Systems of Magic, and a request

[rising_moon]

Recently I've read a few excellent fantasy novels which were written around believable, consistent, and reasonable systems of magic. Believable magic is one of the elements that will sell me on a writer. I've enjoyed The Abhorsen Trilogy, by Garth Nix, and, most recently, The Name of the Wind, by Patrick Rothfuss.

I've learned that Brandon Sanderson, who wrote this essay on systems of magic, is going to finish Robert Jordan's 12th and final novel of the Wheel of Time series. Depending on my Lady's response to his work, I might take up the first one. :)

Unrelatedly (maybe): can any of you recommend a good history (articles, blogs, anything) of technical approaches to affixing Identity? That is, assuring that individuals are who they say they are? I'm making a study of transaction psychology -- financial services inclined but not fixed -- and would love some background data on approaches to identity assurance. Thanks!

Comments

[hissilliness.livejournal.com]

I started out quite disliking Sanderson's essay. Eventually I had to admit that this is just because I'm an opposing partisan. His taxonomy, on consideration, strikes me as sound, but my tastes run in the other direction. Over-explicated magical systems (like WoT) end up reading to me like RPG sourcebooks with some characters stuck in for color. I'd much rather read something like Susanna Clark, which, over and over, gave me the shivery sense that is so much of what I come to fantasy for.

[rising-moon.livejournal.com]

this is just because I'm an opposing partisan

And this is one of the reasons I love your commentary! :D

Your review of Last Call described the chief fallout from the Rules hangup: half a book's worth of Law, then half a book's worth of the writer shoehorning the plot into the Law.

Then there's China Mieville, whom you know I adore, who simply makes shit up as he goes along, and you realize that his rules are beside the point.

Susanna Clark, eh? Where should I start?

[hissilliness.livejournal.com]

Clark has two books out. Jonathan Strange & Mr. Norrell is her novel, and The Ladies of Grace Adieu is short stories set in the same world.

[dilletante.livejournal.com]

huh, in general i find tim powers does a good job of preserving a sense of wonder with his rules-- i can't always predict what's going to work for his characters but usually it feels like it fits with the rest of the magic in retrospect.

[dilletante.livejournal.com]

i went into the essay with your comments in mind, but had trouble figuring out what viewpoint he presents that one could be partisan about. :) but i guess that's because i just read the essay as being about the taxonomy and especially about his rule of thumb (you can only use magic to solve problems to the extent that the readers understand how magic works). do you disagree with his rule of thumb? (i think it's an excellent one).

i find myself thinking about it in terms of mystery novels: you can totally end your mystery with "oh, it turned out the butler had an evil twin, ha ha" but some readers will feel cheated. similarly, coming up with a new magic rule that solves everything strikes me the same way.

[hissilliness.livejournal.com]

Samuel Delany suggests in a couple places that whenever we set up ostensably equal dichotomies, there's always an implicit hierarchy.

The only people I ever hear talk about Hard vs Soft SF are people who love the former, and usually show a bit of contempt for the latter. Sanderson goes out of his way to assert that he believes both the approaches he describes to be equally valid, but, to be blunt, I don't believe him.

I do think his proposed rule is worth musing on, I think it is nowhere near as hard-and-fast as he asserts. Exhibit A here would once again be Jonathan Strange, which is way to the Soft end if I understand the essay at all, and does not fall neatly into the problems-sloved-with-magic/problems-solved-not-with-magic dichotomy.

More generally, yeah, if you're setting up a puzzle game like a mystery novel, explicit rules are necessary. Not all fantasy novels are, or should be, puzzle games.

My New Theory

[hissilliness.livejournal.com]

This has just popped into my head, I need to mull it a bit more before I'm convinced I believe it:

the how-not-to-do-it examples in your and Sanderson's descriptions have two salient qualities: arbitrariness and effortlessness. The former, I think, is a matter of tone more than anything else. Magic needs to feel consistent, it does not need to necessarily be consistent.

