>>So, the topic of our presentation today is titled Backdooring the Lottery and Other Security Tales of Gaming. Ah, so the overview of the talk will go through some introductions first, who we are, so you get some context, what has happened since 2011 and why that that date is important to me is that’s the last time I was here speaking at Def Con about iGaming, ah, security issues, ah, give a brief historical overview of some attacks and how the, the focus has switched from the physical to now more of a logical side and then probably what’s most interesting and what Evan’s gonna spend a lot of time talking about is ah the Eddie Tipton case, ah, how he discovered, how he rigged the lottery; what Evan did, ah, to reverse engineer the code, etcetera. Ah, if time allows we’ll talk a little bit about the recent Russian, ah, slot attacks, that, ah, you know, they were Wired Magazine recently in the reporter was coming out with another story, ah, in a couple weeks. And then we will try to wrap everything up. So, first one page, one slide about who my company is since they paid for us, SeNet International, ah, look us up, always looking to, to, you know, to, ah, talk to people. Who I am? My name is Gus Fritschie. I’m the CTO of SeNet International and about five years ago after our present, after my presentation, ah, on iGaming, I transitioned ah, a significant portion of our practice into the gaming sectors. I just found it more interesting than, than doing, the government work, ah, that we had been focusing on, and ah, and now I am pretty proud of what we’ve been able to do and the client base we have going across from lotteries to tribal, tribal casinos, corporate casinos, daily fantasy sports, ah, etcetera.
>>Hey, so I’m Evan. Ah, I work for Gus. I live in the, what oh,
>>Work with me
>>Yeah, work with Gus, ah, [laughs], so I live in DC, ah, I work in the [inaudible] distro, it’s a small one. I do reverse engineering and stuff.
And in my free time I hike and climb and I live in a van too. So here’s my van. It’s a, [laugh], but yeah. Gus.
>>So, so Evan limited me to only two memes. So this is, a, this, this is one of them, Um, so this is not gonna be a, a, a, super technical talk, but then again it’s Sunday, last day of Def Con. I am sure we saw, there’s been a ton of great, highly technical talks, you know, there’s more of a story talk, ah, but Evan definitely does get into the details, ah, with the code which I think, you know, those of you who are interested in that subject should find pretty interesting. So what has happened since two thousand eleven? Um, first by a show of hands how many people saw my last one on iGaming security? I was just curious who attended, so a handful of people. So the good news is for all of us online poker players is we got paid back our money from the sites that got shut down, ah, for the most part. Ah, so that’s obviously a good thing. Um, but what we have seen happen is not a lot of movement in iGaming. Ah, the, the green illustrates the states where iGaming is legal. So really we only have three, Nevada, ah, Delaware and New Jersey. Um, and, ah, the yellow is pending, ah, legislation. Why I find this slide interesting is even though it is a small number, it shows that that the footprint is expanding. And I think I don’t have a slide, but if I had a slide where it shows where land based casinos are legal, you will also see that expanding. We have tons of states, even, five years ago that have casinos that didn’t used to have casinos. So we see, uh, um, you know, the, the potential attack footprint expanding. Is there a question?
>>Ah, what is iGaming?
>>Sorry, iGaming, online poker, online slots, you know, gambling basically online, but the, the, the, Caesars and other companies; they like to call it gaming because gambling has a bad, you know, bad sound to it.
>>Thank you
>>So this sector has not been immune to security incidents, just like any other sector that you read about in the news. You know, I am not going to talk about any of these, ah, in any detail. Um, I just picked a random sampling of some of the, ah, breaches that have been disclosed and of course as you know there’s plenty of other breaches that occur that, that never get disclosed that we don’t hear about. Um, so, this is obviously an area that, you know, needs to be secured and I think when it comes to, you know, the public’s, you know, the, the trust in the integrity of gaming is extremely important so without that, you know, you don’t really have a really solid business model. With the Las Vegas Sands I do find this interesting. This happened in December twenty fourteen, um, if you didn’t read about it. I am not going to spend a lot of time but, you know, this occurred to arguably the world’s most profitable gaming organization. You know, they make millions and millions of dollars and at this point in time where the breach occurred they had a very small IT security staff. Ah, I don’t have not done any work with Las Vegas Sands, so I can’t speak to their size of their staff now, but I understand it has increased a lot, grown a lot more, ah, money into security in those environments. But the way this breach occurred was just to show you how easy it was. It was just a development server that was stood up, ah, on the perimeter that they didn’t know about, or they knew about but, you know, it was used as a foothold; then they pivoted inside and they just, you know, ran havoc, ah, destroying, ah, data and it could have been a lot worse if they, ah, you know were more sophisticated and decided to be destructive. Um, so history, let’s get into some of the early attacks against slot machines.
