> Speeding Up Hacking, A Matrix rant
kzt
post Feb 2 2007, 12:52 AM
Post #101


Great Dragon
*********

Group: Members
Posts: 5,537
Joined: 27-August 06
From: Albuquerque NM
Member No.: 9,234



QUOTE (cetiah)
Why would a hacker be using anything else?

Because it takes priv to access the underlying APIs and kernel calls. Until you have the appropriate rights you can't access useful things like the functions that edit account privileges. Until you have them you have to work via user tools.
Spike
post Feb 2 2007, 12:59 AM
Post #102


Moving Target
**

Group: Members
Posts: 941
Joined: 25-January 07
Member No.: 10,765



Actually, Ser, as a newcomer to this debate I read the rulebook pretty heavily before posting. While it's poorly organized in many regards, a quick look at the actual hacking rules points out that you have to give yourself permissions with an Edit action if you want account access. It's not missing, a hacker by default doesn't have permissions for all that stuff he's doing unless he takes an action to give himself permissions for later...


at which point, as far as the game is concerned, he's not really hacking any more until he attempts to exceed the permissions he gave himself. Maybe I'm reading too much into it.

Serbitar
post Feb 2 2007, 01:05 AM
Post #103


Running Target
***

Group: Members
Posts: 1,498
Joined: 4-August 05
From: ADL
Member No.: 7,534



QUOTE

a hacker by default doesn't have permissions for all that stuff he's doing unless he takes an action to give himself permissions for later...

Would you please tell me then what the point in hacking in with security or admin access is then, if it doesn't come with the related rights?

And would you quote the passage in question?

To make my statement explicit:
Every hacker automatically has the rights related to the access account he hacked in with. I furthermore suspect heavily that he also is using the account in question, just doesn't have the password, though this is not explicitly mentioned anywhere in SR4.

QUOTE

at which point, as far as the game is concerned, he's not really hacking any more until he attempts to exceed the permissions he gave himself. Maybe I'm reading too much into it.


I would agree. Rotbart would say that you can still be found as a hacker, because you don't have an account, just the rights (so you need to give yourself an account, not only the permissions you mention). Or Frank would say that you can still be found as a hacker, because you didn't delete the log files, and IC would check them.

Feel free to make your own interpretation.
RunnerPaul
post Feb 2 2007, 02:20 AM
Post #104


Neophyte Runner
*****

Group: Members
Posts: 2,086
Joined: 26-February 02
Member No.: 364



QUOTE (cetiah)
QUOTE (RunnerPaul)

So the question then becomes a matter of why a "patrol cycle" even exists in the first place, something that has yet to be explained, from what I've seen. It's not like IC can only look at a part of a node at a time: Matrix Perception Tests are node-wide. It's not like IC has to take a coffee break or visit the crapper. Sure, you have the overhead from the Analyze program running constantly as the IC looks for unauthorized personas, but the benefits of constant surveillance would make this a "no-brainer" choice for all but the lowest-end nodes.

Someone (Synner?) already addressed that the perception-tests are not node-wide. The perception test is made to see if the IC is looking in the particular part of the system you are accessing at the moment as it cycles one at a time through the various files and processes in a system. IC, apparently, can not look at all aspects of the node at one time.

If someone did state that, it's in direct contradiction to the rules for how Matrix Perception Tests work as described on p.217.

If there's a separate section that deals with alternate rules for how Agents/IC make matrix perception tests, please point it out to me, as I've apparently consistently missed it on repeated readthroughs of the book.
Spike
post Feb 2 2007, 03:10 AM
Post #105


Moving Target
**

Group: Members
Posts: 941
Joined: 25-January 07
Member No.: 10,765



Serbitar:

My point was that you don't have access rights or a user account until you edit an account with permission into existence. Prior to that you are an invader, a ghost in the machine, a fly in the ointment.

Once you've gone and given yourself an account, provided that account isn't discovered and closed in the meantime, you can log in as a fully authorized user at any point. You've already hacked in, now you are just logging in.

I started my research on the last post on page 221 under hacking, and then under hacking and accounts, which is where I suspect the confusion starts. Hacking and Accounts refers specifically to logging in with a stolen account, rather than just breaking in. If you don't have a legitimate account, stolen or edited in, then you have to break in.

Of course, you break in by hacking an existing account... the difference is one of where you do it.

