Simplified Netrunning Rules for GURPS Southowilson 4.0 (Updated 7/5/2010)
In the simplified netrunning system, we will not be using any of the existing cinematic, “Matrix”-style netrunning rules. Instead, use the following heavily abstracted rules. Normal computers by 2095 are nearly all equipped with some sort of system AI. Computers in 2095 are generally considered TL9, though some examples of TL10+ systems are occasionally available. “Cyberdecks” are small portable computers that are specialized and optimized for intrusion and tactical purposes. This is where the Netrunner comes in, supplying his human reflexes and intuition to do battle with the system AI, aided by carefully chosen software.
Typical 2095 Computer Systems
·
Personal
and small business systems – Complexity 5, IQ 8 Dedicated AI with effective
skill-13 due to software
· Local government, local police systems, large local business - Complexity 6, IQ 10 Dedicated AI with effective skill-16 due to software
· Normal corporate systems, most federal government systems – Complexity 7, IQ 10 Non-Volitional AI with effective skill-17 due to software
· Megacorp, military networks, or specific “high security” systems - Complexity 8, IQ 12 Non-Volitional AI with effective skill-20 due to software
· Extremely Illegal “No Such System Exists” Networks - Complexity 10+, IQ 16 Volitional AI with effective skill-25 due to software
Programs
In this abstracted system, software is rated by Complexity which can range from 1 to 15, though it is exceedingly rare to find anything above 5 or 6 commercially available at TL9. Prices are given in GURPS Ultratech, p25. Each category of programs actually represents a useful cluster of individual software, each with cool names like "Flatline", "Aegis", "Safecracker 6.1" or whatever. Programs have double the listed cost for TL9+ software.
Intrusion Software – Software designed to infiltrate computer security, mask one’s electronic signal or trace, and slip pass password/ID verification protection. This gives a bonus to hacking attempts equal to its complexity level.
Counter-Intrusion Software – Software designed to detect intrusion, alert system management, and protect systems against electronic attack of various sorts. This gives a bonus to the system’s defense roll equal to its complexity, essentially balancing out the hacker’s intrusion programs.
Offensive Software – Software designed to directly damage programs, hardware, or even directly attack the nervous system (so-called “Black ICE”). Exact effects depend on the software involved, and must be specified when purchased.
· Anti-Software programs attack software and subroutines on a computer, reducing its efficiency and effectiveness.
· Anti-System programs hinder or damage the computer directly by tying up resources or forcing actions that can damage delicate internal components.
· Black ICE programs attack the human element directly, with a variety of possible effects. These are rare and illegal in most cases.
Defensive Software – Software designed to defend other software, hardware, or users from direct attack by offensive software. It essentially acts as armor, offering “all or nothing” protection against direct attack.
Utilities – Software designed to perform various functional tasks, such as file management, hardware maintenance, remote/drone operation, et cetera. In many cases, these can be defined as skills. Many AI’s can learn skills on their own, not requiring utility software. It is common to have them anyway. A utility program grants a certain number of character points in a single skill, defined by its complexity.
Complexity Skill Points
1 1
2 2
3 4
4 8
5 16
6 20
7 24
Add. +1 +4
Software is constantly becoming obsolete, so add a penalty to the older software in any contest, -1 for each month between the two. This means that successful netrunners are constantly on the prowl for the latest and greatest software. Obsolescence is detailed using the rules provided in GURPS Cyberpunk, p79.
|
In a cyberpunk world the development of hardware and software speeds along at the same pace that everything else does. Attack and defense programs become less effective as they age because human hotshots and dedicated AIs are constantly finding faults and releasing new versions. Your Codewall may not stand up against a new Icepick, but it will laugh at last year's model. The GM should define a release date for each piece of software that the PCs get, or that is used by NPCs. When two programs oppose each other in a Contest of Skills, the older program has a penalty as given on the table below: 1 month: -1 6 months: -9 2 months: -2 7 months: -12 3 months: -3 8 months: -15 4 months: -5 9 months: -18 5 months: -7 Software more than 9 months old is simply useless in the world of high-stakes industrial espionage! |
Accounts
User accounts are the initial goal of any hacking attempt, as they allow the hacker access to the system’s functions and secrets. They come in four levels, as defined by GURPS Transhuman Space “Fifth Wave”, p127-128. These are as follows:
· No Access – The user can only access publicly available information and services not password protected.
· Data Access – A password protected account of the sort a customer or external user of a service might have. The user can send and store data, but cannot access internal information or services.
