Right now, sitting at home, I can if I want print a document out of any of the printers in the office where I work. Tomorrow, I can send an email and have one of the secretaries pick it up and file it away if I want.

Though I don't see there being a need for hardcopy information in 2070, there's certainly no reason why it should impact working from home.

Well firstly, the point I made was that there is no reason why your choke point should be any harder to hack than the distributed node itself. You can have the same IC, the same System, Response and Firewall for the same cost. The rules don't make any distinction. So in fact, hacking a choke point is not, as you say, much harder. It is the same. So if your enemy hacker could break into this node, then they could break through a choke point. If they couldn't get through your choke point, then they couldn't get into this node. And very likely, anything beyond a "choke point" node wouldn't have anywhere near the level of security that the choke point did so a hacker that made it past that would likely be okay from there on. If future nodes do have equal or greater IC, then the choke point security model is redundant anyway. You can also have multiple nodes if you want, see later.

No, it's not. And the rules support this. Distributed nodes can connect to other distributed nodes. That's what the matrix is.

Well I doubt with 2070 technology it's quite the same as "Oh no! I closed the program without saving the file." And in fact, SR4,pg.223 does say "All active programs are saved and users logged off." That's pretty different to "dumpshocking everyone and ruining everything they were working at." Please refrain from portraying your own assumptions as RAW.

But in comparing the downsides of office and home based working, I think the theoretical possibility of network downtime is a minor factor compared to the massive advantages not having to have everyone drag their carcass into town every morning. At a stroke you've eliminated traffic problems, large amounts of sick leave and more. Not to mention that if you have to shut down your "choke point" node you've just brought down your entire connection to the outside world (including phones, emails, messenging, matrix search, clients ability to contact you and vice versa). For anything other than the tiniest company where everyone is onsite and their are no sister or branch offices elsewhere, it's hard not to consider that a major event. Shutting down a node is an absolute last resort when the IC, hired hackers has failed. But if a company has to face the final resort to get a hacker out, I daresay they can accept the six or seven combat turns it takes to reboot (SR4,pg.223). The main point is that it's not really different any advantage or disadvantage over an "internal" system.

Well those aren't SANs and LTGs. SANs and LTGs were specific types of nodes in the older editions' "dungeon crawl" approach to hacking, in which a decker would first have to locate their local exchange, hack that, then make their way to the company system and hack the System Access Node to gain entry to the dungeon behind it. They were very specific rules entities. So when I say that there are no SANs or LTGs in SR4 and you say the RAW says there are because of the above text about numerous gateways and base stations, you are very wide of the mark. The concept is gone and no hacker has to think about how his VR call connects from the Tacoma grid to a listed Matrix number in New York anymore. You are very rooted in past editions, here. Things have changed.

So have a chain of nodes! I disagree with it as an approach that a company would take in general, but if you really want to do it, then you can have the home worker connect to a general node and then pass from there to another node again. You can even call this first node a "choke point" if you wish. SR4 makes no hard tie between physical location and function. And that makes sense and is a large part of the point of the matrix in SR4.

Okay, well Intercepting Traffic requires you to have hacked into the node in the first place, which brings you straight back to my point about distributed nodes being able to support just as much security as any other sort of node. Having a distributed network accessible from home doesn't open you up to the Intercepting Traffic rules only sniffing as I said. But if you'd read a little further into the page you're actually referencing, you'd see the following:

Intercepting Wireless Signal is the Sniffing test I referred to in the first place and we've dealt with that a while ago. You're going to need to hack the node which is the same whether it is onsite or off, so there's no disadvanage to off.

There are however, massive cost and productivity reasons why telecommuting is better. Security in SR4 meets their needs almost exactly as well as having everyone working in an office. So you're getting huge business advantages in return for no reduction in security. Telecommuting just makes so much more sense in SR2070 than offices do.

That's a very good point. Traditionally in SR, hackers have bypased the whole "chokepoint" concept by simply sneaking on site and connecting to a terminal in an office that by necessity reasonably accessible. Sticking everything in a data haven negates this weakness and forces hackers to deal with the "chokepoint" security that is now placed on the target node itself, instead. In fact, it makes sense that even actual offices would still have their data off-site in this way, cost and trust allowing.

All of these are approaches are so closely linked to having effectively unbreakable encryption that it just isn't funny anymore.

In SR4 you have to be on a hard-wired connection that doesn't go through the matrix if you want even the possibility of some security. Otherwise some kid down the block will steal your login ID and authentiction and can act as you on your corporate network.

Without effective encryption the only thing you can do with an uncontained network is to share public information. You can't expect any privacy, you can't prevent people from casually stealing money from anyone dumb enough to transfer funds on the network, you can't prevent people from making phone calls from your phone number to Lone Star bragging about how they can't catch you, etc.

This wasn't obvious to Gibson in 1984 (he wrote the book and the next few on a manual typewriter!) but it's obvious now to anyone who has even a passing understanding of how things actually work.

Well there has to be reliable authentication methods because there are such things as credsticks and banks. The world of Shadowrun doesn't make sense without it. The gear section on pg. 322 does say that banking accounts have encryption ratings of 6+ so there is tougher out there.

