Slashdot Mirror

← Back to Stories (view on slashdot.org)

Investigation Into Security Director Who Hacked the Lottery Expands (bgr.com)

Posted by samzenpus on from the is-there-anything-else-you'd-like-to-tell-us? dept.

An anonymous reader sends the latest update on Eddie Tipton, the man who worked for the Multi-State Lottery Association who was convicted of rigging a lottery game so he could win a $14 million jackpot. BGR reports: "Not too long ago, Eddie Tipton was convicted of hacking into the Multi-State Lottery Association's computer system in order to rig a nearly $17 million jackpot in Iowa. Now comes word that an investigation into Tipton's hacking activities is expanding to include a number of other states. Thus far, lottery officials from Colorado, Wisconsin and Oklahoma have indicated that Tipton may have also gamed lottery jackpots in their respective states. What makes this saga all the more interesting is that Tipton actually used to work at the Multi-State Lottery Association as a security director. In that capacity, Tipton allegedly installed a rootkit onto his company's computer system that influenced the manner in which 'random' numbers were generated. As a result, Tipton was able to calculate and gain access to winning lotto numbers before their public unveiling. With the numbers in tow, authorities claim that Tipton would reveal the winning numbers to friends who would then buy 'winning' lotto tickets and then collect on big paydays."

25 of 167 comments (clear)

  1. Serious question.. by Wovel · · Score: 4, Interesting

    There are states that use a computer to pick their numbers and not balls pushed out by a machine?

    1. Re:Serious question.. by Ecuador · · Score: 4, Interesting

      Not only that, but they seem to license a specific random number generator from a 3rd party, with, apparently no oversight, security etc in place.
      I wonder if they pay good money for the generator to be "really" random, not like the pseudo-random crap you usually get with one-liners...

      --
      Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    2. Re:Serious question.. by Anonymice · · Score: 4, Interesting

      I call balls on that!

      The analogue method with balls shown on live TV isn't done "for show", it's done specifically to prevent the risk of tampering - the exact same reason why we all still vote with pieces of paper & 100s/1000s of people counting them out by hand.
      Drawing the numbers beforehand has zero to gain, other than a ton of controversy if something happened to backfire.

    3. Re:Serious question.. by arth1 · · Score: 2

      Many random routines boil down to trusting the OS, like /dev/random, and just running entropy tests against the data.
      This is relatively secure, unless someone has root access to the machine, and can replace /dev/random or the kernel.

      It's easy enough to mod the kernel to feed numbers from a list that passes any entropy test, but which is already available.

    4. Re:Serious question.. by plover · · Score: 2

      How do you test the circuits? How do you know that Joe's Random Generator is truly random? Tests for random number generators can only ensure they don't hit any known distribution patterns; but as the Dual EC DBRG fiasco showed, even a high quality random number generator can have an invisible back door.

      And the number space isn't large enough to take a lot of chances. If Joe and Frank both get their corrupt RNGs in the vault, the number of tickets they have to buy to have a good chance of winning drops dramatically; they could sell their secrets to a gang who uses smurfs to buy the thousands of lottery tickets needed to guarantee a win of tens of millions of dollars.

      --
      John
    5. Re:Serious question.. by sunderland56 · · Score: 4, Insightful

      the exact same reason why we all still vote with pieces of paper

      I'm afraid I have some bad news for you.

    6. Re:Serious question.. by Ol+Olsoc · · Score: 2

      the exact same reason why we all still vote with pieces of paper

      I'm afraid I have some bad news for you.

      Right States run by Republicans use electroniv voting. Much more reliable results that way.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:Serious question.. by Razed+By+TV · · Score: 3, Informative

      Quick mention of the 1980 PA lottery scandal, in which balls were swapped with counterfeit balls.

      https://en.wikipedia.org/wiki/...

  2. Can we just drop the lottery already? by rsilvergun · · Score: 5, Insightful

    Every state that has one uses it to cut taxes on the rich instead of adding to Education budgets (seriously, there's a John Oliver video over on youtube that explains it). It's addictive gambling that often drains the last few dollars from the poor and worse it gives the lower class a false feeling of hope that discourages them from demanding better living conditions. It encourages the downtrodden to think of luck as a skill you work at and view their failure to win as a personal failure. Lotteries are one of the most vile tools for controlling the working class ever devised. How is it nobody but one guy on youtube ever points this out?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Can we just drop the lottery already? by HornWumpus · · Score: 2

      No.

      It's the best possible tax. One on people bad at math.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:Can we just drop the lottery already? by onkelonkel · · Score: 4, Interesting

      When Italy first proposed a state run lottery, the Catholic Church pointed out that gambling was a sin. The government replied that lotteries aren't gambling, they are a tax on imbeciles.

