Is this Enhanced Eyebite balanced vs other spells of comparable level and utility?

Motivation: Many, me included consider Eyebite be cool, but mechanically very underwhelming spell for its level. So, let’s make it a balanced choice. Still, this question does not depend on if original version really is weak or not, this is only about this homebrew version.

The classes to consider as users of the spell: Bard, Sorcerer and especially Warlock, who needs to choose it as an Arcanum, the only and unchangeable 6th level spell they’ll have.

The other spells to consider as comparison points specially: Hold Monster (similar effect on target at 5th level already, for Bard and Sorcerer up-castable to 6th level for 2 targets) and then as actual 6th level aternatives, Mass Suggestion and Mental Prison (in XGtE so paywalled link), which also can be used to take enemies out of a fight, and for which Mass Suggestion has great utility use as well. There doesn’t need to be comparison against the original version of Eyebite. You can also compare to other spells up to level 6, if you think they’re relevant for the same role.

Goal of the homebrew: Eyebite should be an equal contender, when the character reaches the point where they can choose these spells.

Does this Enhanced Eyebite, description below, meet the above goal?


Enhanced Eyebite

Level: 6th
Casting Time: 1 Action
Range/Area: Self
Components: V, S
Duration: Concentration, 1 hour
School: Necromancy
Attack/Save: WIS Save

For the spell’s duration, your eyes become an inky void imbued with dread power. One creature of your choice within 90 feet of you that you can see must succeed on a Wisdom saving throw or be affected by one of the following effects of your choice for the duration. On each of your turns until the spell ends, you can use your action to target another creature. If you target a creature again after it has succeeded on a saving throw against this casting of Eyebite, the creature has advantage on its saving throws.

Asleep. The target falls unconscious. It wakes up if it takes any damage or if another creature uses its action to shake the sleeper awake.

Panicked. The target is frightened of you. On each of its turns, the frightened creature must take the Dash action and move away from you by the safest and shortest available route, unless there is nowhere to move. If the target moves to a place at least 90 feet away from you where it can no longer see you, this effect ends.

Sickened. The target has disadvantage on attack rolls and ability checks. At the end of each of its turns, it can make another Wisdom saving throw. If it succeeds, the effect ends. If it fails, it takes 2d8 points of necrotic damage.

When cast at higher levels: The distance needed for Panicked effect to end increases by 10 feet for each level above 6th. The damage done by Sickened effect increases by 1d8 for each level above 6th.


Notes: Changes to original are highlighted for the benefit of those who know the original spell, even though comparison to original is not what I’m asking. The duration is increased to give this spell more utility, and ability to last for several encounters. The range is increased to match Hold Monster. The damage is added to Sickened effect, so it wouldn’t be strictly inferior to Panicked, which also gives the same disadvantages with different and arguable much stronger condition to end the effect. Scaling with level is added to keep the spell competitive at higher character levels. The ability to target same creature again is given so the spell doesn’t become useless if all enemies succeed at their saving throw, but disadvantage is given so that in most situation it’d still be better to do something else than keep spamming Eyebite at disadvantage.

Are d20 Future HP comparable to regular old D&D 3.5 HP?

So, for research reasons, I am interested in the explosive yield of the SRD’s Hellball with its 40d6 damage over a 40′ radius. However, I have come up with two wildly disparate results based on the path taken, so I believe there’s a logical issue somewhere, but my math pointed me at an odd result, namely that d20 Future uses a different "scale" of hit point than a regular fantasy D&D 3.5e game would. Is this correct, or have I gone awry somewhere?

Path 1: conversion-by-damage-dice

As pointed out by Hey I Can Chan in an answer to a similar question, the Nuclear Missile from d20 Future, with its said-to-be-1MT warhead, does 16d8 damage, which is roughly equivalent to 21d6 according to his translation of the damage dice. Extrapolating linearly from this datapoint puts us at a Hellball yield of ~2MT, which is certainly hellish enough!

Path 2: conversion-by-effective-radius

However, to try to cross-check this answer, I took the 40′ damage radius provided by Hellball, mapped it to the "nothing survives" fireball radius of a nuclear warhead, and took the NUKEMAP for a spin. However, even with a surface blast from the tiny 20ton Davy Crockett, I get a fireball radius of 20m, or over 60′; getting a smaller fireball than that requires going to a 10-15ton yield, although model uncertainties become limiting at this small scale.

