[SR5] Matrix Hosts

  • 93 Replies
  • 39107 Views

Erling (Chummer, Posts: 170)
« Reply #30 on: <08-20-14/0730:57> »
As stated above, absolutely any (nearly consequence-free) marking of a Host results in immediate direct connection to all devices on its WAN, which allows for incredibly easy hacking.  This makes no sense in terms of either realism or game balance.
You bet! The only mentioned advantage is speed (no more "going out for pizza while decker is doing his job", as they speak), but I agree that such an easy way to get direct connection with ALL slaved devices is silly. The only balancing factor is Overwatch Score (decker will need to put marks on cameras for controlling them anyway).
« Last Edit: <08-20-14/0736:49> by Erling »
SR1++SR2++SR3+++SR4+SR5+h++IE-W++hk++sa++++sh+hm--m-gm+M-P

Xenon (Prime Runner, Posts: 6469)
« Reply #31 on: <08-20-14/0856:30> »
To physically open a maglock using lockpicking is an opposed test against device rating X 2 (often 4 dice).

Why would hacking the maglock with a direct connection be an opposed test against 12+ dice?? Considering you often need to hack several doors, elevators, alarms etc during a run that would actually make matrix overwatch pointless and just bring more attention. Cause more harm than it would benefit you. It would be vastly superior to just invest in lockpicking skill... If you are a dedicated hacker with double digit dice pools then you are simply not supposed to have a 50/50 risk of failure for each single device you control during matrix overwatch.

Fighting host ratings is for when you try to gain access to a host without abusing a physical direct connection to a slaved device and for pay data runs where the protected file is stored within a host...

SlugShaman (Newb, Posts: 33)
« Reply #32 on: <08-20-14/1514:12> »
Quote from: Xenon
To physically open a maglock using lockpicking is an opposed test against device rating X 2 (often 4 dice).

Why would hacking the maglock with a direct connection be an opposed test against 12+ dice?? Considering you often need to hack several doors, elevators, alarms etc during a run that would actually make matrix overwatch pointless and just bring more attention. Cause more harm than it would benefit you. It would be vastly superior to just invest in lockpicking skill... If you are a dedicated hacker with double digit dice pools then you are simply not supposed to have a 50/50 risk of failure for each single device you control during matrix overwatch.

Fighting host ratings is for when you try to gain access to a host without abusing a physical direct connection to a slaved device and for pay data runs where the protected file is stored within a host...

No one is claiming that hackers should have to fight host ratings.  Host ratings are exceedingly difficult, even at lower levels, and as you said, it would make hacking pointless.  My problem isn't that a hacker gains a direct connection to all devices, but that **everyone** invited into the host gains the same.  Guy buying gum at StufferShack has direct connections to the camera and cred register.  No need to even hack the host, as he's invited into it freely.  Meanwhile, any publicly visible host can be hacked consequence free, and the moment you're in, you have wireless direct connections to all devices.

At that point, what's the point of the Host defenses, other than IC?  You say it's for "gaining access to a host without a physical connection", but if you note, you can do that without consequence.  So basically, the host defenses are never utilized (except for sharing with IC).

What I'm suggesting though, isn't fighting Host ratings on every device (yikes!), but that the rules seem to be intending for you to need a single physical direct connect, just like in the short story.  Once you have that, and you mark the device, you're connected to the WAN, thus everything in the WAN.  That means that sneak-thief hacker Plug-In can plug into the WAN, help her team access cameras, drones, and elevators without worrying about Host ratings, while everyday-citizen Joe Everyman doesn't get direct connections to every device in a building just because he was given a simple invite into the Host (which can be a very public thing in some cases).

And all that requires is changing "If you are in a host that has a WAN..." to "If you are connected to a host's WAN..."

Yinan (Newb, Posts: 67)
« Reply #33 on: <08-20-14/1746:29> »
Well, there are probably two hosts everywhere.
One host for "public access" where only the devices are connected that are supposed to be accessed by everyone.
And one silent running Host, that only a selected few (i.e. employees) are invited to mark, where all the other devices are connected to.
In the second Host, ICs are running scanning every Icon joining. If they don't broadcast a Signal that identifies them as an employee (or something similar), they get attacked immediately.


But I also think that the whole "you are directly connected to every device in the Host while inside the Host" isn't supposed to be like that.
You should only have no Noise Rating there and only get direct connection to everything if you're directly connected to any device that is slaved to that host in meatspace.
That solves nearly all Problems.

