64 comments

[ 0.99 ms ] story [ 124 ms ] thread
"It was a simple piece of code, partly copied from an internet source, inserted by the one man responsible for information security at an organization that runs three dozen United States lotteries."

"Tipton’s extra lines of code first checked to see if the coming lottery drawing fulfilled Tipton’s narrow circumstances. It had to be on a Wednesday or a Saturday evening, and one of three dates in a nonleap year: the 147th day of the year (May 27), the 327th day (Nov. 23) or the 363rd day (Dec. 29). If those criteria were satisfied, the random-number generator was diverted to a different track. Instead, the algorithm would use a predetermined seed number that restricted the pool of potential winning numbers to a much smaller, predictable set of numbers."

> partly copied from an internet source

Ah the ol' stackoverflow copy/paste.

I'm amazed at how brazen/obvious of a cheat the code here is:

Tipton’s extra lines of code first checked to see if the coming lottery drawing fulfilled Tipton’s narrow circumstances. It had to be on a Wednesday or a Saturday evening, and one of three dates in a nonleap year: the 147th day of the year (May 27), the 327th day (Nov. 23) or the 363rd day (Dec. 29). Investigators noticed those dates generally fell around holidays — Memorial Day, Thanksgiving and Christmas — when Tipton was often on vacation. If those criteria were satisfied, the random-number generator was diverted to a different track. Instead, the algorithm would use a predetermined seed number that restricted the pool of potential winning numbers to a much smaller, predictable set of numbers.

Admittedly, this is based only on the description from the article, which says it is describing pseudocode. But obviously, once this code is found, it's game over. Apparently the audit process for lotteries is terrible enough that this didn't matter.

Compare this with the auto emissions cheating scandal, where the algorithm was complicated in order to hide what was happening, so that the code would not be obvious as a defeat device: http://cseweb.ucsd.edu/~klevchen/diesel-sp17.pdf (see pages 6-8).

From the DEFCON presentation I mentioned elsewhere, it also seems like if he hadn't flubbed up and tried to claim the 16.5 million dollar prize, he (and his friends/family) wouldn't have been caught at all.

I can't believe he put the code in when he knew it would be audited, but then I doubly can't believe he would poke them to take a second look by suggesting something odd was involved at all.

From the original article here, it sounds like if he hadn't talked with the cashier at the Qwikstop he would be fine.
Or if the intermediary had simply said they forgot what they were wearing.
Ya I don't know why they would have tried to guess (unless Eddie told him the wrong info by mistake). It was nearly 1 year prior and no one would expect someone to remember what they were wearing when they walked into a gas station on a random Wednesday.
Why is it not possible to simply detect whether the car is stationary or moving?
I don't know if it is hubris, but the investigation only started because no one claimed the 16 millions jackpot. He could probably have keep winning smaller sums forever.
And he seriously bought the ticket himself, that's amateur level incompetence.
I think having hundreds of people buy the tickets would have upped the complexity too much. He didn't deterministically have the exact number. He was playing hundreds of tickets per win still.
This was written well. A fun read!
I had the opposite experience. I got exhausted trying to read this article and ended up losing interest less than half way through.
I wish there was a book that collected famous security incidents in this writing style.
I enjoyed it, but the reveal was a little disappointing.
Why disappointing? Because it seemed so simple? To me, that is the appeal, since the complexity of the hack has an inverse relation to the level of incompetency of the bureaucratic oversight.
Before he even backdoored it, the lottery was using a Mersenne Twister?

The random number is called the seed, and the seed is plugged into the algorithm, a pseudorandom number generator called the Mersenne Twister. At the end, the computer spits out the winning lottery numbers.

Same thing I thought. Pure incompetence.
Uh... I really, really dislike this title, its inaccurate and (intentionally?) misleading.

The title is "The Man Who Cracked the Lottery" but it's not about someone actually cracking the lottery, that is, figuring out how to mathematically win the lottery or figuring out existing flaws; its just about straight up insider fraud. A better title is "The Man Who Rigged the Lottery." Or the TL;DR version: "Man Inserted Logic Bomb Into Lottery Draw Code Because There Was No Controls To Stop Him."

Its still somewhat of an interesting read but the title really ruined it for me; I was expecting an entirely different story.

Examples of people actually cracking the lottery/gambling site:

https://highline.huffingtonpost.com/articles/en/lotto-winner...

https://www.developer.com/tech/article.php/616221/How-We-Lea...

Thanks a lot! That’s why the comments are sometimes worth reading before the text! You saved time to many potential readers.
We've updated the title to a representative phrase from the article, but we're happy to update it again if someone can suggest something better!
The article suggests there was an audit that he had to get past, at least.

> From Tipton’s point of view, it was complicated. He had done something to see if he could do it. To his surprise, it worked. He said he inserted that code only once; after the code was approved by Gaming Laboratories International, machines containing it were shipped all over the country.

What good is an "audit" if it doesn't even catch the simplest of simple malicious code?
The auditors did only this:

- ran the RNG through statistical tests (which of course passed flawlessly)

- audited the source code (but the backdoor was in binaries…)

Source: DEFCON presentation linked elsewhere in comments.

Mind boggling that one or two people (the perp and the cop) and their separate strains of attention to details + curiosity could impacts so many.

Maybe luck is real after all ;)

Great story.

Jumping ahead of the conversation a bit, insert blockchain thread here. (=
Only if it includes a lightweight and fast electron client.
This reminded of a famous fraud in the Mexican Lottery. It was low-tech, basically the company that transmits the draw managed to record it minutes before, tell insiders the numbers and later transmit the video as if it was real-time. $12 million USD were stolen, only $8 million were recovered.

