Help - Search - Members - Calendar
Full Version: SRV
Dumpshock Forums > Discussion > Shadowrun
Pages: 1, 2, 3, 4, 5
kzt
QUOTE (Nath @ Nov 19 2013, 04:39 AM) *
I sometimes wonder if the more realistic approach wouldn't actually be near-complete randomness, except for the most precisely called shots ; something like 2D6+0 for 9mm, 2D6+2 for .228, 2D6+4 for .50 BMG. I mean, even the worst shooter in the world has a chance of hitting right on the femoral by random chance, while even the best sniper can sometimes get not better than a shoulder at long range.

The Army's MILES casualty card approach. Not actually unreasonable. I also think players would hate it it.
Nath
QUOTE (Draco18s @ Nov 20 2013, 05:54 AM) *
I have seen a system that does hit locations well--not in actual usage, but designed to be quick-to-use and accurate--the designer said that one of the most common questions he gets about it is "how the hell do you hit someone's BACK (i.e. the spinal area) when you're attacking from the front with a sword?" The answer is "Real easy: it goes over their shoulder."
That is actually not as crazy and hard as it may sound in a sword+large shield fight, if you engage in close combat to get around the shield (though it clearly not is a beginner's move). But that wouldn't work with a spear. The best chance to hit the spinal area from the back probably rather is to pierce through the chest. Depending on where the blow lands, you may suffer from only a light wound in the abdomen proper, and devastating damages to the spinal cord.
Stahlseele
If you want to play something with hitlocations, then you obviously don't want to play shadowrun.
if you implement hitlocations into shadowrun, the next thing you need to do is change everything else.
first you need to change the complete armor system to account for hit locations.
after that you need to change all weapons and attacks to account for both armor changes and hit locations.
after that you need to change all attributes to account for hit locations, because, of course, if you have hit locations, then each limb and other body part has to get it's own set of stats to account for it being hit.
after that you need to change all skills to account for changes to attributes because they are used with attributes which you had to change in the last step and to account for the changes in weapons and attacks.
thorya
I tend to agree that hit locations add too much complexity for the return in realism (and I tend towards simulationist), but the one time I've played a game that implemented hit locations well it was a third party add-on to a d20 system. It used a deck of cards with hit locations and effects on them. You made your attack and drew a card, so very little additional mechanics to memorize or extra rolling. It had the bonus of just letting you keep the card on your sheet to remember the effect of the hit location. There were no separate hit points to keep track of or redesign of the other mechanics. Really one day the GM just showed up with the deck and said "I want to try this." and we put it into play after about a minute or two of discussion.

Something like that might work for SR, if you want hit locations. Each card would have a hit location, additional damage (or decrease in damage if you hit something non-vital like a hand), and penalties, if any. You could go with cyber armor only applies if you get hit in a location it applies to, or just put armor penetration on the card as well. Maybe you eliminate the called shot bonus to damage and instead on a called shot you get to draw extra cards and pick on. On a burst maybe you draw two cards (or three or four) and apply all the effects.

I tried finding the deck, but a quick google search didn't turn it up.
Stahlseele
i see several points wrong with that already.


a system has to be designed around hit locations from the start.
if you tack it on afterwards, it simply won't work.
thorya
QUOTE (Stahlseele @ Nov 20 2013, 10:39 AM) *
i see several points wrong with that already.


a system has to be designed around hit locations from the start.
if you tack it on afterwards, it simply won't work.


And yet I've played a game that did not have hit locations from the start and it ran fine with them added on, like I just said. Granted, it was D&D not SR, but personal experience tells me that your broad generalization is not true.
Surukai
Hit locations tend to wreck havoc with armor. If the attacker has any choice in where to attack you massively devalue armor and pigeon hole people to wrap them up like Michelin dolls in armor.

And if hit locations have own hp pools you end up with a disaster where you are better off getting shot in the chest than anywhere else.

GURPS has that flaw. I am so sick and tired of people constantly chopping the FEET of enemies because they "autocripple" after taking 30% damage compared to the CHANCE of getting a crippling hit when doing 200% of the target's hp when aiming for the chest. That is complete Bullshit and make combat a retarded feet-chopping fest to get free unresistable knockdowns and slap autocrippling effects on your target ignoring most of the system.