I’m not gonna really too much time so I want to give Evan his piece which I think is more interesting but obviously in the earlier days we had, you know, physical attacks with fake coins, yo-yo-ing with a coin on a string and pulling it back out. Attacks against a bank note validator when those started getting installed. Um, and then we had Tommy Carmichael here who came up with a couple of inventions, ah, or devices I should say that allowed him to commit fraud with a monkey paw which he was sort of able to use to jam up the arm release, uh, the coin hopper and then of course with the light wand, uh, which you know manipulated the sensors and uh, allowed the, you know, the money, ah, to come out of the machine without being won. So we, ah, we saw early attacks were more physical in nature. Um, and then another physical attack that we saw that happened in nineteen eighty and ah, my partner from the lottery sector, Herb Delehanty wrote about this in his book, um, and it was also made into a movie. Ah, I don’t think a very good one, but, it, it, it was there. Um, and they weighted the balls so they weighted the sixes and fours and ah, and this was obviously able to hack them because you had collusion between multiple parties. Um, obviously people realized pretty quickly that it was, ah, that it was a fraud and no one got paid out even the illegal books knew that, ah, prior to the lottery even admitting it. So we had these physical attacks, ah, against slot machines and other, ah, other forms of gaming. And then we see a transition to attacks on the logical, ah, side. And I think we start seeing these stories, you will start seeing how they tied together to what, ah, Eddie Tipton did in the, in the MUSL Hot Lotto, ah, RNG fraud case. So, ah, some of you may be aware of Ronald Harris.
But he worked for the Nevada Gaming Control Board and his responsibility was basically to perform audits of the gaming software and platforms, and one of the, his responsibilities was to audit the EPROMs in the slot machines to make sure that, ah, that they were correct, ah, that they were correct. Um, but what he did was, instead of auditing them, he reprogrammed them, ah, so that, a, when a certain sequence was pushed on the slot machines or a certain number of coins were entered it would pay out, ah, winnings and, a, I spoke to Rex Carlson who is, ah, who was the Director of the Nevada Gaming Control Board and, you know, he said they really don’t know how much money he actually made from this. Um, because he really will never even, he didn’t get caught initially because of this. He got caught because he turned his attention to Keno and this is where it sort of parallels what Mr. Tipton did, in the Hot Lotto case is, since he had access of course to the source code, uh, he found a flaw in the, in the pseudo random number generator and then he wrote a program that allowed him to predict what the winning Keno number was. So, he went to, ah, Bally’s in Atlantic City and with an accomplice they won it on I think the first time, ah, that he played the numbers and they probably could have gotten away with it but they had such poor planning, ah, as far as, you know, what they were going to do after they won. Ah, so this, of course, raised suspicion and the authorities performed an investigation and they went back and looked at the, at the other work that he was performing. So what we see, is we see, you know, individuals with trust. Who were trusted to perform these reviews and had access, ah, to these devices and this will parallel, ah, what happened, ah, with Eddie.
And one last example from a technical perspective and I talked about this, ah, in my last presentation but this is from the Absolute Poker/Ultimate Bet’s Super User scandal, uh, where the owner of the site, ah, I guess I should say alleged, because it was never actually one hundred percent proven. Um, but he had a, convinced one of the programmers that he needed a back door into the program so he could see players’ hole cards because he thought there was; this whole idea was there was cheating and only he could figure out if they were really cheating but he proceeded to use this back door in the, ah, in the poker software to illegally win about twenty million dollars, ah, from players. And this graph shows the individual, one of the accounts, and you can see that he’s way off there as far as the norm from, from a winning, winning percentage. Um, so once again we have examples from, ah, from Ron Harris with the Keno, uh, you know, being able to, ah, access the source code and ah, and find weaknesses. Here we have an example of placing another backdoor in the system allowing the, ah, allowing cheat and fraud to occur in the poker. So, now I’m going to turn it over to Evan where he is going to get into the current events and, ah, what I think is the most interesting topic of this talk.
