home
news
columns
features
Passwords and How to Get Them
by Mark Fender (mfender@ozarks.sgcl.lib.mo.us) adapted by Paolo Marcucci (paolo@interware.it)
Under the new matrix system, it becomes very important to get passwords, passcodes, and passchips. Passwords and passcodes are lines of computer code that the decker enters into the SAN when entering the system. Passchips are specially coded optical chips that use advanced logarithms and special programming techniques to encode highly detailed passwords that continually change. Some systems require the decker to actually have a passchip slotted into their deck before they are granted any access level. Passchips are the hardest type of protection to get around, but there are ways.
There are various ways to find out someone’s password. Two of these methods are social engineering and trashing.
Social Engineering
Social engineering is what deckers call finding out someone’s password. It involves fooling people into turning over their code without them knowing that they’ve been ripped off. Frighteningly easy to do, it usually takes very little effort on the decker’s part.
A typical scenario for social engineering is pretending to be the phone company or head office of the victim’s corporation, calling him, and then wheedling it out of him. A typical conversation might run like this:
Decker (pretending to be in the security office of the victim’s corporation): “Is this Charles Burkenstock?”
Victim: “Yes.”
Decker: “This is Thomas Vaughn in the Security Office and we have a few questions.”
Victim (beginning to fantasize all the illegal activities the security office thinks that he’s been doing and becoming very unnerved): *gulp**
Decker: “Did you access the SPU of your subsystem last night between the hours of 2:00 A.M. and 3:00 A.M.?”
Victim: “No.”
Decker: “Hmmm. Last week when you reported in your access times, there was a discrepancy of over twelve hours of time. can you explain this?”
Victim: “I reported those hours correct. I know I did. When I turned in those hours to the Accounting Head last week…”
Decker: “Accounting?”
Victim: “yes, Accounting. I turned in my access hours to the Accounting Head above me in the office…”
Decker: “Is this Charles Burkenstock?”
Victim: “Yes.”
Decker: “In Production?”
Victim: “No, Accounting. I’ve worked in Accounting since I was hired.”
Decker (acting very confused): “And your password is ‘Sheila’, correct?”
Victim: “No, it’s ‘Fido.’ Say, what’s going on?”
Decker (embarrassed): “Mr. Burkenstock, I am incredibly sorry. Apparently we’ve called the wrong office. I apologize for any inconvenience this may have caused you.”
Victim (becoming quite relieved he’s not in hot water): “No, no problem. Glad to help.” ad nauseum
The beauty of this system is that the victim will never suspect a thing because he was too worried about being caught at something he might really have been doing. Relieved at not getting caught, he will never tell his superiors about the call. He might even joke about it to his buddies in the office about how much trouble that other Charles Burkenstock is going to be in. Of course, not everyone is such an easy pushover.
In order to use social engineering, the decker makes a roll of his Negotiation against the Intelligence of his target, modified by circumstances accordingly.
| Situation | Target Modifier |
|---|---|
| The NPC is: | |
| User | +2 |
| Superuser | +4 |
| Suspicious | +2 |
| Decker doesn’t know basic information about the victim | +2 |
| Decker has supporting evidence | -2 |
Finding out a user’s password doesn’t have to take place over the phone. Social engineering can use any con method to find out the needed information. With more suspicious victims, the decker may have to use more elaborate schemes to figure out their passwords. It is virtually impossible to con someone out of a passchip, although it has been done.
Trashing
Trashing is what deckers call digging through the trash to discover information about a system. The average corporation has literally tons of trash thrown out every day. Most corporations shred high-security documents, but neglect to shred low-security ones. Decker often use the corporations’ stupidity to discover information about a system.A primary example of this in modern times is the department store.
Millions of people every week pay for goods using credit cards in department stores. These stored make carbon copies of their receipts for their records. Once the proper paperwork on t he credit card numbers is completed, the stores throw out the carbons. These carbons list the credit card numbers of thousands of consumers. It is quite simple for a thief to ransack the dumpsters behind the store in the night before the trash pick-up and discover quite a few credit card numbers.
The future is no different. companies still create thousands of pounds of trash every day, full of information that they would normally not disclose, including passwords, private LTG numbers, and information on the layout of the system. All a decker has to do is wear some scummy clothes to the dumpsters at night and dig until something useful shows up. He may even go so far as to get a job in the corporation’s janitorial service and empty wastebaskets inside the building.
Trashing requires a new skill, Research. Concentrations include Library and Trashing. The target number for location of an applicable piece of information is usually 6, but can be modified depending on the amount of shredding a company does. If a corporation has high-security facilities, it becomes a shadowrun just to reach the garbage to dig through.
Passchips
As mentioned above, passchips are encoded optical ships with ever-changing passwords on them. They are usually used for specific nodes, commonly datastores, that the corporation wants only a select few to have access to. They are very hard to get. Needless to say, one cannot go trashing to find these. Usually only outright theft or some elaborate social engineering trick must be used. The problem with both of these methods is that the victim becomes suspicious rather quickly and will alert security . This can create many problems for the decker. It is slightly easier to gain access to a passchip for a few hours and copy it. That way, the corporation still had their original chip and the decker had a copy to use. Copying a passchip requires an optical chip recorder and a fresh optical code chip (VR, p. 25). The target number for the encoding process is equal to the security rating of the CPU of the system plus the security rating of the specific node that the passchip is needed for. If the pass chip is a general chip that allows access to no specific node, double the CPU rating for the target number. Yes, this will usually give target numbers beginning in the 8 range. Nobody said this was easy, chummier. See VR p. 25 to see how long it will t ake to encode the chip.