Add to that that it is very difficult to get decent armor on feet and hands, so not only need to do 1/6th as much damage to get a guaranteed knockdown/complete IWIN condition... no.. just no. Shadowrun would not benefit.

Much better keep it that hit location can be described by GM after damage is rolled. A good hit (many net hits) and OR very few hits on soak = You hit a weak spot that the armor didn't really cover and you ended up with P damage and lots of boxes. Few net hits (so damage becomes stun) means it hit dead on the target's armor.

The lucky shot from an unskilled shooter (a "noob" firing .22LR) hit the HEAD when the target glitch/fails damage resist roll completely and that is why the target got so wounded even though he statistically doesn't.

It might be 1 in 1000 to roll 0 hits on 17 soak dice (12 armor + 5 body)... but with a few soaks per game session per character and playing for months means that it is likely to happen every now and then in most gaming groups. In fact it is 0.96% chance (risk) to roll less than 2 hits on 17 dice. One in a hundred shots will only soak 1 damage or less and there you have your lucky hits that hit your head and whatnot.


Few hits on large dice pools is far far far far more common than the "you always roll pool/3 hits" crowd seem to think.

Draco18s
QUOTE (Nath @ Nov 20 2013, 08:09 AM) *
That is actually not as crazy and hard as it may sound in a sword+large shield fight, if you engage in close combat to get around the shield (though it clearly not is a beginner's move). But that wouldn't work with a spear. The best chance to hit the spinal area from the back probably rather is to pierce through the chest. Depending on where the blow lands, you may suffer from only a light wound in the abdomen proper, and devastating damages to the spinal cord.


The system was built primarily sword-and-board as I understand it. He would demonstrate the possibility of getting a cutting blow on someone's back by jumping at them and slapping them over the shoulder (gently). "Add three feet of steel, and it's actually quite easy to do."

I would have loved to get a chance to actually play the fellow's system, but we were both manning our tables at a small con (and I was only filling in for a partner, who had gone off to get dinner).
Epicedion
QUOTE (Stahlseele @ Nov 20 2013, 08:58 AM) *
If you want to play something with hitlocations, then you obviously don't want to play shadowrun.


Nah.

QUOTE
if you implement hitlocations into shadowrun, the next thing you need to do is change everything else.


Not really.

QUOTE
first you need to change the complete armor system to account for hit locations.


Not exactly. You need to add detail, but not completely change everything.

QUOTE
after that you need to change all weapons and attacks to account for both armor changes and hit locations.


Not at all.

QUOTE
after that you need to change all attributes to account for hit locations, because, of course, if you have hit locations, then each limb and other body part has to get it's own set of stats to account for it being hit.


Definitely not.

QUOTE
after that you need to change all skills to account for changes to attributes because they are used with attributes which you had to change in the last step and to account for the changes in weapons and attacks.


Really not.
Glyph
I am cautious about anything that would add to the rules bloat of Shadowrun, which is already complex with an abstract damage system. I guess a lot of it also depends on whether or not you prefer cinematic play or not.

Hacking is one area that is far too complex. Cyberdecks should have a few simple stats (or even a single rating), with programs assumed (rather than this utility to do this, that utility to do something else, etc.). If you want to have Tron-style hacking, cybercombat should be done simply, and use similar mechanics to meat world combat. If you want to affect devices or get some kind of security access, whether in a Tron-style virtual world or not, it should be about the same level of complexity, and clarity, as bypassing a MagLock. There should not be any matrix-connected cyberware - hacking should be against communication networks, which should be played up a lot. Teams should be using tactical comms to get bonuses, indirect fire, and instant communications, and drones and security systems should be run remotely fairly often, to take advantage of having someone actively directing them as opposed to leaving them to function within the more narrow parameters of their programming.
Koekepan
QUOTE (Glyph @ Nov 21 2013, 07:09 AM) *
I am cautious about anything that would add to the rules bloat of Shadowrun, which is already complex with an abstract damage system. I guess a lot of it also depends on whether or not you prefer cinematic play or not.

