It's free to join Gamasutra!|Have a question? Want to know who runs this site? Here you go.|Targeting the game development market with your product or service? Get info on advertising here.||For altering your contact information or changing email subscription preferences.
Registered members can log in here.Back to the home page.

Search articles, jobs, buyers guide, and more.

By Crosbie Fitch
Gamasutra
[Author's Bio]
August 7, 2002

Securing Cyberspace

Strength with Flexibility

Security and Thermodynamics

Printer Friendly Version
   

 
Letters to the Editor:
Write a letter
View all letters


Features

Cyberspace in the 21st Century: Part Seven, Security is Relative

A system's security is about controlling the system's relationship with its environment. If you have a predictable environment, or you feel it is safe to assume the environment will be sufficiently predictable for the lifetime of the system, then you can get away with defining a rigid, rather closed security model based on your understanding of this environment. Compromises will most probably be complete as opposed to partial, but one hopes they will at least be a long time coming.

However, if you're developing a system for the very long term, there's not much chance of being able to predict the environment. So any rigid security model doesn't stand a chance. Security in this case needs to be adaptable, and thus, to some extent, intelligent. It needs to be able understand unforeseen threats and attacks, recover from them, and ideally be better prepared to defend against them in the future.

Securing Cyberspace - For Fun, Not Money

Security in cyberspace is a different kettle of fish compared to many computer systems. We aren't a bank, defending a network of computers against unauthorized access, needing to audit and ensure the integrity of all transactions. We have no computers, no intellectual property, nothing of real financial value. All we have is an objective to produce a system that will enable cyberspace and prevent it from being vandalized. In simple terms, we're producing a free game that the whole world can play.

From a real-world, materialistic point of view then, no-one can lose. The source code is still there. The player's money is still in their bank account. What's been created and is inevitably vandalized is entirely virtual: virtual scenery, virtual buildings, and virtual characters.

There's only been one case in which this kind of thing has happened before and it's known as Bowdlerization - the effective vandalization of fiction. You might say that re-writing the history books is comparable, but that is an attempt to change a description of reality, as opposed to a virtual one. Just as some people are into protecting the integrity of works of fiction, so we should be interested in protecting the integrity of the virtual world. Players will be putting a lot of effort in the course of playing within it, and the persistent world that is created will become valuable to many of the players. People won't necessarily require that a castle is never allowed to fall, but they will require that if it is sacked that it is done so via legitimate means and not by hacking the system.

Sure, there is more than the content to vandalize, you can burn the book too. You can trash the computer just as you can trash the virtual world. However, we can rely on conventional security measures for the computer so I don't need to talk about those here. Moreover, we can assume that 100 percent of users (even the hackers) don't want their computers corrupted, and 99% of our users are actively interested in maintaining the integrity of the part of the system that resides on their machine. What we're left with is the task of designing the system to secure the content against that 1 percent of hackers.

But, note that we don't need to be entirely successful in preventing these hackers from achieving their aims. Just as Bowdlerized books remain entertaining to a large audience, despite annoying many purists, so a hacked cyberspace can remain entertaining. Don't get me wrong though. I'm not saying let's give up. I'm saying the opposite: let's build, because even if it does get vandalized now and then, it's still worth repairing the damage and continuing, because the whole edifice doesn't come crumbling down, it's just a tad tainted.

The thing is, cyberspace only has to be useful to the majority of its users, i.e. entertaining. That means it can tolerate a small amount of vandalism or corruption and still remain useful. This is quite unlike a system required for commerce where confidence in its integrity (and thus viability) might completely collapse if it became compromised even in a very small part.

So while some may say that security in P2P systems is a major headache, this is largely from a commercial perspective. We still have a headache of course, but at least we only need to keep the system around 90% clean, rather than 99.99 percent. Of course we'll still strive to stamp out corruption, but now we know our system failure threshold is more achievable than one might at first assume.

 Security in Society

This becomes more akin to maintaining a stable society than of securing a system. Each player's node, in the course of being an integrated member of a productive society must necessarily be completely open to each and every other, simply in order to present the player with its understanding of the virtual world and to allow the player's actions to be conveyed to all other nodes.

So, I think we should start talking more about how members of a society evaluate each other in order to determine truth from falsehood, hypothesis from proof, and rumor from news, rather than how we go about keeping secrets.

