This article was taken from the November 2014 issue of WIRED magazine. Be the first to read WIRED's articles in print before they're posted online, and get your hands on loads of additional content by subscribing online.
John Kane was on a hell of a winning streak. On July 3, 2009, he walked alone into the high-limit room at the Silverton Casino in Las Vegas and sat down at a video poker machine called the Game King. Six minutes later the purple light on the top of the machine flashed, signalling a $4,300 (£2,670) jackpot. Kane waited while the slot attendant verified the win and presented the tax paperwork - a procedure required for any win of $1,200 or greater -- then, 11 minutes later, ding ding ding!, a $2,800 win. A $4,150 jackpot rolled in a few minutes after that. All the while, the casino's director of surveillance, Charles Williams, was peering down at Kane through a camera hidden in a ceiling dome. Tall, with a high brow and an aquiline nose, 50-year-old Kane had the patrician bearing of a man better suited to playing a Mozart piano concerto than listening to the chirping of a slot machine. Even his play was refined: the way he rested his long fingers on the buttons and swept them in a graceful legato, smoothly selecting good cards, discarding bad ones, accepting jackpot after jackpot with the vaguely put-upon air of a creditor finally collecting an overdue debt. Williams could see that Kane was wielding none of the array of cheating devices that casinos had confiscated from grifters over the years. He wasn't jamming a light wand in the machine's hopper or zapping the Game King with an electromagnetic pulse. He was simply pressing the buttons. But he was winning far too much, too fast, to be relying on luck alone.
At 12:34pm, the Game King lit up with its seventh jackpot in 90 minutes, a $10,400 payout. Now Williams knew something was wrong: the cards dealt on the screen were the exact same four twos and four of clubs that yielded Kane's previous jackpot. The odds against that were astronomical. Williams called over the executive in charge of the Silverton's slots, and they reviewed the surveillance tape together. The evidence was mounting that Kane had found something unthinkable: the kind of thing gamblers dream of, casinos dread, and Nevada regulators have an entire auditing regime to prevent. He'd found a bug in the most popular video slot in Las Vegas.
As they watched the replay for clues, Kane chalked up an eighth jackpot worth $8,200, and Williams decided not to wait any longer. He contacted the Silverton's head of security, a formidable character with slicked-back silver hair and a black suit, and positioned him outside the slot area. His orders: make sure John Kane doesn't leave the casino.
Kane had discovered the glitch in the Game King three months earlier on the other end of town, at the unpretentious Fremont Hotel and Casino in downtown's Glitter Gulch. He was overdue a lucky break. Since the Game King had got its hooks in him years earlier he'd lost between tens of thousands and hundreds of thousands annually. At his previous haunt, the locals-friendly Boulder Station, he blew half a million dollars in 2006 alone -- a pace that earned him enough Player's Club points to pay for his own Game King to play at his home on the outskirts of Vegas, along with technicians to service it. (The machine was just for fun -- it didn't pay jackpots.) "He's played more than anyone else in the United States," says his lawyer, Andrew Leavitt. "I'm not exaggerating or embellishing. It's an addiction."
To understand video poker addiction, you have to start with the deceptively simple appeal of the game. You put some money in the machine, place a bet of one to five credits and the computer deals you a poker hand. Select the cards you want to keep, slap the Draw button, and the machine replaces the discards. Your final hand determines the payout.
When the first video poker machine hit casinos in the 70s, it was a phenomenal success -- gamblers loved that they could make decisions that affected the outcome instead of just pulling a handle and watching the reels spin. The patent holder started a company called International Game Technology that debuted on Nasdaq in 1981.
IGT's key insight was to tap into the vast flexibility offered by computerised gambling. In 1996, the company perfected its formula with the Game King Multi-Game, which allowed players to choose between several variations of video poker.
Casinos snatched up the Game King, and IGT sold them regular firmware upgrades that added still more games to the menu. On September 25, 2002, the company released its fifth major revision -- Game King 5.0. Its marketing material was triumphal: "Full of new enhancements, including state-of-the-art video graphics and enhanced stereo sound, the Game King 5.0 Multi-Game suite is sure to rule over your entire casino floor with unprecedented magnificence!"
But the new Game King code had one feature that wasn't in the brochure -- a series of subtle errors in program number G0001640 that evaded laboratory testing and source-code review. The bug survived like a cockroach for the next seven years.
