Son Of Sun Tzu blog

They keep saying my audience will find me…

26 May 2022

Weeknotes for Wargames, Wizards, and Warriors.

As fifty percent of my readership complained about the breathless bulleted format I’ve been using, which is a very fair point to make, I’m experimenting with different formatting this “week”, although I’ve much less material.

Considering how I create these blogs I should be able to generate an index easily, so it’s trivial for people to see if there’s something of interest each time. ( A newsletter that does this really well is the tl;dr sec newsletter, the format actively encourages picking and choosing the sections relevant to you, I aspire to do the same. )

I worked:

Game-based Exercise Design - Some interesting projects and discussions in my role with Stone Paper Scissors. Research on what skills are required to be part of a Control team for an exercise or megagame, game design ideas and suggestions, as well as participating in future online events.

A recent wargame on NBC. Wargames aren't always about war, we don't always wear suits.

The future of Distance Wargaming - as a member of Wargame Developments I attended an online event on the future of online wargaming. Many worthy points were made and I look forward to seeing a write-up of the outcomes. Whether professional wargaming, as a discipline, can take advantage of the incredible opportunity the current pandemic has provided is another matter though.

I’m writing another article - it should be out in a week or so, more thinking with Indy Neogy on strategies businesses should adopt. I’m trying to complain less about the absence of business strategy and do more about it.

PlaySecure - great submissions to this year's event; I’m looking forward to seeing what comes out of the conference.

Threat modeling but fun - this presentation on threat modeling with a card game was useful to see, especially to see how a relatively simple game immediately improved the outcomes and engagement with a task that would usually be a repetitive trudge through a checklist.

Threat modeling again, and fun again - this OWASP London presentation on threat modeling with an online card game was useful to see as I was double-booked for the live stream timing. Again, a relatively simple format immediately improves the task. As always, grateful to organisations that put their videos online to let us all watch them in our own way at our own speed.

Free solo online training games - I blogged about a few I've seen or tried, and will add more as I discover them. Comments and recommendations welcome.

I consumed:

Moon Knight was enjoyable to the end, but without giving too much away the ending was inconclusive and underwhelming. The logic of what location was what mental representation was lost, and as always with Marvel the focus was on making sequels inevitable rather than possible. I kind of like the way Marvel films have (re?)introduced in or post credits scenes… but can you imagine the end of something like Alien with a foreshadowing of Aliens?

Putting valid points about representation to one side, more diverse heroes are just more interesting.

Owning a gaming console is so 2010 - on the same day that weird input lag with my controller made NVidia’s Geforce Now service unusable, Xbox Cloud Gaming made access to Fortnite free. Fortnite is a relatively silly looter shooter, with its fair share of griefers, and players unable to work together as a team, but fun nonetheless. If you’ve got a reasonable system - any enterprise PC or laptop from the last ten years, or domestic system from maybe the last five should do - do give it a go. It does complain about what I’m using when I join, but it works anyway.

For obtuse game design reasons I finished reading the Haynes Operations Manual of Siege Warfare. A good read, well laid out and presented. I found it particularly interesting to read on the evolution of tactics and counter-tactics, for example castle defenders detecting the besiegers’ attempts to mine under their walls by planting bells on sticks in the ground; or even their metal shields into the soil, and “listening” for the vibrations.

Once an attack was suspected, the defenders would then start mining from the inside of the castle outwards, to meet the miners underground, with all the horrifying underground combat options that implies. If I had one complaint I think Haynes could have made more of their brand, and made this more of a guide for the aspiring Castellan.

Recommended Animation - If you’re a parent who wants something you can enjoy watching with your children - with some peril and “adult issues” but without being too frightening or leading to conversations you’re not ready for - I do recommend Hilda and Owl House. Of course, if like me, you’re not a parent, but just like entertaining stories with well written plot and characterisation, then I recommend them too… with none of that “guilty pleasure” buffoonery either.

Noteworthy just for the demo, which I played most of: Card Shark. Do take a look at this review if you’re considering a game that’s a little different, where success is much more around co-ordination than memory or reactions, and with a real sense of atmosphere.

The art style, and sound design, are particularly noteworthy.

A good take on a bad film - I watched MST3K's treatment of “Killer Fish”. A weirdly awful film where I thought the latest incarnation of MST3K were particularly on form. I’m not sure I could watch the film otherwise, even as an intentionally bad film - maybe I’ve been conditioned by recent cinema, but old films seem so slow. Maybe that’s why they’re suitable for this “riffing” technique; is there space in a modern film for those kinds of interjections?

