Your argument falls apart with the simple fact that, per the source material, the vast majority of major systems are sculpted by the 2070's. They aren't using the standard UMS iconography anymore, if they ever did. Aztechnology and Renraku particularly haven't since the 2050's. Unless you're running a reality filter, of course, and even then the deck's doing all the work of translating UMS into your personalized metaphor, but that doesn't mean it doesn't pull in the actual icons.

If you're going strictly by RAW, you're right, but if we're looking at a reshaping, or an outright reboot, then KCKitsune's thoughts have some merit.

I'm inclined to say that ASIST has to be an interface, rather than an end-to-end protocol, because that level of network demand must be superfluous to the actual facts communicated.

Hence the reason I said that a commlink will only EVER give you 2d6 initiative. A full on cyberdeck with a hardwire connection will allow you to get to 5d6 if you're rocking the right hardware.




They must publish** that iconography because if they didn't then nobody other than them could use it.

** == or it got stolen... hell that can be the purpose of a Shadowrun... Aztechnology has just updated their Iconography and Ares would really, Really, REALLY like to have a copy for an op they have planned, but don't want to tip their hand just yet... so send in the 'Runners to nab a copy...

I think nonDecker hacking deserves a place in the game, but it deserves to be low key cybercrime type stuff. Messing up a Corporate MatrixSite for Stuffershack or Weapons World. Databombing a ForumSite or FanSite. That's the kind of stuff the script kiddies should be ripping around with. Any low grade mom and pop corp sites or minor brand sites that kind of thing. Possibly hacking some minor exec's commlink or breaking a cheap Wireless security network (temporarily before any Matrix response retaliates). It adds scope to the Matrix but it also means Deckers come into their own through a mixture of Talent and Skill and the Tools provided (to whit a Cyberdeck). Just as EchoMirage was the most effective option than any of the Non-VR programmers could hope to be. Potentially that could even be represented by a shift in relevant skills and where one aids another.

I think that the easier approach may be caps and penalties.

Think about it this way:

New kid on the 'trix, has a few scripts, using a tortoise. Can exploit whatever his scripts can exploit (unpatched, cheapass crap) no faster than the tortoise can run. Capped by tortoise speed, has low skills, and penalty for crappy script kit.

Sharper scripter. Has a fat library of scripts, including investigative ones. Higher skills, knows various strategies. Has a decent commlink, with AR. Capped by commlink speed, but better than a half-wrecked tortoise in a charity office somewhere. Modest skills, but a fat stack of scripts makes work easier.

Security smarts. Has a fat library of scripts, but also can write more scripts to do things like fire off successive waves of attack automatically. Can fire off IC, given access to a computer beefy enough to actually run it, but isn't capable of having much of an icon himself, without a deck. Has a high-end commlink, uses either AR, VR, or cold sim with a neural net. Good skills give a reasonable dice pool, depending on the interface and network path. Still at his best when attacking known quantities, but also has the experience to do solid footwork.

All in. Sure, has the IC to do live attacks (essentially, scripts + live morphing), has a neural implant and hot sim from a hand-modded deck (this illegal drek isn't on the shelves at Stuffer Shack, chummer) so can climb into the Matrix and tangle with the IC directly, when on a direct physical link. If sitting somewhere on a mesa east of CalFree off a satellite? Might as well type, because hot sim buys you no advantages whatsoever.

Observe: this approach allows for the young, the broke and the inexperienced to be productive, while affording them a smooth career path, assuming they survive. It means that a team just starting out doesn't have a Fastjack clone ready to rumble with the big boys, opening all the doors and blinding all the enemies for them, but it also means that the barrens kid with a cheap commlink and an AR glove might one day be the new Fastjack.

I'll let other people figure out how to make decking useful without needing combat hacking. Maybe hacking biomonitors to prevent alarms or convincing the security computer that the guard is still alive and patrolling.



Agreed. Combining strength and body might make them just as good as agility (used for everything) or reaction (initiative, dodge, driving). I'd say charisma is the same. It's good for faces and...one type of mage that could easily be moved to another stat. If all but one character on most teams is using it as a dump stat, combine it with another dump stat (Logic or willpower for mental stats?) to make them at least moderately useful.

I don't have a problem with dump stats existing, especially if they have niche usefulness. I'm OK with there being a differentiation between toughness and strength.

Before any such determination is made, an editorial/design team needs to convene and carefully ask themselves what sort of game/milieu/spirit is intended, and which rules would support such a game. They might go either way on the stats thing, based on that. This alone will not make or break the game.

You could merge Strength and Body, and Charisma and Willpower. You could even recombine Agility and Reaction, and Logic and Intuition, as they were in SR1-3. Leaving you with four attributes, Body, Agility, Willpower, Logic. Which is pretty simple. You could even merge Magic, Resonance, and Edge into a single attribute, called Spirit. Everyone has it, but only the awakened can use it for Magic.

The best thing is that it establishes the right attitude. Every Stat block leads with its BAWLS.

Charisma is only a dump stat if you allow it to be as a GM. One of the things that needs a lot more push in the 'How to GM' sections is that the only reason super-specialized scaling breaking builds work is if you let players only ever have to make rolls against their best stats. No character should be expected to be able to survive as an autist.

No player should have to make an autist, just to be good at a non-face specialty. From SR4 onwards, as Attributes became worth more, they also became more limited at char-gen. I think social skills need to be dramatically overhauled. There should be a few social skills to quantify things like lying to someone, bluffing someone, etc. But one mistake was making the face a specialty - one, that meant they made it have similar opportunity costs as other specialties (several high Attributes, lots of skills, and expenditure of money, magical ability, or both), and two, that meant that going against a face is like hacking against a decker or getting into a gunfight with a street samurai. Add to that some vagueness as to what social skills actually do, add in bonuses that can simply overwhelm penalties that should drastically curtail them, and let social skills affect PCs, and, well, you have the current mess.

Personally, I think Charisma would fit into Intuition best if you combine Attributes; social savvy and reading people fits in well with noticing things and going with your instincts. I think social skills should, like hacking in the discussion above, be easier to buy into, and use, at a non-face level.

