The Matrix Explained, ...sort of... Options Track this topic Email this topic Print this topic Download this topic Subscribe to this forum Display Modes Switch to: Outline Standard Switch to: Linear+

[Fortune]

Definitely looking forward to more. As I said before, this is all very helpful. :)

[JonathanC]

Does Firewall count as a "Matrix Program" for the purposes of being limited by System (which in turn in limited by Response)? Both Firewall and System are listed under "Matrix Attributes", which is why I'm not sure. Does that mean that anyone wanting reasonable security on their commlink has to buy a Fairlight Caliban?

[Fortune]

[noonesshowmonkey]

Hacking, a "How To". Part 1 - Can You Hear Me Now?
Hacking a Commlink

One of the single most common uses of hacking is the unauthorized access of another person's commlink. All manner of mischeif can be had after hacking someone's commlink. But how exactly is this done, what are the variables and what are the significant benefits of doing so?

The Workup:

Example: Grot Harvey is handling the electronic warfare for his team’s run. Their current mission is to find a kidnapped researcher and, if possible, determine who was behind the kidnapping plot. Their team has followed legwork and leads to the Club Inferno in Seattle. Once there, they need to try and find a particular patron amongst the host of patrons, hack his commlink and get access to his call logs, any files on there, and otherwise make some mischief.

Step 1 - Consider Sensitivity:
Sensitivity: Inextricably inter-related with security is sensitivity. How badly does this particular commlink (and person attatched to it) not want to be found? What would motivate them to stay hidden in such a way? Are they of particular network significance - which is to say, if you hack their commlink, are you getting a foothold in a larger and more secure network? All of these factors will contribute to how much Access, Exposure and Security problems you will be dealing with.

Example: Their target is a known human trafficker and interfaces with all manner of underworld contacts. He is not the kind of man who wants to be found easily nor disturbed. Grot presumes that at the very least his commlink will be in hidden mode and will be running encryption. Little other information about the target is known and Grot does not know if he can expect to engage any IC during the hack.

Step 2 - Consider Access and Exposure:
Access: Where is the commlink you intend on hacking? Do you already have its commlink ID? Maybe even the Access ID? Is the target in a public access location where you can readily gain access to it? Is the target commlink running in active, passive or hidden mode and if in the latter, can you find it?

Example: The team has the target’s commlink ID through vigorous amounts of legwork. The target is also known to be in the Inferno club, but what level is unknown. Presuming that the commlink is in hidden mode, they will be able to figure out whether or not the target is running a “dummy� commlink easily if they just arrange a call.

Exposure: Once you have located the commlink, can you find a way to it obliquely? Is that necessary for stealth purposes? Often for commlinks, this will rely on either close proximity or previous working knowledge of the target. If it is known that they operate given electronics or cyberwear, then a hacker can plan to exploit those network-bridged connections.

Example: Grot's team has little information about their target. Other than commcodes, they do not know if he is sporting any slick cyber or bio enhacements, if he is running any whiz gadgets to cover his tracks or has sexy new IC to discourage hacking. Without previous knowledge nor the wish to get too close to their target lest he become aware of the heat, Grot decides on an conventional hack rather than exploiting possible network-bridges between his target's devices and commlink.

Step 3 – Consider Security:
Security: Dependent on the Sensitivity of the information on the commlink, its relative placement in the overall network that it may be connected to and how paranoid the user is, the security for the commlink may be very high or nearly non-existent.

Example: Since their target is a known criminal working in a portion of business that relies on networking, it is probably safe to assume that there is an Encrypt program running on his commlink at the very least, if not a Stealth program as well. The target’s commlink is also likely to have a decent firewall, probably improved over stock models. As for IC, Grot is not sure what to expect but plans for the worst.

The Hack:

Step 1 – Scanning...

Finding the target commlink can range from blindingly easy (you know who and where) to extremely time consuming (you are not sure who or where and must use Scan to locate them).

If the target is in a known location and available for connection (not in hidden mode) skip ahead to Step 3 – Smash…

Dependent on information available, to locate the commlink’s node will require an Electronic Warfare + Scan test. The threshold of this test can vary (pg 225 SR4 corebook).

Conditions such as knowing the commlink ID, access ID or being able to place a call or otherwise create specific activity on the commlink would result in an Electronic Warfare + Scan (4, 1 combat turn) test to find the hidden commlink.

If you know absolutely nothing about the commlink, it must be located amongst general wireless traffic. This can require an Electronic Warfare + Scan (15+, 1 combat turn) test. Dependent on interference, crowding and the comings & goings of other commlinks, the threshold can realistically be 30 or higher.

Step 2 – Hurry Up and Wait

Once the commlink is located, the runners have several options. They can begin a workup for a probed hack, begin surveillance of wireless traffic coming from the commlink or move straight to hacking.

If the time constraints or goals of the runners require speed rather than subtlety, proceed to Step 3 – Smash!

Now that the commlink is located, the runners may set up surveillance on commcalls coming from that device. This requires an Intercept Wireless Signal action as per page 225 of the SR4 corebook. If the Electronic Warfare + Sniffer (3) test is a success, the runners can observe all traffic from the commlink that is of sufficient signal strength to be observed.

