Slashdot Mirror
Feds Drop CFAA Charges Against 'Hacker' Who Exploited Poker Machines
FuzzNugget writes "According to Wired, the two CFAA charges that were laid against the man who exploited a software bug on a video poker machine have been officially dismissed. Says Wired: '[U.S. District Judge Miranda] Du had asked prosecutors to defend their use of the federal anti-hacking law by Wednesday, in light of a recent 9th Circuit ruling that reigned in the scope of the CFAA. The dismissal leaves John Kane, 54, and Andre Nestor, 41, facing a single remaining charge of conspiracy to commit wire fraud.' Kane's lawyer agreed, stating, 'The case never should have been filed under the CFAA, it should have been just a straight wire fraud case. And I'm not sure its even a wire fraud. I guess we'll find out when we go to trial.'"
spinning in his grave.
You got to know when to hold em.
Know when to fold em.
Know when to walk away, know when to run.
Yes, but apparently if you profit off a glitch, it is your fault and yu are a bad person however if you simply write a buggy poker machine slot machine game thingy, you are just A-Okay.
To me, this is exactly like charging a person who uses a buggy phone that gives them free calls every other call with fraud. They bought the phone as is, made no changes to it and they are being charged. These guys didn't change the code in the poker machine, they just knew what buttons to press after putting money in. If anything, they should be celebrated as the folks that beat the gaming industry.
Moved to http://soylentnews.org/. You are invited to join us too!
Nothing in the summary links to the actual article in which the charges are noted as dismissed. Here's the relevant link: http://www.wired.com/threatlevel/2013/05/video-poker-hacking-dismissed/
How many undiscovered glitches are there that cause the player to lose unfairly?
How many undiscovered glitches are there that cause the player to lose unfairly?
These are called features ;)
It is illegal if David beats Goliath.
New Economic Perspectives
Except most casinos have a very specific clause that says all winnings are scrutinized and may be denied if the winnings are as a result of a machine fault.
Yes, a casino is NOT a way to make money - if you treat them as a form of entertainment rather than money making, you're closer to the actual reality of what a casino actually is.
You cannot win. It's why if you do win a jackpot, the machine you used is immediately isolated and wheeled away to confirm the win, verify there's no shenanigans with the machine, and to verify there's no faults with the machine. And yes, if they forget to update the game firmware, that counts as a fault and your winnings will be denied.
In fact, all that really has to happen is the guy gets billed for all his winnings due to faulty machines. No muss, no fuss, no criminal charges. Just a big ass bill having to repay every single dollar won.
Those newlines are there for a reason.
They would have been there, but someone couldn't be bothered to figure out what the new command for unix2dos was.
Only a few months ago we had this:
http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed
http://www.wired.com/business/2013/03/weev/
AT&T had left the accounts of every iPad owner open, a group spotted it, reported it to Gawker, the Feds investigated, let AT&T off, and arrested the group and the lead was sentenced to 3.5 years.
So now you can't report security holes you find to the news because the FBI will arrest you for hacking.
And yes, if they forget to update the game firmware, that counts as a fault and your winnings will be denied.
I may be wrong, but I believe they do get fined and the fault recorded. Gaming associations are intended to close down establishments who have too many "mistakes" like that.
Now, I have zero experience with the reality. The way the article reads, it seems that the Nevada’s Gaming Control Board swooped in to oversee things closely. The jaded or masturbacynical will see this as "the system is rotten, they are there just to protect the casinos run by the *man*, man!", and the naive will believe government enforcement always works for the innocent person. The reality is somewhere between Goofy and the "we are nihilists" crowd's view, and egregious errors are corrected according to regulations.
Which really hits the thing this article never covered (or I missed it). Sure there's legal prosecution going on now, but were the winnings illegitimate according to the Pennsylvania and Nevada statutes?
"$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
"Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application."
The 'hack' was they visited a URL, and the FBI managed to convince a judge that visiting a URL is hacking. The FBI clearly cooperated in AT&T's coverup here, visiting a URL is not hacking. It appears that AT&T is too big to prosecute, so they shot the messenger.
