The Infosec Introvert Travel Blog

So, you’ve finally landed that infosec job of your dreams! The clouds have parted and angels have descended from the sky singing Aphex Twin.

Congratulations, I believed in you all along.

One small problem: they say you’re going to have to travel. Maybe to a customer site. Maybe to training. It doesn’t matter. You’re an introvert and haven’t traveled much, and you’re starting to panic.

Don’t worry – I’m here for you, friend! Let’s go over some basic travel tips for introverted infosec people.

Learn How and What to Pack

There are hundreds of great blogs on packing for travel you can seek out, so I’ll keep these tips fairly brief:

  • A decent suitcase is a really important investment. Cheap suitcases without proper roller wheels are frustrating to lug across airports and will break at incredibly inopportune times. I recommend that every traveler have one decent quality carry-on suitcase and one decent quality backpack or shoulder bag with a laptop pouch, at a minimum. The last thing you need is a strap, zipper, or wheel snapping in the middle of the airport. I see no particular advantage to either soft-side or hard-side bags – the most important things to me in a carry-on are a lightweight, sturdy bag that will fit in regional jet overhead bins even when full.
  • Learn to neatly and tightly fold or roll your clothes. Clean ones, and dirty ones upon your return. Packing cubes are a huge help by this. I personally like these ones. Some people prefer compression bags, but I’ve found them a lot more frustrating to use on the return trip, and they don’t last as long.
  • Choose clothes that don’t easily wrinkle, and stick to a common color scheme. The more pieces of clothing you can mix, match, reuse for a couple days, and layer, the easier your life will be on your trip.
  • Shoes and boots are some of the bulkiest and heaviest things you can pack, so choose a versatile pair of dress shoes and bring as few pairs as possible.
  • Pack a small towel.
  • When flying, always pack essential travel-size toiletries and one change of clothes (underwear and socks at a minimum) in your carry-on bag. Luggage does get lost, and flights get delayed (sometimes overnight).
  • On the same note, always have medication, contact lenses, underwear, and socks for one more day than you plan to travel.
  • Always carry a travel-size Ibuprofen, Benadryl, and antacid. Those are a few small things you do not want to have to take a walk for in a strange city when you really need them.
  • Consider your personal daily usage of toiletry items. A million bloggers will tell you a million different things about how much soap to pack. For the most part, travel-size items will last you 3-4 days. For longer trips, you’ll probably need more. However, if you have long hair like I do, you might need more than a 3oz / 100ml bottle of conditioner for even a three day trip. This is something you’ll learn with practice.
  • If you run out of your travel-size toiletry items, buying toiletries at your destination is usually by far the most economical option, particularly when flying. There are convenience stories or pharmacies almost anywhere. However, expensive cosmetics or skincare products are definitely an exception and may motivate you to pay $25 each way to check a suitcase. Your call.
  • One final note about toiletries and flying – learn what the TSA and similar international agencies consider a “liquid” and a “gel”. There are lots of alternative toiletries like face wipes and solid deodorants that are not controlled by liquid restrictions that can give you a bit more wiggle room.
  • Have two phone chargers – one in your suitcase or car, and one in your carry-on or laptop bag.
  • If traveling to a different country, ensure you have the correct power adapters or plugs for your electronics. Bring a power converter if necessary, but they’re bulky and becoming irrelevant. Most laptops and phones made in the last 10 years can handle either 110v or 220v AC, so all you’ll need to replace is the plug, not the power brick. Check yours and make sure.
    TIP: MacBook wall plugs side off the power brick and are trivial to swap at will!
  • Plan for a catastrophic laptop crash, with either a USB drive or a recovery partition.

Have a Passport

They last a decade and aren’t super-expensive, but they take quite a while to arrive unless you pay for them to be expedited. Every infosec person should have one for last minute work or conference travel. Pat notes that it’s a great idea to pay for a passport card as well, as secondary emergency ID, and for the smaller form factor.

Learn How To Fly

It’s okay if you’ve never flown on a plane before. Lots of great infosec people hadn’t before they got their first job.

Read up a bit on air travel regulations before getting on your first flight. Prepare to go through airport security. For instance, read up on liquid and gel restrictions, and keep this bag easily retrievable in your carry on. Be prepared to take your laptop out quickly in the security line. In most places, security also requires removing belts, jewelry, wallets, and shoes, then placing them in a bin.

US Residents – ensure your State ID or Driver’s License is still adequate to use at the airport. Some states’ will not be soon, and you may need to purchase an enhanced ID or use a federal ID card such as a passport or military ID card.

