
FezzedOne’s Realistic Computers

This supplement intends to add realistic rules for various computer-based activities in GURPS.

Measurements in This Supplement


Weight values are in metric. Use the following simplified conversion if you need pounds:

Metric | US customary | Conversion
1 kilogram | 2 pounds | kg × 2 = lbs
30 grams | 1 oz | g ÷ 30 = oz

Tech Level Notes


Quarter tech-levels (henceforth referred to as quarter-TLs or qTLs) from Pyramid 3/37: Thinking Machines are used throughout
the supplement; if you don’t want to use quarter-TLs in your game, round quarter-TL decimals down to the basic TL, use the
“vanilla” version of Cutting-Edge Training from PU2:16, and use the computer rules from High-Tech, Ultra-Tech and/or
High-Tech: Electricity and Electronics instead.

Quarter-TL Table

Quarter-TL | Basic TL | Real-world time period
6 | 6 | 1880-1910
6.25 | | 1910s
6.5 | | 1920s
6.75 | | 1930s
7 | 7 | 1940s
7.25 | | 1950s
7.5 | | 1960s
7.75 | | 1970s
8 | 8 | 1980s
8.25 | | 1990s
8.5 | | 2000s
8.75 | | 2010s
9 | 9 | 2020s

Quarter-TLs after qTL9 may start at any time period after 2030.

Networking and the Internet


On real-life Earth, computer networking was invented at qTL7.5, remaining the domain of corporate mainframe systems, high-end
labs and government installations until public network access, i.e., internet access, became available at qTL8. Internet access
did not become widespread until qTL8.25, at which point remote network-based hacking became much more feasible as more
computers were connected. On alternate worlds, networking may be available as early as qTL7 and may become widespread as
early as qTL7.5.
Generally speaking, network-based hacking techniques, Electronics Repair (Networking) and Electronics Operation
(Communications) do not exist if networking has not yet been invented. If networking has been invented but remains a high-
end domain, computer networking skills are very rare and probably require a 1- to 5-point Unusual Background (Computer
Networking). With the advent of public network access, computer networking skills become common enough that an Unusual
Background is no longer required to justify having the skills.

Computer Interfaces and Remote Computer Use


The ease-of-use penalty for Computer Operation from
the Basic Set has been replaced with Interface Type
Illiteracy (see Quirks below). Instead, you get -2 on
Computer Operation to use a computer remotely
without a RAT (see Equipment below).

Existing Advantages
High TL [5 points/TL above campaign level; 5 points for any quarter-TL above campaign level in the same
basic TL]
Your personal TL or quarter-TL is higher than that of the campaign world. Only one level is required if it’s a higher quarter-TL
in the same basic TL or the next one. The normal rules for this advantage on B22 apply for TLs higher than that.

Existing Perks
‡ This perk requires specialisation.

Cutting-Edge Training‡
You have cutting-edge training, allowing you to learn skills ahead of your tech level, or for qTL-based skills, ahead of your
quarter-TL. You must specialise by skill. Having five skills with this perk in the next basic TL (for quarter-TL-based skills, round
decimals down for basic TL) allows you to exchange the 5 perks for one level of High TL; qTL-based skills with this perk in the
current basic TL do not count. This perk can only justify qTL-based skills up to four quarter-TLs above your own; take High
TL if you want to have qTL-based skills more than four quarter-TLs ahead. If you want to have a technique ahead of your tech
level or quarter-TL, take as many instances of this perk as necessary to upgrade all your skill prerequisites; do not take this perk
for the technique itself. (See PU2:16 for more on the “vanilla” version of this perk.)

New Perks
‡ This perk requires specialisation.

Speedrunner
You regularly speedrun video games, i.e., you play them as fast as possible. You get a +1 to reactions from other speedrunners
and a +2 to all IQ and IQ-based skill rolls related to video gaming. Similar perks are possible for pinball and tabletop games.

Computer Geek
Computer operation comes naturally to you. This perk offsets -1 in familiarity penalties for software and hardware, but not
penalties from (Interface Type) Illiteracy. Incompatible with Technologically Illiterate.

New Quirks
† This quirk is levelled. ‡ This quirk requires specialisation.

Out Of Date†
Your personal quarter-TL is below that of the campaign world, but it’s not enough to put you in a lower basic TL. Each level of
this quirk represents a quarter-TL below the campaign’s level. Theoretically, you can have at most three levels of this quirk – e.g.,
you’re a qTL8 character in a qTL8.75 campaign.

Habitual Video Game Cheater


You regularly cheat in video games and have a -1 to reactions from “legit” gamers. On the plus side, you get +1 to routine uses
of Hobby Skill (Video Game Cheating), assuming you need to roll in the first place.

Standard Operating Procedure (Internet Anonymity)


You always change your IP address and, if possible, device after anything even remotely “black hat”. You do not need to tell the
GM you’re doing so as long as it’s plausible that you’ve switched your IP address and/or hardware. Note that this is often an
expensive habit. This may be construed as a sort of quirk-level Paranoia.

Technologically Illiterate
You don’t “get” computers and other electronics. You have a -2 penalty to Electronics Operation and Computer Operation,
and cannot learn Computer Programming, Electronics Repair or Engineer (Electronics) at all unless you get rid of this
quirk. People who didn’t grow up around computers and electronics often have this quirk. Incompatible with Computer Geek.

Existing Skills
Any IQ-based skills with qTL mentioned below now have quarter-TLs. The GM should specify the quarter-TL of his game. You
get the normal full TL penalty only if the TLs of your skill and of what you’re trying to do are four quarter-TLs apart or more;
otherwise take half the penalty, rounded down; there is no TL penalty for tasks below your skills’ quarter-TL in the same basic
TL. Quarter-TL skills with regular-TL prerequisites need the regular-TL prerequisite to be in the same basic TL; e.g., a qTL7.5
skill requires its basic-TL prerequisite to be TL7.

Quarter-TLs and You


Record your character’s current quarter-TL alongside their
basic TL on the sheet. In order to have a character of a
higher quarter-TL than the game setting, buy
Cutting-Edge Training for all their qTL-based skills.
The cost of the perk does not change no matter how many
quarter-TLs ahead the skills are.

Staying Up to Date
It takes 2000 hours to adapt your qTL-based skills and
techniques to a sudden change in quarter-TL in the same
basic TL (e.g., qTL8 to qTL8.75). If the basic TL also
suddenly changes, as from qTL8.75 to qTL9, it still takes
the usual 2000 hours for your qTL-based skills. Normal,
slow, sequential basic-TL and quarter-TL transitions do not
require any extra time to adapt, as usual.

Electronics Operation/qTL [IQ, Average]


All specialties of this skill are qTL-based.

New Specialty EM Analysis: The operation of EM analysis equipment. Other specialties default at -4 to this one and
vice versa.

Surgery/TL [IQ, Very Hard]


Only the following new specialty is qTL-based.

New Optional Specialty Cybersurgery (qTL): The surgical installation of bionic limbs, neural jacks and other cybernetics,
as well as the insertion of implants. First appears in qTL8. Unlike other specialties of Surgery, this one is qTL-based due to
the rapid changes in cybernetics. Has the usual defaults to other specialties and non-specialised Surgery. When using this
specialty’s default from non-specialised Surgery or another specialty, the default is at the character’s quarter-TL.

Electronics Repair/qTL [IQ, Hard]


All specialties of this skill are qTL-based.

New Specialty EM Analysis: The repair of EM analysis equipment. Other specialties default at -4 to this one and vice
versa.

Computer Operation/qTL [IQ, Easy]


Familiarities This skill takes penalties for each of an unfamiliar interface type, hardware, software and OS, adding up to a
maximum penalty of -8. Any of these may be taken as familiarities when purchasing a skill. People are assumed to be familiar
with the most common and widely used interfaces, hardware, software and OSes, even when using this skill at default. Those
with Technologically Illiterate (see above) cannot gain any new familiarities in this skill, but still have the familiarities that
anyone has at default.

Computer Programming/qTL [IQ, Hard]


Field Familiarities A general field of computer programming may be taken as a familiarity instead of a programming language
- this offsets the -2 familiarity penalty when programming in that field, which may stack with the -2 penalty for unfamiliarity
with the language. There is no field familiarity penalty to offset for “general-purpose” hobby programming, which doesn’t exist if
no computers smaller than mainframes exist.
• Low-Level: OS, driver and firmware programming. Programmers with this familiarity tend to be acquainted with OS- and
hardware-level bugs and exploits.
• Applications: Mid-level application development: word processors, spreadsheets, publishing software, etc. This field
familiarity is common among corporate accountants with programming skill.
• Industrial: Development of industrial applications such as CAD/CAM software, CNC programs, factory control software,
industrial robotics, etc. Includes familiarity with exploits in the field. At TL5.75-7.75, this is typically the only available
field familiarity and includes punched-card programming.
• Neural nets: Development of non-sentient neural nets. Includes familiarity with neural net exploits. Does not substitute for
Computer Programming (AI). Does not normally exist before TL8.5.
• Cybernetic: Development of low-level code for implants, bionic limbs, robots (including industrial ones), non-sentient
domestic robots, etc. Includes familiarity with exploits in programmable implants and bionic and cybernetic limbs. Does
not normally exist before TL8.75.
• Web Development: High-level website and networked application development. Includes familiarity with network exploits.
Exists if there are publicly available computer networks.
• Databases: Database development. Includes familiarity with database exploits.
• Video Games: Video game programming tends to be more high-level than the usual, but has important low-level components
in the graphics stack. Includes familiarity with cheats and exploits in video games.
• Science and Mathematics: Specialised cryptographic, mathematical and scientific programming. Includes some familiarity
with digital cryptographic exploits.
Other field familiarities may exist in the setting, and any of the familiarities above may be nonexistent in the campaign, as per
GM discretion.

Expert Skill (Computer Security)/qTL [IQ, Hard]


Knowing Exploits: You may roll against Computer Security to know of exploits within one of your field familiarities; there is
no penalty for not having a relevant language familiarity.

Familiarities Computer Security takes the same types of familiarities as Computer Programming. Do not stack penalties
for lacking the same familiarity in both Computer Security and Computer Programming (this can happen with techniques
that have both as prerequisites); instead, take a single -2 penalty for the missing familiarity.

Other Familiarities Computer Programming has the same familiarities (and penalties for the lack thereof) for OSes,
software and hardware as Computer Operation, but does not share individual familiarities with that skill; i.e., familiarity with
an OS for Computer Operation does not entail familiarity with that OS for Computer Programming. These penalties do
not stack with the equivalent penalties for an unknown target OS, non-OS program or hardware. (If a technique specifically
mentions that familiarity or knowledge penalties are to be applied and this rule also applies, do not redundantly stack penalties
for the same unfamiliarity or missing knowledge.)

AI Programming Familiarities A familiarity with a given type of AI protocol, format, etc., gives you some knowledge of
exploits within that protocol, format, etc. As stated above, you may roll against Computer Programming (AI) to know of
exploits within a familiarity you have.

Other Quarter-TL Skills


• Cryptography/qTL.
• Engineer (Electronics)/qTL and Engineer (Robotics)/qTL. No other Engineering specialties take quarter-TLs
though.
• Mechanic (Robotics)/qTL.

Games (Video Games)/qTL [DI, Average]


Default: DI-4, Games (Tabletop RPGs)-2, Games (other specialties)-3. Note: Use the DI-based versions of these skills for the
defaults.
This is the skill of playing video games. Routine use is for casual gaming; non-routine use is for competitive gaming. Make an
IQ-based roll to recall general video gaming trivia; apply familiarity penalties for anything not widely known in gaming circles.
May be used in place of Computer Operation to start video games and adjust routine video game settings on computers and
video game consoles.
Familiarities: Each video game is a familiarity. The familiarity penalty is -4 for games in different genres (e.g., metroidvanias
versus first-person shooters), -2 for games in the same genre (e.g., first-person shooters) and -1 for games in the same series (e.g.,
The Legend of Zelda). Genre familiarities offset up to -2 in familiarity penalties for games in that genre and franchise familiarities
offset up to -3 for games in that franchise.
Other specialties: Video Games and other specialties of Games do not cross-default. However, you may use another Games
specialty if you’re playing an ordinarily non-computer game on a computer; this does not give a Computer Operation default, unlike
Video Games.

New Skills
Note: Some skills use a new combination attribute, Dexterity-Intelligence (DI). This is (DX + IQ) ÷ 2, rounded down.

Professional Skill (Security)/TL [IQ, Average]


Default: None.
Knowledge of physical security protocols, set-ups and loopholes. Does not substitute for Lockpicking, but can assist that skill.
Bouncers and security guards typically have at least a point or two in this skill.
Familiarities: Each security protocol is a familiarity. -2 penalty for unfamiliar protocols.

Expert Skill (AI Security)/qTL [IQ, Hard]


Default: Expert Skill (Computer Security)/qTL-5.
Knowledge of security holes and countermeasures in sentient AIs.
Gaming Your PC: At TL8+, Computer Operation defaults to the IQ-based version of this skill at -2, since gamers tend to
know a few things about using their computers and consoles.

Hobby Skill (Speedrunning)/qTL [DI, Very Hard]


Defaults: Games (Video Games)/qTL-3 or Hobby Skill (Video Game Cheating)/qTL-4.
Prerequisites: Games (Video Games)/qTL.
The skill of speedrunning video games. Routine use (+4 or no roll needed) means you’re using the skill to play games faster than
normal. Non-routine use means you’re trying to get a world record or impress someone with the skill. Success means +1 to
reaction rolls (or influence rolls) with non-speedrunners and +2 with non-gamers! If you manage to beat or match the record
holder’s margin of success, you get the world record and +1 to reaction rolls from speedrunners. Critical success adds 1d-3
(minimum of 0) to your margin, and a confirmed critical success adds 1d. Extra time here literally means speedrunning all day.
Strategies and glitches: You may make an IQ-based roll against this skill to recall known exploits and glitches in a game. Soon
enough, it’ll be near impossible to even match the record holder’s margin of success, so new strategies and glitches will have to be
discovered. Discovering new speedrunning techniques, exploits and glitches takes an hour and a Per- or IQ-based skill roll at a
penalty of half the world record’s MoS, rounded down (full MoS for glitchless runs), since it’s harder to optimise already highly
optimised speedruns. Success means you reduce the world record’s MoS by 1; critical success means you reduce it by 1d and a
confirmed critical success reduces it by 2d. The world record’s MoS can never be reduced below 0. There is no bonus for routine
use since the more casually you play, the less likely you are to find new strategies, exploits or glitches. You may attempt to
discover glitches and exploits without the MoS penalty, but the glitch will only lower the world record’s MoS on a critical success,
and even then, only by 1; this easier unpenalised glitch hunting is mainly useful for Hobby Skill (Video Game Cheating).
Familiarities: As with this skill’s prerequisite, but independently from it.
Noticing glitches: The GM may make rolls against this skill or Per-6 (if you don’t have it, even at default) to see if you notice a
new video game glitch, adding a bonus or penalty for obviousness or non-obviousness, and/or a familiarity penalty for the game.

Hobby Skill (Video Game Cheating)/qTL [IQ, Average]


Defaults: Games (Video Games)/qTL-2 or Hobby Skill (Speedrunning)/qTL-2. Note: Use the IQ-based forms of those skills for
the defaults.
Prerequisites: Games (Video Games)/qTL.
The skill of cheating in video games and using “hacked” video game clients. Roll versus this skill to use cheats in multiplayer or
otherwise competitively; no roll is needed for “routine” casual gaming with cheats. Roll versus this skill to recall a video game
cheat code or similar, at +1 to +5 for popular video games.
Cheating others: If making a QC versus someone else’s Games (Video Games) (at -3), Hobby Skill (Speedrunning) (at
-2) or Hobby Skill (Video Game Cheating) (at no penalty) to cheat in a competitive game or to make a fake speedrun,
winning means you’ve successfully cheated without their noticing. If making a fake speedrun, use the lower of Hobby Skill
(Speedrunning) and this skill on your side, even if Speedrunning is being rolled at default, with all applicable video game
familiarity penalties. A tie means they’re suspicious of you, getting a +2 to their side, and if you lose, they’ve noticed you cheating
and may ban or kick you from their game server. Any success on your side, win or lose, means you’ve pulled off the cheat itself
(usually a bonus to the associated), and any critical success means the cheat’s effect is increased. A successful complementary
Computer Security roll on your side of the QC gives a +2 bonus for you; critical success gives +4. The QC isn’t required if
staff and other players are okay with cheats (though they usually aren’t okay with remote exploits through the game).
Fooling anti-cheat: If you’re trying to fool anti-cheat software, use its Hardness instead of skills in the Quick Contest. A tie or
loss to the software means your cheat was detected and/or, if it’s cheat prevention software, didn’t work. Anti-cheat software
typically kicks or bans players it detects cheating.
Familiarities: As with this skill’s prerequisite, synchronised with it.
Modifiers: +2 to use built-in cheats in single-player games, +2 for having a “hacked” video game client, library injection or
similar.

Making Anti-Cheat Software


Roll versus Computer Programming to program
anti-cheat software, at a -2 if lacking Video Games
familiarity. Success yields anti-cheat software with Hardness
determined as per the rules in Hardness and Complexity.
Add a -2 penalty if trying to make software that prevents
cheating rather than (or in addition to) detecting cheaters.
Game developers may add built-in anti-cheat at a -2 to the
prototype roll, in addition to the penalty for programming
built-in cheat prevention.

Computer Hacking
Familiarity penalties for hardware, software and administrative protocols apply cumulatively to any attacks where they’d be
relevant. Do not apply ease-of-use bonuses for the targeted software; you’re hacking it, so ease of use doesn’t matter. Regarding
your own software, use the higher of the software’s skill level or your own. As per B346, you may take bonuses for taking extra
time or penalties for being hasty. The usual penalties and required Stealth rolls for being stealthy apply. Some level of Expert
Skill (Computer Security) (hereafter referred to as Computer Security) is required for all attacks. Substitute non-AI
Computer Programming for Computer Programming (AI) and Computer Security for Expert Skill (AI Security)
if the target is a sentient AI.
Time taken: Most hacking techniques involve very little time actually hacking the target computer. Unless otherwise specified,
assume the hacker only needs to access the target computer for 5 minutes.

Hacking Techniques
These are techniques used for computer hacking. Feel free to add your own for the setting. Some of these techniques are
TL-specialised. These techniques can get bonuses for extra time and routine use. All techniques with qTL must take a quarter-TL
and now take quarter-TL penalties as mentioned above in Existing Skills.

Soft Hacking (A) Defaults: Acting, Interrogation, Intimidation or Fast-Talk.


Prerequisites: Any of Acting, Intimidation, Interrogation or Fast-Talk; cannot exceed the best skill plus 4.
This is the art of convincing someone to give you their access credentials or otherwise allow you access to their computer or
other locked or restricted item. Roll a QC versus the target’s highest of Professional Skill (Security), Computer Security,
Detect Lies and other applicable social skill counters; do not count Computer Security if computer access isn’t involved. If
you win, the winning margin and whether the other side got a critical failure determine how much access you receive; critical
failure by the target may mean you got Access 4 or 5 to the target’s computer right off the bat, for example. Critical success
by you has no special effect. Critical failure by you or critical success by the defender means you got useless or “honey trap”
credentials; you may not know this until you attempt to use them. (A successful roll against a relevant security-related skill may
warn you before using them.) Attempts to use this technique take 30 minutes.

Keypass Scrounging (E) Defaults: Scrounging or Search.
Prerequisites: Either Scrounging or Search; cannot exceed the higher of Scrounging+3 or Search+3.
The technique of searching through people’s trash, desks, cabinets and the like for access credentials like computer accounts
and passwords, combinations, keys and passcards. This technique is useful at any TL for anyone looking for a way into or past
anything locked. Roll a QC of this technique versus the organisation’s higher of Computer Security and Professional Skill
(Security) to find access credentials of any kind; if searching a computer you have at least Access 3 to, use the lower of this
technique and Computer Operation (plus or minus any interface and OS modifiers) for your side of the QC. If you win, margin
of success (and whether you get a critical success) determines the value of the credentials found; critical success may mean you’ve
found root or admin credentials to a corporate network, for example. If you tie or lose, critical failure by you or critical success
by the defender means you’ve found useless or “honey trap” credentials; you may not know this until you attempt to use them.
(A successful roll against a relevant security-related skill may warn you before using them.) Attempts to use this technique take
30 minutes.
Software: Software that automatically searches a computer for passwords may be programmed with this technique; this is an
unspecialised use of Computer Programming. The resulting software has the lower of the owner’s technique level and his
Computer Operation plus or minus interface and OS modifiers.

Code Injection/qTL (VH) Default: Computer Security/qTL-2 or Computer Programming/qTL-6.


Prerequisites: Computer Security/qTL7.75+ and Computer Programming/qTL7.75+; cannot exceed either skill.
This attack involves attempting to exploit a bug or security hole in a running program in order to gain privileges. To find an
exploit for this technique, roll a QC of the higher of Research and Computer Security against application Hardness. If you
have a disassembly or decompilation of the target program, add the disassembly/decompilation quality bonus to your skill; if you
have source code, add +5 to your skill (this overrides the bonus from a disassembly or decompilation); getting these bonuses
requires replacing Research with Computer Programming, minus any unfamiliarity penalties. If you win, you’ve found an
exploit; any critical failure on the target’s side means you get +3 to this technique. If you tie or lose, you may attempt again at a
cumulative +2 bonus to the target. Critical success by you or the defender has no special effects. Attempting to find an exploit
normally takes minutes equal to the application’s Complexity squared.
If you’ve found an exploit, roll a QC of this technique against application Hardness. Your side takes any familiarity penalties for
Computer Programming. Attempts take five minutes. If you win, you inject enough code to elevate yourself to the program’s
current Access level. If you tie or lose, the attempt failed. On any attempt, successful or not, roll a QC for any anti-malware
program (see Malware and Anti-Malware below) that hasn’t been bypassed or stopped; if the anti-malware program wins, it’ll
remove any successfully injected code and possibly warn whoever manages the server or start a Network Trace (see below). If
time and the risk of tripping an anti-malware program aren’t an issue, you may reattempt this technique as many times as you
want at no penalty; this obviously takes a lot of time though.

Probabilistic Attack/qTL (VH) Defaults: Computer Security/qTL-4, Professional Skill (Security)/TL-4, Mathematics
(Applied)/TL-4 or Research/TL-4.
Prerequisites: Mathematics/TL4+, Research/TL4+ and either Computer Security/qTL6.75+ or Professional Skill (Security)/TL4+;
cannot exceed the highest prerequisite.
This technique involves determining which accounts, passwords, safe combinations and the like are likely to see use. Roll a QC of
this technique versus the target’s highest of IQ, Computer Security and Professional Skill (Security) to attempt just that.
You need to win to get any credentials; if you win, critical success by you or critical failure by the target means the password
or combination you managed to get is particularly valuable. Having a plain-text file (or physical document) that may (or may not)
contain passwords (as from decryption techniques, Intelligence Analysis or EM Analysis, below) adds a bonus or penalty to
your side of the QC. Each attempt takes 5 minutes. Note that two or three failed attempts to unlock a system may lock down the
targeted system.

Access Elevation/qTL (H) Defaults: Computer Security/TL-3 or Computer Operation/TL-3


Prerequisites: Computer Security/qTL and Computer Operation/qTL; cannot exceed the highest prerequisite plus 1.
This technique allows you to attempt to elevate your access on any electronic or photonic device or system or computer application
with Access levels. Requires at least Access 3 or physical access to the device, system or application, as well as software in the
form of an access elevation exploit.
Roll a QC of this technique versus the target’s Hardness to make an attempt. If you win, you elevate your Access to that of the
software; if the target gets a critical failure, you elevate your Access to one level above the software’s; as an exception, critical
success will never elevate you to Access 6 unless the software is running at that level. Critical success on your side has no special
effects. If you tie, your permission elevation didn’t work, but at least you aren’t locked out. If you lose, you get locked out of the
system or application. If the target wins, then a critical success, a win by 5 or more or, if the hacker is using a low-quality
exploit, any win at all may trigger security software and systems. Each attempt takes 5 minutes at TL7 and 1 minute at TL8+.
Anti-malware: On any attempt, successful or not, roll a QC for any anti-malware program (see Malware and Anti-Malware below)
that hasn’t been bypassed or stopped; if the anti-malware program wins, it may warn whoever manages the server or start a
Network Trace (see below). If time and the risk of tripping an anti-malware program aren’t an issue, you may reattempt this
technique as many times as you want at no penalty; this obviously takes a lot of time though.
Writing exploits: To program an access elevation exploit for specific software, instead of handling it as a new invention, roll a
QC of Research versus the software’s Hardness, and if you win, then roll a QC of the lower of Computer Programming
(-2 if lacking Low-Level familiarity) and this technique against the software’s Hardness; Code Injection may substitute for
Computer Programming if better. This takes (OS Hardness)² × 1 hours. A system or VM running the target OS is
required; a disassembly of the software gives +2 to both rolls, in addition to decompilation quality bonuses, and access to source
code gives +5, overriding the bonuses for disassembly and decompilation. If you win both QCs, you’ve made a working access
elevation exploit that gives your technique’s level to unskilled and low-skilled users; critical success on either QC also gives a +2
bonus to technique when a skilled hacker with this technique uses the exploit.

Rainbow-Table Decryption/qTL (H) Defaults: Cryptography/qTL-1, Cryptography (Cryptanalysis)/qTL+0 or Computer Operation/TL-1

Prerequisites: Computer Operation/qTL7.75+ and Cryptography/qTL
This technique involves using a rainbow table (see above) to decrypt encrypted data, like the username/password sets in a
database. This is a lot faster than using regular Cryptography, but less likely to work for high-end or newer forms of encryption.
Roll a QC of the lowest of your Computer Programming (Science and Mathematics field), your Computer Security and
the rainbow table’s Cryptography versus the target encryption software’s lowest of Cryptography, Computer Security and
Computer Programming (Science and Mathematics field). If you win, you turn the encrypted information into plain text; a
tie or loss means the decryption wasn’t successful. There are no special bonuses for you if you win and critically succeed or the
target loses and critically fails. Takes 2 hours to run on a Complexity (TL of encryption - 4) machine. Double time for each
Complexity level lower and halve for each level higher, as usual. Rainbow tables are “spent” on a given encrypted file regardless
of the QC’s result, so if you tied or lost, you have to use old-fashioned Cryptography instead (or obtain an updated set of
rainbow tables).
Generating a rainbow table requires a copy of the encryption software in question and takes a QC of the lower of Computer
Programming (Science and Mathematics field), Computer Operation and Cryptography at -4 versus the target encryption
format’s Cryptography. If you win, you have a usable rainbow table; if the encryption format loses and has a critical failure,
the rainbow table gives a +2 to anyone who uses it. If you lose or tie, the rainbow table is worthless; if the encryption format
wins and gets a critical success, you don’t know it’s worthless.
Note: Roll 3d; if the result is less than the encryption format’s age in weeks, no rainbow tables are available, making the technique
impossible. This technique usually cannot be used on encryption techniques that use private keys (and rainbow tables generated
for these techniques are worthless), though it may be possible if the encryption key is never or rarely changed and ends up leaked.

Computer Exploitation/qTL (H) Defaults: Computer Operation/qTL-6, Computer Programming/qTL-3 or Computer Security/qTL-1.

Prerequisites: Computer Operation/qTL, Computer Programming/qTL and Computer Security/qTL; may not exceed Computer
Security/qTL+0 or Computer Programming/qTL+3.
The art of discovering and exploiting bugs or flaws in software (including OSes) and hardware. Roll a QC of this technique versus
the target software or hardware’s Hardness - Complexity (minimum of 3); lacking Low-Level field familiarity in prerequisite
Computer Programming gives you a -2 penalty, in addition to any language penalties. Takes (target’s Complexity ^ 2)
hours to complete; this time may be split into multiple sessions. If you win and get a critical success or the OS critically fails, the
exploit requires a major update to patch. If you win otherwise, the exploit remains “good” until the next minor update. Winning
by only 1 means the exploit only works on a roll of 4 or less on 1d (i.e., 2/3 of the time). If you tie, the exploit only works on
a roll of 1 or 2 on 1d (i.e., 1/3 of the time). If you lose, you don’t have a working exploit; if the defender wins and critically
succeeds, you don’t know your exploit isn’t working until you actually use it. The target software needs to be known before using
this technique. Requires a copy of the hardware or software you’re trying to exploit; software may be emulated in a VM.
Script kiddies and exploits: Ready-to-use exploits may be used by script kiddies like other software.
Modifiers for software exploits: -2 to the hacker if not using or emulating hardware similar to the target’s. Add another -1 if
testing the exploit in a VM.
Modifiers for hardware exploits: -1 to the hacker if using a different version of the same hardware (e.g., Intel i5 to i7), -2 if using
slightly different hardware (e.g., x86 to x86-64) or -5 if using significantly different hardware (e.g., x86 to ARM or PowerPC). If
using a VM to emulate the hardware (which can’t be done for hardware of the same Complexity as yours), just add a flat -1
instead of the hardware penalties.

What Am I Using?
A computer user working with unknown software may roll
Computer Operation at +2 or Computer
Programming (or any of its specialties) at +4 to know
which software they’re using or working with, with penalties
for rarity and bonuses for very common or widely used
software; add -3 for non-OS firmware. No roll is needed for
this if the software is widely used, isn’t non-OS firmware,
and you have Computer Operation at better than default
for the software’s quarter-TL. Familiarity penalties also
apply. Users automatically recognise software relevant to
their skills - no roll necessary - unless the software is very
obscure.

EM Analysis/qTL (H) Defaults: Computer Security/qTL-3, Electronics Operation (EM Sensors)/TL-3, Telecommunication
(Radio)-3 or Computer Programming/qTL-3.
Prerequisites: Computer Security/TL7+, Computer Programming/TL7+ and either Electronics Operation (EM Sensors)/TL7+
or any form of Telecommunication (Radio); may not exceed any prerequisite skill, but if Telecommunication is not skill-based, the
lack of Telecommunications skill does not count against this technique’s maximum level.
EM analysis techniques involve using an EM scanner or specialised radio receiver to pick up the EM radiation that all electronics
emit, especially CPUs, GPUs, keyboards and displays. An EM scanner or equivalent is required equipment for this technique.
For each device, the GM rolls two QCs of this technique against only the hardware modifiers in the device’s Hardness (excluding
hardware encryption; minimum of three). The hacker gets normal range penalties (on the SSRT) to each target device, as well as
jamming penalties. Modifiers: -2 for residential computers and devices, +2 for large commercial networks, +5 for server racks (a
lot of sensitive data goes through these; but they’re usually well-secured, offsetting this modifier). Takes any familiarity penalties
that its prerequisite Computer Programming would take.
The first roll determines whether any passwords or credentials were gathered and how valuable they are. If you win, the data you
gathered may then be used to provide a bonus of this technique’s margin of success for Probabilistic Attack (see above); add
another +3 if the target critically failed. However, even a critical failure by the target does not mean you get, say, high-ranking
government credentials on a residential computer (but it’s not impossible). On loss, apply the margin of failure as a penalty to
Probabilistic Attack if used for that; a critical success by the target adds a further -3. A tie means a net +0 modifier. You
won’t know how successful or unsuccessful you are until you actually use the data. Critical success by you has no extra effects.
The second roll determines how much useful data besides passwords and credentials was gathered. If you win, gathered data
contains useful or valuable information, the value depending on the margin of success. Critical failure by the target means you got
something particularly valuable, but even this does not normally mean you get corporate blueprints off a random residential PC
(but it’s not impossible). If you lose, it means the gathered data doesn’t contain anything useful, but keep the margin of failure.
Critical failure by you and critical success by the target have no extra effects. Critical success by you also has no extra effects.
Multiple attempts: Multiple concurrent attempts for this technique use the same rolls as for the first. Do not roll again. (If
someone else is attempting to run EM Analysis on the same targets as you, roll a QC of their skill against the results already
rolled for the target’s side.)
Extracting information: Extracting information from gathered data takes another hour and a GM-made Intelligence Analysis,
Electronics Repair, Engineer (Electronics) or Computer Programming roll, whichever is highest. Intelligence Analysis
gets +2 for the information roll while the other three get +2 for the password roll. If successful, you’ll know the roll results
on both sides (and win/loss margin) for both EM Analysis rolls performed on the data, along with any useful data you picked up
from nearby devices; critical success adds 3 to both win/loss margins, which can turn a loss into a tie or win. Failure means you
don’t know anything; critical failure means the GM lies to you. Normally takes one hour.
Engineers only: People with experience in electronics can try to tune the EM receiver/scanner for the specific device in question.
If you know the target device well enough (i.e., no familiarity penalties), a successful GM-made Engineer (Electronics) or
Electronics Repair adds +1 to your side on both EM analysis QCs; critical success makes that +2. Failure gives -1 and critical
failure a -2.
Remote viewing: Make a third QC at -2 to your side to remotely view a device’s display. A win or tie means you get to remotely
see the display. Criticals have no special effects. You may keep viewing for as long as you wish (barring getting caught) as long as
the target device remains powered on.
Being detected: EM analysis does not generate any unusual EM transmissions, so this method is undetectable that way by others
without the technique; this obviously means the technique will never trip anti-malware programs. (You may still be seen or heard
using the technique though.) Detecting ongoing EM Analysis using EM Analysis takes a QC of your technique versus theirs
with a +5 to the defender. A win means you detect it, and a tie or loss means you don’t.

DoS/DDoS Attacking/qTL (A) Defaults: Computer Operation/qTL-2, Electronics Operation (Communications)/qTL-2 or Computer Security/qTL-2.
Prerequisites: Computer Security/qTL6.75+ and either Electronics Operation (Communications)/qTL6.75+ or Computer
Operation/qTL6.75+; cannot exceed the lowest prerequisite plus 2.
(Distributed) Denial of Service, or (D)DoS for short, is the art of flooding networked systems (usually servers) with so much data
that they essentially shut down. The “distributed” kind is when a botnet consisting of hundreds of computers does it. Roll a QC
of this technique versus the target system’s Hardness to set up a DoS or DDoS attack. Having a botnet of 10 proxies gives +1 on
your side, 100 proxies give +2, 1000 proxies give +3 and so on; basically add +1 for every full order of magnitude in proxies. If
you win, you’ve disrupted the target system(s) such that it’s unable to function as intended (e.g., a forum server is too bogged
down to be usable); critical failure by the target system means it’s so overwhelmed that it needs to be completely shut down for
1d days; critical success by you and critical failure by the target means that shutdown lasts 3d days! If you lose, the attack was
warded off; critical success by the target or critical failure by you also means you’re traced.

Network Trace/qTL (H) Defaults: Computer Operation/qTL-3, Electronics Operation (Communications)/qTL-3, or Computer Security/qTL-3.
Prerequisites: Computer Security/qTL6.5+ and either Electronics Operation (Communications)/qTL6.5+ or Computer Operation/qTL6.5+; cannot exceed the lowest prerequisite plus 2.
A technique many sysadmins (and hackers) know, network tracing allows targets to be tracked down to their actual IP addresses
if successful. To trace a target, the GM will roll a QC of your technique versus the target’s encryption Hardness (0 if not using
encryption) plus, if successful, margin of success from their Computer Security, plus +1 for at least 10 zombie proxies in use
and an additional +1 for each extra order of magnitude in use (e.g., 1000 proxies give +3); regular proxies do not count since the
target’s IP is still exposed through them. If you tie or win, it means the target’s IP was traced; a critical failure by the target also
means their HWID or similar hardware identifier was traced. A loss by the target’s proxy penalty or less means you’ve traced a
proxy (and possibly triggered the target’s tracing software), reducing the target’s proxy penalty by (Proxy Penalty - Margin
of Loss), but loss by more than the proxy penalty means you’ve been led off track. Critical success by the target or critical
failure by you means you don’t know it’s failed, believing the IP address you traced to be the target’s (i.e., the GM lies to you).
You may make repeated attempts at no penalty. Critical success by you has no special effects. If you failed because of proxies,
you won’t know how many proxies you still have left to get through.
Being traced? If a target of a trace has tracing software on their proxies and those proxies have been traced, the GM rolls a QC of
the software’s Network Trace versus the tracer’s Network Trace. Winning means the target knows he’s being traced, and if
the tracer critically fails too, his own IP address is traced! The target may try to trace the tracer back at +2 on his side of the
QC.

“Honey Pot” Networks


Some organisations own zombie proxies which hackers have
to get through in order to get to the actual target system.
These proxies’ firewalls are programmed to allow legitimate
network packets through. To attempt to get past these
proxies, a hacker has to win a Network Trace on the
target server. Loss by within the proxy penalty means the
hacker may get himself traced by software on the zombies.
Most systems with strong DDoS protection also have around
one to ten thousand zombie proxies “leased” to them by the
DDoS protection organisation (or owned outright, if it’s “in
house”) for this purpose; this provides a -3 to -4 penalty (see
Network Trace). Feel free to increase the number of
zombies, and thus the penalty, by an order of magnitude or
two (or more) in qTL9+ settings.

The Great National Firewall
Some polities have massive firewall networks that filter
public network traffic for various motives, often including
political censorship or, for that matter, stopping hackers
who work for an opposing polity. If such a firewall network
exists and presents an obstacle to the hacker, he must either
obtain a proxy in a jurisdiction outside the firewall’s reach
(which is often illegal) or win a Network Trace against a
proxy penalty of -5 or more every time he attempts a remote
hack or exploit on the network; if he’s on the network for
more than an hour, roll the QC again every hour. Losing the
Network Trace means the hacker is blocked by the
firewall, and if the loss is within the proxy penalty, he is also
being traced by whoever owns the firewall (assume a high
Network Trace level, somewhere north of 15). This
Network Trace against the firewall is separate from any
other Network Traces, including those for “honey pots”.

Anonymity
To cut down on risks, a good hacker is always on the move,
changing IP addresses and often also devices like soiled
diapers, so that by the time someone manages to find his IP
address or hardware, the hacker is almost always long gone.
Many smart hackers also have long chains of proxies
spanning several countries, as well as multiple automated
network tracers present on some of those proxies.

Tracing software: Automated tracing programs have the Network Trace level of their programmer.
Modifiers for the tracer: -2d+4 to impossible if logs were carefully scrubbed, -1d if logs were outright wiped or mutilated, no
modifier for intact logs, +1d if hardware/browser/program identifiers were logged and the target isn’t using proxies.
What do I do with an IP address? Roll Research to trace the IP down to the city level; if you have telecom Contacts or access
to telecom databases, you can get a precise address at a -2 penalty to your roll (or theirs for a Contact). Public IPs (like most
residential and commercial IPs) give up to a +3 bonus, but certain private IPs may give you up to a -3 penalty.

I’ve Hacked Into a Computer, Now What?


You may do anything a normal user with your current
Access level can do on the computer. That includes
downloading all the data you can access (provided you have
a decent connection and a minute or two). Roll Computer
Operation at -3 to get data off a computer quickly. If
you’ve got Access 4 or 5 on the box, you can simply install a
RAT to remotely control it later. Again, roll Computer
Operation if you must do it quickly.

Hardness and Complexity


Complexity is determined as per Pyramid 3/37: Thinking Machines. Hardness is determined below in Hardness.
Programming software for a computer of a given Complexity requires at least a Target Complexity - 1 computer. Fortunately,
servers are typically only a single Complexity level above workstations. Using a computer of a given Complexity requires the
user to have a racial IQ of at least ((target Complexity - 3) × 2) to avoid penalties; any IQ bought up from the racial
average doesn’t count. In other words, the User Complexity Limit or UCL for a given race is (Racial IQ ÷ 2) + 3, rounded
down. Daring computer users can attempt to use high-Complexity or above-UCL software and hardware, but at a penalty of
(Programmer/Creator’s Racial IQ - 1 - User’s Racial IQ) × 2 (minimum of 0) and a penalty of (Target Complexity
- User’s UCL) × 2 (minimum of 0). For reference, the racial IQ of humans is 10 and their UCL is 8.
Quick Contests versus Hardness: The following rules apply when Hardness (with or without modifiers) is defending in a QC.
Having less than 3 Hardness after all modifiers is an automatic loss for the defender, and having 0 Hardness or less after all
modifiers is an automatic critical failure. If the defender’s modified Hardness minus the attacker’s modified skill or technique
level is more than +25, the defender has an automatic success; the hacker has no chance.

“Script Kiddies”
A “script kiddy” is someone attempting to use software,
usually hacks or access elevation exploits, without technical
skills. If you are using software that provides a skill or
technique you don’t have or wish to use the software’s skill
or technique level rather than yours, roll against your
Computer Operation plus any bonuses or penalties for
the software’s ease of use; if this roll succeeds, then resolve
the original roll using the software’s skill or technique level.
Routine use of skill-providing software does not require a
Computer Operation roll and gives the full +4 bonus for
routine use to the software’s skill or technique.

Hardness
Current-day (qTL8.75-9) examples are provided for reference. Base Hardness is twice the software or hardware’s Complexity.
Subtract 2 for each quarter-TL that has passed since the software or hardware’s last update; for hardware, subtract 1 if Old and
add 1 if Advanced. If Hardness comes to 2 or less, increase it back to 3, then add all applicable modifiers from below.
The modifiers below apply to all QCs:
• Updates: Pick the highest applicable: +2 for up-to-date software, +1 if the software or hardware’s last security update was
at least a week ago, +0 if at least a month ago, -1 if it hasn’t been updated for three months, -2 if it’s six months out of
date, -3 if it’s a year out of date. Add another -1 for every full year after the first since the last update, up to -5; e.g., a
system five years out of date gets a -4. Note: Yes, this is cumulative with modifiers for being one or more quarter-TLs out
of date - obsolete stuff is far easier to hack into since exploits for it are well known.
• Hardware security quality: If hardware, firmware or an OS is targeted, roll the hardware manufacturer’s Engineer
(Electronics) + 2 - (Complexity × 2) + Quality Modifier and add the margin of success or failure as a modifier,
or add their Engineer (Electronics) - 8 - (Complexity × 2) + Quality Modifier (keep zeroes and negatives). This
assumes some extra time was taken to fix bugs. See Software and Hardware Security Quality below for more.
• Software security quality: If software is targeted, roll the programmers’ Computer Programming + 2 - (Complexity
× 2) + Quality Modifier and add the margin of success or failure as a modifier, or add their Computer Programming
- 8 - (Complexity × 2) + Quality Modifier (keep zeroes and negatives). This assumes some extra time was taken to
fix bugs. See Software and Hardware Security Quality below for more.
The modifiers below apply to QCs against Research:
• Software obscurity: -1 to -5 for widely used software (e.g., Windows, server Linux), no modifier for specialised or less widely
used software (e.g., macOS, desktop Linux, CAD/CAM programs), +1 to +5 for very obscure software. Add another +1 to
+5 for lesser-known variants of widely used software. Don’t apply this modifier if software or firmware isn’t the target (as
with EM Analysis).
• Hardware obscurity: Add +1 to +5 for rare CPU architectures or hardware or +6 to +10 for really obscure architectures or
hardware. Use the full modifier if firmware or hardware is the target; halve this modifier, rounding down, if an OS is the
target; do not apply this modifier at all if other software is the target.
The modifiers below apply to QCs against anything other than Research:
• Firewalls: Pick the highest applicable: +1 for a basic OS firewall, +2 for a decent firewall, +3 to +5 for custom firewall
setups, +5 to +10 for cutting-edge high-security firewalls. Notes: Do not apply modifiers if the firewall has been disabled or
bypassed; disabling or bypassing a firewall requires Access 4. Do not apply firewall modifiers if the hacker has physical
access to the system.
• Access: Add (Software Access - User’s Access) × 2; minimum is 0. This modifier is reduced by gaining increased
Access to a target system and can be reduced by exploiting lower-Access software instead of the OS directly. Most software
has Access 2 or 3, daemons have Access 3 to 5, OSes have Access 5 and firmware has Access 6; see Access below for more
information. Don’t apply this modifier if EM Analysis is being done.
• Repeated attempts: If a secure or very secure access control program is present (see Access control programs below), add +1
for every previous or concurrent attempt to use an access elevation exploit or code injection after the first. This “attempt
counter” usually takes several weeks or even months (or removal or resetting of the software) to reset. Don’t apply this
modifier if EM Analysis is being done, you’ve overridden the access control program, or you’re at Access 5 or more.
• ROM file protection: +10 if the software is firmware, i.e., loaded from a BIOS ROM. Notes: Do not apply this modifier to
reading the ROM if the BIOS allows it. You may be able to modify the ROM using a firmware flasher at Access 5.
• Obfuscation: Add the obfuscation bonus from the obfuscator used on the software. For commercial software or video
games, you can use the developer’s Computer Programming - 8 instead; if lacking Low-Level familiarity, subtract 2;
the modifier has a minimum of 0. This makes the realistic assumption that the obfuscator’s Cryptology is usually on par
with or better than programming skill. Don’t add this modifier if the target was successfully deobfuscated.
• Hardware security: Apply this modifier if EM Analysis (see above) is being done. Pick the best applicable: +5 to +10 for
RF/EM/EMP shielding or +10 for photonic hardware.
• Network capacity and DDoS protection: Pick the highest applicable: +1 to +5 for basic DDoS protection or +6 to +10 for
advanced DDoS protection (like CloudFlare). These modifiers only apply for DoS/DDoS attacks.
• AIs: Add IQ - 4 for a sentient AI; add (IQ - 4) ÷ 2, rounded up, for a non-sentient AI. Minimum modifier is 0. Note:
This modifier reflects both the programmatic complexity and flexibility of AIs.
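
The fixed arithmetic from Hardness and Complexity and from the base Hardness rule above, worked through in Python as an added example (not part of the supplement). The function names are assumptions made here, and the list of Hardness modifiers is supplied by the caller, since those values depend on GM rolls and judgement.

```python
"""Added example: the deterministic parts of the Hardness and Complexity rules.
All function names are illustrative assumptions, not terms from the supplement."""


def user_complexity_limit(racial_iq):
    """UCL = (Racial IQ / 2) + 3, rounded down."""
    return racial_iq // 2 + 3


def usage_penalties(user_racial_iq, creator_racial_iq, target_complexity):
    """Return (IQ-gap penalty, above-UCL penalty) as positive magnitudes.

    Both apply to a user working with high-Complexity or above-UCL
    software or hardware; each has a minimum of 0.
    """
    iq_gap = max(0, (creator_racial_iq - 1 - user_racial_iq) * 2)
    ucl_gap = max(0, (target_complexity - user_complexity_limit(user_racial_iq)) * 2)
    return iq_gap, ucl_gap


def base_hardness(complexity, quarter_tls_since_update=0, hardware_grade=None):
    """Twice Complexity, -2 per quarter-TL since the last update.

    hardware_grade is None for software, or "old" / "advanced" for hardware.
    A result of 2 or less is raised back to 3 before modifiers are added.
    """
    hardness = 2 * complexity - 2 * quarter_tls_since_update
    if hardware_grade == "old":
        hardness -= 1
    elif hardware_grade == "advanced":
        hardness += 1
    return max(hardness, 3)


def modified_hardness(base, modifiers):
    """Add the applicable modifiers (updates, firewalls, Access, ...) to the base."""
    return base + sum(modifiers)


def automatic_outcome(defender_hardness, attacker_level):
    """Resolve a QC versus Hardness without dice where the rules allow it.

    Returns None when the contest has to be rolled normally.
    """
    if defender_hardness <= 0:
        return "defender critical failure"
    if defender_hardness < 3:
        return "defender loss"
    if defender_hardness - attacker_level > 25:
        return "defender success"
    return None


if __name__ == "__main__":
    # Constructed sample: a Complexity 4 OS two quarter-TLs out of date,
    # with a -3 update modifier and a +1 basic OS firewall.
    base = base_hardness(4, quarter_tls_since_update=2)
    final = modified_hardness(base, [-3, +1])
    print("base", base, "final", final, "->", automatic_outcome(final, 14))
    print("human UCL", user_complexity_limit(10))
```
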

Software and Hardware Security Quality


Software and hardware security quality modifiers are
determined separately from prototype rolls. A negative
modifier represents the presence of security bugs and
exploits, and a positive one represents good security
practices. Neither affects the quality or bugginess of the
code when used for its main purpose (unless it’s security, OS
or access control software, in which case the modifier is
really important). You could have really buggy software with
good security or really high-quality software with a bunch of
security holes.
Making software and hardware: To get the security quality
modifier for newly invented hardware or software, make the
roll mentioned in Hardware or Software quality, adding extra
or reduced time modifiers and assistance bonuses, after the
software prototype roll. (If the extra time bonus is +2 or
better, you may opt to use Skill Level - 10 + Extra
Time Modifier - (Complexity × 2) + Quality
Modifier.) The quality modifier is the final product’s
quality bonus or penalty (see Programming Quality below).
Improving security: Better hope someone on your coding or
engineering team is good with security if your software or
hardware is going to need it! A successful Computer
Security roll during development allows one reroll of the
quality modifier; the higher of the two rolls is used. Critical
success adds +2 to the quality modifier on top of that.
Using Computer Security to reroll requires you to take at
least +1 in extra time for the software development; add the
extra time bonus minus 1 to Computer Security and the
rerolled skill.
Security auditing: Anyone with access to software source
code or hardware blueprints can audit the software or
hardware by rolling the lower of Computer
Programming / Engineer (Electronics) and
Computer Security. On a success, the auditor knows the
quality modifier and can choose to reroll it using their
Computer Programming / Engineer (Electronics);
the higher of the original and audit modifiers is used. A
critical success adds a +2 to the rerolled modifier on top of
that. Audits take (software or hardware Complexity ^ 2)
hours. Extra and reduced time modifiers apply to the audit
reroll as well as the Computer Security roll.
Auditing without code: Auditing may be done without
blueprints / source code at -2 with an assembly code readout
or hardware programmer’s manual or at -5 with just the
binaries or hardware, but this does not allow a reroll.

Hacking AIs
To hack an AI system (i.e., any computer, android, device,
etc. with an IQ stat), roll a Quick Contest of your chosen
hacking technique versus the AI’s Will or Hardness,
whichever is highest; do not count Will if the AI isn’t
sentient. The targeted AI may roll Expert Skill (AI
Security); success gives +2 to their side, critical success
gives +4, failure gives no penalty and critical failure gives -2.

Sysadmin!
If you are unlucky enough to have a sysadmin, user or other
hacker trying to actively thwart your hacking, roll a QC of
your Computer Operation versus the other
user/hacker/admin’s Computer Operation. Both sides
take a cumulative -3 for every Access level below 5, but may
claim a margin-of-success bonus from a successful
Computer Security roll (if they have the skill); critical
success adds +3 to the margin. There is no penalty for
failure or critical failure on Computer Security. If the
attacker wins, the attacker has managed to kick the defender
off the system. If the attacker ties, he gets a -3 penalty to
further hacking rolls because of the defender trying to kick
him out (unless the defender decides to let up). If the
attacker loses, he’s kicked out of the system.

Magical Computing
If you need to determine the Hardness of a computer or
software that is not tech-based, use the relevant skill level,
spell level, technique level, etc., of the caster or creator as
Hardness instead of determining it with the above method.
If no level is available, use the caster or creator’s IQ, plus
any trait or skill bonuses that apply to the creation of the
computer or software.

Computer Programming and Invention


There are a few rule changes for software inventions:
• Critical failure on the software’s Prototype roll means files and/or software were corrupted. No damage is dealt to anybody.
• On your Concept and Prototype rolls, if you’re taking at least +2 for extra time and Computer Programming - 10 - (
Software Complexity × 2 ) + Extra Time Bonus + Variant of Existing Software Bonus - Quality Modifier
comes out to zero or more, you may call it an automatic success on both rolls, avoiding the effects of a critical failure but
also unable to get a critical success. If the final result is 3 or more, you get the “minor bugs only” result for success by 3
or more. Time taken is as for a single prototype roll multiplied by the extra time multiplier. The quality modifier is the
inverse of the final product’s quality bonus or penalty (see Programming Quality below).
• If you’re taking at least +2 for extra time above and you have Computer Operation, bug testing, known as “debugging”
in the trade, takes (Minor Bugs + (Major Bugs × 3)) × (15 - Computer Operation) weeks (minimum of 1 week)
to work out the bugs. Use the best Computer Operation skill among the people testing; if you have at least ten assistant
testers, add +1 to Computer Operation for this purpose.
• If you want, you can skip bug testing to save time, but the bugs will still be there.
• Software does not cost anything other than the programmer’s time and any lost income to invent.
• Software bugs surface on a failed Hardness QC roll by five or more; major bugs, if any, always show up on a critically failed
roll. These bugs can be exploited - make another Hardness roll. If that roll fails, the bug is exploitable; major bugs need a
success by 5 or more or a critical success on the roll to not be exploitable.

Software Updates and Game Mods


Minor software and hardware updates are handled just like
new releases, but with the full +5 bonus to invention for
being a variant on existing software or hardware. Major
updates get +3 or +4. New releases get +3 at best.
Hardware may be “patched” with a software update - this
requires rolling Engineer (Electronics) alongside the
usual Computer Programming; take the lower roll. Any
Computer Programming familiarities required to
program the original software without penalties are also
required for the update; add +2 plus any disassembly quality
bonus if you have a disassembly or decompilation, or add +5
if you have source code for the software.
Game Modding: Handle minor game mods like minor
software updates, major game mods like major software
updates and overhaul mods like new releases; if the game
lacks a modding API or the API isn’t good enough for your
level of modding, you need to do a successful Code
Injection first. You take a -2 penalty to Computer
Programming without Video Games familiarity, plus any
language familiarity penalty.

Access
There are seven levels of Access, from 0 to 6. Any user at a given Access level may execute or stop programs running at that
Access level or below. Users can also create, modify or delete files associated with that Access level or below. Users at Access 3 or
below cannot manage programs or files associated with a different user.
Access 6: Complete, unfettered access to the targeted computer system via firmware installed on its BIOS ROM, allowing you
to, say, install nearly undetectable backdoors. Software installed at this level, called firmware, gets a +5 to Quick Contests. Users
at this access level can manage any file or program on the system in addition to the perks of having Access 4+.
Examples: The earliest computers, at qTL6.75 through qTL7.25, gave you this much access by default since they had no real
OSes. Any system backdoored through a flashed BIOS also gives you this much access.

Firmware Flashing
In order to get Access 6 at qTL7.5 through qTL8, you
typically have to physically replace and resolder the ROM
chip, which requires 30 minutes and an Electronics
Repair roll (add any applicable repair difficulty modifiers).
The old-fashioned soldering method may still be used after
qTL8, as long as the computer is repairable. However, at
qTL8.25 and afterwards, most BIOS ROMs become
“flashable” for easier updating. To get Access 6 this way, you
need to use a special piece of software called a firmware
flasher at Access 5. Many qTL8.5+ systems require the
hacker to either have a valid BIOS key, have “legit” firmware
that hasn’t been tampered with, or win a QC of the flasher
programmer’s Computer Programming (at -2 without
Low-Level familiarity) versus the BIOS’s Hardness (separate
from OS Hardness if it isn’t the OS) to flash the BIOS. Any
program within the BIOS’s Complexity limit can be
installed as firmware; a hacker will most often install a RAT
bundled with a programmable daemon.
Firmware Complexity: Before qTL9.5, firmware may be at
most Complexity 3 and is often merely Complexity 2 to
reduce the number of security holes and exploits. At TL9.5
and afterwards, firmware may be at most the computer’s
Complexity - 1, but Complexity is still usually kept as low
as possible. Exception: At any quarter-TL, Complexity 3
computers allow firmware to be installed at Complexity 2,
and Complexity 1 and 2 computers can have firmware
installed at the computer’s full Complexity.
ROM Reading: You may use a firmware flasher to dump a
computer’s ROM, giving you a copy of its binaries, if the
BIOS doesn’t otherwise expose it to the OS. Again, Access 5
is required. To dump a computer’s ROM with a firmware
flasher, win a QC of the flasher programmer’s Computer
Programming (+2 with Low-Level familiarity, no modifier
without it) versus the BIOS’s Hardness.

Access 5: Almost unfettered access to the targeted computer system, allowing you to delete and overwrite critical system files
and built-in software - basically everything outside of the BIOS - to your heart’s content, backdoor the system’s OS for later
access, etc.
Examples: Most qTL7.25-qTL7.5 computers give you this much access by default; physical barriers and checkpoints are the
typical access-control mechanism in this period. Many qTL7.75-8.5 OSes (notably DOS and CP/M) also give you this much
access by default. Rooting a device by using access elevation exploits also gives this much access.
Access 4: Enough access to the system to install and remove any non-system software and even some system software, shut the
system down, reboot it, add or remove user accounts, and do most of what the system is capable of. However, this is not enough
access to delete or modify critical system files or remove critical system software (or other software the user or manufacturer may
have “built in”). Users at this access level and above can restrict lower Access levels from reading, modifying or deleting files that
this Access level has access to.
Examples: Most workstations and smaller-sized computers before qTL8.5 once unlocked. Many smaller domestic computers have
appallingly low security through TL9.25 though.
Access 3: Enough access to do anything a normal non-administrative user could do on the system. You can delete, modify or
create files owned by the user account you have access to. You may be able to install some software at this access level, but it’s
often quite restricted. Many computers allow the user to reboot or shut them down through the interface at this Access level, but
OSes may be configured to deny reboot and shut-down access to users at this level; this doesn’t stop the machine from being
physically unplugged or rebooted or shut down using the physical power button (if it has any).
Examples: “Standard” user accounts on most desktop and personal OSes, a qTL8.25 innovation that did not become widespread
until qTL8.5. The usual level of access for most game consoles.
Access 2: Enough access to do anything the accessed process (running program) could do. This includes anything that program
could normally do. This amount of access is what is usually provided by a successful Code Injection. Access to files is normally
limited only to files the program needs to run or access at this level.
Examples: “Admin access” on most databases and game servers.
Access 1: The normal level of access a user has when logged into an account on most websites or remote systems. Users cannot
manage files or programs at this access level unless the software allows it.
Examples: Most websites, really.
Access 0: The default level of access to most ’net servers, such as when making searches, viewing web pages, watching videos,
playing online games, etc. You’re not even logged into a user account here. Users cannot manage files or programs at this access
level unless the software allows it.
Examples: Login and authentication prompts on most OSes and websites (or the equivalent). TL7 OSes often elevate you to
Access 5 upon successfully logging in, most TL8 desktop OSes elevate you to Access 3 upon logging in, and most websites elevate
you only to Access 1 upon logging in.
Equipment
New Computer Options
The following new options are available for computers:
• Video Game Console (qTL7.75+): The computer can only run video games (and only one at a time), but you may use the
computer with any video gaming skill instead of Computer Operation. Default Access level is either 0 or 3. Rooting a
computer with this option requires an access elevation exploit programmed as a trojan inside a video game or physically
replacing the ROM chip with one that removes the limitations. When the computer is rooted, it loses this option. No cost
multiplier.
• Firmware OS (qTL7.75+): The computer has an OS installed as firmware. Software Complexity is limited to that of the
firmware OS. This option is often seen in cybernetics. Cost multiplier is anywhere between ×0.2 and ×1; if a firmware-based
microcontroller would logically be integrated into a non-computer item, don’t increase the item’s cost unless the firmware
provides a skill, technique, advantage or perk. If a hacker or cyberneticist installs firmware that provides a skill, technique,
advantage or perk into any item of yours, including bionic limbs, they’ll usually ask you to pay the cost for a computer with
this modifier.
• Case Lock (qTL7.5+): The computer has a lock installed on its case to prevent unauthorised users from getting physical
access to its innards. It optionally also prevents users from physically rebooting or shutting it down, with an extra option
to lock away the power cable. Pick any lock available at the TL, then add the cost of that lock to the computer’s cost after
all CF and cost multipliers. Case locks may be bypassed with Forced Entry, but note that this has a good chance of
damaging the computer’s innards. Corporate computers often have this option. Not available for SM-3 or smaller computers;
tiny computers can still be locked up in a regular lockbox though.
• Wireless (qTL7.75+): Allows the use of wireless networks and peripherals. Before qTL8.5, add $1000 and 0.25 kg to
computers with this modifier. Wireless signals can be intercepted with EM Analysis (see above; target is the signal’s
encryption method/software).

Computer Interfaces and Peripherals


External interfaces may be bought separately as peripherals for pocket computers, small computers and workstations. Cost is
unchanged. Peripherals from an earlier quarter-TL are available at the price of a current peripheral; reduce cost as usual if buying
a peripheral from an earlier full TL. Computer terminals are usually bought as peripherals if the computer isn’t meant to be
portable - e.g., a desktop PC.
Standard terminals have the following changes:
• Don’t apply the ×0.2 weight modifier for standard terminals until qTL8.5; standard terminals before qTL8.5 give +1 to
Video Game Skill (Speedrunning) because CRTs don’t have input lag.
• At qTL8.25, you can buy a flat-screen terminal for $2500 (5× the price of a regular standard terminal). It has a ×0.2
weight modifier (weighing 2.5 kg) and doesn’t give the +1 to Video Game Skill (Speedrunning). A flat-screen terminal
can take any option a standard terminal can take at qTL8.25.
There’s a new modifier for all peripherals:
• Wireless (qTL7.75+): This peripheral exchanges data wirelessly with the computer(s) it’s connected to. Before qTL8.5,
add $1000 and 0.25 kg to peripherals with this modifier.
Without Wireless, peripherals come with a 1-metre cable; a longer cable (below) may be bought. Androids and robots may have
wired peripherals plugged into their cable jack; the 10-metre cable that Cable Jack comes with may be used as an extension
cable for this purpose.
There’s a new modifier for standard terminals:
• No Input Devices (qTL6.75+): The terminal doesn’t come with an input device; you cannot input anything into the
computer via the terminal, as it is basically just a computer monitor. You must buy input devices separately. This is the
default option for terminals bought as peripherals. ×0.9 cost, no change to weight.
The following new peripherals are available:
• Keyboard (qTL7.5+): A standard computer keyboard. 0.25 kg. $10; multiply cost by ×2 for fine quality (+1 to typing
tasks and video gaming) and by ×5 for very fine quality (+2 to typing tasks and video gaming); a cheap keyboard breaks on
a critical failure while using it. Halve cost for cheap quality (-1 to typing tasks and video gaming). If used with a terminal
without No Input Devices, use the higher of the terminal’s modifier and keyboard’s modifier if doing typing or video gaming
tasks. Use the higher of your mouse and keyboard’s modifiers for video gaming tasks, but always add the -1 penalty for a
cheap keyboard (cumulative with the penalty for a cheap mouse).
• Mouse (qTL7.5+): A standard computer mouse. 120 g. $10; multiply cost by ×2 for fine quality (+1 to video gaming)
and by ×5 for very fine quality (+2 to video gaming). Halve cost for cheap quality (-1 to video gaming); a cheap mouse
breaks on a critical failure while using it. If used with a terminal without No Input Devices, use the higher of the terminal’s
modifier and mouse’s modifier if doing video gaming tasks. Use the higher of your mouse and keyboard’s modifiers for video
gaming tasks, but always add the -1 penalty for a cheap mouse (cumulative with the penalty for a cheap keyboard).
• Game controller (qTL7.75+): Normally bundled with video game consoles. Acts like a mouse. Connecting multiple game
controllers to a computer allows split-screen multiplayer as long as the game supports it. 120 g. $20.
• Network/peripheral cable (qTL7+): Standardised cables and connectors don’t really exist before qTL8. 5 mm thick. 60
grams/metre. Price per metre varies before qTL8, $2 per metre at qTL8.25, $0.25 afterwards.
• Adapter (qTL7.75+): Needed if a peripheral or computer does not support a connected computer’s communication protocols;
protocols are usually standardised by qTL8.5. 120 grams. Price widely varies, but is usually not more than $100.
• Physical locks and identity verifiers (TL1+): May be bought as computer peripherals. Vulnerable to any kind of intrusion
that the lock or verifier would be vulnerable to if not bought as a peripheral. Add $50 to the device’s cost before qTL8.25;
afterwards, there is no mark-up compared to regular devices. Electronic verifiers and scanners may be used as peripherals
(with the Wireless option at qTL8.5+) without needing to be bought as such. The only peripheral option for these devices
is Wireless, above. (See HT205, UT102, UT104, UT105 and other sections of High-Tech and Ultra-Tech for options.)
If your computer (or video game console) lacks a keyboard - any terminal without No Input Devices counts as a keyboard -
typing-related tasks are at a -3 penalty and take twice as long if routine.

Television Screens
A television set may be used instead of a terminal. It
provides the effects of a standard terminal with No Input
Devices at that quarter-TL, including the +1 video gaming
bonus for CRTs. Flat-screen television sets become available
at qTL8.5.

Proxies
Proxies allow a computer user to do various network-based tasks with a degree of anonymity.
• Proxy server (qTL7.5+): Proxy servers may be used as a bonus for DoS/DDoS attacks. Critical failure on a network-based
attack using proxies means you’re being traced through the proxies (see Network Trace above). Minimum Complexity
of 3; does not require an interface (outside the built-in Machine Interface) since it’s accessed remotely. Has a RAT and
daemons installed. LC4.
• Rented proxy server (qTL7.5+): Works like a regular proxy server, except you don’t own it. However, if you lose rented
proxies to a failed DDoS attack, they’ll “regenerate” in 1 month (3 months at TL7, 10 days at late TL8+) as proxy IPs are
switched out. Unfortunately, this comes at a price: Roll versus (6 + 1d + Hardness) every month once for every organisation
you’re renting proxies from. If that roll fails, the organisation renting out proxies is raided or shut down and you lose all
proxies rented from that organisation, and failure by 5+ or critical failure means you are traced (see Network Traces below).
Base price is $10d/month at TL7, $2d/month at mid-TL8, $1d/month at late TL8+; roll once for each organisation renting
out proxies. Prices are for Hardness 5; add 15% for each extra level of Hardness or subtract 15% for each reduced level.
• “Zombie” proxy server (qTL8.25+): A botnetted computer used as an anonymous proxy. Each “zombie” allows you an
extra attempt at a network-based attack at no penalty. Like other proxies, these can be used for DDoS attacks, giving
the usual penalty for trace attempts. Roll versus (3 + 1d + Hardness) every month. Failure means you lose the proxy,
critical failure means a trace (see Network Traces below). $2d+3 each at mid-TL8, $1d each at late TL8+ (roll only once for
each seller if buying in bulk). Typically available only on the darknet. May be obtained for free by hacking low-Hardness
computers and installing an automated RAT. LC2.
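The monthly upkeep rolls for rented and “zombie” proxies can be worked out exactly. The Python below is an added example, not part of the supplement; it assumes the standard GURPS 3d6 success-roll and critical-failure rules (stated in the comments), and its function names and the sample Hardness range are illustrative.

```python
from fractions import Fraction
from itertools import product

# Exact distribution of a 3d6 roll: total -> probability.
ROLL_3D6 = {}
for dice in product(range(1, 7), repeat=3):
    total = sum(dice)
    ROLL_3D6[total] = ROLL_3D6.get(total, Fraction(0)) + Fraction(1, 216)


def is_failure(roll, target):
    """Assumed GURPS success roll: 3-4 always succeed, 17-18 always fail."""
    if roll <= 4:
        return False
    if roll >= 17:
        return True
    return roll > target


def is_critical_failure(roll, target):
    """Assumed GURPS rule: 18, or 17 at target 15 or less, or failure by 10+."""
    if not is_failure(roll, target):
        return False
    return roll == 18 or (roll == 17 and target <= 15) or roll - target >= 10


def monthly_outcome(base, hardness, trace_on_margin_5):
    """Return (P(proxies lost), P(traced)) for one monthly upkeep roll.

    base is 6 for rented proxies and 3 for "zombie" proxies, as given in
    the list above. The target is base + 1d + Hardness, with the 1d
    re-rolled every month. trace_on_margin_5 is True for rented proxies,
    where failure by 5+ also means a trace; for zombies only a critical
    failure does.
    """
    p_lost = Fraction(0)
    p_traced = Fraction(0)
    for extra in range(1, 7):  # the 1d added to the target number
        target = base + extra + hardness
        for roll, p_roll in ROLL_3D6.items():
            if not is_failure(roll, target):
                continue
            p = p_roll * Fraction(1, 6)
            p_lost += p
            traced = is_critical_failure(roll, target)
            if trace_on_margin_5 and roll - target >= 5:
                traced = True
            if traced:
                p_traced += p
    return p_lost, p_traced


def survival(p_lost, months):
    """Probability that the proxies are still there after this many rolls."""
    return (1 - p_lost) ** months


if __name__ == "__main__":
    # Constructed sample range; Hardness 5 is the supplement's price baseline.
    print("Hardness  kind     P(lost)/month  P(traced)/month  P(kept 12 months)")
    for hardness in range(3, 8):
        for kind, base, margin_rule in (("rented", 6, True), ("zombie", 3, False)):
            lost, traced = monthly_outcome(base, hardness, margin_rule)
            kept = survival(lost, 12)
            print(f"{hardness:>8}  {kind:<7}  {float(lost):>13.3f}  "
                  f"{float(traced):>15.4f}  {float(kept):>17.3f}")
```

Each rented-proxy figure is per organisation, since the supplement calls for one roll per organisation each month.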

Other devices
• Video game console (qTL7.75+): A computer with the Video Game Console option (see New Computer Options above)
and, in models having Complexity 3 or below, Firmware OS. TL8+ consoles typically come with specialised anti-malware
software that flags anything that isn’t a legitimate game as malware. Comes with a game controller, but no terminal.
(You’re expected to own a spare TV set or terminal.) Anywhere from $50 to $525.

Software and Tech Level


Computers cannot run software more than one quarter-TL ahead of their own, and unless the computer is Advanced, software
one quarter-TL ahead of the computer gets a -2 to its built-in skills and techniques and gives a -2 to Computer Operation (or,
if it’s a video game, -4 to video gaming skills) when using it; video games get -2 to video gaming skills on Advanced computers
one quarter-TL behind them.
Lightning Fast: You get +1 to video gaming skills if playing video games on a computer that is any of the below:
• One or more quarter-TLs ahead of the game.
• Has any of Advanced, Multiple Cores, Fast or Faster Than Light and is of the game’s quarter-TL. Note: If only Multiple
Cores applies, the game must have at least two cores to itself to get the bonus.
• Is of a higher Complexity than the game and of the game’s quarter-TL.
Programming Retro Software: Programming software and games for older quarter-TLs requires either taking any applicable
quarter-TL penalty on Computer Programming (or technique with that as a prerequisite) or having the skill at the target
computer’s quarter-TL. Make sure you’re also familiar with the target’s programming languages!

A Cornucopia of Software
Almost all software can be had for free, legally or illegally, so no costs are listed. If you want to establish prices for software,
you can research software prices for the quarter-TL or come up with your own. All software listed here requires Computer
Programming to program, obviously, aside from any other skills listed with the particular software (use the lowest modified
prerequisite skill).

Programming Quality
Add a +2 bonus to Computer Programming rolls for
cheap-quality software, or a +2 or +4 penalty for fine or
very fine quality, respectively. Cheap-quality software gives a
-2 penalty to whatever it does for you (and/or counts as
cheap equipment), whereas fine or very fine software gives a
+2 or +4 bonus (and/or counts as fine or very fine),
respectively, to whatever it does for you. Making
cutting-edge software (+TL/2 bonus) takes a penalty to
Computer Programming equivalent to the bonus the
software gives. Critical success on the software prototype
roll ups the quality by one step, up to very fine, and critical
failure lowers the quality by one step, down to cheap.
Security and quality: The above modifiers to Computer
Programming also affect the skill when used to determine
Hardness.

Multitasking software (qTL8+): Allows multitasking on a Complexity 2 or 3 computer that doesn’t otherwise have it built into
the OS. Complexity 2 or 3. Does not take up a running program slot unless it’s cheap-quality software.
Interface software (qTL7.75+): Allows use of an interface type not supported by the computer’s OS. Complexity is that required
to run the interface normally. Does not take up a running program slot unless it’s cheap-quality software.

Multitasking
Multitasking is the ability to run more than one program on
a computer at the same time; this feature is usually available
on computers of Complexity 3 and always available above it;
if not available on the computer, it can only run one
program at a time (daemons and programs started by them
don’t count).
Multitasking Skills: You cannot run multiple programs that
enhance or provide the same skill or technique at the same
time (technically, you can, but you can only use one running
instance of your choice), with the exception of access
elevation exploits. Running multiple identical hacks or
access elevation exploits counts as multiple concurrent
attempts (see Hardness above). You can run as many video
games as your Complexity and running software allow, but
you can only actively play one at a time (unless you have
Compartmentalised Mind).

Video games (qTL7.5+): Everyone knows what these are. Complexity for current-qTL games is usually either that of a medium
computer or workstation at the qTL or one level less. At qTL8.75-9, games are often Complexity 3 or 4.
Video game cheats (qTL8+): Often called “hacks”, but the worst they can do is annoy gamers and game server admins. Most
single-player game cheats require no roll to use, assuming you know about them and have them installed, but a few cheats (e.g.,
the infamous Konami code in qTL8 and qTL8.25) require a DX-based Games (Video Games) roll (or specialised DX- or
IQ-based Games skill or Hobby Skill for the game in question). Usually free; often built into single-player games. LC4.

Cheats or Hacks?
Hacks that exploit bugs in multiplayer games are often
bundled with cheats, which often leads people to call
the cheats “hacks” and gives multiplayer game cheats a bad
rap among game developers and game server admins.

Makin’ Cheats
To program video game cheats, roll a QC of Computer
Programming (-2 without Video Games familiarity);
complementary Computer Security, Hobby Skill
(Speedrunning) or Hobby Skill (Video Game
Cheating) provides +2 to this roll on a success and +4 on a
critical success. Programming cheats takes ((game Hardness
- game Complexity) ^ 2) minutes (minimum of 30 minutes).
Success means you have a working game cheat/hack with 1d
bugs and glitches; critical success means you have no bugs or
glitches and may even have 1d-3 (minimum 0) extra minor
features. Failure means you don’t have a working hack and
critical failure also means you think the hack works, giving a
-2 to video gaming rolls where you’re using the borked hack.
Having assembly code gives +2 and source code gives +5 to
programming rolls. If the game has anti-cheat or DRM, roll
a QC versus the game’s Hardness. You need to win the QC
to get a successfully working hack; critical success gives the
usual benefits provided you won in the first place.

Disassemblers, decompilers and deobfuscators (qTL7.5+): These are used to reverse-engineer software, giving a bonus to find
exploits and the like. LC4 in free societies, LC3 in more controlled ones.
• A disassembler allows you to disassemble software executables. At qTL7.5-7.75, disassemblers only support one CPU
architecture, but at qTL8+, disassemblers support most or all widely used CPU architectures. Complexity 2. Low-Level
familiarity plus familiarity with assembly language needed to avoid penalties when programming one of these; add another
-2 if programming for multiple architectures.
• A decompiler, usually bundled with a disassembler, gives an extra +1 to Computer Programming and Code Injection
on top of the +2 for having a disassembly. Fine decompilers raise that +1 to +2 and very fine ones make it +3 - equivalent
to having full source code. Unfortunately, some languages (C and C++, for example) can’t or don’t have fine and/or
very fine decompilers. Not available until qTL8. Complexity 3. Programming one of these is at a -6 penalty; Low-Level
familiarity (+2) plus familiarity with both the assembly and compiled language (+2 if you have both) negates up to -4 of
the penalty.
• A deobfuscator attempts to deobfuscate software binaries and/or disassemblies. A deobfuscator works on only one obfuscation
format. Some decompilers and disassemblers come bundled with one of these. See Deobfuscation for more.
Obfuscator (qTL7.75): Used to obfuscate software binaries to stymie disassemblers and decompilers. An obfuscator works on
only one language. Cryptography is required to program one; the prototype roll’s margin of success is the obfuscation bonus.
If taking at least +2 in extra time, you may opt to use Skill Level - 10 + Extra Time Modifier instead to determine the
margin of success. Complexity 3. LC4 in free societies, LC3 in controlled societies.
Deobfuscation
If a software binary is obfuscated (as is the case with most
popular video games), win a QC of the highest of
Computer Programming (-2 with Low-Level familiarity,
-4 without) and Cryptography (-2 for unfamiliar
obfuscation techniques) versus the software’s Hardness to get
a useful disassembly or decompilation. A disassembler and
both skills are required; you can’t use either skill at default.
Deobfuscation attempts take (Software Complexity ^ 2)
hours. A disassembly can never give more than +3 on
deobfuscated code. If using a deobfuscator, use its
programmer’s skills rather than the user’s. Programming a
deobfuscator requires the skills used to deobfuscate at the
same penalties, in addition to a deobfuscated disassembly in
the target obfuscation format; always use modified
Computer Programming as the software’s skill, even if
it’s higher than modified Cryptography.

Rainbow table (qTL8.25+): Required to use Rainbow-Table Decryption. Data, 100 GB. ×0.2 size for cheap quality (-1
penalty); ×3 size for fine quality (+1 bonus); ×10 size for very fine quality (+2 bonus). Size multiplier for quality also affects the
time taken by Rainbow-Table Decryption. LC4 in free societies, LC3 in more controlled ones.
Virtual machine software (qTL7.75+): Allows you to emulate a (usually older) computer or other electronic device on your
(typically newer and more powerful) computer. The Complexity of the emulated device and its software may not exceed the
Complexity of the “bare metal” machine, or Complexity - 1 if the emulated and “bare metal” architectures are significantly
different (e.g., ARM vs x86-64). Very alien architectures may limit emulation to Complexity - 2. VMs are often available to
emulate software from the previous TL, and may be available for software older than that. Hacks and access elevation exploits
(below) cannot break out of VMs. LC4.
Access elevation exploits and rootkits (qTL7.5+): Software used to exploit bugs or loopholes in OS or application programming in
an attempt to elevate access. A rootkit is exploit software specifically designed to elevate Access 4 to 5. These programs vary
widely in ease of use (typically from -4 to +2). Some of this software gives bonuses to Access Elevation for experienced users
(+1 to +3); many access elevation exploits and rootkits grant the programmer’s Access Elevation technique level when used,
allowing them to be used by unskilled “script kiddies” with only Computer Operation. LC3 in free societies, LC2 in more
controlled ones.
Firmware flasher (qTL8.25+): Software used to “flash” - i.e., overwrite - firmware, allowing a hacker to get Access 6 without
having to physically replace ROM chips. Needs at least Access 5 to use. Firmware flashers are often used legitimately to install
security updates to firmware. See Firmware Flashing above. May be bundled with rootkits and access elevation exploits to get
the Access 5 needed to flash. LC4 in free societies, LC3 in controlled societies.
Anti-malware software (qTL8+): Software designed to detect malware of all kinds, including code injection attempts. See Malware
and Anti-Malware below. Complexity 2 in qTL8 and qTL8.5; Complexity 3 thereafter. LC4.
RATs, scripts and daemons (qTL7.5+): These are software allowing a user (or hacker) to remotely or automatically control a
computer after it is installed.
• A RAT (remote-access tool) negates or reduces the -2 remote-use penalty to Computer Operation on a remote computer
that a hacker has access to, as well as allowing persistent access at the Access level it is installed at across reboots. You need
at least Access 3 (or, on more secure computers, Access 4) to install a RAT. Installing a RAT while the hacker has physical
access is a regularly employed hacking strategy. RATs are often “legitimately” used to monitor students’, employees’ or
children’s computers. “Black-hat” RATs are often bundled with hacks or access elevation exploits.
• Scripts are software designed to automatically perform various basic computer management tasks; scripts use the
programmer’s Computer Operation, plus modifiers from OS familiarities and interface quirks and perks, as a built-in skill.
Complexity 2. Scripts do not require installation to run. In GURPS terms, a script can use simple procedural if-then
statements and “while/until” loops to run other programs, including daemons and other scripts. Scripts can be as complex
as desired, but try not to go overboard. Multiple scripts can be executed at the same time.
• Daemons are software that starts other programs at a programmed time and/or frequency. Some daemons are easily
reprogrammable, giving between +1 to +5 to Computer Programming (no field familiarity needed) to reprogram them.
In GURPS terms, a daemon can run programs, including scripts but not other daemons, at its current Access level as
frequently as once per minute or at any set time; a daemon can start as many programs on as complex a schedule as desired.
Multiple daemons can be used to simplify organisation or if you need to start certain programs at certain access levels.
Installation requires at least Access 3. Does not take up a running program slot unless it’s cheap-quality software.
Hacks are software that automatically performs programmed operations for the hacker (or, for that matter, legitimate user).
At TL8+, hacks often have an access elevation exploit built in and can often copy themselves and spread. Hacks often don’t
require much more than basic Computer Operation to use, but Computer Security is needed to program them. Here are some
common types of scripts:
• Keylogger: Logs a user’s keypresses from whatever it has access to. Access 4 is needed to log computer and device passwords;
Access 2 is usually good enough for bank, chat and forum passwords and the like. Complexity 2 at minimum.
• Virus: Automatically copies itself. These hacks are usually high on the maliciousness scale, but some famous qTL7.75-8.5
viruses were relatively innocuous. Most viruses need at least Access 3 to run, but some sneaky higher-quality viruses can
run at Access 2. Complexity 2 at minimum.
• “Computer fryer”: Overloads processors, hard drives or other hardware with the goal of causing them to corrupt, jam,
overheat or burn out. See Burning Silicon below for the gory details. Must be of the computer’s Complexity to have any
effect. Very malicious; LC2 or less.
• Ransomware: Combination of a daemon and encryption software that encrypts the poor target’s user files and holds them
ransom unless the user pays money, typically in the $100-to-$500 range, but often much higher if a large corporate system
is targeted. If the ransom isn’t paid within a short period, usually 3 to 7 days, the files are deleted and wiped. Complexity
3 at minimum.
• Trojans: Hacks designed to trick the user into installing them, typically by looking like more legitimate software. Programming
trojans requires first having a copy of the legitimate software to bundle with, as well as a copy of the software to be concealed.
Roll a QC between the trojan author’s Computer Security and target’s higher of Computer Security and Detect
Lies when the target installs the trojan; if the user wins, he realises it’s a trojan and doesn’t install it (or removes it
immediately); on a tie, he realises after installation. Use the target’s Hardness in the QC if you’re trying to trick the
computer itself rather than its user; sentient AI targets use the highest of Hardness, Will, Expert Skill (AI Security)
and Detect Lies. Trojans may have up to the bundled legitimate software’s Complexity, but get a -2 to the author’s side
of the trojan QC if not lower than the legitimate software’s Complexity.
This software goes by many other names - e.g., trojans, viruses, botnets, worms - but all belong to the same basic two types. LC
varies depending on maliciousness.

Learning Obsolete Skills


Educational institutions often offer courses for qTL-based
skills up to four quarter-TLs behind and may even offer
courses for skills from further back (though probably at a
premium). You can also self-learn as per Social Engineering:
Back to School as long as information about the obsolete
version of the skill is available. Research rolls to get at this
information are often at a penalty because info on obsolete
tech can be hard to find.

Burning Silicon

“Computer fryers” are some of the most malicious hacks out there, but fortunately also the least commonly used by professionals
in the trade. Once installed, running and past the computer’s defences, roll a QC of the hack programmer’s lower of Electronics
Repair / Engineer (Electronics) (use the higher electronics skill) and Computer Programming (Low-Level field) versus
Hardness to fry a computer. If the hack wins, the machine is damaged, requiring repairs worth (Margin of Winning × 10%)
of the computer’s cost. If the poor computer has a critical failure or loses by more than 5, it’s a useless doorstop now; there’s too
much damage to repair. Bomb Squad: Fryers require several minutes to run, so an attentive computer user might be able to kill
the program before it does any damage; see Sysadmin! above, but use the fryer programmer’s Computer Programming for
the attacker’s side in the QC.
Why Would You Ruin a Perfectly Good Computer?
If you have physical access to the machine, a spray of dust or
a spilled cup of water (or coffee, the IT guy’s favourite) is
much faster and usually more reliable (but less stealthy)
than a computer fryer. Spilled liquids fry electronic
motherboards and the dust clogs fans, giving the same
effects as a critical success by a computer fryer. These
methods likely won’t work on machines made after qTL9.5
and definitely won’t work on waterproof or ruggedised
computers.
Rushed? If you’re in a rush, you’ll need to roll DX to ruin a
computer you have physical access to. On a success, the
machine is damaged, requiring repairs worth (Margin of
Success × 10%) of the computer’s cost. On a critical
success, it’s a useless hunk of silicon (or other kind of
computronium) now. Failure means the liquid spill or dust
spray didn’t damage anything. Critical failure means you’ve
blinded yourself for 1d turns if trying to spray dust (those
with Nictitating Membranes are immune), or spilled the
liquid on yourself if trying to spill liquid.
What Else? A gunshot might do the trick; you don’t need to
roll to hit unless rushed or the computer is really small or
large. Do feel free to come up with other weird and wacky
ways to ruin perfectly good computers if the above methods
aren’t quite enough.

Getting RATty
Winning a Quick Contest of Soft Hacking versus a
computer user’s Computer Security or social counter skill
lets you convince the user to install a RAT for you if he has
at least Access 3 (assuming installation at that access level is
allowed, otherwise Access 4); the RAT will have the user’s
current Access level. The targeted user obviously must be
able to download or otherwise obtain the RAT in order to
install it.

Malware and Anti-Malware


Software that uses or was installed with exploits, as well as
most LC3- software, is called malware. Malware may be
detected by installed anti-malware software. Roll a QC of
the malware creator’s lower of Computer Programming
(penalised by lack of Low-Level familiarity) and Computer
Security versus the anti-malware software’s Hardness when
the malware is installed and then every time the malware
attempts any kind of access elevation. Use the best
anti-malware program installed on the system. If the
defender wins, the malware is detected and, if the
anti-malware software has at least as much Access as the
malware, often quarantined and removed by bundled scripts.
As for firewalls, those are already factored into Hardness;
“smart” firewalls act like anti-malware software. Hackers and
other users with enough Access to stop or bypass an
anti-malware program can add exceptions for their own
programs, but an admin can see these exceptions.
Anti-malware programs cannot scan files they don’t have
enough Access to read and can only detect malware at
Access 6 if running as firmware at Access 6.
Remote Computer Operation
You get a -2 penalty (in addition to the usual unfamiliarity
penalties) to Computer Operation on a remote computer
- i.e., one you don’t have physical access to. This -2 penalty
can be negated by installing a RAT on the target computer;
RATs allow routine use of remote computers.

Access control programs
There’s a wide variety of software available for controlling access to a computer system or program,
especially after qTL8. The access control programs below are listed in order of the TL at which each first appears. After qTL8, most access
control software is built into the OS.
How access control works: Access control programs can grant access to the computer at their installed Access level or any level
below it, and can run additional programs of any kind upon authentication, in addition to or instead of granting a higher Access
level to an authenticated user. These programs can drop an unauthorised user’s access level to any level below the one they’re
running at, not to mention that they allow Access levels below 5 to exist in the first place.

Access Levels and You


Access control programs for non-OS programs often run at
the associated program’s Access level for the extra security,
but those for OSes almost always run at Access 5.

Secure Access
Access control programs come in four quality levels:
Cheap (qTL7+): Practically only keeps the honest out.
Treat as an out-of-date cheap program.
Standard (qTL7+): Your standard no-frills security.
Available at any TL where access control programs are
available.
Secure (qTL8+): Can be set up to lock up the system or
program after a programmed number of failed
authentication attempts. Minimum required Complexity is 2.
Equivalent to fine.
Very secure (qTL8.25+): Attempts to use access elevation
exploits are cumulatively penalised (see Hardness above).
The program can be programmed to trigger other programs
(usually anti-malware software) and/or notify someone
(usually the owner or an admin) upon failed authentication
or a breach attempt. Minimum required Complexity is 3.
Equivalent to very fine.
Yes, a very secure access control program can be set to
trigger other access control programs upon failed
authentication or a breach attempt.

Here are some common examples of access control programs:


• Hardware lock switch (TL1+): Technically not software, this type of access control is basically a regular old lock or identity
verifier used as a switch to power on the computer; the computer can’t be accessed at all (not even Access 0) if it isn’t
powered on. Any kind of lock or verifier available at the TL for physical access control may be used as a hardware lock.
Intrusion is as for any other lock (using Lockpicking), but Electronics Repair or Forced Entry can be used to bypass
it; make sure to also add the Case Lock option to the computer for extra security! The price for this kind of access control
is that of the lock.
• Password prompt (qTL7.25+): A basic password prompt. Does not allow multiple user accounts on the system. Complexity
1.
• Basic identity verifier (qTL7.25+): This is a program combined with a lock or other verification device installed as a
peripheral (usually still built into the computer to prevent tampering). Successful authentication accesses whatever is locked
behind the program. No user account support. Complexity 1.
• User account prompt (qTL7.5+): Allows multiple user accounts on the system. The secure option allows users’ access levels
to be customised on a per-user basis. Complexity 2.
• Advanced identity verifier (qTL8+): This program requires one or more identity verifiers bought as peripherals – the
more verifiers used, the better the security (hopefully). Supports multiple user accounts. (See Computer Interfaces and
Peripherals above.) Complexity 3.
• Infomorphic identity verifier (qTL9.5+): Essentially a smart AI/infomorph verification program; uses connected peripherals
and/or installed interfaces for verification. See Gaming User Identification on p. 124 of Transhuman Space: Fifth Wave for
rules regarding this kind of program. Complexity 6.
Other kinds of access control programs may exist in the setting. Consult your GM for details.