Of course the key factor here, to me, is that at any point in this you are literally trying to be someone else. That other person undoubtedly has their own icons, their own distinctive persona, which isn't you... in fact, they may even be online at the same time you are. So when IC 'sees you', what they are actually seeing is that you are not who you say you are.

Now, if your hacked account has enough privilege you can Edit a perfectly legitimate account for yourself, one that you don't have to hack to get into. As long as that account doesn't set off any alarms (say by hitting a data bomb or running a decrypt program on a file) then the IC isn't going to see it as anything but legit. A security hacker MIGHT notice they've got one too many admins running around, so it's not totally without risk.

I hope I explained why I think that the fact that you've hacked Admin privileges isn't an instant 'I win' button, and why IC should, or should not harass a hacker depending upon how he got in, as the rules suggest rather than lay out explicitly.
FrankTrollman
post Feb 2 2007, 03:24 AM
Post #106


Prime Runner
*******

Group: Banned
Posts: 3,732
Joined: 1-September 05
From: Prague, Czech Republic
Member No.: 7,665



QUOTE (Spike)
My point was that you don't have access rights or a user account until you edit an account with permission into existence. Prior to that you are an invader, a ghost in the machine, a fly in the ointment.


Well no. If you don't have an account, you aren't in the node at all. In order to enter the node, you need to Hack in. In Hacking in, you get yourself a User Account, a Security Account, or an Admin Account, depending upon how many hits you get on your Hacking test.

But without that Hacking test, you're out in the cold. With that Hacking test, you're In Like Flynn. And there is no middle ground. And the cheese stands alone.

-Frank
Spike
post Feb 2 2007, 03:37 AM
Post #107


Moving Target
**

Group: Members
Posts: 941
Joined: 25-January 07
Member No.: 10,765



QUOTE (FrankTrollman)
QUOTE (Spike)
My point was that you don't have access rights or a user account until you edit an account with permission into existence. Prior to that you are an invader, a ghost in the machine, a fly in the ointment.


Well no. If you don't have an account, you aren't in the node at all. In order to enter the node, you need to Hack in. In Hacking in, you get yourself a User Account, a Security Account, or an Admin Account, depending upon how many hits you get on your Hacking test.

But without that Hacking test, you're out in the cold. With that Hacking test, you're In Like Flynn. And there is no middle ground. And the cheese stands alone.

-Frank

Yeah... I forgot to clean up my post as I refined it based on what I was actually reading, rather than what I vaguely remembered from when I wrote the post.

You are correct of course. You break into an existing account, as I said later...

But I read it as you need to pick which type of account you want, not base it on how many hits you get. Am I missing something?
Garrowolf
post Feb 2 2007, 05:24 AM
Post #108


Moving Target
**

Group: Members
Posts: 870
Joined: 2-October 06
From: Athens Ga
Member No.: 9,517



One of the things that I did for my game was to separate fast hacks and slow hacks by account privileges.

A fast hack was where you were brute force hacking. I used exploit to cancel out the firewall. I have an attribute called security level that reflects things like sysops and strict user accounting. The firewall can be suppressed but the security level is a constant issue. The security level reflects the things that in the RAW are the system making perception tests.

I do use security tally. You can increase the security tally in a few ways. You can roll below the security threshold, each point below adds one. Or you can glitch which adds the security threshold rating to the tally. You have a stealth program that suppresses its rating in security tallies.

All the rolling is done from the hacker's point of view. Until a security tally makes it past the stealth program then there is nothing for the system to notice. Once it does then it starts raising the firewall to block out the possible problem. Add the alarm level (the security tally - the stealth rating) to the firewall until it doubles the firewall's rating.

This is the default behavior. I don't see any reason that any system would automatically send IC after every hacking attempt. Now use IC as a sort of data bomb on certain secret files. It only activates if you touch it in a bad spot.

One of my problems with the logic of Shadowrun hacking is that it SEEMS to be based on the idea that you would have only a few hacking attempts at a time and that it wouldn't slow the system down too much to have a few IC agents running around in the system looking at the few people in the system. Most systems that would have IC would have hundreds to thousands of users and a hundred hacking attempts each hour (or even minute). There would be constant bot tests of all the megacorp firewalls. Running enough IC to deal with all this would crash the system faster than that much normal server traffic. I can't imagine something much bigger than a semi intelligent program that can run other programs, make decisions, and move from place to place so it has to be independent. If it is an independent program it would be huge. If it is just a function of the system then it can be everywhere.