Domestically, check into your flight at least an hour prior to boarding time (not departure time) – longer if you intend to check a bag. (If you’re running late, checking in on your phone can sometimes get you on the plane after check-in closes at the airport.) International travel has a significantly longer lead time – check the airport’s website for details.

Check the gate on your boarding pass and find and verify it has not changed before going off for a washroom break or a coffee. Airports all over the world are full of signs and maps to help you. Make sure you’re back at the gate before boarding time. (Once again, this is not the same as departure time.)

Most economy-class domestic flights in the US no longer serve any meal, and some may not even serve drinks. Others offer packaged food at a pretty exorbitant cost. I recommend you grab a sandwich and a drink in the airport after you find your gate. In my experience, most other countries’ carriers still serve a light snack – your ticket will usually indicate this. International flights will usually serve at least one meal, but you might not get any choice of what it is (allergen free, vegetarian, etc).

A bit about boarding groups – you and I will probably never be in the oft fabled Boarding Group 1. That tends to be pay-to-play, or extremely frequent travelers, or business class. If you’re in a higher boarding group (3-5 on most airlines), the overhead bins may fill up, and you’ll be required to check your carry-on bag for free at the gate. Ensure your important documents, electronics, and medications are transferred to your person if this is required.

On the plane, follow all posted safety instructions and stay seated with your seatbelt fastened unless you go to the lavatory. Be polite to the crew and don’t be afraid to ask questions.

What I normally have on my person or under the seat (not in the overhead bin) on your average flight:

  • Phone in airplane mode
  • Headphones (most commercial aircraft now support standard ones)
  • Wallet
  • Earplugs
  • Sandwich (on domestic flights)
  • Water bottle
  • Book
  • Travel neck pillow
  • Pen (especially if I have to fill out international customs forms)
  • Melatonin (on international flights) – (please note different sleep aids are OTC-authorized in different countries; plan accordingly).
  • Vicks Vapor Inhaler or equivalent (no, it’s not a vape – it helps with the dry air.)

Congratulations, you’re now an airport pro.

Safety and Security

Once again, we’ve reached a topic on which there have been many great blogs and articles already written (I particularly love Stephen Northcutt‘s – he’s definitely had some adventures!)

A few small fundamentals:

  • Be aware of the threats you will face as an individual and as an information security employee of your company in the place you’re going, before you arrive.
  • Consider bringing loaner / disposable electronic devices. At the very least, update and encrypt your devices. (They should be already, but this becomes absolutely critical during travel.)
  • Do not carry large sums of cash on your person, and don’t carry all your money in one place. Consider a discreet money belt or anti-theft bag.
  • Ensure the locks, peephole, phone, and safe in your hotel room work properly and ask to change rooms immediately if they do not.
  • Never let a stranger into your hotel room.
  • Pay attention to your surroundings. It’s very easy in a strange city to get distracted by the sights or your map. Tourist areas all over the world often have heavy pickpocket activity and crazy traffic.
  • Consider sightseeing with a buddy, but don’t let eating or sightseeing alone stop you from getting out. (Just make sure somebody knows where you are.)
  • Don’t make yourself a target! Don’t wear clothing that identifies your point of origin or that you are a tourist (language, flags, distinct regional clothing styles, etc). Dress like a local whenever possible. Keep the camera in the bag until you’re ready to use it.
  • Addendum, AMERICANS: Yes, us! We stand out. We tend to be significantly louder and less professionally dressed than locals, especially in Europe. Please, just don’t.
  • If you’re leaving your country, understand what access foreign internet service providers and customs agents may have to your personal and work devices.
  • Evaluate your personal threat model and make an informed risk decision about what devices and data to bring with you, and how you plan to connect to the internet and authenticate to your accounts while traveling (private VPN? Yubikey?)
  • notes that when progressing through security, Immigration, or Customs, it’s never particularly wise to introduce yourself as as a “computer hacker”. “IT” or “computer security” is quite sufficient unless pressed for specifics. “Hacking” carries various legal and social connotations around the world.

We as Information Security professionals tend to be highly and often reasonably paranoid about our personal security, so I will simply leave you with a reminder that everyone is in fact not out to get you, and while you should always make sensible and informed risk decisions about your security, you should also not let them entirely prevent you from exploring a new place.