Hacking is one area that is far too complex. Cyberdecks should have a few simple stats (or even a single rating), with programs assumed (rather than this utility to do this, that utility to do something else, etc.). If you want to have Tron-style hacking, cybercombat should be done simply, and use similar mechanics to meat world combat. If you want to affect devices or get some kind of security access, whether in a Tron-style virtual world or not, it should be about the same level of complexity, and clarity, as bypassing a MagLock. There should not be any matrix-connected cyberware - hacking should be against communication networks, which should be played up a lot. Teams should be using tactical comms to get bonuses, indirect fire, and instant communications, and drones and security systems should be run remotely fairly often, to take advantage of having someone actively directing them as opposed to leaving them to function within the more narrow parameters of their programming.


Yes. In fact, it should be possible to maintain verisimilitude while grossly simplifying the hacking/decking system. I am in full agreement.
Koekepan
On further thought, besides a complex back end system (notionally simplified by access to gibsonian cyberspace) what really makes information security is complex results of the combination of simple parts on the one hand, and the devilishly uncompromising nature of information theory on the other. Perhaps a similar sort of complex result from simple rules is what we should look for - emergent effects being displayed.
Glyph
... so would you introduce real world hacking into shadowrun?
Koekepan
QUOTE (Glyph @ Nov 22 2013, 07:22 AM) *
... so would you introduce real world hacking into shadowrun?


No. It's actually amazingly boring.

But I would look at things with similar attributes which can be more entertainingly presented within the game's basic concepts.
Irion
Hit locations are quite easy if you just differantiate between the armor-raitings and there are only effects for major hits.

So only if you take more than body/2 damage the point you get specific mali depending on the part of the body you were hit.
For example: Arm
-2 Agility, -2 strength if using this arm.

You can also introduce several levels, so if you get hit twice for more than body damage or once for more than body damage you get
-4 to agility,-4 strength if using this arm.

And if you get hit three times for more than body/2 damage or one time for body*1.5 damge you can't use the limb anymore.
So if this would be your head, you are knocked out.
Healing those severe injuries would be harder than to just heal "scratches".

You can use the same system also without locating the hit and use general mali.
Draco18s
QUOTE (Glyph @ Nov 22 2013, 12:22 AM) *
... so would you introduce real world hacking into shadowrun?


Don't forget remotely accessing CCTV.
(At least Torchwood had an excuse for how they could do that: alien tech)
Koekepan
Edit: just realising how long this post is, I'm breaking it up into spoiler blocks and summaries.

So let's start thinking about decking.

Some considerations for real information security.
[ Spoiler ]


Shadowrun's canon does an utterly miserable job of presenting any of the above. (I've posted on this before, but can't be bothered looking up the link.)

Explanation of why shadowrun decking is an abject failure as far as verisimilitude is concerned.
[ Spoiler ]


OK, got those facts clear? If you can reach it, you can crack it open like a coconut with a machete, and without much more effort read everything in it like drinking the coconut milk. Easy or convenient? Not always - there are countermeasures - but given that the countermeasures largely mean (to anyone without hot sim) trying again in a while, this means that any organised crime syndicate can throw people at the problem of cracking any system until someone grabs the brass ring.

So what does this imply for human conduct?

Explanation of why the game world consequences are way off base.
[ Spoiler ]


In the real world, what is the situation?

A dose of reality again.
[ Spoiler ]


All right, so the question then becomes: how do deckers become useful if nobody puts anything important online, and everything is actually cross-checked, or encryption technology isn't turned into a forgotten black art (and yes, there are trapdoor functions which apply to quantum computers as well)?

Some ideas.
[ Spoiler ]

So what would I consider a plausible start to this?

Game ideas for verisimilitude.
[ Spoiler ]


Ultimately, the decker can and should do a lot, including being the team's security consultant and communications coordinator. It just should be on a more sensible basis.

Game mechanic wise, cards may be a great way of representing entries to systems, known cracks, passwords and so on, but that's a different concern.
Glyph
I think hackers should write their own code/programs more (which would also separate the real hackers from the script kiddies, a recurring complaint from some players). Unfortunately, the rules as written make it too much of a time sink (part of the problem is that hackers need a kajillion different utilities). I think the rules need to reflect that hackers should be tweaking utilities and programs snagged from the hacker community, rather than coding everything from scratch.

