This is where I put stuff I’ve written about my campaign’s “fluff” - ie. the narrative and the fictional world.
This the multi-page printable view of this section. Click here to print.
The Sixth World
- 1: The (Wireless) Matrix
- 1.1: Overview of what is possible with these rules
- 1.2: Making the Matrix
- 1.3: Matrix icons
- 1.4: The augmented everyday
- 1.5: Hacking the Matrix
- 1.6: Symmetric entropy pools
- 1.7: Other stuff
- 1.8: Comparing these houserules to Shadowrun 5e/6e RAW
- 2: Everyday life
- 2.1: SINs and licences
1 - The (Wireless) Matrix
Although this overlaps with my Matrix re-fluff for Shadowrun stuff elsewhere on this site, it is signifcantly pared down. The intent, here, is not to contort the fluff to fit the baroque existing Shadowrun rules; but rather, to present a straightforward base for wireless hacking to exist in a Fun! Furious! Fast! cyberpunk setting.
Houserules for using this version of the matrix in Sprawlrunners / Savage Worlds are in this section.
1.1 - Overview of what is possible with these rules
Deckers can use their cyberdeck in augmented reality mode to wirelessly connect to nearby devices: cameras, maglocks, other people’s commlinks and smartguns… They can exploit these connections to hack the device and sublety manipulate them: stealing data, listening to phone calls, looping camera feeds, opening doors. Or they can abandon subtlety and switch to cybercombat: crashing devices, flooding them with bad data and 0-day vulnerabilities until they are knocked offline entirely.
People can defend against deckers in a few ways. The simplest method is to form a private network controlled by your commlink. A network groups all their gear behind the controller, then establishes it as the beachhead connection to the rest of the matrix. Now, in order to hack the devices in a network, the decker first has to hack the network itself. It’s not a lot of extra protection (unless they have a really expensive commlink), but it’s something.
Deckers and riggers can form more powerful networks using their cyberdeck or dronedeck as as controller. These are harder to hack, as these devices are much more powerful than any commlink – and even if you do hack into them, the decker or rigger might notice.
Corp wageslaves working in a facility often use a network controlled by a powerful host. This provides a lot more protection. To hack devices on a host-controlled network, the decker first of all has to hack the host; that involves a trip into VR, leaving their meatbod behind as a floppy, vulnerable shell.
Hosts are also where corps keep their juicy (and valuable!) secrets, so deckers naturally gravitate to attacking them. Those secrets are guarded by ICE and by counter-decker security staff called spiders, so it won’t be easy. Hosts can be hacked via wireless connections if the decker can get within connection range, but it’s better to find a convenient device the host trusts and use it to establish a back door via a wired connection to its inner workings.
With wireless connectivity, deckers also loom large on the modern battlefield. They can host and defend tacnets, realtime AR overlays for members of their team that allow them to share tactical information. When the situation calls for stealth, they can reconfigure their network to hide on the Matrix, disguising dataflow between the devices to look innocuous. And finally, they can make powerful DoS Attacks against opponents, overloading their electronic gear with junk data to inhibit its functionality.
1.2 - Making the Matrix
The third-generation Matrix of the 2070s is a technological marvel, delivering immersive AR and VR applications to users without the need for wires. But how does it manage such fast connections without requiring the user to physically connect a cable? The answer comes in two parts.
NotesThe design intent here is to keep deckers close to the action by tying their hacking activities to a short-range mesh network.
The first part is the global grid, also known colloquially as the backbone. This is broadly equivalent to what was known in the early 21st century as “the cloud”; it’s the sum of all the physical infrastructure of fibre trunks, satellite uplinks, and other super-speed connections that connect all the Matrix’s hosts together. Within the backbone, speed is functionally infinite, and distance is no issue. But you can only use the backbone if you have a physical, wired connection to it. Nobody wants that.
Early 21st century cellular wireless standards are no help. The Matrix demands very fast high-frequency ultra-wideband radios, but they are easily blocked by the gleaming steel-and-glass towers of the sprawl. You’d never get a signal. How to square this circle?
The local mesh
The answer is a short range, peer-to-peer mesh network. Suppose Alice wants to check the latest updates on her P2.1 social feed. Her commlink sends the request to her neighbour Bob’s commlink. From there, it’s forwarded to Charlie’s commlink. And so it travels, until it reaches an uplink host - which has a hardline connection to the backbone. From there, it can speed off to its final destination. The P2.1 host sees the request, and sends the response back down the same link. This all happens in the blink of an eye.
