Netrunning

Basics

A system contains data, programs, and devices (anything from cameras and locks to industrial machinery). A datafortress is a system or part of a system that protects restricted data, programs, or hardware: a firewall blocks access to its contents, and authorization checks if a user has permission to access it. A netrunner is anyone actively accessing these systems using a cyberlink; an intruder seeks unauthorized access to systems, while a sysop defends the system.

Systems also have terminals: computers in the same physical or virtual network. They are generally not considered systems, but it is possible to network systems together. A system could even only be accessible from another system; "air-gapped" or offline systems are only accessible from terminals.

Using these rules requires using a system through a cyberlink. Non-cyberlinked users can give directions to a system, but any actions taken as a result as considered to be taken by the system; the lack of neural interface makes the user's own skills largely irrelevant. In addition, most systems have enough automation to not need such instructions.

l33t Skillz

The following skills are important to netrunning:

Cyberlink Op: The big one. Used for most netrunning actions: intrusion, attacks, scans, and backdooring.
Computers: Used for indexing a system to find what you want.
System Knowledge: Complementary to everything you do on a system.
Programming: Used to write and maintain the programs you need.
Cryptography: Used to decrypt files and write Decryption programs.
Electronics/Digital: Used to build the hardware to run your programs.
Computer Engineering: Complementary to writing programs and building hardware.
Electronic Warfare: Used to bring your cyberwarfare into meatspace—jamming and its countermeasures, traffic analysis, signals intelligence, etc.
Vehicle Skills/Remote Op: Used to pilot drones by cyberlink.

Systems

Systems include servers housing datafortresses, as well as computers (often portable, sturdy cyberdecks) used to infiltrate them. For the purposes of these rules, systems have the following attributes:

Firewall: Measures a system's resistance to attacks, including intrusion (for datafortresses) or crashing. Level 1–10 (0 indicates no Firewalls; all actions opposed by Firewall succeed automatically).
Speed: Measures a system's speed when executing actions and programs, granting an advantage in initiative. Ranges from negative to positive.
Power: A rough measure of the sum of a system's processing power and the sophistication of its automation (AI or otherwise). It is used in place of INT + Skill for tests involving the system. Level 1+.
Memory: Only a certain number of programs may be loaded into a system's memory, available for use. A program takes up memory equal to its level. (Un-Loading and Loading programs requires an action.) Rated 1+.

A netrunner is always using a system: usually, an intruder is using a relatively weak system (a personal computer or cyberdeck), and a sysop is using a powerful server.

Multiple Users

A system can have multiple concurrent netrunners using it: this is typical of important corporate and governmental systems with multiple sysops. Each user can take their own actions, but will generally need their own copies of any programs loaded into Memory.

Each extra netrunner using a system imposes a -2 penalty to the system's Speed.

System Knowledge

An INT/System Knowledge test can be used as a complementary test for all netrunning against a specific system: if successful, the complementary bonus applies to all actions against the system, from attacks to indexing (but not sysops using the system).

Programs

Programs come in various types, and are measured in Level (generally 1–10). Without the appropriate program, a netrunner cannot attempt actions requiring it (but for actions where the program level would be added to the "defensive" test, it counts as 0).

Decryption is for bypassing Authorization (on a datafortress) or Encryption (on a file)
Intrusion is for bypassing a Firewall
Stealth is to thwart Detection
Protection defends against Anti-Personnel
Trace to follow a Route to reveal a netrunner's location
Anti-Personnel is for attacking netrunners
Anti-Software is for attacking and de-rezzing software
Anti-System is for attacking and crashing systems

De-Rez: To de-rez a program means to forcibly remove it from active Memory; it will remain in storage, and can be loaded back up.

(double memory use for anti-personnel software?)

Daemons

...

Connecting

To do anything useful, you must connect to a system. For most systems, you can do this online; some are public and easy to find, while others can only be connected to if you know where to go.