It passed into new revisions, one after another, ultimately infecting 99 different programs installed in thousands of IGT machines around the world. As far as anyone knows, it went completely undetected until late April 2009, when John Kane was playing at a row of four low-limit Game Kings outside the entrance to a Chinese fast-food joint at the Fremont, smoke swirling around him and 90s pop music raining down from the casino's sound system.
He'd been switching between game variations and racking up a modest payout. But when he hit the Cash Out button to take his money to another machine, the candle lit at the top of the Game King and the screen locked up with a jackpot worth more than $1,000. Kane hadn't even played a new hand, so he knew there was a mistake. He told a casino attendant about the error, but the worker thought he was joking and gave him the money anyway.
At that point, Kane could have forgotten the whole thing. Instead, he called a friend and embarked on the biggest gamble of his life.
There were no limits now. They could play anywhere and beat<span class="s2">the house wherever they went. Nestor, who'd been scraping by on a $1,000-a-month welfare cheque, saw a whole new future unfolding: home ownership, an investment account, security, better clothes and gifts for his friends back home. For his part, Kane was already well on his way to erasing the massive losses he'd suffered since moving to Sin City.
Working as a team had its advantages. While experimenting with the bug, they discovered that they could trigger a jackpot on the same hand more than once: all they had to do was lower the denomination again and repeat the steps to activate the glitch. They could effectively replay their win over and over, as much as they wanted. It was a risky play -- even the busiest casino might notice the same player repeatedly winning with the same hand. But now that they were playing together, Kane and Nestor could ride on each other's jackpots.
Nestor won $4,000 with four aces; then, after waiting a bit, Kane slid over to the same machine and replayed the hand for another $4,000.
They could even piggyback on other players' wins. No longer confined to four low-limit slots at a single casino, they prowled the floor at Harrah's looking for empty machines still showing a player's jackpot. Once they got an attendant to turn on Double Up, it took only seconds to replay the hand at up to ten times the original value. Video poker wasn't even gambling any more. "You had complete control over how much you could win," Nestor says. "If you wanted to go to a casino and win $500,000 in one day, you could win $500,000 in one day."
At the end of the evening, Nestor says they went to his cheap hotel room at Bill's Gamblin' Hall and Saloon to settle up. As the benefactor of Kane's discovery, Nestor had agreed to give his old friend half his winnings. But now that the cash was rolling in, he was having second thoughts about the arrangement. Every jackpot, he realised, was being reported to the Internal Revenue Service, and he'd already won enough from the bug to propel him into a higher-tax bracket. If he paid half to Kane off the top, he might wind up without the reserves to pay his tax debt come April. He broached the subject with Kane: he'd be more comfortable holding on to the money until his taxes were paid.
Kane was indignant but not surprised; leave it to Nestor to turn even free money into a problem to obsess over. He insisted Nestor honour his agreement, and Nestor grew more agitated. "What am I doing? Why am I even doing this?" he complained. "I'm not winning any money doing this if I'm giving you all this up front." Kane finally agreed to accept a third of Nestor's $20,000 take for the day. Nestor says he counted out $6,000 in hundreds, and Kane said good night.
The tension between the men lingered the next day at the Wynn, a towering supercasino with more than 1,300 slots. They played side by side, raking in money and continuing to argue. Nestor was now of the opinion that he shouldn't have to pay Kane anything. It was Nestor, after all, who'd figured out that the Double Up feature was part of the bug. "This was my gift to you," Kane shot back. "If you'd found this bug instead of me, you'd never have told me about it."
The accusation stung. Nestor gaped at his friend, then he stood and walked away from the machine.
The next day Nestor nursed his hurt feelings with a solo trip to the Rio. His records show he left the casino with about $34,000 in his pockets. He didn't need Kane at all. "There was so much money to be made, what did it even matter?" he says.
On his last day in Vegas, Nestor continued his solo run, hitting a Game King at the Wynn for a combined $61,000. Back in his room at Bill's, he added up his winnings: he was going home with $152,250 in cash. And he wasn't done yet. There were casinos in Pennsylvania, too, where he could operate without the slightest risk of Kane knowing what he was up to.
After Nestor left, Kane tore into Vegas with a vengeance. Official numbers have never been released, and Kane declined to speak for this article, but the FBI would later tally Kane's winnings at more than $500,000 from eight casinos. The Wynn, where Kane kept four nines on one Game King for days, was the biggest loser at $225,240.
