hey guys one of the groups I hang out with had an odd matrix encounter that after re reading the matrix rules doesn't quite sit well with me, on what they did I was wondering if I might get the opinions of uninvolved parties on what was done wrong. basically I need a second opinion for the group just in case I interpret something wrong.
if I left out information let me know, any pointers to what was done wrong or should be done better would be helpful as they are all new, and I don't know eveything.

the setup:
Hacker (standard hacekr style), and technomancer (predominantly rigger) team up to hack a system to perform an extraction team has two days prep time so the hacking has to be done pretty much on the fly.
technomancer gives a rating 5 machine sprite to hacker using its diagnosis power on her commlink (5 hits adds +5 dice) he has two rating 5 fault sprites to assist with cybercombat, and one more sprite, to sustain threading as needed.
the system was rating 6 or 5 in everything. each node was subsrcibe to the preceeding node and it was ten nodes deep. the only way past the first node was to hack the second and so on (that part is fine and something I do repeatedly) they only got to the second node so I won't go further than that.
Main System: Main hub "A1I" --> Security hub --> Research --> etc...
Redundant System: Main hub "A2SI" --> Security hub --> Research --> etc...

day 1:
probing the target via VR (system+firewall=12)
3 tests to complete (15 hits) (total time = 3 hours)
day 2:
using complex action on "back door" to gain entry to backup system (the node they accessed rolled its analyze+firewall 12 dice once for each player it did not beat the technomancers stealth of 10 (threaded) and the hackers stealth of 6)
once inside the system has roaming agents as IC analyzing the users inside. every action they performed the node rolled its analyze+system once against the stealth of the hackers. (one roll if it beats hers but not his he's still stealthy)
using edit they added a series of authenticated users to the main hub node in the system.
(he didn't apply a threshold, they just rolled skill to avoid glitching)
attempting to move from the main hub to the security hub, the technomancer performed "hacking on the fly" since his stealth was higher, GM fiat allowed both to enter through the same "opening"
once in the securty node they added RFID signature and a premade code (switches all subscribed PAN's to enemy and the PAN's with the RFID code to friendly in reference to the physical security, drones and guns etc). then they exited.
using the same back door they entered the main hub of the main system in order to bypass the sync at midnight.

first attempt using back door the system sees the hacker (8 hits), but not the technomancer (3 hits), random response rolled was a 6 (system reset/shutdown) the system restarted and was placed on alert (+4 firewall, and now security hacker)

second attempte the back door was still open but the node didn't see either player.
they did the edit, and attempted to hack on the fly again to the security node (technomancer).
the technomancer was detected on his third round of hacking the system (rolled a 3) requested black hammer to reeducate the offending technomancer. it arrived and initiated combat it rolled 11 dice (rating+rating) technomancer defended with Response+firewall (intuition+willpower+1), and resisted damage with willpower+charisma (biofeedback). the fault sprites tried crashing the program (black hammer) on both the IC and the security hacker.
the technomancer continued hacking the security node and when successful the hacker entered the door he opened (GM fiat). and he immediately began attempting to disconnect. the hacker succeeeded in editing teh event logs after adding in the premade code, and DC'd no one ever saw her.
the technomancer eventually disconnected and suffered dumpshock 5P (willpower+charisma, 3 hits) 2 damage leaving him (after the black hammer attacks) with one box of physical left damage left.
they tracked him before his dissconnect (track program threshold 10 hits he glitched so GM decided his stealth didn't reduce the dicepool.)

the game ended with the technomancer waking up in his van which he parked at a random location with 7 boxes of stun, and 8 boxes of physical damage. he is disoriented for a while and is in character certain that a high threat response is headed his way (due to the high security of the system).

I think you did pretty well except for one thing: the Fault Sprites shouldn't have been using Black Hammer on the IC. Black Hammer (and Blackout) is specifically for attacking persona icons, not agents. Attack was all they needed for the IC. 'Course since sprites (and spirits) generally have the same dice pool regardless of what they're doing, it probably would have worked out the same.

