The faster you type, the better at hacking you are

Also no matter what you're hacking, the screen will go all Black and green like the matrix

I should Know- I hack several internets each day so I can blow up cars remotely.

I'm trying to start up a Shadowrun/80's cyberpunk that involves hackers. I don't think it helps you since it's retro-future. The kind with jack ports in the skull that connect to computers and you go to cyberspace.

Modern hackers are probably folks who can get into code. Everything on the internet everywhere is made of code, so I think you'd want it to be people who know how to crack to code, or crack the algorithm TO the code.
Or alternatively, finding loopholes in the system to take direct control by just hitting the right links.

>>14167674
if it's true that the FBI monitors 4chan, then some dude probably just had a heart attack at his desk

Make a computer skill that doubles for 'hacking'.

Set a DC for whatever it is the player is trying to do.

If none of you know anything about networks, that will probably be your best option.

(random portraits)

>>14167694
Ok, I'm looking more in terms of
-What do they need to do it?
-What factors makes some system easy to hack and what makes it hard?
-How long does it take?
-Does it always require unwitting compliance by actual authorized users?
etc...

I think GURPS puts together a good characterization of mundane hacking.

>The Computer Hacking skill is cinematic, and simulates the way computer intrusion works in many movies and novels. It does not exist in realistic settings!
>Realistic “hackers” should learn a combination of Computer Operation (to exploit OS loopholes and run intrusion software), Computer Programming (to write intrusion software), Cryptography, Electronics Operation (Communications or Surveillance), Electronics Repair (Computers), Fast-Talk (to convince legitimate users to reveal passwords), Research (to find documented security holes), and Scrounging (to “Dumpster dive” for manuals, passwords on discarded sticky notes, etc.).

For Hacking the idividual needs to find the computer he's hacking (the ip address) then he needs to get around the firewall.

What I would do it set DCs for different firewalls, then have a 'hacking' DC just to get started. unless of course, the skill cannot be used untrained.

I mean other than getting past the firewall and keeping your connection hidden you really just need a connection to the computer in victim. Whether through internet or hardwire.

Just to add modifiers you can have the hacker send an email to the target computer then roll a bluff check (so the target opens it) if the target fails his sense motive, then he opens the virus and gives the hack +5 or +10 on the hacking check.

Protip: The reason Hollywood hacking involves fast typing and fancy GUI is because real life hacking is about as entertaining to watch as watching paint dry.

Real life hacking is basically some guy on a coffee and cigarettes diet analysing code for hours on end.

In real life, encryption and passwords are nigh impenetrable. Unless someone leaves a gaping hole in a network, or you can trick a user into giving you their password you won't be hacking anything.

It basically boils down to fast talking, spying, and breaking and entering.

Ok, here we go.

First of all, there are several different pieces to the hacking puzzle. There's software, obviously: code, backdoors, and exploits. There's hardware: knowing what hardware the server's running can give you insight into what can be done to break it. And there's social engineering: nowadays, hackers need to be able to talk to Real People, either in person or over the phone.

So. Primary stat would be intelligence, but charisma and wisdom are both useful as well. Hackers need to be able to multitask, and need to be thinking several steps ahead of their current position.

You might do something like this: Give the character the goal... say it's hacking into a bank, for instance. There would be several ways to do this. Hang around the building for a few days, maybe go inside and "apply for a loan", just to make notes of names and job descriptions. Keep an eye out for any security company names - they'll almost always be contracted, so you can drop names and be fairly confident that no one at the bank will catch onto the ruse. The software is easy to see - just poke at their website and see if you can't get an error page... they'll usually tell what software is running the server. From there, you can usually deduce what exploits are needed.

Of course, if you want to abstract it a bit, then you could just say, "Roll a spot check, roll an Int check, roll a Cha check," etc.

brb, someone's knocking at the door-

>>14167725
I'm looking into this because I want to at least try to model "real world" phenomena. I would like for it to seem believable and authentic. Obviously it will not be actually realistic, but I would like the system to at least have a "real" feel to it.

