I'm reading DC Comics' output from January 1980 (cover date) to Crisis! This week, I'm continuing my look at the comics at newsstands on the week of July 10, 1980. 

Justice League of America #183: This issue is mostly setup--but it's an enticing setup! Conway and Dillin have the JSA and JLA getting together, only to be whisked away to an empty New Genesis. It seems that Apokolips is ascendant and the remaining free New Gods (Metron, Mr. Miracle, Big Barda, and Orion) need the help of the greatest heroes of two Earths. The end reveals Darkseid (presumed killed at the end of the Adventure Comics revival of the New Gods) to be back amongst the living. While Superman has interacted with the Fourth World mythos before, this is the biggest step to integration in the wider universe DC has taken since the New Gods' creation. It's the harbinger of what's to come.

Secrets of Haunted House #29: The first story here illustrates the sort of "twist that doesn't really work" ending that these horror stories sometimes fall prey to. An old magician, angry at the praise being given a young upstart, reveals that he truly possesses magical powers by kidnapping the young magician and his girl and putting them in the grasp of a demon he summoned. The young magician defeats the demon who seems to declare the young magician really has magical powers too before taking the old wizard's soul. The girlfriend queries the young magician about his powers, and he sort of shrugs it off with a vague answer. The second story by Gill and Henson has a classic suspense radio program vibe. A nephew ingratiates himself with his elderly uncle, then once he discovers the old man's secret vault, kills him for the inheritance. A police lieutenant knows the nephew is guilty, but can't prove it, so harasses him for years hoping he'll slip up. He assumes the nephew got away with it, until the old house is demolished and his corpse is found in the vault. He knew how to get in but not how to get out!
Lasky and Rubeny's "Master of the Double-Cross" has a tabloid reporter stealing the typewriter of a deceased mystery author after a seance and finding out it will magically type manuscripts in the vein of its previous owner. He uses this to get fame and fortune, but then the seance crowd discovers a cache of unpublished manuscripts of the deceased author and the former reporter gets arrested for fraud (?). It appears the ghost double-crossed him. The last story by Kellay and Henson has nice art, but that art doesn't convey some of the story beats it was supposed to, I guess. An aspiring model is snooping around the chateau of a reclusive, but very successful modelling agent and discovering--well, something that shocks her about the models, but there are a couple of panels where I can't tell what they are trying to convey. It's clear it has something to do with plastic surgery, though, and the young woman begs to get in on it. The agent and the surgeon agree, and the woman is transformed into their star model. Apparently, the surgeon somehow did his job too well, because all the assembled press rush up to touch the woman and all the rough handling makes her dissolve into a "putrescent," "crumpled mass." I don't think that's how plastic surgery works, but the story doesn't explain any more than that.

Superman #352: Wolfman and Swan bring in Destiny (later "of the Endless," but in 1980 he's just a horror host) for a guest appearance, and he drains Superman's powers and restrains him by mystical means to keep him from helping people. Superman even goes on TV to announce his retirement to the world. This is all to teach Superman a lesson to let people save themselves from time to time so they don't become dependent on him. A dubious moral makes for a bad story. 
The backup introduces the "World of Krypton" feature. It has the simple but more reasonable moral of "stay in school, kid." Newman and Buckler have Superman relating the story of Kandorian citizenship classes to a potential high school dropout. Based on the story, Kandorian citizenship classes teach an unusual amount of wilderness survival, but then Krypton can be a pretty harsh environment so maybe that makes sense. It did cross my mind that Superman was just making up this story to keep the kid in school, but surely he wouldn't do that, right?

Weird War Tales #92: The first story by Burkett and Sutton is set during the Crusades. A Christian knight and a Muslim warrior must put aside their hatred to defeat the Four Horsemen of the Apocalypse. The second story by Kashdan and Redondo is the obligatory World War II piece. Here a Nazi experiment that turns soldiers into giantish, purple troll sort of creatures is uncovered. So as not to leave the Allied troops at the mercy of the monster, an American soldier bravely volunteers to have the procedure done to him. Neither of these stories is spectacular, but they're also not notably bad either. Meat and potatoes Weird War stuff.

Wonder Woman #272: Conway and Delbo reset Wonder Woman in the last issue and the cover to this one trumpets: "A brand new start for the amazing Amazon--against her greatest foe!!" Which is Angle Man. A brand new start just to fight Angle Man? He's her "greatest foe?" It's not a bad Angle Man story, but it's an Angle Man story! The Huntress backup by Levitz and Staton features Solomon Grundy, and is pretty good.

World's Finest #265: Five features, and none of them particularly good. The Haney/von Eeden is the best of the lot, though it has an over-complicated plot involving roses, an obscure point of Star City history, an evil twin, and the kidnapping of Dinah. Equally confusing but less enjoyable in the end is the Superman/Batman and Robin cover story, where old JLA villain Simon Magus returns with a plot to siphon science energy to bolster his power in Earth's universe as well as the magical universe he comes from so he can take over both. Maybe he's siphoning magical energy from the other universe too? I don't know. Anyway, it's got Superman fighting what he calls a Balrog, for what it's worth. The Hawkman story by DeMatteis and Landgraf works a Star Trek-esque "alien rebels with a legit grievance but deplorable immediate aims/methods" plot, but with less skill. The Red Tornado tale by DeMatteis and Delbo is just a recap of his story thus far to set up conflict with a new villain: T.O. Morrow, who has now transformed himself into a buff, nongreen Leader-type with bulbous cranium and moustache. Bridwell and Newton continue their Marvel Family yarn with conflict with Kull (not that one, the other one) and Mr. Atom in sort of a modern take on the Monster Society of Evil, I think.

Daniel R. Horne

"She had those damned crazy eyes. I don't got nothin' else to say about her or any of 'em." - Zauzikhoo Khalimas

Nomenclature: Yeti, Frost monkey, Ice ape, White death, Hunters, Snow Giants, Abominable snowmen, The horror that walks the mountain

Description: A white, furred, giant, ape-like creature

Things that are known:

  • They live in cold, arctic, climes
  • Their gaze leaves men not what they once were

Rumors and other whispers in the dark:
  • Some things are lost in the mountains when a man does what he must to survive. Many will not pay that cost, and they freeze to death. Those that do are transformed in both shape and spirit, possessing only rage and pure madness.
  • The emotions of a Yeti are so strong that they are contagious. Meeting their gaze is glimpsing the deepest, obfuscated, recesses of your soul. Apart from the terror, it causes your human nature to traumatically rebel against your animal flesh.
  • The fear that results from gazing into a Yeti's eyes, is the realization that each yeti is in fact their far future selves, returned and sent to slay themselves before the horror of their transformation into the yeti occurs. Sadly, this does not cause the yeti to cease to exist.
  • Yeti fur is actually a wiry red-orange, yet invisible in the snow. Nearby tribes will often have colors considered strange by foreigners. However bright orange huts are a sure sign you are in yeti territory.
  • The urine of a Yeti is thick and viscous and warm. It turns snow into hardened ice, melting it, and the water refreezing in the cold. This is why there are so many deadly slick traps near yeti lairs
  • When the lost, spiritual, or weak willed die in the mountains, they dream they are a beast, walking the land as a Yeti. If you gaze into the eye of a yeti you can see the dreamer, but also their dream reflection of you in their eyes. This is knowledge forbidden, and those that see it can lose their minds, becoming mad forevermore
  • Yetis do not have brains. They all worship Ithaqua and Wendigo and madness, chaos, and an icy heart lurk behind their eyes, and it is this you see that drives you mad
  • Yeti are bailiffs of terrible evils frozen and hidden in the mountains. They try to prevent people from visiting their prisons by yelling, throwing things, and scaring people away, but no one ever listens
  • The yeti and the abominable snowman are two sides of the same species. During interglacial periods, men turn into yeti. Except in rare peaks, where the torturous elements conspire to create and awaken an abomination. When the winter comes and the cold descends, the yeti are subject to this cold and become abominations themselves. 
  • Yeti, although as intelligent as a normal man, able to speak and reason and act as any creature can, is touched by the fae realms and lives only in the moment, unthinking of the future or the past
  • The yeti are not as intelligent as their abominable snowmen cousins, and have none of their psychic powers, save one. Their blue, blue, paralyzing eyes are the only psionic power they possess
  • The yeti is adept at swimming in arctic waters, and dives deep feeding off the plankton filtered through its fur
  • Yeti are not creatures. They are the parasitic spawn of the elder kind who sleep beyond the universe, burning with the fire of infinite darkness. Their eyes are portals to their masters, and to look upon them is to lose one's self. Those who die from this gaze are drawn through the portal to suffer eternally at the hand of the darkness in the universe
  • The glare in the eye of the yeti is lust. The hugs are a prelude to something horrible and it is that thought that drives men mad
  • Yeti are 4 feet tall, and very angry for short people
  • Yeti are not of average intelligence. They are hyper-intelligent, smarter than any other living creature. They act like beasts, because they take the minimum effort to survive, maximizing every ounce of brainpower on greater cosmic mysteries. They care for no other creatures, and not even themselves, convinced this world is just an illusion attempting to distract them from greater cosmic mysteries. It is this - this otherworldly intelligence far beyond that of mortals or even gods, that is seen when one gazes into their eyes.
  • Yeti don't naturally live in frozen wastes. Their life there is a choice to separate themselves from worldly things.
  • A yeti is winter manifest. It is the cold embrace of winter. Those that fear the frozen cold are frightened of its spirit, and the cold chills of fear grant the yeti power over them
  • Yeti theater is melodramatic and wildly sentimental. It features long, tragic, repetitive musical interludes which are absolutely not songs and which are never woven into the narrative
  • Yeti shamans make a trade, they lose a portion of their boundless fury in exchange for an understanding of the spirits. Their 'damned crazy eyes' only deal 3-18 damage and they can cast Faerie Fire, Speak with Dead, and Preserve Manflesh once per day each.
  • Yeti are thoughts of a peculiar intensity, wandering the mountains high. They are hallucinations brought on by oxygen deprivation. Possibly they are the self, cast out by the mind and made flesh
    • If the character looks into the yeti's eyes, then the full weight and significance of the revelation grips them. It is a calling and a geas. Save versus spells or get another class at level 1. Roll 3d6:
    • 3: Barbarian - you have seen the wild and it is you. No more shoes
    • 4-5: Ranger. You can keep your shoes
    • 6-9: Druid. The wild has shown you things
    • 10-12: Monk. Duh, mountaintop
    • 13-16: Cleric. You must bring the word to the people
    • 17: Thief. But they can't hear it while they're distracted by fripperies
    • 18: Yeti. You can't come down from the mountain until you've passed the vastation on to someone else
    • What the nature of the revelation is left to the Dungeon Master and player to discuss, but it must be heretical, troublesome, and right
  • Yeti are beasts that only live during the ages of ice. They estivate for millennia, frozen in glaciers, polar caps, far beneath the ice. They wait for the intense hot period that occurs briefly before the ice age starts
    • When the yeti come down the mountain, things are about to get much worse
  • Yeti are fire spirits, trapped in cold places lest they set fire to the earth and sky. Their fur is sooty smoke or pale mist. "Eyes" are holes in the smoky covering, through which primal fire, maddening to mortals, projects
  • Yeti is a pasta shape associated with the cannibal tribes of high Dolomites
  • There are beach yetis, marsh yetis, and perhaps others, each a tyrant of its own territory
    • There are rumors of sewer Yetis, but no man has ever seen one
  • Yetis are bundles of sticks and fur, animated by rage spirits
  • Yeti have a propensity to rip your arms out of your sockets if they lose in a game
  • Yetis are the wandering, tortured souls of extinct volcanoes. As such, they are immune to fire, and disintegrate into ash when slain.
  • Yetis will guide travelers through frozen mountain passes if approached with the gift of a mirror and hairbrush
    • Perhaps their anger is due only to bad hair days
  • Yetis have a mortal phobia of mirrors and hairbrushes, blasting out the call of the yeti if confronted with them. The yodel causes all within 100' to save versus magic spells or become forever warped by the haunting trills and falsetto growls of the yeti yodel. 
  • All yetis are functional hermaphrodites
  • Yetis are obsessed with salt
  • Yetis worship Cryonax, their progenitor and evil para-elemental lord of the ice realm. Without this holy worship, they lose powers of ice and cold and are less aggressive. 
    • Some are blessed with tentacles like their lord
  • Yetis are the harbingers of snowstorms and blizzards
  • They are accomplished abstract snow sculptors, focusing on the abstractions of good and evil
  • Yeti refer to themselves as "Ch'rrawr'grrah'hwtech", which in the yeti tongue roughly translates to "the true folk". 
  • Yeti are self-absorbed liars.

