RAW Hacking, How different GM's handle problems Options Track this topic Email this topic Print this topic Download this topic Subscribe to this forum Display Modes Switch to: Outline Standard Switch to: Linear+

[Faelan]

I realize there are probably a dozen topics answering my questions to different degrees, and I have found many, but I have found it problematic parsing the information down into something useful. In this instance I am not looking for a whole new system, but more likely assorted house rules to rectify the following problems.

1) The speed of hacking leaves me wondering why anyone even bothers to encrypt anything, unless it is just to prevent casual users from access.
2) The quality of encryption leaves me wondering how financial transactions are conducted securely?
3) The existence of hackastack or agent smith makes me ask the question of how do you defend against the Mongol horde?
4) How do you maintain control of vehicles or drones with the above issues?

Most of my players avoid players avoid playing hackers like the plague so I get to use a lot of handwaving, however one really likes having his drone army.

Some solutions I came up with were as follows:

1) I have made breaking encryption an all or nothing roll, not extended. Break the threshold and succeed, don't and fail, get detected, prepare to be booted.
2) Agents must buy hits, they never roll. Get a secure enough system and it does not matter how many attacks roll in. In other words if its a hacker he has a shot.
3) Also looking at Electronic Warfare as a major way of cutting down on hacking, and for denying others use of their wireless networks.

So what house rules have people come up with for dealing with these issues, and better yet how do you use Electronic Warfare in your games. Thanks.

[Starmage21]

I realize there are probably a dozen topics answering my questions to different degrees, and I have found many, but I have found it problematic parsing the information down into something useful. In this instance I am not looking for a whole new system, but more likely assorted house rules to rectify the following problems.

1) The speed of hacking leaves me wondering why anyone even bothers to encrypt anything, unless it is just to prevent casual users from access.
2) The quality of encryption leaves me wondering how financial transactions are conducted securely?
3) The existence of hackastack or agent smith makes me ask the question of how do you defend against the Mongol horde?
4) How do you maintain control of vehicles or drones with the above issues?

Most of my players avoid players avoid playing hackers like the plague so I get to use a lot of handwaving, however one really likes having his drone army.

Some solutions I came up with were as follows:

1) I have made breaking encryption an all or nothing roll, not extended. Break the threshold and succeed, don't and fail, get detected, prepare to be booted.
2) Agents must buy hits, they never roll. Get a secure enough system and it does not matter how many attacks roll in. In other words if its a hacker he has a shot.
3) Also looking at Electronic Warfare as a major way of cutting down on hacking, and for denying others use of their wireless networks.

So what house rules have people come up with for dealing with these issues, and better yet how do you use Electronic Warfare in your games. Thanks.

I love the idea of #2, but #1 makes no sense at all. Real encryption, that SR4 encryption emulates, merely takes time.

[RunnerPaul]

1) The speed of hacking leaves me wondering why anyone even bothers to encrypt anything, unless it is just to prevent casual users from access.

Locks keep honest men honest.

2) The quality of encryption leaves me wondering how financial transactions are conducted securely?

The stronger encryptions offered up in Unwired go a long way to making Shadowrun's electronic banking actually possible, IMO. One possible solution is to have the central banks automatically issue a set of authentication tokens for transactions to account holders on an hourly basis, the tokens having been pre-encrypted with 24-Hour Strong Encryption. Think of it as the CVV number on the back of your credit card, except you have a set of them, using a different one for each transaction you make, and you get a replacement set delivered to you every hour. Oh, and the tokens are delivered by a high rating Agent that has encyrpted the entire set as a single archive using Dynamic Encryption. Set the system to reject any transaction bearing a token that's more than 18 hours hold, and make anyone who's had an unscheduled matrix-access outage of 24 hours or more go through extra verification procedures before being issued further tokens.

4) How do you maintain control of vehicles or drones with the above issues?

Use Unwired's rules for Slaving, bolt armor plate over top the drone's physical hardwire connection ports with a standing command to shoot anyone who comes after it with a wrench, and limit your wireless communications to point-to-point Beam Links.

