It is an established fact that government use computer hackers to acquire information from hostile sources. In the 2008 presidential campaign, foreign governments are know to have hacked the computer systems of both the Republican and Democratic campaigns. According to publicly available information, the goal was to learn about policy positions of the campaigns, ostensibly to determine which candidate would be more favorable to the hacking nation (or nations).

There's another really good reason to attack a campaign server though. Suppose that the government in question had a distinct preference for one candidate over another. After hacking in to a campaign website to learn about their internal policy planning, they might modify the polling reports. If a state by state tracking poll was altered so that a candidate looked to be doing a couple of points better there than they really were, it would affect resource allocation for that state campaign. A candidate might pour resources into a state where it looked like they had a chance, especially if it was relatively high value like Michigan or Pennsylvania. That would divert resources from another state, where the opposition (which is favored by the foreign government), would be able to make inroads.

I'm not suggesting anything like that actually happened in the current election. But there's no reason that it couldn't happen in your game world. If you run a game with a political component, this kind of skulduggery would make your hacker characters very valuable, either as the supplier of the false data, or the one defending the integrity of the data.

The risk with planting this kind of false intelligence is that you can't always predict how the bad information will be used. The results are often chaotic or ineffectual.

In the run up to the Iraq war, one of the bits of evidence produced to make the case for invasion was the infamous "Yellowcake Memo." This document purported to provide direct evidence that the Iraqi government was buying uranium ore to make nuclear weapons. According to Seymour Hirsch, it was actually a forgery produced by elements of the CIA opposed to the Iraq war, in an attempt to embarrass the President and discredit his intelligence gathering efforts. In fact, the forgery was done poorly enough that even the smallest bit of fact checking would have revealed it for a fake.

The deception worked, but not quite the way the perpetrators wanted. The forgery was supposed to be so obvious that the President and his advisors would see that their sources weren't reliable and they would take a step back. They hadn't counted on the fact that the President had more confidence in his intelligence services than they did, and the fake wasn't revealed until long after the country was committed to war. The President still looked the fool, and there were changes at the top in the CIA, but the intended goal of stopping the march to war failed.

Planting False Seeds

To plant your false information, the first thing you must do is make it look legitimate. Nobody will trust information that just falls into their lap. It needs to come from trusted sources. There are a couple of ways that can be made to work for electronic information.

Forged email could be a good way to handle things. Simple mail forgery is trivial for anybody with a little bit of programming knowledge. Normal email has no security precautions at all. You can say you are whoever you want to say you are and the servers don't care. Digital signatures (easily implemented with free software) can prevent this, if both parties are equipped to do it and regularly practice digital signing. In that case a custom virus (see last month's column) or some other compromise on the sender's system or systems is necessary.

Another alternative is a honeypot server. These are machines left out for people to hack into. To really sell it, and make sure that somebody attacking the machines believes in what they get, the machine can't be too easy to compromise. If they don't work for it, they won't trust it, and there is a good chance that they will recognize it's a trap if they are experienced professionals.

This planting of false information isn't limited to the electronic world. In general, if you have found someone who is passing information to an outside agency, you have two options. One is to remove that person, which is probably going to involve a shovel and a sack of lime in the dead of night (lime, by the way, can be picked up very inexpensively with no questions asked at most feed stores). The other is to start passing that person false information, but false to a point. If you give them information that simply fails to check out, they'll be dropped as a resource by the agency they were feeding (which may also involve shovels and lime). Or it can be information that does check out. It might, for instance, tip freight hijackers off to a shipment of microchips, which have a high market value. Except that instead of microchips, the back of the truck will be full of state troopers, or guys from the local "Dirty Deeds, Done Dirt Cheap" franchise.

Putting It Into The Game

I've been snapping up the GURPS Action books as soon as they come out, and this series makes for the ideal place to do a little digital deception. The book doesn't go into the sort of in-depth deception that we're talking about here though. This kind of deception works in both directions. The players may be trying to plant false information for their enemies to read, but their enemies may also be planting false information for them.

When your players are planting false information in game, consider that there are many venues for planting this kind of information. While this column deals mostly with computers, phone calls, especially cell phones, are a prime medium for compromise. Planting a message in somebody's voice mail is relatively easy, with the appropriate rolls for producing a convincing message that fools the recipient into thinking it's legitimate. Forged contracts, shipping documents or memos would also be ideal.

When they are being fed false information, they should have opportunities to roll to detect the falseness. If you want to play it properly, the rolls should be secret, i.e. don't say "roll to see if you can detect that the information is garbage." Just make the roll, if there's any way at all that they would be able to tell. TO be fair, you might want to suggest to them that they work to verify the information, which is what a credible intelligence operation does. Between unreliable sources and deliberately falsified information, the survivors in the intelligence game are the ones who verify facts before acting on them.

A fairly typical scenario is for the player characters to be guarding a person from an expected assassination attempt. Presumably the PCs would be monitoring the groups suspected of planning the attempt. Let them compromise an email account or website where the group does planning, so they can learn when and where the attack is coming. Except, of course, that you, as the GM, will be feeding the players false information. While they're expecting an attack on the motorcade leading to the big conference, the actual bad guys have been busy infiltrating the hotel staff. An attack will, of course occur on the motorcade. Probably something with a lot of flash and noise, to sell it very well. But the real attack will go down at the hotel, when the PCs' guard is down, believing the real danger to have passed. Avenging that attack can be a great lead off to a whole campaign, or just a great climax to an adventure where the PCs save the day.

Check out my gaming website at www.obrienscafe.com for a full adventure based on this seed.