Matrix rules accurate, Perspective from a software engineer Options

[Larme]

From the New Seattle forums, a guy who thinks the matrix rules are awesome and has actual RL credentials regarding electronic security. Put that in your pipe and smoke it! And then discuss it, because this is a discussion board.

I'm actually quite surprised at the "accuracy" of the matrix and hacking abilites in SR4. It almost seems like they asked a programmer to help describe the rules. I'm a software engineer and in my free time occasional hack the planet and write the internet. Like the way they explain things - that you're not actually breaking a firewall as if it were a mob, you're just looking for a hole which can later be patched up. Thats how its done nowadays.

The kind of exploits they talk about a lot are referred to commonly today as "zero day" exploits. A zero day exploit is an issue that a hacker discovers but no one knows about it i.e. the company that makes the software, anti-virus and security companies like norton, Microsoft. There are people who hoard these "zero day" exploits and they are referred to as "dragons". They mostly live across the seas where software criminal laws are leanient to non-existent. These people make their living doing jobs for people or selling security flaws to others, in fact this is how companies like Norton find a lot of the holes their software plugs - they pay for it. There was recently someone caught, can't remember for what, think the police got him on a forum but he had something to the tune of 13 zero day exploits which is unheard of as most people who are good at what they do usually run into two or three in their lives.

The way the books talk about source code and programs is all surprisingly accurate as well. I really like the way they handle hacking in/editing systems especially the extended tests. The longer you run a program against something like say a brute force program, the closer it gets to the answer - it just takes time.

{REDACTED -- paragraph where he gives URLs for hacking tools, which I am not comfortable spreading around, and I also am not sure if it would comply with forum rules to repost that kind of stuff...}

DizDiz!

[Backgammon]

I'm a software engineer too. I don't hack the planet on my spare time, but I did tale a hacking class in university (for the prupose of knowing how to defend against it). So yeah, the principle of probing and using an exploit to get in is real life hacking 101. While I certainly like the rules as they are, I don't think the rules are anything to be in awe of, this is very basic stuff. It's like saying that to bake a cake, you need flour and an oven.

[imperialus]

I'm a software engineer too. I don't hack the planet on my spare time, but I did tale a hacking class in university (for the prupose of knowing how to defend against it). So yeah, the principle of probing and using an exploit to get in is real life hacking 101. While I certainly like the rules as they are, I don't think the rules are anything to be in awe of, this is very basic stuff. It's like saying that to bake a cake, you need flour and an oven.

Well just like how the driving/chase rules don't have specific rules for how to time your downshift perfectly in order to drift around an urban intersection at 95 MPH and the combat rules don't simulate someone carefully lining up a sniper rifle from three KM out, adjusting for wind, target movement, and the number of grains of powder in his carefully handmade bullet. You just make a pilot/longarms roll with some modifiers for difficulty and be done with it.

[Backgammon]

I'm not saying the hacking rules leave anything to be desired. But similarly, if someone made a post saying he was an F1 pilot and said the Chase rules were very impressive, you'd cock an eyebrow at him too.

[Ravor]

Seconded Backgammon, we have no way of knowing whether or not DizzyKA is on the level or not.

[Heath Robinson]

The plural of anecdote is not data. The singular surely isn't, either (surprising, that).

[Draco18s]

Did he forget that in SR you have to decrypt a wireless signal before you can intercept its packets?

IRL you have to intercept the traffic and perform the decryption on them.

[hobgoblin]

and if SR had real life encryption, you could kiss the hacker archetype byebye...

thing is, he is one of the last threads connecting SR with cyberpunk of old.

[Larme]

Yeah, there's no question that hacking is more reliable in SR4 than in real life. Like he said, the most legendary guy who ever got caught had 13 zero-day exploits. SR4 hackers can pull those out of their ass whenever they feel like it (though they don't last very long). There might be an explanation for this, as no system will even be vulnerability free, and when people can hook their hacking tools directly into their brain and overclock the whole thing in hot sim, it's hard to keep them from finding said vulnerabilities. And then again, there might be no explanation except that this is Cyberpunk, and Daddy Gibson told us that we're allowed to hax like crazy (IMG:style_emoticons/default/wink.gif)

[Dragnar]

That's a really wierd defense of the hacking rules.
The SR-rules don't model the search for exploits well, if at all. That's not actually a problem, because modelling that stuff realistically would make for a really boring game.
Finding a zero-day exploit in RL is a lot of work and even more luck and is usually a matter of days or even weeks, while every joe-average in SR finds an exploit in a few hours. Experienced hackers even have a significant chance of finding a lasting exploit on the fly.
So, why exactly is not modeling the real-world "accurate"?

