Arrested for Cheating the Cheaters

Picture from https://secure.wikimedia.org/wikipedia/en/wiki/File:Casino_slots.jpg

This is a really bizarre computer crimes case. A man knows of a bug in a gambling machine at casinos. He goes into the casinos, uses the machines with complete authorization, at least in some cases, if not all, asks casino staff to modify the machines and they willingly do so. The man exploits the software flaw using only the buttons on the machine and is then arrested in Pennsylvania. As Mr. Nester is about to enter the courtroom for his trial FBI agents arrest him on federal charges. Do not mess with the mob, they can and will make the government do things to you!!!

The story can be found at http://www.post-gazette.com/pg/11004/1115414-58.stm. I have a mailing list that I occasionally use to add commentary to security related news items. Occasionally I simply write my own articles, but usually it is just commentary. The following is the commentary I added to the news story, but to me the more interesting part was the commentary from a friend and co-worker that will follow my commentary. You are welcome to join the mailing list at http://lists.esetsoftware.com/mailman/listinfo/industrynews

Beware of how you gamble!

This is an interesting story in part because the defendant was authorized to use the computer (slots are computers today) and in part because he pushed the same buttons that anyone could push. Modifications made to the machine at his request were approved by casino staff. I didn’t see in the articles exactly what Mr. Nestor is charged with. It is one thing if he infects or modifies a slot machine, but, despite “cheating”, I wonder specifically what law he broke?

If you ever play a slot machine and somehow stumble across a series of button pushes that seem to consistently pay out, be careful, you might be exploiting a bug and gambling with your freedom.

Does it sound far-fetched that you could randomly find a bug in the software? While working at Microsoft I was given an internal program to use that was so frustrating that one day I just started pounding random keys on the keyboard and found a bug in the program I could replicate every time! It turns out the developers knew about the bug but thought that nobody would ever encounter it!

Now Kirk Parker, who has worked at ESET even longer than I have added

Back in the days when I was a video game designer/programmer I did a stretch of time working for a company that made casino games.  One of my first tasks there was to redesign the randomization routines that were used in their keno and poker machines because players had found (by massive trial and error) that the current routines weren’t completely random.  It would never have occurred to us at that time that these players could be prosecuted for exploiting flaws like this – it was our problem, not theirs.

The really disquieting thing about this story is that complex games like poker are designed to “cheat” in order to even the odds when extra features are turned on.  A basic poker game will give odds that slightly favor the house, just like the game played with real cards.  But turn on all those extra bonus/double-up/super jackpot/wild-one-eye-jacks etc., etc., and usually the result is a tremendous player advantage.  To offset this and bring the odds back to slightly in favor of the house, the games would use a scheme -- like simply discarding some of the player’s winning hands behind the scenes.  Occasionally players would find a loophole where the game could be tricked into thinking it hadn’t paid out enough (often by purposefully losing), and then a bet at the right time would pay a bigger-than-normal jackpot.  The line between software “glitch” and designed feature is pretty darn fuzzy! 

Unless these guys had inside knowledge about an intentionally placed back-door, I would think the prosecution would have a difficult time with this.  Consider: If you noticed a smudge on the back of a physical card that let you know which card it was -- is that prosecutable cheating?  How much different is that than noticing a player’s “tell” to give yourself an advantage?

Very interesting case...

-=K

All in all, a very bizarre situation

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC