With regards to VR/AR, my thoughts are these:

- VR is basically an extension of AR; you filter out more of the meatworld to focus exclusively on the Matrix. It'll have some benefits; you won't take as much penalties from distractions or something. Clearer matrix perception. But nothing too major. Also, it's possible to "project" in VR and appear visibly as a ARO; some areas feature this heavily. Both virtual and meat guests welcome.
- The big difference is DNI vs. tortoise interfacing. You can use AR through DNI, and use VR with a helmet and gloves. The more directly connected to the Matrix you are, the faster you'll be in the Matrix. However, you'll also be more vulnerable to biofeedback.
- Sculpting of systems has no real game effect. That's a kind of Gibsonian lunacy that, if you read carefully, even Gibson didn't really believe in. Tron was a funny movie, but these days, nobody can suspend that much disbelief. If form and function of the system happen to match, that's meant for the convenience of legitimate users. IC will tend to look inconspicuous and innocent.



With regards to programs/hardware:

- Part of the fluff of any hacking story is a lot of talk about how SOTA your stuff is, and how quickly everything is getting even faster and nastier. However, actually tracking game effects of SOTA will quickly result in tedious amounts of bookkeeping. This needs to be avoided.
- Hollywood has some good ideas about making hacking fun; don't obsess about details. Hacking programs are like spells that you throw at computers.
- Programs should do something specific, clearly and explicitly defined. Like guns or spells. For different tasks, different programs.
- While programs are a lot like other equipment, their availability is a different thing altogether. Downloading is the norm, and programs are basically free, except for MacGuffin programs that do really unusual or exceptionally powerful things. (Plot items, most of the time.)
- There's no reason not to use the best programs you can get. Ratings therefore are a needless abstraction (Rating 1-5 medkits anyone?). Hacking uses Attribute+Skill rolls.



Encryption/Security of the everyday matrix:
I don't know very much about encryption myself. I know just enough to feel very unconvinced by Unwired. It looks arcane, complicated and yet wrong.

- One time pads are a safe and much-used method of encryption. Most devices are equipped with a VAST one-time pad shared with a trusted party, like a MSP. To communicate with a third party, you send the MSP an encrypted message; they decrypt, then re-encrypt with the one-time pad of the intended recipient. Now and then you buy a new datachip with a gazillion lines of new one-time-pad at a local StufferShack.
- Breaking high-end encryption is impossible; you need to just hack the receiver or sender.

Or something like that. Like I said, I don't know all that much about encryption; more sophisticated safe communication protocols surely exist.



Some general thoughts:
- It shouldn't turn into a big sub-game
- The hacker's most important job is to disable security systems that otherwise are nearly impossible to circumvent (motion sensors on the other side of a door.) This needs to be doable, most of the time.
- Fluff and game mechanics shouldn't contradict each other.
- Not too hard, no cakewalk either.
- Plausible security for the masses (at least against non-elite hackers)
- Mechanically similar to other game rules (guns, spells)
- More than one way to get things done; meaningful choice of tactics
- Designing a network shouldn't take the GM's whole afternoon
- Suspension of disbelief shouldn't be too hard
- Usable both by computer nerds and people who think Hollywood Hacking is totally awesome.
- No brainhacking without DNI.

Well, looks like I got my work cut out for me... I'm going to be stealing lots of ideas from Frank, I think.

EDIT: On second thought, this is really way too much work. I've got some papers to write, and I shouldn't pick up anything this big at the same time

The reason the brain hacking was included in Frank's rules system was to force everyone else to care about the Matrix. More importantly, it forces the people you are interested in to care about the Matrix. For J. Q. Public, the fact that he can get free p()rn and watch all the latest TV programs is more or less a good enough reason; but for the people who are choosing the 9mm retirement plan and have deadly secrets to keep, free p()rn just isn't a good enough reason.

So, you have two basic ways to force the people you are interested in to care about the Matrix: the carrot or the stick. Frank's approach is mostly stick based; if you don't care about the Matrix, you'll get hit with a huge stick. So everyone who we are interested in cares a lot about the Matrix. Or you can have a carrot based approach (see my sample idea here). The bonuses provided by being connected to the Matrix are so important to non-matrix related stuff that people will risk being exposed to hacking to get them.

Of course, you still have to deal with things like banking, electronic money, and encryption too.

Bob is correct that you need an incentive to people not to just switch 'hacking' to 'off' which is entirely possible in the core rules. The stick works better than the carrot because it doesn't interfer with other dice pools.

This is the biggest problem with taking out 'brain hacking' from Frank's rules - generally it re-introduces the hacking to off option, and you need an altenative way to compensate

What exactly do you mean by "forcing to care about the Matrix"? I don't really get your problem.

You don't have to force people to use the internet; they'll do so themselves. And even if they didn't - why would you want to force them?

Read Frank's opeing post: Nash Equilibria and Matrices, Your targets are not stupid..

