Running the Matrix 101

Groundwork

On the matrix, each device is represented by a node.

• Multiple devices can be represented by one node (Clusters/Slaving, pg. 55, Unwired).
• Using a program on a node requires a subscription to that node, and therefore at least user access.

Each user is represented by a commlinks persona.

• A commlink provides both a node and a persona.
• A users persona is present in all nodes the user subscribed to, and in the originating node.
• You can only interact with another persona if your and your targets personae share a node.
  (Your targets persona will be present on your targets commlink node, maybe more).

Legitimate matrix users will:

• Search for Information. "Data Search."
• Locate specific nodes without knowing their accessID. "WiFi-Scan."
• Inspect other icons/nodes. "Matrix Perception."
• Use a device via the matrix. "Using a node."

Hackers will

• Fake commands from legitimate users. "Spoofing Orders."
• Take access rights they are not supposed to have. "Node Hacking."

Legitimate Use

Data Search (pg. 220 main book)
Extended Test, Data Search + Browse, threshold 2-16, search area determines base time: Device: one IP, Network: one turn, whole matrix: one minute
Use:
Think internet, but with a severe increase in available information. See the optional AR bonus you might gain for some actions by getting DIY-help from the matrix (AR modifiers, pg. 208 main book, +1 to +3 for any information-dependant task, ie: repairing your car)
GM Decisions:
Reward specific search terms and search areas with better information, but keep in mind that some opponents might be resourceful and matrix-savy enough to monitor specific search topics. Mechanically you can assume success, unless time is of essence, or the used dicepool is very small and you want to check for a glitch.

WiFi-Scan:
Electronic Warfare + WiFi-Scan, threshold variable, 1 turn
Active/passive node: threshold 1+ depending on number of nodes present
Hidden node, location known: threshold 4
Hidden node, general search: threshold 15+
Use:
WiFi-Scan is used to detect wireless nodes in a specific physical location - even if they are hidden (for hidden icons on the same node see matrix perception above).

Matrix Perception (pg. 218 main book)
Computer + Analyse, in case of hidden personae/nodes opposed by Hacking/Firewall + Stealth.
One piece of information per (net) hit
Use:
All these funny icons have a purpose. They may advertise said purpose, but those a hacker cares about are often blatantly lying.

• A hacker should figure out how strong a nodes matrix defenses are before attempting a fast hack. Some opponents have surprisingly good commlinks/nodes.
• Some security hackers, IC, and other users will run in hidden mode. You can find those with matrix perception. (Finding hidden nodes is handled with WiFi-Scan.)
• A legitimate users accessID is the basic requirement for spoofing orders, see below.

Using a node
Matrix Functions:
Gaining Information about a node is handled under "Matrix Perception", finding data under "Data Search".
Data can be edited (access logs, vid feeds, accounting data, you name it): Computer/Hacking + Edit, (pg. 219 main book)
Using a matrix function without associated program, that you want to have a test for anyway: Logic+Computer
Real-World Functions:
Relevant Skill + Command, should a test be required
Most device functions are just a question of the necessary access rights, so you´ll at most test for Spoofing the required order.


Basic Hacking

Spoofing Orders (pg. 224 main book)
Hacking + Spoof against Pilot/System + Firewall, complex action.
The basic requirement is a legitimate user ID for the (type of) node in question.
Use:
Making a device perform a simple order, one time only. Advantage: It ties someone elses accessID to the crime, Disadvantage: There is a risk of detection each time an order is given. Your player might want to run Stealth.
GM Decisions:
You will have MANY nodes that might come up in game, so take it easy and have identical access rights across nodes. You just need user groups with different access rights:

• separate all on-site nodes into public/work-related/security measures, and larger facilities into different areas
• determine what kind of access to those nodes any user group would have
• if your players manage to spoof the order, they can do whatever the user in question would have been able to.

Node Hacking (pg. 221 main book)
Extended test, Hacking + Exploit vs. Firewall +0/+3/+6, one turn. System rolls Firewall+Analyse vs. Stealth, also an extended test unless the player increases the base time to one hour.
Use:
Gaining access rights of a certain level (but not an account) to a matrix node. The disadvantage is a limit to the rating of nodes that a hacker can reliably beat without raising an alarm, which can only be circumvented with a massive increase in required time.
GM Decisions:

• Note that you can almost ensure detection on the second intruder detection test if you beef up Firewall and Analyse too much. Try running with analyse 1 and variable Firewall for starters, or a device rating of 3-4.
• Other users or IC programs get a matrix perception roll to detect the hacker

Some semi-random spice

Quick&Dirty:
A device that only has a unified device rating will mostly roll 2*device rating on tests.