SlugShaman (Newb, Posts: 33)
« Reply #34 on: <08-20-14/2020:45> »
Quote from: Yinan
Well, there are probably two hosts everywhere.
One host for "public access" where only the devices are connected that are supposed to be accessed by everyone.
And one silent running Host, that only a selected few (i.e. employees) are invited to mark, where all the other devices are connected to.
In the second Host, ICs are running scanning every Icon joining. If they don't broadcast a Signal that identifies them as an employee (or something similar), they get attacked immediately.

I definitely think two hosts is appropriate in specific circumstances. The public host for Ares is likely very distinct and separate from the host for its secret underground research lab. On the opposite end of the spectrum, the local StufferShack on 3rd and Glarston is only going to have one host. But for the middle ground? What about a small bank? Seems to me that it would be incredibly inconvenient to have two hosts in a bank where the visitors are going to be accessing the accounts that are what should be protected. I'm not even sure, if the public Host allows access to accounts, it *could* separate those accounts to a second host. At the least, they'd have to be accessible by both.

But that raises the question... Why, then, would being in that host (visiting a bank) give you, a stranger on the street, direct connection privileges to account-related files and devices at the least?  Even if the cameras, vault, schedules, employee info, etc were all on a separate hidden host, visitors would have direct connection privileges to whatever devices access the accounts.  No direct, precautionary Host defenses, only secondary and reactionary IC.  Saying a direct connection, or at least a solid mark or two or three, on the WAN, is what allows you access to the WAN makes far more sense than saying any ole mark on the host itself does the same.  And you're right that it solves nearly all of my problems with the Host-related rules.

Xenon (Prime Runner, Posts: 6469)
« Reply #35 on: <08-21-14/0154:49> »
Quote from: SlugShaman
...My problem isn't that a hacker gains a direct connection to all devices, but that **everyone** invited into the host gains the same.
But having a direct connection does not let you control, modify, view, alter or in any way shape or form affect the device you have a direct connection to. All operations like that still need a Mark on the device. You don't automatically get a Mark just because you got a Direct Connection. All a Direct Connection does is let you bypass master device or host ratings when you attack it with a matrix action.

Quote from: SlugShaman
Guy buying gum at StufferShack has direct connections to the camera and cred register.
Guy buying gum at StufferShack does not have a sleaze or attack rating. He can't use Control Device, as Control Device requires a Mark on the camera as well as a persona with a Sleaze rating. He can't snoop the camera feed because he does not have a Mark on the camera and his persona does not have a Sleaze rating. The StufferShack owner who Enters the StufferShack Host, however, gets a direct connection to the camera even if he is at home. A decker only needs to fight 4 dice when trying to Mark or Snoop the camera slaved to the StufferShack host.

Quote from: SlugShaman
...and the moment you're in, you have wireless direct connections to all devices.
Everyone has a wireless connection to all wireless devices in the entire world all the time (all wireless devices are connected to the Matrix and they are all on a Grid). You don't need to enter a host for that (but you might suffer noise due to distance if you don't have a direct connection, you might get a cross grid penalty if you don't have a direct connection, you might get a negative penalty for public grid if you don't have a direct connection, and if you access the device out on the grid without a direct connection you have to fight master device or host ratings if the device is slaved to a master device or host).

Just because you can spot a device icon does not mean you have full control of it.

Just because you attach your commlink cable to a device to establish a direct connection does not mean you have full control of it.

Without marks and without a persona with attack/sleaze attributes you can't hack the device. Direct connection or not.

Quote from: SlugShaman
What I'm suggesting though, isn't fighting Host ratings on every device (yikes!), but that the rules seem to be intending for you to need a single physical direct connect, just like in the short story.  Once you have that, and you mark the device, you're connected to the WAN, thus everything in the WAN.
If you hack a device on the grid you fight host ratings. If you are successful you get a mark on the device and you get a mark on the host. If you Enter Host you get a direct connection to all slaved devices to the Host and you don't have to fight host ratings when trying to mark the other devices. You don't need a physical direct connection for that.

If you hack a host on the grid you fight host ratings. If you are successful you get a mark on the host. If you Enter Host you get a direct connection to all slaved devices to the Host and you don't have to fight host ratings when trying to mark the other devices. You don't need a physical direct connection for that.

If you hack a device on the grid with a physical direct connection you don't fight host ratings. If you are successful you get a mark on the device and you get a mark on the host. If you Enter Host you get a direct connection to all slaved devices to the Host and you don't have to fight host ratings when trying to mark the other devices.

Quote from: SlugShaman
...while everyday-citizen Joe Everyman doesn't get direct connections to every device in a building just because he was given a simple invite into the Host (which can be a very public thing in some cases).
SR5 p. 233 PANs and WANs
...If you are in a host that has a WAN, you are considered directly connected to all devices in the WAN...

