Pages:
Author

Topic: weird pm received - page 2. (Read 1103 times)

sr. member
Activity: 2060
Merit: 405
Cryptoshi Blockomoto
July 07, 2022, 05:24:43 PM
#54
uelque and tweetious giving bad security advice in negative trust feedback shows judgment at least as bad as greenplastic leaving a tag that says, FUCK THESE FUCKING FUCKERS!! HA!  Oh, yes.  That user is currently in DT.  No wonder I love DT so very much.

tweetious called a purported intent to communicate with theymos about insecure accounts a “threat”.  If that’s a threat, then threatening people is a virtue.  He also sneers in negative trust feedback at what was actually good security advice—the same advice given in the forum’s profile UI!

Since my name was mentioned here, followed by allegations that I am giving bad security advice, and being a serial "trigger-happy with negative trust feedback" (as mentioned in the trust feedback that I received), I thought of chipping in and explaining the reasoning behind I providing such feedback.

Generally speaking, when someone (with purely good intentions) are contacting me, letting me know of possible security breaches, and providing me with advice and optional solutions to overcome a possible threat, I am thankful.

What happened here is completely different though. I received a PM from a user that I didn't know & never interacted before with. The topic of the PM was "(No subject)" & was sent to "(Undisclosed recipients)", hence not directed explicitly to me (it was not intended for only me, but to unknown recipients)

In the beginning, there was a short introduction about a "potential" forum security issue, and a mention of their achievement that they have already frozen a user account because the user didn't follow their security standards. (ie they took the law into their hands, and executed it accordingly leaving the user with a locked/frozen account -just because they could-, instead of informing a moderator about the situation and letting them handle it in the most appropriate way).

Then, things started getting a bit more interesting. This user demanded me not only to change my security settings but to also report back to them (secretly via PMs) stating how I improved my account security (ie providing them details about my security settings and the way I "improved" them - ie changed them). Not only that, but they also threaten me that if I do not comply and they do not get a reply back from me, they will report me to the board administration "for our all safety"

Hence, in my point of view, someone was sending PM's acting as forum police, making demands and threats, without even having the authority of doing so, having as an excuse a very critical forum security issue (security question in place).

This PM's didn't come from a high-ranked user, a moderator, or from a highly trusted member. In the contrary, it came from a low-ranked member that has only negative feedback on their trust (both given & taken). If what I said is not clear, this user since 2019 has only provided negative feedback to other users, and not a single positive one (+ the negative feedback that have received so far).
Furthermore, there is a warning on their trust feedback page, that "This user's email address was changed recently."

The reason for leaving negative trust feedback was not to hurt newalias reputation but to warn potential receivers of those PM's that it is a bad tactic and "bad security advice" (what nullius is accusing me that I provide) to reply to unknown senders PM's and providing sensitive security information about their account (specifically when someone is actually demanding about them, and letting them know that they will get reported if not doing so). Especially, coming from a user that claims that they have hacked/breached/tricked (whatever the right word is) the forums Captcha security system.

@newalias I have nothing against you, and I do not want to turn this into a drama. You might have the purest intentions, however, it was so badly executed that your PM actually turned into a security concern (instead of the security issue that you were forcing other users to comply with)

@nullius I disagree with you that I am a serial "trigger-happy with negative trust feedback". If you still believe so, I totally respect your opinion and have no hard feelings at all. (you can leave your trust feedback as is). My trust feedback history is open to everyone to see, hence everyone could end up to conclusions whenever I misuse the trust feedback by providing negative feedback without reasoning.
Yes, I agree that using "neutral" feedback instead of negative might have been an option. However (as said) due to the amount and the combination of all those red flags together, I wanted to do my best of triggering PM receivers (by reading my text in red), so as not to fall into a potential phishing scam attempt.

Here is the PM that I received. I have indicated in bold, all those segments that support my above elaboration.

Edit: just to be crystal clear, I do not disagree that having a security question in place, might be a security issue for your account.

Quote
Hi there,

you are member of DefaultTrust. Therefore, the security of your account is crucial.

However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!
legendary
Activity: 4256
Merit: 8551
'The right to privacy matters'
July 07, 2022, 05:21:17 PM
#53
Yeah, it was the wording of the personal message that was tripping me up. Might have been a better option to contact the admins, and say you're aware of someone's security question, they could've possibly checked, and then forced the security question to be disabled, rather than forcibly locking an account. Maybe, the admins could've messaged only those with security questions enabled, I'm not sure of the best way of going about this.

