If you roll for a saving throw that if succeeded you only take half damage, and roll a natural 20, are you reduced any more damage?

In context, my character just got pounded by flaming boulders. She is currently immune to fire for story reasons, so the fire damage is null, however she has to make a dexterity saving throw against the bludgeoning damage. it’s 60 damage. if she succeeds, she takes half damage. She rolls a natural 20. I know the damage is halved because she did succeed, but are there any other deductions to damage because of her natural 20 roll?

Postgres 12.1 uses Index Only Scan Backward instead of index when LIMIT is present

I have a medium sized table (~4M rows) of “functionCalls” which consists of 2 columns, input and function (both ids for another table):

  Column  |  Type   | Collation | Nullable | Default  ----------+---------+-----------+----------+---------  input    | integer |           | not null |   function | integer |           | not null |  Indexes:     "functionCall_pkey" PRIMARY KEY, btree (input, function) CLUSTER     "functionCallSearch" btree (function, input) Foreign-key constraints:     "fkey1" FOREIGN KEY (function) REFERENCES function(id) ON UPDATE CASCADE ON DELETE CASCADE     "fkey2" FOREIGN KEY (input) REFERENCES input(id)  

I want to find all rows that match a certain function, which is why I added the functionCallSearch index. Here is my query:

SELECT c.input FROM "functionCall" c INNER JOIN "function" ON (function.id = c.function) WHERE function.text LIKE 'getmyinode' ORDER BY c.input DESC LIMIT 25 OFFSET 0; 

This takes forever (currently ~ 20s) because pg refuses to use the index, and decides to do a Index Only Scan Backward on the primary key instead:

 Limit  (cost=0.71..2178.97 rows=25 width=4) (actual time=12903.294..19142.568 rows=8 loops=1)    Output: c.input    Buffers: shared hit=59914 read=26193 written=54    ->  Nested Loop  (cost=0.71..135662.48 rows=1557 width=4) (actual time=12903.292..19142.561 rows=8 loops=1)          Output: c.input          Inner Unique: true          Join Filter: (c.function = function.id)          Rows Removed by Join Filter: 3649900          Buffers: shared hit=59914 read=26193 written=54          ->  Index Only Scan Backward using "functionCall_pkey" on public."functionCall" c  (cost=0.43..80906.80 rows=3650225 width=8) (actual time=0.040..17083.489 rows=3649908 loops=1)                Output: c.input, c.function                Heap Fetches: 3649909                Buffers: shared hit=59911 read=26193 written=54          ->  Materialize  (cost=0.28..2.30 rows=1 width=4) (actual time=0.000..0.000 rows=1 loops=3649908)                Output: function.id                Buffers: shared hit=3                ->  Index Scan using function_text on public.function  (cost=0.28..2.30 rows=1 width=4) (actual time=0.023..0.026 rows=1 loops=1)                      Output: function.id                      Index Cond: ((function.text)::text = 'getmyinode'::text)                      Buffers: shared hit=3  Planning Time: 0.392 ms  Execution Time: 19143.967 ms 

When I remove the LIMIT this query is blazingly fast:

 Sort  (cost=5247.53..5251.42 rows=1557 width=4) (actual time=3.762..3.763 rows=8 loops=1)    Output: c.input    Sort Key: c.input DESC    Sort Method: quicksort  Memory: 25kB    Buffers: shared hit=6 read=4    ->  Nested Loop  (cost=0.71..5164.97 rows=1557 width=4) (actual time=0.099..3.739 rows=8 loops=1)          Output: c.input          Buffers: shared hit=6 read=4          ->  Index Scan using function_text on public.function  (cost=0.28..2.30 rows=1 width=4) (actual time=0.054..0.056 rows=1 loops=1)                Output: function.id                Index Cond: ((function.text)::text = 'getmyinode'::text)                Buffers: shared hit=2 read=1          ->  Index Only Scan using "functionCallSearch" on public."functionCall" c  (cost=0.43..5103.71 rows=5897 width=8) (actual time=0.039..3.670 rows=8 loops=1)                Output: c.function, c.input                Index Cond: (c.function = function.id)                Heap Fetches: 8                Buffers: shared hit=4 read=3  Planning Time: 0.514 ms  Execution Time: 3.819 ms 

Why is this? And how can I fix this?

