Feds Drop CFAA Charges Against 'Hacker' Who Exploited Poker Machines
FuzzNugget writes "According to Wired, the two CFAA charges that were laid against the man who exploited a software bug on a video poker machine have been officially dismissed. Says Wired: '[U.S. District Judge Miranda] Du had asked prosecutors to defend their use of the federal anti-hacking law by Wednesday, in light of a recent 9th Circuit ruling that reined in the scope of the CFAA. The dismissal leaves John Kane, 54, and Andre Nestor, 41, facing a single remaining charge of conspiracy to commit wire fraud.' Kane's lawyer agreed, stating, 'The case never should have been filed under the CFAA, it should have been just a straight wire fraud case. And I'm not sure it's even a wire fraud. I guess we'll find out when we go to trial.'"
spinning in his grave.
You got to know when to hold em.
Know when to fold em.
Know when to walk away, know when to run.
What is this madness? Glitches are part of video games. Even speedrunners know that.
Nothing in the summary links to the actual article in which the charges are noted as dismissed. Here's the relevant link: http://www.wired.com/threatlevel/2013/05/video-poker-hacking-dismissed/
How many undiscovered glitches are there that cause the player to lose unfairly?
How many undiscovered glitches are there that cause the player to lose unfairly?
These are called features ;)
Same as with candy bar machines.
They frequently fail to give you your candy bar, but they almost never accidentally give you 2 candy bars.
They're obviously engineered to "fail" in a way that benefits the "house"....
Don't you mean Liberals?
It is illegal if David beats Goliath.
New Economic Perspectives
This here:
https://www.youtube.com/watch?v=jgDsbjAYXcQ&feature=player_embedded#!
Is it true that the FBI deliberately refuses to allow recordings of any interviews in case their agents are caught lying? And that the notes they keep are the legal definition of the interview? So that if they 'tweak' the notes, you can't say you didn't say that, because that's lying to an FBI agent (the legal definition of the interview is the hand written notes, so you are now changing your story, a crime!), and you can't agree that you said that because it implicates you in crime. Catch 22.
If this is true, then the FBI are guilty of some serious criminal behavior. Why don't they record the interviews on an audio recording device? Why are they afraid of an accurate recording?
"According to Wired, the two CFAA charges .. have been officially dismissed".
Where does it say that in the two links provided?
AccountKiller
Those newlines are there for a reason.
They would have been there, but someone couldn't be bothered to figure out what the new command for unix2dos was.
Not many, I'd imagine. The house controls the odds of winning very carefully. This guy got extra winnings through a bug that caused the machine to pay out 10x what was on the screen. If there were an equivalent bug causing the machine to pay out 1/10th of the displayed winnings, you can bet your ass there'd be a lawsuit.
(not that I'm at all defending their attempts to screw this guy)
They're engineered to be fail safe.
We strapped him down real good.
Only a few months ago we had this:
http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed
http://www.wired.com/business/2013/03/weev/
AT&T had left the accounts of every iPad owner open, a group spotted it, reported it to Gawker, the Feds investigated, let AT&T off, and arrested the group and the lead was sentenced to 3.5 years.
So now you can't report security holes you find to the news because the FBI will arrest you for hacking.
"Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application."
The 'hack' was they visited a URL, and the FBI managed to convince a judge that visiting a URL is hacking. The FBI clearly cooperated in AT&T's coverup here, visiting a URL is not hacking. It appears that AT&T is too big to prosecute, so they shot the messenger.
The CFAA was misused and the limited technical knowledge of a judge abused, to get a prosecution that lets AT&T cover up their negligence in exposing private data publicly on the web. It also shields them from lawsuits, since they can point to the 'crime', and claim to be the 'victims'.
They dropped the CFAA charges in this case, but that means nothing, the FBI has long abused that law, it clearly needs to be fixed and the FBI clearly need to be reined in.
Interestingly enough, some vending machines are also "hackable" by pushing multiple selection buttons or pressing buttons in a certain sequence. In some cases they can be made to vend without putting money in first, and some other sequences may display the total money in the machine or activate the coin ejector. ("Jackpot!")
