We have talked about realistic hacking in Spycursion a lot of times, but what exactly is hacking and what do we mean by realistic? Let’s answer those questions one at a time.
Frequently when people hear about hackers they imagine a shady figure with a hood trying to steal your bank account information or get into your e-mail, but it is more about applied knowledge and outsmarting systems to get what you want, some times maliciously (black hat hacking) and some times legally (white hat hacking). In general when people think about hackers they are thinking of coders that can cast magical “spells” which allow them to do almost anything, changing traffic lights, changing their college grades, moving money around, or even get heart attacks to people using connected pacemakers.
In modern days a lot of these things can be realistic, if the systems can be controlled remotely chances are somebody can design an attack that will allow them govern the system, and make it do things, some of which are unexpected even to those who designed the system. But hacking is not limited to that, however in a game we need to limit things to what can be achieved inside our simulation of the world.
Realistic Hacking in Spycursion
To disrupt or infiltrate a system we need to know how things work, how do clients access the system, what happens when a system receives a request (or a lot of them), how do systems protect against over-lookers, and how can you overlook the information coming and going from the parts involved in a conversation.
Once we know how things work, we have to be ingenious to know how we can make them do what we want or stop doing what they are supposed to do. So in order to have realistic hacking in our game, we need to have systems that are accessed in a similar way than real systems do, with existing protocols, and with limitations similar to those of real systems.
Where do systems, break?, the answer could be in the physical layer, in the low level communications, in the protocols, in the limitations of the server (an its underlying OS), and a lot of times in the people using the system. So a player in our game should be able to create attacks to any of those layers. This means that:
There must be servers, clients and peers interconnected trough an internet, with messages going to a from servers, some times through wires, and sometimes wirelessly, IR, Wi-Fi, bluetooth, sound, lasers, etc. Operated by real people and/or NPCs.
The Players/NPCs should have an environment which they live, and where they have personal possessions, garbage, social interactions, etc. In the world of hacking information is crucial, and it is not always obtained electronically. Some times you have to spy, eavesdrop, invade private property and look for clues, go trough somebody’s garbage to gain information, go to social media to gain insights about a person, impersonate trusted entities in real life or electronically, etc.
So, the Spycursion world should allow you to do physical hacking, tap lines, connect usb devices to servers or computers, set up wireless hot spots, intercept radio frequency, infra red, or other types of transmission media. It should also allow you to use public connections and code to intercept communications not intended for you and be able to use that information.
Each server should have speed limitations, and be limited in the number of connections it can keep alive, and should obey some rules on what to do with incomplete communications, disconnected clients, and other disruptions.
Finally, our citizens (some of them NPCs) should have the same type of vulnerabilities as real persons, use obvious password, leave unprotected ports opened, be vulnerable to phishing and social engineering. and make silly mistakes as leaving the computer unlocked and unattended, or send passwords in chats or phone conversations, etc.
An example, Man in the middle attack.
There are several ways this can happen in real life, we will talk about one. When you connect to a hotspot on an airport or restaurant. You normally open turn on your Wi-Fi and start looking for hot spots and look for something that looks right, “theBurger-guests’ for example, what you are in effect doing is connecting to the Wi-Fi router which in turn connects to the internet. Now, most phones can be turned into a hotspot to allow you to use your phone carrier’s internet to connect to the internet from other devices (normally your laptop), it also allows you to change the predefined name so you could name it “spacecowboy” or whatever you want, and you can set up the security for it. So if I were to go to theBurger and rename my hotspot “theBurger-guests’ and make it insecure, anyone could connect to it. and in fact many people would, because they trust it is a Wi-Fi for the customers. Now you have all the internet traffic from the people who connected going through your phone, and if you have the right apps you could redirect them to wherever you want, or sniff their packets (since all the traffic is going through your phone you can see what is being sent and received for all the users, that is what we call sniffing). You can imagine you could do all sorts of malicious stuff then, like serving a custom page of your own when somebody asks for amazon.com, and try to trick them into giving you personal information under false pretenses, or try to add your own items into their shopping cart and change the delivery address, etc.
Now, in game if you have a device that can serve as a Wi-Fi hotspot, that could be simulated by a process that has a certain number of channels that can receive and send information, the game will know if a player or NPC is sufficiently close to it to discover it and/or connect to it. Imagine you want to spy on employees of a data center, and they normally go to the same coffee shop ‘AstroDollars’, then you could set up your device somewhere in the shop and have all packets dumped into a file that you can later analyze with your computer. You could write the “sniffer” and “analysis software” yourself, or get it in an in game store, either way is going to be “Slang”. Now since Spycursion is as much about defending as it is about attacking, then, knowing what you know, you would not be connecting to any random hotspot you find, but you also have a need to connect to the internet on the go, so you have to figure some countermeasures, you could for example use your laptop to send and received encrypted messages to your home computer, and have your computer be the one connected to the web site you want to reach, effectively acting as a tunnel, then anyone looking at those packets should be able to un-encrypt the traffic in order to see any info in it. Again, in game your computers are processes that can receive and send messages, in this case with a program that allows them to receive and send encrypted messages between them, these programs could have different types of encryption with different strengths, and demand on resources.