Full Version: Matrix Rule Clarifications
MikeKozar
I'm trying to script a few Matrix encounters, and I'm coming to realize I don't know what I'm doing. Can somebody help me out on the following?

1) J. Random Hacker badly wants a Nuka-Cola, and is using hack-on the fly against his nemesis, the Vending Machine. The Vending Machine rolls well, and beats J. Random's Stealth. This triggers an Alert. J. Random Hacker feels that even with an Alert giving the Machine a Firewall bonus against him, and whatever other countermeasures might be launched, he is still good enough to hack in and get his soda. Is J. Random allowed to continue attempting to hack-on-the-fly, or is he automatically blocked once an alert is triggered?

2) J. Random has planned ahead, and has taken the time to Probe the Vending Machine. The Vending Machine does not detect J. Random Hacker as he uses his forged credentials, and J. Random gains access to the Vending Machine's node without triggering an Alert. J. Random believes that he now owns the node, at the level of authority he hacked to. Is it possible for the node's Firewall to trigger an alert after a successful hack without the presence of ICe or Security Hackers to spot the intruder?

3) A normal commlink can only run a number of programs equal to its system rating. J. Random Hacker believes this means he will only face serious opposition on corporate Nexi, since an average commlink will only have three slots, and fighting off a hacker will require at the minimum an ICe frame running Attack and Analyse. If the target were using the commlink for something like a tac-net, then the system would drop everything from Rating 3 to Rating 2, and J. Random is not worried about any system that can't roll six dice. Is J. Random reading this correctly?

4) J. Random Hacker is getting ready to 'harden' his commlink, and decides to save money and resources by not including an ICe frame to run his security. He reasons that his commlink can just run Analyse and Attack itself, so why pay for the extra code?

5) J. Random has a great idea. He is going to buy his cousin's old Nexus and load it with a dozen ICe programs, all packing useful security tools. Then, he will call all his friends with cheap commlinks and offer to have ICe hosted on his Nexus patrolling their Commlinks. Since the ICe is running on his machine, he reasons, the low system resources on the commlinks won't matter, and for a few nuyen a month they will have automated overwatch like a serious system. Will J. Random's plan work?


...thanks in advance for just *reading* this far; I know this is a lot of questions, and I hope somebody can clarify how these things are supposed to work together.
Mesh
QUOTE (MikeKozar @ Dec 17 2010, 09:16 AM) *
5) J. Random has a great idea. He is going to buy his cousin's old Nexus and load it with a dozen ICe programs, all packing useful security tools. Then, he will call all his friends with cheap commlinks and offer to have ICe hosted on his Nexus patrolling their Commlinks. Since the ICe is running on his machine, he reasons, the low system resources on the commlinks won't matter, and for a few nuyen a month they will have automated overwatch like a serious system. Will J. Random's plan work?


Nice! Cloud computing applied to Shadowrun. It absolutely will work once your nexus has access to all those commlinks. However, your nexus had better have good security of its own, because now it's a single point of access to every commlink it patrols.

Mesh
Fauxknight
QUOTE (MikeKozar @ Dec 17 2010, 08:16 AM) *
1) J. Random Hacker badly wants a Nuka-Cola, and is using hack-on the fly against his nemesis, the Vending Machine. The Vending Machine rolls well, and beats J. Random's Stealth. This triggers an Alert. J. Random Hacker feels that even with an Alert giving the Machine a Firewall bonus against him, and whatever other countermeasures might be launched, he is still good enough to hack in and get his soda. Is J. Random allowed to continue attempting to hack-on-the-fly, or is he automatically blocked once an alert is triggered?


When the firewall detects him an alert is triggered which includes not only a higher firewall rating (making it a lot harder to hack into), but also some sort of alert response as well, see page 238 SR4A, it even has a random chart for what type of response the machine does.

