NEWS

Commlinks and Personas

  • 64 Replies
  • 12521 Views

Reaver

  • *
  • Prime Runner
  • *****
  • Posts: 6422
  • 60% alcohol 40% asshole...
« Reply #45 on: <05-26-22/1310:10> »
Just caught this bit while looking up Certified Credsticks:

Quote from: Sixth World, Core Rulebook, p. 272
A credit account is a Matrix bank account accessible via your commlink as long as you are on a grid. Transactions require passcode or biometric verification to be authorized, hence the reason for a biometric reader on your commlink. The digital transactions from these accounts leave a trail that, while it can be hidden or concealed, is entirely too traceable for serious criminal activities. Each account must be registered to a particular (usually fake) SIN, unless the account is handled by an anonymous underworld banking service (with its own risks and complications). The cost of banking services is included in your lifestyle costs if you’ve got a Low Lifestyle or better—otherwise you’ll need to keep all your money on credsticks. If a fake SIN attached to an account is burned, the money is lost.

From that, it says to me that if you're purchasing anything and NOT using a certified credstick, the commlink attached to your account has to have biometric reader so it can identify you and allow access to your account. I'd GM that to mean that, to access your persona is akin to accessing your SIN/Accounts, and it identifies you with a bio-reader. If you don't use a bio-reader to identify yourself, it's a generic persona/icon that has all the limited abilities and access of a public PC in the library.

See, THIS makes sense.

The SIN contains your Biometrics already. So when you want to purchase something online, Your Persona wonders up to the item and hits the Buy button. Which in turn triggers a challenge/response from the Persona, <Please confirm biometrics to complete purchase> So you jab your thumb on the reader, which tracks back to your SIN and accounts. IF the biometrics match the SIN (and why wouldn't it... you're not a criminal... ARE YOU?!!), the SIN unlocks the bank account, money is taken out of the account (through the Persona's actions), and the item is registered to you.

I would imagine that an item that required a license would also run a check for said license at the same time, but before the funds were taken from the accounts....



And this makes sense to me, because it features the SIN (you know, that thing that
Quote
A SIN identifies a
person in the global information system and is attached
to every piece of information associated with them in
the Matrix 
)

And fits in with canon, and is reasonable to what should happen....


But this SIN/Persona/OWnership no touchy no talky no connection..... just doesn't fly.
Where am I going? And why am I in a hand basket ???

Remember: You can't fix Stupid. But you can beat on it with a 2x4 until it smartens up! Or dies.

Reaver

  • *
  • Prime Runner
  • *****
  • Posts: 6422
  • 60% alcohol 40% asshole...
« Reply #46 on: <05-26-22/1328:20> »
Quote

No.  That's NOT what I'm saying.

SINs are not tied to the matrix recognizing ownership of a device.

Personas are not tied to the matrix recognizing ownership of a device.

Matrix ownership is its own distinct concept independent of SINs and Personas.
So, how do you track who owns what? IF they are all separate, then none of them are talking to each other. The SIN knows I live at 166-666th street, because it has the record of the land titles office attached to it, And the Mortgage papers are digitally signed in my name. So how does My Persona know that I "own" that house if its not talking to my SIN?

Quote
How does the cop that pulls you over for Speeding in downtown core, verify:
1: that you are allowed to drive?

They submit your driver's license thru the SIN verification system (same thing checks licenses)

Quote
2: that you actually own (OWNERSHIP!!!! in this case, personal Property!) the car?

They submit your driver's license thru the SIN verification system (same thing checks licenses)

What if I am remotely piloting my car so I am not there?
IF I bought the car online, with certified cred, how does my SIN know l own that car? Something has to be talking to each other... somewhere

3: that you car (if you own it) is insured?

Actually insurance is not a thing, strictly speaking, as a rules mechanic.  But if it were it'd be some combination of lifestyle to cover the cost, and having a convincing license as a means by which to verify your insurance is current.

Oh I can assure you, Insurance is VERY MUCH a thing in Shadowrun :P But as you say, its probably absorbed into the lifestyle.

Which is another point...
IF everything is "separate" as you say, then that's even MORE of a clusterfuck! the Matrix "knows" I own a subscription to "Murdercross Maddness", but my Persona doesn't know the passcodes - Cause they DON'T TALK TO EACH OTHER!!

