded casino technicians to alter "soft" options on the machines, such as volume and screen brightness controls.
It appears that their scheme went far beyond exploiting a s/w error in a 'deniable' fashion (Anyone could have pushed that combination of buttons by chance) when they had technicians reconfigure the machines.
IANAL, but one problem in obtaining any sort of criminal conviction is that of proving intent. Had the button combination been pushed with nothing else going on, there could have been some question. But once they solicited help from the casino techs, the jig was up.
Have gnu, will travel.
Oh yeah - I don't have any sympathy for the Casinos they've always been stealing for as long as they've been around.
But two wrongs don't make a right, stealing from a Casino does not make you a good guy (Despite how much you may like Ocean's 11).
And making these guys sound like victims is more whats bothering me. They clearly played it like Con-men what with getting Casino technicians to alter the machines.
That's not a bug, it's an easter egg.
WALSTIB!
While I agree with part of what you are saying, on the other hand we should be careful not to reward shitty design by making it criminal to exploit it. I mean look at DMCA where ANY encryption, even something as lame and completely bogus as ROT13 could possibly get you busted for "circumventing" it. Or that guy being sued for accessing the hockey game even though they put it on a server with NO authentication methods that would let anyone that knew or found the IP address to help themselves.
And finally let us not forget this is casinos we are talking about, places where the odds are so badly stacked against the player that if anyone that didn't have the blessing of the state tried to set up a similar gaming operation they would be busted for fraud, and rightly so. The last thing we need is to give them an excuse to not to have to pay out what little they do pay without having to go through a bunch of legal hoops. After all as another poster pointed out that actually worked on slot machine code all the code is shitty so one could argue that ANY significant payout could be attributed to "software glitch" and with piss poor badly managed code that would be a legitimate argument.
The odds are already so badly stacked on most of them games you'd have better odds at 3 Card Monty, so I'm just worried about setting a precedent that gives them even BETTER than the already overwhelming advantage they already have. Hell I'd already argue most of those games are legalized robbery, do we really need to let them slide for not bothering to have decent code written as well?
ACs don't waste your time replying, your posts are never seen by me.
I like seeing stories like this. Maybe if we have enough of 'em, people will realize that gambling when the house has a stake is a sucker's game.
There's an anecdote in the book "Games You Can't Lose" by Harry Anderson (who played the judge in Night Court, and is a longtime stage magician and collector of cons and swindles). To paraphrase:
One day on a whim, this guy places a bet at a sidewalk Three Card Monte game and of course he loses. So he starts watching carefully how the game is played. And he notices how the dealer ignores bets that are placed on the right card when someone else bets on the wrong one, and how a Monte game always has a bunch of shills around who will helpfully make the wrong bet in case none of the marks do.
So the guy comes back the next day, and when the dealer calls for bets, the guy pulls out a staple gun and staples his dollar to the Queen. Bam! The first guy to ever win at Three Card Monte.
And he pocketed his winnings, after the nurse at the emergency room un-stapled them from his forehead.
This is a common misconception which the likes of Vegas and Atlantic City would love everyone to continue to believe. There are no jurisdictions in the United States in which card counting (without the use of any devices) is illegal. Additionally, a casino has no right to take back any winnings which were legally obtained. In Nevada, casinos *are* permitted to deny you entrance or ask you to leave if they suspect you may be a card counter. AFAIK, they are also free to share ban lists with other casinos as they see fit. In New Jersey, casinos are not even allowed to go this far. Players may not be denied entrance simply because they are too skilled (see Uston v. Resorts International Hotel, Inc.).
And as far as I know, their winnings are not denied for counting cards.
Instead, the casino just bans you. In Nevada a casino can ban you for any (or no) reason. So if they think you are counting they just tell you your business isn't welcome here anymore. You get to cash out what you have but you must leave and not come back.
However, gambling to your best ability is not illegal, however using an assistive device is. You can be prosecuted and your money taken for using a computer to help you count cards.
In Atlantic City, it is not legal to ban you for arbitrary reasons, so the casinos take other anti-counting measures, most notably continuous shuffling machines. With these, literally any card not on the table at the moment could come up next (instead of those also in the used pile), so the odds what could come as the next card never change enough to take advantage of through counting.
I do not know the legality of assistive devices in Atlantic City, I suspect they are illegal there too.
http://lkml.org/lkml/2005/8/20/95
No, he used the interface provided by the device as designed. That the device is faulty is the casino's problem, not his. How did he forge anything at all?
Don't just stand there, get that other dog!
"As designed?" We're clearly dicussing an exploit. Nobody designs slot machines and deliberately inserts autowin codes. He used the device "as is" in a way that clearly violated the anticipated design of the machine.
What makes it a forgery is this: The machine claimed he won. He did, in fact, not win. He forced the machine to incorrectly indicate that the casino owed him money. This is not exactly a "written" instrument, but it's close enough: The machine's "you have won!" display functions equivalently to a document purporting to entitle him to a large amount of cash. But it was not produced as a result of a legitimate game of chance, which is what the machine is supposed to do. Instead it was produced as a result of deliberately triggering a malfunction, which was then misrepresented as legitimate.
When he claimed the jackpot, he presented the printout, the winning screen on the slot machine, whatever as proof that he had won the game of chance. Playing the slots at the casino is effectively entering into a contract with the casino: Play this game of chance according to the rules, and if you win, we will pay you according to the reward schedule. He didn't play according to the rules, instead, he misused casino property to made it appear as if he had. As I see it, that definitely falls under 'the fraudulent making and alteration of a writing to the prejudice of another man's right.'
This is the same exploiting a "software error" concept as the mid-80s game show "Press Your Luck" where a contest http://en.wikipedia.org/wiki/Michael_Larson won far bigger than anyone before him by taking advantage of a poorly planned game, in a legal way.
In that game, CBS reluctantly paid the winnings, and fixed the error so that no one else did it. The casino should do the same since he wasn't shaking the machine, putting coat hangers up the coin return or other such hacks that clearly aren't ok. Asking to turn up the volume or brightness, was ok with the casino employee, even if it unknowingly activates the bug.
I don't see how this could hold up in court. If they can't get the devs to fix it, then take the problem machines off the floor, or implement security in the same way as done to watch card counters. If someone wins more than x times at a machine, or racks up more than $x winnings, pay it out and ask them to leave. Card counters aren't charged with "receiving stolen property", and that's also exploiting an inherent flaw in those games. The casinos bought and paid for the software on their machines, and should be accountable for any flaws in their purchase.
I've been to the casino in question, and have to wonder on any future trips, if I win legitimately even without exploiting anything, will I have unknowingly hit the "Stop" button at a time that could be considered a hack, and be in the same boat as this guy?
Slot machines are not a legitimate game of chance though. If you examine the disassembled code you can see that supposedly random outcomes are actually decided by the code to keep the player feeling like they might win.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC