Logs for ShadowRN and Associated Mailing Lists

From:	ceadawg2@***.net (Russ Myrick)
Subject:	Money and ID
Date:	Wed, 20 Nov 2002 00:50:47 -0600

Message no. 1 Guys, this thread has been a riot, so far.

There are a couple of companies, whose primary business is online
transaction services. However, there is available, for certain accounts, a
debit card. At one time one of these companies experimented with support
for transactions between Palm Pilot type devices, but dropped it for lack of
a standardized architecture among the brands/models. This is expected to
change as more companies issue devices like the new Sony Navigator palm
computer (P4 mobile CPU, wireless web, XP, Cellular, color display, built in
web cam).

Back to the debit card. The card carries a major credit card logo just like
the check cards most banks issue now. So, it is widely accepted.....around
20 million personal users and growing.

One thing to consider with the credstiks, fraud. Credit card companies and
banks are losing money big time to it. over 25% in most cases. The
governments are powerless to stop it without major support from the
corporations (we're still talking RL here). Then along comes some new corp.
that has a means of limiting the fraud loses to less than 1/2 that. That
makes their technology very desirable to the transaction industry. It also
makes their tech a ripe peach for the various government treasury
departments. The US is already developing smart card currency based upon
PCMCIA II architecture. I don't know about other countries, but banks,
credit card companies, and other financial/transaction services that are
found to have received/passed on funds resulting from fraud/theft/other
criminal activities are prosecuted under the money laundering laws. With
the current emphasis on terrorism that 15% fraud tech. is very juicy indeed.
Especially when the 2000 major crime report from the FBI estimated that the
dollar amount of illegal/criminal currency transactions accounted for 31% of
all CASH transactions with in the US that year. It becomes obvious that
both the government and the affected corporations/ banks are pushing heavily
for the electronic currency.

Last year, when our local game group presented a "credstik" counter, for use
with the Shadowrun trading card game, at a local minicon, it was confiscated
by the Secret Service on the basis that electronic currency systems are a
"restricted technology". We've since researched this and found that there
are indeed several laws on the the federal level that limit r&d in this area
by the private sector.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.417 / Virus Database: 233 - Release Date: 11/8/2002

From:	pgrosse@********.com (Paul Grosse)
Subject:	Money and ID
Date:	Wed, 20 Nov 2002 11:39:12 -0500

Message no. 2 <snip of header>

> From: Russ Myrick [mailto:ceadawg2@***.net]

<snip>

> Last year, when our local game group presented a "credstik"
> counter, for use
> with the Shadowrun trading card game, at a local minicon, it
> was confiscated
> by the Secret Service on the basis that electronic currency
> systems are a
> "restricted technology". We've since researched this and
> found that there
> are indeed several laws on the the federal level that limit
> r&d in this area
> by the private sector.

</snip>

Kewl, what con? It would be interesting to see any news articles on
it, if it got leaked to the news media. Or if anyone cares about
gaming :)

From:	davidb@****.imcprint.com (Graht)
Subject:	Money and ID
Date:	Wed, 20 Nov 2002 12:06:48 -0700

Message no. 3 At 12:50 AM 11/20/2002 -0600, Russ Myrick wrote:

>Last year, when our local game group presented a "credstik" counter, for use
>with the Shadowrun trading card game, at a local minicon, it was confiscated
>by the Secret Service on the basis that electronic currency systems are a
>"restricted technology". We've since researched this and found that there
>are indeed several laws on the the federal level that limit r&d in this area
>by the private sector.

So... by brainstorming about this, are we in violation of US Federal law? ;)

Here's how I think certified credsticks should work.

Each credstick is effectively a bank account in and of itself with the
ability and rights (granted by the creating Bank) to transfer funds from
itself to other bank accounts (credsticks, cash registers, bank accounts, etc).

A certified credstick is *heavily* encrypted to prevent hackers from
increasing/decreasing the amount in the credstick. Furthermore certified
credsticks have an expiration date, after which any money stored in the
stick cannot be removed until the credstick has been rekeyed by the Bank
that issued it. Certified credsticks also have a hard expiration date
after which they will not be rekeyed (but the issueing Bank can still
remove the money).

In short, once a credstick is purchased from a Bank (with or without a
balance) the Bank doesn't see it again for at least a year (when the
encryption key expires). And there is no way to trace a credstick, because
it doesn't have any identifying characteristic other then the Bank that
issued it.

Can the encryption key be hacked? Given enough computing power (a *lot*)
and a considerable amount of genius and time, yes. By a player
character? Not if I'm the GM. If someone did, the consequences would be
dire, as *everyone* (every corporation, government, and criminal
organization) would come down on the person(s) who cracked the
encryption. When the economy is threatened, everyone gets pissed. See the
movie Sneakers for some insight on this.

--
To Life,
-Graht
ShadowRN Assistant Fearless Leader II
http://www.graht.com

From:	ceadawg2@***.net (Russ Myrick)
Subject:	Money and ID
Date:	Wed, 20 Nov 2002 13:24:45 -0600

Message no. 4 >Kewl, what con? It would be interesting to see any news articles on
>it, if it got leaked to the news media. Or if anyone cares about
>gaming :)

KongCon, Omaha, NE. It was at the Holiday Inn just off I80.
I've never seen anything on it in the news here.

As big a flop as it was I doubt that this particular con will be repeated;
there's been no mention of any upcoming cons by that name, nor any in the
same time frame as GenCon like it was last year.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.417 / Virus Database: 233 - Release Date: 11/8/2002

From:	iridios@********.net (Iridios)
Subject:	Money and ID
Date:	Wed, 20 Nov 2002 20:00:48 -0500

Message no. 5 Russ Myrick wrote:

>
> Last year, when our local game group presented a "credstik" counter, for
use
> with the Shadowrun trading card game, at a local minicon, it was confiscated
> by the Secret Service on the basis that electronic currency systems are a
> "restricted technology". We've since researched this and found that there
> are indeed several laws on the the federal level that limit r&d in this area
> by the private sector.

What I'd like to know is how the Secret Service found out about your
"credstik"? Was it advertised before the con started?

--
Iridios
--
Good manners do not excuse criminal behavior.
------------------------------------------------------
GCC0.3: y69>?.us[PA] G89 SCP/F/PA:@@[SR] B+>++ f@* RR rm= rr+ l- m=>-
w--->= s=>*:= GM+:+(=):=[PF] h= p!>+ LA= mf+ W+ C--(+) CG- OG+ F= c->= K=(?)
------------------------------------------------------
Selections from the diary of an AOL user.

August 7 Why have a Caps Lock key if you're not suppose to use
it? Its probably an extra feature that costs more money.

From:	ceadawg2@***.net (Russ Myrick)
Subject:	Money and ID
Date:	Wed, 20 Nov 2002 22:03:54 -0600

Message no. 6 >What I'd like to know is how the Secret Service found out about your
>"credstik"? Was it advertised before the con started?

yep, on the fliers that were posted at the various bookstores, game shops,
and on a few lamp posts
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.417 / Virus Database: 233 - Release Date: 11/8/2002

From:	jzealey@***.edu.au (James Zealey)
Subject:	Money and ID
Date:	Fri, 22 Nov 2002 09:19:13 +1100

Message no. 7 >
> Can the encryption key be hacked? Given enough computing power (a
> *lot*) and a considerable amount of genius and time, yes. By a player
> character? Not if I'm the GM. If someone did, the consequences would
> be dire, as *everyone* (every corporation, government, and criminal
> organization) would come down on the person(s) who cracked the
> encryption. When the economy is threatened, everyone gets pissed. See
> the movie Sneakers for some insight on this.
>
>

If the credstick-to-credstick process is an exchange of information,
this becomes far less of a problem. When both credsticks are slotted,
over whatever period of time, and their transaction records checked, if
your credstick says my credstick gave it 500NY, and my credstick has no
record of the transaction, then chances are someone's going to come
knocking on our doors to find out what's up.

Combine that with some form of one-time-pad (ie - the bank distributes
the credstick with it's own semi-unique OTP, and the exchanged
information is encrypted using it), probably combined with a bit of
wheat-and-chaff and you have a system where unless someone has (or once
had) BOTH the giving and recieving sticks, it's not possible for them to
have to OTPs for both of them. So essentially the only guy who can rip
you off is someone who gave you the credstick in the first place. And
even then, you would assume that the OTP could (and would) be changed
every time you headed into the bank.

Then you go a step further - whenever a stick is 'charged', it has an
extra database on it which is updated, full of numbers of sticks which
have been branded as faked or tampered with. An interaction with a stick
branded as tampered causes the tampered stick to wipe itself clean, or
otherwise brand itself as inactive, forcing the user to come into the bank.

SR computer tech seems to be sufficiently advanced that the storage
requirements for this sort of thing would be quite minimal.

The only type of fraud that would be possible under this system would be
a) 'borrowing' money from another stick, one that you've already
tampered with, then quickly moving the money to some third party
(spending it or something like that).
b) Maliciously getting other peoples sticks cancelled through deliberate
bogus records. Again this would only be possible if you had
deconstructed the targets stick at some point.

I suppose that some party could circulate a large quantity of bogus
sticks which they had the keys to, then simultaeneously 'borrow' a lot
of cash from them, and thereby make quite a bit of money, at least in
the short term. Of course if one of the users took the stick into the
bank a bit early, the gig would more-or-less be up. Banks would probably
issue recommendations that any unknown stick should be checked in with
them ASAP to prevent this kind of thing.

From:	loneeagle@********.co.uk (Lone Eagle)
Subject:	Money and ID
Date:	Fri, 22 Nov 2002 17:43:05 +0000

Message no. 8 At 09:19 AM 22/11/2002 +1100, James wrote:
>Combine that with some form of one-time-pad (ie - the bank distributes the
>credstick with it's own semi-unique OTP, and the exchanged information is
>encrypted using it), probably combined with a bit of wheat-and-chaff <Snip>

The problem with that is that either the stick contains the encryption key
(making them very easy to hack) or they are incapable of communication with
anything which doesn't have the key. A one-time-pad cypher uses two (or
more) identical cypher keys and a different "pad" should be used for every
message, although in practice it's more likely that a "pad" is used for a
set time period (24 hours, one hour...etc). Therefore either the credstick
would either have to carry every pad it would ever have to use and know
when to use it, or the data would have to be written (and could only be
read) by the "person" with the "pads" ie the bank, either in situ or
via a
credstick verification reader connected to a matrix link.

The virtual impossibility of maintaining encryption system (bearing in mind
that the data encryption available in the Street Gear section of SR3 is a
lot less than Scramble IC and is considered reasonable if not SOTA) when
there are people out there running around with Fairlight Excaliburs and
High rating Decrypt utilities is one of the reasons I don't agree that cash
has become obsolete... plus the crash of twenty-nine wiped out electronic
currency there are probably a lot of people out there who remember that and
prefer to put their trust in more physical funds.

--
Lone Eagle
"Hold up lads, I got an idea."

www.wyrmtalk.co.uk - Please be patient, this site is under construction

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d++(---) s++: a->? C++(+) US++ P! L E? W++ N o? K? w+ O! M- V? PS+ PE-()
Y PGP? t+@ 5++ X- R+>+++$>* tv b+++ DI++++ D+ G++ e+ h r* y+>+++++
-----END GEEK CODE BLOCK-----

GCC0.2: y75>?.uk[NN] G87 S@:@@[SR] B+++ f+ RM(RR) rm++ rr++ l++(--) m- w
s+(+++) GM+++(-) A GS+(-) h++ LA+++ CG--- F c+

"Yes Kate, I want you to become a prostitute."
Blackadder II (Bells)

From:	korishinzo@*****.com (Ice Heart)
Subject:	Money and ID
Date:	Fri, 22 Nov 2002 13:17:51 -0800 (PST)

Message no. 9 [SNIP good arguments]

Everyone has posted very valid threads about why, by
todays standards and today's culteral outlook,
bills/coins would be preferred to electronic currency.
I've put forth my own arguments to support my take.

