Jump to content
City of Heroes 20th Anniversary: Time Capsule Event, Q&A With Original Team, Costume Contests ×

An Overly Long Tangent Talking About Hacking (TM)

McSpazz

By McSpazz
in Roleplaying

 Share

Recommended Posts

McSpazz

McSpazz

Posted
Posted (edited)

It's Spazz again! I decided that I have nothing better to do so I should make a write-up talking about hacking. Specifically, what it is and what it isn't. For all of you out there that have characters who hack into systems, I encourage you to take this to heart and consider how you can use it in your own roleplay. Please also keep in mind that while I am a computer scientist, I am not an expert on hacking myself. What I am going to provide is a very general overview of what it is and how you should consider going about it in your roleplay.

1. What is hacking?

Hacking is a REALLY broad term when you think about it. While, at its core, hacking is all about entering computer systems you are not supposed to be in, the means you do so are extremely numerous. What most people see in popular media is more often than not exploiting software vulnerabilities on exposed networks. Software vulnerabilities can range in severity with the most dangerous being "Zero Day Exploits". A Zero Day Exploit is a software vulnerability that is so easily taken advantage of and/or provides so much access to a system's permissions that it needs to have been patched yesterday. These are a really big deal and, while potent, are very rare. Details on zero day exploits are sometimes sold on black markets and the utilization of more than a few zero day exploits on a system is often done by nation states. Exploits are often not the end of the journey, however. Sometimes an exploit might get you into the target servers, but not the server you wanted to take advantage of. I'm sure you can start to see why hacking can take a great deal of skill.

 

However, I'm sure you noticed earlier that I emphasized exposed networks. That's because I was talking about what is found on popular media. Not all networks are actually accessible directly through the internet and some networks have literally no connection to the internet at all. Ultra secure servers are often given this treatment. More importantly, even if the server is exposed to the wider internet, there might not be any vulnerabilities in their software (that you are aware of at least). You can't exploit a system that has no means of exploitation. This brings us to literally the most important aspect of hacking that many people don't utilize in roleplay.

 

2. Social Engineering

Computers are stupid. Humans can be far, far more stupid. Welcome to Social Engineering script kiddies! This is where the real fun begins.

Social engineering is using a variety of tactics to attempt to introduce malicious code into a target system not by forcing your way in, but by letting somebody open the door for you. No amount of passwords or anti-virus will save a system when the operator just downloads a malicious file sight unseen and opens it. In fact, what you see most often in popular media (some nerd sitting at their computer clacking away at keys) isn't how systems get compromised more often than not. It's this. It's literally convincing humans to do stupid things for your own benefit.

 

Just about any file type can be set up with hidden, malicious code that will execute when the file is opened. Everything from PDF's to .docx files. As a matter of fact, part of the reason Flash was abandoned is because Adobe couldn't keep up with the number of ways it could be used to make viruses. It extends even further though! I am positive most of you reading this use Discord. Recently, in large part because of how popular Discord has become, scams and malicious links have become rampant on the platform. This is social engineering at its finest. No, dude, trust me! Click on this disc0rd.com link and get a free year of Nitro!!!

 

Remember how I mentioned servers with no access to the wider internet? This is where more complicated means of social engineering needs to take place. An extremely good example of a nearly impossible server to crack that was accessed via social engineering and very complicated software is Stuxnet. If you want an idea of what a virus created by a nation state looks like, Stuxnet is THE best example. I kid you not, this virus is one of the most important viruses in history due to just how unprecedented the whole thing was.

 

3. The Mistakes

The most common mistake I see with hacking (besides not utilizing social engineering) is how long it takes when working remotely. Someone just sits down and in an afternoon they have access to the entire network of an underground Malta complex and could do just about anything in it. Hacking, generally, is not this quick. It can take quite some time just to get into a server, let alone get access to the things you need. If you have time to play with it, actually have your character talk about what they're doing. How they're trying to get their way into the server, the social engineering, the exploits they might have found, etc. If they do get in quickly, try and have some fun with the creative ways they went about it. In Secret World, my character hacked into an outpost's wifi by connecting to a bluetooth and wifi enabled coffee machine in their break room and exploiting the fact the coffee machine was given permission to use the wifi as a means of connecting to it. See how much more fun that is than just "I'M IN!"