Before You Leave Your Country

For US Residents:

  • Check the State Department Website for travel safety information on the country you will be visiting:
  • Check the CDC website for information on vaccinations you require prior to travel:
    TIP: Doctor on Demand can provide you a cheap and easy vaccine referral via your phone or tablet when walk in clinic nurse practitioners cannot.
  • Consider enrolling in the US State Department STEP program.
  • comments that the TSA PreCheck and Global Entry programs are a huge benefit for frequent air travelers, especially travelers in a professional group. Those programs do come with significant background checks and biometric disclosure, so while I personally find them extremely time-saving, you will need to make your own privacy decision.

For Everyone:

  • Contact your personal and/or work mobile phone provider for information on international voice and data plans for the duration of your travel. If you do not purchase international data service, disable cellular data for the duration of the trip or you may unwittingly face extremely steep fees. T-Mobile One is my favorite pick  for frequent international travelers from the US, as it provides free 2G data service in dozens of countries with no plan modification or additional fees.  prefers GoogleFi for the faster global 3G speeds, but their plans contain a firm data cap and overage charges if you plan to tether. If your phone is unlocked, you can also consider buying a SIM card at your destination if you need to do a lot of local calling.
  • Consider purchasing a travel health insurance policy, particularly if you’re traveling somewhere without universal health coverage for non-residents, or if you might be participating in high risk activities. Do get your shots in advance.
  • Choose a chip-enabled credit card that is preferably not your primary bill auto-payment method to bring on your travel, and contact the provider in advance to inform them you will be traveling abroad. ( adds an great reminder that some credit cards carry not insignificant international transaction fees – ensure you check this with your bank).
  • Read up a little on your destination. Understand the general geography, weather, economy, customs and courtesies (like tipping), criminal statistics, food and water safety, corruption, and political climate. Learn the current exchange rate to your country’s currency. Learning a couple phrases in the local language, (particularly courtesies and greetings), is usually appreciated by locals.
  • Make a copy of your important travel documents to lock in your room safe for the duration of your trip, in case of a lost or stolen wallet.

Have a Good Attitude

So you’re going to training in Springfield, population 700, with nothing but cornfields for miles in every direction. Or maybe you’re going to a country you never wanted to visit and you don’t speak the language. Everything’s terrible, right?

Let me let you in on a secret: I have never in my life traveled anywhere I didn’t like something about! In the most remote, Midwestern town I’ve ever traveled to, I found an amazing Amish market with the best sandwich I’ve ever eaten! I had amazing traditional Central American chocolate and an incredible boat ride through the glaciers in Anchorage. I saw adorable meerkats at a private zoo in Germany. These are the things you will remember in 10 years. You will not remember the hotel room – they start to blend together.

It’s important to remember that people are complicated individuals with lives and hobbies, wherever you go. Life might be much faster paced or much slower paced than what you’re used to, but people still eat, have families, and find recreation. If you keep your spirits up and ask around, you’ll find something cool to do anywhere you’re sent.

Packing the Game Console?

I love gaming too, but try to leave the PS4 at home if at all possible on your first trip to a new place. Give the place a chance. If you still hate it after 3 days, I’ll give you a pass on watching cable and playing smartphone games.

Plan Outside Business Hours

Traveling for business is a very different experience than traveling for pleasure. Significantly – packing requirements will be different, and your schedule will be different. This shouldn’t be an excuse for you to stay in your hotel room. Particularly in large cities, there are plenty of sights to see after business hours. While museums may frequently be closed after 5PM, outdoor sights will likely remain open much later – and be less crowded! Many attractions and tour companies offer passes and tickets at discounted rates in the evenings. There are also musical and theatrical events, even on weeknights.

Tripadvisor and Viator are a great resource for finding interesting things to do prior to your travel. Keep in mind that lots of smaller attractions have active Facebook pages where you can seek additional information from locals or employees. I like to take some notes with operating hours, locations, and prices to bring with me.

Ask a Local, and Keep an Open Mind

Don’t be afraid to ask colleagues, employees, or the hotel concierge for recommendations of local stuff to do or places to eat. People usually love talking about their favorite things! Even if what they suggest isn’t normally your cup of tea, consider giving their recommendations a shot (with reasonable health, security, and safety considerations).

The absolute worst that is likely to happen in 99.5% of cases is you’ll be stuck ordering the plain tomato soup, or you’ll be bored and bemused for a few hours. Conversely, you might have a great time, and discover a new favorite food. Either way, you’ve had a new life experience and you’ve grown as an individual.

