Thinking Strategically: Security Mindset

More than those fucking elves, magic, or pretty computer graphics, Shadowrun is a game about exploiting circumstances.

Recognizing, engineering, and closing such opportunities is a valuable real life skill.

Bruce Schneier, who may have coined the term, contrasted a security mindset with an engineering mindset.

When you act with the engineering mindset, you break an end goal into manageable, concrete parts to refine. Then you make them work together to perform to whatever standards you’ve established.

Security mindset is both like this and the opposite of it. Engineering is about making things which do what they’re supposed to. Security is about recognizing you can use mechanisms for unintended purposes.

An early affinity for security mindset once almost got me kicked off a plane when returning from England in the summer of 2002. Apparently, it’s not polite to inform someone Security Theater is useless during a performance.

One of my “favorite” security flaws today is uneven security authentication between websites. Things like one website using the same information another website just gives away. The more accounts you have, the more likely you are to run into this. Amazon and Apple are two big culprits here.

Hackers can and do take advantage of these uneven overlaps in security to compromise accounts. Nasty stuff when combined with data mining.

What does this have to do with Shadowrun? Pretty much everything. Shadowrun is usually about committing crimes without getting caught. If things, lol, go according to plan.

Devising a plan means watching a system and pushing it against itself. You ask, “What are they doing to stop people like me?” and “Where are they skimping?”

Note how I don’t say anything about a place being secure. In both Shadowrun and the real world there is a fundamental lack of security. Cost and priorities limit what you can do.

The best you can manage is making it too inconvenient for would-be criminals. Make the risk bigger than the potential reward and you’ll save yourself trouble.

As an example, the White House’s security plans assume it will take 10 minutes for someone to break the locks on secure rooms.

A few years back, some researchers figured out how to crack the locks the White House was using in around 30 seconds instead of ten minutes.

Ooops. And that’s the locks on one of the most visible secured buildings on the planet.

This illustrates how even well-designed security can contain hidden flaws. I hope they fixed it.

With careful observation and testing, finding such breakdowns becomes more likely.

There are two reasons to develop a security mindset: to defend yourself and your interests, and to commit attacks. I don’t suggest the latter in the real world, which is why I play games like Shadowrun.

Developing Security Mindset.

Martial arts give a compelling reason to spend time practicing and developing skills. If you wait till you’re attacked to think about how to react to it, it’s too late.

This also applies to learning how to think like a subversive attacker.

So, where can you go to learn more? Well, playing a game like Shadowrun will help to a point.

If you’re looking for inspiration, there is no shortage of well-made fiction: TV such as Burn Notice or Leverage, or the movie Catch Me If You Can. Or any good heist flick. On the note of Catch Me If You Can, the story’s protagonist is a real guy who has since become a security consultant. Frank Abagnale is pretty awesome at what he does.

Studying hacking tricks and security techniques is another good source.

Ultimately, the best way to develop it is to just be curious about how the world you see around you works and where the limits are.

A real life example: I once asked a hotel if I could borrow a cell phone charger someone had left behind from the lost and found. Because this was a work trip and my boss handled the paperwork next morning, I didn’t return it. Should I assume I could walk into any hotel and expect to be able to get another?

No. For starters, the helpfulness of most people varies with their mood, stress levels, and whether they think you’re trying to take advantage of them. My intention to return the charger and my need for one were both honest at the time. Am I a good enough liar to avoid making someone suspicious? Have other people tried this as a scam before? Lots of variables to work around even if each is small on its own.

Ultimately, Security Mindset is about fleshing out the phrase, “The Devil is in the details.” People tend to build systems to handle the most common circumstances. There are always weird exceptions which make it harder to work around. And it will always be possible to create them.

Next week we’ll discuss applying this to Shadowrun.