So tried running a test run of 5e last night. Went pretty well, Combat and Magic are not changed much, so that was easy to get. The Matrix however is still a little tricky. Would love more examples of hacking runs.

Anyhoo, my questions.

Once you are in a host, how does the host find you? I know this seems a dumb question. For instance, to log into the host, you have to have 1 Mark (Per the Enter Host action). Having the mark means the host considers you to be a legitimate user. Even if you are running silent and the Patrol IC spots you, you still have the Mark, so you are legit as far as the IC is concerned. Aside from Overwatch Score, it seems the only way the system can detect your illegal actions is when you screw up on a Hack on the Fly, or Attack action. It is only the mark gaining actions that seem to carry any risk (except for all illegal actions increasing your OS)

Attack Actions: It states when you use an attack action, the target knows it is under attack by another icon, but does not necessarily spot you. It goes on to state that it will search for you on its next action. Can a device search? What about the Host itself? Wouldn't the Host rely on its IC? And if you have marks on the host, even if the Patrol IC spots you, wouldn't you appear a legit user? Or is the IC smart enough to recognize your actions or does it rely on your status (marks).

Last question: Direct Connections. Directly connecting to a slave allows you use its stats, not the host. But in the WAN section, it states that once you are in the WAN, you are directly connected to all devices that are part of the WAN. So if thats the case, if my decker connects to the outer Maglock of a facility of a host running a WAN, then I am directly connected to all devices in the WAN, thereby totally negating the Host's defenses for its devices? If that is the case, what is the point of the Host?

(BTW, this post is not a bash of the 5e system. I'm just trying to understand it better)

For 1), your marks aren't legitimate so when the Patrol IC looks at you it recognizes that you're not a legitimate user.

For 2), a device can't spot you though its user certainly can try. Hosts rely on IC or spiders to do this.

For 3), I'm not sure. I'd probably rule that you're able to access them without noise, etc, but still use the host for defense unless you actually hook a cable to them.

I've been cobbling together Matrix questions and answers over the last few days. Most of these answers are from Xenon over in the official forums.



It's possible (perhaps even wise) to create more than one mark before entering a host.

Patrol IC rolls (Host Rating x2) for its Matrix Perception check to find you.

There aren't clear rules as to when, exactly, this happens. I would have the IC check when you first enter and when you perform any action that adds to your OS. Note that an Attack action automatically alerts the Host to your presence (although not your exact location), so after an Attack action, I roll initiative and have the Patrol IC roll on every pass. If the IC spots you and you have a mark (which you presumably do), what happens next probably depends on the complexity of the host. For a super-secret UV host, finding anything running silent will probably be brought to a spider's attention. For a more common rating 5-6 host, I'd rule that it means that the host automatically knows where you are once you perform an Attack action--a decidedly bad thing. Note that Crack File is an Attack action that you almost inevitably have to perform.



Yes, but it's very hard to run in any Host with any value without performing an Attack action (unless your meat team can convince a wageslave to cough up his passcodes, which could circumvent the need for the Crack File roll).



A legit user does not perform an Attack action, so it doesn't matter how many marks you have on the host at that point. The only thing that can search for you, aside from a spider, is Patrol IC. I think it's reasonable for a host that knows it's under attack to have the Patrol IC use every available complex action to search for you (hence why I have them roll initiative at this point). Once the Patrol IC spots you, that information is instantly shared with the host, which in turn instantly shares it with all the other IC, even IC that have yet to show up on the scene. This is a very bad thing.



No, it just means that you can reach other parts of the host through the Maglock. If you want to spoof a door on the other side of the facility, you can, but you're still going to need to roll some dice. With more advanced groups running against harder targets, I almost never have security and data on the same WAN. To use older terminology, the CCSS rigger runs one system that includes the maglocks and the decker runs the other system that includes the paydata. This is an expensive option, and no corp is going to do this for every building, but it's something to consider for down the road.

Is there a rule/text passage that says this? How would ICE differ between legitimate/hacked marks if the host it runs on can't even do that?

p236



Patrol IC goes on to note that having a mark isn't illegal, but placing a mark is. So if you hack a mark onto something, I'd say that the Patrol IC gets a chance to spot the new mark (matrix perception) and query the host to see if that mark was invited or not. If not, it starts looking for you actively, and the host launches additional IC to back it up for when it finds you.