The deus-ex-machina climaxes that Sanderson warns against are really more about that effortlessness. An example: in WoT, which, as I said, is generally too Hard for my tastes, there's a wicked important climactic bit where the main protaganist attempts a massive alteration of the very nature of magic itself. It is a very Soft moment--there had been no prior indication that human effort could produce any such effect.

However, Jordan emphasizes what a huge amount of work, skill, suffering, and risk it requires, and that's what makes it not feel like a cheat.

Conclusion: magic has to cost somehow. I suspect that this is why so much of the magic in Harry Potter felt flat to me--Rowling made so much of it costless & effortless.

[shadowswords.livejournal.com]

assuring that individuals are who they say they are

I believe this (http://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you're_a_dog) is the definitive starting point for any such an endeavor. Maybe to the point of cliché by now, but hey, it does have a couple of references that might be useful.

[rising-moon.livejournal.com]

Heh. That's part of what I'm looking at: if the Internet doesn't know, how does my bank? Or the credit card company? Or my online documentation storage system?

Wau! Wau!

[goldsquare.livejournal.com]

The issue breaks into three parts: Identity, Authentication and Authorization.

Generally speaking, people tend to confuse or conflate Identity and Authentication, but that is not necessary. Consider LJ - you might grant some people certain rights to read your blog because of what they write, say or do - but never know their real name and identity. You Authorize them via a Friends list.

Meanwhile, when they log in, they Authenticate their credential to LJ (or, since LJ accepts other ID servers and their authentication, maybe to someone else).

I cannot recall where I first read about these issues, I can do a little digging. For interesting browsing, you might look at some of the articles in Wired (and other places) by Bruce Schneier, CTO of Countepane. You might also ask patsmor or look at the links in her blog. I have not done so, but since she is an expert in Internet Security and Privacy, I am sure she can give you references on the topic. (She is also a close friend of cvirtue as well as myself - and an SCA person of excellent repute and good cooking skills. Amongst many other terrific features.)

[rising-moon.livejournal.com]

This is an excellent taxonomy of the topic, thank you. Authentication is the wing that I'm concerned about -- that is, Authentication of Your Identity, e.g., "what you know" and "what you are", and how certainty and ease-of-use impact your device interaction.

Yeh, I'm a big Schneier fan. :)

Thank you for the pointer to patsmor! I'll go poke at her info page and introduce myself.

[goldsquare.livejournal.com]

To brief the topic briefly, one authenticates in one of two ways. One other proffers evidence of a shared secret, or each party proffers secrets.

The secrets are broken down into "what I have, what I am, what I know". An example of each is: a token that generates large numbers over a period of time -or- a fingerprint -or- a password". Highly secure systems use two or even three of those, and often use rotating systems of information, or variable challenges.

When passing the secrets back and forth, every single step of the way must be secure, or in the end the security is worthless. That means not just careful transmission, but careful handling. For example, some old software used to accept a password, and store it clearly, in memory. Users that wanted to break into the system could search used memory, or unauthorized memory or disks for patterns that contained those passwords.

Some of the more sophisticated systems use leased access concepts - where access is temporary, and must be periodically renewed automatically. (Kerberos was one such system, developed at MIT. The Jini software project used leases for everything, including access, and was developed at SUN Microsystems.)

One can proxy authentication to another system - meaning that the two systems can authenticate each other in a complex way, and then the proxying system will trust the other to do the work.

There are two major threats to authentication, although there are countless more. One is compromise of a secret, and the other is to play a "man in the middle" and somehow capture all traffic. Means of losing secrets are legion.

I hope this lecture is helpful. If not, please chalk it up to good intentions. :-)

[lanome.livejournal.com]

I actually find that it's not the believability of the magic but whether or not it plays a roll as an excuse (i.e. *poof* things suddenly work out because of magic) that sells me on a writer. Magic is nice and all, but if it takes away from character development, I'll take a pass.

