Computer hacking 5e

[armadillo]

I've noticed in one of my games, a modern superhero game, that computer hacking (using Computer Programming) is pretty powerful. (I'm using 5th Edition, so answers in that edition will help me the most!)

 

So, I'm considering making it more expensive, and expecting characters to have a certain roll level to attempt certain feats. Like, having an 11- in Computer Programming is not going to get you into a high-security database. (Okay, if the character has an 11- roll, I'm not saying they can never access a high-security database. Just not directly. They might use the 11- to put a keylogger into a non-adept's computer and find the passwords that way. But they wouldn't be able to hack the database directly.)

 

Also, Cryptography will be necessary for getting into higher-level databases (arguably a person could run software to decrypt, but the skill allows the user to choose the appropriate decryption software). I'm considering making Security Systems another necessary aspect for real hacking to occur.

 

My questions:

1. Are there rules in Hero that expand computer hacking and head in the direction I am heading?

2. How do you keep 3-point Computer Programming from taking over a modern game?

 

 

[Tjack]

Most real world computer systems have complex security systems in place. Computer programming as a skill shouldn’t give a player the ability to do more than get into somebody’s home computer or install a virus program. Specialized skills like KS: Comp Hacking & KS: Comp Security should be bought for big jobs.

[Sketchpad]

I would suggest looking at Hero System Skills on p. 125-132 for some expanded Computer Programming rules. That might have some options that you could use. 

 

As for how to keep Computer Programming from taking over a modern game, there are several ways. First off, certain computer systems will be harder to crack than others. This could be a negative modifier to any check. 

For example: Kyle "0v3rk1ll" Obert is attempting to hack into a heavily fortified bank with Computer Programming 15-. The bank has some anti-hacking software installed in it, giving anyone trying to hack it a -3 to Computer Programming checks. This means Kyle will have to now make a 12- check. 

 

Another option is to use a more Cyberpunk-ish system, making different aspects of the hacked system harder.

As above, 0v3rk1ll is trying to hack a bank. To get in is a -3 to Computer Programming (a 12- check). But to get into the financial records of Claude Van Claude, he may discover a more difficult security setting (-5 to check, giving him a 10-). And if he trips something on the way, exiting the system may make it harder (-8, for a 7- check to leave without a trace). 

 

Lastly, the character may have to have the right hardware to hack. This could take the form of Software or Hardware Powers that modify certain rolls, or circumvent things entirely. 

Finally, 0v3rk1ll has been discovered in the bank system. He uses a Virtual Scrambler built as Change Environment (-5 to Computer Programming to find traces of hack) to cover his tracks as he leaves.

[unclevlad]

Give the system a security rating, and make it a competitive roll.

 

Or give the system(s) penalties from -1 to -3, and when you're really getting into *secure* areas...areas where tech geniuses are building the security aspects...there's no upper bound.  -10 might only be on, say, the government's metahuman database...real name, cover name/villain handle, known powers, threat assessment, weaknesses...but some things should have this level.

 

Alarms.  Fail a roll?  Alert the other side.  Fail a 2nd?  Active opposition kicks in, with MUCH larger penalties, and possibly starting a traceback to see where the hack's coming from.

 

Programming alone might not be enough.  Crypto isn't needed to break in, at least most of the time;  it may well be needed to be able to understand the data in the database, tho.  Security Systems would be a more sensible complementary skill.

 

Hacking can be as complicated as you want it to be.

[armadillo]

2 hours ago, unclevlad said:

 

 

Hacking can be as complicated as you want it to be.

 

I think I want it as complicated as you described!

[LoneWolf]

The rules for hacking into a system were written by game designers not programmers as such are not really realistic. 

 

Hacking should be an opposed roll not a straight roll.  What you are trying to do is to beat the roll of the people who setup the system.  Don’t forget to factor in all the complementary skill rolls a well-trained computer programmer would have.  When factoring in that a real network administrator probably has well over an 18 or less on the roll.  Things like Cryptography, SS Computer Science, SS Mathematics,  KS Computers Hardware, PS Network Engineer and others will all be complementary.  Also factor in that you have a team of engineers not just a single person and the extra engineers all can aid the primary roll with their own rolls.   Last but not least you factor in the fact that it takes time to setup a network which means you get a bonus to your roll for taking extra time.   

 

So assuming the primary engineer has an 18 or less with all this complementary skills.  He has 4 assistants aiding his roll and is getting a +5 bonus for time.  That gives him a 27 or less roll.  Assuming he rolls 11 that means he made it by 17.  So to hack into a something along the lines of a bank would be a -17 to the roll.   That 13 or less is the player spent 3points on is not going to cut it.  At minimum they are going to need to take a significant amount of time to boost their roll.   
 

