unforum

[MageSteff]

Brute Force and Hacking

[Dionysus]

Thats an intereestign question. One that I ran into during Orbital Colony. At one point a player (names escape me) solved a puzzle by using a Substitution Cracker program that basically tries all possibel combinations until it identifies words.. thus giving cleartext.

I called 'foul' on this player, beleiving that to be Brute Force but was informed by my fellow players that it wasn't. They told me that Brute Force would be like.. assualtign a password box, trying every possible password combination until you got in. Apparently, that was a no-no because it put undue stress on the PM's server.

I'm not sure I buy that. Using the SubCracker and Forcing a password box seem pretty similar to me. However, I can understand the defense of the SubCracker in that a truely random substitution could take forever to solve even with the help of Frequency Analysis.

Honestly? I don't know. I've been given way too much contrary explanatiosn to know how to define Brute Force for ARGing

[Ethernull]

My opinions:

Brute Force is a method of Hacking, but not all hacking is Brute Force. Brute Force is generally considered in security circles to be repeated attempts at entry to a protected area or document by trying every possible combination until success is found. THis could be with a dictionary list or with raw cyclic iteration - aaa, aab, aac...zzx, zzy, zzz.

To me, the term seems to be used in an ARG to mean attempting a solve that is not based on clues, deduction or speculation, aside from a single lucky guess.

So if I had no idea how we were supposed to solve a particular code, and just started trying everything that could possibly be input, I would be accused of Brute Forcing (and rightly so, in my opinion.)

Now if I had an idea based on evidence or speculation that I based my attempts on, it probably wouldn't get criticized. For example, if we needed to access a passworded website and I speculated that the password was one of the characters names, then tried all 20 names until I found the right one, I probably wouldn't be accused of Brute Forcing in an ARG.

It seems to me that most people are fine with a "Lucky Guess" based on speculation. The problem seems to stem from having no idea how a particular solve should be attempted and then just trying every possible combination without any understanding of why it would work.

I don't consider the method being used on Studio Cyphers at the moment to be brute forcing, I consider it "Probing." People are systematically trying every combination for Poison & Parasites, but they are recording and categorizing the results in an attempt to understand the method behind the puzzle.

Trying a few different solves, purposefully different and systematic, in an attempt to reverse engineer a puzzle by understanding how it works is not something I consider Brute Forcing. There is a specific, purposeful and methodical process being used that still needs to be interpreted and understood. You still need to use your intelligence, speculate, theorize, test and deduce in order to get a solve this way. Brute Forcing is a blind Ogre with a club smashing in a door. The other example is picking the lock.

[Rogi Ocnorb]

Magesteff's right with "I'll know it when I see it."
Within the expected behavior of whatever game/puzzle is being assaulted, most folks know when they're engaging in cheatery.
Assault on 13th Labour is an example where, it appears, the puzzle designer more or less expects a brute force solve to be needed.
And everybody's fine with that, cause participation is strictly voluntary and the computer processing cycles used are your own to do with as you please. What if a player who can't play chess to save their soul but can program something to try all attempts, does so because that's the only way they can proceed, why shouldn't they? It's up to the puzzle designer to consider that this may be a possible scenario. I did a puzzle in a trail I thought would require a certain level of "brute forcing" and ultimately, the person who got it did so using Excel and looking for patterns. They got it in mere hours instead of the weeks I was expecting.
So, it goes both ways.

[Ciaran_H]

[aliendial]

To be frank, we are discussing one of those "rules" that is really up to the PMs. The original rule came about because a brute force attack on one password box during the Beast became such a huge resource drain that it shut things down and became very expensive. From that evolved in-game ways to suggest a new approach be attempted - like having in-game characters take down the site for "maintenance" and the like. Players learned to take a hint. Didn't that happen during Lockjaw?

A secondary justification of course was one of fair play - moving a game ahead through in-game developments and proper solves rather than "hacking" around the outside. But that's rationalization, I think, and not a rule. This is more subject to the "you put out the puzzle, you may have to accept I found an unexpected way to solve it" lesson learned by many PMs. Were I a PM I would never assume there's an enforceable rule here I can design against.

There was always a tension because these games attract people of diverse skills and clever solves can come from anywhere including outside the sphere the PMs may have tried to establish. And that's part of the fun for players and challenge for PMs.

I have therefore not assumed that "no-brute-forcing" was a "rule" but rather a suggestion/advice that resource-sucking attacks are probably not going to be allowed, especially in private games. But be prepared for someone to try it and then you'll find out whether the PMs are prepared to let you do it. Anything else is probably fair game.

[rowan]

[Rolerbe]

Brute Force is using your contacts at the FBI to force the web host to disclose IP packet traces.

Having a site go down because of the 'ping storm' from an automated password attack is the natural consequence of such an attack. And, as such, something the PM's should protect against up front (I can think of several game-friendly ways...).

