Information Warfare Mechanics

[Strung Nether]

I was brainstorming some ideas to handle tactical-scale information warfare in future cyberpunk style universe. As far as I know, there don't seem to be many precedents for subsystems like this. Obviously handling sight angles of individual hacked street cameras and satellites is stupid, but determining what is a "good" way to go about it is harder to determine. It should obviously not be its own complete mini-game like shadowrun hacking. Having the designated hacker spend an hour to tell the rest of the party where the enemies are is a bad idea.

My current idea that I am calling a "overwatch" system. The basic premise is that there is a level of "overwatch" that you have in a certain area.

Level 1: you know when people enter or leave, and the general purpose of the arera.
Level 2: you know the location of individual people in the area, and have intermittent visual information on them. You know if a person is a guard or a scientist or whatever, and where he is right now well enough to hit him with a grenade.
Level 3: you have direct visual and auditory information on everyone in the area. you know who is out of ammo, who is holding a grenade, who is shot, who is speaking and what they are saying.

Locations will have modifiers to them, such as infrastructure and security. A poor infrastructure and good security will both limit your ability to obtain overwatch. You can deploy your own spy drones to grant yourself increased levels of overwatch, but doing so can telegraph your presence and intentions. During combat, you can spend turns reducing someone else levels of overwatch, or increasing your own.

"She shoots at you, then ducks back to reload armor piercing rounds into her carbine. She has two grenades on her belt and a simple tactical vest." is an example of the information overwatch would give you. The goals of this system are that improving your own overwatch or degrading someone else's is equally worth an action as trying to shoot someone in the face. Having better overwatch than your opponents would give you bonuses to things like "to hit" and stealth checks, on top of more information about generic things like which doors are locked and who is sleepy and not paying attention.

Does anyone have any experience with subsystems like this?

[Username17]

Between my work on official Shadowrun, the Ends of the Matrix, and my tinkering with Cyberpunk Fantasy Heartbreaker, there are probably no more than a handful of people on the planet who have thought about this problem as much or as deeply as I have. And I think you are mostly on the right track.

The basic contradiction you have to deal with is the 'realism' needs for cameras to not show what they can't see, and the 'playability' needs for the system to be resolved in a reasonable amount of time. Essentially, if you roll a single camera down the hallway, you can't see anything but the hallway or the narrative breaks suspension of disbelief; but you also can't have two cameras be resolved as one camera and then the other, because that is a slope into infinity mirror so slippery that it is essentially a cliff.

So the big thing you have to fight is the temptation to worry about individual networks or who owns what. In an ordinary mall you might be considering cameras provided by dozens of rival corporations and hundreds of private citizens wearing futuristic Google glass. Under no circumstances are you going to want each person's gear to defend itself separately. Firstly because that would make the mall scenario unplayable, and secondly because characters can infinitely compartmentalize their gear if that's what they want to do.

So basically what you want is for a non-opposed test that gives you a security threshold that you can draw los from, and then you get to draw los from everything in your range of that security threshold or less, regardless of owner. Then all the shit you have the pass codes to (presumably including your own stuff) counts as security zero for the purposes of whether you get los or not.

Opposition on the net needs to be active rather than passive. Because otherwise infinity mirror effects make hacking bog down if they are possible at all.

-Username17

[fectin]

Important part is establishing infowar effects that either directly effect objective or greatly increase your ability to effect objective. The first is much less boring than the second.

[ishy]

Is hacking in this example role-protected? Or can everyone do it though devices or whatever?

[virgil]

Something like this?

Overwatch (Analysis)
Type: D Range: L Time: CA (S)
Cameras and other sensor devices receive data, and before it's written onto its memory storage, this data is vulnerable to interception. If your net hits exceed the sensor's Matrix Stealth (only 1 hit is needed to see through a sensor which is not attempting to be stealthy), you can draw LoS from that sensor.
As your data will be coming in through an aggregate of sources within range, so you need to use Windowed Sensor Monitoring (-2 to dicepool).
Optimized Defense: Hardwired to Network

[Strung Nether]

I think my current idea, if I can communicate it well enough, meets those requirements. There are no different networks, only one thinly defined area such as "this block of apartments" or "this industrial warehouse" which might have different sub areas, such as "the secret basement" or "the CEO's office" which are considered independent of the area they are in in terms of oversight/security/infrastructure.