Simplicity:
The Cluster rules of Unwired allow you to combine several devices into one matrix node. Within the simplification of this subset of the rules, you simply have one node that controls all functions of all devices, with the twist that the lowest Firewall and System are used, and that Response is averaged. Which does not require any calculation if all devices have the same device rating. Lower number of nodes = fewer matrix tests, less book-keeping.

Difficulty:
Minimal investments into hacking enable your players to defeat rating 3 nodes. Step it up too quickly and they´ll abandon the attempt of learning the matrix rules. Real hacker builds can take rating 4 nodes. Remember: Success is mostly a given in other areas, too. Try to mention that a little bit of hacking and a better comlink are way cheaper than the common investment into hardware skill. Not to speak of the "secondary" uses of hacking.

Encryption: Encryption requires decryption on part of the attacker.
Response + Decryption vs. Encryption*2, extended test, 1 turn

Data Bombs: Certain data might be secured by a data bomb (find out with Matrix Perception)
Hacking + Defuse vs. Data Bomb*2, not an extended test. Can be used for plot protection.

Programs and You
Program Ratings
First things first: Program ratings are capped by System, which is in turn capped by Response.
Unwired introduces the Optimisation option, which permits programs to run on lower rated systems.

Advantage: Metahuman
While you may not want to play a hacker, you should consider some basic matrix skills.
Metahumans are not limited to a dicepool of 12 like any agents ultimately are. Dicepools are modified:

• by the hot-SIM bonus of +2 (Survival tip: No hot-SIM without Biofeedback-filters)
• by qualities (ie codeslinger)
• by augmentations
• by edge

Security Concerns
Firewall: Core requirement of a secure comlink
As high as you can get. You can get rating 6. `Nuff said. You are a runner, and while this may be a transhuman age, information is still king.
Stealth: core requirement of a runner comlink, required to enter hidden mode
As high as you can get. See your program cap. You want to hide your matrix self on the run, and stealth does exactly that.
Encryption: Core requirement of privacy
Decryption is easy. Really easy. Like in "listening in on the guards"-easy. Just saying.
The opposition might have an ear on the matrix, too. If you own Unwired, you want to run a tactical network. Any good guys hacking that one would get rather perfect targeting data, don´t you say?


Joe Average Utility
Analyse: You need it to get information about matrix nodes, and for some defensive rolls (against Spoof, Exploit).
At that price/benefit ratio, take what you can get.
Browse: Data Search
Free information on the matrix? Your connection charges, told you all information comes at a price?
Any rating will do, the test interval is rather short. Beware of glitch-heavy dp sizes.
Command: Used for controlling all kinds of real-world functions nodes might have, should they require a test.
Might or might not come up. It´s easy to justify rating 3.
Edit: Manipulation of all kinds of Data Formats
Must-buy at rating 3, take what you can get if you have any interest in tampering with files. Like security vid feeds.



Basic Hacking
There are basically two options to hacking a node: You can Exploit it to gain full access, or you can fake legitimate orders with Spoof.
Then there are two fundamentally different situations concerning the matrix:

• Due to the skills and planing of your group, you are still undetected. You want to avoid detection. The key to that is running a good Stealth program, and being careful with Exploit attempts. This calls for a stealthy hacker. Failure leads to a system on matrix alert.
• You already raised an alert, or the alert will be restricted to the matrix and you don´t care about that. Intrusion is a given at that point, but you will likely have to deal with active security measures. This situation often results in Matrix Combat. You can also try to be done before the active security measures take effect, or hide from IC while you finish your deeds (stealth rating should ideally be IC rating +2 for that strategy...)

Thus there are two approaches to hacking:

• The silent way is for true hackers, you need pretty good gear to avoid detection and good skill to take on better nodes and account types
• The combat way opens up with minimal investments - once the samurai have the lead flying, nobody cares about being found anymore, right? These types should be build for some physical action, too.

Spoof: Imitate a simple order from a legitimate user
A device resists faked orders with a dp of twice it´s rating, assuming it has Analyse running. You can beat that, and it doesn´t take time at all.
Seriously, the Hardware skill approach to opening a door is pretty obvious, and takes waaay longer than a complex action. The Hacking skill has better secondary uses, too.

Exploit: Gain access rights you are not supposed to have
Some big gains are to be made here. Often easy, this can get dangerous fast if you are hacking on the fly. Try being done after the first test, or take the slow approach.

• Consider the price of all those hacker services, and that beating a device rating of 3 is ruleswise an easy challenge. If you determined that the node is not running Analyse (Matrix Perception), you can even take two tests. Outside help is always a security risk.
• If your group already raised an alert, all bets are off. Go in expecting trouble, and always for admin.