 

Hacking a computer in the flesh is theoretically far easier as is getting what is directly on that computer. Actually opening the files, accessing other parts of the network, etc, generally require additional work. The biggest issue is generally credentials. A well made computer system generally keeps everything need-to-access only. A standard user isn't going to be able to access the registry or some highly encrypted folder. As missions are generally pretty fast paced, consider how your character might be looking for credentials as they smack down enemies. Maybe they collect smart card enabled ID's and use a script to try and log in with those accounts using common passwords. Or maybe they snatched up someone's phone and glanced through it to find the password saved in a plain text document.

 

Another pretty big mistake I've seen is a lack of understanding between the difference between a worm, virus, Trojan, RAT, and other forms of malicious code. There are many kinds of viruses and it's REALLY not hard to look them up. Wikipedia has an entire series on computer hacking and information security that contains articles on all of them. It's not just important to have a basic understanding of how these can all differ, but it's also important because it can give you new ideas of how your character might try and infect a system. For example, is your character aiming to run malicious code on a single computer? Multiple computers? Do they want to actively control another desktop? What are they doing to avoid detection? Even if a lot of what you come up with is technobabble, being aware of how things operate in the real world can make a world of difference.

 

Speaking of detection, another common mistake I've seen is how long someone has access to a network. It is so difficult to remain undetected in a well maintained network that there is an actual term for it: APT (Advanced Persistent Threat). To be acting as a single individual not backed by a nation state with an intrusion into a system that goes on for months can actually speak less towards the skill of a character and more to the incompetence of whoever owns the server.

 

4. Okay, I get it! Lots of technical stuff! But do I really need to know how to hack?!

Nope! You don't. As I said at the start, I might know a good deal about computer software, but I know zip as to how to actually hack into a system. I actually had to go to google to verify a few things as I was writing this. While you don't need to be an expert to write for a profession you aren't skilled in yourself, you should ALWAYS research it. As I pointed out several times, there are a lot of story opportunities that can be missed if you just follow the lead of movie hackers. Also, as mentioned, it can give a serious impression of incompetence on the part of the people you are hacking if it can really be done so quickly. While some people can be very skilled hackers, like many other professions, there is a certain point where your level of success says more about your target than it does yourself.

 

Wikipedia is an amazing resource, but a far greater resource is talking to someone with some knowledge on the subject. While you can learn a lot about what it's like to work on an Airforce flight deck, speaking to someone who has can yield a far more human outlook than a dry description. If you need help with a profession, make a post on the forums asking for insight. I'm sure others would be happy to help.
 

5. Can you give me an example of how this might play out?

Keep in mind that while what I described is grounded in reality and can yield more story potential, roleplay is a cooperative "sport" and you need to try and include others in your fun. So no matter how you do your hacking, if it's going to be more than a short quip, you should try and get others involved in it.

So can I detail how that might look? No! Because I never considered that might be an important thing to do never included that. So someone else did. Thanks a TON to @chase that took the time to write ALL of the below up.

On 2/24/2022 at 12:47 PM, chase said:

One of the real takeaways here is that while in a TV show, the hacking is just usually a quick moment to get a specific piece of information to move the plot forward.  A real hacking effort could be a show unto itself, particularly if you introduce colorful and entertaining elements around the well-grounded hacking as provided by McSpazz.  But what will your team consider colorful and entertaining?   The easiest way to do that, is let them add it:

Discovery:  

This is the part where you're gathering as much intel as possible before you do anything.  The more info you have, the more directions you can take the attack.   You won't use everything you find, but it gives you a chance to piece things together.   This makes it an ideal time to introduce collaborative storytelling- distribute tasks and encourage them to get creative with the outcome.

 

You send out a non-techie to walk around the public areas around the target with device that passively picks up wireless signals.

- they come back saying how they were out on the sidewalk for less than 5 minutes when a whole crey response team came and interrogated them.  Great- guess what?  That's one crey response team not available to react elsewhere. 

- or they come back commenting on all the food delivery services that come in all the time, and security just waves them in without checking ID's.   A potential vulnerability.

- or they overheard a conversation about some tech that's on the fritz or mention an underground tunnel that's not on any of the plans...

- or they encounter another organization (arachnos?) also scouting the place.

- or they notice employees sleeping in their cars, rather than going home.

- the scan finds an unexpected hotspot.

 

You have a techie guy scan ancillary systems (like the utilities, phone company, etc)

- they find on the hacker databases that a guy whose name matches a telephone company engineer uses the same username and password on a bunch of gaming sites.  That let them get into the phone records- we can intercept calls!

- on one of the message boards, they find where a hacker kid discovered a newly-replaced wirelessly-managed sewer pump still had the default password.  It's changed now, but not before he inserted a back door to prove he was there.

 

Someone else just scans the systems for software with zero-day exploits. 

