Federal prosecutors charged a man who stumbled over a 7-year-old software flaw in the Game King video poker machines with a federal hacking crime, after he used the discovery to win thousands of dollars.
This amazing Nevada gaming story is a great read. It raises lots of questions, given Nevada’s disposition toward cheaters, and the state’s advanced gaming regulatory scheme.
CFAA is a difficult charge. Federal District Court Judge Miranda Du ordered both attorneys to produce briefings on whether the video poker machines are “protected” under the act. The briefs were due and late April and Judge Du may rule soon.
In his motion to dismiss, Defense Attorney Andrew Leavitt argued, among other things, that video poker machines don’t meet even the most basic requirement of connecting to the internet.
He also argued that applying federal CFAA interferes with the state’s right to regulate gaming. On that point he has an ally in attorney and computer crime scholar Orrin Kerr. Kerr wrote about using the CFAA to “federalize” state crimes, citing the case against a man who used the same video poker flaw to win money in Pennsylvania.
Also interesting to read: the Gaming Control Board report attached to Leavitt’s motion outlines the investigation at the Silverton Casino, where the exploit was discovered.
UPDATE: Wired reports:
“…Las Vegas [Federal] prosecutors targeting two men who took advantage of a software bug to win a small fortune at video poker have dropped all hacking charges from the case, cashing out an 18-month legal battle over the applicability of the 1986 Computer Fraud and Abuse Act.
The United States of America, by and through the undersigned attorneys, hereby moves this Court to dismiss Counts 2 and 3 of the Indictment,” wrote(.pdf) Assistant U.S. Attorney Michael Chu yesterday, in a terse motion immediately granted by U.S. District Judge Miranda Du….The dismissal leaves John Kane, 54, and Andre Nestor, 41, facing a single remaining charge of conspiracy to commit wire fraud — another federal law that generally criminalizes fraudulent schemes that use wire communications. Trial is set for August 20.”
by Ira Victor, G2700, GCFA, GPCI, GSEC, ISACA CGEIT CRISC. Ira Victor is a digital forensics and data security analyst. He is a contributor to HabeasHardDrive.com, The SANS Computer Forensics Blog, and CyberJungle Radio. He holds US patents in email security and authentication. He President of Sierra-Nevada InfraGard, and a member of The High Tech Crime Investigation Association (HTCIA). Follow Ira’s security and forensics tweets: @ira_victor.