Machine and Man in Cyberpunk

[Username17]

A persistent, even fundamental trope of cyberpunk is the bluring of the borders between man and machine. Humans trade away their essential humanity in order to be upgraded as devices, the mind itself is found to be exploitable, upgradable, and interchangeable as a cog in a device. Man enters the machine through cyberspace, and machine enters man through cybernetics. The machine becomes the man through artificial intelligence and emergent properties, the man becomes the machine through soul crushing corporate life and the conquest of artifice over self.

And this trope, this extremely central trope is generally a sticking point in Cyberpunk games. It is to be blunt: Not done particularly well in Tabletop. There are some nice examples in computer games and even board games, but the delivery in tabletop RPGs has been very poor. And I would say that one of the major sticking points is just plain old Player Agency.

In a written story, the characters simply do whatever the author thinks is cool. They have no agency at all. In a computer game, the characters have only a few limited choices, and no real ability to act "outside the box". But in the tabletop RPG, the player can do pretty much anything. And since they are looking at the system actively looking for ways to exploit it and "win" (in character even, in the case of computer hackers), choices that make narrative sense but don't make mechanical sense get passed over. Something "sounding cool" to the author is very much not enough to get the players to use it.

And the results on cyberware choices are obvious and disappointing. No one is willing to trade some of their terribly limited humanity and money away to get awesome looking shark teeth. The results on Matrix rules are more pernicious but still terrible: no one has been able to make a set of computer hacking rules that are anything but hot garbage because it's really hard to do. The Hacker is someone who in character spends most of his time thinking about what are essentially the rules of the game and trying to break the setting through exploits in them. The core realities of the fact that the very nature of computer networks means that they can be expanded.



The problem here is that if it is at all important how many computers are being assigned to a problem, you can add one more. Or a hundred more. You just fucking can. That not only is topography abusable, but topology is as well. If people are able to crack your 256 bit key is cracked too quickly (say: 1 second), it's no problem at all to upgrade to a 65,536 bit key (cracked in over four minutes) or a 4,294,967,296 bit key for that matter (cracked in 195 days). If the enemy hacks through a gateway computer too quickly, just put in another five or 25 gateways. And this works on both ends. If your automated password finder is going to solve the password in 6 hours, why not split the work up to four machines and do it in an hour and a half? Or to 120 machines and get it done in 3 minutes? Both the Security and the Hacker can throw arbitrarily more processing power at any problem.

And it really doesn't help that in many cases, "Team Security" or "Team Hacker" (or both) is going to be played by a street kid who is siphoning power out of a leaky transformer to keep his batteries from running out and sometimes it is going to be played by a multi-trillion dollar global megacorporation that not only has unimaginably titanic resources, but literally produces the computers being used.

So in the story (or in a card game or computer game), you have this metaphorical wall that represents some access limiting protocol and the Hacker character uses his metaphorical jackhammer to tear a chunk of that wall down so that the character can enter the system. And that's cool imagery. And if you really had to, you could come up with some post hoc explanation that the jackhammer actually represented some sort of trojan that created a temporary backdoor that the character used to log in or some shit. And if you're writing Neuromancer or playing NetRunner, that is sufficient. There is no Player Agency in the computer topology of the world, there's just a description (and possibly a card) for the "wall" and the "hammer". But for a tabletop RPG, it is not. Because the players do not want hostile hackers to jackhammer through their walls, so if they can route traffic through a series of intermediaries to limit the effectiveness of temporary backdoors, they will do that.


How does this work? No one knows!

Which gets us to levels of abstraction. Basically, books and video games and card games work in this medium because they are extremely abstracted. You get some sort of setpiece about how there's a metaphorical wall or a metaphorical guard dog or something and then the Hacker uses some weird metaphor to metaphor themselves past it (or fail). To work in a tabletop role playing game, the stuff needs to be at least as abstracted.

Computer topography can't matter. Computer topology can't matter either. That's going to break peoples' brains, but the sad fact is that a table top role playing game cannot handle worrying about whether a connection is routed through a portable phone in Formosa or not. This may seem like kind of a surprising statement, considering that "I routed the traffic through a portable phone in Formosa" is like the 3rd most likely thing for a Cyberpunk genre hacker to say. But the fact remains that the game can't handle having that statement actually make any difference, because the hacker could jolly well have additional portable phones to route traffic through in Pakistan, Nigeria, and Kentucky and even if that was somehow fair we've already used up too much fucking table time.