And that's one of the least inaccurate parts of the SR-matrix rules...

[tete]

Uhh ok, yeah... I wouldn't put anyone who "hacks the planet" on weekends as a professional. They have professional certs for people who do this thing for a living. Including the ethical hacker certs. Black Hat is just finishing up in Vegas right now which anyone in the US and in the field should be attending. Shadowrun has always even since 1e had some semblance to real world cracking. I wouldn't say 4e is any more accurate than any previous edition. The terminology is more accurate but weather you want to call it attack or exploit is not a big deal to me. To my knowledge no edition of any Shadowrun has ever been seized by the US Secret Service (Like GURPS Cyberpunk), so obviously its not a manual for how to really do it.

Yeah and staring at packets all day, looking for files that are bigger than they should be or unusual traffic... its pretty boring. And personally I tell my users if they loose there password to an encrypted drive... we will be formatting because im not tying up my workstation for weeks to decrypt your disk just so you can get your powerpoint back.

I'm curious if his website is insecure.org. because all those tools are legit and some of them are even free.

[Draco18s]

And personally I tell my users if they loose there password to an encrypted drive... we will be formatting because im not tying up my workstation for weeks to decrypt your disk just so you can get your powerpoint back.

But I muzt haz my PowerPointz! With them I can be awesome!

[hobgoblin]

gurps cyberpunk got seized mostly because it was edited on a computer, and the US secret service walked in and grabbed all computers, as one of them was running a bbs that someone they where interested in where attending.

[LurkerOutThere]

*sigh* You do realize that just by virtue of there being a codified attack program their not zero day exploits right? In real world parlance everyone but Otaku are script kiddies unless they completely coded all their own attack programs form scratch.

[hobgoblin]

attack programs only operate on persona-like icons...

thats the thing about SR matrix, i took a turn towards magic with crash 1.0 (2029), when echo mirage was deployed.

after that, things have been a balancing act between cyberpunk style hacking (heavily rooted in the 80's BBS environment) and real life (as more and more people in the community gained understanding of computers and networks).

until virtual realities 2.0 was released, the matrix behaved pretty much like the US phone system and bbs's (read hacker crackdown to get some impression of how it was if one is to young to have been a computer interested teen during the 80's), VR2.0 shifted things a bit more towards the internet and the web, by making sculpted systems the norm, but only with SR4 do we have a system thats close to the net (in that one no longer have to path out each RTG and LTG between attacker and target, much like one do not care about the number of routers one traverses when surfing).

the deckers of SR1-3 was more like phone phreaks, with the RTGs being regional phone switches, where with the right tones down the line, or the right unlisted number dialed, one could set up a international conference call of unlimited size while not paying.

[MKX]

I'm not into software as such, network engineer by trade but ended up specialising mostly in wireless and optical transmission for a telco and a wireless broadband provider, but I suspend disbelief once a month for the sake of a game of SR (IMG:style_emoticons/default/smile.gif)

[kigmatzomat]

The SR rules system shouldn't be realistic - real world hacking is not something that gets done in combat turns.

Lack of realism has never been any of my problems with the matrix system. I just wish it was as "together" as the whole of the magic system. You don't see mages with Agent Smith problems or skills that have no purpose.

[Ancient History]

The magic system has had the better part of four editions to simmer and cook. The Matrix system gets revamped every Ghost-be-damned edition, and it shows. There's never been enough time to boil it down to the point of least possible idiocy.

[hobgoblin]

got to love that SOTA-coaster, eh? (IMG:style_emoticons/default/wink.gif)

[Larme]

I don't buy the argument "it can't be modeled after the real world because it's so much faster." That does not follow. We haven't forgotten that it's futuristic, science fiction game, right? I don't think anyone said it was actually emulating the real world. As such, a failure to follow a real world detail, like how long it takes, doesn't invalidate the original post. The original post is saying something pretty simple -- the matrix rules approximate real world hacking insofar as real world hacking is all about finding holes. Matrix hacking is also about finding holes using Exploit. That's really the only accuracy that the OP was talking about.

The fact that it's done with a program and not your bare hands doesn't mean it fails in terms of realism -- we're talking about a future world where new computer technologies make programs more powerful. The fact that it's done at lightning speed doesn't mean it fails in terms of realism, either, since we're talking about plugging your brain directly into what is effectively an optical supercomputer. Realistic doesn't mean "the same as it is today." Realistic means "shares something in common with modern day hacking." At least, that's how I see it. We find exploits today. We find exploits in SR4. The methods have changed, but the ultimate goals are the same. That's the accuracy the OP was talking about, and I don't think anyone's quibbles about how fast it is or whether you use a program contradict it at all.

