Machine and Man in Cyberpunk

[Lokathor]

And I can also see in SR's future that even though these corps are all at each others' throats, there's a good reason to share data on information security. Yeah, you may want runners to hack a system for you, but you also want *your* system to be as secure as possible.

Part of the SR future is that corps will totally accept a seemingly small weakness on their part to try and get at the enemy corp in any way possible. Because they overestimate themselves and they are very aggressive against their foes.

Then this causes a feedback loop and now you've got the entire Shadowrun setup.

[Username17]

How does a really skilled gunman with a really cool gun deal with a spirit who just uses materialization to walk through him? Is this a huge issue? If sometimes guns don't work is it ok if sometimes computers don't work work either?

(It does point out the whole MagicRun aspect of the game, but that's pretty much how it has always been.)

Balancing magic is a separate issue. Many cyberpunk games do not have any magic. Games which do have magic give all kinds of limits or lacks of limits to the magic in them. A lot of fantasy games hand out magical power that is actually bullshit small, and while there are games where magic is super strong, that's nothing like ubiquitous.

In Shadowrun in particular, magic gets hugely boosted over what it is capable of in, for example: Earthdawn. This is done because the magic in Earthdawn simply takes too long, is way too short range, and has effects too minor to compare favorably to modern technology. Someone able to do that crap would be able to make mad bucks as a stage magician, but at the limit they aren't actually able to leverage their powers to do anything that a tech specialist of the future or even the present would be particularly impressed by.

But while those boosts are for the most part simply to keep magic from being the laughingstock that RuneQuest magic, Rolemaster magic, Earthdawn magic, or Tunnels and Trolls magic would be in a setting with submachine guns and cars; the reality is that they still had various stuff that the magic characters can do that other people can't. And when you combine that with the fact that magic got boosted up to the point where you are totally on an even level with other people on the non-role protected factors and then have role-protected abilities on top of that make them overpowered.

-Username17

[Username17]

You're missing my point. Say you release a worm or virus out into the environment. There's a certain length of time before that worm or exploit or virus comes to the attention of the programmers/antivirus people. At that point, they patch the hole or issue AV signatures.

From then on, the *only* way that virus or worm is going to work is if someone has been lazy and hasn't run the patch or downloaded the AV yet. AV is good about updating multiple times a day, but exploit patching... that's a horse of a different color.

An agent that auto-patches as soon as there's patches released would reduce the infection rate in the internet by around 75-80%, and that's not hyperbole.

I could see how continuous auto-updates would put the kibosh on long-running persistent worms, but it sounds like it would make actual security essentially impossible. You're talking about setting up all your systems to be automatically assembled spaghetti code that continuously accepts additions to the spaghetti from the wilderness and incorporates it into itself. Any Black Hat could hack into just about anything by spoofing the headers of one of the update providers to send in an "update" that contains a backdoor or malicious code. And yeah, it might get reverted in a few seconds, but by then you already have a legitimate account or have already caused the centrifuge to destroy itself or whatever.

Such a world would actually work very similarly to the way it is supposed to in cyperpunk stories - people send in actual hackers who actually hack actual systems which are pretty much powerless to keep them out.

-Username17

[Vebyast]

Any Black Hat could hack into just about anything by spoofing the headers of one of the update providers to send in an "update" that contains a backdoor or malicious code.

It'd be a bit more complicated than that; first you have to compromise the one-time pad they exchanged - by hand - with a trusted security officer who works for the update provider. Which you typically do a few seconds before you continue as described and Do Bad Things, but it should be mentioned as a possibility because it could open up more interesting gameplay (whack the courier, steal hard drives, attack two machines simultaneously, etc). And that in turn supposes that the world follows the "real crypto doesn't work" manifesto you led with for Asymmetric Threat, otherwise they just use public-key cryptography or homomorphic encryption and this attack becomes basically impossible. But we're ignoring all the fluff and hoping our bullshit isn't too obnoxious anyway, so it kind of evens out.

[Stahlseele]

Sounds kinda like something Hackers do nowadays sometimes.
If somebody managed to subvert MS Update Service Servers, 80% of the worlds user owned computers would be their bitch . .