Every Matrix device automatically self-organises itself into a reliable mesh network, and sets up forwarding and routing so that everything transparently works. This is the local mesh. At all times, your Matrix devices exist in a bubble, extending perhaps a hundred meters around you. Somewhere in that bubble is your closest uplink host, the one you will send backbone traffic to. But where is your traffic going? Well, for most people, it’s usually a host.
Hosts come in a few major types, depending on what kind of connection they have.
First, there are the aforementioned uplink hosts, sometimes called beanstalks. These bridge between the backbone and the local mesh, a bit like an old-time cell tower. People don’t really think about them too much; like any piece of reliable infrastructure, they fade into the background. But they’re there, scattered around the sprawl.
The most common type people interact with in their personal lives are cloud hosts. These are hosts made up of many physical servers distributed around the planet, all with their own connection to the backbone. They exist everywhere and nowhere at once. Cloud hosts are very powerful and very secure.
However, you can’t use cloud hosts for everything. When Wally Wageslave sits working in his office like a good little drone, that office’s various systems - heat, light, power, security, Wally’s files and emails - are all run by a host located inside the building. These local hosts work exclusively on the local mesh, without a backbone connection. Local hosts have one defined place of existence; somewhere, there’s some computers in a rack you can point to and say “this is the host for this building.”
Some of the more prominent and successful hacker collectives might run illicit local hosts, sometimes called dark hosts as they (for obvious reasons) do not advertise their existence like most legal hosts do.
Offline hosts are computers that are totally air-gapped, with no connection to the local mesh or the backbone. The only way to connect to them is directly via a cable. Offline hosts are often used for very important, secret file storage, and are placed in locations that are very physically secure.
But how do you actually get stuff done on the Matrix? Well, you interact with icons.
Everything on the Matrix is represented by an icon. Icons can look like anything; cartoonish symbols, abstract runes, photorealistic 3d images; anything (although most sane Matrix designers use icons that at least vaguely resemble what they are used for). Icons can represent one of a few different types of thing:
- Tags: tiny little passive chips. They have no batteries or computing power of their own; they are powered by wireless power gathered from the Matrix. They typically hold and/or broadcast some number of files. They cannot be hacked, as such, as they lack any processor of their own. See Tags for more.
- Files: any type of data (text, audio, video, computer code, …), stored on any type of medium (in a tag, on a commlink, in a host, on a storage chip, …).
- Devices: toasters, cars, door locks, speakers, microwaves, etc etc etc. In the Sixth World, near enough everything that has electrons flowing through it also has a functioning Matrix connection of its very own. Devices can be directly connected to the matrix (unattended) or protected inside a network run by a commlink, ‘deck, or host.
- Commlinks: special devices that people use to see and interact with the Matrix.
- Cyberdecks: souped-up commlinks that can be used to bend the rules of the Matrix by hackers and counter-hackers. There’s also drone decks, which are similar but specialised and used to remotely control drones.
- Hosts: as mentioned above, these are the “servers” of the Matrix; big computer systems you can go into and do stuff within. So the social network P2.1 has a host that you go into to read your friends’ updates, post messages, play games with them; that sort of thing.
- Some hosts are so big that internally they are sub-divided into zones called nodes.
1.3 - Matrix icons
When you view the world in AR, your commlink or cyberdeck can overlay icons for any (and all) nearby matrix devices onto your vision. This is rather overwhelming - in an urban area, the local mesh can contain thousands of icons. So most people run filtering routines that hide most of them and only show ones deemed important. For example, in a crowded street, you might only show icons for commlinks for people you know, and hide the rest.
The mesh networking routing protocols that keep the wireless matrix working tracks the approximate position and motion of all these devices, so it can predict when devices are about to go out of range of each other and have fallback routes prepared to keep traffic flowing. AR leverages this information to position icons in the user’s sensorium in vaguely the correct place, relative to where the device is.
When the user has line-of-sight to the device, this positioning is quite accurate; glance at a coffee machine in AR and you’ll see its glowing matrix icon hovering just over it. When there’s no line of sight, position accuracy drifts randomly, often by a few metres. If you are in a shopping mall and your friend is in the store a few doors down from you, you’ll see an icon for their commlink, but it’ll appear vague and fuzzed-out so you know it’s only an approximate position.
