Return to Unfiction unforum
 a.r.g.b.b 
FAQ FAQ   Search Search 
 
Welcome!
New users, PLEASE read these forum guidelines. New posters, SEARCH before posting and read these rules before posting your killer new campaign. New players may also wish to peruse the ARG Player Tutorial.

All users must abide by the Terms of Service.
Website Restoration Project
This archiving project is a collaboration between Unfiction and Sean Stacey (SpaceBass), Brian Enigma (BrianEnigma), and Laura E. Hall (lehall) with
the Center for Immersive Arts.
Announcements
This is a static snapshot of the
Unfiction forums, as of
July 23, 2017.
This site is intended as an archive to chronicle the history of Alternate Reality Games.
  

The time now is Wed Nov 13, 2024 1:44 am
All times are UTC - 4 (DST in action)		 View posts in this forum since last visit
View unanswered posts in this forum
Calendar
 Forum index » Meta » Puppetmaster Help
Use of "hacking" within a ARG
Moderators: imbri
View previous topicView next topic
Page 1 of 2 [19 Posts]   Goto page: 1, 2 Next
Author Message
Nik_Doof
Unfettered


Joined: 09 Oct 2004
Posts: 494
Location: Liverpool, UK

 		Use of "hacking" within a ARG
I've come across an interesting idea...

I was sat trying to devise better ways of interaction, more things players can do than the normal search a site for URLs, checking emails, IMs etc... and i thought: wouldnt it be good for players to actually "hack" a server. Obviously it wouldnt be securied up to the teeth, and possibly a handy hint would point them to where they have to go.

I know already we've got alot of eager beavers who telnet and ftp to every site in-game in the chance its actually in-game....so would you think this concept would drop quite easily into existing gameplay or would you have to point it out in broad daylight.
_________________
Nik_Doof
No you cant have my 333 Letimark Very Happy

PostPosted: Wed Sep 28, 2005 2:18 pm
 View user's profile Visit poster's website AIM Address Yahoo Messenger MSN Messenger
 ICQ Number 
 Back to top 
imbriModerator
Entrenched


Joined: 21 Sep 2002
Posts: 1182
Location: wonderland

 		It's an interesting concept and could probably be used well in the right game. We did something similar in Metacortechs, however after someone gained access to the server, we changed the way it was set up in order to increase our own security. It made sense with the hacking themes found in the Matrix and a number of the players were looking for something such as that. Though, honestly, I don't think that the game lost anything when we changed the format for those puzzles as more people were ultimately able to participate in those puzzle finds.

Bottom line for me, I wouldn't require such activity unless it really fits with the audience and also enhances the story and plot. I think it could be a mistake to do it just for a game device.

-b

PostPosted: Sat Oct 01, 2005 10:35 am
 View user's profile Visit poster's website AIM Address
 Back to top 
bill
Unfettered


Joined: 25 Sep 2002
Posts: 614
Location: Tampa

 		My issue with using hacking in a game is establishing clear boundaries. It's one thing to purposefully leave an ftp port open, it's quite another to expect players to continually port scan your server and pound it with scripted exploits because you hinted they need to break in.

Once you give them permission to try things, some will inevitably go for broke.

I'm not saying to completely avoid this, but make it clear in-game where the boundaries are. If you want them to find an ftp server, don't tell them to port scan, get them to look specifically for an ftp server.

Even if you think you're running a tight ship, I promise that even a moderately successful game will have players that know far more than you on how to secure a server and how to circumvent your security.
_________________
Bill
http://deaddrop.us/
Dedicated to Alternate Reality Gaming

PostPosted: Sat Oct 01, 2005 11:15 am
 View user's profile Visit poster's website Yahoo Messenger
 Back to top 
GuyP
Unfettered


Joined: 15 Sep 2004
Posts: 584
Location: London, UK

 		Also, it might create the impression that hacking is an acceptable ARG tactic, something which might have a fairly dire impact on other games.