Local PAN devices such as the wifi connection between a smartlink and smart-contacts has such a small broadcast range that this sort of traffic requires the hacker to be nearly on top of the target to monitor passively.

Any information broadcast by the commlink may be under the protection of an Encrypt program and must be decrypted as per rules on page 225 of the SR4 corebook.

Step 3 – Smash!

Now that the commlink has been located it is time to hack the sucker. This can be done on the fly or by probing the target as per rules in page 221 of the SR4 corebook.

Often the time constraints of a run will require that the commlink be hacked on the fly rather than after a long work-up period. Being a commlink, if the target leaves the area, turns off his device, enters a wireless secure area or otherwise complicates the hack, the window of opportunity is distinctly variable and often small.

If the hack is successful, the runner has access to the commlink. For purposes of Intercept Traffic (SR4 corebook page 224), the commlink is “compromised� and any actions listed by that heading may be undertaken.

Step 4 – Grab!

So now you have hacked the commlink… now what? Well, you may be attacked immediately by IC that is defending that node. Presuming that the IC are defeated or not present you can have a look around just as you would any node.

These actions include but are not limited to:

• Computer + Analyze for a Matrix Perception test to see what is available on the commlink node, examine a particular program, piece of data or agent etc.
• Computer + Edit to modify or copy data present. This can be followed with a Hacking + Sniffer to insert fake data and send it as if it were from the hacked commlink.
• Hacking + Edit to cover your tracks.
• Decrypt + Response to decrypt any encrypted data.
• Hacking + Defuse to disable a found databomb.

Example Hack On the Run

Example: After spending the better part of an hour looking for their target in Club Inferno, Grot’s team locates their mark on the 6th floor with the help of a contact. Grot casually saunters up and sits down at a pleasure booth to “enjoy some entertainment� from the simsense vendor there. While under the cover of walking the fine line between BTLs and entertainment, Grot beings his work.

Since he knows where his target is and has the commlink’s commcode and is now within signal range, he makes an Electronic Warfare + Scan (4) test to locate the node. Considering the crowding, the comings and goings of the patrons and all of the AR noise in the club, the GM decides to increase the threshold to 8 to reflect the difficulty of finding the node amongst the noise. Grot easily passes the test within a few combat turns and has located his target’s commlink amongst the shuffle and bustle of the club.

Grot sets up surveillance immediately by making an Electronic Warfare + Sniffer (3) test. He is now monitoring commcall traffic that his target makes. Finding outgoing and incoming traffic encrypted, Grot runs his Decrypt software to cut through the electronic security. Setup and ready, Grot begins to probe his target, searching for weakness while not tipping his hand. Before the first hour is up, his mark receives a commcall. It would seem that he will be leaving shortly. Grot needs to work fast.

Tossing aside his preparations, Grot goes on the offensive and smashes his way into the commlink. Making a Hacking + Exploit (target’s firewall, 1 combat turn) test, Grot gets lucky and kicks the door down on the first try with an amazing 5 hits. Now inside, he makes a Computer + Analyze (Matrix Perception) and becomes aware that the Commlink is running Stealth 4, Encrypt 4 and a pilot rating 3 IC agent.

Kicking on his Stealth program, Grot frantically starts searching about while hoping not to get noticed. His target has gotten up from his table and is walking out of the club. Searching with a Computer + Browse he finds call logs, some stored data, and a contacts list. Grabbing the files, he cranks up his Edit program to clean the logs of his passing. Unfortunately his target has entered the elevator and as the doors close, Grot loses his connection. Slammed by dumpshock (5P since he is running hotsim), Grot disconnects. Wiping the blood coming from the corner of his eye, Grot tries to play it Bogart and covers up his pain as shudders of “pleasure� and informs his team that he has their information but it is likely that his hacking was noticed.

Any questions or comments?

- der menkey

"Certainly there is no hunting like the hunting of man and those who have hunted armed men long enough and liked it, never really care for anything else thereafter."
~ Ernest Hemingway

[Syonyde]

...This thread is absolutely beautiful. This answers so many questions for me and my group. We all recently started and with me as the hacker, I have had no clue on what is going on so far. Our only 2 runs dealt with me monitoring a camera on a train (Which shouldn't have been possible, the train was probably out of range for me.) and taking care of some drones (My actual first use of Hacking/Spoof).

I do have a few questions that have been floating around in my head.

1. How hard would it be to make a backdoor into a system. While it may not be very useful for corp computers, it would be nice for getting access to drones that are very rarely scanned for abnormalities. (Those used by gangers anyways.)

2. Is it possible to rank up your access rights after entering a system?

You have contributed quite a bunch, if i were as good as my hacker kinda is, I'd give you a few accounts for your good deeds.

[Cadmus]

The problem is no one can real be told what the Matix is.

[noonesshowmonkey]

In response to questions about Backdoors and their availability in other systems:

The "Backdoor" that is created by a successful Probe hack is a route (as opposed to the gunshot wound of a Hack on the Fly) into that node. If the node is a computer terminal, file server, engine computer, traffic light, roto-drone, refrigerator or commlink, the backdoor remains as a route to gain access in the future. The backdoor remains open as long as the system remains in the vulnerable state that the hacker is exploiting. Once a system is aware that it has been compromised, security measures will be taken such as raising alert levels and dispatching IC, but also in closely examining the network infrastructure to locate, prevent and close vulnerabilities.