The list of July 2021 Patch Tuesday updates looks endless. 117 patches with no less than 42 CVEs assigned to them that have FAQs, mitigation details or workarounds listed for them. Looking at the urgency levels Microsoft has assigned to them, system administrators have their work cut out for them once again:

  • 13 critical patches
  • 103 important patches

You can find the list of CVEs that have FAQs, mitigations, or workarounds on the Microsoft July release notes page.

Six vulnerabilities were previously disclosed and four are being exploited in-the-wild, according to Microsoft. One of those CVEs is a familiar one, 2021-34527 aka the anyone-can-run-code-as-domain-admin RCE known as PrintNightmare. Microsoft issued out-of-band patches for that vulnerability a week ago, but those were not as comprehensive as one might have hoped.

Since then, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-04, “Mitigate Windows Print Spooler Service Vulnerability” because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability. This directive lists required actions for all Federal Civilian Executive Branch agencies.


Besides the ongoing PrintNightmare, er, nightmare, there are some others that deserve your undivided attention. Vulnerabilities being exploited in the wild, besides PrintNightmare, are:

  • CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability for Windows Server 2012 R2 and Windows 10.
  • CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability for Windows Server 2012, Server 2016, Windows 8.1, and Windows 10.
  • CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability for Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019.

Other vulnerabilities that are not seen exploited in the wild yet, but are likely candidates to make that list soon:

  • CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability for some Windows Server versions, if the system is hosting virtual machines, or the Server includes hardware with SR-IOV devices.
  • CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability for Windows Server versions if the server is configured to be a DNS server.

Exchange Server

Another ongoing effort to patch vulnerable systems has to do with Microsoft Exchange Server. Flaws that were actually already patched in April have now been assigned new CVE numbers CVE-2021-34473 (Microsoft Exchange Server Remote Code Execution Vulnerability) and CVE-2021-34523 (Microsoft Exchange Server Elevation of Privilege Vulnerability). As you may remember, this combo of elevation of privilege (EOP) and remote code execution (RCE) caused quite the panic when attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.

If you applied the patches in April, you are already protected. If you didn’t, move them to the top of your to-do-list.

Windows Media Foundation

Two other critical vulnerabilities, and one considered important, were found in Microsoft Windows Media Foundation. Microsoft Media Foundation enables the development of applications and components for using digital media on Windows Vista and later. If you do have this multimedia platform installed on your system you are advised to apply the patches, but note that many of them include the Flash Removal Package. So do the patches for CVE-2021-34497, a critical Windows MSHTML Platform RCE vulnerability.

Stay safe, everyone!

The post Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday appeared first on Malwarebytes Labs.

By Addison Short Torchlight Press 5e Levels 10-11

Once a faithful young acolyte to a goddess of war, Acantha tended to her god’s temple diligently and without protest. One fateful evening a rival god appeared and wrought destruction on the temple. Rather than take pity on Acantha, her goddess cursed her with the powers she is now feared for: her petrifying gaze and the mass of writhing snakes that protrude from her head. Little known, however, is that the curse also bound her life to the broken temple; if she strays from it for too long, she grows weak and begins to die. In the millennia since she was cursed, her presence has imbued the surrounding forest with its own petrifying magic. Creatures that enter the depths of the forest risk being turned to stone by the latent magic and for each creature petrified, the forest grows further outward. Now, Acantha is known as the Lady of Sorrows.

This 34 page adventure details a petrified forest and with a ten room temple at the center containing an ancient medusa. It has some good ideas for putting the medusa in to the context of the larger game world, but really doesn’t know what it wants to be when it grows up, never going fully down any path. The results are a muddled mess that takes a great concept and comes off as generic.

