Spoofing vs Slaved Commlink Options

[suoq]

So....having cyberware is stupid?
If any jackass with a rating 3 commlink and an off the rack agent can completely shut you down, what's the point?

I don't understand.
1) hack in directly requires a physical (wired) connection to the device. If this is the option available to by the "jackass" you're in enough trouble already.
2) hack the master node. If your master node can be hacked with a rating 3 commlink and an off the shelf agent, you need to quick spending money on your hairstylist and upgrade your gear.
3) spoof the access ID of the master node and then spoof commands to the slave. - Assuming your got the access ID, you're facing a Device Rating x 2 check at -6 dice. (because I cannot, for the life of me, think of a single reason why the admin bonus would not apply here). Again, the rating 3 commlink and off-the-rack are not going to be successful here)

I will agree that of the 3, #3 is by far the problem child. Spoofing was written for a power level in line with SRA4 and with every expansion the power creep has upset the balance of power even more.

[Fortinbras]

(because I cannot, for the life of me, think of a single reason why the admin bonus would not apply here)

If you choose not to have your broadcasting Access ID have Admin Access to aforementioned cyberware, then those Spoofing that Access ID can't delete your enslavement.
Not the best reason, but a reason.

[baronspam]

Because of the vulnerability to spoofing I think the strategy outlined in the first post is a poor one. Don't slave everyone's comlink to the hacker. The hacker should have an access code in case any matrix shenanigans start to go down and he has to jump in there and trash someone, but I think the best overall strategy is for EVEYRONE to always run Firewall 6 on their comlinks, to have the very best response and system they can possibly afford, have the best Analyse program you can afford and run it 24/7 to check for attempts to break in, and add a Steath program for when you are on a run and need to go into hidden mode. With firewall 6 and a high end stealth program its going to be hard for the badguys to even find your comlinks in the first place if you are running in hidden. Getting into a well secured comlink is not as easy as it sounds, and once in you are in you are subject to connection termination or an old fashioned system restart. Plus, if they never tried to hack you how is your own hacker supposed to feel like a hero?

In general, don't connect cyberware to your pan. Once in a while you should to get firmware updates and such, but there really isn't a reason to have cyberware subscribed mid run. You have a DNI to all your own cyberware, turn the bloody wireles off when not in use. The main exception is cybereyes for smartgun systems, but even then just skinlink the system and skip the wireless, or go old school and run a cable through a harness under your armor and plug into your datajack.

If you really, really, really are paranoid about your comlink getting hacked, don't forget you can run your own IC on it as well.

Another trick, do all the above to your main comlink, keep it in hidden, and run a second comlink with moderate defences with a fake SIN and no useful data when you need to have a comlink non-hidden in high security zones or social situations that call for it. The hacker busts into the active comlink, finds a empty address book, a bank acout with 50 nuyen, and nothing subscribed. By this time the wireless on your main link is deactivated, and the group's hackers is joining the party to earn his keep by making the intruder's ears bleed.

[suoq]

If you choose not to have your broadcasting Access ID have Admin Access to aforementioned cyberware, then those Spoofing that Access ID can't delete your enslavement.
Not the best reason, but a reason.

Are you saying that if the broadcasting access ID has some access OTHER than admin access to the cyberware it's somehow creates a more favorable situation for the target? Could you explain please?

[Fortinbras]

Are you saying that if the broadcasting access ID has some access OTHER than admin access to the cyberware it's somehow creates a more favorable situation for the target? Could you explain please?

Nevermind. Once you slave something, the master has admin and only admin access. Unwired p.55.

[suoq]

Don't slave everyone's comlink to....

To do this you either have to:
1) Not run a tacnet.
or
2) Run a decentralized tacnet instead of a Centralized Tacnet (PG 125 Unwired). To do this, you must
a. Convince everyone on the team to invest in a Tacsoft
b. Make sure everyone's commlinks are as solid as the hackers.

This is a non-trivial investment. If your team has the (IMG:style_emoticons/default/nuyen.gif) it's worth it, but teams with limited funds are going to be drawn to that centralized tacnet and therefore slaved to a single commlink and vulnerable to spoofing.


