The Ontario Lottery and Gaming Corp. is in a bit of hot water after refusing to pay a $42.9 million jackpot:
According to the statement, Kusznirewicz was playing an OLG slot machine called Buccaneer at Georgian Downs in Innisfil, Ont., on Dec. 8 when it showed he had won $42.9 million.
When the machine’s winning lights and sounds were activated, an OLG floor attendant initially told Kusznirewicz to go to the “winners circle” to claim his prize, according to the statement. But other OLG employees immediately arrived and told him that the corporation would not be paying, because there had been a “machine malfunction.”
They offered him a free dinner for four at the casino’s buffet.
In a press release, OLG described the malfunction as follows:
“The single Buccaneer-themed slot machine in question is a two cent per play machine with a base game reward of $300 and an absolute maximum payout of $9,025,” the release states.
“The $42 million figure is not a possible award given this machine’s configuration and pay table settings.”
Of course the lawsuit will probably be thrown out, or OLG will settle with the guy for a lesser amount. But from a technical perspective, it’s amusing to think about what happened to cause this scenario. You can imagine the slot machine software looking something like this:
void do_spin() {
spin_reels();
if (winning_combination) {
unsigned int winnings = calculate_payout_in_cents();
send_to_display("You've won $%u!n", winnings/100);
add_to_balance(winnings/100);
}
}
int calculate_payout_in_cents() {
int rv;
if (rv = lookup_payout_amount())
return rv;
else
return -1;
}
For some reason, something caused lookup_payout_amount() to return NULL, which meant calculate_payout_in_cents() returned -1, signifying an error. Then, in addition to implicitly casting the signed result to an unsigned type, do_spin() fails to check for the error condition! It assumes success and announces the payout via the slot machine’s display. In this case, the -1, represented as 0xFFFFFFFF in two’s complement, gets interpreted as an unsigned number, 4294967295, due to the implicit cast, and the display prints “You’ve won $42949672!”
Today’s lesson: remember to check your error conditions!
I had a great time at the SOURCE Boston conference last week. Veracode was a sponsor and a few Veracoders participated as advisory members or volunteers. I had the pleasure, along with Chris Eng, of presiding over the application security track. I think all the talks were of high quality but still a few stood out for me:
Dino Dai Zovi on Mac OS Xploitation. Dino showed how to exploit a quicktime heap overflow. He got the built in iSight camera to take a picture of his victim and send it to him just by clicking on a malicious quicktime movie file. He talked about how exploiting OS X is 1999 all over again because of the lack of ASLR and stack canary protection. He said hacking Windows and Linux is a chore, but OS X is still fun.
Chris Gates and Vince Marvelli on Attacking Layer 8: Client Side Penetration Testing. Client side attacks are on the rise and now the corporate attack of choice yet we don’t pen test for them. What’s up with that? The video for this one is already available online at Vimeo.
Val Smith on Dissecting Foreign Web Attacks. Val unwound one of the popular attacks of our time: compromising web sites to install malicious code that owns the browser and then installs a bot. We all understand it is possible but it is great to see all the tricks of the trade. It is pretty clear that the source of this one was China.
Chris Hoff on The Frogs Who Desired A King: A Virtualization and Cloud Computing Security Fable Set To Interpretive Dance. This talk is being touted as the best ever. Unfortunately I missed it. Can’t wait to see the video.
The videos for all the SOURCE talks should be on-line over the next few weeks. Check www.sourceconference.com
There are some other reviews of the conference out there that will help you decide which videos are worth watching:
A security bug was found in djbdns. Daniel Bernstein pays his promised security bug bounty for the first time. More details about the bug on BugTraq.
Date: 4 Mar 2009 01:34:21 -0000
From: D. J. Bernstein
To: dns@list.cr.yp.to
Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains
If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)
Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.
The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky's patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.
---D. J. Bernstein
Research Professor, Computer Science, University of Illinois at Chicago
--- response.c.orig 2009-02-24 21:04:06.000000000 -0800
+++ response.c 2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
uint16_pack_big(buf,49152 + name_ptr[i]);
return response_addbytes(buf,2);
}
- if (dlen <= 128)
+ if ((dlen <= 128) && (response_len < 16384))
if (name_num < NAMES) {
byte_copy(name[name_num],dlen,d);
name_ptr[name_num] = response_len;