The RAW don't actually say that you break encryption and then can do what you like as far as the matrix is concerned. Breaking encryption is only one step in hacking into a node (and only used in some circumstances). Note for example that in Intercepting Wireless Communication, you are required to do the decryption as a pre-requisite to actually making your sniff test. Encryption is not the whole hacking process.

Also, the book does suggest that more severe encryption exists and that you can include IC in the encrypted data. That goes a long way toward making encryption effective.

That's like saying paying online with your credit card is secure because it is done...

..you never actually played a hacking scenario involving tiered networks, did you?
The point is that each noded slows you down and raises the chances of you failing, as you now have to hack otf... and being detected by ICE.

That's true for 'shutting down', which takes time. Not for 'severing all outside connections'... which I was talking about, as it doesn't.

Network downtime always is reality.

Actually, with the rules of hopping nodes, it's worse. That aside, I can assure you that, just because previous editions tried to explain network topology, this is not the reason for my disagreement with your idea.

Unfortunatly, it does... but that's part of the subscription problem.

Either your lines are physically secure, in which case you don't have to woory - or they aren't, because they are routet over open network. And in that case, somebody will listen, and as there is no strong cryptography in SR, vpns don't work.

That's only true if people don't understand how cryptography is used. In the real world, no body is going to encrypt every file they have with a seperate password. It's insanely unrealistic, mostly because you can't remember them and you have to write them down. Where do you store this list? So it is typically used as a background process, where data is stored encrypted and automatically decrypted for the the user by the OS using something that is part of the user account. If you compromise the user account you can access the data.

The other way file encryption is used is to prevent people from stealing a device, be it a laptop or a backup tape, and being able to just read all the data. To get around this you need to get the password or get the data when it is not encrypted. This requires some though, but it's no impossible or that complex. It just requires the player to do something other than wait 12 seconds.

For example, lets assume I have that spiffy new seagate HD on my laptop that uses effectively unbreakable encryption, decrypts data on the fly, and requires a password to boot up. Does that mean you can't steal data off my laptop? Hardly.

1) You can hack the machine while I'm using it, or while it is running. This results in a process that is running as an authorized user and as such, has access to the unencrypted hard drive.

2) You can stick a gun in my face and politely ask for the data.

3) You can send in a microdrone and watch me enter the password.

4) You can steal the machine and the little note I might have that has the password written on it.

5) You can con me into loading a program that compromises the machine and allows me to access the unencrypted hard drive.

6) You can install hardware that records me entering the password, like by stealing the real machine and replacing it with a similar machine that has some special add-ons.

7) You can call up the corporate help desk and explain that you need the password because you lost it.

You can sit down at the machine when I foolishly left it unattended and unlocked "for just a moment" because of your clever phone call and copy the data you want.

I've been playing since 1st edition actually, so yes - I have played through the dungeon crawl hacker system on numerous occasions. You've done a partial quote here which is misleading of you. I also pointed out that a distributed network can still have a tiered node structure if that is what you want. You ignored that despite it meaning that there doesn't need to be an actual difference between the structure of a distributed node and one that represents a machine in an office. If you really want to take your dungeon crawl approach, then a distributed system doesn't stop you.

However, I think that an approach whereby you make a sequence of rooms to hack through is archaic and it does not fit with the wireless approach that SR4 takes.

I don't see any rules for severing outside connections that doesn't involve shutting down a node, whether that is your choke point node or the work node itself. The only way the severing outside connections makes sense other than to shut down a node is to go and pull some plugs out of the wall. Now that is something I can't see any computer security person using as a defence measure for their employer and it would take as long to do physically as issuing a shutdown notice to a node which takes seconds.

And if you've just severed outside connections then I don't see why you would say that all the work is ruined. You've not grasped yet that all the work and data resides on the node and that workers simply have interfaces to it. Anyway, this point arose because you said that:

Yes, you can. And there are the rules for it. Again, the functionality and security are no different whether this is an internal node or a distributed one.

I dispute that in 2070, but even if I were to allow it, this is not a distinction between a distributed node and an internal one. There is no advantage to an internal system here.

And again, you've quoted selectively. My point that shutting down all access to the outside world is not a viable security defence for a modern company remains. I can't see the salesman saying: "And another advantage of our systems is that when our security system fails, you can simply disconnect your office from all phone calls, clients, sister offices, matrix searches and your manager who's working from home today." No, definitely not. And what are you exchanging for this? The ability for every one of your employees to be present in the office no matter where they are in the world or when and the potential for all of your branches to be integrated into a single seamless entity with simple interaction between people at those branches as needed. If you really want to shut down a node, whether distributed or not, it takes seconds and doesn't have consequences for people's work or them being dumpshocked as you said.

Please explain how the "rules for hopping nodes" make this worse than previous editions. I disagree. You said there were still SANs and LTGs. There are not. I felt obliged to address that. The point arose because you said that a hacker could sit on the LTG and eavesdrop on the data. In SR4, they can't.

No, it doesn't. It really, really doesn't. The only way in which physical location comes into play is through signal range and that doesn't apply here. We're talking about connections over the matrix.

Again, you are talking about your own assumptions that the rules do not support. To have meaningful interaction with the node you must first hack it using the same rules that you would to hack a node on site. It is not weaker.

the existence of the unbelievable makes the believability of the mundane more important, not less. if the mundane stuff is believable, then it will be easier to suspend disbelief when it comes to the unbelievable.