When using VR inside a host, there is no need to make things correspond to meatspace. Icon positioning is arbitrary and governed by the sculpting of the host. Some hosts look like glowing neon wireframes, with icons clustered across an infinite 2d plane. Others are painstakingly rendered 3d environments with icons grouped logically and scattered across rooms or areas. The possibilities are limitless.
Types of icon
- Tags: tiny, passive chips; see Tags.
- Files: any type of data (text, audio, video, computer code, …), stored on any type of medium (in a tag, on a commlink, in a host, on a storage chipdrive, …).
- Devices: toasters, cars, door locks, speakers, cameras, drones, microwaves, etc etc etc. In the Sixth World, near enough everything that has electrons flowing through it also has a functioning Matrix connection of its very own.
- Commlinks: special devices that people use to see and interact with the Matrix.
- Cyberdecks: souped-up commlinks that can be used to bend the rules of the Matrix by hackers and counter-hackers. There are also drone decks, specialised variants used by riggers to control drone networks.
- Hosts: the “servers” of the Matrix; big computer systems you can go into in VR and do stuff within. Some hosts are so big that internally they are sub-divided into zones called nodes.
- Inside hosts, you can see (lots of!) icons for files and connected devices.
- Hosts also contain personas, which are VR icons representing people using the host. Personas can be very simple and generic, or highly customised and tailored to the person they represent. See Personas.
- Hosts also contain ICE, intrusion countermeasure electronics. These are autonomous software agents that form the first line of defence against hostile deckers.
1.4 - The augmented everyday
On this page, I present an overview of my personal canon for how augmented reality works in my cyberpunk setting.
I freely admit that I am attempting to have my cake and eat it. Traditional ’80s cyberpunk has a traditional view of computing and in particular the internet: it is a place where you go to. Computers are large, they are fixed in place, and they are used mostly by specialists. This is mirrored by the role of VR in my campaign.
The modern world of the 2020s have rendered this view obsolete. Smartphones have made computing and the internet ubiquitous, always within arm’s reach, and accessible to everyone. This is mirrored by the use of AR in my campaign.
Hopefully, my approach blends the two; maintains the feeling that VR is a special domain only open to a few, while keeping AR for the future masses who are as addicted to their social media feeds as we are today.
Interface issues: augmented reality is not telepathy
When a user is in VR, their body’s nervous system is partially shut down by a RAS override. One of the effects of this is that by blocking sensory input to the brain from the user’s body, it makes it much easier for their datajack to read their conscious and sub-conscious impulses. This, in turn, creates a really efficient control surface; the user can send instructions as fast as they can think.
AR doesn’t work like that, as it has no RAS override. The datajack has to try and pick out the impulses amongst a storm of unrelated sensory processing. For this reason, most control of devices via AR is done indirectly through holos (see below) instead of direct brain-computer interfacing as is typical in VR.
One area where AR can directly read thoughts quite successfully is via a sort of text-to-speech service. As long as the user deliberately and clearly forms words in their mind, their inner monologue can be picked up by the datajack and sent to a commlink or other device. This is often used for text messaging or sending very simple commands, eg. to turn a smart device on/off or fire a smartgun. Compared to doing stuff in VR, it’s glacially slow, though - only about the same speed as talking, perhaps a bit faster if the user has had a lot of practice.
For anything more complex than a on/off switch, the primary type of interface in AR is an Augmented Reality Object (ARO) - often called “arrows” or “holos” in everyday language.
For a user with a datajack, holos are inserted directly into their sensorium. They typically appear as semi-translucent neon glowing screens and buttons, floating in space (hence the name “holo”.) They can have sound elements, and usually have tactile elements too - holographic buttons and controls feel real when the user touches and presses them.
Holos can be private, viewable only by one person; this is typical for someone using their commlink via AR. They can be public, viewable by anyone; this is typical for advertising hoardings and billboards. Or they can be semi-private, shared with a selected group of people.
Perhaps surprisingly, a lot of work still happens in meatspace, with physical displays and interfaces.
The early promise of VR as an accelerator for productivity never emerged, for a variety of reasons. Firstly, using VR for extended periods of time is exhausting, both mentally and physically - it’s like running full-throttle for hours and hours. Few people can maintain the pace. Secondly, the sensation of being cut off from your body when it is in a public place is quite disconcerting to most people, and they find themselves constantly distracted by worrying about their meat. So outside of a small handful of elites working from private offices, most wageslaves only dip into VR occasionally for remote meetings and the like.