I think I'm on the side of the fence that believes an open/free society is a more secure one than a closed/repressed one. If anything, it is precisely because its security is so easily and continuously tested that it becomes reinforced. It has to adapt and learn from each new threat, each new attack. Attempting to utilize a closed security model in the process of government may appear to be a more robust approach because it prevents easy access to control or change, but the trouble is when it breaks, it breaks big. A closed or rigidly secure society rots, it cannot confront any corruption, any weakness in its overall security, until ultimately the whole edifice comes crashing down under its own weight.

A rigid structure such as a building may need to be completely rebuilt after slight structural damage, but a more adaptable structure such as an ant hill can be repaired or rebuilt around even quite major damage.

A society in which each member is free and encouraged to express their views lets the society understand itself, understand any problems, and thus heal itself. A world in which a person is free to fly a plane into a building, is a world that can heal itself (better than nuclear annihilation anyway). Of course, it would have been better if this ill could have been recognized and fixed earlier, but it seems that we must deduce that in this case it was difficult for pleb to speak peace unto superpower. And this just as we thought world peace was imminent, given we've just got 'nation shall speak peace unto nation' sorted…

If anything we need to encourage conversation, exchange of ideas, good along with the bad, pleasant along with the unpleasant. This means facilitating crime along with sociability, theft along with trade, vandalism along with art, etc. This must happen at all levels of society, not just among plebs, but also at the corporate level. Read the Cluetrain Manifesto for how corporations need to change toward greater openness. You can't have two worlds, one of people and one of commerce. We're all in this world together.

And yup, this all applies to P2P systems. Full exchange of information. You can't ban bad information. You can't even ban secrets. There must be no apartheid between commercial content provider and punter - the player is not the enemy - we are all having fun together. We only have to cope with the minority of players that choose not to play by the rules.

 Secrets? From Who?

As far as secrets are concerned, unfortunately the Pandora's box of encryption has been opened and nothing any government can do can undo that. The best thing to do is to encourage free communication of dissent, bigotry, insurrection, crime, etc. Then people won't feel the need to encrypt it. We certainly can't start sending people to prison simply because they've forgotten their private key.

And on that point: if someone published a program that generated public keys without private keys, and everyone started sending each other, as a matter of course, blocks of code that had been encrypted using one of these public keys, then everyone would have a defense against forgetting their private key, i.e. anytime someone wanted to send real code, no-one would know if there existed a private key to it. Perhaps this should be termed 'anti-steganography', i.e. when code becomes widespread, then there's no need to send code covertly.

Anyway, my point is, that you can't ban the undesirable, because if you do, it'll just happen in secret. And the next step, of banning anyone from doing anything in secret, is not just silly it's mad that anyone finds it plausible (like banning suicide - you only catch the failures). The solution is to encourage open communication, and thus to make this a far more productive means of solving problems and resolving disputes. When you provide the means for man to speak freely unto mankind then secrets become redundant.

 Troublesome Alternate Perspectives

Of course, all the above applies to the insane and the criminal as well as the sociable. It is better for an open society to allow someone to show their hand sooner with a lesser act, than for a closed one to force it to commit a much greater act later. A bit like saying "I'd rather someone vented their anger in an e-mail today, than saved up for a gun to shoot me with later…"
But, what to do about the warped sects that follow a collective delusion that humankind must be destroyed? Well, the sooner their hand is shown the sooner something can be done…
However, ultimately there always exists an end to every system. A human can withstand a lot, but a bullet or cancer can finish it off. Humankind can withstand a lot, but a meteorite or nuclear war can finish it off. Life can withstand a lot, but not a supernova. Matter can take a lot, but not a black hole. No system is eternal.

 Similar Systems

So, there is no such thing as perfect security for any system, but we can take pains to ensure that things are as secure as possible, but without compromising the system in the process. This means finding an appropriate approach.

It seems to me that it is better to look to similar systems in nature to apply to our distributed systems based cyberspace, than it is to bang the square peg of rigid systems' security into our triangular hole.

For example, just as our bloodstream happily ferries pathogens along with our blood, it also uses the same network to ferry antibodies as a defense. There are some systems such as this, that on some levels seem to be dangerously open to attack, but are open through necessity, and luckily it's from such systems that we can take examples of appropriate approaches to security.