Routing

A netrunner will usually route or "bounce" their signal through servers, often compromised ones, to defeat traces.

Before connecting to a target system, a netrunner can place Steps between themselves and the system. Each Step reduces their Speed by 1. Generally, the netrunner can choose the security of the system they want to use as a Step: that is, they get to pick the DN that they and any trace have to defeat. To add a Step, the netrunner must succeed at a test of INT/Cyberlink Op vs. the chosen DN.

An established series of Steps is a Route, and a netrunner can keep and re-use a Route until it gets compromised (generally because law enforcement informs the system that it has been used for intrusion). A Route may be partially compromised (starting from the Step where logs were deleted).

A Trace will almost always eventually (usually within minutes, at most) complete, unless the netrunner is able to access a system used as a Step to delete or modify the logs.

Backdoored Steps

If a netrunner has backdoored a system on their route, they can quickly access it to delete logs and stop a trace cold.

In some cases, a netrunner may want to actively cut off a trace at a Step the trace hasn't reached and the netrunner hasn't backdoored; in that case, they must penetrate the datafortress to modify or delete the logs—an entire second intrusion attempt. Thus, a long Route starting with an easily-penetrated system may be a good idea.

Note that your effective Route to a system that is part of your full Route is shorter. Thus, any new Trace launched from that system is going to reach you faster.

Jacking In

A netrunner who has physical access to a terminal on a system can use that to get into the system. For "air-gapped" or offline systems, this is the only way to get access. Regardless, the netrunner gets +2 to Speed and +2 to Spoof Authorization, Bypass Firewall, and Avoid Detection. However, there is no way to bounce your connection: a single Trace will locate the terminal they are on, but the netrunner gets one chance to mislead the trace with an INT + Cyberlink Op + Stealth test. If successful, the Trace turns up some other terminal on the system (but obviously, they still know the intrusion is from inside the system).

Actions

Just as in meatspace, netrunners take one or more actions per phase. A netrunner can simultaneously take meatspace actions and cyberspace actions. As usual, each action beyond the first in a phase imposes a -3 penalty on other actions.

Systems only take one action per phase, unless they are multi-core systems (in which case each core takes their own action).

Standard protocol for systems and sysops is to try to crash the intruder (Attack System) and start a Trace; if a sysop is present, they will do each on the first phase. Black systems will try Attack Netrunner instead of trying to crash them. After the Trace is going, the next priority is to Cycle Firewall.

Note: Each instance of a program may only be used once per phase. In order to use e.g. Attack Software twice in a phase, a netrunner must have it loaded into their system's Memory twice.

Intrusion Actions

Bounce Step: If a netrunner is racing against time, they must use actions to add Steps to their Route.
3d6 + INT + Cyberlink Op vs. chosen DN
Connect to a System: The netrunner connects to a system, either directly or using their current Route. This creates a session, and allows actions to be performed in the system. Cannot be combined with other netrunning actions.
Spoof Authorization: A netrunner tries to crack, spoof, or otherwise falsify credentials to access a datafortress. Spoofed authorization can be re-used on later sessions, but if the intrusion is ever detected, the spoofed authorization is lost. On a Failure, they must try to Avoid Detection (with a cumulative -1 penalty per failed attempt); on a Fumble, they are detected.
3d6 + INT + Cyberlink Op + Decryption vs. 10 + Power + Authorization
Bypass Firewall: A netrunner tries to penetrate the firewalls protecting a datafortress to access it. Bypassing a firewall allows access only for one session. Regardless of Success or Failure, they must try to Avoid Detection; on a Fumble, they are detected.
3d6 + INT + Cyberlink Op + Intrusion vs. 10 + Power + Firewall
Avoid Detection (no action): Certain actions may draw the attention of a system's anti-intrusion software. If you took multiple actions this phase, the multiple action penalty applies, but Avoid Detection does not count as an action.
3d6 + INT + Cyberlink Op + Stealth vs. 10 + Power + Detection
Cycle Firewall: A system or its user can try to cycle the Firewall in order to remove access to a compromised datafortress.
(10 + Power + Firewall) or (3d6 + INT + Cyberlink Op + Firewall) vs. 3d6 + INT + Cyberlink Op + Intrusion
Trace: Each successful action eliminates 1 Step from the target netrunner's Route. If the target is reduced to 0 Steps (or less), the trace completes, revealing their location. A Trace does not require the intruder to be present in the system. A Trace is defeated if the logs at one of the Steps have been deleted or modified.
(3d6 + INT + Cyberlink Op + Trace) or (10 + Power + Trace) vs. Step DN

