According to the statement, Kusznirewicz was playing an OLG slot machine called Buccaneer at Georgian Downs in Innisfil, Ont., on Dec. 8 when it showed he had won $42.9 million.

When the machine’s winning lights and sounds were activated, an OLG floor attendant initially told Kusznirewicz to go to the “winners circle” to claim his prize, according to the statement. But other OLG employees immediately arrived and told him that the corporation would not be paying, because there had been a “machine malfunction.”

They offered him a free dinner for four at the casino’s buffet.

In a press release, OLG described the malfunction as follows:

“The single Buccaneer-themed slot machine in question is a two cent per play machine with a base game reward of $300 and an absolute maximum payout of $9,025,” the release states.

“The $42 million figure is not a possible award given this machine’s configuration and pay table settings.”

Of course the lawsuit will probably be thrown out, or OLG will settle with the guy for a lesser amount. But from a technical perspective, it’s amusing to think about what happened to cause this scenario. You can imagine the slot machine software looking something like this:

void do_spin() {
  spin_reels();
  if (winning_combination) {
    unsigned int winnings = calculate_payout_in_cents();
    send_to_display("You've won $%u!n", winnings/100);
    add_to_balance(winnings/100);
  }
}

int calculate_payout_in_cents() {
  int rv;
  if (rv = lookup_payout_amount())
    return rv;
  else
    return -1;
}

For some reason, something caused lookup_payout_amount() to return NULL, which meant calculate_payout_in_cents() returned -1, signifying an error. Then, in addition to implicitly casting the signed result to an unsigned type, do_spin() fails to check for the error condition! It assumes success and announces the payout via the slot machine’s display. In this case, the -1, represented as 0xFFFFFFFF in two’s complement, gets interpreted as an unsigned number, 4294967295, due to the implicit cast, and the display prints “You’ve won $42949672!”

Today’s lesson: remember to check your error conditions!

FREE Security Tutorials from Veracode

Cyber Security Threats
Mobile Phone Security
Flash Player Security
SQL Injection Attack
CRLF Injection
 

Veracode Security Solutions

Software Security Testing
Binary Code Analysis
Application Testing
 

Veracode Data Security Resources

Data Breaches
Data Loss Prevention
Data Security

Dino Dai Zovi on Mac OS Xploitation. Dino showed how to exploit a quicktime heap overflow. He got the built in iSight camera to take a picture of his victim and send it to him just by clicking on a malicious quicktime movie file. He talked about how exploiting OS X is 1999 all over again because of the lack of ASLR and stack canary protection. He said hacking Windows and Linux is a chore, but OS X is still fun.

Chris Gates and Vince Marvelli on Attacking Layer 8: Client Side Penetration Testing. Client side attacks are on the rise and now the corporate attack of choice yet we don’t pen test for them. What’s up with that? The video for this one is already available online at Vimeo.

Val Smith on Dissecting Foreign Web Attacks. Val unwound one of the popular attacks of our time: compromising web sites to install malicious code that owns the browser and then installs a bot. We all understand it is possible but it is great to see all the tricks of the trade. It is pretty clear that the source of this one was China.

Chris Hoff on The Frogs Who Desired A King: A Virtualization and Cloud Computing Security Fable Set To Interpretive Dance. This talk is being touted as the best ever. Unfortunately I missed it. Can’t wait to see the video.

The videos for all the SOURCE talks should be on-line over the next few weeks. Check www.sourceconference.com

There are some other reviews of the conference out there that will help you decide which videos are worth watching:

• Thoughts On Source Boston
• Review Source Boston 2009
• Comments on Chris Hoff’s talk

Veracode Security Solutions

Security Threat Guides

Date: 4 Mar 2009 01:34:21 -0000
From: D. J. Bernstein
To: dns@list.cr.yp.to
Subject: djbdns<=1.05 lets AXFRed subdomains overwrite domains

If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.

The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky's patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.

---D. J. Bernstein
Research Professor, Computer Science, University of Illinois at Chicago

--- response.c.orig 2009-02-24 21:04:06.000000000 -0800
+++ response.c 2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
uint16_pack_big(buf,49152 + name_ptr[i]);
return response_addbytes(buf,2);
}
- if (dlen <= 128)
+ if ((dlen <= 128) && (response_len < 16384))
if (name_num < NAMES) {
byte_copy(name[name_num],dlen,d);
name_ptr[name_num] = response_len;