Arrested for Cheating the Cheaters

Picture from

This is a really bizarre computer crimes case. A man knows of a bug in a gambling machine at casinos. He goes into the casinos, uses the machines with complete authorization, at least in some cases, if not all, asks casino staff to modify the machines and they willingly do so. The man exploits the software flaw using only the buttons on the machine and is then arrested in Pennsylvania. As Mr. Nester is about to enter the courtroom for his trial FBI agents arrest him on federal charges. Do not mess with the mob, they can and will make the government do things to you!!!

The story can be found at I have a mailing list that I occasionally use to add commentary to security related news items. Occasionally I simply write my own articles, but usually it is just commentary. The following is the commentary I added to the news story, but to me the more interesting part was the commentary from a friend and co-worker that will follow my commentary. You are welcome to join the mailing list at

Beware of how you gamble!

This is an interesting story in part because the defendant was authorized to use the computer (slots are computers today) and in part because he pushed the same buttons that anyone could push. Modifications made to the machine at his request were approved by casino staff. I didn’t see in the articles exactly what Mr. Nestor is charged with. It is one thing if he infects or modifies a slot machine, but, despite “cheating”, I wonder specifically what law he broke?

If you ever play a slot machine and somehow stumble across a series of button pushes that seem to consistently pay out, be careful, you might be exploiting a bug and gambling with your freedom.

Does it sound far-fetched that you could randomly find a bug in the software? While working at Microsoft I was given an internal program to use that was so frustrating that one day I just started pounding random keys on the keyboard and found a bug in the program I could replicate every time! It turns out the developers knew about the bug but thought that nobody would ever encounter it!

Now Kirk Parker, who has worked at ESET even longer than I have added

Back in the days when I was a video game designer/programmer I did a stretch of time working for a company that made casino games.  One of my first tasks there was to redesign the randomization routines that were used in their keno and poker machines because players had found (by massive trial and error) that the current routines weren’t completely random.  It would never have occurred to us at that time that these players could be prosecuted for exploiting flaws like this – it was our problem, not theirs.

The really disquieting thing about this story is that complex games like poker are designed to “cheat” in order to even the odds when extra features are turned on.  A basic poker game will give odds that slightly favor the house, just like the game played with real cards.  But turn on all those extra bonus/double-up/super jackpot/wild-one-eye-jacks etc., etc., and usually the result is a tremendous player advantage.  To offset this and bring the odds back to slightly in favor of the house, the games would use a scheme — like simply discarding some of the player’s winning hands behind the scenes.  Occasionally players would find a loophole where the game could be tricked into thinking it hadn’t paid out enough (often by purposefully losing), and then a bet at the right time would pay a bigger-than-normal jackpot.  The line between software “glitch” and designed feature is pretty darn fuzzy! 

Unless these guys had inside knowledge about an intentionally placed back-door, I would think the prosecution would have a difficult time with this.  Consider: If you noticed a smudge on the back of a physical card that let you know which card it was — is that prosecutable cheating?  How much different is that than noticing a player’s “tell” to give yourself an advantage?

Very interesting case…


All in all, a very bizarre situation

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC

Author , ESET

  • Leo Davidson

    Isn't card-counting another example? I think it's illegal in Las Vegas casinos, or something like that.
    That's always struck me as deeply wrong; it's just people paying attention to the game's state and remembering public information. Instead of admitting the game is flawed* (or changing the odds to cope) they make it illegal to play the game well.
    *Flawed as in winnable by the player instead of stacked against him.
    That's casinos, though, isn't it? The house always wins.

  • Dan


    You hit the nail on the head – casinos pretty much do what they like.
    You can lose as much money as you want, even your house. But win too much and you'll end up leaving through the fire exit with a broken nose.

  • b moose

    It would seem that if there are bugs that exsist that pay out improperly do to errors in the programing or machines,  it is equaly likly that there are bugs that unfairly prevents them from not paying out properly at times. How much more are casinos raking in from players?   Players have no way to investigate such errors. Casinos provide the machines, if thier faultly that should be thier risk.  Maybe casinos will start installing labels or warnings on the machines that state they maybe defective and if you win regularly you could go to jail!!!    The saying "Play at your own risk" should be equaly applied to casinos!!!    I hope the guy gets off.

Follow us

Copyright © 2017 ESET, All Rights Reserved.