Slashdot Mirror


Allegation: Lottery Official Hacked RNG To Score Winning Ticket

SternisheFan writes with this excerpt from Ars Technica about what may be the most movie-worthy real-life crime story of the year so far: Eddie Raymond Tipton, 51, may have inserted a thumbdrive into a highly locked-down computer that's supposed to generate the random numbers used to determine lottery winners, The Des Moines Register reported, citing court documents filed by prosecutors. At the time, Tipton was the information security director of the Multi-State Lottery Association, and he was later videotaped purchasing a Hot Lotto ticket that went on to fetch the winning $14.3 million payout.

In court documents filed last week, prosecutors said there is evidence to support the theory Tipton used his privileged position inside the lottery association to enter a locked room that housed the random number generating computers and infect them with software that allowed him to control the winning numbers. The room was enclosed in glass, could only be entered by two people at a time, and was monitored by a video camera. To prevent outside attacks, the computers aren't connected to the Internet. Prosecutors said Tipton entered the so-called draw room on November 20, 2010, ostensibly to change the time on the computers. The cameras on that date recorded only one second per minute rather than running continuously like normal.

"Four of the five individuals who have access to control the camera's settings will testify they did not change the cameras' recording instructions," prosecutors wrote. "The fifth person is defendant. It is a reasonable deduction to infer that defendant tampered with the camera equipment to have an opportunity to insert a thumbdrive into the RNG tower without detection."

58 of 342 comments

  1. Honestly ... by gstoddart · · Score: 5, Interesting

    I'm actually surprised there haven't been more cases of insiders rigging lotteries.

    I should think knowing all of those zillions of dollars are just sitting there would cause more people to decide to see if they could get away with it.

    --
    Lost at C:>. Found at C.
    1. Re:Honestly ... by Anonymous Coward · · Score: 5, Insightful

      You don't see it more often because only idiots actually try to skim the lottery via the actual lottery.

      The ones who get away with it are the guys taking it out of the account via the budget (usually for a tax break for their large donors), or taking bribes from shop owners who want to sell tickets.

    2. Re:Honestly ... by gstoddart · · Score: 3, Informative

      > I had always thought, like so many lotteries for random things, that those associated with the company, even by merely being a family member of someone that is employed by them, makes it so that they can not participate in the drawings.

      Of course they do, for the obvious reasons.

      > The winning ticket went unclaimed for almost a year. Hours before it was scheduled to expire, a company incorporated in Belize tried to claim the prize through a New York attorney. In January, Tipton was charged with two counts of fraud. The allegations that he used his insider access to tamper with the RNG were first made in the court documents filed last week.

      It's not like he walked up and tried to claim the ticket personally.

      It is required that people not be able to participate. But someone went to great lengths to do this at arm's length from themselves.

      --
      Lost at C:>. Found at C.
    3. Re:Honestly ... by bondsbw · · Score: 4, Insightful

      Of course, all they need to do is not get caught. Same thing happens with slot machines and other random chance electronic games... it's easier than lobbying:

      1) Casino boss invites high ranking government official.
      2) Boss says, "We know you'll have fun, but I think you'll have more fun on machine number 57 if you grant consideration to improving legal conditions surrounding our fine establishment."
      3) Official wins jackpot
      4) Boss wins jackpot (figuratively)

      You're a fool if you don't think this happens. This is why I'm against electronic gambling. Not because of some moral "gambling is of the devil" thing... but because it would be trivial to rig these machines and then erase all evidence that anything fraudulent happened. Politicians can literally transform your hopes and dreams into money lining their wallet.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    4. Re:Honestly ... by Shakrai · · Score: 5, Funny

      > You need a trusted co-conspirator.

      Those words are mutually exclusive. :)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:Honestly ... by colfer · · Score: 2

      Yep, from TFA: "The winning ticket went unclaimed for almost a year. Hours before it was scheduled to expire, a company incorporated in Belize tried to claim the prize through a New York attorney."

    6. Re:Honestly ... by TheCarp · · Score: 3, Insightful

      Maybe more people who do it are at least somewhat smart about how they employ their tools? It sounds like this guy did a lot of upfront planning, but then failed at some of the most basic precautions. Why would he be caught dead anywhere near a lotto point of sale during such a caper? Surely that many millions justifies an accomplice to do the actual ticket purchasing and crying in front of the media, and the promising to help grandma and the community.

      Note the implication in the article talking about rootkits....they clearly didn't find the actual software. If he hadn't been caught on video buying the ticket they would have little to go on.