The short version, if people can 'not care' about the Matrix, then the hacker isn't a very viable PC archetype. Which means that our rules contradict our fluff, break genre, or however you want to phrase it. And since we are playing the game for the fluff, not for teh rules, we'd rather have rules that agree with the fluff rather than contradict it. So how do you get rules that agree with the fluff? By forcing people to participate in the Matrix, so the hacker has a reason to put on his ninja suit, like everyone else.

The interesting question regarding Mr. Nash, once you´ve gotten how that works, is what values to assign to the matrix. If you arrive at the conclusion that the chance of being hacked is worse than loosing free communication, matrix dp boni, TacNets, and "being hacked instead of shot", you might have used the wrong ones. Just saying (again).

That's one of the biggest issue I have with Frank's system, but I see that I've already said what I had to say about it in the 10th post of the aforementioned thread.

That's the point, when the consquence of 'being hacked' is 'you lose millions of credits and/or die' then the equilibrium is set to 'turn hacking to off' especially given the ease of doing that.

Plus your suggested boni don't apply to, say, a secure door. It doesn't better from free comms, matrix DP bonuses or tacnets, so why won't it have hacking set to off?

What's the probability of getting hacked? What's the perceived probability of getting hacked? What's the perceived probability that YOU can get hacked, especially with that SOTA "Security Suite" you pay every month for?
How much easier do you make your life by having a door that opens automatically when you are near?

Nash Equilibrium is fine for game theorist, but it can't be applied to many real-life situations. And even if you could find the right values for all that, you'd still make the mistake of considering that people are rational. How many people have I heard saying: "I have only one password I use for everything, and it's a dictionary word. I know it's bad, but I don't have anything important so why bother?"? And most of these people use online banking. Even when their lives are concerned: just look at how many people drive while drunk or texting... Most people don't perceive risks correctly, they'll be afraid of flying but won't have any problem driving even if it's statistically far more dangerous.

Because the people who use one password for everything are not the people we are interested in. The game is about very high security places, where we can expect security to be implemented by the most paranoid, knowledgeable, and meticulous guys around. Remember that free p()rn is a great excuse for J. Q. Public to have a matrix connection. But not a very good excuse for the super secret war crimes lab. So, the rules have to give a reason for the super secret war crimes lab to be hackable, not for some random guys home PC. Also, we can't rely on the excuse that the guys who run the security at the SSWCL to be idiots excuse for why they are hackable.

We're talking about the end of town that doesn't connect their computers to the internet today, the sort of people who have professionals on staff to

a) be paranoid; and

b) kill people who are threats.

In that enviroment, where you are hiring professional killers, why would you have a wireless enabled door?

Even more importantly, they perceive risks they take themselves as less risky than risks others ask them to take.

Continuing with the bad password example: Many, many, many people use the password "password," despite how insecure and obvious it is. But they're perfectly willing to take that risk. But as soon as someone else mandates what their password should be, they'll be up in arms about it: "Someone knows what my password is! Must rebel against authority!"



Brain hacking doesn't solve this problem. Brain hacking solves the John Q. Public not being online. Brain hacking in no way prevents a large secure corporation from taking their secure servers offline.

The people who use one password for everything are the same as the people who work in the high security places.
Anyway, the goal of high security places isn't to be secure: it's to do their job. Sure, you can protect a place from hacking by having no network or no computers, but if you can't get any (or enough) work done without computers or a network access, then your secure place is useless.

I supposed, to be more specific, it is the ability to high density signal to manipulate any equipment, of which brains are just one example, within range.

Okay, so I plowed my way through that flame-hammered thread. Some interesting tidbits here and there. I've found that people have the following issues:

Without brain-hacking, hackers don't have anything to do in combat
This is very dubious. A total hacking specialist might be in trouble, but generally you can:
- Learn to use a weapon
- Drones
- Mess up the enemy's TacNet
- Otherwise try to manipulate the battlefield

People can just Opt-Out of the Matrix
Yes, they can. Let them; Shadowrun should have neo-Luddite tribes in the forest, weirdo eco-shamans and paranoid crazies with tinfoil hats. And while the R&D server may be offline, consider the following:
- Companies need some measure of Matrix access for their daily functioning. To communicate with vendors/ customers/ in-house departments located elsewhere
- Companies need to communicate with their personnel
- Drones pretty much require WiFi to be useful
- Normal people will have commlinks the way people have cell phones in the present
- The Matrix is very convenient
- Matrix assistance is so very very useful. Generally a +2 to almost all tasks.

"Normal" security isn't good enough
This can be fixed by constructing the difficulty in a different way.

"High" security is too hard for PCs
This can be fixed by constructing the difficulty in a different way.

Matrix use is a subgame
So is sneaking in, astral projection and Face-work. All players must occasionally sit back and watch someone else do something. That's okay as long as it's cool and fun to watch.
The problem is that hacking takes too long, has a lot of clunky rules and as a result isn't very exciting. This can mostly be addressed by having more exciting things happen, more diversity in what happens during hacking, and smoother (less layers) game mechanics. Any extended check that can be reasonably converted into a single check saves a minute of counting dice.