·
Limited
Access – An internal account on the system, allowing the user to send
instructions to the computer and have them acted upon. Control is usually
limited to specific functions related to the account’s job description, such as
a specific location and/or department. The account details must be defined at
creation.
·
Unlimited
Access – A system administrator account allowing full control over the
system in question. The system can be used to perform any task, regardless of
the nature of the account.
Gaining Access
Hacking is all about access. The netrunner will need to initially overcome passive defenses, passwords, and similar things simply to access the system. The hacker/netrunner will need to defeat the system defenses in a contest of skill – the hacker will use “Computer Hacking” plus Intrusion Software Bonus. The usual defense consists of the system AI’s “Computer Operations” skill (Defaults to IQ-4) + Defensive Software Bonus. System AI’s usually have Computer Ops at IQ level, but some systems are much stronger. Once the hacker has successfully penetrated the system, his margin of success determines the degree to which he has compromised the system security.
· Critical Failure Hacking attempt has been detected, and the system AI may initiate Cyberspace Combat
· Failure Hacking attempt has been unsuccessful, but the system is not alerted. User may try again at the usual penalties.
· Success Hacker is able to increase the level of his account by one step; “no access” to “data access”, “limited” to “unlimited”, et cetera.
· Critical Success Hacker is able to increase the level of his account by two steps; “no access” to “limited”, et cetera.
Every week, there is a chance that the hacker’s bogus
account will be discovered, depending on the type of system. In general, the
more secure the machine, the more frequently it will be audited. The weekly
chance of detection is roughly equal to the system’s Complexity or less on 3d,
adding +1 each time the account has been used in the last week, and a +5 if the
account is an “unlimited access” account (they are audited more severely). If
the hacker’s actions remain within the defined limits of the account the host
system will have little or no reason to suspect misbehavior, and no alarms will
be triggered. Most hackers are not interested in such things, though; they are
there, after all, to misbehave. This might include creating a new account somewhere
more useful, accessing information in “Security” or opening a door on the
shipping dock from an “Investment and Finance” limited user account, or nearly
anything else. If a hacker wishes to attempt something not allowed by the
account, it will require an additional “Penetration” roll as defined above.
Misbehaving
Once the hacker has gained access to the system, there are a variety of things that they will want to do while there. Most of these require separate skills, but the common ones are defined below. Failure means subsequent attempts are at -1 per attempt, while a Critical Failure means that the hacker has been detected.
· Creating New Accounts – Computer Hacking, as defined in “Gaining Access”
· Locating Information – Research, at a penalty based on the obscurity of the information in question
· Altering Information or Software – Computer Operations, at a penalty depending on the complexity of the desired results
· Controlling Physical Security – Electronic Ops (Security), at a penalty depending on the complexity of the desired results
· Controlling Remote Equipment – Piloting for aerial drones, Driving or Exoskeleton for ground drones, Electronic Ops (various) for equipment, all at penalty of -1 to -4 depending on the sophistication of the control equipment. The skill used will function at no higher than the user’s Computer Operations skill, though.
· Removing Traces of the Hacker’s Presence - Computer Operations or Computer Hacking, at a penalty depending on the complexity of the desired results
Other Factors
These modifiers are taken from Transhuman Space “Fifth Wave”, p130.
Multiple Attempts: -1 per previous or concurrent attempt against the same target, unless a significant amount of time has passed.
Prior Access: If the hacker has “No Access”, -8. “Data Access” is -4. “Limited Access” is +0.
Target Knowledge: If the hacker knows nothing about the system, -8. If the hacker knows the specific make and model of the system hardware, but nothing specific about the software load, -4. If the hacker knows who produced the system AI, -2. If the hacker knows who produced the system AI, and most of the major applications being run on the system, +0
Time Taken: Computer intrusion is a time-intensive process. The longer the hacker spends doing it right, the more likely the chance of success. These modifiers are taken from Transhuman Space “Fifth Wave”, p130.
Up to 1 minute -24
Up to 2 minutes -16
Up to 5 minutes -12
Up to 10 minutes -8
Up to 20 minutes -4
Up to 1 hour +0
Up to 2 hours +2
Up to 5 hours +4
More than 5 hours +6
Cyberspace Combat
If the hacker is discovered while in the system, cyberspace combat may be initiated. Occasionally a hacking attempt will go wrong, alarms will be tripped, and a host system or the personnel guarding it will take direct action. In the past, this was limited to tracing the connection and alerting the authorities. In the 2090’s, the consequences can be much more severe. Sometimes, the authorities are never notified at all. The system below is used to reflect what happens when the system AI engages the hacker directly, attempting to expel, subdue, or eliminate him.
