Entries Tagged "games"
David Livingstone Smith moderated the fourth session, about (more or less) methodology.
Angela Sasse, University College London (suggested reading: The Compliance Budget: Managing Security Behaviour in Organisations; Human Vulnerabilities in Security Systems), has been working on usable security for over a dozen years. As part of a project called “Trust Economics,” she looked at whether people comply with security policies and why they either do or do not. She found that there is a limit to the amount of effort people will make to comply — this is less actual cost and more perceived cost. Strict and simple policies will be complied with more than permissive but complex policies. Compliance detection, and reward or punishment, also affect compliance. People justify noncompliance by “frequently made excuses.”
Bashar Nuseibeh, Open University (suggested reading: A Multi-Pronged Empirical Approach to Mobile Privacy Investigation; Security Requirements Engineering: A Framework for Representation and Analysis), talked about mobile phone security; specifically, Facebook privacy on mobile phones. He did something clever in his experiments. Because he wasn’t able to interview people at the moment they did something — he worked with mobile users — he asked them to provide a “memory phrase” that allowed him to effectively conduct detailed interviews at a later time. This worked very well, and resulted in all sorts of information about why people made privacy decisions at that earlier time.
James Pita, University of Southern California (suggested reading: Deployed ARMOR Protection: The Application of a Game Theoretic Model for Security at the Los Angeles International Airport), studies security personnel who have to guard a physical location. In his analysis, there are limited resources — guards, cameras, etc. — and a set of locations that need to be guarded. An example would be the Los Angeles airport, where a finite number of K-9 units need to guard eight terminals. His model uses a Stackelberg game to minimize predictability (otherwise, the adversary will learn it and exploit it) while maximizing security. There are complications — observational uncertainty and bounded rationality on the part of the attackers — which he tried to capture in his model.
Markus Jakobsson, Palo Alto Research Center (suggested reading: Male, late with your credit card payment, and like to speed? You will be phished!; Social Phishing; Love and Authentication; Quantifying the Security of Preference-Based Authentication), pointed out that auto insurers ask people if they smoke in order to get a feeling for whether they engage in high-risk behaviors. In his experiment, he selected 100 people who were victims of online fraud and 100 people who were not. He then asked them to complete a survey about different physical risks such as mountain climbing and parachute jumping, financial risks such as buying stocks and real estate, and Internet risks such as visiting porn sites and using public wi-fi networks. He found significant correlation between different risks, but I didn’t see an overall pattern emerge. And in the discussion phase, several people had questions about the data. More analysis, and probably more data, is required. To be fair, he was still in the middle of his analysis.
Rachel Greenstadt, Drexel University (suggested reading: Practical Attacks Against Authorship Recognition Techniques (pre-print); Reinterpreting the Disclosure Debate for Web Infections), discussed ways in which humans and machines can collaborate in making security decisions. These decisions are hard for several reasons: because they are context dependent, require specialized knowledge, are dynamic, and require complex risk analysis. And humans and machines are good at different sorts of tasks. Machine-style authentication: This guy I’m standing next to knows Jake’s private key, so he must be Jake. Human-style authentication: This guy I’m standing next to looks like Jake and sounds like Jake, so he must be Jake. The trick is to design systems that get the best of these two authentication styles and not the worst. She described two experiments examining two decisions: should I log into this website (the phishing problem), and should I publish this anonymous essay or will my linguistic style betray me?
Mike Roe, Microsoft, talked about crime in online games, particularly in Second Life and Metaplace. There are four classes of people in online games: explorers, socializers, achievers, and griefers. Griefers try to annoy socializers in social worlds like Second Life, or annoy achievers in competitive worlds like World of Warcraft. Crime is not necessarily economic; criminals trying to steal money are much less of a problem in these games than people just trying to be annoying. In the question session, Dave Clark said that griefers are a constant, but economic fraud grows over time. I responded that the two types of attackers are different people, with different personality profiles. I also pointed out that there is another kind of attacker: achievers who use illegal mechanisms to assist themselves.
In the discussion, Peter Neumann pointed out that safety is an emergent property, and requires security, reliability, and survivability. Others weren’t so sure.
Conference dinner tonight at Legal Seafoods. And four more sessions tomorrow.
Speaking to the BBC, HMRC spokesperson Clare Merrills warned that faulty counterfeit consoles could be unsafe.
“You might find you plug it in and the adaptor sets on fire or the wires start to melt and stick out,” she warned.
“When you buy these goods, you’re not funding our economy, you’re actually funding criminals in these far off places and it could be linked to terrorism,” she added.
Why be rational, when you can stoke fear instead?
EDITED TO ADD (1/13): How to spot a fake Nintendo console.