Edit:
3) Simply get everyone good commlinks. It occurs to me that if everyone's on a device rating 6 commlink, then the spoof check is a target of 12 at -6 dice even with the centralized tacnet.

Now someone please refresh my memory, is the Device rating of a commlink System or the average of System & Firewall or the Average of System/Firewall/Signal/Response. I keep finding conflicting suggestions when I try to look it up.

[Ghost_in_the_Sys...]

Only if the Access ID you are spoofing has admin privileges. Even then "Accept me as the new master" is a bit of a misnomer.
The first thing you would need to do is delete the enslavement. Then you would need to hack in and create a legit account for yourself, probably an admin account. Once you have a legit admin account you can slave the device to yourself.
This cannot be done in one command.

You can't just give the command "Be enslaved to X Access ID" because X Access ID doesn't have an account.

By definition a master has admin privileges, but does not necessarily need a particular account. So the first thing you would have to do would be to get the access ID that is the master (which is more like the 0th thing you have to do). You can then spoof the slave -any- command. That command is 'Access ID x is your new master', which then gives Access ID x admin privileges because it is the master. You don't need to hack an admin account first, you're basically just claiming to be the system administrator, then saying you have a new system administrator, so your switching who owns an account, not having to create a new one.

As for peripheral device, guess I missed it, was trying to do a quick find through my PDFs and wasn't coming up for some reason. But as the Unwired Spoof says it operates on electronic devices, which includes nearly everything you would want to use spoof on, and the other things are also listed.

spoof the access ID of the master node and then spoof commands to the slave. - Assuming your got the access ID, you're facing a Device Rating x 2 check at -6 dice. (because I cannot, for the life of me, think of a single reason why the admin bonus would not apply here). Again, the rating 3 commlink and off-the-rack are not going to be successful here)

Why would you take the -6 dice? Spoof doesn't have anything saying that the access privilege required to perform the command has any bearing on the check, does it? My memory on some of the hacking rules are fuzzy, so could be wrong about that.

Are you saying that if the broadcasting access ID has some access OTHER than admin access to the cyberware it's somehow creates a more favorable situation for the target? Could you explain please?

I think he means slave device A to device B with access ID B, then change device B's access ID to C. Now device A only accepts commands from an access ID that isn't broadcast anywhere. Device B can change its access ID back if it needs to (Pulling the proper ID from the hard drive or being entered from metahuman memory). Thus Device A is virtually 100% secure, but also a pain to access and requires a time delay.

[LurkerOutThere]

Actually to do all three.

You should slave your comlink to the hacker so he can monitor the info sec side of the house (provided you trust him)

You should run the best independent security you can in case something breaks the slave linking (spoofing, jamming, hacker getting taken out by panther, actual or cannon)

You should put no more of your ware on your PAN then you need to do to get the job done. Even without tacnet I really like having an audio/video feed to my teammates so i usually keep that up.

Generally speaking cyberware hacking is dumb but there are some easy and relatively cheap precautions you cna take against it. Generally speaking I as a GM honor any reasonable precautions my players want to put in ahead of time. I encourage people at convention games to write down what precautions their taking on their character sheet. If i say to them "Hmmm and it looks like your comms are hacked" and they say "Nope, i've done XYZ" and can show me prior documentation of same I congratulate them on their preparation. Unless said methods involve clustering at which point I start to work on a way to feed them to ghouls.

[Fortinbras]

By definition a master has admin privileges, but does not necessarily need a particular account. So the first thing you would have to do would be to get the access ID that is the master (which is more like the 0th thing you have to do). You can then spoof the slave -any- command. That command is 'Access ID x is your new master', which then gives Access ID x admin privileges because it is the master. You don't need to hack an admin account first, you're basically just claiming to be the system administrator, then saying you have a new system administrator, so your switching who owns an account, not having to create a new one.

Firstly "Access ID X is your new master" isn't a command you can give. A slaved account can only have one master at a time as it will only accept commands from that node. So the first thing you would have to do is delete that enslavement, otherwise the node will still only accept commands from it's original master.
Secondly, the Command "slave to Access ID X" cannot work because Access ID X has no valid account. A device does not recognize commands from any Access ID that isn't in it's account database. That's what hacking is. You are fooling the device into thinking you have legit access.
To slave the device to your Access ID, you would need to create an account. To do this, you need to hack into the system and create one using a Software or Hacking + Edit test.