[sabs]

Any Black Hat could hack into just about anything by spoofing the headers of one of the update providers to send in an "update" that contains a backdoor or malicious code.

It'd be a bit more complicated than that; first you have to compromise the one-time pad they exchanged - by hand - with a trusted security officer who works for the update provider. Which you typically do a few seconds before you continue as described and Do Bad Things, but it should be mentioned as a possibility because it could open up more interesting gameplay (whack the courier, steal hard drives, attack two machines simultaneously, etc). And that in turn supposes that the world follows the "real crypto doesn't work" manifesto you led with for Asymmetric Threat, otherwise they just use public-key cryptography or homomorphic encryption and this attack becomes basically impossible. But we're ignoring all the fluff and hoping our bullshit isn't too obnoxious anyway, so it kind of evens out.

Okay, if you've got a one time pad that's hand exchanged. You're not doing autoamatic updates. Secondly, as a member of Ares Information Security, I have 1 million servers, and about 100 times that many commlinks that I need to authenticate and keep secure. If you think I'm exchanging one time pads for that shit.. you're high as a kite.

[Josh_Kablack]

Here in 2013, the decade-old Windows XP still has somewhere around a 35%-40% market share of desktop OSes. While downloading updates and applying patches is a heckovalot simpler than migrating OSes, that does seem to indicate that enough people fact people are lazy or reluctant to update in large enough numbers to allow attacks work even when patches / AV exist against that particular attack.

[Foxwarrior]

While the game can accept rigid structures that block cyberspace propagation in both directions for the same reason that it can accept walls being effective cover in fire fights, it cannot accept people divesting themselves of VR equipment in order to render themselves immune to hacking. For the same reason that it cannot accept people simply refusing to purchase a firearm to make themselves immune to bullets.

If you're a tech specialist and your opponents go the full cromagnan,, you should own them.

I really hope you're conflating "Hacker Characters" with "Hacking" here. If it's easier to perform SQL injections on a person if they don't use SQL, your game is stupid and you should feel stupid. If it's easier to trick people with illusions if they don't have Photoshop Detectors implanted in their brains, that makes sense, but illusions of that sort aren't Hacking, they're just a thing that Hacker characters could tend to be extra good at.

[zeruslord]

Windows Update already automatically pushes signed code updates. Auto-generated patches are way in the future, because security is Hard, but guaranteeing that your updates are coming from the person you think they're coming from is pretty well understood already. There's some issues with the current SSL certificate model, mostly related to lacking levels of trust between single-domain and infinite, but that's a spec issue, not a cryptographic one.

[kzt]

Assuming that, in the game, someone doesn't make absurd statements about how crypto doesn't work.

Crypto not working prevents the use of a public network for anything involving money or anything more serious than checking the menu of restaurants downtown. Which means the Internet as we currently know it doesn't happen. No on-line purchases, no VPNs, no one-time cards, no non-repudiation, no verification of who you are really talking to on your video chat session. It's a total disaster for a "cyberpunk" game.

[fectin]

While the game can accept rigid structures that block cyberspace propagation in both directions for the same reason that it can accept walls being effective cover in fire fights, it cannot accept people divesting themselves of VR equipment in order to render themselves immune to hacking. For the same reason that it cannot accept people simply refusing to purchase a firearm to make themselves immune to bullets.

If you're a tech specialist and your opponents go the full cromagnan,, you should own them.

I really hope you're conflating "Hacker Characters" with "Hacking" here. If it's easier to perform SQL injections on a person if they don't use SQL, your game is stupid and you should feel stupid. If it's easier to trick people with illusions if they don't have Photoshop Detectors implanted in their brains, that makes sense, but illusions of that sort aren't Hacking, they're just a thing that Hacker characters could tend to be extra good at.

Using your metaphor, everyone uses SQL. Your brain is an interfaced computer, using it is non-optional. What's in question is whether you make an effort to protect those interfaces.

[Username17]

I really hope you're conflating "Hacker Characters" with "Hacking" here. If it's easier to perform SQL injections on a person if they don't use SQL, your game is stupid and you should feel stupid. If it's easier to trick people with illusions if they don't have Photoshop Detectors implanted in their brains, that makes sense, but illusions of that sort aren't Hacking, they're just a thing that Hacker characters could tend to be extra good at.

