Topic: weird pm received (Read 1094 times)

here is a quote.

I also am locking the thread.

Rather than dreaming up hypothetical scenarios about what he didn’t do (but maybe could have?), I am more worried about what a malicious blackhat will do without sending any PMs to anybody.  Not “if”, but “when”.

Also, “harassed” is an interesting word for “gave sound advice, which in some cases was sorely needed.”


...

Maybe he should have written a thread about it rather than going around trying to break people's security, then threatening them via PM.  Maybe?

What would he have done if he was able to break into one of the accounts he harassed?

xkcd 565, “Security Question”.

Seriously, I do think that some companies are probably exploiting this fantastically stupid insecurity misfeature to suck more personal details out of people.  There is no way that such ill-conceived security theatre could be so popular, unless someone benefits.  It is widespread on sites owned by companies that make money off of personal data.  These companies have professional security teams, who should know better.  People answer these questions with all sorts of obscure details about themselves.  Cui bono?

---

It seems not obvious at all.  Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

The PM he sent doesn’t make sense for gaining access to the accounts.  It provided good advice.  The way he benignly flushed out two DT accounts with extremely poor “secret question” answers was a work of art.  I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.  And no need to rehash the first three pages of discussion on this thread.

He might only be targeting DT1 members with the PM, but I didn't get one either.  Maybe my account isn't worth the time.   

I'm wondering if this is the same shithead that's been trying to change The Pharmacist's password through email reset.  It seems rather obvious that it's a phishing type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting.  Maybe he's trying to engage people into a discussion, and convince them he's a staff member or an admin, then trick them into leaking more account details?

I have considered not using that security question, its very risky for me. I prefer to use a strong password and might consider changing it periodically after someone tries to hack into my account by forget password. I feel silly knowing that someone did it, but actually it surprised me.

So for now, I have to sign the message just in case because I'm really starting to worry if hackers try something more extreme. Please quote and verify me.

---

Done.

It's safe not to set it up. If it locks the account and do not help to get recover the account then the feature is not helping at all. It's without any purpose and better to disable it.

I know he can but this is not a service thread in marketplace so I did not think it was worth mentioning. The discussion is not old too. Many users are still making their posts. It was assumable that in few hours we will have more comments.

He can do it, but it must be more than 24 hours from his first post. But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.

There is confusion here as to why this feature is not closed. There's a message stating that the feature is not recommended as it could be a second password to access the account if someone guesses the answer correctly, but it's not closed yet. I checked mine, luckily I never used this security feature.

I couldn't resist I set this as a secret question (with a very long random string as answer), but after that, the answer showed an empty field and the why is this blank? link showed "disabled". So I got nervous and wiped it again.

newalias, the forum rules prevent you to post two response in a row.
No, this was not the threat. It was okay for users.

I would say for THIS users felt threaten. You said to get back to you and you said it in PM which was concerning for them. Assuming you had good intention but in the forum we are designed to feel threaten when something comes from a new account. We have been gone through some hacks and phishing attacks are regular things.

I hope others see the same that I realized after paying better attention to your PM.

I received the PM same day this thread was created as well, it was looking wired but it serve it purpose. I haven't visited my Account Related Settings page for a very long time so I didn't know I added that option when I created my account and the secret question wasn't that secret as I have disclosed it severally while participating in discussion on the forum.  I don't blame myself as I wasn't as knowledgeable as I'm now back then when I created my account.

I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was wired. Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..

I dont see a problem with this statement. This means there is some trick* AND I would discuss it with the most trusted person being in charge. This implies that I will not speak with anyone else or sell the trick to bad guys.

*This trick allowed me to scan whole DT for secret question set. It also allows to bruteforce passwords and security answers by the way. This was the intention - to make clear that security answers can be bruteforced, so they are even weaker.

---

I have to admit that this was not okay. Sorry.

Better I had written sth like "I will check again if you have a security question in place after 5 days. If you want to keep security question, please be advised of the disadvantages (link) and shortly confirm to me that your security answers entropy is sufficient (ie at least as high as your passwords entropy). If nothing happens, I will notify the board administration to ensure DefaultTrust integrity". Next time I would do so. It was never my intention to threat someone.

Yes (provided that there were no additional forum hacks after 2015).

I had a chance to read the whole PM with a cool mind, paid full attention and without been biased. When a PM comes from a lower rank member we usually think something is not right. It's the forum experience that led us to have this suspicious mind.

Read the PM posted again but without considering followings lines
This is what happened to me when I read get back to me. The moment I read it, I had in mind that this is it, this user was trying to get information from OP and other users.

Read the full PM again. It seems the user's native language is not English. Some choices of words clearly tells that he used translator to pick the words. Yes I agree with buwaytress some words sounds offensive. But I feel that this was not an intent to get something bad from it.

The user asked you to get back to him, could be to suggest you to remove the secret question. If you do not then he will inform theymos so theymos can consider to remove the security question feature entirely for the safety of DT member. It seems he thinks DT members are the ones who need to stay safe so his all effort were to be sure DT accounts are safe.

They only sent the PM to those who had security questions turned on. Somewhere theymos also said that it is not recommended to use security questions because it locks your account and some other hassles when you try to recover the account.

Oh hey, so I am spending now more time in Meta the past 2 weeks than in my entire bitcointalk lifetime, seem to be crawling down rabbit holes from user posts and ending up here.

So just also realised now I had a completely different reaction to most posts in here -- I replied to newalias actually and explained why I felt my confidence in my answer (a language method I also use for some seed phrases). He actually agreed, though said I shouldn't have given clues to my method. I still think explaining it doesn't help anyone with any software, my answer is as good as a long random string (I believe).