I consider this type of problem solving approach not breaking a commandment, but rather poor form from players in that its no fun for anyone. So, it should be the course of last resort, agreed to through much discussion, if the team is truly stumped, and no additional hints (from the attentive PM's) are forthcoming.

A common 'problem' is for players to get an inside password. So, its a natural spot for a puzzle. But Rowan has a point for PM's to ponder: how to keep this realistic -- i.e. in proper context in the game -- yet make this more than just an unlikely guessing game -- i.e. 'fun'.

[imbri]

I'd agree with the "I'll know it when I see it" camp. Though, I must say, that my definition is fairly liberal and, pretty much, confined to things that are illegal or bordering on destroying the game.

As a PM, I have no problem with the players using whatever tools they have at their disposal to solve a puzzle and/or advance the story - especially if that means that they're interacting with the story world and not with me. If I design a puzzle, I've probably considered several ways that it can be solved and missed several dozen other ways. It's kinda exciting, for me, to see if players go at it the way I assume they will or if they'll do something that never would have crossed my mind. If people want to use computer tools to help them, more power to em. I, frankly, see no difference in using photoshop to play with an image to reveal a secret message and using some little computer script to decode a a cipher of some sort. The puzzle should not be "how does the PM want me to solve this." If it it, you are taking yourself out of the game and looking at it from a distinctly meta perspective. Instead of interacting with the characters and the game, you are now interacting with the PMs.

Now, if this takes you into illegal territory (breaking into some server without rather direct advice from the characters to do so, for example) or puts so much strain on the game that it will take the game down (the dictionary scripts in Lockjaw that was killing our bandwidth, for example), then it's a problem. And, aside from being a problem, it's just rude and completely unnecessary.

[krystyn]

FWIW, the PMs of the Beast did not actually discourage the brute forcing of the RUR14 puzzle.

[vpisteve]

/me looks in the ARG rulebook.

Oh wait, that's right, there isn't one.

The PMs form whatever boundaries they see fit:
The Beast guys didn't do anything to stop bruteforcing.
Lockjaw let players know in an ingame way that it was offlimits (This was back in the golden days when webhosting and bandwidth weren't nearly as cheap and fat as today).

etc.

Cause, meet effect. If players ever stray outside some line, the PMs will (should) take care of it themselves. And yes, sometimes part of the fun is finding where those lines lie.

It's all fair game, imo. Puzzles are meant to be solved after all, right? Just because they weren't solved the "right" way doesn't mean they weren't solved.

(Generally speaking, of course).

EDIT: I dunno why I can't resist throwing my two-cents in whenver Imbri and Krystyn post in a row.

Oh, and yes. Don't break the law.

[krystyn]

... unless Lucky would like to see you in a graveyard after the sun sets.

And Lucky's really hard to resist, I've heard.

[MageSteff]

OK so it seems we have two different "definitions" of Brute Force developing:

1. Technical: Any malicious attempt against the game technology (i.e. web sites, servers, phones, e-mail, etc.) that causes the game sites to go down or become unusable in an unscheduled (by the PMs) manner. May include activities that may be considered illegal by law enforcement agencies.

2. Personal: Use of technology that a player may have access to that does not cause disruption of play for the Puppet Masters/other players. This may involve but is not limited to; decompiling flash presentations; running information through a decoder (for example a ROT or binary translator), using programs or scripts that use only player resources to solve challenges posed by the PMs.


Furthermore: Technical Brute force is considered "bad manners" by a majority of the community, while Personal use of Brute Force is more of a gray scale that varies from person to person.

*Bad Manners means such behavior will earn the wrath of the vulva puppet!

[Rolerbe]

Good summary. But I say #2 is not brute force, just additional evidence of the remarkable tool using hairless ape.

PM's should build their puzzles assuming use of these kinds of tools. Or blaze new puzzle paths where there are no tools.

PM's should be able to depend on reasonable restraint from the players on #1.

[krystyn]

I think that the players just need to beware their own cleverness, is all.

I remember during the Beast there was that really purty flash puzzle at the dream clinic site, and someone decompiled it lickity split to get the number combos and whatnot to unlock the next bit, simply by looking at the code underneath ... and I always regretted that there was never a pure attempt to solve the puzzle the 'correct' way. There were many posts to the Cloudmakers list using deductive reasoning to justify the answers found in the decompile, but the purity of the inductive was lost to the group forever.

Know what I mean? It's less of a rule, and more of a, "Rats! We just shot ourselves in the foot, as a collective!"

I always wondered what sorts of flights of fancy our imaginations could've dreamed up, had decompiling never entered into that puzzle's solution. We still had some interesting thoughts, but the intensely heavy character study was a lot less urgent, after.

Not all puzzles that could involve brute solving have that level of character development, though, so don't take this anecdote as endorsement of one 'view' over another.