This thing has four different elements to it, and doesn’t fully go down the path of any one of them, or, perhaps, use any one of them effectively, much less using all four effectively. You’ve got “the medusa in the larger context of the region”, “the medusa’s petrified forest”, “the temple of the medusa at the center of the forest” and “the medusa’s allies.” Each of these, individually, has some interesting ideas (well, except maybe the temple) but they are just surface level concepts, not going far enough and not working together.

What sucked me in to this product in the first place is the medusa in the larger context. Let’s think of this as THE medusa, and, in fact, this medusa’s origin is much like the mythical one, cursed by a god. The forest is a mythical place. This isn’t just a medusa that shows up as a random encounter, one of many, inside of a cave complex. This is HER place in the world. The people know about her. They know about the forest. It’s a thing for people. And, there’s notes on her actions in the wider world. Outlying farms getting visits from her, a kind of protection thing, which is either a racket or beneficial, depending on how you play the medusa. Her showing up at some nobles party, all Sleeping Beauty style, to fuck with people. Longer plans, like her minions raiding a village to forcibly disarm the village. But it doesn’t do anything with any of this. It’s not a coherent narrative. Rather than picking one, or two, and going with it, instead it’s just a couple of sentences thrown at the DM. “Do what you want with this concept.” This is a SEVERELY missed opportunity. A mythical creature in a mythical place with plots? That would be GOLD, but it’s not handled well here at all, and given no life or room to grow.

The forest. Petrified. Full of statues, etc. Slowly expanding as more and more animals and people get petrified. It’s cut off a village awhile ago and now they are isolated from the rest of the kingdom. All super good. Nice concept. Terribly handled. The forest has two things going on. First, if you kick up a dust cloud you get to save to turn to stone in a few days. Also, dust storms randomly swirl around at times, especially during encounters. There’s no way mentioned to cure the “flesh to stone” infection. During a dust squall it’s noted that a cloth over the face keeps you from having to make a save … but not during general travel? There’s an entire page devoted to the dust storms, inhaling the dust, etc, and these sorts of very basic are never mentioned. Further, it feels punitive to me. Much like heat and cold rules, it feels like torture to play in it. And, when you get to the temple, your “make a saving throw every day or the disease progresses” changes to “make a saving throw every turn.” Fuck me man. And then the encounters are … strange? Each takes about a column, for a VERY basic encounter in most cases. There are two tables, one of which I don’t think is ever used and has ten entries on it and “roll a d4” noted. Fuck if I know what this table is for. The other is the “traveling through the forest” table with the encounters getting a column each. There are no set encounter locations in the forest, just wander the fuck around in it having these random encounters and making saving throws to not die until you reach the somewhat random hex with the medusa’s temple in it. (Admittedly, in the center of the zone, but the players don’t know that and don’t know how big the place is so they won’t know which hex is the center.) This is all pretty fucking terrible design. Again, nice concept, but “wander the death zone having random encounters” is not an adventure. What this needed was some fixed locations, with the NPC’s scattered about.

And NPC’s there are. A treant with no home forest to guard anymore because it was logged out. A hag with a bunch of orphan children. The invisible snake that likes silver tableware. Not bad. Maybe we can even count a tribe of trolls that serve the medusa. But, as NPC’s, they are all just stuffed in to the ten room temple. Any subplots or interesting encounters will have to happen there, perhaps in the context of a fight. They have no room to breathe and nothing interesting going on within the context of the adventure (more on their role in the larger context later.)

And the medusa’s temple is boring as all fuck. The descriptions are essentially non-existent. Which, I guess, makes sense in a way, maybe? I mean, it’s not an exploratory location. You either talk to her or stab her. But I just can’t get over the lack of any meaningful detail. “An alter devoted to the god of war cracked down the middle.” Well, fuck, that’s certainly a great description for the fucking thing that started the entire ordeal of medusa in the first place, isn’t it? And the cleaning closet is one of the ten rooms. What the fuck? Seriously? Along with the outhouse. With a bucket to put the excrement in to fertilize the garden. This is what you devote pages to in an ancient cursed medusa’s temple? And the creatures/allies just sit in their locations if you start stabbing her, I guess, since there’s no notes on this outcome.

And now we must deal with the elephant. There is an attempt to make the various major NPC’s more well rounded. A ham-handed attempt that amounts to “DRAGON GOOD. PRINCESS BAD. HUR HUR HUR.” Let’s be clear, I really like a complex social environment, including the “monsters.” I think it offers much more rewarding play than just having everyone and everything attack outright when they see the party. But I’ve got my limits. “The medusa has grown increasingly impatient with the greed and cruelty of the humanoid kingdoms over the millennia.” Uh huh. Says the chick who turns people to stone. Cue the South Park “It was coming right at me!” schtick. The treant advisor/friend whose forest was cut down by the human kingdom. The NE hag who doesn’t eat children and instead rescues orphans from the forest to raise them. Uh huh. Or hooks that involve rescuing the women, children and elderly from a village that are in danger. Uh huh. There’s a passing attempt to create “we’re allied with the medusa”, “the medusa relationship to us is neutral” and “stabbing the medusa” hooks, but, in reality, this is just stabbing the medusa. Otherwise there’s not really an adventure here, it’s just a patron. Oh, oh! The stabbing the medusa hook? You’re hired by the Lord to go do it. And if you do he fucks you over by giving the worst hex in the petrified forest as your domain. This sort of ham-handed shit doesn’t fly. It doesn’t when the monsters are all psychos and it doesn’t when we turn the tables and make them the good guys and the humans all evil. And it doesn’t matter how many encounters there are like “flocks of birds turn to stone midair and rain down” there are. The inability to give the major NPC’s more than a single dimension, either direction, destroys the ability to create a larger game context for the party to enjoy and/or exploit.

