Hacking Procedure Questions

Typhus

« on: <04-15-21/0321:46> »
I'm building myself a walkthrough of hacking procedures, since the CRB doesn't offer one.  I have some questions after trying to puzzle out some basics.

Finding Stuff In Hosts
(1) When I sleaze into a host and get my Admin access, what can I see and how do I find things other than files?
(1a) If I am looking for a file, I get that I would use the Hash Check action.
(1b) If I want to find the elevator my team is in, do I just find that device automatically because access rights? It seems like Matrix Perception would reasonably be needed here?  But I am an Admin, no?  Can’t I just tell the system to show it to me?
(1c) If I want to use the Snoop action, do I also have to roll to locate the feed I want?  A host potentially has a lot of traffic to sort through. 
(1d) Am I also automatically aware of any IC that is active, or do I have to locate that also? 

(2) Assuming an MP roll is needed, would each of these always need a separate roll, or would one roll find everything out if I know what I am looking for from the gate?

It seems reasonable to need at least one roll per “thing” you want to find.  Am I in "GM's call" territory here?  Seems like there should be a standardized expectation, but I can't find anything direct.

Using IC
(1) Presumably, most typical corp hosts have Patrol IC already running.  Assuming that you didn't Brute Force your way in, what constitutes “detection” to trigger the Patrol IC to launch additional IC programs? Is it only the case of the Patrol IC's MP check?  Or is that up to me as the GM?  Can the system or the IC auto-detect Matrix Attacks or Cybercombat?  There's no clear intent or examples here. 

(1a) How should Patrol IC respond when a device network goes down or stops responding (due to haxx)?  It seems like it's mostly a system nanny, so it seems that would at least trigger a new active MP test?  Or is that all up to the GM based on their idea of how system security would be pre-programmed?

(2) When I first sleaze in, how does that work with active Patrol IC? 
As written, Hide appears to be a post detection action, not a pre-detection action.  It seems like if you Sleazed in, you would be considered to be entering in running silent mode.  However, since the Patrol IC is active, you would  immediately need to roll your W+S vs its MP, to see if it sees you.  If it fails, you are good for 1 minute, at which time it rerolls, and may spot you.  If it ever wins, you are in trouble, as it will start launching IC right away.  Plus any other cases that might constitute "detection".

(3) Can IC run silent?  Seems like it could? 

Thanks in advance!

Aria

« Reply #1 on: <04-15-21/0654:59> »
Have you looked at Banshee’s guide: https://docs.google.com/document/u/0/d/1DYgYXlKQ5XUG_3R4aDbaTTcm5XeYfdjf6Kqlop1J72k/mobilebasic

Lots of useful stuff there!
Excel Cha Generators <<CG5.26>> & <CG6.xx> v36

Stainless Steel Devil Rat

« Reply #2 on: <04-15-21/1127:27> »
Quote
I'm building myself a walkthrough of hacking procedures, since the CRB doesn't offer one.  I have some questions after trying to puzzle out some basics.

I'd also recommend this thread as well.

With respect to your specific questions:

Quote
Finding Stuff In Hosts
(1) When I sleaze into a host and get my Admin access, what can I see and how do I find things other than files?
(1a) If I am looking for a file, I get that I would use the Hash Check action.
(1b) If I want to find the elevator my team is in, do I just find that device automatically because access rights? It seems like Matrix Perception would reasonably be needed here?  But I am an Admin, no?  Can’t I just tell the system to show it to me?
(1c) If I want to use the Snoop action, do I also have to roll to locate the feed I want?  A host potentially has a lot of traffic to sort through. 
(1d) Am I also automatically aware of any IC that is active, or do I have to locate that also? 