You can't create any kind of network without access to all the nodes within that network.

EDIT: You could always just Spoof the device to add an account, but that is more difficult.

[suoq]

Why would you take the -6 dice? Spoof doesn't have anything saying that the access privilege required to perform the command has any bearing on the check, does it?

Unwired, Pg 99. I think it's somewhere else as well but searching the PDFs gets frustrating.

-----------------

While we're on the subject. Does a loaded agent program count as IC or not? Any guidelines? Do I need to buy an agent program that's ONLY good for IC for it to count as IC? I get confused with that (much like I get confused with device rating and commlinks). If you're running IC as a hacker, what do you have loaded and running on your commlink at any one time?

[Fortinbras]

While we're on the subject. Does a loaded agent program count as IC or not? Any guidelines? Do I need to buy an agent program that's ONLY good for IC for it to count as IC? I get confused with that (much like I get confused with device rating and commlinks).

All IC are Agents. Not all Agents are IC. For the most part, treat them as one and the same. They are both SK personas and treated the same for rules purposes.

As for device ratings, the BBB says that if the device is playing an important role, then it's Matrix attributes should be filled out. Device ratings are really just for GMs.

[Ghost_in_the_Sys...]

Firstly "Access ID X is your new master" isn't a command you can give. A slaved account can only have one master at a time as it will only accept commands from that node. So the first thing you would have to do is delete that enslavement, otherwise the node will still only accept commands from it's original master.
Secondly, the Command "slave to Access ID X" cannot work because Access ID X has no valid account. A device does not recognize commands from any Access ID that isn't in it's account database. That's what hacking is. You are fooling the device into thinking you have legit access.
To slave the device to your Access ID, you would need to create an account. To do this, you need to hack into the system and create one using a Software or Hacking + Edit test.

You can't create any kind of network without access to all the nodes within that network.

Sure it is. First off nothing in the book says a slave can't have more than one Master (But that doesn't really mater, never wanted it to). Second, Access IDs don't have accounts, so you can't set up an account for Access ID X, and thus don't require an account for Access ID X. Third, you don't need to delete the old enslavement, because that enslavement is how you are accessing the slave in the first place, and so deleting it would only be useful if you then planned to do a normal hack, but that's fairly pointless since you already more or less have admin access.

Device A is slave to Device B, Device C spoofs as Device B, Device C changes the value of the Master's Access ID to that of Device C. Device A is now slave to Device C. There is no need to make a new account, because accounts are just username/password, accounts have nothing to do with access ID. It may be true that after making this switch you'll need to crack the password on the 'Master Account', but it is a bit fuzzy from the description

In this setup, the master is given full admin access to the slave.

means that it requires an admin account (in which case you're just taking over the one that the old master used) or that the master is automatically given full admin access without an account (It basically gives admin level access automatically to anything coming from the master). I don't see spoofing working if it is the former though, because you'd send a command as the master, but it would be blocked if the master didn't happen to be logged in at that moment.

It seems instead that the slave goes "Oh look, an incoming connection/command, if it isn't from my master, I'll ignore it and send my master an update. Oh, it is from my master, I'll go ahead and do whatever it says, because it is from my master. Oh, it says that my master is now Bob instead of Joe. That's weird, but it is my Master, so I'll do what it says. Oh look, a command from Bob, I better do what he says."

[suoq]

As for device ratings, the BBB says that if the device is playing an important role, then it's Matrix attributes should be filled out. Device ratings are really just for GMs.

Alas, tests like Spoofing go vs Device ratings so I need to convert Matrix Attributes back to Device Ratings. Can't recall if there's a consistent way I should be doing it.

[Ghost_in_the_Sys...]

Alas, tests like Spoofing go vs Device ratings so I need to convert Matrix Attributes back to Device Ratings. Can't recall if there's a consistent way I should be doing it.

Add the stats together and divide by 4? Might create some oddities with high signal stuff being oddly hard to spoof, but whatever. Might also consider doing a direct substitution of firewall for the device rating.

