As it has been requested several times, by myself included, I’ve decided to write an example “hack scenario.” This is by no means authoritative – I have yet to run an SR4 game. In fact, I wrote this with the rules in front of me, looking things up as I went. I've probably got as many questions as anyone else about the hacking rules. What I'm saying is it isn’t necessarily correct. But I figure if I at least throw something out there, we can start getting comments and other examples. So by all means, if you see something wrong with my examples, let me know.

I’ve decided to basically walk through an entire run, and gloss over any non-hacker parts. That might make this post rather long, but I figure too much example is better than not enough (or the current standard, which is no example...) The team will be made up entirely of the Sample Characters found starting on page 89. Most prominent in this example, of course, will be the Hacker, on page 96. I’ve made two changes to the hacker – I’ve added the “Exploit” program at 5. I don’t know how a hacker gets by without exploit, without that you can’t get in the door. I’ve also given him an “Agent 4” program, to demonstrate the use of agents. I’ve gone ahead and used a dice rolling program to roll the dice, to add to the realism. I won’t be doing any technomancers this time.

I’ll be breaking the story into several sections, with each section its own reply to this post. It will be long enough as is... I tried to address nearly all of Eyeless Blond’s suggestions for examples posted in another thread. I think I got them all but rigging:

-hacking a secured node (plenty of time to Probe the target)
-hacking a secured node (building burning down around you)
-stealing someone's car
-Rigging
-at a meet with a Johnson
-doing a research project; legwork
-doing a disinformation project; anti-legwork?

Wrapup is the last section; please wait until it is posted to comment. It shouldn’t take me long to cut, paste, and format.

So, without further a due, I bring you Ménage-a-Trideo

The players:
Hacker – Jim Bean
Face – Façade
Gunslinger Adept – Handsome Stranger
Radical Eco Shaman – Lilly

italics is story
plain text is hacking rules.

The Bar
It's always a bar, isn't it...


Jim Bean watched through the club’s security camera in an AR window as Ms Johnson strolled confidently into the Fire-Watering Hole. She was tall and thin, possibly an elf – but Bean was more focused on the commlink she keyed as she entered the building. (Rolls Logic + Operating Systems knowledge, 3 Hits) It was a Transys Avalon, one of the few commercial links that could run a top-of-the line OS like Novatech Navi. It was an expensive investment, but it also meant that it was probably standard. It would be a tough crack, but with few surprises. Good thing, too – that troll escort she left at the entrance looked like he could cause a lot of trouble if there where too many surprises.

Ms J. walked into the hazy back room, where Jim, Façade, Stranger, and Lilly sat at one side of an oversized and slightly stained booth. Up close, Jim could see she wasn’t an elf, simply a tall and thin human woman in her mid-30’s, dressed in last year’s fashionable business suit. She slid into the cracked leather seat across from the runners, and introduced herself as Vonna. She explained that she worked for TRKL, a small media conglomerate that, among other ventures, ran news on channel 253. TRKL is involved in a ratings war with TVGP (channel 248), and that would be what this run was about.

Jim lost focus on the conversation as he began working in AR. He would have preferred to go full VR, but because he had been asked for by name, Façade had told him it would be “rude – and potentially deal breaking” to “sleep” through the meet. (The GM asks Jim what programs he has loaded for this meet. While Jim should have specified this info beforehand, the GM knows that Jim’s character would have come prepared, even if the player wasn’t. Jim Bean’s Commlink is loaded initially with Analyze, Browse, Exploit, Stealth, and his Agent (which is loaded with its own programs as well). This is 5 programs, equal to the System rating of 5, so the response time will not be affected.) Jim knows Vonna has a commlink (he saw it in the club’s security camera), but as it isn’t found among the active or passive nodes in the area, (A free action to check) Jim knows it must be in hidden mode. Jim searches for Vonna’s now-hidden commlink signal (A “Detecting Wireless Nodes” extended test, using Electornic Warfare + Scan (4, 1 combat turn). Jim first spends a complex action to load his Scan program – this lowers his response to 4, as he has exceeded his System in running programs. For now Jim decides this is acceptable. Next, Jim rolls Electronic Warfare + Scan, and scores 5 hits. As the threshold for this test is 4, he finds the commlink on the first turn. Having found the signal, Jim decides to break in. This is a “Hacking on the Fly” test, and uses Hacking + Exploit (Firewall, 1 Initiative Pass). He rolls poorly, and gets only 2 hits. The commlink rolls Analyze + Firewall, and gets 2 hits. This is less than Jim’s Stealth of 5, so he remains undetected. Remaining fairly certain this is a Novatech Navi OS, Jim is confident he can get one more success before the commlink gets the three successes it needs to detect him. This time he rolls considerably better, achieving 7 hits. The commlink still gets its roll, however, and scores 2 hits. This is a total of 4, and fortunately still less than Jim’s stealth. It was, however, very close. Well, no need to tell the teammates about that part.

Once in the node, Jim immediately noticed another icon. Afraid it might be IC, he spends a simple action Observing it in Detail (Computer + Analyze, GM determines Threshold). Jim rolls 2 hits, enough to determine two “facts” about the icon. Normally Jim would choose the facts, but the GM decides that this is a special case. The GM informs Jim that the icon is a Sprite, specifically a courier sprite. This is very curious indeed. Jim begins to hope fervently that Vonna is not a technomancer. He also spends his remaining simple action shutting down his Scan program; it is unlikely he will need it further. This allows his response to return to normal. On Jim’s next turn, he spends a simple action looking for any other hidden icons that might be accompanying the sprite. He makes the same test as above, scoring 2 hits. The GM informs him that he doesn’t find anything. Not having anything else to do with a simple action, Jim spends a turn fretting about the sprite.

