# Tetrominos, Workflows, and the Global Economy - GrabCON

## Метаданные

- **Канал:** DarkSec
- **YouTube:** https://www.youtube.com/watch?v=PlhlwczZLvI

## Содержание

### [0:00](https://www.youtube.com/watch?v=PlhlwczZLvI) Segment 1 (00:00 - 05:00)

hey everyone thank you for having me here at grab con i'm john and today i'm going to be taking a look at the topic of gamification in my presentation tetrameters workflows and the global economy how gamification is reshaping information security bit by bit that being said let's go ahead and dive right in so first things first here's a quick background info on who i am a pen tester here for state farm in the united states additionally i am the content director and community manager for trying hackney and last but certainly not least i am one of the leads for the infosight librarians guild project moving on let's look at what this talk is going to be about here's a quick thesis to show you an idea of what we're going to be going through over the course of this topic on the whole gamification is the evolution of learning at its finest and this is no different within infosec as we embrace gamification we can further learning and strengthen our industry on the whole and that's something that we'll see very heavily as we go throughout these next slides moving on let's talk about what is a game you know there a lot of things come to mind when we're first thinking about what a game is but it's more of a complex topic when you talk about what a game is at its core as far as modern examples the big three that come to mind at first are video games which you can see over there on the right with the nintendo game boy board games and even puzzles but taking a step back we can see that a game ultimately is entertainment married with challenge and growth you can have challenging games that you need to get better at you need to gain skills and experience by playing the game in order to move further you can have creative games like animal crossing things like that you increase your skill by playing and by experimenting but we can see that overall this idea of challenge and growth are really present and we'll dive into that further as we go throughout this talk let's move on to talking about one of my favorite games personally of all time tetris now tetris is nothing short of fascinating you'll see a little note here on the bottom of the box art from russia with fun tetris is incredibly historical just because it of the influence that this game has had across generations and across the world so this next bit is more or less straight from wikipedia tetris was created in 1984 by russian software engineer alexey pagetnob this was when he worked at the russian academy of sciences i believe originally designed for the electronica 60 computer that was a replica or kind of a spin-off of a computer that we had here in the west tetris became a cultural phenomenon which has transcended generations and even the iron curtain while the history and copyrights of this game are nothing short of incredible our focus today is on games and gamification overall so why tetris and just a quick meta note on this i highly recommend looking up there is a video by the gaming historian on the history of tetris it is about an hour long well worth your time tetris is just fascinating and i recommend diving into it now let's talk about what is tetris if you've never played it tetris is a game that consists of placing these blocks that fall from the top of the screen to the bottom and those blocks are called tetrameters you can see some there on the right those blocks are made up of or shapes that four individual blocks that create a well or a good variety that you have to use to fill lines on the screen and ultimately mean score so here you have this idea of a sense of accomplishment be a score and yet you have a continuing challenge where the game gets faster and faster as you play more and furthermore you have the introduction of strategy in that you can get more points for clearing multiple lines at once uh in the case of clearing four lines you get a tetris and even in some other tetris games you get even more bonuses and things like that being said we can see how there's an addictive cycle that's started to kick in with even just a simple game like this tetris one of the most magical points before i move on to my next slide is that no matter if even if you don't speak the language that the game's in tetris is very easy to understand when you pick it up it's very simple concept straightforward and it's almost like this universal communication between you and the game that makes it just riveting to pick up now taking a step back from tetris let's talk about how that ties into gamification by taking a look at what gamification is overall so for gamification i'm going to be using the octalysis framework uh this was developed by yukai chow apologies if

