Mechanics of a town where magic doesn’t work

I’m planning a campaign and I want to have a village where magic doesn’t work. You can’t cast spells, magical items lose their ability, things like that.

I am fairly new to the lore and mechanics of the D&D world so I don’t have a good grasp on how to do this. I could say the village is cursed but that opens up who and why questions I don’t want my adventurers distracted by. I want something more like, the village happens to lie in a pocket that is disconnected from the magic plane (if that’s a thing). How could that work?

Privilege Escalation – WildCard Injection doesn’t work

I have a cronjob that runs a backup script every minute.

As you can see, this script is vulnerable to a TAR command injection because it accepts * (wildcard) as input.

I add 2 files called “checkpoint..” (parameter) for the TAR command, where I say to execute the shell script that adds an entry to my /etc/sudoers file in order to do a Priv Esc.

In this way, crontab should run backup.sh every minute, which executes the TAR command, which executes my shell script that adds an entry to /etc/sudoers as root.

But it doesn’t work; as you can see, /etc/sudoers is the same as before.

But if I run the backup.sh script manually (not using the crontab), it works!

What am I doing wrong?

Thanks
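
The defensive counterpart to the backup job described in the post above, as an added example that is not part of the original post: it flags file names that an unquoted `*` would hand to tar as options, and archives the directory without expanding a glob at all. The function names, the temporary paths and the file name `--option-like-name` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and paths are hypothetical.

# Print the names in directory $1 that start with '-'. An unquoted `*` in a
# script run from that directory expands to these names, and tar then parses
# them as options instead of as files to archive.
find_option_like_names() {
    for f in "$1"/-*; do
        # If the glob matched nothing it stays literal; skip that case.
        [ -e "$f" ] || [ -L "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}

# Archive directory $1 into $2 without expanding any glob: tar walks the
# directory itself, so file names never appear on its command line.
# (If a glob is unavoidable, `tar -cf "$out" -- ./*` has the same effect:
# `--` ends option parsing and `./` keeps every name from starting with '-'.)
safe_backup() {
    tar -cf "$2" -C "$1" .
}

# Backup step for a cron job: archive safely, then report option-like names
# so that someone looks at who created them. Returns 2 when any were found.
audited_backup() {
    safe_backup "$1" "$2" || return 1
    suspicious=$(find_option_like_names "$1")
    [ -z "$suspicious" ] && return 0
    printf 'option-like file names in %s:\n%s\n' "$1" "$suspicious" >&2
    return 2
}

# Demo on constructed sample data in a temporary directory.
demo_dir=$(mktemp -d)
: > "$demo_dir/data.txt"
: > "$demo_dir/--option-like-name"      # constructed, harmless file name
audited_backup "$demo_dir" "$demo_dir.tar" || echo "audit status: $?"
tar -tf "$demo_dir.tar"
rm -rf "$demo_dir" "$demo_dir.tar"
```

The archive path is kept outside the source directory so that tar does not try to add the archive to itself.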

John the Ripper doesn’t crack passwords when I use wordlists

Title says it all, I can’t tell if John is just crashing or “gives up” on cracking the hash. First I start off by creating an md5 hash out of a word I KNOW is on the rockyou.txt wordlist:

echo -n 'password' | md5sum > testhash 

After removing the hyphen at the end of the test hash file:

5f4dcc3b5aa765d61d8327deb882cf99 

Now I attempt to crack the md5 hash using the following John the Ripper command:

john --format=raw-md5 --wordlist= /usr/share/wordlists/rockyou.txt testhash 

I get the output:

    Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8*3])
    No password hashes left to crack (see FAQ)

Then I run:

john --show testhash 

Which outputs:

0 password hashes cracked, 2 left 

Sorry if I’m doing something terribly wrong, but I’m at a loss here. I’m assuming it’s something wrong with how my installation of John on Kali Linux is handling the wordlist. Thank you in advance!

I use a SendMessage function for my melee attack, but it doesn’t work

I have a melee attack script that works like a charm for the other enemy. But for this one enemy, it doesn’t work. This is the script for the melee attack which utilises the SendMessage function. You can see that there is a Debug.Log statement whenever my player hits something. For the enemy that doesn’t work, when in game, the message is sent, but the effect doesn’t happen. Weirdly enough, the particles instantiate, but the enemy health doesn’t work. This is the melee attack script (only the SendMessage function):

    private void CheckAttackHitBox()
    {
        Collider2D[] detectedObjects = Physics2D.OverlapCircleAll(attackHitBoxPos.position, attack1Radius, whatIsDamageable);

        attackDetails[0] = attack1Damage;
        attackDetails[1] = transform.position.x;

        foreach (Collider2D collider in detectedObjects)
        {
            collider.transform.parent.SendMessage("Damage", attackDetails);
            Debug.Log("MessageSent");
        }
    }

This is my enemy script that receives the message:

    private void Damage(float[] attackDetails)
    {
        currentHealth -= attackDetails[0];

        Instantiate(hitParticle, transform.position, Quaternion.Euler(0.0f, 0.0f, Random.Range(0.0f, 360.0f)));

        //the x position of the player is greater than the x position of the enemy
        if (attackDetails[1] > transform.position.x)
        {
            damageDirection = -1;
        }
        else
        {
            damageDirection = 1;
        }

        if (currentHealth <= 0.0f)
        {
            Die();
        }
    }

Doesn’t installing a TOTP client on your primary PC undermine the whole point of 2FA? [duplicate]

Authy is a popular cross-platform TOTP application that supports syncing keys across devices. I have been a little confused by the idea of having a desktop client… This way if someone accesses my primary PC they’d find all my passwords saved in my browsers, and would have access to my TOTP keys as well…

Doesn’t installing a TOTP client on your primary PC undermine the whole point of 2FA?

NMinimize doesn’t work with Defined function and data set

I have a data set

    data = {{-35., 0.315382}, {-30., 0.510487}, {-25., 0.808823}, {-20., 1.25604},
       {-15., 1.91404}, {-10., 2.86533}, {-5., 4.21811}, {0., 6.11213},
       {5., 8.7253}, {10., 12.2811}, {15., 17.0568}, {20., 23.3919},
       {25., 31.6982}, {30., 42.4692}, {35., 56.2906}, {40., 73.8511},
       {45., 95.9534}, {50., 123.525}, {55., 157.628}, {60., 199.474},
       {65., 250.427}, {70., 312.022}, {75., 385.967}, {80., 474.158},
       {85., 578.681}, {90., 701.827}, {95., 846.09}, {100., 1014.18},
       {105., 1209.02}, {110., 1433.77}, {115., 1691.8}, {120., 1986.71}}

and a function

f[t_, a_, b_, c_] := Exp[a + b/(c + t)]; 

Now I do the NMinimize to find parameters a, b, c by using command:

    NMinimize[
      Total[((f[data[[All, 1]], a, b, c] - data[[All, 2]])/data[[All, 2]])^2],
      {a, b, c}]

The output parameters are wrong. Please let me know what the problem is. Why does NMinimize give wrong results?

Thank you

Hydra Brute-force attack on Gitlab doesn’t work!

I’m using hydra to test my organization’s security since our GitLab is accessible online. I wanted to make sure of the security of the login itself before implementing other types of security measures (e.g. hiding the subdomain, or .htaccess or Recaptcha).

here’s what I’m facing exactly:

the domain is: git.website.com

the URL after it, as a default of GitLab is: /users/sign_in

so if you even type git.website.com it redirects to git.website.com/users/sign_in

my THC Hydra command is :

hydra -l root -P /Users/john/Desktop/realhuman_phill.txt git.website.com http-post-form "/users/sign_in:utf8=%E2%9C%93&authenticity_token=MaxhReOTOWuQz5UjUR4YZ295k%2FGsPiQ2O8UUQE4RHgqhPMsqMP3gPMLfqukhZQJyVyMVgDFlp26sxvE5O1f0XA%3D%3D&user%5Blogin%5D=^USER^&user%5Bpassword%5D=^PASS^&user%5Bremember_me%5D=0:F=Invalid Login or Password." -vv 

I’m using Burpsuite for capturing the request and this is what’s shown:

    POST /users/sign_in HTTP/1.1
    Host: git.website.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://git.website.com/users/sign_in
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 211
    Origin: https://git.website.com
    DNT: 1
    Connection: close
    Cookie: _gitlab_session=fb399cff612eecda0c4a75770700e655
    Upgrade-Insecure-Requests: 1

    utf8=%E2%9C%93&authenticity_token=%2F4y5%2BI62o%2Fi7nfnnwVsdAwCbMhpXqtOW1tnqrLziGyRvHBOXXdh6r%2BmNxi2xIAcWOMG0a8rxUM5B2g%2FVyaTxcg%3D%3D&user%5Blogin%5D=TESTING&user%5Bpassword%5D=TESTING&user%5Bremember_me%5D=0

So when I’m trying to send these parameters to hydra it always returns one of these 2 scenarios:

  1. if I type this command, it just prints the manual:

Command:

hydra -l root -P /Users/john/Desktop/realhuman_phill.txt git.website.com http-post-form "/users/sign_in:utf8=%E2%9C%93&authenticity_token=MaxhReOTOWuQz5UjUR4YZ295k%2FGsPiQ2O8UUQE4RHgqhPMsqMP3gPMLfqukhZQJyVyMVgDFlp26sxvE5O1f0XA%3D%3D&user%5Blogin%5D=TESTING&user%5Bpassword%5D=TESTING&user%5Bremember_me%5D=0:F=Invalid Login or password." -vv 

Result:

    Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-24 13:20:01
    Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

    Options:
      -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
      -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
      -C FILE   colon separated "login:pass" format, instead of -L/-P options
      -M FILE   list of servers to attack, one entry per line, ':' to specify port
      -t TASKS  run TASKS number of connects in parallel per target (default: 16)
      -U        service module usage details
      -m OPT    options specific for a module, see -U output for information
      -h        more command line options (COMPLETE HELP)
      server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
      service   the service to crack (see below for supported protocols)
      OPT       some service modules support additional input (-U for module help)

    Supported services: adam6500 asterisk cisco cisco-enable cvs ftp http-{head|get|post} http-{get|post}-form http-proxy http-proxy-urlenum icq imap irc ldap2 ldap3[s] mssql mysql(v4) nntp pcanywhere pcnfs pop3 redis rexec rlogin rpcap rsh rtsp s7-300 smb smtp smtp-enum snmp socks5 teamspeak telnet vmauthd vnc xmpp

    Hydra is a tool to guess/crack valid login/password pairs.
    Licensed under AGPL v3.0. The newest version is always available at;
    https://github.com/vanhauser-thc/thc-hydra
    Please don't use in military or secret service organizations, or for illegal
    purposes. (This is a wish and non-binding - most such people do not care about
    laws and ethics anyway - and tell themselves they are one of the good ones.)

    Example:  hydra -l user -P passlist.txt ftp://192.168.0.1

which means hydra is not even processing my command, so something is wrong

  2. When I trim down the command, remove UTF8, authenticity_token & remember_me in the POST request and also change the way I write the domain.module.module-options following hydra guidelines:

Command:

hydra -l root -P /Users/john/Desktop/realhuman_phill.txt http-post-form://git.website.com:login=^USER^&password=^PASS^:F=Invalid Login or password. -vv 

Result:

    hydra -l root -P /Users/john/Desktop/realhuman_phill.txt http-post-form://git.website.com:login=^USER^&password=^PASS^:F=Invalid Login or password. -vv
    [1] 75788
    Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-24 13:24:46
    [WARNING] You must supply the web page as an additional option or via -m, default path set to /
    [ERROR] the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^: (null)
    [1]    exit 255   hydra -l root -P /Users/john/Desktop/realhuman_phill.txt
    Login incorrect
    login:

P.S 1: I need to mention that I have thoroughly searched and didn’t get a solution, most videos and guidelines test it on single IP without extra URLs (e.g. /users/sign_in) so they have been practically useless.

P.S 2: git.website.com is obviously fake so if you need a real example to test let me know

I would really appreciate it if you could guide me and correct me where I’m wrong.

Rage benefits for someone who doesn’t attack

I’ve had in mind a character built around defensive and supernatural effects from rage, who doesn’t attack.

Towards this end, I’m using druidic avenger to actually get rage. I’ll take both Blazing Berserker (Sandstorm) and Frozen Berserker (Frostburn) to gain both fire and cold immunity, and Instantaneous Rage (Complete Warrior) to ensure I’m always raging when I need to be.

Extra Rage (Complete Warrior) is obvious.

Other defensive benefits include Ettercap Berserker (Unapproachable East) for a larger Constitution bonus, and Mad Foam Rager (Player’s Handbook II) for delaying the effects of one spell or ability used against me for a round.

Intimidating Rage (Complete Warrior) and various Intimidate optimization tricks are one non-attacking application of rage, and a likely choice here. Still, Intimidate has serious limitations, and druid isn’t a Charisma-based class (though that may matter somewhat less).

Druid spells are great, but can’t be cast while raging without cheesing my way into rage mage (Complete Warrior). So maybe totemist (Magic of Incarnum) would be thematic, and leverage the high Constitution well? Cobalt Rage (idem) is a pretty good feat, after all, and while totem rager (idem) is somewhat lackluster, totem rage certainly fits the bill pretty well. Could maybe do some weird thing where I hit sapphire hierarch too (idem)?

Having written this answer, I’m pretty familiar with other options, like frostrager’s natural armor (Frostburn) and wildrunner’s Dexterity (Races of the Wild), but those aren’t great answers here: natural armor is poor and the frostrager is a huge pain to enter, and the wildrunner’s Dexterity is largely wasted on a character that won’t be attacking with that Dexterity.

And there is stuff I technically can’t get if I go the druidic avenger route. Resilient rage (Dragon vol. 330) would be really nice, but you have to be an implacable barbarian to get it. Ferocity (Cityscape “Urban Class Features” web enhancement) is nice too, but again, technically, that’s a substitution level. Spells and wild shape more than make up for those, but it’s good to be aware of them.

So, can you recommend to me any other rage features that have substantial benefits when not attacking? Defensive benefits, non-attack offense, utility, whatever. Supernatural stuff is great.

All D&D 3.5e Wizards-published materials, as well as Dragon and Dungeon, are valid. Level must be pre-epic, but otherwise doesn’t matter, since I’ll build towards things I cannot currently take. Race and other restrictions should be mentioned, but a lot of “fluff” requirements will be waived so that should be no impediment. The key thing is the options must be

  1. activated by raging, or active during a rage, or in some way tied to the raging status,

  2. provide benefits even when the raging character is not attacking.

I might be convinced to back-port something from Pathfinder, but the Pathfinder barbarian, chained or unchained, as well as the rage powers, are not going to be. It has to be something that makes sense with the 3.5e rage, so probably a feat.

Since this answer was kind of rambling, everything mentioned in this question:

  • Cityscape: ferocity (“Urban Class Features” web enhancement)
  • Complete Warrior: Extra Rage, Instantaneous Rage, Intimidating Rage, rage mage
  • Dragon magazine: implacable barbarian (vol. 330)
  • Frostburn: Frozen Berserker, frostrager
  • Magic of Incarnum: Cobalt Rage, totem rager, sapphire hierarch
  • Player’s Handbook II: Mad Foam Rager
  • Races of the Wild: wildrunner
  • Sandstorm: Blazing Berserker
  • Unapproachable East: Ettercap Berserker
  • Unearthed Arcana: druidic avenger

Why doesn’t my government, and governments in general, provide useful statistics in digital format? [closed]

I live in Sweden, but this applies to all other countries as well.

I have a general interest in, and fascination with, statistics and working with data in databases. By far the biggest obstacle has nothing to do with technically dealing with the database software, writing SQL queries, or designing databases. Rather, the #1 problem is:

Nobody wants to provide useful data!

I have spent a significant part of the last 20 years searching for databases/data files of all kinds. Time and time again, I end up at a “contact us for pricing” webpage, or a “Buy now for only $ 4,799!” text. Oddly, this does not just apply to commercial entities, but also authorities.

Even though the Swedish government has been talking about “open data” and “free information for all” for a very long time, the actual reality is that virtually none of that juicy data is available for you and I to grab and use. Instead, they have multiple layers of “red tape”, requiring you to pay through the nose for any kind of access, and in many cases, you aren’t even allowed to pay for it unless you run a major corporation with special ties to the government. It’s really bizarre.

The data they do allow you to look at is meaningless/shallow statistics, rarely if ever provided in a format which can be reasonably parsed by a computer and fed into my database for further analysis. The so-called “open data for everyone” often consists of nothing more than a bunch of formatted PDFs, useless for my purposes.

I’m not interested in static columns showing how many new people were born in 2020. I want a list of those people, with their names, genders, race, blood type, etc.

I realize that all data cannot be open without heavy abuse inevitably resulting from it. However, at least the Swedish government has this idea of “public records”, where you are theoretically allowed to request all kinds of data. The problem is that they only allow you to do this in person, over phone or via e-mail, and you have to do it manually and only request at most three (3) “units” each time. In practice, this makes it useless unless.

If this information is allegedly “public”, why are they so unwilling to actually make it available? I could send an e-mail to a Swedish government entity right now, requesting all kinds of information (including their full social security number) for a given person, and they will respond within 24 hours with it, no questions asked. I’ve done it many times. However, if I ask them for a Swedish_people.csv file with every person registered in Sweden and the same information I requested manually for one or up to three persons, they will refuse.

Major corporations are able to pay a lot of money to get access to their government APIs, but it costs a fortune and they wouldn’t let me buy access to it even if I had the money (because I don’t run a major company).

It doesn’t make any sense to me. I wonder why they have these double standards, and how they can possibly charge money for “public” records.

A dream of mine would be to be able to do:

    SELECT name, email_address, physical_address, passport_photo
    FROM people
    WHERE current_city = $1 AND gender = $2 AND age >= $3 AND age <= $4 AND civil_status = $5
    ORDER BY distance_from_me DESC;

Of course, this is completely unrealistic, but you get the idea. I wish to have actual, curated records from (semi) trusted sources rather than having to play with the few, measly databases which are freely available to the public at no charge.

A perfect example of something very basic would be the telephone book. Back in the day, they sent out a complete book of every single person’s name, telephone number and address to every household in the entire country. This was standard practice all over the world, I believe. A digital version of that would be a .csv file which I could just download from a government website at a static URL, always kept updated. Nope. Nothing like that. I’m forced to use these third-party, commercial websites where I get to enter individual people’s names and send this information to the company in question. They are paying the government a lot of money to get this information, even though it could be made available for virtually no cost at all.

Why, since they used to provide this information in physical form, is it now unthinkable in the digital age?

Website doesn’t show first when looking for the exact domain name

I need a website to have good results when looking for the domain name.

A quick rundown of my research results :

Searching for -> Results

“le-petit-pois.fr” -> “lepetitpois.fr”, which is another website.

“http://le-petit-pois” -> “lepetitpois.fr”

“https://le-petit-pois” -> “le-petit-pois.fr” (finally the good website)

Seeing that “petit pois” (green beans) is a pretty wide term in French, I focused the SEO on “petit pois+location”. The website is pretty new and I made adjustments to the SEO so that the website would be better ranked for searching the domain.

Weird thing is 2 domains are registered for the website and one is just a redirection. When searching for “le-fraisier.fr” (only redirection on this), it shows the good website as well.

What solution other than putting more value to the domain name in the SEO would be valuable?