Be The Travel Agent

Traveling with a group can be tough – even deciding where to eat can take a while if everybody is polite and introverted. Don’t be afraid to make yourself the travel agent for a day. Once you’ve identified something cool to see or a great place to eat, do a little research and suggest it to your traveling companions, and you’ll probably be surprised how many people were just waiting for somebody else to take the initiative. If you can tell them how you’ll get there and what the entry fees and hours are, all the better!

Have An Escape Plan

It’s important for any introverted traveler to plan reliable places to recombobulate that frequently exist and are similar in any unfamiliar city. Two reasons:

1) When something goes wrong (hotel room not ready, plane delayed, etc), this will give you a place to spend an hour or two and rethink your plans, and

2) When you get fed up with being around the same coworkers or customers, it will  provide you something do to alone.

These places are unique to you and I can’t tell you exactly what yours are going to be. In general, they should:

  • Be open across a broad range of hours.
  • Have a place to sit with free WiFi.
  • Be safely and easily accessible by ride-share, walking, or taxi – even if your phone’s dead.
  • Have reasonably clean public washrooms.
  • Be reasonably secure.
  • Allow you to stay for an hour or two.
  • Have friendly employees or patrons who can give you directions or assistance.
  • Provide you something to do, even if it’s just read a map without disruption.
  • Outlets are a plus.

My personal choices are shopping malls and yoga studios. They exist pretty ubiquitously and it’s easy for a stranger to patronize them without a lot of discussion. They provide me with familiar surroundings and some peace and quiet to think about my next move. Any rideshare driver knows where one is. Some other suggestions that exist in nearly any medium to large town might be:

  • Gyms with drop-in rates.
  • Libraries
  • Coffee shops

Bars are great but I don’t recommend them for this purpose in specific.

Whatever you choose, make sure you have those factors in the back of your mind, and even consider looking up where your choices are on a map before you travel. You’ll have a fallback plan when something goes wrong (or you just need some time to yourself). Don’t spend all of your time there, but use them as needed to recharge.


No amount of Vitamin C in a pouch alone will reliably keep you from getting sick! The facts are simple – you will likely be in a confined space with a few sick people during any flight, class, or conference. The #1 best way to prevent con plague is adequate sleep, healthy meals, and washing your hands regularly with soap and warm water. Bring hand sanitizer, but don’t rely on it exclusively. Try to drink plenty of water and juice to moderate coffee and alcohol.

No Problem is Insurmountable

Everybody makes mistakes while traveling. I’ve been in 7 countries this year and have a go bag, and I still occasionally forget to pack basic stuff. Things are going to go wrong. You’re going to forget something important like deodorant or medication, or it’s going to rain your entire trip, or your luggage is going to get lost. Maybe your wallet will get stolen or misplaced.

Do your best to plan sensibly, but realize plans will sometimes go awry. There are very few places you will travel for an information security job where even these problems will be insurmountable or deadly. There are convenience stores, pharmacies, and Western Unions all over the world. Clothes can be replaced. Replacement credit cards can be overnight-ed to your hotel. Toiletries can be replaced. Cables and adapters can be same day delivered by Amazon. Even money, passports, and mobile phones can be replaced within a day in most places. Consider it a learning experience.

The first thing you must do when something goes massively awry is take a deep breath and think. The second thing you should do is contact the authorities if a crime has been committed. This may be local police, or your country’s consulate, or both. Your employer’s loss prevention, physical security, or travel team will probably be able to assist you with next steps. Your hotel can also provide assistance in many situations you might feel are impossible crises.

You can do this! Keep calm and carry on!

The Infosec of Ready Player One – A Review

A Ready Player One major motion picture directed by Steven Spielberg is scheduled for release in March 2018, resulting in a recent resurgence of popularity of the Ernest Cline cyberpunk novel which serves as its inspiration. So, this seems like as good a time as any for me to briefly revisit the 2011 novel and discuss my personal thoughts on the good, bad, and ugly of its information security content.

Despite an all-star crew (based a bit on extensive online commentary nerd rage from people who read early leaked scripts, but mostly based on the bombastic and wildly diverging contents of the trailer itself), I don’t have particularly high hopes for the movie to express the novel’s techno-philosophical depth in only a couple hours. Nonetheless, I hope to revisit it with the brilliantly apropos MayaofSansar of Linden Labs after release.

Firstly, let me make it abundantly clear that this blog is up to the elbows full of Ready Player One spoilers. If you haven’t read the book and have any desire at all to have the book’s twists and puzzles be a surprise, stop reading here. Really! I highly recommend you pick up a copy of the book. While I have a couple nits to pick with Cline’s character development and my personal interpretation of the plot, it is an iconic cyberpunk novel filled with unfortunately plausible social and technological predictions. It also contains references to pretty much every geek fandom and iconic classic game, ever, in it. Cool beans? Go forth to to and seek victory!