A better take on a worse film - I watched the last episode in the current series of MST3K on Netflix, “Ator: The Fighting Eagle”. Arguably the best episode so far just as MST3K is coming to an end of this run. Definitely not a film for arachnophobes, with the main villain being appropriately called the Spider Cult. For MST3K the episode order is kind of irrelevant, so if you’re looking to give the idea a try then do pick this… I think it’s a good example of the endearing way they poke fun at a film, and the quality of the movies they watch.

Quite a few spiders, and many, many, thighs.

I forgot to mention last time:

NDMA - I attended a free online conference by the Naturalistic Decision Making Association, very interesting ideas around how to measure, examine, and capture expertise, I’d be interested to hear if any of you have experience, and recommendations or warnings, about this.

How do you aim a whale? - An online gaming session of “Wizzards” quickly descended into a “last wizard standing” conflict. The game is a free form megagame with resource management constraints, based in a fantasy setting, with the main aim being training for game management rather than as an end in itself. The relatively open scenario of the game means the teams can choose whether to work together or separately towards the aim. The scenario implies just one winning team, but the scenario allows for innovation beyond that.

But considering the teams, the shared history of the players, and the magical scenario, this quickly became a competition to out-think our rivals with the spells at our disposal. Can you summon a whale accurately enough to determine where it lands, or who it lands on? Does a dragon summoned underground explode? I genuinely find combining magic with my meager knowledge of physics interesting… which has always been the case, but recently focused by this video by Lindybeige, and rewatching Flight of Dragons.

Flight of Dragons. Delightful.

The most important part of Incident Response might not be technology based - This SASIG webinar on crisis communication and public relations after a cyber security incident was good, the two most noteworthy reasons for me:

  • Firstly, it emphasised how important communications are, and therefore how important it is to plan those communications in advance. This is something I’ve seen illustrated in exercises, where even having a template response that isn’t completely appropriate can get a team started on an emergency communication, whereas staring at a blank document with a clock ticking can freeze a team.
  • Secondly, the presentation emphasised that you should decide in advance how much you and your organisation want to share. There are legal and compliance and ethical questions that your organisation wants to ask itself in calmer times, and ideally you all know your answers in advance with everybody required to have, rather than the best answer available from whoever you could get hold of.

I thought:

Similar to auto-generating an index mentioned above, there should be an easy way to programmatically collect the sporadic thoughts I have had over the previous “week”. But, for now, a manually created list…

  • I’m increasingly interested in business strategy, and especially how successful companies with enough wealth to buy quality advice ( or run Proof of Concepts, or wargame new ideas ) appear to just be doing what everyone else is doing, because everyone else is doing it. The recent NFT based efforts by Ubisoft and Starbucks sprang to mind, and whatever the NFL Rivals game is meant to be, very much the “bomb a hill” analogy from Simon Wardley.

  • Thinking about the curb-cut effect a lot, not only in how we all benefit from interfaces being more accessible, but how the benefit to everyone is a good way to argue for making interfaces more accessible.


  • In game design in general, as well as related to my own project, how to prevent stalling as a tactic.

  • How the interface to new versions of old online services, for example instant messaging such as Signal and WhatsApp, is prettier but worse than similar services decades ago, such as IRC. There’s something in this, if only an article or blog post…

  • It’s an over-simplification of the country’s very complex history, but rather than more traditional interpretations, if you consider the United States as a country established by religious extremists then suddenly the actions of and in America make a lot more sense.

  • Thinking how, as always, cyber security has taken some of the simplest but least useful ideas from military thinking, and ignored the difficult/conceptual but game-changing ideas and experience.

  • I adore the Eurovision Song Contest’s scoring system, and the way it is specifically designed for maximum tension for the longest periods. Similarly I unironically love the pauses by the presenters that were left for so long as to almost be satirical.

I genuinely liked this entry

  • Trying to recall who I know, in some vague way, who essentially has a PhD in Batman.

  • Why aren’t there more organisations like the Library of Mistakes.

  • How useful it can be to determine what something is in order to innovate as to what it could be.

  • How penetration test reports are still the start of a security process, not the end - and how the discipline hasn’t learnt that in the last two decades or so.

  • Is wargaming cheating? Wargaming has a branding problem - is cheating one way to describe it?


My next set of notes will undoubtedly be just before, or just after, the PlaySecure conference next month.

See you there.