Given the lessons of the Fall and the very real risk still posed by hackers, virii, and similar threats, network security is taken extremely seriously in Eclipse Phase. Four methods are typically used: authentication, firewalls, active monitoring, and encryption.
Most devices, networks (PANs, VPNs, etc.), and services require some kind of authentication (a process by which a system determines whether the claimed identity of a user is genuine) before they grant an account and access privileges (p. 246) to a user. There are several different ways for a system to authenticate a user. Some are more reliable and secure than others, but for the most part, the more secure the method, the higher the operational expenses.
Account: If you have access to an account on one system, this may give you automatic access to related systems or subsystems. This is typical of slaved devices (p. 248), where access to the master automatically grants you access to slaves.
Mesh ID: Some systems accept mesh IDs as authentication. This is extremely common with most public systems, which merely log the mesh ID of any user that wishes access. Other systems will only allow access to specific mesh IDs, but these are vulnerable to spoofing (p. 255).
Passcode: This is a simple string of alphanumeric characters or logographic symbols, submitted in an encrypted format. Anyone with the passcode can access the account.
Biometric Scan: This calls for a scan of one or more of the user’s biometric signatures (fingerprint, palm print, retinal scan, DNA sample, etc.). Popular before the Fall, such systems have fallen out of use as they are impractical with synthmorphs or users that frequently resleeve.
Passkey: Passkey systems call for some form of encrypted code that is either hardwired into a physical device (that is either implanted or physically jacked into an ecto) or extracted from specialized software. Advanced passkeys combine hardwired encryption with physical nanotech etching to create a unique key. To access such systems, the passkey must either be acquired or somehow spoofed.
Ego Scan: This system authenticates the user’s ego ID (p. 279).
Quantum Key: Quantum key systems rely on the unbreakable encryption of quantum cryptography (p. 254).
Firewalls are software programs (sometimes hardwired into a device) that intercept and inspect all traffic to and from a protected network or device. Traffic that meets specified criteria that designates it as safe is passed through, whereas all other traffic is blocked. In Eclipse Phase, every network and device can be assumed to have a firewall by default. Firewalls are the main obstacle that an intruder must overcome, as discussed under Intrusion Tests, p. 255.
Like other gear, firewalls come in varying quality levels and so may apply modifiers to certain tests.
Active Monitoring
Instead of relying on authentication and firewalls alone, secure systems are actively monitored by a security hacker or a muse. These digital security guards inspect network traffic using a number of software tools and applications that flag conspicuous events. Active surveillance makes intrusions more difficult, since the interloper must beat the monitoring hacker/AI in an Opposed Test (see Intrusion, p. 254). Active monitoring also includes monitoring any devices slaved to the monitored system.
Characters may actively monitor their own PANs if they so choose, though this requires a moderate level of attention (count as a Quick Action). It is far more common for a muse to actively guard a user’s PAN.
Encryption is an exceptionally effective extra layer of security. There are two types of encryption commonly used in Eclipse Phase: public key cryptosystems and quantum cryptography.
Public Key Crypto
In public key cryptosystems, two keys are generated by the user, a public key and a secret key. The public key is used to encrypt messages to that user, and is made freely available. When messages are encrypted using that public key, only the secret key—controlled
Quantum key distribution systems use quantum mechanics to enable secure communications between two parties by generating a quantum key. The major advantage of transmitting information in quantum states is that the system itself instantly detects eavesdropping attempts, as quantum systems are disturbed by any sort of external interference. In practical terms, this means that quantum encrypted data transfers are unbreakable and attempts to intercept automatically fail. Note that quantum crypto doesn’t work for basic file encryption; its only use is in protecting communication channels.
While quantum key systems have an advantage over public key systems, they are both more expensive and less practical. In order to generate a quantum key, the two communications devices must be entangled together on a quantum level, in the same location, and then separated. So quantum key encrypted communications channels require some setup effort, especially if long distances are involved. Since the implementation of quantum cryptographic protocols is an extraordinary expense, it is usually only adopted for major high-security communications links.
What this means is that encrypted communications lines and files are very safe if using public key systems, and that data transfers are absolutely safe if using quantum crypto. Gamemasters should take note, however: while this may be useful to player characters, it may also hinder them. If the characters need to get at something that is encrypted, they’re going to need to figure out some way to get the secret key’s passcode. Common methods include the old standbys of bribery, blackmail, threats, and torture. Other options involve espionage or social engineering to somehow acquire the passcode. Hackers could also find some other method to compromise the system and gain inside access, bypassing the encryption entirely.
As noted above, quantum computers can also be used to break public key encryption. This requires an Infosec Task Action Test with a +30 modifier and a timeframe of 1 week (once started, the quantum computer finishes the job on its own; the user does not need to provide constant oversight). Gamemasters should feel free to modify this timeframe as fits the needs of their game. Note that quantum computers cannot break quantum-encrypted communications, only encrypted files.
The art of intrusion lies in penetrating a device’s security. The best methods involve infiltrating a system quietly, without catching a watchdog’s attention, by using exploits—code glitches, flawed security protocols—to create a path circumventing the target’s defenses. When called for, however, a hacker can toss aside pretenses and attempt to brute-force their way in.