Back in Pennsylvania, Nestor targeted the casino at the Meadows Racetrack. He dressed smartly and brought along a small entourage for company: his room-mate, a retired policeman named Kerry Laverde; and Patrick Loushil, a server at Red Lobster who agreed to collect some of Nestor's jackpots, so they wouldn't all show up on his tax bill. Nestor hammed it up when he won, gushing excitedly to the slot workers -- "I'm so excited! Here, feel my heart!" -- and tipping generously.
But it all began to unravel the night Kane found himself waiting for a payout at the Silverton. Kane paced and huffed, and complained to slot attendants. Finally, three men strode up to him. The head of security directed Kane to an alcove, handcuffed him, and escorted him away. An armed agent from the Gaming Control Board arrived soon after. He sealed the machines Kane had been playing on and collected Kane from the back room, where he'd been handcuffed to a chair. Kane's wallet and $27,000 were confiscated, and he was booked into the Clark County Detention Center on suspicion of theft.
After a night in jail, Kane was released. He called Nestor to warn him the bug had been discovered. "Stay out of the casinos," Kane said. Nestor's heart sank. It was painful to imagine Kane being treated like a common criminal. But after the call, Nestor talked himself into an alternative theory.
What if there'd been no arrest? What if Kane had made up the story to scare Nestor into stopping? He'd been back in Pennsylvania for three weeks and had already won nearly $50,000 from the Meadows'
Game King. He decided to ignore Kane's story and started planning his next trip to the Meadows.
Three days later, in Las Vegas, engineers from the Nevada Gaming Control Board's technology division descended on the Silverton. The forensics investigation of the Game King scam had fallen to John Lastusky, a 25-year-old clean-cut USC computer engineering graduate.
He pulled up the game history on the two machines Kane had played and reviewed the wins, then slid out the logic trays, the metal shelves housing the Game King's electronic guts, and checked the erasable programmable read-only memories containing the machines' core logic, graphics and sound routines. There was no sign of tampering. He confiscated the trays and packed them up for the trip back to headquarters.
Housed in an anonymous office park near the airport, the GCB's technology division was formed in the mid 80s to police video gambling. The division helps set the rigorous standards that gamemakers such as IGT must meet to deploy machines in the Silver State. A 275m<sup>2</sup> laboratory at the back is packed with slot machines in various states of undress - some powered down, others stripped to their bare electronics.
A locked-down room adjacent to the lab is more important: it houses a repository of the source and executable code for every version of game software ever approved in Nevada - more than 30,000 programs. Every addition is examined: is the random-number generator random enough? Does the game pay out at the advertised rate? "We're not necessarily looking for something nefarious, the goal is to ensure the integrity of the product," says division chief Jim Barbee.
There's a danger of gaming software being backdoored. In 1995, one of the GCB's own staffers, Ron Harris, went bad. He modified his testing unit to reprogram EPROMs on the machines he audited. His software triggered a jackpot upon a particular sequence of button presses - like a Konami Code for cash. He was caught and served two years in prison. The division's paranoia, coupled with the game industry's self-interest, have kept video-gambling code clean and mostly free of exploitable bugs. That made the Game King case an intriguing puzzle for Lastusky. Armed with the surveillance footage, Lastusky sat at a Game King in the lab and experimented. Within days he was able to reproduce the exploit. He gave his findings to IGT, which rushed out a warning to its customers advising them to immediately disable the Double Up option.
Every Game King on the planet running a vulnerable version would need a patch. The upgrade process would be gruelling.
Slot machines aren't online. New programs are burned on to EPROMs and shipped in the mail in plastic tubes.
Blind to the firestorm in Vegas, Nestor continued to play at the Meadows, until August 31, when the casino got suspicious and refused to pay Nestor on a four of a kind. He protested but walked away, then breaking into a run. He was up $480,000. The ride was over, but he had enough cash to last him forever.
At 1.30pm on October 6, 2009, a dozen state and local police converged on Andre Nestor's split-level condo on a quiet street in Swissvale. He was dozing on his sofa when the banging started. "State police!
Open up!" The battering ram hit the door seconds later, splintering the frame and admitting a flood of cops into the house.
Nestor says he started towards the stairs, his hands over his head, when he came face-to-face with a trooper in full riot gear. "Get on the floor!" yelled the trooper, levelling his AR-15 at Nestor's face. Nestor complied.