So this would allow a fast hack. The issues of account privileges is covered by the security threshold (basically a person that just trusts their firewall has no security threshold and a sysop watching everything gives it a 4, the problem is that the higher your security the harder it is to do legitimate functions as it is always checking on you - this is why many people drop it down to nothing and trust their firewall even today).

A slow hack would be different. The interval would be in minutes or hours. You would exploit the firewall. Then you would edit it to always let you in. You no longer have to exploit the firewall. Then you exploit the security system and give yourself a user account. Then you exploit the system again if you need to to give yourself an admin account. Then you do whatever you want to do but make sure that you can get back in long term. Maybe you have the e-mail system cc everything to you. Maybe you have the reports of a monitoring program go to you. Etc. In effect you have a new contact. You can always get this information. Your access level becomes a loyalty level. You have a connection level in a way reflecting the kind of information you are getting. The GM could roll a SOTA check versus the loyalty level anytime you want to find something out. This would possibly lower the loyalty (maybe called access level) until you slow hacked to fix the issue.

This is more of what I was thinking. A slow hack would be during downtime. The GM and the player could sit down and work this out. The fast hack wouldn't give you long term advantages but it would be a quick rolling system.

What do you guys think?
Rotbart van Dain...
post Feb 2 2007, 07:08 AM
Post #109


Hoppelhäschen 5000
*********

Group: Members
Posts: 5,807
Joined: 3-January 04
Member No.: 5,951



Uh... great. Now, tell us - where's exactly the difference to RAW OTF and probing hacking?
Spike
post Feb 2 2007, 07:21 AM
Post #110


Moving Target
**

Group: Members
Posts: 941
Joined: 25-January 07
Member No.: 10,765



I rather suspect the presence of black ice puts a stop to most casual hackers, and those hackers who are more or less immune (ie, not running VR to hack, or just using bots) are a mild enough threat to be ignorable.

We suggest that hacking is a cheap profession to get into... for a shadowrunner. For the normal asshat hackers that make up your hundreds or thousands of hacks? not so cheap, so they use cheaper wares... or older wares. Not saying they aren't out there, only that they are a much less credible threat to megacorps who are used to dealing with professional hackers and AI's...
Serbitar
post Feb 2 2007, 10:18 AM
Post #111


Running Target
***

Group: Members
Posts: 1,498
Joined: 4-August 05
From: ADL
Member No.: 7,534



What I specifically don't like in the RAW hack in rules is, that you will always hack in with admin rights if probing, and that nobody will notice a probe in progress.

Of course I have my own solution for that, but still, in RAW it's kind of annoying.
Blade
post Feb 2 2007, 10:51 AM
Post #112


Runner
******

Group: Members
Posts: 3,009
Joined: 25-September 06
From: Paris, France
Member No.: 9,466



I think that probing is not exactly working all the time on the node with your program. You may get a copy of the node "blueprint" and then experiment safely on your copy.

I'd like to add that you may spend some time searching on the Matrix for details about the security of the node or the security holes this type of node may have or that you may try to adapt some of your exploit programs to that node, but I know you'll answer me that "since you don't roll data search and you don't roll software that's not the case".

What I mean is that probing the target is something you might be able to do without interacting directly with it, and so without any risks of being noticed before trying to get inside.

Serbitar
post Feb 2 2007, 11:14 AM
Post #113


Running Target
***

Group: Members
Posts: 1,498
Joined: 4-August 05
From: ADL
Member No.: 7,534



It's not about realism, it's about balancing, and "what you want."
Everybody hacking in for admin access is kind of lame, at least for me.
Blade
post Feb 2 2007, 01:34 PM
Post #114


Runner
******

Group: Members
Posts: 3,009
Joined: 25-September 06
From: Paris, France
Member No.: 9,466



Except that it takes longer... And who knows, once inside the security measures may be heavier for admins. If you can't afford a check of each and every user entering the node, you surely can do it for admins.

Yeah I know, that part isn't explicitly covered by the rules but the rules don't state that it's harder to get inside an Ares building pretending you are Damien Knight than pretending you are a janitor either.
deek
post Feb 2 2007, 03:01 PM
Post #115


Shooting Target
****

Group: Members
Posts: 1,706
Joined: 30-June 06
From: Fort Wayne, IN
Member No.: 8,814



Yeah, I think that is the point, probing takes more time. In my experience so far, our group's hacker has entered approximately 20 systems through the course of our games. All but one of those were hacking on the fly. There was only one time that he went in other than an admin.