Now I am going to take a different angle on this
debate.

The people who wrote the SR system said, in effect,
"cash is no more, certified cred replaced it". IMO,
the challenge then is not to rewrite their world, but
to make it work. So I put my energy toward finding
ways to make certified credit function in 20xx just as
bills/coins function today. After all, we accepted
that the standard of datastorage was a Mega-"pulse".
The explanation for how much space a Megapulse is
something like "blah seconds of full simsense data".
By now, all of you (or most) have had the computer
science guru in the group say something like, "How
many Mp for a text file?", or "So how much of that is
the emotional information?"

I doubt we are going to agree to a single unified
interpretation of credsticks any more than we did to
the effects of Invis. spells on doors or walls. This
thread started because I posted some SIN building
rules that stated certified cred was equal to cash.
Is there any feed back on those? I have not really
examined them closely for updates to SR3, nor have I
used them in a long time (no one in my last campaign
tried to make or use a fake ID). So, I am really
looking for some feedback so I can go make Version 2.

======Korishinzo
--paid for by the Friends of Electonic Currency, using
a mix of UCAS dollars, Aztlan pesos, CAS coinage,
ECU's, and Monopoly money (none of the suits could
tell the difference at the time) ;p

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus � Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

From:	loneeagle@********.co.uk (Lone Eagle)
Subject:	Money and ID
Date:	Sat, 23 Nov 2002 00:08:56 +0000

Message no. 10 At 01:17 PM 22/11/2002 -0800, Kori wrote:
>The people who wrote the SR system said, in effect,
>"cash is no more, certified cred replaced it". IMO,
>the challenge then is not to rewrite their world, but
>to make it work. So I put my energy toward finding
>ways to make certified credit function in 20xx just as
>bills/coins function today. <Snip>

True enough. I suppose then I really ought to have everyone take the cash
off their character sheets. Replace it with gold ("ingots" rather than
jewelry) and diamonds or other precious stones, Some of my players
characters (and mine) are rather paranoid about tracability and frequently
demand payment in manners which "inconvenience" the Johnson (a small bundle
of credsticks could easily contain a bug, or be painted with a radioactive
isotope or a unique scent or whatever... (Our other GM had to come up with
a price for a Black light (UV lamp) so that we could check for UV reactive
inks and stuff.)
Admittedly the gold or the bearer bonds could be painted as well but the
johnson is less likely to have that prepped.
This is not a sarcastic comment by the way, a quick scan back through it
shows me it could be read that way but it isn't.

--
Lone Eagle
"Hold up lads, I got an idea."

www.wyrmtalk.co.uk - Please be patient, this site is under construction

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d++(---) s++: a->? C++(+) US++ P! L E? W++ N o? K? w+ O! M- V? PS+ PE-()
Y PGP? t+@ 5++ X- R+>+++$>* tv b+++ DI++++ D+ G++ e+ h r* y+>+++++
-----END GEEK CODE BLOCK-----

GCC0.2: y75>?.uk[NN] G87 S@:@@[SR] B+++ f+ RM(RR) rm++ rr++ l++(--) m- w
s+(+++) GM+++(-) A GS+(-) h++ LA+++ CG--- F c+

"Yes Kate, I want you to become a prostitute."
Blackadder II (Bells)

From:	jzealey@***.edu.au (James Zealey)
Subject:	Money and ID
Date:	Mon, 25 Nov 2002 09:18:25 +1100

Message no. 11 > From:
> Lone Eagle <loneeagle@********.co.uk>
> Date:
> Fri, 22 Nov 2002 17:43:05 +0000
>
> At 09:19 AM 22/11/2002 +1100, James wrote:
>
>> Combine that with some form of one-time-pad (ie - the bank distributes
>> the credstick with it's own semi-unique OTP, and the exchanged
>> information is encrypted using it), probably combined with a bit of
>> wheat-and-chaff <Snip>
>
>
> The problem with that is that either the stick contains the encryption
> key (making them very easy to hack) or they are incapable of
> communication with anything which doesn't have the key. A one-time-pad
> cypher uses two (or more) identical cypher keys and a different "pad"
> should be used for every message, although in practice it's more likely
> that a "pad" is used for a set time period (24 hours, one hour...etc).
> Therefore either the credstick would either have to carry every pad it
> would ever have to use and know when to use it, or the data would have
> to be written (and could only be read) by the "person" with the
"pads"
> ie the bank, either in situ or via a credstick verification reader
> connected to a matrix link.
>

Actually, my point was that the ENCRYPTED transaction records remain on
the stick, and are only ever decrypted by the bank. The OTP is changed
each time your stick is slotted, and the transaction records it has are
downloaded, decrypted, and then made sense of.

Like I said, it's entirely possible under my system for someone to crack
into their own stick and find out their OTP, but that only lets them
place fake records on other people's sticks. They can't actually gift
themselves with some cash.

The worst case scenario that I can image is that:
Bob is a criminal who has cracked into a stick.
Bob gives Frank the stick.
Bob fakes transactions from Franks stick onto another stick, then spends
the money.
Frank slots his stick, the bank confiscate it and assign Bob's stick a
'kill' flag. They probably also start an investigation into the fraud,
assuming it's worth it.
Bob has to stop using his faked-transaction stick, and Frank probably
turns him in. Bob's next simsense login (detected through the use of the
stick) is redirected to a corp-owned system, where his brain is legally
subjected to some psychotropic black IC, giving him a severe phobia of
credsticks, and effectively turning him into a hobo.

Also note the transaction limits on sticks, which would limit severely
the amount of cash which could be forged in the above case.

> The virtual impossibility of maintaining encryption system (bearing in
> mind that the data encryption available in the Street Gear section of
> SR3 is a lot less than Scramble IC and is considered reasonable if not
> SOTA) when there are people out there running around with Fairlight
> Excaliburs and High rating Decrypt utilities is one of the reasons I
> don't agree that cash has become obsolete... plus the crash of
> twenty-nine wiped out electronic currency there are probably a lot of
> people out there who remember that and prefer to put their trust in more
> physical funds.

Note that there are precisely ZERO rules on using a decrypt utility to
do anything EXCEPT defeat scramble IC. It is therefore my personal point
of view that scramble IC is that same sort of level as the average
archive or word-processor-document password, and the decrypt is on the
same sort of level as the average 'password retrieval' utility. In other
words, the software is basically incapable of performing anything except
defeating scramble IC, the very bottom of the heap in terms of
encryption. The only way forward is to use the rules which are present
under the description of encrypt/decrypt hardware.

Which unfortunately means that you need to test (decrypt+electronics) vs
(encryption rating + 4) and get (encryption rating/2) successes. Once
encryption hits a decent level (which is perfectly possible, even when
using codes which have to be two way, have a massive volume of
duplicable data and have to be fast, all worst-case scenarios for
reliable encryption) decryption becomes almost impossible. Playing a
rigger, I have only ever defeated rating 8 encryption once, rolling on
15 dice or so, and using a few points of karma. I would expect that the
bank could afford higher levels of encryption than that.

From:	loneeagle@********.co.uk (Lone Eagle)
Subject:	Money and ID
Date:	Sun, 24 Nov 2002 23:00:57 +0000

Message no. 12 At 09:18 AM 25/11/2002 +1100, James wrote:
>Note that there are precisely ZERO rules on using a decrypt utility to do
>anything EXCEPT defeat scramble IC.

Sorry, but to quote SR3 Page 292, Data Encryption:
"The software that performs the data encryption is a variant of Scramble
IC. Such encryption may be decrypted by a decker using a Decrypt utility or
by someone with a data code-breaker system (which contains a dumb program
frame of the Decrypt utility)."

A password finder doesn't take up umpteen MP of optical memory :-)

--
Lone Eagle
"Hold up lads, I got an idea."

www.wyrmtalk.co.uk - Please be patient, this site is under construction

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d++(---) s++: a->? C++(+) US++ P! L E? W++ N o? K? w+ O! M- V? PS+ PE-()
Y PGP? t+@ 5++ X- R+>+++$>* tv b+++ DI++++ D+ G++ e+ h r* y+>+++++
-----END GEEK CODE BLOCK-----

GCC0.2: y75>?.uk[NN] G87 S@:@@[SR] B+++ f+ RM(RR) rm++ rr++ l++(--) m- w
s+(+++) GM+++(-) A GS+(-) h++ LA+++ CG--- F c+

"Yes Kate, I want you to become a prostitute."
Blackadder II (Bells)

From:	jzealey@***.edu.au (James Zealey)
Subject:	Money and ID
Date:	Mon, 25 Nov 2002 10:47:10 +1100

Message no. 13 > From:
> Mike Amos <mamos@*****.com>
> Date:
> Fri, 22 Nov 2002 14:26:19 -0700
>
> Now you have a tamper resistant stick (don't want to screw up the beads by
> truing to install a different kind of data jack, or trying to crack the case
> to get at the actual data storage unit inside the stick) and well encrypted,
> but portable through asymmetrical encryption, including a signature key.
> This makes the transactions reversible (as I believe they are today) and the
> money handling system overall, safe.

No - actually the stick is only tamper resistant as far as you cannot
interfere with the window containing the beads. Installing another jack
would be perfectly possible, unless a beads/epoxy shell was being used
as casing, and even then, you still have to have SOME form of jack...

Finally, the fact is that while this is more secure than other forms
(the example cited was barcodes, signatures and magnetic strips), it's
not much more secure than the average smart chip. It does rely on a
physical reading of a static physical quantity which is observable, and
despite the fact that the researchers themselves couldn't find a way to
recreate it, it's quite likely to be possible, especially if the
specifications of the readers are known. It's also probably not possible
to use the system at the levels of accuracy that the researchers were
using it, for the simple fact that scratches in the surface of the epoxy
will produce significant artifacts in the readings, not to mention
imperfections in the systems which are reading the codes etc. There is a
vast difference between experimentally reproducable results and workable
commercial solutions.

Finally, there's the fact that in SR, optical technology is
significantly more advanced than in our world.

> Now one for you guys/glass, how would quantum computing impact the world of
> shadowrun as we know it?

From what I've read and understood (which is difficult - quantum
computing researchers seem determined to obscure the actual facts behind
their research), quite a bit or bugger all, depending on the state of
encryption at the time. Quantum computing is a very efficient way for
performing brute-force on an encryption technique (or any other
mathematical problem). That's basically all it can do. The primary use
for brute-force currently is cracking a public-key system. Using quantum
computing to do something requires that you know what the solution is,
and you know what the process in between the question and the solution
is, and you're just missing part of the question. It would be unable to
crack a properly implemented one-time-pad for instance, nor would it be
able to crack a wheat-and-chaff algorithm.

