|
|
|
|
|
COMPUTER HACKING |
In the MetaCyber setting there are two basic
ways to "Hack" a computer that
collectively are referred to as "Cracking"
in a general sense:
|
- NEURAL INTERFACE LAYER: most Mindscapes
expose access to the underlying functionality
of the Computers they run on via Neural
Human Interfaces (NHI's) and / or Agents.
A person with a properly configured Computer
running specialized software (traditionally
called a Deck) can enter the virtual reality
of Mindscapes and take control of them in
various ways. While there are numerous limitations
to this method, there are also some major
pros. This is covered in detail in the Decking
document.
- PROGRAMMATIC INTERFACE LAYER: Computers
can communicate with each other via the
NET. While this has many legitimate and
beneficial uses, it also creates vulnerabilities
to malicious or unauthorized access via
the NET. Characters that have the Computer
Programming Skill and access to a Computer
connected to the NET can attempt to "Hack".
Hacking generally consists of three steps:
- Locate a specific Target Computer
- Penetrate Target Computer's Security
- Hack Target Computer
|
LOCATE TARGET COMPUTER |
A Hacker might already know the NET Address
of their target, but if not they can generally
use the Network Address Directory as described
previously to locate their target.
|
PENETRATE TARGET COMPUTER'S SECURITY |
This is the difficult part of almost all
Hacking endeavors; beating any security
software protecting the Target Computer,
preferably without setting off any alerts
in the process. |
This is generally an extended process and
there are many different techniques and
tricks. However, the success or failure
of the entire process resolves down to a
modified Computer Programming Skill Roll.
|
Of particular importance to the penetrate
process is what Role the Hacker is gaining
access as, which is referred to as Spoofing.
The Role they spoof will determine what
the Hacker can do on the Computer if they
succeed in penetrating its security. As
a defacto standard, there are generally
five Roles with ascending permissions in
general use in the MetaCyber settings, though
some Computers don't support all Roles.
|
- NET User *: Allows the usage of NEC
on the Computer via the NET.
- Local User: Allows limited usage
of productivity software on the Computer.
- Super User: Allows broad usage of
most software on the Computer.
- Local Admin: Allows effectively full
control of the Computer.
- Sys Admin: Allows effectively full
access to and control of all or most Computers
on the Target Computer's internal network.
|
* The NET User Role is generally not applicable
to Hacking, but is relevant to Decking: |
In some cases a Hacker has legitimate user
credentials for the Target Computer, in
which case they don't Spoof a Role, but
are limited to the Role of the user they
are logging in as. |
The following list indicates many different
modifiers relevant to penetrating a Computer's
security. The GM should simply add up all
applicable modifiers and apply them to the
Hacker's Computer Skill Roll to determine
if they succeed or fail at this task. The
GM also determines how long it takes to
make the attempt.
|
|
CIRCUMSTANCE |
MODIFIER |
Have A Valid Password
/ Credentials |
+4 |
Target Computer Is Unsecured |
+2 |
Hacked Target Computer
Previously (Undetected) |
+2 |
Have A True Backdoor |
+2 |
Target Computer Is Poorly
Secured |
+1 |
Hacked Similar Computers
Previously |
+1 |
Have Physical Access To
Target Computer |
+1 |
Target Computer Is Secured |
-0 |
Spoofing Local User |
-0 |
Have Remote Access To
Target Computer |
-1 |
Have Expired Password
/ Credentials |
-1 |
Spoofing Super User |
-1 |
Attempting To Conceal
Trace |
-2 |
Hacked Target Computer
Previously (Detected) |
-2 |
Target Computer Is Well
Secured |
-2 |
Have A False Backdoor |
-2 |
Spoofing Local Admin |
-2 |
Target Computer Is Very
Well Secured |
-4 |
Have Invalid Password
/ Credentials |
-4 |
Spoofing Sys Admin |
-4 |
Target Computer Is Extremely
Secured |
-6 |
Lack the Infiltration
Hacking Option |
-6 |
Target Computer Is Totally
Secured |
-8 |
Target Computer Is Nigh-Impossible
To Hack |
-10 |
|
|
|
|
HACK TARGET COMPUTER |
Once a Hacker has penetrated a Computer,
they can essentially do anything they want
to it up to the level of the Role they spoofed.
