## What was the original intent for the feature that StrandHogg uses?

The “Affinity” of Android tasks seems really complex to handle. The StrandHogg vulnerability uses tricks with “Affinity” to render itself inside an another app.

The information that I’ve found this far does not provide exact details of vulnerability but as far as I know there is not a technical vulnerability but a poorly designed API which allows for clever social engineering attacks.

Is there a real use case for the API behavior that StrandHogg uses?

If I have understood correctly, the API the vulnerability uses allow attacker to place its own Activity on the victim “Back stack”. From reading the API description and the provided example cases the main intent of this API is to allow embedded activities from other apps to be displayed within your own task. However, the StrandHogg vulnerability seems to the other way around: using API to push your own activity over another task’s “Back stack”.

My best guess is that the attack uses the weird behavior described on page 100 of presentation called “Manipulating Android tasks and back stack” from year 2011. However, I cannot imagine any sensible use case for the behavior described.

## If a Tempest cleric uses the Wrath of the Storm and Thunderbolt Strike features to push an attacker away, can the attacker complete its multiattack?

The Tempest Domain cleric’s Thunderbolt Strike feature (PHB, p. 62) says:

At 6th level, when you deal lightning damage to a Large or smaller creature, you can also push it up to 10 feet away from you.

I envision the Thunderbolt Strike as throwing the target creature away from it, not gently pushing it away. I mean, lightning is an instantaneous thing, and 10 feet is more than just losing your balance.

The Thunderbolt Strike feature of a Tempest cleric leaves me with many questions. For instance, if a monster is able to make a multiattack consisting of 2 claw attacks and then a bite, and it hits me with its first attack, I can use Wrath of Storm as a reaction to deal lightning damage to it, and thereby blast the creature back 10 feet using Thunderbolt Strike.

If the monster does not have 10 feet of movement left after being pushed, does it lose its other 2 attacks against me (if no other targets are in range of it)? Or does it get to make all 3 attacks before it is blasted away from me?

## tracking in odi the package which uses a given mapping

I am trying to find the whole lineage and loading process of a certain table column. To begin with i am locating the mapping used to populate the column. To do this i use:

select     m.name mapping_name,     mr.qualified_name,     mc.name datastore_alias,     t.table_name target_table,     mdl.cod_mod model_code from snp_mapping m inner join snp_map_comp mc on m.i_mapping = mc.i_owner_mapping     inner join snp_map_cp cp on mc.i_map_comp = cp.i_owner_map_comp     inner join snp_map_ref mr on mc.i_map_ref = mr.i_map_ref     inner join snp_table t on mr.i_ref_id = t.i_table     inner join snp_model mdl on t.i_mod = mdl.i_mod where cp.direction = 'O' and --output connection point     cp.i_map_cp not in         (select i_start_map_cp from snp_map_conn) --not a starting connection point; 

which works very nice. (Thread found here : https://stackoverflow.com/questions/60566000/odi-column-lineage-query/60566807#60566807).

Now i need to find the package which uses this mapping, so that i will be able to investigate the whole loading process. So the question is: is there a query which can return the packages that use the mapping defined?. I did find an SNP_PACKAGES table but i am not sure if i can get anything from there.

## What happens if a Divination wizard uses the Portent feature to replace an enemy’s initiative roll, when the DM rolls once for a group of enemies?

Say 4 goblins ambush a level 2 party, everyone is surprised but the Wizard decides to use his Portent feature to influence the initiative roll of the enemy. One of his portents is a natural 1, and he uses that die to replace the initiative roll.

Do all 4 of the goblins’ initiative change to 1 or does just one goblin change?

Here’s what I got from a reading of the PHB:

PHB 189

## Initiative

… When combat starts, every participant makes a Dexterity Check to determine their place in the initiative order. The DM makes one roll for an entire group of identical creatures, so each member of the group acts at the same time…

Emphasis mine. Reading the bolded text, it seems that in cases of identical creatures, Portent can effectively cripple the entire initiative of the opposing team.

However, when you read the first sentence, it seems that the entire group shouldn’t be crippled by a single portent roll as each creature should be rolling separately and the bolded text really just says, “hey, don’t waste your time on rolling for each goblin. Just roll once and they all go together.”

