[Modern Firepower] Technothriller gear for secret DHS team in 2017

[Icelander]

Quote:

Originally Posted by Kalzazz

I know Remington and other manufacturers have custom shops where, for suitably immense sums, you can get the rifle of your dreams

I wonder whether that wouk d be a thing

One advantage of the immense proliferation of commercially available components for AR-15, and to a slightly lesser extent, AR-10 rifles, is that for someone competent at Armoury (Small Arms), almost any reasonable modification or custom configuration can be performed in a garage workshop. Granted, constructing a custom precision rifle from components bought online will probably require more than basic hobbyist skill, but given that some of the test subjects have Armoury at an expert-to-master level, skill 14+, their skill will certainly suffice.

For AR type rifles, Fine (Accurate) and Fine (Reliable) can be achieved by buying a few simple components that the shooter installs instead of the stock barrel, trigger, magazine, etc. and by careful machining of anything likely to interfere with the working of the action. Rechambering in other calibers can be accomplished simply by buying complete uppers or, by the more skilled, by rebarrelling and replacing or modifying the bolt, chamber, gas system and possibly the magazine.

For rifles more complicated to work on or without such a wealth of drop-in accessories, it might be worth it even for a skilled armourer to get a custom shop to work on his weapon. That is not necessarily because he is not skilled enough, but because actually manufacturing custom parts requires more expensive tools than the average garage gunsmith will want to buy, at least if he's only looking to get one custom built rifle.

[Icelander]

M4 Long-Range Recon Carbine, 6mm 'Timslayer'
Dmg: 5d pi
Acc: 7+2
Range: 800/4,200
Weight: 10.4/1.3
RoF: 16
Shots: 29+1
ST: 10†
Bulk: -4
Rcl: 2
Cost: $2,700
LC: 2
Notes: Fine (Accurate), Fine (Reliable) and handloaded Match ammunition.

This a custom AR-15 type carbine, using a lower and accessories from a M4A1 SOPMOD carbine and an upper chambered in a wildcat 6mm cartridge made by necking out 5.56x45mm brass to 6mm, bumping the shoulder out to 40°, trimming the brass and fire-forging it.[1] The 6mm wildcats still fit into STANAG magazines or any other magazine designed for the M16/M4/AR-15 family, as the widest part of the cartridges are no wider than the 5.56x45mm. The operator carries them in first generation PMAG magazines, loading only 29 rounds instead of 30 for increased reliability.

This carbine actually uses many of the same parts as the previous M4 Sniper. When the 5.56x45mm Lilja barrel had shot 4,500 rounds through it, the operator decided to rebarrel his weapon in 6mm and ordered a 31" match quality heavy stainless steel barrel blank from Bartlein in 1:8 twist, cut it in half, machined it for fit and contour, crowned it and mounted it freefloating on the carbine as a 14.5-inch recon carbine barrel.[2] The Cost is the unit cost of an unmodified M4A1 SOPMOD plus the parts bought, but note that if the character had not done his gunsmithing himself, paying a custom shop to do the same modifications would probably have cost at least $1,000 and probably more.

Chambering for the 6mm wildcat required a stronger bolt, in which role a creatively acquired 6.8 SPC bolt served admirably and some fine-tuning of the mid-length gas system. The Geiselle SSA match trigger and much of the furniture of the carbine was still usable. Even after the changes, the carbine remains exquisitely maintained, having been carefully worked over, machining every surface free of irregularities and loose tolerances, ensuring reliability and consistent precision.

The carbine still mounts Daniel Defense full-length RIS handguards, a Trijicon ACOG TA01 ECOS 4x scope, Insight AN/PEQ-15 ATPIAL IR light and targeting laser and an Insight M3X LED weapon light. The listed Weight includes all these accessories, but the Cost does not.[3]

The listed stats include a personalised match handload for the 6mm wildcat cartridge, pushing a 90 grain Lapua Scenar bullet at slightly over 2,600 fps out of the short barrel. This load is optimised for this specific carbine, giving a +2 Acc (WPS 0.034; CPS $1 [4]). The load is of a very high pressure and is hard on both brass and barrel, but the Fine (Reliable) construction of the weapon and the use of Fine magazines means that even with a -1 to Malf. due to operating at the edge of the performance envelope, with very long bullets seated at the magazine lauds, reliability is no worse than any other M4 using PMAGs. Firing this round at full-automatic or from a carbine-length gas system is not recommended and either imposes a further -1 Malf. penalty (down from Fine (Reliable), so only if both are done will the weapon reach Malf. 16).

