Can you track through VPNs?

Grim G
Can you track through VPNs?

So I'm trying to write up an adventure, and I came across a bit of a block.

The idea is that the PCs salvage the key to a VPN that can help them with a murder mystery. But something I want to know is if it's possible to track someone that you only know from a VPN. Can you find someone's mesh ID over a VPN? Can you track them physically?

MAD Crab

At the risk of applying real world logic to the game world...

There are generally two ways to "break" VPN protection. One is to gather leaked information - say, the target left their GPS on and some site requested it. If you can sniff their traffic or the site's traffic, hey bingo you've got their GPS location. Same goes for leaked network information, ie their mesh ID.
The other way is to break into the actual VPN servers and check their logs for the real mesh ID. You can also start attacking the target directly that way.

Grim G

MAD Crab wrote:
At the risk of applying real world logic to the game world...

There are generally two ways to "break" VPN protection. One is to gather leaked information - say, the target left their GPS on and some site requested it. If you can sniff their traffic or the site's traffic, hey bingo you've got their GPS location. Same goes for leaked network information, ie their mesh ID.
The other way is to break into the actual VPN servers and check their logs for the real mesh ID. You can also start attacking the target directly that way.


I don't really understand what the differences between the two examples you gave were. In both you need to have the person's mesh ID, which as far as I understand is the only way to physically track someone outside of surveillance.

In any case, is there any way to actually HIDE an ID? Obviously you need to locate it in order to interact with its device, but is it possible for the person who started the VPN to, say, completely block access to their mesh ID?

NotActuallyTim
MESH STUFF!

False Mesh IDs can be made up on the spot and given to any service that requires them, even simple things like accessing the mesh in the first place. Pg 252, core rulebook.

What crab's talking about is the difference between finding somebody by listening in on a phone call and finding somebody by TRACKING ALL THE CELLPHONES IN THE CITY!

https://www.youtube.com/watch?v=MQNeqeVpHF0

Grim G

NotActuallyTim wrote:
False Mesh IDs can be made up on the spot and given to any service that requires them, even simple things like accessing the mesh in the first place. Pg 252, core rulebook.

What crab's talking about is the difference between finding somebody by listening in on a phone call and finding somebody by TRACKING ALL THE CELLPHONES IN THE CITY!

https://www.youtube.com/watch?v=MQNeqeVpHF0


I know what false IDs are and they don't help in this situation. All it does is disguise you, but you can still have your physical location tracked. What I'm talking about is preventing someone from seeing ID period, be it real or fake.

Also the second point is moot, all devices broadcast throughout a habitat, so unless a signal is stealthed, finding it is just a matter of knowing the ID and knowing how to use a search engine. And that's even if you're out of their device range, when you're in it you can see the mesh ID pop up on your AR display.

MAD Crab

Quote:
What crab's talking about is the difference between finding somebody by listening in on a phone call and finding somebody by TRACKING ALL THE CELLPHONES IN THE CITY!

Not really.

If you can listen in between the VPN and the resource the target is accessing (say, hack a server for facebook, or tap a teleco bus. Hi NSA!), you can get leaked information that might help you track him down. It's easy to misconfigure something and have your "secure" connection ask for a related resource over an unproxied channel (providing current mesh ID), or provide information that you didn't intend for it to provide, such as your location, name, email, etc. If I remember right, cracking encrypted mesh traffic is easier in EP than in reality anyway.

Or, if you can compromise the VPN server itself, you can just ask it who it's connected to.

Point is, method 1 can be passive, if you know a service the target is likely to connect to.

As for "hide the ID entirely" as I understand it Mesh ID is the unholy offspring of MAC address and cell phone number. Sure, you can randomize it at any time, but you HAVE to provide something if you want any other mesh device to have a conversation with your device. If you have none at all... nothing can talk to you. Which is to say, a disabled radio is very secure. My understanding is "Stealthed" means "not shouting its name everywhere, all the time." It still has to declare itself to some devices, or else no messages it WANTS to get could be routed to it.

Trappedinwikipedia

Personally I like the idea that the Mesh ID is fundamentally an awful protocol and everyone who knows more than average about computers laments that it's still the standard and has such widespread adoption. Part of it is probably the space-future version of the "data footprint" a computer leaves in the form of cookie requests, hardware signatures, and the rest of the ways people try to figure out how to serve the most relevant ads to you today.

Personally I always like to allow a check trace or hide, as it's my general assumption that EP's omnipresent cloud computing is probably a security nightmare. Because of this and the fact that I can't find a rule to the contrary my assumption is that you can at least attempt to track a normal system through a VPN. Some kind of ultra secure system which only talks to other ultra secure systems on a whitelist or whatever could be different, but essentially aren't on the mesh at all.

Grim G
SPACE PHONES, HOW DO THEY WORK?!

Mesh ID is something I have a hard time understanding, TBH.

Who keeps track of the ID numbers? ISP? Do they even exist any more? The local government?

Why are device IDs static but personal ones able to transfer with your morph?

What happens to your ID when you farcast across the system? Does it change? How do your loved ones keep in contact with you then? Does it stay the same? Then what happens when you and a local have the same ID? Habs that are far away don't keep track of other habs IDs.

NotActuallyTim

Each Mesh device provides its own Mesh ID. It's easy to abuse! As far as I can tell, Mesh IDs are kept for convenience, when transferring morphs. Since devices aren't something you can carry with your ego, they don't get to come with. If you wanted to record the ID of a device to make people think you're actually an Ipod Human, you can probably do that.

And I was trying to be all analogous with the phone examples. Clearly, I shouldn't have tried. :(

MAD Crab

They're MAC addresses, they're IP addresses. They are what your network device uses to announce itself to the group.

You MUST HAVE ONE. Somehow. Somewhere. By some name. Otherwise, how can any data transmission be routed? Mesh networks have to know who to pass messages to, who asked for what, etc. In fact, it's not a mesh network if you don't have them.
Keeping them between morph switches is convenience, yes. Because apparently in EP, people can shoot messages to you via these basic hardware addresses. Technically possible in the real world too, though we really don't have a system designed for it.

Grim G

MAD Crab wrote:
My understanding is "Stealthed" means "not shouting its name everywhere, all the time." It still has to declare itself to some devices, or else no messages it WANTS to get could be routed to it.

I understand stealthing as just random frequency hopping. I know that "spread-spectrum signals" is also a thing, but I honestly don't know what that is.

NotActuallyTim wrote:
Each Mesh device provides its own Mesh ID. It's easy to abuse! As far as I can tell, Mesh IDs are kept for convenience, when transferring morphs. Since devices aren't something you can carry with your ego, they don't get to come with. If you wanted to record the ID of a device to make people think you're actually an Ipod Human, you can probably do that.

And I was trying to be all analogous with the phone examples. Clearly, I shouldn't have tried. :(


Being able to change IDs on resleeve sounds pretty reasonable, if they can just be changed that easily it would explain how false mesh IDs work.

That said, there's a problem with this theory. It would be easy to pretend to be someone else on the mesh, and I don't think that's how spoofing works.

NotActuallyTim
Spoofing?

As I understand it, all the password information tech still exists in EP. So using the Martian government's Mesh ID is no good without their authentication info. Like, you can impersonate a cop on the Mesh, but you can't prove you are one if somebody asks the right questions. Not unless you have the passwords.

Grim G

NotActuallyTim wrote:
As I understand it, all the password information tech still exists in EP. So using the Martian government's Mesh ID is no good without their authentication info. Like, you can impersonate a cop on the Mesh, but you can't prove you are one if somebody asks the right questions. Not unless you have the passwords.

But you don't need to answer questions, you just need to have the ID. Passwords only work when authentication requires more than the Mesh ID. Most tame things like comment sections don't.

NotActuallyTim

Grim G wrote:

But you don't need to answer questions, you just need to have the ID. Passwords only work when authentication requires more than the Mesh ID. Most tame things like comment sections don't.

Exactly! So it's just like the current day Internet!

Except cheaper!

ThatWhichNeverWas
I have a love/hate relationship with Databases.

VPNs are something I have real trouble understanding IRL, but I think I can help with Mesh IDs in general.

A key thing to keep in mind is that there can only be ONE instance of a Mesh ID on any connected network - multiple devices can be registered under a single ID (in addition to their own) but they are treated as a single device by everything else.

What this means is that if you want to change a device's mesh ID to someone else's, either;
(A) The change will be denied as 'This ID is already active, please choose another',
(B) You get a message saying the target ID refuses possession of the device,
(C) You lose control of the device(s) that you're changing as they become the property of the new ID,
(D) Your mesh ID and the target's are associated with each other, so both you and the target have full control and access to each other's systems... probably followed by software/driver conflicts and a hard-restart.

If you want to pretend to be a member of the Martian Government, what you need to do is add your mesh ID to the appropriate government database so that it comes up when someone does a search for information using your ID as the seed.
If you want to pretend to be an individual you don't change your ID, you pretend to be a node in the network passing messages from that ID, or redirect queries about you to that ID.

Faking IDs and queries from systems without a direct connection to the local mesh (other habitats) is much easier, and presumably the go-to method for most of the shenanigans people get up to.

RL InfoTech isn't my wheelhouse, but I suspect it might be easier to think of the Mesh less as the Internet, and more as multiple users logging into a single huge Beowulf Cluster.

In the past we've had to compensate for weaknesses, finding quick solutions that only benefit a few.
But what if we never need to feel weak or morally conflicted again?

Grim G

NotActuallyTim wrote:

Exactly! So it's just like the current day Internet!

Except cheaper!


I don't follow...

NotActuallyTim

If you have somebody's addresses you can impersonate them online. It was easier back in the 90's, when services mostly used those numbers directly. That's why we use accounts and passwords, and little tests that prove people aren't robots. Without them, we'd only have IP and MAC addresses to work with.

Grim G

ThatWhichNeverWas wrote:
VPNs are something I have real trouble understanding IRL, but I think I can help with Mesh IDs in general.

A key thing to keep in mind is that there can only be ONE instance of a Mesh ID on any connected network - multiple devices can be registered under a single ID (in addition to their own) but they are treated as a single device by everything else.

What this means is that if you want to change a device's mesh ID to someone else's, either;
(A) The change will be denied as 'This ID is already active, please choose another',
(B) You get a message saying the target ID refuses possession of the device,
(C) You lose control of the device(s) that you're changing as they become the property of the new ID,
(D) Your mesh ID and the target's are associated with each other, so both you and the target have full control and access to each other's systems... probably followed by software/driver conflicts and a hard-restart.

If you want to pretend to be a member of the Martian Government, what you need to do is add your mesh ID to the appropriate government database so that it comes up when someone does a search for information using your ID as the seed.
If you want to pretend to be an individual you don't change your ID, you pretend to be a node in the network passing messages from that ID, or redirect queries about you to that ID.

Faking IDs and queries from systems without a direct connection to the local mesh (other habitats) is much easier, and presumably the go-to method for most of the shenanigans people get up to.

RL InfoTech isn't my wheelhouse, but I suspect it might be easier to think of the Mesh less as the Internet, and more as multiple users logging into a single huge Beowulf Cluster.


You say that there can only be one instance, but I just have to ask why. Will there be an error message? Will a signal get sent to two devices?

MAD Crab
Arrrgggggh.

Arrrgggggh.
I am gathering that a lot of people here really aren't too up on network technology.

Technically speaking:
If two computers use the same "address" (whether MAC, i.e. physical, or IP) it's called a collision. Happens through accident far more often than malice. Networks handle this in a bunch of different ways, but in general it's true - you can impersonate the other device. It would be easier on a mesh network, because there's less authority for routers to go "Hey, THAT'S not right" and drop both connections. In Windows, you get a little popup going "Hey idiot, your network is misconfigured." Because like I said, network collisions are almost always an accident, not an attack.

In EP: No way in hell Mesh ID is not tied to a certificate (something that exists in reality, supposed-to-be-totally-the-spec-is-written-what-do-you-mean-nobody-uses-IPSEC) which means that beyond the initial "Hi, I'm MAD's device!" exchange there's then a "prove it" stage. THIS is where spoofing gets difficult, because you have to break the security somehow. And yes, this can be tied to the actual mesh ID value. Somebody else could use same ID, but would have a different cryptographic signature. For the techies who've used SSH or PuTTY, ever connect to a new server? "HEY! The RSA fingerprint is BLAAAAAAAAAAAAAAAAH, do you want to connect?" Doesn't matter that the hostname is the same, changing the box behind it gives a new fingerprint.

Honestly, I can't remember EP's hacking rules well enough to say how this fits in, or if it fits at all. But that's the real side of things.

NotActuallyTim
The Rules

For spoofing match up with your description pretty well, though admittedly I read them last on Thursday.

ubik2

Your explanation sounds like what I would expect, though in the world of EP, standard cryptography can be broken by quantum codebreaking. In the specific case of mesh ids, there may be a policy of frequent key rotation, to keep ahead of the 1 week decryption time required.

The section on spoofing authentication mentions that it's not possible if the connection is encrypted, unless you have the key. This implies that not all connections are encrypted, which doesn't make a whole lot of sense logically, but I suppose the same is true of our world.

Edit: Apparently there are unencrypted systems that are restricted to specific mesh ids. These systems are vulnerable to spoofing, so at least in this particular area, there are mesh ids being used without a corresponding certificate.
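
Added example (not part of any post in this thread): the difference MAD Crab and ubik2 describe between a system that accepts a bare identifier and one that pins the key behind it, in the style of the SSH fingerprint prompt. The identifier `mesh-id-0001`, the key blobs and the names `id_only_check` and `PinStore` are constructed for illustration.

```python
import base64
import hashlib


def fingerprint(public_key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the key blob, unpadded base64."""
    digest = hashlib.sha256(public_key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def id_only_check(allowlist, claimed_id):
    """Weak check: any peer that presents an allowed identifier is accepted."""
    return claimed_id in allowlist


class PinStore:
    """Trust-on-first-use store: identifier -> fingerprint seen first.

    Assumes the transport has already made the peer prove possession of the
    private key for the blob it offered (SSH does this during key exchange).
    """

    def __init__(self):
        self.pins = {}

    def check(self, claimed_id, public_key_blob):
        seen = fingerprint(public_key_blob)
        pinned = self.pins.get(claimed_id)
        if pinned is None:
            self.pins[claimed_id] = seen      # first contact: remember the key
            return "first-seen"
        if pinned == seen:
            return "match"
        return "changed"                      # same name, different key: refuse


def demo():
    # Constructed sample data: placeholder identifier and stand-in key blobs.
    device_id = "mesh-id-0001"
    original_key = b"constructed-public-key-A"
    other_key = b"constructed-public-key-B"

    allowlist = {device_id}
    store = PinStore()
    return {
        "id_only_original": id_only_check(allowlist, device_id),
        "id_only_same_id_other_device": id_only_check(allowlist, device_id),
        "pinned_first": store.check(device_id, original_key),
        "pinned_again": store.check(device_id, original_key),
        "pinned_same_id_other_key": store.check(device_id, other_key),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The identifier-only check cannot tell the two devices apart, while the pinned check flags the second key as `changed`, which is the point at which an SSH client stops and warns.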

ThatWhichNeverWas
"According to your Mesh ID, you are a Deviantart account..."

Grim G wrote:
You say that there can only be one instance, but I just have to ask why. Will there be an error message? Will a signal get sent to two devices?

Fundamentally, computer systems need unique IDs to work. It's the same reason you can't have two files in a folder with the same name, or why two different websites can't have the same URL – without a way to tell them apart, they're treated as the same thing.
I'll leave the actual consequences of this to those with more hands on experience, but iirc they can be boiled down to 'Stuff Stops Working'.

MAD Crab wrote:
Networks handle this in a bunch of different ways, but in general it's true - you can impersonate the other device. It would be easier on a mesh network, because there's less authority for routers to go "Hey, THAT'S not right" and drop both connections.

Whilst it might be 'technically' easier, in practice it's going to be much harder thanks to restrictions and safety protocols hardwired in from the start.

This is due to the nature of the System; each device acts as a node for data routing, the system in general is used for distributed computing, and IDs can refer equally to physical devices, virtual devices, pieces of software, individuals, bank accounts... literally anything.
Not every ID will have the same capabilities, but there's no reason to loosen already established protocols.

MAD Crab wrote:
Arrrgggggh.
I am gathering that a lot of people here really aren't too up on network technology.

No, because that way lies Madness.