1- essentially, GM discretion/depends on circumstance. There's essentially infinite possibilities on what hosts can look like.  Even physically impossible environments (escher staircases and whatnot) are possible in virtual reality.  More to your question: how hard things are to find is a matter ALSO up to GM discretion.  Consider a physical world analogy to some office. Is it neatly organized with filing cabinets all neatly labeled as to what is contained within? Is it a crazy scientist scenario where everything is covered in loose papers and bizarre equipment and nothing is labelled, because the office owner "knows where everything is"?
1a- correct. For example, you might want to edit out your footprints in the security logs towards the end of your hack.  You know they must exist, but unless you have reason to know exactly where they're kept (this will be a question of GM fiat, or potentially a question of what homework/research the hacker did prior to hacking) it's the higher threshold.
1b- Completely GM fiat.  Are we talking about an Arcology host where THOUSANDS of elevators are in play?  Are we talking about having User access where a security elevator might be "visible" only to special (admin access) personnel? Is the elevator even controlled by this host, or by a nested or connected one? It should probably be easily evident for smoothness of game play, but there are plenty of perfectly valid reasons why it might require some additional snooping/research.
1c- same answer as 1b.
1d- Patrol IC is the SR equivalent of captcha verification "USER! Click this box to verify you're not a hostile script" and therefore can be obnoxiously obvious...

As for combat IC that is launched in response to an alert running silent: see below for thoughts on that. (spoiler: generally, I recommend ignoring the potential for them to run silent)

Note that having Admin access is NOT the same thing as being an Admin.  For example, just because you've hacked Admin access it doesn't mean you can do everything a true admin can do, like stand down an alert, or tell IC to despawn.


Quote
(2) Assuming an MP roll is needed, would each of these always need a separate roll, or would one roll find everything out if I know what I am looking for from the gate?

It seems reasonable to need at least one roll per “thing” you want to find.  Am I in "GM's call" territory here?  Seems like there should be a standardized expectation, but I can't find anything direct.

Yep, if the GM decides that the "thing" you're looking for is going to not be immediately apparent, then either a Matrix Perception or a Matrix Search is going to be in order.  Note that there's a significant time difference between the two, so only make someone "search" a host if it's truly appropriate. Arguably: a Hash check could be used in place of a Matrix Search for a type of icon that's only one of hundreds or thousands controlled by that host, when you need to pinpoint one specific icon/data stream.

Quote
Using IC
(1) Presumably, most typical corp hosts have Patrol IC already running.  Assuming that you didn't Brute Force your way in, what constitutes “detection” to trigger the Patrol IC to launch additional IC programs? Is it only the case of the Patrol IC's MP check?  Or is that up to me as the GM?  Can the system or the IC auto-detect Matrix Attacks or Cybercombat?  There's no clear intent or examples here. 

Complete GM fiat. I know that doesn't help... but it is what it is.  The following may help:
edit: Cybercombat is always obvious.  You might still be successfully hidden, but Data Spikes and Tar Babies and similar Technomancer shenanigans are always immediately obvious even when the source isn't.  Do either of those, and I'd say that's an easy "host goes on alert" rule.

Quote
(1a) How should Patrol IC respond when a device network goes down or stops responding (due to haxx)?  It seems like it's mostly a system nanny, so it seems that would at least trigger a new active MP test?  Or is that all up to the GM based on their idea of how system security would be pre-programmed?

I'm not sure I understand the question.  Patrol IC's game mechanic function is to execute Matrix Perception rolls.  Success = host goes on alert.  The way it's worded on pg. 187 it essentially tests once every minute, although in prior editions it'd test against the player character hacker more or less often based on how busy (or not) the host was.  1 minute is basically a good rule of thumb, but I'd add a caveat to feel free to potentially modify the increment up for a particularly low security host or down for a particularly high security host. 

Ok, so what IS the threshold the Patrol IC must hit in order to "know" the player character is hacking the host?  You guessed it: GM fiat.  Now the GM SHOULD give weight to the character's actions and test results, of course.  A decent rule of thumb might be to ask the hacker to defend against the Matrix Perception roll every minute, and use that result to determine the success or failure for the Patrol IC.  Of course, the more impactful the actions the intruder is taking, the lower the threshold should be for the Patrol IC to "notice something is wrong" and so you can also/instead have the Patrol IC roll against a static threshold (see Threshold Guidelines on pg 36 to establish what that value should be, based on how "obvious" it is that something's wrong in your specific circumstance).  Also note that Spider(s) should also be present, and as people they're a bit smarter about noticing anomalies than computer programs are.  When a security spider notices something wrong is even more so a matter of GM fiat.

TL;DR: the Patrol IC mechanic is more or less simply meant to work in concert with Overwatch Score to prevent a hacker from having infinite time to execute a hack inside a host.  You eventually trigger an alert if you're indefinitely present.

Quote
(2) When I first sleaze in, how does that work with active Patrol IC? 
As written, Hide appears to be a post detection action, not a pre-detection action.  It seems like if you Sleazed in, you would be considered to be entering in running silent mode.  However, since the Patrol IC is active, you would  immediately need to roll your W+S vs its MP, to see if it sees you.  If it fails, you are good for 1 minute, at which time it rerolls, and may spot you.  If it ever wins, you are in trouble, as it will start launching IC right away.  Plus any other cases that might constitute "detection".

Hide, Backdoor Entry, and Running Silent are all distinct concepts, even though there are some relationships between them.

If you are in the host, generally speaking you appear at first glance to be a legit user. So you really don't even HAVE to be running silent.  The legit employees and legit customers using a host aren't running silent, so why do you set off an alarm simply for NOT running silent?  You don't.  That's why Patrol IC exists: to interrogate users and discern who's legit and who's a hacker.  Now, CAN you be running silent?  Sure.  But in the context of Patrol IC and host alerts, it's essentially a non-sequitur.  It literally doesn't matter.  Patrol IC will know "something's up" just as fast whether you're running silent or not. Granted, running silent COULD matter, if cybercombat ensues! 

Of course if you Brute Force your way in, absolutely go in Running Silent because the host will immediately be on alert the moment you're in.

Quote
(3) Can IC run silent?  Seems like it could? 

This is a question with a very arcane answer.  It's a lot more complex than one might expect on the surface of such a simple question.

Short answer:  I'd say it's a best practice to just have IC NOT running silent.

Longer answer:
This is already a long post.. so I'm not going to go fully into this... but:
1) There's a lot of inertia from 5e in the 6e matrix rules, even when not explicitly stated it's still factoring in on the assumptions
2) To update a 5e maxim for 6e rules: "Access now flows DOWNSTREAM as well as upstream". This means you can "see" the icons at your access level
2a) you might use this for IC to be considered "running silent" from hackers who only have User or Outsider access, but not from hackers who've achieved Admin access
3) adding real-life table time to have to spot IC is IMO a generally bad idea. It just complicates and prolongs cybercombat by adding another step to execute.

Quote
Thanks in advance!

YW!
« Last Edit: <04-15-21/1130:31> by Stainless Steel Devil Rat »
RPG mechanics exist to give structure and consistency to the game world, true, but at the end of the day, you’re fighting dragons with algebra and random number generators.

MercilessMing

« Reply #3 on: <04-15-21/1147:08> »
Yeah, as improved as 6e is on Matrix stuff it's clear that it still has a ways to go. 
Quote
(1b) If I want to find the elevator my team is in, do I just find that device automatically because access rights? It seems like Matrix Perception would reasonably be needed here?  But I am an Admin, no?  Can’t I just tell the system to show it to me?

Unfortunately like a lot of 6e most of this is "GM call".  The guidelines for when to use Matrix perception are:
when something is hidden from you
when you want more information about a specific icon

So it's up to the GM to decide when things count as hidden from you.  I think the general consensus around here is that most things do not require a perception check. 
Personally, I think if you could find it with a simple search function, you don't need a perception check.  Hash Check, you notice, isn't for finding any file, it's specifically for finding a file that's encrypted without decrypting it first. 
From that I would GM rule that if you're looking for an unencrypted file, and you know what you're looking for, you don't need to test.  Or if you like, you need to take an action but not a test.