The nomenclature of the round is based on an unfortunate side effect of using the otherwise excellent 90 grain Lapua Scenar bullet, which is that the very low drag, long range projectile will not tumble or yaw in flesh unless travelling at extreme speeds, usually only within 50-100 yds. Outside of that range, the carbine only does pi- damage. Thus, despite the otherwordly precision and ballistics at extreme ranges, terminal effects of this load at 100-300 yds are far inferior to the Mk 262 Mod 1 that most operators carry for their M4A1 carbines and other members of the ODA are fond of claiming that the round is mostly useful in case one must face a particularly fierce rabbit at long range.

Using the bullet travel rules, the projectile travels 700 yards in the first second and out to 1,100 yards in the second, to 1,450 yards in the third second and then 300 yds per second out to the maximum range at which anyone cares. It enters the transonic flight regime at 800 yards (the GM might give an extra -1 range penalty for shots beyond that range).

This precision carbine can consistently hit a 4" steel place at 1,000 yards, for better than 0.5 MOA accuracy. If zeroed for a 100 yards, drop is just over a foot at 300 yards, around 5' at 500 yds and 414" at 1,000 yds. In a 10 mph crosswind, it will drift 7.5" at 300 yds, 22.6" at 500 yds and only about 111" at a 1,000 yds.

[1] Very similar to wildcat 6mm Mongoose, though independently developed.
[2] That way, the remaining length of barrel blank could be machined into a spare barrel once the current one was shot out.
[3] Because they are all part of the SOPMOD kit to which the operator has access without having to buy them.
[4] Assuming that the operator only pays for the powder, bullet and primers, as the brass is free and he does the work himself. If available commercially, such ammunition would probably be at least CPS $3, if only for the rarity.

[Icelander]

Does anyone know what the state of the art in 2017 smartphone espionage would realistically be?

Aside from remote monitoring devices like the Stingray, what kind of devices exist to obtain information from smartphones?

What kind of timeframe would be relevant to such operations? Is there any utility to getting close to someone with a smartphone while carrying some kind of high-tech gadget that will allow hacking into or cloning of his phone?

Or does this take long enough so that either you are using a huge base station that mimics a cell tower (and costs hundreds of thousands of dollars) or you have to actually have to have his phone in your possession for a few hours?

[Anthony]

Quote:

Originally Posted by Icelander

Does anyone know what the state of the art in 2017 smartphone espionage would realistically be?

I doubt anyone who really knows would be free to comment, but general principles are well enough known. In general it's the same as spying on any other computer: install a keylogger, install surveillance hardware, gain access to backups, snoop on upstream communication, snoop on electronic leakage from the phone, or physically snoop on the phone being used.

Note that the software options tend to be a moving target with a very short viability period.

Quote:

Originally Posted by Icelander

What kind of timeframe would be relevant to such operations? Is there any utility to getting close to someone with a smartphone while carrying some kind of high-tech gadget that will allow hacking into or cloning of his phone?

Hacking is generally going to be done by tricking the target into downloading infected content, not directly attacking the phone. Physical surveillance and electronic snooping would involve hardware that needs to be physically close to the phone while it's in use. Installing a physical bug on a phone can probably be done quickly given access to the phone.

[RogerBW]

Quote:

Originally Posted by Icelander

Does anyone know what the state of the art in 2017 smartphone espionage would realistically be?

And is prepared to talk about it… this is coming from someone who doesn't work in that world but talks occasionally with people who do.

In short: a constant war of exploit and counter-exploit.

