
Six Face Charges In Scheme To Manipulate Lottery Game - jzwinck
http://www.courant.com/breaking-news/hc-more-5-card-cash-arrests-0323-20160322-story.html
======
Kenji
Most interesting bit is in the end:

 _An investigator for the Connecticut Lottery determined that terminal
operators could slow down their lottery machines by requesting a number of
database reports or by entering several requests for lottery game tickets.
While those reports were being processed, the operator could enter sales for 5
Card Cash tickets. Before the tickets would print, however, the operator could
see on a screen if the tickets were instant winners. If tickets were not
winners, the operator could cancel the sale before the tickets printed._

Lack of atomicity of the operation is the key here.

~~~
capitalsigma
That's really terrible design. It seems almost unfair to charge these guys for
exploiting such an obvious loophole.

~~~
slavik81
They found a flaw in one layer of security. That's why there's more than one
layer of security.

~~~
capitalsigma
Sure, I guess. But this is like playing craps at a table where you can take
back your bet after you see where the ball lands... What else are you supposed
to do?

~~~
mvid
Aside: Roulette has a ball that landed, craps has dice.

------
refurb
_the operator could see on a screen if the tickets were instant winners. If
tickets were not winners, the operator could cancel the sale before the
tickets printed._

Wow, looks like someone screwed up big time. Why the hell would you ever allow
someone to see whether or not it was a winning ticket before printing it?
That's asking for abuse.
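The atomicity gap Kenji points to and the early disclosure refurb questions, as a toy model added here (not part of the thread and not the lottery system's code). The `Sale` class, its states, `replay` and the sample draws are all assumptions made for illustration.

```python
from enum import Enum
class State(Enum):
    PENDING = 1
    COMMITTED = 2
    CANCELLED = 3

class SaleError(Exception): pass

class Sale:
    """Hypothetical ticket sale; disclose_early=True models the quoted flaw."""
    def __init__(self, disclose_early, winner):
        self.state = State.PENDING
        self.disclose_early = disclose_early
        self._winner = winner

    def outcome(self):
        # Hardened rule: the result is readable only once the sale is final.
        if self.state is not State.COMMITTED and not self.disclose_early:
            raise SaleError("outcome hidden until the sale is committed")
        return self._winner

    def commit(self):
        if self.state is not State.PENDING:
            raise SaleError("only a pending sale can be committed")
        self.state = State.COMMITTED

    def cancel(self):
        # Cancel and disclosure never overlap: a committed sale stays sold.
        if self.state is not State.PENDING:
            raise SaleError("only a pending sale can be cancelled")
        self.state = State.CANCELLED

def replay(disclose_early, draws):
    """Replay cancel-on-loss against one design; return (paid, winners)."""
    paid = winners = 0
    for winner in draws:
        sale = Sale(disclose_early, winner)
        try:
            if not sale.outcome():
                sale.cancel()
                continue
        except SaleError:
            pass  # result not visible while pending, so the choice is blind
        sale.commit()
        paid += 1
        winners += int(sale.outcome())
    return paid, winners
# Constructed sample: 8 sales, 2 instant winners.
DRAWS = [False, True, False, False, True, False, False, False]
```

`replay(True, DRAWS)` pays for only the two winning tickets, while `replay(False, DRAWS)` pays for all eight to obtain the same two winners.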

------
awinter-py
oh god I hope their legal defense is 'we thought this was a feature not a
bug'.

computer law will get so much clearer if we stop blaming people for using
systems as they're built.

~~~
wpietri
Unlikely. Many kinds of cheating are basically using systems as they're built.
Social systems, accounting systems, computer systems. Those systems are just a
(fallible) embodiment of the relationships we choose to create between one
another.

If somebody abuses a system to shift a relationship to one that's parasitic or
harmful, they shouldn't expect the rest of society to blame the system rather
than the system's abuser.

~~~
awinter-py
Are you saying that the original 'relationship' of the lottery isn't parasitic
or harmful?

I take your point that it's useful to have a definition of cheating that goes
beyond 'what the system seems to permit'. On the other hand, there's a point
at which you release software that's so vulnerable that the liability is as
much on the coder as the criminal.

~~~
wpietri
> Are you saying that the original 'relationship' of the lottery isn't
> parasitic or harmful?

I agree that it is, but that doesn't matter for the moral analysis of the
people who got arrested. If they had been screwing the lottery and donating
the money to gambling addiction programs, I'd applaud them. But this was just
thievery.

> On the other hand, there's a point at which you release software that's so
> vulnerable that the liability is as much on the coder as the criminal.

I don't think there's a fixed quantity of moral responsibility that you have
to allocate between criminal and victim. If you don't install a very good lock
on your door, that does not lessen the criminal's liability, moral or legal,
for breaking in.

~~~
awinter-py
It does lessen liability. Breaking & entering is a crime; trespassing is a
lesser crime. 'Just wandering in' is hard to prosecute.

~~~
wpietri
Sorry if I was unclear, I was suggesting that the _quality_ of a lock doesn't
matter. I agree that the _existence_ of a lock matters. Which I think should
have been obvious from the phrase "criminal breaking in", in that as you point
out, mere trespassing is a different crime from breaking in.

~~~
awinter-py
Rewinding to the original question: the sys devs for the lotto system didn't
install a lock.

~~~
wpietri
I doubt they, the prosecutors, the judge, or a jury will agree with you on
this. I certainly don't. It wasn't very good security, easily jimmied. But
that was true with early vending machine security as well, and with a
surprising number of home door locks. The defendants here went beyond normal
operation of the machine, which is all that it will take to qualify it for
"rigging a game" and the computer crimes.

~~~
awinter-py
Most state lottos describe their product as a 'game' and by the common
definition, games can be won if you know how to play them. Also, it's illegal
in many states to operate a gambling establishment -- therefore we can assume
that gambling is harmful to society.

Given those definitions, these guys can defend themselves by saying (a) I was
playing the game, (b) the mere fact that I turned a gamble into a sure win
isn't evidence of ill intent -- as we all know, gambling is immoral, and (c)
this use was not proscribed by the instructions.

I wouldn't be surprised if there are rules against playing the lotto at your
own store; that would be a contractual breach requiring the merchants to
return their winnings. You can stretch that contractual breach to claim
'unauthorized use' for a CFAA charge, though if you lose it sets a tough
precedent that hurts other CFAA prosecutions. But the mere act of using the
machine in an alternative (but not prohibited) way isn't a crime.

------
braythwayt
The basic premise:

 _“We the government, who represent the people, are in the business of
exploiting the people’s unfamiliarity with probability. You the retailer, who
represent us, are not supposed to be in the business of exploiting our
unfamiliarity with security.”_

~~~
Laaw
They represented the government in this instance, so no, your premise is
incorrect.

~~~
braythwayt
You just said what I said! "You the retailer, who represent us."

------
dang
Url changed from [http://arstechnica.com/security/2016/03/cops-lottery-termina...](http://arstechnica.com/security/2016/03/cops-lottery-terminal-hack-allowed-suspects-to-print-more-winning-tickets/), which points to this.