Continuing to attempt to hack into the machine alerted to his presence is doable, if it hasn't shut down, though it is a lot harder against the significantly stronger firewall. He can also attempt to change to another ID that the machine isn't alerted against, since the bonus firewall from the alert only applies to the detected user. He can either change commlinks or spoof/hack a new matrix connection with his existing commlink (I think Unwired has those rules? and I don't remember it being particularly difficult). Either way there might be active IC or a spider looking for intruders at that point.
deek
For 1), yeah, JRH can still hack into the node, dealing with the +4 Firewall on and the results of any security measures that alert triggered. For a vending machine, it's not likely going to be a spider or even any serious IC. There is probably a camera recording the vicinity and it might get sent to local authorities, but the likelihood anyone will come down there and bust JRH is slim. He'll have enough time to get his Nuka-Cola and leave before anyone shows up. He'd likely want to clean up the Access Logs (although if using a temp Access ID, that may not be an issue as long as he doesn't use it again) or check what the alert triggered and clean that up. But then again, it may not even be worth the time for such a petty crime.

For 2), yeah, the node itself could be set up to do random or scheduled scans on all icons it can see. If JRH was Stealthed, then it's even less likely that he'll get checked, but it's still possible if the node just checks everything on a regular basis. Doesn't make a lot of sense for lower security, but it could happen.

For 3), just to clarify, you can run more programs than system rating, it's just that running more will degrade your response, which basically translates into one less die to roll in many of your pools. So, yeah, JRH is reading that correctly.

For 4), I don't think your node can Attack anything, so the best your node would be able to do is run Analyze and if it finds anything, report back to you, then you could decide. If you had an agent in there, it could Analyze, report and then Attack. Node's actions are pretty limited, so that's the main difference.
sabs
4) You want to run an agent because the agent can be scripted with responses. The agent, once it detects the intruder, can load attack and start spanking.

5) This really is an ideal situation. Your agents just need an open subscription to the commlink. You could also slave their commlinks to your nexus. Allowing only skinlinked connections, and connections from the nexus.

2) No, with no ICE and no Spider, he owns that vending machine. Of course, that vending machine probably gets software updates that reset the accounts every so often. And your cloud security idea works for corporations too.

1) A vending machine that detects an intruder is probably configured to send a mayday to Corp Headquarters and then do a hard reboot, kicking you out of the system.

3) He's reading this wrong.
A) Average Commlink with response 3 only has 2 slots before response degradation
B) Response degrading does not affect the rating of the programs that can be run (those are determined by the System Rating of the Commlink)
C) Response degradation only affects initiative rolls
D) You lose a point of Response whenever the number of programs you're running is N-1 where N = Max Rating

Response 3 Commlink
# of Programs Running | Current Response
1 | 3
2 | 3
3 | 2
4 | 2
5 | 2
6 | 1
7 | 1
8 | 1
9 | System Crash
Sengir
QUOTE (MikeKozar @ Dec 17 2010, 02:16 PM) *
5) J. Random has a great idea. He is going to buy his cousin's old Nexus and load it with a dozen ICe programs, all packing useful security tools. Then, he will call all his friends with cheap commlinks and offer to have ICe hosted on his Nexus patrolling their Commlinks. Since the ICe is running on his machine, he reasons, the low system resources on the commlinks won't matter, and for a few nuyen a month they will have automated overwatch like a serious system. Will J. Random's plan work?

Well, depends. According to the BBB, Agents cannot "project" their icon into nodes they are not running on, as a human user's persona can. According to Unwired, they can.
Mardrax
Just want to add:

2) JRH can glitch his rolls, which can cause an alert at GM fiat.
3) JRH can be incredibly slow at hacking himself an account into said system, due to general bad rolling. The system may use its low dicepool to detect the hacking attempt and go on alert. The general populace's idea of an alert response should be along the lines of 'Hit that power button!' JRH on the other hand should know when to quit picking at the door, and leave for a bit, to wait for the dog to fall back asleep.
Eratosthenes
QUOTE (MikeKozar @ Dec 17 2010, 08:16 AM) *
1) J. Random Hacker badly wants a Nuka-Cola, and is using hack-on the fly against his nemesis, the Vending Machine. The Vending Machine rolls well, and beats J. Random's Stealth. This triggers an Alert. J. Random Hacker feels that even with an Alert giving the Machine a Firewall bonus against him, and whatever other countermeasures might be launched, he is still good enough to hack in and get his soda. Is J. Random allowed to continue attempting to hack-on-the-fly, or is he automatically blocked once an alert is triggered?