Script Kiddies
Hacking will be Attribute+Skill based. You simply need programs and hardware to do anything at all, just like you need a gun to shoot people. And just like there are different guns with different benefits, there are different programs with different benefits.

Agent Smith
Agents will be limited to a rating of 4, which is it's Attribute for Matrix tests. It needs Activesofts to gain hacking skills. There will be limits to how much brute force is worth in hacking, but there is a role somewhere for botnets.

I've though about brainhacking, and I like some of it. But not Frank's interpretation;
- Two-way DNI is required for most serious brainhacking, and only local receivers can receive a brain.
- One-way signals to the brain are essentially either a microwave ray gun, or brown noise. Neither is really an instance of brain hacking.

So strapping someone to a chair, putting a trode net on him, and mindfucking him is perfectly fine; pointing a commlink at him from across the room isn't.

For the wannabe brain-hackers among you, I'll leave you the following thoughts:
- Capsule rounds with DMSO, Carcerands with DNI-Nanites
- Gas grenades with Carcerands and DNI-Nanites

Sure, DNI Nanites need to be introduced, but those actually make a lot of sense.

Cool and fun to watch or quick enough to solve. Even if hacking a single camera was cool and fun to watch, I guess the other players (and eventualy the hacker too) will get bored after the third camera.
So I think you should have two resolutions methods: a quick one for simple hacks and another one for more important hacks (which could also be divided in quick hacks (a few combat turns) and long hacks (several hours with a lot of planning) since both can be interesting). And you have to make sure that the rules for the important hacks make hacking scenes interesting enough for the rest of the team to watch.

Good point, I'll add it to the list.

Ideally, routine tasks like hacking a video camera should take roughly as long as firing a gun. Maybe that would be an interesting application of Electronic Warfare.
I'm not sure if I'll end up with exactly the same list/number of skills. Some seem to have rather few applications, or very unintuitive applications.
I'm very intrigued by the possibilities of a more Hardware-oriented hacking approach; once you get physical access, you can do things to a device that will bypass many software security measures.

And happen about as often.

Even if its a one-roll deal, you shouldn't be making that roll to walk down each hallway (every 30 seconds).

Hmm. I'm in favor of the following way of doing it:

1) Realize the facility's security cameras are not connected to the Matrix
2) Get near a camera without getting seen
3) Hardware-access the camera
4) Hack the security network through the entrance the camera's wired connection provides

I'd have to generally agree with this too, and rethink, perhaps, my standpoint the core system's expected usage is the issue, though I'm not swayed very far from that yet. But, working within the confines of the existing one, this is a very good point.

Mentioned before and will be mentioned again. Social engineering will practically always beat a good encryption. Hell, commanding voice some poor Exec somewhere: "State your password!" Good grief.

I've been thinking about the encryption issues of day to day cash transfers that go *through* your local stuffer shack. They can't encrypt their financial books at the corporation (at least not without using a 24 hour key to unencrypt just to look at the things) to something useful, but they can encrypt micro-cash transactions to the banks with a high degree of safety.

Odd, but alright... but in a way, it *could* be made to make sense to both sides of the discussion, fluff-wise. Micro-transactions and small data blips are practically undecryptable precisely because they're so small, you can't get enough of an algorithm going to un-translate, but the larger files (the entire account history in the bank, for example) is large enough to do so with. It makes (more) sense with the one shot pads (even if you don't know the PAD, magic-matrix wise, the algorithm could figure out the core mechanic and then attempt a brute force) but still doesn't make the electronic world a cryptological nightmare (ie: useful).

The other side of that is why don't banks get broken into more often? Because they keep machines constantly running that have logged in with their 24 hour keys and are under physical guard that would require you to be an assault team to access, and any decrypt attempt is automatically logged to a separate system and checked by the spyder. Only the banking industry would usually undertake these measures (and any super-secure site the GM decided on).

This, at least, MIGHT help in cleaning up the fluff around matrix banking activity, something that's bothered me. If noone cared, sorry for the volume.

Matrix Banking is actually fairly simple.

Credsticks don't contain money; they're essentially a large one-time pad keyed to an account. For example:

You wish to transfer money from credstick A to B. You set the amount of money to transfer, and then touch them together. B tells A of an account number to which to transfer the money. A then sends a one-time-pad encrypted message to the bank holding A's bank account; they decrypt it, and transfer the money to B's account. B's account then sends an encrypted message to B-credstick to tell B that the transfer has been completed.

The accounts are linked to the credstick, allowing anonymity and trading of credsticks instead of money transfers, if you like. The transmissions to the bank are likewise secure.

All this is possible because we've got "practically unlimited storage space", and that means a credstick can hold a one-time pad that won't be exhausted in reasonable time (and they only cost 25 nuyen to replace anyway.)