Security is a "soak" that you have to beat in order to obtain overwatch. You roll your "hack" skill(assuming a rng like shadowrun), subtract security, and your result is the level of overwatch that you have. No re-trys for awhile(hours?). The infrastructure limits your maximum overwatch. You can deploy spy drones to increase your overwatch by 1 but then people get a chance to spot you and identify your snooping(stealth check).

You can reduce someone else's overwatch buy making a hack attack against them, and they can do the same to you. Succeeding simply reduces their over-watch by 1, which is significant giving the lack of granularity in the levels.

This is about as abstracted as possible. It wouldn't be role protected, but people who specialize in it would obviously be rolling more dice.

[Seerow]

Security is a "soak" that you have to beat in order to obtain overwatch. You roll your "hack" skill(assuming a rng like shadowrun), subtract security, and your result is the level of overwatch that you have. No re-trys for awhile(hours?). The infrastructure limits your maximum overwatch. You can deploy spy drones to increase your overwatch by 1 but then people get a chance to spot you and identify your snooping(stealth check).

Honestly if you're going to make net successes = overwatch, you need some more granularity, because it will become laughably easy to gain 3 overwatch in an area.

[Username17]

Areas need to be defined by the overwatch range of the electronic warfare specialist doing the acting. If you divide things into zones based on what is actually in them it becomes intractable immediately when characters attempt to do things in malls. Consider how many different corporations are "doing stuff" in a typical shopping mall.

-Username17

[Whipstitch]

Honestly if you're going to make net successes = overwatch, you need some more granularity, because it will become laughably easy to gain 3 overwatch in an area.

You don't have to tie it to net successes, necessarily. You could restrict people to only going up one overwatch level per test and then make the likelihood of drawing attention on a failed 1->2 or 2->3 test worse than failing a 0->1 test. It'd mandate more rolls in some cases, but it'd be manageable if thresholds are set so that many amateur hackers will typically settle for level 1 or 2 overwatch in the first place.

[K]

The new Steam game Invisible Inc basically feels like what cyber-run-ish hacking should look like. I kind of think that the oldschool 80s cyberpunk with video game conventions should probably go away.

[Seerow]

Areas need to be defined by the overwatch range of the electronic warfare specialist doing the acting. If you divide things into zones based on what is actually in them it becomes intractable immediately when characters attempt to do things in malls. Consider how many different corporations are "doing stuff" in a typical shopping mall.

-Username17

So Overwatch being defined as a personal trait, an area around the Hacker, rather than a local one?

In that case how does it work when the Hacker moves around? Does it follow them? Or do you create an overwatch area that then stays in place regardless of where you go? In that case, how long does an overwatch last once established? Do you have to stay within the established perimiter, or can you have your Electronic Warfare specialist sneak in and establish overwatch days before the mission starts, and direct their team from home?

[RadiantPhoenix]

So Overwatch being defined as a personal trait, an area around the Hacker, rather than a local one?

In that case how does it work when the Hacker moves around? Does it follow them? Or do you create an overwatch area that then stays in place regardless of where you go? In that case, how long does an overwatch last once established? Do you have to stay within the established perimiter, or can you have your Electronic Warfare specialist sneak in and establish overwatch days before the mission starts, and direct their team from home?

You can keep it up until you stop maintaining it, or until an enemy hacker stops you.

The longer you keep it up, however, the more likely it is to be detected.

[TheFlatline]

Areas need to be defined by the overwatch range of the electronic warfare specialist doing the acting. If you divide things into zones based on what is actually in them it becomes intractable immediately when characters attempt to do things in malls. Consider how many different corporations are "doing stuff" in a typical shopping mall.

-Username17

So Overwatch being defined as a personal trait, an area around the Hacker, rather than a local one?

In that case how does it work when the Hacker moves around? Does it follow them? Or do you create an overwatch area that then stays in place regardless of where you go? In that case, how long does an overwatch last once established? Do you have to stay within the established perimiter, or can you have your Electronic Warfare specialist sneak in and establish overwatch days before the mission starts, and direct their team from home?

From what Frank was saying, it seemed like you established a perimeter around the hacker and a "hack value", that if it overcame the area's security rating you could use any point in that radius as your line of sight.

Or something like that I"m multitasking and may be missing something.

