Category Archives: Strategic Thinking

Thinking Strategically: Security Mindset

More than those fucking elves, magic, or pretty computer graphics Shadowrun is a game about exploiting circumstances.

Recognizing, engineering, and closing such opportunities is a valuable real life skill.

Bruce Schneier, who may have coined the term, contrasted a security mindset with an engineering mindset.

When you act with the engineering mindset, you break an end goal into manageable, concrete parts to refine. Then you make them work together to perform to whatever standards you’ve establish.

Security mindset is both like this and the opposite of it. Engineering is about making things which do what they’re supposed to. Security is about recognizing you can use mechanisms for unintended purposes.

An early affinity for security mindset once almost got me kicked off a plane when returning from England in the summer of 2002. Apparently, it’s not polite to inform someone Security Theater is useless during a performance.

One of my “favorite” security flaws today is uneven security authentication between websites. Things like one website using the same information another website just gives away. The more accounts you have, the more likely to run into this you are. Amazon and Apple are two big culprits here.

Hackers can and do take advantage of these uneven overlaps in security to compromise accounts. Nasty stuff when combined with data mining.

What does this have to do with Shadowrun? Pretty much everything. Shadowrun is usually about committing crimes without getting caught. If things, lol, go according to plan.

Devising a plan means watching a system and pushing it against itself. You ask, “What are they doing to stop people like me?” and “Where are they skimping?”

Note how I don’t say anything about a place being secure. In both shadowrun and the real world there is a fundamental lack of security. Cost and priorities limit what you can do.

The best you can manage is making it too inconvenient for would-be criminals. Make the risk bigger than the potential reward and you’ll save yourself trouble.

As an example, the White House’s security plans assume it will take 10 minutes for someone to break the locks on secure rooms.

A few years back, some researchers figured out to crack the locks the White House was using in around 30 seconds instead of ten minutes.

Ooops. And that’s the locks on one of the most visible secured buildings on the planet.

This illustrates how even well-designed security can contain hidden flaws. I hope they fixed it.

With careful observation and testing, such breakdowns become more likely.

There are two reasons to develop a security mindset. To defend yourself and your interests and to commit attacks. I don’t suggest the latter in the real world, which is why I play games like shadowrun.

Developing Security Mindset.

Martial arts give a compelling reason to spend time practicing and developing skills. If you wait till you’re attacked to think about how to react to it, it’s too late.

This also applies to learning how to think like a subversive attacker.

So, where can you go to learn more? Well, playing a game like Shadowrun will help to a point.

If you’re looking for inspiration there are no shortage of well made fiction. TV such as Burn Notice or Leverage or the movie Catch Me If You Can. Or any good heist flick. On the note of Catch Me If You Can, the story’s protagonist is a real guy who has since become a security consultant. Frank Abagnale is pretty awesome at what he does.

Studying hacking tricks and security techniques are good sources.

Ultimately, the best way to develop it is just be curious how the world you see around you works and where the limits are.

A real life example: I once asked a hotel if I could borrow someone’s left cell phone charger from the lost and found. Because this was a work trip and my boss handled the paperwork next morning, I didn’t return it. Should I assume I could walk into any hotel and expect to be able to get another?

No. For starters, the helpfulness of most people varies on their mood, stress levels, and if they think you’re trying to take advantage of them. My intention to return the charger and my need for one were both honest at the time. Am I a good enough liar to avoid making someone suspicious? Have other people tried this as a scam before? Lots of variables to work around even if each is small on their own.

Ultimately, Security Mindset is about fleshing out the phrase, “The Devil is in the details.” People tend to build systems to handle the most common circumstances. There are always weird exceptions which make it harder to work around. And it will always be possible to create them.

Next week we’ll discuss applying this to shadowrun.

Strategic Thinking: Hardened Armor

One of the big shake-ups from Run and Gun was putting the option for hardened armor in metahuman hands.

In SR4, the only way to get hardened armor was as a critter power; Shadowrun 5 offers the option of Hardened mil-spec battle armor.

Mil-spec armor makes the wearer almost immune to small arms fire.

How it works:

Hardened is the key word here. Regular armor turns physical damage into stun damage when the Damage Value is less than the rating of the armor.

The hardened armor critter power instead negates all damage under its rating.

And if the DV is over the Hardened Armor rating? Roll a damage resistance test and add half the Hardened Armor rating as automatic hits.

So, a guy with 15 hardened armor won’t even roll a damage resistance test against a light pistol unless the shooter gets 9 net hits. Even with those net hits, the target gets 8 free hits on his damage resistance test. Almost negating the crazy-good roll before even rolling.

Shotguns and assault rifles have an easier time damaging. Yet, I’ve seen a guy in hardened armor take 3 rounds from a Krime cannon before dropping.

Nasty stuff.

The up-side is a few of the options from SR4 which made the non-hardened-but-still-mil-spec-armor extra-dangerous. So, no increased mobility or jacking strength beyond augmented max because the suit isn’t you.

 

Houserule note: It’s possible for hardened armor and regular armor to stack through Cyberware/bioware, adept powers, spells, and critter powers. At my table we assume hardened armor takes AP first so it retains some influence over a fight.

 

Dealing with Mil-spec armor:

There aren’t many good strategies for handling Mil-spec armor. It’s stupidly powerful and each suit has a ton of capacity for extra tricks.

Before going any further we should know a little about the other qualities they provide. First, each Mil-spec armor is tailored for an individual. It won’t fit otherwise.

This is, of course, expensive military equipment. No reason not to pretend they’re not going to protect it.

Mil-spec armor has 3 neat features and one important one. The holster, increased ease to ready gear, and raised social limit for intimidation are neat. What matters is how it halves speed and forces a fatigue roll for every run/sprint.

This means if you can get out of a mil-spec wearer’s line of sight, you can probably get away. The most agility a metahuman can have is 12. So, if you have six agility you can outrun anyone in mil-spec armor.

Most people wearing mil-spec armor will not have 12 agility.

Mil-spec armor halves all movement, including from making running checks.

Yes, GTFO is the first strategy. It’s simple enough in theory. In practice, anyone with this kind of armor probably also has vehicle/air support and getting away might not be so simple.

The next strategy relies on them not having the legal option to wear it. This one is spotty since a corporation or military unit are the main users of mil-spec armor.

If you can get your armored-pursuers to commit some kind of crime near someone with more firepower than you… Mil-spec armor becomes Someone Else’s Problem.

If you have to fight without big guns, it’s best to go for disabling. Disarm, break weapons, shake up, etc. If you can keep them away from their weapons they might not be as big a threat. The book also makes mention of knocking them into water, which is lucky if you can pull it off.

Risky, but there’s a shot.

Keep in mind shake up/Shake, rattle, and pop!/Shake, Rattle, and boom! can hamstring an opponent even if they don’t do any damage, buying you time for plan 1.

Let’s not forget the all-purpose solution to all problems: Magic. These guys are why your mage ought to be able to cast Manabolt/Manaball.

And last, there’s overwhelming force. Get the biggest guns, gratuitous amounts of explosives, and attack from surprise with edge. Hope for the best. Prepare for the bad news they brought an armored mage along.

Bottom line? Stay away from people with Mil-spec armor.