Matrix 2.0 Overwatch: A running example

by Marc A Renouf


Okay…here goes. First, an overview. Matrix Overwatch (or matrix cover) is the presence of a decker in a site’s network concurrent to a physical attack/insertion/robbery/whatever. It is both tremendously useful and potentially dangerous. So consider the following as an example.

The party is hired to conduct an extraction of a low-level corporate exec who happens to know some crucial bit of intel that interests another corporate competitor. The target lives in a residential high-rise in a well-to-do neighborhood.

The decker hits the system shortly before the rest of the party gets on site. While there, he hits the security host, looking especially for the slave systems controlling the cameras that look out over the building’s loading dock. Once he finds this particular slave function, he can alter what the guard in the booth sees on his monitor by executing the Edit Slave system operation. He can fool the guard by looping a video track of nothing out of the ordinary happening in the loading dock. Care must be taken to not loop a section where the same thing will happen over and over (the guard would get suspicious if the same car drove by every twelve seconds). Note that Edit Slave is a Monitored Operation, meaning that it requires the decker’s full attention. The decker can get around this by making a Command Set that does the work for him. Simple Command Sets, such as this kind of video looping, do not require prior work or programming by the decker. He or she merely makes a system test against the appropriate subsystem, in this case the Slave subsystem. An enterprising decker could also try to find the slave function that controls external security calls or alarms to the police, though these things are often not matrix accessible.

From there, the decker locates the slave function controlling the timed maglocks on the loading dock’s doors. He unlocks said door. Suspending the deck’s ASIST input momentarily, he radios the “all clear” signal to the rest of the party, who rush to the loading dock secure in the fact that the door is open and they will not be seen by security. The team is now inside the building with no one the wiser. From here they move to the freight elevator, surprising and narcojecting the single guard on patrol in the vicinity. The party was hoping not to have to do this as the guard will be missed soon. Oh well.

The decker then races to the maintenance host, logging on and locating the slave function controlling the freight elevator. If he was smart, the decker could move the elevator without it telling security that it had moved. If not, he could change the elevator icon on the guard’s security panel to “at rest” and make it stay that way (though this would require yet another Command Set). So now the team takes a pleasant ride up to the twenty-fourth floor. A party member picks the door lock and the sams and mage burst into the exec’s room, narcojecting both him and his nubile plaything in bed.

Meanwhile, the decker, secure in the knowledge that the party is in, goes back to the security host, watching through the security cameras and checking to make sure the downed guard has not been missed (a Monitor Slave system operation). Just as the decker settles in to watch, a call comes in reporting the downed guard near the freight elevator. A call immediately goes out to the building’s security provider and the police, but that function has been previously flubbed by the decker, so the security pukes can’t get through. If they have a security decker on site, he’ll jack in and go about trying to clear the Command Sets. If not, oh well.

Back at the ranch, the party has subdued and trussed their quarry, but the decker has tipped them off that security is on alert. Rather than trying to fight their way past the goons downstairs, they opt for “Plan B”. At this point, some enterprising guard calls 911 from the payphone in the lobby (unbeknownst to both the party and the decker), so things may get hairy soon. The decker, blissfully unaware of the fact that the cops are en route, jumps around to random slave functions, causing as much chaos as possible in as little time. Fire alarms, smoke alarms, burglar alarms, sprinklers, door locks, etc. go crazy as the decker frags with every slave function he can get his hot little Spoof program into. Finally he takes the freight elevator (sans party) back down to the lobby and makes sure security knows about it. Security thinks, “They’re makin’ a break for it in the freight elevator. Get ‘em!” Many goons are amassed at the loading dock level, waiting to ambush the party as they come out of said elevator.

But lo, the party has employed a glass cutter, and is currently rappelling down the side of the building with their unconscious quarry strapped onto the street-sam like luggage. By the time the freight elevator doors open and the guards discover that the elevator is empty, the party is already beating feet across the street, heading for the safety of their ultra-rigged van. Once the party is safely away, the decker hops back into the security host and prints “seeeya, chumps!” on the screen, (much to the chagrin of the fuming security chief) and gracefully logs off. Mission accomplished.

Debriefing

As far as what skills are necessary for such a run, it’s just basic decking. The difference between the standard “matrix run” and matrix overwatch is that the former is concerned primarily with the acquisition of data. Matrix overwatch, on the other hand, is concerned primarily with executing host functions to help the party. Chief among these are controlling slave functions to give the party as much time and cover as possible. To execute a host function, all it takes is a Computer skill test against the appropriate subsystem rating. The most common subsystem will be the Slave subsystem, as it controls most of the things a decker will want to screw around with.

Keep in mind that Control Slave, Monitor Slave, and Edit Slave are all Monitored Operations, and thus require the decker’s full attention. For simple things, the decker can cook up a small Command Set “on the fly” if you will. For more complicated things, the decker will need to write the Command Set beforehand, upload it to the host, and try to fool the host into running it (a successful Control test). Pre-written Command Sets can affect multiple functions, so if the decker knows what he or she is after, a single Command Set can be written beforehand to do everything the decker wants. This may be quicker and more economical than jumping around and writing lots of little Command Sets, each of which does only one thing.

