Is my DM stacking the odds against us?

So, I’ll set the stage. We’re a party of 4, level 8 at the moment, with an allied NPC. In our most recent encounter we went up against:

  • ~20 “minions”, (<35 HP, +4 to hit)
  • 1 Winter wolf (75 HP, +5 to hit)
  • 3 dire wolves (37 HP, +6 to hit)
  • 1 modified Huskarl (<105 HP, +7 to hit)
  • 1 Druid (~40 HP)

All of these enemies, Druid exempt, got at least 2 attacks. About half the minions had a harpoon attack that Grappled upon hit, so that kept us pinned pretty good.

Keep in mind, this was designed narratively to be a “challenging” encounter; it was set up as a raiding camp that we were vastly outnumbered for. But every encounter is set up narratively to be challenging in this way. So when the norm is something we’re not supposed to beat, that feels a little off base. If the smart answer is just to walk away from the story, that strikes me as setting us up to fail.

Am I overreacting, or was this fight a little harsh? We won this one, but I also lost track of the amounts of times that the DM crit-failed attacks, and he almost always rolled min damage. I only really have experience with this DM and it’s sort of always been this way. I just wanna know if this sort of setup (roughly 820 HP to slap grind through, 26 mooks w/ 35 HP, etc) is a good way to set up an encounter or if it’s just intentionally difficult for difficulty’s sake.

Does the Heavy Armor Master feat reduce damage twice against a mixed damage attack?

Displacer Beasts have a Tentacle attack that does 7 (1d6 + 4) bludgeoning damage plus 3 (1d6) piercing damage. Does the bludgeoning and piercing damage reduction granted by Heavy Armor Master reduce that total damage by 6 or 3? If only 3, what determines which of the two damage types is reduced?

How does failing a Sense Motive check against a Bluff affect your character’s perception of the world?

There doesn’t seem to be a concrete explanation for what happens to your character if you fail a sense motive check against a bluff. I want to know the limits of failing a sense motive check, as well as the effect it has on your character and their mindset.

The wording of ‘Sense Motive’ is pretty straightforward:

A successful check lets you avoid being bluffed (see the Bluff skill). You can also use this skill to determine when “something is up” (that is, something odd is going on) or to assess someone’s trustworthiness. (Core Rules, p. 104)

The issue I’m having is that failing a sense motive check isn’t outlined in the skill itself. The closest I can find is in the ‘Bluff’ check description:

Bluff is an opposed skill check against your opponent’s Sense Motive skill. If you use Bluff to fool someone, with a successful check you convince your opponent that what you are saying is true. (Core Rules, p. 90)

Due to the way the game I’m in is structured, most of the people that we meet are either hostile to us, or at the very least don’t want us to succeed. Furthermore, most of the people we interact with have absurdly high bluff checks, to the point that I can’t recall any of us successfully detecting a lie with ‘sense motive’ (despite us being lied to nearly constantly).

For instance, we recently had an encounter with a devil who we were sure knew the whereabouts of a MacGuffin. We also knew that this devil had a history of tricking adventurers by giving them bad directions that sent them into ambushes. So, we talked to this devil, and sure enough he gave us directions to the MacGuffin. The interaction then went like this:

Devil – “Oh yes, I know where that is. You just need to take the Winding Road, and make a left at the big gnarled tree. No one uses that path, it’ll get you there safe and sound”

Fighter – “I don’t really believe this guy one bit. I’m rolling sense motive to see if he’s lying to us. I rolled a 29”

GM – “(rolls) You think he’s telling the truth”

Naturally, he wasn’t telling the truth, and we ended up getting ambushed.

The problem is that by deciding to roll a sense motive check, we basically forced ourselves to accept the results of the check instead of our own intuition. Since we know we have a good chance of failing the checks no matter how well we roll, it seems advantageous to us to make as few sense motive checks as possible. That way, at least we can have some chance of recognizing when we’re being lied to. In the example above, if we simply didn’t try to roll a sense motive, all of us would have been almost 100% sure the devil was sending us into an ambush, and we would have planned to go another way. However, since we tried to determine if it was a lie, we ended up failing the check and then believing that it was the truth, which put us in a much worse position than if we just hadn’t attempted to determine if it was a lie in the first place.

The Hunch option of Sense Motive seems like it tries to address situations similar to this:

This use of the skill involves making a gut assessment of the social situation. You can get the feeling from another’s behavior that something is wrong, such as when you’re talking to an impostor. Alternatively, you can get the feeling that someone is trustworthy. (Core Rules, p. 104)

Unfortunately in our game, I know that everyone we meet is not ‘trustworthy’, and that ‘something is up’ at all times. Knowing the devil isn’t trustworthy doesn’t give me anything useful; I know he’s untrustworthy, he’s a devil. However, sometimes you need to work with untrustworthy people, and in those times it’s important to be able to try to suss out what they’re being truthful about, and what they’re lying about. With Sense Motive the way it’s written, it seems like it’s better to not roll unless you’re almost 100% sure you’ll succeed, or else you’re going to be convinced that the lie is actually the truth, instead of just not being sure if you’re being lied to or not.

