In Roleplaying Tips #536, Johnn ran a tips request (reproduced below) asking for tips on how to GM computer hacking. I decided that simply offering a few tips wasn’t quite going to cut it, and that the subject deserved a slightly more in-depth treatment.

I’m currently running a sci-fi future campaign where computers are an integral part of space station and starship security.

The rules include skills that allow dice rolls to hack computers. This is fine for the random security door or the like, but feels too random and flavorless to me to have more important events hinge on it (like when you are in the bad guy’s empty lair trying to extract secrets from his computer without tripping any alarms).

I’m not asking for a whole game built around computer use, but are there any interesting ways you or other DMs handle computer hacking?

Computers in RPGs: The Problems

Before solutions can be found to problems, it’s usually a requirement that the problems themselves be considered. Often, they aren’t even identified when you start, let alone articulated and analyzed. So that’s where I’m going to start.

The Legacies of Obsolete Iron

The first problem is that game systems often need to accommodate a whole range of computer systems with extremely varied hardware capabilities. Many of the key concepts stem from early mainframes, which could only run a few programs at a time. Compare the stats of a state-of-the-art mainframe from the early 1960s with the microprocessor in a new car from the year 2000, and you will find that the car has the better computer – it’s certainly better than the mainframe used for the Apollo missions, for example. (There are good reasons for that, related to proven reliability, but nevertheless…)

Similarly, compare a modern desktop computer with the stats of the Cray Supercomputer, famed as the Ultimate Computer in many TV shows and movies, and astonishingly, the modern desktop wins out over the liquid-nitrogen-cooled billion-dollar machine in most if not all respects. Processor speed, calculation rate, memory, storage capacity, storage retrieval rate, efficiency… just think about that for a minute.

Of course, physical reality means that this exponential growth curve in capacity, known (in terms of transistor count) as Moore’s Law, can’t continue, and in fact it seems to have leveled off in recent years – refer to this (slightly technical) article, for example, or this (somewhat less technical) blog post for the more generalist reader. Both are now a little dated, but the general principle remains.

But the fact is that much of the mass-media’s concept of what computers can and can’t do derives from the fancies of people back when Mainframes, also known as Big Iron, was the ultimate in computer power.

When I set out to create the computer rules for my superhero roleplaying game, I soon struck a fundamental problem in trying to not only modernize those conceptual standards, but to also accommodate the past and project into the future. The results were a bewildering rules draft of more than 60 pages length. There were three attempts at a conceptual rules framework prior to that monstrosity and two attempts at more abstract approaches afterwards before my co-writer and I finally struck a computer rules system that seemed balanced in terms of game performance, abstraction, and realism. That process took 8 years to complete.

Since I doubt most game designers care to spend eight years and six attempts in the creation of a relatively minor subsystem within the rules, it follows that most game systems have computer rules that are going to be inadequate at some point in time, and that aren’t going to be as playable as they could be. Unless someone’s had a stroke of genius, of course, that let them short-cut the development process.

There are always going to be:

  • Unreasonable limits on what a computer can do,
  • Unreasonable translations of real-world computer system capabilities into game-scale performance,
  • A juggling act between simulation and abstraction that will always fall short of the optimum, and
  • Frustration with the computer rules as a result.

While it cannot solve such problems, whatever solutions to the problems of roleplaying the interaction between a PC and a computer are offered should at least ameliorate this situation.

The Power of Tomorrow-tech

If the concepts of the past lead to modern problems of abstraction in game systems, trying to forecast the capacities of the computers of tomorrow is even more problematic – because it’s exactly the same problem, but compounded with the handicap of trying to foretell the future.

The scale of the problem can be demonstrated by considering virtually any movie or TV show in which computers play a significant role – from Babylon 5 to Star Trek to Hackers to Sneakers to The Net to The Matrix to, well, you name it. Events, and computer capabilities, not only outstrip the speculations within those shows almost immediately, it can easily be shown that in order to connect with a lowest-common-denominator audience, such outstripping is inevitable. Who, as late as the 1990s, could have forecast the iPod, iPad, Smartphone, GPS Navigation, or Kindle? (Hackers is notable for getting about half of the technical dialogue and computer concepts right – putting it way ahead of the field!)

