How Exactly Does Hacking Work?




Pathfinder Adventure Path, Starfinder Adventure Path Subscriber

Hi everyone,

I'm trying to wrap my head around the Hacking Rules and would appreciate some feedback. Below is a realistic scenario of something that would likely happen in one of my games. I would appreciate some feedback on if the steps in the scenario are valid, as well as a few questions following it. Thanks!

-----------------------------------

Our heroes have infiltrated the hangar of a starship and spot a computer terminal. On their way to the hangar they defeated an officer and freed her of her security card key. Unfortunately, the officer didn’t stay conscious long enough to tell them her password too. Unknown to Quig’s player, this is a Tier-3 Computer with a Security I Upgrade, two Firewalls and an Alarm Countermeasure. The DC to Hack this system is 26. The specifics of the computer are not disclosed to Quig, but he is informed that hacking the system will take three rounds so he can determine if he wants to attempt to breach the system faster. From that information the player can deduce this is a Tier-3 computer and expect the DC to be 25.

Quig is lacking the password to access the system, so he attempts to hack it. Quig’s bonus to Computers is +11, and is increased by another +5 for having the officer’s security key card to a total +16 bonus. This will take three full rounds. If he wished to hack it faster, he could declare so before rolling the dice and increase the DC to 31. He decides not to risk it and takes the full three rounds.

After three rounds pass, Quig’s player rolls the Computers Check, 1d20+16. If his total is 26 or higher he gains Access to the system. If his total is 22-25, he fails to Access the system, but there are no negative consequences. Basically, he ran into a few roadblocks and wasn’t able to complete the attempt within three rounds. That time is wasted and he may try again.

If his total is 21 or lower, he fails the attempt and is detected. The computer detects the breach attempt, triggers the Alarm countermeasure, and invalidates the security key card. Quig may try again, but will no longer receive the card’s +5 bonus. And although it’s mathematically impossible, if Quig was a higher level and had a better bonus, if his total was 46 or higher he would have breached into the system and gained Root Access to the computer, but would still not be able to see or Access anything behind the two firewalls.

We’ll say Quig’s player rolls a 12 on the die for a total of 28, enough to gain Access to the computer. The GM informs him that he now has access to the computer’s basic functions which include opening/closing the interior doors, cycling an airlock, controlling the lighting system, accessing the hangar’s PA system, and transmitting messages through the ship’s internal comm system. The GM also tells him that he can see two Firewalls, but not what’s hidden behind them. The GM does not inform the player that there is an Alarm countermeasure.

Because this is a player, Quig immediately declares that he is going to use the terminal to shut off life support systems to the bridge. The GM politely informs him that that is not a Basic Function of this terminal. The player argues that all computers on a starship are networked and if the bridge can monitor activities in the hangar, then the hangar’s computer should be able to access what’s on the bridge. The GM sighs and says, “Okay, if you want to mess with the ship’s life support you’ll need to hack into the ship’s Computer Core. You can do that from here, but the attempt will take you 10 full rounds.” Quig’s player deduces the check will be at minimum DC 53 and decides to find a different strategy.

(Can you tell I’ve had this argument before?)

Now Quig’s player wants to know what’s behind the two firewalls. He decides to breach Firewall #1. Unknown to Quig, the DC for this check is 28 (the computer’s Hacking DC plus 2). He gets lucky and rolls a total of 29! He now has Access, but not Root Access, to whatever is hiding behind Door #1 – in this case it’s a Secure Data Module. He examines the data and discovers it is a log of all ships entering and leaving the hangar, their cargo manifests and destinations. He copies the data and moves to Firewall #2. Again, we’ll say he got a lucky roll and breached the second Firewall. Behind it he finds three Control Modules. One controls the large, exterior hangar door to space, the second controls a Cargo Loading Robot, and the third controls cameras in the hangar. He now has access to these three functions… he can open/close the exterior hangar door, can view what’s on the cameras and issue commands to the Cargo Loading Robot from this terminal – he does not have direct control over the robot, but can issue commands.

