Print 21 comment(s) - last by Fritzr.. on May 9 at 11:37 PM

Men still face a single count of wire fraud for exploiting bug in the machines

Following an outburst of public outcry over a pair of men facing up to five years in federal prison for "exceeding authorized use" and exploiting a bug in video poker casino machines to win big, the two charged counts under the Computer Fraud and Abuse Act of 1986 (18 USC § 1030) have been dropped.

U.S. District Court for the District of Nevada by Federal Judge Miranda Du cited a recent Ninth Circuit Court of Appeals ruling [PDF], which sought to more strictly confine the ambiguous wording of the CFAA to prevent abuse.  She demanded prosecutors to justify their use under the 9th Circuit's Nosal ruling; federal prosecutors were unable to so they dropped the CFAA charges against co-defendants John Kane, 54, and Andre Nestor, 41.

Assistant U.S. Attorney Michael Chu wrote in a court order [PDF] obtained by Wired, "The United States of America, by and through the undersigned attorneys, hereby moves this Court to dismiss Counts 2 and 3 of the Indictment."

Prosecutors had argued previously that the sequence of buttons needed to activate the programming error constituted "hacking".  But they were unable to defend that opinion in the face of the recent regional scale-back of the CFAA, when defense lawyers argued that the co-defendants were simply playing by the rules of the machine (rules which were broken).

Game King
The pair used their trick on the Game King multi-game machine. [Image Source: IGT]

That leaves a single count of wire fraud against each man.  The wire fraud charges (18 U.S.C. § 1343) are built on the premise that the defendants used phone conversations to plan to defraud the plaintiffs (the casinos), a federal offense.  Of course, given that the feds couldn't even make the accusation that they "hacked" (a form of fraud) stick, the fraud-based claim seems pretty questionable.

Mr. Kane's counsel -- Andrew Leavitt, a veteran LV lawyer -- comments, "The case never should have been filed under the CFAA, it should have been just a straight wire fraud case. And I'm not sure its even a wire fraud. I guess we'll find out when we go to trial.'"

In a previous interview he had stated, "They’re going to have real tough time with the wire fraud.  I never really understood why the federal government took this case in the first place."

Now with one victory in hand he looks to beat back this final federal charge.

Source: U.S. District Court for the District of Nevada via Wired [PDF]

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Lol
By Solandri on 5/8/2013 12:07:43 PM , Rating: 2
I suspect it made it to federal court because the issue it deals with is bigger than a slot machine in a casino. On the one hand you have a system which was clearly intended to be operated a certain way. On the other hand, you have defective programming which allowed it to be operated a different way. If someone operates it that different way, who is to blame?

The same issue comes up with hackers exploiting a security vulnerability in a server's software. Or with people exploiting a bug in an online game. Those who own the server or game view it as exploitation and place 100% of the fault on the hackers or exploiters. The people taking advantage of the bug view it as bad programming and place 100% of the fault on the programmers. Since it was intentionally programmed that way, they feel they are doing nothing wrong by taking advantage of it.

The Feds obviously want to come down on this as far in favor of the casino/server/game as possible. Hence the initial hacking charges. From their perspective, intent when designing the system should count for everything. That even if you forgot to lock your door, the fact that you intended to lock it means uninvited guests are not welcome.

I'm really not sure what the solution here is. If you go with the intent of the slot machine designers, then you're vulnerable to fraud when they later claim they intended something which they really didn't while designing it. If you go with the people using the system as designed (but not intended), then you're requiring that every system be implemented perfectly. Clearly an unachievable goal.

In the locking the house door example, you get around the problem by ignoring the lock and codifying into law the intent of the lock - to prevent trespassers. So you just make trespassing illegal, then it doesn't matter if you forget to lock the door. Unauthorized entry is still a crime. But if you try to apply that to everything, you have to codify into law everything that is and isn't considered authorized behavior in every game, server, and slot machine. That seems a bit excessive, and would threaten to increase the size of our laws by several orders of magnitude. Online games can put it in their EULA, and servers can be given a modicum of protection by making it illegal to access the system if you're not authorized to use it. But I'm not sure how you'd do it for things which are intended to be used by anybody, like slot machines, ATMs, automatic toll booths, self-checkout scanners, etc.

RE: Lol
By BRB29 on 5/8/2013 2:00:25 PM , Rating: 3
No those hackers writes codes that explore a vulnerability. This guy is using a fixed function machine. He did not do anything besides what is allowed.

The fault is by whoever made the machine.

RE: Lol
By Fritzr on 5/9/2013 11:37:41 PM , Rating: 2
Add to that. Unless the instructions say wait until the prompt appears before you press a button, then you are following the printed instructions even though a programming error makes an early button press generate a winning hand.

This is a program bug and it is the responsibility of the casino to take the machines offline until they can be patched.

As private businesses they may sue to recover money lost due to the programming error, but finding a bug and failing to report it is (not yet) a crime.

The earlier vending machine example would clearly be theft as the instructions will clearly state that payment is expected for each item taken.

The ATM example (which has happened) is often handled as theft as users are expected to know that the amount dispensed is supposed to be the same as the amount charged to the account.

RE: Lol
By chimto on 5/8/2013 7:46:53 PM , Rating: 2
The keyword is intent. In your trespassing example the intent is the act of trespassing which is itself illegal. The intent of a hacker is to gain unauthorized access and/or do any number of illegal activities.

The intent when playing a slot machine is to win money which is not illegal. As long as you play the game without doing anything illegal then you have not done anything wrong in my opinion.

"I'd be pissed too, but you didn't have to go all Minority Report on his ass!" -- Jon Stewart on police raiding Gizmodo editor Jason Chen's home

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki