GrinderTheTroll
May 15 2006, 06:36 PM
Hi again all,
On average, how often do you have your nodes running Analyze to look for intruders? It goes without saying more secure nodes would probably be checking each time someone enters and then again every minute or so, maybe even after each action they perform? I'd assume a glitch triggers an immediate test, and a critical glitch an alert. I'm curious as to how everyone else manages this.
Only part about this that still bugs me is that once inside, a Hacker is, for all intents and purposes, a legit user, albeit with a hacked account. The only way I'd wager Analyze would know otherwise is if they keep a list of valid Access IDs for each account. If that's the case, you could hack account access and Spoof the ID of a valid node and, glitching aside, be Joe_User_01 with no chance of detection. However, that's not the case with SR4.
Any ideas on how Analyze knows you're not legit even with "all the bases" covered?
Edward
May 16 2006, 04:22 AM
As a security hacker setting up the system, if I could spare the system resources to run the program at all, I would have an IC agent running it with every action it didn’t have something else to do (attack an intruder).
There is no reason not to have it running continuously.
The problem with this however is that it makes hacking very very difficult. One solution would be to have an IC agent with detection programs but no attack programs to save runtime; on detection of an intruder it wastes an action changing the running programs, giving the hacker a free action.
Edward
Serbitar
May 16 2006, 08:18 AM
As given in my example here, I allow a scan for every illegitimate action, by IC only. The node resists hacking attempts with firewall+system when the hacking skill is used for an illegitimate action.
mdynna
May 16 2006, 03:05 PM
Keep in mind that if an IC is running the Analyze program, then the rating of that Analyze program doesn't get rolled for the initial "hacking in" attempt. Those dice are supposed to be the Node's Firewall + Analyze. Any IC/Agents running on the Node aren't in the picture yet.
In my world, pretty much any Node/Commlink whose owner is remotely worried about security runs an Analyze program. I see it as the first thing that gets installed when securing a system (besides the Firewall itself, that is).
Aaron
May 16 2006, 03:29 PM
QUOTE (mdynna) |
Keep in mind that if an IC is running the Analyze program, then the rating of that Analyze program doesn't get rolled for the initial "hacking in" attempt. Those dice are supposed to be the Node's Firewall + Analyze. Any IC/Agents running on the Node aren't in the picture yet. |
I am confused. If the Analyze program isn't running on the node (while being used by the agent), where is it running?
Edward
May 16 2006, 04:43 PM
Depending on the interpretation, a node running IC with an analyze program may need to run a second analyze program (or the same program a second time) to augment the firewall.
Edward
Shrike30
May 16 2006, 05:28 PM
That's pretty much how I do it. Things are "compartmented" inside of IC when they're being run by IC... the code for that piece of IC was compiled with an Analyse equivalent built into it. If the node itself wants to run Analyse, it needs to have its own copy loaded into memory (because the IC's Analyse is part of its own code).
Rotbart van Dainig
May 16 2006, 05:49 PM
QUOTE (Aaron) |
I am confused. If the Analyze program isn't running on the node (while being used by the agent), where is it running? |
On the Agent, which is a 'Node' itself.
Aaron
May 16 2006, 06:01 PM
QUOTE (Rotbart van Dainig) |
On the Agent, which is a 'Node' itself. |
I've heard that interpretation, but I find it hard to agree with. My biggest problem with the concept is the free running programs: if I have a System 5 commlink, why can I run four Rating 5 agents each running four programs of their own (total of twenty programs) with no Response degradation, but if I try to run half that, I lose two Response?
mdynna
May 16 2006, 06:09 PM
Well then, that's the second interpretation of the rules: that every program running on the Agent counts towards the node's total limit of programs. In that case I would rule that Agents and the Node itself can "share" programs. It depends how you want to play it.
However, I had thought that it was like Shrike30 above explains it. The Agent gets "compiled" with a certain number of built-in programs. The program load out cannot be quickly changed (side note: I don't think there are rules on this but I would say Agent Rating minutes would be a good rule). However, the flip-side is that the Agent and all of its "inherent" programs all count as 1 program as far as the Node is concerned. The Agent acts totally independent of the Node, using its own programs and performing its own actions.