I’ve checked https://dba.stackexchange.com/a/249676/106982 but n_distinct is not that far off, pg_stats says n_distinct: 623 while SELECT COUNT(*) FROM (SELECT DISTINCT function FROM "functionCall") returns 1065

Why after dd’ing ISO file to entire USB flash device, only the first partition match the ISO checksum?

I use dd to “burn” an ISO file to USB stick:

dd bs=4M if=/mnt/media/ISO/Fedora-Workstation-Live-x86_64-31-1.9.iso   of=/dev/sdd conv=fdatasync  status=progress 

Now I can see several partitions has been created:

sdd      8:48   1   1.9G  0 disk  ├─sdd1   8:49   1   1.8G  0 part /run/media/alex/Fedora-WS-Live-31-1-9 ├─sdd2   8:50   1  10.6M  0 part  └─sdd3   8:51   1  22.2M  0 part  

Why only sdd1 matches the ISO checksum, not an entire drive? I checked files on other partitions, they contain this ISO related files..

How do I configure Azure Web Apps so that the only access is via CloudFlare?

I have a Web Apps (Linux) application on Azure, and I added a custom domain which I have protected with CloudFlare.

I added Azure Security Center to my subscription.

At the moment one can access the application either

  1. directly via example.azurewebsites.net or
  2. via www.example.com which is protected by CloudFlare

How do I configure the Azure portal so that the only access to my web application is via CloudFlare?

One idea I had is to add an Azure Firewall, and set it to white list the CloudFlare IP Addresses, but I wondered if there is an easier way (and anyway I am not sure how to configure it)

Bettercap DNS and ARP spoofing only denies access to website

I recently have been using Bettercap and have been trying to use the dns spoof feature to redirect websites to my Apache server which has a beef hook embedded. It is very simple theoretically, but when I use the dns and arp features, it only denies access to spoofed websites. *For reference 192.168.1.3 is the target ip, 192.168.1.11 is the attacker ip, and 192.168.1.1 is the gateway. My hosts.conf file looks like this:

192.168.1.11 *yahoo.com 192.168.1.11 *microsoft.com 

Here is what I run when I start Bettercap:

root@kali:~# bettercap bettercap v2.26.1 (built for linux amd64 with go1.13.4) [type 'help' for a list of commands]  192.168.1.0/24 > 192.168.1.107  » set dns.spoof.hosts hosts.conf 192.168.1.0/24 > 192.168.1.107  » set arp.spoof.internal true 192.168.1.0/24 > 192.168.1.107  » set arp.spoof.targets 192.168.1.3, 192.168.1.1 192.168.1.0/24 > 192.168.1.107  » arp.spoof on 192.168.1.0/24 > 192.168.1.107  » [01:52:01] [sys.log] [inf] arp.spoof starting net.recon as a requirement for arp.spoof 192.168.1.0/24 > 192.168.1.107  » [01:52:01] [sys.log] [war] arp.spoof arp spoofer started targeting 254 possible network neighbours of 2 targets. 192.168.1.0/24 > 192.168.1.107  » dns.spoof on 192.168.1.0/24 > 192.168.1.107  » [01:52:05] [sys.log] [inf] dns.spoof loading hosts from file hosts.conf ... 192.168.1.0/24 > 192.168.1.107  » [01:52:05] [sys.log] [inf] dns.spoof *yahoo.com -> 192.168.1.11 192.168.1.0/24 > 192.168.1.107  » [01:52:05] [sys.log] [inf] dns.spoof *outlook.com -> 192.168.1.11 192.168.1.0/24 > 192.168.1.107  » [01:52:05] [sys.log] [inf] dns.spoof *microsoft.com -> 192.168.1.11 

I can tell that it attempts to spoof due to the output of the Bettercap console and that Microsoft and Facebook are failing to load, but the problem is, all Google Chrome does is give me and error and no redirection happens: Google Chrome's error Also, even after I close out of Bettercap on the attacking machine, Microsoft and Facebook still fail to load until I completely shut down the attacking machine. Could anyone explain that? And could anyone tell me why it is not redirecting? Happy to provide more information if needed.