More important is quantum communication technology. It's entirely
possible that, if you have a technique of transmitting individual
photons all the way to their destination, then you can have a system
which cannot be intercepted without the recipient knowing that it has
been intercepted. This would make quantum encryption cracking totally
obsolete, and would require some physical breakthrough in order to crack
the communication. Here's something which gives a basic overview:

http://www.ehto.org/legal/quantumencryption.htm

Currently the technology is valid for short distances. As soon as you
need to have any sort of signal repeater, the technology breaks down,
because the signal repeater would act the same way as any other third
party on the line - it will invalidate 50% of the data, and will be
unable to reproduce it. It is possible that a secure line could be built
out of multiple secure links, but then an attacker would simply attack
the secure link station, rather than the uncontrollable intermediate line.

From:	jzealey@***.edu.au (James Zealey)
Subject:	Money and ID
Date:	Wed, 27 Nov 2002 08:56:06 +1100

Message no. 14 > From:
> Lone Eagle <loneeagle@********.co.uk>
> Date:
> Sun, 24 Nov 2002 23:00:57 +0000
>
>
> At 09:18 AM 25/11/2002 +1100, James wrote:
>
>> Note that there are precisely ZERO rules on using a decrypt utility to
>> do anything EXCEPT defeat scramble IC.
>
>
> Sorry, but to quote SR3 Page 292, Data Encryption:
> "The software that performs the data encryption is a variant of Scramble
> IC. Such encryption may be decrypted by a decker using a Decrypt utility
> or by someone with a data code-breaker system (which contains a dumb
> program frame of the Decrypt utility)."
>
> A password finder doesn't take up umpteen MP of optical memory :-)
>
Neither should a text editor, but tell that to Microsoft :)

Conversely any encryption who's uncrackable life was measured in seconds
wouldn't be in use anymore.

I didn't remember that part of the book. Interesting to know in the future.

But doesn't that section of the book also use the resolution system I
gave earlier (ie - decrypt + computer vs encrypt + 4, encrypt/2
successes required)?

From:	gte138j@****.gatech.edu (Jeff Stewart)
Subject:	Money and ID
Date:	Tue, 26 Nov 2002 18:06:16 -0500 (EST)

Message no. 15 On Wed, 27 Nov 2002, James Zealey wrote:

> Conversely any encryption who's uncrackable life was measured in seconds
> wouldn't be in use anymore.
>
> I didn't remember that part of the book. Interesting to know in the future.
>
> But doesn't that section of the book also use the resolution system I
> gave earlier (ie - decrypt + computer vs encrypt + 4, encrypt/2
> successes required)?

Let me ask this simple question:

Why does the credstick have to be encrypted?

With a proper transaction history attached to every transaction made
to and from a credstick, you wouldn't need encryption. Everything is
verifiable. Take this for example:

Joe walks into a bank. He gets a credstick with a SIN on it and the
bank puts 1,000 nuyen onto the stick. Along with that 1,000 nuyen, the
bank puts information that states: "THIS BANK PUT 1,000 NUYEN ON JOE'S
CREDSTICK".

Joe then walks out onto the street and meets Sally. Joe gives Sally
500 nuyen (He's such a nice guy). So, Joe and Sally attach credsticks
and make a transaction. When that 500 nuyen goes to Sally's credstick,
it carries a message that says, "JOE PUT 500 NUYEN ON SALLY'S
CREDSTICK THAT CAME FROM 1,000 NUYEN THAT THE BANK PUT ON JOE'S
CREDSTICK".

Joe and Sally go on and on giving out money to all the nice people
they meet. Eventually, these nice people go back to the bank to
deposit the cred on their credsticks. Part of this is a verification
phase where the bank tracks down each and every piece of nuyen that
was moved via those sticks. Since the verification is entirely one
handed (Only the bank controls the actual flow of real money), no one
can generate money. If a transaction does not have a proper flow, the
bank cancels the transaction and tells the person, "Sorry, that cred
on your credstick isn't worth anything."

With certified credsticks, this would happen the same way. Each
certified credstick carries an identifier saying who issued it and how
much it had on it.

Even if I could hack a credstick, it would be useless unless I set up
a very intricate trail of financial transactions leading back to some
credit issuer. I might as well hack the banks themselves then bother
trying this! Also, if I hack a credstick, I run a risk of destroying
the cred on that stick and making it worthless. Not a very good idea
to me.

Now, this does present a very good idea for people of an unscrupulous
nature. Because the verification doesn't actually happen until someone
slots a credstick to a reader hooked to the Matrix, I could have a
fake credstick that I use to slot cred to all those unfortunate slots
that don't have a reader. Because my transaction is not immediately
verifiable, I can temporarily get away with making someone think I
gave them 200,000 nuyen when I actually didn't give them squat.

Of course, when that person goes to verify his stick and finds that
the cred on it isn't real, he's most likely going to come and do
particularly nasty things to me.

So, my take on this is that a credstick is certainly hackable. The
only problem is that you can't so easily hack the transaction history
because it all goes back to the issuers of credit (Banks, megacorps,
nations, etc.). Because of this, hacking a credstick can only provide
you with short term gains against people that don't have a Matrix link
(...Which would be the people in Siberia) and a credstick reader of
some sort (Considering that phones in the UCAS count as both credstick
readers and Matrix links, I'd suspect that this type of fraud is hard
to get away with for long).

Jeff Stewart |
Email: gte138j@****.gatech.edu | Post no bills

From:	mamos@*****.com (Mike Amos)
Subject:	Money and ID
Date:	Tue, 26 Nov 2002 16:52:01 -0700

Message no. 16 >Why does the credstick have to be encrypted?

I wish I could agree with you, but I would argue there needs to be some form
of encryption.
First, Corruption of data. If any kid over twelve could hack his, or more
importantly his mom and dad's, crestik then most likely they will. Or at
least several of them will. So now you have maybe 40 or 50 percent of the
population able to hack it, and maybe 10 or 15 percent of them willing to.
So you have at least 10 percent of your data corrupted. Now you have a full
time staff to go through more tricky discrepancies and try to figure out how
screwed whom. This is really a fairly minor problem and would come under
control soon.
The bigger problem comes when I get a certified credits and hack it. I use
that fake money to buy lots of crap, probably from street vendors. Now you
have plain, honest street vendors getting their cred rejected, going out of
business. Then turn around and sell the items as my own, as street vendor,
or just take the item as free, since I didn't actually spend any red on it.
Further as you and I know once someone takes a little money, they usually
want more. Thus you have quite a few fake new yen circulating the streets
driving down the value of new yen. Economics 101, this is not good.
For those reasons I feel it should be encrypted.

From:	pentaj2@****.edu (Penta John C)
Subject:	Money and ID
Date:	Tue, 26 Nov 2002 19:03:36 -0500

Message no. 17 ----- Original Message -----
From: Mike Amos <mamos@*****.com>
Date: Tuesday, November 26, 2002 6:52 pm
Subject: RE: Money and ID

> Further as you and I know once someone takes a little money, they
> usuallywant more. Thus you have quite a few fake new yen
> circulating the streets
> driving down the value of new yen. Economics 101, this is not good.
> For those reasons I feel it should be encrypted.

Also, given that credsticks act basically as cash in many
circumstances, governments are going to insist they be encrypted, for
the same reasons as they prevent the counterfeiting of money.

From:	iridios@********.net (Iridios)
Subject:	Money and ID
Date:	Tue, 26 Nov 2002 20:12:30 -0500

Message no. 18 Jeff Stewart wrote:
> On Wed, 27 Nov 2002, James Zealey wrote:
>
>
>>Conversely any encryption who's uncrackable life was measured in seconds
>>wouldn't be in use anymore.
>>
>>I didn't remember that part of the book. Interesting to know in the future.
>>
>>But doesn't that section of the book also use the resolution system I
>>gave earlier (ie - decrypt + computer vs encrypt + 4, encrypt/2
>>successes required)?
>
>
> Let me ask this simple question:
>
> Why does the credstick have to be encrypted?
>
> With a proper transaction history attached to every transaction made
> to and from a credstick, you wouldn't need encryption. Everything is
> verifiable. Take this for example:

Credsticks also serve as ID in most cases. I'd say they serve as ID
long before any significant amount of financial transactions go through
it. Probably used as school ID starting back in Junior High (if not
earlier). Hacking the identity would make all of Joe's transactions now
appear to be Frankie's.

>
> Joe walks into a bank. He gets a credstick with a SIN on it and the
> bank puts 1,000 nuyen onto the stick. Along with that 1,000 nuyen, the
> bank puts information that states: "THIS BANK PUT 1,000 NUYEN ON JOE'S
> CREDSTICK".
>
> Joe then walks out onto the street and meets Sally. Joe gives Sally
> 500 nuyen (He's such a nice guy). So, Joe and Sally attach credsticks
> and make a transaction. When that 500 nuyen goes to Sally's credstick,
> it carries a message that says, "JOE PUT 500 NUYEN ON SALLY'S
> CREDSTICK THAT CAME FROM 1,000 NUYEN THAT THE BANK PUT ON JOE'S
> CREDSTICK".

Another point this is two transactions out of how many in a normal
user's life? And what if I hack the transaction record to add "THIS
BANK PUT 1,000 NUYEN ON JOE'S CREDSTICK" a few times more, mixed in with
a bunch of real transactions? Does the bank invalidate all the credit?
Including the credit that has already been verified?

Also, as someone else pointed out, if you buy real goods with hacked
credit it cannot be "invalidated" by the bank. And if it were food, no
one can get it back. People will spend money only if they trust it. If
no one can trust the funds a credstick, no one will use them. The banks
will feel the pinch in the loss of service fees. That would be in the
billions of nuyen. They'll encrypt it to make the masses feel good,
even if some smart hacker has figured out how to crack the encryption.

>
> So, my take on this is that a credstick is certainly hackable. The
> only problem is that you can't so easily hack the transaction history
> because it all goes back to the issuers of credit (Banks, megacorps,
> nations, etc.). Because of this, hacking a credstick can only provide
> you with short term gains against people that don't have a Matrix link
> (...Which would be the people in Siberia) and a credstick reader of
> some sort (Considering that phones in the UCAS count as both credstick
> readers and Matrix links, I'd suspect that this type of fraud is hard
> to get away with for long).

You are assuming that the public at large will be vigilant about forgery
(hacked credsticks). They aren't now about paper money, why should they
be in the future. One of the benefits of a secure and trustable
currency is the conveniance of using it without having to check it.
This applies mostly to person-to-person transaction, but can include
smaller businesses. Anyone who hacks their credstick won't be going
anywhere they can instantly verify it's authenticity. And their victims
may be of the type to also avoid those situations.

--
Iridios
--
Good manners do not excuse criminal behavior.
------------------------------------------------------
GCC0.3: y69>?.us[PA] G89 SCP/F/PA:@@[SR] B+>++ f@* RR rm= rr+ l- m=>-
w--->= s=>*:= GM+:+(=):=[PF] h= p!>+ LA= mf+ W+ C--(+) CG- OG+ F= c->= K=(?)
------------------------------------------------------
Selections from the diary of an AOL user.

August 13 I sent another post to every usenet group on the
Internet asking where the ftp.netcom.com is. I had forgot
yesterday to include my new signature file which is only 8 pages
long. I know everyone will want to read my favorite poem so I
included it. I'm also going to add that short story I like.

From:	SteveG@***********.co.za (Steve Garrard)
Subject:	Money and ID
Date:	Wed, 27 Nov 2002 08:30:41 +0200

Message no. 19 Has nobody here heard of current smartcard/e-purse technology? This thread
is very interesting from an academic point of view, but the fact is that I
don't believe banks in 2060 would treat credsticks the way you are all
discussing.

Read my post from a few days ago under "RE: (no subject)" if you're
interested in another view point.

