How can one mitigate both DOS attacks and online brute force attacks at the same time?

I was recently reading this question, where the accepted answer claims that it is easy for attackers to bypass rate limiting that is based on IP, which makes any sort of IP rate limiting to prevent a brute force attack much less useful. But, if it is based on the account that is a victim, then it becomes very easy for an attacker to block access to a victim’s account. What is the best way to defend against both DOS attacks and online brute force attacks (and anything else that is in this same category)?

Simply sleeping for, for example, 1 second isn’t sufficient because the attacker can simply put in more requests before the first one finishes (1 second latency, but unbounded throughput, and throughput is what matters for brute force). If subsequent requests are blocked until the first one finishes, then they must be blocked per-IP or per-user, which produces the same problem.

2FA isn’t always a good solution either, because, for worse, many people fail to use it.

As a DM, what changes do I need to make to my preparation when transitioning to online play?

I, like many others, have been forced by the current situation to re-evaluate how my games are played. I current run/play in pathfinder 1e and D&D 5e campaigns that have been played entirely in person with pen/paper character sheets and hand-drawn battlemats.

We are investigating the move to online play instead. Likely using a combination of Roll20 and Discord but this question is intended to be digital platform agnostic unless it has significant bearing on the answer.

Specifically I am looking for advice on what parts of my DM preparations need to be modified, extended, added or removed in comparison to in-person play.


Typical preparations for me look like:

  • World Building / Adventure Planning: Large scale worldbuilding in Onenote. Places, people, adventure hooks and lore. Often I am months or even years ahead of my campaign in this area.
  • Session Planning: On a session level I usually go on fairly light on detailed planning. Some stats or details for NPCs and creatures they might encounter in this region. Occasional write-ups of set pieces for specific situations.
  • Encounter Building: I typically build my encounters on the fly. Free handing my battlemat based on the current environment and then choosing appropriate stats for the monsters and NPC.

I have found this style of lots of world prep, little specific session prep, allows me to run a very sandboxed world where I can be ready for pretty much anything my party can throw at me with minimal fuss. However I’m not sure how well it will adapt to online play.


Some things that I am concerned about:

  • Creating encounters on the fly may be more difficult with digital tools. Do I need to pre-make more encounters and maps to keep the game flowing?
  • Decreased immersion due to lack of visuals. Should I prepare visuals for NPCs or environments to help maintain immersion?
  • Other limitations I haven’t even thought of that may arise during the session and be difficult to adapt to without disrupting gameplay.

How Do Online Identiy Verification Companies Ensures Their APIs to Be Not Abused?

I am trying to implement a photo ID verification along with a live-selfie verification on my Android/iOS apps.

I figured that I might be able to implement these features using Python machine learning libraries. However, I have no idea how to prevent hackers from directly sending verification data to my app’s server.

So, these days, many online identity verification companies utilize the “liveness” detection that can prevent users from taking photos of other people’s photos or photos of ID cards. They confirm if the images were not modified. They even make short videos to confirm the liveness.

However, what if the abuser is not a normal user, but a programmer? What can we do if the programmer directly calls our APIs and send photos or videos to the server? Then the liveness detection will become useless because we will not be able to differentiate the selfie directly sent by the programmer from a lively taken new selfie.

Any solutions? I can only guess that the only way to prevent this type of attacks would be making users take random actions generated by the server. Such as saying something on the screen or making users writing down random digits on the paper and take a picture with it.

Strategies for effectively running a temporary online game

Other questions have done a good job of outlining where to find online players and some of the tools available for ongoing virtual games (Roll20, Fantasy Grounds, etc). Many of those tools have a cost associated with them and a large time commitment to configure a custom, homebrew game.

Occasionally, circumstances prevent us from gathering in the way we prefer. The 2020 COVID-19 pandemic is a good example. During those times, finding ways to continue to play together, even if in a non-standard, non-permanent way, is important.

In this question, I’m interested to know what DMs and their players are using to temporarily convert their normal pen and paper, in person gatherings into a system that works with a remote group. I’m specifically interested in answers that address the following common concerns with this type of conversion:

  1. Cost – Low or no added cost (it’s temporary)
  2. Roleplaying – Support for high quality, low delay audio
  3. Content – Support for custom content including maps, handouts, items, etc
  4. Combat – Support for combat positioning, distances, and area effects normally done on a battle mat

Which is less trackable by online services, using a SIM card or free wifi?