Security conscious hackers will not want to re-use established backdoors on systems that have any reason to believe they have been hacked. The sledgehammer of corporate security may be too slow to catch many fast moving runner's on their first acts of thievery, but when the hammer falls, it falls hard. If there is any reason for a corp to believe they have been compromised on site, in the matrix, amongst personnel etc. the corp is most likely to respond with overwhelming (if ponderous) security measures such as fresh background checks, a full network security scan, a consultant checkup of their on-site security.

**********

In response to questions about ranking up access permissions once hacked into a node:

It is certainly possible for a hacker to increase their permissions once inside of a node. Though the core book does not provide rules for this that I know of or can remember. The following is created by me and not backed up by any of the corebook's rules, though it is an extension of them:

Increasing privileges once inside a node:
Once a hacker is inside a node, they may increase the privileges they had attained in their initial entry. This is accomplished by a new Hacking + Exploit (system's firewall +3 or +6, 1 combat turn or 1 hour) check. Attempting to gain security level access results in a +3 to the threshold. Admin access requires an additional +6 hits. If the interval for the check is one combat turn, the system gets an Analyze + Firewall vs the hacker's full Stealth program per turn of hacking. If the interval is one hour, the system gets a single Analyze + Firewall vs the hacker's full Stealth program to detect illicit activity.

A hacker can spend time researching the network and observing users before attempting to hack further privileges. Should the hacker be unable to piggy-back another user, snatch passcodes by monitoring traffic etc. the hacker can make an appropriate Matrix Knowledge check against a threshold of the target node's System. Any net hits give the hacker bonus dice for his hacking attempt. The following is a continuation of the above rules:

Example: LoCoPyRo is hacking a NovaTech research lab and has gotten access as a wage-slave with basic permissions. Taking the opportunity to snoop around for a few hours, PyRo is unable to get any passcodes (the node is running a really whiz encrypt program and its IC are actively scanning for illegal decrypt programs). Deciding he has become bored with the online cubicle farm, Pyro sets himself to the task of hacking further privileges. Due to PyRo's rather long immersion in the network and the very inquisitive scans he has made, the GM awards an additional 3 dice for competency to PyRo's knowledge check. Making a Network Design knowledge test, he gets 6 hits. The node's system is rating 3 and PyRo nets 3 successes over the node's system (6 hits - System 3 = 3 net hits). Making his next Hacking + Exploit for new privileges, PyRo is awarded an additional 3 dice.

***

Essentially, I would require a fresh hacking attempt on the part of the hacker to gain further privileges. The advantage of attempting this from inside of a system should be rather obvious: the hacker can research the network's structure, observe user's at work and otherwise gain very useful working knowledge of the system to aid in their hacking, awarding bonus dice if a hacker actively investigates the node.

I hope this helps.

- der menkey

"Certainly there is no hunting like the hunting of man and those who have hunted armed men long enough and liked it, never really care for anything else thereafter."
~ Ernest Hemingway

[Syonyde]

If you guys would not mind, I would like to try to summarize what happened last session that pertained to hacking. Any comments would be marvelous.

Anyways, there we were, scoping out a ganger hideout that Ares decided not to deal with. Buncha losers if you ask me. Anyways, our face and troll infiltrated the base with the face's fast talkin', good thing too, our troll is only for hostile negotiations anyways. While the party was goin on, I was scoping out the Wifi works, finding 6 spots moving around and a central high security node. Really nifty setup if I say so myself.

I made an extended Detect Wireless Node, since no one was running stealth I found them all pretty easily. The High Security Node was a relay point for the 6 Steel Lynx-Type Drones under the gang's possession. I hacked into the Secure Node and found the program coordinating the drone information, I logged out and left, forgetting to erase the logs, although my GM didn't notice.

The Ninja decided to wriggle through the sewers to take out the leader. Silly supposedly stealth ninjas blowing holes through the floor. He got to encounter the motion activated drones. I guess they were expecting someone to hack them. No clue why a bunch of gangers would drop drones in the sewers for a party. Eh.

The drones were motion activated, so I couldn't actively hack in, and since they weren't online, the backdoor I left earlier failed (Hacking+Exploit(Firewall+System) 1 Turn.

Push came to shove, and after blowing a hole into the basement, one of the drones finally activated, my chance to shine was here. The leader was about to taste some full auto lead.

I used my first Init pass to hack the drone for user access, my second init pass was to spoof a command to fire at the ganger.

While in Hindsight I shouldn't have fired full auto like a moron, I still did what I had to do. After messing that one up, I decided to try to light him up one more.

I discussed attempting to hack up access so I didn't have to spoof all the damn time, but seeing as how if the drone didn't finish him off, the ninja would. I used another spoof command, this time the GM critical glitched, so I got full ownership of the drone. Worked out to my advantage.

After the explosion, Ares started coming out of the woodwoork, backing up the gang for some reason. Eh, corps suck. After excavating the drone, I realized that they probably have this thing being tracked. Can't have it broadcasting our location and everything.