If an ATM starts spitting out double money, I don't think I'm entitled to keep it even though "I was just playing by its rules". Now in this case it's a bit different I suppose since it is a game where I can win or lose. But the part that they are winning here is not really in the game but an artifact of the way credits are miscounted. So it's really analogous to the double-money ATM issue.
Some drink at the fountain of knowledge. Others just gargle.
I've always been lucky and I wouldn't be surprised to learn that I've actually gotten two more often than I've been ripped off. (In fact, I only remember being ripped off once, at work, where I was reimbursed. But I remember several occasions where I've gotten two.)
In a casino? I'd imagine the customer would immediately point out the glitch to a staff and get reimbursed, gamblers can get really nasty when they lose unfairly. So I'd say zero undiscovered glitches that go against the gambler. There may be some that are yet not fixed but not undiscovered.
As to whether this particular case, going the opposite way, is a crime... Well every online game I've played says "bug-use is a bannable offense" so it's a grey area at best, but you still can't blame the casino for raising a stink.
Analogy time: let's say someone discovers that through some wild combination of reflections he can see your younger sister taking a shower off the shiny back of a brand new stop sign. So he videos the shower scene while legally standing on a public sidewalk, and puts it on YouTube. Illegal or a legit use of a bug?
Here's the new article at wired.com http://www.wired.com/threatlevel/2013/05/video-poker-hacking-dismissed/
They should have used wireless...
Sheesh, evil *and* a jerk. -- Jade
I doubt there are that many, largely because it would be pretty stupid to risk losing your license to operate a machine that, simply by the laws of probability, will almost make money. In the places where these things operate they usually have to undergo some pretty stringent testing to make sure the odds of winning are as close to "real" poker as possible. TFA even mentions them undergoing random spot inspections where they take a SHA-1 hash of the machine data and compare it with what is registered....
Monstar L
Sure, I'll accept that analogy. Now give me an example where anyone was charged with a felony after an ATM didn't give a customer as much money as was withdrawn from the account. Maybe a misdemeanor? A successful lawsuit even?
Corporations make mistakes all the time and the vast majority of them are in their favor. And yet these people who have millions of dollars and trained specialists and lawyers at their disposal... for some reason they are held to a much lower standard of justice. Some kid writes a fairly benign virus, gets charged as an adult and goes to prison. Sony, a multibillion dollar transnational corporation with a legion of lawyers and technical experts at its disposal, designs a rootkit to install itself on the computers of tens of millions of their customers. Result? A few class action lawsuits that offered a refund of the purchase price or a coupon for a DRM'ed digital download version of the album.
I'm not anti-corporation, I just think they should be held to a higher standard than individuals instead of being given a free pass for doing what are otherwise considered to be felonies.
That's his point, don't go have a chat with the FBI, even if it's not under oath, even if you're not accused of anything, or a witness, because they have a policy of only keeping *their* hand written notes, and preventing a proper authentic recording.
The official policy is to prevent an accurate recording of an interview, and permitting only their inaccurate one.
You can say "I *wasn't* in that bar that evening", the FBI agent writes "I *was* in that bar that evening", if you deny saying what the FBI agent wrote, they'll try prosecuting for lying to a Federal agent, if you agree, they've successfully fabricated a fake piece of evidence that places you at the scene of a crime.
That would be perverting the course of justice, but the FBI rules ensure the evidence isn't there to prove it.
On the subject of vending machines, I once discovered a flaw in the bill-reader of a vending machine that wouldn't take my bill. At first I thought it was a problem with the bill, so I tried smoothing it out and reinserting and after about five tries, noticed that the machine had credited me $2 without taking the bill. I took my item, got the change and met up with my friends.
The machine was in the basement of my dorm, and my friends were in the TV lounge one floor up. I told them the story about the machine - and we proceeded to play the vending machine much like the 'hackers' in the video poker case. We took turns inserting a dollar bill (it was always rejected) until the machine gave us the credit, bought the lowest-price item and collected $1.50 in change each time until we emptied the machine of change. We made off with about $17 in quarters apiece...
Taking the SHA-1 hash does not detect BUGS that cause the PLAYER to lose money more than expected. How would you even know such a bug existed? Does QA go through mathematically checking everything under all circumstances (the answer is no: this guy found a case they didn't check). The question stands: how many CASINO-BIASED bugs remain?