-----------------------------------

Is all of that accurate?

Follow-up Questions:
1) What triggers an alarm? Any hacking failure? Only failure by 5 or more? 10 or more? Would the alarm be triggered by failures after gaining Access to a system... like a failure to breach a Firewall?

2) If I have both the security key and password, why do I need to make a Computers Check to hack the system? If I have both those items, wouldn’t the computer treat me as authorized and just let me in?

3) How long does it take to breach a Firewall? Is it one standard action? Or is it a completely new Hacking check at 1 full action per tier of the computer? Does he get the +5 bonus for having the security key here? Does failure trigger the Alarm countermeasure?

4) Once Quig is through Firewall #1 and has Access to the Secure Data Module we know he can view and copy the data. But can he edit it?

5) Regarding Secure Data Modules, the book says, “This… is almost never available without root access or an action by someone with root access to grant another user the ability to access the secure data module… it is frequently also kept behind a firewall.” So, does this mean the Secure Data Module can be not kept behind a Firewall, but instead on the main computer partition but set so that only people with Root Access can see it? That doesn’t make much sense because the check to access it then would be a DC +18 higher than keeping it behind a Firewall.


3 people marked this as a favorite.

That's a lot to unpack. This is gonna be long...

I think it helps to map out the computer system. Draw it on paper.

Yours isn't very complex. It's hard to draw it in text on the forum, but I'll try.

Like this:

R (46)
|
B (26) - F1 (28) - M1:sd
|
F2 (28)
|
M2:c1, c2, c3

B: Basic Access. You need to log in with the password and can only do basic, unsecured functions (doors, lights, PA, etc.). DC 26 (13 + 3x4 + 1). 3 Rounds to hack.
R: Root Access. You need to already have Basic access and then Hack the computer again to reach this level of access. This is the level that programmers and network admins use to do their jobs, but users never use this. DC 46 (26 + 20). 3 Rounds to hack.
F: Firewall DC 28 (26 + 2). 3 Rounds to hack each one.
M1: Module 1 - Secure Data (sd)
M2: Module 2 - 3 control modules (c1, c2, c3)

They can get to B with just a simple login. If they have the card and know the password, it's automatic. Without it, they need to hack it.

Getting to R requires another computers check and is very difficult, probably beyond this hacker's ability, but if he could do it then he would have access to everything at this computer system, including F1, F2, M1 and M2, and he can even turn off the firewalls, alarms, passwords, etc.

Getting through one firewall (without Root access) requires a computers check and 3 rounds. Each firewall must be hacked separately. Once hacked, the PC can do whatever is allowed in the module behind that firewall.

Accessing any module (B, R, M1, M2, sd, c1, c2, c3) takes a standard action.

The Security 1 upgrade applies to every hack attempt (B, R, and firewalls).
You, the designer, can put the alarm wherever you want. Just on B, or just on M1, or everywhere. It's up to you. Buy it once for 10 credits and assign it to whatever you think should have it.

Accessing M1, M2, sd, c1, c2, or c3 takes one standard action after they get past the appropriate firewall. I see no rules telling how long it takes to copy data so this may be up to GM fiat, or assume the technology is so fast that it can all be copied in that same standard action that "manipulates" the module, though it's easy enough to assume that "copy" takes the same time as "remove" (1 minute per tier). GM's call, but I like that assumption since it matches real world computers (copying is actually slower than deleting but I'll settle for the same speed).