Aaron
May 16 2006, 06:19 PM
I was under the understanding that the agent had to load the program (whip it out, as it were) into the node it was residing in to use it. By extension, I also presumed that an agent running on a node with access to that node's programs could use those programs.
By extension, of course, this means a hacker who broke into a node with admin privileges would be able to use the same BlackHammer program against the security hacker that the same security hacker is using to beat her up. Hm ...
Shrike30
May 16 2006, 06:21 PM
It's worth noting that when a "node" isn't something like a drone or commlink (that is, when you're screwing around in a corporate mainframe or whatever) I don't apply the decreasing Response rule to the system you're on. If you can fit a rating 6 commlink, including all of its memory and chips, into something the size of an iPod, then you can damn sure get enough parallel processors into something the size of a server rack slot that you can run a few programs without slowing down.
I'd probably apply this to characters, too... if they want to drag something that size into a run location, they can have as many programs going as they want. Think about it... if you could smuggle your hardware into their server room, you could have a real party in their node.
mdynna: I'm still up in the air as to whether or not Agents count as only 1 rating (Agent rating) program, or the sum of the Agent and its component programs. This will hopefully get answered in Unwired, but I'm inclined to say that it's actually the sum of the agent and his components. What you gain by running an Agent isn't a massive jump in processor use efficiency (in exchange for the minor drawback of inflexibility)... you gain essentially an NPC running parallel to you, and doubling the number of actions you can take over any given period of time. So, if it were actually Agent+All Programs, people would either tend to build a really tricked out agent, and then upload it to the node (because it makes their commlink draaaaaaag when they fire up their Agent) or have an Agent running (at max) a couple of programs riding shotgun on their own commlink.
mdynna
May 16 2006, 06:52 PM
Ok, but you're saying that the Agent and all of its programs only count towards your Commlink's limit as long as the Agent is running on the Commlink. As soon as you load it onto the corp computer then it doesn't count anymore?
Rotbart van Dainig
May 16 2006, 07:04 PM
QUOTE (Aaron) |
I was under the understanding that the agent had to load the program (whip it out, as it were) into the node it was residing in to use it. By extension, I also presumed that an agent running on a node with access to that node's programs could use those programs. |
Yet, those Programs run on the Agent's System - meaning they don't count to the System limit of the Node the Agent runs on.
GrinderTheTroll
May 16 2006, 07:53 PM
QUOTE (Rotbart van Dainig) |
QUOTE (Aaron @ May 16 2006, 08:19 PM) | I was under the understanding that the agent had to load the program (whip it out, as it were) into the node it was residing in to use it. By extension, I also presumed that an agent running on a node with access to that node's programs could use those programs. |
Yet, those Programs run on the Agent's System - meaning they don't count to the System limit of the Node the Agent runs on.
|
Agents also use the current node's Response rating as their own. This means their System rating <= Response, so program caps start happening.
GrinderTheTroll
May 16 2006, 07:55 PM
QUOTE (Serbitar) |
As given in my example here I allow a scan for every illegitimate action, by IC only. The node resists hacking attempts with firewall+system when the hacking skill is used for an illegitimate action. |
So if you've hacked yourself in (Hacking) as a Legit user, wouldn't you start using your Computer Skill to manipulate files your Account has access to? I mean, you could still use Hacking instead, but I'm still lost on how a Node knows you're not legit when you are doing legit things with a Hacked account.
Rotbart van Dainig
May 16 2006, 08:20 PM
QUOTE (GrinderTheTroll) |
Agents also use the current node's Response rating as their own. This means their System rating <= Response, so program caps start happening. |
Sure... to the inherited Response of the Agent.