[Foxwarrior]

Well, of course if you're doing something with a large area of effect that targets fifty different things, you shouldn't be using a separate dicepool-based roll for each target. That would be dumb. Nobody would seriously suggest that, except the Shadowrun people, and it's pretty clear they're not the guys to go to for fast resolution.

That doesn't mean you have to go so very abstract though. It's entirely possible to hack five cameras and still know where each one is located.

[virgil]

Nobody would seriously suggest that, except the Shadowrun people, and it's pretty clear they're not the guys to go to for fast resolution.

I have not seen a single person suggest this, including major Shadowrun nerds, so I'm curious as to where this is coming from.

[Foxwarrior]

No, I got the impression that Frank was feeling all clever by not suggesting it.

[Username17]

Well, of course if you're doing something with a large area of effect that targets fifty different things, you shouldn't be using a separate dicepool-based roll for each target. That would be dumb. Nobody would seriously suggest that, except the Shadowrun people, and it's pretty clear they're not the guys to go to for fast resolution.

That doesn't mean you have to go so very abstract though. It's entirely possible to hack five cameras and still know where each one is located.

Everything about this post is stupid and wrong, including especially the person who wrote it. Whether you're using a dice pool or not is completely irrelevant, any resolution system that rolls or calculates anything for every camera in an area is unacceptable. And that further means that it is unacceptable to calculate or roll anything for every 'set' of cameras - in far too many instances the number of sets is going to be just as intractably large as the number of literal cameras.

As of last year, there is a security camera for every 11 people in the UK, and it's rising fast, and they are disproportionately located in places where cyberpunk protagonists would want to acquire intelligence and erase evidence of their crimes. Further, the cyberpunk future literally has more personal recording devices (such as smart phones and camera shades) than it has people.

Not only is hacking five cameras one at a time with any resolution system imaginable too much table time for that action, but once you've done that you're still less than one percent finished hacking the locally relevant recording devices in a populated commercial center.

There are times when you care about the location of individual cameras, and you need to be able to have your system care where cameras are, but most of the time you won't. Because frankly, mostly you're going to be doing a Dark Knight 2 thing where you receive a bunch of aggregate data from phones and cameras and satellite images and whatever and have a real time 3d map.

That's why this sort of thing has to be all about the guy doing it. The hacker's range and the hacker's hack strength, with everything in range being subverted if it is below the security threshold of the hack. You can't do an action resolution per device because there are several orders of magnitude too many devices. Subversion has to function like jamming, because there are so many fucking devices in the future that no other system is possible.

-Username17

[Foxwarrior]

Thank you, it is only fair for you to respond in kind.

Yes, actually I caught that you were aiming for the Dark Knight 2 thing the first time, but I'm not entirely convinced that the capstone of a batman movie should be the basic spying technique for hackers.

Although I suppose it's a fair point that if you're aiming for a game about committing robberies and not getting caught, you'd need an aura of camera-blocking in order for camera-blocking to even matter. Good on ya for realizing that. Alternative solutions like the Ugly Shirt do also exist, just so you know.

[Username17]

The ugly shirt (and its associated techniques to block non-visual biometrics like the hot pocket and the dance mix) are just slightly more elaborate versions of dropout. First of all, they aren't really a thing for computer specialists to do, and secondly they don't really stop you from being investigated - just keep you from being detected by person recognition software. If you commit a crime while wearing an ugly shirt, the fuzz still gets a picture of your face. The only thing it helps is to keep the alert level from going up when you walk in the building - but if you weren't already in n a terror watch list you wouldn't anyway.

But the bottom line is that the goal is to make the computer specialist a viable role - and fucking around with individual devices is incompatible with that. Both from a character effectiveness and a resolution speed standpoint. The other players don't have time to listen to you declare an action for every recording device in every stall in the food court, and the character would be a mechanical cripple if he had to do that.

-Username17

[Foxwarrior]

So, just spying with two recording devices at a time is intolerable?

[Omegonthesane]

The ugly shirt (and its associated techniques to block non-visual biometrics like the hot pocket and the dance mix) are just slightly more elaborate versions of dropout.

I am not familiar with these terms. Technically I'm not familiar with the ugly shirt either, but that one's a lot more self-explanatory.

[Username17]

The ugly shirt (and its associated techniques to block non-visual biometrics like the hot pocket and the dance mix) are just slightly more elaborate versions of dropout.

I am not familiar with these terms. Technically I'm not familiar with the ugly shirt either, but that one's a lot more self-explanatory.

