Feed aggregator

What special needs kids need to stay safe online

Malwarebytes - Wed, 10/06/2021 - 14:35

Online safety is hard enough for most adults. We reuse weak passwords, we click on suspicious links, and we love to share sensitive information that should be kept private and secure. (Just go back a few months to watch adults gleefully sharing photos of their vaccine cards.) The consequences of these failures are predictable and, for the most part, proportional—a hacked account, a visit to a scam website, maybe some suspicious texts asking for money.

But for an often-ignored segment of the population, online safety is more about discerning lies from truth and defending against predatory behavior. These are the threats posed specifically to children with special needs, who, depending on their disabilities, can have trouble understanding emotional cues and self-regulating their emotions and their relationship with technology.

This year, for National Cybersecurity Awareness Month, Malwarebytes Labs spoke with Alana Robinson, a special education technology and computer science teacher for K–8, to learn about the specific online risks posed to special needs children, how parents can help protect their children with every step, and how teachers can best educate special needs children through constant reinforcement, “gamification,” and tailored lessons built around their students’ interests.

Importantly, Robinson said that special needs education for online safety is not about a handful of best practices or tips and tricks, but rather a holistic approach to equipping children with the broad set of skills they will need to safely navigate any variety of risks online.

“Digital citizenship, information literacy, media literacy—these are all topics that need to be explicitly taught [to children with special needs],” Robinson said. “The difference is, as adults, we think that you should know this; you should know that this doesn’t make sense.”

Whether adults actually know those things, however, can be disputed.

“I mean, as I said,” Robinson added, “it is also challenging for adults.”

Our full conversation with Robinson, which took place on our podcast Lock and Code, with host David Ruiz, can be listened to in full below.

The large risk of disinformation and misinformation

The risks posed to children online are often similar and overlapping, no matter a child’s disability. Cyberbullying, encountering predatory behavior, interacting with strangers, and posting too much information on social media platforms are all legitimate concerns.

But for children with behavioral challenges, processing challenges, and speech and language challenges in particular, Robinson warned about one enormous risk above all: The risk of not being able to discern fact from fiction online.

“Misinformation and disinformation online [are] a great threat to our students,” Robinson said. “There were many times [my students] would come in and say ‘I saw this online’ and we would get into discussions because they were pretty adamant that what they saw is correct.”

Those discussions have increased dramatically in frequency, Robinson said, as her students—and children all over the world—watch videos at an impossibly fast rate on platforms like YouTube, which, according to the company’s 2017 statistics, streams more than one billion hours of video a day. That video streaming firehose becomes a problem when those same platforms have to consistently play catch-up to stop the wildfire-like spread of disinformation and conspiracy theories online, as YouTube just did last week when it implemented new bans on vaccine misinformation.

“I have students pushing back and telling me, no, we never landed on the moon, that’s fake,” Robinson said. “These are the things they’re consuming on these platforms.”

To help her students understand how misinformation can spread so easily, Robinson said she shows them how it can be daylight outside her classroom, but at the same time, if she wanted, she could easily post a video online saying that it is instead nighttime outside her classroom.

Robinson said she also encourages her students to ask if they’re seeing these claims made elsewhere, and she steers them to what are called “norm-based reputable sources”—trustworthy websites that can provide fact-checks while also removing her students from the progression of recommended online videos that are fed to them through algorithms that prioritize engagement above all else.

“This is what we call building digital habits,” Robinson said, emphasizing the importance of digital literacy in today’s world.

Constant reinforcement

The promise of a “solution” to misinformation and disinformation online almost feels too good to be true, whether that solution equips special needs children with the tools necessary to investigate online sources or whether it helps adults without special needs defend against hateful content that is allegedly prioritized by one enormous technology company to boost its own profits.

So, when Robinson was asked directly as to whether these teaching models work, she said yes, but that the models require constant reinforcement from many other people in a child’s life.

Comparing digital literacy education to math education, Robinson said that every single year, students revisit the topics they learned the year before. She called this return to past topics “spiraling.”

“Part of developing digital students into really successful, smart, discernible, digital adults is the ongoing, constant spiraling and teaching of these concepts,” Robinson said. “If you can collaborate with other content area educators in your building, you’re infusing these topics through subject areas.”

Essentially, Robinson said, teaching online safety and cybersecurity to special needs children needs to be the responsibility of more than just a single technology teacher. It needs to be taken on by several subject matter educators and by parents at home.

For parents who want to know how they can help out, Robinson suggested finding teaching moments in everyday, common mistakes. If a parent themselves falls for a phishing scam, Robinson said those same parents can take that as an opportunity to teach their children about spotting online scams.

“It’s an ongoing work and it never stops,” Robinson said.

Teach kids about what they like using

To help special needs children understand and take interest in online safety education, Robinson said she always pays attention to what her students are using and what they’re interested in. This simple premise makes lessons both applicable and interesting to all students—not just those with special needs—and it provides a way for children to immediately understand what they’re learning, why they’re learning it, and how it can be applied.

As an example, since so many of her students watch videos on TikTok, Robinson spoke to her students last year about the US government’s reported plans to ban the enormously popular app.

“The federal government was thinking of not allowing TikTok to be used here because it might’ve been a safety risk, and so we had that discussion, and I said ‘What happens if you couldn’t use TikTok anymore?’” Robinson said.

Robinson said this tailored approach also gives teachers and parents an opportunity to help kids not just stay safe online, but also learn about the tools they use every day to view online content. The tools themselves, Robinson said, can greatly impact how a child with special needs feels on any given day—sad, happy, worried, scared, anything goes—and that children with special needs can often use guidance in self-regulating and understanding their own emotions.

Robinson added that many of her lessons about online tools and platforms have a similar message: If a game or website or tool makes her students feel uncomfortable, they should tell an adult.

It’s a rule that could likely help even adults when they find themselves gearing up to get into an online argument for little legitimate reason.

Embrace the game

Finally, Robinson said that many of her students enjoy using online games to learn about online safety, and she specifically mentioned Google’s Internet safety game called “Interland,” which parents can find here.

Google’s Interland leads kids through several short “games” on online safety, with lessons centered around the topics of “Share with Care,” “It’s Cool to Be Kind,” and “Don’t Fall for Fake.” The browser-based games ask kids to go through a series of questions with real scenarios, and each correct answer earns them points while their digital character jumps from platform to platform. The website works with most browsers, but Malwarebytes Labs found that it ran most smoothly on Google Chrome and Safari.

Interestingly, when it comes to lessons that Robinson’s special needs students excel at, she said they are excellent at creating strong passwords—and at calling people out for using weak ones.

“I teach 100 students, 10 classes, [and] I used not a very strong password for every student in this one class … and I said ‘By the way, everyone has this [password],’ and they’re like, when I said everyone has this same password, they’re like ‘Oh no no! That’s not a strong password, oooh,’” Robinson said, laughing. “They literally let me have it.”


The post What special needs kids need to stay safe online appeared first on Malwarebytes Labs.

Categories: Techie Feeds

[update]Patch now! Apache fixes zero-day vulnerability in HTTP Server

Malwarebytes - Wed, 10/06/2021 - 14:23

The Apache HTTP Server 2.4.49 is vulnerable to a flaw that allows attackers to use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. This issue is known to be exploited in the wild.

The vulnerability

The Apache HTTP Server Project started out as an effort to develop and maintain an open-source HTTP server for modern operating systems, including UNIX and Windows. It provides a secure, efficient, and extensible server that delivers HTTP services in line with the current HTTP standards.

The flaw (listed as CVE-2021-41773) was introduced by a change made to path normalization in Apache HTTP Server 2.4.49. So, earlier versions are not vulnerable, nor are servers that are configured to “require all denied”.

Unfortunately, “require all denied” is off in the default configuration. This is the setting that typically shows an error that looks like this:

“Forbidden. You don’t have permission to access {path}.”

Path traversal attack

Path traversal attacks are carried out by sending requests for backend or sensitive server directories that should be out of reach for unauthorized users. While such requests are normally blocked, the vulnerability lets an attacker bypass the filters by using encoded ASCII characters in the requested URL.

Using this method, an attacker could gain access to files such as CGI scripts that are active on the server, which could potentially reveal configuration details that could be used in further attacks.

Impact

The Apache HTTP Server Project was launched in 1995, and it’s been the most popular web server on the Internet since April 1996. In August 2021 there were some 49 million active sites running on Apache server. Obviously we do not know which server every domain is using, but of the sites where we can identify the web server, Apache is used by 30.9%.

A Shodan search by Bleeping Computer showed that there are over a hundred thousand Apache HTTP Server 2.4.49 deployments online, many of which could be vulnerable to exploitation.

Security researchers have warned that admins should patch immediately.

If you use Apache HTTP Server 2.4.49 (only that version), you should update to 2.4.50 now due to CVE-2021-41773, a nasty 0-day path traversal vulnerability https://t.co/2QiV4h77B4

— Mark J Cox (@iamamoose) October 5, 2021

Another vulnerability

There’s a second vulnerability tackled by this patch—CVE-2021-41524—a null pointer dereference detected during HTTP/2 request processing. This flaw allows an attacker to perform a denial of service (DoS) attack on the server. This requires a specially crafted request.

This flaw also exists only in Apache HTTP Server version 2.4.49, but it differs from the first vulnerability in that, as far as we know, it is not under active exploitation. It was discovered three weeks ago, fixed late last month, and is now incorporated in version 2.4.50.

Mitigation

All users should install the latest version as soon as possible, but:

  • Users that have not installed 2.4.49 yet should skip this version in their update cycle and go straight to 2.4.50.
  • Users that have 2.4.49 installed should configure “require all denied” if they do not plan to patch quickly, since this blocks the attack that has been seen in the wild.

A full list of vulnerabilities in Apache HTTP Server 2.4 can be found here.

Update October 8

Apache issued a new patch. It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. The new part of the vulnerability is listed under CVE-2021-42013. The “require all denied” setting blocks attacks using this vulnerability as well.
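The ordering mistake behind the path traversal described above, and the “require all denied” mitigation, as an added Python illustration written for this page (a simplified model, not Apache httpd’s own code; `DOCROOT`, `ALLOWED_DIRS` and the function names are assumptions, and the request paths are constructed samples):

```python
"""Model of a path-normalization flaw of the kind discussed above and its fix.

This is an added, simplified illustration, not Apache httpd's code. It models
two mappers from a request path to a file path: one that checks for traversal
before percent-decoding (and is fooled by encoded dots) and one that decodes
first, normalizes, and then denies anything outside an allowed directory, as a
"Require all denied" default does.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root
# Directories a deny-by-default configuration explicitly grants access to;
# everything else is treated as "Require all denied".
ALLOWED_DIRS = (DOCROOT,)


def _has_dotdot_segment(path: str) -> bool:
    """True if any path segment is literally '..'."""
    return ".." in path.split("/")


def _is_under(target: str, directory: str) -> bool:
    """True if target is directory itself or lies beneath it."""
    return target == directory or target.startswith(directory.rstrip("/") + "/")


def map_url_vulnerable(url_path: str) -> str:
    """Flawed ordering: the traversal check runs on the raw request path and
    percent-decoding happens afterwards, so an encoded '..' passes the check
    and only becomes a real '..' when the path is resolved."""
    if _has_dotdot_segment(url_path):
        raise PermissionError("forbidden: traversal in request path")
    decoded = unquote(url_path)
    # normpath collapses the now-decoded '..' segments the way a filesystem
    # would, so the result can end up outside DOCROOT.
    return posixpath.normpath(DOCROOT + "/" + decoded.lstrip("/"))


def _fully_decode(path: str, max_rounds: int = 4) -> str:
    """Decode until the string stops changing, so a second layer of encoding
    (the trick that defeated the first 2.4.50 fix) cannot hide a '..'."""
    for _ in range(max_rounds):
        nxt = unquote(path)
        if nxt == path:
            return path
        path = nxt
    raise ValueError("suspicious: path still decoding after max_rounds")


def map_url_hardened(url_path: str, require_all_denied: bool = True) -> str:
    """Correct ordering: decode first, normalize second, check last. With
    require_all_denied, a path that does not resolve inside an allowed
    directory is refused even if some mapping bug slips it past the root check."""
    decoded = _fully_decode(url_path)
    if _has_dotdot_segment(decoded):
        raise PermissionError("forbidden: traversal in decoded path")
    target = posixpath.normpath(DOCROOT + "/" + decoded.lstrip("/"))
    if not _is_under(target, DOCROOT):
        raise PermissionError("forbidden: resolved outside document root")
    if require_all_denied and not any(_is_under(target, d) for d in ALLOWED_DIRS):
        raise PermissionError("forbidden: Require all denied")
    return target


def escapes_docroot(mapper, url_path: str) -> bool:
    """Detection helper: True if mapper would serve a file outside DOCROOT.
    A refused request counts as contained."""
    try:
        return not _is_under(mapper(url_path), DOCROOT)
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed request paths: benign, percent-encoded '..', doubly encoded '..'.
    samples = (
        "/index.html",
        "/%2e%2e/%2e%2e/www-secrets.conf",
        "/%252e%252e/%252e%252e/www-secrets.conf",
    )
    for req in samples:
        print(
            f"{req:42} vulnerable escapes: {escapes_docroot(map_url_vulnerable, req)!s:5} "
            f"hardened escapes: {escapes_docroot(map_url_hardened, req)}"
        )
```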

Stay safe, everyone!


Twitch compromised: What we know so far, and what you need to do

Malwarebytes - Wed, 10/06/2021 - 11:57

Update, 7th October: Twitch has now confirmed the breach. The company’s statement is as follows:

We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party.

At this time, we have no indication that login credentials have been exposed. We are continuing to investigate.

Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed.

Original post:

Big, breaking news going around at the moment. If you have a Twitch account, you may wish to perform some security due diligence. There are multiple reports of the site being compromised. And they absolutely do mean compromised:

https://t.co/7vTDeRA9vt got leaked. Like, the entire website; Source code with comments for the website and various console/phone versions, references to an unreleased steam competitor, payouts, encrypted passwords that kinda thing.
Might wanna change your passwords.

— Sinoc (@Sinoc229) October 6, 2021

There’s still no independent verification from Twitch itself yet. However, multiple people have confirmed that the leak details, which include streamer revenue numbers, match what they have in fact generated.

What has happened?

A 128GB torrent was released on the 4chan message board. The poster claims it incorporates all of Twitch, including:

  • Source code for desktop, mobile, and console clients
  • 3 years of creator payouts
  • Some form of unreleased Steam competitor
  • Various bits of data on several Twitch properties
  • Internal security tools

The leak is marked as “part 1”. The current data appears to contain nothing in the way of passwords or related data, but that potentially may be included in whatever comes next. This is something we may well find out from Twitch if and when it makes a statement.

In the meantime, we’d strongly suggest taking some proactive steps.

What should Twitch users do?

Log into your Twitch account and change your password to something else. If you’ve used the password on other services then you need to change them there too. Then enable two-factor authentication on Twitch, if you’re not already using it.

One small piece of evidence against passwords having leaked is that there has been no visible “strange” activity from big-name accounts. One would expect all sorts of dubious message shenanigans to follow in the wake of such a data grab. However, it’s possible that stolen passwords are being kept under lock and key until any such “Part 2” arrives.

This makes it all the more crucial to take some action now and start locking things down.

We’ll be updating this post with more information as we get it, so if you’re a Twitch user please feel free to check back every so often.


The Blackapple Brugh

Ten Foot Pole - Wed, 10/06/2021 - 11:11
By Kyle Hettinger & Vasily Ermolaev. Self published. Basic Fantasy. Levels 1-3.

Blackapple is a small village on the edge of a great wood, near a brugh (an earthen mound) wherein is confined a cruel elf lord who once ruled the people of the village. He cannot leave the brugh, but is he truly no longer a threat?

This 46 page “local region” adventure is fucking magnificent and I’m a fucking tool for waiting so long to review it. It’s whimsical, serious, and full of the sort of delightful, but terse, specificity that makes an adventure and locale come the fuck alive. I’m mother fucking buying it and it’s going to be a staple of my games from now. 

I bitch so much about token and half efforts on this blog. So many adventures lack any JOY in them. And I don’t mean happy adventures, but adventures by designers that seem to take a certain glee in creating them. You can tell. It’s obvious, almost immediately, when someone GROKS it. This dude (these dudes?) grok it. And I want to communicate that to you with one encounter/locale.

The adventure has a Sanitarium in it. “Ug! Sanitarium! Fucking Magical RenFaire garbage!” Oh, no gentle reader, not at all! Recall that this blog and its lowly writer LUVs him some tropes. When well done, just like mom used to cook my steaks. And this fucking thing is DONE. There’s a stone country house with four rooms on the top floor, the front and rear doors locked and the windows barred. Hmmm. “That’s different than the usual dreck…” I say to myself. The good doctor gets the following description: “Doctor Livinius is a thin middle-aged man with soft features and a wisp of white hair. He is typically garbed in tan or light rose-colored robes. While acting as a healer of madness, he wears a funnel-like aluminum hat purported to focus his mental exertions.” FUCK! YES! This is the shit! Dude is in it to win it! And he’s truly dedicated to healing mental illness, “which includes exorcism, leechcraft, and ad hoc brain surgery.” Oh god yes! This This THIS! I soooooo want to run this dude! And, while I’m normally not a big fan of laundry-list room contents, and this adventure generally doesn’t engage in that activity, this guy’s house does give a description of the contents of the treatment room: “Hand saw, pliers, hand drill, dagger, scalpel, reams of bandages, bucket, eight dishcloths, a straight-waistcoat, four 8’ ropes, a metal-framed glass aquarium (worth 30 gp), 24 leeches, a bottle of cheap wine (sedative), a cudgel (sedative), a lamp, a small silver bell, Goodbody’s Book of Prayer, six candles, a silver holy symbol (worth 20 gp), and 2 vials of holy water.” Can you imagine?! The players searching this room, looking around, and finding that shit! Oh, the delight in their reactions! Oh the joy! Other parts of the adventure interact with the sanitarium. There’s an escaped madman in the woods. The good doctor is treating the local lord’s son, which comes into play. And he’s an expert on fairies, which could be needed (elves in this are fairy-like). And he’s fucking competent, being a CL3 and an actual expert. With his bizarre metal hat and trepanning drill. Oh geez, I’m dr000ling to run him.

And this is just, I don’t know, a page of text. This shit is sticky as all fuck. It stays with you. You KNOW how to run this shit.

Oh, oh. The local kids? In the village? There’s a local legend: you stare into a mirror and chant a rhyme “mirror man mirror man (other stuff)” and the local spirit comes to treat with you. AND HE FUCKING DOES! Ooooohhhhh, I love it! This shit works! It all fits together! It’s relatable. It’s fun. It’s sticky. It’s fucking D&D!

There’s a witch, on the wandering monster tables. She’s a nasty old crone who’s lost her cat. If you find it she gives you “The Blond Lady’s Wig of Mediumship (9 charges) which allows the wearer to speak with dead.” That’s it. That’s your text for a new magic item. FUCKING PERFECT. A dead lady’s hair, I’m imagining. Maybe some scalp holding it together? Maybe with a bloody wound? Fuck yeah man! None of this clean and sanitized magic shit. REAL magic items, imbued with power!

I’m doing a shitty job, here, with this review, as I do with all of the reviews of good things. The hooks involve a rascally nephew that needs a talking to, a crazy uncle gone missing, and a wounded treasure hunter buddy. Just those descriptions can tell you things are different here, and their actual one-sentence descriptions are very good, giving the DM just enough detail to run with. 

And that’s true with SO many aspects of this adventure, from wanderers, to locations, to NPCs and so on. There’s just enough information to fire the DM’s imagination and let them run with it. It’s using a pretty traditional organization/formatting scheme, with just enough cross-references to help the DM, and a clear writing style that makes it easy for the DM to run with. And the village is full of little shit children, my favorite fucking kind of little shits! The kind that makes you just want to smack the shit out of them, kids or no.

There’s a variety of things going on in Blackapple Brugh. A few more “mundane” things, with only tangential relations to the main “elf lord” quest, and others with varying degrees of stronger connections. 

And there’s a fucking owlbear in the damn woods! Need I say more about this thing’s old-school chops? At level 1! Delightful!

A couple of suggestions: The children, a major focus of the adventure, are a bit abstracted into a generic “little shit” or “scared mindless” description. A sentence on each would have provided some more personalization for such a major part of the adventure. Likewise, the “generic” elves could have used a one-page description of their personality/dress, all of them on one page, I mean, to help personalize them some also. I’m getting a strong “Bioshock” read off of them, and helping to play that up would help with the fey-ness. Finally, the descriptions, the DM text in particular, can get long in places. It is in no way unmanageable, but it does stick out. This combines, I think, with the Basic Fantasy house style, to produce a somewhat cumbersome experience in places, especially in the Brugh proper. I’m not sure what more to say about this. I think the house style has reached about as far as it can, in this adventure, and perhaps is just over the line, or close enough to it that you can see it becoming trouble very soon.

But, these are minor quibbles. This is an excellent sandbox location. Not handholding, and leaving A LOT of room for the DM to run things like “killing the wild dogs in the woods”, while supporting the DM with what they need to run a memorable game. With some fucked up Mr Norville type fey. Fucking elves man!

This is free over at Basic Fantasy, and only $3 at lulu for a print copy. You should own it.

https://basicfantasy.org/downloads.html#kh1

Categories: Tabletop Gaming Blogs

Wednesday Comics: DC, January 1981 (wk 1, pt 1)

Sorcerer's Skull - Wed, 10/06/2021 - 11:00
I'm reading DC Comics' output from January 1980 (cover date) to Crisis! This week, I start my second year (cover date-wise). I'm looking at the comics at newsstands on the week of October 9, 1980.

Batman #331: Wolfman and Fleisher team-up on the writing credits (Fleisher is credited as "scripter." Maybe Wolfman is spreading himself thin?) with workmanlike Novick pencils. A lethal vigilante, The Electrocutioner, stalks the streets of Gotham killing criminals that got off on a "technicality," which there seemed to be a lot of in 80s media. These days, we tend to think of that as "due process" and "civil rights." Anyway, Batman wants to stop this guy, but almost gets electrocuted the first time he tries. The next time they fight, the Electrocutioner seems to die of his own gimmick, but we get the ol' hand reaching out of the water bit, so you know he'll be back. In the midst of all that Robin just wants to talk about their relationship, because he knows Bruce is mad at him for quitting college, but Bruce just wants to catch the bad guy. When Dick discovers Bruce is letting Talia stay at his place, he blows up and storms out. Honestly, Wolfman is really trying to make this rift between the dynamic duo a thing, but it all comes off so one-sided, like Dick is just spoiling for a fight with Bruce.

The backup story by Barr and Newton, has Batman disguising himself as a cop to infiltrate the GCPD and expose a corrupt cop who may be a friend to Gordon. It turns out there is a corrupt cop, but he isn't Gordon's friend, but one of that guy's colleagues. What's interesting about this story is Barr has Batman in disguise on a police firing range unable to shoot because he has a "psychological block" against using a gun. It's odd that Barr writes this, because in 1987 he'll write the infamous "Batman: Year Two" arc where a young Batman is forced to use a gun against the Reaper. He also will write other Batman stories post-Crisis where Batman will occasionally pick up a gun. I wonder what changed his mind?

DC Comics Presents #29: Starlin brings a bit of his cosmic flourish to an encounter between Superman and the Spectre. Picking up where last issue left off, Superman is trying to find his cousin, who went flying off to who knows where at supraluminal speeds. Superman goes faster and faster until he shifts into higher planes of existence. He sees Supergirl, but then the Spectre stops him. Spectre tells Superman that the one he works for has sent him to stop the Man of Steel, but just like in the recent Martian Manhunter issue Superman takes anyone telling him to hold on a second as an invitation to fight. Not that he can do anything to the Spectre who is by now in his cosmic being mode. Superman eventually gives up, and Spectre presents Supergirl, still unconscious. He explains that Superman's actions ripping the fabric of reality and all could have destroyed whole universes. Superman has learned his lesson, and he and his cousin head home. This issue reminds me a lot of an issue of Alan Moore's Supreme, with a Starlin-esque style and a run in with a Spectre stand-in that humbled the titular character.  
The backup is "What Ever Happened To..." Dr. Mid-Nite. Again, I feel like Rozakis and Saviuk just give us essentially another Dr. Mid-Nite adventure. It doesn't really live up to the title.  

Flash #294: Conway pinch hits for Bates and has the Flash fighting the Pied Piper in a story lame enough that it loses the cover to the backup feature. Pied Piper is blackmailing cities by leading hordes of exotic animals (from zoos or something? I don't know) to attack unless he's paid off to "lead them away." No one can figure out how he's summoning them, but Flash eventually does and uses the Piper's own trick against him.
In the Firestorm backup, the Flash accidentally causes a sonic boom beneath Superman's flying prison, and the Atomic Skull gets loose. The Flash actually hitches a ride on a jet liner then runs across the clouds to check it out. Anyway, a blast from the Atomic Skull irradiates him, and the Flash will be a swift moving hazard unless he can find some way to get rid of it. He goes to Firestorm for help, who obliges, but then gets drunk off all the nuclear energy. The Flash has got to manage drunk Firestorm to get him to take out the Atomic Skull. It's goofy enough for a Bob Haney yarn, but it's just more Conway.

Ghosts #96: Doctor Thirteen keeps ghostbreakin' in a story by Kupperberg and Adams. An air show is apparently haunted by the ghost of a WWI pilot, but when a vintage biplane with no one at the controls shoots down another plane, killing the pilot, Thirteen is on the case. It turns out it's a guy with a remote control device and an overly complicated plan, hoping to crash the plane into an office to destroy records of his embezzlement. See, there's no such thing as ghosts!
Meanwhile, the rest of the comic is full of ghosts. Kashdan and Henson have two stories this issue. The first involves a criminal who can't escape from a train because the engineer he killed still has his ghostly foot on the deadman's clutch until the train arrives at the prison. In "The Phantom Strangler" a buffalo poacher is smothered to death inside the buffalo carcass he's sleeping in overnight by the ghost of the man he killed. Finally, Allikas and Landgraf reveal "Dread of the Deadly Domestic," which is really a cautionary tale about not taking a reference for a housekeeper from the sister of your dead wife who thinks you're a murderer. While Rodney's away in Europe, the new zombie-like housekeeper with fuchsia hair terrorizes his wife, who becomes convinced the maid's the ghost of Rodney's former wife. Rodney returns from Europe just in time to reveal it was all a ruse and the housekeeper is actually his former sister-in-law doing some sort of Scooby-Doo-esque scaring. How has Rodney deduced all this? Twist! His plane went down over the Atlantic, and he's a ghost. The ghost of his former wife told him.

Jonah Hex #44: The story continues from last issue, with Hart and Hex having escaped the Apaches, but now facing the Spast Brothers. The Brothers crease Hart's scalp, knocking him out, and Hex gets shot in the shoulder. They make it to the river where they hide out until the Spasts are gone. Hex takes Hart to a farm house to heal while he sets out to clear his name. Mei Ling, meanwhile, has recuperated and gone to a saloon to try to find Hex, only to find the Spast Brothers. Hex shows up and guns them all down when they threaten his girl. Back at the farm, Hart reads the message Hex left for him, then helps the family fight off an attack by the bandits sent to run them off by the land-grabbing, wealthy cabal in town. That cabal hears that Hex is still alive when he and Hart appear to be facing off in the street. Hex outdraws the marshal, then goes to negotiate with the businessmen. They confirm his suspicions about their misdeeds and offer to cut him in if he'll finish running off the homesteaders. Marshal Hart, very much alive, has heard their confession and arrests them. He and Hex had planned a ruse to flush them out. DeZuniga joins as inker here. He'll be on this title for quite some time.
Next issue, Hex is to be married to Mei Ling. I'm sure that will go off with no problems.

G.I. Combat #225: As usual, there are two Haunted Tank stories written by Kanigher with art by Glanzman and Ayers. The first is the better of the two, with the tank crawling through a cave on the lookout for a secret weapons cache, which Prussian military officers plan to use to start another world war after Hitler's inevitable defeat. Thankfully, the cave has tunnels big enough for the tank crew to complete their mission, and the leader of the cabal is fortuitously killed in the Allied bombing of Dresden. The second story sees the Haunted Tank damaged, without working weapons and forced to tow a Stuart tank with weapons but no functioning treads, becoming a "2 for 1 Tank." We get a flashback to the early days when the Haunted Tank first became haunted and they had another loader before Gus, named Arch.
The other stories include an O.S.S. tale where, in a departure, the protagonist survives. He gets close enough to kidnap a German scientist working on chemical weapons in Italy by taking a sedative and playing a corpse in a coffin. He smuggles the scientist out of the country the same way. Boltinoff and Matucenio deliver a perfunctory story about a glider crew in the invasion of Normandy. Haney and Evans present a yarn about a wheelchair-bound vet who deserves the Congressional Medal of Honor for his actions in the war, but nobody survived to write the report to get him one. One day, after a chance encounter with the Japanese ambassador in Washington, the soldier accompanying the ambassador reveals he was the enemy commander on that island that day and confirms the vet's story. The short yarn by Allikas and Amongo has a salty old British fisherman getting the better of a German frogman with a bucket of chum and a hungry shark.

Justice League of America #186: This issue is dedicated to Dick Dillin. Conway is again joined by Perez for the return of the Shaggy Man. Or rather, the return of one of the two Shaggy Men. The Shaggy Man is rampaging through Moscow, and the JLA, absent their heavy-hitters, have to rely on Batman's planning to stop him. After leading the Shaggy Man where they want him to go, Batman lures him onto a rocket and they blast him into space. Maybe not as epic as the New Gods arc, but I feel like Conway is getting a much better feel for the JLA now and delivering solid, Bronze Age stories.

MINKY WOODCOCK RETURNS IN A SHOCKING NEW HARD CASE CRIME SERIES: THE GIRL WHO ELECTRIFIED TESLA! – on sale NOVEMBER 9!

First Comics News - Wed, 10/06/2021 - 08:12

Cynthia von Buhler’s latest graphic novel is woven around little-known historical facts such as Nazi interest in Nikola Tesla’s death ray, Josephine Baker’s spy activity during WWII, and Donald Trump’s uncle’s involvement following Tesla’s mysterious death.

OCT 5, 2021 – Titan Comics and Hard Case Crime are thrilled to announce the return of the critically acclaimed Minky Woodcock hardboiled detective series in a brand-new graphic novel arriving in stores on November 9, 2021. Written and illustrated by award-winning artist, author, director, and playwright Cynthia von Buhler, Minky Woodcock: The Girl Who Electrified Tesla also features stunning cover art by the legendary Robert McGinnis, poster artist for classic films such as Breakfast at Tiffany’s and the original James Bond movies.

Minky’s new adventure is set during World War II, nearly two decades after the events of the first volume (Minky Woodcock: The Girl Who Handcuffed Houdini) and pits the talented female detective against another sinister and twisted conspiracy when she gets involved with world-renowned inventor Nikola Tesla, Nazi agents, and the race to command the world’s first weapon of mass destruction. Based on extensive historical research by von Buhler, the story teams the fictional Minky Woodcock with real-world figures such as the ground-breaking performer Josephine Baker, who secretly spied for the French during the war; Nazi agent Otto Skorzeny; multiple generations of the J.P. Morgan family, driven by greed to stifle Tesla’s inventions; and Dr. John Trump, Donald Trump’s scientist uncle, who was recruited by the FBI to investigate Tesla’s design for a death ray.

Von Buhler’s past projects include collaborations with Steven Spielberg, Clive Barker, and Neil Gaiman, who said he was “seduced by Cynthia von Buhler’s artwork. She is a wonder.” Geeks Worldwide described the first Minky Woodcock volume as “Stunning…10 out of 10,” while NB Magazine called it “bold and extravagant…weaves fantasy into fact to dazzling effect.”

Cynthia von Buhler is not only the creative talent behind Minky Woodcock, but also an internationally celebrated artist and the visionary creator of Titan’s bestselling graphic novel The Illuminati Ball and the immersive NYC theatrical experience of the same name. Her work has featured in outlets including the New York Times, Broadway World, Forbes and the Wall Street Journal.

Describing Minky’s new adventure, von Buhler said, “As with the Houdini episode, all the anecdotes related to Tesla’s life in my book are based on fact. I really love finding bizarre, unbelievable facts and weaving them into my stories.”

Minky Woodcock: The Girl Who Electrified Tesla will be available from comic shops, bookstores and digital platforms on November 9, 2021, and is available to pre-order from Forbidden Planet (UK & Europe) and Amazon (US). The official Minky Woodcock website is MinkyWoodcock.com.

Categories: Comic Book Blogs

The Loop Scoop #23: A Yarny Link Party!

Moogly - Wed, 10/06/2021 - 01:00

Loop Scoop #23 includes five free crochet patterns that are perfect for gift giving! Cozy up your own life or get a jump on your holiday to-do list here, and then remember to check out the new patterns and links at the bottom as well, to help determine what gets featured next round! What is...


The post The Loop Scoop #23: A Yarny Link Party! appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Well, that didn’t last

Yarn Harlot - Tue, 10/05/2021 - 21:25

As predicted, the cleaning and organizing bug didn’t last and worse, ran out midway on a project or two which are now a slog, and a slog I need resolved fast, since this weekend is Thanksgiving and Christmas is coming, and…  our gathering will still be very tiny, but there will indeed be a few people in the house and I’m aiming to have things as lovely as they can be. (You wait and see what kind of hum-dinger of a holiday we’re throwing when this thing finally rolls over.)

It makes total sense then, that as the pressure comes on and I should be making a grocery list and planning how the parsnips will be and deciding about cranberry sauce, that I completely abandoned all that and finished a shawl.

Pattern and yarn are from the Gauge Dye Works Summer club. I don’t belong to many anymore, but that one always turns my crank. No matter what they send I always adore it. The colours are pretty indeed, and the yarn’s mostly merino with a little cashmere, just to ice the cake. It was a pleasure, and fun and easy too. I mostly knit it while being interrupted by Ellie every few minutes, so that was much appreciated.  It’s a small-ish shawl.

I find the really tiny ones hard to find a use for – but this is just big enough to be useful without being unwieldy. The larger ones I might use for a layer, draped over my shoulders in a fairly classic fashion, but that was in the before-times when I went knitterly places. (Or, um… places.)  Shawls this size I wear like a scarf, piling and winding it round my neck as caulking against the cold. Or, that’s how I would wear it if it were for me, which it isn’t.  This one will go in the post a little closer to Christmas, which makes me feel a little bit like I’m planning for a future instead of just knitting.

With the rest of today I’m finishing a video for the Patreon, and then tomorrow I am going to alter the time space continuum, and finish another video, clean the whole house, sort the groceries, and I’m thinking I’ll finish a pair of socks that currently look like this.

I’m sure it will be a snap, and I won’t regret the shawl at all.

Categories: Knitting Feeds

Doctor Who’s Matt Smith Stars in New House of the Dragon Teaser

Blogtor Who - Tue, 10/05/2021 - 20:12

HBO Max have unveiled the first teaser for their Game of Thrones prequel, House of the Dragon, with former Doctor Who Matt Smith taking centre stage   For eight seasons Game of Thrones was one of HBO’s flagship shows, drawing in millions of viewers. With that battle for the Iron Throne of the Seven Kingdoms […]

The post Doctor Who’s Matt Smith Stars in New House of the Dragon Teaser appeared first on Blogtor Who.

Categories: Doctor Who Feeds

OSR Review & Commentary 'On Skull and Crossbones: Piracy in Clement Sector ' By John Watts From Independence Games For the Clement Sector Campaign Setting & 2d6 Cepheus Engine

Swords & Stitchery - Tue, 10/05/2021 - 18:40
 "ARRRR!  Heave to and prepare to be boarded!Piracy has been a near constant in Clement Sector since the Conduit was first opened.  In fact, some historians maintain that piracy may have played as large a part in the direction that civilization spread from Hub as did the astrography of the sector.  The act has been part of the fabric of the sector and continues to be so despite the best efforts Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0
Categories: Tabletop Gaming Blogs

A5E Kickstarter live! Go back it!

Blog of Holding - Tue, 10/05/2021 - 16:36

Level Up: Advanced 5E, the project I’ve been working on for a year, is now live on Kickstarter! (Funded in 18 minutes!) Go back it immediately!

Let me tell you about my contributions to each of the 3(?!) core books.

The Monstrous Menagerie

The Monstrous Menagerie is closest to my heart. I’m the lead writer and designer on this one. In this book, I’ve worked over every stat block in core D&D (except the dozen Wizards IP monsters: mind flayers, gith, displacer beasts, and so on). This is a straight up upgrade of the Monster Manual. There’s really no reason not to get the Monstrous Menagerie.

  • Gone are the boring bag-of-hit-points monsters. Every monster does something interesting.
  • Monsters have been re-balanced, so there are no more disappointing one-round fights (looking at you, mummy and vampire).
  • There are more monsters! About twice as many stat blocks as in the MM, including NPCs (my favorite monster).
  • A big team of writers re-did the lore for every monster: Andrew Engelbrite, Anthony Alipio, Cassandra Macdonald, J R Zambrano, Jocelyn Gray, Josh Gentry, Mike Myler, Morrigan Robbins, Peter Coffey, Peter N Martin, Russ Morrissey, Sarah Breyfogle, Sarah Madsen, Shane Stacks, Will Fischer, Will Gawned, Yvonne Hsiao, and me. By throwing a lot of biological determinism in the garbage, we opened up a lot of room for more interesting storytelling.
  • More dragon stat blocks than the Monster Manual and Fizban’s combined, with more interesting and specific abilities to boot. Cassandra Macdonald and Andrew Engelbrite did great design work here.
  • I got to add every bell and whistle I wanted in a bestiary: name lists, sample treasures, monster behavior charts, and other game-running aids.
  • Dozens of “elite” monsters, much stronger than legendary monsters, which can provide solo challenges to high-level parties.
  • New monster-building guidelines based on my MM on a Business card.
  • New encounter-building guidelines. If you’ve noticed that high-level characters are impossible to challenge using the traditional guidelines – or that first-level parties are too easy to TPK – I’ve got fixes for that.

    the Adventurer’s Guide

    OK, you already know about the Monstrous Menagerie – I talk about it plenty. The Adventurer’s Guide is the player-facing book, with classes and spells and so on. What did I do on the Adventurer’s Guide?

  • I did the rogue class, along with three new subclasses: the cutthroat, burglar, and trapsmith. Like all A5E classes, the rogue has a lot more customization options than the 5e class, including access to battlemaster-like combat maneuvers. My biggest change to the rogue class, though, was the addition of skill tricks, a menu of mini-abilities that expand the way you can use a skill, and which incidentally grant you an expertise die.
  • What’s an expertise die? It’s a replacement for 5e’s doubled proficiency bonus (which I don’t particularly like: I play a lot of high-level D&D, and a +12 bonus to a skill roll smashes bounded accuracy). You add an expertise die to a roll when you are particularly skilled at a task. Expertise dice stack in an interesting way. When you first gain an expertise die in, say, Stealth, you get a d4. If another feature grants you another expertise die in Stealth, the d4 becomes a d6. You never roll more than one expertise die on a check. Expertise dice started as a rogue feature and ended up becoming an important A5E design tool.
  • Spells! In my opinion, this is worth the price of admission alone. It was very important to me that we rebalance 5e’s spells. If you play high-level D&D, you know that certain spells, like force cage and animate object, make for less-fun encounters. We redid every spell, clarifying confusions, fixing broken spells and outliers, and folding in errata – and we’ve also added about a hundred new spells.
  • Rare spells! Another one of my home-game inventions that I snuck into the final project. I’ve always loved the idea of a special version of a spell, which can be obtained as treasure, which has an extra, cool effect in addition to the standard usage. For instance, a version of flaming sphere that you can ride like a chariot, or (very important in my game group) a permanent version of animal friendship. The other developers loved this idea and ran with it and now we have tons of rare spells.
  • Backgrounds. I redid the format of backgrounds, with an eye to providing adventure possibilities past level 1. Instead of a d6 list of bonds, a background now includes a d10 list of connections: specific NPCs from your history that the GM can leverage. Instead of a single equipment list, a background comes with a d10 list of trinkets or mementos, each of which provides a plot hook. For example, as an acolyte, your connection might be “the inquisitor who rooted out your heresy (or framed you) and had you banished from your temple” and your memento “a half-complete book of prophecies which seems to hint at danger for your faith—-if only the other half could be found!” Finally, each background comes with an “advancement” section detailing how you might earn an extra background advantage at high level. (An acolyte who advances their faith might earn devoted followers.)
  • Math! I did a pretty good amount of balancing for all the classes and combat maneuvers. “Balance” isn’t everything, but you might as well shore up the classes that lag behind.
  • The above are just my contributions, out of a dozen designers. Other stuff you should look for: every class has been expanded and rebalanced. Weapons, armor, and equipment have been overhauled and expanded. 5e “race” is gone, replaced by a hugely expanded set of ancestries and heritages. A character can now pick a destiny, which is like a fully-baked version of inspiration dice. Plus there are new feats, new combat maneuvers, and so on.

    Trials and Treasure

    If you’ve been following A5E, you might be surprised to see… there’s a third core book! 1000ish pages was just too big for a single book, so the core book was split in two. (Including the 500+ pages of the Monstrous Menagerie, the three core books are now 1500 pages!) Trials and Treasure is a primarily game-master-facing book.

  • The main work I did for Trials and Treasure is an overhaul of treasure. As I’ve mentioned, I don’t love the 5e treasure tables, and I got a chance to make my own. They’re granular and provide a better treasure mix; they come with a hugely expanded list of random jewelry, art, rare books, and other valuables; and they’re completely compatible with 5e economy, but with the proud nails hammered down. (Plus, of course, the list of magic items is, like, doubled.)
  • In D&D, sometimes it can feel like there’s not much to buy beyond level 3 or so. A5E includes prices for the training of monsters and the hiring of armies; the eggs of griffons, dragons, and other beasts; and extensive rules for strongholds and bases.
  • Lots of great stuff in here by other people, including safety tools, magic item crafting, and a really cool system where hazards and traps are expanded into well-defined, leveled encounters.

    forwards compatibility

    Level Up: Advanced 5E is, of course, backwards compatible with 5E. What about the 5e refresh that’s coming out in 2 or 3 years? Will A5E still be compatible with that?

    No one knows much about the 5e update (beyond the fact that it’s coming out in 2024), but all signs point to it being a fairly small change, with some new updated base classes, a new way of handling races, and so on: more of a 5.5E than a 6E. Wizards has said that it will be compatible with their older material. That means that A5E should be just as compatible with it in 2024 as it is with D&D in 2021.

    I’m excited to get the new 5e books when they come out! And I know I’ll be using them along with A5E – probably mixing and matching. In the games I DM, players will be able to use classes and player-facing features from 5E, 5.5, or A5E (though I may insist on them using the A5E fixed versions of broken spells) – but the A5E-only GM tools – the new treasure tables, the rare spells, the blessed high-level support, plus my precious Monstrous Menagerie – are going to be invaluable for years to come.

    Back the Kickstarter!

    Categories: Tabletop Gaming Blogs

    Embroidery Ideas: Using Your Embroidery in a Quilt Square

    Knitted Bliss - Tue, 10/05/2021 - 16:22

    www.knittedbliss.com

    I love seeing how people take a craft and really run with it, don’t you?  I was blown away when I saw what long-time knitter and all-round clever crafter Valerie did after she stitched the Cozy Winter embroidery kit. Valerie finished up her kit (you can find it here) and turned it into

    The post Embroidery Ideas: Using Your Embroidery in a Quilt Square appeared first on www.knittedbliss.com.

    Categories: Knitting Feeds

    Facebook shoots own foot, hits Instagram and WhatsApp too

    Malwarebytes - Tue, 10/05/2021 - 16:21

    Mark Zuckerberg was left counting the personal cost of bad PR yesterday (about $6 billion, according to Bloomberg) on a day when his company couldn’t get out of the news headlines, for all the wrong reasons.

    The billionaire Facebook CEO’s bad day at the office started with whistleblower Frances Haugen finally revealing her identity in a round of interviews that looked set to lay siege to the Monday headlines. Anonymous revelations by the former Facebook product manager had fuelled an entire Wall Street Journal series about the harm inflicted or ignored by Instagram and Facebook, and her unmasking was its denouement. It was supposed to be big news, and for a while it was.

    But then something even bigger happened.

    Facebook, Instagram, and WhatsApp completely disappeared. For six hours.

    Despite losing access to the world’s favourite confirmation bias apparatus, conspiracy theorists didn’t miss a beat. Putting two and two together to make five, they decided that it was all too convenient and that Facebook was using the dead cat strategy to rob Haugen of the spotlight!

    It was a convenient theory, but there is no evidence for it besides an interesting coincidence, and it ignores the fact that Facebook taking itself out to silence a whistleblower is a far more interesting story than Facebook simply taking itself out by accident. I’m afraid that in the absence of more compelling information, Hanlon’s Razor will have to suffice: “Never attribute to malice that which is adequately explained by stupidity”.

    BGP

    What we can say for sure is that Facebook took itself and its stablemates out with a spectacular self-inflicted wound, in the form of a toxic Border Gateway Protocol (BGP) update.

    The Internet is a patchwork of tens of thousands of separate networks, called Autonomous Systems, that are stitched together with BGP. To route data across the Internet, Autonomous Systems need to know which IP addresses other Autonomous Systems either control or can route traffic to. They share this information with each other using BGP, as announcements of address prefixes, and take it back with withdrawals.

    According to Cloudflare—which has published an excellent explanation of what it saw—Facebook’s trouble started when its Autonomous System issued a BGP update withdrawing the routes to the prefixes that hold its own authoritative DNS servers. With no route to those servers, facebook.com and its sibling domains could no longer be resolved, so every client lost the way in, even though nothing else had changed yet. In Cloudflare’s words: “With those withdrawals, Facebook and its sites had effectively disconnected themselves from the Internet.”
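The mechanism above, as an added example that is not part of the Malwarebytes post or Cloudflare's write-up: a toy routing table with longest-prefix-match lookup, and a resolver that can only answer if it can route a query to some authoritative nameserver. Every prefix, ASN and hostname here is constructed from documentation ranges (RFC 5737 addresses, RFC 5398 ASNs), not Facebook's real ones.

```python
"""Toy BGP RIB plus a resolver, to show why withdrawing the nameserver
prefixes takes a whole domain offline. Added example; all data constructed."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Route = Tuple[ipaddress.IPv4Network, int]  # (announced prefix, origin AS)


class Rib:
    """Routing information base: what BGP announcements say is reachable."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, int] = {}

    def announce(self, prefix: str, origin_as: int) -> None:
        self.routes[ipaddress.ip_network(prefix)] = origin_as

    def withdraw(self, prefix: str) -> None:
        # A BGP WITHDRAWN ROUTES message removes the prefix; nothing else changes.
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, ip: str) -> Optional[Route]:
        """Longest-prefix match: the most specific announced prefix covering ip."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Route] = None
        for net, asn in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, asn)
        return best


def resolve(name: str, ns_ips: List[str], zone: Dict[str, str],
            rib: Rib) -> Tuple[str, Optional[str]]:
    """A resolver can only read the zone if some nameserver is routable."""
    if not any(rib.lookup(ns) is not None for ns in ns_ips):
        return ("SERVFAIL", None)  # every NS unreachable: no answer at all
    return ("NOERROR", zone.get(name))


def origin_ases(ns_ips: List[str], rib: Rib) -> Set[int]:
    """Origin ASes of the prefixes the nameservers sit in; one AS is one failure domain."""
    return {r[1] for r in (rib.lookup(ip) for ip in ns_ips) if r is not None}


def outage_demo() -> Dict[str, object]:
    rib = Rib()
    rib.announce("203.0.113.0/24", 64500)   # web front ends (constructed)
    rib.announce("198.51.100.0/24", 64500)  # authoritative DNS (constructed)
    rib.announce("198.51.100.0/25", 64500)  # a more-specific, as real tables carry
    ns = ["198.51.100.10", "198.51.100.140"]
    zone = {"www.example.test": "203.0.113.10"}

    before = resolve("www.example.test", ns, zone, rib)
    ns_route = rib.lookup(ns[0])            # matches the /25, not the /24
    spof = len(origin_ases(ns, rib)) == 1   # all nameservers behind one AS

    # The outage: the AS withdraws the prefixes that carry its nameservers.
    rib.withdraw("198.51.100.0/25")
    rib.withdraw("198.51.100.0/24")
    after = resolve("www.example.test", ns, zone, rib)
    return {
        "before": before,
        "after": after,
        "web_still_routed": rib.lookup("203.0.113.10") is not None,
        "ns_prefix_before": str(ns_route[0]) if ns_route else None,
        "spof": spof,
    }


if __name__ == "__main__":
    for k, v in outage_demo().items():
        print(f"{k}: {v}")
```

Two things the run shows that the prose only states: the web prefix is still perfectly routable after the withdrawal, yet nothing resolves, because resolution is the step that needs the nameservers; and `origin_ases` returns a single AS for every nameserver, which is the single point of failure the post ends on. The equivalent real-world check is whether all of your NS records point at addresses inside prefixes only you announce.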

    Cloudflare appears to have noticed the problem almost straight away, so we can assume that Facebook did too. So why did it take six more hours to fix it? The social media scuttlebutt, later confirmed in Facebook’s own terse explanation, was that the outage disabled the very tools Facebook’s enormous number of remote workers would normally rely on to both communicate with each other and to fix the problem.

    The underlying cause of this outage also impacted many of the internal tools and systems we use in our day-to-day operations, complicating our attempts to quickly diagnose and resolve the problem.

    The unconfirmed part of the same scuttlebutt is that Facebook is so 21st century that folks were locked out of offices, and even a server room, which had to be entered forcibly in order to fix the configuration issue locally.

    Of course that could just be another conspiracy theory, but as somebody who has themselves been stranded outside a building, forced to look through a glass door at the very computer that controls that door attempting and failing to boot from the broken network I had come to investigate, let me assure you that it’s not an outrageous suggestion.

    The Facebook Empire withdrawing itself from the Internet didn’t stop people looking for it though. In fact, it made them look much, much harder (just imagine everyone, everywhere, frustrated, hitting “refresh” or reinstalling Instagram until they’re bored, and you get the idea). Queries for the unreachable domains spiked, and DNS resolvers groaned, as computers groped around in the dark looking for the now unresolvable facebook.com domains.

    When they weren’t pummelling DNS resolvers, the rest of the Facebook diaspora was forced to find other forms of entertainment or other means of communication. Some local mobile phone operators reported being overwhelmed, and encrypted messaging app Signal said it welcomed “millions” of new users as people looked for alternatives to WhatsApp.

    And let’s not forget that there are companies that rely on Facebook, Instagram, and WhatsApp to drive business, and there are services that use Facebook logins for authentication. And then there are the influencers. All of them had to stop. For six hours. Won’t somebody think of the influencers?

    When it finally sank in that nobody could use Facebook, Instagram, or WhatsApp, it started to dawn on us all just how much so many of us have put Facebook and its products at the centre of our lives.

    And then we all went to Twitter to tell everyone else how good or bad it all was. Thankfully, it withstood the onslaught.

    hello literally everyone

    — Twitter (@Twitter) October 4, 2021

    Which leads us to the “so what?” part of our story. This is a security blog after all, and if this wasn’t a cyberattack you may be wondering what all of this has to do with security. Where’s the lesson in all of this?

    Single points of failure, people.

    That’s it. That’s the tweet.

    The post Facebook shoots own foot, hits Instagram and WhatsApp too appeared first on Malwarebytes Labs.

    Categories: Techie Feeds

    Baker’s Blake’s 7 Bad Guy Bayban the Butcher’s Back!

    Blogtor Who - Tue, 10/05/2021 - 15:00

    He’s back and badder than ever – Bayban the Butcher returns in a box set of his own in the next instalment of The Worlds of Blake’s 7, due for release in December 2021   Big Finish have revealed the cover and story details for Colin Baker’s return as Bayban, the career criminal first introduced […]

    The post Baker’s Blake’s 7 Bad Guy Bayban the Butcher’s Back! appeared first on Blogtor Who.

    Categories: Doctor Who Feeds

    Top Comments – Pages 1541 – 1544

    Looking For Group - Tue, 10/05/2021 - 14:38

    Tuesday, YOU are the star! We curate our favourites from the previous week’s comments on lfg.co and Facebook and remind you how clever you are. Here are your top comments for Looking For Group pages 1541 – 1544. Looking For […]

    The post Top Comments – Pages 1541 – 1544 appeared first on Looking For Group.

    Categories: Web Comics

    Criminals were inside Syniverse for 5 years before anyone noticed

    Malwarebytes - Tue, 10/05/2021 - 14:22

    “A global privacy disaster”, “espionage gold”, and “a state-sponsored wet dream” are just some of the comments one can read regarding the breach at Syniverse, a key player in the tech/telecommunications industry that calls itself the “center of the connected world.”

    In a filing with the US Securities and Exchange Commission, Syniverse said the breach affected more than 200 of its clients, whose combined subscriber bases number in the billions worldwide. Syniverse’s clients include Verizon, AT&T, T-Mobile, Vodafone, China Mobile, Telefonica, and America Movil, to name a few.

    The company revealed that it first noticed the breach in May 2021, but that the access had begun in May 2016—a whole five years before.

    According to Motherboard, which first reported the story, Syniverse receives, processes, stores, and transmits electronic customer information, including billing information exchanged between carriers globally, records of calls and data usage, and other potentially sensitive data. It processes more than 740 billion SMS messages a year, routing text messages between users of different carriers (both in the US and abroad).

    The filing said that “Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers.”

    In an email interview with Motherboard, Karsten Nohl, a security researcher is quoted saying, “Syniverse systems have direct access to phone call records and text messaging, and indirect access to a large range of Internet accounts protected with SMS 2-factor authentication. Hacking Syniverse will ease access to Google, Microsoft, Facebook, Twitter, Amazon and all kinds of other accounts, all at once.”

    A telecom industry insider, who spoke to Motherboard, said: “With all that information, I could build a profile on you. I’ll know exactly what you’re doing, who you’re calling, what’s going on. I’ll know when you get a voicemail notification. I’ll know who left the voicemail. I’ll know how long that voicemail was left for. When you make a phone call, I’ll know exactly where you made that phone call from.”

    “I’ll know more about you than your doctor.”

    Motherboard asked Syniverse whether the hackers had accessed or stolen personal data on cellphone users, but Syniverse declined to answer. 

    Syniverse said all EDT customers have had their credentials reset or inactivated, whether they were part of the breach or not. The company says no further action is required on behalf of those customers.

    “We have communicated directly with our customers regarding this matter and have concluded that no additional action is required. In addition to resetting customer credentials, we have implemented substantial additional measures to provide increased protection to our systems and customers.” 

    The post Criminals were inside Syniverse for 5 years before anyone noticed appeared first on Malwarebytes Labs.

    Categories: Techie Feeds

    The 9th-Level Spell that Breaks D&D (It’s Not Wish)

    DM David - Tue, 10/05/2021 - 12:02

    When Magic the Gathering players talk about broken cards, they mean ones powerful enough to dominate games so that every competitive deck either includes the card or focuses on countering it. These cards break the game by destroying the options that make playing fun. D&D includes some spells that suck fun from the game, but nothing that ruins it.

    Still, foresight breaks D&D. I don’t mean that it’s overpowered; 9th-level spells should deliver wahoo powers that feel a bit overpowered. In the words of lead designer Jeremy Crawford, “High-level spells are often just whack-a-doo on purpose.” (I’ll bet he didn’t expect to be quoted on that one.)

    By broken, I mean that foresight makes D&D dull, and a 9th-level spell should always add excitement. Even if the spell’s power wrecks an encounter, the magic should feel game breaking and thrilling. Foresight just feels game breaking and boring.

    For 8 hours, the target of foresight “can’t be surprised and has advantage on attack rolls, ability checks, and saving throws. Additionally, other creatures have disadvantage on attack rolls against the target for the duration.”

    Fifth edition’s rules for advantage and disadvantage streamline the game by eliminating the fiddly pluses and minuses that older editions imposed on attacks and checks. While the old modifiers added realism, they slowed play and seldom made a difference.

    To gain even more quick simplicity, multiple sources of advantage and disadvantage don’t stack. At most they offset, leading to a straight roll. Usually that works because multiple advantages and disadvantages come infrequently. (For instances where this rule creates illogical situations, see numbers 12 and 10 of the 13 Craziest Quirks in the Dungeons & Dragons Rules.)

    The simple approach falters when some ongoing factor adds advantage or disadvantage to every roll. Suddenly other circumstances stop affecting the odds. D&D’s designers recognized this when they opted to have cover impose a minus to attacks rather than disadvantage. They wanted a factor as common as cover to stack with all the other situations that can create advantage and disadvantage in a fight.

    During my D&D weekend, when two level-20 wizards benefited from the 8-hour duration of foresight and spent an entire adventure with advantage, I realized how much less interesting the game became. Foresight eliminates all motivations to seek an edge. By erasing fifth-edition’s foundation of advantage/disadvantage, foresight nullifies the effect of too many decisions, tactics and character traits.

    Incidentally, the 3rd-edition version of foresight gave just a +2 bonus to AC and Reflex saves—at 9th level! Instead of a broken spell that sucked the fun from D&D, the spell just sucked.

    Categories: Tabletop Gaming Blogs

    Windows 11 is out. Is it any good for security?

    Malwarebytes - Tue, 10/05/2021 - 09:00

    Windows 11, the latest operating system (OS) from Microsoft, launches today, and organizations have begun asking themselves when and if they should upgrade from Windows 10 or older versions. The requirements and considerations of each organization will be different, and many things will inform the decisions they make about whether to stick or twist. One of those things will be whether or not Windows 11 makes them safer and more secure.

    I spoke to Malwarebytes’ Windows experts Alex Smith and Charles Oppermann to understand what’s changed in Windows 11 and what impact it could have on security.

    A higher bar for hardware

    If you’ve read anything about Windows 11 it’s probably that it will only run on “new” computers. Microsoft’s latest OS sets a high bar for hardware, with the aim of creating a secure platform for all that’s layered on top of it. In effect, Microsoft is making its existing Secured-core PC standards the new baseline, so that a range of technologies that are optional in Windows 10 are mandatory, or on by default, in Windows 11.

    In reality the hardware requirements will only seem exacting for a short period. Moore’s Law and the enormous Windows install base mean that yesterday’s stringent hardware requirements will rapidly turn into today’s minimum spec.

    Three of the new OS’s hardware requirements play major, interlocking roles in security:

    All hail the hypervisor

    At a minimum, Windows 11 requires a 64-bit, 1 GHz processor with virtualization extensions and at least two cores, and HVCI-compatible (hypervisor-protected code integrity) drivers. In practice that means it requires an 8th generation Intel processor, an AMD Zen 2, or a Qualcomm Snapdragon 8180.

    This is because Virtualization Based Security (VBS) has become a keystone concept in Microsoft’s approach to security. VBS runs Windows on top of a hypervisor, which can then use the same techniques that keep guest operating systems apart to create secure spaces that are isolated from the main OS. Doing that requires hardware-based virtualization features, and enough horsepower that you won’t notice the drag on performance.

    Noteworthy security features that rely on VBS include:

    • Kernel Data Protection, which uses VBS to mark some kernel memory as read only, to protect the Windows kernel and its drivers from being tampered with.
    • Memory Integrity (a more digestible name for HVCI), which runs code integrity checks in an isolated environment and should provide stronger protection against kernel viruses and malware.
    • Application Guard, a protective sandbox for Edge and Microsoft Office that uses virtualization to isolate untrusted websites and office documents, limiting the damage they can cause.
    • Credential Guard, which runs the Local Security Authority Subsystem Service in a virtual container, stopping attackers from dumping credentials and using them in pass-the-hash attacks.
    • Windows Hello Enhanced Sign-In, which uses VBS to isolate biometric software, and to create secure pathways to external components like the camera and TPM.

    Unified Extensible Firmware Interface (UEFI)

    UEFI is a specification for the firmware that controls the first stages of booting up a computer, before the operating system is loaded. (It’s a replacement for the more widely known BIOS.) From a security standpoint, UEFI’s key feature is Secure Boot, which checks the digital signatures of the software used in the boot process. It protects against bootkits that load before the operating system, and rootkits that modify the operating system.

    Trusted Platform Module 2.0 (TPM 2.0)

    TPM is tamper-resistant technology that performs cryptographic operations, such as creating and storing cryptographic keys, where they can’t be interfered with. It’s probably best known for its role in Secure Boot, which ensures computers only load trusted boot loaders, and in BitLocker disk encryption. In Windows 11 it forms the secure underpinning for a host of security features, including Secure Boot’s big brother, Measured Boot; BitLocker (Device Encryption on Windows Home); Windows Defender System Guard; Device Health Attestation; Windows Hello; and more.

    New in Windows 11

    Windows 11 has some new tricks up its sleeve too.

    Hardware-enforced Stack Protection

    Windows 11 extends the Hardware-enforced Stack Protection introduced in Windows 10 so that it protects code running in kernel mode as well as in user mode. It’s designed to prevent control-flow hijacking by creating a “shadow stack” that mirrors the call stack’s list of return addresses. When control is transferred to a return address on the call stack it’s checked against the shadow stack to ensure it hasn’t changed. If it has, something untoward has happened and an error is raised.
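    The hardware requirements described above, and the kernel-mode stack protection just described, are only useful if they are actually switched on. As an added example (not code from the Malwarebytes article or from Microsoft), the PowerShell below audits a machine for each of them. The function name Get-Win11SecurityPosture and the check labels are this example’s own; the cmdlets (Get-Tpm-style TPM class, Confirm-SecureBootUEFI) and CIM classes (Win32_Processor, Win32_Tpm, Win32_DeviceGuard) are standard Windows ones. The meaning of code 5 in SecurityServicesRunning (Kernel-mode Hardware-enforced Stack Protection) is taken from Microsoft’s Win32_DeviceGuard documentation for newer Windows 11 builds and is absent on older systems, so a false there on Windows 10 is expected.

```powershell
# Added example, not from the original article: audit a Windows machine for the
# hardware-rooted security features Windows 11 relies on. Run from an elevated
# PowerShell prompt; Confirm-SecureBootUEFI and the TPM class need administrator rights.
# Function name and check labels are this script's own; cmdlets and CIM classes are standard.

function Get-Win11SecurityPosture {
    $results = [ordered]@{}

    # --- CPU: 64-bit, at least 2 cores, at least 1 GHz, virtualization extensions enabled in firmware.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $results['CPU 64-bit']                     = ($cpu.AddressWidth -eq 64)
    $results['CPU >= 2 cores']                 = ($cpu.NumberOfCores -ge 2)
    $results['CPU >= 1 GHz']                   = ($cpu.MaxClockSpeed -ge 1000)   # MaxClockSpeed is reported in MHz
    $results['Virtualization enabled in firmware'] = [bool]$cpu.VirtualizationFirmwareEnabled
    $results['Second-level address translation']   = [bool]$cpu.SecondLevelAddressTranslationExtensions

    # --- UEFI Secure Boot. On a legacy-BIOS machine the cmdlet throws; treat that as "not enabled".
    try {
        $results['UEFI Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $results['UEFI Secure Boot enabled'] = $false
    }

    # --- TPM 2.0. Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec level.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specMajor = if ($tpm) { ([string]$tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $results['TPM present']  = [bool]$tpm
    $results['TPM spec 2.0'] = ($specMajor -eq '2.0')

    # --- Virtualization Based Security and the services built on top of it.
    # Win32_DeviceGuard.VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    # Win32_DeviceGuard.SecurityServicesRunning is an array of codes:
    #   1 = Credential Guard, 2 = HVCI (Memory Integrity), 3 = System Guard Secure Launch,
    #   4 = SMM Firmware Measurement, 5 = Kernel-mode Hardware-enforced Stack Protection (newer Windows 11 builds).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = if ($dg) { @($dg.SecurityServicesRunning) } else { @() }
    $results['VBS running']                         = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
    $results['Credential Guard running']            = ($running -contains 1)
    $results['Memory Integrity (HVCI) running']     = ($running -contains 2)
    $results['System Guard Secure Launch running']  = ($running -contains 3)
    $results['Kernel-mode stack protection running'] = ($running -contains 5)

    # Emit one row per check so the output can be piped to Format-Table or Export-Csv.
    foreach ($name in $results.Keys) {
        [pscustomobject]@{ Check = $name; Enabled = [bool]$results[$name] }
    }
}

# Usage: print the table and warn about anything that is off.
$posture = Get-Win11SecurityPosture
$posture | Format-Table -AutoSize
$missing = $posture | Where-Object { -not $_.Enabled }
if ($missing) { Write-Warning ('Not enabled: ' + (($missing | ForEach-Object { $_.Check }) -join '; ')) }
```

    The script reports the state of the features rather than enforcing anything, so it is safe to run on a fleet for inventory; a Windows 10 machine on older hardware will typically show Secure Boot and TPM 2.0 present but VBS-based services off, which is exactly the gap Windows 11’s requirements are meant to close.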

    Pluton

    Windows 11 comes ready to embrace the impressively named Pluton TPM architecture. It’s been a feature of the Xbox One gaming console since 2013, but doesn’t exist in PCs… yet.

    Pluton sees the security chip built directly into the CPU, which prevents physical attacks that target the communication channel between the CPU and the TPM. And while Pluton is backwards-compatible with existing TPMs, it’ll do more if you let it. According to Microsoft, “Pluton also provides the unique Secure Hardware Cryptography Key (SHACK) technology that helps ensure keys are never exposed outside of the protected hardware, even to the Pluton firmware itself”.

    Microsoft Azure Attestation (MAA)

    No discussion about security in 2021 would be complete without somebody mentioning Zero Trust, so here it is. Windows 11 comes with out-of-the-box support for MAA, which can verify the integrity of a system’s hardware and software remotely. Microsoft says this will allow organizations to “enforce Zero Trust policies when accessing sensitive resources in the cloud”.

    Evolution, not revolution

    For several years, Microsoft’s approach to Windows security has been to create a chain of trust that ensures the integrity of the entire hardware and software stack, from the ground up. The latest version of Windows seeks to make that approach the default, and demands the hardware necessary to make it work. With Windows 11, Microsoft is making an aggressive attempt to raise the security floor of the PC platform, and that’s a good thing for everyone’s security.

    Make no mistake: threat actors will adapt, as they have done before. Advanced Persistent Threat (APT) groups are well-funded enough to find a way through tough defences, ransomware gangs are notoriously good at finding the lowest-hanging fruit, and lucrative forms of social engineering like BEC are notoriously resistant to technology solutions.

    And you can add to that the interlocking problems of increasing complexity, backwards compatibility, and technical debt. Operating systems and the applications they must support are a behemoth, and while Microsoft pursues its laudable aim of eliminating entire classes of vulnerabilities, new bugs will appear and a lot of legacy code will inevitably come along for the ride.

    Decisions about whether to adopt Windows 11 will doubtless be affected by the fact that it won’t run on a lot of otherwise perfectly good computers. We expect this to have a chilling effect on organizations’ willingness to migrate away from Windows 10.

    And there are other headwinds too. These days, new Windows operating systems are rarely greeted with great enthusiasm unless they’re putting right the wrongs of a particularly disliked predecessor. The bottom line is that Windows 10 works and OS upgrades are painful, so it is difficult to imagine that anyone will conclude they need Windows 11.

    Migration away from older versions of Windows is inevitable eventually, and by the time mainstream support for Windows 10 ends in October 2025, users will undoubtedly be more secure. But we expect organizations to move away from Windows 10 slowly, which will delay the undoubted security benefits that will follow from wide-scale adoption of Windows 11.

    The post Windows 11 is out. Is it any good for security? appeared first on Malwarebytes Labs.

    Categories: Techie Feeds

    The Omega Factor: Immaculate Possessions – OUT NOW

    Blogtor Who - Tue, 10/05/2021 - 08:30

    Spooky season begins with a brand new audiobook in Big Finish’s occult adventure series, The Omega Factor, based on the scary 1970s BBC TV drama   The Omega Factor: the end of scientific knowledge. And beyond. This is the remit of Department Seven, a secret government unit established to explore the paranormal. But can such […]

    The post The Omega Factor: Immaculate Possessions – OUT NOW appeared first on Blogtor Who.

    Categories: Doctor Who Feeds