The presence of magic, metahumans and dragons doesn't make realism less important. It makes it more important. Shadowrun has a gritty, realistic feel and to preserve that it has to make sense internally. You can have spirits that double the speed of a ship, but as FrankTrollman is always pointing out, you then have to consider the effect on world commerce. The same goes for modern technology. We're already shifting to a telecommuting model today. What will another sixty years do?

But can you see the majority of businesses maintaining a large, expensive office with all the concommitent problems of travel, employee absence, time lost, networking because of the fear someone will break into Bob's house and put a gun to his head? Not to mention that this same technology works for distributed offices. You could even have a few communal offices in different areas of the town where people work in their virtual office with a different company at each desk.

But the actual data and work still resides on the company system. It's not as if it's lying around unguarded at the employee's home. They just remotely connect up. So assuming that your employees don't actually live in the office, they're still just as vulnerable to home break ins and blackmail and threats as they would be working from home. You don't change your entire working practices just to shut one door when you have another five to the same room unlocked.

I think it's clear that agents can be extremely sophisticated and people-friendly without being an actual AI, but it doesn't really matter as someone doesn't need to be on site to take calls. It makes much more sense to have your secretaries in a call centre somewhere and keep costs down. Or have you not had to call anyone for support, recently?

So the logic would be that because you need a janitor on site, all employees should come in to keep him company? Or that because you need to come in to the office very occasionally, you have to come in every day? Printers are in the SR4 gear list, btw. They cost a few nuyen and you through them away when you're done. I'm not getting this strange obsession people have with paper in the 2070 world of realistic VR and AR and another sixty years of user interface development.

Again, remote access doesn't mean people have to be replaced with machines. They're just in the next cubicle, even if that cubicle is half-way around the world.

And now the world's top researchers can be enticed to work for you without having to give up friends, family, move the kids to a different school, etc. No-one is talking about replacing people here (that's a different topic). We're just talking about the lack of need for an office.

Personally, I get more work done at home without people bugging me all the time. And in a VR / AR office, there are plenty of ways of monitoring people's activity and productivity. I see the dystopian world of Shadowrun being very very keen on targets.

If you did so in SR4, you would have noticed how much harder it is to hack a strong node, then stay in it undetected and hack the next ones on the fly, instead of just hacking one strong node.

No, you are talking about a layer structure.

If you think so. I dnon't, and the RAW tells us that secure sites still go hardwired, tiered and chockepointed... now... perhaps this is for a reason, huh?

It's right above shutting down for single connections... and shutting down all connections whould be a free action to turn of the interfaces.

Granted, incremental saving allows you to recover... but thank you for seeing my point about dumpshocking you VR workers.

There is. If the outside link is down when telecommuting, you got yourself some free time. If it's down, but the internal office network is still up, most of the work continues.

If you have accepted that shutting it down is, then simply pulling the network plug is, too.
It's usually a last resort, though.

The rules for loggin in on p. 220 still require you to have a direct connection - or else you have to log in to each node in between to travel there.
The network transparency you seem to assume has no RAW backing.

..and where did you pull that assumption from?
By the RAW, any matrix grid/base station is a single node (network that can be accessed) - and nothing in the RAW prevents the hacker from just sitting there virtually.

No. As you 'node' is a virtual network routed over real nodes of the matrix accessing each one of those allows one to eaves-drop on the VPN - per RAW, as on p. 224.

in SR, encryption is replaced by electronic security known as ICE

encryption is more there as a wire trap to call the ICE on you then its about locking you out fully.

its to bad that the decrypt rules work using response+decrypt and not some kind of knowledge in cryptography, and had different time frames between using VR and AR.

that way it could be explained with that old comment about corps being horrified when the asist equiped echo mirage agents where able to breeze past any existing security. as in, the enhanced digital reaction time of VR, comboed with knowledge in cryptography allowed some agents to find flaws in the encryptions that was unknown before.

thats the interesting thing about the human brain, its not linear. its very intuitive when it comes to finding patterns and other interesting bits

but i presented those as a example of real life remote working with desktop solutions, not as a full explanation of how SR works for the same.

also, when one looks at the "intercept traffic" rules there are two conditions. you either have to be on a node the traffic visits, or you have to be within range of the sender. as in, it seems to me that you cant just find a wireless link between the remote office worker and the office node. you have to be within his transmission range, or hack one of the nodes (home comlink node or office node, as it seems the matrix in general isnt a node ).

im guessing this is done because of the mesh idea of wireless traffic. while some packages will take one route, some others will take another route, and your left with only part of the picture.

and then its the question of what is in the traffic. is it the whole file he is working on? is it the VR simsense asist data/commands? i hardly think that the text is sent in ascii

That's a cryptographic formula. Hence, 12 seconds later. . . .

hahahaha! that's a good one, that's funny. ...nobody actually did that, did they?

like kzt said, you've just described encryption. that's the principle Enigma was based on, and it hasn't changed in the intervening ~70 years (or ~130 years, in SR).

(Emphasis added)

That's the key. You personally get more done at home. You. Not humanity. You are not the sum total of everyone in the world (no matter what your momma tells you).

