
By Crosbie Fitch
Gamasutra
August 7, 2002


Cyberspace in the 21st Century: Part Seven, Security is Relative

Strength with Flexibility

Some of the strongest or most resilient systems are those that can change. The grass that blows in the wind, etc. An animal might die, but the species goes on. The species might become extinct, but life goes on. Ultimately DNA is pretty resilient stuff when it comes to surviving what the universe can throw at it. Perhaps, thinking even beyond DNA, to all life, including as yet undiscovered forms, it's a case of "Life might die out on this planet, but life in this galaxy will go on…"?

But, back to Earth, and more immediate concerns…

I've often wondered if the common cold isn't actually a means by which our immune systems communicate with each other. Think of it like security consultants exchanging details of the latest virus with each other:

"Hey, Fred, I've tweaked this test virus a bit - you know, the one I got from Bill the other day - I've made it a tad more cunning. Infect your system with it and see how long it takes you to suss out how it works"

"Righty ho, Tom. I'll pass it around the lads at work. Our anti-virus software will soon be even stronger"

A system that is constantly exposed to agents that impair its viability will either adapt or die. In other words if we design a system that cannot adapt to unforeseen threats, then we must expect it to become unusable. For a system with a short-term lifespan it's probably quite economic to make it strong but fragile - when it's busted, it's busted. We can always send out a patch or fix if necessary. However, a system that's got to carry on working no matter what's thrown at it has got to survive throughout the threat long enough that an 'immune system' can beaver away, analyze the problem and come up with a fix.

The only immune systems for computer systems in use today tend to comprise human beings (teams of coders). We have wafer scale integration, RAID, and voting computer systems, which eliminate errant components. We have disk formats and databases that can repair themselves after corruption, sometimes even without loss of data. We have virus checkers that can recognize viruses, even mutating ones, and remove them. But, I think we're still at the research stage in terms of developing a system that can recognize novel and undesirable elements solely based on their behavior, that is then able to remove them and allow the damage to be repaired.

Of course, you have to be careful with such automatic measures. Sometimes they cause more harm than good. Not mentioning any names, there is a particular system in use today that attempts to secure a user's files (against accidental loss). Thus it can recreate a user's file if it feels it shouldn't have been lost, and also delete it if it thinks it's spurious. Unfortunately if it gets it wrong (the server crashes) sometimes it can decide that all the user's files are spurious and should be deleted ON THE REMOTE COMPUTER! I've seen this happen and the victim tends to emit steam. But then, even our own biological immune system gets it wrong sometimes - with lethal consequences. But, on balance, I guess we'd choose to keep our immune systems for the greater protection they afford us than the harm they cause if they go wrong. It all depends upon whether you live in an 'unfriendly' environment or not.

So, as we're developing a system to have an unlimited lifespan, it looks like we'll be needing a flexible, resilient system that can tolerate being in a state of continuous compromise and can detect and remedy its sources.

Societies as Resilient Knowledge Based Systems
Let's now think of humanity at a different level, its behaviour en masse as a cellular organism, perhaps in terms of its nature as a knowledge based system - aside from its behaviour as a parasite on this planet.

Our social system of gossip survives fakes - we can weed out the liars, the false rumour mongers, the charlatans and con artists - well, usually.

Our distributed system on the other hand is one where we have a multitude of computers gossiping about what's going on, and like society there's a continuous ebb and flow of computers that grow in the amount of respect and authoritative status they've earned, and sometimes a fall from grace when they've abused their position.

So somehow we need to combine the gossip system where participants can measure the quality of information they receive by comparing it with everything else they hear. This is viable where infractions are expected to arise from individuals rather than a large consortium. The thing is, by definition, if the consensus wishes you to believe a lie, then the lie becomes the truth. You try telling people the world is round if the consensus is that it's flat! What is important to cyberspace in terms of its entertainment value is that we have a consensus about it - it is not urgent that we inspect each item of information to determine that its internal logic is sound - we'll find that out in due course. Or put another way: if you can't believe everything you hear, then the majority view is a good place from which to start - it tends to cause least friction.

It's only when the majority view is tested that we need to find out whether it's valid or not. For example, until we take a closer look, it doesn't matter whether there are artificial canals on Mars. It doesn't matter whether witchcraft exists or not, one can still exterminate suspected witches to err on the side of caution, and find out the error a bit later when the consensus changes. Taking the minority view is worse, because then any crackpot can say anything, e.g. the sky is falling.
These days we have scientists who we now hope are able to move civilization on to a higher level, where our consensual reality is constructed a little more rigorously, based a bit more on logic and falsifiability, and less on rumor and assertion.

You might think that reputation plays a good part in all this. However, what we can observe throughout history is that reputation does not improve the validity of consensus, it merely improves the ability to disseminate it. The Pope might have had a good reputation, but his knowledge concerning reality wasn't particularly sound - the important thing to note though, is that it didn't matter. Civilization just needs consensus, it doesn't need the right one, unless it has to progress (someone invents the telescope, or discovers America, say).

So, cyberspace doesn't necessarily need a 'right' version of virtual reality, it just needs to be able to disseminate, and achieve, a consensus as to a usable version, i.e. we only need to worry about repairing inconsistency when we meet it.

Don't think I'm trying to devalue the benefits of existential veracity - far from it. I'm just pointing out that there's a separation between consensus and true reality, that corruption of the truth is not necessarily a threat to the system's operational viability in providing an entertaining experience.

So if we have a renegade node that's amassed a sizeable reputation then it will indeed have the ability to sow a corrupt version of reality to a large number of its respectful nodes, but this won't necessarily crash the system, or even make it unusable. It might achieve the renegade node's ends, suggesting that a passing asteroid is actually an alien spacecraft able to pick up recently expired souls, but hey, it's difficult for anyone to prove any falsehood has occurred. There's just a consensus discontinuity. Members of each consensus are just as happy with their version of reality as the others are with theirs.

To some extent the most obvious manifestation of an example of a consensus discontinuity today is between religion and science. The trouble with faith is that it doesn't conflict with consensus, at least to the extent that it can be disproved. That's why it's so difficult to deprogram theists. And from the theist's point of view, that's the trouble with science, that it appears to provide a sufficient universe, that it's difficult to persuade atheists that there is more, that there is a god, that faith 'works'.

The point is, that in a virtual world just as in the real one, an 'untrue/true' version can live among a 'true/untrue' version, and both parts can 'know' that their version is the truth.
This is why politicians worry about someone, who challenges their ideas of truth and goodness, amassing popularity and respect. Popularity can outweigh the truth.

So utilizing 'reputations' is a better strategy than giving credit equally, but it isn't a perfect solution. We also need the ability to inspect the fabric of reality for self-consistency, rather than just taking it at face value. However, let's see how far we can get with reputations.

Reputation Tracking
In order to have some kind of reputation tracking, our system needs to have a means of identifying each participant and the ability to gauge, on a long term basis, the quality of information we receive from them. It doesn't really matter if we only know them for a short time, we'll make our own judgements regarding what they tell us.

This reputation tracking strategy neatly meshes with the heuristic approach I discussed in the previous article. By measuring a node's reputation based on one's own dealings with that node and by conferring with other nodes that one knows or respects (one may trust senior nodes more, or peer nodes with good reputations) as to their measure of the node's reputation, one can get a fairly reliable idea of a node's 'goodness', i.e. the likelihood that its information is valid. Naturally, one can't simply go by a node's own recording of its own reputation (though if it differs from other nodes' values, something fishy is probably afoot).

This idea isn't new by any means, and for more sophisticated developments please see the end of this article for a bunch of links to further reading.

Objectives
Remember that peer-to-peer is all about people freely communicating with each other. People have no secrets. Indeed, the system's entire raison d'être is to tell everything that anyone wants to know as efficiently as possible.

A fairly sensitive issue is that people want to be relatively confident about the integrity of the information they receive. And I think this is the key - at least in aggregate terms. It's not that the information must be free of inconsistency, up to date, or correct. It just needs to consist of accurate recordings of events. This is because in some sense, the present is an accumulation of historical events. Although we can still live in a present where the history books have been altered to suit someone's preference, it breaks the spell that this is an alternate reality. It indicates that some players have managed to whisper in god's ear.

If all computers are involved in scribing the history books, and most players are only interested in playing by the rules, then we need to have some scheme of contriving that the non-rule-abiding players don't get to be scribes.

In other words, in order to secure the system, our primary objective is to determine who is best granted the responsibility for arbitrating over the information that defines the virtual world.

Why is Existential Accuracy Important?
People seem to be designed to operate in a coherent universe, therefore while occasional drug induced excursions may be 'fun', people prefer that their experience makes sense (at least they want to be confident that it will make sense one day if not today). However, it need only make sense sufficient for them to have an experience in which they can remain entertained, e.g. an experience in which a small percentage of events seem to make little sense may be quite acceptable - indeed the human mind seems adept at ignoring nonsense. We are quite happy to ignore such things as gravity: we'll just say that's the way things are, or we won't even realize that gravity is going on all around us. It'll take an apple falling out of a tree to irritate the right person just enough that they'll ask why long enough for it to outlast their attention span.

Perhaps millennia ago the normal people were a bit miffed that wizards and witches appeared to have an unfair advantage in life. Perhaps they worried that these people with large amounts of wisdom and knowledge could exploit this to mess with reality (god's world). It's happening again today. Perhaps we'll institute laws to make hacking a capital offence, perhaps burning at the stake might be appropriate? When we start relying on cyberspace as a virtual reality then we'll probably get very upset if we find anyone knowledgeable enough to mess with it (they couldn't possibly be wise).

Breaking the Rules, Breaking the Game
A game that no-one plays is a broken game. A hacked game that everyone still plays (numbers are not decreasing), has not been broken.

If not through boredom or lack of time, the only reason people stop playing a game is because it has ceased to be fair. Even if some players are breaking the rules, if their presence and exploits are negligible, they can still fail to impact the fairness of the game as a whole.

Just as thieves break the law, their activities fail to impact the perceived overall fairness of a property-based society. Why? Because detection methods keep thievery to an acceptable level. We can't stop it happening, but we can add costs and risks to it from the thief's perspective. It is possible in some circumstances that you could counter thievery solely by reputation, if reputation is valued by thieves of course. This is why in small groups of people (even thieves) the members of that group don't tend to steal from each other simply because they value membership of the group. To some extent this is how we demonstrate against thieves, by removing them from society and removing their social responsibilities.

I'll say it again: grant arbitration to nodes according to their past performance in terms of consistency and accuracy. And yep, we can measure that, because we have a whole community of nodes involved here. It's not an anonymous, one-to-one relationship. The corrupt nodes then tend to get removed. And it doesn't matter if they resurface as new nodes, because lack of a performance history isn't much different to being untrustworthy in any case.
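The reputation tracking and arbiter selection described above can be sketched as follows. This is an added example, not code from the article or its author; the class and method names, the scoring formula, and the `PRIOR` and `SELF_REPORT_GAP` constants are all assumptions chosen for illustration, and the peer history is constructed.

```python
from collections import defaultdict
PRIOR = 4.0            # assumed pessimistic prior: a node with no history scores 0.0
SELF_REPORT_GAP = 0.3  # assumed threshold for a suspicious self-assessment

class ReputationTracker:
    """One node's view of its peers (all names here are hypothetical)."""
    def __init__(self):
        self.good = defaultdict(int)      # dealings later confirmed by consensus
        self.bad = defaultdict(int)       # dealings later contradicted
        self.reports = defaultdict(dict)  # subject -> {reporter: claimed score}

    def observe(self, peer, consistent):
        """Record one first-hand dealing with `peer`."""
        (self.good if consistent else self.bad)[peer] += 1

    def direct(self, peer):
        """First-hand score in [0, 1); no history is treated like untrusted."""
        g, b = self.good[peer], self.bad[peer]
        return g / (g + b + PRIOR)

    def hear(self, reporter, subject, score):
        """Store gossip: `reporter` claims `subject` has reputation `score`."""
        self.reports[subject][reporter] = min(max(score, 0.0), 1.0)

    def reputation(self, peer):
        """Own experience (weight 1) plus gossip weighted by trust in each reporter."""
        num, den = self.direct(peer), 1.0
        for reporter, score in self.reports[peer].items():
            if reporter != peer:           # a node's own claim is never counted
                w = self.direct(reporter)  # unknown reporters carry zero weight
                num, den = num + w * score, den + w
        return num / den

    def fishy_self_report(self, peer):
        """True when a node's claim about itself differs from what others see."""
        claimed = self.reports[peer].get(peer)
        return claimed is not None and abs(claimed - self.reputation(peer)) > SELF_REPORT_GAP

    def pick_arbiter(self, candidates):
        """Grant arbitration to the candidate with the best track record."""
        return max(candidates, key=self.reputation)

def demo():  # constructed history: two reliable nodes, one cheat, one new node
    t = ReputationTracker()
    for i in range(20):
        t.observe("veteran", True)
        t.observe("senior", True)
        if i < 10:
            t.observe("cheat", i % 2 == 0)  # half its updates were contradicted
    t.hear("senior", "cheat", 0.1)       # trusted peer warns about the cheat
    t.hear("cheat", "cheat", 0.95)       # the cheat vouches for itself
    t.hear("newcomer", "cheat", 1.0)     # no-history node vouches for the cheat
    return t

if __name__ == "__main__":
    t = demo()
    print({n: round(t.reputation(n), 3) for n in ("veteran", "cheat", "newcomer")})
    print("arbiter:", t.pick_arbiter(["veteran", "cheat", "newcomer"]))
```

Because a reporter's weight is its own first-hand score, a node that discards its identity and rejoins starts at zero and cannot vouch for anyone, itself included.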

Evolvable Security

An open system is an evolvable system. It may be weak today, but each attack makes it stronger. A closed system is a fragile system. It may be strong today, and resist many attacks, but the first successful attack will break it completely.

In an open system the solution is to be open about security. The more a system (including its users) is able to understand about itself the more it is able to recognize and pinpoint anomalies and symptoms of corruption.

Security in an open system is an educational training session between the system and its adverse environment. The system is continuously tested in increasingly sophisticated ways, and each time it adapts and accommodates such tests.

Who's the Enemy?
Conventional wisdom so far in the game development community has been that 'the client is in the hands of the enemy'.

Er, excuse me, but 'the client' is in the hands of the player, and the players are friends (well, until they lose sight of the game). Players shouldn't all be tarred with the same brush just because the hacker sometimes wears a player disguise. Players are the great untapped ally in the war against game hackers.

The Hacker Mindset
All the players hope for is: firstly, that they will have fun; and secondly, that they will have equality of opportunity in having that fun, without being obliged to subvert legitimate player interfaces.
In other words, players wish to suspend disbelief in the virtual world. They don't want to have to hack the system in order to obtain parity with other players that get their rocks off doing that sort of thing (like have to get an 'aimbot' just because everyone else uses them). While it may well be fun to hack, that kind of 'fun' usually depends upon the presence of a number of non-hacker users.
That's the hacker mindset for you: if there's no challenge, there's not much point in hacking it. If a derelict house has no doors or windows, why find a way in via the chimney? If something's already broken or worthless, why try to compromise it further? Their motto is probably "If it ain't broke, break it".

Hacking is mankind's equivalent of an essential facet of nature: continuous stress and exploration of opportunity. It's not so much a war between complex systems and the simpler ones nibbling at their heels, but a symbiotic relationship in evolutionary terms. A system will encourage the evolution of other systems to exploit its weaknesses (often against its interest), and the system will either achieve viable equilibrium, adapt, or fail. This comes back to my point about the common cold. It's in our interest to pass every new variation of this around precisely because it strengthens our species' collective immunity. Who knows, we may even be interested in deliberately mutating the cold virus. Wouldn't it be a pity though, if we discovered a cure for the common cold and in so doing inadvertently wiped ourselves out through an enfeebled immune system? I wonder if we need hackers as much as we need thieves and viruses?

Maintaining the Commons

Cyberspace is just going to be the 3D equivalent of the Web in security terms, i.e. nearly everyone's interested in preventing corruption, subversion, vandalism, etc. But this pressure comes from the entire user base. We don't have a particular corporation charging everyone for the Web and thus contractually obliged to provide a given level of service. The Web is a mutually advantageous piece of global collaboration. Cyberspace will probably be the same.
Oops! I've blown it now. Not only have I suggested that the infrastructure should be free, but now I've implied the content is given away for nothing too. Imagine thousands of cyberspace development companies each having a share valuation based upon how many players frequent their virtual universes. Well, hey, it happened with web sites!

Total security is not possible. We can only continue the escalation of preventative and remedial techniques. The system and its hackers just keep getting more sophisticated. However, it seems that people have reached a steady state in dealing with each other. Or perhaps, maybe that's just the general tendency, and there's an occasional imbalance when one side seems to be winning.
At the end of the day any system we use can become corrupted, but humans have evolved to suss each other out such that an apparent advantage is always checked out for its legitimacy.
But have you noticed how few care about other players' disadvantage? How many players are going to be upset because another player keeps tweaking the system to penalize themselves? Well ok, it might be an indication that someone was subtly learning the ropes toward obtaining a great advantage later on, but that's the hacker's cunning and guile for you.

If nodes in our distributed system are like people, then they need to utilise similar social validation strategies. Nodes should be doing background evaluation of computation quality and consistency.




Copyright © 2003 CMP Media LLC
