Verbose Curmudgeon

explodingdog: My friend Chris has his Bafflers on sale this...

Wed, 17 Apr 2013 20:03:02 -0400

My friend Chris has his Bafflers on sale this week. These are handmade puzzles. I own a few of them and they are wonderful. You should get one for yourself, even if you don’t just go look at them, they are fantastic.

(via http://www.chrisyates.net/store/puzz.html)

#PrayforBoston

Mon, 15 Apr 2013 20:42:23 -0400

Today, families gathered in one of America’s oldest, greatest cities to support their loved ones as they accomplish something incredible, something they’re already had to work very hard to even attempt. For some, it was another run in the city. For others, it was a first.

A marathon is a celebration of life. The legend, of course, is that an Athenian soldier ran all the way from Athens to the allied city-state of Marathon - 26.2 miles - to warn them of an impending invasion. The soldier arrived in time, but collapsed dead after gasping his precious message. To run this kind of distance is no easy feat. To run it competitively is nothing short of amazing. But whether you finish in 2:15 or 5:21, it’s a feat that should be celebrated.

Some of these families will be going home without everyone. Literally unwhole. Their faith and their support has been repaid with senseless bloodshed.

I can’t pretend like today’s events in Boston haven’t affected me pretty deeply, much more so than these things usually do. I can’t help but be incredibly angry about this, because it’s not just people like me that were being targeted — it’s the people whom I love and who support me that were targeted.

Not in Boston, but I’ve been there… Four hours into the race with family waiting by the finish line. Yes, in a very real sense, that could have been me and mine. And that makes me very, very angry.

As I write this, we’ve reached the “no-nothing” phase of news coverage. We aren’t learning anything new, but the incessant review of the carnage and the footage and the footage of the carnage must carry on.

It’s not that I don’t care anymore, it’s that I’m already exhausted. I’d like to know why, but I wish we could continue learning about this horrible affair without giving the perpetrators the attention they do not deserve.

The front door after the break-in a couple weeks back and the...

Sun, 14 Apr 2013 23:28:29 -0400

The front door after the break-in a couple weeks back and the temp repair job. This is what not having a deadbolt gets you.

A Lesson in Home Security

Sun, 14 Apr 2013 20:58:05 -0400

I work in network and application security, so you’d think I’d have my home in order. And when it comes to my digital presence, you’d be right. But my home? Well, let’s just say that’s been a lesson learned…

A couple of weeks ago, my wife and I left work ad the end of the day and arrived home to find our garage door opener wasn’t responding to the remote. While that was puzzling, there’s plenty of plausible explanations for that. Maybe the power was out, or the battery in the remote died… So, we walked up to the front door to let ourselves in the old fashioned way.

The front door had been pried open but left propped mostly closed behind the storm door. It was immediately obvious that we’d been robbed.

As we looked around the house and assessed what had happened, a few things became clear:

The thieves had gone into the garage, pulled the emergency release on the door opened, and used that to get a vehicle in and out to buy themselves more time.
The thieves had a set list of items they were looking for: TVs, computers, guns, gemstones, watches - things they could fence easily. Items not in their list they left alone.
They avoided things with extensive cords or wires. They took a laptop and its power brick, but left a superior desktop sitting immediately besides it. They took the audio receiver and DVD player, but left the speakers.

As we worked with the county sheriff’s office, we learned that the crew that had hit us had also hit at least three other houses in the general area that day — all during broad daylight.

And despite the obvious pain points, we were lucky. All of the stuff taken was just that — stuff. Thanks to the thieves’ selectiveness we didn’t lose anything of sentimental value, nothing that couldn’t be replaced by insurance.

So, I’ve learned an important lesson about home security. I wouldn’t be a good Samaritan if I didn’t share a few tidbits of knowledge…

DINKs are an Easy Target

Dual Income, No Kids. It means you’re pulling in the bank, but you’re not investing it into a mini-you. It also means your house is probably conspicuously vacant during the weekday.

We heard neighbors mention that, prior to the break-in, some folks were going door-to-door to solicit a new lawn care business, but they didn’t have a brochure, a flyer, or a business card. This was probably the casing job, and it would have been easy to identify that no one was at home during regular business hours.