Have you ever heard of an economic term called the "Free Rider Principle"? If X amount of work has to get done and you have N people working on it, and everyone gets rewarded the same (say R) what happens? Everyone could do X/N and everyone gets R. However, someone could do W=(X-1)/N and still get R. In fact you could realize that you could do W=0 in which case everyone but you has to do X/(N-1) and everyone still gets R. There is actually a DISINCENTIVE to work.

If you introduce a boss then things change because now the boss can take away your R if you don't carry your weight (if you say R=salary then it represents you being fired). Let's say that the boss is S=cost of supervision. The company gets a gross revenue of RW-S. The tradeoff is that you need more S to get more W out of your employees. As S goes up GR goes down. You need to find the optimal amount of S to get W.

In an office setting you have a boss who can physically go around and see what his workers are doing. S=Rboss. If you have telecommuting workers you still need a boss to monitor what is going on. In addition you also need to purchase all the licenses for the programs that the boss needs to monitor remote workers. S=Rboss+Cprograms. If you are talking a rating 4 agent it is 4000 per worker and due to SOTA this is a yearly expense not an asset. So a boss supervising a dozen workers you are talking about 48,000 per year.

If you are a corporation you are going to have that large building anyway. It is a rule of business that if you want to be the biggest, baddest corporation on the block that no one wants to f**k with then you HAVE to have a skyscraper. So the cost of the building is irrelevant to our calculation. The cost of commuting is entirely borne by the employee and the cost of maintaining the building in operation is negligible.

So what about the boss and the employees. The boss's performance is based on how much W he gets out of his employees. If he doesn't perform then he loses his Rboss. So he has incentive to monitor employees properly. As for the employees they will do work based on f(Wboss, R). It is some function of how diligent the boss is and how good their salary is. At equilibrium R=X/N and workers are getting properly rewarded for a fair share of work. If they get paid less than that they quit, find another job, or slack and get fired.

However, I'm saying that it is better to force the employee to commute and this cost is borne by the employee. Therefore the employee requires R+Ccommute where Ccommute=T+VCV-Diff(CoL). T= time to commute, VCV=cost of driving the vehicle and Diff(CoL)=difference between cost of living near work and where he commutes from. Moving out to the suburbs makes Diff(CoL)=T+VCV so Ccommute=0. So employees don't need any extra R to make up for commuting (immobility of employee and other considerations aside). If this equality doens't hold then the employee leaves his job and finds one that is closer to home or else actually gets a bonus for his commute. So I've proved that commuting doesn't cost the employee anything and R is what they get.

So would you rather pay RN or would you rather pay RNCprograms? If the worker is very highly paid then Cprograms is a very small percentage and it is actually worthwile to allow them to work at home. Researchers, executives, consultants, etc. However, the lower paid workers (wageslaves) Cprograms is a large percentage (say 5*5000=25000, 4000/25000=16%) of wages so it doesn't pay to let them work at home. It is cheaper to make them work at the building.

EDIT: I got all the theoretical math right but when I use numbers I get them wrong. It should be Middle Lifestyle x12 not x5, which gives you 6 2/3% programs to wages. Still a very significant jump.

What do you think a TAN is?

they wouldn't crack the copy protection for the same reason why corporations nowadays don't (or shouldn't!) do it: legal ramifications. The company that makes the software can sue the pants off you for doing so. If the cost savings of hacking the software is greater than the legal costs of getting sued, then yes they would. But this is usually not the case.

Yes the higher paid employees are more likely to be targets. Regardless of whether they work at the office or at home they must be protected by magical and physical security so that is a wash. However, there are so few of these "high priority" employees compared to the wage slaves that the percentage is low. Plus there is also a difference between where the costs come from. Executives come out of the bottom line whereas employees come out of the top lines. Executive costs come out of shareholder wealth whereas employee costs can affect the executives' bonuses.

yow. that's bulky as hell. gotta keep a physical list of numbers, gotta limit the time spent on each transaction, gotta physically receive the new list every so often... yech. i think in SR, that would kill more business than it protected.

You were talking about severing the connections of an entire node. The rules you refer to are a technique for booting off a single user (normally a hacker). This isn't going to affect the other users.

No. Not incremental saving. You really, really haven't got this. The data is on the node. Disconnecting a user is like disconnecting a monitor. The user is going to reconnect the terminal and be exactly where they were and all work will be fine. As to dumpshocking, three things. Firstly, AR will render you immune to this and AR is sufficient for most tasks. Secondly, the 5S damage that Joe Worker will have to resist will probably be gone completely in four hours. It's a great big hangover but it's hardly a massive disaster. It will upset people, nothing more. Thirdly, and this is the big one, there's no good reason why a company would disconnect the entire node to cause anyone a problem in the first place. If they know the hacker is there, then they disconnect him nobody else. You just referred to the very rules to do this. Your criticism against remote access is that with an onsite setup, you can disconnect a "choke point" node and dump the hacker only whilst with a distributed set up you cannot. So aside from the fact that there's no need because you can target the hacker directly, we have the issue of whether or not anyone in your onsite version of this setup is actually accessing nodes outside the office. I think the answer is very very likely, yes. Workers will be doing research. Salesmen will be communicating with others and CEOs will be in virtual conferances. And if so, you're dumpshocking them when you casually bring down your "choke point" ! You seem to have an idea that an onsite node offers you some great advantageous disconnection counter to hackers that is not possible with an offsite node. In fact the same technique is available to both and will have terrible consequences for nil advantage in both cases.