>>All right, cool. So this is my first talk by the way. Ah so, [laughs and claps]. So in case you guys aren’t familiar with how the like lottery works, ah, there’s individual state lotteries and each lottery, ah, manages itself. But there is something called MUSL, which is like an organization which oversees all the state lotteries, well most of them. Um, so, ah, like back in two thousand five wasn’t it? Or was it two thousand four. Ah, it doesn’t matter, so like a while back this guy named Eddie Tipton got a job at MUSL to write an RNG.
Uh, so some of the state lotteries use like computer numbered, computer RNG’s so like drawing numbers, ah, others use like balls out of hats, stuff like that. Ah, well not actually hats but um, yeah, ah, so he got a job writing an RNG and pretty much immediately he rigged it, ah, because obviously he wanted to make money um, and they weren’t paying him very much. Ah, but ah, yup, so a these are all the faces involved in this. Tommy Tipton is like his brother; he was involved in it, he helped cash out tickets. Uh, Robert Rhodes, also helped cash out tickets. It was like a friend of his. And then Rob Sand was the Attorney General in charge of like the case. Uh, all right so, uh in two thousand ten uh, Eddie, went into a gas station in Iowa and uh, purchased a ticket for a lottery game. Um, he waited a whole year to claim the ticket which is pretty suspicious. Um, and then also he used a mysterious company incorporated in like Belize and ah, he went through an attorney to try to cash out the ticket. So it was obviously extremely suspicious and ah, the lottery security caught wind of that and ah, decided to do an investigation into it. Um, he also couldn’t receive the money until they completed the investigation and they refused to give their identities and it is possibly illegal. Um, so they withdrew their claims to the prize, uh cause I am assuming they did not want to get caught. Um, let’s see here. Apparently they also received a tip from somebody, ah, that Tipton was the person in the video, actually I think I know who that was, but, um, yeah. Ah, so they started a full investigation in which involved the FBI and stuff too. Um, and they determined that it was him, ah, that purchased the ticket. And because he worked for the lottery, he was banned from playing the lottery, ah, and they kind of used circumstantial evidence to convict him before they actually knew how he actually rigged the lottery or that he did for sure. 
Um, yeah, let’s see, he was sentenced to ten years in prison, ah, he was out on bond or bail pending appeal, ah, for a good like year. He actually just pled guilty pretty recently. Um, this should be point seventeen, but yeah. And here’s a quick timeline of events. So he was hired in two thousand three at MUSL and the first known case of fraud was in 2005. There could have been earlier cases though; cause there was written in 2004.
>>And what is interesting about the timeline here if you look at where it says that that the Colorado Lottery fraud, Wisconsin Lottery fraud, Kansas Lottery fraud, you see a pattern there. They’re all on the same date and that’s what Evan will talk about when he gets into how this code actually worked and how it allowed him to predict what the winning numbers were going to be.
>>And also, these are just known cases of fraud. Ah, there are probably more, um, especially since we found a third date in the code itself which there were no known cases of fraud for. Um, so, let’s see here. Uh, there we go.
>>Nah, nah I just also wanted to also ah, ah a couple of gaps just, in the in the story. As Evan mentioned, he was really; he was convicted initially of a charge on really circumstantial evidence. I mean, they had video footage from the from the store, ah, which when you think about it he really made a big mistake because when he, in the other cases of fraud he actually never bought the tickets himself; he had his accomplices, his brother or Robert Rhodes buying the ticket but in this case he actually went in and bought the ticket himself. And perhaps that is because the prize value was so large that he just didn’t feel comfortable having someone else buy the buy the winning tickets. And he actually went to a convenience store that had audio and also video surveillance.