      --
      None of them can see the clouds; The polished wings don't care.
    3. Re:Can we just drop the lottery already? by HornWumpus · · Score: 2

      Good joke. But gambling and drinking are sins that were added by the anti-fun brigade at a much later date. Catholics are fine with both.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:Can we just drop the lottery already? by Quirkz · · Score: 2

      I'd say people who are bad at music ought to be taxed more than those bad at math, but maybe that's just me.

      --
      The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
    5. Re:Can we just drop the lottery already? by penguinoid · · Score: 2

      the Catholic Church pointed out that gambling was a sin.

      Bingo!

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  3. Obligatory by s.petry · · Score: 3, Insightful

    The Lottery is a hidden Tax on the Poor.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Obligatory by TWX · · Score: 2

      Your odds of winning with no ticket are exactly zero. Your odds with 1 ticket are greater than zero.

      No tickets cost $0. One ticket costs more than $0, and it usually costs more than (prize_money)*(probability of winning the jackpot).

      On the other hand, if one ticket costs me the loose change that's been piling up for the last several months and gives me three or four days to daydream while I'm stuck doing an otherwise unpleasant job, so be it. That's $2.00 for three or four days of a greater degree of happiness, and no letdown because I know that I'm not actually going to win.

      --
      Do not look into laser with remaining eye.
    2. Re:Obligatory by Ol+Olsoc · · Score: 2

      Actually, it's a tax on people who cannot do math.

      I see a lot of people (like you) who suck at math make that claim. Your odds of winning with no ticket are exactly zero. Your odds with 1 ticket are greater than zero. I'm not sure what part of Math class you missed to not understand this.

      I agree that purchasing more than 1 ticket for something like the Powerball is silly. Because the difference in odds between 1, 2, or even 100 tickets is insignificant. But 1 ticket is still infinitely greater odds than no ticket at all.

      From what I have seen personally, and the number of tickets some folks I know have purchased, I've done better by putting that money in the bank - even at today's crappy rates. Why? Because even when they do win, it's something small, and they do what with it? That's right, they buy more lottery tickets. So they might sink a couple hundred to maybe have a slim chance of winning 50, then buy 50 dollars worth more tickets, but don't win. So they are out that much, where I still have my original couple hundred dollars, and a half cent interest.

      So yeah, I'm never going to win the lottery. Then again most people who play the lottery are never going to win the lottery, even with "infinitely" better chances than me.

      The distinction is cute, but darn near meaningless.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Obligatory by chmod+a+x+mojo · · Score: 2

      MIT students did, for years as a matter of fact. And that was AFTER they both explained how and asked the lottery board ( who said it was legal ) if they could use the exploit they found. There was a TED talk on it, it was actually quite interesting. I don't remember who it was, but it was an easy to follow, yet informative talk.

      Basically what it all boils down to is this: state run lottery gets pretty much the same amount of money if there is a winner or a not since tax / cost of entry on tickets goes to the state ( no matter what, it is taken pre-winnings pool calculations ), and then tax on winnings does as well, it doesn't matter too much if it is taxed on 1-2 big winners or across several smaller winners*.

      * multiple smaller winners actually drive sales higher since people see more winners and think they have a higher chance of winning.

      --
      To err is human; effective mayhem requires the root password!
    4. Re:Obligatory by Ol+Olsoc · · Score: 2

      On the other hand, if one ticket costs me the loose change that's been piling up for the last several months and gives me three or four days to daydream while I'm stuck doing an otherwise unpleasant job, so be it. That's $2.00 for three or four days of a greater degree of happiness, and no letdown because I know that I'm not actually going to win.

      I was listening to a show on NPR recently about gambling.

      Here's some excerpts from it. http://www.npr.org/2015/09/29/...

      They spoke about different people, and why some go on ot become gambling addicts, while others do not.

      It turns out that for some people such as myself, if we don't win, we get not enjoyment from it. This would seem correct to me, as in my one experience with gambling was tears ago on a return trip from the West coast, where my wife and I stayed a couple nights in Las Vegas. I tried out the slot machines, won a little then lost it. I figure I lost a total of 50 cents in the end.

      But I lost it, and came out with a little less money. No happieness there for me, no real emotional content at all.

      Sot some other folks would have been all excited about the initial winning, then disregarded the eventual loss. Seems different folks might be wired a little differently.

      But in the studies done, they had people getting the happy reaction even if they almost won. Missing one number on the lottery ticket or one fruit on a slot machine actually makes them feel as good as if they had won.

      Whereas for me, it just annoyed me a little.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    5. Re:Obligatory by clovis · · Score: 2

      Your odds of winning with no ticket are exactly zero. Your odds with 1 ticket are greater than zero.

      No tickets cost $0. One ticket costs more than $0, and it usually costs more than (prize_money)*(probability of winning the jackpot).

