The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers

Authors: Kevin D. Mitnick, William L. Simon

Chapter 1 Hacking the Casinos for a Million Bucks

a fairly good random number generator.

But they soon discovered the random number generator had a fatal flaw that made their task much easier. Mike explained that "it was a relatively simple 32-bit RNG, so the computational complexity of cracking it was within reach, and with a few good optimizations became almost trivial."

So the numbers produced were not truly random. But Alex thinks there's a good reason why this has to be so:

If it's truly random, they can't set the odds. They can't verify what the odds really are. Some machines gave sequential royal flushes. They shouldn't happen at all. So the designers want to be able to verify that they have the right statistics or they feel like they don't have control over the game.

Another thing the designers didn't realize when they designed this machine is that basically it's not just that they need a random number generator. Statistically there's ten cards in each deal -- the five that show initially, and one alternate card for each of those five that will appear if the player chooses to discard. It turns out in these early versions of the machine, they basically took those ten cards from ten sequential random numbers in the random number generator.

So Alex and his partners understood that the programming instructions on this earlier-generation machine were poorly thought out. And because of these mistakes, they saw that they could write a relatively simple but elegantly clever algorithm to defeat the machine.

The trick, Alex saw, would be to start a play, see what cards showed up on the machine, and feed data into their own computer back at home identifying those cards. Their algorithm would calculate where the random generator was, and how many numbers it had to go through before it would be ready to display the sought-after hand, the royal flush.

So we're at our test machine and we run our little program and it correctly tells us the upcoming sequence of cards. We were pretty excited.

Alex attributes that excitement to "knowing you're smarter than somebody and you can beat them. And that, in our case, it was gonna make us some money."

They went shopping and found a Casio wristwatch with a countdown feature that could be set to tenths of a second; they bought three, one for each of the guys who would be going to the casinos; Larry would be staying behind to man the computer.

They were ready to start testing their method. One of the team would begin to play and would call out the hand he got -- the denomination and suit of each of the five cards. Larry would enter the data into their own computer; though something of an off-brand, it was a type popular with nerds and computer buffs, and great for the purpose because it had a much faster chip than the one in the Japanese video poker machine. It took only moments to calculate the exact time to set into one of the Casio countdown timers.

When the timer went off, the guy at the slot machine would hit the Play button. But this had to be done accurately to within a fraction of a second. Not as much of a problem as it might seem, as Alex explained:

Two of us had spent some time as musicians. If you're a musician and you have a reasonable sense of rhythm, you can hit a button within plus or minus five milliseconds.

If everything worked the way it was supposed to, the machine would display the sought-after royal flush. They tried it on their own machine, practicing until all of them could hit the royal flush on a decent percentage of their tries.

Over the previous months, they had, in Mike's words, "reverse engineered the operation of the machine, learned precisely how the random numbers were turned into cards on the screen, precisely when and how fast the RNG iterated, all of the relevant idiosyncrasies of the machine, and developed a program to take all of these variables into consideration so that once we know the state of a particular machine at an exact instant in time, we could predict with high accuracy the exact iteration of the RNG at any time within the next few hours or even days."

They had defeated the machine -- turned it into their slave. They had taken on a hacker's intellectual challenge and had succeeded. The knowledge could make them rich.

It was fun to daydream about. Could they really bring it off in the jungle of a casino?

Back to the Casinos -- This Time to Play

It's one thing to fiddle around on your own machine in a private, safe location. Trying to sit in the middle of a bustling casino and steal their money -- that's another story altogether. That takes nerves of steel.

Their ladies thought the trip was a lark. The guys encouraged tight skirts and flamboyant behavior -- gambling, chatting, giggling, ordering drinks -- hoping the staff in the security booth manning the "Eye in the Sky" cameras would be distracted by pretty faces and a show of flesh. "So we pushed that as much as possible," Alex remembers.

The hope was that they could just fit in, blending with the crowd. "Mike was the best at it. He was sort of balding. He and his wife just looked like typical players."

Alex describes the scene as if it had all happened yesterday. Marco and Mike probably did it a little differently, but this is how it worked for Alex: With his wife Annie, he would first scout a casino and pick out one video poker machine. He needed to know with great precision the exact cycle time of the machine. One method they used involved stuffing a video camera into a shoulder bag; at the casino, the player would position the bag so the camera lens was pointing at the screen of the video poker machine, and then he would run the camera for a while. "It could be tricky," he remembers, "trying to hoist the bag into exactly the right position without looking like the position really mattered. You just don't want to do anything that looks suspicious and draws attention." Mike preferred another, less demanding method: "Cycle timing for unknown machines out in the field was calculated by reading cards off the screen at two times, many hours apart." He had to verify that the machine had not been played in between, because that would alter the rate of iteration, but that was easy: just check to see that the cards displayed were the same as when he had last been at the machine, which was usually the case since "high stakes machines tended to not be played often."

When taking the second reading of cards displayed, he would also synchronize his Casio timer, and then phone the machine timing data and card sequences back to Larry, who would enter it into their home-base computer and run the program. Based on those data, the computer would predict the time of the next royal flush. "You hoped it was hours; sometimes it was days," in which case they'd have to start all over with another machine, maybe at a different hotel. At this stage, the timing of the Casio might be off as much as a minute or so, but close enough.

Returning plenty early in case someone was already at the target machine, Alex and Annie would go back to the casino and spend time on other machines until the player left. Then Alex would sit down at the target machine, with Annie at the machine next to him. They'd start playing, making a point of looking like they were having fun. Then, as Alex recalls:

I'd start a play, carefully synchronized to my Casio timer. When the hand came up, I'd memorize it -- the value and suit of each of the five cards, and then keep playing until I had eight cards in sequence in memory. I'd nod to my wife that I was on my way and head for an inconspicuous pay phone just off the casino floor. I had about eight minutes to get to the phone, do what I had to do, and get back to the machine. My wife kept on playing. Anybody who came along to use my machine, she'd just tell them her husband was sitting there.

We had figured out a way of making a phone call to Larry's beeper, and entering numbers on the telephone keypad to tell him the cards. That was so we didn't have to say the cards out loud -- the casino people are always listening for things like that. Larry would again enter the cards into the computer and run our program.

Then I'd phone him. Larry would hold the handset up to the computer, which would give two sets of little cue tones. On the first one, I'd hit the Pause button on the timer, to stop it counting down. On the second one, I'd hit Pause again to restart the timer.

The cards Alex reported gave the computer an exact fix on where the machine's random number generator was. By entering the delay ordered by the computer, Alex was entering a crucial correction to the Casio countdown timer so it would go off at exactly the moment that the royal flush was ready to appear.

Once that countdown timer was restarted, I went back to the machine. When the timer went like "beep, beep, boom" -- right then, right on that "boom," I hit the play button on the machine again.

That first time, I think I won $35,000.

We got up to the point where we had about 30 or 40 percent success because it was pretty well worked out. The only times it didn't work was when you didn't get the timing right.

For Alex, the first time he won was "pretty exciting, but scary. The pit boss was this scowling Italian dude. I was sure he was looking at me funny, with this puzzled expression on his face, maybe because I was going to the phone all the time. I think he may have gone up to look at the tapes." Despite the tensions, there was "a thrill to it." Mike remembers being "naturally nervous that someone might have noticed odd behavior on my part, but in fact no one looked at me funny at all. My wife and I were treated just as typical high-stakes winners -- congratulated and offered many comps."

They were so successful that they needed to worry about winning so much money that they would draw attention to themselves. They started to recognize that they faced the curious problem of too much success. "It was very high profile. We were winning huge jackpots in the tens of thousands of dollars. A royal flush pays 4,000 to 1; on a $5 machine, that's twenty grand."

It goes up from there. Some of the games are a type called progressive -- the jackpot keeps increasing until somebody hits, and the guys were able to win those just as easily.

I won one that was 45 grand. A big-belt techie guy came out -- probably the same guy that goes around and repairs the machines. He has a special key that the floor guys don't have. He opens up the box, pulls out the [electronics] board, pulls out the ROM chip right there in front of you. He has a ROM reader with him that he uses to test the chip from the machine against some golden master that's kept under lock and key.

The ROM test had been standard procedure for years, Alex learned. He assumes the casinos had "been burned that way" at some point, caught on to the scheme, and put in the ROM check as a countermeasure.

Alex's statement left me wondering if the casinos do this check because of some guys I met in prison who did actually replace the firmware. I wondered how they could do that quickly enough to avoid being caught. Alex figured this was a social engineering approach, that they had compromised the security and paid off somebody inside the casino. He conjectures that they might even have replaced the gold master that they're supposed to compare the machine's chip against.

The beauty of his team's hack, Alex insisted, was that they didn't have to change the firmware. And they thought their own approach offered much more of a challenge.

The team couldn't keep winning as big as they were; the guys figured "it was clear that somebody would put two and two together and say, `I've seen this guy before.' We started to get scared that we were gonna get caught."

Beside the ever-present worries about getting caught, they were also concerned about the tax issue; for any win over $1,200, the casino asks for identification and reports the payout to the IRS. Mike says that "If the player doesn't produce ID, we assumed that taxes would be withheld from the payout, but we didn't want to draw attention to ourselves by finding out." Paying the taxes was "not a big issue," but "it starts to create a record that, like, you're winning insane amounts of money. So a lot of the logistics were about, `How do we stay under the radar?'"

They needed to come up with a different approach. After a short time of "E.T. phone home," they started to conceive a new idea.

New Approach

The guys had two goals this time around: Develop a method that would let them win on hands like a full house, straight, or flush, so the payouts wouldn't be humongous enough to attract attention. And make it somehow less obvious and less annoying than having to run to the telephone before every play.

Because the casinos offered only a limited number of the Japanese machines, the guys this time settled on a machine in wider use, a type manufactured by an American company. They took it apart the same way and discovered that the random number generation process was much more complex: The machine used two generators operating in combination, instead of just one. "The programmers were much more aware of the possibilities of hacking," Alex concluded.

But once again the four discovered that the designers had made a crucial mistake. "They had apparently read a paper that said you improve the quality of randomness if you add a second register, but they did it wrong." To determine any one card, a number from the first random number generator was being added to a number from the second.

The proper way to design this calls for the second generator to iterate -- that is, change its value -- after each card is dealt. The designers hadn't done that; they had programmed the second register to iterate only at the beginning of each hand, so that the same number was being added to the result from the first register for each card of the deal.
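Why iterating the second register once per hand throws away its benefit is easy to see in arithmetic: if every card in a hand is (first register + the same mask) mod 52, then the difference between any two cards of that hand does not depend on the mask at all, so the first register can be located on its own exactly as on the earlier machine, and the mask then falls out of any single card. The following added toy demonstrates that; it is not code from the book, the machine or the paper the designers are said to have read. Both registers are linear congruential generators with hypothetical constants and seeds, cards are the sum taken mod 52, and the search window is an assumption. The same attack is then run against the corrected design, where the second register advances for every card, and no longer finds the first register's position.

```python
M = 1 << 32
A1, C1, SEED1 = 1664525, 1013904223, 0xDEADBEEF     # hypothetical first register
A2, C2, SEED2 = 22695477, 1, 0x0BADF00D             # hypothetical second register
WINDOW = 100_000                                     # hypothetical: R1 outputs to search


def lcg_seq(a, c, seed, count):
    """The first `count` outputs of a 32-bit LCG (toy stand-in for a register)."""
    out, s = [], seed
    for _ in range(count):
        s = (a * s + c) % M
        out.append(s)
    return out


def deal(r1_out, pos, masks):
    """Ten cards for a hand started at R1 output `pos`: card i is
    (R1[pos + i] + masks[i]) mod 52, where `masks` is what the second
    register contributes to each card."""
    return [(r1 + m) % 52 for r1, m in zip(r1_out[pos:pos + 10], masks)]


def flawed_masks(r2_out, hand_no):
    """Second register advanced once per hand: one value for all ten cards."""
    return [r2_out[hand_no]] * 10


def correct_masks(r2_out, hand_no):
    """Second register advanced once per card: ten fresh values per hand."""
    return r2_out[hand_no * 10:hand_no * 10 + 10]


def diffs(cards):
    """Differences between consecutive cards, mod 52."""
    return [(b - a) % 52 for a, b in zip(cards, cards[1:])]


def locate_r1(r1_mod52, observed):
    """Positions in R1's stream whose consecutive differences equal the
    observed hand's. A per-hand constant cancels out of every difference,
    so the flawed design lets R1 be found without knowing R2 at all."""
    stream, pat = bytes(diffs(r1_mod52)), bytes(diffs(observed))
    hits, i = [], stream.find(pat)
    while i != -1:
        hits.append(i)
        i = stream.find(pat, i + 1)
    return hits


def recover_mask(r1_mod52, pos, observed):
    """With R1's position known, the hand's mask falls out of one card."""
    return (observed[0] - r1_mod52[pos]) % 52


def predict_unseen(r1_mod52, pos, mask, seen):
    """The cards of the same hand the player never drew, from R1 and the
    recovered mask."""
    return [(r1_mod52[pos + i] + mask) % 52 for i in range(len(seen), 10)]


if __name__ == "__main__":
    r1 = lcg_seq(A1, C1, SEED1, WINDOW)
    r2 = lcg_seq(A2, C2, SEED2, 1000)
    r1m = [x % 52 for x in r1]
    pos, hand_no = 31_337, 5          # machine state, unknown to the attacker

    hand = deal(r1, pos, flawed_masks(r2, hand_no))
    seen = hand[:8]                   # five shown plus three drawn replacements
    hits = locate_r1(r1m, seen)
    mask = recover_mask(r1m, hits[0], seen)
    print("flawed design:  R1 located at", hits, "mask", mask,
          "unseen cards predicted", predict_unseen(r1m, hits[0], mask, seen),
          "actual", hand[8:])

    hand = deal(r1, pos, correct_masks(r2, hand_no))
    print("correct design: same attack finds", locate_r1(r1m, hand[:8]))
```

In the corrected design each difference also carries the difference of two fresh second-register outputs, so a search over the first register alone has nothing to match; the attacker is pushed back to a joint search over both registers' states, which is the extra work the second register was supposed to buy.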