Analogy time: let's say someone discovers that through some wild combination of reflections he can see your younger sister taking a shower off the shiny back of a brand new stop sign. So he videos the shower scene while legally standing on a public sidewalk, and puts it on YouTube. Illegal or a legit use of a bug?
The looking would be legal. Video of a naked sub-18 posted without permission would likely be a crime, regardless of how it was obtained. If your younger sister is over 18, the only issue would be using someone's likeness without permission.
Learn to love Alaska
Did you read the fucking comment, or just zoom in on a word and start mouthing off? The programs MUST go through a certification process that will catch most of the bugs, and the SHA-1 hash is to ensure that the code remains the same. So the benefit from creating casino-biased bugs is probably less than the potential cost of getting caught.... so yeah, when you hit that "reply" button in the future, actually read the fucking comment instead of just scanning for keywords, ok?
Monstar L
There have been several cases where the machine displayed a much higher jackpot than what was then paid out.
http://news.slashdot.org/story/10/06/05/1828218/malfunction-costs-couple-11-million-slot-machine-jackpot
http://idle.slashdot.org/story/09/11/06/1638213/casino-denies-man-166-million-jackpot
And I don't think the 'winners' got anywhere with their lawsuits.
he can see your younger sister taking a shower off the shiny back of a brand new stop sign. So he videos the shower scene while legally standing on a public sidewalk, and puts it on YouTube. Illegal or a legit use of a bug?
Legit use of a bug, but a violation of YouTube's Terms of Service ("you will not submit to the Service any Content or other material that is contrary to the YouTube Community Guidelines") and Community Guidelines ("YouTube is not for pornography or sexually explicit content").
In the specific case of my younger sister, it's also horrific taste. She's quite unattractive. (Community guidelines: "YouTube is not a shock site. Don't post gross-out videos")
"I guess we'll find out when we go to trial.'"
It is this "Lucky shot" kind of "justice" that makes the U.S. justice system a boring joke around the world. Of course there is always the possibility that you sue somebody for something that turns out not to be applicable, but just suing (and therefore financially draining) a victim just to see what he may be accused of is just criminal.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
I'd imagine this would be taken pretty seriously. Nevada regulated games pretty tightly, but the casinos want to provide an honest game. Their reputation matters, and they make a huge profit running honest games. A suggestion that they're cheating puts off a lot more honest players than they can win through a few glitches.
I had a vending machine once display "WINNER" on the LCD, then it proceeded to give me my item and ALSO refund all the money I put into it!
It was very, very rare as I used that machine quite often and it only happened once. But it does show the people that program them might easily have put in things that favor the person using the machine...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The point of pressing any buttons in the poker is to win or increase the winnings. No button pressing combination is thus any different from any other. And they should either all be illegal or not. Blaming these people for playing the game as it is, is just ridiculous. Casinos should be more careful about bugs and pay the bills in this case for their failure to do so.
Voting systems, now, I wish the same scrutiny was awarded to them.
So what was your limit? If the owner had forgotten to lock it would you have taken all the contents? How about if someone had accidentally left a crow bar nearby? Would you have pried open the machine? What's the line you won't cross?
You need to calm down and grow up.
Banning a lucky or plucky player is one thing but prosecuting him for a crime is a much different thing. I think banning is reasonable in most cases ('right to refuse service') but prosecutions should only happen when crimes are committed.
Not sure I'm convinced that exploiting an obvious glitch isn't hacking. Especially when part of the process involves manipulating the casino into enabling the feature. It's pretty obvious that this isn't intended behaviour and it's a glitch.
Also not convinced that it is wire fraud. Seems an odd charge to apply.
I was just at the casino the other day... The machines clearly state "all malfunctions void all pays and plays".
That's the only way to be sure.