Quote from: SlugShaman
And all that requires is changing "If you are in a host that has a WAN..." to "If you are connected to a host's WAN..."
It is not the act of having a physical direct connection to a device that gives you a direct connection to all other slaved devices in the WAN.

You still have to Enter Host.

The direct connection is only there to let you avoid host ratings to Enter Host (since this test is otherwise resisted by double digits(!) and requires a very very skilled decker and/or using Edge!).

You only get a direct connection if you are inside the host (all devices slaved to the host) or if you have a physical connection (only the device you are physical connected to).

prionic6 (Chummer, Posts: 172)
« Reply #36 on: <08-21-14/0204:59> »
Direct connection isn't a "privilege", it just circumvents the master/slave relationship. You can't do shit if you have a direct connection to something, you still need to mark it. Which is pretty easy for the devices slaved to the host but files inside the host still use the host's ratings. So if you're looking for a file, you need to:

- Get a mark on the host (This is the only action that's easier with a camera/device that you plug into)
- Enter host
- Matrix search for the file (30 seconds with browse!) - only if the file was used "recently", otherwise it's in an archive and mostly inaccessible.
- Get a mark on the file
- Copy file ("Edit")

First you spend a lot of time (10 combat rounds, but each net hit halves the time) looking for your file. In that time ICE can certainly spot you.
Then, marking the file and copying it are pretty difficult dice rolls and if you fail them you either get damaged or the host (and all of its ICE) gets marks on you.

Also for a device, sure, you have direct connection to the device and can get marks pretty easily. But your options are still limited then. You can modify the live feed of the camera, but that's a complex action every combat round. That isn't bad in itself. But that is just one camera. Most of the time, cameras are overlapping, so you probably want to edit all the feeds at the same time. This isn't even possible in the rules as far as I see but a generous GM might allow you to edit the "combined recordings" file on the host. Which still uses host ratings. Oh, and you can open locks, of course. Now let's be honest here, you need someone to be able to do this stuff for the game to be playable. If you have to make a difficult test for each and every lock, camera and other device that needs to be tampered with, you will probably fail. This is actually a problem for our table because we fail matrix stuff all the time because it's so difficult. Meh.
« Last Edit: <08-21-14/0235:48> by prionic6 »

SlugShaman (Newb, Posts: 33)
« Reply #37 on: <08-21-14/0315:07> »
Quote from: Xenon
But having a direct connection does not let you control, modify, view, alter or in any way shape or form affect the device you have a direct connection to. All operations like that still need a Mark on the device. You don't automatically get a Mark just because you got a Direct Connection. All a Direct Connection does is let you bypass master device or host ratings when you attack it with a matrix action.

First, this is obvious.  Yes, of course you need a mark on something to do many of the more useful Matrix actions.  Second, and more to the point, though, this has nothing to do with what Yinan and I were discussing.  So you still need marks.  Does that in any way diminish the incredible usefulness of direct connections?  The usefulness you yourself mention later because it's significantly easier hacking a Device rating 2 camera than a Host with even a moderate rating.  If you consider direct connections so trivial, I would imagine your local bank or Stuffer Shack wouldn't mind you plugging a hard wire into the cred register or bank teller's system, right?  That must not be even remotely suspicious behavior considering that you're invited into the Host, which grants you the same connections.  It's silly on its face.

As for the rest of what you replied, I think maybe you skimmed what we said as you seemed to reply with quotes from the book (?) despite that the line you quoted is exactly what I'm suggesting is likely meant not as written.

Maybe I wasn't clear enough earlier?  What I'm suggesting is that the concept that strangers off the street are invited to receive marks on the host which then allows said strangers to bypass all Host defenses is just plain silly.  What purpose does Host security serve, at that point?  And no, I'm not requesting a copy and paste of the rules.  Yes, obviously hacking the Host to enter it requires breaching defenses.  Which isn't necessary for some Hosts, right?  You're literally given, freely, marks that give you the ability to bypass all Host defenses (save IC).  That's not trivial, and it's not something to dismiss because the RAW say so.  It's as I said before, just kind of silly.

What I'm suggesting is that it's possible, and I think likely, that a physical direct connection was meant to be the lead in to access every device on the network without fighting Host defenses.  That the RAW say one thing, but the RAI might be something else.


Also, to drive home the point, while Joe Everyman might not have a deck, it's been explicitly stated by the local Freelancer that Edge can be used to hack without a deck.  So, yes, literally anyone can access the Stuffer Shack's cred register (account system?  cred scanner?) with a little luck and pluck without ever having to hack the host itself.  Just straight to the register, fighting only the device rating x 2 a couple of times, and Joe Everyman makes off with the day or week's profits.  Seems silly.