The thing is, every single time he has hacked on the fly, going for admin, he has set off alerts. He has solid stats, comm at 5/5/5/5, all programs at 5, and even a node 3/3/3/3 has been able to get 5 hits on his stealth before he was able to hit 9 (firewall 3 + admin 6) on the test.

I always ask him if he is going to try admin and he always says yes, knowing he is going to set off an alarm...so while I agree it is kinda lame to always go admin, thus far, he hasn't hit a "big" system that is really going to pour it on him with IC and other countermeasures...

Probing on the other hand, especially going for admin...yeah, why not go for admin? But there has only been one run this group has been on that the hacker could afford the one hour extended test that probing gives you. That in and of itself is the obstacle...and more than enough. Granted, if you are giving your players days or weeks to prepare, well, then it is going to be lame and most runs pretty easy. So far, I haven't given them that much time to prepare, so it all kinda balances itself out!
Rotbart van Dain...
post Feb 2 2007, 03:33 PM
Post #116


Hoppelhäschen 5000
*********

Group: Members
Posts: 5,807
Joined: 3-January 04
Member No.: 5,951



QUOTE (deek)
But there has only been one run this group has been on that the hacker could afford the one hour extended test that probing gives you.

That means only one thing - they can't plan.
Serbitar
post Feb 2 2007, 03:58 PM
Post #117


Running Target
***

Group: Members
Posts: 1,498
Joined: 4-August 05
From: ADL
Member No.: 7,534



\signed

The main-target host of a run will always be probed before. Everything else is just plain stupid.

Deek, please give examples of why they didn't probe.
Dashifen
post Feb 2 2007, 03:59 PM
Post #118


Technomancer
********

Group: Retired Admins
Posts: 4,638
Joined: 2-October 02
From: Champaign, IL
Member No.: 3,374



Edit: Don't mean to put words in Deek's mouth, but I think my example meets your needs, Serb.

QUOTE (Rotbart van Dainig)
QUOTE (deek @ Feb 2 2007, 05:01 PM)
But there has only been one run this group has been on that the hacker could afford the one hour extended test that probing gives you.

That means only one thing - they can't plan.

Not necessarily. I've made a bunch of games where a hacker has to follow a trail of breadcrumbs through a number of systems each hack eating away at the time before the Johnson said that results would be superfluous. Each hack gives the team a little more information for the others to work with until they find the next system to hack. By the time the team is set up for the final Big Hack™, they don't have hours left in their time limit.

I also agree with the above statement that the additional time necessary to hack on the fly usually results in an alert. My hackers have usually used User access or Security if really necessary, but Admin is generally reserved for probing, which has only happened once or twice.
Rotbart van Dain...
post Feb 2 2007, 04:34 PM
Post #119


Hoppelhäschen 5000
*********

Group: Members
Posts: 5,807
Joined: 3-January 04
Member No.: 5,951



That's why you let Agents do the normal info-search.
Spike
post Feb 2 2007, 04:55 PM
Post #120


Moving Target
**

Group: Members
Posts: 941
Joined: 25-January 07
Member No.: 10,765



Actually, I can imagine that most heavy hack runs are against 'hardened targets' who can't be hacked prior to the run. You know, pay data is in a node inside a wireless access blocking room, things like that. Once the runners are on site they DO NOT have time to probe the target, they have to break that sucker RIGHT FREAKING NOW before real security with real bullets are breathing down their necks.

If your runners can probe every target before the run, then the problem isn't the hacking rules, it's the lame corporate security. ;)
Dashifen
post Feb 2 2007, 05:30 PM
Post #121


Technomancer
********

Group: Retired Admins
Posts: 4,638
Joined: 2-October 02
From: Champaign, IL
Member No.: 3,374



QUOTE (Rotbart van Dainig)
That's why you let Agents do the normal info-search.

