NEWS

Hacking, Stealth and Detection

  • 14 Replies
  • 3836 Views

Razhul

  • *
  • Omae
  • ***
  • Posts: 268
« on: <02-21-13/2011:32> »
Hey there,

Once I login as Admin to a node that I probed (meaning just 1 check against my stealth upon log on), how often should I expect to be scanned by IC and Spiders? Can the GM just roll vs my Hacking+Stealth every IP or should I expect him to try once and then let it go as I checked out as a proper Admin user?

When you GM, how do you do it?

Mantis

  • *
  • Omae
  • ***
  • Posts: 586
« Reply #1 on: <02-21-13/2226:54> »
On a really paranoid system where no other personas should be present, then yeah it could be that often. But in general, no, not every IP, Maybe not even every round or minute. It depends on the system and how secure it is as well as how busy it is. Remember, they (IC) need to scan all the icons present to look for intruders so if the system is a busy place then that takes time.
If you want those tests to detect you to stop or become a non-issue, just disarm the analyze software on the system or else create a legit account with your hacked admin account and then log in again with your new legit account. The system will think you belong and leave you alone.
Basically, the more secure the system, the more frequently it should check if you are actually legit or not. Disarming the analyze against you makes that very difficult for the system so should be a first step after you analyze the node yourself.

UmaroVI

  • *
  • Prime Runner
  • *****
  • Posts: 2655
« Reply #2 on: <02-22-13/0820:10> »
The other thing to keep in mind is that IC or spiders that failed to find you take a -2 cumulative penalty each time they retry until they wait for 5 minutes to an hour. See "Trying Again" p65. This helps stop things from getting too stupid.

Razhul

  • *
  • Omae
  • ***
  • Posts: 268
« Reply #3 on: <02-22-13/1344:19> »
Thanks for both replies!

I'll probably log on, create a legit Admin account and then re-login, hoping the GM doesn't come up with "you will need passkey authentication for a legit Admin account..." or somesuch.

Another question: Do you have a general order of actions / workflow once logged in? Seems like some actions just need to be done to be safe, like:
1) Check alert status
2) Start looking for access log (for later erasing)
3) Observe In Detail to get a list of all icons within the node
4) Set analyse program to report new icons entering the node
5) Check for IC running
6) Check for Spiders registered and potentially logged in
etc. etc. etc.

And that's all before starting to actually do what you're there for to do.

Mantis

  • *
  • Omae
  • ***
  • Posts: 586
« Reply #4 on: <02-23-13/0247:01> »
If you have an agent available, after checking alert status I would set the agent to many of those routine tasks so you can get to doing the thing you are actually there for. As a technomancer, you can set a sprite to these tasks. I feel that a hacker really should have at least 1 or more agents to help with hacking. They can be set to probe systems for you, crack encryption, sort data and as the usual support roles like an extra gun or a healer.

One thing I would add to your list between step 1 and 2 is to disarm the system Analyze program so you can avoid it picking you up later as well as detecting your introduction of your helper agent. It won't completely prevent the system from detecting this but it does cut the dice pool down quite a bit.
Oh and you missed redirect data trail to your safety list  ;).

farothel

  • *
  • Prime Runner
  • *****
  • Posts: 3859
« Reply #5 on: <02-23-13/0531:25> »
Be careful if you turn of the analyse.  Some systems have scripts set-up to warn if that happens (at least, I would do it like that), to prevent hackers just from doing that.

Most normal nodes without a spider will have an analyse script that works a bit like the example, I think it's in Unwired:
See which Icon has not been scanned for the longest time and scan that.  If it's okay (or appears to be okay), go to the next one on the next IP.  That way the frequency of scanning is dependant on the number of icons and that depends on the node itself.

With a spider in it, it depends on how paranoid he is.  If he knows he's the only admin that should be there and suddenly there's a second one, he will investigate (if your GM plays him logically).  Maybe just in the form of a routine query to see if you're a collegue that logged in for some extra work, but he can if he knows that all admins have a certain avatar and you don't, immediately take out the big guns.  Most spiders are smart (high logic) so they should be played as such.
"Magic can turn a frog into a prince. Science can turn a frog into a Ph.D. and you still have the frog you started with." Terry Pratchett
"I will not yield to evil, unless she's cute"

Sichr

  • *
  • Prime Runner
  • *****
  • Posts: 7202
  • TOTÁLNÍ FAŠÍRKA ZMRDI !!!
« Reply #6 on: <02-23-13/0653:36> »
Also i would rule in my game, if player asks for such info, that since you were talking about probing, which takes some time, successfull matrix perception test would reveal regular checks and intervals for those. Prewarned means prearmed.

RHat

  • *
  • Prime Runner
  • *****
  • Posts: 6317
« Reply #7 on: <02-23-13/0718:46> »
Be careful if you turn of the analyse.  Some systems have scripts set-up to warn if that happens (at least, I would do it like that), to prevent hackers just from doing that.

See, that's why Disarm is a beautiful program.  Rather than shutting the Analyze off, Disarm makes it completely incapable of being used on you - they can keep on using that program, but they can't detect you with it.
"Speech"
Thoughts
Matrix <<Text>> "Speech"
Spirits and Sprites

Razhul

  • *
  • Omae
  • ***
  • Posts: 268
« Reply #8 on: <02-25-13/1357:26> »
Be careful if you turn of the analyse.  Some systems have scripts set-up to warn if that happens (at least, I would do it like that), to prevent hackers just from doing that.

See, that's why Disarm is a beautiful program.  Rather than shutting the Analyze off, Disarm makes it completely incapable of being used on you - they can keep on using that program, but they can't detect you with it.

