The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers (4 page)

To Alex, the use of two registers made the challenge "a cryptology thing"; he recognized that it was similar to a step sometimes used in encrypting messages. Though he had acquired some knowledge of the subject, it wasn't enough to see his way to a solution, so he started mak- ing trips to a nearby university library to study up.

If the designers had read some of the books on cryptosystems more

carefully, they wouldn't have made this mistake. Also, they should

have been more methodical about testing the systems for cracking

the way we were cracking them.

Any good college computer science major could probably write

code to do what we were trying to do once he understands what's

required. The geekiest part of it was figuring out algorithms to do

the search quickly so that it would only take a few seconds to tell

you what's going on; if you did it naively, it could take a few

hours to give you a solution.

We're pretty good programmers, we all still make our living

doing that, so we came up with some very clever optimizations.

But I wouldn't say it was trivial.

I remember a similar mistake made by a programmer at Norton (before Symantec bought them) that worked on their Diskreet product, an appli- cation that allowed a user to create encrypted virtual drives. The developer implemented the algorithm incorrectly -- or perhaps intentionally -- in a way that resulted in reducing the space for the encryption key from 56 Chapter 1 Hacking the Casinos for a Million Bucks 13

bits to 30. The federal government's data encryption standard used a 56-bit key, which was considered unbreakable, and Norton gave its cus- tomers the sense that their data was protected to this standard. Because of the programmer's error, the user's data was in effect being encrypted with only 30 bits instead of 56. Even in those days, it was possible to brute-force a 30-bit key. Any person using this product labored under a false sense of security: An attacker could derive his or her key in a rea- sonable period and gain access to the user's data. The team had discov- ered the same kind of error in the programming of the machine.

At the same time the boys were working on a computer program that would let them win against their new target machine, they were pressing Alex for a no-more-running-to-the-payphone approach. The answer turned out to be based on taking a page from the Eudaemonic Pie solu- tion: a "wearable" computer. Alex devised a system made up of a minia- turized computer built around a small microprocessor board Mike and Marco found in a catalog -- and, to go along with it, a control button that fit in the shoe, plus a silent vibrator like the ones common in many of today's cell phones. They referred to the system as their "computer- in-the-pocket thing."

"We had to be a little clever about doing it on a small chip with a small memory," Alex said. "We did some nice hardware to make it all fit in the shoe and be ergonomic." (By "ergonomic" in this context, I think he meant small enough so you could walk without limping!)

The New Attack The team began trying out the new scheme, and it was a bit nerve- wracking. Sure, they could now dispense with the suspicious behavior of running to a pay phone before every win. But even with all the dress rehearsal practice back at their "office," opening night meant performing in front of a sizeable audience of always-suspicious security people.

This time the program was designed so they could sit at one machine longer, winning a series of smaller, less suspicious amounts. Alex and Mike recapture some of tension when they describe how it worked:

Alex: I usually put the computer in what looked like a little tran-

sistor radio in my pocket. We would run a wire from the computer

down inside the sock into this switch in the shoe.

Mike: I strapped mine to my ankle. We made the switches from

little pieces of breadboard [material used in a hardware lab for

constructing mock-ups of electronic circuits]. The pieces were

about one inch square, with a miniature button. And we sewed

on a little bit of elastic to go around the big toe. Then you'd cut a 14 The Art of Intrusion

hole in a Dr. Scholl's insole to keep it in place in your shoe. It was

only uncomfortable if you were using it all day; then it could get

excruciating.

Alex: So you go into the casino, you try to look calm, act like

there's nothing, no wires in your pants. You go up, you start play-

ing. We had a code, a kind of Morse Code thingy. You put in

money to run up a credit so you don't have to keep feeding coins,

and then start to play. When cards come up, you click the shoe

button to input what cards are showing.

The signal from the shoe button goes into the computer that's in

my pants pocket. Usually in the early machines it took seven or

eight cards to get into sync. You get five cards on the deal, you

might draw three more would be a very common thing, like hold

the pair, draw the other three, that's eight cards.

Mike: The code for tapping on the shoe-button was binary, and it

also used a compression technique something like what's called a

Huffman code. So long-short would be one-zero, a binary two.

Long-long would be one-one, a binary three, and so on. No card

required more than three taps.

Alex: If you held the button down for three seconds, that was a

cancel. And [the computer] would give you little prompts -- like

dup-dup-dup would mean, "Okay, I'm ready for input." We had

practiced this -- you had to concentrate and learn how to do it.

After a while we could tap, tap while carrying on a conversation

with a casino attendant.

Once I had tapped in the code to identify about eight cards, that

would be enough for me to sync with about 99 percent assurance.

So after anywhere from a few seconds to a minute or so, the com-

puter would buzz three times.

I'd be ready for the action.

At this point, the computer-in-the-pocket had found the place in the algorithm that represented the cards just dealt. Since its algorithm was the same as the one in the video poker machine, for each new hand dealt, the computer would "know" what five additional cards were in waiting once the player selected his discards and would signal which cards to hold to get a winning hand. Alex continued:

The computer tells you what to do by sending signals to a vibra-

tor in your pocket; we got the vibrators free by pulling them out of

old pagers. If the computer wants you to hold the third and the Chapter 1 Hacking the Casinos for a Million Bucks 15

fifth card, it will go beep, beep, beeeeep, beep, beeeeep, which you

feel as vibrations in your pocket.

We computed that if we played carefully, we had between 20 and

40 percent vigorish, meaning a 40 percent advantage on every

hand. That's humongous -- the best blackjack players in the

world come in at about 2-1/2 percent.

