[Adder]

Edit - One thing worth thinking about when you are setting the frequency of which Patrol IC does it's checks is that false alarms (glitches) happen remarkably often, if you were rolling three a combat turn. If someone has to check them all out, you'd probably tone down the frequency, or you'd have many false call outs per day!

I was thinking about that, and I think Patrol IC glitches should actually be GOOD for the player. If the Patrol IC glitches the perception test and launches IC (even if it hasn't spotted the player), that just makes it worse when the player is eventually spotted and gets hammered by lie four IC simultaneously. I would probably rule a glitch on the perception test to delay the next check, buying the player more time.

I think we are all in agreement that having marks is not actually illegal, yes? If the Patrol IC noticed I have three marks on a file, that's fine, because having a mark is never bad (excluding custom-defined behavior).

Regarding scanning on entry, I agree that if you enter in while silent running the Patrol IC does not get a chance to scan you.

So regarding my original proposal:

1. Patrol IC automatically examines all "loud" icons every turn. If you are a loud icon and do not have a mark on the host, then you are unauthorized and it triggers the alert. (I don't know if this is a valid scenario- is there a way to enter a host without having at least one mark?)
2. Patrol IC will scan for silent icons "periodically". That depends on host configuration, security level, "alert status" of the host. For example, if another hacker just broke into the system and was caught, Patrol IC would constantly scan for silent icons which might catch me even though I haven't done anything yet.
3. If the Patrol IC spots a silent running icon, it will check if they have a mark. If they have a mark they will ignore them, but they're still spotted so an illegal action would automatically be detected. (You could change this so that any silent running icons are always illegal and immediately trigger an alert but that feels a little harsh).
4. Whenever an illegal action is committed, the Patrol IC does a Matrix Perception test to detect the aggressor. Spotting will result in an alert. Even not spotting could result in increased "alert status", see #2 above, depending on the host.
5. Whenever some other custom-defined action is taken, the Patrol IC does a Matrix Perception test as above in #4. This is configured by the host. For example, if there's a super special file that only the owner should be able to edit, that would count as an "illegal action" and trigger #4's test. Note that a host -defined illegal action does not increase overwatch score.

Is the only objection here how frequently #4 occurs? I could tune that to be "the first illegal action in a Combat Turn", which of course encourages people to be in hot-sim VR and rewards good initiative in general. More initiative = more actions you can perform without a check.


On a somewhat related note, if there's a device that is slaved to a host in a WAN and I direct connect to the device, am I in the host? Could I immediately start interacting with files in the host? That's one way to possibly get in without a mark if that is true.


P.S. I'm surprised there aren't more GMs weighing in. My characters run into at least one host literally every run. The Patrol IC behavior question comes up every time :-(
 

[Darzil]

However, where my argument falls on itself is the periodic check I've suggested; physical guards don't normally roll to search for intruders after an alert is sounded, and certainly not every initiative pass or even combat turn. So the challenge to my mind becomes coming up with an approach to matrix security that doesn't bog down the game but that could potentially throw a wrench in the plans while maintaining some semblance of "realism".

It's an issue with Matrix Perception more generally, it's one of the reasons I suggested this : http://forums.shadowruntabletop.com/index.php?topic=19312.0

[Namikaze]

I missed out on all this conversation today, so I will avoid putting in my two cents.  I don't feel like getting caught up completely.  Patrol IC are a weird thing though, that's for sure.  My expectation is that Data Trails will give us more actions, more opportunities, and possibly more IC and such.

[Adder]

I missed out on all this conversation today, so I will avoid putting in my two cents.  I don't feel like getting caught up completely.  Patrol IC are a weird thing though, that's for sure.  My expectation is that Data Trails will give us more actions, more opportunities, and possibly more IC and such.

Damn, I was thinking this whole time "where's Namikaze to the rescue with a well-thought out explanation?" :-(

[DeathStrobe]

I missed out on all this conversation today, so I will avoid putting in my two cents.  I don't feel like getting caught up completely.  Patrol IC are a weird thing though, that's for sure.  My expectation is that Data Trails will give us more actions, more opportunities, and possibly more IC and such.