Since the account isn't on the credstick, the bank isn't at risk from people inflating their accounts. However, a hacked credstick could be used to clean out an account. But that generally requires physical access to the credstick; they're so simple that they'd be very hard to hack.

My problem isn't with a hardware credstick, but with simply intercepting the local stuffer shack, dropping all the loot to an offshore account in the Caymans, and walking away from the industry which you ran from the middle of Antarctica, on some very private AAA's installation so extraterroriality will get in the way of finding you while you do a quick SIN switch.

Rich for life, and theoretically, very easy for a hacker. Why run? The rules for cashflow, outside of hardware transfers, are very iffy, at best.

Well, any communication could theoretically be made indecipherable with OTPs. So why doesn't the StufferShack use a credstick plugged into the register? That'd be pretty safe. (You could try to hack the register to make it think it had to pay out to a customer, I suppose. But the bank could have "receiving only" accounts for the registers.)

The problem is much more in getting all those hardware OTPs distributed; that brings us to Johnny Mnemonic-land.

OR to different encryption schemes. I know they exist; I just don't know much more about them. And when I write encrption rules, I need to know at least some basics, just to make sure I don't ignore a glaringly obvious method.

my understanding is that you cant go VR using only gloves and glasses, you need full trodes or datajack for that.

That's the RAW, yes. I don't agree with it.

The real important distinction to me isn't AR/VR, it's DNI or tortoise. In DNI you're much faster; many actions will take one "size" less in DNI.

For IPs, I'm thinking about just having 1 IP, but letting "meat" IP boosters apply. Perhaps a specialized booster that only increases IP for mental actions, like budget Wired Reflexes.

Quantum mechanics can help with that. It is possible to transmit quantum information over a fiber optic cable in such a way that any attempt to eavesdrop will be quite apparent. That is ideal for exchanging OTPs; in fact, such a system is called "quantum encryption". This has recently been demonstrated at lengths of 30km. It is also possible to do wirelessly, with very short (but demonstrated) ranges.

Its because observing the data stream changes it. I believe it's still readable on the receiving end, but you know its been tampered with.

Exactly. So, somebody sends you a one time pad using such a system. Since you know nobody observed it in transit (if anybody has observed it along the way, you don't use it), you know that only the sender (and anybody the shared a copy with) and you have a copy. Just like using a data courier, only without that silly (and unreliable) wetware.
Now you have a nice pair of OTPs to use for (unbreakably) secure communications.

Personally, I explain the possibility of secure transactions with the SR4 encryption rules by considering that to successfully compromise the transaction, the hacker would need:
* To find the commlink/signal (this can be done before the transaction takes place)
* To successfully decrypt the signal
* To use an intercept action on the signal (according to RAW, you can't intercept a signal before decrypting it).
All this before the transaction is over. Since most transactions will take a few milliseconds, most hackers won't be able to have all this done in time.

As for the rest of the bank systems, they aren't completely secure, but they are aware of this and they have ways to track down a hacker who would steal money. Just like you can steal physical money from a bank, you can steal it by the Matrix. In both cases, the biggest difficulty will be to avoid getting caught and still be able to use your money.

When you think about it, today's banking system isn't very secure: PIN codes are 4 numbers long and can be cracked easily, YES card or other exploits can be done quite easily and compromised bank accounts access are sold everyday in black markets. Though, the banking system still works... Well it has problems but not because of hackers.

also, transactions will be bank to bank, with the actions out in the field basically being the same as one party calling his bank and saying "this is joe, transfer x to account y" then the other party "hi, this is carl, can you give me the recent transfers from account z?". The banks keep a log of all this at each end, and if any customer complains, they can roll back whenever.

and credit companies are similar, they can basically erase the false uses, and then if the sums make a big enough bite into their balance sheet can start to track the person who did the fake uses down. And with just about anything having a RFID and a datatrail, that can be easy unless the person got the money out as certified cred, and then converted that into diamonds or something else without a RFID (tho i guess diamonds could just as easily have some kind of serial engraved using nanites in SR).

Basically, the trick with tricking banks and credit companies, as with anything else, is to stay below radar. Biggest mistake is to grab a platinum card and then go out and buy a jaguar on the spot. Thats like bin laden going on world tv live and giving out his exact gps location...

Okay, that quantum encryption bit was an interesting read. So it appears that I can justify secure encryption and communication existing. The question is: how secure can it get without making hackers less playable?

Thereotically, data can be encrypted in a provably secure format. However, the really secure methods for two parties to establish a shared OTP aren't terribly fast; both Kish and Quantum take some time. This is fine for a lot of purposes, like transferring business data.

However, some communications need a lot more speed. Particularly high-density communications where response time is important. Like controlling drones or live simsense (rigging, VR hacking). This can still be encrypted, but it's not unbreakable.