Answers to your questions:

1. Whatever you want (see above)
2. Yes. "Characters who are authorized, have the security object, and know the password can access a computer and use it for its intended purpose without needing to hack into it." If that card and password belonged to a person who had Root access, then you get root access. Congratulations, you got the best card! Otherwise, you only get Basic access. Maybe that user also had access to some or all of the Modules (maybe he was a manager or an engineer who uses those modules as part of his job duties). In that case, your card and password automatically access the authorized modules but not the Root or any other unauthorized modules. This is all up to the GM to decide how much access is granted to which users and whether or not the card your hacker is using belonged to a user with limited or unlimited authorization.
3. It's not a module so it's not manipulated, which means it needs to be hacked. This takes 3 rounds, based on the tier, just like all hacking attempts. "Accessing the hidden modules requires another successful Computers check, usually with a DC equal to the original DC + 2."
3a. It's up to you if the security card works. Somebody has access to M1 and M2, right? Managers or advanced users might have access to some or all of the modules while basic users would not. If your hacker has already hacked in with a user's card and password, that login should also get them through any firewalls that user could normally access. So your hacker would just ignore the firewall and access the module, but only if the card he acquired belonged to a person who had "authorization" to that module. If that user did NOT have authorization, then his card won't help you get through the firewall because this specific card never had authorization to bypass that firewall.
3b. The alarm is up to you (see above)
4. Yes. Sounds exactly like the "Create Forgery" section of the Computers skill since he's forging a fake version of that data.
5. No. See my explanation above. If you have Root access, you can get anywhere in THIS computer system but if you want to access another computer system (like station's central computer) you would need to hack that computer system separately. If the data module is on this computer system, then Root access lets you manipulate that module. M1 and M2 are on this computer system, so Root access to this computer grants you full access to M1 and M2. The sentence you quoted applies to authorized users with their key cards and passwords. A general user has access to only basic functions. Other users might also have authorized access to some modules if they were granted that access by a Root user (a system admin, for example). A system admin has root access and can grant root access and/or specific firewall and module access to any other user. Hackers don't need "authorized" access because they're hacking. Once they pass the computers check to get Root access they have everything. If not, they make individual computers checks for basic access (B) as well as each firewall (F). Once your player has hacked a firewall, he gets access to everything behind that firewall.


2 people marked this as a favorite.

In my previous reply I explained the rules as I understand them. Now I'd like to walk through the time frame of what Quig does:

(Note: 1 Standard Action is basically a full round since hacker cannot use his Move Action for any hacking purposes so it is just wasted)

FunkamusPrime wrote:

Quig is lacking the password to access the system, so he attempts to hack it. Quig’s bonus to Computers is +11, and is increased by another +5 for having the officer’s security key card to a total +16 bonus. This will take three full rounds. If he wished to hack it faster, he could declare so before rolling the dice and increase the DC to 31. He decides not to risk it and takes the full three rounds.

We’ll say Quig’s player rolls a 12 on the die for a total of 28, enough to gain Access to the computer.

Access: Basic access to the computer (B)

Time: 3 rounds
Total: 3 rounds

FunkamusPrime wrote:
Now Quig’s player wants to know what’s behind the two firewalls. He decides to breach Firewall #1. Unknown to Quig, the DC for this check is 28 (the computer’s Hacking DC plus 2). He gets lucky and rolls a total of 29!

Access: Basic access to the computer (B) and Module 1 (M1:sd)

Time: 3 rounds
Total: 6 rounds

FunkamusPrime wrote:
He now has Access, but not Root Access, to whatever is hiding behind Door #1 – in this case it’s a Secure Data Module. He examines the data

Access: Basic access to the computer (B) and Module 1 (M1:sd)

Time: 1 standard action
Total: 7 rounds

FunkamusPrime wrote:
and discovers it is a log of all ships entering and leaving the hangar, their cargo manifests and destinations. He copies the data

Access: Basic access to the computer (B) and Module 1 (M1:sd)

Time: 1 standard action to insert his recording device and 1 standard action to start the copying
Total: 9 rounds

The copying will take 3 minutes (per my assumption in the previous reply) or will take 1 round (possible rule interpretation that I'm not personally fond of). Either way, it's reasonable to assume he doesn't need to wait for it and can do other things while it copies.

FunkamusPrime wrote:
and moves to Firewall #2. Again, we’ll say he got a lucky roll and breached the second Firewall.