      --
      "I opened my eyes, and everything went dark again"
    7. Re:Honestly ... by Mr+D+from+63 · · Score: 2

      It might justify an accomplice, but finding one is very risky. Most folks will not want to participate and be compelled to turn you in just to protect themselves. I guess it would be easy enough to pay a guy to get your ticket for you. A better disguise may have helped.

      What is really hard is getting the money in the end and not being noticed.

    8. Re:Honestly ... by TWX · · Score: 5, Insightful

      There was a game somewhere that was proven to have software so faulty that it wasn't even capable of 'drawing' one of the possible numbers that players could choose.

      Computer-based random number generators are just about the worst possible way to conduct a lottery. They're not random, they're subject to tampering, they're only understood by a few people, and their function while operating cannot be observed by the public. They also aren't exciting.

      Machines that dump a bunch of balls into a spinning drum and then start pulling those balls out look cool on TV, plus they can be inspected, the public understands how they work, their operation is transparent, and because of the nature of the beast, are about as random as one can get within the context of a machine doing the drawing.

      --
      Do not look into laser with remaining eye.
    9. Re:Honestly ... by Anonymous Coward · · Score: 5, Interesting

      http://en.wikipedia.org/wiki/1980_Pennsylvania_Lottery_scandal

      Nope, balls don't work either.

    10. Re:Honestly ... by someone1234 · · Score: 4, Insightful

      You could ask any street urchin to buy a ticket for you.
      He has some highly sophisticated method, but was caught at the easiest part anyone could do better.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    11. Re:Honestly ... by operagost · · Score: 4, Insightful

      Yeah, but he purchased the ticket himself, assuming the authorities are correct. He must have not even bothered to wear any kind of disguise, because convenience store cameras are usually so bad you can't even tell whether a perp is human.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    12. Re:Honestly ... by Adriax · · Score: 2

      Your first 4 words answered your own question.
      It's just random racism. A troll post designed to elicit a predictable response so the trolls can convince themselves they're some kind of puppet master and therefore superior.

      Since they're protected from meaningful responses by internet anonymity, just ignore them. And if you feel the overriding need to respond, keep it short and simple.
      Don't respond with humor though. That can be misinterpreted as a kindred spirit agreeing with them and getting in on the action.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    13. Re:Honestly ... by OzPeter · · Score: 4, Interesting

      > This is why I'm against electronic gambling. Not because of some moral "gambling is of the devil" thing... but because it would be trivial to rig these machines and then erase all evidence that anything fraudulent happened.

      There was a case in Australia* with a gaming machine based on a horse race scenario. Someone started winning big on it, and when the investigation was done it was discovered that when the game was not actively being played, it displayed a "demonstration" game .. that turned out to be the next real game that would be played (or some such). So all you had to do was to wait until the demo came on, then when it finished, bet on the horse that won the demo.

      A perfect example of stupidity in the place of malice. So while your reasoning is potentially valid (and with a nod to Dennis Ritchie and his paper on trusting compilers), there is a broader set of reasoning to be against electronic gaming.

      * Writing from memory because I can't be bothered hitting google.

      --
      I am Slashdot. Are you Slashdot as well?
    14. Re:Honestly ... by ShanghaiBill · · Score: 4, Insightful

      Another reason you don't see it more often, is that most lotteries don't use a software RNG. Many use labeled ping pong balls, in a transparent container, that are selected in front of a live audience, and broadcast on TV in real time. That is more difficult to rig.

    15. Re:Honestly ... by IronChef · · Score: 5, Informative

      I worked for years in a slot machine company, and the scenario you propose would be difficult to execute. That sort of thing was easier in the old days when machines used socketed ROMs ... but today it's increasingly server managed and cryptographically signed and there is simply no way for the owner of a machine to flip a switch and rig the game.

      A game will have several payout selections, like 95.6%, 98%, etc. and you can choose among them, but that is about it.

      Slot manufacturers are under the microscope and will not jeopardize their licenses by making it easy for owners to rig games--at least in the US. The industry is HIGHLY regulated and multiple third party labs are involved in certifying the products.

    16. Re:Honestly ... by Lumpy · · Score: 4, Funny

      I filled it with new balls all with the same number.... I CAN'T LOSE!