AR is more commonly used, but that also has limitations. For one thing, it’s not all that much faster to use than an old-fashioned screen and keyboard. And for another, using holos for detailed work like reading lots of text or running complex simulations often cause troublesome headaches or eyestrain if used for very long periods. So the typical wageslave bounces back and forth, dipping into AR screens while on the move, but falling back to large screens at their desks.
AR and VR without datajacks
Users who do not want or cannot afford datajacks can still get online, but with some big caveats.
VR can only be achieved with a clumsy ‘trode net worn around the head. Sensory fidelity is reduced, compared to a datajack, and speed is reduced. Worst of all, the trodes have to be placed in the right spots, and are easily dislodged if the user moves around while wearing them.
Users can get an AR overlay with a variety of sense link devices: smart contacts, glasses or goggles for visual, earbuds for audio, and feedback gloves for tactile elements. As with ‘trodes, these are clumsy and inferior to datajack interfaces, but they are usable. Civilian versions of these devices are mostly fairly delicate and easily damaged by rough handling in combat. Ruggedised versions exist, but are bulky and obvious.
1.5 - Hacking the Matrix
The end of encryption
The incorporation of early quantum processors into the first cyberdecks sent an earthquake through the tech world from which it never recovered. Even the strongest, best designed encryption of the day fell before it in fractions of a second. There could be no more secrets.
Today, things have improved only slightly; the most advanced encryption in the world still cannot hold up to sustained assault from a skilled hacker with high-end cyberdeck.
This single innovation has reshaped the world.
Rise of the spiders
Faced with the total loss of passive defence - ie. strong encryption of data - the megacorps had to pivot to active defence.
First, they built high walls around their kingdoms. Some of the most sophisticated pseudo-AI on the planet exists to run ICE: Intrusion Countermeasure Electronics. ICE patrols and defends the megacorp’s hosts tirelessly, rooting out invading hackers and - sometimes - frying their brains.
But ICE isn’t all-powerful, so the corps also set people to guard those walls. These counter-hackers, called spiders in the language of the street, sit in the middle of sprawling webs of sensors and alarms. Attract their attention, and they are swiftly dispatched to deal with you. And they are good, with all the equipment and training of their deep-pocketed masters.
The Grid Overwatch Division (GOD)
Each megacorp can hire its own security staff to patrol its own hosts, but that leaves the backbone itself vulnerable to attacks. It’s too important to leave undefended, so the Corporate Court formed the Grid Overwatch Division (GOD). GOD is a semi-autonomous organisation, tasked with defending public grid infrastructure, staffed by spiders and technicians loaned from the AA and AAA megacorps.
How to hack
Sending hacking traffic over the backbone is near-impossible. The uplink nodes are equipped with powerful coprocessors that carry out deep packet inspection, scanning for anything out of the ordinary. At the first sign of trouble, aggressive autonomous agents are deployed, rapidly followed by elite GOD spiders.
It is on the local mesh where the deckers can bring their powers to bear. Hampered by the need to maintain backwards compatibility with millions of devices that have fallen into planned obsolescence, and with even small changes to the protocols requiring dozens of squabbling corps to agree, the local mesh is… well, it’s a mess. Deckers exploit this ruthlessly, using vast databases of known vulnerabilities to carve through the laughable defences that devices rely on.
There is an obvious problem, though - the local mesh is small, typically extending only 50-100 metres. With the wireless matrix, Deckers need to get close to their targets. They can no longer sit in the safety of armoured bunkers, hundreds of miles from danger.
What to hack
TODObelow contains obsolete references to PANs/s-PANs/WANs; I’ve dropped this terminology in the latest iteration of these houserules
Any device that is attached directly to the matrix is considered to be unattended. Civilian and even security grade unattended devices have very weak defences against hacking.
Most ordinary people will arrange all of their various matrix gadgets into a personal area network (PAN.) A PAN is controlled and monitored by their commlink, which routes all matrix traffic through itself. Devices in a PAN cannot be hacked individually; instead, the decker must hack the commlink instead. PANs are a little bit more difficult to hack than an unattended device, but the main benefit is that if the commlink notices the hack attempt it can alert the owner at once. They can then take action, such as shutting down their devices.