Your Neighbors Aren’t a Theft Deterrent

You can’t count on your neighbors to provide an ambient deterrent. There’s way too many situations where they just won’t be there to see something happening at your house. My most reliably nosy neighbor was away on errands (though, to hear her tell it, she is terrified for her personal safety because she’s at home all day). Besides, it’s not you can expect them to be glued to their windows, watching your house. Even if they do, will they realize there’s a theft in progress? Will they react in a timely fashion?

Get A Monitored Security System

You aren’t home, your neighbors aren’t watching your house… so do something! Get yourself a monitored security system.

First place I looked was the ever-ubiquitous ADT, but after quite a lot of research, I settled on SimpliSafe. For just $25/month, I get the top tier of their monitoring service. That gets me all the remote access I want, a smartphone app, and a number of other really nice features. That’s $10 cheaper than ADT’s least expensive and least featured option. True, I didn’t get a $100 install deal. It was quite a bit more up front and it was self-install. Personally, I prefer that to yet another stranger sussing out the soft spots in my home’s security.

The install price pays for itself in time anyway. Having a monitored system gets me a $28/month discount on my homeowner’s insurance, and I haven’t even added fire sensors yet. Once I do, that discount increases. At that rate, the installation will be paid for inside of two years’ time.

Once you’ve got it installed, train yourself to use it. I’ve got a reminder on my iPhone to arm the system set to trigger whenever I leave.

Deadbolts Really Are A Must

I’d always wondered a little bit how much of a difference deadbolts would make. Turns out, it makes all the difference. The thieves went through our front door in seconds with a crowbar because there was no real reinforcement there that would stand up to that kind of force.

The seeds of theft, both digital and physical, are usually the identification of weak points. At work, I’ll call it low hanging fruit. Unless there’s strong motivation to target a specific someone, thieves don’t want to have to work hard. If a target is difficult to rob, they won’t.

Having a deadbolt in each of your entryways make your house a high-hanging fruit.

gearpatrol: The Balvenie 50 Year Old. So exclusive that even...

Wed, 06 Feb 2013 18:30:39 -0500

gearpatrol:

The Balvenie 50 Year Old. So exclusive that even the master brewer it’s in honor of doesn’t get a bottle.

I can’t even fathom the attrition from the angel’s share on a 50 year whiskey!

kickstarter: Lonesome highway.Great news from the gaming world...

Mon, 07 Jan 2013 18:26:37 -0500

kickstarter:

Lonesome highway.
Great news from the gaming world this morning: Kentucky Route Zero, our favorite magical-realist adventure game about a secret highway in Kentucky and its mysterious travelers, is finally available to play. Check out Act 1 here.

Act 1 of 5 is now out for Windows and Mac. I’m intrigued by this, but I’ll be holding out for the Linux version (promised “soon”) before I move on this. If you’re bold enough to give this point-and-click a spin, be sure to share your impressions with me!

Skyfall - Think On Your (Technology) Sins

Tue, 27 Nov 2012 18:24:31 -0500

Notice: This post contains mild spoilers, but it’s nothing you can’t gather from the trailer.

The fact that Skyfall is in theatres right now is pretty impressive, considering that MGM died and came back to life just to bring us more Craig-Bond. Still, it’s a pretty good movie. Except for how it deals with technology.

Given the day and age we live in, it’s hard to ignore technology in modern movie plots. This makes it all the more bewildering that so few writers manage to do it well. Much, much more commonly they do a terrible job with it. Skyfall is a perfect example.

Here’s a rundown of the top ten things that went wrong with technology in Skyfall’s script.

1.) IP Tracing Backwards

At one point early on, the folks at MI6 have the opportunity to trace a computer attack in progress. They run through it like a phone trace. The attack is coming from the UK, specifically London. Gasp! The attack is coming from inside MI6!

Here’s the problem: that fact would have been immediately obvious. There are only three ranges of IP space reserved for private networks, whether it’s your home wifi or a first-world intelligence agency. If the attack had originated from inside the private network, they would be able to identify the asset it came from instantly.

Egregiousness factor: Minimal. They arrived at the same conclusion with a bit more pizzaz. Something happens that precludes the next phase of the investigation (who’s connected to that asset as a relay point?) on-screen, but in the real world this investigation would have continued into containment and then prevention.

2.) Don’t Click Shit!

Later, M receives another fun little message from the hacker-sauce villain. The theme of the message follows on one that punctuates the scene I described above, which was a personalized multimedia presentation designed to her to incite a response. This time, the message includes a link.

Naturally, M clicks it.

