On Monday, July 6, 2009, a video poker was the center of attention. Two engineers from Nevada’s Gaming Control Board showed up at the Silverton Casino Lodge. The off-the-strip South Las Vegas casino is best known for its mermaid aquarium, but the GCB geek squad wasn’t there to see swimmers in bikini tops and zip-on fish tails. They’d come to examine machine 50102, a Game King video poker unit on the casino floor that had been waiting for them, taped off like a crime scene, all weekend.
Manufactured by International Game Technology – a gambling leviathan that boasts $2 billion in revenue a year — the Game King is the ubiquitous workhorse of casino gambling, built to draw and keep gamblers who enjoy the fast pace and anonymity of machine play. Players can select from three cash levels and nearly three dozen different game variations, like Deuces Wild, Jacks or Better, Double Double Bonus and One-Eyes Jacks. A Vegas local named John Kane had been the final player at machine 50102, and he’d opted for Triple Play Triple Double Bonus Poker, winning three hands at once at the maximum $10 denomination. His last game was still on the screen: three aces, four aces, three aces again. At payout odds of 820-to-1 he’d scored an $8,200 bonanza.
But the casino had been suspicious, and Kane didn’t collect the last win. For one thing, Kane, now 54, had enjoyed a lot of big payouts that day: in about an hour he’d scored five jackpots large enough to require a hand pay and IRS paperwork. The GCB engineers yanked the machine’s logic tray and EEPROM and took them back to the lab. There they discovered the secret behind Kane’s lucky streak: he was exploiting a previously-unknown firmware bug present in the Game King and nine other IGT machines – one that had been hidden for seven years.
Now Kane and the bug he exploited are at the center of a high-stakes legal battle before a federal judge in Las Vegas. The question: was it a criminal violation of federal anti-hacking law for Kane and a friend to knowingly take advantage of the glitch to the tune of at least half-a-million dollars? Prosecutors say it was. But in a win for the defense, a federal magistrate found last fall that the Computer Fraud and Abuse act doesn’t apply, and recommended the hacking charge be dismissed. The issue is now being argued in front of U.S. District Court Judge Miranda Du, who’s likely to rule this month.
It’s the latest test of the Computer Fraud and Abuse Act, a 1986 law originally intended to punish hackers who remotely crack defense or banking computers over their 300 baud modems. Changes in technology and a string of amendments have pushed the law into a murky zone where prosecutors have charged people for violating website terms-of-service or an employer’s computer use policies. After the January suicide of Aaron Swartz, who’d been charged under the CFAA and other laws, Representative Zoe Lofgren (D-CA) drafted “Aaron’s Law” to reform the act. But that bill hasn’t been introduced. In the meantime, Andrew “Weev” Auernheimer was sentenced last March to three-and-a-half years in prison under the CFAA for running a script that downloaded 120,000 customer e-mail addresses that AT&T exposed on their iPad support website.
In the Game King case, the arguments are largely focused on whether Kane and his co-defendant, Andre Nestor, exceeded their legal access to video poker machines by exploiting the bug. Kane’s attorney, Andrew Leavitt, says Kane played by the rules imposed by the machine, and that’s all that matters.
“What you see in most gambling cheating cases is the guy’s got a magnet in his boot or he’s shocking the machine with static electricity.” says Leavitt, a veteran Vegas defense attorney. “All these guys did is simply push a sequence of buttons that they were legally entitled to push.”