The GM ruled that we just disconnected it's NIC or 2070 counterpart and got out of there scott free. I would have thouht to make a hardware test to remove it quickly, since time is of the essence.

5 Hits of Long Haul, a new drone, and causing a few hundred-thousand nuyens worth of damage, all in all a good run I'd say.

[virgileso]

If a commlink is hacked into, what are the methods of detection. Does it only have the one test (assuming you hack in in your first attempt)? If it wants more security, can a system have a guard dog agent basically get to look three times a Turn (since Agents get three IP); and if so, is there anyway to slow it down?

[Eleazar]

[virgileso]

So every attempt to hack in, and every attempt to actually do something once you're inside the system grants the commlink an Analyze + Firewall test; its hits slowly culmating into a total that beats the threshold? If that's the case, a maximum security node (firewall & analyze of 6), could just buy hits and be guaranteed to detect ANY intruder by their second hacking action.

[DireRadiant]

[noonesshowmonkey]

[virgileso]

So a single Beagle Probe agent would be almost guaranteed to find any intruder within a Combat Turn (two max), assuming it had Analyze at 4 (one IP for stealth, two IP for scanning)?

[noonesshowmonkey]

[Syonyde]

Another idea I had, I have a mechanical cat that I have loaded with an agent. My whole purpose to have the cat is as a hacking buddy. Between the both of us, could we co-ordinate hacking attempts when breaking in? I know that if it runs solo it can be traced back to me, and that is one hell of a flaw.

The cat agent rating is 4, so it would be rolling 8 dice. The cat is the weakest link though, so it would probably be able to find me through the agent.

Also, on a side note, do agents get the +2 to Matrix Actions since they get the +3 IP of hot sim?

[knasser]

[noonesshowmonkey]

Since what you explained, Knasser, is basically the method I use for GMing matrix encounters, I guess I was very unclear in my explanation of the Agent, its uses etc. Also, criticism is exactly what this thread is about. Just as long as it leads to an answer that is useful to players. ;)

Because every hacker worth their salt runs the fattest Stealth program you can get and every matrix perception test made by the IC is opposed, I generally abstract the whole deal.

Essentially, the Beagle Probe gets a scan at your Persona when you hop into the node publically and it checks you out. If you sneak in, the Beagle is sniffing around trying to find any activity, essentially buying hits at a rate that allows me to nudge a player along if he spends 10 to 20 some odd turns in a node. If an alert has been raised and the Probe is searching for a user that is a known illicit hacker, I begin making dice checks immediately, requiring opposed checks be made. Since its Hacking + Stealth, I consider it an active attempt on the part of the hacker and run it similar to a Misdirect action - ie it requires an action to do. This bleeds precious actions from the hacker, further intensifying the dramatic action in the scene. Very Silent Hunter.

Does that make a bit more sense?

The buying hits diagram was simply to explain how an Agent goes about various methods and modes of detection. If left to its own devices, scanning 3x times a round and a player only spends 1 phase on a misdirect, eventually the Agent catches up in hits. Abstracting the math a little bit, the turns given earlier show up regularly in play doing it the way I do it. The biggest question is how alert the agent and node are and how much information to track or locate the intruder they have.

Thanks fer the clarifications and the compliments.

- der menkey

"Certainly there is no hunting like the hunting of man and those who have hunted armed men long enough and liked it, never really care for anything else thereafter."
~ Ernest Hemingway

[noonesshowmonkey]

Hacking and Tracking implications of the Commlink and Access ID

When hacking around in the Matrix a hacker will leave a long datatrail behind, showing all of the connections they have made, login attempts, password successes and failures etc. The residual fallout from their latest hack will be left in the settling dust of kicking down a firewall (massive spamming of various servers in a strong-arm attack) or in a more subtle mis-match of access codes or passwords and other such matrix trickery.

Whenever a hacker or organization wishes to track a given matrix user, one of their primary methods of recourse is to track a commlink ID. Most corp employees are issued a commlink ID upon hire and will have a periodic update and change to the ID by the corporate IT and security staff. Depending on the level of exposure a commlink ID has to being hacked or otherwise compromised, there is little reason for most matrix users to change the ID even if they knew how.


What is gained by obtaining and tracing a Commlink ID

Commlink IDs are the exterior of most day-to-day matrix traffic for the average user. As a result, they leave their digital "fingerprint" on nearly every piece of data they touch and interact with. Your commlink ID gives a handshake to the WAN at the local Stuffer Shack as you walk through the sliding double doors to get your morning coffee. The same ID says "hello, I'd love my regular coffee with double cream" to the coffee machine. As you drive your car to the corporate lot, the same ID broadcasts to the security gate to let you in. Essentially, the commlink ID is engaged in regular and mundane tasks that are closely related to the use of the SIN.

Further, a commlink ID can provide a triangulated position on that commlink as it moves from network to network and connects to larger WANs to do general matrix functions such as making a commcall.

Tracking and hacking a commlink ID can lead to a SIN lookup and a SIN lookup can lead almost anywhere. For a bit of information about the implications of a hacked SIN, check Serbitar's Guide to Paranoia, page 6-7.

Getting a commlink ID does not just give a hacker a SIN or loads of information. It does, however, allow a hacker to develop an indepth target profile of where that ID goes and when, what networks the ID interacts with and how it interacts with them... It is a foot in the door, so to speak.