      --
      Do not look at laser with remaining good eye.
    17. Re:Honestly ... by jeffmeden · · Score: 2

      > Of course, all they need to do is not get caught. Same thing happens with slot machines and other random chance electronic games... it's easier than lobbying:
      >
      > 1) Casino boss invites high ranking government official.
      > 2) Boss says, "We know you'll have fun, but I think you'll have more fun on machine number 57 if you grant consideration to improving legal conditions surrounding our fine establishment."
      > 3) Official wins jackpot
      > 4) Boss wins jackpot (figuratively)
      >
      > You're a fool if you don't think this happens. This is why I'm against electronic gambling. Not because of some moral "gambling is of the devil" thing... but because it would be trivial to rig these machines and then erase all evidence that anything fraudulent happened. Politicians can literally transform your hopes and dreams into money lining their wallet.

      There (should be) a paper trail of payouts to any winner from any casino, for tax purposes. The distinction that a mechanical vs electronic device was "rigged" is totally secondary to that fact. If this was skirted, then several other laws were also broken that day.

    18. Re:Honestly ... by HornWumpus · · Score: 4, Funny

      I don't believe any slot machine only takes 2% house odds.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    19. Re:Honestly ... by dcw3 · · Score: 2

      Surely, someone will notice the great big brass ones.

      --
      Just another day in Paradise
    20. Re:Honestly ... by dcw3 · · Score: 2

      > This is why I'm against electronic gambling.

      It's not any safer to utilize non-electronic. In spite of all the cameras at the casinos in Vegas, I've personally witnessed a couple of people get away with cheating. It can be trivial to do things right in front of a camera that won't be noticed.

      --
      Just another day in Paradise
    21. Re:Honestly ... by Kaenneth · · Score: 4, Interesting

      Promotional machines/settings; they can set individual machine odds.

      A new cluster of machines come in they set the game to payout well, to get people addicted, so it becomes some people's favorite machine.

      After a couple weeks/months they slowly lower the percentage, while moving the machine out of the prime spot, with the addicts following it, and they set up the next new game...

    22. Re:Honestly ... by Paradise+Pete · · Score: 2

      No but he was a dipshit that bought the ticket. 100% rookie move.

      A partner would be both expensive and risky. So far, the only evidence they seem to have is that somebody messed with the camera, and that he had "an interest in root kits". Well he's the security director. Not exactly a shocking revelation. Would you convict on those two facts? I don't think you can. If forensics on the computer don't reveal anything I'd say he walks. All the way to the bank.

    23. Re:Honestly ... by rkww · · Score: 3, Informative

      > with a nod to Dennis Ritchie and his paper on trusting compilers

      Reflections on Trusting Trust -- Ken Thompson

    24. Re:Honestly ... by TheCarp · · Score: 4, Informative

      Not entirely, if you can trust that his interests and yours are aligned then you can generally trust him. Actually, I was reading some interesting articles on Rockefeller and the railroads recently, where they came up with an ingenious price fixing scheme where Rockefeller was a colluding customer whose interests were aligned with the conspirators.

      Basically price fixing often has a loophole.....rebates. Colluding companies can still compete by offering secret rebates to customers, thus reducing the effective rate while appearing to honor the collusion agreement.

      Enter the colluding customer. Rockefeller was in a unique position as he owned several companies and nobody really knew what all companies he owned and didn't. He was given what were called "Drawbacks", that is rebates for every barrel of oil which shipped, whether he was the customer or not! This allowed him to ship under any name and still get his rebate without admitting which companies were his.

      In this way, colluding entities were prevented from defecting by aligning incentives to create a kind of trust.

      --
      "I opened my eyes, and everything went dark again"
    25. Re:Honestly ... by eth1 · · Score: 3, Insightful

      > You could ask any street urchin to buy a ticket for you.
      > He has some highly sophisticated method, but was caught at the easiest part anyone could do better.

      Hm... if someone came up to me and asked me to buy them a lottery ticket, I'd be rather suspicious. At the very least, I'd buy a second one with the same numbers and keep it for myself.

    26. Re:Honestly ... by rahvin112 · · Score: 3, Interesting

      Most businesses have replaced or will replace their security cameras with high resolution cameras, typical 720P or higher. 1080P cameras are now the standard. This is a remarkably high resolution and with the recording being digital it is VERY easy to identify people. The lottery probably requires vendors to have such cameras.

    27. Re:Honestly ... by rahvin112 · · Score: 2

      There are a few, usually by the entrance. They move them around too. Most of the machines have significantly lower payout rates but there are always a few that have high payouts so people hear and see large payouts.

    28. Re:Honestly ... by rogueippacket · · Score: 2

      > You could ask any street urchin to buy a ticket for you. He has some highly sophisticated method, but was caught at the easiest part anyone could do better.