1. If your game attempts to adjudicate whether SQL injections have happened or not, it's not operating at a high enough level to make any fucking sense.
2. The future version of SQL injections involves sending impulses directly into peoples' fucking brains, so you're damn right it works better if they don't have any devices that interact with the used wavelengths.

Crypto not working prevents the use of a public network for anything involving money or anything more serious than checking the menu of restaurants downtown. Which means the Internet as we currently know it doesn't happen. No on-line purchases, no VPNs, no one-time cards, no non-repudiation, no verification of who you are really talking to on your video chat session. It's a total disaster for a "cyberpunk" game.

That depends on what it means for crypto to "not work". If undoing the cryptography on a BitCoin is something that takes more time and effort than that coin is worth, then the fact that crypto "doesn't work" doesn't matter for those purposes.

There are a lot of cyberpunk stories that depend on it taking some amount of time to decode things. There are basically no stories or institutions that are invalidated by having cryptography that can be broken, so long as that code breaking is neither instantaneous nor free.

If the future version of PGP is essentially unbreakable, that's a hard nut kick to every "the bad guys have the file, it's only a matter of time before they crack it" scenario. Which let's face it, is every fucking story you want to tell involving Cryptography. From Skyfall on back.

If crypto is breakable in thousands of years or something stupid, you aren't even playing cyberpunk, you're playing cypherpunk. And then all your missions involve honey traps in Sweden.

-Username17

[Vebyast]

If you think I'm exchanging one time pads for that shit.. you're high as a kite.

...Eh? A single hard drive these days can store a big enough one-time pad to encrypt all of Google's traffic, upstream and downstream and youtube included, for about fifteen seconds. It would take two years to run through the same OTP if you transfer at 256KB/s, which I know from experience to be enough to teleoperate a humanoid robot. And that's assuming current data densities.

There are a lot of cyberpunk stories that depend on it taking some amount of time to decode things. There are basically no stories or institutions that are invalidated by having cryptography that can be broken, so long as that code breaking is neither instantaneous nor free.

Here's some technobabble that agrees with reality enough to not break suspension of disbelief. As usual, quantum computers are the answer. They exist, and they can break any crypto that isn't a one-time pad. However, quantum computers are probabilistic; instead of outputting "the key is this", they output "this is the best key I found and it has probability .01 of being a better key than no key at all", and you run it again and again and again until one key in particular has popped out enough times that you're reasonably sure that it's actually the right key. You can use your best guess before then, but sometimes it won't work. The issue is, quantum computers are slow, because each run requires a pile of incredibly clean relativistic particles and making those takes a surprisingly long time.

[echoVanguard]

If it's easier to trick people with illusions if they don't have Photoshop Detectors implanted in their brains, that makes sense, but illusions of that sort aren't Hacking, they're just a thing that Hacker characters could tend to be extra good at.

That's, uh....that's kind of the point. Any action can be undertaken by a character with the appropriate equipment, but a specialized character can be much more effective with it. Anyone can shoot a gun, but a streetsam can hit a target that an untrained shooter would miss. Anyone can can use a commlink, but a hacker can get better data with it than the average luser. And anyone can aim a trid projector at the mark and fire it up, but a dedicated hacker would be able to stream data to the projector on the fly and create a devastatingly believable illusion. Consequently, if you've got an audio-visual neural scrambler, anybody could blast people with it, but a dedicated hacker could script up a zero-day pattern that even cybereye protections might not keep out. The only role protection that's a hard-stop, you-are-a-cat-and-cannot-use-this element in Shadowrun is magic, which isn't cyberpunk.

echo

[Pulsewidth]

There are basically no stories or institutions that are invalidated by having cryptography that can be broken, so long as that code breaking is neither instantaneous nor free.

I can think of only two solutions to force hackers to actually pay for software (important so nuyen cost means something to game balance).

1. Ubiquitous software as a service.
2. All software has to be heavily customized to the only unique part of the hardware it's running on - the hacker's brain.