I'm not expecting Data Trails to resolve anything. This has always been an ambiguous part of the rules, or else we could say, "Well it worked like this in 3rd/4th so naturally it must work like this in 5th." But its always been left open. Which is annoying. But then again, we did get Spirit Index in Street Grimoire which has always been left open to GM interpretation in previous editions.. So who knows.

[Kincaid]

After a certain point, it's tough to make rules about how things interact because so much of that comes down to GM fiat.  If you want Patrol IC to check every pass, it makes sense on a certain level (You had one job!) but it means the GM is going to be rolling a *ton* of dice and it will drag down gameplay.  Some tables may be totally fine with that and more power to them; other tables may want to keep the pace and action of a white-knuckle Matrix run moving and balk at the idea.

In my game, deckers have essentially two options: sneak or bluff (I guess they could assault things as well, but they all take Hack on the Fly over Brute Force).  You can enter a host with a mark(s) and using a wrapper program to make it look like you belong or you can run silently and hope to avoid detection altogether.  Bluffing gets you in trouble if you perform an action or go someplace that isn't allowed for your icon--a delivery man's persona isn't going to wander into the host's research notes and mark files, for example.  When you "break character," the Patrol IC rolls.  Running silent comes with its own advantages, so whenever you accrue OS, I have the Patrol IC roll.  It's not perfectly symmetrical--you could accrue OS "in character" and I wouldn't roll--but it's worked fine so far.

[Namikaze]

I missed out on all this conversation today, so I will avoid putting in my two cents.  I don't feel like getting caught up completely.  Patrol IC are a weird thing though, that's for sure.  My expectation is that Data Trails will give us more actions, more opportunities, and possibly more IC and such.

Damn, I was thinking this whole time "where's Namikaze to the rescue with a well-thought out explanation?" :-(

LOL I'll pour through the stream of stuff this afternoon and give you my opinion.  Bear in mind it's just an opinion though. 

[Namikaze]

Alright Adder, I promised I'd look things over and here's what I've got. 

1. Patrol IC automatically examines all "loud" icons every turn. If you are a loud icon and do not have a mark on the host, then you are unauthorized and it triggers the alert. (I don't know if this is a valid scenario- is there a way to enter a host without having at least one mark?)

This sounds right, but I don't think there's any way for a person to enter a host without a mark.  At least, not yet.  It's possible we'll see some stuff with the deep dives that have been hinted at.

2. Patrol IC will scan for silent icons "periodically". That depends on host configuration, security level, "alert status" of the host. For example, if another hacker just broke into the system and was caught, Patrol IC would constantly scan for silent icons which might catch me even though I haven't done anything yet.

This is what I envision the Patrol IC's primary job is going to be.  I agree that this all depends on the security level and alert status of the host.  Generally, I wouldn't do more than one scan per turn just to prevent bogging things down in the Matrix.  Also, I would assume that any icon that the Patrol IC has already scanned is on the "okay" list and won't be re-scanned unless something changes.  Such as a security elevation, or one of the triggering events mentioned below.

Here's how I see the Patrol IC working, step-by-step:

• Hacker enters host using Brute Force
• Patrol IC immediately elevates the security level by 1 (corresponding security protocols are followed)
• Patrol IC begins scanning for silent icons
• If the Patrol IC finds a silent icon, it raises the security level by 1 again (corresponding security protocols are followed)

• Hacker enters host using Hack on the Fly
• Patrol IC scans the new icon in the host (if running "loud")
• Patrol IC scans for silent icons
• Patrol IC finds a silent icon, it raises the security level by 1 (corresponding security protocols are followed)

Once the Patrol IC has scanned your icon, you are clear to travel about the host (assuming you have a mark and aren't skulking about).

3. If the Patrol IC spots a silent running icon, it will check if they have a mark. If they have a mark they will ignore them, but they're still spotted so an illegal action would automatically be detected. (You could change this so that any silent running icons are always illegal and immediately trigger an alert but that feels a little harsh).

