New Operations

Edit Host
Test: Control (See Below)
Utility: Root
Action: Complex
This operation allows a user to temporarily alter the basic functions of a host by manipulating the link libraries that make up its operations. It has one of three effects, chosen by the user when the test is made: it can enable or disable a system operation; it can change the function of a system operation; or it can embed a command set so that it will not be erased upon host shutdown. A user who changes the function of an operation can impair it so that one aspect of that operation is impossible to accomplish; for instance, removing the ability to create new files with the Edit Data operation. Alternatively, a user could lock an operation into performing only one aspect of its function; disabling everything but the audio feed on Monitor Slave operation would be one example. A user could even switch one system operation with another, so long as the two operations fall under the same subsystem. A user attempting a switched operation automatically employs the appropriate utility, if he has it. In any case, a user gets a free Sensor test against the host's Security Value to notice that a system operation has been altered, before he attempts the altered operation.

To use the Edit Host operation, a user must make a Control test at +6 TN. On a Blue host, the operation is successful if the decker scores a single net success; on a Green host, the test has a threshold of 2; on an Orange, 4; and on a Red, 6. Altered operations remain in place for 1d6 x 10 hours per net success; at the end of this time, the host's self-tests note the change, and reset them to their original configuration. A user who notices an altered operation can restore with another Edit Host operation, reducing the original user's successes with his own. Successive tests in pursuit of a common end result accumulate results, to a maximum number of results equal to twice the hacker's Computer (Decking) specialization.
The Edit Host operation is limited in scope. The list of system operations that Edit Host can affect is: Abort Host Shutdown, Analyze Host, Analyze Icon, Analyze Operation, Analyze Security, Analyze Subsystem, Control Slave, Crash Host, Decrypt Access, Decrypt File, Decrypt Slave, Disarm Data Bomb, Download Data, Edit File, Edit Slave, Encrypt Access, Encrypt File, Encrypt Slave, Graceful Logoff, Locate Access Node, Locate Decker, Locate File, Locate Frame, Locate Slave, Locate Tortise Users, Make Comcall, Monitor Slave, Send Data.

Edit Security
Test: Control (See Below)
Utility: Root
Action: Complex
This operation allows a user to directly manipulate the security sheaf, changing what type of IC activates at a given trigger step, or changing the security tally at which a trigger step activates. It is up to the GM what IC might be stored on the system but not linked to a trigger step, but at the very least, a user can select from the IC listed in the security sheaf. A user cannot raise a trigger step higher than its normal maximum value for a host; for instance, the third trigger step on an Orange host cannot be higher than 15 (6/2+3, see SR3 p.211 for details). Each trigger step must have IC associated with it; the maximum security tally on a host is equal to the maximum trigger step value times the host's security value; at that point, the host automatically attempts to shut itself down every turn. A user can also move the trigger step of the Passive Alert, Active Alert, or System Shutdown up or down one step at a time. A successful Edit Security operation can also lower the user's security tally by one point per two net successes.
To use the Edit Security operation, a user must make a Control test at +6 TN. On a Blue host, the operation is successful if the decker scores a single net success; on a Green host, the test has a threshold of 2; on an Orange, 4; and on a Red, 6.

Subvert Host
Test: Control (See Below)
Utility: Slash
Action: Complex
This operation introduces viral software into operating system of the host, degrading its error-checking and intrusion detection functions and lowering the effectiveness of the host. To do this, a user makes a Control test at +6 TN; on a Blue host, the operation is successful if the decker scores a single net success; on a Green host, the test has a threshold of 2; on an Orange, 4; and on a Red, 6. For every two net successes on the test, lower the security value of the host by 1. The user's security tally automatically goes up by the same amount that the security value goes down, in additon to any successes scored by the host on the system test. If the security value is brought to 0, the host immediately goes offline and shuts down. All connected users are dumped, and suffer dumpshock with a power of 2. The security value is fully restored when the host is restarted.

Subvert Subsystem
Test: Targeted Subsystem (See Below)
Utility: Slash
Action: Complex
This operation introduces viral software into a targeted subsystem--Access, Control, Index, Files, or Slave--degrading its error-checking and intrusion detection functions, lowering the effectiveness of the subsystem. To do this, a user makes a test against the targeted subsystem at +6 TN; on a Blue host, the operation is successful if the decker scores a single net success; on a Green host, the test has a threshold of 2; on an Orange, 4; and on a Red, 6. Every net success on the test lowers the subsystem's value by 1; every two successes automatically raises the user's security tally by 1, in addition to any successes scored by the host on the system test. If a subsystem is brought to 0, no system operations related to that subsystem are possible until the host is shut down and restarted, at which point all damaged subsystems are fully restored.

