Machine and Man in Cyberpunk

[hyzmarca]

Social hacks, however, are the most effective. You'd be surprised how far you can get just calling up the IT department and asking for the admin password.

[sabs]

Social hacks, however, are the most effective. You'd be surprised how far you can get just calling up the IT department and asking for the admin password.

I call bullshit on that. I've worked in It for almost 20 years. That only works when there is no IT department, and you've got people trying to admin their own environments and screwing it up.

[Username17]

I'm going to respond to several proposals, but I'll cut down on the copypasta so that things don't get extremely long.

I've been abstractly working on my own RPG with cyberpunk elements to it for a bit now, so I'll throw out my own thoughts. Maybe they will revolutionize the genre, or maybe they suck.

I'd like to get LESS abstract. Now obviously, we can't just literally bring in some networking gear and make the players do that, but I think thats not a bad jumping off point.

As I hinted at earlier, I am openly contemptuous of your ability to make such a thing work. You hinted at your fundamental inability to even think of a rational limit that BotNetting could even have under such a scenario, and fell on the good old standby of just asking the players to pretty please be gentle while raping the setting or something. That is not going to work.

Fundamentally, you have to assume that the players are doing "a lot" of botnetting and are being frequency agile across "a lot" of frequencies while they throw down "a lot" of decoys. You simply can't avoid heavy abstraction here, because firstly you don't have the first fucking clue what "a lot" is going to mean in sixty years and secondly you don't have the table time to roll dice "a lot" of times to resolve any conflict.

We have the GM draw out a high level Network Diagram using 3 types of Nodes.

Fuck. No.

You are not going to draw out network diagrams. That is not going to happen. Those things are arbitrarily large, and players will in fact take advantage of that fact to route all their traffic through dozens of routers or some shit. And that will protect them from combat hacking, but at the cost of making everything in the game take dozens of die rolls to resolve and then everything is ashes and poop. That is not even remotely acceptable for anything. See: 1st edition Shadowrun Matrix.

The way I see it, there's three GOOD hacking styles that you'd want rules for.

As has already been complained about, your suggestion basically leaves little room for characters to actually do things in the adventure. And that sucks. It would be better for hacking in a game to be playable and tell cool stories while being deeply intellectually insulting than for it to pass muster as plausible with modern IT security specialists and theoretical mathematicians while being unplayable, boring, or incompatible with small team adventures.

While the existence of "MacGuffin Programs" that you need to take to the heart of the corporate server in order to affect some major changes is certainly a thing that should be supported (and has profound implications on how much you should be allowed to turn a major corporation's servers into your bitch without such a program), that can't be all there is. The hacker needs to be able to do things - useful things - during an actual honest to goodness dustup. Times when they don't have a year or even a week to do legwork and wait for someone somewhere to make a mistake. They are on a team with people who carry sub machine guns. The very minimum is that they get to pull Italian Job style hijinks and provide "support" during car chases and raids.

There are should also be 3 aspects to maintain and attack.

1. Intrusion Defense - How hard it is to bypass firewalls and such to get in and have access.

2. Detection - How hard it is to bypass detection so that either people don't know you were ever in (very hard), or know that you are in at the moment (not as hard).

3. Robustness - Once your in how hard is it to shut the system down, or how well do they sandbox someone who does not have complete access (gaining complete access would involve bypassing this).

That last one is gobbledygook that looks like it was Googletranslated from Korean. But I could provisionally get on board with that sort of thing.

Basically, as a Hacker, there are three things you do not want to happen:

• You do not want to fail to hack into the target.
• You do not want the target to know they are being hacked while you are doing it.
• You do not want the target to find out who or where you are/were when they find out about the hack.

That implies three basic parameters: your hack, your stealth, and your trail. A perfect hack would do whatever it was intended to do, not raise any alarms while it was being done, and leave no trail leading back to the hacker. It would be trivially easy to do such a thing with 3 rolls (either opposed or not), and I believe that you could plausibly and functionally do it in 2 (with trails being avoided by taking voluntary penalties on the other rolls). But the question of what happens if and when the target discovers that they have been (or are currently being) hacked is another question altogether. I think you might have been attempting to get at that with the "robustness" thing, but I can't tell because that bit appears to have been passed through a game of telephone played by Kazakh grade schoolers.

