Welcome! These forums will be deactivated by the end of this year. The conversation continues in a new morph over on Discord! Please join us there for a more active conversation and the occasional opportunity to ask developers questions directly! Go to the PS+ Discord Server.

Firewall on Firewall action

18 posts / 0 new
Last post
Sun, 2014-04-06 15:27
#1
Teneroth Teneroth's picture
Firewall on Firewall action
So I have an interesting question which I have been mulling over for a while. One of the situations I've looked into as a possibility for the game I run involves several assumptions about firewall. First off Firewall is very much a 'need to know only' group, with a cell like structure and a number of routers controlling various groups of proxies on different missions. Even among the 'inner circle' information about what missions are being taken on and to what goal are often not shared to prevent intel leaks. Division of information or whatever it's called. Because of this it is possible for two or more routers who aren't in direct communication to send proxy teams out on missions in response to similar perceived x-threats. Also, routers and proxies have different methods of going about said mission, one team may be given orders to retrieve the mcguffin intact for study, while another group may be told to destroy it. This would likely lead to the two teams being in direct conflict with one another. So my question is thus: How do firewall members recognize one another? Is there a method for these two teams to identify one another as firewall agents in the field so they can solve the issue without a firefight and someone having to ask their router for a new morph? Or is it simply the winning team gets back to base and finds out another team, that oddly matches the description of a group they faced, was killed in the same area at the same time as they were in a firefight, and the router controlling that group put out a warning for a group matching their description as a possible target? "Oops, that was us... well.. guess we're the better team... sorry?"
Game & narrative designer in training
Top
Mon, 2014-04-07 11:42
MAD Crab MAD Crab's picture
I don't know for sure that
I don't know for sure that this is canon, but an easy solution is to use a technology that's common today - public key cryptography and certificate signing. Root certificates maintained by the highest levels of Firewall are used to sign certificates of routers who sign certificates of agents. Agents meeting can compare certificates and check if they are issued by the same root authority. This has drawbacks of course - not least, you're handing around evidence that you're firewall. And of course, if you are in shoot-first mode, will you or your muse try the certificate exchange?
Top
Mon, 2014-04-07 11:59
bibliophile20 bibliophile20's picture
I'm picturing a Flock Of
I'm picturing a Flock Of Wolves scenario; plenty of opportunity for comedy, even more for tragedy. Because this is completely possible, to my mind; as MAD Crab pointed out, twitchy people don't have the best IFF systems... But, yeah, must now figure out what kind of project would attract the simultaneous attentions of the different factions of Firewall, Project Ozma, and, for good measure, a Jovian infiltrator squad. How many different factions of spies can we have converging on a single project?

"Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote." -Benjamin Franklin

Top
Mon, 2014-04-07 15:50
Ancient History Ancient History's picture
Shameless Plugging
My take on that was Operation Orphan: http://www.farcastblog.com/2013/12/352-operation-orphan.html
[url=http://farcastblog.com]Farcast, an Eclipse Phase yearblog[/url]
Top
Mon, 2014-04-07 23:23
DivineWrath DivineWrath's picture
MAD Crab wrote:I don't know
MAD Crab wrote:
I don't know for sure that this is canon, but an easy solution is to use a technology that's common today - public key cryptography and certificate signing...
You might not want to be trading data with something that might be infected by a TITAN virus... or is a TITAN...
Top
Tue, 2014-04-08 10:34
MAD Crab MAD Crab's picture
I felt that was covered by
I felt that was covered by the "If you're in shoot first mode..." bit.
Top
Wed, 2014-04-09 22:09
Chernoborg Chernoborg's picture
Heh, I'd sort of thought you
Heh, I'd sort of thought you might try something like this over on the Orion Drive thread. I even used [spoiler] so on the off chance it WAS your plan I didn't blow it! Aaand and now I've caught myself using Giza as a verb!
Current Status: Highly Distracted building Gatecrashing systems in Universe Sandbox!
Top
Wed, 2014-04-16 19:28
The Doctor The Doctor's picture
MAD Crab wrote:This has
MAD Crab wrote:
This has drawbacks of course - not least, you're handing around evidence that you're firewall. And of course, if you are in shoot-first mode, will you or your muse try the certificate exchange?
I think that would be a good argument for Firewall not maintaining a CA. Agents would be carrying evidence that a highly illegal conspiracy exists which could also be used for tracking down other, more highly trusted agents in the power structure. It would be too big a risk to operational security, I think.
[img]http://drwho.virtadpt.net/graphics/info_userbar.jpg[/img] [img]http://drwho.virtadpt.net/graphics/argo_userbar.jpg[/img] [url=https://drwho.virtadpt.net/graphics/blankbadge.png][img]http://drwho.vir...
Top
Sat, 2014-04-19 05:19
Kassil Kassil's picture
The Doctor wrote:MAD Crab
The Doctor wrote:
MAD Crab wrote:
This has drawbacks of course - not least, you're handing around evidence that you're firewall. And of course, if you are in shoot-first mode, will you or your muse try the certificate exchange?
