Topic: weird pm received

legendary
Activity: 4116
Merit: 7849
'The right to privacy matters'
July 08, 2022, 11:45:35 PM
#74
I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was weird. Why hasn't theymos disabled that secret question option? Basically anybody close could easily guess this so-called secret question, especially mine (which has been removed though).
I have considered not using that security question; it's very risky for me. I prefer to use a strong password and might consider changing it periodically after someone tries to hack into my account via "forgot password". I feel silly knowing that someone did it, but actually it surprised me.

So for now, I have to sign the message just in case because I'm really starting to worry if hackers try something more extreme. Please quote and verify me.

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
I _BlackStar, signed this message after someone tried to hack my account a few days ago. This will serve to verify me in the future if this account changes hands.
-----BEGIN SIGNATURE-----
bc1qlctkn6lrzx2sffkfzt6yv6klles72dfdvd3jas
H0K9q5/RICREjfd2h3mvyjZGXqgt1JUH5amrlsZ4Z2DzXYSpdaHCgryUffXw2UGPOOk5GT3ndp0Dw0UkI8KwcYo=
-----END BITCOIN SIGNED MESSAGE-----



But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.
Done.

Here is a quote.

I also am locking the thread.
copper member
Activity: 630
Merit: 2610
If you don’t do PGP, you don’t do crypto!
July 08, 2022, 08:34:45 PM
#73
What would he have done if he was able to break into one of the accounts he harassed?

Rather than dreaming up hypothetical scenarios about what he didn’t do (but maybe could have?), I am more worried about what a malicious blackhat will do without sending any PMs to anybody.  Not “if”, but “when”.

Also, “harassed” is an interesting word for “gave sound advice, which in some cases was sorely needed.”

Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

Maybe he should have written a thread about it rather than going around trying to break people's security, then threatening them via PM.  Maybe?

...

I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.  And no need to rehash the first three pages of discussion on this thread.
How else could this point have been made?
By creating a thread in Meta.

IIRC, I have made various suggestions in Meta for improving account security.  IIRC, so has OgNasty.  So have others...

The response is always either silence, or “new forum software” vapourware which has only been in development for, what, about seven or eight years?
However, methods like this are unacceptable

At least he understands the problem now.

I can't say I grasp the series of events and the timeline, but warning someone about a potential issue with their password, then demonstrating that it was an issue after being ignored without compromising anything seems like the right way to do it?  How else could this point have been made?
copper member
Activity: 2170
Merit: 4238
Join the world-leading crypto sportsbook NOW!
July 08, 2022, 06:56:27 PM
#72
Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

Maybe he should have written a thread about it rather than going around trying to break people's security, then threatening them via PM.  Maybe?

What would he have done if he was able to break into one of the accounts he harassed?
copper member
Activity: 630
Merit: 2610
If you don’t do PGP, you don’t do crypto!
July 08, 2022, 06:34:28 PM
#71

xkcd 565, “Security Question”.


Seriously, I do think that some companies are probably exploiting this fantastically stupid insecurity misfeature to suck more personal details out of people.  There is no way that such ill-conceived security theatre could be so popular, unless someone benefits.  It is widespread on sites owned by companies that make money off of personal data.  These companies have professional security teams, who should know better.  People answer these questions with all sorts of obscure details about themselves.  Cui bono?


It seems rather obvious that it's a phishing type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting.  Maybe he's trying to engage people into a discussion, and convince them he's a staff member or an admin, then trick them into leaking more account details?

It seems not obvious at all.  Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

The PM he sent doesn’t make sense for gaining access to the accounts.  It provided good advice.  The way he benignly flushed out two DT accounts with extremely poor “secret question” answers was a work of art.  I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.  And no need to rehash the first three pages of discussion on this thread.

I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
copper member
Activity: 2170
Merit: 4238
Join the world-leading crypto sportsbook NOW!
July 08, 2022, 04:51:38 PM
#70
No PM for me, I feel left out. Maybe that's because trying to restore my account through security questions shows:
Code:
Sorry, there is no secret question set for this member.

He might only be targeting DT1 members with the PM, but I didn't get one either.  Maybe my account isn't worth the time.

I'm wondering if this is the same shithead that's been trying to change The Pharmacist's password through email reset.  It seems rather obvious that it's a phishing type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting.  Maybe he's trying to engage people into a discussion, and convince them he's a staff member or an admin, then trick them into leaking more account details?
legendary
Activity: 1064
Merit: 1228
July 08, 2022, 04:28:16 PM
#69
I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was weird. Why hasn't theymos disabled that secret question option? Basically anybody close could easily guess this so-called secret question, especially mine (which has been removed though).
I have considered not using that security question; it's very risky for me. I prefer to use a strong password and might consider changing it periodically after someone tries to hack into my account via "forgot password". I feel silly knowing that someone did it, but actually it surprised me.

So for now, I have to sign the message just in case because I'm really starting to worry if hackers try something more extreme. Please quote and verify me.

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
I _BlackStar, signed this message after someone tried to hack my account a few days ago. This will serve to verify me in the future if this account changes hands.
-----BEGIN SIGNATURE-----
bc1qlctkn6lrzx2sffkfzt6yv6klles72dfdvd3jas
H0K9q5/RICREjfd2h3mvyjZGXqgt1JUH5amrlsZ4Z2DzXYSpdaHCgryUffXw2UGPOOk5GT3ndp0Dw0UkI8KwcYo=
-----END BITCOIN SIGNED MESSAGE-----



But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.
Done.
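As an added example (not code from the post or from the forum), the following Python parses the armored Bitcoin signed message quoted above, decodes its signature header byte per BIP-137 and computes the message digest a verifier recovers the public key from; it does not perform the ECDSA recovery itself, so it is a structural pre-check rather than a full verifier. The "lenient" result flags the common case where an Electrum-style 31-34 header is paired with a bech32 address, which strict BIP-137 verifiers reject even when the signature is good.

```python
import base64
import hashlib

# Constructed copy of the armored block quoted in the post above (post #69).
SIGNED_BLOCK = """-----BEGIN BITCOIN SIGNED MESSAGE-----
I _BlackStar, signed this message after someone tried to hack my account a few days ago. This will serve to verify me in the future if this account changes hands.
-----BEGIN SIGNATURE-----
bc1qlctkn6lrzx2sffkfzt6yv6klles72dfdvd3jas
H0K9q5/RICREjfd2h3mvyjZGXqgt1JUH5amrlsZ4Z2DzXYSpdaHCgryUffXw2UGPOOk5GT3ndp0Dw0UkI8KwcYo=
-----END BITCOIN SIGNED MESSAGE-----"""

BEGIN_MSG = "-----BEGIN BITCOIN SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN SIGNATURE-----"
END_MSG = "-----END BITCOIN SIGNED MESSAGE-----"
# BIP-137 header byte: 27-30 P2PKH uncompressed, 31-34 P2PKH compressed, 35-38 P2SH-P2WPKH,
# 39-42 P2WPKH (bech32); the low two bits of (header - 27) carry the recovery id.
KEY_TYPES = ["p2pkh_uncompressed", "p2pkh_compressed", "p2sh_p2wpkh", "p2wpkh"]


def parse_armored(block: str) -> dict:
    """Split the armored text into message, address and the raw 65-byte compact signature."""
    lines = [ln.rstrip("\r") for ln in block.strip().split("\n")]
    if len(lines) < 4 or lines[0] != BEGIN_MSG or lines[-1] != END_MSG or BEGIN_SIG not in lines:
        raise ValueError("missing BEGIN/END BITCOIN SIGNED MESSAGE or BEGIN SIGNATURE marker")
    sig_idx = lines.index(BEGIN_SIG)
    message = "\n".join(lines[1:sig_idx])  # the signed text may span several lines
    tail = [ln.strip() for ln in lines[sig_idx + 1:-1] if ln.strip()]
    if len(tail) != 2:
        raise ValueError("expected exactly one address line and one signature line")
    sig = base64.b64decode(tail[1], validate=True)
    if len(sig) != 65:
        raise ValueError(f"compact signature must be 65 bytes, got {len(sig)}")
    return {"message": message, "address": tail[0], "signature": sig}


def decode_header(header: int) -> dict:
    """Decode the first signature byte into recovery id and the claimed key/address type."""
    if not 27 <= header <= 42:
        raise ValueError(f"unknown recovery header byte {header}")
    return {"recovery_id": (header - 27) & 3, "compressed": header >= 31,
            "key_type": KEY_TYPES[(header - 27) >> 2]}


def address_type(addr: str) -> str:
    """Classify a mainnet address by prefix and length (p2wsh and testnet are left out)."""
    if addr.startswith("1"):
        return "p2pkh"
    if addr.startswith("3"):
        return "p2sh"
    if addr.lower().startswith("bc1q") and len(addr) == 42:
        return "p2wpkh"
    return "unknown"


def header_address_compat(key_type: str, addr_type: str) -> str:
    """'strict' = BIP-137 pairing; 'lenient' = Electrum convention, which signs every
    address type with a 31-34 header and lets the address decide; otherwise 'mismatch'."""
    if addr_type == "p2pkh":
        return "strict" if key_type.startswith("p2pkh") else "mismatch"
    if addr_type in ("p2sh", "p2wpkh"):
        if key_type == ("p2sh_p2wpkh" if addr_type == "p2sh" else "p2wpkh"):
            return "strict"
        return "lenient" if key_type == "p2pkh_compressed" else "mismatch"
    return "mismatch"


def varint(n: int) -> bytes:
    """Bitcoin CompactSize length prefix (1 or 3 bytes, enough for messages under 64 KiB)."""
    if n > 0xFFFF:
        raise ValueError("message too long for this helper")
    return bytes([n]) if n < 0xFD else b"\xfd" + n.to_bytes(2, "little")


def message_digest(message: str) -> bytes:
    """Double-SHA256 over the magic prefix + message: the hash the public key is recovered from."""
    body = message.encode("utf-8")
    data = b"\x18Bitcoin Signed Message:\n" + varint(len(body)) + body
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def inspect_signed_message(block: str) -> dict:
    """Structural pre-check of an armored block; no ECDSA recovery is performed here."""
    parts = parse_armored(block)
    hdr = decode_header(parts["signature"][0])
    a_type = address_type(parts["address"])
    return {**parts, **hdr, "header": parts["signature"][0], "address_type": a_type,
            "compat": header_address_compat(hdr["key_type"], a_type),
            "digest": message_digest(parts["message"])}
```

For the quoted block, `inspect_signed_message` reports header byte 31 (compressed key, recovery id 0) against a P2WPKH address, i.e. the Electrum pairing; feed the returned digest, recovery id and address to a secp256k1 recovery routine to complete the verification.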
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
July 08, 2022, 01:49:34 PM
#68
I couldn't resist. I set this as a secret question (with a very long random string as answer), but after that, the answer showed an empty field and the "why is this blank?" link showed "disabled". So I got nervous and wiped it again.
It's safe not to set it up. If it locks the account and does not help to recover the account, then the feature is not helping at all. It's without any purpose and better to disable it.

He can do it, but it must be more than 24 hours from his first post. But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.
I know he can, but this is not a service thread in the marketplace so I did not think it was worth mentioning. The discussion is not old either. Many users are still making their posts. It was assumable that in a few hours we would have more comments.
legendary
Activity: 2464
Merit: 2094
July 08, 2022, 12:11:52 PM
#67
newalias, the forum rules prevent you from posting two responses in a row.
He can do it, but it must be more than 24 hours from his first post. But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.

Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..
There is confusion here as to why this feature is not closed. There's a message stating that the feature is not recommended as it could be a second password to access the account if someone guesses the answer correctly, but it's not closed yet. I checked mine, luckily I never used this security feature.

Quote
Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.
hero member
Activity: 1643
Merit: 683
LoyceV on the road. Or couch.
July 08, 2022, 11:31:04 AM
#66
Simplest thing I have seen in DefaultTrust was "1+1" with answer
I couldn't resist. I set this as a secret question (with a very long random string as answer), but after that, the answer showed an empty field and the "why is this blank?" link showed "disabled". So I got nervous and wiped it again.
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
July 08, 2022, 09:58:22 AM
#65
newalias, the forum rules prevent you from posting two responses in a row.
Quote
I don't see a problem with this statement. This means there is some trick* AND I would discuss it with the most trusted person being in charge. This implies that I will not speak with anyone else or sell the trick to bad guys.
No, this was not the threat. It was okay for users.

Quote
Please get back to me stating how you improved account security
I would say for THIS, users felt threatened. You said to get back to you, and you said it in a PM, which was concerning for them. Assuming you had good intentions, but in the forum we are designed to feel threatened when something comes from a new account. We have gone through some hacks, and phishing attacks are regular things.

I hope others see the same that I realized after paying better attention to your PM.
legendary
Activity: 2240
Merit: 4133
eXch.cx - Automatic crypto Swap Exchange.
July 08, 2022, 09:53:47 AM
#64
I received the PM the same day this thread was created as well; it was looking weird but it served its purpose. I haven't visited my Account Related Settings page for a very long time, so I didn't know I added that option when I created my account, and the secret question wasn't that secret as I have disclosed it several times while participating in discussions on the forum.  I don't blame myself as I wasn't as knowledgeable as I am now back then when I created my account.

I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was weird. Why hasn't theymos disabled that secret question option? Basically anybody close could easily guess this so-called secret question, especially mine (which has been removed though).
copper member
Activity: 143
Merit: 85
July 08, 2022, 09:31:21 AM
#63
Quote
Captcha is useless as I use some trick I will only discuss with theymos.

I don't see a problem with this statement. This means there is some trick* AND I would discuss it with the most trusted person being in charge. This implies that I will not speak with anyone else or sell the trick to bad guys.

*This trick allowed me to scan the whole DT for secret questions set. It also allows brute-forcing passwords and security answers, by the way. This was the intention: to make clear that security answers can be brute-forced, so they are even weaker.



Quote
Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I have to admit that this was not okay. Sorry.

Better I had written something like "I will check again whether you have a security question in place after 5 days. If you want to keep the security question, please be advised of the disadvantages (link) and briefly confirm to me that your security answer's entropy is sufficient (i.e. at least as high as your password's entropy). If nothing happens, I will notify the board administration to ensure DefaultTrust integrity". Next time I would do so. It was never my intention to threaten someone.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 08, 2022, 07:24:59 AM
#62
Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.
Members after that time when it was leaked are safe? Is that correct?
Yes (provided that there were no additional forum hacks after 2015).
legendary
Activity: 2702
Merit: 2645
Farewell LEO: o_e_l_e_o
July 08, 2022, 06:31:04 AM
#61
I had a chance to read the whole PM with a cool mind, paying full attention and without being biased. When a PM comes from a lower rank member we usually think something is not right. It's the forum experience that led us to have this suspicious mind.

Read the PM posted again but without considering the following lines
Quote
Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.
Quote
Captcha is useless as I use some trick I will only discuss with theymos.
This is what happened to me when I read "get back to me". The moment I read it, I had in mind that this is it, this user was trying to get information from OP and other users.

Read the full PM again. It seems the user's native language is not English. Some choices of words clearly tell that he used a translator to pick the words. Yes, I agree with buwaytress that some words sound offensive. But I feel that this was not an intent to get something bad from it.

The user asked you to get back to him, which could be to suggest that you remove the secret question. If you do not, then he will inform theymos so theymos can consider removing the security question feature entirely for the safety of DT members. It seems he thinks DT members are the ones who need to stay safe, so all his effort was to be sure DT accounts are safe.

They only sent the PM to those who had security questions turned on. Somewhere theymos also said that it is not recommended to use security questions because it locks your account and some other hassles when you try to recover the account.
legendary
Activity: 2758
Merit: 3408
Join the world-leading crypto sportsbook NOW!
July 08, 2022, 12:19:18 AM
#60
Oh hey, so I am spending now more time in Meta the past 2 weeks than in my entire bitcointalk lifetime, seem to be crawling down rabbit holes from user posts and ending up here.

So just also realised now I had a completely different reaction to most posts in here -- I replied to newalias actually and explained why I felt my confidence in my answer (a language method I also use for some seed phrases). He actually agreed, though said I shouldn't have given clues to my method. I still think explaining it doesn't help anyone with any software, my answer is as good as a long random string (I believe).

Despite that, I deleted my security question.

Had no idea the whole event already generated a thread here until I looked up his profile now.

Thought to mention here, some small realisation afforded to me because English was my third language (though now practically my first) -- I almost can understand the true "intent" of people in different types of English heh. Reading his PM, I felt no shade of bad behaviour at all, somehow I even understood the meaning behind his "frozen" claim (which he seems to have proven now).

I don't think he was naive though, I do think he comes off as having a slight dick attitude. Personally never found anything wrong with that, and now I see he's German, I totally get it, and I'm not trying to be offensive, many Southeast Asians will find the German's English deliberately dickish heh.

newalias, you've done the forum a favour, hopefully. But you know, you can't always equate a lack of good security behaviour with being dumb. Intelligence, self-awareness and wisdom aren't always on the same page and sometimes live in the same room as recklessness.

As nullius also pointed out, you didn't remove the red trust so you're not infallible yourself.

Now there. I hope not to post in Meta again so soon. I don't know how to act in here.
copper member
Activity: 630
Merit: 2610
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 09:53:45 PM
#59
I think he deserves the neg trust. As I stated my question was there but was already in a disabled state. So it is far superior than no question at all. Since a hacker would spend all eternity and get nowhere trying to answer the question.

It was what is the name of my wife's father.

A hacker could have tried every name ever written in the human race and have no answer.

Since I knew my secret question was disabled but listed, I had created a time-waster trap for hackers, which this moron fucked up with his clever hacking bs.

So frankly his so-called well-intended deed fucking helps hackers since they now know a security question can be disabled and thus unanswerable.

Non sequitur.  Nothing that you said indicates that the user deserves negative trust feedback, or speaks to his trustworthiness in any way.  Beyond that:

First of all, you are creatively rewriting history.  Look back to the beginning of the thread.  You were so scared that you had been hacked, you self-quoted from another account to preserve your post.

Zeroth of all, you have now passed beyond the realm of security theatre into Rube Goldberg style security.  Guess what:  My Bitcoin wallet has “no [secret] question at all” (of this type).  Would it be made “far superior”, if a ridiculously weak insecurity misfeature were added, and then misused in a way that’s less weak?  Please advise:  I am considering the possibility that I may write my own Bitcoin wallet software.

Reductio ad absurdum, would my wallet “fucking help hackers” by only using poor, weak little Bitcoin public keys, without a “secret question” insecurity mechanism?  Should I draft a BIP to add a consensus feature that lets people somehow add coin recovery questions on the blockchain, if they can leave it blank as you describe?  Would that improve Bitcoin’s security to be “far superior” to what it now is?

I think that you and some others still don’t understand that the whole “secret question” feature is strictly a negative to security, with no security benefits whatsoever.  It was originally an account recovery mechanism:  A per-account backdoor to gain access to an account, without knowing the password.  As mprep informed us, it was changed in 2015 to be “only” a way to lock an account without the password.

I have no “secret question” set on any of my Bitcoin Forum accounts.  My accounts are surely more secure than yours.  You still believe that you can nonsensically add security with a misfeature designed to undermine security; that indicates to me that you do not know how to secure an account.


This PM didn't come from a high-ranked user, a moderator, or from a highly trusted member. On the contrary, it came from a low-ranked member that has only negative feedback on their trust (both given & taken). If what I said is not clear, this user since 2019 has only provided negative feedback to other users, and not a single positive one (+ the negative feedback that they have received so far).
Furthermore, there is a warning on their trust feedback page, that "This user's email address was changed recently."

When I first checked his account after this thread began, he had only one received feedback of any kind:  willi9974’s negative dated 2022-07-07, now removed.  As of early yesterday, he did not have any negative feedbacks not pertaining to this incident.

I don’t know why you think that sent feedback is relevant.  I myself have only rarely sent positive feedback.  In my case, that is intentional and well-considered.  I have written essays as to why—even posted a policy noting this.
General note:  I am extremely conservative in matters of trust.  I do not trust easily; and most of all, I do not vouch lightly.
Anyway, I don’t see why you would issue negative feedback partly on the basis that someone does not trust anyone here.

Generally speaking, when someone (with purely good intentions) are contacting me, letting me know of possible security breaches, and providing me with advice and optional solutions to overcome a possible threat, I am thankful.

What happened here is completely different though. I received a PM from a user that I didn't know & never interacted with before. The topic of the PM was "(No subject)" & it was sent to "(Undisclosed recipients)", hence not directed explicitly to me (it was not intended for only me, but for unknown recipients).

In the beginning, there was a short introduction about a "potential" forum security issue, and a mention of their achievement that they have already frozen a user account because the user didn't follow their security standards. (ie they took the law into their hands, and executed it accordingly leaving the user with a locked/frozen account -just because they could-, instead of informing a moderator about the situation and letting them handle it in the most appropriate way).

Then, things started getting a bit more interesting. This user demanded me not only to change my security settings but to also report back to them (secretly via PMs) stating how I improved my account security (ie providing them details about my security settings and the way I "improved" them - ie changed them). Not only that, but they also threatened me that if I do not comply and they do not get a reply back from me, they will report me to the board administration "for our all safety".

Hence, in my point of view, someone was sending PM's acting as forum police, making demands and threats, without even having the authority of doing so, having as an excuse a very critical forum security issue (security question in place).

As I indicated in my initial post on this thread, I thought it was clumsy and naïve.  I think it’s likely that newalias did not foresee the nature of many people’s reactions.  I have seen it before in security contexts:  Someone tries to be helpful, in a way that inadvertently incites suspicions—even panic.

Pending investigation, a precautionary negative feedback may arguably have been warranted.  Well, I do not agree with it; but I also don’t think it necessarily shows poor judgment.  willi9974’s tag said he received a suspicious PM.  In my opinion, it was hasty; but it was not so unreasonable, in the circumstance.

You and uelque both gave bad security advice in your feedback—as if the “secret question” misfeature were beneficial to security.  You both also jumped to conclusions about a malicious hack.  In my opinion, that shows poor judgment.  I do not want such tags above the fold in my view of trust pages.

greenplastic’s tag was beyond the pale:  A string of all-caps profanities, with no explanation.  That shows extremely poor judgment.

I also disagree with your interpretation of the PM’s wording—with how you read it.

But thank you for explaining; I am glad better to understand your thought process.  I hope you better understand my own thought process from this post.

For my part:  I just saw this thread and thought, “Oh, no.  This fellow is about to be mobbed.”  I do not know newalias, and could not vouch for his intentions; caution was indicated.  But I strongly disagreed with how it seemed that everyone else thus far was jumping to conclusions.  It looked to me more likely than not that he was attempting to improve forum security—maybe going about it in a misguided way, liable to be misunderstood.  I have always detested that stupid “secret question”—thus the strength of my reaction here.
copper member
Activity: 1988
Merit: 905
Part of AOBT - English Translator to Indonesia
July 07, 2022, 09:40:19 PM
#58
Hahaha, I received the PM yesterday and I asked him:

"Are you trying to sell a security program?" But he said that I must delete the security question in my account. I think this person DMs high-ranking members.
legendary
Activity: 2198
Merit: 1086
Free Bitcoins Every Hour!
July 07, 2022, 08:16:36 PM
#57
How do you define success? If you think success is hijacking your account you are wrong.
Okay, seems to make sense to me.
I actually have said above, that it should be a small chance if you are trying to hijack DT member accounts.
I guess you understand it, right?



Don't misunderstand or judge too early!!

copper member
Activity: 143
Merit: 85
July 07, 2022, 07:28:12 PM
#56
Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.
I have not received the PM yet which means I am not in DT too 😉? My bet, the user is targeting people with some other criteria not just a DT.
Agree. He should have criteria, I assume he is likely to target high-rank accounts.
He may start with DT members, then he will target random members.

In my opinion, that account only tried to make chaos since he won't succeed if he targeted DT members. DT members won't be easily trapped by that weird PM, only careless members can be the victims.

By the way, it is a bit strange why he did this. He must know that he won't have a chance to succeed, but he did it. If he really wants to make chaos or suspicion among the members, what are his goals exactly?



I also got that weird PM.



How do you define success? If you think success is hijacking your account you are wrong.
legendary
Activity: 2198
Merit: 1086
Free Bitcoins Every Hour!
July 07, 2022, 06:57:08 PM
#55
Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.
I have not received the PM yet which means I am not in DT too 😉? My bet, the user is targeting people with some other criteria not just a DT.
Agree. He should have criteria, I assume he is likely to target high-rank accounts.
He may start with DT members, then he will target random members.

In my opinion, that account only tried to make chaos since he won't succeed if he targeted DT members. DT members won't be easily trapped by that weird PM, only careless members can be the victims.

By the way, it is a bit strange why he did this. He must know that he won't have a chance to succeed, but he did it. If he really wants to make chaos or suspicion among the members, what are his goals exactly?



I also got that weird PM.
