Dumpshock Forums > Information Gathering For Non-Deckers

Full Version: Information Gathering For Non-Deckers

Dumpshock Forums > Discussion > Shadowrun

Drraagh

Sep 10 2010, 01:39 AM

This is the text of one of my GM articles I've written up elsewhere that someone asked me to post. I'm thinking of putting them all on a site for everyone to read. And these are my own opinions, may be different with the sort of theme you play in., but the idea is to get people thinking. I have about forty or so articles written up, since I just write when I get inspired. Also, all the stuff I write about is SR3, but shouldn't be hard to adapt to SR4, as it is more based on theory than actual system rules.
----------------------
And now, the article:
----------------------
We all know deckers can get us a ton of info from hacking sites or even from doing basic information searches, but how many of us have looked into other ways to get information? Why would we need to do that? Well, not all information we need is on the trix, we don't have access to a decker to do the work for us, we don't have the time (or money) to get someone else involved... There are a number of reasons on why Shadowrunners should understand the basics of information gathering.

Matrix gives us a lot of examples of how to find information, including a whole section on the rules for /any player/ to do a search for it online. Sure, it is easier for a decker because they're have faster computers and have apps that give them bonii and the like, but anyone can use those rules. SOTA: 2064 also has a good section on the Spygame, part of the section is on intelligence gathering, including things like Deep Cover agents and spy satellites. As well, there are references in that book as well as Sprawl Survival Guide's police and court sections about magic being used to gather info, so I'll just touch on them lightly.

However, a single person with little to no gear can get a lot of information, and at the end of the day, information is key to runners, and they make good runs on their own or a way to build into a larger run. So, what I am going to show here are a bunch of examples that people may not think about. There are groups out there called Tiger Teams, http://en.wikipedia.org/wiki/Tiger_team, whose job it is to test an organization's ability to protect its assets by attempting to circumvent, defeat, or otherwise thwart that organization's internal and external security. In the computer security field, you'll also hear this referred to as pen testing, or penetration testing. All of them are going to be followed by video examples, to give you some ideas of their usefulness. THey had two episodes of an actual Tiger Team in action, http://video.google.com/videoplay?docid=-4...00972832974202# and http://video.google.com/videoplay?docid=5642547759793319840#, which should give people some ideas of what runners could do.

The primary way to get information is just asking for it. It may seem strange that way, but if you actually have a justifiable reason for the information, people are quite willing to give it to you. There are people working for corporations who are trained to be helpful, receptionists for example are more than happy to tell you when their boss will be available for meetings, if you make it seem like you have a reason to know that. You can also use the reverse of that and find out when they're not available, thus knowing when the boss is not on site and thus not able to be contacted. A few examples of how asking for it can work for criminals, check out http://www.youtube.com/watch?v=7vIOWIt4j2M which is a video from the social engineering panel at 'Last HOPE', which is pretty much a convention of 'hackers'.

Now, how do you get the information to make it seem like you know what you're doing? Well, one of the easiest ways is looking at what information people give out freely. One way to start is what people throw out. Dumpster diving is not for the faint of stomach, but you can find a lot of things. There /are/ printers in SR, so people do print things out. They also write them down. And if they don't, this stuff gets put on OMC chips and those chips can get thrown out, as do computers themselves. Great way to get info there. Look at http://www.securitydreamer.com/2009/02/sco...ter-diving.html for some information about what you're able to find currently in garbage. Also, maybe you want to get into the building, well, check out an old computer game from the 1990's called Bureau 13, one way you can sneak into the corporate building is to go to the garbage bin next to the building, grab a box, and pretend to be delivering something to the building.

I will go back to a few other ways to gather info on people, but I wanted to continue with the train of 'You're in the building, now what?' Well, there are many things you can do inside a building, http://www.sans.org/reading_room/whitepape...pionage-201_512 is a great writeup on some examples of what you can do inside a building in modern days, which can easily be extrapolated to SR. Some of the tools they use here are already duplicated in SR. Also, since you're in the building, don't forget about targets of opprotunity, like shoulder surfing a password or finding an unlocked terminal, check out http://www.youtube.com/watch?v=5ZfwBAQb_lA for some more examples of the sort of information we don't really pay much attention to. Also, once you're inside a building, a lot of the security measures are there to keep the people there safe and protect their property than to challenge people, because once you make it inside it is believed you belong there, so security measures like http://www.youtube.com/watch?v=u0-GEBS5wl8 aren't usually common except for really secure areas.

