[Xenon]

Xenon, you never responded to my specific "What would I like?"

I would like that the device you used to form your persona on is unmerged from your persona when the persona enter a host.

I would like that technomancers would get a direct connection to devices they physically touch (but then again with repeat threading low level cleaner they get to keep marks for a very long time so this might actually not be required).

Not get a direct connection from within a host, only from physical connection, mean that you no longer can interact with devices out on the grid from within a host. Also you will screw over TMs that by RAW can't establish a physical connection. This would be a bad idea (tm).

[SlugShaman]

Not get a direct connection from within a host, only from physical connection, mean that you no longer can interact with devices out on the grid from within a host. Also you will screw over TMs that by RAW can't establish a physical connection. This would be a bad idea (tm).

Not give you a direct connection from within a host mean that you can't interact with the device (whose icon is located out on the grid). Also,  forcing a physical connection in order to bypass host ratings mean that a technomancer have to fight host ratings for every single slaved device they want to control. From a balance perspective this is not even an option. You need to let go of that house rule....

To be honest, I don't know the Technomancer rules (no one I play with has, or is vaguely interested in them, so I never bothered).  I naturally assumed they *could* direct connect to something without a cable.  But, that small change is all that's necessary to balance that part.  Frankly, it's weird that they can't.

Regarding "interacting to devices from within a host", as I've stated, this is not RAW.  This is something you learned from someone related to the authoring.  But it if wasn't for that piece of knowledge, nothing I've ever read suggests devices can't be in a host, or seen or connected to from within it.  RAW wouldn't even need to change to solve this problem, just the interpretation of them.

So, to solve your problems, we need  a single change for TMs that should already be there.  I'm cool with that.  Why wouldn't anyone else be?

What rule change? Seem to have overlooked it or maybe it isn't really clear to me what you mean.

Oh, just the whole "Don't give out direct connections for a single mark on the Host".  Whether it requires two marks, or my personal opinion that it should require some physical connection somewhere in the WAN to fool the WAN into thinking you're a part of it.  The latter would bring about interesting gameplay.

One of the biggest complaints in the past was "Hey, I am gonna go out and get food, while you run that matrix bit" and SR5 has done very well to fix that.  Slug, your houserule that you mention seems like it will just take a step backwards, back towards that time when hacking was so slow, it needed to be done separately from the group.  OR, so slow (needing extra marks, extra connections) that it can't be done alongside the runners, because they will be moving faster than their hacker can hack.

How so?  Yes, if you need two marks on the Host, I guess that technically takes more time, but not *that* much more.  And using my rule of "You need to be connected to the WAN" forces either the hacker to direct connect (which most will already do to bypass Host ratings) or fight the Host ratings a little bit more (either two marks on the Host instead of one, or entering the host (1 mark) and marking a device w/o a direct connection (1 mark).  None of this slows the hacker down so much that he's playing a separate mini-game, nor slows him/her down so much he/she can't keep up with the rest of the group.

A street level campaign's hacker would certainly be a bit tougher, but that's kind of where I'm going with this.

I really don't understand where there can ever be a consequence-free Hack on the Fly.

If outside of the Host, very little can be done to you if you fail HotF.  You get a "mark", but that's useless to anyone but the Host spider, who is very likely not going to stop defending the Host just to come look for the "script kiddie" who just failed to enter the Host (if you can't even get inside, what kind of threat could you possibly be?).  And you don't get GOD on you unless you *really* failed that HotF trying to get into a *really* high level host.  Which is why it's nearly consequence-free.

Even counting your average schlub with a commlink.. your average guy on the street (Thugs and mouth breathers) don't have a point of edge to try using their commlink to hack.  You next step up, Gangers & Street Scum typically have 1 edge point between the group.. still not enough to reliably try hacking with a commlink. 

That example is operating under the assumption that we're talking about a person, not a "group" whose edge is combined purely for the ease of play.

Since decks are illegal, most common Hosts don't have to worry about people with Decks showing up.

Do they?  yeah.  Just like in the real world.  Guns are illegal, most convenience stores are uber-protected because of the chance someone might show up with a gun and rob them.  It happens, and sometimes they take extra steps, but usually, the robber robs them and gets away.  Until recordings are turned over, and the police get involved.

Decks aren't illegal, just restricted.  Second, clearly they do worry or they wouldn't prepare.  Also, guns aren't illegal, at least not in the US.  In fact, the fact that many convenience stores protect themselves from robbery by gun point is because of just how common guns are.  Go to a small convenience store in a small town, and even late at night, there's not a lot of precaution.  Go to a worse area, and you're talking to someone behind thick plastic.  People don't pay for protection they are very unlikely to ever need.

I'll say again that the presence of Spiders and IC proves hacking isn't that rare.  And remember, even if decks were strictly F(orbidden), a little tech savvy and a little Matrix searching and you could build (code?) one.  We'll likely be getting rules for that in a later source book (people always find ways to hobble together something if it saves them huge costs).