So there’s other stores that he could have gone to that wouldn’t have had the video or the audio and it’s really the audio was what convicted him because his voice is very distinctive and they were able to prove it that way. Of course, he felt and his lawyers felt that was circumstantial evidence and they did appeal it and during that appeal process ah, that’s when we were able to get a hold of the, of the Wisconsin lottery RNG which Evan will talk about; and what he did. But, you know, how do you go about rigging a lottery? And this is my second and last meme so I was only allowed two, um, but obviously you become a lottery developer; write code and have your friends buy the winning numbers. It’s that easy. And luckily for the first time we have video surveillance of Eddie Tipton actually performing the programming. [laughs] Naw, naw Evan will tell you how he really did it.
>>Yeah so, um, I already kind of went over this part, but um, so basically what he did; he worked for MUSL, um, So not all the lotteries, the state lotteries use the RNG; some of them use third party RNG’s and others use like machines that throw balls up in the air and they come back down and stuff like that which is what lotteries should do by the way; ah, they should not use computers to generate numbers but this is for us [laughs]. Um, so while he worked there, um, so they have like a supervised build process, um, so you have how got past that process which made the numbers predictable on three dates with other conditions as well. Um, and the binaries and the source code were certified by a major testing lab but in the way he did it wouldn’t have mattered unless you really went in depth and ah, checked the binary against the source code, ah, stuff like that. He also had access to the computer images, too, which he could have rigged and used like a root kit or subvertive, ah, changed the numbers as well. So even if he wasn’t the one writing the code he could have rigged the lottery as well.
Um, in twenty sixteen, we were contracted to perform imaging as one of the RNG’s, um, and we were actually given permission to review the images at some point and, ah, I was asked to, ah, try to figure out how he did it, um, so at this point nobody had any idea how he actually did it. Um, he didn’t seem smart enough to use a root kit, so uh, when he was convicted, it was assumed he used a root kit to change the numbers uh, cause they didn’t find anything in the code and apparently they didn’t find the binary to be malicious in any way and um, like I find it kind of questionable that they analyzed that, but yeah. Um, so I decided that it, since he was the one writing the RNG itself that I just looked at the binaries and compare them to the code. So I didn’t actually have the code initially so I just started like, uh, just going through the binaries and reverse engineering them. So there are a few binaries that um, the main executables and libraries and stuff like that. Um, so the most interesting binary was one that actually, ah, actually contained like the RNG itself, ah, so it was actually the first binary that I looked at; I started looking at. Um, and this is pretty much what I just said. So I was skimming through all of the functions of the binary and, ah, one of them pretty much caught my eye pretty much immediately. And at this point I knew that um, all the winnings, all the known cases of fraud were on certain dates, so this one I saw had a bunch of date functions right at the top. Ah, so like that’s probably it, um, like I saw another reason for them to states, so I started reverse engineering it and I saw pretty much immediately that it was referencing those specific dates, ah the two dates that we knew and a third day as well. Ah, so I reverse engineered it and figured out exactly what it was doing and how it was seeing the RNG and everything like that.
Um, so also it was at the end of the binary was pretty suspicious so, it’s like somebody tacked on that function at the very end of the like a file. Um, unless you got the source code for the RNG and we saw that there was no; that function wasn’t in there. Um, there are twenty five functions in the source code and twenty six in the binary, ah. As you can see. But yeah, um, so ah yeah. That’s about it. That’s how he did it. Ah, he just, I can go into details on that real quick. Um, so basically each time a number is drawn this function was called and it would receive the RNG with predictable values, um, on certain days of the year. It also had to be like a Wednesday or Sat er uh, and it’s supposed to be Sunday, Uh a Wednesday or a Sunday. Um, here’s like the code. Uh, his function. And so we actually see the RNG of a bunch of values from the computer. I am not really sure why he did that. He could have used anything really, uh, he’s like a computer name and added like added them up in like through that to seed with like the values to the game and everything. Um, he kind of made it more complicated than was necessary, ah, which made him have to buy more tickets than necessary. In some cases he bought multiple tickets cause he wasn’t sure what the values would be. Um, yeah. And so here’s why certification did not work, ah, it was it was certified by one of the major testing labs, um, and their testing process was to run the output of the RNG through a bunch of statistical tests; um, which is great so it showed the results were unbiased but it doesn’t really catch anybody rigging it. Um, they performed an audit of the source code but the source code you can probably see the difference it will slip that past the supervised build process. Ah, pretty easily, ah, so that’s questionable. Um, and here’s how he could have done it better too. He rigged it only three days a year which made it pretty easy to identify the winnings.