 Breaking Away from Obsessive Computer Security

Perhaps it's instinctive, perhaps it's brainwashing. Either way, a large chunk of computer literati seem to be overly concerned about security in computer systems. So, perhaps it might be a good idea to just step back a mo and review the situation.

For example, although a high level of conventional security measures may be appropriate for a single computer or a corporate network, it isn't necessarily the best approach for a network of a million or more, effectively anonymous PCs.

With the advent of the Internet it's important not to lose sight of what we're trying to secure, and risk ending up thinking security is sacred. Fragile systems that lose significant value when they're compromised by accident or deliberate act are indeed candidates to warrant considerable security. However, more flexible systems that are expected from the outset to be compromised (perhaps only in part) on a continuous or occasional basis can still maintain their value. Security for such systems is, and must be, an intrinsic property and not an added feature.
The thing is, there's a risk that by continually reinforcing a system's security it simply becomes more and more complicated, burdensome to maintain, unwieldy, and worst of all, ever more fragile. That's why I think it's useful exploring analogues to networked computers, it broadens one's perspective of what's important and how much security, or lack of it, other systems can tolerate.

Insecurity of Changing Systems

Consider human society. If it operates according to certain principles that regard property as a human right, then as long as the majority respect that right, the society can tolerate the few who do not (perhaps making an effort to discourage such disrespect). However, if the majority respect for property collapses then we might still arrive at a stable society - such as communism or anarchy. It will probably be a different society, but not necessarily less 'good'. Whatever the majority conspires to achieve will define the society, and it can still work, still be viable, whether we judge it civilized or not.

There may be some people who are strongly averse to changes in the system, but those changes aren't necessarily undesirable or unworkable. Protecting a system from change may thus sometimes seem to be a given requirement of a security system, but it isn't.
In the sense we're interested in, security is the ability to protect a system from being changed into a patently non-functioning system (and its constituents to non-functioning constituents, but only in so far as the viability of the system is threatened).

The typical solution to this is overkill, i.e. preventing all change to the system except by a select, privileged group.

As can be seen in Open Source software development. Things don't necessarily descend into chaos simply because anyone can change the system. There just happen to be good mechanisms to weed out disadvantageous changes.

I've often heard that people don't like change, so perhaps it's not too surprising that people like security. Creatures of habit aren't we, eh?

But, notwithstanding our discomfort at change, we seek only to minimize the likelihood (and duration should it occur) that our system will cease to function (in whatever form it has evolved into) in a popular way.

 Introducing The Social Approach

In the following discussion my primary focus is to consider security in terms of assuring the system's integrity and operational viability. While such things as access control, secrecy, privacy, rights management, input validation, etc. may figure prominently in typical commercial systems' security requirements, I hope I will end up persuading you that they may not be fundamentally necessary in an open system.

 Changing Focus of Security

Let's start off with a quick review of how the focus of computer security has shifted over the years.
Once upon a time there were only isolated mainframes orbited by dumb terminals (Figure 1). The terminals didn't need to be secured because they weren't considered valuable - they didn't contain any data or other precious resource. Some access control to the terminals may have helped delay some hackers, but the real security cordon was placed around the central mainframe, both physically and in terms of user authentication. Great for text based adventures and reading Usenet.



Figure 1 - Terminal/Mainframe

Then we had the advent of intelligent terminals, computers in their own right that were able to perform some local presentation processing. These could query a central server mainframe for the barest minimum of data or record locking, and handle the complexities of user interaction locally. This made things a bit more responsive, but the client machines still had to be considered in the hands of the enemy (Figure 2). The client/server model is often the initial inclination for commercial systems given that the server is so patently in control, however it has considerable scalability costs. Nevertheless, its good security can help reassure players that games are fair and that their investment in playing will not be compromised.




Figure 2 - Client Server

Note that the server does not necessarily need to be under proprietary control. A variant of it (Figure 3) abandons the need to secure the server, allowing it to be hosted on the same machine as one of its clients. This is quite sufficient for games where players can trust each other, and they are likely to have a network fast enough and a machine powerful enough to cope with the typical number of players.



Figure 3 - Player Hosted Client Server

An alternative to client/server is to make no distinction between participating computers, simply having communication on a peer basis as necessary (Figure 4). In many cases this can help spread the workload and prevent communication bottlenecks. So, although this model is not particularly secure, it can scale to some extent.