Discounting this ham-handedness though, the other parts of the adventure are extremely weak both as stand-alone elements and in the way that they should be working together to create a larger context for adventuring. The surrounding area stuff is a throw-away. The wilderness has no depth. The NPC’s have no room to experience them. And the temple is a disaster of “Nothing going on but boring.” But, in concept, each one of those is great! Yes, even the ham-handed shit. These are great ideas … that just did NOT make it in to execution in any way shape or form beyond “I have a good idea …”

This is $7 at DriveThru. The preview is the entire thing which is GREAT. I would suggest taking a look at the forest few tables. They will give the general vibe of the product, as well as the missed potential.


This has been episode “A pernod at 7:30am sounds like a good idea to me” of Bryce reviews everything on his wishlist.

The Tenth Doctor is back in action – David Tennant faces the Daleks once more in the second volume of Doctor Who – Dalek Universe   Doctor Who: Dalek Universe 2 is out today from Big Finish. These three new epic full-cast dramas continue the adventures of the Tenth Doctor (David Tennant) in the Dalek […]

The post Doctor Who: The Dalek Universe Volume 2 is Out Now appeared first on Blogtor Who.

"In CURSE OF THE AMBER PRINCESS the travel into the Great Desert of Shifting Sands in search of the lost city of Khartopolis. What evil waits for them beneath the dunes? Will they survive?" In 'Mini Quest: Curse of the Amber Princess' six pages David Dudka creates a nice mid point Egyptian themed or lost city adventure perfect as a roll up for a Castles & Crusades campaign. 'Mini Quest: Curse of

In an adventure that features a race against time or against unseen enemies, players will ask if they have time to rest, search, or prepare. If the adventure lacks a way to reveal how much time remains, such decisions become guesswork. Informed choices make roleplaying games fun, but guessing can just feel frustrating. Players wonder if their blind decisions really matter or if their choices just get ignored so the session tracks a narrative. Often, story conventions win, so choices don’t matter. How often do parties of adventurers reach a diabolical ritual seconds before its completion? Such luck! All those guesses led to the most improbable, dramatic conclusion. (I don’t condemn it; I’ve done it.)

The movie version of the race to foil a ritual would cut speeding characters against shots revealing the cultists’ nearing success. For drama, a dungeon master could take the storytelling liberty of describing events the characters can’t see, but that gives players actionable information their characters lack. To play in character, does the group have to pretend they don’t know what they can’t know?

Potions photo by Jan Ranft

Some years ago, the multi-table epic adventure Return to White Plume Mountain suffered from such an information gap. In it, some tables worked to create a distraction to divert foes from other groups who might otherwise be overwhelmed. At the end of the adventure, groups that drew more foes faced more monsters. The best strategy balanced making some distraction without drawing a lethal amount of attention. But the players lacked feedback revealing the rising threat they faced, so I wished for some divination magic that would give players a better sense of how their actions shaped their future.

I’ve considered all this as I prepare to run the adventure Necropolis of the Mailed Fist, a “punishing” tournament adventure sure to be relished by a particular group of gluttons for punishment. Author Sersa Victory favors competition over immersion by sometimes telling DMs to make metagame announcements or to issue challenges:

“Announce to players that ‘the constellation of living spheres of annihilation has been awakened!’”

“Tell characters that they have one minute to choose between supremacy for themselves or subjugation for their enemies.”

I imagine an unseen narrator’s announcements sounding across the necropolis, and the characters looking quizzically for the source. Instead, I want a way to bring these announcements out of the metagame and into the game world.

Sometimes Dungeons & Dragons scenarios would play better when the players gain feedback that would lead to interesting choices and added tension. Often, the characters have no ordinary way to get that information. Fortunately, D&D characters live in a magical world where divination exists.

Potion of Omens
Potion, rare
After drinking this potion, you begin seeing visions or hearing phrases that reveal your progress toward whatever short-term goal you feel is most important. These omens may also reveal the most likely outcome of current activities meant to reach the goal. The DM chooses the frequency and the exact nature of the omens. The effects last for 10 days or until your goal changes.

By providing the capability in a potion, the DM controls access, so when a mission works better with extra information, characters can happen upon a potion that helps.

Elon Musk is an incredibly popular target for scammers and spammers on social media. Attach his name to something he has no involvement in and watch it fly. Verified accounts on Twitter continue to be favourites for account compromise / fake Elon scams. Those often turn out to be Bitcoin related. Sometimes, it’s on a grand scale.

There are other Elon scams out there, though.

Elon, word searches, and watches

Here’s one currently doing the rounds on Twitter. It’s not Bitcoin for a change, nor does it appear to exclusively be the domain of verified accounts.

What happens is this:

A Twitter account goes viral with a popular (or even semi-popular) tweet.

On almost every tweet I do that gets more than a few RTs I get this same spam image of an Elon Musk tweet with a couple of random words as the caption, always from different Twitter users. It's really bizarre! pic.twitter.com/PqLpkbkiND

— Sooz Kempner (@SoozUK) July 12, 2021

An account which is almost certainly a bot replies to the popular tweet. They don’t appear to post anything coherent which is peculiar. You don’t want your fake message to loudly proclaim “I’m fake”, but we’re already perilously close in this instance. Two random words are mashed into a reply, along with a screenshot.

The screenshot appears to show Elon Musk, on Twitter, saying:

Just google “Topmid Dust Watch” and thank me later.