The lotteries here (besides the statistical argument) are not trustworthy. I urge people who buy tickets to save their money, but the dream of getting rich instantly is too alluring.

(comment deleted)
>$12 million USD were stolen, only $8 million were recovered

>only $8 million

isn't a 75% recovery rate pretty good for cases like this?

edit: 67%

maybe, but 8/12 isn't 75%
thanks, updated.
"It was low-tech, basically the company that transmits the draw managed to record it minutes before, tell insiders the numbers and later transmit the video as if it was real-time."

Not unlike the premise of the film, "The Sting".

> From Tipton’s point of view, it was complicated. He had done something to see if he could do it. To his surprise, it worked. He said he inserted that code only once; after the code was approved by Gaming Laboratories International, machines containing it were shipped all over the country.

The article skips right over this. HTH was this code, which the article reports wasn't even hidden, approved by a third party?

Trying to find out, I found this:

https://www.desmoinesregister.com/story/news/investigations/...

Which mentions:

"Tipton designed his rigged coding so that it wasn't detected in the company's random tests, according to a report Fritschie helped present last year."

...as well as: "Toyne said the association does not have any ongoing contractual relations with Gaming Labs."

The "report" mentioned earlier is a DEFCON presentation about gambling fraud in general, pretty interesting read: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20pre...

In it mentions "The method of rigging the RNG could have been more discrete" and gave the breakdown of reverse engineering the binary to find(?) the source code. It also said the labs tested the RNG for statistical bias (which would pass) and audited the source code (it only gives the Picard Facepalm pic, so I assume the auditors likely relied solely/mostly on the automated test.

it sounds like they would have to run their tests with mock dates for every date out of the year to discover anything, unless they happened to run their tests on one of the 3 days mentioned in the code, they wouldn't find it. how many tests would they need to run to really tell if there is any bias?
What if the rigging was only in a certain year? Auditing each day for the next decade would be safer. A good code review sounds even better.
While code review isn't foolproof, this seems like it should have been fairly obvious.
Well, more than is practical to run, probably.
Why would it even be okay at all for a piece of code that determines the seed for a pseudo RNG via observation of hardware events (a Geiger counter measurement, according to the article) to even access the date and time on a given system? It should have no use for that information, and with a piece of code of that criticality, one would expect auditors to scrutinize any and all syscalls that it performs. This way it should have been fairly obvious that it's requesting the time from the OS, which it shouldn't do in the first place. Mocking date/time info is unnecessary if your code under test is entirely unable to get time information from the system in the first place.
All of the brightest minds were building Facebook ;)
I feel like generating a lot (100k? You can tweak to get whatever confidence you want) of numbers for every day for the next several (30?) years and running tests like chi-squared (or others, see http://www.cse.wustl.edu/~jain/iucee/ftp/k_27trg.pdf) doesn't seem too crazy when you're talking about millions of dollars in prize money.
It's interesting that they noted he was 100 pounds overweight. I would suspect that gluttony is a trait that affects every action in a persons mental framework.
They would have never figured this out had the idiot just had someone else claim the 16.5M prize, or simply picked a state that allows winners to be anonymous.
I wonder why he tried to go through lawyer and offshore companies this time, rather than have a friend claim the ticket.

I wonder if he found out they had video recording of the person buying the ticket.

Which makes me wonder - did he do that as well? Who else might have been using this hack (in states no in addition to Tipton?
Way worse than NYT uncovers. The Iowa Attorney General conspired with the Iowa Lotto to charge the Iowa Lotto VP of Security with an "annoying speech" simple misdemeanor in retaliation for him blowing the whistle to Iowa Citizens Aide Ombuds investigator Bert Dalmer. Unfortunately for Iowa AG Tom Miller, the criminal complaint affidavit is still available for public records request at Des Moines Police Department even though the court records are sealed due to a deferred prosecution.

See https://en.wikipedia.org/wiki/Coates_v._City_of_Cincinnati , but Iowa still has "annoying" speech criminalized under Iowa Code 708.7; the ultimate whistleblower retaliation tool.

Why is there a tone of respect/admiration around scams like this but when a small startup founder makes a less-than-criminal mistake (eg lendedu) HN users want their heads on a stake?
The current top-voted comment [0] expresses amazement -- not admiration -- that the hack was so stupidly simple. Can't read the author's mind, but I share a similar sentiment: it's amazing that this crime was possible, and it reveals the incompetence/complacency of the Iowa Lottery's IT.

https://news.ycombinator.com/item?id=16995374

Facebook non-sequitur:

"Tommy Tipton had three Facebook friends named Conn." How did they get this data, was it available due to warrant or probable crime?

Yet another reason to not use FB. Like, at all. I doubt the police could ask FB for their "dossier" on you if you're not signed up (or does FB provide shadow profile access to law enforcement?)

You can view a person's friends on Facebook
"...inserted by the one man responsible for information security at an organization that runs three dozen United States lotteries."

That's the entire problem, right there. He could have been much more brazen and still succeeded.

By looking only at the title, I actually thought for a brief moment that this would be a story about Ethereum.
(comment deleted)
Now imagine what a diligent and clever thief could do and extrapolate to how many other lotteries must be rigged...
You gotta be an 18th c. French philosopher/writer to game lotteries these days.
I guess if you are going to go bad, hacking a lottery is not the most terrible thing you can do. Reducing public confidence in what is basically the numbers racket might even be considered a public good...
If the recent Zuckerberg testimony is an example, we need more public officials who can understand the complexity of code, technology, and the law.

I've known the young assistant attorney general in this story for more than ten years. Rob Sand is a great guy and is running to be a state auditor of Iowa - you can support him at robsand.com. Also, if you're interested in meeting him in person, I'm also happy to facilitate an introduction (friends across the country like to house him from time to time).