But, if that really concerns you, then simply implement this.  When you get a legal mark on a Host because it invited you, it sticks a mark on you.  if you remove that mark, you are immediately kicked from the Host.  So, non-criminal people in Hosts, that aren't trying to do criminal actions, don't have to worry, and if you have criminal intent, then you are that much easier to track, unless you acquired your mark illegally.

This is actually a really good idea.  It doesn't go that far in dealing with what I wanted to deal with, but it's at least a good idea for the seemingly silliness of Hosts inviting marks despite the security hole.  Thanks for this.

[Xenon]

You basically want to force deckers that actually does goes with the team to stop hacking devices on the fly from AR and instead remain unprotected and connected to one slaved device in a hostile facility while the team moves on.

And you want dedicated deckers with double digit dice pools that stay at their apartment and hack hosts remote to have a 50/50 risk of failure for every single device they want to control during the run.

Why don't you just say you don't want your players to roll hackers at your table and be done with it...?

Regarding "interacting to devices from within a host", as I've stated, this is not RAW.  This is something you ...

The book might be vague on the matter, i give you that.
That is the reason why we asked for clarification in the official FAQ thread.
(and since we also got a reply I don't understand why we are even having this debate... it is asked and answered)


You state that you don't get a direct connection to devices slaved to the Host you are in
(this is a house rule of yours, goes against RAW, make all devices inaccessible while in a host and screws over TMs)

You state that wireless devices no longer have an icon on the grid once you slave them to a host.
(this have been clarified to not be true, so this would be a house rule as well...)


There is nothing in the book that contradict the following three statements;
1) Wireless devices have an icon on a grid (SR5 p. 233 Grids on a Run).
2) From within a Host you cannot interact with device icons out on a grid (SR5 p. 246 Hosts).
3) You get a direct connection to devices slaved to the Host you are in (SR5 p. 233 PANs and WANs).

As if this would not be enough; it has even been clarified (several times) that slaved devices have their icon on a grid, not in a host. That you still can interact with device icons on a grid from within a host if (and only if) the device is slaved to the host.




Also,  it make little to no sense with the rule that you get a:
- mark on the host if you hack a mark on the device (if the device can only be hacked while you are already inside the host anyway)
- direct connection to devices slaved to a host (since you already have a connection to all icons within a host anyway)

... or entering the host (1 mark) and marking a device w/o a direct connection (1 mark).  None of this slows the hacker down so much that ...

Now you turned the decker from a valuable asset that will make the run much smoother by opening locks, turning off cameras, fetching elevators and turning off alarms into a liability since every single device he is about to hack will be opposed by double digits and even an experienced hacker will have a 50/50 risk of failure for every single device he is about to hack (and you might need to hack 20+ devices on a run).

While the B&E expert would still only be opposed by device rating x 2 dice to control them mechanically rather than wireless.

...you also house ruled away a fundamental game mechanic of the SR5 matrix protocol; that you can interact with any wireless device directly no matter where in the world it is located and without first hacking some sort of master "node"...

[SlugShaman]

You basically want to force deckers that actually does goes with the team to stop hacking devices on the fly from AR and instead remain unprotected and connected to one slaved device in a hostile facility while the team moves on.

And you want dedicated deckers with double digit dice pools that stay at their apartment and hack hosts remote to have a 50/50 risk of failure for every single device they want to control during the run.

Why don't you just say you don't want your players to roll hackers at your table and be done with it...?

If that's what you're getting from what I'm saying, I can see why you're fighting it so vociferously.  I never meant a constant physical connection.  I meant a single connection to trick the WAN.  Remember that I'm not writing a rulebook here.  Just showing there's a problem, the way I see it, and suggesting a solution.  Other people have suggested other solutions, too, which work better or worse depending.  But I, and as far as I know, no one else, ever wanted a constant cable running to every device.  Just something a bit more clever or involved than a single Host mark, which is crazy easy to get.

As for the hacker from home, there are numerous ways to not hack against Host ratings for every device.  Again, some way to trick the WAN into recognizing you.  Maybe a mark to get into the Host and a mark against host defenses on a device when in the network.  Or something else.  I'm open to whatever to circumvent the silliness as it stands.

The book might be vague on the matter, i give you that.
That is the reason why we asked for clarification in the official FAQ thread.
(and since we also got a reply I don't understand why we are even having this debate... it is asked and answered)

?  I don't understand why you think that an official declaration of RAI means that the rule could never change or shouldn't change?  Sure, okay, Aaron says that devices aren't in a Host.  That's fine.  I've pointed out that I recognize that multiple times.  But we're talking about a fictional technology here.  It could just as easily be that "Devices in a WAN are seen inside a host" without giving direct connections to every stranger.  That you learned the details of devices and Hosts doesn't change the problem I see.

