Cryptios - page 2. | Bitcointalksearch.org

Cøbra

full member

Activity: 123

Merit: 474

Quote from: theymos on May 01, 2019, 05:55:35 PM

FYI: The humans handling the new account recoveries system which was implemented late last year are a company that Cyrus [...]

Not sure why I found the use of the word "humans" in that sentence so funny. Only something non-human would refer to others as "the humans". I think the autonomous theymos AI needs more training data to better blend in with us lowly humans and avoid subtly revealing its true nature. Grin

DireWolfM14

copper member

Activity: 2338

Merit: 4543

Join the world-leading crypto sportsbook NOW!

@theymos, couldn't a lot of this be avoided if we had a 2FA system in place? I know you don't want to use the google system, and I don't blame you, but what about a decentralized system like using a PGP public key to generate single-use passwords, and send PGP encrypted password recovery links to the registered email?

I know we've discussed this numerous times, and it's always been shutdown. Forgive me if I'm beating a dead horse, but I think I would rather live the downsides of a 2FA system opposed to the downsides of farming out account recovery.

bones261

legendary

Activity: 1806

Merit: 1828

Quote from: yazher on May 08, 2019, 04:52:15 PM

Quote from: Quickseller on May 08, 2019, 04:38:14 PM

he can see it

Good, personally I don't have a problem with "mysterious newbies" having access to see my IP address, they probably need it "when handling the new account recoveries system". As for my own understanding, if my account locked from being "suspected to be compromised" do I only need to send them an email which I used on my account and "provide some evidence that I owned that email, that would unlock my account right?

Yes, I believe if you send them an e-mail from the e-mail that you used to create the account, that would be proof. You can also stake a bitcoin address on this thread https://bitcointalksearch.org/topic/stake-your-bitcoin-address-here-996318. Basically you sign a message with a bitcoin address that you control and in the future, you can sign another message using this same Bitcoin address. For privacy, use an address that you have not used and will not use for BTC payments.

yazher

hero member

Activity: 2268

Merit: 588

You own the pen

Quote from: Quickseller on May 08, 2019, 04:38:14 PM

he can see it

Good, personally I don't have a problem with "mysterious newbies" having access to see my IP address, they probably need it "when handling the new account recoveries system". As for my own understanding, if my account locked from being "suspected to be compromised" do I only need to send them an email which I used on my account and "provide some evidence that I owned that email, that would unlock my account right?

Quickseller

copper member

Activity: 2996

Merit: 2374

Quote from: yazher on May 08, 2019, 04:35:54 PM

Quote from: theymos on May 08, 2019, 04:20:53 PM

In the past 7 days, they viewed the basic info/logs of 461 users and viewed the IP logs of 51 users.

Boss, can You also see what they are doing or they gave you that info?

he can see it

Quote

each of their accesses to private info are logged

yazher

hero member

Activity: 2268

Merit: 588

You own the pen

Quote from: theymos on May 08, 2019, 04:20:53 PM

In the past 7 days, they viewed the basic info/logs of 461 users and viewed the IP logs of 51 users.

Boss, can You also see what they are doing or they gave you that info?

theymos

administrator

Activity: 5222

Merit: 13032

The account was security-locked, not "banned for sending stupid merit". The user would see a message saying "Your account is locked because it is suspected to be compromised, email ...". Then if they email and provide some evidence that it's not compromised, it'd be unlocked.

Locking without a recovery email can be appropriate in cases similar to this where the user woke up, their access had suspicious characteristics, and they immediately started doing suspicious things. If their access characteristics change from one week to the next, without a long period of inactivity, then I'd be more likely to assume by default that they're using someone else's computer or they sold their account (which is allowed), and I'd rely on a complaint email to move from this default assumption.

Cryptios's main purpose is recovering accounts, but they can also do minor patroller-type things. They are neither admins nor global moderators. They have access to IP/security logs (not PMs), but each of their accesses to private info are logged and per-day-limited; even if their access was compromised, the damage would be limited. In the past 7 days, they viewed the basic info/logs of 461 users and viewed the IP logs of 51 users.

suchmoon

legendary

Activity: 3654

Merit: 8909

https://bpip.org

Quote from: Cyrus on May 08, 2019, 03:25:02 PM

That sounds unlikely to happen.

Which part, the locking or me being erratic? The latter is very likely

Quote from: Cyrus on May 08, 2019, 03:25:02 PM

If the password would be changed as well, being hacked would be more plausible (Occam's razor). However, even in this made-up scenario of yours, I would be very careful how/if to proceed (especially since I could risk tipping off a hacker on how to hide their tracks by giving away too many details).

