I'm finally working on some computer hacking rules for Missions & Mayhem. I've heard before from fellow gamers, and reading a lot on the internet about how many games try to make hacking fun and exciting, or make it fairly realistic, but it turns into a mini-game that one player is playing while everyone else sits and twiddles their thumbs. Or, it just gets made into a single skill check that is not very exciting.
There's got to be a sweet spot of just complex enough (providing choice/strategy to the hacker PC) while not bogging down into 30+ minutes of solo play. And as always for M&M, I am trying to follow the KISS principle. Don't make any mechanic more complex than it needs to be.
Or as Einstein (I think) once said, "Make everything as simple as possible, but no simpler."
Right now, I've got two ideas in mind. One is for hacker vs hacker scenes, as you might see in a spy or superhero movie/show. The other is for simple player vs system checks, but could also be used for hacker vs hacker stuff.
My original idea was to try and make a strategy vs strategy results chart, similar to the Chainmail jousting rules. The PC hacker selects a strategy. The opposing NPC hacker (or the system being hacked) selects a countermeasure strategy. Cross reference on the table to see what happens.
But I'd really need to test and refine that chart. I remember Delta analyzed the Nash equilibrium of the Chainmail joust, and there is definitely a single dominant strategy to it that will more often than not result in a win. And that's boring if you always know the optimal options to select.
So my current thinking is to use the second option, which would break hacking a system into three phases.
Phase 1: Entry. Hacking into the system. Make a roll to get into the system. If the roll succeeds, you're in. Either way, make a check to see if the attempt was noticed.
This phase could be made much easier with some other character talents. One Charismatic Hero class talent, and several of the starting occupation talents allow for a check to get "information, access, or a favor" from an NPC or organization. This could be done to represent social engineering before the hack.
Phase 2: Manipulation. Depending on the security level of the system, this might be automatic for unsecured systems, or require a check/counter-check. Either way, once you're in, you can search for information (including physical location if unknown), download or copy information, attempt to reprogram the computer system, control connected (security) devices, or try to sabotage the system. The longer the PCs stay in the system (each additional check after the first) increases the odds of being noticed/having countermeasures triggered.
If the attempt to enter was noticed, countermeasures will be in place (if there are any). If not, each action runs the risk of being noticed, and triggering countermeasures. If there's an opposing hacker, the hacker can attempt to reverse hack the PCs and direct the countermeasures. And of course, this could all be reversed, with an NPC trying to hack the PCs' computer system.
Phase 3: Exit. Attempt to cover your trace as you log out of the system. Depending on the countermeasure response, this might not be necessary as your cover could already be blown or you could have already been booted from the system. But it would be a simple check at the end.
Computer systems will have three categories. Unsecured systems are your typical home/office PC. Sure, they may have some passwords or firewalls, but nothing unusual, and no countermeasures unless an NPC hacker is on them. A lot of IoT devices will also be unsecured.
Secured systems will have some automated countermeasures in place that can be triggered, and are harder to hack into during entry or exit cleanly. Unless an NPC hacker is working against the intrusion, though, the responses will be preprogrammed/limited. Most small to medium size businesses and non-military/intelligence government agencies would have this level of computer system.
Hardened systems will be the hardest to enter or have a clean exit, and will have responsive AI countermeasures that act as an NPC hacker even if none is present. This is what megacorps, militaries, and intelligence agencies use.
No comments:
Post a Comment