Although I am ambivalent about the return of cyberdecks, that is something that would make hackable security less unbelievable. Make hacker feats against things such as encryption the province of expensive, cutting edge hardware. And maybe using it creates a "footprint", or shows up eventually as a glitch in the larger databases, is otherwise trackable - you need a reason for hackers to focus on hard targets, rather than just going around snagging the banking and personal information of random people for a living.

I think a lot of this is the misguided notion of fighting "power creep", while forgetting that shadowrunners are supposed to be elite criminals who can do things that Joe Average can't. Making shadowrunners less powerful makes them less plausible if they are supposed to be true industrial spies, saboteurs, and freelance expediters. Shadowrunners should make enough money that stealing cars or hacking someone's checking account should be considered not worth the complications.
Koekepan
QUOTE (Glyph @ Nov 26 2013, 01:12 AM) *
I think hackers should write their own code/programs more (which would also separate the real hackers from the script kiddies, a recurring complaint from some players). Unfortunately, the rules as written make it too much of a time sink (part of the problem is that hackers need a kajillion different utilities). I think the rules need to reflect that hackers should be tweaking utilities and programs snagged from the hacker community, rather than coding everything from scratch.


I agree, I think that this is a healthy reflection of what they do and gives a reason for why they're sitting around rather than pumping up in the gym.

QUOTE (Glyph @ Nov 26 2013, 01:12 AM) *
Although I am ambivalent about the return of cyberdecks, that is something that would make hackable security less unbelievable. Make hacker feats against things such as encryption the province of expensive, cutting edge hardware. And maybe using it creates a "footprint", or shows up eventually as a glitch in the larger databases, is otherwise trackable - you need a reason for hackers to focus on hard targets, rather than just going around snagging the banking and personal information of random people for a living.


I'm all there for the expensive, cutting edge hardware. I'm also all there for activities showing up eventually - this is what auditing systems are for. Anomalies get detected, and root cause analyses happen. Otherwise everything on a computer pretty much turns into a fond hope that it's working correctly, which is no foundation for a successful Stuffer Shack, let alone a megacorp.

The real perpetrators behind heavy hacking of commlinks of random people would be someone like a Vory boss:

"Grigori. We have your family. Every hundred thousand nuyen you extract from hacking, they live another week. Get them to live for a year, we set you all free."

Grigori would hack every poorly secured commlink between Swindon and Singapore, and do as many of them as quickly as possible as he could - wirelessly, because this is The Matrix! The Vory boss doesn't even care if by some miraculous mischance someone clobbers Grigori. He also has Vladimir, Evgeny, Dmitri and three dozen others in the same position.

This is why the situation as currently described in canon is untenable - because when you can scale up daylight robbery to a few million per day, you have a business model which any organised criminal would get going in a hot minute. This would actually be more profitable than what they currently do in real life - setting up botnets, phishing and stealing credit card numbers.

QUOTE (Glyph @ Nov 26 2013, 01:12 AM) *
I think a lot of this is the misguided notion of fighting "power creep", while forgetting that shadowrunners are supposed to be elite criminals who can do things that Joe Average can't. Making shadowrunners less powerful makes them less plausible if they are supposed to be true industrial spies, saboteurs, and freelance expediters. Shadowrunners should make enough money that stealing cars or hacking someone's checking account should be considered not worth the complications.


I'm not worried about power creep in this context. Even by the most strict standards, once your team has copied the unique widgets and stolen by pinhole camera observation the passwords required for a quorum based administrative login to a central processing system for Horizon, logged on, diverted a few billion nuyen's worth of transactions and left less trace than a ninja kitten, Joe Average is left so far behind that he'd probably not even believe the story. Dorothy Decker wouldn't bother cracking the security on random commlinks, not because it isn't money, but because if they were that vulnerable people wouldn't keep their paydata there, and because she's working on that Mitsuhama subsidiary for a big payday.
Koekepan
Here is a link from wired.com about some of the problems with bitcoins, which actually reflect a few of my concerns mentioned above. Good read, not too technical.
Koekepan
Let's give SRV processes some thought:

Every computational device has a model, and an update level. Example: Horizon Librarian, updated 2071.11.25.1800, because updating equipment is a pain and someone fell asleep at the switch.

