The following is a guest post by Chris Markman, Academic Technology Specialist at Clark University, where he presses the "fast-forward button" on Hacker Conference videos to give you a summary of the talk in a condensed format, with direct links to resources mentioned in the talk. New posts are available each month in the Security Matters blog column.
Jarred White (@eviljarred) mentions at the beginning of this talk that he has delivered it several times at security conferences in the United States recently, so there's a chance you may have encountered "Threat Modeling the Minecraft Way" in some other form. The one we're discussing today is from BSides Nashville 2016, which took place on Saturday, April 16. The slides for this talk do not appear to be available online, but there are some definite highlights worth skipping ahead to if you do not have time to watch the entire 56-minute video.
For the uninitiated, at 2:53 Jarred begins to briefly explain what Minecraft is and why it's a useful tool for threat modeling, and at 5:03 we get a larger overview of the parallels between information security and Minecraft's game mechanics — asset protection being the biggest component. The conversation about game mechanics continues for several minutes and includes discussion about protecting both in-game resources and perimeter defenses.
If you have played Minecraft before but need to be convinced that it's a useful threat-modeling tool, skip ahead to 14:04. This is where we get a comparison of Minecraft's "threat agents" to real-world security attacks. For example, creeper monsters are very similar to denial-of-service attacks, in the sense that they are sneaky, unpredictable, and can destroy assets; skeletons (which shoot arrows) are similar to remote code execution; zombies are similar to viruses. The list goes on.
At 22:32 we get a great example of how Minecraft enables players to design passive security measures to mitigate threats. Jarred uses the example of an architectural feature that can block spiders from climbing up walls. This is noteworthy because the spider is the only Minecraft monster (threat) that can bypass walls, a standard in-game security measure for protecting assets.
If you have played Minecraft before and do not need to be convinced it could be a useful threat-modeling tool (or have maybe looked at the new Minecraft Education Edition website and are interested in adding security to your list of resources), skip to minute 28, where Jarred begins to quiz the audience, asking them to threat model an actual structure and say how it could be improved. This is by far the best part of the presentation, but it relies on a familiarity with the game. This section of the talk continues until the six-minute wrap-up.
While right now may not be the right time to implement a Minecraft-based information security training program at your institution, consider the fact that the game has over 100 million registered users and is being used by places like Code.org and LearnToMod.com to teach programming skills. It is difficult to find exact numbers because the game requires a credit card to register an account, but speaking anecdotally, a large portion of those 100 million users are also under the age of 20. Could Minecraft be the "ultimate" interactive learning platform for the next generation of IT professionals? After watching this talk, check out the MinecraftEdu wiki and other recent blog posts on the subject and tell us what you think in the comment section below.
Chris Markman has been blogging about technology since 2008, first as a volunteer for the Participatory Culture Foundation and later as an MSLIS student at Simmons College and MSIT student at Clark University. Prior to joining the Academic Technology Services team at Clark University in 2014, he managed a film and music library in the Visual and Performing Arts department. Markman is a member of the New England Archivists professional group and several artist collectives in the city of Worcester, Massachusetts.
© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.