OK, the core rules for computer usage and hacking are a bit pants at the moment, so I've made a few suggested modifications but just sufficient not to be too extreme in the changes.
This is a work in progress (I still have to look at actions and software) and comments are appreciated.
# Interfacing and Infosec in Eclipse Phase
## Interfacing vs InfoSec
The standard rules state that Interfacing is used "to understand an electronic device you are not familiar with, use a program according to its normal operating parameters" etc. Available specializations include "Forgery, Scanning, Stealthing, by program" (p180 Core Rules).
The specialisations, which are more InfoSec knowledges, are contrary to the description, which is basically about application usage. As an alternative, use the application protocols as specialisations: Augmented Reality (AR), Virtual Reality (VR), or Experience Playback (XP) (c.f. p239 Core Rules).
In contrast the InfoSec skill is "for hacking into electronic devices and mesh networks and for protecting them" and "encompasses training in electronic intrusion and counterintrusion techniques as well as encryption and decryption." The specialisations are "Brute-Force Hacking, Decryption, Probing, Security, Sniffing, Spoofing" (p180 Core Rules).
These are somewhat closer to real hacking specialisations, although "Security" is an odd one and "Brute force hacking" could be replaced with "Cracking" in general. "Probing" can represent various forms of vulnerability scanners. Thus the InfoSec specialisations are: Cracking, Encryption, Probing, Sniffing, and Spoofing.
Note that the most common form of real-world hacking is the use of social skills such as Deception, Intimidation, Persuasion, and even making use of Reputation!
## Using the Mesh
The rules basically provide something similar to a MAC address for devices. "Every mesh user (and, in fact, every device) has a unique code called their mesh ID. ...Devices, networks (such as PANs, VPNs, and hard-wired networks), and services require that every user that accesses them does so with an account. ... There are four types of accounts: public, user, security, and admin." (p246 Core Rules)
It is probably worth specifying that MeshID is device-based, not user-based.
"Mesh networks and AR are overrun with yottabytes of information. ...At the gamemaster’s discretion, mist can interfere with a user’s sensory perceptions. This modifier can range from –10 to –30 ...To lift the data fog, a character or muse must adjust their filter settings by succeeding in an Interfacing Test modified by the mist modifier." (p247 Core Rules)
This provides an important use of the Interface rules, especially when accessing information in an information-dense public environment.
## Tracking
"Most users leave traces of their physical and digital presence all throughout the mesh. Accounts they access, devices with which they interact, services they use, entoptics they perceive—all of these keep logs of the event, and some of these records are public. Simply passing in the vicinity of some devices is enough to leave a trail, as near-field radio interactions are often logged." (p251 Core Rules)
Whilst most wireless devices can be found by a public scan, detecting a private wireless device is of greater difficulty.
"To detect a stealthed signal, the scanning party must actively search for such signals, taking a Complex Action and making an Interfacing Test with a –30 modifier. If the character aiming for stealth engages in active countermeasures, also requiring a Complex Action, then an Opposed Interfacing Test is called for (with the –30 modifier still applying to the scanning party)." (p251, Core Rules)
Contrary to the Core Rules, finding a hidden wireless network should not be an Interfacing test, but rather an InfoSec test with use of the Sniffing specialisation.
"An unknown user’s physical location can also be tracked via their online mesh activity—or more specifically, by their mesh ID (p. 246) ...To track an unknown user by their mesh ID alone requires a Research Test. If successful, they have been tracked to their current physical location (if still online) or last point of interaction with the mesh. If the character is in Privacy Mode, (p. 252), a –30 modifier applies." (p251, Core Rules)
"A more investigative search can attempt to use the target’s mesh ID (p. 246) as a sort of digital fingerprint to look up where else they’ve been online. This primarily involves checking access/transaction logs, which are not always publicly accessible. This sort of search requires a Research Test, handled as a Task Action with a timeframe of 1 hour." (p252, Core Rules)
### False IDs
"The easiest method of making mesh activities anonymous is to set your muse to supply false mesh IDs in online transactions. ...This method makes it extremely difficult for anyone to track the user’s online actions. Someone attempting to track the character via these false mesh IDs must beat them in an Opposed Test, pitting their Research skill with a –30 modifier against the character’s (or more likely their muse’s) Infosec skill. This is a Task Action with a base timeframe of 1 hour, adjusted higher according to the amount of activity they hope to track." (p252, Core Rules)
Supplying false meshIDs should be an easy (+30) InfoSec (Spoofing) test, and it is common for devices to randomly generate MeshIDs. Beyond this, the rules have the right implication but the wrong execution. To detect a spoofed address, a system may do a database lookup (trivial Interfacing test +30 to do manually, or have it automated) on the profile and determine whether there is a match. Note that the database lookup is huge and process-intensive and usually is only applied for systems that are very worried about someone using an anonymous MeshID, as it means that all logins take at least a minute to complete. If there is no match, it can refuse or limit access, or trigger an alert.
Another reason to use a false meshID is to reduce bans on detected intrusion attempts. Many systems will simply block intrusion attempts after a specified number of failures based on the meshID.
### Anonymous Services
"...various online service vendors offer anonymous accounts for messaging and credit transfers. ...While some anonymous accounts are established for regular use, the truly paranoid use (multiple) one-time accounts for maximum security. One-time accounts are used for a single message (incoming or outgoing) or credit transaction and then are securely erased. Tracking an anonymous account is a practical impossibility..." (p253, Core Rules)
Note that various forms of anonymised user identity are used, but with credit transactions they are not securely erased, but securely erased from public view and archived (according to law or contractual obligation) for several years. This is necessary to ensure legitimacy and proof of the transaction. A banking or credit transaction body that deletes transaction records would be viewed with significant suspicion.
