Video Poker Firmware Bug Yields Big Money, Federal Charges

JoeyRox writes "Over the course of playing $12 million worth of video poker, Las Vegas resident John Kane stumbled onto a firmware bug in IGT's 'Game King' machines that allowed him to cash out for 10x the amount of his winnings. John and his friends took advantage of the vulnerability to the tune of $429,945. John's friend was arrested by U.S. marshals and charged with violation of the Computer Fraud and Abuse Act, but a federal magistrate ruled that the law doesn't apply and recommended dismissal. The case is currently being argued in a U.S. District Court."

Fraud is fraud

[i kan reed]

If you knowingly trick a computer into giving you money that's not yours, it's not any different than tricking a person into the same. Open door fallacies are the worst.

Abuse of civil matters

[briancox2]

This looks to me like a civil matter. That is, if there had never been the DMCA. There is a recent trend by big corporations to abuse the criminal court systems to resolve their disputes with the heavy hand of govnernment. I don't think it will stop until we stand up and demand government that is FOR the people.

Re:Fraud is fraud

[K. S. Kyosuke]

The machine is programmed to behave in a certain way. If you handle it in some way, it will give you more money. I'd blame the vendor. Do you blame the customer who goes to the shop where they often overpay him in change for fraud?

Re:Fraud is fraud

[AuMatar]

But that's not the right law to charge him under. Charge him under fraud or stealing, no problem. This is the anti-hacking law- they're charging him with hacking. I don't think this qualifies. It also is the difference between being tried in the federal court system (hacking is a federal crime) vs the state (which owns the laws for theft and fraud).

Either way he should be prosecuted, the question is why and where.

Re:Fraud is fraud

[cayenne8]

I don't think he should be prosecuted.

They have a machine...he didn't sigh any EULA or agreements about how to use it.

The main use of this machine is you put money into it, you hit buttons, it sometimes pays out.

He found a combination of buttons that causes it to pay out a LOT.

I see no problem with what he did. He simply put money in and pushed buttons on machine set out in public for the purpose of people pushing buttons and sometimes getting money out of it.

Show where he violated the signed terms of use or NDA or other type contract on exactly HOW he was to use the machine, and maybe you have a case.

After RTFA

[John Napkintosh]

I don't see this as being a criminal act, but given the way that it was carried out, I think the casino has every right to demand 9/10 of his winnings back.

You win a game at the $1 level, exploit a bug to change your cash level to $10 before accepting the payout, and then accept your payout. Well, you didn't actually make the bet at the $10 level, so you shouldn't expect your winnings to be multiplied by 10, but that's what's happening here. I'd argue that he's still entitled to the original 1x amount and let the casino ban him if they want to.

Re:Fraud is fraud

[Minwee]

Exactly. For example if I am playing poker and have a lousy hand, but bid high to trick the other players into folding, then that's fraud too. If I use that trick to make money then I'm stealing from the house.

Right?

Re:Fraud is fraud

[gfxguy]

How is it fraud? If you tell a machine you want $20 and it gives you $40 (even if you do it repeatedly), you haven't committed an act of deception. I'm not saying it's right or ethical, I'm saying it's not fraud, and it certainly shouldn't be prosecuted that way. Theft by taking, maybe.

Re:Fraud is fraud

[BitZtream]

Read the article.

He's exploiting the interaction between two different software modules to his advantage. While from a technical perspective he didn't write any assembly to exploit a buffer overflow, he instead used his fingers and eyes to write a mental program which moved his fingers in order to exploit an initialization bug in the software. The software was not clearing out memory it reused for like purposes between two different games, by exploiting this, he was able to increase his winnings by 10x.

He really is using a software exploit and 'hacking' the software. He just isn't using your typical UI to enter and run the hack but he really is exploiting a software bug like metasploit would, or any other attack vector.

This isn't your typical hacking applied to some object that just happens to have a processor. He is hacking the software, and more so, a specific version of the software with specific features enabled. This is no different than an attack targeted at Chrome or Safari, it just seems that way because the UI isn't a terminal window.

Re:Fraud is fraud

[geekoid]

No, you are the asshole. Plus shortsighted and egotistical, so you are the complete tri-fuckta.

Yeah. lets make people completely responsible for software errors. That way when you are charged the wrong price, you can be billed the next time the store does their books.
Oh, sales tax calculated wrong? well you better be ready to pay the difference to the store.

Hey, last time you pumped gas, there was an error and we charged yo for one less gallon, pay up now!

On and on.

"You haven't made me sign a document stating that I won't kill you while you sleep"
and there it is; a completely incorrect absurd example that has nothing to do with the issue at hand. You have no valid point, you lose.

Re:Fraud is fraud

[pla]

This is why the Gaming Commission is required to test/inspect the machines (to include deposits and payouts) on a regular basis. Until you have evidence that this is happening you're just trying to justify theft. If the machine were found to be faulty, the individual would have their provable losses returned to them, probably up to a few hundred dollars.

That sounds just peachy - Except that the machines in question had the exact same tests done to them, and still contained a bug that no one had caught for who knows how long.

It counts as pure hubris to claim that bugs in the opposite direction (opposed to the player) don't exist and remain uncaught.


That said, the definition of "fraud" here has a lot of flexibility. I recall a case from my youth (when I worked for a competitor of IGT, for whatever credibility that gives me) where someone cracked our RNG algorithm on a "pick 3" type game. After they had won a few hundred grand, the jurisdiction asked us to look into it, and we changed the RNG, the player stopped winning game after game after game. No charges ever followed, because it shouldn't count as fraud if you figure out how to win the fucking game, even though an entire state government lost a noticeable amount of money.

Re:Fraud is fraud

[nabsltd]

The theory would rely on Video Poker being the *one* slot machine in the casino that uses random chance in shuffling.

Video poker isn't a slot machine, and the shuffling is purely random.

The skill comes in knowing what cards to keep on the "hard" hands, but other people have figured it out for you [wizardofodds.com], so you don't have to be as "smart", just have a good memory.