LAS VEGAS -- There's much more to hacking than just the Hollywood portrayal of a speed typing contest, say the computer security professionals who've developed a new hacking-themed card game called Control-Alt-Hack.
Control-Alt-Hack is based on Steve Jackson Games' Ninja Burger, but from the characters to the mission cards to the entropy cards, the demystification of white hat computer security is the name of this game. Game co-designer, security researcher, and University of Washington Computer Security and Privacy Research Lab honorary member Adam Shostack said at the Black Hat 2012 confab here that when it comes to teaching ethical hacking, also known as white hat hacking, not enough educators "use carrots, not sticks."
"Humor creates an open atmosphere," that helps break down the shyness of learning, he said during the conference session about the game. He explained that people are more likely to ask questions about things that they think they should've already learned if it's part of a game.
Games, he noted, have a spectrum from being as easy to learn as Go or dice games, all the way through Dungeons and Dragons or Settlers of Catan. Choosing a game to base Control-Alt-Hack on that involved humor and a bit of complexity would help keep the subject matter interesting for the target audience of teens and young adults.
In Control-Alt-Hack, you work as a researcher for a computer security company that gets hired to stress-test other companies. The deck of 156 cards includes 16 "person" cards to give you an identity during the game. The characters were given realistic traits, so there are no stereotypes of the obese, unkempt researcher covered in potato chip debris and pizza grease. Instead, you can play as one of eight men or eight women who have interests as varied as martial arts or rock climbing, and all are snazzily dressed in their artwork.
Getting Steve Jackson Games to agree to license Ninja Burger to them was a strategic move, explained Tammy Denning, who co-designed the game with her fellow University of Washington researcher Yoshi Kohno. "We didn't have to play-test the game mechanics, since we mapped the Ninja Burger content to Control-Alt-Hack," Denning said.
The game is currently in production and not expected to reach store shelves until the fall. That didn't stop Denning, Kohno, and Shostack from simulating the game as they explained how it worked. Each time they reached a point where they had to roll the dice, they would throw blue fuzzy dice out into the audience. Those lucky enough to catch one will get the game for free when it's ready for distribution.
Another factor of being based on Ninja Burger's gameplay is that the game is about having fun. "It's a fun game with educational content," explained Kohno. "It's not for teaching fractions."
Despite the emphasis on fun, the game goes to great lengths to be accurate. The learning objectives, obfuscated behind cute pop culture references like, "I find your lack of encryption disturbing," include promoting the accessibility of computer science and computer security; teaching that there's more to computer security than antivirus and the Web; and accurately depicting a diverse range of attack techniques and attacker goals.
SCADA and medical device hacking are more likely to show up than ransomware, and the techniques you can use include disinformation; exploiting weak passwords and unpatched software; and cross-correlating data sources, all in the name of the good guys.
Control-Alt-Hack isn't easy to hack, as it appears there's no "blank" card to draft your own mission on to. However, it does contain a nod to the cryptography-minded: one card is written entirely in code.