Seeing a sprite in the commlink spooks Jim, and he spends a few moments ignoring the AR displays and focuses on the conversation. Façade is doing well at distracting Vonna from Jim’s lack of attention, it would seem. Jim wishes briefly he was better at understanding people; that he could tell if Vonna was really a technomancer and that her commlink was a decoy. Paranoia runs deep in hackers. But he decides that if Vonna’s face betrays anything, Façade will notice first and be ready. Jim goes back to his AR work.

Jim decides first to find out if Vonna is really who she claims to be. He does a Browse action, looking for identity information. This is a complex action using Browse + Data Search. Jim rolls 5 successes, easily enough to find a good amount of information. The GM informs Jim that “Vonna” is really Sally VonHesker, a minor TLKL reporter. The information also suggests her stories focus mainly on celebrities. In addition, Jim finds her birthday, and adds it to his own records. You never know when a Johnson will become a frequent employer, and a thoughtful gift on a birthday might just help that next bargaining session. Jim decides it is unlikely, based in this information in the commlink, that Vonna is a technomancer.

Now Jim decides it’s time to unleash his latest creation. He spends another complex action loading an agent into “Vonna’s” link. This agent is configured with Jim’s own personal blend of Sniff, Redirect, Stealth, and Armor. As the Agent is rating 4, the programs are all capped at rating 4 as well. On his next turn, Jim issues the sprite its commands: It is to scan for any comcall signals from the link, and report to Jim when it detects them. Should it get caught and attacked, it is to Redirect any traces until it crashes. Jim hopes the Armor 4 will keep the agent alive long enough to spoof it’s data trail away from him. Lastly, having finished issuing commands to the Agent, Jim logs out (another simple action, no test required unless being attacked by black IC). To this point, 10 turns have passed.

As the last of the matrix browser windows fade from Jim’s view, he glances around the room. Only half a minute has passed, and it looks like Façade and Vonna are just finishing up pleasantries and introductions. No one seems to have noticed his hacking.

Vonna goes on to explain the job: TVGP has put together a special report on TRKL’s reporting, which exposes several stories as fakes designed to raise ratings. “Vonna” wants the team to infiltrate TVGP just before the story airs, which is prime-time tomorrow, destroy the copy about to be broadcast, and replace it with the one she is providing. This will prevent the story from getting out immediately, and simultaneously ruin the credibility of TVGP. That way, if they decide to re-release the story, it won’t have its intended effect. She has a specific broadcast facility in mind that covers the lower half of Seattle as well as several key matrix feeds. The pay is a bit better than usual, and the team hope that doesn’t mean extra trouble. Oh, and one more thing – the story Vonna is providing is encoded by a courier sprite – so no use trying to peak, as the sprite will just erase if it is crashed. Jim breathes an audible sigh of relief, now that the sprite has been explained.

Legwork

The team splits up for legwork. Lilly and Handsome Stranger head down to TVGP’s local broadcast station to case it for possible entrances. Façade hits up his contacts for more information. Jim Bean jacks in, and muses about the term “legwork” – as his legs only had to carry him as far as his easy chair.

This time Jim loads his commlink with his standard “probing” setup – Exploit, Stealth, Edit, Redirect, and Biofeedback. He logs in in Cold Sim mode – no need to risk addiction or Black IC just for an access code. The Biofeedback program is “just in case.” You don’t get to stay a hacker very long if you aren’t paranoid…

Jim heads for the TVGP main site. It is a public node, and requires no test. He then searches for the broadcasting station the team is to infiltrate. A Computer + Browse extended test yields 3 hits. The GM has stated that finding this information is “Average” difficulty (as the public most likely does not need to access the broadcast station) which has a threshold of 4. So, Jim makes another roll, getting 4 hits. Thus, 2 turns pass (interval for “same network” as the station is closely associated with the main office) before Jim moves to the broadcast node. It is a secure node, so he must break in.

As Jim has a lot of time to work before his teammates return, he decides to probe for his way in. This is a “Probing the Target” test, an extended test using Hacking + Exploit with an interval of 1 hour. The GM decides that this facility is running a system that will challenge the hacker, and assigns it stats of 5. Thus, the base threshold is 10 (System + Firewall). Jim also decides he will need security access, and that adds 3 to the threshold, for a total of 13. Jim’s first roll scores 2 successes. Jim settles in for a long night. He spends two more hours, rolling 4 hits both times, bringing his total to 10.

At last Jim feels like he’s making some real progress – he’s so close to an access code he can smell it (or maybe that’s just some noise in the Sim module?) when he is interrupted by an incoming message. It’s his Agent program informing him that Vonna is making a phone call! Feeling certain that TVGP has not detected him, and that he is thus safe for the moment, he “opens” another VR session and begins searching for the agent.

The GM decides that Jim automatically successfully perceives his own agent, and Jim can immediately begin tracking it to Vonna’s commlink where it is running. Jim decides to first spend a complex action loading his Track 4 program, which should speed up the time. He also spends another action loading up Sniffer, which he will need to tap the call once he finds the node. Not wanting to waste any more time, Jim leaves the other programs running. As his current running programs total is 7, his response is again reduced to 4.