Slayer

"Beware my wrath, for you are crunchy and taste good with ketchup."
- Unknown Dragon

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From:	Gurth@******.nl (Gurth)
Subject:	Money and ID
Date:	Wed, 27 Nov 2002 11:18:13 +0100

Message no. 20 According to James Zealey, on Tue, 26 Nov 2002 the word on the street was...

> Neither should a text editor, but tell that to Microsoft :)

You've never installed Emacs, have you? :)

> Conversely any encryption who's uncrackable life was measured in seconds
> wouldn't be in use anymore.

Not for anything remotely important, anyway.

> But doesn't that section of the book also use the resolution system I
> gave earlier (ie - decrypt + computer vs encrypt + 4, encrypt/2
> successes required)?

The only thing that comes close, AFAIK, is the system for cracking
encryption on broadcasts, on page 289, SR3: decryption rating (with
Electronic Warfare skill as complimentary dice) against encryption rating
+4, needing (encryption / 2) successes.

--
Gurth@******.nl - http://www.xs4all.nl/~gurth/index.html
I know all this and more
-> Probably NAGEE Editor * ShadowRN GridSec * Triangle Virtuoso <-
-> The Plastic Warriors Page: http://plastic.dumpshock.com <-

GC3.12: GAT/! d- s:- !a>? C++(---) UL+ P(+) L++ E W--(++) N o? K w(--)
O V? PS+ PE@ Y PGP- t- 5++ X(+) R+++$ tv+(++) b++@ DI- D+ G+ e h! !r y?
Incubated into the First Church of the Sqooshy Ball, 21-05-1998

From:	Shannon@*****.co.za (Shannon Buys)
Subject:	Money and ID
Date:	Thu, 28 Nov 2002 15:59:59 +0200

Message no. 21 I jumped onto this thread a bit late and had to try catch up on all the
mails while no one was looking over my shoulder in the office.

I've just started reading "House of the sun" and in it, when Dirk gets paid,
he immediately goes home to his telecom and slots the credstick to "verify"
the transaction. I assume from this that even though a credstick only
records the details of a transaction and tracks how much cash is in a bank
account, cash put onto it isn't a "sure thing" untill it's slotted somewhere
that can connect to the bank and verify the transaction. Thus, the funds are
in limbo untill BOTH parties have slotted sticks where the bank can verify
it.

Fixed credreaders like in restaurants and any other fixed establishment
connected to the matrix will immediately verify their side of all
transactions still queued on the credstick as well as deducting their own
transaction.

?????

Lastly, in the book Wolf and Raven, Wolfgang pays for some drinks in a bar
with 'corp script' In my games, corps have the right to issue their own
cash scripts/bills, it's up to any place to accept it or not, however most
do, as long as it's not in large ammounts. Paying for a drink is ok, buying
a car, uuh no.

From:	powbr323@*******.otago.ac.nz (Bryan Pow)
Subject:	Money and ID
Date:	Fri, 29 Nov 2002 15:33:01 +1300 (NZDT)

Message no. 22 > when Dirk gets
> paid,
> he immediately goes home to his telecom and slots the credstick to
> "verify"
> the transaction. I assume from this that even though a credstick only
> records the details of a transaction and tracks how much cash is in a bank
> account, cash put onto it isn't a "sure thing" untill it's slotted
> somewhere
> that can connect to the bank and verify the transaction. Thus, the funds are
> in limbo untill BOTH parties have slotted sticks where the bank can verify
> it.

To me, a personal (Non-Certified) credstick, operates pretty much exactly as an
EFTPOS card does. I'm not sure what the American equivilant is as I've heard
they tend to use Credit Cards instead. The difference between a credstick and
and EFPOS card is mainly in the extra information that can be accessed from a
Credstick. Basically the credstick holds a few details that may need to be
accessed by people without matrix connections immediately handy (Lonestar) but
otherwise it just has his SIN number and a few numbers attached to his account,
so that without a matrix connection the information is inaccessable.
But what about money transfers?
Well thats where the rating of the Credstick comes in, such as Gold, Platinum,
etc. as mentioned in the main book. The colour of the credstick being how much
money you can transfer at once. This would include tranfers from stick to stick
that do not involve a matrix access. These would be like writing a cheque, so
until its verified, the money is still in the first persons account. Whwn the
second person slots his stick, the cheque is cashed, and he gets the money,
though there may be a waiting period like their is for some cheques, probably
defined by the amount of money and the type of account. It would most likely not
be possible for that person to then give the money to someone else until he has
verified the transfer via the matrix, just like you can't hand a cheque signed
to you to someone else.
Certified Credsticks could work in one of two ways. Either as a cheque signed
for cash, so that it can be handed to anyone. They then need matrix access to
get the cash, but anyone holding the stick can do so. If they put it straight
into their own account then there will be a record of this (This can be found
via the Matrix like in Never Deal with a Dragon). The other way is for the
certified credstick to be like a money order, or straight cash. This would mean
that it can be spent straight away by anyone, and there will be no record if you
put it into your own account. I tend to prefer the first way as the banks have
more control, and forgery is less likely.
Also encryption and so forth need not be as huge, as the sticks are generally
jusr pointers to information stored on the matrix (Behind all kinds of IC
nastiness.)

From:	powbr323@*******.otago.ac.nz (Bryan Pow)
Subject:	Money and ID
Date:	Fri, 29 Nov 2002 15:33:01 +1300 (NZDT)

Message no. 23 > when Dirk gets
> paid,
> he immediately goes home to his telecom and slots the credstick to
> "verify"
> the transaction. I assume from this that even though a credstick only
> records the details of a transaction and tracks how much cash is in a bank
> account, cash put onto it isn't a "sure thing" untill it's slotted
> somewhere
> that can connect to the bank and verify the transaction. Thus, the funds are
> in limbo untill BOTH parties have slotted sticks where the bank can verify
> it.

To me, a personal (Non-Certified) credstick, operates pretty much exactly as an
EFTPOS card does. I'm not sure what the American equivilant is as I've heard
they tend to use Credit Cards instead. The difference between a credstick and
and EFPOS card is mainly in the extra information that can be accessed from a
Credstick. Basically the credstick holds a few details that may need to be
accessed by people without matrix connections immediately handy (Lonestar) but
otherwise it just has his SIN number and a few numbers attached to his account,
so that without a matrix connection the information is inaccessable.
But what about money transfers?
Well thats where the rating of the Credstick comes in, such as Gold, Platinum,
etc. as mentioned in the main book. The colour of the credstick being how much
money you can transfer at once. This would include tranfers from stick to stick
that do not involve a matrix access. These would be like writing a cheque, so
until its verified, the money is still in the first persons account. Whwn the
second person slots his stick, the cheque is cashed, and he gets the money,
though there may be a waiting period like their is for some cheques, probably
defined by the amount of money and the type of account. It would most likely not
be possible for that person to then give the money to someone else until he has
verified the transfer via the matrix, just like you can't hand a cheque signed
to you to someone else.
Certified Credsticks could work in one of two ways. Either as a cheque signed
for cash, so that it can be handed to anyone. They then need matrix access to
get the cash, but anyone holding the stick can do so. If they put it straight
into their own account then there will be a record of this (This can be found
via the Matrix like in Never Deal with a Dragon). The other way is for the
certified credstick to be like a money order, or straight cash. This would mean
that it can be spent straight away by anyone, and there will be no record if you
put it into your own account. I tend to prefer the first way as the banks have
more control, and forgery is less likely.
Also encryption and so forth need not be as huge, as the sticks are generally
jusr pointers to information stored on the matrix (Behind all kinds of IC
nastiness.)

From:	davidb@****.imcprint.com (Graht)
Subject:	Money and ID
Date:	Mon, 02 Dec 2002 08:43:52 -0700

Message no. 24 At 03:59 PM 11/28/2002 +0200, Shannon Buys wrote:
>I jumped onto this thread a bit late and had to try catch up on all the
>mails while no one was looking over my shoulder in the office.
>
>I've just started reading "House of the sun" and in it, when Dirk gets paid,
>he immediately goes home to his telecom and slots the credstick to "verify"
>the transaction. I assume from this that even though a credstick only
>records the details of a transaction and tracks how much cash is in a bank
>account, cash put onto it isn't a "sure thing" untill it's slotted somewhere
>that can connect to the bank and verify the transaction. Thus, the funds are
>in limbo untill BOTH parties have slotted sticks where the bank can verify
>it.
>
>Fixed credreaders like in restaurants and any other fixed establishment
>connected to the matrix will immediately verify their side of all
>transactions still queued on the credstick as well as deducting their own
>transaction.

I'm wondering why credreaders are even required.

What if credsticks have built in transmitters/receivers that communicate
with banks via the bank's private satellite network (or perhaps just via a
satellite phone network). When money is transferred from one credstick to
another, both credsticks call their banks to request the transaction, the
banks approve, and communicate that back to the credsticks. If an owner
wants to know how much cash is available on the credstick, he pushes a
button on the stick, and the stick asks the bank what the balance is. All
of this is done wirelessly, creating the illusion that the credstick does
everything internally but in fact the account is managed by the bank and
funds aren't actually stored on the credstick.

--
To Life,
-Graht
ShadowRN Assistant Fearless Leader II
http://www.graht.com

From:	powbr323@*******.otago.ac.nz (Bryan Pow)
Subject:	Money and ID
Date:	Tue, 03 Dec 2002 13:53:32 +1300 (NZDT)

Message no. 25 Quoting shadowrn-request@*****.dumpshock.com:

> I'm wondering why credreaders are even required.
>
>What if credsticks have built in transmitters/receivers that communicate
>with banks via the bank's private satellite network (or perhaps just via a
>satellite phone network). When money is transferred from one credstick
>to
>another, both credsticks call their banks to request the transaction, the
>banks approve, and communicate that back to the credsticks. If an
owner
>wants to know how much cash is available on the credstick, he pushes
a
>button on the stick, and the stick asks the bank what the balance is. All
>of this is done wirelessly, creating the illusion that the credstick does
>everything internally but in fact the account is managed by the bank and
>funds aren't actually stored on the credstick.

Do credsticks have transmitters in them? If they did then any decent
hacker could find anyone with a normal credstick, just by getting it to
transmit and then triangulating the signal. I've always thought that
credsticks had no transmitting capability at all, otherwise why would there
be card-readers of the various ratings?

From:	SteveG@***********.co.za (Steve Garrard)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 12:13:25 +0200

Message no. 26 Graht wrote:
> [snip]
> I'm wondering why credreaders are even required.
>
> What if credsticks have built in transmitters/receivers that
> communicate
> with banks via the bank's private satellite network (or
> perhaps just via a
> satellite phone network). When money is transferred from one
> credstick to
> another, both credsticks call their banks to request the
> transaction, the
> banks approve, and communicate that back to the credsticks.
> [snip]

Question: how do you guys play credsticks WRT paying your runners? To open a
bank account requires a valid SIN, which most runners do not have. All this
talk about credsticks, encryption, and validating transactions with the bank
assumes both credstick holders to possess valid bank accounts. How do you
guys get around this, or am I missing something?

Slayer

"Beware my wrath, for you are crunchy and taste good with ketchup."
- Unknown Dragon

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From:	korishinzo@*****.com (Ice Heart)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 04:27:01 -0800 (PST)

Message no. 27 > Question: how do you guys play credsticks WRT paying
> your runners? To open a
> bank account requires a valid SIN, which most
> runners do not have. All this
> talk about credsticks, encryption, and validating
> transactions with the bank
> assumes both credstick holders to possess valid bank
> accounts. How do you
> guys get around this, or am I missing something?
>
>
> Slayer

SR3 Main Rule Book, Page 239, which states that
certified credsticks are the 2060's equivalent to cash
or bearer bonds. No bank account, ID, or pulse
required. Electronic cash, traceable only to itself,
for verification purposes.

