Another realitybraker, subscription rule kills wireless hacking Options

[Brahm]

[mfb]

haha, indeed. i meant the dierolling, though. the task itself might or might not be difficult, but the rolls to determine the success of your attempt don't seem overwhelmingly difficult. unless they're shooting at you in real life.

[TinkerGnome]

Is there any reason why I, as a street sam, couldn't set my smartlink up to only do certain functions wirelessly? For instance, a paranoid street sam could set up his gun so that it only accepted the wireless command remove the saftey (but not set it). I mean, you're essentially arguing that you can get it to do anything the real user can. I don't see why, in defense, the real user can't set it up so that the only wireless commands the device will take are those that won't help you much.

[Brahm]

[mintcar]

TinkerGnome: Look at how TV's work IRL. You can't fucking tune in the channels without using the remote!

There won't be a lot of dials and buttons on your gun. All configurations of the device will be handled wirelessly, and as hackers automaticly log in as admin on devices, there's nothing the hacker can't do.

[Aku]

[mintcar]

You can change the channels but not tune them in. I've lost my remote, so ever since I moved last time, I can't use my TV for watching television programs, only for DVD and videogames that uses scart connections.

Fortunately, I've got an eyeTV box for my computer.

[hobgoblin]

another option is to put in a small jack somewhere on the device, and plug it into the comlink physicaly. some mobile phone brands allow owners to flash their phones at home, but i know of no brand that allow it to be done wirelessly.

my guess is that there is a port available that can allow you to access a kind of service mode, a mode thats more powerfull then what you can reach over wireless.

still, if your so worryed about getting your smartlink hacked, get it skinlinked. much simpler then trying to mess around with what the wireless link can and cant be used for.

and you will find that most tv sets (and some stereos) today have the basic functions available under some panel or other, but the rest can only be accessed via the remote. hell, i have a compact stereo system that i bought in the late 90's that have so many buttons on the remote its silly. about the only thing i can do on the front is basic radio tuning and playback control of the cd and tape parts. for anything more advanced i need the remote :P

[Brahm]

[TinkerGnome]

[Serbitar]

I just wan to again remind everybody, that most of the stuff you suggest might actually already be included in how a firewall works. Nobody knows what secuirty measures are included and what are not.

Thats one reason why I would not allow this kind (I am configuring my comlink in this and that way so it accepts only this and that) of "metaruling" in my games.

The other one is simplicity. I do not want everybody who wants to hack or get decent security to have a degree in IT. Thats what abstract game mechanisms, that use a dice roll to figure out whether a hack was successful or not, are for.

[kigmatzomat]

IMO the only "reality breaker" of the SR4 matrix actions is the fact you cannot record an encrypted signal. The only explanation is that all communication is based on quantum entangling, which also explains the infinite bandwidth.

Otherwise you could record an encrypted signal and try to decode it later.

[TinkerGnome]

[mfb]

indeed. i can't imagine it not including freq hopping. of course, the ability to crack even the most secure encryption in a few seconds or minutes is almost as bad.

[hobgoblin]

heh, the same old debate. you know the answer mfb, if a gm could just state that a file or communication is encrypted and therefor the hacker cant do a thing about it, what is the point of playing a hacker?

[mfb]

steal the passcode from somewhere. do some legwork. use real-life hacker techniques, basically. i enjoy SR's GitS-style realtime hacking, but it does occasionally give me hangups when i think about it too much.

[Serbitar]

Thats why you need decryption times that are between:

- decryption is useless
- encryption is useless

and a rule that makes it possible that sometimes an encryption can not be broken with the current skill/programme ratings.

There are at least 3 house-rules around that do both of this.

[mfb]

heh, i don't think they'll fend off my hangups. they might make the rules work more smoothly, but not more realistically.

[The_Flatline]

Let's see what I can throw out into this conversation here for you folks.

A couple of caveats first though. I intentionally have only skimmed through how, conceptually, the matrix works now through a wireless mesh topography (I wanted to keep my imagination unbiased when I offered up ideas). Second, I skimmed the basic conversation path of this thread, so I apologize if I touch on anything that has already been discussed.

Third, I'm a certified wireless technician in real life, so I understand a bit about how wireless networks function, and how something like this could function in theory if not in reality.