What can be obtained by hacking the Access ID

Acting as the physical, device address, the Access ID is the most literal "fingerprint" that is left behind by a digital interaction. A commlink ID changes rather regularly and can be switched in a matter of moments... Many users maintain several commlink IDs, perhaps even simultaneously. Any commlink ID, however, must eventually funnel data back to that user's device (their commlink or what have you). Because of this simple fact any transaction that occurs carries with it routing information that points back to the unique physical device used to carry out said transaction. This can be an incredibly useful bit of information. Due to the vastly more time consuming and niche skill requirements associated with changing an Access ID, the Access ID can be used forensically to identify exactly who it was that perpetrated a given action.

Since a commlink ID is essentially software and can be changed regularly, the access ID provides a slightly longer and more detailed tracking method. Total exposure for an Access ID is a bit higher than that of the Commlink ID. With an Access ID, there is far more power available to a hacker than simply the software commlink ID... Consider an Access ID akin to something like a SIN for computers - something that is required and logged for nearly any transaction of note or importance.

- der menkey

"Certainly there is no hunting like the hunting of man and those who have hunted armed men long enough and liked it, never really care for anything else thereafter."
~ Ernest Hemingway

[deek]

[noonesshowmonkey]

"Ed's got DATA!" - Traceroute's and You

When working as a 2nd Story Man (2nd Data-Layer Hacker?) a hacker comes accross all kinds of information. Eventually a hacker will be called upon to perform one of the most important kinds of legwork: finding someone. Further, a hacker's worst nightmare is the inverse of this situation: being found.

The Hotroute – Traceroutes Mid-Hack
Hackers get made; it is the rule of the matrix. When you live in binary, you understand that your chances of getting found are 50/50 – 1 and 0. Once a hacker has become compromised during a hack a common tactic is to deploy IC with the Black Hammer line of attack programs to jam the connection open and perform a hotroute – tracing the hacker while their connection is still open. The SR4 Core Rules provide ample explanation of how to perform such a trace and the methods of spoofing such an attempt.

Example: Proto's team is in the midst of a smash-and-grab on a Mistuhama facility and the team hacker, PyRo, is trying to bust into a local database and steal some shipping and routing information. All hell breaks loose and Proto is soon hacking guards apart with arm spurs and emptying magazine after magazine trying to keep PyRo's back clear. Things are not All Quiet on the Digital Front, however, and PyRo is battling for his life against a pair of IC. From the moment he noticed the IC, PyRo has been actively spoofing his connection but when a Black Hammer blow jams the connection open PyRo knows that he must crash the IC before he can make his getaway.

General spoofing of the datatrail during a matrix hack or in matrix combat is representative of tactical concealment – actively working in real time to keep IC and the like from finding you. This equates to the use of Active skills.


Coldrouting – Long-term Tracking
A slick hacker slides in and out without anyone being the wiser. A good Corp Spider knows that if he misses his prey today, he may be able to find him later and on more... amenable terms. Coldrouting is performing long term matrix searches using whatever data is available. Sometimes a cold lead may start with just knowing that a hack has been performed and working matrix forensics to find out where, when and how that hack took place to eventually find out whodunnit. Working a Coldroute involves performing sweeping Searches, preferably using bots and/or a large hacker staff, to locate the next clue that will eventually lead to the target.

The primary advantage of a Coldroute is that the target is not necessarily aware that the trace is being run... Being “cold�, the “heat� is not felt until the last minute. Starting with as little information as where or when a hack took place a coldroute relies on finding key information like the Commlink ID or Access ID used in the hack. Commlink ID's change regularly but can be used to establish a profile on the target that can lead to other, more fruitful information. Access ID's generally provide more meaty information due to the difficulty in changing the hardware address. Using either form of identification, a hacker running a coldroute can start checking various financial databases, public search engines and datalibraries etc. for any transaction that conforms to the target profile. If the target was sloppy or simply unaware, routing information can come up quickly that can lead to the target.

NOTE: The following are rules completely made up by myself and are in no way considered “canon�, RAW, are not chiseled in Hebrew on tablets of stone or any other such nonsense. As such, they may not be balanced or fit in your game. They are merely suggestions and examples of how to resolve a given conflict within SR4 using methods inspired by the game itself.

Performing a Coldroute
Cold routing begins with a point of exposure (see earlier posts about network security and “exposure� - a point where man and machine meet and mistakes can be made, data changes hands and a hacker or target reveals themselves in a notable fashion.

To perform a Coldroute a hacker must make an extended Logic + Datasearch test (variable time interval, variable threshold) against a threshold determined by the GM.

Coldrouting Threshold
A good base threshold for a long term test such as a Coldrouting is around five. Use whatever is appropriate. The following modifiers may apply:

Target was and is actively attempting to obscure their datatrail ..+2
Target is “off the grid� ............................................................+2
Target is “on the grid� ............................................................-2
Target maintains high security ................................................+1-3

Being “on the grid� relates to having regular interactions with the Matrix in a civilian form. This includes regularly making financial transactions at common and low security points of sale (Stuffer Shack, a fuel-cell station, telecom and other bills etc.), regular use of civilian datamanagement points such as Public Transportation Networks and other blatantly unsecure and commonplace networking.