It seems that there is a vast pool of contention
surrounding this rather core concept of economics in
SR. To the extent that most people flat out ignore
it. Creates some confusion when such people wander
into one of my games. :)

======Korishinzo

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

From:	mjcasav@****.edu (Dr. Michael J. Casavant)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 06:45:32 -0600

Message no. 28 >-----Original Message-----
>From: shadowrn-bounces@*****.dumpshock.com
>
>Question: how do you guys play credsticks WRT paying your
>runners? To open a bank account requires a valid SIN, which
>most runners do not have. All this talk about credsticks,
>encryption, and validating transactions with the bank assumes
>both credstick holders to possess valid bank accounts. How do
>you guys get around this, or am I missing something?

Certified credsticks (pg. 239 main book), cash, services, and/or goods.

Dr. Michael J. Casavant

From:	SteveG@***********.co.za (Steve Garrard)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 14:49:47 +0200

Message no. 29 Ice Heart wrote:
> > Question: how do you guys play credsticks WRT paying
> > your runners? To open a
> > bank account requires a valid SIN, which most
> > runners do not have. All this
> > talk about credsticks, encryption, and validating transactions with
> > the bank assumes both credstick holders to possess valid bank
> > accounts. How do you
> > guys get around this, or am I missing something?
> >
> >
> > Slayer
>
> SR3 Main Rule Book, Page 239, which states that
> certified credsticks are the 2060's equivalent to cash
> or bearer bonds. No bank account, ID, or pulse
> required. Electronic cash, traceable only to itself,
> for verification purposes.
>
> It seems that there is a vast pool of contention
> surrounding this rather core concept of economics in
> SR. To the extent that most people flat out ignore
> it. Creates some confusion when such people wander
> into one of my games. :)

Thank you! This is what I've been saying all along, and nobody seems to have
regarded my posts. As I said, I treat credsticks as electronic cash (see my
post from a week or so ago included below). I was getting so frustrated I
thought maybe everybody thought I was a looney or something and I was
missing some vital piece of the puzzle.

Thanks for the validation.

Previous post follows (let me know if you disagree with any of this, just
for interest's sake):

=============
Captain Canuck wrote:
> [snip]
> The questions I've never given much thought to are whether
> the credstick
> would be used as a pay-as-you-go type top up card where you
> need to fill up
> the stick before use (like many cell/mobile phones), or a much more
> realistic debit stick scenario where you could essentially
> squander the
> entirety of your bank account in one transaction.
> [snip]

If you look at some e-purse technologies that exist today, it would seem
that the former is the popular case. However, I think that there would be
multiple types of credsticks available in 2060 (as there will be multiple
types of smartcards available very soon today), such as e-purse, debit and
credit, although SR3 only lists one (excluding the transaction limit
factor).

I treat credsticks as e-purse smartcards. E-cash is transferred to the
credstick from a valid bank account or another credstick, and that e-cash
remains on that credstick until it is transferred to another credstick or
bank account via any number of transactions from loaning your buddy some
money to purchasing soykaf to putting gas in your car.

As for authentication, when you buy something today with paper bills, the
other guy doesn't care who you are or where you come from. If you treat
credsticks as e-cash holders then the same mentality can apply. The shop
owner only cares that he/she is getting the money. Since the e-purse-type
credstick doesn't link to a bank account, the bank doesn't care either, and
it's the same as cash-in-hand.

I don't generally agree with the over-complexity that many other people here
seem to want to inject into the concept. As far as I'm concerned, a
credstick is just electronic cash. You must remember that SR was born before
smartcard technology existed, so we are older and wiser today. The only
tangible (and beneficial) difference between credsticks and smartcards would
be the LED on the credstick telling you it's current balance. The rest is
just window-dressing.

=============
Slayer

"Beware my wrath, for you are crunchy and taste good with ketchup."
- Unknown Dragon

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From:	davidb@****.imcprint.com (Graht)
Subject:	Money and ID
Date:	Tue, 03 Dec 2002 07:47:59 -0700

Message no. 30 At 01:53 PM 12/3/2002 +1300, Bryan Pow wrote:
>Quoting shadowrn-request@*****.dumpshock.com:
>
>
> > I'm wondering why credreaders are even required.
> >
> >What if credsticks have built in transmitters/receivers that communicate
> >with banks via the bank's private satellite network (or perhaps just via a
> >satellite phone network). When money is transferred from one credstick
> >to
> >another, both credsticks call their banks to request the transaction, the
> >banks approve, and communicate that back to the credsticks. If an
>owner
> >wants to know how much cash is available on the credstick, he pushes
>a
> >button on the stick, and the stick asks the bank what the balance is. All
> >of this is done wirelessly, creating the illusion that the credstick does
> >everything internally but in fact the account is managed by the bank and
> >funds aren't actually stored on the credstick.
>
>Do credsticks have transmitters in them? If they did then any decent
>hacker could find anyone with a normal credstick, just by getting it to
>transmit and then triangulating the signal. I've always thought that
>credsticks had no transmitting capability at all, otherwise why would there
>be card-readers of the various ratings?

Note, I did say "what if" :)

--
To Life,
-Graht
ShadowRN Assistant Fearless Leader II
http://www.graht.com

From:	davidb@****.imcprint.com (Graht)
Subject:	Money and ID
Date:	Tue, 03 Dec 2002 08:11:01 -0700

Message no. 31 At 02:49 PM 12/3/2002 +0200, Steve Garrard wrote:
>Ice Heart wrote:
> > > Question: how do you guys play credsticks WRT paying
> > > your runners? To open a
> > > bank account requires a valid SIN, which most
> > > runners do not have. All this
> > > talk about credsticks, encryption, and validating transactions with
> > > the bank assumes both credstick holders to possess valid bank
> > > accounts. How do you
> > > guys get around this, or am I missing something?
> > >
> > >
> > > Slayer
> >
> > SR3 Main Rule Book, Page 239, which states that
> > certified credsticks are the 2060's equivalent to cash
> > or bearer bonds. No bank account, ID, or pulse
> > required. Electronic cash, traceable only to itself,
> > for verification purposes.
> >
> > It seems that there is a vast pool of contention
> > surrounding this rather core concept of economics in
> > SR. To the extent that most people flat out ignore
> > it. Creates some confusion when such people wander
> > into one of my games. :)
>
>Thank you! This is what I've been saying all along, and nobody seems to have
>regarded my posts. As I said, I treat credsticks as electronic cash (see my
>post from a week or so ago included below). I was getting so frustrated I
>thought maybe everybody thought I was a looney or something and I was
>missing some vital piece of the puzzle.

Well, I for one treat certified credsticks per the rules and acknowledge
that they are used by the majority of the population just like cash :)

I'm just not agreement with the rules on *how* they work.

>I treat credsticks as e-purse smartcards. E-cash is transferred to the
>credstick from a valid bank account or another credstick, and that e-cash
>remains on that credstick until it is transferred to another credstick or
>bank account via any number of transactions from loaning your buddy some
>money to purchasing soykaf to putting gas in your car.
>
>As for authentication, when you buy something today with paper bills, the
>other guy doesn't care who you are or where you come from. If you treat
>credsticks as e-cash holders then the same mentality can apply. The shop
>owner only cares that he/she is getting the money. Since the e-purse-type
>credstick doesn't link to a bank account, the bank doesn't care either, and
>it's the same as cash-in-hand.

An issue that crops up is how secure are credsticks? (certified or otherwise)

How are they protected from tampering (keeping a person from changing the
amount of money on a credstick)?

What's keeping someone from listening to a transfer (just like using a
packet sniffer) to get an encryption key and then use that to deposit more
cash on a credstick?

I personally like the idea of e-purse/smartcards. But players being
players will start to wonder the same things and I as a GM would prefer to
answer with something other than, "You can't hack a credstick because it
can't be done."

--
To Life,
-Graht
ShadowRN Assistant Fearless Leader II
http://www.graht.com

From:	SteveG@***********.co.za (Steve Garrard)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 17:28:27 +0200

Message no. 32 Graht wrote:
> [Slayer wrote:]
> >I treat credsticks as e-purse smartcards. E-cash is
> transferred to the
> >credstick from a valid bank account or another credstick, and that
> >e-cash remains on that credstick until it is transferred to another
> >credstick or bank account via any number of transactions
> from loaning
> >your buddy some money to purchasing soykaf to putting gas in
> your car.
> >
> >As for authentication, when you buy something today with
> paper bills,
> >the other guy doesn't care who you are or where you come
> from. If you
> >treat credsticks as e-cash holders then the same mentality
> can apply.
> >The shop owner only cares that he/she is getting the money.
> Since the
> >e-purse-type credstick doesn't link to a bank account, the
> bank doesn't
> >care either, and it's the same as cash-in-hand.
>
> An issue that crops up is how secure are credsticks?
> (certified or otherwise)
>
> How are they protected from tampering (keeping a person from
> changing the
> amount of money on a credstick)?
>
> What's keeping someone from listening to a transfer (just
> like using a
> packet sniffer) to get an encryption key and then use that to
> deposit more
> cash on a credstick?
>
> I personally like the idea of e-purse/smartcards. But players being
> players will start to wonder the same things and I as a GM
> would prefer to
> answer with something other than, "You can't hack a credstick
> because it
> can't be done."

Fair enough, and I agree that some form of encryption/anti-tampering must
exist on credsticks, but I don't think that has anything to do with a direct
bank account linkage.

Have a look at some of the smartcard technology sites on the web. They seem
to be faced with a similar problem, since the tech is based on the same
concept. Somebody on this list mentioned the "glass bead in epoxy" tech
being developed at MIT (I think) as one possible solution, since it creates
a type of one-way function.

Many people will claim that there will never be such a thing as an
uncrackable code. I disagree, but even if the first statement is true, the
fact is that there can and will be codes uncrackable to all but the best,
with a large budget. Look at military encryption tech today, for example.

The bottom line is that banks in 2060 will never be able to completely
eliminate counterfeit e-cash, but with the correct measures in place (and
you can bet they will be in place), it can make counterfeiting credsticks as
close to impossible that you can happily tell your players "it can't be
done", and refer them to this e-mail or some other medium explaining the
reason.

Just my two cents worth :)

Slayer

"Beware my wrath, for you are crunchy and taste good with ketchup."
- Unknown Dragon

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**********************************************************************

From:	korishinzo@*****.com (Ice Heart)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 08:22:34 -0800 (PST)

Message no. 33 > An issue that crops up is how secure are credsticks?
> (certified or otherwise)
>
> How are they protected from tampering (keeping a
> person from changing the
> amount of money on a credstick)?
>
> What's keeping someone from listening to a transfer
> (just like using a
> packet sniffer) to get an encryption key and then
> use that to deposit more
> cash on a credstick?
>
> I personally like the idea of e-purse/smartcards.
> But players being
> players will start to wonder the same things and I
> as a GM would prefer to
> answer with something other than, "You can't hack a
> credstick because it
> can't be done."

I spent a lot of time wreslting with this exact
question back in SR2. This is what I came up with.

--What can write to a credstick?
Other credsticks, or credstick readers.

--What can read from credstick?
The same as above.

