Over the years, a number of people set up Feedburner accounts to proxy RSS from our blogs into their system. I generally support the emergence of such chaos, but I cannot provide support or management. Google is end of lifing the old Feedburner, and for those of you reading via Feedburner RSS, I humbly ask that you update to https://adam.shostack.org/blog/feed/ or https://adam.shostack.org/blog/comments/feed/ (with comments).
Heriot-Watt University in Scotland is hosting a “Workshop on Serious Games for Cyber Security,” May 21-22.
The White Box, and its accompanying book, “The White Box Essays” are a FANTASTIC resource, and I wish I’d had them available to me as I designed Elevation of Privilege and helped with Control-Alt-Hack.
The book is for people who want to make games, and it does a lovely job of teaching you how, including things like the relationship between story and mechanics, the role of luck, how the physical elements teach the players, and the tradeoffs that you as a designer make as you design, prototype, test, refine and then get your game to market. In the go-to-market side, there are chapters on self-publishing, crowdfunding, what needs to be on a box.
The Essays don’t tell you how to create a specific game, they show you how to think about the choices you can make, and their impact on the game. For example:
Consider these three examples of ways randomness might be used (or not) in a design:
- Skill without randomness (e.g., chess). With no random elements, skill is critical. The more skilled a player is, the greater their odds to win. The most skilled player will beat a new player close to 100% of the time.
- Both skill and randomness (e.g., poker). Poker has many random elements, but a skilled player is better at choosing how to deal with those random elements than an unskilled one. The best poker player can play with new players and win most of the time, but the new players are almost certain to win a few big hands. (This is why there is a larger World Series of Poker than World Chess Championship — new players feel like they have a chance against the pros at poker. Since more players feel they have a shot at winning, more of them play, and the game is more popular.)
- Randomness without skill (e.g., coin-flipping). There is no way to apply skill to coin-flipping and even the “best” coin flipper in the world can’t do better than 50/50, even against a new player.
The chapter goes on to talk about how randomness allows players to claim both credit and avoid blame, when players make choices about die rolls and the impact on gameplay, and a host of other tradeoffs.
The writing is solid: it’s as long as it needs to be, and then moves along (like a good game). What do you need to do, and why? How do you structure your work? If you’ve ever thought about designing a game, you should buy this book. But more than the book, there’s a boxed set, with meeples, tokens, cubes, and disks for you to use as you prototype. (And in the book is a discussion of how to use them, and the impact of your choices on production costs.)
I cannot say enough good things about this. After I did my first game design work, I went and looked for a collection of knowledge like this, and it didn’t exist. I’m glad it now does.
Image from Atlas Games.
I’m getting ready for the 5-year anniversary of my book, “Threat Modeling: Designing for Security.”
As part of that, I would love to see the book have more than 55 5 ⭐ reviews on Amazon. If you found the book valuable, I would appreciate it if you could take a few minutes to write a review.
My Linkedin Learning course is getting really strong positive feedback. Today, I want to peel back the cover a bit, and talk about how chaotically it came to be.
Before I struck a deal with Linkedin, I talked to some of the other popular training sites. Many of them will buy you a microphone and some screen recording software, and you go to town! They even “let” you edit your own videos. Those aren’t my skillsets, and I think the quality often shines through. Just not in a good way.
I had a great team at Linkedin. From conceptualizing the course and the audience, through final production, it’s been a blast. Decisions that were made were made because of what’s best for the student. Like doing a video course so we could show me drawing on a whiteboard, rather than showing fancy pictures and implying that that’s what you need to create to threat model like the instructor.
My producer Rae worked with me, and taught me how to write for video. It’s a very different form than books or blogs, and to be frank, it took effort to get me there. It took more effort to get me to warm up on camera and make good use of the teleprompter(!), and that’s an ongoing learning process for me. The team I work with there manages to be supportive, directive and push without pushing too hard. They should do a masterclass in coaching and feedback.
But the results are, I think, fantastic. The version of me that’s recorded is, in a very real way, better than I ever am. It’s the magic of
Holywood 7 takes of every sentence. The team giving me feedback on how each sounded, and what to improve.
The first course is “Learning Threat Modeling for Security Professionals.”
It’s a genre
Why would the best burger place in the United States close? Because thousands of people had the same stupid idea as you and flooded the place. Waiting times for burgers stretched to several hours, staff were overwhelmed, service declined and loyal customers were alienated.
- A remote Hawaiian island, East Island, was destroyed by Hurricane Walaka. East Island was 11 acres. It was also a key refuge for turtles and seals. Read more in The Guardian.
- Maersk has sent a ship, the Venta Maersk, through the Northern Passage. The journey and its significance were outlined by the Washington Post, with predictions of 23 days (versus 34 to sail via Suez). In reality, it took 37 days, according to the press release, “without incident.” The idea that there’s a sailable Northern Passage is astounding, even if a first sailing took longer than expected.
I had not seen this interesting letter (August 27, 2018) from the House Energy and Commerce Committee to DHS about the nature of funding and support for the CVE.
This is the sort of thoughtful work that we hope and expect government departments do, and kudos to everyone involved in thinking about how CVE should be nurtured and maintained.
STARS-Me (or Space Tethered Autonomous Robotic Satellite – Mini elevator), built by engineers at Shizuoka University in Japan, is comprised of two 10-centimeter cubic satellites connected by a 10-meter-long tether. A small robot representing an elevator car, about 3 centimeters across and 6 centimeters tall, will move up and down the cable using a motor as the experiment floats in space.
The slides from my Blackhat talk, “Threat Modeling in 2018: Attacks, Impacts and Other Updates” are now available either as a PDF or online viewer.
“20 Ways to Make AppSec Move at the Speed of DevOps” is in CSO. It’s a good collection, and I’m quoted.
Cybersecurity 2.0 is a new promo from Humble Bundle. Nearly $800 worth of books, including my Threat Modeling, Schneier’s Secrets and Lies, and a whole lot more!