Both of these approaches have their advantages and drawbacks. Multiple smaller Command Sets require more tests, which in turn have the potential to rack up Security Tally points faster. Having to deal with IC while trying to provide Matrix Overwatch is just a bad scene. On the plus side, there are lots of these Command Sets, which means that legitimate security deckers have to track them all down and purge them one-by-one (a Crash Application system operation will pretty much slay a Command Set). This can cost the security decker lots of time and give the team’s decker the room he or she needs to cover the party or warn them of new developments.

Using a pre-written Command Set, on the other hand, only requires a little bit of upload time and a single Control test to get the host to execute it. That finished, the decker is freed up to do other things (though the decker’s Command Set may require input from the decker during its execution, like prompting the decker to push the big, red, virtual button to execute the “all hell breaks loose” subroutine). Think of these larger Command Sets as “control-panels” for a program called “Create Chaos v1.0.” Unfortunately, the decker needs to have some idea of what functions are available, and where on the host they are (i.e. the Locate Slave operation needs to be done on them). This may require some extensive “research” on the appropriate host beforehand, something which may not be possible. The other drawback here is that the security folks only need to crash a single application to purge the Command Set from the host completely, forcing the decker to either upload it again or do the tasks manually.

Also, keep in mind that the Security Tally of the decker may transfer from host to host within the overall system. For this example, I assumed a network where security operations were handled on one host, maintenance operations on another, and possibly record-keeping or administrative operations on a third. All of these hosts are linked, but all are part of the same system (a Host-Host type grid). Thus, as the decker jumps from one host to another depending on what he or she is trying to accomplish, the Security Tally may follow, increasing regardless. The decker may pick up a tally in a low-security host that doesn’t hinder operations or trigger IC locally, but may send a higher-security host into alert when the decker jumps onto this new host. This can cause all manner of problems for the decker and team alike.

Some other things bear thinking about as well. For instance, how does the decker know where everything is? In order to be able to affect a slave function, the decker has to find it first. This requires the “Locate Slave” system operation to be performed. Locate Slave is an Interrogation Operation, so there’s no guarantee that the decker will find the appropriate slave function straight off. Once found, however, the decker will be able to return to that function without searching for it again. On a later run, however, this may not be the case, as system administrators may have swapped or changed memory and port addresses for functions and devices. This is especially likely if the system was hit recently.

The other option (and one that some GM’s may disallow) is to purchase a black market system map from some enterprising decker who has been on the appropriate host and created a list of the locations of interesting functions. These types of “maps” may be expensive (in the case of high-profile or high-security systems), or generally unavailable (in the case of small, obscure systems, or really high-security systems).

Also, many of the most critical host functions may have additional security, usually in the form of Scramble IC (yes, you can scramble a slave function) to keep the decker from being able to change or modify that particular function. Decrypting these additional measures will cost the decker extra time and effort, and may raise his or her Security Tally. Particularly nasty GM’s may wish to look into the section on Scramble Bombs, which blow up if they aren’t Defused before being crashed or Decrypted. Though I don’t think the rules explicitly state it, I treat exploded IC as crashed for purposes of adding to the decker’s Security Tally (hey, somebody’s going to notice that a bomb went off in the system!)

The final crucial difference between ordinary Matrix runs and Matrix Overwatch is the suite of programs used. Of paramount importance are Sleaze (when isn’t this important?), Analyze (for the Locate Slave operation), Spoof (for Control, Edit and Monitor Slave operations), Decept (for executing Command Sets), and Decrypt (for getting through Scramble IC on important host functions). Defuse is handy too, just in case that Scramble IC is of the bombing variety. Cybercombat should be avoided whenever possible (as it preoccupies the decker and keeps them from their primary mission of aiding the team). As such, most of the cybercombat-dedicated programs (Attack, Cloak, Shield, etc.) can be left out. Low bandwidth, high Detection Factor, and smarts can (hopefully) make up the difference.

The big thing to consider in Matrix Overwatch runs is timing. There will be certain time constraints put on the party by the decker and vice versa. If the decker can’t get to a crucial host function quickly enough, or can’t control or change it once he gets there, he may force the party to wait while he dorks around. That waiting may take place in a fire fight, where nobody likes to just hang around waiting for the decker.

Finally, matrix overwatch can be dangerous because carelessness or bad luck on the part of the decker can send up active alerts before the party ever gets on site. If the decker goes in too far in advance of the party, the chances of the new changes and Command Sets being detected increase drastically. If the decker doesn’t go in far enough in advance, he or she won’t be able to get to the critical hosts or functions in time. It’s a balance thing. Also keep in mind that the decker can be traced, giving his location away and forcing him to jack out and get away before the cops show up. Any number of circumstances can occur (cybercombat, tracing, tar babies) which will make a decker’s position untenable, and force him or her to jack out, thus depriving the party of an edge that they may have planned on.

It’s like anything else. A million things can go wrong, but if it works, it’s absolutely stylin’.

I hope this example helped. If you want further clarification on anything, or further examples, contact me via private e-mail (jormung@engin.umich.edu) and I’ll be happy to oblige.

Marc