--What prevents someone from counterfeiting cash in
the present day?
Watermarks, serial numbers, plastic strips, and ghost
only knows how many other methods. Obviously, the
majority of effort banks invest is in preventing the
distribution of illegitimate cash, not tracing
specific bills.

--How to apply this to credsticks?
Only two devices can read/write credsticks. Special
devices called credstick readers, and other
credsticks. Wait, the canon information on credsticks
indicates that cred transactions are "verified" when
the credstick is slotted in a reader with matrix
access. So write operations between credsticks are
probationary. This means that credstick readers are
like big credticks, with authorization ability, via
the matrix, presumably by talking to the host for the
bank that issued...what? The credit? The credstick?
Hmmm. Let's assume that banks protect the integrity
of their cash just as banks today do.

Serial Number:
Each credstick carries a serial number, a
soft/firmware code, which it imparts to all
transactions. This number is encrypted, and the
public (shared) part of the key is embedded in the
optical firmware of credstick readers. Thus, one
credstick does not know if another one is valid, but
credstick readers of any rating know immediately.
They also know if any transaction in the credstick's
memeory carries an invalid key. Lastly, they apend
their own addition to the serial number on any
transaction that passes through it. Can this key be
forged? Can the reader be spoofed? Yes. Not easily,
but yes. Read on.

Watermarks:
The optical technology of SR makes this wonderfully
easy. Full holographic watermarks are stored in the
memory of each credstick. These are unique to the
bank that issued a given credstick. This watermark is
"stamped" on every transaction, in a format that
credstick readers look for. The specialized code is
transparent to most systems, requiring special
firmware to read. Can these be forged? With
difficulty, yes. Can they be copied? Certainly.
Read on.

Harware code:
Each credstick has a harware code on it, like a MAC
address combined with a Vehicle Identification Number.
It is laser etched beneath the outermost layer of the
credstick's tip. The credstick reader can read this,
as could any device specifically designed to do so.
It is invisible to the naked eye. The credstick
reader checks this code against the issuing bank's
records. Can this be faked? If you have the right
equipment, yes. Can it be spoofed? No. If it isn't
there, the credstick reader rejects the stick.

Now, you can add more methods of identifying a
credstick and the information on it as valid, but
these are all I use. Here is how it all works.

A bank "mints" a credstick. It gets a unique code
engraved on it, and serial number firmcoded onto it.
A holographic watermark is also firmcoded into it. At
this point it is ready for use. If it is to be issued
as Registered, additional information is firmcoded
onto it, pointing to various secure infomormation
stored all over the matix, linked by the SIN of the
user. An software overview is loaded into credstick
memory, for those lightweight checks where the reader
has no matrix accesss. Flags set in the credstick's
"bios" will decide how many types of indentity
verification are needed to unlock the stick, from
passcodes to biometric scans. Certified credsticks
need none of this, and are issued with just the
engraving, the watermark, and the serial number.

Nuyen floats around the world, over the matrix, into
credsticks, off of credsticks, into datastores, and so
on. Everywhere it goes, it carries serial numbers,
watermarks, and any trace information included by a
registered user. Only when it reaches a bank's host,
and that bank communicates with other banks, can
watermarks get removed from nuyen. The encyption is
layered on like the Blackest IC in the darkest hosts.
The only portion of the whole mess that anyone can
read is the nuyen amount. Creadstick readers can read
(but not write) enough of the transaction file to see
the watermark and serial number. Whole portions of
the datastream could be bank-only info, encrypted
beyond even what credstick readers can decypher.
Remember, the packets that make up a given transaction
need not be just the nuyen amount. That is probably
the smallest portion of the data embedded in the
dtatstream.

What does all this mean to the decker who wants to put
more cash on her credstick. First of all, she has to
generate the cash. She can't just type numbers into
her virtual caclulator and send the info off to her
credstick. First of all, she needs a credstick reader
to even write new info onto a stick. And remember,
the credstick reader cannot write watermarks or serial
numbers, only copy information from elsewhere. So the
decker needs that serial number and that watermark.
Oops, she's back to needing a credstick reader,
because that is the only device that can see that
information seperate from the heavily encrypted
datafile that is a nuyen transfer. So, perhaps the
decker owns a credstick reader, and has it talking to
her cyerdeck. She sets to work with her Decrypt
utils. Personally, I set the TN up around 14. Banks
aren't messing around here. But, you say, the decker
has the serial number and watermark decrypted by the
credstick reader. Sure. But the decker has to figure
out how the datafile is constructed to figure out
where they go in a legitimate file. You don't think
the information is only in one place in the file? No
no. It is broken up, scattered through the file, and
duplicated in a few places.

So, the decker finally figures out the nuyen datafile.
She can construct her own. She punches in 5K and
transfers it onto the credstick, via her reader.
Which updates the file to add its own "fingerprint" to
the transaction. We'll assume the decker knows about
it, and allow for it. She can't get rid of it, unless
she is also a techwiz who can alter the firmware and
hardware of the crestick reader to suppress that
function. I make that task even harder. Doable, but
not easy. Moving on.

She runs out and uses her new funds. They slip into
the matrix, carrying all that wonderful info.
Eventually, they find their way to a bank, who
immediately queries the bank who issued that
watermark. For small transactions, the bank probably
approves the transaction, and writes off any loss to
couterfeiters as operating expense. As long as that
fake money stays in small, small amounts, spread over
time, our decker has her goose laying golden eggs.
She is smart, so keeps it quiet and small. If she
gets greedy or boastful, she is going to be in
trouble. Because if the bank audits any of those
transactions, they are eventually going to learn that
their money (the stuff with their own watermark) is
doubling out there somewhere. They are going to trace
it to a specific credstick reader. They may go after
our decker, but that could be difficult and pricy.
More likely, they issue an invalidate command on all
cred carrying their watermark and that reader's serial
number. Done deal. The cred starts hitting bottle
necks everywhere it goes until it is flushed from the
system. Numerous people are inconvenienced and
embarrased. Our decker had better hope it is not some
Saedder Krupp Johnson out to lunch with his boss, neh?
:)

Couterfeiting operations of any scale usually fall to
organized crime, because of the cost and difficulty
involved. Just like now. Liken that credstick reader
to one of the specialized printing presses used in
minting money. You had better believe they don't just
get sold to anyone. I often go a step further, making
the efficacy of forging money dependant on the rating
of the credstick reader. This further limits
counterfeiting to big operations.

I have actually had players put fake money on
credsticks in many ways. I have even had deckers run
Control Slave operations on credstick readers (you
don't want to know what sort of rolls were involved).
In the end, my players have always learned that the
cost-benefit ratio is not in their favor. They can
save themself 10 or 20 grand a year and not worry too
much. Any more than that has always ended up biting
them back....hard.

That 10 or 20 grand usually involves weeks of work
each year. Sure, it is safer than running. However,
two months of shadowruns could net them upwards of a
hundred thousand. Make counterfeiting unprofitable on
anything less than a grand scale. Make it the purview
of organized crime or the largest gangs. Keep it
where it is today, on the scale it is today, and no
one can question the realism of your SR. :)

This probably meandered a bit. I will sit down at
some point and write it up formally. I can send it to
NERPS or TSS maybe. How to couterfeit money in SR.
It should be about as diffcult as forging an ID. :)

======Korishinzo
--Making credsticks work: easier than it looks.

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

From:	john@********.net (John Jacobsma)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 11:25:48 -0600

Message no. 34 --
Later,
John

"Imagination is the only weapon in the war against reality."
-- Jules de Gautier

Ice Heart wrote:
> SR3 Main Rule Book, Page 239, which states that
> certified credsticks are the 2060's equivalent to cash
> or bearer bonds.

There's a big difference between cash and bearer bonds. Have you ever tried
to buy something and pay for it with bearer bonds? It matters whether your
GM thinks certified credits are used for everyday transactions or not.

Steve Garrard wrote:
> Thank you! This is what I've been saying all along, and nobody seems to
have
> regarded my posts. As I said, I treat credsticks as electronic cash.

Not to put *too* fine a point on it, but certified credsticks are not the
same beast as normal credsticks, and that may be where some of the confusion
is arising. Normal credsticks are like combination debit cards and
identification. A SIN would be required to obtain one.

Graht wrote:
> I personally like the idea of e-purse/smartcards. But players being
> players will start to wonder the same things and I as a GM would prefer to
> answer with something other than, "You can't hack a credstick because it
> can't be done."

How about, "Sure, you can hack a credstick if you want to spend the entire
game session making skill test rolls. Here's the procedure..."

The characters are shadowrunners, not hackers. Even the deckers are into
"adventuresome" hacking. It's probably possible to hack a credstick, but you
would do it in the safety of your own home. That means it would have to be
very difficult, or everyone would do it. That means it's boring, from a
gaming point of view. Play it as such, and the players won't want to try.

Long, long ago, when I played D&D (Shadowrun hadn't been invented), I had a
player who was always looking for an edge. He asked me two questions over
the course of a week, slipping them in with other items so I didn't put two
and two together until it was too late. The questions were: "How much does a
used sword cost?" and "What are the odds of finding a magic sword hidden in
a bunch of mundane swords?" You see where this was going: he bought enough
swords to give himself a decent chance of finding a couple of magic ones.
Being a nice guy, I let him do this one-on-one, between gaming sessions.
Being a probability & statistics nut, I used the Poisson distribution to
come up with a nice table of the percentage chance of him finding 0, 1, 2,
or more magic swords. Then I generated the swords he found at random, using
the standard rules.

The point of this anecdote? I wouldn't handle it this way today. With the
benefit of 20/20 hindsight, since the characters were supposed to be
adventurers, get rich quick schemes are to be discouraged. So, instead of
letting him handle it with one simple roll, although the odds were the same,
I would require him to roll for each sword individually to see if it was
magical. And I would require him to do it as part of the normal game.
leaving the other players to sit around bored for a couple of hours. Then I
would let peer pressure do its work, and that would probably be the last
time anyone tried something like that.

We play these games to have fun, so the best way to discourage things that
would unbalance the game is to make them not fun, as early as possible. Then
the players won't want to engage in them, instead of the GM having to make
arbitrary rulings regarding what is and isn't possible.

YMMV,
John

From:	korishinzo@*****.com (Ice Heart)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 09:56:43 -0800 (PST)

Message no. 35 --- John Jacobsma <john@********.net> wrote:
>
>
> --
> Later,
> John
>
> "Imagination is the only weapon in the war against
> reality."
> -- Jules de Gautier
>
> Ice Heart wrote:
> > SR3 Main Rule Book, Page 239, which states that
> > certified credsticks are the 2060's equivalent to
> cash
> > or bearer bonds.
>
> There's a big difference between cash and bearer
> bonds. Have you ever tried
> to buy something and pay for it with bearer bonds?
> It matters whether your
> GM thinks certified credits are used for everyday
> transactions or not.

However, a bank will cash bearer bonds without
requesting ID.

> Steve Garrard wrote:
> > Thank you! This is what I've been saying all
> along, and nobody seems to
> have
> > regarded my posts. As I said, I treat credsticks
> as electronic cash.
>
> Not to put *too* fine a point on it, but certified
> credsticks are not the
> same beast as normal credsticks, and that may be
> where some of the confusion
> is arising. Normal credsticks are like combination
> debit cards and
> identification. A SIN would be required to obtain
> one.

We have repeatedly said in the course of this thread
that registered and certified credsticks are different
beasts! *sigh* I give up. I am not posting on this
thread any further. You either run certified
credsticks as cash, or you require your players to
carry physical currency. Nuff said. Rehashing
everything already posted is not going to bring us to
any agreement on this.