Initiative: At the start of any action, an initiative roll will determine who acts first; highest roll goes first, followed in sequence counting down. In cyberspace combat, milliseconds are a matter of life or death.
Cyberspace Initiative = Basic Speed (IQ+DX/4) + System Complexity
Nearly all actions conducted in cyberspace combat are handled as a Contest of Skills, with the margin of success determining the specific effects. The skill used is always some variation of “Computer Operation” or “Computer Hacking” + Appropriate Program Complexity. The two major functions are Evasion and Attack
Evasion: If the hacker wishes to remain within the system and avoid engagement by the system AI or human sysops, it will be a contest of skills using the hacker’s Intrusion program against the defender’s Counter-Intrusion software. Roll a Contest of Skills, and consult the table below:
· Crit. Failure The system locks onto the hacker, who will be unable to evade the defender without first dropping offline completely.
· Failure Defender is able to maintain a fix on the hacker, and can attempt an attack or trace normally.
· Success Hacker is able to avoid detection this turn, but the system will remain engaged and continue to look for the hacker.
· Crit. Success Hacker eludes detection entirely, but the system remains wary… it knows someone was there, but not who or where.
Attack: Systems and humans may use various forms of software to directly attack each other. The specific effect depends of the margin of success in a contest between two opponents using “Offensive” and “Defensive” software. The table below determines the exact effect of an attack; defense is largely passive, serving only as a bonus to the defender’s skill roll.
· Crit. Failure The Defender is completely immune to attack by the Attacker, and cannot be affected by this particular form of attack.
· Failure The Defender completely avoids any effects from the current attack.
· Success The attacking software has normal impact on the defender.
· Critical Success The attacking software has double effect on the defender; roll damage, then double it.
Anti-Software programs reduce the effective Complexity of the targeted program by introducing “poison code”. They are usually used to soften up a target for a more serious form of attack; the most common target would be the opponent’s “Defense” software. Each attack reduces the target software’s effective complexity by “Swing Damage” per the Complexity level of the software; i.e. a Complexity-7 anti-software attack does 1d-3 damage. When target Complexity reaches 0, the targeted program is useless until a new copy is installed on the affected system.
Anti-System programs reduce the IQ of the targeted system by introducing “poison code”, aimed at slowing down the target computer, or causing it to damage itself, overheat, or seize up. This reduces the target system IQ by “Swing Damage” per the Complexity level of the software; i.e. a Complexity-7 anti-system program does 1d-3 damage. The target system must roll IQ or less to avoid being “stunned” and losing a round of action. When the targeted system’s IQ reaches 0, the system crashes until it is repaired. System IQ can usually be repaired using Electronics Repair (Computer), or occasionally Computer Programming.
Black ICE is the rarest form of computer software, expensive and usually illegal. It attacks the human element directly through the neural interface, with a variety of possible harmful effects. It is therefore a special case; different types are detailed below:
· “Zap”(x4 Cost) is the most direct form of ICE. It shocks the target through his neural interface, doing Swing damage based on the Complexity level of the software; i.e. Complexity-7 “Zapware” does 1d-3. This counts as a “Lethal Electrical Shock” per GURPS Basic p.432, exposing the victim to stun and possible fatal heart attack, based on the HT roll. This attack almost certainly also destroys the hacker’s computer.
· “Wipe” (x10 Cost) is more subtle than “Zap”, but possibly more feared. It attacks the target’s neurological functions by hijacking the neural interface long enough to produce devastating feedback. This reduces IQ and DX by Swing Damage per Complexity level of the software; i.e. Complexity-7 “Wipeware” does 1d-3 to both IQ and DX, simulating tremors and minor seizures that will plague the hacker. On a successful HT roll, this damage is temporary and can be recovered normally for a “Crippling Injury” per GURPS Basic p420. If IQ or DX is reduced to 0, the target goes into a coma and may die unless given medical care per GURPS Basic, p429.
· “Cult” (x20 Cost) is more insidious than the others, hijacking the user’s neural interface and implanting some sort of personality-altering code. This is usually disguised underneath a single round of “Zap” or “Wipe”. The “Cult” attack can implant Mental Disadvantages of most sorts, up to 5 points per Complexity level; these disadvantages must be defined at the time the software is written. For example, a Complexity-3 “Cult” might implant the victim with a -15 “Phobia: Internet”, Complexity-6 might inflict -30 “Epilepsy”, while a Complexity-10 “Cult” might inflict -40 “Slave Mentality” and -10 “Sense of Duty: EvilCorp”, turning the victim into a helpful minion. These ailments can be cured with time and medical care, bought off with experience points, or they might simply wear off with time.