How Apropos

In my recent posting on Cyberpunk, Commentariat(tm) Agent LykeX decided to call my bluff [stderr] regarding the question of gamifying hacking/cyberwar in a semi-realistic manner. So, in order to better explain the topic, I have arranged for the federal government to horribly face-plant its entire security strategy by suffering a devastating transitive trust attack. Seriously, the timing is remarkable.


Seriously, though, how would you? Assuming it still has to work as a proper game mechanic, not requiring any technical computer background for people to play, and still “encapsulate the challenge”?

Not being a hacker or even that computer savvy, I’m not sure how you’d go about it. I’ve just tried to think about it a bit and I’m not getting anywhere.

I think that there are a number of hard problems in representing hacking well. First and foremost, it’s not very interesting. It’s always seemed to me to be an exercise in book-keeping and patience more than anything else. A game element that is based on patience is really a tough sell.

First, let’s talk (briefly) about how the US government and a huge chunk of the private sector just discovered that they were waddling around with their pants down around their ankles. [crn] What happened was my biggest nightmare, back when I was the CSO at Tenable (my official day-job for the last 13 years of my career): a security system that distributed active software components was subverted to distribute active malware along with its updates. In other words, the security command/control management plane became the attacker’s tool.

The U.S. government late Sunday night called on all federal civilian agencies to power down SolarWinds Orion products immediately because they are being used as part of an active security exploit.

An emergency directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) comes “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors,” according to the notice. “This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

This is a standard nightmare for a security products company. Imagine that you’re a company that offers antivirus software that includes a self-updating agent that runs on hundreds of thousands of customers’ machines. Because it’s an antivirus agent, it does its work at a system level – privileged access required. If an attacker is able to put their own logic in the distribution stream for the agent, they have just “hacked” hundreds of thousands of systems instantly and irrevocably. The holy grail/ultimate hack would be to get inside of Microsoft’s patch update system and roll some malware into a patch release, thereby controlling a significant percentage of all the systems on the planet. At that point, the hacker’s challenge would be trying to figure out what useful things they could do with all of that stuff. Imagine you had access to all the computers – that’s basically what just happened with SolarWinds: Orion is a centralized management platform, and everyone who is using it now has centralized malware. Oops. That included vendors and security vendors.

Transitive trust attacks are when A trusts B and B trusts C: you attack C, in order to gain access to A. The state of computer security is so bad that most organizations do not defend effectively against transitive trust attacks. Most of the famous breaches you’ll hear about are transitive trust attacks or insider attacks (really just another form of transitive trust attack if you think about it). Burning Microsoft’s patch update would be the big kahuna of hacks, but it’s sort of like using nuclear weapons: people would notice. Then, there would be the fascinating question, “what do we do about it?” to which the answer is: nothing. In order to make the current software economy work, it has been necessary (and convenient for Microsoft) to have everyone trust Microsoft patch update and, besides, no organization is capable of patching Microsoft’s code for them. Such an attack is such massive overkill that it’d make everyone step back for a moment and re-assess things, until they realized that there is no alternative, so “whatever!” That is what will happen with the FireEye / SolarWinds breach: they’ll say “we fixed it!” and everyone will shrug.

This is not how lockpicking is done, either

So, what would a hacking game look like? I’m assuming it’d be part of some larger game, because otherwise there’s no point to it. There has to be a goal. There would be a couple of different types of goal:

  • Collect information about a thing
  • Collect information at random (“this looks interesting…”)
  • Gain control over a thing
  • Damage a thing (a subset of “gain control”)
  • Alter information about a thing (an overlap of “collect information” and “gain control”)

What are the tools available? Information. That’s it. So, the hacking mini-game is about using information to manipulate other information. In terms of the SolarWinds attack, the hackers had to understand SolarWinds’ corporate systems, gain control over the code update process and inject their own code, then they shifted to exploiting attacks against targets that depended on SolarWinds.

