Hacking the Casinos foraMillion Bucks

the guys an assignment to develop some software and then accompany it to a trade show at a high-tech conven- tion there, they jumped at the opportunity.<br><br> It would be the first in Vegas for each of them, a chance to see the flashing lights for themselves, all expenses paid; who would turn that down? The separate suites for each in a major hotel meant that Alex 9s wife and Mike 9s girlfriend could be 05_569597 ch01.qxd 1/11/05 9:27 PM Page 1 COPYRIGHTED MATERIAL included in the fun. The two couples, plus Larry and Marco, set off for hot times in Sin City.<br><br> Alex says they didn 9t know much about gambling and didn 9t know what to expect. cYou get off the plane and you see all the old ladies play- ing the slots. It seems funny and ironic, and you soak that in. d After the four had finished doing the trade show, they and the two ladies were sitting around in the casino of their hotel playing slot machines and enjoying free beers when Alex 9s wife offered a challenge: cAren 9t these machines based on computers?<br><br> You guys are into computers, can 9t you do something so we win more? d The guys adjourned to Mike 9s suite and sat around tossing out ques- tions and offering up theories on how the machines might work. Research That was the trigger. The four cgot kinda curious about all that, and we started looking into it when we got back home, d Alex says, warming up to the vivid memories of that creative phase.<br><br> It took only a little while for the research to support what they already suspected. cYeah, they 9re com- puter programs basically. So then we were interested in, was there some way that you could crack these machines? d There were people who had beaten the slot machines by creplacing the firmware d 4getting to the computer chip inside a machine and substi- tuting the programming for a version that would provide much more attractive payoffs than the casino intended.<br><br> Other teams had done that, but it seemed to require conspiring with a casino employee, and not just any employee but one of the slot machine techies. To Alex and his bud- dies, cswapping ROMs would have been like hitting an old lady over the head and taking her purse. d They figured if they were going to try this, it would be as a challenge to their programming skills and their intellects. And besides, they had no advanced talents in social engineering; they were computer guys, lacking any knowledge of how you sidle up to a casino employee and propose that he join you in a little scheme to take some money that doesn 9t belong to you.<br><br> But how would they begin to tackle the problem? Alex explained: We were wondering if we could actually predict something about the sequence of the cards. Or maybe we could find a back door [software code allowing later unauthorized access to the program] that some programmer may have put in for his own benefit.<br><br> All programs are written by programmers, and programmers are The Art of Intrusion 2 05_569597 ch01.qxd 1/11/05 9:27 PM Page 2 mischievous creatures. We thought that somehow we might stumble on a back door, such as pressing some sequence of buttons to change the odds, or a simple programming flaw that we could exploit. Alex read the book The Eudaemonic Pie by Thomas Bass(Penguin, 1992), the story of how a band of computer guys and physicists in the 1980s beat roulette in Las Vegas using their own invention of a cwear- able d computer about the size of a pack of cigarettes to predict the out- come of a roulette play.<br><br> One team member at the table would click buttons to input the speed of the roulette wheel and how the ball was spinning, and the computer would then feed tones by radio to a hearing aid in the ear of another team member, who would interpret the signals and place an appropriate bet. They should have walked away with a ton of money but didn 9t. In Alex 9s view, cTheir scheme clearly had great potential, but it was plagued by cumbersome and unreliable technology.<br><br> Also, there were many participants, so behavior and interpersonal rela- tions were an issue. We were determined not to repeat their mistakes. d Alex figured it should be easier to beat a computer-based game cbecause the computer is completely deterministic d 4the outcome based on by what has gone before, or, to paraphrase an old software engi- neer 9s expression, good data in, good data out. (The original expression looks at this from the negative perspective: cgarbage in, garbage out. d) This looked right up his alley.<br><br> As a youngster, Alex had been a musi- cian, joining a cult band and dreaming of being a rock star, and when that didn 9t work out had drifted into the study of mathematics. He had a tal- ent for math, and though he had never cared much for schooling (and had dropped out of college), he had pursued the subject enough to have a fairly solid level of competence. Deciding that some research was called for, he traveled to Washington, DC, to spend some time in the reading room of the Patent Office.<br><br> cI fig- ured somebody might have been stupid enough to put all the code in the patent d for a video poker machine. And sure enough, he was right. cAt that time, dumping a ream of object code into a patent was a way for a patent filer to protect his invention, since the code certainly contains a very complete description of his invention, but in a form that isn 9t terri- bly user-friendly.<br><br> I got some microfilm with the object code in it and then scanned the pages of hex digits for interesting sections, which had to be disassembled into [a usable form]. d Analyzing the code uncovered a few secrets that the team found intriguing, but they concluded that the only way to make any real progress would be to get their hands on the specific type of machine they wanted to hack so they could look at the code for themselves. Chapter 1Hacking the Casinos for a Million Bucks 3 05_569597 ch01.qxd 1/11/05 9:27 PM Page 3 As a team, the guys were well matched. Mike was a better-than- competent programmer, stronger than the other three on hardware design.<br><br> Marco, another sharp programmer, was an Eastern European immigrant who looked like a teenager. But he was something of a dare- devil, approaching everything with a can-do, smart-ass attitude. Alex excelled at programming and was the one who contributed the knowl- edge of cryptography they would need.