Rolling Computer + Track nets Jim 1 hit. He keeps rolling and gets: 3 hits, 1 hit, 1 hit, 1 hit, and 4 hits. This means it takes Jim 6 initiative passes. Had the GM been using the optional rules from SECKSY, Jim would have failed this extended action, as he could only have rolled 5 times. However, the BBB has no rules about the number of roles for an extended test, so sticking with the main rulebook, Jim succeeds in three combat turns.

Now that he has once again found Vonna’s commlink, he must once again break in. He could optionally break in to one of the matrix routing nodes that the comcall is passing through, but this would probably be more difficult than the commlink. Jim is again “Hacking on the Fly.” As exploit is already loaded, Jim rolls Exploit + Hacking for 2 hits. The system responds with a System + Firewall test for 1 hit. Next pass, Jim scores 3 hits, and breaks in. The system rolls again as well, scoring 2 hits. The total of 3 is again less than Jim’s Stealth of 5, so again he is undetected.

Now that he is in, Jim can tap the call. The GM decides that because Jim hacked the commlink, and not a matrix node, that he does not need to roll a Data Search test to locate the call traffic; it is pretty obvious as there is limited other activity in the commlink. So only an “Intercept Traffic” test is needed (Hacking + Sniffer, successes are the threshold to avoid detection. This is a complex action. Jim rolls 1 hit. Frag! He’s tapped the call, but not skillfully. The GM decides that since Analyze can be set to scan automatically, that Vonna has enough computer know-how to have done so. He rolls for the automatic analyze (Rolling just Analyze 4), and gets a lucky 3 hits.

Jim overhears, through a somewhat static-filled connection, Vonna’s voice saying “…has been paid. He’ll get what he deserves. What the… someone’s tapping my comm., I have to go. *click*.” Jim knows he’ll have to act fast – fortunately, he’s in VR, and will probably have an initiative pass to act.

Jim spends a simple action to deactivate the agent he left running on Vonna’s commlink, to prevent any data trail leading back to him. He then quickly logs off (another simple action) – thankfully before Vonna, acting at AR speeds, can investigate.

Slightly frazzled, yet exhilarated by his close call, Jim Bean returns to his probing attempt. Because he never logged off, and only a little time has passed, he can pick up where he left off. First he unloads Track and Sniffer, to bring his comlink up to full responsiveness. Then he again rolls Hacking + Exploit, getting 5 hits. This brings his total to 15, allowing him to gain security access to the system. Upon success, the node rolls Analyze + Firewall to attempt to notice the break in. Unfortunately, the node rolls 5 hits, which is enough to defeat Jim’s stealth program. The node goes on alert.

Jim might normally log off before he is caught – but this time, he’s on a tight schedule. The run is tomorrow, and the system might not come down off alert before then. The exploit he found will certainly be closed as soon as they investigate the alert, so he needs to use it now, or never. Jim decides to chance it – he switches to Hot Sim mode (a free action) and presses on, using the exploit he found to log on (a complex action). The GM decides this is a good time to roll initiative. But because Jim paid for the pizza the group is eating, he decides the combat turn starts just after Jim switched to hot sim mode – his first actions in the system will have 3 passes (the same as the IC). Jim rolls Response + Intuition + 1, and scores 3 hits. This brings his initiative to 14. The GM secretly rolls for IC, and achieves an initiative of 13.

Being the creative type, Jim first wants to know if he can use his “Security” access to turn off the alert. The GM decides that even a security user can’t cancel an Alert status until it has been investigated. Jim wishes he had hacked in as an Admin, as it wouldn’t have been any harder, it would have just added an extra hour. The GM wonders what excuse he could have used then – or if Admins can cancel any alert and redirect any IC they trigger at whim, as these things would fall under the legitimate purview of “Admin.” He also wonders if the play testers for the Matrix section really thought through the account statuses.

Jim needs to know what to expect now that he’s triggered an alert. He uses his Security Procedures knowledge skill to determine a likely response. The GM decides thinking the security plan through in a hurry is a complex action. Jim rolls Logic + Security Procedures, and scores 5 hits. The GM informs Jim that for a node this size, the first response will probably be an IC designed to scan for intruders and that further IC will be launched based on what it finds. Also, an alert probably triggered the on-call decker – but it might be several rounds before he can be woken up (or more likely this time of night, convinced to log off his VR MMORPG.).

The IC attempts to locate Jim. As Jim is running a stealth program, this is an opposed test – the IC rolls Analyze + Computer (and as IC doesn’t have a computer skill, the GM assumes the book meant that he should substitute the IC’s rating for Computer), Jim rolls Hacking + Stealth + 2 (for Hot Sim). The IC gets 3 hits, Jim gets 5. As a perception test is only a simple action, the IC repeats the test – scoring 2 hits. Jim scores 4; he remains undetected this pass.

Jim is pretty sure something is out there looking for him, so he rolls a matrix perception test to find it (a standard action). He rolls Computer + Analyze +2, and achieves 6 hits. The GM rolls for the IC – Stealth + Firewall + 4 (for active alert), and scores 4 hits. This is two net hits for Jim, and so he can choose two facts to learn about the icon. Most important to him right now are what the icon is, and what its rating is. The GM informs him it is an IC, rating 5. Jim spends his next standard action unloading exploit – he won’t be needing it any more, and might need the extra memory for something more useful.