Xenon

« Reply #4 on: <04-15-21/1343:43> »
Quote
(1) When I sleaze into a host and get my Admin access, what can I see and how do I find things other than files?

So, unlike previous edition, in this edition you don't just have Admin access on the Host Icon itself. No matter if you use Brute Force to violently enter through the front door of the Host or if you probe the host and exploit a backdoor into the host you will have access on the entire network. All files stored in the Host. All devices connected to the host.



Quote
(1b) If I want to find the elevator my team is in, do I just find that device automatically because access rights?

You are already an admin in the entire network, including the elevator. Icons that you have access on cannot hide from you. They can't run silent to avoid detection. As long as you have access on the network they can't even hide from you with the illegal Hide Matrix Action.

Rather than finding the elevator your team is in you just take your action (typically this would be Spoof Command if you wish to just send it to a specific floor as a one shot action or Control Device if you wish to control it during a longer period of time) on the elevator itself.

Matrix in this edition is fast to resolve and has excellent action economy.



Quote
(1c) If I want to use the Snoop action, do I also have to roll to locate the feed I want?

Think of a scene from Mission Impossible where they get access to all camera feeds at once...



Quote
(2) Assuming an MP roll is needed, would each of these always need a separate roll, or would one roll find everything out if I know what I am looking for from the gate?

Matrix Perception in this edition is almost always resolved just like Regular Perception


Just like regular Perception, you typically don't need to take a matrix perception test to spot individual devices that are not trying to hide from you. This is a difference from previous edition where you typically had to take a matrix perception test to spot each individual icon before you could interact with them. Spotting things that are trying to hide is in this edition also resolved as a minor action if you are using a cyberdeck and/or cyberjack or a living persona.

Just like regular perception, if you want to know more about a specific icon then you spend an Observe in Detail action on that specific icon (this part is also similar to how it used to work in previous edition).


Example 1, regular perception: Sammy the street samurai is paranoid and checks if there might be any ninjas lurking in the shadows. This would be resolved with a Perception + Intuition test and if there had been any ninjas lurking in the shadows then they would all have opposed the test with their Stealth + Agility (you don't spend one action for each character you want to find). Sammy didn't find any ninjas. This might be because there were no ninjas lurking in the shadows or because he failed the opposed test against all of them. Sammy is allowed to Try Again, but when circumstances have not changed he will take a negative dice pool modifier of 2 dice. Taking a significant break, for example 1 minute, resets the dice pool.

Example 1, matrix perception: Xenon the decker is paranoid and checks if there might be any hackers lurking in his PAN. This is resolved as an Electronics + Intuition test and if there are any hackers lurking in his PAN then they all get to oppose the test with their Willpower + Sleaze (you don't spend one action for each PAN you want to find). That Xenon doesn't find any hackers might be because there are no hackers in his PAN or because he failed the opposed test against all of them. Xenon is allowed to Try Again, but when circumstances have not changed he will take a negative dice pool modifier of 2 dice. Taking a significant break, for example 1 minute, resets the dice pool.


Example 2, regular perception: Sammy is walking up to a security checkpoint. The security guard that is not trying to hide is immediately obvious and doesn't require a test for Sammy to notice. Sammy also directly notices that the security guard has a rifle-like firearm on his back. If Sammy spends an action to Observe the rifle more In Detail he gets to take a perception test. With just a single hit he will notice that it is a Colt M23 assault rifle. With more hits he might notice more details. For example GM might judge that to spot if the safety is on or not requires 3 hits.

