
Penalties to Computer Programming for trying to hack into a system


LoneWolf


I was wondering how big of a penalty people usually give on Computer Programming rolls to hack into a system. The books mention a penalty of -5 being reasonable, but to me this seems to be actually pretty low. It seems to me the penalty should be much higher. What you are really doing when you hack into a system is making a skill vs. skill roll against the person who set up the system. This got me thinking about what a decent network engineer would have in game terms.

 

I came up with the following skills for a good network engineer. He starts with a slightly above average INT, say a 13. For skills he has the following: Computer Programming 13-, Cryptography 12-, Security Systems 12-, Science Skill: Computer Science 12-, Science Skill: Mathematics 12-, and Professional Skill: Network Engineer 12-. All these should be complementary skills to the base Computer Programming. Assuming a roll of 11 for all skills, that gives him a base roll of 18- on Computer Programming. The base setup of a network probably takes around a week to complete. After it is set up he goes over it for about a year to give him an additional +3. That brings his roll up to a 21-. Again assuming a roll of 11, that would mean a -10 for someone trying to hack into the system.

 

The above number would be for a small company with a single dedicated engineer.  Most large companies would have a team of engineers.  Highly secure networks like most government networks would probably have very large teams of highly trained engineers. 

 

Does this look reasonable? 


First, gameplay perspective:

 

Do we want systems to be hack-able?  Assuming we do, the penalties have to achieve that objective. 

 

Mechanically:

 

-5 is the high end of “extremely difficult”.  It is the penalty for an Animal Handler to calm a charging guard dog, the Lockpicking penalty for using a hairpin instead of proper tools, shadowing someone through a flat desert, or stabilizing someone at the brink of death (paramedics on someone at -10 BOD – normal are already dead).

 

By setting the parameters for a good network engineer, I suggest you have also mandated any character envisioned to have hacking skills requiring all of the same skills, all of which will also be complementary for him.  That’s also an 18 point investment in skills (plus 3 in INT) when “character with PS: Plumbing might not understand the intricacies of water pressure and water flow friction, but he could fix a broken pipe and knows how to use plumbing tools. A character could (and often should) have a KS and a PS of the same subject to reflect both a theoretical and practical knowledge.”

 

If you are setting the criteria to work for a living at 18 points of skills, few PCs are qualified for many occupations, and Normals need a lot of sell-backs to have a decent-paying job.

 

The assumption that the company can pay this engineer a year’s salary for network security seems unlikely – that means he is doing nothing else but beefing up network security. How many companies make that kind of investment?

 

Drop that year to a month, and allow only one or two complementary skills, and that -5 is starting to look about right.


Possibly a better approach in addition to some penalties is to have other tasks required (you'll need to unplug that over there at the same time, you need to pull that drive out when I say go) and time limits.  It just takes a while to do the work and there's a guard patrolling outside, people will show up to work soon, the hot girl distracting the IT guy will lose his interest in a while if she won't commit, etc.


To come clean, I've worked in the computer security business (which is a large branch of computer programming). I've found that 9 times out of 10, people not in the computer security business don't want to hear all the security safeguards that can be put into place to protect a system with a link to the outside. What they want to see is what they see in movies, comics, and television. They just want to find the website for the police department, make a roll and voila, they are in or they are not.

 

The way I do it to prevent my friends from glazing their eyes over is just to ask them to make a roll and tell me how much they make it by. I then adjudicate how difficult it is compared to how much they made the roll by and describe them hacking the system without going into the details of hacking the system. If they say "made it by 3", I'll tell them it will take a while, but they think they can do it; it's just not going to be quick. If they roll a 3, I generally tell them they quickly scan the system, find a security vulnerability and have broken in immediately. If they fail, I'll tell them they feel they can't do it.

 

 


Actually, this is something that I'm using for a system that I'm designing, but that I think is totally workable with Hero. It was inspired by conversations here on non-combat skills and how often they get cheesed by way of "six rolls define this one phase of this one combat, while one roll often resolves, for good or ill, many other skills".

 

Find ways to break it into more than one roll. Further, if it's important to a character or NPC, find ways beyond the skill to define it, perhaps more specific specialties that are higher level than the general hacking skill. Bonuses for time, of course. Lastly, gear, even if that gear is a program, adds to this and to the suspense.

 

By making it a process against an unknown opponent, instead of a roll, with more than one element, suspense can be built. By defining different elements, some of which you, as GM, know must succeed to break into the system, and other rolls whose failure is only important if some other event occurs (but the players don't know this), they will wonder: does this obviously failed roll mean discovery? This other, mediocre roll, the one that appeared to succeed, did it, or am I being led along by someone into believing I succeeded in cracking the password, when actually everything I'm looking at is a trick?

