Alert Threshold
Systems are designed to defend themselves and some systems are attacked on a regular basis because of hotshots trying to prove something, hackers testing their setup on known mega systems, and bored security agents. Each system has a threshold that alerts of a serious threat. Some set it high not to be bothered, some set it low cause they want to bring to bear their defenses to shut down any real attacks quickly. Most set the alert to move to Yellow after 1/3 of teir or more successful passes at the firewall.
INTRUDER ALERT
If a node is aware that it has been hacked, it will immediately go on alert and initiate various countermeasures. These include launching IC, terminating connections, and—as an extreme measure—initiating a shutdown and rebooting.
For gamemasters who want to randomly determine what a system’s alert response is, consult the following table.
| Random Alert | Response |
|---|
| 1 |
Launch non-combative IC |
| 2 |
Launch Killer IC |
| 3 |
Launch Black IC |
| 4 |
Scramble Security Decker |
| 5 |
Terminate Connection |
| 6 |
System Reset/ Stundown |
This check is your Computer Use(data) Rank + Firewall + Cloak program and it rolls 1d20 + 2.5 x its tier.
Active Alert
A node on alert status has verified an intrusion or other unauthorized activity. Most nodes are programmed to automatically alert security personnel or the owner/user of the device when an alert is triggered. If the node contains security deckers (or if there are any on call), they will be alerted and will come looking for the interloper.
A node on alert receives a Firewall bonus of +4 against the intruder that triggered the alert. This applies to all tests made by or against the node’s Firewall.
Launch IC Program
Once an alert is triggered, the node will typically launch IC programs to attack or interfere with the intruder. The gamemaster determines which programs the node has on hand, and in what order it uses them. Secure corporate systems will have an entire library of IC to throw at deckers, whereas some goon’s cyberarm is only likely to have a single defensive program (if any). If the intruder has been traced, the node may even send IC to launch its own hacking attempts on the intruder’s system.
Terminate Connection
Once an intruder is identified, a node may attempt to sever the decker’s connection by shutting down the port through which he is accessing. On some isolated high-security nodes or hand-held devices that do not often rely on remote access, all outside connections may be severed.
In order to sever a connection, the node immediately rolls 1d20 + Firewall + System opposed by the intruder's Computer Use Rank + Exploit program check. If the decker used a passcode and legitimate account to log on, rather than hacking his way in with an exploit program, then the Exploit program does not apply to the test. If the node is successful, it disconnects the decker. The decker can attempt to log back on, but the node will be on alert (and may have closed down all outside connections).
System Reset
As a last resort, many nodes will simply reset themselves or shut down in order to purge an intruder before he wreaks too much havoc. This is a Reboot action. Anyone accessing the node when it shuts down is logged off; all active programs are saved and shut down.