If you're sitting at a $5 machine pumping in five coins at a time,

twice a minute, you can be making $25 a minute. In half an

hour, you could easily make $1,000 bucks. People sit down and get

lucky like that every day. Maybe 5 percent of the people that sit

down and play for half an hour might do that well. But they don't

do it every time. We were making that 5 percent every single time.

Whenever one of them had won big in one casino, he'd move on to another. Each guy would typically hit four or five in a row. When they went back to the same casino on another trip a month later, they'd make a point of going at a different time of day, to hit a different shift of the work crew, people less likely to recognize them. They also began hitting casinos in other cities -- Reno, Atlantic City, and elsewhere.

The trips, the play, the winning gradually became routine. But on one occasion, Mike thought the moment they all dreaded had come. He had just "gone up a notch" and was playing the $25 machines for the first time, which added to the tension because the higher the value of the machines, the closer they're watched.

I was a bit anxious but things were going better than I antici-

pated. I won about $5,000 in a relatively short amount of time.

Then this large, imposing employee taps me on the shoulder. I

looked up at him feeling something queasy in the pit of my stom-

ach. I thought, "This is it."

"I notice you been playing quite a bit," he said. "Would you like

pink or green?"

If it had been me, I would have been wondering, "What are those -- my choices of the color I'll be after they finish beating me to a pulp?" I think I might have left all my money and tried to dash out of the place. Mike says he was seasoned enough by that point to remain calm.

The man said, "We want to give you a complimentary coffee mug."

Mike chose the green. 16 The Art of Intrusion

Marco had his own tense moment. He was waiting for a winning hand when a pit boss he hadn't noticed stepped up to his shoulder. "You dou- bled up to five thousand dollars -- that's some luck," he said, surprised. An old woman at the next machine piped up in a smoker's raspy sandpa- per voice, "It ... wasn't ... luck." The pit boss stiffened, his suspicions aroused. "It was balls," she cawed. The pit boss smiled and walked away.

Over a period of about three years, the guys alternated between taking legitimate consulting jobs to keep up their skills and contacts, and skip- ping out now and then to line their pockets at the video poker machines. They also bought two additional machines, including the most widely used video poker model, and continued to update their software.

On their trips, the three team members who traveled would head out to different casinos, "not all go as a pack," Alex said. "We did that once or twice, but it was stupid." Though they had an agreement to let each other know what they were up to, occasionally one would slip away to one of the gambling cities without telling the others. But they confined their play to casinos, never playing in places like 7-Elevens or supermar- kets because "they tend to have very low payouts."

Caught! Alex and Mike both tried to be disciplined about adhering to "certain rules that we knew were going to reduce the probability of getting noticed. One of them was to never hit a place for too much money, never hit it for too much time, never hit it too many days in a row."

But Mike took the sense of discipline even more seriously and felt the other two weren't being careful enough. He accepted winning a little less per hour but looking more like another typical player. If he got two aces on the deal and the computer told him to discard one or both of the aces for an even better hand -- say, three jacks -- he wouldn't do it. All casi- nos maintain "Eye in the Sky" watchers in a security booth above the casino floor, manning an array of security cameras that can be turned, focused and zoomed, searching for cheaters, crooked employees, and others bent by the temptation of all that money. If one of the watchers happened to be peeking at his or her machine for some reason, the watcher would immediately know something was fishy, since no reason- able player would give up a pair of aces. Nobody who wasn't cheating somehow could know a better hand was waiting.

Alex wasn't quite so fastidious. Marco was even less so. "Marco was a bit cocky," in Alex's opinion:

He's a very smart guy, self taught, never finished high school, but one

of these brilliant Eastern European type of guys. And flamboyant. Chapter 1 Hacking the Casinos for a Million Bucks 17

He knew everything about computers but he had it in his head

that the casinos were stupid. It was easy to think that because these

people were letting us get away with so much. But even so, I think

he got over-confident.

He was more of a daredevil, and also didn't fit the profile because

he just looked like this teenage foreigner. So I think he tended to

arouse suspicion. And he didn't go with a girlfriend or wife,

which would have helped him fit in better.

I think he just ended up doing things that brought attention onto

him. But also, as time went on and we all got bolder, we evolved

and tended to go to the more expensive machines that paid off bet-

ter and that again put more risks into the operation.

Though Mike disagrees, Alex seemed to be suggesting that they were all three risk takers who would keep pushing the edge of the window to see how far they could go. As he put it, "I think basically you just keep upping the risk."

The day came when one minute Marco was sitting at a machine in a casino, the next minute he was surrounded by burly security people who pulled him up and pushed him into an interviewing room in the back. Alex recounted the scene:

It was scary because you hear stories about these guys that will

beat the shit out of people. These guys are famous for, "F__k the

police, we're gonna take care of this ourself."

Marco was stressed but he was a very tough character. In fact, in

some ways I'm glad that he was the one that did get caught if any

of us were going to because I think he was the most equipped to

handle that situation. For all I know he had handled things like

back in Eastern Europe.

He exhibited some loyalty and did not give us up. He didn't talk

about any partners or anything like that. He was nervous and

upset but he was tough under fire and basically said he was work-

ing alone.

He said, "Look, am I under arrest, are you guys police, what's the

deal?"

It's a law enforcement type of interrogation except that they're

not police and don't have any real authority, which is kind of

weird. They kept on questioning him, but they didn't exactly

manhandle him. 18 The Art of Intrusion

They took his "mug shot," Alex says, and they confiscated the com- puter and all the money he had on him, about $7,000 in cash. After per- haps an hour of questioning, or maybe a lot longer -- he was too upset to be sure -- they finally let him go.