=Intrusion= 
[[toc]]
The art of intrusion lies in penetrating a device’s security. The best methods involve infiltrating a system quietly, without catching a watchdog’s attention, by using exploits—code glitches, flawed security protocols—to create a path circumventing the target’s defenses. When called for, however, a hacker can toss aside pretenses and attempt to brute-force their way in.
==Preconditions== 
In order to hack a device, the hacker needs to establish a direct connection to the target computer system. If the hacker is making a direct wireless connection to the target, the target system must be wireless-capable and within range, and the hacker must know the target is there (see Wireless Scanning). If the system is hard-wired, the hacker must physically jack in by using a regular jacking port or somehow tapping into a cable that carries the network’s data traffic. If the hacker is accessing the target through the mesh, the target system must be online and the hacker must know its mesh ID or otherwise be able to track it down.
==Circumventing Authentication== 
Rather than hacking in, an intruder can try to subvert the authentication system used to vet legitimate users. The easiest manner of doing this is to somehow acquire the passcode, passkey, or whatever authentication method the target uses. With this in hand, no test is necessary to access the system; the hacker simply logs in just like a legitimate user and has all of the normal access privileges of that user. Lacking a passcode, the hacker can try to subvert the authentication system in one of two other ways: spoofing or forgery.
===Spoofing Authentication=== 
Using this method, the hacker attempts to disguise their signals as coming from the legitimate, authenticated user, rather than from themself. If successful, the system is fooled by this masquerade, accepting the hacker’s commands and activity as if they came from a legitimate user. Spoofing is more difficult to pull off, but is very effective when it works. To spoof a legitimate user, the hacker must be using both sniffer and spoofing software. The hacker must then monitor a connection between the legitimate user and the target system, and succeed in an Infosec Test to sniff the traffic between them. Apply a –20 modifier if the user has security account privileges, –30 if they have admin rights. If the connection is encrypted, this will fail unless the hacker has the encryption key.
Armed with this data, the hacker then uses it to disguise their signals. This requires an Infosec Test, modified by the quality of the system’s firewall and the hacker’s spoofing program. If successful, communications sent by the hacker are treated as coming from the legitimate user.
===Forging Authentication=== 
Biometric and passkey systems used for authentication can potentially be forged by hackers who are able to get a look at the originals. The means and techniques for doing so differ, and are beyond the scope of this book, but successfully forging such systems would allow a hacker to log in as the legitimate user.
==Intrusion Tests== 
Hacking into a node is a time-consuming task. The target system must be carefully analyzed and probed for weaknesses, without alerting its defenses. Depending on the type of security in place, more than one test may be called for.
Hackers require special exploit software to take advantage of security holes, but software does not a hacker make. What really counts is Infosec skill, which is the ability to use, modify, and improvise exploits to their full advantage.
===Sidebar: The Hacking Sequence=== 
# Defeat the Firewall (Infosec Task Action, 10 minutes)
# Bypass Active Security (Opposed Infosec Test)
## Hacker Wins with Excellent Success, Defender Fails = Hidden status/+30 all tests
## Hacker Succeeds, Defender Fails = Covert Status
## Both Succeed = Spotted Status/Passive Alert
## Defender Succeeds, Hacker Fails = Locked status/Active Alert
===Defeating the Firewall=== 
Lacking a passcode, the hacker must break in the old-fashioned way: discreetly scanning the target, looking for weaknesses, and taking advantage of them. In this case the hacker takes their exploit software and makes an Infosec Test. This is handled as a Task Action with a timeframe of 10 minutes. Various modifiers may apply, such as the quality of the exploit software, the quality of the firewall, or the alertness of the target system. The gamemaster may also modify the timeframe, shortening it to reflect systems that are cookie-cutter common with known security flaws or raising it as fitting for a top-of-the-line system with still-unreleased defenses.
By default, a hacker trying to break in this way is pursuing standard user access rights. If the hacker wishes to obtain security or admin privileges on the system, apply a –20 or –30 modifier, respectively. If the Infosec Test succeeds, the intruder has invaded the system without triggering any alarms. If the system is actively monitored, they must now avoid detection by that watchdog (see below). If there is no active monitor, the intruder gains the status of Covert (see Intruder Status, below). If the intruder scored an Excellent Success, however, their status is Hidden.
**Probing:** Players may choose to take the time when probing the target for weakness and exploits. In fact, this is a common procedure when a hacker wants to ensure success.
