Printable Version of Topic

Click here to view this topic in its original format

Dumpshock Forums _ Shadowrun _ Should all coms require admin access?

Posted by: sunnyside Jan 18 2007, 07:00 AM

Basically it seems like all personal electronics (especially on runners) should only have the admin level and thus require an extra 6 successes on to hack into them.

Is this right? I.E. if you try and hack a smartlink (Device rating 3?) you should have to get 9 successes hacking in and have it probably roll 6 die against you every time.

Posted by: Moto42 Again Jan 18 2007, 09:56 AM

A lot of devices today have multiple levels of access, either to keep the users from messing up options they usually don't need, or (more commonly) to keep the user from doing things that don't make financial sense for the company. (like cell phones that "only work with one carrier"
or a budget printer that is really the full-price model with a slowdown chip,
or a comlink model 2031C that has only minimal anti-interference tech (ECCM 3) "But if you spring the extra ¥75 you can get the 2031A, with ECCM 4!" (The A model is just the C model minus a jumper that disables some of the hardware signal filters)

My point is, many devices COULD have only an admin level of access, but it's far more likely that the user (and most hostile hackers) will only deal with a dumbed-down user-account.

_______________
>>"I got a critical glitch trying to remove the inhibitor chip in my left hand, and it send a kill-signal to all Fuchi tech on my PAN. ... I didn't know my new lungs were made by a Fuchi subsidiary."
>>"I'm sorry sir, but you've clearly voided you warranty. I'm terminating the call now.*
--Customer Service in 2067 stinks

Posted by: Blade Jan 18 2007, 11:12 AM

As security goes in SR, commlinks and any devices meant to be used by one single user (or by many users with the same account privileges) should only have an admin access.
(I know that's not how it works nowadays)

For commlinks, there might be some "user" access for other users. For example, I might give a user access to my friends so that they can see my photo-album in my commlink.

Posted by: Kesslan Jan 18 2007, 11:20 AM

Yeah I agree with Blade. If the OS is 'hard coded' wich.. effecitvely it would be in things like smartlinks. Then there's absolutely NO reason why you shouldnt soley have an 'admin access account'. I mean just look at the IPod. You dont have sub 'accoutns' on that. Just one sole 'access'. The software is all 'firmware'. With just the device itself you cant possibly edit the software. And if you mess it up you just wipe the internal drive and reinstall.

I shoudl know. My Ipod got messed up somehow or other when I was updating the playlist. The only way to fix it was to do a fresh install of the software. Also back when I used to work tech support for Compaq they had these computer terminals you could effectively get for what ever the tax cost you. Because you paid say.. $900 for the computer + monitor. You got a direct $100 rebate from Compaq. You got an additional $300 rebate from Microsoft if you signed up for their MSN service, and so on and so forth. On some of the system syou could actually 'technically' make $40. But that contract with MS is for 3 years. So your not really 'making' money it's just prestented that way.

The systems themselves either worked.. or didnt. They didnt even have a hard drive. The more 'advance'd systems had one as an added feature. Normally they just had a floppy drive and a CDrom. Along with a 'hard coded' OS. If something went wrong with the OS you wiped the flash memory and reinstalled. If that didnt work you sent it back to Compaq and (assuming it was still under warranty) they sent you a new one.

There was only one 'account' to that version of windows as well I belive. Since you couldnt really even save your settings.

Posted by: Rotbart van Dainig Jan 18 2007, 11:36 AM

QUOTE (Blade)

Thanks to Microsoft, it is how it works nowadays.

And basically, if there only is one user, the user has to be root.

Posted by: Kesslan Jan 18 2007, 12:13 PM

Actually thats the other thing. If you have say.. a copy of Windows Xp on yoru computer. And no one else has an 'account' on that computer. Guess what? -You- Are admin access.

It's part of the reason some people manage to totally screw up their systems on a regular basis. Like all thsoe time yet again when I was workign in tech support. I'd get callers saying their computer wouldnt boot up. Why? End reason. They'd used that admin access to go into the system registry and 'delete all that junk I didnt need'.

Course all that junk was what told the computer what was what, and where that stuff was. With that gone it didnt know what the hell to do.

Posted by: Serbitar Jan 18 2007, 12:14 PM

But contrary to Shadowrun, in real life, it is more difficult to hack servers that dont only have an admin account. Having only an admin account is a drawback in RL.