Oh, it’s only a link to an online video; that’s lucky! Granted, the attacker already has enough control over M’s system to steal focus on an active console session. It’s unlikely he would actually need human interaction to do further harm on that system (or, following on the previous scene, that network). Still…

Egregiousness factor: Irritating, but plausible. As the head of an organization that certainly traffics independently in information and security, this kind of thick-headed ignorance to information security is shocking. Has she neither the training nor the sense that clicking on an obvious hacker payload is a terrible idea? Why was the IT department not her first phone call after clicking it?

3.) Let’s Plug It In, I’m Sure It’s Safe!

At one point, the villain is captured and brought to MI6’s headquarters. They do the sensible thing with his meatworks — they put him into a holding cell where his captors have access to him to interrogate, but he does not access to anything outside of the cell. That’s how holding cells work, generally.

Meanwhile, they are far less sensible about his laptop. They plug it into the network to explore its contents. Not an isolated DMZ for untrusted or possibly malicious assets. A trusted network! With access to important subsystems, like the controls to the physical holding cell.

Predictably, things do not go well for MI6.

Egregiousness factor: Idiotic. Q is not a genius.

4.) It Takes Two

The aforementioned laptop has not one, but two ethernet interfaces. It’s a really, really beefy machine. I bet one is for all the packets in and the other is for the packets out. Computers work like that, right?

Egregiousness factor: No. Computers do not work like that. Not without unnecessarily a very convoluted environment-specific configuration, but this does not and should not convey that the machine is any more super. It just makes #3 twice as dumb.

5.) Jargonizing

On the heels of the scene I described in #3, there’s a frantic hacking scene. The good guys are trying to unravel the loot from the villain’s laptop. Technical terms are flying back and forth, regardless of whether it fits or not. The screen is a mess of nonsense visualization, mostly just to try (and mostly fail) to represent how hard this is.

I’ll dig into some of the finer points of awfulness, but this scene is a classic example of throwing as much jargon as the writers could find at the script and hoping beyond hope that something sticks.

Egregiousness factor: This is slightly less bad than the horrifying programming/hacking sequence of Swordfish.

6.) Polymorphic Encryption

One of the more irritating examples of nonsense jargon to come out of #5 was the following utterance from Q: “He’s using a polymorphic encryption algorithm. It keeps changing!”

Let me be clear. This is not a thing. This doesn’t even make sense.

Whether you’re using symmetric or asymmetric encryption, the point is that the key will decrypt the cipher text. That key doesn’t change. If there’s an active system re-encrypting the cipher, it’s still using the same key pair in the end, so you haven’t changed that the same key unlocks it all in the end. If you’re worried about the integrity of the cipher text itself without the presence of the key, your algorithm isn’t very good — it doesn’t matter if you keep changing it with a derivative key.

Egregiousness factor: High. This is entirely unnecessary. If I start talking about ACTUAL ENCRYPTION THAT REALLY EXISTS, I will make most people zone out within minutes. You don’t have to invent bullshit to tech-impress the audience.

7.) Gibberish != Hexadecimal

During the same hacking sequence I described in #5, Bond’s contribution is to identify non-hexadecimal pairs of characters in a block of what is otherwise clearly a hexadecimal block. This isn’t a great observation - these couplets are literally in a different color on screen.

Egregiousness factor: This is utter nonsense. The stuff you’re putting on screen, it’s either hexadecimal or it’s not. Anything that isn’t 0-9 or A-F is not hexadecimal. Make up your mind. This was not a clue, it was stupid.

8.) An Ultimately Weak Lock

Those non-hexadecimal characters I mentioned in #7 quickly anagram out to form a word, a name. “Try that as a password,” Bond suggests. It works. The tangled knot of nodes and edges quickly unscrambles into the protected data.

Egregiousness factor: My brain is exploding because of the bullshit.

Given how they pointed out in #6 that the bad guy is using mythical encryption functions to protect his data, you would expect the key to rival the effort he’s put into protecting his data.

No, that might make sense. Instead he’s using a password. A case-insensitive password of a single character class and about 10 characters. A password that is barely better than “password”. A password he left lying around in his data on the device.

The more believable setup to this whole moronic scenario would be if he’d written the password on a post-it on the bottom of the laptop. Oh, I forgot; he’s a spy. Maybe put the post-it in a secret compartment.