 

By expanding it in a way that builds suspense, the droid trying to trick the system into opening the door and letting allies in faces as incremental and suspenseful a roll as the two allies trapped in the building with him, facing stiff odds so that he can get them help.

 

As an aside, I tend to view difficulty as more usable a concept for things that are environmental, including stress, but also including a slow connection in the case of hacking. Having the feeling of an actual opponent who you cannot touch has a value, though, if it is not a prepared session where I expected hacking, and does not represent a highly secure target, I would totally just go with difficulty. Otherwise, I might invent a few layers of security, some of it actually seeking to shut down the hero's system, and thus requiring responses.

 

That said, it's much more usable for either a well prepared session, or where the write-ups for the system being hacked and its tools and the hero's is all there. Otherwise, I'd keep it simple, but still probably not default to a single roll except for the simplest thing.


18 hours ago, dsatow said:

To come clean, I've worked in the computer security business (which is a large branch of computer programming). I've found that 9 times out of 10, people not in the computer security business don't want to hear all the security safeguards that can be put into place to protect a system with a link to the outside. What they want to see is what they see in movies, comics, and television. They just want to find the website for the police department, make a roll and voila, they are in or they are not.

 

The way I do it to prevent my friends from glazing their eyes over is just to ask them to make a roll and tell me how much they make it by. I then adjudicate how difficult it is compared to how much they made the roll by and describe them hacking the system without going into the details of hacking the system. If they say "made it by 3", I'll tell them it will take a while, but they think they can do it; it's just not going to be quick. If they roll a 3, I generally tell them they quickly scan the system, find a security vulnerability and have broken in immediately. If they fail, I'll tell them they feel they can't do it.

 

How is this different from a single Science roll providing a breakthrough, rather than going through step by step, or Paramedics dealing with blunt trauma, internal bleeding, extraction of foreign objects and treating shock, etc., etc.?

 

We could make any success/failure option more detailed, and we could also make "combat" an opposed roll of the "brawling", "fencing" or "gunfighting" skills.  It seems like this would be good fodder for APG3 - how to make detailed resolution systems for areas of focus in a specific game, and non-detailed resolution for areas not intended to be a focus.  A courtroom drama does not want a case resolved with one opposed PS: Litigator roll, but might be OK with an opposed Brawling roll to deal with a fistfight in the foyer.


I'm not quite sure what to address, so I'll address it from the points I think you are making. If not, clarify and I'll try to answer again.

 

Some gamers like the detail; it just depends on your group. For instance, there are gun geeks who want to simulate gunfu campaigns. They can get perturbed when you allow the wrong caliber in the wrong gun with no consequences. For example, a .45 ACP and a .45 Super round might be the same size and thus fit into the same gun, but the power of the rounds is significantly different. Another issue is bullets that are rated the same caliber and type (pistol) but cannot be shot from the same gun. However, if you aren't that into guns, you wouldn't care if you use one .45 round from one pistol in another. It just depends on your group. If you were doing a "Young Doctors in Love" campaign for a group of med students, you might want to have them use Paramedics for stabilizing a patient for each action (defibrillate, stop bleeding, compensate for shock, get blood pressure up, stabilize heart rate, etc.) and other skills for other parts (sorry, not a doctor, just watch the shows).

 

What I do (and I've seen others do) is a little bit different. It's similar to fudging a roll for the game without having to secretly roll and fudge it. It basically allows how successfully they make the skill roll to determine how well they complete the action without actually determining all the penalties. The player then knows, relative to their own skill, how well they did, and it is reflected back in the answer I give without my actually saying "you need to roll at -8".


On 3/25/2018 at 11:34 AM, LoneWolf said:

I was wondering how big of a penalty people usually give on Computer Programming rolls to hack into a system. The books mention a penalty of -5 being reasonable, but to me this seems to be actually pretty low. It seems to me the penalty should be much higher. What you are really doing when you hack into a system is making a skill vs. skill roll against the person who set up the system. This got me thinking about what a decent network engineer would have in game terms.

 

I came up with the following skills for a good network engineer. He starts with a slightly above average INT, say a 13. For skills he has the following: Computer Programming 13-, Cryptography 12-, Security Systems 12-, Science Skill: Computer Science 12-, Science Skill: Mathematics 12-, and Professional Skill: Network Engineer 12-. All these should be complementary skills to the base Computer Programming. Assuming a roll of 11 for all skills, that gives him a base roll of 18- on Computer Programming. The base setup of a network probably takes around a week to complete. After it is set up he goes over it for about a year to give him an additional +3. That brings his roll up to a 21-. Again assuming a roll of 11, that would mean a -10 for someone trying to hack into the system.