It does feel harsh, but that's one of the side effects of breaking into a corporate host.  If you get caught sneaking around, security-minded folks will automatically assume you're up to no good.  And a host is much like a corp's private turf - they have full extraterritoriality and they will use it.  Note that a Patrol IC may not make an alert known system-wide, rather just sending a subtle message to the decker on duty.

4. Whenever an illegal action is committed, the Patrol IC does a Matrix Perception test to detect the aggressor. Spotting will result in an alert. Even not spotting could result in increased "alert status", see #2 above, depending on the host.

In the event that the illegal action is discovered (such as using Brute Force or failing a Hack on the Fly action) then yes, I think this makes sense.  The term demiGOD gets used a lot for system administrators of hosts.  However, they aren't directly affiliated with GOD and therefore don't have access to quite the same protocols and tools.  With that said, breaking into hosts sneakily is really the prefered method of hacking specifically because a host can lock itself down super-quick if needed.

5. Whenever some other custom-defined action is taken, the Patrol IC does a Matrix Perception test as above in #4. This is configured by the host. For example, if there's a super special file that only the owner should be able to edit, that would count as an "illegal action" and trigger #4's test. Note that a host -defined illegal action does not increase overwatch score.

Seems reasonable to me.  I don't know if every host requires a specific set of events to be created.  You could probably get away with just using the idea that every time the host gets a mark on something, the Patrol IC investigates what that something is.


I just realized I should probably outline what I see as a reasonable security protocol list.

Security level 1:

• Alert the decker assigned to host security
• Decker decides whether or not the threat is a false alarm
• Launch a single instance of White IC (I like Marker and Tar Baby)

Security level 2:

• Alert the decker assigned to host security
• Decker personally investigates the alert
• Launch a single instance of Blaster, Killer, or Sparky IC
• Command Patrol IC to start scanning for silent icons every turn
• Command Tar Baby IC to attack any icon revealed by the Patrol IC

Security level 3:

• Launch instances of all remaining IC available (starting with the deadly stuff and working down from there), remember the host can only launch one IC per turn
• Command Tar Baby to link-lock every icon it can find

[Adder]

lots of detailed thoughts

https://www.youtube.com/watch?v=OBwS66EBUcY

After a certain point, it's tough to make rules about how things interact because so much of that comes down to GM fiat.

LOL I'll pour through the stream of stuff this afternoon and give you my opinion.  Bear in mind it's just an opinion though. 

I think now's a good time to mention what my goal is with all of these questions.

I love the world of Shadowrun. I think the rules are partially so ambiguous precisely because the rulebook tries to be so ambitious and give us all of this content. If Shadowrun rules were as fleshed out as say, Pathfinder, I think the rulebook would easily exceed 1000 pages. I mean the magic section of a typical D&D player's guide takes up about a third of the book!

My goal is to provide my players with balanced, understandable and thematically-appropriate rules that stick as close to the intention of the game designers as possible. I can't imagine playing a decker if I had no idea what the Patrol IC did and its behavior wildly varied from one host to another. I need to give my players something they can understand and plan around, otherwise they start feeling like their success feels arbitrary. "Why am I being scanned every turn now when last time it only scanned me once, ever?"

To that end, I have two different phases of investigation:

1. Rules analysis. Did I miss a rule? Is there a rule in another section that answers my question? Is the wording precise enough to answer my question after further discussion?
2. Rules interpretation. When #1 fails to give a complete answer, devise a complete answer based on information found from #1, general speculation on usage ("theorycrafting") and other tables' experiences.

When I originally joined this forum and asked questions I expected a bunch of "you missed a section, here is the correct ruling". That happened maybe 10% of the time. What I typically get is actually "well the rules are a bit unclear, but this how I think it should work/what we do at our table..."

Which is great! That actually is exactly what I'm looking for. I want to know what people do at their specific tables regarding these rules. If I could survey 100 tables and get 100 different opinions on how to interpret the mechanics, that would help tremendously towards me building my own table's solution. I don't really expect anyone to actually know the "true" rules implementation. I would actually be shocked if the game designers knew- there's no way they could have thought of all these different scenarios. I'm just looking for feedback on how people are actually running with these rules.