The actual game actions need to start and stay very high concept and very abstract, with the details of things being filled in on the fly. The model should probably be Star Trek technobabble. One run you avoid detection by "rerouting traffic through an Icelandic server", and on another run you avoid detection by "spoofing the access ID of an off-duty employee", but it does not matter which you choose because the "Avoid Detection" test is the same regardless. And frankly, the cybernetic upgrades need to be the same. Whether we're playing ICE Cyberspace, Cyberpunk 2020, or Shadowrun, I am simply never going to spend my precious Empathy/Humanity/Essence on having cyberhorns, because horns are kind of stupid and there are much better options to spend that limited resource on (like blades on your arms). The only way "cool concepts" like cyber minotaurs and grafted sharkskin and shit are going to actually happen is to make the upgrades effects based and then let the player go off on their own pseudo-scientific rant about what the hell they did to their body to get those numbers.

-Username17

[rasmuswagner]

For fluff, you can talk about "adaptive subroutines", "agile resource allocation" and "heuristic signature scanning" - the short of the long being, doing more of the same shit doesn't work like it does in 2013, you need to do somehow better shit.

For example, say "DDOS doesn't work, because the target server can pull in effectively infinite distributed capacity in approximately zero time at zero cost".

Also, the rules should explicitly encourage the GM to say "Yeah, you failed your roll. How could your brilliantly planned hack fail? You tell me, fucker."

[kzt]

So we do HERO style "special effects" for "cyberware"? Presumably with some sort of bonus by the GM it it's sufficiently cool?

Yeah, really high level abstraction seems a rational solution for hacking. The other is really granular and detailed non-abstraction solution, but would also truly suck in play.

The trick is balancing the idea that people actually keep important stuff on computers connected to networks and the ability of people to steal this stuff. Banks don't usually install sliding glass doors on their bank vaults, which makes it hard for every bored teen with a rock or Mom's credit card with which to buy a hammer to steal a million bucks. In SR, well not so much.

[sabs]

One of the things that Shadowrun matrix rules from first edition and 4th edition taught me is that you really need those hacking rules to be non-technical.

It's just too easy to get caught in the technical trap, especially since many rpgers are also very tech savvy. The 4.0 Matrix rules tried to bring in botnets, and cell phone sized computers. From a computer geek standpoint, it makes sense. But when you start to actual work it out in a way that isn't a horrible mess of fidlly bonuses or thousand's of dice, it just doesn't work.

I wanted for a while to update the matrix rules to actualy take into account that every major corporation runs it's own operating system.
I wanted to be able to write a hack that gave me bonuses against computers running AresOS 3.0. But when you actually start trying to do that with the built in software writing rules, and everything else, it's just a nightmare of upkeep that doesn't really add the "fun" I was looking for.

It's always bothered me that the Shenghi Dragon Sword program... is just an attack 4. Yawn. But I honestly can't find a fun way to make the Shenghi Dragon sword, more or less cool than the Spray and Pray gun of hacking program.

They're both attack rating 4 programs, and that feels unsatisfying.

[Seerow]

It's always bothered me that the Shenghi Dragon Sword program... is just an attack 4. Yawn. But I honestly can't find a fun way to make the Shenghi Dragon sword, more or less cool than the Spray and Pray gun of hacking program.

They're both attack rating 4 programs, and that feels unsatisfying.

Didn't Unwired have optional program modifications that you could add onto your programs? I could see something along those lines working. Set it up something like Weapon/Vehicle customization, where you can choose to upgrade your programs, giving a little more diversity/uniqueness.



As an aside, while I don't mind reflavoring, I don't like the idea of Cyberware by default being purely effects based. It should definitely have some default appearance/way it works, and then the player can get something different if they want.

That said I don't even get how they would end up with some of Frank's examples. What the fuck cyberware-based bonus are you going to get that gives you Shark teeth, or turns you into a cyber-minotaur? (Or was the Cyber-Minotaur thing supposed to be an example of how having 1 limb = 1 cyberlimb gets abusive?).

Personally I'm much more comfortable with just saying "Cosmetic changes don't cost essence". Seriously shark teeth or neon-rainbow color changing hair is cool, and fits the genre, but those are things that don't need to cost essence mechanically, and what the fuck kinds of effects are you going to get that make those changes anyway?

[Whatever]

For certain characters, a bonus to various social skills could come in the form of shark teeth (perhaps alongside other "cosmetic" mods).

[Red_Rob]

Matrix runs should be much more abstract than they ever have been. The old way (Running a corp computer like a D&D dungeon with the IC as monsters and the decker's programs as magic spells and weapons) has a certain charm, but is just too much game time to devote to a 1 person activity. It should be handled more like Mages summoning a spirit. Make some choices, make some rolls, wham-bam and done.

I see a matrix run more like this: The decker chooses a goal from a smallish list, tweaks a few parameters, then the player and the GM make a few rolls each (about 10 rolls total tops) and the GM narrates what happened and how it ended up.