> Graht wrote:
> > I personally like the idea of e-purse/smartcards.
> But players being
> > players will start to wonder the same things and I
> as a GM would prefer to
> > answer with something other than, "You can't hack
> a credstick because it
> > can't be done."
>
> How about, "Sure, you can hack a credstick if you
> want to spend the entire
> game session making skill test rolls. Here's the
> procedure..."
>
> The characters are shadowrunners, not hackers. Even
> the deckers are into
> "adventuresome" hacking. It's probably possible to
> hack a credstick, but you
> would do it in the safety of your own home. That
> means it would have to be
> very difficult, or everyone would do it. That means
> it's boring, from a
> gaming point of view. Play it as such, and the
> players won't want to try.
>
> Long, long ago, when I played D&D (Shadowrun hadn't
> been invented), I had a
> player who was always looking for an edge. He asked
> me two questions over
> the course of a week, slipping them in with other
> items so I didn't put two
> and two together until it was too late. The
> questions were: "How much does a
> used sword cost?" and "What are the odds of finding
> a magic sword hidden in
> a bunch of mundane swords?" You see where this was
> going: he bought enough
> swords to give himself a decent chance of finding a
> couple of magic ones.
> Being a nice guy, I let him do this one-on-one,
> between gaming sessions.
> Being a probability & statistics nut, I used the
> Poisson distribution to
> come up with a nice table of the percentage chance
> of him finding 0, 1, 2,
> or more magic swords. Then I generated the swords he
> found at random, using
> the standard rules.
>
> The point of this anecdote? I wouldn't handle it
> this way today. With the
> benefit of 20/20 hindsight, since the characters
> were supposed to be
> adventurers, get rich quick schemes are to be
> discouraged. So, instead of
> letting him handle it with one simple roll, although
> the odds were the same,
> I would require him to roll for each sword
> individually to see if it was
> magical. And I would require him to do it as part of
> the normal game.
> leaving the other players to sit around bored for a
> couple of hours. Then I
> would let peer pressure do its work, and that would
> probably be the last
> time anyone tried something like that.
>
> We play these games to have fun, so the best way to
> discourage things that
> would unbalance the game is to make them not fun, as
> early as possible. Then
> the players won't want to engage in them, instead of
> the GM having to make
> arbitrary rulings regarding what is and isn't
> possible.
>
> YMMV,
> John

Which is basically what I did when I created rules for
forging credsticks. It is boring, and the
cost-benefit analysis proves that one ought to spend
their time running, or retire to a full time life as a
counterfeiter. Anything in between simply does not
work in the character's favor.

======Korishinzo
--signing out of this thread

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

From:	mamos@*****.com (Mike Amos)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 11:25:40 -0700

Message no. 36 =====Korishinzo Wrote:

Which is basically what I did when I created rules for
forging credsticks. It is boring, and the
cost-benefit analysis proves that one ought to spend
their time running, or retire to a full time life as a
counterfeiter. Anything in between simply does not
work in the character's favor.

Korishinzo
--signing out of this thread
=======================
If it's any consolation I liked your credstick rules. I would also agree
this has gone on long enough. This is one of those many things that are
entertaining to think about, but I personally have never had cause to need
to know the entirety of the mechanics of the credstick. The majority of the
rules are laid out pretty well. I never figured I could possibly do what it
took 60 years of in game innovation to create. Although technology is moving
a little faster than planned for my Shadowrun, I'm willing to bet it'll be a
few more years to make something like cresticks. Happy debating.

The nefarious one

From:	mjcasav@****.edu (Dr. Michael J. Casavant)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 13:49:46 -0600

Message no. 37 >
>I personally like the idea of e-purse/smartcards. But players being
>players will start to wonder the same things and I as a GM
>would prefer to
>answer with something other than, "You can't hack a credstick
>because it
>can't be done."
>
>--
>To Life,
>-Graht
>ShadowRN Assistant Fearless Leader II
>http://www.graht.com

I just keep them too busy to worry about stuff like that. :)

If my game gets to the point where we are role-playing hacking into a
certified credstick and it's not the point of the adventure, it's time
for me to come up with new material or switch games/GMs for a while.

Actually, my standard answer is this - "It's not worth the effort or the
risk."

Dr. Michael J. Casavant

From:	shadowrun@********.net (Augustus)
Subject:	Money and ID
Date:	Tue, 3 Dec 2002 14:01:41 -0800

Message no. 38 ----- Original Message -----
From: "Graht" <davidb@****.imcprint.com>
>
> An issue that crops up is how secure are credsticks? (certified or
otherwise)
>
> How are they protected from tampering (keeping a person from changing the
> amount of money on a credstick)?

Looking at today, on the internet you can do online banking, buy/sell
stocks, make credit card purchses... In most cities you can order pizza
and pay at your door with your bank card (using a card reader with a
cellular modem)

All of these transmissions (through the internet, through the cellular
network) can be intercepted pretty easily... what makes them secure is 128
bit encryption.

You can't just "get" an encryption key... current estimates using todays
technology is that it would take a computer over
300,000,000,000,000,000,000,000,000 years to crack 128 bit encryption. If
computers in 2060 were 1,000,000 times faster than they are today, you could
cut the time down to just under 20,000,000,000,000,000,000,000 years

Sure, fake credit cards are floating around... but they aren't produced by
cracking bank codes and similar. Instead the hackers prey on the human side
and take advantages of people's stupidity and mistakes (dumpster diving for
credit card bills or transaction slips, hacking a password on a server's
database and downloading all the credit card info there, reading and then
duplicating the strip on the back of a credit card, etc)

But anyhow... I was more going to say:

Why do people need "real world" explanations of how things work?

There have been arguments over the years on How does cyberware work? Where
does the "essence" go? How does magic work? How does the matrix work? How
do credsticks work?

Its almost funny (almost, but more annoying) when people get nit picky and
argue over where essence goes and why it doesn't come back (and similar
arguments for other aspects of the Shadowrun game world, such as this whole
'how do credsticks work' thing), and base their arguments over "real world"
examples, when nothing like it exists in our world.

Anyhow, that was my 2 cents...

Clint

From:	arclight@*********.de (Arclight)
Subject:	Money and ID
Date:	Tue, 03 Dec 2002 23:30:39 +0100

Message no. 39 At 14:01 03.12.2002 -0800, Augustus wrote:

<snip>

>All of these transmissions (through the internet, through the cellular
>network) can be intercepted pretty easily... what makes them secure is 128
>bit encryption.

Which means almost nothing. For exampel, you (well, most probably neither
you and me) can crack a 64bit GSM-encryption (this standard is used in most
european cellphones) with an 1999 off-the-shelf computer with 128 MB of
RAM. With the right "angle" of your attack you can decrypt a GSM-encoded
phonecall in one second.

>You can't just "get" an encryption key... current estimates using todays
>technology is that it would take a computer over
>300,000,000,000,000,000,000,000,000 years to crack 128 bit encryption.

Depends on the definition of "a computer" and the algorithm.

>If computers in 2060 were 1,000,000 times faster than they are today, you
>could
>cut the time down to just under 20,000,000,000,000,000,000,000 years

Or you analyze the algorithm, find is weak points, attack these weak points
and you're a LOT faster. Because you just don't have to try out every
single possible key, you only try the promising ones by getting clues from
analysing the encrypted data, the mathematic formula of the code and all
other influences on the process of encrypting the data.

>Sure, fake credit cards are floating around... but they aren't produced by
>cracking bank codes and similar. Instead the hackers prey on the human side
>and take advantages of people's stupidity and mistakes (dumpster diving for
>credit card bills or transaction slips, hacking a password on a server's
>database and downloading all the credit card info there, reading and then
>duplicating the strip on the back of a credit card, etc)

... or just calling you and try to talk you into giving them the needed info.

--
Arclight

Tell me what you need, and I'll tell you how to get along without it.

From:	paul@*********.demon.co.uk (Paul Squires)
Subject:	Money and ID
Date:	Wed, 4 Dec 2002 07:56:01 +0000

Message no. 40 In message <005d01c29b17$a442f5c0$168457d1@****>, Augustus
<shadowrun@********.net> writes

>Why do people need "real world" explanations of how things work?
>
>There have been arguments over the years on How does cyberware work? Where
>does the "essence" go? How does magic work? How does the matrix work? How
>do credsticks work?

That's interesting as I've always treated essence as a game mechanic,
purely to prevent totally cybered freaks. However, I was flipping
through Shadowbeat last night and the section on sports rules mentions
that major league baseball players can have up to 3 essence worth of
cyber - It just seems like the sort of thing which would be difficult to
measure. Compare Basketball pros who have limits on the level of cyber
(WR maximum 1 for example). This then begs the question - if essence can
be measured are the characters aware of their own loss of humanity? I
always found the contrast with Cyberpunk interesting in this regard.
--
Paul Squires
paul@*********.demon.co.uk

From:	Gurth@******.nl (Gurth)
Subject:	Money and ID
Date:	Wed, 4 Dec 2002 10:16:26 +0100

Message no. 41 According to Arclight, on Tue, 03 Dec 2002 the word on the street was...

> Which means almost nothing. For exampel, you (well, most probably neither
> you and me) can crack a 64bit GSM-encryption (this standard is used in
> most european cellphones) with an 1999 off-the-shelf computer with 128 MB
> of RAM. With the right "angle" of your attack you can decrypt a
> GSM-encoded phonecall in one second.

Been paying attention to Rob Hansen, have you? :) BTW, you forgot to
mention that the computer needs quite a lot of hard drive space to store
all the possible keys, and that GSM encryption is not considered very safe
to start with due to some built-in flaws (I forget if those were
intentional or not, though).

--
Gurth@******.nl - http://www.xs4all.nl/~gurth/index.html
Je moet knoeien met de riemen die je hebt.
-> Probably NAGEE Editor * ShadowRN GridSec * Triangle Virtuoso <-
-> The Plastic Warriors Page: http://plastic.dumpshock.com <-

GC3.12: GAT/! d- s:- !a>? C++(---) UL+ P(+) L++ E W--(++) N o? K w(--)
O V? PS+ PE@ Y PGP- t- 5++ X(+) R+++$ tv+(++) b++@ DI- D+ G+ e h! !r y?
Incubated into the First Church of the Sqooshy Ball, 21-05-1998

From:	Gurth@******.nl (Gurth)
Subject:	Money and ID
Date:	Wed, 4 Dec 2002 10:19:35 +0100

Message no. 42 According to Paul Squires, on Wed, 04 Dec 2002 the word on the street was...

> That's interesting as I've always treated essence as a game mechanic,
> purely to prevent totally cybered freaks. However, I was flipping
> through Shadowbeat last night and the section on sports rules mentions
> that major league baseball players can have up to 3 essence worth of
> cyber - It just seems like the sort of thing which would be difficult to
> measure.

I suppose it would be measured with the equivalent of a certified nose: if
a qualified mage, using astral perception, says they're below 3 Essence,
then they're below 3 Essence.

> Compare Basketball pros who have limits on the level of cyber
> (WR maximum 1 for example). This then begs the question - if essence can
> be measured are the characters aware of their own loss of humanity? I
> always found the contrast with Cyberpunk interesting in this regard.

Shadowrun is not Cyberpunk: essence loss does not equal humanity loss.

