Slashdot Mirror
Feds Drop CFAA Charges Against 'Hacker' Who Exploited Poker Machines
FuzzNugget writes "According to Wired, the two CFAA charges that were laid against the man who exploited a software bug on a video poker machine have been officially dismissed. Says Wired: '[U.S. District Judge Miranda] Du had asked prosecutors to defend their use of the federal anti-hacking law by Wednesday, in light of a recent 9th Circuit ruling that reigned in the scope of the CFAA. The dismissal leaves John Kane, 54, and Andre Nestor, 41, facing a single remaining charge of conspiracy to commit wire fraud.' Kane's lawyer agreed, stating, 'The case never should have been filed under the CFAA, it should have been just a straight wire fraud case. And I'm not sure its even a wire fraud. I guess we'll find out when we go to trial.'"
spinning in his grave.
You got to know when to hold em.
Know when to fold em.
Know when to walk away, know when to run.
Yes, but apparently if you profit off a glitch, it is your fault and yu are a bad person however if you simply write a buggy poker machine slot machine game thingy, you are just A-Okay.
To me, this is exactly like charging a person who uses a buggy phone that gives them free calls every other call with fraud. They bought the phone as is, made no changes to it and they are being charged. These guys didn't change the code in the poker machine, they just knew what buttons to press after putting money in. If anything, they should be celebrated as the folks that beat the gaming industry.
Moved to http://soylentnews.org/. You are invited to join us too!
Nothing in the summary links to the actual article in which the charges are noted as dismissed. Here's the relevant link: http://www.wired.com/threatlevel/2013/05/video-poker-hacking-dismissed/
How many undiscovered glitches are there that cause the player to lose unfairly?
How many undiscovered glitches are there that cause the player to lose unfairly?
These are called features ;)
Same as with candy bar machines.
They frequently fail to give you your candy bar, but they almost never accidentally give you 2 candy bars.
They're obviously engineered to "fail" in a way that benefits the "house"....
It is illegal if David beats Goliath.
New Economic Perspectives
Its all in the EULA you agreed to when you clicked on the button. Didn't you read the incomprehendable fine print?
Except most casinos have a very specific clause that says all winnings are scrutinized and may be denied if the winnings are as a result of a machine fault.
Yes, a casino is NOT a way to make money - if you treat them as a form of entertainment rather than money making, you're closer to the actual reality of what a casino actually is.
You cannot win. It's why if you do win a jackpot, the machine you used is immediately isolated and wheeled away to confirm the win, verify there's no shenanigans with the machine, and to verify there's no faults with the machine. And yes, if they forget to update the game firmware, that counts as a fault and your winnings will be denied.
In fact, all that really has to happen is the guy gets billed for all his winnings due to faulty machines. No muss, no fuss, no criminal charges. Just a big ass bill having to repay every single dollar won.
Those newlines are there for a reason.
They would have been there, but someone couldn't be bothered to figure out what the new command for unix2dos was.
We strapped him down real good.
Only a few months ago we had this:
http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed
http://www.wired.com/business/2013/03/weev/
AT&T had left the accounts of every iPad owner open, a group spotted it, reported it to Gawker, the Feds investigated, let AT&T off, and arrested the group and the lead was sentenced to 3.5 years.
So now you can't report security holes you find to the news because the FBI will arrest you for hacking.
And yes, if they forget to update the game firmware, that counts as a fault and your winnings will be denied.
I may be wrong, but I believe they do get fined and the fault recorded. Gaming associations are intended to close down establishments who have too many "mistakes" like that.
Now, I have zero experience with the reality. The way the article reads, it seems that the Nevada’s Gaming Control Board swooped in to oversee things closely. The jaded or masturbacynical will see this as "the system is rotten, they are there just to protect the casinos run by the *man*, man!", and the naive will believe government enforcement always works for the innocent person. The reality is somewhere between Goofy and the "we are nihilists" crowd's view, and egregious errors are corrected according to regulations.
Which really hits the thing this article never covered (or I missed it). Sure there's legal prosecution going on now, but were the winnings illegitimate according to the Pennsylvania and Nevada statutes?
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
"Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application."
The 'hack' was they visited a URL, and the FBI managed to convince a judge that visiting a URL is hacking. The FBI clearly cooperated in AT&T's coverup here, visiting a URL is not hacking. It appears that AT&T is too big to prosecute, so they shot the messenger.
