I wanted to run through a potential flow of Hacking in 2e. I'm interested to know if people think I've interpreted the rules correctly, and if there are better options that I've overlooked.
First, the defense team:
Alice is an Infomorph sleeved in an Agent. The morph doesn't matter much, except that it provides her with 4 Insight pool points. She has Infosec 80 with a specialization in Security. She's hosted on her own Enhanced Server (p. 331).
Alice creates an Alpha fork. She's purchased a second copy of the Agent morph so that she can fork without resleeving. Her fork goes by Bob.
Alice has convinced the rest of her team to use her Enhanced server as the master for a PAN to better secure their systems. They're on a VPN as well, but since the server needs to talk to the outside world (it's forwarding everyone's traffic), it's still available from the mesh.
Alice spends 2 of her Insight pool to increase her COG linked skills by 10. Her effective skill for Infosec (Security) is now 100.
Bob spends 2 of his Insight pool to increase his COG linked skills by 10. His effective skill for Infosec (Security) is now 100.
Bob starts his work, which is essentially sitting on Active Defense. This will take his complex action every turn (which is why he's a fork, so Alice can still participate). This gives the defense a skill of 100 instead of 70 (from Firewall rating).
I think this is about as optimal as it can get for the defense team.
Now, the offense team:
Moriarty is a hacker with an Infosec skill of 80.
This is a little better than a typical NPC hacker. An optimized player would have their effective skill at 100 between specializations and COG linked Insight boosts.
Since Moriarty is attacking an Enhanced Server, his effective skill is 70.
It's not entirely clear how initiative is supposed to work with Subtle Intrusion, but I've assumed that Moriarty goes first, and then the others go. Bob has declared that he'll be engaging in active defense, so he won't get his first action.
Both Bob and Moriarty will use pools to flip dice when it's worthwhile.
Bob has a 1% chance to get a critical failure on his defense roll. If that happens, there's no alert, and we can just assume Moriarty manages to achieve his goals. Otherwise, Bob will succeed on his defense roll, but it may not be good enough to win.
Turn 1, Action 1
Moriarty is going to attempt a Subtle Intrusion (p. 258).
Bob is engaged in Active Defense (p. 259).
- 6.58% of the time, Moriarty succeeds with a critical success. In this case, he's able to log into the system with hidden status. The rules text is a bit unclear here, but I'm going to give Bob the benefit of the doubt and say that since the defense roll was successful (but lost), the system still goes on passive alert.
- 13.24% of the time, Moriarty succeeds, but does not get a critical success. In this case, since Bob was successful on the defense roll, he will get a Passive alert. Moriarty will have covert status. It's possible that he has admin privilege, but unlikely.
- 80.18% of the time, Bob is able to prevent Moriarty's attack. Bob will get a passive alert. We'll still need to try to find the intruder, because we don't know.
Our passive alert has automatically triggered a re-authentication, but that's not going to trigger for 1d6 action turns, which is forever when there's an intruder. It will also reduce privileges, but Moriarty was going to hack anyhow, so he really doesn't care about his permissions.
Bob's muse sees the passive alert. It uses the Trigger Alert (p. 249) option to put the system on Active Alert. In all likelihood, there's no intruder, but it would rather be safe than sorry. This will automatically terminate all connections at the end of the turn. If Moriarty is in, he'll be able to spend Insight pool to get 2 more actions before that happens.
Alice sees the passive alert. She could look through the user lists to try to identify the intruder, but the intruder may be hidden. Instead, she'll use Zeroing In (p. 259). This will be an opposed test vs. Moriarty.
Alice has a skill of 80 and I'll assume her Security specialization still applies. She's also got the +10 for COG linked skills. If Moriarty is hidden, she has a -30 penalty to find him. This leaves her with an effective skill of 70.
Moriarty has a skill of 80. I think that he's not making a test to hack the Enhanced Server, so that -10 doesn't apply (he's defending, which isn't a Hacking Test). At the same time, I'm not counting his attempt to stay hidden as an effort to subvert the system, so he doesn't get that +10 (the -30 modifier to Alice seems to cover this). His effective skill is 80.
- 35.03% of the time, Alice will locate Moriarty.
- 64.97% of the time, Alice doesn't find anyone.
If Moriarty wasn't hidden, Alice would have better odds:
- 70.68% of the time, Alice will locate Moriarty.
- 29.32% of the time, Alice doesn't find anyone.
At this point, Bob and Alice have to make a difficult choice. Do they burn Insight pool for extra actions to try to find someone who may or may not be there?
Turn 1, Action 2
Moriarty installs a backdoor. He suspects he's triggered an alert, and the system will be kicking him off shortly (either because he's found, or because of the terminate connections). Before that happens, he wants an easy way to get back in later. With his skill of 80, a +10 for being hidden, a -10 for hacking an Enhanced Server, and a -10 for the active alert, his effective skill is 70.
Bob's active defense continues to apply with an effective skill of 100.
As with the initial hacking attempt, Moriarty has about a 20% chance of success.
If Alice successfully noticed Moriarty, she'll attempt to crash his shell. She doesn't really have enough time to do this, but she can cause him some wounds, which will make it less likely his attempt to install a backdoor will succeed.
Otherwise, Alice won't burn a pool point to go here, since it's much more likely that there's not an intruder (80% of the time, we got the passive alert, but no intrusion).
Turn 1, Action 3
Between this and action 3, Moriarty has a total chance of about 36% to get a good backdoor. Even if he fails, he'll still have a +30 on his next attempt, giving him about even odds to get back in.
Turn 2, Action 1
Now that the server is disconnected, Alice and Bob can View Logs (p. 249). If Moriarty wasn't hidden (or Alice found him), they'll now have his mesh ID, and can Lockout (p. 248) to prevent him from accessing the system. He'll probably use a burner mesh ID or an Ecto to get around this, though.
Alice will probably bring the server back online. Checking for a backdoor with a Security Audit (p. 261) will take 24 hours (a little less with superior successes and Digital Speed), and we can't wait that long. Our team lost us as security, and are all somewhat vulnerable right now. If they needed access to the mesh, they'll probably have reset their PANs to be local for now. If they can wait a turn (probably the case), they'll reconnect when we come back online.
A lot of this changes if Alice knows Moriarty's rolls. While the player probably knows (since these things are usually rolled where they're visible), I don't think the character is supposed to.
I'm interested in anything the defense team can do to make their outcome better. Overall, after a 1 hour probe, they have about a 6% chance to be compromised. There's no decent way to prevent the attacker from repeating this over 24 hours, meaning given a day, a good hacker can probably get into any system.
Edit: I realized I'm giving Moriarty too many pool points. While he can get back in later, and I still think this is problematic, he won't be able to keep buying actions to install backdoors.
Edit 2: Alice's Locate Intruder step can be automatically triggered by a script, based on the passive alert. I'm not certain if Moriarty can take advantage of this. If he needs a Hacking test to load the script, he may as well directly pursue the backdoor. If his existing permissions allow him to load the script (which Alice may be able to limit to admin accounts), he can avoid spending pool points.
Edit 3: It's entirely possible that Moriarty is unable to locate Alice/Bob's server. The team's devices send all their mesh communications to this anonymous cloud. Since Moriarty has no way of tracking the exit point of that cloud to the Alice/Bob server, he has no reason to attack that server.