9.) Radio is Awesome Technology

Skyfall has no hesitation expressing its love for radio. This might be touching, if they spent any amount of time thinking about how radio works (or at least how it doesn’t work).

First is the tracking transmitter Bond if given by Q early on in the film. It’s one of the only two “gadgets,” if you can indeed call them that, that he’s given. It’s not a GPS tracker — that point is made amply clear through dialog from multiple characters.

The thing is the size of a keychain, which means it’s powered by a watch battery. Let’s go nuts and assume it’s powered by two watch batteries. That’s not enough power to transmit a signal from a remote area of China to one listening stations where MI6 could receive it, let alone the three it would take to triangulate a signal.

Later on, Bond finds himself chasing our super villain through Underground tunnels. Meanwhile, back at MI6, a little icon labeled “Bond” zips through a 3D map of the tunnels. How is he being tracked? Presumably it’s the same radio transmitter. But it turns out radio waves don’t travel all that effectively through rock — there are physical limits to how radio travels through dense material like rock and concrete. So, apparently I was wrong before: that transmitter is powered by magic.

Egregiousness factor: Forgivable. If this were the worst of the movie’s offenses against science, it would hardly be worth mentioning. I bring it up largely because the script goes out of its way to applaud low tech, even while abusing it as thoroughly as it does high tech.

10.) “There’s only 6 people in the world who could code this.”

No. You’re wrong, Q. This statement is foolish and you’re an egotistical ass.

It might be true (though a stretch) that only a handful of people in the world could originally come up with a programming trick, but once it’s been done it can be replicated. Despite everything Hollywood has tried to convince you of, the world has no shortage of very smart people who are very good at expanding good ideas if not cooking them up on their own. In fact, there’s entire sub-industries within IT of them.

Pro tip: almost none of the aforementioned very smart people work for governments during peace time because the pay is dirt.

Round up

Skyfall may be the least Bond-like Bond film I’ve seen. With Daniel Craig in the suit, MGM has been reaching for a grittier Bond. They’ve added a few dashes of John McClaine in the mix. I would say this experiment has been a mixed bag but is mostly successful. It’s with disappointment (and a fair amount of catharsis) that I write this post because I want to see Hollywood do tech well and even when it’s doing other things right, so much goes awry with the wrong consultants on the job. So, Hollywood! Bubbe! Give me a call next time, alright?

surplus-mag: Target Joffrey Poster People who don’t watch Game...

Mon, 15 Oct 2012 19:14:38 -0400

surplus-mag:

Target Joffrey Poster

People who don’t watch Game of Thrones … you’re probably confused and please excuse us for a second as we nerd out about HBO’s hit show. People who do watch… target practice.

Drop the price to $2 per target (same as other novelty targets) and I’ll take a dozen.

I decided to give lock picking a spin at DerbyCon. I bought a...

Sun, 07 Oct 2012 15:59:00 -0400

I decided to give lock picking a spin at DerbyCon. I bought a basic set of picks from the Fraternal Order of Locksport (FOOLS) crew and sat down to begin my first attempts at picking a padlock.

It turns out the Master Lock No. 4 laminated locks are ridiculously easy to pick — I was able to tackle those as a complete novice in a matter of minutes. The Master Lock No. 3 proved more of a challenge. I was able to defeat the lock just once before the end of the conference, and only then after a half hour of trying and some pointers from a more experienced lock picker. When I got home, I bought a No. 3 to continue practicing.

As you can see from the video here, I’ve gotten pretty handy with it. I can pretty reliably pop this padlock in a matter of seconds anymore. I’m looking to progress onto some more difficult locks; perhaps a 5- or 6-pin cylinder before attempting something with security pins? Any suggestions on what locks to look for next?

NIST Gives Keccak Function SHA-3 Designation

Wed, 03 Oct 2012 11:11:51 -0400

Last night, NIST announced the winner of the SHA-3 competition that began back in 2007. The algorithm being standardized is the Keccak (pronounced “catch-ack”). The function was designed by programmers from Belgium and Italy, most notably Joan Daemen who co-designed the Rijndael cipher we’ve come to know as AES. Keccak is not derrived from SHA-2. The advantage here is that any future attack on SHA-2 does not extend into an attack - hypothetical or manifested - on SHA-3.

