The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
By Kevin D. Mitnick and William L. Simon
About this ebook
Kevin Mitnick, the world's most celebrated hacker, now devotes his life to helping businesses and governments combat data thieves, cybervandals, and other malicious computer intruders. In his bestselling The Art of Deception, Mitnick presented fictionalized case studies that illustrated how savvy computer crackers use "social engineering" to compromise even the most technically secure computer systems. Now, in his new book, Mitnick goes one step further, offering hair-raising stories of real-life computer break-ins, and showing how the victims could have prevented them. Mitnick's reputation within the hacker community gave him unique credibility with the perpetrators of these crimes, who freely shared their stories with him, and whose exploits Mitnick now reveals in detail for the first time, including:
- A group of friends who won nearly a million dollars in Las Vegas by reverse-engineering slot machines
- Two teenagers who were persuaded by terrorists to hack into the Lockheed Martin computer systems
- Two convicts who joined forces to become hackers inside a Texas prison
- A "Robin Hood" hacker who penetrated the computer systems of many prominent companies, and then told them how he gained access
Kevin D. Mitnick
Kevin Mitnick (Technical Editor) is the most famous computer hacker in the world. Since his first arrest in 1981, at age 17, he has spent nearly half his adult life either in prison or as a fugitive. He has been the subject of three books and his alleged 1982 hack into NORAD inspired the movie War Games. Since his plea-bargain release in 2000, he says he has reformed and is devoting his talents to helping computer security.
Reviews for The Art of Intrusion
14 ratings, 8 reviews
- Rating: 4 out of 5 stars. Enjoyable, fast read. It included enough technical details to keep me interested. But, it did not overwhelm the reader with jargon to the extent that someone without a technical background would be lost. I only wish it was written a bit more recently. Perhaps a follow up will be released in the next few years? I look forward to reading other work by Kevin.
- Rating: 3 out of 5 stars. Mildly interesting book about the exploits of hackers. Requires some networking knowledge to understand fully. Some of these stories are fairly old (using 386 processes in one story and when warez and torrenting sites were novelties in the other!) but most are still interesting. Social engineering aspects of the book are most interesting, and much of the advice is quite relevant.
- Rating: 5 out of 5 stars. This is a highly intriguing read for any IT professional. An eye opener.
- Rating: 3 out of 5 stars. This is a quick read, and is entirely devoted to stories of hackers and crackers who break into systems - some maliciously, and some for the sheer fun of it. I particularly enjoyed the story about the company who was hired by a company who had made an offer to buy it, to conduct a penetration test and attempt to break into their system. The prospective target company not only cracked the prospective purchaser's computer system, they also broke into their voice mails and were able to know the company's exact negotiating strategy and plans for the company once the purchase went through. The target wisely held the negotiation meeting before the meeting at which they revealed their successful penetration, and declined the purchase offer. Each chapter is followed by Mitnick's insights and recommendations, which only serve to remind me of the vulnerabilities of my office's systems. Interesting, for people who like computers and this sort of thing.
- Rating: 5 out of 5 stars. I would like to read it, but it's "Currently unavailable on Scribd". My father recommended me this book.
- Rating: 3 out of 5 stars. I guess I lean over to this side of modern life, I like the internet and its history. Well written, informative, understandable and engaging.
- Rating: 3 out of 5 stars. I honestly have no memory of this book. I remember reading it while I studied for my CEH. I guess it was good enough to finish, but not good enough to remember. That might be unfair, though, since I consume a decent amount of cyber* related information. It might have just been lost to the noise.
- Rating: 4 out of 5 stars. This author was recommended to me by a geek friend and after I did some research on Mitnick, I realised this was a guy I wanted to read. I was a bit amazed to read all the reviews who accused Mitnick of putting his ego all over the book. I didn't see any evidence of that at all. Yes he talks quite a bit about his own experiences in relation to what he is talking about in that chapter but that is to be expected. After all, he IS a convicted computer hacker! So he does have some knowledge in this area! Is this egotism? I don't think so. He is just giving us the benefit of his own experiences. Where this book slightly falls down is that Mitnick makes it WAY too complicated and technical for people like me who are not that techie and geeky. So he talks about computer languages and hacking procedures that are just way too complicated to follow. So if you are not fluent in the lingo, you'll find yourself page flipping. This book is ideally for geeks and nerds who talk computer languages that normal people wouldn't even begin to comprehend! Not me unfortunately. Nevertheless, this is a fascinating insight into the world of hacking and it is also frightening - it makes you realise how insecure a lot of computer systems are all over the world and how a teenager with a PC can easily gain access. Remember that the next time you're entering your password into your online banking.
Book preview
The Art of Intrusion - Kevin D. Mitnick
Chapter 1
Hacking the Casinos for a Million Bucks
Every time [some software engineer] says, "Nobody will go to the trouble of doing that," there's some kid in Finland who will go to the trouble.
— Alex Mayfield
There comes a magical gambler’s moment when simple thrills magnify to become 3-D fantasies — a moment when greed chews up ethics and the casino system is just another mountain waiting to be conquered. In that single moment the idea of a foolproof way to beat the tables or the machines not only kicks in but kicks one’s breath away.
Alex Mayfield and three of his friends did more than daydream. Like many other hacks, this one started as an intellectual exercise just to see if it looked possible. In the end, the four actually beat the system, "taking the casinos for about a million dollars," Alex says.
In the early 1990s, the four were working as consultants in high-tech and "playing life loose and casual. You know — you'd work, make some money, and then not work until you were broke."
Las Vegas was far away, a setting for movies and television shows. So when a technology firm offered the guys an assignment to develop some software and then accompany it to a trade show at a high-tech convention there, they jumped at the opportunity. It would be the first in Vegas for each of them, a chance to see the flashing lights for themselves, all expenses paid; who would turn that down? The separate suites for each in a major hotel meant that Alex’s wife and Mike’s girlfriend could be included in the fun. The two couples, plus Larry and Marco, set off for hot times in Sin City.
Alex says they didn't know much about gambling and didn't know what to expect. "You get off the plane and you see all the old ladies playing the slots. It seems funny and ironic, and you soak that in."
After the four had finished doing the trade show, they and the two ladies were sitting around in the casino of their hotel playing slot machines and enjoying free beers when Alex’s wife offered a challenge:
"Aren't these machines based on computers? You guys are into computers, can't you do something so we win more?"
The guys adjourned to Mike’s suite and sat around tossing out questions and offering up theories on how the machines might work.
Research
That was the trigger. The four "got kinda curious about all that, and we started looking into it when we got back home," Alex says, warming up to the vivid memories of that creative phase. It took only a little while for the research to support what they already suspected. "Yeah, they're computer programs basically. So then we were interested in, was there some way that you could crack these machines?"
There were people who had beaten the slot machines by "replacing the firmware" — getting to the computer chip inside a machine and substituting the programming for a version that would provide much more attractive payoffs than the casino intended. Other teams had done that, but it seemed to require conspiring with a casino employee, and not just any employee but one of the slot machine techies. To Alex and his buddies, swapping ROMs would have been "like hitting an old lady over the head and taking her purse."
They figured if they were going to try this, it would be as a challenge to their programming skills and their intellects. And besides, they had no advanced talents in social engineering; they were computer guys, lacking any knowledge of how you sidle up to a casino employee and propose that he join you in a little scheme to take some money that doesn’t belong to you.
But how would they begin to tackle the problem? Alex explained:
"We were wondering if we could actually predict something about the sequence of the cards. Or maybe we could find a back door [software code allowing later unauthorized access to the program] that some programmer may have put in for his own benefit. All programs are written by programmers, and programmers are mischievous creatures. We thought that somehow we might stumble on a back door, such as pressing some sequence of buttons to change the odds, or a simple programming flaw that we could exploit."
Alex read the book The Eudaemonic Pie by Thomas Bass (Penguin, 1992), the story of how a band of computer guys and physicists in the 1980s beat roulette in Las Vegas using their own invention of a wearable computer about the size of a pack of cigarettes to predict the outcome of a roulette play. One team member at the table would click buttons to input the speed of the roulette wheel and how the ball was spinning, and the computer would then feed tones by radio to a hearing aid in the ear of another team member, who would interpret the signals and place an appropriate bet. They should have walked away with a ton of money but didn't. In Alex's view, "Their scheme clearly had great potential, but it was plagued by cumbersome and unreliable technology. Also, there were many participants, so behavior and interpersonal relations were an issue. We were determined not to repeat their mistakes."
Alex figured it should be easier to beat a computer-based game because the computer is "completely deterministic" — the outcome is fixed entirely by what has gone before, or, to paraphrase an old software engineer's expression, good data in, good data out. (The original expression looks at this from the negative perspective: "garbage in, garbage out.")
This looked right up his alley. As a youngster, Alex had been a musician, joining a cult band and dreaming of being a rock star, and when that didn’t work out had drifted into the study of mathematics. He had a talent for math, and though he had never cared much for schooling (and had dropped out of college), he had pursued the subject enough to have a fairly solid level of competence.
Deciding that some research was called for, he traveled to Washington, DC, to spend some time in the reading room of the Patent Office. "I figured somebody might have been stupid enough to put all the code in the patent" for a video poker machine. And sure enough, he was right. At that time, dumping a ream of object code into a patent was a way for a patent filer to protect his invention, since the code certainly contains a very complete description of his invention, but in a form that isn't terribly user-friendly. "I got some microfilm with the object code in it and then scanned the pages of hex digits for interesting sections, which had to be disassembled into [a usable form]."
Analyzing the code uncovered a few secrets that the team found intriguing, but they concluded that the only way to make any real progress would be to get their hands on the specific type of machine they wanted to hack so they could look at the code for themselves.
As a team, the guys were well matched. Mike was a better-than-competent programmer, stronger than the other three on hardware design. Marco, another sharp programmer, was an Eastern European immigrant who looked like a teenager. But he was something of a daredevil, approaching everything with a can-do, smart-ass attitude. Alex excelled at programming and was the one who contributed the knowledge of cryptography they would need. Larry wasn’t much of a programmer and because of a motorcycle accident couldn’t travel much, but was a great organizer who kept the project on track and everybody focused on what needed to be done at each stage.
After their initial research, Alex "sort of forgot about" the project. Marco, though, was hot for the idea. He kept insisting, "It's not that big a deal, there's thirteen states where you can legally buy machines." Finally he talked the others into giving it a try. "We figured, what the hell."
Each chipped in enough money to bankroll the travel and the cost of a machine. They headed once again for Vegas — this time at their own expense and with another goal in mind.
Alex says, "To buy a slot machine, basically you just had to go in and show ID from a state where these machines are legal to own. With a driver's license from a legal state, they pretty much didn't ask a lot of questions."
One of the guys had a convenient connection to a Nevada resident. "He was like somebody's girlfriend's uncle or something, and he lived in Vegas." They chose Mike as the one to talk to this man because he has "a sales-y kind of manner, a very presentable sort of guy." "The assumption is that you're going to use it for illegal gambling. It's like guns," Alex explained. A lot of the machines get "gray-marketed" — sold outside accepted channels — to places like social clubs. Still, he found it surprising that "we could buy the exact same production units that they use on the casino floor."
Mike paid the man "1,500 bucks" for a machine, a Japanese brand. "Then two of us put this damn thing in a car. We drove it home as if we had a baby in the back seat."
Developing the Hack
Mike, Alex, and Marco lugged the machine upstairs to the second floor of a house where they had been offered the use of a spare bedroom. The thrill of the experience would long be remembered by Alex as one of the most exciting in his life.
"We open it up, we take out the ROM, we figure out what processor it is. I had made a decision to get this Japanese machine that looked like a knockoff of one of the big brands. I just figured the engineers might have been working under more pressure, they might have been a little lazy or a little sloppy.
"It turned out I was right. They had used a 6809 [chip], similar to a 6502 that you saw in an Apple II or an Atari. It was an 8-bit chip with a 64K memory space. I was an assembly language programmer, so this was familiar."
The machine Alex had chosen was one that had been around for some 10 years. Before a casino can put a machine of a new design on its floor, Nevada's gaming regulators have to study the programming and make sure it's designed so the payouts will be fair to the players. Getting a new design approved can be a lengthy process, so casinos tend to hold on to the older machines longer than you would expect. For the team, an older machine seemed likely to have outdated technology, which they hoped might be less sophisticated and easier to attack.
The computer code they downloaded from the chip was in binary form, the string of 1's and 0's that is the most basic level of computer instructions. To translate that into a form they could work with, they would first have to do some reverse engineering — the process an engineer or programmer uses to figure out how an existing product is designed; in this case it meant converting the raw machine code back into assembly language that the guys could read and work with.
Alex needed a disassembler to translate the code. The foursome didn't want to tip their hand by trying to purchase the software — an act they felt would be equivalent to going into your local library and trying to check out books on how to build a bomb. The guys wrote their own disassembler, an effort that Alex describes as "not a piece of cake, but it was fun and relatively easy."
Once the code from the video poker machine had been run through the new disassembler, the three programmers sat down to pore over it. Ordinarily it's easy for an accomplished software engineer to quickly locate the sections of a program he or she wants to focus on. That's because a person writing code originally puts "road signs" all through it — notes, comments, and remarks explaining the function of each section, something like the way a book may have part titles, chapter titles, and subheadings for sections within a chapter.
When a program is compiled into the form that the machine can read, these road signs are discarded — the computer or microprocessor has no need for them. So code that has been reverse-engineered lacks any of these useful explanations; to keep with the "road signs" metaphor, this recovered code is like a roadmap with no place names, no markings of highways or streets.
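What the team got back from the disassembler they wrote is illustrated by the following added example, which is not the book's or the team's code: a minimal table-driven disassembler for a small subset of the Motorola 6809 instruction set (the processor Alex identified), run over a ten-byte ROM fragment. The fragment, its load address $E000, and the subset of opcodes covered are all assumptions made for the example.

```python
# Added example: a tiny linear-sweep disassembler for a subset of the Motorola
# 6809. Not the team's disassembler; the opcode subset and the ROM bytes below
# are constructed for illustration.

# opcode -> (mnemonic, addressing mode). Anything not listed is dumped as a
# raw byte (FCB), which is also what a real tool does with data it cannot decode.
OPCODES = {
    0x12: ("NOP", "inh"),  0x39: ("RTS", "inh"),   0x3A: ("ABX", "inh"),
    0x44: ("LSRA", "inh"), 0x48: ("LSLA", "inh"),  0x49: ("ROLA", "inh"),
    0x4A: ("DECA", "inh"), 0x4C: ("INCA", "inh"),  0x4F: ("CLRA", "inh"),
    0x20: ("BRA", "rel"),  0x26: ("BNE", "rel"),   0x27: ("BEQ", "rel"),
    0x81: ("CMPA", "imm8"), 0x84: ("ANDA", "imm8"), 0x86: ("LDA", "imm8"),
    0x88: ("EORA", "imm8"), 0x8B: ("ADDA", "imm8"), 0xC6: ("LDB", "imm8"),
    0x8E: ("LDX", "imm16"),
    0x96: ("LDA", "dir"),  0x97: ("STA", "dir"),
    0xB6: ("LDA", "ext"),  0xB7: ("STA", "ext"),   0xBD: ("JSR", "ext"),
    0x7E: ("JMP", "ext"),
}
MODE_LEN = {"inh": 1, "rel": 2, "imm8": 2, "dir": 2, "imm16": 3, "ext": 3}


def decode(rom, pc, base):
    """Decode one instruction at rom[pc].
    Returns (address, raw bytes, mnemonic, operand text, branch/jump target or None)."""
    op = rom[pc]
    if op not in OPCODES:
        return (base + pc, rom[pc:pc + 1], "FCB", "$%02X" % op, None)
    mnem, mode = OPCODES[op]
    raw = rom[pc:pc + MODE_LEN[mode]]
    if len(raw) < MODE_LEN[mode]:          # instruction cut off at end of dump
        return (base + pc, raw, "FCB", " ".join("$%02X" % b for b in raw), None)
    target = None
    if mode == "inh":
        text = ""
    elif mode == "rel":
        # signed 8-bit offset, relative to the address of the *next* instruction
        off = raw[1] - 256 if raw[1] & 0x80 else raw[1]
        target = (base + pc + 2 + off) & 0xFFFF
        text = "$%04X" % target
    elif mode == "imm8":
        text = "#$%02X" % raw[1]
    elif mode == "imm16":
        text = "#$%04X" % ((raw[1] << 8) | raw[2])
    elif mode == "dir":
        text = "<$%02X" % raw[1]
    else:                                   # extended: 16-bit absolute address
        target = (raw[1] << 8) | raw[2]
        text = "$%04X" % target
    return (base + pc, raw, mnem, text, target)


def disassemble(rom, base=0):
    """Linear sweep from the first byte to the last; no attempt to tell code from data."""
    out, pc = [], 0
    while pc < len(rom):
        ins = decode(rom, pc, base)
        out.append(ins)
        pc += len(ins[1])
    return out


def listing(rom, base=0):
    """Address / bytes / mnemonic / operand columns, i.e. a map with no place names."""
    return "\n".join("%04X  %-9s %-5s %s" % (a, " ".join("%02X" % b for b in raw), m, t)
                     for a, raw, m, t, _ in disassemble(rom, base))


# Constructed ROM fragment (assumed, not the machine's firmware): shift the byte
# at $8000 left until it reads zero, then return.
ROM = bytes([
    0xB6, 0x80, 0x00,   # LDA  $8000
    0x48,               # LSLA
    0xB7, 0x80, 0x00,   # STA  $8000
    0x26, 0xF7,         # BNE  back to the LDA (offset -9 from $E009)
    0x39,               # RTS
])

if __name__ == "__main__":
    print(listing(ROM, base=0xE000))
```

The listing gives back addresses, opcodes and branch targets, and nothing else: what lives at $8000, why the loop exists, and what the caller expects in A all have to be inferred, which is exactly the road-sign problem described above. A linear sweep like this also misdecodes any data tables embedded between routines, so a real effort separates code from data by following jump and call targets rather than sweeping from byte zero.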
They sifted through the pages of code on-screen looking for clues to the basic questions: What’s the logic? How are the cards shuffled? How are replacement cards picked?
But the main focus for the guys at this juncture was to locate the code for the random number generator (RNG). Alex’s guess that the Japanese programmers who wrote the code for the machine might have taken shortcuts that left errors in the design of the random number generator turned out to be correct; they had.
Rewriting the Code
Alex sounds proud in describing this effort. "We were programmers; we were good at what we did. We figured out how numbers in the code turn into cards on the machine and then wrote a piece of C code that would do the same thing," he said, referring to the programming language called C.
"We were motivated and we did a lot of work around the clock. I'd say it probably took about two or three weeks to get to the point where we really had a good grasp of exactly what was going on in the code.
"You look at it, you make some guesses, you write some new code, burn it onto the ROM [the computer chip], put it back in the machine, and see what happens. We would do things like write routines that would pop hex [hexadecimal] numbers on the screen on top of the cards. So basically get a sort of a design overview of how the code deals the cards.
"It was a combination of trial and error and top-down analysis; the code pretty quickly started to make sense. So we understood everything about exactly how the numbers inside the computer turn into cards on the screen.
"Our hope was that the random number generator would be relatively simple. And in this case in the early 90's, it was. I did a little research and found out it was based on something that Donald Knuth had written about in the 60's. These guys didn't invent any of this stuff; they just took existing research on Monte Carlo methods and things, and put it into their code.
"We figured out exactly what algorithm they were using to generate the cards; it's called a linear feedback shift register, and it was a fairly good random number generator."
But they soon discovered the random number generator had a fatal flaw that made their task much easier. Mike explained that it was "a relatively simple 32-bit RNG, so the computational complexity of cracking it was within reach, and with a few good optimizations became almost trivial."
So the numbers produced were not truly random. But Alex thinks there’s a good reason why this has to be so:
"If it's truly random, they can't set the odds. They can't verify what the odds really are. Some machines gave sequential royal flushes. They shouldn't happen at all. So the designers want to be able to verify that they have the right statistics or they feel like they don't have control over the game.
"Another thing the designers didn't realize when they designed this machine is that basically it's not just that they need a random number generator. Statistically there's ten cards in each deal — the five that show initially, and one alternate card for each of those five that will appear if the player chooses to discard. It turns out in these early versions of the machine, they basically took those ten cards from ten sequential random numbers in the random number generator."
So Alex and his partners understood that the programming instructions on this earlier-generation machine were poorly thought out. And because of these mistakes, they saw that they could write a relatively simple but elegantly clever algorithm to defeat the machine.
The trick, Alex saw, would be to start a play, see what cards showed up on the machine, and feed data into their own computer back at home identifying those cards. Their algorithm would calculate where the random generator was, and how many numbers it had to go through before it would be ready to display the sought-after hand, the royal flush.
"So we're at our test machine and we run our little program and it correctly tells us the upcoming sequence of cards. We were pretty excited."
Alex attributes that excitement to "knowing you're smarter than somebody and you can beat them. And that, in our case, it was gonna make us some money."
They went shopping and found a Casio wristwatch with a countdown feature that could be set to tenths of a second; they bought three, one for each of the guys who would be going to the casinos; Larry would be staying behind to man the computer.
They were ready to start testing their method. One of the team would begin to play and would call out the hand he got — the denomination and suit of each of the five cards. Larry would enter the data into their own computer; though something of an off-brand, it was a type popular with nerds and computer buffs, and great for the purpose because it had a much faster chip than the one in the Japanese video poker machine. It took only moments to calculate the exact time to set into one of the Casio countdown timers.
When the timer went off, the guy at the slot machine would hit the Play button. But this had to be done accurately to within a fraction of a second. Not as much of a problem as it might seem, as Alex explained:
"Two of us had spent some time as musicians. If you're a musician and you have a reasonable sense of rhythm, you can hit a button within plus or minus five milliseconds."
If everything worked the way it was supposed to, the machine would display the sought-after royal flush. They tried it on their own machine, practicing until all of them could hit the royal flush on a decent percentage of their tries.
Over the previous months, they had, in Mike's words, "reverse engineered the operation of the machine, learned precisely how the random numbers were turned into cards on the screen, precisely when and how fast the RNG iterated, all of the relevant idiosyncrasies of the machine, and developed a program to take all of these variables into consideration so that once we know the state of a particular machine at an exact instant in time, we could predict with high accuracy the exact iteration of the RNG at any time within the next few hours or even days."
They had defeated the machine — turned it into their slave. They had taken on a hacker’s intellectual challenge and had succeeded. The knowledge could make them rich.
It was fun to daydream about. Could they really bring it off in the jungle of a casino?
Back to the Casinos — This Time to Play
It’s one thing to fiddle around on your own machine in a private, safe location. Trying to sit in the middle of a bustling casino and steal their money — that’s another story altogether. That takes nerves of steel.
Their ladies thought the trip was a lark. The guys encouraged tight skirts and flamboyant behavior — gambling, chatting, giggling, ordering drinks — hoping the staff in the security booth manning the "Eye in the Sky" cameras would be distracted by pretty faces and a show of flesh. "So we pushed that as much as possible," Alex remembers.
The hope was that they could just fit in, blending with the crowd. Mike was the best at it. "He was sort of balding. He and his wife just looked like typical players."
Alex describes the scene as if it had all happened yesterday. Marco and Mike probably did it a little differently, but this is how it worked for Alex: With his wife Annie, he would first scout a casino and pick out one video poker machine. He needed to know with great precision the exact cycle time of the machine. One method they used involved stuffing a video camera into a shoulder bag; at the casino, the player would position the bag so the camera lens was pointing at the screen of the video poker machine, and then he would run the camera for a while. "It could be tricky," he remembers, "trying to hoist the bag into exactly the right position without looking like the position really mattered. You just don't want to do anything that looks suspicious and draws attention."
Mike preferred another, less demanding method: "Cycle timing for unknown machines out in the field was calculated by reading cards off the screen at two times, many hours apart." He had to verify that the machine had not been played in between, because that would alter the rate of iteration, but that was easy: just check to see that the cards displayed were the same as when he had last been at the machine, which was usually the case since high stakes machines tended to not be played often.
When taking the second reading of cards displayed, he would also synchronize his Casio timer, and then phone the machine timing data and card sequences back to Larry, who would enter it into their home-base computer and run the program. Based on those data, the computer would predict the time of the next royal flush. "You hoped it was hours; sometimes it was days," in which case they'd have to start all over with another machine, maybe at a different hotel. At this stage, the timing of the Casio might be off as much as a minute or so, but close enough.
Returning plenty early in case someone was already at the target machine, Alex and Annie would go back to the casino and spend time on other machines until the player left. Then Alex would sit down at the target machine, with Annie at the machine next to him. They'd start playing, making a point of looking like they were having fun. Then, as Alex recalls:
"I'd start a play, carefully synchronized to my Casio timer. When the hand came up, I'd memorize it — the value and suit of each of the five cards, and then keep playing until I had eight cards in sequence in memory. I'd nod to my wife that I was on my way and head for an inconspicuous pay phone just off the casino floor. I had about eight minutes to get to the phone, do what I had to do, and get back to the machine. My wife kept on playing. Anybody who came along to use my machine, she'd just tell them her husband was sitting there.
"We had figured out a way of making a phone call to Larry's beeper, and entering numbers on the telephone keypad to tell him the cards. That was so we didn't have to say the cards out loud — the casino people are always listening for things like that. Larry would again enter the cards into the computer and run our program.
"Then I'd phone him. Larry would hold the handset up to the computer, which would give two sets of little cue tones. On the first one, I'd hit the Pause button on the timer, to stop it counting down. On the second one, I'd hit Pause again to restart the timer."
The cards Alex reported gave the computer an exact fix on where the machine’s random number generator was. By entering the delay ordered by the computer, Alex was entering a crucial correction to the Casio countdown timer so it would go off at exactly the moment that the royal flush was ready to appear.
Once that countdown timer was restarted, I went back to the machine. When the timer went like “beep, beep, boom” — right then, right on that boom, I hit the play button on the machine again.
That first time, I think I won $35,000.
We got up to the point where we had about 30 or 40 percent success because it was pretty well worked out. The only times it didn’t work was when you didn’t get the timing right.
For Alex, the first time he won was “pretty exciting, but scary. The pit boss was this scowling Italian dude. I was sure he was looking at me funny, with this puzzled expression on his face, maybe because I was going to the phone all the time. I think he may have gone up to look at the tapes.”
Despite the tensions, there was a thrill to it.
Mike remembers being “naturally nervous that someone might have noticed odd behavior on my part, but in fact no one looked at me funny at all. My wife and I were treated just as typical high-stakes winners — congratulated and offered many comps.”
They were so successful that winning too much money, and drawing attention to themselves by doing so, became a real worry. They started to recognize that they faced the curious problem of too much success. “It was very high profile. We were winning huge jackpots in the tens of thousands of dollars. A royal flush pays 4,000 to 1; on a $5 machine, that’s twenty grand. It goes up from there.” Some of the games are a type called progressive — the jackpot keeps increasing until somebody hits — and the guys were able to win those just as easily.
I won one that was 45 grand. A big-belt techie guy came out — probably the same guy that goes around and repairs the machines. He has a special key that the floor guys don’t have. He opens up the box, pulls out the [electronics] board, pulls out the ROM chip right there in front of you. He has a ROM reader with him that he uses to test the chip from the machine against some golden master that’s kept under lock and key.
The ROM test had been standard procedure for years, Alex learned. He assumes that “they had been burned that way but eventually caught on to the scheme and put in the ROM-checking as a countermeasure.”
Alex’s statement left me wondering if the casinos do this check because of some guys I met in prison who did actually replace the firmware. I wondered how they could do that quickly enough to avoid being caught. Alex figured this was a social engineering approach, that they had compromised the security and paid off somebody inside the casino. He conjectures that they might even have replaced the gold master that they’re supposed to compare the machine’s chip against.
The beauty of his team’s hack, Alex insisted, was that they didn’t have to change the firmware. And they thought their own approach offered much more of a challenge.
The team couldn’t keep winning as big as they were; the guys figured it was clear that “somebody would put two and two together and say, ‘I’ve seen this guy before.’ We started to get scared that we were gonna get caught.”
Besides the ever-present worries about getting caught, they were also concerned about the tax issue: for any win over $1,200, the casino asks for identification and reports the payout to the IRS. Mike says that “if the player doesn’t produce ID, we assumed that taxes would be withheld from the payout, but we didn’t want to draw attention to ourselves by finding out. Paying the taxes was not a big issue, but it starts to create a record that, like, you’re winning insane amounts of money. So a lot of the logistics were about, ‘How do we stay under the radar?’”
They needed to come up with a different approach. After a short time of “E.T. phone home,” they started to conceive a new idea.
New Approach
The guys had two goals this time around: Develop a method that would let them win on hands like a full house, straight, or flush, so the payouts wouldn’t be humongous enough to attract attention. And make it somehow less obvious and less annoying than having to run to the telephone before every play.
Because the casinos offered only a limited number of the Japanese machines, the guys this time settled on a machine in wider use, a type manufactured by an American company. They took it apart the same way and discovered that the random number generation process was much more complex: The machine used two generators operating in combination, instead of just one. “The programmers were much more aware of the possibilities of hacking,” Alex concluded.
But once again the four discovered that the designers had made a crucial mistake. They had apparently read a paper that said you improve the quality of randomness if you add a second register, but they did it wrong.
To determine any one card, a number from the first random number generator was being added to a number from the second.
The proper way to design this calls for the second generator to iterate — that is, change its value — after each card is dealt. The designers hadn’t done that; they had programmed the second register to iterate only at the beginning of each hand, so that the same number was being added to the result from the first register for each card of the deal.
To Alex, the use of two registers made the challenge “a cryptology thing”; he recognized that it was similar to a step sometimes used in encrypting messages. Though he had acquired some knowledge of the subject, it wasn’t enough to see his way to a solution, so he started making trips to a nearby university library to study up.
If the designers had read some of the books on cryptosystems more carefully, they wouldn’t have made this mistake. Also, they should have been more methodical about testing the systems for cracking the way we were cracking them.
Any good college computer science major could probably write code to do what we were trying to do once he understands what’s required. The geekiest part of it was figuring out algorithms to do the search quickly so that it would only take a few seconds to tell you what’s going on; if you did it naively, it could take a few hours to give you a solution.
We’re pretty good programmers, we all still make our living doing that, so we came up with some very clever optimizations. But I wouldn’t say it was trivial.
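As an added illustration of the flaw described above (this is not code from the book, from the machine’s designers, or from the team), here is a toy model of the two designs with constructed LCG constants, seeds and a simplified “value mod 52” card mapping. It runs the kind of check a generator’s designer could use to confirm that a second register actually changes the output from card to card: with the flawed design the card-to-card differences are identical to those of register 1 alone, and for any one register-1 state the second register can reach at most 52 distinct hands.

```python
# Toy model of the two designs the text contrasts: a second register that
# iterates once per hand (flawed) versus one that iterates after every card.
# The LCG constants, seeds and the "value mod 52" card mapping are constructed
# for illustration; they are not the real machine's generator or deck logic.
from typing import Callable, List

LCG_MOD = 101   # constructed small prime modulus so runs can be checked by hand
DECK = 52


def lcg_step(state: int, a: int = 7, c: int = 3) -> int:
    """One iteration of the constructed linear congruential generator."""
    return (a * state + c) % LCG_MOD


def deal_single(seed1: int, n: int = 5) -> List[int]:
    """Register 1 alone, used as the baseline for comparison."""
    s1, cards = seed1, []
    for _ in range(n):
        s1 = lcg_step(s1)
        cards.append(s1 % DECK)
    return cards


def deal_flawed(seed1: int, seed2: int, n: int = 5) -> List[int]:
    """Register 2 advances once per hand, so one fixed offset is added to every card."""
    s1, s2, cards = seed1, lcg_step(seed2), []
    for _ in range(n):
        s1 = lcg_step(s1)            # only register 1 moves between cards
        cards.append((s1 + s2) % DECK)
    return cards


def deal_fixed(seed1: int, seed2: int, n: int = 5) -> List[int]:
    """Both registers advance after every card, as the text says they should."""
    s1, s2, cards = seed1, seed2, []
    for _ in range(n):
        s1, s2 = lcg_step(s1), lcg_step(s2)
        cards.append((s1 + s2) % DECK)
    return cards


def card_deltas(cards: List[int]) -> List[int]:
    """Card-to-card differences mod deck size; a fixed per-hand offset cancels out here."""
    return [(b - a) % DECK for a, b in zip(cards, cards[1:])]


def hands_reachable(deal: Callable[[int, int], List[int]], seed1: int) -> int:
    """Design check: how many distinct hands can register 2 produce for one register-1 state?"""
    return len({tuple(deal(seed1, s2)) for s2 in range(LCG_MOD)})
```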
I remember a similar mistake made by a programmer at Norton (before Symantec bought them) who worked on their Diskreet product, an application that allowed a user to create encrypted virtual drives. The developer implemented the algorithm incorrectly — or perhaps intentionally — in a way that resulted in reducing the space for the encryption key from 56 bits to 30. The federal government’s data encryption standard used a 56-bit key, which was considered unbreakable, and Norton gave its customers the sense that their data was protected to this standard. Because of the programmer’s error, the user’s data was in effect being encrypted with only 30 bits instead of 56. Even in those days, it was possible to brute-force a 30-bit key. Any person using this product labored under a false sense of security: An attacker could derive his or her key in a reasonable period and gain access to the user’s data. The team had discovered the same kind of error in the programming of the machine.
At the same time the boys were working on a computer program that would let them win