Things-went-bad-programs:
Attack, Armor, Biofeedback-Filters. You DO have Analyse, you MIGHT have Blackout / Black Hammer. Stealth is always-on.
Handling the matrix is about avoiding detection. If you failed at that, you´ll need to fight a retreating battle. Or win.

Hacker´s Little Helpers
WiFi-Scan: Can´t hack it if you can´t find it. Used to find hidden nodes, as Analyse only finds hidden users on a node.
Trace: Want to know where your target is? No problem, defense is almost impossible.
Decryption: Rating is not that important, but you need it to defeat encrypted nodes
Defuse: If someone set you up the (data) bomb, this is handy. Warning: This is not an extended test, but opposed by the Data Bomb rating*2. Maybe getting the password is safer?

KE VSS
KnightErrant offers quite a list of security options for any customer who can pay the price. One very common feature is video surveilance. Everyone is doing it, but KE does it well.

Physical devices:
The VSS is made out of a number of both visible (deterrent) and hidden cameras.


Matrix Representation:
All cameras are combined into one node (see Clustering, Unwired: min of System/Firewall, average of Response). All devices have a device rating of the customers choice, in case of this example 3. Therfore the matrix node "VSS" has a device rating of 3.

Node Function:
The node controls all cameras (direction, used vision mode, on/off-state, intruder tracking, guard supervision, recipients of vid footage). You can access the node if you are in signal range of a single camera. Video feeds are stored, and can be manipulate with a successful computers/hacking+edit, usually extended test.

Uses for Matrix perception:
Take a second to figure out your dicepool. You get the visual representation (+ a bunch of other senses) for free, unless there are hard-to-notice details. If you want more info, you roll matrix perception. I´ll list the main book examples and possible uses:

• any ratings (the answer is 3 here, or "not present") The style of a node is only weakly correlated to the danger of hacking it. Find out you can´t before you fail.
• type. You want to hack the VSS, not the node of the coffeemaker next to one of the hidden cameras.
• alert state. Know if you´ve been noticed. Or someone else. If you fail a spoof attempt, the node will register an illicit command.
• find out if video evidence shows signs of tampering.
• each other relevant information: is any user looking at the video feed of the hidden camera you just found?
• Get a list of all active and passive personae and agents connected to the node, and of any hidden ones if you can beat their Firewall+Stealth test

What you can do by spoofing:
Switch a camera off (vid frozen), change camera direction, change the used vision system (ie to normal vision while wearing a chameleon suit).

What you can do with exploit:
Get a normal account to see footage of the "kosher" cameras, get a security account for seeing all footage, plus full control over all cameras, including an automatic tracking of any person you want. Track the guards and you are never surprised again. If you get admin access, you can revoke the accounts of the regular guards.

How do they compare?

• Spoof is simple and fast. A single short command, faked to come from a legitimate source. Getting a legitimate matrix ID can be simple. At the end of every shift, guards are leaving the facility. And any of those has likely a security account on the VSS. Getting into the Human Ressources Server of Knight Errant (a device rating of 4, but behind Chokepoint servers) is theoretically possible, but reserve that approach for weaker prey. Any guard (alive, and blissfully unaware of the runners) is likely broadcasting the ID over a load of game-servers.
• Exploit has some big gains. Take a slow approach during prep time, and you have stacked the deck in your favour. On the fly you´ll be facing 6 defending dice, so with a stealth of 5, the second test brings danger of detection. However with a bit of edge, and a solid Exploit program, and some hacking skill, blasting the barrier of 6 hits (device rating 3 + security account 3) is doable, and brings some immediate advantages.

GM Decisions
Why rating 3? You could say that security devices have a device rating of 4. In this case I judged it to be 3 because a) these are no hidden sentry guns, just cameras, and b) it´s easy to frustrate people that are just learning the rules. (I would recommend to put dedicated hackers into the 12-16 dice bracket (all boni considered), and part-timers at 8-12 dice. Both should be able to beat the VSS, and the dedicated hacker can still be challenged with rating 4 or 5 nodes. Which fits the given examples for device ratings nicely.

Shiawase "Empress" Door System
Not everything has to be wireless. Shiawase has just the right choice of household doors for any user who is both security- and comfort-minded. In the future, any door will be open for those who have the necessary rights to open it, and closed to all others. Grounding your child is easy if you bought the system for every door.

Physical devices:
The system consists mostly of mag-locked doors, although some users invest into windows from the same catalogue.

Matrix Representation:
This upper-class system has a device rating of 4. Each door has it´s own matrix node. The individual doors offer skinlink functionality over their whole surface, wireless links are available for the garage only. All doors are linked via wired connection to the central household telekom.