### [5:00](https://www.youtube.com/watch?v=PlhlwczZLvI&t=300s) Segment 2 (05:00 - 10:00)

i butchered his name uh the optolysis framework is a human-centric gamification design that lays out the core drives for motivation leveraging this we can start to break down where and how gamification works now this framework was originally created by uh yukai chow after he i believe he was playing diablo 2 and his friends stopped playing they slowly just petered off and then he realized he was the only one playing the game out of his friend group and he took a step back and he felt this sort of looming dread and it was this idea that you know he had spent a lot of time on this video game and he was wondering what he had gotten out of it and he wanted to take a step back even further and start to break down why he was compelled to spend so much time playing diablo 2 and playing other video games in general and what exactly the driving factors are behind that and using that and exploring his own drives he found the framework of victorious which we'll go ahead and break down here so octalysis is made up of as you would have guessed eight core drives and we're gonna go ahead and break those down one by one the first drive here is this idea of epic meaning and calling when you enter the world of a video game you have this idea that you're doing this for the greater good in the case of you know like end of the broad games you have this idea that you need to defeat the big bad in order to actually you know you have this greater purpose in life a great example of this is the legend of zelda series where you have to defeat ganon in nearly every game and it's to stop this sort of apocalyptic enslavement of humanity or what humidity is left i it's a very compelling drive overall the next one that we have core drive2 is development and accomplishment i alluded to this earlier with the idea of skill but you want to have this idea that when you're looking at a game you can see this progress bar you can see these accomplishments that you've got in the example of xbox gamer score you have playstation trophies things like that make you feel that you've gained something you've grown and that your progress is measured uh a good example of this is the world map in mario where you have these individual wall levels that you have to clear and it shows on the world map afterwards that you've cleared everything until you just have ambassador's castle left there moving on we have core drives three and four uh number three is the empowerment of creativity and feedback uh animal crossing is an excellent idea for both of these core drives and let's go ahead and talk about core drive four before i talk about the game overall core drive 4 is this idea of ownership and possession and these core drives really go hand in hand because when you're putting in this effort you want to have ownership to be able to show that your creative prowess is growing or maybe you're taking a step back looking at like fighting games or brawlers you come up with a creative solution to beat a boss or maybe a new combo that you know it works really well against how your opponent's fighting style but in the animal crossing games you have this idea of your island specifically in the newest one new horizons where you have this huge creative canvas and on that space you have won this idea of ownership but you can do with it whatever you want you can show it off and there's this huge sharing community factor and those book drives are incredibly compelling if you're if you have any doubts on this i recommend looking at the animal crossing community there are some incredibly creative people out there and it shows just how powerful those tribes are moving on we have core drives five and six so number five is social influence and relatedness this has been a core drive that has really grown especially with the idea of online multiplayer and tournaments where you have this idea that if you are the best in the world uh for example call of duty you know you are the best in the world you've won a tournament counter-strike has a very big around this and you have this community of people you can talk to and be able to relate to them and then core drive 6 scarcity and impatience that's something that goes more or less hand in hand with this one as well but has some different ideas mixed in scarcity only one person can be the best impatience you have time trials and you have tournaments you know you have a round timer and a lot of games you can see how these things start adding up and we'll get into the last few core drives in a moment but these start adding up to really push you towards whatever goal the developer of either game or whatever situation wants to push you towards moving on to core drives seven and eight we have the idea of unpredictability and curiosity uh if you've ever read a book and you just get to the point where you just need to keep continuing on you need to know what happens on the next page this is that drive the idea of exploration wondering what is going to come next and you have this idea over on