Posted by: Kesslan Jan 18 2007, 12:23 PM

Yeah well. RL doesnt have DNI either

In the end I dont pick at SR too much for it's certain failures in logic. Thats where the fantasy/fiction part of the game comes in.

Posted by: ixombie Jan 18 2007, 12:30 PM

QUOTE (Kesslan)

Just... no. We should not be using ipods of all things as a model for technology in 2070. In 2070, computers can be woven into jackets. There is no reason to assume that your toaster, or your underpants even, have a dumbed down 'firmware' computer in them. Devices with a System have a System, and that's all that SR4 provides. As a general rule, SR4 technology, 63 years in the future, is better than modern tech. I don't think it ever makes sense to assume that SR4 technology is limited just because similar tech is limited today.

Posted by: Kesslan Jan 18 2007, 12:37 PM

QUOTE (ixombie)

QUOTE (Kesslan @ Jan 18 2007, 06:20 AM)

I'm not saying it's limited necessarily. I'm using it as an example of a way it 'could' work. Afterall why shouldnt the OS be hardcoded? Its the way alot of OSes are goign these days. It's alot easier to fix problems that way. You basically have hard coded instructions, which can be updated via firmware. Then you have 'settings' and such which are saved to actual normal storage space. Considering that All SR4 tech uses 'solid state' memory. Thats honestly the best option to go with infact.

I eman think about it. Ok so you have your comlink and yoru files and the OS on the comlink gets messed up cause of some virus messnig with the settings. Reboot.

Bingo. your up and running again assumign there's no damage hardware side. I mean thats exactly how decker programs work under SR3. Just cause a virus 'destroys' a program doesnt mean it's erased off yoru deck. Just the version 'in active memory' is screwed to hell. So you have to reload it.

Posted by: Kesslan Jan 18 2007, 12:39 PM

Hell for that mater look at the BIOS of any computer as it's been for years. Guess what? Solid state OS right there. Real basic perhaps. But it still is one. Hell modern motehrboards pretty much all now have 'dual bios' now too. Which means if one BIOS chip gets screwed to hell somehow you still have a totally seperate secondary backup to run off of.

Posted by: sunnyside Jan 18 2007, 02:43 PM

But the bottom line is if you're trying to hack anything that doesn't actively have user account, like some Matrix site, you're looking at a minimum of 7 successes to hack in. Something like a smartgun will probably take 9(Device rating 3) and Mr. J's commlink (rating 5) should take 11. And assuming they have up to date analyze programs the devices are probably throwing ratingx2 dice at you every time you try and hack them.

It basically means that hacking on the fly is a lot harder than I'd previously thought as getting that extra 6 successes will often get you detected.

I suppose that kinda makes sense. If you've got a system that has to juggle tons of users it's bound to have more chinks that one that's just meant to have one.

Posted by: cetiah Jan 18 2007, 08:17 PM

QUOTE (Kesslan)

What is an admin account to you?

An admin account is different based on the software and application you're talking about. A hacker term 'admin' is quite a bit different than, say, the 'admin' account that governs your Windows XP or common website.

A BIOS is an example of an operating system with no ADMIN account. That is, there's no master user that tells the BIOS how to do what it does. It just does it, based on the requests from the user. You can't tell it precisely how to manage memory, can't edit a sequence of binary commands, manage priorities, clear up buffer overflows, and thousands of other little things I'm not really aware of because I'm not a hacker admin. Maybe if I knew more about unix...

As for windows XP, I'm surprised no one mentioned this, but if you think you only have one account, you are dead wrong. Try signing out with your 'master account' and login as 'admin' and see what happens. A whole seperate secret account that most people don't know about it. (By the way, if you didn't know about it, I suggest you login now and setup a password on the 'admin' account.)

A user tells the computer what to do. An admin tells the computer how to do it. To properly admin a system, you have to be able to manage beyond the user-level, which usually involves communicating with the OS in binary code or using a programming language. The more natural the programming language, the more layers of translation you go through and each layer handles its own operation. When you get down to the final user-interface (such as most windows users are familiar with today), you've gone through so many layers of translation that most decisions and operations have already been made for you. When you click on a button or pull down a drop menu, you send commands through the GUI and the translaters reroute that into more and more complex operations.

An hacker with admin access is someone who could get into those complex operations and make changes directly, essentially altering the way the computer handles its operations. He won't usually be able to go all the way in, depending on the OS and software used. A hacker with user-access can't go in as deep and must communicate with the user-interface, but is usually aware of all the behind-the-scenes stuff going on and trying to manipulate the OS into doing what he wants.