For the next two hours, Nestor watched helplessly, handcuffed to a kitchen chair, while the police ransacked his neat home. They flipped over his mattress, ripped insulation from his ceiling, rifled his PC. At about 4pm, Nestor's room-mate, Laverde, arrived home and was arrested on the spot as an accomplice to Nestor's crimes.
It was the first major gambling scandal in Pennsylvania since the state had legalised slots in 2004. The media portrayed Nestor as a real-life Danny Ocean, and prosecutors hit him with 698 felony counts, ranging from theft to criminal conspiracy. The district attorney seized every cent of Nestor's winnings and gave it back to the Meadows. Nestor and Laverde spent about ten days in the county jail before making bail.
A defiant Nestor vowed to fight the case -- no jury would convict a gambler for beating a slot machine at its own game. But on January 3, 2011, when it was time for jury selection, Nestor was hit with another surprise. Two FBI agents showed up and pulled him from the Washington County courthouse. The US Justice Department had taken over the case. Nestor and Kane had both been charged federally in Las Vegas.
As the agents walked him to their car, Nestor stopped in front of a TV camera and let loose. "I'm being arrested federally now -- for winning at a slot machine!" he shouted in disbelief. "This is what they do to people! They put a machine on the floor, and if it has programming that doesn't take your money and you win on their machine, they will throw you in jail!"
The Las Vegas prosecutors charged Nestor and Kane with conspiracy and violations of the Computer Fraud and Abuse Act (CFAA). Passed in 1986, the CFAA was enacted to punish hackers who remotely crack computers related to national defence or banking. But in the internet age the government had been steadily testing the limits of the law in cases that didn't involve computer intrusion in the usual sense. Kane and Nestor, the government argued, exceeded their otherwise lawful access to the Game King when they knowingly exploited a bug. The casinos only authorised gamers to play by the rules of video poker. "To allow customers to access previously played hands of cards at will would remove the element of chance and obviate the whole purpose of gambling," assistant US attorney for the District of Nevada Michael Chu argued. "It would certainly be contrary to the rules of poker."
The defence attorneys pushed for dismissal of the hacking charge, on the grounds that anything the Game King allowed players to do through its interface was "authorised access" by definition: the whole point of playing slots is to beat the machine, and it's up to the computer to set and enforce limits. "All these guys did is simply push a sequence of buttons they were legally entitled to push," says Leavitt, Kane's attorney.
The pretrial motions dragged on for more than 18 months, while the CFAA was under a microscope. The US Ninth Circuit Court of Appeals threw out computer-hacking charges in a closely watched case against David Nosal, a former executive at a corporate-recruiting firm who persuaded three employees to leak him information from the firm's database.
Seeing parallels to the Game King prosecution, the judge overseeing Kane and Nestor's case ordered the government to justify the hacking charge. The prosecutors didn't even try, opting instead to drop the charge -- leaving only an ill-fitting "conspiracy to commit wire fraud" count. As a December 3, 2013, trial date approached, the Feds made Kane and Nestor separate but identical offers: the first one to agree to testify against the other would walk away with five years' probation and no jail time. It was the Prisoner's Dilemma. Without speaking, they both arrived at the optimal strategy: they refused the offer. A few months later, the Justice Department dropped the last of the charges, and they were free.
Kane and Nestor haven't spoken since 2009. After his arrest Kane began recording classical music in his house and uploading the videos to YouTube.
Nestor's greatest regret is that he let the Game King bug come between him and Kane. "I didn't want it to go that far," he says. "I thought he and I were friends long enough that these kinds of issues didn't need to happen." Laverde signed over Nestor's money in exchange for avoiding trial. (There are no court filings to suggest that Kane's winnings were seized.) Nestor says the Meadows still has his winnings, and the IRS is chasing him for $239,861.04 in back taxes, interest, and penalties -- money he doesn't have.
Nestor has been banned from Pennsylvania casinos but he gambles occasionally in neighbouring states. His addiction right now is Candy Crush, which he plays on a cheap androids tablet. He cleared 515 levels in two months, using a trick he found on the internet to get extra lives without paying.
WIRED US contributing editor Kevin Poulsen (@kpoulsen) wrote about hacking OkCupid in issue 03.14
This article was originally published by WIRED UK