Node Function:
Simple: Keeping anyone who may not enter out. Everyone, including guests and personell, get normal user accounts. The respective "room owners" have security accounts, and can lock everyone but other "room owners" and admins out. If you have an admin account, you can always open any door.
So if you want into the living room, any account will do. If you want into the master bedroom, better be close friends with an owner. The household telekom can be used (by those without skinlink) to relay orders to the doors as long as it is in active mode.

Uses for Matrix perception:
Not much really, as there are few functions.

• any ratings (the answer is either 4 or "none present") The style of a node is only weakly correlated to the danger of hacking it. Find out you can´t before you fail.
• alert state. Know if you´ve been noticed. If you fail a spoof attempt, the node will register an illicit command.
• each other relevant information: is the door locked normally or by security account?

What you can do by spoofing:
Open the door, if the person you are pretending to be could open the door. Lock the door.

What you can do with exploit:
Open the door any time you want and the account level permits. But only that single door.

How do they compare?

• Spoof is simple and fast. A single short command, faked to come from a legitimate source. Which is all you want in this case. You need to find someone with the right access ID, either someone with admin access, or a valid account for each door you need to pass, security access preferred. If you have only normal access, you´ll have to pray that the door is not owner-locked.
• Exploit is a fail here, unless you have to pass one door again and again and again, or can not have any risk of failure, at all (like on the fallback escape route). The simplicity of the necessary orders does not justify the effort and risk of exploit well.

GM decisions
There are of course cheaper variants of this system, on the other hand some important security chokepoints might easily have even better locks. The Spoof dicepool should be higher than 2*device rating, as single orders are rarely worth a point of edge. Exploit can be different.

MCT FlySpy
The guards don´t want to die, and are too clumsy to sneak up on runners anyway. So they send out a scout drone.

MCT Rotordrone
The guards don´t want to die, and are too fragile to effectivly fight runners anyway. So they send out a remote-controlled firebase.

Physical device
The drone. Duh. The Rotordrone comes armed with an assault rifle that has both smartlink and underbarrel grenade launcher.

Matrix Representation:
A single node with device rating 3 (Flyspy) or 4 (Rotordrone).

Node Function:
Drone control. The drone node offers displays for all available sensor data, and controls for all functions like flight direction, speed etc. It also provides storage for any sensor data. The Rotordrone has an additional weapon control system, including virtual controls for all smartlink functions. Ammo count /current target/target priorities for autonomous mode...

Uses for Matrix perception:
Some basic ideas:

• any ratings (the answer is either 3 or 4 here, or "not present").
• type. You want to hack the drone, not the tactical network of the assaulting KE team.
• alert state. You care only if your presence is not well-known anyway.
• find out if the drone is in independant mode (as in: not piloted by the security rigger).

What you can do by spoofing:
Send GOTO orders, disarm a weapon system, disable all recording functions, put "target" on friendly list, reboot (sometimes very efficient, as it takes time), change sensor mode (only useful for patrolling drones, as scout drones are usually monitored, and modes switched right back), dump ammo of smartlinked weapons, including the coveted "dump grenade clip"

What you can do with exploit:
Get full access to the drone, including the ability to jump in. Rigging is a story for another time.

How do they compare?

• Spoof is simple and fast. But you need the matrix ID of the controller first, and if the drone is not in autonomous mode, any falsified orders are immediately revoked. (Unless the damage is already done, see dumping ammo)
• Exploit has some big gains. Not that interesting in the case of scout drones (bring your own), but very interesting in case of combat drones. Mind the security rigger! Shutting down a drone works for both sides, as does matrix combat.

Matrix Mechanics 101
Data Search (pg. 220 main book)
Extended Test, Data Search + Browse, threshold 2-16, search area determines base time: Device: one IP, Network: one turn, whole matrix: one minute

WiFi-Scan (pg. 225 main book)
Electronic Warfare + WiFi-Scan, threshold variable, 1 turn
Active/passive node: threshold 1+ depending on number of nodes present
Hidden node, location known: threshold 4
Hidden node, general search: threshold 15+

Matrix Perception (pg. 218 main book)
Computer + Analyse, in case of hidden personae/nodes opposed by Hacking/Firewall + Stealth.
One piece of information per (net) hit

Spoofing Orders (pg. 224 main book)
Hacking + Spoof against Pilot/System + Firewall, complex action.
The basic requirement is a legitimate user ID for the (type of) node in question.

Node Hacking (pg. 221 main book)
Extended test, Hacking + Exploit vs. Firewall +0/+3/+6, one turn. System rolls Firewall+Analyse vs. Stealth, also an extended test unless the player increases the base time to one hour.

Using a Node
Mind the access log!