Traditionally cyberpunk hackers run hacking tools on their own hardware, so I dislike the first option. There's also the problem that hacking tools are likely highly illegal, and only purchasable through anonymous communication channels. It doesn't feel right if those channels are fast and reliable enough for software as a service.

I can't imagine cyberpunk hackers giving anonymous criminals full details of their brain structure. The only way the second option can work is with secure fully homomorphic encryption, so people can buy customized software without revealing what it's customized for. The mathematics is already invented, but the CPU power required makes it impractical today. Not a problem in 2072.

For code breaking stories you have to target the systems that legitimately have the key, or will have the key in the future (eg. when it's taken out of its Faraday cage storage to be used).

And fully homomorphic encryption is just plain cool. It's too interesting as a storytelling device to fall to a global ban on all encryption except one time pads.

[kzt]

As usual, quantum computers are the answer. They exist, and they can break any crypto that isn't a one-time pad. However, quantum computers are probabilistic; instead of outputting "the key is this", they output "this is the best key I found and it has probability .01 of being a better key than no key at all", and you run it again and again and again until one key in particular has popped out enough times that you're reasonably sure that it's actually the right key. You can use your best guess before then, but sometimes it won't work. The issue is, quantum computers are slow, because each run requires a pile of incredibly clean relativistic particles and making those takes a surprisingly long time.

No, that isn't how they work.

For example, a quantum computer can, in theory and if composed of enough qbits, can simply directly factor huge prime numbers in fairly trivial amounts of time. The difficulty of factoring huge prime numbers is what makes RSA work. You can then verify that it works directly.

However the effect of a quantum computer on symmetric crypto is very different. It reduce the keyspace by half. So AES 128 becomes AES 64. And AES 64 is trivially solved by dedicated systems. This is really, really cool. Except that AES 256 becomes AES 128, which requires a very, very large amount of computation power and also releases 10^17 joules of waste heat to brute-force solve due to Shannon Entropy. So no, they are still pretty darn secure.

So the main threat of quantum computers is said to be against public key systems, like RSA, that depend on problems that can be effectively attacked by quantum computers. However it's said by mathematicians that there are various other public key systems that are not particularly vulnerable to a quantum computer attack. For example, it seems reasonable to assume the NSA's move to have Federal public keys based on Elliptic Curve systems instead of RSA for the semi-public (suite B) and the classified (suite A) data use has that sort of reasoning, but I certainly don't understand the math for this.

[Nath]

While the game can accept rigid structures that block cyberspace propagation in both directions for the same reason that it can accept walls being effective cover in fire fights, it cannot accept people divesting themselves of VR equipment in order to render themselves immune to hacking. For the same reason that it cannot accept people simply refusing to purchase a firearm to make themselves immune to bullets.

If you're a tech specialist and your opponents go the full cromagnan,, you should own them. To the same extent and for the same reason that a man with an assault rifle should be able to cut down considerable numbers of unarmored pacifists if they decide to do that.

Except an assault rifle cannot hit a target ten kilometers away. The battlefield is defined as the area within range of the weapons used. You can run away from firearms and leave the battlefield, or avoid entering it in the first place. Distance is as effective as a wall as a counter-measure that can make one temporarily immune to firearm. And, so to speak, there are plenty of walls and distance available in the world for anyone to use (unless the game played is rollerball). You can take an assault rifles and hunt pacifists around, it will take time to find them, or in other words, to enter the battlefield (even if, in that case, it rather means bringing the battlefield to them).

But it's another trope of the cyberpunk genre to have a global information network, where a hacker can find and hit targets from the other side of the Earth. If you introduce range limitation or plenty of "rigid structures that block cyberspace propagation", you're getting away from cyberpunk (though I think the occasional "off-line site" is necessary for some narratives, it needs to stay rare enough to stay true to the cyberpunk genre). If you don't, describing the cyberspace as a permanent and global battlefield of electronic and light pulse may sound cool, but I'm afraid you will bump into other balance issues if you want to avoid digital blades (another cyberpunk trope!) to fall into irrelevance instead.

[Vebyast]

No, that isn't how they work.