That Bike I bought with certified Cred, ISN'T registered to my SIN, So I can't park it anywhere, nor can I insure it because my SIN doesn't know I own it! But My Persona Knows!

I can't get into my house cause my Persona can't wirelessly unlock the door, because it doesn't know I have a lease for it on my SIN!!!


And to top it off.... I'm off to jail! Because the Matrix ownership doesn't talk to my SIN, so when I put my LEGALLY 'Possessed" gun into my jacket, The Matrix Ownership flagged for having stolen property, and a dangerous weapon to boot!
Where am I going? And why am I in a hand basket ???

Remember: You can't fix Stupid. But you can beat on it with a 2x4 until it smartens up! Or dies.

Dreamwalker

  • *
  • Newb
  • *
  • Posts: 39
« Reply #47 on: <05-26-22/1407:05> »
Can you really be considered a matrix owner of a wireless enabled device  if you have zero matrix presence. If you never access the matrix and you don't have a matrix persona then to whom should the previous matrix owner legally transfer the matrix ownership to...?
It is a valid question. What subject would said ownership be linked to if there is no digital identity?

Note that if you're not even IN AR, then you have no persona, and the question of authenticating your not-used persona is moot ;)

[..] what is explicit is that you only have a persona when accessing the matrix through a device with the proper matrix attributes. So by extension then it can be concluded that if your not fully accessing the matrix (through a minimum of AR) then there is no persona generated.
And how is authorization for matrix service access granted in an unauthenticated context, i.e., if there is no prior authentication of non-AR/VR users? Authentication is always a prerequisite for non-trivial authorization. Do non-AR/VR users (such as AR vertigos avoiding nauseating experiences) not have access to secured matrix services or are there different means to prove who you are?

Xenon

  • *
  • Prime Runner
  • *****
  • Posts: 6467
« Reply #48 on: <05-26-22/1517:44> »
Dude, Stop. JUST STOP. LISTEN TO ...
Reaver, please calm down a notch ;-)

To SSDR's defense when you posted the citation of "owned property" from SR4 I too thought about owned real-estate. I was not reading it as literally everything you own, like pants, watches, plants, mirrors, computers etc. Going by the literal meaning of the word property (which you provided a few times now) you are of course correct. I don't think this is what we are debating here.

The reason why I think there is still a discussing around the word "property" is because you included a citation from SR4 that mention that owned property is linked to SINs. This citation was never included in SR5 (nor SR6). There is no mentioning of the word property in relation to SIN in SR5. So no matter what the original intent was in SR4, in SR5+ SIN does not seem to be required in order to buy things. There does not seem to be a hard link between ownership and SIN (anymore). If your SIN is burned your (now) get to keep items that you bought. The exception here are licenses and bank accounts from respected financial institutes. They are tightly connected to one of your SINs and if that specific SIN is burned then so are you licenses and bank accounts associated with that specific SIN.


What IS the point, is how that OWNERSHIP is tracked.
If I (or rather my representation in the matrix, my matrix persona) in 5th edition have matrix ownership of a matrix icon (equivalent of 4 marks) that belong to a physical object (a device icon) then I can choose to legally transfer my ownership from my matrix persona to you and your matrix persona. This process take about one minute. The original author have confirmed that this have to be while both you and the device is online. It seem to involve registering the new owner of the device in a series of secure online databases.

It seem as if I can transfer matrix ownership to you no matter if you have a SIN or not. Having a SIN or not does not seem to be part of the ownership equation. At all.


The majority of people in SR do their shopping online. (you can see that in just about every write up about the matrix, or buying stuff.) Heck, even today, online shopping is outpacing store shopping.

BUT, from what you are saying, this is impossible! As there is no "Tracking" in the matrix... No logging... nothing to follow, nothing to confirm, nothing to verify back to.
Payment:

When you pay with your credit account then it seem as if the transaction is logged, confirmed and validated by the bank where you have your credit account. The data trail seem to lead back to you and the SIN you originally used when you applied for the bank account. In a sense there is a financial record that link the product back to your SIN, however, matrix ownership of the device you bought is not linked to the SIN your bank account is connected to. Once you bought the device you can choose to transfer ownership to someone else without leaving a financial data trail that is connected to your or the recipients SIN. All the logs will show is that at one point you used your bank account to successfully buy the item. Nothing more. Nothing less.