In the context of CD Projekt Red games, The Witcher 3 includes an in-game card game called “Gwent” in which you collect Gwent cards and you can play against NPCs that are controlled by AIs. It’s pretty clever game design because the AI doesn’t have to be brilliant – it can be variously challenging based on the cards that the game scenario give the NPC; they can be overpoweringly good and a player can’t beat them until they have enough powerful cards or are brilliant or lucky Gwent players themselves. The in-game hacking mini-game would look sort of like that except the game would play out asynchronously.

The hacker picks a target and schedules “recon”. Some of the cards the hacker has represent recon tools (“Ice” in Gibson’s nomenclature) – the recon tool might take a certain amount of time, and would return:

  • Fail – your tool is burned (if it was not off-the-shelf malware) and you lose that card from your deck permanently. There would be various cards that give a fail result, “Firewall” just fails your recon. “Active Defense Level XX” might fail your recon and also take time from you. I imagine there’d be a variety of defense cards, and a variety of offense recon cards.
  • Bad Fail – your tool is burned and your target backtracked you; there will be a knock on your door in 5 minutes, a sleepy-eyed guy in a raincoat would very much like to talk to you about your hacking career, which just ended. I am imagining that the Bad Fail scenario was a result of attacking someone who has a seriously more powerful card in their deck, or they have a “Backtrack” Ice card that they play on you, which gives your meat-space location. Note that the player might also have “Backtrack” Ice that they can play if they are under attack.

Then you’d have “Vulnerability” cards – if your recon against the target finds a possible point of attack, you get a vulnerability card you can play against them, which gives you an exploit. Or, if they have an active defense, your vulnerability may be a trap and you just got suckered into a bad fail and they’ve played a backtrack card you didn’t know about. Worse, maybe they recon you, back and get a vulnerability card they can play against you, and they backtrack you and scramble your deck, i.e.: you just lost a few of your cards.

I must note that I am stealing some of these mechanics from Gwent, but Gwent stole from Magic The Gathering, etc. The great thing about card-powered mini-games is that you can expand them easily, and you can also have unexpected powers appear in scripted scenarios, or at random. So our in-game hacker could decided to just do a run against the porn shop down the street, which has middling defenses that they burn through with a vulnerability. When you burn through a target’s defenses you may learn something (you get a card from the loser’s deck) or you may steal some of their data or you may get something mysterious that you have to spend time researching to figure out what it is. I.e.: you downloaded a block of encrypted data and you need to let your Ice chew on it for a while, but they’re looking for you and have your home address – time to relocate ricky-tick while the Ice chews away – then you discover you just found the specs for some valuable new tech and a) you have a huge bounty on you now and b) you can sell the specs for credits. You can use the credits on the black market to buy and sell Ice – i.e.: game cards – or data which is basically convertible back and forth with credit. In this mini-game you might do an automated attack against porn stores every so often when you’re not doing anything else, and you collect data you can sell but it’s not really important stuff and your reputation gets bad in some sectors, good in the black market, and if you ever go after the wrong target and they burn you, your bad reputation results in a large army of sleepy-eyed guys in raincoats who have come to collect on you.

I imagine that a fun aspect of the game would be managing a work-queue; you’d be playing several games at once against the various targets you are exploiting, reconning, or defending against. You’d also be buying exploits on the black market and researching your own, once you had enough skills to develop your own attacks (basically, the game would randomize a card for you, at an appropriate level, with occasional rare drops). You might be researching an exploit against the porn store’s Ice and stumble over an exploit that would burn through the firewalls of a bank; oh, the fun! Oh, the mob of sleepy-eyed guys who now want to discuss that with you in person! Oh, the fun!

Or perhaps there are special cards which allow vulnerable decks to be taken over and feedback blasted through the users’ protco-prod(tm) interface. Boom! There goes your brain, or your anus, or whatever.