[kigmatzomat]

The magic system has had the better part of four editions to simmer and cook. The Matrix system gets revamped every Ghost-be-damned edition, and it shows. There's never been enough time to boil it down to the point of least possible idiocy.

I blame TRON. If the SR1 designers had never been distracted by the "quest for the MCP" through the CPU/SPU/SAN dungeon crawl it might have had a chance.

Of course their only alternative was Wargames, which wasn't exactly a cyberspace adventure.

[TeknoDragon]

I blame TRON. If the SR1 designers had never been distracted by the "quest for the MCP" through the CPU/SPU/SAN dungeon crawl it might have had a chance.

Of course their only alternative was Wargames, which wasn't exactly a cyberspace adventure.

Added to the List of Things for my Next Hacker:
2) a Tron-style avatar and preferred environment
3) a tendency to delay those trying to access a hacked node with prompts like 'Would you like to play a game?'

[Dragnar]

As such, a failure to follow a real world detail, like how long it takes, doesn't invalidate the original post. The original post is saying something pretty simple -- the matrix rules approximate real world hacking insofar as real world hacking is all about finding holes.

That has nothing to do with being accurate, though, because it really isn't. By that train of thought, D&D accurately reflects real medieval battles, because people get stabbed in the face in both. Which it doesn't. And neither does SR. Now, it isn't necessarily bad, just because it isn't accurate, but an argument for realism built on top of such a weak foundation is kinda useless.

EDIT: spelling

[StealthSigma]

and if SR had real life encryption, you could kiss the hacker archetype byebye...

thing is, he is one of the last threads connecting SR with cyberpunk of old.

For the record, I'm talking about symmetrical encryption, not asymmetrical encryption, which talks about 2048bit keys and larger.

Well, the hacker archetype would still be alive, but when it comes to breaking encryption he'll be seriously hampered. Encryption has consistently beat out brute forcing the key to decrypt the data. The reason is that brute force times don't scale linearly with encryption key size. If I increase the key size from 64 bits to 128 bits, the decryption time squares. What sucks about breaking encryption is that it's best described in scientific notation. A 128bit key has about 2^128 possible combinations. A computer which can perform an exaflop (10^18 calculations per second) will still take 1.3x10^10 years (longer than the age of the universe) to break the encryption. Bumping the encryption to 258bit, which is available now, would up the time required for an exaflop computer to be 3x10^51 years to break.

Folding@home has the highest FLOP value (mind you that's distributed computing) at 8.1 petaflops (8.1x10^15 calculations per second). The human brain is estimated to be capable of 15 petaflops (1.5x10^16 calculations per second).

I could see organizations in Shadowrun developing a means to harness the human brain as a computer, kidnapping a bunch of street scum, putting them into a coma and keeping their bodies alive via life support while using the full capacity to compute various things.

Just some brief numbers on how many people it would take to do this.... Let's set a goal of 90 days to crack the encryption. It is also reasonable that 512bit encryption would be standard fair.

512bit encryption has 1.3x10^154 combinations.
There are 7,776,000 seconds in 90 days leading to a required FLOP value of 1.7x10^147 FLOPs.
So it would require 1.1x10^131 individuals to brute force a 512bit encryption. Which is more than the entire population of earth at the time.

Needless to say, in SR a hacker will not be brute-forcing encryption. If he's breaking encryption, he's going to be doing so via exploits in the key generation algorithm or limiting the possibilities of the key via figuring out what was used for the key phrase.

[Draco18s]

For the record, I'm talking about symmetrical encryption, not asymmetrical encryption, which talks about 2048bit keys and larger.

Well, the hacker archetype would still be alive, but when it comes to breaking encryption he'll be seriously hampered. Encryption has consistently beat out brute forcing the key to decrypt the data. The reason is that brute force times don't scale linearly with encryption key size. If I increase the key size from 64 bits to 128 bits, the decryption time squares. What sucks about breaking encryption is that it's best described in scientific notation. A 128bit key has about 2^128 possible combinations. A computer which can perform an exaflop (10^18 calculations per second) will still take 1.3x10^10 years (longer than the age of the universe) to break the encryption. Bumping the encryption to 258bit, which is available now, would up the time required for an exaflop computer to be 3x10^51 years to break.

Or you could build a dyson sphere computer out of the solar system. I think it would take all of the matter inside of pluto and arranged computationally optimally to make a computer large enough to brute force current encryption in a reasonable time frame.