I'm toying with the idea that a brain-computer aggregate would be capable of solving problems that are quite hard for normal computers. This will of course involve some handwaving, especially in the choice of what exactly human brains contribute, and what applications that leads to. I'm thinking that pattern recognition and ambiguity handling and abductive reasoning would be plausible contributions a human brain can make to a computer.

This could then be used to justify the importance of hackers over agents; brain+computer would be able to outwit pure computers in cybercombat for example. Maybe brain+computer aggregates will also be surprisingly good at cryptanalysis.

After all, canon fluff states that the earliest cyberdecks demonstrated that the new technology made all previous security obsolete..

I didn't read the thread, so I may be reiterating some previous ideas. I apologize if I am. This is also a basic overview, not a finished system. It still obviously needs work.

Cinematic Hacking in Shadowrun

Why?

Because nobody but computer geeks really care about the intricacies involved in hacking. They want a system that is quick, that meshes with the game, allows for a dedicated character to shine, and is interesting. Instead of even concerning yourself with matrix topology, let's abstract everything out to a cinematic level and not concern ourselves at all with the actual elements of hacking & programs.

The System

Anyone who has played Spycraft will be very familiar with this system.

Hackers have commlinks and all necessary programs needed to hack. Commlinks have a rating of 0-6. The rating of the commlink is an amalgam of hardware and software. This is a dice pool modifier to the hacker.

All commlinks, nodes, servers, and any other location a hacker can "visit", contains either an agent or a spider/enemy hacker. Nodes/servers have ratings of 0-12 (which function exactly like a commlink rating). The agent running on a node also has a rating of 0-12. Combining the node and the agent (or the commlink/server + spider's hacking pool) equal your base hacking pool. For purposes of technology level, assume that a rating of 6 is state of the art for consumers.

Progress for the hack is measured in terms of "authority points". These are arbitrary measurements that reflect a user's control and initiative in the hacking "war". There is always an offensive party and a defensive party in every hack.

The defending party starts combat by rolling either it's rating in the case of an agent, or logic + hacking in the case of a person. The defender gains this many "authority points" to begin with.


Example:
Twitch needs to hack a security door node in the local Renraku corp HQ, and security is tight. He connects and before combat begins, the agent (rating 5) rolls its rating- 5 dice, and comes up with 3 successes. The Agent therefore starts the combat with 3 "authority" points while Twitch has zero.

There is a list of offensive and defensive actions that can be taken. At the start of each round, before any initiative passes, the hackers involved in the hack each select one offensive and one defensive action from the list and reveal it at the same time. Cross referenced, each action will impact the dice pool of the opponent.


Example:
Twitch is hacking a node, and at the start of the turn decides he's going to open up with an "Overflow Buffer" attack. The node (gm) has decided to open with a firewall defense, which is specifically designed to counter the buffer overflow. Cross referencing, Twitch gets a -4 penalty to his dice pool, and the agent gets a 0 modifier. Both the agent and Twitch then add their node/comlink rating to their dicepools and roll.

Whoever achieves the most successes is assumed to have successfully performed their ability. Resolve the text of the ability to adjust authority points. In the event of a tie, the defender gains a single Authority Point.


Example:
Twitch rolls his dice pool and comes up with 2 successes. The Agent rolls 4 successes, meaning he successfully enacts the Firewall defense. The text says that the agent starts closing off communication points, strangling the ability of the hacker to attack the node at all. The defender gains 2 Authority Points for completing this maneuver, plus 1 Authority point for every 2 net successes. This means that the Agent gains 3 Authority points, giving him a total of 6 Authority points

Note that some maneuvers require a difference of X number of Authority points. For example "pwn the system!", where you shred the defenses of the network and the entire system is laid bare to you, ending combat and giving you full, free access to the network, requires you to have 15 or more "authority points" than the rating of the node/commlink/server. Conversely "Dumpshock!", which cuts off the hacker and inflicts a point of stun damage per 2 Authority points requires 15 more points than your opponent.

Some actions require a narrower range:

Example:
"Break it off!" immediately and safely ends combat with the defender. Requriement: Defender may not have more than 5 more Authority points than you do.

At the end of the "hacking" turn, both the defender and attacker have the ability to spend Authority Points. To manipulate the system in some way, the hacker needs to spend a number of Authority points equal to the node/commlink rating. There is no limit to how many times you can spend authority points in one turn, so long as you have the points to do so. This represents you spending some of your initiative and attention on achieving an immediate, short-term goal.

Example:
Several rounds later, Twitch has gained 6 Authority points, and the Agent has 9. The Agent has the "Black Hammer" attribute, which means it can spend 1 Authority Point at the end of every hacking round to inflict 1 point of physical damage on Twitch. It does this, spending 3 Authority points and inflicting 3 physical. Twitch, however, needed to only force a door open so his team could get through it. He spends 5 Authority points to manipulate the node controlling the security doors, and forces the doors in this area to unlock. Next turn he can try to "break it off!" and log out of the system before things get worse.