      Think it through a bit more... this guy still has to collect with his winning ticket. It wasn't the act of buying the ticket alone that was suspicious, it was that he tried to claim the winnings while being in the employ of the lotto. I think that's a red flag everywhere.

    29. Re:Honestly ... by weweedmaniii · · Score: 2

      Yes the balls can be rigged but after speaking with some lottery folks years ago, they go to great lengths to ensure there's no tampering with the balls. The state lottery decided to do their first ever live draw remotely and I was assigned there doing first aid/security (I was in the National Guard). The lottery security guy was explaining how they had several sets of balls. All sets were weighed before and after the draw and had to be within a very narrow window of weight both before & after. The draw set is also chosen randomly and before and after the draw each ball is weighed to make sure there is no tampering as well as the set holder without the balls. So about 15 minutes prior the sets were weighed, one was chosen, each ball was weighed and the set holder was weighed. The draw was done live and immediately after, everything was reweighed and passed. This was 20 years ago so the methods may have improved or changed. I don't play much but I think the big money is still ping pong balls, now the small every 5-10 minute is RNG I guess.

      --
      "If stupid things work...then they are not stupid."
  2. This happened back in the day... by GerbilSoft · · Score: 5, Insightful

    ...but instead of hacking a random number generator, they injected paint into the ping-pong balls used for the live drawing.

    http://en.wikipedia.org/wiki/1...

    1. Re:This happened back in the day... by GerbilSoft · · Score: 5, Interesting

      And now for a follow-up question: Why exactly was a "highly locked-down computer" set to automatically execute code from flash drives?

    2. Re:This happened back in the day... by thaylin · · Score: 2

      Who said it autoexecuted? He went in there to actually do work on the computer, supposedly. I did not see anything in the report that shows he just plugged it in and left.

      --
      When you cant win, ad hominem.
    3. Re:This happened back in the day... by Daniel+Hoffmann · · Score: 2

      Because it was running Windows XP?

    4. Re:This happened back in the day... by colfer · · Score: 2

      Didn't need to. Somebody had root, probably him. He at least had privileges to change the time!

    5. Re:This happened back in the day... by WillAdams · · Score: 2

      You're conflating the movie (injecting paint) w/ the real life court case (it was determined that they had sprayed the exterior of the ping pong balls w/ fixative).

      --
      Sphinx of black quartz, judge my vow.
    6. Re:This happened back in the day... by mwvdlee · · Score: 2

      Makes me wonder; would it be possible to set up a root account that requires two different passwords (the number of humans required to be present in the room) out of a set of five allowed passwords (the number of humans that were allowed to enter the room).

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. Re:Employees can play? by CajunArson · · Score: 3, Informative

    Of course. If you read more about the story, this guy set up a shell corporation in Belize that tried to claim the prize just before it was going to expire. He obviously knew that he couldn't walk in and claim the prize, but he thought he could get away with having this magical shell corporation claim it on his behalf and that it wouldn't get back to him.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  4. Audit trails, dammit? by JaredOfEuropa · · Score: 2

    I'm surprised to see a complete lack of audit trails on critical systems like this. They need to require individual accounts of which every action is logged in an immutable audit trail. On both the camera system and the random number box. There is no way to prevent malfeasance committed using privileged accounts, but you should at least be able to determine who did what after the fact.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:Audit trails, dammit? by gstoddart · · Score: 2

      Except a rootkit can probably bypass anything in the OS which would allow for auditing.

      That's kind of the point of a rootkit.

      So depending on the OS, and just how much this could bypass, that there was simply no record isn't surprising.

      That's what the tool is designed for, and it certainly isn't there to do anything but bypass security.

      If you have security holes in your OS which can be exploited, chances are your auditing is included in things which can be bypassed.

      --
      Lost at C:>. Found at C.
  5. Re:Completely dumb by Harald+Paulsen · · Score: 4, Insightful

    Are all criminals dumb, or do we just catch the dumb ones?

    That's something I've always wondered.

    --
    Harald
  6. Erm.. Why a computer? by thegarbz · · Score: 5, Insightful

    What is the point of using an expensive and highly locked down computer in place of a dead simple machine filled with pingpong balls?

    1. Re:Erm.. Why a computer? by Anonymous Coward · · Score: 2, Insightful

      Hard to justify millions of dollars in spending for ping pong balls and a GoPro camera.

    2. Re:Erm.. Why a computer? by slashmydots · · Score: 2, Informative

      They have been proven statistically not random.