Attacks (attacker is automatically detected by the system and all users)

Attack Netrunner: A successful attack deals 1d6 + (degree of success) damage to the netrunner's Head. (Note: penalties for Head Wounds affect all netrunning tests.)
3d6 + INT + Cyberlink Op + Anti-Personnel vs. 3d6 + INT + Cyberlink Op + Protection
Attack Software: A successful attack reduces the target program's Level by the degree of success. A program reduced to Level 0 or below is de-rezzed (but may be restored with a Load Program action). If the datafortress has been compromised, you can attack a program in storage instead of memory, reducing its level and completely deleting it (it cannot be re-loaded until re-installed) at Level 0 or below.
3d6 + INT + Cyberlink Op + Anti-Software vs. (10 + Power + Software Level) or (3d6 + INT + Cyberlink Op + Software Level)
Attack System: A successful attack crashes the system, requiring 1D6 phases to boot up again.
3d6 + INT + Cyberlink Op + Anti-System vs. (10 + Power + Firewall) or (3d6 + INT + Cyberlink Op + Firewall)

Utility Actions

Load Program: The netrunner loads a program into their own system's Memory. There must be enough free Memory for the program. This action cannot be taken in the same phase as Unload Program.
Unload Program: The netrunner unloads a program from their own system, freeing up the Memory it was using. This action cannot be taken in the same phase as Load Program.
Install Program: Installing a program takes 1D6 phases per Level of the program, and counts as an action for the system in each phase; a system can still act, but will suffer a -3 multiple action penalty. Once a program is installed, it can be loaded into memory.
Scan: A netrunner scans a system to determine what programs (and at what Level) are running in its Memory. They must try to Avoid Detection.
3d6 + INT + Cyberlink Op + Scan vs. (10 + Power + Firewall) or (3d6 + INT + Cyberlink Op + Firewall)
Index: A netrunner searches a system for specific data, devices, or terminals. On a Success, they find what they want or confirm it does not exist. On a Fumble, they mistakenly think it does not exist.
3d6 + INT + Computers + Index vs. 10 + Power + Firewall
Backdoor: A netrunner can try to backdoor (or pwn) a system if they have penetrated the datafortress. A backdoor will allow them access later even if their spoofed authorization is removed. On a Success, a backdoor is created (record the test total as its DN). On a Failure, they must try to Avoid Detection. On a Fumble, they are detected.
3d6 + INT + Cyberlink Op + Intrusion vs. 10 + Power + Detection
Download/Upload Data: A netrunner must use an action to copy a piece of data in either direction. This action may be used to copy a system's programs if the datafortress is compromised. Only one piece per phase may be copied.
Modify Data: A netrunner must use an action to alter a piece of data on a system. Only one piece per phase may be altered, and at the Ref's option, complex alterations may take multiple phases. (Very complex alterations, like editing an audio/video file, might take minutes or hours, even with AI/expert program assistance.) Modifying logs requires you to Avoid Detection.
Delete Data: A netrunner must use an action to delete a piece of data (including any local backups) from a system. Only one piece per phase may be deleted. Deleting logs requires you to Avoid Detection.
Access Device: A netrunner must use an action to access a device. Multiple devices may be accessed in one phase, but any relevant rolls suffer a multiple action penalty.
Disconnect: A netrunner must use an action to disconnect a session. They end their session, leaving the system and any other netrunners in it unable to attack them. Any Trace will continue, however. This can be combined with other actions (for the usual multiple action penalty), except for Connect to a System.
Jack Out: Pull the plug. This ends the session and disconnects the netrunner from their system and route. Any Trace will continue to progress. Note that netrunners who are incapacitated by Anti-Personnel programs are unable to jack out on their own, and are easy prey to trace or kill, unless they have a dead man's switch.

