
Russians Engineer a Slot Machine Cheat that Casinos Can't Fix - arielm
https://www.wired.com/2017/02/russians-engineer-brilliant-slot-machine-cheat-casinos-no-fix/
======
kartan
I see a lot of complaints about why this is illegal. It is illegal, as anything
that is illegal, because the law says so.

As, for example, in Nevada:

"NRS 465.075 Use of device for calculating probabilities.

It is unlawful for any person at a licensed gaming establishment to use, or
possess with the intent to use, any device to assist:

1. In projecting the outcome of the game;
2. In keeping track of the cards played;
3. In analyzing the probability of the occurrence of an event relating to the game; or
4. In analyzing the strategy for playing or betting to be used in the game,

except as permitted by the commission."

[http://www.gambling-law-us.com/State-Laws/Nevada/](http://www.gambling-law-us.com/State-Laws/Nevada/)

~~~
cityhall
The irony here is it's only illegal to beat the games because the casinos
figured out how to rig the democratic process to get favorable laws passed. If
we put it to a vote, what would the public think was more unethical, using a
mechanical device to count cards or using lobbyists to make sure you can't
lose?

~~~
huac
If a casino could lose money, you'd either have only small, locals casinos, or
none at all. Votes are rarely referendums on ethics.

In this case we'd (and by we, I mean Nevada residents) compare two scenarios:
a world without the big Vegas casinos (and their tax revenue, their employees,
the good stuff), or a somewhat rigged world with the casinos.

~~~
gech
What a defeated view. Hopefully one day those Nevada residents may see a
horizon beyond the sprawling parking lot of a casino.

~~~
huac
If there is an industry that can profitably offer better jobs/economic
incentives to Nevada, then I think you would see that industry gain power and
relatively weaken the grip of the casinos on Nevada.

So maybe in 5 years we'll be complaining about how Nevada residents can't see
beyond 'rigged' tech jobs that don't pay as much as the Bay Area...

------
ainiriand
I would like to know what is morally wrong in defeating a system designed to
beat you. Designed to (almost) always win. The Casino is the one that cheats
because the odds are not completely random, as they should.

~~~
digler999
They aren't charging the defendants with a 'moral' crime. I'm not sure what
their exact charges are, and they depend on minutiae like the article said:
"crossing state lines makes it a felony conspiracy to commit fraud". Gaming
regulations are written to favor the house. You're correct that we wouldn't
expect them to be charged with "tampering with a gaming device" because they
never touched it, and they got comparatively light sentences (2 years)
compared to Nevada where you can easily get 5-10. Some states may have a new
law like "using a computer to manipulate a gaming device" or similar. I think
they put that one on the books so that you can't cheat roulette by calculating
the trajectory of the ball, or identify unique variances in cards. Regardless,
you can expect the laws everywhere to catch up after this incident.

I disagree that the "system is designed to beat you" or that the casino
"cheats". The casino is there for entertainment. If you don't use it in
moderation it can ruin your life just like any other vice: alcohol, drugs,
sex, etc.

If you have $1000-$5000 (or more), you can fly out to Vegas for the weekend,
have a really good time (gaming is only part of that), fly home, and you've
got a significant chance that you'll either win or break even. You might also
lose, and that's the excitement cycle that is gambling. But even if you lose
you can also have a good time at a show/nightclub/concert, every kind of
themed bar, meet women, etc, so if you discard "winning money" as the primary
objective, gambling isn't designed to beat you.

If you go to the casino every day after work, don't be surprised that you will
not win anything, or that it might escalate just like any other drug (spending
more, not happy when you win, etc).

What shocks me is that these guys have the technical prowess to reverse
engineer the game/PRNG, but they didn't have the sense to slow down their
pace, or reverse engineer the casino management system to avoid detection (or
they didn't think to hide their iPhone from the start, they said the first guy
was holding it right up to the screen, when $100 spent on a clothing
alteration would have allowed him to hide it). If you're going to fly
internationally to commit a crime, you should know who you're up against and
use adequate countermeasures.

~~~
phkahler
>> "crossing state lines makes it a felony conspiracy to commit fraud".

I don't see any fraud though. Sure, they found a system to beat the slot
machines, but I'm not sure how that's fraud. What if some guys think they're
really good at playing poker and they take a trip to a casino to play?

At what point does playing smart become fraud? or cheating? When does counting
cards in blackjack become cheating? When you get too good at it? This whole
area seems rather strange.

~~~
centizen
The big factor here is that casinos specifically forbid the use of devices
intended to affect the outcome of the game. You go to a casino, you have to
play by their rules. If not, they can argue you are attempting to defraud
them.

Counting cards is a much better example of "playing smart", and it is not
actually illegal - although casinos will ban any player they suspect to be
counting they will likely not be charged with a crime. But once you bring a
personal implement in to the situation, it very much becomes a prosecutable
crime.

~~~
phkahler
>> The big factor here is that casinos specifically forbid the use of devices
intended to affect the outcome of the game. You go to a casino, you have to
play by their rules. If not, they can argue you are attempting to defraud
them.

I understand that they may kick you out for being too good (he must be
"cheating"). And the argument about using a device to aid you might be a more
concise definition of cheating of some sort. But I've never noticed any posted
rules that one would reasonably be expected to know about. And the use of the
term "fraud" is important because then it becomes a legal issue with big
consequences beyond getting kicked out or banned from a particular casino.
OTOH a casino doesn't need to post the law for people to read. Does the law
defer to the casino rules? That wouldn't be appropriate IMHO.

There are "house rules" and there are laws. I'm kind of wondering where those
lines are and what specifically these guys did that constitutes a felony. What
specific aspect of their scam was illegal. I'm not disputing that it was
dishonest and in effect a scam of sorts.

~~~
cardiffspaceman
IANAL but there are a few things in this matter that seem to be common
knowledge. How these things will apply to a specific instance is for lawyers
to discuss. The law, at least in Nevada, does defer to the casino's right to
do business with whomsoever it chooses. The law does not permit the casino to
beat a card counter up (like in the movie "Casino") but they can insist that
such a customer leave and never come back, and in those cases at least in
Nevada, when such a customer tries to return, they may become a trespasser
[1].

[1] [http://www.pandullolaw.com/Criminal-Defense/Trespassing.aspx](http://www.pandullolaw.com/Criminal-Defense/Trespassing.aspx)

------
CapacitorSet
Saved you a click: the internal state of some slot machines' PRNG can be
predicted after observing a few of its outputs.

~~~
dghughes
The slot in question, an Aristocrat MAV500 Mark VI, is 32-bit and is no longer
in production.

It's as random as it can be made in that range of 2,147,483,647? I'm not a
programmer; I'm not sure how a stop symbol or blank is chosen when programming
a slot theme.

Newer slots are 64-bit and have larger virtual reels.

Some slots now even use a product called quantum randomness, supposedly true
randomness. [https://comscire.com/](https://comscire.com/)

~~~
Strom
The CPU architecture bit size (32-bit) has no impact on the random range. You
can implement an arbitrary length RNG on any machine.

Based on the article it seems that the flaw is that the machine uses the
timing of human interaction as a significant seed source. This works well
enough for unaware people, but as evidenced here is super easy to exploit once
the knowledge is out there. Using time (e.g. the time the program started) as
the PRNG seed is a very common security flaw. Otherwise experienced engineers
keep making this mistake even in 2017.

~~~
jcoffland
I don't think that is what the article said. Where do you read that the
machine uses the user's timing to seed the PRNG? It talks about timing the
button presses but my understanding was that that was only used after the PRNG
was cracked. The PRNG is cracked by measuring the timings of on screen cues.
These cues are essentially outputs from the PRNG. There is nothing that
indicates the user's timing is used as a seed as far as I can tell.

~~~
Strom
I assume you understood that by timing I didn't mean seconds from 1970. Beyond
that this seems to be getting into semantics territory on how we define
'seed'. To be clear, I agree with what you're saying about the PRNG flaw.

We can probably agree that PRNG is a function that takes an input and produces
an output. I guess you take issue with me calling this input the seed. My use
is probably a simplification indeed, but I thought one that doesn't change any
principles. Because the user's interaction timing is crucial, it seems pretty
clear to me that the exploit is about influencing the input of the PRNG. We
can call this input something else, e.g. internal state. Or we can call it the
seed.

~~~
jcoffland
The seed of a PRNG is a pretty well defined thing.

~~~
Strom
Successful communication depends on participants understanding each other.
You'll notice that the context of my comment was replying to a person who
stated that they are not a programmer. Filling my post with unnecessarily
precise lingo would work to undermine my goal which is to convey a basic idea.

------
moftz
At what point does a scheme like this go from just being a way to outsmart the
slot machine to felony fraud? I know you are allowed to use those blackjack
cheat cards at the tables in Las Vegas but what if I started using a
calculator and my own crazy algorithm? Is that fraud? What if I had an ear
piece and hidden camera glasses to stream video to some blackjack guru outside
in a van? I'm guessing that would be fraud. Is it the fact that he's using an
outside source to determine his actions?

~~~
upofadown
Here is a section of the Nevada gambling fraud law that hits close to a method
that involves button timing:

> 7. To manipulate, with the intent to cheat, any component of a gaming device
in a manner contrary to the designed and normal operational purpose for the
component, including, but not limited to, varying the pull of the handle of a
slot machine, with knowledge that the manipulation affects the outcome of the
game or with knowledge of any event that affects the outcome of the game.

In general you are not allowed to do anything clever in a casino. It isn't
stated as such, but the actual crime is winning consistently. If you walk into
a casino certain that you will not be providing the house with their cut then
you will almost for sure run up against some law. Extra laws will be generated
as required by the governments involved.

~~~
usrusr
Key word being "knowledge".

Seems like you are free to believe in any fantasy about you having an edge
over the house, except when that belief happens to be true. The mere thought
of having a streak of luck would make winning illegal. If thoughtcrimes were
animals, this would be a cute little kitty.

~~~
Bartweiss
> Seems like you are free to believe in any fantasy about you having an edge
> over the house, except when that belief happens to be true.

This is a pretty common pattern in "intent" crimes. As a simple example:
attempted murder requires a potentially-effective plan. Shooting at someone
and missing is attempted murder, burning a voodoo doll of them is not - no
matter how sincerely you expect it to work.

It does produce an odd situation where stupidity becomes a legal defense, but
the basis for it is pretty understandable. It's not criminalizing being right,
it's decriminalizing being wrong, presumably because it's too hard to define
the boundaries of whether something useless was done with real intent.

~~~
Sunset
I would argue that burning a voodoo doll should at least count for intent to
harm.

Let's say I am completely mistaken about how chemistry works and I think that
adding salt to wine will somehow make it a deadly cocktail. With intent to
kill you I make such a concoction and serve it to you.

In that case I should still be able to be punished under the law.

~~~
schoen
1991 article by David D. Friedman about this topic:
[http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?articl...](http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=1565&context=facpubs)

~~~
Zak
The article assumes rational behavior with regard to everything except which
methods of committing crimes are possible and concludes that punishing
impossible attempts creates a rational disincentive to all attempts.

It's right in a game-theory sense, but not a practical one. Proving intent to
a jury is based on circumstantial evidence. Shooting a gun at someone is
strong evidence of intent to murder because it is widely known that guns are
lethal. Countering the weight of that evidence would require very convincing
evidence that the shooter did not believe his actions would be lethal. Proving
that someone believed burning a voodoo doll would be lethal would be very
difficult since it is widely known that burning voodoo dolls is not lethal.
Even apparent evidence that the voodoo practitioner had a genuine belief is
easily played off as an act, and in criminal law, the benefit of the doubt
goes to the defendant.

There's also the matter of people having mistaken beliefs about the
probability of punishment.

------
linohh
For the German speaking: here's a documentary about a guy who did this in the
late '70s in Germany - without an iPhone, just by developing a feeling for
the (back then) mechanical machines.

[https://vimeo.com/169617086](https://vimeo.com/169617086)

Fun fact: §263a StGB (German penal code) was in part created to combat this
kind of externally assisted prediction for slot machines. It is now punishable
with up to five years in prison, if you just create or distribute the software
up to three years.

------
ptero
Funny (and sad) how something that could be praised as an ingenious trick a
hundred years ago is now considered a crime that state spends serious effort
to pursue.

Cannot resist referencing an older perspective (from Smoke Bellew):

[http://www.online-literature.com/london/smoke-bellew/4/](http://www.online-literature.com/london/smoke-bellew/4/)

~~~
LordKano
That was a great story. A little long but still great.

------
technofiend
A quick search of the inestimable comp.risks archives revealed this:

[http://catless.ncl.ac.uk/Risks/15/80#subj2](http://catless.ncl.ac.uk/Risks/15/80#subj2)

_"Montreal -- Daniel Corriveau said he hopes that his 'victory over the system
will give hope to others.' The computer analyst and his family received more
than $620,000 [1C$ = U$0.75], including interest, from the Montreal casino
yesterday, weeks after they overcame odds of one in six billion and beat an
electronic keno game three times in a row."_

The author explains the following key points:

o Corriveau used an "antique 286" computer to analyse 7,000 combinations from
the keno game, [which uses an electronic pseudo-random number generator].

o Corriveau noticed that the electronic game was repeating numbers in a
predictable pattern.

o Corriveau and several family members bet on what they predicted would be due
to come up; they won three times in succession.

I had originally seen an article speculating someone power cycled a keno
machine after recording the winning numbers, with the assumption or knowledge
that the random number generator reseeded with a 0 on cold boot. I'm not sure
if that's just me mis-remembering the details of this case, or another one
altogether. If anyone has a link to the second case please let me know.

------
andrewem
Figuring out the pattern of a pseudorandom device used for gambling reminds me
of Michael Larson, who learned the patterns used on a TV game show in order to
win a lot of money. See
[https://en.m.wikipedia.org/wiki/Michael_Larson](https://en.m.wikipedia.org/wiki/Michael_Larson)

------
splonk
> Allison notes that those operatives try to keep their winnings on each
> machine to less than $1,000, to avoid arousing suspicion.

This is likely to be because they're trying to avoid the automatic W-2G that's
generated for slot winnings over $1200. Basically if you're playing
anonymously on a slot machine, any payout of $1200 or over on a single spin
will generate a human interaction. Unless you're playing at fairly high stakes
(say, over $100/spin), this is normally rare enough that hitting several
$1200+ results in a short time span would be very suspicious. Keeping every
win under $1200 allows a person to play as anonymously as you reasonably can
in a casino.

------
mnarayan01
The "And Casinos Have No Fix" part of the title seems exaggerated; if nothing
else, it appears that only a small subset of 5+ year old machines are
affected.

~~~
rtkwe
From the description of the attack it seems like the only reason other
machines aren't affected is because the Russian group running this hasn't
gotten their hands on those machines.

~~~
orclev
Sort of maybe. It sounds like the slot machine makers are being cheap with
their machines. There are such things as hardware RNG that will produce a
truly random number, it's just that for most applications they're overkill.
This seems like an instance where not only aren't they overkill, they're
almost mandatory. They talk a bit about using encryption to protect the PRNG
algorithm, but that's just a bandaid, at best it buys them a little bit of
time, but ultimately it will be cracked the same way.

A hardware RNG is actually pretty cheap to make, there are actually open
source (as in the circuit diagrams are available) ones floating around the
internet that you can build for less than $20 worth of parts. The
manufacturers probably don't want to go that far because a) compared to most
of the parts in the machine it's a fairly expensive piece so it will cut into
profits, b) hardware RNG function a bit different from a PRNG so properly
integrating one requires a certain amount of skill, c) it isn't their problem
really, they already got their money, it's the casinos that are losing, and d)
it's simpler to just prosecute the handful of people doing this (for now).

~~~
cwmma
e) it's much harder to be sure a hardware RNG actually does produce random
outputs compared to a PRNG

~~~
orclev
That was somewhat covered by point b, but yeah, in terms of verification it's
tricky to determine if a hardware RNG is actually, you know, random. The other
part that makes it tricky is that most hardware RNGs don't produce enough
entropy to keep a system fed during active usage so you typically need to use
their outputs as inputs to more traditional PRNGs or to periodically re-seed a
PRNG which was actually the main thing I was thinking about with point b.

------
FabHK
Don't know what PRNG they use, but for the Mersenne Twister (MT19937, which
was considered state of the art the beginning of this millennium) for example
you can deduce the state after 600 or so observations (of 32 bit words), and
then predict what it'll deliver after that. See [1] for details and some good
background on PRNG, if possibly a bit biased (she's promoting her PCG family).

For gambling purposes, probably makes sense to use cryptographically secure
PRNG :-)

[1] [http://www.pcg-random.org/predictability.html](http://www.pcg-random.org/predictability.html)

------
droithomme
That is a very interesting article.

I disagree with the characterization of the crews as "cheaters". They didn't
cheat. They turned a game of chance into a game of skill, then excelled at
that skill. Of course this has happened to other games as well, such as with
card counting in blackjack, which is also inaccurately described as cheating
when it's actually mastery of the game.

------
peapicker
Change to roulette, chaos theory, and physicists -- using 8bit hardware in
shoes -- and you get the fascinating book "The Eudaemonic Pie" by Thomas Bass.
Highly recommended.

~~~
Zanni
Came here to say the same thing. Brilliant book. A team of physicists created
a computer to track a roulette ball and wheel with sufficient accuracy to gain
a whopping 40% advantage over the house. Their hardware was never reliable
enough (in terms of not catching on fire, the predictions were good) to make
much money. Doyne Farmer, a member of the team basically invented the field of
chaos theory, then went on to make a fortune on Wall Street.

~~~
peapicker
I actually interned at Los Alamos Natl Lab at the Center for Nonlinear Studies
while Doyne was there (late 80's - dating myself - before The Prediction
Company). Cool guy! He had a nifty custom piece of hardware board for cellular
automata in his computer that at the time blew me away. Was a cool job... got
to write code that ran on things like Cray YMP supercomputers. Had a Thinking
Machines CM-1 as well... (like in Jurassic Park with the blinkenlights).

------
justinpombrio
By "_Can't_ fix", they mean "_could_ fix by putting in new slot machines
whose PRNGs aren't crackable, but _choose not to_ because it wouldn't be cost
effective".

Why don't slot machines use true random numbers? They could still skew the
results however they like.

~~~
imaginenore
why can't they simply update the firmware?

A secure PRNG can be made trivially.

~~~
Scuds
sure it can.

Now, implement it on a system from 2008 whose source and tooling has been
scattered to the winds.

~~~
xorblurb
tons of people are working on video game console emulators, and that kind of
people could do that easily...

------
jjuel
The true fix is just to replace the machines. As they said the newer machines
have encryption to hide the PRNG. Obviously some places can't do that, and the
company is not doing it for free. So technically the casinos cannot fix the
compromised machines themselves, but they could just replace them.

~~~
Retric
If I know the PRNG and the encryption then I can predict the outcome of the
encrypted PRNG.

The encryption community has dealt with this issue for a long time and there
are a lot of useful approaches, and many ways to fail.

~~~
falsedan

> If I know the PRNG and the encryption then I can predict the outcome of the encrypted PRNG.

I assume they are mixing the PRNG output with a secret key using some
encryption algorithm. Given the ciphertext (observed spins) + the algorithm,
you still can't predict numbers until you discover the key.

~~~
Retric
Depends on the algorithm. Many encryption schemes are vulnerable if you know
the ciphertext and can guess the plain text.

This is one of those cases where if they knew what they were doing the PRNG
would be fine as is. So, you can't just hand-wave some undefined encryption
scheme and assume they will implement it correctly.

~~~
Scaevolus
Any cryptographic hash function works as a key derivation function (KDF) or
cryptographically secure pseudo-random number generator (CSPRNG). Even ones
with broken collision resistance are probably still suitable -- you could just
take the bottom bits of MD5(secret_key + counter) and that would be enough.

~~~
Retric
Very much no. If I know the hash function will always map input X > Y for all
machines and I can guess say 100,000 possible states for the PRNG based on for
example the time stamp then:

Hash those 100,000 states, compare the output of those hashes to the observed
output to find the actual PRNG state. Then always know the hashed output of
the PRNG.

PS: Read
[https://en.wikipedia.org/wiki/Cryptographic_hash_function](https://en.wikipedia.org/wiki/Cryptographic_hash_function)
Now if each machine used its own hidden salt then that would be a real
option. But, cryptographic hash does not imply an unknown salt.

~~~
Scaevolus
With a secret state of 128 bits or more, you can't brute force it before the
sun burns out.

~~~
Retric
Edit: You said secret_key aka hidden salt, but if I can get that key by say
access to the machine then it's not necessarily hidden.

I am pointing this out because the assumption is a poor PRNG used by
incompetent team in the first place. Saying just do X, when it's possible to
do X and still have a problem is not an actual solution. It's equivalent of
saying just be competent.
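Strom's remark about time-derived seeds and the Scaevolus/Retric exchange above, as an added example that is not part of the thread and not any vendor's code: the same hash-of-counter construction Scaevolus describes, once with a guessable 32-bit boot timestamp as its only secret and once with a 128-bit per-machine key. The timestamp, candidate window and spin counters are constructed for the demonstration.

```python
"""Added example (not from the thread, Aristocrat or any other vendor).

Two "hash the state" generators in the shape Scaevolus proposed
(low bits of H(secret || counter)), differing only in how much genuinely
secret state they hold:

  weak:   the only secret is a 32-bit boot timestamp (Strom's time-seed flaw)
  strong: a 128-bit key from the OS CSPRNG, generated per machine

Retric's objection then fits in a few lines: if the weak seed can be bounded
to 100,000 candidate timestamps, three observed outputs identify it and every
later output is predictable. The same search against 128 secret bits is
hopeless, which is Scaevolus's reply. All timestamps, the candidate window
and the spin counters below are constructed for the demonstration.
"""
import hashlib
import secrets
import struct
from typing import Iterable, List, Optional

OUTPUT_BITS = 16  # the "bottom bits" a reel-stop selector might consume
MASK = (1 << OUTPUT_BITS) - 1


def hashed_output(state: bytes, counter: int) -> int:
    """Shared construction: SHA-256(state || counter), truncated to OUTPUT_BITS."""
    digest = hashlib.sha256(state + struct.pack(">Q", counter)).digest()
    return int.from_bytes(digest, "big") & MASK


def weak_state(boot_time: int) -> bytes:
    """Weak: 32 bits of 'secret', and a guessable one (when the machine booted)."""
    return struct.pack(">I", boot_time)


def strong_state() -> bytes:
    """Strong: 128 bits that never leave the machine; unguessable by enumeration."""
    return secrets.token_bytes(16)


def observe(state: bytes, start_counter: int, n: int) -> List[int]:
    """The outputs an onlooker records from n consecutive spins."""
    return [hashed_output(state, start_counter + i) for i in range(n)]


def recover_weak_seed(observed: List[int], start_counter: int,
                      candidate_times: Iterable[int]) -> Optional[int]:
    """Hash every candidate state and keep the one that reproduces all the
    observations; cost is at most len(candidates) * len(observed) hashes.
    Three 16-bit outputs leave about 2^-48 odds of a false match per candidate,
    so a unique survivor is the real seed. Returns None if none (or several)."""
    matches = [
        t for t in candidate_times
        if all(hashed_output(weak_state(t), start_counter + i) == o
               for i, o in enumerate(observed))
    ]
    return matches[0] if len(matches) == 1 else None


def predict_next(boot_time: int, counter: int) -> int:
    """Once the seed is known the 'encrypted' PRNG is an open book."""
    return hashed_output(weak_state(boot_time), counter)


def years_to_enumerate(secret_bits: int, hashes_per_second: float = 1e12) -> float:
    """Time to try every value of the secret at the given hash rate, in years."""
    return (2 ** secret_bits) / hashes_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    boot = 1_500_042_017                            # constructed: machine's boot time
    window = range(1_500_000_000, 1_500_100_000)    # observer's 100,000 guesses
    seen = observe(weak_state(boot), 7, 3)          # three spins, counters 7, 8, 9
    found = recover_weak_seed(seen, 7, window)
    print("recovered boot time:", found, "-> next output:", predict_next(found, 10))
    print("years to enumerate a 32-bit seed:  %.1e" % years_to_enumerate(32))
    print("years to enumerate a 128-bit key:  %.1e" % years_to_enumerate(128))
```

The same search returns nothing against a `strong_state()` generator, and the 128-bit figure is why the secret has to be both large and kept on the machine.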

------
brilliantcode
Somebody play a tune on the world's smallest violin. People kill themselves
because of casino normalizes self destructive behavior. So a bunch of
impoverished engineers figure out a way to beat an outfit that profits off
from ripping people off. More power to them. I hope they take out all the
fucking casinos ripping people off. Not that I condone hacking but casino
really doesn't even register on my empathy list. Fuck them.

It should be legal to burn money also because people love doing it at a swanky
place like casinos. At least you won't see people get addicted to dousing your
cash with gasoline and throwing a cigarette at it.

I just thought of it and it seems quite exhilarating at the prospect....but it
is safer and less addictive than gambling in casinos.

------
jcoffland
> As Hoke notes, Aristocrat, Novomatic, and any other manufacturers whose
> PRNGs have been cracked “would have to pull all the machines out of service
> and put something else in, and they’re not going to do that.”

This just goes to show that despite the money the casinos are losing to this
Russian group, they are still making so much money off the people _they_ are
cheating that it's not worth fixing the problem.

Why our governments protect the jerks who steal money from the less
intelligent members of our society is beyond me. That there are laws that
support casinos is no justification. Casinos are themselves a scam and should
not be protected against scammers at the expense of tax payers.

~~~
kartan
> Casinos are themselves a scam and should not be protected against scammers
> at the expense of tax payers.

In Sweden casino gambling, and other types of gambling, is owned by the state.
The state keeps the money from the gamblers. It is like an extra tax that
people can choose by themselves. In Spain it is similar for the Lottery, it moves
a lot of money at Christmas and the state keeps the profits. Any country can
achieve similar results applying high taxes to gambling.

I think that forbidding gambling is an error, as it just moves it to more
unsafe locations and opens good business for criminal organizations. Standards
that regulate gambling are a better solution: they reduce gambling addiction
by creating less attractive gambling games, they forbid loaning money to
gamblers while they are playing (that is really important), and in general
they keep gambling in check.

Disclaimer: I have worked in the gambling industry, and I will probably do it
in the future.

------
usgroup
"Casino is entertainment for which you pay a probabilistic fee proportionate
to your spend". Ok, a bit of a stretch, I personally think. I honestly think
that people gamble on things like slots because they don't have an educated
sense of probability. I'm not sure the transaction is quite as clean as buying
a cinema ticket and trading cash for entertainment.

"These guys were right to do it". I think the edge exists because it's
ultimately illegal. I think it's tantamount to an illegal distribution of cash
from a casino to a mob. Would it be any different if they hacked their bank
account?

~~~
audleman
> I honestly think that people gamble on things like slots because they don't
> have an educated sense of probability

I once became an investor on a BitCoin gambling site. The operator let you
either gamble, the normal route, or invest and receive a share of the payout.
He was extremely clear about the house edge.

I went into the chat room and asked people: why do you gamble if you know the
odds are against you. The most canonical answer I received:

"Maybe I believe my luck has an edge on the house"

------
gwbas1c
I wonder if there's enough variation in how people pull the handles and push
the buttons that it could be used to partially re-seed the PRNG frequently
enough that the seed can't be determined from a video?

~~~
CapacitorSet
That's the technique Linux uses, it feeds keyboard and mouse timing events
into one of its entropy pools. I can't see why they wouldn't do this for slot
machines.

~~~
manarth
The article mentions newer slot machines, "whose PRNGs use encryption to
protect mathematical secrets" - so new machines are already considered
secure.

> Aristocrat, Novomatic, and any other manufacturers whose PRNGs have
> been cracked “would have to pull all the machines out of service
> and put something else in, and they’re not going to do that.”

So they could be fixed, it's purely a financial decision.

> as long as older, compromised machines are still popular with customers,
> the smart financial move for casinos is to keep using them and accept
> the occasional loss to scammers.

~~~
lsaferite
Seems like using a radioactive decay RNG would also help, no?

~~~
thecatspaw
sure, but are you gonna put a tiny bit of radioactive material in every slot
machine? Not to forget that the RNG would have to be restocked if the material
ever runs out

~~~
orclev
Pretty sure the half-life of most things that would be used is already longer
than the MTBF of just about every other part a slot machine.

------
Aardwolf
Since the title says "Can't Fix": Isn't it fixable by injecting some entropy
into the PRNG for every roll like button press durations in nanoseconds,
temperature, hardware quantum based, ...?

~~~
digler999
you'd have to do a hardware mod, and gaming is a regulated industry. so every
mod you do has to be submitted to a state or nationwide gaming regulatory
authority, takes months (at least) to get approval, and costs easily $100k.

Not to mention full regression testing on the statistics of the game. You
would have to "re-prove" the validity of the RNG, which requires another QA
cycle, statistical expert, and game designer (to ensure that the frequency and
distribution of wins matches the specification sheet).

~~~
Aardwolf
Button timing might be doable with a software change only. Doesn't solve the
other testing procedures of course.

But what would be the difference with other casino software bugs then, are
those also "Unfixable" then?

~~~
digler999
there aren't many other software bugs in casinos that affect the money.
They're usually graphics-related or crashes, and they usually just restart the
machine and write a bug report.

If they are related to money, they pull the machine out of the field until a
new software version is fixed. A gaming company I used to work at had an issue
with multi-jurisdictional machines that worked in Mexico but could display
English or Spanish. The machines could also change denomination, say from
$0.05 to $0.25. There was some bug where if you reset the power, you could get
it to bump your credits up from 20 nickels to 20 quarters (or might have been
20 pesos to 20 cents), it was something dramatic and easily exploitable that
was fixed promptly.

------
LeonM
Reminds me of the first chapter of Kevin Mitnick's 'The Art of Intrusion' [0].
The first chapter tells the story of (I believe) American programmers who
reverse engineer the PRNG on a poker machine, so they could predict when the
machine would deal the next royal flush.

[0] [https://www.amazon.com/Art-Intrusion-Exploits-Intruders-Dece...](https://www.amazon.com/Art-Intrusion-Exploits-Intruders-Deceivers/dp/0471782661)

------
thomyorkie
> A finger that lingers too long above a spin button may be a guard’s only
> clue that hackers in St. Petersburg are about to make another score.

Seems like this is easy for the scammers to work around. They could calculate
the average time it takes for the scammer to lift his hand from his lap and
press the button, and then use that time instead of .25 seconds. Would be less
successful, but would seem to be almost impossible to detect.

------
danbmil99
Kevin Mitnick wrote about a similar hack over a decade ago:
[https://www.ethicalhacker.net/features/book-reviews/mitnick-...](https://www.ethicalhacker.net/features/book-reviews/mitnick-the-art-of-intrusion-ch-1-hacking-the-casinos-for-a-million-bucks)

I knew some of the people involved and actually saw some of the code if
anyone's interested.

------
sageikosa
Similar idea...

[https://en.wikipedia.org/wiki/Michael_Larson](https://en.wikipedia.org/wiki/Michael_Larson)

~~~
gspetr
Great article and HN thread about this guy:

[https://news.ycombinator.com/item?id=9570713](https://news.ycombinator.com/item?id=9570713)

------
bitexploder
There is a fix and it is not crazy. The gist is they were able to brute force
the PRNG of the machines and predict their future state. Hardware RNG is the
answer. In crypto it is obviously bad if someone can predict anything about
your random values (keys / IVs). A hardware RNG, "cryptographically strong"
RNG algorithms, and resetting the RNG very often make this problem go away.

~~~
bluGill
The problem is that you cannot add a hardware random number generator to
existing machines and the cost of buying a new machine is high enough that
casinos do not want to do it.

If the scammers get too big the casinos will replace the compromised machines
and the scam ends. The scammers seem to know this: they are targeting more and
more casinos around the world in an apparent effort to make sure it is worth
the risk.

Actually you don't need hardware random number generators. There is enough
variance in human input to feed a cryptographic random number generator. The
code to add this probably wouldn't be that hard to write (they might be 8 bit
CPUs or some such limit that makes it impossible though). However all code
changes have to be certified by regulatory bodies (for good reason) which
makes it not worth the effort to fix old machines.

~~~
bitexploder
That is fair enough. For older machines I have no idea what the answer is. I
just mean designing this securely is not too hard. Hardware RNG is cheap,
though. You are right though, these old machines do present a pickle.

------
problems
Curious how they screwed this one up - did they just have no proper random
source? Nothing like modern operating systems use, like disk latency? If
you're in the business of doing random numbers, you'd think you'd embed a
cheap hardware based random number generator, even if it was extremely
limited, just to seed a CSPRNG.

~~~
mark-r
I'm guessing that proper hardware random sources, or the operating system
entropy generators, are harder to verify by gaming commissions so they didn't
get used. The article does mention that more modern software uses
cryptographic generators that can't be predicted.

------
mark-r
The title is a bit misleading (clickbait?) - the problem can certainly be
fixed, and the article even goes into some of the ways. It just isn't cost-
effective. Retiring the problematic machines would do it.

I wonder if they can change the amount of money you play for in those
machines, so that it's no longer worth it to try to cheat them?

------
matt_wulfeck
It looks to me like a PRNG is fed once and never reseeded. That's the only way
that simply observing the spin would tell about the outcome. In fact I'm
surprised it doesn't just "produce" the outcome every time the button is hit
simply from a few bytes of the prng.

~~~
gspetr
As was said elsewhere in the thread: It seems that the organizer of this
affair does not want his hired hands to figure out what's going on, telling
them instead it's some computer magic they calculate real-time.

------
Illniyar
"Since code isn’t prone to sudden fits of madness..."

Lol, I just can't stop laughing at that one.

------
mirekrusin
Why is it so difficult to create randomness? Input from microphone or even
variations in electricity input should be more than enough, no? Why is it such
a huge struggle, I don't understand, especially in machines that depend on the
randomness.

~~~
tomjen3
Those would be random, but not necessarily uniformly random (an input from a
mic in a casino is going to register very loud noises often).

~~~
gspetr
Even so, how would one go about defeating such RNG?

~~~
triangleman
Oh I get it! If you can't prove that it's predictably random then you can't
prove the outcome (house advantage) and then the casino won't buy the machine.
Am I right?

------
ommunist
Really funny piece. It really feels like one of those Order vs Chaos battles,
with Russians on the Order side. Guys found the order in randomness, I'd like
to see the math behind their operational methodology. Also, why iPhone?

------
neals
After reading a bit about it, it seems very difficult (impossible?) to get a
true random set of numbers. Anybody here on HN that has some insight? Are
there interesting hardware or random-number-as-a-service things going on?

~~~
ef4
There are a lot of people who make hardware random number generators:

[https://en.wikipedia.org/wiki/Comparison_of_hardware_random_...](https://en.wikipedia.org/wiki/Comparison_of_hardware_random_number_generators)

------
Cyph0n
It's still unclear how the organization broke the PRNG in the first place.
Were they somehow able to get their hands on a machine for hardware analysis?
Or did they just have their "operatives" play slots and capture video which
they then manually analysed for patterns?

Offloading the computation to a remote server is a smart idea though. There is
a lot of cool stuff happening in the game cheating space.

~~~
Xylakant
Yes they did. Says so in the article.

~~~
Cyph0n
Ah, must have missed it.

------
broahmed
I like how the guys were described as "scammers" and "cheaters"; the same
adjectives could be used to describe the casinos.

------
MR4D
I would think that having 2 PRNGs and then switching between them would ruin
this strategy.

Obviously this would cost money for retrofitting, but all new slots could
employ a new design, getting rid of this problem over a few years.

Not a perfect solution, but at least it's a medium to long-term fix.

~~~
DashRattlesnake
They already have a fix (better PRNGs), they just don't want to pay to
implement it.

"Use 2 PRNGs and switch between them somehow" sounds kinda like "roll your own
encryption." This stuff is hard to get right, and iterating on quick-fixes
without a deep understanding of the problem seems unlikely to do anything
except introduce minor roadblocks for the attackers.

------
RichardHeart
Abusing humans' desire to pattern find and take risks for profit is bad.
Casinos are bad. If you could weaponize gambling and spread it in an enemy
nation, you'd do much to hurt its GDP. I made a video about why gambling
sucks.

------
thedailymail
Anyone interested in how the gambling industry makes their billions mainly
from slot machines, and how they engineer them to hijack people's dopamine
systems should read Addiction by Design (MIT Press, 2012).

------
shermozle
I get that creating a genuine random number generator isn't easy, but surely
this points out that it's something the slot machines should have rather than
a PRNG?

------
aaossa
How does that encryption work? Is it like those sha-256 circuits used in Bitcoin
mining? Is it possible to modify the affected machines to allow encryption?

~~~
y7
Yes, using SHA-256 you can create a cryptographically secure PRNG. See
[https://en.wikipedia.org/wiki/Cryptographically_secure_pseud...](https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator)
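The points raised by bitexploder (reseed often, use a cryptographically strong generator), bluGill (feed button-press timing into the generator) and y7 (a SHA-256-based CSPRNG) fit together in one small piece of code. The following is an added example written for this thread, not code from the Wired article, any commenter, or any slot-machine vendor. It contrasts a toy generator whose output is its whole state with a simplified HMAC-SHA-256 generator that ratchets its key after every output block and can be reseeded with the nanosecond timing of a button press. The HMAC construction is an assumption in the spirit of HMAC_DRBG, not a certified implementation; the LCG constants, symbol count and timings are constructed sample values.

```python
import hashlib
import hmac
import os

# --- The kind of generator the thread is worried about -------------------
# Toy LCG whose 31-bit state is exactly the value it hands out. Anyone who sees
# one output knows the state, so the next output is a pure function of it.
# (Constants are constructed for illustration only.)
LCG_A, LCG_C, LCG_M = 1103515245, 12345, 2 ** 31


def lcg_next(state: int) -> int:
    return (LCG_A * state + LCG_C) % LCG_M


class WeakSpinSource:
    def __init__(self, seed: int):
        self.state = seed % LCG_M

    def spin(self) -> int:
        self.state = lcg_next(self.state)
        return self.state


def predict_next_weak(seed: int):
    """Observe one output of the weak generator, then compare the value
    derived from that observation with what the machine actually produces."""
    machine = WeakSpinSource(seed)
    observed = machine.spin()          # a single observed reel value
    predicted = lcg_next(observed)     # derived from the observation alone
    actual = machine.spin()            # what the machine produces next
    return predicted, actual


# --- The hardened form ----------------------------------------------------
class ReseedingHmacGenerator:
    """Simplified SHA-256/HMAC generator (assumption: modelled loosely on
    HMAC_DRBG, not a certified implementation).  The key is the secret state;
    each output block is HMAC(key, counter) and the key is ratcheted after every
    block, so outputs do not reveal the key and a later key compromise does not
    reveal earlier outputs.  reseed() folds fresh entropy into the key."""

    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(b"seed|" + seed).digest()
        self.counter = 0

    def reseed(self, entropy: bytes) -> None:
        self.key = hmac.new(self.key, b"reseed|" + entropy, hashlib.sha256).digest()

    def _ratchet(self) -> None:
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, b"out|" + block, hashlib.sha256).digest()
            self.counter += 1
            self._ratchet()
        return out[:n]

    def spin(self, n_symbols: int) -> int:
        # Rejection sampling so the reel position is unbiased, not v % n.
        limit = (2 ** 32 // n_symbols) * n_symbols
        while True:
            v = int.from_bytes(self.random_bytes(4), "big")
            if v < limit:
                return v % n_symbols


def button_press_entropy(press_ns: int, release_ns: int) -> bytes:
    """Entropy from the player's own input: nanosecond press and release
    times of the spin button, as bluGill suggests."""
    return press_ns.to_bytes(8, "big") + release_ns.to_bytes(8, "big")


def reseed_comparison(seed: bytes, timings, n_symbols: int = 22):
    """Run two generators from the same factory seed; only one is reseeded
    with button timing before each spin.  Returns both spin sequences."""
    plain = ReseedingHmacGenerator(seed)
    reseeded = ReseedingHmacGenerator(seed)
    plain_spins, reseeded_spins = [], []
    for press_ns, release_ns in timings:
        reseeded.reseed(button_press_entropy(press_ns, release_ns))
        plain_spins.append(plain.spin(n_symbols))
        reseeded_spins.append(reseeded.spin(n_symbols))
    return plain_spins, reseeded_spins


if __name__ == "__main__":
    predicted, actual = predict_next_weak(42)
    print("weak generator: predicted", predicted, "actual", actual)
    # Constructed button timings (ns); a real machine would read a clock.
    timings = [(1_000 + 1_300 * i, 1_180 + 1_300 * i) for i in range(8)]
    plain, reseeded = reseed_comparison(os.urandom(32), timings)
    print("same seed, no reseed:", plain)
    print("same seed, reseeded :", reseeded)
```

The two generators start from an identical factory seed, which is the situation matt_wulfeck describes (seeded once, never reseeded): without reseeding, a copy of the state reproduces every future spin. Once per-spin entropy is mixed in, the copy stops matching, and because the key is ratcheted after each block, recovering the state at one moment does not give back the spins that came before it.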

------
eykanal
Not knowing much about video jamming, is it possible to block this hack by
attacking the cameras?

~~~
Cyph0n
I read a paper on such a technique a while back. The CMOS sensors in
smartphones are very sensitive to a certain band of infrared. I think it would
be possible to set up a system that automatically detects smartphone location
and splashes its general area with infrared. With a good controller and motor
setup, you could probably have a single jammer that can alternate between
multiple phones.

~~~
joezydeco
And can be blocked with a small piece of infrared filter film.

~~~
Cyph0n
It depends on the threat model I guess. Whether or not such a system would
work in a casino environment, I don't know.

------
grandalf
This is the sort of use case that initially got me excited about Google glass.

------
JCzynski
I don't see why this is illegal, any more than counting cards in blackjack.

~~~
Zanni
It's illegal because there's a law prohibiting the use of electronic devices
to gain an advantage. If you could study the patterns offline sufficiently
that you could use the same technique _without a device_ in the casino, it
would be legal.

------
Glyptodon
I don't understand why this is wrong/illegal.

~~~
digler999
because it's a threat to their business ?

~~~
Glyptodon
I mean sure, the _business_ can kick them out, ban them, whatever, that's
fine. I have no problem with that.

What I have a problem with is the implication that using public information to
succeed at something without any malicious interference in its operation could
be a _criminal_ matter.

------
forgottenpass
_Slot machine outcomes are controlled by programs called pseudorandom number
generators that produce baffling results by design._

goddamnit wired. You're as bad as IT World. I don't know why I keep reading
your trash.

~~~
bluejekyll
They do an ok job of going on and explaining the limits of a PRNG. They're
trying to target this to the broader market...

~~~
shepardrtc
I generally agree, but "baffling results" is just plain stupid. Might as well
start talking about internet "tubes".

