I might have missed something in the hacking rules, so if I have please forgive me.

It seems next to impossible to keep a hacker (or TM) out of a computer. From commlink, to cash register to Lone Star's Mainframe for Seattle.. As long as it is a hacker and not someone deciding to hack, they are throwing at least 15 dice for hacking test (and I have had characters thrown 20++), that is 5+ hits vs the "computer". Well d**m! they are going to get in. It might take a few IPs to do so but you cant stop them. You can only hope they glitch (or even better critical glitch) so you can set off an alarm.

I have been putting up wireless paint around places that have semi-secure data (or better) but that doesnt stop the hacker but just slows them down.

Am I missing something or what do you recommend?

dog

At best, a regular hacker can pull 6 (program) + 7 (hacking w/aptitude) + 2 (specialization) + 2 (codeslinger) +2 (VR) + 2 (lvl 2 encephalon) = 21 dice. That is the absolute limit of their hacking abilities. And this is with 20 BP spent on making it their thing.

It is virtually impossible to keep hackers out of a system. Keep it without wireless, so they have to go in with the team. Put some IC in it with analyze. (System 6, Firewall 6 w/ IC 6 w/ analyze 6) this makes the hacker hack in with threshold 6, and the node is trying to spot you with 12 dice. Since the best stealth program in the game is rating 6, then, let the node buy hits at 4 dice = 1 hit. That means if they can't hack through in 2 shots, the node detects them.

If they do get in, the IC gets a chance to spot them with its 12 dice vs stealth program. Give the IC more attempts anytime they do something that isn't allowed with their access rating. (Such as a user rating hack trying to look at the security cameras, the hacker can do it via hacking skill, but give the IC another shot to see through the stealth).

Don't forget many devices will require no less than Admin access to do anything useful, thus +6 threshold to hack in.
Not that that changes much, they'll still get in eventually.

...shooting the hacker?

Seriously, there are a few alternate houserule variants floating around. The most widely accepted is the Skill + Logic hits capped by Programme Rating. This forces many matrix ops to become extended tests which first, take more time and second, increase the chance of the system noticing something is up as each interval allows the system to make another detection test (at least the way we run it). We also use the skill rating as the cap for how many rolls a character gets in an extended test.

Also [as mentioned in the response above] there is the level of access the MS desires. This changes the required threshold. Make sure that the player mentions what level of access he or she wants before rolling.

Of course the main thing is having IC. Even if it is not killer, it can slow the intruder down as well as send an alert if it is crashed. In our group, we use the old rule that if the MS defeats an IC construct, she can opt to withhold 1 die from her pool to suppress it. Several IC encounters and then it becomes a challenge as the DP is reduced further. Also programme load is another thing to watch for. If the MS goes in with more active programmes than commlink Response/System rating, all her programmes operate at one level lower so now her utilities including stealth & spoof can become easier to overcome.

It's a bit tricky to follow, but the opposition to Hacking is not in the initial hacking test. The Hacker gets the extended test and the system gets it's test to detect the attempt. The odds are likely the Hacker will succeed.

So it seems so easy. Why yes it is.

But look at p. 222 Hacked! - Once Inside, and Intruder Alerts.

Once the Hacker has gained access, it is up to the GM to decide if and how there is IC and what will happen.

Up to the GM to be creative or choose what opposition there is. There are some examples to follow and a description of some cases and standard routines, but it's up to the GM to figure out what happens.

Compare this to the character that pulls out a gun and shoots a random someone in the street. They roll agility + Gun and they hit! Wow, it's so easy, they shot someone, how do I stop them from shooting people? Well, D'uh, the GM concludes that Lone Star will show up, or the person shot shoots back, or whatever. Whatever is fun for the story.

You want Hacking to be a simple die roll that succeeds most of the time, then don't have IC.

You want to have the Hacker have a challenge, then give them a challenge.

The only limit is your imagination.

...@DR, good points. Indeed the only way to really make it a challenge is that you the GM have to put some work into it if you don't want the Matrix Specialist on the team just waltzing through. Yes it can be a bit more daunting than just whipping up a few sec guards, some Lonestar cops, or a gunbunny or two as IC constructs can be loaded with various utilities just like Agents.