That depends on what the Vending machine's response is to an active alert. It could:

1) Reboot. That would prevent him from connecting, and likely wipe out any successes he's made.
2) Attempt to log him off. Since he's not yet logged on, I'd say it works, and his Access ID is blocked.
3) Call a spider/IC/etc. from HQ.

QUOTE (MikeKozar @ Dec 17 2010, 08:16 AM) *
2) J. Random has planned ahead, and has taken the time to Probe the Vending Machine. The Vending Machine does not detect J. Random Hacker as he uses his forged credentials, and J. Random gains access to the Vending Machine's node without triggering an Alert. J. Random believes that he now owns the node, at the level of authority he hacked to. Is it possible for the node's Firewall to trigger an alert after a successful hack without the presence of ICe or Security Hackers to spot the intruder?


A glitch might trigger an alert. Resident IC, an agent, or a spider might periodically Analyze and attempt to detect the hacker.

And whenever he attempts something that his access level wouldn't allow (such as creating a legitimate account with just User access), the firewall would get another chance to detect (i.e. whenever Hacking is used, instead of Computer).

QUOTE (MikeKozar @ Dec 17 2010, 08:16 AM) *
3) A normal commlink can only run a number of programs equal to its system rating. J. Random Hacker believes this means he will only face serious opposition on corporate Nexi, since an average commlink will only have three slots, and fighting off a hacker will require at the minimum an ICe frame running Attack and Analyse. If the target were using the commlink for something like a tac-net, then the system would drop everything from Rating 3 to Rating 2, and J. Random is not worried about any system that can't roll six dice. Is J. Random reading this correctly?


A node/nexus/commlink can run Response programs before degradation. There are also Ergonomic programs (Unwired Software option) that don't count against this limit (the # of Ergonomic programs is limited to the system's Response, as well). So a rating 3 node could run 3 programs and 3 ergonomic programs.

And a software suite counts as 1 program for both load and crashing purposes. That Black IC with Armor, Medic, and Cascading Attack might be a whole suite, and thus count as only 1 program. Analyze is your friend.


QUOTE (MikeKozar @ Dec 17 2010, 08:16 AM) *
4) J. Random Hacker is getting ready to 'harden' his commlink, and decides to save money and resources by not including an ICe frame to run his security. He reasons that his commlink can just run Analyse and Attack itself, so why pay for the extra code?


His commlink will make use of the Analyze, but he'll need an agent (or his own persona) to make use of the Attack (or any other) program. And the node will only use the Analyze when the Firewall gets an attempt to detect an intruder (hack on the fly, probing, etc.)

QUOTE (MikeKozar @ Dec 17 2010, 08:16 AM) *
5) J. Random has a great idea. He is going to buy his cousin's old Nexus and load it with a dozen ICe programs, all packing useful security tools. Then, he will call all his friends with cheap commlinks and offer to have ICe hosted on his Nexus patrolling their Commlinks. Since the ICe is running on his machine, he reasons, the low system resources on the commlinks won't matter, and for a few nuyen a month they will have automated overwatch like a serious system. Will J. Random's plan work?


Sure, but as others said, while he secures some areas, he introduces other problems. Putting all your eggs in one basket is fine, as long as you WATCH THAT BASKET.
sabs
Guys

The limit to the number of programs a System can run before degradation is not its response. It's the System Rating - 1. It's a subtle difference, but it makes a BIG difference.

Yerameyahu
Not that you really lose anything for going over it anyway.
Seth
Supposing the alert is raised... is there any way that J. Random can cancel the alert? For example, if he is the administrator, can he command the node to cancel the alert?

Going a little bit further, if J. Random has a clever piece of software, or a helpful sprite, that delayed the alert for 1 round... could J. Random stop the alert from happening?

Yerameyahu
Yes, both of those options exist. I'll check for pages.

Unwired p55: "Most of the time a user with security access is able to create or delete standard user accounts, edit other users’ data, initiate (and deactivate) an active alert, and read the access log (see Access Log, p. 65)."

Unwired p117: "If a program with the Mute option is used in an action which triggers an alarm, the alarm is temporarily delayed for one full Combat Turn."