### [10:00](https://www.youtube.com/watch?v=PlhlwczZLvI&t=600s) Segment 3 (10:00 - 15:00)

the side where for example the nathan drake games or other games like tomb raider that this exploration really is the main core drive and we'll talk about how these drives mix and how we can have sort of different levels coming up here in a couple slides but the last drive that we have here and this gets into what is referred to as a sort of black hat not to be confused with black cat hacking but black hat game design where you have this idea of loss and avoidance this is a core drive that really comes into focus with the dark souls or souls like games where dying in those games it sucks it's a huge consequence and you can see immediately the consequences of your actions at play that's sort of a negative impetus but you can see how that can drive you moving on we can start to see and apologize for the low resolution image here you can see how we can measure these different core drives and we can see how a different situation might have more of one than another and sometimes might just not have very much of one in general but you can see this broken down into eight of uh or the eight core drives per each situation in this case being building up a plot you can see how those core drives can evolve throughout the actual game and how we can start measuring them and putting them into practice that being said let's move into infosec i mean we're hackers here let's talk about how this actually matters behind just you know hacking our brains so taking a step back to try hack me uh this is just a quick history lesson to walk into how we got to gamification with try hack me uh this was founded in 2018 by ben uh he goes by skitty and then a shoe i joined just a couple months in i ended up getting involved with uh i had created a box that eventually became known as blue i had created it for a cyber defense competition or uh rather a cyber defense club that i was running at the time because i wanted a good exercise that had some of these ideas of gamification in it and eventually just ended up getting involved and joined on with the team from this we we're starting things off and this is something that ben and shoot really focused on was this idea of the state of learning in infosec now anyone who's tried to do some learning and infosight will be able to comment on this pretty thoroughly that it can come across as fragmented especially because it's a relatively new field and you know the grand scheme of things and with fragmentation comes this idea of it potentially being inaccessible that's a problem that is a big problem and ultimately especially as you move into more higher uh difficulty levels within infosec you have you can see that this is difficult on a good day things don't always make sense and there's a lot of room for improvement and that's something that hackney ultimately was founded on uh and one of my favorite ideas here is the analogy of a ladder being the ideas of like the different subs that you have to take to learn something uh you can't skip over one topic it doesn't really work that well and you can't skip wrongs on a ladder from that you start building up this idea of a learning path and start trying to work your way backwards for maybe you learn something but you have to learn how you learn it and that's really where we start seeing a lot of motivation behind try hackney moving into this idea of redefining info second education i we wanted to take a look at where was change actually possible and from this we found three core ideas first and foremost we had this idea of addressing the beginner then we had don't try harder try again that is actually a quote from john hammond that i just love and then the idea of security as a game of exposure let's break down these ideas first we have the concept of addressing the beginner we wanted to start from fresh with learning trying to take a step back and trying to figure out there was a lot of room for growth where were those missing rungs and ultimately we needed to take a look at what we were learning what we knew from infosec and tried to consider what had to come before that so maybe to use nmap properly you needed to know networking ip addressing at least a little bit and we had to have this idea where do you first start your journey because you know everyone wants to start but sometimes finding that place to start is the hardest part moving on to the idea of don't try harder try again we wanted to examine this idea of punishment and reward with this we had a really big idea of the removal punishment with the focus on learning and improvement because if you're learning infosec it's probably because it's out of passion because it is a difficult field you know not just to get in but it can be very difficult to learn at times because infosec requires this idea of being a

