Crime Government Security Technology

Investigation Into Security Director Who Hacked the Lottery Expands (bgr.com) 167

An anonymous reader sends the latest update on Eddie Tipton, the man who worked for the Multi-State Lottery Association who was convicted of rigging a lottery game so he could win a $14 million jackpot. BGR reports: "Not too long ago, Eddie Tipton was convicted of hacking into the Multi-State Lottery Association's computer system in order to rig a nearly $17 million jackpot in Iowa. Now comes word that an investigation into Tipton's hacking activities is expanding to include a number of other states. Thus far, lottery officials from Colorado, Wisconsin and Oklahoma have indicated that Tipton may have also gamed lottery jackpots in their respective states. What makes this saga all the more interesting is that Tipton actually used to work at the Multi-State Lottery Association as a security director. In that capacity, Tipton allegedly installed a rootkit onto his company's computer system that influenced the manner in which 'random' numbers were generated. As a result, Tipton was able to calculate and gain access to winning lotto numbers before their public unveiling. With the numbers in tow, authorities claim that Tipton would reveal the winning numbers to friends who would then buy 'winning' lotto tickets and then collect on big paydays."
  • Serious question.. (Score:5, Interesting)

    by Wovel ( 964431 ) on Wednesday December 23, 2015 @04:39PM (#51174663) Homepage

    There are states that use a computer to pick their numbers and not balls pushed out by a machine?

    • by Ecuador ( 740021 ) on Wednesday December 23, 2015 @04:47PM (#51174709) Homepage

      Not only that, but they seem to license a specific random number generator from a 3rd party, with, apparently, no oversight, security, etc. in place.
      I wonder if they pay good money for the generator to be "really" random, not like the pseudo-random crap you usually get with one-liners...

      • by arth1 ( 260657 )

        Many random routines boil down to trusting the OS, like /dev/random, and just running entropy tests against the data.
        This is relatively secure, unless someone has root access to the machine, and can replace /dev/random or the kernel.

        It's easy enough to mod the kernel to feed numbers from a list that passes any entropy test, but which is already available.
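An added example, not part of the thread or any commenter's code, illustrating the point in the comment above that output-only entropy tests cannot tell an honest source from a pregenerated, known list. It runs three statistical checks (monobit, poker, long run, with the FIPS 140-1 pass bounds) over `os.urandom` and over a stream derived from a known seed. The names `seeded_stream`, `fips_style_tests`, `draw`, the seed value and the 6-of-49 format are assumptions made for the illustration.

```python
import hashlib
import os
from itertools import groupby

SEED = b"constructed-demo-seed"  # constructed value, known to whoever built the list

def seeded_stream(seed: bytes, nbytes: int) -> bytes:
    """Deterministic bytes: SHA-256(seed || counter) blocks, concatenated.
    Stands in for the pregenerated list; anyone holding the seed can rebuild it."""
    blocks = (hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
              for i in range(nbytes // 32 + 1))
    return b"".join(blocks)[:nbytes]

def fips_style_tests(sample: bytes) -> dict:
    """Monobit, poker and long-run checks on 20,000 bits, with the pass
    bounds of the FIPS 140-1 statistical tests."""
    if len(sample) != 2500:
        raise ValueError("the tests are defined on a 20,000-bit sample")
    bitstr = "".join(f"{b:08b}" for b in sample)
    ones = bitstr.count("1")
    freq = [0] * 16                      # poker test: counts of each 4-bit value
    for b in sample:
        freq[b >> 4] += 1
        freq[b & 0x0F] += 1
    poker = 16 / 5000 * sum(f * f for f in freq) - 5000
    longest = max(len(list(run)) for _, run in groupby(bitstr))
    return {"monobit": 9654 < ones < 10346,
            "poker": 1.03 < poker < 57.4,
            "long_run": longest < 34}

def draw(stream: bytes, picks: int = 6, top: int = 49) -> list:
    """Turn bytes into distinct numbers 1..top (6-of-49 is an assumed format),
    rejecting bytes that would introduce modulo bias."""
    limit = 256 - 256 % top
    chosen = []
    for b in stream:
        if b < limit and (b % top + 1) not in chosen:
            chosen.append(b % top + 1)
        if len(chosen) == picks:
            break
    return sorted(chosen)

if __name__ == "__main__":
    for label, data in (("os.urandom", os.urandom(2500)),
                        ("known seed", seeded_stream(SEED, 2500))):
        print(label, fips_style_tests(data), draw(data))
    # Both streams pass; only the second can be recomputed ahead of time.
    print("rebuilt from seed:", draw(seeded_stream(SEED, 2500)))
```

Passing results say nothing about unpredictability, so an audit has to verify the generator's code and host integrity as well as its output.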

        • by sinij ( 911942 )

          Many random routines boil down to trusting the OS, like /dev/random, and just running entropy tests against the data. This is relatively secure, unless someone has root access to the machine, and can replace /dev/random or the kernel.

          Alternatively, they can just predict /dev/random output if it contains sufficiently low entropy. You don't need root access for that.

          See Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices

          • Alternatively, they can just predict /dev/random output if it contains sufficiently low entropy. You don't need root access for that.

            No you can't, you're mixing things a bit up. /dev/random - in most implementations - is of the *blocking* variety. It will never let the entropy go low enough. If there isn't enough entropy, the device will simply block until enough entropy has been gathered.
            (Because of these pauses, it might be a performance bottleneck), that's why most implementations also offer... /dev/urandom - which is the *unblocked* one. It will always spit out random numbers, no matter what the current state of the entropy pool is. If

            • by hawguy ( 1600213 )

              Alternatively, they can just predict /dev/random output if it contains sufficiently low entropy. You don't need root access for that.

              No you can't, you're mixing things a bit up. /dev/random - in most implementations - is of the *blocking* variety. It will never let the entropy go low enough. If there isn't enough entropy, the device will simply block until enough entropy has been gathered.

              But only if /dev/random's judge of entropy is correct; if the machine is running in a VM, its environment could be manipulated to make it *think* it has sufficient entropy even if it's not "real" entropy.

              • by arth1 ( 260657 )

                Or /dev/random might be a link to another device that acts differently, or the kernel might be compromised and switch the output from /dev/random to a pregenerated list that passes entropy tests but is known, or the file system driver might interface your open() call with a different program if the calling process has one specific name and tries to open /dev/random, or the compiler you build your polling software with might be compromised and substitute parts of specific code, or any of hundreds of other po

            • by sinij ( 911942 )

              No you can't, you're mixing things a bit up. /dev/random - in most implementations - is of the *blocking* variety. It will never let the entropy go low enough. If there isn't enough entropy, the device will simply block until enough entropy has been gathered.

              While for most cases you are correct, Linux heuristic estimator function is dated and does not always work. For example, you can't rely on Disk I/O for entropy if you are using SSD. In such cases estimation function would fail by over-estimating entropy and system would not correctly block at low-entropy conditions. This is because when it was written disk drives with their variable seek time were the norm.

              Another consideration is that you might think you are using /dev/random, but in reality have system

        • by AmiMoJo ( 196126 )

          You can buy off the shelf hardware random number generators that are certified to meet a high standard of randomness and unpredictability. They are mostly used for generating secure crypto keys but would work for a lottery too.

          Considering the large amount of money involved you would think that getting the system as a whole designed properly and audited wouldn't be too much to ask. It's not like it's a unique or even uncommon problem - many countries have lotteries with legally mandated protections and stand

          • by arth1 ( 260657 )

            You can buy off the shelf hardware random number generators that are certified to meet a high standard of randomness and unpredictability. They are mostly used for generating secure crypto keys but would work for a lottery too.

            Yes, but how do you know that the random numbers actually come from the random number generating device, and are not substituted on the fly by the device that connects to it?
            And how do you know the random number generator doesn't have a built-in exploit, like e.g. if being pulled in a specific time sequence, it switches over to feeding a list of pre-generated random numbers that still pass entropy tests but are known to the programmer who made the device?

            Only systems that are built from scratch under monitor

            • by AmiMoJo ( 196126 )

              Keep reading my comment all the way to the end and you will find your questions were anticipated and answered.

              • by arth1 ( 260657 )

                Legally mandated protections and standards do not ensure that a lottery cannot be manipulated.

                If that were the case, casinos around the world would scramble to implement those protections and standards. Instead, they have much higher standards and protections, because they, unlike governments, know of far more pitfalls, and they still get manipulated from time to time.

                Short of a system where the random numbers can be replicated by anyone without any proprietary equipment, but not be predicted, any lottery

      • Obligatory (Score:4, Insightful)

        by s.petry ( 762400 ) on Wednesday December 23, 2015 @05:19PM (#51174893)
        The Lottery is a hidden Tax on the Poor.
        • Actually, it's a tax on people who cannot do math.

          I say this because, even though poor folk have more impending reasons to cast their dreams (and money) in that direction, we both know there are well-off people who buy tickets whenever the jackpot goes over a certain amount.

          • by s.petry ( 762400 )

            I think it depends on which book you prefer. I happened to be referring to Milton Friedman, but I read the tax on the stupid not long ago in a fantasy book (Patrick Rothfuss). I still weigh in the favor of what I stated because many people in poverty play the lottery because it's the only way they can see out of poverty. The further people go into poverty the more likely they are to play. It's very easy for the state to appear egalitarian by offering a lottery, but we all see where those education fund

            • Obviously people with mod points are ignorant to any discussion on the topic... *sigh*

              Probably people with gambling addictions, or pissed because Draft Kings and Fanduel were banned in New York.

          • I don't think it's math, just simple logic. You take money in, pay all expenses, take profit, pay a few people out what's left. That is the way a lottery works; it's clear that it is not a good deal even without doing the sums.

            Those who disagree can send me money now, I promise to return 50% of what I collect to one of you.

          • You might not be as good at math, well statistics really, as you think. Imagine a lottery with a $1 Billion jackpot, and chance of winning is 1:100 Million. Statistically each dollar you spend on a ticket would have an average return of $10.

            It is more complicated than this. There is the possibility of multiple winning entries, the complicating factor of other prizes besides the entire jackpot, etc.

            I haven't bothered doing the statistics on this, but I suspect somebody has. I have the impression that when
            • Generally no. The 'split winnings' factor kills it.

            • MIT students did, for years as a matter of fact. And that was AFTER they both explained how and asked the lottery board ( who said it was legal ) if they could use the exploit they found. There was a TED talk on it, it was actually quite interesting. I don't remember who it was, but it was an easy to follow, yet informative talk.

              Basically what it all boils down to is this: state run lottery gets pretty much the same amount of money if there is a winner or not since tax / cost of entry on tickets goes to t

        • by s.petry ( 762400 )
          To the person who marked this a "troll", it is not a troll because you can't comprehend content [businessinsider.com] or context [cnn.com]. Of course those benefiting from the lottery see this as an attack on their income stream.
        • The Lottery is a hidden Tax on the Poor.

          Wow - they called you a Troll? Should be modded +5 insightful. The poor buy a huge number of lottery tickets, and many others are bought by people who are trying to use it as a retirement plan.

          But around Slashdot these days, the truth is often considered trolling.

        • The Lottery is a tax on people who don't understand statistics.
        • by fred911 ( 83970 )

          No, it's a tax on people that failed math.

      • by eth1 ( 94901 )

        I wonder if they pay good money for the generator to be "really" random, not like the pseudo-random crap you usually get with one-liners...

        They're paying someone to run a lava lamp and webcam in their closet 24/7.

        • by TWX ( 665546 )
          I already run a lava lamp. Where can I sign up to provide this service for a fee?
      • by houghi ( 78078 )

        They probably saved money and just bought a book [wikipedia.org] in a second hand store that contains a series of random numbers.

    • DOH!!!!!
    • Balls picked by a machine have a calculable bias. There are papers on the subject.

  • Lawsuit? (Score:2, Interesting)

    by hawguy ( 1600213 )

    Does this open the hacked lottery to class action lawsuits by people who played the rigged lottery but had no chance of winning?

    • by Anonymous Coward

      What do you mean? Their odds of winning were identical. Their expected payback, however, would be lower since it would be split with cheaters. So non-cheating winners might have a gripe.

      • What do you mean? Their odds of winning were identical. Their expected payback, however, would be lower since it would be split with cheaters. So non-cheating winners might have a gripe.

        Well, TFA implies that this guy may have changed the algorithm so he could predict the numbers, and it puts "random" in quotation marks. So it depends on exactly what he did, but if the numbers could be predicted in advance, it's possible he did something that might also alter the odds, which would potentially violate the published odds.

        If certain patterns of numbers had a better or worse chance than the published odds due to his tinkering, I'd imagine there might be grounds for a case... but it'd like

      • Their odds of winning were identical.

        Wrong. He's accused of manipulating the "random" number generator. If he knew what the winning numbers were going to be, that implies that the pick is no longer random. If you put money on numbers 1 2 3 4 5 and 6, and he knew the winning numbers would be 7 8 9 10 and 11, that means you had a 0% chance of ever winning on that draw, by way of his actions. It's not as if he just played the numbers that were picked truly at random, he somehow steered the outcome of that game to a fixed result.

        • by bws111 ( 1216812 )

          I didn't see what the actual manipulation was, did you? He could have manipulated the RNG so that instead of generating a new number every time it was called it just returned the next of a set of previously generated numbers. If he had access to that set of numbers, which could have been generated perfectly, he would know the winning numbers, and everyone else's chances would be exactly like they were before.

    • by Anonymous Coward

      Does this open the hacked lottery to class action lawsuits by people who played the rigged lottery but had no chance of winning?

      He didn't change the numbers so if they didn't win they wouldn't have won anyway. They still had a chance of winning but had they won they would have had to share the money.

      Though if there were any winners that legitimately won, they should sue and get their fair share of the money.

    • Exactly! Then again, how would you prove you played a lottery and lost? People won't keep a lottery ticket if it didn't win or the cash register receipt for the ticket purchase. The individual states might sue but that wouldn't help those who paid and lost.
    • by AmiMoJo ( 196126 )

      They had the usual chance of winning, it's just that this guy was able to predict the next set of numbers. They would only have a case if they won the same week as him and got half as much as they otherwise would have.

  • by rsilvergun ( 571051 ) on Wednesday December 23, 2015 @05:06PM (#51174805)
    Every state that has one uses it to cut taxes on the rich instead of adding to Education budgets (seriously, there's a John Oliver video over on youtube that explains it). It's addictive gambling that often drains the last few dollars from the poor and worse it gives the lower class a false feeling of hope that discourages them from demanding better living conditions. It encourages the downtrodden to think of luck as a skill you work at and view their failure to win as a personal failure. Lotteries are one of the most vile tools for controlling the working class ever devised. How is it nobody but one guy on youtube ever points this out?
    • No.

      It's the best possible tax. One on people bad at math.

      • by Quirkz ( 1206400 )

        I'd say people who are bad at music ought to be taxed more than those bad at math, but maybe that's just me.

        • The people bad at math are being taxed when they try to do math. (see the dude upthread who thinks one lottery ticket is a good idea).

          How do we tax people bad at music only when they try to play? Just tax disco, country and rap music acts?

          • The people bad at math are being taxed when they try to do math.
            How do we tax people bad at music only when they try to play?

            When they buy overpriced "professional" musical equipment thinking they'll strike it rich as a rock star? Or is that yet another tax on people who are bad at statistics?

      • it's the poor and disadvantaged... We're taking advantage of people who are really vulnerable already. Hell, some of them might know the odds but can't help themselves. Gambling is addictive...
      • by AmiMoJo ( 196126 )

        Actually, it's a great indicator of people who think they understand maths but in reality have a poor grasp of magnitudes and no appreciation of value.

        A lottery ticket is cheap. Buying one doesn't affect my quality of life at all, but gives me some entertainment and excitement. Even if I don't win, it wasn't money wasted, and it's such a small amount that investing it wouldn't be beneficial enough to make me choose that option.

        Sure, if I was really poor I'd stop playing. Then again, I'd also own a much chea

    • by onkelonkel ( 560274 ) on Wednesday December 23, 2015 @05:14PM (#51174867)

      When Italy first proposed a state run lottery, the Catholic Church pointed out that gambling was a sin. The government replied that lotteries aren't gambling, they are a tax on imbeciles.

    • by modi123 ( 750470 )

      How else are you to get that golden ticket to the upper side, utopia, The Island, or Elysium?

  • I wonder... (Score:2, Funny)

    by NEDHead ( 1651195 )

    Is it too late to 'Friend' this guy on Facebook?

  • I'm sure glad nothing like this would ever happen to voting machines
  • So your friend worked for lottery security and he told you the numbers and that's how you won the lottery...

    Ummm... what? I did win the lottery. And my friend did tell me the numbers. But he told me BEFORE the numbers were picked.

    Yeah, that's what we are saying

    So why am I on trial?

    Because your friend worked for lottery security and he told you the numbers and that's how you won the lottery...

    Oh, boy.
