[Darzil]

Well, one cannot identify something running silently if they don't know something about it in the first place.  So the Patrol IC cannot search for silently-running icons.  However, I still think that Patrol IC should be able to look for MARKs on the host.  If nothing else, this encourages hackers to take that risk of getting multiple MARKs in one action.  Hopefully you finish your job before the Patrol IC finds your MARK(s) on the host.

Interesting, I never really noticed the caveat that one has to know at least one feature about an icon to be able to spot it running silently, and you also have to be aware that there are even any icons running silently nearby.

I've mostly seen that interpreted here as being able to slim down the number of hits by knowing a feature, such as "look at persona icons running silently", "look at icons running silently that just attacked me". Otherwise you are picking randomly between them all, which can be a lot!

Moving on to marks; while Patrol IC certainly seem to be able to look for marks, is that actually useful information? As per Matrix Perception on page 235, one question you can ask is for "the marks on an icon, but not their owners". Is knowing the mark an icon uses enough to identify the icon itself? Doesn't that seem to break with the "but not their owners" part of that very statement?

So, say the Patrol IC tries to spot a new (and potentially unrecognized or unauthorized) mark on the host it's guarding; would the mark itself be running silent if the hacker that placed it was? If the Patrol IC spotted the mark, what could it do with that information, assuming the hacker is running silent and hasn't attracted any obvious attention?

Marks can't run silent (pg 236). All it'd know would be that the mark had appeared, it wouldn't know whose it was nor whether it was legally or illegally placed. (Unless there was additional security, such as a whitelist file, that it could compare with.)

[Namikaze]

But, this doesn't seem to follow with the "If you know at least one feature of an icon running silent, you can spot the icon (Running Silent, below)." Surely knowing that there is an icon running silent is not knowing "at least one feature of an icon running silent", right? So when does this ever become applicable? I think this section is both in agreement and disagreement with you here, Namikaze, because it both suggests that you need to know at least one feature of an icon running silently to be able to spot it, and also that you ask whether any icons are running silently nearby with a single hit on a Matrix Perception Test.

Simple: run the scan in AR, and target every person you can see.  If you can see the person, you can look at them in AR and say "show me their icons."  It's time-consuming and droll, so you'd probably use an Agent to assist you.

Moving on to marks; while Patrol IC certainly seem to be able to look for marks, is that actually useful information? As per Matrix Perception on page 235, one question you can ask is for "the marks on an icon, but not their owners". Is knowing the mark an icon uses enough to identify the icon itself? Doesn't that seem to break with the "but not their owners" part of that very statement?

I can't speak with certainty, but based on several mentions throughout the books of "owner's MARKs" and things of that nature, I suspect there will be some differentiation between MARKs when Data Trails comes out.  If my hunch is correct, it would mean that Patrol IC might be able to differentiate between having a MARK that you acquired legitimately vs. illegally.

So, say the Patrol IC tries to spot a new (and potentially unrecognized or unauthorized) mark on the host it's guarding; would the mark itself be running silent if the hacker that placed it was? If the Patrol IC spotted the mark, what could it do with that information, assuming the hacker is running silent and hasn't attracted any obvious attention?

MARKs are only visible to the person that placed the MARK, with the exception of having found one via a Matrix Perception test (pg. 236).  The Patrol IC's Matrix Perception test initially just tells you how many MARKs are on the host.  A second Matrix Perception test will reveal the information about the MARKs (such as who owns the MARK, where it came from, etc.).

[Herr Brackhaus]

Intriguing.

In that case, the police officer scenario I posted previously would seem to be quite plausible. I would then at the very least play Patrol IC as rolling Matrix Perception to see if it's able to spot any decker attempting to enter the host while running silent; this seems like logical security design to my mind.

As for what else Patrol IC does, I'd say that is probably up to how fiendish the GM wants to be. You could run periodic Matrix Perception Tests at set or random intervals (once per combat turn, for example, or on a result of 6 on a d6 or some such), or after an illegal action is performed, or never unless an overtly illegal action is performed.

I'd probably run Patrol IC as checking the door, so to speak, looking for icons running silently which would trigger a mechanical roll when a decker attempted to silently enter the system at the very least. In order not to slow down the game too much I'd probably just make the Patrol IC check only after an active alert (i.e. a successful Attack action or failed Sleaze action) and then periodically once per combat turn after that. Feels like a solid compromise between risk of discovery and flow of play to my mind.