Moon-Hawk
May 16 2006, 08:35 PM
QUOTE (GrinderTheTroll) |
I mean, you could still use Hacking instead, but I'm still lost on how a Node knows you're not legit when you are doing legit things with a Hacked account. |
A node doesn't know you're not legit if you're doing legit things with a legit account. If you've logged in using a valid passcode (not hacked in), such as an account you managed to get out of some wageslave, and you're only performing actions that are legit for his account, then you use computer instead of hacking and you're completely unopposed.
I'm not understanding something, I think. What exactly is the case you're talking about where the node knows you're not legit?
Shrike30
May 16 2006, 09:07 PM
If you're hacked in with some account, anything you do that that account should be able to do uses your Computer skill (not hacking) and won't twig any alarms. If you do something that requires you to Hack the computer, it gets a chance to spot you.
The advantage to having a high-end account would be that a number of actions become legal, and don't run the risk of setting off any alarms.
QUOTE (mdynna) |
Ok, but you're saying that the Agent and all of its programs only count towards your Commlink's limit as long as the Agent is running on the Commlink. As soon as you load it onto the corp computer then it doesn't count anymore? |
Exactly. Hence, why you might want to build an enormously scary Agent, even though it makes your commlink grind to a halt to fire it up... once you've gotten it onto their ginormous hardware, that thing can do a lot more than one you can effectively run alongside of your own processes on your fist-sized computer... you just need to get a chance to upload it.
Aaron
May 16 2006, 09:12 PM
From my reading of the rules, it seems that Computer is used for legitimate purposes, and Hacking for things you're not supposed to be doing. Thus, after breaking into a student's commlink, changing their term paper would be Computer + Edit, whereas changing the log file to make it look like you weren't there would be Hacking + Edit.
Shrike30
May 16 2006, 09:18 PM
QUOTE (Aaron) |
From my reading of the rules, it seems that Computer is used for legitimate purposes, and Hacking for things you're not supposed to be doing. Thus, after breaking into a student's commlink, changing their term paper would be Computer + Edit, whereas changing the log file to make it look like you weren't there would be Hacking + Edit. |
Perfect example.
Now, if you had Admin access to his commlink (for whatever reason... I often simply say that "dumb" objects like commlinks aimed at the average joe won't even have some of the higher-up access levels), changing that log could very well *not* be Hacking, assuming that Admin-level users are supposed to be able to change that log.
Be very careful what you give different user-levels permission to do. I find it comes in handy to have a notecard handy where I've jotted down what the "typical Security user" or whatever is capable of doing on a system.
mdynna
May 16 2006, 09:33 PM
QUOTE (Shrike30) |
Exactly. Hence, why you might want to build an enormously scary Agent, even though it makes your commlink grind to a halt to fire it up... once you've gotten it onto their ginormous hardware, that thing can do a lot more than one you can effectively run alongside of your own processes on your fist-sized computer... you just need to get a chance to upload it. |
Ok, and while you are trying to get that big fat Agent onto the target "mainframe" you have a big performance hit. Like if you have 6 programs running, then start up a fully-loaded Rating 6 Agent. You now have 13 (6 yours + 6 Agent's + Agent itself?) running, meaning -2 Response. The rules for changes in Initiative say that this -2 takes effect immediately and would remain in effect until the next Round. Getting the Agent onto the target Node would be 2 Complex Actions. One to load the Agent, one more to transfer it from your Commlink to the host.
Here's something interesting I just thought of: what about if you set that Agent to run independently? Would it need to validate its own account on the target system, or would it continue to use the one your Persona hacked in with?
GrinderTheTroll
May 16 2006, 09:51 PM
QUOTE (Moon-Hawk) |
QUOTE (GrinderTheTroll @ May 16 2006, 02:55 PM) | I mean, you could still use Hacking instead, but I'm still lost on how a Node knows you're not legit when you are doing legit things with a Hacked account. |
A node doesn't know you're not legit if you're doing legit things with a legit account. If you've logged in using a valid passcode (not hacked in), such as an account you managed to get out of some wageslave, and you're only performing actions that are legit for his account, then you use computer instead of hacking and you're completely unopposed. I'm not understanding something, I think. What exactly is the case you're talking about where the node knows you're not legit?
|
There are a few great examples here that touch on what I am mentioning.
Once inside (hacked or otherwise) if a Node scans your every move you'd be fine as long as you are continuing to use your Computer skill or perform legit actions appropriate to the account you've hacked. Once you start using your Hacking skill, I can see where the Node Analyze would become a problem.
Maybe it's not stated in SR4 in those exact terms, but it took me a while to dig it out for myself.
mdynna
May 16 2006, 10:33 PM
I think what's going on here is that people have different ideas about what constitutes a "legit" user. I think the interpretation that most people (including myself) take is this: once a Hacker has successfully beat the Firewall (+ whatever modifiers) threshold for their desired access level then they have effectively "stolen" a legitimate user account for that access level. If the Hacker didn't raise an alarm when breaking in they should be able to take whatever actions the GM deems are allowed for that user level on that system, and use their Computer skill to perform them.
As soon as they wish to do something that is not permitted by their current user level they switch to using the Hacking skill. In Shrike30's example, he is having the System (and any patrolling IC) make rolls to detect the Hacker every time one of these actions is taken. I would also say that if the Hacker raises an alarm on the way in then the system and/or IC start to scan everything that is going on in the system because they are "pretty sure there is an intruder somewhere."
All of these rules seem fairly reasonable to me. The Hacker basically has to decide on a greater chance of raising an alarm while breaking in (going for higher access), or chancing the rolls while they are in the system. The decision should probably be based on what they expect to be doing while they are in the system.
GrinderTheTroll
May 16 2006, 10:36 PM
QUOTE (mdynna) |
I think what's going on here is that people have different ideas about what constitutes a "legit" user. I think the interpretation that most people (including myself) take is this: once a Hacker has successfully beat the Firewall (+ whatever modifiers) threshold for their desired access level then they have effectively "stolen" a legitimate user account for that access level. If the Hacker didn't raise an alarm when breaking in they should be able to take whatever actions the GM deems are allowed for that user level on that system, and use their Computer skill to perform them.
As soon as they wish to do something that is not permitted by their current user level they switch to using the Hacking skill. In Shrike30's example, he is having the System (and any patrolling IC) make rolls to detect the Hacker every time one of these actions is taken. I would also say that if the Hacker raises an alarm on the way in then the system and/or IC start to scan everything that is going on in the system because they are "pretty sure there is an intruder somewhere."
All of these rules seem fairly reasonable to me. The Hacker basically has to decide on a greater chance of raising an alarm while breaking in (going for higher access), or chancing the rolls while they are in the system. The decision should probably be based on what they expect to be doing while they are in the system. |
Nice Summary.
Thanks everyone for the feedback here, it's been really helpful for me and my group.
Shrike30
May 16 2006, 11:48 PM
QUOTE (mdynna) |
Here's something interesting I just thought of: what about if you set that Agent to run independently? Would it need to validate its own account on the target system, or would it continue to use the one your Persona hacked in with? |
I've been having the Agent use the same login its owner used... there's nothing inherently wrong with using an Agent (there's plenty of legit uses for them, like running a Data Search elsewhere while you surf the Urban Brawl League node), so the fact that someone's login has an agent executing commands for them shouldn't really raise any hackles unless security on the server is phenomenally tight (basically, the GM says they're so paranoid they don't allow Agents). If that were the case, or if you wanted the Agent to drop in as another user, you'd have to dig up another login.
Also, if the server were to block out the access privileges of that account for whatever reason, your Agent would be just as SOL as you are.
Serbitar
May 17 2006, 10:30 AM
QUOTE (GrinderTheTroll) |
QUOTE (Serbitar @ May 16 2006, 01:18 AM) | As given in my example here I allow a scan for every illegitimate action, by IC only. The node resists hacking attempts with firewall+system when the hacking skill is used for an illegitimate action. |
So if you've hacked yourself in (Hacking) as a Legit user, wouldn't you start using your Computer Skill to manipulate files your Account has access to? I mean, you could still use Hacking instead, but I'm still lost on how a Node knows you're not legit when you are doing legit things with a Hacked account.
|
Yes you would. For actions that are legit for your hacked account, you use computer+skill (if at all) and the system does not roll against you. At least in my world . . .