A target that is “off the grid� is taking a step backward in time and eschewing the digital amenities of the 2070s. To truly be “off the grid� would require that a commlink be off or in a “deadzone�, that no digital transactions take place whatever and generally staying away from anything that plugs into the wall or requires batteries. Needless to say it is both very difficult and extremely inconvenient. Generally, the most common methods of falling “off of the grid� involve going native in the mountains, taking a long vacation in the Barrens or “going under� and descending into the old sewers and subway lines under Seattle. All three can be extremely dangerous.

High security implies that the target is either a skilled hacker that maintains good “best practices� such as keeping a good encrypt program running constantly. Generally for most non-prime runner targets, high security equates to having a dedicated security team that includes a hacker.

Actively obscuring datatrail has multiple effects on a Coldroute. The most direct example of obscuring a datatrail is either hiding in plain sight by navigating through public access domains that manage so much traffic that locating a single user is a monumental task or using such arcane and rare methods of entry that only a select few even know about them.

To successfully perform nearly any of these acts would require use of an appropriate Matrix Knowledge skill.

Coldroute Interval
How long a coldroute takes is relative to how much knowledge the searching party has about their intended target. The interval for a coldroute is relative to the amount of information available on the target and how fresh that information is.

The base interval is 24 hours. The following conditions can change the interval:

Known Access ID ....................................................30 hour base
Known Commlink ID ................................................36 hour base
Known Access ID and Commlink ID ...................12 hour base

Working Knowledge of Point of Intrusion .....................-2 to 8 hours
High Access ..............................................................-1 to 4 hours
Greater Access .........................................................-2 to 8 hours
Target actively running Encrypt ...................................+2 hours * rating

Intervals for these checks are subject to any changes necessary as deemed by the GM. If the pace of the game demands shorter intervals, halve or even quarter the listed values.

Knowing the Access ID and/or the Commlink ID is generally the first step in a Coldroute. These bits of information are considered the baseline interval.

Working Knowledge of the Point of Intrusion is applied most directly to forensic Matrix investigations. If a internal employee of a hacked corp manages the investigation, their working knowledge of the inner structure of their corp's network provides significant advantage in generating leads.

High and Greater Access describe a user that has powerful access levels within a general section of Matrix. Having large amounts of access describes a hacker's ability to quickly (and generally legally) get into and out of large databases and other hubs of information traffic. A .root user in a large corporation with ties to the Telecom industry, an administrator on a large datahaven or a government spider are all examples of users that would have varying degrees of Access that would assist in finding their target.

Total Term
Total term refers to the maximum effective search length. A user that knows that their Access ID and Commlink ID are compromised will take measures to either replace their hardware or spoof the ID. Total term describes most accurately the termination of a search's utility and importance as compared to its expedience. Generally shadowrunners do not work with an indefinite time line and must find something or someone and find them/it fast. There is almost always an expiration date on the payment or utility of finding something or someone – this is the Total Term.

Coldrouting using Contacts & Knowledge
Because coldrouting is a mostly passive practice similar to legwork, knowledge skills and appropriate use of contacts can assist dramatically in the success or failure of a search. If a hacker, or a contact a hacker knows, makes an appropriate Matrix (and sometimes General) Knowledge check, any hits scored add bonus dice to the final Logic + Datasearch check. If a contact is being used, arrangements (ie payment) must be made and they may not contribute more dice than either their Connection or Loyalty (whichever is lower).

Example: D-Bass is trying to find a Novatech employee that just defected to another corp. beginning with the commlink ID and Access ID of the employee's commlink provided by Novatech, his base interval is 24 hours. His target is running a whiz rating 5 encrypt program that bumps D-Bass's interval to 34 hours. Novatech is being extremely helpful in finding their “lost� employee and is allowing D-Bass limited access to their systems which confer “High Access� and “Working Knowledge� and reduces the interval by 8 hours. The final interval is 26 hours.

D-Bass's target is still in the city and will likely remain there for the next 48 to 72 hours, limiting the scope of his effective search to no more than three days. His threshold is a base of 3, -2 for the target still being “on the grid� in the city but +2 for being actively obscured. D-Bass's target was a tech who knows his way around a commlink and has good network security, increasing the threshold by another 2.

Making a Data Havens Matrix Knowledge check, D-Bass gets 3 hits. Using the extra bonus dice D-Bass's final test is a Hits(3) +Logic + Datasearch (5, 26 hours). Looks like D had best be hitting the Matrix and pulling a few all nighters if he has any hope of finding the tech before he skips town...

- der menkey

"Certainly there is no hunting like the hunting of man and those who have hunted armed men long enough and liked it, never really care for anything else thereafter."
~ Ernest Hemingway

[noonesshowmonkey]

As an addendum to the above post about Tracerouts:

As a GM, keep the game moving. The variables to interval and threshold are just suggestions. The list of variables is given with a range of numbers to allow a lot of "play" in determining what the right thing to do is. My intention was to furnish a GM with a basis upon which to agree or disagree...

Buut above all the post is intended to help a GM make their own decisions about handling a traceroute in a timely and effecient manner that keeps the game intense without pulling players out of the "dream" with excessive hand waving.