[Adder]

While the act of placing a mark is an illegal activity, the act of simply having a mark is not. Once you have the mark, you are considered a legitimate user.

Based on that line, I don't think spotting a mark will throw up any warning flags. Even if the Patrol IC saw your mark it wouldn't register it as odd.

What I'd like to do is define a reasonable pattern of behavior for Patrol IC that is not too time-consuming or difficult for the hacker as well.

How does this sound?

1. Patrol IC automatically examines all "loud" icons every turn. If you are a loud icon and do not have a mark on the host, then you are unauthorized and it triggers the alert. (I don't know if this is a valid scenario- is there a way to enter a host without having at least one mark?)
2. Patrol IC will scan for silent icons "periodically". That depends on host configuration, security level, "alert status" of the host. For example, if another hacker just broke into the system and was caught, Patrol IC would constantly scan for silent icons which might catch me even though I haven't done anything yet.
3. If the Patrol IC spots a silent running icon, it will check if they have a mark. If they have a mark they will ignore them, but they're still spotted so an illegal action would automatically be detected. (You could change this so that any silent running icons are always illegal and immediately trigger an alert but that feels a little harsh).
4. Whenever an illegal action is committed, the Patrol IC does a Matrix Perception test to detect the aggressor. Spotting will result in an alert. Even not spotting could result in increased "alert status", see #2 above, depending on the host.
5. Whenever some other custom-defined action is taken, the Patrol IC does a Matrix Perception test as above in #4. This is configured by the host. For example, if there's a super special file that only the owner should be able to edit, that would count as an "illegal action" and trigger #4's test. Note that a host -defined illegal action does not increase overwatch score.


How does that sound? Is it too harsh, or too easy?

[Darzil]

I don't think you can enter a host without having a mark. I think you could be in a host without one if it was removed after entry, though, for example by a security spider.

I like the idea of silent running being 'illegal' in a high security host, but not generally, though.

Bear in mind that they'll probably have to mark the file to edit it, as well as crack it's protection possibly, both of which would be illegal, even if the editing wouldn't.

Custom reasoning per host sounds reasonable. It's not supported by the Patrol IC text on pg 248, but is by the first paragraph of Security Response on pg 247.

[DeathStrobe]

I'd probably run Patrol IC as checking the door, so to speak, looking for icons running silently which would trigger a mechanical roll when a decker attempted to silently enter the system at the very least. In order not to slow down the game too much I'd probably just make the Patrol IC check only after an active alert (i.e. a successful Attack action or failed Sleaze action) and then periodically once per combat turn after that. Feels like a solid compromise between risk of discovery and flow of play to my mind.

I honestly don't think any illegal actions should provoke a Matrix Perception Test since they already have downsides on success or failure.

[DeathStrobe]

I think Patrol IC should not care if you enter a host, silent or not. Because you have a mark so it means you're a "legal" user. And if you're silent then it shouldn't know you entered, since that's the point of running silent.

I also don't think Patrol IC should make perception tests on illegal actions, because illegal actions already come with downsides. If its a successful attack action, the Host knows to start looking for who just attacked it. If its an unsuccessful sleaze action then it marks the hacker and knows to start launching IC to deal with the hacker.

But legal Matrix actions that are performed from silent running persona's is strange. And that is when the Patrol IC should try to find the hacker or report it as a false positive or glitch and ignore it. Legal actions done while not running silent should be recorded and leave a data trail that the hacker won't want, which is why they won't want to not run silent and make a legal Matrix action, or maybe they would because they don't care if the IC spots them and would rather have that +2 dice.

There needs to be some risk to being in a host, obviously or else the corp would never use them. But it can't be so risky that the host instantly starts launching more IC and alarms go off and the entire run goes to drek, or else the Matrix becomes too much of a liability and no one will want to play it.

[DigitalZombie]

I suppose some hosts would have their IC performing matrix perception tests on "legal" personas in order to check their last matrix action. If that action happens to be hack on the fly, the IC would likely be instructed to interpret that as a non-legal user.

Which of course makes it very important for a hacker to do some boring legal matrix actions as soon as he has hacked his way inside a host, as to hide his intend.

[Herr Brackhaus]

While the act of placing a mark is an illegal activity, the act of simply having a mark is not. Once you have the mark, you are considered a legitimate user.