I did actually get that, thanks. You still haven't addressed my point: one of your stated methods (imposing a karma cost for lowering Essence) does precisely nothing to reach your stated goal (alleviating street samurai's dependence on nuyen).

That's something else I think needs looking at and reconsidering. Roles, Specialities and Archetypes... These should go back to being starting points and Concept inspirations instead of Classes in all but name. They should still exist but there should be more breadth brought back with them with each Archetype talking about the possibilities within itself and character creation talking about those other avenues too. Thinks like the Private Eye, Weapons Specialist, Combat Decker, Infiltration Expert, the different Mage and Shaman and Adept flavours, Street Samurai, Razor Guys, generalist and focused Rigger concepts, Gangers turned runner and so on. Concepts that mix and blend skill set and Role purposes within the team.

Roles are fortunately rather flexible. A face can be an infiltrator. A rigger can be a decker. And a rocker can be a shaman.

Or whatever.

But a better approach may be to reconsider them in terms of what problems they solve. Deckers and infiltrators can be considered in terms of bypassing security. Samurai can be many things from wetwork specialists (snipers, stealthy razors and so on) to security and covering fire.

Perhaps it's the change we need.

I think that's a lot of what I'm getting at in trying to kill the single-purpose min-maxing. Having to hit a 'must be this tall to be effective' bar makes a lot of interesting character concepts not considered 'viable' at the table.

Single-purpose min-maxing is understandable, when the premise of the game is teams of specialists, when specialties have a high opportunity cost, and when so many tests have that "bar".

There are several ways to address this - lowering the starting maximums (freeing up more points for other things), giving more resources for character creation, or tweaking the rules so that lower skills are more viable.

Personally, I favor giving more resources for character creation, because I have seen that in a campaign I was in that used pre-errata karmagen. With extra resources to play with, characters were comfortably good at their specialties and then branched out. There was less min-maxing.

I'm a fan of a little of column B and column C on your suggestions there. Little more character resources and something that makes lower skill ranks usable. Maybe instead of skill groups there's a Background package that grants a set if skills and ranks that reflect that character concept. Eg: Street Samurai presented as a couple of Close Combat Skills, a Ranged Skill, a Street Etiquette, a Cybertech, a Bushido and a Bike skill (as a random selection), a Razorguy (or Girl) may be more focused on implant based close combat, underworld skills, stealth...

Needs work I know, especially as i dont want to encourage classes... just posting in passing...

Starting Packages can work with that, look at the one from Twilight: 2000, SR5 Run Faster or MechWarrior 4. Maybe not the current numbers, but something similar.

I was, strangely, cleaving to somewhere between the L5R Schools and the Backgrounds from D&D5e. Possibly an Origins route or something where maybe there are 3 package options which you select as you come up with your background (Age of Arthur does something similar in fact). Like you're playing a Street Samurai who used to be a Ganger from the Barrens (giving you the Street Sam, Ganger and Street Life origin skill packs) or maybe you're an ExCorp Wizkid GoGanger (so, Ganger again along with Corp Life and Arcane Education packs) and so on.

Sure, the only thing it does is allowing to reach this goal without creating an even bigger issue.

There are four possibilities to allow a character a new feature: automatically, with a requirement, with a cost, or with a risk. There is a fine line between requirement and cost, as "paying the cost" could be considered as a requirement, and reaching a requirement is likely to have a cost (even if it's only time). You can call it "non-cost requirement" is you want. The difference is that a cost involve consuming one or several resources that cannot be spent on something else.

Older editions of Shadowrun had, for instance, a Karma Reserve based on a requirement: once you earnt X karma, one was added to the Karma Reserve. Summoning spirit comes with a risk of suffering wounds. There are also a number of negative qualities (that is, more build points) or wireless bonus that come with a risk that's left completey at the hand of the gamemaster.

And there things that comes with a cost. The two obvious commodities to spend people will think of are nuyen and karma. But obviously Essence is another.

Currently, augmentations have a nuyen and an Essence cost. The nuyen cost may be too high. Or too low. It just doesn't matter because there is no way it can be set at an appropriate level. Because nuyen, unlike karma or Essence, belongs to the setting. Authors and gamemasters need nuyen in the setting to have PC and NP buy or sell groceries, sport cars, corporate stock or shipment of narcotic substances. What seems like an appropriate nuyen cost for one gamemaster at one point may suddenly cease to be if the PC get the opportunity to steal and fence a Ferrari. There is a game balance issue here that currently requires changes to the setting and the stories, and that's the very opposite of what should be done.

People have been searching for an equilibrium for almost three decades, and obviously none have found one that satisfied everyone so far.

My point is that the nuyen cost for augmentation should be shoot to totally unsignificant levels because there is no satisfying equilibrium to be found. But having only an Essence cost is not going to work, for completely different reason. Essence is a resource that character receive a fixed amount at chargen and cannot increase later (leaving HMHVV aside). No progression here. You'd just take everything at chargen. So if I intend to make the nuyen cost unsignificant and still have a character progression for street sams, I need to introduce another cost. I propose karma. It is one possibility to have a mathematical formulae linking the Essence and karma costs, but it could also be completely different values set for each augmentations.

Another thing might be to (and this is more organisational) create a solid factbook for all contributing writers.

There's nothing wrong with having freelancers, and combining multiple sources, but as a practical matter they need to be on the same page. This should greatly reduce the incidence of confusing contradictions in writing that have resulted in so very many errata.

Why fix in errata what you can get right the first time?

What I want in 6th edition shadowrun is simple: I want the quality inshadowrun, both writing, editing, fluff, Continuity....to be the same quality that comes out of their battletech line. I own more then a few BT books from CGL and they are way better quality then the shadowrun line.

I'm with you there. I think we all are really. Editorial and cleanup has been really lacking in the SR line. A fact book would certainly help with this but equally important is the editors doing their job (and the editor shouldn't also be the writer) and someone making sure the edited copy makes it to print.

Nah, currently every stat block leads with agility. Quickness got broken into 2 stats because those 2 stats are still better than the other stats.

Shadowrun is about a team getting in and getting out alive, usually through sneaking (including decking here) and talking, then fighting. Everyone needs to be able to at least sneak (agility) and fight (agility or magic), plus usually something else. I'm sure the attitude of Shadowrun *could* be that those are unimportant, but that isn't anywhere near close to what Shadowrun is now.