The corporate grown-up version of a PAN is a wide area network, or WAN. WANs are very similar but instead of a commlink they are controlled and monitored by a host. As with a PAN, you cannot hack individual devices in a WAN; you have to enter VR and hack the host directly. If you can get a direct cabled connection to a device that is part of the WAN, you can exploit that to more easily hack the host. For this reason, corps tend not to put easily-accessed exterior building defences like cameras or maglocks on their primary security WANs.
Finally, there are also secure PANs, or s-PANs. S-PANs are PANs that are run from a cyberdeck or drone deck and are being actively monitored by a decker or rigger. S-PANs cannot be hacked at all, as their admin will swiftly notice any hack attempts and take defensive action. They can only be knocked offline via cybercombat.
A note about hostsSprawlrunners RAW describes very large hosts that are made up of many, many nodes, arranged in sprawling, labyrinthian structures. I do not plan to use this (typically, at least). Most hosts in my game will either have a single node that takes care of everything; or they will be divided into a handful of nodes, each dedicated to a task (eg. file storage, building system control, security.) Each node can typically be accessed from any other node; there is no internal “map” as such.
The local mesh protocols specify that all devices monitor all the traffic they can see to scan for hack attempts. This isn’t hard to avoid in the short term, but as a decker carries out more and more hacks using the local mesh against devices and PANs, it gradually becomes more and more difficult to hide. Once it reaches a critical level, GOD will deploy autonomous agents to hunt the decker down; if they are unsuccessful, a GOD spider will reinforce them. A skilled decker relies on speed and stealth to achieve their goals before this happens.
Hosts maintain their own alarm state, separate from the local mesh one as they are outside of GOD’s jurisdiction. They react to alarms by deploying ICE and security counter-hackers, as well as alerting security personnel in meatspace that a possible intrusion is underway.
1.6 - Symmetric entropy pools
NotesSymmetric entropy pools are intended to be used only as a plot device. No game mechanics are given for them.
Quantum processors used in cyberdecks for hacking and code-breaking can shred almost any known cryptography, given enough time; but they are not omnipotent. If you really, really need a secure communications channel, and are prepared to jump through hoops for it, there is something you can do.
Ancient cryptographers would sometimes use one-time pads to encode messages in a way that was nearly unbreakable. The 207x equivalent is a symmetric entropy pool. Two parties share a massive pool of carefully generated, thoroughly randomised data. The pool is used to encrypt all communications between them before they are sent via the public Matrix. The other party uses their matching copy of the pool to decrypt the message again. In theory, this cannot be decrypted by attackers, as it appears to be completely random noise.
Shared entropy pools come with some significant downsides, however:
- The entropy pool has to be kept absolutely secure and private, so the parties usually have to meet face to face to set the pool up, or the data has to be sent via eg. a trustworthy data courier.
- Physical access to one copy of a shared entropy pool for a few minutes is enough time to duplicate it. If you possess a copy of someone else’s pool, you can undetectably spy on their communications. This makes copies of established pools extremely high-value targets for espionage.
- Due to an interaction between the Roper-Eld quantum computational limit and the Shannon-Hartley theorem, the size of the entropy pool required to securely encrypt a channel increases with the square of the data being sent along it. This quickly becomes very difficult to manage if the intention is to use it for long-term communications. The pools have to regularly be recreated and re-copied between users.
- SEPs can be used for realtime audio or (at a push) video, but cannot support the data rates necessary for AR or VR traffic.
Most users of entropy pools use specialised hardware to store and work with them. This is a credstick-sized device that plugs into a standard dataport on a commlink or cyberdeck. The commlink sends the encrypted data stream into the device, and decrypted data comes back. The main advantage of this is that when being used normally the entropy pool cannot be hacked even if you hack the commlink, as the commlink cannot read the pool directly.
However, by flicking a recessed switch, the device can be put into setup mode; this is designed to allow pools to be created, synchonised, and copied. Hence, with physical access to any device for a minute or two, an attacker can easily duplicate the pool.
1.7 - Other stuff
NotesThis is a grab-bag of small things, intended to be used as optional/situational plot devices or for added flavour.
The backbone infrastructure is administered and patrolled by the Grid Overwatch Division, and is theoretically neutral between the megacorps. But the corps didn’t get rich by trusting each other. Where security demands it, it’s not unusual for corporations to run their own private communication lines - for example between a secure, hidden facility and a more public one. This lets the secure facility access the Matrix discreetly without making its location or purpose obvious. This is called dark fibre.