I have an anecdote on vending machines. While going to school, I worked at a large drugstore (smaller than Walmart, larger than Walgreens). There was a soda vending machine outside. It was owned by some company that had lots of them in various places around the region. On coming to work opening the store on a Saturday we saw it had been broken into (it had a rather large steel bar across it and a huge lock, but they had been cut). The "money box" was taken. However the "change box" (where the machine keeps a certain amount of dimes, nickels, and a few quarters as change for sales) was still there and still full. The product (a bunch of various sodas) was still there too. We called the company and they said they would send someone on Monday. Two days later - with this machine open. They didn't care much about the stuff still in there. We figured this was stupid, so we removed all the soda (filled two shopping carts) and put it in the back room. We also held down the internal buttons that caused it to drop change and emptied the change box and put that in the back too. (As I recall I think I kept about a 6 pack of sodas for myself). We returned all that stuff to the company - and they didn't care. No thanks, no nothing. Apparently they CAN afford that. Because that kind of thing happens a lot. And they just write it off and move on.
but now he has to fight to get out the Griffin Book
Sounds like you did a good thing. It's annoying that you cared more than the company, and some recognition and thanks would be nice, but then that's not why we do good things (or at least shouldn't be.)
If the house, like the rest of us, can resist greed, it doesn't need 'bugs' to make money; it already has features built into an honest game that punters already accept to ensure it makes money over the long term.
One that always comes to mind for me is cellular companies and billing errors. Strange how they can make the same error, every month, for possibly tens or hundreds of thousands, and the solution always seems to be just "oh sorry sir, we'll correct that on your next bill."
I had a co-worker who had a pretty tight budget, and remember that every single month he was on the phone correcting his cellular company's "mistakes." Of course, he was locked into a 3yr contract, so even after half a year or more of mistakes he couldn't switch.
Meanwhile, the people that didn't watch their bills like a hawk get screwed, and the telco makes millions of illegitimate profit. Strange how those errors are 99.99% of the time in favour of the telco, and how they seem to always come back.
Who gets charged in court for that?
I would worry more about being taken out into the back alley and having my legs broken. Casinos don't like people winning their money. He was lucky to only be arrested.
Depends on the machine. At one place, two of the 5 had special sensors that ensured something fell down into the chute (I think the machines called it "seeing eye" or something). It's just a little optical sensor whose beam gets broken by the item.
Once, it DID fail on me - the item was still stuck on the loop. The machine detected this and spun it around again, so I ended up with two.
I noticed that those machines were also better engineered - one item common to all had a habit of falling the wrong way and getting wedged in the chute such that the door was stuck shut. (or get caught on a lip in the chute) The seeing eye machines didn't have lips that could catch the item nor did the item ever fall the wrong way to get stuck - they were engineered to prevent the item from flipping around and tended to have the items slide down rather than tumble.
The poker game was programmed such that a certain set of button pushes would result in a win. Why is using the program as it was programmed a crime?
In my experience, that's not actually true -- most vending machines dispense one item per operation by turning an auger 1 revolution -- if the item snags, 1 further revolution will generally unsnag the first item and drop the second, getting the next guy 2 candy bars. It's pretty much zero-sum unless one slot on the auger isn't filled (in which case, don't buy that item when the empty slot comes up!) or the machine thinks an auger was fully refilled when it was partially refilled, and lets you keep purchasing from it after it has already dropped all its contents (again, don't do that!).
Now, the money processing side can be bad (occasionally eating a dollar bill or failing to dispense change) but you said "fail to give you your candy bar" which I assume refers to the vending side...
That was my thought when I read the summary, but then I read the article.
The glitch wasn't one that caused the machine to lose; it was one that allowed the player to manipulate the machine into paying out the same jackpot *twice*. Compounding that, it could be made to pay out that jackpot at odds higher than the player actually faced the first time around.
Let's look at this by analogy. Suppose there was a real card game offered by the casino, and this game had a flaw in it; that flaw consists of a no-lose strategy. There'd be nothing immoral about a player noticing that strategy and exploiting it to win. That's the impression of the software glitch the summary gives. In fact the glitch works more like this: suppose the player notices that when the employee hands out winning chips, he leaves a drawer full of chips open where anyone coming along could grab them. The player then plays until he wins, pockets his winnings, then walks around to the other side of the table and stuffs a bunch of chips that don't belong to him into his pocket.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Suppose, just suppose, you discover that if you tap three times on the side of an old-fashioned one-armed bandit, at a specific place and a specific speed, it pays off!
So you do this ten thousand times, win ten thousand dollars. And the casino finds out.