He hasn’t said anything of the kind, but anyone searching for this phrase will be met with…well…bafflement, for the most part.

Scrabbling in the dust

The aim of the game here is presumably to bypass spam detection, via images of bogus tweets. The very common name of the watch in this case (“Dust watch”) means the results are filled with YouTube videos and gaming articles about the popular CounterStrike map “Dust”. As far as results regarding watches go, there are just a few scattered here and there. Easy to miss in a plethora of gaming pages and videos!

Now, we can’t say which site is tied to the spam messages on Twitter. The site responsible may already be offline. Instead, let’s outline what happens should you search for this product.

A “free” watch?

Tactics such as the above usually lead to portals “selling” the item for a grand total of $0. What you actually pay here is shipping only, calculated once you enter your address. However, you may not want to get your credit card out just yet.

This isn’t a recent marketing technique; sites giving away free stuff and “just” charging shipping have been around for years. And sites doing so-called limited time offers on shipping only watches had some attention in 2017.

What do offers really cost online?

Generally speaking, people should avoid suggestions to go search words and / or products in the replies of social media posts. The same goes for promotions pushed by accounts you know, or even verified accounts. There’s always a chance what you’re seeing is the result of a compromise. You’ve no idea what waits at the other end of a link, or indeed search result. It might be a slightly peculiar watch offer, or something else altogether like phishing or malware.

If it’s too good to be true…well, you know the rest.

The post Nope, that isn’t Elon Musk, and he isn’t offering a free Topmist Dust watch either appeared first on Malwarebytes Labs.

Firefox recently announced that it will soon be rolling out DNS-over-HTTPS (or DoH) to one percent of its Canadian users as part of its partnership with CIRA (the Canadian Internet Registration Authority), the Ontario-based organization responsible for managing the .ca top-level domain for Canada and a local DoH provider. The rollout will begin on 20 July and continue until every Firefox user in Canada is reached in late September 2021.

This announcement came five months after Firefox rolled out DoH by default for its US-based users.

The overall purpose of this rollout is to increase the privacy of all Firefox users by encrypting DNS requests. DNS requests are sent in plain text, meaning any computer they pass through is able to see what website domains you’re looking up and likely visiting. This includes websites you visit over an encrypted connection, prefixed with https://. The DNS resolver the request is sent to sees the DNS request, too. It needs to in order to convert the domain name users want to visit to the IP address equivalent for that destination. DNS-over-HTTPS is designed to shut out everyone else.

Because a DNS request has no encryption (again, regardless of whether the website you want to visit is encrypted or not), intermediaries can monitor or modify DNS requests. This means that the organization you work for, your favorite coffee shop, or your ISP can spy on your web browsing history without your knowledge and without telling you what they do with the information.

“Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives,” wrote Selena Deckelmann on Mozilla’s official blog. “We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.”

The downside of encrypting DNS

Not everyone is a fan of DNS-over-HTTPS. To many, DNS-over-TLS is a more appropriate solution to the encryption problem but its “correctness” is also its great flaw. DNS-over-TLS communication (and nothing else) happens on port 853. Your ISP, or employer, can’t spy on your DNS requests if you use DNS-over-TLS but they can block port 853 and stop you from using it, leaving you no option but to revert to the unencrypted version of DNS on port 53, which they can spy on.

DoH communication happens on port 443, the port used for https:// web browsing. Because of that, DoH requests are indistinguishable from web traffic. Your ISP or employer can’t block port 443 to stop DoH without also stopping all web browsing. And an ISP that does that will quickly find itself with no customers.

So, from a personal privacy point of view, DoH is a clear win. But from a corporate security point of view it’s a problem. Security appliances like Next-Generation firewalls want to peer inside network traffic to identify security threats, and encryption like DoH makes that harder.

Some are also concerned about the way DoH might centralize trust. Using DNS-over-HTTPS is similar to using a third-party VPN in that it keeps your traffic private inside an encrypted tunnel, but you have to trust the VPN vendor or DNS resolver at the end of the tunnel an awful lot. Because DoH is relatively new there aren’t many DoH resolvers. So instead of everyone’s DNS requests being fulfilled by their respective ISPs they are sent to one of a relatively small number of DoH resolvers, operated by organizations like Google and Cloudflare.

CIRA Canadian Shield

In the case of Canadian Firefox users, their DNS resolver is CIRA. Canadian users who use DoH by default will begin seeing “CIRA Canadian Shield” as their default DNS provider. You can read more about CIRA Canadian Shield on CIRA’s official website here.

Canadian users of Firefox should expect this window, letting them know that their DNS requests are encrypted and routed through a DoH provider. (Source: Mozilla Blog)

“Protecting the privacy of Canadians is a key element of restoring trust on the internet,” says CIRA President and CEO Byron Holland in a statement, “Our goal is to cover as many Canadians as possible with Canadian Shield, and that means finding like-minded partners who share our values. We are proud to be the first Canadian participant in the Trusted Recursive Resolver (TRR) Program and are always seeking out new ways to extend the reach of Canadian Shield to enhance the privacy of Canadians.”

The post DNS-over-HTTPS takes another small step towards global domination appeared first on Malwarebytes Labs.