After this round, the normal combat round occurs for the rest of the team.

Augmented Reality

If a hacker is using Augmented Reality, s/he may still participate in the "meat" round, at a cost of 2 Authority Points per turn, representing a yielded initiative. At the GM's discretion, a -2 dice penalty may be imposed on the hacker during his "meat" actions for multi-tasking (almost all combat or active skills should receive this penalty, but a person could generally walk, carry a slightly distracted conversation, dial in a passcode, possibly search a small area for something obvious, etc).

You choose at the start of each turn if you want to be in AR or VR, but don't pay the points price until the end of the hacking phase. You may never have less than zero Authority Points, so at 0 you may hack in AR without penalty.

VR & Hotsim

VR prevents the hacker from acting in the meat world, but the up shot is that the hacker doesn't pay that 2 Authority Point penalty each turn. If a hacker decides to go hotsim, a further +1 (or maybe 2) dicepool modifier is given to the hot-simmed hacker. However, VR opens up a hacker to stun damage, and hotsim opens up a hacker to physical damage.

Black & Grey ICE

In AR, a hacker is immune to stun & physical damage from ICE. In VR, a hacker can receive stun damage, soaked as normal. Also, in rare circumstances, physical damage can also impact a VR user. The rating of the commlink represents "armor" in the form of safety circuits in the simrig. The commlink subtracts it's rating from any incoming physical damage before being applied to the user.

In hotsim, physical damage goes straight through to the hacker: the commlink does not "soak" the physical damage beforehand.

Agents

While hackers have the full gambit of offensive/defensive attributes to cull from, agents generally are only defensive, and have a limited number of maneuvers available to them. They will always have the ability to monitor the hacker, which results in either 1 Authority point per turn, but effectively rolls a 0-net success on all hacking contests, or can roll agent + node rating as a maneuver. Otherwise, agents have a number of defensive maneuvers equal to their rating. These can either be pre-determined (commercial agents are often well known for their defensive packages), or randomly drawn (hackers of varying talents cobble together defensive suites, leading to a lot more uncertainty).

Agents also are assigned Authority Abilities. Stun, Trace, Slow, Black Hammer, etc... all cost varying amounts of Authority Points.

For 10 authority Points, an alert can be issued by an agent, which can do 1 of 2 things.

1) It can alert a Spider, who will instigate cyber-combat in D6 rounds. This is a silent alert that the hacker has no knowledge of.

2) If no spider is available, each node that triggers an alert will add it's rating to the number of starting Authority Points that the defender receives for all further hacks in that network, until the alert is canceled.

Custom Code

It's generally assumed in most hacks that the hacker is whipping off code bits assembled quickly from libraries of exploits, worms, viruses, and other nasty tricks. However, with dedicated effort, you can create a big gun. Custom Code has a rating of 1-6, and represents an especially nasty virus or exploit you've discovered and "weaponized". It's extremely potent (adding dice to your dice pool for the duration of combat), but is time consuming to create. Creating custom code is an extended test, 1 month in duration, and has a threshold of rating x 3.

Most agents are adaptive in nature, and analyze exploits used by intruders. Corporate, commercial agents usually submit their defenses to a global database run by the Corporate Courts, sharing intrusion data and bolstering defenses under the concept that there is safety in numbers. Hackers who code their own agents can use this if they subscribe for a nominal fee.

Any agent who does not have the attribute of "Isolated" is tied into this system. The first time you use custom code, it works at it's appropriate rating for the duration of that single combat. However, the agent is recording and uploading, in real time, heuristics about your attack, and the database updates itself with counter-tactics, who then download the appropriate defenses back to all subscribers.

In game terms, after your first use of custom code, every combat that you use your code the agent gets to roll it's rating in dice. Every two hits (rounded down) reduces, permanently, your custom code rating by 1. At rating 0 the code becomes useless: it's been used too many times in the wild and any agent subscribing to the database can adapt to your exploit.

Custom code can not be maintained, upgraded, or enhanced in any way at all. Think of it as the cyber equivalent of a clip of highly powerful ammunition.



-------------------------

That's just off the top of my head. Any thoughts?

....That looks pretty nice.

I remember glancing over Spycraft once and recall the "Authority Points" mechanic.

It was actually the chase system and was measured in "lead", which wasn't individually tracked. The idea of allowing a hacker or agent to spend "authority" to achieve short-term goals instead of having to completely hack each node each time speeds up the time spent hacking.

Interesting.. I'm gonna let this sink in, it's working in a fairly different direction than I was thinking. Maybe I'll borrow my friend's spycraft book to cehck up their system, since apparently they had a bright idea there.

Exactly.

I like the concept above. How would multiple IC/Hackers/Agents work. What if they add their authority together, creating a teamwork.

Dixie,
Why wouldn't a network want to have all of its nodes with active alerts 24/7? With 5 rating 3 nodes on constant alert, anything that is being hacked automatically has 15 Authority Points and Dumpshock!s the hacker. If 15 AP is insufficient, then just add more nodes on constant alert.

