So there is always the system without patrol IC where you hack in as admin and have a jolly good time. Great for things you don't want to spend much time on in game.

Alright but what about when you do have patrolling IC.

First how often do you have it roll against the player?

Is there any way to completly stop it from finding you.

Also what if at some point you get into a fight with an IC and crash it. Seems like it should just reboot. Anyway to stop that.

Also is there any way to stop a system from shutting down?

1. How often the IC "patrols" is somewhat up to the GM. Until Unwired says otherwise, I tend to use similar rules for the Astral Patrolling in Street Magic. Astral patrolling involves physical distances to make the patrolling test more difficult on the astral being, so I usually rule that if one program is set to patrol more than one node, then it's more difficult as well. Also, I make a roll for the system any time a person does something for which they're not authorized, like a user initiating a system restart, for example.
   
2. No. A character can roll Hacking + Stealth to avoid being seen (Matrix Infiltration, if you will) but the IC might still roll better.
   
3. It could reboot if the system is designed to. Think of it this way, though: if your anti-virus program is compromised by a virus or trojan, the anti-virus software tends to continue to run even though it's not actually protecting your computer any more. Thus, the system might thing the IC is still running even though it's been dealt with by a Hacker. Like #1, exactly what happens which IC is crashed is largely up to the GM and the system.
   
4. I can imagine a system that would roll it's System + Firewall (for example) to detect an unauthorized or unexpected reboot process. Since the test to reboot a system is an extended test, there's then a chance that the system could notify a superuser or administrator that there's a problem. Depending on how fast that person moves, they might be able to keep the system up and running.

I always see this as a matter of intrusion. If you're using an established account that you've either had someone on the inside make, or skillfully inserted yourself, then it should either be indefinite, or measured in weeks for a target's security review mechanisms to realize the problem. On the other hand, if you just right-hooked your way in, then the classic hacker adage applies: "The longer you stay in a system, the greater the chance of detection, regardless of activity."

So you figure if you hack in and then spend the time to give yourself and actual password and the like. Then log out and log in again using that the IC will simply regard you as a normal user regardless of activity.

I guess that makes sense.

Still, if a legitimate account begins to perform actions that it's not authorized to perform, patrolling IC might still raise an alarm.

Hindsight is always 20/20. Foresight, on the other hand, is a little more fuzzy. I've seen people create an account to control cameras and, half way through handling the cameras, alarms are triggered by the rest of the team and the hacker's got to work outside the box to get the alarms canceled. That's an action outside the things that the account was originally created to do, so IC gets a chance to notice.

Rhe other option is, of course, to create an administrative or super user account, I suppose, and give it the right to do everything, but there are people who probably know or can determine how many of those accounts there should be. There might even be dedicated IC doing nothing but watching the user accounts to make sure that no one does such a thing.

I guess I just hate giving away a free lunch. Just cause you've got it easy for a some quanta of time (while you legitimately use your legitimate account) doesn't mean that the other shoe won't drop if you step out of line or if you get unlucky.

It's up to the GM for now.

Personally, I like to compare the Matrix plane with the physical plane, so I handle ICE more or less like drones in a building.
They patrol, and if they see you they can identify you as a threat, ignore you, ask to check your ID...

You can't exactly prevent it from finding you, but you can either hide from them (using the Stealth program), you can impersonate a legitimate user (using the Spoof program the way you use it to spoof commands to an agent) or you can crash it.

As for crashing it, I consider that the IC program is still running, but may be frozen, or acting inefficiently. The system won't be able to notice it, so you'll need a security hacker to reload it.

@Rotbart,
True, but a hacker with a legitimate account could use their skills to attempt actions for which they're not authorized. That is, in essence, what Hacking does, at least in my games.

So if you've hacked your way into a janitorial account, you might be able to open and close doors, control lights, get into storage areas that might be off-limits to the general employees, but the second you try to go outside that account's privileges (a) you stop using the Computer skill and switch to Hacking and (b) you might get seen by IC.

In other words, if you have account A and you try to hack it up to an account B with better privileges (even only temporarily, like for one action) then you might get caught.

The roll is the same in all cases, yes, but the motivation for the roll doesn't have to be.

Alright so you're saying that you could hack yourself up a new account and log in with that. But the active IC will be scanning the file at some point. And per how I read p217 the IC would roll analyze+rating vs Hacking/Computer+Edit. Probably on one success it just knows something is wrong with the file. On more successes it would be able to cross check promotion records or something and figure out exactly which entry was false.

So essentially you're back to the question of how long is it before the IC scans the file and how often it will do so. That and I suppose modifiers. A file like that probably wouldn't have any, but maybe a file that isn't cross referenced or anything would have a penatly to detect the editing.

The 'how often' thing is really up to you, but should be based on the importance of the data in question and overall security of the system. If your looking at joe SINner's commlink, your not likely to be challenged at all if you can get in in the first place, maybe daily or weekly exams of various data, but that would be about it.

Now, if your talking novatech's systems, your looking at verying times based on what the data is. Unimportant data generated by employees (personal data, e-mails, notes to self, unimportant projects, etc etc) would maybe be checked daily for errors. More important things like user accounts would maybe get an hourly check, and the super research data maybe every miniute. Of course this is just a rough idea, and it basicly comes down to this: How hard do you want the system to be for the hacker?

But remember, the hacker is generally going to have at least several minutes between scans except for the absolute most vital data, and even then a minute or so, part of the reason being the following:

"A processes importance is raited from 1 to 7, with 1 being the most important and having the most resources dedicated to it, and 7 being the least. A word program would be a likely example of something with a 7. The process for keeping track of and adjusting for the heat at a nuclear plant would be an example of a 2" - Pulled roughly from a friend's CS collage textbook. His question after reading this of course was "What the heck gets a 1 then?"

Just goes to prove that even absurdly important things tend to have things above them.