[CanRay]

If you slave a CommLink, you better watch out for the Abraham Lincoln AI... He's a nasty bugger!

[Fortinbras]

Sure it is. First off nothing in the book says a slave can't have more than one Master (But that doesn't really mater, never wanted it to).

Unwired does. "the slaved node does not accept any Matrix connections from any other node but the master." If it could have more than one master, it could accept more than one connection.

Second, Access IDs don't have accounts, so you can't set up an account for Access ID X, and thus don't require an account for Access ID X.

Access ID Account. Unwired p. 52.
In this scenario you aren't connected to any other node with access to the device, nor are you inputting a password, so you've got to have an Access ID account.

Third, you don't need to delete the old enslavement, because that enslavement is how you are accessing the slave in the first place, and so deleting it would only be useful if you then planned to do a normal hack, but that's fairly pointless since you already more or less have admin access.

Yes, but you have to beat that device in a Spoof check for every Command you give. Hardly full access.
In addition, deleting the enslavement doesn't delete the Admin access of the master's ID. It simply frees up the device to be slaved to another. You can still Spoof the original Access ID.

Device A is slave to Device B, Device C spoofs as Device B, Device C changes the value of the Master's Access ID to that of Device C. Device A is now slave to Device C. There is no need to make a new account, because accounts are just username/password, accounts have nothing to do with access ID. It may be true that after making this switch you'll need to crack the password on the 'Master Account', but it is a bit fuzzy from the description means that it requires an admin account (in which case you're just taking over the one that the old master used) or that the master is automatically given full admin access without an account (It basically gives admin level access automatically to anything coming from the master). I don't see spoofing working if it is the former though, because you'd send a command as the master, but it would be blocked if the master didn't happen to be logged in at that moment.

It seems instead that the slave goes "Oh look, an incoming connection/command, if it isn't from my master, I'll ignore it and send my master an update. Oh, it is from my master, I'll go ahead and do whatever it says, because it is from my master. Oh, it says that my master is now Bob instead of Joe. That's weird, but it is my Master, so I'll do what it says. Oh look, a command from Bob, I better do what he says."

You can't say accounts have nothing to do with Access IDs when Spoofing a device requires an Access ID.

I'm not saying it's not something you can do, it's just not something you can do in a single action. The device will indeed do whatever Joe says, but if the command from Joe is "Only listen to Bob" you are giving it conflicting info. One of it's basic structures is "Only listen to people on this list." That is integral to all Matrix interaction. Then someone on that list gave the command "Only listen to Joe."
You first have to put Bob on that list. Then say "Don't only listen to me(Joe)." Then say "Only listen to Bob."
Devices need to have things spelled out and can't have conflicting information.

[KarmaInferno]

Have the TacNet on a separate network than your other gear. Just sensors, Smartlink, stuff that NEEDS to communicate with your teammates or outside devices.

Second personal network, hardwired, with everything else you carry that needs to talk to the PAN but not outside the PAN.



-k

[Eimi]

Also, for people mentioning a smartlink being the one weak spot in an otherwise non-wireless activated cyberware character, remember the cyber safety from Augmentation. If you have one of those implanted, as well as an implanted smartlink (in cybereyes or on its own) and a gun with the appropriate safety chip, any wireless smartlink input is overriden, making your smartlink immune to hacking.

[Yerameyahu]

Nah, the smartlink should just be skinlinked anyway, like *all* your gear.

[ravensoracle]

Why not just add a script to your slaved device. If the Master tells you to switch Access Id's, ignore the command and start an Alert?

[squee_nabob]

I don't consider spoofing to be that much of a problem. I've only had NPCs do it to me once, and it's more likely that I am spoofing something. Thus it is actually in the players best interest for it to be possible to spoof anything.

You can make unhackable stuff, but I am not convinced you can make something unspoofable via slaving. Slaving something gives it a Master, and it accepts all orders from the master. If you pretend to be the master, and then give it an order it obeys. All of the scripting to prevent that is what the opposed rolls represent.

[suoq]

I'll admit. I'm not a fan of my gear being skinlinked.