[Namikaze]

If my players have a relevant knowledge skill, such as Matrix Security, I'll let them get some info on the "default" settings for IC.  Also, if a hacker on my team just wants to get info on a host, like what kind of stats it might be using, I'll provide them with the array of default stats for that type of host (assuming they pass a relevant Computer test).  Note these are just the defaults, and I make sure my player knows that this information might change.  If nothing else, it helps them to make a determination about whether or not they want to poke their neck into a host illegally.  Another thing you could try doing is letting the hacker probe the target with Matrix Perception, and maybe learn the device rating of the host.  This won't tell them the breakdown of stats, but generally all stat arrays are (Rating +1)/Rating/(Rating -1)/(Rating -2).

While I think having some sort of codified definition of basic information is critical to any GM, I think giving the players too much of that information at once is going to lead to one of two results: information overload, or metagaming.  Instead, I try to keep my information to myself and let the players learn the information with appropriate knowledge tests.  This puts more emphasis on knowledge skills (active skills double as knowledge skills by the way), and makes the player realize that his/her character is actually knowledgeable about the world.

[DeathStrobe]

So I just went back and read up a bit on previous editions. And I'm sure the rules do not work for SR5, but if we translate it maybe we can get some ideas or compromises.

SR3: Every hit from a Probe IC adds to the security tally of the decker. Probe IC makes that test for every action the decker does.

So, security tally is basically over watch score except with alarms going off at seemingly random tally levels set by the GM.

So maybe, since OS caps at 40, we can have different host responses at lower levels like this:

0 OS – Patrol IC makes a perception test every time the decker makes an action. If the target is running silent, each hit (not net hit) adds to the targets OS. If running loud, it's assumed to be a legal user.

15 OS  – Patrol IC takes notice of the hacker, actively looks for silent targets, or sets of an alert on a loud user. White IC is launched to aid the Patrol.

30 OS – Sets off an alert, regardless of if an intruder was spotted or not. Grey or Black IC is launched to aid the other IC.

40 OS – Host Convergence. Bad things happen.

But the problem is that IC can be suppressed in SR3, which can buy the decker time. In SR5, attacking an IC immediately sets off alerts to the owner. So the problem is that OS is going to build crazy fast, maybe too fast, with this.

SR4. IC actually sees you, but has to figure out if you're not suppose to be there. So apparently I was playing SR4's Matrix wrong forever. Because I always figured you needed to spot an icon with a Matrix perception test to know that it is there. But I guess not. I guess you just need to make the perception test to learn information about an icon. So I guess a spider can just log on, see the hacker and start attacking them without needing to spot them. So this super doesn't apply to SR5, because running silent does make you "invisible."

SR4's Patrol IC description is also super not helpful, because it says it scans icons randomly. So, we just roll a d6, on 1 we make the appose Matrix Perception test? I don't know...that just feels really...lame. But that's kind of how it sound in SR5 too.

[Namikaze]

The thing is that a hacker's overwatch score isn't visible to the host.  Or at least, that's what seems to be the case.  Because the host is not controlled by GOD, and overwatch score is a construct of GOD, it stands to reason that the host may not be aware of a hacker's overwatch score.  With that said, illegal actions in the host do build overwatch score, so the relationship is a murky one.  I think using OS as a metric for the GM to determine the level of resistance the hacker faces is a good idea though.

[Herr Brackhaus]

This won't tell them the breakdown of stats, but generally all stat arrays are (Rating +1)/Rating/(Rating -1)/(Rating -2).

Is this something unique for your table? I ask because the attributes for Hosts according to SR5 page 247 is somewhat different:
"The ratings of these attributes are usually (Host Rating), (Host Rating + 1), (Host Rating + 2), and (Host Rating + 3), in any order. For example, a Rating 4 host might have Attack 5, Sleaze 4, Data Processing 7, Firewall 6."

[Darzil]

I started writing the same note, then realised that maybe he meant stats rather than attributes. Though I thought you normally just substitute rating for those. Only matters on defence anyway, as all IC attack with Host Rating x 2 dice.

[Namikaze]

Nope, just doing it from memory late at night so I had the wrong numbers.