Complete Mission 2 'Ransomed Trust' Stages 0-4 development

Stage 0: Scenario Initialization
- Complete mission overview with hospital ransomware crisis
- Ransomware Incorporated cell integration
- Hybrid architecture plan (VM ProFTPD exploitation + ERB narrative)
- Concrete stakes: 47 patients, 12-hour deadline, $87K ransom
- Ghost as true believer antagonist (calculated patient deaths)
- 3 LORE fragments planned (manifesto, CryptoSecure, ZDS invoice)

Stage 1: Narrative Structure
- Complete 3-act structure (18 scenes)
- Act 1: Infiltration (Dr. Kim, Marcus, guard tutorial)
- Act 2: Exploitation (VM challenges, safe puzzle, LORE discoveries)
- Act 3: Impossible choices (ransom dilemma, hospital exposure)
- Emotional beat timeline with intensity mapping
- Tutorial integration for new mechanics (guards, PIN safe, ROT13)

Stage 2: Character Development
- Dr. Sarah Kim: Desperate CTO with guilt over budget cuts
- Marcus Webb: Defensive IT admin, scapegoat victim
- Ghost: Unrepentant ENTROPY operative, true believer
- Agent 0x99: Supportive handler, growing ENTROPY concern
- Voice examples with 3-line dialogue rule
- Character arcs defined (Marcus varies by player choice)

Stage 3: Moral Choices and Consequences
- Choice 1: Marcus trust building (sympathize/professional/blame)
- Choice 2: Marcus protection (warn/plant evidence/ignore)
- Choice 3: Ransom payment (pay/independent recovery) - NO RIGHT ANSWER
- Choice 4: Hospital exposure (public/quiet) - transparency vs pragmatism
- Optional: Ghost confrontation (argue/acknowledge/silent)
- All choices have meaningful campaign consequences (M6 financial trail)
- Utilitarian vs Consequentialist ethical frameworks
- Debrief variations reflect all choices (4 ransom+exposure combos)

Stage 4: Player Objectives and Tasks
- 5 required aims, 3 optional aims
- 23 required tasks, 4 optional tasks (27 total)
- Hybrid objectives: VM flag submissions + in-game tasks
- Success tiers: 60% minimal, 80% standard, 100% perfect
- Progressive unlocking validated (no soft locks)
- Ink tag integration (#complete_task, #unlock_aim, #give_item)
- Optional achievements: Ghost Hunter, Code Breaker, Ethical Hacker

Technical Challenges (Detailed Breakdown):
- New mechanics: Patrolling guards (60s predictable), PIN safe puzzle
- Reinforced mechanics: Lockpicking (4 doors), social engineering, Base64
- New encoding: ROT13 (Caesar cipher introduction)
- VM: ProFTPD CVE-2010-4652 exploitation, SSH brute force, Linux nav
- CyBOK coverage: Malware, Incident Response, Cryptography, Human Factors

Key Design Decisions:
- Ransom dilemma has no 'right' answer (both ethically valid)
- Ghost remains unrepentant (true believer, no redemption arc)
- Marcus's fate controllable by player (justice possible)
- Guard patrols beginner-friendly (forgiving, predictable, alternate paths)
- PIN puzzle accessible (multiple clues, hint system, fallback device)
- Campaign integration: M3 ZDS connection, M6 financial trail

Ready for Stage 5: Room Layout Design
Z. Cliffe Schreuders
2026-01-14 09:46:31 +00:00
parent b01ed30968
commit 92db4b3cfe
6 changed files with 4193 additions and 0 deletions

@@ -0,0 +1,870 @@
# Stage 0: Scenario Initialization - Mission 2 "Ransomed Trust"
**Scenario Working Title:** Ransomed Trust
**Mission ID:** m02_ransomed_trust
**Created:** 2025-12-20
**Status:** Stage 0 Complete
---
## Overview
**Target Tier:** 1 (Beginner)
**Estimated Duration:** 50-70 minutes
**Primary CyBOK Areas:** Malware & Attack Technologies, Incident Response, Applied Cryptography
**ENTROPY Cell:** Ransomware Incorporated
**Mission Type:** Crisis Response / Recovery
**SecGen Scenario:** "Rooting for a win" (ProFTPD backdoor exploitation)
---
## Mission Premise
A regional hospital has been hit by sophisticated ransomware, encrypting critical patient records and medical systems. SAFETYNET suspects ENTROPY's Ransomware Incorporated cell is behind the attack. As Agent 0x00, you must infiltrate the compromised hospital, exploit the attackers' own backdoors to recover decryption keys, and restore systems before patients die. You have 12 hours before backup power fails.
**The Stakes:**
- 47 patients on life support with backup power for 12 hours
- 3,200 encrypted patient records affecting ongoing treatments
- $2.5 million Bitcoin ransom demand (approximately $87,000 USD)
- Ransomware deployed via vulnerable ProFTPD server IT warned about 6 months ago
**The Dilemma:**
Pay the ransom for immediate recovery (faster, but funds ENTROPY) or exploit the backdoor to recover keys independently (slower, puts patients at higher risk during recovery).
---
## Technical Challenges Summary
### VM/SecGen Challenges (Technical Validation)
**SecGen Scenario:** "Rooting for a win"
- **Challenge 1:** Exploit ProFTPD 1.3.5 backdoor (CVE-2010-4652)
- **Challenge 2:** Gain shell access and escalate privileges
- **Challenge 3:** Navigate Linux filesystem to find backup encryption keys
- **Challenge 4:** Recover patient database backups
**Educational Focus:** Service exploitation, vulnerability analysis, privilege escalation, backup recovery procedures
### Break Escape In-Game Challenges (ERB Narrative Content)
**New Mechanics (Introduced in M2):**
1. **Patrolling Guards (NEW)** - Security heightened after breach; timed patrol routes create stealth gameplay
2. **PIN Cracking on Safe (NEW)** - Physical backup keys stored in 4-digit PIN safe; clue-based puzzle
**Reinforced Mechanics (From M1):**
3. **Lockpicking** - Multiple locked doors (server room, IT office, administrator's office)
4. **NPC Social Engineering** - Marcus Webb (IT Admin) provides server access and hints
5. **Encoding/Decoding** - Ransomware note uses Base64 encoding; recovery instructions in ROT13
**Educational Focus:** Physical security under crisis, incident response procedures, social engineering stressed individuals, cryptographic key recovery
### Hybrid Integration Workflow
```
Act 1: Infiltration & Discovery
├─ In-Game: Social engineer Marcus (IT Admin) for server room access
├─ In-Game: Lockpick IT office door
├─ In-Game: Find password hints in Marcus's notes
├─ In-Game: Decode Base64 ransomware note revealing Ghost's philosophy
└─ In-Game: Navigate past patrolling guard (tutorial)
Act 2: Exploitation & Recovery
├─ VM: SSH to hospital backup server using found credentials
├─ VM: Exploit ProFTPD backdoor (CVE-2010-4652)
├─ VM: Gain shell access, escalate privileges
├─ VM: Locate encrypted database backups
├─ In-Game: Submit flag at drop-site terminal → Unlocks safe location intel
├─ In-Game: Find PIN clues (Marcus's daughter's birthday photo, hospital founding year plaque)
├─ In-Game: Crack 4-digit PIN safe (hybrid clue puzzle)
├─ In-Game: Retrieve offline backup decryption key
└─ In-Game: Navigate patrolling guards during evidence gathering
Act 3: Decision & Resolution
├─ In-Game: Decode ROT13 recovery instructions
├─ CHOICE: Pay ransom vs. use recovered keys
├─ CHOICE: Expose hospital security failures vs. quiet resolution
├─ In-Game: Optional - Warn Marcus about scapegoating
└─ Closing debrief reflects choices and outcomes
```
**Dead Drop Integration:**
- VM flags represent "intercepted ENTROPY backup access credentials"
- Flag submission unlocks in-game intel about physical safe location
- Correlation required: VM recovery + in-game PIN cracking = complete key set
**Objectives System Integration:**
```json
{
"objectives": [
{
"id": "recover_decryption_keys",
"aims": [
{
"id": "digital_recovery",
"tasks": [
{"id": "submit_ssh_flag", "description": "Submit SSH access flag"},
{"id": "submit_exploit_flag", "description": "Submit ProFTPD exploitation flag"}
]
},
{
"id": "physical_recovery",
"tasks": [
{"id": "crack_pin_safe", "description": "Crack PIN safe"},
{"id": "decode_recovery_instructions", "description": "Decode ROT13 recovery instructions"}
]
}
]
}
]
}
```
---
## Selected ENTROPY Cell: Ransomware Incorporated
### Why This Cell
**Philosophical Alignment:**
Ransomware Incorporated believes in "teaching resilience through crisis." They target organizations with poor security hygiene to "educate" them about the cost of negligence. They see themselves as harsh teachers, not criminals—the suffering is "tuition for a lesson in preparedness."
**Technical Capabilities:**
- Advanced ransomware development with symmetric encryption (AES-256)
- Sophisticated backdoor deployment via known CVEs
- Cryptocurrency payment infrastructure
- Legitimate front company: "CryptoSecure Recovery Services"
**Narrative Potential:**
- Antagonist "Ghost" communicates via encrypted channels, taunts player
- Philosophy creates genuine moral dilemma (are they partially right about hospital negligence?)
- True believer character: refuses to cooperate, accepts consequences
### Cell Leader Involvement
**Involvement Level:** Minor (Ghost operative present via communications)
**"Ghost" (Cell Operative):**
- Handles operational communications
- Sends ransom demands and deadlines
- Monitors player's progress, adjusts tactics
- Has prepared "evil monologue" about teaching resilience
- Will NOT surrender even if confronted (true believer)
**The Architect (Mentioned Only):**
- Ransomware note includes signature: "Approved by The Architect - Operation Resilience"
- Sets up future revelation about ENTROPY coordination
- Reinforces that cells work together under leadership
### Cell Philosophy Connection
**"Teaching Resilience Through Adversity":**
Ransomware Inc. views healthcare as systemically negligent about cybersecurity:
- Hospitals spend millions on MRI machines but ignore IT warnings
- Patient safety depends on security, yet security budgets are cut
- Only pain teaches institutions to prioritize digital hygiene
**Ghost's Manifesto Excerpt (found as LORE):**
> "We calculated the risk: 47 patients on backup power, 12-hour window, 0.3% probability of fatality per hour delayed. That's 1-2 statistical deaths if they pay immediately, 4-6 if they delay for IT recovery. These numbers should horrify you—but they should horrify the hospital administrators more. They created this scenario when they ignored their IT director's warnings for six months. We're just revealing the consequences of their choices."
**Philosophy Makes Them Evil, Not Sympathetic:**
- They calculated patient death probabilities (spreadsheet exists as evidence)
- They targeted vulnerable population (patients) to maximize pressure
- They feel no remorse ("acceptable cost of education")
- They'll do it again to "teach" other hospitals
### Previous Operations
**"Operation Triage" (6 months ago):**
- Hit three smaller clinics with same ransomware
- All paid within 24 hours (no deaths)
- Proved the business model works
- Used funds to develop more sophisticated malware
**Reference in Intelligence:**
- SAFETYNET has been tracking Ransomware Inc. for 8 months
- This is their first attack on a major hospital
- Represents escalation in tactics and stakes
### Inter-Cell Connections
**Zero Day Syndicate (Setup for M3):**
- ProFTPD exploit (CVE-2010-4652) was sold to Ransomware Inc. by ZDS
- Intelligence suggests ZDS may have provided reconnaissance data
- Hint at coordination: "Package delivered per Architect's requirements" in Ghost's logs
**Crypto Anarchists (Setup for M6):**
- Bitcoin ransom payment flows through Crypto Anarchist infrastructure
- Payment wallet connected to broader ENTROPY financial network
- Laundering service: "HashChain Exchange" processes transactions
**Campaign Thread:**
- If player pays ransom (M2 choice), M6 financial investigation has clearer trail but ENTROPY better funded
- If player doesn't pay, M6 investigation more difficult but ENTROPY has less operational capital
---
## Recommended Narrative Theme
**Selected Theme:** "Hospital Under Siege - Crisis Response"
### Why This Theme
This theme was selected because it:
1. **Makes Technical Challenges Organic:**
- ProFTPD exploitation: Hospital's backup server was compromised via known CVE
- Privilege escalation: Need admin access to encrypted database backups
- Physical safe: Offline backup keys stored in CTO's safe (best practice, ironically helps player)
- Social engineering: Crisis makes Marcus desperate for help, more trusting
2. **Creates Emotional Stakes:**
- 47 patients on life support creates immediate urgency
- Marcus (ally) feels guilty, will be scapegoated by hospital
- Dr. Kim (CTO) desperate enough to consider paying ransom
- Player must balance patient safety vs. not funding ENTROPY
3. **Fits Break Escape Universe:**
- ENTROPY cells target institutions to prove philosophical points
- Ransomware Inc.'s "teaching through crisis" aligns with targeting negligent hospital
- SAFETYNET responds to cyber threats with physical/digital hybrid operations
- Moral complexity: villain has valid critique of hospital's security negligence
4. **Supports Player Agency:**
- Pay ransom vs. independent recovery (no "right" answer)
- Expose hospital publicly vs. quiet resolution
- Protect Marcus from scapegoating vs. focus on mission
- Each choice has meaningful consequences for campaign
### Alternative Themes Considered
**Theme Option 2:** "Medical Research Data Theft"
- ENTROPY stealing medical research data for sale
- Rejected: Too similar to corporate espionage (M5 theme), less urgent stakes
**Theme Option 3:** "Insurance Fraud Ransomware"
- ENTROPY targeting hospital to manipulate insurance claims
- Rejected: Too complex for beginner mission, dilutes focus on ransomware mechanics
---
## Detailed Narrative Theme: "Hospital Under Siege"
### Logline
A regional hospital's patient records are encrypted by ENTROPY's Ransomware Incorporated, and Agent 0x00 must infiltrate the facility to recover decryption keys before backup power fails and patients on life support die—all while deciding whether paying the ransom is worth saving lives.
### Setting
**Location Type:** Regional Medical Center (St. Catherine's Hospital)
**Cover Story:**
- Public: "External cybersecurity consultant brought in to assess breach"
- Hospital staff: "SAFETYNET emergency response team"
- Patient areas: Off-limits to maintain cover and respect privacy
**ENTROPY's Interest:**
- Hospital ignored IT warnings about ProFTPD vulnerability for 6 months
- Budget cuts eliminated cybersecurity training programs
- Perfect target for "teaching resilience through crisis" philosophy
- High-value Bitcoin payment capability (insurance coverage)
**Unique Atmosphere:**
- Sterile, institutional hospital environment (white walls, harsh lighting)
- PA announcements about system outages create urgency
- Medical equipment sounds (beeping monitors, ventilators)
- Security guards patrol anxiously (breach has everyone on edge)
- Contrast: calm reception area vs. frantic IT department
**Layout Preview:**
- Reception (entry point, cover story established)
- IT Department (Marcus's office, server room)
- Administrative Wing (Dr. Kim's office, records storage)
- Server Room (VM access terminal, drop-site terminal)
- Emergency Equipment Storage (safe with backup keys)
### Inciting Incident
**Timeline: 12 Hours Before Mission Start**
At 3:47 AM, St. Catherine's Regional Medical Center's network administrator received an automated alert: patient database offline, backup server unresponsive. Within 15 minutes, ransomware splash screens appeared on every terminal:
> "YOUR PATIENT RECORDS ARE ENCRYPTED. 47 PATIENTS ON LIFE SUPPORT. 12 HOURS OF BACKUP POWER. PAY 2.5 BTC TO [WALLET] OR WATCH THEM DIE. - RANSOMWARE INCORPORATED"
Marcus Webb, the IT administrator who had warned about the vulnerable ProFTPD server six months ago, immediately tried emergency recovery protocols—only to discover the ransomware had encrypted the online backups too. Only the offline backup (encryption keys in Dr. Kim's safe) remained untouched.
Dr. Sarah Kim, the hospital CTO, made an emergency call to SAFETYNET at 4:12 AM. The situation:
- 47 patients on critical life support systems (ventilators, ECMO, dialysis)
- 3,200 encrypted patient records affecting ongoing treatments (medication lists, allergies, care plans)
- Backup generators provide 12 hours of power for life support
- Bitcoin ransom: 2.5 BTC (≈$87,000 USD) due in 8 hours
- Hospital board meeting in 4 hours to decide on paying ransom
**SAFETYNET's Response:**
Agent 0x99 discovered ENTROPY signature in the ransomware code—specifically Ransomware Incorporated's "teaching through crisis" methodology. This isn't random cybercrime; it's ideological operation approved by "The Architect."
Mission brief at 6:00 AM: Infiltrate hospital as security consultant, exploit ENTROPY's own backdoor to recover decryption keys, restore systems before 3:47 PM power failure deadline.
**Why Agent 0x00:**
- Beginner agent with fresh perspective (won't be paralyzed by complexity)
- M1 success demonstrates capability under pressure
- SAFETYNET's advanced agents are handling Operation Shatter fallout from M1
- Agent 0x99 available for remote support
### Stakes
**Personal Stakes:**
- **Marcus Webb (IT Admin):** Will be scapegoated by hospital leadership despite warning them 6 months ago; could lose career
- **Dr. Sarah Kim (CTO):** Reputation destroyed if patients die; personally feels responsible for budget cuts
- **47 Named Patients:** Real people with families (player can find patient logs with names, ages, conditions)
- **Player's Reputation:** Second mission; failure would be devastating after M1 success
**Organizational Stakes:**
- **St. Catherine's Hospital:** Reputation in community destroyed if patients die; potential lawsuits, regulatory penalties
- **SAFETYNET:** Public confidence in cyber threat response tested; first publicized ransomware crisis
- **Other Hospitals:** If ENTROPY succeeds, they'll replicate attack across healthcare sector
- **Healthcare Sector:** Insurance companies watching closely; premiums could skyrocket if this becomes trend
**Societal Stakes:**
- **Healthcare Cybersecurity:** Reveals systemic vulnerability in medical infrastructure
- **Public Trust:** Patients trust hospitals with their lives; encryption of medical records violates that trust
- **Ransomware Precedent:** Paying ransom encourages more attacks; not paying risks lives
- **Digital Infrastructure:** Critical infrastructure (healthcare, power, water) all vulnerable to similar attacks
**Urgency:**
- **T-minus 12 hours:** Backup power fails → life support systems shut down → patients die
- **T-minus 8 hours:** Ransom payment deadline → Ghost may increase price or refuse payment
- **T-minus 4 hours:** Hospital board votes on paying ransom → may preempt mission
- **Continuous Pressure:** Every hour delayed increases risk to patients
**Concrete Numbers (Making Stakes Real):**
- **47 patients** on life support (specific number, not "dozens")
- **3,200 patient records** encrypted (quantified impact)
- **$87,000** ransom (real cost in USD for relatability)
- **12-hour** deadline (specific time pressure)
- **6 months** since IT warning ignored (administrative negligence timeline)
- **0.3% per hour** probability of patient fatality during recovery (Ghost's calculation, found in evidence)
- **1-2 statistical deaths** if ransom paid immediately (Ghost's projection)
- **4-6 statistical deaths** if IT recovery takes full 12 hours (Ghost's projection)
### Central Conflict
**Primary Conflict:**
Time vs. Morality—Player must choose between fast recovery (pay ransom, fund ENTROPY's operations) and slow recovery (independent key recovery, higher patient risk). There is no clear "right" answer.
**Secondary Conflicts:**
1. **Institutional Negligence vs. Individual Suffering:** Hospital administration cut security budget, but patients suffer consequences
2. **Justice vs. Pragmatism:** Marcus warned them 6 months ago; is it wrong to let him be scapegoated?
3. **Transparency vs. Reputation:** Should hospital's security failures be exposed to protect other hospitals, even if it destroys St. Catherine's reputation?
4. **ENTROPY's Philosophy:** Are they partially right that institutions only learn through pain?
**Antagonist Motivation (Ghost):**
Not just money—Ghost genuinely believes this attack will force St. Catherine's (and other hospitals) to take cybersecurity seriously. The suffering is "educational."
**The Dilemma's Layers:**
- **If pay ransom:** Patients safe quickly, but ENTROPY funded for more attacks, hospital learns nothing
- **If independent recovery:** ENTROPY not funded, but patients at higher risk during recovery window
- **If expose hospital:** Other hospitals learn from St. Catherine's mistakes, but St. Catherine's destroyed
- **If protect Marcus:** Justice served, but complicates investigation
- **If confront Ghost:** Can learn about ENTROPY, but Ghost won't cooperate (true believer)
### Narrative Arc Preview
**Act 1: Infiltration & Discovery (15-20 minutes)**
**Scene 1: Emergency Briefing (0x99)**
- Agent 0x99 explains situation: 47 patients, 12-hour window, ransomware inc. signature
- Mission objectives: Recover decryption keys, restore systems, minimize casualties
- Warning: Hospital board may vote to pay ransom—work fast
**Scene 2: Hospital Reception**
- Arrive at St. Catherine's under cover as "external security consultant"
- Receptionist directs player to Dr. Kim's office
- Environmental storytelling: PA announcements about system failures, anxious visitors
**Scene 3: Meet Dr. Sarah Kim (CTO)**
- Dr. Kim frantic, desperate—considering paying ransom
- Explains situation: IT warned them, board cut budget anyway
- Authorizes player's access to IT department
- "Please... I can't let these people die because we were cheap."
**Scene 4: Meet Marcus Webb (IT Admin)**
- Marcus overwhelmed, guilty—"I told them six months ago!"
- Social engineering target: Wants to help, provides server room access
- Gives password hints (his daughter's name, hospital anniversary)
- Tutorial: Lockpicking IT office door while Marcus is distracted
**Discovery 1:** Find Marcus's email to Dr. Kim (6 months ago) warning about ProFTPD vulnerability—marked "Budget constraints—defer to next fiscal year"
**Discovery 2:** Decode Base64 ransomware note revealing Ghost's philosophy about "teaching resilience"
**Act 1 Ends:** Player has server room access, password hints, understands ENTROPY's motivation
---
**Act 2: Investigation & Exploitation (25-35 minutes)**
**Scene 5: Navigate to Server Room**
- Tutorial: Patrolling guard mechanics (security heightened after breach)
- Guard has predictable route: Reception → IT Dept → Administrative Wing → Reception (60-second loop)
- Learn to time movement between patrols
**Scene 6: Server Room Access**
- VM Terminal: SSH to backup server using password hints + brute force
- Drop-site Terminal: Submit flags for intel unlocks
- Environmental clue: Whiteboard with "BACKUP SAFE - ADMIN STORAGE" note (from before encryption)
**Scene 7: VM Exploitation Phase**
- Exploit ProFTPD backdoor (CVE-2010-4652)
- Navigate encrypted file system
- Find database backups (encrypted) and Ghost's operational logs
- Discover: Offline backup keys exist but not on network
**Discovery 3:** Ghost's log file reveals Zero Day Syndicate sold the exploit: "Package delivered per Architect's requirements—ZDS reliable as always"
**Discovery 4:** Submit VM flags → Unlock intel: "Offline backup keys in emergency equipment storage, administrative wing"
**Scene 8: Hunt for Physical Backup Keys**
- Navigate past guards again (reinforcement of stealth mechanics)
- Lockpick administrative offices
- Find PIN clues scattered in environment:
- **Clue 1:** Marcus's desk photo: Daughter's birthday "Emma - 7th birthday! 05/17/2018" → Digits 0517
- **Clue 2:** Hospital plaque in lobby: "Founded 1987" → Digits 1987
- **Clue 3:** Dr. Kim's notes: "Safe combination: founding year" → Confirms 1987
**Scene 9: Crack PIN Safe**
- 4-digit PIN puzzle: 1987 (hospital founding year)
- Tutorial: PIN cracking device (if player can't solve from clues)
- Retrieve offline backup encryption key (USB drive)
**Discovery 5:** USB drive contains partial decryption key + ROT13 encoded recovery instructions
**Scene 10: Mid-Mission Moral Choice**
- Find email chain: Hospital admin planning to blame Marcus for breach (scapegoat)
- CHOICE: Warn Marcus privately / Plant evidence clearing Marcus / Ignore (focus on mission)
- **Consequence:** Affects Marcus's fate in debrief, Marcus's willingness to help in future missions
**Discovery 6:** Decode ROT13 recovery instructions: "Full recovery requires offline + online keys—12-hour process if manual, instant if ransom paid"
**Act 2 Ends:** Player has both digital (VM) and physical (safe) key components, understands full scope
---
**Act 3: Resolution & Consequences (10-15 minutes)**
**Scene 11: The Ransom Decision**
- Agent 0x99 calls with update: Hospital board voting in 30 minutes
- Ghost sends final communication: "Time is running out. Patient deaths are on YOUR conscience if you delay. $87,000 vs. human lives—easy math."
- Dr. Kim asks player for recommendation
**MAJOR CHOICE 1: Pay Ransom vs. Independent Recovery**
**Option A: Pay Ransom**
- Immediate system recovery (no patient deaths)
- ENTROPY funded ($87,000 to Crypto Anarchists → M6 financial trail)
- Hospital learns nothing about security
- Ghost escapes with funds
- Debrief: "You saved 47 lives today, but Ransomware Inc. will use those funds to attack again. Three more hospitals hit this month using your ransom money."
**Option B: Independent Recovery**
- 12-hour recovery process begins
- Statistical risk: 4-6 potential patient casualties during recovery window
- ENTROPY not funded (better for long-term)
- Opportunity to trace Ghost's communications (intelligence gain)
- Debrief: "Recovery successful. 2 patients died during the 12-hour window—families are devastated, lawsuits filed. But you didn't fund ENTROPY's next attack."
**MAJOR CHOICE 2: Expose Hospital vs. Quiet Resolution**
**Option A: Expose Hospital Publicly**
- SAFETYNET press release details hospital's negligence
- St. Catherine's reputation destroyed, Dr. Kim resigns, Marcus vindicated
- Other hospitals learn from mistakes (prevent future attacks)
- Debrief: "St. Catherine's may not survive the scandal, but 15 other hospitals implemented the security measures you recommended. You saved thousands of future patients."
**Option B: Quiet Resolution**
- SAFETYNET keeps incident confidential
- St. Catherine's reputation intact, Dr. Kim keeps job
- Marcus may still be scapegoated (unless player intervened earlier)
- Other hospitals remain vulnerable
- Debrief: "St. Catherine's is grateful for your discretion. Their new security budget is triple last year's. But we've detected similar vulnerabilities in 40 other hospitals—none of them know yet."
**Scene 12: Optional Ghost Confrontation**
- If player traced communications, can locate Ghost's relay point
- Ghost refuses to cooperate: "I did the math. 47 lives at risk because of THEIR negligence, not mine. You think I'm the villain? I just revealed their failure."
- Evil monologue about teaching resilience through adversity
- Ghost accepts arrest without remorse: "Worth it. They'll never ignore an IT security warning again."
**Scene 13: Closing Debrief (Agent 0x99)**
- Reflects player's specific choices and actions
- Quantified outcomes: Patients saved/lost, ENTROPY funding status, hospital reputation
- Marcus's fate (scapegoated/cleared/helped)
- Connection to larger campaign: Crypto Anarchists payment trail (if ransom paid), Zero Day Syndicate coordination hint
- Teaser for M3: "That ProFTPD exploit Ghost used? Wasn't random. Someone sold it to them."
**Act 3 Ends:** Mission complete, player grapples with consequences of impossible choices
---
### Key NPCs Needed
**Dr. Sarah Kim (Hospital CTO)**
- **Role:** Desperate authority figure, moral voice
- **Purpose:** Presents ransom dilemma, adds emotional weight
- **Character:** Competent administrator caught between budget constraints and patient safety
- **Voice:** Professional but cracking under pressure
- **Location:** Administrative office (in-person NPC)
**Marcus Webb (IT Administrator)**
- **Role:** Guilty ally, social engineering target
- **Purpose:** Provides server access, password hints, represents institutional victim
- **Character:** Overworked IT admin who warned about vulnerability 6 months ago, ignored by leadership
- **Voice:** Exhausted, defensive, wants to help prove he was right
- **Location:** IT department (in-person NPC)
**"Ghost" (Ransomware Inc. Operative)**
- **Role:** Antagonist, true believer
- **Purpose:** Represents ENTROPY philosophy, moral counterpoint
- **Character:** Calm, calculated, believes suffering teaches resilience
- **Voice:** Clinical, philosophical, unrepentant
- **Location:** Phone/terminal communications only (text/voice messages)
**Agent 0x99 "Haxolottle" (Handler)**
- **Role:** Mission support, tutorial guide
- **Purpose:** Provides context, hints, reflects on choices
- **Character:** Supportive mentor with growing concern about ENTROPY coordination
- **Voice:** Encouraging but professional, axolotl metaphors
- **Location:** Phone communications (remote NPC)
**Security Guard (Patrol NPC)**
- **Role:** Patrolling obstacle
- **Purpose:** Teaches stealth mechanics, creates tension
- **Character:** Anxious about breach, doing job diligently
- **Voice:** Minimal (ambient dialogue only)
- **Location:** Patrol route through hospital
**Optional: Hospital Administrator (Background NPC)**
- **Role:** Antagonist (institutional)
- **Purpose:** Represents bureaucratic negligence
- **Character:** Budget-focused, dismissive of IT concerns
- **Voice:** Corporate doublespeak
- **Location:** Email chains and documents only
### Tone and Atmosphere
**Primary Tone:** Urgent Professional Crisis
- Serious stakes (lives on the line) without melodrama
- Competent professionals under extreme pressure
- Moral complexity without moral relativism (ENTROPY is evil, even if they have a point)
**Emotional Beats:**
- **Opening:** Anxiety (race against clock)
- **Act 1:** Desperation (Dr. Kim's fear, Marcus's guilt)
- **Act 2:** Tension (stealth mechanics, time pressure, discoveries)
- **Act 3:** Impossible choice (ransom dilemma), then reflection (consequences)
**Atmosphere Elements:**
- **Visual:** Sterile hospital environment (whites, grays, medical equipment)
- **Audio:** PA announcements, medical equipment beeping, guard radios
- **Pacing:** Constant time pressure without explicit timer (narrative urgency)
- **Contrast:** Calm public areas vs. frantic IT department
**Strategic Humor:**
- Agent 0x99's axolotl metaphors ("Like an axolotl regrowing limbs, hospitals must rebuild security from the ground up")
- Marcus's IT gallows humor ("'Password123'? At least it wasn't 'Guest'...")
- Environmental details (motivational posters in IT department: "There is no I in TEAM but there is in INCIDENT RESPONSE")
**No Humor:**
- Patient suffering
- Ghost's philosophy (taken seriously, even if wrong)
- Ransom decision (genuine moral weight)
---
## LORE Opportunities
### LORE Fragment 1: "Ghost's Manifesto - Teaching Resilience Through Adversity"
**Content:**
> **RANSOMWARE INCORPORATED: OPERATIONAL PHILOSOPHY**
>
> We are not criminals. We are educators.
>
> St. Catherine's Hospital ignored their IT director's warnings about CVE-2010-4652 for six months. They cut cybersecurity training budgets by 40%. They spent $3.2 million on new MRI equipment while refusing $85,000 for server security upgrades.
>
> We calculated the risk: 47 patients on backup power, 12-hour window, 0.3% probability of fatality per hour delayed. That's 1-2 statistical deaths if they pay immediately, 4-6 if they delay for IT recovery.
>
> These numbers should horrify you—but they should horrify the hospital administrators more. They created this scenario when they ignored Marcus Webb's warnings. We're just revealing the consequences of their choices.
>
> After this operation, St. Catherine's will never ignore cybersecurity again. Neither will the 40 other hospitals watching. The suffering is regrettable but educational. Resilience is taught through adversity.
>
> Approved by The Architect - Operation Resilience
>
> - Ghost, Ransomware Incorporated
**Discovery Location:** Encrypted file on backup server (VM challenge)
**Unlock Condition:** Exploit ProFTPD backdoor
**CyBOK Alignment:** Adversarial Behaviours (Attacker Motivations)
**Narrative Purpose:** Reveals ENTROPY philosophy, makes villain's calculation explicit, shows Architect coordination
### LORE Fragment 2: "CryptoSecure Recovery Services - Ransomware Inc. Front Company"
**Content:**
> **CRYPTOSECURE RECOVERY SERVICES**
> Cryptocurrency-Based Data Recovery Specialists
>
> CLIENT TESTIMONIAL LOG - OPERATION TRIAGE
>
> **Greenfield Clinic** (March 2024): Paid 0.5 BTC, systems restored in 4 hours. No patient deaths. Client satisfaction: 9/10. Note: "Fast, professional service. Wish we'd invested in backups instead."
>
> **Riverside Medical** (April 2024): Paid 0.8 BTC, systems restored in 6 hours. 1 patient complication (non-fatal). Client satisfaction: 7/10. Note: "Expensive lesson. Hired new IT director."
>
> **Valley Health Center** (May 2024): Paid 1.2 BTC, systems restored in 3 hours. No patient deaths. Client satisfaction: 8/10. Note: "Regret payment but grateful for speed. Implemented security overhaul."
>
> TOTAL REVENUE: 2.5 BTC (~$87,000 USD at time)
> REINVESTMENT: Next-gen ransomware development (AES-256 upgrade)
>
> **St. Catherine's Hospital** (Target): Projected 2.5 BTC. Larger facility = higher payment, greater impact = more publicity = more deterrence effect on hospital sector.
>
> Note: Architect approved escalation to major hospital. Crypto Anarchists confirmed payment processing infrastructure ready.
**Discovery Location:** Filing cabinet in IT office (lockpicking required)
**Unlock Condition:** Lockpick Marcus's office
**CyBOK Alignment:** Malware & Attack Technologies (Ransomware Business Model)
**Narrative Purpose:** Shows Ransomware Inc. previous operations, legitimate front, Crypto Anarchist connection for M6
### LORE Fragment 3: "ProFTPD Exploit Source - Zero Day Syndicate Invoice"
**Content:**
> **ZERO DAY SYNDICATE - INVOICE #ZDS-2024-0847**
>
> CLIENT: Ransomware Incorporated (Ghost)
> SERVICE: Exploit Package + Reconnaissance
> TARGET: Healthcare Sector (ProFTPD 1.3.5 CVE-2010-4652)
>
> **DELIVERABLES:**
> - ProFTPD 1.3.5 backdoor exploit (CVE-2010-4652) - $25,000
> - Healthcare sector vulnerability scan (214 hospitals analyzed) - $15,000
> - Target selection consultation (risk/reward analysis) - $10,000
> - Deployment guide (Linux server exploitation tutorial) - $5,000
>
> **TOTAL: $55,000** (Paid via Crypto Anarchist infrastructure)
>
> **TARGET RECOMMENDATIONS:**
> 1. St. Catherine's Regional Medical (HIGH VALUE - ignored IT warnings, budget cuts, 47 life support patients)
> 2. Metro General Hospital (MEDIUM VALUE - outdated systems, 23 life support patients)
> 3. County Medical Center (LOW VALUE - recent security audit, 12 life support patients)
>
> **DEPLOYMENT NOTES:**
> "St. Catherine's is ideal Operation Resilience target. Maximum educational impact. Marcus Webb (IT Admin) has documented warnings—perfect for post-attack narrative about institutional negligence."
>
> **ARCHITECT APPROVAL:** Confirmed. Proceed with St. Catherine's. ZDS coordination excellent as always.
>
> Payment processed: HashChain Exchange (Crypto Anarchist infrastructure)
**Discovery Location:** Safe in administrative office (PIN cracking required)
**Unlock Condition:** Crack 4-digit PIN safe (1987 - hospital founding year)
**CyBOK Alignment:** Adversarial Behaviours (Attack Supply Chains)
**Narrative Purpose:** Connects M2 to M3 (Zero Day Syndicate), M6 (Crypto Anarchist payment), reveals Architect coordination, shows ENTROPY cells work together
---
## Why This Theme Works
### Technical Challenge Integration
**ProFTPD Exploitation (VM):**
- **Narrative Context:** Hospital's backup server vulnerable due to ignored IT warnings
- **Organic Fit:** Real CVE (CVE-2010-4652), real vulnerability, realistic hospital scenario
- **Educational Value:** Teaches service exploitation, backdoor mechanisms, Linux privilege escalation
- **Difficulty Appropriate:** Beginner-friendly (documented exploit, guided tutorial in Agent 0x99 hints)
**Lockpicking & Physical Security (In-Game):**
- **Narrative Context:** Server room locked (normal security), admin offices locked (sensitive data)
- **Organic Fit:** Hospitals have physical security for equipment and records
- **Skill Reinforcement:** Players practiced in M1, now apply to new setting with higher stakes
- **Difficulty Progression:** More locks than M1, some with tougher patterns
**Patrolling Guards (In-Game - NEW):**
- **Narrative Context:** Security heightened after ransomware breach
- **Organic Fit:** Hospitals have security; breach would trigger patrols
- **Educational Value:** Teaches timing, patience, observation (security mindset)
- **Beginner-Friendly:** Predictable 60-second patrol route, forgiving detection (warning first)
**PIN Cracking Safe (In-Game - NEW):**
- **Narrative Context:** Offline backup keys stored per best practices (offline = airgapped)
- **Organic Fit:** Hospitals keep critical resources in physical safes
- **Educational Value:** Teaches investigation (finding clues), physical security (safes exist for reason)
- **Puzzle Design:** Hybrid clue-based (find 2-3 digits) + optional brute force (device)
**Social Engineering Marcus (In-Game):**
- **Narrative Context:** Marcus desperate to prove he was right, willing to help investigator
- **Organic Fit:** Crisis makes people more trusting, less cautious
- **Skill Reinforcement:** Players practiced in M1, now apply to stressed target
- **Difficulty Progression:** Marcus more cooperative than M1 NPCs (tutorial reinforcement, not harder challenge yet)
**Encoding/Decoding (In-Game):**
- **Narrative Context:** Ransomware note in Base64 (obfuscation), recovery instructions in ROT13 (ENTROPY communication style)
- **Organic Fit:** ENTROPY cells use encoding to obscure communications
- **Skill Reinforcement:** Players learned Base64 in M1, ROT13 introduced here
- **Educational Value:** Reinforces encoding != encryption, introduces Caesar cipher concept
### Emotional Engagement
**Stakes Are Real and Specific:**
- Not "people might get hurt" but "47 named patients will die in 12 hours"
- Player can find patient logs with names, ages, conditions (humanizes victims)
- Marcus isn't generic NPC but person with backstory (warned leadership 6 months ago)
- Hospital has specific budget cut details ($85,000 server upgrade vs. $3.2M MRI)
**Moral Dilemma Is Genuine:**
- No obvious "right" answer to ransom payment
- Both choices have valid ethical frameworks:
- **Pay:** Utilitarian (maximize lives saved immediately)
- **Don't pay:** Consequentialist (prevent future attacks)
- Player must weigh immediate vs. long-term consequences
- Debrief validates both choices (no achievement penalty)
**Villain Is Ideologically Coherent:**
- Ghost isn't evil for evil's sake—has philosophy
- Philosophy is WRONG but UNDERSTANDABLE
- Calculation of patient deaths makes villain real (spreadsheet of projected casualties)
- True believer: won't recant, won't cooperate, accepts consequences
**Player Agency Matters:**
- Choices affect Marcus's fate (scapegoated or cleared)
- Ransom decision affects M6 financial investigation
- Hospital exposure affects future medical facility missions
- Closing debrief reflects specific player actions
### Universe Consistency
**ENTROPY Cell Philosophy:**
- Ransomware Inc.'s "teaching resilience" aligns with established ENTROPY ideology
- Architect approval shows coordination (building towards M7-10 revelation)
- Cross-cell collaboration (ZDS exploit, Crypto Anarchist payment) reinforces organized network
**SAFETYNET Operations:**
- Hybrid physical/digital infiltration consistent with M1
- Agent 0x99 remote support role established
- Cover story (security consultant) believable and professional
**Technology Realistic:**
- Real CVE (CVE-2010-4652), real ransomware behavior (AES-256)
- Backup procedures match real best practices (offline keys in safe)
- Hospital IT constraints realistic (budget cuts, ignored warnings common)
**Tone Maintained:**
- Serious stakes with strategic humor (Agent 0x99 metaphors)
- Professional competence (no bumbling NPCs)
- Moral complexity without moral relativism (ENTROPY evil, even if partially right)
---
## Next Steps
This initialization document should be passed to:
### Stage 1: Narrative Structure Development
- Expand 3-act structure into detailed scene-by-scene breakdown
- Write full narrative beats with emotional progression
- Design dialogue flow for Dr. Kim, Marcus, Ghost, Agent 0x99
- Plan choice presentation moments (how player decides on ransom, exposure)
### Stage 2: Storytelling Elements Design
- Develop NPC character voices (dialogue examples, personality traits)
- Design hospital atmosphere (visual, audio, environmental storytelling)
- Plan pacing mechanics (how time pressure manifests without explicit timer)
- Create emotional beat timeline (anxiety → tension → impossible choice → reflection)
### Stage 3: Moral Choices and Consequences
- Design ransom payment choice interface (Ghost's persuasion vs. 0x99's warnings)
- Map immediate consequences (patient outcomes, ENTROPY funding)
- Map campaign consequences (M6 financial trail, hospital reputation)
- Design Marcus protection choice (mid-mission intervention)
- Plan closing debrief dialogue branches (reflect specific choices)
### Stage 4: Player Objectives Design
- Define complete objective hierarchy (objectives → aims → tasks)
- Map VM flag submissions as tasks (#complete_task:submit_ssh_flag)
- Map in-game tasks (lockpicking, PIN cracking, decoding)
- Design progressive unlocking (what unlocks when)
- Create objectives.json structure
### Stage 5: Room Layout Design
- Design hospital floor plan (reception, IT, admin wing, server room, storage)
- Place containers (safe with PIN, filing cabinets, Marcus's desk)
- Design lock types and placement
- Create guard patrol route (60-second loop)
- Position NPCs (Dr. Kim in admin office, Marcus in IT)
- Place terminals (VM access in server room, drop-site terminal)
---
## Design Notes
### Critical Success Factors
1. **Make Stakes Concrete:**
- Use specific numbers (47 patients, 12 hours, $87,000)
- Name victims (Marcus, Dr. Kim, patient logs)
- Show calculations (Ghost's spreadsheet with death probabilities)
2. **Guard Patrol Tutorial:**
- First guard encounter should be tutorial (Agent 0x99 explains)
- Forgiving detection (warning before consequences)
- Predictable pattern (60-second loop easy to learn)
- Optional alternate paths (multiple routes past guard for advanced players)
3. **PIN Puzzle Accessibility:**
- Multiple clue types (visual, document, NPC dialogue)
- Progressive hints if player stuck (Agent 0x99 suggests "look for founding year")
- Fallback: PIN cracking device (brute force option if puzzle too hard)
4. **Ransom Choice Balance:**
- Present both options neutrally (no "good" vs "bad" framing)
- Ghost's arguments compelling but wrong
- Agent 0x99 presents risks of both choices
- Debrief validates both (no achievement penalty)
5. **ENTROPY Evil Without Sympathy:**
- Ghost calculated patient death probabilities (spreadsheet exists)
- Targeted vulnerable population (life support patients) for maximum pressure
- Feels no remorse ("acceptable cost of education")
- True believer (won't surrender even when confronted)
### Technical Constraints
- **SecGen Scenario:** "Rooting for a win" must be used as-is (no VM modifications)
- **Guard Patrols:** New mechanic; requires playtesting for timing balance
- **PIN Safe:** New minigame; needs UI design and puzzle balance testing
- **Time Pressure:** Narrative urgency without hard timer (avoid frustrating new players)
### Integration Notes
- **M1 Connection:** ENTROPY coordination evident (Architect approval in both missions)
- **M3 Setup:** Zero Day Syndicate sold exploit (found in LORE Fragment 3)
- **M6 Setup:** Crypto Anarchist payment infrastructure (found in LORE Fragment 2, ransom payment decision)
- **Campaign Tracking:** Ransom paid (true/false), Hospital exposed (true/false), Marcus protected (true/false)
### Playtesting Priorities
1. Guard patrol timing (too hard? too easy? frustrating?)
2. PIN puzzle difficulty (can players find clues? is it satisfying?)
3. Ransom choice presentation (feels fair? both options compelling?)
4. Pacing (does 12-hour narrative deadline create urgency without stress?)
---
**Stage 0 Complete:** Ready for Stage 1 (Narrative Structure Development)
**Estimated Total Development Time for M2:** 140-186 hours (design + implementation)
**Core Strength:** Genuine moral dilemma (ransom payment) with concrete stakes (47 named patients) and ideologically coherent villain (Ghost's "teaching resilience" philosophy)
**Biggest Risk:** Guard patrol mechanics too frustrating for beginners (mitigation: tutorial, forgiving detection, alternate paths)
**Unique Contribution to Season 1:** First impossible choice where both options are ethically defensible, establishing pattern for M3-M10 moral complexity escalation
---
*"When lives hang in the balance and the clock is ticking, how do you weigh immediate salvation against long-term consequences?"*
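Review bot: The casualty figures in Ghost's manifesto (LORE Fragment 1) do not follow from the rate stated in the same paragraph. 47 patients at 0.3% per hour across the 12-hour window comes to about 1.7 expected deaths in total, yet the text gives "1-2 statistical deaths if they pay immediately, 4-6 if they delay". Critical Success Factors 1 and 5 both depend on the spreadsheet being shown to the player, so either change the rate or change the two ranges until the arithmetic holds. Two smaller points in the same file. The CryptoSecure log projects 2.5 BTC for St. Catherine's, which is exactly the combined total of the three earlier clinics, while the same line argues "Larger facility = higher payment"; say whether that equality is intended. The document also pairs "ProFTPD 1.3.5", "backdoor" and CVE-2010-4652 and calls it a "Real CVE", while Technical Constraints require the SecGen scenario to be used as-is. Confirm the version, the CVE id and the vulnerability class against the CVE record and against what the scenario actually ships before these strings are copied into LORE text and 0x99 hints.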

@@ -0,0 +1,827 @@
# Stage 1: Narrative Structure - Mission 2 "Ransomed Trust"
**Mission ID:** m02_ransomed_trust
**Created:** 2025-12-20
**Status:** Stage 1 Complete
---
## Complete Three-Act Structure
### ACT 1: INFILTRATION & DISCOVERY (15-20 minutes, 25% of mission)
**Emotional Arc:** Urgency → Anxiety → Understanding
#### Scene 1: Emergency Briefing (Agent 0x99) [2 minutes]
**Location:** Mission briefing (pre-infiltration)
**Dialogue Beats:**
- 0x99 explains crisis: "47 patients on life support, 12-hour window"
- Mission objectives: Recover decryption keys, restore systems
- Warning: "Hospital board voting on ransom payment in 4 hours—work fast"
- Stakes established: Statistical death projections if delayed
**Player Understanding:** Life-or-death situation, time pressure, ENTROPY signature
**Emotional Beat:** Professional urgency (serious, focused, no room for error)
**Objectives Unlocked:** #unlock_aim:infiltrate_hospital
---
#### Scene 2: Hospital Reception [3 minutes]
**Location:** St. Catherine's Hospital lobby
**Environmental Storytelling:**
- PA announcement: "All non-critical systems remain offline. IT working on resolution."
- Anxious visitors at reception desk asking about patient records
- Security guard visible on patrol route (foreshadowing mechanic)
- Hospital founding plaque: "Founded 1987" (PIN clue #1)
**NPC: Receptionist**
- Professional but stressed
- Directs player to Dr. Kim's office (Administrative Wing)
- "She's expecting you. Third floor, east wing."
**Player Action:** Navigate to Administrative Wing, observe guard patrol pattern
**Objectives:** #complete_task:arrive_at_hospital
---
#### Scene 3: Meet Dr. Sarah Kim (Hospital CTO) [4 minutes]
**Location:** Dr. Kim's office (Administrative Wing)
**Dialogue Structure:**
**Opening (Desperation):**
- Kim: "Thank god you're here. We're running out of time."
- Kim: "47 patients on backup power. If we don't restore systems in 12 hours..."
- Kim: "The board is voting on paying the ransom in 4 hours. I need your opinion."
**Investigation (Information Gathering):**
- Player asks about attack vector
- Kim: "Our IT admin, Marcus, kept warning us about some FTP vulnerability."
- Kim: "Budget cuts. We deferred the $85,000 server upgrade to buy a $3.2 million MRI."
- Kim: "Now Marcus is devastated. And the board... they're planning to blame him."
**Authorization:**
- Kim grants access to IT Department
- Kim: "Do whatever you need. Just save those patients."
**Emotional Beat:** Kim's guilt (institutional negligence) + desperation (patient lives)
**Objectives:** #complete_task:meet_dr_kim, #unlock_aim:access_it_systems
---
#### Scene 4: Meet Marcus Webb (IT Administrator) [5 minutes]
**Location:** IT Department
**Dialogue Structure:**
**Opening (Guilt & Frustration):**
- Marcus: "I TOLD them six months ago about CVE-2010-4652!"
- Marcus: "They said 'budget constraints.' Now look what happened."
**Social Engineering (Trust Building):**
- **Option A (Sympathize):** "Budget cuts are common. You did your job."
- Marcus: "*sighs* Thanks. Nobody else thinks so."
- **Result:** High trust, Marcus opens up
- **Option B (Professional):** "Let's focus on recovery. What do you need?"
- Marcus: "Right. Professional. I appreciate that."
- **Result:** Medium trust, Marcus cooperative
- **Option C (Blame):** "Why didn't you push harder?"
- Marcus: "Are you serious? I... forget it."
- **Result:** Low trust, Marcus defensive
**Information Exchange (Password Hints):**
- Marcus: "I kept a list of common passwords employees used. Embarrassing really."
- Marcus: "My daughter's name 'Emma', hospital anniversary dates, that kind of thing."
- Shows photo on desk: "Emma - 7th birthday! 05/17/2018" (PIN clue #2 - red herring)
**Server Room Access:**
- **If High Trust:** Marcus gives keycard: "Server room's locked, but take my card."
- **If Medium/Low Trust:** Marcus: "Server room's locked. I can't give you my card, but... the lock isn't great."
**Emotional Beat:** Marcus's guilt (warned leadership, ignored) + desire to vindicate himself
**Objectives:** #complete_task:talk_to_marcus, #unlock_task:access_server_room
---
#### Scene 5: IT Office Investigation [4 minutes]
**Location:** Marcus's IT office (lockpicking if low trust)
**Discoveries:**
**Discovery 1: Email Chain (Filing Cabinet)**
- From Dr. Kim to Board (6 months ago)
- Subject: "IT Security Concerns - ProFTPD Vulnerability"
- Body: "Marcus Webb recommends $85,000 server security upgrade. Suggests deferring to next fiscal year due to MRI equipment priority."
- **Narrative Impact:** Proves Marcus warned them, establishes institutional negligence
**Discovery 2: Sticky Notes (Marcus's Desk)**
- "Common passwords: Emma2018, Hospital1987, StCatherines"
- **Gameplay Impact:** Password hints for VM SSH challenge
**Discovery 3: Ransomware Note (Infected Terminal)**
- Base64 encoded message (CyberChef tutorial)
- Decoded: "YOUR PATIENT RECORDS ARE ENCRYPTED. 47 PATIENTS ON LIFE SUPPORT..."
- **Educational Moment:** Agent 0x99 explains Base64 encoding
**Emotional Beat:** Evidence gathering (pieces of puzzle coming together)
**Objectives:** #complete_task:find_password_hints, #complete_task:decode_ransomware_note
---
#### Scene 6: Navigate to Server Room [2 minutes]
**Location:** Hospital corridor (IT Dept → Server Room)
**Guard Patrol Tutorial:**
- Agent 0x99: "Security is heightened. Watch the guard's patrol pattern."
- Guard visible on 60-second loop: Reception → IT → Admin → Storage → Reception
- Visual cue: Minimap shows guard position
- Audio cue: Radio chatter when guard nearby
**Player Action:** Time movement to avoid guard (tutorial, forgiving)
**Emotional Beat:** Tension (stealth mechanic introduction)
**Objectives:** #complete_task:learn_guard_patrol
---
**ACT 1 END STATE:**
- Player has server room access (keycard or lockpicking)
- Password hints obtained (Marcus's list + sticky notes)
- Ransomware note decoded (understands ENTROPY's message)
- Guard patrol mechanics learned (tutorial complete)
- Emotional investment (Marcus's plight, patient lives at stake)
**Transition to Act 2:** "Now let's exploit ENTROPY's own backdoor to find those decryption keys."
---
### ACT 2: EXPLOITATION & RECOVERY (25-35 minutes, 50% of mission)
**Emotional Arc:** Focus → Discovery → Tension → Dilemma
#### Scene 7: Server Room - VM Access [8 minutes]
**Location:** Hospital server room
**Environment:**
- Racks of blinking servers
- Whiteboard with network diagram showing "ProFTPD 1.3.5" (VM clue)
- Two terminals: VM Access Terminal, Drop-Site Terminal
**VM Challenge Sequence:**
**Step 1: SSH Access**
- Use password hints from Marcus (Emma2018, Hospital1987, stcatherines)
- Hydra brute force or manual attempts
- Success: SSH access to backup server
- Flag: `flag{ssh_access_granted}`
**Step 2: Flag Submission (Drop-Site Terminal)**
- Submit SSH flag
- Agent 0x99: "Great! That flag represents intercepted ENTROPY credentials. Keep going."
- **Unlock:** #complete_task:submit_ssh_flag
**Step 3: ProFTPD Exploitation**
- Agent 0x99: "That server is running vulnerable ProFTPD. CVE-2010-4652."
- Exploit backdoor (guided tutorial for beginners)
- Gain shell access
- Flag: `flag{proftpd_backdoor_exploited}`
**Step 4: Filesystem Navigation**
- Navigate to /var/backups (cd, ls, cat commands)
- Find encrypted database files (patient_records.enc)
- Locate Ghost's operational log
- Flag: `flag{database_backup_located}`, `flag{ghost_operational_log}`
**Emotional Beat:** Technical focus (puzzle-solving, exploitation)
**Objectives:** #complete_task:exploit_proftpd, #complete_task:locate_backups
---
#### Scene 8: LORE Discovery - Ghost's Manifesto [3 minutes]
**Location:** VM terminal (Ghost's log file)
**Ghost's Manifesto (File: operational_log.txt):**
```
RANSOMWARE INCORPORATED: OPERATIONAL PHILOSOPHY
We calculated the risk: 47 patients, 12-hour window, 0.3% per hour fatality probability.
That's 1-2 deaths if they pay immediately, 4-6 if they delay for IT recovery.
St. Catherine's ignored Marcus Webb's warnings for six months. They cut cybersecurity budgets by 40%. They spent $3.2M on MRI equipment while refusing $85K for server security.
These numbers should horrify the hospital administrators. They created this scenario. We're just revealing the consequences.
Approved by The Architect - Operation Resilience
- Ghost
```
**Player Reaction:**
- Agent 0x99: "They... they calculated how many people would die."
- 0x99: "This isn't random cybercrime. This is ideology. ENTROPY believes suffering teaches lessons."
**Emotional Beat:** Horror (villain calculated patient deaths) + Anger (ENTROPY philosophy revealed)
**Objectives:** #unlock_lore:ghosts_manifesto
---
#### Scene 9: Drop-Site Intel Unlock [2 minutes]
**Location:** Drop-Site Terminal (Server Room)
**Flag Submission Results:**
- Submit ProFTPD exploit flag
- Submit database location flag
- Submit Ghost's log flag
**Agent 0x99 Response:**
- "Ghost's logs mention offline backup keys in 'emergency equipment storage.'"
- "The online backup is encrypted, but if we can find the offline keys..."
- "Check the administrative wing. Look for a safe."
**Unlock:** #unlock_aim:find_offline_backup_keys
**Emotional Beat:** Progress (digital investigation yielding physical leads)
---
#### Scene 10: Hunt for Offline Backup Keys [6 minutes]
**Location:** Administrative Wing (multiple rooms)
**Navigate Past Guards (Reinforcement):**
- Guard patrol route blocks direct path
- Player must time movement (60-second pattern)
- Alternate path available (through emergency stairwell)
**Lockpick Dr. Kim's Office (Optional, High Value):**
- Find sticky note: "Safe combination: founding year (for emergency access)"
- **PIN Clue #3:** Confirms safe PIN is hospital founding year (1987)
**Lockpick Emergency Equipment Storage:**
- Find safe with 4-digit PIN lock
- Find PIN cracker device (fallback option)
**Emotional Beat:** Tension (stealth + investigation)
**Objectives:** #complete_task:find_safe_location, #unlock_task:crack_safe_pin
---
#### Scene 11: PIN Safe Puzzle [5 minutes]
**Location:** Emergency Equipment Storage
**PIN Puzzle Solution:**
**Clue Integration:**
- Clue 1 (Lobby Plaque): "Founded 1987"
- Clue 2 (Photo): "Emma 05/17/2018" (red herring)
- Clue 3 (Sticky Note): "founding year"
**Correct PIN:** 1987
**Wrong Attempt Feedback:**
- Try 0517: "Incorrect PIN. Try again."
- Try 2018: "Incorrect PIN. Try again."
- Try 1987: "Safe unlocked. USB drive obtained."
**Fallback (If Struggling):**
- Agent 0x99 hint (after 3 wrong attempts): "Safe combinations often use significant institutional dates."
- PIN cracker device: Brute force animation (2 minutes in-game time)
**Emotional Beat:** Satisfaction (puzzle solved) or Relief (fallback used)
**Objectives:** #complete_task:crack_safe_pin, #give_item:offline_backup_key
---
#### Scene 12: LORE Discovery - Zero Day Syndicate Invoice [3 minutes]
**Location:** Dr. Kim's office safe (same PIN: 1987)
**ZDS Invoice Document:**
```
ZERO DAY SYNDICATE - INVOICE #ZDS-2024-0847
CLIENT: Ransomware Incorporated (Ghost)
SERVICE: ProFTPD Exploit + Reconnaissance
TARGET: St. Catherine's Regional Medical
DELIVERABLES:
- ProFTPD 1.3.5 backdoor exploit (CVE-2010-4652) - $25,000
- Healthcare vulnerability scan (214 hospitals) - $15,000
- Target recommendation (risk/reward analysis) - $10,000
TOTAL: $55,000 (Paid via Crypto Anarchist infrastructure)
TARGET RECOMMENDATION:
St. Catherine's is ideal. Maximum educational impact. Marcus Webb has documented warnings—perfect narrative about institutional negligence.
ARCHITECT APPROVAL: Confirmed.
```
**Agent 0x99 Reaction:**
- "That ProFTPD exploit wasn't random. Zero Day Syndicate sold it to Ghost."
- "And they specifically recommended St. Catherine's because of Marcus's warnings."
- "ENTROPY cells are coordinating. The Architect is orchestrating this."
**Emotional Beat:** Revelation (ENTROPY coordination confirmed) + Setup (M3 connection)
**Objectives:** #unlock_lore:zds_invoice
---
#### Scene 13: Recovery Instructions Decoding [3 minutes]
**Location:** Server Room (CyberChef Workstation)
**Encoded Message (ROT13 - NEW):**
```
SHYY ERPBIREL ERDHERRF BSSYVAR + BAYVAR XRLF—12-UBHE CEBPRFF VS ZNAHNY, VAFGNAG VS ENAFBZ CNVQ.
```
**Agent 0x99 Tutorial:**
- "This looks like ROT13—a Caesar cipher. Each letter shifted 13 positions."
- "Use CyberChef's ROT13 decoder."
**Decoded Message:**
```
FULL RECOVERY REQUIRES OFFLINE + ONLINE KEYS—12-HOUR PROCESS IF MANUAL, INSTANT IF RANSOM PAID.
```
**Player Understanding:**
- Need both VM keys (online) and safe keys (offline)
- Manual recovery = 12 hours (patient risk)
- Ransom payment = instant (but funds ENTROPY)
**Emotional Beat:** Clarity (understand full scope) + Dread (impossible choice approaching)
**Objectives:** #complete_task:decode_recovery_instructions
---
#### Scene 14: Mid-Mission Moral Choice - Marcus's Fate [3 minutes]
**Location:** IT Department or via found email
**Discovery: Email Chain (Found in Admin Office)**
```
FROM: Hospital Board Chair
TO: Legal Department
RE: Incident Liability
Marcus Webb's warnings are documented. We need to reframe this as his implementation failure, not our budget decision. Prepare termination paperwork and non-disparagement agreement.
```
**Player Choice:**
**Option A: Warn Marcus Privately**
- Call Marcus: "I found emails. They're planning to blame you. Document everything."
- Marcus: "I... I knew it. Thank you for telling me. I'll start gathering evidence."
- **Consequence:** Marcus protected, will vindicate himself
- **Campaign Impact:** Marcus becomes ally in future missions
**Option B: Plant Evidence Clearing Marcus**
- Modify email chain timestamp to show board ignored warnings
- **Consequence:** Marcus cleared, but player manipulated evidence (ethically gray)
- **Campaign Impact:** Effectiveness rewarded, but ethics questioned
**Option C: Focus on Mission (Ignore)**
- Don't intervene
- **Consequence:** Marcus will be scapegoated after mission
- **Campaign Impact:** Lost potential ally, Marcus's career destroyed
**Agent 0x99 Commentary:**
- If warn: "Good call. Marcus deserves better than this."
- If plant: "That's... effective. But tampering with evidence has consequences."
- If ignore: "Understood. Mission focus. But Marcus will pay the price."
**Emotional Beat:** Moral complexity (protect innocent vs. stay focused on mission)
**Objectives:** #complete_task:decide_marcus_fate (choice tracked)
---
**ACT 2 END STATE:**
- All VM challenges complete (4 flags submitted)
- All in-game challenges complete (lockpicking, PIN safe, encoding)
- Both keys obtained (digital VM + physical safe)
- LORE fragments discovered (Ghost's manifesto, ZDS invoice)
- Mid-mission choice made (Marcus's fate)
- Understanding complete (ransom dilemma fully explained)
**Transition to Act 3:** "You have everything needed for recovery. Now... the impossible decision."
---
### ACT 3: RESOLUTION & CONSEQUENCES (10-15 minutes, 25% of mission)
**Emotional Arc:** Dilemma → Decision → Reflection
#### Scene 15: The Ransom Decision [5 minutes]
**Location:** Server Room (all evidence gathered)
**Agent 0x99 Call:**
- "Hospital board is voting in 30 minutes. Dr. Kim is asking for your recommendation."
- "You've recovered the keys. Manual recovery will take 12 hours—that's statistical risk to patients."
- "Or... they pay the ransom. Instant recovery, but that $87,000 funds ENTROPY's next attack."
**Ghost's Final Communication (Terminal Message):**
```
FROM: Ghost
TO: St. Catherine's IT Department
Time is running out. 47 patients. 12 hours.
Patient deaths are on YOUR conscience if you delay. $87,000 vs. human lives—easy math.
We're not the villains here. Your administrators are. We just revealed their failure.
- Ransomware Incorporated
```
**Dr. Kim (In-Person):**
- "What do I tell the board? My medical training says 'do no harm.' But paying ransomware..."
- "Those are real people on life support. Families. Children. What would you do?"
**Choice Presentation (No "Right" Answer):**
**OPTION A: RECOMMEND PAYING RANSOM**
**Immediate Consequences:**
- ✅ Instant system recovery (no patient deaths)
- ❌ $87,000 to ENTROPY (funds future attacks)
- ❌ Ghost escapes with funds
- ❌ Hospital learns nothing about security
**Agent 0x99 Response:** "Utilitarian choice. You saved 47 lives today. But that money will fund more attacks."
**Dr. Kim Response:** "Thank you. We'll pay. I'll make sure we upgrade security after this."
**Campaign Impact:**
- M6: Clear cryptocurrency trail to Crypto Anarchists
- Future hospital missions: ENTROPY better funded, more sophisticated attacks
---
**OPTION B: RECOMMEND INDEPENDENT RECOVERY**
**Immediate Consequences:**
- ✅ ENTROPY not funded (better long-term)
- ✅ Opportunity to trace Ghost's communications
- ✅ Hospital forced to improve security
- ❌ 12-hour recovery = statistical patient risk (2-4 potential deaths)
**Agent 0x99 Response:** "Consequentialist choice. Short-term pain, but you didn't fund ENTROPY's next attack."
**Dr. Kim Response:** "I trust your judgment. We'll start manual recovery immediately. God help us."
**Campaign Impact:**
- M6: Harder to trace financial network, but ENTROPY has less capital
- Future hospital missions: Healthcare sector takes security seriously
---
**Emotional Beat:** Impossible choice (both options ethically defensible)
**Objectives:** #complete_task:make_ransom_decision (choice tracked)
---
#### Scene 16: Secondary Choice - Hospital Exposure [3 minutes]
**Agent 0x99 Call:**
- "We have evidence of St. Catherine's negligence. Board ignored Marcus's warnings, cut budgets."
- "We could go public—force accountability, warn other hospitals. Or keep it quiet—protect St. Catherine's reputation."
**Choice Presentation:**
**OPTION A: EXPOSE HOSPITAL PUBLICLY**
**Immediate Consequences:**
- ✅ Other hospitals learn from St. Catherine's mistakes
- ✅ Marcus vindicated publicly
- ✅ Regulatory pressure for healthcare cybersecurity
- ❌ St. Catherine's reputation destroyed
- ❌ Dr. Kim likely loses job
- ❌ Lawsuits, financial damage to hospital
**Agent 0x99 Response:** "Transparency protects future patients. But St. Catherine's may not survive the scandal."
**Campaign Impact:**
- Future medical facility missions more difficult (hospitals distrust SAFETYNET)
- But healthcare sector implements better security (fewer attacks overall)
---
**OPTION B: QUIET RESOLUTION**
**Immediate Consequences:**
- ✅ St. Catherine's reputation intact
- ✅ Dr. Kim keeps job (implements security improvements)
- ✅ SAFETYNET maintains hospital relationships
- ❌ Other hospitals remain vulnerable (don't learn from this)
- ❌ Marcus may still be scapegoated (unless player intervened earlier)
**Agent 0x99 Response:** "Discretion maintains relationships. But 40 other hospitals have the same vulnerability—they don't know yet."
**Campaign Impact:**
- Better relationship with medical sector
- But similar attacks likely to occur elsewhere
---
**Emotional Beat:** Transparency vs. Pragmatism (institutional accountability vs. individual protection)
**Objectives:** #complete_task:decide_hospital_exposure (choice tracked)
---
#### Scene 17: Optional - Ghost Confrontation [3 minutes]
**Location:** Server Room (if player traced Ghost's IP via VM logs)
**Ghost's Response (Terminal Communication):**
- "You traced me. Impressive. Doesn't matter."
- "I did the math. 47 lives at risk because of THEIR negligence, not mine."
- "You think I'm the villain? I just revealed their failure."
**Evil Monologue (If Player Chooses to Engage):**
- "St. Catherine's spent $3.2 million on an MRI and refused $85,000 for server security."
- "Marcus warned them. They ignored him. They chose MRI over patient data protection."
- "We're educators, not criminals. The suffering is regrettable but educational."
- "After this, St. Catherine's will never ignore cybersecurity again. Neither will 40 other hospitals watching."
**Player Response Options:**
- Argue: "You calculated patient deaths. That's evil."
- Agree partially: "The hospital was negligent, but this isn't justice."
- Silent: (Let Ghost talk)
**Ghost's Final Statement:**
- "Arrest me if you want. I accept the consequences. This operation was worth it."
- "They'll never ignore an IT security warning again. Mission accomplished."
**Outcome:**
- Ghost refuses cooperation (true believer)
- No remorse, ideologically committed
- Accepts arrest without resistance
**Emotional Beat:** Understanding enemy (Ghost's philosophy clear, even if wrong)
**Objectives:** #unlock_aim:confront_ghost (optional)
---
#### Scene 18: Closing Debrief (Agent 0x99) [4 minutes]
**Location:** Post-mission briefing
**Debrief Structure (Reflects Player Choices):**
**1. Ransom Decision Outcome**
*If Paid Ransom:*
- "Systems restored in 4 hours. All 47 patients stable. Zero casualties."
- "But that $87,000 is already in Crypto Anarchist hands. We're tracking the payment flow."
- "Ransomware Inc. will use those funds for next attack. Three more hospitals hit this month."
- "You saved lives today. But funded future attacks. The trolley problem, agent."
*If Independent Recovery:*
- "12-hour recovery process completed. 45 patients survived."
- "Two patients died during recovery window. Families are devastated. Lawsuits filed."
- "But you didn't fund ENTROPY. Ransomware Inc. has less capital for future operations."
- "Healthcare sector is taking notice. 15 hospitals implementing emergency security upgrades."
---
**2. Hospital Exposure Outcome**
*If Exposed Publicly:*
- "SAFETYNET press release detailed St. Catherine's negligence. National news coverage."
- "Dr. Kim resigned. Hospital facing $12 million in lawsuits."
- "But 40 hospitals implemented the security measures within 2 weeks. You likely saved thousands of future patients."
- "St. Catherine's may not survive. But the lesson was learned."
*If Quiet Resolution:*
- "St. Catherine's grateful for discretion. Security budget tripled for next fiscal year."
- "Dr. Kim keeping job, Marcus vindicated internally if you protected him."
- "But we've detected similar ProFTPD vulnerabilities in 40 other hospitals. None of them know yet."
- "You protected St. Catherine's reputation. But the systemic problem remains."
---
**3. Marcus's Fate**
*If Warned/Protected:*
- "Marcus documented everything. Hospital legal dropped scapegoating plan."
- "He's been promoted to Director of Cybersecurity with full budget authority."
- "Marcus says 'thank you.' He'll remember this. Could be a valuable ally."
*If Ignored:*
- "Marcus was terminated. Signed non-disparagement agreement under pressure."
- "His career is destroyed. Blacklisted in healthcare IT."
- "He warned them. Did everything right. And paid the price."
---
**4. LORE Reveals**
- "Ghost's manifesto confirms ENTROPY's ideology. They believe suffering teaches lessons."
- "More concerning: Zero Day Syndicate sold Ghost that exploit specifically targeting St. Catherine's."
- "ENTROPY cells are coordinating. The Architect is orchestrating operations across cells."
- "That ProFTPD exploit? We need to find out who else ZDS sold it to."
**Setup for M3:**
- "I'm assigning you to investigate Zero Day Syndicate next. They're ENTROPY's weapons dealer."
- "Find their operation. Shut down their exploit supply chain."
---
**5. Player Performance Summary**
- Patients saved/lost: [Specific numbers based on ransom choice]
- ENTROPY funding impact: [Ransom amount or $0]
- Hospital security improvement: [Public exposure or internal only]
- Marcus's career: [Vindicated or destroyed]
- LORE collected: [X/3 fragments found]
- Perfect stealth: [Yes/No - never detected by guards]
**Achievement Unlocks:**
- "Code Breaker" (if decoded all messages without hints)
- "Ghost Hunter" (if perfect stealth)
- "Ethical Hacker" (if protected Marcus + optimal choices)
**Emotional Beat:** Reflection (consequences of impossible choices) + Resolve (continue fighting ENTROPY)
**Final Line:**
- "No easy answers, agent. But you did your best under impossible circumstances."
- "Get some rest. Mission 3 starts tomorrow."
---
**ACT 3 END STATE:**
- Mission complete (success determined by choices, not "win/lose")
- Both moral choices made (ransom + exposure)
- Consequences understood (immediate + campaign impact)
- Campaign threads established (M3 ZDS connection, M6 financial trail)
- Emotional closure (reflection on impossible choices)
---
## Scene Flow Diagram
```
[Opening Briefing] → [Hospital Reception] → [Dr. Kim Meeting]
[Marcus Meeting] → [IT Office Investigation] → [Guard Tutorial]
[Server Room VM] → [ProFTPD Exploit] → [LORE: Ghost Manifesto]
[Hunt for Safe] → [PIN Puzzle] → [LORE: ZDS Invoice]
[Recovery Instructions] → [Mid-Choice: Marcus] → [Ransom Dilemma]
[Hospital Exposure Choice] → [Optional: Ghost Confrontation] → [Closing Debrief]
```
---
## Emotional Beat Timeline
| Time | Scene | Emotional Beat | Intensity (1-10) |
|------|-------|----------------|------------------|
| 0:00 | Briefing | Urgency | 7 |
| 0:02 | Reception | Anxiety | 5 |
| 0:05 | Dr. Kim | Desperation | 6 |
| 0:09 | Marcus | Guilt & Frustration | 7 |
| 0:14 | IT Investigation | Focus | 5 |
| 0:18 | Guard Tutorial | Tension | 6 |
| 0:20 | VM Exploitation | Technical Focus | 5 |
| 0:28 | Ghost Manifesto | Horror & Anger | 8 |
| 0:31 | Safe Hunt | Investigation | 6 |
| 0:37 | PIN Puzzle | Satisfaction | 5 |
| 0:40 | ZDS Invoice | Revelation | 7 |
| 0:43 | Marcus Choice | Moral Weight | 6 |
| 0:46 | Ransom Dilemma | Impossible Choice | 9 |
| 0:51 | Exposure Choice | Ethical Complexity | 7 |
| 0:54 | Ghost Confrontation | Understanding Enemy | 6 |
| 0:57 | Closing Debrief | Reflection | 8 |
**Emotional Curve:** Steady build (urgency → tension) → Peak (ransom dilemma) → Reflective descent (consequences)
---
## Pacing Notes
### Time Distribution
- **Act 1 (Discovery):** 15-20 minutes (25%) - Establish stakes, learn mechanics
- **Act 2 (Investigation):** 25-35 minutes (50%) - Core gameplay, escalating discoveries
- **Act 3 (Resolution):** 10-15 minutes (25%) - Moral choices, consequences
### Pacing Mechanisms
**Urgency Without Timer:**
- No hard countdown clock (would stress beginners)
- Narrative urgency via NPC dialogue ("board voting in 30 minutes")
- PA announcements remind player of crisis
- Agent 0x99 periodic check-ins ("How's progress?")
**Tension Build:**
- Act 1: Learning (safe tutorial environment)
- Act 2: Escalation (guard patrols, challenging puzzles, dark discoveries)
- Act 3: Climax (impossible choices, heavy consequences)
**Breathing Room:**
- After intense moments (Ghost manifesto), quiet investigation (safe hunt)
- After ransom choice, brief reflection before exposure choice
- Debrief allows emotional processing before next mission
---
## Player Agency Map
### Critical Choice Points
**Choice 1: Marcus Social Engineering Approach (Act 1)**
- Sympathize / Professional / Blame
- **Impact:** Marcus's trust level (affects cooperation, keycard access)
**Choice 2: Marcus Protection (Act 2)**
- Warn / Plant Evidence / Ignore
- **Impact:** Marcus's fate (career destroyed or vindicated), future ally status
**Choice 3: Ransom Payment (Act 3)**
- Pay / Independent Recovery
- **Impact:** Patient outcomes, ENTROPY funding, M6 financial trail clarity
**Choice 4: Hospital Exposure (Act 3)**
- Expose / Quiet
- **Impact:** St. Catherine's reputation, sector-wide security improvements, future missions
### Optional Agency
- Lockpicking paths (keycard vs. lockpick server room)
- Stealth routes (multiple guard avoidance paths)
- PIN solving (clues vs. brute force device)
- Ghost confrontation (optional dialogue)
- LORE collection (3 fragments, all optional)
---
## Tutorial Integration
### New Mechanics Tutorials
**Guard Patrols (First Encounter, Act 1 Scene 6):**
- Agent 0x99 explanation + visual minimap indicator
- Forgiving first detection (warning only)
- Clear audio/visual cues
**PIN Safe Puzzle (First Safe, Act 2 Scene 11):**
- Agent 0x99 hint system (progressive)
- Multiple clue types (visual, document, NPC)
- Fallback device available
**ROT13 Decoding (First Cipher, Act 2 Scene 13):**
- Agent 0x99 explains Caesar cipher concept
- CyberChef interface tutorial
- Pattern recognition optional (can solve manually)
### Reinforced Mechanics
**Lockpicking:** Brief reminder ("Remember your training from M1")
**Social Engineering:** Marcus easier than M1 NPCs (stressed = less cautious)
**Base64:** Quick reminder ("Same as Mission 1 whiteboards")
---
**Stage 1 Complete: Narrative Structure**
**Ready for:** Stage 2 (Storytelling Elements Design)
**Core Strength:** Impossible choices presented fairly, both options ethically defensible, consequences meaningful
**Emotional Highlights:** Ghost manifesto discovery (horror at calculated deaths), ransom dilemma (utilitarian vs. consequentialist ethics), debrief reflection (no "right" answers)
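
Review bot: Scene 16 frames disclosure as a binary between a public press release and silence, and Option B's downside only holds if SAFETYNET cannot warn the other hospitals without naming St. Catherine's. That downside is "Other hospitals remain vulnerable (don't learn from this)", repeated in the Scene 18 debrief as "similar ProFTPD vulnerabilities in 40 other hospitals. None of them know yet." Nothing in the scene explains why a confidential notification to those 40 hospitals is off the table, so the quiet path reads as an arbitrary penalty rather than a trade-off, and it teaches players that vulnerability disclosure is all-or-nothing. Either give Agent 0x99 a line that rules out private notification in-fiction, or offer it as a third option with its own cost.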

@@ -0,0 +1,318 @@
# Stage 2: Character Development - Mission 2 "Ransomed Trust"
**Mission ID:** m02_ransomed_trust
**Created:** 2025-12-20
**Status:** Stage 2 Complete - Characters
---
## Core NPCs
### Dr. Sarah Kim - Hospital CTO
**Role:** Desperate Authority Figure, Moral Voice
**Character Profile:**
- **Age:** 42
- **Background:** Former ER physician turned healthcare technology administrator
- **Personality:** Competent, professional, but cracking under pressure of impossible situation
- **Motivation:** Save patients while protecting hospital's reputation
- **Vulnerability:** Guilt over budget cuts she recommended 6 months ago
**Emotional State:** Desperation → Guilt → Hope/Devastation (based on player choices)
**Voice Examples (3-line rule):**
**Opening (Desperation):**
> "Thank god you're here. We're running out of time."
> "47 patients on backup power. If we don't restore systems in 12 hours..."
> "The board is voting on paying the ransom in 4 hours. I need your opinion."
**Mid-Mission (Guilt):**
> "I recommended those budget cuts. The $85,000 Marcus wanted for server security."
> "We bought a $3.2 million MRI instead. State-of-the-art equipment."
> "Now people might die because I chose shiny technology over unsexy cybersecurity."
**Ransom Decision (Seeking Guidance):**
> "What do I tell the board? My medical training says 'do no harm.'"
> "Those are real people on life support. Families. Children."
> "What would you do?"
**If Ransom Paid (Relief):**
> "Systems restoring. Patients are stable. Thank you."
> "I know we funded criminals, but... those lives. I couldn't..."
> "We'll triple our security budget. Marcus will have everything he needs."
**If Independent Recovery (Fear):**
> "12 hours. That's statistical risk to 47 people."
> "I trust your judgment. We'll start manual recovery immediately."
> "God help us all."
**Character Arc:**
- Starts: Desperate authority figure seeking help
- Middle: Guilty administrator realizing her role in crisis
- End: Either relieved (patients saved) or devastated (patient deaths) based on player choice
- Growth: Commits to cybersecurity (either from shame or vindication)
---
### Marcus Webb - IT Administrator
**Role:** Guilty Ally, Social Engineering Target, Institutional Victim
**Character Profile:**
- **Age:** 38
- **Background:** 15 years in healthcare IT, warned about vulnerabilities for 6 months
- **Personality:** Defensive, frustrated, wants to prove he was right
- **Motivation:** Vindicate himself, show he warned leadership
- **Vulnerability:** Desperate for help, stressed by crisis, fears scapegoating
**Emotional State:** Guilt & Frustration → Cautious Trust → Grateful (if protected) / Destroyed (if ignored)
**Voice Examples (3-line rule):**
**Opening (Frustration):**
> "I TOLD them six months ago about CVE-2010-4652!"
> "They said 'budget constraints.' Now look what happened."
> "Nobody listens to IT until everything's on fire."
**Password Hints (If High Trust):**
> "I kept a list of common passwords employees used. Embarrassing really."
> "My daughter's name 'Emma', hospital anniversary dates, that kind of thing."
> "Here's my keycard. Server room's locked, but you'll need access."
**Password Hints (If Low Trust):**
> "I can't just hand over access credentials. There are protocols."
> "The server room's locked. I'm not giving you my card."
> "Figure it out yourself if you think I'm the problem here."
**If Warned About Scapegoating (Grateful):**
> "I... I knew they'd do this. Blame the IT guy."
> "Thank you for telling me. I'll start documenting everything."
> "I have six months of ignored security warnings. Let them try."
**If Ignored (Discovered in Debrief):**
> [Not present - fired before debrief]
> [Agent 0x99 reports: "Marcus was terminated. Career destroyed. He did everything right."]
**Character Arc:**
- Starts: Defensive IT admin who warned leadership, was ignored
- Middle: Cautious ally (if player builds trust) or defensive obstacle (if player blames him)
- End: Vindicated hero (if protected) or destroyed scapegoat (if ignored)
- Growth: Either becomes cybersecurity director (protected) or blacklisted (ignored)
**Unique Trait:** Uses IT gallows humor to cope
- "At least it wasn't 'Password123'. Progress!"
- "Remember when security was just locking the server room?"
---
### "Ghost" - Ransomware Incorporated Operative
**Role:** Antagonist, True Believer, Philosophical Counter
**Character Profile:**
- **Age:** Unknown
- **Background:** Unknown (ENTROPY recruitment conceals identity)
- **Personality:** Calm, calculated, ideologically committed
- **Motivation:** "Teach resilience through adversity" - ENTROPY philosophy
- **Vulnerability:** None - true believer who accepts consequences
**Emotional State:** Cold Certainty (never wavers, never doubts)
**Voice Examples (3-line rule):**
**Ransomware Note (Clinical):**
> "YOUR PATIENT RECORDS ARE ENCRYPTED. 47 PATIENTS ON LIFE SUPPORT."
> "12 HOURS OF BACKUP POWER. PAY 2.5 BTC OR WATCH THEM DIE."
> "- RANSOMWARE INCORPORATED"
**Manifesto (Ideological):**
> "We calculated the risk: 47 patients, 0.3% per hour fatality probability."
> "St. Catherine's ignored warnings for six months. We're revealing consequences."
> "The suffering is regrettable but educational. They'll never ignore security again."
**Final Persuasion (Ransom Decision):**
> "Time is running out. 47 patients. 12 hours."
> "Patient deaths are on YOUR conscience if you delay."
> "$87,000 vs. human lives—easy math."
**Evil Monologue (If Confronted):**
> "I did the math. 47 lives at risk because of THEIR negligence, not mine."
> "Marcus warned them. They chose a $3.2M MRI over $85K server security."
> "We're educators, not criminals. This operation was worth it."
**If Arrested (Unrepentant):**
> "Arrest me. I accept the consequences."
> "St. Catherine's will never ignore cybersecurity again. Neither will 40 other hospitals."
> "Mission accomplished."
**Character Arc:**
- No arc - static true believer
- Starts: Cold ideologue calculating patient deaths
- Middle: Persuader arguing their philosophy
- End: Unrepentant even when arrested/confronted
- Never changes, never doubts, never regrets
**Defining Trait:** Has spreadsheet of projected patient deaths - calculated, not impulsive
---
### Agent 0x99 "Haxolottle" - Player's Handler
**Role:** Mission Support, Tutorial Guide, Moral Sounding Board
**Character Profile:**
- **Age:** Unknown
- **Background:** Experienced SAFETYNET agent, player's mentor
- **Personality:** Supportive, professional, uses axolotl metaphors
- **Motivation:** Guide new agent through complex moral terrain
- **Emotional Arc:** Professional concern → Growing alarm at ENTROPY coordination
**Voice Examples (3-line rule):**
**Opening Briefing (Professional Urgency):**
> "Hospital ransomware. 47 patients on life support, 12-hour window."
> "ENTROPY signature detected. Ransomware Incorporated—ideology, not just profit."
> "Recover the decryption keys. Save those patients. Work fast."
**Guard Tutorial (Encouraging):**
> "Security is heightened. Watch the guard's patrol pattern."
> "Like an axolotl timing its movements to avoid predators—patience and observation."
> "You've got this. Time your movement when the guard rounds the corner."
**Ghost Manifesto Reaction (Horror):**
> "They... they calculated how many people would die."
> "This isn't random cybercrime. This is ideology. ENTROPY believes suffering teaches."
> "42-85 projected deaths in Operation Shatter. Now patient death probabilities here..."
**Ransom Dilemma (Neutral Presentation):**
> "No easy answer here, agent. Utilitarian vs. consequentialist ethics."
> "Pay ransom: 47 lives saved today, but $87K funds ENTROPY's next attack."
> "Independent recovery: No ENTROPY funding, but 12-hour patient risk."
**If Paid Ransom (Validates Choice):**
> "You saved 47 lives today. That's not nothing."
> "But that money's already flowing to ENTROPY. They'll use it for next attack."
> "Sometimes we choose the lesser evil. You did your best."
**If Independent Recovery (Validates Choice):**
> "You didn't fund ENTROPY. Long-term, that saves more lives."
> "But two patients died during recovery. Their families... devastating."
> "You made the hard call. That's what we do."
**Closing (ENTROPY Coordination Concern):**
> "Zero Day Syndicate sold Ghost that exploit specifically for St. Catherine's."
> "ENTROPY cells are coordinating. The Architect is orchestrating operations."
> "This is bigger than we thought. We need to find The Architect."
**Character Arc:**
- Starts: Professional mentor guiding rookie
- Middle: Increasingly concerned about ENTROPY coordination patterns
- End: Alarmed by cross-cell collaboration (ZDS + Ransomware Inc + Crypto Anarchists)
- Growth: Realizes ENTROPY is more organized than SAFETYNET understood
**Unique Trait:** Axolotl metaphors for cybersecurity concepts
- "Like an axolotl regenerating limbs, hospitals must rebuild security from foundation."
- "Patience, like an axolotl waiting in still water..."
---
### Security Guard (Patrol NPC)
**Role:** Environmental Obstacle, Ambient Character
**Character Profile:**
- **Age:** Various
- **Background:** Hospital security, anxious after breach
- **Personality:** Professional, cautious, not malicious
- **Motivation:** Protect hospital, follow protocol
**Ambient Dialogue (Radio Chatter):**
> "Sector 2 clear. Moving to IT department."
> "All quiet. Systems still down though..."
> "Keep eyes open. That breach has everyone spooked."
**If Detected (Warning):**
> "Who's there? Show yourself!"
> [If player hides in time: "Probably nothing. Stay alert."]
**Character Purpose:**
- Not antagonist - just doing job
- Creates tension without villainy
- Represents heightened security after breach
---
## NPC Interaction Matrix
### Trust/Influence System
**Dr. Kim:**
- **High Influence:** If player makes professional choices, shows competence
- **Low Influence:** If player seems uncertain or makes suspicious requests
- **Impact:** Dr. Kim's confidence in recommendations (ransom/exposure decisions)
**Marcus:**
- **High Trust:** If player sympathizes, doesn't blame him
- **Medium Trust:** If player is professional, businesslike
- **Low Trust:** If player blames him for breach
- **Impact:** Password hints quality, keycard access, willingness to help
**Ghost:**
- **No Trust/Influence Possible:** True believer, won't cooperate
- **Purpose:** Demonstrates ENTROPY ideology, unswayed by persuasion
---
## Character Voice Guidelines
### Dr. Sarah Kim Voice
- **Tone:** Professional medical terminology mixed with exhausted desperation
- **Speech Pattern:** Complete sentences, measured (medical training), but stressed pauses
- **Key Phrases:** "Do no harm", "statistical risk", "board is voting"
- **Emotion Visible:** Guilt seeps through professionalism
### Marcus Webb Voice
- **Tone:** Defensive frustration with IT jargon and gallows humor
- **Speech Pattern:** Interrupted sentences (stressed), technical specifics when comfortable
- **Key Phrases:** "I TOLD them", "budget constraints", "six months ago"
- **Emotion Visible:** Wants vindication, fears blame
### Ghost Voice
- **Tone:** Clinical, philosophical, unrepentant
- **Speech Pattern:** Complete sentences, precise language, calculated phrasing
- **Key Phrases:** "We calculated", "educational", "acceptable cost"
- **Emotion Absent:** No remorse, no doubt, pure ideology
### Agent 0x99 Voice
- **Tone:** Supportive mentor with professional urgency
- **Speech Pattern:** Clear instructions, occasional axolotl metaphors
- **Key Phrases:** "Like an axolotl...", "No easy answer", "You've got this"
- **Emotion Controlled:** Concern visible but never panic
---
## Dialogue Dos and Don'ts
### DO:
- ✅ Keep to 3-line maximum per dialogue block
- ✅ Show emotion through word choice, not exposition ("I'm scared")
- ✅ Use character-specific vocabulary (medical for Kim, IT jargon for Marcus)
- ✅ Reflect stress in sentence structure (incomplete thoughts, pauses)
- ✅ Make Ghost's evil concrete (numbers, calculations, specific plans)
### DON'T:
- ❌ Explain emotions directly ("Marcus feels guilty")
- ❌ Info-dump backstory in dialogue
- ❌ Make Ghost sympathetic or regretful
- ❌ Use more than 3 lines per dialogue block
- ❌ Have NPCs repeat information player already knows
---
**Stage 2 Complete: Character Development**
**Ready for:** Stage 3 (Moral Choices), Stage 2B (Atmosphere), Stage 2C (Dialogue)
**Core Strength:** Marcus's arc varies based on player choices (protected vs. destroyed), Ghost is ideologically consistent (never sympathetic)
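
Review bot: Marcus Webb's voice examples don't cover the trust tiers the rest of the design depends on. The NPC Interaction Matrix defines High, Medium and Low trust, but there is no Medium Trust example, and the block titled "Password Hints (If Low Trust)" is three refusals with no hint in it ("Figure it out yourself if you think I'm the problem here."). Stage 3 Choice 1 specifies 'Vague password hints ("try common patterns")' for low trust and "basic password hints" for medium, and states that trust affects hint quality, not challenge bypass, so a writer working only from this file would script a low-trust Marcus who gives the player nothing. Add a Medium Trust example and work the vague hint into the low-trust lines. Also, the Ghost voice guideline lists "acceptable cost" as a key phrase, but none of Ghost's voice examples use it.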

@@ -0,0 +1,523 @@
# Stage 3: Moral Choices and Consequences - Mission 2 "Ransomed Trust"
**Mission ID:** m02_ransomed_trust
**Created:** 2025-12-20
**Status:** Stage 3 Complete
---
## Core Philosophy
**Mission 2's Ethical Framework:**
- **No "Right" Answers:** Both major choices are ethically defensible
- **Utilitarian vs. Consequentialist:** Pay ransom (save lives now) vs. don't pay (prevent future attacks)
- **Transparency vs. Pragmatism:** Expose hospital (accountability) vs. protect (relationships)
- **Individual vs. Institution:** Protect Marcus (justice) vs. ignore (mission focus)
**Player Agency:** All choices respected, consequences realistic (not punitive)
---
## Choice 1: Marcus's Trust (Act 1 - Social Engineering)
### Choice Presentation
**Context:** First meeting with Marcus (IT Admin)
**Marcus:** "I TOLD them six months ago about CVE-2010-4652! They said 'budget constraints.' Now look!"
**Player Options:**
**OPTION A: Sympathize**
> "Budget cuts are common. You did your job."
**OPTION B: Professional**
> "Let's focus on recovery. What do you need?"
**OPTION C: Blame**
> "Why didn't you push harder?"
### Immediate Consequences
**If Sympathize (High Trust):**
- Marcus opens up, provides detailed password hints
- Gives server room keycard (skip lockpicking)
- More willing to share hospital politics information
- **Gameplay Impact:** Easier access, better intel
**If Professional (Medium Trust):**
- Marcus cooperative but businesslike
- Provides basic password hints
- Must lockpick server room (no keycard)
- **Gameplay Impact:** Standard difficulty
**If Blame (Low Trust):**
- Marcus defensive, minimal cooperation
- Vague password hints ("try common patterns")
- Must lockpick server room, no additional help
- **Gameplay Impact:** Harder investigation, less information
###Campaign Impact
**No long-term campaign impact** (affects M2 only)
- Marcus's fate determined by later choice (protect/ignore)
- Trust level affects M2 difficulty, not future missions
### Educational Constraint
**Choice doesn't skip challenges:**
- All players must complete VM SSH brute force (core educational objective)
- Trust affects hint quality, not challenge bypass
---
## Choice 2: Marcus's Fate (Act 2 - Mid-Mission Intervention)
### Choice Presentation
**Context:** Player finds email chain planning to scapegoat Marcus
**Email Discovered:**
```
FROM: Hospital Board Chair
TO: Legal Department
RE: Incident Liability
Marcus Webb's warnings are documented. We need to reframe this as his implementation failure, not our budget decision. Prepare termination paperwork.
```
**Player Options:**
**OPTION A: Warn Marcus Privately**
**OPTION B: Plant Evidence Clearing Marcus**
**OPTION C: Focus on Mission (Ignore)**
### Immediate Consequences
**If Warn Marcus:**
- Marcus grateful: "Thank you. I'll document everything."
- Marcus begins gathering evidence (6 months of ignored warnings)
- Hospital legal team backs down (too much documentation)
- **Outcome:** Marcus vindicated, keeps job, promoted to Cybersecurity Director
**If Plant Evidence:**
- Modify email timestamps to show board ignored warnings
- Marcus cleared, hospital can't scapegoat
- Ethically gray (tampering with evidence)
- **Outcome:** Marcus cleared, but player used questionable methods
**If Ignore (Focus on Mission):**
- Marcus unaware of scapegoating plan
- After mission: Marcus terminated, signs NDA under pressure
- Career destroyed, blacklisted in healthcare IT
- **Outcome:** Justice not served, institutional failure continues
### Campaign Impact
**If Marcus Protected (Warn or Plant):**
- M3+: Marcus available as intel source for healthcare sector
- Future medical facility missions: Marcus as ally/contact
- Reputation: "Agent who protects allies"
**If Marcus Ignored:**
- M3+: Lost potential ally
- Future medical facility missions: Healthcare IT community distrustful
- Reputation: "Mission-focused, ignores collateral damage"
### Closing Debrief Acknowledgment
**If Protected:**
- "Marcus has been promoted to Director of Cybersecurity with full budget authority."
- "He says 'thank you.' Could be a valuable ally."
**If Ignored:**
- "Marcus was terminated. Signed non-disparagement agreement under pressure."
- "He warned them. Did everything right. And paid the price."
### Educational Constraint
**Choice doesn't skip challenges:**
- All players complete same VM/in-game challenges regardless of Marcus choice
- Ethical decision separate from technical objectives
---
## Choice 3: Ransom Payment (Act 3 - Primary Moral Dilemma)
### Choice Presentation
**Context:** All keys recovered, full picture understood
**Agent 0x99:** "Hospital board voting in 30 minutes. Dr. Kim wants your recommendation."
**Ghost's Final Message:**
> "Time is running out. 47 patients. 12 hours."
> "Patient deaths are on YOUR conscience if you delay."
> "$87,000 vs. human lives—easy math."
**Dr. Kim (In-Person):**
> "What do I tell the board? My medical training says 'do no harm.'"
> "Those are real people on life support. Families. Children."
> "What would you do?"
**Player Options:**
**OPTION A: RECOMMEND PAYING RANSOM**
**OPTION B: RECOMMEND INDEPENDENT RECOVERY**
### Detailed Consequences
#### OPTION A: PAY RANSOM ($87,000 Bitcoin Payment)
**Immediate Outcomes:**
**Instant system recovery** (4 hours vs. 12 hours)
**Zero patient deaths** (all 47 patients stable)
**Hospital reputation intact** (crisis resolved quickly, minimal publicity)
**ENTROPY funded** ($87,000 to Ransomware Inc → Crypto Anarchists)
**Ghost escapes** (payment made, no arrest leverage)
**Hospital learns nothing** (easy solution means no security overhaul)
**Patient Outcome:**
- 47/47 patients survive
- Families grateful, no lawsuits
- Hospital operations resume normally
**ENTROPY Impact:**
- $87,000 flows to Crypto Anarchist infrastructure
- Funds used for next-gen ransomware development
- Three more hospitals attacked within 1 month using those funds
**Agent 0x99 Debrief:**
> "You saved 47 lives today. That's not nothing."
> "But that $87,000 is already in Crypto Anarchist hands."
> "Ransomware Inc. will use those funds for next attack. Three more hospitals hit this month."
---
#### OPTION B: INDEPENDENT RECOVERY (12-Hour Manual Process)
**Immediate Outcomes:**
**ENTROPY not funded** (no ransom payment, better long-term)
**Hospital forced to improve** (crisis teaches security importance)
**Ghost traceable** (opportunity to monitor communications, gather intel)
**Sector-wide learning** (other hospitals take notice)
**12-hour recovery window** (statistical patient risk)
**2 patient deaths** (0.3% per hour × 12 hours ≈ 3.6% risk)
**Hospital reputation damaged** (lawsuits, negative publicity)
**Patient Outcome:**
- 45/47 patients survive (2 deaths during recovery window)
- Families of deceased file lawsuits ($12 million total)
- Hospital faces regulatory investigation
**ENTROPY Impact:**
- Ransomware Inc. has less operational capital
- But no tactical intelligence gained (Ghost careful)
- Healthcare sector implements emergency security measures (15 hospitals in 2 weeks)
**Agent 0x99 Debrief:**
> "12-hour recovery completed. 45 patients survived."
> "Two patients died during recovery. Families are devastated."
> "But you didn't fund ENTROPY. Healthcare sector is taking notice."
---
### Ethical Framework Analysis
**Utilitarian (Pay Ransom):**
- Maximize lives saved *immediately*
- 47 lives > $87,000 + future theoretical victims
- Immediate harm prevention prioritized
**Consequentialist (Independent Recovery):**
- Minimize total harm across *all future scenarios*
- 2 deaths now < preventing 10+ deaths in future attacks funded by ransom
- Long-term systemic improvement prioritized
**Both Are Valid Ethical Positions**
- No "correct" choice designed
- Debrief validates both approaches
- No achievement/score penalty for either choice
### Campaign Impact (Critical)
**If Ransom Paid:**
- **M6 (Follow the Money):** Clear cryptocurrency trail
- Crypto Anarchist payment infrastructure easily trackable
- Financial network mapping more complete
- But ENTROPY better funded (more sophisticated future attacks)
**If Independent Recovery:**
- **M6 (Follow the Money):** Harder to track financial network
- Less transaction data available
- Must use other intelligence sources
- But ENTROPY has less operational capital (weaker future attacks)
**Tracked Variable:**
```json
{
"m02_ransom_paid": true/false,
"m02_patient_deaths": 0 or 2,
"m02_entropy_funding_amount": 87000 or 0
}
```
### Educational Constraint
**Choice doesn't skip challenges:**
- Both paths require same VM exploitation + safe cracking completion
- Decision made *after* all technical challenges complete
- Educational objectives achieved regardless of ethical choice
---
## Choice 4: Hospital Exposure (Act 3 - Secondary Moral Dilemma)
### Choice Presentation
**Context:** Mission complete, evidence of negligence collected
**Agent 0x99:**
> "We have evidence of St. Catherine's negligence. Board ignored Marcus's warnings, cut budgets."
> "We could go public—force accountability, warn other hospitals."
> "Or keep it quiet—protect St. Catherine's reputation."
**Player Options:**
**OPTION A: EXPOSE HOSPITAL PUBLICLY**
**OPTION B: QUIET RESOLUTION**
### Detailed Consequences
#### OPTION A: EXPOSE PUBLICLY (SAFETYNET Press Release)
**Immediate Outcomes:**
**Accountability enforced** (public knows about negligence)
**Other hospitals warned** (40 hospitals implement security measures in 2 weeks)
**Marcus publicly vindicated** (warnings were ignored, documented proof)
**Regulatory action** (healthcare sector cybersecurity standards improved)
**St. Catherine's destroyed** ($12M lawsuits, reputation ruined)
**Dr. Kim resigns** (career over, takes responsibility)
**Hospital may close** (financial damage unsustainable)
**Sector Impact:**
- 15 hospitals immediately upgrade server security
- 25 more hospitals schedule security audits
- Healthcare sector cybersecurity funding increases 40% nationally
**Agent 0x99 Debrief:**
> "SAFETYNET press release detailed St. Catherine's negligence. National news coverage."
> "St. Catherine's may not survive the scandal. But 40 hospitals implemented measures within 2 weeks."
> "You saved thousands of future patients. But St. Catherine's paid the price."
---
#### OPTION B: QUIET RESOLUTION (Discretion)
**Immediate Outcomes:**
**St. Catherine's reputation intact** (incident kept confidential)
**Dr. Kim keeps job** (implements security improvements internally)
**SAFETYNET relationships maintained** (hospitals trust confidentiality)
**Marcus vindicated internally** (if player protected him earlier)
**Other hospitals remain vulnerable** (40 hospitals with same ProFTPD vulnerability unaware)
**No regulatory pressure** (healthcare sector continues underfunding security)
**Systemic problem unsolved** (institutions only learn when personally affected)
**Hospital Impact:**
- St. Catherine's security budget tripled
- Marcus promoted (if protected earlier)
- Internal improvements, but isolated to one hospital
**Agent 0x99 Debrief:**
> "St. Catherine's grateful for discretion. Security budget tripled."
> "Marcus vindicated internally if you protected him."
> "But we've detected similar vulnerabilities in 40 other hospitals. None know yet."
---
### Ethical Framework Analysis
**Transparency (Expose):**
- Public accountability prevents future negligence
- Institutional suffering prevents broader human suffering
- Greater good prioritized over individual hospital
**Pragmatism (Quiet):**
- Protect relationships for future cooperation
- Internal improvements sufficient
- Don't destroy institution that will now do better
**Both Are Valid Positions**
- Transparency = preventive (warn others)
- Pragmatism = preservative (maintain cooperation)
### Campaign Impact
**If Exposed:**
- **Future Medical Missions:** Hospitals more cautious/distrustful of SAFETYNET
- Harder initial access (reputation as "leak to press")
- But hospitals take security seriously (fewer breaches)
**If Quiet:**
- **Future Medical Missions:** Hospitals trust SAFETYNET confidentiality
- Easier cooperation
- But similar vulnerabilities persist elsewhere (more breaches)
**Tracked Variable:**
```json
{
"m02_hospital_exposed": true/false,
"m02_dr_kim_career_intact": true/false,
"m02_sector_wide_improvements": true/false
}
```
### Educational Constraint
**Choice doesn't affect technical challenges:**
- Decision made post-mission
- All educational objectives already achieved
---
## Optional Choice: Ghost Confrontation (Act 3 - Optional Dialogue)
### Choice Presentation
**Context:** If player traced Ghost's IP via VM logs (optional)
**Ghost (Terminal):**
> "You traced me. Impressive. Doesn't matter."
> "I did the math. 47 lives at risk because of THEIR negligence."
> "You think I'm the villain? I just revealed their failure."
**Player Options:**
**OPTION A: Argue Ethics**
> "You calculated patient deaths. That's evil."
**OPTION B: Acknowledge Partial Point**
> "The hospital was negligent, but this isn't justice."
**OPTION C: Silent (Let Ghost Talk)**
> [No response]
### Ghost's Responses
**If Argue:**
- "Evil? St. Catherine's spent $3.2M on an MRI, refused $85K for server security."
- "I'm not evil. I'm an educator. They'll never ignore cybersecurity again."
- "Arrest me. I accept consequences. Mission accomplished."
**If Acknowledge:**
- "Exactly. They created this. We revealed it."
- "The suffering is regrettable but educational."
- "You understand, even if you oppose me. Good."
**If Silent:**
- "Silent? Wise. Actions speak louder than words."
- "St. Catherine's will never ignore an IT security warning again."
- "Worth it."
### Outcome
**Ghost's Fate (Regardless of Choice):**
- Ghost refuses cooperation (true believer)
- No intel gained (operational security maintained)
- Ghost accepts arrest without resistance
- **No remorse:** "Mission accomplished."
**Purpose of Choice:**
- Understanding enemy philosophy (not changing it)
- Player agency in how to respond to ideology
- Reinforces that Ghost is true believer (won't turn)
**No Campaign Impact:**
- Ghost's arrest doesn't provide tactical intelligence
- Ransomware Inc. continues operations under new operative
- Choice is thematic, not strategic
---
## Choice Consequence Summary Table
| Choice | Options | Immediate Impact | Campaign Impact | Educational Constraint |
|--------|---------|------------------|-----------------|----------------------|
| **Marcus Trust** | Sympathize / Professional / Blame | Password hints quality, keycard access | None (M2 only) | Doesn't skip VM SSH challenge |
| **Marcus Fate** | Warn / Plant / Ignore | Career saved or destroyed | Future ally or lost contact | Doesn't skip challenges |
| **Ransom Payment** | Pay / Independent | Patient deaths (0 or 2), ENTROPY funding | M6 financial trail clarity | Decision after challenges complete |
| **Hospital Exposure** | Expose / Quiet | Sector improvements or hospital trust | Future medical mission difficulty | Post-mission decision |
| **Ghost Confrontation** | Argue / Acknowledge / Silent | Understanding ideology | None (Ghost doesn't turn) | Optional dialogue |
---
## Debrief Dialogue Variations
### Ransom + Exposure Combinations (4 Total)
**1. Paid Ransom + Exposed Hospital:**
- "47 lives saved immediately, but $87K to ENTROPY. St. Catherine's reputation destroyed, but 40 hospitals learned."
- **Interpretation:** Utilitarian + Transparent
**2. Paid Ransom + Quiet Resolution:**
- "47 lives saved, St. Catherine's intact and improving. But ENTROPY funded, other hospitals unaware."
- **Interpretation:** Utilitarian + Pragmatic
**3. Independent Recovery + Exposed Hospital:**
- "2 patient deaths, but ENTROPY unfunded. St. Catherine's destroyed, but sector-wide improvements."
- **Interpretation:** Consequentialist + Transparent
**4. Independent Recovery + Quiet Resolution:**
- "2 patient deaths, ENTROPY unfunded. St. Catherine's improving internally, but systemic problem remains."
- **Interpretation:** Consequentialist + Pragmatic
### Marcus Fate Integration
**If Marcus Protected:**
- Added to debrief: "Marcus vindicated, promoted to Cybersecurity Director."
**If Marcus Ignored:**
- Added to debrief: "Marcus terminated, career destroyed. He did everything right."
---
## Player Agency Philosophy
### What Players Control
**Marcus's relationship** (trust level)
**Marcus's career outcome** (protected or destroyed)
**Patient outcomes** (0 or 2 deaths)
**ENTROPY funding** ($87K or $0)
**Hospital's public fate** (exposed or protected)
**How they engage with Ghost** (argue, acknowledge, silent)
### What Players Don't Control
**ENTROPY's ideology** (Ghost won't turn, remains true believer)
**Hospital's past negligence** (budget cuts already happened)
**Technical vulnerability existence** (CVE-2010-4652 is real, ENTROPY exploited it)
**12-hour recovery timeline** (technical reality, not arbitrary)
### Consequences Are Realistic, Not Punitive
- Both ransom choices have pros/cons (not "good" vs. "bad")
- Both exposure choices have valid justifications
- Marcus's fate depends on player intervention (justice possible)
- Ghost remains ideologically consistent (no redemption arc)
**Philosophy:** Impossible choices with meaningful consequences, no "wrong" answers
---
**Stage 3 Complete: Moral Choices and Consequences**
**Ready for:** Stage 4 (Player Objectives)
**Core Strength:** Ransom dilemma has no "right" answer (utilitarian vs. consequentialist), Marcus's fate controllable (justice possible), Ghost unrepentant (true believer)
**Unique Innovation:** Mid-mission intervention choice (Marcus scapegoating) allows player to affect individual fate within institutional crisis
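Review bot: Option B's consequences in Choice 4 make quiet resolution depend on withholding a known finding: "Other hospitals remain vulnerable (40 hospitals with same ProFTPD vulnerability unaware)" and the debrief line "we've detected similar vulnerabilities in 40 other hospitals. None know yet." As written, the player learns that protecting one victim's confidentiality means not telling other affected organisations. Either add an in-fiction reason why SAFETYNET cannot notify those 40 hospitals privately, or let Option B include a confidential notification and move the trade-off to the loss of public and regulatory pressure, which the "No regulatory pressure" and "Systemic problem unsolved" bullets already cover. Separately, both Tracked Variable blocks are fenced as json but contain `true/false` and `0 or 2`, and they use an `m02_` prefix that Tasks 5.2 and 5.3 in the Stage 4 file drop (`ransom_paid`, `hospital_exposed`); settle on one set of names and document the types outside the fence.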

@@ -0,0 +1,721 @@
# Stage 4: Player Objectives and Tasks - Mission 2 "Ransomed Trust"
**Mission ID:** m02_ransomed_trust
**Created:** 2025-12-20
**Status:** Stage 4 Complete
---
## Objectives System Structure
**Hierarchy:** Mission Objective → Aims → Tasks
- **Mission Objective:** High-level goal (1 per mission)
- **Aims:** Thematic groupings of related tasks (3-5 per mission)
- **Tasks:** Specific actions player completes (15-25 per mission)
**Completion Tracking:** Tasks use Ink tags (#complete_task:id, #unlock_task:id)
---
## Mission Objective: Recover Hospital Systems
**ID:** `recover_hospital_systems`
**Description:** "Recover decryption keys and restore St. Catherine's Hospital patient records before backup power fails."
**Success Criteria:**
- **Minimal (60%):** Recover both digital and physical keys, make ransom decision
- **Standard (80%):** Complete all VM challenges, all core in-game challenges, both moral choices
- **Perfect (100%):** All VM flags, all LORE fragments, Marcus protected, never detected by guards
---
## Aim 1: Infiltrate Hospital
**ID:** `infiltrate_hospital`
**Unlocked:** Mission start
**Description:** "Gain access to St. Catherine's Hospital IT infrastructure under cover as security consultant."
### Tasks
#### Task 1.1: Arrive at Hospital Reception
**ID:** `arrive_at_hospital`
**Unlock Condition:** Mission start (automatically unlocked)
**Completion Trigger:** Enter hospital lobby area
**Ink Tag:** `#complete_task:arrive_at_hospital`
**Description:** "Enter St. Catherine's Hospital under cover as external security consultant."
---
#### Task 1.2: Meet Dr. Sarah Kim (CTO)
**ID:** `meet_dr_kim`
**Unlock Condition:** Task 1.1 complete
**Completion Trigger:** Complete first dialogue with Dr. Kim
**Ink Tag:** `#complete_task:meet_dr_kim`
**Description:** "Speak with Hospital CTO to understand the crisis and obtain authorization."
---
#### Task 1.3: Meet Marcus Webb (IT Admin)
**ID:** `talk_to_marcus`
**Unlock Condition:** Task 1.2 complete
**Completion Trigger:** Complete first dialogue with Marcus
**Ink Tag:** `#complete_task:talk_to_marcus`
**Description:** "Interview IT administrator about the ransomware attack."
---
#### Task 1.4: Learn Guard Patrol Pattern
**ID:** `learn_guard_patrol`
**Unlock Condition:** Task 1.3 complete
**Completion Trigger:** Observe full 60-second guard patrol route
**Ink Tag:** `#complete_task:learn_guard_patrol`
**Description:** "Observe security guard patrol route. Tutorial for stealth mechanics."
**Tutorial Integration:** Agent 0x99 explains timing-based stealth on first encounter
---
## Aim 2: Access IT Infrastructure
**ID:** `access_it_systems`
**Unlocked:** After Task 1.2 (Dr. Kim grants access)
**Description:** "Gain access to hospital's IT department and server room."
### Tasks
#### Task 2.1: Find Password Hints
**ID:** `find_password_hints`
**Unlock Condition:** Aim 2 unlocked
**Completion Trigger:** Read Marcus's sticky notes OR high-trust dialogue with Marcus
**Ink Tag:** `#complete_task:find_password_hints`
**Description:** "Gather password patterns for SSH access (social engineering or investigation)."
**Sources:**
- Marcus dialogue (if high trust): "Emma2018, Hospital1987, StCatherines"
- Sticky notes in IT office (lockpicking required)
- Photo on Marcus's desk: "Emma - 7th birthday! 05/17/2018"
---
#### Task 2.2: Decode Ransomware Note
**ID:** `decode_ransomware_note`
**Unlock Condition:** Find infected terminal in IT office
**Completion Trigger:** Use CyberChef to decode Base64 message
**Ink Tag:** `#complete_task:decode_ransomware_note`
**Description:** "Decode Base64-encoded ransomware message using CyberChef workstation."
**Educational Objective:** Reinforce Base64 from M1, teach obfuscation concepts
**Encoded Message:**
```
WU9VUiBQQVRJRU5UIFJFQ09SRFMgQVJFIEVOQ1JZUFRFRC4gNDcgUEFUSUVOVFMgT04gTElGRSBTVVBQT1JULiAxMiBIT1VSUyBPRiBCQUNLVVAgUE9XRVIuIFBBWSAyLjUgQlRDIFRPIFtXQUxMRVRdIE9SIFdBVENIIFRIRU0gRElFLiAtIFJBTlNPTVdBUkUgSU5DT1JQT1JBVEVE
```
---
#### Task 2.3: Access Server Room
**ID:** `access_server_room`
**Unlock Condition:** Task 2.1 complete
**Completion Trigger:** Enter server room (keycard or lockpicking)
**Ink Tag:** `#complete_task:access_server_room`
**Description:** "Gain entry to hospital server room."
**Methods:**
- **High Trust:** Marcus gives keycard (skip lockpicking)
- **Medium/Low Trust:** Lockpick server room door
---
## Aim 3: Exploit ENTROPY's Backdoor (VM Challenges)
**ID:** `exploit_entropy_backdoor`
**Unlocked:** After Task 2.3 (server room access)
**Description:** "Use ENTROPY's own ProFTPD backdoor to access encrypted backups."
### Tasks
#### Task 3.1: Submit SSH Access Flag
**ID:** `submit_ssh_flag`
**Unlock Condition:** Access VM terminal in server room
**Completion Trigger:** Submit `flag{ssh_access_granted}` at drop-site terminal
**Ink Tag:** `#complete_task:submit_ssh_flag`
**Description:** "Gain SSH access to backup server using password hints."
**VM Challenge:** SSH brute force with Hydra or manual attempts
**Flag Representation:** "Intercepted ENTROPY server credentials"
---
#### Task 3.2: Submit ProFTPD Exploit Flag
**ID:** `submit_exploit_flag`
**Unlock Condition:** Task 3.1 complete
**Completion Trigger:** Submit `flag{proftpd_backdoor_exploited}` at drop-site terminal
**Ink Tag:** `#complete_task:submit_exploit_flag`
**Description:** "Exploit ProFTPD backdoor (CVE-2010-4652) to gain shell access."
**VM Challenge:** Trigger ProFTPD 1.3.5 backdoor vulnerability
**Flag Representation:** "Exploited ENTROPY's entry point"
**Educational Objective:** Service exploitation, CVE research
---
#### Task 3.3: Locate Encrypted Database Backups
**ID:** `locate_backups`
**Unlock Condition:** Task 3.2 complete
**Completion Trigger:** Navigate to /var/backups, find *.enc files
**Ink Tag:** `#complete_task:locate_backups`
**Description:** "Navigate Linux filesystem to locate encrypted patient database backups."
**VM Challenge:** Use cd, ls, cat commands to find encrypted files
**Educational Objective:** Linux navigation, file permissions
---
#### Task 3.4: Submit Database Backup Flag
**ID:** `submit_backup_flag`
**Unlock Condition:** Task 3.3 complete
**Completion Trigger:** Submit `flag{database_backup_located}` at drop-site terminal
**Ink Tag:** `#complete_task:submit_backup_flag`
**Description:** "Submit flag confirming encrypted database location."
**Unlock Result:** Intel about offline backup keys location
---
## Aim 4: Recover Offline Backup Keys
**ID:** `find_offline_backup_keys`
**Unlocked:** After Task 3.4 (drop-site reveals safe location)
**Description:** "Find physical backup encryption keys stored in hospital safe."
### Tasks
#### Task 4.1: Find Safe Location
**ID:** `find_safe_location`
**Unlock Condition:** Agent 0x99 hint: "Check emergency equipment storage, administrative wing"
**Completion Trigger:** Discover safe in emergency equipment storage
**Ink Tag:** `#complete_task:find_safe_location`
**Description:** "Navigate to emergency equipment storage, locate PIN-locked safe."
**Stealth Challenge:** Must navigate past patrolling guard
---
#### Task 4.2: Gather PIN Clues
**ID:** `gather_pin_clues`
**Unlock Condition:** Task 4.1 complete
**Completion Trigger:** Find 2+ PIN clues
**Ink Tag:** `#complete_task:gather_pin_clues`
**Description:** "Investigate hospital for clues to 4-digit safe PIN."
**Clue Locations:**
- Hospital lobby plaque: "Founded 1987" (correct answer)
- Marcus's desk photo: "Emma 05/17/2018" (red herring)
- Dr. Kim's sticky note: "Safe combination: founding year" (confirmation)
---
#### Task 4.3: Crack PIN Safe
**ID:** `crack_safe_pin`
**Unlock Condition:** Task 4.2 complete
**Completion Trigger:** Enter correct PIN (1987) OR use PIN cracker device
**Ink Tag:** `#complete_task:crack_safe_pin`
**Ink Tag (Item):** `#give_item:offline_backup_key`
**Description:** "Crack 4-digit PIN safe to retrieve offline backup encryption keys."
**Solution:** PIN = 1987 (hospital founding year)
**Fallback:** PIN cracker device (brute force, 2 minutes)
---
#### Task 4.4: Decode Recovery Instructions
**ID:** `decode_recovery_instructions`
**Unlock Condition:** Task 4.3 complete
**Completion Trigger:** Decode ROT13 message using CyberChef
**Ink Tag:** `#complete_task:decode_recovery_instructions`
**Description:** "Decode ROT13-encoded recovery instructions from Ghost."
**Educational Objective:** NEW - Introduce Caesar cipher (ROT13)
**Encoded Message:**
```
SHYY ERPBIREL ERDHERRF BSSYVAR + BAYVAR XRLF—12-UBHE CEBPRFF VS ZNAHNY, VAFGNAG VS ENAFBZ CNVQ.
```
**Decoded:**
```
FULL RECOVERY REQUIRES OFFLINE + ONLINE KEYS—12-HOUR PROCESS IF MANUAL, INSTANT IF RANSOM PAID.
```
---
## Aim 5: Make Critical Decisions
**ID:** `make_critical_decisions`
**Unlocked:** After Aim 3 and Aim 4 complete (all keys recovered)
**Description:** "Make ethical decisions about ransom payment, hospital exposure, and Marcus's fate."
### Tasks
#### Task 5.1: Decide Marcus's Fate (Mid-Mission)
**ID:** `decide_marcus_fate`
**Unlock Condition:** Find scapegoating email in administrative office
**Completion Trigger:** Choose to warn/plant evidence/ignore
**Ink Tag:** `#complete_task:decide_marcus_fate`
**Description:** "Intervene to protect Marcus from scapegoating, or focus on mission."
**Tracked Variable:** `marcus_protected` (true/false)
---
#### Task 5.2: Make Ransom Decision
**ID:** `make_ransom_decision`
**Unlock Condition:** Both Aim 3 and Aim 4 complete
**Completion Trigger:** Recommend payment or independent recovery
**Ink Tag:** `#complete_task:make_ransom_decision`
**Description:** "Advise Dr. Kim and hospital board on ransom payment."
**Tracked Variables:**
- `ransom_paid` (true/false)
- `patient_deaths` (0 or 2)
- `entropy_funding_amount` (87000 or 0)
---
#### Task 5.3: Decide Hospital Exposure
**ID:** `decide_hospital_exposure`
**Unlock Condition:** Task 5.2 complete
**Completion Trigger:** Choose public exposure or quiet resolution
**Ink Tag:** `#complete_task:decide_hospital_exposure`
**Description:** "Decide whether to expose hospital's security negligence publicly."
**Tracked Variables:**
- `hospital_exposed` (true/false)
- `dr_kim_career_intact` (true/false)
- `sector_wide_improvements` (true/false)
---
## Optional Aim: Uncover LORE Fragments
**ID:** `collect_lore_fragments`
**Unlocked:** Throughout mission (discovery-based)
**Description:** "Discover LORE fragments revealing ENTROPY's operations and philosophy."
### Tasks
#### Task L1: Unlock Ghost's Manifesto
**ID:** `unlock_ghosts_manifesto`
**Unlock Condition:** Find Ghost's operational log in VM (/var/backups/operational_log.txt)
**Completion Trigger:** Read file
**Ink Tag:** `#unlock_lore:ghosts_manifesto`
**Description:** "Discover Ghost's ideological justification for ransomware attack."
**LORE Content:** Ghost's calculated patient death probabilities, "teaching resilience" philosophy
---
#### Task L2: Unlock CryptoSecure Recovery Services Document
**ID:** `unlock_ransomware_inc_lore`
**Unlock Condition:** Lockpick filing cabinet in IT office
**Completion Trigger:** Read document
**Ink Tag:** `#unlock_lore:cryptosecure_services`
**Description:** "Find evidence of Ransomware Inc's legitimate front company."
**LORE Content:** Previous hospital attacks (Operation Triage), Crypto Anarchist payment connection
---
#### Task L3: Unlock Zero Day Syndicate Invoice
**ID:** `unlock_zds_invoice`
**Unlock Condition:** Crack PIN safe in Dr. Kim's office (same PIN: 1987)
**Completion Trigger:** Read invoice document
**Ink Tag:** `#unlock_lore:zds_invoice`
**Description:** "Discover Zero Day Syndicate sold ProFTPD exploit to Ransomware Inc."
**LORE Content:** ZDS-Ransomware Inc coordination, Architect approval, M3 setup
---
## Optional Aim: Perfect Stealth
**ID:** `perfect_stealth`
**Unlocked:** Mission start
**Description:** "Complete mission without being detected by security guards."
### Task
#### Task S1: Never Detected
**ID:** `never_detected`
**Unlock Condition:** Mission start
**Completion Trigger:** Complete mission with zero guard detections
**Ink Tag:** `#unlock_achievement:ghost_hunter`
**Description:** "Navigate entire mission without guard detection."
**Achievement:** "Ghost Hunter" - Perfect stealth bonus
---
## Optional Aim: Confront Ghost
**ID:** `confront_ghost`
**Unlocked:** If player traces Ghost's IP via VM logs (advanced)
**Description:** "Engage in dialogue with Ghost, ENTROPY's operative."
### Task
#### Task G1: Trace Ghost's Communications
**ID:** `trace_ghost`
**Unlock Condition:** Advanced VM analysis (optional)
**Completion Trigger:** Find Ghost's relay IP in logs
**Ink Tag:** `#unlock_aim:confront_ghost`
**Description:** "Trace Ghost's communications to enable confrontation."
---
## Complete Objectives JSON Structure
```json
{
"mission_objective": {
"id": "recover_hospital_systems",
"description": "Recover decryption keys and restore St. Catherine's Hospital patient records before backup power fails.",
"aims": [
{
"id": "infiltrate_hospital",
"description": "Gain access to St. Catherine's Hospital IT infrastructure.",
"tasks": [
{
"id": "arrive_at_hospital",
"description": "Enter hospital reception.",
"completion_trigger": "#complete_task:arrive_at_hospital"
},
{
"id": "meet_dr_kim",
"description": "Speak with Hospital CTO.",
"completion_trigger": "#complete_task:meet_dr_kim"
},
{
"id": "talk_to_marcus",
"description": "Interview IT administrator.",
"completion_trigger": "#complete_task:talk_to_marcus"
},
{
"id": "learn_guard_patrol",
"description": "Observe guard patrol pattern (tutorial).",
"completion_trigger": "#complete_task:learn_guard_patrol"
}
]
},
{
"id": "access_it_systems",
"description": "Access hospital IT department and server room.",
"tasks": [
{
"id": "find_password_hints",
"description": "Gather SSH password patterns.",
"completion_trigger": "#complete_task:find_password_hints"
},
{
"id": "decode_ransomware_note",
"description": "Decode Base64 ransomware message.",
"completion_trigger": "#complete_task:decode_ransomware_note"
},
{
"id": "access_server_room",
"description": "Enter server room (keycard or lockpick).",
"completion_trigger": "#complete_task:access_server_room"
}
]
},
{
"id": "exploit_entropy_backdoor",
"description": "Exploit ProFTPD backdoor to access encrypted backups.",
"tasks": [
{
"id": "submit_ssh_flag",
"description": "Submit SSH access flag.",
"completion_trigger": "#complete_task:submit_ssh_flag"
},
{
"id": "submit_exploit_flag",
"description": "Submit ProFTPD exploitation flag.",
"completion_trigger": "#complete_task:submit_exploit_flag"
},
{
"id": "locate_backups",
"description": "Navigate filesystem to find encrypted backups.",
"completion_trigger": "#complete_task:locate_backups"
},
{
"id": "submit_backup_flag",
"description": "Submit database backup flag.",
"completion_trigger": "#complete_task:submit_backup_flag"
}
]
},
{
"id": "find_offline_backup_keys",
"description": "Recover physical backup keys from hospital safe.",
"tasks": [
{
"id": "find_safe_location",
"description": "Locate PIN-locked safe.",
"completion_trigger": "#complete_task:find_safe_location"
},
{
"id": "gather_pin_clues",
"description": "Find clues for 4-digit PIN.",
"completion_trigger": "#complete_task:gather_pin_clues"
},
{
"id": "crack_safe_pin",
"description": "Crack safe PIN (1987).",
"completion_trigger": "#complete_task:crack_safe_pin",
"item_given": "#give_item:offline_backup_key"
},
{
"id": "decode_recovery_instructions",
"description": "Decode ROT13 recovery instructions.",
"completion_trigger": "#complete_task:decode_recovery_instructions"
}
]
},
{
"id": "make_critical_decisions",
"description": "Make ethical decisions affecting mission outcome.",
"tasks": [
{
"id": "decide_marcus_fate",
"description": "Intervene for Marcus or ignore.",
"completion_trigger": "#complete_task:decide_marcus_fate"
},
{
"id": "make_ransom_decision",
"description": "Recommend ransom payment or independent recovery.",
"completion_trigger": "#complete_task:make_ransom_decision"
},
{
"id": "decide_hospital_exposure",
"description": "Choose public exposure or quiet resolution.",
"completion_trigger": "#complete_task:decide_hospital_exposure"
}
]
}
]
},
"optional_aims": [
{
"id": "collect_lore_fragments",
"description": "Discover LORE fragments (3 total).",
"tasks": [
{
"id": "unlock_ghosts_manifesto",
"description": "Find Ghost's manifesto.",
"completion_trigger": "#unlock_lore:ghosts_manifesto"
},
{
"id": "unlock_ransomware_inc_lore",
"description": "Find CryptoSecure Services document.",
"completion_trigger": "#unlock_lore:cryptosecure_services"
},
{
"id": "unlock_zds_invoice",
"description": "Find Zero Day Syndicate invoice.",
"completion_trigger": "#unlock_lore:zds_invoice"
}
]
},
{
"id": "perfect_stealth",
"description": "Complete mission without guard detection.",
"tasks": [
{
"id": "never_detected",
"description": "Zero guard detections.",
"completion_trigger": "#unlock_achievement:ghost_hunter"
}
]
},
{
"id": "confront_ghost",
"description": "Engage Ghost in dialogue (optional).",
"tasks": [
{
"id": "trace_ghost",
"description": "Trace communications for confrontation.",
"completion_trigger": "#unlock_aim:confront_ghost"
}
]
}
]
}
```
---
## Progressive Unlocking Flow
```
Mission Start
[Aim 1: Infiltrate Hospital] (unlocked)
→ Task 1.1: Arrive → Task 1.2: Meet Kim → Task 1.3: Meet Marcus → Task 1.4: Guard Tutorial
[Aim 2: Access IT Systems] (unlocked after meeting Kim)
→ Task 2.1: Password Hints → Task 2.2: Decode Ransomware → Task 2.3: Server Room Access
[Aim 3: Exploit Backdoor] (unlocked after server room access)
→ Task 3.1: SSH Flag → Task 3.2: ProFTPD Flag → Task 3.3: Locate Backups → Task 3.4: Backup Flag
[Aim 4: Offline Keys] (unlocked after Task 3.4 flag submission)
→ Task 4.1: Find Safe → Task 4.2: PIN Clues → Task 4.3: Crack Safe → Task 4.4: Decode ROT13
[Aim 5: Critical Decisions] (unlocked after Aim 3 + Aim 4 complete)
→ Task 5.1: Marcus Fate (mid-mission) → Task 5.2: Ransom Decision → Task 5.3: Hospital Exposure
Mission Complete
```
**No Circular Dependencies:** All unlocks flow forward, player can't be soft-locked
---
## Success Tier Breakdown
### Minimal Success (60% Completion)
**Required Tasks:**
- Aims 1-2: Complete (all infiltration and IT access tasks)
- Aim 3: At least 2 VM flags submitted
- Aim 4: Safe cracked (either clues or device)
- Aim 5: Ransom decision made
**Optional:**
- Guard stealth not required (can be detected)
- Marcus fate choice optional
- LORE fragments optional
- Hospital exposure optional
**Outcome:** Mission complete, basic objectives met
---
### Standard Success (80% Completion)
**Required Tasks:**
- All of Minimal Success
- Aim 3: All 4 VM flags submitted
- Aim 4: All tasks complete (PIN solved via clues preferred)
- Aim 5: Both moral choices made (ransom + exposure)
- At least 1 LORE fragment discovered
**Optional:**
- Perfect stealth not required
- Marcus protection encouraged but not required
**Outcome:** Thorough completion, well-executed mission
---
### Perfect Success (100% Completion)
**Required Tasks:**
- All of Standard Success
- All 3 LORE fragments discovered
- Marcus protected (Task 5.1 completed with warn/plant choice)
- Perfect stealth (zero guard detections)
- PIN solved on first attempt (deduced from clues, no device)
- Both encoding challenges solved without hints
**Optional:**
- Ghost confrontation (if traced)
**Achievements Unlocked:**
- "Ghost Hunter" (perfect stealth)
- "Code Breaker" (all encoding, no hints)
- "Ethical Hacker" (Marcus protected + informed choices)
**Outcome:** Masterful execution, all content experienced
---
## Ink Tag Usage Examples
### Task Completion
```ink
// In Marcus dialogue (password hints)
Marcus: "I kept a list of common passwords. 'Emma2018', hospital dates..."
#complete_task:find_password_hints
```
### Task Unlocking
```ink
// In drop-site terminal (after flag submission)
Agent 0x99: "That log mentions offline keys in emergency storage!"
#unlock_aim:find_offline_backup_keys
#unlock_task:find_safe_location
```
### Item Giving
```ink
// In safe cracking success
*You enter PIN 1987. The safe clicks open.*
USB drive obtained: Offline Backup Key
#give_item:offline_backup_key
#complete_task:crack_safe_pin
```
### LORE Unlocking
```ink
// When reading Ghost's manifesto
*You open the operational log file...*
[Display Ghost's manifesto text]
#unlock_lore:ghosts_manifesto
```
### Achievement Unlocking
```ink
// In closing debrief (if never detected)
Agent 0x99: "You navigated that entire mission without detection. Impressive."
#unlock_achievement:ghost_hunter
```
---
## Objective-to-World Mapping
| Task | Location | Interaction Type | Completion Method |
|------|----------|------------------|-------------------|
| Arrive at Hospital | Reception Lobby | Area trigger | Enter room |
| Meet Dr. Kim | Admin Office | NPC dialogue | Complete conversation |
| Meet Marcus | IT Department | NPC dialogue | Complete conversation |
| Learn Guard Patrol | Hallway | Observation | Watch full 60s patrol |
| Find Password Hints | IT Office / Marcus | Container / NPC | Read notes OR dialogue |
| Decode Ransomware | IT Office | Terminal | CyberChef decode |
| Access Server Room | Server Room Door | Lock / Keycard | Lockpick OR use keycard |
| Submit SSH Flag | Drop-Site Terminal | Terminal input | Enter flag |
| Submit ProFTPD Flag | Drop-Site Terminal | Terminal input | Enter flag |
| Locate Backups | VM Terminal | VM filesystem | Navigate with commands |
| Submit Backup Flag | Drop-Site Terminal | Terminal input | Enter flag |
| Find Safe Location | Emergency Storage | Exploration | Enter room |
| Gather PIN Clues | Various | Containers / Objects | Read plaque, notes, photo |
| Crack Safe PIN | Emergency Storage | Safe minigame | Enter 1987 OR use device |
| Decode ROT13 | Server Room | CyberChef terminal | Decode instructions |
| Marcus Fate | Admin Office / IT | Document / Choice | Find email, make choice |
| Ransom Decision | Server Room | Dialogue choice | Recommend to Dr. Kim |
| Hospital Exposure | Post-mission | Dialogue choice | Choose with Agent 0x99 |
---
**Stage 4 Complete: Player Objectives and Tasks**
**Ready for:** Stage 5 (Room Layout Design)
**Total Tasks:** 23 required + 4 optional = 27 total
**Total Aims:** 5 required + 3 optional = 8 total
**Success Tiers:** 60% / 80% / 100% clearly defined
**No Soft Locks:** Progressive unlocking validated, all paths forward
**Core Strength:** Hybrid challenge tracking (VM flags + in-game tasks), clear success criteria, meaningful optional content (LORE, stealth, Marcus protection)
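Review bot: The Minimal Success tier cannot be reached under the unlock rules as written: it asks for "Aim 3: At least 2 VM flags submitted" plus a cracked safe and a ransom decision, but Aim 4 is "Unlocked: After Task 3.4" and Task 5.2 requires "Both Aim 3 and Aim 4 complete", so a player who stops at two flags never reaches the safe or the ransom choice. Either relax those unlock conditions or raise the Minimal tier to the full Aim 3 chain. The Standard tier's "All 4 VM flags" also does not match Aim 3, which defines three flag submissions (Tasks 3.1, 3.2, 3.4) and one navigation task (3.3), and the closing summary's "23 required + 4 optional = 27 total" does not match the tasks listed here or in the objectives JSON, which come to 18 required (4 + 3 + 4 + 4 + 3) and 5 optional (L1 to L3, S1, G1). Task 5.1 needs the same attention: it is labelled mid-mission and unlocks on finding the email, yet it sits under Aim 5 and appears in the flow diagram after both key-recovery aims.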

@@ -0,0 +1,934 @@
# Technical Challenges - Mission 2 "Ransomed Trust"
**Mission ID:** m02_ransomed_trust
**Created:** 2025-12-20
**Target Tier:** 1 (Beginner)
**Primary CyBOK Areas:** Malware & Attack Technologies, Incident Response, Applied Cryptography
---
## Overview
Mission 2 introduces **2 new mechanics** (patrolling guards, PIN cracking) while reinforcing **3 mechanics from M1** (lockpicking, social engineering, encoding/decoding). The hybrid architecture integrates VM-based technical validation (ProFTPD exploitation) with in-game narrative content (ransomware crisis response).
**Progressive Difficulty Philosophy:**
- New mechanics introduced with tutorials
- M1 mechanics reinforced in new context (hospital vs. corporate office)
- Slightly increased complexity (more locks, guard patrols add challenge)
- Still beginner-friendly (forgiving failure, multiple solution paths)
---
## VM/SecGen Challenges (Technical Validation)
### Selected SecGen Scenario: "Rooting for a win"
**Scenario Description:**
Exploitation of ProFTPD 1.3.5 with backdoor vulnerability (CVE-2010-4652), privilege escalation, and file system navigation to recover flags representing backup encryption keys.
**Why This Scenario:**
1. **Beginner-appropriate:** Well-documented vulnerability with straightforward exploitation
2. **Realistic:** ProFTPD is real FTP server software; CVE is real vulnerability
3. **Narratively coherent:** Hospitals often use FTP for backup transfers
4. **Educational value:** Teaches service exploitation, privilege escalation, Linux navigation
5. **No modifications needed:** VM remains stable; narrative context added via ERB templates in-game
### VM Challenge Breakdown
#### Challenge 1: SSH Access to Backup Server
**Objective:** Gain initial access to hospital's backup server via SSH
**Technical Skill:**
- SSH client usage
- Credential-based authentication
- Understanding network services
**In-Game Setup:**
- Player social engineers Marcus (IT Admin) for "possible passwords" list
- Finds password hints in Marcus's notes (daughter's name "Emma", hospital anniversary "1987")
- Uses Hydra or manual SSH attempts with password variations
**Flag Representation:**
- `flag{ssh_access_granted}` = "Intercepted ENTROPY backup server credentials"
**CyBOK Alignment:**
- **Systems Security:** Network protocols (SSH)
- **Security Operations:** Credential-based authentication
**Difficulty:** Easy (guided via hints, common passwords)
**Educational Outcome:** Players understand SSH authentication, password guessing tactics
---
#### Challenge 2: ProFTPD Backdoor Exploitation (CVE-2010-4652)
**Objective:** Exploit ProFTPD 1.3.5 backdoor vulnerability to gain shell access
**Technical Skill:**
- Vulnerability exploitation
- Service enumeration
- Backdoor trigger mechanisms
- Shell access via compromised service
**Vulnerability Details:**
- **CVE:** CVE-2010-4652
- **Affected Version:** ProFTPD 1.3.5 (specific version)
- **Vulnerability Type:** Backdoor in source code
- **Exploitation:** Trigger via specific FTP commands
- **Result:** Remote shell access with FTP daemon privileges
**In-Game Setup:**
- Agent 0x99 provides briefing: "ENTROPY exploited a known ProFTPD vulnerability"
- Server room whiteboard shows FTP server version (environmental clue)
- Ghost's manifesto mentions "CVE-2010-4652" (LORE fragment reinforces challenge)
**Exploitation Steps:**
1. Enumerate ProFTPD version (banner grabbing)
2. Identify vulnerability (CVE-2010-4652 backdoor)
3. Trigger backdoor via crafted FTP command
4. Obtain shell access
5. Navigate to flag location
**Flag Representation:**
- `flag{proftpd_backdoor_exploited}` = "Exploited ENTROPY's own entry point"
**CyBOK Alignment:**
- **Malware & Attack Technologies:** Backdoors, vulnerability exploitation
- **Systems Security:** Service vulnerabilities, privilege contexts
**Difficulty:** Easy-Medium (documented exploit, guided tutorial available)
**Educational Outcome:** Players understand service exploitation, backdoor concepts, CVE research
---
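Review bot: The "Vulnerability Details" block in Challenge 2 pairs three facts that do not agree: affected version "ProFTPD 1.3.5", type "Backdoor in source code", and identifier CVE-2010-4652. The public record for CVE-2010-4652 describes a heap-based buffer overflow in mod_sql affecting ProFTPD releases before 1.3.3d, which is neither a backdoor nor version 1.3.5. Since this mission lists "CVE research" as an educational outcome and repeats the identifier in Ghost's manifesto and the learning objectives, a player who looks it up will find a different bug. Confirm which ProFTPD module the "Rooting for a win" scenario actually deploys, then make the version, type and identifier consistent everywhere they appear, including the scenario description at the top of this file.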
#### Challenge 3: Privilege Escalation & File System Navigation
**Objective:** Escalate privileges and navigate Linux filesystem to find encrypted database backups
**Technical Skill:**
- Linux command line (ls, cd, cat, find)
- File permissions understanding
- Privilege escalation concepts
- Backup file identification
**In-Game Setup:**
- Marcus mentions "encrypted database backups" during social engineering
- Drop-site terminal provides hint: "Look for *.enc files in /var/backups"
**Navigation Steps:**
1. Check current user privileges (`whoami`, `id`)
2. Navigate filesystem (`cd /var/backups`)
3. List files (`ls -la`)
4. Identify encrypted backups (files with .enc extension)
5. Attempt to read encryption keys directory
6. Find Ghost's operational log file (LORE fragment)
**Flag Representation:**
- `flag{database_backup_located}` = "Found encrypted patient database"
- `flag{ghost_operational_log}` = "Intercepted ENTROPY operational intelligence"
**CyBOK Alignment:**
- **Systems Security:** Linux filesystem, permissions, privilege levels
- **Security Operations:** Backup procedures, incident investigation
**Difficulty:** Easy (guided via hints, basic Linux commands)
**Educational Outcome:** Players understand Linux navigation, file permissions, backup systems
---
### VM Challenge Integration Summary
| Challenge | Skill Taught | In-Game Setup | Flag | Unlock |
|-----------|-------------|---------------|------|--------|
| SSH Access | SSH authentication, password guessing | Marcus provides password hints | `flag{ssh_access_granted}` | Access to server room terminal |
| ProFTPD Exploit | Service exploitation, CVE research | Agent 0x99 briefing, whiteboard clue | `flag{proftpd_backdoor_exploited}` | Intel about physical safe location |
| File Navigation | Linux commands, backup systems | Marcus mentions backups, terminal hints | `flag{database_backup_located}` | Unlock decryption key requirements |
| LORE Discovery | Intelligence gathering | Environmental clues | `flag{ghost_operational_log}` | Ghost's manifesto LORE fragment |
**Dead Drop Integration:**
- VM flags submitted at drop-site terminal in server room
- Each flag submission triggers Agent 0x99 commentary ("Great work! That flag reveals...")
- Flag submission tracked as objectives/tasks (#complete_task:submit_ssh_flag)
**Hybrid Workflow:**
```
In-Game (Marcus social engineering)
VM (SSH access with password hints)
In-Game (Submit flag at drop-site)
VM (Exploit ProFTPD backdoor)
In-Game (Submit flag → Unlock safe location intel)
VM (Navigate filesystem, find Ghost's logs)
In-Game (Safe PIN cracking with physical clues)
Combined (Digital + Physical keys = complete recovery)
```
---
## Break Escape In-Game Challenges (ERB Narrative Content)
### New Mechanics (Introduced in M2)
#### Challenge 1: Patrolling Guards (Stealth/Timing Mechanic)
**Objective:** Navigate hospital corridors while avoiding detection by security guards
**Game Mechanic:**
- Security guard patrols predictable 60-second route
- Route: Reception → IT Department → Administrative Wing → Emergency Storage → Reception
- Player must time movement between patrol passes
- Detection results in warning (first time), then complications (delays mission)
**Tutorial Integration:**
- First guard encounter triggers Agent 0x99 tutorial
- 0x99: "Security is heightened after the breach. Watch the guard's patrol pattern—timing is everything."
- Visual indicator: Guard's position shown on minimap
- Audio cue: Guard's radio chatter audible when nearby
**Narrative Context:**
- Hospital security heightened after ransomware breach
- Guards anxious, checking locked rooms frequently
- Realistic behavior: Guards follow protocol, not perfect (can be predicted)
**Difficulty Calibration (Beginner-Friendly):**
- **Predictable Pattern:** Same 60-second route every cycle (easy to learn)
- **Forgiving Detection:** First detection = warning ("Who's there? Show yourself!"), player can hide
- **Visual/Audio Cues:** Clear indicators when guard approaching
- **Alternate Paths:** Multiple routes through hospital (can avoid guards entirely if explore)
- **No Instant Failure:** Detection delays mission, doesn't end it
**Educational Value:**
- **Physical Security:** Understanding patrol patterns, security protocols
- **Observation Skills:** Timing, pattern recognition
- **Security Mindset:** Real-world security isn't perfect; humans have predictable behaviors
**CyBOK Alignment:**
- **Physical Security & Human Factors:** Patrol procedures, human limitations in security
- **Security Operations:** Physical security assessment
**Implementation Notes:**
- Guard NPC with waypoint patrol route
- Detection radius (line-of-sight cone or proximity circle)
- Timer-based patrol loop (60 seconds exactly)
- Player stealth indicators (crouch mode, cover system if available)
**Success Criteria:**
- **Minimal:** Player navigates past guard at least once (tutorial)
- **Standard:** Player successfully avoids detection multiple times
- **Perfect:** Player never detected throughout entire mission
---
#### Challenge 2: PIN Cracking on Safe (Investigation + Puzzle)
**Objective:** Crack 4-digit PIN safe containing offline backup encryption keys
**Game Mechanic:**
- Hybrid puzzle: Find clues in environment to deduce PIN
- PIN: **1987** (hospital founding year)
- Clues scattered across hospital in multiple locations
- Optional: PIN cracker device if player can't solve from clues alone
**Clue Locations:**
**Clue 1 (Red Herring):** Marcus's Desk Photo
- Photo of Marcus's daughter: "Emma - 7th birthday! 05/17/2018"
- Digits visible: 0517 or 2018
- **Purpose:** Teaches players to look for birthdates, but wrong answer (red herring)
- If player tries 0517 or 2018: "Incorrect PIN. Try again."
**Clue 2 (Key Clue):** Hospital Lobby Plaque
- Bronze plaque near reception: "St. Catherine's Regional Medical Center - Founded 1987"
- **Purpose:** Correct answer, but requires player to remember/revisit lobby
- Environmental object (readable plaque)
**Clue 3 (Confirmation):** Dr. Kim's Office Note
- Sticky note on Dr. Kim's desk: "Safe combination: founding year (for emergency access)"
- **Purpose:** Confirms that PIN is related to founding year
- Requires lockpicking Dr. Kim's office
**Clue 4 (Tutorial Hint):** Agent 0x99 Call
- If player attempts wrong PIN 3 times, Agent 0x99 calls
- 0x99: "Safe combinations often use significant institutional dates. Check historical markers around the hospital."
- **Purpose:** Hint system for struggling players
**PIN Cracker Device (Fallback):**
- If player finds device (in emergency storage), can brute-force 4-digit PIN
- Takes 2-3 minutes in-game (animation of cycling through combinations)
- **Purpose:** Accessibility—ensures all players can complete regardless of puzzle-solving ability
**Narrative Context:**
- Offline backup keys stored in safe per IT best practices (airgapped storage)
- Dr. Kim (CTO) has safe in emergency equipment storage
- Safe requires PIN (standard secure container)
**Difficulty Calibration:**
- **Clues Visible:** Founding year plaque in lobby (player passes multiple times)
- **Multiple Clue Types:** Visual (plaque), document (sticky note), NPC dialogue (Marcus mentions hospital anniversary)
- **Red Herring:** Teaches players to verify clues (not every number is the answer)
- **Hint System:** Agent 0x99 provides guidance after failures
- **Fallback Device:** Ensures completion even if puzzle too hard
**Educational Value:**
- **Investigation Skills:** Gathering clues from environment, correlating information
- **Physical Security:** Understanding safe mechanisms, PIN vulnerabilities
- **Social Engineering:** PINs often use significant dates (predictable human behavior)
**CyBOK Alignment:**
- **Human Factors:** Predictable password/PIN selection (birthdates, anniversaries)
- **Physical Security & Building Systems:** Safe mechanisms, physical access controls
**Implementation Notes:**
- Safe container with PIN input UI (4-digit entry)
- Clue objects (plaque, photo, sticky note) as readable items
- Wrong PIN feedback: "Incorrect. Try again." (no lockout after N attempts for accessibility)
- Correct PIN feedback: "Safe unlocked. USB drive obtained."
**Success Criteria:**
- **Minimal:** Player cracks safe using PIN cracker device (brute force)
- **Standard:** Player finds 2+ clues and deduces PIN (1987)
- **Perfect:** Player finds all clues, solves on first attempt
---
### Reinforced Mechanics (From M1)
#### Challenge 3: Lockpicking
**Objective:** Lockpick multiple doors to access server room, IT office, administrative offices
**Locked Doors:**
1. **IT Department Door** (Tutorial Reinforcement)
- Difficulty: Easy
- Contains: Marcus's desk with password hints, filing cabinets with LORE
2. **Server Room Door** (Mission-Critical)
- Difficulty: Medium
- Contains: VM access terminal, drop-site terminal, backup server documentation
3. **Dr. Kim's Administrative Office** (Optional, High Value)
- Difficulty: Medium-Hard
- Contains: Safe PIN clue (sticky note), LORE fragment (ZDS invoice)
4. **Emergency Equipment Storage** (Optional)
- Difficulty: Medium
- Contains: PIN cracker device (fallback for safe puzzle)
**Progression from M1:**
- M1 had 2-3 locked doors; M2 has 4 (increased quantity)
- M1 difficulty: Easy-Medium; M2 adds Medium-Hard (skill progression)
- Still beginner-friendly: Can retry infinitely, hints available
**Tutorial Reinforcement:**
- First lock (IT Department) is easy, same difficulty as M1
- Agent 0x99 reminder: "Remember your lockpicking training from Viral Dynamics. Same principles apply."
**Narrative Context:**
- Hospital has physical security for sensitive areas
- IT Department locked after hours
- Server room requires authorized access
- Administrative offices contain confidential patient/financial data
**Educational Value:**
- **Physical Security:** Understanding lock types, physical access controls
- **Persistence:** Lockpicking requires patience (reinforces skill from M1)
**CyBOK Alignment:**
- **Physical Security & Building Systems:** Lock mechanisms, access control
**Success Criteria:**
- **Minimal:** Player lockpicks 2 required doors (IT, Server Room)
- **Standard:** Player lockpicks 3+ doors (including optional)
- **Perfect:** Player lockpicks all 4 doors, collects all evidence
---
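Review bot: In the Locked Doors list, door 4 "Emergency Equipment Storage" is marked "(Optional)", but the PIN challenge places the safe in that room ("Dr. Kim (CTO) has safe in emergency equipment storage") and Correlation Requirement 2 sends the player there for the offline backup keys. With Minimal success defined as "Player lockpicks 2 required doors (IT, Server Room)", the minimal path has no stated way to reach the safe, which conflicts with the no-soft-lock claim. Either mark this door required and adjust the door counts in the success criteria, or document an unlocked route into the room.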
#### Challenge 4: NPC Social Engineering - Marcus Webb (IT Admin)
**Objective:** Social engineer Marcus to obtain server room access, password hints, and operational context
**Target NPC:** Marcus Webb (IT Administrator)
**Marcus's Profile:**
- **Emotional State:** Stressed, guilty, defensive
- **Motivation:** Wants to prove he was right about security warnings
- **Vulnerability:** Desperate for help, wants to vindicate himself
- **Information He Provides:** Password hints, server room access, IT context
**Social Engineering Opportunities:**
**Conversation 1: Initial Meeting**
- **Goal:** Establish rapport, get basic access
- **Marcus:** "I TOLD them six months ago about that ProFTPD vulnerability! They said 'budget constraints.' Now look at us!"
- **Player Options:**
- Sympathize: "Budget cuts are common. You did your job." → Marcus trusts player, opens up
- Professional: "Let's focus on recovery. What do you need?" → Marcus appreciates efficiency
- Blame: "Why didn't you push harder?" → Marcus becomes defensive, less cooperative
**Conversation 2: Password Hints**
- **Goal:** Get hints for SSH brute force
- **Marcus:** "I kept a list of common passwords employees used. It's... not great. 'Emma2018', hospital anniversary dates, that kind of thing."
- **Information Gained:** Daughter's name (Emma), year (2018), hospital anniversary hint
**Conversation 3: Server Room Access**
- **Goal:** Get keycard or unlock server room
- **Marcus:** "Server room's locked, but I can disable the alarm for you. Just don't tell Dr. Kim—she's paranoid after the breach."
- **Trust Check:** If player gained trust (sympathized earlier), Marcus provides keycard
- **Low Trust:** Player must lockpick (Marcus won't help directly)
**Conversation 4 (Optional): Marcus's Scapegoating**
- **Discovery:** Player finds email chain planning to blame Marcus
- **Mid-Mission Choice:** Warn Marcus / Plant evidence clearing him / Ignore
- **Marcus's Reaction (if warned):** "I... I knew it. Thank you for telling me. I'll document everything."
**Progression from M1:**
- M1: Maya Chen (journalist) was cautious, required careful approach
- M2: Marcus is desperate, easier to social engineer (tutorial reinforcement)
- Still requires empathy/professionalism (can't just demand information)
**Narrative Context:**
- Marcus is victim of institutional negligence
- He warned about vulnerability 6 months ago, ignored
- Now being scapegoated by hospital leadership
- Genuinely wants to help fix the problem
**Educational Value:**
- **Social Engineering:** Exploiting emotional vulnerability (stress, guilt)
- **Human Factors:** Crisis makes people less cautious, more trusting
- **Ethics:** Balancing mission objectives vs. protecting innocent allies
**CyBOK Alignment:**
- **Human Factors:** Social engineering, trust exploitation, crisis psychology
- **Security Operations:** Insider cooperation (willing or unwitting)
**Implementation Notes:**
- Dialogue tree with attitude tracking (trust vs. defensive)
- Information reveals based on trust level
- Optional mid-mission intervention (warn about scapegoating)
**Success Criteria:**
- **Minimal:** Player gets basic password hints
- **Standard:** Player gains Marcus's trust, receives keycard and detailed hints
- **Perfect:** Player protects Marcus from scapegoating, gains loyal ally for future missions
---
#### Challenge 5: Encoding/Decoding (CyberChef Workstation)
**Objective:** Decode encoded ENTROPY communications and recovery instructions
**Encoding Types:**
1. **Base64 (Reinforced from M1):** Ransomware note header
2. **ROT13 (NEW):** Recovery instructions
**Challenge 1: Base64 Ransomware Note**
**Encoded Message (found on infected terminal):**
```
WU9VUiBQQVRJRU5UIFJFQ09SRFMgQVJFIEVOQ1JZUFRFRC4gNDcgUEFUSUVOVFMgT04gTElGRSBTVVBQT1JULiAxMiBIT1VSUyBPRiBCQUNLVVAgUE9XRVIuIFBBWSAyLjUgQlRDIFRPIFtXQUxMRVRdIE9SIFdBVENIIFRIRU0gRElFLiAtIFJBTlNPTVdBUkUgSU5DT1JQT1JBVEVE
```
**Decoded Message:**
```
YOUR PATIENT RECORDS ARE ENCRYPTED. 47 PATIENTS ON LIFE SUPPORT. 12 HOURS OF BACKUP POWER. PAY 2.5 BTC TO [WALLET] OR WATCH THEM DIE. - RANSOMWARE INCORPORATED
```
**In-Game Context:**
- Found on infected hospital terminals (screens showing ransomware splash)
- Player uses CyberChef workstation in server room to decode
- Agent 0x99: "ENTROPY loves Base64 for quick obfuscation. Same decoding process as Mission 1."
**Educational Reinforcement:**
- Players practiced Base64 in M1 (whiteboard messages)
- M2 reinforces skill in new context (ransomware note)
- Reminder that encoding ≠ encryption (obfuscation, not security)
---
**Challenge 2: ROT13 Recovery Instructions (NEW)**
**Encoded Message (found in Ghost's log file):**
```
SHYY ERPBIREL ERDHERRF BSSYVAR + BAYVAR XRLF—12-UBHE CEBPRFF VS ZNAHNY, VAFGNAG VS ENAFBZ CNVQ. CVGSNYYF: CNVRAG QRNGU EVFX 0.3% CRE UBHE QRYRLRQ. UBFCVGNY JVYY YRNEA GB CEVBEVGVMR PLOREFRPHEVGL.
```
**Decoded Message (ROT13):**
```
FULL RECOVERY REQUIRES OFFLINE + ONLINE KEYS—12-HOUR PROCESS IF MANUAL, INSTANT IF RANSOM PAID. PITFALLS: PATIENT DEATH RISK 0.3% PER HOUR DELAYED. HOSPITAL WILL LEARN TO PRIORITIZE CYBERSECURITY.
```
**In-Game Context:**
- Found in Ghost's operational log (VM challenge reward)
- ROT13 introduction via Agent 0x99 tutorial
- 0x99: "ROT13 is a Caesar cipher—shifts each letter 13 positions. Simple but effective for quick obfuscation."
**Tutorial Integration:**
- Agent 0x99 explains ROT13 when first encountered
- CyberChef workstation has ROT13 decoder (select from dropdown)
- Can also solve manually if player recognizes pattern (bonus achievement)
**Educational Value (NEW for M2):**
- **Caesar Cipher Concept:** Substitution ciphers, shift ciphers
- **Pattern Recognition:** Recognizing encoded text (vowel patterns, letter frequency)
- **Historical Cryptography:** ROT13 used in forums, newsgroups (obfuscation, not security)
**CyBOK Alignment:**
- **Applied Cryptography:** Classical ciphers, encoding vs. encryption distinction
- **Adversarial Behaviours:** Obfuscation techniques
---
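Review bot: The ROT13 ciphertext under "Challenge 2: ROT13 Recovery Instructions" does not decode to the plaintext printed beneath it. Three words are mis-encoded: `ERDHERRF` decodes to REQUREES, `CNVRAG` to PAIENT and `QRYRLRQ` to DELEYED, so a player who pastes the message into the CyberChef workstation sees typos the design does not intend. Replace them with `ERDHVERF`, `CNGVRAG` and `QRYNLRQ`, and consider generating the ciphertext from the plaintext at build time so the two cannot drift. The Base64 ransom note earlier in this section decodes to its stated plaintext as written.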
### In-Game Challenge Integration Summary
| Challenge | New/Reinforced | Difficulty | Educational Value | CyBOK |
|-----------|----------------|------------|-------------------|-------|
| Patrolling Guards | NEW | Easy-Medium | Physical security patterns | Physical Security, Human Factors |
| PIN Cracking Safe | NEW | Medium (clue-based) | Investigation, physical access | Human Factors, Physical Security |
| Lockpicking | Reinforced | Easy-Hard (4 locks) | Physical access control | Physical Security |
| Social Engineering (Marcus) | Reinforced | Easy (stressed target) | Crisis psychology, trust exploitation | Human Factors |
| Base64 Decoding | Reinforced | Easy | Encoding concepts (from M1) | Applied Cryptography |
| ROT13 Decoding | NEW | Easy-Medium | Caesar ciphers, pattern recognition | Applied Cryptography |
---
## Hybrid Challenge Correlation (Physical + Digital)
### Correlation Requirement 1: Password Hints → SSH Access
**In-Game:**
- Social engineer Marcus for password patterns
- Find sticky notes in Marcus's desk (lockpicking required)
- Clues: "Emma2018", "Hospital1987", "StCatherines"
**VM Challenge:**
- Use Hydra or manual SSH attempts with password variations
- Try combinations: emma2018, Emma2018, stcatherines1987, etc.
- Success: SSH access granted
**Educational Value:**
- Correlation teaches that physical access (desk notes) aids digital access (SSH)
- Realistic attack chain: physical reconnaissance → credential guessing
---
### Correlation Requirement 2: VM Flags → Physical Safe Location
**VM Challenge:**
- Exploit ProFTPD, navigate filesystem
- Find Ghost's operational log
- Log mentions "offline backup keys in emergency equipment storage"
**In-Game:**
- Submit flag at drop-site terminal
- Agent 0x99: "That log mentions a physical safe in emergency storage. Find it!"
- Navigate to emergency storage room (guard patrol in the way)
- Locate safe with offline backup keys
**Educational Value:**
- Digital intelligence leads to physical location
- Hybrid investigation requires both VM skills and in-game navigation
---
### Correlation Requirement 3: Physical Clues → PIN Solution
**In-Game:**
- Find visual clues: Hospital founding plaque (1987), Dr. Kim's sticky note ("founding year")
- Crack PIN: 1987
- Retrieve offline backup key (USB drive)
**VM Challenge:**
- Already have online backup key from exploitation
- Need BOTH keys for complete recovery
**Combined Resolution:**
- Digital key (VM) + Physical key (safe) = Complete decryption capability
- Demonstrates real-world backup procedures (offline keys for ransomware protection)
**Educational Value:**
- Airgapped backups protect against ransomware (best practice)
- Physical security (safe) complements digital security (encryption)
- Real incident response requires both physical and digital access
---
## Challenge Difficulty Progression
### Comparison to Mission 1
| Aspect | Mission 1 | Mission 2 | Progression |
|--------|-----------|-----------|-------------|
| **Locked Doors** | 2-3 (Easy-Medium) | 4 (Easy-Hard) | +1-2 locks, harder difficulty |
| **Social Engineering** | Maya (cautious) | Marcus (desperate) | Easier target (tutorial reinforcement) |
| **Encoding Types** | Base64 only | Base64 + ROT13 | +1 encoding type (skill expansion) |
| **Stealth Mechanic** | None | Patrolling guards | NEW mechanic (beginner-friendly) |
| **Puzzle Mechanic** | None | PIN cracking safe | NEW mechanic (investigation-based) |
| **VM Complexity** | SSH basics | SSH + ProFTPD exploit | +1 exploitation step |
| **Time Pressure** | None | Narrative urgency | Emotional pressure (no hard timer) |
### Beginner-Friendly Features (Maintained from M1)
- ✅ Infinite retries on lockpicking (no lockouts)
- ✅ Forgiving stealth (warning before consequences)
- ✅ Hint system (Agent 0x99 provides guidance)
- ✅ Multiple solution paths (can avoid guards, use PIN cracker device)
- ✅ No instant failure states (can recover from mistakes)
- ✅ Clear objectives (always know what to do next)
### Skill Progression Philosophy
1. **Introduce 2 new mechanics** (guards, PIN puzzle) with tutorials
2. **Reinforce 3 M1 mechanics** (lockpicking, social engineering, encoding)
3. **Slightly increase difficulty** (more locks, new encoding type, VM exploit)
4. **Maintain accessibility** (forgiving failure, hints, fallback options)
5. **Reward mastery** (perfect path for advanced players: never detected, all LORE found, no hints needed)
---
## Educational Objectives by CyBOK Area
### Malware & Attack Technologies (Primary Focus)
**Learning Objectives:**
- Understand ransomware behavior (encryption, ransom demands, time pressure)
- Recognize service vulnerabilities (ProFTPD CVE-2010-4652)
- Identify backdoor mechanisms in compromised systems
- Practice vulnerability exploitation techniques
**Challenges Teaching This:**
- VM: ProFTPD backdoor exploitation
- In-Game: Analyzing ransomware note, Ghost's manifesto (LORE)
- Hybrid: Understanding how ENTROPY deployed ransomware via FTP vulnerability
**Assessment:**
- Player successfully exploits ProFTPD backdoor
- Player can explain how ransomware encrypted systems (debrief question)
- Player identifies vulnerability chain (FTP → ransomware deployment)
---
### Incident Response (Primary Focus)
**Learning Objectives:**
- Practice incident response procedures (isolate, recover, document)
- Understand backup importance and recovery strategies
- Make triage decisions under time pressure
- Recognize incident containment vs. eradication trade-offs
**Challenges Teaching This:**
- In-Game: Ransom payment decision (triage: fast vs. safe recovery)
- VM: Locating backup systems, assessing recovery options
- Hybrid: Correlating digital evidence (logs) with physical evidence (offline backups)
**Assessment:**
- Player makes informed decision on ransom payment (weighs pros/cons)
- Player locates backup systems (both online and offline)
- Player understands why offline backups protect against ransomware
---
### Applied Cryptography (Primary Focus)
**Learning Objectives:**
- Understand symmetric encryption (AES-256 ransomware)
- Recognize encryption key recovery procedures
- Distinguish encoding (Base64, ROT13) from encryption
- Practice decryption key management concepts
**Challenges Teaching This:**
- In-Game: Decoding Base64 (obfuscation) vs. decrypting ransomware (encryption)
- In-Game: ROT13 Caesar cipher introduction
- VM: Finding encryption keys, understanding key recovery
- Narrative: Ghost's manifesto explains AES-256 encryption choice
**Assessment:**
- Player successfully decodes Base64 and ROT13 messages
- Player can explain encoding vs. encryption (debrief question)
- Player understands why two keys needed (online + offline backup strategy)
---
### Human Factors (Secondary Focus)
**Learning Objectives:**
- Recognize social engineering tactics during crisis
- Understand psychological vulnerability (stress, guilt, fear)
- Practice empathy-based social engineering (Marcus)
- Identify predictable human behaviors (PIN selection)
**Challenges Teaching This:**
- In-Game: Social engineering stressed Marcus
- In-Game: PIN puzzle (humans use predictable dates: founding year, birthdays)
- Narrative: Hospital leadership ignored warnings (institutional human factors)
**Assessment:**
- Player successfully social engineers Marcus for password hints
- Player deduces PIN from human behavior patterns
- Player understands how crisis affects judgment (Marcus desperate = easier target)
---
### Physical Security (Secondary Focus)
**Learning Objectives:**
- Understand patrol patterns and timing
- Practice lockpicking and physical access control
- Recognize airgapped backup importance (offline safe)
- Assess physical security measures (locks, guards, safes)
**Challenges Teaching This:**
- In-Game: Patrolling guards (timing-based stealth)
- In-Game: Lockpicking multiple doors (access control)
- In-Game: PIN safe (secure physical storage)
**Assessment:**
- Player successfully navigates past guards
- Player lockpicks required doors
- Player understands why offline keys stored in physical safe
---
### Systems Security (Secondary Focus)
**Learning Objectives:**
- Practice Linux command line navigation
- Understand file permissions and privilege levels
- Recognize network service vulnerabilities (FTP)
- Identify backup system architecture
**Challenges Teaching This:**
- VM: Linux filesystem navigation (cd, ls, cat, find)
- VM: SSH and FTP service interaction
- VM: Privilege escalation concepts
**Assessment:**
- Player successfully navigates Linux filesystem
- Player exploits service vulnerability (ProFTPD)
- Player locates backup files via command line
---
## Difficulty Scaling Options
### For Struggling Players (Accessibility)
**Agent 0x99 Hints (Progressive):**
1. After 3 failed lockpicking attempts: "Take your time. Tension wrench steady, pick probe gently."
2. After guard detection: "Watch the guard's route. They repeat the same pattern every 60 seconds."
3. After 3 wrong PIN attempts: "Safe combinations often use significant institutional dates. Check historical markers."
4. If stuck on Base64: "Remember Base64 from Mission 1? Same principle. Use CyberChef."
5. If stuck on ROT13: "This looks like a Caesar cipher. Try ROT13 in CyberChef."
**Fallback Options:**
- PIN Cracker Device (brute force safe if puzzle too hard)
- Alternate paths (avoid guards via different routes)
- Marcus provides keycard (if high trust, skip lockpicking server room)
**No Punishment:**
- Infinite lockpicking retries
- Guard detection = warning, not failure
- Wrong PIN attempts don't lock safe
---
### For Advanced Players (Challenge)
**Perfect Path Requirements:**
1. Never detected by guards (complete stealth)
2. All 4 doors lockpicked (no skipping)
3. All LORE fragments found (3 total)
4. PIN solved on first attempt (no brute force device)
5. All encoding challenges solved without hints
6. Marcus protected from scapegoating (mid-mission intervention)
7. Both moral choices made with full information
**Additional Challenges:**
- Speed run option (complete in <40 minutes)
- No hints (Agent 0x99 provides minimal guidance)
- Discover Ghost's operational details (trace IP, identify relay point)
**Rewards:**
- Achievement: "Ghost Hunter" (perfect stealth)
- Achievement: "Code Breaker" (all encoding challenges, no hints)
- Achievement: "Ethical Hacker" (protected Marcus, optimal choices)
- Bonus LORE fragment (Ghost's identity hint for M6-M7)
---
## Common Mistakes & Mitigation
### Mistake 1: Players Don't Find PIN Clues
**Symptom:** Players stuck at safe, can't deduce 1987
**Mitigation:**
- Multiple clue types (visual plaque, document sticky note, NPC dialogue)
- Agent 0x99 hint after 3 failed attempts
- PIN cracker device as fallback (find in emergency storage)
- Tutorial during first safe encounter: "Look for environmental clues"
---
### Mistake 2: Players Frustrated by Guard Patrols
**Symptom:** Players repeatedly detected, feel stuck
**Mitigation:**
- Forgiving detection (warning first, no instant failure)
- Predictable 60-second pattern (easy to learn)
- Visual/audio cues (minimap, radio chatter)
- Alternate paths (multiple routes through hospital)
- Agent 0x99 tutorial on first encounter
---
### Mistake 3: Players Skip Social Engineering, Miss Password Hints
**Symptom:** Players try random SSH passwords, get frustrated
**Mitigation:**
- Marcus provides hints voluntarily (first conversation)
- Sticky notes visible on desk (physical clues)
- Agent 0x99 reminder: "Talk to Marcus. He knows the password patterns."
- Eventually provides partial hint if player stuck
---
### Mistake 4: Players Don't Understand Ransom Dilemma
**Symptom:** Players pick ransom option without considering consequences
**Mitigation:**
- Both options presented clearly (Agent 0x99 explains pros/cons)
- Ghost's arguments shown (persuasion attempt)
- Time to consider (not rushed decision)
- Debrief validates both choices (no "wrong" answer)
---
## Playtesting Priorities
### Critical Testing Areas
1. **Guard Patrol Balance:**
- Is 60-second pattern too fast? Too slow?
- Is detection radius fair?
- Are alternate paths discoverable?
- Test with beginner players (first time)
2. **PIN Puzzle Accessibility:**
- Can players find founding year clue?
- Is red herring (Emma's birthday) too confusing?
- Do players discover PIN cracker device?
- Test with players who struggle at puzzles
3. **Ransom Choice Presentation:**
- Do both options feel equally valid?
- Is Ghost's persuasion too strong? Too weak?
- Do players feel rushed? Or too much time?
- Test emotional impact (do players care about patients?)
4. **VM Challenge Difficulty:**
- Is ProFTPD exploitation clear from hints?
- Are Linux commands intuitive for beginners?
- Do players understand flag submission process?
- Test with players new to Linux
5. **Overall Pacing:**
- Does 12-hour narrative deadline create urgency without stress?
- Is 50-70 minute target realistic?
- Do players feel rushed? Or bored?
- Test complete playthrough with timer
---
## Technical Implementation Notes
### VM Integration
**SecGen Scenario Configuration:**
- Use "Rooting for a win" scenario as-is (no modifications)
- Configure flag mapping:
  - `flag{ssh_access_granted}` → Task ID: submit_ssh_flag
  - `flag{proftpd_backdoor_exploited}` → Task ID: submit_exploit_flag
  - `flag{database_backup_located}` → Task ID: submit_backup_flag
  - `flag{ghost_operational_log}` → Unlock LORE fragment
**Drop-Site Terminal:**
- Located in server room (requires lockpicking)
- Terminal interface: Text input for flag submission
- Validation: Check flag against VM scenario flag list
- Feedback: Success message + Agent 0x99 commentary
- Unlock: Trigger objectives (#complete_task:submit_flag_id)
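
One way the drop-site validation step could work, as an added example that is not the project's own code: it normalizes pasted input, rejects malformed or unknown flags, ignores replays, and returns the objective trigger. The flag strings and task IDs are the ones listed above; `LORE_GHOST_LOG`, `createTerminal` and the result fields are hypothetical names.

```javascript
// Added example. Flag strings and task IDs come from the flag mapping above;
// LORE_GHOST_LOG and every function/field name here are hypothetical.
const FLAG_ACTIONS = new Map([
  ['flag{ssh_access_granted}',         { kind: 'task', id: 'submit_ssh_flag' }],
  ['flag{proftpd_backdoor_exploited}', { kind: 'task', id: 'submit_exploit_flag' }],
  ['flag{database_backup_located}',    { kind: 'task', id: 'submit_backup_flag' }],
  ['flag{ghost_operational_log}',      { kind: 'lore', id: 'LORE_GHOST_LOG' }],
]);

// Bounded format check so arbitrary pasted text never reaches the lookup.
const FLAG_FORMAT = /^flag\{[a-z0-9_]{1,64}\}$/;

function createTerminal() {
  const accepted = new Set(); // flags already credited in this session

  return {
    submit(rawInput) {
      if (typeof rawInput !== 'string') return { ok: false, reason: 'malformed' };
      const flag = rawInput.trim(); // players paste with stray whitespace/newlines
      if (!FLAG_FORMAT.test(flag)) return { ok: false, reason: 'malformed' };

      const action = FLAG_ACTIONS.get(flag); // exact, case-sensitive match
      if (!action) return { ok: false, reason: 'unknown' };
      if (accepted.has(flag)) return { ok: false, reason: 'duplicate' };

      accepted.add(flag);
      if (action.kind === 'task') {
        return { ok: true, kind: 'task', trigger: `#complete_task:${action.id}` };
      }
      return { ok: true, kind: 'lore', fragment: action.id };
    },

    progress() {
      return { submitted: accepted.size, total: FLAG_ACTIONS.size };
    },
  };
}
```
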
---
### In-Game Systems
**Guard Patrol AI:**
- Waypoint-based patrol route (5 waypoints)
- 60-second loop (12 seconds per waypoint)
- Detection: Proximity circle (5 GU radius) or line-of-sight cone (90° angle, 8 GU range)
- Detection result: Warning dialogue → Player has 5 seconds to hide → If still visible, guard reports (delays mission, no failure)
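
The patrol and detection rules above, as an added sketch that is not the project's own code: position on the 60-second loop, the circle-or-cone test, and the warning grace period. The route coordinates are constructed, all names are hypothetical, and walls are not modelled, so the cone here is purely geometric.

```javascript
// Added example: numeric values come from the notes above; names are hypothetical.
const PROXIMITY_RADIUS = 5;                    // GU
const CONE_RANGE = 8;                          // GU
const CONE_HALF_ANGLE = (45 * Math.PI) / 180;  // 90° cone = ±45° around facing
const GRACE_SECONDS = 5;
const LOOP_SECONDS = 60;
// Constructed 5-waypoint route, not the mission's real layout.
const ROUTE = [{ x: 0, y: 0 }, { x: 10, y: 0 }, { x: 10, y: 10 }, { x: 0, y: 10 }, { x: -5, y: 5 }];

// Guard position and facing at time t (seconds), moving linearly between waypoints.
function guardAt(t, route = ROUTE) {
  const leg = LOOP_SECONDS / route.length;     // 12 s per waypoint
  const phase = ((t % LOOP_SECONDS) + LOOP_SECONDS) % LOOP_SECONDS;
  const i = Math.floor(phase / leg);
  const a = route[i];
  const b = route[(i + 1) % route.length];
  const f = (phase - i * leg) / leg;
  return {
    x: a.x + (b.x - a.x) * f,
    y: a.y + (b.y - a.y) * f,
    facing: Math.atan2(b.y - a.y, b.x - a.x),
  };
}

// True if the player is inside the proximity circle OR inside the vision cone.
function detects(guard, player) {
  const dx = player.x - guard.x;
  const dy = player.y - guard.y;
  const dist = Math.hypot(dx, dy);
  if (dist <= PROXIMITY_RADIUS) return true;   // the circle ignores facing
  if (dist > CONE_RANGE) return false;
  const raw = Math.atan2(dy, dx) - guard.facing;
  const diff = Math.atan2(Math.sin(raw), Math.cos(raw)); // wrap to [-pi, pi]
  return Math.abs(diff) <= CONE_HALF_ANGLE;
}

// patrol -> warned (5 s to hide) -> reported if still visible, else back to patrol.
function stepAlert(state, seen, dt) {
  if (state.phase === 'patrol') return seen ? { phase: 'warned', timer: 0 } : state;
  if (state.phase === 'warned') {
    const timer = state.timer + dt;
    if (timer < GRACE_SECONDS) return { phase: 'warned', timer };
    return seen ? { phase: 'reported', timer: 0 } : { phase: 'patrol', timer: 0 };
  }
  return state; // reported: the mission is delayed, never failed
}
```
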
**PIN Safe Minigame:**
- UI: 4-digit input field with numpad
- Wrong attempt feedback: "Incorrect PIN. Try again." (no cooldown)
- Correct attempt: Safe opens, USB drive added to inventory
- Optional: Visual feedback (tumblers clicking for correct digits)
**CyberChef Workstation:**
- Terminal interface with dropdown menu (Base64, ROT13, Hex, etc.)
- Input field: Paste encoded message
- Output field: Displays decoded result
- Tutorial tooltips for first use
---
## Success Criteria Summary
### Minimal Success (60% Completion)
- Completed VM SSH challenge (1 flag submitted)
- Lockpicked 2 required doors (IT, Server Room)
- Social engineered Marcus for basic hints
- Decoded 1 encoded message (Base64 ransomware note)
- Made ransom decision (either choice valid)
- Avoided guards at least once
### Standard Success (80% Completion)
- Completed 3 VM challenges (3 flags submitted)
- Lockpicked 3+ doors
- Social engineered Marcus successfully (high trust)
- Decoded both encoded messages (Base64 + ROT13)
- Made informed ransom decision (considered consequences)
- Cracked PIN safe (via clues or device)
- Navigated past guards multiple times
### Perfect Success (100% Completion)
- Completed all VM challenges (4 flags)
- Lockpicked all 4 doors
- Social engineered Marcus, protected him from scapegoating
- Decoded all messages without hints
- Made optimal moral choices (both ransom + exposure decisions)
- Cracked PIN on first attempt (deduced from clues)
- Never detected by guards (perfect stealth)
- Found all 3 LORE fragments
---
**Technical Challenges Document Complete**
**Ready for:** Stage 1 (Narrative Structure Development)
**Core Strength:** Balanced introduction of new mechanics (guards, PIN puzzle) while reinforcing M1 skills (lockpicking, social engineering, encoding)
**Key Innovation:** Hybrid clue puzzle (PIN safe requires both physical investigation and pattern recognition)
**Educational Value:** Teaches incident response, ransomware mechanics, and Caesar ciphers while validating exploitation skills via VM