SlugShaman (Newb, Posts: 33)
« Reply #38 on: <08-21-14/0330:33> »
Quote from: prionic6
If you have to make a difficult test for each and every lock, camera and other device that needs to be tampered with, you will probably fail.

As I said, I never meant for every test to fight the Host ratings.  That would be silly, and no one would want to be a decker, in or out of the game universe.  My problem was that simply being "in" the Host grants what would otherwise require a data cable physically plugged into the devices.  For a secret hidden and highly protected Host, sure, getting into the Host in the first place would be a feat, and the fact you're in might warrant some high level privilege. 

But some hosts are much easier to enter, some even freely offering Marks to enter.  Am I really supposed to believe that any Host, no matter what, must grant every visitor connections to every WAN device that would otherwise only be attainable (for example, out on the grid) through a data cable physically inserted?  Every bank receiving patrons is offering direct connections to every device on the Host WAN?  Every store receiving customers is offering direct connections to every device on the WAN?  And these connections that "can't do anything" would be unobtainable outside of a Host if you didn't have a physical cable connection.

What the RAW suggests is that if a local store wants a Host that can sell products in the Matrix to Matrix visitors, it has to do what is tantamount to asking customers to pay for products in a 2014 store by plugging their laptop into the USB of their cash register.  This behavior is not only commonplace, but unavoidable, and not considered an incredible security flaw?  And no one has ever found a way to ask customers to pay for products on the Matrix without basically handing them data cables connected to their registers?

I dunno about you, but this seems mighty shady to me.  It comes across as a rule that was slightly miswritten.  As someone mentioned earlier, simply changing the rule as written ever so slightly solves virtually every problem related to it.
« Last Edit: <08-21-14/0347:02> by SlugShaman »

prionic6 (Chummer, Posts: 172)
« Reply #39 on: <08-21-14/0330:45> »
Quote from: SlugShaman
Also, to drive home the point, while Joe Everyman might not have a deck, it's been explicitly stated by the local Freelancer that Edge can be used to hack without a deck.  So, yes, literally anyone can access the Stuffer Shack's cred register (account system?  cred scanner?) with a little luck and pluck without ever having to hack the host itself.  Just straight to the register, fighting only the device rating x 2 a couple of times, and Joe Everyman makes off with the day or week's profits.  Seems silly.

Now we're talking! First of all, I've never heard about using edge for hacking without a deck. I wouldn't allow it. But even then, maybe he has a cheap deck and uses edge. Now, in my opinion, nothing money-related would ever be stored in a device. Sure, you could tamper with a reader (if something like that is even needed, could as well be all software) and mess with a single transaction. But money just passes through it. The account system you mention would be something that runs on the host or maybe off-premises in a different, central host. So here you're confronted with host ratings again.

How much edge does Joe Everyman have, anyway?

Xenon (Prime Runner, Posts: 6469)
« Reply #40 on: <08-21-14/0344:32> »
The dangerous part of hacking a file is that it is protected (if not everyone can read it) and to crack the protection you need to use an attack action. If successful the host will be alerted (until this point you are basically a legit icon). Patrol IC will start spamming matrix perception to "Find the icon that attacked the file" and if you are not running silent then you will automatically be spotted. Host will start to launch IC and the second you are found (only a matter of time) they will all attack you.

Meanwhile you need to fight host ratings to edit the file (double digits and you have a negative dice pool because you run silent - you might need several action phases).

It will become a race against the clock.

SlugShaman (Newb, Posts: 33)
« Reply #41 on: <08-21-14/0405:19> »
Quote from: prionic6
Now we're talking! First of all, I've never heard about using edge for hacking without a deck. I wouldn't allow it. But even then, maybe he has a cheap deck and uses edge. Now, in my opinion, nothing money-related would ever be stored in a device. Sure, you could tamper with a reader (if something like that is even needed, could as well be all software) and mess with a single transaction. But money just passes through it. The account system you mention would be something that runs on the host or maybe off-premises in a different, central host. So here you're confronted with host ratings again.

How much edge does Joe Everyman have, anyway?

Yes, obviously you'd have to have a lucky Joe Everyman to hack without a deck into even a simple device.  But, the possibility is still there, right?  It's a huge security flaw.

