
Topic: Cryptios - page 2. (Read 3304 times)

full member
Activity: 123
Merit: 474
May 08, 2019, 06:13:39 PM
#59
FYI: The humans handling the new account recoveries system which was implemented late last year are a company that Cyrus [...]

Not sure why I found the use of the word "humans" in that sentence so funny. Only something non-human would refer to others as "the humans". I think the autonomous theymos AI needs more training data to better blend in with us lowly humans and avoid subtly revealing its true nature. Grin
copper member
Activity: 2338
Merit: 4543
May 08, 2019, 05:12:58 PM
#58
@theymos, couldn't a lot of this be avoided if we had a 2FA system in place? I know you don't want to use the google system, and I don't blame you, but what about a decentralized system like using a PGP public key to generate single-use passwords, and send PGP encrypted password recovery links to the registered email?

I know we've discussed this numerous times, and it's always been shut down. Forgive me if I'm beating a dead horse, but I think I would rather live with the downsides of a 2FA system as opposed to the downsides of farming out account recovery.
legendary
Activity: 1806
Merit: 1828
May 08, 2019, 05:02:32 PM
#57
he can see it

Good, personally I don't have a problem with "mysterious newbies" having access to see my IP address, they probably need it "when handling the new account recoveries system". As for my own understanding, if my account is locked from being "suspected to be compromised", do I only need to send them an email which I used on my account and "provide some evidence" that I owned that email, and that would unlock my account, right?

Yes, I believe if you send them an e-mail from the e-mail that you used to create the account, that would be proof. You can also stake a bitcoin address on this thread https://bitcointalksearch.org/topic/stake-your-bitcoin-address-here-996318. Basically you sign a message with a bitcoin address that you control and in the future, you can sign another message using this same Bitcoin address. For privacy, use an address that you have not used and will not use for BTC payments.
hero member
Activity: 2268
Merit: 588
You own the pen
May 08, 2019, 04:52:15 PM
#56
he can see it

Good, personally I don't have a problem with "mysterious newbies" having access to see my IP address, they probably need it "when handling the new account recoveries system". As for my own understanding, if my account is locked from being "suspected to be compromised", do I only need to send them an email which I used on my account and "provide some evidence" that I owned that email, and that would unlock my account, right?
copper member
Activity: 2996
Merit: 2374
May 08, 2019, 04:38:14 PM
#55
In the past 7 days, they viewed the basic info/logs of 461 users and viewed the IP logs of 51 users.

Boss, can you also see what they are doing, or did they give you that info?

he can see it

Quote
each of their accesses to private info are logged
hero member
Activity: 2268
Merit: 588
You own the pen
May 08, 2019, 04:35:54 PM
#54
In the past 7 days, they viewed the basic info/logs of 461 users and viewed the IP logs of 51 users.

Boss, can you also see what they are doing, or did they give you that info?
administrator
Activity: 5222
Merit: 13032
May 08, 2019, 04:20:53 PM
#53
The account was security-locked, not "banned for sending stupid merit". The user would see a message saying "Your account is locked because it is suspected to be compromised, email ...". Then if they email and provide some evidence that it's not compromised, it'd be unlocked.

Locking without a recovery email can be appropriate in cases similar to this where the user woke up, their access had suspicious characteristics, and they immediately started doing suspicious things. If their access characteristics change from one week to the next, without a long period of inactivity, then I'd be more likely to assume by default that they're using someone else's computer or they sold their account (which is allowed), and I'd rely on a complaint email to move from this default assumption.

Cryptios's main purpose is recovering accounts, but they can also do minor patroller-type things. They are neither admins nor global moderators. They have access to IP/security logs (not PMs), but each of their accesses to private info are logged and per-day-limited; even if their access was compromised, the damage would be limited. In the past 7 days, they viewed the basic info/logs of 461 users and viewed the IP logs of 51 users.
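The control described in the post above (every access to private info logged, with a per-day limit) can be sketched as follows. This is an added example, not part of the thread and not the forum's code; the class name, the cap values and the sample activity are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

class AccessGate:
    """Logs every private-data lookup; refuses new targets past the daily cap."""

    def __init__(self, caps):
        self.caps = caps   # e.g. {"basic_info": 3, "ip_log": 1} (hypothetical)
        self.audit = []    # append-only: (time, staff, kind, target, allowed)

    def _seen_today(self, staff, kind, now):
        return {t for ts, s, k, t, ok in self.audit
                if ok and s == staff and k == kind and ts.date() == now.date()}

    def view(self, staff, kind, target, now):
        seen = self._seen_today(staff, kind, now)
        # Re-opening a user already viewed today does not consume quota.
        allowed = target in seen or len(seen) < self.caps[kind]
        # Denied attempts are recorded too: a burst of them is an alert signal.
        self.audit.append((now, staff, kind, target, allowed))
        return allowed

    def summary(self, now, days=7):
        """Distinct users viewed per kind in the window (the admin's 7-day figure)."""
        users = defaultdict(set)
        for ts, _staff, kind, target, ok in self.audit:
            if ok and timedelta(0) <= now - ts <= timedelta(days=days):
                users[kind].add(target)
        return {kind: len(targets) for kind, targets in users.items()}

    def denied(self, staff):
        return sum(1 for _ts, s, _k, _t, ok in self.audit if s == staff and not ok)

def demo():
    # Constructed sample activity for one staff account over two days.
    gate = AccessGate({"basic_info": 3, "ip_log": 1})
    day1 = datetime(2019, 5, 8, 12, 0, tzinfo=timezone.utc)
    day2 = day1 + timedelta(days=1)
    results = [gate.view("recovery1", "basic_info", u, day1)
               for u in ("u1", "u2", "u3", "u4", "u1")]
    results.append(gate.view("recovery1", "ip_log", "u1", day1))
    results.append(gate.view("recovery1", "ip_log", "u2", day1))
    results.append(gate.view("recovery1", "basic_info", "u4", day2))
    return results, gate.summary(day2), gate.denied("recovery1")

if __name__ == "__main__":
    print(demo())
```

With a cap in place, a compromised staff login can expose at most the daily quota of users before lookups start failing, and the failed lookups themselves show up in the audit log.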
legendary
Activity: 3654
Merit: 8909
https://bpip.org
May 08, 2019, 04:05:05 PM
#52
That sounds unlikely to happen.

Which part, the locking or me being erratic? The latter is very likely Smiley

If the password would be changed as well, being hacked would be more plausible (Occam's razor). However, even in this made-up scenario of yours, I would be very careful how/if to proceed (especially since I could risk tipping off a hacker on how to hide their tracks by giving away too many details).

Fair enough. But I'm quite certain I've done at least 3 out of 4 red flags (password change, e-mail change, IP/browser change, and atypical posting) at once and it's not a huge stretch to imagine all 4 happening - e.g. e-mail provider has a problem so I change my e-mail and password, maybe log in from a fresh device to verify... then go to WO to relieve the stress with rocket memes. Would be nice to not get locked preemptively.
hero member
Activity: 1680
Merit: 655
May 08, 2019, 03:58:21 PM
#51
Well I just witnessed an account being locked just by over sending 1 merit to a worthless post along with some telltale signs like email being changed, IP changes, and posting habits by one of the employees of the company. And just by the looks of how quick they decide to lock an account I think they should be moderated as well on this matter.

Well spotted! It appears that this account has indeed changed hands as the email address was changed on July 22, 2017, alongside with posting and IP patterns. I've now locked it! In the meantime, DT members can go ahead and paint it red until (and if) we determine the real owner.

Thank you for bringing this up!

I don't like the idea that one day I have changed my email, traveled to another country, or somehow have a different posting habit that week and suddenly find out that my own account got locked and now I need to prove my ownership of it (How will they or I even prove it?). It just gives me a state of unrest knowing that I can wrongly be suspended in the future. Well this is just my two cents on the matter before things get out of hand.

administrator
Activity: 3962
Merit: 3184
May 08, 2019, 03:25:02 PM
#50
I feel seriously uneasy about this and I don't think it's the burrito. So let's say if I change my e-mail address, get a new Tor circuit, and want to entertain my Russian friends with the help of Google Translate, will my account get locked because someone felt like it?
That sounds unlikely to happen. If the password would be changed as well, being hacked would be more plausible (Occam's razor). However, even in this made-up scenario of yours, I would be very careful how/if to proceed (especially since I could risk tipping off a hacker on how to hide their tracks by giving away too many details).

Does Cryptios have any thread with regards to their account recovery or sort of a list for their attempts here in the forum? If they don't have one yet I think they should because it would be great to see how they have succeeded (or failed) on every account they try to recover. Another thing is that it will be an added transparency other forum members will be interested to see.
The seclog shows manual recoveries and I feel a bit better knowing that users check it often.

How many Cryptios employees can see the IP address(es) of forum users?
We have tiered access, on a need-to-know basis. There have also been recent changes on how data is being handled by the forum, you can check it here: https://bitcointalk.org/privacy.php

Sounds like they have access to IPs and old sec/mod logs, do they have access to PMs?
No.

[...]
As I said, there have been no changes in the public forum policy. As always, account sales are not against the rules but they're not encouraged either. There are no random account locks going on.
sr. member
Activity: 1288
Merit: 415
May 08, 2019, 02:39:29 PM
#49
I feel uneasy too!

I don't think there is any moderation issue even if accounts change hands, until it's proven to be hacked by the original owner. (IPs and email changes do not prove that the account is hacked; it rather could be sold.)

Also, if the original owner is concerned about his account being hacked, he could personally lock it through the email.

I don't want to sound bad, but at least a clarification about how the process goes would help, so that everyone could protect their accounts from being locked without a warning.
hero member
Activity: 2268
Merit: 960
May 08, 2019, 02:36:30 PM
#48
Can we have a list of all the forum features to which the mysterious newbies have access?

Sounds like they have access to IPs and old sec/mod logs, do they have access to PMs?

everyone has access to our PMs because we use Cloudflare now
copper member
Activity: 2338
Merit: 4543
May 08, 2019, 02:11:51 PM
#47
Can we have a list of all the forum features to which the mysterious newbies have access?

Sounds like they have access to IPs and old sec/mod logs, do they have access to PMs?
legendary
Activity: 1789
Merit: 2535
Goonies never say die.
May 08, 2019, 02:04:19 PM
#46
How many Cryptios employees can see the IP address(es) of forum users?
hero member
Activity: 1806
Merit: 672
May 08, 2019, 01:46:33 PM
#45
Does Cryptios have any thread with regards to their account recovery or sort of a list for their attempts here in the forum? If they don't have one yet I think they should because it would be great to see how they have succeeded (or failed) on every account they try to recover. Another thing is that it will be an added transparency other forum members will be interested to see.
legendary
Activity: 3654
Merit: 8909
https://bpip.org
May 08, 2019, 12:42:34 PM
#44
I feel seriously uneasy about this and I don't think it's the burrito. So let's say if I change my e-mail address, get a new Tor circuit, and want to entertain my Russian friends with the help of Google Translate, will my account get locked because someone felt like it? I mean I get the "private forum so you got no rights here" vibe but it always used to err on the side of all kinds of shit being allowed. And I can live with the consequences of fucking something up myself but this "help with moderation" sounds a bit too nebulous.

If we're running out of things to do with the IP addresses and whatnot may I suggest to crack down on ban evasions instead.
legendary
Activity: 1568
Merit: 2037
May 08, 2019, 12:14:54 PM
#43
Thanks for clarifying, I wasn't aware there was also a moderation aspect involved; apart from obviously anything you chose to do being Admin.

I can see some accounts causing worries and possibly warranting a preemptive lock for safety/security; such as Mods, Merit sources, "forum trusted escrow" etc. Again I don't see what you guys see, I'm just wondering what they would need to do in this case. Perhaps they bought the account - not that I encourage this - what would they have to post to regain the account.

I definitely understand needing the ability to lock accounts once the recovery process is started. It just seemed a slippery slope to me in this instance before anyone involved or potentially involved with the account raised a concern. As you said though you've been doing this for a while, I only noticed this as it was stated in the thread.

Thanks again for taking the time to clarify the role and stance of Cryptios
copper member
Activity: 2996
Merit: 2374
May 08, 2019, 12:11:32 PM
#42
I came across something today, and I'd like to get further clarification on a couple of things.

1) Scope of the service Cryptios is offering to the forum. I was under the impression it was solely for account recoveries.
2) Forum policy regarding Locking accounts suspected to have been hacked, sold or otherwise changed hands.

I'm concerned about action being taken without the account recovery process being started by anyone claiming ownership of the account. I've quoted the post below. I can understand the reasoning behind taking action, if forum policies have changed. Currently though this seems to be an overreach, and has the potential to lock people's accounts unnecessarily. I don't think an account should be locked without the recovery process being started.

Well spotted! It appears that this account has indeed changed hands as the email address was changed on July 22, 2017, alongside with posting and IP patterns. I've now locked it! In the meantime, DT members can go ahead and paint it red until (and if) we determine the real owner.

Thank you for bringing this up!
https://bitcointalksearch.org/topic/this-guy-is-asking-for-merit-which-should-be-earned-and-not-asked-5140656

I would suggest that theymos review the above thread and manage expectations as to when actions should be taken, and when/what information should be disclosed publicly. ETA/ (and when information should be accessed)
administrator
Activity: 3962
Merit: 3184
May 08, 2019, 11:55:23 AM
#41
Cryptios also helps out with some basic moderation.
There is no change in forum policy.
Regarding the post above: In the years I've handled recoveries I've come across quite a few similar cases where the account was compromised with a fair degree of certainty and it was safer for everyone that the account be locked until it was claimed. In this case we temporarily locked it to check if anyone claimed it. It's worth noting that not all the accounts that people are trying to recover are locked to begin with. So we need to be able to lock them until the recovery process is completed.
legendary
Activity: 1568
Merit: 2037
May 08, 2019, 10:37:48 AM
#40
I came across something today, and I'd like to get further clarification on a couple of things.

1) Scope of the service Cryptios is offering to the forum. I was under the impression it was solely for account recoveries.
2) Forum policy regarding Locking accounts suspected to have been hacked, sold or otherwise changed hands.

I'm concerned about action being taken without the account recovery process being started by anyone claiming ownership of the account. I've quoted the post below. I can understand the reasoning behind taking action, if forum policies have changed. Currently though this seems to be an overreach, and has the potential to lock people's accounts unnecessarily. I don't think an account should be locked without the recovery process being started.

Well spotted! It appears that this account has indeed changed hands as the email address was changed on July 22, 2017, alongside with posting and IP patterns. I've now locked it! In the meantime, DT members can go ahead and paint it red until (and if) we determine the real owner.

Thank you for bringing this up!