- this extends beyond "what luck! they're on CreyCorp 2016R2.  They never patched!

- Maye the wireless scan ends up showing an outdated or malware-infected smartphone.  Remotely enabling the microphone, you discover it's the poor underpaid security officer using a backup phone after the last one broke in a scuffle.

 

So you get Info.  What do you do with it?

 

Probe further-

  • Pull on those loose threads and see what it leads to.
  • Test it out- see if someone CAN sneak by the guard as a city of gyros employee.
  • Delicately probe at that zero day exploit and see where it leads to.
  • Entire side-quests can occur here, depending on interest.

Make Mistakes Happen-

In any hack, mistakes are the true key.  You only get so far on software exploits.  

  • Wonder what would happen if you went on social media and made a challenge that caused flashmobs around the building?  How many crey enforcement squads would come out?  What happens once they're tired and bored with all these false positives?
  • You found that the head of physical security had a gambling problem (and a terrible password-management system) but not enough for blackmail material.  Wonder what would happen, though, if suddenly someone made tons of bad bets on all his gambling websites accounts.  He's sure to be distracted, if nothing else.
  • That tech that's on the fritz.  The repairmen were coming today.  Social Engineer your way into a call with them and cancel the repairs.  Really piss them off when you do, so they'll be really grouchy when they get calls asking when they're showing up.

Form A Plan- (the heist)

 

Sure, you could do it all remotely.  You got info on vulneabilities and mistakes, you acted on them, prize accessed.  Done. .... but c'mon.  who doesn't like a good heist?

Once you have had your fun probing and exploring and checking out your options, bring them together into a course of action:   You've decided you need to break in to the crey lab and plug something into the wireless network.  No other way.   

  • Fortunately, you think that by flooding the sub-basement by shutting off the sewage pump, you can get a small crew inside as cleaners.  It's a shitty job, yes.   
  • Your intel gathering also let you know that the door that the lunchtime powerwalkers use when exiting the building has a broken sensor (they can sneak in and out without clocking out) so if they wedge something there to keep the door from latching, others can sneak in. 
  • Since you can triangulate the security guard's location with his cell phone and listen in, you know exactly where he'll be
  • ... and he'll be the only one inside because the response team will be dealing with those stupid flashmobs.
  • Once you get in, your hacker will need about 20 minutes of uninterrupted access to get what he wanted.  He also plans to introduce a stealthy worm that would infect any other systems that may connect to this network.  With any luck, techs that work on this project might get moved to other projects and take their infected computers with them.... it's a long game, but if it works, future heists will be far far easier.

 

The Complications:

Now the fun part- actively sabotaging your own plan.   While the best heists really are done without ever raising alarms, the best heist stories never go as planned.   By this point, everybody should have had a chance to contribute something to the story- some of these things may not have made it into the final plan... but they still might be needed when things go to crap.

  • Imagine halfway through the heist you realize that yesterday was patch day and the zero-day exploit no longer works.
  • The sewage pump handled a lot more effluent than you thought- and worse- it somehow restarted while your team was in the sub-basement.  Power's out, elevator's broken. stairwell's locked, and your up to your armpits in crap.
  • That security chief with the gambling addiction? the distraction backfired.  He was out all day dealing with his bank but came back to the office late to make up time.  One extra (and untracked) body in the building.
  • This puts the security officer with the compromised microphone on a different routine.  He's coming straight your way.   You need a distraction fast, and your catgirl knows just the one!

Now, you might all improvise.  You might take pieces of intel that didn't make the plan before to find a way to success.   Maybe you can still get out without being detected?  It's your story.

 

The Wrap:

You can just end it here. You got your hacker prize- you do what you planned with it and it's done.   Maybe you sell the intel, maybe it advances the overarching group story... but what about what you left behind?  What makes the news?  What doesn't?  Is there any lasting effect or a chance to add some flavor?   What are the threads from this story that might carry over into the next?

Maybe you all have a new enemy in the chief of security.   Maybe something had to be left behind- something that you can't just leave in your adversary's hands.   Maybe there was damage control.    Maybe that worm found its way into unexpected systems- including the neural implant of a cyborg assassin.  Its countermeasures detected the worm, dissected it, and traced the code style back to the author through code snippets in his doctoral thesis... 

 

Or maybe your catgirl brings her new beau by the base with his snazzy new (and more secure) smartphone to celebrate his promotion.  As the distraction she told the security officer that she was there to stop his boss from embezzling funds to fuel his gambling losses. She let him take the credit since she technically shouldn't have been there.  ---  How did you think she was going to distract him?  I mean, yeah she'd had a crush on the beautiful baritone after her first shift listening in on him looking for exploits... but she really felt like she got to know him in that time and he's really a decent dude that's good with his puppies Mr SnarfleLumps and Ed... but dammit, she's a PROFESSIONAL!  They didn't totally hook up until his shift was over!