Agility is the only stat important to everyone currently. Everyone having a dump stat isn't necessarily bad, as long as it isn't always the same stat. Not every stat needs to be equally important for everyone, but other than a rigger in a van, I can't think of anyone whose primary stats aren't agility + something else or just agility. Spread skills out, divide or combine stats, whatever. Give a reason for everything to matter to most characters, and you have better balance and better variety.

Combining charisma skills into the other mental stats could help improve the other mental stats. For example: logic (knowledge of the topic) or intuition (knowing people) for lying.

Also agreeing on better editing (and putting edits into the books) and giving everyone something to do in and out of combat.

On hacking: I think we should first focus on the elephant in the room, non-viable encryption. Anyone with a degree in comp-sci will tell you that without viable encryption our wireless world is impossible... but so is a wired one, since you'd have to rely on pre-shared OTP keys to do all communication... however for our jacked-in hackers/deckers to be viable we *need* breakable encryption.

To solve this Gordian know I suggest going with Koekepan's suggestion and treating ASIST as more than a fancy VR technology.



This means that the "wetware"-CPU in your skull, i.e. your brain has some peculiar properties when it comes to solving math problems that give computers a hard time. Maybe the brain has the potential to act as a natural quantum computer, maybe we can simply "feel" the right fields of numbers to solve a problem. The end result is that when a hacker jacks in, he not only gets a funky interface, but parts of his brain are used for computing tasks. Maybe most of the VR is just a way to represent what he's doing to his consciousness in a way that doesn't dissociate his personality.

As a result most encryption methods can be broken, but only if you're willing to hook up the living brain of a person. This would also mean that hacker/decker skills are truly skill like shooting or swimming. It's not just maths and some programming knowledge. It's a painfully acquired aptitude toward "thinking" the right way that can't be book learned, or can only be learned to the same degree as you'd do meditation or the art of parkour.

The end result is, any communication that doesn't use pre-shared One-Time-Pad keys can be cracked... but there's a world of difference between the neophyte l33t k1d who's doing his first rodeo vs. a living legend like Fast Jack. Also, this doesn't mean that conventional hacking is in-viable... it's very much an option. However to be *effective* it needs massive HW & SW resources... hence you can still hack shitty security on a commlink, but anything that's actually put together will call for massive processing power... or putting your brain on the line.

I think the thing a lot of players miss out on is that the premise is not that PCs should succeed on every test.

You should, as a player, be doing stuff your character may or may not succeed at, or why are we bothering with mechanics anyway? We could just shoot craps instead if it's the joy of a good dice roll.

Flaser, I think that you have the right approach, but the wrong idea.

Encryption is the wrong target for this, because cracking encryption is largely a matter of computational power, in a very strict sense. If you want to find a goal for meatware, start somewhere where a combination of instinct, creativity and computation help: QA.

As luck would have it, most cracking is rather similar to very aggressive QA analysis. You're trying to do things to the interface that it wasn't designed to handle.

This means that neural reactions really do make sense on some level - but also still implies that it can be done with other hardware, at a penalty. Tortoise? Viable. Drek-hot-deck? Ideal.

On the other side, scripts are then things that deckers did - just packaged for regular reuse.

Thoughts?

Sounds like a fine idea and dovetails with what I put out. A commlink can actually do decking, but is limited to rating 3. You want to go beyond that? Get the right hardware (cyberdeck**) and go to town!

** == can either be an external device or installed as a piece of cyberware.

I'm not sure there is any elephant in the room because I don't think hackers/deckers need breakable encryption that much.

Strong encryption does protect transmission and cold storage. That leaves hackers/deckers plenty of things to do by hacking live systems, which is pretty much what is done nowadays.

Instead of trying to break into node A where the data is stored, or to intercept the data as it is transmitted between node A and node B, you break into node B where the data is uncrypted, displayed or updated and you trick node B into sending data to you (possibly even tricking node B from downloading the data from node A in the first place). Strong encryption also provides strong authentification, which should prevent you from breaking in at all, and that's where phishing, vulnerabilities and social engineering comes in hand (though vulnerabilities also happen in strong encryption, ask Cryptkeeper).

Actually, circumventing strong encryption that way might even comes in hand to explain why shadowrunners have to break this week into the actual lab or office the work is being done, instead of some remote data center. It also could explain why you can only get the opportunity to download some random value paydata instead of entire corporate archives.

Um... I think you guys are mixing up things. I was talking about real-world encryption that the Internet and all your gadgets run on, not just the in-game mechanic of encrypted data.

@Koekepan: Not exactly. Part of public-key (AKA asymmetric) encryption is that you have so called "trap-door" (mathematical) functions. They're easy to compute in one direction but difficult in the other without special information. This duality is what allows you to more or less securely use the Internet. The computing power to crack these things is either widely available or it isn't... and your average hacker won't have access to the kind of hardware I'm talking about. (These problems are non trivial to crack with *super* computers).

My problem with hackers as envisioned is that they don't make a lick of sense if you actually know anything about cryptography... Yes, yes... it's all just a game and having elves & trolls and magic-mojo doesn't make a lick of sense either. But cyberspace is a tricky issue because it's actually something we have ever more daily experience with, so the zeerust-tech and Holywood hacking are becoming ever more ridiculous as we as a society get more and more tech-savvy. Hence the idea that the brain (with ASIST) can fill in for a quantum-computer. These can solve said "trap-door" problems much faster because they run many problems in parallel they allow complex (as in complex numbers) superposition of states.

Anyway, what hacker need IMHO is a single "Unobtainium" tech that defines what they can and can't do, why they can and can't do said stuff... and the wider implications of how this tech affects society as a whole thought through. Until we do that we're just putting band-aid after band-aid on the issue, since our demands* are mutually exclusive.

*:
1. A computer infrastructure that's usable for daily purposes.
2. Deckers hacking the Gibson with their brains jacked in and all (or most) things tech their plaything.

I think that they're trying to close the loop between the two, and examine what the in-game consequences of various approaches would be.



