Cyber Karpman

Spoiler: A major figure of transactional analysis, this triangle can be played with computers. Passionate players will make for memorable games.

Also called the Drama Triangle, this psychological game was synthesised by psychiatrist Stephen B. Karpman (hence its name) in 1968 from the other psychological games played at that time (the Internet was not yet born, but they still managed to have fun).

In this game, each player has a problem to solve. But they prefer to play rather than solve their problem. To do so, they’ll take one of the following three roles:

In theory, the game can be played with three players but it’s a lot more fun with only two. In this version, one role is empty, which allows one of the players to take it (leaving his previous one). Classic example: noticing that the Saviour did not solve the Victim’s problem, one of the players takes the Persecutor role and reproaches the other for his lack of effectiveness.

Examples of movement, two player game

This role change unsettles the other player, who did not expect the move (which brings bonus points). Fortunately, he can equalize by switching his role for the newly empty one. The game continues as the players dance around the triangle, earning points. We have seen skillful professional players do a double flip by changing their role twice in a single sentence…

In prestigious championships, players are allowed breaks to rest (some games last for years). Scoring becomes a problem and the help of an official is required. It’s only an excuse to get new players on stage and multiply the games.

As you’ll see, this game has been adapted to computers and will let you share playful moments with converted friends, colleagues and cyber-players who are waiting for a game with you.

Cyber security

Perhaps the most obvious field for (ab)using the triangle is computer security. Take this story about hats, where the white hats save you from the black hats. Then add the grey hats, who admit to changing roles, and everything is said…

Paradoxically, black hats make bad players. They’ll deliberately take the persecutor role when attacking computers and apps. But once the exploit is done, they have accomplished their objectives and solved their problems, and the game is over, without scoring any points. That leaves them searching for other players.

In much the same way, cyber criminals don’t play well. Their encryption of files makes them persecutors, forcing their victim to find a saviour. They will be the saviour if the victim pays the ransom. If not, a contractor will take the role. In both cases the game is over and they must find new players.

The first true players are found among bug hunters. The principle looks simple enough: they’ve been promised a reward for any vulnerability they find. But it’s only marketing bullshit, because the client only wants to communicate about his security without spending any resources. When searching for vulnerabilities, bug hunters are persecutors. Once they have found one, they’ll present themselves as saviours, but that does not solve the client’s problem, so the client begins to dance by taking the persecutor role: the vulnerability is out of scope, has already been disclosed, or its score is too low for any reward. The bug hunter is then a victim… Both ask for the help of an official, hence the creation of online platforms.

But the best teams are found among the white hats who have understood that, in order to win, they must regularly change roles. Mimicking American football, we find two squads:

The art of this business is to alternate the squads at the right moment. The red team delivers booster shots to reinforce the dependency on the blue team. It works over the medium term. But in the long run, there’ll be new problems to solve…

Example of a three player game, two allies.

Day after day, chances are the blue team will make a blunder. It’s human and it’s bound to happen, as it did to CrowdStrike, who deployed a bug that made all the computers they were supposed to protect hang. The saviour turned himself into a persecutor.

But a real attack may also succeed. After all, a pirate needs to be lucky only once, whereas the blue team needs to be lucky every time. The contractor cannot admit its fault and will suggest that its red team run an audit to find the causes (read: weaknesses on the victim’s side) and paths for improvement (read: business opportunities for the saviour). Again, the saviour turned himself into a persecutor.

In the end, facing numerous failures, the client may lose confidence in his contractor and look at competitors. One of them will suggest an audit to make an inventory of the assets (read: weaknesses on the previous contractor’s side). The victim turns himself into a persecutor (and the contractor moves from saviour to victim). This bizarre setup doesn’t last long: the client quickly moves back to his victim position and the contractor uses his blue team to save the client. And the ex-contractor looks for another client.

The obvious solution is to internalize the management of one’s own security, but there are traps. Appointing a CISO (Chief Information Security Officer) only internalizes the triangle. It’s an excuse to get a saviour at home, treating the rest of the company as a victim. And the game starts again.

The trap is the same with digital sovereignty. The main idea, regaining control over one’s own computers, is usually perverted into replacing foreign (contr)actors with domestic ones. But the nationality of a contractor doesn’t change the shape of the relationship, which remains a triangle…

The key to getting out of the triangle: everyone must take care of his own security.

As civil computer experts

With nothing to be ashamed of next to the cyber professionals, other good players can be found across the whole computer industry. A client had a problem and found a contractor to take care of it for him.

We have a good base to play from and need only a little help from destiny to start dancing: a failing backup, a network or app that doesn’t work as expected, or a client who does not pay. Lawyers have called on a judge, who entrusts us with making things clearer.

In lots of cases, the parties sincerely seek to understand and take their responsibilities. They need our help to provide an external and neutral point of view. After discussions, reading documents and running some experiments to check hypotheses, the fog lifts enough to find a consensus. The outcome is often amicable and they get along well with each other.

But in other cases, the contractor had to save the client. They have already danced for some time, accumulating little errors until an avalanche buried the project. The parties have lost track of how many points they earned and hope we can restore the score.

