err, where exactly did the comcode come in? im tempted to say you give it to much value by comparing it to a ip address...

i may not have catched this before, and so im sorry, but as i think about it more, i would say the comcode is more like a email address then a ip address...

that is, it has no real effect on the day to day running of the matrix. its just there as a convenient shorthand for getting hold of person x when needed.

So, no spoofing commlinks to transfer you the Personal Data file. Good to know.

But you can hack it and grab the file. Once you decrypt it you have access to his cred accounts which is useless without his authentication (password, whatever). So where to next? Say I really want to drain this guys account, what do I need to do next? Hack the bank?

I don't think I agree with the idea of being able to transfer nuyen to commlinks; basically taking a digital certified nuyen from the bank and moving it to your credstick. If you could do this, then why not to a toaster or anything else that can hold data? Also, I don't believe that it says that commlinks necessarily replace a registered credstick, it says that commlinks now store your SIN and other forms of ID that the credstick use to carry. It even says that certified credsticks are still around as "certified but relatively anonymous means of payment". If the commlink could store nuyen, then why use credsticks? Why not just beam the creds directly from your commlink to theirs and be done with it?

And another question. If I need to log into someones password protected account, be it a cred account, user account, whatever, can I do it without knowing their password? Exploit doesn't look like it can be used to brute force passwords... or is that one of its features?

Exploit is not about passwords, its about finding a way around the password dialog entirely.

Say rather then picking the doors lock, you walk around to find a unhooked window or some other weakness (a classical office trick is the false ceiling).

Right, that's what I thought. So brute-forcing passwords doesn't work anymore? Is there a way to crack an account?

get security or admin, and override access rights on the accounts files?

its not without reason that a admin level account can be said to be god of the machine

Technically? Nothing. Except remember that there is a hardware encryption protocol to keep the money from wandering or being altered that is unique to devices designed to handle "cash".


You said it yourself: it assumed the functions of the credstick. My BlackBerry^TM can do most of the functions of my old PDA, but I still use both. Why? Because it suits me. Would most people waste time carrying two devices when one is essentially redundant? Nope.
Certified credsticks are still around, and remember the old 'sticks had security levels commensurate with their maximum storage value. (Some literature also seems to indicate they could use spare - unencrypted - space like a modern USB thumb drive) The comlink's onboard "credstick" is probably not better than the old "silver" level since it expressley states in the BBB description that it includes a fingerprint scanner, and that was necessary to access a Silver credstick (the base model needed only a fingerprint). For larger transactions (Especially the Platinum and Ebony levels) the comlink fails to have the necessary built-in measures for authentication. Remember, I DID stipulate SMALL amounts of cash. And your description of 'link-tp-'link beaming DOES happen for small amounts of cash, but for larger amounts you would be tapping your "online" bank account, and the 'link would transparently establish a three-way bridge with your device, the receiving device and a third party broker to ensure the funds moved apropriately (and that assumes you didn't have both banks directly involved as well, but I'm keeping it simple). From a game mechanics perspective, it's a moot point, since hacking the OS into granting access to transfer the funds is probably easier than cracking the embedded forgery-protection of the built-in credstick.
I never suggested (or meant to imply) that credsticks had been phased out. They are just fairly uncommon. That COULD be said of cash these days, too: look at the (ever rising) proportion of FAST FOOD meals that are paid for electronically these days? Businesses like it because it's fast, efficient, keeps great records, it's impossible to give incorrect change, and there's nothing for the minimum wage addolescent to steal from the drawer.


Somebody else addressed this very well already. But consider what I mentioned in a previous post: lazy users will often either have a single password - easy for them to remember - for everything, or they will have some kind of "password vault" on the device to keep them all in one place. Most higher end CELL PHONES now have such a "vault" on them, and if you could Exploit that one file... well, their world is your oyster.

There are two ways to completely clean out someone's account. Both require you to get his account number / what bank his account is with, which is where hacking a comm comes in handy. no you don't get automatic access from hacking someone's link, but you get the information needed to go to the next step.

The easy way is to spoof his id / account info and just spend all of his available nuyen. Pretty quick and dirty, causes him no end of trouble for between a day and a week as the system figures out his identity was stolen. Good for the short term annoyance factor, but in the long run not real damaging. this can also be done by just stealing his commlink. Kinda like stealing someone's credit card and trying to empty out their account before they figure out it was stolen / call in to have everything changed. It has some serious drawbacks (you have to watch out for tripping any sort of spending limits, unusual activity, whatever else they've invented between now and 2070 to monitor those things) but if you just want to mess with some wageslave's head to get him distracted enough not to notice the 9 ft tall troll sneaking through the office, it might work. It's also fun to spend every available cent he has ordering illegal / illicit goods which will cause him even more trouble when they start getting delivered. I wonder if Troll Doms with a specialty in rape fantasies accept credit cards?

The harder way, but a more long term solution, is to gain access to his account through the banks database. At this point you can transfer the funds out and delete the account itself, making sure to erase all logs of any activity involved with the now nonexistant account, as well as any trace you were there. This is HARD, as most banks are run by megacorps, and they do not skimp on security. If you want to be more subtle, you can put in a hidden subroutine that routes any funds destined for this account to another account of your choosing. So he doesn't lose any money, but he never gains any more.

Actually, I just thought of a third way to get all of this done. Have him declared dead. You don't get his funds, but it pretty much screws up ALL of his accounts as well as everything else he does. It's even better if you could somehow change the data entered for his biometrics, so that when he tries to prove he is ho he says he is by dna / fingerprint / retina, it comes back as someone else's. Maybe a wanted criminal, even a shadowrunner...

Now there's a retirement scenario for your highly skilled hacker. Just trade places with some rich fragger who cut you off in traffic the other day. He spends the rest of his life in lockup as you, you get to tour the world without worrying about anyone coming after you, because you've already been caught...

heh, hired troll dom. now i feel like watching hackers again for the scene where they inserted the name of the fbi agent into the adult classifieds