Interface Zero 2.0 Fate Edition – Hacking Q&A

Over on the Interface Zero: Fate Edition Google+ Community we received a bunch of questions from Nicholas Simpson about hacking. I said I’d answer them on a blog post so I could easily come back and add more information. Putting it on my blog also means it will stay around as an easily searchable resource for anyone else with hacking questions.

So, here goes nothing!

1)If an access point is protected by something like a biometric scanner, can that also be hacked, and if so would it probably have better security than the network it’s guarding?

Biometric scanners are used to provide the highest level of physical security, whether that’s for a vault door or an on-off switch for a subnet. Nobody can hack a subnet that can’t be turned on without a detailed biometric scan of the VP of security, am I right?

It’s impossible to hack a biometric scanner wirelessly, but it can be bypassed physically if you have the knowledge, tools, and time. Biometric scanners are hardened as much as possible, making this a laborious process; it’s easier to kidnap the person who has authorized access to activate the biometric lock.

That’s for story reasons! The overriding drive when making the hacking system was to prevent ‘hacker stays in the van and solves the plot’ syndrome, and the limited range of cloud access points was a big factor in that. Biometric locks are the next step up, and should be used relatively infrequently in only the most security critical situations.

Overcoming a biometric lock is a Tech action against opposition appropriate to the situation, but it will usually be somewhere up in the Fantastic (+6) to Epic (+8) range, and with a timeframe of an hour.

2)Under Intrusion, it’s noted that some Hyper Objects can be “Invisible” when a hacker is trying to detect them; can subnets or clouds be made invisible as well?

Yes. ‘Invisible’ just means it doesn’t advertise itself when you search for it. It’s a bit like how today’s wi-fi networks can be hidden so that you must know the name of the network to be able to connect to it.

3)Can a hacker look for hidden targets without knowing they are there/what they are?

You can find concealed targets by searching with Hack opposed by the highest Firewall of the hidden targets in range. This will give you a list of object IDs (in hexadecimal or some kind of quantum computing gobbledegook!) and a rough idea of what each is (e.g. ‘a cloud’, ‘a hyper object’).

4)How is the broadcast range of a network determined for the purposes of hacking it?

According to the needs of plot! For security reasons access points are generally kept quite limited in range and shielding is used to prevent signal leakage. Each floor of a corporate skyscraper could have a subnet with the AP available on the entire floor, or a floor could be divided into multiple shielded suites, each with their own subnet and AP. It’s highly unlikely that you could access anything except the skyscraper’s Public Access Network.

5)When hacking a target outside of its broadcast range, can it only be achieved through a nearby connected Public Access Network, or can it be through any kind of nearby network? Can this only be done within range of the first connecting network, or can it be daisychained through multiple networks? Can this be done only to stationary networks, or can it be done on a moving Hyper Object or TAP? Can it be done to a network that would be Invisible or Concealed?

As long as something is connected to a cloud, whether directly or indirectly, you can use it as a point of ingress. You could theoretically use a drone or other trojan horse to carry an access point somewhere, then hack via that device–as long as you can somehow connect to it. Practically this is of limited utility because of the use of wireless shielding in secure areas. Again, the aim here was to prevent ‘hacker-in-a-van’ syndrome; we want hackers to be moving around with IZ teams, not stuck far away from the action. I said PAN in the rules because by definition the GDN terminates in PANs, from which you can then reach out to connect to things within range of the terminal access point.

6)What happens if a network has no Sysop or Sprites on it; does nothing roll to Notice hacking/intrusion attempts?

That’s correct. An unmonitored network is unprotected except for its Firewall.

7)How many sprites/sysops are normally assigned to a network? Does this differ by security?

This is down to the GM to decide. The more sprites/sysops there are the tighter the security; the same considerations apply as to building any conflict scenario.