When you pay with a certified credstick then the transaction seem to still be logged, confirmed and validated by the bank that certified the credstick. But the data trail instead leads back to the certified credstick that was used in the transaction rather than a bank account connected to a specific SIN. It seem as if a certified credstick belong to whoever is in possession of it. Credsticks does not seem to have any legit matrix owner. If I choose to give the physical credstick to someone else (or someone physically steal the certified credstick) then there does not seem to be anything stopping him from transferring founds to or from the credstick or to use it in transactions to buy stuff with it. There is nothing linking transactions made with a the credstick back to me. All the logs will show is that at one point someone used a credstick to successfully buy an item. Nothing more. Nothing less.


Ownership:

Once the financial transaction (either with a bank account or a certified credstick) is approved by the bank (or if the previous owner decide to just gift you the item without payment or perhaps you traded goods or services for the item) the previous owner will file a motion to transfer ownership over to you. This seem to be a process that take about one minute. Once ownership transfer is complete it seem as if you you will be considered the new legit owner of whatever you bought. As its new matrix owner you can automatically spot it and you can also trace its physical location.

An alternative is that you illegally try to transfer ownership of the thing from its previous owner. This seem to require that you are physically in possession of the item and that both you and the item are connected to the matrix for a lengthy period of time. Once ownership transfer is complete you will be considered the new legit owner.

It does not seem as if you need to be a legit citizen in order to be considered the owner of a wireless device. There does not seem to be any requirement that you have a SIN (legit or otherwise) here, but it does seem as if you need to be connected to the matrix in order to become the new matrix owner of the device.


How does the cop that pulls you over for Speeding in downtown core, verify:
1: that you are allowed to drive?
Cop can check that you have a general driver's license attached to the SIN that your matrix persona is currently broadcasting (note that example characters in SR5 doesn't have driver's licences on their fake SINs but example characters in SR6 do). Cop can also run your SIN through his SIN validation unit to validate that you are are a legit citizen (not using a fake SIN).

Cop can also verify this remotely over the matrix even before he decides to pull you over (and depending on what type of security zone you are driving around in, not broadcasting a SIN at all might be a sure red flag for the cop to pull you over).


2: that you actually own ... the car?
Actual ownership of a device seem to be handled by a registration that is maintained in multiple and redundant databases across the Matrix (separate from personas and SINs).

In 5th edition it is also not even mechanically possible for anyone but the real owner to instruct the car's auto pilot (a hacker could perhaps try to spoof commands to the car's auto pilot, but only while they have a mark on the car's legit matrix owner).

It is also not mechanically possible for anyone to remote control the car unless they are the car's owner of if the car's owner have invited them to place 3 marks on the car (a hacker can temporarily remote control the car if he tricked or forced 3 of their marks onto the car's device icon, but in 5th edition it typically take GOD just an hour or so to converge on a hacker that have not rebooted yet).

Grand Theft Auto doesn't seem to be as easy as it perhaps used to be back in 2022.



See, THIS makes sense.

The SIN contains your Biometrics already. So when you want to purchase something online, Your Persona wonders up to the item and hits the Buy button. Which in turn triggers a challenge/response from the Persona, <Please confirm biometrics to complete purchase> So you jab your thumb on the reader, which tracks back to your SIN and accounts. IF the biometrics match the SIN (and why wouldn't it... you're not a criminal... ARE YOU?!!), the SIN unlocks the bank account, money is taken out of the account (through the Persona's actions), and the item is registered to you.
This might make sense from a 2022 security engineer point of view. But if you rule it like this, then how do you explain that it would work if the bank account is linked to a fake SIN (as fake SINs doesn't have copies of its owner's biometrics on file).

We are back to Gattaca where criminality and impersonation is rendered almost impossible and leaving a single hair at the wrong place will immediately will give you away.

NOT a very good setting for a game where players are supposed to be able to act outside the law, saying within the shadows.



...
(Before we start to compare apples and oranges note that me and I think Reaver as well are discussing how it used to work in SR5 while Banshee is talking about how the matrix works now in SR6).