The thing to keep in mind when considering this news is that SHA-3 is neither replacing a broken algorithm nor providing a one-stop-shop for protecting sensitive data. If we’ve learned just one thing since the advent of the GPU, it should be that hashing functions are deterministic unidirectional compression functions and not what we should think of as encryption. These things are so fast that use of a hashing function to protect your data is undone simply by exhaustively compressing comparison messages until we’ve found a matching hash.

Why am I on a soap box about it? Two reasons.

First, I’m already seeing people eager about “upgrading” existing security functions that currently employ SHA-2 to SHA-3. This is nonsense; SHA-3 is not quantifiably more secure than SHA-2. Please don’t do this. It’s a waste of your time and your employer’s money.

Second - and more troubling - I’ve seen some folks excited about “upgrading” from bcrypt to SHA-3. This isn’t nonsense, it’s absurd. An algorithm like bcrypt is valueable and useful for applications like salted password storage because it is a memory-hard key derivation function. It is slow and when it comes to storing passwords, slow is secure. To the person who already knows the password, an evaluation of a few thousand milliseconds is less than a hiccup. But it renders that mode of attack wildly impractical for someone who wants to brute force your stolen password hash. The Keccak function does not compare to this; if you eschew something int he bcrypt/scrypt/PBKDF2 family for simple SHA-3, you’re regressing back into GPU-assailable territory.

The round-about point I’m making here is that the NIST announcement does not radically change the landscape. If this news has you thinking about radical change in your software already, you’ve probably not got your feet planted firmly on the ground. Best to consider SHA-3 an option to, but not a replacement for SHA-2.

Postscript: Please tell me you’re not still using SHA-1. Please, please tell me you’re not still using SHA-0 or MD5.

DerbyCon Take-Aways: CookieCadger

Tue, 02 Oct 2012 15:58:06 -0400

A security conference is usually a pretty good time and place to drop some new software (or the occasional 0-day) on the world and this year’s DerbyCon in Louisville, KY was no disappointment. Over the next few days, I’ll cover some of the new shinies that saw their first dawn at the conference as well as some of my general take-aways and talking points.

First up is a nifty piece of software called CookieCadger. Drawing its name from the verb to cadge - meaning to obtain by imposing on another’s generosity - CookieCadger is a spiritual successor to FireSheep.

FireSheep is a security toy released as a Firefox extension back in 2010 to demonstrate the need for SSL channels at the social networking sites that have become the backbone of our daily web consumption. It implemented a session impersonation attack by lifting session identifiers from cookies being transmitted over unencrypted web traffic. The project caught the attention of the intended parties, HTTPS traffic was enabled for the big players, and FireSheep drifted into the obscurity of vaporware.

Two years later, enter CookieCadger. Started by as a Iowa State graduate project by Matthew Sullivan, CookieCadger expands on the legacy of FireSheep and builds a considerably more robust toolkit from the same concept.

An attacker runs the software (written in Java, so it’s cross-platform from day one) on one or more network interfaces, presumably on older wireless or unswitched wired networks. For instance let’s say he’s in the corner of Joe’s Coffee Shack, a local draw known for its free wifi and open mic nights. All around him people are conducting web traffic happily over port 80, blissfully unaware or unconcerned with the truth that their data is literally flying through the air. The attacker’s machine is sniffing this traffic and extracting vulnerable session data from a packet capture. He doesn’t even need to be sniffing traffic live — he can load in a pcap file to do it, so don’t think you’re safe just because your traffic’s running through switched hardware.

CookieCadger comes with a few pre-built modules for convenience. If you’re foolish enough not to be using Facebook over HTTPS, he’ll see that pop up in a convenient frame of identified sessions. With a quick double-click, CookieCadger launches your Facebook session in his browser window. Total access. There’s a WordPress adapter as well; log into any WP install on an unsecured channel, he’ll see that session. Maybe he’ll use your privileged account to create another for himself to come back to later. It’s easy to build your own adapters for session identification, extraction, and impersonation; just write three methods in JavaScript to tailor it to the target of your choosing and you’re done.

As a blue team member, I’ve already started to come up with some practical applications for this application. The most obvious is to use it for your company’s web applications to verify whether you’re leaving yourselves vulnerable to this exact method of exploitation. I can also see this being used in layperson presentations to demonstrate what SSL encryption is, why it’s important, and what can happen if you believe it doesn’t matter to you.

CookieCadger is not free, but it’s a very modest $10 and that money goes direct to Hackers for Charity. I’ve already got my copy and I’ve been tinkering around with this at home. I recommend checking it out. The source code will be released in the near future (supposedly mid-October) after undergoing a post-hackfest code cleanup.