The thing is that people really do have some pretty weird options in Cyberpunk settings, and Red Rob touched on that nicely:

Really there are about 3 iconic scenes from cyberpunk literature and scenario design that deckers need to be able to pull off:
[*] The pre-run scout-out. Target: floorplans, security details, personnel schedules, anything to make the upcoming run easier. Risks: Increasing the alertness level of the target for a while, calling down heat, leaving a recognisable trace.
[*] Shutting down security on site. Target: Switching off cameras, turning off alarms, overriding security doors and scrambling drones. Preferrably this should be done on-site and mid-run to increase party cohesion and player investment. Risks: Alerting the target to the team, taking extra time to complete a task, physical damage from BLACK-IC.
[*] Extracting sensitive data. Target: Stealing important mcguffin files containing paydirt or mission target info. Preferrably this should be done on-site at the climax of a run whilst the rest of the party are trying to hold off security teams. Risks: Alerting the target to the teams position, Setting off logic bombs or auto-delete security measures, physical damage from BLACK-IC.

Basically, this could be better said by saying that the three things you need to be able to do are: Legwork before a run, Actions during a run, and Victory Conditions at the end of a run. Namely, that "break into the facility and [Hack That Thing]" is as viable a mission as "break into the facility and [Kill That Guy]", "break into the facility and [Take Pictures]", or "break into the facility and [Blow Up That Thing]".

But the point here is that the target of a hack has more choices than "try to ban your IP address", "change the passwords", "turn off the computer", or "send your login data to the FBI". They have Black ICE that can burn out the hacker's brain, and hit teams that can go to the house of the suspected hacker and shoot them in the face. This stuff isn't in there because it's logical or plausible, but because it is awesome.

And the rules need to be able to handle that Black ICE without devolving into Agent Smith Black Hammer Armies. And that requires the abstraction level to be pretty damn high.

-Username17

[Thymos]

I'm having an extremely hard time describing what I mean by robustness.

I picked that word because I can't think of anything else.

Even once you have access to a system there's a limit to how much you can affect. Chrome for example uses a sandbox so that the hacker can't escape it and do anything (theoretically).

Like I said earlier, crashing a computer using a bug is far easier than taking control. Robustness could also represent how long it takes to find sensitive data. Basically in game this could be used to represent degrees of success, or in the case of stealing information how long it will take (to get those time sensitive downloads movies love).

If you have a better choice of word than robustness, I would greatly appreciate that.

My suggestion is that once you have access an additional roll is needed to see all of what the hacker can do (take control of the drone vs. simply make it shut down), or how fast they can attempt their goal (how long it takes to find the opposing companies secret recipe).

I think if we choose to abstract, we should pick some goals of the hacker and set those to be the difficulties and things they have to roll, as opposed to trying to emulate how hacking actually works.

[kzt]

I think if we choose to abstract, we should pick some goals of the hacker and set those to be the difficulties and things they have to roll, as opposed to trying to emulate how hacking actually works.

Yes. There are real world attacks that you can't do in SR. Like when China "accidentally" rerouted most all the US Government traffic through their national ISP by "misconfiguring" their Border Gateway Protocol on their routers.

The idea of doing something like this in a game is cool, the idea of trying to actually do this in detail in a game is most definitely not. So doing a highly abstract system based on goals and skills/resources of the attacker/defender seems like a good idea in theory. Of course, everything works in Theory.

[echoVanguard]

robustness

I think what you're actually trying to describe is the degree to which the system is compromised. A fully-compromised system will give the attacker any asset at its disposal, up to and including configuration powers that can dramatically increase the attacker's threat level within the system. A good example is that a moderately-compromised machine might have sensitive files the attacker can download, but a fully-compromised machine might have its network QoS altered so that the attacker's downloads have top routing priority while abnormal IDS traffic is null-routed and any access logs pertaining to the attacker's session are wiped before being committed to disk. If you want a single word to describe this quality, you're probably out of luck unless you want to go with something like '0wnage'.

I also agree with Frank that you need abstraction to make Hacking work for exactly the reasons he specifies - Hollywood doesn't make movies about how hacking really works because it is boring. The more detail you add, the more dissonance you create and the more loopholes people can exploit.

