$16.5 million
for 10 years' jail time.
Worth every cent I'd say - certainly beats working for a living (pays more too).*
Hope, for his sake, he didn't stash it in Panama though.
The Multi-State Lottery's former IT security boss Eddie Tipton smuggled code onto lotto machines that allowed him to predict the numbers drawn on certain days of the month. That's according to investigators in Iowa this week. In July, Tipton was found guilty of fraud in the US state, and was sent down for ten years, for …
It may well be much more than 10 years. "He's now awaiting trial in Colorado, Wisconsin, Oklahoma and Kansas"
The guy was probably well paid as an IT boss and used to a certain lifestyle he won't be living from now on. He looks like 50+ years old in his mugshot - chances are that after all those other states have piled their sentences over this first one the guy is geriatric or more likely dead before released. The article doesn't state whether the money was recovered, spent or stashed. Likely his current house and belongings are going under the hammer to pay for everything.
"$16.5 million for 10 years' jail time"
Except he doesn't get to keep the money, so it's $0 for 10 years' jail time.
[IIRC, he never got the money in the first place -- lottery officials refused to award the prize money because it was being claimed by an anonymous off-shore trust company or something like that.]
Oh, and it wasn't 16.5 million he never got his hands on, it was 14.3 million.
They get far less auditing and attention than lottery machines, and something this basic still slipped through! So does anyone really think it would be hard for insiders to write similar software for a touchscreen machine that did some checks of date, contents of ballot, etc. so that it recorded votes 100% accurately during testing, but on the day of the election silently switches 5% of votes in certain preselected precincts? There's no paper trail to audit, no way to know it switched your vote, no way anyone could even find out since 5% is within the expected margin for exit polling.
Oh, you say "surely they'll notice if the exit poll margin is always tilted in one party's direction, right?" That's easy to fix, you tilt it the OTHER direction in unimportant local races, and in states that are so red or so blue 5% won't matter to the outcome. You reserve the switcheroo in your party's (or the highest bidder's) favor for the toss up states, where it really matters!
Completely agree. $16.5M is chump change compared to getting control of a country. It is WAY too important to trust to anything more complex than pencil and paper. Pencil and paper and a chain of mutual distrust works bloody well, is scalable, is hard to rig, and most importantly is simple enough for people to see democracy in action, not trusting it to mysterious forces. This is why they allow TV in parliament, and before that the public and press galleries to show the open process.
The problem in the US is that control over the elections is done by officials that are either elected positions or political appointees. So a place like Chicago where the democrats are in power they are able to do some things like bringing out the dead to vote. Likewise in some states where republicans are in power, they have enacted voter ID laws - claiming to combat the imaginary problem of voter fraud but it is really about suppressing turnout of minorities and students who are less likely to meet the ID requirements (and allows for challenging the veracity of their ID even when they do have it, which requires them to produce further proof later for that ballot to count...knowing most won't bother)
Then you have the problem of gerrymandering, in which district boundaries are redrawn every 10 years after the census. With computers that's now down to a science, and is one of the primary reasons why US politics have become so polarized. The strategy is that the party in power gets to redraw boundaries in most states, so they will attempt to maximize the number of people from the other party in some districts, and create reliable majorities for their party in others, with the goal of maximizing the number of safe seats for their party. The US would really benefit from a law that required that be done by computer according to a formula that drew boundaries in a sensible way that followed existing county or city borders as much as possible, but of course Congress has zero incentive to pass such a law or even discuss it because many of them would lose their jobs.
Obviously a state like Utah or California is going to have more voters of one party than the other no matter how boundaries are drawn, so they might still have a number of such 'safe seats', but those states that are evenly split like Florida or Ohio would have much more competitive congressional elections than they do now, and when the parties nominated a guy on the extreme he'd lose to a more moderate foe. Currently it doesn't matter how extreme a nominee is, if he's running in a safe seat where his party has a clear majority he's going to win even if he's batshit crazy.
"So a place like Chicago where the democrats are in power they are able to do some things like bringing out the dead to vote. Likewise in some states where republicans are in power, they have enacted voter ID laws - claiming to combat the imaginary problem of voter fraud" - The dead voting is by definition voter fraud so it is not an imaginary problem especially in Chicago or some counties in Colorado where there were more voters than residents old enough to vote.
Are they having living people actually coming to the polls and claiming to be the dead person, or are they just using absentee ballots in the dead person's name? I would assume the latter, as that is much easier to manage with a large pool of "voters", and with much less risk of detection. The voter ID laws don't do anything to improve the security of absentee ballots.
Just have a party sympathizer at an apartment building or retirement home who can collect absentee ballots mailed to designated nonexistent apartment numbers or room numbers.
>code that was installed after the machine had been audited
Why was the code not in Read-Only Memory? There are so many things that don't add up, here. A "security boss" with access to the code repository and the code release mechanism... Mutable code in the actual machine which draws the numbers (I assume there is only one, or maybe two, to give redundancy)... No checksumming of the audited code, to be verified before each run? And this for a lottery enterprise, that by definition depends on the trust of its users. At least in the UK national lottery, the numbers are chosen by an assured chaotic physical system in plain view. Why is anybody using digitally generated random numbers, anyway?
The software needs to be installable on the server because it has to be updated so it can't be on ROM. Practically any method used to protect it can be furtled by someone who is trusted with root. If there's a process which regularly checks executables against a list of checksums, the checksum list can be changed too. It's not as if the system as a whole or even each executable can be verified before each run either, lottery terminals are constantly hitting the system all day. As for digitally generated random numbers, does that include a lucky dip? You can argue about how random it is, but it's probably more random than people choosing their own numbers.
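The checksum-list point debated in the two comments above, as an added example (not part of the thread and not any lottery system's code): a file check that trusts an on-host checksum list passes after both a file and the list are changed, while the same check against a digest of the list recorded at audit time does not. It assumes that pinned digest is stored off the machine and that the check is run by someone other than the administrator; file and function names are hypothetical.

```python
import hashlib, json, os, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root, names):
    """Audit step: record the digest of each audited file as canonical JSON bytes."""
    entries = {n: sha256_file(os.path.join(root, n)) for n in names}
    return json.dumps(entries, sort_keys=True).encode()

def verify(root, manifest, pinned_digest):
    """Return findings; an empty list means the files match the audited state."""
    if hashlib.sha256(manifest).hexdigest() != pinned_digest:
        # The list itself changed, so none of its entries can be trusted.
        return ["manifest: differs from the digest pinned at audit"]
    findings = []
    for name, digest in json.loads(manifest).items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            findings.append(f"{name}: missing")
        elif sha256_file(path) != digest:
            findings.append(f"{name}: modified since audit")
    return findings

def write(root, name, body):
    with open(os.path.join(root, name), "wb") as f:
        f.write(body)

def demo():
    names = ["draw.bin", "rng.bin"]  # constructed stand-ins for audited software
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            write(root, n, b"audited build of " + n.encode())
        audited = build_manifest(root, names)
        pinned = hashlib.sha256(audited).hexdigest()  # assumption: stored off-host
        clean = verify(root, audited, pinned)
        # Post-audit change by a privileged user, with the on-host list regenerated.
        write(root, "rng.bin", b"changed after audit")
        regenerated = build_manifest(root, names)
        on_host_only = verify(root, regenerated, hashlib.sha256(regenerated).hexdigest())
        with_pin = verify(root, regenerated, pinned)
        with_audit_copy = verify(root, audited, pinned)
    return clean, on_host_only, with_pin, with_audit_copy

if __name__ == "__main__":
    for result in demo():
        print(result)
```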
"Practically any method used to protect it can be furtled by someone who is trusted with root."
Now, either I've massively misunderstood the principles behind things like ARM TrustZone (which has been around for many years), or perhaps you're unaware that there is a world outside x86, a world where many alleged problems are already solved, including the one of not being able to protect secrets from, and prevent tampering by, someone with root access.
Actually even the x86 world has its TrustZone equivalent now: SGX.
https://software.intel.com/en-us/blogs/2013/09/26/protecting-application-secrets-with-intel-sgx
Go have a read. At least one of us will find it enlightening.
That said, pencil and paper ballots are fine by me. Voting machines, less so, for the reasons demonstrated here.
"ARM servers aren't going to be used for lotteries"
If they are a more trustworthy way of e.g. generating trustworthy random numbers than something that doesn't have a root-proof anti-tamper mechanism (e.g. historic x86), wouldn't you say someone ought to be asking why they *aren't* being used for e.g. the random number generation part of lotteries?
Or am I missing something?
Part of me respects his ingenuity and feels that you can't blame the man for trying. Of course since he was caught, maybe he wasn't so ingenious.
I think we all have on some level a deep-seated desire to pull one over on the powers that be, and winning the lottery, naturally. Most of us have somewhat better impulse control though. Morality? Or at least more fear of repercussions.
Tell her if she's going to gamble, do it properly, or just spend the money on something you like.
Lottery odds are awful compared to pretty much any bet you can lay at a bookies, scratchies even worse.
At least poker or sports betting involves some small amount of skill, allows you to "put your money where your mouth is" and you win at much higher rates, with massively higher returns.
You'll still generally lose your money :)
I've always managed to win* money from casinos, and know a few professional gamblers, so if you have an effective system and stick to it, you can even come out ahead. None of them bet on sports that they actually liked (rugby league, sumo and tennis) but had a very good understanding of the stats, and were quite unemotional about how they bet.
In NZ, I'd always bet against the ABs**, and mostly won the bets.
*per session, I'd always leave when I was up, and ~80% of the time my winnings were less than $5/hour of playtime.
** usually a spread bet, so not that they would lose, but they would win by less than 20.