Print 21 comment(s) - last by Fritzr.. on May 9 at 11:37 PM

Men still face a single count of wire fraud for exploiting bug in the machines

Following an outburst of public outcry over a pair of men facing up to five years in federal prison for "exceeding authorized use" and exploiting a bug in video poker casino machines to win big, the two charged counts under the Computer Fraud and Abuse Act of 1986 (18 USC § 1030) have been dropped.

U.S. District Court for the District of Nevada by Federal Judge Miranda Du cited a recent Ninth Circuit Court of Appeals ruling [PDF], which sought to more strictly confine the ambiguous wording of the CFAA to prevent abuse.  She demanded prosecutors to justify their use under the 9th Circuit's Nosal ruling; federal prosecutors were unable to so they dropped the CFAA charges against co-defendants John Kane, 54, and Andre Nestor, 41.

Assistant U.S. Attorney Michael Chu wrote in a court order [PDF] obtained by Wired, "The United States of America, by and through the undersigned attorneys, hereby moves this Court to dismiss Counts 2 and 3 of the Indictment."

Prosecutors had argued previously that the sequence of buttons needed to activate the programming error constituted "hacking".  But they were unable to defend that opinion in the face of the recent regional scale-back of the CFAA, when defense lawyers argued that the co-defendants were simply playing by the rules of the machine (rules which were broken).

Game King
The pair used their trick on the Game King multi-game machine. [Image Source: IGT]

That leaves a single count of wire fraud against each man.  The wire fraud charges (18 U.S.C. § 1343) are built on the premise that the defendants used phone conversations to plan to defraud the plaintiffs (the casinos), a federal offense.  Of course, given that the feds couldn't even make the accusation that they "hacked" (a form of fraud) stick, the fraud-based claim seems pretty questionable.

Mr. Kane's counsel -- Andrew Leavitt, a veteran LV lawyer -- comments, "The case never should have been filed under the CFAA, it should have been just a straight wire fraud case. And I'm not sure its even a wire fraud. I guess we'll find out when we go to trial.'"

In a previous interview he had stated, "They’re going to have real tough time with the wire fraud.  I never really understood why the federal government took this case in the first place."

Now with one victory in hand he looks to beat back this final federal charge.

Source: U.S. District Court for the District of Nevada via Wired [PDF]

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

what rules
By fic2 on 5/8/2013 10:36:51 AM , Rating: 4
when defense lawyers argued that the co-defendants were simply playing by the rules of the machine (rules which were broken).

From my understanding from the previous article the men followed the game rules. Just because they pushed the buttons faster than the game was supposed to allow doesn't mean they didn't follow the rules. The game has the "rules" programmed into it. Those programming rules are the only "rules" that count and they allowed people to press the buttons faster. If the company can't program it's software correctly that is not the fault of the players. I am sure these guys weren't the first to win because of this allowance but one of them was the first to notice what allowed him to win.

But he was definitely stupid in not spreading his winning ways over multiple casinos and multiple days.

RE: what rules
By AntiM on 5/8/2013 11:07:46 AM , Rating: 3
Yes, I would say he operated the machines exactly in the manner in which they were designed/programmed, maybe not in the way they were intended to operate, but nonetheless, a machine can only operate in a manner in which it was designed.
He was rather stupid and greedy though. He could have easily made 50 or 60 thousand a year without raising too many suspicions. If I discovered such a flaw, I wouldn't tell a soul. He killed the proverbial egg laying goose with his greed.

RE: what rules
By BRB29 on 5/8/2013 11:16:59 AM , Rating: 3
Yep, I wouldn't tell anyone either. I would just do it once a month at different casinos. I would also intentionally lose a few.

RE: what rules
By hughlle on 5/8/2013 11:21:17 AM , Rating: 2

I'm sure most people when they were young stood infront of a fruit machine madly bashing buttons because they had no idea what was going on.

RE: what rules
By Solandri on 5/8/2013 11:31:10 AM , Rating: 5
It's a poor choice of words in Jason's writing. It created an unintentional double entendre which you guys are reading the wrong way.