That being said, a thing that often gets ignored in hacking situations in games is the idea of time-to-respond - if you hack a guy's car while he's chasing you, he doesn't have time to turn off his wireless or blacklist your IP because he'll be busy crashing into a bridge abutment at 90mph.

echo

[Username17]

My suggestion is that once you have access an additional roll is needed to see all of what the hacker can do (take control of the drone vs. simply make it shut down), or how fast they can attempt their goal (how long it takes to find the opposing companies secret recipe).

I could see something along those lines. Or equally possibly a roll that lets you "do stuff" as an action equivalent to physical world actions you might take. So perhaps you might "shut off the lights" in the same way as you might throw a smoke bomb.

Now the first way that could go shitty is by having too many rolls. If you have an opposed roll to dim the lights, a second opposed roll to avoid setting off an alarm and a third opposed roll to avoid leaving a data trail you're talking about the Hacker character generating six die rolls every time his action comes up before those actions force die rolls in the real world, which they will also do. This is the point at which you want to distribute dots of success between different piles off a single roll.

But the other way that could suck is with Matryoshka Doll systems. If successfully hacking into the outer server just lets you hack into the next layer of the onion, we're back to a level of fuckery up with which we shall not put. Hackers could be plausibly forced to make what is in essence the same test twelve or a hundred times just to get anywhere important. And while that sort of thing is not topologically implausible, it's way too much of a pain in the ass to actually do in a table top game.

-Username17

[Whatever]

In the news: http://www.nytimes.com/2013/05/10/nyreg ... hefts.html

Which is crazy stuff, but you'll note that from a gameplay perspective, the hacker(s) in question are essentially background detail. They did "computer stuff" and then gave the teams the signal to start loading up backpacks and suitcases full of cash. That heist is the sort of thing Shadowrun wants to capture the feel of, but clearly not by emulating the same mechanics.

[Seerow]

Now the first way that could go shitty is by having too many rolls. If you have an opposed roll to dim the lights, a second opposed roll to avoid setting off an alarm and a third opposed roll to avoid leaving a data trail you're talking about the Hacker character generating six die rolls every time his action comes up before those actions force die rolls in the real world, which they will also do. This is the point at which you want to distribute dots of success between different piles off a single roll.

Why not just make it two rolls?

Roll 1) Shut off the lights. This isn't an opposed roll, just a threshold. (Though some tasks may have an opposed roll here, whatever)
Roll 2) Escape notice. This is you avoiding setting off an alarm, and clearing your data trail. Something like threshold 2 keeps the alarm off, threshold 4 keeps the alarm off and you can't be traced back, threshold 6 does the same and also makes it so they can't detect someone was in their system at all. (Note: Numbers pulled out of my ass, and would probably be variable based on the defending system)

Consider it a parallel to a caster casting the spell. Step 1 is equivalent to casting the spell. Step 2 is equivalent to drain. Except if you don't succeed, rather than some non-lethal damage, you potentially trigger an alert.

Opposed tests only come into play when you have an active spider in the system trying to stop you. At that point, the escaping notice part has already failed, and you're into the cybercombat mini-game. This is the part that will typically draw stuff out, but the goal is in most cases this part doesn't actually come up. In the cases it does, an actual alarm has probably been triggered, so while the hacker is dealing with the spider, the rest of the group is dealing with RL security forces that have just been alerted.

[Thymos]

I think detection avoidance should apply a penalty, as opposed to another roll.

Also, I was thinking that once you have access, you have Access. You don't need to roll any more to gain access to other layers.

Robustness should just be one roll to achieve whatever you want once your in, because different actions have different difficulties. So each round when you want to do something different (shut off the lights, shut off security), you roll against the systems robustness once per action to achieve this, and apply difficulty modifiers to avoid detection to the different levels of detection you are trying to avoid (current detection vs. future detection).

Only once you are currently detected do opposed rolls start.

[Username17]

Consider it a parallel to a caster casting the spell. Step 1 is equivalent to casting the spell. Step 2 is equivalent to drain. Except if you don't succeed, rather than some non-lethal damage, you potentially trigger an alert.

I could see that. People trying to trace you would have their difficulties set by the worst stealth (drain) roll you made during the run. Once the alarm goes off for whatever reason, the stealth checks could do something else (poor rolls let the system log pertinent information about your methods or something), or at the very least they still run the risk of limboing down your trace difficulty.