Three first moves.

Initially, the client explains his helpless victim position, hoping the contractor will save him. Facing the obvious failure of the task, the client explains the contractor’s fault. The argument is mainly a systematic denigration of the contractor. This persecution is carried out in the hope that it will repair everything.

It’s now the contractor’s turn. He will take the victim spot, left empty by the client. So he will first list all the damage (moral and financial) he suffered. Then he will explain that none of the problems that arose were because of his actions. It was not his fault.

Client’s turn. Continuing to denigrate would only reinforce the contractor’s victim position. So he changes his strategy and takes the saviour position. He’ll then explain all the efforts he made to solve the contractor’s problems. Advance payments, delays, amendments, sharing of resources… he has done everything possible to save the project and his contractor.

At this point in the game, the roles have been exchanged. But the problem remains unsolved and the game must go on. The client, being in the saviour position, has no interest in moving.

Three next moves.

So the contractor takes the lead. In the victim’s position, nothing is his fault, so it must be the client’s fault. How? He did not respect his obligation to cooperate. He didn’t provide the needed equipment and resources, he replied too late, asked for too many changes in the project and did not pay. This is an awful client.

As the contractor did in the first moves, the client then moves into the victim’s position. There were indeed some problems, but none because of his actions. It was not his fault if the resources weren’t available and if it took time to gather information to reply and fix the specifications.

To end the phase, the contractor will then list all the efforts he made to solve the client’s problems: providing his own resources, the numerous reminders and the writing of the (contractual) documentation. Impartially, everything has been tried to save the client.

And they turn around, again and again. Until we send our final report.

Beware of traps. Each time one of them is in the persecutor position and the other in the victim position, they expect the expert to take the saviour side. The aim is not to find the Truth (or a consensus) but to recruit a new player to dance with them.

Enshittification

For amateur lovers of the triangle, lots of platforms have been provided online so they can play wherever an internet connection is available.

We start with some users. They have a problem they don’t want to solve by themselves. So they find an editor ready to save them with his app. The editor doesn’t want to solve his problem but to keep his saviour position, because the points can be changed into euros. The triangle is in place and the players are ready to dance.

But who’s gonna make a move?

  1. The editor may send spam, targeted ads, or limit some features (he’s persecuting the victim). The user will then pay for a subscription, hoping to solve the editor’s problem.
  2. Unsatisfied by the app or the service, the client will denigrate the editor, hoping for a reaction (he’s persecuting). It’ll work only if the users were in the saviour position (paying a subscription needed by the editor). With the saviour position left empty, the editor can move in and save the users.
  3. When it doesn’t work, users have to find a competitor. They’ll first idolize him (especially if he takes care of migrating the users’ data) but they’ll inevitably be disappointed and a new dance will begin.

Some speak about enshittification. First the platforms take care of their users, then of their partners (i.e. advertisers or providers) and then of themselves. The solution would then be to make those platforms neutral and interoperable.

For me, it’s only a triangle dance: platforms are first in the saviour position, then persecutors and then victims. The solution won’t change the shape because it considers the user as helpless, needing a platform to solve his problem.

Let’s take the fediverse as an example. This platform meets all the criteria to be considered a solution to the problem of enshittification. But if you went there hoping to be saved, you’ll reproduce the same dance. You’ll find that the instance is not well managed, the moderators are bad, the software is ugly, along with other defects, bugs and failures that force you to change the instance or the whole app. And you’ll come back disappointed.

If you’ve got a problem with computers, solve it yourself. That’s what we’ve done: we broadcast on our own website, we notify through our own RSS feed and we communicate by email. And we feel a lot better.

Other situations

If you love this game, you’ll find plenty of situations to play. We won’t list them all, but here is a short list if you lack ideas.

Set up a parental control app: Your kids are helpless victims and you need software to save them. Spoiler: it won’t work.

Set up a virtual workplace for schools: Kids, parents and teachers are not able to communicate by themselves and this all-in-one messaging app will help. After a while, everyone is more stressed than before.

Use AI: We’d be too busy (or incompetent) to get good photos or to find answers by ourselves. Fortunately, AI is there to save us.

Use frameworks: Developers and sysops need those abstraction layers that hide the details below. Advantage: we can always stack more layers.

Software supply chain: Companies exploit pieces of software made by volunteers and claim to be offended by bugs. Bonus: npm and composer can automate this dependency.

DoH - DNS over HTTPS: To keep me from being a victim of spies and lying DNS, Firefox chose to redirect all my requests to Cloudflare… bypassing my ad-blocker. I had to set up a specific configuration to block DoH and get control back.

And after?

This triangular frame of reference makes it possible to recognize a lot of toxic situations. When you are facing a software, support or marketing team and you feel awkward (or angry), chances are you are in a disguised triangle. To make sure, just find out who’s in which position.

And if you find yourself in a triangle, the solution is quite simple: take a step back to quit the dance, take a deep breath to regain control and recognise who owns the problem. You’ll then be able to react more efficiently.