You state that you don't get a direct connection to devices slaved to the Host you are in
(this is a house rule of yours, goes against RAW, make all devices inaccessible while in a host and screws over TMs)

You state that wireless devices no longer have an icon on the grid once you slave them to a host.
(this have been clarified to not be true, so this would be a house rule as well...)

I never stated these things don't happen.  I stated they shouldn't happen.  It's possible I used odd phrasing which confused you, but if I said something like "Joe Everyman can't get a connection just for visiting", I was referring to a hypothetical scenario.  I think we've well established what the RAW states on the matter.

Call it a "house rule" all you want, I'm allowed my opinions of what seems silly or unrealistic, and what I think might have eventually gone against the intention of the Matrix rules.  Keep in mind that authoring these kinds of things is beyond complex.  It's entirely possible that, through all the edits and intentions and revisions, the direct connection was meant for hackers but not meant for visitors, despite both having the same requirements (1 mark on Host).

... or entering the host (1 mark) and marking a device w/o a direct connection (1 mark).  None of this slows the hacker down so much that ...

Now you turned the decker from a valuable asset that will make the run much smoother by opening locks, turning off cameras, fetching elevators and turning off alarms into a liability since every single device he is about to hack will be opposed by double digits and even an experienced hacker will have a 50/50 risk of failure for every single device he is about to hack (and you might need to hack 20+ devices on a run).

You keep saying I intend for Host ratings to oppose every device.  I keep saying I never said that.  I feel like we're not meeting somewhere in terms of communicating accurately to each other.  Again, the suggestion I'm putting forward about the one-time link is a one-time link to the WAN.

...you also house ruled away a fundamental game mechanic of the SR5 matrix protocol; that you can interact with any wireless device directly no matter where in the world it is located and without first hacking some sort of master "node"...

I think what you're referring to here is my suggestion that you must enter a Host to hack the device?  If you don't think that's appropriate for 5th edition, it could easily be something else.  Someone suggested 2 marks on a Host.  Someone suggested all Host invites also request a mark on you to ensure no foul play.  My suggestion could easily just require both a mark on a Host and a mark on a device (in or out of the Host) to get the WAN privileges.  I didn't necessarily mean you had to enter the Host to even see the device, circumventing what you think is a fundamental game mechanic.  I just meant, say, having a mark on both the Host and the Device in order to gain the WAN privileges, while visitors only get a Host mark.  That would solve the problem nicely.

[Yinan]

Xenon, I fear that you're completely missing the point about what I am talking. At least your last post to me leads me to that believe.

Als I am saying is that I can that it is completely OK if the Hacker that stays at home or in some secluded place while his team is on the run in constant danger, should have a harder team doing his stuff, even if it's something easy like opening a maglock.

Yes, Locksmithin Skill will let you do it against something like 4 dice. The Hacker will have to deal with the Host, which might has Ratings of 6 and higher.
If he doesn't want that, he should simply come with the others on the run and directly connect to the device. Now he only has something like rating 2 to deal with, and when he get's the MARK he also gets one on the host, which means that he now has a direct connection to every device slaved to the host, which means that he never has to battle against the hosts rating.

I find that completely acceptable and even desirable, as being proficcient in more skills than just hacking might give you even more of an advantage. If you stay at home, well you have to deal with the consequenzes.


About the Throwbacks:
Yes, but the point is that the Hacker at home can't access it at all, because it has no connection to the Matrix. That makes it impossible for him to open that door, while any other character present there with a Lockpicking Pool of 6 dice or more might have an easy time with it.

[Xenon]

OK. So SlugShaman, you are only arguing various house rules. That changes everything.



So how do your proposed house rule work once i establish a physical direct connection to a device and hack a mark on it. From your last post it sound as if I am now free to remove the cable and automatically have a direct connection (ignore host ratings) to any other device in the same WAN as long as I keep the mark on the device.
- Do I even need to Enter the Host at all or do I now have a direct connection to all devices in the same WAN while on a Grid?
- Can I choose to hack a device on the Grid without a direct connection (fighting host ratings) and be considered directly connected to all devices in the same WAN?
- Do devices that are slaved to a host still have their icon on a grid or are you house ruling that they now vanish from their grid and only exist inside the host they are slaved to?



...does the whole house rule boil down to the fact some public hosts automatically invite people to take a mark...?
I thought we established that if this is a serious issue then the owner can just slave their security devices to a private security host rather than to their public host.



slipped by Yinan. Ill answer you next....

[Xenon]

...it is completely OK if the Hacker that stays at home or in some secluded place while his team is on the run in constant danger, should have a harder team doing his stuff, even if it's something easy like opening a maglock.

It IS harder for him since he have to place a mark on the host by fighting host ratings before he can open that maglock.

A local Corporate Host is rating 7-8 with matrix attributes that range from 7-11
For arguments sake let's assume that it is a rating 7 host with a firewall rating of 9.
To get a mark on the host he will be opposed by 16(!) dice.