Serbitar
May 17 2006, 10:33 AM
QUOTE (GrinderTheTroll @ May 16 2006, 04:51 PM) |
There are a few great examples here that touch on what I am mentioning.
Once inside (hacked or otherwise) if a Node scans your every move you'd be fine as long as you are continuing to use your Computer skill or perform legit actions appropriate to the account you've hacked. Once you start using your Hacking skill, I can see where the Node Analyze would become a problem.
Maybe it's not stated in SR4 in those exact terms, but it took me a while to dig it out for myself. |
That's exactly my opinion and what I use in my thread.
Edward
May 17 2006, 11:04 AM
QUOTE (Shrike30) |
It's worth noting that when a "node" isn't something like a drone or commlink (that is, when you're screwing around in a corporate mainframe or whatever) I don't apply the decreasing Response rule to the system you're on. If you can fit a rating 6 commlink, including all of its memory and chips, into something the size of an iPod, then you can damn sure get enough parallel processors into something the size of a server rack slot that you can run a few programs without slowing down.
I'd probably apply this to characters, too... if they want to drag something that size into a run location, they can have as many programs going as they want. Think about it... if you could smuggle your hardware into their server room, you could have a real party in their node.
|
I like this for logic but not for balance. If I owned one of those nodes I could have unlimited agents with me while the host is sitting in a car nearby, the agents will come over the wireless matrix (through a trail of breadcrumbs if need be).
Even if I don’t have one of my own (they’re expensive) I could hack a corporate host and steal from them. You could do this in SR3 as well, of course.
Admin users can’t change logs today, only delete them. At best, if admin could edit the log, immediately after another line would be added:
Dd/mm/yyyy, log edited, admin account XXXXXXXX
So they know somebody edited the log, if you don’t want that you have to hack it.
Edward
Shrike30
May 17 2006, 07:42 PM
QUOTE (Edward) |
I like this for logic but not for balance. If I owned one of those nodes I could have unlimited agents with me while the host is sitting in a car nearby, the agents will come over the wireless matrix (through a trail of breadcrumbs if need be). |
If one of my players wants to put in the kind of time and effort that it'd take to put a mainframe together, then drag it around with him on runs, he's welcome to. Pretty basic security precautions (like having doors between areas that seal, that also block wireless transmissions) can make "breadcrumbing" your way into the area a bitch and a half.
You've also got to bring those Agents down your daisy chain one at a time, unless you want the commlinks you're using along the way to crash, or the rating of the Agent to be so lowered that it gets detected, and causes the system to go autistic.
The kind of hardware I'm talking about here is something you could fit in the back of a van, or a large trunk of a car, once you figured in power sources, air conditioning, and all the rest, and it's friggin' expensive. Any hacker who wants to drag around that much hardware is welcome to try it, but it'll eventually cause problems, having that many eggs in one h4xmobile.
GrinderTheTroll
May 17 2006, 08:33 PM
QUOTE (Shrike30) |
QUOTE (Edward @ May 17 2006, 03:04 AM) | I like this for logic but not for balance. If I owned one of those nodes I could have unlimited agents with me while the host is sitting in a car nearby, the agents will come over the wireless matrix (through a trail of breadcrumbs if need be). |
If one of my players wants to put in the kind of time and effort that it'd take to put a mainframe together, then drag it around with him on runs, he's welcome to. Pretty basic security precautions (like having doors between areas that seal, that also block wireless transmissions) can make "breadcrumbing" your way into the area a bitch and a half.
You've also got to bring those Agents down your daisy chain one at a time, unless you want the commlinks you're using along the way to crash, or the rating of the Agent to be so lowered that it gets detected, and causes the system to go autistic.