[rising-moon.livejournal.com]

That makes sense. I rather like my magic to be integrated in the course of life, like gently blowing across the fingers to light candles (Sandra Bullock in Practical Magic), rather than the Really Big Hammer.

[herooftheage.livejournal.com]

I think I fell in love with Barbara Hambly's work early on, when she described what has to be the most sensible way I've ever heard of for killing dragons: poisoned harpoons at the limits of what mechanical advantage can chuck them. None of this wading in with sword or lance nonsense.

[rising-moon.livejournal.com]

Barbara Hambly! She sounds like my kind of fantasy writer. Which of her books would you recommend that I pick up first?

[herooftheage.livejournal.com]

I'd certainly start with Dragonsbane, and the two sequels. Besides being down to earth about killing dragons, it's a great power struggle story. The dragonkiller is from the hinterlands, and is sort of treated in the Royal Court as a backwoods baron that has to be dealt with, but doesn't really have to be taken seriously.

The thing is, he knows all this full well, and uses that image to his advantage in lots of situations. So, besides practical dealing with magic, you also get a dose of clever court politicking.

[dreda.livejournal.com]

Wait. WAIT. The twelfth one is going to be the last one? Really and for true?!?

ZOMG I can chuck this moldering monkey corpse off my back!!

[rising-moon.livejournal.com]

Hee! So says his web site (http://www.brandonsanderson.com/), anyway, which I found through polyhymnia_. The magic bar graph reports that he is 85% finished!

[dreda.livejournal.com]

"We'd rather leave his legacy as it stands than have bad books attached to his name." - B. Sanderson

other than the books he wrote himself, of course...

(Grr. Crack monkey, get thee behind me! ;)

[kyttle.livejournal.com]

Personally, I find that having consistent limitations to magic is really important to me for a story. I really hate it when magic is so all-powerful that a character should just be able to wave any problem away, but for some inexplicable reason they don't.

[kyttle.livejournal.com]

To switch to the other topic, identity is pretty much always established by proving that you know the solution to some really tough problem that only you would know the answer to. There are a few ways to do this. Banks typically ask you to fill out answers to personal questions when you register, the theory being that only you would know those answers. Passwords do the same thing--registering a shared secret that in theory only you will know. But there is a much cooler way...

There are certain types of puzzles that are easy to create but hard to solve if you don't know how they were created. Factoring large prime numbers is an example. We have math that lets us quickly test if numbers are prime, but it's really hard to factor composite numbers into the primes that make them up. This means we can quickly find two large (hundreds of digits) prime numbers and multiply them together to get a really big composite number that pretty much only the person who knows the original two primes can factor.

Here's the cool part. You can put up the really big composite number on the web so that anyone can see it. It is so hard to factor that no one will be able to. Now, when anyone needs to authenticate you, all you have to do is prove that you can factor it. You now have a public test that only you can pass and that anyone can use to verify your identity.

The tricky part is making such a test reusable (proving that you know *how* to factor the number without revealing what those factors actually *are*), but that's a whole different topic.

[rising-moon.livejournal.com]

Me, too. It's annoying when an omnipotent magic user suddenly... isn't.

[rising-moon.livejournal.com]

(note to self)

Refer to the Media Lab "Amulet" project, i.e. the Wireless Universal Key.

While the professor rummaged in his pockets I hopefully imagined a tidy little lozenge like the old SecureIDs. Seeing the actual artifact, it occurred to me that cultural resistance to inelegant visual/physical design might trump other constraints to a system's adoption. (The Amulet is kinda big. I don't want to wear one around my neck -- which is where my magical mind expects to put an amulet.)

[goldsquare.livejournal.com]

Consider, for example, the subcutaneous RFID chip. Something which is, apparently, quite common at some of the Euro-trash bars in the Caribbean. Apparently some of the attendees wear swim suits so skimpy that carrying a credit card is impossible, and they don't want to carry a bag or purse.