There is a lot of indirect evidence that the story as described by Alex is true. Authorities wouldn’t have arrested and sentenced his agents in 2 countries if it wasn’t true. Novomatic wouldn’t have investigated slot machine manipulation, and wouldn’t have released security updates if it wasn’t true.
- Alex, a true story, or an urban legend?
But don’t slot manufacturers have dedicated security specialists? How could these huge companies overlook such a vulnerability?
Unfortunately, security threats can be easily overlooked. This is even more likely for new and unknown types of attacks like this one. Even if there was some security manager in charge at the time, he was trained to mitigate only the threats that were known to him at the time. If the development team didn’t have a true expert on board who would be able to predict new vulnerabilities and raise his hand, then this PRNG (Pseudo Random Number Generators) threat could have been easily overlooked.
The regulators only required PRNG to generate a uniform distribution of generated numbers. This is what even simple PRNGs do. The unpredictability (cryptographic security) doesn’t have to be tested at all.
The PRNG concept sounds like something alien to most "business people". They only care about a few things. They are satisfied when a slot machine:
Also, the software in slot machines often survives several generations of cabinets with just minor updates. And why change something that has worked without problems for the last 15 years, right? Therefore, it is quite possible that even many modern machines use parts of code from the early 90’s.
- doesn’t crash,
- is liked by players,
- makes money.