Despite that, I deleted my security question.

Had no idea the whole event already generated a thread here until I looked up his profile now.

Thought to mention here, some small realisation afforded to me because English was my third language (though now practically my first) -- I almost can understand the true "intent" of people in different types of English heh. Reading his PM, I felt no shade of bad behaviour at all, somehow I even understood the meaning behind his "frozen" claim (which he seems to have proven now).

I don't think he was naive though, I do think he comes off as having a slight dick attitude. Personally never found anything wrong with that, and now I see he's German, I totally get it, and I'm not trying to be offensive, many Southeast Asians will find the German's English deliberately dickish heh.

newalias, you've done the forum a favour, hopefully. But you know, you can't always equate a lack of good security behaviour with being dumb. Intelligence, self-awareness and wisdom aren't always on the same page and sometimes live in the same room as recklessness.

As nullius also pointed out, you didn't remove the red trust so you're not infallible yourself.

Now there. I hope not to post in Meta again so soon. I don't know how to act in here.

Non sequitur.  Nothing that you said indicates that the user deserves negative trust feedback, or speaks to his trustworthiness in any way.  Beyond that:

First of all, you are creatively rewriting history.  Look back to the beginning of the thread.  You were so scared that you had been hacked, you self-quoted from another account to preserve your post.

Zeroth of all, you have now passed beyond the realm of security theatre into Rube Goldberg style security.  Guess what:  My Bitcoin wallet has “no [secret] question at all” (of this type).  Would it be made “far superior”, if a ridiculously weak insecurity misfeature were added, and then misused in a way that’s less weak?  Please advise:  I am considering the possibility that I may write my own Bitcoin wallet software.

Reductio ad absurdum, would my wallet “fucking help hackers” by only using poor, weak little Bitcoin public keys, without a “secret question” insecurity mechanism?  Should I draft a BIP to add a consensus feature that lets people somehow add coin recovery questions on the blockchain, if they can leave it blank as you describe?  Would that improve Bitcoin’s security to be “far superior” to what it now is?

I think that you and some others still don’t understand that the whole “secret question” feature is strictly a negative to security, with no security benefits whatsoever.  It was originally an account recovery mechanism:  A per-account backdoor to gain access to an account, without knowing the password.  As mprep informed us, it was changed in 2015 to be “only” a way to lock an account without the password.

I have no “secret question” set on any of my Bitcoin Forum accounts.  My accounts are surely more secure than yours.  You still believe that you can nonsensically add security with a misfeature designed to undermine security; that indicates to me that you do not know how to secure an account.

---

When I first checked his account after this thread began, he had only one received feedback of any kind:  willi9974’s negative dated 2022-07-07, now removed.  As of early yesterday, he did not have any negative feedbacks not pertaining to this incident.

I don’t know why you think that sent feedback is relevant.  I myself have only rarely sent positive feedback.  In my case, that is intentional and well-considered.  I have written essays as to why—even posted a policy noting this.
Anyway, I don’t see why you would issue negative feedback partly on the basis that someone does not trust anyone here.


As I indicated in my initial post on this thread, I thought it was clumsy and naïve.  I think it’s likely that newalias did not foresee the nature of many people’s reactions.  I have seen it before in security contexts:  Someone tries to be helpful, in a way that inadvertently incites suspicions—even panic.

Pending investigation, a precautionary negative feedback may arguably have been warranted.  Well, I do not agree with it; but I also don’t think it necessarily shows poor judgment.  willi9974’s tag said said he received a suspicious PM.  In my opinion, it was hasty; but it was not so unreasonable, in the circumstance.

You and uelque both gave bad security advice in your feedback—as if the “secret question” misfeature were beneficial to security.  You both also jumped to conclusions about a malicious hack.  In my opinion, that shows poor judgment.  I do not want such tags above the fold in my view of trust pages.

greenplastic’s tag was beyond the pale:  A string of all-caps profanities, with no explanation.  That shows extremely poor judgment.

I also disagree with your interpretation of the PM’s wording—with how you read it.

But thank you for explaining; I am glad better to understand your thought process.  I hope you better understand my own thought process from this post.

For my part:  I just saw this thread and thought, “Oh, no.  This fellow is about to be mobbed.”  I do not know newalias, and could not vouch for his intentions; caution was indicated.  But I strongly disagreed with how it seemed that everyone else thus far was jumping to conclusions.  It looked to me more likely than not that he was attempting to improve forum security—maybe going about it in a misguided way, liable to be misunderstood.  I have always detested that stupid “secret question”—thus the strength of my reaction here.

hahha i receive the PM yesterday and I ask to him

are u trying sell security program but he said that I must delete the security question in my account  I think this person DM high ranking member

Okay, seems to make sense to me.
I actually have said above, that it should be a small chance if you are trying to hijack DT member accounts.
I guess you understand it, right?

---

Don't misunderstand or judge too early!!

How do you define success? If you think success is hijacking your account you are wrong.

Agree. He should have criteria, I assume he is likely to target high-rank accounts.
He may start with DT members, then he will target random members.

In my opinion, that account only tried to make chaos since he won't succeed if he targeted DT members. DT members won't be easily trapped by that weird PM, only careless members can be the victims.

By the way, it is a bit strange why he did this. He must know if he won't have a chance to succeed, but he did it. If he really wants to make chaos or suspicion among the members, what his goals exactly? 

---

I also got that weird PM.