Where to store tokens for analysis team members

As part of their day-to-day work, each member of our analysis team must handle a variety of sensitive information. For example: usernames and passwords for our internal databases, and tokens for accessing APIs. Some of this is specific to each individual, while some is shared by the whole team.

Ideally, each team member would only need to enter some individual login information once and then have automatic access to everything. For instance, our custom analysis libraries would need to be able to find the tokens they need to access the web services we use.

What is a best practice for handling this type of situation?

Balancing story with team play

The crux of the problem is that, to stick true to my character and the situation he is in, I feel he wouldn’t bring the rest of the party along to something he needs to do. I, the player, however, am aware that this breaks up the flow of play and other players will have to sit around for a while waiting.

I’ve spoken to my DM and without giving anything away they said I should feel free to stick to my character. We’re all fairly new to DnD though so I don’t want to put too much strain on us at this point.

There are plenty of people here with more experience than us, how would you proceed? Split up? Keep together? What about at different levels of experience?

How do you know when it’s best to split up and stick to your character?

Cybersecurity startup (vulnerability research & red team)

If I wanted to move from independent work to a good plan to build a startup based on what I have basically been working on: corporate penetration testing and some red team engagements, though for the last few years I have been into vulnerability research, which I would like to apply to business too. Of course, I cannot start with everything, but how do companies offering vulnerability research sell the service without having a product like Metasploit or Core Impact, or selling exploits to the government? The closest to this area is application vulnerability analysis/product security, which ranges from web apps to software, looking for loopholes and giving remediation. It may also involve the following, depending on engagement restrictions:

  • fuzzing
  • reverse engineering
  • protocol analysis
  • data injection
  • target application binary analysis and debugging
  • session manipulation
  • flow analysis

Can a Nova use “Boost” and spend Team on the same roll?

The Nova class has a flare entitled “boost” (bold added for emphasis):

Spend 1 burn to supercharge a teammate’s efforts with your powers, giving them a +1 bonus to their roll as if you had spent Team from the pool.

Now, I know that the rules for using Team state (Masks, p. 82):

each teammate can only spend one Team out of the pool for any single roll

But I’m not clear whether the “as if you had spent Team” part of the Boost flare means that you are restricted from spending an actual Team on the same roll.

So if a Nova has already spent a blaze to add a +1 to a teammate’s roll with Boost, could that Nova also spend a Team to add an additional +1 to that same roll?

What’s the RPG about a journey from A to B, with examples about French soldiers going to kill Hitler and a team trying to win a TV race contest?

There’s this roleplaying game that’s all about a group of people trying to get from point A to point B.

The two example scenarios that are the base for all the examples in the manual are French soldiers going to Berlin to kill Hitler and guys on a TV game show needing to reach point B to win a prize before a team of hunters catches them.

If I’m not mixing two different games together, the main game mechanic is throwing dice from a certain distance at a target lying flat on a table. Rolling outside the target (too long or too short) or knocking over the pile of dice stacked in the center of the target means failure.

Should I present forged documents in a Penetration Test/Red team engagement?

A previous question of mine led to this discussion, which mentioned the subject of document forgery.

I’ve seen many people (in videos) forge IDs and employee badges for such engagements, so that seems fine as a test. However, if asked to present a more critical/serious document like a “Permission to Attack” slip (when caught), or asked by a police officer to present some ID, should we test them by first showing them a forged “Permission to Attack” slip or ID and only show the real documents if caught?

What to do if caught in a Red Team engagement?

I’ve seen a lot of people talk about how to pentest and how NOT to get caught during engagements but have a hard time finding “How to behave when caught during a Red Team engagement”.

Red Teams are to simulate adversaries attacking systems. Many actions can’t be done (or are at least very hard to do) with just some computers, and Red Teams often have to go on site and break in (legally). What I’ve seen so far is people succeeding in not getting caught. However, I haven’t seen anyone talk about what to do when caught. It may just be some suspicion or even being chased by security (possibly armed).

In cases where a Red Teamer is caught during an engagement, what should he/she do?

  • Say “I’m a security tester. You’ve caught me so I’ll just leave.”
  • Run away like a criminal with their stolen data (which sounds fun but dangerous) to be more like an actual criminal attacker
  • Contact the employer to report it and get a “just continue” pass
  • Quietly come along for some possible interrogation (I think this would be the safest)