Presented at Black Hat 2012 by Tamara Denning, Tadayoshi Kohno, and Adam Shostack.
You and your fellow players work for Hackers, Inc.: a small, elite computer security company of ethical, white hat hackers that perform security audits and provide consultation services. Their Motto: You Pay Us to Hack You.
In 1992, Steve Jackson Games published the game Hacker, satirizing the Secret Service raid that seized drafts of GURPS Cyberpunk. The Hacker game manual helpfully states, "Important Notice To Secret Service! This Is Only A Game! These Are Not Real Hacking Instructions! You Cannot Hack Into Real Computers By Rolling Little Dice!" Now, 20 years later, we wish to announce a new card game that's fun, yes, but also designed to illustrate important aspects of computer security. We licensed our game mechanics (Ninja Burger) from none other than Steve Jackson Games, then created all-new content--complete with illustrations and graphic design--to deal with computer security topics.
Each person plays as a white hat hacker at a company that performs security audits and provides consulting services. Your job is centered around Missions -- tasks that require you to apply your hacker skills (Hardware Hacking, Software Wizardry, Network Ninja, Social Engineering, Cryptanalysis, Forensics, and more) and a bit of luck in order to succeed. You gain Hacker Cred by successfully completing Missions ("Disinformation Debacle," "Mr. Botneto", "e-Theft Auto") and you lose Hacker Cred when you fail. Entropy cards help you along the way with advantages that you can purchase ("Superlative Visualization Software") and unexpected obstacles that you can use to thwart other players ("Failed to Document"). Gain enough Hacker Cred, and you win fame and fortune as the CEO of your very own consulting company.
Why a game? Entertainment provides an engaging medium with which to raise awareness of the diversity of technologies impacted by security breaches and the creativity of techniques employed by attackers. In this talk, we will describe our goals in creating the game, discuss trials involved in the game design process, and discuss the potential applications of security-themed games.