How does one track/incorporate errata in relation to printed rulebooks without having to memorize, or constantly check against, the errata?

I bought myself a shiny new rulebook for a relatively new system and, of course, there’s already a full document of errata!

In order to make this easier for myself, I sat down with a pen and sticky notes to mark places in the book that have been errata’d. I found that the pen tended to smudge, and don’t want to wait for each individual sticky note to dry as I make my way through the document.

Is there a good way to point to errata from within a rulebook, without risk of damage? I’m essentially looking for a method that:

  • Incorporates short errata directly into the book
  • Summarizes longer errata to incorporate directly into the book
  • Marks places where the errata document needs to be referenced
  • Does so in a legible, or easily intelligible, manner
  • Does all of this with minimal damage to the book itself and does not diminish the book's longevity. (Smudging, page wear, stickers that begin to peel, &c.)

Relevant Meta: I want to ask about methods of incorporating errata into a rulebook, but I'm not sure of its subjectivity

Password checking resistant to GPU attacks and leaked password files without introducing a DoS attack on the server?

In very old times, passwords were stored in clear text. This made it trivial for an attacker to log in if he had access to a leaked password file.

Later, passwords were hashed once and the hashed value stored. If the attacker had a leaked password file he could try hashing guesses and, if a hash value matched, use that guess to log in.

Then passwords were salted and hashed thousands of times on the server, and the salt and the resulting hash value were stored. If the attacker had a leaked password file he could use specialized ASICs to hash guesses and, if a guess matched, use that password to log in.

Can we do better than that?

Can we make password guessing of an attacker so hard that even if he has the hashed password file, he will not get a major advantage over testing the passwords against the server – even if he has specialized ASICs?
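As an added illustration of the "salted and hashed thousands of times" scheme the question describes, and of one common way to go a step further, here is a small Python verifier that is not part of the original post. It combines PBKDF2 with a server-held secret key (a "pepper") that is never stored next to the password table: with only the leaked records, an attacker cannot check even one guess offline, so guessing collapses back to talking to the server. The pepper value, iteration count and record format are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed server-side secret ("pepper"). In a real deployment it lives in an
# HSM or a secrets manager, never in the same database as the password records.
PEPPER = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Kept modest so the example runs quickly; production values should be tuned
# to the server's CPU budget.
ITERATIONS = 200_000


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$tag (all hex)."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt defeats precomputed tables
    # Slow, salted derivation: the "hashed thousands of times" step.
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations)
    # Keyed step: without the pepper the derived value cannot be checked
    # against the stored tag, so a leaked table alone gives no offline oracle.
    tag = hmac.new(pepper, derived, hashlib.sha256).digest()
    return f"pbkdf2_sha256${iterations}${salt.hex()}${tag.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the tag for the candidate password and compare in constant time."""
    try:
        algo, iters, salt_hex, tag_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(tag_hex)
    except ValueError:
        return False  # malformed record
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations)
    tag = hmac.new(pepper, derived, hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Tr0ub4dor&3", rec))                   # False
```

The record stays verifiable after the iteration count is raised for new users, because each record carries its own parameters; rotating the pepper, however, requires re-hashing at next login, since the stored tag cannot be recomputed without the password.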

Running MalwareBytes & Spybot without Defender stepping aside

For years, I had Microsoft Security Essentials on Windows 7, and I installed MalwareBytes and Spybot Search & Destroy. I deactivated real time components of the non-native antimalware products. On the odd occasion in which I needed to execute a downloaded file (e.g., to install something), I would update all 3 databases and scan the file.

I just bought a Windows 10 computer because Windows 7 is no longer supported. I want the native Windows Defender to be the main antimalware. Web searching confirms that I should de-activate real time components of non-native antimalware. But it also reveals that Defender steps aside if another antimalware program is detected.

Does that mean it is not sufficient to simply turn off non-native real time components?

How would I make Defender to be the main antimalware, with MalwareBytes and Spybot only for on-demand scans of selected files or file trees?

Bitlocker without PIN

In simple words: Does Bitlocker (without PIN) transform the normal “Windows User login” into something secure?

So if you activate Bitlocker (without a pin before booting) you are forced to use the original unaltered Windows installation to retrieve the key from the TPM Module. Meaning, if you try to start the computer with e.g. a Linux USB-Livestick you cannot access the hard disks.

Is this correct?

OAuth native app without localhost redirect

Section 4.1 of RFC 8252 describes the OAuth authorization flow for native apps using the browser (i.e., external user-agent). In this flow, the native app receives the authorization code in step 4 by setting the redirect URI to the loopback IP. This, of course, requires the native app to open a port on the loopback interface and subjects us to attacks where other apps could get the authorization code (unless we use something like PKCE).

Our system is a client-server model where the clients are various custom command line tools with no real user interface. In our deployments, we can’t always guarantee that we will be able to open a port on the loopback (and we’d like to avoid the added security concerns that PKCE addresses). We would like to tweak the flow for our use case but want to make sure we aren’t leaving the door open for security issues. Here is the flow we’d like to use:

  1. Command line tool initiates intent to perform OAuth flow to Application Server.
  2. Application Server generates a random in progress session token and a separate random OAuth flow state value
  3. Application Server stores both values in the database together
  4. Application Server returns both values to the Command line tool
  5. Command line tool launches the external user-agent (e.g., browser) and starts the authentication process against the Authorization Server using the OAuth state value provided by the Application Server
  6. User authenticates
  7. Authorization Server redirects to the Application Server along with the state value
  8. Application Server retrieves authorization code and stores it in the database along with the in progress session token and OAuth state value
  9. Command line tool submits the in progress session token to the application server
  10. Application server retrieves the authorization code from the database and treats it as if the command line tool provided it

Outside of the potential for DoS abuse on submitting lots of OAuth initiations and the potential for the command line tool to initiate step 9 before the application server has completed step 8, are there other security issues to be concerned with?
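The following Python model of the Application Server side of steps 2 through 10 is an added example, not code from the original post or from any real project. It keeps the in-progress session token, the OAuth state value and the authorization code in an in-memory dictionary standing in for the database, and shows the two checks a practitioner would want in this flow: the callback in step 8 is accepted only for a state value the server itself issued and has not yet consumed, and step 9 returns a distinct "pending" status when it arrives before step 8 so the command line tool can retry rather than fail. The session token is single-use and expires after a fixed TTL; the token sizes, TTL and status names are assumptions of this example.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class ApplicationServer:
    """In-memory stand-in for the Application Server's database (constructed example)."""

    def __init__(self, ttl_seconds: float = 300.0,
                 now: Callable[[], float] = time.monotonic) -> None:
        self._by_state: Dict[str, dict] = {}
        self._by_session: Dict[str, dict] = {}
        self._ttl = ttl_seconds
        self._now = now

    # Steps 2-4: mint two independent random values and store them together.
    def initiate(self) -> Tuple[str, str]:
        session_token = secrets.token_urlsafe(32)
        state = secrets.token_urlsafe(32)
        entry = {"state": state, "session": session_token, "code": None,
                 "created": self._now()}
        self._by_state[state] = entry
        self._by_session[session_token] = entry
        return session_token, state

    # Step 8: the Authorization Server's redirect lands here with state + code.
    def callback(self, state: str, code: str) -> bool:
        entry = self._by_state.get(state)
        if entry is None or self._expired(entry):
            return False  # unknown or stale state: never issued by us, or too old
        if entry["code"] is not None:
            return False  # state already consumed: a replayed redirect
        entry["code"] = code
        return True

    # Steps 9-10: the command line tool presents its session token.
    def redeem(self, session_token: str) -> Tuple[str, Optional[str]]:
        entry = self._by_session.get(session_token)
        if entry is None:
            return ("unknown", None)
        if self._expired(entry):
            self._forget(entry)
            return ("expired", None)
        if entry["code"] is None:
            return ("pending", None)  # step 9 arrived before step 8: retry later
        self._forget(entry)  # single use: the code can be fetched exactly once
        return ("ok", entry["code"])

    def _expired(self, entry: dict) -> bool:
        return self._now() - entry["created"] > self._ttl

    def _forget(self, entry: dict) -> None:
        self._by_session.pop(entry["session"], None)
        self._by_state.pop(entry["state"], None)


def run_flow(server: ApplicationServer, code_from_as: str = "CONSTRUCTED-CODE",
             retries: int = 3) -> Optional[str]:
    """Drive the flow from the command line tool's point of view (constructed)."""
    session_token, state = server.initiate()          # steps 1-4
    # Step 5-7 happen in the user's browser; here we just deliver the redirect.
    assert server.callback(state, code_from_as)       # step 8
    for _ in range(retries):                          # step 9, with retry
        status, code = server.redeem(session_token)   # step 10
        if status == "ok":
            return code
        if status != "pending":
            return None
    return None


if __name__ == "__main__":
    print(run_flow(ApplicationServer()))  # CONSTRUCTED-CODE
```

Because the code is redeemed by the Application Server over the server-to-server channel rather than by the command line tool, the session token becomes the secret that stands in for the loopback redirect; it should be treated with the same care as the code itself (TLS only, never logged, deleted on first use).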

How to allow single quote with esc_html__() without sprintf()

For security reasons we are of course required to use esc_html__() for WP development. This is annoying because if you’d want to pass a single quote into your strings, you’d have to use sprintf() to make it work. Otherwise you just get &#039; printed out, instead of a '.

Without using sprintf():

esc_html__( 'Wasn\'t your favorite color red?', 'domain' ); // Output: Wasn&#039;t your favorite color red?
esc_html__( 'Provided reason isn\'t selected', 'domain' ); // Output: Provided reason isn&#039;t selected

With the use of sprintf() I can get single quotes to work (of course).

sprintf( esc_html__( 'Wasn%st your favorite color red?', 'domain' ), '\'' ); // Output: Wasn't your favorite color red?
sprintf( esc_html__( 'Provided reason isn%st selected', 'domain' ), '\'' ); // Output: Provided reason isn't selected

I’d like to know if there is a different way to achieve the same output. I am afraid there is none, but I thought why not give it a shot, who knows.

Is there any way to improve ability score without items, only with spells or class features?

I found a few, but they are all bad, like True Polymorph to improve ability scores (but I lose class features). Does someone know any way to improve ability scores without losing class features, and without using magical items, only spells and class shenanigans? Temporary and permanent increases are welcome. My objective is to improve warlock damage from Lifedrinker.

Accidentally let party wander into a high level situation, how do I help them get out without cheesing?

TL;DR – due to poor planning on my part in my sandbox-esque game, a party of four Level 5s (fighter, warlock, non-healer bard, wizard) is about to wander into a high level situation and I’d like them to not die while still letting them accomplish something.

Here’s the situation.

The party recently emerged from the Feywild to find that two months had passed on the outside. They ended up near the capital city. Okay, cool. I prepare some rumors they can dig up so they can help find out what they missed. One character in particular has a lot of backstory in the capital, so we hashed out some of the relevant NPCs.

In an attempt to set up and highlight how tensions are escalating in the kingdom with the threat of war on the horizon, as well as to set up an NPC Big Bad later, I let them find out that some people around the capital have been “disappearing” on order of the Queen’s Spymaster because they were suspected of being spies for the enemy empire. The Queen herself has been rumored to be ill and has definitely become hard to get a hold of. One of the NPCs who disappeared was one of a character’s school friends, who we’d hashed out the existence of between sessions.

Now, these disappearances were all on trumped up charges. The character who’d spent the most time in the capital actually is a spy for the enemy empire and would know this. She was adamant – and correctly so – that her friend was innocent.

What I expected to happen – and this is on me – was that they’d hear that the second most powerful person in the kingdom had a direct hand in these events and get out of town. The entire group is Level 5. I expected this entire setup to be set dressing for stuff they’d deal with later. It’s not like they don’t have a lot of side quests and leads to chase down elsewhere.

Instead, they resolved to do whatever they could to rescue this girl and get to the bottom of the situation.

Here’s what I know that they have no feasible way to find out at this point:

  • The Queen’s Spymaster has defected – she’s orchestrating events to deliberately try and undercut faith in the government as well as generally sow chaos
  • She’s not operating in the good faith the group assumes she is. This is not an innocent mistake or paranoia they can assuage.
  • The Queen’s Spymaster is actually one of the six heroes of long ago legend and is thus a Level 15 assassin living in secret.
  • The Queen herself is not even in the city at this time, and (as a high level sorcerer) she’s left a simulacrum in her place to help allay suspicion.
  • The group has rolled really badly on Perception checks to see if they’re being tailed and they are, in fact, being intermittently tailed.

I don’t want to punish them for jumping in to this plot with both feet. I don’t want to stonewall them from finding this missing girl since they’re super invested in doing so, and they know she’s still in the city.

How can I help arrange things so they have a chance of succeeding while still putting them in a reasonable amount of danger?

How closely can I copy a game without getting in trouble? [duplicate]


I’m making a clone game of Zelda, my favorite franchise, and am wondering if what I’m doing will still earn me a cease order.

Obviously I’m not using any of the names from the original series, and my game allows character creation with clothing that will allow you to look slightly like Link if you unlock it, with the skin name being something like “Woodland warrior shirt/hat/boots”.

I’m also copying the UI for Link's Awakening pretty closely, and the way dungeons look is about the same.

However, I’m making all my own textures/assets from scratch.

Will I be allowed to release this game, with the title “Legend of Dungeons …”?

Main concerns are: similar UI, Font, Some skins resemble characters slightly, and textures, even though they’re all made by my hand?

Proving a pattern exist in a string without revealing where

Some time ago I read the following problem (I don’t remember the article I read it in):

“Suppose you are given a picture where the goal is to find Waldo (from the game Where's Waldo). You search for a bit and don’t find him, so you become suspicious of the fact that Waldo actually is in the picture. How can one prove to you that Waldo indeed is, without revealing where? Well, one can just take a very big sheet of paper, bore a hole inside it and place this sheet of paper on top of your picture so that Waldo’s head appears inside the hole.”

My question is: how could one transfer this idea to a mathematical concept? One idea would be something along the lines of:

  • Let L be some language in complexity class C

  • Given $a_1, a_2, \dots, a_n$, can one prove to you that there is an $i$ for which $a_i \in L$ without revealing which $i$ it is?

However, this falls short as it stands right now, because one can just feed the same input $a$ $n$ times for which one wishes to know membership in L. So we either need to consider a specific complexity class C for which the problem becomes interesting, or loosen the condition of “non-disclosure”, and it doesn’t seem that obvious. Or we could just change paradigm; my question is just how to convert the Waldo idea to a computational model. I suspect the approach I gave isn’t the right one.