What if an attacker gets access to public key through an insecure media in digital signature?

If A encrpyts the message and creates signature using his private key and sends through the network then only B with the public key of A can decrypt that message.

But what if the attacker gets access to the public key of A and the encrypted message through the network? Will he be able to decrypt the message?

What is the attacker for Spiritual Weapon the caster or the weapon?

This question was prompted by this question about the relation to the rogue’s uncanny dodge feature and being able to see the attacker when spiritual weapon is used.

When a creature is subject to the magic melee attack of spiritual weapon what is considered to be the attacker?

  • Is the caster considered the attacker?
  • Is the spiritual weapon itself considered the attacker?
  • Are both?

security of AES where attacker can ask secure code to decrypt arbitrary cypher-text

A service or library provides a function decrypt( user_id, cypher_text) and gives back plain text. Internally to the function it loads an AES key from a secure vault, decrypts the cypher_text, and returns the plain text. If an attacker gets access to this function alone, but doesn’t know any valid cyphertext, can they perform an attack to recover the AES key for a particular user_id?

To be clear when I say “the attacker doesn’t know any valid cyphertext” I mean it not only doesn’t have access to a matching encryption function but also that the attacker doesn’t have access to any cypher text that has been encrypted with the key. So the attacker can only feed in some specially crafted series of attacking cyphertext and inspect the decryption results to try to deduce the key.

I have looked for the name of such an attack and haven’t been able to find it. In this case the attacker cannot use a “known plaintext” attack as they don’t have access to a function that encrypts with the AES key. I would describe the scenario above as a “crafted cyphertext attack on a decrypt function”. So my question is whether AES is secure against anything but a brute force attack in such a scenario.

If a Tempest cleric uses the Wrath of the Storm and Thunderbolt Strike features to push an attacker away, can the attacker complete its multiattack?

The Tempest Domain cleric’s Thunderbolt Strike feature (PHB, p. 62) says:

At 6th level, when you deal lightning damage to a Large or smaller creature, you can also push it up to 10 feet away from you.

I envision the Thunderbolt Strike as throwing the target creature away from it, not gently pushing it away. I mean, lightning is an instantaneous thing, and 10 feet is more than just losing your balance.

The Thunderbolt Strike feature of a Tempest cleric leaves me with many questions. For instance, if a monster is able to make a multiattack consisting of 2 claw attacks and then a bite, and it hits me with its first attack, I can use Wrath of Storm as a reaction to deal lightning damage to it, and thereby blast the creature back 10 feet using Thunderbolt Strike.

If the monster does not have 10 feet of movement left after being pushed, does it lose its other 2 attacks against me (if no other targets are in range of it)? Or does it get to make all 3 attacks before it is blasted away from me?

Why attacker do not care about masking the IP of the infected device of botnet?

I get a sentence:

If an attack is created using a botnet the likelihood of tracking the attack back to its source is low. For an added level of obfuscation, an attacker may have each distributed device also spoof the IP addresses from which it sends packets. If the attacker is using a botnet such as the Mirai botnet, they generally won’t care about masking the IP of the infected device.

Why attacker do not care about masking the IP of the infected device of botnet?

Why is targeting an adjacent attacker with a 5 foot cube area attack considered a ranged attack?

An opponent has moved adjacent up into a character’s face and swung at them. On their turn, in retaliation, the character would like to attack back with their favoured cube area attack, made at the size of a 5 foot sized cube to be ergonomic. Oddly the rules as written (see below) seems to qualify this attack as a ranged attack even though the target is adjacent and every other area attack also containing the attacker would not. Is this an oversight, an intentional design decision, or is there anything I’m overlooking that makes this ruling invalid?

The rules leading me to this conclusion appears here:

Ranged Attacks in Melee

Any time you make a ranged attack and there is an enemy within melee reach of you, you have disadvantage 1 on your attack roll. Area attacks are considered ranged attacks if the area does not include at least one space adjacent to the attacker.

The 5 foot cube placed on the attacker’s square does not include at least one space adjacent to the attacker but it does include attacker’s square itself which intuitively feels like it shouldn’t be a ranged attack as well as other area attacks. RAW however, this means it’s a ranged attack and imposes disadvantage 1. To me a more intuitive ruling and writing of it would be:

Ranged Attacks in Melee

Any time you make a ranged attack and there is an enemy within melee reach of you, you have disadvantage 1 on your attack roll. Area attacks are considered ranged attacks if the area does not include the attacker or at least one space adjacent to the attacker. (changes italicized)

Are there existing rules or other evidence the designer’s intention was for this scenario to be a ranged attack? If so, why only 5 foot cubes and not every other area effect (they have to include a square adjacent to the opponent as well)? Is there perhaps another mechanical reason I can’t find that this attack should be considered ranged? Is the attack simply supposed to impose disadvantage 1 and being considered ranged is simply a byproduct?

In the case that it shouldn’t be considered ranged (or only considered ranged for the purpose of disadvantage 1), I would like to revise this confusing wording. I have found the Open Legends repository and my intention is to submit a pull request if I understand the rules correctly and this ruling is against the RAI. However, I’m asking my question here first to gain assurance, as I know that I am very new to the system and may be overlooking something.

If a Slow spell ends due to a failed concentration (CON) saving throw, does the attacker get to make any remaining attacks?

The Slow spell (PHB 277) requires concentration and states the following:

Regardless of the creature’s abilities or magic items, it can’t make more than one melee or ranged attack during its turn.

Suppose a PC or monster who could normally make more than one attack is affected by the Slow spell, takes the Attack action, and hits the spell’s caster, who then fails their concentration check, causing the Slow spell to end. Does the attacker then get to take their remaining attack(s) because the slow spell is no longer in effect, or do they still only get 1 because the Slow spell was in effect at the time they took the Attack action?

Android Encryption: Can an attacker get the master key due to Android’s default password and wear-leveling?

Since Android 5.0: Upon first boot, the device creates a randomly generated 128-bit master key and then hashes it with a default password and stored salt. The salt and the encrypted master key are stored in the crypto footer.

When the user sets the PIN/pass or password on the device, only the 128-bit master key is re-encrypted and the crypto footer is updated.

Because of wear-leveling multiple “versions” of a single sector may be available to an attacker. For my understanding Android can not ensure that the old encrypted master key is really overwritten.

Would it therefor theoretically be possible for an attacker to decrypt the user data by recovering the old encrypted master key (derived from the default password) and thus calculating the static unencrypted master key with the known salt and the default password.

High bounce rate due to attacker is using website’s mail system

We got a realatively high bounce rate today, because someone decided to spread some links using our mail server. The implementation looked like this: He used the registration form and planted a link in the firstname field, which appears in the email’s first line. Then he sent out like 1200 emails like this. And my question is what can we do to prevent this? We can use captcha for sure, but can we do more about it?