As fro having a security team heading to the TM, was his connection tracked prior to him logging off? If not, then the security team heading his way might be a bit much, but beyond that, it looks like a tense, suspenseful hack. I sort of which that sort of thing would happen in my games, but my TM tends to avoid being seen

..I keep having problems with pans ands slave/hardwired connections.. The FAQ for sr4 had a question:

"Does you have to hack each node in a daisy chain or can you skip to the last one?" And they answered that you can skip to the last one...
Is that assuming that none of those nodes are slaved or hardwired?? or what?

If the hacker/techno were in range of the last node why couldnt they hack it no matter what?
-------------------------------------------------------
Oh first thing i have to ask is what the hell user level were they aiming for. On day 2 when they are editing tons of stuff it better have been security or admin.

Anyways... on Day 1 they made 3 rolls to break into the first node? Did the system make 3 checks against them to detect them??

-day 2: "every action they performed the node rolled its analyze+system once against the stealth of the hackers. (one roll if it beats hers but not his he's still stealthy)" What?? One of them got spotted??

-when they logged out did they ever spoof their ID's. Otherwise if they just immedeately logged back in I would have the system instantly spot them lol. If a user logged in with a fake account they had created and gets spotted I would also nuke that fake account unless they took the time to spoof the security logs and erase their data trail before logging out.

The systems could have been wired allowing access only to each node from within another node. Or, the nodes could have been preprogrammed to ignore all information coming to them except from a specific source: the node before them in the chain. Regardless, there's nothing wrong with the set up described above. The rules, FAQ, and Errata cannot describe every possible security measure that could be taken against hacking. That's why they're left somewhat vague: they need to be flexible. As the power level of the game increases or as the power level of the targets increase, the systems have become more secure. One way of doing this would be to set up a system similar to what the original poster described. Other ways might include more IC or more specific lists of what each user level could do (like alert canceling, account creation, etc. can only be performed from Terminal A. All other attempts to perform these actions will result in an immediate alert).




It was a probe, so the system only gets 1 check. Only for hacking on the fly does the system check every time the hacker/techno roles. See the difference on page 221 of SR4.



I'm not sure what you're asking here. I think the original poster is saying that one of the two of them got spotted by this analysis, yes.



Those would be viable actions for the system to make, yes. Personally, I tend not to nuke accounts, but, instead, send a message to a security hacker or some other security personnel so they can investigate the problem. That way you don't accidentally delete the account if it's a false positive. More paranoid corps (or security officers) might feel that acting on a false positive is better than letting your system get hacked, so I can see your method being okay as well.

In one of the black-boxes in the Sr Matrix section on network security, it talks about using tiered nodes and choke-points, which would be useless if you could "skip to the end" node.

the big question is how common wireless connection are in the branches or trunk of whatever network one is targeting.

i can see it being very common for leafs (cameras, terminals, comlinks and so on) but for the central storage servers and traffic routers i dont think it would be that common beyond the ones that acts as first tier vs the leafs.

I agree, hobgoblin. And some of those leaves might even be signal 1 or zero to make subverting them more difficult.

"It was a probe, so the system only gets 1 check. Only for hacking on the fly does the system check every time the hacker/techno roles. See the difference on page 221 of SR4."

Well in his set up he said they were going to fly hack. So I didnt pay any attention to the fact that they probed and assumed it was a fly hack. My mistake.

the attack was crashing the blackhammer program I think they did that right (extended test versus rating+rating = 12) took three turns to crash the blackhammer, my feel as that since the blackhammer was crashed his connection logout shouldn't have been impeded (or at least lessened to not include the porgram rating)

yeah the trace was successful the initiative pass before he logged off, so depending on how long it takes him to wake up and what disorient does depends on how he's gonna do.
not sure if that has been discussed before