How can I prevent casters from stealing the spotlight from non-casters?

I have been running a game of D&D and the group is split with two non-magic users (Fighter, Barbarian), one quarter-caster (Paladin), one half-caster (Bard), and two full casters (Cleric, Wizard). The game was going rather well as I had started them from level one; however, the group has reached level five, and the wizard and the cleric have started solving everything, which has been making everyone grumpy. Wizard summons are better at tanking than the barbarian and Paladin. Cleric is far better at buffing the party and talking compared to the bard.

I don’t wish to just go, “You guys walk into a dead magic zone. None of your fancy magic works now.” What can I do to distribute the spotlight equally among the party members?

I was asked for examples. As a prime example, whenever there is a combat encounter, the wizard casts alter self to gain a high natural armor combined with mage armor, causing the wizard to have an AC equal to the paladin's and removing the whole squishiness disadvantage. The wizard also has spell focus conjuration and augment summon, so his creatures are actually as good as the fighter and paladin during combat situations.

As for the cleric, he has the divine metamagic feat focusing on persistent spell, so he is able to give out two buffs that last all day long, so the bard's song bonuses are pretty much negligible.

Can a sword of life stealing steal more hp than the target has?

The entry for Sword of Life Stealing says: "When you attack a creature with this magic weapon and roll a 20 on the attack roll, that target takes an extra 10 necrotic damage if it isn’t a construct or an undead. You also gain 10 temporary hit points.

Note: According to the SRD, it is an extra 3d6 necrotic damage."

However, my DM says that a Sword of Life Stealing inflicts its damage in a certain order on a natural 20: first the regular damage, then crit damage, THEN the necrotic damage…so if by that point the target has no more hp left to lose, I receive no temporary hp. Basically he said that the target "has no more life to steal".

I thought this was a bit of a strange interpretation. Is there an official ruling somewhere?

Stealing a beholder’s soul [closed]

So I kinda half-assed a session yesterday where the party found an unscathed beholder skeleton which was feasted upon by gas spores and made a town sick. I just have this idea that the beholder had its soul stolen by some monster or was put in a phylactery. I’m thinking a night hag but I can’t think of a way to implement it or any of the other options.

How to harden against credential stealing in EC2 via the http://169.254.169.254 API?

AWS has a feature called Instance Metadata, which on EC2 gives you access to the AWS credentials through HTTP calls:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> 

The feature itself is intentional, thus technically not a vulnerability. The risk is also stated in the documentation:

If you use services that use instance metadata with IAM roles, ensure that you don’t expose your credentials when the services make HTTP calls on your behalf. The types of services that could expose your credentials include HTTP proxies, HTML/CSS validator services, and XML processors that support XML inclusion.

As long as an application cannot be tricked by an attacker to make such a request and to output the response, it is certainly a convenient feature. Unfortunately, it is a common source of attacks.

Of course, a server should properly verify all URLs before, but in the spirit of defense in depth, I wonder if it is possible to disable it, or maybe allow it only during startup (before opening any ports).

Questions:

  • Is it technically possible to disable the feature? In other words, how can I ensure that requests to http://169.254.169.254/ are blocked?
  • If it is technically possible, are there any drawbacks in blocking it?
  • Is there a way to still have access to the safe parts of the API, but not to the critical ones? Maybe by whitelisting specific paths? For example, I see the point of allowing /meta-data/spot/instance-action, which tells you whether your EC2 spot instance has been scheduled for termination.
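Added example (not part of the original question): an application-level check for the "verify all URLs" step mentioned above, rejecting user-supplied URLs that point at the link-local range containing 169.254.169.254, including decimal, hex and IPv4-mapped IPv6 spellings. The function names and the injectable `resolver` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Link-local ranges; 169.254.169.254 (the address from the question) is in the first.
BLOCKED_NETS = [ipaddress.ip_network("169.254.0.0/16"),
                ipaddress.ip_network("fe80::/10")]


def _literal_ip(host):
    """Return an ip_address if host is an IP literal in any common spelling, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # inet_aton also accepts legacy forms such as 2852039166 or 0xa9fea9fe
        return ipaddress.ip_address(socket.inet_aton(host))
    except OSError:
        return None


def _is_blocked(ip):
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    return any(ip.version == net.version and ip in net for net in BLOCKED_NETS)


def _system_resolver(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_outbound_url(url, resolver=_system_resolver):
    """True only if url is http(s) and none of its addresses is link-local."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed URL: fail closed
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    literal = _literal_ip(parts.hostname)
    if literal is not None:
        return not _is_blocked(literal)
    try:
        addresses = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    except (OSError, ValueError):
        return False  # resolution failed or returned junk: fail closed
    return bool(addresses) and not any(_is_blocked(a) for a in addresses)
```

The check only helps if the later fetch connects to the address that was validated and re-runs the check on every redirect; otherwise a second DNS lookup or a redirect can still land on the metadata address.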

Firefox bug permits stealing encrypted passwords: How is this possible?

It’s my understanding that passwords I save in Firefox’s Password Manager are encrypted and that setting a Master Password encrypts the encryption key used in this process. The Google hit for “Does firefox encrypt saved passwords?” returns this Mozilla Support forum article in which the chosen answer (posted by a moderator) states:

The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db (previously in key3.db) and without a master password you merely need to place the two files in Firefox profile folder to see the passwords in the Password Manager.

(Note that logins.json is where FF stores passwords.)

This Information Security question posted by a high rep user assumes the encryption of the passwords, even before a user has set a Master Password, as does this well-received question.

But according to the Sophos Naked Security article, Firefox fixes “master password” security bypass bug, Mozilla released a security fix to resolve an issue where an attacker can copy saved passwords to the clipboard without entering the Master Password:

It was found that locally stored passwords can be copied to the clipboard through the ‘copy password’ context menu item without first entering the master password, allowing for potential theft of stored passwords.

How is this possible if the passwords are encrypted?

Isn’t the Master Password needed to decrypt them before access? I’m very worried now that an attacker that gains access to my logins.json and key4.db files would have all my saved passwords!

How can I handle a player (unintentionally) stealing the spotlight?

Quite recently, I replaced a friend as DM for a D&D game. During that game, I came across something I did not expect: One of the players was just too good.

When I am saying “too good” I am not talking about his character being overpowered, but the player himself having the time of his life roleplaying his bard.

Now I have no problem with someone enjoying roleplaying, quite the contrary, the problem came from the fact that the rest of the party (3 players), weren’t quite on the same level of intensity.

This disparity caused the game to basically devolve into a 1 on 1 with the bard. Usually in that kind of situation I tend to give more attention to the withdrawn players, by interacting with them a bit more often. But in this case, whenever I did that, they almost always found a way to give the spotlight back to the bard.

A simple example:

At one point the group witnessed a girl being annoyed by a group of ruffians, so I asked one of the other players (a paladin) what he was going to do. His answer was, word for word:

I think we should let the bard handle this.

This is the kind of answer I got for almost every problem I threw at them.

Another example:

The adventure is heavily puzzle based, with combat encounters being pretty rare. So the DM had prepared a dungeon with a custom-made puzzle for each class.

  • 1 puzzle for the paladin, where the goal was to identify which object between several was wicked.
  • 1 puzzle for the ranger, where the goal was to guide the party through a labyrinth that took the form of a forest
  • 1 puzzle for the cleric, where the goal was to reconstitute a story from fragments, related to different deities
  • 1 puzzle for the bard, where the goal was to sing the correct song to a creature to put it to sleep

Of all these puzzles, only the paladin did his puzzle without asking the bard to do it for him. All the other puzzles were basically done by the bard, on demand from the other players.

So my question would be:

In that kind of situation, how can I prevent a single player from hogging the spotlight, when all other players always refuse to be in the spotlight?

PS:

This problem has also been noted by the usual DM of the group, and he did not find a solution either.

Stealing WiFi password on reconnect [duplicate]

This question already has an answer here:

  • How does WPA2-PSK prevent evil twin password phishing? 2 answers

If I made a clone of a WiFi network I’m trying to access, could I get the WiFi password when someone tries to connect to my network?

I know my phone will automatically try to connect to the network if it’s saved already and set to automatically connect. All of this assuming I’m closer to the device that will try to connect than the router is.

In short, I’m making a WiFi network with the same name as the one I’m trying to crack on my laptop/phone and then waiting for someone to connect to it. Will this work?

When stealing something do you need to roll stealth and sleight of hand?

Scenario: An arcane trickster casts disguise self as a blind old man.

In a crowded room, his accomplice distracts the target, while the arcane trickster tries to steal his pouch of gold. As a DM, what would you have him roll?

I am trying to solve a minor disagreement between a player (me) and a DM. He felt like I should roll a stealth check followed by a sleight of hand check. I thought I should roll a sleight of hand check with advantage since I had gone to all the trouble to orchestrate the distraction with a party member and disguise myself.