The CFAA was misused and the limited technical knowledge of a judge abused, to get a prosecution that lets AT&T cover up their negligence in exposing private data publicly on the web. It also shields them from lawsuits, since they can point to the 'crime', and claim to be the 'victims'.
They dropped the CFAA charges in this case, but that means nothing, the FBI has long abused that law, it clearly needs to be fixed and the FBI clearly need to be reined in.
If an ATM starts spitting out double money, I don't think I'm entitled to keep it even though "I was just playing by it's rules". Now in this case it's a bit different I suppose since it is a game where I can win or lose. But the part that they are winning here is not really in the game but an artifact of the the way credits are miscounted. SO it's really analogous to the double-money ATM issue.
Some drink at the fountain of knowledge. Others just gargle.
I doubt there are that many, largely because it would be pretty stupid to risk losing your license to operate a machine that, simply by the laws of probability, will almost make money. In the places where these things operate they usually have to undergo some pretty stringent testing to make sure the odds of winning are as close to "real" poker as possible. TFA even mentions them undergoing random spot inspections where they take a SHA-1 hash of the machine data and compare it with what is registered....
Monstar L
Sure, I'll accept that analogy. Now give me an example where anyone was charged with a felony after an ATM didn't give a customer as much money as was withdrawn from the account. Maybe a misdemenor? A successful lawsuit even?
Corporations make mistakes all the time and the vast majority of them are in their favor. And yet these people who have millions of dollars and trained specialists and lawyers at their disposal... for some reason they are held to a much lower standard of justice. Some kid writes a fairly benign virus, gets charged as an adult and goes to prison. Sony, a multibillion dollar transnational corporation with a legion of lawyers and technical experts at its disposal, designs a rootkit to install itself on the computers of tens of millions of their customers. Result? A few class action lawsuits that offered a refund of the purchase price or a coupon for a DRM'ed digital download version of the album.
I'm not anti-corporation, I just think they should be held to a higher standard than individuals instead of being given a free pass for doing what are otherwise considered to be felonies.
Taking something that isn't yours is stealing, even if the owner makes it easy.
To me, this is exactly like charging a person who uses a buggy phone that gives them free calls every other call with fraud. They bought the phone as is, made no changes to it and they are being charged. These guys didn't change the code in the poker machine, they just knew what buttons to press after putting money in. If anything, they should be celebrated as the folks that beat the gaming industry.
While I agree that using CFAA to prosecute these guys was prosecutorial overreach of the abusive kind, the cellphone analogy does not quite work (close though :-) ) - if the "normal" operating process for the poker machine is "put money in", "play", "complete game", "cash out/play again/insert more money and repeat", and the guys were doing this, then the analogy would work.
But the actual process was one that was so illogical that the only statistically likely way to discover it would be with inside information or via hacking. Probably the prosecutors originally assumed this was the case and were looking at using CFAA, and decided to be lazy and press on with abusive over-reach instead of re-adjusting to use more appropriate legislation when their initial investigations. Alternatively, the prosecutors could actually have, SHOCK AND HORROR, actually done their job properly, and looked at all of the available evidence and THEN decided what statutes they were going to try and run the prosecution under to aim for a conviction based on the actual discovered evidence rather than their own assumptions or that one of them really wanted to try a CFAA case.
Having said that it is statistically likely to have been uncovered with inside information or hacking, the number of times people have played these machines means that there was still a slim but significant possibility of it being discovered by accident as seems to have happened here, and in those cases (as far as I am aware) there is no legal requirement for him to report the "malfunctioning" equipment to either the casino or the manufacturer so the worst thing that could be done to him legally is for the casino to ban him from their establishments and for the casino to take the matter up with the manufacturer, using a civil law suit to recover the lost money from the manufacturer, who then makes a claim on some liability insurance or other (and if I am wrong about him not having a duty to report the problem, then it is a civil problem between the casino and the patron).
Is it stealing if the owner gives it to you mistakenly?
He was presented a game. He played the game. He won. He was prosecuted. He did not cheat to win the game. He did not take anything that wasn't freely given.
Learn to love Alaska
Analogy time: let's say someone discovers that through some wild combination of reflections he can see your younger sister taking a shower off the shiny back of a brand new stop sign. So he videos the shower scene while legally standing on a public sidewalk, and puts in on YouTube. Illegal or a legit use of a bug?