Harry the Happy Hacker has a library of known exploits at his command, including a few for the Librarian, but about half of them are invalidated by that version. Of the ones he has which would work, two will give him an active user login, one will elevate his privileges to administrative on that system, one will lock it up or force a reboot, and one will overburden the electronics, at least damaging it and possibly starting a fire.

What Harry would like to know is whether or not the Librarian is well watched, and he would like to use it as a launchpad for further network intrusions. He grabs an active user login (a quiet exploit, though not entirely undetectable), quickly escalates privilege, puts in a backdoor, then waits to see if anything happens. Ostensibly nothing does.

What Harry doesn't know is that the administrators did notice the anomalous inbound connection, and are monitoring the system for changes rather than just shutting it all down. Turns out, they have their own library of exploits, which they fully intend to bring down on Harry's deck, but they want Harry to get overconfident first.

Harry starts to investigate the network around the Librarian, and quickly locates a Renraku Observer, updated 2068.05.13, controlling their security cameras. He launches an exploit on it from the Librarian, subverts it, and establishes a backdoor with a callback, then disconnects just as his deck chirps an anomaly warning. Harry can use the Observer to get back in, but first he should probably check his record of how his deck was (obviously) attacked, because he's not quite as safe as he thought he was.

A week of securing his deck later, Harry gets back into the Observer, and does a bit of snooping. He ignores the Librarian (which has since been updated anyway) but finds out that the target's standard equipment is the Horizon Scribe. Harry doesn't have any current exploits for it, but that doesn't mean he can't write one. He goes out to his favourite electronics supplier, obtains a Horizon Scribe, and starts abusing it. Two weeks later, he has a viable, zero-day exploit on the Scribe, which he can use to gain access to any desktop in their network, should he need to.

In the mean time, while Harry has been living on caffeine, sugar and profanity, Brenda the Black Magician has been working on a spell design intended to unweave chain-link fence and weave it back up so as to afford Mike the Merc and Igor the Infiltrator easier and more flexible access to the grounds. She does the design, and then alchemically generates two stored copies of the spell. Sure, she could cast it on the fly then, if she memorised it or cast it painstakingly from a formula, but it's just better and easier to have the prepared nuggets ready to deploy when the moment comes.

Mike has been walking the mean streets, bribing disgruntled employees with affordable beer, listening to sob stories and piecing together the human side of the story. Igor has been reading public records, and pretending to be a surveyor, doing his best to get the physical layout as clear as he can.

On the date in question, Harry coordinates remotely with Brenda, who's also doing the driving, Mike and Igor. Brenda opens the fence, and Harry logs in and quickly uses the Renraku Observer like a pity date, using a couple of dozen Horizon Scribes to filter and alter the feed while Mike and Igor slip inside to do the dirty work. The corp admins try their hacking back, only to discover that it doesn't appear to be working - and by the time they figure out that the camera feeds are useless and Harry's out of their reach, it's too late.

If everything goes well, Brenda opens the fence for Mike and Igor five minutes later, they all drive off, while Harry tidies up the logs and they get ready for reporting back to Johnson.

This probably makes prep and legwork a very large part of Shadowrun, but for everyone except those currently checking the mirrors in the bars to see how pink their mohawks are, that's probably OK. There is thought and valuable effort to be put in on all sides, formula articulation by the mage, analysis and planning by the hacker, and everyone can deal with human interaction and specialty knowledge. This gives a pretty usable level of abstraction to the hacking, while actually making it more interesting in my view than just another combat to adjudicate while everyone else works on their rules for dice jenga.
Koekepan
So, yeah, I haven't forgotten about all this. I'm just writing huge amounts of material.

Since Dumpshock's been quiet, I thought I'd just produce some of what I've written to draw fire ... or comments, at least.

The topic at hand is corporate opposition, what it's like and what to expect. It's mostly for the GM, but players would find it useful.

-------------------

How do corporations react to runs?

In theory, the perfect run leaves the corps completely ignorant, but the reality is that they react to, and plan for, the ever-present risk of being a target.