Of course, if you try to plug the Path 1 answer of 2MT into NUKEMAP, you get a far larger fireball of about a mile wide. Furthermore, 16d8 of raw energy damage sounds like a lot…but in the context of anywhere-close-to-upper-level D&D 3.5 characters, even with no saving throw, resists, or SR, the 128 maximum damage it produces is quite tankable. For example, the character that prompted this inquiry has 220HP with only their gear warding them, and still manages 112HP stark naked.

As a result, I am sitting here wondering if I’m barking up the wrong tree somewhere.

Is this Will’O’Wisp Homebrew Comparable to other Pact of the Chain Familiars?

For a level 3 one shot I will be playing a Warlock who made a deal with the ghost of a wizard to help find a way to revive the wizard, and by carrying soot from the wizard’s final resting place in a locket, they stay near me and give me warlock powers. Because of this, I thought it’d be cool to have a ghost familiar through Pact of the Chain and since no ghost-like undead are CR 1, I decided to nerf a Will’O’wisp from CR 2 to 1.

For reference, here’s the original Will’O’Wisp and here are the Quasit and the Imp which are CR 1 creatures available through Pact of the Chain.

Is the following Will’O’Wisp homebrew comparable, or at least less powerful that other familiars at level 3? The two skills were added to flavour the creature as a wizard’s ghost and to give some utility outside of combat.

Will’O’Wisp

tiny celestial (since the Find Familiar spell only creates fiends, fey, and celestials, not undead)


Armor Class 13

Hit Points 10

Speed 0 ft, fly 40 ft (hover)


STR 1 (-5) Dex 15 (+2) CON 10 (+0) INT 16 (+3) WIS 12 (+1) CHA 11 (+0)


Skills: Arcana +5, History +5

Damage Resistance: necrotic; thunder; bludgeoning, piercing, and slashing from non-magical attacks

Damage Immunities: lightning, poison

condition Immunities: grappled, poisoned, prone, restrained

Senses: darkvision 120 ft, passive perception 11

languages: common

challenge: hopefully 1 (200 XP)


Ephemeral. The will-o’-wisp can’t wear or carry anything.

Incorporeal Movement. The will-o’-wisp can move through other creatures and objects as if they were difficult terrain. It takes 5 (1d10) force damage if it ends its turn inside an object.

Variable Illumination. The will-o’-wisp sheds bright light in a 5- to 20-foot radius and dim light for an additional number of feet equal to the chosen radius. The will-o’-wisp can alter the radius as a bonus action.


Actions:

Shock. Melee Spell Attack: +4 to hit, reach 5 ft., one creature. Hit: (2d8) lightning damage.

Invisibility. The will-o’-wisp and its light magically become invisible until it attacks or uses its Consume Life, or until its concentration ends (as if concentrating on a spell).

Is the vulnerability described in rfc6749 10.16 for implicit Flow is comparable to “man in the middle”?

I’m trying to understand if the vulnerability described in the specification for implicit flow : link is the same principle of a man in the middle attack. From what I understood, the malicious client get in the way of the access token grant and then impersonate an issuer. Yes he isn’t really “in the middle” like the aforementioned but there’s still an impersonation in place.

I’m asking here because there might be some concepts I didn’t grasp and I want to gain a full understanding of what I’m trying to implement.

Thank you in advance for enlightening me.

Does File-Based Encryption offer comparable security to Full-Disk Encryption on Android?

Between version 4.4 and 9, Android supported Full-Disk Encryption (FDE). On Android 7, a new system called File-Based Encryption (FBE) was introduced, and was subsequently made mandatory on Android 10.

The primary upside cited in the page for File-Based Encryption is the usage of Direct Boot, allowing you to use specific features before the device has first been unlocked, such as alarms or similar. As this seems primarily focused on User Experience, I am worried that the security will suffer from this choice.

My question is, does File-Based Encryption offer comparable security to Full-Disk Encryption? Are there any major downsides or flaws with it? And if so, which ones?

XSS exploitation tools written in PHP/python comparable to BeEF [on hold]

I asked already a similar question. But for most it was not clear what I was asking about. Now I try my best and clarify as much as possible.

I tested XSS-exploitation tools: JSShell, BeEF, xssshell-xsstunnell and JShell. But was not satisfied (reasons below).