Finally, I know it's just a game, but we have to start really digging at these things conceptually if we want to come up with new and inventive ways of hacking in Shadowrun. After all, the difference between a script kiddy and a hacker is that the hacker will think outside the box, while a script kiddy will just run the program and hit the jackpot.

Onto the meat of my ideas.

1. Stratified frequencies depending on range. It is uneconomical to simply dump power into a tranciever at any given frequency to keep increasing it's range past a certain point. Sooner or later another frequency becomes far more economical for various reasons to step down to a lower frequency band for reasons of distance, signal penetration, and other issues that crop up. You could have, at range zero for instance, an extremely high frequency that is, for example, bordering on the light spectrum and is blocked by a piece of leather or heavy clothing. The range doesn't *have* to be that great for the majority of your PAN devices, because much like bluetooth today illustrates, you'll never get more than 30 feet away from these devices. That makes your commlink a broad-spectrum broadcastor and reciever. If you want to hack from afar, you have to use a certain spectrum at a certain frequency and have to use it in a certain style of exploit. In the FM spectrum for example, the commlink wouldn't accept incoming smartlink data, because it's completely the wrong frequency. Note that my radio theory is shaky, but this seems sound playing around with it in my head. It would also free up vast amounts of spectrum frequencies to allow a fully meshed environment. Look at cell phones right now for example. They are running out of frequencies to let customers connect. It's why during an emergency cell phones are among the first to go down, since there simply aren't enough channels to support saturated communication.

2. It is possible, even with stratified frequency communication, to issue rogue commands into a PAN from great distances. Real life example of this is a bluetooth "sniper" rifle, consisting of a directional antenna, a scope, and a pringles can. It can fire a "turn off" command signal up to two miles away and shut devices off. With a proper spoof signal to the commlink, the commlink would issue the shutdown command to the intended device and power it down, reboot it, or whatever.

3. This entire matrix is based on a system of trusts and privilidges. That means that the core target of any aspiring cowboy should be to compromise the device that administers such trusts and permissions. Much like the Primary Domain Controller in a Domain environment is the juciest target, commlinks and other, higher-order trust servers are the primary focus of hacking. Once you're trusted, you're no longer hacking, you're using the system. This also means that the trust servers should do as little as possible other than offering trusts, to minimize vulnerability. In SR, as a hacker, I would have a second commlink, stripped of all it's software, that only functioned as a trusted permission server. However, seeing how many functions a commlink serves, it leaves a very real and potent vulnerability in the PAN, which I will discuss later.

4. For secure wireless transmission, encryption will be needed. Encryption is a double-edged blade. It provides protection, but at the same time slows down the transmission of data. A certain level of encryption can be performed with a negligible loss of data throughput, but as you improve the level of encryption, the amount of time it takes to encrypt and then decrypt the information skyrockets. I would imagine that without quantum computing (which is another beast entirely), public key encryption would still be the way to go. Each device broadcasts it's public key in the beginning, and then during data transmission the keys could be modulated constantly. After the first "public" public key, the rest of the data would be in a constantly shifting stream of encryption.

I'd rule that if you had SOTA encryption on every link your poor little commlink would melt down, not to mention experience horrid lag. The first time Stu the Sammy booted up his smartlink and noticed a half second lag as his cybereyes had to decrypt the data stream he'd switch off encryption, or at least pull it down to a faster level. This might be a good way to provide a balance between usability and security that your commlink cowboy can exploit. Introducing interference into an area could also make people want to dump their encryption too, as data transmission in a wireless environment drops with increased interference, which makes the time delay for encryption that much more noticible.

5. As for subscribed links between a commlink and it's PAN devices, I see at the moment two avenues of attack allowing a hack into a PAN. The first is the obvious spoof method, useful for issuing rogue commands into the system to disable them. Variants on this could include PAN-to-PAN communication resembling modern day "Man in the Middle" attacks which would offer significantly more ability to affect compromised networks, albeit at the cost of increased latency. Note that latency is a very real concern, especially in wireless networks. Even in voice communications present-day, a third of a second delay, 300ms, is a noticible gap that is reduced whenever possible. 300 ms of interactive video delay would be just as jarring and the two would not probably catch on. So it's easy to rely on latency to clue you in that you're being hacked, to an extent.