Small companies don't have substantial resources, and tend to contract with the local authorities such as Lone Star for some kind of elevated security. Even fairly large regional enterprises are more likely to contract out. Only really large companies are likely to have a dedicated security department, and this extends to magical security in most cases.

Really large companies, especially the ones with extraterritoriality, are more likely to shell out for a dedicated security team. The bigger the company, the better the training and equipment and supplementation with facilities such as magic is likely to be.

A special case of security arrangements is where a business is a subsidiary of, or otherwise linked to a larger corporation. Then they are likely to have access (at favourable subcontracting rates) to the parent corporation's security facilities and expertise.

The same is broadly true of security deckers and riggers, up to a point. Because they have more access to deeply compromising, or at least valuable information, smaller companies are likely to hire them internally.

Certain kinds of low cost, highly effective measures are nearly universal. High strength construction, often high walls, security doors and checkpoints, cameras, access readers and so on are cheap and easy to put in place. These also dovetail with things such as sprinklers, smoke detection systems, fire alarms and the usual sort of physical security systems one expects to see.

There are various strategies in play here, some of which are more effective against amateurs than against shadowrunners:

o Direction. Security architecture is intended to drive people in manageable ways. When the fire alarm goes off, the signs flash and tell people how to best leave the building. Similarly, the walls and razor wire and barking dogs suggest to people that it's just easier and less risky to go through the security checkpoint. The security guard there doesn't have to lift a finger to make people come to him. They just naturally do. If enemies such as runners do penetrate, the architecture should suggest how they leave as well, leading them into the waiting arms of overwhelming power.
o Deterrence. Big walls, razorwire, visible checkpoints and scary security dogs deter most gangers, casual vandals and drunks. This principle does stretch beyond intimidation as well. If a place just looks uninteresting, people are less likely to bother with it. Another facet of deterrence is making it clear that one is under surveillance. Cameras (real or fake) can be quite obvious, perhaps every fifty feet on top of a fifteen foot wall. Large, open, sweeping lawns also make people less inclined to try to cross them if they are up to no good.
o Detection. So Drunk Dave decides to climb the fence and play with the security dogs. The surveillance will collect his data. It might archive it, or send it off for analysis and correlation with other trespassing reports, or notify security and Lone Star, or try to identify him by public records - or all of the above. Either way, they know more.
o Disable. This one is often more subtle than it seems. It doesn't mean crippling every customer or vendor who shows up, but it might mean offering people approaching the building a poor view of what's going on. Maybe the shrubbery screens people from outside. Maybe the pretty lights tend to blind surveillance. This can also extend to vehicles, with bollards or other vehicle management tools to prevent people from driving a van in through the front entrance. The whole system is designed to put the security team at an advantage, and enemies at a disadvantage.
o Depth. Bad security is like an egg - a crunchy perimeter and a nutritious centre. Good security provides defence in depth. The runners should always be challenged, confounded, confronted and confused.
o Delay. Everything goes better for the corporation when shadowrunners have to slow down. Time delay safes? Great. Slow opening doors? Great. Locked doors they have to navigate? Excellent. Strategically placed structural bars that make trolls have to constantly bend down? Installed everywhere. Complex internal corridor structure? Of course.


Direction, deterrence, detection and disabling apply to every visitor, regardless of how benign. Visitors are directed to the front office, deterred from trying to climb in through a window or enter through a side door, under surveillance like everybody else and afforded a controlled view of what is going on. Depth is rarely relevant to casual visitors, unless they are there for some kind of inspection, or are maintenance staff who have to pass through multiple layers or zones to reach their targets. Delays only apply to a very limited set of people, because well-behaved people should not be significantly inconvenienced by them.

In a pitched battle, corporations tend to win. When more corpsec personnel constantly arrive with bigger and bigger guns, no team of runners can expect to survive. When runners slip in and out, the best the corpsec team can hope to do is identify them after the fact and exact bloody vengeance. For this reason, the first duty of corpsec when dealing with an incursion is not to confront runners. It's to slow them down. Stay out of their way, and lock doors. Raise barriers. Shut down elevators. Keep the runners in the dark as long as possible, and yell for help. The more surveillance is gathered on them during this process, the better, because even if the runners make it out, surveillance means that the bloodhounds of the corp have more evidence to work on.