Now, we keep coming back to one same point which is this one:

and

The book uses the term tiered for this, so that's what I used. Anyway, these are the same issue. You have this idea that for security you need a series of nodes that the hacker has to battle their way through. I disagree with that for reasons that I have covered already, but that aside, nothing in SR4 prevents such a structure existing just because the first node is distributed. If you want your dungeon crawl approach to matrix hacking, then you can have it. It doesn't matter if the node is a distributed network or a single machine in a building somewhere. You keep saying that this is only possible with a purely wired connection, but the rules are fine with it being wireless as well.

If you are genuinely not getting this point rather than just being argumentative, then I'll do an example.

Baby Corp has forty employees who work from home, only coming in for special meetings. They have terminals in their homes which connect to a single distributed network that is a node. SR4 explicitly states that such a network be considered a node.

Data does not reside on the terminals. These are not nodes. They are interfaces to the node. The node is the network. This is fine under SR4.

The node has IC, firewall, etc. It can have just as much as a "choke point" node that you might set up in your model. For me, this is sufficient. But you want a layered series of nodes. Okay. We call this first node that the workers connect to Node A. This is a gateway node that does some security work, has lots of IC and good firewall. You now have your chokepoint node. From here, the workers can connect to a second node on which to do their work. Lets call this Node B. It can be a machine in an (small) office owned by Baby Corp. It can be based in a third party data haven run by Data Safe Inc. or it can even be another distributed node. All are options available and all is perfectly allowable under SR4 rules and supported by the flavour text of the book. You can, if you wish, insert as many nodes as you feel are necessary in between Node A and Node B. I'm going to emphasize once again that I think this approach is archaic and not the SR4 way, but I'm illustrating it to show that there is no advantage here of onsite versus offsite nodes. You can still have your dungeon crawl.

Does this open up a security vulnerability? No. If a hacker wants to get access to the node, then he needs to hack it. And if he wants to get access to Node B, then he needs to hack that. This is how it is stated to work in SR4. Sniffing traffic we've already dealt with and it's debatable what you could reach anyway. In order to get the real data, you need to hack the node and, if you're dungeon crawling, its intermediary layers, too. It's the same mechanics whether your onsite or off.

Yep. The book makes reference to this. But not every site is an ultra-secure lab. I think the vast majority of the business world will be using telecommuting. Lets not forget that it offers enormous productivity and cost benefits.

If the average corp's outside link goes down that is an immense inconvenience and corps aren't going to accept it as part of their security policy. No purchase of a security system will ever be based on the salesman boasting that if his security software isn't good enough, you can pull the plug out. But you were talking about disconnecting / shutting down the node in order to disconnect the hacker. It's irrelevant because you can disconnect the hacker yourself directly without affecting other users. And a shutdown and restart is only a matter of seconds anyway. It's hardly the wasted afternoon that you are making it out to be.

I'm not quite getting what you're saying here. Are you saying that an onsite network is harder to reach than the distributed one? If so, I don't agree with that. It would be an unsuccessful business that I couldn't locate their business's matrix site for. Unless it were the Syndicates, in which case they're not likely to have office workers anyway.

These two are the same issue. You use the term real node, but in SR4, the distributed network is also a "real" node. It is no less capable of supporting IC, firewall etc as anything else. What you are doing here is putting your own interpretation on the rules and saying that it's only a pretend node that exists on top of real ones and that a hacker can subvert it by going for the routers. However, the rules require you to hack what you think is a pretend node. IC is an abstraction for a massively complicated security system. The node is data that travels from place to place and a persona is something that is actually a program running on a user's terminal. But we have rules for cybercombat and travelling from node to node and IC and hacking. Each of these represent the processes that you are describing. In describing the matrix and hacking, we have to build our interpretations on the rules. What you are doing, is skipping that and bringing your own assumptions of how things work and ignoring what the rules imply. We can't do that.

See there's a problem right there. The word "if." You can build a beautiful structure on an assumption, but it will remain a guess.

I don't think you need to invoke a rating 4 agent for every worker. Firstly, I think given the sophistication that agents are capable of, one that simply ran some basic heuristics on a workers activity would be much less. And you don't need to stand over everyone studying what they do. You just need to be present enough that you can instill some activity. Knowing that your boss has a habit of using his security access to wander in unobserved from time to time and watch employees working should be more than enough to keep people on their toes. Likewise for a single agent that wanders the network and has a look at random workers.

But really, just the prospect of coming in for your monthly review and having your boss go through what you've been doing will keep people busy. The virtual office is really no different to the real office in these terms. Except for the fact that you can't see when your boss is looking at your screen.

As stated, turning off the interface with a free action... will.

No, it doesn't uses the term tiered for what you were. You were just confusint what you meant with it.

A statistically proven idea.

No. If it's wireless, a MitM attack is a non-issue and you are back to square one.

That's a shame. Because otherweise you would have noticed that, instead of hopping networks like in old times, hackers have to hop nodes now... by the RAW.

Granted - 'physical', then.
Gain access to the physical node - gain a shot at any virtual one on it.