Oh, I know. Long history with computer science, mathematics, and security administration here. If you're terribly, terribly bored I could even talk to you about different approaches to trap door functions and what might constitute a trap door function in the age of quantum computing, and how that relates to NP completeness, and .... but I digress.

Since you appear to have confused what I was getting at, let me try to be clearer:

You have three types of encryption, broadly speaking (and this is not on the algorithmic dimension, as you will see): encryption that can be cracked in a timely fashion, encryption that will take a while to crack, and encryption that is infeasible to crack before the heat death of the universe. You will observe that these categories are rather sloppy. This is not an accident. This is because cracking encryption is a contextually meaningful endeavour. If you're in a firefight, any cracking that takes more than two seconds is not very helpful. If you're preparing a court case, several weeks might still be plenty of time.

By this categorisation, encryption moves from infeasible to feasible based on the algorithms involved, the available hardware, and the context of need. Authentication systems that use encryption will add timeouts to their challenge/response systems as a defence against naive attackers. This is, you may observe, analogous to the difference between petrochemical resources and petrochemical reserves - something that peak oil denialists love to get wrong because it helps them paper over the cracks in their ideology. (In case you're unfamiliar with the difference, resources are stuff that we know exists. Reserves are what we can reach and extract at a justifiable price and efficiency level. We know perfectly well that we have massive, huge, vast resources. Reserves are a hell of a lot smaller, although the reserves number jumps every time the oil price does. This is why it doesn't matter how big the resources are - if oil costs $1,000,000/bbl but the supply is inexhaustible, nobody cares. It might as well be on Mars.)

I will gloss over various other attacks such as replay attacks, interference to force renegotiations and so on... in each case the question is: can you crack the encryption in time?

It is because of this contextuality of analysis that blanket statements about the viability of cracking encryption don't really help. So maybe it takes just twenty seconds for you to crack my ephemeral communication - so what? If it means that you discover that I intend to drop a grenade on your location ten seconds after it went off, who cares? Crack it all you want - the concentration will help you wait for the grenade.

Oh, and as for securely using the internet, I have very, very bad news for you: the encryption is surprisingly irrelevant because of the degree to which it is only one tiny aspect of the bigger security picture. I could give you a wall-to-wall OTP system, and I could still crack it - not the encryption as such, but the overall network. And this is (another reason) why concentrating on the encryption is misguided.



Actually that's not quite true. If you want to handwave the magical power of something, the brain is a rather poor candidate. At best, neural systems approximate mathematical functions, and the degree to which that is meaningfully parallelised is very open to contextual analysis. If the brain is doing your calculations, you must have found precisely the right neurons in precisely the right configuration (that is vulnerable to things like whether or not you had any CNS stimulants in the last half-hour) and that has precisely nothing to do with the sensorium. If that were all you needed, your Ultimate Cyberdeck would be a portable petri-dish with a nodule of neurons from a rat.



We hardly need unobtainium for that.

But first, let's talk about how encryption isn't the be-all and end-all of information security.

There are end runs around it. Let's say you devise the perfect encryption system. Uncrackable, forever. Trivially easy to implement, computationally negligible to apply, and even super-efficient in bandwidth. Well, every encryption system depends on the key. You have the key? You have the data.

How might I, your evil cracker from hell, crack it? After all, we do know, mathematically, how to build such things (or very nearly). Well, for starters I might see if any of the platforms that are end-point parties to your encryption are trivially crackable with these handy-dandy script-kiddy tools I have. They are? Oh, goody! Go ahead, my friend, encrypt all the things. Since I'm now a party to the encryption, I'm in. Even if the systems themselves are tough nuts, is your implementation really rock solid? After all, it's kind of sad how many have been cracked because they used non-random random sources (for example).

Maybe you're tighter than a prohibitionist's rear end on system security, and my script-kiddy tricks don't work. Ok, fine, fine. I show up in a nice suit, looking for a job. While the HR cutie trots off ("Oh, no hurry, I know you folks are busy, I'll just hang out here! This is great coffee, by the way.") to find out what the deal is, I'll peek under a few keyboards, mousepads and calendars to see whether just maybe someone left a sticky note with a password around. Oooh, will ya look at that! I'm in.

Maybe your buddies are all a crack team of total security badasses, who use three factor authentication every time they need to fart. Dammit, you're going to make me work for this? OK, great. I capture one of them, hack off a little toe with the claw end of a hammer and toss it in a blender. Then I ask him, nicely, to please log into the system for me. Awww, thanks, you're such a swell guy! You get to keep the rest of your toes! ... and I'm in.

Ok, so your people are immune to pain, fear or the need to ever see their loved ones again. I flush the corpse. What next? Think, think, think .... oh right! I hang out at their favourite bars, and pickpocket a suitable system. Yay, I'm in!

Wait, your people don't drink, your system times out authentication every two seconds, and if I ever fail a login they melt down to slag. Fine, next approach: Bribery. I identify the disgruntled, and do a few favours, maybe ask a few favours back. Your people willingly give your stuff up.

No, your team is all composed of total fanatics willing to tear their own hearts out before betraying you. Right, well, then we enter all-out social engineering. Get them to do seemingly trivial things that afford me some kind of entry. Maybe I get them to log in five times ("Geeze, it isn't working for me! Can you just try that again? Oh, I'm sorry to be such a bother, but I swear this thing is killing me ...") to infer things about the protocol, or the seat of the logic, or whatever.

But no, your team follows all procedures to the letter, no questions asked and no answers given. What else? Well, there's nothing like physical involvement. These days (like, today) many surveillance systems are networking based. Maybe if I can tap one of those lines (or *heeheehee* wireless!) and be the total man in the middle until I can figure out a gap in your storage system to which your surveillance goes, and then once I own that I have all the data.

You see the point? Encryption don't mean nuthin'. It's only one tiny, tiny part of a complex defence in depth. And if there is a consistent weak spot in the technology itself, it is the implementation.

(As an aside, in this age of Windows 10, App Stores, Google, AJAX frameworks and so on, it's cute how you can come up with phrases such as: "This duality is what allows you to more or less securely use the Internet." But again, I digress...)