Based on that line, I don't think spotting a mark will throw up any warning flags. Even if the Patrol IC saw your mark it wouldn't register it as odd.

What I'd like to do is define a reasonable pattern of behavior for Patrol IC that is not too time-consuming or difficult for the hacker as well.

How does this sound?

1. Patrol IC automatically examines all "loud" icons every turn. If you are a loud icon and do not have a mark on the host, then you are unauthorized and it triggers the alert. (I don't know if this is a valid scenario- is there a way to enter a host without having at least one mark?)

For a decker I don't think this is possible; I'm wondering if a Technomancer could achieve this with the use of Puppeteer or Resonance Veil, but I somehow doubt it.

2. Patrol IC will scan for silent icons "periodically". That depends on host configuration, security level, "alert status" of the host. For example, if another hacker just broke into the system and was caught, Patrol IC would constantly scan for silent icons which might catch me even though I haven't done anything yet.

I think this is fair. Scan every icon on entry, and periodically scan if an active alert is issued (i.e. failed sleaze or successful attack). In the case of a failed sleaze, though, the host gets a mark on you anyway, so in theory your cover is already blown as anyone can automatically spot an icon they have marked. That being said, a clever and fast hacker could potentially have time to erase the mark and hide before the IC got a chance to look for the offender, so it makes sense that Patrol IC actively look for hidden icons when an alert is issued.

3. If the Patrol IC spots a silent running icon, it will check if they have a mark. If they have a mark they will ignore them, but they're still spotted so an illegal action would automatically be detected. (You could change this so that any silent running icons are always illegal and immediately trigger an alert but that feels a little harsh).

I like this, though this is somewhat like 1 in that it's seems difficult, if not impossible, to enter the host without a mark in the first place.

4. Whenever an illegal action is committed, the Patrol IC does a Matrix Perception test to detect the aggressor. Spotting will result in an alert. Even not spotting could result in increased "alert status", see #2 above, depending on the host.

That's a little too much in my opinion.

5. Whenever some other custom-defined action is taken, the Patrol IC does a Matrix Perception test as above in #4. This is configured by the host. For example, if there's a super special file that only the owner should be able to edit, that would count as an "illegal action" and trigger #4's test. Note that a host -defined illegal action does not increase overwatch score.

How does that sound? Is it too harsh, or too easy?

This is more reasonable to me. You could even have honeypot files set up to always trigger an alert if modified in any way (heh), but a custom response certainly should keep players on their toes as long as they have some way of finding out about potential traps. Good recon should pay off.

I'd probably run Patrol IC as checking the door, so to speak, looking for icons running silently which would trigger a mechanical roll when a decker attempted to silently enter the system at the very least. In order not to slow down the game too much I'd probably just make the Patrol IC check only after an active alert (i.e. a successful Attack action or failed Sleaze action) and then periodically once per combat turn after that. Feels like a solid compromise between risk of discovery and flow of play to my mind.

I honestly don't think any illegal actions should provoke a Matrix Perception Test since they already have downsides on success or failure.

I'm not sure I agree with this. Nearby guards get perception tests to hear the silenced gunshot that you just took, and astrally perceiving or projecting mages get a chance to spot spells you just cast whether the action was successful or not. The fact that an action has consequences should not preclude further consequences, necessarily.

I think Patrol IC should not care if you enter a host, silent or not. Because you have a mark so it means you're a "legal" user. And if you're silent then it shouldn't know you entered, since that's the point of running silent.

This comes down to system design in my opinion. If you have a corporate host where running silent is off limits, icons that are running silent should be something that Patrol IC looks for. Is it applicable to all hosts? No. But it should certainly be allowed for some where higher security is desired.

I also don't think Patrol IC should make perception tests on illegal actions, because illegal actions already come with downsides. If its a successful attack action, the Host knows to start looking for who just attacked it. If its an unsuccessful sleaze action then it marks the hacker and knows to start launching IC to deal with the hacker.

I agree with this in principle, but some illegal actions set off the equivalent of alarms. A successful Sleaze and a failed Attack should not cause Patrol IC to look for icons running silent because it wouldn't know. But a failed Sleaze is something a Host would already know about, and a successful Attack is very overt but the cause may not be known, so Patrol IC looking for a culprit at this point makes perfect sense to me.