 

The above number would be for a small company with a single dedicated engineer.  Most large companies would have a team of engineers.  Highly secure networks like most government networks would probably have very large teams of highly trained engineers. 

 

Does this look reasonable? 

 

I don't think it's reasonable.

 

A skill roll of 11- is supposed to be competent in your profession.  You can make a living by performing the skill.  An 18- means you're one of the best people in history to ever perform the skill (page 43, 5th ed revised).  I don't think I'd allow five complementary skill rolls to boost a guy who is "pretty darn good" into "one of the best in history".  Also he's not spending that entire year fixing every possible weak point in the system.  He spends a week installing it and then the rest of the year screwing around looking at porn.

 

Also, you attack the easiest point of failure in a system.  I'm not a computer guy, but I do know how large corporations work.  The guy may design what he believes to be the perfect system.  But Bob from HR regularly checks his Facebook on the company computer system.  Bob has zero skills in computers, and he's always clicking on some link he shouldn't be clicking.  Plus, the CEO decides that the company needs to upgrade some random piece of software, and he wants your network engineer to make it happen.  Plus, things need to be backward compatible with the program the company used back in 1993, because you've still got a lot of old records stored on that system.  So make it happen!

 

As I was typing this, I got a call on my cell phone from an unknown number.  I answered with "Hello, this is (my name)".  It was just some recording telling me that I needed to call them because of my credit card information.  Of course, it wasn't my credit card company, it was somebody else.  I used to answer the phone with "Yes?"  But I don't anymore, because there have been reports of telemarketers recording you when you pick up, and if you say "yes" at any point, they insert that as an answer to a question letting them bill you.  Very shady, very crooked.  Also very likely to catch your company's least intelligent employee off guard.

 

You don't have to defeat Hacker McNerd's ideal computer security system, because regular normal folk are using the system and are basically inflicting massive skill roll penalties to his Computer Programming roll.


A couple thoughts:

 

  • Unless dealing with a group of coders, the steps needed to successfully hack a system don't need to be uber realistic; Hollywood gets away with this all the time.
  • That said, the suspense is not from "will I get past this firewall"; the suspense is from the need for whatever is in that system, how quickly it is needed, what the repercussions are for not attaining it, and what the repercussions are for getting caught trying to attain it. If those four are not things that have an effect on the action, then the entire skill and roll adds nothing to the excitement of the game, and can too easily become a GM exposition power paid for by the player.

 

Every round of combat contains the possibility of strong consequences, if every roll of a skill manages to lack the same, players won't enjoy that part of the game because there's zero suspense in that.

 

I also tend to view past successes on certain skill rolls as actual development of an item. If, using his Forensics skill and his Profiling and Criminal Psychology skill, Dark Detective has repeatedly had to study the crimes of the Deadly Mum, a mime who copies the crimes of others (technically a mimeograft), the developed profile is an actual item with an actual value based on the rolls (including failed rolls that lead to incorrect assumptions about the Deadly Mum). Mind you, he needs somewhere to store this profile, and it can be lost or even purposefully destroyed. The same could apply to dealing with a known hacker or system, and give advantages in that case, but, likewise, too often using such a profile might clue that hacker in to change their MO, reducing the bonus.

 

 


For games that have some focus on Tech, but not total focus (i.e. probably not playing Hackers Hero, but a more rounded Cyberpunk game), I broke it down into the following broad skills for flavor:

Programming - actually writing software

Phreaking - phone systems

Networking - all layers (physical and software)

Hacking - part programming, but mostly the actual act of digital B&E (basically a computer only version of Security Systems)

(this on top of Security Systems for physical security, and Electronics gets hardware done.)

 

It's not super detailed, but it gets the job done for gaming. I find it has just enough detail to emulate a small group of tech-savvy characters that each have a field of expertise.


In general, if you want to break up the skill in a hacking world, I would do this:

 

Keep computer programming as is and make it a general computer skill,

  • Computer Programming: The ability to compile code and operate OSs.  Your basic CIS degree.

 

Next create the following science skills:

  • Networking: Specializing in networking protocols and electronics.  Covering layers 1-5 in the networking model.
  • Computer Security: Specializing in known and esoteric vulnerabilities in computer systems as well as common computer security vectors.
  • Encryption: Specializing in encoding and decoding data.
  • Data Science: Specializing in accessing large and distributed databases and the ability to sift through that data.

Most people with a CIS degree could do the basics in any of these sciences given enough time and research. So I see these less as secondary skills and more as complementary skills. I would also increase the minimum amount of time to complete the task if you didn't have these skills.

