The hacker is in his commlink if directly hacking something within range of his signal or he is hacking from the node in the matrix that connects to the node he is trying to hack into.

A security node for a facility may have several signal repeaters throughout the facility. Turn off the repeaters nearest the hacker, and suddenly he's out of range. Another nasty trick would be to temporarily suspend all new log ins even admin. Only users who are already logged into the node can then take action in it. Alternatively the node may only allow 1 log in attempt per minute.

The hacker likely set off an alert breaking in so its completely reasonable. Keep in mind the +4 firewall dice are now in effect since the hacker set off an alert. It may also try to immediately close his connection.

No but the +4 alert bonus will likely make it so, very quickly.

I'd say they are in their own commlink node. However the argument could be made that technomancers are just floating about.

What's happening is that she's looking at the node, trying to find a way to get in. Her icon is, as far as I can tell from the rules, at the target node, just not on the inside of it.

When she's probing (what I like to call the "slow, romantic way"), she's scanning ports, figuring out what the traffic patterns are, learning about legitimate users, and the like. She's looking for a way in, and doesn't move until she's certain she has a way to get into the node. This is why the node only gets one roll against the intrusion.

When she's hacking "on the fly," she is also looking at the node, but she tries every possible method she finds, rather than analyzing each opening. She's making an intrusion attempt every time she rolls the dice, and the system has a chance to detect that intrusion.

There are options, and you, as GM, has to decide what action the node will take. Personally, I like to decide ahead of time what the node will do, and sort of write up a script of what happens. In real life, automated security systems also have scripts to follow under circumstances like an intruder alert, so this is feasible. If you haven't any idea what to do, there's a table on page 223 that lets you determine alert responses randomly. Actually, it's a pretty good list, so I'll go through it and hopefully describe each option with a bit more clarity than the (rather terse) rules offer.

Launch Track IC
First off, the node's Firewall gets a +4 bonus against the detected hacker (this comes for free with the alert), and the node records the hacker's Matrix ID. Then, the node uses its next action to load an IC program that comes with the Track program. The IC then uses the Track action, an Extended Pilot + Track Test (10, one Complex Action) to find the hacker's meatspace location. Note that the IC's dice pool for this test is reduced by the Rating of the Stealth program that the hacker is running, if any. If the hacker's location is found, the node will alert the appropriate authorities (Lone Star or Knight Errant, Corp Security, gang leaders, crime syndicate hit squad, what have you).

A nasty variant of this is IC that also carries Blackout, to jam the hacker's connection open and make the trace easier (the threshold is reduced by 2 if the hacker's connection is stuck open). The IC would attack the hacker's icon until it hits and jams the link open, then start the trace.

Launch Attack IC
Like the first choice, the node's Firewall gets a +4 bonus against the detected hacker (this comes for free with the alert), and the node records the hacker's Matrix ID. Then the node spends its next action launching IC that carries Attack and Armor.

Another variant of this is the node taking two actions, one to load IC to attack, and one to load IC to track, and have them both work on the hacker.

Launch Blackout or Black Hammer IC
Same deal as the last one, only the IC carries Blackout or Black Hammer. This one might compliment a tracking IC program better.

Scramble Security Hacker
Guess what? The node's Firewall gets a +4 bonus against the detected hacker (this comes for free with the alert), and the node records the hacker's Matrix ID. The node then alerts a hacker (spider) who's job it is to deal with intrusions. The hacker would be an NPC, and you'd have to prepare him ahead of time. Me, I'd just use the stats for the Tir Ghost Lieutenant on page 276.

Terminate Connection
You (deek) were absolutely correct in that terminating a hacker's connection to the node is a legitimate option. In fact, it's explicitly stated how it works.

First, of course, the node's Firewall gets a +4 bonus against the detected hacker (this comes for free with the alert), and the node records the hacker's Matrix ID. The node makes an Opposed Test with its System + Firewall against the hacker's Exploit + Hacking. If the node gets at least one net hit, the hacker is disconnected from the node and winds up back in his own node.

Interestingly, if the hacker is using a legitimate account or access ID for the node, his Exploit program doesn't help against the disconnect attempt, and he's stuck rolling only his Hacking skill.

System Reset/Shutdown
This one's extreme, but very effective. We start, as always, with the fact that the node's Firewall gets a +4 bonus against the detected hacker (this comes for free with the alert), and the node records the hacker's Matrix ID. Gee, I love copy-and-paste. Anyway, the node shuts down immediately, which disconnects the hacker, dumping him back into his own node. The node then starts the reboot process, which takes the form of an Extended System + Response Test (10, one Combat Turn). Then it's back up and the hacker has to start over, preferably with a new Matrix ID.


There ya go. Hope that was mildly helpful.