Really there are about 3 iconic scenes from cyberpunk literature and scenario design that deckers need to be able to pull off:
[*] The pre-run scout-out. Target: floorplans, security details, personnel schedules, anything to make the upcoming run easier. Risks: Increasing the alertness level of the target for a while, calling down heat, leaving a recognisable trace.
[*] Shutting down security on site. Target: Switching off cameras, turning off alarms, overriding security doors and scrambling drones. Preferrably this should be done on-site and mid-run to increase party cohesion and player investment. Risks: Alerting the target to the team, taking extra time to complete a task, physical damage from BLACK-IC.
[*] Extracting sensitive data. Target: Stealing important mcguffin files containing paydirt or mission target info. Preferrably this should be done on-site at the climax of a run whilst the rest of the party are trying to hold off security teams. Risks: Alerting the target to the teams position, Setting off logic bombs or auto-delete security measures, physical damage from BLACK-IC.

[Krusk]

I've been abstractly working on my own RPG with cyberpunk elements to it for a bit now, so I'll throw out my own thoughts. Maybe they will revolutionize the genre, or maybe they suck.

I'd like to get LESS abstract. Now obviously, we can't just literally bring in some networking gear and make the players do that, but I think thats not a bad jumping off point.

The main idea is basing hacking around "Actions". Each person gets an action (or 2 or 3 or whatever) a round and we do the hacking minigame just like we do the combat minigame. (The two probably can't happen at the same time. ) We have the GM draw out a high level Network Diagram using 3 types of Nodes.
1- Routers - These are the stuff between devices, and serve as what are basically switches and routers in todays modern networks. They pass traffic around, and are how the hacker/systems admin navigates.
2 - Firewalls - These are highly defensive "Things" with automated defenses the hackers need to break past. We can stat up a few different models, or come up with stats for them.
3 - Servers - These are the things that do "Things". Not actually servers as they are used in tech fields today, but close enough for the layman to talking about "Hacking servers" and sounding cool. An example for these would be "The email server" "The security Camera server" etc. Breaking into these lets you "Do stuff". Some stuff might be "Copy the files" or "Delete the file" or "disable the system"

The GM takes this and roughs out a map, we provide some generics in the back of the book, right next to the monsters/thugs pages.

So to actually hack, the hacker and the server admin have actions they can take. Those actions are used to either A - Move about the network or B - "Do Stuff". Doing stuff consists of the things that can be done in servers above, cybercombat, or maybe other stuff. Move about the network is the key part.

When "Jacked into the matrix" you can really only handle being in one device at a time. To move about them takes actions. With that in mind, the system admin doesn't want an infinatley big network, or he will never be able to get over to the "Camera server" to boot out the hacker who is messing with it. Even worse would be the hacker in camera server, and the hacker in email server. If the sys admin keeps those servers close he can quickly jump from one to the next. If he keeps them spread out, its harder for everyone to navigate to them, that means hackers, but it also means him.

PCs mapping the network - when a PC is in a device they have visibility into every device adjacent to it on the network. Every connection is instantly known. What you don't know, is what is 2 hops away. So the systems admin might have a map and know a better route.

So... our megacorp has the following set up.
http://www.gliffy.com/_ui/images/exampl ... _large.png

The main sysadmin may hang in what is labeled as the "Users Drive". His firewall alerts saying someone is trying to hack in, because the hacker failed his check. The hacker is able to get into "Hp switch white" though. The sys admin takes an action to move to "Gigabit switch" and this is done in secret to the player. The hacker sees 4 connections. 105.1 (the firewall), A switch cloud (that he would know an IP of, if we bother listing IPs with this system), "Gigabit switch", and 100.80 "Ecometry server". Knowing this is an eco-android factory (or someshit) he takes his action to jump into that.

The two of them play guess and check to bounce around looking for one another, and maybe the hacker gets a "Stealth not to announce where I am" and the sys admin gets a "What are they in" check. If/When they find one another, they have a couple rounds of cyber combat. If the hacker wins, he gets his data and jacks out. If the sys-admin wins he either forces the hacker out, or grabs his identity, or both.

Gear - The hacker PC can buy gear. We put some arbitrary limit on it, and it works like slots. some gear gives bonuses to cyber combat, some gives it to stealth, some lets you see 2 hops away. Gear is called "Programs" and live on your laptop. Depending on how expensive your laptop is, it can handle more/better programs. [insert fluff about how hacking programs are so system intense, your PC can't do much besides hacking].

Benefit = Multiple people can be hacking, and it can work like a dungeon crawl. In bigger dungeons they can even go through different firewalls, and share data with one another. "Oh hey, video servers are over here" and the players can draw it out together. Multiple sys-admins can also be running around, and the junior ones might suck. Do you fight them and waste time while the good one comes, or do you run and risk him getting lucky?