What are some other ways to get people's information? Well, what do people use today? They put information up on the internet, as mentioned http://www.weregeek.com/2010/05/17/ and http://www.youtube.com/watch?v=dlxf3b9dGzg, people putting up their images, their names, pet names, friends, school information, birthdays, things like that. If you remember, Paris Hilton's phone was hacked by a teenager who went to the site to login and using publicly available information (What is your favorite pet's name?), they were able to get into the account and get all this information about her and other people's numbers that she had. Not to mention what you can do if you actually get a hold of a device like a phone or computer, since people have information stored there rather than remember it. You could get into their email account and similar with it.

With the push of cameraphones over the last few years, some people are getting seriously limited on the phones they can take with them to work. Why? Well, if you work in a really secure area, you can't have a cameraphone because you could be gathering photos of information that should not leave the building. That's not really social engineering, but what else can cameras do that people don't think about? Cameras allow you to take pictures of uniforms, of badges, of license plates and car paint jobs, of all the little things that you can use to make something look like something its not. If you work in a place where you need a badge, you'll see how hard it can be to walk around without one. Maybe its your keycard, maybe its just your ID, but what happens if you don't have one? http://www.youtube.com/watch?v=zQ58vb6RMKw is a sample of what can come out of a printer with today's technology. Just imagine in SR's time. You tailgate behind someone who's already opened the door, quickly sliding your card through. If it doesn't work, or you get caught, you could always talk to the security guard, saying you're here on behalf of Mr. Big and they can call him to find out. Oh, what's that, Mr. Big is out this week? You already knew that because you did some legwork and found that out and now are using that information to your benefit.

http://tvtropes.org/pmwiki/pmwiki.php/Main/SocialEngineering has some good social engineering tricks, with both real life examples and media examples, a lot of which are covered here already, but you'll be able to see links to other media that you can use them in. Also, for those of you who haven't seen it, http://www.youtube.com/watch?v=5CWrzVJYLWw is a link to No Tech Hacking done at another Hacker Convention, Defcon, a presentation that first shows you how to interpret information that is in the public eye (What does a Hacker See?), and then ways to use no technology or 'basic technology', which means no computers, to get into a building and/or get information from it.

There is one other technique that I think most characters may want at least some basic understanding in. Maybe not as much as a decker might, but some skill in this could save your character's life or at least grant you some security. And that is phreaking. To quote Wikipedia, which is the first reference I know most people use, "Phreaking is a slang term coined to describe the activity of a subculture of people who study, experiment with, or explore telecommunication systems; such as equipment and systems connected to public telephone networks." Why do I say runners would want to know something about this, and how could this be useful to non-deckers? Well, a history lesson first; Captain Crunch, a well-known figure in the phreaking circle, found that the whistles given out in boxes of the cereal he took the name from, produced a tone that allowed him to interface with the phone system and manipulate it for free calls and similar things. Great ability of course, but what most would be of interest to a non-decker, phreaking allows you to do things like make sure your line is not being tapped or make untracable and/or unbilled calls.

Now, I've talked to another player about this sort of thing before, and their comment was that social engineering would be a dead art in Shadowrun. What with the matrix, where you can immediately confirm if who you're talking to is who you're talking to, then the paperless office, and also the whole thing of biometric security and magicial aura readings. Yes, all of those can make the job harder, but they don't make it impossible.

With the Matrix, they can look up information, and possibly even try to reach the person they think they're talking to, or the person you say you work for. But if you've done your homework, you're already long gone by the time they actually get a hold of that person. The boss is out for a week on a corporate retreat? Ok, time to call in and pretend to be his assistant, and needing to get his password so that he can get the key project done that needs to be out to market immediately. If the person doesn't want to give the password, maybe he can explain to the boss why the project wasn't done and the company lost all that money. Fear is a great motivator, as is helping people. There's a book by Kevin Mitnick entitled 'Art of Deception' that shows some of these tricks I've mentioned and more. I can name a number of other books that are useful, but that one shows the con, shows how it was done, and shows how to protect against it, to help corps prevent money loss.