Of course, how all this interacts with DNI, I have no idea. But presumably a hacker is someone who has powerful icons in the matrix environment, while a hacker-admin can decode or recode icons (as opposed to accessing programs and procedures that make icons for you based on your instructions).

Posted by: cetiah Jan 18 2007, 08:29 PM

QUOTE (sunnyside)

I really don't see Shadowrun as the kind of world where everyone is tech-saavy, despite people's objections. I think people in the Shadowrun universe have more toys than they know what to do with and the idea with someone whos only got 4 dice between their Logic and Computer skills having admin access to their commlink is kind of scary. In low-security interfaces, admin access is used mostly by technical stuff to make custom improvements or fix technical problems. There's simply no reason for a common user to ever use the admin account, much like people don't use admin accounts in things they own today.

I would, however, be interested in helping out a hacker who wanted to do this for security reasons. But I wouldn't allow it in a system that didn't also allow them to make their own custom OS. If they made their own custom OS, then sure, a constant +6 modifier would make perfect sense to me. There might be compatiblility issues though with other commlinks or with the matrix.

Personal opinion: I believe the +6 modifier represents additional security to protect the admin account because it is so vitally important and can seriously scrag a commlink. I believe some amount of care would be taken to keep incompetent users out of the admin account, too. Such as not telling anyone that it exists. Also, consider that "admin access" may not necessarily represent an "admin account" like those used in Windows today with a login name and password and whatnot. That's just one technique. "Admin access" may represent any combination of techniques used to get into the nuts and bolts of the system and make tweaks, such as a special back-door protocol built in to access the system's core, and it may be different for every commlink or every OS.

Posted by: sunnyside Jan 18 2007, 09:15 PM

I suppose there is an issue of RAW vs how we feel about things. I'm kind of interested in both.

From a RAW(Rules as written) point of view it says admin access takes an extra 6 successes and that simple devices usually only have admin accounts. It however does not specify whether you can choose to only have admin type access on systems that typically have lower security levels (I.e. if a corp can only have admin access on their high security offline system because they know it makes it much harder for a hacker to get in undetected in the time they have while security closes in).

From this viewpoint lower access acounts are a liability that you put up with because you want to be able to handle extra traffic and users who may do things like forget their passwords etc. If you can't turn the lower levels off they represent the fact it's easier to hack things like computers that are meant to interface with the Matrix in many ways (all sorts of ports are open, all sorts of traffic is coming in, all sorts of traffic is going out and expecting responses). Something like a smartlink need not assume this liability as it need only interact with one device in one way.

Conversly you could make an argument (a slightly weak one) that devices like smartlinks are not so sophisticated and so would be more vulnerable (they wouldn't get +6 for admin access, you log in as normal and get admin access).

Or you could argue a departure from RAW and say they should have multiple levels which would be quite workable especially from the modern day cell phone analogy.

Still this makes a HUGE difference ingame. At three successes to get in most PC hackers can get in on the first try and probably not be detected. At nine successes it'll take them more like three combat turns and they're looking at 18 dice coming at them, which will typically beat a level six stealth program and easily beat the more common level five.

So we're talking about the difference between easy and hard hacking of devices.

Posted by: Moon-Hawk Jan 18 2007, 09:20 PM

QUOTE (sunnyside)

So we're talking about the difference between easy and very hard hacking of devices.

True, but also bear in mind that this mainly applies to hacking on the fly.
When probing the target that +6 just means that it will take a bit longer, but the probability of being detected does not change at all.
Personally, I think hacking on the fly should be pretty difficult, and very likely to be detected.

Posted by: sunnyside Jan 18 2007, 09:28 PM

QUOTE (Moon-Hawk)

True, but also bear in mind that this mainly applies to hacking on the fly.

Obviously.

Personally I'm leaning toward "hacking on the fly is hard" myself.

My only aprehension is that it makes life a little hard on the hackers when in the field. On the other hand I suppose they'll appreciate their cybercombat stuff more.

I'm also leaning toward being able to turn off lower level accounts as a way of essentially designating more "paranoid" systems.

Posted by: deek Jan 18 2007, 09:37 PM

The +6 is fine, IMO, and I run with all device rated objects only having admin access. I think the main thing to realize is that while the +6 threshold makes it tougher on the hacker, its what the GM builds as a response to an alert that really makes the difference.