You could potentially do it real time, if you say the hacker has to be in the security camera server, or someone will notice and turn them back on. That could also be a pain to run.

Disadvantage - I can see people not caring about hacking, and playing smash bros while others do it. in an RPG where the intent is its as integral as combat that may not be a downside of the rules so much as playing the wrong rules.

[Krusk]

As for Mr Smith, you just say "No". Maybe some stuff about how putting mr smith/s on your network slows things down and end users complain. Most people only put like 3 tops, and even thats expensive/annoying.

Why don't PCs do this for their gear? Expensive, or maybe it makes their stuff bog down too.

[...You Lost Me]

Some stuff might be "Copy the files" or "Delete the file"...

[Grek]

The Shadowrun, "Go into virtual reality and virtually fight your way through a virtual dungeon" metaphor for cyber combat is really stupid and needs to go. Computers don't work that way, and there's no personal skill involved in smashing your botnet up against a corporate server, just a comparison of money spent vs. money spent. The way I see it, there's three GOOD hacking styles that you'd want rules for.

1. Brute Force Hack. This is you trying to run through all possible passwords with a bot net, sending an email with a trojan in it, tap their phone line or some other weak-sauce, low effort hacking attempt. Only works if the other guy doesn't know shit about computers and is really obvious to the target if you fail. On the plus side, this requires no prep time and you can do it to lots of people at once, if for some reason you cared to do that.

2. MacGuffin Program. This is you spending the weekend coding up some leet program that will give you admin access, the root password, a key-logger and control over the fire sprinkler system if it gets uploaded to the target server. All you have to do is get it there. You either con some employee into installing it using their legitimate access, or you make a run, Neuromancer style, to plug the program in yourself.

3. Physical Access. If you have physically stolen the computer that has the data on it, you can extract whatever data you wanted from it using futuristic techno-wizardry and induction scanners. This takes a long time if you don't have the passwords and requires that the computer be turned off while you do it, but it always works in the end.

[Foxwarrior]

Now that actually sounds like truth, Grek.

Don't forget things like Adobe Flash Viruses to get access to employee computers, or SQL injection. They require somewhat more finesse and care than the Brute Force hacks you mentioned, but they're still relying on mostly easily avoided vulnerabilities.

[Seerow]

The Shadowrun, "Go into virtual reality and virtually fight your way through a virtual dungeon" metaphor for cyber combat is really stupid and needs to go. Computers don't work that way, and there's no personal skill involved in smashing your botnet up against a corporate server, just a comparison of money spent vs. money spent. The way I see it, there's three GOOD hacking styles that you'd want rules for.

1. Brute Force Hack. This is you trying to run through all possible passwords with a bot net, sending an email with a trojan in it, tap their phone line or some other weak-sauce, low effort hacking attempt. Only works if the other guy doesn't know shit about computers and is really obvious to the target if you fail. On the plus side, this requires no prep time and you can do it to lots of people at once, if for some reason you cared to do that.

2. MacGuffin Program. This is you spending the weekend coding up some leet program that will give you admin access, the root password, a key-logger and control over the fire sprinkler system if it gets uploaded to the target server. All you have to do is get it there. You either con some employee into installing it using their legitimate access, or you make a run, Neuromancer style, to plug the program in yourself.

3. Physical Access. If you have physically stolen the computer that has the data on it, you can extract whatever data you wanted from it using futuristic techno-wizardry and induction scanners. This takes a long time if you don't have the passwords and requires that the computer be turned off while you do it, but it always works in the end.

This solution basically removes the hacker as an archtype in Shadowrun though. Seriously your three options are
1) An attack that nobody of importance will actually succumb to
2) An attack that comes about through things that have nothing to do with the hacker's skill
3) Something you do in your down time.

Given the choice between the dungeon-style cybercombat Krusk lays out, and what you describe, I'll go with Krusk all the way. Krusk's at least sounds like it could be sort of fun.

[fectin]

Well, routing through a hojillion other systems probably slows your connection down pretty bad, which makes you less good at brute forcing attacks. If that's a one-for-one tradeoff, hackers could just have a "network" pool, which they allocate to attack (a more direct connection to target systems gives you a much faster interface, but also gives them a faster interface) or defense (because bouncing your signal through the slow-ass proxy makes most attacks against you get a 408: Timeout, but most of your attacks also time out).
As long as there's a fair amount of hackery ambiently. there's an incentive to maintain at least some defense. You also get the trope where stupid hackers go bare-brained and get fried. Also, because hackers probably default to all defense when they aren't lancing, hacker defenses against hackers are probably stellar. I'm okay with that.