In order to hack a device, the hacker needs to establish a direct connection to the target computer system. If the hacker is making a direct wireless connection to the target, the target system must be wireless-capable and within range (p. 299), and the hacker must know the target is there (see Wireless Scanning, p. 251). If the system is hard-wired, the hacker must physically jack in by using a regular jacking port or somehow tapping into a cable that carries the network’s data traffic. If the hacker is accessing the target through the mesh, the target system must be online and the hacker must know its mesh ID (p. 246) or otherwise be able to track it down (p. 251).
Rather than hacking in, an intruder can try to subvert the authentication system used to vet legitimate users. The easiest manner of doing this is to somehow acquire the passcode, passkey, or whatever authentication method the target uses (p. 253). With this in hand, no test is necessary to access the system; the hacker simply logs in just like a legitimate user and has all of the normal access privileges of that user.
Lacking a passcode, the hacker can try to subvert the authentication system in one of two other ways: spoofing or forgery.
Using this method, the hacker attempts to disguise their signals as coming from the legitimate, authenticated user, rather than from themself. If successful, the system is fooled by this masquerade, accepting the hacker’s commands and activity as if they came from a legitimate user. Spoofing is more difficult to pull off, but is very effective when it works.
To spoof a legitimate user, the hacker must be using both sniffer and spoofing software (p. 331). The hacker must then monitor a connection between the legitimate user and the target system, and succeed in an Infosec Test to sniff the traffic between them (p. 252). Apply a –20 modifier if the user has security account privileges, –30 if they have admin rights (p. 247). If the connection is encrypted, this will fail unless the hacker has the encryption key.
Armed with this data, the hacker then uses it to disguise their signals. This requires an Infosec Test, modified by the quality of the system’s firewall and the hacker’s spoofing program. If successful, communications sent by the hacker are treated as coming from the legitimate user.
Biometric and passkey systems used for authentication (p. 253) can potentially be forged by hackers who are able to get a look at the originals. The means and techniques for doing so differ, and are beyond the scope of this book, but successfully forging such systems would allow a hacker to log in as the legitimate user.
Hacking into a node is a time-consuming task. The target system must be carefully analyzed and probed for weaknesses, without alerting its defenses. Depending on the type of security in place, more than one test may be called for.
Hackers require special exploit software (p. 331) to take advantage of security holes, but software does not a hacker make. What really counts is Infosec skill (p. 180), which is the ability to use, modify, and improvise exploits to their full advantage.
Defeating the Firewall
Lacking a passcode, the hacker must break in the old-fashioned way: discreetly scanning the target, looking for weaknesses, and taking advantage of them. In this case the hacker takes their exploit software and makes an Infosec Test. This is handled as a Task Action with a timeframe of 10 minutes. Various modifiers may apply, such as the quality of the exploit software, the quality of the Firewall, or the alertness of the target system. The gamemaster may also modify the timeframe, shortening it to reflect systems that are cookie-cutter common with known security flaws or raising it as fitting for a top-of-the-line system with still-unreleased defenses.
By default, a hacker trying to break in this way is pursuing standard user access rights (p. 247). If the hacker wishes to obtain security or admin privileges on the system, apply a –20 or –30 modifier, respectively. If the Infosec Test succeeds, the intruder has invaded the system without triggering any alarms. If the system is actively monitored (p. 253), they must now avoid detection by that watchdog (see below). If there is no active monitor, the intruder gains the status of Covert (see Intruder Status, p. 256). If the intruder scored an Excellent Success, however, their status is Hidden (p. 256).

Probing: Players may choose to take the time (p. 116) when probing the target for weakness and exploits. In fact, this is a common procedure when a hacker wants to ensure success.
Bypassing Active Security
If a system is also actively monitored (p. 253), the hacker must avoid detection. Treat this as a Variable Opposed Infosec Test between the intruder and the monitor. The outcome depends on both rolls: If only the intruder succeeds, the hacker has accessed the node without the monitor or the system noticing. The hacker has acquired Covert status (p. 256). If the hacker scored an Excellent Success, their status is Hidden (p. 256).
If only the monitor succeeds, the hacking attempt is spotted and the monitor may immediately lock the hacker out of the system before they manage to fully break in. The intruder may try again, but the monitor will be vigilant for further intrusions.
If both succeed, the intruder has gained access but the monitor is aware that something strange is going on. The hacker acquires Spotted status.
If both fail, continue to make the same test on each of the hacker’s Action Phases, until one or both succeed.
Intruder status is a simple way of measuring an invader’s situation when they are intruding upon a system. This status reflects whether the hacker has caught any attention or has managed to remain unobtrusive. Status is first determined when the intruder accesses the system, though it may change according to events.
Note that intruder status is a separate matter from account access privileges (p. 246). The latter represents what a user can legally do on a system. The former indicates how aware the system is of the hacker’s true nature as an intruder.
