Is it really possible to hide behind another player character?

So I’ve been DMing a 5e game lvl 1-3 so far. And I have a question about stealth for my rogue. My player has been hiding behind/stealthing behind another PC.

So this is what usually happens. PCs bust into a room, and the enemies see him. The rogue makes a stealth check and hides behind a PC as a bonus action, then attacks from stealth and gets sneak attack. He will do this every round. I do try to do Perception for the NPCs, but they fail. So he basically disappears for the whole encounter.

So then he attacks 'cause he is fully hidden and gets a sneak attack every time. This seems OP!! I thought you could only hide in full cover. I know the Skulker feat allows a player to hide in partial cover, which I looked up. Hiding behind a PC of medium size only allows partial cover. Please help me! I just wanna make sure I’m doing this right and I hate players who take advantage of a loophole.

Rate my idea: NodeJS as root behind Apache as a proxy with password

I’m the admin of a small Linux server owned by a relative of mine. He’s fairly tech savvy, but more at the level of a power user than an expert. I want to make a handy visual tool for him that would allow him to do some simple server tasks: add/remove users and change their passwords; set up/remove websites; set up/remove mailboxes (I’ve decoupled those from system users so it’s a separate task if needed); and perhaps something else as needed.

Most of these things can be done from the command line and some require editing some config files, but lengthy incantations with a lot of changing parts are just asking for trouble. I’d rather have a handy script.

The trouble is: most of these tasks require superuser permissions. He already has that, so I could make a text-mode tool (which needs to be run as root), but a website would be so much nicer.

There’s already an Apache webserver in place on port 80, but running that as root would obviously be a lousy idea. Similarly, I don’t want to store the root password anywhere.

So I had the idea of making the website in NodeJS and running the Node process as root, listening only on a specific port which only accepts incoming connections from localhost. Then Apache would be a non-elevated proxy in front of the NodeJS app. In addition, both Apache and NodeJS would ask for a password (taken from the same .htpasswd file).

If you can’t enter the password to Apache, you can’t even get to Node. If you hack Apache (or have access to some local account) you still need the password to get the Node app to cooperate.

Would this be safe enough? Ok, that’s kinda subjective, but considering that I’m more worried about opportunistic hackers from outside than malicious local users, would this be ok? There’s really nothing of much value stored on the server; I don’t expect anyone to do targeted hacking because there’s not much to gain (Wanna see pictures of my kids? You’re welcome…) I consider automated scanners and hackers trying to add to their botnets/db leaks the main threat. Any other suggestions on how to achieve this maybe?

Term behind APPF

I’m new to the malware scene, and recently I heard from somewhere about the term APPF. I’m not sure what it means, and can’t seem to find anything on Google; however, I’m curious about the meaning of this term.

What is the logic or fallacy behind the Perpetual Power Point trick?

The Perpetual Power Point trick uses two feats.

The first is Azure Talent (which grants 1:2 ratio of incarnum in for double the power points out) per point of incarnum invested. When essentia is invested, the feat locks for the day, as usual for an incarnum receptacle.

The second is Psycarnum Infusion (which allows one to expend psionic focus in exchange for treating one incarnum receptacle as if it had maximum incarnum until the beginning of your next turn).

The idea is to then refocus and repeat, probably with the Mediation feat to reduce the time.

In theory, this means a small but almost perpetual supply of power points.

Thus, what is the logic (it works) or fallacy (it doesn’t) behind this Perpetual Power Point trick?

How does AI Robot detect a target behind a wall, but the target has part exposed?

Like in an FPS game, a target’s whole body is behind a wall or box, but its finger or foot is exposed, and the AI can detect it and shoot its finger?

In my opinion, just traverse all targets, find who is near a wall, and compare its position with the corner of the wall, but I don’t know how to check if its finger is exposed?

Or use a raycast from the AI’s gun to the front, but you need to add a collider to every small part of every target?

Is it possible to scan the whole IP range to find a domain behind the CDN?

I am very curious if it is possible to find the real IP address of a domain “protected” by a CDN service.

For example, uses Fastly service, and the domain name only resolves to a Fastly edge server’s IP. If I scan the whole 4 billion IP range, sending an HTTP GET request with header Host:, how likely is it that I can find the real IP of cnn’s origin server?

What is the history behind the “single-use spell scroll”?

The concept of a spell being stored on a scroll, which can be used once and then vanishes, shows up in numerous tabletop and video game RPGs. From a game design perspective, the idea of a one-use spell is sensible. But considering that the whole idea of writing is to record information permanently, the idea that a single-use spell should take the form of a scroll of all things is kind of unintuitive. What’s the history behind this idea? Is it based off of some old mythology or folklore, or was it a later invention?

Secure Windows 10 Home admin’s data behind a password, even when user apps are running

Windows 10 Home’s default account lock system for the admin account is not completely secure because there are multiple free password recovery tools & ways available that can be used by a non-admin to reset/bypass the admin password.

How to secure Windows 10 Home admin’s data & installed programs behind a password, even when programs like Office, Chrome, etc. are opened and running in the background with some documents/pages opened in it?

What’s the algorithm behind MySQL’s sha256_password hashing scheme?

MySQL’s old mysql_native_password hashing scheme was the equivalent of this in PHP:

sha1(sha1('password', true)); 

That’s a hex-encoded SHA-1 hash of a binary SHA-1 hash of the password, without any salting.

MySQL 8.0 introduced two variants of a new hashing scheme based on SHA256 called caching_sha2_password and sha256_password, the former being the default (docs). Despite their name, neither appears to be vanilla SHA256.

Yes, I know SHA256 is not a great choice for password hashing, but it’s a lot better than SHA-1 and it wasn’t up to me!

Can anyone tell me the actual algorithms for these new schemes, in PHP or similar code?

Is it safe to whitelist my public IP to a server, even if I am behind CGNAT?

I have a few VPS and databases in GCP. I can access them by whitelisting my IP, but just a few months ago my ISP rolled out their CGNAT and I was affected. As far as I know, CGNAT allows multiple subscribers to have a single public IP.

Is it still safe to whitelist my IP, or do I need another means or extra layer of protection?