I cannot do anything about government agencies, but I doubt that they are interested in me.

I do not like the idea of Google, FaceTweet, etc, compiling data on me.

What’s the best way to prevent them doing so, if I purchase a smartphone – buy a pay as you go (unregistered) SIM, or use only public WiFi? Would a Linux ‘phone make a major difference?

What challenges might I expect from switching to online DMing from exclusively tabletop?

Because of COVID-19 our exclusively in-person sessions are going entirely online. We have downloaded roll 20, and we have voice chat, but beyond that we are fish out of water in the new medium.

What challenges might I expect from switching to online DMing from exclusively tabletop?

How Online Cell Phone Number Listings Can Save You Precious Time and Money

If you have a cell phone number and you want to find out who the owner of it is, there are a number of things that you can do to identify the person in question. Firstly, you could go to a private investigator to do some leg work on your behalf. Secondly, you could turn to the White Pages and search the owner with your finger. Thirdly, you could go to one of the many online databases.
The problem with the first and second options is that they either cost time or money. Private investigators will have their expenses and their basic fee, and it’s not realistic to spend at least a few hundred dollars to get the name behind a phone number list.
The fact is that the White Pages don’t list cell phone numbers, only residential and business numbers. In fact, cell phone numbers are considered personal information and details surrounding them are protected from public display by law.
That leaves the online databases. These databases are leased from the cell phone service providers, like Sprint and Verizon, and are available to the public for a small fee usually (though there are some free databases also). These reverse cell phone lookup services are completely confidential and are fast in delivering the information you require. Just enter the number and soon you’ll know who that mystery caller is.
But there are some things to keep in mind before choosing one of the many sites that are online. Only the best will have 200 million or more numbers on their databases (that’s 90% of the total phones in the US). Also, be sure that the details are up-to-date; the site should publicize how frequently they update their database.

.jpg   USA-Business-Phone-List.jpg (Size: 65.53 KB / Downloads: 0)

Definitions of and difference between adaptive online adversary and adaptive offline adversary?

I recently started learning about randomized online algorithms, and the Wikipedia definitions for the three adversary models are very unhelpful to put it mildly. From poking around I think I have a good understanding of what an oblivious adversary is. From my understanding, the oblivious adversary must determine the “worst possible input sequence” before we even start running our algorithm. Let $ I_w$ denote the worst possible input sequence this adversary comes up with. (I.e., the input sequence that produces the greatest gap between the best that can be done and what we expect our algorithm to do.)

We then say that our algorithm is $ c$ -competitive (for a minimization problem) under this adversary if $ $ E[Alg(I_w)] \le c \cdot Opt(I_w) + b$ $ where $ c,b$ are some constants, $ E[Alg(I_w)]$ is the expected value of our algorithm on the input, and $ Opt(I_w)$ is the cost if we had made perfect decisions. (I.e., if the problem went offline.)

My confusion concerns the adaptive online and adaptive offline adversaries. I neither fully understand their definitions nor the difference between them. I will list my confusions directly below.

  • As I understand it, both of these adversaries somehow build the input sequences as your online algorithm runs. This says before you create the input at time $ t$ , unlike in the case of the oblivious adversary, both the adaptive online and adaptive offline adversaries have access to the outcomes of your algorithm at time steps $ 1, \ldots , t-1$ . Then it says that in both cases the adversary “incurs the costs of serving the requests online.” The difference being that for the online adaptive adversary, it “will only receive the decision of the online algorithm after it decided its own response to the request.” Does this mean that the difference is that the offline adaptive adversary can see how your algorithm performs during future steps? Or just the present step? But then why is it still incurring the cost of serving requests online?
  • This source contradicts the source above. It says that the adaptive offline adversary “is charged the optimum offline cost for that sequence.” Like I said previously, the previously source says both incur “the cost of serving the requests online.” What does it even mean to incur the cost of serving requests online vs. offline? Which is correct?
  • This takes a completely different tack and talks about knowing randomness (online adaptive) vs. knowing “random bits” (offline adaptive). Is this equivalent somehow? How so?
  • How does the definition of the competitive ratio change for these two adversaries? Most sources I looked at just defined the competitive ratio for the oblivious adversary.

A simple example of each to illustrate the difference would be much appreciated. Thanks for the help!