James McMurray
May 9 2006, 07:09 PM
Ok, I suppose you could call it evidence. It's possible that it is false evidence, and it's definitely outdated evidence. But if you want to be technical, then the guy I pay $5 to so he'll say I was with him playing video games all night instead of out robbing liquor stores also constitutes evidence.
blakkie
May 9 2006, 07:38 PM
QUOTE (Kremlin KOA @ May 9 2006, 12:26 PM) |
besides which with NT all the major hacking (SR) actions can be done on an account with full privileges |
...with observance from the system. Anything of import really, because once again all the I/O goes through the OS. It is a function of the "micro"kernel architecture.
QUOTE |
even crash (BSoD) although on NT it might take a hacking action |
Most definitely for BSoD, because the system catches it otherwise. A BSoD is ultimately caused by a driver programmer screwing up and not making the driver bulletproof.
QUOTE |
oh and IRL NT does have a level of account which can access the kernel, it is just only supposed to be available to microsoft personnel |
I'm not sure you have that exactly straight. Are you talking about the Local System account, because that is something a little different. It still passes stuff through the system. It is really similar to Administrator from a security POV, and in some ways more limited because of lack of access to the desktop and user input.
I think you misunderstand me here. I'm not talking about an account per se. I'm talking about the system itself. Sure, the root account can recompile parts of the kernel and load them in. But those actions themselves are still going through the kernel to be able to do that, since your basic I/O, the actual communication with the hardware, is done through the kernel. Right?
Serbitar
May 15 2006, 12:52 PM
After some thought I decided to skip my "no subscription" interpretation of the rules, for compatibility. The subscription rule can always be bypassed by simply sniffing the traffic to a node and then spoofing the ID. This simply adds just another two dice rolls to any decent security network, but what the heck . . .
In my next text I will give an example of how to prevent unlimited "network relaying" for infinite security.
Serbitar
May 15 2006, 06:49 PM
Comments: Assumptions 1-2 from my previous examples still apply.
TODAY: Hacking through a relay of linked nodes
It was discussed a couple of times: What can be done against a network where several nodes are linked, using the subscriber rule, together to prevent, or delay, hacking.
A very good example would be this:
A runner has a main comlink A, which he uses for normal communication, and 5 "relay" comlinks B, C, D, E, F. Only comlink F has wireless capability.
The runner uses his main comlink to communicate, comlink B only accepts input from A and C, comlink C only accepts input from B and D and so forth:
A - B - C - D - E - F - WiFi-World
To get to A, a hacker has to hack B,C,D,E, and F first.
But then, in SR4, everything has a device rating. Even our clothes are nodes, as they have built in climate control and such. They might only have a device rating of 1, but they would also have to be hacked. So the runner could do the following:
A - B - C - D - E - cyberleg - smartgun - trousers - jacket - glasses - F - WiFi-World
This is perfectly acceptable under standard SR4 rules, and the first example isn't even illogical, but a very sensible thing to do.
So what to do about this? Just let hackers go through everything?
I propose a rules interpretation that circumvents possible dice orgies, is fast and understandable:
By using Spoof, a hacker can disguise himself as a data packet and exploit a node to relay him to his destination. He needs the network ID of the host he wants to be relayed to. If he wants to also spoof the ID he originated from, he can do so in a separate test.
Every host that the hacker is being relayed to may roll against the spoof test with System+Firewall. If the hacker has at least 1 net success, he is relayed to the next host in the chain, or he may choose to hack into the node that is relaying him using normal "hacking on the fly" procedures. In both cases he may choose to analyze the node to get information about the system ratings only. If he does not have any net successes, he may decide to immediately hack the node in question using standard "hacking on the fly" procedures, use legit access rights to access the node, or be catapulted back to the node he started the spoof attempt from. When he is relayed to his destination, he may hack into the node on the fly, or access it with legit user rights.
Note that if the relay host scores any net hits in the opposed test, it has detected that something is wrong and may launch security measures.
(H) Hacker:
Hacking: 5 (specialization stealth)
Computer: 5
Hot-SIM: +2 dice
Firewall: 5
Response: 5
System: 5
Signal: 5
Loaded programmes:
- Exploit 5
- Analyze 5
- Spoof 5
- Sniffer 5
(C1) Comlink 1:
Firewall: 6
System: 6
Signal: -
Response: 6
(C2) Comlink 2:
Firewall: 1
System: 1
Signal: -
Response: 1
(C3) Comlink 3:
Firewall: 3
System: 3
Signal: -
Response: 5
(C4) Comlink 4:
Firewall: 6
System: 6
Signal: 6
Response: 6
Network architecture:
C1 - C2 - C3 - C4 - WiFi-World
Steps:
(bold steps denote the minimal version of this example)
(H) Sniffing Traffic
(H)Matrix Perception
(H) Spoofing relay
(C4) Detecting relay spoof
(H) Analyze action
(C3) Detecting relay spoof
(H) Analyze action
(C2) Detecting relay spoof
(H) Analyze action
Explained:
(H) Sniffing Traffic
Hacking+Sniffer: 5+5+2 = 3 hits
The hacker wants to hack into Johnson's comlink. He knows Johnson is extremely paranoid and might have several layers of relay comlinks. He phones the Johnson to give a status report. As he does not want to hack into the MSP's database to get the node ID that is correlated to the Johnson's phone number, he is simply monitoring the traffic going from the MSP to the Johnson. To intercept the traffic he has to succeed in a Hacking+Sniffer test. With 3 hits, he easily intercepts the traffic.
Note: If the traffic was encrypted, it would have to be decrypted first.
(H)Matrix Perception
Computer+Analyze: 5+5+2 = 2 hits
To get the ID out of the traffic, the hacker has to succeed in a simple matrix perception test.
(H) Spoofing relay
Hacking+Spoof: 5+5+2 = 5 hits
Now the hacker wants to hide as a communications data package. He spoofs the ID of such a package and virtually knocks on the door of the Johnson's gateway host C4.
(C4) Detecting relay spoof
System+Firewall: 6+6 = 4 hits
The C4 chokepoint comlink scans the traffic for validity before relaying it. It achieves 4 hits in its test, which leaves the hacker with 1 net success. The node automatically relays the "hacker package" down the subscriber line.
(H) Analyze action
Hacking+Analyze: 5+5+2 = 2 hits
The hacker wants to know what node he is being relayed through. He rolls only 2 hits and goes for System and Firewall attributes. The GM tells him that both are 6. With a "holy shit" on his virtual lips the hacker is relayed to the next node.
(C3) Detecting relay spoof
System+Firewall: 3+3 = 3 hits
The C3 relay host comlink scans the traffic for validity before relaying it. It achieves 3 hits in its test, which leaves the hacker with 2 net successes. The node automatically relays the "hacker package" down the subscriber line.
(H) Analyze action
Hacking+Analyze: 5+5+2 = 3 hits
The hacker wants to know what node he is being relayed through. He rolls 3 hits and goes for System, Firewall and Response attributes. The GM tells him the ratings. The hacker is mumbling "getting better" while he is relayed to the next node.
(C2) Detecting relay spoof
System+Firewall: 1+1 = 1 hit
The C2 relay host comlink scans the traffic for validity before relaying it. It achieves 3 hits in its test, which leaves the hacker with 2 net successes. The node automatically relays the "hacker package" down the subscriber line to C1.
(H) Analyze action
Hacking+Analyze: 5+5+2 = 3 hits
The hacker wants to know what node he is being relayed through. He rolls 3 hits and goes for System, Firewall and Response attributes. The GM tells him the ratings, which are 1,1,5. The hacker thinks "big mistake" and notes the ID of this node. He might hack in here later to get some admin privileges and install a backdoor right in the Johnson's subscriber line.
The hacker is then relayed to the final C1 comlink, where he may try to hack in with a Hacking+Exploit (6, 1 Phase) extended test. But his best choice is to do the whole procedure again, hack the weak C2 comlink, get some admin privileges and then sit there and probe the hell out of the heavily fortified C1 comlink to avoid detection in his exploit attempt.
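The relay-chain procedure above, modelled in Python as an added example (this is editor's code, not part of the original post or of any SR4 material). Node ratings are taken from the stat blocks above and the hit counts are the ones rolled in the example; the function and field names are my own, and the helper that picks the weakest analyzed relay is an assumption about what the hacker would do with the ratings he learned.

```python
"""Model of the post's relay-chain spoof procedure (editor's example).

SR4 dice: roll d6s, every 5 or 6 is one hit. At each relay the hacker's
Hacking+Spoof hits are opposed by the node's System+Firewall hits:
  hacker net hits >= 1 -> packet is relayed onward (hacker may Analyze)
  hacker net hits <= 0 -> no relay; a node with net hits has detected him
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    """A comlink in the subscriber chain (ratings as in the stat blocks)."""
    name: str
    system: int
    firewall: int
    response: int
    signal: Optional[int] = None  # None = no wireless ("Signal: -")


# Order in which Analyze hits reveal ratings, as the post's example does it:
# 2 hits -> System and Firewall, 3 hits -> plus Response.
ANALYZE_ORDER = ("system", "firewall", "response", "signal")


def count_hits(rolls):
    """SR4 hit counting: every die showing 5 or 6 is one hit."""
    return sum(1 for r in rolls if r >= 5)


def roll_pool(dice, rng):
    """Roll `dice` six-sided dice with `rng` and return the number of hits."""
    return count_hits(rng.randint(1, 6) for _ in range(dice))


def resolve_hop(spoof_hits, node, node_hits, analyze_hits=0):
    """Resolve one relay hop from hit counts that were already rolled."""
    net = spoof_hits - node_hits
    relayed = net >= 1
    learned = {}
    if relayed:
        # The hacker Analyzes while being relayed; one rating per hit.
        for rating in ANALYZE_ORDER[:analyze_hits]:
            learned[rating] = getattr(node, rating)
    return {
        "node": node.name,
        "net_hits": net,
        "relayed": relayed,
        # Node net hits > 0: "it has detected that something is wrong".
        "detected": node_hits > spoof_hits,
        "learned": learned,
    }


def walk_chain(spoof_hits, relays, node_hits, analyze_hits):
    """Walk the chain hop by hop until a relay stops the packet.

    `relays` lists the relay nodes from the WiFi side inward (C4, C3, C2);
    the destination (C1) does not roll, it is reached if every relay passes
    the packet. Returns (steps, reached_destination).
    """
    steps = []
    for node, nh, ah in zip(relays, node_hits, analyze_hits):
        step = resolve_hop(spoof_hits, node, nh, ah)
        steps.append(step)
        if not step["relayed"]:
            return steps, False
    return steps, True


def weakest_relay(steps):
    """Name of the analyzed relay with the lowest System+Firewall, or None.

    Assumption (not in the post): this is how the hacker picks the "big
    mistake" node for a later backdoor. Unanalyzed nodes are ignored.
    """
    best = None
    for s in steps:
        learned = s["learned"]
        if "system" in learned and "firewall" in learned:
            score = learned["system"] + learned["firewall"]
            if best is None or score < best[1]:
                best = (s["node"], score)
    return best[0] if best else None


def simulate(spoof_pool, analyze_pool, relays, seed=0):
    """Roll every pool with a seeded RNG, then walk the chain."""
    rng = random.Random(seed)
    spoof = roll_pool(spoof_pool, rng)
    node_hits = [roll_pool(n.system + n.firewall, rng) for n in relays]
    analyze = [roll_pool(analyze_pool, rng) for _ in relays]
    return walk_chain(spoof, relays, node_hits, analyze)


if __name__ == "__main__":
    C4 = Node("C4", system=6, firewall=6, response=6, signal=6)
    C3 = Node("C3", system=3, firewall=3, response=5)
    C2 = Node("C2", system=1, firewall=1, response=1)
    # Hit counts exactly as rolled in the post: Spoof 5; C4 4, C3 3, C2 1;
    # Analyze 2, 3, 3 (C1 is the destination and does not roll).
    steps, reached = walk_chain(5, [C4, C3, C2], [4, 3, 1], [2, 3, 3])
    for s in steps:
        print(s)
    print("reached C1:", reached, "| weakest relay:", weakest_relay(steps))
```

Running it replays the example: C4 leaves 1 net hit, C3 leaves 2, and C2 is the weakest analyzed relay. Dropping the spoof roll to 2 against C4's 4 hits stops the walk at the first hop with `detected` set, which is the case the post's note about security measures covers; a tie stops the relay without detection. `simulate` rolls the pools instead of using fixed hits, so the same chain can be replayed with a seed.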
Loestal
May 19 2006, 02:11 AM
Forgive me for not reading every page...but I can't seem to find how to clean out your net hits from a system before logging off so you don't leave a data trail. I looked in the book, and perhaps I'm just passing it by, but I can't seem to find how to do it..so could somebody please tell me or direct me to a page number so that I can figure this out.
Serbitar
May 19 2006, 08:32 AM
It's not in there . . . That's the overall problem of the matrix rules with the basic SR4 book. Everything is left to the GM. I'm trying to fill the gap by giving some ideas, but that's just it.
So here you go: (btw, you do not clean net hits, but hits. If the node had any net hits, you would have been detected).
You can erase all the traces of your hacking activities you left in the node by editing the log files. Admin privileges are needed for this (if you do not have them, you have to hack).
This is a Computer+Edit (1, 1 Combat Turn) extended test. Every hit deletes "Edit programme rating" hits worth of traces you left behind.
If you do not have the privileges it is an opposed Hacking+Edit vs System+Firewall (1, 1 Combat Turn) extended test. Note that this test also generates hits for the node, that have to be cleaned up.
If you clean everything up, nobody can find out by looking at that system's logs that it was hacked. (Of course, one might tell that the system is hacked when the node does weird things, but you will just not find it in the logs.) If any hits are left behind, one can find the hacker's matrix ID (just like a modern-day IP number) in the logs and what he did. Note that the matrix ID can be spoofed and such.
Loestal
May 19 2006, 07:48 PM
Ok thanks, that clears things up except 1 thing...which I might be reading it wrong. Is it the hits the hacker scores that he must clean...or the hits the system scores that the hacker has to clean?
Aaron
May 19 2006, 09:04 PM
Where does it say you need to clean hits? I'm not finding anything like that.
Serbitar
May 20 2006, 03:27 AM
@Loestal:The hits the system scores.
@Aaron:You do not need to clean hits. I am simply giving hints on how such a system can work. The book (RAW) says, that hack attempts can be found. But it gives no rules how this is decided and what a hacker can do against it. It is up to the GM till unwired is out. I am just giving suggestions on how to do it.
So once more: These rules I give in this thread are my interpretation of the matrix rules. Nothing should (to my knowledge) contradict the rules given by RAW, but I am adding a LOT of assumptions and extra stuff on how things COULD work.
I just want to give examples of how to model a working matrix ruleset covering various situations that is consistent and understandable.