On the local mesh, dark fibre functions like a wormhole. If you can hack the controlling host on one end, you can coerce it to carry your traffic to the other, and suddenly you can “see” devices that could be dozens or even hundreds of kilometers away. Occasionally, wily shadowrunners use this as part of a smash-and-grab, using a forgotten dark fibre link to hack into a distant host that is too physically well-protected to get near in the physical world.
Tags are tiny, passive chips, with a small amount of ROM and minimal processing power. They use the ROM to store a small number of data, which can then be broadcast onto the matrix. They usually have no battery of their own, or only a very small backup battery; instead, they rely on wireless power transmission from nearby Matrix devices.
Tags cannot be hacked, as such, as they lack any processor to hack. They can be erased by a specialist tool that generates a powerful electromagnetic field, but it only has an effective range of a few centimetres, so you need to know where the tag is.
Tags are very common in my campaign, and have numerous uses:
Broadcasting a fixed AR holo - eg a billboard, signage, an animated menu outside a restaurant, or a piece of grafitti.
Local tracking of things - most goods that cost more than a few nuyen have tags included in the packaging. Warehouses and retailers can use these tags to track inventory and ring up your shopping bill.
Global tracking of things - tags can be configured to upload their location to a cloud server whenever they have a working Matrix connection. People use these as locators for any of their stuff they want to keep track of.
Theft prevention - a variation on the tracking idea, most expensive, durable, or legally restricted goods (definitely including vehicles, guns, and ammunition) are infested with multiple tracking tags. If the goods are noticed stolen, they can be swiftly tracked down via the locations being uploaded from the tags.
Sneaky users might have tags on their items that do not broadcast their location all the time, but sit passive and undetectable until certain times or they receive an incoming signal; this makes it very difficult to know you’ve definitely wiped every tag off something you just stole. Items the characters purchase with from the black market LPs have already gone through this.
RF blocking paint
The local mesh relies on ultra-wide band signals that can barely penetrate walls at the best of times. So it doesn’t take much to block them almost entirely via smartpaints that use nanotech to assemble a crude Faraday cage as it dries. This prevents any decker outside the area from seeing in; icons for devices inside cannot be seen from the outside, and all hacking traffic is blocked.
Smartpaints are quite expensive, so tend to be reserved for only high-security areas within a facility. These are, of course, combined with physical security measures and access controls. Smartpaints are also wildly unpopular with workers, as they are inconveniently cut off from the outside world.
Personas are a special kind of icon used in VR to represent a human user. They are endlessly customisable, by creating custom 3d models and animations and/or by purchasing expensive digital goods from your favourite brands. Most of humanity is happy with a generic persona, perhaps with a small purchased accessory or two. But for some, particularly those who live in the matrix, persona customisation is an important part of how they express themselves. This is particularly common in decker circles.
People who have spent a lot of time or money customising their persona often want to show it off in AR as well as VR. They run special programs on their commlink that do a public broadcast of their persona as an animated ARO. A miniature version may float over their head or ride around on their shoulder. Some people go so far as to animate a life-size version of their persona and have it envelop their meatbod, effectively hiding them within it. This is very difficult to do well; often they will clip through the animated persona, ruining the effect.
1.8 - Comparing these houserules to Shadowrun 5e/6e RAW
TODObelow contains obsolete references to PANs/s-PANs; I’ve dropped this terminology in the latest iteration of these houserules
These rules attempt to simplify the Shadowrun 5e Matrix rules by removing a number of options. For quick reference, some of the changes I have made include:
- Streamline and merge the “AR / VR” and “in host / on grid” distinctions. Now, being “in” a host means always being in VR, and if you’re not in a host then you are in AR.
- Split the Matrix into two parts; a localised, short-range, wireless mesh network and a global, wired network. Hacking is only viable on the former; the latter is ruthlessly protected by GOD agents. Thus, deckers need to be fairly close to their targets, so they can reach them via the local mesh.
- Mostly remove the concepts of personas and their associated magic unhackable digital ownership.
- Introduce a hard line between regular PANs (hosted on a commlink) and secure PANs (hosted on a cyberdeck or drone deck.)