And, of course the mini-game would have mission profiles:

  • Attack something and get whatever you can
  • Defend something, usually yourself but sometimes a client
  • Find something, successfully attack a target that gives you another target to attack, etc., until you get the thing you were looking for and thoroughly piss off the trail of targets you attacked (if you were not subtle)
  • Destroy something or someone by taking control of specific targets to get access to real world elements (e.g.: you just took control over Badger’s bluetooth-controlled propane forge. Now you can murder Badger and everyone else in their immediate vicinity)
  • Watch someone by taking control of their cameras or phones and maintaining that control (“escort mission” in most games) without getting detected or blocked

I think that’s about it. By chaining mini-game quests you could build entire plot-lines involving targeting attacks, or players could just go smash and grab to get cash. In gaming terms, I’m describing a crafting system attached to a mini game where you can buy/sell/craft cards that you use to drive the mini game forward. The whole system would be asynchronous with the other events in the game and you could be engaged in a bunch of battles at once; make it a reward/punishment system for the player depending on how well they micro-manage their resources and schedule their assets.

The last part would be a mapping function where the card-game ties to your targets so that you would be able to see the relationship between your target and your attack surface. Think how exciting that might be! You exploit a vulnerability in the porn site and discover that there’s something on that network that you can’t scan effectively and maybe there’s a link to a big conglomerate that …. uh, oh, that’s Chechen mafia, I think. Is it worth trying? So the mapping function would build a dynamic picture of the relationships between the things you know anything about, and what attacks and defenses (Ice cards) you have currently in play against them. You might open the map and suddenly that porn site you were scanning has mysteriously turned purple and you’ve never seen anything like that before, uh oh. Holy shit, that’s an AI! What is an AI doing there!? “Wintermute”? Sounds harmless enough.

OK, I think that’s probably enough. It’d take a bunch of serious design sessions and some idea-stealing but a pretty damn cool hacking game could be developed. I’ve basically described a mix of Steve Jackson’s old Illuminati game, Magic The Gathering, and Gwent. Hell, you could do like Blizzard did with Hearthstone and have a multi-player battle element where you could asynchronously battle other players to try to steal their best cards or hire sleepy eyed guys in raincoats. And, yes, Molly Kolodny would be a card that you could play, if you happened to get it, and she would seriously devastate whatever you played it against.

Above is the much-derided hacking mini-game from Cyberpunk. You have a limited amount of time (“breach time remaining”) to find the required patterns in the grid and mouse them into your “buffer” which then counts as executing a successful attack. What this has to do with hacking, I do not know. It measures how quickly you can work the janky d-pad controls and that is about it.

A high five to any of you who recognized the procto-prod reference.

Now, I have to comment on the first image that I included in this posting – the one with the hacker in the ubiquitous hoodie pointing at the map. That’s a fairly typical illustration that media dumbasses use to illustrate hacking and it shows a profound non-understanding of hacking in the sense that I’ve described it as a problem of transitive trust. Geography is irrelevant. That’s the point of computer networks! What is relevant is the topography of the network – the interconnections between nodes. You don’t care if your target is in New Jersey or in low Earth orbit! You do care if the sleepy eyed guys in raincoats know your location, and that’s about it. In my career I used to run into this all the time: security people who ought to know better, saying “the attack appears to be coming from China” or whatever. Sure, and for $30/month I can make my packets appear to be coming from someplace, too, using a VPN service. Geo-location only matters to the sleepy eyed guys or the guys with stealth drones loaded with knife missiles.

Hackers do wear hoodies, though. That is true. So do lots of people. The best hacker I ever met wore bespoke suits that were nicer than mine, which shocked the living shit out of me because my suits were really nice. But I used to wear custom Rocky Carroll cowboy boots instead of Converse All Stars (the other broad cultural stereotype I resent) so I outdid him in the footwear department. One of the other great hackers I knew wore boating shoes everywhere, even in snow and ice, and a Helly Hansen jacket. Safety green is mighty subtle.

Last point: if you’re picking a lock and you put so much pressure on your torsion bar that it breaks, you’re really doing it wrong. The torsion bar must be very gently taken up, and you use your pick in the keyway. Not a flippin’ screwdriver. If you want to see someone lose their shit about lockpicking mini-games in computer games, ask Deviant Ollam what he thinks about the mini-games and broken torsion bars. I’m kidding, don’t troll him, he’s a good guy.