They can access any programs, data, or files
on the Computer accessible to their Role,
and even install programs from their own
Computer onto the Target Computer (assuming
they spoofed as a Local Admin or Sys Admin).
They can also usually shut down or reboot
the Computer, which kicks them off, but
brings the system down for at least a few
seconds if not longer. |
Depending on what a Hacker wants to do,
and circumstances involved, one or more
additional Computer Programming Skill Rolls
or other Skill Rolls will likely be necessary.
For instance if a Hacker wanted to access
a database from the Computer they have hacked,
familiarize themselves with the data model,
and write some queries to find data they
are interested in they would need to know
the Databasing subgroup of Computer Programming
and would need to know the query language
in use (usually LQS), and would have to
make one or more Skill Rolls to successfully
complete this task, depending on how granular
the GM wants to get. |
ALERTS |
The main trick to Hacking is of course not
getting caught. There are a number of ways
to set off alerts or leave traces of activity
behind, which give a bonus to the Computer
Programming or Security System Skill Rolls
of any software or people responsible for
monitoring or administrating the Computer.
Similarly, there are things a Hacker can
do to make it harder to detect them, which
result in penalties. In some cases a Hacker
is so clumsy or in over their head that
they set off immediate alarms. The following
chart summarizes the relevant modifiers. |
|
CIRCUMSTANCE |
MODIFIER |
Valid Password / Credentials
Used |
-2 |
Backdoor Used |
-2 |
Complementary Cryptology
Skill Roll Made |
-1 |
Complementary Security
Systems Skill Roll Made |
-1 |
Every point by which Computer
Programming Roll made |
-1 |
Every point by which Computer
Programming Roll failed |
+1 |
Every ten minutes of time
spent using the Target Computer |
+1 |
Local Admin spoofed |
+1 |
Secure Files accessed |
+1 |
Files deleted |
+1 |
Users added |
+1 |
Each Program installed
or deleted |
+1 |
Expired Password / Credentials
Used |
+1 |
False Backdoor Used |
+1 |
System Rebooted |
+1 |
Monitoring User Or Software
Has The Defense Hacking Option |
+1 |
System Shutdown |
+2 |
A Complementary Skill
Roll Was Failed |
+2 |
Sys Admin spoofed |
+2 |
|
|
|
|
The GM should add up all the modifiers and
consult the below Hacking Alert Results
chart for guidance on if a Hacker's activity
is discovered, and how quickly. |
|
TOTAL MODIFIER |
RESULT |
-5 or less |
Hacking goes undetected
for a while, perhaps forever. It is more
likely to be discovered by accident than
by any deliberate effort. |
-0 to -4 |
Hacking wont be detected
in the near term; it is likely to get noticed
during some kind of an audit process at
a later date. |
+1 to +4 |
Hacking is not immediately
noticed unless someone or a security program
is actively monitoring the Computer, but
will likely be noticed within the next few
days. |
+5 to +9 |
Hacking is not immediately
noticed unless someone or a security program
is actively monitoring the Computer, but
will likely be noticed within the day, perhaps
within the hour. |
+10 and higher |
Hacking is noticed immediately. |
|
|
|
|
|
OTHER USEFUL COMPUTER RELATED SKILLS |
There are a couple of other Skills with
a good deal of cross over with Computer
Programming that can be used as Complementary
Skill Rolls to various Computer Programming
tasks, and thus are mentioned here. |
CRYPTOGRAPHY |
The art and science of encrypting and decrypting
data can be very useful indeed to a Computer
Programmer. Many just use utilities on their
Computers to gain the practical benefits
of this discipline, while some Computer
Programmers are also knowledgeable and skilled
in their own right. Either way, Cryptography
has three main uses for a Computer Programmer: |
- Make Penetration of Target Computers easier
- Make Penetration of a Computer harder
- Encrypt and Decrypt Data
|
A Hacker can use Cryptography as a Complementary
Skill Roll to their Computer Programming
Skill Roll when Penetrating a Target Computer's
security. |
A Computer Programmer can use Cryptography
to make their own Computers more Secured
and therefore more difficult to Hack. Most
Computer Programmers take sufficient precautions
