Pretty simple question:
If you gain Security or Admin access while hacking a system, what exactly do patrolling IC find when they Analyze you? By all rights, you are a legitimate user, especially if you managed to pull down an Admin account. They scan you and note access ID. The only thing I can imagine that would clue in IC that you aren't supposed to be there would be that, since by definition you used an Exploit to get into the system, you are not a legitimate user, but are instead using a loophole in the network's coding to gain access (and they note this when they Analyze you.)
If this is correct so far, does anything stop a hacker from logging in with Admin access, creating a new, legitimate Admin account, logging out and then back into the new account? Would this not make IC completely oblivious to them?
I'm trying to figure out what, on a logical level, separates a hacker with an Admin or Security account from a legitimate user, and what a patrolling IC would find if it analyzed a hacker versus a legitimate user. And if there is any way to prevent players from becoming invincible within a system in terms of triggering alerts and such. Thanks for the help!
PS: Feel free to sort out any points of confusion or outright falsehoods I have in the above post.
Full Version: Patrolling IC
The way I read it is this:
If the hacker used his hacking skill + a Program...to do whatever that is considered detectable and will alert the IC with a successful Matrix Perception test.
In Unwired there are rules for making accounts and how to detect it. Not sure the page, but if he creates himself an legal account and logs out and then back in, the IC will accept him till he makes a roll with hacking. (but if has admin he should not need hacking and should use computer with most tests.)
Hacking skill means your are creating or finding loopholes that don't make you legit and leaves a trail for an IC to find unless he is cleaning it...ie spoof or edit...though the act of spoof or edit can leave a trail...just remember with Admin access most rolls default to computer instead of hacking...only hack when you don't have the rights needed to do it...Thus deleting an access log with admin rights won't leave much of a trail...though hacking a access log with user rights to delete will.
If the hacker used his hacking skill + a Program...to do whatever that is considered detectable and will alert the IC with a successful Matrix Perception test.
In Unwired there are rules for making accounts and how to detect it. Not sure the page, but if he creates himself an legal account and logs out and then back in, the IC will accept him till he makes a roll with hacking. (but if has admin he should not need hacking and should use computer with most tests.)
Hacking skill means your are creating or finding loopholes that don't make you legit and leaves a trail for an IC to find unless he is cleaning it...ie spoof or edit...though the act of spoof or edit can leave a trail...just remember with Admin access most rolls default to computer instead of hacking...only hack when you don't have the rights needed to do it...Thus deleting an access log with admin rights won't leave much of a trail...though hacking a access log with user rights to delete will.
The first important difference to note (which you did mention) is that hacking Admin rights is not the same as being a legitimate Admin user. If the Hacker is running a Stealth program than they are actively attempting to hide from the system, while using the system loophole that they have discovered to do nefarious stuff. If an patrolling IC does manage to spot the Hacker they will detect them as an intruder, regardless of what access rights they have hacked. It is up to the GM what the hacker can do with their Admin privileges. Can the intruding hacker just shut down the patrolling IC (for example)? If a hacker has managed to get into a system with Admin rights without trigging an alarm it is entirely possible that they could shut down an IC. However, this is the kind of action that would certainly be noted (and appear extremely suspicious) in the System Log. In highly secure systems there would undoubtedly be some Security Hacker watching the log (and the system in general) for highly suspicious activity such as the spontaneous deactivation of patrolling IC. So, to re-answer your first question: if the user has hacked Admin privileges they are not a legitimate user and will appear to be an intruder if spotted by an IC.
Now, what if they have managed to get the credentials to an actual Admin account, possibly through some sort of "social hacking" maneuver? This comes down to how the Hacker behaves when they are in the system. If they continue to run their Stealth program than they are assumed to still be trying to "hide" from the system's security. If a patrolling IC does spot them they will check out as a legitimate user, but will be extremely suspicious. Think of it this way: what if the night watchman of an office spotted some strange person skulking under a desk and after asking for their ID the person produced what appeared to be a perfectly valid ID as a manager (or CEO) of the company? What were you doing under the table - why are you hiding? Any decently-programmed IC would probably (at least) send some notification off to the on-site or on-call Security Hacker for an additional verification. If the Hacker decided not to run Stealth, then the patrolling IC "automatically" sees them whenever the GM determines that the Hacker is within the "vision" of the IC. In which case the presence of the Hacker along with the account they are using and their Access ID would likely be logged, but otherwise ignored. If the Hacker doesn't do anything that is outside of their privileges (and not much would be as an Admin), then they could probably get away "scot free." The Hacker should be careful to either: edit the system log or change the Access ID they used for the intrusion, but beyond that there's not much the system defenders can do about it.