<br><br> Larry wasn 9t much of a pro- grammer and because of a motorcycle accident couldn 9t travel much, but was a great organizer who kept the project on track and everybody focused on what needed to be done at each stage. After their initial research, Alex csort of forgot about d the project. Marco, though, was hot for the idea.<br><br> He kept insisting, cIt 9s not that big a deal, there 9s thirteen states where you can legally buy machines. d Finally he talked the others into giving it a try. cWe figured, what the hell. d Each chipped in enough money to bankroll the travel and the cost of a machine. They headed once again for Vegas 4this time at their own expense and with another goal in mind.<br><br> Alex says, cTo buy a slot machine, basically you just had to go in and show ID from a state where these machines are legal to own. With a driver 9s license from a legal state, they pretty much didn 9t ask a lot of questions. d One of the guys had a convenient connection to a Nevada resident. cHe was like somebody 9s girlfriend 9s uncle or something, and he lived in Vegas. d They chose Mike as the one to talk to this man because che has a sales-y kind of manner, a very presentable sort of guy.<br><br> The assumption is that you 9re going to use it for illegal gambling. It 9s like guns, d Alex explained. A lot of the machines get gray-marketed 4sold outside accepted channels 4to places like social clubs.<br><br> Still, he found it surprising that cwe could buy the exact same production units that they use on the casino floor. d Mike paid the man 1,500 bucks for a machine, a Japanese brand. cThen two of us put this damn thing in a car. We drove it home as if we had a baby in the back seat. d Developing the Hack Mike, Alex, and Marco lugged the machine upstairs to the second floor of a house where they had been offered the use of a spare bedroom.<br><br> The thrill of the experience would long be remembered by Alex as one of the most exciting in his life. We open it up, we take out the ROM, we figure out what proces- sor it is. I had made a decision to get this Japanese machine that looked like a knockoff of one of the big brands.<br><br> I just figured the The Art of Intrusion 4 05_569597 ch01.qxd 1/11/05 9:27 PM Page 4 engineers might have been working under more pressure, they might have been a little lazy or a little sloppy. It turned out I was right. They had used a 6809 [chip], similar to a 6502 that you saw in an Apple II or an Atari.<br><br> It was an 8-bit chip with a 64K memory space. I was an assembly language programmer, so this was familiar. The machine Alex had chosen was one that had been around for some 10 years.<br><br> Whenever a casino wants to buy a machine of a new design, the Las Vegas Gaming Commission has to study the programming and make sure it 9s designed so the payouts will be fair to the players. Getting a new design approved can be a lengthy process, so casinos tend to hold on to the older machines longer than you would expect. For the team, an older machine seemed likely to have outdated technology, which they hoped might be less sophisticated and easier to attack.<br><br> The computer code they downloaded from the chip was in binary form, the string of 1 9s and 0 9s that is the most basic level of computer instructions. To translate that into a form they could work with, they would first have to do some reverse engineering 4a process an engineer or programmer uses to figure out how an existing product is designed; in this case it meant converting from machine language to a form that the guys could understand and work with. Alex needed a disassembler to translate the code.<br><br> The foursome didn 9t want to tip their hand by trying to purchase the software 4an act they felt would be equivalent to going into your local library and trying to check out books on how to build a bomb. The guys wrote their own dis- assembler, an effort that Alex describes as cnot a piece of cake, but it was fun and relatively easy. d Once the code from the video poker machine had been run through the new disassembler, the three programmers sat down to pour over it. Ordinarily it 9s easy for an accomplished software engineer to quickly locate the sections of a program he or she wants to focus on.<br><br> That 9s because a person writing code originally puts road signs all through it 4 notes, comments, and remarks explaining the function of each section, something like the way a book may have part titles, chapter titles, and subheadings for sections within a chapter. When a program is compiled into the form that the machine can read, these road signs are ignored 4the computer or microprocessor has no need for them. So code that has been reverse-engineered lacks any of these useful explanations; to keep with the croad signs d metaphor, this recovered code is like a roadmap with no place names, no markings of highways or streets.<br><br> Chapter 1Hacking the Casinos for a Million Bucks 5 05_569597 ch01.qxd 1/11/05 9:27 PM Page 5 They sifted through the pages of code on-screen looking for clues to the basic questions: cWhat 9s the logic? How are the cards shuffled? How are replacement cards picked? d But the main focus for the guys at this juncture was to locate the code for the random number generator (RNG).<br><br> Alex 9s guess that the Japanese programmers who wrote the code for the machine might have taken shortcuts that left errors in the design of the random number generator turned out to be correct; they had. Rewriting the Code Alex sounds proud in describing this effort. cWe were programmers; we were good at what we did.<br><br> We figured out how numbers in the code turn into cards on the machine and then wrote a piece of C code that would do the same thing, d he said, referring to the programming language called cC. d We were motivated and we did a lot of work around the clock. I 9d say it probably took about two or three weeks to get to the point where we really had a good grasp of exactly what was going on in the code. You look at it, you make some guesses, you write some new code, burn it onto the ROM [the computer chip], put it back in the machine, and see what happens.<br><br> We would do things like write routines that would pop hex [hexadecimal] numbers on the screen on top of the cards. So basically get a sort of a design overview of how the code deals the cards. It was a combination of trial and error and top-down analysis; the code pretty quickly started to make sense.<br><br> So we understood everything about exactly how the numbers inside the computer turn into cards on the screen. Our hope was that the random number generator would be rela- tively simple. And in this case in the early 90 9s, it was.