      There's more to it than just (prize_money)*(probability of winning the jackpot) is less than the cost of a ticket.

      The costs of a weekly lottery ticket over your entire life is still a low number. $52 * 100 years = $5,200. That's peanuts. It may even be less than I have actually spent on peanuts so far in my life counting the wife and kids.

      It is a game and there are TWO payouts.
      The first is, you're playing a game and you have fun. That is a payout.
      The second is the money you get if you win. The payoff is much much larger than you can get any other way - you cannot make that much money by investing $5200. Even Madoff didn't promise that large a return. So the usual rules of ROI don't apply here.

    6. Re:Obligatory by Penguinisto · · Score: 2

      Actually, it's a tax on people who cannot do math.

      I see a lot of people (like you) who suck at math make that claim. Your odds of winning with no ticket are exactly zero. Your odds with 1 ticket are greater than zero.

      You forget ROI, which is why your assertion fails. No tickets and no winnings costs me $0.00 One ticket and no winnings costs me $2, with no ROI. Multiple tickets with no winnings is $2 * n, again with no ROI. Powerball's absolute best odds are at 1:55.41 , which means that one would need to purchase at least $112 in tickets to even halfway hope for (but obviously not guarantee) a return of any kind, and that's just for a $4.00 ROI at minimum - if you're sufficiently lucky.

      Of course, you could defy all odds and win $$millions on just one $2 ticket, but the odds are stacked way too far against that happening on anything approaching a predictable basis.

      Certainly there's entertainment value in it (one can always dream), but that's nothing to do with mathematics: the odds are still stacked against you, and the only consistent winner of the game is the government, hence a 'tax'.

      Meanwhile, here's something else to consider: the typical ticket buyer is usually well below what one would call 'middle class' in income, which means that each dollar spent means a lot more to that person, and that income can ill-afford to be wasted on such an endeavor. As a younger man, I've lived under the poverty line, and I can attest to the fact that $2 (or back then, $1) was often the difference between, say, paying rent on time or not. Would that $1 have made me a multi-millionaire? Most likely not, so why the hell would I risk homelessness on such long-assed odds? Given the results of my frugality back then, I'm doing a whole hell of a lot better now when it comes to income - enough that my wife no longer has to work, we live comfortably, and my daughter currently goes to college w/o her or myself having to take on any debt in order to make that happen. This makes me a hell of a lot happier than any desperate dreaming of some Robin Leach inspired lifestyle ever could.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  4. Catholics and gambling . . . by Latent+Heat · · Score: 2

    B32!

  5. Implementation details... by DrYak · · Score: 2

    Alternatively, they can just predict /dev/random output if it contains sufficiently low entropy. You don't need root access for that.

    No you can't, you're mixing things a bit up. /dev/random - in most implementation is of the *blocking* variety. I will never let the entropy go low enough. If there isn't enough entropy, the device will simply block until enough entropy has been gathered.
    (Because of these pauses, it might be a performance bottleneck), that's why most implementations also offer... /dev/urandom - which is the *unblocked* one. It will always spits out random numbers, no matter what the current state of the entropy pool is. If gets too low, you're basically just having a CPRNG (a cryptographic *pseudo*-random number generator). It might look random, but if you collect enough data, you can guess the internal state of the generator and predict the next number.

    The problem is that, for performance reason, lots of people tend to use the second one, even for situation where this is a bad idea. Like generating the random numbers needed for a cryptographic key.

    See Mining Your Ps and Qs: Detection of

    Widespread Weak Keys in Network Devices

    Linux is one of the unix-like system that implements these kind of split random/urandom duality.
    Linux is also incredibly popular on embed device.
    Embed devices tend to have *not that much* sources of entropy (e.g.: no harddrive and input devices with chaotic timing)
    Gathering enough entropy for the critical process would take time.

    But several implementation use urandom (on the grounds that nobody wants to wait 30 minute after turning an appliance now. They want to push the button and the device imediatly tunring on and being operationnal).
    Which is a BAD IDEA(tm) for cryptography.

    The good idea would have been: defer the generation of keys as late as possible, e.g.: right before they are actually needed for the first time. By then some entropy (network timings, etc...) could have been generated.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Implementation details... by hawguy · · Score: 2

      Alternatively, they can just predict /dev/random output if it contains sufficiently low entropy. You don't need root access for that.

      No you can't, you're mixing things a bit up. /dev/random - in most implementation is of the *blocking* variety. I will never let the entropy go low enough. If there isn't enough entropy, the device will simply block until enough entropy has been gathered.

      But only if /dev/random's judge of entropy is correct, if the machine is running in a VM, its environment could be manipulated to make it *think* it has sufficient entropy even if it's not "real" entropy.

  6. vote by Smiddi · · Score: 2

    Im sure glad nothing like this would ever happen to voting machines