Also, I was thinking that once you have access, you have Access. You don't need to roll any more to gain access to other layers.

I'm not sure that the granularity of having access or not is salvageable. I know, that's heresy, but hear me out.

Let's say we're discussing a bank. Obviously, we have a level of access for the tellers, and higher levels of access for the managers, and even those don't give you access to the bank's international trading profile, which is a connected but distinct thing. But while that's how it works for the bank employees, I think that's insufficiently abstract. Again, we're looking at things from the topological standpoint, and that gets really shitty, really fast.




The ATM is a different system from the teller's workstation. And both are different systems from the manager's computer or the loan officer's computer. And well they should be. But you don't want to worry about which systems the Hacker does and does not have access to on a round by round basis, because that would be a monstrous pain in the ass.

And more importantly, while you do actually kind of want hacking a bank to be a monstrous pain in the ass so that players will just go on the fucking adventures, the logic is much the same for mission areas that the players actually want to be in. I mean, why would the closed circuit cameras be on the same system as the fire extinguishers? And if they aren't, would you have to make a separate "Access Test" for each one? And if you do actually have to do that, doesn't putting the stuff on different systems make the installation way the crap more secure? And if it does, doesn't that encourage players to do that sort of thing with their own stuff, making hacking a monstrous pain in the ass for both the attacker and defender whether they are an NPC or a PC?

I just can't see keeping track of "hacked access" as being a thing that doesn't rest on an extremely slippery slope to draconic levels of butt hurt and fiddliness.

-Username17

[RadiantPhoenix]

In other words, realism isn't a very high design priority compared to, "not making the game an unplayable pain in the ass".

[Krusk]

Ill limit the quotes in my response too.

You are not going to draw out network diagrams. That is not going to happen. Those things are arbitrarily large, and players will in fact take advantage of that fact to route all their traffic through dozens of routers or some shit. And that will protect them from combat hacking, but at the cost of making everything in the game take dozens of die rolls to resolve and then everything is ashes and poop.

Why is drawing a basic diagram more work than drawing a floorplan to a hotel or dungeon under a castle? You aren't going to do the more complex aspects of a real world diagram, but you could certainly do 15-20 high concept "Nodes". Even if those nodes in the real world would be a ring of routers.

The way I envision my scenario working is very similar to a stealth minigame. We run in, hope we dont get seen. They try to see us. If they find us, we do a quick battle and thats the end.

If you make the network arbitrarily large, you won't be able to navigate it yourself in any quick manner. This lowers your response time in the event of a break in. You have a scale you need to balance. I have X people devoted to defense. They can each occupy 1 room/node. If I put a lot of empty rooms in there, my guys have to run through them to get anywhere useful. That lowers our response time. It also makes it harder to get anywhere useful for the hacker, so it increases his offense time.

As for Mr. Smith, you can say "it bogs down the PCs running it to run a mr smith". You can totally load 14 of them onto your laptop, but thats all it can do because laptops only have 14 slots. Buy another laptop? Sure, but that comes out of your money and being a shadowrun style game $=Power.

Real point - Why does a super abstract system handle Mr. Smiths better than mine?

*Also, in my scenario you can jump between devices with no checks, but to do anything in those devices you need a check.

**Social hacking - You don't ask the IT guy for the admin password. You tell the front desk lady you are with IT and need her password/her to log into something for you.

[Grek]

The way I see it, there's three GOOD hacking styles that you'd want rules for.

As has already been complained about, your suggestion basically leaves little room for characters to actually do things in the adventure. And that sucks. It would be better for hacking in a game to be playable and tell cool stories while being deeply intellectually insulting than for it to pass muster as plausible with modern IT security specialists and theoretical mathematicians while being unplayable, boring, or incompatible with small team adventures.

While the existence of "MacGuffin Programs" that you need to take to the heart of the corporate server in order to affect some major changes is certainly a thing that should be supported (and has profound implications on how much you should be allowed to turn a major corporation's servers into your bitch without such a program), that can't be all there is. The hacker needs to be able to do things - useful things - during an actual honest to goodness dustup. Times when they don't have a year or even a week to do legwork and wait for someone somewhere to make a mistake. They are on a team with people who carry sub machine guns. The very minimum is that they get to pull Italian Job style hijinks and provide "support" during car chases and raids.