===Bypassing Active Security=== 
If a system is also actively monitored, the hacker must avoid detection. Treat this as a Variable Opposed Infosec Test between the intruder and the monitor. The outcome depends on both rolls: If only the intruder succeeds, the hacker has accessed the node without the monitor or the system noticing. The hacker has acquired Covert status. If the hacker scored an Excellent Success, their status is Hidden.
If only the monitor succeeds, the hacking attempt is spotted and the monitor may immediately lock the hacker out of the system before they manage to fully break in. The intruder may try again, but the monitor will be vigilant for further intrusions.
If both succeed, the intruder has gained access but the monitor is aware that something strange is going on. The hacker acquires Spotted status. If both fail, continue to make the same test on each of the hacker’s Action Phases, until one or both succeed.
==Intruder Status== 
Intruder status is a simple way of measuring an invader’s situation when they are intruding upon a system. This status has an impact on whether the hacker has caught any attention or if they managed to remain unobtrusive. Status is first determined when the intruder accesses the system, though it may change according to events.
Note that intruder status is a separate matter from account access privileges. The latter represents what a user can legally do on a system. The former indicates how aware the system is of the hacker’s true nature as an intruder.
===Hidden=== 
An intruder with Hidden status has managed to silently sneak into the system without anyone noticing. The system’s security is totally unaware of their presence and may not act against them. In this case, the hacker is not using an account so much as they are exploiting a flaw in the system that grants them a nebulous, behind-the-scenes sort of presence in the system. The hacker effectively has admin access rights, but does not show up as an admin-level user in logs or other statistics. Hidden characters receive a +30 modifier on any efforts to subvert the system.
===Covert=== 
An intruder with Covert status has accessed the system in a manner that doesn’t attract any unusual attention. For all intents and purposes, they appear to be a legitimate user with whatever access rights they sought. Only extensive checking will turn up any abnormalities. The system is aware of them, but does not consider them a threat.
===Spotted=== 
Spotted status indicates that the system is aware of an anomaly or intrusion but hasn’t zeroed in on the intruder yet. The hacker appears to be a legitimate user with whatever access rights they sought, but this will not hold up under close scrutiny. The system goes on passive alert (inflicting a –10 modifier to the hacker’s activities on that system) and may engage the hacker with passive countermeasures.
===Locked=== 
Locked status means that the intruder—including their datatrail—has been pinned down by system security. The hacker has access and account privileges, but they have been flagged as an interloper. The system is on active alert (inflicting a –20 modifier on the hacker’s actions) and may launch active countermeasures against the intruder.
==Changing Status== 
An intruder’s status is subject to change according to their actions and the actions of the system.
===Updating Status=== 
A hacker can attempt to improve their status in order to better protect themself. This requires a Complex Action and an Infosec Test. If the hacker has Spotted status, this is an Opposed Test between monitor and intruder. If the hacker wins and scores an Excellent Success (MoS of 30+), they have upgraded their status by one level (for example, from Covert to Hidden). Intruders with Locked status may not upgrade.
===Zeroing In=== 
A security hacker or muse that is actively monitoring a system can take a Complex Action and attempt to hone in on a Spotted intruder. An Opposed Infosec Test is made between both parties. If the system’s defender wins, the hacker is downgraded to Locked status.
===[[#Failing Tests]]Failing Tests=== 
Any time an intruder scores a Severe Failure (MoF 30+) on a test involving manipulating the system, they are automatically downgraded one status level (from Covert to Spotted, for example). If a critical failure is rolled, they immediately give themselves away and achieve Locked status.
==Brute-Force Hacking== 
Sometimes a character simply doesn’t have time to do the job right, and they need to hack in now or never. In this case the hacker engages the target system immediately, head on, without taking any time to prepare an attack. The hacker simply brings all of their software exploit tools to bear, throwing them at the target and hoping that one works. This is handled as an Infosec Test, but as a Task Action with a timeframe of 1 minute (20 Action Turns). The hacker receives a +30 modifier on this test. Many hackers choose to rush the job (see [[Time and Actions|Task Actions]]) in order to cut this time even shorter.
The drawback to brute-force hacking is that it immediately triggers an alarm. If the system is actively monitored, the hacker must beat the monitor in an Opposed Infosec Test or be immediately locked out as soon as they break in. Even if they succeed, the hacker has Locked status and is subject to active countermeasures.

=See Also= 
[[Intrusion Countermeasures]]
[[Subversion]]
[[Cyberbrain Hacking]]
