How to Make a Good Hacking Game When the Reality Is Massively Dull


#1

When I, a layperson, think of hacking I think of two things: the movie Hackers and that episode of NCIS when two people started typing on a keyboard simultaneously in order to hack faster. Because if media has shown us anything, it’s that nobody actually knows how hacking works.


This is a companion discussion topic for the original entry at https://waypoint.vice.com/en_us/article/8xma9p/how-to-make-a-good-hacking-game-when-the-reality-is-massively-dull

#2

Hacking is fun though…


#3

A common trait is using what Trobbiani calls a “zeroth person perspective.” […] The player is put inside the game and tasked to do the work. They’re not named, usually, but are referred to as “you.”

…eh? That’s called second person and has been done by text adventures since forever?


#4

It’s an innovation hype industry; if Activision can act like they invented animated fish and the entire concept of rhythm then folks can act like an indie dev invented character perspectives.


#5

Hacking is a lot of fun and if game designers would actually bother to research the subject or talk to people who are in infosec they would find there is a lot to work with to make it realistic while also not being boring. I can’t begin to tell you how saddening it is to play a game with “hacking” in it when it’s clear the people behind it have no idea what it’s really like. The industry is very open and has conferences and meetups all over the world all the time so come hang out with us!

As an example, I highly suggest anyone who is thinking about having hacking in their game in some way really look into CTFs, as they are designed to be fun short hacking games.

People also seem to assume it’s always very complicated and you need to be really smart to do these kinds of things along with being an expert with a Linux terminal. True, if you want to use most tools the most optimally it’s probably with a terminal, but almost every major tool has had a GUI made for it and most of them are really easy to use.

Another thing that has always bothered me is that no one ever wants to make a defensive security hacking game or minigame. Those can be just as fun as breaking things! Doing a CTF where you are basically playing KotH for servers is a ton of fun for the defensive people on your team because as soon as someone breaks into and captures a server you need to come in and start fixing and setting up defenses before another team breaks in. There’s also the National Collegiate Cyber Defense Competition where college students are given a network and told to defend it while answering requests from a fake boss. It often turns into this hilarious plate spinning situation where you’re trying to keep all your services up and running while your “boss” makes requests that throw a wrench into things.

Here’s some suggestions that would make for good hacking mini games that are authentic that I feel an average player could handle:

  • Password breaking: Player got their hands on a bunch of hashed passwords and now needs to use something like Hashcat to decrypt them by using wordlists and adding in flags for where to do character substitution.
  • Man in the middle attack: Player is intercepting traffic from the target and needs to go through the captured web packets to look for clues or passwords. Give the player some cool device like a WiFi Pineapple.
  • Social engineering: This is pretty self-explanatory and games have already done a pretty good job of this in some cases but I don’t think anyone has ever actually really focused on the art of it. Sophie Daniels did a story for Motherboard about the topic and you should all read it if you get the chance.

As an aside, Motherboard also had some really good live streams earlier this year where they brought in people that talked their way through what they were doing and why they were doing it that way.


#6

There’s a Mr. Robot iOS game that despite being basically Twine/choose your own adventure on the backend does a pretty solid job of depicting the social engineering side of things IMO.