Hacking & cybercombat
- Distill all primary decker offensive actions to three kinds: hacking (stealthy, grants access to manipulate devices), cybercombat (overt, violent, crashes devices), and denial of service attacks (disrupts traffic to/from a device or PAN to impose distraction penalties on people using it.)
- If a device is in a PAN or WAN, it cannot be hacked directly; the attacker must hack the PAN or WAN instead (this is in Shadowrun 6e, to be fair.)
- If a device is in a WAN, and the decker can get physical access to its internal debug ports, they can compromise it and get a big bonus to hacking the WAN host through it. Hence corps rarely put easily-accessed external devices like maglocks and cameras on WANs; instead, WANs are reserved for stuff like security guard gear and internal turrets and sensors.
- Secure PANs cannot be hacked; they must be crashed in cybercombat.
- Via a program on their cyberdeck, hackers who have infiltrated a host (in VR) can switch to AR (to move with the team) but maintain a connection to the host and still send hacking commands to devices attached to it. However, the persona they leave running in the host is more vulnerable to ICE.
Wireless off / running silent / Matrix stealth
- Wireless devices are always visible on the Matrix - no running silent, and devices connected to PANs or WANs don’t disappear from view on the local mesh.
- s-PANs (and only s-PANs) can be configured to hide themselves on the Matrix; they minimise traffic between their devices, cutting back to just text/voice comms. All devices are otherwise inactive and no game mechanical bonuses can be derived from them as long as the s-PAN stays in stealth mode. This is an active process that must be maintained by the decker/rigger running the s-PAN.
2 - Everyday life
NotesAlthough this overlaps with my Matrix re-fluff for Shadowrun stuff elsewhere on this site, it is signifcantly pared down. The intent, here, is not to contort the fluff to fit baroque existing Shadowrun rules; but rather, to present a straightforward base for wireless hacking to exist in a Fun! Furious! Fast! cyberpunk setting.
2.1 - SINs and licences
In a society defined by the haves and the have-nots, the sharpest line between them is the possession of a System Identification Number or SIN. A combination of citizenship, a passport, voting rights, and taxation obligations, it gives you the ability to live and work legally. To be SINless is to fall outside the system on almost every measure - no support, no right to employment or vote, unable to use public facilities or transit, turned away from shops and restaurants.
What a SIN is
SINs are issued by a wide variety of governmental and extra-territorial corporate entities. They can be granted by birth or by a similar process to obtaining citizenship. Sometimes, corps grant them to particularly desirable hires. Often, corps use the threat of revoking someone’s SIN to keep their workers in line.
Physically, a SIN is merely a string of alphanumeric characters. The only human-readable part of it is a prefix code indicating the issuing entity - country or corp - who owns and controls the SIN. What counts isn’t so much the SIN itself as the data associated with it in various online hosts and datafiles.
SINs are the de facto unique identifier in the Sixth World. They are tracked everywhere, both in person and in the Matrix. Every interaction and transaction you have can be tied to your SIN and tracked in some database - and almost all of them will be. Hence every SIN has, trailing behind it, vast wakes of data, scattered across innumerable databases.
Those who don’t have a SIN - the SINless - are condemned to a life of misery. They are locked out of legal employment, of all banking, of reasonable healthcare. They cannot vote and they have no social safety net; even their basic civil rights are reduced. They face a lifetime of grinding for low cash-only wages and paying shady landlords high rent for shitty apartments, and praying that when they get sick there’s room at the charity hospital for them.
Matrix protocols have a special sidechannel for SIN broadcasts, beamed out at all times from your commlink. These broadcasts are not quite legally required, but in any lower-middle-class or better area, not having an active broadcast is a screaming red flag that will definitely attract attention. (Note that in very rough parts of town, the kind where police only travel in entire squads or not at all, broadcasting a SIN becomes a mark that you are easy prey. Choose wisely.)
SINs can’t separate the privileged from the scum unless there’s a way to know which is which.
Simple ID checks
Every SIN issuer makes available a listing of basic personal information associated with the holder of the SIN: name, date of birth, metahuman race and ethnicity, home address, stuff like that. If you attract the attention of a beat cop on the street, you can expect them to pull this up; and if your SIN is fake and the details don’t match you, well, you’re in trouble now.
Unfortunately for the police (but luckily for our plucky criminals), the SIN database infrastructure is run by for-profit corps, so carrying out a check like this costs a fraction of a nuyen. So penny-pinching corps like Lone Star and Knight Errant put their cops on quotas, preventing the authorities from just checking everyone they see.