8)When taking a Hacking action, it says they are opposed by the Sysop or sprite. Can they only do this if they’ve detected you, or is it automatic if they’re connected to the same subnet? What happens if there is no Sysop/Sprite?

From the rules:

“No roll is required to perform the standard actions of the hacked target, but doing something the target wasn’t designed for or which needs security clearance (such as logging into the user’s VR game account, taking an elevator to the penthouse suite, or permanently deleting their files) requires a Hack roll against the target’s Firewall, and a SysOp or Sprite connected to the cloud is always justified in providing active opposition.

So it’s against the firewall if there’s no SysOp or Sprite. If there is a SysOp or Sprite they’re always justified in providing active opposition; even if they aren’t aware of you as an intruder, their active monitoring and security protocols allow this. Practically, this means you’re opposed by the higher of the target’s Firewall or the SysOp/Sprite’s Hack.

9)Is there a delay/action required on moving from one subnet to another? How about from one connected cloud network to another? What is the general limitation imposed by being connected to a subnet in terms of affecting other subnets, the cloud network, or one’s own TAP? Basically, how many places can a Sprite/Sysop/Hacker be affecting an accessing at once and what are the restrictions on moving in between them?

You don’t literally move from one subnet to another, but you can only execute code in one place at a time (e.g. on an exchange). A single SysOp can monitor an entire cloud. In general as you penetrate deeper into a cloud your range of hacking options increases. In reality, security considerations mean that clouds have a limited number of subnets that are hackable by accessing the main cloud.

For example, hacking the Genshi Corporate Access Network from the main rules lets you (among other things):

1) Get a list of the subnets (finding the hIdden money laundering subnet would take a roll) and where their access points are.

2) Attack any of the subnets attached to the CAN or the entire network.

Let’s say you make your way up to the fourth floor and hack the Security subnet. On any given exchange you can now:

1) Control any of the security Hyper Objects attached to the Security subnet.

2) Attack any object, sprite, or sysop attached to the Security subnet.

3) Attack any subnet attached to the CAN.

In other words, you’re still connected to the CAN even when you connect to one of its subnets, because the subnet is a part of the network. You just can’t connect directly from the CAN to the subnet without being physically proximate to its authorised access point.

10) How exactly does IC work? Can it effectively take all the actions available to a Sysop/Sprite, or is it limited? If it is limited, please give a list of what it can and can’t do.

IC can only attack. It represents the network’s built in security attempting to get rid of hackers with DDOS attacks and other stuff.

11) Since the risk of attacking an entire network at once is being swarmed by sysops/sprites, is it assumed that each network has multiple sysops and sprites, and do they each count as another NPC in a conflict/contest?

The GM should decide how many SysOps and sprites are monitoring a given network (and its subnets) when creating the network. Yes, they each count as an NPC, but can be mobbed together as mooks per the standard Fate Core rules for handling the opposition.

12) When a sysop/sprite creates an “Alarm” aspect, does this clue in security to a general alert, or would it be able to clue them in to the more access locations of a specific subnet if the hacker was sighted at that level?

An alarm is just an aspect that can be used to gain advantages against the hacker. Security will certainly know the subnet that triggered the alarm, and this may give them a clue as to the whereabouts of the intruders if the subnet’s only access point is in a restricted area. If the SysOp has previously used Backtrace IP then they can tag the exact location of the intruder to the alarm.

13)How is difficulty set for a Sysop/Sprite calling/running another sprite as an overcome roll?

It’s automatic unless the hacker is opposing it (which they usually will!).

14) If a hacker wants to oppose calling a sprite, do they just need to declare this, or do they need to be in the same subnet/have placed a relevant advantage to do this?

They need to be connected to the same subnet.

15)When a hacker uses a relevant advantage to oppose an attempted system shutdown, does this use up the advantage or does it still exist?

Depends on the advantage and the situation, but it probably does not use up the advantage.

16) If a system is shut down, will sysops count as being forcibly booted or just hackers?