So what opportunities do we have for justifying dhaeckers at all? After all, those heckers and dackers must have some good reason for direct neural interface, and the benefits of cognition as opposed to raw computation. Getting directly to the brain nominally tightens the OODA loop. The hdeacker must be able to act with quick enough responses to do things that would otherwise prove difficult or impossible. Encryption doesn't match this field of cracking endeavour, because a perfect defence to all dheackers everywhere would be to up the encryption game - and that's not the case. So what could it be?

If the OODA loop is the valuable part (and the fluff has always made a big deal of the screaming speed needs to be satisfied by neural interfaces) then there has to (by implication) be something requiring creativity and responsiveness for a valuable exploit. What might that be? Encryption? No. You're not decrypting anything faster because you're in a virtual battle with an army of rabid pacman ghosts. Running exploit scripts? No. Hit the ENTER key and let the scripts run. No OODA loop involvement beyond that. Social engineering? No. You're not socially engineering your way through a receptionist because you're arm-wrestling a centaur in virtual space.

The only thing that more or less makes sense in this context is probing and exploiting an unfamiliar terrain on the fly. This may include software and hardware elements, but this has much less correspondence with encryption cracking than, as I stated above, QA procedures. Find the hole, exploit the hole, see what you can get. Find the hole, exploit the hole, see what you can get. Some holes/exploits simply slow down opposition (sucking up RAM or CPU time) or create confusion (a billion bogus requests) while others actually penetrate things (SQL injection attacks, stack smashing and so on) which let you do the nefarious.

This is what I was talking about, and why I largely dismissed what you said about encryption; because it's not an appropriate match for the concepts behind the milieu, or what dheackers should be doing, according to the fluff.

Now, as a consequence of all this, you can see how earlier I was saying that it makes for a good career progression, because you can start with known exploits from a tortoise, and end up generating and recording your own new exploits and selling them to kids with tortoises. You can see how there's some degree of logic to the faster gear mattering, without instantly rendering your team's hdaecker useless because a bullet went through their deck. You can also see how it motivates certain real-world principles of information security, starting with: "If it's that darned important, don't put it on a computer." through "Well, damn. Put it on a computer, but stick that computer in a faraday cage." to "Nobody really cares, just put it in a spreadsheet next to HAWTCHICKSTRIP.mp4 and CUTEKITTEHS.pptx."

Basically much higher verisimilitude.

Hacking itself works just fine with encryption. The depressingly common way to hack a company:
- Scan their public homepage for known bugs in on the off-the-shelf content management systems (Joomla, WordPress et cetera) they're using
- Install a shell on the webserver, escalate account privileges to root
- The webserver is connected to the internal company network, obviously anybody inside the company network is a trustworthy employee, therefore you can just access the file storage

The problem with encryption is that if the files you just liberated are encrypted (most of the time they would not be, but if), there is nothing the players can do about it. Realistic encryption with a decent password cannot be overcome with wits, skills, cinematic action or anything else, if the GM declares that the file is encrypted you are SOL, end of discussion.

Before we bog down the discussion with even more shoptalk, let me point out that I'm not a computer security layman. I teach comp-sci as a day job. I'm aware of Kerckhoff principle, the princliple of even hardness (I'm not familiar with the English term), the role of social engineering, the trouble with man-in-the-middle attacks, side-channel attacks, heck we could even talk about langsec, but I don't think these issues are that relevant to Shadowrun game design.

Koekepan, I focused on encryption, since its existence allows you to use networks on a daily basis because it facilitates confidentiality, authentication and integrity. Without solid encryption you wouldn't have those things. Yes, I *am* aware, that our solutions are not fool-proof... far from it. However, just as you pointed out, the Big-Ω complexity of the various parts of the system should be considered. A lot of the "cracks" you listed were in fact circumvention* of the whole system. No, encryption isn't the end-all, be-all question of security. However a lot of the on-the-fly hacks we see in the game are highly unlikely if encryption is decent. If it can be routinely circumvented we need to outline the framework how said state of affairs came to be and how everyday computer use can still go on, *without* script kiddies robbing everyone blind.

I concur with you on the idea that incorporating all these other facets of hackerdom into Shadowrun would enrich the game... however we'd need to give hard categorical answers as to what a hacker can and can't do (easy, can do it in weeks, can't do it ever), so GMs have a handle on how to treat the issue. Because most GMs aren't sysops or computer scientists like us. We need to give some hard and fast rules that let laymen decide whether a task is outside the realm of feasible.

*Then* all the other facets of security circumvention come into play with the face infiltrating the complex to gain access to certain records that'd allow better social engineering, legwork could involve discovering what software the target is running and what 0-day vulnerabilities there are. It's more interesting and makes hacking into a group effort where everyone can contribute through its different aspects.

*E.g. mitm attack circumvents the necessity of decryption anything by fooling the participants into believing that the attacker supplied numbers are the partner's public key.

I don't see that as a player problem, unless they are deliberately trying to break the system with builds that exploit rules loopholes. But simple, logical character optimization? No. If a normal, optimized character can breeze through challenges, it is not the player's fault. A player should not have to intuit an acceptable power level. The GM should provide additional guidance for the players about the power level of his/her game, and provide appropriate challenges.

If hyperspecialists still dominate the game, then (getting back to the purpose of this thread) the rules need to be changed. Personally, I think the rules are already fairly balanced, with limited character creation resources and their associated opportunity costs (getting X means you can't have Y); hard limits that let the characters start out strong but not at the level of the very best (with skills that go to 12, deltaware, initiation, and submersion, the players have many ways to improve); many potential negative modifiers to counteract high dice pools: and finally, the deadly and tactical nature of the game, where even thugs or gangers can be deadly in numbers and using some elementary tactics. I have played lots of optimized characters, and they have all gotten banged up.

Honestly, SR5 is a good example of how not to fix perceived imbalances. They broke out the nerf bat for SURGE, the sensitive system negative quality, and everything else that seemed "too good". They either made an option all but unusable, or tacked on an unfun hindrance to it. The latter is especially bad, because while flat penalties might reign in hyperspecialists, they affect non-hyperspecialists even more, actually encouraging min-maxing.