No, I'm going along with your assumptions that such a thing as a virtual node can even exist.
(Which is pretty likely, as Agents are such a case)

Otherwise, by the RAW, your 'distributed node' does not exist.
Only devices and networks qualify as nodes, and you are lacking the network... but run on top of it.

No, that would be firewall. IC is pretty well-defined.

Actually, it's the other way round. The rules imply that such things don't work... and neither does the whole matrix. At least when you look at actual rules (not just descriptions) concerning connections, navigation, system power and security.

Are 'we' royalty?


VPNs do exist in SR4, but they are mainly protected by obscurity.
Thus, from a business perspective, they are so insecure that the are just 'in'.

It's possible you misunderstood the point. You don't need to shutdown the whole node. You have the facility to disconnect specific users just as easily. The rules make it quite simple once you have identified the hacker. And if you haven't, then you wouldn't be taking any action of any sort. Shutting down the node is not an advantage of onsite networks. It's irrelevant to this issue.

The book refers to tiered networks as where some systems can only be accessed through another system first. Seems straight-forward to me and I don't think anyone is confused by what we're talking about.

Yes. That sentence was actually part of a whole paragraph which stated that you could have the same structure in a wireless set up. That was the point of it.

You don't accept that a network can be secure without a dungeon crawl approach (which I do), but you then go on to state that it's a disadvantage for the home network because you think you can only implement this approach with an office network hidden away from the rest of the world. In fact, the rules will let you do it anywhere and it's no advantage.

The fact that I also criticise the dungeon crawl approach is simply because I think there are two things wrong with what you're saying.

Yes. You keep saying this but it is not the case. By "MitM attack is a non-issue" you mean that it becomes trivial to access the data? No - you need to hack the node before you can do such a thing. Lets stick to the actual terms in the book to avoid assumptions creeping in. For wireless connections, we're talking about a Sniff test. This will not grant you access to the data in the node. To get that you have to hack the node. And the rules for this are the same wherever the node is and whatever type it is. No advantage to either off-site or onsite networks.

No, I'm still not seeing the problem. Are you saying that you would require a character to hack his way through every router and base station that his signal passes through from one city to another? That's not how things work. You go to the target and you start to hack. Finding the target when it's a registered, advertising corporation will not be hard. You're going to have to explain how SR4 it "worse than the old rules" to go to a target site.

Now this is exactly what I'm talking about. Your own assumptions are being brought into it when there's nothing in the book to support it. Physical? Virtual? The book explicitly states that a node can represent a network and goes on to give the precise rules for how to hack that node. You have no knowledge of how that network is routed around. You have no idea what protocols or systems the matrix uses. You have no idea how many layers of protocol exist between the VR matrix that is perceived and the low-level signals or which layers are susceptible to hacking and how. The IPv6 protocol today is now undergoing revision to prevent denial of service attacks. Now that's sophisticated! So I don't know how advanced the matrix infrastructure is but I bet it's pretty impressive. We can only go by the rules that are written and base our interpretations on that. And the rules tell you how to hack a node and it doesn't give shortcuts for the node being virtual. You want access, you have to hack.

Well I'm glad we agree on something. The book explicitly states such a network as an example of what a node may be.

Oh my mistake. We don't agree after all. The book says that a network is a node. These people are using a network which is a node. This is plain and what the rules support.

Surely we can agree that IC is a complicated security program? VR combat represents a whole range of programs interacting in attempts to neutralise each other. It's not an icon literally hitting another.

But I'm not making assumptions. Everything I have said has been backed up by referencing the rules themselves. The treatment of a network as a node. The requirement to hack that node to gain access to data. The potential for that node to then connect to another node in a tiered approach. Please point out what in my design for a home access network cannot be implemented under SR4 rules.

No. Thankfully.

Hardly. The problem is that against well-versed attackers, an individual disconnect can fail, leaving you the option to pull the plug. That's the first advantage of a chokepoint.
Then, if the attacker left Agents/Sprites, you have to shutdown the node... in case of a chokepoint, that doesn't even touch the real network.

While an Agent running on a Node has to be accessed through that node, he's not a tiered network.

The first node is nearly always probed and entered silently. If that first node already contains data... bingo.

This will grant you access to parts of the data being processed and eventually account and passcode information you can use to rob the node dry legitimately... or insert your own data, which happens to be an Agent.

Actually, that's exactly what the RAW tells us.

No, the RAW defines a node as a device or network, talking about physical things. What you are proposing is something the RAW hasn't even touched yet.

That doesn't even matter. The basic principles stay the same and the rules cover the specifics.

..you are trying to kill me, don't you?
The IPv6 protocol contained outdated crap specs from IPv4, allowing predefined routing... at last they noticed that this could lead to additional DoS problems. The other ways of DoS attacks are still there...

The RAW conflicts heavily with the descriptions.
A computer hat can only connect a dozen others at the same time? The lack of network transparency, but users having to leapfrog nodes?

The rules allow all kind of shortcuts that involve chaining the location of the attack or getting passcodes.

What 'network'? Again, the rules approach the physical layout and don't yet specify anything about virtual ones.

Actually, you are making quite a few. First, you are assuming that network transparency exists, then you are going for virtual networks nowhere mentioned in the rules, and afterwards, you try to explain to us the equivalent of an Agent being untouchable in cybercombat because you would have to hack him first.