Canceling an alert is not stopping it from ever happening, in your first example. I'm not *sure* about the second example, but I think I'd allow it.
Seth
Thanks Yerameyahu.

We have played that you can, but were never sure if we were fudging it.
Saint Sithney
QUOTE (Seth @ Dec 17 2010, 02:33 PM) *
Supposing the alert is raised... is there any way that J. Random can cancel the alert? For example, if he is the administrator, can he command the node to cancel the alert?

Going a little bit further, if J. Random has a clever piece of software, or a helpful sprite, that delayed the alert for 1 round... could J. Random stop the alert from happening?


When you've triggered an alert, your account on that Node is considered restricted. That means that you lose all account privileges.

However, you still have access, so you can perform ANY action, including removing the alert and the restriction by making a hacking test. That's a Hacking + Exploit vs System + Firewall test, with the firewall bonus from the alert.
So, for a good hacker who somehow forgot his Mute option, the game's still not over.

Also, while Response degradation from overloading with programs won't affect max System and therefore program rating, it will affect Initiative and Dodge for drones or cybercombat. Not as bad as overloading on armor, but still it's basically losing a point of Reaction, which is significant in some circumstances.
LurkerOutThere
QUOTE (Saint Sithney @ Dec 21 2010, 12:51 AM) *
When you've triggered an alert, your account on that Node is considered restricted. That means that you lose all account privileges.

However, you still have access, so you can perform ANY action, including removing the alert and the restriction by making a hacking test. That's a Hacking + Exploit vs System + Firewall test, with the firewall bonus from the alert.
So, for a good hacker who somehow forgot his Mute option, the game's still not over.


This is not correct; canceling an alert requires security level access per Unwired. If you don't have security level access, because of an alert you can't shut down the alert. Is it a catch-22? Sure, but I've found it works good in my games.

When it comes to hacking, like so much else in Shadowrun, the best practice is not to get caught.

MikeKozar
Thanks to everybody who has already jumped in; this has been a very educational thread. I do have one other scenario I need help with, and I'm hoping that somebody will spot this and save me from making a new thread. The effectiveness of stealthy hackers actually came up in our last game, and my players really want a clear ruling on this.

6) Due to a troubling amount of missing Nuka-Colas, the Vending Machine has been upgraded, and is now being actively patrolled by a Spy-Eye (ICE-4 running Analyse-4 Stealth-4). J. Random Hacker is unaware of this, and proceeds to probe and hack the system as per usual, and does not trigger an alert. Assuming that J. Random is running an Analyze, he will need to get more hits than the ICE does with its pool of 8 just to detect the presence of the ICE. Meanwhile, the ICE is running Analyse on the Node, presumably to beat J. Random Hacker's Stealth. Since J. Random Hacker is using an apparently legal login that has the authority to be testing the Mechanized Soda Ejector, will the Spy-Eye trigger an Alert immediately when it detects him, or is J. Random safe as long as he seems to be using his credentials in accordance with system policy?
Saint Sithney
QUOTE (LurkerOutThere @ Dec 21 2010, 12:24 AM) *
This is not correct; canceling an alert requires security level access per Unwired. If you don't have security level access, because of an alert you can't shut down the alert. Is it a catch-22? Sure, but I've found it works good in my games.

When it comes to hacking, like so much else in Shadowrun, the best practice is not to get caught.


Here's the relevant section w/ emphasis.

QUOTE
Additionally, all privileges involving the node itself (such as deactivating programs or agents, rebooting, editing files, etc.) are no longer automatically allowed to the trespasser, who must either use the Hacking skill to perform such actions or Spoof a command from a legitimate user that still has her permissions intact.


Unwired is just chock full of instances where they say "If you do not have sufficient access privileges, use Hacking + [relevant program]" and the section on Alerts says specifically that you can hack past privileges while targeted by an Alert.