The CFAA was misused and the limited technical knowledge of a judge abused, to get a prosecution that lets AT&T cover up their negligence in exposing private data publicly on the web. It also shields them from lawsuits, since they can point to the 'crime', and claim to be the 'victims'.
They dropped the CFAA charges in this case, but that means nothing, the FBI has long abused that law, it clearly needs to be fixed and the FBI clearly need to be reined in.
If an ATM starts spitting out double money, I don't think I'm entitled to keep it even though "I was just playing by it's rules". Now in this case it's a bit different I suppose since it is a game where I can win or lose. But the part that they are winning here is not really in the game but an artifact of the the way credits are miscounted. SO it's really analogous to the double-money ATM issue.
Some drink at the fountain of knowledge. Others just gargle.
Sure, I'll accept that analogy. Now give me an example where anyone was charged with a felony after an ATM didn't give a customer as much money as was withdrawn from the account. Maybe a misdemenor? A successful lawsuit even?
Corporations make mistakes all the time and the vast majority of them are in their favor. And yet these people who have millions of dollars and trained specialists and lawyers at their disposal... for some reason they are held to a much lower standard of justice. Some kid writes a fairly benign virus, gets charged as an adult and goes to prison. Sony, a multibillion dollar transnational corporation with a legion of lawyers and technical experts at its disposal, designs a rootkit to install itself on the computers of tens of millions of their customers. Result? A few class action lawsuits that offered a refund of the purchase price or a coupon for a DRM'ed digital download version of the album.
I'm not anti-corporation, I just think they should be held to a higher standard than individuals instead of being given a free pass for doing what are otherwise considered to be felonies.
To me, this is exactly like charging a person who uses a buggy phone that gives them free calls every other call with fraud. They bought the phone as is, made no changes to it and they are being charged. These guys didn't change the code in the poker machine, they just knew what buttons to press after putting money in. If anything, they should be celebrated as the folks that beat the gaming industry.
While I agree that using CFAA to prosecute these guys was prosecutorial overreach of the abusive kind, the cellphone analogy does not quite work (close though :-) ) - if the "normal" operating process for the poker machine is "put money in", "play", "complete game", "cash out/play again/insert more money and repeat", and the guys were doing this, then the analogy would work.
But the actual process was one that was so illogical that the only statistically likely way to discover it would be with inside information or via hacking. Probably the prosecutors originally assumed this was the case and were looking at using CFAA, and decided to be lazy and press on with abusive over-reach instead of re-adjusting to use more appropriate legislation when their initial investigations. Alternatively, the prosecutors could actually have, SHOCK AND HORROR, actually done their job properly, and looked at all of the available evidence and THEN decided what statutes they were going to try and run the prosecution under to aim for a conviction based on the actual discovered evidence rather than their own assumptions or that one of them really wanted to try a CFAA case.
Having said that it is statistically likely to have been uncovered with inside information or hacking, the number of times people have played these machines means that there was still a slim but significant possibility of it being discovered by accident as seems to have happened here, and in those cases (as far as I am aware) there is no legal requirement for him to report the "malfunctioning" equipment to either the casino or the manufacturer so the worst thing that could be done to him legally is for the casino to ban him from their establishments and for the casino to take the matter up with the manufacturer, using a civil law suit to recover the lost money from the manufacturer, who then makes a claim on some liability insurance or other (and if I am wrong about him not having a duty to report the problem, then it is a civil problem between the casino and the patron).
Is it stealing if the owner gives it to you mistakenly?
He was presented a game. He played the game. He won. He was prosecuted. He did not cheat to win the game. He did not take anything that wasn't freely given.
Learn to love Alaska
Analogy time: let's say someone discovers that through some wild combination of reflections he can see your younger sister taking a shower off the shiny back of a brand new stop sign. So he videos the shower scene while legally standing on a public sidewalk, and puts in on YouTube. Illegal or a legit use of a bug?