A low-security node may only have tracking IC or maybe even none at all...so while an alert may be raised, there may not be any major consequences from the alert. Some systems may just try and terminate the connection or do a reboot...I think keeping in mind that each node may be different is a good thing a GM needs to throw at their players.

Sometimes there will be a ton of IC ready to pounce on the hacker...other times, no recourse besides the hacker having to send a command to the node to cancel the alert...

Posted by: Dashifen Jan 18 2007, 09:52 PM

I've always run it that any device with the exception of hosts have only admin level access -- even commlinks. It's worked out very well. though it has made the players feel less paranoid about their stuff getting hacked.

Edit: nevermind, just saw that deek posted essentially the same thing.

Posted by: Catharz Godfoot Jan 19 2007, 01:49 AM

Ignoring the hacking difficulty modifiers and certain other rules, a lot of devices should have *no* admin access. It's a fairly standard security practice to remove all administrative accounts on a firewall, for example. Many consumer electronics, similarly, will have no administrative access to avoid people getting functionality that they haven't payed for. Then again, many consumer electronics only *say* they don't have admin accounts, and then leave hidden default accounts, which has led to a lot of exploitation in the past.
Unfortunately, SR4 *requires* that there be an admin account, which basically means you're out of luck if you want to make a secure/'locked in' system.

Most computer security guides will tell you to set up a user-level account on your computer, and to use that instead of root. Then whenever you need root access, you Sudo. This is so that you don't majorly screw things up in a totally accidental way, and so that programs you install on the fly don't get administrative powers (which limits viri, trojans, etc).

The current hacking system seems to reflect the old-school 'hacking the mainframe' philosophy more than the 'getting a person's browser to execute malicious code' one. That is, you find some pooly-protected user level account out of maybe 300 (with a password like '123' or 'JohnDoe1'), and mess with things until you figure out an exploit to get root access.
This doesn't really reflect personal computers (e.g. comlinks) very well, which should indeed (by the SR4 rules) only have admin access for security reasons. In this case, it might more sense to use an opposed test of your Exploit (+System 'cause that's how they do it) vs. the target's Electronic Warfare + Firewall. Then you get co-control of whatever account (probably the only account) was being used.

Cyberlimbs and other consumer electronics should (as you say) also only have admin access, and the owner of the limb won't have the password (Genetech or Ares or whoever have it). This is a situation in which the currently used DC makes a lot of sense, and really explains why anyone with half a brain turns off wireless access to their cyberware.

Regardless, the rules aren't designed to be realistic at all, so I probably just wasted a lot of breath

Posted by: Fortune Jan 19 2007, 01:53 AM

QUOTE (Dashifen)

That's how I always deal with it as well.

QUOTE

nevermind, just saw that deek posted essentially the same thing.

True, but that doesn't mean I can't throw in my own 'me too' as well.

Posted by: Kesslan Jan 19 2007, 07:49 AM

Yeah alot of this is more or less what I was trying to get at witht he whole admin thing. I mean with the BIOS you either have access or you dont. Which is really waht I was aiming at with the BIOS to Commlink reference. I've had it before where when I worked in a computer store, we'd get customers come in and they'd have a BIOS password setup. But we dont have it.

So.. either the customer had to give us the BIOS password so we could make the alterations. Or we had to pop open the case and physically reset the jumper. Depending on the system the only other time the password gets wiped is when the BIOS battery dies. Thus wiping the chip's memory and setting it back to hard coded factory settings.

I really dont see why a Commlink would ultimately be that much different. You have this underlaying OS thats flash encoded. And then whiel it's up and running and has a powersource you can save all thse fun settings etc and make all these alterations. But ultimately if something goes screwy you can just turn it off, turn it back on again and it's 'back to factory settings'. Your data is still stored in the memory though.

And that doesnt mean that there isnt some 'ultimate' 'true' admin access level put in by the manufacturer. But say in this case for a hacker to actually get at that they'd have to actually physically switch over a jumper. So to do it any other way they have to hack into the 'offical' 'admin' account. Which with a commlink since it's a personal device like a cellphone. Is the only 'account' available.

So yeah ultimately the commlink would give you that +6 where appropriate. And to me at least that seems alto more 'realistic' than a hacker being able to get in as easily as scatching his balls without some known ahead of time backdoor or some such. And I'd toally expect the 'stock OS' to have such a backdoor too. Finding it is a whole other story however.