Tag Archives: security

What Werewolf teaches us about Trust & Security

20 Replies

After sharing the idea behind this post with Bruce Schneier, I’ve been encouraged to think a little more about what Werewolf can teach us about trust, security and rational choices in communities that are, or are at risk of, being infiltrated by a threat. I’m not a security expert, but I do spend a lot of time thinking about negotiation, collaboration and trust, and so thought I’d pen some thoughts. The more I write below, the more I feel Werewolf could be a fun teaching tool. This is something I hope we can do “research” on at Berkman next week.

For those unfamiliar with Werewolf (also known as mafia), it’s very simple:

At the start of the game each player is secretly assigned a role by a facilitator. Typically there are 3 werewolves (who make up one team) and around 15 villagers, including one seer and one healer (who make up the other team).

Each turn of the game has two alternating phases. The first phase is “night,” during which everyone covers their eyes. The facilitator then “wakes” the werewolves who agree on a single villager they “murder.” The werewolves then return to sleep. The seer “wakes” up and points at one sleeping player and the facilitator informs the seer if that that player is a werewolf or villager. The seer then goes back to sleep. Finally the healer “wakes” up and selects one person to “heal.” If that person was chosen to be murdered by the werewolves during the night they are saved and do not die.

The second phase is “day”; this starts with everyone “waking up” (uncovering their eyes). The facilitator identifies who has been murdered (assuming they were not healed). That person is immediately eliminated from the game. The surviving players – e.g. the remaining villagers and the werewolves hidden among them – then debate who among them is a werewolf. The “day” ends with a vote to eliminate a suspect (who is also immediately removed from the game).

Play continues until all of the werewolves have been eliminated, or until the werewolves outnumber the villagers.

You can see why Werewolf raises interesting questions about trust systems. Essentially, the game is about whether or not the villagers can figure out who is lying: who is claiming to be a villager but is actually a werewolf. This creates a lot of stress and theatre. With the right people, it is a lot of fun.

There are, however, a number of interesting lessons that come out of Werewolf that make it a fun tool for thinking about trust, organization and cooperation. And many strategies – including some that are quite ruthless – are quite rational under these conditions. Here are some typical strategies:

1. Kill the Newbies

If you are playing werewolf for the first time and people find out, the village will kill you. For first time players – and I remember this well – it sucked. It felt deeply unfair… but on further analysis it is also rational.

Villagers have only a few rounds to figure out who are the werewolves, and there are strategies and tactics that greatly improve their odds. The less familiar you are with those strategies the more you threaten the group’s ability to defeat the werewolves. This makes the calculus for dealing with newbies easy: at best the group is eliminating a werewolf, at worst they are eliminating someone who hurts the odds of them winning. Hence, they get eliminated.

I’m assuming that similar examples of this behaviour take place when a network gets compromised. Maybe new nodes are cut off quickly, leaving the established nodes to start testing one another to see if they can be trusted. Of course, the variable could be different; a threat could spark a network to kill connections to all connections that, say, have outdated firmware. The point is, that such activities, while sweeping, unfair and likely punishing many “innocent” members, can feel quite rational for those part of the group or network.

2. Noise Can be Helpful

The most important villager is the seer, since they are the only one that can know – with certainty – who is a werewolf and a villager. Their challenge is to communicate this information to other villagers without revealing who they are to the werewolves (who would obviously kill them during the next night).

Good seers first ask the facilitator if the person next to them is a villager, then the person to the other side and then slowly moving out (see figure 1 below). If the person next to them is a villager they can then confide in them (e.g. round 1). Good seers can start to build a “chain” of verified villagers (round 2-3) who, as a voting block can protect one another and kill suspected (or better identified) werewolves at the end of each “day.”

Figure 1

Figure 1

This strategy, however, is predicated on the seer being able to safely communicate with those on their left and right. Naturally, werewolves are on the lookout for this behaviour. A player that keeps discreetly talking to those on their left and right makes themselves a pretty obvious target for the werewolves. Thus it is essential during each round that everyone talk to the person to their left and right, regardless of whether they have anything relevant to say or not. Getting everyone talk creates noise that anonymizes communication and interferes with the werewolves’ ability to target the seer.