If you know your target, the main thing you want to do is get your code onto his phone. If he's not both effectively paranoid and up to the moment on security patches, you can pretty much do this, by taking over the local base station while he's using the phone and feeding exploit code into the HTTP connections. (You have phone company uniforms and a ladder, right?) At which point you can pull out the data as you want them.

It's a slightly tedious process and might take an hour or two. Less if you know the make and model of phone in advance.

[Icelander]

Quote:

Originally Posted by Anthony

I doubt anyone who really knows would be free to comment, but general principles are well enough known.

Quote:

Originally Posted by RogerBW

And is prepared to talk about it… this is coming from someone who doesn't work in that world but talks occasionally with people who do.

Well, while various government secrecy laws tend be sweeping and even all-encompassing in their effect, corporate non-disclosure agreements or confidentiality clauses usually do not affect the ability of people who work for technology companies or service providers to discuss the state of the technology, as long as they do not provide details proprietory to their employer.

As a defence attorney, there are certain things I can't reveal about clients who can be personally identified, but that has no impact on what I can discuss about ways and means of police investigations.

So if my question were about the state-of-the-art in Iceland ca 2012-2015, I'd have a wealth of details, having had a client who was an engineer at a mobile service provider who was investigated on a suspicion of having illegally accessed personal information in their systems.*

I got copies of all investigation documents related to how he might have done so and how the police investigated it. As it turned out, deposing people from the Computer Investigation unit of the National Police Comissioner about their methods ended up disproving the prosecution's case, so I had to gather quite a lot of very technical data.

In other cases, I've also gotten data on phone taps, investigations of SMS communications, narrowing down the location of suspects through cell tower data, etc. I know several detectives and technical experts on the Reykjavík Metropolitan Police and have spent some time talking to people forming their new computer science unit about their investigation methods.

Unfortunately, my access allows me to be completely confident in how Icelandic police can gather data from smartphones, but at the same time know for a fact that it is of no use for the PCs in my game.

Icelandic police use the Administration skill to write up a document for the investigative need for a phone tap, surveillance or other data gathered from a suspect's phone. A police prosecutor uses Law (Police) to justify the request and cite all appropriate laws, regulation and precedent. A judge approves it, almost automatically (over 99% rate of approval), which results in a warrant.

The warrant then goes to the telephone company that is the service provider for the phone number listed in the warrant. Someone there uses Administration routinely to check that everything is okay with the warrant (if it wasn't, they'd contact the police to discuss it) and then give a technician or an engineer the task of fetching the requested data or setting up a 'phonetap', in both cases a simple Computer Operation skill roll, as these are options that can be selected in their software that can be selected by anyone with the top-level access that their senior software engineers and technicians have.

None of this has any application to gathering this information in a foreign country, without warrants or authorisation. Especially not if the characters only have pictures of suspects, old numbers for burner phones and maybe a few voice recordings from prior intercepts.

*No, the client is not one of the players in the game, although I maintain contact with him and consider him a friend today. I keep trying to get him to play with us, but haven't had luck yet, he only wants to play fantasy. He is actually much more knowledgable about ways and means of smartphone espionage than any of the police I spoke with, which makes sense in light of how Icelandic police actually investigate phone data. His job actually was responding to police requests for phone data, when they arrived.

Quote:

Originally Posted by Anthony

In general it's the same as spying on any other computer: install a keylogger, install surveillance hardware, gain access to backups, snoop on upstream communication, snoop on electronic leakage from the phone, or physically snoop on the phone being used.

What the characters want to do is go from visual surveillance of a location to being able to find out the phone numbers of phones that suspects they spot there are talking on and somehow track these phones after the suspects leave, with the ultimate goal of reaching the person at the top of the organisation and gaining a current phone number for him. Any extra information they can gather would probably be a plus.

Quote:

Originally Posted by RogerBW

In short: a constant war of exploit and counter-exploit.

Quote:

Originally Posted by Anthony

Note that the software options tend to be a moving target with a very short viability period.