Log Out is an action, so yes _everyone_ connected to the network is forcibly booted. That’s another reason why this is a last ditch action!

17)Can hackers take the action to trace the physical location of a user, or is this limited to sysops?

As designed, only SysOps and Sprites. You could allow hackers to do this an overcome if you wanted to.

18)Can the hacker wipe out traces of his presence on a network any other way than taking it out in hyper conflict?

No, but they can take steps to cover their actions (e.g. by creating relevant advantages).

19)When calling a sprite, can only one be called at a time?

Injecting a sprite into a system or moving one from another subnet is an action, so yes.

20)When targeting a cloud network, do effects (e.g. aspects, effects of hyper conflict) caused to it also apply to all of its subnets, even if they have restricted access? Or does it only affect the networks currently accessible to the hacker?

I’d judge this on a case-by-case basis. Something like Network Lag being placed on a CAN would also affect any subnets of the CAN, certainly.

21)I understand why a big network would slave a bunch of hyper objects, but is there any benefit to a single entity slaving objects to his TAP?

You can’t use hyper objects that aren’t attached to a network–directly connecting to your TAP counts as attaching it to a network–unless you hack them. That means you’d have to waste an action connecting to an object before you could use it. Imagine if you had to re-pair your smart watch with your phone every time you wanted to check for new messages on it; same thing.

2 thoughts on “Interface Zero 2.0 Fate Edition – Hacking Q&A

  1. Nick Simpson

    Thanks for the reply!
    Some follow up questions:

    I’ll include the number of the question I am following up on.

    1) So can it be assumed that any kind of security blocking the access to a subnet will usually not be able to be hacked into and require a tech roll or something else?

    5) so basically, provided that a roll is made to find the access point/s, anything can be accessed from a distance provided that there is an unbroken chain of access points. My point of confusion is when comparing the Internet to the GDN. The Internet has a lot of info, including private corporate or government info, hosted on websites that can be accessed by any member of the public with a password or ability to hack. Is the GDN different in terms of items only being accessible within their wireless range, or does it also work like the Internet where anything hosted online can possibly be accessed by anyone?

    In other words, is there a sort of general public “Internet” which hosts material that might be restricted or that can be used to reach any network connecting to it?

    As a Note, this was already partially answered in the Google Plus thread on this. David indicated that the GDN works much like our own Internet in terms of having public access to things, but that companies would likely block public access within range of their restricted subnets and clouds to prevent remote hacking.

    7) Can you give some guidance for how many sysops/sprites to have as a way for a GM to quickly generate a network?

    9) So is it possible to initiate hyper combat with a Subnet while only connected to its parent cloud? If so, does this only alert the subnet or the entire cloud? If a sysop can monitor the cloud and all of its subjects at once, it makes no since to infiltrate a subnet to attack it, as the sysop can just instantly summon every Sprite there the same way he could if you attacked the general cloud, and the IC might be stronger in the subnet (this could be fixed by not allowing a subnet to hold any more sprites than what it starts with and those attached to a sysop/hacker and allowing them to use the highest IC on a cloud when the cloud itself is attacked). Also, does crashing a cloud crash all of its subnets, even if the attacker can’t remotely access them?

    Basically, the subnets seem to work well for regular hacking, but there seem to be some issues with how they work for hyper combat.

    16) so does the sysop who uses shutdown automatically suffer the ejection and IC attack since they spent an action on shutdown and it will eject them at the start of their next action?

    21) so what is the difference between a character slaving hyper objects to his tap and a security network slaving cameras, locks, and drones to itself? The rules seem to indicate that the former has to have its hyper objects hacked one at a time whereas the latter can have them all be affected at once. Is it a case where only a category of hyper objects can all be affected at once, and if so what are the guidelines for categories (e.g. If guns were a category could all of a characters smart guns be shut down at once even if they have several?)