PostPosted: Wed Oct 05, 2005 2:40 am
 View user's profile Visit poster's website AIM Address MSN Messenger
 Back to top 
jefftheworld
Boot


Joined: 16 Apr 2005
Posts: 65

 		The problem is people will start using that to solve everything...you would have to use multiple sites/servers so that they wouldn't get everything at once.
_________________
Gamer Army - Official Recruiting Officer

Join Gamer Army today!

PostPosted: Wed Oct 05, 2005 11:15 pm
 View user's profile
 Back to top 
Nik_Doof
Unfettered


Joined: 09 Oct 2004
Posts: 494
Location: Liverpool, UK

 		Now that is what i suspected....

I dont like the idea that players will adopt the "hack" angle against other ARGs, i'd be responsible for making brute-forcing the server acceptable Embarassed

As for the port scanning, i guess boundries will be enforced in that, maybe a little script that gives the play a slap in the term of a firewall rule to drop traffic from there ip if they step out of line Smile (of course mapped into the plot)

Also with regards of security, it would of been setup more as a server just for the purpose of that. Having a hacking angle and having your websites hosted on the same box would be silly, unless you want them to find and enable the website Smile

I'm going to be playing more with this idea, as it might be a nice little nugget of gameplay to throw into the mix.

Thanks for the input guys!
_________________
Nik_Doof
No you cant have my 333 Letimark Very Happy

PostPosted: Thu Oct 06, 2005 5:43 am
 View user's profile Visit poster's website AIM Address Yahoo Messenger MSN Messenger
 ICQ Number 
 Back to top 
GuyP
Unfettered


Joined: 15 Sep 2004
Posts: 584
Location: London, UK

 		A site that might interest you is: http://try2hack.nl/ Smile [/url]

PostPosted: Fri Oct 07, 2005 1:16 am
 View user's profile Visit poster's website AIM Address MSN Messenger
 Back to top 
Alex Smith
Decorated


Joined: 30 Jul 2004
Posts: 162

 		Re: Use of "hacking" within a ARG
Nik_Doof wrote:
I've come across an interesting idea...

I was sat trying to devise better ways of interaction, more things players can do than the normal search a site for URLs, checking emails, IMs etc... and i thought: wouldnt it be good for players to actually "hack" a server. Obviously it wouldnt be securied up to the teeth, and possibly a handy hint would point them to where they have to go.

I know already we've got alot of eager beavers who telnet and ftp to every site in-game in the chance its actually in-game....so would you think this concept would drop quite easily into existing gameplay or would you have to point it out in broad daylight.


It'd work extremely well, if it was mocked up accurately, and could be executed effectively. Unfortunately, it's another one of those brilliant ideas that is nigh-on impossible.
_________________
Alex³ / Proffessor of Syzygystology / Snopple

PostPosted: Mon Apr 10, 2006 8:14 pm
 View user's profile MSN Messenger
 Back to top 
Nova Loop
Veteran


Joined: 06 Apr 2006
Posts: 132
Location: wherever i go

 		I am just starting to think about becoming a PM and I have thought about this too.
If a hacking angle were introduced into a game, would it be too "cheesy" to provide (via hints) access to a hacking "tool" (i.e.:.exe file, Flash, or ActiveX, local security aside) that I developed for the game? The "tool" could give the illusion of hacking without actually having the player perform any real hacking. It could be created in such a way that less techno-saavy people could perform the "hack" and participate in the game as well.
Just chewing on ideas and looking for feedback.
Thanks
-TJ
_________________
064071062060067067066071067063066070062060064071062060066070066061066064062060
067064066071066104066065062060067064066106062060064061065062064067062105060060

PostPosted: Tue Apr 11, 2006 11:51 am
Last edited by Nova Loop on Mon Apr 24, 2006 3:35 pm; edited 1 time in total
 View user's profile AIM Address Yahoo Messenger
 Back to top 
MageSteff
Pretty talky there aintcha, Talky?


