Are there features that actually specify their own bonus action timing?

The PHB states:

You choose when to take a bonus action during your turn, unless the bonus action’s timing is specified, and anything that deprives you of your ability to take actions also prevents you from taking a bonus action.

I’ve found lots of triggering specifics, but nothing that says WHEN you have to take it.

Are there example(s) where the exact timing of the bonus action is dictated, and not just the triggering requirement FOR a bonus action that you then choose when or if to use?

Phishing Email Timing

Sometimes I realize that I receive phishing emails just after doing some operations on the web. For instance, I was trying to pay taxes from my bank account (the website was 100% trusted, I checked the signature), and just a few minutes later I received a phishing email from the bank with a fake email address.

The timing was very close to the operation I had performed. I had the same feeling in the past with other phishing emails, but I always thought it was just chance. I wonder if there is some way / chance that this is not just a coincidence.

Use delay with a fixed total time to defend against timing attacks

Consider this common example used to demonstrate timing attacks:

    async def sign_in(username, password):
      user = await get_user_from_db(username)
      if user is None:
        return False  # early return :(

      password_hash = slow_hash(password)
      return verify(password_hash, user.password_hash)

The usual suggestion is to do the same thing on all execution branches. For example, something like this:

    async def sign_in(username, password):
      user = await get_user_from_db(username)
      if user is None:
        actual_password_hash = "foo"
      else:
        actual_password_hash = user.password_hash

      password_hash = slow_hash(password)
      res = verify(password_hash, actual_password_hash)
      return res and user is not None

But I wonder if the following strategy is also useful against timing attacks (not considering other types of side-channel attacks), while not wasting computing resources:

    import asyncio

    async def sign_in(username, password):
      # Longer than what `sign_in_impl` takes normally
      fixed_duration = ...

      # Run the timer and the real work concurrently; both must finish
      _, sign_in_result = await asyncio.gather(
        delay(fixed_duration), sign_in_impl(username, password)
      )
      return sign_in_result

    # Awaits a certain amount of time
    async def delay(duration):
      ...

    # This takes variable time
    async def sign_in_impl(username, password):
      user = await get_user_from_db(username)
      if user is None:
        return False  # early return :(

      password_hash = slow_hash(password)
      return verify(password_hash, user.password_hash)
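One way to realise the fixed-total-time idea from the question above, as an added example that is not part of the original post. The in-memory `USERS` table, the PBKDF2 parameters, `FIXED_DURATION` and the `budget` parameter are assumptions; it also covers the case the sketch leaves open, where the real work overruns the fixed duration.

```python
import asyncio
import hashlib
import hmac
import time

FIXED_DURATION = 0.4    # assumed budget; must exceed the slowest real sign-in
ITERATIONS = 20_000     # assumed PBKDF2 cost, kept low so the demo is quick
SALT = b"constructed-demo-salt"


def slow_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed sample user store, standing in for get_user_from_db().
USERS = {"alice": slow_hash("correct horse")}


async def sign_in_impl(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False  # early return: variable time, hidden by sign_in()
    # Hash in a worker thread so the event loop and its timers keep running.
    candidate = await asyncio.to_thread(slow_hash, password)
    return hmac.compare_digest(candidate, stored)


async def sign_in(username: str, password: str, budget: float = FIXED_DURATION) -> bool:
    deadline = time.monotonic() + budget
    try:
        result = await asyncio.wait_for(sign_in_impl(username, password), budget)
    except asyncio.TimeoutError:
        # The work overran the budget. Fail closed rather than answer late:
        # a late answer would expose the variable duration again.
        result = False
    # Pad every outcome (success, failure, timeout) out to the same deadline.
    await asyncio.sleep(max(0.0, deadline - time.monotonic()))
    return result


async def timed(username: str, password: str, budget: float = FIXED_DURATION):
    """Return (result, elapsed_seconds) for one sign-in attempt."""
    start = time.monotonic()
    ok = await sign_in(username, password, budget)
    return ok, time.monotonic() - start
```

The padding equalises response latency only; a hash that is cut off by the timeout still finishes in its worker thread and consumes CPU.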

Cutting Words timing when playing online

Lore Bard’s Cutting Words feature states the following:

Also at 3rd level, you learn how to use your wit to distract, confuse, and otherwise sap the confidence and competence of others. When a creature that you can see within 60 feet of you makes an attack roll, an ability check, or a damage roll, you can use your reaction to expend one of your uses of Bardic Inspiration, rolling a Bardic Inspiration die and subtracting the number rolled from the creature’s roll. You can choose to use this feature after the creature makes its roll, but before the DM determines whether the attack roll or ability check succeeds or fails, or before the creature deals its damage. The creature is immune if it can’t hear you or if it’s immune to being charmed.

What exactly does that mean? At what time do I have to tell my DM I interrupt them?

When playing at a table, my DM usually goes this way: “The goblin attacks [player character] with their bow and [rolls] hits”. I can hear the dice roll and I say I want to know the result in order to decide if I want to use Cutting Words.

Now with the current sanitary situation, we play online, and the DM usually rolls their own physical dice and tells whether it hits or not because they have all our ACs registered. This basically forbids me to use my Cutting Words.

So what is the exact timing where I can interrupt the DM, online, and use my Cutting Words?

How does the reaction timing work for Wrath of the Storm? Can it potentially prevent the damage from the triggering attack?

With attacks of opportunity, the PHB is pretty clear that your reaction occurs as an interruption to your opponent’s move, just before they move beyond your reach, then they resume their turn. Fair enough.

However, there are some abilities that happen during an opponent’s attack – for example, the Shield spell, and a Tempest cleric’s Wrath of the Storm ability. These both say they happen when you’re “hit” by an attack – but the Shield spell raises your AC, so I assume that occurs before rolling damage, and makes it possible for you to be retroactively not hit by the attack. Is the same true for Wrath – that your reaction might KO your opponent, and you wouldn’t have to worry about taking damage?

(I was planning to include Hellish Rebuke in this question but I see it specifically refers to “being damaged”, so I assume that means it happens on your opponent’s turn but definitely after getting hit, meaning you can only cast it if you’re still conscious.)

Google Scrape Keeps Timing Out

Hey guys,
I’ve got a problem with my scrape and would really appreciate any help anyone can give me.
Whenever I try to scrape Google, I get through about 30 searches, then Scrapebox starts returning zero results for everything else.

I’m using:

  • 50 semi-dedicated proxies from buyproxies.org
  • Detailed harvester
  • Scraping Google
  • 30 second delay
  • ~3,000 keywords to search

Why can’t I scrape using my entire list?

Is it an issue with my proxies?
Can anyone recommend a reliable source of proxies for scraping?

Thanks!

What are the main differences between a covert timing channel and a covert storage channel?

I am trying to find the differences between a covert timing channel and a covert storage channel in terms of detectability, performance, features, and any other advantages and disadvantages.

Is there any resource that directly compares the advantages and disadvantages of the two attacks?

Do arbitrary/Byzantine failures include omission failures and timing failures?

Distributed Systems 5ed by Coulouris says on p68

2.4.2 Failure Models

Omission Failures

Arbitrary Failures The term arbitrary or Byzantine failure is used to describe the worst possible failure semantics, in which any type of error may occur. For example, a process may set wrong values in its data items, or it may return a wrong value in response to an invocation.

Timing Failures

Are arbitrary/Byzantine failures arbitrary? (Sounds yes to me.)

Do arbitrary/Byzantine failures include omission failures and timing failures? (I guess not. Otherwise, why does it describe omission failures and timing failures separately?)

Thanks.

Can string comparison realistically be exploited in a timing attack on a web server?

Suppose you have the following code in Node:

    const { token } = req.body
    const hash = crypto.createHmac('sha256', SECRET).update(token).digest('hex')
    const user = await User.findById(req.session.userId)

    if (hash === user.rememberMeHash) {/*...*/}

The string comparison above is deemed vulnerable to a timing attack because it can leak the character position on a mismatch, so the correct way is

    // Hashes are already equal in length because the same hash function was used
    if (crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(user.rememberMeHash))) {/*...*/}

While true in principle, I can’t see how this leak is practically possible. To get reliable time measurements, you’d need to

  • isolate the code snippet to avoid interference from side effects (request handling, Express routing, DB queries);
  • run a large number of empirical tests in a strictly identical environment (same CPU & memory usage, processes, OS);
  • have access to a local server instance that has no traffic or intervention from outside.

None of these are realistic in a distributed system, much less to an attacker with no privileged access and no knowledge of the specific hashing algorithms and secret keys employed.

In practice, you will necessarily get varying and inconsistent results when timing any code, particularly one that is just-in-time compiled like JavaScript. This is well understood in algorithm analysis which doesn’t directly measure algorithm runtime because these measurements are acutely sensitive to the underlying hardware, software, compiler, language, etc. In this particular case, compared to a database query or a network call (or even script processing when running node binary on a .js file), string comparison takes a minuscule amount of CPU time to process.

Now, also consider that the above code runs across a cluster of servers behind a load balancer. As such, HTTP response times will vary depending on other incoming and ongoing requests (i.e. website traffic), background processes, hosting provider uptime, network fluctuations (e.g. speed drops), use of Tor or a VPN, and hundreds of other factors.

Considering a real-world web server architecture, how can a mere string comparison ever be exploited in a timing attack?
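The position leak and the constant-time alternative described in the question above, as an added example that is not part of the original post. It is written in Python, where `hmac.compare_digest` plays the role of Node's `crypto.timingSafeEqual`; the `SECRET` value and the helper names are constructed, and the step counter models the work each comparison does rather than measuring wall-clock time.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: stands in for the server's SECRET


def remember_me_hash(token: str) -> str:
    """HMAC-SHA256 of the token, hex encoded, as in the question's snippet."""
    return hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()


def early_exit_equal(a: str, b: str):
    """Model of an early-exit compare. Returns (equal, characters_examined)."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps  # work done depends on the matching prefix
    return True, steps


def full_scan_equal(a: str, b: str):
    """Model of a constant-time compare: every character is always examined."""
    if len(a) != len(b):
        return False, 0
    diff, steps = 0, 0
    for x, y in zip(a, b):
        steps += 1
        diff |= ord(x) ^ ord(y)  # accumulate differences, never branch on them
    return diff == 0, steps


def verify_remember_me(token: str, stored_hash: str) -> bool:
    """Check a token against the stored hash; a missing hash is a failure."""
    if not stored_hash:
        return False
    return hmac.compare_digest(remember_me_hash(token), stored_hash)
```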