Databombs are always a good and simple option. The MS has to successfully defuse the bomb. If not, her icon not only takes damage but the data is destroyed as well.

But yes, the bottom line is imagination (and a bit of work). For example, In my last run of RiS I creeped out the Decker (and player) so badly that he jacked out before encountering any of the really bad IC waiting for the character. This was done just by description of the sculpting. Suspense can be the best weapon in your arsenal of tricks if you know how to build it up.

probably meant to write 6+ and just switched the plus and the six around

EDIT: Sorry, nothing to see here.

ANOTHER EDIT: I can say that I believe that the "can't be immune to hacking" thing is intentional. Much the same way that things "can't be immune to magic" and "can't be immune to bullets/explosives/etc." There's always a way past defenses; it's true in Real Life, too. This is why there are guards and security magicians and spiders.

When I was playing a hacker, I would completely own any node I wanted, but I learned real quick to back the hell off if there was a spider in the node.

Hacking is way more dumb than that, honestly.

Yes. If your computer is connected to the interwebs at all then people can hack them.

Yes. If someone can hack your computer they will succeed in doing so. Like pretty much instantaneously.

If you expose your brain to the interwebs at all, you're dead. Like, yesterday. It doesn't really matter whether you're Fastjack or Dodger, the black IC rules are so gratuitously deadly that you will die. Probably in one round.

But you don't have to expose your brain to the interwebs. Also you don't have to expose any of your devices to the interwebs. There's no enforcement mechanism for any of this.

---

So yeah. Under the basic rules the acting player always wins in hacking. The hacker hacks into the system. The Black IC kills the hacker. All the die rolling is just a formality.

But because it's so deadly, and because nothing actually happens to you if you opt out, everyone opts out. You just set your devices to not accept incoming signals from hostile devices because you can fucking do that and you just run all your computer operations in AR. It's a problem hich solves itself.

Final analysis is that the Hacker would be unstoppable, but there's literally no reason for his abilities to ever be usable. It's like if Mages were completely unstoppable but people could stop them entirely just by stating at the beginning of the session that you'd prefer to not have spells cast on you.

Shameless Plug

-Frank

In the shadowrun world as written, everyone is kept out of devices because they all come with a handy on-off switch for wireless that is turned to 'off' by any player. GM opponents often also indulge in the off switch while defending secure compounds and other such things.

This makes you, as a player, immune to hacking relatively easily as frank points out. GM's usually manage this with a blend of 'secure' systems with no wireless and 'unsecure' systems with wireless tat the hacker can do cool stuff with, but its all strikingly silly.

i'm playing in a game with franks rules atm and i'm rather impressed actually - the infomational powers work quite well, and the attack powers are not as good as feared, but you do need signal defense. Ironically a death note and manaball did much the same thing, though the manaball was more effective.

Also, things are not nearly as secure as he imagines they are. Nobody is unless they have a complete air gap on their network, and it's hard for people at home to do their banking on-line if the banks servers are air-gapped from the internet.

'the biggest problem he sees in industry is the feeling that "we don't think it [breaches] can happen to us,", he said, "but it's happening every day."'

'"We are well past the $5 billion per year mark, and I don't know where the top end is," commented one STRATCOM official. "The $5 billion is mostly on defense. We buy huge amounts of software and people to run that, but it's totally ineffective against Tier III" cyber [advanced persistent] threats, this official noted.'

You can still do AR through hard lines and skin links. But it would only be via those that are part of your immediate person (unless you bring long cords to run between every member of your team...) So this would handle smart link guns, AR driving (put the skinlink on the steering wheel), and other similar things but you wouldn't be able to get camera images or map overlays or any other such thing provided by another member of your team.

Nor would you see the myriad of AROs that are all about the area...and it think that is the main area that you are getting a bulk of the bonus.

Opting out in RL is rapidly becoming a near impossibility and I imagine that in a future where you can live in whatever virtual world you want to it'd be even harder to opt out of that technology.

I dare you Frank, to spend 1 week without using the Internet AT ALL.

Tell me how useful you were and how satisfied you are after that.