Again, this problem will not be completely solved by whatever solution we adopt, but a good solution should at least mask the difficulties.

Computer Time vs. Game Time vs. Real Time

Computers don’t operate on the same time scale as people do. Preprogramming, and the ability to launch massive undertakings with a single mouse-click (or equivalent), means that a computer can do 10,000 things in the time it takes a person to do one. For example, trying to guess a password – a modern desktop computer can easily try 1,000+ password guesses in a second, proceeding in a systematic attempt to break security by brute force. The weaker the password or other security, the more quickly success will be achieved in this manner.

There’s an inevitable compromise between security and accessibility when it comes to such things. The strongest password is a long string of apparently unrelated characters and numbers – but those are hard to remember and harder to type in accurately and even harder to type in both accurately and quickly. There are various ways around such problems – using a password manager to generate complex passwords for you, or using some system to derive that seemingly random string of characters. I even once saw a program that had the rules and statistics of the English language built into it so that, given a pair of letters, it could generate a password of any desired length that consisted of the least-likely characters to follow the preceding one, with a random choice when multiple options were possible.

This discrepancy poses serious problems for the GM when it comes to PC-computer interactions, because it means that the number of actions that can be launched and completed by an individual in the cyber-world is vastly disproportionate to the number of actions that can be carried out by other PCs in the real world.

In fact, there are three serious problems that arise. The first is that either the GM compromises the effectiveness of computer technology, reducing the effectiveness of the computer to “human” standards, or he gives the computer hacker a vastly disproportionate share of screen time. This problem is exacerbated by game systems that operate on a binary “success/fail” structure when assessing skill use.

One Stands Alone

The second problem is that all this screen time is necessarily conducted outside of the group environment; essentially, it is solo in nature and not collaborative. The other characters can’t interact with the hacker while he’s in “hack mode” and he can’t interact with them.

For example, think about how much information on a target a good hacker could accrue while the other PCs are engaged in a 45-minute drive across town to the target. Even without doing anything illegal, just using standard tools like Wikipedia and Google, how much information can you get in that period of time on any given subject? Would 90 relevant websites – two per minute – be unreasonable? Most would come up early, later it would be harder to find something that wasn’t a redundant regurgitation of information already retrieved. It actually takes longer to assimilate the information retrieved than it does to retrieve that information in the first place; the core of the subject – whatever it is – will probably be retrieved in the first 30 seconds, and you’ll spend more time excluding unwanted data than reading relevant information.

You couldn’t wrap your head around a vast subject – for example Microsoft Controversies – in such a short span. But on any specific subject – say, the 2007 Cricket World Cup? You may not gain enough information to be an “expert”, but you can certainly expect to be an “authority” on an amateur scale in such a period of time – unless the subject itself is so broad as to be useless in any realistic context. (A Google search for 2007 Cricket World Cup brings up 26,300,000 references; being more specific with a search for 2007 +”cricket world cup” refines the results to the most relevant 9,350,000 results. Of course, you might not understand all the nuances without also reading up on the rules of cricket – fortunately, there are another 8,480,000 web sites out there to help with that. There are even 71,900 web sites that deal with the overlap between the two subjects. It took me more time to type in the questions than it did to retrieve the results.

How about something really specific: The thermodynamics of frozen mercury? Well, obvious search terms are “solid mercury”, “supercooled metal”, “supercooled mercury”, and “frozen mercury” – perhaps refining all of the above with the additional term ‘thermodynamics’. Those searches yield, respectively:

  • “solid mercury” – 107 million results, down to 1,120,000 with “thermodynamics” as an additional term;
  • “supercooled metal” – 900 thousand results, down to 93,300 with “thermodynamics” as an additional term;
  • “supercooled mercury” – 427,000 results, increasing to 680,000 with the additional term “thermodynamics” included(!); and,
  • “frozen mercury” – 17,500,000 results, reduced to 746,000 with the additional search term.

The searches took perhaps 30 seconds, and already I know more on the subject than I did – notably, that frozen mercury can be sculpted using liquid nitrogen – there’s even youTube video of it being done!

