Does the playable UA Centaur’s Charge racial feature affect both attacks if I have the extra attack feature?

The Centaur’s racial feature “Charge” reads as follows:

If you move at least 20 feet straight toward a target and then hit it with a melee weapon attack on the same turn, roll the weapon’s damage dice twice and add them together. Once you use this ability, you can’t use it again until you finish a short or long rest. (Source of wording D&D Beyond)

From this I understand that the affected attack(s) must occur after the Charge ability is triggered, and must occur during the same turn the Charge is triggered.

But, as the title question indictes, I’m in doubt whether this wording means that the doubling of the weapons damage dice only occurs on a single attack that hits after the Charge, and if so must it then be the first attack that hits or can it be any attack that hits during that turn? Or would it affect every attack that hits after the Charge during that turn?

Do SS7 attacks affect receiving Google Voice sms?

Hackers are able to steal 2FA sms messages by exploiting SS7, in my understanding basically by hacking in to the SS7 system and then saying “this number is roaming on my network, send me all their sms messages!”

Would this work for a Google Voice number? If my understanding above is correct, Google knows it’ll be sending the sms to the app and not to some other network, so I would guess it might be immune to SS7 exploitation. Or does the hacker only need to say the number is roaming to whoever is generating the sms message?

NOTE: I’m aware of the other downsides to using Google Voice as a 2FA factor, and am mitigating them by using an alternate Google account for which I have a strong, separate password that I only ever enter when logging into the app on my mobile device, and nowhere else, ever. I trust Google’s security a hell of a lot more than the telcos. This way customer service won’t give out my info or re-route the number just because someone knows my mother’s goddamn name, keylogger attacks are unlikely, and i hope i might be at least a bit more protected from atrocious SS7 holes.

Please don’t respond to this telling me to use Google Authenticator or a hardware key – I already do so where possible.

Is Block Finalization a valid development to remove the threat of 51% attacks?

A recent comment from a Reddit user in response to BTC.top acquiring 54 of the Bitcoin Cash has hate noted that a Block Finalization development removes the threat of a 51% attack.

I have never heard of block finalization before but my understanding is that it results in nodes reject the altering of blocks once they have reached a certain amount of confirmation in the blockchain. At the moment, I believe it stands at ten confirmations in the Bitcoin Cash blockchain.

Is this a valid development? Are there limitations to it?

no HSTS but still protected to mitm attacks?

i am aware of HSTS and their directives… If you had enabled HSTS on your site however, and this user has visited your site before, the browser will remember it should go back to https. As the fake site does not have an SSL certificate, the user can’t visit the site, and will be safe.

However i am unable to reproduce a mitm attack when i had visited the site before, only when deleting all cookies and trying again it works just fine. For some reason the website is acting like it had HSTS but it doesn’t… so what is wrong here?? if the website doesn’t have HSTS then the browser shouldn’t remember to connect to HTTPS

How can I hide my server’s ip to avoid attacks? [on hold]

The majority has happened when they have a game, when ctrl + u in the client shows the person the real ip of the server where the game is installed, web page and etc …

Update (More specific)


Would there be any way to hide the data with any programming language, php, js, json etc., or should we use a proxy?

Archive Client.php, where it shows the server ip.

