So, when a decker breaks into a system, and is discovered but manages to get out (with or without the data they wanted), what sorts of things are left behind that a sys-admin could discover?
For example:
would they know what kind of searches were run if any?
would they know what files were accessed?
would they have any kind of video recording capability in the matrix? could IC do something like that?
(also, it seems kind of important to know that i'm relatively ignorant of how this is done in RL, so i'm not sure if any of it would even make sense)
and would any of this change if it was a valid account (from a previous Validate run)?
And finally (i think), would a sys-admin really poring over all of the access in the last 24 hours be able to retrace the steps or anything?
just a couple of thoughts/questions.
Full Version: Decker tracks
My understanding is that in RL if the sysadmin is paranoid enough and has the proper software installed, pretty much everything can be recorded and reviewed at a later date.
I think the illegality of the cyberdecks in SR stems a lot from their ability to spoof, sleaze, trick, and misdirect the hosts they are using, and a graceful logoff before a trace occurs wipes records.
Also, the manner in which the matrix run was performed has a lot to do with the ability of the system to figure out what happened. If you go in with a smash and grab technique and don't try to forge your tag lines to make them appear legit, then the system will be able to figure out what you interacted with (at least r/w and editing of files).
I think the illegality of the cyberdecks in SR stems a lot from their ability to spoof, sleaze, trick, and misdirect the hosts they are using, and a graceful logoff before a trace occurs wipes records.
Also, the manner in which the matrix run was performed has a lot to do with the ability of the system to figure out what happened. If you go in with a smash and grab technique and don't try to forge your tag lines to make them appear legit, then the system will be able to figure out what you interacted with (at least r/w and editing of files).
The whole point of masking is to avoid leaving those trails. Read over ...I think... virtual Realities 2.0 if you can get your hands on it. it goes over a lot of stuff like that without going into a solid rules book like Matrix does.
Obviously, like joker said, the more they screw up on the run, the more they can trace. Crash IC (suppressed or not), security tally, those kind of things are what will leave a trail. because eventually, when the decker leaves the system, that suppressed IC is no longer suppressed, and the system is going to notice a downed program.
These days, if you're logged into a system, they can monitor every keystroke. That's the point of 'masking', basically covering your trail. Evasion factors into that too, w/ stuff like Trace IC, but that's a little different.
Easiest way to look at it, the higher the security tally they run up, the more the system will know about what went down. if it send IC somewhere in the system, it's gonna know where it went . If the decked kept screwing up trying to access a particular file and ran up a few points, they'll see those flags eventually. All of this is assuming that they actually have a reason too look over the logs, like a run going down, suspected data theft, a high security tally setting off any kind of alert, or crashed ice.
Obviously, like joker said, the more they screw up on the run, the more they can trace. Crash IC (suppressed or not), security tally, those kind of things are what will leave a trail. because eventually, when the decker leaves the system, that suppressed IC is no longer suppressed, and the system is going to notice a downed program.
These days, if you're logged into a system, they can monitor every keystroke. That's the point of 'masking', basically covering your trail. Evasion factors into that too, w/ stuff like Trace IC, but that's a little different.
Easiest way to look at it, the higher the security tally they run up, the more the system will know about what went down. if it send IC somewhere in the system, it's gonna know where it went . If the decked kept screwing up trying to access a particular file and ran up a few points, they'll see those flags eventually. All of this is assuming that they actually have a reason too look over the logs, like a run going down, suspected data theft, a high security tally setting off any kind of alert, or crashed ice.
This is the function of the Graceful Logoff. Using it is supposed to eliminate traces of the Decker's presence (other than the obvious changes made to data, etc.). If the Decker just unplugs, then those traces remain in the host.
Right. "Graceful" here should be replaced with "Smart" or "Dont fuck-up".
I like the immagery of graceful logoff. In order to get into character I think of pretty ballerinas leaping off the stage and fading from view as they pass through the orchestra pit.
Mmmmmmm, pretty.
Mmmmmmm, pretty.
Awesome. I hadn't really formulated what a Gracefull Log-off did, but that helps tons. Thanks, all!
Was it the ballerinas that really helped?
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.