And that’s only using the net for information retrieval; a properly set up system with various operations scripted in advance can permit a more substantial interaction with any computer connected to the internet almost as quickly as you can click on it. Changing someone’s identity? Crack the site, locate the database, search it for the record you want, overwrite it. The more automated that process, the faster the whole thing happens; it would take some fancy programming to get it to the “point-and-one-click” standard of ease, but it’s (unfortunately) not that far removed from it now.

The Impersonal Face Of I.T.

The final problem that comes from the differential in speeds is that “interacting” with computer systems is an impersonal activity – a series of die rolls. There’s no real interaction, no real capacity for role-playing, in that approach. Player rolls a dice, GM interprets the results – that’s it. Not very satisfying.

In fact, this is a consequence of the first two problems and hence only indirectly related to the “computer time” issue, but this is at the heart of the problem.

The Request For Help

The request for help didn’t elaborate on the problem with computer interaction that was being anticipated, and doesn’t specify game system – just a vague hope that there’s something more than the “roll a die” approach that is the last of the problems identified above.

Well, don’t despair, because there is a solution!

Computers in RPGs: A Solution

Having layed out the problems that the GM faces in trying to referee the man-machine interface, it’s time to consider solutions – preferably, one solution that solves or at least minimizes all of the specific problems identified.

Simulation, Thy Aim Is Virtual

In the late 1980s and beyond, it has become fashionable to create a virtual world for characters to inhabit while interacting with computers in any deep, meaningful, way. This is a concept that quickly migrated into RPGs – notably Cybertech’s “Cyberspace” and TORG’s “Godnet”. The reason is simple: it holds the seeds to cure virtually all the ills described previously.

The reason for the effectiveness of a VR world as a solution to these problems is that it reflects a translation of machine-scale (especially in terms of time) into a character-scale interaction. By using metaphor and symbolism to represent the various barriers and problems that the character hacking the machine encounters, and the tools that can be employed to assist in the solution of those problems, VR-simulation recasts computer events into roleplaying events. With voice-recognition style input mechanisms and text-to-voice systems – both of which have been around for a decade or so in primitive form, but which have not yet achieved seamless functioning – the entire experience of hacking a computer can be re-envisaged in this fashion, and the conversation between computer systems becomes a roleplaying event between the character and his target.

For my superhero game, I wanted to come up with a new metaphor for the internet, as perceived in this fashion. What I eventually settled on was a term derived from the Aboriginal Natives of my Australian homeland, “The Dreamtime”. The principles of The Dreamtime are simple: Everything happens as a character-level interaction and on a human time-scale; there is ONE die roll per action which is shaped and interpreted to describe the entire encounter; each system has its own metaphor, its own virtual world if you will, so that each time you penetrate a new computer you enter a strange new environment that can be anything I can imagine.

Aggregation is your ally

Making this approach work requires two adjustments to your thinking; the first is “aggregation” and the second is “variable time”, which I will discuss in the next section.

Aggregation is the principle of loading multiple subtasks into a single overall task and using a single die roll to ascertain the character’s success or failure at that overall task. For example, let’s talk about the act of filching a set of blueprints from a villain’s computer. The subtasks are breaking through the outer security layer that protects the computer systems from outside infiltration, evading the anti-tampering measures that continually search for unauthorized changes, searching the system for the blueprints, gaining access to the blueprints, packaging the blueprints for transport out of the host computer, and escaping the system without detection.

You could have the character make six or more die rolls for these six or more tasks, but a far better approach is to consider them all one big task – getting the plans out of the target computer, creating a virtual world to represent the target computer system and roleplaying the encounter as a metaphor for the larger task.

A key aspect to the concept of aggregation is that there are degrees of success and degrees of failure, and the function of the die roll is to determine where on this spectrum of possible outcomes events will fall, based on the character’s abilities, and the difficulty of the overall task.