This is a wonderful example of a simple counter-surveillance tactic. Everybody engages in a behaviour so that it is impossible to find the one person doing it who matters. It was doubly interesting for me as I’ve normally seen noise (e.g. unnecessary communication) as a problem – and rarely as a form of counter-power.

Moreover, in a hostile environment, this form of trust building needs to happen discreetly. The werewolves have the benefit of being both anonymous (hidden) from the villagers but are highly connected (they know who the other werewolves are). The above strategy focuses on destroying the werewolves by using creating a parallel network of villagers who are equally anonymous and highly connected but, over time, greater in number.

3. Structured and Random Stress Tests

The good news for villagers is that many people are terrible liars. Being a werewolf is hard, in part because it is fun. You have knowledge and power. Many people get giddy (literally!). They laugh or smirk or overly compensate by being silent. And some… are liable to say something stupid.

As a result, in the first round players will often insist that everyone introduce themselves and say their role. E.g. “Hi my name is David Eaves and I’m a villager.” You’d be surprised how many people screw up. On rare occasions people will omit their role, or stumble over it, or pause to think about it. This is a surefire way of getting eliminated. It comes back to lesson 1. With poor information, any information that might mean you are a werewolf is probably worth acting on. Werewolf: it’s a harsh, ruthless world.

This may be a interesting example of why ritual and consistency can become prized in a community. It is also a caution about the high transaction costs created by low-trust environments (e.g. ones where you worry the person you are talking to is lying). I’ve heard of (and have experienced first hand) border guards employing a form of the above strategy. This includes yelling at someone and intimidating them to the point where they confess to some error. If a a small transgression is admitted to, this can be used as leverage to gain larger confessions or to simply remove the person from the network (or, say, deny them entry into the country).

However, I suspect this strategy has diminishing returns. People who haven’t screwed up in the first two rounds probably aren’t going to. However, I suspect perpetuating this strategy  is something werewolves love. This is because it is an approach that is devoid of fact. Ultimately any minor deviation from an undefined “right” answer becomes justification for eliminating people – thus the werewolves can convince villagers to eliminate people for trivial reasons, and not spend their time looking at who is eliminating who, and who is coming to the aid of who in debate, patterns that are likely more effective at revealing the werewolves.

A note on physical setup

Virtually every time I’ve played werewolf it has been in a room, with the players sitting around a large table. This has meant that a given player can only talk, discreetly, with the player to their left and right. I have once played in a living room where people basically were in an unstructured heap.

What’s interesting is that I suspect that unstructured groups aid the werewolves. The seer strategy outlined in section 2 would be much more difficult to execute in a room where people could roam. A group of people that clustered around a single player would quickly become obvious. There are probably strategies that could be devised to overcome this, but they would probably be more complicated to execute, and so would create further challenges for the villagers.

So perhaps some rigidity to the structure of a community or network can go a long way to making it easier to build trust. This feels right to me, but I’m not sure what more to add on this.

All of this is a simple starting point (I’m sure I have few readers left at this point). But it would be fun to think of more ways that Werewolf could be used as a fun teaching tool around networks, trust and power. Definitely interested in hearing more thoughts.

How Car2Go ruins Car2Go

30 Replies

So let me start by saying, in theory, I LOVE Car2Go. The service has helped prevent me from buying a car and has been indispensable in opening up more of Vancouver to me.

For those not familiar with Car2Go, it is a car sharing service where the cars can be parked virtually anywhere in the city, so when you need one, you just use a special card and pin number to access it, drive it to where you want to go and then log out of the car leaving it for the next person to use it. All this at the affordable rate of 38 cents a minute. It’s genius.

So what’s the problem?

Well, in practice, I’m having an increasingly worse experience with Car2Go, particularly when I’m most in need the service. What’s worse, the reasons are entirely within the control of Car2Go and specifically how it designed its app, its workflow and its security. My hope is there are lessons here for designers and anyone who is thinking about online services, particularly in the mobile space.

Let me explain.