Destroy Host
Test: Control (See Below)
Utility: Burn
Action: Complex
This operation sends a power surge through the host's processor, damaging or burning it out completely. To do this, a user makes a Control test at +6 TN; on a Blue host, the operation is successful if the decker scores a single net success; on a Green host, the test has a threshold of 2; on an Orange, 4; and on a Red, 6. For every two net successes on the test, permanently lower the security value of the host by 1. The user's security tally automatically goes up by the number of net successes scored on the test, in addition to any successes scored by the host on the system test. The damage to the host's security value can only be remedied by replacing the processor. Because the host is If the security value is brought to 0, the host immediately goes offline and shuts down. All connected users are dumped, and suffer dumpshock with a power of 2.

Destroy Node
Test: Control or Slave(See Below)
Utility: Burn
Action: Complex
This operation can destroy almost any external hardware connected to the system, generally by sending a barrage of high-voltage jolts through it. Vulnerable hardware includes cyberterminals and anything controlled by a slave node. To do this, a user makes a Control test at +2 TN. On a Blue or Green host, the operation is successful if the user scores a single net success; on an Orange host, the test has a threshold of 2; and on a Red, 3. For every net success (past the threshold) on the test, permanently reduce the rating of the connected hardware by one point; if the hardware does not have a rating, a user can destroy it by building up a number of successes equal to half the host's Slave rating over the course of as many tests as are required. Massive hardware, such as factory machinery, generally requires a total number of successes equal to the host's Slave rating. Only one piece of hardware can be targeted per test; for instance, a decker attempting to destroy all of the cameras in a facility would have to destroy each camera. individually.

New Utilities

Root
Multiplier: 5
Options: A
System Operations: Edit Host, Edit Security
This program creates a temporary root hack, allowing the user to access a host's basic functions.

Slash
Multiplier: 10
Options: A
System Operations: Subvert Host, Subvert Subsystem
This program studies the host or subsystem, searching out areas in the code which can be manipulated to damage the host or subsystem's effectiveness.

Burn
Multiplier: 20
Options: A
System Operations: Destroy Host
This program studies a piece of hardware, searching out connections which can be used to physically damage the target.

Log Tracing

It is possible to track decker activities by studying the host logs of their activities, by making a Log Trace test. An investigator must first get a copy of the host's log, by using the Dump Log operation. Once the investigator has the host's log, he makes a Computer (Decking) test against a base TN equal to the decker's Detection Factor. Other factors affect the Log Trace test's TN:

* If the decker's Security Tally was less than 5, the TN rises by +2; if between 6 and 10, the TN rises by +1; if between 11 and 15, the TN is not affected. Every 5 points of security tally above 15 reduces the TN by -1.
* If the decker has performed the Graceful Logoff operation, the TN rises by +8.
* If examining the log for a grid or host that the decker has performed the Edit Log operation on, the TN rises by +8.
* If examining the log for a grid that the decker has performed the Redirect Datatrail operation on, the TN rises by +8.
* If the decker used one or more valid accounts (either real ones, or those created via the Validate Account operation), reduce the TN by -4, if the highest-rated account was User-level; -6, if the highest-rated account was Security-level; or -8, if the highest-rated account was Administrator-level.
* Every round that the decker spent in cybercombat reduces the TN by -1.
* If the decker was hit with Trace IC that reached the Location cycle, or if the investigator has access to information provided by another decker whose Track utility reached the Location cycle, reduce the TN by -2. Multiple Traces/Tracks that reached the Location cycle provide a further -1 TN each, to a maximum of -4 TN.
* If the decker was hit with Trace IC that completed the Location cycle, or if the investigator has access to information provided by another decker whose Track utility completed the Location cycle, reduce the TN by a total of -8, including the -2 for reaching the Location cycle. Further Traces/Tracks which completed the location cycle provide a further -2 TN each, to a maximum total TN mod of -12. The maximum TN mod provided by Traces/Tracks which reach and/or complete the Location cycle is -12.
* If the investigator has data from other, previously-investigated logs of a specific decker's activity, he may choose to cross-reference them if at least 4 successes were obtained on the previous logs. Each log so cross-referenced provides a -2 to the TN, to a maximum of four logs and -8 TN. However, if the investigator cross-references the wrong logs (eg, the logs are not of the decker currently being pursued), each log referenced increases the TN by +2.
* Every fifteen-minute increment that passes between the time the decker left the host or grid and the time the log under study was dumped raises the TN by +1.