A big factor of my hesitance to rule on the side of the first interpretation, is that it seems too overpowered for a 2nd-level feature.

So which is which? Am I missing something?

## Can my Dragonborn gain more breath weapon uses per short rest?

Even though the Player’s Handbook says a dragonborn only gets one breath weapon per short rest, is there any way outside of rule 0 for a dragonborn to gain multiple uses per short rest, like by using a spell or magic item?

## Uses of Immovable Object, Does it Allow me to Make a Impenetrable Shield? [closed]

Looking at Immovable Object, doesn’t it seem like I can cast it on something like an umbrella, I’d be able to put it in front of me, and nothing would be able to penetrate it, essentially giving me full cover. In order for it to be penetrated, it requires something to pierce it, or in other words, move the pieces of the umbrella apart. Am I reading this wrong?

EGW p187 2nd-level transmutation Casting Time: 1 action Range: Touch Components: V, S, M (gold dust worth at least 25 gp, which the spell consumes) Duration: 1 hour You touch an object that weighs no more than 10 pounds and cause it to become magically fixed in place. You and the creatures you designate when you cast this spell can move the object normally. You can also set a password that, when spoken within 5 feet of the object, suppresses this spell for 1 minute.  If the object is fixed in the air, it can hold up to 4,000 pounds of weight. More weight causes the object to fall. Otherwise, a creature can use an action to make a Strength check against your spell save DC. On a success, the creature can move the object up to 10 feet.  At Higher Levels. If you cast this spell using a spell slot of 4th or 5th level, the DC to move the object increases by 5, it can carry up to 8,000 pounds of weight, and the duration increases to 24 hours. If you cast this spell using a spell slot of 6th level or higher, the DC to move the object increases by 10, it can carry up to 20,000 pounds of weight, and the effect is permanent until dispelled.$$$$ `

## Name for a Ceasar Cipher that uses random offsets?

In a traditional Ceasar Cipher you pick a specific offset such as “plus three” so that to encrypt each character of a message you count three letters up from the input and to decrypt you count three letters down from the input. For example, “APPLE” would become “DSSOH” where D is A+3, S is P+3, and so on.

I saw a variant of this where the key is used as the seed of a random number generator instead of a constant offset, and those random offsets are then used to encode the message. This has the advantage that the same input characters are not mapped to the same output characters. For example my RNG might generate a sequence of 3 7 5 0 2, so then “APPLE” would become “DWULG” where D is A+3, W is P+7, U is P+5, etc.

Since the random number generator is deterministic, you can re-seed the RNG with the original key and generate the same random sequence to decode.

Is there a specific name for this type of cipher?

## How does “uses” and “duration” apply to Wonder Woman’s bracers and Superman’s suit in DC Heroes?

In DC Heroes (first edition, 1985), Wonder Woman (Gamemaster’s Manual, page 80) has, under equipment, her “Bracers” with “Uses 10: Duration: 15″. Superman (page 79) has his “Super Uniform” with “Uses: 4, Duration: 26”.

I see a description of uses and durations for buildings (page 29), vehicles (page 32), and weapons (page 33), but I don’t grok how that applies to bracers or the suit.

From the description of buildings and weapons, this would seem to mean that Wonder Woman can use her bracers for up to 10 days (10 uses, and duration 15 is 1 day), after which maintenance is required? Superman can use his suit for up to thirty-two years (4 uses, and duration 26 is 8 years), after which maintenance is required?

The note about duration on page 28 for “ordinary gadgets” implies the the uses must be tracked when in actual use—that is, Wonder Woman would only count the few seconds of combat time per day that she uses her bracers. But the note about duration on page 25 describes uses as “the number of times the gadget can be used” and describes duration in terms of “gadgets that mimic Attributes and Automatic Actions (like Running, Flight, Swimming) or “gadgets that mimic Standard Actions (like Starbolt, Bio-Blast, etc,).

Because Force Shields (Wonder Woman’s bracers) are “Type: Automatic”, does this mean the player tracks the actual combat time that the bracers are in use? Seems like they would last forever. Skin Armor (Superman’s suit) are also automatic (and the suit’s Body is an attribute), so the player technically would track the amount of use the suit gets?