The business of the corp is not to fight runners. The business of the corp is to make money. Fighting runners is destructive, disruptive, and generally counterproductive. Letting runners think that they escaped and walk into the waiting arms of a corpsec response is vastly preferable in most cases to a pitched battle. Smart corpsec teams establish a perimeter on the quiet while the runners wander around doing their run.

The same principles apply to electronic security.

o Direction. Look at the shiny front end, come in through an authorised login, everything's easier if you just let us know who you are.
o Deterrence. A tactfully stated hack-back warning or security award can suggest that fiddling along the fringes of the system bears more risk than likely reward.
o Detection. Log everything. Record your logs in multiple, redundant ways. Save your logs offline so that even the total destruction of the system does not prevent forensics.
o Disable. Hide access opportunities. Hide identifying information. Use private networks, air gaps and quorum login systems.
o Depth. Don't rely on a single firewall to protect you. Design every system to operate as securely as possible under the assumption that every other system has been subverted.
o Delay. Don't respond to ten thousand login attempts as fast as possible - add a little delay to confound an attacker. If an alarm has gone up, reduce network rates or require reauthentication.

In reality, these rules are not unique to corporations. Runners can make frequent use of them, depending on their activities. Wise runners on a bodyguarding job should at least consider these ideas. Runners who are trying to avoid a confrontation can also make good use of them, and of course understanding the mindset of the opposition is always beneficial.

If every target always adopted all these ideals, the world would look very different. The reality is that they do not.

There's always someone who thinks that the budget is wrong, or that walls suggest the wrong idea, or that razorwire communicates paranoia and weakness, or something like that. Corporate planners don't like complex, maze-like layouts because they inhibit corporate efficiency. Cameras cost money - but the data storage to contain all their footage and analysis costs a hell of a lot more money. If you have a good perimeter, doesn't it make sense to save money on internal security? And so on. There's always an excuse, always a budget crunch, always a reason to hire fewer guards. The real question is who has the upper hand in planning - the security department, or marketing? Infosec, or accounting? It's a cinch that an Ares security compound is slightly harder to run against than a solid block of granite, but that Yamaguchi Lace and Lingerie will be much more inclined to ignore security precepts and collect insurance money after the fact.

Bearing this in mind, there are colour codes to describe physical security levels on sites.

-------------------

Here follows a few lines on physical security classifications.