<br><br> I did a lit- tle research and found out it was based on something that Donald Knuth had written about in the 60 9s. These guys didn 9t invent any of this stuff; they just took existing research on Monte Carlo methods and things, and put it into their code. We figured out exactly what algorithm they were using to gener- ate the cards; it 9s called a linear feedback shift register, and it was a fairly good random number generator.<br><br> But they soon discovered the random number generator had a fatal flaw that made their task much easier. Mike explained that cit was a relatively The Art of Intrusion 6 05_569597 ch01.qxd 1/11/05 9:27 PM Page 6 simple 32-bit RNG, so the computational complexity of cracking it was within reach, and with a few good optimizations became almost trivial. d So the numbers produced were not truly random. But Alex thinks there 9s a good reason why this has to be so: If it 9s truly random, they can 9t set the odds.<br><br> They can 9t verify what the odds really are. Some machines gave sequential royal flushes. They shouldn 9t happen at all.<br><br> So the designers want to be able to verify that they have the right statistics or they feel like they don 9t have control over the game. Another thing the designers didn 9t realize when they designed this machine is that basically it 9s not just that they need a random number generator. Statistically there 9s ten cards in each deal 4 the five that show initially, and one alternate card for each of those five that will appear if the player chooses to discard.<br><br> It turns out in these early versions of the machine, they basically took those ten cards from ten sequential random numbers in the random number generator. So Alex and his partners understood that the programming instructions on this earlier-generation machine were poorly thought out. And because of these mistakes, they saw that they could write a relatively simple but elegantly clever algorithm to defeat the machine.<br><br> The trick, Alex saw, would be to start a play, see what cards showed up on the machine, and feed data into their own computer back at home identifying those cards. Their algorithm would calculate where the ran- dom generator was, and how many numbers it had to go through before it would be ready to display the sought-after hand, the royal flush. So we 9re at our test machine and we run our little program and it correctly tells us the upcoming sequence of cards.<br><br> We were pretty excited. Alex attributes that excitement to cknowing you 9re smarter than some- body and you can beat them. And that, in our case, it was gonna make us some money. d They went shopping and found a Casio wristwatch with a countdown feature that could be set to tenths of a second; they bought three, one for each of the guys who would be going to the casinos; Larry would be staying behind to man the computer.<br><br> They were ready to start testing their method. One of the team would begin to play and would call out the hand he got 4the denomination and suit of each of the five cards. Larry would enter the data into their Chapter 1Hacking the Casinos for a Million Bucks 7 05_569597 ch01.qxd 1/11/05 9:27 PM Page 7 own computer; though something of an off-brand, it was a type popular with nerds and computer buffs, and great for the purpose because it had a much faster chip than the one in the Japanese video poker machine.<br><br> It took only moments to calculate the exact time to set into one of the Casio countdown timers. When the timer went off, the guy at the slot machine would hit the Play button. But this had to be done accurately to within a fraction of a second.<br><br> Not as much of a problem as it might seem, as Alex explained: Two of us had spent some time as musicians. If you 9re a musician and you have a reasonable sense of rhythm, you can hit a button within plus or minus five milliseconds. If everything worked the way it was supposed to, the machine would display the sought-after royal flush.<br><br> They tried it on their own machine, practicing until all of them could hit the royal flush on a decent percent- age of their tries. Over the previous months, they had, in Mike 9s words, creverse engi- neering the operation of the machine, learned precisely how the random numbers were turned into cards on the screen, precisely when and how fast the RNG iterated, all of the relevant idiosyncrasies of the machine, and developed a program to take all of these variables into consideration so that once we know the state of a particular machine at an exact instant in time, we could predict with high accuracy the exact iteration of the RNG at any time within the next few hours or even days. d They had defeated the machine 4turned it into their slave. They had taken on a hacker 9s intellectual challenge and had succeeded.<br><br> The knowl- edge could make them rich. It was fun to daydream about. Could they really bring it off in the jun- gle of a casino?<br><br> Back to the Casinos 4This Time to Play It 9s one thing to fiddle around on your own machine in a private, safe location. Trying to sit in the middle of a bustling casino and steal their money 4that 9s another story altogether. That takes nerves of steel.<br><br> Their ladies thought the trip was a lark. The guys encouraged tight skirts and flamboyant behavior 4gambling, chatting, giggling, ordering drinks 4hoping the staff in the security booth manning the cEye in the Sky d cameras would be distracted by pretty faces and a show of flesh. cSo we pushed that as much as possible, d Alex remembers.<br><br> The Art of Intrusion 8 05_569597 ch01.qxd 1/11/05 9:27 PM Page 8 The hope was that they could just fit in, blending with the crowd. cMike was the best at it. He was sort of balding.<br><br> He and his wife just looked like typical players. d Alex describes the scene as if it had all happened yesterday. Marco and Mike probably did it a little differently, but this is how it worked for Alex: With his wife Annie, he would first scout a casino and pick out one video poker machine. He needed to know with great precision the exact cycle time of the machine.