Thursday, July 28, 2016

Computer Hacking and Roleplaying

Note: The following is merely for tabletop role-playing purposes and not for actual hacking.


  • We are in a post cyber punk environment.
  • Hacking is pushing something to make it do something outside of the anomaly.
  • A motivated hacker will get in.
  • The Focus is act vs result
  • Result needs to be the focus for rpgs.
  • The act needs to be defined by the rule mechanics.

What does the act require?

1.  Skill
- while you need skill to perform the task, the main purpose of the skill is to be able to detect anomaly's that can be exploited.
- hacking is a slow with an occasional eureka moments.  It's best to treat most of it not unlike travelling in an rpg.

2. Tools
- tools are relatively cheap for the base usage
- however a lot of tools are for a single job (such as a bot net, security key, etc) and are effectively consumables.
- a lot of it can be automated, but it still requires a seasoned set of eyes to interpret the data.

3. Time
- your not going to be able to script during a battle situation.
- it also works in your flavor as there is a good chance you might not be detected until it's too late.

Cyber kill Chain

Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
- not detectable, so much noise, social engineering, physical reconnaissance.
- reconnaissance is the real party endeavour. and the most group party interaction.
Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
- not detectable, understand vulnerabilities.
Delivery: Intruder transmits weapon to target (e.g., via e-mail attachments, websites or USB drives)
Exploitation: Malware weapon's program code triggers, which takes action on target network to exploit vulnerability.
Installation: Malware weapon installs access point (e.g., "backdoor") usable by intruder.
Command and Control: Malware enables intruder to have "hands on the keyboard" persistent access to target network.
Actions on Objective: Intruder takes action to achieve their goals, such as data ex-filtration, data destruction, or encryption for ransom.

Gaming Basis

  • Ultimately it is easiest to treat hacking like spellcasting.
  • Treat hacking requirements like a magic item or artefact. - it's not so much having skill but the acquisition of info or data that allows it to go off.
  • This creates a fetch quest like feel to get the info and tools required as well as provides a means for the rest of the party to get involved.
  • It is time extensive action that acts in conjunction with the other action.
  • It also has material components as ablative resources.  new code has to be treated as crafting. - it will cost time,money and other sources.
  • The hacker needs to operate in real time with the party and whenever possible, endure the same threats.
  • The hacking skill should be used to setup the  killing blow not the entirety of the action.

Designing a target

I'm splitting it into four categories: Goal, People, Processes, and Technology.


1. What is the purpose of the Hack?
The Purpose of hacking is as follows:
i. Message - the act is the message, often for political purposes.
ii. Money
iii. Sabotage
iv. Secrets
2. How traceable is the data received?


Human nature is a flaw and weakest part of an organisation.
1. How computer savvy is the people involved overall
2. Which people are "loose ends" (such as a janitor, someone in the sales department, etc) due to apathy (ex. using password for password)
3. does anybody have a "grudge" against anybody else that can be exploited?
4. Is the average employee a faceless minion, or is it a place where everybody knows whose there.
5. Are their any scandals that can be exploited?
6. Whom within the company will be most affected by the hack?


1. how large is the company?
2. How serious do they take internet security.
2. how likely is security processes are to be circumvented for other reasons (ex. key purchasing times for a company)
3. do they have relationships with other companies that might be easier to exploit?
4. how long have the users been using the processes?


1. What is the life cycle of the equipment?  If it's based on a 10 year interval, it might be easier at the end of it's life cycle.
2. How accessible is the equipment via wireless connection?
3. How often is the equipment and related software updated for security vulnerabilities?
4. What are the flags that will be set-off if they don't cover their tracks?
5. How automated is the target?  Are the doors, lights, temperature control, or even the fridge accessible on the network?
6. How easy is the location able to intercept communication?  A key way to discover you've been detected is that your radio communicators have stopped working.
7. how "user friendly" is the equipment used by the location.
8. how specialised is the tools used?  are the clients using dumb drones that are limited or is it a more traditional network of standard computer equipment and some servers.

Examples for Openings

1. email entry
2. physical key
3. social engineering.
4. failed updates.

One Last Thing

When we discussed this brainstorm, one of the things is what game you would use to simulate this conceptual model.  I'm still stewing on it, but I could see this for an espionage heavy game, such as a  tweaked ninjas and super-spies as well as spycraft.  Feel free to suggest others in the comments.

Season 8 Episode 15 - The Hacking the RPG
presented by Presented by Shane Harsch, Clark Valentine & Tim Rodriguez
Techsnap by Jupiter Broadcasting

No comments:

Post a Comment