Shadowrun will always be a difficult game to balance, because characters don't have levels, but a sliding scale of versatiliy to specialization, and there will be times when one is more useful than the other. Compare the street samurai and bounty hunter archetypes. Sure, the street samurai is better at initiative, dodging and soaking damage, and combat dice pools. But other than combat skills, he is woefully limited. He can sneak or drive, a bit, and probably default for simple athletics tests like climbing over a chain-link fence. He rolls two dice to default on perception tests, and one die to default on social skills (except that he can't even do that for con tests). The bounty hunter, by contrast, rolls around 6-8 dice for combat skills, meaning that even a single thug or ganger will be a tough fight for him. On the other hand, he has a much wider array of other skills. He can patch up someone's wounds, perform basic maintenance or repairs on his guns or his vehicle, function in social situations (especially intimidating other people), find food or shelter out in the boonies or the barrens, jimmy a lock, etc.

If a campaign is all combat-focused, the street samurai will outshine the bounty hunter. If the campaign has other skills come up, then the bounty hunter will have more spotlight time.

To me, the biggest problem with skills is not the high end, but the low end, where a skill of 1 or 2 really doesn't mean that much. I am not sure how to fix this. Maybe raise the defaulting penalty from -1 to -2, and be more explicit about what kind of simple tasks you don't need to roll for if your skill is 1 or better. A skill of 1 should be "trained" rather than "beginner". Considering how many skills that, say, a basic wageslave defaults on, even a skill of 1 should be pulling away from the pack.

Fair enough. That's precisely why I was saying that cracking encryption is the least useful approach to justifying gibsonian cyberspace as a meaningful necessity for a top-flight security intruder. If it makes all the encryption useless forever, then every bad actor from the mafia to a motivated kid in a basement is suddenly one step away from sidestepping encryption as a concept. If it somewhat moves the envelope on which encryption is meaningful, corporate admins everywhere sigh deeply, and update their standards. Net effect: near nil. If it makes no difference to decryption, it absolutely has to affect something else.

This something else must be something that benefits from a tighter OODA loop, or it is utterly out of step with anything in the fluff, which implies that it's not the simple fact that brainmeat is in contact with electronics, but that decision-making is involved. This, again, is inconsistent with encryption being the target. My position, which is still in accordance with every fact you brought forward, remains that the key element must be related to exploratory work and live experimentation, rather like a boxing match in which boxers try their favourite combos on each other, while angling and looking for gaps and trying modifications of their combos.

Bear in mind that it's in the nature of QA analysis as well as cracking, to look around the edges, not just the straightforward elements. Why decrypt anything if you don't have to? Since computers deal with humans, you can handwave away all the social engineering, threats and interface problems all you like, but it's a perennial problem that people simply don't do it correctly. They constantly demand new passwords with ridiculous criteria, so that writing things down becomes an easy choice. If every computer system were simply an exercise in solving an equation, totally separated from any human concerns, definitions or interpretations, security would be a hell of a lot easier. This is why those ill-fitting seams in the system exist that afford attackers a purchase.

From a game design perspective, you need something that offers a coherent narrative so that the players and the GM all know what game they're playing, and so that the GM can coherently judge whatever nuttiness the players are getting up to. If the dhaecker's one answer is: "I crack that encryption HARDER! Turn on the afterburners! I'm cracking it FASTER! RAWWR!" then it's really not adding a lot, nor making sense in terms of gibsonian activities. If on the other hand, the hdeacker is trying to get through a public interface just enough to use a known exploit on a vulnerable piece of hardware, so that he can copy a temporary key from memory fast enough to subvert a running encrypted communication - that makes a lot more sense, and reaction times and rapid decision-making clearly help a lot.

Bear in mind that a lot of encryption that is totally, super-duper important you guys, is kind of irrelevant to intrusion in most cases. It's only there to protect the ephemeral communication of the moment. The mere fact that a hdaecker happens to have been able to open a communications channel already implies, since the channel is encrypted, that there's encryption going on - which doesn't require cracking, since as of inception, the hdeacker is a party to the link. And consequently, unless the dheacker is trying to crack someone else's encrypted link, the fact that someone else has encrypted their Matrix link through which they're viewing hot burmese-on-persian catpr0n is so bottomlessly irrelevant as to be a meaningless distraction.

Errata Shadowrun: Anarchy, flesh out Amps & Gear, add more descriptions, and a bit more flexibility in point allocation for chargen. You can all flame me now.

As a GM I tend to differentiate between skilled and uskilled PCs through what additional information I give out. Having AGI 5 vs AGI 2 + Lockpick 2 might mechanically be the same, however the natural contortionist won't be able to interpret what's before him whereas the beginner lock-picker might realize that the particular lock he's facing can be frozen to make bypassing it easier.

I wouldn't flame you at all. While I think Anarchy goes too far toward simplicity, and the focus on being a narrative game isn't the right default, there are a lot of great ideas in there that should influence the next edition of the game. I consider it a grand experiment, free from having to conform to what came before. It would be foolish to disregard its lessons.

I'm particularly keen on the idea of rerolling failed dice as the default way gear and such can affect a dice pool. It means that you need more ranks in a skill to get the maximum benefit from your gear.

...but you stubbornly ignore that most attacks do not need the break the encryption between two parties, because the attacker IS one of the parties. If Joe Scriptkiddie attempts to crack your account on a website by automatically trying all possible possible passwords in the login form, it does not matter whether that website uses HTTPS or not. Joe is taking the same way as a legitimate user.

What are certificates and digital signatures? Oh, they happen to involve asymmetric encryption too... now what's this magic property that prevents a newbie hacker, alias John. Q. Public from "creating" a cred-stick with a million nuyen? Sengir, I was harping on encryption being a contentious issue since our current digital security is so heavily entwined with it. I know and do acknowledge that this is more or less a pet-peeve of mine, kinda similar to how a doctor can't watch medical procedurals or how an astronomer finds most sci-fi flicks inherently silly.

Anyway, my only real game-design related issue is that hacking rules should provide a better baseline as to what's easy, hard but doable and impossible so GMs have a better feel for what can and can't be hacked and what tricks there are to hack something anyway using the aforementioned social and technical aspects of hacking unrelated to slugging it out with IC in the Matrix.