 "A disease of the mind, perhaps a bit of indigestion. A fancy for fools" -Ilx, Naif Merchant

Nomenclature: Chimera, Triaeon, Dewmist

Description: A rumor of an imaginary beast, one of the mind
Things that are known:
  • It has the head, mane and legs of a lion, the body of a goat, and the tail of a dragon.
Rumors and other whispers in the dark:
  • A mountain in the ancient land of Lycia had a volcano at the peak which nourished lions, a pasture on its cliffs that is attractive to goats, and the wild grasses and rocks at the bottom were infested with serpents. From this mountain comes all Chimera
  • Chimera are especially vulnerable to arrows, unable to avoid any launched from the air.
  • Sometimes black dark magics merging the flesh of life produce a horrible heresy which manifests as a terrible beast, whose only weakness is time. This is the Chimera
  • The wise Yang Chu tells us that there are four chimera that prevent the soul from rest: Age, Rank, Reputation, Riches. Those possessed by these desires are followed by the four Chimera. The Chimera of life to death brings ghosts, the Chimera of power and rank brings killing men, the Chimera of integrity bringing light and fire, and the Chimera of wealth bringing chains and punishment
  •  Chimera are the manifest creations of the astral. They are star-forms sent into the world to penetrate it, and enlighten and align the world to the order dictated by the stars.
  • Chimera attack with phantoms and dreams, distorting countenance of creatures, and causing visitation by etheric ghastly visions
  • A chimera is a substance that is separate and distinct from reality, eternal, and anathema to gods
  • The Chimera sits at the end of every universe and is either the first or final cause
  • The Chimera is actually a three legged bird-lizard, the goat and serpent heads are simply effective camouflage to scare away predators. 
  • A chimera is a machine woven with silken spider webs by intelligent spiders that they ride within
  • Chimeras are a hidden disease, upon slaying a dragon, the corpse bursts open, and from within a lion attacks. When the lion is killed, his corpse in turn bursts open, and in the interior is the demonic chimera. With its suits of flesh ruined, it attacks with frenzied fury
  • Daydreamers manifest their creations as Chimera; lugubrious beasts, they attack the dreamer for daring to make them manifest
  • Echidna had nothing left but pieces when she went to forge the chimera
  • The Chimera is the sister of the hydra, they are two breeds of the same creature
  • Chimeras are secretly people who have been infected by other variations of itself, turning into creatures much more terrifying than a lion with a snake and goat head
  • Chimera are serpents with two front legs and a whip like tail
  • Chimera are all immortal and cannot die from natural causes
  • The breath of a chimera is so hot that it melts all arrowheads and sets all arrows aflame
  • All chimera are female
  • The chimera is just a word unknowing primitive creatures applied to a working forge
  • The chimera is representative of seasons of growth, harvest, and death
  • Tales of chimera with goat heads and snake heads are just the ramblings of fools, who mistake the chimera's wings for a goat head, and its lionized tail for a snake
  • Why would one fear a goat? The lion and the dragon are there to protect and shield the goat head from harm
  • The chimera is a pale sickly beast, barely able to breathe and reliant on the kindness of other creatures for survival
Variants: The winged lion. This chimera is a lion with wings; it does not breathe fire.
Valuable Resources: All parts of the chimera, bone, teeth, claw, and fur, are useful for illusions and dream magics

By Greg Saunders Fire Ruby Designs Warlock! Beginners

The Vale is a wilderness on the fringes of the Kingdom where a number of factions, from pilgrims to goblin clans, exist in an uneasy state of truce. Now someone has shown up to claim a piece of its past, they’ll need adventurers to do it, and what they will find risks upsetting the delicate balance.

This 76 digest page setting and adventure details a small valley, popular amongst pilgrims, with a lot of generalized hints of what could be going on and a brief ten page “here’s something that could happen” adventure. It’s got a nice vibe, and the ideas of things that could be going on are good, but it’s far, far too high level to be called an adventure and way too limited by the digest format to be a good setting.

It’s a valley. There’s a little town/village in it. There is a holy site nearby where pilgrims make their way to, and the people around here make some money off of them. There are goblin bands scattered about, really more like bands of human bandits in the way they are handled. Protection rackets and opportunists. The town and locales around it have little quirks that make it feel alive and like a real place, and they all tend to be supplemented by little tables of things that could be going on. Some Red Priests show up and want to go to the holy site for a pilgrimage. The locals are aghast at these heretics. Local priestess is looking for some compromise to keep the locals mollified and not hurt the pilgrim industry. That’s it. Or, “was that a man with the head of a fish that just disappeared into the water?” They are ideas, left open ended. And that’s ok, for something like this. I think they all could have been expanded upon just a bit more with some supporting information for each, to integrate better in to the valley, but, as a high level idea thing it’s fine. And there’s a sly little humor present throughout. One of the first tables is about weather. “Mud. Everywhere.” and “Snow, still snow. Will it never end?” It does a good job of communicating a great vibe with a few words. It reminds me a lot of the Dungeon Dozen in its ability to do that, and I don’t think there’s a higher compliment.

Still, the digest format limits this greatly. As a supplement to run the valley it’s going to be very hard to find the information you’re looking for to add local color. This is going to have to be an almost memorization job for the potential DM. You’re going to need to keep almost everything in your head because there’s both enough local color, and it’s hard enough to reference in a seventy page digest, that it’s going to be hard to work in well otherwise. Digest, for these longer settings, just doesn’t work. You need more page space and better formatting than “a normal paragraph page style” … which this uses. I’m sure there are exceptions, but those are not the rule.