My GM did not allow Disarm, hence I am left without that option.

Concerning the use of an agent: If I load him into my own system, I would need to get him another access account on the node and he would run against my processor limit, correct? If I load him onto the hacked node, he would run off that node but someone might pick up on an extra agent running there, no? Also, the agent should be able to use all programs on the hacked node, too, no? Or is that only for me, as I hacked in as admin? /confused

Mantis

  • *
  • Omae
  • ***
  • Posts: 586
« Reply #9 on: <02-25-13/1442:12> »
If you load the agent on your commlink node, it uses whatever software you allow it to. If you send the agent off to run autonomously then it would need its own access account and can run whatever software you load into it (payload) as well as whatever it could use by using a hacked account. When the agent runs on your commlink it counts against your processor limit but not subscription limit. When it runs autonomously, it counts against the processor limit of the node it is in and against your subscription limit. In that case, yes the system could notice the agent as it is acting as another persona basically. Pg 234 of SR4A explains all this.

Try to think of an agent running autonomously as a sort of NPC you give orders to as far as what it can do. When run from your commlink it acts more like a software suite that can only access what you allow it to. In both cases though, you can still use it to help you fight or whatever, so long as it has the programs to do what you want.

Why did your GM disallow Disarm? Can you use anything else in Unwired? If so, load your agent with programs modified with the Ergonomic and Optimized options. Ergonomic will mean the agent has far less impact on your commlink and Optimized means it can operate at much closer to max capability no matter what the rating of the node it is on.

Razhul

  • *
  • Omae
  • ***
  • Posts: 268
« Reply #10 on: <02-25-13/1710:46> »
Let's say I get into a node and have my agent loaded on my comlink. Can the agent use the same program instance of stealth (and other programs) that I am running or do I have to load (own?) Stealth twice?

Mantis

  • *
  • Omae
  • ***
  • Posts: 586
« Reply #11 on: <02-25-13/1758:20> »
Yes you would, but the Agent only counts programs it is actually running (as opposed to loaded in its payload) against the processor limit. This is why Ergonomic is quite useful. But you only need to have Stealth loaded in that agent to avoid Matrix Perception Tests. If you know how often a node runs Analyze, you just give your Agent an order to load that program when an Analyze is about to run and then unload it and have it do whatever tasks you need. A node isn't likely to analyze every action that every icon takes as that would to take quite a bit of time.
Matrix security has to balance usability against security. The checks themselves take an action so if the node is busy (with Personas/Icons) it will take a while for the analyze to roll around and check you again.
The Shadowrun FAQ may help you with some of this.
http://www.shadowrun4.com/game-resources/frequently-asked-questions/

Falconer

  • *
  • Ace Runner
  • ****
  • Posts: 1112
« Reply #12 on: <02-25-13/1828:36> »
Not quite Mantis....

In the case of a commlink... the analyze is run and set to automatic... it automatically sweeps the node constantly for changes and suspicious activity.

p57 unwired expands this default behaviour into larger nexus.
There it states... "divide the proc limit of the nexus by 10 (round normally).   This is the amount of time it takes the Analyze program to complete a full scan of all users and activity in the node."

The analyze isn't being activated... it's running constantly.. it's only the check which is spaced out.   

A high security node can easily run multiple security agents (ICE) each with thier own analyze for providing for security scans at an even higher rate than this.   So no, you're not going to get away with turning the stealth on and off.

Also the ergonomic limits of the system don't necessarily help the agent if the host is running ergonomic programs already.  Because now your ergonomic program doesn't have room to run.   And if it's interfering with an ergonomic security ICE or other critical function of the node (the kinds of things which are normally ergonomic)... then that will also cause problems.


Mantis

  • *
  • Omae
  • ***
  • Posts: 586
« Reply #13 on: <02-25-13/1842:22> »
You can set the analyze on a commlink to run automatically but that isn't by default. You need to set it to do so but otherwise, yes. As far as the check, yes that is what I was saying, just unclear wording on my part I see. Whoops.
IC will also be on some sort of interval as to how often it scans a given Icon so you can still pull this trick off. A system isn't going to be coded to keep checking the same icon every time it does something unless there is an alert on. If an icon passes a sweep it will be left alone until the next sweep or it does something to attract attention.
I imagine a matrix infiltration to be more along the lines of sneaking into a building with guards on a patrol. Once you know the patrol route (analyze scan interval, IC scan interval), you can time things to avoid them (activate Stealth). You should be fine so long as you don't do something to attract attention from the patrolling guard (IC).
« Last Edit: <02-25-13/1906:36> by Mantis »

Falconer

  • *
  • Ace Runner
  • ****
  • Posts: 1112
« Reply #14 on: <02-25-13/2038:16> »
Yes, because the prior sentence reiterates the bits that are in the SR4a mainbook...   about sys-ads and security spiders using analyze set to automatic... specifically because it is an automated procedure to watch for any suspicious behaviour as often as practical while they continue working.

Actually ICE would scan every icon every chance it gets.   It's an automated batch file process.  It's the only job it performs.   ICE would use the exact same rules for analyze as a user would... nowhere in the book does it state it doesn't.   It would sit in the node with the analyze on automatic... scanning as often as it could (as defined by unwireds clarifications).   Or just like a spider... it could do a 'simple' action to scan the node at penalty as often as it could.


And if you're going to go into that... suggest you look at scripting on p69 which describes how ice security scripts are setup using a bloodhound as an example...  that kind of brain-numbing single-minded activity of simply scanning every icon in a node as often as it can is exactly what security ICE is setup to do.