Mailing List Logs for ShadowRN

Message no. 1
From: mamos@*****.com (Mike Amos)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 08:04:04 -0700
Let me start by saying thanks for all the help regarding my character and
his bodybuilding fetish. I appreciate all the input.

Now onto new business.

I've been reading The Art of Deception by Kevin Mitnick. Although I'm a bit
concerned about the moral implications of the book (it's a bit more of a how
to and less of a security guide). It provides an interesting read and a
wonderful companion to any face character for shadowrun. I keep hearing
everyone talk about how much they want, but what would you do if you had an
adept social engineer like Mitnick in your campaign? I mean legwork is one
thing, this guy could finish the whole mission and at most send his Decker
into the system once with adequate passwords and access to not have to worry
about IC. Is someone who does this kind of leg work a GM's dream or
nightmare? Would you grant him extra karma even though it is obvious that
this is the easiest way for him to handle it? How would you deal with the
conflict between the other players and this guy when they really want to
shoot something, but end up just sitting in their hideout counting their
earnings?
Just seemed like an interesting problem. Thanks.
Message no. 2
From: trunks@********.org (kawaii)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 10:18:34 -0500
From: "Mike Amos" <mamos@*****.com>
Sent: Friday, January 31, 2003 10:04


> Let me start by saying thanks for all the help regarding my character and
> his bodybuilding fetish. I appreciate all the input.
>
> Now onto new business.
>
> I've been reading The Art of Deception by Kevin Mitnick. Although I'm a bit
> concerned about the moral implications of the book (it's a bit more of a how
> to and less of a security guide). It provides an interesting read and a
> wonderful companion to any face character for shadowrun. I keep hearing
> everyone talk about how much they want, but what would you do if you had an
> adept social engineer like Mitnick in your campaign? I mean legwork is one
> thing, this guy could finish the whole mission and at most send his Decker
> into the system once with adequate passwords and access to not have to worry
> about IC. Is someone who does this kind of leg work a GM's dream or
> nightmare? Would you grant him extra karma even though it is obvious that
> this is the easiest way for him to handle it? How would you deal with the
> conflict between the other players and this guy when they really want to
> shoot something, but end up just sitting in their hideout counting their
> earnings?
> Just seemed like an interesting problem. Thanks.
>

My solution has always been that if the characters come up with an
unexpected way of solving a run without any fighting, that's more power to
them. I typically give them an extra point or two of karma for being
creative and then readjust what I think the corp and opposition will do.

The key is that most Johnsons don't want noise, and the runners can do it
without noise and accomplish the object, there's no need to penalize them
for it. There is more than one way to do it, as Perl says.

On the other hand, social engineering won't work for a lot of cases. Social
engineering requires the victim to be gullible, or for the face to have
enough 'insider' enough to make social engineering successful. Those two
pieces of information are hard to come by, without having the decker do some
'real' work to get it. After all, you don't want to try to social engineer,
and fail, which only leads the victim to be _more_ suspicious.

Then there are the physical aspects of runs - extractions, prototype steals
(no data, but the actual prototype), etc. Guards in 2062 are in
communication with each other and with the central database of information,
a lot more than in the 1980s. Whereas the security guard (or IT helpdesk
guy) in 1980 (or 90s) might be willing to believe that so-and-so on the call
is on the up and up, the guard in 2062 can almost instantly check and ask
for identifying information (SIN, for example) because of the more advanced
communication network.

Ever lovable and always scrappy,
kawaii

Julius Caesar extinguished himself on the battlefields of Gaul. The Ides of
March murdered him because they thought he was going to be made king. Dying,
he gasped out: "Tee hee, Brutus."
Message no. 3
From: cmd_jackryan@***.de (Phillip Gawlowski)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 16:18:24 +0100
On Fri, 31 Jan 2003 08:04:04 -0700, Mike Amos <mamos@*****.com> wrote:

> I've been reading The Art of Deception by Kevin Mitnick.

<snip>

> Is someone who does this kind of leg work a GM's dream or
> nightmare? Would you grant him extra karma even though it is obvious that
> this is the easiest way for him to handle it? How would you deal with the
> conflict between the other players and this guy when they really want to
> shoot something, but end up just sitting in their hideout counting their
> earnings? Just seemed like an interesting problem. Thanks.

Well, first of all: He wouldn't get any extra karma from me. 'Tis his job to be
smart'n'creative.

And, to be honest, a runner like that would take all the fun out of the
game. A Decker who gets the proper passwords? Come on, that's not
very interesting for the player nor the GM: "Ah, yes, you detected several
black ICE, but they ignore you, because you have the right ID." Doesn't
sound interesting, does it?
And if the team won't run into difficulties involving fire fights, how does a GM
kill them legally?

I think that a runner with knowledge about such kind of stuff
(a Private Eye, a SuperSpy like 007 etc.pp.) will be a great asset.
But only one piece to a great thing, IMHO.