And, okay, let's pretend most transactions are just data passing through and not held in a device.  You could still hack the camera to turn it off while you pocket cred sticks, or products.  Rating 2 camera, single hack for a mark, single hack for a Control Device.  Suddenly you can do anything you want with no camera feed.  It's just all very... silly.  There's nothing strictly coming against the gameplay of the situation (though Host ratings seem pretty easy to bypass with consequence-free Hack-On-The-Flys), but the premise of focusing so much on security as to have patrolling spiders, IC, Host ratings, all to ignore the very silly bypass you get freely to all visitors.

PS  I also dislike the idea of using Edge to hack without a deck.  Another RAW that seems awfully silly considering the background they built for the Matrix and the universe at large.

Quote from: Xenon
The dangerous part of hacking a file is that it is protected

For the sake of argument, let's say we're turning off cameras to do something illegal, rather than accessing files directly.  Doesn't change the premise that it's a huge security hole.  But if we say it's a camera, we have two Sleaze actions which, if successful, are never discovered. If they fail, Mr. Everyman reboots and gets some rest to try again another day.

To put all of this another way:
According to RAW, at worst, you can hack any device bypassing Host defenses with freely given public Host marks.  At best, you have to use a consequence-free Hack-On-The-Fly repeatedly until you get in, and you're at the same point as before.

My guess of RAI, or at least what I think should be RAI, to get access to that camera, you'd need to jack in, physically, to *something* or face a serious Host defense from even a low rating Host.  Camera, lock, register, refrigeration unit.  It'd require stealth, being clever, and proximity.  While the previous scenario allows someone across the world to hack the devices, this one would require proximity to bypass Host rating.

For Shadowrunners, this changes nothing as you'd likely be using a physical jack to get into a host in a shadowrun in the first place (since most runs likely wouldn't be against your local store), so nothing would change.  For some tech savvy wannabe-ganger, this goes from two really simple Sleaze hacks for easy access to a much more tricky situation where he/she must be much more clever to break security.  Rather than just pressing a button for "Get Free Store Invite Here".  Frankly, I like the change I suggest much better than the RAW.
« Last Edit: <08-21-14/0427:38> by SlugShaman »

prionic6 (Chummer, Posts: 172)
« Reply #42 on: <08-21-14/0413:53> »
Quote from: SlugShaman
But some hosts are much easier to enter, some even freely offering Marks to enter.  Am I really supposed to believe that any Host, no matter what, must grant every visitor connections to every WAN device that would otherwise only be attainable (for example, out on the grid) through a data cable physically inserted?  Every bank receiving patrons is offering direct connections to every device on the Host WAN?  Every store receiving customers is offering direct connections to every device on the WAN?  And these connections that "can't do anything" would be unobtainable outside of a Host if you didn't have a physical cable connection.

No company with a sense for security would slave a device to a public host if the device is useful to a hacker. I see a couple of ways this can be handled:

- Second host. This was already mentioned and certainly is the standard operating procedure for anyone who has the resources to do so.
- Negligence. The stuffer shack might be run by someone who just doesn't care.
- Maybe slaving the devices to a high rating commlink if a host is too expensive?
- Higher rating devices.
- Some sort of utility that allows securing the connected devices, maybe partition the host into regions that you have to mark separately? This probably exists and we might get rules for it in the Matrix book.

Another idea: Maybe the public host invites you to mark him only if you do the same? So a Patrol ICE or something else on the host could keep an eye on the users. A hacker would use another way in then.
« Last Edit: <08-21-14/0444:39> by prionic6 »

prionic6 (Chummer, Posts: 172)
« Reply #43 on: <08-21-14/0417:45> »
Quote from: SlugShaman
For the sake of argument, let's say we're turning off cameras to do something illegal, rather than accessing files directly.

I'd say a camera that stops working would incite a reaction by whoever is watching those feeds.

Let's repeat this: Joe Everyman has a lucky day and manages to switch off a security camera in a local stuffer shack that has badly managed IT. You call this a "huge security hole"?
« Last Edit: <08-21-14/0423:45> by prionic6 »

Xenon (Prime Runner, Posts: 6469)
« Reply #44 on: <08-21-14/0429:32> »
Everyone has a connection to all wireless devices in the entire world all the time and most devices only defend with the same amount of dice as if you plug a cable directly into their universal data connector.

I get the feeling you are just getting stuck in the word "direct".

A "direct" connection just reduces the number of dice the device gets to defend with - down to the same level as all the other millions and millions of devices out there that are not slaved.

As for a bank; In the BK example he attacks the "bank's heavily protected private host", suggesting that the bank also has a less protected public host (without sensitive information and without slaved security services).

As for hacking a maglock; A maglock will only oppose with 4 dice if you "hack" it manually with lockpicking. This is the same amount of dice it would resist when you hack it with a wireless connection (or from a direct connection if slaved). I honestly don't see the issue here....