My point is that RPG systems model things like modern firearms with an eye towards simulating, at least approximately what the various attributes, trade-offs and limitations of weapons are. I would love to do something like that for hacking rules.

Google Metasploit Op.

>>14167772
>Protip: The reason Hollywood hacking involves fast typing and fancy GUI is because real life hacking is about as entertaining to watch as watching paint dry.

Make it a willpower based extended action op. To make it more exciting, have them do Social Engineering and just make them roleplay that.

>>14167740
>-What factors makes some system easy to hack and what makes it hard?
firewalls, network monitors.
>-How long does it take?
other than connection speed, really the only thing that'll keep you (if you know what you're doing) is finding an open port, social engineering (sending fake emails) or getting kicked/banned from the network.

>>14167793
also encryption will make it hard to do.

basically after they've downloaded a library (of passwords/usernames/accounts) they have to then unencrypt it. which with the right programs can take minutes to hours to days.

Just run it in Modempunk.

this thread is turning out to be very helpful.

>>14167792
>Google Metasploit Op.

All right, I'm going to say this only once.
This is a very powerful piece of software.
If you start dinking around with it and start trying to mess with servers that you do not own, you CAN be arrested. You CAN go to jail for upwards of TEN years.

Be wary. I'm fucking serious.

Ok, how about actual physical security systems. How often are they hooked up to some kind of network that you can gain access to and fuck with them? I'm guessing not as often as in movies/games. How does one get past say am electronic slide-card lock?

It really depends what kind of 'hacking' they need to accomplish.

Creating software-computer skill
Taking down website-contacts/resources (+skill)
Breaking into reasonably secured data-contact/resources +skill, + physical intrusion / good information

>>14167851
'Sup, FBI? Your partner's heart attack stop?

This is how I'd do it.

Player: "I'd like to hack his computer."

GM: "do a computer use check."

rolled a 5

GM: "all the ports you find are protected, try again next round"

Player: "I send the target an email titled 'Free laptop'"

rolls bluff: 15

GM rolls sense motive: 2

GM: "make a computer use check to attemp hacking again with a +5"

rolls a 21

GM: "you break through, the weak firewall had a DC20 hacking difficulty. Now what do you want to do?"

Player: "grab all the accounts"

GM: "downloading will complete in 5 rounds, from there you can unencrypt it and try to log in."

>>14167851
Yeah you are right I should have included a disclaimer.

Anyway, how would you guys handle honeypots in a system like this?

>>14167871
Oh yeah. TIME

>>14167877
.
>>14167674
here, I'm wondering what's with the heart attack thing. Presumably FBI agents have seen the same movies that I have, so...

>>14167868
When a person tried connecting to a network on his personal computer the network can ask for a password. if you know the password the network will add your ip to the exceptions list.

>>14167707
I thought the FBI just blew up computers. not give heart attacks.

The Three Levels of Security:
What You Know - Level One. Passwords. Easily compromised without target's knowledge.
What You Have - Level Two. Keycards. Difficult to compromise without target's knowledge.
What You Are - Level Three. Biometrics. Nearly impossible to compromise without target's knowledge.

>>14167868
It's almost imperative that you social engineer the keycard away from the target. One -might- be able to "borrow" it, make a copy, and return it before it's missed, but it's pretty difficult.

On the note of social engineering and hacking, I read an article a little while back about some security specialists hired to look for vulnerabilities in a particular office.

They littered the break areas, smoking areas, cafeteria, etc, with USBs containing exploits. I'm sure a few people caught the exploits before it executed but apparently most people tend to just plug those things in without so much as a scan.

>>14167899here

if you don't know the password, you have to find an 'open port' which would probably just be a 'hacking check'

>>14167913

Are you implying that biometrics are difficult to compromise?
Biometrics are pretty easy.
You can just take high-definition photos of the target data, then replicate.

Or. Software bypass.

>>14167913
assuming the keycard system is not a closed system you can hack into it and inject the data of your own card or print a card with one of the numbers you find in there.

>>14167936
Yes, I'm >implying that biometrics are difficult to compromise, when used properly.

