Many people have dreamed of landing a big Las Vegas payout, but usually they are relying on luck. For gamblers John Kane and Andre Nestor, however, raking in major winnings was a matter of finding and exploiting a loophole in the software of a popular model of video poker machine. Kane and Nestor enjoyed an impressive string of victories before being caught by the casinos they were taking advantage of – and charged under a federal hacking law, Wired reported.
Their case has became the object of a major legal dispute around the question of software errors: Did Kane and Nestor violate the law by manipulating the glitch in the game, or was the casino responsible for the losses related to its faulty machines?
Tricking a video poker machine
According to Wired, Vegas local John Kane was a serial gambler who stumbled across a previously unknown error in a series of video poker machines made by International Game Technology. He shared the bug with Nestor, who lived in Pennsylvania, and they used the glitch to beat the house in numerous casinos. According to Kane and Nestor’s attorney, Andrew Leavitt, the discovery was an accident.
“[Kane] accidentally hit a button too soon, and presto,” Leavitt told Wired, “It was a fluke. There was no research… Just playing.”
As explained in a motion filed by Leavitt, a player could play an IGT game until he or she won a high payout, prompting the appearance of a secondary betting feature called “double up.” At this point, the player could insert more cash into the machine, allowing him or her to exit the double up screen and change the denomination being played for. When the player returned to the cash out screen, the win would be re-calculated at the new denomination. So, for instance, Kane could play for $1 stakes until he landed a big win and then multiply his winnings tenfold by tricking the machine into thinking he had been playing for $10 stakes.
In a laboratory analysis of Kane’s exploit for the Nevada Gaming Control Board, electronic lab engineer John Lastusky wrote that the “game’s re-evaluation of the win is the result of a software anomaly.” Attempts to defraud gambling machines with physical techniques that involve manipulating the coin hopper or bill reader are not uncommon, Jim Barbee, chief of the GCB’s Technology Division, told Wired. However, this was the first software issue he had ever encountered.
The exploit had gone unnoticed for seven years, Wired reported. In a notice to casinos in 2009, IGT recommended disabling the double up feature and announced it was introducing a patch. However, a legal battle remained.
The legal complications
Kane and Nestor were charged with hacking under the Computer Fraud and Abuse Act, a 1986 law intended to prosecute bank hacking that has been drawn to encompass a wide range of issues with changes in technology. They maintained that the law was irrelevant in their case because a video poker machine does not fall under the types of protected computers the law had in mind and Kane’s and Nestor’s actions were within the scope of authorized actions that could be performed on the computer.
“Mr. Kane played the machine exactly how the machine was designed to be played and exactly the way the ‘approved software’ with the ‘software anomaly’ allowed the machine to be played and he is not guilty of computer fraud,” Leavitt wrote in the motion for dismissal.
The prosecution maintained that while the casinos authorized defendants to play video poker, it did not authorize them to alter information about the game. Essentially, by changing the bet retroactively in a video poker game, the players were violating the compact of gambling. On May 6, however, the federal government dismissed the CFAA charge, limiting the legal battle to a single charge of wire fraud, Wired reported in a separate article.
The implication of the ruling is that makers and users of devices such as video poker machines may have limited legal recourse in challenging consumer behavior that manipulates these machines in unwanted but permissible ways due to glitches. As a result, casinos such as the ones targeted by Kane and Nestor are on the hook for thousands in payouts due to faulty software. To prevent such incidents from occurring, vendors can use tools like static analysis software to catch errors and address them in production. While such legal questions remain unresolved, improving software quality can help companies avoid such thorny issues altogether.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.