Matrix Functions:
• Gaining Information about a node is handled under "Matrix Perception", finding data under "Data Search".
• Data can be edited (access logs, vid feeds, accounting data, you name it): Computer/Hacking + Edit, (pg. 219 main book)
• Using a matrix function without associated program, that you want to have a test for anyway: Logic+Computer
  Real-World Functions:
• Relevant Skill + Command, should a test be required

Encryption:
Response + Decryption vs. Encryption*2, extended test, 1 turn

Data Bombs (pg. 223 main book)
Hacking + Defuse vs. Data Bomb*2, not an extended test. Detect Databombs with Matrix Perception

Matrix Combat (pg. 231 main book)

Initiative
• Metahumans: AR: Physical Initiative/IPs
• Metahumans: cold VR: Response + Intuition / 2 IPs
• Metahumans: hot VR: Response + Intuition +1 / 3 IPs
• Agents/IC/Sprites: Response + Rating + 2 / 4 IPs
  Attack
• Matrix Combat (agents/IC: rating) + program rating, (program rating) base DV, complex action
  Defend
• Response + Firewall
• Full Defense: +Hacking (agents/IC: rating)
  Soak
• Matrix Damage Monitor: 8 + System/2, round up
• Matrix Damage (Attack): System + Armor; VR users take 5S (cold) or 5P (hot) dumpshock, should their icon crash, and suffer desorientation (-2 to all pools) for (10-willpower) minutes)
• Stun/Physical Damage (Blackout/Black Hammer): Willpower + Biofeedback Filters

Matrix Basics
What and where is the matrix? (pg. 206: Intro, Expanded World, Topology, Matrix Use(main paragraph), pg. 209 Zones)
"Unlimited numbers of wireless nodes, everywhere, used by everyone"

Augmented Reality (pg. 209, plus the boxes on page 209, 210, 208. Unwired heads-up: Tactical AR software gets rules)
Everyone does Augmented Reality.

Virtual Reality (pg. 228-230, any old-edition SR book)
Great for full-sensory entertainment, or working from home. Hackers might use it for short-term tasks, and get a cookie +2 hot-SIM bonus.

Matrix Devices: Nodes and Attributes (pg. 206: Device- and Software ratings, pg. 212-213: everything, pg. 215: authorised access)
Rules for every wireless device. No kidding.

Commlinks and Networks (pg. 210-211: all, 214: Commcodes, 215: data trail)
Concepts needed for "the matrix YOU"

The Crunch
Shortcut: Take a peek at "Running the Matrix 101" if you will. Understand that hacking consists of "avoiding detection" and "matrix combat", and that "Spoofing Orders" and "Hacking Nodes" are the mainstays of hacker work. Even if you don´t care about the matrix, look at "Programs and You". Some programs are clearly not optional for a runner.

On Exploit
Anytime a hacker exploits a node, there is a risk of detection. The target node will roll Firewall+Analyse vs. Stealth.
While hacking on the fly, the target node gets to make an extended test.

Chances of an Intruder alert
First test

• With a stealth rating that is higher than the device rating, the first hacking test poses no risk.
• If the ratings are equal, a good analyse program on the side of the target node brings a relevant chance of detection.

Subsequent tests

• All that gets a bit more complicated once the hacker needs more than one interval for hacking on the fly.
• The node gets to roll an extended test against Stealth, so the combined number of dice effectivly doubles (triples).
• Things get dangerous once the defending node rolled more than twice the hackers Stealth rating in dice.
  (At 2*stealth, the risk of detection is (Stealth rating): (4): 25,9% (5): 21,3% (6): 17,8%.)

Consequences of Intruder alert

• Depend on the kind of reaction (Disconnect/Reboot/Call Active Security)
• Passive measures only delay intruder success, so there has to be some form of active security plan

Exploit: Best Practice

1. Roll Matrix Perception vs. the target node: Firewall Rating, Analyse Rating.
2. Add those ratings up, and multiply by the number of tests to be taken.
3. Compare to Stealth*2. Higher = risk of detection
4. Figure out if you can deal with the expected kind of reaction to an Intruder alert. IC of rating 4 has little chance of detecting a hacker with Stealth 6.
5. The main problem might be that a security spider searches the sensor feeds for signs of a runner team. Get to that node first...
6. Spoof a new matrixID after each Exploit, just in case.

Tips:

• Stealth is important. Bears repeating.
• There is such a thing as a smart jammer in Arsenal. It´s a cold and lonely world for your target... No crying to mommy.
• If your group already triggered an alert, all bets are off. Blast in, take admin.

Who hunts the Hunter?, or: What game can a hacker take on?
Cutting a corner: The slow approach will usually work silently, provided Stealth is high enough.
Cutting another corner: Those who don´t care about alerts can take any access type they want. Note: You might care about "the node goes offline for 24h".

So we are looking at hacking on the fly, under the condition that alerts are to be avoided. We need to multiply the attackers average hits by the number of "doable" tests, and compare that to the threshold. The first step is determining how many tests the hacker can afford:

The node ratings that come up most often are 3 (standard nodes) and 4(security nodes, high-class nodes).

