As I’ve discussed before, and will no doubt discuss again, the core mechanic of D&D is the Three Step Conversation. It starts with the referee describing the environment, followed by the player describing how they interact with that environment, followed by the referee describing how the environment changes. Rinse and repeat until fun is achieved.
The Three Step Conversation is a powerful, versatile tool for making the game happen. But, like any core mechanic, it can’t cover every situation that will come up during play. That’s why we have subsystems and dice; deviations from the core mechanic that help resolve situations where conversation is not the best tool. There are basically two types of deviations: quick, and involved.
Skill checks are an example of a Quick Deviation. They handle problems that can’t effectively be solved by conversation, and aren’t interesting enough in themselves to waste any time on. Nobody wants to play a “foraging for food” minigame, so resolution is distilled down to a single die roll.
Which isn’t to say that foraging for food can’t be interesting. It totally can be, but within the context of a D&D game, it’s enough to know whether the foraging was a success or a failure. Spending any more time on it would distract from game’s focus. Rolling a single die skips straight to the interesting bit (success/failure), and gets us right back to the Three Step Conversation.
Combat is an example of an Involved Deviation. It’s a whole minigame, with its own rules, and choices for the players to make. It presents the player with a set of risk/reward choices (If I attack I can do damage, but I’ll put myself in danger of taking damage myself), which are mostly resolved with die rolls. Hopefully, any involved deviation will have a few key elements:
- It’s fun.
- It’s dangerous.
- It’s quick enough that it doesn’t dominate the game session.
- It’s possible to completely trivialize it with adequate planning.
All of which brings me around to Hacking. In ORWA, hacking is a quick deviation, handled with a single die roll. But, as the game moves into more of a cyberpunk / science fiction territory, I am curious about the possibility of making it an involved deviation. I’ve also been playing Shadowrun lately, which has got me thinking about that game’s rules (which are interesting, but also terrible).
All of this started with a conversation I had with my friend Frotz, who already wrote up his own thoughts based on that conversation. His ideas focus on making the system work within the Shadowrun framework, while I’m more interested in creating something modular that could work well in a more D&D style ruleset.
The referee will design computer systems (sometimes improvising them on the spot if need be), just as they would for a monster. Each computer has three basic pieces of information: Security Rating, Access, and Network.
A computer’s security rating is a number between 2 and 5. It’s a measure of how well protected the computer is, and will need to be overcome each time the hacker wants to do something. It functions a little bit like a monster’s armor rating this way.
Access is an explicit list of important information and systems which can be reached from a given terminal. This might be something like “Mr. Badguy’s Emails,” “Blackmail gifs,” or “Automated turret control.” The list does not need to be exhaustive, it should only mention the items the referee feels are most notable. If the players try to find something that isn’t explicitly listed, the referee can either say yes, say no, or determine the answer by rolling a die.
Network is optional, and can mostly be handled by common sense. It’s just a way of determining which computers are connected to one another. So if you go into the big bad guy’s fortress, all the computers there might be on the BBG network. Or, if the referee wants to be clever, there may be multiple networks in the fortress.
Hacking is done with a pool of d6s, because this whole idea started off as a mod for Shadowrun before I decided to make it modular.
Untrained characters have a pool of 2d6, whilst trained characters begin with a pool of 3d6, which increases periodically. (Either when skill points are put into it, or when a hacker character levels up, depending on how you want to use the system).
A hacking attempt is a complete success if two or more of the dice roll equal to, or above, the system’s security rating.
A hacking attempt is a partial success if only one die is equal to or above the security rating. In this event, the character’s action succeeds, but the system’s Alarm goes up by 1.
A hacking attempt is a failure if all the dice roll below the security rating, The character’s action fails, and the system’s alarm goes up by 1.
Hacking isn’t just about getting what you want from a computer. It’s about getting what you want, and not getting caught while you’re getting it.
Each computer’s alarm begins at 0, which means nobody knows nothin’, and there ain’t any evidence for them to find if they go looking for it. Each time the hacker messes up whilst hacking, the alarm increases by 1. The higher the alarm gets, the more trouble the hacker is in.
- 1. A minor flag. There are tons of false positives at this level every day. It’s unlikely anyone will ever notice unless they have some other reason to investigate a possible hacking.
- 2. Yellow flag. At some point within the next day or so, security is going to make a thorough examination of the system, and realize it was hacked.
- 3. Red Flag. The sysadmin will receive a phone call at home, and is going to remotely check on the system. They will realize it is being hacked within a few minutes, to a few hours, depending on how urgently they treat the call.
- 4. Black Flag. A trace is made. The authorities are automatically contacted.
Logging into most computers will require passing a security check, and is required in order to perform any of the actions listed below. Once you’re in, though, passively viewing the terminal’s unsecured information can be done without any further checks. That includes stuff like company memos, and possibly some security cameras.
Of course there will be protected information that will require security checks to see. Security checks are also required for changing or downloading anything on the computer, or uploading something to it.
So if the hacker wants to help their companions sneak past a security camera, they’ll have to make one security check to access the computer, another to record 10 seconds of security camera footage, and a third to set the camera to play that 10 seconds over and over again on an endless loop.
If the Alarm is getting too high, and the player wants to try and lower it, they can do so. However, this requires a check made against a Security Rating of +1.
If the hacker wishes to access another computer on the same network, they may attempt to do so. Treat the new computer just as you would any new computer. The only difference is that the hacker is not physically present. Hacking across a network uses the target computer’s security rating, +1.
If the hacker would like to gain Root Access over a system, they’ll need to make a security check with four successes, instead of the usual two. There is no partial success for gaining Root Access. Once the players have that, they no longer need to make a security check for most actions they take on this computer, with only two exceptions: root access does not affect the chance of reducing the alarm rating, nor does it allow you to access any other computers on the network.
Deck – A set of portable tools, necessary if you want to try to hack without getting access to a terminal. With a deck, a hacker can break in to devices like ATMs directly, or splice into a network cable to create their own terminal in a secluded location. The downside, of course, is that most hacking attempts have a +1 to their difficulty when made without direct access to the machine. Decks are an encumbering item.
Script – Scripts are digital items that are both expensive, and consumable. They’re most useful when hacking with a deck, where they can be used without needing to upload them first (which, of course, requires a security check).
If a script is available, it can be used to reroll one die per action. If the rerolled die comes up a 1, then the computer’s auto-patching function has discovered the exploit your script was using, and closed it. The script is now useless.