The looking would be legal. Video of a naked sub-18 posted without permission would likely be a crime, regardless of how it was obtained. If your younger sister is over 18, the only issue would be using someone's likeness without permission.
Learn to love Alaska
There have been several cases where the machine displayed a much higher jackpot then what was then paid out.
http://news.slashdot.org/story/10/06/05/1828218/malfunction-costs-couple-11-million-slot-machine-jackpot
http://idle.slashdot.org/story/09/11/06/1638213/casino-denies-man-166-million-jackpot
And I don't think the 'winners' got anywhere with their lawsuits.
he can see your younger sister taking a shower off the shiny back of a brand new stop sign. So he videos the shower scene while legally standing on a public sidewalk, and puts in on YouTube. Illegal or a legit use of a bug?
Legit use of a bug, but a violation of YouTube's Terms of Service ("you will not submit to the Service any Content or other material that is contrary to the YouTube Community Guidelines") and Community Guidelines ("YouTube is not for pornography or sexually explicit content").
In the specific case of my younger sister, it's also horrific taste. She's quite unattractive. (Community guidelines: "YouTube is not a shock site. Don't post gross-out videos")
I assume you didn't read into the case. The prosecutors were never trying to argue that Nestor (the accused) used hacking to find the glitch. They were trying to argue that the combination of keys that activates the glitch is so complex that it should by itself be considered 'hacking'.
However, the 'combination of keys' used was not that extraordinary - all were legal game-play moves. Boiled down to the fact that switching a denomination of a game could change the payout the machine would give you on games you already won (but did not cash out yet).
The prosecution was trying to paint is as access rights violation but they failed to show just what exactly did the defendants do that they were 'not entitled' to do.
It still might be a fraud. Especially since Nestor convinced the operator in one case to switch on the feature that enabled the glitch. But hacking is out of the question.
"I guess we'll find out when we go to trial.'"
It is this "Lucky shot" kind of "justice" that makes the U.S. justice system a boring joke around the world. Off course there is always the possibility that you sue somebody for something that turns out not to be applicable, but just suing (and therefore financially draining) a victim just to see what he may be accused of is just criminal.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
In real poker, if you see that your opponent has a 'tell' and use that against them, does that make you guilty of fraud? No. IMHO, mame thing applies here
I had a vending machine once display "WINNER" on the LCD, then it proceeded to give me my item and ALSO refund all the money I put into it!
It was very, very rare as used that machine quite often and it only happened once. But it does show the people that program them might easily have put in things that favor the person using the machine...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So what was your limit? If the owner had forgotten to lock it would you have taken all the contents? How about if someone had accidentally left a crow bar nearby? Would you have pried open the machine? What's the line you won't cross?
There is no EULA on a poker machine.
What you see is what you get.. no wait... what you see is what takes your money... No, hang on, let me word this... What you see should take your money... and if it doesn't then you can be hit with all sorts of charges... Hmmm, that doesn't sound as good as my original line...
Moved to http://soylentnews.org/. You are invited to join us too!
But the actual process was one that was so illogical that the only statistically likely way to discover it would be with inside information or via hacking.
Really?
How about the guy is playing for pennies... Wins. But its only pennies. Decides to play another game, also wins. Figures may as well raise the stakes, since he keeps winning. Raises his bet, then remembers he didn't cash out his first win.
It isn't as convoluted as it sounds.
Taking something that isn't yours is stealing, even if the owner makes it easy.
This is gambling however. It's like playing a game of poker where you aren't supposed to see the cards, but one player is showing them to you. It is HIS/HER fault. Using the knowledge of that players cards in your betting and game is fine-and-dandy with me. Each player should be covering his cards.
This is a slot machine, it is a perfectly legal profit center for casinos and gaming establishments to strip money away from the poor, addicted, weak-minded and the like. This isn't a case where a chap sneaks into a software design company, steals the code for a slot machine and sells it to another developer. This is out and out poor coding that has bitten someone in the ass and they are suing the guy who noticed it. If I was semi-omnipotent (whereby had the power to change who got fined, but not whether they got fined) I would be slugging any fine directly to the company who coded this rubbish in the first place.