### [15:00](https://www.youtube.com/watch?v=PlhlwczZLvI&t=900s) Segment 4 (15:00 - 20:00)

sort of a base level where you understand the technology but then moving into this idea of sort of a mastery where you can abuse it because in order to actually hack something you need to really understand what system is there in the first place so you can understand its flaws then we have this idea of punishing private or just you know not at all and then reward in public the entire idea of you know frustration with this learning and punishing people for things that they didn't necessarily know is archaic at best and you know there are situations where it works but the marrying that with the idea of gamification there's really just so much more that you can do with that and then rewarding public that is something we'll go into in a later slide but um having this gamification system really lends itself very well to that reward system and then security as a game of exposure when i was first starting there was this huge stigmata towards looking at write-ups everyone thinks that oh i'm going to be cheating if i go look at a write-up and we wanted to really reinforce and this is something that you can see present in the try hackme discord it is okay to look at a write-up because you really if you don't know something it's very difficult to know what you don't know if you've never heard of it before and that's really where this concept of exposure comes in security you need to know a lot of different things to sort of a small level where you have these juxtaposed ideas of breadth and depth so breath being how much you have to know depth being how much of it of each topic do you need to know and examining the proper proportions behind that really is how you start um defining where the learning has to happen so say for example again returning that idea of nmap knowing a little bit of uh networking about how to get that tool installed knowing how to use kali to some extent or whatever operating system you install it on but knowing how much of those that you need to know so how much experience you need to have with cali that is where you can start seeing the challenge on the educational level and really where there was a lot of room for improvement and you can see as we go throughout these where these gamification values really are starting to bleed in to infosec and even moving into more specifically let's break down how gamification works on try hackney or at least some of the major points so here we have this idea of gamification first and foremost in the interface when you are hacking it should feel like a game you shouldn't be punished for not knowing something you should be rewarded and it should feel like fun that's the real power behind gamification is where you take something that is work and make it fun because it has a gamification factor to it you can see this happening with uh for example uh bug bounty systems where you can get a standing from it or even more so a lot of workplaces are slowly adopting this as a reward system and then we have this idea of points more than anything i we wanted to introduce these points but there's a mix of you know where do points become pointless where is that value and that's really where you start seeing this leaderboard come into play additionally we had this idea of streaks i believe that's something that ben came up with and it's just wonderful gives that impetus to keep coming back day after day because having a big streak gets you rewards and then you create this idea of a passive but powerful addiction throughout the entire site where these factors start adding up very slowly but they add up to be something really compelling and powerful and then gamification in the challenges so you can have themed rooms and this gets into one of my favorite rooms on the website uh first and foremost when i'm going through and taking a look at the box you're looking at rooms that we're looking to accept i love this idea of being able to tell a story with whatever box i'm doing so say for example the biohazard room and i apologize if you've not done this room i'm going to try to avoid spoilers but biohazard is based off of resident evil biohazard i'm not really big on horror games but i love that room resident evil is known very well for its challenges the little puzzles in the game they're just very well done and descal one of the community members that i don't know if he's done active anymore i don't believe so but he took that and translated it into an information security challenge with a slight resident evil twist on it and it makes ultimately a really compelling journey that you know some of the challenges are trivial but you have these extra factors on top of solving info set challenges into how these challenges fit together for what you're ultimately doing in the room and it's really compelling if you haven't done this room before now i highly recommend doing it even just after this talk we're just going to load it up

### [20:00](https://www.youtube.com/watch?v=PlhlwczZLvI&t=1200s) Segment 5 (20:00 - 25:00)

right now it's a ton of fun and that's really where you start seeing the gamification factor come into full force because make no mistake you're doing work going through that room you're learning how to do these things some of them are not very difficult some of them and that's still work that you're getting people to do on their own time because it's fun and that's the magic of gamification and then we have this idea of real world versus the game uh especially on the site where you know this is your learning skills to be able to take them out into the real world you have to have this balance between gamified and also realistic and that's something that has to be balanced there's a lot of power in striking that balance correctly moving on we have this idea of rewarding the user so on top of having gamification in the interface and telling a story with you know these boxes or vulnerable virtual machines we have this idea of rewarding the user with things like easter eggs now if you haven't done it there was a day 24 for uh 2021's avenue cyber 2020 the most recent one as the time of this recording uh day 24 was a box created by myself mirland oracle spooky and varg of the tri hackney community and it is just riddled with easter eggs if you've done that box and you didn't find easter eggs go back and don't follow the instructions don't follow my instructions at all there is so much more if you just don't pay attention to me don't watch my write-up i uh or the video that i did for that just skip over that explore things that are not where i tell you to go and you can see this idea of poking around and exploring it's sort of like the zelda design of wandering around and you find secrets just for wandering you know we would go through and a lot of times we'll hide uh some vouchers uh like one month premium vouchers and try happy boxes that release and we just won't tell people because it's a ton of fun um a classic example of this sticking is sent back to video games is golden eye goronai is a classic game for the nes nintendo entertainment system and it was full of easter eggs full of cheat codes full of things that you could explore and it rewarded people for trying and trying out new stuff that's really cool idea and then taking that and putting it in boxes we have this idea of rewarding exploration and embracing advanced concepts in that some of the boxes that i design and that we want to look for on the site will have ways that you can just skip buy stuff you can skip steps if you know to do things or know how to do other things that make the boxes easier there are a lot of ideas like that and that's really cool and that's something that especially if you get a box differently than someone else that's a fun conversation to have this that's exciting and we have probably the most important part of this the community element these are a little bit older screenshots at this point in time but we have this idea of the leaderboard and the try hacking community behind everything so the subreddit and then the discord and the form you know you have a group of hackers and that you can learn with um additionally you have this idea of certificates and completion so you get these rewards for completing things and that's very meaningful because you can show that off on places like twitter and linkedin and that furthers the community aspect more than anything with when you're learning hacking having that group of friends that you can sort of egg each other on that is one of the best ways you can learn and it's something that's incredibly powerful if you don't have a group of friends to learn hacking with i highly recommend introducing yourself to other people start making friends try to figure out who you can hack with because you will learn better you will learn more you will learn faster you will have more fun playing with other people and then taking a step forward let's take a look at how this is going to go in the future this is something that this talk was previously designed for another conference as a keynote this is something that was a little bit more focused on that but i wanted to still talk about where the industry ultimately is going to go with this so labs and levels this is something we've really focused on to try hack me and i know other sites that focus on this as well but furthering networks further furthering this idea of multiple machines and then sort of revisiting that exploration drive this idea of freedom of choice or you have a guided experience there's a lot of pros uh progress that can be made there and i think that that's really where the industry has a lot of room for growth and then teaching more with less so more tools available uh to the user again having that idea that if you have a virtual machine that people are in and they've already hacked in even if they do something that doesn't necessarily matter and i'll talk about this a little bit with blue you still have that space that you can teach and i think that's something that we can grow a lot on the industry with taking a step back and using the example of blue on try hackney i had this idea when i created it that hey we've gained access to this machine and while it's not necessary to prives because eternal blue gets you root on the system going through and showing how you can use just like privacy mechanisms within