Okay. Now that they’re gone, fellow Gunters – let’s proceed!


IOI’s Infosec Sucks

Let’s first discuss Parzival/Wade’s daring intrusion into the malevolent IOI mega-corporation’s network. As you probably recall, Wade has a limited period of days to abruptly become an (indentured) employee of IOI so he can access their corporate intranet from a terminal inside their offices. Once inside, he uses a series of black market exploits (which he purchases in advance from disgruntled employees) to escalate privileges and access his target sensitive Sixer team servers.

What I found believable:

From the perspective of an author in 2011, insider threats were a pretty timely topic. Wade isn’t the only insider that factors into his successful exfiltration of sensitive data. He purchases sensitive IOI network data and system exploits from the black market before he enters the facility – ostensibly from (reasonably) disgruntled network technicians. None of this is particularly implausible.

We see few specifics of the exploits and back doors that Wade uses in his espionage, but most of his physical and digital measures are “living off the land”-style abuse of sanctioned network and business operations. No malware is involved. This is generally a smart intrusion tactic.

What I found less believable:

1) The entire McGuffin of IOI’s network being effectively airgapped. Obviously, it provides pivotal drama to see Wade trapped inside a hostile, dystopian corporation conducting espionage. Nonetheless, we see evidence throughout the book that it’s simply not possible that IOI’s office systems are even close to disconnected from the internet / OASIS. Aside from fundamental business operations that go along with running a telecommunications company, we see the Sixers regularly logging into the OASIS. We also see Wade take constant external support chats in his assumed employee identity.

Cline falls back to the unfortunately ubiquitous cyberpunk trope of impenetrable firewalls. In reality, firewalls were already a legacy defense when the book was written in 2011 and today they’re evaded through phishing, malvertising, watering holes, and poor engineering far more often than they are directly exploited.

Wade could potentially have avoided his torturous week of indenturement with a well placed phish or some social engineering. That wouldn’t have made a great story, though. 🙂

2) IOI’s network security really sucks, even by 2011 standards. Certainly, Wade’s tactics would work in plenty of environments today, but it’s far less believable that they all work for a week without any detection at a massively powerful global technology corporation storing ultra-sensitive, incriminating data.

Let’s think about all the times Wade’s activity should have been detected by a competent security monitoring team:

  • When he logged into his in-use sleeping quarters computer as a maintenance tech in the middle of the night, with no associated trouble ticket or physical entry.
  • When a privileged account was used from a sleeping quarters computer, regardless of the quality of privilege escalation Wade used to obtain access.
  • When he created new, highly privileged accounts on the IOI network.
  • When he accessed “crown jewel” ultra-sensitive Sixer servers from previously unknown administrative account, via a sleeping quarters computer.
  • When he inserted a removable drive without a known maintenance hardware ID into his sleeping quarters computer.
  • When he conducted a phenomenally massive transfer of sensitive files to a external drive across the network (it’s later equated to the size of the Library of Congress).
  • When he issues a network command for his ankle bracelet to release at night, in a sleeping unit, with no human or secondary check required.

We can actually learn a lot of solid infosec lessons from Wade’s intrusion and it’s consequently one of my favorite parts of the book. However, the premise that these well known attack vectors of 2017 are still not monitored in the most powerful corporation in the world in a technologically advanced 2044 is pretty unbearably dystopian for me. Raise a cheer, pessimistic friends!

Holy Crap! Encryption Backdoors!

Throughout the novel, GSS is presented as a relative bastion of corporate good in opposition to IOI’s faceless corporate greed. Indeed, for much of the novel, co-founder Ogden Morrow acts as a secret guardian for the Five. Morrow finally reveals himself when Art3mis, Parzival, and Aech, and Shoto are in dire straits on the run from IOI hired guns – by materializing as the Great Wizard Og inside Aech’s super-ultra-mega secret encrypted chatroom(!) While there’s some minor protest from the protagonists at this, it’s mostly glazed over in the book as administrative access exclusive to the GSS founders’ accounts, therefore not a concern.

That’s not how any of this works.

If the Og and Anorak (and ultimately Parzival) avatars have exclusive access to privately encrypted chat rooms in the OASIS, that means that there is a functioning crypto backdoor for the OASIS chatroom software. Given IOI’s cutthroat study and exploitation of OASIS software and staff, a backdoor for the server’s encryption and the associated cryptographic weakness would have been a juicy target for Sorrento and his IOI superiors, putting all Gunters at risk. To top that off, Morrow maintained his backdoor access even after leaving GSS – a weakness GSS’s security team might not even be aware of.