But legal Matrix actions that are performed from silent running persona's is strange. And that is when the Patrol IC should try to find the hacker or report it as a false positive or glitch and ignore it. Legal actions done while not running silent should be recorded and leave a data trail that the hacker won't want, which is why they won't want to not run silent and make a legal Matrix action, or maybe they would because they don't care if the IC spots them and would rather have that +2 dice.

There needs to be some risk to being in a host, obviously or else the corp would never use them. But it can't be so risky that the host instantly starts launching more IC and alarms go off and the entire run goes to drek, or else the Matrix becomes too much of a liability and no one will want to play it.

This gets too complex too quickly for my taste, which is why I'd run Patrol as checking everything at the door (first line of defense) and periodically after an active alert (second line of the defense). GOD notifying the host that a breach is underway (Covergence, and last line of defense) is the extreme prejudice option.

[DeathStrobe]

I suppose some hosts would have their IC performing matrix perception tests on "legal" personas in order to check their last matrix action. If that action happens to be hack on the fly, the IC would likely be instructed to interpret that as a non-legal user.

Which of course makes it very important for a hacker to do some boring legal matrix actions as soon as he has hacked his way inside a host, as to hide his intend.

I'm not a fan of that interpretation either because it feels as cheesy as having the Patrol IC look for hidden icons every IP. Its basically a way to say, hacking should not be allowed in this game because every host will always see you no matter what and thus you can never hack anything. So it either slows hacking down to a crawl, which SR5 has done a great job at not letting happen, or it makes hacking too dangerous.

[Herr Brackhaus]

I suppose some hosts would have their IC performing matrix perception tests on "legal" personas in order to check their last matrix action. If that action happens to be hack on the fly, the IC would likely be instructed to interpret that as a non-legal user.

Which of course makes it very important for a hacker to do some boring legal matrix actions as soon as he has hacked his way inside a host, as to hide his intend.

I'm not a fan of that interpretation either because it feels as cheesy as having the Patrol IC look for hidden icons every IP. Its basically a way to say, hacking should not be allowed in this game because every host will always see you no matter what and thus you can never hack anything. So it either slows hacking down to a crawl, which SR5 has done a great job at not letting happen, or it makes hacking too dangerous.

I don't think anyone is advocating Matrix Perception tests every IP, I'm certainly not. For me, it's once upon entry (like a guard would attempt to spot someone trying to sneak past them), and then once every Combat Turn only after an active alert has been issued.

[DeathStrobe]

I'm not sure I agree with this. Nearby guards get perception tests to hear the silenced gunshot that you just took, and astrally perceiving or projecting mages get a chance to spot spells you just cast whether the action was successful or not. The fact that an action has consequences should not preclude further consequences, necessarily.

While I would like it if Matrix Perception worked exactly like normal Perception tests, it sadly does not. So I don't think it is an equivalent for Patrol IC to make Matrix Perception tests for every action, though that may not necessarily be a bad way of handling it. But I don't really want to make that many tests for every action.

This comes down to system design in my opinion. If you have a corporate host where running silent is off limits, icons that are running silent should be something that Patrol IC looks for. Is it applicable to all hosts? No. But it should certainly be allowed for some where higher security is desired.

The problem is that why wouldn't ALL hosts be set up like that? Which then makes hacking too big of a liability. There has to be a reason why hosts don't look for silent running icons every turn. There is the reducing dice pool for making the same test, which is probably that reason. Which means that hosts should only look for hidden icons if it suspects that there are hidden icons to look for.

This gets too complex too quickly for my taste, which is why I'd run Patrol as checking everything at the door (first line of defense) and periodically after an active alert (second line of the defense). GOD notifying the host that a breach is underway (Covergence, and last line of defense) is the extreme prejudice option.

Well, how often is periodically? Checking the door isn't a bad idea. But I just don't think it fits thematically, because you should be able to enter a host not running silent and have your persona blend in with all the other personas in the host. You got examples of that in the fluff from Buddy walking around Crashcart's host in 2XS and talking with information IC to that dwarf decker who name I forgot in Frost and Fire would talked with an AI managing the host at the start of the book. So hiding in plain sight in a thing and I don't want to take that away from the setting.