[kzt]

This solution basically removes the hacker as an archtype in Shadowrun though. Seriously your three options are
1) An attack that nobody of importance will actually succumb to
2) An attack that comes about through things that have nothing to do with the hacker's skill
3) Something you do in your down time.

#1 is the source of a crazy number of very highly successful attacks. A variation of this is a driveby attack on a watering hole, where you compromise a server outside the security perimeter of you target and wait for someone there to connect, at which point it installs a rootkit on everyone who connects. But not sure it's appropriate for a TTRPG.

There are literally hundreds if not thousands of people who get paid by the PRC goverment to do #2. It also often relies on #1. (See the extremely clever attack on the RSA Secure-ID one-time tokens, where the PRC goverment compromised EVERY Secure-ID token in the world.) It requires quite a lot of skill. But it's also slow and requires a lot of patience. Not ideal for a TTRPG.

#3 either is trivially successful (you run egrep against the mounted drive) or impossibly hard (You need 24 billion years to break the crypto.) There are not very many interesting cases that are not either of those. However the process of getting the machines is quite suitable for a TTRPG.

[Foxwarrior]

Downtime powers that you finish deploying at the perfect moment are very appropriate for a Heist TTRPG, kzt.

[Seerow]

This solution basically removes the hacker as an archtype in Shadowrun though. Seriously your three options are
1) An attack that nobody of importance will actually succumb to
2) An attack that comes about through things that have nothing to do with the hacker's skill
3) Something you do in your down time.

#1 is the source of a crazy number of very highly successful attacks. A variation of this is a driveby attack on a watering hole, where you compromise a server outside the security perimeter of you target and wait for someone there to connect, at which point it installs a rootkit on everyone who connects. But not sure it's appropriate for a TTRPG.

Read what he actually said.

1. Brute Force Hack. This is you trying to run through all possible passwords with a bot net, sending an email with a trojan in it, tap their phone line or some other weak-sauce, low effort hacking attempt. Only works if the other guy doesn't know shit about computers and is really obvious to the target if you fail. On the plus side, this requires no prep time and you can do it to lots of people at once, if for some reason you cared to do that.

You know what this doesn't apply to? Literally any person a shadow runner cares about. (At least any of them that use computers that you care about getting into)

There are literally hundreds if not thousands of people who get paid by the PRC goverment to do #2. It also often relies on #1. (See the extremely clever attack on the RSA Secure-ID one-time tokens, where the PRC goverment compromised EVERY Secure-ID token in the world.) It requires quite a lot of skill. But it's also slow and requires a lot of patience. Not ideal for a TTRPG.

Once again, read what he actually wrote:

2. MacGuffin Program. This is you spending the weekend coding up some leet program that will give you admin access, the root password, a key-logger and control over the fire sprinkler system if it gets uploaded to the target server. All you have to do is get it there. You either con some employee into installing it using their legitimate access, or you make a run, Neuromancer style, to plug the program in yourself.

Basically the hacker spends some down time crafting a one time use program. You then need to make a run, or pull a con, to make the program actually work. This is an NPC job, not one for a major player character Archtype. You even admit, this isn't ideal for a TTRPG.

#3 either is trivially successful (you run egrep against the mounted drive) or impossibly hard (You need 24 billion years to break the crypto.) There are not very many interesting cases that are not either of those. However the process of getting the machines is quite suitable for a TTRPG.

The process of getting machines, sure. But once again the actual hacker's job: Getting the data out, is an NPC's job. Or at best worth a few points in a secondary skill. Not appropriate for a major archtype.



Basically the three examples laid out make the hacker a guy who does some stuff in his downtime from home, because anything he can on site is inefficient, not likely to work, and will likely alert everyone nearby to his presence. This goes completely against the genre, and is not something I'd be remotely interested in.

[Grek]

This solution basically removes the hacker as an archtype in Shadowrun though. Seriously your three options are
1) An attack that nobody of importance will actually succumb to
2) An attack that comes about through things that have nothing to do with the hacker's skill
3) Something you do in your down time.

Given the choice between the dungeon-style cybercombat Krusk lays out, and what you describe, I'll go with Krusk all the way. Krusk's at least sounds like it could be sort of fun.

I disagree. Just because there are 3 basic network invasion methods doesn't mean that there are only 3 things that a Hacker can do or only 3 things the Hacker player is bringing to the table.

#1 gets you control over any and all low-security infrastructure nearby. Warehouse doors unlock for you. Vending machines break down when you need an excuse to pose as repairmen. Fire alarms stop calling the cops when you commit arson. Security cameras erase footage as you pass and report the location of police to you. Just because other hackers aren't going to be easily hacked doesn't mean that everyone in the world is going to pay out the ass to have an IT guy hack-proof everything they own.