Fingerprint mismatch only for 32-bit DLL linked statically to FIPS Capable OpenSSL

Appreciate any help on the following.

1) Built OpenSSL Fips Module and then ‘static binaries’ of FIPS capable OSSL which ‘statically link to the windows run-time’. Thus, my application binary (FipsApp.exe) does not depend on OSSL DLLs.

2) Consumed these static binaries namely (libeaycompat32.lib, libeayfips32.lib and ssleay32.lib) into myapp.dll using msincore.pl.

3) FipsApp.exe calls function foo() inside myapp.dll which executes FIPS_mode_set() which returns (100:error:2D06B06F:lib(45):func(107): reason (111):/FIPS/FIPS.c:232)

Result

1) On executing 64-bit FipsApp.exe, the FIPS mode gets set and working with 64-bit myapp.dll

2) But on executing 34-bit FipsApp.exe which uses 32-bit myapp.dll with same configuration, FIPS_mode_set() fails with reason 111 (Fingerprint mismatch)

Attempted

Since above 32-bit myapp.dll did not work, some additional configuration changes were made.

1) ReBuilt 32-bit myapp.dll with above LFLAGS “/DynamicBase:No /Fixed”. Here default base address gets used for myapp.dll

2) ReBuilt 32-bit myapp.dll with base address of 0xFB00000. (OSSL does same thing for FIPS dlls)

3) Checking out following http://openssl.6102.n7.nabble.com/FIPS-Static-Library-linked-into-Win32-Dll-builds-but-fails-self-test-td63011.html

But 32-bit myapp DLL does always fail with fingerprint mismatch.

Question

How do I get 32-bit myapp.dll working in FIPS mode? FIPS_mode_set() returns (100:error:2D06B06F:lib(45):func(107): reason (111):/FIPS/FIPS.c:232)

Thanks.

How to accept only user identity keys of type ed25519 on OpenSSH Linux server?

I want to force all users to use only ed25519 type keys when logging in via SSH / SFTP to a Linux server which is running a recent version* of OpenSSH.

The reasons include:

In many cases, SSH keys have been completely overlooked in identity and access management planning, implementation, and audits. Users have been able to create and install keys without oversight and controls. This has led to violations of corporate access policies and dangerous backdoors.

Information security starts from controlling who is given access to systems and data. If there is no control over access, there is no security, no confidentiality, no integrity, and no guarantees of continued operation

Source: https://www.ssh.com/iam/ssh-key-management/

However, I do not wish to remove the ability for a user to manage their own SSH keys (including adding, removing, changing the keys). My only objective is to mandate that the key used is of type ed25519.

How can this be accomplished while maintaining the above user privileges and while maintaining this setting?

AuthorizedKeysFile  .ssh/authorized_keys 

The main (non-default) sshd_config settings I’m using on this server include:

The only host key enabled: HostKey /etc/ssh/ssh_host_ed25519_key  PermitRootLogin no PasswordAuthentication no ChallengeResponseAuthentication no UsePAM yes AuthorizedKeysFile  .ssh/authorized_keys KexAlgorithms curve25519-sha256@libssh.org MACs hmac-sha2-512-etm@openssh.com Ciphers chacha20-poly1305@openssh.com AllowUsers user@host ... 

However, with those settings a user can still select an older user identity key type and use it to log in. My only objective now is to stop a user from getting access except via an ed25519 user identity key. How?

*Actually running: OpenSSH_8.1p1, OpenSSL 1.1.1d

HTTPS only

Hi @Sven I am trying to post only to https:// URLs, I noticed a lot of the ones being posted to are http with security warning. How do I post to only https please?
I tried “Skip sites with the following words in URL/Domain” > “http://” (without quotes) > then type of filter: Path , but doesn’t seem to work.