[Herr Brackhaus]

The problem is that why wouldn't ALL hosts be set up like that? Which then makes hacking too big of a liability. There has to be a reason why hosts don't look for silent running icons every turn. There is the reducing dice pool for making the same test, which is probably that reason. Which means that hosts should only look for hidden icons if it suspects that there are hidden icons to look for.

Are all Windows servers today patched with the latest security updates? Are all SQL servers hardened against code injection? No. There are variables in system design in general and system security in particular, and varying levels of host ratings is one way the game tells us how "hardened" a host is.

Well, how often is periodically? Checking the door isn't a bad idea. But I just don't think it fits thematically, because you should be able to enter a host not running silent and have your persona blend in with all the other personas in the host. You got examples of that in the fluff from Buddy walking around Crashcart's host in 2XS and talking with information IC to that dwarf decker who name I forgot in Frost and Fire would talked with an AI managing the host at the start of the book. So hiding in plain sight in a thing and I don't want to take that away from the setting.

Like I said:

I don't think anyone is advocating Matrix Perception tests every IP, I'm certainly not. For me, it's once upon entry (like a guard would attempt to spot someone trying to sneak past them), and then once every Combat Turn only after an active alert has been issued.

Furthermore, the check for icons running silent would turn up nothing on a hacker entering the host normally with a mark. The suspicious activity is the act of running silent, and that is what may throw up a red flag that warrants further investigation. I'm certainly not advocating taking that option away, though I think it's certainly a dangerous method of hacking because the second you fail a Sleaze action or succeed an Attack action the host should by all rights be all over you.

[Darzil]

I think Patrol IC should not care if you enter a host, silent or not. Because you have a mark so it means you're a "legal" user. And if you're silent then it shouldn't know you entered, since that's the point of running silent.

That certainly sounds the default, from the Patrol IC text.

I also don't think Patrol IC should make perception tests on illegal actions, because illegal actions already come with downsides.

According to the Patrol IC text on pg 248 that is the job of Patrol IC.

There needs to be some risk to being in a host, obviously or else the corp would never use them. But it can't be so risky that the host instantly starts launching more IC and alarms go off and the entire run goes to drek, or else the Matrix becomes too much of a liability and no one will want to play it.

A host doesn't instantly launch IC. Per pg 247 It can only launch one IC per combat turn, at the start of the combat turn. You may well have a couple of actions after you set the alarms off before the first dangerous IC turns up. Depending on the policies of the host owner (which you should have researched) you might well be facing something non deadly.

Edit - One thing worth thinking about when you are setting the frequency of which Patrol IC does it's checks is that false alarms (glitches) happen remarkably often, if you were rolling three a combat turn. If someone has to check them all out, you'd probably tone down the frequency, or you'd have many false call outs per day!

[Herr Brackhaus]

Edit - One thing worth thinking about when you are setting the frequency of which Patrol IC does it's checks is that false alarms (glitches) happen remarkably often, if you were rolling three a combat turn. If someone has to check them all out, you'd probably tone down the frequency, or you'd have many false call outs per day!

I'm not sure this is necessarily a valid argument. Take the door check example; you could reliably buy hits as a GM and never risk a glitch or critical glitch. A high enough rating host could be problematic even with bought hits.

Another thing that bothers me about the assumption that a glitch will eventually happen is that it relies solely on probability. Over a long enough time frame sure, you'll get some glitches, but that doesnt necessarily mean that such an event will occcur at the time when the PC Decker makes their entrance.

All of that being said, I think you and I are pretty much on the same page when it comes to Patrol IC.

However, I thought about what Deathstrobe said in the car on my way home, and I have to say that my own argument is a little hypocritical. I argue that Patrol IC checking Icons as they enter the host would be similar to a physical guard checking to see if he spots someone trying to sneak by him.

I maintain my above stance that the guard and patrol IC will both eventually glitch and critically glitch their rolls from a probability point of view but I've never seen anyone argue that the guard should somehow suffer the glitch and critical glitch when performing perception tests even though he does so constantly for all intents and purposes.

However, where my argument falls on itself is the periodic check I've suggested; physical guards don't normally roll to search for intruders after an alert is sounded, and certainly not every initiative pass or even combat turn. So the challenge to my mind becomes coming up with an approach to matrix security that doesn't bog down the game but that could potentially throw a wrench in the plans while maintaining some semblance of "realism".

How one goes about this is honestly beyond me at this point. I just hope Data Trails clarifies how the designers thought this whole thing should work.