## Mesh Security
### Authentication
"There are several different ways for a system to authenticate a user. Account ...Mesh ID ...Passcode ...Biometric Scan ...Passkey ...Ego Scan ...Quantum Key" (p253, Core Rules)
Biometric scans, as the Rule Book suggests, are quite rare because people keep changing their Morph. Systems that use such authentication have been largely replaced by Nanotat scans, Brainprints, and Ego Scans.
### Active Monitoring
"Active surveillance makes intrusions more difficult, since the interloper must beat the monitoring hacker/AI in an Opposed Test (see Intrusion, next page). Active monitoring also includes monitoring any devices slaved to the monitored system. Characters may actively monitor their own PANs if they so choose, though this requires a moderate level of attention (count as a Quick Action)." (p253, Core Rules)
The second sentence indicates a typical set-up as systems that care about security will have an alert system for unauthorised attempts to gain ingress.
## Encryption
"Due to the strength of the public key system algorithms, such [public key] crypto is essentially unbreakable without a quantum computer ...quantum encrypted data transfers are unbreakable and attempts to intercept automatically fail." (p254, Core Rules)
"...quantum computers can also be used to break public key encryption. This requires an Infosec Task Action Test with a +30 modifier and a timeframe of 1 week" (p254, Core Rules)
Change to an InfoSec (Encryption) task action. Note that acquiring the private key may be easier.
### Intrusion
"To spoof a legitimate user, the hacker must be using both sniffer and spoofing software (p. 331). The hacker must then monitor a connection between the legitimate user and the target system and succeed in an Infosec Test to sniff the traffic between them (p. 252). Apply a –20 modifier if the user has security account privileges, –30 if they have admin rights (p. 246). If the connection is encrypted, this will fail unless the hacker has the encryption key." (p255, Core Rules)
The spoofing here refers to network sniffing and then spoofing, which is really only effective on systems which authenticate based on MeshID. Other spoofing attacks (e.g., phishing) attempt to get targets to reveal their username and password through deception.
"Biometric and passkey systems used for authentication (p. 253) can potentially be forged by hackers who are able to get a look at the originals. The means and techniques for doing so differ and are beyond the scope of this book, but successfully forging such systems would allow a hacker to log in as the legitimate user." (p255, Core Rules)
These "means and techniques" are phishing attacks, a trivial +30 Interface test to set up, followed by a contested Deception versus Willpower roll with a +30 bonus for the target, with InfoSec skill bonuses assisting. Transhumanity is used to receiving emails allegedly from their banks, and their Muses (if not the character) can check to see whether the return MeshID is legitimate.
"Hacking into a node is a time-consuming task. ...Hackers require special exploit software (p. 331) to take advantage of security holes. ...Lacking a passcode, the hacker must break in the old-fashioned way: discreetly scanning the target, look for weaknesses, and take advantage of them. In this case the hacker takes their exploit software and makes an Infosec Test. This is handled as a Task Action with a timeframe of 10 minutes." (p255, Core Rules)
Note that the above is about finding an exploit in the operating system's authentication system with an Infosec (Probing) roll typically ranging from +30 for highly public systems to -30 for more private systems (e.g., one which requires a login for further access to utilities). A successful InfoSec (Probing) will inform the attacker of the type of system and any vulnerabilities that exist. As above, "This is handled as a Task Action with a timeframe of 10 minutes."
The result of the probe will provide the attacker a modifier to the authentication attack; an Infosec (Cracking) roll is typically used to gain user-level access, with a time-frame of one test per minute. Unmanaged home computers will provide a +0 bonus to the attacker, small retail commercial at -10, commercial -20, with further degrees of difficulty up to -60 for a well-secured system. A failed InfoSec (Probing) task will also generate a -60 modifier, as they simply are attacking blind. For individual systems much depends on the skill of the person managing the system and how often they apply security patches and so forth.
"By default, a hacker trying to break in this way is pursuing standard user access rights (p. 246). If the hacker wishes to obtain security or admin privileges on the system, apply a –20 or –30 modifier, respectively." (p255, Core Rules)
There should also be the opportunity for escalation of account privileges. From a user-level account an attempt may be made to achieve a security level account with a -10 penalty, and from there an administrative account with a -20 penalty. Both of these require an InfoSec (Cracking) roll, again modified by the security level of the system.
"If a system is also actively monitored (p. 253), the hacker must avoid detection. Treat this as a Variable Opposed Infosec Test between the intruder and the monitor." (p255, Core Rules)
Use Infosec (Snooping) versus Infosec (Sniffing), representing the two aspects of stealth and detection.
## Brute Force Hacking
"This is handled as an Infosec Test, but as a Task Action with a timeframe of 1 minute (20 Action Turns). The hacker receives a +30 modifier on this test. Many hackers choose to rush the job (see Task Actions, p. 120), in order to cut this time even shorter. The drawback to brute-force hacking is that it immediately triggers an alarm." (p257, Core Rules)
Note the alarm is only triggered if there was one in place. Note that brute-force attacks are almost certain to fail unless a spoofed meshID is used (this is assumed in the above). Otherwise, after the first few attempts the system will block the attacker's meshID and invoke a Lockout (p258 Core Rules).
Interfacing and Infosec
Mon, 2016-06-13 02:58
RPG Review Cooperative, Inc.