This is a test that require a quite dedicated decker to pull off.  To set in perspective:
With a Logic of 7, Hacking 6, Hot-Sim and Cyberdeck for over 200k¥ he still have a >50% risk of alerting the host. Odds are he need to spend a point of Edge to make it.

Once fighting through the Host firewall he will be directly connected to all devices in the WAN and from now on things will be easier. But the time is ticking. Once his overwatch score get too high (due to time and/or because he caused too many ripples while hacking devices for his team) he will be forced to jack out. Now he need to fight the host firewall again(!)

If GOD manage to converge on him then it will report his physical location to the Grid owner as well as the Host owner. The Host will automatically get 3 marks on him, instantly be aware and start launching IC. Both G-Men from the Grid Division and a HTR team from the corporation will be sent to his apartment while the Shadowrun team is still on the run inside the facility unable to protect their deckers meat.

gg

If he doesn't want that, he should simply come with the others on the run and directly connect to the device...

Yes. I think we agree here that the "price" for this is that the decker will be exposed to potential gunfire and need to invest into physical stuff like sneaking, maybe a firearm skill, maybe some agility (or a cyberarm with agility) and reaction augmentations (which he also benefit when hacking from AR while moving with his team). Since he does not plan to ever fight host ratings if he can avoid it he doesn't really need to be a super skilled decker (a dice pool of around 8 dice is probably enough for most runs). This would be more of a hybrid hacker archetype. Maybe an Adept / Gunslinger / Decker or a Breaking & Entering Expert / Decker. Not really suited for pure pay data runs against high rating hosts...

Yes, but the point is that the Hacker at home can't access it at all...

Actually he can (but not without help). A member of the team on site can attach a data tap on the cable to the wired maglock and turn the data tap wireless ON. This let the decker at home hack the maglock by wireless matrix connection.

[SlugShaman]

OK. So SlugShaman, you are only arguing various house rules. That changes everything.

Kind of.  I'm saying that this point is weird, and that I strongly believe it wasn't intended at some point in the authoring process.  Entering a Host gives you direct connections to all devices is silly.  So, I'm open to house rules to fix what seems like a goof in the Matrix chapter.  Because we all know that the Matrix chapter is hardly the most clear or precise chapter in the 5th Edition.  It's not hard to imagine that, in the jumble that is that chapter of vague and weird rules, something goofy got in there that was never intended.

So how do your proposed house rule work once i establish a physical direct connection to a device and hack a mark on it. From your last post it sound as if I am now free to remove the cable and automatically have a direct connection (ignore host ratings) to any other device in the same WAN as long as I keep the mark on the device.
- Do I even need to Enter the Host at all or do I now have a direct connection to all devices in the same WAN while on a Grid?

Considering the spirit of the Matrix chapter really emphasizes how separate Hosts are from Grids, I would think it would be reasonable to require entering the Host.  I'm not just making crap up left and right.  I'm trying to sift through what the difference is between the spirit of the Matrix chapter and the "Letter of the law" rules-as-written.  I would be incredibly surprised if the RAW were exactly what was intended for every detail.

- Can I choose to hack a device on the Grid without a direct connection (fighting host ratings) and be considered directly connected to all devices in the same WAN?

I would think so, or your concerns about at-home hackers would be true.  That would suck for anyone running support in the van or at home.

- Do devices that are slaved to a host still have their icon on a grid or are you house ruling that they now vanish from their grid and only exist inside the host they are slaved to?

I dunno, does it matter?  You have said many times you can see them on the grid.  I don't see the problem with this.

...does the whole house rule boil down to the fact some public hosts automatically invite people to take a mark...?
I thought we established that if this is a serious issue then the owner can just slave their security devices to a private security host rather than to their public host.

The two Host rule makes sense in some ways.  I can see banks and big corps doing it commonly.  But I see two major problems with it:  it seems odd for literally every public host to have a separate private host in the background, and no matter what you keep saying, there has to be *some* sensitive devices on the public host that you wouldn't want people accessing easily. 

I reread the BK bank heist story, and the hacker definitely hacks files with marks on the devices and not the file icon.  Maybe it's a mistake, but it's in the book and it's pretty clear.  And it still makes sense, because files have to be stored in *some* device, and having ownership over that device must allow for *some* leeway with the files on the device.

After reading the story, I looked up the file related Matrix Actions.  Crack Protection requires a mark and uses the file's rating to defend, but the Edit File action requires a mark and uses the Host defenses.  That combined with the story leads me to believe that it's possible (but not assured) that you mark the file to break the protection but mark the device to edit the file.  If that's not true (which is possible) then the story is just wrong.