  1. says

    Oh yeah: any really good hacking mini game in a cyberpunk world would also encapsulate being able to find the actual person who had critical access, then go talk to them, gently. I know that some organizations that take security seriously have designed their systems against direct attacks on personnel; it’s a side-element of protection against insider attacks. It would make a fun plot element for a hacking game: hack the personnel database to get the system administrator’s home address then go grab your raincoat…

    Fairly few organizations think about insider attacks. Because most organizations are stupid about computer security. What shocks me the most is how stupid the US Government is about computer insider attacks, in spite of being horribly pwn’d by the Soviets over and over and over in during The Cold War. Basically they have shrugged and said “but yeah we like the cloud computing, what me worry?”

  2. says

    I think that you should also be able to engage in a level of recon that is designed to reveal what “cards” the target system has in its “deck”. This way before you make a serious hacking attempt which, if it failed, could bring the trenchcoated agents, you can send relatively innocuous “errors” to the target system to see how it responds.

    If you do it right, you can have another mini game, rather like the old logic game “Mastermind” where certain responses are indicative of, but not conclusive proof of, certain defensive “cards” being in the AI “hand” of the target system. If you solve the “mastermind” puzzle, that would force the target system to reveal (with certainty and specificity) one of the cards in its hand. There can even be several general strategies for these initial recon missions, where certain types of bluff attacks (disguised as garbled network traffic) can reveal, if the puzzle is solved, only certain types of cards. And it only reveals one of the cards of the type vulnerable to that scouting strategy. If five cards are all potential responses to a specific SS, then you can only ever know one of those cards, if it has more than one. (Or maybe which one is “played” is (weighted but?) random, so you might reveal more than one, but you’d never be sure that unrevealed cards are actually absent, rather than simply not having been played yet.) And some cards simply aren’t subject to such reveals. Backtrace cards aren’t “played” in response to errors in network traffic. A system might have to defend its own code from corruption, but a garble is simply never worth a backtrace, only an intentional attack is worth that.

    And, of course, you might also be able to buy information from someone in-game about what defenses exist in your target system rather than playing the Mastermind mini-game over and over. Surely if a system is big enough someone has previously scouted them and you can get information from them. Assuming that they haven’t been turned by the cops when they were backtraced…

    And, of course, knowing the “cards” won’t always tell you what the AI system’s strategy will be in executing its defense, but low-risk/low-reward attacks designed to slowly reveal aspects of a target system’s defenses before a serious hacking attempt feel true to what I know about hacking.

    Though I’ve never done any hacking, so make of that what you will.

    In any case this does sound like a fun subject for game design. I’d be in for tinkering around with this!

  3. says

    Crip Dyke, Right Reverend Feminist FuckToy of Death & Her Handmaiden @#2:
    Mastermind was great!

    All those ideas would serve to tie the abstract hacking game to the in-game reality of the first-person shooter. I think it’d be pretty darned cool, actually.

    I especially like the idea of the hacking game being asynchronous but also affecting the game world. You could start shooting your way into a place and set some Ice to crash the building’s lights in 5 minutes, so you can stealth in… the trick and the fun is meaningfully tying the hacking abstractions to the sense of purpose of what is going on in the “real world”. That’s what stupid hacking mini games like the one in Cyberpunk fail at. So they are just a mindless exercise in button clicking.

  4. says

    Hacking is boring. You recon the target and identify a vulnerability then exploit it (possibly requiring some research) then explore and recon/exploit more. It’s mostly a matter of making sense of all the entities you are dealing with, which is very predictable in real life. E.g: “this thing is running Linux I know how to get in.”

    I’ve watched some of the best go into systems; shoulder-surfing Dave Kennedy once – and it’s mostly a bunch of keyboard rattling and “hm ok this should work” boom he’s in. When the attacker has new exploits, it’s magic: they run a command and the system is open and that’s game over.

