
When I think about service security – things like the recently breached Playstation Network, or any one of a number of such things that hold identity data, security credentials or that are trusted to provide critically important data (like the electronic voting machines in the USA) – I’m persistently reminded of claw crane games.

They’re the ones where you manoeuvre a mechanical claw on a crane-like apparatus to pick up a prize (mostly stuffed toys and other cheapies, but with a number of higher-value prizes mixed in).

All claw crane games have one thing in common. They can be rigged by the owner. Usually that boils down to adjusting grip strength of the claw. Dialling that down allows the player to only grab the lightest prizes, and the owner weighs down the containers of watches and jewellery with metal weights. The claw simply cannot pick up and hold on to the more expensive prizes in any but the most exceptional circumstances.

Modern claw machines are more clever about it. They’re computerised and know when a prize has been won, and keep track, working to a set of odds that the owner can pre-program into the machine to decide just how much value in prizes to give out for a certain number of coins put into the machine. These machines will deliberately weaken their grip to drop prizes in order to maintain the prearranged odds of winning.

A machine that manages to score too many wins despite this (possible if prizes get hooked in unusual ways and don’t get dropped so readily) will sulk, and stage a ‘break down’, no longer allowing people to play until seen to by the owner.

Exactly what the odds might be, and how things are arranged largely depends on how much regulation is being applied to the machines. In some places, there is almost none, and claw cranes will rarely produce a prize, and then only the cheapest things. Even so, it’s quite possible for claw-cranes to be rigged well outside of the regulations without anyone discovering it.

Why do these machines come to mind when I think about secure and reliable services?

Because we take the word of the owner that they do what they’re supposed to do.

Over the last couple of major elections in the USA, doubts were cast on the electronic voting machines in some regions. Little inconsistencies turned up (like more votes being recorded than actual voters who used the machines, and one candidate receiving no votes at all, despite his having voted for himself at polling-time, just to name a few).

When these matters were investigated, the machine manufacturers were desperate to avoid having any third party examine the software. Software that should have been so utterly simple, verifiable and foolproof that there should not have been the least risk if you’d published it in newspapers or on billboards.

You’ve got to take our word for it, they said.

Sony’s Playstation Network (PSN) got itself compromised, apparently because the most basic steps to produce a secure system were not taken. This, after Sony shot itself in the foot on security of the console and signed-software itself in much the same way.

Now Sony’s ready to come back and be really super-secure. In what way?

You’ve got to take our word for it, they say.

Japan’s holding out on allowing the PSN to operate there, feeling that that is not good enough.

And why, actually, should it be? All Japan seems to be waiting for is for Sony to say the right things about its revived PSN service. If it was a bridge or a building, a wharf or a car that had just let down a lot of people, you would have a third-party inspection and check it for security and safety, and fitness-for-purpose.

But when it comes to software, it seems, the ones who stand to profit most from cutting corners are the ones who ask you to take them at their word that your data is safe with them.

All things considered, I’d as soon trust a claw crane game to cough up a gold watch.


Categories: Opinion, Technology.
