I'm building myself a walkthrough of hacking procedures, since the CRB doesn't offer one. I have some questions after trying to puzzle out some basics.
I'd also recommend this thread as well.
With respect to your specific questions:
Finding Stuff In Hosts
(1) When I sleaze into a host and get my Admin access, what can I see and how do I find things other than files?
(1a) If I am looking for a file, I get that I would use the Hash Check action.
(1b) If I want to find the elevator my team is in, do I just find that device automatically because access rights? It seems like Matrix Perception would reasonably be needed here? But I am an Admin, no? Can’t I just tell the system to show it to me?
(1c) If I want to use the Snoop action, do I also have to roll to locate the feed I want? A host potentially has a lot of traffic to sort through.
(1d) Am I also automatically aware of any IC that is active, or do I have to locate that also?
1- essentially, GM discretion/depends on circumstance. There are essentially infinite possibilities on what hosts can look like. Even physically impossible environments (Escher staircases and whatnot) are possible in virtual reality. More to your question: how hard things are to find is a matter ALSO up to GM discretion. Consider a physical world analogy to some office. Is it neatly organized with filing cabinets all neatly labeled as to what is contained within? Is it a crazy scientist scenario where everything is covered in loose papers and bizarre equipment and nothing is labelled, because the office owner "knows where everything is"?
1a- correct. For example, you might want to edit out your footprints in the security logs towards the end of your hack. You know they must exist, but unless you have reason to know exactly where they're kept (this will be a question of GM fiat, or potentially a question of what homework/research the hacker did prior to hacking) it's the higher threshold.
1b- Completely GM fiat. Are we talking about an Arcology host where THOUSANDS of elevators are in play? Are we talking about having User access where a security elevator might be "visible" only to special (admin access) personnel? Is the elevator even controlled by this host, or by a nested or connected one? It should probably be easily evident for smoothness of game play, but there are plenty of perfectly valid reasons why it might require some additional snooping/research.
1c- same answer as 1b.
1d- Patrol IC is the SR equivalent of captcha verification "USER! Click this box to verify you're not a hostile script" and therefore can be obnoxiously obvious...
As for combat IC that is launched in response to an alert running silent: see below for thoughts on that. (spoiler: generally, I recommend ignoring the potential for them to run silent)
Note that having Admin access is NOT the same thing as being an Admin. For example, just because you've hacked Admin access it doesn't mean you can do everything a true admin can do, like stand down an alert, or tell IC to despawn.
(2) Assuming an MP roll is needed, would each of these always need a separate roll, or would one roll find everything out if I know what I am looking for from the gate?
It seems reasonable to need at least one roll per “thing” you want to find. Am I in "Gm's call" territory here? Seems like there should be a standardized expectation, but I can't find anything direct.
Yep, if the GM decides that the "thing" you're looking for is going to not be immediately apparent, then either a Matrix Perception or a Matrix Search is going to be in order. Note that there's a significant time difference between the two, so only make someone "search" a host if it's truly appropriate. Arguably: a Hash check could be used in place of a Matrix Search for a type of icon that's only one of hundreds or thousands controlled by that host, when you need to pinpoint one specific icon/data stream.
Using IC
(1) Presumably, most typical corp hosts have Patrol IC already running. Assuming that you didn't Brute Force your way in, what constitutes “detection” to trigger the Patrol IC to launch additional IC programs? Is it only the case of the Patrol IC's MP check? Or is that up to me as the GM? Can the system or the IC auto-detect Matrix Attacks or Cybercombat? There's no clear intent or examples here.
Complete GM fiat. I know that doesn't help... but it is what it is. The following may help:
edit: Cybercombat is always obvious. You might still be successfully hidden, but Data Spikes and Tar Babies and similar Technomancer shenanigans are always immediately obvious even when the source isn't. Do either of those, and I'd say that's an easy "host goes on alert" rule.
(1a) How should Patrol IC respond when a device network goes down or stops responding (due to haxx)? It seems like it's mostly a system nanny, so it seems that would at least trigger a new active MP test? Or is that all up to the GM based on their idea of how system security would be pre-programmed?
I'm not sure I understand the question. Patrol IC's game mechanic function is to execute Matrix Perception rolls. Success = host goes on alert. The way it's worded on pg. 187 it essentially tests once every minute, although in prior editions it'd test against the player character hacker more or less often based on how busy (or not) the host was. 1 minute is basically a good rule of thumb, but I'd add a caveat to feel free to potentially modify the increment up for a particularly low security host or down for a particularly high security host.
Ok, so what IS the threshold the Patrol IC must hit in order to "know" the player character is hacking the host? You guessed it: GM fiat. Now the GM SHOULD give weight to the character's actions and test results, of course. A decent rule of thumb might be to ask the hacker to defend against the Matrix Perception roll every minute, and use that result to determine the success or failure for the Patrol IC. Of course, the more impactful the actions the intruder is taking, the lower the threshold should be for the Patrol IC to "notice something is wrong" and so you can also/instead have the Patrol IC roll against a static threshold (see Threshold Guidelines on pg 36 to establish what that value should be, based on how "obvious" it is that something's wrong in your specific circumstance). Also note that Spider(s) should also be present, and as people they're a bit smarter about noticing anomalies than computer programs are. When a security spider notices something wrong is even more so a matter of GM fiat.
TL;DR: the Patrol IC mechanic is more or less simply meant to work in concert with Overwatch Score to prevent a hacker from having infinite time to execute a hack inside a host. You eventually trigger an alert if you're indefinitely present.
(2) When I first sleaze in, how does that work with active Patrol IC?
As written, Hide appears to be a post detection action, not a pre-detection action. It seems like if you Sleazed in, you would be considered to be entering in running silent mode. However, since the Patrol IC is active, you would immediately need to roll your W+S vs its MP, to see if it sees you. If it fails, you are good for 1 minute, at which time it rerolls, and may spot you. If it ever wins, you are in trouble, as it will start launching IC right away. Plus any other cases that might constitute "detection".
Hide, Backdoor Entry, and Running Silent are all distinct concepts, even though there are some relationships between them.
If you are in the host, generally speaking you appear at first glance to be a legit user. So you really don't even HAVE to be running silent. The legit employees and legit customers using a host aren't running silent, so why do you set off an alarm simply for NOT running silent? You don't. That's why Patrol IC exists: to interrogate users and discern who's legit and who's a hacker. Now, CAN you be running silent? Sure. But in the context of Patrol IC and host alerts, it's essentially a non-sequitur. It literally doesn't matter. Patrol IC will know "something's up" just as fast whether you're running silent or not. Granted, running silent COULD matter, if cybercombat ensues!
Of course if you Brute Force your way in, absolutely go in Running Silent because the host will immediately be on alert the moment you're in.
(3) Can IC run silent? Seems like it could?
This is a question with a very arcane answer. It's a lot more complex than one might expect on the surface of such a simple question.
Short answer: I'd say it's a best practice to just have IC NOT running silent.
Longer answer:
This is already a long post.. so I'm not going to go fully into this... but:
1) There's a lot of inertia from 5e in the 6e matrix rules, even when not explicitly stated it's still factoring in on the assumptions
2) To update a 5e maxim for 6e rules: "Access now flows DOWNSTREAM as well as upstream." This means you can "see" the icons at your access level
2a) you might use this for IC to be considered "running silent" from hackers who only have User or Outsider access, but not from hackers who've achieved Admin access
3) adding real-life table time to have to spot IC is IMO a generally bad idea. It just complicates and prolongs cybercombat by adding another step to execute.
Thanks in advance!
YW!