By Crosbie Fitch
Gamasutra
[Author's Bio]
August 7, 2002

Cyberspace in the 21st Century: Part Seven, Security is Relative

Security and Thermodynamics

About a decade ago, a chap called Len Bullard was asked to have a look ahead ten years. He astutely guessed that it would be "A world wide hypermedia system based on markup technology, distributed business processes, etc." - not far off, eh? He also explored issues of system stability and security in the face of 'terrorist attack'…

Here's what he has to say:

The goal of destabilization is to exhaust the energy budget of a system and deprive it of the capacity to meet mission goals. One can say a destabilized system exhibits a "higher temperature", thus, an increase in energy expenditure without a resultant increase in organization, until it reaches entropy. Direct attack is one means (e.g. a worm), but more subtle approaches are possible.

Some working definitions:

  • Instability - the sensitivity of a system element to variance. The number of sensitive elements and the degree of sensitivity determine the overall system vulnerability.
  • Destabilization - the process of increasing the entropic value of a system by introducing false referents or relationships that increase the latency of the messaging system beyond the tolerance thresholds of the protocol.

A successful destabilization strategy disrupts the synergy of system and organization. The more interdependent the system, typically, the easier it is to destabilize. To make the system less vulnerable, it needs to be noise-tolerant and we all understand the most common techniques using redundant data storage, matching and verification, and encapsulation of components or view dimensionality to restrict propagation. It is necessary to be able to discriminate natural activity that results in decay (incompetence in functions, superstitious learning, etc) from an active destabilizing agent (goal seeking).

Destabilization in a system can be increased by decreasing the referential value of a pointer. This activity seeks to increase uncertainty and decrease confidence or goodness in a value. These might be called Boltzmann Attacks based on application of the Boltzmann entropy equation:

  • Uncertainty - increase the number of imprecise terms or referents that result in unresolved ambiguities. Superstitious learning is a good example. (aka FUD)
  • Exhaustion - increase the number of referents precise or otherwise beyond the capacity of the system to resolve them within the budget (e.g. time, money, any other finite resource). Vaporware is a good example as it disrupts timing.

    Disrupting timing is an excellent strategy. See Miyamoto Musashi - The Book of Five Rings - "You win in battle by knowing the enemy's timing, and thus using a timing which the enemy does not expect." He goes on to describe foreground and background timing and the need to see both in relationship to each other. Musicians understand this as syncopation and the effects of it on autonomic systems.

    Some factors that affect destabilization are:

  • Position of destabilizing agent in hierarchy of control, that is, the inter-dimensional effectiveness for propagating by force
  • Length of time of effective destabilization, how long is the error undetected and therefore, the density of the error (e.g., replication)

    Destabilization can propagate linearly, by value, or non-linearly by reference.

    To destabilize:

  • Identify a mission critical component and its importance in the event stream
  • Introduce the destabilizing agent with sufficient resources to execute a change needed to redefine a component or critical element of a component.

    Reclassification is an excellent strategy here. AKA, labeling. This is why authority is so problematic when creating semantic nets. Note carefully: the principle of rationality is weak for organizing human systems (see Prisoner's Dilemma). No system can be predicated on self-sacrifice that leads to extinction. Trust in an organization is in direct proportion to the relationship to self-preservation.

    If it helps, it is supported. If it extinguishes, it is attacked.

  • Redirect resources so that stabilizing controls are decreased, e.g. distraction.

    For example, a change of focus can be used to mask destabilizing activities. When the hacker better understands your resources and how you apply them, he can create other activities to deny visibility of his real mission. Coordinated attacks are hard to defend against if such knowledge is available.

  • Protect the agent until the energy budget collapses such that effective mission closure cannot be achieved by redirection. Deny the capacity to remediate.

    The notion of focus involves temporal elements of concurrency. What can be known, when and with what degree of certainty, grows or diminishes in relation to the available referents and the capacity of the system to resolve them.

    To counter instability:

  • Identify the noise background. Difficult if the hacker can hide in the noise.
  • Regulate and test any inter-dimensional relationship or signal. Precisely identify extra-domain relationships.
  • Design such that system uses the smallest number of terms.

    As Dr Goldfarb says, conserve nouns, and I say, test verbs.

  • Ensure terms with a large referent set are carefully monitored when applied. Rigorously QA broadcast deliverables by policy.
  • Structure terms into strongly bound classes
  • Collect performance data to identify emerging instabilities. Compare local events and environment continuously (use current maps and keep them current).
  • Isolate inherently unstable components or processes from the network.

    Unstable processes are often useful particularly as they operate near the edge of onset of chaos, and therefore, are engines of evolution. "...crazy but we need the eggs."

  • Design system to maximize opportunism and cooperation among dependent subsystems.

If a system is becoming baroque, it is in need of redesign. If the slightest deviation is a cause of controversy, you probably have a system that is overly sensitive. Note this is an issue for many object-oriented systems that use inheritance.

  • Avoid intrigue as a means to administer policy.

    The thing to know about Machiavelli is, he was fired. Do not make an employee bet their badge as the price of innovation. Don't white pig. If the price of innovation is to watch others get the reward for it, the behavior will be extinguished.

    As some extra reading, the Taguchi Model for process evolution and Deming's TQA work are worthy. As in all things, over applied, they are also a good way to exhaust an organization. Beware the problem of top-heavy control systems. In most business transactions, if the customer is satisfied, you are done. They'll call you if they need you. Make sure they know you will respond when they call.

    Len

    http://www.mp3.com/LenBullard
    (Source: http://lists.xml.org/archives/xml-dev/200011/msg00009.html)
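The "Boltzmann attacks" Len describes have a direct engineering counterpart: a receiver that spends unbounded effort resolving whatever referents a sender supplies is exactly the system whose energy budget an attacker can exhaust. The following Python is an added illustration by the editor, not code from the article or from Len Bullard; it takes the quoted ideas literally. Messages are lists of referents resolved against a small known vocabulary (the "conserved nouns") within a fixed per-message budget, and a monitor tracks the Shannon entropy of recent referents as the "temperature" of the stream, alerting when a single message exceeds the budget (exhaustion), when too many recent referents fail to resolve (uncertainty), or when the temperature climbs above a baseline calibrated from known-good traffic. The vocabulary, budget, tolerances and sample traffic are all constructed for the demonstration.

```python
import math
from collections import Counter, deque

# Constructed vocabulary of legitimate referents: the protocol's conserved nouns.
KNOWN_REFERENTS = {"player", "position", "health", "inventory", "zone", "tick"}


def resolve_message(referents, known=KNOWN_REFERENTS, budget=8):
    """Resolve a message's referents against the known set within a fixed budget.

    Returns (resolved, unresolved, exhausted). Work stops as soon as the budget
    is spent, so a message stuffed with referents costs the receiver a bounded
    amount of effort rather than whatever the sender chose to impose.
    """
    resolved = unresolved = 0
    for i, ref in enumerate(referents):
        if i >= budget:
            return resolved, unresolved, True
        if ref in known:
            resolved += 1
        else:
            unresolved += 1
    return resolved, unresolved, False


def temperature(referents):
    """Shannon entropy (bits) of the referent distribution in a window.

    Traffic drawn from a small, stable vocabulary runs cool; traffic full of
    novel or one-off referents runs hot: more microstates, no more organisation.
    """
    counts = Counter(referents)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


class StabilityMonitor:
    """Sliding window over recent referents plus a calibrated baseline temperature.

    ingest() returns the names of the tolerances a message pushed the system past:
    "exhaustion"  - the message alone exceeded the per-message resolution budget
    "uncertainty" - too large a share of recent referents could not be resolved
    "temperature" - the window's entropy rose well above the calibrated baseline
    """

    def __init__(self, known=KNOWN_REFERENTS, budget=8, window=32):
        self.known = known
        self.budget = budget
        self.window = deque(maxlen=window)
        self.baseline = None
        self.total = 0
        self.unresolved = 0

    def calibrate(self, messages):
        """Learn the baseline temperature from traffic believed to be normal."""
        for message in messages:
            self.window.extend(message[: self.budget])
        self.baseline = temperature(self.window)
        return self.baseline

    def ingest(self, message, temp_tolerance=1.0, unresolved_tolerance=0.2):
        resolved, unresolved, exhausted = resolve_message(message, self.known, self.budget)
        self.window.extend(message[: self.budget])
        self.total += resolved + unresolved
        self.unresolved += unresolved
        alerts = []
        if exhausted:
            alerts.append("exhaustion")
        if self.total and self.unresolved / self.total > unresolved_tolerance:
            alerts.append("uncertainty")
        if self.baseline is not None and temperature(self.window) > self.baseline + temp_tolerance:
            alerts.append("temperature")
        return alerts


# Constructed traffic: a quiet baseline, one normal message, one flood of novel referents.
NORMAL_TRAFFIC = [["player", "position"], ["player", "health"], ["zone", "tick"], ["player", "inventory"]]
FLOOD = [f"bogus{i}" for i in range(20)]


def demo():
    monitor = StabilityMonitor()
    monitor.calibrate(NORMAL_TRAFFIC)
    quiet = monitor.ingest(["player", "position"])
    noisy = monitor.ingest(FLOOD)
    return quiet, noisy


if __name__ == "__main__":
    print(demo())  # ([], ['exhaustion', 'uncertainty', 'temperature'])
```

The baseline is learned from traffic assumed to be normal. If an attacker can hide in the noise at calibration time, as Len warns, the baseline itself is poisoned and the temperature alert will not fire; the per-message budget still holds, which is why the two checks belong together.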

Other Ideas

Penultimate Arbitration
There is a company called Horizon, a Glimpse of Tomorrow, that has done a neat bit of lateral thinking with regard to security (see an article by Ben Hoyt).

The gist of it is that arbitration over a piece of game state never happens at the nodes most interested in it, but no closer than their neighbors.

So a cheat cannot change anything to their own advantage: the very fact of being interested in a piece of state disqualifies them from arbitrating it. Their only route is to persuade a neighbor, the node actually entrusted with it, to corrupt it on their behalf. And since arbiters and neighbors may change at any time, that collusion is a tad tricky to sustain.

Incidentally, this reminds me of the saying that the people who most want to be politicians are the last people society needs in government.

Anyway, although I do like this idea, it costs performance: every state change now takes an extra round trip to a third party. Perhaps an empirical study could see if this hit was worth worrying about.

Even so, there remains the problem of vandals as opposed to cheats. Cheats are players that require the rules to work in order that their cheats prosper. Vandals don't care what they do as long as it upsets as many people as possible. A vandal would corrupt any arbitration that came their way.

This is why I think reputation monitoring is necessary. It not only detects vandals, but it also detects cheats.
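To make penultimate arbitration concrete, here is an added example in Python (the editor's illustration, not Horizon's or the article's code). A small constructed network topology stands in for the game's nodes; arbiters for an item of state are drawn from the neighbors of the nodes interested in it, never the interested nodes themselves, and rotated each epoch by hashing. An assumed rule (hit points can only go down, and by at most 25 at a time) lets honest arbiters judge a proposal. A cheat who tries to heal itself by fiat cannot vote on its own state, and a vandal arbiter that gives wrong verdicts is outvoted and loses reputation with every round it dissents in, which is the reputation monitoring the paragraph above calls for.

```python
import hashlib
from collections import Counter

# Constructed topology (not from the article): which nodes are direct network neighbours.
TOPOLOGY = {
    "A": {"B", "C", "D", "E"},
    "B": {"A", "C", "E"},
    "C": {"A", "B", "D"},
    "D": {"A", "C", "E"},
    "E": {"A", "B", "D"},
}

# Assumed game rule for the demonstration: a hit-point update may only remove
# points, and at most MAX_DAMAGE of them at once. Nobody heals themselves by fiat.
MAX_DAMAGE = 25


def penultimate_arbiters(item, interested, topology, epoch, k=3):
    """Choose k arbiters for `item` from the neighbours of the interested nodes.

    The interested nodes themselves are excluded, so nobody arbitrates state they
    have a stake in. The choice is rotated every epoch by hashing, so a would-be
    colluder cannot count on the same neighbour holding the item next round.
    """
    candidates = set()
    for node in interested:
        candidates |= topology[node]
    candidates -= set(interested)
    if len(candidates) < k:
        raise ValueError(f"not enough disinterested neighbours to arbitrate {item!r}")

    def rank(node):
        return hashlib.sha256(f"{item}:{epoch}:{node}".encode()).hexdigest()

    return sorted(candidates, key=rank)[:k]


def honest_verdict(current, proposed):
    """An honest arbiter applies the rule and nothing else."""
    delta = proposed - current
    return -MAX_DAMAGE <= delta <= 0


def vandal_verdict(current, proposed):
    """A vandal returns the opposite of the right answer, whatever the proposal."""
    return not honest_verdict(current, proposed)


def arbitrate(item, current, proposed, interested, epoch, reputation, behaviours=None, topology=TOPOLOGY):
    """Run one arbitration round; returns (accepted, arbiters).

    `behaviours` maps a node to its verdict function (default honest). Each
    arbiter's verdict is compared with the majority and its reputation adjusted:
    agreement earns a point, dissent costs two. A single vandal is outvoted and
    leaves a mark on its own record; a cheat never gets to vote on its own state.
    """
    behaviours = behaviours or {}
    arbiters = penultimate_arbiters(item, interested, topology, epoch)
    verdicts = {a: behaviours.get(a, honest_verdict)(current, proposed) for a in arbiters}
    accepted = Counter(verdicts.values()).most_common(1)[0][0]
    for arbiter, verdict in verdicts.items():
        reputation[arbiter] = reputation.get(arbiter, 0) + (1 if verdict == accepted else -2)
    return accepted, arbiters


if __name__ == "__main__":
    rep = {}
    # A is interested in A's own hit points and tries to heal from 100 to 150.
    print(arbitrate("hp:A", 100, 150, ["A"], epoch=1, reputation=rep))      # (False, [...])
    # D hits A for 10; both are interested, so neither arbitrates.
    print(arbitrate("hp:A", 100, 90, ["A", "D"], epoch=2, reputation=rep))  # (True, [...])
```

Three arbiters make the majority vote decisive against a single vandal; with an even number, ties would need an explicit rule. The rotation only bites when there are more disinterested neighbors than arbiters needed, which is the situation to design the topology for; when there are too few, the example refuses to arbitrate rather than quietly falling back to an interested party.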

Recap

So what, apart from a load of waffle, have I achieved so far in terms of solving the security problem for massive multiplayer games?

Securing the game, the fun, and the player's interest
I've proposed that security is ultimately something that only the player is concerned about. The typical player doesn't care if the publisher makes any money, loses control over their property, or ends up in court, nor actually do they care about the developer or ISP in these respects. All they really care about is that they get to play a good game, and naturally they will pay for this, i.e. access to entertainment. It's up to the developer (and publisher, ISP, etc.) to figure out how to create something that players want to access, and to economically (profitably?) charge the player for access to it.

It's really only because most current business models rely on controlling access (shutting the stable door after the horse has bolted) that 'game security' has become such a headache. If it is possible to secure a game sufficiently to maintain its entertainment value, but not to sustain traditional business models, then patently this isn't a technology problem but a business model problem.

And so, I've ignored commercial wisdom. I don't think it's ever been useful for solving technical problems anyway. What happens is this: 1) technology gets developed, 2) games get made from the technology, 3) some clever, commercially minded person then has a brain wave and figures out how to make money from them. Do publishers really start the ball rolling themselves, saying "Ah hah! With this new business model we've just thought up, all we need is a new type of product (a game that we have no idea about) that would rely on a new technology (that we have no idea about)" ?

Of course, the typical way a businessman puts it is this: "Yeah, that's a great idea for a new technology, and a great idea for a new kind of game to exploit it, and I'm sure millions of people would love playing it, but unfortunately it isn't compatible with current business models so it'll never happen…"

So what's happening at the moment? Everyone and their dog is bashing their head against a wall trying to produce massive multiplayer technology that supports existing business models, i.e. technology that secures the long-term ability to control access to the game.
Don't do the businessmen's work for them, I say! Make life easy for yourself. Just solve the problem of making a fun massive multiplayer game that will stay fun. And, if it makes you feel better, you can always take solace in the maxim that whenever producers and eager consumers meet, money isn't usually far behind.

So, we can drive a coach and horses through the problem and throw out the need to control access. It makes our life easier, but unfortunately, becomes a commercially unviable proposition. And what in this world allows commercially unviable things to happen? Open Source does! Hurray!
(This is how a certain large software corporation let GNU/Linux come in below their radar, i.e. "Gentlemen, we can now rest easy, because it is no longer commercially viable for anyone to compete with us." Oops!)

Social Security
So, no access security. How on earth can a system survive? Well, I've looked to other systems with very little access control, such as human societies. Just as people are free to talk to each other, but trust tends to go hand in hand with reputation, so millions of computers can self-organize according to reputation. This needs nothing more than that the majority of computers are well behaved, both in how they identify themselves and in their consistent good behavior. That's all that people need, after all.

And for those of you wondering how we keep track of people in the system (just so you can prosecute the hackers): because we don't need to control access, the system does not need to identify the users (players). Of course the game will want to know about players, but the system only needs to uniquely identify computers. Furthermore, it doesn't need to authenticate the identified computers, only to be reasonably confident that each identity is unique, which by definition it should be (if it isn't, the identity becomes invalid). The corollary is that a fresh identity costs nothing to create, so it must start with no reputation and hence no responsibility; reputation has to be earned. Trust builds only out of the relationship between two nodes, i.e. their experience of each other. Basically, two strangers meet in a crowd, and if over time they find each other agreeable, and trust builds up through the continued reliable discharge of exchanged responsibilities, then that's all that's necessary. There's no need to prosecute if things go wrong; just forget and move on. This works in society too, overall, as long as the majority of humanity is basically 'good'. Of course, some unfortunate people will suffer at the hands of the few nasty characters, but the system as a whole remains viable (unless nasty characters manage to get into positions of overarching power before they do their dirty work, and even then it's unlikely to be too late for the majority to remedy things).
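The scheme in the paragraph above, as an added Python example by the editor (not the author's code): each computer mints its own 128-bit identifier, which nobody authenticates; a node invalidates an identity it sees arriving from two different endpoints, since it is then no longer unique; trust is built only from direct experience; and when a stranger turns up, the node confers with a few peers, weighting each peer's opinion by how much it trusts that peer, and grants responsibility according to the result. The thresholds, the smoothing, the endpoint-based uniqueness check and the scenario (alice, bob, carol, mallory, dave) are all assumptions constructed for the demonstration.

```python
import secrets

# A reputation score is a probability-like estimate of good behaviour; these
# thresholds are assumptions for the demonstration, not from the article.
ARBITER_THRESHOLD = 0.75
PARTICIPANT_THRESHOLD = 0.5


def new_identity():
    """Self-chosen 128-bit identifier. Nothing vouches for it; it only has to be unique."""
    return secrets.token_hex(16)


class Node:
    def __init__(self, name):
        self.name = name
        self.ident = new_identity()
        self.direct = {}      # ident -> (good, bad) outcomes from our own dealings
        self.seen_from = {}   # ident -> endpoint it was first seen from
        self.invalid = set()  # idents that turned out not to be unique

    def observe(self, ident, endpoint):
        """Uniqueness check (simplified): the same identity arriving from two
        different endpoints is no longer unique, so we stop trusting it. A real
        system would allow for reconnection before declaring a collision."""
        first = self.seen_from.setdefault(ident, endpoint)
        if first != endpoint:
            self.invalid.add(ident)
        return ident not in self.invalid

    def record(self, ident, good):
        g, b = self.direct.get(ident, (0, 0))
        self.direct[ident] = (g + int(good), b + int(not good))

    def own_opinion(self, ident):
        """Laplace-smoothed fraction of good outcomes, or None with no experience."""
        if ident not in self.direct:
            return None
        g, b = self.direct[ident]
        return (g + 1) / (g + b + 2)

    def trust_in(self, ident):
        """Weight a node's opinions carry with us: only nodes we rate better
        than a coin flip get any, scaled from 0 to 1."""
        opinion = self.own_opinion(ident)
        return 0.0 if opinion is None else max(0.0, 2 * opinion - 1)

    def confer(self, ident, peers):
        """Combine our own experience of `ident` with the opinions of peers we trust.

        Our own experience counts with full weight; each peer's opinion is weighted
        by our trust in that peer, so a peer we do not yet trust cannot inflate or
        sink anyone's standing with us. A total stranger, with nobody to vouch,
        sits at 0.5. A non-unique identity is worth nothing, whatever anyone says.
        """
        if ident in self.invalid:
            return 0.0
        total = weight = 0.0
        own = self.own_opinion(ident)
        if own is not None:
            total += own
            weight += 1.0
        for peer in peers:
            w = self.trust_in(peer.ident)
            opinion = peer.own_opinion(ident)
            if w > 0 and opinion is not None:
                total += w * opinion
                weight += w
        return 0.5 if weight == 0 else total / weight


def responsibility(score):
    """Map a conferred reputation to the responsibility we are willing to grant."""
    if score > ARBITER_THRESHOLD:
        return "arbiter"
    if score > PARTICIPANT_THRESHOLD:
        return "participant"
    return "observer"


def demo():
    """Constructed scenario: alice knows bob and carol well; both have been let
    down by mallory repeatedly; dave is a complete stranger to everyone."""
    alice, bob, carol, mallory, dave = (Node(n) for n in ("alice", "bob", "carol", "mallory", "dave"))
    for _ in range(8):
        alice.record(bob.ident, True)
        alice.record(carol.ident, True)
    for _ in range(6):
        bob.record(mallory.ident, False)
        carol.record(mallory.ident, False)
    carol.record(mallory.ident, True)
    return {
        "mallory": responsibility(alice.confer(mallory.ident, [bob, carol])),
        "dave": responsibility(alice.confer(dave.ident, [bob, carol])),
        "bob": responsibility(alice.confer(bob.ident, [carol])),
    }


if __name__ == "__main__":
    print(demo())  # {'mallory': 'observer', 'dave': 'observer', 'bob': 'arbiter'}
```

Because a fresh identity costs nothing to create, a stranger starts at 0.5 and is granted no responsibility until the node's own dealings, or a peer the node already trusts, can vouch for it. That is what stops the cheap-identity loophole from becoming a cheap-reputation loophole, and it is why the weighting by trust in the peer matters more than the number of peers consulted.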

Just like in the movie The Body Snatchers, even if a good guy is taken over in the middle of the night by an inferior impostor of unknown intentions, irregularities will reveal themselves. Of course, if they don't, then it doesn't matter: if your dad is replaced by a doppelganger and you still can't tell the difference, then it's still your dad. Hey, truth is stranger than fiction: each night asleep our brains rewire themselves, and each morning we're a slightly different person. But because we've been philosophically conditioned to believe the same 'I' wakes as went to sleep, we're quite happy to ignore the discontinuity. So really, anyone who says they're 'Fred Bloggs' and matches his profile might as well be believed unless there's significant evidence to the contrary, because you can't prove you're the same 'you', can you? This is why twins and clones are so often used to pull the rug from under an audience's expectations.

But, can it work?
I know it's not the best analogy, and I don't want to trivialize life by comparing it to a game, but a society of people and a society of computers share similar problems, and if people can rely on an imperfect solution, so can computers. To some extent we can almost consider computers as extensions of their human owners, so it's probably not surprising that computers can and should adopt similar strategies, and thus operate just as viably on a much larger scale.
Mankind has gone on for quite a long while without people needing public key cryptography to tell the difference between good guys and bad guys, or truth and lies (though it helps in warfare). Or rather, it doesn't really matter if we uncover corruption rather than prevent it - society does not collapse with a lie or a criminal. As long as truth and goodness are in the majority, the system works.

Summary

  • Don't attempt to control access to the system - we're securing fun, not revenue.
  • Provide no Achilles' heel - have no indispensable, central control.
  • Any egg can be a bad egg, even the erstwhile best egg, but the majority are good - bank on it!
  • Measure reputation and, having conferred with peers, grant responsibility accordingly.
  • The system favors content of interest - undesirable content will thus not last.
  • A minor expenditure of energy by the good majority easily outweighs the major expenditure of effort by the bad minority.

Conclusion

You know, I reckon the social approach can work. Moreover, I don't think we need computers to be as intelligent as humans in order to measure reputation. Using a system of heuristics such as I described in my previous article should be sufficient. Nor do we need to maintain some kind of perfect graph of reputation - just going by a quick confer with past and present peers should provide a wide enough sample of reputation measurements.

So don't be blinded by commercial realities. Let's solve the technical problems first, demonstrate a game second, and let the businessmen figure out how to make money out of the new entertainment phenomenon we'll have created. Remember, if the creation of the web had been left to businessmen, it would still remain a commercially unviable proposition, and we'd probably be left with an evolution of CompuServe's proprietary service. However, the web did get created, and plenty of money got thrown around in the dot com boom. History is destined to repeat itself. Let's make it happen. Let's allow millions of people to play in virtual worlds together. The Web is just… so limiting!

Further Reading

No matter how flaky you may find some of the ideas that I've described earlier, and no matter how difficult it has been for you to gauge my reputation, the web is always there to get a second opinion! Here are some second opinions, and naturally, I hope my selection isn't too biased.

Reputation Based Systems
OpenPrivacy: Reputation Capital and Exchange Mechanisms
Freehaven: Accountability Measures for Peer-to-Peer Systems
Advogato: Advogato's Trust Metric
Mojo Nation: Technology Overview
Real Communities: 12 Principles of Civilization (digest here)

Thermodynamic Perspective
"Enterprise Engineering for Concurrent Integrated Product Development and Support Environments" Len Bullard, GEAE, 1991 (CALS Conference '91) (Excerpt)

Sociological Implications
Crypto Anarchy and Virtual Communities
Timothy C. May

Pragmatic Issues
How to Hurt the Hackers: The Scoop on Internet Cheating and How You Can Combat It
By Matt Pritchard

Revenue Models In the Absence of Content Access Controls
The Digital Auction: Making Money When Information Wants to be Free
By Crosbie Fitch

Copyright © 2003 CMP Media LLC