There are so many tricks that you can use that it is daunting. Password levels are a good way to do this. Not every user has access to the security cameras. Passkeys are another great way since you have to get your hands on one before you can even try to hack.

Track is possibly the best deterrent to hackers. My PCs hate it when they are hacking and I say that the IC runs up to them yells "Tag! You're it!" and runs off. Now they're on the clock. This gets even funnier if a Black IC jams open their link. Also keep in mind that jacking out doesn't instantly wipe out their datatrail so if the IC can track fast enough it can still narrow down their location. That's when the corp shadow team starts to hack its way into gridguide etc to track you physically.

Edit: also please note that Track only requires MLOS now not even a matrix attack. I just like to see the look of panic on the hacker's face when they know they are being tracked. A more sadistic GM doesn't even have to let the PC know that they are being tracked and could potentially have surveillance on the hacker before the hack is completed.

Why should a corp NOT run its network if Black IC is guranteed to win everytime? Why wouldn´t there be services that provide roaming Black IC to all loyal corp citizens? Why wouldn´t you trust your corp, your loving family, not to kill you because they can?

Answer: The corp will run the network and everybody will use the matrix.

Problem: The black IC won´t win all the time, and hackers will succeed. Problem for the target, that is. The corp will rather drop dead than admit the problem.


Now should there be easy ways to keep hackers out? In my opinion, the scale should go a bit further on the hard side. One first step may indeed be to use skill+attribute instead of equipment+skill, as now you have to learn.
If you use ratings as thresholds, not just anyone is going to reliably beat a system 3 all of a sudden. Script kiddies are kept out, and serious phone service provider strike teams take care of attacks against the general populace. Minor hacking attempts are handled by your matrix security provider, usually LoneStar.

Regarding black IC v. intruders, when I was playing a hacker, my program loadout was configured for stealth and intrusion when I got into a node, not for combat. That skewed a lot of results toward any black IC in the node.

...Ryu, I like your thinking. I am currently playing a Matrix Specialist under a new (as in "green" GM) and have been schooling him on how to make the Matrix tougher. The last couple of runs were pretty much cakewalks even though we do use the Attribute + Skill capped by Programme rating rule. I like the idea of the system's rating being a threshold however how this is applied is another matter.

Since pretty much every matrix test becomes an extended test under the Skill + Attribute houserule (save for cybercombat), this would make it tougher. However, should the threshold be applied against the total number of hits in each roll, or the number of hits allowed by the programme rating cap?

If it counts. we can hack it.

@Kyoto: I am slowly building another version of alternative matrix rules, but that is still very muddy. I´ve opened a thread some time ago on a restructuring of matrix programs, where I have written a bit more. My basic idea is not to use extended tests at all. Encryption defends the net, firewall defends the device, system defends user access. Each is the threshold needed to succeed at intrusion.
So program ratings must be as high as system ratings! Allthough a player character can at the high end hack all systems, there are tiers below that, which allow you to properly place your char against a level of opposition.
And you need both skill and attribute to reliably beat high-end servers. Dice Pool boni could be given for fake credential files etc. Advantage: Rating 3 servers start to be a (low-level) obstacle, as in a dicepool of 9 on average - no need to go military-grade all the time. Higher rating = higher threshold = less hackers can get in.

Edit: On the extended tests: I would consider them with a threshold on each single test, and under some form of limited rolls, say as your rating in an appropiate program. So you´d need to list "Single Test Threshold" / "number of hits required" / "Program","time".

...unfortunately, system rating can outstrip programme rating. This is when one would need to turn to an extended test. I look at Extended tests as more finessing one's way in over a longer period of time. The one thing here (as I mentioned) in our rules the system gets to roll to detect the intrusion for every roll the MS performs in the test. Yeah with a good stealth utility, it would still be hard for the system to notice something, but not impossible.

For the MS, the system/node rating threshold would make it tougher to get those needed successes for access even during an extended test particularly at the security and admin levels as the thresholds would stack. Again the number or rolls would have to be capped by skill or programme rating. Now if programme rating was used, then programme load vs. system rating becomes an even more important factor.

