OK, so I can stay up a bit longer before the wife gets pissed off...

It looks like VPN encryption can be sniffed and spoofed just like everything else. They typically use passkey encryption which requires a quantum computer to break (Quantum Condebreaking, page 254). VPNs do not typically use quantum encryption, which would make them unbreakable.

You can also get the 'secret' encryption key off of the equipment - it's a piece of software that shouldn't be able to encrypt itself (otherwise you have effectively placed your key within the locked room and the whole system is useless).

I think you and the commenter below are making the mistake of assuming that the /only/ way to access a system is to somehow get the passkey or sniff/spoof a connection, which as I understand it is not the case.

These methods are used to gain access to a genuine, authenticated account on the system which cannot be distinguished from a any other genuine account (although a pattern of suspicious activity might still be flagged for audit on a particularly paranoid system).

If you are unable to use these methods (as would be the case with quantum encryption) or use of these efforts fail then you go to the main Hacking system.

This involves several stages, starting with bypassing the firewall and ending with unauthorised (and hopefully undetected) access to the machine. Hacking by this method means that the user is rarely accepted as an authorised user and will certainly be under a lot more scrutiny as going about his or her insidious tasks.

The only difference in hacking a computer behind a VPN and one which is on the general Mesh is that you can almost never hack the VPN traffic itself and gain access to it that way. Instead you have to find a terminal which has access TO the VPN and hack that.

So, say I want to get on to Skinthetics' VPN and find the blueprints latest morph, I can either:

1) Find a Skinthetics exec who lives near me, and start to find out what I can about him in an effort to work out how to exploit his passkey and get on to the VPN by authenticating as him. This may not be possible if Skinthetics uses quantum encryption to protect the VPN.

2) Find a Skinthetics exec, break into his apartment one night and make sure he'll stay asleep by dosing him with some drugs. Then I start the process of hacking into his Mesh inserts, constantly competing with his Mesh Implants' AI security. Once I've bypassed his Mesh inserts' security and have an account on his computer I can simply use his computer's existing connection to the VPN to get access to the other computers on the Skinthetics network, from whence I need to hack my way into the actual blueprint server.

This isn't that difficult.. the primary methods for hacking a secure connection today without the use of bugs, flaws in a system are. Social Engineering (IE: Ask someone nicely in the right way.) These are man in the middle attacks: Sniffing: You don't need the full password just a key which in many systems is part of the broadcast so if you know what your looking for encrypted or not you can find the key and work on just that data. rebroadcast sampling: If you have a section of encrypted data part of it you know contains the key you can force the connecting system offline (jam, or whatever) forcing it to reconnect and rebroadcast the key getting you additional samples of the encrypted key. With enough samples any encryption can be broken.. True man in the middle: If you know what encryption they are using you can spoof that you are the recieving machine then rebroadcast things to the real receiving machine. The sender authenticates with you, then you use that to authenticate with the reciever putting you as a clear text man in the middle. There is others but these are common today and obviously all are related and part of a greater scheme or system. Each having various levels of visibility and some systems actively look for all these making them less likely. ***Lastly nothing created by man is perfect. There is always some flaw somewhere find it. Also remember it's not always getting the exact information but knowing who has it and who wants it. Encrypted or not it still has to be routed which is likely still a set standard.

i never like seeing fantasy systems emulating modern systems, to the point that we're referencing specific technologies, protocols and vulnerabilities. handwavium is probalby more appropriate for the pacing of a game. that being said, there seems to be a prevalant assumption that fooling machines is easy for infomorphs. im not sure why interfereing with machine-on-machine communications at high enough speeds to fool both machines should be easy for informorphs. an IM is essentially an organic brain running in a software emulator on a larger computer. its going to operate much slower than the computer does natively, and its method of thinking is going to be inherantly much slower than the machines' algorithms. in many cyberpunk games, there seems to be a basic premise that the decker is god and can do anything to any computer system he touches - overriding peoples cyberwear or hacking drones or whatever abuses players want to imagine. there never seems to be any thought given to the idea that those same systems were archtechted by large teams of equally skilled individuals, over long periods of time. the decker is one guy (or one IM and its forks, as the case may be in EP), working on the fly. sure, just like today, there will probably be some well known exploits pre-built in the IM/decker's toolbox, but the better maintained systems will be already aware of those exploits and the maintainers will have taken steps to architecturally protect the system from such vulnerabilities. rather than trying to model some absrud extreme of measures-coutermeasures-countercountermeasures ad-nauseum, its probalby best for each GM to allow whatever security abuses he feels are plot appropriate and just handwave the mechanics of it with some abstract skill rolls. regarding cracking mesh inserts, i imagine it is (in an abstract sense) like your web browser. its reasonably secure (depending on your usage of it) until it isnt. once it isnt, there is a race to deploy exploits against a race to deploy fixes. some people are exploited, others are patched and are once again reasonably secure until a new exploit is found and then theyre not. wither such an exploit is available at any given time is probalby more a plot point more than anything. but some people like more crunch in their hacking than i do, so dont let me get your wheaties soggy if thats not what you prefer.

Well true modern VPN hacking methods may not be the best place to start and also just because it's possible does not mean that it's easy, or even that your going to get what you want once you do have access. All of this ability, information and range of possibilities depend on GM and player decisions. These prolly based on security level and type of, character skill, interface for the character, Available tools and lastly and most importantly the story and level of Fun for the action. I capitalize fun for the reason that what's fun for the group Always should be considered when deciding and working out what happens in a game. As it relates to EP consider that VPN tech is most likely Super Common It's how Everyone Connects to things and gets Data and Resources they don't want to share. So the Technology is pretty developed and depended on. I would make a character effort for this reflect that.. Also remember for somethings connected directly (Physical connection) often requires physical access to at least part of the system. That alone can be an adventure.

I disregarded the absolute statements of "Hacking VPNS". I'd assume hacking a VPN depends on the encryption it is using and which devices are accessible over the mesh. Situation A: An AR team makes a VPN for tactical communication (can't have the opponents hearing your chatter, so use a VPN to encrypt it), it's hackable. The hacker would have to compromise one of the player's mesh inserts (p.259, they can be hacked) in order to gain access to the other team's VPN to listen to their communications. Even though the players are using the VPN, they aren't cut off from the rest of the mesh (unless they are especially paranoid players and they are fine with cutting themselves off from the databanks of information, regular communications, hab emergency signals, etc) Situation B: A ComEx trade broker is a member of a corporate VPN. He meets with a client on a Venutian aerostat and makes a deal. After securely collecting credits from his client, he relays the details of the trade arrangement to his head office's server back on Luna. If a hacker wants that information, he'll have to hack into a ComEx employee's inserts and use them to get access into the ComEx server, or intercept the transmission, and using a quantum computer to decrypt it, taking a couple weeks. Situation C: Stellar Intelligence has been having problems keeping tabs on the informorphs of Glitch because their communications keep coming back corrupted or not at all. Since quantum encryption needs to be entangled and physically separated, newly arrived agents bring a quantum key in an ecto so their agents can communicate without infomorph tampering. (I'd rule that performing quantum entanglement inside a person's mesh insert is probably a BAD idea, if it's even possible). They'd obviously turn off any other mesh functions, so this kind of VPN couldn't be hacked. That's my interpretation of the rules, at least.

Something else to consider is that some of the best hacks of all time where social engineering not technical hacking.