<br><br> One method they used involved stuffing a video camera into a shoulder bag; at the casino, the player would position the bag so the camera lens was pointing at the screen of the video poker machine, and then he would run the camera for a while. cIt could be tricky, d he remembers, ctrying to hoist the bag into exactly the right position without looking like the position really mattered. You just don 9t want to do anything that looks suspicious and draws attention. d Mike preferred another, less demanding method: cCycle timing for unknown machines out in the field was calculated by reading cards off the screen at two times, many hours apart. d He had to verify that the machine had not been played in between, because that would alter the rate of iteration, but that was easy: just check to see that the cards displayed were the same as when he had last been at the machine, which was usually the case since chigh stakes machines tended to not be played often. d When taking the second reading of cards displayed, he would also syn- chronize his Casio timer, and then phone the machine timing data and card sequences back to Larry, who would enter it into their home-base computer and run the program.<br><br> Based on those data, the computer would predict the time of the next royal flush. cYou hoped it was hours; sometimes it was days, d in which case they 9d have to start all over with another machine, maybe at a different hotel. At this stage, the timing of the Casio might be off as much as a minute or so, but close enough.<br><br> Returning plenty early in case someone was already at the target machine, Alex and Annie would go back to the casino and spend time on other machines until the player left. Then Alex would sit down at the target machine, with Annie at the machine next to him. They 9d started playing, making a point of looking like they were having fun.<br><br> Then, as Alex recalls: I 9d start a play, carefully synchronized to my Casio timer. When the hand came up, I 9d memorize it 4the value and suit of each of the five cards, and then keep playing until I had eight cards in sequence in memory. I 9d nod to my wife that I was on my way and head for an inconspicuous pay phone just off the casino floor.<br><br> I had about eight minutes to get to the phone, do what I had to do, and get back to the machine. My wife kept on playing. Chapter 1Hacking the Casinos for a Million Bucks 9 05_569597 ch01.qxd 1/11/05 9:27 PM Page 9 Anybody who came along to use my machine, she 9d just tell them her husband was sitting there.<br><br> We had figured out a way of making a phone call to Larry 9s beeper, and entering numbers on the telephone keypad to tell him the cards. That was so we didn 9t have to say the cards out loud 4the casino people are always listening for things like that. Larry would again enter the cards into the computer and run our program.<br><br> Then I 9d phone him. Larry would hold the handset up to the com- puter, which would give two sets of little cue tones. On the first one, I 9d hit the Pause button on the timer, to stop it counting down.<br><br> On the second one, I 9d hit Pause again to restart the timer. The cards Alex reported gave the computer an exact fix on where the machine 9s random number generator was. By entering the delay ordered by the computer, Alex was entering a crucial correction to the Casio countdown timer so it would go off at exactly the moment that the royal flush was ready to appear.<br><br> Once that countdown timer was restarted, I went back to the machine. When the timer went like cbeep, beep, boom d 4right then, right on that cboom, d I hit the play button on the machine again. That first time, I think I won $35,000.<br><br> We got up to the point where we had about 30 or 40 percent suc- cess because it was pretty well worked out. The only times it didn 9t work was when you didn 9t get the timing right. For Alex, the first time he won was cpretty exciting, but scary.<br><br> The pit boss was this scowling Italian dude. I was sure he was looking at me funny, with this puzzled expression on his face, maybe because I was going to the phone all the time. I think he may have gone up to look at the tapes. d Despite the tensions, there was ca thrill to it. d Mike remembers being cnaturally nerv- ous that someone might have noticed odd behavior on my part, but in fact no one looked at me funny at all.<br><br> My wife and I were treated just as typical high-stakes winners 4congratulated and offered many comps. d They were so successful that they needed to worry about winning so much money that they would draw attention to themselves. They started to rec- ognize that they faced the curious problem of too much success. cIt was very high profile.<br><br> We were winning huge jackpots in the tens of thousands of dol- lars. A royal flush pays 4,000 to 1; on a $5 machine, that 9s twenty grand. d It goes up from there. Some of the games are a type called progressive 4 the jackpot keeps increasing until somebody hits, and the guys were able to win those just as easily.<br><br> The Art of Intrusion 10 05_569597 ch01.qxd 1/11/05 9:27 PM Page 10 I won one that was 45 grand. A big-belt techie guy came out 4 probably the same guy that goes around and repairs the machines. He has a special key that the floor guys don 9t have.<br><br> He opens up the box, pulls out the [electronics] board, pulls out the ROM chip right there in front of you. He has a ROM reader with him that he uses to test the chip from the machine against some golden mas- ter that 9s kept under lock and key. The ROM test had been standard procedure for years, Alex learned.<br><br> He assumes that they had cbeen burned that way d but eventually caught on to the scheme and put in the ROM-checking as a countermeasure. Alex 9s statement left me wondering if the casinos do this check because of some guys I met in prison who did actually replace the firmware. I wondered how they could do that quickly enough to avoid being caught.<br><br> Alex figured this was a social engineering approach, that they had com- promised the security and paid off somebody inside the casino. He con- jectures that they might even have replaced the gold master that they 9re supposed to compare the machine 9s chip against. The beauty of his team 9s hack, Alex insisted, was that they didn 9t have to change the firmware.<br><br> And they thought their own approach offered much more of a challenge. The team couldn 9t keep winning as big as they were; the guys figured cit was clear that somebody would put two and two together and say, 8I 9ve seen this guy before. 9 We started to get scared that we were gonna get caught. d Beside the ever-present worries about getting caught, they were also concerned about the tax issue; for any win over $1,200, the casino asks for identification and reports the payout to the IRS. Mike says that cIf the player doesn 9t produce ID, we assumed that taxes would be withheld from the payout, but we didn 9t want to draw attention to ourselves by finding out. d Paying the taxes was cnot a big issue, d but cit starts to cre- ate a record that, like, you 9re winning insane amounts of money.