So, you're right in that it doesn't specifically say, "to deactivate an alert, follow this process," but it does say hacking = actions. I know there are more rules here, but I'm too tired to hit all the pages. I'll dip back into this tomorrow though. In the meantime, an example of this in action is on p79 of Unwired in the Security in Action play demo.
Saint Sithney
QUOTE (MikeKozar @ Dec 21 2010, 12:51 AM) *
6) Due to a troubling amount of missing Nuka-Colas, the Vending Machine has been upgraded, and is now being actively patrolled by a Spy-Eye (ICE-4 running Analyse-4 Stealth-4). J. Random Hacker is unaware of this, and proceeds to probe and hack the system as per usual, and does not trigger an alert. Assuming that J. Random is running an Analyze, he will need to get more hits than the ICE does with its pool of 8 just to detect the presence of the ICE. Meanwhile, the ICE is running Analyse on the Node, presumably to beat J. Random Hacker's Stealth. Since J. Random Hacker is using an apparently legal login that has the authority to be testing the Mechanized Soda Ejector, will the Spy-Eye trigger an Alert immediately when it detects him, or is J. Random safe as long as he seems to be using his credentials in accordance with system policy?


Basically, if they have a legitimate account, then they can do anything that account has access to do without risking suspicion. If they do something outside of the scope of their privileges then they risk being found out.

All the relevant info is on p97 of Unwired.
DMiller
One more thing to keep in mind... A legit account will not be using the Stealth program. Legit users have no reason to hide. We've always played that if you are using a legit account you turn off stealth, otherwise the system will still be suspicious of you and your activity. We also say that using the Hacking skill while not using a Stealth program could be seen as bad. It really helps to keep Hackers under control.

So a legit account (or one hacked as legit) can do anything that account should be able to do, but if you want to do anything shady, you need to really watch yourself or turn on stealth and become non-legit.

Just my 2¥
-D
Squiddy Attack
QUOTE (DMiller @ Dec 27 2010, 01:22 PM) *
One more thing to keep in mind... A legit account will not be using the Stealth program. Legit users have no reason to hide. We've always played that if you are using a legit account you turn off stealth, otherwise the system will still be suspicious of you and your activity. We also say that using the Hacking skill while not using a Stealth program could be seen as bad. It really helps to keep Hackers under control.

So a legit account (or one hacked as legit) can do anything that account should be able to do, but if you want to do anything shady, you need to really watch yourself or turn on stealth and become non-legit.

Just my 2¥
-D


A Stealth program isn't like a commlink's hidden mode.

Stealth is a clever hacker program that attempts to make
the hacker as “invisible” as possible to other system processes by
obfuscating his activities, erasing system tracks, and mimicking
authorized traffic. Stealth hides the hacker from the Firewall’s
watchful gaze as he breaks into a system (see Breaking In, p.
221). Stealth also protects the hacker from prying Analyze actions
(p. 217) and track attempts (p. 219).

It is literally hiding you from the system's processes, sneaking you into the little cracks. It's not a 'this user is hidden' flag.
DMiller
QUOTE (Squiddy Attack @ Dec 28 2010, 06:55 AM) *
It is literally hiding you from the system's processes, sneaking you into the little cracks. It's not a 'this user is hidden' flag.


What’s the difference between the two? With one you are hiding your activity, with the other you are hiding your activity…

If you saw someone skulking around your office and acting dodgy would you question it? Using a Stealth program is skulking and being dodgy, not using one isn’t.

-D

P.S.
I’m not trying to be a smartass, just trying to clarify for my own sanity.
Squiddy Attack
QUOTE (DMiller @ Dec 28 2010, 02:48 PM) *
What’s the difference between the two? With one you are hiding your activity, with the other you are hiding your activity…

If you saw someone skulking around your office and acting dodgy would you question it? Using a Stealth program is skulking and being dodgy, not using one isn’t.

-D

P.S.
I’m not trying to be a smartass, just trying to clarify for my own sanity.



The difference sounds like "I'm not here" versus "I'm here but being quiet about it".

The idea is that your digital skulking around and acting dodgy keeps you from being seen, period, not what you do from being seen. If you see the office skulker, yeah, that's suspicious. If you don't, would you even think something was going on?
Draco18s
Stealth is a S.E.P. Device.
Saint Sithney
I understand the argument that, because Stealth tries to obfuscate the source of commands or actions, any time it fails, it makes that action automatically suspect, even if the user it is traced to has full permissions to perform that action. "Why did User 423's edit action come through the operating system's old sub-level command line?" and such.

