From the New Seattle forums, a guy who thinks the matrix rules are awesome and has actual RL credentials regarding electronic security. Put that in your pipe and smoke it! And then discuss it, because this is a discussion board.

I'm a software engineer too. I don't hack the planet on my spare time, but I did tale a hacking class in university (for the prupose of knowing how to defend against it). So yeah, the principle of probing and using an exploit to get in is real life hacking 101. While I certainly like the rules as they are, I don't think the rules are anything to be in awe of, this is very basic stuff. It's like saying that to bake a cake, you need flour and an oven.

Well just like how the driving/chase rules don't have specific rules for how to time your downshift perfectly in order to drift around an urban intersection at 95 MPH and the combat rules don't simulate someone carefully lining up a sniper rifle from three KM out, adjusting for wind, target movement, and the number of grains of powder in his carefully handmade bullet. You just make a pilot/longarms roll with some modifiers for difficulty and be done with it.

I'm not saying the hacking rules leave anything to be desired. But similarly, if someone made a post saying he was an F1 pilot and said the Chase rules were very impressive, you'd cock an eyebrow at him too.

Seconded Backgammon, we have no way of knowing whether or not DizzyKA is on the level or not.

The plural of anecdote is not data. The singular surely isn't, either (surprising, that).

Did he forget that in SR you have to decrypt a wireless signal before you can intercept its packets?

IRL you have to intercept the traffic and perform the decryption on them.

and if SR had real life encryption, you could kiss the hacker archetype byebye...

thing is, he is one of the last threads connecting SR with cyberpunk of old.

Yeah, there's no question that hacking is more reliable in SR4 than in real life. Like he said, the most legendary guy who ever got caught had 13 zero-day exploits. SR4 hackers can pull those out of their ass whenever they feel like it (though they don't last very long). There might be an explanation for this, as no system will even be vulnerability free, and when people can hook their hacking tools directly into their brain and overclock the whole thing in hot sim, it's hard to keep them from finding said vulnerabilities. And then again, there might be no explanation except that this is Cyberpunk, and Daddy Gibson told us that we're allowed to hax like crazy

That's a really wierd defense of the hacking rules.
The SR-rules don't model the search for exploits well, if at all. That's not actually a problem, because modelling that stuff realistically would make for a really boring game.
Finding a zero-day exploit in RL is a lot of work and even more luck and is usually a matter of days or even weeks, while every joe-average in SR finds an exploit in a few hours. Experienced hackers even have a significant chance of finding a lasting exploit on the fly.
So, why exactly is not modeling the real-world "accurate"?

And that's one of the least inaccurate parts of the SR-matrix rules...

Uhh ok, yeah... I wouldn't put anyone who "hacks the planet" on weekends as a professional. They have professional certs for people who do this thing for a living. Including the ethical hacker certs. Black Hat is just finishing up in Vegas right now which anyone in the US and in the field should be attending. Shadowrun has always even since 1e had some semblance to real world cracking. I wouldn't say 4e is any more accurate than any previous edition. The terminology is more accurate but weather you want to call it attack or exploit is not a big deal to me. To my knowledge no edition of any Shadowrun has ever been seized by the US Secret Service (Like GURPS Cyberpunk), so obviously its not a manual for how to really do it.

Yeah and staring at packets all day, looking for files that are bigger than they should be or unusual traffic... its pretty boring. And personally I tell my users if they loose there password to an encrypted drive... we will be formatting because im not tying up my workstation for weeks to decrypt your disk just so you can get your powerpoint back.

I'm curious if his website is insecure.org. because all those tools are legit and some of them are even free.

But I muzt haz my PowerPointz! With them I can be awesome!

gurps cyberpunk got seized mostly because it was edited on a computer, and the US secret service walked in and grabbed all computers, as one of them was running a bbs that someone they where interested in where attending.

