Feed aggregator

OSR Commentary - Adapting Judges Guild's The F'dech Fo's Tomb adventure by Scott Fulton For Old School Campaigns

Swords & Stitchery - Wed, 11/21/2018 - 19:56

"The Prophet said that the great Druid F'dech Fo would rise again to wreak vengeance and destruction on the people! You must find him; you must destroy him; you must end the curse! This product contains multiple adventures, new creatures, a castle, and a completely described barbarian village!" So over the last seventy two hours I've pulled out an old Judges Guild adventure &
Categories: Tabletop Gaming Blogs

Spoofed addresses and anonymous sending: new Gmail bugs make for easy pickings

Malwarebytes - Wed, 11/21/2018 - 17:53

Tim Cotten, a software developer from Washington, DC, was responding to a request for help from a female colleague last week, who believed that her Gmail account had been hacked, when he discovered something phishy. The evidence presented was several emails in her Sent folder, purportedly sent by her to herself.

Cotten was stunned when, upon initial diagnosis, he found that those sent emails didn’t come from her account but from another, which Gmail—being the organized email service that it is—only filed away in her Sent folder. Why would it do that if the email wasn’t from her? It seems that while Google’s filtering and organizing technology worked perfectly, something went wrong when Gmail tried to process the emails’ From fields.

This trick is a treat for phishers

Cotten noted in a blog post that the From header of the emails in his coworker’s Sent folder contained (1) the recipient’s email address and (2) another text—usually a name, possibly for increased believability. The presence of the recipient’s address caused Gmail to move the email to the Sent folder while also disregarding the email address of the actual sender.

Weird “From” header. Screenshot by Tim Cotten, emphasis (in purple) ours.

Why would a cybercriminal craft an email that never ends up in a victim’s inbox? This tactic is particularly useful for a phishing campaign that banks on the recipient’s confusion.

“Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links. A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!” wrote Cotten.

Cotten provided a demo for Bleeping Computer wherein he showed a potentially malicious sender spoofing the From field by displaying a different name to the recipient. This may yield a high turnover of victims if used in a business email compromise (BEC)/CEO fraud campaign, they noted.

After raising an alert about this bug, Cotten unknowingly opened the floodgates for other security researchers to come forward with their discovered Gmail bugs. Eli Grey, for example, shared the discovery of a bug in 2017 that allowed for email spoofing, which has been fixed in the web version of Gmail but remains a flaw in the Android version. One forum commenter claimed that the iOS Mail app also suffers from the same glitch.

Another one stirs the dust

Days after publicly revealing the Gmail bug, Cotten discovered another flaw wherein malicious actors can potentially hide sender details in the From header by forcing Gmail to display a completely blank field.

Who’s the sender? Screenshot by Tim Cotten, emphasis (in purple) ours.

He pulled this off by replacing a portion of his test case with a long and arbitrary code string, as you can see below:

The string. Screenshot from Tim Cotten, emphasis (in purple) ours.

Average Gmail users may struggle to reveal the true sender because clicking the Reply button and the “Show original” option still yields a blank field.

The sender with no name. Screenshot by Tim Cotten, emphasis (in purple) ours.

There’s nothing there! Screenshot by Tim Cotten, emphasis (in purple) ours.

Missing sender details could potentially increase the possibility of users opening a malicious email to click an embedded link or open an attachment, especially if it contains a subject that is both actionable and urgent.
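As an added example (not Tim Cotten's code or anything from Google), the following Python triage function parses a From header the way a mail filter might and flags the two display problems described above: an email address (possibly the recipient's own) hidden inside the free-form display-name text, and a From value from which no usable sender address can be recovered at all. All addresses and domains in it are constructed samples.

```python
"""Triage a raw From: header value and report what a client should show.

Added example, not code from the article. Addresses are constructed.
"""
import re
from email.utils import parseaddr

# Anything that looks like an addr-spec, inside free-form display-name text
# or standing alone.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def triage_from_header(raw_from: str, mailbox_owner: str) -> dict:
    """Return the real sender plus warning flags for one From: header value.

    mailbox_owner is the address of the account receiving the message.
    """
    # RFC 5322 parse: (display-name, addr-spec). Quoted display names are
    # unwrapped, so text inside the quotes is returned verbatim.
    name, addr = parseaddr(raw_from)
    flags = []

    if not addr or not ADDR_RE.fullmatch(addr):
        # No usable addr-spec: a client must not render an empty sender box.
        flags.append("unparseable-sender")
        return {"sender": None, "display_name": name, "flags": flags}

    # Display-name text is free-form. An address written there is NOT the
    # sender, but it is what a client that trusts the display name will show.
    embedded = {a.lower() for a in ADDR_RE.findall(name)} - {addr.lower()}
    if embedded:
        flags.append("address-in-display-name")
        if mailbox_owner.lower() in embedded:
            # The header claims the recipient wrote this message: the case
            # in which Gmail filed someone else's mail into the Sent folder.
            flags.append("display-name-claims-recipient")

    # A non-empty display name with no letters or digits gives the reader
    # nothing to judge the sender by.
    if name and not re.search(r"[A-Za-z0-9]", name):
        flags.append("unreadable-display-name")

    return {"sender": addr, "display_name": name, "flags": flags}


# Constructed samples (hypothetical domains, not from the article).
OWNER = "alice@example.com"
SAMPLES = {
    "legit": "Bob Example <bob@example.org>",
    "recipient_in_name": '"alice@example.com" <mallory@attacker.example>',
    "other_addr_in_name": '"Bob Example <bob@example.org>" <mallory@attacker.example>',
    "junk_name": '"****" <mallory@attacker.example>',
    "no_sender": "???",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:20} -> {triage_from_header(header, OWNER)}")
```

The real sender is always the addr-spec in angle brackets; everything a filter or client shows to the user should be derived from that, never from the display name alone.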

When met with silence

The Gmail vulnerabilities mentioned in this post are all related to user experience (UX), and as of this writing, Google has yet to address them. (Cotten has proposed a possible solution for the tech juggernaut.) Unfortunately, Gmail users can only wait for the fixes.

Spotting phishing attempts or spoofed emails can be tricky, especially when cybercriminals are able to penetrate trusted sources, but a little vigilance can go a long, long way.

The post Spoofed addresses and anonymous sending: new Gmail bugs make for easy pickings appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Are Deepfakes coming to a scam near you?

Malwarebytes - Wed, 11/21/2018 - 16:00

Your boss contacts you over Skype. You see her face and hear her voice, asking you to transfer a considerable amount of money to a firm you’ve never ever heard of. Would you ask for written confirmation of her orders? Or would you simply follow through on her instructions?

I would certainly be taken aback by such a request, but then again, this is not anywhere near a normal transaction for me and my boss. But, given the success rate of CEO fraud (which was a lot less convincing), threat actors would need only find the right person to contact to be able to successfully fool employees into sending the money.

Imagine the success rate of CEO fraud where the scam artists would be able to actually replicate your boss’ face and voice in such a Skype call. Using Deepfake techniques, they may reach that level in a not too distant future.

What is Deepfake?

The word “Deepfake” was created by mashing “deep learning” and “fake” together. It is a method of creating human images based on artificial intelligence (AI). Simply put, creators feed a computer data consisting of a lot of facial expressions of a person and find someone who can imitate that person’s voice. The AI algorithm is then able to match the mouth and face to synchronize with the spoken words. All this would result in a near perfect “lip sync” with the matching face and voice.

Compared against the old Photoshop techniques to create fake evidence, this would qualify as “videoshop 3.0.”

Where did it come from?

The first commotion about this technique arose when a Reddit user by the handle DeepFakes posted explicit videos of celebrities that looked realistic. He generated these videos by replacing the original pornographic actors’ faces with those of the celebrities. By using deep learning, these “face swaps” were near to impossible to detect.

DeepFakes posted the code he used to create these videos on GitHub and soon enough, a lot of people were learning how to create their own videos, finding new use cases as they went along. Forums about Deepfakes were immensely popular, which was immediately capitalized upon by coinminers. And at some point, a user-friendly version of Deepfake technology was bundled with a cryptominer.

The technology

Deepfake effects are achieved by using a deep learning technology called an autoencoder. Input is compressed, or encoded, into a small representation. These representations can then be used to reproduce the original input so that it matches previous images in the same context (here, video). Creators need enough relevant data to achieve this, though. To create a Deepfake image, the producer reproduces face B while using face A as input. So, while the owner of face A is talking on the caller side of the Skype call, the receiver sees face B making the movements. The receiver will observe the call as if B were the one doing the talking.

The more pictures of the targeted person we can feed the algorithm, the more realistic the facial expressions of the imitation can become.

Given that an AI already exists which can be trained to mimic a voice after listening to it for about a minute, it doesn’t look as if it will take long before the voice impersonator can be replaced with another routine that repeats the caller’s sentences in a reasonable imitation of the voice that the receiver associates with the face on the screen.

Abuse cases

As mentioned earlier, the technology was first used to replace actors in pornographic movies with celebrities. We have also seen some examples of how this technology could be used to create “deep fake news.”

So, how long will it take scammers to get the hang of this to create elaborate hoaxes, fake promotional material, and conduct realistic fraud?

Hoaxes and other fake news are damaging enough as they are in the current state of affairs. By nature, people are inclined to believe what they see. If they can see it “on video” with their own eyes, why would they doubt it?

You may find the story about the “War of the Worlds” broadcast and the ensuing panic funny, but I’m pretty sure the more than a million people that were struck with panic would not agree with you. And that was just a radio broadcast. Imagine something similar with “live footage” and using the faces and voices of your favorite news anchors (or, better said, convincing imitations thereof). Imagine if threat actors could spoof a terrorist attack or mass shooting. There are many more nefarious possibilities.


The Defense Advanced Research Projects Agency (DARPA) is aware of the dangers that Deepfakes can pose.

“While many manipulations are benign, performed for fun or for artistic value, others are for adversarial purposes, such as propaganda or misinformation campaigns.

This manipulation of visual media is enabled by the wide-scale availability of sophisticated image and video editing applications, as well as automated manipulation algorithms that permit editing in ways that are very difficult to detect either visually or with current image analysis and visual media forensics tools. The forensic tools used today lack robustness and scalability, and address only some aspects of media authentication; an end-to-end platform to perform a complete and automated forensic analysis does not exist.”

DARPA has launched the MediFor program to stimulate researchers to develop technology that can detect manipulations and even provide information about how the manipulations were done.

One of the signs that researchers now look for when trying to uncover a doctored video is how often the person in the video blinks his eyes. Where a normal person would blink every few seconds, a Deepfake imitation might not do it at all, or not often enough to be convincing. One of the reasons for this effect is that pictures of people with their eyes closed don’t get published that much, so they would have to use actual video footage as input to get the blinking frequency right.
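The blink-frequency sign described above, turned into a simple check as an added example (not DARPA's or any MediFor tool's code): per-frame eye-openness scores, of the kind a facial-landmark detector produces, are scanned for closures lasting at least a couple of frames, and a clip whose blink rate falls well below a resting human's is flagged. The frame rate, the thresholds and the synthetic clips are constructed assumptions, not measured values.

```python
"""Blink-rate heuristic for spotting clips that never blink.

Added example, not a published detector. All thresholds are assumptions.
"""
from typing import Optional, Sequence

FPS = 30                 # assumed frame rate of the constructed clips
CLOSED_BELOW = 0.2       # openness score below which the eye counts as closed
MIN_BLINK_FRAMES = 2     # a real blink spans several frames; one-frame dips are noise
MIN_BLINKS_PER_MIN = 8   # assumed lower bound for a resting human


def count_blinks(openness: Sequence[float]) -> int:
    """Count closed runs of at least MIN_BLINK_FRAMES consecutive frames."""
    blinks = 0
    run = 0
    for score in openness:
        if score < CLOSED_BELOW:
            run += 1
        else:
            if run >= MIN_BLINK_FRAMES:
                blinks += 1
            run = 0
    if run >= MIN_BLINK_FRAMES:   # clip may end mid-blink
        blinks += 1
    return blinks


def blink_rate_per_minute(openness: Sequence[float], fps: int = FPS) -> float:
    """Blinks per minute over the whole clip (0.0 for an empty clip)."""
    if not openness:
        return 0.0
    seconds = len(openness) / fps
    return count_blinks(openness) * 60.0 / seconds


def looks_blink_starved(openness: Sequence[float], fps: int = FPS) -> bool:
    """True when the clip blinks far less often than a person at rest would."""
    return blink_rate_per_minute(openness, fps) < MIN_BLINKS_PER_MIN


def synth_clip(seconds: int, blink_every_s: Optional[float], fps: int = FPS) -> list:
    """Constructed openness series: eyes open, with a 3-frame closure every
    blink_every_s seconds (None = the subject never blinks)."""
    frames = [1.0] * (seconds * fps)
    if blink_every_s:
        step = int(blink_every_s * fps)
        for start in range(step, len(frames), step):
            for i in range(start, min(start + 3, len(frames))):
                frames[i] = 0.05
    return frames


if __name__ == "__main__":
    human = synth_clip(60, 4)      # blinks every four seconds
    no_blink = synth_clip(60, None)
    for label, clip in (("human-like", human), ("never blinks", no_blink)):
        print(f"{label:13} {blink_rate_per_minute(clip):5.1f} blinks/min "
              f"suspicious={looks_blink_starved(clip)}")
```

A real pipeline would feed this the per-frame output of a landmark detector; the page's point is that the rate, not any single frame, is what gives a synthetic clip away.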

As technology advances, we will undoubtedly see improvements on both the imitating and the defensive sides. What already seems to be evident is that it will take more than the trained eye to recognize Deepfake videos—we’ll need machine learning algorithms to adapt.

Anti-video fraud

With the exceptional speed of developments in the Deepfakes field, it seems likely that you will see a hoax or scam using this method in the near future. Maybe we will even start using specialized anti-video fraud software at some point, in the same way as we have become accustomed to the use of anti-spam and anti-malware protection.

Stay safe and be vigilant!

The post Are Deepfakes coming to a scam near you? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Moogly CAL 2018 – Afghan Block #23

Moogly - Wed, 11/21/2018 - 16:00

Moogly CAL 2018 Block 23 is coming to you one day “early” due to American Thanksgiving – and it’s a square to be grateful for! So a big thanks to Kirsten Holloway Designs for contributing the gorgeous Magnolia Square – and Happy Thanksgiving! Disclaimer: This post includes affiliate links; materials provided by Red Heart Yarns, [...]

The post Moogly CAL 2018 – Afghan Block #23 appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Cryptozoic and Igrology Announce Release of Cult: Choose Your God Wisely

Cryptozoic - Wed, 11/21/2018 - 14:00

Cryptozoic Entertainment and Igrology today announced the November 28 release of Cult: Choose Your God Wisely. This 2-5 player board game is a worker/Priest placement game with a unique take on in-game currency: Followers. Players choose Gods and send their Priests to places in the Eternal City in an attempt to bring their deity victory over the minds and souls of humanity. Followers are gained and sacrificed and Altars are built to the different Gods as they clash in this new take on the genre.

Categories: Tabletop Gaming Blogs

D.A.M.N. Magazine – Spring/Summer 2018 – Demon Serpent of Balmosphos

Ten Foot Pole - Wed, 11/21/2018 - 12:24

The Demon Serpent of Balmorphos, daniel j bishop
Daniel J Bishop
Low Levels

Derp! I bought a 116 page DCC magazine. Un-derp! It’s pretty interesting. I also have a headache this morning.

DCC magazine with the usual set of DCC magazine things, like patrons and a bestiary. It’s also got three adventures in it. One is quite short, and I shall not mention it again. A second, “Cannibal Tiger Women of Tsaru” is about fifty pages and involves several groups and areas, making it almost a hex crawl without hexes. (Great art though!) Dense, I’m not going to cover it. The third (which is the first in the issue) is the first part of a megadungeon.

“Demon Serpent of Balmosphos”, by Daniel Bishop, is a forty five room dungeon with two levels and four themed areas, in about thirty pages. It pushes my buttons in read-aloud, italics, and verbosity, but never goes off the deep end. Usually. What it does have is that DCC charm, which is kind of like a good OD&D thing turned up to 11.

Daniel does a good job with sprinkling the text with little tidbits that make the dungeon come alive. Early on you find a boot … that still has a rotting left foot in it. Little bits like that are scattered throughout the rooms. They don’t quite fall in to the trivia category because they do such a good job in setting mood and conveying it to the party.

The read aloud runs from about three to six sentences, in italics. I don’t like long sections of italics, I think it’s hard to read. I don’t like hard to read. My eyes glaze over. This read aloud almost always starts the same way: with a sentence on dimensions. “The door opens into a dusty space some 30 feet wide and 40 feet deep, vaulted to a height of 12 feet.” Yes, it’s completionist, since the read-aloud is meant to be read to the party, but it has NEVER made sense to me to put that shit in the text. You’ve got a map, right? Anyway, the read-aloud, except for those points, is not too bad. Room two tells us “Jumbles of bones and cast-off bits of detritus lie in the corners of this area. The uneven flagstones sag in the middle of the floor, as though from subsidence in the depths. You can hear the distant trickle of water from somewhere deep underground. The whole area smells of dry reptile musk, rotting meat, and sulfur.” That’s pretty good. Smells, sounds, good use of adjectives. It absolutely creates a good mental picture and that’s what I’m looking for in a room description.

The DM text then follows, and uses paragraph breaks and whitespace to good effect. Each thing mentioned in the read-aloud generally gets its own paragraph. That makes it easy to scan to find things to follow up on as the players explore. I.e., it’s helping the DM run the adventure, which is what it’s supposed to do.

Treasure and monsters are exactly what you expect of DCC: good. There’s this magic ring that may cause a devil to show up to retrieve it at some point in the future. Further, if you kill the devil, you get a respite for awhile while the bureaucracy of hell catches up. Hey! You just got some roleplaying notes for said devil! Perfect. Monsters also get some good descriptions. “The Balmorphos Serpent is a 50-foot long viper with hard brass scales and a head shaped like a blunt arrowhead. Its eyes glow red in the darkness. It smells of reptile musk, but its hissing breath reeks of sulfur (not unlike the smell of a struck match or rotting eggs) … transparent green venom drips from its fangs.” Great imagery, lots of USEFUL detail, meaning it’s oriented towards what the party will interact with and see/smell, rather than trivia on its background, etc. Bonus points: when you kill it a demon crawls out its mouth, getting larger. Then it bitches about missing its little lemur’s first day of school before it goes home. Nice.

Which is a good transition in to the encounters proper. Written in a neutral format, not gimping players, things to talk to that don’t always attack and some semblance, because of the four themed areas, of factions. Daniel puts in some good advice for the DM here and there, mentioning things like how to remove giant snake skin and some hints about boiling water damage in a stream before the entire 10d6 damage is received by people who ignore the initial signs.

DCC adventures can be a bit linear, but this one, with 3.5 roots, is not. What it does lack, though, is a little attention to the warriors. DCC rooms need a little bit more in them so warriors can perform Mighty Deeds. No chandeliers and barren rooms can make things hard on the warriors. Not every room needs to be a parkour playground, but more attention to this area would have been good.

Even with my read-aloud bitching I’m happy to pay for just this adventure.

This is $10 at DriveThru. The preview just shows you editorial and interview shit, and not any of the adventure text. BAD DCC WRITERS! YOUR PATRON IS DISPLEASED.

Categories: Tabletop Gaming Blogs

Wednesday Comics: Cosmic Tales!

Sorcerer's Skull - Wed, 11/21/2018 - 12:00

I'm proud to announce friend of FtSS Michael "Aos" Gibbons has released his long-anticipated space-faring superhero comic Cosmic Tales Quarterly, available in a limited print run.

It's 48 pages of story and 3 pin-ups in glorious black and white with a cover colored by yours truly. Head over to Michael's blog, The Metal Earth, to secure your copy while supplies last!


Looking For Group - Wed, 11/21/2018 - 05:00

The post 249 appeared first on Tiny Dick Adventures.

Categories: Web Comics

Hookin On Hump Day #179: A Yarny Link Party!

Moogly - Wed, 11/21/2018 - 02:00

Hookin On Hump Day is having a hat week – must be autumn! This round, all 5 featured patterns are free – and crochet! And ideal for taking along on your holiday travels! Hookin On Hump Day is a knit and crochet link party hosted here on Moogly and on Petals to Picots! On HOHD, you can [...]

The post Hookin On Hump Day #179: A Yarny Link Party! appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

OSR Commentary - The Alko Option Arthur Machen Mythological Campaign Madness

Swords & Stitchery - Tue, 11/20/2018 - 22:17

“We lead two lives, and the half of our soul is madness, and half heaven is lit by a black sun. I say I am a man, is the other that hides in me?” ― Arthur Machen, The White People and Other Stories

Part of the problem with the OSR is staying fresh as every adventure idea, old school author, old module, etc. is snapped up & brought into another product, fan
Categories: Tabletop Gaming Blogs

Imperfection for the win

Yarn Harlot - Tue, 11/20/2018 - 20:56

You know, earlier this year, when I turned 50, I wondered if this was going to be the year I finally learned a lesson or two.  (This is a separate wish than the sort I make every night, when I go to bed swearing that in the morning when I wake up it will be the start of a whole new me. The sort of me that finally cleans closets and streamlines her life and never, ever opens the fridge and thinks holy crap what is that smell, or the sort of me who always has a salad for lunch. I like to think that’s normal – as is my inability to wake up as that other person (she says, munching peanut butter toast, again.) I speak here of my failure to learn what I’ve come to think of as The French Lesson.

It’s possible I’ve told you this before, because it’s something I still struggle with (despite it being a really powerful lesson.)  When I was in grade nine, the first year with classes in different rooms of the school – something came over me, and I skipped French. I just didn’t go. Looking back I can’t even remember what I did instead of going to french, although at the time it all seemed important. It probably involved the boy next door. I was pretty deeply in love with him and everything he said seemed right. Anyway, love and complications aside, I skipped the class, and it was the first time I’d ever done it, and I knew instantly that it was the wrong thing. I felt horrible, and guilty, and that feeling stuck.  I had no idea how I was going to face the teacher after doing that, and so… I skipped the next class too.

Now the problem was huge.  I’d skipped two french classes.  Two in a row.  That was just too horrible to face, and so I skipped a third one while I tried to figure some elegant way out. You see where this is going. The whole thing, and this is still just unbelievable to me, even though I was really, really young and stupid, the whole thing culminated in my mum going to the end of term parent-teacher interviews, and the teacher had no idea who I was.  I still remember my mum asking me not just why the hell I’d skipped an entire term of french, but why on earth hadn’t I told her before she walked into the interview.  She was going to find out – in mere moments. I could have come clean, taken a minute and been all “Hey, mum. I kinda screwed up here, you’re going to find out in 39 seconds what I’ve done, so I might as well not make it worse.” Instead, I let her walk in there and knowing it was certainly all blowing up just a few metres away from me, I sat in the hall thinking “I really could have handled this better.”

Anyway, it’s turned out that some things, some approaches are thematic. They crop up over and over again in your life – and for me, this is a big one. Getting in too deep, and then getting in deeper while I try to get out is one of them,  and it turns out that turning 50 didn’t improve it at all… so here I’ve sat for the last while trying to figure out how to write to you when it’s been so long, and it’s not that I don’t have anything to tell you, it’s that I’ve let it go on for so long that now I have too much to tell you.  I have to tell you about Spain and the baby blanket and Sam’s wedding shawl and Sam’s wedding and I knit a cowl and had a retreat and I think I might be knitting more tiny things for Christmas and I need to take a million pictures and…. I’d wake up every morning and try to think about the worlds longest blog post to dig out, and then there wouldn’t be time for that post and then… The French Lesson all over again.

Then I woke up this morning and thought “$%*^ it. Maybe I just won’t be perfect.  (This is the great message of the French Lesson.  I’m still working on it.) So, here goes. Imperfection for the win.

1. I went to Spain with Joe to celebrate his 50th birthday and my 50th birthday. Together we have a century of experience. That seemed like something worth going big for.

2. It was totally worth it, except for the part where I had 9 hours at home before flying off to the November Strung Along Retreat. I had real regrets at 4am when I was back in the airport.

3. That feeling went away pretty fast when I got to the retreat and it was great.

4. I knit a bunch of stuff I haven’t taken pictures of, and I totally finished that baby blanket, and Joe mailed it for me while I was getting on and off planes, and the recipient allegedly loves it, and when I get a snap or two I’ll post about it here. Promise.

5. I’m furiously knitting Sam’s wedding shawl – her “wedding” is on Saturday. I’ve got that in quotes because it’s not really her wedding, because (in a very Sam-like move) the kid woman already took off to Vegas and got hitched. We’re just celebrating on Saturday because if you’re going to freakin’ elope, then you have to throw your family some kind of bone.

6. I think I’m going to make it. I have one row left to go and then a rather ridiculous bind off, but it still seems doable as long as I don’t buy a new dress, get my hair done or clean the house.

7. Luckily,  I don’t care much about any of those things.

8. There’s a chance Sam comes by her temperament honestly.

9. I am thinking about knitting 25 tiny things before December 1st. I have three.

10.  Yeah.

How are you?

Categories: Knitting Feeds

PDF Piracy

Bat in the Attic - Tue, 11/20/2018 - 19:34
Busy News day. So I logged on my publisher's page on RPGNow and found a warning from OBS about a pirate website with hundreds of RPG PDFs.

A couple of things

  • Don't lose your cool
  • See above
  • Don't use the DMCA link on that site. In the words of Admiral Ackbar: "It's a trap!"
  • Do a search for your products on Google and Bing. If a link appears to the aforementioned pirate site, send them a DMCA request. I've done it and it works relatively quickly.

This is the link for the Google DMCA form.
This is the link for the Microsoft Bing DMCA form.

Understand that software, video, and PDF piracy is semi-organized. The new pirate site is especially slick, which is probably why OBS reacted the way it did. However, it has existed for at least a year. In addition there are various underground directories floating around that are updated regularly. The links are coded so that they don't show up in the search engines' text searches. So the key is to keep those links off of the first handful of pages of search results. And that is not so hard to do thanks to the above links.

It sucks, but it's not as bad as it could be.

Categories: Tabletop Gaming Blogs

Web skimmers compete in Umbro Brasil hack

Malwarebytes - Tue, 11/20/2018 - 16:51

Umbro, the popular sportswear brand, has had its Umbro Brasil website hacked and injected with not one but two web skimmers, both part of the Magecart family.

Magecart has become a household name in recent months due to high profile attacks on various merchant websites. Criminals can seamlessly steal payment and contact information from visitors purchasing products or services online.

Multiple threat actors are competing at different scales to get their share of the pie. As a result, there are many different web skimming scripts and groups that focus on particular types of merchants or geographical areas.

Case in point: in this Umbro Brasil compromise, one of the two skimming scripts checks for the presence of other skimming code and, if present, slightly alters the credit card number that was entered by the victim. Effectively, the first skimmer receives wrong credit card numbers as a direct act of sabotage.

Two skimmers go head to head

The Umbro Brasil website (umbro.com[.]br) runs the Magento e-commerce platform. The first skimmer is loaded via a fake BootStrap library domain bootstrap-js[.]com, recently discussed by Brian Krebs. Looking at its code, we see that it fits the profile of threat actors predominantly active in South America, according to a recent report from RiskIQ.

1st skimmer with code exposed in plain sight (conditional with referer check)

This skimmer is not obfuscated and exfiltrates the data in a standard JSON output. However, another skimmer is also present on the same site, loaded from g-statistic[.]com. This time, it is heavily obfuscated as seen in the picture below:

2nd skimmer, showing large obfuscation blurb

No fairplay between Magecart groups

Another interesting aspect is how the second skimmer alters the credit card number before the first skimmer can use it. Before the form data is sent, it grabs the credit card number and replaces its last digit with a random number.

The following code snippet shows how certain domain names trigger this mechanism. Here we recognize bootstrap-js[.]com, which is the first skimmer. Then, a random integer ranging from 0 to 9 is generated for later use. Finally, the credit card number is stripped of its last digit and the previously generated random number is used.

Code to conditionally swap the last digit of the credit card (decoding courtesy of Willem de Groot)

By tampering with the data, the second skimmer can send an invalid but almost correct credit card number to the competing skimmer. Because only a small part of it was changed, it will most likely pass validation tests and go on sale on black markets. Buyers will eventually realize their purchased credit cards are not working and will not trust that seller again.

The second skimmer, now being the only one to hold the valid credit card number, uses a special function to encode the data it exfiltrates. Looking at the POST request, we can only see what looks like gibberish sent to its exfiltration domain (onlineclouds[.]cloud):

Encoded data sent back to exfiltration server

This situation where multiple infections reside on the same host is not unusual. Indeed, unless a vulnerability with a webserver is fixed, it can be prone to several compromises by different perpetrators. Sometimes they can coexist peacefully, sometimes they are directly competing for the same resources.

Coolest sport in town

While web skimming has been going on for years, it has now become a very common (re-)occurrence. Security researcher Willem de Groot has aggregated data for 40K websites since he started counting in 2015. His study also shows that reinfection among e-commerce sites (20% reinfection rate) is a problem that needs addressing.

Website owners that handle payment processing need to do due diligence in securing their platform by keeping their software and plugins up-to-date, as well as paying special attention to third-party scripts.

Consumers also need to be aware of this threat when shopping online, even if the merchant is a well known and reputable brand. On top of closely monitoring their bank statements, they should consider ways in which they can limit the damage from malicious withdrawals.

We have informed CERT.br of this compromise and even though the skimmers are still online, Malwarebytes users are covered by our web protection module.


Thanks to Willem de Groot for his assistance in this research.

1st skimmer: bootstrap-js[.]com
2nd skimmer: g-statistic[.]com

1st skimmer's exfil domain: bootstrap-js[.]com
2nd skimmer's exfil domain: onlineclouds[.]cloud

The post Web skimmers compete in Umbro Brasil hack appeared first on Malwarebytes Labs.

Categories: Techie Feeds

What DNA testing kit companies are really doing with your data

Malwarebytes - Tue, 11/20/2018 - 15:00

Sarah* hovered over the mailbox, envelope in hand. She knew as soon as she mailed off her DNA sample, there’d be no turning back. She ran through the information she looked up on 23andMe’s website one more time: the privacy policy, the research parameters, the option to learn about potential health risks, the warning that the findings could have a dramatic impact on her life.

She paused, instinctively retracting her arm from the mailbox opening. Would she live to regret this choice? What could she learn about her family, herself that she may not want to know? How safe did she really feel giving her genetic information away to be studied, shared with others, or even experimented with?

Thinking back to her sign-up experience, Sarah suddenly worried about the massive amount of personally identifiable information she already handed over to the company. With a background in IT, she knew what a juicy target hers and other customers’ data would be for a potential hacker. Realistically, how safe was her data from a potential breach? She tried to recall the specifics of the EULA, but the wall of legalese text melted before her memory.

Pivoting on her heel, Sarah began to turn away from the mailbox when she remembered just why she wanted to sign up for genetic testing in the first place. She was compelled to learn about her own health history after finding out she had a rare genetic disorder, Ehlers-Danlos syndrome, and wanted to present her DNA for the purpose of further research. In addition, she was on a mission to find her mother’s father. She had a vague idea of who he was, but no clue how to track him down, and believed DNA testing could lead her in the right direction.

Sarah closed her eyes and pictured her mother’s face when she told her she found her dad. With renewed conviction, she dropped the envelope in the mailbox. It was done.

*Not her real name. Subject asked that her name be changed to protect her anonymity.

An informed decision

What if Sarah were you? Would you be inclined to test your DNA to find out about your heritage, your potential health risks, or discover long lost family members? Would you want to submit a sample of genetic material for the purpose of testing and research? Would you care to have a trove of personal data stored in a large database alongside millions of other customers? And would you worry about what could be done with that data and genetic sample, both legally and illegally?

Perhaps your curiosity is powerful enough to sign up without thinking through the consequences. But this would be a dire mistake. Sarah spent a long time weighing the pros and cons of her situation, and ultimately made an informed decision about what to do with her data. But even she was missing parts of the puzzle before taking the plunge. DNA testing is so commonplace now that we’re blindly participating without truly understanding the implications.

And there are many. From privacy concerns to law enforcement controversies to life insurance accessibility to employment discrimination, red flags abound. And yet, this fledgling industry shows no signs of stopping. As of 2017, an estimated 12 million people have had their DNA analyzed through at-home genealogy tests. Want to venture a guess at how many of those read through the 21-page privacy policy to understand exactly how their data is being used, shared, and protected?

Nowadays, security and privacy cannot be assumed. Between hacks of major social media companies and underhanded sharing of data with third parties, there are ways that companies are both negligent of the dangers of storing data without following best security practices and complicit in the dissemination of data to those willing to pay—whether that’s in the name of research or not.

So I decided to dig into exactly what these at-home DNA testing kit companies are doing to protect their customers’ most precious data, since you can’t get much more personally identifiable than a DNA sample. How seriously are these organizations taking the security of their data? What is being done to secure these massive databases of DNA and other PII? How transparent are these companies with their customers about what’s being done with their data?

There’s a lot to unpack with commercial DNA testing—often pages and pages of documents to sift through regarding privacy, security, and design. It can be mind-numbingly difficult to process, which is why so many customers just breeze through agreements and click “Okay” without really thinking about what they’re purchasing.

But this isn’t some app on your phone or software on your computer. It’s data that could be potentially life-changing. Data that, if misinterpreted, could send people into an emotional tailspin, or worse, a false sense of security. And it’s data that, in the wrong hands, could be used for devastating purposes.

In an effort to better educate users about the pros and cons of participating in at-home DNA testing, I’m going to peel back the layers so customers can see for themselves, as clearly as possible, the areas of concern, as well as the benefits of using this technology. That way, users can make informed choices about their DNA and related data, information that we believe should not be taken or given away lightly.

That way, when it’s your turn to stand in front of the mailbox, you won’t be second-guessing your decision.

Area of concern: life insurance

Only a few years ago in the United States, health insurance companies could deny applicants coverage based on pre-existing conditions. While this is thankfully no longer the case, life insurance companies can be more selective about who they cover and how much they charge.

According to the American Council of Life Insurers (ACLI), a life insurance company may ask an applicant for any relevant information about their health—and that includes the results of a genetic test, if one was taken. Any indication of health risk could factor into the price tag of coverage here in the United States.

Of course, there’s nothing that forces an individual to disclose that information when applying for life insurance. But the industry relies on honest communication from its customers in order to effectively price policies.

“The basis of sound underwriting has always been the sharing of information between the applicant and the insurer—and that remains today,” said Dr. Robert Gleeson, consultant for the ACLI. “It only makes sense for companies to know what the applicant knows. There must be a level playing field.”

The ACLI believes that the introduction of genetic testing can actually help life insurers better determine risk classification, enabling them to offer overall lower premiums for consumers. However, the fact remains: if a patient receives a diagnosis, or if genetic testing reveals a high risk for a particular disease, their insurance premiums go up.

In Australia, any genetic results deemed a health risk can result in not only increased premiums but denial of coverage altogether. And if you thought Australians could get away with a little white lie of omission when applying for life insurance, they are bound by law to disclose any known genetic test results, including those from at-home DNA testing kits.

Area of concern: employment

Going back as far as 1964 to Title VII of the Civil Rights Act, employers cannot discriminate based on race, color, religion, sex, or national origin. Workers with disabilities or other health conditions are protected by the Americans with Disabilities Act, the Rehabilitation Act, and the Family and Medical Leave Act (FMLA).

But these regulations only apply to employees or candidates with a demonstrated health condition or disability. What if genetic tests reveal the potential for disability or health concern? For that, we have GINA.

The Genetic Information Nondiscrimination Act (GINA) prohibits the use of genetic information in making employment decisions.

“Genetic information is protected under GINA, and cannot be considered unless it relates to a legitimate safety-sensitive job function,” said John Jernigan, People and Culture Operations Director at Malwarebytes.

So that’s what the law says. What happens in reality might be a different story. Unfortunately, it’s popular practice for individuals to share their genetic results online, especially on social media. In fact, 23andMe has even sponsored celebrities unveiling and sharing their results. Surely no one will see videos of stars like Mayim Bialik sharing their 23andMe results live and follow suit.

The hiring process is incredibly subjective. It would be almost impossible to point the finger at any employer and say, “You didn’t hire me because of the screenshot I shared on Facebook of my 23andMe results!” It could be entirely possible that the candidate was discriminated against, but in court, any he said/she said arguments will benefit the employer and not the employee.

Our advice: steer clear of sharing the results, especially any screenshots, on social media. You never know how someone could use that information against you.

Area of concern: personally identifiable information (PII)

Consumer DNA tests are clearly best known for collecting and analyzing DNA. However, just as important—arguably more so to their bottom line—is the personally identifiable information they collect from their customers at various points in the relationship. Organizations are absorbing as much as they can about their customers in the name of research, yes, but also in the name of profit.

What exactly do these companies ask for? Besides the actual DNA sample, they collect and store content from the moment of registration, including your name, credit card, address, email, username and password, and payment methods. But that’s just the tip of the iceberg.

Along with the genetic and registration data, 23andMe also curates self-reported content through a hulking, 45-minute long survey delivered to its customers. This includes asking about disease conditions, medical and family history, personal traits, and ethnicity. 23andMe also tracks your web behavior via cookies, and stores your IP address, browser preference, and which pages you click on. Finally, any data you produce or share on its website, such as text, music, audio, video, images, and messages to other members, belongs to 23andMe. Getting uncomfortable yet? These are hugely attractive targets for cybercriminals.

Survey questions gather loads of sensitive PII.

Oh, but there’s more. Companies such as Ancestry or Helix have ways to keep their customers consistently involved with their data on their sites. They’ll send customers a message saying, “You disclosed to us you had allergies. We’re doing this study on allergies—can you answer these questions?” And thus even more information is gathered.

Taking a closer look at the companies’ EULAs, you’ll discover that PII can also be gathered from social media, including any likes, tweets, pins, or follow links, as well as any profile information from Facebook if you use it to log into their web portals.

But the information-gathering doesn’t stop there. Ancestry and others will also search public and historical records, such as newspaper mentions, birth, death, and marriage records related to you. In addition, Ancestry cites a frustratingly vague “information collected from third parties” bullet point in their privacy policy. Make of that what you will.

Speaking of third parties, many of them will get a good glimpse of who you are thanks to policies that allow commercial DNA testing companies to market new product offers from business partners, including targeted ads personalized to users based on their interests. And finally, according to the privacy policy shared among many of these sites, DNA testing companies can and do sell your aggregate information to third parties “in order to perform business development, initiate research, send you marketing emails, and improve our services.”

That’s a lot of marketing emails.

One such partner who benefits from the sharing of aggregate information is Big Pharma: at-home DNA testing kits profit by selling user data to pharmaceutical companies for development of new drugs. For some, this might constitute crossing the line; for others, it represents being able to help researchers and those suffering from disease with their data.

“You have to trust all their affiliates, all their employees, all the people that could purchase the company,” said Sarah, our IT girl who elected to participate in 23andMe’s research. “It’s better to take the mindset that there’s potential that any time this could be seen and accessed by anyone. You should always be willing to accept that risk.”

Sadly, there’s already more than enough reason to assume any of this information could be stolen—because it has.

In June 2018, MyHeritage announced that the data of over 92 million users was leaked from the company’s website in October the previous year. Emails and hashed passwords were stolen—thankfully, the DNA and other data of customers was safe. Prior to that, the emails and passwords of 300,000 users from Ancestry.com were stolen back in 2015.

But as these databases grow and more information is gathered on individuals, the mark only becomes juicier for threat actors. “They want to create as broad a profile of the target as possible, not just of the individual but of their associates,” said security expert and founder of Have I Been Pwned Troy Hunt, who tipped off Ancestry about their breach. “If I know who someone’s mother, father, sister, and descendants might be, imagine how convincing a phishing email I could create. Imagine how I could fool your bank.”

Cybercriminals can weaponize data not only to resell to third parties but for blackmail and extortion purposes. Having breached this data, criminals could dangle coveted genetic, health, and ancestral discoveries in front of their victims. You’ve got a sibling—send money here and we’ll show you who. You’re predisposed to a disease, but we won’t tell you which one until you send Bitcoin here. Years later, the Ashley Madison breach is still being exploited in this way.

Doing it right: data stored safely and separately

With so much sensitive data being collected by DNA testing companies, especially content related to health, one would hope these organizations pay special attention to securing it. In this area, I was pleasantly surprised to learn that several of the top consumer DNA tests banded together to create a robust security policy that aims to protect user data according to best practices.

And what are those practices? For starters, DNA testing kit companies store user PII and genetic data in physically separate computing environments, and encrypt the data at rest and in transit. PII is assigned a randomized customer identification number for identification and customer support services, and genetic information is identified only by a barcode system, so neither store on its own ties a name to a genome.
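To make that separation concrete, here is an added example in Python of the storage pattern just described; it is not code from 23andMe, Ancestry, Helix or any other vendor. The role names, field names and sample records are assumptions made for the example, and encryption at rest, which the article also lists, is left to a vetted library rather than shown here. The point it demonstrates is that a compromise of the PII store yields no genomes, a compromise of the genetic store yields no names, and only a narrowly privileged role can join the two.

```python
"""Added example (not any vendor's code): PII and genetic data in separate
stores, PII keyed by a random customer ID, genotypes keyed by a sample barcode,
and the linkage between them readable only by one privileged role. Roles,
fields and records below are assumptions for the example."""
import secrets
from dataclasses import dataclass, field

# Which role may read which store. The linkage table is the crown jewel: a
# support agent can see who a customer is, a research pipeline what a genotype
# says, but neither can join the two on its own.
PERMISSIONS = {
    "support": {"pii"},
    "research": {"genetic"},
    "linkage": {"pii", "genetic", "linkage"},  # e.g. the results-delivery service
}


class AccessDenied(PermissionError):
    pass


@dataclass
class Vault:
    pii: dict = field(default_factory=dict)      # customer_id -> {name, email}
    genetic: dict = field(default_factory=dict)  # barcode     -> {variants}
    linkage: dict = field(default_factory=dict)  # customer_id -> barcode

    def _check(self, role: str, store: str) -> None:
        if store not in PERMISSIONS.get(role, set()):
            raise AccessDenied(f"role {role!r} may not read the {store} store")

    def register_customer(self, name: str, email: str) -> str:
        """Store PII under a fresh random ID that means nothing outside this table."""
        customer_id = secrets.token_hex(16)
        self.pii[customer_id] = {"name": name, "email": email}
        return customer_id

    def receive_sample(self, customer_id: str) -> str:
        """Assign a random barcode to the kit; the genetic store never sees the customer ID."""
        barcode = "SMP-" + secrets.token_hex(8).upper()
        self.linkage[customer_id] = barcode
        return barcode

    def store_genotype(self, barcode: str, variants: dict) -> None:
        self.genetic[barcode] = {"variants": variants}

    def read_pii(self, role: str, customer_id: str) -> dict:
        self._check(role, "pii")
        return self.pii[customer_id]

    def read_genotype(self, role: str, barcode: str) -> dict:
        self._check(role, "genetic")
        return self.genetic[barcode]

    def resolve_barcode(self, role: str, customer_id: str) -> str:
        """The only join path; gated to the linkage role."""
        self._check(role, "linkage")
        return self.linkage[customer_id]


def research_export(vault: Vault) -> list[dict]:
    """What a research partner receives: genotypes keyed by barcode, no PII columns."""
    return [{"barcode": b, **rec} for b, rec in vault.genetic.items()]


def build_demo_vault() -> tuple[Vault, str, str]:
    """Constructed records for the example (name, email and variant are made up)."""
    vault = Vault()
    cid = vault.register_customer("Jane Doe", "jane@example.com")
    barcode = vault.receive_sample(cid)
    vault.store_genotype(barcode, {"rs429358": "CT"})
    return vault, cid, barcode


if __name__ == "__main__":
    vault, cid, barcode = build_demo_vault()
    print("support sees:", vault.read_pii("support", cid)["name"])
    print("research sees:", research_export(vault))
    try:
        vault.resolve_barcode("support", cid)
    except AccessDenied as exc:
        print("blocked:", exc)
```

The random IDs matter as much as the separation: a customer number derived from the name or email (a hash, say) would let anyone holding the genetic store re-identify samples by brute force over a list of known customers.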

Security is baked into the design of the systems that gather, store, and disseminate data, including explicit security reviews in the software development lifecycle, quality assurance testing, and operational deployment. Security controls are also audited on a regular basis.

Access to the data is restricted to authorized personnel, based on job function and role, in order to reduce the likelihood of malicious insiders compromising or leaking the data. In addition, robust authentication controls, such as multi-factor authentication and single sign-on, govern who can reach the data in the first place.

For additional safety measures, consumer DNA testing companies conduct penetration testing and offer a bug bounty program to shore up vulnerabilities in their web application. Even more care has been taken with security training and awareness programs for employees, and incident management and response plans were developed with guidance from the National Institute of Standards and Technology (NIST).

In the words of the great John Hammond: They spared no expense.

When Hunt made the call to Ancestry about the breach, he recalls that they responded quickly and professionally, unlike other organizations he’s contacted about data leaks and breaches.

“There’s always a range of ways organizations tend to deal with this. In some cases, they really don’t want to know. They put up the shutters and stick their head in the sand. In some cases, they deny it, even if the data is right there in front of them.”

Thankfully, that does not seem to be the case for the major DNA testing businesses.

Area of concern: law enforcement

At-home DNA testing kit companies are a little vague about when and under which conditions they would hand over your information to law enforcement, using terms such as “under certain circumstances” and “we have to comply with valid requests” without defining the circumstances or indicating what would be considered “valid.” However, they do publish transparency reports that detail government requests for data and how they have responded.

Yet, news broke earlier this year that consumer genetic data was used to find the Golden State Killer, and it gave consumers collective pause. Investigators built a DNA profile from the original 1970s crime scenes and uploaded it to GEDmatch, a public genealogy database to which people upload the raw data from kits such as 23andMe’s and Ancestry’s. While putting a serial killer behind bars is a worthy cause, the killer was found because relatives of his had shared their results there, and their DNA was a close enough match to the crime scene DNA that investigators were able to pin him down.

This opens up a can of worms about the impact of commercially-generated genetic data being available to law enforcement or other government bodies. How else could this data be used or even abused by police, investigators, or legislatures? The success of the Golden State Killer arrest could lead to re-opening other high-profile cold cases, or eventually turning to the consumer DNA databases every time there’s DNA evidence found at the scene of a crime.

Because so many individuals have now signed up for commercial DNA tests, odds are about 60 percent and rising that, if you live in the US and are of European descent, a search of a consumer genealogy database will turn up a third cousin or closer relative through whom you can be identified, even if you never submitted a sample yourself. According to the study published in Science, a database covering only about two percent of a population is enough to find such a match for nearly everyone in it, and the consumer databases are approaching that critical mass.

What’s the big deal if DNA is used to capture criminals, though? Putting on my tinfoil hat for a second, I imagine a Minority-Report-esque scenario of stopping future crimes or misinterpreting DNA and imprisoning the wrong person. While those scenarios are a little far-fetched, I didn’t have to look too hard for real-life instances of abuse.

In July 2018, Vice reported that Canada’s border agency was using data from Ancestry.com and Familytreedna.com to establish nationalities of migrants and deport those it found suspect. In an era of high tensions on race, nationality, and immigration, it’s not hard to see how genetic data could be used against an individual or family for any number of civil or human rights violations.

Area of concern: accuracy of testing results

While this doesn’t technically fall under the guise of cybersecurity, the accuracy of test results is of concern because these companies are doling out incredibly sensitive information that has the potential to levy dramatic change on peoples’ lives. A March 2018 study in Genetics in Medicine (a Nature journal) found that 40 percent of the variants flagged in raw data from at-home DNA testing kits were false positives when re-tested in a clinical laboratory, and that some variants reported as raising a person’s risk turned out to be benign. That finding is consistent with the fact that test results from different consumer testing companies can vary dramatically.

The relative inaccuracy of the test results is compounded by the fact that there’s a lot of room to misinterpret them. Whether it’s learning you’re high risk for Alzheimer’s or discovering that your father is not really your father, health and ancestry data can be consumed without context, and with no doctor or genetic counselor on hand to soften the blow.

In fact, consumer DNA testing companies are rather reticent to send their users to genetic counselors—it’s essentially antithetical to their mission, which is to make genetic data more accessible to their customers.

Brianne Kirkpatrick, a genetic counselor and ancestry expert with the National Society of Genetic Counselors (NSGC), said that 23andMe once had a fairly prominent link on its website for finding genetic counselors to help users understand their results. That link is now either buried or gone. In addition, she mentioned that one of her clients had to call 23andMe three times until they finally agreed to recommend Kirkpatrick’s counseling services.

“The biggest drawback is people believing that they understand the results when maybe they don’t,” she said. “For example, people don’t understand that the BRCA1 and BRCA2 testing these companies provide is really only helpful if you’re an Ashkenazi Jew. In the fine print, it says they look at three variants out of thousands, and these three are only for this population. But people rush to make a conclusion because at a high level it looks like they should be either relieved or worried. It’s complex information, which is why genetic counselors exist in the first place.”

But what’s the symbology?

The data becomes even more messy when you move beyond users of European descent. People of color, especially those of Asian or African descent, have had a particularly hard go of it because they are underrepresented in many companies’ data sets. Often, black, Hispanic, or Asian users receive reports that list parts of their heritage as “low confidence” because their DNA doesn’t sufficiently match the company’s points of reference.

DNA testing companies not only offer sometimes incomplete, inaccurate information that’s easy to misunderstand to their customers, they also provide the raw data output that can be downloaded and then sent to third party websites for even more evaluation. But those sites have not been as historically well-protected as the major consumer DNA testing companies. Once again, the security and privacy of genetic data goes fluttering away into the ether when users upload it, unencrypted and unprotected, to third-party platforms.

Doing it right: privacy policy

Because this is an emerging industry, there’s little in the way of regulation or public policy when it comes to consumer genetic testing. Laboratory testing is bound by the Clinical Laboratory Improvement Amendments (CLIA), administered by the Centers for Medicare and Medicaid Services, and commercial companies are regulated by the FDA, but DNA testing companies are a little of both, with the added complexity of operating online. The General Data Protection Regulation (GDPR), in force since May 2018, requires companies to report personal data breaches to regulators within 72 hours (and to the affected individuals when the risk to them is high), and imposes heavy fines for non-compliance. But GDPR only protects the data of people in the EU.

As far as legal precedent is concerned, the 1990 California Supreme Court case Moore vs. Regents of the University of California found that individuals no longer have claim over their genetic data once they relinquish it for medical testing or other forms of study. So if Ancestry sells your DNA to a pharmaceutical company that then uses your cells to find the cure for cancer, you won’t see a dime of compensation. Bummer.

Despite the many opportunities for data to be stolen, abused, misunderstood, and sold to the highest bidder, the law simply hasn’t caught up to our technology. So the teams developing security and privacy policies for DNA testing companies are doing pioneering work, embracing security best practices and transparency at every turn. This is the right thing to do.

Almost two years ago, founders at Helix started working with privacy experts in order to understand all the key pieces they would need to safeguard—and they recognized that there was a need to form a formal coalition to enhance collaboration across the industry.

Through the Future of Privacy Forum, they developed an independent think tank focused on creating public policy that leaders in the industry could follow. They teamed up with representatives from 23andMe, Ancestry, and others to create a set of standards that primarily hammered on the importance of transparency and clear communication with consumers.

“It is something that we are very passionate about,” said Misha Rashkin, Senior Genetic Counselor at Helix, and an active member of developing the shared privacy policy. “We’ve spent our careers explaining genetics to people, so there’s a years-long held belief that transparent, appropriate education—meaning developing policy at an approachable reading level—has got to be a cornerstone of people interacting with their DNA.”

While the privacy coalition strived for easy-to-understand language, the fact remains that their privacy policy is a 21-page document that most people are going to ignore. Rashkin and other team members were aware, so they built more touch points for customers to drill into the data and provide consent, including in-product notifications, emails, blog posts, and infographics delivered to customers as they continued to interact with their data on the platform.

Maps, diagrams, charts, and other visuals help users better understand their data.

After Rashkin and company finalized and published their privacy policy, they turned it into a checklist that partners could use to determine baseline security and privacy standards, and what companies need to do to be compliant. But the work won’t stop there.

“This is just the beginning,” said Elissa Levin, Senior Director of Clinical Affairs and Policy at Helix, and a founding member of the privacy policy coalition. “As the industry evolves, we are planning on continuing to work on these standards and progress them. And then we’re actually going out to educate policy makers and regulators and the public in general. We want to help them determine what these policies are and differentiate who are the good players and who are the not-so-good players.”

Biggest area of concern: the unknown

We just don’t know what we don’t know when it comes to technology. When Mark Zuckerberg invented Facebook, he merely wanted an easy way to look at pretty college girls. I don’t think it entered his wildest dreams that his company’s platform could be used to directly interfere with a presidential election, or lead to the genocide of citizens in Myanmar. But because of a lack of foresight and an inability to move quickly to right the ship, we’re now all mired in the mud.

Right now, cybercriminals aren’t searching for DNA on the black market, but that doesn’t mean they won’t. Cybercrime often follows the path of least resistance—what takes the least amount of effort for the biggest payoff? That’s why social engineering attacks still vastly outnumber traditional malware infection vectors.

Because of that, cybercriminals likely believe it’s not worth jumping through hoops to try and break serious encryption for a product (genetic data) that’s not in demand—yet. But as biometrics and fingerprinting and other biological modes of authentication become more popular, I imagine it’s only a matter of time before the wagons start circling.

And yet—does it even matter? Even with all of the red flags exposed, millions of customers have taken the leap of faith because their curiosity overpowers their fear, or the immediate gratification is more satisfying than the nebulous, vague “what ifs” that we in the security community haven’t solved for. With so much data publicly available, do people even care about privacy anymore?

“There are changing sentiments about personal data among generations,” said Hunt. “There’s this entire generation who has grown up sharing their whole world online. This is their new social norm. We’re normalizing the collection of this information. I think if we were to say it’s a bad thing, we’d be projecting our more privacy-conscious viewpoints on them.”

Others believe that, regardless of personal feelings on privacy, this technology isn’t going away, so we—security experts, consumers, policy makers, and genetic testers alike—need to address its complex security and privacy issues head on.

“Privacy is such a personal matter. And while there may be trends, that doesn’t necessarily speak to an entire generation. There are people who are more open and there are people who are more concerned,” said Levin.  “Whether someone is concerned or not, we are going to set these standards and abide by these practices because we think it’s important to protect people, even if they don’t think it’s critical. Fundamentally, it does come down to being transparent and helping people be aware of the risk to at least mitigate surprises.”

Indeed, whether privacy is personally important to you or not, understanding which data is being collected from where and how companies benefit from using your data makes you a more well-informed consumer.

Don’t just check that box. Look deeper, ask questions, and do some self-reflection about what’s important to you. Because right now, if someone steals your data, you might have to change a few passwords or cancel a couple credit cards. You might even be embroiled in identity theft hell. But we have no idea what the consequences will be if someone steals your genetic code.

Laws change and society changes. What’s legal and sanctioned now may not be in the future. But that data is going to be around a long time. And you cannot change your DNA.

The post What DNA testing kit companies are really doing with your data appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cryptozoic Will Showcase Latest Games at PAX Unplugged 2018

Cryptozoic - Tue, 11/20/2018 - 14:00

Cryptozoic Entertainment today announced that it will showcase recently released tabletop games at PAX Unplugged 2018, November 30-December 2 at the Pennsylvania Convention Center in Philadelphia. Cryptozoic will be at Booth #2956 demoing and selling its latest releases: Cult: Choose Your God Wisely, Rick and Morty: The Rickshank Rickdemption Deck-Building Game, and DC Deck-Building Game: Rivals — Green Lantern vs. Sinestro. In addition, Cryptozoic will feature popular recent releases Rick and Morty: The Pickle Rick Game and Pantone™: The Game.

Categories: Tabletop Gaming Blogs

RPGNow folding into DriveThruRPG

Bat in the Attic - Tue, 11/20/2018 - 13:13
OBS just sent a newsletter to all publishers saying that, due to little growth, RPGNow is folding into DriveThruRPG in February 2019. RPGNow links will redirect to their DriveThruRPG equivalents.

Also, metal rankings will merge, which frankly is a good thing overall, as the separate counts were always a pain.

The full text

Dear publisher,

Starting in February 2019, all elements of the RPGNow tool pages and storefront will redirect to similar pages on DriveThruRPG.

You most likely know this, but since RPGNow and DriveThruRPG first merged as businesses back in 2006, they have shared all the same tools and digital inventory. On the front end, they looked and behaved like two separate sites, but essentially they have just been two faces of the same site for many years. The only real differences were the color schemes and logos.

You might have some questions about the coming change, so we’ve done our best to anticipate and answer them below.

How will this affect me?

In most ways, you’ll be unaffected. Your entire catalog of titles from RPGNow is already listed on DriveThruRPG (as it always has been), and you can log in to DriveThruRPG using the same account(s) you’ve always used on RPGNow, just as you could before.

Even your old bookmarks to pages on RPGNow.com will still work: They’ll automatically be redirected to the same page on DriveThruRPG.

What about sales reporting? Will my past sales be combined?

Yes, as far as sales records and your titles’ metal rankings, we will be merging those together.

Starting in February, your sales records will show combined sales of each title across both the deprecated RPGNow site and DriveThruRPG, together. The number of unit sales will also be combined, so if you had metal rankings for titles on one or both sites, there’s a good chance you’ll find that your rankings on some titles will have increased on DriveThruRPG.

What about my Publisher Promotion Points and marketing impressions?

No worries. Your Publisher Promotion Points (PPP) are already shared across sister sites. They are compiled by publisher, not by site.

If you have used your PPP to purchase site impressions for banners or featured product messages on RPGNow, you will also be reimbursed, commensurately, for those expenditures on DriveThruRPG.

Why is this happening?

Here’s the big picture: In the 12 years since RPGNow and DriveThruRPG merged, the growth of RPGNow has tapered off constantly, while DriveThruRPG has continued to grow strongly, year over year, since it launched in 2004. We’ve reached the point where RPGNow rarely draws new customers or publishers and sells less than one-tenth the volume of titles purchased on DriveThruRPG.

To be honest, we have known this moment would come for years now. We’ve just finally decided it’s time to put the RPGNow brand out to pasture.
Categories: Tabletop Gaming Blogs

Why Gary Gygax Added Unrealistic Hit Points, Funny Dice, and Descending AC to D&D

DM David - Tue, 11/20/2018 - 12:15

In 1972, Dungeons & Dragons co-creator Dave Arneson introduced his Blackmoor campaign to co-creator Gary Gygax. The campaign stemmed from Gary’s Chainmail rules, but Dave’s game transformed the rules for miniature-figure battles into something new and irresistible—something that broadly resembled D&D.

My last post explained how Dave shaped a combat system that featured hit points, 2d6 to-hit rolls, damage rolls, and armor classes where higher numbers represented better protection.

Based on Dave’s demonstration, feedback, and notes, Gary added his own contributions to make the D&D game that reached print. In Pegasus issue 1, Dave recalled that Gary and his Lake Geneva group “had a lot more spare time than I did and they had a lot of ideas, so they came up with their own version of the rules.”

Gary changed Dave’s combat rules in 3 key ways:

  • Hit points became less realistic and more fun.
  • To-hit rolls switched to a twenty-sided die, creating a new market for funny dice.
  • AC ratings flipped to make lower values better, forcing awkward, negative ACs on players.

Unrealistic hit points

Gary’s changes let characters gain hit points as they leveled. In Blackmoor, Dave wrote, “As the player progressed, he did not receive additional hit points, but rather he became harder to hit.” Dave based armor class on armor, but fighters gained better saving throws. By the Blackmoor rules, saves applied to weapon attacks, so fighters could avoid damaging blows. “Only Fighters gained advantages in these melee saving throws. Clerics and magicians progressed in their own areas, which might or might not modify their saving throws.”

In Chainmail, a hero fought as 4 ordinary soldiers and a superhero as 8. D&D translated this scheme by making heroes 4th-level fighting men and superheroes 8th level. When Gary reconciled Dave’s rules for hit dice with the notion of heroes that fought as several men, he probably decided to give characters more hit dice as they leveled. The mechanic seemed unrealistic. After all, nobody gets 10 or more times more durable through experience. But rising hit points helped power the game’s success. They boosted the positive reinforcement of leveling. Plus, heroes capable of unrealistically surviving many blows supported D&D’s combat-intensive, dungeon-bashing style. These advantages helped make the game so appealing.

Every “realistic” system to follow D&D echoed Dave Arneson’s original method of using hit points to measure a character’s physical capacity to survive injury. In D&D, hit points rise as characters advance, and that turns hit points into an elegant damage-reduction mechanic. As characters level, they essentially reduce the damage they take from blows.

Using hit points for damage reduction boasts a number of virtues:

  • Combat plays fast because players do not have to calculate reduced damage for every single hit.
  • Although damage is effectively reduced, the reduction never makes a combatant impervious to damage.
  • Once characters gain enough points to survive a few blows, hit points provide a predictable way to see the course of battle. If a fight begins to go badly, the players can see their peril and bring more resources like spells and potions to the fight, or they can run. In a realistic fight, things can go bad in an instant, with a single misstep resulting in death.
  • Most attacks can hit and inflict damage, providing constant, positive feedback to players while everyone contributes to the fight. Realistic combatants do not wear down from dozens of damaging blows; instead each hit is likely to kill or maim. In more realistic systems like Runequest and GURPS, when two very skilled combatants face off, they block or dodge virtually all attacks. The duels turn static until someone muffs a defense roll and lets a killing blow slip through. This model may be realistic—it reminds me of those Olympic competitions where years of training turn on a single, split-second misstep—but the realistic model lacks fun. No popular sports begin as sudden-death competitions where the first to score wins.
  • Battles can gain a dramatic arc. Fights climax with bloodied and battle-worn combatants striving to put their remaining strength into a killing blow. No one likes to see the climactic battle fizzle with a handful of bad rolls, especially at their character’s expense.

Bottom line: Using hit points for damage reduction enables a combat system where you can hit a lot, and hitting is fun.

Funny dice

When Dave adapted the Chainmail rules for his Blackmoor campaign, he kept using ordinary 6-sided dice. He later explained, we had “no funny dice back then.”

The twenty-sided die may not have reached Dave’s corner of gaming yet, but Gary had funny dice and they enchanted him. At first, polyhedral dice only came from vendors in Japan and the United Kingdom, so getting a set required significant time and money. But by 1972, polyhedral dice started arriving from domestic sources. Gary recalled buying his first set from a teacher-supply catalog. In 1972, Creative Publications of California started selling 20-sided dice in a set of polyhedrals, and word spread among gamers. By 1973, Gary wrote an article touting funny dice. “The most useful are the 20-sided dice,” he explained. The original d20s came numbered from 0 to 9 twice, so most gamers rolled twice to generate a percentage from 1-100. Gary noted that gamers could do more. “Color in one set of numbers on the die, and you can throw for 5%—perfect for rules which call for random numbers from 1-20.” As an example, he mentions being “busy working up chance tables for a fantasy campaign game.” Gary found his new d20 so irresistible that he changed Dave’s 2d6 to-hit tables into D&D’s d20-based system.

Descending Armor Classes

As Gary reworked his attack table, he discovered that switching to descending AC numbers created a mathematical elegance. Game historian Jon Peterson describes how this system appears in a draft of the D&D rules. “If you were a first-level fighter rolling to hit, the number you needed was equivalent to 20 minus the armor class of your target. To hit AC 2, you needed an 18, to hit AC 3, a 17, and so on. Armor class descended to make it easy enough to calculate your needed roll that you wouldn’t even have to consult a table.”

If D&D had settled on this system, we might now be rolling a d20 to hit, adding the foe’s AC, and trying to reach a target number based on our character.

D&D reached players with a muddled system that kept descending armor classes, but hid any reason for the scheme. So players wondered why lower armor class represented better protection. Usually, bigger is better.

What happened?

When Gary expanded D&D to account for levels beyond 9, he lost the mathematical simplicity. While the draft rules only present to-hit numbers for fighters up to level 9, the published D&D rules extend the table up to level 16 and beyond. To keep a steady advancement over a greater range of levels, Gary reworked the table and broke an elegant design. This left a system where players used armor class only to look up a row in a table, and where intuitive, rising numbers would have worked just as well.

Categories: Tabletop Gaming Blogs

Black Friday 2018

Looking For Group - Mon, 11/19/2018 - 19:05

  *UPDATED* Now with direct links! Just click a pic! It’s here again, friends! In spite of our best efforts, the Earth has rotated around the sun and we find ourselves at the precipice of that orgy of consumerism known […]

The post Black Friday 2018 appeared first on Looking For Group.

Categories: Web Comics

The Fourthcore Crew Have a New Kickstarter Up: 5e Team Deathmatch

Thought Eater - Mon, 11/19/2018 - 19:05
I was a big fan of 4thcore. Some of those folks have moved on and now do some cool stuff for 5e. It is weird: I just recently heard about some kind of upcoming 5e competition series that is going to be live-streamed, then a few days later I was made aware of this. My money is on this being waaaay cooler than whatever the other thing is.

It has already funded and the thing is apparently already written. These guys are endlessly creative and really know how to kill...errr challenge a PC. For more on what they do, check out their home base, DEFY DANGER.

Categories: Tabletop Gaming Blogs

A week in security (November 12 – 18)

Malwarebytes - Mon, 11/19/2018 - 17:08

Last week on Malwarebytes Labs, we found out that TrickBot became a top business threat, so we took a deeper look at what’s new with it.

With Christmas just around the corner, the Secret Sister scam returned.

We also touched on the security and privacy (or lack thereof) in smart jewelry, air traffic control compromise, and what security concerns to take note of when automating your business.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (November 12 – 18) appeared first on Malwarebytes Labs.

Categories: Techie Feeds