For instance, it's gonna be fairly difficult to get a good retinal scan from someone without them noticing. Not so much with fingerprints. Combine them both, and you're pretty secure.

Just modify the trap/disable device rules to be program/hack.

>>14167962
Well even then, if you can get into the computer you can inject a program that opens the doors at a certain time.

but then you'd need to know what program they're using and how to program it.

>>14167962

I can get a good retinal scan with my Cannon Powershot.

You need A LOT better security than biometrics for sensitive data.
A mutable algorithm+answer system works nicely.
Person memorizes algorithm, receives number, applies algorithm, enters response.
Can even alter the algorithm regularly to prevent pattern cracking.

>>14167990
And have previous access to the hardware.

That's the hard thing about this, though - there are so many different ways it could be done, it's hard to codify rules for all of them without abstracting it completely.

>>14167662
GURPS Cyberpunk, for the 3rd edition, had pretty good rules for hacking. You should be able to find it on /rs/.

I use a pretty simplistic set of rules for Hacking in my own GURPS games.

Part 1 of 2
Every computer/network/system has a number of skill checks that must be made, in order to accomplish the goal.

-The first skill check is an Electronics Repair (computers) roll, for physically tapping into a network, through comms/network cables.

-The second skill check is a Computer Operation roll for finding the right “extension” (i.p. address, network location, etc.)

-Third skill check is a Computer Programming [could be Cryptography] roll to break through some security/encryption, and gain access

-Fourth skill check is Computer Operation roll to find the info you need.

-Fifth skill check is a Computer Ops. Roll again, to run an “over-writer” program that will trash the info, and work its way through the system, erasing and replacing information.

>>14168028
HSBC has security like this for their card holders. In order to do online banking you have to click a button on a card that gives you a string of numbers.

>>14168072

Mhm. Less secure than having the person memorize the number generation protocol, but perhaps more convenient.

>>14168062
Part 2 of 2

Additionally, when it comes to encryption, and hacking through security, I think in the manner of “Guards and doors”, i.e.

Each goal is behind a “Door”, which is “locked and Guarded” by particular security programming (ICE, for example); I assign each “lock” a number of “levels” of encryption.
-A success lets the hacker break through a number of levels of encryption equal to the margin of success; critical success breaks through it all, regardless.
-A failure “locks out” a hacker; the number of levels increases by twice the hacker’s margin of failure.
-A Critical failure “alerts a guard”; the hacker then must make an opposed skill check against the Security program.
_A critical success lets the hacker bypass the guard (i.e. make it seem like a false alarm)
_Success lets the hacker get away without leaving any “fingerprints”
_Failure has the Hacker leaving “fingerprints”, getting caught, having his system tagged, etc.
_Critical failure has the hacker’s computer tagged in such a manner that he could be traced if he connects to another network again (you could give him the opportunity to remove the “spyware/malware”).

Modify as you see fit. I play with some IT dudes, so I don't bother making it seem realistic; I have no clue about it, and they'd just trip me up on the details. So I use this, which is quick and simple, and keeps the game flowing, which keeps us all happy.

>>14168084
Considering the average putz has trouble with his PIN number, yea, it's a smart secondary security system to use. I figure they have a whole series of different algorithms that they cycle through to make it even more secure.

>I have no fucking idea how modern day hackers operate, what they can do and what their limitations are.
How do they work?
They email or call people and ask for passwords.
Sadly, that works some of the time.

>>14168109
Indeed.
http://www.pcworld.com/businesscenter/article/221504/8_security_tips_from_the_hbgary_hack.html

>Anonymous now had the username and password details of the executives, and found that the gentlemen concerned had reused the passwords in lots of other places: e-mail accounts, Twitter and a support server, in particular. Thus, Anonymous was able to access their e-mail.

>The accounts on the support server were only those of ordinary users but the system wasn't patched against a vulnerability that allowed standard users to use privilege escalation to illicitly get superuser powers. The flaw was patched in November, but the hack took place three months later in February this year (see above--regularly patch your systems!).

