If current time in milliseconds is considered good enough random seed for a pseudorandom number generator, why not just use that time directly?

I was reading about pseudorandom number generators, how they need a seed, and how that seed is usually the current system time in milliseconds. One of the most common algorithms is the linear congruential generator, an algorithm that, based on some fixed constants and this seed, produces the final pseudorandom output through some mathematical computations.

But what are the disadvantages of using this time directly as a pseudorandom number?

There is not enough space on http://myCompany.com

I am using SP 2010 and tried to copy a lot of files to a document library using the file explorer. I got this error:

There is not enough space on http://myCompany.com. You need an additional 13,4 GB to copy these files

I tried uploading only small parts, and only the first 3 parts worked. The fourth part gave me the same error again, but with another GB value:

There is not enough space on http://myCompany.com. You need an additional 2,4 GB to copy these files

What is going wrong? I do not have a site collection quota!

Here is a screenshot of the site collection quota. There is no limit.

Is an index, nonce and HMAC good enough for session management?

I’m researching session management for web applications. I’ve been looking at a couple of places, and my understanding is that we shouldn’t use a secret as the session identifier (index), because it can lead to timing attacks.

Let’s say, for the sake of performance, sessions on the server side are stored in cache/memory, and the index is reset (e.g. starts back at 1) every time the server restarts or they are all purged.

session_payload = index || HMAC(server_key, index) 

But doing it like that would leave room for replay attacks, right? An attacker could generate a bunch of session payloads and store them for later to hijack sessions. Something is needed to make each session payload unique to prevent that, right?

So what about:

payload = index || nonce
session_payload = payload || HMAC(server_key, payload)

If my understanding is correct, the nonce just needs to be unique to make the session payload unique. Should it be just the output of a CSPRNG, an RNG, or the current time (milliseconds? nanoseconds?)? What are the caveats of each?

So if the above is done right, it should be able to avoid:

  • Timing attacks.
  • Volume attacks.
  • Replay attacks.*
  • Tampering.

Right? And are there any other attacks I should be aware of? Please exclude session fixation; that can be mitigated via session payload regeneration on privilege escalation.

* What I define by a replay attack is that adversaries could store pre-computed session payloads and hijack sessions later, hence the use of the nonce.
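One concrete way to build and check the index || nonce || HMAC construction asked about above, as an added example that is not part of the original post: the nonce comes from a CSPRNG, both the tag and the nonce are compared in constant time, and a simulated restart shows why the nonce is needed once the index resets to 1. The server key, the field lengths and the in-memory session table are assumptions made for the demo.

```python
import base64, hashlib, hmac, secrets

INDEX_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32  # byte lengths of index, nonce, HMAC-SHA256 tag


class SessionStore:
    """In-memory session table; the index restarts at 1 whenever the store is (re)created."""
    def __init__(self, server_key: bytes):
        self._key = server_key
        self._next_index = 1
        self._sessions = {}  # index -> (nonce, session data)

    def issue(self, data: dict) -> str:
        index, nonce = self._next_index, secrets.token_bytes(NONCE_LEN)  # nonce from a CSPRNG
        self._next_index += 1
        self._sessions[index] = (nonce, data)
        payload = index.to_bytes(INDEX_LEN, "big") + nonce
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode()

    def lookup(self, token: str):
        """Return the session data for a valid token, or None."""
        try:
            raw = base64.urlsafe_b64decode(token)
        except ValueError:
            return None
        if len(raw) != INDEX_LEN + NONCE_LEN + TAG_LEN:
            return None
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare, no timing leak
            return None
        record = self._sessions.get(int.from_bytes(payload[:INDEX_LEN], "big"))
        # The nonce binds the token to this exact record: a token minted for index 1 before a
        # restart still carries a valid tag, but not the fresh nonce of the new index-1 session.
        if record is None or not hmac.compare_digest(record[0], payload[INDEX_LEN:]):
            return None
        return record[1]


def demo():
    # Returns (genuine token accepted, tampered token rejected, pre-restart token rejected).
    key = secrets.token_bytes(32)  # constructed server_key for the demo only
    store = SessionStore(key)
    token = store.issue({"user": "alice"})
    raw = bytearray(base64.urlsafe_b64decode(token)); raw[-1] ^= 1  # flip one tag bit
    tampered = store.lookup(base64.urlsafe_b64encode(bytes(raw)).decode()) is None
    valid = store.lookup(token) == {"user": "alice"}
    store = SessionStore(key)  # simulated restart: same key, table purged, index back to 1
    store.issue({"user": "bob"})
    return valid, tampered, store.lookup(token) is None
```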

Could a regenerating troll feed enough stirges to live off them?

We are working on creating a room that is a self-sustaining ecosystem (like ecosystem aquariums but with creatures) that is an obstacle for PCs to pass (as part of an entire “Island of Dr. Moreau” filled with these ecosystems.)

Our current thought is a mad wizard who has set up a room with hundreds of stirges fed by a regenerating troll in a box that only allows as many stirges to feed on him at once as it can regenerate. Ideally, the troll could occasionally grab and eat some of the stirges as well.

The question we have is what guidance is there anywhere across the game or previous adventures or interviews with designers to calculate any or all of the following:

  1. The amount a creature needs to eat each day to survive.

(This would give the number of stirges the troll could support and the number of stirges the troll needs to eat per day.)

  2. Whether there is any known gestational period for stirges.

(This would allow us to answer the question of whether or not a troll could actually survive on something feeding on its regenerating blood – and allow us to calculate the equilibrium state for the number of stirges supported.)

We use DnD to teach kids math, biology and physics. If we can make scenarios that teach various principles while also fitting with existing game guidance – it is a double win.

Of note, the underlying assumption in this scenario, of course, is that a troll’s regeneration has a magical aspect to it, given how fast trolls regenerate and given that there is nothing describing how much they have to eat based on what they regenerated. (Proportional eating would be required if regeneration was a purely physical phenomenon.)

Would Vicissitude alone be enough to produce flying animal ghouls?

I’m running a Dark Ages campaign and one of the players is a young Tzimisce vampire, left in service of Gutka in Poland. While there, he decided to invent winged hussars several hundred years early, but instead of winging the hussar, he’d prefer to use Vicissitude III to shape horses into wing-bearing, flight-capable death cavalry machines, ghouled to their rider. Extra armour in bone included.

To me, this seems incredibly cool, yet I cannot see whether such proficiency in Vicissitude actually allows such a feat.

How to create a user with the least privileges/permissions but enough to do ssh tunneling?

I want to use SSH Tunneling on my local machines to bypass government restrictions. I’m talking about creating a socks proxy server using a ssh connection.

ssh -f -N -D 1080 admin@server1.example.com 

This works perfectly right now. But I want to pass this on to a few other people (friends and family members). The thing is, right now I’m using an admin user to do this. I thought I should probably just create a non-admin/guest user for each person.

I’m a bit worried that they might decide to ssh in normally and mess with the server, or that they lose the login credentials or they get into a hacker’s hands.

That’s why I wanna take it one step further and just limit them to the point where they literally can’t do anything harmful, but with just enough functionality to run the ssh tunneling.

So what do I do after adduser <username>?

Is an 8-character-long password reset token strong enough?

I am testing this website. In its password reset functionality it provides a link with a token, like most websites. Now I asked for multiple password reset links to see any pattern in the tokens, and this is what I noticed: all the tokens had 8 characters, all alphabetic, capital and small, no numbers or special characters. Would you consider it a weak token? If so, how long would it take to brute force such a token, considering you have a good computer and internet connection? Also, with each account it appears that a password reset token is attached; it never changes no matter how many times I ask for a password reset link, it always comes with the same token for that particular account. Wouldn’t you consider that a vulnerability?