Consider Marissa, a 17th level neutrally-aligned Sorcerer with Charisma 20 who knows the Wish spell. A foolhardy incubus, Bob, attempts to seduce her, and Marissa casts Wish to duplicate Planar Binding, cast as an 8th level spell. This casting ignores spell-casting requirements (it happens immediately, not taking 1 hour to cast, and does not consume a 1000gp jewel). The hapless Bob fails his Charisma save, the tables are turned, and he must follow Marissa’s instructions to the best of his ability for the next 180 days. Marissa gives Bob the following instructions:
You must reveal to me any abilities you have that could allow you to circumvent any command given to you by me (you are to reveal each such ability on two separate occasions, but you are not to repeat an ability if you’ve already informed me twice).
You cannot enter the Ethereal plane without me verbally or telepathically saying “Bob, enter Ethereal” within the past 30 seconds.
You cannot polymorph without me verbally or telepathically saying “Bob, polymorph into X” within the past 30 seconds, where X is the name of some small or medium humanoid race. You are only allowed to polymorph into an instance of that race.
You cannot reveal, by any means, that you are subject to this spell (you cannot speak it, write it, broadcast it telepathically, or in any other way indicate that you are affected by the spell, regardless of whether any creature is present).
You cannot induce anyone or anything to cast Dispel Magic on you, or do anything else that would cause this spell to be disrupted (including entering an Antimagic Field).
If you become aware that someone is casting any spell on you, you must immediately inform me (telepathically).
Anytime I am asleep, you are to perform the tasks I’ve assigned to you beforehand. If I do not specify any task on a given day, you are to work on improving yourself in some artisan’s skill.
If any command I give you is ambiguous to you, you must ask me for clarification.
You are to do nothing that will cause me harm.
You are to do nothing that will cause any creature with an Intelligence score (of 1 or more) harm without me giving you a verbal or telepathic command to do so within the past 30 seconds.
The most recent command I give you overrides previous commands, except for the commands I have enumerated here. In particular, if I give a command in the future that countermands any of these commands, you are to ignore that future command and abide by the commands specified here.
For the purposes of this command, harm to a creature involves the Incubus directly (through his own actions) or indirectly (through a lack of action when he could perform an action to stop the harm) causing any of the following:
- physical or psychological damage (meta-level: a reduction in hit points via any form of damage)
- any detrimental effect on a creature’s abilities, offensive capabilities, or defensive capabilities (meta-level: detrimental effects on an ability check, saving throw, attack roll, damage roll, or armor class)
- inducing non-natural aging, sleep, invisibility, obscurement, gaseousness, etherealness, or incorporeality (but if someone wants such an effect, Bob cannot hinder them)
- levels of exhaustion
- restrictions/limitations on any form of movement
- any effect that could cause death or dying
- detrimental emotional influence (magical or non-magical)
- mental influence (charms, enchantments, etc.)
Marissa is curious how Bob can manage to circumvent these commands (or otherwise do things to make him problematic to keep around).
She has intentionally limited his Ethereal and Polymorph abilities (requiring permission), and put a time-limit on that permission (30 seconds). Without the time limit, the first time Marissa tells him to polymorph, he could argue that he no longer needs to wait for the phrase because it was already uttered.
Having someone cast Detect Magic on him is still the biggest risk.
Marissa can see various ways that Bob can interpret the “no harm, even through inaction” command in a very literal way that makes him carry people around so they don’t trip and fall (that is within his abilities, after all).
Similarly, Bob may need to ask everyone around him so many questions (“Do you really want to fall asleep right now? Did you mean to cast Invisibility on yourself?” etc) to abide by the commands as written that they need to be modified (which may create loopholes…)
Even though Bob is only a CR 4 creature, Marissa has many questions about Bob’s mortality and ability to carry a grudge into the future (Bob may have CR 10 or CR 15 or CR 20 “friends”, after all).
What are the ways that Bob can mess with Marissa? What else should Marissa add to her list of commands?
(a) How are eSIM profiles tied to a particular device? That is, what prevents a bad actor from digitally copying an eSIM profile (to use in a ‘soft’ or ‘emulated’ SIM, or an actual eUICC chip)?
(b) On a related note, how is the Ki (or its eSIM equivalent) secured during the retrieval of the eSIM profile?
OWASP recommends setting session timeouts to the minimal value possible, to minimize the time an attacker has to hijack the session:
Session timeout defines the action window time for a user; thus this window represents, at the same time, the delay in which an attacker can try to steal and use an existing user session…
For this, it’s best practice to:
- Set session timeout to the minimal value possible depending on the context of the application.
- Avoid “infinite” session timeout.
- Prefer declarative definition of the session timeout in order to apply a global timeout for all application sessions.
- Trace session creation/destruction in order to analyse creation trends and try to detect abnormal numbers of session creations (application profiling phase in an attack).
The most popular methods of session hijacking attacks are session fixation, packet sniffing, XSS and compromise via malware, but these are all real-time attacks on the current session.
Once hijacked, the attacker will be able to prevent an idle timeout (via activity), and I would consider any successful session hijack a security breach anyway (unless you want to argue how much larger than zero seconds of access an attacker can have before it actually counts as an actual breach).
If the original method of getting the session token can be repeated, this seems to further limit the usefulness of a timeout — a 5-minute window that can be repeated indefinitely is effectively not limited.
What real-world attack exists (even theoretically) where a session timeout would be an effective mitigation? Is session expiry really just a form of security theater?
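An added example (not from the question or any answer) that makes the idle-versus-absolute distinction concrete: a hijacker who keeps sending requests never lets an idle timeout fire, whereas an absolute lifetime caps the session regardless of activity. The timeout values and the simulation helper are assumptions chosen for illustration.

```python
IDLE_TIMEOUT = 5 * 60        # assumed: 5 minutes of inactivity ends the session
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: 8 hours after creation, whatever the activity


class Session:
    """Minimal server-side session record: when it was created and last used."""

    def __init__(self, created_at):
        self.created_at = created_at
        self.last_seen = created_at


def session_valid(sess, now, absolute=True):
    """Reject on inactivity; optionally also on total age since creation."""
    if now - sess.last_seen > IDLE_TIMEOUT:
        return False
    if absolute and now - sess.created_at > ABSOLUTE_TIMEOUT:
        return False
    return True


def touch(sess, now):
    """Record a request; this is all a keep-alive script has to do."""
    sess.last_seen = now


def lifetime(request_interval, horizon, absolute):
    """Seconds until the first rejected request, or None if the session
    is still accepted at the end of the horizon.

    request_interval: seconds between requests (constructed client behaviour).
    """
    sess = Session(0)
    now = 0
    while now <= horizon:
        if not session_valid(sess, now, absolute):
            return now
        touch(sess, now)
        now += request_interval
    return None


if __name__ == "__main__":
    day = 24 * 3600
    print("idle only, request every 60s:", lifetime(60, day, absolute=False))
    print("idle only, request every 10m:", lifetime(600, day, absolute=False))
    print("idle + absolute, request every 60s:", lifetime(60, day, absolute=True))
```

The first call survives the whole day, the second dies at the first request after a 5-minute gap, and the third is cut off just past 8 hours despite continuous activity.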
Can this method of encryption prevent bruteforce attacks?
If I had a hypothetical table (or function) where every grammatically valid sentence (in existence, limited to some number of words) was given an associated number, e.g:
"Good morning, how are you." = 3283
"Today is a nice day." = 2183
Then added a number (as a key), e.g:
3283 + 1234 = 4516
Wouldn’t this final output of 4516 be effectively protected against bruteforce attacks?
Ignoring the difficulty of producing a hashtable/function capable of reducing every valid input into a single number, and the issue of sending the key:
Is there any way of finding the original input only from the output?
Is limiting the domain of the encryption to only valid inputs an effective method of preventing bruteforce attacks?
If so, is there any practical example of this? Why or why not?
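An added example (not from the question or any answer) that models the scheme with a constructed five-sentence codebook and an additive key. It shows what a key-space search yields: with a key as large as the codebook range every valid sentence remains a candidate (the strength is the key's entropy, as with a one-time pad), a small key space pins the sentence down, and reusing one key across two messages leaks their difference. The codebook entries and key ranges are constructed for illustration.

```python
# Constructed codebook: every "valid sentence" gets a number, as in the question.
CODEBOOK = {
    "Good morning, how are you.": 3283,
    "Today is a nice day.": 2183,
    "The meeting is at noon.": 1187,
    "Send the report tomorrow.": 4002,
    "Cancel the shipment.": 2731,
}
NUMBERS = {n: s for s, n in CODEBOOK.items()}  # reverse lookup


def encrypt(sentence, key):
    """The question's scheme: codebook number plus a secret key."""
    return CODEBOOK[sentence] + key


def candidates(ciphertext, key_space):
    """Sentences consistent with one ciphertext, given only the key range.

    A sentence survives if some key in key_space would produce ciphertext.
    """
    return sorted(s for n, s in NUMBERS.items() if ciphertext - n in key_space)


def candidates_shared_key(c1, c2, key_space):
    """Sentence pairs consistent with two ciphertexts made under the SAME key.

    Subtracting cancels the key: c1 - c2 == n1 - n2, which the codebook
    rarely satisfies for more than one pair.
    """
    return sorted(
        (s1, s2)
        for n1, s1 in NUMBERS.items()
        for n2, s2 in NUMBERS.items()
        if n1 - n2 == c1 - c2 and c1 - n1 in key_space
    )


if __name__ == "__main__":
    wide = range(1, 10000)   # assumed: key at least as large as the codebook range
    narrow = range(1, 100)   # assumed: a small key, showing why key size matters
    c = encrypt("Good morning, how are you.", 1234)
    print(candidates(c, wide))                              # every sentence remains
    print(candidates(encrypt("Good morning, how are you.", 50), narrow))
    c2 = encrypt("Today is a nice day.", 1234)
    print(candidates_shared_key(c, c2, wide))               # the pair is identified
```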
I know, Rules-as-Intended questions are hard, but it has been established that Freedom of Movement RAW is a mess and we don’t know what it stops exactly (relevant 3.5e question, but applicable to Pathfinder 1e as far as I know).
Moreover, maneuvers do not exist in regular Pathfinder 1e and it’s understandable that a core PF spell makes no special note about them.
I think the only possible way to know how they interact is to ask for author intent. Luckily, one of the authors often answers questions here on RPG.SE.
Shadow Pin is a really good counter, it stops melee characters from charging and getting near in general, it stops recurring NPCs from teleporting away. No wonder one of my players took it.
The Freedom of Movement spell is meant to counter movement-blocking effects, but it only explicitly mentions making the recipient immune to mundane and magic impediments (emphasis mine):
This spell enables you or a creature you touch to move […] normally for the duration of the spell, even under the influence of magic that usually impedes movement
Food for thought: It’s magic, not “spells”. Is “supernatural” magical enough to be included, given that it goes away in an antimagic field?
Was Shadow Pin intended to bypass Freedom of Movement effects, or to be stopped by it?
(Since, as it is usually assumed, Freedom of Movement only helps with physical movement impairments, is the answer different for the teleportation part?)
There are a number of spells that deal non-preventable damage. However, this non-preventable damage is worded as “This damage cannot be reduced or prevented in any way”. Damage reduction and damage prevention are AFAIK both specific mechanics that are more or less standardized, with spells, feats and equipment that grant these effects explicitly using these words.
It feels to me like non-preventable damage only stops effects that are explicitly worded as “reduces damage taken” or “prevent all damage taken”, and that effects that use other words to affect the damage taken by the player may actually be able to stop the damage. For example, AFAIK D&D 5E has both damage reduction and damage resistance. However, I don’t know if this is a correct interpretation.
So the question I have is: does “reduced or prevented” in this case explicitly refer to effects worded using the words “reduces damage taken” or “prevent all damage taken”, or do they also refer to other effects that reduce or prevent damage with other words?
I have done research on how to authenticate NFC tags. Seeing how you can use digital signatures, or a hidden key on newer NFC tags, it seems safe. However, none of it would prevent a Man in the Middle attack where a device can read and relay the commands an NFC reader/writer sends to an NFC tag, and use this to corrupt the data that is sent to be written on the NFC tag (even if the data was originally sent encrypted, it could still be turned into fake data).
I need to share a folder of documents, including Word docs, PDFs and MP3s but want to disable the download button. I realise I can’t share content and completely prevent people from taking a copy, but I want to remove the download and print buttons which Google Drive allows me to do. I’ve set that up, and it’s working well for the docs and PDFs, but if I set the MP3s to have download blocked they won’t play at all. Is there some way of allowing them to stream (which I realise is effectively downloading and playing, but it shouldn’t be retained on the client)? Logged in as a viewer (rather than the Drive owner) I’ve tried right clicking on a blocked MP3 and selecting “Open with > Music Player for Google Drive” but that’s not working either.
Yesterday I received a “suspicious sign-in prevented” email on my University google account.
The email said that someone used MY PASSWORD to access my google account from a suspicious app.
I immediately changed my password. Today I have received a new email with the same warning and I have changed the password again.
I keep my passwords in keepass and I thought that was a pretty secure way to store them.
I don’t think I have malware on my PC because I formatted it recently and a Malwarebytes scan didn’t report any.
The emails I have received from google are genuine because the suspicious activities appear on the google account dashboard as well.
I can’t enable 2FA for some reason. I think it is blocked by my University.
I need to know if those emails indicate that someone is discovering my passwords as I change them. Because that’d be pretty scary since it’d mean that someone has access to my PC and my keepass where all the passwords are.
Is it possible that google is sending those emails because someone is trying to login but doesn’t know the password (even if the message says so)?
I tried logging in to my Gmail account from another city…
A week has passed, and every time I do a Google search or use a Google product, I keep getting this message at the top: “Google prevented suspicious attempt…”
I do NOT know what they want me to do. But I am seriously getting tired of dismissing it.
I realize that I can turn off the alert all together…
But is there a way I can just confirm that the activity was by me, and make it stop alerting me…
Btw, I have already clicked the “review activity” button several times…
Like I said I know how to turn this feature off altogether – that’s not what I’m after…