Skip to content
Naked Security Naked Security

Lottery chief who “rigged the randomness” is jailed for 10 years

He was supposed to protect the lottery from fraudsters and cheats, but the court was told that he used USB malware to cheat the lottery himself.

Eddie Raymond Tipton, come on down!

Or, more precisely, “We’re sending you down for 10 years.”

Tipton faced court in April 2015, and was finally convicted in July 2015, of rigging an Iowa lottery draw.

Last week, he was sentenced.

The charges went back to December 2010, when prosecutors argued that Tipton, ironically the security director of the Multi-State Lottery Association (MUSL) at the time, tampered with the lottery software to remove the “random number” part of choosing the winning ticket.

We’ve written many times on Naked Security about the importance of randomness in many aspects of computer security.

💡 COOL GRAPHICS: Randomness bugs in “Cryptocat” ►

Whether it’s choosing strong passwords that don’t follow any predictable pattern or shifting around software unpredictably in memory to make it harder for hackers to hit, randomness, as we have quipped before, is far too important to be left to chance.

And Tipton, as Naked Security’s Lee Munson wrote back in July 2015, apparently left nothing to chance:

The court heard that Tipton had secretly installed a self-deleting rootkit on a MUSL computer system that allowed him to tamper with the lottery's random number generator, thus allowing him to buy a guaranteed winning ticket for a future draw.

After covering his tracks - by also tinkering with security cameras that watched the lottery computer - he visited a Des Moines QuikTrip gas station on 23 December 2010, and purchased the ticket that would change his life, though not in the way he imagined.

Many of us will have wondered just how cool it would be to know next week’s lottery numbers in advance – heck, even just knowing that 7 was coming up would be handy – and day-dreamed about what we’d do if we could buy a certain winning ticket.

Unfortunately for Tipton, putting his foreknowledge into practice turned out to be more complicated than you might think.

As an employee of MUSL – indeed, as its security director – he wasn’t actually permitted to enter the lottery, for the same reasons (albeit on a much larger scale) that Sophos staff aren’t allowed to win prizes in any of the #sophospuzzle competitions we run.

→ Technically, Sophos staff can submit solutions, just for fun, but they don’t actually get put forward for prizes.

If nothing else, propriety demands such a rule, but in this case, it was part of Tipton’s downfall.

Firstly, he wasn’t actually able to cash out his ticket, although the court heard evidence that he tried to do so by proxy through two separate legal firms in the US and Canada.

Secondly, the circumstantial evidence that seems to show him buying the ticket in the first place is hard to explain away: why enter a lottery you know you are prohibited from winning?

Interestingly, according to CBS, Tipton’s attorney argued for a light sentence – probation, in fact – so that the sentence would reflect the financial loss, which was negligible because Tipton was unable to cash out the fraudulent ticket before it expired.

But the judge wasn’t buying that argument, not least because Tipton’s job was specifically to protect the lottery from fraudsters and cheats:

This is about as large an invasion of trust as I can possibly imagine. That is something the court considers to be significant in regard to the gravity of this offense.

And there you have at least a partial answer to that old chestnut of a question, “Quis custodiet ipsos custodes.”

1 Comment

In the UK, the National Lottery numbers are chosen from numbered balls tumbling in a machine. The machine’s made of transparent plastic, and is even powered by pneumatics rather than electricity. So even if particular timing DID make it possible to select certain balls, pneumatics aren’t accurate enough to do that.

Why not just do that? At a rate of half a dozen numbers a week, you don’t need a computer to do it.

And to use a PC (running Windows?) ought to be a crime!

We also count our votes by hand in elections, and have results within 24 hours, with most results after just a few hours. Votes are filled out by pen on paper. Again, it’s not something that needs automating.

Some things are too important to trust to computers.

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!