The IC continues its search pattern, the same as before. This time it rolls 4 hits, and Jim also rolls 4 hits. Ties generally go to the defender; Jim escapes detection briefly, but that IC is getting very close. For its next simple action, the IC rolls 4 hits again – but Jim only rolls 2. He’s been spotted!

Jim briefly considers loading a combat Agent. But the GM declares that since the rules state that agents “Can be loaded” with programs, that Jim must take a complex action for each program the agent loads. Instead he decides he needs to focus on what he came here for – getting access he can use for the run tomorrow. He decides to use Edit to create himself an account.

Unfortunately for the GM, the book is exceedingly vauge on this concept – Hacking + Edit (or Computer + Edit) is nice to know, but what is the threshold and interval? The GM improvises, and decides that since the system is on alert, and actively trying to thwart hacking attempts, creating a new hidden user account will be an opposed test against the node’s System + Firewall + 4 (alert status). Under normal circumstances, an extended test against the system’s Firewall would probably have been good, too. Jim sighs, knowing the odds are against him, and rolls, remembering to add +2 for Hot Sim. Sadly, he achieves only 1 hit. The GM uses the system’s dice to buy 3 hits, and saves the need to roll.

The system, having been alerted by the “Search” IC that there is a hacker, loads an “And Destroy” IC. The GM decides that since it is the same rating as the Search IC, it gets the same initiative. “And Destroy” also begins searching for Jim (as he is still running stealth, he is undetected by the new IC). The GM decides that the IC gets some pretty hefty bonuses -- +2 for being on active alert, and +4 for having been spotted by the other IC. With a whopping +6 dice to it’s matrix perception test (Computer + Analyze, hopefully agent rating is allowed), it rolls 6 hits. Jim only scores 4 with his Hacking + Stealth + 2 opposed test, and the IC locks on to Jim. A digital Ares Citymaster comes barreling over the virtual landscape towards Jim. This ends the first Combat Turn.

Rolling Initiative again, Jim this time gets 15, while the IC (The GM rolls once for both IC, to save time) remain at 13.

Jim Tries again to create an account. He knows this is critical, so he spends a point of edge. This time he gets 6 hits, and the system only gets 3. This is a success! He’s made a hidden account to use for the run.

“Search” IC begins tracking Jim’s data trail. It rolls Computer (er, Rating) + Track, with a threshold of 15 (10 + Jim’s Stealth of 5). 4 Hits, Jim’s clock is ticking…

“And Destroy,” Having found Jim, and identified him as a hacker, opens up with it’s rooftop cannon – a Blackout 4 attack program. “And Destroy” rolls Rating + Blackout, and Jim defends by rolling Response + Firewall +2 (I’m assuming the +2 here. Technically, Hot Sim applies to “all matrix actions” – but defending from attack isn’t an “action.” However, it seems within the spirit of the rule to allow it. I don’t really know about this one.). The hits are 2 to 5, Jim dodges the attack.

Jim now needs to get rid of any evidence of the account he created while here. Fortunately, security logs are within the purview of Jim’s “security” access. Even more fortunately, the GM says that the logs are currently unencrypted because of the massive amount of data being logged due to the attack (Did I mention that pizza had all of the GM’s favorite toppings?). Now Jim just needs to find the logs. The GM decides for someone with as much knowledge as Jim has of both security procedures and operating systems, finding the security logs is an easy test. A Computer + Data Search +2 test yields 4 hits, more than enough to locate the logs. This is a complex action, but Jim has found the logs.

“Search” takes another complex action of following Jim’s data trail, rolling Rating + Track for 2 hits. It’s got a ways to go until it finds Jim’s commlink.

The GM wishes once again the authors had been more clear on the Edit rules, then decides that an Edit + Hacking (because while he can legitimately access the logs, altering them in this way is more “hacking” than “normal use”) test will serve as a threshold for noticing that he created a hidden account while in the system. He rolls, again remembering to add +2 for Hot Sim, and gets 6 hits! (Technically, this is probably incorrect. The Edit test states that you can only change a single line, or a single image, without an extended test. Rather than figure out how many lines in a security log need to be changed, it’s probably easier to assume a single “file” regardless of the file type can be changed.)

“Search” continues it’s digital sniffing, by rolling Rating + Track. It gets but one success, bringing its total to 7.

“And Destroy” releases another volley, rolling 3 hits. Jim defends, getting 6. Another successful evasion!

Just then, the Security hacker logs in. As he spends a complex action logging in, he is unable to act this phase.

It is time for a new initiative roll. The IC get 13 once again; Jim scores 15 again.
Jim decides things are getting WAY too hot. Besides, he has what he came for. As “And Destroy” has yet to connect with an attack, Jim is still free to log out, and decides to do just that. Jim winces at the thought of the dump shock he’d have received in Hot Sim if the IC had jammed his connection, as the VR simulation closes around him.

Jim smiles and chugs a super-hyper-caff-cola (now with double the nerps!) It’s been a long night so far, and the night’s hack didn’t go as smoothly as they like. But as they say, any hack you can walk away from is a good hack.