<br><br> So a lot of the logistics were about, 8How do we stay under the radar? 9 d They needed to come up with a different approach. After a short time of cE.T. phone home, d they started to conceive a new idea.<br><br> New Approach The guys had two goals this time around: Develop a method that would let them win on hands like a full house, straight, or flush, so the payouts wouldn 9t be humongous enough to attract attention. And make it some- how less obvious and less annoying than having to run to the telephone before every play. Chapter 1Hacking the Casinos for a Million Bucks 11 05_569597 ch01.qxd 1/11/05 9:27 PM Page 11 Because the casinos offered only a limited number of the Japanese machines, the guys this time settled on a machine in wider use, a type manufactured by an American company.<br><br> They took it apart the same way and discovered that the random number generation process was much more complex: The machine used two generators operating in combina- tion, instead of just one. cThe programmers were much more aware of the possibilities of hacking, d Alex concluded. But once again the four discovered that the designers had made a cru- cial mistake.<br><br> cThey had apparently read a paper that said you improve the quality of randomness if you add a second register, but they did it wrong. d To determine any one card, a number from the first random number generator was being added to a number from the second. The proper way to design this calls for the second generator to iterate 4that is, change its value 4after each card is dealt. The design- ers hadn 9t done that; they had programmed the second register to iterate only at the beginning of each hand, so that the same number was being added to the result from the first register for each card of the deal.<br><br> To Alex, the use of two registers made the challenge ca cryptology thing d; he recognized that it was similar to a step sometimes used in encrypting messages. Though he had acquired some knowledge of the subject, it wasn 9t enough to see his way to a solution, so he started mak- ing trips to a nearby university library to study up. If the designers had read some of the books on cryptosystems more carefully, they wouldn 9t have made this mistake.<br><br> Also, they should have been more methodical about testing the systems for cracking the way we were cracking them. Any good college computer science major could probably write code to do what we were trying to do once he understands what 9s required. The geekiest part of it was figuring out algorithms to do the search quickly so that it would only take a few seconds to tell you what 9s going on; if you did it naively, it could take a few hours to give you a solution.<br><br> We 9re pretty good programmers, we all still make our living doing that, so we came up with some very clever optimizations. But I wouldn 9t say it was trivial. I remember a similar mistake made by a programmer at Norton (before Symantec bought them) that worked on their Diskreet product, an appli- cation that allowed a user to create encrypted virtual drives.<br><br> The developer implemented the algorithm incorrectly 4or perhaps intentionally 4in a way that resulted in reducing the space for the encryption key from 56 The Art of Intrusion 12 05_569597 ch01.qxd 1/11/05 9:27 PM Page 12 bits to 30. The federal government 9s data encryption standard used a 56-bit key, which was considered unbreakable, and Norton gave its cus- tomers the sense that their data was protected to this standard. Because of the programmer 9s error, the user 9s data was in effect being encrypted with only 30 bits instead of 56.<br><br> Even in those days, it was possible to brute-force a 30-bit key. Any person using this product labored under a false sense of security: An attacker could derive his or her key in a rea- sonable period and gain access to the user 9s data. The team had discov- ered the same kind of error in the programming of the machine.<br><br> At the same time the boys were working on a computer program that would let them win against their new target machine, they were pressing Alex for a no-more-running-to-the-payphone approach. The answer turned out to be based on taking a page from the Eudaemonic Pie solu- tion: a cwearable d computer. Alex devised a system made up of a minia- turized computer built around a small microprocessor board Mike and Marco found in a catalog 4and, to go along with it, a control button that fit in the shoe, plus a silent vibrator like the ones common in many of today 9s cell phones.<br><br> They referred to the system as their ccomputer- in-the-pocket thing. d cWe had to be a little clever about doing it on a small chip with a small memory, d Alex said. cWe did some nice hardware to make it all fit in the shoe and be ergonomic. d (By cergonomic d in this context, I think he meant small enough so you could walk without limping!) The New Attack The team began trying out the new scheme, and it was a bit nerve- wracking. Sure, they could now dispense with the suspicious behavior of running to a pay phone before every win.<br><br> But even with all the dress rehearsal practice back at their coffice, d opening night meant performing in front of a sizeable audience of always-suspicious security people. This time the program was designed so they could sit at one machine longer, winning a series of smaller, less suspicious amounts. Alex and Mike recapture some of tension when they describe how it worked: Alex: I usually put the computer in what looked like a little tran- sistor radio in my pocket.<br><br> We would run a wire from the computer down inside the sock into this switch in the shoe. Mike: I strapped mine to my ankle. We made the switches from little pieces of breadboard [material used in a hardware lab for constructing mock-ups of electronic circuits].<br><br> The pieces were about one inch square, with a miniature button. And we sewed on a little bit of elastic to go around the big toe. Then you 9d cut a Chapter 1Hacking the Casinos for a Million Bucks 13 05_569597 ch01.qxd 1/11/05 9:27 PM Page 13 hole in a Dr.<br><br> Scholl 9s insole to keep it in place in your shoe. It was only uncomfortable if you were using it all day; then it could get excruciating. Alex: So you go into the casino, you try to look calm, act like there 9s nothing, no wires in your pants.