Checking CR calculation for homebrew larger version of Giant Ape

I am considering allowing a larger version of a Giant Ape, in which some of the stats have been embiggened to achieve the low end of CR8.

I would appreciate a confirmation that I am calculating this correctly.

In particular, it appears that what the DMG calls Damage Per Round is really the average damage per round, assuming that every attack in the monster’s most damaging routine hits.

CR7 Giant Ape
AC12, 157hp (15d12+60), At. 2 @ +9 to hit, 3d10+6 dmg, DPR 45

CR8 Proposed Giant Ape [all other stats as RAW Giant Ape]
AC13, 168hp (16d12+64), At. 2 @ +9 to hit, 3d12+6 dmg, DPR 51

CR7 Giant Ape Calculation
HP 146-160 = CR 6; AC 12 is more than two below the expected 15, so adjust the defensive CR (DCR) -1, to 5
DPR 45-50 = CR 7; +9 to hit is more than two above the expected +6, so adjust the offensive CR (OCR) +1, to 8
Average CR 6.5, round to CR 7

CR8 Proposed Giant Ape Calculation
HP 161-175 = CR 7; AC 13 is two below the expected 15, so adjust DCR -1, to 6
DPR 51-56 = CR 8; +9 to hit is more than two above the expected +6, so adjust OCR +1, to 9
Average CR 7.5, round to CR 8
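
For reference, here is the arithmetic behind the averages as a small Python script (the helper name is mine; the values match the stat blocks above):

    def avg_dice(n, sides, bonus=0):
        # Average roll of n dice with the given number of sides, plus a flat bonus
        return n * (sides + 1) / 2 + bonus

    # Hit points
    print(avg_dice(15, 12, 60))    # 157.5 -> 157 hp (RAW Giant Ape, 15d12+60)
    print(avg_dice(16, 12, 64))    # 168.0 hp (proposed version, 16d12+64)

    # Damage per round: two attacks, all assumed to hit
    print(2 * avg_dice(3, 10, 6))  # 45.0 (2 x 3d10+6)
    print(2 * avg_dice(3, 12, 6))  # 51.0 (2 x 3d12+6)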

Are there heuristics in CSP to help avoid redundancy while checking constraints for inconsistent values?

I’m a complete beginner, so please forgive my ignorance. Trying to learn about CSP online, I noticed a lot of focus on search heuristics that tell you which variable to expand next (e.g. most constrained variable) and which value to try first (e.g. least constraining value), but I’ve yet to see heuristics that relate to the ordering of constraints.

Since I’m doing everything by hand, I notice a lot of redundancy when eliminating values from variable domains. How do you go about checking for violated constraints in a way that is efficient? Say constraint A has me eliminate the odd numbers from 1 to 1000, and constraint B has me wipe out everything above 250. Intuitively, it feels like order matters: I would waste my time cherry-picking even numbers above 250, only to find out later that anything above 250 was inconsistent in the first place. (A toy version of this example is sketched below.)

I apologize for lacking the proper terminology; my understanding is mostly intuitive. I hope it makes sense. Thanks in advance! I’m mostly looking to acquire a conceptual understanding of selected topics in computer science, so if you have book recommendations or any resource appropriate for an interested layman, please don’t hesitate!
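
Here is a toy Python version of that example, just to show the kind of redundancy I mean (the helper and constraint names are mine, and the constraints are unary for simplicity):

    def prune(domain, constraints):
        # Apply each constraint in order, discarding inconsistent values.
        # Returns how many individual value checks were performed.
        checks = 0
        for constraint in constraints:
            for value in list(domain):
                checks += 1
                if not constraint(value):
                    domain.discard(value)
        return checks

    def is_even(v):          # constraint A: eliminate odd numbers
        return v % 2 == 0

    def at_most_250(v):      # constraint B: eliminate everything above 250
        return v <= 250

    print(prune(set(range(1, 1001)), [is_even, at_most_250]))  # 1500 checks
    print(prune(set(range(1, 1001)), [at_most_250, is_even]))  # 1250 checks

Either order produces the same final domain, but the amount of work differs, which is exactly the kind of ordering effect I am asking about.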

Checking potentially infected photos for steganography

A friend of mine has an old family PC with a bunch of important photos on it. Unfortunately, from what he told me, it seems they fell victim to a tech support scam some five years ago, during which the scammer had remote access to their machine. They haven’t used this PC since that incident, because they were afraid the scammer might have put some sort of malware onto their system. Since they aren’t super tech-savvy, my friend asked if I could help him safely recover their photos.

My idea would be to connect his HDD to my laptop using a SATA-to-USB adapter, boot into a Linux live environment, mount the HDD there, and copy the photos to either an external HDD or to my NAS. I see one problem with this, however. I’m by no means a security professional, but from what I’ve learned, it’s rather easy to embed a malicious payload into an image file (or at least into a file that looks like an image; see "steganography", "stegosploit"). So it seems entirely possible that someone with remote access could have either copied an infected image to their hard drive, or run some sort of malware that infected their own photos. I think it’s unlikely that a tech support scammer would do this sort of thing, but the last thing I want to do is recover their photos and at the same time infect their current devices with malware.

Is there a reliable way for me to check their image files for such embedded malicious payloads (ideally from a Linux system)? My best guess would be to scan these files using an AV program such as ClamAV – do you think that would be good enough? Other than that, all I found were research papers looking into methods for detecting steganography, which leads me to believe that this is still a rather difficult problem to solve…

Edit: I played around with OpenCV a while ago, which lets you read an image file into a NumPy array. So, theoretically, I could write a Python script that reads each of their photos into a NumPy array and exports it as a completely new image file, for more of a "sanitizing" approach rather than a "scanning" one. Do you think this is a good idea (especially if done by someone who’s not a security expert)?
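
Concretely, this is roughly the script I have in mind (the folder names are placeholders, and I am only handling JPEGs here):

    import cv2
    from pathlib import Path

    src_dir = Path("recovered_photos")   # placeholder input folder
    dst_dir = Path("sanitized_photos")   # placeholder output folder
    dst_dir.mkdir(exist_ok=True)

    for src in src_dir.glob("*.jpg"):
        img = cv2.imread(str(src))       # decode the pixels into a NumPy array
        if img is None:
            print(f"Skipped (could not be decoded as an image): {src.name}")
            continue
        # Re-encode from the raw pixel data only, so metadata and any bytes
        # appended after the image stream are not carried over.
        cv2.imwrite(str(dst_dir / src.name), img)

My understanding is that this would only strip payloads hiding in metadata or appended bytes; the decoder still has to parse the original file, so it would not protect against an exploit aimed at the image parser itself.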

seems like a wide gaping hole in the process for checking integrity of e.g. linux distro releases

Many Linux distributions recommend using downloaded signing keys to verify the integrity of downloaded checksums. This seems utterly ridiculous to me, since the downloaded keys are just as suspect as the downloaded checksums. And checking key fingerprints is exactly the same thing, i.e. the page with the fingerprints is just another file downloaded by my browser.

Example: https://getfedora.org/en/security/

If I trust the PKI of my browser (assuming HTTPS) to authenticate the key or key fingerprints, then I don’t need the signing process in the first place. But of course I DON’T trust the PKI, because the list of root certs distributed with major OSes is chock-full of very, very dodgy CAs.

At minimum, shouldn’t the keys of a new release be signed with the keys of the previous release? That way you can maintain a chain of integrity.

Given that the same process is used for GPG itself (https://gnupg.org/signature_key.html), I assume I am being a moron and missing something obvious. Can anyone explain?

Is checking if regular languages are equivalent decidable?

Is this problem algorithmically decidable?

$L_1$ and $L_2$ are both regular languages over the alphabet $\Sigma$. Does $L_1 = L_2$?

I think it is decidable because you can write regular expressions for each language and see if they are the same. But I’m not sure how to prove it, since it seems you prove something is decidable by exhibiting a Turing machine that decides it.
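
To make my intuition more concrete, here is a sketch of a decision procedure, assuming both languages are given as complete DFAs over the same alphabet (the representation and names are mine): explore the product automaton and answer "no" if some reachable pair of states is accepting in exactly one machine.

    from collections import deque

    def equivalent(dfa1, dfa2, alphabet):
        # Each DFA is a triple (start, accepting_states, delta), where
        # delta[(state, symbol)] gives the unique next state.
        start1, accept1, delta1 = dfa1
        start2, accept2, delta2 = dfa2
        seen = {(start1, start2)}
        queue = deque([(start1, start2)])
        while queue:
            q1, q2 = queue.popleft()
            # A reachable pair that disagrees witnesses a word in exactly one language.
            if (q1 in accept1) != (q2 in accept2):
                return False
            for symbol in alphabet:
                nxt = (delta1[(q1, symbol)], delta2[(q2, symbol)])
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return True

Since there are only finitely many pairs of states, the search always halts, which (if I understand correctly) is what you would formalize as a Turing machine that decides the problem.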

Checking equality of integers: O(1) in C but O(log n) in Python 3?

Consider these equivalent functions in C and Python 3. Most devs would immediately claim both are O(1).

    def is_equal(a: int, b: int) -> bool:
        return a == b

    int is_equal(int a, int b) {
        return a == b;
    }

But consider what is happening under the surface. Integers are just binary strings and, to determine equality, both languages will compare the strings bit-by-bit. In either case this scan is O(b) where b is the number of bits. Since integers have a constant size in bits in C, this is simply O(1).

In Python 3, however, integers do not have a fixed size, and the scan remains O(b) in the number of bits of the input, i.e. O(log a) where a is the value of the input (the base of the logarithm only affects the constant factor).

So if you’re analyzing code in Python, any time you compare two integers you are embarking on a surprisingly complex journey of O(log n) with respect to the value of either number.
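
Here is a rough way to check this empirically in CPython (the sizes are arbitrary; each pair holds equal values stored as separate objects, so the comparison cannot short-circuit on identity):

    import timeit

    for bits in (64, 64_000, 6_400_000):
        a = (1 << bits) - 1   # an integer with `bits` one-bits
        b = (1 << bits) - 1   # an equal value, stored as a distinct object
        t = timeit.timeit(lambda: a == b, number=1_000)
        print(f"{bits:>9} bits: {t:.4f}s per 1k comparisons")

If the scan really is O(b), the time should grow roughly linearly with the number of bits.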

For me this raises several questions:

  1. Is this correct? I haven’t seen anyone else claim that Python compares ints in log time.
  2. In the context of conducting an interview, should you notice or care if a candidate calls this O(1)?
  3. Should you notice or care about this distinction in the real world?

What is the expected time complexity of checking equality of two arbitrary strings?

The simple (naive?) answer would be O(n), where n is the length of the shorter string, because in the worst case you must compare every pair of characters.

So far so good. I think we can all agree that checking equality of two equal length strings requires O(n) runtime.

However, many (most?) languages (I’m using Python 3.7) store the lengths of their strings to allow for constant-time length lookups. So in the case of two unequal-length strings, you can simply verify len(string_1) != len(string_2) in constant time. You can verify that Python 3 does indeed make this optimization.
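
For example, here is a rough timing check in CPython (sizes arbitrary; the strings are built as distinct objects so identity cannot short-circuit the comparison):

    import timeit

    a = "x" * 10_000_000
    b = "x" * 10_000_000        # equal contents, so a full scan is needed
    c = "x" * 10_000_000 + "y"  # different length, so the check can stop early

    print(timeit.timeit(lambda: a == b, number=100))  # scales with the length
    print(timeit.timeit(lambda: a == c, number=100))  # effectively constant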

Now, if we’re checking the equality of two truly arbitrary strings (of arbitrary length), then it is much more likely (infinitely more likely, I believe) that the strings will be of unequal length than of equal length, which (statistically) ensures we can nearly always compare them in constant time.

So we can compare two arbitrary strings in O(1) amortized time, with a very rare worst case of O(n). Should we then consider string comparisons to be O(1), in the same way we consider hash table lookups to be O(1)?

Stack Overflow and my copy of Cracking the Coding Interview cite this operation as O(n).

Checking whether a Turing machine passes through at least k>2 states before accepting a word

$L=\{\langle M,k\rangle \mid \exists\, w\in L(M) \text{ such that } M \text{ passes through at least } k>2 \text{ distinct states before accepting } w\}$

I am trying to think of a reduction to prove that this language is neither RE nor coRE. How should I approach this problem? Is there a hint, or an intuition?

I usually check whether Rice’s theorem can be used, but the question here is not about the language itself.

Checking the configuration history of a Turing machine using a PDA

I am trying to understand the technique of using configuration history in proofs.

To prove that: $\{\langle M\rangle \mid M \text{ is a TM and } L(M)=\Sigma^*\}\notin \mathrm{RE}$

given $\langle M,w\rangle$, we built a Turing machine that accepts every word except the accepting configuration history of $M$ on $w$ (and then a simple reduction).
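
(To fix notation: by the accepting configuration history of $M$ on $w$ I mean, following the standard encoding, a string $C_1 \# C_2 \# \dots \# C_k$ where $C_1$ is the start configuration of $M$ on $w$, $C_k$ is an accepting configuration, and each $C_{i+1}$ follows from $C_i$ in one step of $M$.)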

To prove that: $\{\langle P\rangle \mid P \text{ is a PDA and } L(P)=\Sigma^*\}\notin \mathrm{RE}$

we gave the same proof, except that we built a PDA that accepts every word except the accepting configuration history of $M$ on $w$.

Does a PDA’s ability to determine whether its input is an accepting configuration history of $M$ on $w$ actually mean that I can simulate $M$’s run on $w$ with a PDA? Or is testing whether an input is an accepting configuration history different from a simulation?

Checking system integrity after clicking scam email link on Linux

Earlier today, my mother opened an email thinking it was from my sister-in-law, then clicked on the shortened link.

The link loaded a page of fairly nonsensical text. The source of the page had no explicit javascript code, but the text was formatted with a non-standard identifier. NoScript told me there were scripts on the page (but they weren’t trusted, so should have been blocked).

The system is Fedora 32, upgraded to this release a few days ago. The browser is Firefox with NoScript installed.

What should I do to confirm the integrity of the system? I’m concerned about the integrity of the Linux system, of course, but I’d also be concerned about any possible transfer of viruses or malware to Windows users my mother emails.

I’ve done this once before after a similar incident. I’m planning to create a live USB to scan the system for problems (which I did before) using one of the forensic Linux distros designed for this, but I’m pretty sure I did something else last time and can’t remember what.

What is necessary to ensure the system’s integrity?

I’ve read “Clicked link in faked email” and https://security.stackexchange.com/a/17854. https://security.stackexchange.com/a/73660 is fairly scary, though I’m somewhat sceptical of its claims.

I also read various online guides, but had difficulty finding anything specific to Linux and reasonably current. (I think I must be searching the wrong terms because I seem to remember finding this kind of information fairly easily before.)