Yeah, I'm willing to let the two players with computer science or software engineering backgrounds provide colour detail there, or abstract it away if they do not. I just don't want to provide the GM with rules advice or general guidelines that are impossible, implausible or somehow wrong.

Quote:

Originally Posted by Anthony

Hacking is generally going to be done by tricking the target into downloading infected content, not directly attacking the phone. Physical surveillance and electronic snooping would involve hardware that needs to be physically close to the phone while it's in use.

It would, of course, make for a supremely interesting game scenario if a PC had to get within a few feet from a target and stay there for some minutes in order for some automatic gismo to install a software bug on it.

What I don't know is if it is plausible; i.e. if there is technology that they are likely to have that demands ranges in feet rather than a couple of hundred yards and if installing a software bug takes less than 5 minutes, preferably something like 10 seconds to a minute.

Quote:

Originally Posted by Anthony

Installing a physical bug on a phone can probably be done quickly given access to the phone.

This is a very interesting possibility.

What would be a good ballpark Cost, Weight, Holdout modifier and capabilities for such a physical smartphone bug? One which allows remote surveillance access to the phone, ideally, as well as GPS tracking.

Quote:

Originally Posted by RogerBW

If you know your target, the main thing you want to do is get your code onto his phone. If he's not both effectively paranoid and up to the moment on security patches, you can pretty much do this, by taking over the local base station while he's using the phone and feeding exploit code into the HTTP connections. (You have phone company uniforms and a ladder, right?) At which point you can pull out the data as you want them.

This could be done, as well.

The PCs' truck has space for a modern Stingray device, but one was not issued to the PC for this mission. Something about preventing mission creep and that they should simply trust their intelligence support to provide them with accurate data. Of course, the PCs do not trust them to do so and actually have a point, in as much as the people they work for are almost as shady as the ones they are spying on.

There is radio intercept capability on the truck and some sort of improvised, less effective cell phone surveillance capability, one maybe an order of magnitude cheaper than the $200,000 Stingray.

Quote:

Originally Posted by RogerBW

It's a slightly tedious process and might take an hour or two. Less if you know the make and model of phone in advance.

Probably not.

[Anthony]

Quote:

Originally Posted by Icelander

What the characters want to do is go from visual surveillance of a location to being able to find out the phone numbers of phones that suspects they spot there are talking on and somehow track these phones after the suspects leave

That's really about getting access to cell site records, and is exactly what hardware that replaces a cell tower is for. On the plus side, something resembling this information is necessarily exposed in order to perform the basic functions of a phone (being able to receive messages), though it might be a hardware ID rather than a phone number, and thus it's a bit less of a moving target as far as technology goes.

Quote:

Originally Posted by Icelander

What I don't know is if it is plausible; i.e. if there is technology that they are likely to have that demands ranges in feet rather than a couple of hundred yards and if installing a software bug takes less than 5 minutes, preferably something like 10 seconds to a minute.

Software intrusion uses the range of the communications medium used to transfer data, and there isn't really anything with a range of a small number of feet, there's stuff with a range of inches (near-field communication) and stuff with a range of tens to hundreds of yards (WiFi and cell).

Quote:

Originally Posted by Icelander

What would be a good ballpark Cost, Weight, Holdout modifier and capabilities for such a physical smartphone bug? One which allows remote surveillance access to the phone, ideally, as well as GPS tracking.

The largest component of a tracking bug is the battery, so to make it compact you'll want to take advantage of the cell phone's battery. Obvious options include replacing the cell phone's battery pack, and opening up the cell phone and replacing internal hardware. Neither option will change the size of the phone at all, though it will be hard to install without causing the phone to reboot.

Quote:

Originally Posted by Icelander

There is radio intercept capability on the truck and some sort of improvised, less effective cell phone surveillance capability, one maybe an order of magnitude cheaper than the $200,000 Stingray..

If the target is in the habit of using WiFi hotspots, those may be less protected than cell towers and certainly involve less expensive hardware.

[acrosome]

Here's another funky caliber for your consideration. Doesn't really meet your requirements but it is interesting. Apparently the AMU developed their own AR with a magazine well that was intermediate in size between the AR15 and AR10 to feed it. They have also made a polymer cased version.