The Prey
A rating 3 node has thresholds of 3/6/9 for the different account types.

• If it runs analyse 3, only hackers with stealth 6 can take two attempts at exploiting it (Stealth 5: detection risk 36,8%)
• If it doesn´t run analyse, even someone with stealth 4 can risk a second attempt (the third would put the risk at 35%)

A rating 4 node has thresholds of 4/7/10 for the different account types.

• If it runs analyse 4, there is only one attempt at silent intrusion ( 45% of detecting a Stealth 6 attacker on the second attempt)
• If it doesn´t run analyse, even someone with stealth 4 can risk a second attempt (chance of detection is 25,9% at that point)

The second step:
Multiply the hackers exploit pool by the number of tests with acceptable risk. Check versus the threshold.

Silent hacking, on the fly

• A hacker rolling 8 dice can take standard accounts on rating 3 nodes, with Stealth 6 there is a solid shot at Security Accounts even on secure nodes
• A hacker rolling 12 dice can take security accounts on rating 4 secure nodes, using edge, but it can fail (edge 3 added: 44,9% of doing it)
• A hacker rolling 16 dice can take security accounts on rating 4 nodes, without edge
• (You were going to use an agent for hacking? Those don´t even have edge. Multiples make it WORSE because they GURANTEE detection)

Conclusions:

• high Stealth is important
• The danger of detection depends on Device rating (Firewall) and Analyse rating, and the consequences of an intruder alert
• Nodes that run Analyse tend to be chokepoints during the "stealth phase" - unless your hacker can take them in one go
• (But they are suddenly fair game in the "hot exit phase" for anyone who can hack at all - unless there are active defenses.)

Setup for Exploit

• Expect/Place Analyse on all nodes that are supposed to be defended against hacking on the fly.
• Expect/Place active defenses on nodes that are supposed to be secure against the slow approach and aggressive hackers.
• If a node can´t be exploited (enough), there is still Spoof
• -- GMs: Use the account types how they are supposed to be used, or face munched hacker pools (high thresholds + "one test only situations" + intelligent players...)
• - GMs: establish some limit on abort&retry on hacking on the fly, at some point the target node will "get it"

There are some game-changers, which can be either intentionally used or very surprising. Lets cut the surprises:

• If the security response is known&can be dealt with, alerts are no issue at all. Analyse and Firewall are suddenly rather worthless defenses against Exploit. Duh! Loads of low-rated ICs (up to rating 4) are both a reaction consistent with the gameworld AND no threat for a good hacker.
• And it works, up to "My first action will be an attack on the single security spider, it is only a matrix alert anyway"
• Those who don´t care about raising an alert at all (ie there already IS an alert) WILL take admin, the required time is measured in seconds.
• And unless there are active defenses, any runner with minimal skill can now play.

On Spoof
When you spoof an order, your chances depend on the size of your Spoofing Pool (Hacking+Spoof), compared to the nodes defense pool (System+Firewall).

Risk Analysis
Failing an attempt at Spoof has often little direct consequence - the order is detected as fake and not executed, done. But more secure nodes might be set up so that IC or a security spider are called in to investigate.

Worlds without End or: MatrixIDs make people
Anything with a device rating will resist spoofed orders with a dp of 2*device rating. Not a high benchmark in case of rating 3 or 4 nodes.

The following numbers do not consider glitches or edge:

• If both pools (hacker vs. node) are equal, the chance of attacker success is 40%, with a second attempt about 65% (depends on the exact numbers). Much dicerolling ensues.
• An advantage of 3 dice on the side of the hacker results in a success rate of about 60%, with two attempts 80%. Sounds better already, doesn´t it?
• Pool of 12 vs a node with device rating 3? 77%/94%.
• Tip: A little investment into a good Spoof program (rating 5), and Hacking 1 (Spoof +2) grants a 50% spoofing chance against rating 3 nodes.

Setup for Spoof
The prequeresite for spoof is the matrix ID of a legitimate user.

• For larger facilities user groups will come in handy: Security Personal, Site Manager, Janitory (often good rights!), Scientists...
• Devices can likewise be grouped, some might even build one giant cluster node distributed over the whole facility (See Example 1)
• Within the given device ratings, nothing will keep a dedicated hacker from spoofing an order. The only option would be to disable the emulated users rights.
• A node can react to failed attempts at spoof by calling IC to trace the connection attempt.
• A security spider might well suspect that the attack came from an onsite source, and simply check the cameras. (Did one of the group hack those?)