-------------------

o Infrared sites have minimal security. A public parking lot is typical. There may be a camera, but there's a good chance it's a fake. There are no gates, and the facilities are open to all comers. Direction and Deterrence apply, and maybe Detection but even then only to minimal effect.
o Red sites have limited security. A dive bar is fairly typical of this level. It's open to pretty much all comers, and while it's easier to go past the troll at the door and not make trouble, there are no serious efforts at Depth, Delay or Disabling entrants.
o Orange sites are like Red sites, but there may be more aggressive Direction and Deterrence. A small corporate branch office is generally on this level. There's a door. You're expected to use it. Please sign the guest register. There are cameras watching a few key points, but probably nobody is watching them at any given time. Still, if anyone thinks to save the contents sometime in the next week and watch them, they can do so. Otherwise it probably gets deleted.
o Yellow sites are like Orange sites, but the perimeter is well monitored. Direction is in full effect, and Deterrence can easily reach the point of being potentially harmful, such as a wall topped with spikes that are not purely ornamental. There are cameras, probably with thermographic capabilities. There's someone whose job involves monitoring those cameras, and the footage is stored, probably for an extended period. At the door, ID is checked and visitor badges are provided, and there is definite asymmetry to the positioning - the front desk security are probably behind some kind of defences, and while security staff might not be significantly armed they certainly have panic buttons.
o Green sites are like Yellow sites, but internal Detection is stronger. There may or may not be a security rigger managing the building, but there definitely are location monitors, integrated wireless activity tracking systems to correlate the movements of electronics with those of people, internal as well as perimeter cameras, door activity monitors, and of course internal security checks on various locations. Depth is improving significantly here. This is what one might expect in a medium sized corporation's main office. Their key strategy is not to win in a battle with runners at this point, but to be able to provide, as nearly as possible, detailed information to law enforcement or similar professionals. Drunks and vandals will definitely find themselves dogpiled by security goons with stun batons, but nobody will stop the twitchy street samurai with a katana and a manic grin.
o Blue sites are like Green sites, but at this level the security team is prepared for some level of active resistance. They are armed. They might be subcontracted from Lone Star, Knight Errant, other vendors or they might be directly hired. It doesn't matter too much. They probably have minor body armour and service pistols, they probably have at least minor cyberware or bioware, and they definitely have good communications. There's definitely at least one security rigger monitoring site security through a host of detection devices, and if the site is large enough there are probably multiple security riggers managing various defined zones.
o Indigo sites are where the kidding around stops. Direction and Deterrence are clear - they might be attractive, or even polite, but it should be as plain as daylight to all comers that even if you scale the wall, pass over or through the razorwire, avoid being spiked and get down on the other side that you will be surrounded by some very mean-looking cyberdogs. Detection is massive, constant and omnipresent. There are mass monitors at key doorways. There are dye sprays at key exits. The revolving doors are triggered by successful authentication, and then rotate precisely once. The guards have armour jackets and sidearms - and at least some of them have carbines. Bollards prevent ground vehicle attacks, and there is a well-defined security breach protocol. Key egress corridors can be filled at a moment's notice with crowd trapping foam or webbing.
o Violet sites are like Indigo sites, but carved up into communicating zones. This is the sort of preparedness generally seen around highly sensitive corporate sites or government installations. Passage from one zone to another means going through a very carefully watched door as well as metahuman guards with serious armament. There are road blocks with defined kill zones, and paranimal security. Dedicated magical security is managed by a magical team, while drone riggers patrol the area. There are contingency plans, frequently drilled, with respect to assault from every conceivable direction including maritime (where applicable), tunnels, aerial or ground. Personnel have security dossiers, and visitors get security dossiers whether they want them or not. There are insurance contingencies explicitly written to cover collateral damage. This means that if the security team shoots someone who belongs there in the process of fighting some sort of incursion, insurance pays out.
o Ultraviolet sites are the nightmare. There is a contingency plan for actually locking down the entire site, and killing anyone who tries to escape. There are inward-facing autoturrets. There are systems that can and will release neurotoxin gases or torch the entire zone. Whatever is being kept here is so important and so secret that it would be better to immolate the whole zone than to let it out. Ever.

-----------------

Thoughts? Comments? Incoming?
Stahlseele
2 years, not bad.
Koekepan
QUOTE (Stahlseele @ Nov 22 2015, 03:15 AM) *
2 years, not bad.


Ouch! you wound me, sir.

I actually have a lot more, I just thought I had to start somewhere.
Stahlseele
no, i meant on the thread necro nyahnyah.gif
as i, myself, do not GM, this does not interest me quite as much as it would were i a GM.
this is, for me, basically only:"let's see what kind of stuff my GMs could stumble upon that i might need to prepare for"
Koekepan
QUOTE (Stahlseele @ Nov 22 2015, 03:20 AM) *
no, i meant on the thread necro nyahnyah.gif
as i, myself, do not GM, this does not interest me quite as much as it would were i a GM.
this is, for me, basically only:"let's see what kind of stuff my GMs could stumble upon that i might need to prepare for"


Isn't that cheating? Poor GMs, always driven to stay one step ahead of their players, always running like rabbits dodging greyhounds ... *sadness*

And if we can have immortal elves, I don't see why we can't have immortal threads.
Stahlseele
Cheating? Well, a bit meta maybe . .
But i know for a fact that they also check in here every time i break something to try and find good ways to reign me back in.
It's part of the fun i think ^^
Koekepan
What I wrote there was fairly generic, and honestly should be familiar in general, if not in detail, to anyone who does security work. It's not really system-dependent.

I have been working on separate questions, such as the dice system. I wanted some of the flexibility of the early systems, without the weird 6/7 statistical quirk, so I've taken a page from HackMaster's book for penetrating rolls.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Dumpshock Forums © 2001-2012