Friday, January 15, 2016

The Schelling Game

At the Shmoocon conference, a vendor ("Breach Intelligence") is putting a card in every schwag bag with an "IoC". The game works by giving everyone a different IoC, in pairs. If you find your matching IoC and come to their booth, they'll give you a free quadcopter.

This is like the "Schelling Point", a question in game theory. You are supposed to meet somebody in New York City, but neither of you has been told where to meet. So where do you go? The trick is to estimate the most logical place that the other person, using the same information as you, would choose. Most people agree that the answer is the "information booth at Grand Central Station".

So how do you find your matching IoC to win the prize? One guy is walking around asking strangers to match cards. That's useful, because a lot of people who don't want to play the game simply give him their cards, so he's got an ever expanding list of possible matches.

My solution is to tweet the IoC, and of course, blog about it:

If my partner searches Twitter, they will find it. That's because Twitter's search engine is instantaneous. Google, on the other hand, will take a few days before they'll find this page and index it, by which time either Shmoocon will be over, or the vendor will have run out of prizes.

At first I tweeted that number bare, because my partner has only to search it to find me. But it hides the purpose so that others don't get on to the trick, find their matches, and exhaust the prizes. But that doesn't work, because the logic applies to my partner as well. So instead, I want to publicize the technique widely, 

So, should my partner choose to find me, then searching on Twitter or (in time) Google should be possible. Sadly, though, I hear they've already run out of quadcopters.

BTW, an IoC, or "indicator of compromise", is a checksum or pattern that was retrieved in analyzing a breach, which can then maybe be used to detect similar breaches elsewhere. It's the thing that OmniCISA was designed to share. These are IoCs of real attacks. If you google the number on your card, not only may you find your partner, you may also find the original virus or attack that the IoC applies to on a website.