--
Gurth@******.nl - http://www.xs4all.nl/~gurth/index.html
Je moet knoeien met de riemen die je hebt.
-> Probably NAGEE Editor * ShadowRN GridSec * Triangle Virtuoso <-
-> The Plastic Warriors Page: http://plastic.dumpshock.com <-

GC3.12: GAT/! d- s:- !a>? C++(---) UL+ P(+) L++ E W--(++) N o? K w(--)
O V? PS+ PE@ Y PGP- t- 5++ X(+) R+++$ tv+(++) b++@ DI- D+ G+ e h! !r y?
Incubated into the First Church of the Sqooshy Ball, 21-05-1998

From:	Gurth@******.nl (Gurth)
Subject:	Money and ID
Date:	Wed, 4 Dec 2002 10:26:18 +0100

Message no. 43 According to Augustus, on Tue, 03 Dec 2002 the word on the street was...

> But anyhow... I was more going to say:
>
> Why do people need "real world" explanations of how things work?

It's what I call Trekkie mentality: some people are not satisfied with "It
just does, OK?" but want to know in far too much detail _why_ something is
the way it is, and then sometimes go to extreme lengths to come up with
"plausible" reasons for it, even if those reasons tend to come across as
just as implausible.

It's kind of like telling lies, I suppose: sooner or later you have to
invent more lies to keep the first one seem the truth.

Still, my idea is that it's good to have a little idea about how something
works in the game world in RL terms rather than just in terms of game
rules. For one thing, it helps in dealing with players who want to know the
same thing, but it also helps when players want to do something with the
item that's not covered by the rules. You just shouldn't take it too far,
IMHO.

--
Gurth@******.nl - http://www.xs4all.nl/~gurth/index.html
Je moet knoeien met de riemen die je hebt.
-> Probably NAGEE Editor * ShadowRN GridSec * Triangle Virtuoso <-
-> The Plastic Warriors Page: http://plastic.dumpshock.com <-

GC3.12: GAT/! d- s:- !a>? C++(---) UL+ P(+) L++ E W--(++) N o? K w(--)
O V? PS+ PE@ Y PGP- t- 5++ X(+) R+++$ tv+(++) b++@ DI- D+ G+ e h! !r y?
Incubated into the First Church of the Sqooshy Ball, 21-05-1998

From:	mooseshagger@*******.com (Captain Canuck)
Subject:	Money and ID
Date:	Wed, 04 Dec 2002 06:15:14 -0800

Message no. 44 Credstick Lovers,

Read this:

http://www.cnn.com/2002/TECH/ptech/11/26/mini.credit/index.html

CMF

_________________________________________________________________
Add photos to your e-mail with MSN 8. Get 2 months FREE*.
http://join.msn.com/?pageþatures/featuredemail

From:	paul@*********.demon.co.uk (Paul Squires)
Subject:	Money and ID
Date:	Wed, 4 Dec 2002 18:14:43 +0000

Message no. 45 In message <02120410193503.00576@***************>, Gurth
<Gurth@******.nl> writes
>> I
>> always found the contrast with Cyberpunk interesting in this regard.
>
>Shadowrun is not Cyberpunk: essence loss does not equal humanity loss.
>

No, but it's nonetheless an interesting comparison. In CP someone with
lots of cyber *is* edgy, dangerous and, well, less human. In SR you can
have .01 essence, still have 6 charisma (or 8 for an elf), with an
etiquette to match (or seduction, or whatever). Is the SRunner less
human? The background seems to suggest so, but the rules don't - at
least not unless you've got the companion which puts in place a penalty
for having low (or negative) essence in dealings with contacts. So which
is it?

My point was that essence should be merely a stat - is the same
character aware of his bod? Does the strongman club have a membership
that STR>3, or do they actually test *what* you can do with your STR? (I
realise that I'm about to move into the territory of RL IQ and
MENSA - but IQ testing is basically rubbish anyway). Given the nature of
stats as a way of *describing* the object/person I find it odd that an
IG org. would have a rule regarding that stat.
--
Paul Squires
paul@*********.demon.co.uk

From:	zebulingod@*****.com (Zebulin Magby)
Subject:	Money and ID
Date:	Wed, 4 Dec 2002 10:20:57 -0800

Message no. 46 "Paul Squires" <paul@*********.demon.co.uk> wrote:
>
> No, but it's nonetheless an interesting comparison. In CP someone with
> lots of cyber *is* edgy, dangerous and, well, less human. In SR you can
> have .01 essence, still have 6 charisma (or 8 for an elf), with an
> etiquette to match (or seduction, or whatever). Is the SRunner less
> human? The background seems to suggest so, but the rules don't - at
> least not unless you've got the companion which puts in place a penalty
> for having low (or negative) essence in dealings with contacts. So which
> is it?
>

Now wait a minute. I thought one of the recent sourcebooks did have a rule
where someone with a bunch of cyber had penalties to social interaction.
Wasn't it M&M? Essence isn't just a stat, and I thought the rules did link
it to a loss of humanity or somesuch.

Zebulin

From:	loneeagle@********.co.uk (Lone Eagle)
Subject:	Money and ID
Date:	Wed, 04 Dec 2002 18:29:44 +0000

Message no. 47 At 10:19 AM 4/12/2002 +0100, Gurth wrote:
> > That's interesting as I've always treated essence as a game mechanic,
> > purely to prevent totally cybered freaks. However, I was flipping
> > through Shadowbeat last night and the section on sports rules mentions
> > that major league baseball players can have up to 3 essence worth of
> > cyber - It just seems like the sort of thing which would be difficult to
> > measure.
>
>I suppose it would be measured with the equivalent of a certified nose: if
>a qualified mage, using astral perception, says they're below 3 Essence,
>then they're below 3 Essence.

Or it's just a game mechanic explanation of lots of medical exams and
interviews...

Wired reflexes... level 2? What grade? Who installed this? and it's last
service was? Now if I could just check the certification on that?

You know, they aren't actually limited to 3 points of cyber just to
particular pieces which are easiest expressed as 3 points of essense.

Oh and I will get round to updating my GCC...eventually.

--
Lone Eagle
"Hold up lads, I got an idea."

www.wyrmtalk.co.uk - Please be patient, this site is under construction

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GE d++(---) s++: a->? C++(+) US++ P! L E? W++ N o? K? w+ O! M- V? PS+ PE-()
Y PGP? t+@ 5++ X- R+>+++$>* tv b+++ DI++++ D+ G++ e+ h r* y+>+++++
-----END GEEK CODE BLOCK-----

GCC0.2: y75>?.uk[NN] G87 S@:@@[SR] B+++ f+ RM(RR) rm++ rr++ l++(--) m- w
s+(+++) GM+++(-) A GS+(-) h++ LA+++ CG--- F c+

"Yes Kate, I want you to become a prostitute."
Blackadder II (Bells)

From:	paul@*********.demon.co.uk (Paul Squires)
Subject:	Money and ID
Date:	Wed, 4 Dec 2002 18:59:07 +0000

Message no. 48 In message <5.1.1.6.0.20021204182226.00b568d8@www.wyrmtalk.co.uk>;, Lone
Eagle <loneeagle@********.co.uk> writes
>At 10:19 AM 4/12/2002 +0100, Gurth wrote:
>You know, they aren't actually limited to 3 points of cyber just to
>particular pieces which are easiest expressed as 3 points of essense.
>
Which could be almost any amount of cyber given the vagaries introduced
by surgery rules (especially in combination with custom 'ware). As a
disclaimer I've not got M&M (getting hold of a copy is proving to be
extremely difficult) so I'm going on 1st ed rules in SSC.

IIRC the penalties associated with cyber are BECAUSE of the cyber - that
obvious cyberarm will make people avoid you - it's a role-playing thing.
A lack of essence could be caused by something else entirely (Pity the
ML ball player who gets attacked by a vampire - the resident wiz
announces he's only got 2 essence left and the player gets a lifetime
ban)

Do you also believe that the character would buy WR lvl 2? Or would he
buy "Renraku SpeedEnhancer 2060" (ok that's a ruibbish name)? It comes
back to whether the stats are merely GAME mechanics or whether the
characters are aware of them. I don't see people walking round referring
to stats in the way this indicates - a skill level of 8 is world
class/genius (the rulebook tells me so) - would your character say "He's
got pistols:8" or would it be "He's world-class with a pistol"

I seem to have drifted even more OT (and I'm sure that I'm getting less
coherent. I'm certain I'm making more typos - I think my target numbers
for typing must be getting increased due to having 3 boxes of stun
damage)
--
Paul Squires
paul@*********.demon.co.uk

From:	arclight@*********.de (Arclight)
Subject:	Money and ID
Date:	Wed, 04 Dec 2002 23:52:38 +0100

Message no. 49 At 10:16 04.12.2002 +0100, Gurth wrote:

<snip>

>Been paying attention to Rob Hansen, have you? :)

That, and some further reading ;)

>BTW, you forgot to mention that the computer needs quite a lot of hard
>drive space to store
>all the possible keys, and that GSM encryption is not considered very safe
>to start with due to some built-in flaws (I forget if those were
>intentional or not, though).

D'uh. Yeah, I did. That was intentional (frenchmen did that, AFAIK)...
anyway, I guess it was OK to deliver my point. At least I hope that *g*
Ok, I could have used that other example he gave. Someone defeated a crypto
based on decay of a radioactive material (which is absolutely random) by
finding regularities (sp?) in the method and instruments used to monitor
the radioactive decay ... kind of impressive =)

--
Arclight

Tell me what you need, and I'll tell you how to get along without it.

From:	Gurth@******.nl (Gurth)
Subject:	Money and ID
Date:	Thu, 5 Dec 2002 10:56:57 +0100

Message no. 50 According to Paul Squires, on Wed, 04 Dec 2002 the word on the street was...

> No, but it's nonetheless an interesting comparison. In CP someone with
> lots of cyber *is* edgy, dangerous and, well, less human. In SR you can
> have .01 essence, still have 6 charisma (or 8 for an elf), with an
> etiquette to match (or seduction, or whatever). Is the SRunner less
> human?

In the Darth Vader sense, sure.

> The background seems to suggest so, but the rules don't - at
> least not unless you've got the companion which puts in place a penalty
> for having low (or negative) essence in dealings with contacts. So which
> is it?

That modifier is for the effects cyberware has on the way you look, move,
etc. rather than for psychological effects on the "user", which Humanity
loss in Cyberpunk represents.

> My point was that essence should be merely a stat - is the same
> character aware of his bod? Does the strongman club have a membership
> that STR>3, or do they actually test *what* you can do with your STR? (I
> realise that I'm about to move into the territory of RL IQ and
> MENSA - but IQ testing is basically rubbish anyway). Given the nature of
> stats as a way of *describing* the object/person I find it odd that an
> IG org. would have a rule regarding that stat.

True, but there is not really another way they could have put it, I think.
I mean, the strongman club could say you have to be able to lift x kg,
which typically requires a Strength of y, but someone with y-1 could do it
as well on a good roll. But how do you _do_ anything with your Essence?

--
Gurth@******.nl - http://www.xs4all.nl/~gurth/index.html
Je moet knoeien met de riemen die je hebt.
-> Probably NAGEE Editor * ShadowRN GridSec * Triangle Virtuoso <-
-> The Plastic Warriors Page: http://plastic.dumpshock.com <-

GC3.12: GAT/! d- s:- !a>? C++(---) UL+ P(+) L++ E W--(++) N o? K w(--)
O V? PS+ PE@ Y PGP- t- 5++ X(+) R+++$ tv+(++) b++@ DI- D+ G+ e h! !r y?
Incubated into the First Church of the Sqooshy Ball, 21-05-1998

Mailing List Logs for

Further Reading

Disclaimer