Check out Matthew Sullivan’s slides for the presentation here.

olympicfashion: Archery London 1908 - Archery London...

Tue, 18 Sep 2012 15:59:38 -0400

olympicfashion:

Archery London 1908 - Archery London 2012

Archery makes looking frumpy look cool.

surplus-mag: Math Club Tee Nothing goes together quite like a...

Mon, 17 Sep 2012 16:01:09 -0400

surplus-mag:

Math Club Tee

Nothing goes together quite like a dangerous motorcycle club and the quadratic equation. Embrace both with this tee.

Surplus Mag tapped into my brain this week. I need this shirt to wear when I’m working on my cryptography homework, because that’s how I feel.

surplus-mag: TAG Heuer Carrera 1887 “SpaceX” Watch Omega and...

Sun, 16 Sep 2012 16:00:06 -0400

surplus-mag:

TAG Heuer Carrera 1887 “SpaceX” Watch

Omega and NASA have always had a long lasting relationship and now another luxury watch manufacturer is getting in the space game. This TAG Heuer Carrera 1887 features the SpaceX logo and both the Falcon 9 launch rocket and Dragon spacecraft - two of their most notable projects.

For those unaware of what SpaceX is, it’s a space transportation company founded by Elon Musk - the genius behind PayPal and Tesla Motors. The guy is basically a real life Tony Stark. Don’t be surprised if he starts fighting off super villains in near future.

I don’t commonly like chronograph-style watches because they violate every principle of simplicity ever uttered. This watch, however, peaks in epic territory on multiple levels. It’s an incredible stylish, understated chronograph that isn’t brazen with its window dressing. It commemorates one of the more important initiatives in modern space travel as well.

surplus-mag: Vintage Wooden Arrows These cool hand painted...

Sat, 15 Sep 2012 15:58:33 -0400

surplus-mag:

Vintage Wooden Arrows

These cool hand painted arrows feature real feathers and blunt metal tips. Hawkeye, Robin Hood, Legolas and the editors here at Surplus all certify the craftsmanship.

surplus-mag: Game of Thrones, Rebranded The super talented Nike...

Sat, 01 Sep 2012 09:12:15 -0400

surplus-mag:

Game of Thrones, Rebranded

The super talented Nike designer and Game of Thrones obsessive Darrin Crescenzi put together this rebranding project and poster for HBO’s latest small screen hit. Something tells us even King Joffrey would approve.

This poster would be a classy addition to your geek den. I thought about it, but I’m already pretty short on wall space. Do what I could not: put this cool on your wall.

"I still have two children. I need to take care of them. To hate [Breivik], it takes all your energy...."

Sun, 26 Aug 2012 10:59:18 -0400

“I still have two children. I need to take care of them. To hate [Breivik], it takes all your energy. From day one, he’s been a zero to me.”

- Freddy Lie, father of Elizabeth Lie who was slain in Anders Breivik’s assault on Utøya island. Quote from GQ’s “Is He Coming? Is He? Oh God, I Think He Is?” by Sean Flynn in the August 2012 issue.

Breivik was recently ruled sane by the Norwegian court and given the maximum sentence of 21 years for the attack that left 77 dead.

gearpatrol: Mr. Armstrong (the real Mr. Armstrong). No one will...

Sat, 25 Aug 2012 16:25:02 -0400

gearpatrol:

Mr. Armstrong (the real Mr. Armstrong). No one will ever have a better, more astronomically badass, profile photo. RIP.

It is our responsibility to keep the legacy of space travel alive. Curiosity needs to he just the beginning of the journey, not the end.

Rest in peace, Commander Armstrong. We owe you a debt our imaginations might never repay.

GenCon Replay - Fortune & Glory: The Cliffhanger Game

Thu, 23 Aug 2012 15:54:23 -0400

A good chunk of my time in the exhibition hall at GenCon was spent at the Flying Frog Productions booth. I fell in love with their games at GenCon 2011 and wanted to come back and drink deep of their geeky elixir this year.

FFP’s games seem like they start with a theme and grow from there. Last Night on Earth is the quintessential zombie title (and among the best of them to boot); Invasion from Outer Space hits the classic B-movie martian invasion theme; Touch of Evil covers the colonial supernatural thriller genre; and most recently Fortune & Glory tackles the globe-trotting, Nazi-fighting buried treasure seeker (a la Indiana Jones) trope head on.

