Andrew Merenbach

Better living through InfoSec

Murder simulators


In this essay, I wanted to explore some information security concepts in a video game I just played. I don’t know if discussing entertainment infosec, if you want to call it that, will be a regular thing for me, or if this will be a one-off. The game is called Thimbleweed Park. It’s a modern point-and-click adventure game that feels as though it stepped right out of the late 1980s. References abound to adventure games, both point-and-click and text adventures. Fans of Twin Peaks will find some additional flavor waiting for them.

The point-and-click genre has experienced something of a revival thanks to the ubiquity of touchscreen devices, where for these games a tap can often be as good as a click. For those who have not played point-and-click adventures, the premise is fairly simple. Much as with text adventures and many RPGs, you have a goal—some sort of end-state objective—and a starting location. You have actions you can perform and an inventory you can use to collect items in-game. These objects might be books, keys, tools—just about anything to help the plot along. Sometimes you’ll need to combine inventory items to make a new item. Often there is a strong asynchronous puzzle element, with a need to return to previously-visited locations in-game.

A prominent element are gatekeepers, which often take the form of puzzles. The more immersive games, in my opinion, don’t cause these puzzles to resemble real-life toys or puzzles like jigsaw puzzles or sliding tiles or word searches. Instead you’ll often find social graces, societal expectations, or simply impassible objects combined into a larger quandary. For example, maybe you can’t walk through the doorway into the fancy back room of a restaurant until you’re wearing a tie. Of course in real life you could just walk back there, but if you try it in game, you may be ushered out by a maĆ®tre d’ or your character may simply say, “I can’t go back there without a tie!” Now you need to find a tie, but where? Maybe there’s one on a mannequin in a locked display case in the window of a shop belonging to an in-game friend of yours, but now you need the key. Can you convince your friend to give it to you? Sure, it was about time to change the mannequin anyway, but this year the ten-gallon hat is really in, so can you please find me one? I promise I’ll give you the key afterward.

Two of the things that really stand out to me about this genre, as well as text adventures, for that matter, are:

  1. While death and destruction are sometimes used as ways to solve puzzles, generally a peaceful, diplomatic, or stealthy solution is required. You seldom get to kill other characters or creatures, even those portrayed as evil, and while breaking down a door is possible in the real-world, you usually have to find a key or pick the lock. I think this particular element of game-design culture makes these games fantastic for requiring creative, critical, and conciliatory thinking. Thimbleweed Park calls out this particular irony with in-game characters referring to such games as “murder simulators.”
  2. Some of the more intricate games do not have a simple linear storyline, or even if they do, some of the puzzles have more than one way to solve them. If you’ve ever played the LucasArts classic Indiana Jones and the Fate of Atlantis, you may recall how partway through, you get a choice of three different paths through the game, some of which overlap in terms of locations, depending on your preferred playing style. Meanwhile, and this isn’t specifically a reference to the Indiana Jones games, sometimes you can unlock a lock with a key, pick it, or maybe even dissolve it with acid. Sometimes this is through mutually exclusionary puzzle solutions beforehand, and sometimes the game simply allows you to complete a task multiple ways.

Why am I talking about all this? Because I think it dovetails really well with information security. Let me count the ways…

  1. A career in information security will likely be more successful with soft skills.
  2. Many security risks can be migigated with a variety of controls.
  3. Many security controls possess multiple control risks, that is, they can be circumvented or can malfunction in a variety of ways.

Let’s address soft skills first. To draw another Twin Peaks analogy, solving puzzles destructively resembles a bit the direct, and at times shoot-from-the-hip, manner of Albert Rosenfield (played by the late Miguel Ferrer). An alternative is to operate slightly more slowly but peacefully like Dale Cooper (played by Kyle MacLachlan). (Side note: Fans of both Thimbleweed Park and Twin Peaks may notice a resemblance to the dialogue mannerisms of certain protagonists.) I argue that whether we’re tracking down a bug or trying to garner buy-in for a security policy, tactical skills alone may not be enough to solve the problem well, if at all.

Suppose I find a security bug in some code I’m looking at. A function is making certain assumptions about the parameters I’m supplying to it. I could probably fix it myself, maybe in five minutes. Albert Rosenfield might just go ahead and fix it, possibly being very truthful that whoever put this bug in there really needs to be careful about uninitialized variables. That’s certainly what I’m thinking in my head! Once I’m done, I move on, more cynical than ever about humanity, ready for the break/fix cycle to repeat.

How can we avoid this mentality? If I fix this myself, I’m not learning anything, whoever caused the bug isn’t learning anything, and frankly I’d rather spend my time on other things. What if someone was depending on this behavior and I end up causing another bug? Perhaps another path is in order.

If I were Dale Cooper, maybe I could influence the original developer to make the fix. Perhaps it’s a product belonging to their team. Maybe I can just flag the bug in their project tracker and mention what my idea for a fix might be, to get them started. Maybe there are opportunities for static and/or dynamic code analysis tools will help, or more unit testing, or developer training.

This gentler touch—bedside manner, if you will—has, I believe, significant potential to amplify one’s contributions to an organization. I really want to argue that this is most of the time, but this may depend on role and industry. I’m sure we can identify some times and a places to be a little more like Albert, perhaps when process or control failures have occurred, but in general being gentle with people’s egos and letting them save face is going to come across better. Not to mention that if the object of your ire is known for toxicity, being blunt with them could trigger an escalation. As they say, you catch more flies with honey than with vinegar… unless it’s Balsamic vinegar, which I think could be fantastic for trapping flies… hmm, going to have to think about this one.

Points two and three are closely related. When tasked with implementing detective controls, we can add cameras and alarm-triggering motion sensors to watch our physical space. We’ll add access logs and metric alarms to watch our servers. You can draw many examples of defense in depth here—access logs could be on the network perimeter level (say, in an IDS). They could be on the endpoint servers. Or both! We can have cameras pointing at the outside of your entrance, you can have them inside, you can put them only in important rooms.

Each control we add, meanwhile, is liable to have multiple weaknesses. A surveillance camera can be stolen; it can be blocked or turned the wrong way; and its footage can be deleted. Access logs can be modified; log systems can crash, resulting in dropped logs; and sometimes logs are on a “best-effort” basis and do not contain absolutely everything that has transpired.

Putting together a solution for a real-life workplace or residence can be just like solving one of these puzzles, with multiple paths all interlinked. We may need to cut through bureaucracy or take the needs of other stakeholders into account. We can’t always use the blunt solution, and when it’s appropriate we’ll probably know. Maybe we can even say these games are an idealized microcosmic representation of the world itself, but I’m not here to discuss the world itself today.