
Masterminding the largest lottery scam in American history - petethomas
https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-iowa-lottery-fraud-mystery.html
======
asr
I'm amazed at how brazen/obvious of a cheat the code here is:

 _Tipton’s extra lines of code first checked to see if the coming lottery
drawing fulfilled Tipton’s narrow circumstances. It had to be on a Wednesday
or a Saturday evening, and one of three dates in a nonleap year: the 147th day
of the year (May 27), the 327th day (Nov. 23) or the 363rd day (Dec. 29).
Investigators noticed those dates generally fell around holidays — Memorial
Day, Thanksgiving and Christmas — when Tipton was often on vacation. If those
criteria were satisfied, the random-number generator was diverted to a
different track. Instead, the algorithm would use a predetermined seed number
that restricted the pool of potential winning numbers to a much smaller,
predictable set of numbers._

Admittedly, this is based only on the description from the article, which says
it is describing pseudocode. But obviously, once this code is found, it's game
over. Apparently the audit process for lotteries is terrible enough that this
didn't matter.

Compare this with the auto emissions cheating scandal, where the algorithm was
complicated in order to hide what was happening, so that the code would not be
obvious as a defeat device:
[http://cseweb.ucsd.edu/~klevchen/diesel-sp17.pdf](http://cseweb.ucsd.edu/~klevchen/diesel-sp17.pdf)
(see pages 6-8).

~~~
ergothus
From the DEFCON presentation I mentioned elsewhere, it also seems like if he
hadn't flubbed up and tried to claim the 16.5 million dollar prize, he (and
his friends/family) wouldn't have been caught at all.

I can't believe he put the code in when he knew it would be audited, but then
I doubly can't believe he would poke them to take a second look by suggesting
something odd was involved at all.

~~~
giarc
From the original article here, it sounds like if he hadn't talked with the
cashier at the Qwikstop he would be fine.

~~~
tedunangst
Or if the intermediary had simply said they forgot what they were wearing.

~~~
giarc
Ya I don't know why they would have tried to guess (unless Eddie told him the
wrong info by mistake). It was nearly 1 year prior and no one would expect
someone to remember what they were wearing when they walked into a gas station
on a random Wednesday.

------
crb002
Way worse than NYT uncovers. The Iowa Attorney General conspired with the Iowa
Lotto to charge the Iowa Lotto VP of Security with an "annoying speech" simple
misdemeanor in retaliation for him blowing the whistle to Iowa Citizens Aide
Ombuds investigator Bert Dalmer. Unfortunately for Iowa AG Tom Miller, the
criminal complaint affidavit is still available for public records request at
Des Moines Police Department even though the court records are sealed due to a
deferred prosecution.

See
[https://en.wikipedia.org/wiki/Coates_v._City_of_Cincinnati](https://en.wikipedia.org/wiki/Coates_v._City_of_Cincinnati)
, but Iowa still has "annoying" speech criminalized under Iowa Code 708.7; the
ultimate whistleblower retaliation tool.

~~~
crb002
[https://ialottery.com/PDF/Legal/BoardMaterials/2011/BoardPac...](https://ialottery.com/PDF/Legal/BoardMaterials/2011/BoardPacket_062011.pdf)
- Last minutes citing some of Diaz's whistleblower concerns.

------
ASalazarMX
This reminded me of a famous fraud in the Mexican Lottery. It was low-tech,
basically the company that transmits the draw managed to record it minutes
before, tell insiders the numbers and later transmit the video as if it was
real-time. $12 million USD were stolen, only $8 million were recovered.

The lotteries here (besides the statistical argument) are not trustworthy. I
urge people who buy tickets to save their money, but the dream of getting rich
instantly is too alluring.

~~~
gruez
>$12 million USD were stolen, only $8 million were recovered

>only $8 million

isn't a 75% recovery rate pretty good for cases like this?

edit: 67%

~~~
ouid
maybe, but 8/12 isn't 75%

~~~
gruez
thanks, updated.

------
ergothus
> From Tipton’s point of view, it was complicated. He had done something to
> see if he could do it. To his surprise, it worked. He said he inserted that
> code only once; after the code was approved by Gaming Laboratories
> International, machines containing it were shipped all over the country.

The article skips right over this. HTH was this code, which the article
reports wasn't even hidden, approved by a third party?

Trying to find out, I found this:

[https://www.desmoinesregister.com/story/news/investigations/...](https://www.desmoinesregister.com/story/news/investigations/2018/03/16/iowa-mastermind-who-scammed-lotteries-5-states-he-says-problems-he-exploited-arent-fixed-should-you/399257002/)

Which mentions:

"Tipton designed his rigged coding so that it wasn't detected in the company's
random tests, according to a report Fritschie helped present last year."

...as well as: "Toyne said the association does not have any ongoing
contractual relations with Gaming Labs."

The "report" mentioned earlier is a DEFCON presentation about gambling fraud
in general, pretty interesting read:
[https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20pre...](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Gus-Frischie-and-Evan-Teitelman-Backdooring-the-Lottery.pdf)

It mentions "The method of rigging the RNG could have been more discrete"
and gave the breakdown of reverse engineering the binary to find(?) the source
code. It also said the labs tested the RNG for statistical bias (which would
pass) and audited the source code (it only gives the Picard Facepalm pic, so I
assume the auditors likely relied solely/mostly on the automated test).

~~~
dlhavema
it sounds like they would have to run their tests with mock dates for every
date out of the year to discover anything, unless they happened to run their
tests on one of the 3 days mentioned in the code, they wouldn't find it. how
many tests would they need to run to really tell if there is any bias?

~~~
Slartie
Why would it even be okay at all for a piece of code that determines the seed
for a pseudo RNG via observation of hardware events (a Geiger counter
measurement, according to the article) to even access the date and time on a
given system? It should have no use for that information, and with a piece of
code of that criticality, one would expect auditors to scrutinize any and all
syscalls that it performs. This way it should have been fairly obvious that
it's requesting the time from the OS, which it shouldn't do in the first
place. Mocking date/time info is unnecessary if your code under test is
entirely unable to get time information from the system in the first place.
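
The mock-date testing raised in the two comments above, sketched as an added example (not part of the original thread and not Tipton's or the lottery's code): a constructed model of the trigger the article describes, and a sweep that flags every simulated hour at which the draw stops depending on the hardware entropy. The function names, the 5-of-59 draw, the 18:00 "evening" cut-off and the entropy values are assumptions.

```python
import random
from datetime import datetime, timedelta

RIGGED_DAYS = {147, 327, 363}       # day-of-year values quoted from the article
ENTROPY = (0x1234, 0xBEEF, 0xC0DE)  # constructed stand-ins for Geiger-counter readings

def draw_under_test(entropy, now):
    """Constructed model of the rigged generator as the article describes it."""
    d = now.timetuple()
    leap = d.tm_year % 4 == 0 and (d.tm_year % 100 != 0 or d.tm_year % 400 == 0)
    trigger = (not leap and d.tm_yday in RIGGED_DAYS
               and d.tm_wday in (2, 5)        # Wednesday or Saturday
               and d.tm_hour >= 18)           # "evening": assumed to mean 18:00 onward
    seed = d.tm_yday if trigger else entropy  # diverted path ignores the hardware entropy
    rng = random.Random(seed)                 # Python's Random is a Mersenne Twister
    return tuple(sorted(rng.sample(range(1, 60), 5)))

def clean_draw(entropy, now):
    """Control: same draw, but the clock is never consulted."""
    return tuple(sorted(random.Random(entropy).sample(range(1, 60), 5)))

def sweep_clock(draw, start_year, years):
    """Return each simulated hour at which different entropy inputs give the same draw."""
    suspicious = []
    t, end = datetime(start_year, 1, 1), datetime(start_year + years, 1, 1)
    while t < end:
        # An honest generator must produce different draws for different entropy.
        if len({draw(e, t) for e in ENTROPY}) == 1:
            suspicious.append(t)
        t += timedelta(hours=1)
    return suspicious

if __name__ == "__main__":
    for hit in sweep_clock(draw_under_test, 2009, 3):
        print("entropy ignored at", hit)
```

Sweeping 2010 alone flags only Dec. 29; the other two dates surface only once the sweep covers years in which they fall on a Wednesday or Saturday, so the simulated clock has to span several years, not just every day of one.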

~~~
moltar
All of the brightest minds were building Facebook ;)

------
sweis
Before he even backdoored it, the lottery was using a Mersenne Twister?

 _The random number is called the seed, and the seed is plugged into the
algorithm, a pseudorandom number generator called the Mersenne Twister. At the
end, the computer spits out the winning lottery numbers._

~~~
egypturnash
Mersenne Twister, with a seed based on the amount of Americium-241 detected by
a Geiger counter.

[https://en.m.wikipedia.org/wiki/Americium#Occurrence](https://en.m.wikipedia.org/wiki/Americium#Occurrence)
if you’re curious how much there generally is and how much it might fluctuate.

~~~
rootw0rm
There's no excuse for using MT for anything important this century.

~~~
himom
Fortuna w/ AES as the block cipher.

------
foxbarrington
"It was a simple piece of code, partly copied from an internet source,
inserted by the one man responsible for information security at an
organization that runs three dozen United States lotteries."

"Tipton’s extra lines of code first checked to see if the coming lottery
drawing fulfilled Tipton’s narrow circumstances. It had to be on a Wednesday
or a Saturday evening, and one of three dates in a nonleap year: the 147th day
of the year (May 27), the 327th day (Nov. 23) or the 363rd day (Dec. 29). If
those criteria were satisfied, the random-number generator was diverted to a
different track. Instead, the algorithm would use a predetermined seed number
that restricted the pool of potential winning numbers to a much smaller,
predictable set of numbers."

~~~
wycy
> partly copied from an internet source

Ah the ol' stackoverflow copy/paste.

------
r00fus
Facebook non-sequitur:

"Tommy Tipton had three Facebook friends named Conn." How did they get this
data, was it available due to warrant or probable crime?

Yet another reason to not use FB. Like, at all. I doubt the police could ask
FB for their "dossier" on you if you're not signed up (or does FB provide
shadow profile access to law enforcement?)

~~~
kevinwang
You can view a person's friends on Facebook

------
chiefalchemist
Mind boggling that one or two people (the perp and the cop) and their separate
strains of attention to details + curiosity could impact so many.

Maybe luck is real after all ;)

Great story.

------
_bxg1
"...inserted by the one man responsible for information security at an
organization that runs three dozen United States lotteries."

That's the entire problem, right there. He could have been much more brazen
and still succeeded.

------
upofadown
I guess if you are going to go bad, hacking a lottery is not the most terrible
thing you can do. Reducing public confidence in what is basically the numbers
racket might even be considered a public good...

------
ALee
If the recent Zuckerberg testimony is an example, we need more public
officials who can understand the complexity of code, technology, and the law.

I've known the young assistant attorney general in this story for more than
ten years. Rob Sand is a great guy and is running to be a state auditor of
Iowa - you can support him at robsand.com. Also, if you're interested in
meeting him in person, I'm also happy to facilitate an introduction (friends
across the country like to house him from time to time).

------
Hasz
They would have never figured this out had the idiot just had someone else
claim the 16.5M prize, or simply picked a state that allows winners to be
anonymous.

~~~
giarc
I wonder why he tried to go through a lawyer and offshore companies this time,
rather than have a friend claim the ticket.

I wonder if he found out they had video recording of the person buying the
ticket.

------
seren
I don't know if it is hubris, but the investigation only started because no
one claimed the 16 million jackpot. He could probably have kept winning
smaller sums forever.

~~~
astura
And he seriously bought the ticket himself, that's amateur level incompetence.

~~~
cavanasm
I think having hundreds of people buy the tickets would have upped the
complexity too much. He didn't deterministically have the exact number. He was
playing hundreds of tickets per win still.

------
kotrunga
This was written well. A fun read!

~~~
emodendroket
I enjoyed it, but the reveal was a little disappointing.

~~~
danso
Why disappointing? Because it seemed so simple? To me, that is the appeal,
since the complexity of the hack has an inverse relation to the level of
incompetency of the bureaucratic oversight.

~~~
emodendroket
I mean, yeah. It just felt anticlimactic.

------
rajacombinator
Now imagine what a diligent and clever thief could do and extrapolate to how
many other lotteries must be rigged...

------
himom
You gotta be an 18th c. French philosopher/writer to game lotteries these
days.

------
astura
Uh... I really, really dislike this title, it's inaccurate and (intentionally?)
misleading.

The title is "The Man Who Cracked the Lottery" but it's not about someone
actually _cracking_ the lottery, that is, figuring out how to mathematically
win the lottery or figuring out existing flaws; it's just about straight up
insider fraud. A better title is "The Man Who Rigged the Lottery." Or the
TL;DR version: "Man Inserted Logic Bomb Into Lottery Draw Code Because There
Were No Controls To Stop Him."

It's still somewhat of an interesting read but the title really ruined it for
me; I was expecting an entirely different story.

Examples of people actually cracking the lottery/gambling site:

[https://highline.huffingtonpost.com/articles/en/lotto-winner...](https://highline.huffingtonpost.com/articles/en/lotto-winners/)

[https://www.developer.com/tech/article.php/616221/How-We-Lea...](https://www.developer.com/tech/article.php/616221/How-We-Learned-to-Cheat-at-Online-Poker-A-Study-in-Software-Security.htm)

~~~
emodendroket
The article suggests there was an audit that he had to get past, at least.

> From Tipton’s point of view, it was complicated. He had done something to
> see if he could do it. To his surprise, it worked. He said he inserted that
> code only once; after the code was approved by Gaming Laboratories
> International, machines containing it were shipped all over the country.

~~~
astura
What good is an "audit" if it doesn't even catch the simplest of simple
malicious code?

~~~
jwilk
The auditors did only this:

- ran the RNG through statistical tests (which of course passed flawlessly)

- audited the source code (but the backdoor was in binaries…)

Source: DEFCON presentation linked elsewhere in comments.

------
charleyma
Jumping ahead of the conversation a bit, insert blockchain thread here. (=

~~~
ASalazarMX
Only if it includes a lightweight and fast electron client.

------
ruiquelhas
By looking only at the title, I actually thought for a brief moment that this
would be a story about Ethereum.

------
smallgovt
Why is there a tone of respect/admiration around scams like this but when a
small startup founder makes a less-than-criminal mistake (eg lendedu) HN users
want their heads on a stake?

~~~
danso
The current top-voted comment [0] expresses amazement -- not admiration --
that the hack was so stupidly simple. Can't read the author's mind, but I
share a similar sentiment: it's amazing that this crime was possible, and it
reveals the incompetence/complacency of the Iowa Lottery's IT.

[0]
[https://news.ycombinator.com/item?id=16995374](https://news.ycombinator.com/item?id=16995374)

