
Jackpot-fixing investigation expands to more state lotteries - tokenadult
http://www.aurorasentinel.com/news/jackpot-fixing-investigation-expands-to-more-state-lotteries/
======
gojomo
The firm involved, "Multi-State Lottery Association"
([http://www.musl.com/](http://www.musl.com/)), is a _non-profit_ which lists
37 US lotteries as members
([http://www.musl.com/musl_members.html](http://www.musl.com/musl_members.html)).

California is not listed, but MUSL also apparently originated "Powerball",
which is available in California.

Sounds like they might offer some great jobs for hackers and security
professionals! Alas, their 'Careers' page
([http://www.musl.com/musl_careers.html](http://www.musl.com/musl_careers.html))
reports:

"There are currently no positions available."

~~~
luckyduck2015
MUSL is a weird org. They have compliance requirements for security that are
only disclosed to the Counsel of the lottery organization, who signs an NDA.

Their actual requirements as far as I could tell are similar to IRS 1075.
Lotteries are as secure as any state revenue or health department. (I.e., in
most cases a decent perimeter and shitty internal controls.)

------
hackuser
How could anyone have the ability to install a rootkit undetected on the
lottery computer? Computing systems that aren't properly secured are like bank
vaults left unsecured, but in many cases they also are remotely accessible.

People shouldn't be any more shocked at these exploits than the 'exploit' of
an employee stealing cash from an insecure bank vault. We should expect it. It
would be a honeypot if we took security seriously.

For some reason people don't take the security of digital assets as seriously
as security of physical assets; we don't invest the significant resources
required to secure them. How secure are voting machines, as an example? Given
the enormous stakes of elections, we know what to expect.

~~~
Spooky23
Poor internal controls.

Getting internal security threats like this dealt with requires strong
controls and frequent audit. That means 5x or more staff.

In the old days, the lotto used ping pong balls to pick numbers and all
operations were observed by a third party auditor. IMO, you need physical
processes that can be observed and understood by a layman to have a high level
of assurance.

~~~
toomuchtodo
Cheaper to just go back to physical processes that can be easily audited.
Simple = better.

~~~
brianwawok
Is it easy to audit ping pong balls? Seems you can weight them just as easily
as you can do a rootkit.

~~~
Spooky23
You can write down a procedure to weigh them, measure them, document chain of
custody, etc.

With a computerized process, how do you assure that the code isn't tampered
with? Or that the OS is tampered with? You _can_ do it, but the average
auditor from KPMG or Deloitte can't, and the people who can are hard to find.

------
jackfoxy
Real random numbers,
[https://github.com/jackfoxy/RandomBitsSolution](https://github.com/jackfoxy/RandomBitsSolution)
The wrapping code can be short and sweet and run in a repl on an audited
machine... or go back to Ping-Pong balls as suggested by others.

The point being just about any software supplied by a vendor is going to be
non-trivial and in some way exploitable.
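A sketch of the "short and sweet" wrapper this comment has in mind, added here as an example and not code from the linked RandomBitsSolution repo: it assumes the caller supplies the raw byte source (hardware RNG, os.urandom, whatever the audited machine provides), does unbiased selection without replacement, and logs every byte consumed so an auditor can replay the draw and confirm the numbers.

```python
# Added example (not the linked repo's code): a deliberately small, readable
# draw wrapper. The byte source is supplied by the caller; every byte handed
# out is logged so an auditor can replay the draw offline and confirm it.
import os

def unbiased_int(rand_bytes, n):
    """Uniform integer in [0, n) by rejection sampling (plain x % n is biased)."""
    nbytes = (n.bit_length() + 7) // 8
    limit = (256 ** nbytes) // n * n  # largest multiple of n that fits
    while True:
        x = int.from_bytes(rand_bytes(nbytes), "big")
        if x < limit:
            return x % n

def draw(pool, k, rand_bytes=os.urandom):
    """k distinct numbers from 1..pool, without replacement, sorted."""
    remaining = list(range(1, pool + 1))
    picks = [remaining.pop(unbiased_int(rand_bytes, len(remaining)))
             for _ in range(k)]
    return sorted(picks)

def recording_source(source, log):
    """Wrap a byte source so everything it hands out is appended to log."""
    def read(n):
        chunk = source(n)
        log.extend(chunk)
        return chunk
    return read

def replay_source(log):
    """Byte source that serves a logged byte string back, for verification."""
    pos = 0
    def read(n):
        nonlocal pos
        chunk = bytes(log[pos:pos + n])
        pos += n
        if len(chunk) != n:
            raise ValueError("log exhausted: draw consumed more bytes than logged")
        return chunk
    return read

def audited_draw(pool, k, source=os.urandom):
    """Run a draw; return the picks and the exact bytes consumed (the log)."""
    log = bytearray()
    return draw(pool, k, recording_source(source, log)), bytes(log)

def verify(pool, k, log, picks):
    """Auditor's check: replaying the logged bytes must reproduce the picks."""
    return draw(pool, k, replay_source(log)) == picks
```

Publishing the byte log (or its hash) alongside the result turns "trust the box" into "re-run these 40 lines on your own machine", which is the property the thread is asking for.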