In a presentation that rivals any of my movie-plot threat contest entries, a Pentagon researcher is worried that terrorists might plot using World of Warcraft:
In a presentation late last week at the Director of National Intelligence Open Source Conference in Washington, Dr. Dwight Toavs, a professor at the Pentagon-funded National Defense University, gave a bit of a primer on virtual worlds to an audience largely ignorant about what happens in these online spaces. Then he launched into a scenario, to demonstrate how a meatspace plot might be hidden by in-game chatter.
In it, two World of Warcraft players discuss a raid on the “White Keep” inside the “Stonetalon Mountains.” The major objective is to set off a “Dragon Fire spell” inside, and make off with “110 Gold and 234 Silver” in treasure. “No one will dance there for a hundred years after this spell is cast,” one player, “war_monger,” crows.
Except, in this case, the White Keep is at 1600 Pennsylvania Avenue. “Dragon Fire” is an unconventional weapon. And “110 Gold and 234 Silver” tells the plotters how to align the game’s map with one of Washington, D.C.
I don’t know why he thinks that the terrorists will use World of Warcraft and not some other online world. Or Facebook. Or Usenet. Or a chat room. Or e-mail. Or the telephone. I don’t even know why the particular form of communication is in any way important.
The article ends with this nice paragraph:
Steven Aftergood, the Federation of the American Scientists analyst who’s been following the intelligence community for years, wonders how realistic these sorts of scenarios are, really. “This concern is out there. But it has to be viewed in context. It’s the job of intelligence agencies to anticipate threats and counter them. With that orientation, they’re always going to give more weight to a particular scenario than an objective analysis would allow,” he tells Danger Room. “Could terrorists use Second Life? Sure, they can use anything. But is it a significant augmentation? That’s not obvious. It’s a scenario that an intelligence officer is duty-bound to consider. That’s all.”
My guess is still that some clever Pentagon researchers have figured out how to play World of Warcraft on the job, and they’re not giving that perk up anytime soon.
They said — and it’s almost too stupid to believe — that:
the balaclava “could be used to conceal someone’s identity or could be used in the course of a criminal act”.
Don’t they realize that balaclavas are for sale everywhere in the UK? Or that scarves, hoods, handkerchiefs, and dark glasses could also be used to conceal someone’s identity?
The game sounds like it could be fun, though:
Each player starts as an empire filled with good intentions and a determination to liberate the world from terrorists and from each other.
Then the reality of world politics kicks and terrorist states emerge.
Andrew said: “The terrorists can win and quite often do and it’s global anarchy. It sums up the randomness of geo-politics pretty well.”
In their cardboard version of realpolitik George Bush’s “Axis of Evil” is reduced to a spinner in the middle of the board, which determines which player is designated a terrorist state.
That person then has to wear a balaclava (included in the box set) with the word “Evil” stitched on to it.
So, you’re sitting around the house with your buddies, playing World of Warcraft. One of you wonders: “How can we get paid for doing this?” Another says: “I know; let’s pretend we’re fighting terrorism, and then get a government grant.”
Having eliminated all terrorism in the real world, the U.S. intelligence community is working to develop software that will detect violent extremists infiltrating World of Warcraft and other massive multiplayer games, according to a data-mining report from the Director of National Intelligence.
You just can’t make this stuff up.
EDITED TO ADD (3/13): Funny.
Interesting and thoughtful article about suicide attacks in the online video game Halo 3:
Whenever I find myself under attack by a wildly superior player, I stop trying to duck and avoid their fire. Instead, I turn around and run straight at them. I know that by doing so, I’m only making it easier for them to shoot me — and thus I’m marching straight into the jaws of death. Indeed, I can usually see my health meter rapidly shrinking to zero.
But at the last second, before I die, I’ll whip out a sticky plasma grenade — and throw it at them. Because I’ve run up so close, I almost always hit my opponent successfully. I’ll die — but he’ll die too, a few seconds later when the grenade goes off. (When you pull off the trick, the game pops up a little dialog box noting that you killed someone “from beyond the grave.”)
It was after pulling this maneuver a couple of dozen times that it suddenly hit me: I had, quite unconsciously, adopted the tactics of a suicide bomber — or a kamikaze pilot.
It’s not just that I’m willing to sacrifice my life to kill someone else. It’s that I’m exploiting the psychology of asymmetrical warfare.
Because after all, the really elite Halo players don’t want to die. If they die too often, they won’t win the round, and if they don’t win the round, they won’t advance up the Xbox Live rankings. And for the elite players, it’s all about bragging rights.
I, however, have a completely different psychology. I know I’m the underdog; I know I’m probably going to get killed anyway. I am never going to advance up the Halo 3 rankings, because in the political economy of Halo, I’m poor.
Spammers have created a Windows game which shows a woman in a state of undress when people correctly type in text shown in an accompanying image.
The scrambled text images come from sites which use them to stop computers automatically signing up for accounts that can be put to illegal use.
By getting people to type in the text the spammers can take over the accounts and use them to send junk mail.
I’ve been saying that spammers would start doing this for years. I’m actually surprised it took this long.