One decent way of modeling this is the Security Tally rule tweak on p39 of Unwired.
Squiddy Attack
Agreed.
Mardrax
Analyse is software, and hence unable to make calls of the 'dodgy' neomer.
It analyses something running Stealth, and based on the test outcome, reports whether or not the icon in question is doing something it shouldn't, based on user access rights, or lack thereof.

Infrastructure in place on a system is there to be used, and said use by authorised parties shouldn't be suspect -or objected to by Analyse, by default- unless a spider would specifically want that infrastructure watched, which would make it bait.

I tend to see Stealth as a way to make use of Analyse's scanning priority algorithm. Stack the office full of Christmas trees with blinking lights, and chances are you won't see the man behind. Without him acting suspicious to avoid notice.
Saint Sithney
This is software that occasionally breaks and becomes sentient enough to pass a Turing test.

I think you underestimate it.
DMiller
Thanks all, this is insightful.

I’ve always seen the Stealth Program to be the same for the Matrix as the Infiltration Skill in the meat-space. I do believe that the books support this view. That’s why I made the reference I did about a legit account not running Stealth.

However I can see both sides of the possible operations.

Again thanks all for the input.

-D
MikeKozar
I think I really like the idea of being stealthy or being legit as alternate modes of operation. It rewards the sort of legwork that Probing a Target is supposed to indicate, and makes it riskier to go hot.

To justify this, I might claim that if Analyse detects a user with malware, viruses, or exploitive hacker-softs loaded, the system security policy is to treat it as a compromised account. Obviously getting the list of running programs would involve beating the Stealth, but if the defender first beats the hacker's Stealth and then realizes that the persona is running Stealth, alarms might go off. Ditto if the persona has a running Attack program.

It's analogous to a 2011 sysadmin noticing BitTorrent traffic on a user's node. The user might be entirely legit and updating legal software, but company policy is to assume he has been rootkitted by pirates and is racking up lawsuits. Paranoia is a legitimate business plan, doubly so in 2074.

Speaking of which, Happy New Year, Dumpshock!
Draco18s
Just FYI: it takes an action for a spider/IC to run Analyze on an icon to figure out what programs it's running.
(By RAW I believe it is 1 action to identify how many, then 1 action per each program to determine the program name/type).
MikeKozar
QUOTE (Draco18s @ Jan 1 2011, 04:44 PM) *
Just FYI: it takes an action for a spider/IC to run Analyze on an icon to figure out what programs it's running.
(By RAW I believe it is 1 action to identify how many, then 1 action per each program to determine the program name/type).


It looks like you can get more information with more hits on the Matrix Perception test, but it's unclear how many are needed to uncover the info. I'm guessing I would have the Analyze accumulate hits, as follows:

1) Persona identified.
2) Running programs catalogued
3) Checking program for malware
4) Checking next program...

...so a hacker with multiple running programs, one of which is banned by system policy, would trigger an alert when the Analyse had accumulated 3-7 hits. This puts a lot of pressure on the hacker, but gives time to mess around before the system catches on.
Udoshi
QUOTE (Draco18s @ Jan 1 2011, 05:44 PM) *
Just FYI: it takes an action for a spider/IC to run Analyze on an icon to figure out what programs it's running.
(By RAW I believe it is 1 action to identify how many, then 1 action per each program to determine the program name/type).


That's actually not strictly true. All analyzers have Automatic mode, which rolls your analyze score against every icon it can render.

It's a simple action to toggle it on and off, but that goes down to a Free (changed linked device mode) with DNI input. 4a 228 for details.

At least in my games, it's the reason that hacking nodes with active IC patrols is a bad idea - every time you do something, all running analyzers get a chance to see past your stealth. I assume that all analyzers run in automatic, unless a user needs to look at something specific.


I mean, when you think about it, having the Analyze Icon action as the -sole- way to spot something is stupid. If it were so, even casual use of the matrix would be retarted.
'I want to check my mail!'
'I analyze the login page. Then the username prompt. Then the password field. A free action to Transmit Data for my login details. Oh, now I have to spend a simple action to Log On. Now I can data search for my new mail, since it's on a Specific System, that's a complex action... '
No, fuck that. Automatic rendering with Analyze programs makes so much more sense.

Dumpshock Forums © 2001-2012