Joined: 06 Jun 2003
Posts: 2716
Location: State of Denial
tjray wrote:
I am just starting to think about becoming a PM and I have thought about this too.
If a hacking angle were introduced into a game, would it be too "cheesy" to provide (via hints) access to a hacking "tool" (i.e.:.exe file, Flash, or ActiveX, local security aside) that I developed for the game? The "tool" could give the illusion of hacking without actually having the player perform any real hacking. It could be created in such a way that less techno-saavy people could perform the "hack" and participate in the game as well.
Just chewing on ideas and looking for feedback.
Thanks
-TJ


It's a question of feel and realism. For the tech savvy, it wouldn't be real, which they would tell other players. It would be a nice visual, but would it break the suspension of disbelief in the "realism" of your game? And is that something you are willing to sacrifice?

Call me gun-shy, but I would hate to encourage players of any game to basically use brute force as a storytelling tool. You can never be sure which ones are the new players who don't understand the "usual" conventions about not using brute force (port scans, dictionary attacts) - they might take them to the next game without checking that it is part of that games play style.

Re: Nik_Doof's original question:
My personal opinion (worth whatever you are willing to donate for it) the community in general has been about finding ways other than "brute force" to solve a problem. That resorting to Brute Force is a "coward's way" to get a solution.

Now if you were putting in play information that tells the players that there is an open port - that they should be LOOKING for an open port in a specific place - that isn't really brutung, that is players making use of in game information. The difference being - the players now have a reason to be looking there and not just randomly attacking your servers. I think the community will make sure that in those situations the newer players know that they can only ping that port because the Characters said it would be open and not because they can just go hit a server because they feel like it. If you decide to have an open port... I sure hope you make the players bend over backwards first to get that info...

Now if you go and tell them they will need to launch a dictionary attact against you... I'll give you a wet noodle for stupid PM tricks and have your photo plastered over the beer bottles at the Chat room bar as an example of what not to do.... Wink Laughing
_________________
Magesteff
A small group of thoughtful people could change the world. Indeed, it's the only thing that ever has. - Margaret Mead


PostPosted: Tue Apr 11, 2006 2:09 pm
 View user's profile Visit poster's website AIM Address Yahoo Messenger MSN Messenger
 Back to top 
EmmanuelGoldstein
Decorated


Joined: 20 Oct 2004
Posts: 281

 		It's entirely possible, given enough time, it would be trivially easy to write a program that sits on some port that emulates any kind of service you want, you could make it as real as you wanted, or as fake as you wanted.

PostPosted: Thu Apr 13, 2006 12:05 pm
 View user's profile
 Back to top 
Wandering Scribble
Boot

Joined: 04 May 2006
Posts: 15
EmmanuelGoldstein wrote:
It's entirely possible, given enough time, it would be trivially easy to write a program that sits on some port that emulates any kind of service you want, you could make it as real as you wanted, or as fake as you wanted.


Very true. One site of note is http://www.hackthissite.org/. This is a site designed to assist developing white-hat hackers' knowledge bases, skills, and moral standards. Every challenge presented on the site is basically an emulation of a real site. Using real attempts to hack the sites will yield the same kind of results that one would normally expect from a real, unprotected site, except that in this case, the results are spit back by scripts that give the responses based on the exact input the hacker gave while attempting a hack.

I notice that as soon as the topic moves to hacking, people start grumbling about dictionary attacks and brute force. Hacking != brute forcing, folks! In fact, one of the no-nos in higher-level hacking is attempting a brute force of a site, because it will give away the hacking attempt and most likely the hacker too. From a practical point of view, most knowledgeable sysadmins will notice a huge deluge of queries or connections to a server and realize that it is an attack on the system. They will then call the authorities and/or track the hacker down on their own. So in the interest of immersive reality, one could say that brute forcing is out of the question simply because it would alert the bad guys to the fact that you are, in fact, trying to hack their site and take whatever action they feel is necessary.