The second avenue is to use the time-honored buffer overflow attack. This is in modern days the #1 vulnerability to systems like the Windows OS. To be brief, it's where you insert a piece of information into the running memory of your target that is too big to accept. The data spills out of it's allocated area, overflowing into another area that you have intended. THe "overflow" is a valid command that just so happens to be sitting in a vital portion of the operating system's core memory allocation, and thus the OS executes the illicit command.

SR4 mentions that memory is virtually unlimited in commlinks, which leads to an interesting point. If your commlink has effectivly unlimited storage, and effectivly unlimited running memory, then buffer overflows in theory could be avoided. You'd just pick two very large numbers, multiply, and then offset each program by that much memory to avoid buffer overflows. In reality though, if at any point during the development process, a programmer used effectivly finite memory allocation, or even dynamic memory allocation, and bunched the running memory together, then it would take a fundamental overhaul of the software to avoid the potential for a buffer overflow. Protected memory allocaiton should, in theory, prevent this, but XP and 2000 both have protected kernel memory, and we see how well that works protecting ourselves from bugs and other nasties.

So we're left with one major point of failure in the PANs. The commlink. As a hacker, I would be obsessed with gaining access, and ultimatly trust from, this item, because at that point I'd have the keys to the kingdom. I don't care about the links at that point, because I am already trusted to associate and do whatever the hell I want. At that point I'm simply another, very powerful, node in your PAN that is given superuser trust.

Firewalls, unless they mean something fundamentally different in SR lingo, simply filter out unwanted traffic. You'd almost have to have a semi-autonomous program running on your commlink to monitor both incoming and outgoing traffic and look for trends that raise alarms (such as spoofs), and to monitor memory allocation in order to head off buffer overflows. Otherwise it's the 20th/21st century SOTA race all over again where you have to check daily for security patches from your friendly OS provider (which is what mr & ms john q public is going to be doing, and they won't be religious about it).

I'm not even going to get started on the possibilty of hardware exploits. That is up to an inventive GM to work with an imaginative cowboy to come up with. I'd say reward thinking outside the box with a solution that actually works. I can think of a handfull off the top of my head that I'd allow, but most of them would be of limited use.

6. Even hardwiring your smartlink into your head isn't going to do you much good if your cybereyes or goggles or whatever link up with your commlink in some fashion. Once I have authority from your commlink, I am God, and you are my b*tch. Full mesh sucks for this very reason.

7. The paranoid shadowrunner would do a handful of things on a run. First, maintain a seperate priviledge server for their PAN that simply functions as a priviledge server and absolutly nothing else, and throw all the security and nasty IC I could get my hands on onto it. I'd also make this server require direct human intervention to program new priviledges. I'd make it ignore all incoming wireless communication save for with the commlink, and even then the commlink would not be a trusted device. The paranoid shadowrunner would be using multiple levels of encryption and broadcasting, putting out lots of chatter and noise and trying to soak up as many frequencies as possible to prevent communications by the other team, or using an ineffecient or weak method of communication. The paranoid shadowrunner would also keep critical systems hardwired together and off of the PAN (cybereyes, smartlink, etc... I'd personally use a HUD overlay or something similar for my visual AR). The paranoid shadowrunner would either use a little known OS for his commlink, have a hacker write one for him, be religious about daily security updates (praying he doesn't get hit with a new exploit before the patch comes out), or use a SK program to constantly monitor his commlink for intrusions (or at least more intelligent, proactive IC). The paranoid shadowrunner would also own two sets of PANs. One is his day-to-day PAN that has little of importance to him or her. The second is his running PAN, hardened and paranoid. The paranoid shadowrunner would hire a fixer and a hacker to knock heads together and create a burst-transmission module to more safely communicate with his team, ensuring that even if an enemy is listening in, between frequency hopping and all the other goodies that go into security, even intercepting the signal to begin with becomes a challenge.

This is extremely long and rambling, but it's several ideas I had on the conceptual nature of the Matrix in SR4. I have lots of other ideas, but I thought I'd get these out first. While none of this has crunchy numbers or rules behind it, hacking in the real world is thinking outside the boundries of the system you're dealing with, and understanding how items work and interact with each other to manipulate them. Hopefully it's given a few of you some interesting ideas.