The next morning, the rest of the team meets up via commlink to share what they have found. Jim Bean tells them of his partially overheard conversation, and that he has matrix access for tomorrow’s run. He doesn’t mention how close he came to getting blasted doing it. Nor does he mention the (fortunately slim) chance of someone discovering and closing that access. Façade informs the group that his fixer knows someone who used to be a secretary for Ms. VonHesker, but that he can’t arrange a meet until the day after tomorrow. That’s too late for the run, but the group agrees to set up the meet anyway. If things go good, it won’t do any harm; if things go bad, it will be good to know who to blame. Stranger and Lilly report that late at night, they saw a group leaving the premises that didn’t look like the regular techs. In exchange for a brief magic show, the group revealed that they where co-op students at the nearby college. They said there was practically a new group of students every day. The group decides that this might be a way into the building. A good thing, too, because Lilly says that she’s pretty sure the astral signatures around the only other entrance, near the transmitting tower, show signs of barghast activity.

The Break In

A quick Stick-n-Shock ambush by Handsome Stranger, and the group had a set of student access badges. Jim Bean used his access to re-enter the building’s matrix (which had gone off active alert sometime around noon) and change the pictures and other info in the student files to match the runners. Façade gave the guards at the front gate a story about how the pictures on the badge had been mixed up by the printer, and how there wasn’t enough time to get them reprinted.

Normally, after the matrix break in the night before, the guards would have been very suspicious of the matrix information that backed up the runner’s story – but Lilly’s mob mood spell had them feeling quite agreeable. Once inside the building, the corporate suits never looked at the group’s badges. The account Jim created was sufficient to open doors right up to the side of the secured area.

After breaking in to the secured area only minutes before showtime, the team decided there wasn’t time to try to hack the secured system. Instead they made their way to the editor’s room, where they ambushed an editor with the appropriate access cards. They used these to upload the sprite into the system, then Jim was able to erase the original program with his editor’s access rights. Unfortunately, their attack and computer tampering alerted the guards, and a harrowing escape down a waste chute landed the team in the underground garage for the facility.

A quick look around finds a suitable getaway vehicle – a small armored sedan. However, it (and all the other vehicles in the lot) are currently off – thus, not hackable. No doubt the expensive ones have remote starters, but without intercepting and spoofing the remote starter, there’s no way to use a wireless link to start the car. Fortunately, Jim Bean has studied more than just wireless – hardware is part of his skill set, and he’s brought his electronics kit. (What’s that? The hacker archetype doesn’t have an electronics kit? He darn well should!) But he’d better hurry, those guards are on their way down the elevator.

Jim sets to work on the car. The GM decides it is a Basic difficulty to get the car to power on. The approaching guards have the hacker nervous, and underneath the car is very cramped for an Orc, so the GM applies a -1 penalty for distracting conditions. However, today is going much better for ‘ole Jim Bean, and he rolls 5 hits! Having started the car’s computer, Jim immediately drops into VR Hot Sim mode. Those guards are only two floors away now!

Fortunately, the car starts up in active mode. Jim immediately begins “Hacking on the Fly.” Because Jim didn’t specify his program loadout, the GM decides he has his standard “Hacking” loadout that he used last night. Fortunately, this includes Exploit. Cars that have not been upgraded with their own commlinks, the GM decides, are “standard electronic device” according to page 216’s “Access Privileges” section. This means it only has Admin security status, which adds 6 to the breaking in roll. Jim Rolls Hacking + Exploit +2 (Firewall 3 + 6 for admin), the car rolls Firewall + Analyze (Stealth 5) to detect Jim. Jim rolls only one hit (maybe his luck is running out?) The car, with it’s Pilot (and therefore system, firewall, etc.) of 3, rolls no successes. Jim continues, this time rolling 6 hits. The car scores 2 hits. One more round (ending the combat phase) and Jim scores 4 more hits, which has him as admin of the car. The car scores one more hit, not enough to detect Jim.

With the combat turn over (3 phases of Hot Sim VR), the guards are only one floor away by elevator. Jim logs into the car with his Admin privileges, which takes a complex action. Unfortunately, the car is not rigger adapted, so Jim can’t “Jump In” to it. However, he can unlock the doors and start the engine, which he immediately does. The GM rules that these actions are simple enough not to require a control test. Jim then spends his last action of the phase logging out and shutting off VR so he can climb into the vehicle.

The car starts and the doors unlock, but before the team can move, the sound of the elevator chime rings across the parking lot, and the doors begin to open. It’s going to be a close race to get out of here.

Wrapup

There’s no more hacking here, but I wanted to finish out my storyline. 

As the team sped away in their now (slightly damaged) armored sedan, Jim Bean fed a matrix stream of TVGP’s newscast into the sedan’s display screen so the team could watch the results of their handywork. They where all curious as to what the sprite had contained, and they had just barely made the deadline.

“…ack team of investigative reporters has found that our competitor, TRKL, has been distorting the news they report for financial gain! We here at TVGP are devoted to the truth, no matter the cost. And in that vein we now give you our report!”

The screen switched to a few frames of the original broadcast, scrambled. Then, it slowly resolved into… was that… oh my. A very raunchy scene involving a middle-aged man, an elven joygirl, and… a male dwarf? Whoever they where, those objects where clearly intended for external use only, and the group was thus very much in violation of their EULAs. Scrolling across the bottom was the text “How would Mrs. Heintrek feel about this? Why don’t you call and ask her, at comcode #256FG36Y.” The ghastly scene played on for a solid minute and fifteen seconds before the techs at the station, still recovering from the team’s infiltration and daring escape, where able to kill the feed.