Simply from a game balance perspective, it's not too hard to get 3 marks on a host (admin level), but having 3 marks should not suddenly trivialize all decking challenges. Decking can go south really quickly and GMs really need to pay attention when they're designing hosts, or it becomes very unfun for players very quickly.

Thank ya'll! That helps.


I do wish they would have given more insight into how legit users work. Right now, it seems Mr. Wageslave just has "Access" to do what he wants legitimately in a host, but there are not much details in how this works for runners to subvert. I assume the old gun to the head works regardless, but some room for social engineering would be nice. But there's only so much room in the book I suppose.

I do like that the rules are focused from the runner's pov however.

They do give a few examples of this. Think about it like this. Joe Wageslave works as a data entry user for a medium corp. They come to work every day and either have a console they use exclusively or a docking station they can plug their commlink into. The host they plug into or access has a database that holds all of the user names and passcodes for the corp. When Joe logs in to get started with work that day, he query's the host with the right information, which then goes to check it out. Finding it legitimate, the host invites three marks on Joe's commlink or console, letting him have access to what his credentials give him. At this point, it's not Joe that owns marks on the host, it's the other way around: the host owns marks on Joe's commlink. Because of this, it might very well be a direct slave device of the host.

Going further, if Joe left his computer on and someone comes around with it still logged in, they can access files that Joe normally has access to. But, if they try to access anything funny, they get denied, simply because the user is not able to modify the rules in the matrix under the host while being marked. They don't, themselves, have marks on the host to make that kind of a change. They would have to put marks of their own on the host, and because the host already has marks on them (because they're logged in and registered, like good sheeple should be) it's going to be a pretty quick exchange with Joe and his boss about company security policies.

Now, if you're talking about security and admin users, this would be a different story. While they could have normal login accounts like Joe, Sarah Spider isn't really a typical user. She's a security spider and has actual control of how the host functions. Again, the host would have a database of known marks and how many marks a specific user can hold on their systems without incurring problems. Maybe Sarah is a backup spider, tasked with watching the camera's of the company. When she logs in, she's putting registered marks on the host, which the host has information about. When it sees these marks, it acknowledges that Sarah is a registered spider and gives her access to the camera feeds, door logs, and so on. Sarah can do whatever she wants. Patrol IC will still be sniffing her marks every five seconds, but this isn't seen as rolls, since Sarah is using legitimate marks. Now, maybe Sarah oversteps her bounds. She wants to cross-reference some logs she's seen with some CEO's that have been coming and going lately. She doesn't have enough marks on the host to actually access personelle records that high up. But, she knows a few tricks. She puts another mark on the host and digs into the files. The patrol IC, knowing that Sarah isn't supposed to have that many on an HR icon, sniffs at it. At this point, IC would make a roll to check if Sarah is supposed to be there. If she's not, it doesn't care who Sarah WAS before the third mark was placed. It starts up an alert and begins to launch IC, because it doesn't know any better.

To summarize, I would say that having a login of a user would allow a runner to act as a normal user and access programs and files, but not actually do anything hacking-related with them. Also, because the runner has marks invited onto his hardware, the host is going to know about that hardware and where it is and what it's doing. Logs are fun to read. But if they have any actual security login information, I would say that they could place their mark on the host, given that their mark is in the system, and be able to access what they want with that many marks without putting up too many red flags. However, that kind of data should be super hard to get or create, and it's the kind of thing that gets audited quickly. One could say that if you had a sample of the corp's login credentials, you could forge a login for yourself and insert it into the host at some point. Sure, this would be a run in and of itself, but by doing that, you could then enter the corp at a later date with the new login as freely as you want. Or, at least until the corp's spider audits the logs and finds out that a new security user was created that they have no reference to. At that point, it would be a matter of the Forgery skill to determine what's right. I would say that every day a forgery is contained in the server, a spider of the host is able to make an opposed Forgery or Perception check to cross-reference that login with others.

A quick addition to the benefits of having a user login: that's the only way to access archived files, so snatching high-level executives still has its role.

Thanks again. This kind of detail is what the book was lacking for me. I have a better understanding now, thank you.