I can see applying the thresholds on every roll during an extended test however only if it affects the entire roll not the capped hits. This would still have an impact on a MS's ability to hack in. Fior example a moderately secure node (rating 4) would take away 4 hits each time. On a DP of 12 that negates all the hits based on the average. No hits means the test is over and the MS must start all over again. In a way though this makes system rating a lot more powerful as it controls two functions; the threshold, and the target to overcome. This was where the "colour" security ratings in previous editions made sense as they controlled the threshold and the system rating controlled the TN. I do not see why this couldn't be implemented again. Systems would be rated as they were in the past (red 5, orange 4 etc). Heck the really paranoid could have a rating 4 system with a red ore even violet security level if they wanted.

...just a few thoughts.

hacking is, and probobly always will be very easy. As an Information Systems student at DeVry, my professors are always using hackers in some way as relevant examples for various things we do in the business. They often say that most of the real hackers in the world were once professionals who "changed sides" because they realized how easy it really was.

Im still in my first years of classes, so I couldnt really show you how easy it is to hack systems, but do keep in mind that I have college professors spouting random crap about hackers at me all the time about "how easy it really is".

The closer people are to hands-on computer and network security the more they feel security is an issue. The CIO and above are very comfortable, the people who do incident response and network security monitoring much less.

Computer attacks have been growing in effectiveness over time. Things are not getting better, they are getting worse. They are cross-platform and work on fully patched systems by exploiting applications like flash via browsers without user interaction. Where this will lead I don't know, but it's going to be ugly when we get there.

10% is pretty unacceptabled depending on the material you are protecting. If you are protecting a banks transaction system, or the interbank funds transfer system, any at all is unacceptable.

Especially when you consider how many times a such a valuable system could get probed on a daily basis. In the world of computing an awful lot can get done in 24 hours.

In the fun world of agents I can only imagine how many times such a valuable system would get probed every minute.

Opting out doesn't even require you to not use the Matrix. It just reuires that you deny Matrix access to your brain, your sensitive data, and all your important devices.

Sure, your metalink will fill up with viruses and porn. But your Caliban would as well. And you don't lose anytthing by keeping your important stuff off line.

Don't just wave your hands about how generally useful the Matrix s. Go ahead and read the Wireless World section and tell me one thing that happens to you if you simply deny all access to everything you care about.

-Frank

My job doesn't require computer. I don't actually do -anything- that requires a computer that's not a hobby. Period. Were I a professional criminal who could very well be killed by/because of his internet connection, I think I'd get rid of it. Then again, I don't own a car or a cell phone either. I'm going to go out on a limb here and say that we probably have different definitions of "necessary".

I really dislike the idea of AR hacking. Looses the flavor, the face on my team has wired reflexes and decent computer skill... So he moves at the same speed as I do via Hot Sim, with AR. Seems like VR needs something more to make it worthwhile. Rigging gets +2 roll, and -1 Threshold on vehicle tests, hacking just the +2 roll. Granted getting more passes in Matrix is alot cheaper than multiple passes in physical, but when most people do it regardless of cost it seems kinda gimped.

As for being unaware a good way around this is a micro camera on a pair of glasses, or some other similar thing. That way you don't have to drop out of VR to be aware, you just check your heads up display once in a while to see whats going on. This way you only suffer the perception penalty for splitting your attention (I think its -2).

Back to the Black IC always "winning" against the hacker. I was going back through the RAW and while once the Black IC jams open the hackers connection and he can't jack out without beating the IC on an opposed test and risk dumpshock damage, what's preventing him from using a free action and changing to AR mode?

I mean, yeah, his connection is open and he is going to be traced, but he bypasses any further damage, unless of course the IC switches to normal Attack program and crashes his commlink.

I'm just trying to think logically as a hacker...if I don't think I can "win", why not just admit defeat, switch to AR and then take your chances when the physical security team shows up?

I really like that AR hacking is possible, but it does bother me that it's so good relative to VR.
Maybe if both were good options for hacking, but there was a massive superiority just for cybercombat, that would make me feel better.
*shrug*

deek, You can't just switch to AR for the same reason you can't jack out. Now, I'd rule that you could switch to AR and take dumpshock (just like you can make the test to try to physically pull your plug and eat dumpshock).