My understanding is that all the slot/video machines have highly regulated payouts. The law states they must pay within a certain range, and they are verified by state employees on a regular basis.
If he is causing the machine to pay out at a level outside that allowed by the law, then he's breaking the law as much as the casino would be to make it pay out differently as well.
Edit: To clarify, I don't think he should be tried for hacking. I think he should be tried for circumventing state gaming laws, if applicable, or released. If they don't cover this, they it should be legislated if it is deemed important enough. Going after someone through some loosely affiliated law because you want them to go to jail even though what they did wasn't strictly illegal in wrong, IMHO.
Slots have highly regulated payouts, but in most US state gaming boards this is dictated by a minimum payout that all slots must average across a casino's slot floor.
An anomaly in one machine is nothing usual - in fact it's quite common given the size of jackpots and the volatility of the game's math.
In which case I don't see how he could be tried under gaming laws, and given the specifics of the case, I don't see how he could be tried under anti-hacking laws.
For a machine like that, I consider the interface the public API, and if the interface allows something that isn't specifically disallowed through some other statement or direction, I think it's fair game.
He didn't use some knowledge of internal mechanisms of the game (if his lawyer is to be believed) to exploit it, he noticed that it was incorrectly keeping the payout amount between game types with different payout multipliers, and took advantage of that fact. He learned that it was possible through using their API. In my eyes that's a critical point.
I'm kind of baffled why the feds got involved in the first place.
There's a reason why casinos have a sign on each machine that says MALFUNCTION VOIDS ALL PAYS. Normally they could catch someone taking advantage of the bug and declare the payout invalid. Obviously these payouts all passed any kind of tamper detection tests, so normal casino procedure would be to pay the man barring any other kind of funny business.
Eh, that's the same type of argument that could be made for exploiting vulnerable public APIs (pass in some query that isn't sanitized, etc.). I don't know the law surrounding those types of cases, but I would hazard to guess those get prosecuted rather hard.
It's a fine grained distinction, but I thin kit applies there as well, to some degree. If exploiting the API requires leveraging knowledge of the underlying systems (buffer exploit, path traversal issue, etc) that aren't generally discoverable in normal usage, than that may be hacking. If it's a matter of the user discovering through normal use that through a normal set of operations that they have access to more of the same resource they already got (more money when they get some on a regular basis, in the article), then I don't think that's hacking, I think that's learning how to use the API you were presented.
Of course, I'm presenting this aswhat I think should be, not how it is.
Weev was sentenced to 3.5 years for simply downloading AT&T's data that was made available over a public (but obscure) API. So yes, seems like you'll get prosecuted pretty harshly.
What's even more ironic is that this was a video poker, not a slot.
Why is that different? Unlike a slot where the payout decision is made the moment you pull the handle, a video poker machine has a decision point. Namely, you can choose to hold or discard cards, then draw the remaining cards to determine your win. The outcome of your "slot pull" is based on this play.
In the gaming software world, video poker percentages are determined by what the different hands pay out, given optimal play. There are very few video poker players in the world that never make mistakes and play optimally. The slack comes from drunk tourists that make the wrong decisions and increase the casino's take.
Funny that THOSE mistakes are allowable, isn't it?
If he is causing the machine to pay out at a level outside that allowed by the law, then he's breaking the law as much as the casino would be to make it pay out differently as well.
Edit: To clarify, I don't think he should be tried for hacking. I think he should be tried for circumventing state gaming laws, if applicable, or released. If they don't cover this, they it should be legislated if it is deemed important enough. Going after someone through some loosely affiliated law because you want them to go to jail even though what they did wasn't strictly illegal in wrong, IMHO.