<br><br> You go up, you start play- ing. We had a code, a kind of Morse Code thingy. You put in money to run up a credit so you don 9t have to keep feeding coins, and then start to play.<br><br> When cards come up, you click the shoe button to input what cards are showing. The signal from the shoe button goes into the computer that 9s in my pants pocket. Usually in the early machines it took seven or eight cards to get into sync.<br><br> You get five cards on the deal, you might draw three more would be a very common thing, like hold the pair, draw the other three, that 9s eight cards. Mike: The code for tapping on the shoe-button was binary, and it also used a compression technique something like what 9s called a Huffman code. So long-short would be one-zero, a binary two.<br><br> Long-long would be one-one, a binary three, and so on. No card required more than three taps. Alex: If you held the button down for three seconds, that was a cancel.<br><br> And [the computer] would give you little prompts 4like dup-dup-dup would mean, cOkay, I 9m ready for input. d We had practiced this 4you had to concentrate and learn how to do it. After a while we could tap, tap while carrying on a conversation with a casino attendant. Once I had tapped in the code to identify about eight cards, that would be enough for me to sync with about 99 percent assurance.<br><br> So after anywhere from a few seconds to a minute or so, the com- puter would buzz three times. I 9d be ready for the action. At this point, the computer-in-the-pocket had found the place in the algorithm that represented the cards just dealt.<br><br> Since its algorithm was the same as the one in the video poker machine, for each new hand dealt, the computer would cknow d what five additional cards were in waiting once the player selected his discards and would signal which cards to hold to get a winning hand. Alex continued: The computer tells you what to do by sending signals to a vibra- tor in your pocket; we got the vibrators free by pulling them out of old pagers. If the computer wants you to hold the third and the The Art of Intrusion 14 05_569597 ch01.qxd 1/11/05 9:27 PM Page 14 fifth card, it will go beep, beep, beeeeep, beep, beeeeep, which you feel as vibrations in your pocket.<br><br> We computed that if we played carefully, we had between 20 and 40 percent vigorish, meaning a 40 percent advantage on every hand. That 9s humongous 4the best blackjack players in the world come in at about 2-1/2 percent. If you 9re sitting at a $5 machine pumping in five coins at a time, twice a minute, you can be making $25 a minute.<br><br> In half an hour, you could easily make $1,000 bucks. People sit down and get lucky like that every day. Maybe 5 percent of the people that sit down and play for half an hour might do that well.<br><br> But they don 9t do it every time. We were making that 5 percent every single time. Whenever one of them had won big in one casino, he 9d move on to another.<br><br> Each guy would typically hit four or five in a row. When they went back to the same casino on another trip a month later, they 9d make a point of going at a different time of day, to hit a different shift of the work crew, people less likely to recognize them. They also began hitting casinos in other cities 4Reno, Atlantic City, and elsewhere.<br><br> The trips, the play, the winning gradually became routine. But on one occasion, Mike thought the moment they all dreaded had come. He had just cgone up a notch d and was playing the $25 machines for the first time, which added to the tension because the higher the value of the machines, the closer they 9re watched.<br><br> I was a bit anxious but things were going better than I antici- pated. I won about $5,000 in a relatively short amount of time. Then this large, imposing employee taps me on the shoulder.<br><br> I looked up at him feeling something queasy in the pit of my stom- ach. I thought, cThis is it. d cI notice you been playing quite a bit, d he said. cWould you like pink or green? d If it had been me, I would have been wondering, cWhat are those 4 my choices of the color I 9ll be after they finish beating me to a pulp? d I think I might have left all my money and tried to dash out of the place.<br><br> Mike says he was seasoned enough by that point to remain calm. The man said, cWe want to give you a complimentary coffee mug. d Mike chose the green. Chapter 1Hacking the Casinos for a Million Bucks 15 05_569597 ch01.qxd 1/11/05 9:27 PM Page 15 Marco had his own tense moment.<br><br> He was waiting for a winning hand when a pit boss he hadn 9t noticed stepped up to his shoulder. cYou dou- bled up to five thousand dollars 4that 9s some luck, d he said, surprised. An old woman at the next machine piped up in a smoker 9s raspy sandpa- per voice, cIt ...<br><br> wasn 9t ... luck. d The pit boss stiffened, his suspicions aroused. cIt was balls, d she cawed.<br><br> The pit boss smiled and walked away. Over a period of about three years, the guys alternated between taking legitimate consulting jobs to keep up their skills and contacts, and skip- ping out now and then to line their pockets at the video poker machines. They also bought two additional machines, including the most widely used video poker model, and continued to update their software.<br><br> On their trips, the three team members who traveled would head out to different casinos, cnot all go as a pack, d Alex said. cWe did that once or twice, but it was stupid. d Though they had an agreement to let each other know what they were up to, occasionally one would slip away to one of the gambling cities without telling the others. But they confined their play to casinos, never playing in places like 7-Elevens or supermar- kets because cthey tend to have very low payouts. d Caught!<br><br> Alex and Mike both tried to be disciplined about adhering to ccertain rules that we knew were going to reduce the probability of getting noticed. One of them was to never hit a place for too much money, never hit it for too much time, never hit it too many days in a row. d But Mike took the sense of discipline even more seriously and felt the other two weren 9t being careful enough. He accepted winning a little less per hour but looking more like another typical player.