At Spin Two Swords
How To Hack
The rules here are a compilation of the rules in Scoundrel, Agent, and Robot and regard an involved attempt to hack a system. This might be thought of as the “long hack”. A “short hack” involves making an Intrusion roll without all the complications of steps 1-3, this is discussed here. The basics of hacking involve making a computer or network think that the character is someone other than who they really are. The bad news is that computers aren’t particularly susceptible to disguise; the whole point is authentication. The good news is that once you are authenticated, it’s unlikely that the computer will suddenly decide to double check credentials. In fact, if the computer does ask for the password again, it will happily accept the same password over and over again.
Step 1: Setting Up A Defense: What did they do to set-up the defenses.
Step 2: Casing and Planning: What will the hacker have to do to get to the target.
Step 3: Gathering Information: What kind of things can the hacker do to make his job easier
Step 4: Intrusion: This is the actual hacking run
Step 5: Finding Information: You’re in. Find Stuff.
Step 6: Data Analysis: Having found a great deal of information to sift through, this is roll to find relevant stuff.
Step 1, Set Up Defenses
This is the part before the characters deal with the defenses. It will, in general, setup the DM for the hacking run which is, intentionally high (it’s intended to be the last roll of a skill chain). The most common form of defense is an anti-virus program, and the most common anti-virus program is the best. This is not true all around, but it is most certainly true of most systems the characters will likely want to hack (installations, starships, etc.). Anybody who is afraid of being hacked or concerned about their information if they get hacked will, most likely, have the best defenses.
A system’s defenses be further bolstered by hiring anti-hack defense agents (White Hat Hackers) who either set up the defenses, monitor the defenses, or both. A system that has been run by White Hats is that much more difficult to get into.
Defenses having been setup, offers a suggestion of what a hacker will have to do to get in to the system. It will likely seem a formidable task, which is why hackers need to do their homework before going in.
The basics of determining the difficult for the BIG computers roll at the Intrusion step comes from the DM associated with anti-Intrusion Software:
|Technology Level||Average (+0)||Difficult (–2)||Very Difficult (–4)||Formidable (–6)||Impossible (–8)|
|TL9||Everyone||Miscellaneous Public||Average Business/Home||Secure||—|
|TL12||Incompetent||Minimum||Miscellaneous Public||Average Business/Home||Secure|
This DM is modified negatively by TL as well. For every 2 TL differences between the Hacker’s Computer and the TL of the world housing the Computer System, the hacker suffers a further -1. Imperial Computers are considered TL 12 minimum, but get up to TL 14 for any secure imperial system.
Differences in culture also tend to modify the Hacking DM. If the computer network belongs to a race other than the hacker’s, the character is at -1 (Humanati, Aslan, Vargr, K’Kree), -2 (Droyn, Hiver), -3 (minor races).
If the people owning the system had a white hat test it, the hacker is likely to face an opposed check against another hacker as well (who will have to have gone through this process also).
The final DM is against what will hereafter be referred to as the BIG Computers roll. This is the roll that will inevitably have to be made at the intrusion stage to get into the system. Other modifiers besides the anti-Intrusion software still continue as the hacker rummages through the system, but the anti-intrusion software pretty much only occurs when the character creates a new account, changes their clearance, or otherwise attempts to gain access to a system in which they are not a member.
Step 2, Casing
Casing involves learning what the hacker is up against. What will the hacker need to do to get in and what are they likely to defeat once they get in. A hacker at this stage of the mission ought to make choices about what they will try to accomplish in order to get in. Will they be stealing someone else’s identity or producing another one out of thin air, for instance?
Generally, casing a hacker job is a 1-6 day task however it is performed. It will probably involve trial runs to learn what kind of defenses are out there, doing the leg work to talk about the system with people who work with it (or set it up, or who’ve tried to hack it previously). After casing the computer system, the hacker should probably know enough about how the system responds to things like creating new user accounts, how access is granted to accounts, the various echelons of security clearance, etc.
In terms of a task chain, casing adds to the task chain of Gathering Information or to the BIG computer roll in Intrustion, but not both. Each bonus to DM applies to one roll.
Example: Hacker Pete tries to find out what OS the mainframe is being used at Evilmegacorp by discussing terrible jobs at a bar near a regional data processing plant. Using Carouse+Social, he succeeds with a + 1 effect. Getting in good with the natives takes him 2 days. He decides to poke around the system and see how much he can get into without a login. This is Recon+Endurance (he’ll be up for hours and for days). He gets a another +1 effect. If Hacker Pete goes into the system now, he can use the +1 effect from one of these rolls on the big computers roll, he will have to make. If he decides to Set Up his hack with this modifier, he gets a +1 on two different rolls—both of which will add to the BIG Computers Roll.
Step 3, Gathering Information:
Now that the character knows what they’re up against, they can prepare for the mission. This is the preparation phase of the plan, especially the gathering of (or production of) relevant software.
All Gathering Information rolls have a cumulative effect of +1 to the Big Computer Roll per 5 effect gained during the Gathering Information stage. Alternatively, the hacker can take a single effect and apply it to a different specific roll at another stage. This latter possibility is especially important if something other than access will try the hacker’s skill (sifting through the information, for instance).
Gathering Information generally requires crawling through computer systems and catalogs, talking to users and hackers, and possibly even infiltration, grey ops, and black ops. Any of which will take between 1-6 hours and 1-6 days.
The problem of Information Implosion, described in Computer Futurekill, can play a large role in the gathering of information.
Step 4, Intrusion:
If a character doesn’t have a way of accessing a network at this point (a user account), they will need to create an identity in order to gain access. If they have an identity to use, it will have a specific clearance which may, or may not, allow the hacker access to the necessary information. In either case, he may have to find a way to change his level of access. Basically, step 4 is likely to be the end of the task ladder and it is likely to require an incredibly difficult roll, the BIG computers roll. If the hacker hasn’t done their homework, they’re likely to end up alerting someone. Failed Computer rolls during the Intrusion phase have a chance of alerting the system as per the Scoundrel book (p. 67).
Note: a major part of Intrusion are the ideas present in Computer Futurekill, especially the idea of clearance. Just because you’re in doesn’t mean that you have access to everything. And just because you can access the stream of camera1, doesn’t mean that you have the remote feed software to read camera1. A white hat might have figured out that retrotech or loyaltech systems are useful to keep people out.
Often Intrusion should require more than one computers roll. Because of the difficulty involved, however, it’s better to simplify this down to a single roll which puts the hacker in as a user. Any higher clearance than that will raise the DM by two per step up the network’s hierarchy. Changing identity may also require an additional roll even if performed at the same level. This is especially necessary for private or friend access as explained in Computer Futurekill.
Step 5, Find Information
Once in, the hacker can look around at any material or use any peripherals available as Public at that clearance level, or Private or Friend to the User’s account. The difficulty, under these conditions, is minimal. How hard is it to find files or types of information on your computer? Do a Find. Simple enough.
The result is, however, either daunting or disappointing. Either you get lots of information or you get none. Sifting through the wellspring (or figuring out why it isn’t flowing) is more often the problem with finding information than actually finding the information. After all, how many letters to the CEO do you really want to read to find out if he’s going on vacation next week.
Step 6, Data Analysis
Chances are the hacker has lots and lots of information to sift through. It isn’t that they have one file that mentions the target but many. Do they have time to sift through all this data or not. If not, what will they look at.