Always adapt and modify.

- der menkey

"Certainly there is no hunting like the hunting of man and those who have hunted armed men long enough and liked it, never really care for anything else thereafter."
~ Ernest Hemingway

[hobgoblin]

[noonesshowmonkey]

This is not the cyberware you are looking for... Move along... - Hacking Security Devices on the Fly

The shadows are a dangerous place, 'omae. You can bet your ass that if you are not keeping up with SOTA, staying in the latest whiz chrome and the biggest slug throwers you can find, that will be floating face down in the bay before too long. Or just flat broke, which might be worse than flat lined.

The grim reality of the 6th World's streets is that a cyber-samurai must trade significant amounts of cash and humanity to augment their body to levels supra human. They walk the fine line between learning to use weapons and becoming weapons. Like everything designed to kill or maim, a living weapon is tracked, restricted with laws and controlled whenever possible.

One of the most common (and therefore extremely dangerous due to volume of exposure) tasks that a cyber-samurai comes up against is simply the logistics of performing their duties – getting to and from a meet, run, target or even their local stuffer shack and apartment. Never you mind a high class neighborhood or park, an expensive restaurant, or (outer-gods forbid) an airport.

Due to the ubiquitous nature of the Matrix 2.0 and the demands of SINful culture, individuals are expected to broadcast certain information nearly 100% of the time. Some locales are less stringent and will even understand a certain necessity of privacy. All the same, a samurai will come up against a very low-tech and high threat security measure – SIN queries for cyberware backed up by cyberware scanners. A cheap way to thin out the population of murderous thugs that can enter your average mall is to request a manifest of installed cyberware, complete with permits, upon logging into the WAN. Coupling this query with a cyberware scanner can ensure that if an individual's 'ware does not jive with what they are broadcasting, the proper authorities are notified and SWAT / HRT teams can be scrambled.

Seriously. A Samurai sporting spurs, an implant SMG, bone lacing and dermal armor is essentially walking around decked out like a terrorist, special forces operator or general misanthropist at all times. You had better bet your Ares Predator that The Man will hassle (read: shoot first and ask questions later ==> kill) you.

Jedi Hand Waiving and You – A How To

Bypassing security checkpoints will become second nature to a hacker whose team mate is covered in chrome. The first step is to assess the threat level and make up of a security checkpoint.

Generally speaking, a security checkpoint has two elements – one human and one machine. A human guard mans a monitor or kiosk or even walks up to incoming personnel. This meat body is interfaced via commlink or readout to the hardware aspect of the checkpoint – the literal scanners. The good news about the point where man and machine meet is that the human element is often the weakest and electronic devices are brought in to side-step authority and responsibility issues. A human can be bribed but if a machine is constantly broadcasting results that the human cannot tamper with easily, the human guard is far less fallible as he can be held directly responsible (the machine does its job without question, it is clearly the human failure). Scanners tend to come in several flavors:

Hand-Held – Hand held security scanners tend to be of lower power and fidelity than larger systems, but they are possibly the most difficult to spoof. Some may just display a readout on the device itself, not allowing for a spoofed data signal between user and device. All hand-held devices require the user to get close to their subject which can lead to visual detection. This proximity means that if things go south in a hurry there is already at least one security operator within arms reach.

Drone – Drone scanners offer a mobile and relatively low cost solution to security problems. Somewhere in the mid range between a large scale static scanner and the more modest hand held scanners, a drone can carry heavier hardware and, being mobile, is resistant to vandalization. Drone scanners are electronic, however, and therefor can be hacked. This is good news. By spoofing broad casted information between the target and the scanner, the scanner can be compromised. Further, a drone can be hacked outright. Drone scanners, however, have a habit of exploiting their mobility and showing up unannounced and at the worst times.

Static – A static security asset is both a boon and a curse. Because they are large, electronic devices there are all manner of methods to bypass them – go to a different physical location, hack the data stream from scanner to user, hack the device itself, broadcast secure (bogus) information and spoof the scans... Unfortunately these devices can be extremely sophisticated, sensitive and networked in such a fashion that hacking them is a death wish. Many static security scanners are linked to a security node that is off-site or not within direct sight of clients/targets meaning that data is processed elsewhere thereby increasing the complexity of spoofing or hacking the data.

What To Do?!

Hacking in SR4 is a delightful experience where a problem can be solved in many different ways from as many different angles. After you have determined the type and level of a security threat, its time to figure out what exactly it is that you want to do. The following are typical solutions:

Hack the signal - By finding the node (the matrix location of the scanner itself), a good electronic warfare specialist can spoof signal between the scanner and whatever console or output device it uses. This allows the scanner to scan properly but report negligible findings.

Requires: good Electronic Warfare skills and a decent Sniffer program to find the wireless signal, Encrypt to decrypt the signal a good Edit program to change the datastream, some time to find the correct nodes and possibly Exploit for any additional hacking. A little bit of Con (Impersonation) or Knowledge – Fake SINs never hurt anyone trying to disguise information.

Broadcast Bogus Information – Some scanners are of low quality or simply just request from a user's commlink their current registered cyberware information. Due to the complexity and variation of systems available in the 6th world, these types of systems are extremely common. By simply broadcasting doctored information complete with fake permits, a samurai can get by looking like an augmented construction worker or some such.