Access: Basic access to the computer (B) and Module 1 (M1:sd) and Module 2 (M2:c1, c2, c3)

Time: 3 rounds
Total: 12 rounds

FunkamusPrime wrote:
Behind it he finds three Control Modules. One controls the large, exterior hangar door to space, the second controls a Cargo Loading Robot, and the third controls cameras in the hangar.

Access: Basic access to the computer (B) and Module 1 (M1:sd) and Module 2 (M2:c1, c2, c3)

Time: 1 round to examine each module to find out what it does (3 rounds total)
Total: 15 rounds

FunkamusPrime wrote:
He now has access to these three functions… he can open/close the exterior hangar door, can view what’s on the cameras and issue commands to the Cargo Loading Robot from this terminal – he does not have direct control over the robot, but can issue commands.

Access: Basic access to everything except Root (R)

Total: 15 rounds

Note that the copying is probably not yet finished (still 24 rounds to go).

Also note that copying probably requires inserting a thumb drive (or whatever recording device he's using) and then disconnecting it when done, which should be standard actions. So the copying will be done on round 39 and he'll have his thumb drive in hand by round 40.

I guess he can play around with that robot for 24 rounds while he waits. Maybe turn off the lights and make the robot sneak up and scare the bajeebies out of his friends who are all standing around bored while Quig does all the hacking work...

Sczarni

Starfinder Charter Superscriber

I love this. Thank you for your explanations.

Dataphiles

No disagreements here, merely clarifications that might have gotten lost in the fantastic in-depth explanation.

#1 [Countermeasures (Alarm)] According to the specific wording, all it takes is a failed hacking computer check to set off a countermeasure.

#3 [Timing on hacking through firewalls] Technically it doesn't explicitly state how long it takes to hack a firewall. That said, a timing equivalent to gaining access to begin with is a very reasonable assumption.

#5 [As it pertains to the 'root access'] "Gain Root Access" is its own action. Succeeding at a hacking check by 20+ does not give you root access, you have to choose to try for root access and succeed at that check. Fun Fact: "Gain root access" is technically not even a "hack system" action, for whatever relevance that may be.


Pathfinder Adventure Path, Starfinder Adventure Path Subscriber

Thanks everyone for the thoughtful and detailed explanations.

Follow-up question: How do Fake Shells work?

The rules say anyone who "fails to bypass this countermeasure" faces the Fake Shell. I feel like there's a lot of room for interpretation into the intent of failing to "bypass".

So say we have a computer with super top secret information on it and they install a Fake Shell.

1) Quig has both the password and security key of a user with permissions past the Fake Shell and logs onto the real system without problem.

2) Quig does not have the password or security key and attempts to hack into it. He fails, but is told he was successful. If he suspects he is in a Fake Shell, perhaps because he rolled horribly and there's no way a computer this Tier would be so easy to Hack, he can attempt to detect the Fake Shell by making another Hacking attempt, time required equal to Tier number of turns, and a DC equal to the Hacking DC plus 5. If he fails, he automatically tries again after every minute of using the computer with a cumulative +2 bonus.

If he succeeds he knows he is in a Fake Shell. But to actually get past the Fake Shell he needs to make another Computers Check to disable the countermeasure, time required is 1 standard action and the DC is equal to the hacking DC.

3) Here is where I get confused. If Quig does not have the password and security key and succeeds at hacking into the system, does that mean he also got past the Fake Shell? Or does it mean he unlocked and opened the front door, but walked into the illusion?

It kinda seems like if Fake Shells are limited to just when people fail the computers check, they'll be real easy to spot (on a meta level by the players), unless the GM is rolling for them in secret.

Dataphiles

3) I do believe that he gets past the countermeasure, as "Countermeasures are specifically designed to activate when an unauthorized user attempts unsuccessfully to access the system..."


1 person marked this as a favorite.
FunkamusPrime wrote:

Follow-up question: How do Fake Shells work?

The rules say anyone who "fails to bypass this countermeasure" faces the Fake Shell. I feel like there's a lot of room for interpretation into the intent of failing to "bypass".

So say we have a computer with super top secret information on it and they install a Fake Shell.