1) I have made breaking encryption an all or nothing roll, not extended. Break the threshold and succeed, don't and fail, get detected, prepare to be booted.

Harsh. One alternative I've seen proposed was to use a "Diminishing Returns" style cascading test interval. First roll of the extended test takes a combat turn. Second takes a minute, Third takes an hour, fourth takes a day, 5th takes a month, 6th takes a year, 7th, takes a decade and so on.

[Faelan]

I realize decrypting just takes time, but the speed with which it occurs in SR4 seems ridiculous. My limiting decrypt to a single all or nothing attempt is meant for on the fly hacking, since it is described as a brute force attempt. In other words you will be detected and chased unless you manage to get inside and make it your own. The thresholds and times for slowly hacking seem fine to me, even as extended rolls. I don't want to ban the brute force approach, but I definitely want to make it very risky. My line of thinking is you take the sledgehammer to the backdoor, the SYSOP hears you and the encryption is changed immediately, and the hounds of hell are set loose on your ass. If you knock the door down you jump through and the SYSOP responds too late, you are in. The brute force approach does not take much thinking, hence Agents get to do it. The long term approach is something I am thinking of not allowing Agents to do. To really hack, in other words sneak in and mess with a high security system requires a sentient being behind the wheels not some program.

Thanks for the suggestion for the drones, and the diminishing returns. The financial transaction security still seems shaky. It really has to be damn near unbreakable for it to be reliable.

[kzt]

We used NPC hackers and hacking just happened. Life was good.

[Faelan]

Life was good. Keyword WAS, thanks for rubbing it in (IMG:style_emoticons/default/wink.gif)

[jklst14]

3) The existence of hackastack or agent smith makes me ask the question of how do you defend against the Mongol horde?

I haven't thought this through yet but in addition to the Access ID limitation in Unwired, you could cap the max ratings of Agents. Say the node's Response/2 instead of Response? Then a real life hacker will always be better than any agent, since most Agents would have a rating of 3 at most.

It would leave us with a problem of all IC sucking. Maybe there's a way around that? Or maybe this wasn't such a great idea...


-JKL

[The Jopp]

My solution to encryption and to make it take longer is to do the following:

Encryption - Program adds its rating to all tests against the node
Decryption - Decryption reduce the effectiveness of encryption by its rating.

So, a hacker with Decryption 3 going up against an encryption 6 will have a +3 to all treshold tests like probing the target and hacking on the fly and similar tests where there is a fixed treshold.

In opposed tests the target adds defense dice.

My reasoning with this is because the encryption is not static. Both sides use live encryption that changes by the second which means that there is no set encryption key as it changes constantly to keep people from getting inside.

Also, it mean that one can fail miserably if one doesn't have a decryption program as everything becomes a LOT harder.

[Ryu]

- Encryption is a success test. Check.
- The good old credstick is now a slaved node with integral passkey for a "militarised" bank server. The rating 6 encryption is just there to annoy hackers. We are using the logic+skill option, so the SOTA rules increase believeability for matrix banking.
- Using Agent Smith angers the universe. Yes, that is a solution. I´m playing around with a rule limiting multiple uses of one program in the same timeframe, but so far it does not work for cybercombat.
- Vehicle security is an issue? Encryption + passkey + firewall upgrade + slaving to the comlink.

2) Agents must buy hits, they never roll. Get a secure enough system and it does not matter how many attacks roll in. In other words if its a hacker he has a shot.
3) Also looking at Electronic Warfare as a major way of cutting down on hacking, and for denying others use of their wireless networks.

Number 2 is great, that might actually be a simple solution. Perhaps with rolling the "leftover" dice, to use the full range of ratings. I´m considering to count only the highest icon damage per IP, so that running multiple attack agents on one target gets inefficient fast.

If you are looking at Electronic Warfare, consider to use a smart jammer against known offenders. Adds ECCM to the requirements of hacking your net, if nothing else.

