## 5E rules regarding armor and being prone [closed]

In 5E, the rules seem pretty straightforward, but clear, regarding armor and the associated AC. However, it seems a little out of balance for characters who fall prone.

Does, or should, the AC for a character change if they are prone? For example, the Paladin in my group I am DM’ing was wearing plate armor and was knocked unconscious, falling prone. As far as I can tell, this means he still retains his 18 AC, regardless of the fact he is no longer moving.

Should the AC stay at 18 or get reduced? Am I missing where this might be covered?

## The whirlpool application of the Control Water spell leads to several questions regarding creatures caught in it

As written, the whirlpool usage of the Control Water spell says:

Whirlpool. This effect requires a body of water at least 50 feet square and 25 feet deep. You cause a whirlpool to form in the center of the area. The whirlpool forms a vortex that is 5 feet wide at the base, up to 50 feet wide at the top, and 25 feet tall. Any creature or object in the water and within 25 feet of the vortex is pulled 10 feet toward it. A creature can swim away from the vortex by making a Strength (Athletics) check against your spell save DC.

When a creature enters the vortex for the first time on a turn or starts its turn there, it must make a Strength saving throw. On a failed save, the creature takes 2d8 bludgeoning damage and is caught in the vortex until the spell ends. On a successful save, the creature takes half damage, and isn’t caught in the vortex. A creature caught in the vortex can use its action to try to swim away from the vortex as described above, but has disadvantage on the Strength (Athletics) check to do so.

The first time each turn that an object enters the vortex, the object takes 2d8 bludgeoning damage; this damage occurs each round it remains in the vortex.

Are creatures or objects in the water and within 25′ of the vortex automatically pulled 10′ toward it? Do they continue to be pulled 10′ further toward the center of the vortex every round they are in it? Is a creature or object caught in the vortex also pulled down toward the bottom? On a failed save, are they caught for the entire duration of the spell, with no more chance at saves, or until they can swim free of it? On a failed save, does a creature continue to take 2d8 bludgeoning damage every round they are in the vortex? Can the whirlpool be cast so that it is completely underwater? Also, can the whirlpool be cast ‘upside down’ so the widest part is at the bottom?

## False PayPal regarding new phone number message?

I have just received a message from a false PayPal email account – service@paypal.com (looks genuine, but it is NOT) – with the message "You added new phone number to your account".

Only I didn’t do that recently and the phone number in the email is not mine.

Here is a screenshot:

The email does not even have the footer information that genuine PayPal info have, starting with:

Furthermore, clicking on the link in the email navigates to diagnolita.lt!!!

So, watch out for this, everyone, it is a fraud, by all appearances.

## Question regarding public hotspots

Do ISPs like Xfinity gather geographical information about the users of their public hotspots? If so, how is it done and how accurate is it?

## Conceptual question regarding signing with Yubikey/Solokey/Nitrokey using GnuPG

The named hardware dongles (or at least several models of them) allow me to store PGP secret keys.

Suppose I am using such a secret key to sign data (doesn’t matter what). As I understand the operation happens on the hardware itself and the PGP secret key doesn’t leave the device.

Now suppose I am signing several GiB of data, does that mean all that data gets squeezed through the hardware and therefore the hardware dongle becomes a bottleneck, or is the signature practically the same as signing a hash of the data – where the hash gets computed on my host machine?

To summarize:

• When signing large amounts of data, will that data go through the hardware dongle in some way or will its hash be computed and the signature simply signifies the validity of the hash?
• Does the involvement of gpg-agent change anything? I.e. suppose I am signing content on host2 connected from host1 which has the hardware dongle with the PGP secret key plugged in.
• Suppose I am encrypting data against some public key and subsequently signing it. Does this change anything or create a bottleneck?

## Beyond unauthorized data access, what security considerations should I have regarding a user-facing language based on SQL SELECT statements?