Quick Matrix Systems

I. Choose Security Concept

• Full Connectivity to the matrix
  
  • Open Network: All nodes that are not slaved to a central security node and technically used from there have some defenses on their own (ie run Analyse)
  • PANs: Assume that all devices are slaved to a central commlink, so that you only have to deal with that. Skip next step.
  • Vehicles: One node that has to be open for wireless communication (traffic control). Skip next step.
• Partial Connectivity to the matrix
  
  • Network Segregation: The site tries to keep all nodes from connecting to the matrix (Jammer, WiFi-Inhibiting paint, low signal ratings). There is no wanted connection to the outside.
  • Chokepoint Defense: See above, but a (well-defended) node provides matrix access (if need be by signal > WiFi-inhibitition rating)

II. Choose Network Structure

• Determine central nodes and chokepoints
  
  • Central nodes: Household telekom, Commlinks, Security Center Server, "data fortress", Human Ressources Cluster
  • Chokepoints: nodes that provide a matrix connection, in simple setups the central node
  • by default individual nodes
• Decide which relevant devices are clustered/slaved (both Unwired pg. 55)
  
  • Utility: The users benefit if they only have to connect to a single node, ie all needed industrial machinery is accessible from one node
  • Utility: Your group benefits if the dice rolls don´t get excessive
  • Security: The less nodes to watch, the less active security measures are needed
  • Security: You might not want to put all eggs into one basket
  • Slave if you have a potential central node, cluster if you don´t. Large number of users or devices = cluster (or Nexus from Unwired pg. 50)
• Cluster all secondary devices (maybe per type) to reduce the number of nodes
  
  • Coffee Maker, microwave oven, fridge, climate control,...

III. Choose Active Security Measures

• local IC programs (rating varies; don´t forget to note the program load if you use IC from Unwired, pg. 70)
  
  • patrolling (patrolling IC needs a home node)
  • in sensitive nodes (chokepoints, devices with important functions, sensitive datastores)
  • called upon defined user activities, like changing the list of admins (matrix perception test against the hacker), or accessing certain files
  • loaded programs depend on the task, Attack and Trace being the most common.
  • Attack: Analyse, Armor, one kind of damaging program, Stealth
  • Trace: WiFi-Scan, Analyse, Trace, Stealth
• Onsite Security Spider (Comlink Device Rating 4-6, Overall Skill Rating 3-6, or more detailed, Unwired pg. 68)
  
  • Might call a Matrix Security Firm for help, but that costs money. If a trace finds an onsite hacker, the physical security assets are alerted.
• Matrix Security Firm (pre-paid external support that is only called if a device with current security contract detects an intruder)
  
  • Choose number and quality of ICs and spiders, depending on the contractor (beware of the Grid Overwatch Division)
  • Prefer more IC over better IC - keep something in reserve for hot systems.
  • here you define how hot the "exit phase" might become. Mind that security has to find the hacker first.

IV. Choose device ratings (per pg. 213 main book)

• Determine standard device ratings
• Add Analyse to all nodes that an offsite hacker could attack without going through another node first
• Choose ratings of chokepoint/IC servers and important matrix nodes
  
  • baseline: a device rating of 4 with a good program load; all chokepoints run Analyse
  • the device rating limits the possible IC rating
  • the more secure the chokepoint, the more insecure the protected device
  • the nearly impossible-to-hack F&E node will have a rating of 5 or 6

V. Choose Reaction to Intruder Alerts (Unwired pg. 67: Alert Response Configuration, main book pg. 222)

• Close Connection (a Firewall + System vs. Hacking + Exploit test, pg. 223 main book) ie: vacuum-cleaner drone
  
  • Use: all unimportant nodes. The hacker can spoof a new matrixID and be right back
• Reboot System (a System+Response, 10, 1 turn extended test) (Reboots might be delayed)
  
  • Use: all nodes that have critical data or functions, but may go offline, like a F&E datastore.
• Call IC to trace the hacker
  
  • Use: all nodes that have a connection to the matrix, ie the household telekom (for report to Security Provider or Gridsec)
• Call active security measure to attack the hacker (might be done with Attack, Blackout or Black Hammer depending on the attitude of the node owner)
  
  • Use: all security-critical nodes, ie any combat drones.

On Rigging
The basics are provided by the FAQ, and a nice table can be found in Unwired (pg.105), too:

"What Matrix/vehicle attributes apply to attacking, defending, damage resistance, and so on?

• Jumped-in Rigger Test / Dice Pool Used:
• Perception Perception + Sensor
• Attack Gunnery + Sensor
• Defense Response
• Full Defense Dodge + Response
• Damage Resistance Body + Armor
• Infiltration Infiltration + Response
• Maneuvering Vehicle skill + Response"

So drones can be used under the tactical combat system everyone else is on. Mechanically speaking, the main difference between a drone and a PC is the sensor test mechanic. Some additional considerations are to be made if you want the drone to perform in autonomous mode.