#2 gets you control over secure systems during the mission. Either from the start, if you use social engineering to get the program installed before you get there, or for the second act of the mission, once you've broken in. Either way, this gives you everything from #1 and then some. Secure doors open for you, internal security logs disappear, the corp security stops getting updates on your position, you get to listen in on the enemy TacNet and GridGuide lets you steal the CEO's car on your way out.

#3 is there for groups that don't have a hacker player. They can take the black box to a fence and have him hack it for them. It's not especially interesting or detailed because it's something that only happens when nobody in the group wanted to play a hacker and, presumably, nobody in your group gives a shit about hacking.

E: The key here is that #1 is something you do in real time vs. an unprotected machine, but not against protected machines or people. #2 is something you prepare ahead of time, set off and then activate in real time against protected machines and people. In both cases, you need to bring the hacker along for the run so that he can make the computers do stuff for you during the run.

[kzt]

Read what he actually said.

1. Brute Force Hack. This is you trying to run through all possible passwords with a bot net, sending an email with a trojan in it, tap their phone line or some other weak-sauce, low effort hacking attempt. Only works if the other guy doesn't know shit about computers and is really obvious to the target if you fail. On the plus side, this requires no prep time and you can do it to lots of people at once, if for some reason you cared to do that.

You know what this doesn't apply to? Literally any person a shadow runner cares about. (At least any of them that use computers that you care about getting into)

I'm arguing the premise that you and he accept, so , yeah, I did read what he wrote and arguing that it's wrong. The fact that he and you describe it as obvious doesn't mean it IT IS obvious. It is not at all obvious if done correctly. The fact that this is in fact the most common approach used by PRC intel agencies to actually gain initial access to the networks they have compromised suggests it isn't at all obvious. RSA Security, which makes the most common one time security token used by government and major companies in addition to a whole range of other well respected security systems, is an extremely security conscious company. It was taken down by an email to a few carefully chosen people in HR entitled “2011 Recruitment Plan”, containing a file called 2011 Recruitment plan.xls

This was used to eventually own all of RSA and that provided the data used to break into the classified network of defenses contractors Northrop Grumman and L3 Communications. It actually could have been (and probably WAS used) to break into anyone using Secure-ID tokens. Does having arbitrary access to all of Ares data seem like a useful objective to a runner team? That is what this is roughly akin to.

Is it a a lot of fun for a TTRPG? Probably not if run in detail, but it most certainly is an attack that very important people and organizations WILL succumb to.

[Grek]

That's a textbook example of social engineering, kzt. You write up some code that gives you control of the other guy's system, then convince him that it's something else legitimate that they actually want to open. Then they open it and all their bases belong to you. And then you go to their bases and walk out with classified military secrets to give to the Chinese.

Mechanically, that's a #2 MacGuffin hack, not a brute force hack.

[Username17]

So we do HERO style "special effects" for "cyberware"? Presumably with some sort of bonus by the GM it it's sufficiently cool?

Yes. Because when you have specific devices the following happens:

• People don't take Dermal Armor because it sucks.
• You end up having to make excuses for why Aluminum Bone Lacing is less Essence intensive than Titanium Bone Lacing, and that doesn't make a lick of sense.
• There is a vast world of potential modifications that could increase a person's toughness from organ casing to induced fibrosis that will not in fact get used by anyone because there is only room for a couple local maximums of toughness enhancement.

Much better to have a "toughness enhancement" and then have a short paragraph of suggested systems. You could even have available downsides that you could check off to make the system cheaper. So rather than having two whole writeups for Orthoskin and Dermal Plating, you just pay less for your implanted armor system if it's "physically visible".

Yeah, really high level abstraction seems a rational solution for hacking. The other is really granular and detailed non-abstraction solution, but would also truly suck in play.

It's not just that it would suck in play. I mean, it would suck in play. But it also cannot work. Rather than go through Krusk's long tirade and point out all the many many failure points, let's skip to the failure point he already admitted:

As for Mr Smith, you just say "No". Maybe some stuff about how putting mr smith/s on your network slows things down and end users complain. Most people only put like 3 tops, and even thats expensive/annoying.

Why don't PCs do this for their gear? Expensive, or maybe it makes their stuff bog down too.

He has no fucking idea. His system is going to break wide open as soon as anyone figures out the hackastack, and his only solution is to ask the players nicely to please not break the game system. Which is pretty fucked, considering that "breaking the system" is what the character is actually attempting to do in character at that very moment. So you're asking the player to not only do things which are tactically weak, but literally and specifically out of character and nonsensical in order to keep the game world from imploding. That's terribad.

The trick is balancing the idea that people actually keep important stuff on computers connected to networks and the ability of people to steal this stuff. Banks don't usually install sliding glass doors on their bank vaults, which makes it hard for every bored teen with a rock or Mom's credit card with which to buy a hammer to steal a million bucks. In SR, well not so much.