Cyberspace Initiative

Netrunner: 3d6 + INT + Cyberlink Op + Speed
System: 3d6 + Power + Speed

Initiative is required only when a system or sysop is aware of an intruder, or when netrunners are taking conflicting actions (e.g. one is trying to access a file to copy it while another is trying to access it to delete it).

Attacking Software

A clever netrunner might want to use Attack Software on the Authorization, Detection, or Trace software on a system. This is an option, but any attack on a system causes detection. Generally, a system or sysop will deal with an intruder before re-loading Authorization or Detection, but if Trace is de-rezzed, they will Load it back and run it immediately. (If Trace is de-rezzed and loaded back up, it will resume from the last Step it had reached.)

Note that a damaged program may be Unloaded and Loaded again to restore its full Level.

Cleaning Up

Intrusion on a system leaves tracks. Removing your tracks from a system requires penetrating the datafortress and Modifying or Deleting the logs. Deleting the logs is going to make the intrusion obvious, but there will be no way to figure out who did it. Generally, an intrusion will happen too quickly for any backups of the logs to exist, but if the intrusion happened days ago, a very secure system may have backed up the logs to a secondary (or even offline) system.

Defeating a Trace

Defeating an ongoing trace requires, at a minimum, three actions: Disconnect from the current system, Connect to a System and Modify Data. The second cannot be combined with other netrunning actions, so this requires 3 phases. This assumes that the netrunner has spoofed authorization or backdoored the system used as a Step—if not, they must either Spoof Authorization or Bypass Firewall to access the logs.

Crashing whoever is tracing you will buy you more time, but they can pick the trace back up from the last Step they were at once they reboot.

Finding Backdoors

If a system detects intrusion, it will instantly try to detect and close backdoors (3d6 + Power + Detection, or 3d6 + INT + Cyberlink Op + Detection, vs. backdoor DN). Regardless, backdoors have a chance of being detected monthly on low-security systems, or weekly on high-security systems. Every time a backdoor is used, there is another chance it is detected.

Programming

typical system trace DNs...

Example Systems
System	Firewall	Speed	Power	Memory	Trace DN	Programs
Public server	+2	+0	+4	10	16	Authorization +2, Detection +2
Minor business	+4	+2	+8	20	18	Authorization +4, Detection +4, Trace +4, Anti-Software +3
Major business	+4	+4	+10	40	20	Authorization +6, Detection +5, Trace +5, Anti-Software +4, Anti-System +4
Government/Megacorp (grey)	+6	+6	+14	60	24	Authorization +8, Detection +7, Trace +7, Anti-Software +6, Anti-System +6
Government/Megacorp (black)	+8	+8	+18	80	28	Authorization +9, Detection +8, Trace +8, Anti-Software +8, Anti-System +8, Anti-Personnel +6

Standard Cyberdecks
Deck	Firewall	Speed	Power	Memory	Cost
Basic Cyberdeck	+2	+2	+2	20	$10,000
High-Quality Cyberdeck	+4	+4	+4	30	$20,000
Top-of-the-Line Cyberdeck	+5	+6	+6	40	$50,000
State-of-the-Art Cyberdeck	+6	+8	+8	50	$100,000

decrypting files...

meatspace netrunner stuff...

... multiple actions at cumulative -3 (hack something, do ECM/ECCM, and pilot 1 or more drones)...

Netrunner with cyberlink and some "extra actions" coprocessor running 2+ bodies at the same time ... Of course even without that you could have a daemon written for the job run someone's body to do something relatively simple