As an aside, I had an interesting though. You're only allowed to make so many trusted associations with your commlink. I wonder if there's a priority to the list. If there is and you hacked a commlink, how horrid would it be to have A1 priority assigned to all the spam advertisements bouncing around, and suddenly have your commlink disassociate itself from every piece of equipment on your body, effectivly shattering your PAN?

[hobgoblin]

1. can be said to be allready rolled into the signal rating today. higher signal rating equals a device that can talk on a bigger collection of frequenzys and therefor see the jump in range...

2. this is the issue about what the spoof program can or cant do. or basicly the debate that have been going since the pdf got released and disected...

3. maybe this will be coverd in unwired, what do we know?

4. i kinda like the sound of that. ramp the encryption rating over the signal rating of the lowest rating device and suddenly you start to have a negative dice effect (maybe in the order of 1:1, as in 1 point over the signal rating equals 1 dice lost. or if that sounds to harsh, 2:1 or lower).

still, encryption is about more then signal warfare. something like this will only fix the issue of high rating encryption on transmissions, not files and storage media.

5. hmm, latency. no comment about that. but i will comment about buffer overflows.

allready today we are getting changes (that are long overdo) to the x86 cpu's that allow for a memory area to be flagged as storage or executable. this kills some of the overflow issues.

then there is tings like managed code (.net, java) that is becomming more and more popular. a buffer overflow is less of a issue there as the code isnt working directly with memory addresses (the way c/c++ does).

and i have a feel that in SR managed code is the norm. hell, i suspect that to be able to do what you can do with a agent (having a memory construct that can move from node to node) you have to make it in managed code so that when it tells the host node to transfer it, the node frezze the agents status and then transfer the whole memory construct over. this cant be done with a unmanaged program as the bits of code that work directly with memory addresses would now fail. or atleast thats my take on it.

6. the question here is how they link. headware comlink, skinlinked devices, presto. ok, so a single signal on the wrong side of the firewall and you have a problem...

7. paranoia is a nice thing, until it starts to interfer with your ability to do your job :P btw, a paranoid runner would not hire anyone to do anything. you dont know who else they may be payed to work for, therefor you have to do everything yourself...

thing is that if you want to simulate computing and communications in a realistic way, things get very boring very fast for anyone thats not a geek...

blue planet (one of the more realistic sf rpgs in my view) just avoids the whole subject with a small article in the back of their tech book that points towards legwork and similar...

[hobgoblin]

hmm, i got thinking (bad news, right?) that you not only need to know the address of the comlink, but allso the address of the device you want to access/spoof.

a wireless link behave just like old hub/coax ethernet networks. you add a sender and reciever address and then send it out there, hoping that only the one that need to read the message realy do so.

however, if we think that a comlink can vary its transmission range depending on what kind of traffic it sends out, it can be damned hard for a external comlink to pick up PAN traffic.

as and example. if we say that a high signal rating comlink can send not only on the highest setting, but allso on the lowest, and can change between these dynamicaly, then you can allso say that the comlink can downtune their signal rating to range 0 when sending PAN traffic.

this means you either have be to within 3 meters of the person to be able to pick up the addresses of the diffrent PAN devices out there. or you have to get hold of a very nice antenna ;)

and i would guess that directional antennas, atleast ones that are not mounted onto a wall somewhere, are under licence. ie, if lone star see you waving a directional antenna around, they have to stop and ask for papers...

so i would say that trying to spoof signals at a guards smartlink is a "bad" idea. i would rather want to go thru the comlink as that can be done nice and "safe" from behind solid cover some 20+ meters away ;)

ICE be damned, that one can deal with, a .45 thru the chest is something else...

and if one go thru the comlink, no subscription setup in the world will help...

for agents and drones this is a diffrent thing entirely, as they often operate at ranges that makes long range spoofing very practical indeed. therefor, while you could maybe use spoof on a PAN device, i would not say its a practical way of going about it...

[mfb]

if you're hacking the commlink anyway, you can just ask it for the device's address. if you're just spoofing the device directly, all you have to do is find the commlink's address, then hack into a device that's within the target device's signal radius and listen for traffic with that address as a recipient. one of those senders will be your target device.

[Brahm]

[hobgoblin]

and under that rule you atleast have a fighting chance of cracking the encryption :P

[hobgoblin]