 

 

This is tangentially part of a series of tutorials regarding roleplay! You can find the full list of tutorials here!

Edited by McSpazz
Added a link to the master list
  • Like 2
Link to comment
Share on other sites
Andreah

Andreah

Posted
Posted

I have a character whose psionic power is to be able to influence computers to perform subtly against their programming, and even in contradiction to their hardware. And is able to sense when a system is about to cut off access or raise an alarm via precognition. It's the sort of thing one has to be very judicious with in RP or it becomes an infinity power.

  • Like 1
Link to comment
Share on other sites
lemming

lemming

Posted
Posted

Bah.  I'm from the days when hacking was just good with computers. (Though I think we lost that fight in the late 80s)

 

That's really my only criticism, granted I'm at the point where I can hand wave a lot so I don't get too annoyed anymore.  (Many years of running computer security, mostly getting annoyed at developers making some holes easy to exploit such as executing files that shouldn't have any business being executed)

  • Thumbs Up 1
Link to comment
Share on other sites
chase

chase

Posted
Posted (edited)

One of the real takeaways here is that while in a TV show, the hacking is just usually a quick moment to get a specific piece of information to move the plot forward.  A real hacking effort could be a show unto itself, particularly if you introduce colorful and entertaining elements around the well-grounded hacking as provided by McSpazz.  But what will your team consider colorful and entertaining?   The easiest way to do that, is let them add it:

Discovery:  

This is the part where you're gathering as much intel as possible before you do anything.  The more info you have, the more directions you can take the attack.   You won't use everything you find, but it gives you a chance to piece things together.   This makes it an ideal time to introduce collaborative storytelling- distribute tasks and encourage them to get creative with the outcome.

 

You send out a non-techie to walk around the public areas around the target with device that passively picks up wireless signals.

- they come back saying how they were out on the sidewalk for less than 5 minutes when a whole crey response team came and interrogated them.  Great- guess what?  That's one crey response team not available to react elsewhere. 

- or they come back commenting on all the food delivery services that come in all the time, and security just waves them in without checking ID's.   A potential vulnerability.

- or they overheard a conversation about some tech that's on the fritz or mention an underground tunnel that's not on any of the plans...

- or they encounter another organization (arachnos?) also scouting the place.

- or they notice employees sleeping in their cars, rather than going home.

- the scan finds an unexpected hotspot.

 

You have a techie guy scan ancillary systems (like the utilities, phone company, etc)

- they find on the hacker databases that a guy whose name matches a telephone company engineer uses the same username and password on a bunch of gaming sites.  That let them get into the phone records- we can intercept calls!

- on one of the message boards, they find where a hacker kid discovered a newly-replaced wirelessly-managed sewer pump still had the default password.  It's changed now, but not before he inserted a back door to prove he was there.

 

Someone else just scans the systems for software with zero-day exploits. 

- this extends beyond "what luck! they're on CreyCorp 2016R2.  They never patched!

- Maye the wireless scan ends up showing an outdated or malware-infected smartphone.  Remotely enabling the microphone, you discover it's the poor underpaid security officer using a backup phone after the last one broke in a scuffle.

 

So you get Info.  What do you do with it?

 

Probe further-

  • Pull on those loose threads and see what it leads to.
  • Test it out- see if someone CAN sneak by the guard as a city of gyros employee.
  • Delicately probe at that zero day exploit and see where it leads to.
  • Entire side-quests can occur here, depending on interest.

Make Mistakes Happen-

In any hack, mistakes are the true key.  You only get so far on software exploits.  

  • Wonder what would happen if you went on social media and made a challenge that caused flashmobs around the building?  How many crey enforcement squads would come out?  What happens once they're tired and bored with all these false positives?
  • You found that the head of physical security had a gambling problem (and a terrible password-management system) but not enough for blackmail material.  Wonder what would happen, though, if suddenly someone made tons of bad bets on all his gambling websites accounts.  He's sure to be distracted, if nothing else.
  • That tech that's on the fritz.  The repairmen were coming today.  Social Engineer your way into a call with them and cancel the repairs.  Really piss them off when you do, so they'll be really grouchy when they get calls asking when they're showing up.