Example 2, matrix perception: Xenon is observing the same security guard, but from a Matrix point of view. The PAN of the security guard is not trying to hide (is not running silent) and, together with all its devices, is immediately obvious and doesn't require a test for Xenon to notice. Xenon also directly notices that one of the device icons is a firearm of sorts. If Xenon spends an action to Observe the icon more in Detail he gets to take a Matrix Perception test. With just a single hit he will learn that it is a Colt M23 assault rifle. With more hits he might notice more details. For example GM might judge that to spot if the safety is on or not requires 3 hits.


Example 3, regular perception: Sammy is getting shot by a hidden sniper. Sammy may spend an action trying to "spot the hidden sniper that is attacking me". This is resolved as an opposed Perception + Intuition vs. Stealth + Agility test. If successful then Sammy is allowed to for example fire back.

Example 3, matrix perception: Xenon is getting data spiked by a hidden hacker. Xenon may spend an action trying to "spot the hidden hacker that is attacking me". This is resolved as an opposed Electronics + Intuition vs. Willpower + Sleaze test. If successful then Xenon is allowed to for example data spike him back.



Quote
Assuming that you didn't Brute Force your way in, what constitutes “detection” to trigger the Patrol IC to launch additional IC programs?

Actions linked to Attack (such as Brute Force that you mentioned) are immediately obvious and will trigger the host to go on alert, it will start to launch IC and its Patrol IC will start looking for you specifically.

Unlike previous edition, in this edition hackers inside a host are obviously not legal users.
Unlike previous edition, in this edition hackers are assumed to always run silent when hacking a host.

If Patrol IC detects a hacker then it will immediately know that the hacker is an intruder and the Host will start to launch IC.

Author also suggested that Overwatch Score can be used to trigger different responses.
At OS 5 Patrol IC begins making perception checks every round
At OS 10 Tar Baby IC is activated
At OS 15 Blaster IC is activated
At OS 20 Spider is called in
For example



Quote
(1a) How should Patrol IC respond when a device network goes down or stops responding (due to haxx)?

Not sure I follow.

Crashing an entire network (host and all) is not really supported by the rules I think.
And if the host is shut down then so will its patrol IC.....

Same with a PAN. If you brick the device that the owner uses to access the matrix with then the entire PAN will go offline (and the owner might suffer dump shock if he happens to be in VR).



Quote
(2) When I first sleaze in, how does that work with active Patrol IC?

Granted you are running silent then you get to oppose its Matrix Perception test.
If you are not running silent then you will probably be automatically spotted.

Patrol IC will typically get to take a perception once per minute or so (but it can also be more often or less often than that). Doesn't need to be the second you enter the host and then exactly 60 seconds later...

Xenon

« Reply #5 on: <04-15-21/1405:30> »
Quote
If you are in the host, generally speaking you appear at first glance to be a legit user. So you really don't even HAVE to be running silent.

This was deliberately changed from previous edition (where this was indeed the case).
In this edition Host will immediately recognize hackers as illegal users and hackers are supposed to always run silent when hacking. Running silent in this edition also doesn't impose a negative dice pool modifier of 2 dice as it did in previous edition.

Typhus

« Reply #6 on: <04-15-21/1418:27> »
Thanks for all these great answers.  A lot to catch up on, but it mostly sounds like I have to take the basics and write my own rules on how I want things to work.  "If X do Y" sort of things, using the most logical existing mechanic to resolve unusual tasks or unclear situations.

My goal is a "Decking for New Players" guide, so I'm going to have to make some calls on what the default situations should look like I guess.  I may have more questions later where the above advice conflicts.

Thanks all!

Xenon

« Reply #7 on: <04-15-21/1420:49> »

Stainless Steel Devil Rat

« Reply #8 on: <04-15-21/1421:02> »
Quote
If you are in the host, generally speaking you appear at first glance to be a legit user. So you really don't even HAVE to be running silent.
This was deliberately changed from previous edition (where this was indeed the case).
In this edition Host will immediately recognize hackers as illegal users...

What makes you say this?  I can't recall anything that'd lead me to agree with the bolded portion being a true statement...

