
Flip the scenario:

I bet on the Giants -3.5. Oh, the casino has taken advantage of my misunderstanding of -3.5. They have escalated access to my money based upon my mistake. Have they committed fraud? Do I get my money back? Do I get to change my bet after the fact? Of course not.

They put out a machine which was giving away money. The guy did nothing other than put money in the machine and push the buttons.

If Vegas had to return all the money to the gamblers who made mistakes, it would just be a desert again.




Two comments. Back around the turn of the century, when electronic gaming machines were taking off, I did a lot of due diligence on the rules and regulations for building a gaming machine. They didn't have regulated payouts, they have regulated games. A game license was two-part: one, the set of rules and the mathematics behind the probabilities they set; and two, an audit/dump of the mechanism/code to implement those rules such that the game was run as described. It was very clear that if a machine violated the rules of the game they were presenting, it was the maker's fault, not the casino's. So liability could only be pushed back on the casinos if the player was able to "modify or affect" the machine outside of specifications.

So if a player brings in a magnet or a custom EPROM or a wire that they stick through the coin slot to make a short circuit - Casino is liable.

If the player is using the game in the way the game allows and it pays out more or otherwise fails to implement the rules of the game correctly - Manufacturer is liable.

The only 'out' on that last bit is if the manufacturer knows of a bug and they tell the casino how to prevent it, and the casino fails to do so, then the casino is liable again.

Anyway, it was a land mine of liability as far as I could see and starting a company in that space was going to require as many lawyers as it did engineers it seemed to me so I passed.

Second comment: when the MGM Grand opened for the "first" time it had a Jai Alai court and people could bet on the games. That system allowed people to walk up to terminals and enter their bets. Basically you entered the game, either the spread or score, and the bet amount. Someone figured out that the keyboard was just an X/Y scanning matrix (like nearly every keyboard in existence) and if you held down the right three keys all at once the keyboard controller would get a scan code for '-' (even though there was no minus sign on the keyboard). You could bet "to win" on a game where the odds were against, and enter a negative score. The bet would pay out when the player lost because their score was negative relative to the other player. I do not remember the exact mechanism in the logic but as a budding computer programmer at the time I found it an interesting exploit (a minus injection bug :-). They of course fixed it right away but they didn't take back money from people who had been paid out.
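The matrix ghosting described in the comment above, modelled as an added example that is not part of the original thread: three held keys close a fourth position, which a trusting controller decodes as '-', shown beside a firmware-side and an application-side check. The 4x3 layout, the decode table, the function names and the `max_score` limit are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed 4x3 keypad (assumed layout, not the real terminal's wiring).
# Position (3, 2) has no physical switch, yet the decode table maps it to '-'.
DECODE = {
    (0, 0): "1", (0, 1): "2", (0, 2): "3",
    (1, 0): "4", (1, 1): "5", (1, 2): "6",
    (2, 0): "7", (2, 1): "8", (2, 2): "9",
    (3, 0): "*", (3, 1): "0", (3, 2): "-",
}
POPULATED = set(DECODE) - {(3, 2)}


def scan(held):
    """Diode-less scan: held switches form paths that close extra positions."""
    seen = set()
    for r in range(4):
        rows, cols, grew = {r}, set(), True
        while grew:
            grew = False
            for hr, hc in held:
                if (hr in rows) != (hc in cols):
                    rows.add(hr)
                    cols.add(hc)
                    grew = True
        seen |= {(r, c) for c in cols}
    return seen


def naive_decode(seen):
    """Controller that trusts every closed position it reads."""
    return {DECODE[p] for p in seen}


def hardened_decode(seen):
    """Discard scans with an unpopulated position or a ghost-prone rectangle."""
    if not seen <= POPULATED:
        return set()
    for (r1, c1), (r2, c2) in combinations(seen, 2):
        if r1 != r2 and c1 != c2 and {(r1, c2), (r2, c1)} <= seen:
            return set()
    return {DECODE[p] for p in seen}


def parse_score(text, max_score=99):
    """Application-side check: unsigned ASCII digits within range only."""
    if not (text.isascii() and text.isdigit()) or int(text) > max_score:
        raise ValueError(f"rejected score field: {text!r}")
    return int(text)
```

The two checks are independent layers: the firmware check stops the phantom key from being reported, and the field validation rejects a signed score even if one arrives some other way.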


My understanding is that all the slot/video machines have highly regulated payouts. The law states they must pay within a certain range, and they are verified by state employees on a regular basis.

If he is causing the machine to pay out at a level outside that allowed by the law, then he's breaking the law as much as the casino would be to make it pay out differently as well.

Edit: To clarify, I don't think he should be tried for hacking. I think he should be tried for circumventing state gaming laws, if applicable, or released. If they don't cover this, then it should be legislated if it is deemed important enough. Going after someone through some loosely affiliated law because you want them to go to jail even though what they did wasn't strictly illegal is wrong, IMHO.


Slots have highly regulated payouts, but in most US state gaming boards this is dictated by a minimum payout that all slots must average across a casino's slot floor.

An anomaly in one machine is nothing unusual - in fact it's quite common given the size of jackpots and the volatility of the game's math.


In which case I don't see how he could be tried under gaming laws, and given the specifics of the case, I don't see how he could be tried under anti-hacking laws.

For a machine like that, I consider the interface the public API, and if the interface allows something that isn't specifically disallowed through some other statement or direction, I think it's fair game.

He didn't use some knowledge of internal mechanisms of the game (if his lawyer is to be believed) to exploit it, he noticed that it was incorrectly keeping the payout amount between game types with different payout multipliers, and took advantage of that fact. He learned that it was possible through using their API. In my eyes that's a critical point.


I'm kind of baffled why the feds got involved in the first place.

There's a reason why casinos have a sign on each machine that says MALFUNCTION VOIDS ALL PAYS. Normally they could catch someone taking advantage of the bug and declare the payout invalid. Obviously these payouts all passed any kind of tamper detection tests, so normal casino procedure would be to pay the man barring any other kind of funny business.


Two words: Harry Reid


Eh, that's the same type of argument that could be made for exploiting vulnerable public APIs (pass in some query that isn't sanitized, etc.). I don't know the law surrounding those types of cases, but I would hazard to guess those get prosecuted rather hard.


It's a fine-grained distinction, but I think it applies there as well, to some degree. If exploiting the API requires leveraging knowledge of the underlying systems (buffer exploit, path traversal issue, etc.) that aren't generally discoverable in normal usage, then that may be hacking. If it's a matter of the user discovering through normal use that through a normal set of operations they have access to more of the same resource they already got (more money when they get some on a regular basis, in the article), then I don't think that's hacking, I think that's learning how to use the API you were presented.

Of course, I'm presenting this as what I think should be, not how it is.


Weev was sentenced to 3.5 years for simply downloading AT&T's data that was made available over a public (but obscure) API. So yes, seems like you'll get prosecuted pretty harshly.


That was a privacy violation. PII is a bit of a different fish.


What's even more ironic is that this was a video poker, not a slot.

Why is that different? Unlike a slot where the payout decision is made the moment you pull the handle, a video poker machine has a decision point. Namely, you can choose to hold or discard cards, then draw the remaining cards to determine your win. The outcome of your "slot pull" is based on this play.

In the gaming software world, video poker percentages are determined by what the different hands pay out, given optimal play. There are very few video poker players in the world that never make mistakes and play optimally. The slack comes from drunk tourists that make the wrong decisions and increase the casino's take.

Funny that THOSE mistakes are allowable, isn't it?


    I bet on the Giants -3.5. Oh, the casino has taken advantage of my misunderstanding of -3.5.

False equivalency. This isn't the casino saying 'hey, we don't know what 820-1 means', this is the guy saying to the casino 'hey, you thought that was a 2-1 win but it was really an 820-1 win' when it wasn't.

To fix your analogy, it would be if the Casino had -3.5, but when it came time to collect, they told you it was actually -350. That would also be fraud.


This is another one of those places where analogies hurt more than they help. You can come up with an analogy to mean whatever you want here, so that's not helpful, and it's not like anybody's confused about what happened.

(It's like I was in a car, and I was betting I could make the jump over the bridge, but while I was in midair the police moved the bridge...)


It is the casino's agent saying the payout is 10x what it should be. The user was merely making use of machine functions made available to him.