EDIT: Anyway you are right, a lot of hacks can be done without circumventing whatever encryption schemes are used in other parts of the security, Meredith L. Patterson gives a wonderful talk why our software is so insecure in the langsec link I gave before.
If there's a moral to my rants, it's this: don't make encryption easy to break or outline very carefully how it can be done since real security is heavily reliant on it. (Think of the Hacker with cracked million nuyen credsticks).

That is a problem in game with encryption. They can't seem to make up their mind how good it is. On one hand you have encrypted comms and hosts that hackers routinely bypass and on the other you have cred sticks or SINs that seem mostly uncrackable. Why not encrypt your comms or hosts with the same encryption you put on the cred sticks? Oh right, cuz then hackers wouldn't have anything to do. In world consistency would be nice.

The open question from game design's perspective, is how much all this matters.

Even assuming you have mathematically perfect (or at least infeasibly assailable) encryption, a hell of a lot can happen, as both Sengir and I have pointed out. Out-of-band attacks are a constant approach, as any reverse engineer could tell you. Even if you have a security team moving over your fresh OTP keypad (an 18-wheeler full of paper tape), that security team can come under attack by runners.

If you're trying to represent action in a matrix environment, then that metaphor makes no sense for representing the cracking of encryption. If the value of the metaphor is such that it's a requirement of the game (and really, what would shadowrun be without the matrix?) then you have to ask what they are doing in the matrix. Surfing for porn? Well, probably, but what does that metaphor actually represent?

That's the key question, which I tentatively answered by my references to QA and looking for imperfections in implementations.

Nothing that prevents a script kiddie from automatically entering two billion possible passwords, or registering as Robert '); DROP TABLE Students;--. Encryption makes data arrive at its destination unread and unaltered, but cannot help if that unaltered and unread data is malicious.

PS: I know, client authentication exists. Should Amazon demand that every user has a client certificate to prevent SQL injections?

Please read up on how certificates are used to provide authentication and integrity, confidentiality (making a connection secure) is only a part of what encryption schemes are used for. I brought up the example of hacked credsticks for a specific reason.
However even if you focus on your login scenario, using a smart card actually would make it pretty darn hard to just bomb the server with random password, since then authentication works very differently. The server sends you a challenge, you have to encrypt it with your private key and the server uses your public key to verify that you actually encrypted the challenge. (This is the reverse of how asymmetric encryption is usually used. Now the decryption key is public and the encryption one is private. Certificate Authorities and Chain of Trust use this scheme to ascertain whether a given public key belongs to the person it claims to belong to).

Our systems are insecure, because our implementations are inherently flawed, not because our security schemes are vulnerable from the get go. Our protocols and interfaces weren't rigorously enough designed to adhere to only regular or context-free (machine) languages as operation to begin with was much more important initially than security. These issues are often called security bugs, the hell of the thing though is that you often can't test for them all in advance, since they involve input that's improper by intent and exhaustive testing is impossible for most software.

With all that said though, I don't think our discussion is contributing to the thread anymore. If you'd like to keep going, I suggest creating a separate thread for it.

Whatever works best at your table, man, but I prefer my SR to be a little more game and less free-form narrative. Anarchy just doesn't do it for me.



Eh, credstick hacking is more of a rules thing for gameplay reasons. If credsticks were hackable, then a lot of the reason to 'run is gone because your friendly team Decker can literally just make money from nothing. It's the same problem that ends up in riggers just turning into chop-shop owners or mages just refining telesama all day and making better safe money as grey-market producers.

I'll admit that I've kind of gotten lost in the technicality of the debate about encryption here, especially since I'm at best a regular user with mainly conceptual understanding of the concept. That being said, however, I'll agree that there is an issue with the logic behind encryption. Either encryption works and is very difficult or impossible to break, or it doesn't and can be broken relatively easily. For the sake of believability, we need encryption to work, but for the sake of the game, we need encryption to be able to be broken, because else the hacker will have very little to do in the game. And that then leads me to a house rule I've tried to implement for a campaign I've just started with some friends using 4a rules. You can only break an encryption with a decrypt program with a higher rating than the encryption (except rating 1 vs. rating 1, where you'll simply need twice as many hits as normal, in order to break it). This idea is meant to serve two purposes. 1) It makes encryption useful to some extent, as it prevents cracking it in some situations, and 2) it means that there will be a need for "social hacking", if you can't break the encryption with your decrypt program.

It's really not that hard to understand: Transport encryption (like HTTPS) prevents data from being read or altered en route. But it is not a magic wand which prevents malicious data or messages from Nigerian princes from being sent.
I'm talking about letter bombs and you keep responding that envelopes prevent a letters from being read or altered by third parties. Not that this isn't a nice property, but it's totally irrelevant to the point at hand.

Why wouldn't you just buy the best decryption program and be able to hack any encryption then? Honestly, it sounds pointless and makes decryption mandatory now (which it already is...).

This isn't meant for you, Kyrel, but in general. Its stupid to make the Matrix realistic. It should be 100% based off the metaphor because the coding and security is so insanely high level that it's literally beyond human comprehension how this stuff actually works. It makes some sense when you think about it. Echo Mirage weren't necessarily better hackers then everyone, but they did have the first ASIST interfaces and they weren't going through lines of code or seeing 0s and 1s. No, they were seeing a high level abstraction that made security vulnerabilities in the code more obvious and easier to exploit.

So the point is no longer to make unhackable encryption, because the metaphor of the VR Matrix makes it easier to crack. The whole point of Matrix security is to make the metaphor fight back. Security is more about frying someone's brain cells, since it's more reliably secure.

This also gets to the point, AR vs VR hacking. We can't go back to only VR hacking, because then we run in to the problem of the hacker having their own 30 minute dungeon crawl while the rest of the team goes and gets pizza. So we NEED hacking to move at the same speed as the rest of the game.

The biggest problem with the Matrix is that its too slow. It basically means you need to go VR hacking, because you need all the initiative passes you can get to hack or fight IC, or whatever. But the problem is, being immobile is kind of a death sentence. A way to fix this, and that is to give everyone mesh reality if you're in VR. So that you can spend your meat initiative doing meat things like running around, taking cover, or shooting people, and the rest of your initiative goes towards Matrix actions. Also reducing Matrix actions from complex to simple, would also help a lot. After all, twitchy fast paced combat should most definitely be apart of the Matrix metaphor, maybe taking a dice pool penalty to reduce the action type.

