1. 43

  2. 28

    More programmers should be aware of this trick: I used to use the "?_=" + Math.random() at the end of ad pixels ages ago to detect operating system versions.

    1. 2

      That is spooky and impressive. How did you figure this out? Reverse engineering the RNG implementation of each browser?

      1. 11

        There’s the Silence on the Wire book which has a lot of details about how to passively fingerprint users and their environment by looking at similar things. Super interesting read, even if much of its content is not really applicable nowadays.

        1. 5

          It’s worth knowing that Silence on the Wire was written by lcamtuf and a practical application of the knowledge from his book can be seen in his projects, most notably p0f (though he himself is now more known for writing afl). I agree though that a lot of the book would be very hard to directly apply (but it’s damn worth the read!).

        2. 2

          For most browsers you shouldn’t have to reverse engineer because they are open source.

      2. 6

        Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix

        Russians Reverse Engineer Slot Machine RNG Implementation, Win Some Money and Get Arrested, and Casinos Can Get Stuffed

        There, fixed that for you.

        1. 5

          and Get Arrested

          Well, some of the people at the very bottom of the enterprise got arrested. The people running the organisation that is doing this… have no realistic expectation of getting arrested?

        2. 5

          Why are the slot machines purely relying on pseudorandomness? There seem to be some sources of “true” randomness that they can use to seed the PRG without requiring additional hardware, e.g. the trailing digits of exact timing of various events (so, for instance, pressing a button or inserting a dollar bill exactly on the hour and 0.001 seconds after the hour lead to completely different results - I highly doubt any human, even an app-assisted one, is capable of being precise enough on timing to exploit that).

          1. 3

            In fact since they are dedicated machines to generate the randomness, they could just use some hardware which does generate true randomness.

            Honest question, why don’t they just do that? Is it because they can’t prove the true randomness of the source?

            1. 2

              Newer machines have TRNGs but these older ones that were being exploited do not and instead rely on PRNGs. Implementing a TRNG on old machines would not be worth the hassle according to the article.

            2. 1

              Came here to ask the same question. I suspect the answer has something to do with regulations that require verifiable, deterministic behaviour. I do wish someone with experience writing slot machine code could chime in.

              1. 1

                I’m taking a wild guess here based on how this happened elsewhere. The possible reasons I see are:

                1. Programmer could make games but didn’t know cryptography or care about security. Just used what they learned in a programming book on random numbers.

                2. Cost minimization. Simple RNG can run on dirt-cheap CPU (even MCU). Might add a dollar or ten to profit of each machine if this philosophy is applied throughout its development.

              2. 5

                It shouldn’t be against the law for those Russians to have cheated in the casinos in the way they did. If the casinos don’t want that kind of cheating they should’ve kicked them out of the casino, not used the power of the state to prosecute them. I’m actually pretty angry that they got prison time for that.

                1. 6

                  Ahhh the Joys of Spinning the Truth…..

                  The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played.

                  It’s OK if the casinos cheat…. but people playing the machines are cheating if they win.

                  This is why “Alternative Facts” can survive….there is so much “spin” on the truth these days, alternative facts seem almost straight by comparison.

                  1. 13

                    It depends. If the odds are posted then it’s fair, as in, you know what you are getting into. Same with state-run lotteries. If every spin/ticket has the same chance of winning (and you know the odds) it’s fair.

                    The whole topic of whether it should be legal to exploit the weaknesses of those with a gambling addiction (real addiction, as in they mortgaged their house to play) same as alcoholics at the bar and drug addicts, is a different question we are not discussing here.

                    1. 12

                      If any hacking is going on, it’s hacking of the human reward / risk psychology.

                      Although I’d argue from speaking to various people attracted to Lotto and the like, their understanding of odds and the implications thereof are minimal and heavily skewed by massive saturation advertizing of the upside.

                      1. 5

                        I totally agree, you can’t sell alcohol to minors, because they’re not intellectually equipped to make that decision (as the theory goes). The same goes with gambling and many adults. You can prove that they don’t possess the necessary understanding of probability theory to decide whether they should gamble.

                        1. 4

                          You can prove that they don’t possess the necessary understanding of probability theory to decide whether they should gamble.

                          Yes you can.

                          Step 1: explain the odds. Step 2: ask if they want to play. Step 3: if “yes”, they don’t understand.

                    2. 5

                      Err, usually the payout rates of these machines are not only posted but advertised prominently. When customers know what the rate is it is hardly cheating.

                      1. 16

                        Actually let me hammer on a little.

                        That fine print statement of the odds, and a flashing neon ALL CAPS sign yelling, “WIN A MILLION!!” is exactly the cognitive gap that is thrown at Joe Average every blooming day, which is why we’re now in a world where “Alternative Facts” can flourish.

                        It’s where when casino owners are making a fortune from Joe Average through software that cheats is “not a cheat”, and another guy, using exactly the same software making a smaller fortune “is a cheat”.

                        In my book both are cheats and deserve each other.

                        But the spin in the article makes me angry.

                        1. [Comment removed by author]

                          1. 12

                            Oh I hear you.

                            But let’s be graphically clear that casinos don’t give a shit whether it was with electronic aid or bare human skill.

                            Their definition of a cheater is “any Schmoe we’re not stripping money off.”


                            Still, casinos object to the practice, and try to prevent it,[23] banning players believed to be counters. In their pursuit to identify card counters, casinos sometimes misidentify and ban players suspected of counting cards even if they do not.[24]

                            Casinos have spent a great amount of effort and money in trying to thwart card counters.

                            Conversely estimating blackjack probabilities incorrectly is quite ok.

                            As I said, casinos and these guys heartily deserve each other.

                            That said, I’d bet you a beer that embedded processors with hardware random number generators are about to become more common / cheaper…

                        2. 2

                          Maybe in your jurisdiction. Certainly not on any I have walked past.

                          Even then I bet they are not nearly as prominent as “WIN A MILLION!!! JACKPOT!!”