If you’re playing modern espionage, science fiction of any stripe, or steampunk, there’s one thing you’re going to run into: computers. The old cyberpunk systems dealt with cyberrunning/diving/fighting/hacking/whatever as combat-style actions, which is perfect for recreating the William Gibson-style hacking of his early novels. A lot of the modern games gloss over the importance of computers, and when they don’t tend to cinematize hacking.

You’ve seen this: the hero needs information…now! and the team geek with bang away furiously on the keyboard, opening windows that look like nothing that actually exists on the market and make you wish Hollywood set designers did graphic interfaces for your machine. Bang! He’s got camera footage of the bad guy wandering around the target location, he’s got the files on the guy from whatever agency, whilst accessing satellites and getting shots of the bad guy doing bad guy things. A few keystrokes and he’s accessed the security systems of the building (or whatever,) and can do [enter incredibly unlikely action here.]

It’s crap, of course, but it looks great on screen. Probably the worst offenders were the Bourne movies and 24. You would think every single camera on the planet, every bank, every agency, every street light, etc. is online and ready to be snagged by a super-grade A hacker.

In reality, here’s what your guy is doing: he’s doing research first. He wants to know the system the target is running, the kind of security. Fortunately, a lot of that information is available just pinging the target. You need passwords? Well there’s the top 10 people use, there’s researching people who do password properly to figure out the code, and there’s the heavy, randomized password security of some businesses and government systems. What a hacker stealing information, money, whatever, is not trying to access a particular account; they’re trying to break down to the administrative functions so they can do what they want.

There’s a couple of ways they’ll do this: they’ll craft a virus, or they’ll utilize know issues with the operating systems of the machines they’re targeting. (Yes, this is a bit simplistic, but most of the players aren’t going to be hackers and only need a convincing description of what they’re doing.) Some of the simple virii are open-sourced, available on bulletin boards that the black hat community use; the hacker will take and modify these for their use. Others are higher quality and require the hacker to craft them him/herself or gain code from friends and contacts. Here you can either have some canned virus with a specific skill level to use against the target machine, or you can have the hacker alter it and use a skill test to represent the efficiency of the virus.

Mechanically, there’s no real difference for what they’re doing. You could have them test for their research, to hit the target with a few probes to figure out what kind of server, OS, internet browser and sometimes even the security they’re using. Any success or failure could benefit or hurt them for the actual intrusion test. The intrusion test would go against either a static difficulty (an automated anti-virus system like Norton or Symantec) based on the quality of security — most of the time, this should be a “hard” test; top end systems will be more difficult. If there is a sysadmin on the network paying attention, you could test this as an opposed test — a perception-style test vs. the hacker’s test to either hack or craft the virus to enter the system.

Once in, the hacker can pretty much cruise around the network doing whatever they need to, although some networks are firewalled in nodes. The problem here — if you have admin access, you can usually bow through these nodes using a remote access program to do repair. Planting programs would be a computer skill test, finding information and snagging it a perception/search/investigate test. Any changes made to the system (planting keystroke loggers, programs, etc) can alert a sysadmin, as it will require administrator approval. Each time the hacker does something on the system that isn’t a normal user action (opening files, send email, etc.) they might be noticed; give the sysadmin a chance to see their activity. If they are trying to open encrypted files on the system, they can also be found. Better is to simply download the file and crack the encryption on your own machine.

This gives you a more realistic way to handle hacking (if that’s your desire.)

As for what you can find — there’s a lot of stuff online now, including stuff that is truly, monumentally idiotic to have accessible online (like, say, defense department mainframes.) Somethings, like a nuclear reactor, might be able to be monitored online, but the control systems are usually firewalled off (at the very least; many are mechanically operated.) Yes, you could probably reprogram streetlights, access traffic cameras, but you’re not going to find street cameras and security cameras in the local mall on the same network. Each system requires a hacking attempt; each thing you’re working means your attention is split, and running multiple processes slows your machine, working against the intruder. (This is why a lot of hackers work in “farms” in China, or utilize zombies and ‘bot to handle the basic functions.

Even if you can access satellites, they don’t see every portion of the world at all times — satellites usually orbit the planet about once an hour, each orbit a few hundred miles from the longitude of the last pass. If the satellite isn’t over the target, it can be anywhere from 45 minutes to days between overflies. Retasking a satellite is a big f’ing deal — you have to get all manner of permissions, the satellite has to blow reaction material, and then is on a new orbital interval (possibly screwing another team’s intelligence.) It pretty much doesn’t happen.

Most people’s personal information is scattered throughout the internet. You’re not going to get some clean sheet with bank info, personal, data, family photos, nifty headshot, military record, etc. in one shot. You’ll have to cast about for a while. Information from before the 1990s is often not transfered to digital as of this time, so old records might need to be pulled by hand. Some of the information is going to be redacted; the scan of the material isn’t going to give you anything useable. This gives the GM the opportunity to gloss over certain things he doesn’t want the players to know, and hence keep some level of surprise.

In a sci-fi setting, this is less a problem. You can have centralized data files, and more integrated surveillance systems…whatever the GM desires.

Hopefully, this gives the GM some idea of how to design their adventures to create a more realistic hacking experience for the players.