…

The warehouse in the docks district – Façade’s fixer sure had a classic streak in him. It was a foggy night, too. The secretary was younger than the group had expected. She was clearly nervous about meeting a team of possibly dangerous runners on a foggy night; to try to cover her nervousness she launched immediately into her story.

“I started working for Mrs. VonHesker at TRKL two years ago. About a year ago, I stumbled in on.... that is to say, it came to my attention that she was having an affair with a married man. a Mr. Heintrek (she blushed bright red at his name; clearly she had seen the broadcast) was the one she was with... and the one on the braodcast yesterday. Not the dwarf, the... uh, well, never mind. Well, Sally – that’s Mrs. VonHesker, she, found out after about six months that she. wasn’t the only one he was cheating with. What a pig! She swore up and down she’d get that two-timing… er, three timing? drek-head if it was the last thing she did.

After that, she was kind of hard to work with, very moody, and eventually I left the company as a result. But I found out about the ratings war with TVGP, and that she had been given the authority to hire runners to win that ratings war. Well, don’t you see? Heintrek was one of TVGP’s anchormen, on their morning show! I just knew she’d use the opportunity to get back at him, and hurt TVGP in the process, but I couldn’t have predicted this!”

The team just stared at the secretary, slack-jawed. She went on:

“I followed up a bit before we met up here. Mrs. Heintrek had the divorce papers filed within minutes of that broadcast. She got so many calls about it that they had to disconnect her com from the net. I hear she’s moved out, and her lawyer is pretty certain she’ll get everything.”

“I guess in a way, things worked out then” muttered Handsome Stranger, a bit bewildered.

“Not quite… “said the secretary. “Sally VonHesker… well, she didn’t count on one thing. TVGP’s ratings SKYROCKETED after that clip. They where the highest rated broadcaster for a full 37 minutes after that, outpacing even much higher budgeted networks in this area. TRKL fired her when they found out, her vengeance cost them their ratings war!”

-- End --

Post: Apparently I am very fond of the words "very" and "thus." Please ignore their repetition.

Great story Feshy! Don't know if you have ever played the Munchkin card game but Jim obviously just went up a level or 2!

I was entertained ... nice job!

So Matrix Gurus (Guri?), is it correct, rules-wise?

Quick oberservation.... with jim loading an agent onto to the other comlink would that affect the other persons system and response as well because then she would have his agent running on her comlink.

Thanks, Feshy, for the example; it defintely helped me put the rules into some context. It's also disturbing how many holes you pointed out. So basically, all a hacker needs to do is gain admin privileges and then he can turn off the alert and make any threat from the system pointless. Sigh. I am NOT looking forward with having to deal with this when I run a game.

unfortunately, in their attempts towards making the game lighter on the rules, they left some big questions floating about, and I swear half of them are concerning hacking. However, there are a few things you can do to limit them from in game:

Use various types of passcodes, such as linked or passkey passcodes (pg. 215), that need an additional confirmation of some sort before it will hand the keys over to the player. It's best to use this as an excuse to keep the dreaded admin rights out of players hands, but for some closed Zero Zone systems, the players may have to find a keycard before they are even allowed to log on as a grunt!

Secondly, feel free to add additional modifiers for trying to get higher level access for better designed systems. Finding the code for an admin that hasn't changed his password in two decades is not that hard. Finding the code for an admin that uses an offline synchronized code sequence is going to be a heck of a lot harder without access to the admin layer of the node or quietly swiping the code generator off an admin.

Third, feel free to tell a player the extended test is over anytime you feel it would make sense. For instance if a player is looking for security holes in a system and the system shuts down and resets over the night, an auto-update from the main offices might have plugged up the security leak by morning, forcing them to start all over. This one may not stop them from going for admin status, but it will make them sweat a bit when you tell them "This site is going offline at Midnight for two hours of daily maintainance."

You said it loaded IC onto the comlink but isn't IC just a program that has to be weilded like a weapon by either a person or an agent?

Also, to prevent the players from making one roll and having admin rights to everything just put different data on different nodes. That way they need to system hop a bit to get everything. I talked a little bit about setting up different nodes here: http://forums.dumpshock.com/index.php?show...=0&#entry322396

Way to go Feshy, that does break down the majority of a hacking scenario quite well. My GM and I were perusing this and it looks like it nails down most of the hacking issues we had.

I'm not sure what the rules say, but IRL if anyone ever made it so you could edit a security audit log with "security" access rather than full admin access I would stab them in the face. In really secure systems, audit logs are written to write-once media (there are write-once harddrive controllers, but the simplest solution is to just immediately print the logs on paper). Another trick is called "capabilities", where even a full admin doesn't have permission to modify the logs.

Again, in real life, on computer systems with admin accounts, any logs that might be used for a security audit can only be deleted or modified by an admin. It can get harder than that, but should never get easier unless the OS designer or the sysadmin are total morons.

Beautiful examples. This is exactly what we needed. Thanks for taking the time to write out the story and examples. I enjoyed it.

Thanks for the encouragement and comments, everyone.

Just have it so whatever comlink is connecting in needs a maglock key inserted into the comlink also. It adds extra security and the rules for breaking that key are in the book too.

It wouldn't really take long to have different nodes, just set it up so the player can only connect into one or two nodes pre-run. I just say that once you hack in you only have so long until they eventually find traces of you hacking in. Also, each is accessible from the ground level, you don't need to node climb at all. It's just that you can't get ALL the data from one node.

