May a spellthief cast a stolen spell using a metamagic rod?

Spellthiefs (Complete Adventurer variant, p. 13) can not apply metamagic feats to stolen spells they posses.

The Steal Spell’s description reads, in part:

A spellthief can’t apply metamagic feats or other effects to the stolen spell unless the specific spell stolen was prepared with such an effect. For example, a spellthief of 6th level or higher could steal a wizard’s empowered magic missile, but only if he specifically chose to steal empowered magic missile. If he chose to steal an unmodified magic missile, he couldn’t steal an empowered magic missile, a silent magic missile, or any other metamagic form of the spell. A spellthief couldn’t steal an empowered magic missile from a sorcerer, since the sorcerer applies metamagic effects upon casting and thus has no prepared empowered magic missile spell.

Does this description refer to metamagic feats in general?

Would it make any difference to apply a metamagic feat through the usage of a metamagic rod?

stolen article is the first result in google search

After moving my old domain as I have noted that my post URL disappeared from the google search as shown below

enter image description here

Is it normal?

The main issue when I tried to search by the keyword Show / Hide fields based on choice field selection using JQuery in SharePoint I found out the first result is a stolen article with my identical image and content

enter image description here

enter image description here

So I am Wondering

  • How the stolen article get rank 1 in the search result
  • Is it normal my migrated url not appear in google as sown in the image 1
  • How to overcome this issue and get my post come back to the first result, should I reminded the old post url or reindex the new one

Please Help


301 redirect implemented correctly 4 months ago

enter image description here

iPad stolen with LastPass, Should I be worried?

Unfortunately my iPad was recently stolen and I had LastPass installed on it. Both the iPad and the app are protected with TouchID and passcodes. However, LastPass keeps an encrypted offline cache of the passwords and other stuff including secure notes for bank accounts and cards, etc. I understand that it should be very unlikely for someone to get through TouchID and the master password for the app. Just in case, I can go ahead and change the password for all the critical websites, but I can’t change anything about the bank accounts and other secure notes already in there. Should I be worried about someone getting the vault decrypted? I’m assuming the everyday petty thief wouldn’t go through all that but some advice could still be helpful.

Will 2FA, in general, be bypassed by a stolen passport?

You have a friend called Bob.

You have a copy of Bob’s passport.

Bob uses 2FA for all of his accounts.

Would you, in general, be able to bypass this 2FA and access his accounts, by doing the following:

  • Emailing support

  • Explaining to support that you lost access to your account

  • Sending support a copy of Bob’s passport, claiming that you are, indeed, Bob

Would it be fair to say that the majority of support agents would reset 2FA on Bob’s account?

Phone number stolen. What to do?

It seems a friend of mine got his phone number stolen. Someone got access to his Facebook account (where they tried to post ad campaigns) and to his WhatsApp account. The Facebook security page said his account was accessed using his password and phone validation. This combined with the WhatsApp access is what makes us think they have access to his text messages.

He does not have a smartphone, and he recently got a new phone from a little-known brand (a “Danew konnect 245 Bara”, this phone:, and he recently spent some time at airports. He says he received an SMS a while back saying asking him to confirm a new login, but he deleted the message. It was around the time of buying the new phone, but he’s not sure if it was just before or just after.

I’ve read about people transferring your number to other providers to take over access to your phone, but he can still make and receive calls using his phone number. He called his provider and they said he hasn’t requested any new sim card lately, and they couldn’t see any other suspicious activity. His phone (both the old and the new) does not support apps, so he hasn’t installed anything himself. I’ve never heard of copying sim cards through wireless means. Could it be that the new phone is somehow malicious or had a security flaw that allowed this to happen? He bought a new phone now just in case.

To me it sounds impossible that the phone number was stolen considering he can still access it, but I don’t know what else to make of these facts. Could these things have been accessed some other way? And more importantly, what can he do to secure himself now?

Where is the line drawn for ethical hackers using stolen credentials in their paid services?

The very interesting question I have is when “ethical” hackers/pen testers harvestthese repositories of stolen credentials to then use them in pen testing for paying clients what ethical boundaries are broken? What laws are broken? If a lazy hacker leaves their captured credentials out on un insecure, public facing server and then an “ethical” hacker grabs them for their own paid services, it seems to me that it’s stealing already stolen goods.

What about a penetration tester taking credentials gathered from a paid/contracted job and adding them to a database to be used in future client jobs?

Do more credit cards get stolen through public WiFi than through data breaches?

I was listening to a podcast the other day which was sponsored by a VPN provider. During the talking points for the advertisement, the host said something to the effect of the following (I’m recalling this from memory, but this is the gist)

Have you ever had your credit card hacked? Be wary of using public WiFi networks when purchasing something, the networks are full of hackers attempting to steal your information. In fact, the number one way that credit card details are stolen is through hackers downloading them via coffee shop wifi. With VPN Provider you can count on a safe experience…

And then goes on to tout the benefits of a VPN. However, this claim doesn’t sit right with me. Are more details stolen through public WiFi interception than, say, data breaches from major retailers? Or is this a case of “coverage bias” where large breaches get more news coverage (and therefore more recognition)?

Security Risk of Stolen Session ID vs Authentication Token

I was intrigued by the discussion of this SO question as well as the accompanying blog post. I’m trying to better understand the mechanics of the two systems, and one of the questions I came up with is how much worse is it to have a token stolen vs. a session ID?

Here’s what I understand so far, and please do correct me if I’m wrong:

A session ID is an opaque reference to actual session data stored on the server. It is safe insofar as it is random enough to not be guessed easily, and the data is safe because it is not directly accessible by or beholden to the front-end. The session ID is stored in a cookie to simplify authenticated requests.

An authentication token is a plaintext segment of JSON user data with a cryptographic signature that verifies the data’s integrity. It is tamper-proof because of the signature, so no one can simply come up with their own token. The data it grants access to is safe on the server, except of course what is present in the token (which even then can be encrypted if need be). The token is also often stored in a cookie to simplify authenticated requests.

So here is what I do not understand. The way I see it currently, it seems just as likely that a token be stolen as a session ID, e.g. anyone breaking past my SSL and viewing my token would be able to view a session ID as well. Either event gives the attacker complete access to my account and all associated authorization. So in terms of the event likelihood and the resulting damage, is an authentication token really any worse than a session ID, as the article claims?

The one thing I could see potentially being worse for tokens is if the signing secret were somehow found out, in which case the attacker can do anything with anyone’s account, rather than just mine. However I almost want to relegate this to the reasonable unlikelihood of someone first breaking RSA, in which case they can get past SSL, and then what good is a session ID anyway?