No. Your claims are just backed by descriptions. Claims like the inability of listening to connections running through backbone nodes are actually contradictional to the rules.
Another problem of your aproach is that you want a certain effect, then try to justify it by desperatly searching for supporting evidence and fight back at people that look at the rules first and then conclude that the desired effect is highly unlikely.

No. It gets you rights equivalent to an account...

No. I'm still trying to make knasser understand why a VPN in SR4 is insecure as it relies on cryptography for security. Others have already given up.

Which is, unfortunately, pretty much the case: Normally, your connection to any node is not encrypted... meaning your authentication is done in plain.

Which is basically utter madness.

maybe so. but like i said, having the key does not make you the person. and that is what the ICE will pounce on

Oddly enough, I have almost exactly the same impression of you. This is getting us nowhere. I don't think either of us are idiots. Let's try and take a slightly less adversarial approach. I can feel myself starting to get into a You vs. Me mindset which is rarely productive. I'm going to identify what I see as the key points we disagree on - add or clarify if you need to - and then I'll say what I think the contention is and why. Maybe we wont be able to reconcile our views, but if we don't understand each other's perspective then this will both have been a huge waste of both of our times.

I guess the big point of dispute is whether or not a distributed network can be a node. I say yes. You seem to say no. It will be pointless for me to just keep repeating that it can be and you to keep telling me it can't. I'll explain where I'm coming from. The book says that a network can be a node. This is in the description of nodes and also used elsewhere in the Wireless World chapter. We both agree on a network being a node, I think.

Now for me, I don't see that it makes a difference whether the computers are networked with short cables or with long cables, whether they talk to each other over one router or over several. Likewise, I don't see that it matters whether the computers are talking to each other over loops of actual cable or using wireless connections. Not for purposes of whether it's a node or not. I guess what I'm looking for from you in order to get me to stop treating my set-up as a node, is an explanation as to why and how increasing the distance between terminals or replacing a wire with a radio signal changes the conceptual nature of the the terminals. To me, the connection happens below the level of the "nodiness" quality of the network. So without a solid reason for an exception, I see the book's description of a node as a network as having no special caveats about distance or wireless. If we can agree that it's a node under RAW, then it will be much easier to discuss the actual rules issues around it.

The second point we disagree on I think, is whether such a wireless node can have a layered or tiered approach. If you don't agree with the network node being possible in the first place, then this question is a little moot but you have argued the case so far on the allowance that it can, so I think it is productive to carry on. My opinion on this is more or less as simple as the rules say that nodes can connect to other nodes, therefore this node can do so. Say we call the network Node A, with it's various firewall settings, IC, whatever. Lets say the company has a Node B purely for the accounts department and this is based in a machine in the actual office which also has its firewall settings, IC, company hacker, etc. I don't see why Node A shouldn't maintain a connection to Node B. And if the hacker wants to get at data on Node B, then he has to go through Node A and its security, followed by Node B and its security. If he wants Node C which is the security system which only Node B connects to, not Node A, then that is another step again. This is what I understand to be meant by a layered or tiered system. You said that such a system isn't possible with the home system, so obviously I'm missing some understanding that you have which I don't. Or else you thought I was saying something different to the above. Are we actually talking about the same thing with the layered / tiered approach? If not, where do we disagree? If so, what prevents the security model above?

I see those as the two main stopping points between us. There are two other points I'm still interested in debating, but I don't think they effect the Home vs. Office decision.

The first is whether or not the consequences of "pulling the plug" on a node are different between an offsite and an onsite network. I don't think they affect the home vs. office decision because the consequences of both are so drastic that I can't see them being part of any company's security policy.

Restarting a node to clear out hackers or agents takes a matter of seconds and doesn't cause dumpshock. Severing connection at a choke point as you talk about would cause dumpshock to external employees in my scenario, but would cause dumpshock to internal employees connecting outwards in yours. The usefulness of it as a security technique is so intermittent, I just can't see it as part of security procedure. Especially when there are more viable techniques such as trying to disconnect the hacker himself or (far, far more useful) targetting the hacker with IC, hired hackers of your own, or tracking his data trail. As these do not vary between the offsite and the onsite scenarios, I don't see it affecting this discussion.

The second is your quote

I genuinely do not get this. In my game, if a player wants to hack Corp X, they locate the corporation's office in the matrix, through a matrix address and go straight to that node without any trials and tribulations (though in practice, they'll spoof their data trail). I believe this to be possible because I think being able to locate an office or site would be essential to the ordinary business of a corporation. I only make this stage difficult if it's some secretive organisation such as the Vory. For comparison, how in your game does a hacker "arrive" at his target corporation?

So that's where I see us as being in this discussion. The big issues are the first two. Points 3 and 4 are a sideshow. I think we'd both see it that way round because 1 and 2 affect everything else whilst 3 and 4 are isolated rules debates. So hopefully we can talk in these terms as I think the debates of when to apply sniffing tests, what you can probe, etc all depend on us agreeing on these concepts.

-Khadim.

Yes. And in fact you've often said things in this thread that are conceptually what I'm talking about as well.