Paperless office I've mostly covered to some degree, even if you assume they don't print anything. But biometrics and magical stuff, really great security measures, if they work the way they were supposed to. I'll skip the decking possiblities here, because this is about how to do it without decking and thus more a focus on the people, but what good are locks when the employees let you in? Pretend to be a representative from another company that this one works with/for and you're here to see the work that's being done. Or maybe, its done the other way around. Get yourself a building, set up a fake business, bring some employees over and then make them want to work with you. Of course, to do that, they need to give you access to their information. These tricks allow you to bypass most of the astral security, since you're not an intruder, you're a corporate representative. The emotions are the big thing, especially when it comes to astral readings since they can get your general emotional state.

I'll cover a couple magical things that could be a problem for social types and how you can get around that.
Analyze Truth, it only clicks on direct lies. Indirect lies and misconceptions are not detected, and it only works on spoken words. So, you need to make sure you use some creative wordplay to get past that one, but just think about the idea of the double entendre as a way to make this work. You're saying what you mean, but is it really what you mean. Have you looked at News Headlines that don't really mean what they sound like: "Obesity Study Seeks Larger Test Group", "Miners Refuse To Work After Death", "Stolen Painting Found By Tree", "Kicking Baby Considered To Be Healthy".
Mind Probe, now this one is a hard spell, unless you're pretty decent at resisting it or have your memories altered beforehand. Though, if you don't give them reason to doubt your story, they likely won't resort this far. Do enough precursor work like calling and finding when the boss is away, scheduling an appointment for the week after he gets back and then show up a week early. You're not lying you have an appointment, you just got the dates wrong. Could they show you around anyway, since you won't be able to come back for another two months?
Compel Truth, it's a violation of your rights in the CAS/UCAS by law enforcement, but doesn't stop other people from using it. You can try and resist, sure, but much like mind probe, if you don't give them a reason to suspect, they probably won't use it. And again, it only works when speaking, so if you hand them a business card saying you work for the CEO and then only speak what you believe to be true. If you're really afraid of this, things like alter memory or personafix chips would be a great way to get around this and mind probe.

There are a few spells you can use as well, though they could cause problems for you if you want to avoid getting caught. Things like Control spells, for example, do leave signatures and also people could resist them. Not to mention that a wise security precaution would be to figure out ways to make them not quite work easily. "Keep the door open for me" implanted via a suggestion spell makes sense, but then there is an alarm that goes off if the door is open for longer than fifteen seconds.

I've mentioned TV shows and movies and reading materials before that are great for the social type characters who want to learn these types of skills and how to use them in the game. I can give you a list, but most of what I'll say will be duplicated in places like http://en.wikipedia.org/wiki/Confidence_tr...ion_and_movies). Youtube has some good videos on social engineering and con artists that would be useful. If you've ever watched Abbot and Costello, there's a bit they do, 'Do you have two tens for a five?', that if you pad it out properly can be a perfect example of fasttalk. It's similar to the 'false change' examples, where you ask someone to give you five ones for a five dollar bill, then before they take the five from you and give you five ones, you give them the five and get them to change the five ones they have and that five you gave them into a ten.

A couple things that didn't quite fit into the same set as the rest of the information gathering tricks but may help.

You can get a lot of personal biometric information from a person without their direct knowledge. Gattaca has a scene in it showing how a corporation can get your DNA fro a handshake, the drug testing sample or even the saliva from your envelope or a drinking glass. But what else can you get from stuff like that? You can get fingerprints and/or palmprints, you can get a fairly decent voice sample from talking to someone, you can get blood if you're really good (poke them by accident with something sharp, just a pinprick, but its still blood). All of that can be used to make a pretty decent duplicate if you need to, with the right skills of course. There's tech to duplicate fingerprints and the like, so those are another way around biometrics.

Sometimes, with the proper information, you don't even need to get on site to do things. There are examples in Kevin Mitnick's book about how you can use the information you have to get people to send you things, or give you access to things you shouldn't have. Sometimes, you'll still have to go get it, but that's the risks. A perfect example of this is in http://video.google.com/videoplay?docid=-802212709674482476# from about 4:45 to 10:12.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.