[Faelan]

Thanks for the input. I think what I will be going with is adding the logic attribute to any roles. This gives a live hacker an advantage over the machine (unless its an AI), combined with Agents having to buy hits (and yes I think rolling the left over 1 or 2 dice will work great) will create the effect I was looking for. Note the hacker defending against Agents can also buy hits, this essentially neutralizes the threat of the Mongol Horde, and makes hacking what I wanted, which is a character vs character situation. Ultimately I think it will cut back on unwanted dice rolling, give systems a decent level of everyday security since having Agents do your dirty work against a well secured system is out of the question, and in addition to the master and slave unit rules provide limited access to stealing drones. In other words I think things will be challenging now, without it being impossible.

I think I will be using EW for limiting opposing wireless connections or preventing jamming of friendly connections. Proper use of this could require a hacker to hardwire into the local node just to avoid potentially getting kicked off by losing "bars" at an inopportune time.

[Aaron]

The stronger encryptions offered up in Unwired go a long way to making Shadowrun's electronic banking actually possible, IMO.

Electronic banking relies on strong encryption only when it's a centralized system. In a decentralized system, you don't really need any encryption.

[RunnerPaul]

Electronic banking relies on strong encryption only when it's a centralized system. In a decentralized system, you don't really need any encryption.

Two questions then:

• Can you detail how a decentralized banking system works? A swarm of computers all taking a vote on how much available funds are in account A and whether or not the account holder authorized a transfer of some of those funds to account B?
• What canon references lead you to believe such a system is in use in Shadowrun?

[Aaron]

[*]Can you detail how a decentralized banking system works? A swarm of computers all taking a vote on how much available funds are in account A and whether or not the account holder authorized a transfer of some of those funds to account B?

I have before on DS, albeit a while ago. You'll have to search for it, sorry.

[*]What canon references lead you to believe such a system is in use in Shadowrun?

Again, I've posted this before, too. At this point, you'd be doing the same search through DS or the PDFs that I would. Plus there's probably something in Unwired; I'd start in the fluff and then maybe look in the game info sections for forging cash.

[RunnerPaul]

I have before on DS, albeit a while ago. You'll have to search for it, sorry.

I tried, but I'd be more successful if I had a better idea of timeframe than "A while ago" or a better keyword than "banking" or "decentralized" to use. You're approaching the 2K post mark, and the only two hits turned up on either of those two keywords under your name were your posts in this thread.

Plus there's probably something in Unwired; I'd start in the fluff and then maybe look in the game info sections for forging cash.

Unwired sections for forging cash only apply to funds on certified credsticks, which are really just an obscure corner case of SR's Electronic Banking.

[Aaron]

I tried, but I'd be more successful if I had a better idea of timeframe than "A while ago" or a better keyword than "banking" or "decentralized" to use. You're approaching the 2K post mark, and the only two hits turned up on either of those two keywords under your name were your posts in this thread.

All I can say is keep looking. I'm getting sick of spending time rendering professional explanations of how computers (or networks, or encryption, or programming, or anything else I get paid to teach) work, only to have some obtuse twit not bother to read it, give obtuse replies, and insult the intelligence of myself and of other readers. I'm not naming names and I'm not saying that I expect you to do the same thing. It's just that I'm sick of being lead down the path to frustration just because I like to teach and be helpful. I'd be happy to describe the system in person if you catch me at a convention or something, but until then I'm afraid you'll have to do your own research.

It might be about identification rather than banking, but it's pretty much the same whether your data is money or identity, if that helps.

Unwired sections for forging cash only apply to funds on certified credsticks, which are really just an obscure corner case of SR's Electronic Banking.

This one I'll help with, because I remember reading that and thinking that AH was pretty cool for including it. Lemme see ... here it is on page 95 of Unwired. It seems to have been chopped down a bit; now it's only something about online cred being constantly tracked and monitored. So I guess it's been edited down to just an implication of a decentralized system.

Hm. Maybe I will give a mini-lesson. Here: the system is akin to the way a BattleTech Grand Melee or a game of hopscotch is refereed.