The adventure included is quite high level also. Frank wants you to go find some artifacts of his legendary dad (of the aforementioned holy site) for a ceremony. He sends you to some ruins. In the ruins are a goblin outlaw band, who will talk to you. They’ll let you in the crypt if you go kill the leader of another band, the main one in the area. That guy, if talked to, will send some of his dudes to drive off the first band … but only if you go poison the holy site’s water with some laxatives, for the lols. The crypt you gain access to, one way or another, has one room. And the entire adventure is really not handled in a much more complex way than I just put here. It’s VERY high level notes and not much more than that. As an introduction to the politics of the bands and the valley, supported by the rest of the book, it might be fine, but in terms of supporting the DM running the adventure … well, no. And, it’s full of padding like “With the threat of Izmirelda neutralized (by force, spider-handling, or Ardak’s own goblins), the player characters can get to the back chamber of the crypt, clearly meant for someone important.” That is both a long sentence and a completely empty one for adventure content, saying nothing useful.

I’m disappointed in this. While the various little tables and “hook/rumors” give the impression of a lot going on, there’s not really any support for the DM beyond this. It does a good job of setting up a potential situation, at a very high level, and I can truly see that this could be a great place to adventure and home base in. But the formatting just makes it unusable as a reference book for play and there’s just not enough TO those hooks to support the DM. The entire thing feels like specificity at the level of a hex crawl … which is good for a hex crawl and less good for a regional setting or actual adventure.

This is $14 at DriveThru. The preview is ten pages and can give you an overview of the writing style, even if it is the generalized background stuff. A few more mixed pages would have been better.


Still reviewing everything on my Wishlist. I should be done about the end of the next Long Count, where I will op all of my great scientists. In fact, I think I have a couple more of these Warlock! things on it … if I can find one by a different author I might try it.

The world is too much with us: late and soon,
Getting and spending, we lay waste our powers …

These are the first two lines of a sonnet by William Wordsworth, English poet of the nineteenth century. As a poet of the romantic era, he believed the clank and roar of the Industrial Revolution with its belching smoke stacks had smothered the beauty of the natural world.  

Sprawling factories, and the obsession of making profit from man’s labor, had so captured the attention of the masses, he seems to proclaim, that they had obscured Nature from human wonderment, a bitter loss.

In a much more ancient era, the wise man who wrote the Book of Ecclesiastes goes further than Wordsworth, with a penetrating summary not merely of Man and Nature but of the whole drama of life in both its temporal and eternal dimensions. 

And speaking even more directly to eternal matters, our Lord Jesus asks, “What good will it be for someone to gain the whole world yet forfeit their soul, or what can anyone give in exchange for their soul?” (Matthew 16:26). 

There is more in Ecclesiastes and our Lord’s words than in Wordsworth: not only the loss of Nature’s beauty but also the loss of the soul. The aged writer of this book summarizes his findings about life’s meaning with these words: 

“Now all has been heard; here is the conclusion of the matter: fear God and keep his commandments, for this is the duty of all mankind. For God will bring every deed into judgment, including every hidden thing, whether it is good or evil.” (Ecclesiastes 12:13-14)

Image info: Thales (via flickr.com)

The original Dark Sun campaign setting calls the Sorcerer-King Nibenay "a bizarre and enigmatic figure." He is seldom seen by his people--to the degree that rumors sometimes spread that he has died. All his Templars are women, and they may or may not all be his wives. By the 4e version of Dark Sun they were definitely his wives, though the marriage is "purely ceremonial."
In the later versions of the setting, Nibenay is seldom seen because he looks like a humanoid dragon. But in the novel Amber Enchantress, Nibenay is inhuman, though more of a mollusk-arthropod creature. I like this version better for reasons I discussed in an earlier post.
Nibenay is called the Shadow King because he's so reclusive. I think we could do better and have him typically giving audiences from behind a screen so he's seen only as a shadow (and likely a magically or psionically generated one). Perhaps he even uses his powers only to appear as some sort of shadow puppet. Maybe he appears to those who have displeased him in any place in the city in the same way?
Nibenay's son Dhojakt is monstrous in form, as well. In the canon, this is due to actions of his mother, but I think it might be interesting if Nibenay himself was just rather to only partial human children. Nibenay is not only trying to ascend to a transhuman form himself, but to breed progeny who are also transhuman. He's the family-oriented Sorcerer-King.
Here I would draw inspiration from Gregory Keyes' Chosen of the Changeling duology where the royal family descended from the River God sometimes produce inhuman fish or water aspected children the royals keep locked away. Also, there's the recent comic book limited series The Goddamned: The Virgin Brides by Jason Aaron and R. M. Guéra where a cult of nuns on an isolated mountain are offering up child brides to angels, and then tending the monstrous, Nephilim children.
I feel like Nibenay's Templars are both his cult and the source of his brides. There could be any number of inhuman children sulking about his massive and forbidden palace.

Last week on Malwarebytes Labs: Other cybersecurity news:
  • A group of privacy-first tech companies have published an open letter today asking regulators to ban surveillance-based advertising. (Source: The Record)
  • Fake cryptomining apps, some found on the Play Store, scam $350,000 from users. (Source: TechSpot)
  • Ransomwhere has been launched as the open, crowdsourced ransomware payment tracker.
  • The hard truth about ransomware: we are not prepared. (Source: DoublePulsar)
  • Hackers leak scraped data of 87,000 GETTR users. (Source: HackRead)
  • Cyber is the new weapons system of the future. (Source: The Cipher Brief)
  • NCSC: Impersonating the taxman remained phishers’ favourite pastime. (Source: The Register)
  • Hackers use new trick to disable macro security warnings in malicious Office files. (Source: The Hacker News)
  • How fake accounts and sneaker-bots took over the internet. (Source: ThreatPost)
  • Online course provider Coursera hit with API issues, with cloud driving additional exposure. (Source: SC Magazine)

Stay safe, everyone!

The post A week in security (July 5 – July 11) appeared first on Malwarebytes Labs.