In both cases, it seems as though tracking is unnecessary unless there’s some sort of time travel involved, as, especially in the case of Superman’s suit the time used will never in normal game time reach the uses times the duration.

The section on armor in the Player’s Manual, page 24, does not mention use or duration.

How does uses and duration affect Wonder Woman’s use of her bracers, or Superman’s use of his suit?

## Is it possible to extract a certificate that an application uses to connect to an API server?

There’s an API server that only allows connections including specific SSL certificates. Talking about an Android application that has those certificates.

Using Fiddler without SSL descryption as a proxy between the app and the server, I can see the request being accepted by the server. Now how can I extract that certificate and use it to send requests to the API. Is it possible with Fiddler, or other tools are needed, like Wireshark?

I have tried Wireshark and exported Certificates, but using them with Fiddler, still doesn’t let me connect to the server.

Also, is this called SSL pinning from server side?

## Which uses of Bonus-Action spellcasting are legal?

Looking at other questions about casting spells as a bonus action has left me trying to keep a lot of information in my head about whether a given combination of spells is legal according to the official 5th edition spellcasting rules.

So I’d like to consolidate all these rules into a single easily accessible table, containing all the possible combinations of spells that could possibly be cast in a single turn, and hopefully create an easy reference for future use. But I’m not certain about how some of these combinations should be treated.

Based on the second question I linked, the ordering doesn’t matter, so I’ve simplified the chart to ignore order of these actions, and only focus on what actions are being taken. But if I’m mistaken (i.e. the answer provided to that question was wrong) then this table will need adjusting.

$$\begin{array}{|l|l|l|l|} \hline \text{Action} & \text{Bonus Action} & \text{Action Surge} & \text{LEGAL?} \ \hline \text{Non-Cantrip} & & & \text{Yes} \ \hline \text{Cantrip} & & & \text{Yes} \ \hline & \text{Non-Cantrip} & & \text{Yes} \ \hline & \text{Cantrip} & & \text{Yes} \ \hline \text{Non-Cantrip} & \text{Cantrip} & & \text{No} \ \hline \text{Cantrip} & \text{Non-Cantrip} & & \text{Yes} \ \hline \text{Non-Cantrip} & \text{Non-Cantrip} & & \text{No} \ \hline \text{Cantrip} & \text{Cantrip} & & \text{Yes} \ \hline \text{Non-Cantrip} & & \text{Cantrip} & \text{Yes} \ \hline \text{Non-Cantrip} & & \text{Non-Cantrip} & \text{?Yes?} \ \hline \text{Cantrip} & & \text{Non-Cantrip} & \text{?Yes?} \ \hline \text{Cantrip} & & \text{Cantrip} & \text{Yes} \ \hline \text{Cantrip} & \text{Non-Cantrip} & \text{Non-Cantrip} & \text{?No?} \ \hline \text{Non-Cantrip} & \text{Cantrip} & \text{Non-Cantrip} & \text{?No?} \ \hline \text{Non-Cantrip} & \text{Non-Cantrip} & \text{Non-Cantrip} & \text{?No?} \ \hline \text{Non-Cantrip} & \text{Non-Cantrip} & \text{Cantrip} & \text{?No?} \ \hline \text{Cantrip} & \text{Non-Cantrip} & \text{Cantrip} & \text{?Yes?} \ \hline \text{Non-Cantrip} & \text{Cantrip} & \text{Cantrip} & \text{?No?} \ \hline \text{Cantrip} & \text{Cantrip} & \text{Non-Cantrip} & \text{?No?} \ \hline \text{Cantrip} & \text{Cantrip} & \text{Cantrip} & \text{Yes} \ \hline \end{array}$$

### Is this table (Column 4 in particular) correct?

The core issue for me is that it’s not clear to me how Action Surges interact with the spellcasting rules, hence the question marks listed there. It seems like an Action Surge might permit 2 leveled spells to be cast in a turn, unless a Bonus Action is used to cast a spell, in which case this is no longer permitted. If this is correct, then my table above should be correct, minus the question marks. But I need that validated.