At the very least, the story, accurate or not, may explain why I've been having problems with the whole Two Hosts thing.  Even if the cameras and elevators are on the private host, the things the customers have to use would, by the rules in the story, leave open sensitive information and data.  Everyone who references the two hosts solution as viable seems to assume that "all the sensitive money stuff" would be hidden on a second host, but that seems virtually impossible to assure considering that the public host must access *something*.

[Namikaze]

The problem is that there are direct connections, Direct Connections, and DNI connections.

A "Direct Connection" as defined by the rules is a physical connection to something.  DNI is not being discussed, so I won't bother bringing it into the thread.  And then there are the direct connections that are achieved by getting a mark on a Host.  The direct connection that you get from having a mark on a Host is simply a...  path of sorts that allows a hacker to see all the devices that are slaved to the Host.  It doesn't allow the hacker to actually manipulate those devices necessarily.  At least, that's my interpretation of things.

[Xenon]

...it seems odd for literally every public host to have a separate private host in the background, and no matter what you keep saying, there has to be *some* sensitive devices on the public host that you wouldn't want people accessing easily. 

Just because you are in a host does not mean you can control all devices slaved to it.
Just because a device on the grid is not slaved to a host does not mean you can control it.

And why does there has to be some sensitive devices slaved to a public host...?

I reread the BK bank heist story, and the hacker definitely hacks files with marks on the devices and not the file icon.

Unfortunately the BK example have multiple errors in it (like cracking the file protection in the example is a sleaze action and just went sour because he failed while it is really an attack action and always attract attention but only when successful).

Thankfully both issues have been clarified (you put marks on the file and you cannot use sleaze actions to remove file protection).

If you want an example, then here is a better one SR5 p. 232 Example:
Tesseract needs to pick up a piece of data a Renraku sarariman has on his commlink, and he decides to go for a smash-and-grab. The target isn’t running silent, so he can see the file he wants, but it’s protected. He’ll need to crack the protection before he copies it, and both actions need a mark on the file. He starts with a Brute Force action on the file (which uses its owner’s ratings), getting four hits to the target’s two. He succeeds and gets a mark on the file, but he also gets an Overwatch Score of two since the file’s owner got two hits. Next he attempts a Crack File action, again rolling four hits...

Crack Protection requires a mark and uses the file's rating to defend, but the Edit File action requires a mark and uses the Host defenses. 

The file protection have a rating of its own no matter if the file is stored in a device or in a host.
Files does not have ratings of their own. They use ratings of their owner (if on a device) or the Host (if stored in a host).
Just because you have a mark on the host does not automatically mean you can start to copy all files in the host....
You need a mark on each individual file you want to edit. Just having a mark on the device or host is not enough (or even needed)

...but that seems virtually impossible ...

Think of a host as a homepage.
The public host is your regular http://www.homepage that display various information and pictures. public information. Anyone can surf to any bank's external public homepage without having an account there. Same thing really. Public hosts invite you to take a mark if you wish.

Your private host is when you normally access https:// which will require that you enter your credentials etc. This host does not invite you to take a mark just like that. You need credentials to enter this host. In the BK example he is accessing the bank’s heavily protected private host (indicating that there might also be a less protected public host). You will also notice that the pay data he is after is located in the same host as security devices are slaved to (and in SR5 p. 358 PANs and WANs we learn that host owners normally tries to only slave devices they can physically protect)

And again, even if you gain access to the private host you still can't read files or control devices slaved to it without proper authorization (or bending of the matrix). Same as you can't control devices out on a grid even if it is not slaved to a host, or if you have a direct connection to it because it is slaved to the host your are in or if you connect the device you formed your persona on directly to it's universal data connector. You still need marks on it (and you normally can't get marks on a device you don't own or have authorization to use unless you have a cyberdeck and is skilled in hacking or cybercombat)

[SlugShaman]

Just because you are in a host does not mean you can control all devices slaved to it.
Just because a device on the grid is not slaved to a host does not mean you can control it.

Yes, yes, I know, we've discussed it.  But I think you minimize just how nice that link is.  It allows you to have the lack of protection of something on the grid while also having the lack of noise of something in a host.  Really, a device in a Host, barring the single Host mark you need, is less protected than devices on the grid.  You trade noise for a single Host mark, some of which are given.

And why does there has to be some sensitive devices slaved to a public host...?

Because the user must interact with devices to get the functionality of a store, or a bank or what-have-you.  Maybe the store's camera is private, but the system to take and process transactions must be on the public one.   I guess you could say that somehow, the Host has files that can be accessed while the devices that store and process those files are on the private host, but the further you dig into this functionality, the more it seems like it would be a pain to deal with as a business.  And some devices would just have to be public.  The SIN checker for the store, for example.  I guess you can keep saying "No, that's on private hosts, too", but it seems both unrealistic and inconvenient that every device you have, no matter how useful to the user, is stuffed into a private host.  At this point, I think it'd be easier to just use as a defense "Who cares?  Let IC deal with it."