Figure 4 - LAN Based Peer-to-Peer

The LAN based peer-to-peer approach can be directly ported over to the Internet (Figure 5), but because bandwidth limits are more significant more careful attention needs to be paid to how relationships are formed, especially if these can be anonymous. Moreover, each computer has to be a little more responsible for what's going on, i.e. the access and privileges it allows to peers. File sharing systems such as Gnutella adopt this kind of approach.



Figure 5 - Unsupervised Peer-to-Peer

Of course, in exchange for an Achilles heel, by providing a secure server alongside the peer-to-peer approach you can provide some security and control for occasions when it's necessary (Figure 6). For example, licensing, payments, indexing, and other features that may need more security than the bulk of information being passed around, can occur via a central server. Napster used something similar to this (and so could be shut down by disabling the server). In some systems the server may only be needed in order to set up a group of peers that thereafter operate independently, and in others it may be used continuously. Either way, it can become a bottleneck.




Figure 6 - Supervised Peer-to-Peer

When the information needing to be provided by the server is proportional to the number of users, then a solution to the scalability problem is to have multiple servers providing the same service. Prospective participants then need to first find the most appropriate server to use (Figure 7).



Figure 7 - Multiple Server

Of course, if the server-side information needs to be shared among all participants then you need to either replicate this information across all servers, or distribute it appropriately (Figure 8). In fact this is beginning to get popular as 'the solution', i.e. you have a two tier distributed system. In the top (central) tier you have the trusted servers which are maintained by trustworthy ISPs, etc. In the lower (outer) tier you have all the untrusted players. You can still allow players to distribute information among themselves for expediency, but ultimately they'll only trust the horse's mouth (a trusted server).

If you have a large amount of content that you need to protect then this is a pretty good solution. However, you have to provide and maintain the servers (or do deals with ISPs).



Figure 8 - Replicated Server (or Partially Distributed System)

One approach that tries to obtain the benefit of player owned infrastructure, but secured content, is to have a distributed system, but encrypt data between the client and the distributed component (Figure 9). This means every player can hack the program that runs on their own computer, but they can only trash the data they have because they don't know how to encrypt valid changes. Thus you can spoil the fun for yourself, but not for anyone else. Well, at worst it's like letting your pals play with your football, but causing hassle when you take your ball away (they just have to fetch another ball).

It's difficult to imagine that if a program on your PC can decrypt and encrypt something, that you can't reverse engineer that process. So I think the jury is still out on this one.

Don't mistake this approach though, for the one where messages between peers are encrypted. Interception is not the only issue. We need to be able to tell the difference between a computer that has a true arbitration on its hard disk and a computer that has a falsehood in its place.
It's a choice between reputation monitoring and believing in perfect security. With the latter, a security breach means the whole system is suspect, because reputation monitoring won't have been utilized. Even so, I daresay there'll be a few attempts to equip consoles intended for massive p2p games with hardware based encryption. Good luck! See how far they got with DVD.

The other side of the coin though, is that such games might not get developed until the non-encrypted approach has been tried and tested, and that will tend to mean that reputation monitoring is going to get honed as an acceptable, if not reliable, security mechanism.




Figure 9 - Encrypted Peer-to-Peer

And so we come to the hierarchically arbitrated distributed system (Figure 10). Totally open. Protected only by the ability to consult ones peers as to the reputation of other peers. No one in control. Just like Linux, you're free to create your own variation, but the likelihood is that people will prefer to use a standard build from a supplier they trust. The market will provide its own validation suites to double-check that each version is hack-free. All you're left with is a few rogue computers running spoof versions trying to corrupt the system. They have to do their dirty work before any of the other peers they deal with start to smell a rat. Just like on eBay, you don't get so much trust while you're still wearing shades, i.e. the ability to corrupt only comes with reputation, and reputation isn't something you get overnight. You can create a cartel to mutually bounce up reputation, but it's unlikely that a particular peer will consult solely the members of that cartel (unlike on eBay). Just like buying your own printing press, printing your own news is no good unless the stories can be verified (even if you own most of the press).



Figure 10 - Hierarchically Arbitrated Distributed System

______________________________________________________

Strength with Flexibility


join | contact us | advertise | write | my profile
news | features | companies | jobs | resumes | education | product guide | projects | store


Copyright © 2003 CMP Media LLC

privacy policy | terms of service