Here's an idea: create a site with a customized PHP login script. Allow attempts to perform sql injections, but code in specific responses to a certain injection type to spit out a mirror of the output one would expect from the attack on a real site. It's simple, it's secure, and it's a neat way of expanding immersiveness.

On a side note, one should be aware of the fact that hacking, like everything else in an ARG, should make sense given the situation. A very basic security mistake, like storing a password in a plaintext file out in the open, would only be made by an amateur coder and not by all-knowing artificial entities or large corporations.

PostPosted: Sun May 07, 2006 1:03 pm
 View user's profile AIM Address
 Back to top 
Ciaran_H
Veteran

Joined: 11 Nov 2004
Posts: 123
Location: England, UK
Wandering Scribble wrote:
A very basic security mistake, like storing a password in a plaintext file out in the open, would only be made by an amateur coder and not by all-knowing artificial entities or large corporations.


I wouldn't be too sure about that. That's what *should* be the case, but it sometimes isn't.

PostPosted: Sun May 07, 2006 1:48 pm
 View user's profile Visit poster's website AIM Address
 Back to top 
Wandering Scribble
Boot

Joined: 04 May 2006
Posts: 15
Ciaran_H wrote:
That's what *should* be the case, but it sometimes isn't.


Ok, I wasn't going to mention that, but yes, you're right, it's not always the case. In fact, I could mention some pretty ugly examples of big-time corporations or even government agencies not securing their own websites and/or servers. I suppose what I meant was that generally, one should consider what types of hacking should be allowed and what shouldn't in order to not break suspension of disbelief. I mean, wouldn't people think it's pretty unbelievable that some high-tech, conspiracy-perpetuating, super-secret society would not even take a few basic precautions to ensure their websites and/or servers remain secure? It could happen, I suppose.

I merely wanted to stress that the hacking would be just one more challenge to the players, while the immersion that came as a result would be more important. Whatever the players are willing to accept, that's good enough for me.

PostPosted: Sun May 07, 2006 2:11 pm
 View user's profile AIM Address
 Back to top 
MageSteff
Pretty talky there aintcha, Talky?


Joined: 06 Jun 2003
Posts: 2716
Location: State of Denial
Wandering Scribble wrote:

Very true. One site of note is http://www.hackthissite.org/. This is a site designed to assist developing white-hat hackers' knowledge bases, skills, and moral standards.
....

I notice that as soon as the topic moves to hacking, people start grumbling about dictionary attacks and brute force. Hacking != brute forcing, folks! In fact, one of the no-nos in higher-level hacking is attempting a brute force of a site, because it will give away the hacking attempt and most likely the hacker too.


Since we don't want to encourage the appearance of illegal activity i.e. black hats the questions become:

1. How to place the players in the "white hat" group? Do we have a character "hire" them as security experts to test a site?

2. I think we need a definition for Brute force. To me it has meant "not solving the puzzle in the manner intended" running dictionary scripts and not doing the work directly. Time to start a discussion over in the meta section I guess.

We still come back to the fact of teaching the players it is OK to attack a server. Players who have been in the community for a while would know the difference, but I am still afraid of teaching newer players that hacking is an acceptible way to solve puzzles when it isn't.
_________________
Magesteff
A small group of thoughtful people could change the world. Indeed, it's the only thing that ever has. - Margaret Mead


PostPosted: Sun May 07, 2006 4:03 pm
 View user's profile Visit poster's website AIM Address Yahoo Messenger MSN Messenger
 Back to top 
Display posts from previous:   Sort by:   
Page 1 of 2 [19 Posts]   Goto page: 1, 2 Next
View previous topicView next topic
 Forum index » Meta » Puppetmaster Help
Jump to:  


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
You cannot post calendar events in this forum



Powered by phpBB © 2001, 2005 phpBB Group