Requires: a quality Fake SIN modified with the Edit program to broadcast falsified information, fake permits. May require Cybertech Build/Repair or a tag eraser to change/destroy RFID on cyberware.

Hack the Device – a rather direct approach is to simply hack the device that is doing the scanning. To gain entry into the device requires accessing either its node or an attached node (generally a security console or security officer's commlink). This can be done either On-The-Fly or over a prolonged hack. The goal of such a hack would be to change the settings on the scanning device to be otherwise disabled when the offending 'runner has to go through the scanner. Generally this only works on drone and static scanners as most smaller pieces of hardware are not sophisticated enough to warrant a full hack.

Requires: a good idea of the network architecture must be attained to assess Sensitivity, Access and Exposure of the desired network. Once the hacker understands this much he can begin the actual hacking attempts as covered in hacking rules in the core book. This is probably the most traditional method of hacking a security system and also perhaps the most complex. A hacker will need decent all around hacking skills and program suite. Also requires a point of Exposure; a route into the target device.

Example: Grot Harvey and Proto need to meet their contacts in a Bellvue Heights park. Between them and their destination is a 5 meter tall plascrete wall with periodic autogun turrets. Going up to one of the major traffic flow points Grot decides to sit down and enjoy and orange. Flipping into the Matrix he pokes around. After a few Electronic Warfare + Sniffer tests Grot has a rough idea of how the electronic security at the checkpoint is handled. One officer mans a handheld scanner that is brought in ad hoc to assess questionable individuals while a large static arch serves as the main scanner. Long ago Grot had invested in a quality SIN linked to an old corporate hacker and generally passes through scans without incident. Proto, on the other hand, is a walking incident – he is more than half chromed out, an absolute twitching killing machine.

Grot scans (Computer + Scan -- ie Matrix Perception) the node for the Cyberware Scanning Arch as well as the security console. Looks pretty diesel, not an easy break in and hardly worth the risk. Deciding on a less intrusive method, Grot scans for the traffic coming off of the scanning arch and finds it after a few Electronic Warfare + Sniffer tests then Decrypts the traffic. Having compromised the arch he sets to work with his Edit program to cook up a datastream that will cover for his omae Proto. “You have no idea the things you make me do, Proto,� Grot mutters over the commlink.

Having prepared a faked out signal for Proto he sets to the task of screwing with the hand held scanner. A few more minutes pass as Grot locates the signal (Electronci Warfare + Sniffer, 3) from the hand held scanner. Eventually it becomes evident that the only method of getting access to the signal is to be nearly on top of the scanner itself... Looks like this operation is about to go live. Letting Proto know that its Showtime, Grot gets up and gets in line a few people back from his chromed out companion. Crossing his fingers and scrolling through various dialogue windows in AR, Grot hopes that he can spoof the signal from a few meters away and that he can do it fast enough. Proto gets to the arch and passes through without issue, the falsified cyberware (Scanner Rating vs. Successes from the Con + Edit to make the data) info goes through without a hitch.

As it just seems like Proto is going to get away scott free, the guard armed with the handheld scanner motions for him to “Step aside, sir.� Playing it Bogart, Proto cooly stands there and allows the scanner to pass over his synthetic limbs, pulsing fibreoptic nerves and coiled synthetic muscles. Grot, meanwhile, is smashing through his Edit program trying to spoof a signal to the handheld scanner. He manages to get a spoofed signal out just before the scanner completes its work. They almost got made.

Moving through the arch with a sigh of relief, the two runners continue towards their destination. Secretly the GM makes a perception check for them both to notice a rotodrone scanner dip over a rooftop and start following them...

Questions and comments, please.

EDIT: added more information about dice rolls and checks.

- der menkey

"Certainly there is no hunting like the hunting of man and those who have hunted armed men long enough and liked it, never really care for anything else thereafter."
~ Ernest Hemingway

[noonesshowmonkey]

An interesting note in the above example:

The handheld scanner mentioned when Proto and Grot try to make their play through the arch is an example of Low Tech solutions trumping High Tech assets. Being a simplistic MAD scanner, it may not find the precise location of a holdout pistol or be able to even identify someone cybered out with bioware, but it can tell if someone is made of metal. This is all done without a necessary wireless signal, though I imagine that most models output to a commlink via wireless. Further, the Signal rating of the device is a mere 1. You have to put the device over your intended target to read them and likewise nearly anyone that was to communicate with the device must be extremely close to do so.

This can completely eliminate technological security threats through good tactical procedure - ie. isolating subjects from others before scanning them, scanning outside of LoS of others, entering a scanning area protected by a local jammer etc. Indeed, it is generally through tactical proficiency that security operators minimize exposure. By exhibiting structured and disciplined behavior (machine-like?) the humans reduce the human element. Needless to say, this can be a serious problem for 'runners.

Just an interesting note. I write a lot of this sort of information into the examples, showing and teaching a lot more about the game than is directly on the surface. You can feed a man forever if...

- der menkey

"Certainly there is no hunting like the hunting of man and those who have hunted armed men long enough and liked it, never really care for anything else thereafter."
~ Ernest Hemingway