An intruder with Hidden status has managed to silently sneak into the system without anyone noticing. The system’s security is totally unaware of their presence and may not act against them. In this case, the hacker is not using an account so much as they are exploiting a flaw in the system that grants them a nebulous, behind-the-scenes sort of presence in the system. The hacker effectively has admin access rights, but does not show up as an admin-level user in logs or other statistics. Hidden characters receive a +30 modifier on any efforts to subvert the system.
An intruder with Covert status has accessed the system in a manner that doesn’t attract any unusual attention. For all intents and purposes, they appear to be a legitimate user with whatever access rights they sought. Only extensive checking will turn up any abnormalities. The system is aware of them, but does not consider them a threat.
Spotted status indicates that the system is aware of an anomaly or intrusion but hasn’t zeroed in on the intruder yet. The hacker appears to be a legitimate user with whatever access rights they sought, but this will not hold up under close scrutiny. The system goes on passive alert (inflicting a –10 modifier to the hacker’s activities on that system) and may engage the hacker with passive countermeasures (p. 257).
Locked status means that the intruder—including their datatrail—has been pinned down by system security. The hacker has access and account privileges, but they have been flagged as an interloper. The system is on active alert (inflicting a –20 modifier on the hacker’s actions) and may launch active countermeasures (p. 257) against the intruder.
An intruder’s status is subject to change according to their actions and the actions of the system.
A hacker can attempt to improve their status in order to better protect themself. This requires a Complex Action and an Infosec Test. If the hacker has Spotted status, this is an Opposed Test between monitor and intruder. If the hacker wins and scores an Excellent Success (MoS of 30+), they have upgraded their status by one level (for example, from Covert to Hidden). Intruders with Locked status may not upgrade.
A security hacker or muse that is actively monitoring a system can take a Complex Action and attempt to home in on a Spotted intruder. An Opposed Infosec Test is made between both parties. If the system’s defender wins, the hacker is downgraded to Locked status.
Any time an intruder scores a Severe Failure (MoF 30+) on a test involving manipulating the system, they are automatically downgraded one status level (from Covert to Spotted, for example). If a critical failure is rolled, they immediately give themselves away and achieve Locked status.
Sometimes a character simply doesn’t have time to do the job right, and they need to hack in now or never.
In this case the hacker engages the target system immediately, head on, without taking any time to prepare an attack. The hacker simply brings all of their software exploit tools to bear, throwing them at the target and hoping that one works. This is handled as an Infosec Test, but as a Task Action with a timeframe of 1 minute (20 Action Turns). The hacker receives a +30 modifier on this test. Many hackers choose to rush the job (see Task Actions, p. 120), in order to cut this time even shorter.
The drawback to brute-force hacking is that it immediately triggers an alarm. If the system is actively monitored, the hacker must beat the monitor in an Opposed Infosec Test or be immediately locked out as soon as they break in. Even if they succeed, the hacker has Locked status and is subject to active countermeasures.
THE HACKING SEQUENCE
| Step | Test / Result |
|---|---|
| 1. Defeat the Firewall | Infosec Task Action, 10 minutes |
| 2. Bypass Active Security | Opposed Infosec Test |
| 2a. Hacker wins with Excellent Success, defender fails | Hidden status / admin privileges / +30 to all Subversion Tests |
| 2b. Hacker succeeds, defender fails | Covert status |
| 2c. Both succeed | Spotted status / passive alert / –10 to all Subversion Tests |
| 2d. Defender succeeds, hacker fails | Locked status / active alert / –20 to all Subversion Tests |
1. Common data = automatic acquisition
2. Uncommon data:
   - a. Research Task Test (timeframe: 1 minute) modified by data obscurity to accumulate data
   - b. Measure of Success determines depth of data found
3. Analyzing data:
   - a. Research Task Test (timeframe: GM call) using complementary skill to understand data
MESH GEAR MODIFIERS
| Modifier | Gear |
|---|---|
| –30 | Bashed-up devices, no-longer-supported software, relics from Earth or the early expansion into space |
| –20 | Malfunctioning/inferior devices, buggy software, pre-Fall technology |
| –10 | Outdated and low-quality systems |
| 0 | Standard ectos, mesh inserts, and software |
| +10 | High-quality goods, standard security-grade products |
| +20 | Next-generation devices, advanced software |
| +30 | Newly-developed, state-of-the-art, top-of-the-line technology |
| >+30 | TITANs and/or alien technology |
Difficulty modifiers for common computer tasks
| Modifier | Task |
|---|---|
| –0 | Execute commands, view restricted information, run restricted software, open/close connections to other systems, read/write/copy/delete files, access sensor feeds, access slaved devices |
| –10 | Change system settings, alter logs/restricted files |
| –20 | Interfere with system operations, alter sensor/AR input |
| –30 | Shut system down, lock out user/muse, launch countermeasures at others |
If an intruding hacker fails to penetrate a system’s defenses (i.e., they are Spotted or Locked, see p. 256), then the system goes on alert and activates certain defenses. The nature of the applied countermeasures depends on the capabilities of the system, the abilities of its security defender(s), and the policy of its owner/admins. While some nodes will simply seek to kick the intruder out and keep them shut out, others will actively counterattack, seeking to track the intruder and potentially hack the intruder’s own PAN.