That seems perfectly doable, to be honest. You'd just need to set it up so that the TN to hack cars and windows and televisions is low enough that you can do it without a special program. Which means writing up some fluff excuse for why cars are so easy to hack and yet people still trust their cars to drive without driving off a cliff, but that's not a problem. If you also give the hacker a gun of his own and the ability to pilot drones, I think you're on a very solid foundation for what a hacker character can do.

[TheFlatline]

I gotta agree with Frank's assessment that basing anything hacking off of real world is a fucking nightmare waiting to happen. I do this shit for a living, and it's boring as fuck and generally can be broken down into exploits, weak passwords, and social engineering. Period.

In a shadowrun setting, much of the sloppiness in today's hacking would realistically be solved by the application of agents that monitor what software and firmware is on your network, and security patches. Therefore, you have maybe 12 seconds between the time that the latest java exploit comes out and the agent patches every instance of java on the network. Boom done.

A "hollywood" abstracted approach seems to be the proper solution because if you allow too much granular detail, you get shit like my wireless sniper rifles that turn PANs on and off from 3 miles away using a pringles can, 10 minutes of programming, and a bluetooth transmitter.

While that's cool shit, you want to avoid all that granularity and create your own fucking network protocol rules. Ditch any relation we have to computers today, because your prediction of what things will be like in 70 years will be wrong, and your idea of "realistic" hacking is wrong to begin with. So don't even go there. Make a fun game system and drape it with the setting's logic.

My idea was cribbed sort of from Spycraft's chase system, which really was the only really smart thing to come out of the game.

I was figuring for an abstract model you determine each system either has a live defender or automated host. Automated hosts have a limited number of different types of actions, while a live defender has access to the entire gambit of hacking actions.

Each hacking action (virus, buffer overflow, etc) has a corresponding defensive action that it's really good against, and really shitty against, and vice versa. These represent dice pool modifiers if the hacker and defender pick up a "synergy" of effects. So your DDOS is particularly tough to Trace, but is weak against ReRoute. Against other stuff, it just runs default. You don't need many actions, just enough to get interesting. 5 or so on each side probably would be enough.

The two sides would roll, and winner gets net successes. Defender gets ties. You bank successes to gain control over the system, and different actions give you different "virtual successes" on top of that, good for that turn, to access certain parts of the system.

The hacker is trying to spend control hits to unlock doors, turn off cameras, gain higher access, crash the system, loot the file store, etc etc... Each of these has a different success cost, determined by first a hits table, and then modified by the hardening of the system, representing the resources spent creating infinite loops and high level encryption and shit. The hacker can also spend hits on dodging attacks, dropping traces, etc etc... He can also spend hits on attacking live defenders.

The defender, whether a human or an agent, is trying to harden the system, lock out access (ie: disable access to cameras entirely so you can't turn them off), boot the hacker off the system, run traces, and run stun/meat damage attacks.

Agents can't be knocked out- they have no stun track, but they're limited by their rating as to how many actions they can have loaded up. Live hackers risk their braincells to have the pantheon of attack tools loaded up.

You can have a whole line of equipment that gives each side dice pool modifiers, and contacts with Shadownet and it's ilk can give you bonuses that take the game narrative as zero day exploits, unencountered viruses, and passwords leeched through social engineering.

And because this is hollywood hacking and not trying to be realistic, it can take place during meat world turns. Hell with wireless your hacker can be *in* a firefight and still hack (albeit at a penalty).

The idea being a simple, quick intrusion should be easy for a hacker to achieve. Slice into the system and open a single door- easy, give me a round or two. PWNing a system however should be a cat & mouse game. Yeah sure rooting the network will basically give you the keys to the kingdom for the run, but the risk should be high, and you should balance immediate gain with long-term benefits. Should you do a short term hack and jack out, knowing that the defender keeps their control hits vs you starting over? Or do you stay jacked in throughout the run, struggling for control, but keeping any hard-won ground you've achieved?

That's an interesting game system to me, different enough from magic and gunplay to make it viable, with interesting decisions not hampered by how much someone understands real world tech.