Quote
...and hackers are supposed to always run silent when hacking. Running silent in this edition also doesn't impose a negative dice pool modifier of 2 dice as it did in previous edition.

It may well be that in 6e you "should" always run silent when hacking.  Unless you can show me something I missed/overlooked, I'm still quite sure that so long as you're not taking any cybercombat-y actions, it literally doesn't matter if you're running silent or not (at least as far as Patrol IC is concerned).

And if we carry over 5e assumptions, there's actually a profound disadvantage to running silent: Anyone.. be it Patrol IC, security spider, or even Joe Wageslave... can execute a Matrix Perception on the host and ask "Hey, are any of the icons in this host running silent?".  This took all of 1 hit on an UNOPPOSED matrix perception test in 5e.  In 6e, the threshold to learn that info is "GM Fiat" rather than explicitly 1 hit, but it's still unopposed.  ergo: running silent can paradoxically cause the host to go on alert with absolutely no warning, and at any time.
« Last Edit: <04-15-21/1423:26> by Stainless Steel Devil Rat »

Xenon

« Reply #9 on: <04-15-21/1450:40> »
What makes you say this? 
Banshee’s Guide to the 6we Matrix
Yes Patrol IC knows you are an illegal user when they detect you.

Stainless Steel Devil Rat

« Reply #10 on: <04-15-21/1456:27> »
Which goes to what I was saying :D

Prior to the point that Patrol IC susses you out as an intruder, it didn't matter if you were running silent or not.

Xenon

« Reply #11 on: <04-15-21/1534:32> »
While the act of gaining a mark on the host was illegal in SR5, entering and being in the host - was not. As long as you change your icon to fit, act as you belong and don't do anything illegal you typically didn't have anything to fear even if Patrol IC checked you out specifically.

In SR5 you only needed a single hit on an unopposed matrix perception test to get aware of the fact that there are silent running icons in your host (as you mentioned - the presence of silent running icons was basically as obvious as a neon sign or a running crowd for regular perception). Then you used opposed matrix perception tests to spot them, one by one. But again, spotting a silent running persona didn't automatically mean that it was a hacker (perfectly legit users sometimes run silent and in 5th edition not even silent running hackers were immediately recognized as intruders).



In SR6 you instead roll Matrix Perception once. Compare hits to figure out how much you notice. Depending on how many hits you get and how good the targets are at hiding you might notice all, some or none of them. If a hacker is spotted in SR6 then he or she will be immediately recognized as an illegal intruder. Unlike SR5 he or she will not be considered an actual legal user (even if he might have User or even Admin Access on the network).

Stainless Steel Devil Rat

« Reply #12 on: <04-15-21/1536:45> »
I think it suffices to say Xenon that we're looking at the same materials and coming to different conclusions.

Typhus

« Reply #13 on: <04-15-21/1806:14> »

Typhus

« Reply #14 on: <04-15-21/1826:53> »
I think my "searching a host" house rule will leverage the Host Rating.  If there's any ambiguity on finding what you are looking for that isn't a file, you will need to make a Matrix Perception test.  The Host Rating will represent the degree of system complexity, and thus act as a threshold for the MP test, which I think could be handled as an Extended Test, with a 1 Major Action interval.  Otherwise, I would have things be automatic.  Matrix Search actions would be rare unless they made their way into a Data Haven or major corp archive or something.

As to Patrol IC, I think I will keep it visible and assumed always on as standard expectation in hosts.  If you ever don't see it, worry.  The assumption will be that if you sleazed in through the Backdoor, you start off hidden from the system.  After that, you are racking up OS and you don't know what the OS thresholds will trigger or when.

From there, I think I can use the guides on what causes an IC to investigate or alert or what have you.  Attack actions being automatic makes sense.  Investigating devices that crash and pinging live operators that something is now offline makes sense too.  Sounds like it's more of a "story first" mode, which is fine for me.  No wrong way to do it, just use the rules when you do the thing.