    A quintessential example recently was a guy demonstrated how you could take over an iPhone’s operating system with a couple packets that left no trace. Magic! You just launch the attack and the target phone emails you its owner’s photo roll and contact list. In that case you don’t even need to do recon because you know all iPhones were (at that time) vulnerable to the attack.

    I guess one consequence of this is that I realize hacking games aren’t going to be very fun because hacking is actually pretty easy. Security would have to get way better than it is to provide a challenge worth gamifying.

  5. Reginald Selkirk says

    … and, besides, no organization is capable of patching Microsoft’s code for them.

    Including Microsoft.

  6. says

    Reginald Selkirk@#5:
    Including Microsoft.


    There are some architectural “features” in how Windows works that make it impossible to secure certain components of the system. Microsoft has no idea how to fix it and almost certainly cannot because of the performance consequences of doing so. I’m referring to the device driver model (mostly) but also the Windows internal APIs that are exposed for interprocess/interkernel messaging – the data pushed across those APIs are not checked and are simply accepted. There is not a real boundary between user processes and kernel memory, which is a nice way of saying “the operating system has no security.”

    The hack I saw Dave use against the system was an exploit in a control plane application for a graphics adapter that the target system didn’t even have installed. All Dave’s exploit had to do was tell Windows to load the driver, which it did, then it exploited a buffer overrun in the driver and boom, Dave’s code was loaded into the driver’s memory image, running in kernel space – i.e.: the driver was parasitized completely. Device drivers in Windows have full memory access and access to the bus’ I/O interfaces, which means a driver can bypass Windows and talk directly to the graphics card, or the keyboard, or the network interface. It’s instant “game over.”

    For a while, security practitioners talked about “active defense” but that was a non-starter because to actively defend Windows you’d need to be able to patch Windows which would mean you’ve got godlike powers of omniscience and omnipotence. I used to love to ask those people: “OK so let’s say I tell you that there is a new exploit against windows. What does that knowledge gain you? Are you going to disconnect from the internet? No? Are you going to stop using Windows? No? Then why do you care? You’re not going to do anything.”

    Windows is a piece of shit, but then so are all the other operating systems.

  7. xohjoh2n says

    (Note the fallout to non-Google services that use Google account authentication, as well as things like Google Home users not being able to turn their lights on…)

  8. says

    Wow, that was way more of a response than I expected. Cool.
    Reading this, I wondered to myself if something like Cultist Simulator could form a basis. The time mechanics would lend themselves to something that’s tense, but not rushed.

  9. says

    First, let’s talk (briefly) about how the US government and a huge chunk of the private sector just discovered that they were waddling around with their pants down around their ankles.

    Sorry to self-promote, but I just wrote about that. Two million CCP spies around the world have been outed by a data leak, many in high level positions of trust that governments and businessness knew nothing about.

    If this doesn’t lead to worldwide consequences for China, what will?

  10. kurt1 says

    Hacking in the public perception is pretty tainted by Hollywood. The best movie about hacking I saw was Password Swordfish. Ok kidding, actually a german film “Who am I – Kein System ist sicher” (No system is safe). It has a scene where the hackergroup sifts through trash to get information about employees to exploit. Also some other cool tricks, a love story and ambiguous ending, fully recommended.

  11. Pierce R. Butler says

    William Gibson wrote a scene (in “Burning Chrome”, I think) wherein a couple of cybercowboys go after a target’s bank accounts using black-market software obtained from someone who mugged a Russian agent in a New Jersey traffic tunnel, which featured the guy working the console thrashing around frantically and begging his buddy to make a strategic decision very quickly: “I can barely hold it back!”

    Even then, back before I ever accepted a penny for doing any computeristic work, when 3 1/2″ hardshell floppies were the height of coolness, that seemed very Not The Way Anybody Would Do It – but perfect for a movie. Alas, if my failed search on means anything, the repeatedly-rumored cinematic “Burning Chrome” remains unmade (or at least unreleased).

  12. seachange says

    The game of Civilization is slow, it uses your time going through raising several different cities at any one time, and has a tech tree and a wargame attached. Slow is not a problem.