--
Phillip Gawlowski
GameMaster and GeneralIdiot
Message no. 4
From: davidb@****.imcprint.com (Graht)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 08:51:19 -0700
At 08:04 AM 1/31/2003 -0700, Mike Amos wrote:
>Let me start by saying thanks for all the help regarding my character and
>his bodybuilding fetish. I appreciate all the input.
>
>Now onto new business.
>
>I've been reading The Art of Deception by Kevin Mitnick. Although I'm a bit
>concerned about the moral implications of the book (it's a bit more of a how
>to and less of a security guide). It provides an interesting read and a
>wonderful companion to any face character for shadowrun. I keep hearing
>everyone talk about how much they want, but what would you do if you had an
>adept social engineer like Mitnick in your campaign? I mean legwork is one
>thing, this guy could finish the whole mission and at most send his Decker
>into the system once with adequate passwords and access to not have to worry
>about IC. Is someone who does this kind of leg work a GM's dream or
>nightmare?

It wouldn't make much of a difference to me. My dream right now is
players who can show up on a regular basis ;)

>How would you deal with the
>conflict between the other players and this guy when they really want to
>shoot something, but end up just sitting in their hideout counting their
>earnings?

I'd give the other players something to shoot at. It's like the opening
scene in almost every James Bond film. There's a chase or something to get
the movie started, then it quiets down for a while, and then builds to the
climactic ending. It's pretty easy to create a situation where there is
going to be combat no matter what. Again, Bond is a classic example: You
Only Live Twice ends with a battle that would've happened with or without
James Bond.

Also, there are "random" encounters. Put stuff in the adventure that
provides action, like a biker gang that picks the PC's car as a target
while they are on the way to do the shadowrun. Or, a last minute shift
change at the target lab because one of the security guards got sick, and
the fill-in guy has his own way of doing things.

--
To Life,
-Graht
ShadowRN Assistant Fearless Leader II
http://www.graht.com
Message no. 5
From: joe_dark@**************.com (Joe Dark)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 10:52:10 -0700
Mike Amos wrote:

>I've been reading The Art of Deception by Kevin Mitnick. Although I'm a bit
>concerned about the moral implications of the book (it's a bit more of a how
>to and less of a security guide).
>
I find that there is little difference between the two. In fact, guides
that tell you how to are far more useful in prevention because it allows
you to understand _what_ it is you're preventing and all of its
implications.

>
>
Message no. 6
From: mamos@*****.com (Mike Amos)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 10:57:33 -0700
>I find that there is little difference between the two. In fact, guides
>that tell you how to are far more useful in prevention because it allows
>you to understand _what_ it is you're preventing and all of its
>implications.

Well, I kind of agree. This is true of most things. The basic feeling I get
from this book is that. The problem I have as I'm reading this is that I'm
not sure you could stop being vulnerable to these attacks without seriously
disrupting the flow of business. It brings to mind one of my favorite
adages, "You can only keep a secret between two people, if one of them is
dead".

I'm only about half way through and the last section is the section on how
to teach a class on the topic, so I may be judging too early. But, at this
point I feel I have learned a lot more about how I could social engineer
into almost anything with a little practice than how to stop it.
Message no. 7
From: mancini@******.com (Steve Mancini)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 10:17:18 -0800 (PST)
>
> I've been reading The Art of Deception by Kevin Mitnick. Although I'm a bit
> concerned about the moral implications of the book (it's a bit more of a how
> to and less of a security guide).

I would not be too worried. In real life, I am a "white hat"
for a major corporation and among my peers, and even many in
the community, Mitnick is the poster child for incompetence -
he got caught. While social engineering is still a viable
solution against the naive, its lifespan is dwindling. He
was roasted nicely at last year's RSA conference - for those
wanting to know more I would direct you to the conf notes.

> It provides an interesting read and a
> wonderful companion to any face character for shadowrun. I keep hearing
> everyone talk about how much they want, but what would you do if you had an
> adept social engineer like Mitnick in your campaign?

Maybe I have been in the business too long, but I just presumed
this would be in any good decker's arsenal, to a degree. One needs
to keep in mind the timeframe. Without getting on a soapbox or
anything, in my world, true passwords are obsolete. I'd have
systems locked with passwords someplace I used a tumbler lock.

Even now, you can acquire biometric readers pretty cheap - plus
you also have securid cards which incorporate 2 of the 3 methods
of authentication. (Knowledge/Possession).

We have biometrics, secure id cards, encrypted streams, session
keys, onetime passwords - all of these rapidly diminish the return
of social engineering in the sense of Mitnick's heyday.

Social engineering, in my world, has assumed the role of helping
runners gain entrance in the physical world - it doesn't get
them passwords any longer. It gets them identifications to forge,
data to use in a fast talk roll against a rent-a-cop, etc.

