What balance pitfalls result from this house rule regarding levitating creatures?

My table is considering the following house rule:

A creature suspended above the ground and unable to move on its own (e.g., under the effect of the levitate spell) is especially susceptible to forces that would push or pull it. When you successfully target a suspended creature with an effect that would move it, you can choose to move it an additional number of feet equal to 5 times your relevant ability modifier (e.g., your Strength modifier if you shoved the creature with a special melee attack, or your spellcasting ability modifier if you used a magical effect, such as the gust spell or the shove effect of the Telekinetic feat). The additional movement must be in the same direction as the normal movement caused by the effect you used.

A creature with a flying speed is not affected by this rule.

The logic here should be obvious — a creature hanging in mid-air, with no ability whatsoever to stop itself from being moved, should be easy to move. But what are the implications of such a house rule from a balance standpoint? Are we setting ourselves up for headaches?

(For context: this might seem like a corner case, but we’re playing a heavily psionics-themed campaign, and so maximizing players’ opportunities to embody the tropes of telekinesis even at low levels is important. It isn’t inconceivable that someone else in a similarly-themed campaign might have similar ideas.)

Are the “Touched” feats’ spells ever subject to a spellcaster’s class rules (such as regarding preparation, components, and focuses)?

The Fey Touched and Shadow Touched feats published in Tasha’s Cauldron of Everything each grant the use of two spells. Among other things, they say:

  1. You learn the [spells].
  2. You can cast each of these spells without expending a spell slot [once per long rest].
  3. You can also cast these spells using spell slots you have of the appropriate level.

The spellcasting ability for these spells is specific to the feat, so it may or may not be the same as the ability of the class that granted the spell slots.


My question applies to both feats and all spellcasting classes, but for the sake of clarity consider an artificer who has taken Fey Touched, which grants Misty Step. Artificers must add the M component to all spells they cast using the artificers’ spellcasting feature, but #2 above has nothing to do with their feature so shouldn’t require that. That’s good, because the reason the artificer can teleport is their prior exposure to the Fey, not some magical widget.

However, things get more complicated when they’re casting Misty Step as described in #3, because the artificer’s spell slots do come from their spellcasting feature. In that case, does the artificer simply use the spell slot as “fuel” and otherwise cast the spell exactly as it had been cast for #2? Or is this inherently different, for which we must assume the artificer studied the Misty Step effect and replicated it with a widget?

If the former, we can assume the spell never needs to be prepared; if the latter, it almost certainly does need to be prepared like all artificer spells.

Also, Misty Step is not on the Artificer Spell List, but the Invisibility spell granted by Shadow Touched is. Would that alter the answer in any way?


Potentially Related:

Does Magic Initiate allow the chosen spell to effectively be “always prepared” if the spell is on their spell list?

What makes a spell being cast considered to be a {class} spell?

If a spellcaster’s racial trait grants a spell that requires material components, can they use their class’ focus to cast that spell?

5E rules regarding armor and being prone [closed]

In 5E, the rules seem pretty straightforward, but clear, regarding armor and the associated AC. However, it seems a little out of balance for characters who fall prone.

Does, or should, the AC for a character change if they are prone? For example, the Paladin in my group I am DM’ing was wearing plate armor and was knocked unconscious, falling prone. As far as I can tell, this means he still retains his 18 AC, regardless of the fact he is no longer moving.

Should the AC stay at 18 or get reduced? Am I missing where this might be covered?

The whirlpool application of the Control Water spell leads to several questions regarding creatures caught in it

As written, the whirlpool usage of the Control Water spell says:

Whirlpool. This effect requires a body of water at least 50 feet square and 25 feet deep. You cause a whirlpool to form in the center of the area. The whirlpool forms a vortex that is 5 feet wide at the base, up to 50 feet wide at the top, and 25 feet tall. Any creature or object in the water and within 25 feet of the vortex is pulled 10 feet toward it. A creature can swim away from the vortex by making a Strength (Athletics) check against your spell save DC.

When a creature enters the vortex for the first time on a turn or starts its turn there, it must make a Strength saving throw. On a failed save, the creature takes 2d8 bludgeoning damage and is caught in the vortex until the spell ends. On a successful save, the creature takes half damage, and isn’t caught in the vortex. A creature caught in the vortex can use its action to try to swim away from the vortex as described above, but has disadvantage on the Strength (Athletics) check to do so.

The first time each turn that an object enters the vortex, the object takes 2d8 bludgeoning damage; this damage occurs each round it remains in the vortex.

Are creatures or objects in the water and within 25′ of the vortex automatically pulled 10′ toward it? Do they continue to be pulled 10′ further toward the center of the vortex every round they are in it? Is a creature or object caught in the vortex also pulled down toward the bottom? On a failed save, are they caught for the entire duration of the spell, with no more chance at saves, or until they can swim free of it? On a failed save, does a creature continue to take 2d8 bludgeoning damage every round they are in the vortex? Can the whirlpool be cast so that it is completely underwater? Also, can the whirlpool be cast ‘upside down’ so the widest part is at the bottom?

False PayPal regarding new phone number message?

I have just received a message from a false PayPal email account – service@paypal.com (looks genuine, but it is NOT) – with the message "You added new phone number to your account".

Only I didn’t do that recently and the phone number in the email is not mine.

Here is a screenshot:

The email does not even have the footer information that genuine PayPal info have, starting with:

"Copyright © 1999-2020 PayPal. All rights reserved."

Furthermore, clicking on the link in the email navigates to diagnolita.lt!!!

So, watch out for this, everyone, it is a fraud, by all appearances.

Conceptual question regarding signing with Yubikey/Solokey/Nitrokey using GnuPG

The named hardware dongles (or at least several models of them) allow me to store PGP secret keys.

Suppose I am using such a secret key to sign data (doesn’t matter what). As I understand it, the operation happens on the hardware itself and the PGP secret key doesn’t leave the device.

Now suppose I am signing several GiB of data, does that mean all that data gets squeezed through the hardware and therefore the hardware dongle becomes a bottleneck, or is the signature practically the same as signing a hash of the data – where the hash gets computed on my host machine?

To summarize:

  • When signing large amounts of data, will that data go through the hardware dongle in some way or will its hash be computed and the signature simply signifies the validity of the hash?
  • Does the involvement of gpg-agent change anything? I.e. suppose I am signing content on host2 connected from host1 which has the hardware dongle with the PGP secret key plugged in.
  • Suppose I am encrypting data against some public key and subsequently signing it. Does this change anything or create a bottleneck?

Beyond unauthorized data access, what security considerations should I have regarding a user-facing language based on SQL SELECT statements?

I’m considering making a new language based on SQL SELECT statements to allow users to export CSV data in the manner they please. I’m confident in being able to interface this with a permissions system by inspecting the resulting AST from parsing before turning it into a SELECT statement to execute, so I’m not really concerned about this leading to unauthorized data access.

This language would be pretty much a 1-to-1 mapping of SQL SELECT statements, except for a few changes regarding joins and a few other things.

Users are relatively few and can be easily traced and contacted. It’s not the public at large.

The underlying DB would be MariaDB.

What should I be concerned about from this idea? If it’s a bad idea, why?

I thought about the possibility of making a query that doesn’t terminate by using WITH RECURSIVE, so I’m not going to support that syntax, and I made the following question at the DBA SE to see what other ways a SELECT statement could be non-terminating (I thought of a few more while writing that question):

What are all the ways that a SELECT statement could be made to not terminate or take a very long time?

Besides that, is there anything more? Any particular risk? Is it possible to make some type of resource bomb with it, to consume all memory for example?

Access to this language could be put under a permission so only very privileged users could use it, but I wonder if that’s needed.
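
An added example, not part of the original question: one way the AST-inspection step described above could also bound resource use before a SELECT reaches MariaDB, going beyond the permission check to cover a function allowlist, join and row caps, and a server-side time limit. The node classes, limits and allowlist are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical mini-AST for the export language (names are assumptions).
@dataclass
class Col:
    table: str
    name: str

@dataclass
class Func:
    name: str
    args: list

@dataclass
class Query:
    select: list                               # Col or Func nodes
    table: str
    joins: list = field(default_factory=list)  # (table, left Col, right Col)
    limit: int = 1000

ALLOWED_FUNCS = {"COUNT", "SUM", "MIN", "MAX", "AVG", "LOWER", "UPPER"}
MAX_JOINS, MAX_ROWS, MAX_SECONDS = 3, 50_000, 15  # constructed limits

class Rejected(ValueError):
    pass

def ident(name):
    # Emit only plain ASCII identifiers; anything else is refused, not escaped.
    if not (name.isascii() and name.isidentifier()):
        raise Rejected(f"bad identifier: {name!r}")
    return f"`{name}`"

def emit(node):
    if isinstance(node, Col):
        return f"{ident(node.table)}.{ident(node.name)}"
    if isinstance(node, Func):
        # Allowlist, so blocking or expensive built-ins never reach the server.
        if node.name.upper() not in ALLOWED_FUNCS:
            raise Rejected(f"function not allowed: {node.name}")
        return f"{node.name.upper()}({', '.join(emit(a) for a in node.args)})"
    raise Rejected(f"unsupported node: {type(node).__name__}")

def compile_query(q):
    if len(q.joins) > MAX_JOINS:
        raise Rejected("too many joins")
    sql = f"SELECT {', '.join(emit(s) for s in q.select)} FROM {ident(q.table)}"
    for table, left, right in q.joins:
        sql += f" JOIN {ident(table)} ON {emit(left)} = {emit(right)}"
    rows = max(1, min(int(q.limit), MAX_ROWS))  # clamp the user-supplied limit
    # MariaDB aborts the statement once max_statement_time (seconds) elapses.
    return f"SET STATEMENT max_statement_time={MAX_SECONDS} FOR {sql} LIMIT {rows}"
```

The time cap bounds work that the row cap cannot, such as a large join that returns only a few rows.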

What security concerns are there regarding website users inputting personal financial data without putting in personally identifying data?

I am a web developer, but I have only a rudimentary grasp of security, e.g., be careful to sanitize inputs, store as little user data as possible, encrypt passwords, keep up with security issues of libraries and packages, etc.

Today, I was approached by a client who does financial planning about replacing a spreadsheet he gives clients with a web-based form. The spreadsheet asks users to input certain financial data – e.g., current value of various investment accounts, business interests, etc. These numbers are put into a formula and a value is generated which is supposed to help the user decide whether the consulting could be useful to them.

The phone call was very short, and my questions focused on more mundane matters about user experience, desired UI elements, etc. No commitments have been made, and I’m analyzing the project to see if it’s something I can do. I began to think about potential security issues, and I realized I really don’t know where to start. So far it seems that the client wants the form to be accessed via a magic link, and that the user would not enter any personally identifying information. I do not know yet whether my potential client wants to store the value generated, a simple dollar amount which is the ‘benefit’ the user could get by using the service. The impression I got is that my potential client simply wants to use this value as a motivator for clients to inquire further about his services.

My question is this: In this scenario, what security-related matters should I consider?

Thank you.

Regarding space of linear speed-up theorem

I was reading the proof of speed-up lemma from this slide (page 10 to 13) but I could not understand why the plus two factor appears in the new space bound. Would anybody elaborate?

Furthermore for a Turing machine that uses a linear amount of space, isn’t it possible to reduce the amount of space used by a constant factor without additional constant overhead? (i.e. to have only the εf(n) part as the new space)

Theorem: Suppose TM M decides language L in space f(n). Then for any ε > 0, there exists TM M’ that decides L in space εf(n) + 2.