<script type="text/javascript"> FlashExternalInterface.loginLogEnabled = false;  FlashExternalInterface.logLoginStep("web.view.start");  if (top == self) {     FlashHabboClient.cacheCheck(); }  var flashvars = {              "client.allow.cross.domain" : "1",              "client.notify.cross.domain" : "0",             "connection.info.host" : "{$  connection_info_host}", // Ip Server             "connection.info.port" : "{$  connection_info_port}", // Port             "site.url" : "{$  www}",              "url.prefix" : "{$  www}",              "client.reload.url" : "{$  www}/client",              "client.fatal.error.url" : "{$  www}/flash_client_error",              "client.connection.failed.url" : "{$  www}/flash_client_error",              "external.variables.txt" : "{$  variables}",              "external.override.texts.txt" : "{$  override_texts}",             "external.override.variables.txt" : "{$  override_variables}",             "external.figurepartlist.txt" : "{$  figuredata}",             "flash.dynamic.avatar.download.configuration" : "{$  figuremap}",             "external.texts.txt" : "{$  texts}",             "productdata.load.url" : "{$  productdata}",              "furnidata.load.url" : "{$  furnidata}",              "use.sso.ticket" : "1",              "processlog.enabled" : "1",             "account_id" : "19927505",             "client.starting" : "{$  loadingtext}",             "flash.client.url" : "{$  baseurl}",             "sso.ticket" : "{$  sso}",             "user.hash" : "199275052dbf5f89adb0a643bf16b0ea1cd646db",              "nux.lobbies.enabled": "true",             "flash.client.origin" : "popup",     };  var params = {     "base" : "{$  baseurl}",     "allowScriptAccess" : "always",     "menu" : "false"                 };  if (!(HabbletLoader.needsFlashKbWorkaround())) {     params["wmode"] = "opaque"; }  var clientUrl = "{$  habbo_swf}";  FlashExternalInterface.signoutUrl = "https://www.domain/logout"; swfobject.embedSWF(clientUrl, "flash-container", "100%", "100%", "10.0.0", "{$  www}/images/web-gallery/flash/expressInstall.swf", flashvars, params);  window.onbeforeunload = unloading; function unloading() {     var clientObject;     if (navigator.appName.indexOf("Microsoft") != -1) {         clientObject = window["flash-container"];     } else {         clientObject = document["flash-container"];     }     try {         clientObject.unloading();     } catch (e) {} } 

Do Life Drain attacks from wights stack?

The wight has an attack called Life Drain:

Life Drain. Melee Weapon Attack: +4 to hit, reach 5 ft., one creature. Hit: 5 (1d6 + 2) necrotic damage. The target must succeed on a DC 13 Constitution saving throw or its hit point maximum is reduced by an amount equal to the damage taken. This reduction lasts until the target finishes a long rest. The target dies if this effect reduces its hit point maximum to 0.

A humanoid slain by this attack rises 24 hours later as a zombie under the wight’s control, unless the humanoid is restored to life or its body is destroyed. The wight can have no more than twelve zombies under its control at one time.

If the same wight hits a character with it multiple times, or a number of wights hit the same character with it, assuming the character fails their Constitution save each time, do the max HP reduction effects stack?

I know magical effects don’t normally stack, but this isn’t listed as being magical. Additionally, if it doesn’t stack, I can’t see how most characters could ever have their max HP reduced to 0.

How to protect against mitm attacks in first connection? – no HSTS Preload

i have been searching around this area about mitm attacks and realize that every single page that doesn’t have HSTS preload is vunerable to mitm attacks in first connection to the site. the solution to this, is to add it to the HSTS preload list : https://hstspreload.org/

But for differents reasons some websites can’t implement this because as a bug bounty team told me 2 days ago:

“we are limited in some technical example.com subdomains. At foreseeable future, we can’t force HTTPS on all subdomains because it breaks dependent infrastructure”

does anybody know another way to protect agaisnt this attack without adding the domains and all subdomains into the HSTS preload list??

How do attacks with an underwater target and an attacker on land (and the reverse) work?

The Underwater Combat rules on attacking state:

When making a melee weapon attack, a creature that doesn’t have a swimming speed (either natural or granted by magic) has disadvantage on the attack roll unless the weapon is a dagger, javelin, shortsword, spear, or trident.

A ranged weapon attack automatically misses a target beyond the weapon’s normal range. Even against a target within normal range, the attack roll has disadvantage unless the weapon is a crossbow, a net, or a weapon that is thrown like a javelin (including a spear, trident, or dart).

When it says underwater combat, I assume this is true while both that attacker and target are underwater, but the rule doesn’t seem to explicitly define whether this rule is triggered when:

  1. Both are underwater
  2. Attacker is underwater, target is on land
  3. Target is underwater, attacker is on land

Scenario 1 obviously follows the underwater combat rules, but how about 2 and 3? Do both of them follow the underwater combat rules?

Do ranged weapon attacks against creatures restrained in a Watery Sphere have advantage?

Creatures engulfed by a Watery Sphere are restrained, which grants advantage on all attacks against them. However, they may also be considered underwater, which would impose disadvantage on most ranged weapon attacks and negate the advantage. Does attacking into the sphere with a ranged weapon have advantage, or do the underwater combat rules apply to this situation and negate that advantage? (Assume the ranged weapon is not a crossbow or one of the other weapons that doesn’t suffer disadvantage underwater.)