    3. Re:Erm.. Why a computer? by MasseKid · · Score: 2

      Because supposedly, it was more secure than pingpong balls, which have been hacked in the past. http://en.wikipedia.org/wiki/1...

    4. Re:Erm.. Why a computer? by Whorhay · · Score: 3, Interesting

      Neither is the computer though. I wonder what the difference is and if it actually is significant enough to matter. I'd just go with a set of dice, buy new dice for every drawing and pick some random person on the street to roll the dice each time.

    5. Re:Erm.. Why a computer? by Sloppy · · Score: 3, Insightful

      Because 9/11. Someone exploited the previous system once, so instead of thinking, we need to make expensive, radical changes.

      I like all the questions in this thread. People, if you're going to start asking questions, just cut to the end and ask why have a lottery at all. They are a totally worthless idea. Every second you spend on thinking of how to "fix" their integrity, is a second you could spend on something much more useful, like thinking about how to make dog shit taste like chocolate pudding. Now let's get to work on the cocoa powder experiments, everyone.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  7. RNG? by ArcadeMan · · Score: 2

    RNG sucks. I'd rather play a BLM or a THF.

  8. Re:Completely dumb by oodaloop · · Score: 4, Insightful

    Probably the latter. The selection bias here is huge. The really smart criminals aren't caught.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  9. Who controls the cameras? by whoever57 · · Score: 4, Interesting

    Why do people who have access to the computer also have the ability to control the cameras?

    Splitting responsibility this way is such a basic and obvious security measure.

    --
    The real "Libtards" are the Libertarians!
  10. Re:Ambiguous by Richard_at_work · · Score: 2

    From reading various articles on this, the person in question entered the room under the auspices of carrying out legitimate maintenance work, but had doctored the surveillance camera so it only recorded one second a minute rather than continuously - getting the other person to look the other way for a few minutes is a simple matter of social engineering ("hey, I forgot X and I'm right in the middle of this, could you get it?") and doesn't mean they were in on it.

  11. Re:Completely dumb by Rande · · Score: 4, Insightful

    The really smart criminals get into politics. Then, even if you are caught, nothing happens to you...unless you've pissed off another higher ranked politician, in which case it doesn't matter if you've actually done what you've been accused of.

  12. Circumstantial much by guruevi · · Score: 4, Interesting

    He's got the winning lottery ticket, there was a malfunction with the cameras. So far I haven't seen any 'evidence' that that person actually did it. He might have been in cahoots with his co-workers. Splitting the ticket 2-5-ways is still pretty lucrative.

    If he did it, he was pretty dumb to think he could get away with it. He should've
    1. Remained anonymous (if possible, some lotteries allow it, some don't), let his lawyer pick up the money
    2. Gone for a lot lower number (winning low enough so you can get a cash payout at the shop (~$600/week is still a nice bonus))
    3. Allowed enough time for the evidence to be destroyed (video cameras probably overwrite old stuff every n months) then played and collected. If you implement your own RNG, you could easily predict numbers in advance.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  13. Re:Why are lottery employees allowed to play at al by war4peace · · Score: 2

    Someone hasn't read TFA.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  14. Kids these days. Harrumph! by operagost · · Score: 2

    Darn young baby boomer whippersnappers are so lazy. He wouldn't have been caught if he'd just typed in the code live instead of slothfully brandishing a newfangled flash drive!

    cat > rootkit.exe

    In my day, I would've had to key it in the front panel! A command shell is pure luxury!

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  15. He should have... by sycodon · · Score: 4, Funny

    ...put the cameras on a 30 minute loop and hired an acrobat to lower into the room from the roof after hours and change the system. Then do the Lotto Commissioner's wife to keep him distracted.

    Just be sure to check for a new logo on the floor.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  16. four out of five? by chilenexus · · Score: 2

    > "Four of the five individuals who have access to control the camera's settings will testify they did not change the cameras' recording instructions," prosecutors wrote. "The fifth person is defendant."

    In other words, five out of five individuals will testify that they did not change the cameras' recording instructions.

  17. There is a LOT more than just this by WindBourne · · Score: 2

    Go look at the Powerball PRIOR to the new group being awarded managing it.
    You will see that over and over, the winners were on the east coast. Keep in mind that CA was one of the largest states to be part of Powerball, and had one of the most buyers of tickets, and yet, states on the east coast overwhelmingly won more than CA, esp. on the big ones.
    Technically, it is possible. Statistically, it was theft that was going on.

    --
    I prefer the "u" in honour as it seems to be missing these days.