Applications of Will in Condensed vs. in Core

Some months ago, I noticed a difference between the Core and Condensed editions in the way the Will skill is described. I would like to know whether this is an intentional change between editions (or ‘editions’ – whatever you call the subtle variations in the crunch between the books), or whether all the functions attributed to Will in Core are to still be attributed to it in Condensed; and, if it’s the former, which Skill(s) should take over those functions.

To be more specific, Core’s description of Will includes the following:

You can use Will to pit yourself against obstacles that require mental effort. Puzzles and riddles can fall under this category, as well as any mentally absorbing task, like deciphering a code. Use Will when it’s only a matter of time before you overcome the mental challenge, and Lore if it takes something more than brute mental force to get past it. Many of the obstacles that you go up against with Will might be made part of challenges, to reflect the effort involved.

Contests of Will might reflect particularly challenging games, like chess, or competing in a hard set of exams. In settings where magic or psychic abilities are common, contests of Will are popular occurrences.

In contrast, Condensed’s description of Will doesn’t even hint at anything like that, instead portraying Will as a pretty much exclusively reactive, not proactive, Skill (in fact the only one in the list that is like that):

Will: Mental fortitude, the ability to overcome temptation and to withstand trauma. Will stunts let you ignore mental consequences, withstand the mental agony of strange powers, and hold steady against enemies who provoke you. In addition, a high Will rating gives you more mental stress or consequence slots (page 12).

Spoofed DNS answers ignored by target machine applications

Attacker: Arch Linux

Target: Windows 10

Scenario:

The attacker launches an ARP spoofing attack to redirect all target traffic to the attacker. (This works)

The target sends DNS queries for domain name resolution to the attacker machine. (This works)

The attacker machine listens for these queries and, if a query tries to resolve a specific domain (detectportal.firefox.com), sends a spoofed DNS answer with the attacker’s IP. For all the other domains the queries are not answered and not even forwarded.

Wireshark on both the attacker and the target machine confirms the reception of the spoofed DNS answers, although the applications that triggered the DNS resolution seem to ignore these answers and just time out.

Example on target machine:

ipconfig /flushdns
nslookup detectportal.firefox.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.42.0.1  (my gateway ip and the ip being spoofed by the ARP attack)

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Wireshark confirms the DNS spoof answers are correct and correlates them to the queries.

Assumption:

I do not compute the IP header checksum or the UDP checksum; I just put some value (e.g. 0xdead, 0xbeef, 0xcafe). Could it be the target machine dropping these packets AFTER Wireshark picks them up?
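A receiving IP/UDP stack validates both checksums before a datagram reaches the socket, and a failure is a silent discard that happens after the link-layer capture point Wireshark uses, so a trace on the receiver can show a reply that the resolver never gets. The following is an added example, not code from the question, that performs the same two checks on a captured IPv4/UDP datagram and reports what the stack would do with it. The packets in it are constructed: 10.42.0.1 is the gateway address from the question, while the target host, the query port and the answer address are made up, and the same reply is built once with placeholder checksums and once with valid ones as a control.

```python
"""Verify the IPv4 header and UDP checksums of a captured DNS reply.

Added example, not code from the question. A receiving host validates both
checksums before handing a datagram to the socket; a failure is a silent
discard that happens after the capture point Wireshark uses, so the reply
shows up in the trace while the resolver only ever sees a timeout.
The packets below are constructed.
"""
import struct

IPPROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit ones' complement of the ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_checksum_ok(packet: bytes) -> bool:
    """Summing the header with its stored checksum included gives 0 when valid."""
    ihl = (packet[0] & 0x0F) * 4
    return ones_complement_sum(packet[:ihl]) == 0


def udp_checksum_ok(packet: bytes) -> bool:
    """UDP covers a pseudo-header (addresses, protocol, length) plus the datagram."""
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    if udp[6:8] == b"\x00\x00":
        return True  # RFC 768: an all-zero field means the sender computed no checksum
    pseudo = packet[12:20] + b"\x00" + bytes([IPPROTO_UDP]) + struct.pack("!H", len(udp))
    return ones_complement_sum(pseudo + udp) == 0


def stack_verdict(packet: bytes) -> str:
    """What the receiving IP/UDP stack does with the datagram."""
    if not ipv4_header_checksum_ok(packet):
        return "drop: bad IPv4 header checksum"
    if not udp_checksum_ok(packet):
        return "drop: bad UDP checksum"
    return "deliver"


# --- constructed sample: a one-answer DNS reply for the domain named in the question ---

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def dns_a_reply(txid: int, qname: str, addr: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ip_bytes(addr)  # name pointer to offset 12
    return header + question + answer


def ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes,
             ip_csum: int, udp_csum: int) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), udp_csum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, IPPROTO_UDP, ip_csum, ip_bytes(src), ip_bytes(dst))
    return ip + udp


def with_valid_checksums(packet: bytes) -> bytes:
    """Control copy: same bytes, with the checksums a conforming sender would carry."""
    ihl = (packet[0] & 0x0F) * 4
    ip, udp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    udp[6:8] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + b"\x00" + bytes([IPPROTO_UDP]) + struct.pack("!H", len(udp))
    csum = ones_complement_sum(pseudo + bytes(udp)) or 0xFFFF   # RFC 768: a computed 0 is sent as all ones
    udp[6:8] = struct.pack("!H", csum)
    return bytes(ip) + bytes(udp)


PAYLOAD = dns_a_reply(0x1234, "detectportal.firefox.com", "10.42.0.3")   # answer address is constructed
# 10.42.0.1 is the gateway address from the question; target host and query port are constructed
SPOOFED = ipv4_udp("10.42.0.1", "10.42.0.2", 53, 0xC000, PAYLOAD, ip_csum=0xDEAD, udp_csum=0xBEEF)
VALID = with_valid_checksums(SPOOFED)

if __name__ == "__main__":
    for label, pkt in (("placeholder checksums", SPOOFED), ("valid checksums", VALID)):
        print(f"{label}: {stack_verdict(pkt)}")
```

Run on a real capture, feed each IPv4 payload from the pcap to `stack_verdict`; Wireshark's own "bad checksum" expert info is the same test, but it is disabled by default for UDP, which is worth enabling when reconciling a trace against application-level timeouts.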

Practical applications of the palindromic substring problem?

The longest palindromic substring problem is certainly an interesting intellectual exercise, and seems to be popular in coding interviews in industry. As an interesting puzzle, its popularity for interviews is not too hard to understand: it’s not too hard to find an $O(N^2)$ solution, and if someone manages to come up with a linear time solution, they’re probably either a genius or at least well-read, which is arguably as valuable.

Given the apparent frivolity of the problem, however, it seems like a surprising amount of effort has gone into analyzing it. There are at least three published linear-time solutions (by Manacher, Jeuring, and Gusfield). But, is it actually useful for anything? Are there other problems in which finding a palindromic substring is a necessary step? And in the absence of a direct application, did any of the known solutions to this problem reveal new techniques that have been applicable elsewhere?
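Since the question names Manacher's algorithm, here is the linear-time method worked through in code, as an added example that is not part of the question: the interleaved-separator trick that makes odd- and even-length palindromes uniform, the mirror bound that lets each position reuse work already done, and a quadratic expand-around-centre version used to cross-check the result. The input strings are constructed.

```python
"""Manacher's algorithm for the longest palindromic substring, with an
O(n^2) reference implementation used to check it. Added example, not code
from the question."""


def manacher(s: str) -> str:
    """Return the longest palindromic substring of s in O(len(s)) time.

    The string is interleaved with a separator so that even- and odd-length
    palindromes are handled uniformly: 'abba' -> '#a#b#b#a#'. Every palindrome
    in t is then odd-length and centred on a single index.
    """
    if not s:
        return ""
    t = "#" + "#".join(s) + "#"
    n = len(t)
    radius = [0] * n      # radius[i]: half-length of the palindrome centred at t[i]
    centre = right = 0    # rightmost-reaching palindrome seen so far: t[centre-right .. centre+right]
    for i in range(n):
        if i < right:
            # The mirror of i about `centre` has a known radius; it bounds ours
            # without rescanning, which is what keeps the total work linear.
            radius[i] = min(right - i, radius[2 * centre - i])
        # Expand explicitly beyond whatever the mirror guarantees.
        while (i - radius[i] - 1 >= 0 and i + radius[i] + 1 < n
               and t[i - radius[i] - 1] == t[i + radius[i] + 1]):
            radius[i] += 1
        if i + radius[i] > right:
            centre, right = i, i + radius[i]
    best_centre = max(range(n), key=lambda i: radius[i])   # leftmost on ties
    r = radius[best_centre]
    start = (best_centre - r) // 2   # map t indices back to s indices
    return s[start:start + r]


def longest_palindrome_quadratic(s: str) -> str:
    """Expand-around-centre reference, O(n^2), used to validate manacher()."""
    best = ""
    for centre in range(len(s)):
        for lo, hi in ((centre, centre), (centre, centre + 1)):   # odd, then even
            while lo >= 0 and hi < len(s) and s[lo] == s[hi]:
                lo -= 1
                hi += 1
            candidate = s[lo + 1:hi]
            if len(candidate) > len(best):
                best = candidate
    return best


def agree(s: str) -> bool:
    """True when both implementations return the same substring for s."""
    return manacher(s) == longest_palindrome_quadratic(s)


if __name__ == "__main__":
    for sample in ("babad", "cbbd", "forgeeksskeegfor", "abcd"):   # constructed inputs
        print(f"{sample!r}: {manacher(sample)!r} (agree: {agree(sample)})")
```

Both functions break ties by the leftmost centre, so `agree` compares exact strings rather than just lengths; the radius array is also the part of the algorithm that later work builds on, since it lists every maximal palindrome in the string, not only the longest.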

Are the following two ways to obtain server certificates for web servers to host web applications?

https://www.digitalocean.com/community/tutorials/how-to-serve-flask-applications-with-gunicorn-and-nginx-on-ubuntu-18-04#step-6-%E2%80%94-securing-the-application says for running a flask web application with gunicorn and nginx with https:

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

sudo certbot --nginx -d your_domain -d www.your_domain 

This runs certbot with the --nginx plugin, using -d to specify the names we’d like the certificate to be valid for.

https://stackoverflow.com/a/59702094/ says that for running an asp.net web application with https:

On Ubuntu the standard mechanism would be:

  • dotnet dev-certs https -v to generate a self-signed cert
  • convert the generated cert in ~/.dotnet/corefx/cryptography/x509stores/my from pfx to pem using openssl pkcs12 -in <certname>.pfx -nokeys -out localhost.crt -nodes
  • copy localhost.crt to /usr/local/share/ca-certificates
  • trust the certificate using sudo update-ca-certificates
  • verify if the cert is copied to /etc/ssl/certs/localhost.pem (extension changes)
  • verify if it’s trusted using openssl verify localhost.crt

I was wondering if the above two ways are to achieve the same goal as obtaining a server certificate for a web server to host a web application?

Specifically, do the single certbot command and the dotnet dev-certs https and openssl commands do the same thing?

Are the two ways working directly on web servers, instead of web applications?

Can the two ways replace each other in their use case scenarios? (suppose dotnet dev-certs https would work on Ubuntu, for simplifying my questions.)

I am new to digital certificates, and have seen the above two approaches for different web application frameworks, and am trying to understand the commonality.

Thanks.

Do any API-based CASB use native DLP features in cloud applications?

I think I’ve understood what CASBs are and the differences between proxy- and API-based architectures. What is still unclear to me is how exactly API-based CASBs function.

I know most products use APIs to traverse the cloud document storage to download and inspect the documents. Or maybe even use APIs to download auditing logs from the service. But for example Office 365 offers DLP features such as Exchange Mail Flow Rules or Office 365 DLP rules. Do any API-based CASBs also automatically configure and use these DLP functions?

Is it safer to “chown” the Applications folder on macOS?

Whenever I copy a program into the Applications folder on my Mac, I have to use admin rights to do that. My standard user account (marc) does not have admin rights, so I get an alert and have to fill in the right credentials. I’m the only user on this computer.

I’ve done that many times, but often ask myself if this is safe, and if it’s better to chown the whole Applications folder to my standard user account (marc).

  1. When I copy with admin rights, does the program get admin rights? Maybe I’m wrong about that, and there is no risk involved?
  2. With admin rights, the program has access to my user account, so why not limit all it can do to that user, as there are no other users?
  3. Are there downsides or other concerns when I do this?

Maybe it’s useless to change it. I’ve wondered several times what is best. And if I do this, I’ll first make an entire copy of the Applications folder so I can get back (of course I have that already with my backups).
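The reason macOS asks for admin credentials here is that /Applications is owned by root, with group admin and mode 775, so a standard account cannot write into it; the copied bundle ends up root-owned, and afterwards nothing running as the standard user can quietly alter it, even though the app itself still runs with only that user's rights when launched. Changing the folder's owner to the standard account removes exactly that separation. As an added example that is not part of the question, the audit below lists the bundles a given user could modify, either by owning them or through group/other write bits, over a constructed stand-in for the Applications folder.

```python
"""Find app bundles that a standard (non-admin) user could modify.

Added example, not from the question. Bundles owned by root are treated as
safe, which is what the admin-credential prompt produces; any other owner,
or a group/other write bit, is reported. The sample tree is constructed.
"""
import os
import stat
import tempfile
from pathlib import Path


def user_modifiable_bundles(apps_dir, uid=None):
    """Return (bundle name, reason) pairs for *.app directories that `uid` could alter."""
    uid = os.getuid() if uid is None else uid
    findings = []
    for entry in sorted(Path(apps_dir).iterdir()):
        if not (entry.is_dir() and entry.suffix == ".app"):
            continue
        st = entry.lstat()
        reasons = []
        if st.st_uid != 0 and st.st_uid == uid:
            reasons.append("owned by the user")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        elif st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if reasons:
            findings.append((entry.name, ", ".join(reasons)))
    return findings


def build_sample_tree():
    """Constructed stand-in for /Applications with three bundles of differing modes."""
    root = Path(tempfile.mkdtemp(prefix="apps-audit-"))
    for name, mode in (("Safe.app", 0o755),
                       ("GroupWritable.app", 0o775),
                       ("WorldWritable.app", 0o777)):
        (root / name).mkdir()
        os.chmod(root / name, mode)
    (root / "README.txt").write_text("not a bundle\n")   # ignored by the audit
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    # Audit as a uid that owns none of the sample bundles, so only mode bits decide.
    for name, why in user_modifiable_bundles(sample, uid=os.getuid() + 1):
        print(f"{name}: {why}")
    # On a real Mac, run user_modifiable_bundles("/Applications") as the standard user.
```

Running it against a folder that has been chown'ed to the standard account reports every bundle as "owned by the user", which is the practical cost of the change: any process that account runs (a browser plug-in, a script, a compromised app) could then rewrite other installed applications.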