I think that would be a good argument for Firewall not maintaining a CA. Agents would be carrying evidence that a highly illegal conspiracy exists which could also be used for tracking down other, more highly trusted agents in the power structure. It would be too big a risk to operational security, I think.
I'll second the idea that Firewall probably doesn't maintain any kind of recognition handshake; even with encryption provided by their secret superintellects, it's too big a risk. So the real reason you get 'the response team' and 'the cleanup squad' on missions is because otherwise you have too much risk of cross-team conflict. You could build an entire campaign around a case of mistaken identity in this fashion, with the PCs chasing a dangerous band of x-threat terrorists sowing chaos and destruction, only to find that the terrorists are Firewall agents being directed by a somewhat overzealous Purifier proxy.
"Don't eat the jelly, that's a protoplasm someone sleeved into."
Top
Mon, 2014-04-21 08:30
Rallan Rallan's picture
MAD Crab wrote:I don't know
MAD Crab wrote:
I don't know for sure that this is canon, but an easy solution is to use a technology that's common today - public key cryptography and certificate signing.
I think it's safe to assume Firewall already has already licked its secure communications problems about as well as they can be licked. The big communication problem is more likely to be people deciding (either as a matter of policy or on their own initiative) that certain folks don't need to know certain things. A committee decides suppress all information about a basilisk hack that wiped out an exoplanet research station because they suspect that the schematics have their own hacks encoded in them. An agent on Extropia gives his handlers edited accounts of what he's up to (occasionally altering data that will be mission-critical for someone else later on) to obscure his criminal connections. You've got a gig to do on Mercury, and you don't even know that some of the Grand High Poobahs of Firewall have decided to deliberately feed misinformation to all their proxies there as part of a sting operation to flush out an Ozma infiltrator that they're not even sure exists. Plus because it's all so informal and slapdash and more of a volunteer organisation than a part of the traditional military-industrial-surveillance complex, there's probably gonna be a fair bit of stuff involving Firewall people who just do things off their own bat without calling anyone upstairs to let them know what's going on. And even more stuff involving Firewall agents who run headlong into completely unaffiliated folks who've made it their business to deal with existential threats, from Ozma to Jovian Intelligence to Ultimate mercenaries to official unofficial temporarily deputised Scum posses who quote Holy Grail whenever someone asks how their organisation works.
Top
Tue, 2014-04-22 00:11
MAD Crab MAD Crab's picture
Rallan wrote:
Rallan wrote:
I think it's safe to assume Firewall already has already licked its secure communications problems about as well as they can be licked. ... (Snip)
Sure, those are all valid points. But that's sort of beside the idea of using certs to identify branches. Being able to identify yourself only works if you actually go and try and identify yourself. And even then, do you believe that the other guys are doing a worthwhile job?
The Doctor wrote:
I think that would be a good argument for Firewall not maintaining a CA. Agents would be carrying evidence that a highly illegal conspiracy exists which could also be used for tracking down other, more highly trusted agents in the power structure. It would be too big a risk to operational security, I think.
Carrying a cert isn't really any greater risk than just being in Firewall. If somebody has access to your ego or backups and wants to pry info out of your brain, there's no really good way of stopping them, is there?
Top
Tue, 2014-04-22 12:31
Mandella Mandella's picture
MAD Crab wrote:
MAD Crab wrote:
Carrying a cert isn't really any greater risk than just being in Firewall. If somebody has access to your ego or backups and wants to pry info out of your brain, there's no really good way of stopping them, is there?
And that's really the thing, isn't it? Firewall isn't truly secret. Ozma knows about them, the Jovians know about them -- "secret" only applies to public knowledge, and even that only goes so far. But the problem of even a properly encrypted cert is that do you really trust it? There are plenty of ways to spoof a cert today, and except for the
Spoiler: Highlight to view
super secret Promethean actually running the show
handwavium absolutely secure authentication path, it is totally possible to have opponents showing fake credentials as a matter of course. I guess it all depends on how Spy vs Spy the GM wants to run things, versus how much emphasis the GM wishes to put into the above mentioned absolutely secure authentication path. (And one needs to be careful lest things slip into Paranoia territory, where everybody is a double agent and it's more funny than horrific.)
Top
Tue, 2014-04-22 13:52
MAD Crab MAD Crab's picture
True, you'd have to worry
True, you'd have to worry about faked or compromised certs. But somebody without a cert at all is definitely not part of the org.
Top
Wed, 2014-04-23 09:55
ShadowDragon8685 ShadowDragon8685's picture
Honestly, I just go with the
Honestly, I just go with the handwavium excuse. Do some Matrix chatter with somebody who's part of Firewall that you don't know is part of Firewall? Congratulations, you now have access to her i-Rep. and by extension, the implicit fact that they're part of the Eye. Because too much paranoia (non-capital P paranoia,) just isn't very fun for the game. Plus, if you beat it into your players that they should be suspicious of everybody, they're going to wind up operating as their own parallel Firewall that doesn't trust [i]anybody[/i] who's ostensibly also a part of the Eye, not even the guy sending them their missions. That will make it impossible to spring the surprise double agent on them when it comes to hit them with the fact that that guy who has a totally legitimate i-Rep score and is, in fact, a Firewall member, is being blackmailed/bribed/bought/has defected to Project Ozma, because they won't trust anybody without interrogating a fork. My players: No, I am [b]not[/b] planning a Firewall double-agent in the near future. Or even the far future. It was an example: a GM only gets one good double-cross in on his players per game, two at the [i]most[/i], before they circle the wagons and start interrogating forks of the girl who offered to take them out for a soycaf, her treat. So don't waste it and make it a good one. It's the old Shadowrun saw, that a veteran 'runner won't go to breakfast at his grandmother's house without doing at least a day's worth of legwork, bringing backup, and deploying drones on overwatch.