Um, if he rigged it on every single day of the year, it would be extremely difficult to identify by the winnings ah, cause what they did what the investigators did was they knew that he was like using certain dates, um, so they just went through all those dates and they looked up all the winnings. Um, and the ones that were most suspicious and they followed those leads, ah, so obviously if you rigged the lottery, definitely do every single day of the year. Um [laughs], and yeah. And also he could have made it, the method of rigging it more discreet. Ah, he could have used root kits and you know changed the numbers in memory. Um, and that would have been much more discreet in ‘ch’ like having it in the binary, ah, cause what we do now is we, ah, check updates to the RNGs, uh, and compare them to the source code via Bindiff, or if it’s in Java a write a custom tool for that. Um, so we can catch updates like, ah, if anybody tries to like, ah, if a vendor tries to like pass a like a back door in like inside the, ah, update we can catch that pretty easily. Um, so how can this be prevented, ah, source code should undergo in depth third party reviews. Um, I think the supervised builds are important too. Um, as an additional layer but for updates and if you’re just like, if you have a binary, um, and you’re not concerned about the system image, um, it’s pretty easy to check those with like Bindiff to make sure they’re not malicious after reviewing the source code. Um, so what we can do is compile the source code and compare it to like the actual binary we get. Um, but there’s another issue like the system image too. Where these guys are building a system image that’s not supervised at all. So they could obviously slip something in. And ah, it’s pretty difficult to supervise that entire process. Ah, you can’t check the image. You can’t be certain of finding anything in there. Um yup, there you are.
>>So thanks Evan, I think you went over that very well.
Um, you know when you think about it, he actually you had a pretty good idea because once he got this QVRNG.dll file in pat’, certified by the testing labs and you know once again you if the testing labs supposedly and I know they do now because we do, you know, review the source code line by line, ah, but, you know, and they were, ah, supposed to you know watch them compile the codes because if they end up hashing those binaries ah, so in some way we not completely sure he was able to get the testing lab to certify this code was valid and he had it on all these boxes and that never changed. You know he would make modifications perhaps a QV.exe to the executable but he never ever had to modify the .dll. So actually what was interesting, ah, when we reviewed some of the more recent MUSL RNGs and you have remember, he started this process in two thousand three, you know, he wasn’t this fraud case didn’t happen until two thousand eleven. He wasn’t you know convicted, ah, until two thousand fifteen. That’s a lot of time going on for him to make modifications and, ah, you know, as Evan mentioned there are other commercial RNGs in the lottery sector, um, but you know some of the state lotteries; you know their whole mission is to give back to education or whatever, you know, ah, ah, whatever there uh, is it, in written into the law and, uh, you know, so they’re very frugal with their money and they didn’t want to you know pay two hundred thousand whatever for a RNG so they would pay MUSL a much lower cost. So you have all these RNGs being used in other states and when we reviewed some of the other ones, in other states uh, at least the ones we could get the images to you know it was interesting because the executable was not, was not calling the QVRNG.dll. Correct, Evan?
>>Yeah, the newer ones
>>Yeah the newer one, so somewhere along the line I think he got scared or nervous perhaps after his, his jackpot win and switched the code so people wouldn’t even look at the QV, QVRNG.dll and maybe his plan was once things died down he could just, you know, call it again, uh, in the future.
>>Also I think he just, ah, he left the binary out there when he updated. I think he just left in on there to be honest. Ah, there’s been some speculation that he left it on there because he would switch back in the future but I think he just left it on there when he updated. He never deleted it to be honest.