Dreamwalker

  • *
  • Newb
  • *
  • Posts: 39
« Reply #49 on: <05-26-22/1620:33> »
(Before we start to compare apples and oranges note that me and I think Reaver as well are discussing how it used to work in SR5 while Banshee is talking about how the matrix works now in SR6).
I know. Reliable attribution of matrix-related privileges seems to be a persistent issue across editions.

Stainless Steel Devil Rat

  • *
  • Errata Coordinator
  • Prime Runner
  • *****
  • Posts: 4572
« Reply #50 on: <05-26-22/1812:00> »
On the topic of biometric locks on a commlink:
They don't do anything more than what biometric locks do on a gun.  Biometric locks on a commlink make it so that someone else cannot use your commlink to access the matrix. 

When an online financial transaction requires a SIN verification, it can't just query the persona because SIN data is not tied to your persona.  It's as simple as that.

« Last Edit: <05-26-22/1908:28> by Stainless Steel Devil Rat »
RPG mechanics exist to give structure and consistency to the game world, true, but at the end of the day, you’re fighting dragons with algebra and random number generators.

Odsh

  • *
  • Chummer
  • **
  • Posts: 151
« Reply #51 on: <06-03-22/1736:44> »
There is no mentioning of the word property in relation to SIN in SR5. So no matter what the original intent was in SR4, in SR5+ SIN does not seem to be required in order to buy things. There does not seem to be a hard link between ownership and SIN (anymore). If your SIN is burned your (now) get to keep items that you bought. The exception here are licenses and bank accounts from respected financial institutes. They are tightly connected to one of your SINs and if that specific SIN is burned then so are you licenses and bank accounts associated with that specific SIN.

Given your thorough and extensive knowledge of the rules, I have no doubt that this is RAW.

But it doesn't really make any sense. It should be trivial to link a SIN with a persona and this link would make crime fighting so much easier. It's like deliberately separating someone's national security number from his fingerprints.

Basically we're asked to forego common sense just to make the rules work.

Stainless Steel Devil Rat

  • *
  • Errata Coordinator
  • Prime Runner
  • *****
  • Posts: 4572
« Reply #52 on: <06-03-22/1820:54> »
But it doesn't really make any sense. It should be trivial to link a SIN with a persona and this link would make crime fighting so much easier. It's like deliberately separating someone's national security number from his fingerprints.

Basically we're asked to forego common sense just to make the rules work.

We're not being asked to forgo common sense.  We're being asked to accept that, given the aftermath of a global comms catastrophe the powers that be decided to employ a network that they couldn't fully control, much less fully understand...but was on-hand at the time and ready to be exploited.  Choosing to do so when it's NOT an emergency might be a bit of suspension of disbelief... but during an emergency?  Less so, for sure.  A decade or two in, they're so fully in that bed it's not cost effective to perform yet another clean slate and start over with yet another matrix where you CAN link SINs to Personas.
« Last Edit: <06-03-22/1823:20> by Stainless Steel Devil Rat »
RPG mechanics exist to give structure and consistency to the game world, true, but at the end of the day, you’re fighting dragons with algebra and random number generators.

Hobbes

  • *
  • Catalyst Demo Team
  • Prime Runner
  • ***
  • Posts: 3078
« Reply #53 on: <06-03-22/1826:49> »
SINs are issued by many entities, corps, governments, ect.  None of them want to share data with each other.  Even internal sharing of sensitive data is tightly controlled.  Do you think a Megacorp wants it's rent-a-cops to have access to the CEO's Biometric data?  No.

And nobody fights crime.  Nobody actually cares who did what.  Lone Star and the rest are paid to keep the status quo.  If some justice gets done along the way, that's fine as long as it didn't cost anything. 

The SIN registry is just there to validate, "Yes, that SIN is a valid SIN."  that's it.  Because that's all the corps could agree on.

Odsh

  • *
  • Chummer
  • **
  • Posts: 151
« Reply #54 on: <06-04-22/0401:09> »
A SIN in itself is just 12 alpha-numeric characters that hold information like name, birthdate, birthplace, gender and metatype. Sharing a SIN doesn't share biometric data, in fact nearly everyone does so through the Global SIN Registry.

I agree that corps don't necessarily share biometric data associated to a SIN with each other - at least not those of their stand-up citizens. And maybe nobody cares about fighting crime, but I'm sure as hell that a corp would want to know when a SIN associated to the persona of notorious Shadowrunner is spotted lurking in the proximity of one of their top secret labs.