Wade’s Anti-Forensics

Zeroizing and melting drives. Not bad, kid.

Finding the Five

At the climax of the novel, Sorrento and his IOI Sixer team track down the Five in real life, to bribe, kidnap, and eventually attempt to kill them as they become increasingly successful in the Hunt for Halliday’s Egg. Let’s spend a little time considering the implications of how each of the Five is located:

Parzival is found because he makes a minor OPSEC mistake long before the contest begins (and he doesn’t draw this connection until it’s far too late). His private school transcripts, including his full home address, were linked to his OASIS account. IOI simply bribes a school adminstrator for the information after a rival student leaks the fact he’s in high school on a public message board. Of course, Wade improves his personal security substantially after this, creating and adopting a fake real-life identity.
Art3mis, Shoto, and Daito are presumably found and profiled a little later through a combination of similar OPSEC failures and their use of IOI subsidiary networks to connect to the OASIS. Services like anonymous VPNs don’t seem to exist in Cline’s 2044.  We might presume that Daito is the first one of them found as IOI operatives successfully murder him in his home during a critical battle.
Aech is the only one of the Five that IOI never successfully gains surveillance on. Helen’s unintentionally brilliant OPSEC includes her consistently faking her real name, race, and gender since childhood, even on school registration and among friends. She also lives in an RV and stays mobile, traveling from city to city. IOI is able to detect her logins on subsidiary wireless access points, but she moves too unpredictably for them to locate.

Once again, we have a portion of Ready Player One where Cline gives us quite a lot of food for thought about privacy and identity online in 2017 and beyond. The issue of internet service providers collecting browsing and location data and associating it us is an extremely relevant one today as debates over digital privacy and net neutrality rage globally. The potential abuse of internet activity data by advertising companies or by rogue employees certainly creates another incentive for privacy measures beyond simple TLS.

In addition, considering our OPSEC as our online personas, and the potential for those personas to be matched to our real life identities through legal or illegal means, is always timely.

The Stunning Lack of Reversing and Exploitation

There have been countless in-game and out-of-game MMORPG competitions in today’s world, with some substantial and coveted prizes and bounties at stake. However, nothing has ever come close in magnitude to the hunt for Halliday’s Egg. Competitive intelligence is real, and it’s not implausible that IOI would hire an entire staff and devote immense resources to winning the billions of dollars on the line.

What struck me as immersion-breaking unbelievable, throughout the book, was how little system exploitation was done in the course of the hunt. Decades of MMORPGs have built a multimillion dollar exploit, bot, and farming industry. There are minor mentions in the novel about GSS’ measures to ban cheating players and the pretty dire real-world consequences of a lifetime ban on citizens. However, with the utterly insane money at stake in the Hunt and the extreme measures that IOI is willing to go to to win, my tactics would have been quite different as a vile and unscrupulous Sorrento. I would have hired an army of reverse engineers to analyze the OASIS code, resources, and databases, searching for unusual locations and items by keyword and statistical anomalies – aided by paid spies at GSS with access to the back-end servers. It’s really pretty difficult to hide an implemented item, character, or environmental elements inside the resources and indexes of a modern game. Simply locating instances of Anorak’s avatar and voice samples would have been invaluable to narrowing the search.

Essentially the only consistent exploitation we see in the game even by the most desperate characters is IOI hacking their local biometric authentication hardware as a means to share biometrically locked characters. The Sixers mostly play by a twisted interpretation of in-game rules.

Since the Sixers are still certainly breaking the EULA of the OASIS, this can’t simply be written off as them wishing to avoid nullification of a victory for cheating. They seem to skip a rather trivial corporate espionage step with their extensive resources, proceeding directly to kidnapping and murder in the real world.

We’re STILL Using Unique One Word Handles in 2040??

No, no we are not. Not unless everybody wants to be named like randomly generated passwords or Sixer IDs.


This was infosec-specific commentary in which I didn’t delve into the abundant online gaming implications of the OASIS multi-world system or the extreme complexity of quest and skill-level balancing between technological, magical, and physical skills. (Or the horrifying implications of professional avatar permadeath.) I’ll leave that blog for my gaming industry pals. I’d love to hear your thoughts and interpretations of Ready Player One and cybersecurity in the comments. Until next time!