The basic idea in all cases is that in order for a computer algorithm to identify you it must first successfully determine where 'you' begin and end. So if you wear a shirt of sufficiently broken pattern, the computer will be unable to resolve a human shape and thus be unable to tag where the face is. No tagged human face means no matches against whatever database it's using.

Similarly, if you put some ir sources around (like some hot rocks in your pockets), then you won't conform to the infrared signature of a human and won't trigger an id check. And if you have some bass heavy techno noise pumping out of an iPod you won't be identified by microphones looking for heartbeats.

The core issue is that automatic identification systems don't report that Kurt Kobain is wandering around all over the city when Nirvana shirts are on sale at hot topic, nor do they waste processor cycles attempting to look up every book cover as a license plate. Context is important, and if you don't adhere to the assumed contexts, the computer won't know how to look you up.

The limitations should be obvious. If an actual person views the tape, they can designate you for lookup, and then you'll be identified if you're in the system. So it adds minutes or hours to the time it takes for you to get recognized. Sometimes that's enough if you simply want to avoid scrutiny until you've boarded a train or something. But it's really no substitute for having someone spoof cameras.

-Username17

[Omegonthesane]

The ugly shirt (and its associated techniques to block non-visual biometrics like the hot pocket and the dance mix) are just slightly more elaborate versions of dropout.

I am not familiar with these terms. Technically I'm not familiar with the ugly shirt either, but that one's a lot more self-explanatory.

The basic idea in all cases is that in order for a computer algorithm to identify you it must first successfully determine where 'you' begin and end. So if you wear a shirt of sufficiently broken pattern, the computer will be unable to resolve a human shape and thus be unable to tag where the face is. No tagged human face means no matches against whatever database it's using.

Similarly, if you put some ir sources around (like some hot rocks in your pockets), then you won't conform to the infrared signature of a human and won't trigger an id check. And if you have some bass heavy techno noise pumping out of an iPod you won't be identified by microphones looking for heartbeats.

The core issue is that automatic identification systems don't report that Kurt Kobain is wandering around all over the city when Nirvana shirts are on sale at hot topic, nor do they waste processor cycles attempting to look up every book cover as a license plate. Context is important, and if you don't adhere to the assumed contexts, the computer won't know how to look you up.

The limitations should be obvious. If an actual person views the tape, they can designate you for lookup, and then you'll be identified if you're in the system. So it adds minutes or hours to the time it takes for you to get recognized. Sometimes that's enough if you simply want to avoid scrutiny until you've boarded a train or something. But it's really no substitute for having someone spoof cameras.

-Username17

In which case I stand corrected on the ugly shirt - I thought that was the rather less tech dependent tactic of wearing an extremely distinctive item like clown pants or a pink wig so that people remember the extremely distinctive feature and have difficulty recognising you after you ditch it.

[Blade]

That talk of ugly shirt and other techniques just underline something important when designing a system for games about security/counter-security.

Security measures and counter-measures keep changing and updating. Going into the details of which techniques to use and how to counter them is likely to lead the table into a not really interesting arms race (unless the players are actually into this).

In the end the best way is either to have a fixed set of measures and counter-measures and to ban anything else, or to have an abstract system where your "security" and "counter-security" rolls can be anything and will only be explained when/if interesting.

The first one is ok if you design something completely new where you can arbitrarily say "this is possible" and "this isn't". In other cases, players will wonder why "they can't simply x to counter y" and that won't feel satisfactory.

I prefer the second one. You roll security/counter-security and then you either handwave it, or you make an explanation on the fly without having to worry about the implications since it's just a fluff explanation for this one-time success/failure.

[Username17]

Yeah, shit like the ugly shirt isn't really something you can build into the game. It's at best fluff that explains why characters can bypass passive security systems that they know about.

Putting on a dance mix necklace will prevent an acoustic biometric alarm from identifying you as an intruder, but it will also cause you to be tagged as an anomaly by a motion sensor array. But you can spoof a motion sensor by wearing a lampshade and curtain. And so on.

If you know what the passive defenses are, there are a number of 'weird tricks' that will keep them from doing their job during your mission. But that should probably be resolved with a skill roll and some improvised storytelling. And I still don't see how Foxwarrior thinks this is a replacement for the 'computer guy' archetype in cyberpunk cooperative storytelling.

-Username17