1) Quig has both the password and security key of a user with permissions past the Fake Shell and logs onto the real system without problem.

2) Quig does not have the password or security key and attempts to hack into it. He fails, but is told he was successful. If he suspects he is in a Fake Shell, perhaps because he rolled horribly and there's no way a computer this Tier would be so easy to Hack, he can attempt to detect the Fake Shell by making another Hacking attempt, time required equal to Tier number of turns, and a DC equal to the Hacking DC plus 5. If he fails, he automatically tries again after every minute of using the computer with a cumulative +2 bonus.

Everything above seems correct except:

I don't think detecting the Fake Shell is a hacking attempt. I think it's a normal Standard Action computers check with the DC+5. Likewise with the automatic checks being Free Actions (I assume because they are automatic so the hacker doesn't have to give up his action to make the roll).

FunkamusPrime wrote:
If he succeeds he knows he is in a Fake Shell. But to actually get past the Fake Shell he needs to make another Computers Check to disable the countermeasure, time required is 1 standard action and the DC is equal to the hacking DC.

True.

Which makes almost no sense. For a 50% price increase, you can have fake data that will slow down a skilled hacker for 6-12 seconds. That's a prohibitively expensive countermeasure that basically accomplishes nothing.

To make this really work, it should start by being less expensive but that's a house rule. To stay within the rules, put the Fake Shell behind its own firewall so it will take 3 full rounds to hack that firewall plus another standard action to disable it. Also make sure the original failure (the failed hack that put them into the Fake Shell) triggered a SILENT alarm countermeasure and that alarm alerted guards, robots, etc., who will respond in a few rounds - that way there is a penalty for wasting time in the Fake Shell.

Silent alarm because noisy alarms are supposed to scare the criminals away. The alarm goes off and they run away before they get caught. Noisy alarms keep you safe because the criminals leave before they cause any real harm. But you just spent a 50% price upgrade to make them stay where they are and waste time. Why pay for that if you're just going to scare them away? So, the plan must be to keep them there, lost in the Fake Shell, long enough for something important to happen, such as giving you time to get a security team to show up and capture them, or giving you time to get away through the back door, or whatever.

FunkamusPrime wrote:
3) Here is where I get confused. If Quig does not have the password and security key and succeeds at hacking into the system, does that mean he also got past the Fake Shell? Or does it mean he unlocked and opened the front door, but walked into the illusion?

Definitely gets fully authorized access to whichever parts of the system his card/password unlock without getting stuck in the Fake Shell.

Always remember why this computer exists and what the authorized people are supposed to do with it. Somewhere there is a guy, or lots of guys, who use this computer to do their job. Their employer doesn't expect these guys to have to disable countermeasures by hacking their work computer. So, when they log in with the proper key card and password, they simply get to do their real job without any further hassles.

FunkamusPrime wrote:
It kinda seems like if Fake Shells are limited to just when people fail the computers check, they'll be real easy to spot (on a meta level by the players), unless the GM is rolling for them in secret.

This is true too, especially if the players have looked at/remembered the DCs for their actions.

This could be a good time to say "Hey, this computer may or may not have countermeasures. You don't know, so I should roll your computers check and tell you the results based on your character's knowledge without you knowing how well or poorly the die roll was."

And of course, you should probably also do that when there are no countermeasures, just so the players never know.

If nothing else, it builds tension as the players try to hurry in case guards are on the way.


Pathfinder Adventure Path, Starfinder Adventure Path Subscriber
Dr. Cupi wrote:
3) I do believe that he gets past the countermeasure, as "Countermeasures are specifically designed to activate when an unauthorized user attempts unsuccessfully to access the system..."

Yes, but under the Computers Skill entry for "Detect Fake Shell" it says "If you have access to a computer, but not root access, you may actually only have access to a fake shell..."

Which sounds like this is triggered when a hacking attempt succeeds. I guess "specific entries trump general entries"?


"I look for the fake shell" is the new "I perceive the door"
