Does Evasion allow half damage even when unconscious?

Evasion is a class feature gained by Rogues and Monks at level 7:

At 7th level, your instinctive agility lets you dodge out of the way of certain area effects, such as a blue dragon’s lightning breath or a Fireball spell. When you are subjected to an effect that allows you to make a Dexterity saving throw to take only half damage, you instead take no damage if you succeed on the saving throw, and only half damage if you fail.

Does this feature allow a character to “dodge” area effects, taking half damage, even if they are unconscious?

Does Telekinetic Projectile allow choosing both projectile and target within range even if they are further apart than 30 feet?

Telekinetic Projectile allows you to "hurl [an] object that is within range […] at the target". The spell’s range is 30 feet.

My reading of this is that both the target and the object must be picked from within 30 feet from the caster. But nothing states that the path that the projectile flies (from object to target) must be less than 30 feet.

Are my assumptions correct or have I missed any relevant rules?

Also, if so, does the path between them have to be clear as to not provide Cover for the target?

Object <- 30ft -> caster <- 30ft -> target
       <-         ~60ft          ->

For every imperative function, is there a functional counterpart with identical performance or even instructions?

Currently, I haven’t learned about a functional language that can achieve the same performance as C/C++. And I have learned that some languages that favor functional programming to imperative programming, such as Scala and Rust, use imperative ways to implement their library functions for better efficiency.

So here comes my question: on today’s computers that execute imperative instructions, is this a limitation of the compiler or functional programming itself? For every imperative function with no side effects, either in a language without GC such as C/C++/Rust/assembly or one with GC such as Java, is there a pure functional counterpart in Haskell, Scala, etc. that can be compiled to run with identical performance in time and space (not just asymptotic but exactly the same) or even to the same instructions, with an optimal functional compiler that utilizes all modern and even undiscovered optimization techniques such as tail recursion, laziness, static analysis, formal verification, and so on which I don’t know about?

I am aware of the equivalence between λ-computable and Turing computable, but I couldn’t find an answer to this question online. If there is, please share a compiler example or a proof. If not, please explain why and show a counter-example. Or is this a non-trivial open question?

Can’t use /wp-json/wp/v2/plugins API endpoint even as administrator

Using Basic Authentication as an Administrator, I am getting an error code 401 Unauthorized : [rest_cannot_view_plugins] Sorry, you are not allowed to manage plugins for this site. error when I attempt to access the GET /wp-json/wp/v2/plugins endpoint of my server. I can pull Post and Page info with no problem, but when I query against the plugins, I’m getting the 401 error. I’ve confirmed that the userid used in the API call should be able to manage plugins using the CLI tool:

    # wp user list-caps $USER | grep plugin
    activate_plugins
    edit_plugins
    update_plugins
    delete_plugins
    install_plugins

Any pointers would be appreciated.

Are hardware security keys (e.g. ones supporting Fido2) “able to protect authentication” even in case of compromised devices?

Correct me if I am wrong, please.

I understand that 2FA (MFA) increases account security in case an attacker obtains a password which might be possible via various ways, e.g. phishing, database breach, brute-force, etc.

However, if the 2FA device is compromised (full system control) which can also be the very same device then 2FA is broken. It’s not as likely as opposed to only using a password but conceptually this is true.

Do hardware security keys protect against compromised devices? I read that the private key cannot be extracted from those devices. I think about protecting my ssh logins with a FIDO2 key. Taking ssh as an example, I would imagine that on a compromised device the ssh handshake and key exchange can be intercepted and the Fido2 key can be used for malicious things.

Additionally: Fido2 protects against phishing by storing the website it is set up to authenticate with. Do FIDO2 and openssh also additionally implement host key verification or doesn’t it matter because FIDO2 with openssh is already asymmetric encryption and thus not vulnerable to MitM attacks?

Does a natural 20 on an attack cause a critical hit (even if the attack would have missed)?

Related question

I was going over the degrees of success rules in relation to the above question and its answers and came across a bit of rules that seem contradictory.

Step 4: Determine degree of success (Core Rulebook, General Rules, Checks p445)

You critically succeed at a check when a check’s result meets or exceeds the DC by 10 or more. If the check is an attack roll, this is sometimes called a critical hit. You can also critically fail a check. The rules for critical failure—sometimes called a fumble—are the same as those for a critical success, but in the other direction: if you fail a check by 10 or more, that’s a critical failure.

If you rolled a 20 on the die (a “natural 20”), your result is one degree of success better than it would be by numbers alone.

We are, in general, pretty familiar with this concept introduced in the playtest era. However, there are more rules that seem like they may be more specific.

Critical Hits (Core Rulebook, Equipment, Weapons, Attack Rolls p278)

When you make an attack and roll a natural 20 (the number on the die is 20), or if the result of your attack exceeds the target’s AC by 10, you achieve a critical success (also known as a critical hit).

If you critically succeed at a Strike, your attack deals double damage (page 451). Other attacks, such as spell attack rolls and some uses of the Athletics skill, describe the specific effects that occur when their outcomes are critical successes.

This second section makes no accounting for "would have been a success/hit", and says that "When you make an attack and roll a natural 20 […] you achieve a critical success." Does this make attack an exception to the rules that natural 20’s only take you one degree higher on success?

How is AMP-Same-Origin: true even remotely secure?

In the AMP Docs, the following snippet is given:

If the Origin header is set:

  1. If the origin does not match one of the following values, stop and return an error response:

    • <publisher's domain>

    • the publisher’s origin (aka yours)

      where * represents a wildcard match, and not an actual asterisk ( * ).

  2. Otherwise, process the request.

If the Origin header is NOT set:

  1. Verify that the request contains the AMP-Same-Origin: true header. If the request does not contain this header, stop and return an error response.
  2. Otherwise, process the request.

What I don’t understand is how the AMP-Same-Origin header provides a form of security.


Couldn’t anyone provide an AMP-Same-Origin: true header in a browser missing the Origin header and skip CSRF protection even if it’s not on a trusted AMP CDN?
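The request check quoted in the question above, written out as a server-side function. This is an added example, not code from the AMP docs or from the original post; the function names and the allowed-origin list (`publisher.example`, `*.cdn.example`) are constructed placeholders, since the quoted list is incomplete on this page.

```javascript
// Added example: the quoted Origin / AMP-Same-Origin check as a plain function.
// ALLOWED_ORIGINS is constructed; substitute the list from the AMP docs
// plus your own origin.
const ALLOWED_ORIGINS = [
  'https://publisher.example',             // publisher's own origin (constructed)
  /^https:\/\/[a-z0-9-]+\.cdn\.example$/   // wildcard-style cache origin (constructed)
];

function originAllowed(origin) {
  return ALLOWED_ORIGINS.some((rule) =>
    rule instanceof RegExp ? rule.test(origin) : rule === origin);
}

// headers: object with lower-cased header names, as Node's http module provides.
function checkAmpRequest(headers) {
  const origin = headers['origin'];
  if (origin !== undefined) {
    // Origin present: it must match the allow-list, whatever else is sent.
    return originAllowed(origin)
      ? { ok: true, reason: 'origin-allowed' }
      : { ok: false, reason: 'origin-not-allowed' };
  }
  // Origin absent: require the custom marker header.
  if (headers['amp-same-origin'] === 'true') {
    return { ok: true, reason: 'same-origin-header' };
  }
  return { ok: false, reason: 'missing-origin-and-marker' };
}

// Constructed sample requests covering each branch of the quoted procedure.
function demo() {
  return {
    sameOriginXhr: checkAmpRequest({ 'amp-same-origin': 'true' }),
    cacheOrigin: checkAmpRequest({ origin: 'https://publisher-example.cdn.example' }),
    // A foreign Origin is rejected even if the marker header is also present.
    foreignWithMarker: checkAmpRequest({
      origin: 'https://other.example', 'amp-same-origin': 'true' }),
    opaqueOrigin: checkAmpRequest({ origin: 'null' }),
    bare: checkAmpRequest({})
  };
}
```

The check constrains what a browser will send on a user's behalf: a script on another site cannot attach a custom header to a cross-origin request without a CORS preflight, and that request carries an `Origin` header, so it lands in the first branch. It is CSRF protection only and does not authenticate the client, so session or token checks still apply to every request that passes.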

Chrome vulnerabilities are detected in vulnerability scan even after upgrading to the latest versions

Had a few Chrome vulnerabilities [CVE-2020-6420] detected by BI (Retina). Upgraded the affected machines to Chrome version 84.0.4147.89. After a re-scan, the same vulnerabilities are still detected.

Has anyone experienced this before? Please help to resolve it.

Is it possible that my personal photos on my smartphone may end up on the internet even if I never uploaded or synced them anywhere on the internet?

Sorry if it's a dumb question. I am pretty sure that my smartphone (android miui11) is constantly sending various data to its servers anytime when the internet is on. So, does it send my personal photos to the servers? Or any data related to my personal photos? Can this be a threat? Like if someone at the servers could see and upload my photos somewhere else on the internet?

A lot of my Windows drivers have expired dates for the certificate, and some are not even signed. Is this normal?

I just gathered all the drivers in my system32/drivers folder and checked their certificates (my Windows is updated and it's Windows 10 x64).

But I found that so many of them have an expired certificate, and some are not even signed! (pictures included)

So my questions are:

  1. Is this normal? If not, what should I do? And if not, then why are the expiration dates expired?

  2. How are these drivers able to get loaded when they have no certificate or it's expired? My system is W10 x64 with secure boot enabled; I thought you can only load signed drivers with valid certificates?

  3. What is the role of these countersignatures, put simply? I tried reading MSDN and other websites but couldn’t understand what the need for this is.

Here are some examples:

WindowsTrustedRTProxy.sys (countersignature is also expired) :


winusb.sys (no certificate) :