[Icelander]

Quote:

Originally Posted by acrosome

Here's another funky caliber for your consideration. Doesn't really meet your requirements but it is interesting. Apparently the AMU developed their own AR with a magazine well that was intermediate in size between the AR15 and AR10 to feed it. They have also made a polymer cased version.

Well, loaded with Hornady ELD, Lapua Scenar-L or Berger VLD, it might well meet my requirements. I'll have to research how long a bullet it will seat without reducing powder capacity in the case or causing feeding problems in the AR-12 rifle AMU designed for it.

From a background point of view, a couple of the characters who were test subjects for Project Jade Serenity took part in AMU's testing for an intermediate cartridge, serving one or more short TDY with them and taking a few rifles with them when deployed to Afghanistan for field testing. This would have been at some point between 2001-2011.

I knew/decided they would have shot an upnecked wildcat from 5.56x45mm, the 6.5 Grendel, the 6.8 SPC and probably several variations on these themes. Maybe 6.5 Creedmoor in an AR-10/SR-25/DPMS platform. Looks like the .264 USA in the AR-12 was another interesting option they evaluated.

[Icelander]

Quote:

Originally Posted by Anthony

That's really about getting access to cell site records, and is exactly what hardware that replaces a cell tower is for.

It is indeed, so you may imagine that there was much wailing and gnashing of teeth when the PCs failed to roll well enough on Administration and Savoir-Faire (Police) to manage to get one of the coveted Stingray units assigned to their vehicle.

It is possible that the ISA/'Army of Northern Virginia' intelligence element supporting their operation has a Stingray or whatever the bleeding-edge equivalent happens to be. If so, however, the PCs will receive only what product from it that Onyx Rain wants them knowing, which is almost certain not to be nearly everything the PCs feel that they need to know.

Quote:

Originally Posted by Anthony

On the plus side, something resembling this information is necessarily exposed in order to perform the basic functions of a phone (being able to receive messages), though it might be a hardware ID rather than a phone number, and thus it's a bit less of a moving target as far as technology goes.

Very good.

Quote:

Originally Posted by Anthony

Software intrusion uses the range of the communications medium used to transfer data, and there isn't really anything with a range of a small number of feet, there's stuff with a range of inches (near-field communication) and stuff with a range of tens to hundreds of yards (WiFi and cell).

Are there any espionage possibilities with near-field communication? It sounds like it offers very gamable scenarios...

Having to use Pickpocket to get the phone from a target and then find a way to give it back to him without him realising it was taken would be a good one. Maybe using Fast-Talk, Shadowing, Stealth and/or Sex Appeal to get close enough to someone to use some kind of pre-programmed spy gadget to install spyware on the target's phone through his tight jeans, with near-field communication.

Quote:

Originally Posted by Anthony

The largest component of a tracking bug is the battery, so to make it compact you'll want to take advantage of the cell phone's battery. Obvious options include replacing the cell phone's battery pack, and opening up the cell phone and replacing internal hardware. Neither option will change the size of the phone at all, though it will be hard to install without causing the phone to reboot.

It sounds like you'd have to design the bugs for a specific configuration of phone, one with a certain amount of 'extra' space where you could fit it. Or replace the battery with a pre-bugged one.

Would probably make sense for the surveillance expert to carry a couple of bugs designed for the most common brands, especially if, e.g. all Samsung or iPhone models made between years x and y have space behind their battery for a bug of certain size.

Quote:

Originally Posted by Anthony

If the target is in the habit of using WiFi hotspots, those may be less protected than cell towers and certainly involve less expensive hardware.

That's a good point. Of course, the PCs have absolutely no idea whether or not any of their targets will be using WiFi hotspots.

Well, given the size of Guadelupe and the few neighbouring villages in the Juarez Valley, Chihuahua, Mexico, WiFi hotspots are probably an unlikely luxury. Especially given that nine out of every ten businesses in the valley have gone under or closed down due to the violence of the past decade.