We're not being asked to forgo common sense.  We're being asked to accept that, given the aftermath of a global comms catastrophe the powers that be decided to employ a network that they couldn't fully control, much less fully understand...but was on-hand at the time and ready to be exploited.  Choosing to do so when it's NOT an emergency might be a bit of suspension of disbelief... but during an emergency?  Less so, for sure.  A decade or two in, they're so fully in that bed it's not cost effective to perform yet another clean slate and start over with yet another matrix where you CAN link SINs to Personas.

I'll try my best to amp up my suspension of disbelief to max.

In summary:
  • An individual's persona is unique
  • You can't change your persona
  • Nobody fully controls or understand the matrix. Suffice to say that it allows certain interactions and will fight any non-conformant activity like an immune system reacting to an interloper.
  • The matrix is able to link non-conformant matrix activities with your persona. But only so until you reboot.
  • Your persona has certain access rights in the matrix (ownership, whatever). They are either granted to you in a way that the matrix likes and will remember in between reboots. Or they are forged in a way that the matrix doesn't like and will forget after a reboot.
  • Apart from the cases mentioned above, nobody and nothing is able to persist any data related to a persona that would allow them to identify that persona in the future

Do I miss something?

Xenon

  • *
  • Prime Runner
  • *****
  • Posts: 6467
« Reply #55 on: <06-04-22/0535:15> »
It should be trivial to link a SIN with a persona and this link would make crime fighting so much easier.
I see SIN as the equivalent of having a green card. Proof that you are a legit citizen.
And I see matrix persona as the equivalent of your combined steam+facebook+microsoft+google account. Your internet identity.

You have persons who lives in a country without having official permission to live there using the internet in 2022.
You have SINless people using the matrix in 2082.
Same thing really.


Your persona has certain access rights in the matrix (ownership, whatever). They are either granted to you in a way that the matrix likes and will remember in between reboots. Or they are forged in a way that the matrix doesn't like and will forget after a reboot.
This is perhaps not so different from how authentication (and authorization) worked back in 2022.

When you accessed a resource, web page, etc (or accessing the matrix) you typically showed your credentials to a third party token provider. A federation gateway of sorts that both the client and the server was trusting (such as keycloak). You are given a token. Instead of providing your credentials every time you click on a link you instead use and reuse the same token for all API calls you make (think single sign on). On the server side they never really saw your username and password. They just saw your token. And they asked the federation gateway if the token was legit or not. They could track all the calls you do with this token, but once you log out (or the token expire) and again wanted to access (when you reboot your matrix persona) you would again have to show your credentials - and even though you were still using the same internet user (matrix persona), the token you would receive the second time would be a different token than the last time you accessed the same resource.

I am not suggesting that the matrix is using OAuth2.0, but it could perhaps serve as en example to better understand why it is not completely impossible that you would start out fresh each time you access the matrix.

Odsh

  • *
  • Chummer
  • **
  • Posts: 151
« Reply #56 on: <06-04-22/0738:00> »
That analogy is a bit far fetched if I may.
The token in the OAuth flow is a way to grant authorization to a third party app without communicating your login/password. It doesn't mean there is no way to link suspect activity tied to that token with the corresponding resource owner.

Xenon

  • *
  • Prime Runner
  • *****
  • Posts: 6467
« Reply #57 on: <06-04-22/0812:13> »
Overwatch score could be seen as the abstraction of the act of keeping track of suspect activity tied to that specific "token" or the current "signature" that was generated for the persona last time it accessed the matrix. Once OS reach 40 GOD have gathered enough suspicious activity revolving this specific "signature" that it converge on it. From this point this "signature" is "burned" and "monitored" and you can never execute matrix actions using this token. But if the client (the persona, the internet account - the equivalent of the combination of username and password) go offline or reboots before this then the link to this specific "signature" is broken. If the persona access the matrix again then it will do so with a new fresh "signature" that is not linked to any suspect stuff. The resource owner (the host or PAN) is never really directly aware of which specific internet user (username, password, email, phone number, etc) that was performing the hack. Only the specific temporary 3rd party generated signature it had while it was still online.