>>Yeah the, there’s I mean, there’s different theories for, for why he did that. Um, but in the end I think it’s uh, a case of where we see breakdowns in a couple different areas and probably the most obvious and basic is that separation of duties. Here you had somebody who was Director of Security at MUSL who was a lead programmer. He had physical access to the boxes. He had everything. And to give MUSL credit now they have completely revamped their entire process, uh, and their operational and management and technical controls are you know a hundred times better than they were, uh, when this fraud, ah, was, uh, what was committed. So I, we can probably, definitely go into more detail and talk later, ah, about the Tipton case outside if you guys have specific questions for Evan like getting into the weeds of it. Um, let’s just check my time here. Ah, we’ve got plenty of time. Ah, I felt we rushed because I was nervous about the video issues in the beginning. Um, so the Russian slot machine hacking. And this sort of ties everything back to the present. We had, we talked about Ron Harris, uh, back in the mid nineteen nineties you know we have the iGaming, uh, the Ultimate Bet/Absolute Poker, you know, fraud.
We have this Tipton case and here we have this you know Russian slot machine hacking which a very good article which I’m sure most of you read because it was widely tweeted, uh, at least on my Twitter feed, um and I give a link to it there. Uh and also Willy Allison, World Game Protection Conference, he was also quoted, ah, in the article and, ah, and World Game Protection Conference is a conference here in Vegas in the December time frame and, ah, it pretty much focuses on physical security but he’s broadened it and, ah, he has some inside information as far as how this fraud occurred as well but basically just to re-hash the story and tie it back in. In two thousand nine Putin made, ah, gambling illegal in Russia. There was this flood of slot machines on the black market, um, so, a, some of them or a lot of them, you know, were sold to other casinos but some found their ways into the hands of the Russian Mafia. And ah, they ended up reverse engine, well I’ll just get to that piece of what they did. But in two thousand eleven some casinos in Europe were noticing some suspicious payouts and then in two thousand fourteen in, ah, Missouri, ah, they noticed, ah, unusual and high payouts on some particular slot machines. Um, so they started investigating this, you know, and they, and you know this is where you have compensating controls and other pieces actually worked to end up detecting the fraud. Because they had to go back to the physical surveillance cameras and, ah, tie this all together, um, but these individuals they came back and they were later arrested, ah, in Missouri and then some more were arrested in Singapore, ah, last year. But what did they do? They reverse engineered, similar to what, you know, Evan did with the, with the code, but they reverse engineered, ah, the software; ah, the binary on the slot machines and they found a weakness, ah, in the PRNG.
Uh, so what they would what the guys would do is they would take a video of a certain number of spins, um, you know twenty, I say twenty four there but, um, it varied, ah, and that data was transmitted back to their comrades, ah, back in Russia where they were using, ah, you know, very high, ah, powerful computers to, to process this data send it back to them. They had an app on their phone which would then vibrate a couple seconds, milliseconds before they were supposed to hit the button and it wasn’t always successful but it did result in a much higher payout, um, and so this is an example where we have a case where there was a weakness in the, ah, computer programming in the RNG. This wasn’t built on purpose, it was just a mistake that the developers made. Um, and this vulnerability, you know, impacted a particular vendor, ah, Aristocrat, I believe, on their older, uh, versions but, ah, the claim now is and I think not to steal the reporter’s thunder but that they claim that have working code for even modern, more modern, ah, slot machines and are threatening to release this code to the general public. They were trying to blackmail Aristocrat, I believe, ah, but ah so far that hasn’t worked. But it will be interesting to read the story when that comes out. So, we talked about some issues here in, in a lot of, ah, different, ah, different sectors. What can casino and operators do to better protect themselves? I think it’s a lot, no different than any other industry from healthcare to banking, you know, we get caught in this trap of compliance, you know, we gotta be compliant, we gotta be compliant, we gotta be compliant and we waste a lot of money on paper doing that but we have to understand, I know I am preaching to the choir that compliance does not equal security. And ah, you know, when I first got into, you know, working with casinos and other gaming operators I, I went in there thinking these guys going to be super secure.