Drone Perception
Simple really: Sensor + Clearsight/Perception (pilot/you), at a flat -3 for detecting the kinds of targets you care about. Not a great many dice left in autonomous mode, so you want to upgrade the sensors (see Arsenal+Errata). Note (for both sides of the fence) that a drone in autonomous mode is pretty unlikely to detect a sneaking runner/guard, as the opposed test is made with agility+Infiltration.

Riggers are left with quite a few other options: High Perception skill (main book), the Perceptive quality (Runners Companion), an Attention Coprocessor (Augmentation), an Reception Enhancer (Aug again). Note that active targeting using drone sensors is an action well spend in combat. The whole team can share the riggers targetting data (see Arsenal: Indirect Fire), and subsequent attacks from the drone will be quite deadly if the sensor test pool yields 4+ expected hits.

Riggers
Qualities of Note

• More than Metahuman. For fast drone switching.
• Perceptive. For Sensor tests.
• Gearhead. For style.

Skills

• At least one vehicle skill. Pilot Groundcraft and Pilot Aircraft are too good to pass up. Specialise and even rating 1 is enough.
• Perception. Sensor tests are important.
• Hardware. Upgrades at half cost? Yes please.
• Software. For pilot scripting.

For combat riggers:

• Gunnery __ (ballistics +2). Should be pre-printed on any rigger sheet.
• Dodge __ (ranged +2).

For information-oriented characters:

• Even more Perception.
• Computers. For tampering with collected data.
• Forgery. Dito.
• Infiltration. Is also used for vehicles.

Strong candidates:

• Cracking Group. All that is missing from a hacker. (Defense can be left to agents, so optional)
• Electronics Group. Pretty good buy, with some rigger/hackers getting use out of all four skills.

Augmentation

• A VCR.
• Attention Coprocessor.
• Cybercommlink. Never leave home without access to your drones.
• Cybereyes with smartlink.
• Reception Enhancer.
• Simsense Booster. More IPs = good.

Gear

• Drones (both expensive and expendable ones).
• A vehicle that can transport your drones and a few team members.
• A flat with enough space for a vehicle shop (RC lifestyle qualities can provide).
• Hardware shop (response chips en masse).
• Solid comlink (ratings 5+), if not headware.
• Complete collection of programs and autosofts. See "Programs and You".

Basic Drone Setup
There are two relevant device ratings, rating 3 for standard drones, and rating 4 for security drones. As the ratings of autosofts go up to 4, the simplifying formula, assuming the presence of all required autosofts, is rolling 2* device rating. If you are a player, you want to buy the Clearsight Soft (used for Perception), a maneuver soft (for piloting), and defense soft and weapon softs for combat drones. Unwired provides an Autosoft for Infiltration (Covered Ops).

Active matrix defense is best provided by an agent or IC running on the drone itself. The opposition might use a jammer, or a necessary change in your battle plan might leave you unable to defend the drone yourself. For this purpose, Analyse, Armor and Attack programs will be needed on top of the agent/IC. As a rigger you will need multiple agents for all your drones, so you should look into a cracked agent soft. If you are using the program load rules, even an upgraded response rating will be degraded by the combined number of programs and autosofts. So be it.


Drone Combat Setup
Reusable software bits:

• Drone Pilot/Autosofts.
• Active Matrix Defenses.

Expensive Hardware Strategy:

• Basic Drone.
• Response Upgrade. The best you can get. Run more and better softs, have more dice. Main book, pg. 240.
• Sensor Upgrade. See what you will be shooting at. Main book, pg. 240. Potentialy an Improved Sensor Suite, for even more individual sensors and better sensor range.
• Signal Upgrade.
• Armor Upgrade. 3*body is the limit. Reach it. Arsenal, pg. 132.
• (Weapon Mount of some type)
  Target levels:Response 5, Pilot 4+, Sensor 6, Signal 4+. Hardened armor 9+, one weapon (preferably an AR with grenade launcher, but a sports rifle will do). Expect to pay 15-20k¥ and up. Expect to perform as well as a semi-competent samurai if jumped into a single drone of this class, use multiple drones if you require more power.

Expendable Hardware Strategy:

• Basic drone, preferably a security drone for free Response 4/Signal 4.
• Sensor Upgrade.
• (Weapon Mount of some type)
• (Optional Armor Upgrade)
  Note: The program load rules will stop you from running IC or an agent on these drones.
  Target levels: Whatever comes in the box, Sensor 6. Bouncing small arms and civilian melee attacks would be nice, so armor 6. Expect to be shot down by competent armed opposition, expect to loose these drones to competent matrix attacks. Half a dozen can still mess up most peoples days.