Guess I should have marked that more clearly as bullshit. The goal was to move the line for disbelief from "even i can enter a password on my zip file" to "just use elliptic curve cryptography", with subgoals of "more expensive equipment actually works faster" and "race against time". Sorry.

And, you know, given the setting, anybody that's actually in this situation just trades petabyte-scale one-time pads over sneakernet once every few years.

[kzt]

And, you know, given the setting, anybody that's actually in this situation just trades petabyte-scale one-time pads over sneakernet once every few years.

No, there are huge practical issues with OTP beyond the size of the keys and the need to exchange them securely. Not to underestimate that, as it's a problem that scales at N squared. Things like maintaining sync, error correction, spoofing and anti-spoofing. For example, if I can get you to use a OTP thinking you are talking to someone else, you'll have a really hard time talking to them when they send you a message using the OTP you burned.

[kzt]

There are a lot of cyberpunk stories that depend on it taking some amount of time to decode things. There are basically no stories or institutions that are invalidated by having cryptography that can be broken, so long as that code breaking is neither instantaneous nor free.

If the future version of PGP is essentially unbreakable, that's a hard nut kick to every "the bad guys have the file, it's only a matter of time before they crack it" scenario. Which let's face it, is every fucking story you want to tell involving Cryptography. From Skyfall on back.

If crypto is breakable in thousands of years or something stupid, you aren't even playing cyberpunk, you're playing cypherpunk. And then all your missions involve honey traps in Sweden.

Who the hell want to tell a story ABOUT cryptography? It just is what makes the network work. It's like wanting to tell a story about tires. They just are an enabling technology so you can have car chases.

Stupid story lines don't deserve plot protection. Those are dumb. They rely on everyone involved being a moron. If you feel need to encrypt a file you presumably have some vague idea about how important it is and understand how to ensure that an appropriately equipped adversary can't decrypt it within a few order of magnitude of "soon enough to matter" or you are an moron and shouldn't be allowed to handle anything sharp or hot. There are no other options.

Stories about people breaking into safes in building to steal crypto keys are worth telling, those are interesting. Stories that revolve about how many clustered GPUs you have, the thermal efficiency of your cooling, and whether anyone at the power company mentions the oversized power feed to your hideout to the DEA seem kind of hard to make interesting.

[Username17]

Stupid story lines don't deserve plot protection. Those are dumb.

Skyfall got a 92% positive rating at Rotten Tomatoes. You're fucking right stuff like that deserves plot protection, because those are the stories people actually like to tell!

Now normally, "appeal to popularity" is in fact a logical fallacy. But if the question is "what stories do people want to tell with their cooperative storytelling games", an appeal to popularity is very much germane. People genuinely like stories where the encrypted data was captured and now it is a "matter of time" before that data become unencrypted. That's cool. That's how things fucking work in the genre. That's how things fucking work in every example in the genre.

-Username17

[kzt]

So we should enable plot protection for Sparkly Vampires based on ticket sales? Perhaps we need to gut the game system so we can have PCs as talking clownfish since that got 99% positive rating?

[Username17]

So we should enable plot protection for Sparkly Vampires based on ticket sales? Perhaps we need to gut the game system so we can have PCs as talking clownfish since that got 99% positive rating?

If we were making a game about teenage angsty emo romance, then we should make room for vampires, because that is a driving part of the genre. It is not particularly a part of the cyberpunk genre.

Can you name a piece of cyberpunk where hackers cannot decrypt an encrypted file given time and resources? Just fucking one would do. Until you do that, you don't even have an argument and there is nothing to discuss.

-Username17

[Fuchs]

Having the group sneak into a corporate facility to steal a crypto-key is a better story than having the group waiting for the hacker to decrypt the file. Some stories are good for movies, but bad for a game.

[Desdan_Mervolam]

Having the group sneak into a corporate facility to steal a crypto-key is a better story than having the group waiting for the hacker to decrypt the file. Some stories are good for movies, but bad for a game.

Sure. But a better story than that is "The Corp knows we have their file, now we have to hold out long enough for our hacker to decrypt it". Also worth mentioning "Mr. Johnson said that his employers lost valuable data to a rival team of runners. They estimate that the data will be decrypted in another 36 hours and they MUST have that data back or destroyed before it is decrypted."