<br><br> If he got two aces on the deal and the computer told him to discard one or both of the aces for an even better hand 4say, three jacks 4he wouldn 9t do it. All casi- nos maintain cEye in the Sky d watchers in a security booth above the casino floor, manning an array of security cameras that can be turned, focused and zoomed, searching for cheaters, crooked employees, and others bent by the temptation of all that money. If one of the watchers happened to be peeking at his or her machine for some reason, the watcher would immediately know something was fishy, since no reason- able player would give up a pair of aces.<br><br> Nobody who wasn 9t cheating somehow could know a better hand was waiting. Alex wasn 9t quite so fastidious. Marco was even less so.<br><br> cMarco was a bit cocky, d in Alex 9s opinion: He 9s a very smart guy, self taught, never finished high school, but one of these brilliant Eastern European type of guys. And flamboyant. The Art of Intrusion 16 05_569597 ch01.qxd 1/11/05 9:27 PM Page 16 He knew everything about computers but he had it in his head that the casinos were stupid.<br><br> It was easy to think that because these people were letting us get away with so much. But even so, I think he got over-confident. He was more of a daredevil, and also didn 9t fit the profile because he just looked like this teenage foreigner.<br><br> So I think he tended to arouse suspicion. And he didn 9t go with a girlfriend or wife, which would have helped him fit in better. I think he just ended up doing things that brought attention onto him.<br><br> But also, as time went on and we all got bolder, we evolved and tended to go to the more expensive machines that paid off bet- ter and that again put more risks into the operation. Though Mike disagrees, Alex seemed to be suggesting that they were all three risk takers who would keep pushing the edge of the window to see how far they could go. As he put it, cI think basically you just keep upping the risk. d The day came when one minute Marco was sitting at a machine in a casino, the next minute he was surrounded by burly security people who pulled him up and pushed him into an interviewing room in the back.<br><br> Alex recounted the scene: It was scary because you hear stories about these guys that will beat the shit out of people. These guys are famous for, cF__k the police, we 9re gonna take care of this ourself. d Marco was stressed but he was a very tough character. In fact, in some ways I 9m glad that he was the one that did get caught if any of us were going to because I think he was the most equipped to handle that situation.<br><br> For all I know he had handled things like back in Eastern Europe. He exhibited some loyalty and did not give us up. He didn 9t talk about any partners or anything like that.<br><br> He was nervous and upset but he was tough under fire and basically said he was work- ing alone. He said, cLook, am I under arrest, are you guys police, what 9s the deal? d It 9s a law enforcement type of interrogation except that they 9re not police and don 9t have any real authority, which is kind of weird. They kept on questioning him, but they didn 9t exactly manhandle him.<br><br> Chapter 1Hacking the Casinos for a Million Bucks 17 05_569597 ch01.qxd 1/11/05 9:27 PM Page 17 They took his cmug shot, d Alex says, and they confiscated the com- puter and all the money he had on him, about $7,000 in cash. After per- haps an hour of questioning, or maybe a lot longer 4he was too upset to be sure 4they finally let him go. Marco called his partners en route home.<br><br> He sounded frantic. He said, cI want to tell you guys what happened. I sort of screwed up. d Mike headed straight for their headquarters.<br><br> cAlex and I were freaked when we heard what happened. I started tearing the machines apart and dumping pieces all over the city. d Alex and Mike were both unhappy with Marco for one of the unneces- sary risks he ran. He wouldn 9t put the button in his shoe like the other two, stubbornly insisting on carrying the device in his jacket pocket and triggering it with his hand.<br><br> Alex described Marco as a guy who cthought the security people were so dumb that he could keep pushing the enve- lope with how much he was doing right under their noses. d Alex is convinced he knows what happened, even though he wasn 9t present. (In fact, the other three didn 9t know Marco had gone on a casino trip despite the agreement to clue each other in on their plans.) The way Alex figures, cThey just saw that he was winning a ridiculous amount and that there was something going on with his hand. d Marco simply wasn 9t bothering to think about what could cause the floor peo- ple to notice him and wonder. That was the end of it for Alex, though he 9s not entirely sure about the others.<br><br> cOur decision at the beginning was that if any of us was ever caught, we would all stop. d He said, cWe all adhered to that as far as I know. d And after a moment, he added with less certainty, cAt least I did. d Mike concurs, but neither of them has ever asked Marco the ques- tion directly. The casinos don 9t generally prosecute attacks like the one that the guys had pulled. cThe reason is they don 9t want to publicize that they have these vulnerabilities, d Alex explains.<br><br> So it 9s usually, cGet out of town before sundown. And if you agree never to set foot in a casino again, then we 9ll let you go. d Aftermath About six months later, Marco received a letter saying that charges against him were not being pressed. The four are still friends, though they aren 9t as close these days.<br><br> Alex figures he made $300,000 from the adventure, part of which went to Larry as they had agreed. The three casino-going partners, who took all The Art of Intrusion 18 05_569597 ch01.qxd 1/11/05 9:27 PM Page 18 the risk, had initially said they would split equally with each other, but Alex thinks Mike and Marco probably took $400,000 to half a million each. Mike wouldn 9t acknowledge walking away with any more than $300,000 but admits that Alex probably got less than he did.<br><br> They had had a run of about three years. Despite the money, Alex was glad it was over: cIn a sense, I was relieved. The fun had worn off.<br><br> It had become sort of a job. A risky job. d Mike, too, wasn 9t sorry to see it end, lightly complaining that cit got kind of grueling. d Both of them had been reluctant at first about telling their story but then took to the task with relish. And why not 4in the 10 or so years since it happened, none of the four has ever before shared even a whis- per of the events with anyone except the wives and the girlfriend who were part of it.