Personally, I like the thought that when I have to leave my gun at the door, I've left a sensor at the door. It's my understanding that the camera on the smartgun (SR4A 322) is a guncam. (Please correct me if I'm wrong, but it certainly appears to make sense.). Since the guncam is trideo, that means I have a decent microphone reporting to my PAN as well as a camera that will let me know if someone is moving my gun. With a skinlink, once your gun is out of your sight, it's vulnerable.

[Ghost_in_the_Sys...]

Unwired does. "the slaved node does not accept any Matrix connections from any other node but the master." If it could have more than one master, it could accept more than one connection.

MMmm, except that if it has more than one master, it still isn't accepting a connection that isn't from a master, but it does say the master, not a master. It isn't exactly spelled out, but I suppose only one master makes sense. Although that just supports my below argument all the more.

Access ID Account. Unwired p. 52.
In this scenario you aren't connected to any other node with access to the device, nor are you inputting a password, so you've got to have an Access ID account.

Okay, my bad, so that means I was indeed right about how the slave responds to a master.

Yes, but you have to beat that device in a Spoof check for every Command you give. Hardly full access.
In addition, deleting the enslavement doesn't delete the Admin access of the master's ID. It simply frees up the device to be slaved to another. You can still Spoof the original Access ID.

True on the first part, and for the second part, my argument below.

I'm not saying it's not something you can do, it's just not something you can do in a single action. The device will indeed do whatever Joe says, but if the command from Joe is "Only listen to Bob" you are giving it conflicting info. One of it's basic structures is "Only listen to people on this list." That is integral to all Matrix interaction. Then someone on that list gave the command "Only listen to Joe."
You first have to put Bob on that list. Then say "Don't only listen to me(Joe)." Then say "Only listen to Bob."
Devices need to have things spelled out and can't have conflicting information.

You seem to be amazingly underestimating what a spoof command can do. You don't think that it can do three painfully simple things in one command? When commanding a drone you don't have to send thousands of commands of "move your left leg, now your right leg, now your left leg, now lift your gun, aim it at the target, pull the trigger, pull the trigger again, etc", you just send it the command of "Go there and engage enemies" Similarly you don't have to send the commands "Create account for ID X, Demaster from device B, master device X" You just say "Change master to X"

Also, I'm fairly sure that the account that device B would be using is simply the "Master account" ie. whoever is listed as the master always uses that account. So it isn't that Device B has an account and happens to be the master, it is that Device B is the master, and thus is using the account that is automatically used for the master.

Why not just add a script to your slaved device. If the Master tells you to switch Access Id's, ignore the command and start an Alert?

Because if you really try, it's fairly easy to make something entirely unhackable, or a facility impossible to break into, but that really isn't in the spirit of being a game. Also, it isn't hard to imagine that the spoof program is able to bypass/defeat such a simple script.

If you slave a CommLink, you better watch out for the Abraham Lincoln AI... He's a nasty bugger!

(IMG:style_emoticons/default/biggrin.gif)

[Yerameyahu]

suoq, skinlink doesn't remove the wireless option. (IMG:style_emoticons/default/smile.gif) It's just a better option when you do use it.

Ghost, I'm not sure. Drones have a Pilot. Commlinks don't. It's bad enough Unwired added the 'spoof commlink' loophole (apparently 'devices' and 'slaved nodes' are now valid targets for Spoof—they never were before).

[Ghost_in_the_Sys...]

No, but it does have an operating system, and in SR those seem to be designed to be as user friendly as possible, so that you have to do as little input as possible to get results. Like I'm sure you just hit 'call bob' and it automatically opens the phone app (or whatever), retrieves the number of bob, and dials it'. Similarly, I think if you hit 'Slave this device to X' it would simply do all the setup that might be required to do so, it wouldn't have you create accounts (Though I still contest that you don't need an account to do this, and simply uses a 'master' account for whoever happens to be the master), or add IDs to the accepted list (Again, not something I think really happens, because it would make all systems virtually unhackable on the fly), or do anything else manually. It'd simply do what is required to make X the master. Kind of like when you install a program, you don't have to unpack individual components and manually install them, you just hit install and the computer does the rest for you (with a couple questions that you can ignore like where to put the program).