
Exploit markets

Arenamontanus
Something that came up during our game: although they might not use much of the high-tech that surrounds them, the Jovians will be very interested in knowing the weaknesses of the technology so they can sabotage or defeat it if needed. They are not alone, of course. But thanks to their relative low-tech status and deliberately different systems they can also use attacks that would cripple the attacker's own systems if they were from an equivalent tech level. Plus, the Republic is willing to have a lot more people employed to pick apart code than most other organisations. "Many eyes makes the weaknesses visible."

This got me thinking of the market and use of exploits. Many companies (both in RL and EP) seek out vulnerabilities in common software and sell them on to customers who use it to further their hacking attempts. In EP this is not just for software: since so many objects are smart they are potential vulnerabilities too. If you know your opponent is using Osiris Medical's medichines v4.83 you can buy an exploit for them: it will likely be quite effective. The downside is that you need to know the exact version, and hope that there is something on the market. If you know a longer list of software and hardware you have a much better chance. (If the probability of an exploit existing for a random system is p, and there are N possible systems, then the probability of at least one exploit that works is 1-(1-p)^N: typically it is close to one if N>1/p.) If you do not know the list of systems you will have to throw a lot of general exploits at the opponent and hope something sticks; this is ordinary and brute force hacking.

[ Essentially, if you know a system of the opponent you can shop around for an exploit for it. These specific exploits are cheaper than the [High] general exploit libraries - exploits or libraries for common systems like standard synthmorphs are [Medium], while exploits for specific systems like OM Medicines 5.83 are [Low]. Finding one might be tougher, though: specific exploits give a -10 or -20 penalty on the Networking roll to find them. Hiding your system versions is an ordinary Infosec roll - but this needs to be done for *every* system. Assume that 100-Infosec % of the systems are visible. ]

Exploits can involve denial of service or sabotage rather than help gaining control. This is usually easier since there are many more bugs that involve the function of the system than its security properties.

[ This kind of exploit is useless for hacking, but allows impairing or turning off the function of the device. A medichine denial of service exploit allows the attacker to turn off or reduce function of medichines for a while (for example by having them undergo perpetual reboots). ]

Using exploits will eventually lead to patches - the makers will find the bug and fix it. For each day after an exploit is used there is a 50% chance that the exploit is detected and patched (although the patch may not reach remote, poor or isolationist users). If the hack went very smoothly the chance goes down, while a high-profile hack ups it.

Does this make sense? Too powerful?
Extropian
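The real-world analogue of the "know the exact version, then shop for an exploit" rule in the post above is banner fingerprinting matched against an exploit catalog keyed by affected version ranges. The following is an added example, not code from the original post: it recognises a few service banners, matches the parsed version against a catalog of affected ranges, and computes the post's 1-(1-p)^N figure for the blind case and its 100-Infosec visibility rule. The catalog entries, exploit names, the Osiris Medical banner format and the hit rate p are all constructed for illustration and are not real advisories.

```python
import re

# Constructed catalog: product -> list of (first_affected, first_fixed, exploit_name).
# The affected range is [first_affected, first_fixed). Illustrative placeholders only.
CATALOG = {
    "openssh":   [((7, 0), (7, 4), "ssh-auth-bypass-demo")],
    "nginx":     [((1, 18, 0), (1, 18, 1), "nginx-dos-demo")],
    "medichine": [((4, 83), (4, 84), "medichine-reboot-loop")],
}

# Banner patterns; the medichine format is invented for the example.
BANNER_PATTERNS = [
    ("openssh",   re.compile(r"SSH-2\.0-OpenSSH_(\d+(?:\.\d+)*)")),
    ("nginx",     re.compile(r"Server:\s*nginx/(\d+(?:\.\d+)*)")),
    ("medichine", re.compile(r"OsirisMedical-Medichine/v(\d+(?:\.\d+)*)")),
]

def parse_version(text):
    """'1.18.0' -> (1, 18, 0); non-numeric suffixes such as the p1 in 8.2p1 are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def fingerprint(banner):
    """Return (product, version_tuple), or None when the banner is unknown or
    hides its version (a bare 'Server: nginx' header matches nothing here)."""
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, parse_version(m.group(1))
    return None

def matching_exploits(product, version, catalog=CATALOG):
    """Exploits whose affected range contains this exact version."""
    def pad(v, n):  # compare (4, 83) against (4, 83, 0) sanely
        return v + (0,) * (n - len(v))
    hits = []
    for lo, hi, name in catalog.get(product, []):
        n = max(len(lo), len(hi), len(version))
        if pad(lo, n) <= pad(version, n) < pad(hi, n):
            hits.append(name)
    return hits

def shop_for_exploits(banners, catalog=CATALOG):
    """Map each observed banner to the specific exploits it qualifies for."""
    result = {}
    for banner in banners:
        fp = fingerprint(banner)
        result[banner] = matching_exploits(*fp, catalog=catalog) if fp else []
    return result

def p_at_least_one(p, n):
    """Post's formula: chance at least one of n systems has an exploit, each with probability p."""
    return 1 - (1 - p) ** n

def visible_count(total_systems, infosec_skill):
    """Post's visibility rule: 100-Infosec percent of systems leak their version."""
    return round(total_systems * (100 - infosec_skill) / 100)

# Constructed sample banners, as an attacker's reconnaissance might record them.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
    "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\n",          # version hidden: no specific match
    "OsirisMedical-Medichine/v4.83 status=nominal",
    "OsirisMedical-Medichine/v4.84 status=nominal",  # patched: outside the affected range
]

if __name__ == "__main__":
    for banner, hits in shop_for_exploits(SAMPLE_BANNERS).items():
        print(repr(banner.splitlines()[0]), "->", hits or "no specific exploit")
    print("blind hit chance, p=0.1, N=20:", round(p_at_least_one(0.1, 20), 3))
    print("systems leaking version, 10 systems at Infosec 60:", visible_count(10, 60))
```

The two interesting rows are the hidden-version nginx banner, which matches nothing even though the same product with a version string does, and the v4.84 medichine, which is one patch past the range; that is exactly the gap the post's "you need to know the exact version" caveat describes.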
OneTrikPony
I like the idea. I'm not sure if I like the existence of an exploit being dependent on the research skill of the character. That kind of assumes that there is an exploit for every piece of software and you just have to know who to ask. Really the existence of an exploit is dependent on the programming skill of the people who made the gear. As a GM I like the potential this gives me to make freeware a bit more scary. I'd make freeware exploits easier to find and cheaper while making the availability and frequency of patches lower.

Mea Culpa: My mode of speech can make others feel uninvited to argue or participate. This is the EXACT opposite of what I intend when I post.

Jay Dugger
Good Idea, But Needs Playtesting
I think this makes some sense for groups whose play features such hacking as a theme. It needs play-testing to check for abuses, specifically for ego hacking attempts. PCs might try to outrun news of an exploit. The days-until-patched will vary a great deal, possibly enough to require GM hand-waving. I don't think the Jovian Republic would have any success exploiting the technological differences as you describe. By analogy, GPS jamming requires less technological prowess than creating and maintaining a satellite positioning system. GPS jamming hasn't made GPS militarily obsolete, AFAIK. I can imagine the JR spending lots of resources on it, rationalizing it as a successful secret project, and sidelining critics. (Laocoon and his sons, anyone? A defector from the JR makes an interesting NPC...)
Sometimes the delete key serves best.
Arenamontanus
Jay Dugger wrote:
It needs play-testing to check for abuses, specifically for ego hacking attempts. PCs might try to outrun news of an exploit. The days-until-patched will vary a great deal, possibly enough to require GM hand-waving.
Yes, play-testing and balancing are needed. I am not that good at it, I tend to be more interested in what makes technological and business sense. From a gaming perspective I guess what we want is to reward players (and NPCs!) who research their opponent and plan ahead. It should also increase the paranoia about revealing anything about your internals: even other PCs who got to peek might now have log files and data in their equipment that an attacker could abscond with.

Outrunning exploit news is probably tricky: as soon as it is official, it will spread across the mesh at near-lightspeed... Hmm. Not all habitats are in broadcast communication with each other - most likely use high bandwidth laser links to nearby or important habitats, making the interplanetary mesh a bit like the Internet. A kind of Delaunay triangulation with long range links... I don't want to do the statistics right now, but I expect the end result is that the average time between information showing up at habitat A and reaching habitat B will be roughly the direct lightspeed transmission time multiplied by a factor around 2 (just guessing). So it might be possible at least in the outer system to outrun an exploit. Fun!

Days until patched is likely a skew distribution. Maybe one could roll a dice roll each day to see if it gets patched (modified by urgency, competence, complexity, open source vs proprietary, etc). That way the days until the patch will be distributed like a geometric distribution which is nicely skew.
Jay Dugger wrote:
I don't think the Jovian Republic would have any success exploiting the technological differences as you describe. By analogy, GPS jamming requires less technological prowess than creating and maintaining a satellite positioning system. GPS jamming hasn't made GPS militarily obsolete, AFAIK. I can imagine the JR spending lots of resources on it, rationalizing it as a successful secret project, and sidelining critics.
GPS jamming is really useful for point applications - confusing simple cruise missiles and drones when they try to strike certain buildings in Maryland, or messing up somebody's military operation. Same thing with exploits: Stuxnet likely wanted to achieve a particular end, burned a few good exploits, but likely got the target. Same thing for many of the hacking operations over the past year: there are certain people and organisations you want to get into, and you get exploits to get you in. Finding exploits is a matter of spending resources, but it is software gruntwork rather than requiring geniuses. It is possible to hack low-tech systems too, of course. Modern computers can crack the cryptographic keys used in old devices in no time, and they are too slow to run updated modern encryption. Storing your files as Wordperfect under Windows 3.0 will protect you to some extent, but mostly because your PPP modem connection will not be up most of the time...
Quote:
(Laocoon and his sons, anyone? A defector from the JR makes an interesting NPC...)
They make great PCs and NPCs! I have one doing information security on Extropia, funding anti-Jovian activities everywhere. Another one is a Firewall agent, with a new identity but constantly looking over his shoulder for Jovian assassins. A bit like exile-Cubans in Florida, I expect the exile-Jovians to politically push their polities against the JR.
Extropian
The Doctor
Arenamontanus wrote:
This got me thinking of the market and use of exploits. Many companies (both in RL and EP) seek out vulnerabilities in common software and sell them on to customers who use it to further their hacking attempts. In EP this is not just for software: since so many objects are smart they are potential vulnerabilities too.
Ooh!
Arenamontanus wrote:
[ Essentially, if you know a system of the opponent you can shop around for an exploit for it. These specific exploits are cheaper than the [High] general exploit libraries - exploits or libraries for common systems like standard synthmorphs are [Medium], while exploits for specific systems like OM Medicines 5.83 are [Low]. Finding one might be tougher, though: specific exploits give a -10 or -20 penalty on the Networking roll to find them.
I think you are lowballing the cost of specific exploits for vulnerabilities. In real life, zero days have been known to go for as much as $50k US on the open market, and the cost of purchasing subscriptions to companies' zero day feeds is in the tens of millions of dollars American per year. I would change the cost of exploit toolkits to Medium to reflect how commoditized they are, but charge Medium to High for general purpose to very specific or bleeding edge exploits (respectively). I would also consider adding vulnerability bounty programmes to Eclipse Phase, the better for characters to build their rep and bank accounts, and possibly run afoul of a hypercorp with a hit squad who takes offense at systems crackers taking their code apart...
Arenamontanus wrote:
Hiding your system versions is an ordinary Infosec roll - but this needs to be done for *every* system. Assume that 100-Infosec % of the systems are visible. ]
Good one.
Arenamontanus wrote:
Using exploits will eventually lead to patches - the makers will find the bug and fix it. For each day after an exploit is used it is a 50% chance that the exploit is detected and patched (although the patch may not reach remote, poor or isolationist users). If the hack went very smooth the chance goes down, while a high-profile hack ups it.
It depends on when the compromise is detected. A few zero days have been discovered in the field after being first exploited over a decade previously. So, I would factor in either the Infosec skill of the character or their muse to detect the compromise, with penalties to the roll to analyze just what happened and how.
Arenamontanus wrote:
Does this make sense? Too powerful?
Where are the rules for actually using the exploits characters purchase? Bonuses on the skill roll, perhaps?
The Doctor
OneTrikPony wrote:
I like the idea. I'm not sure if I like the existence of an exploit being dependent on the research skill of the character.
Research can also refer to the time and effort spent taking apart software to look for exploitable vulnerabilities.
OneTrikPony wrote:
That kind of assumes that there is an exploit for every piece of software and you just have to know who to ask.
Statistically, that is often the case. Whether or not a bug is actually useful is a different question entirely (see also, DefCon's White Elephant Trade).
OneTrikPony wrote:
Really the existence of an exploit is dependent on the programming skill of the people who made the gear.
Yes and no. Many vulnerabilities arise from the interactions of sufficiently complex systems and not necessarily mistakes made by the developers.
OneTrikPony wrote:
As a GM I like the potential this gives me to make freeware a bit more scary. I'd make freeware exploits easier to find and cheaper while making the availability and frequency of patches lower.
Or much more difficult to find, if your game has an Antisec subculture in it that wreaks havoc just to get people to stop disclosing vulnerabilities. Or a thriving market for zero days, in which people are more than willing to get paid to do something they enjoy anyway.
The Doctor
Arenamontanus wrote:
From a gaming perspective I guess what we want is to reward players (and NPCs!) who research their opponent and plan ahead. It should also increase the paranoia about revealing anything about your internals: even other PCs who got to peek might now have log files and data in their equipment that an attacker could abscond with.
Now it makes more sense. Thank you.
Arenamontanus wrote:
Outrunning exploit news is probably tricky: as soon as it is official, it will spread across the mesh at near-lightspeed...
Especially if the crackers brag about their shenanigans on the habitat's mesh for the lulz^W@-rep.
Arenamontanus wrote:
Days until patched is likely a skew distribution. Maybe one could roll a dice roll each day to see if it gets patched (modified by urgency, competence, complexity, open source vs proprietary, etc). That way the days until the patch will be distributed like a geometric distribution which is nicely skew.
May I suggest researching the statistical distribution of how long it takes real life exploits to be patched? The data might be helpful, and could certainly be used as a baseline to invent mechanics.
OneTrikPony
The Doctor wrote:
OneTrikPony wrote:
I like the idea. I'm not sure if I like the existence of an exploit being dependent on the research skill of the character.
Research can also refer to the time and effort spent taking apart software to look for exploitable vulnerabilities.
Nah. I really think if you're going to personally do the work you need to make programming and infosec rolls. If you're just looking online to find an exploit, making a research roll or networking roll doesn't cut it. For one thing any exploit you find is likely to already be patched. (I'll give you similar odds to google a login:password for any random porn site.) For another thing having a research or networking skill of 90 shouldn't make 90% of all software open to you.
The Doctor wrote:
OneTrikPony wrote:
That kind of assumes that there is an exploit for every piece of software and you just have to know who to ask.
Statistically, that is often the case. Whether or not a bug is actually useful is a different question entirely (see also, DefCon's White Elephant Trade).
This is an idea I like and I want to incorporate somehow. I need a random table of innocuous and common bugs.
The Doctor wrote:
OneTrikPony wrote:
Really the existence of an exploit is dependent on the programming skill of the people who made the gear.
Yes and no. Many vulnerabilities arise from the interactions of sufficiently complex systems and not necessarily mistakes made by the developers.
Ha! That [i]is[/i] true, (any time you allow the developer to define what is a "mistake" ;)
The Doctor wrote:
OneTrikPony wrote:
As a GM I like the potential this gives me to make freeware a bit more scary. I'd make freeware exploits easier to find and cheaper while making the availability and frequency of patches lower.
Or much more difficult to find, if your game has an Antisec subculture in it that wreaks havoc just to get people to stop disclosing vulnerabilities. Or a thriving market for zero days, in which people are more than willing to get paid to do something they enjoy anyway.
I think you run a more optimistic game than I do.
The Doctor wrote:
May I suggest researching the statistical distribution of how long it takes real life exploits to be patched? The data might be helpful, and could certainly be used as a baseline to invent mechanics.
I would love to do this. Any hints on where to start looking for the data? I don't have much of the appropriate vocabulary.

Mea Culpa: My mode of speech can make others feel uninvited to argue or participate. This is the EXACT opposite of what I intend when I post.

Arenamontanus
The Doctor wrote:
Arenamontanus wrote:
Days until patched is likely a skew distribution. Maybe one could roll a dice roll each day to see if it gets patched (modified by urgency, competence, complexity, open source vs proprietary, etc). That way the days until the patch will be distributed like a geometric distribution which is nicely skew.
May I suggest researching the statistical distribution of how long it takes real life exploits to be patched? The data might be helpful, and could certainly be used as a baseline to invent mechanics.
It turns out to be a Weibull distribution: http://www.heinz.cmu.edu/~rtelang/patching_published_ISR.pdf As far as I know, there is no simple way of simulating it using dice (one could use a table). But it is not too far away from an exponential distribution, which is the continuous counterpart to the geometric distribution. Disclosure roughly halves the time to patch: it increases the instant probability of patch release by almost 2.5 times.

Of course, as pointed out in http://www.techzoom.net/publications/0-day-patch/ just because there is a patch doesn't mean it is installed. In EP I think post-Fall people and AIs are zealous about rapid patching, but there will always be some lags or complications ("I refuse to wreck my cool medichine-drug gland setup with that update - do you know how long it took me to jailbreak those nanomachines?") And that window of vulnerability represents a period where exploits are cheap (since they are in the open) and there are at least some targets.
Extropian
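The "roll each day" geometric model proposed earlier in the thread and the Weibull time-to-patch curve cited in the post above can be reconciled numerically. The following is an added example, not code from either post: it gives the mean and tail of the per-day roll, converts a Weibull survival curve into the per-day patch probabilities a GM would actually roll (the discrete hazard, which is the "table" the post mentions), and shows what a 2.5x hazard multiplier for disclosure does to the median. The shape and scale values used are assumptions for illustration, not the paper's fitted parameters.

```python
import math

def geometric_mean_days(q):
    """Expected days until patched when each day has an independent patch chance q."""
    return 1.0 / q

def geometric_survival(q, n):
    """Probability the exploit is still unpatched after n daily rolls at chance q."""
    return (1.0 - q) ** n

def weibull_survival(t, shape, scale, hazard_multiplier=1.0):
    """S(t) for a Weibull with a proportional hazard multiplier c:
    S(t) = exp(-c * (t/scale)^shape). c = 1 is the undisclosed baseline;
    c = 2.5 models the post's 'almost 2.5 times' higher patch rate after disclosure."""
    return math.exp(-hazard_multiplier * (t / scale) ** shape)

def weibull_median(shape, scale, hazard_multiplier=1.0):
    """Time by which half of exploits are patched: scale * (ln 2 / c)^(1/shape)."""
    return scale * (math.log(2.0) / hazard_multiplier) ** (1.0 / shape)

def median_ratio(shape, hazard_multiplier):
    """Factor by which a hazard multiplier c shrinks the median: c^(-1/shape).
    Only for shape = 1 (exponential) does c = 2 exactly halve the median."""
    return hazard_multiplier ** (-1.0 / shape)

def daily_patch_table(shape, scale, days, hazard_multiplier=1.0):
    """Per-day patch probability h_n = 1 - S(n)/S(n-1): the chance the patch lands
    on day n given it had not landed by day n-1. Rolling under these numbers day
    by day reproduces the Weibull exactly at whole-day boundaries, so a GM can use
    this instead of an arbitrary flat 50%."""
    table = []
    prev = 1.0
    for n in range(1, days + 1):
        s = weibull_survival(n, shape, scale, hazard_multiplier)
        table.append(1.0 - s / prev)
        prev = s
    return table

if __name__ == "__main__":
    print("geometric q=0.5: mean", geometric_mean_days(0.5), "days;",
          "P(unpatched after 7 days)", geometric_survival(0.5, 7))
    shape, scale = 1.5, 30.0  # assumed: rising hazard over time, ~30-day scale
    base = daily_patch_table(shape, scale, 10)
    disclosed = daily_patch_table(shape, scale, 10, hazard_multiplier=2.5)
    for n, (b, d) in enumerate(zip(base, disclosed), start=1):
        print(f"day {n:2d}: roll under {100*b:5.1f}% undisclosed, {100*d:5.1f}% disclosed")
    print("median days: undisclosed", round(weibull_median(shape, scale), 1),
          "disclosed", round(weibull_median(shape, scale, 2.5), 1),
          "ratio", round(median_ratio(shape, 2.5), 2))
```

With shape 1 the table collapses to a constant per-day chance, i.e. the geometric model; with shape above 1 the per-day chance climbs each day, which is the "patch pressure builds" behaviour a flat roll cannot express.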
Arenamontanus
OneTrikPony wrote:
The Doctor wrote:
OneTrikPony wrote:
That kind of assumes that there is an exploit for every piece of software and you just have to know who to ask.
Statistically, that is often the case. Whether or not a bug is actually useful is a different question entirely (see also, DefCon's White Elephant Trade).
This is an idea I like and I want to incorporate somehow. I need a random table of innocuous and common bugs.
I would assume the severity of bugs follows some kind of skew distribution: most are just quirks, a few mess up functionality, some can lock up the software or damage data, and a few open your system to hacking. This PPT has an interesting bar graph on slide 28: reliability bugs are about 50%, usability 18%, maintainability, installation, documentation, capability about 6% each, while security, service and performance are just 2.4% each. So the average bug-finder will mostly find useless annoyances.

So if they find N bugs, we should expect N*0.024 to be security bugs that would give bonuses to hacking, N*0.06 bugs that might cause denial of service (medichines going into a reboot loop, neurachems refusing to turn on) and a larger number (say N*0.1) that give minor tricks against the system ("If you send this packet to the DA-45.30 gun, it will stutter once"). I would expect the price to reflect this: security exploits would be about 7 times more expensive than tricks and denial of service 3 times, just judging from rarity - but since they are more useful this might be more like squaring the price. So if there are enough exploits around to hack a system, we should expect loads more denial of service or mess with the system exploits.
Extropian
The Doctor
OneTrikPony wrote:
Nah. I really think if you're going to personally do the work you need to make programming and infosec rolls. If you're just looking online to find an exploit making a research roll or networking roll doesn't cut it. For one thing any exploit you find is likely to allready be patched. (I'll give you similar odds to google a login:pasword for any random porn site.) For another thing having a research or networking skill of 90 shouldn't make 90% of all software open to you.
I inadvertently confused the meaning of Research the skill in EP, and vulnerability research. My bad.
OneTrikPony wrote:
This is an idea I like and I want to incorporate somehow. I need a random table of innocuous and common bugs.
* An unbounded dynamically allocated buffer in the login routine pseudorandomly changes the language of the user interface. Statistical analysis shows that it seems to favor Modern Sperethiel over any other transhuman language.
* Development mode is enabled and an interactive debugging shell is spawned and attached to a local serial port on the device. What is a serial port in three thousand years' time and how does one find it? Or plug into it?
* The protocol stack begins requiring all packets to be sent in reverse order.
* The protocol stack begins requiring the endianness (http://www.cs.umd.edu/class/sum2003/cmsc311/Notes/Data/endian.html) of all communications to be reversed.
* The connection seems to hang for a second and goes back to normal. In reality, the software crashed and was automatically restarted, but its pre-crash internal state was cached and restored automatically.
* A stupid/annoying/potentially exploitable easter egg is discovered in the code. For example, somebody hid a 2D manual flight simulator in an office application.
* The entropy gathering subsystem freezes, so all cryptographic keys generated from that point onward are identical.
* The window of the user interface - and only that window - crashes.
* The program only responds to the user with whatever the user just typed in.
* All characters are shifted one significant binary place forward/backward, resulting in what seems to be garbage.
* The online help limited AI in the remote service begins swearing at the user but never actually helps you.
* The remote service inserts into the traffic stream a packet or two from the user poking at the system.
* The registration code/license key is deleted, returning the system to its crippled, fresh-from-the-manufactory state. This also wipes the network settings, so unless you are directly interfaced with the unit you can no longer interact with it.
* The software prints "You are standing in an open field west of a white house, with a boarded front door. There is a small mailbox here."
OneTrikPony wrote:
I think you run a more optimistic game than I do.
I do. Then again, I work in infosec, so the only technology-related optimism I have is in RPGs.
OneTrikPony wrote:
I would love to do this any hints on where to start looking for the data? I don't have much of the appropriate vocabulary.
See Arenamontanus' reply. He found the study I was thinking of.
Arenamontanus
Great list of vulnerabilities! It is funny, our real-world infosec guy also thinks Eclipse Phase is optimistic :-) BTW, this post http://blog.risk.io/2013/08/stop-fixing-all-the-things-bsideslv/ suggests another aspect of vulnerabilities: once they are in the open, if they are known in enough places they will very likely be exploited. Fixing the most well-known gives a decent amount of security. Conversely, PCs returning to solar space after a leave better patch their possessions quickly, since some vulnerabilities might have become widely known: I can totally see Gatecrashers and colonists getting into trouble here.
Extropian