Unfortunately the BK example have multiple errors in it (like cracking the file protection in the example is a sleaze action and just went sour because he failed while it is really an attack action and always attract attention but only when successful).

That's unfortunate, because much of my understanding came from that story, as the rules in other sections are very stark and lack context.  The bank story gave some context for why icons were important, how marks worked, and the like. 

Still, it's hard for me to believe that having marks on a device, which allow you to reformat the boot drive (!!!) don't also allow you to copy files.  That's just as silly as the direct connection thing.  Device marks let you drive drones, jump into rigged drones, watch video feeds, reformat boot drives, reboot devices, but don't let you copy a song or a text file.  =|   

Actually, through RAW, you could just mark a device that processes transactions (bank tellers comm/computer, Shack's cred register) and Snoop it to get all the info you want, never marking a single file.  That's with 1 device mark (or persona mark) and no file marks.

Think of a host as a homepage.
The public host is your regular http://www.homepage that display various information and pictures. public information. Anyone can surf to any bank's external public homepage without having an account there. Same thing really. Public hosts invite you to take a mark if you wish.

Your private host is when you normally access https:// which will require that you enter your credentials etc. This host does not invite you to take a mark just like that. You need credentials to enter this host. In the BK example he is accessing the bank’s heavily protected private host (indicating that there might also be a less protected public host). You will also notice that the pay data he is after is located in the same host as security devices are slaved to (and in SR5 p. 358 PANs and WANs we learn that host owners normally tries to only slave devices they can physically protect)

Actually, now you're talking about three Hosts.  1 public, 1 private for customers, and 1 private for employees and security.  Otherwise, we're back to "nearly free" invites if all you need is to be a "customer" to get access to all of the cameras and alarms.  (Fake) SIN and small deposit is closer to Stuffer Shack free than "trusted and background checked employee" protected.

[Agonar]

One of the biggest complaints in the past was "Hey, I am gonna go out and get food, while you run that matrix bit" and SR5 has done very well to fix that.  Slug, your houserule that you mention seems like it will just take a step backwards, back towards that time when hacking was so slow, it needed to be done separately from the group.  OR, so slow (needing extra marks, extra connections) that it can't be done alongside the runners, because they will be moving faster than their hacker can hack.

How so?  Yes, if you need two marks on the Host, I guess that technically takes more time, but not *that* much more.  And using my rule of "You need to be connected to the WAN" forces either the hacker to direct connect (which most will already do to bypass Host ratings) or fight the Host ratings a little bit more (either two marks on the Host instead of one, or entering the host (1 mark) and marking a device w/o a direct connection (1 mark).  None of this slows the hacker down so much that he's playing a separate mini-game, nor slows him/her down so much he/she can't keep up with the rest of the group.

A street level campaign's hacker would certainly be a bit tougher, but that's kind of where I'm going with this.

Any extra roll that is required where one wasn't needed before adds time.  Throw in failures, and something that might have needed 6 Matrix Rolls might now need 9 because of the extra requirements.  If a Hacker is alongside the group, then most likely he's not going to have as many as the combat monkeys, which means a lot of time spent waiting for the Decker to try to get these extra marks, so that he can do what he should be able to do with fewer rolls.

There was a Technomancer in my game, and even when he was VR and had a wicked Initiative score, by the time he succeeded in most combat-useful matrix actions (like hacking the nearby water cannon or street corner cameras, disabling weapons, cybereyes, etc.) the combat was already over.  Require even more rolls (even 1 more Mark before they can get in on the action) and it's just that much more discouragement for a Hacker to even try anything alongside his team.  And when you have the Street Sam just "waiting" through 2 or 3 of his actions until the Hacker can finally get enough marks to start trying to open the door, you have more than just a frustrated decker at this point.

I really don't understand where there can ever be a consequence-free Hack on the Fly.

If outside of the Host, very little can be done to you if you fail HotF.  You get a "mark", but that's useless to anyone but the Host spider, who is very likely not going to stop defending the Host just to come look for the "script kiddie" who just failed to enter the Host (if you can't even get inside, what kind of threat could you possibly be?).  And you don't get GOD on you unless you *really* failed that HotF trying to get into a *really* high level host.  Which is why it's nearly consequence-free.

Yes, but this takes time.  If my group is depending on me to get a mark on something, and 2 minutes later, I am still Hacking > Failing > Rebooting..  there's consequences there.  Security is catching up to my Runners, someone is seeing them on security Trid, something.  Even if I am having no negative consequences because I am rebooting every time, something is happening.  And really, if I were a spider, and kept getting alerts of someone failing to hack me, and rebooting, I would start looking for that person.  I wouldn't just ignore them and let them try for hours and hours without consequence.

Even counting your average schlub with a commlink.. your average guy on the street (Thugs and mouth breathers) don't have a point of edge to try using their commlink to hack.  You next step up, Gangers & Street Scum typically have 1 edge point between the group.. still not enough to reliably try hacking with a commlink. 