  • If someone wanted to gain remote access to a secured system, you would take a -1 on your computer programming roll and another -1 to -5 depending on the level of security of the network.  It would also take probably an hour.  You would also need to take another roll at the same penalties to prevent trace back or identification of your actions.  If you have networking as a science skill, you can use that as a complementary skill to yourself and reduce the amount of time it takes by two levels on the time chart (from 1 hour to 5 minutes).
  • Once you have gained access to the server, you would need to get in if you don't have a user name and password.  Computer Security would allow you to identify vulnerabilities in the system to gain actual access to the OS as a user or root/admin.  The same penalties and time would apply.  Again, a second roll would be needed to prevent trace back or fingerprints from being discovered.  Computer security would also be used to evade black ice and honey pots.
  • Encryption - To be honest, in real life proper encryption can't be broken easily by a home PC like you see on TV/in movies. CIA/NSA use large clusters of systems working around the clock to break encryption. In movies it just seems to take hours. So the same roll penalties apply, but the minimum amount of time would be 1 day or 1 week without the science skill. Secondly, the user would not know if they failed, unless it was a spectacularly bad roll, until the minimum amount of time was completed. Again, having the science skill would reduce the amount of time by two levels on the time chart, to an hour or 5 hours.
  • Data Science - If you have heard about Google data or Facebook data in the news, you already know that the data on a single person can range from hundreds of MB to GB of straight text data. It was once said an entire encyclopedia could be put on a 1.4MB floppy disk, so if you multiply by multiple MB or GB, you can envision the amount of data that might be. Now, multiply it by the number of users and the amount of data you would have to scan through is staggering. Also note that the data on you, while retrievable, is based on keys (yes, you are a number) in the databases, so it isn't usually as easy as typing in a query like "What did Steve Long eat for dinner yesterday?" Data science people are adept at formulating searches through multiple databases at one time. They are also in the lead at machine learning, which teaches computers to look through that data for us (primitive AI). The modifier here would be the size of the database, and the minimum amount of time without Data Science would probably be at least 1 hour.

Again, my friends would be bored by this even if they worked in the industry (several of them do and would correct me for simplifying a lot of actions and penalty ranges). It would be easier and quicker for game flow to just ignore this and use dramatic license on the Computer Programming skill.


My take - broadening computer skills makes sense if they will be a heavy point of the game, as this will both enhance that aspect of the game (adding more options) and allow characters to be differentiated in this area.

 

Similarly, if you want to play Courtroom Drama Hero, "PS: Lawyer" won't be enough for a PC to be competent in the courtroom.   But if we are playing Champions, or Pulp Hero, where courtrooms and legal battles rarely enter into the picture, Daredevil can get by with PS: Lawyer, and be one of the Top Ten Litigators in the world if he buys it up to 16-. While he will need a much larger suite of legal skills to be even competitive in Courtroom Drama Hero, he can buy "Martial Artist: 16-" to get a Daredevil level mastery of HTH combat, since combat won't be the focus of our Courtroom Drama Hero games, so that should free up some points for his skills as a litigator, a criminal lawyer, and a lawyer in multiple legal systems.

 

But he still won't be too great in divorce court and may not be very knowledgeable of tax law.


  • 2 weeks later...

I would say that depends on two things:

The system being hacked

 

and

 

what you want to do with it.

 

Hacking is not a single activity:

There is social engineering to uncover the schema the system is based on so that one can develop the malware tools needed to break it. Furthermore, social engineering may be needed to guess the password of a user or to know which users to emulate.

 

Then there is the break in to the system which requires access.  This is the attempts to identify users and break their passwords.  For large companies and government this may mean that one has to first hack say a user's private email for clues to hack their work email, etc.  This may also require devices on lines to pick up the magnetic traffic being sent and/or decryption software to uncover what is being sent.

 

It also may mean that holes in the software and OS are exploited looking for places where even for a brief instant data is in the clear and not encrypted because of communication problems with the programs that transfer data or buffers that were overlooked in a security review.  A large hack may require all of this.

 

There is also a time aspect to this as the hacker may need to keep probing systems, uncovering people's identities and breaking in to covertly monitor just to find the user, an administrative account, that can perform the tasks he desires.  He may also need to do this in order to figure out the software in place and research how it works.  Not an easy task.

 

So it may be quite all right with a penalty of -5, but this may require several steps to get through to get what he wants, and even then this might take months of dedicated work. Then for every point above the required roll for a task, that timeframe can be reduced.

 

Complicated systems are probably not more secure because they are difficult to hack, because difficult to hack means difficult to use. Instead they are probably harder to hack because there are several redundancies and fail-safes that the hacker has to get through, requiring more time and more skill rolls.