And the metaphor should also be reflected not needing to rely on "hacking" or "software" skills, but by using pistols or climbing, or whatever. Other active skills should replace hacking, because everything is just a metaphor in the VR landscape.

Agreed. To add to this: if there is a totally invulnerable form of encryption, without which any pretense at information security is a joke, then everybody would be using it.

The whole reason this doesn't happen in the real world is that there aren't off-the-shelf Decryptomatic Infrawogulators™ (Now with Extra Quantum Power!™®).



I don't buy the incomprehensibility-through-complexity handwave, because otherwise nobody could do a damn thing. "I tried to tally up our quarterly expenses, boss, I swear, but it kept coming back as the Necronomicon! I need a deck!"

If you're proposing that only the specific activity of looking for vulnerabilities (essentially, high-speed QA work) requires an interface like that, then so be it. But at that point I'll build a Matrix node that is essentially decker-proof because its interface is a 14.4KHz modem. Yeah. Where's your fancy interface NOW, drekhead?

Mind you, this would be a strong argument for requiring physical access to be able to do any strong attacks using fancy-pants decking technology, but the first thing I'd do then is pull off any deck-compatible interfaces. Sorry chummer, unless you brought your soldering iron and you're good at splicing optic fibre under fire, this one is happening old school.



He stood tall, a legend among his fellows, the decker that nobody could kill. He used a tortoise, mouse and keyboard, with a slow refreshing screen so that it couldn't even try to induce epilepsy. He wasn't the fastest, but he was unstoppable. They called him Juggernaut.



OK, so this argument amounts to: Shadowrun computers are magic pixie boxes that do plot mcguffin stuff in parallel with the rest of the action, because that's more convenient for action. Let's just ignore the problem of distractions in a firefight. I don't know about you, but if this thing interferes with my attention in combat, it's the first thing that's going into the trash.

Instead of all this discussion about the Matrix being a different form of magic (it's not magical, it has electrons! I swear!) how about we investigate the central concept, which goes even deeper than gibsonian cybernetspaceinterfacing?

It's computers. Computers, all the way down. What do computers do? Mostly, they shuffle bits around. Sometimes they do calculations on those bits, and sometimes get really crazy and change bits. (Usually on a Friday, after 5PM.)

What does encryption do? Primarily, obfuscate content. Sometimes with some added salt around authentication, but mostly it comes down to keeping private conversations private (depending on some constraints). Encryption doesn't solve problems around subverted or malicious counterparties, as Sengir and I both pointed out.

What does the interface do? It offers pertinent information in a useful fashion, and affords the user opportunities to take relevant action. Relevant action, as previously discussed, will almost never be "DECRYPT HARDER" but unfortunately will also require judgement (otherwise why the hell isn't it automated out the hoop?) which means that as an activity it is incompatible with victory in combat. Or did you somehow envision Ronald the Runner hacking the Matrix while grappling with Og the Ogre?

The real implication of all these facts, taken as a whole, is that if you're not just treating computing in ShadowRun as just another layer of Magic, tallying payroll has to be feasible without a deck, decking has to require either very fat pipes or direct access, and is in any case incompatible with real world action.

This implies that you're going to need a two-stage game. It's not unthinkable. Contract Bridge is a two-stage game. First you bid, then you play. Similarly, runs start with legwork. There's no reason that magical and matrix legwork can't fold into the whole process as well - and that includes lining up appropriate spells, summoning appropriate spirits, or assembling an appropriate library of hacks and cracks. The idea that all the Matrix action has to happen precisely while the infiltrator is shimmying down a drainpipe into the corporate garden retreat makes no sense at all.

I know, I know, it's heresy to suggest that every single ShadowRun session might not be a non-stop fragfest with wall-to-wall blood-and-hydraulic-fluid decor, but on every single level, from the corp exec signing a budget for equipment that can't be owned and trashed by a barrens kid in under a minute, to the question of whether or not encryption really means encryption in ShadowRun, the show-up-and-wing-it approach to decking makes less sense than a cockatrice petting zoo.

The Matrix VR metaphor wouldn't care at all about your hardware. Once again Echo Mirage was hacking networks on the Internet like it was nothing. This means that the metaphor makes it trivial to hack any system regardless of hardware limitations.



Without exposing your brain cells to biofeedback it means you don't get all the benefits of the VR metaphor. Which to be fair, the mechanics do slightly reinforce that in all editions.



The idea isn't that the Matrix is literally magic, but that it's a high level abstraction on top of a higher level abstraction. It's like all those insane Java frameworks that are abstractions on top of other abstractions but taken to the nth degree. The idea is that low level code is a thing of the past. It's easier to visualize code in a 3d interface and sculpt (literally in 3d VR space) code then it is to write lines of code into VIM. In 50 years all our coding paradigms are going to be completely obsolete.

I think we've flogged the horse of encryption to death, but I'll have to flog it just a bit more:



Encryption... err, no let's be proper. Public-key certificates do more than that. They provide authentication and integrity. If somebody's response checks out with a given public key (which is signed by a trusted CA) you can be reasonably sure that:
a) They're who they claim they are
b) What you received is what was sent and it wasn't tampered with in transfer

These issues are separate from the communication being secure (that is unmonitored) by 3rd parties, but arr just as vital to daily operations.

I harp on encryption for the reason that cracking these functions should remain non-trivial. The result is that when the team wants to subvert these functions of the security system they have to be clever and apply lateral thinking instead just "Decrypting harder" as you put it... What do I mean under "lateral" thinking? They'd have to discover how certificates and credentials are handed out at the target site, find out how fail-over cases, like temp-workers, new hirees, parent-company reps, etc. go about their business and exploit the cracks in said procedures... or be ambitious and forge their own certificates by exploiting a weak chain the greater infrastructure outside the target, say a new CA has started business in town and their site is not yet secure...

I like this approach because it makes security more diverse and interesting than a mere target number and we end up with a verisimilitude that starts to generate whole adventures. "Hacking" a major CA could be a Shadowrunning job on its own that could enable storming other, bigger Matrix targets that'd normally remain impenetrable.