The looking would be legal. Video of a naked sub-18 posted without permission would likely be a crime, regardless of how it was obtained. If your younger sister is over 18, the only issue would be using someone's likeness without permission.
Learn to love Alaska
There have been several cases where the machine displayed a much higher jackpot then what was then paid out.
http://news.slashdot.org/story/10/06/05/1828218/malfunction-costs-couple-11-million-slot-machine-jackpot
http://idle.slashdot.org/story/09/11/06/1638213/casino-denies-man-166-million-jackpot
And I don't think the 'winners' got anywhere with their lawsuits.
he can see your younger sister taking a shower off the shiny back of a brand new stop sign. So he videos the shower scene while legally standing on a public sidewalk, and puts in on YouTube. Illegal or a legit use of a bug?
Legit use of a bug, but a violation of YouTube's Terms of Service ("you will not submit to the Service any Content or other material that is contrary to the YouTube Community Guidelines") and Community Guidelines ("YouTube is not for pornography or sexually explicit content").
In the specific case of my younger sister, it's also horrific taste. She's quite unattractive. (Community guidelines: "YouTube is not a shock site. Don't post gross-out videos")
I assume you didn't read into the case. The prosecutors were never trying to argue that Nestor (the accused) used hacking to find the glitch. They were trying to argue that the combination of keys that activates the glitch is so complex that it should by itself be considered 'hacking'.
However, the 'combination of keys' used was not that extraordinary - all were legal game-play moves. Boiled down to the fact that switching a denomination of a game could change the payout the machine would give you on games you already won (but did not cash out yet).
The prosecution was trying to paint is as access rights violation but they failed to show just what exactly did the defendants do that they were 'not entitled' to do.
It still might be a fraud. Especially since Nestor convinced the operator in one case to switch on the feature that enabled the glitch. But hacking is out of the question.
I had a vending machine once display "WINNER" on the LCD, then it proceeded to give me my item and ALSO refund all the money I put into it!
It was very, very rare as used that machine quite often and it only happened once. But it does show the people that program them might easily have put in things that favor the person using the machine...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So what was your limit? If the owner had forgotten to lock it would you have taken all the contents? How about if someone had accidentally left a crow bar nearby? Would you have pried open the machine? What's the line you won't cross?
There is no EULA on a poker machine.
What you see is what you get.. no wait... what you see is what takes your money... No, hang on, let me word this... What you see should take your money... and if it doesn't then you can be hit with all sorts of charges... Hmmm, that doesn't sound as good as my original line...
Moved to http://soylentnews.org/. You are invited to join us too!
Taking something that isn't yours is stealing, even if the owner makes it easy.
This is gambling however. It's like playing a game of poker where you aren't supposed to see the cards, but one player is showing them to you. It is HIS/HER fault. Using the knowledge of that players cards in your betting and game is fine-and-dandy with me. Each player should be covering his cards.
This is a slot machine, it is a perfectly legal profit center for casinos and gaming establishments to strip money away from the poor, addicted, weak-minded and the like. This isn't a case where a chap sneaks into a software design company, steals the code for a slot machine and sells it to another developer. This is out and out poor coding that has bitten someone in the ass and they are suing the guy who noticed it. If I was semi-omnipotent (whereby had the power to change who got fined, but not whether they got fined) I would be slugging any fine directly to the company who coded this rubbish in the first place.
And seeing as I am in a somewhat antagonistic mood, please enlighten me on how enticing dim-witted souls into thinking that they have a real chance of winning money, as compared to in reality siphoning off their meager funds isn't stealing. Casinos are nothing short of a way for someone to profit off the addictions, simple-wits and guilability of those beneath them - and this is said from someone who has made a good deal of money from playing poker - the real kind, against other players, not the poker-machine type. If you ask me, they should be totally and utterly, without the slightest hesitation, liable for any mistakes on their part, any badly written gaming machines, or any-and-all dumb-shittery, mental-fuck-up-edness or downright incompetence on their part.
Moved to http://soylentnews.org/. You are invited to join us too!