The idea of just using theft or fraud to get money is quite a strain on most cyberpunk adventures. Many cyberpunk adventures are predicated on the idea that the characters are going to do quite stupid and dangerous things for really very small amounts of money. You were supposed to do Universal Brotherhood all the way through the commando raid against a hive full of xenomorphs for a couple grand. CP2020 gives out mission payments so low you're better off greyhawking the equipment of Solos you shoot.

Nevertheless, performing heists and identity theft is totally in-genre. The goal of the system should be to get the players to perform Monaco/Ocean's Eleven style heists without getting them to abandon all pretense of doing poorly paid street level detective work in order to steal money and retire to Caribbean islands. Ultimately that is probably more of a character problem than a rules problem though. While characters who at least claim to be motivated by purely mercenary concerns are a staple of the genre - they don't actually work well for serial adventures.

Still, I think you could do something with enforcement. The idea there would be that having more or spending than a certain amount of fraudulent electronic money would cause the T-men to crack down on you. So you can live off fake credit cards or whatever, but you have to live a low lifestyle like the Winchesters in Supernatural. And getting paid in money that isn't credit card fraud still has value.

-Username17

[Thymos]

Ok, I had a hard part getting through franks first post, because the beginning of it is so wrong.

AES 256 will probably last us into 2200. If you can brute force AES 256, then brute forcing 257 bit keys will take twice as long, 258 twice as that (4 times) etc... Essentially even if moores law continues to hold true adding 64 bits to a key will give us roughly 100 more years of security. It's also not trivial at all to add length to keys.

As far as tor goes, that works by using non standard routers and flagrantly violating internet protocol. It's "secure" the same way apple is secure, because no one bothers, and if someone did it's probably far less secure.

Using proxies is great and all, but seriously slows down your connection speed. Routing your connection through a phone in alaska will make a damn 56k dialup feel good about itself (you won't get anything done).

Now onto what's actually useful for a game.

The perfectly implemented secure crypto system is essentially unbreakable. Fortunately for our games crypto systems are never implemented correctly (even in the real world). Our hackers will be looking for exploits and sidechannel attacks (if you know what that is).

So here's basically how I imagine it should work:

If your use proxies, this makes detecting your location harder, but also makes it harder for you to hack due to slow speeds (and is handled easily with a negative to hack and a bonus to avoid them discovering where you are).

Script kiddying doesn't work usually because the exploits vary from system to system and you need a good hacker to see those exploits (and find out which ones are present).

The defense skill should be rolled ahead of time when setting up the system. Set up bonuses, caps and such that the bad programmer will always make something shitty, the good one will make something good, worse on a time crunch, etc.

There are should also be 3 aspects to maintain and attack.

1. Intrusion Defense - How hard it is to bypass firewalls and such to get in and have access.

2. Detection - How hard it is to bypass detection so that either people don't know you were ever in (very hard), or know that you are in at the moment (not as hard).

3. Robustness - Once your in how hard is it to shut the system down, or how well do they sandbox someone who does not have complete access (gaining complete access would involve bypassing this).

So let's define something called Access. This is something the hacker wants. They need to use exploits and such to gain access. This would be a roll against the systems intrusion defenses. Access is something you have or don't, and is always the first step. This represents bypassing firewalls, or obtaining the users password who doesn't have admin access.

If the attacker cares, they can add some difficulty to avoid detection. Avoid detection completely should be expensive, avoiding it at the moment not as much. If they are shutting down someone else gun then they wouldn't care about detection for example, as it would immediately be obvious in the real world.

Now the attacker has access. They would need to roll against robustness to gain either full control or shut the system down. Shutting the system down is far easier than gaining control (simply using an exploit to crash a computer is far easier than gaining admin access or, the hardest, control of the kernel). Robustness would also slow an attacker down in obtaining sensitive information. This allows in some degrees of success. If someone is using a drone to shoot at you, the hacker could either just shut it down, or try the harder task of turning it against it's controller.

Of course the rubber hose technique will always work (find someone who has access and beat them with a rubber hose till they give it to you). That's part of the game though.

Now onto turning off networking on certain devices. Sure you can do it, but there's usually a reason the device is networked in the first place. Make devices that the hacker may want to attack have reasons for being online, and penalties if they aren't.

[Username17]

Ok, I had a hard part getting through franks first post, because the beginning of it is so wrong.

AES 256 will probably last us into 2200. If you can brute force AES 256, then brute forcing 257 bit keys will take twice as long, 258 twice as that (4 times) etc... Essentially even if moores law continues to hold true adding 64 bits to a key will give us roughly 100 more years of security. It's also not trivial at all to add length to keys.