The reason for aguing conceptually rather than in implementation terms is because the concepts must be based on the RAW. Implementation is really just fluff as none of us know how the matrix and its protocols in 2070 might work. I can come up with plenty of good flavour text to support the rules of SR4 hacking. It's the concepts that we should debate. The rest follows.

For example, it was said earlier that there is encryption in SR4, and it's called IC. The virtual reality of the matrix represents vast complex operations. It's what allowed the Echo Mirage team to blaze through the security of its day. IC is the representation of the new generation of security software. Does a VPN exist in SR2070? Certainly. And the security software is IC.

That's how I see it, anyway.

Fine. Let me restate it. According to RAW, contained in the FAQ, all of this tiering stuff is irrelevant to any discussion. I can hack myself legitimate access on the remote worker's terminal and use that to spoof the communication into the corporate node with access = to the employee.

So I'll restate the cost of a remote worker as Csecurity programs. Now every single remote terminal is a possible point of entry for the hacker instead of just the main host, and each needs some measure of security. Possibly less than 4000 unless you are willing to have IC, agents, and/or spiders in which case the cost is higher. My argument is still valid.

I have however, proven that it doesn't cost the employee or the corporation anything to have all those mid-level workers come into the office so ANY cost beyond the basic salary of employees and bosses is wasted money.

With my brief introduction into the world of cryptology from Neal Stephenson's "Cryptonomicon" I would never, ever want to have anything approaching real encryption in my SR game.

GM: I'm introducing realistic encryption into my games.
<Woosh>
Player1: What was that sound?
Player2: All the fun being sucked out of the game...

Right. In order to make any of this work, we have to accept that encryption (and even computers) don't work the way we think they do. Not even in theory. Maybe it's quantum computers, maybe it's the awakening, maybe it's the same reason atomics got messed up, maybe it's something else, but for whatever reason the theories are wrong, something has changed, the earth is not flat, newtonian physics aren't universally true, magic works, and encryption doesn't work the way we think it does. In fact, it works the way the rules describe it. What an interesting discovery! We must proceed from there.
That's the point that I've gotten to. I'm sick of trying to make sense of encryption in SR. It makes my brain hurt. All I can do is shrug and move on. (and bitch about having to wait for unwired. I can do that, too)

i don't remember any specific points in the GitS movies where encryption was used unrealistically, or at least couldn't be explained away.

i've actually had a lot of fun with it. you can do some neat stuff, like using watcher spirits to convey one-time pads. a pure hacker in such a game is, as has been pointed out elsewhere, going to see a lot less action, which is why it wouldn't work for regular SR.

hmm, i read snow crash not to long ago.

interesting book, and it talks about the human brain having a kind of low level (or bitcode) style language that we all understand, but dont know about.

in the similar way, ASIST have made complex low level command sets and similar deadly simple, to the level of intuitive. maybe so much so that people no longer knows what its like to work directly on the chip, so to speak.

hell, look at the evolving world of the programming language. one started out with hole punches and rows of bits. moved on to assembler, C/C++, and the latest generation (java, .net and all that) are so removed form the hardware logic that you no longer have to worry about things like memory allocation and clean up.

sure, said languages are anything but effective, and many purists still prefer to code down and dirty to get the speed the want.

same deal with ICE and stuff, its no high level, and maybe designed to look for patterns rather then fingerprints of known attacks.

as in, there are layers upon layers of checks and similar. your programs no longer work directly on the hardware, they ask other programs that again ask other programs and so on.

the latest iteration of cpus from intel and amd are still talked about as X86. but the low down logic of them no longer talk X86. they instead talk a internal set of commands that the X86 stuff is translated into by a special area of the cpu.

so i would not be surprised if even the wireless traffic sniffer does not sniff raw wifi, but instead sniff higher level traffic, as i wonder if not trying to sniff the low level stuff would result in such masses of traffic that not even lofwyr would be able to read it on the fly.

there is even talk in the book about encrypted data having ICE bonded to it as and extra layer of security. i guess that shows what cornerstone of SR computer security the ICE is. and with good reason. we are talking about a bit of programming that can in theory kill a person

i can see a scriptkiddie trying out some stuff they found in a corner of the matrix, get jumped by a ICE and run screaming to mom in fear that it wants to kill them or something.

or maybe one could rather say that encryption was never talked about in them?

Ah. I thought you were talking about software to check employee productivity. The two were getting a bit muddled up there. In that case, it's even easier. The terminals don't need IC on each of them. The terminals are just an interface to the node itself and don't contain any data. They're like monitors. SR4, under the definition of nodes describes a whole network as a node. The same IC will cover all terminals because they're all joined as one node. What you describe would be like running IC on each persona.

And I'm sorry, but you really haven't proved that it costs neither the employee or the corporation money to have employees driving in and out of work all day long. Obviously there is a cost there. Your quote:

is false. Maintaing a building includes heating costs, lighting costs, ground rent, building rent or building purchase or building construction, cleaners, toilet facilities, parking areas, kitchen areas, health and safety, insurance. Plenty more, I'm sure. Don't neglect the savings in start up costs, either. Smaller office = smaller repayments.

And an employee's wages can be $X or in $x + Amount They Save, where x < X by the amount they save. Obviously if the amount they save doesn't come from you, then you've just made a saving on salaries whilst the employee gets the same gain.