for their Computers to be at least Well
Secured, but the use of Cryptography can
improve this by one or more levels depending
on how successful their Skill usage is and
the GM's judgment |
Finally, Cryptography is used in the normal
fashion to encrypt and decrypt data, as
indicated by the Hero System Fifth Edition
Rulebook (or the Ultimate Skill if it is
available). This can be useful if data is
acquired from a Run that could be valuable
if its encryption can be cracked. |
SECURITY SYSTEMS |
Security Systems, typically with the Limitation
"Only For Computer Security; -1/2"
can be used for a few purposes in the context
of Computer Programming: |
- Make Penetration of Target Computers easier
- Make Penetration of a Computer harder
- Allow the use of computerized Security Systems
|
A Hacker can use Security Systems as a Complementary
Skill Roll to their Computer Programming
Skill Roll when Penetrating a Target Computer's
security. |
A Computer Programmer can use Security Systems
to make their own Computers more Secured
and therefore more difficult to Hack by
installing and configuring various security
software and following various safe practices.
Most Computer Programmers take sufficient
precautions for their Computers to be at
least Well Secured, but the use of Security
Systems can improve this by one or more
levels depending on how successful their
Skill usage is and the GM's judgment. |
A Hacker that has penetrated a Computer
that runs one or more Security programs
can use Security Systems to use and abuse
those programs. This could be very useful
for things like hacking into a Computer
that controls the video surveillance system
of a building and disabling or tricking
the system so that allies can infiltrate
that building undetected.
|
THE "NAD" AND COMPUTER PROGRAMMING |
There are millions of individual Terminals
and Computers connected to the NET in one
fashion or another, and further each of
them could potentially be identified via
many aliases or host many virtual "locations",
each of which have a unique address.
|
Obviously without some kind of order imposed,
it would be practically impossible to find
anything on the NET. Fortunately there is
an answer; the Network Address Directory,
aka the NAD, which is a list maintained
on hundreds of nodes world wide, which are
all refreshed frequently from a master list
maintained by CERN.
|
NADs have Neurally Enabled Content, accessible
from the NET with a number of different
sensorium effects to choose from based upon
user preference. However NADs can also receive
direct programmatic requests for information
and emit responses back, which is a feature
that exists to allow peer to peer and business
to business software to function, but is
also frequently used by programmers for
their own convenience. A simple utility
is needed for this, but all personal and
business computers can be assumed to have
it by default. |
Any character with the Computer Programming
Skill and access to a Computer connected
to the NET can make NAD requests as a Routine
Task to locate the addresses of Computers
on the NET or Terminals. However, this can
be detected which can be an unwanted outcome
if the request is for a less than upright
purpose. To use the NAD in this fashion
without leaving a trace is a Difficult Task
rather than a Routine Task. |
Some Computers are connected to the NET,
but their addresses are either unlisted
or more commonly are hidden behind multiple
aliases and redirects. An unlisted address
costs a lot of money and they are rare,
the purview of the mega wealthy or very
well connected (or both). Finding an unlisted
address is extremely difficult, and at any
rate the NAD is of no help in such an endeavor;
discovering an unlisted address is the sort
of thing that can serve as the goal for
multiple sessions and even story arcs. Finding
an obfuscated address on the other hand
is possible via the NAD with patience; it
is a Very Difficult Task and can take hours
or even days, and doing so stealthily imposes
a further -2 penalty. |
Though there are plenty of legitimate reasons
to need to resolve an address for specific
Computers or Terminals, for the most part
its likely to come up in a MetaCyber campaign
in the context of an intent to find a target
computer and Hack it. |
|