If someone wants to go a bit further in verifying your SIN, the next step is to validate that the datastream attached to it looks legitimate. SINs are tracked everywhere, and that tracking information ends up in numerous databases owned by data brokers; these brokers' main line of business is selling access to the data to advertisers so they can track your every desire. But a lucrative sideline for them is running pseudo-AIs over each SIN’s profile to see how real it looks. This often catches out fake SINs, as generating a detailed, realistic, long-term history for a fake SIN is a lot of work.
This is the most secure form of check; gather one or more biometics from the person in question (finger print, retina scan, even a DNA swab) and compare them to the biometrics stored on file for the SIN.
Just one problem: jurisdictions. SIN issuers do not make these biometric files readily available to anyone who asks, because the corps do not trust anyone with that data. Outside of investigations of very serious crime (eg. terrorism), most of the time, the only entity that can check biometrics is the corp or nation-state that issued the SIN.
The ins and outs of fake SINs
Every ‘runner has a fake SIN (or perhaps set of fake SINs) that they live their day-to-day lives under: buying groceries, paying rent, running their GridGuide subscription, that sort of thing. They don’t use this for criminal work, because it would make them far too easy to track down. There is no overhead associated with this, it’s absorbed in day-to-day living costs.
Although they last a long time, these fake SINs aren’t particularly good, and can’t pass a lot of inspection. Most people interacting with it – like ‘runner’s landlords – most likely know it’s fake, but aren’t the kind of people who are looking too closely. This is one reason ‘runners tend to live in the less gentrified neighbourhoods.
Where necessary, ‘runners can buy extra fake SINs for a job.
A fake SIN will pass simple ID checks from a beat cop on the street automatically. The fake datastream associated with the SIN might stand up to a consistency check, should the ‘runner try anything that might provoke one; for example, infiltrating a secure area through the front door via a fake identity. In game terms: roll a Notice check for whoever is inspecting the SIN to see if they spot any weirdness in the analysis results. This might be a +/- 1, depending on the resources of the corp doing the check.
Gear licences for these SINs are “open carry”, in the sense that the presence of the licence is automatically broadcast alongside the SIN. This can (obviously) attract attention, and often does.
Fake SINs are inserted into tracking databases via hacks that are quickly discovered and deleted. They are typically only useful for a week or so.
High quality fake SINs
If you’re really up to something nefarious, you can purchase a high-end fake SIN.
These are far better quality, with skilled counterfeiters creating near-impeccable fake histories spanning multiple databases. They pass all simple ID checks and consistency checks automatically. They might, or might not, pass a biometric test run against the SIN database of whoever ostensibly issued the fake. In game terms, this is a Notice check by the host/system running the scan - typically a d6-d10 rating.
Licences on high quality fake SINs can be open carry, or if the purchaser prefers, “concealed carry” – meaning the SIN broadcast does not tag the person as carrying concealed weaponry. They are still licensed, however, and get to be extra rude and snooty to any beat cops who notice their gun, stop them assuming they are unlicensed, then discover they are (seemingly) VIPs.
High quality fake SINs are still deleted after ~1 week, though, just like low-quality ones.
FAQs about SINs
Why can’t the cops look up my DNA/fingerprints/etc that I left at the crime scene?
Although many SIN issuers do gather and store a biometric profile, they don’t make this information available to the authorities (except, rarely, in the case of serious and high-profile crimes like terrorism.) So even if you do have a SIN in someone’s database, it’s very unlikely to be accessible to anyone investigating your crime… with the exception below.
What about criminal SINs?
Most nation-states will issue special “criminal SINs” to anyone convicted of crimes, petty or otherwise. If you’re unlucky enough to get issues a criminal SIN in, say, the UCAS, then any UCAS-jurisdiction cop is going to be able to read your fingerprints off their database. This can be a severe pain the ass for you and your criminal associates.
Even worse, criminal SINs are an exception to the hold-your-cards-close-to-your-chest rules most SINs are kept under. The SIN and its biometrics are shared widely and freely - that’s most of the point; a criminal SIN is an anchor you have to drag around forever. (Unless you have friends in high places who can get it wiped off the books, omae.)
Corporations don’t bother with criminal SINs. They prefer more immediate punishments.