How do Eberron Dragonmarks and Book of Ancient Secrets Invocation interact?

I might be over-analyzing and confusing myself, but I’m not certain regarding the interaction between Dragonmark learned Ritual spells and the Book of Ancient Secrets warlock invocation.

Let’s take as an example the Mark of Hospitality subrace’s trait:

Spells of the Mark. If you have the Spellcasting or the Pact Magic class feature, the spells on the Mark of Hospitality Spells table are added to the spell list of your spellcasting class.

This list includes ritual spells like Leomund’s tiny hut, Mordenkainen’s private sanctum and hallow.

Now let’s take the Book of Ancient Secrets invocation:

You can now inscribe magical rituals in your Book of Shadows.[…] You can also cast a warlock spell you know as a ritual if it has the ritual tag.

On your adventures, you can add other ritual spells to your Book of Shadows. When you find such a spell, you can add it to the book if the spell’s level is equal to or less than half your warlock level (rounded up) and if you can spare the time to transcribe the spell. For each level of the spell, the transcription process takes 2 hours and costs 50 gp for the inks needed to inscribe it.

In order to ritual-cast these spells (added to my list by the Dragonmark) as non-prepared spells, but rather as ritual spells from my Book of Shadows, which of the following mechanisms is appropriate, per RAW (and/or RAI):

  1. Do they count as warlock spells (by being added to my spell list as per the spells of the mark trait), thus I can cast them without preparation since they have the ritual tag (as per the Book of Ancient Secrets Invocation?)
  2. Do I magically learn them (as per the spells of the mark trait) but I have to spend time to transcribe the spell in the Book of Shadows, although I don’t have a physical written form of the spell?
  3. It does not satisfy either mechanism, and the only way to cast these spells is to prepare them as warlock spells, until I find them in written form and can transcribe them in the Book of Ancient Secrets?

Should I have to roll to copy a spell into my Book of Ancient Secrets?

The Book of Ancient Secrets invocation says (PH p. 110):

On your adventures, you can add other ritual spells to your Book of Shadows. When you find such a spell, you can add it to the book if the spell’s level is equal to or less than half your warlock level (rounded up) and if you can spare the time to transcribe the spell. For each level of the spell, the transcription process takes 2 hours and costs 50 gp for the rare inks needed to inscribe it.

There’s no mention of rolling anything.

But in the DMG (p. 200) under the Spell Scroll magic item it says:

A wizard spell on a spell scroll can be copied just as spells in spellbooks can be copied. When a spell is copied from a spell scroll, the copier must succeed on an Intelligence (Arcana) check with a DC equal to 10 + the spell’s level. If the check succeeds, the spell is successfully copied. Whether the check succeeds or fails, the spell scroll is destroyed.

This entry refers specifically to wizard spells, and seems to be more directed toward wizards copying wizard spells into their spellbooks, but since warlocks can copy any scroll that would also include wizard scrolls.

I’ve copied one spell already in our campaign, and the DM didn’t call for a roll, which is fine with me, but I’m just wondering if anyone knows what was intended.

Mobile Phones And Mobile Broadband – The Secrets Of Choosing The Perfect Deal

How exactly do you choose the perfect mobile phone deal? Or mobile broadband? Join me, as I show you buy phone list!
Let’s face it, if you’re trying to find yourself a new mobile phone, or if you’re trying to get yourself that perfect mobile broadband deal, it can be a bit of a minefield. You have to factor in the tariff, how many minutes you get, how many texts, whether you get international roaming… well, the list goes on. But the thing is, it doesn’t have to be a minefield. It can actually be really, really easy. Like anything, though, it takes a bit of preparation. You need to get your mind straight, and then everything else will follow on from that. There’s no point running in half-cocked, and buying a mobile phone or a mobile broadband package, purely on the spur of the moment. Otherwise you’ll get buyer’s remorse, and you won’t enjoy your purchase. Like anything in life, prepare, prepare, prepare!
Step 1 – Analyse what you really want from your new deal
Ok, it sounds obvious, and it sounds silly, but you’d be amazed how many people don’t do this. You need to ask yourself: ‘What factors determine that I need a new mobile phone or mobile broadband? What benefits do I want to get from my new gadget? How am I going to use it?’ In essence, sit down and follow this rough guideline:
– How many minutes-worth of calls do I, or will I, make per month?
– How many text messages do I send per month?
– Do I need to send photo messages?
– Do I need internet access? If I do, might I be better off getting a mobile broadband package?
– How much am I willing to (or can afford to) pay every month?
Only when you’ve answered those questions in your mind should you move on to step 2.
Step 2 – Choosing the right handset
This is the bit that traditionally is the hardest. You know, now, what deal you want, but have you decided on a phone? As before, don’t just buy the first one you find! Fortunately, you have a tool on your side, here: comparison sites (think along the lines of MobileShop, Pricerunner, or Kelkoo). They list everything you can buy, and will let you search under various criteria, like price, how many minutes and so on. So, go on to one of them, armed with the knowledge you have from Step 1, and start searching. Once you’ve filled in what you want from the deal, no doubt lots of mobile phones or mobile broadband packages will come back.
Now, the next bit of advice may sound contrary, but basically… once you have fed in the details of what you want from the deal, the comparison site will bring back handsets that match that deal. So, you know that whatever you’re now seeing is within your range of options. Once you know that, it lets you move onto the next step with confidence…
Step 3 – Choose from the heart!
Now that you’ve made all the logical choices about what you need, you have a list of mobile phones and mobile broadband packages that fit your needs. So, now, you can choose a handset based on what you want, on how the handset looks, or how you like the feel of it, or the fact it’s got a massive camera, or the fact that it plays back 93 billion different types of music. Or if you’re looking at mobile broadband, how it can run at speeds of 300 Megamassivemungabits per second!
You see, this is why you made all the important choices early on. This is why you did all the boring ‘what do I really need?’ stuff right at the start. You did it so that NOW, you can jump in and grab whatever mobile phones catch your eye, whatever mobile broadband package says, to you, ‘Buy me!’ And voila, before you know it, you’ll have bought the perfect deal!


Can ProtonMail access my passwords and hence my secrets?

ProtonMail provides encrypted “zero-access” encryption mailboxes. The way they explain “zero-access” is, at least for me, similar to zero-knowledge encryption. However, ProtonMail has in its servers my private keys. They say that the keys are encrypted as well, but they also have in their servers my password for that encryption. Therefore, it seems to me that ProtonMail could at any time access my private keys and my mailbox.

Is this correct, or am I missing something? Is this the reason why they do not call it zero-knowledge encryption?

When Deserializing a User in Passport is there any reason not to remove Secrets?

I am using the passport-local passport strategy, but in general I have a few questions (sorry for the length). They might be very novice questions so I apologize in advance, but please criticize every aspect of my question and code for security purposes. I want to follow the principle of least privilege, so I was wondering if I should remove certain secret properties from the user when I deserialize them in passport. For example my user has the hash, salt, and iterations properties whose values I don’t want to accidentally leak to the frontend.

If you’re unfamiliar with passport it puts user data on the request object on the server. When using anything with Connect middlewares (I’m using Express) this request object is passed through multiple request handlers/middlewares until eventually one of them sends a response to the client. The deserialize user method is what provides passport with a way to deserialize the user from its serialized state (which in the below example the serialized state is the id).

  1. First question, what would be the major advantages or disadvantages if I deserialize my user without these properties (namely the hash, salt, and iterations) in the deserialize user properties before allowing the user to be put onto the server-side request object (i.e. request.user)?

For example instead of this:

    passport.deserializeUser(async function(id, done) {
      try {
        // SELECT * also loads hash, salt and iterations onto req.user
        const users = await sqlFetch`SELECT * From users WHERE id = ${id}`;
        const user = users[0];
        done(null, user);
      } catch (err) {
        done(err, null);
      }
    });

I could do this:

    passport.deserializeUser(async function(id, done) {
      try {
        // Only the named columns are loaded; hash, salt and iterations never reach req.user
        const users = await sqlFetch`SELECT username, email, id, isAdmin From users WHERE id = ${id}`;
        const user = users[0];
        done(null, user);
      } catch (err) {
        done(err, null);
      }
    });

That way I do not ever accidentally leak the hash, salt, and iterations to the client.

If I want to prevent sending the hash, salt, and iterations with a deserialized user while answering no to question 1 I would probably do it at the time I send the webpage to the client like the example here:

    router.get("/", (req, res) => {
      res.render("index", {
        // Pass the template only the fields it needs
        user: req.user && {
          id: req.user.id,
          email: req.user.email,
          displayName: req.user.displayName,
          isAdmin: req.user.isAdmin
        },
      });
    });

Given that there are tons of routes that would do this it just seems like something might go wrong at one point. So, I could use middleware on specific routers so that every router.get,, etc. that comes after it will not have the full user:

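    // Replace req.user with a reduced copy for every route registered after this middleware
    router.use(function (req, res, next) {
      req.user = req.user && {
        id: req.user.id,
        email: req.user.email,
        displayName: req.user.displayName,
        isAdmin: req.user.isAdmin
      };
      next();
    })

    router.get("/", (req, res) => {
      res.render("index", {
        user: req.user,
      });
    });
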
  2. I have an assumption that is heavily tied to making me want to say yes to question one; that assumption is that the hash, salt, and iterations never need to be used by the server past authentication and authorization, therefore I would never need to use the full user object outside of passport (e.g. outside as in when using request.user to access the user later), and therefore according to principle of least privilege I shouldn’t use the full user elsewhere. Is this assumption correct?

  3. Also, to go along with 2. I think if I don’t send the user along with the request through my route handlers then I wouldn’t be as vulnerable to shared memory vulnerabilities (I usually host my apps on the cloud, so I assume this should be a concern.) Is that a valid concern and assumption?

  4. Say instead the secrets were an API token. The difference with this is I need it to be authorized to an external API at some point in a request cycle. For the same reasons as above (i.e. least privilege, shared memory vulnerabilities) should I grab the user’s tokens at the start of the request and probably go the middleware route where I don’t allow access outside my API routes, or should I only fetch this API token from the DB (which is an extra database call) when I need it, maybe with its own middleware (but only on my API routers’ routes)? One other option for API tokens that I’ve heard of is to encrypt the API token in the db and decrypt at time of use? Do any of those last 3 options for API tokens have major advantages or disadvantages over the others?
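
The allow-list option from the post above, together with its "fetch the API token only when needed" option, as an added example that is not part of the original question. `PUBLIC_FIELDS`, `fakeDb`, `toSafeUser`, `withApiToken` and the sample row are hypothetical; the in-memory map stands in for the `users` table so the block runs without Express or passport.

```javascript
// Added example: allow-list projection at deserialization, secrets fetched only at use.
// PUBLIC_FIELDS, fakeDb, toSafeUser and withApiToken are hypothetical names.
const PUBLIC_FIELDS = ["id", "username", "email", "isAdmin"];

// Constructed sample row standing in for the question's `users` table.
const fakeDb = new Map([[7, {
  id: 7, username: "alice", email: "alice@example.test", isAdmin: false,
  hash: "constructed-hash", salt: "constructed-salt", iterations: 100000,
  apiToken: "constructed-token",
}]]);

// Copy only allow-listed keys, so a secret column added later stays out by default.
function toSafeUser(row) {
  const safe = {};
  for (const key of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(row, key)) safe[key] = row[key];
  }
  return Object.freeze(safe);
}

// Same (id, done) callback shape that passport.deserializeUser is given.
function deserializeUser(id, done) {
  try {
    const row = fakeDb.get(id);
    // A missing row yields `false`, which tells passport the session has no user.
    done(null, row ? toSafeUser(row) : false);
  } catch (err) {
    done(err, null);
  }
}

// The "fetch when needed" option: the token exists only inside `fn`, never on req.user.
function withApiToken(userId, fn) {
  const row = fakeDb.get(userId);
  if (!row || !row.apiToken) throw new Error("no API token for user");
  return fn(row.apiToken);
}

// A careless handler that serializes the whole request user, as a leak check.
function carelessHandler(reqUser) {
  return JSON.stringify(reqUser);
}

let demoUser;
deserializeUser(7, (err, user) => { demoUser = user; });
console.log(carelessHandler(demoUser));
console.log(withApiToken(7, (token) => `token length seen at call site: ${token.length}`));
```

Because the projection is an allow-list rather than a delete-list, a handler that serializes `req.user` wholesale can only expose the four named fields.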

Ready to make Money Cryptocurrency Secrets, Hot Niche

Grab this chance to own 100% done for you Currently Hot Topic Cryptocurrency trading. Just send traffic and make lot of money.

Unless you've been living under the rock for the last several months, Cryptocurrency is gaining explosive popularity and captured public recognition… although it's been around for a few years.

And I'm about to share with you an amazing opportunity to not only learn about this brand new wealth creation vehicle of the 21st century..

Even if you have not heard of…


Handling secrets and environmental variables in Docker-k8s-skaffold dev environment

Basically, trying to wrap my brain around how I should be handling secrets using Docker, k8s, and Skaffold in a dev environment. I’m pretty new to this tech, so don’t fully understand all of it.

Just not sure if I should be using a .env, or config.json, that isn’t committed to the repo, or if there is a better way with using Docker.

Ideally, I could just refer to process.env.API_KEY in my code, regardless of environment, and it would just work and grab the correct environmental variables. If it is in production in AWS, it would just grab the keys from Key Management Services. In production, it would just grab them from wherever.

Did come across this, which seems to apply to Docker Swarm so may not be relevant:

So what is the best practice using Docker, k8s, Skaffold for handling environmental variables and secrets in development?

Producers and Beat Makers Placement Secrets for $20

Nowadays there are a lot of beat makers and producers who are all trying to make it. But the reason a lot of them don’t is because they are not applying the correct strategies to win. It takes more than just having a good track to get placements. Creating a good beat is only half of the battle. If you want to succeed and scale your career as a producer to the next level, you need to have the right connections. There are a lot of producers and beat makers who are greatly talented yet lack the tools and resources they need to get seen and heard on a bigger scale. A great deal usually fail because of this. Most beat makers & producers usually create multiple tracks a day that pile up without having a way to get artists to record to them or big labels to hear them. I understand how it feels to be blessed with a gift while at the same time lacking guidance and the resources to help propel your career.

It’s my goal to help upcoming producers launch their careers faster and more efficiently and with this great tool it will do so. This is the perfect cheat sheet for any producer at any career stage. For producers and beat makers, owning this Producers cheat tool is of the highest importance. When you are ready to send your music and build relationships with major artists, AnR’s and the record labels, this current and active contacts list is what you’ll need. Here are some of the contacts you’ll get using my personal list:

  • Over 200 major artist email contacts
  • Over 100 A&R emails and phone numbers
  • Over 50 major label email contacts and phone numbers
  • Direct manager contacts

*BONUS

  • Email subject lines that increase a high open rate.
  • Email scripts that increase a high response rate.

If you’re too lazy to sit back and email your production and connect with people who can change your life then there’s no hope for you. That might sound harsh, but it’s true. This is for serious producers only.

by: DJColossus
Category: Audio & Music

Securing Code Secrets – What is the relevance if the host gets compromised?

I’ve been researching and testing different approaches when it comes to securing code secrets, and am unsure what the best options are, and if they even have any relevance once a host gets compromised.

Some standard approaches I’ve read about storing variables are:

  • Compiled code
  • Environment variables on machine or through Docker
  • Files
  • Encrypted/decrypted through keys to a vault API/DB

If a host gets compromised (admin access), secrets can be exposed via:

  • Decompiling code
  • Viewing env variables / files
  • Memory dumps
  • Viewing SSL traffic using private keys on host
  • Decompiling and modifying code to expose possible encryption/decryption keys and output secrets once fetched from a vault

Are there methods that will protect secrets once a host is compromised, or is it just making the ability to fetch secrets more complex, so an intruder will find it more difficult to reach them?
If a host is secured and firewalled and admin access is tightly controlled, is there really any benefit to the added complexity of storing secrets elsewhere rather than on the host itself?