And seeing as I am in a somewhat antagonistic mood, please enlighten me on how enticing dim-witted souls into thinking that they have a real chance of winning money, as compared to in reality siphoning off their meager funds isn't stealing. Casinos are nothing short of a way for someone to profit off the addictions, simple-wits and guilability of those beneath them - and this is said from someone who has made a good deal of money from playing poker - the real kind, against other players, not the poker-machine type. If you ask me, they should be totally and utterly, without the slightest hesitation, liable for any mistakes on their part, any badly written gaming machines, or any-and-all dumb-shittery, mental-fuck-up-edness or downright incompetence on their part.
Moved to http://soylentnews.org/. You are invited to join us too!
Banning a lucky or plucky player is one thing but prosecuting him for a crime is a much different thing. I think banning is reasonable in most cases ('right to refuse service') but prosecutions should only happen when crimes are committed.
Sounds like you did a good thing. It's annoying that you cared more than the company, and some recognition and thanks would be nice, but then that's not why we do good things (at at least shouldn't be.)
In poker you are play against the person not his cards.
One that always comes to mind for me is cellular companies and billing errors. Strange how they can make the same error, every month, for possible a tens or hundreds of thousands, and the solution always seems to be just "oh sorry sir, we'll correct that on your next bill."
I had a co-worker who had a pretty tight budget, and remember that every single month he was on the phone correcting his cellular company's "mistakes." Of course, he was locked into a 3yr contract, so even after half a year or more mistakes he couldn't switch.
Meanwhile, the people that didn't watch their bills like a hawk get screwed, and the telco makes millions of illegitimate profit. Strange how those errors are 99.99% of the time in favour of the telco, and how they seem to always come back.
Who gets charged in court for that?
Awesome, you just coined a new term, and I like it.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
I fully agree here. I read the article to see how this worked, clearly if he was doing something obviously wrong, like flashing roms, or manipulating the device in some way, I would say he is in the wrong...
Instead, he found that some added feature on the game instituted rules which, as it turned out, allowed him to effectively retroactively increase his bets.
I would agree this is cheating if it was being done through almost any other mechanism but, they added this rule into the system, they allowed it to carry between games, and it to be applied to an unclaimed win in another game.
It reminds me of losing a magic game to a rules lawyer based on a technical point that I didn't understand until he explained it. It sucks, but, its the game. Maybe it means the game needs to be fixed, but, its not his fault for finding out that there was a particularly advantageous style of play; and it shouldn't invalidate his prior wins. This is especially true of any casinos which (and its clear they did) continued to leave the feature activated even after becoming aware of it.
"I opened my eyes, and everything went dark again"
its not his fault for finding out that there was a particularly advantageous style of play
In fact casinos rely on people believing that they have a "system" or advantageous style of play when in reality they do not (on the whole). I suppose the question is if the casion had a faulty roulette wheel which increased the frequency of some particular region would the casino be entitled to keep any winnings?
SJW n. One who posts facts.
They are accused of intentionally exploiting a glitch in the machine to fraudulently win hundreds of thousands of dollars.
In gambling, I don't see the problem here. In gambling, it is everyone's intention to take everyone else's money. Why are you at fault just because the house was a bad gambler for once? It's hard to compare this to anything because gambling is specifically a game everyone is trying to take someone else's money while giving nothing in return. As a player I don't have an equal exchange contract when I gamble. I want your money and will take it how ever I can within the rules of the game you have set out for me to play.
Ok. So by extension, if you mix up a $100 chip for a $10 chip and it's obvious you did so (saying "I'm betting ten dollars" to the people around you. And maybe you're colorblind, etc.), do you think that you'd stand a chance in hell getting your $90 back? And yet there was no 'meeting of minds'! So, do believe the owners/operators of the casino should be charged with criminal fraud, sending them in prison for years, permanently nullifying their civil rights, screwing them over whenever they try to apply for jobs for the rest of their lives?
Or, you know, maybe it's the responsibility of the gamblers to be aware of the world around them. To accept responsibilities for their own fuckups. And by the same token, perhaps someone who set up a faulty gambling device that mistakenly gives a statistical edge to the player (when normally the edge always goes to the owner) should be expected to suffer the consequences of their own ineptitude instead of blaming others. It's sickeningly twisted to argue it's legal for casinos to profit from player ignorance/incompetence/misunderstandings (without these things the gambling industry would shrink dramatically) but illegal for the reverse to ever occur.