>To get this, they used Greg Hoglund's e-mail account to make contact with somebody who had root access to the server. In an entertaining e-mail exchange, Anonymous first suggested they had problems logging in to the server, using their acquired knowledge of the root password to give themselves authority and credibility. Following this they manipulated the root admin into resetting Greg's password, and also revealing his username--the two pieces of information they needed.

>>14168062
>GURPS Cyberpunk, for the 3rd edition, had pretty good rules for hacking.

The Secret Service certainly thought so...

>>14168300
Funny and true.

If anyone doesn't know this story, just Google a bit, you'll find it easily enough/

Physical access to the computer you want to hack should always give you a bonus. Trying to hack something over a local area network should give you no bonuses. Hacking a network from outside of the network or over the Internet should give you negative bonuses.

Also, successful hacks should be described as "You detect that he's using an older firewall, you attack a known exploit," or "You find he has a pirated version of Windows with a backdoor". Essentially, success or failure is based on made up circumstances, and your player's ability to "recognize" them. Hacking should also allow your players to craft a virus, so instead of actually using the keyboard on a target computer, they can just plug in a USB key (loaded with a virus) and restart the machine.

Also, viruses will need to be designed for the Operating System. Non-mainstream OSes will automatically refuse to run a virus that isn't designed for it in particular. Less exploits will exist for these OSs, but they are still there.

Basically, physical access to the target machine is ideal:
--If the computer is on, not password protected, then automatic access granted.
--If the computer is on, Hard drive is or is not encrypted, and USB detection is enabled, then that's easy. The player can plug in a USB key, even without a password, and autoplay will automatically run the virus or trojan.

>>14171050

--The computer is turned off, asks for a password on boot, but the Hard drive is not encrypted. You can run a different operating system from USB for immediate access, or just steal the hard drive. Here, the hacking skill doesn't matter much, but maybe should be used to determine the user-unfriendliness of the Operating System on USB that the Player Character is capable of using.
--If the computer is on and password protected and the hard drive in encrypted and USB detection is disabled, the player must be able to spray the RAM with a cooling agent like Freon, and steal the RAM and hard drive, plug them into another machine (possibly handheld or a laptop) and recover the encryption key, and then use the key to decrypt the hard drive. If this sounds like a tricky situation, that's because it is. It is important to move the RAM from one machine to another as quickly as possible, or the encryption key is lost. Higher DC.
--If the computer is powered off and the hard drive is encrypted, the computer can't fully boot without a password. In which case, the only way in is to install a hardware keylogger into the keyboard and wait for the owner to use it. This also means that you'll need to infiltrate twice, once to install the keylogger and again to recover it and the payload, OR you can use a small cellphone or something to transmit the keys entered.

What I've just described are five scenarios of increasing difficulty. It's a bit over simplified as far as IRL hacking goes, but it's probably more than sufficient for Hollywood hacking, which fits better in RPGs anyways. If you want things a bit more fleshed out, maybe visit /g/ and be careful of trolls.

>>14171050

dem asian big titties

also, I was going to wha? the autoplay bit, but your second post made it clear why it was so.

>>14171050
...I'm sorry, what were we talking about? I seem to have gotten distracted suddenly.

You're referring to crackers, who break things. Hackers build them. Read "how to be a hacker" by Eric Raymond, it'll highlight a few differences.

Cracking is boring as hell. Since your players probably don't understand it all that well, the simplest thing is to do some sort of extended check over the course of hours/days/weeks/whatever against the network you want to attack. It's important to keep in mind that this is a long, slow process, and isn't ever guaranteed to work. Moreover, you can't do anything by cracking that a person with root access to the computer couldn't do, so no blowing stuff up, no cutting off the power, no magically controlling traffic lights, etc. (unless the computers *can* do those things, in which case... go crazy).

Finally, some networks aren't connected to the internet, so you have to have physical access to the machine or at least physical access to a machine connected to that private network. The biggest hole in security networks is the human element. Look up "rubberhose cryptography" for advice; it's a lot easier and it doesn't require any special technical knowledge.