Dumpshock Forums _ Shadowrun _ Hacking my way

Posted by: Serbitar May 8 2006, 11:58 AM

This is the first post in a series, where I want to present my interpretation of hacking runs.
With several posts (all in this thread) I want to cover several situations, and my interpretation of how the matrix rules can be used and balanced.

(might not be the order of final posting)
Hacking a host and performing a data steal
Hacking through a relay of linked nodes
Hacking a security camera and performing overwatch
Hacking someone's wireless equipment
Hacking into a drone network

TODAY: Hacking a host and performing a data steal
Note that this is only my interpretation and not final. I might edit this post a lot during the next days, depending on comments and other considerations, but I will note changes by using different colours and maintaining a changelist.

General comments:

Deleted subscriber house rule

1.) When you successfully hack in, you have a valid user/security/admin account for this session only. When you leave the node, your account has gone. Legal actions (actions covered by the permissions of the account) can be performed by a simple computer+skill test (if needed at all). Illegal actions (actions not covered by the permissions of the account) must be performed by an opposed hacking+skill test vs. system+firewall of the node. The GM may call for an extended opposed test if a certain threshold has to be achieved. Net hits of the node determine that the node notices that something is being tampered with. The GM decides what happens with which number of net hits.

2.) IC/agents have to successfully detect a stealthed hacker to engage in actions (including analyzing hack attempts) against him.


(H) Hacker:
Hacking: 5 (specialization stealth)
Computer: 5

Hot-SIM: +2 dice

Firewall: 5
Response: 5
Firewall: 5
Signal: 5

Loaded programmes:

- Exploit 5
- Analyze 5
- Browse 5
- Stealth 5

Not loaded programmes:

- Edit 5



(N) Node:
Firewall: 4
System: 4
Signal: 4
Response: 4

Loaded programmes:

-Analyze 4

(IC1) IC: Patrol-1
Pilot 4
-Analyze 4
-Attack 4
-Armor 4

(IC2) IC: Patrol-2
Pilot 4
-Analyze 4
-Attack 4
-Armor 4


Steps:
(bold steps denote the minimal version of this example)

(H) Hacking In
(N) Noticing the Hack
(H) Matrix Perception
(IC1) Matrix Perception
(H) Stealth roll
(IC2) Matrix Perception
(H) Stealth roll
(H) Unload Exploit
(H) Load Edit
(H) Browsing for Data
(H) Browsing for Data
(N) Noticing the Hack
(IC2) Noticing the Hack
(H) Stealth roll
(H) Downloading the Data
(N) Noticing the Hack
(IC2) Noticing the Hack
(H) Stealth roll
(H) Logging off

Explained:

(H) Hacking In
Hacking+Exploit(Firewall, 1 Turn): 5+5+2 = 4 hits (prob. to fail hacking in in 1 turn: 39%)

The hacker is trying to hack into the node. He is going for a user account. The rules say he has to engage in a Hacking+Exploit (firewall, 1 turn) test, to do so. With his first roll he is beating the threshold and is in.


(N) Noticing the Hack
Firewall+Analyze(Stealth): 4+4 = 4 hits (prob. to notice the hacker in 1 turn: 9%)

The node is trying to notice that somebody is hacking in. He rolls, per RAW, Firewall+Analyze versus a threshold of the hacker's Stealth programme. As this is a "hack on the fly" attempt, the node may roll every time the hacker is rolling to hack in. In our example, the hacker needed only one try, so the host may only roll once, too.
As the node scores only 4 hits, and the stealth programme of the hacker is 5, he is not noticed. The GM may note down the 4 hits, as they may act as a threshold for the hacker to clear the system logs of his hack attempt.


(H) Matrix Perception
Computer+Analyze vs Firewall+Stealth

The hacker is setting his analyze programme to constantly analyze his surroundings. He is rolling Computer+Analyze vs. Firewall+Stealth to find stealthed IC or backdoors. For ease of gameplay, the GM is only rolling this test for stealthed objects. If the hacker wants to further examine something he has already detected to gain further information he must explicitly say so.
As the two patrolling IC are not stealthed, the hacker sees them without performing any test. The GM does not have to roll for stealthed objects, as neither the IC, nor the node, are running any stealth programmes.


(IC1) Matrix Perception
Pilot+Analyze vs Computer+Stealth: 4+4 = 3 hits

The patrolling IC Patrol-1 is set to constantly analyze the node for intruders. As the hacker has a valid user account for this session, he is no intruder, but the IC will have to detect the presence of the hacker to note any hacking actions he might undertake. As the hacker is running a stealth programme, the IC must undertake an opposed test to detect him. For ease of gameplay, this test should be rolled by the GM.


(H) Stealth roll
Computer+Stealth vs Pilot+Analyze: 5+5+2+2 = 3 hits (prob. for the hacker to get noticed: 13%)

The GM rolls 3 hits for the hacker. The IC does not detect the presence of the hacker. Unless something happens, the IC will not attempt again to detect the hacker. If the IC tries again, it will have a -2 dice penalty for trying again.


(IC2) Matrix Perception
Pilot+Analyze vs Computer+Stealth: 4+4 = 5 hits

The second IC (Patrol-2) is trying to detect the hacker, too.


(H) Stealth roll
Computer+Stealth vs Pilot+Analyze: 5+5+2+2 = 3 hits (prob. for the hacker to get noticed: 13%)

The IC has 1 net hit in this opposed test. It has detected the hacker. As the hacker has a valid user account for this session, the IC does nothing else.


(H) Unload Exploit
Simple Action

The hacker is unloading his Exploit utility. He can only have 4 programmes running without a response penalty and wants to load an edit tool.


(H) Load Edit
Complex Action

The hacker is loading his edit tool.


(H) Browsing for Data
Computer+Browse(5, 1 Phase) 5+5+2 = 3 hits, 8 hits = 2 phases

The hacker is using his user account to browse for the file he seeks. The GM knows that the file is not listed in the directories that are accessible for normal users. He decides, that it will need an extended test (5, 1 phase) for the hacker to find, that the file is not listed in the directories. As this is a legitimate action, the hacker uses his computer skill. After 2 phases the hacker accumulates 8 hits and is informed that the file is not listed. IC2 is constantly analyzing the hacker, but as he is doing nothing wrong, nothing happens. IC1 is not even aware that the hacker is in the node. (Note: Some very high security system might synchronize the detections of their IC, but this triggers wrong alarms, very often. GMs, do not synchronize your IC unless you want to make your system extremely high security, as success probabilities for a hack decline rapidly.)

Note that the hacker is using computer+browse only because he exactly knows which file he is looking for. If he only knew which kind of information he was looking for, he might have to use the data search skill and face a much higher threshold.


(H) Browsing for Data
Hacking+Browse vs System+Firewall (1, 1 Phase) 5+5+2 = 3 hits

The hacker has not found the files in the user accessible indexes. He knows that the file is there, so he tries to hack into the full file index.
This is an illegitimate action, as accessing the full file directory would need security access. The GM decides that finding a simple file in an index is an (1, 1 Phase) extended test.

Note that the hacker would be using hacker+browse even if he only knew which kind of information he was looking for, but he might have to face a much higher threshold.


(N) Noticing the Hack
System+Firewall vs Hacking+Browse (1, 1 Phase) 8+8 = 2 hits (prob. for the hacker to get noticed: 19%)

The node is trying to detect that somebody is hacking into the file system. As the hacker achieves 1 net hit, he is finding the file in 1 phase. The GM may note down the 2 hits, as they may act as a threshold for the hacker to clear the system logs of his hack attempt.


(IC2) Noticing the Hack
Pilot+Analyze vs Hacking+Stealth 4+4 = 1 hit

IC2 is constantly scanning the node for intruders. As the hacker is now trying to do something that is not covered by his access rights, the IC might notice it. The GM is rolling an opposed Matrix Perception test.


(H) Stealth roll
Computer+Stealth vs Pilot+Analyze: 5+5+2+2 = 3 hits (prob. for the hacker to get noticed: 13%)

The IC does not notice the hacking attempt of the hacker.


(H) Downloading the Data
Hacking+Edit vs Firewall+System (1, 1 Phase) 5+5+2 = 3 hits

The hacker is trying to download the data. As the file can only be read (and downloaded) with security access, he has to perform a hack to do it.
In his first try, he rolls 3 hits.


(N) Noticing the Hack
System+Firewall vs Hacking+Browse (1, 1 Phase) 8+8 = 2 hits (prob. for the hacker to get noticed: 19%)

The node again tries to detect the hack. It rolls 2 hits, which means the hacker achieves 1 net hit and downloads the file.


(IC2) Noticing the Hack
Pilot+Analyze vs Hacking+Stealth 4+4 = 2 hits

As the hacker is again trying to do something that is not covered by his access rights, the IC might notice it. The GM is rolling an opposed Matrix Perception test.


(H) Stealth roll
Computer+Stealth vs Pilot+Analyze: 5+5+2+2 = 3 hits (prob. for the hacker to get noticed: 13%)

The IC does not notice the hacking attempt of the hacker.


(H) Logging off


The hacker is logging off. Note that the node accumulated 8 hits during the hack. This means, the hacker left lots of evidence of his activities in the node.



Discussion:

This was an example of a competent hacker (all ratings 5), hacking into a high traffic database (node 4) with good security (analyze 4, 2 patrolling IC).
To achieve his run unnoticed he had to hack in in 1 turn (giving the node 2 tries to achieve his stealth threshold of 5 would result in a 66% chance of being detected). Hacking in in 1 turn left him with a 9% chance of being detected.
In the node he had to do 2 opposed test with 12 dice vs 8 dice (browsing and downloading). His chance to fail such a test are 19%. His chance to fail at least one of the tests are 35%. Edge can be used here.
Then he had to survive the scanning attempts of the IC. Depending on how many of the IC detected him at the initial test, he had to face 0-4 opposed test with 14 dice vs 8 dice. As mentioned before, the chance to fail one such a test are 13%. As these opposed tests are done by the GM, the GM might ask the player beforehand whether he might invest Edge to avoid detection. The GM can then use Edge in such cases.
Note, that Edge-wise it makes a huge difference whether the hacker is rolling ONE stealth test when he enters the node, which every IC has to beat, or whether he (or the GM for him) is rolling a stealth test separately for each IC. I recommend the second version.

All in all, GMs should be careful. After the hacker's Edge has run out he is very likely to trigger an alarm, which is very bad in most hacking runs.
The rolls in this run were tailored such, that it does not get too long and different situations are explained. The chance (without Edge) for the hacker to get this run through unnoticed are under 40%.

Better figure out the probabilities beforehand (i.e. with a calculator tool like this: http://www.serbitar.de/stuff/probabilities.xls ).


Thanks to comments from:
Dashifen
Aku
Rotbart van Dainig
blakkie

Edit:
- Changed Karma for Edge
- added hot-sim, stealth specialization, changed probabilities
- added hint about data search
- deleted subscriber house rule
- added not loaded programmes
- corrected wrong attributes used in scanning tests for IC
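
The percentages quoted in the post above can be reproduced with an exact binomial calculation. This is an added example, not part of the original post or of the spreadsheet it links to; it assumes Shadowrun 4th edition dice (a d6 showing 5 or 6 is a hit), ignores glitches and Edge, and treats "noticed" as the defender rolling strictly more hits, which is the tie rule that matches the post's figures. All function names are made up for this example.

```python
from fractions import Fraction
from math import comb

# Assumption: SR4 dice, each d6 is a hit on 5 or 6 (probability 1/3).
HIT = Fraction(1, 3)


def hit_pmf(dice):
    """Exact distribution of hits: pmf[k] = P(exactly k hits on `dice` dice)."""
    return [comb(dice, k) * HIT**k * (1 - HIT)**(dice - k)
            for k in range(dice + 1)]


def p_reach(dice, threshold, rolls=1):
    """P(accumulated hits >= threshold) after `rolls` rolls of an extended test.

    Hits simply add up, so n rolls of d dice behave like one roll of n*d dice.
    """
    pmf = hit_pmf(dice * rolls)
    return sum(pmf[threshold:], Fraction(0))


def p_beats(pool_a, pool_b):
    """P(pool_a scores strictly more hits than pool_b), i.e. >= 1 net hit."""
    pmf_a, pmf_b = hit_pmf(pool_a), hit_pmf(pool_b)
    total = Fraction(0)
    b_below = Fraction(0)          # running P(hits_b < a)
    for a, p_a in enumerate(pmf_a):
        total += p_a * b_below
        if a < len(pmf_b):
            b_below += pmf_b[a]
    return total


def p_any(p_single, times):
    """P(an event with probability p_single happens at least once in `times` tries)."""
    return 1 - (1 - p_single) ** times


def run_figures():
    """Recompute the figures from the data-steal example, as whole percentages.

    Pools taken from the post: hacker 5+5+2 = 12 dice (14 with the Stealth
    specialization), node and IC 4+4 = 8 dice, Stealth rating 5, Firewall 4.
    """
    def pct(p):
        return round(p * 100)

    node_vs_hack = p_beats(8, 12)   # node out-rolls an illegal action
    ic_vs_stealth = p_beats(8, 14)  # patrolling IC out-rolls the stealth test
    return {
        "fail_hack_in_one_turn": pct(1 - p_reach(12, 4)),
        "node_notices_hack_in_one_turn": pct(p_reach(8, 5)),
        "node_notices_hack_in_two_turns": pct(p_reach(8, 5, rolls=2)),
        "node_notices_illegal_action": pct(node_vs_hack),
        "noticed_in_browse_or_download": pct(p_any(node_vs_hack, 2)),
        "ic_notices_stealthed_hacker": pct(ic_vs_stealth),
    }


if __name__ == "__main__":
    for name, value in run_figures().items():
        print(f"{name}: {value}%")
```
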

Posted by: Kremlin KOA May 8 2006, 12:06 PM

serb you may want to factor in that most hackers would go in HOT ASIST and that they just maybe specialized in the most important of hacking tasks in the game the entry
so an Exploit specialization would not be unlikely

Posted by: Oracle May 8 2006, 12:07 PM

Karma can be used for hacking??

Posted by: Kremlin KOA May 8 2006, 12:11 PM

he means edge

Posted by: Serbitar May 8 2006, 12:12 PM

Damn, sorry, I'm still playing SR3, too . . . I'll convert that .. .

Posted by: Serbitar May 8 2006, 12:22 PM

QUOTE (Kremlin KOA @ May 8 2006, 07:06 AM)
serb you may want to factor in that most hackers would go in HOT ASIST and that they just maybe specialized in the most important of hacking tasks in the game the entry
so an Exploit specialization would not be unlikely

Thanks, very good comment. I completely forgot that.

EDIT: I let him be specialized in stealth, as this is maximizing probability in this example.

Posted by: Kremlin KOA May 8 2006, 01:15 PM

Also how fast does the runner need the file?
If he has overnight he might as well do it the slow way, with packet sniffing

Posted by: Serbitar May 8 2006, 01:31 PM

Sure, but then he might have gone for admin access anyway (no reason not to), and then he wouldn't have to roll anything at all, as an admin can do anything. That would have made my example rather short . . .

Posted by: blakkie May 8 2006, 01:55 PM

QUOTE (Serbitar)
Sure, but then he might have gone for admin access anyway (no reason not to), and then he wouldn't have to roll anything at all, as an admin can do anything. That would have made my example rather short . . .


But perhaps relevant? wink.gif

However i certainly would challenge the idea that logged in as admin the decker can just do -anything- and that the decker wouldn't have to still avoid detection. After all they would still be in illegally.

Posted by: Serbitar May 8 2006, 02:10 PM

I know that you have a different opinion, but I can not model any rule set which

- lets IC analyze things
- is not totally impossible to hack
- does not need an infinite amount of dice rolling
- gives admin and security access an advantage over normal access

with that assumption.
I would recommend satellite nodes to prevent easy hacking. The hacker may get admin access to the satellite, by probing, but then he has to sit there for several hours if he wants to get admin access to the second line "real" node. IC or patrolling security personnel (security hackers?) could wonder what even an admin is doing there for hours . . . (if they detect him)

Posted by: Aaron May 8 2006, 02:15 PM

QUOTE (Serbitar)

1.) The "subscriber" rule works for non hacking attempts only. If something is accepting input only from a certain device, this restriction can be bypassed by a simple hacking attempt. Otherwise, for example a security camera, a maglock or whatever could never be hacked directly.


You could, but I believe you'd only have access to the device itself. This is useful if you just want the device, but not at all useful if it's the node you want.

QUOTE (Serbitar again)
If it was hardwired to its controlling node, it could not even be used as access to the local net, as it would not accept connections from your comlink.


That's why we can still get datajacks. In fact, my hacker's first run was through a building with hardwired cameras. I had to physically get into the building and then plug into and hack a camera to get access to deal with the security node. Which is the other nice thing a datajack lets you do: get access to a fully wired system.

Posted by: blakkie May 8 2006, 02:26 PM

QUOTE (Serbitar @ May 8 2006, 08:10 AM)
I know that you have a different opinion, but I can not model any rule set which

- lets IC analyze things
- is not totally impossible to hack
- does not need an infinite amount of dice rolling
- gives admin and security access an advantage over normal access

with that assumption.

wobble.gif Perhaps -you- are unable to....what? WTF are you talking about? I really think you need to go away and think about this some more. I mean "can not model any rule set which lets IC analyze things"? It is like you are a martian that just dropped out of the sky and are trying to talk about how "Bon Jovi flavoured ice cream can not possibly melt." All words in the English language, but all in all an unfathomable phrase.

Posted by: Serbitar May 8 2006, 02:28 PM

QUOTE (Aaron)
QUOTE (Serbitar)

1.) The "subscriber" rule works for non hacking attempts only. If something is accepting input only from a certain device, this restriction can be bypassed by a simple hacking attempt. Otherwise, for example a security camera, a maglock or whatever could never be hacked directly.


You could, but I believe you'd only have access to the device itself. This is useful if you just want the device, but not at all useful if it's the node you want.

You could not hack into the camera, as the camera, per RAW, would not accept input from you. You had to spoof an ID that the camera accepts input from. And when the camera was hardwired into the network, there would be no way that you could sniff any traffic to derive the desired ID.

Posted by: blakkie May 8 2006, 02:36 PM

QUOTE (Serbitar @ May 8 2006, 08:28 AM)
QUOTE (Aaron @ May 8 2006, 09:15 AM)
QUOTE (Serbitar)

1.) The "subscriber" rule works for non hacking attempts only. If something is accepting input only from a certain device, this restriction can be bypassed by a simple hacking attempt. Otherwise, for example a security camera, a maglock or whatever could never be hacked directly.


You could, but I believe you'd only have access to the device itself. This is useful if you just want the device, but not at all useful if it's the node you want.

You could not hack into the camera, as the camera, per RAW, would not accept input from you. You had to spoof an ID that the camera accepts input from. And when the camera was hardwired into the network, there would be no way that you could sniff any traffic to derive the desired ID.

question.gif How about hot tap the wire to the camera? Assuming the camera doesn't have a DJ port right on it. No they don't have specific details in the SR4 core book for that, but it would be a Hardware Extended Test. They cover stuff like that under, I believe, CCSS in R3.

Seriously, i think you are really out of your element here.

Posted by: Serbitar May 8 2006, 02:37 PM

QUOTE (blakkie)

wobble.gif Perhaps -you- are unable to....what? WTF are you talking about? I really think you need to go away and think about this some more. I mean "can not model any rule set which lets IC analyze things"? It is like you are a martian that just dropped out of the sky and are trying to talk about how "Bon Jovi flavoured ice cream can not possibly melt." All words in the English language, but all in all an unfathomable phrase.

Ok, the slow way:

If I drop the assumption that a hacker, who has hacked in with access rights which would allow a certain action to be performed, if it was a valid account, can not perform this action without any consequences (this is what you want) I have several problems:

- I would have to make scan rolls for every IC all the time, or disallow scanning IC
- I would make hacking next to impossible, or skip allowing IC to analyze hackers or hacking actions
- I would have to roll tons of dice, because every IC in the system is constantly analyzing each action of the hacker, or disallow IC to analyze constantly
- I would have to think of some reason why somebody would want admin access, as it does not have any advantages any more

As I like to have IC that is roaming about and analyzing stuff AND I want to make hacking possible AND I don't want to roll tons of IC AND I want the admin account to mean something I have to drop the assumption that you would like to see so much.

Posted by: blakkie May 8 2006, 02:54 PM

Apparently your memory is quite short. nyahnyah.gif

QUOTE (page 228)
When an intruder alert is triggered, the node will launch
an IC program and direct it to engage the intruder(s).


As i've pointed out in the other thread, IC are the -response- to detection.

EDIT:
QUOTE
As I like to have IC that is roaming about and analyzing stuff


To what end? What are you trying to accomplish with this. What is the goal?

QUOTE
I would have to think of some reason why somebody would want admin access, as it does not have any advantages any more


You just seem way out of your element here, because there are multiple possibilities. Perhaps you should phrase the thread as a question rather than an answer? Like "What are the advantages illegally entering with an admin login?" smile.gif

Posted by: Serbitar May 8 2006, 03:05 PM

@blakkie

p. 222 Patrolling IC . . . (emphasis by me)

I want to have patrolling IC, because I like the idea, I like how it adds to the hacking experience and because it is in the rulebook.

As to tapping the camera: that's a valid thing to do, but this makes subscribing just an additional dice roll to do. Just complicating things without adding anything. I just don't like it. I stated before several times that this is my interpretation of the matrix rules.

QUOTE (Serbitar)

This is the first post in a series, where I want to present my interpretation of hacking runs.
With several posts (all in this thread) I want to cover several situations, and my interpretation of how the matrix rules can be used and balanced.


Furthermore I think you have never tried to fit all the "possibilities" that are given in RAW to a consistent picture. The problem with the RAW matrix rules is, that the hacker has no idea what to expect, because there are too many "possibilities". I want to eliminate all the possibilities that are unpractical or make hacking impossible.

That's why I made my 3 assumptions at the start of my post. Either accept these and discuss the results, or just note that you do not want to make these assumptions (of course, then this thread is not for you) and be done with it.

Posted by: blakkie May 8 2006, 03:17 PM

QUOTE
@blakkie

p. 222 Patrolling IC . . . (emphasis by me)


The one that starts out "Highly secure systems might employ IC..."? Well hell ya such a system is going to be hard to make a run on. Because it is -supposed- to be damn hard.

So what was the point of the roaming IC. Just to evoke a sense of danger? Or to add an element of risk? Because one or two Data Bombs are a great passive way to add risk, and a bit of good fluff narrative can easily evoke any lacking sense of danger.

QUOTE
I stated before several times that this is my interpretation of the matrix rules.


As i've stated several times now, you really seem to be better positioned to ask questions. You are creating your own "problems" and then creating more issues by the "solution" to those problems. rotfl.gif In short, i find your interpretation is roughly on par with that to be expected from a blind dyslexic -martian- penguin. wink.gif

Posted by: Serbitar May 8 2006, 03:24 PM

You are neither creating problems, nor solutions. In fact you have not contributed constructively to any of the matrix threads around.
I know your argumentation, I know your view of the situation (even before this thread. I considered it and mentioned you in the credits because of this) and I think, by now, everyone reading this thread does, too. So everybody who is sharing your view can skip this thread and label it "not appropriate" for him.

Everybody who is interested in a workable solution can read on (at least until blakkie is coming up with his own).

Posted by: blakkie May 8 2006, 03:31 PM

QUOTE (Serbitar @ May 8 2006, 09:24 AM)
In fact you have not contributed constructively to any of the matrix threads around.

I didn't contribute constructively but i STILL got a credit? Hot damn! eek.gif wobble.gif rotfl.gif

I went through the effort of explaining to you how far your head is jammed up between your cheeks. Then i offered explanations and links to other rather simple solutions. Plus i even spelled out some handy diceless rule of thumbs to help explain the rolls that are made, and how you can handle the benefits of using login hops without a lot of mucking around with +/- dice pools.

So what would my post need to do to earn your consideration as a constructive one? Is nodding in agreement to your inane, failing grasp of computer systems the only way to? love.gif

Posted by: Kremlin KOA May 8 2006, 03:39 PM

Okay
Blakkie: Serbitar has a point in that using patrolling IC would be a cost effective way to provide a second layer of defence to a host

Serbitar: Blakkie has a point in that IRL hacking is done by packet sniffing or finding an OS exploit that allows root (admin) access and abusing the privileges given therein, therefore shadowrun modelling it such is quite realistic.


Posted by: blakkie May 8 2006, 03:45 PM

QUOTE (Kremlin KOA @ May 8 2006, 09:39 AM)
Okay
Blakkie: Serbitar has a point in that using patrolling IC would be a cost effective way to provide a second layer of defence to a host

My point is that he is complaining about it becoming "impossible", but it is only "impossible" if he makes it so. Patrolling IC that actually roll to check for intruders are intended for -hard- systems.

On moderate systems just fluff about IC happening by is enough to bring up story danger. Of course the GM needs to really sell it if he has cynical players. Or the GM can just fiat an IC dropping on the decker if the player becomes a bit blasé about all the system security icons passing by. vegm.gif Just don't do it with a killer IC. Something like a trace is cool, because what it does is add a time suspense without an immediate danger.

Hell, you can describe the Firewall+System detection of a hack-in attempt as a manifestation of an IC (a system security icon). It doesn't mean you have to use the IC crunch.

Posted by: Serbitar May 8 2006, 03:55 PM

Then tell me how you want to manage player comlinks, where they can install as much IC as the rules allow? (Analyze 6, 3-4 Analyze 6 Agents on a 6 comlink)

Johnsons, runners and people of the same category do what is possible by the given rules.
You have to balance matrix hosts against that. As I said before, you have never tried to fit it all into a consistent picture. I have at least tried to.

Posted by: mintcar May 8 2006, 04:00 PM

QUOTE (Serbitar)
QUOTE (blakkie @ May 8 2006, 09:26 AM)

wobble.gif Perhaps -you- are unable to....what? WTF are you talking about? I really think you need to go away and think about this some more. I mean "can not model any rule set which lets IC analyze things"? It is like you are a martian that just dropped out of the sky and are trying to talk about how "Bon Jovi flavoured ice cream can not possibly melt." All words in the English language, but all in all an unfathomable phrase.

Ok, the slow way:

If I drop the assumption that a hacker, who has hacked in with access rights which would allow a certain action to be performed, if it was a valid account, can not perform this action without any consequences (this is what you want) I have several problems:

- I would have to make scan rolls for every IC all the time, or disallow scanning IC
- I would make hacking next to impossible, or skip allowing IC to analyze hackers or hacking actions
- I would have to roll tons of dice, because every IC in the system is constantly analyzing each action of the hacker, or disallow IC to analyze constantly
- I would have to think of some reason why somebody would want admin access, as it does not have any advantages any more

As I like to have IC that is roaming about and analyzing stuff AND I want to make hacking possible AND I don't want to roll tons of IC AND I want the admin account to mean something I have to drop the assumption that you would like to see so much.

Try to look at it the same way as you would a physical intrusion. The runners may have forged security access passes, and that sure is a big advantage, but they can't expect to run no risk whatsoever of being caught. Matrix rules have been covering every possible thing that could happen in the past, making matrix runs shallow and limited like a board game. Simply accept that it's not like that anymore and that you need to take judgement yourself as a GM. You don't constantly make perception tests for guards in a building just because you're allowed to, do you? Why on earth would you do something like that in the matrix then?

Posted by: Serbitar May 8 2006, 04:07 PM

Good points. That's why I am restricting analyzation rolls to illegal actions. If every action, even those covered by the hacked account, were illegal, I would have to roll much more often.

Posted by: blakkie May 8 2006, 04:10 PM

QUOTE (Serbitar @ May 8 2006, 09:55 AM)
Then tell me how you want to manage player comlinks, where they can install as much IC as the rules allow? (Analyze 6, 3-4 Analyze 6 Agents on a 6 comlink)

Johnsons, runners and people of the same category do what is possible by the given rules.
You have to balance matrix hosts against that. As I said before, you have never tried to fit it all into a consistent picture. I have at least tried to.

Right off the top i'll say i envision a rating 5 commlink not available at character creation with rating 6 commlinks being hard to come by and in my opinion should require licensing if not enforced as government/corp issue only. No that isn't exactly canon by the equipment list. But IMO they kinda dropped the ball there. Basically what rating 7 is described as i think rating 6 should be, rating 7 should be the stratosphere, and rating 8 little more than a rumor. At least for Response. Not so much for Signal, especially if they are willing to strap on a small booster backpack or fit it into a cyberlimb. But still, just as today you can't just go out and willy-nilly open up your own radio station legally, there are going to be some legal limits when your signal starts covering a wide area.

Second off they just loaded up a bunch of their available processing power with protection. It is like protecting a vault by filling it with concrete. Rock solid protection, but you are now not really protecting much. This has been explained to you a number of different ways by a number of different people a number of different times.

So what if the player does that to his character's commlink? So now they are going to -really- notice the decker that breaks in and drops a Black IC anvil on their head. *shrug* EDIT:And they have a lot less room for programs to protect their persona. The rest of the world? The GM has control over that and can apply sanity filters as needed.

EDIT: Oh, and on the consistent picture part? Well yes I have put out information about that. But i guess you shouldn't be faulted for not noticing, being a dyslexic blind martian penguin and all. cool.gif

Posted by: mdynna May 8 2006, 04:36 PM

Also remember that you as the GM decide what is "illegal" for an Admin account and what is "legal." Corp Security designers aren't stupid. They know Hackers can get in with Admin access, so they aren't going to let Admins do everything any time they want. Any action that is "overtly" damaging or hostile should not be under the purview of the Admin account. Period. Therefore, the Hacker makes his Hacking roll, and the system makes its roll to oppose. In fact, I would say the system is more prone to analyze actions taken by the Admin account than any else.

Think about heuristic virus scanners. That's basically what they do. Viruses usually do their nastiness by using low-level system interrupts and such (stuff that I would call "Admin" actions). The anti-Virus programs look specifically for an unusually high number of those actions and try to detect if they originate from a malicious source. So, if anything, Hackers should be "logging on" with normal User privileges and "hacking their way up" to things they want to perform. I would say that systems "watch" what Security and Admin users are doing more than regular "Joe users."

Posted by: Kremlin KOA May 8 2006, 04:50 PM

Oh thank god I'm not agreeing with blakkie anymore nyahnyah.gif nyahnyah.gif

Blakkie
the starting hacker in the book has rating 5 comlink

Posted by: blakkie May 8 2006, 04:59 PM

QUOTE (Kremlin KOA @ May 8 2006, 10:50 AM)
Oh thank god I'm not agreeing with blakkie anymore  nyahnyah.gif  nyahnyah.gif

Blakkie
the starting hacker in the book has rating 5 comlink

Did i mention it wasn't canon by the equipment list? Hot damn, yes there it is in my post! love.gif So what does the sample character having a rating 5 commlink have to do with it? That's right, sweet dick all. nyahnyah.gif

Anyway, by rolling back the hardware one notch you can make room up top without letting the dice pools get away from you.

Incidentally i see a similar problem with the availability at chargen of rating 6 programs. But without hardware to run them on, that doesn't really matter much. Sure you can run a rating 5 program on a rating 4 commlink, but then you can only run 3 programs total at once since you tie up a slot with the Reality Filter.

Posted by: Serbitar May 8 2006, 05:46 PM

QUOTE (mdynna @ May 8 2006, 11:36 AM)
Also remember that you as the GM decide what is "illegal" for an Admin account and what is "legal."

Per definition an admin account can do anything.

@blakkie:

I think you are now solving your homemade problems . . .
System and Firewall have no availability at all
Response has 16
A 6 Agent has 18

Even with my "only skill rerolls" houserule, the standard fixer (5+5 dice) has the stuff available in 10 days with 40% probability.

With RAW he has 10 rerolls and can deliver it for example in 14 days with 93% probability (including glitches).

So a 6/6/6/6
1 Analyze 6,
3 Agent 6,
1 Encryption 6

Is per RAW the standard every serious shadowrunner that knows a competent hacker will be running when he is not actively in VR. Costs about 15,000 Nuyen.
Nobody will have less, as everybody knows what serious threat it is for a shadowrunner to get hacked.

And THAT'S the baseline everything else will have to be compared with, as this is what is given by the rules for players.
Every Johnson will, for consistency reasons have the same, every important person, that can spare the money, will have it, too.

Posted by: blakkie May 8 2006, 06:06 PM

QUOTE (Serbitar)
QUOTE (mdynna @ May 8 2006, 11:36 AM)
Also remember that you as the GM decide what is "illegal" for an Admin account and what is "legal."

Per definition an admin account can do anything.

They have "total access", which is entirely different than what you seem to be meaning by "do anything" and certainly does not preclude the helpful (one might almost say constructive, if you were actually looking for constructive) tips mdynna has given.

Posted by: blakkie May 8 2006, 06:11 PM

QUOTE (Serbitar)
@blakkie:

I think you are now solving your homemade problems . . .
System and Firewall have no availability at all
Response has 16
A 6 Agent has 18

rotfl.gif

Actually in the core book an Agent 6 doesn't even exist (check at the back in the gear section).


BTB Response 5 has Avail 12 (chargen legal), and yes Response 6 is 16. But not 16R or 16F. Or higher.

Posted by: Serbitar May 8 2006, 06:14 PM

Negative:
The system does not question admin actions. The system can only verify that it is an admin. The system can not find out whether an action is appropriate for the overall situation or not. That's why any actions performed by an admin will never be hacking actions.

If you hack yourself root access, you are root. The system never questions root. It only verifies that you are really root.

Posted by: Serbitar May 8 2006, 06:18 PM

QUOTE (blakkie)
Actually in the core book an Agent 6 doesn't even exist (check at the back in the gear section).

page ? paragraph ?

Posted by: blakkie May 8 2006, 09:37 PM

QUOTE (Serbitar @ May 8 2006, 12:18 PM)
QUOTE (blakkie @ May 8 2006, 01:11 PM)
Actually in the core book an Agent 6 doesn't even exist (check at the back in the gear section).

page ? paragraph ?

Oops, sorry about that. That was only Autosofts that have that weird cap that doesn't show up on page 228. But I wasn't referring to Agents anyway, I know they have a higher Avail, 18 isn't too bad. It is just the hacking programs that have the low ratings....but like i said getting the hardware down is the real key.

Not that, now that you mention it, the higher Agents wouldn't also fall into that power range that would require licensing. It seems rather odd that something that cheap (only 15K) and supposedly relatively easily copied (although arguably an Agent could be built to actively fight against pirating attempts) and legal would rank so high on the Avail.

QUOTE
Negative:
The system does not question admin actions.


Er, actually mdynna was spot on. For big iron at least at one time. I know because a person in my class many years ago, innocently, managed on a PDP-11 we were on to pass a system type command on to the OS to execute within its own thread. It didn't really do anything harmful, however half a day later a very concerned IT department security manager showed up wanting to know wtf the student had done. How did he know something happened? Because he had initiated a policy of personally monitoring the log of the system level commands for anomalies. It was still a system process that had done this command, but the usage for it was outside the norm.

Move forward 80+ years and instead of a flesh and blood IT security manager you have a backroom system process monitoring the command logs looking for suspicious activity.

Watchers watching the watchers.

Posted by: Serbitar May 8 2006, 11:46 PM

So to sum things up:

Comlink all 6
6 Analyze
3 Agents 6
Encryption 6

is a thing which most likely every Runner worth his salt will have, given the cost and availabilities in the book. None of these is even restricted, you can walk into a shop and just buy it. Thus any matrix rules, or interpretation of the rules, must cope with this fact and take it as a quasi baseline.

As to monitoring system logs: It is right there in my example. It has been there from the start.

Posted by: Divine Virus May 9 2006, 12:02 AM

umm.... isn't hacking on the fly 1 IP, not 1 turn?

Posted by: hobgoblin May 9 2006, 12:43 AM

one small thing about admin accounts. in windows today you can remove the default admin account's access to anything if so wanted. basically it is just another account, but as default it has higher access than the rest of them.

therefore it's possible that even with an admin account you can run into files and other objects that you have no legal access to. now there are some safeguards built in, like say an admin can take ownership of something. but he can't give it back, so it will be noticed if it's not supposed to be done unless asked for or ordered.

hell, there is a "crazy" security system being put into use for linux, developed by the NSA. it's called SELinux. and with that, even if i log in as root i may not have all the powers one would normally expect. i don't fully understand its full range of abilities myself, but it seems one can vary the access rights based on if the root account is accessed locally or remotely, among other things.

so in many cases there would still be things one could not do, even with an admin account, when logged in remotely.

hmm, now that i think about it there was a story in a book i read, or maybe a web article, where the only way to gain full unrestricted admin access from a terminal was by having that terminal connected on the correct port on the network.

now the makers of this system were showing it off at some industry gathering, and were offering a money prize if anyone could crack it, so sure of its safety they were.

but someone did in the end crack it. by waiting for the techies to walk away for a coffee break, leaving some sales zombie there. then one person distracted that zombie, while another picked the lock of the networking locker, flipped some wires over, created a secondary admin account or something like that, flipped the wires back, relocked the locker and waited for the techs to return. then he walked up to a terminal, entered into the admin account and called the techs over so they could see wink.gif end of the day he walked out of there with the cash.

as the name of the person? Kevin Mitnick wink.gif

Posted by: Serbitar May 9 2006, 01:22 PM

@Virus
I will check that

@hobgoblin

sure, there may be the occasional account called "admin" or "root" that can not do anything in some system. But there is always an account that can do anything. Just call this one admin, and the rest security.

After all it's just a matter of naming. For sake of simplicity, at least.

Posted by: blakkie May 9 2006, 02:27 PM

QUOTE (Serbitar @ May 9 2006, 07:22 AM)
@hobgoblin

sure, there may be the occasional account called "admin" or "root" that can not do anything in some system. But there is always an account that can do anything. Just call this one admin, and the rest security.

After all it's just a matter of naming. For sake of simplicity, at least.

You stunned wombat.

The point is that on systems with the power to back it up there are watchers watching the watchers. Ultimately the system itself sits above any and all accounts. The accounts can influence the system to varying degrees, but those are all in fact just requests not actual actions performed directly by the account. Requests that can all be checked and monitored....and a number will be, and there are indeed limits put in place. Sometimes the 'hack' is just to avoid detection and raising an alert, sometimes it is to actually be able to have the action occur at all. With the higher level accounts more the former than the latter.

Posted by: Serbitar May 9 2006, 04:54 PM

Those are extreme exceptions. They do not have to be covered by rules, as long as they stay just that, exceptions.

Posted by: Kremlin KOA May 9 2006, 05:19 PM

Blakkie That does not in any way model Real Life computing systems

Now considering that the SR4 wireless change was supposed to add realism

The closest I have seen to a system with admin being limited was quite simply one where no usernames were assigned to the Root

You could still hack root access with an exploit

At the last Ruxcon (big Hacker convention in Sydney Australia) the winning time for a particular hack contest for such a system was 12 seconds

Posted by: blakkie May 9 2006, 05:59 PM

QUOTE (Kremlin KOA @ May 9 2006, 11:19 AM)
Blakkie That does not in any way model Real Life computing systems

My experience in writing Windows NT drivers says otherwise. Intel Ring 0 code is run by the system itself, and only the system. You cannot execute it from the context of an account. The administrator can still get the system to execute given code, but you have to do it by altering the OS itself. Each new version of NT makes manual alteration of the OS drivers more difficult. In effect you have to 'hack' into place a replacement driver.

This all on a POS desktop machine.

Posted by: Kremlin KOA May 9 2006, 06:26 PM

there is a reason why NT is not normally used for large networks

besides which with NT all the major hacking (SR) actions can be done on an account with full privileges

even crash (BSoD) although on NT it might take a hacking action

UNIX and LINUX systems, which are more secure, do allow root to access the kernel

oh and IRL NT does have a level of account which can access the kernel, it is just only supposed to be available to microsoft personnel

Posted by: James McMurray May 9 2006, 06:30 PM

NT has been used in every large network I've encountered including two colleges, a 1500 employee (~1200 workstations) company, and a 110,000 employee company (with who knows how many workstations).

In the classified lab I worked in NT was used for some stuff and linux was used for others. The choice was made based on programmer's personal preference and software of choice.

Posted by: Kremlin KOA May 9 2006, 06:32 PM

interesting
was going on US and Aus national statistics
most of the large networks in the US are UNIX or Linux (I think 75% or so between them circa '99)
the rest are either Mac OS (rare as hen teeth) or NT

Posted by: James McMurray May 9 2006, 06:34 PM

I can only speak from personal experience, not having worked in 75% of the companies in America and Australia. I'd be interested in seeing a source for that statistic, given how easily manipulated statistics can be. You'd probably get different numbers if you talked to Microsoft than you would if you queried a BBS populated by *NIX gurus.

Posted by: Kremlin KOA May 9 2006, 06:40 PM

the aussie ones were supposed to be Australian Bureau... not sure if the US ones were as reliable.

It makes sense, as it is only a recent development for network hub machines to be PCs as opposed to dedicated unix servers

Posted by: James McMurray May 9 2006, 06:55 PM

Those are also 1999 statistics, which mean next to nothing now. I'm not saying it's wrong, just that tossing out a 7 year old number from partially unknown sources is far from being evidential.

Posted by: Kremlin KOA May 9 2006, 06:59 PM

evidential it is
Absolute proof it is not
(sorry, the distinction between those is a pet peeve)

my major point was that the standard 'admin' account in NT is not what SR is calling 'admin' that is more like a security account

Posted by: James McMurray May 9 2006, 07:09 PM

Ok, I suppose you could call it evidence. It's possible that it is false evidence, and it's definitely outdated evidence. But if you want to be technical, then the guy I pay $5 to so he'll say I was with him playing video games all night instead of out robbing liquor stores also constitutes evidence. smile.gif

Posted by: blakkie May 9 2006, 07:38 PM

QUOTE (Kremlin KOA @ May 9 2006, 12:26 PM)
besides which with NT all the major hacking (SR) actions can be done on an account with full privileges

...with observance from the system. Anything of import really, because once again all the I/O goes through the OS. It is a function of the "micro"kernel architecture.

QUOTE
even crash (BSoD) although on NT it might take a hacking action


Most definitely for BSoD, because the system catches it otherwise. A BSoD is ultimately caused by a driver programmer screwing up and not making the driver bulletproof.

QUOTE
oh and IRL NT does have a level of account which can access the kernel, it is just only supposed to be available to microsoft personnel


I'm not sure you have that exactly straight. Are you talking about the Local System account, because that is something a little different. It still passes stuff through the system. It is really similar to Administrator from a security POV, and in some ways more limited because of lack of access to the desktop and user input.

I think you misunderstand me here. I'm not talking about an account per se. I'm talking about the system itself. Sure the root account can recompile parts of the kernel and load them in. But those actions themselves are still going through the kernel to be able to do that since your basic IO, the actual communication with the hardware, is done through the kernel. Right?

Posted by: Serbitar May 15 2006, 12:52 PM

After some thought I decided to skip my "no subscription" interpretation of the rules, for compatibility. The subscription rule can always be bypassed by simply sniffing the traffic to a node and then spoofing the ID. This does simply add just another two dice rolls to any decent security network, but what the heck . . .
In my next text I will give an example of how to prevent unlimited "network relaying" for infinite security.

Posted by: Serbitar May 15 2006, 06:49 PM

Comments: Assumptions 1-2 from my previous examples still apply.


TODAY: Hacking through a relay of linked nodes

It was discussed a couple of times: What can be done against a network where several nodes are linked, using the subscriber rule, together to prevent, or delay, hacking.
A very good example would be this:

A runner has a main comlink A, which he uses for normal communication, and 5 "relay" comlinks B,C,D,E,F. Only comlink F has wireless capability.
The runner uses his main comlink to communicate, comlink B only accepts input from A and C, comlink C only accepts input from B and D and so forth:

A - B - C - D - E - F - WiFi-World

To get to A, a hacker has to hack B,C,D,E, and F first.
But then, in SR4, everything has a device rating. Even our clothes are nodes, as they have built in climate control and such. They might only have a device rating of 1, but they would also have to be hacked. So the runner could do the following:

A - B - C - D - E - cyberleg - smartgun - trousers - jacket - glasses - F - WiFi-World

This is perfectly acceptable under standard SR4 rules, and the first example isn't even illogical, but a very sensible thing to do.
So what to do about this? Just let hackers go through everything?

I propose a rules interpretation that circumvents possible dice orgies, is fast and understandable:

By using Spoof, a hacker can disguise himself as a data packet and exploit a node to relay him to his destination. He needs the network ID of the host he wants to be relayed to. If he wants to also spoof the ID he originated from, he can do so in a separate test.
Every host that the hacker is being relayed to may roll against the spoof test with System+Firewall. If the hacker has at least 1 net success, he is relayed to the next host in the chain, or he may choose to hack into the node that is relaying him using normal "hacking on the fly" procedures. In both cases he may choose to analyze the node to get information about the system ratings only. If he does not have any net successes, he may decide to immediately hack the node in question using standard "hacking in on the fly" procedures, use legit access rights to access the node, or be catapulted back to the node he started the spoof attempt from. When he is relayed to his destination, he may hack into the node on the fly, or access it with legit user rights.
Note that if the relay host scores any net hits in the opposed test, it has detected that something is wrong and may launch security measures.

(H) Hacker:
Hacking: 5 (specialization stealth)
Computer: 5

Hot-SIM: +2 dice

Firewall: 5
Response: 5
Firewall: 5
Signal: 5

Loaded programmes:

- Exploit 5
- Analyze 5
- Spoof 5
- Sniffer 5


(C1) Comlink 1:
Firewall: 6
System: 6
Signal: -
Response: 6

(C2) Comlink 2:
Firewall: 1
System: 1
Signal: -
Response: 1

(C3) Comlink 3:
Firewall: 3
System: 3
Signal: -
Response: 5

(C4) Comlink 4:
Firewall: 6
System: 6
Signal: 6
Response: 6


Network architecture:

C1 - C2 - C3 - C4 - WiFi-World


Steps:
(bold steps denote the minimal version of this example)

(H) Sniffing Traffic
(H) Matrix Perception
(H) Spoofing relay
(C4) Detecting relay spoof
(H) Analyze action
(C3) Detecting relay spoof
(H) Analyze action
(C2) Detecting relay spoof
(H) Analyze action

Explained:

(H) Sniffing Traffic
Hacking+Sniffer: 5+5+2 = 3

The hacker wants to hack into Johnson's comlink. He knows Johnson is extremely paranoid and might have several layers of relay comlinks. He phones the Johnson to give a status report. As he does not want to hack into the MSP's database to get the node ID that is correlated to the Johnson's phone number, he is simply monitoring the traffic going from the MSP to the Johnson. To intercept the traffic he has to succeed in a Hacking+Sniffer test. With 3 hits, he easily intercepts the traffic.
Note: If the traffic was encrypted it had to be decrypted first.

(H) Matrix Perception
Computer+Analyze: 5+5+2 = 2

To get the ID out of the traffic, the hacker has to succeed in a simple matrix perception test.


(H) Spoofing relay
Hacking+Spoof: 5+5+2 = 5 hits

Now, the hacker wants to hide as a communications data package. He spoofs the ID of such a package and virtually knocks on the door of the Johnson's gateway host C4.


(C4) Detecting relay spoof
System+Firewall: 6+6 = 4 hits

The C4 chokepoint comlink scans the traffic for validity before relaying it. It achieves 4 hits in its test, which leaves the hacker with 1 net success. The node automatically relays the "hacker package" down the subscriber line.


(H) Analyze action
Hacking+Analyze: 5+5+2 = 2 hits

The hacker wants to know what node he is being relayed through. He rolls only 2 hits and goes for System and Firewall attributes. The GM tells him that both are 6. With a "holy shit" on his virtual lips the hacker is relayed to the next node.


(C3) Detecting relay spoof
System+Firewall: 3+3 = 3 hits

The C3 relayhost comlink scans the traffic for validity before relaying it. It achieves 3 hits in its test, which leaves the hacker with 2 net successes. The node automatically relays the "hacker package" down the subscriber line.


(H) Analyze action
Hacking+Analyze: 5+5+2 = 3 hits

The hacker wants to know what node he is being relayed through. He rolls 3 hits and goes for System, Firewall and Response attributes. The GM tells him the ratings. The hacker is mumbling "getting better" while he is relayed to the next node.


(C2) Detecting relay spoof
System+Firewall: 1+1 = 1 hit

The C2 relayhost comlink scans the traffic for validity before relaying it. It achieves 3 hits in its test, which leaves the hacker with 2 net successes. The node automatically relays the "hacker package" down the subscriber line to C1.


(H) Analyze action
Hacking+Analyze: 5+5+2 = 3 hits

The hacker wants to know what node he is being relayed through. He rolls 3 hits and goes for System, Firewall and Response attributes. The GM tells him the ratings, which are 1,1,5. The hacker thinks "big mistake" and notes the ID of this node. He might hack in here later to get some admin privileges and install a backdoor right in the Johnson's subscriber line.

The hacker is then relayed to the final C1 comlink, where he may try to hack in, with a Hacking+Exploit (6, 1 Phase) extended test. But his best choice is to do the whole procedure again and hack the weak C2 comlink, get some admin privileges and then sit there and probe the hell out of the heavily fortified C1 comlink to avoid detection in his exploit attempt.
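
Added example, not part of Serbitar's post: an exact calculation of the relay rule proposed above, showing how often the spoofed packet gets through the C4 - C3 - C2 chain and where detection actually happens. It assumes the standard SR4 convention that a die showing 5 or 6 is a hit, and that every relay rolls against the hacker's single Spoof result, as in the walkthrough; the function names are invented for this illustration.

```python
from fractions import Fraction
from math import comb

# Assumption: SR4 core mechanic, each d6 showing 5 or 6 counts as a hit.
HIT_CHANCE = Fraction(1, 3)


def hit_distribution(pool):
    """Exact probability of k hits (k = 0..pool) when rolling `pool` dice."""
    miss = 1 - HIT_CHANCE
    return [comb(pool, k) * HIT_CHANCE**k * miss**(pool - k)
            for k in range(pool + 1)]


def relay_chain(hacker_pool, node_pools):
    """Return (reached, stalled, detected) for one spoofed relay attempt.

    The hacker rolls Hacking+Spoof once; each node, outermost first,
    rolls System+Firewall against that result.
      reached:  at least 1 net hit against every node in the chain
      stalled:  some node tied the roll (not relayed, but no net hits
                for the node, so no alarm under the proposed rule)
      detected: some node scored net hits and may launch countermeasures
    """
    reached = stalled = detected = Fraction(0)
    for hits, p_hits in enumerate(hit_distribution(hacker_pool)):
        still_moving = Fraction(1)  # chance of having passed all nodes so far
        for pool in node_pools:
            node = hit_distribution(pool)
            p_pass = sum(node[:hits], Fraction(0))      # node rolled fewer hits
            p_tie = node[hits] if hits <= pool else Fraction(0)
            p_detect = 1 - p_pass - p_tie               # node rolled more hits
            stalled += p_hits * still_moving * p_tie
            detected += p_hits * still_moving * p_detect
            still_moving *= p_pass
        reached += p_hits * still_moving
    return reached, stalled, detected


if __name__ == "__main__":
    # Pools from the example: Hacking 5 + Spoof 5 + hot-sim 2 = 12 dice,
    # against System+Firewall of C4 (6+6), C3 (3+3) and C2 (1+1).
    hacker = 12
    chain = [12, 6, 2]
    for label, nodes in (("C4 only", chain[:1]), ("C4-C3-C2", chain)):
        reached, stalled, detected = relay_chain(hacker, nodes)
        print(f"{label:9s} reached={float(reached):.3f} "
              f"stalled={float(stalled):.3f} detected={float(detected):.3f}")
```

Comparing the two printed rows shows how little detection the low-rated inner relays add beyond the rating 6 gateway.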

Posted by: Loestal May 19 2006, 02:11 AM

Forgive me for not reading every page...but I can't seem to find how to clean out your net hits from a system before logging off so you don't leave a data trail. I looked in the book, and perhaps I'm just passing it by but I can't seem to find how to do it..so could somebody please tell me or direct me to a page number so that I can figure this out.

Posted by: Serbitar May 19 2006, 08:32 AM

It's not in there . . . That's the overall problem of the matrix rules with the basic SR4 book. Everything is left to the GM. I'm trying to fill the gap by giving some ideas, but that's just it.

So here you go: (btw, you do not clean net hits, but hits. If the node had any net hits, you would have been detected).
You can erase all the traces of your hacking activities you left in the node by editing the log files. Admin privileges are needed for this (if you do not have them, you have to hack).

This is a Computer+Edit (1, 1 combat turn) extended test. Every hit deletes "edit programme rating" hits worth of traces you left behind.
If you do not have the privileges it is an opposed Hacking+Edit vs System+Firewall (1, 1 Combat turn) extended test. Note that this test also generates hits for the node, that have to be cleaned up.

If you clean everything up, nobody can find out by looking at the system logs that it was hacked. (Of course, one might tell that the system is hacked when the node does weird things, but you will just not find it in the logs). If any hits are left behind, one can find the hacker's matrix ID (just like a modern day IP number) in the logs and what he did. Note that the matrix ID can be spoofed and such.

Posted by: Loestal May 19 2006, 07:48 PM

Ok thanks, that clears things up except 1 thing...which I might be reading it wrong. Is it the hits the hacker scores that he must clean...or the hits the system scores that the hacker has to clean?

Posted by: Aaron May 19 2006, 09:04 PM

Where does it say you need to clean hits? I'm not finding anything like that.

Posted by: Serbitar May 20 2006, 03:27 AM

@Loestal: The hits the system scores.


@Aaron: You do not need to clean hits. I am simply giving hints on how such a system can work. The book (RAW) says that hack attempts can be found. But it gives no rules how this is decided and what a hacker can do against it. It is up to the GM till Unwired is out. I am just giving suggestions on how to do it.

So once more: These rules I give in this thread are my interpretation of the matrix rules. Nothing should (to my knowledge) contradict the rules given by RAW, but I am adding a LOT of assumptions and extra stuff on how things COULD work.

I just want to give examples of how to model a working matrix ruleset covering various situations that is consistent and understandable.