"Rules which were broken" doesn't mean the guy broke the rules. It means the rules were defective and didn't work as intended.

By BRB29 on 5/8/2013 10:31:02 AM , Rating: 2
What a waste of taxpayer's money. How does this even make it to federal court?

RE: Lol
By Solandri on 5/8/2013 12:07:43 PM , Rating: 2
I suspect it made it to federal court because the issue it deals with is bigger than a slot machine in a casino. On the one hand you have a system which was clearly intended to be operated a certain way. On the other hand, you have defective programming which allowed it to be operated a different way. If someone operates it that different way, who is to blame?

The same issue comes up with hackers exploiting a security vulnerability in a server's software. Or with people exploiting a bug in an online game. Those who own the server or game view it as exploitation and place 100% of the fault on the hackers or exploiters. The people taking advantage of the bug view it as bad programming and place 100% of the fault on the programmers. Since it was intentionally programmed that way, they feel they are doing nothing wrong by taking advantage of it.

The Feds obviously want to come down on this as far in favor of the casino/server/game as possible. Hence the initial hacking charges. From their perspective, intent when designing the system should count for everything. That even if you forgot to lock your door, the fact that you intended to lock it means uninvited guests are not welcome.

I'm really not sure what the solution here is. If you go with the intent of the slot machine designers, then you're vulnerable to fraud when they later claim they intended something which they really didn't while designing it. If you go with the people using the system as designed (but not intended), then you're requiring that every system be implemented perfectly. Clearly an unachievable goal.

In the locking the house door example, you get around the problem by ignoring the lock and codifying into law the intent of the lock - to prevent trespassers. So you just make trespassing illegal, then it doesn't matter if you forget to lock the door. Unauthorized entry is still a crime. But if you try to apply that to everything, you have to codify into law everything that is and isn't considered authorized behavior in every game, server, and slot machine. That seems a bit excessive, and would threaten to increase the size of our laws by several orders of magnitude. Online games can put it in their EULA, and servers can be given a modicum of protection by making it illegal to access the system if you're not authorized to use it. But I'm not sure how you'd do it for things which are intended to be used by anybody, like slot machines, ATMs, automatic toll booths, self-checkout scanners, etc.

RE: Lol
By BRB29 on 5/8/2013 2:00:25 PM , Rating: 3
No those hackers writes codes that explore a vulnerability. This guy is using a fixed function machine. He did not do anything besides what is allowed.

The fault is by whoever made the machine.

RE: Lol
By Fritzr on 5/9/2013 11:37:41 PM , Rating: 2
Add to that. Unless the instructions say wait until the prompt appears before you press a button, then you are following the printed instructions even though a programming error makes an early button press generate a winning hand.

This is a program bug and it is the responsibility of the casino to take the machines offline until they can be patched.

As private businesses they may sue to recover money lost due to the programming error, but finding a bug and failing to report it is (not yet) a crime.

The earlier vending machine example would clearly be theft as the instructions will clearly state that payment is expected for each item taken.

The ATM example (which has happened) is often handled as theft as users are expected to know that the amount dispensed is supposed to be the same as the amount charged to the account.

RE: Lol
By chimto on 5/8/2013 7:46:53 PM , Rating: 2
The keyword is intent. In your trespassing example the intent is the act of trespassing which is itself illegal. The intent of a hacker is to gain unauthorized access and/or do any number of illegal activities.

The intent when playing a slot machine is to win money which is not illegal. As long as you play the game without doing anything illegal then you have not done anything wrong in my opinion.

Still smells like theft
By kaborka on 5/8/2013 12:23:39 PM , Rating: 2
Sorry, what they did was wrong. You can rail about big corporations owning the government, but if you discover a code that is guaranteed to take money from the machine, it's still theft. What if it was an ATM?