You know, you see all the movies, you know, Ocean’s Eleven they got all this surveillance cameras and they are very good from a physical perspective for the most part. But you know, quite honestly they, they, they really are lacking, ah, in the technical security controls. But that’s really no different than any other sector and they are doing a lot more now to improve, ah, themselves, they’re being proactive. I’m working with several. I know other firms are working with them, so they really are taking it, ah, to heart to improve their security and protect their players, uh, uh, their players’ data. Um you know, they, more money needs to be spent, ah, on information security and also the operators need to start asking the game manufacturers what, what, how is your system secure? What controls do you have in place? And you know, I’ll give you an example, we were working with a, ah, one, ah, a casino organization and, ah, we were doing a security assessment; just a basic vulnerability assessment and, ah, realized that from the corporate network we could get from to the slot machines and touched an interface card in the slot machines and when I brought that up to the director of IT’s ah, attention because I was curious, like, should you be able to do this? It didn’t seem right. He was like well let me fire off a note to the ah, I’m not going to say the gaming manufacturer’s name. And they came back, oh no, the only things these should talk to is, ah, is a their tracking database. It doesn’t need, it should be firewalled off. So you have, you know, operators, you know, operators are trusting their vendors to do their installations and they are not and you know sometimes not doing it correctly and then also questioning what other controls do you have in place, you know, as far as SDLC process, ah with this code.
You know, obviously, these huge organizations they are not like MUSL, they don’t have one guy writing the code ah they have hundreds, ah, but how do we trust that that code is secure especially when we are dealing with some, ah, a lot of the gaming operators do a large amount of off shore, ah, development. What are the controls in place? Luckily, we do have gaming regulations with security components. You know, when New Jersey, uh, the second state to legalize the iGaming, ah, they came out with very, very comprehensive security controls. At least, at least more comprehensive than what was in the unregulated industries. If you recall at that time there was really no security controls in place. Ah, and you know, to date, New Jersey is very proud of the fact that they haven’t had a security incident or a breach or their controls are working effectively. You know, Maryland, for example, ah, their gaming commission requires their land-based operators to undergo an annual security assessment. Once again, I am not saying it is perfect but it’s a step in the right direction to have these security regs, these compliance regulations in place. And then, of course, we have our regular regulatory compliance standards, PCI, etc. but as the last bullet says there often it’s left up to the operator to determine the level of security that is implemented. There’s not strict guidelines even when it comes to New Jersey and the testing; it’s sort of left up to us working with the operator to determine how deep we dive and as you can guess a lot of that comes to funding and budget for those operators. So conclusion, while regulated iGaming has added additional controls, you know, there’s still room for improvement both on the operators and regulators. And this goes to brick and mortar casinos as well and also to the lottery sector. Um, you know, in my opinion as I mentioned, I think one of the key risks is in the code. And that’s what concerns me most.
You know, and I think this applies to all forms of online, online gambling and also brick and mortar. Ah, I mean, it would be in my opinion pretty easy for something to be ah, added, to-to-to one of these iGaming sites that could allow fraud to be committed. It’s happened in the past. I think it’s going to happen again and it’s very important for the regulators and operators, ah, to work together and, you know, the last point is as you saw in the slide with the map, you know, while it is still small with iGaming, it’s growing. Daily fantasy sports is here. You can’t watch an NFL football game without seeing Draft Kings or FanDuel advertising. You know, it has become more widely accepted. You know sports betting is a, looks like, you know, it could become legal in in other states besides, ah, Nevada. Um, you know, no longer is gaming focused on Nevada and Atlantic City; it’s across the entire United States and as it becomes, you know ah, you know, as it expands that attack footprint expands, ah, the opportunity expands for crime and fraud to be committed. So that’s what we have. I hope you enjoyed the presentation. I’m sorry for some of the technical delays and we rushed a little bit, ah, in the beginning when we probably didn’t have to. Um, but, we would love to speak with any of you, ah, outside, if you have any specific questions, especially for Evan, I know he went through those code, those code slides pretty quickly but, you know, he can definitely go into more detail as far as how that code worked, the various functions etcetera, etcetera, but thank you for attending and enjoy the last day at Def Con. [Applause]