For separate nodes, do you need to make seperate Hack in on the Fly tests for each, or would your hacked account from the first carry over? Or maybe would only certain nodes (ex. highly secure areas) have their own new sets of passcodes, perhaps requiring a physical identification too (like what's been mentioned)?

hmm, it could be that the corp network style nodes have a special mode. ie, you have to take it down into that mode, while at the same time shutting down any wireless or wired matrix connections, and sit down at a special console to get access to the controls for the IC and the other stuff.

this way, a remotely logged in admin cant tell the IC to go away as thats is out of reach for even that style admin. allso, they may be able to force the triggering of an alert, but cant shut it down again.

it kinda makes me think of linux with the SElinux addon from NSA. there you can basicly lock yourself out compleatly, even as the root user (the boss of bosses on unix style systems), if your not carefull. fixing that will require a full reboot to take the kernel into a diffrent mode where you can config and test the SElinux system without it fully applying to your current enviroment.

hell, mess around to much with the access control lists in windows and presto, you have files and other stuff that not even a admin level account can change or delete

We really should begin saving and sorting everything we have put up, maybe put it all up as a series of ideas and concepts for how to work with the matrix within the new mostly open design of SR4 rules.

Under Windows Server 2003, which we could consider to be a baseline for current network security, there is no simple 'Admin' level account. Computers have Local Administrators, networks have Domain Administrators and Enterprise Administrators, each with varying flavors of authority. And it's generally foolish to give out admin powers to more than one or two people, because there's a couple dozen pre-configured account groups that give out only very specific powers. You can set a guy up so that his sole authority is to be able to reset one specific printer queue on alternate Tuesdays between 1:30 and 1:45.

Now real world computer security is made by people who have serious money to lose, so you've gotta make allowances for Shadowrun being a game. If corporations were as serious in 2070 about network security as they are today, all the deckers would be straight out of a job. Or dead. But if you want more realistic computer security without making it nigh-impossible, do the following:

1. Reaching for admin level access should be unwise. It should be standard operating procedure at any corp with a marginally-competent IT department to check the user list to make certain there are the same number of admins this morning as there were yesterday at closing time. A more paranoid IT department should be checking the user list with every shift change. That way grabbing an admin account will properly provide supreme ultimate power, but be a huge red flag to whomever's computer you're breaking into. Better use it quick and delete it before any corp deckers check the user list.

2. Less personnel at night, but other obstacles. I have yet to see a place paying an army of MCSAs to be hunched over keyboards 24/7 in case some kid in Turkey tries to break into the server and stash their porn and MP3s on it. Some companies do have living people babysitting the server at godawful hours, but those people are usually low-paid rubes doing the daily backup operations instead of the administrators. The admins go home and go to bed like everyone else. However, people also aren't usually dumb enough to leave their networks open and defenseless outside of business hours. Some places shut their systems down at night (rarely), cut off the routers to keep remote people out (more commonly), or have access policies in place that make the servers reject logon attempts outside of business hours (most common). In Shadowrun terms, I'd have it less likely to run across a person in the system at night, but raise the Firewall rating and make the IC nastier, because the corp knows that people shouldn't be in there at those hours and cranks up the security settings.

3. People, not computers, are the weakest link. Network security today can be cranked up so tight it'll pop the fillings out of your teeth, but it almost never is. People are lazy and don't want to type three passwords, swipe a smart card, and scan their thumbprint just to open a text file. Executives are greedy and don't want to pay for the top of the line security measures. IT departments are sullen about the lazy employees and greedy executives and will occasionally drop security levels down to insanely permissive settings just to make the phonecalls stop for a day. GMs should reward hackers who try to exploit human nature in their crimes by collecting network information from people. 'My brother used to work there, and he said the passwords were all 12345, that's so stupid!' 'I was making a delivery and saw that everyone had post-it notes all over their monitors...', etc. Likewise, one sneaky little trick is to simply use a telescope to peek through a window and watch someone type their password, circumventing all security in one fell swoop.

hacking Admin privileges is not more difficult than hacking security user privileges, just longer :
I don't totally agree. True, it's an Extended Test, so "with time" you'll have the necessary hits to succeed. BUT
- trying to get Admin privileges requires 6 hits more than for a basic account, so more tests will be necessary to achieve the threshold;
- the more tests you perform, the more the odds of getting a glitch;
- the more tests you perform, the more the system gets hits to detect you;
- someone has already quoted the rule about limiting the number of tests possible for an extended test. You mentioned that this limit was insufficient, so let's set this limit to the Hacking skill instead of the dice pool. Or modifiy this limit to take into account the targeted privileges (-3 for security user, -6 for Admin). I think that should do the trick.
Finally, I would say that, if given the necessary gear, a good hacker can crack virtually anything, it's just a matter of time. I have the feeling that the rules perfectly reflect that.

Admin users tracking
Maybe a workaround to create an Admin account, which could be detected and quickly suppressed, would be to hack an existing Admin account...

Nice exhaustive example, thanks for that and congrats. I think that, with your permission, I'll make it translated in French for "mass education" on the French SR4 forums

Indeed; this is why it's almost never worth running more than (System) programs. He should have dropped his Scan program (a free action) the second he found the node.