Is there anything official that deals with the limits of believing a lie? In my example, does failing a sense motive check mean you truly believe the devil is being honest, without a doubt? Does the failed check assuage any feelings of uncertainty you had about the situation? What should characters do when they’re pretty sure they’re being lied to, and they’re also pretty sure they’ll never be able to pass their sense motive checks?

What kinds of steganography still work against a skilled adversary? [on hold]

At this point in surveillance capabilities, any adversary should know all the most common steganographic techniques. What kinds of steganography will work when sending a payload over a digital mean such as email?
The payload is pure text and I can only use steganography that uses text-based concealment (e.g. VoIP steganography won’t do).

Does the bulk value of items in my backpack count against my limit?

My Pathfinder 2e character has a bulk limit of 7. I’ve purchased an adventurer’s pack, which costs 2 bulk but includes a backpack, which can carry up to 4 bulk.

The description of the backpack (Core Rulebook, pg.287) says:

A backpack holds up to 4 Bulk of items. If you’re carrying or stowing the pack rather than wearing it on your balk, its bulk is light instead of negligible.

I’m not sure how this interacts with my bulk. I can foresee two options:

  1. I can still only carry up to 7 bulk. My backpack can hold 4 bulk byitself, but when I carry or wear the backpack I have to hold its 4 bulk too. It seems like in this case there is no real benefit to a backpack, unless you have to justify how you are carrying things.
  2. While wearing the backpack, I can carry up to 11 bulk (7 from my limit, 4 from the backpack). This makes the backpack useful, but I don’t see this interpretation supported in the rules.

So how does the backpack work? Does the bulk value of the items in my backpack count against my bulk limit?

Booming Blade or Green Flame Blade: Utility against creatures with immunity to non-magical damage?

Both Booming Blade and Green Flame Blade have the following text:

You make a single melee weapon attack against a creature you can see within the spell’s range. If the attack hits…

Reading this question makes me believe that a weapon which has been magically enchanted or enhanced, even temporarily, would overcome this immunity, and that both base weapon damage and cantrip damage would apply on a hit (and double on a critical hit).

Question: What damage, if any, would be generated by attacking a creature (with immunity to damage from non-magical weapons) with a non-magical weapon as part of a Booming Blade or Green Flame Blade attack?

Are there balance issues when allowing attack of opportunity against any creature?

As shown in this question and answer, I am confused by the terms hostile and enemy. So I was wondering if in my own game I could simply remove the requirement hostile from the attack of opportunity, because I think there it is particularly useless. PHB p195:

You can make an opportunity attack when a hostile creature that you can see moves out of your range.

I’m thinking attacks are allowed against allies, why shouldn’t attacks of opportunity be.

Are there any balance issues if I homerule that particular text like this? Any spells, effects or others that now unexpected work differently?

You can make an opportunity attack when a creature that you can see moves out of your range.

Does TLS protect against a man-in-the-middle masquerading as the client?

A message authorization code is used in TLS to prevent man-in-the-middle-attacks that involve tampering with the contents of the packet in-flight. However, there is one specific attack which I don’t see covered.

At one stage of the TLS handshake, the client sends the server a private randomly generated proposed symmetric key which has been encrypted with the server’s public key. A man the middle cannot decrypt that value and learn the value of the symmetric key because it does not possess the private key. However, it can swap the contents of the message with its own private symmetric key, and send that message to the server instead.

The message authorization code (MAC) can supposedly prevent this from happening:

If we agree on a key and hashing cipher, you can verify that my message comes from me, and I can verify that your message comes from you.


An attacker can modify the message but does not know the key. He cannot compute the correct MAC, and you will know the message is not authentic.

What if an attacker generates their own symmetric key, encrypting that value with the public key, setting that value as the data payload, setting the MAC to the corresponding value for the new proposed symmetric key, and sends that to the server?

If my understanding is correct, the server will decrypt the message payload using its private key, verify message integrity using the MAC, set that to be the shared secret symmetric key value, and respond to the “client” (really, the attacker) with the data payload “Finished” encrypted with that key. In essence, the server now has a shared secret with the attacker, who it thinks is the client.

Not knowing the original secret symmetric key, the man in the middle cannot actually forward the server response to the client. Nevertheless, at this point the man in the middle can make requests to the server, whilst masquerading as the client.

Does TLS actually protect against this somehow?

What is the following regex trying to protect against?

I am looking at a Java web application that compares all incoming request params and cookies against the following regex. If it matches, it is considered “an attack” and refuses the request. I’m guessing it’s trying to prevent SQL injection / class loading or something, but I’m not sure. Can anyone help?