Each Trace Log test has a base time of one hour. Successes on this test are compared to the table below; extra successes can be used to reduce the base time. If an investigator wishes to use Trace Log tests to find a decker's jackpoint, he must follow the decker's path backwards through the Matrix, accessing and examining the log of every host or grid the decker accessed.

1. A decker or deckers have invaded the system.
2. The number of deckers is known, and a general idea of their activities can be determined (datasteal, overwatch, etc.)
3. The address of the host or grid that the decker/deckers connected from is known. If the decker connected directly to the host, the jackpoint address is known.
4. More of the decker's/deckers' activities can be determined--specifics like what files were downloaded during a datasteal, what camera slaves were edited during overwatch, etc.
5. Further details can be determined, such as what IC the decker activated, how the decker handled the IC, etcetera.

Persona Program Subprocessors

Overview
A variety of new routines for cyberdeck functions have been discovered during the past decade, which can be programmed into existing persona programs in order to expand their utility.

Limitations and Activation
However, the base MPCP chip doesn't have the firmware required to run these new routines; a subprocessor must be linked to each persona program chip in order for the routines to run. Furthermore, the MPCP can only accept input from one persona program subprocessor at a time, and the persona program itself requires more processing power from the MPCP--the deck must be running in a mode that boosts the rating of the desired persona program. For instance, in order to gain the advantage offered by the Bod subprocessor, the deck must be running in Bod mode.
Each persona program subprocessor has a different effect. If a subprocessor for a given persona program is installed, it is automatically activated whenever the deck is running in a mode that boosts that persona program. If multiple persona programs are boosted by the current mode, the one with the largest boost is considered active; if two or more programs are getting the same boost, the highest total rated program is considered active. The decker can choose not to run any subprocessor.

Installation
Adding a persona program subprocessor is treated as creating a new persona program. If the persona program is pre-existing, subtract the time for creating the base persona progam from the programming time of the subprocessor; re-installation of the program chip is unnecessary. The Design and Software tests incur a +2 modifier to the TN, and the size multiplier for the persona program rises by +1. A seperate installation test is made for the subprocessor, with the same base time and TN as the persona program. The parts cost of the subprocessor is 50¥*(rating2 ).

Subprocessor Effects

Bod Subprocessor
Advanced error-checking routines reduce the effects of icon damage. For every two points of Hardening on the deck, subtract one box from your current icon damage before determining injury modifiers. The damage is not actually reduced, only its effects.

Evasion Subprocessor
Multiple processors allow for multitasking in cybercombat. The decker can perform two combat maneuvers at the same time, splitting the net successes from the maneuver opposed check between both maneuvers as desired. Only one roll is made by the decker and the opponent for the combined maneuvers. The maneuvers being performed must be chosen before the rolls are made.

Masking Subprocessor
Internalization of some processing needs lessens the chance that the host's security software will detect planted commands in the queue. The decker's Detection Factor rises by +1.

Sensor Subprocessor
Additions to the logic structure enable collatting of new telltales. Add the following options to the respective Analyze operations.

Analyze Host
* Ratings an untriggered bouncer host will assume when it bounces
* Whether a previously-located SAN is one-way or not
* Ratings of the real host, if in a previously-detected Virtual Machine

Analyze IC
* Any options the IC has, 1 per success

Analyze Icon
* Current access level of icon (invalid, user, security, administrator)

Analyze Security
* Next trigger step
* Next IC in sheaf

Why?
because i can. these were originally going to be a submission for SOTA:65, but weren't accepted for obvious reasons. the "decker evolution" thread reminded me of them, so i thought i'd post 'em.

my intention with this collection was to expand the world of decking, specifically at the top end. you might notice that a lot of the operations require 4, 6, 8, or more net successes. this is because at the level i expect deckers to start using these, most normal systems just won't provide much of a challenge to them. likewise, the log tracing rules were added to provide an extra level of difficulty to even normal decker runs. sure, most of the time, the difficulty of log tracing will provide deckers with plenty of protection from it--the time factor alone acts as a firebreak. but once in a while, they might find themselves hunted by a hot forensic decker who knows their every move before they even make it. moreover, log tracing provides a deterrent to using the "cheap" loophole of simply creating a security or admin account and performing most actions without even having to roll.