    Reply
    1. Richard Bellingham Post author

      1) So can it be assumed that any kind of security blocking the access to a subnet will usually not be able to be hacked into and require a tech roll or something else?

      Not necessarily. Someone could use a Hyper Object for extra security–say subnet access point which is turned on or off by a hyper object switch that has a Fantastic (+6) firewall compared to the standard Good (+3) firewall that the rest of the network has.

      5) so basically, provided that a roll is made to find the access point/s, anything can be accessed from a distance provided that there is an unbroken chain of access points. My point of confusion is when comparing the Internet to the GDN. The Internet has a lot of info, including private corporate or government info, hosted on websites that can be accessed by any member of the public with a password or ability to hack. Is the GDN different in terms of items only being accessible within their wireless range, or does it also work like the Internet where anything hosted online can possibly be accessed by anyone?

      In other words, is there a sort of general public “Internet” which hosts material that might be restricted or that can be used to reach any network connecting to it?

      As a Note, this was already partially answered in the Google Plus thread on this. David indicated that the GDN works much like our own Internet in terms of having public access to things, but that companies would likely block public access within range of their restricted subnets and clouds to prevent remote hacking.

      Think of the Internet as a Public Access Network with a bunch of secure subnets connected to it which are hidden behind authentication portals, VPNs, etc. That’s how things work in IZ too, but the really juicy paydata and other stuff is not accessible by indirect connection from the GDN, just as in the modern day companies don’t host their really secret stuff on a network which is accessible from the Internet. Partly this is for gameplay reasons, as mentioned earlier; it’s not much fun for everyone if the hacker can routinely solve plots etc. without having to leave his armchair.

      7) Can you give some guidance for how many sysops/sprites to have as a way for a GM to quickly generate a network?

      Simple answer? No, not really! It depends on the number of hackers going on a mission and how much opposition you want to put in their way. You can use the guidance on building the opposition from the main rules for this, but bear in mind that there are no ‘zones’ so things can escalate really fast with SysOps and Sprites dogpiling on helpless hackers. Like many things in Fate, it’s a bit of an art rather than a science.

      9) So is it possible to initiate hyper combat with a Subnet while only connected to its parent cloud?

      You can attack the subnet as an entity, yes.

      9) If so, does this only alert the subnet or the entire cloud? If a sysop can monitor the cloud and all of its subjects at once, it makes no since to infiltrate a subnet to attack it, as the sysop can just instantly summon every Sprite there the same way he could if you attacked the general cloud,

      It alerts the subnet and anything currently watching it. If you attack a subnet, it is the subnet’s IC that attacks you back, which may be good or bad depending on whether you’re hacking a public access subnet attached to a corporate access network, or a secure subnet attached to a public access network. Also, apologies, I misspoke earlier when I said summoning all the sprites on a cloud was a single action; it’s actually an action to summon each sprite and I have amended the post accordingly.

      9) Also, does crashing a cloud crash all of its subnets, even if the attacker can’t remotely access them?

      Yes.

      16) so does the sysop who uses shutdown automatically suffer the ejection and IC attack since they spent an action on shutdown and it will eject them at the start of their next action?

      Yes.

      21) so what is the difference between a character slaving hyper objects to his tap and a security network slaving cameras, locks, and drones to itself? The rules seem to indicate that the former has to have its hyper objects hacked one at a time whereas the latter can have them all be affected at once. Is it a case where only a category of hyper objects can all be affected at once, and if so what are the guidelines for categories (e.g. If guns were a category could all of a characters smart guns be shut down at once even if they have several?)

      This is user configurable. By default, you can command a single hyper object on a network to do one thing in any given action. You can configure a subnet so that it will send the same command to multiple linked objects, and you can also slave multiple hyper objects to a single master hyper object (like a camera controller etc.) so that a command sent to the master object will be sent to all of its slaves. It is unlikely that someone would configure the smart guns on their TAP that way, but the option is there if they want it!

      Reply

Let me know what you think!