That example is operating under the assumption that we're talking about a person, not a "group" whose edge is combined purely for the ease of play.

In my game, the PCs average about 2.5 Edge.  So even assuming a person, they won't get to try many times, and each attempt means one less point of Edge that could have been useful down the line.

Since decks are illegal, most common Hosts don't have to worry about people with Decks showing up.

Do they?  yeah.  Just like in the real world.  Guns are illegal, most convenience stores are uber-protected because of the chance someone might show up with a gun and rob them.  It happens, and sometimes they take extra steps, but usually, the robber robs them and gets away.  Until recordings are turned over, and the police get involved.

Decks aren't illegal, just restricted.  Second, clearly they do worry or they wouldn't prepare.  Also, guns aren't illegal, at least not in the US.  In fact, the fact that many convenience stores protect themselves from robbery by gun point is because of just how common guns are.  Go to a small convenience store in a small town, and even late at night, there's not a lot of precaution.  Go to a worse area, and you're talking to someone behind thick plastic.  People don't pay for protection they are very unlikely to ever need.

I'll say again that the presence of Spiders and IC proves hacking isn't that rare.  And remember, even if decks were strictly F(orbidden), a little tech savvy and a little Matrix searching and you could build (code?) one.  We'll likely be getting rules for that in a later source book (people always find ways to hobble together something if it saves them huge costs).

As per page 419  "Items are classified as legal, restricted (R), or forbidden
(F)."
Restricted is still illegal without a proper License, otherwise, it would be in the "Legal" category.  So, in a law-abiding situation, Someone would walk into Stuffer Shack, and the Clerk might notice the deck slaved to his PAN, then he might check to see if he was broadcasting his SIN..check to see if there was an appropriate license for it, or whether the guy looked a little shady.

[Malevolence]

I think that when Data Trails comes out there will be the option for partitioning of hosts that will be for all intents and purposes multiple hosts. Virtual hosts, if you will.

But until then, I think it is safe to assume that any reasonably sized corp runs multiple hosts - secret projects get their own hidden (running silently) hosts, public access gets their own host(s), and the day to day business operations gets its own host that the sararymen use. Security for each facility (or all facilities in a geographic area) would also likely be provided its own host.

The problem with having security on its own host (from a game play perspective) is that the maglocks or cameras that your decker is supposes to use to bypass host defenses would also not be the host that the pay data files are in - it would have the video feed files and other security related stuff (so if you were looking for access logs to the facility, this would be the place). So, this isn't all bad - you would just have to jack into the desk phone or computer in some sararyman's office instead, or other such device, if you were after pay data that would be associated with the day to day operations of the corp.

In a secret facility, the security and research files might be on the same host to save resources/time or to reduce the overhead in order to maintain secrecy. Or it can be broken out, depending on how difficult the GM wants to make things for the decker.

Files would not need to be on separate devices they are on the host. It is a matrix, a data repository, and a kind of "super device" all rolled into one. It has no matrix damage track and cannot be attacked other than to place marks on it (and this only from outside - once inside you can only get marks on it by marking devices or IC).

In short, only personas (including your agent if yo have one), programs, and files exist within a host. When you enter a host, your device icons stay where they were. By default, this is their actual location in meat space, but I doubt there is anything preventing you from putting them wherever you want (other than inside a host, and presumably multiple icons can't occupy the same location on most grids). Icon location is not tied in any way to real location, other than for convenience. The book doesn't explicitly stay that your device icons can be moved arbitrarily, but if they couldn't, being spotted in the matrix would give your physical location away, obviating the need for a trace icon action. Note that you would still need to run silent as parts of matrix perception is based on real world distances - the 100 meter limit. So your device icons could be spotted via matrix perception without a roll if within 100 meters and not running silently and a single hit would reveal their presence as hidden icons within a 100 meters, but the location of the icon when spotted would not give away your exact physical location.

In any case, the publicly accessible hosts (those that invite marks - and I do like the house rule that they mark you back unless you obtain the mark illegally) would not slave any devices to them that have sensitive data. Your bank host would have personas using the send message matrix action to interact with the devices that are on the private host, providing the needed layer of separation. The virtual environment inside a host could emulate devices as part of its decor, so you could have trid screens and cash registers, but they would not necessarily have to be real devices. The host emulates the device and as a non-device icon protected by the host, it would have the hosts stats if you tried to mess with it.

In a smaller corp (like independently owned Stuffer Shacks) where resources are tight, having security devices on the same host as the public system is not all doom and gloom either. Sure, you could bypass the host rating to hack the security camera, but you could do the same from within the building. Patrol IC would be watching for malicious behavior just like a security guard. The risk in hacking a device while inside a host is similar to the risk of doing it outside - other personas could certainly notice and the IC could as well. So, you run silent inside the host and hack the device, or you stealth through the building and physically connect to the device to hack it. Same general level of difficulty and effort and the chance to spot you and deter the attempt is roughly equal.

