I not running a SR4 game currently, but I'm continually thinking about improving games I have run, and the Matrix has always been a sticking point (yeah, go figure, right?). So much so, that any matrix characters get the banstick from my players. One of the problems that I've had is that any matrix action is two-step: 1) gain access and 2) do something. I guess there could be another step of "find something" before you "do something", but for this topic, I'm just looking at speeding up "gain access".

As I was rereading some matrix sections in SR4A and Unwired, I was discovering some things I am not sure I was aware of and wanted to get some opinions.

The way I see it, a hacker going for an admin account that fails his hack on the fly, gets in the node, but sets an active alert and all actions that an admin would normally have, but need hacking rolls to complete due to the alert.

Now, if the hacker had just went for a user account, it would be easier to get in without setting an active alert, but he'd only have user access, so all other actions above user access, would need hacking rolls to complete.

I think that's all pretty straightforward. The part I missed in my previous games was the admin account with an active alert, can't just spend an action and cancel the alert and go back to doing his thing. Every action he takes, must be a hacking roll.

Now, the other thing I was looking at was the active alert. It appears that once it happens, per Unwired, the alert is going to trigger 1) IC deployment to node, 2) Alert sent to spider and potentially auto-log spider into node, 3) attempt to log intruder out of node or 4) shutdown/reboot node. But, after that action is completed, the intruder goes on his way in the node.

I'd assume the intruder would want to shut off the alert and if he hacked admin access, after dealing with the results of the active alert, would simply need a hacking roll to turn it off and have full admin access.

I know there can be other IC patrolling the node, but assuming there are no other IC, then its pretty safe for the intruder once that alert-triggered response is dealt with, right? I mean, I know everything the intruder is doing is logged in Access Logs, but once that alert is dealt with, there's really nothing else.

I suppose that any hacking rolls made in the node, regardless of account type, could trigger another alert and the intruder would have to deal with another response. I guess I was thinking that I could speed up matrix stuff if there was a "failed" login, but based on RAW, there is no such thing as a failed login. Whether hacking on the fly or probing, no matter what access you are trying to get, you will always log in with the access you want. You just may trigger an alert when you log on.

I guess you could use the optional limit of extended tests rolls or create an optional rule that an alerted hack also drops you to a user or public account...

Well, that is very similar to attempting to log an intruder off. You attempt to strip him of his rights. Logging him off = stripping him of ALL his rights, even log-in rights. Stripping him down to User-level would be a weaker version of that. So, if you weren't able to boot him off your server, you probably won't be able to strip him down to user-level anyway.

If you wanted to play with the mechanics, I'd have Log Off Intruder have variable success based on threshold. I'd make the test more likely to partially succeed, though.

It is my understanding that if you have triggered a alert on login your account has no privlidges (is essentially public) and moreover can never get them back. I cannot recall any way to terminate a targeted alert even with admin access. I'm away from books so I cannot cite and it has been brought to my attention I have at least my share of comfortable misconceptions about the rules system however once you've got a alert on your account your stuck like that until you log out and hack another account. Not sure if that will help speed things but in my experience SR4 hacking is fast and relatively painless unless you insist on multitiered matrix dungeon crawls, it sacrifices realism for playability.

I'd say that if there was a "fail" outcome, yes, it would speed things up at my table. Whether that is forcing a public account, not being able to turn an alert off or some sort of reduced log-in rights, it would be something more than what I've been running.

I could see an alert, once triggered, would be connected to the Access ID indefinitely. Therefore, a hacker would need to change Access ID and try to login again, or if critical, would maintain the Firewall + 4 and force the hacker to always use Hacking rolls to do anything. Now that doesn't speed the game up, but it at least makes it feel there is a fair obstacle for botching the initial login.

I'm just going back to my previous games and while I agree with SR4 being fast and relatively painless, it feels more like theory than in practice. I mean, the mechanics are very easy to work with, but it seems like the table time just drags on. I have rarely seen a hacker log in on the fly in less than 3-4 rolls on the extended test. And once in, there's likely going to be a Matrix Perception, a Browse and then some sort of action (e.g. grabbing a file, viewing a camera feed, accessing security). Again, all of this is straightforward, but its a lot of rolls to get it resolved...and that's assuming no alert and no patrolling IC.

And I've tried to stay away from cybercombat as the couple times I've run it was miserable. It was pretty much a stalemate. The IC couldn't damage the hacker and the hacker had trouble hitting the IC...so it went on forever, with the end result being the hacker's comm was crashed, but he was quickly able to switch Access ID and hack back in. So, it was kind of just a waste of time to resolve.

I'd agree with Lurker regarding the result of being alerted on. Your 'admin' access is actually a public anon account that's been internally spoofed or exploited to appear something higher to the system. It's electron magic. The system hates you.

One of the problems your users are having is they're insisting on hacking on the fly into a system with admin access. Any system worth its salt (3/3, 4/4) is almost DEFINATELY going to see this hack attempt with the +6 for admin. Remember for hack on the fly it's a threshold extended test to see 'em. The highest I'd try is security for a hack on the fly, and then only against a 3/3, unless I was Techno-godding it. Slow probe is a different story. You can roll all day there, but if you're more then 2 rolls, you're gonna get caught.

One of the slowdowns I've found is the descriptions of what's in the node, and then the hacker has to analyze everything in the thing with a detailed review to figure out what's what. As user they have to be that cautious (it's part of the plan, the analyzer has more time to find 'em), but as admins I'll let them know what things actually are, surface wise, as the admins can see full icon information, and I'll assume they bought their first set of hits looking around, makes life easier.

Two ICs, one's scanning with analyzer, the other's response attack software. There's 3 node portals, hardlines to somewhere, one of them says 'factory floor', which is where you assume the controls for the forklifts hide. There's a number of data storage files here, and you're relatively sure a few encrypted ones. The factory portal is clean of bombs, encryption, and you now have its AccessID. You have no idea what the data in here is. Actions?


Oh, yeah, one other thing... when they're in cybercombat, they should also be fighting a trace or being delayed until spyders can arrive. The 'one action on alert' thing is utter crap, and I threw that out the window. Okay, fine, you want to be technical, the node goes on alert and sends a comm signal to another node, you're not sure where, but OOC: it was instructions to activate a level 1 agent with a script to do the following...

If i remember right there is nothing that specifically limits an ARC to one action in fact there are several in book examples that do multiple things.

That's the Hackastack problem.

Maybe that is in errata, but when I looked at Unwired, it made it very clear that on alert, the node can only do 1 of 4 things. Now, there may be IC in there patrolling or following their own scripts, but that is different than a node's response to an alert.

I suppose one hole I can plug is the resulting account access an intruder ends up with when an alert is sounded. Once that alert is up, the hacked account is basically a public one and the Firewall is +4 until the intruder comes back in with a different Access ID. That will make my players a lot more cautious to sound an alert and probably cause them to exit the system immediately. In a way, that speeds things up...not exactly what I was hoping for, though!

Sorry we couldn't help that score Deek, but that is essentially how I run it it inspires the proper level of paranoia in my hackers and makes them a lot less proone to hack everything.

"Most of the time a user with security access is able to ... initiate (and deactivate) an active alert," -- p. 53, Unwired

One plugged hole is better than none.

I'm still intrigued that turning off an alert is not common practice. I allowed my players to do it before. At this point, I'm still considering the possibility. They'd still need a Hacking roll to complete it and the end result would just be the +4 Firewall to be removed. They'd still be stuck with a "public" account that they'd have to basically continuing using Hacking rolls (and risk future alerts) and they are no longer in the system undetected, but they would be in the node and oftentimes, that is sufficient.