Pretty decent, might give it a shot sometime

Cinematics.

You're asking too many questions.

Trust me, I agree with you in common sense. But I threw common sense totally out the door and went with cinematics. The chase system I adapted hacking from has a maneuver in it called "That's Impossible!" that pretty much says "You get to defy the laws of physics and reality for one turn. Have fun thinking up something." Reality intentionally is left by the wayside. The idea of an intrusion alert provides a "the clock is ticking" trade-off for the hacker, and an option for the GM if the hacker is totally outclassing his agents.

Also, I didn't develop the rules enough, nor have I playtested them. I might say that after a dumpshock, the alert is canceled or something similar. The concept is to give you a penalty for faffing about or biting off more than you could chew. I'd probably re-write the "monitor" ability to make it a little more useful for the GM, but the idea is that if a hacker totally outclasses an agent, it can "observe and report", and if the hacker needs to access the system again, it's waiting to f*ck with the intruder.

Oh okay I suppose that I can also give you a real-world explanation. Intrusion alerts usually send off all kinds of alarms, lockdowns, and kicks in higher amounts of logging. That results in A) more processor overhead, resulting in degraded end-user service, and B) the sysadmin (and there will always be a sysadmin) actually has to take time to go and review the alert. It's the concept of Chicken Little. He doesn't want it going off constantly, because that tells him nothing. System alerts are there to make an intruder's life harder while someone (eventually) responds, and to let the admin know that there was something important enough to *cause* an alarm that warrants his attention.

The system needs a *lot* of fleshing out and balancing to make it quick and fun. I'd probably try to reduce the die rolls somewhat, and probably reduce thresholds, to make hacking go quicker in either direction. The intent was to make agents pose an obstacle, but make hackers a real lethal threat, while avoiding the munchkin crunching that the current system has.

I tend to favor either a realistic system with sacrifices made for gameplay, or a totally cinematic system that isn't based in reality at all. Meshing the two tends to screw things up and set up common sense assumptions that break the rules system down.

For example, I wouldn't describe the topology of the wireless Matrix in great detail. Nodes would be wired/wireless, and in AR/VR each node would have a list of relevant systems it "subscribed" to. For example, the above security door node would have access to the building event logs, read only access to the authorized users list (executive offices) letting you force the door but not forge a new ID authorization, and a read-only access to the power grid (on power out, unlock the door). This would give you three things you could possibly do with this node. You could force the door by faking authorized access, you could cut the power or fake a power outage, and you could access the logs to either cover your tracks or see who passed through the door in the last 24 hours. Each of those actions would require on average the rating of the node in authority points. I might introduced the "hardened" attribute, which adds to the required number of authority points to force the system to do anything.

I'd abstract things even further with encryption and files. Files can only be decrypted by the node that encrypted them (note, it doesn't have to be the storage node), and each rating of encryption costs node rating x encryption rating (so for example, if it's a Renraku black bag R&D lab, the encryption might be level 4, and the node might be level 5, meaning 20 authority points to force the decryption. It'd be easier to pwn the node at that point, but probably dangerous regardless). Brute force cracking could be done by Commlink rating divided by the total authority point requirement in weeks rounded up (so if you had 20 points to decrypt an encrypted file, and a commlink 3, it'd take 7 weeks to brute force crack).

I could complicate things by allowing multiple commlinks of the same rating to hack on a decryption, with the rating equaling how many identical commlinks you can cluster together (4 rating 4's for 16 authority points a week for example). However, even a rating 1 commlink is considered "professional" hardware in this system. Rating 6 is SR3's Excalibur Deck costs, since you can do *so* much with it.

This way, network topology will have strongholds and checkpoints without worrying about designing topology. Checkpoints are obstacles to overcome, and complicate longer hacking missions. Strongholds are nodes that actually contain the useful processes (authorized user list, decryption access, alarm servers, etc etc) and would be a significant effort to gain access to. A spider might monitor the hacker as he forces his way through checkpoint nodes, and enter into combat at strongholds.

I'm not even worrying about how a legitimate user accesses the same system. The odds of a PC ever accessing a black bag R&D network legitimately is slim to none, and could be roleplayed out without system mechanics.

It's a major thematic overhaul of the Matrix, and I'm not even sure if it would mesh with the rest of the game, but I feel like it might focus on the "bigger picture" more than the minutiae of hacking.

That might work, or allow individuals to share authority points at a cost (2-to-1 or whatever).

Thematically I'd be more likely to only want to run one hacking session at a time. One hacker/agent takes point, the rest support, while still being about to do sh*t in the meat world if possible.