Getting caught at one over the other DOES have a different set of consequences, of course. In the meat world, you have to talk, run, or fight your way out of it. In the host, you can jack out or you can hide and/or fight. If you have an unlimited amount of time, the matrix can be much safer. But just because you jacked out doesn't mean that the host has suddenly given up on you. It is safe to assume that the host will be on high alert for at least a few minutes, if not an hour or more - deploying more and more IC. The security spider will show and likely hang around for a while. The G-Men will likely get involved, investigating the issue and perhaps finding you in meatspace even if your OS didn't result in convergence. ("The G-men investigate cases that aren’t lengthy enough or blatant enough to leave sufficient ripples for the demiGODs to track through standard overwatch alone.").  So, it isn't exactly risk free (though the core book only describes the G-Men in passing, so it is really up to the GM to make them as dangerous or mild as they feel is appropriate).

The only thing that confuses me about this is that on p246 it states that you cannot SEE or interact with an icon outside the host, which either makes a host very different from a mini-Matrix (like the claim) or violates (as in it is more specific and therefore overrides) the rule on p235 that "You can always keep track of your marks, so you can spot an icon you have a mark on without a test, no matter the distance". Spotting is not interacting, and on p246 they don't specifically restrict you from seeing icons inside a host when you are outside (only from interacting with them).

[SlugShaman]

Any extra roll that is required where one wasn't needed before adds time.

I narrowed the rule down a bit better to "Need a mark on a device in the WAN and the Host".  This is basically what's going to happen in RAW.  You either go against Host ratings once or physically connect.  With the rule change, it's the same thing.

There was a Technomancer in my game, and even when he was VR and had a wicked Initiative score, by the time he succeeded in most combat-useful matrix actions (like hacking the nearby water cannon or street corner cameras, disabling weapons, cybereyes, etc.) the combat was already over.

Really?  You sure he wasn't forgetting something basic?  That close, unless you're dealing with huge Noise from Spam or Static, that's a pretty easy mark and a pretty easy Control Device.  Unless you mean that the combat just lasted a single turn through good shooting.

Restricted is still illegal without a proper License, otherwise, it would be in the "Legal" category.  So, in a law-abiding situation, Someone would walk into Stuffer Shack, and the Clerk might notice the deck slaved to his PAN, then he might check to see if he was broadcasting his SIN..check to see if there was an appropriate license for it, or whether the guy looked a little shady.

Do you really think a Stuffer Shack employee is going to be able to tell a deck from a comm, and checks licenses?  This may be standard fare for your games, but I would never have assumed anyone but law enforcement would check licenses because it's no one else's business.  I mean, I agree if they did notice, they might watch you closely or put an AR flag on you for the cameras to keep closer track of, but beyond acting a bit suspicious of you, not sure they could do much more.  And that's a big "if" regarding noticing.

So, you run silent inside the host and hack the device, or you stealth through the building and physically connect to the device to hack it. Same general level of difficulty and effort and the chance to spot you and deter the attempt is roughly equal.

While you technically could have Matrix and physical security in the two situations, I'd way rather get "caught" by a Patrol IC than getting caught jacking in to the cred register with a cable.  Those two situations, to me, are not comparable.

The only thing that confuses me about this is that on p246 it states that you cannot SEE or interact with an icon outside the host, which either makes a host very different from a mini-Matrix (like the claim) or violates (as in it is more specific and therefore overrides) the rule on p235 that "You can always keep track of your marks, so you can spot an icon you have a mark on without a test, no matter the distance". Spotting is not interacting, and on p246 they don't specifically restrict you from seeing icons inside a host when you are outside (only from interacting with them).

I assume it's the same exception given for interacting with devices with a physical connection.  Clearly the "Host is separate" thing is not a hard and fast rule and has a few exceptions.

[Namikaze]

Do you really think a Stuffer Shack employee is going to be able to tell a deck from a comm, and checks licenses?

Yes.  A cyberdeck and a commlink look completely different.  It's the difference between carrying a keyboard and a cell phone.  As far as the "checks licenses" bit - that's a maybe.  Bear in mind that Stuffer Shack is a wholly owned subsidiary of Aztechnology.  And corporate drones, even at the bottom rungs, are given privileges that the non-corporate citizens are not given.  Therefore, there's a degree of expectation from these employees.  Stuffer Shack might be dull, and it might be devoid of anything resembling happiness.  But it's still corporate and the employees there are still corporate.

This may be standard fare for your games, but I would never have assumed anyone but law enforcement would check licenses because it's no one else's business.  I mean, I agree if they did notice, they might watch you closely or put an AR flag on you for the cameras to keep closer track of, but beyond acting a bit suspicious of you, not sure they could do much more.  And that's a big "if" regarding noticing.

Assumptions should never be made, especially if you could get jail time if those assumptions are wrong.