[unclevlad]

The most involved hacking rules I know of, are in Shadowrun...because one of the core character concepts is the decker, who is...a hacker.

 

The problem was always, tho, the decker played by himself.  No one could help him.  It was him rolling against the GM for however long it would take.  Conversely, the decker was all but useless outside of hacking;  it took too great an investment of char-gen resources to be good at anything else.  IIRC, not as bad as a full caster;  those were XP sinks like few others.  (A Jedi in Star Wars was worse, but they were *insanely* imbalanced and supposed to be hard to build.)  And that's gonna largely be the same thing here, if you make it involved...altho the cost of skills is such that at least your hacker-type doesn't have to be crippled.  

 

One concept I use is from the comments on the skill roll table, altho this might be in 6th only.

11-:  competent.  Can get a job using the skill.  High school to associates' degree, IMO.

12-:  skilled.  Qualified to manage entry-level (11-) positions.  Assoc to bachelor's degree.

14-:  I read this as Masters level.

16-:  Doctorate.

18-:  Recognized among the top in his field.

20-:  Getting into the realm of the tech geniuses

 

That there are tech geniuses says that setting up REAL security, is going to call for tech geniuses to set up the protection.  In many ways, the real-world experience...hackers broke into several fairly large databases (like Target) and harvested enormous amounts of personal data, but that led to tighter and tighter security.  The pipeline hack that's shut down the critical pipeline to the East Coast, is going to lead to a *massive* investment in security.

 

So generally, as LoneWolf suggests, it's going to be HARD.

 

BTW:  I don't personally think most of the skills listed would be complementary, or would tend to be specific subsets of Programming anyway.  The big issue is that the people setting up the security had TIME!!!! to do it right, and to hammer the HECK out of it looking for problems.  If you go with the notion of opposed rolls...because of the time aspect, high-end security might be 24-, or if you're just using a modifier, -10 is not that hard to imagine at all.  

Alternately, the safest form of security is simply no connection to the outside world whatsoever.  For diverse networks like banking, the first key is the physical security of the communications lines so they can't be tapped.  Mmm...come to think, these may well be encrypted as an additional security layer.  Used to work on a team that test-fired missiles.  Real ones.  For combat deployment.  At one point, they upgraded the lines, and our building got a military-grade encryption/decryption box.  EXTREMELY fast at doing it;  it had to be.  So this is a context where Crypto actually wouldn't be a complementary skill, it'd be a full-scale phase of the problem.  

 

Also note the ongoing growth of physical verification methods...fingerprint scanning, for example.  Or...when we had that upgraded comms line, ALL our computers had ID cards, and IIRC, single-use password generators, for computers that were not physically in a vault.  ALL the computers in public-access areas were also scanned by the base's computer security people.  By simply being on the network, they had permission to intrusively, completely scan any system added to it...and to order software to be taken off, if it was deemed a risk.

 

Information security is taken EXTREMELY seriously.

 

[dmjalund]

remember Air-Gap security is a thing. sometimes you have to get the hacker to the far side of the air gap before he can do anything

[armadillo]

9 hours ago, unclevlad said:

 

 

One concept I use is from the comments on the skill roll table, altho this might be in 6th only.

11-:  competent.  Can get a job using the skill.  High school to associates' degree, IMO.

12-:  skilled.  Qualified to manage entry-level (11-) positions.  Assoc to bachelor's degree.

14-:  I read this as Masters level.

16-:  Doctorate.

18-:  Recognized among the top in his field.

20-:  Getting into the realm of the tech geniuses

 

 

 

 

This is very cool. I will definitely use this in my 5e, even if it is 6e. I'll also peek at the Shadowrun hacking rules. Merci!

[Tech]

I cap minuses to skill rolls at -10 since that's the point where it's considered 'making an impossible' roll. Forgot which book that was in.

[Ockham's Spoon]

Another thing to consider is how most real-world hacking is done.  It isn't that the hacker is some kind of computer-god that can make computers bend to their will.  Typically they target the weak link in the security chain, namely the human operator.  They exploit people who have weak passwords or get clues to passwords and security questions through phishing operations.  Once they get access to part of the system, they can often use that as a backdoor into more secure areas.

 

So if you want to role-play that, the hacker doesn't just need tech skills, they need to strike up conversations (in person or online) to get their mark to reveal information that leads to their password, or break into their office and find the little slip of paper where they record all their passwords, or trick them into entering their password in a fake website, etc.