The kind of hardware I'm talking about here is something you could fit in the back of a van, or a large trunk of a car, once you figured in power sources, air conditioning, and all the rest, and it's friggin' expensive. Any hacker who wants to drag around that much hardware is welcome to try it, but it'll eventually cause problems, having that many eggs in one h4xmobile.
|
I'm confused, what's the advantage doing this, given you're not using the Response/System limitation?
Shrike30
May 17 2006, 09:02 PM
The only cases in which I don't have massive numbers of running programs lower the Response of a node is when the node is representative of some massive piece of hardware, like a mainframe. Inside of your commlink, the rule still applies. This exception was put into place due to the fact that I have a really hard time imagining 7 users running Browse on a corporate mainframe causing a performance hit.
Edward pointed out that this causes an issue if a player gets inventive, buys himself a mainframe of some sort, and uses it as a home base for his army of Agents (oh god, second Matrix movie flashbacks...). I replied, acknowledging that there were advantages to doing this, but pointed out a few disadvantages I could think of, saying that I felt it wouldn't cause a balance issue.
mdynna
May 17 2006, 09:11 PM
Shrike30 is saying (and I whole-heartedly agree) that there exist systems in the world that are big, powerful computers. These are the kind of computers that corporations put everything on. Although the "raw" processing power of these systems is limited (they have a System rating of <= 6, usually) they have enough parallel processing capability that they can run an unlimited number of programs/agents (and have an unlimited subscriber list?) without suffering system response.
It seems Shrike30 sees the same problem that I do: The Renraku SCIRE Main Host should not be limited to running 6 programs simultaneously. These "mainframe" hosts should not be affected by the same rules as joe-nobody's Commlink.
Think about it: does something like the IBM HQ Data Center run on your average $1,000 laptop? No way, they need tons more power than that. Those massively powerful computers they have are physically huge, need to be temperature controlled, and can run thousands of programs at once. In SR, does it make sense that the Renraku HQ Main Host have the same program limitations as a Y 2,000 Commlink? Absolutely not.
If you still think they should, please look up my rant (forget which thread) about the entire SR4 Matrix being run on modified Meta Link Commlinks.
GrinderTheTroll
May 17 2006, 09:27 PM
Thanks for clarifying that.
My question now is this: SR4 says IC counts against a node's running total but does it explicitly mention Agents? I know IC and Agents are similar, but are they truly the same? Are Agents (much like Personas are to Nodes) a sub-set of IC? If so, then perhaps Agents *do not* count against a node's Response but IC does? Ultimately, if Agents and IC are the same, why specify a difference unless different rules exist?
mdynna
May 17 2006, 09:37 PM
The two names are kind of a legacy thing. Way back, originally, Agents were not part of the "standard" rules, and IC were the only "autonomous" programs. In later books (in SR3 it was Matrix) they added rules for Frames and Agents that players could create.
To answer your question directly: yes, an IC is a sub-set of an Agent. An IC is an Agent that is activated/runs for the specific purpose of finding and dealing with electronic intruders. However, I don't think they should be treated with any different rules.
I am past trying to resolve what is written in the book, I am on to making my own sensible Wireless World rules.
Aaron
May 17 2006, 09:39 PM
Hm. Parallel processors might do the trick. A machine large enough to have several parallel processors, all with the same stats, could run at the stated Ratings, but bump the Response limitation up to the total of the processors. For example, a mainframe with System 3 running five processors in parallel would be at least the size of our modern towers, have a System Rating of 3, and not suffer a Response hit until it's running fifteen programs.
The cost would have to be prohibitive, or at least inconvenient, just for the sake of balance and for keeping hackers from running around with backpacks full of commlinks (maybe the power requirements would be too much for batteries?).
Shrike30
May 17 2006, 09:42 PM
That runner gets shot at from behind, and his whole rig goes to hell. The heat he's generating running that many commlinks makes him easier to see on thermal. Or you could just forbid parallel linking of commlinks, and say it's a server-rack only kinda deal. However you choose to balance it, what works for your game is the best solution.