And in the end, you can't schmooze black ice. :)

-Da Minotaur
Message no. 8
From: mamos@*****.com (Mike Amos)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 11:20:41 -0700
>I would not be too worried. In real life, I am a "white hat"
>for a major corporation and among my peers, and even many in
>the community, Mitnick is the poster child for incompetence -
>he got caught. While social engineering is still a viable
>solution against the naive, its lifespan is dwindling. He
>was roasted nicely at last year's RSA conference - for those
>wanting to know more I would direct you to the conf notes.

hmm, this would be very interesting. I will have to seek those out

>And in the end, you can't schmooze black ice. :)

But, I would want to be the GM in a game where someone tried
Message no. 9
From: trunks@********.org (kawaii)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 13:58:30 -0500
From: "Phillip Gawlowski" <cmd_jackryan@***.de>
Sent: Friday, January 31, 2003 10:18


>
> And, to be honest, a runner like that would take all the fun out of the
> game. A Decker who gets the proper passwords? Come on, that's not
> very interesting for the player nor the GM: "Ah, yes, you detected several
> black ICE, but they ignore you, because you have the right ID." Doesn't
> sound interesting, does it?
> And if the team won't run into difficulties involving fire fights, how does
> a GM
> kill them legally?
>

Isn't that what the validate command for deckers does? Give you the right
password (if temporarily)?

If they can get the right password legally, more power to them, I say.

> --
> Phillip Gawlowski
> GameMaster and GeneralIdiot

Ever lovable and always scrappy,
kawaii

Julius Caesar extinguished himself on the battlefields of Gaul. The Ides of
March murdered him because they thought he was going to be made king. Dying,
he gasped out: "Tee hee, Brutus."
Message no. 10
From: JSB@**************.net (JS Bracher)
Subject: Meet your new runner, Kevin Mitnick
Date: Fri, 31 Jan 2003 12:03:46 -0800
At 10:57 AM 1/31/2003 -0700, Mike Amos wrote:
> >I find that there is little difference between the two. In fact, guides
> >that tell you how to are far more useful in prevention because it allows
> >you to understand _what_ it is you're preventing and all of its
> >implications.
>
>Well, I kind of agree. This is true of most things. The basic feeling I get
>from this book is that. The problem I have as I'm reading this is that I'm
>not sure you could stop being vulnerable to these attacks without seriously
>disrupting the flow of business. It brings to mind one of my favorite
>adages, "You can only keep a secret between two people, if one of them is
>dead".
>
>I'm only about half way through and the last section is the section on how
>to teach a class on the topic, so I may be judging too early. But, at this
>point I feel I have learned a lot more about how I could social engineer
>into almost anything with a little practice than how to stop it.

The book is very useful for defending against social engineering, and less
helpful for learning to make those attacks. The most important thing to
learn is to check the situation out before helping "some fellow employee on
the phone". Along with some warnings about the vulnerability of on-line
company directories and other means of identity verification. There are
other points to learn, too, but that is the big one. Most people don't
bother, and want to be helpful, to be a good "team player", etc.

The book is not all that helpful for making social engineering
attacks. It's one thing to know what to do, and another to have the
skills/abilities to do it. Mitnick comes off as being -very- smooth on the
phone, and very quick to adjust his manipulations to the responses he
gets. Most of us are just not that smooth. I've heard recordings of
myself on the phone, and seen video of me. I don't even convince myself
and I know how honest I am ;).

You want to know the difference- read the book, then record yourself trying
to "play" a friend. You'll be amazed. And appalled.

That said, the book is fun. Most of the stories get pretty similar, but
it's still very enjoyable. And I love how he showed how 3
innocent-sounding requests can add up to major security breaches.

As for the game implications, this book is not just useful for
players. GM's should read it too, and use what they learn for evilness. A
"friend" of a player calls, and has a very innocent request. The players
are hired to help security for something, and get an incentive bonus if
they are good team players and really help the clients in this fast-paced
and busy time. Building security for their up-scale condo calls, with a
very innocent message about building upgrades and new ID verification
systems; and just needs to verify their ID with a few simple questions... ;)
Message no. 11
From: sf_fuller@********.com.au (Simon & Fiona)
Subject: Meet your new runner, Kevin Mitnick
Date: Sat, 1 Feb 2003 11:18:41 +1100
----- Original Message -----
From: Mike Amos <mamos@*****.com>
To: 'Shadowrun Discussion' <shadowrn@*****.dumpshock.com>
Sent: Saturday, February 01, 2003 2:04 AM
Subject: Meet your new runner, Kevin Mitnick


>How would you deal with the
> conflict between the other players and this guy when they really want to
> shoot something, but end up just sitting in their hideout counting their
> earnings?
> Just seemed like an interesting problem. Thanks.

Shadowrun has these guys already. They're not called social engineers
though, they're called fixers. If shadowrunners are called in, you can
pretty much guarantee the time for this guy's specialty has passed. What's
more, what fixer would help to employ a potential rival? Unless it was an
apprenticeship . . .

Disclaimer

These messages were posted a long time ago on a mailing list far, far away. The copyright to their contents probably lies with the original authors of the individual messages, but since they were published in an electronic forum that anyone could subscribe to, and the logs were available to subscribers and most likely non-subscribers as well, it's felt that re-publishing them here is a kind of public service.