Fair enough. But I'm quite certain I've done at least 3 out of 4 red flags (password change, e-mail change, IP/browser change, and atypical posting) at once and it's not a huge stretch to imagine all 4 happening - e.g. e-mail provider has a problem so I change my e-mail and password, maybe log in from a fresh device to verify... then go to WO to relieve the stress with rocket memes. Would be nice to not get locked preemptively.

Theb

hero member

Activity: 1680

Merit: 655

Well I just witnessed an account being locked just by over sending 1 merit to a worthless post along with some telltale signs like email being change, IP changes, and posting habits by one of the employees of the company. And just by the looks of how quick they decide to lock an account I think they should be moderated as well on this matter.

Quote from: alanst on May 08, 2019, 08:51:59 AM

Well spotted! It appears that this account has indeed changed hands as the email address was changed on July 22, 2017, alongside with posting and IP patterns. I've now locked it! In the meantime, DT members can go ahead and paint it red until (and if) we determine the real owner.

Thank you for bringing this up!

I don't like the idea that one day I have changed my email, travel to another country, or somehow have a different posting habit that week and suddenly find out that my own account got locked and now I need to prove my ownership with it (How will they or I even prove it?). It just gives me a state of unrest knowing that I can wrongly be suspended in the future. Well this is just my two cents on the matter before things gets out of hand.

Cyrus

administrator

Activity: 3934

Merit: 3143

Quote from: suchmoon on May 08, 2019, 12:42:34 PM

I feel seriously uneasy about this and I don't think it's the burrito. So let's say if I change my e-mail address, get a new Tor circuit, and want to entertain my Russian friends with the help of Google Translate, will my account get locked because someone felt like it?

That sounds unlikely to happen. If the password would be changed as well, being hacked would be more plausible (Occam's razor). However, even in this made-up scenario of yours, I would be very careful how/if to proceed (especially since I could risk tipping off a hacker on how to hide their tracks by giving away too many details).

Quote from: Harlot on May 08, 2019, 01:46:33 PM

Does Cryptios have any thread with regards to their account recovery or sort of a list for their attempts here in the forum? If they don't have one yet I think they should because it would be great to see how they have successfully (or fail) on every account they try to to recover. Another thing is that it will be an added transparency other forum members will be interested to see.

The seclog shows manual recoveries and I feel a bit better knowing that users check it often.

Quote from: ibminer on May 08, 2019, 02:04:19 PM

How many Cryptios employees can see the IP address(es) of forum users?

We have tiered access, on a need-to-know basis. There have also been recent changes on how data is being handled by the forum, you can check it here: https://bitcointalk.org/privacy.php

Quote from: DireWolfM14 on May 08, 2019, 02:11:51 PM

Sounds like they have access to IPs and old sec/mod logs, do they have access to PMs?

No.

Quote from: hacker1001101001 on May 08, 2019, 02:39:29 PM

[...]

As I said, there have been no changes in the public forum policy. As always, account sales are not against the rules but they' not enouraged either. There's no random account locks going on.

hacker1001101001

sr. member

Activity: 1288

Merit: 415

I feel uneasy too!

I don't think there is any moderation issue even if accounts change hands, until it's proven to be hacked by the original owner. (IPs and email changes does not prove that the account is hacked it rather could be sold)

Also, if the original owner is concerned about his account being hacked, he could personally lock it through the email.

I don't want to sound bad, but atleast a clarification about how does the process go would help, so that everyone could protect there accounts from being locked without a warning.

FFrankie

hero member

Activity: 2254

Merit: 960

100% Deposit Match UP TO €5000!

Quote from: DireWolfM14 on May 08, 2019, 02:11:51 PM

Can we have a list of all the forum features to which the mysterious newbies have access?

Sounds like they have access to IPs and old sec/mod logs, do they have access to PMs?

everyone has access to our PMs because we use cloudflair now

DireWolfM14

copper member

Activity: 2338

Merit: 4543

Join the world-leading crypto sportsbook NOW!

Can we have a list of all the forum features to which the mysterious newbies have access?

Sounds like they have access to IPs and old sec/mod logs, do they have access to PMs?

ibminer

legendary

Activity: 1789

Merit: 2535

Goonies never say die.

How many Cryptios employees can see the IP address(es) of forum users?