*sigh* You do realize that just by virtue of there being a codified attack program their not zero day exploits right? In real world parlance everyone but Otaku are script kiddies unless they completely coded all their own attack programs form scratch.

attack programs only operate on persona-like icons...

thats the thing about SR matrix, i took a turn towards magic with crash 1.0 (2029), when echo mirage was deployed.

after that, things have been a balancing act between cyberpunk style hacking (heavily rooted in the 80's BBS environment) and real life (as more and more people in the community gained understanding of computers and networks).

until virtual realities 2.0 was released, the matrix behaved pretty much like the US phone system and bbs's (read hacker crackdown to get some impression of how it was if one is to young to have been a computer interested teen during the 80's), VR2.0 shifted things a bit more towards the internet and the web, by making sculpted systems the norm, but only with SR4 do we have a system thats close to the net (in that one no longer have to path out each RTG and LTG between attacker and target, much like one do not care about the number of routers one traverses when surfing).

the deckers of SR1-3 was more like phone phreaks, with the RTGs being regional phone switches, where with the right tones down the line, or the right unlisted number dialed, one could set up a international conference call of unlimited size while not paying.

I'm not into software as such, network engineer by trade but ended up specialising mostly in wireless and optical transmission for a telco and a wireless broadband provider, but I suspend disbelief once a month for the sake of a game of SR

The SR rules system shouldn't be realistic - real world hacking is not something that gets done in combat turns.

Lack of realism has never been any of my problems with the matrix system. I just wish it was as "together" as the whole of the magic system. You don't see mages with Agent Smith problems or skills that have no purpose.

The magic system has had the better part of four editions to simmer and cook. The Matrix system gets revamped every Ghost-be-damned edition, and it shows. There's never been enough time to boil it down to the point of least possible idiocy.

got to love that SOTA-coaster, eh?

I don't buy the argument "it can't be modeled after the real world because it's so much faster." That does not follow. We haven't forgotten that it's futuristic, science fiction game, right? I don't think anyone said it was actually emulating the real world. As such, a failure to follow a real world detail, like how long it takes, doesn't invalidate the original post. The original post is saying something pretty simple -- the matrix rules approximate real world hacking insofar as real world hacking is all about finding holes. Matrix hacking is also about finding holes using Exploit. That's really the only accuracy that the OP was talking about.

The fact that it's done with a program and not your bare hands doesn't mean it fails in terms of realism -- we're talking about a future world where new computer technologies make programs more powerful. The fact that it's done at lightning speed doesn't mean it fails in terms of realism, either, since we're talking about plugging your brain directly into what is effectively an optical supercomputer. Realistic doesn't mean "the same as it is today." Realistic means "shares something in common with modern day hacking." At least, that's how I see it. We find exploits today. We find exploits in SR4. The methods have changed, but the ultimate goals are the same. That's the accuracy the OP was talking about, and I don't think anyone's quibbles about how fast it is or whether you use a program contradict it at all.

I blame TRON. If the SR1 designers had never been distracted by the "quest for the MCP" through the CPU/SPU/SAN dungeon crawl it might have had a chance.

Of course their only alternative was Wargames, which wasn't exactly a cyberspace adventure.

Added to the List of Things for my Next Hacker:
2) a Tron-style avatar and preferred environment
3) a tendency to delay those trying to access a hacked node with prompts like 'Would you like to play a game?'

That has nothing to do with being accurate, though, because it really isn't. By that train of thought, D&D accurately reflects real medieval battles, because people get stabbed in the face in both. Which it doesn't. And neither does SR. Now, it isn't necessarily bad, just because it isn't accurate, but an argument for realism built on top of such a weak foundation is kinda useless.

EDIT: spelling

For the record, I'm talking about symmetrical encryption, not asymmetrical encryption, which talks about 2048bit keys and larger.