[TheFlatline]

Here's another real world example of current technology and why basing your 2070 hacking system on today is terribad:

With virtualization, I can actually migrate a virtual machine from one hardware server to another- with zero downtime. In 10 years with bandwidth increasing, I can totally see a scenario where you start your hack on a server, you're detected, and the response is to send the server to a completely different data center somewhere else in the world, where you have no fucking clue where and have to start over again if you want to gain low-level access.

Or with delta-change files I could see in 2070's a situation where your intrusion is detected and someone turns on write-safe, where every single change you make to the system is analyzed (it's just a delta file after all), and is undone, in real time, by the underlying virtual server, which by default *cannot* actually accept communications from the VM up to the server because logically, the server and the VM have a massive chasm between them and logically aren't even in the same networks, even though the server and the machine are physically the same object.

Or how about stenography? That exists now. Imagine what 50 years of progress will do to it? The top secret files you need to steal? They're encrypted inside the CEO's iTunes collection, which you stream and listen to during the hack. And the file you actually download? It roots your device and turns on all your microphones and webcameras and sends copies of itself out to everyone on your contact list and then reports home everything you do. Then if you detect it and pull a fragment of it out, the rootkit frags itself to prevent analysis, but encrypts the barb of code that waits 3 weeks and re-downloads a copy of itself so that you're infected again.

This is all shit happening *now*. Basing your hacking system off of real world technology is, in my opinion, too granular. You'd need to dedicate the entire game to that, and there are computer games that do just that.

[Thymos]

I think you misunderstand access.

All I mean is that it's your foot in the door, robustness is what you do once your there.

So in the bank, moving from the joe shmoe teller to the CEO account? Robustness check. Moving from that to finance? Robustness.

Maybe it could break down into user or admin access, not sure.

So basically the idea is that systems like banks have nigh impossible to penetrate intrusion resistance. So your shadowrun team can bypass this by physically breaking into the bank and plugging their hacker into the mainframe, bypassing any intrusion checks and giving automatic access.

From there the hacker needs to check against robustness to see how long he needs to download the information/wire himself a million dollars.

Access means are you stuck at the password screen without, or able to transfer files to any (as in you can transfer to one of their computers, doesn't matter which) computer on their network with.

[Foxwarrior]

That's a strange way to structure a large company, Thymos. Getting hired as a joe shmoe teller lets you bypass the bank's strongest line of defense? Do they only hire brainwashed clones that they can trust completely or something?

[Thymos]

Actually bizarrely enough that's how someone actually attacked a bank.

They left a flashdrive with malware on it by the smoker area. One of them picked up the flash drive, put it in his computer to see what was on it and the malware uploaded itself to the computer and gave the attackers access.

Of course my example isn't even real or accurate in most senses. It's to help with a game. If you give companies high intrusion defenses it can give your character a good reason to go inside and still hack on a mission.

[Foxwarrior]

Yes, it's good to have people want to plug in directly sometimes, but being able to plug into any random computer makes it irrelevant: if you want to rob the bank in a wired way, you should really have to break into their server room or the CEO's office or something fancy like that, not just the nearest teller's computer.

[Red_Rob]

Having some rules for "social engineering" type hacking would be nice. Cyberpunk games always seem to get so hung up on the tech side of things they never give any suggestions for how to handle schmoozing an employee and stealing their ID card or sending a spoof email to the receptionist and getting their password.

[Ice9]

I think that we do want to support different levels of access (because having the CEO's key-dongle should be more valuable than having some random person's password), but not access to different specific systems (because there can be an unlimited number of those).

I suggest that access be rated by how well it's secured. So for example:
* Level 1: What most external users have. Large number of accounts, loose password requirements, actions not significantly monitored.
* Level 2: Basic employee access. Halfway reasonable security enforced, some monitoring of actions.
* Level 3: Important access. Need to login from a verified system, small enough number that security can monitor them all for suspicious activity.
* Level 4: Vital access. Need a physical dongle, verified system, and probably biometrics, checked heavily.

Then some actions require a certain access level, and one of the actions you can take is "Obtain next level of access". What level you start out at depends on how you entered the system: simple brute force attack? Level 1. Stole the CEO's laptop? Level 4.

Companies can't just set all their shit to access level 4, because that means the janitor needs to use a physical dongle and a long, frequently changed password to turn on the lights.