<br><br> Telling it for the first time, protected by the agreement of absolute anonymity, seemed to come as a relief. They obviously enjoyed reliving the details, with Mike admitting that it had been cone of the most exciting things I 9ve ever done. d Alex probably speaks for them all when he expresses his attitude toward their escapade: I don 9t feel that bad about the money we won. It 9s a drop in the bucket for that industry.<br><br> I have to be honest: we never felt morally compromised, because these are the casinos. It was easy to rationalize. We were stealing from the casinos that steal from old ladies by offering games they can 9t win.<br><br> Vegas felt like people plugged into money-sucking machines, dripping their life away quarter by quarter. So we felt like we were getting back at Big Brother, not ripping off some poor old lady 9s jackpot. They put a game out there that says, cIf you pick the right cards, you win. d We picked the right cards.<br><br> They just didn 9t expect any- body to be able to do it. He wouldn 9t try something like this again today, Alex says. But his rea- son may not be what you expect: cI have other ways of making money.<br><br> If I were financially in the same position I was in then, I probably would try it again. d He sees what they did as quite justified. In this cat-and-mouse game, the cat continually learns the mouse 9s new tricks and takes appropriate measures. The slot machines these days use software of much better design; the guys aren 9t sure they would be suc- cessful if they did try to take another crack at it.<br><br> Still, there will never be a perfect solution to any techno-security issue. Alex puts the issue very well: cEvery time some [developer] says, Chapter 1Hacking the Casinos for a Million Bucks 19 05_569597 ch01.qxd 1/11/05 9:27 PM Page 19 8Nobody will go to the trouble of doing that, 9 there 9s some kid in Finland who will go to the trouble. d And not just in Finland but in America, as well. I NSIGHT In the 1990s, the casinos and the designers of gambling machines hadn 9t yet figured out some things that later became obvious.<br><br> A pseudo random number generator doesn 9t actually generate random numbers. Instead, it in effect warehouses a list of numbers in a random order. In this case, a very long list: 2 to the 32nd power, or over four billion numbers.<br><br> At the start of a cycle, the software randomly selects a place in the list. But after that, until it starts a new cycle of play, it uses the ensuing numbers from the list one after the other. By reverse-engineering the software, the guys had obtained the list.<br><br> From any known point in the crandom d list, they could determine every subsequent number in the list, and with the additional knowledge about the iteration rate of a particular machine, they could determine how long in minutes and seconds before the machine would display a royal flush. C OUNTERMEASURES Manufacturers of every product that uses ROM chips and software should anticipate security problems. And for every company that uses software and computer-based products 4which these days means pretty nearly every company down to one-person shops 4it 9s dangerous to assume that the people who build your systems have thought about all the vulnerabilities.<br><br> The programmers of the software in the Japanese slot machine had made a mistake in not thinking far enough ahead about what kinds of attacks might be made. They hadn 9t taken any security measures to protect people from getting at the firmware. They should have foreseen somebody gaining access to a machine, removing the ROM chip, reading the firmware, and recovering the program instruc- tions that tell the machine how to work.<br><br> Even if they considered that pos- sibility, they probably assumed that knowing precisely how the machine worked wouldn 9t be enough, figuring that the computational complexity of cracking the random number generator would defeat any attempt 4 which may well be true today but was not at the time. So your company markets hardware products that contain computer chips; what should you be doing to provide adequate protection against The Art of Intrusion 20 05_569597 ch01.qxd 1/11/05 9:27 PM Page 20 the competitor who wants a look at your software, the foreign company that wants to do a cheap knockoff, or the hacker who wants to cheat you? The first step: Make it difficult to gain access to the firmware.<br><br> Several approaches are available, including: Ï Purchase chips of a type designed to be secure against attack. Several companies market chips specifically designed for situ- ations where the possibility of attack is high. Ï Use chip on-board packaging 4a design in which the chip is embedded into the circuit board and cannot be removed as a separate element.<br><br> Ï Seal the chip to the board with epoxy, so that if an attempt is made to remove it, the chip will break. An improvement on this technique calls for putting aluminum powder in the epoxy; if an attacker attempts to remove the chip by heating the epoxy, the aluminum destroys the chip. Ï Use a ball grid array (BGA) design.<br><br> In this arrangement, the connectors do not come out from the sides of the chip but instead are beneath the chip, making it difficult if not impos- sible to capture signal flow from the chip while it is in place on the board. Another available countermeasure calls for scratching any identifying information off the chip, so an attacker will be deprived of information about the manufacturer and type of chip. A fairly common practice, one used by the machine manufacturers in this story, calls for the use of checksumming ( hashing ) 4including a checksum routine in the software.<br><br> If the program has been altered, the checksum will not be correct and the software will not operate the device. However, knowledgeable hackers familiar with this approach simply check the software to see whether a checksum routine has been included, and if they find one, disable it. So one or more of the methods that pro- tect the chip physically is a much better plan.<br><br> T HE B OTTOM L INE If your firmware is proprietary and valuable, consult the best security sources to find out what techniques hackers are currently using. Keep your designers and programmers up-to-date with the latest information. And be sure they are taking all appropriate steps to achieve the highest level of security commensurate with cost.<br><br> Chapter 1Hacking the Casinos for a Million Bucks 21 05_569597 ch01.qxd 1/11/05 9:27 PM Page 21 05_569597 ch01.qxd 1/11/05 9:27 PM Page 22

less