[RunnerPaul]

Hm. Maybe I will give a mini-lesson. Here: the system is akin to the way a BattleTech Grand Melee or a game of hopscotch is refereed.

At first blush, I'd have questions about the scalability of those techniques, but I'll just attribute that to the mini-ness of the lesson.

[Ryu]

Something in that direction (link)???

I sent my (information access code) to my bank, after sending individually worthless "junk" to several other servers, tampering with one of those just destroys the transaction, and the bank can access my data just fine, because it got the access code?

[Aaron]

Sorta like that, yeah, except that since the data is held in a large number of places at once, and those places can query one another to double-check their own information, the only way to forge electronic cash is to alter the data in all places at once. If storage and transfer speeds are ridiculously high (as is the case in Shadowrun), then you can't actually forge electronic cash unless you crash the whole Matrix at once, assuming you can find all of the places the cash is being tracked.

[RunnerPaul]

assuming you can find all of the places the cash is being tracked.

Surely that's just a matter of traffic analysis?

[Faelan]

I think what Aaron is saying is that you essentially have these rock solid sites, which constantly double check each other, so unless you hack all of them simultaneously the information will revert to its proper format near instantaneously. My question to this then is how does this quorum of trust identify a legal transaction? Is a legal transaction essentially bursting the access code to twenty different servers and since it is good to go they all accept. Whereas with an illegal transaction I would have to hack those twenty servers simultaneously for the same effect. The security gets better as the number of secure servers I am transmitting to goes up. Of course you could still steal from someone if you manage to break their perfectly legal access code, but this would require what?

[kzt]

Of course you could still steal from someone if you manage to break their perfectly legal access code, but this would require what?

Recording, decrypting and replaying the code....

The claims that you can't record an encrypted signal would certainly surprise people who do real world decryption, because that is a key element of the process. That's how the US broke the Venona one-time pads, the Purple Japanese diplomatic codes, the JN-25 navy code, and the Germans broke the British BAMS, Naval Cipher No.3 and the US Black diplomatic code.

[Aaron]

Surely that's just a matter of traffic analysis?

That's a valid approach, but what if you're trying to find hundreds or even thousands of nodes for each single nuyen? Let's say you only have a thousand nodes tracking cash, and each unit is tracked by only two hundred of those nodes. That's a one in 6.6 x 10²¹⁵ possible sets of 200 nodes to choose from. Incidentally, that's also the number of cash units that such a system could track.

And what if the data you mined five minutes ago is out of date? If the tracking nodes keep trading responsibility for any given unit of cash, that makes it even harder to track.

Could such a system be viable today? Well, in smaller form, yes; see Ryu's link to the distributed file system, above. Could it be viable in The Future? It'd not only be viable, it would be trivial.

[kzt]

You expect to maintain a consistent state table on EVERY commlink in the ENTIRE world for EVERY nuyen? Really? I'd attack the synch process then, just a little. It's got to be like someone trying to use OSPF to route the internet and should crash nicely.

Otherwise, I'd start randomly nuking packets bound for several of the major sites. Now they don't agree and the world melts down.

[Aaron]

You expect to maintain a consistent state table on EVERY commlink in the ENTIRE world for EVERY nuyen? Really? I'd attack the synch process then, just a little. It's got to be like someone trying to use OSPF to route the internet and should crash nicely.
Otherwise, I'd start randomly nuking packets bound for several of the major sites. Now they don't agree and the world melts down.

See, this is why I've given up trying to offer stuff to DS.

kzt, if you're clever enough to think of that attack (which, obviously, you are), you're also clever enough to come up with a solution to it. It's not as much of a vulnerability as your post suggests.

[Ryu]

You would not need to maintain consistency on every server, far from that. Let several thousand servers compare data, and accept a 75% result as valid.

The commlinks can connect to a few transaction servers, which establish trust in the commlinks identity by comparing data. They maintain coherency of the money, and manipulate the money conditionally if the transaction comes from a trusted source and is acceptable to the bank. The security of your account does depend on the security of your endpoint.