### [25:00](https://www.youtube.com/watch?v=PlhlwczZLvI&t=1500s) Segment 6 (25:00 - 28:00)

metasploit that's something that you have that space you can teach with and you can get a lot of value since you're already there so it's an idea that i think that we can go a lot further with the industry and then we have this idea of everyone is a hacker i think that further more and more this is something we've done an excellent job of but we still have a ways to go is uh being more accepting with our industry and gamification is for everyone taking that and driving home the point if anyone can learn this agnostic of you know age gender you know if you have disabilities i think that there's a lot that we can do with that and then being human and everything this is something that i think that the community overall has a lot of ways uh we can grow um and this is something that you could take a step back and get on a soapbox with but you know there's a human behind that keyboard at least until the robots take over and really focusing on that not just in the community aspect but focusing on it from our educational aspect you know we learn distinctly as humans we have a lot of progress with that and that's somewhere that i see the industry growing immensely and again the future of infosect training i already talked about this quite a bit but uh increased coverage for like blue team and this is something that we've had a lot of additions for and keep posted for a potential event with this on trent hackman you didn't hear me um further training of red team so again these examples such as defer advanced topics uh d4 being digital forensics and incentive response i think these advanced topics are really where we're going to see a lot of growth and then redevelop trainings putting feedback to good use this is one of our favorite things to do on trihack because you know maybe a part of the room is just completely you know it's very confusing and it's not necessarily confusing to us but that's a sign that maybe we need to go back and rewrite that and maybe there needs to be a hint so something that we can do a lot as industry and then redefine learning experience i'm gonna glaze over this pretty quickly but exploration of how we learn further than just the basic understanding uh there is a veritasium video that sounds super old on this that i recommend checking out just because that entire idea of the different types of learning is very flawed but it's something that we need to pass on an educational level and then the expansion of uh modalities for our actual teaching so further leaning into gamification leading into more experimental learning methods and then really pushing this idea of asynchronous training like uh with sites such as trihackney or other online training sites pushing that further so that we can go further as an industry on the whole just some concluding thoughts to wrap this up again gamification is the evolution of learning at its finest and this is no different within infosec as we embrace gamification we can further learning and strengthen our industry on the whole and hopefully throughout the presentation that has been something that has been clear as we explore just how much growth is possible that being said thank you for having me here at grab con i am john i go by dark star online feel free to follow me on twitter but otherwise thank you so much to have a great rest of your conference

---
*Источник: https://ekstraktznaniy.ru/video/38715*