BeEF and co. are simply “command & control” (C&C) tools (with some extra exploits added as bonus) which obviously need to run on a public server to create a “communication channel” between an attacker and a victim. Now BeEF is written in ruby, but most websites are using PHP (79.1% in 2019) and often have also natively python installed. Many hosting providers don’t give you root access. That makes it a bit odd that someone comes to idea to write C&C in ruby or even in ASP.NET since one would expect it to be written in PHP or python.

I wanted to bypass such restrictions (if even possible?) and still (!) use it on my local machine but allow it being accessible from the the outside. Yes! By using VPN and reverse proxy: https://serverfault.com/questions/979393/hosting-files-on-local-machine-behind-a-nat-which-can-be-accessed-from-public-se But I will need to test it and as far as haven’t tested it remains an open problem for me and I will just try existing tools.

Question:

Are there any C&C tools which are comparable in quality to BeEF (since it offers many useful features which I miss in other tools which I tested so far) but written in PHP or python? Most tools which I’ve seen so far aren’t comparable in quality to BeEF or written in other scripting languages or for other platforms like Windows Server. I googled but maybe I’m overlooking something.

Because currently it appears to me that if you want to fully exploit XSS you need to rent a server which supports ruby or ASP.NET. This is absolute valid, but not far from ideal.

How to compare objects which are having multiple comparable field-values?

class File {   // Descriptive fields   string name;   string id;   string uploader_id;    // ----Comparable fields----   uint   downloads;  // 40% importance   uint   size_in_bytes;  // 20% importance   time_t time_millisec_created;  // 20% importance   time_t time_millisec_last_used;  // 20% importance }; 

In an array of such File objects, I want to find out an element from an array, which is delete-able. This element can be decided based on the “Comparable fields” mentioned above. Lower the value, it’s more delete-able.

Now, I can’t make a simple comparator operator due to complexity involved of percentage value.

What is a reasonable & rational way of comparing 2 such File objects?

Why doesn’t Comparable include any type bound? [on hold]

Why do you think the definition of Comparable<T> lacks an upper bound on T?

That is, why is it not defined as:

Comparable<T extends Comparable<?>> 

or

Comparable<T extends Comparable<? super T>> 

Wouldn’t the latter two proposals be closer to the intended correct use of the interface?

The interface documentation starts with the following sentence, suggesting that it’s intended to be used as T implements Comparable<T>:

This interface imposes a total ordering on the objects of each class that implements it.

Is it just for backward compatibility with pre-generic code?

How do I create comparable security to PHPmyadmin?

I have a website hosted by netfirms, and phpmyadmin is part of the package.

It’s a very powerful general tool, but it takes a while to load and there are some very long and specific tasks I need to do weekly.

I could easily write a php page that does all of these tasks for me, but some of these tasks include “changing prices” or “removing products”. These are tasks I would not want anyone on the internet to be able to perform.

I know I’ll never reach perfect security, but I’d like it to be no worse than it is now.

Ideally I’d like a solution that will work on any computer with internet access I can get a USB stick to. (I don’t want to have to run an installer for each new computer.)

Length of a stretched gnupg passphrase that is comparable in strength to an unstretched string of 256 random bits

Assume that we want to encrypt a file with gnupg using AES-256 as the encryption algorithm. (Hence, symmetric encryption.)

In this mode, gnupg requires a passphrase from the user. I understand that gnupg then derives from this passphrase a 256-bit key, which it uses for encryption.

This question is about choosing a passphrase that is at least as difficult to crack as the rest of the encryption scheme.

Now, passphrases are typically strings of printable characters, but if we used a random 256-bit string as the “passphrase”, then such a “passphrase” would be at least as secure as the rest of this encryption scheme.

In contrast, a passphrase consisting of a single ASCII character (8 bits) would probably not be deemed secure, since it would be too easy to guess through a brute-force search.

The comparison between the strentgth of the passphrase and the strength of a random 256-bit key is not straightforward, however, for at least two reasons.

First, in order to derive the key from the passphrase, gnupg uses “passphrase stretching”, which increases the computational cost of performing a brute-force search for the passphrase.

Second, passphrases are made of printable ASCII characters, so a 32-character (== 256-bit) passphrase, even if it were a random string of printable ASCII characters, would still have less entropy than a random 256-bit key, despite having the same number of bits.

So my question is, if we take into account both gnupg’s passphrase stretching as well as the fact that passphrases consist of printable ASCII characters, what would be the length of the shortest random passphrase that would be equally hard to guess as a random 256-bit string without passphrase stretching?