Harlot

hero member

Activity: 1806

Merit: 672

Does Cryptios have any thread with regards to their account recovery or sort of a list for their attempts here in the forum? If they don't have one yet I think they should because it would be great to see how they have successfully (or fail) on every account they try to to recover. Another thing is that it will be an added transparency other forum members will be interested to see.

suchmoon

legendary

Activity: 3654

Merit: 8909

https://bpip.org

I feel seriously uneasy about this and I don't think it's the burrito. So let's say if I change my e-mail address, get a new Tor circuit, and want to entertain my Russian friends with the help of Google Translate, will my account get locked because someone felt like it? I mean I get the "private forum so you got no rights here" vibe but it always used to err on the side of all kinds of shit being allowed. And I can live with the consequences of fucking something up myself but this "help with moderation" sounds a bit too nebulous.

If we're running out of things to do with the IP addresses and whatnot may I suggest to crack down on ban evasions instead.

Steamtyme

legendary

Activity: 1554

Merit: 2037

Thanks for clarifying, I wasn't aware there was also a moderation aspect involved; apart from obviously anything you chose to do being Admin.

I can see some accounts causing worries and possibly warranting a preemptive lock for safety/security; such as Mods, Merit sources, "forum trusted escrow" etc. Again I don't see what you guys see, I'm just wondering what they would need to do in this case. Perhaps they bought the account - not that I encourage this - what would they have to post to regain the account.

I definitely understand needing the ability to lock accounts once the recovery process is started. It just seemed a slippery slope to me in this instance before anyone involved or potentially involved with the account raised a concern. As you said though you've been doing this for a while, I only noticed this as it was stated in the thread.

Thanks again for taking the time to clarify the role and stance of Cryptios

Quickseller

copper member

Activity: 2996

Merit: 2374

Quote from: Steamtyme on May 08, 2019, 10:37:48 AM

I came across something today, and I'd like to get further clarification on a couple of things.

1) Scope of the service Cryptios is offering to the forum. I was under the impression it was solely for account recoveries.
2) Forum policy regarding Locking accounts suspected to have been hacked, sold or otherwise changed hands.

I'm concerned about action being taken without the account recovery process being started by anyone claiming ownership of the account. I've quoted the post below, I can understand the reasoning behind taking action; if forum policies have changed. Currently though this seems to be an overreach, and has the potential to lock peoples accounts unnecessarily. I don't think an account should be locked without the recovery process being started.

Quote from: alanst on May 08, 2019, 08:51:59 AM

Well spotted! It appears that this account has indeed changed hands as the email address was changed on July 22, 2017, alongside with posting and IP patterns. I've now locked it! In the meantime, DT members can go ahead and paint it red until (and if) we determine the real owner.

Thank you for bringing this up!

https://bitcointalksearch.org/topic/this-guy-is-asking-for-merit-which-should-be-earned-and-not-asked-5140656

I would suggest that theymos review the above thread and manage expectations as to when actions should be taken, and when/what information should be disclosed publicly. ETA/ (and when information should be accessed)

Cyrus

administrator

Activity: 3934

Merit: 3143

Cryptios also helps out with some basic moderation.
There is no change in forum policy.
Regarding the post above: In the years I've handled recoveries I've came across quite a few similar cases where the account was compromised with a fair degree of certainty and it was safer for everyone that the account be locked until it was claimed. In this case we temporarily locked it to check if anyone claimed it. It's worth noting that not all the accounts that people are trying to recover are locked to begin with. So we need to be able to lock them until the recovery process is completed.

Steamtyme

legendary

Activity: 1554

Merit: 2037

I came across something today, and I'd like to get further clarification on a couple of things.

1) Scope of the service Cryptios is offering to the forum. I was under the impression it was solely for account recoveries.
2) Forum policy regarding Locking accounts suspected to have been hacked, sold or otherwise changed hands.

I'm concerned about action being taken without the account recovery process being started by anyone claiming ownership of the account. I've quoted the post below, I can understand the reasoning behind taking action; if forum policies have changed. Currently though this seems to be an overreach, and has the potential to lock peoples accounts unnecessarily. I don't think an account should be locked without the recovery process being started.

Quote from: alanst on May 08, 2019, 08:51:59 AM

Well spotted! It appears that this account has indeed changed hands as the email address was changed on July 22, 2017, alongside with posting and IP patterns. I've now locked it! In the meantime, DT members can go ahead and paint it red until (and if) we determine the real owner.

Thank you for bringing this up!

Topic: Cryptios - page 2. (Read 3273 times)