What's the charge? Wire fraud?
Nooo .. they'll grit their teeth, buy you a drink, and yank every damned one of those machines offline until they get the bug fixed.
So what's different now with this software glitch? And why blame the clever guy who discovered it?
Let the casinos take their hits and learn their lessons. This is NOT criminal, IMHO.
Ooh, I love fantasy! Here's a good one for you!
We heard of the horns in the hills ringing,
the swords shining in the South-kingdom.
Steeds went striding to the Stoningland
as wind in the morning. War was kindled.
There Théoden fell, Thengling mighty,
to his golden halls and green pastures
in the Northern fields never returning,
high lord of the host. Harding and Guthláf,
Dúnhere and Déorwine, doughty Grimbold,
Herefara and Herubrand, Horn and Fastred,
fought and fell there in a far country:
in the Mounds of Mundburg under mould they lie
with their league-fellows, lords of Gondor.
Neither Hirluin the Fair to the hills by the sea,
nor Forlong the old to the flowering vales
ever, to Arnach, to his own country
returned in triumph; nor the tall bowmen,
Derufin and Duilin, to their dark waters,
meres of Morthond under mountain-shadows.
Death in the morning and at day's ending
lords took and lowly. Long now they sleep
under grass in Gondor by the Great River.
Grey now as tears, gleaming silver,
red then it rolled, roaring water:
foam dyed with blood flamed at sunset;
as beacons mountains burned at evening;
red fell the dew in Rammas Echor.
This bug reminds me of one in Baldur's Gate -- to activate a scroll or item or something your character normally couldn't, pause the game, go into the backpack and click on an item to activate it, then swap its spot with the item you really wanted to activate.
On pressing go, the lockout check had already been performed, but the swapped item activates.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
In my short experience of working at a casino as a slot attendant, we've had malfunctions (eg: play button stuck down) that have caused the patron to lose their money. In that case we verify how much they started with and give them a ticket for the original amount (this is customer service, not a legal requirement). Anyone could tell you that if they hit a jackpot (anything above $2,000 or $3,000, can't remember which) while the machine was malfunctioning (as long as it was a legitimate play and not an error), they're not going to want their original credits back. Since it was a malfunction that didn't affect the outcome of the plays, I'm sure the casino would have honored that win. Casinos (or more specifically, the vendors casinos use) will find and fix glitches not only because they still have laws to follow, but also because it isn't hard for them to take all your money legally.
On top of that, most casinos have all plays computed on a server in a back room. Unless you're in Vegas (class 1 machines, iirc), plays are generally not run on the machine you're sitting at. They're just clients that show you what the outcome on the server was. Even if the machine were to somehow have some kind of exploitable glitch, it would not sync up with the server.
Finally, EVERY machine has a disclaimer that says "Malfunction voids all plays and pays". This is the be-all and end-all.
tl;dr: Casinos don't need glitches to take your money.
If we colonize Mars, it won't be the World Wide Web anymore. UWW?
Here's a stencil for anyone else who wants to play:
Don't you mean <political alignment I don't like>?
In school, we had a vending machine with a glitch where if you put in a quarter then unplugged/plugged in the machine, it would power up with a dollar credit. The items in the machine all cost 75 cents, so a quarter would come back out. The students would keep this quarter on top of the machine for anyone to use (we called it the bitch quarter). It was cleaned out in a matter of days. It was refilled once, then they noticed that it was emptied again with no money in it so they removed the machine.
Miller Lite tastes like water that's somehow managed to rot.
Awesome response. And a perfect example of why I've never gotten through either the bible or any Tolkien book. Blech.
And remember, by violating YouTube's terms of service you too can be prosecuted under the CFAA.
As I said elsewhere, if I understand the bug correctly it's worth noting that it was still technically possible for him to lose. If he lost every game he would walk away with nothing but empty pockets. Therefore the fundamental nature of the game wasn't changed--it was still gambling, but with the odds/payouts dramatically changed.
And the wording of the game is consistent with his play. It only worked on machines with a double-payout multiplier, and he played to the multiplier. It just happened that he could multiply a previous payout if he didn't already cash it out. That's what it's supposed to do, right?
Learn to love Alaska