Car2go-find-a-car-150x150First, understand that the Car2Go’s brand is built around convenience. Remember, the use case is that, at almost any time, you can find a car near you, access it, and get to where you want to go. Car2Go is not for people planning to use a car hours ahead (you don’t really want to be paying 38 cents a minute to “hold” a car for 3 hours until you need it. That would cost you $68!). Indeed the price point is designed to discourage long term use and encourage short, convenient trips. As a result ease of access is central to the service and the brand promise.

In theory here is what the process should look like.

  1. Fire up the Car2Go app on your smart phone and geolocate yourself
  2. Locate the nearest car (see screen shot to right)
  3. Reserve it (this allows you to lock the car down for 15 minutes)
  4. Walk to your car, access it using your Car2Go card and pin number
  5. Drive off!

Here is the problem. The process now regularly breaks down for me at step 3. At first blush, this may not seem like a big deal… I mean, if the car is only a few blocks away why not just walk over and grab it?

Alas, I do. But, often when you really want a car someone else does too! This is even more the case when say… it’s raining, or it’s the end of the business day. Indeed, many of the times when you would really like that car are times when someone else might also really want it. So being able to lock it down is important. Because if you can’t…? Well, the other week I walked 12 blocks in the rain trying to get to 4 different Car2Go cars that I could see in the app but couldn’t reserve. Why four? Because by  the time I got each of them, they were gone, scooped by another suer. After 30 minutes of walking around and getting wet, I gave up, abandoned my appointment (very suboptimal) and went home. This is not the first time this has happened.

The impact is that Car2Go is increasingly not a service I see myself relying on. Yes, I keep using it, but I no longer think of it as a service I can count on if I just cushion a little extra time. It’s just… kind of reliable because the split between really frustrating outcome and totally delight, is starting to be 40/60, and that’s not good.

Car2go-login-150x150But here is the killer part. Car2Go could fix this problem in a day. Tops.

The reason I can’t reserve a car is a because the Car2Go app forces you to log back in every once and a while. Why? I don’t know. Even if someone stole my phone and used it to reserve a car it would be useless. Let’s say they managed to also steal my wallet so had my Car2Go card. Even now it doesn’t help them since without my pin they couldn’t turn the car on. So having some rogue person with access to user’s account isn’t exactly putting Car2Go in any danger.

So maybe you’re thinking… well, just remember your password David! So here’s a big user moment.

I WISH I COULD.

But Car2Go has these insanely stupid, deeply unsafe password rules that require you to have at least one number, one letter and a capitalized letter (or a special character – god knows if I remember their rules) in your password. Since the multitude of default passwords I use don’t conform to their rules, I can never remember what my password is, leaving me locked out of my Car2Go app. And trust me, when you are late for a meeting, it’s raining and you’re getting soaked, the last thing you want to be doing is going through a password reset process on webpages built for desktop browsers that takes 10 t0 15 minutes to navigate and complete. Many a curse word has been directed at Car2Go in such moments.

What’s worse is there is evidence that shows that not only do these passwords rules create super crappy user experiences like the one I described above, they also user accounts less secure. Indeed, check out this Wired article on passwords and the tension between convenience and effectiveness:

Security specialists – and many websites – prompt us to use a combination of letters, numbers, and characters when selecting passwords. This results in suggestions to use passwords like “Pn3L!x8@H”, to cite a recent Wired article. But sorry, guys, you’re wrong: Unless that kind of password has some profound meaning for a user (and then he or she may need other help than password help), then guess what? We. Will. Forget. It.

It gets worse. Because you will you forget it, you’ll do something both logical and stupid. YOU’LL WRITE IT DOWN. Probably somewhere that will be easy to access. LIKE IN YOUR PHONE’S ADDRESS BOOK.

Stupid password rules don’t make users create smarter passwords. It makes them do dumb things that often make their accounts less secure.

The result? Car2Go’s design and workflow creates a process that suboptimizes the user experience, all in an effort to (I’m guessing) foster security but that, in reality, likely causes a number of Car2Go users to make terrible decisions and make their accounts more vulnerable.

So if you are creating an online service, I hope this cautionary tale about design, workflow is helpful and password authentication rules. Get them wrong and you can really screw up your product.

So please, don’t do to your service what Car2Go has done to theirs. As a potential user of your product, that would make me sad.