Of all of FFP’s games, F&G probably has the most pieces. It’s the most intimidating looking at a distance and certainly has the heftiest price tag ($100 versus $60 for other base games). From the very start, however, you know you’re getting a lot of game. All of Flying Frog’s premier titles feature multiple scenarios and/or modes of play. In particular, Fortune and Glory is playable competitively, cooperatively, or even solitaire.

Full disclosure: Matt and I really wanted to demo this game at Gen Con last year, but missed the opportunity. We sprang at it this year.

Sitting down, we chose our characters for the game. I opted for Duke Dudley, a British nobleman whose wealth and patriotism were his unique advantages. (This decision may have been influenced by the fact that the photo model for the Duke was literally standing over my shoulder at the time.) Matt chose Doctor Zhukov, a mad Russian scientist whose scientific mind gave him other advantages. As with most FFP games, each character gets different dice-related properties as well asspecial abilities.

With all players’ characters chosen, the treasures of the game were revealed. For each of four colored markers, a treasure (“The Glove”) and an adventure (“Of Zeus”) are selected from different decks of cards and then combined. A location card places it randomly on the world map. This was a demo of the competitive mode of play, so the goal was the be the first player to amass a fortune of eight gold (foreshortened for brevity) and return to their home city claimed the day.

When the dice started rolling, the players were off after the titular fortune and glory. The world map is divided up into regional spaces; each space is one movement, as well as each section of ocean or city. Within the first turn, most players had made it to the location of one of the game’s hidden hidden treasures. Others, like yours truly, got stuck in Wales and ambushed by generic thugs.

Each adventure specifies a number of dangers. That’s a measure of the challenges a player must face before they can claim the treasure for their own. A danger card is flipped from a deck. It specifies a type of challenge - such as lore, agility, or cunning - a success threshold, and a required number of successes. Each player’s character card has a corresponding number of dice. That number of dice are rolled and the rolls that meet or exceed the threshold count towards their passing the challenge. If the challenge is met, the player earns glory points which are used as a secondary currency and may opt to continue towards the treasure or camp until later. If the challenge is failed, a cliffhanger ensues.

A cliffhanger is the logical escalation of a danger not triumphed. If you fail to meet the agility test of a daring airplane chase, you’ll flip the card and find yourself trying to escape a flaming wreck on a mountainside, having surrendered all the glory you amassed this turn. Pass this last-ditch effort and you’ll earn the danger token, get some consolation glory, and get to rest until the next turn. Fail, and you’ll sustain wounds that move you closer to ultimate defeat.

If you should succeed in passing all the dangers before the treasure, you take it and need to bring it to a city to fence. Bigger cities mean a bigger take. Drag your feet getting to safety and another adventurer might separate you from your treasure.

Enter a city, and you’ll need to flip a city card from another deck. This randomizes your trip into the city and ensures your run to ground might not be so run-of-the-mill. You might score some extra gear to help you out in the field, or you might bump into some Nazis.

Did I mention the Nazis? I should have. There are Nazis. They have a zeppelin, which is the universal symbol for intrigue, adventure, and Nazi shenanigans. At the end of every turn, a location card is revealed and a movement roll made. The zeppelin moves that many spaces along the shortest path to the indicated locale. If it reaches the location, it drops Nazi tokens on the field that will further complicate your quest. It’s not all gloom and doom aboard the Nazi airship, however. Each turn, the Third Reich is collecting lost gold of its own on the ship; should you be so daring and lucky as to sneak past the guards while in the same map space, you can steal the Nazi’s loot!

F&G is yet another quality product from a fantastic company. One thing I really respect about these guys is that every year, it’s the guys who are in the photo shoots for the game doing the demos and working the retail counter. They’re more than happy to sign a photo for you.

As for my demo, the Duke didn’t come out on top. A failed race for an artifact in Western Europe kept me busy while a flyboy out of San Francisco got lucky and dug up an artifact worth his requisite 8 gold in his back yard. Maybe next time…

Jojo the Bear versus Zard beast. Advantage: Jojo. Invasion from...

Sat, 18 Aug 2012 11:08:00 -0400

Jojo the Bear versus Zard beast. Advantage: Jojo. Invasion from Outer Space by @FFPGames. #GenCon (Taken with Instagram at GenCon 2012)