True, but if you don't know about hack B before you make hack A even the agent is going to have to take it step by step. And, to make it most effective, you make sure that legwork and non-hacking must be used to get from hack A to hack B.
Rotbart van Dain...
post Feb 2 2007, 05:35 PM
Post #122


Hoppelhäschen 5000
*********

Group: Members
Posts: 5,807
Joined: 3-January 04
Member No.: 5,951



Sure, it's called railroading for a reason.
deek
post Feb 2 2007, 05:41 PM
Post #123


Shooting Target
****

Group: Members
Posts: 1,706
Joined: 30-June 06
From: Fort Wayne, IN
Member No.: 8,814



Two examples for why they are not probing:

1) Much as Spike said, they are already on site or too much heat to drop everything and let the hacker start spending an hour or two to hack.

2) Which is mostly the way I set runs up, there is little time between the meet and mission specs and the time they need to be there and do "stuff". Many times, the group is meeting at a bar, hangout or luxury box at a sports arena and they often times still have to go back to their respective dwellings, get equipment and then travel together to some other location.

I haven't done the hack A before hack B, then to go hack C...I like the concept, but I wouldn't do that on a regular basis. 90% of the time, hacking is happening to control/disable security, crash systems or grab some paydata on the way out.

And maybe it has a lot to do with our hacker also enjoying combat and not wanting to focus as much on the matrix...but still, I do run missions in a way that there is not a whole lot of lead time...
Rotbart van Dain...
post Feb 2 2007, 05:48 PM
Post #124


Hoppelhäschen 5000
*********

Group: Members
Posts: 5,807
Joined: 3-January 04
Member No.: 5,951



And, what exactly keeps the hacker from using travel time? The matrix is wireless, man.
kigmatzomat
post Feb 2 2007, 06:26 PM
Post #125


Moving Target
**

Group: Members
Posts: 914
Joined: 26-August 05
From: Louisville, KY (Well, Memphis, IN technically but you won't know where that is.)
Member No.: 7,626



I've just skimmed this thread. Fun stuff. I'm going to throw fuel on the fire by giving my interpretation of events.

Primary security would be the firewall but that's not enough so there's internal network monitoring. Both the OTF and Prober have some privileges on the system based on the user level of the application/account they respectively used to gain access. There are a host of applications that do that IRL now that are outside of the OS known as "intrusion detection systems" (IDS). These would be reflected by the "roaming" IC.

Given the scope of SR4 node/hosts, the bulk of the computing world will have one host per location with lots and lots of slave components that we can pretty much ignore (yay, SR4!). For example, my office (an engineering firm) has a local server (host) that handles printing, file storage, and mail. File storage is technically SAN but it's all managed by the server's authentication so it's one node. Other offices would be their own nodes, with various permissions granted to remote users.

These hosts would have two forms of IC, an ever-present sensor & defense laden program that acts as IDS/antivirus, and an Active Scan program that has the offensive oomph to wipe out attacks. IDS is always on and making regular perception tests. Depending on the number of slave devices, IDS could scan the primary host as rarely as once round or as much as every IP. Active Scan probably runs periodically (every 5-60 minutes) to provide a backup to the IDS and ensure the IDS is itself uncorrupted.

How IDS and Active Scan interact with hackers will depend on how the hacker enters the system.

Hack on the Fly (OTF) vs. Probing. OTF is a proper attack, using buffer overruns, weak encryption exploits, etc. to execute code on the host illicitly. 99% of an OTF hacker's actions are outside the normal usage profile for the application that was exploited, making them very vulnerable to IDS. OTF hackers are constantly trying to stealth their way past the IDS system.

Probing results in the hacker acquiring a completely legit user account. Probing the network produces a userid+password, just as if you'd pointed a gun at John Doe's privates and demanded his access codes but with fewer stains on the carpet. The hacker can do anything the poor hacked John Doe could do with the same amount of IT attention. Meaning if you read John Doe's email, no problem. Read John Doe's files or files John Doe has ready access to, no problem. Start running hack software to break into Jane's files, problem.

IDS will detect a problem on a probed account if there are two logins from the same user. If John Doe decides, out of character, to update the TPS reports because there's nothing on the trid, the hacker could suddenly be in deep drek.

Active Scan might, maybe, be able to detect a probed account. I'd make it a hard test for Active Scan to realize that the account is being accessed from a machine running stealth/spoofing. I'd make the test very hard if the hacker made a perception test against John Doe's comm before the run and then tried to spoof as that comm.

The VR representation of this is entirely up to the host. IDS is anything from a security guard to eyes in the walls. Active Scan could be a roaming guard, a vacuum cleaner, or birds flying overhead.