RE: Still smells like theft
By jeepga on 5/8/2013 1:57:12 PM , Rating: 2
I agree. However, in my opinion it's civil and not criminal. I don't see it as any different than if you discover holding down a button on a snack vending machine keeps dropping snacks.

RE: Still smells like theft
By zoomer4321 on 5/8/2013 7:01:14 PM , Rating: 2
Thank you. We seem to be in the minority because a big corporation is involved.
I wonder how people would feel if it was a bug in an ATM and someone figured out that pressing the # key at a certain time deducted the money from another's account such as from the people that don't think this is stealing. After all, it would be within the "rules" of the ATM, right?

RE: Still smells like theft
By zoomer4321 on 5/8/2013 7:09:01 PM , Rating: 2
BTW the "rules", the real rules are posted and are described as chance of winning and the payout of each combination. By using this exploit, you are changing the probability and therefore violating the rules. That is what makes it stealing. The bug in the software and it's use is theft. Just like it would be if a bug DIDN'T payout at the rate posted netting the casino more.
Most would say that is stealing but if it is coded in like this exploit, how can you say benefiting the casino is stealing and benefiting the player and the player using the exploit isn't stealing?

RE: Still smells like theft
By ironargonaut on 5/8/2013 8:32:58 PM , Rating: 3
its coded into the machine to take in more money then it gives out while giving the user the impression that the game is actually a game of chance. Take video poker for example, you get four spades and you draw another virtual "card"; odds in real poker are slightly less then one in four you will get a flush and win. However, the odds in video poker are not slightly less then 1in4. The machine is programmed to display a spade based on a predetermined algorithm. I would proffer the game presents 4 of a suite at a higher rate than statistically likely.
Therefore, the game is programmed to defraud the user. Have the casino's been charged?
With an ATM it is common knowledge it should give you the amount you requested from your account. If a cashier gives you more change and you notice it, but don't return it, it is theft, same with an ATM. Plus, I am sure somewhere in your card agreement it also says you must return any mistakes.
The funny thing about odds is they are just that, odds. My question is did the machine adjust and then payout less money to other people, thus the casino still made the same money? So, it could be argued that one person got lucky and another unlucky.
Also, basically what the feds are saying is if you create/find a system that wins you money in Vegas you are a crook, because the house is supposed to win. And, if intent is the measure then every gambler who thinks they have a system to beat the odds are really crooks.
Morally, however, they new they had an unfair advantage and were exploiting it. Two wrongs don't make a right. But two wrights make a plane. :)

casinos own the goverment in that state
By KOOLTIME on 5/8/2013 11:10:35 AM , Rating: 5
the big mafiosa ( corporate ) casino's own all the politician's in the state, so they get to charge and jail anyone they like, to claim fairness of their shoddy gambling practices which have unfair skewed odds built into them.

They are a business for profit, so the odds are adjusted accordingly. Some games are true gambles, most slot/electronic games are fixed though so house will win over average, that's not true gambling at that point any more.

By GoodRevrnd on 5/8/2013 12:36:22 PM , Rating: 1
I don't think you understand how gaming works at all. By your definition virtually no games are "true gambling." House edge is controlled via the payouts for each probability event. This is why "bet on black" isn't a 50/50 proposition. There's no actual "fixing" of the outcome that takes place (even in electronic games) like you insinuate. Do you think they're running a charity where they can afford to build large properties with high operating costs and have a net zero position on all the games? Give me a break.

goose and gander
By DockScience on 5/8/2013 1:52:07 PM , Rating: 3
When casinos communicate about setting the odds on winning in the software in THEIR favor, are they not indeed speaking of defrauding the consumers?

By room200 on 5/8/2013 10:55:03 PM , Rating: 2
Full of win.

By Cheesew1z69 on 5/8/13, Rating: -1
RE: O.M.G...
By Cheesew1z69 on 5/8/2013 4:19:03 PM , Rating: 1
LOL, bunch of butt hurt losers.

"A lot of people pay zero for the cellphone ... That's what it's worth." -- Apple Chief Operating Officer Timothy Cook

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki