So, it’s time to talk about how to actually conduct a hack in code::2050.
We fought long and hard about this.
Anyone who’s been following along this far knows that Matthew’s take was, “Here’s a computer, go!”, where mine was, “You see a network, roll to connect. You’re in the network, roll to scan for devices. You detect a vending machine, a thermostat, two computer terminals, a PlayStation 17, an Amazon Echo, a smart refrigerator, a hot water heater, three door locks, and a data silo labelled ‘Secret Stuff Here’. Your rig is green with blue stripes and the network is mauve, which has the most RAM. Roll to make a double half-caff mocha latte!”
We needed to meet in the middle somewhere: Something simple and usable so that GMs and Hackers have a basic understanding of what to do, how to do it, and how hard it is; but not so barebones that it left everyone scratching their heads going, “What now?”
Here’s a guide to quick-and-dirty hacking. It’s broken down into several steps, each with a one-sentence description of what you’re doing, a thumbnail difficulty based on who you’re trying to hack, suggested penalties for failing at that point, and then some clever text to give it a little flavor. And at the end short discussions about scripting, hacking, and countermeasures.
The thumbnail DC of each step is based on the size of the entity you’re hacking:
|Small||Home / Small Business (10 employees)||Town|
|Midsize||Medium Business (100 employees)||Small City|
|Large||Large Business (1,000 employees)||Large city|
|Huge||Multinational Corporation (10,000 employees)||Megacity / Nation / Military|
|*Includes the police or security forces for that size government.|
Alright, guns up! Let’s do this.
Step 1: Connect
Action: Connect your rig to a network access point, either wirelessly or through a port.
Difficulty: Small: 15, Midsize: 15, Large: 10, Huge: 10.
Penalty: Physical dangers finding and getting to the access point, loss of access through password violations.
The difficulty is in finding an open connection; the bigger you are, the more connections you have, and the easier it is to find one. But a lot of the difficulty is going to depend on where that connection is. You may be able to connect through the Net while nibbling jamón in Madrid, or you might be able to plug into a port in an office building while pretending to be a repairman, or your team may have to shoot their way into a security substation at a corporate warehouse. How you get here is up to your GM.
Step 2: Seek
Action: Look for the data, device, etc. that you need.
Difficulty: Small: 5, Midsize: 10, Large: 15, Huge: 20.
Penalty: The time required to search.
Sure, shuffling through a home server is child’s play, but big corporations have big networks and big data farms, and that robocab company has thousands of vehicles. Finding the exact file or exact cab you’re looking for might take longer than you’re expecting. Hopefully you’ve done your homework, or have someone on the inside to get you pointed in the right direction and save you some time. And, hey, the clock is ticking!
Step 3: Defeat
Action: Bypass, suppress, or defeat any countermeasures you encounter.
Difficulty: Small: 5, Midsize: 10, Large: 15, Huge: 20. (Varies internally based on secrecy.)
Penalty: Small: Setback, Midsize: Setback, Large: Dangerous, Huge Government: Dangerous, Huge Civil: Deadly (Based on Trap DCs and Attack Bonuses from the 5e Online Compendium section on traps.)
Lots of potential dangers here, and this is where you’re most likely to get pinched if you screw up. Depending on the size of the prize and the nastiness of the guy you’re hacking, that might hurt a lot. Grabbing some incriminating dirty pics from some guy’s home server? You’ll probably only get booted from his network. Snag something secret from the Army? Go to jail, go directly to jail. Going after a big paycheck by hacking the formulation for a new drug from MegaPharmaCo? Those bastards’ll kill ya. And, of course, the more sensitive something is, the better it is protected. Nobody is bothering to protect the coffee order for the canteen, but that drug formula? Yeah: locked up tighter than a gnat’s ass.
Repeat steps 2 & 3 as the DM dictates.
Why repeat? Maybe you have to open a series of doors for your team. Maybe you have to check several different data silos to find what you’re looking for. Maybe your target isn’t in the first robocab you hack to drive itself off a cliff. Maybe the DM’s a dick and wants to see you suffer.
Combine steps 2 & 3 as the DM dictates.
Or maybe your DM is awesome and wants to save everyone some time. Maybe you’re sleeping with her. Whatevs, it’s all good! The DM can easily elect to combine these steps – even multiple iterations – into a single roll to get you there a little quicker.
Step 4: Achieve
Action: Do what you came here to do.
Difficulty: GM’s estimation.
Penalty: Consequences of failing to complete the mission.
This is you earning your paycheck. You may be stealing data, leaving data, altering video, opening doors to clear a path for your team, implanting a script, tapping a camera, crashing a pizza delivery drone, rerouting a jumbo jet, whatever floats your boat (and gets you paid). It’s going to be up to the DM to decide how hard it is to make that happen, especially after you made it this far!
Step 5: Exfiltrate
Action: Finalize and log off.
Difficulty: Small: Auto, Midsize: 5, Large: 10, Huge: 15. (GM’s estimation.)
Penalty: Physical dangers of leaving the access point, danger of exposure through traces in the target system, dangers from any remaining countermeasures.
You’re not out yet. You got your data, but you tripped a countermeasure and now you’re going to have to shoot your way out; or you are at a plaza in Madrid, but even then this may not be as easy as unplugging your rig and walking away. You may need to alter logs or adjust inventories in order to disguise the hack and to cover your tracks, or your team may be deep in a corporate archive with the item you need for your next hack in a satchel, looking for you to guide them out. Hell, the DM may run you through steps 2 & 3 again as you wend your way out. Good luck, Hacker!
Scripts can be used to make things easier. A task that has been scripted can be performed faster and more accurately. Writing scripts to do simple and repetitive things is easy, complex scripts that automate decisions normally made by a human are hard. Bonuses are based on the how heavily the script is customized. If the target is a business, a generic ‘security defeat’ script might give a bonus of +2, the same script customized into BizOS might give a +4, and a script customized for a specific business might give a +6.
Scripts can be created, or acquired and customized, using the crafting rules (See Downtime Activities in the PH).
The effects of countermeasures can range from inconvenient to deadly, making use of elements such as system ejection, headache-inducing blasts of light and noise, rig-scramblers, security alerts, automatic lockdowns, and backtracing. Countermeasures can be triggered by events such as an invalid logon ID or password, too much time connected to a network, too many scans, using an computer unknown to the network, and accessing a particular directory or file. And like physical traps, Hackers will get a a save DC to resist the affects of a triggered countermeasure.
(See the 5e Online Compendium section on traps.)
I Hacked It!
Once you hack a device, you can make it do anything that is controlled by software. What you can not do by hacking is change something you have to touch, like pressing a button or turning a key.
When you hack a network, you have full control over its users, security, connections, etc. If the device is a machine or an electronic device, you can read and alter any of its settings or data, turn it on or off, and so on. If you hack vehicles or robots, you’ll need an interface to avoid penalties when directing them. It may be built in, or may have to be acquired or written.
And I’m spent.
There’s probably a good-sized supplement waiting to be written about how the Net works and how you hack it, but for the time being, there it is. This has been the code::2050 Quick-and-Dirty Guide to Hacking.