I think my DM is consistently faking dice rolls for saves against a specific spell; how do I call my DM out?

I’ve been watching one of our players repeatedly cast toll the dead (Xanathar’s Guide to Everything, p. 169), across seven sessions, and a dozen different combat encounters, and the DM has never once allowed her to do any damage with the cantrip. She has a spell save DC of 16, yet our DM always “mysteriously” rolls the saving throw.

Obviously, “just quit the game”, “that group is not for you”, are the answers most folks will immediately suggest, but I’m not the one playing a warlock and I feel like telling her to quit would be awfully rude of me. She’s a really quiet and shy person, and I can’t help feeling like someone needs to stand up and defend her. Last session she looked like she was on the verge of tears.

Anyone have a creative method of calling your DM out for being a dice cheat in front of the entire group? I’m really disgusted by his behavior and I’m guessing that statistically speaking the permutation is so large by this point that his monsters have won the powerball ten times over.

Circumventing inbound traffic rule by faking reply traffic

My question is about security groups/firewalls and protecting a virtual private cloud from the external world. Here is a description of VPC default policy for inbound/outbound traffic (on AWS):

Each security group by default contains an outbound rule that allows access to any IP address. It’s important to note that when an instance sends traffic out, the security group will allow reply traffic to reach the instance, regardless of what inbound rules are configured.

I was wondering if there exists an attack vector where a malicious user tries to circumvent the VPC’s inbound policy (i.e. block all traffic) by tricking it into thinking that the incoming traffic is “reply” traffic? Does such an attack have a name in the literature?

I can also think of a scenario where a target machine T (within a VPC) sends a request to some valid server V, but the malicious user M sends a malicious response to T (tricking it into believing that it comes from V) before T receives the actual response from V, thence circumventing T’s inbound traffic policy.

What prevents a website from faking signing from a trusted certificate authority? [duplicate]

I have a question about SSL (TLS) certificate signing authorities. How does this validation work? I know the browser has copies of (the public?) keys of the major signing authorities, but how does the comparison work when they receive encrypted data from a server and the server claims its certificate was signed by one of those signing authorities? What prevents the owner of the server sending the SSL data from faking ownership of the certificate signing authority?