Oh for fuck's sake. This is why we can't have nice things. You are making assumptions about future cryptography that you have no business making. Yes, a brute force check on a 256 bit key requires you to check on the order of 10^77 possibilities. That is a lot. And a 266 bit key would be on the order of 10^80 possibilities, which is three orders of magnitude more. But if you were doing an evolutionary algorithm, you'd only need to run it 512 times to get a 256 bit key, and a 266 bit key would only bump up the requirements to running it 532 times.

The point is that even if you have something that works under those parameters, you can still run code breaking times up to ridiculous not-gonna-happen-in-game timeframes just by declaring that you are adding more layers. As soon as we bust out actual math penises, the numbers get really stupid and they get that way really fast.

The perfectly implemented secure crypto system is essentially unbreakable.

No. The perfectly implemented secure crypto system is actually unbreakable. Because it's not math, it's a one time pad. Which is actually unbreakable. That sort of thing is actually fine for games, because the "perfect" encryption actually requires a physical transfer of keys at some point, which leaves it open for rubber hose cryptanalysis.

-Username17

[Thymos]

Oh for fuck's sake. This is why we can't have nice things. You are making assumptions about future cryptography that you have no business making. Yes, a brute force check on a 256 bit key requires you to check on the order of 10^77 possibilities. That is a lot. And a 266 bit key would be on the order of 10^80 possibilities, which is three orders of magnitude more. But if you were doing an evolutionary algorithm, you'd only need to run it 512 times to get a 256 bit key, and a 266 bit key would only bump up the requirements to running it 532 times.

Eh, the only assumption I'm making that I didn't state is that we haven't found an effective crypt-analytic attack on the used algorithm (currently AES). I stated the assumption that moores law was continuing to hold true, although most people seem to think that our improvements will slow down, not speed up. Since my assumption is that crypt-analysis won't help us, this leaves brute force, which if moores law works my assumptions are holding true. Either way we agree that brute forcing isn't gonna do shit. This is good for the game, because it means grabbing a ton of computers is hardly more effective than just using your portable one you have with you on the mission.

So far DES has been out since 1977, and AES since 1998, and we haven't found any successful crypt-analytic (there is one against AES I guess, but it improves it so little that it's not worth mentioning, and might actually be slower than brute force) attack on either of those two. I'm not getting my hopes up.

No. The perfectly implemented secure crypto system is actually unbreakable. Because it's not math, it's a one time pad. Which is actually unbreakable. That sort of thing is actually fine for games, because the "perfect" encryption actually requires a physical transfer of keys at some point, which leaves it open for rubber hose cryptanalysis.

Well, I meant ones actually used over the internet, we both know that there are several prohibitive things about one time pads on the internet (also there isn't much of a system to one time pads, that's just the perfect technique). Of course moving the pad keys in a flash drive that is inaccessible by any network might make for an interesting plothook.

By essentially I meant that it was computationally infeasible to break.

Anyway, back to what it means for the game.

All this stuff means is that hackers in the game should use side-channel attacks. Which for the game is great. This means that in real time attackers can look at the surface of a system and try to find weaknesses. Sure they'll have scripts to exploit those (for some weaknesses), but the attacker still needs skill to find a way in.

This is why I suggested that 3 tier bit, and abstracting what weakness the player found. I have no idea what exploits there are in our current systems we haven't found, nor what exploits there are going to be in the future system.

Just leave those 3 basics, Intrusion, Detection, Robustness. Or basically getting in, hiding (optional), and difficulty once your in. How you get in and all is abstracted, since we cannot reasonably know what weaknesses there are (although it's almost guaranteed that they'll still see current weaknesses... dear god people are still being hacked using SQL injections). Same with the other two really.

[zeruslord]

Evolutionary algorithms are a real thing, but they won't work on any crypto system worth using, because changing a single bit of your guess at the key causes a large and unpredictable change in the output - that's the whole point. Generally cryptosystems aren't actually as hard to break as the simple math on the key length would claim, but that usually means that attacks are merely beyond national budgets for the foreseeable future rather than needing more mass and energy than is available in the solar system.

There's a couple things Grek's description of hacking is missing. The major one is that macguffin hacks aren't necessarily one-shot things: they exploit some set of vulnerabilities in the target system in order to do more than they should be allowed to. (usually this goes user-input data -> running code -> running code in the kernel -> doing the actual stuff you wanted). Until somebody figures out what you did and fixes the vulnerabilities, you can keep using the same exploit. Even after they find the bugs and write the patches, they have to convince all their users to update. As a result, macguffin-type hacks degrade over time: they start off able to break any system running the programs and OS they target, and then get progressively less useful as potential targets update their systems. In the end, they wind up as basically just extra tools in your type 1 hack toolbox.