It's actually the one major flaw that I have in proposing the system. In Spycraft, it's always one dude driving and everyone else riding shotgun. If it's multiple people vs one target, then that's easier, one target plays a maneuver against all the opponents, and each action is resolved, either with it's own roll for each opponent (yuck) or one roll vs three (better, but still yuck), accumulating authority points from each "face off". In a general melee between multiple opponents on each side, I have no elegant solution. It would devolve into rolling craploads of dice and combat phases before the meat round starts, which would suck and totally go against the intent of the system (to maintain inertia).

It needs a lot of writing to be feasible.

1. you need to create defensive & offensive maneuvers thematically appropriate. There was something like 8-10 in Spycraft.
2. You need to create a matrix of penalties/bonuses for each player to encounter depending on who played what.
3. You'd also need "authority point" costs for agents for stun damage, dumpshock, black ICE, trace, etc etc.
4. A list of general network "services" that each node a character accesses could potentially have read or write access to.
5. sh*tloads of playtesting

It's doable, but it'd require a lot of work to balance, and at the end of it, you might find it *still* makes hacking a pain in the ass.

I know the chase system is craploads of fun in Spycraft. We actually looked forward to the chases. But they were set pieces almost, frequent but distinct. It might not suit something done as frequently as general hacking.

Hehehe. I have to actually try Spycraft sometime. Nothing like a maneuver called "That's Impossible!" complete with exclamation mark.

Yes, but because their employer cleverly requires that they use their RSA card (the one that generates a new random code every 60 seconds) to log into the network that they can reach only after the guard looks at their ID card and the biometric lock decides they are the person the card was issued to, it's pretty unimportant what their personal password preferences are.

Passwords suck as a security measure, no matter how complex. If you are depending on passwords to keep your secrets "your secrets" you are going to have a bad day coming.

I've read the Matrix rules for SR2, SR3 & SR4 several times and none of them make complete sense to me. I know my own SR game would benefit greatly from a more cinematic/streamlined hacking system.

That SpyCraft derivative seems a lot more simple and intuitive. If anyone is willing to write it up, then I'm more than willing to playtest it.

Looking over the Spycraft hacking rules, I think it's almost possible to strait up rip it right out. The section contains no rules as to how Lead is gained or loss or what the checks are (those are spycraft system specify) so something would need to be adapted, but yeah. Basically its all right there and ready.

You basically have a list of strategies (types of hack) that have an associated skill, program, or other requirements, a modifier, and a few possible advantages for winning the roll.

For example:

Tactic:
“Shall We Play A Game?”

Skill:
Tactics (Wis)

Requirements:
Computer Power Rating 3+,
Probe software

Modifier:
–4

Advantage:
Pause, Probe

Pause means that as you keep taking actions against the target, no progress (Lead) is gained or lost.
Probe forces the loser to make a Computers check. Success means nothing, With failure, the winner may immediately execute 1 core command (eg, if the Hacker succeeds a probe, the SysAdmin rolls Computers, if they fail the Hacker gets off a system action).
Core Commands are things like editing files, downloading data, stopping programs, authorizing/banning users, upload programs....

There's also a table on how long each hack action takes, the bigger the Lead the system has over the hacker, the longer it takes to perform a hack action:



Might need a little work to make it shadowrun, but it's basically already there.

I'd like to see hacking stratified into two types. Bear with me, here, I'm being general.

The first kind is network hacking. Essentially what hackers do in the game now. It's the "upper-level" attack that lets you build backdoors, hijack existing accounts, or make entirely new ones for yourself. Also lets you futz with the entire concept of the node.. for security nodes, you could deactivate or manipulate almost anything connected. What makes it different then current Shadowrun is the scale; network hacking should be abstracted into general rolls, and placed against a time scale. It should also require dedicated equipment, as previously mentioned. No more hacking the Pentagon with a cell phone. You need a dedicated suite of computers. This also makes the hacker responsible for hiding his physical location through proxies - more potential for out-of-run hacker gameplay.

The second kind of hacking is gizmo hacking, which includes everything mentioned in the hacker-as-spy idea. This is on-site, and only requires a 'link. It also frees up hacker actions for other things. For example, when not directly hacking a device, the hacker could use AR more actively; perhaps expand the rules for TacNets, for example.

Now, the fun of this system is that it clearly delineates the hacker's job into the buildup / preparation phase, and the tactical phase. Before the run, the hacker can (through his actions) pick a strategy going in, like pushing bad drivers to turrets, and make them a little bit less aware. Alternatively, he could try and forge some emails, and get some security personnel transferred before the run.

This could also be fun. Essentially turn it into a card game. Hacking stops being primarily about rolls and more about strategy. There would need to be a lot, though - maybe thirty or forty.

I don't think you need 30 or 40 different tactics, all you need are the basic 12 or so that grant you some kind of advantage. The goal is to use those advantages to get what you need, which isn't necessarily the same thing from hack to hack.

To return to the Quantum Communication item for a moment, more recent results cast the perfection in doubt.
It turns out that due to a number of factors, folks were able to demonstrate undetctable tapping of a Quantum link.
Sorry, there is no free lunch,
Joel

Oh, do link that.