Skype and AIM names: Exactly the same as my forum name. [url=http://tinyurl.com/mfcapss]My EP Character Questionnaire[/url] [url=http://tinyurl.com/lbpsb93]Thread for my Questionnaire[/url] [url=http://tinyurl.com/obu5adp]The Five Orange Pips[/url]
Top
Wed, 2014-04-30 00:50
Steel Accord Steel Accord's picture
Funny
Because I feel that this sort of situation could be best summed up by this scene: https://www.youtube.com/watch?v=kHHitXxH-us
Your passion is power. Focus it. Your body is a tool. Hone it. Transhummanity is a pantheon. Exalt it!
Top
Wed, 2014-04-30 20:10
The Doctor The Doctor's picture
Kassil wrote:I'll second the
Kassil wrote:
I'll second the idea that Firewall probably doesn't maintain any kind of recognition handshake; even with encryption provided by their secret superintellects, it's too big a risk.
That in itself would be suspicious. Any intelligence entity in Eclipse Phase that happened to capture a sample of cyphertext that, upon analysis, appeared to have been generated using a wholly novel cryptosystem would just about leap out of its skin because they would have discovered something completely unknown. That would imply the existence of an entity somewhere in the solar system that 0) is probably more advanced than they are in the field of cryptography, and 1) has agents somewhere in the solar system because it is sending a message to /someone/ out there. Uh-oh. Are the TITANs back?
[img]http://drwho.virtadpt.net/graphics/info_userbar.jpg[/img] [img]http://drwho.virtadpt.net/graphics/argo_userbar.jpg[/img] [url=https://drwho.virtadpt.net/graphics/blankbadge.png][img]http://drwho.vir...
Top
Wed, 2014-04-30 20:15
The Doctor The Doctor's picture
MAD Crab wrote:Carrying a
MAD Crab wrote:
Carrying a cert isn't really any greater risk than just being in Firewall. If somebody has access to your ego or backups and wants to pry info out of your brain, there's no really good way of stopping them, is there?
Somebody finding a certificate issued by a CA they had no knowledge of (because CAs participate in ecosystems that are, in theory mutually supporting) implies a CA that does not participate in the ecosystem. Rogue CAs are themselves strange. Then the question "Why issue a cert?" comes up... In an environment in which a conspiracy is at work, and that conspiracy works to conceal itself as thoroughly as possible (especially for reasons involving stuff I do not have the compute cycles to figure out how to spoiler-alert right now..), leaking any bits at all is probably too big a risk. Especially in a solar system which is more or less terrified of anything even vaguely resembling the TITANs coming after them. It impacts deniability of both operatives in the field, and lines of communication from those operatives back to whomever is giving them orders.
[img]http://drwho.virtadpt.net/graphics/info_userbar.jpg[/img] [img]http://drwho.virtadpt.net/graphics/argo_userbar.jpg[/img] [url=https://drwho.virtadpt.net/graphics/blankbadge.png][img]http://drwho.vir...
Top
Thu, 2014-05-01 06:01
Kassil Kassil's picture
The Doctor wrote:Kassil wrote
The Doctor wrote:
Kassil wrote:
I'll second the idea that Firewall probably doesn't maintain any kind of recognition handshake; even with encryption provided by their secret superintellects, it's too big a risk.
That in itself would be suspicious. Any intelligence entity in Eclipse Phase that happened to capture a sample of cyphertext that, upon analysis, appeared to have been generated using a wholly novel cryptosystem would just about leap out of its skin because they would have discovered something completely unknown. That would imply the existence of an entity somewhere in the solar system that 0) is probably more advanced than they are in the field of cryptography, and 1) has agents somewhere in the solar system because it is sending a message to /someone/ out there. Uh-oh. Are the TITANs back?
And that's exactly why it'd be too big of a risk - plus if enough samples are dropped, unless it's a constantly shifting encryption scheme, it'll be compromised. After all, if you have sufficiently advanced codebreaking tools and a large enough sample size, you'll [i]eventually[/i] get the patterns worked out. And constantly shifting the patterns means your sentinels and proxies who are out of touch for a bit will no longer be able to handshake with other agents. Run too far down this particular road and there's no way Firewall could possibly maintain a secret via any technological method. So they clearly resort to old-fashioned espionage and just hide in plain sight, piggybacking darkcasts and hijacking server time to run their own simulspaces and so on. It's really more of a shock that every Firewall agent with much of any information isn't fitted with mandatory deadswitches.
"Don't eat the jelly, that's a protoplasm someone sleeved into."
Top