Yes of course I understand that the analogy is not perfect (and also there is no talk about tokens at all in Shadowrun, nobody will use web tokens 50 years from now), but I still think it should be good enough for you to get an an idea of how it is perhaps not impossible how a persona could be considered white as snow after each reboot as the mechanics seem to dictate.

If you have a better analogy then feel free to use (and perhaps share?) that instead.

Stainless Steel Devil Rat

  • *
  • Errata Coordinator
  • Prime Runner
  • *****
  • Posts: 4572
« Reply #58 on: <06-04-22/1359:00> »
A SIN in itself is just 12 alpha-numeric characters that hold information like name, birthdate, birthplace, gender and metatype. Sharing a SIN doesn't share biometric data, in fact nearly everyone does so through the Global SIN Registry.

I'm not going to argue about whether that was NEVER accurate, but it was not accurate as of 5e at least.  Legit SINs (and good/high ranking Fake SINs) in 5e and 6e absolutely include biometric data.

Quote

I'll try my best to amp up my suspension of disbelief to max.

In summary:
  • An individual's persona is unique
  • You can't change your persona
  • Nobody fully controls or understand the matrix. Suffice to say that it allows certain interactions and will fight any non-conformant activity like an immune system reacting to an interloper.
  • The matrix is able to link non-conformant matrix activities with your persona. But only so until you reboot.
  • Your persona has certain access rights in the matrix (ownership, whatever). They are either granted to you in a way that the matrix likes and will remember in between reboots. Or they are forged in a way that the matrix doesn't like and will forget after a reboot.
  • Apart from the cases mentioned above, nobody and nothing is able to persist any data related to a persona that would allow them to identify that persona in the future

Do I miss something?

Yes, that's at least 95% what I believe is accurate.  The quibbles are:
on point 2, you can change the outward appearances of your persona, but it can only possibly trick people who aren't bothering to do any sort of verification.   If I, persona SSDR were to impersonate persona Odsh for the purposes of making persona Xenon think you said whatever I tell them, the way that'd be handled via the rules is by hacking the target I mean to deceive, not the target I mean to impersonate.  So I'd hack Xenon to think Xenon is talking to Odsh, rather than hacking Odsh to steal whatever technobabble makes Odsh Odsh.

Exactly the same concept for "using" an employee's work credentials to trick the work host into thinking the employee is entering the host.  If I change my persona to 0dsh it might trick Xenon into thinking I'm Odsh if he's not paying close attention, but that sort of fuckery won't work on automated systems like a host.  The host has to be hacked, not a persona.

on point 6, that's completely inaccurate due to how it was semantically presented.  What would be accurate is to say that "Apart from the cases mentioned above, nobody and nothing is able to persist any data related to a persona that would allow them to correlate that persona with its real world user."  Even then, what is truly *possible* isn't necessarily known.  Maybe someone can, but if so they're not talking.  But what's important is Big Brother can put together a dossier on personas SSDR and Odsh, and where the authorities are willing to share data perhaps even put case files together tracking our various matrix hacks, even when we change up the outward presentations of our personas (see point 2), but unless we literally leave our real world deets behind somehow, these dossiers on persona activity won't tie back to a real life user.  Maybe a spider or tracker IC learn we often hack from a given real world address.  Maybe that means we live there, but it could also mean we simply habitually go there to hack... contextually it could link to a real life identity but not directly.  Likewise providing a SIN during an online purchase is certainly a juicy hint, should Big Brother find that, but technically it doesn't mean that's the persona's SIN.  maybe they're buying for someone else... but certainly it's a hint you could be, or at least know, that real life person.   Using fake SINs for online purchases may well be nearly as common as using VPNs in the real world, simply for the actual anonymity it affords, even to legal citizens.
RPG mechanics exist to give structure and consistency to the game world, true, but at the end of the day, you’re fighting dragons with algebra and random number generators.

Odsh

  • *
  • Chummer
  • **
  • Posts: 151
« Reply #59 on: <06-04-22/1528:57> »
but unless we literally leave our real world deets behind somehow, these dossiers on persona activity won't tie back to a real life user

I really don't mean to come out as being stubborn.

If I was a corp, the first thing I'd do is to force anyone to leave real these world deeds behind.

"You want a SIN? Sure, please log into the matrix through that terminal while we collect some biometric data."