  • I describe a castle, middle-ages European in style, with moat, portcullis, and drawbridge. This gives the basic motif of the virtual world the virtual character is going to enter.
  • The character doing the hacking makes his one and only skill check of the entire process, which indicates to me (as GM), but NOT to him, that a partial success will occur.
  • The player describes how the character overcomes the problems already thrown his way: the character swims the moat, fires a jet-propelled climbing hook so that it fixes to the battlements, climbs the rope attached to the climbing hook, then draws the rope up behind him. Since he doesn’t know what he will find on the battlements, he can’t go further without input from me.
  • I assess the difficulty of each substep relative to the difficulty of the overall task. If that difficulty indicates that the character would have failed the test, I can either apply a sufficient bonus that he succeeds (giving me a penalty that I can put in my pocket for later) or simply have the action fail, requiring the player to come up with an alternative approach.
  • I decide that the moat is easily crossed, and that climbing the rope is not overly difficult, and that the character succeeds in both. I indicate this success by describing the actions and then move on to describing the battlements. In effect, the character is using a back door to evade the initial security. If the back door approach is not going to work, the character will find nothing but solid stone on the battlements; if it is, either there will be a locked door or perhaps a palm-print scanner or whatever to be overcome before the backdoor is actually opened.
  • …and so on. There might be ghosts representing the internal security and suits of living armor blocking doors and puzzles and riddles and who knows what else to be overcome before the player achieves his reward.

The key is that I decide, based on the die roll, how successful the player is going to be, and where he will fall short of his overall objective. If the character rolls well enough, everything he tries will work (somehow), no matter how unlikely it is. If he rolls badly enough, everything he attempts will end in disaster. If he rolls somewhere in between – which is the most likely – perhaps he will get the blueprints, but be unable to carry them out; or will find where in the castle they are, but fail to get through the lock; or set off security; or even get away with the blueprints but only by leaving clear evidence that he did so. The success or failure of the character both shapes, and is shaped by, the overall plotline.

Time Doesn’t Fly When You’re Having Fun

The second key concept that a VR solution entails is that of Variable Time. Most RPGs take the position that each round a character gets to make a new die roll; this approach, by aggregating all those die rolls into one, also aggregates the time frames that are involved. It doesn’t take a lot of thought to realize that this means that just as there can be degrees of success involved, so the time taken to succeed in a subtask is also under the GMs control. The amount of time it takes to achieve any given task is under GM control – all a successful die roll means is that the character will succeed – eventually.

That means that the GM can configure the apparent difficulty to a level appropriate to the target – low for a fairly open public system, incredibly high for the arch-villain’s main computer – without compromising that impression with an easy success by the hacking player.

Even better, it means that the GM can run the hacking in temporal lockstep with the activities of non-VR characters, eliminating the problem of differing temporal rates altogether.

Interacting with the Intractable

Why stop there? Combat can occur between virtual characters, representing some sort of active opposition to whatever the character is trying to achieve, as compared to a passive obstacle like a moat, a door, or a lock. Damage inflicted would be to the systems and hardware that the character is using to “go online” and would affect his virtual self as though he had actually sustained the damage. A portion of the damage might even feed back as physical harm to the character as though he were in real combat.

The Ghosts In The Machine

The VR approach has proven itself in past uses in my campaigns, but of late I have taken it even further. I have realized that the nature of a computer system will reflect the personality and abilities of its creator and its programmer. Rather than a simple score to be overcome, the difficulty assigned should be a summation of all those who contributed to the system’s creation – and, since they can keep trying until they get it right, they are represented at their very best. That means the last line of defense should be a simulacrum of the system’s creator (the arch-villain, in the case of the example enquiry) – a creator who always rolls a natural 20 for anything prepared in advance.

That character’s normal skill levels will be applied to such tasks as disguising data, blocking hacking attempts, etc. The target will reflect the creator, or – to put it another way – the creator’s ghost will inhabit the machine that he has created.

Even if the basic hardware is off-the-shelf, each user will modify the system to better suit his own needs and uses. My computer set-up would not be the same as Johnn’s, even if we had identical computers; I would have options configured differently, I would have software installed that he does not have (and vice-versa) and so on. In the virtual world, that would make my computer a somewhat-inadequate reflection of me, and his computer a reflection of him.


A quick check of the problems that were indentified earlier shows that the VR approach, with both Aggregation and Variable Time elements, not only solves or at least ameliorates them all, but it offers additional avenues for roleplay and characterization, and permits the GM to flex his creative muscles to the maximum.

It’s not a perfect solution, as there can be some additional prep involved, but as solutions to problems go, it’s not half bad.

Related Posts with Thumbnails
Print Friendly