Note that this does not include "can only be accessed from inside the building." - that would be a separate factor, for things that are not at all connected to an external network. However, being in the building can be a factor that improves your access level (password gets you L2 when outside, L3 when inside, for example).

[rasmuswagner]

As for Mr. Smith, you can say "it bogs down the PCs running it to run a mr smith". You can totally load 14 of them onto your laptop, but thats all it can do because laptops only have 14 slots. Buy another laptop? Sure, but that comes out of your money and being a shadowrun style game $=Power.

Real point - Why does a super abstract system handle Mr. Smiths better than mine?

Now you're just being super-retarded. A laptop costs about the same as an assault rifle. If the street sam could buy 20 assault rifles, plug them together, and go into a run with 20 times the firepower, he would do so. If he could rent a tank gun and bring it with him, he would do that.

And that is what you're suggesting the hacker should be allowed to do.

[kzt]

Some general thoughts as to what the world has to look like to make this work:

Assumption 1: The people who run systems that PCs are after live in this environment, are not insane or retarded and get paid to keep the companies critical stuff safe and will stop being paid if they don't. So really important stuff is not accessible from your mother’s basement. Often the semi-important stuff isn’t accessible from off-site. It certainly isn’t accessible without successfully hacking the company, having super-google skills won’t help you find it lying around on the public network.

Assumption 2: Important people actually trust their computer network and hosts to keep their critical systems and money safe. As we’ll also assume them to have some idea as to how their secure stuff really is, it should be generally true that they are safe against most threats. It should therefore be impossible for a bored 12 year old to break into a bank or defense contractor due to having mom’s credit card. The average home toaster should be difficult to hack for anyone who isn’t an expert, much less an important corporate system. People who want to break into other people’s important computer systems need to hire experts like the PCs to do it, as it requires specialized skills and “stuff” that is not easily acquired. It’s like the skills and tools needed to accomplish covert or surreptitious nondestructive entry in the modern world.

Assumption 3: There is no huge well-known hacker networks producing effective pre-built attack tools for anyone to download or even to buy. It’s treated more like child porn is these days. No legal protection outside of use by “authorized” people. It exists and people trade tools and exploit, but with spectacular busts of entire networks occurring from time to time, while every PD runs occasional or constant undercover operations. Hackers need to know people who know people, would-be hackers who use goggle or craigslist will find an undercover police team a significant percentage of the time.

Assumption 4: Encryption works and is unbreakable when done correctly, but is meaningless for most hacks. If you actually are attacking an on-line computer system any access you get automatically includes the OS decrypting the relevant files for you. Nobody has a little black book full of 512 bit random hex strings they need to enter for every file, with every stinking powerpoint having a different random hex string. That is what the computers do really well, so that is what the OS does.

The only time encryption will cause issues is trying to do things like trying to physically steal an actual hardware computer system, a computer system’s backup, physically tapping communication lines, stealing someone’s authentication credentials over the air or similar. Essentially, if you are not hacking a running computer you might have issues. So electronic money still works fine, but if you successfully fully own a system you can simply read every file on the system.

Assumption 5: People actually back up important stuff, so you can’t steal “the only copy” of a file. If you blow up the entire data center with a nuke it is still very unlikely that any data was actually lost. (This is really my minor pet peeve - not a critical issue.)

[Red_Rob]

Assumption 3: There is no huge well-known hacker networks producing effective pre-built attack tools for anyone to download or even to buy. It’s treated more like child porn is these days. No legal protection outside of use by “authorized” people. It exists and people trade tools and exploit, but with spectacular busts of entire networks occurring from time to time, while every PD runs occasional or constant undercover operations. Hackers need to know people who know people, would-be hackers who use goggle or craigslist will find an undercover police team a significant percentage of the time.

Yeah, I don't know that this is emphasised enough in Cyberpunk RPG's. Hardware and software that allows you to crack corporate security should be horribly illegal in a culture where the corps basically write the laws. A cyberdeck with any kind of hacking program on it should be treated by the cops and the runners as more like having military grade hardware than a gaming computer. If you straight up couldn't really buy high quality programs and had to write your own it would provide a nice in-game reason for a hacker's abilities to get better as his skill levels increased.