I’m considering making a new language based on SQL SELECT statements to allow users to export CSV data in the manner they please. I’m confident in being able to interface this with a permissions system by inspecting the resulting AST from parsing before turning it into a SELECT statement to execute, so I’m not really concerned about this leading to unauthorized data access.

This language would be pretty much a 1-to-1 mapping of SQL SELECT statements, except for a few changes regarding joins and a few other things.

Users are relatively few and can be easily traced and contacted. It’s not the public at large.

The underlying DB would be MariaDB.

What should I be concerned about from this idea? If it’s a bad idea, why?

I thought about the possibility of making a query that doesn’t terminate by using WITH RECURSIVE, so I’m not going to support that syntax, and I made the following question at the DBA SE to see what other ways a SELECT statement could be non-terminating (I thought of a few more while writing that question):

What are all the ways that a SELECT statement could be made to not terminate or take a very long time?

Besides that, is there anything more? Any particular risk? Is it possible to make some type of resource bomb with it, to consume all memory for example?

Access to this language could be put under a permission so only very privileged users could use it, but I wonder if that’s needed.

## What security concerns are there regarding website users inputting personal financial data without putting in personally identifying data?

I am a web developer, but I have only a rudimentary grasp of security, e.g., be careful to sanitize inputs, store as little user data as possible, encrypt passwords, keep up with security issues of libraries and packages, etc.

Today, I was approached by a client who does financial planning about replacing a spreadsheet he gives clients with a web-based form. The spreadsheet asks users to input certain financial data – e.g., current value of various investment accounts, business interests, etc. These numbers are put into a formula and a value is generated which is supposed to help the user decide whether the consulting could be useful to them.

The phone call was very short, and my questions focused on more mundane matters about user experience, desired UI elements, etc. No commitments have been made, and I’m analyzing the project to see if it’s something I can do. I began to think about potential security issues, and I realized I really don’t know where to start. So far it seems that the client wants the form to be accessed via a magic link, and that the user would not enter any personally identifying information. I do not know yet whether my potential client wants to store the value generated, a simple dollar amount which is the ‘benefit’ the user could get by using the service. The impression I got is that my potential client simply wants to use this value as a motivator for clients to inquire further about his services.

My question is this: In this scenario, what security-related matters should I consider?

Thank you.

## Regarding space of linear speed-up theorem

I was reading the proof of speed-up lemma from this slide (page 10 to 13) but I could not understand why the plus two factor appears in the new space bound. Would anybody elaborate?

Furthermore for a Turing machine that uses a linear amount of space, isn’t it possible to reduce the amount of space used by a constant factor without additional constant overhead? (i.e. to have only the εf(n) part as the new space)

Theorem: Suppose TM M decides language L in space f(n). Then for any ε > 0, there exists TM M’ that decides L in space εf(n) + 2.

## Differences between Mathematica versions 11 and 12 regarding ODE solution

Solving the ODE

$$(\lambda + y(x))\, y''(x) - y'(x)^2 - 1 = 0$$

with Version 11 I got the solution

yx = 1/2 (Exp[-Exp[C[1]] (C[2] + x) - 2 C[1]] + Exp[Exp[C[1]] (C[2] + x)] - 2 lambda) 

while in Version 12 for the same ODE I got the solution

yx = -lambda - Tanh[E^C[1] (x + C[2])]^2/Sqrt[-E^(2 C[1]) Sech[E^C[1] (x + C[2])]^2 Tanh[E^C[1] (x + C[2])]^2] 

This last result isn’t ever real: see the denominator. My question is regarding how to ask the solver in Version 12 to obtain the Version 11 answer. Thanks.

## Regarding submission of multiple target URL.

Hi,
I have a query about submission. Suppose I am adding more than 1 URL, for instance 10 URLs, and I am not choosing the option “RANDOM submission from the above list”. I have a list of 1000 web directories in my ser list; then what would be the result? Are the 10 URLs submitted to 1000 directories, or will each 1 URL be submitted to 1000 directories?