Also he rolled insanely well in any case; even an experienced hacker will have a skill of 5-6 + his programs at 4, so on average you expect about 3 successes for most tests. Most of his rolls are alot better than that, leaving me to conclude that perhaps Jim is an adept with Improved Ability(Hacking), an even more broken ability in this game than it was in SR3 because it breaks all skill caps and doesn't have extra costs for going over everyone else's limit. In theory you could be rolling 18 dice on all hacking tests at chargen, where every hacker and technomancer character would be stuck at around 12.

I'm pretty sure it is a Simple Action to stop a running program.

Nice post, Feshy. It was nice to read examples in such complete context. you sure you don't want to run our game instead of me? I mean, what with all the time on your hands Don't get me wrong, I'm really looking forward to it, but... you do seem to have a lot of time. And your brothers never get back to me.

-GRR

Great comments, NightRain!

* saves thread to HD *

there is a reason why having root/admin level access is considerd being god

still, dont the hacker have to spend a complex action shutting down a IC just like any other program? if so, will not the firewall just keep spawning new IC, basicly making the hacker unable to do anything but shutting them down?

or do the hacker get so many initiative passes that he can outperform the firewall in terms of speed?

If the hacker creates an admin account, spawning ICE in the process, he couldn't just start shutting them down. I think he'd have to log off, then log back in as the admin, which would have a different access ID. Hacker-logged-in-as-Admin wouldn't have any aggro, to borrow an MMO term, and could shut down any ICE he wished without spawning more.

Or I could be completely wrong.

that is if the target flagging follows the account, not the "icon". or would he get a diffrent icon the moment he logged in again?

hell, he may even log out. change icon manualy and then log back in or something.
there is so many ways of screwing with the simple logics that a IC most likely will follow that it may not even be worth trying to think them all out.

the moment a person hits admin, your drop in the security hackers. the IC is allready defeated...

Or you can do what I did to my overambitious hacker last night.

Player: "WiFi Interface 2.3? Why the hell is the security techie ending program W-" *Dumpshock*

How about this: actually coming off Alert statuc (and thus shutting down of IC, other response proceedures, etc) requires hitting a physical switch on the machine, or even a reboot. The idea is that an alert never--or at least rarely--happens as a false positive, so when one does happen there should *have* to be someone woken up to physically go to the server room and hit a button to sound the all-clear.

As I envision it, an active alert's rather like blowing a circuit breaker; once you've done it no amount of fiddling with light switches or unplugging things inside the house can bring the power back on. You've got to get dressed, go around to the backyard in the rain and open up that panel where all the little mechanical switches are and fiddle with them.

Um, in a metaphorical sense.

(Edit): Regarding the idea of System limiting the number of programs, my theory (Theory 4?) is that Response doesn't drop until you run (System) rating in programs, where the rating is System's "natural" rating. In other words, if you have System 6 you can run 6 programs before Response is lowered, regardless of what Response is in the first place. All other uses of System however are limited by Response, as all other running programs are. Thus if you start witth Response 5, System 6 you can run 6 programs with no effect; 7-12 at Response 4 (Effective System rating for tests involving System rating: 4), 13-18 at Response 3 (Effective System rating for tests involving System rating: 3), etc etc.

It is an exception to the not-well-written-rule that Response limits System at all times, but so is yours. Your first theory has Response limiting System for the purposes of max programs only before Response slowdown. Let's say you were running 7 programs on a Response 5, System 6 commlink. By your rule, when your Response slows down your System has three ratings:

• first the rating you bought it at (6),
• second the rating it had when your "normal" Response slowed it down (5) which determines the max number of programs it can run before slowing down Response,
• and thirdly the rating it's running at after Response is slowed, in this case 4.

When you increase to 11 programs under your rule you refer to your second System rating (5) and lower Response from 5 to 3, lowering the effective System rating of your rating 6 program to the slowed Response rating of 3. Er, etc etc.

So you see my way is easier and requires less bookkeepping and mindbending.

With a permission of Feshy, I started Japanese translation of the "Hacking Example" posts on my SR4 Wiki.
Though I have translated only the introduction and "The Bar", I will also translate other parts later.
The URL of the entry on my Wiki is:
http://www.imasy.or.jp/%7Emiyamoto/rpg/SR4...20Example%5D%5D

These posts are great work to help understanding of SR matrix rules, so it is a great pleasure for me to translate them to Japanese. Thank you for your permission for translation, Feshy.

Methinks that the Real Life IT geeks are futzing up a pretty simple system.

The Stealth program hides a hacker by 'erasing system tracks, and mimicking authorized traffic' (SR4, pg 227). Logs are system tracks folks. This is the catch-all for that stuff. I would probably use additional logs as a foil for sometime that the hacker is supposed to be especially careful....or when he's supposed to get caught.

I very much agree that the admin vs security vs user concepts are messed up, but!, any IC launched imho would watch the activities of the users or have an alternate key to shut them down. Doing something naughty? Prepare for the smiting! Know the secret password? Ignore the IC while it wanders around in circles looking for that naughty naughty user.
Also, one should have at least admin access to supress the alert, and security to have the IC key. Thereby giving a reason for security level access.

Another Geek

Yea!

I am really glad this got bumped up! This is exactly what I was looking for. Wow. Feshy, that was a lot of work you put into this example... and just to be helpful too.

Thank-you.

Oh, andif you or anyone else knows of any more threads of this ilk, please bump them. I have tried searching, I even did a "Hacking AND example" search and did not see this, so perhaps there are others.

...perhaps it is time for me to spend some karma on improving my SEARCH skills...