I've read (though have no first hand experience) that slot machines have better security and better vetting than electronic voting machines do so I'm not surprised either.
In Nevada the source code for gaming devices is required to be provided to the state gaming commission.
(c) In the case of a gaming device, a copy of all executable software, including data and graphic
information, and a copy of all source code for programs that cannot be reasonably demonstrated to have
any use other than in a gaming device, submitted on electronically readable, unalterable media;
But only for "programs that cannot be reasonably demonstrated to have any use other than in a gaming device".
Makes one imagine what kind of political trench wars probably went on behind the scenes about this regulation.
Edit: On second thought, this seems awfully easy to circumvent. What stops me from making a rigged PRNG and then refusing to make the source code available on the grounds that there are lots of non-gambling applications for PRNGs?
The gaming commission also regulates how much each machine must pay out over a given period with a given take. Any machine not in compliance is removed, and the casino can be fined. Continued non-compliance can result in the termination of the casino gaming license.
This was true even before electronic slot machines.
Sounds better but still defeatable. I could track individual players throughout the casino (which is already common practice, I think) and decide on payout depending on how much money I already made through them.
E.g., if someone already dumped a lot of money into other games, I can give them above-average odds of winning and be sure I still make a profit (and they make a loss), otherwise I'll give them below-average odds.
If I tune this right, the average outcome over all players will still look "fair".
Or I simply give the above-average play sessions to strawmen.
Except that that is not allowed. It's individual machines tested in isolation that should perform exactly as legally mandated. The only kind of remote interaction there is is logging to make sure they can prove that the machine performed as advertised and to know when to empty the coin box.
Modern slot machines don't use just local rngs, they essentially obtain lottery tickets from a central computer. That's how you get building-wide jackpots.
But that's the point. If the provision lets me withhold part of the source code from inspection, there is no way to actually verify that I don't do that.
I could hide the above manipulations in some component I don't have to expose and have the machine play nice under testing conditions. (See certain automakers for examples)
You could make a rigged PRNG but the front-end software of the system (different applications) have to display extremely detailed statistics on every function and variable (payouts, money in, number of wins, probabilities etc) and that code will have to be open source. The only upside to interfering with the PRNG would be being able to predict the winning moves based on whats on-screen (assuming whats on-screen is derived from the PRNG).
The actual slot machines themselves are unexpectedly secure. But the back-end environment is usually a total mess. The aim of the admins is to make sure no-one gets to the back-end environment and that's achieved through heavy use of CCTV and port-security on switches.
(c) In the case of a gaming device, a copy of all executable software, including data and graphic information, and a copy of all source code for programs that cannot be reasonably demonstrated to have any use other than in a gaming device, submitted on electronically readable, unalterable media;
http://gaming.nv.gov/modules/showdocument.aspx?documentid=29...