Well, the hacker archetype would still be alive, but when it comes to breaking encryption he'll be seriously hampered. Encryption has consistently beat out brute forcing the key to decrypt the data. The reason is that brute force times don't scale linearly with encryption key size. If I increase the key size from 64 bits to 128 bits, the decryption time squares. What sucks about breaking encryption is that it's best described in scientific notation. A 128bit key has about 2^128 possible combinations. A computer which can perform an exaflop (10^18 calculations per second) will still take 1.3x10^10 years (longer than the age of the universe) to break the encryption. Bumping the encryption to 258bit, which is available now, would up the time required for an exaflop computer to be 3x10^51 years to break.

Folding@home has the highest FLOP value (mind you that's distributed computing) at 8.1 petaflops (8.1x10^15 calculations per second). The human brain is estimated to be capable of 15 petaflops (1.5x10^16 calculations per second).

I could see organizations in Shadowrun developing a means to harness the human brain as a computer, kidnapping a bunch of street scum, putting them into a coma and keeping their bodies alive via life support while using the full capacity to compute various things.

Just some brief numbers on how many people it would take to do this.... Let's set a goal of 90 days to crack the encryption. It is also reasonable that 512bit encryption would be standard fair.

512bit encryption has 1.3x10^154 combinations.
There are 7,776,000 seconds in 90 days leading to a required FLOP value of 1.7x10^147 FLOPs.
So it would require 1.1x10^131 individuals to brute force a 512bit encryption. Which is more than the entire population of earth at the time.

Needless to say, in SR a hacker will not be brute-forcing encryption. If he's breaking encryption, he's going to be doing so via exploits in the key generation algorithm or limiting the possibilities of the key via figuring out what was used for the key phrase.

Or you could build a dyson sphere computer out of the solar system. I think it would take all of the matter inside of pluto and arranged computationally optimally to make a computer large enough to brute force current encryption in a reasonable time frame.

i am not sure if the part i cut out was defending my point or not, so i am not going to touch it.

but i just wanted to say that unwired already touches on the bit i quited. See the sidebar on page 67...

That was all assume that modern computing and cryptography has remained the standard into the sixth world and quantum computing/cryptography hasn't become the norm. The problem is that if quantum computing/cryptography becomes common rather than modern techniques, everything will be encrypted. There's no reason not to once we have broken that barrier, the additional cost of encryption after it is negligible. In fact, the overhead of encryption on modern equipment is not worth nothing, but due to legacy issues encryption hasn't taken hold. With a new method comes the opportunity to learn from the mistakes of the old method.

When it comes to encryption and breaking it, a hacker will use exploits in the random key generation algorithm or divine the pass phrase by breaking into a less secure system or through simple social engineering.

When I say less secure system, I could be talking about asymmetric encryption (RSA). RSA encryption has significantly larger counts of bits in the key generation. IIRC 2048bit is the norm for RSA, but that is comparable to about a 112bit symmetrical key. To get an RSA key that is equivalent to a 256bit symmetrical key, you would require a RSA key that is 15360. Needless to say, it takes significantly longer to encrypt/decrypt a message using RSA over symmetrical encryption. RSA encryption uses a Public Key Infrastructure (PKI). In PKI I would have a private key that only I know, while I would distribute a public key to anyone I wish to have secure communications with. The public key only allows you to encrypt a message to send to me, you would need the private key (which only I possess) to decrypt that message. This is the common method of encryption on the Internet due to the ease of distributing the public key. Simply, the risk of what a person can do with my public key is very low. The worst thing they could do is send an encrypted message to me while posing as another individual (something hackers in Shadowrun may want to consider doing). With symmetrical keys if the key gets lost, you don't know where it is, or you suspect it has been compromised you have to completely issue new keys and reencrypt the data that had used the old key.

PKI is probably still in full force in the Matrix, but even PKI equivalent to 128bit will still resist brute force tactics to decrypt the data. To test every combination of a 128bit key in 90 days would require computing power of 4.3x10^31 FLOPS. Something I am sure is safely out of reach of most individuals aside from governments and the AAA corps. So my point still stands, exploiting the key generation algorithm or acquiring the key phrase from another individual will still be the only way to break into encrypted data, unless the hacker has access to a quantum computer...