In all cases it is up to the GM what a user can do and under what conditions. If a system Alert is triggered it may be the configuration of the system that even Admin accounts cannot cancel the alert before a certain amount of time has elapsed, or that even under non-Alert conditions IC cannot be shut down. There is no way this has to be played: each system's configuration is entirely up to the GM. It is this change that is the best one in the new Matrix (IMO). The vagueness of things may cause confusion, and possibly upset people, but it does prevent clever player "exploits." If all privileges and rights were laid out in "stone" in the rules, then a clever player could very well figure out a sequence of clever actions that "guarantees" success. I believe player cleverness should be rewarded, but it should not be an "I win all the time" button. I very much appreciate the "whatever the GM says" design of Matrix 2.0.
Now, what if they have managed to get the credentials to an actual Admin account, possibly through some sort of "social hacking" maneuver? This comes down to how the Hacker behaves when they are in the system. If they continue to run their Stealth program than they are assumed to still be trying to "hide" from the system's security. If a patrolling IC does spot them they will check out as a legitimate user, but will be extremely suspicious. Think of it this way: what if the night watchman of an office spotted some strange person skulking under a desk and after asking for their ID the person produced what appeared to be a perfectly valid ID as a manager (or CEO) of the company? What were you doing under the table - why are you hiding? Any decently-programmed IC would probably (at least) send some notification off to the on-site or on-call Security Hacker for an additional verification. If the Hacker decided not to run Stealth, then the patrolling IC "automatically" sees them whenever the GM determines that the Hacker is within the "vision" of the IC. In which case the presence of the Hacker along with the account they are using and their Access ID would likely be logged, but otherwise ignored. If the Hacker doesn't do anything that is outside of their privileges (and not much would be as an Admin), then they could probably get away "scot free." The Hacker should be careful to either: edit the system log or change the Access ID they used for the intrusion, but beyond that there's not much the system defenders can do about it.
In all cases it is up to the GM what a user can do and under what conditions. If a system Alert is triggered it may be the configuration of the system that even Admin accounts cannot cancel the alert before a certain amount of time has elapsed, or that even under non-Alert conditions IC cannot be shut down. There is no way this has to be played: each system's configuration is entirely up to the GM. It is this change that is the best one in the new Matrix (IMO). The vagueness of things may cause confusion, and possibly upset people, but it does prevent clever player "exploits." If all privileges and rights were laid out in "stone" in the rules, then a clever player could very well figure out a sequence of clever actions that "guarantees" success. I believe player cleverness should be rewarded, but it should not be an "I win all the time" button. I very much appreciate the "whatever the GM says" design of Matrix 2.0.
Probably even admin rights are usually restricted in some way. Like the CEO under the desk at night, he can be questioned. And while he can make life miserable for the questioner, he can't prevent being questioned. Those are limits placed because no one can be trusted completely. So if an admin starts to do some radical things, there may be some delays, special manual switches that need to be toggled and so forth.
I think the distinction between Computers and Hacking is a good one. Anything done with Hacking is a violation of system rules, and IC may pick it up as trespassing. Even when a legitimate admin places a hack to fix some problem that can't be done (quickly) in a legitimate way.
As an admin, a lot of things should be possible with Computers that would require Hacking to achieve otherwise; perhaps like shutting down IC and standing down alerts.
Intrusion into a system using Hacking also doesn't normally generate account; it gives you the ability to do things on a permission level similar to an account, but unless you make an account for yourself, you're confined to hacking.
It's also to be expected that high-security systems have limits on account generation; they may be hardcoded so that Security level can only generate User accounts, Admin can only generate Security accounts, and you need manual admin access to generate a new Admin account. Same for removing accounts by the way; otherwise, wouldn't it be a hoot to delete the security hacker's accounts? Forcing them to hack their way in would slow them down a few turnsm giving you enough time to get a job done.
I think the distinction between Computers and Hacking is a good one. Anything done with Hacking is a violation of system rules, and IC may pick it up as trespassing. Even when a legitimate admin places a hack to fix some problem that can't be done (quickly) in a legitimate way.
As an admin, a lot of things should be possible with Computers that would require Hacking to achieve otherwise; perhaps like shutting down IC and standing down alerts.
Intrusion into a system using Hacking also doesn't normally generate account; it gives you the ability to do things on a permission level similar to an account, but unless you make an account for yourself, you're confined to hacking.
It's also to be expected that high-security systems have limits on account generation; they may be hardcoded so that Security level can only generate User accounts, Admin can only generate Security accounts, and you need manual admin access to generate a new Admin account. Same for removing accounts by the way; otherwise, wouldn't it be a hoot to delete the security hacker's accounts? Forcing them to hack their way in would slow them down a few turnsm giving you enough time to get a job done.
QUOTE (Malachi @ Jan 8 2010, 04:16 PM) 
Can the intruding hacker just shut down the patrolling IC (for example)?
Reminds me of Decker and the fact that there is a node explicitly for IC entering the system and that shutting it down is pretty trivial. Crashing the system on the other hand is very very hard (read: lethal, and I don't mean from dumpshock).
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.