    The social engineering factor could also be in terms of finding out who is buying the porn and blackmailing them. Or finding out their habits and finding the (easier to hack depending on how posh or savvy he/she is) sex worker that they often visit and offer her some cash/credits for some pillow talk. Or hacking a smaller city in order to insert yourself into a larger city that has contact with the local group of sleepy guys for a transitive attack that makes you seem to live elsewhere independent of any remote scrambler/servers you have.

  13. kurt1 says

    @13: The title is a reference to the Unix command. Don’t judge a book by its bilingual title, or something like that.

  14. komarov says

    In response to Marcus and seachange’s “Slow is not a problem” I’d counter that sometimes it is. It’s not completely unreasonable to have slow or multi-session minigame but it doesn’t always fit. While reading this I was thinking back to the Mass Effect 1 hacking games. Those are also basically timed dexterity games (e.g. move the thingie past the moving thingies before time’s up) Hugely annoying but it gets you some extra pick-ups during missions. In a scenario like that you need a quick resolution because you’re not coming back this way. Nor can you have Shepard and her team just sit on the floor for a couple of hours*, working their omnitools doing recon and trying exploits to break into a wallsafe and steal some petty cash. “Wasn’t there a bomb we’re supposed to find?” – “Shut up, I think I’m on to something!”

    However, I don’t think there’s a realistic-looking solution to that except maybe “don’t call it hacking”.

    *Real time, naturally, because people always appreciate that kind of realism in games.

  15. Ketil Tveiten says

    Marcus, you might want to look into the Netrunner card game, which (with lots of cyberpunk/Gibsonian trappings) tries to do something like what you describe here. Also, I think there was a (probably also ridiculously unrealistic, but not CP2077 levels of dumb) hacking simulator game waaaay back called (I think) Uplink, which you might want to take a look at. Would be interesting to hear a professional’s take on both of those.

  16. Who Cares says

    In Cyberpunk 2077 you are not a hacker but a scriptkiddie. You pull up Shodan for Eyes then plug in the reboot command.
    Most of the time anything more has been done by others before the fixer contacts you. And they haven’t done it T-bug or Jackie have. You are just the mule for the last physical bit of the whole hack-a-thon.

    If anything the game is a warning against what happens when everything has a mandatory backdoor. It is not just the corporations that get access, everyone with the right scripts gets it.

    Ps.: ICE is not the recon tools but the stuff that protects against recon tools.

  17. says

    Sorry to self-promote, but I just wrote about that. Two million CCP spies around the world have been outed by a data leak, many in high level positions of trust that governments and businessness knew nothing about.

    Thanks for that link. Right now most of the US security community are fixated on the SolarWinds/FireEye situation and that wasn’t in the news cycle. The symmetry is interesting; it looks like someone is mirroring the Office of Personnel Management breach of 2015.

  18. brucegee1962 says

    Old boardgamer here. One classic in the hacker genre is simply named “Hacker,” by Steve Jackson games ( The board is a network of interconnected cards representing companies and organizations that are connected to one another. Some nodes are better protected than others, but if you can get root access to the poorly protected ones, you can then use that access to go after tougher targets.

    The other big one is Netrunner ( which has gone through many versions over the years. It’s an asymmetric two-player CCG, where one player represents the corporation trying to hide data in data fortresses, while the other player is a hacker trying to break in.

  19. says

    I see a couple of other people have already mentioned it, but Netrunner is an absolute gem if you can find one other person willing to work out how to play it. It, along with all the Android board games, draws heavily from Gibsonian cyberpunk.

  20. says

    Reginald Selkirk@#24:
    Trump moved cyber security budget to pay for his wall before major hacking assault

    True, but the government’s security woes are not a result of not having enough money. They’re a long-term problem that stems from poor governance/management and lack of vision – none of which would be helped by money. In fact I’m pretty sure that, given how stupid the government’s security strategy is, the more they spend – the worse it gets.

  21. DanDare says

    Block attempts by others.
    Misdirect and plant false information.
    Distort others view of reality.
    Create noise to hide real signals.

Leave a Reply