Form A Plan- (the heist)

 

Sure, you could do it all remotely.  You got info on vulneabilities and mistakes, you acted on them, prize accessed.  Done. .... but c'mon.  who doesn't like a good heist?

Once you have had your fun probing and exploring and checking out your options, bring them together into a course of action:   You've decided you need to break in to the crey lab and plug something into the wireless network.  No other way.   

  • Fortunately, you think that by flooding the sub-basement by shutting off the sewage pump, you can get a small crew inside as cleaners.  It's a shitty job, yes.   
  • Your intel gathering also let you know that the door that the lunchtime powerwalkers use when exiting the building has a broken sensor (they can sneak in and out without clocking out) so if they wedge something there to keep the door from latching, others can sneak in. 
  • Since you can triangulate the security guard's location with his cell phone and listen in, you know exactly where he'll be
  • ... and he'll be the only one inside because the response team will be dealing with those stupid flashmobs.
  • Once you get in, your hacker will need about 20 minutes of uninterrupted access to get what he wanted.  He also plans to introduce a stealthy worm that would infect any other systems that may connect to this network.  With any luck, techs that work on this project might get moved to other projects and take their infected computers with them.... it's a long game, but if it works, future heists will be far far easier.

 

The Complications:

Now the fun part- actively sabotaging your own plan.   While the best heists really are done without ever raising alarms, the best heist stories never go as planned.   By this point, everybody should have had a chance to contribute something to the story- some of these things may not have made it into the final plan... but they still might be needed when things go to crap.

  • Imagine halfway through the heist you realize that yesterday was patch day and the zero-day exploit no longer works.
  • The sewage pump handled a lot more effluent than you thought- and worse- it somehow restarted while your team was in the sub-basement.  Power's out, elevator's broken. stairwell's locked, and your up to your armpits in crap.
  • That security chief with the gambling addiction? the distraction backfired.  He was out all day dealing with his bank but came back to the office late to make up time.  One extra (and untracked) body in the building.
  • This puts the security officer with the compromised microphone on a different routine.  He's coming straight your way.   You need a distraction fast, and your catgirl knows just the one!

Now, you might all improvise.  You might take pieces of intel that didn't make the plan before to find a way to success.   Maybe you can still get out without being detected?  It's your story.

 

The Wrap:

You can just end it here. You got your hacker prize- you do what you planned with it and it's done.   Maybe you sell the intel, maybe it advances the overarching group story... but what about what you left behind?  What makes the news?  What doesn't?  Is there any lasting effect or a chance to add some flavor?   What are the threads from this story that might carry over into the next?

Maybe you all have a new enemy in the chief of security.   Maybe something had to be left behind- something that you can't just leave in your adversary's hands.   Maybe there was damage control.    Maybe that worm found its way into unexpected systems- including the neural implant of a cyborg assassin.  Its countermeasures detected the worm, dissected it, and traced the code style back to the author through code snippets in his doctoral thesis... 

 

Or maybe your catgirl brings her new beau by the base with his snazzy new (and more secure) smartphone to celebrate his promotion.  As the distraction she told the security officer that she was there to stop his boss from embezzling funds to fuel his gambling losses. She let him take the credit since she technically shouldn't have been there.  ---  How did you think she was going to distract him?  I mean, yeah she'd had a crush on the beautiful baritone after her first shift listening in on him looking for exploits... but she really felt like she got to know him in that time and he's really a decent dude that's good with his puppies Mr SnarfleLumps and Ed... but dammit, she's a PROFESSIONAL!  They didn't totally hook up until his shift was over!

Edited by chase
  • Like 5
Some of my CoH stuff. Old and newish
Link to comment
Share on other sites
PeregrineFalcon

PeregrineFalcon

Posted
Posted

@chase I would pay good money to watch your show.

"It is by caffeine alone I set my mind in motion. It is by the beans of Java that thoughts acquire speed, the hands acquire posts, the posts become warning points. It is by caffeine alone I set my mind in motion."

 

Being constantly offended doesn't mean you're right, it means you're too narcissistic to tolerate opinions different than your own.

Link to comment
Share on other sites
McSpazz

McSpazz

Posted
  • Author
Posted
3 hours ago, chase said:

One of the real takeaways here is that while in a TV show, the hacking is just usually a quick moment to get a specific piece of information to move the plot forward.  A real hacking effort could be a show unto itself, particularly if you introduce colorful and entertaining elements around the well-grounded hacking as provided by McSpazz.  But what will your team consider colorful and entertaining?   The easiest way to do that, is let them add it:

I love everything you put here and will add a quote of it in my original post so it doesn't get lost. Thank you so much for writing this up!

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...