Also, not a fan of talking about the specifics of a certain users security question as that could potentially be a further security/privacy issue.

However, I think the point has been made, and hopefully this highlights the issues of a security question. Personally, I'd prefer it to be removed, but at the very least hopefully this wakes up some users to discontinue using it.

For those that are unaware; Security questions are designed in such a way, that it encourages you to ask a question, and then directly answer that question, therefore it's no longer random. We've talked about random for ages now, and how it's important to generation of passwords. So, the mere fact you come up with the question, and the answer usually means you either reduce the randomness or completely remove it. You could say you'll have a answer that's not something that's related to the question, but it likely is as we as people aren't very good at thinking randomly.

I was about to conclude that the message was only sent to high ranking members only, I just found out that DT members were the only target, I am just wondering what exactly this user is trying to achieve by this
You're much more likely to make a point, if you make it to the higher ranked users of the forum, as the point hits closer to home, than doing this to someone who is of a lower rank. The user has proven that security questions are ridiculously stupid, which we kind of knew anyway, but has highlighted that to those that don't know it.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of)
Maybe check it, and amend it if so.


I think he deserves the neg trust. As I stated my question was there but was already in a disabled state. So it is far superior then no question at all. Since a hacker would spend all eternity and get no where trying to answer the question.

It was what is the name of my wife's father.

A hacker could have tried every name ever written in the human race and have no answer.

Since I knew I my secret question was disabled but listed I had created a time waster trap for hacker's which this moron fucked up with his clever hacking bs.

So frankly his so called well intended deed fucking helps hackers since they now know security question can be disabled and thus un answerable.
copper member
Activity: 784
Merit: 710
Defend Bitcoin and its PoW: bitcoincleanup.com
July 07, 2022, 05:14:39 PM
#52
If you really wanted the secret question option removed by admin. Why didn't you just opt for the Security bounties option?

Because filling in the secret question and answer is a security risk. The bounty is for security vulnerabilities.

Copying your seed and password in a notepad is a major security risk, but Electrum will not pay you if you mention it's a common practice of their users...  Wink
copper member
Activity: 2170
Merit: 1822
Top Crypto Casino
July 07, 2022, 04:55:00 PM
#51
At least he understand the problem now.
I have a question.

If you really wanted the secret question option removed by admin. Why didn't you just opt for the Security bounties option?
I think it would have been a quicker way of getting his attention.

Some people are very sensitive when they realize someone tried to gain access to their account, regardless of your motive.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 04:24:35 PM
#50
Negative trust removed, thanks for the clarification

~willi9974 removed; my neutral feedback “This user is too trigger-happy with negative trust feedback. ~willi9974” is deleted.  I will edit a relevant prior post accordingly, in case anyone reads it out of context.  [Done.]  Thanks for the correction.

My other recent trust actions will stay (modulo the need for some refinements and extensions).
legendary
Activity: 3500
Merit: 2792
Enjoy 500% bonus + 70 FS
July 07, 2022, 04:10:54 PM
#49
Negative trust removed, thanks for the clarification
copper member
Activity: 143
Merit: 85
July 07, 2022, 03:36:59 PM
#48
Don't be naive and just delete that damn question already !

If an empty answer would allow you to set a question without having any correct answer, that would be interesting to steal time and resources of an attacker (without wasting own time). However, a long random string should have the same result. But I feel uncomfortable with having any security question active.
copper member
Activity: 784
Merit: 710
Defend Bitcoin and its PoW: bitcoincleanup.com
July 07, 2022, 03:29:00 PM
#47
According to https://bitcointalk.org/index.php?action=helpadmin;help=secret_why_blank the feature is disabled if you set a question without setting an answer, right?

Don't be naive and just delete that damn question already !

staff
Activity: 3304
Merit: 4115
July 07, 2022, 03:18:25 PM
#46
That's the point I've been looking at as opposed to Jackg's speculation earlier to have have just a friendly advice. It's far from anything friendly with the way I see it. This could be a possible tip-off on where to start the hack and what tricks he or she could use.
Yeah, mprep summed it up nicely. Don't communicate, at least with any detail in relation to security with users that might do this sort of thing, as it could lead to a social engineering attempt.

I think most suspicions came from how the personal message was worded, but also we're a rather suspicious community as a whole. Which, neither helps when combined. I do think things could've been handled a bit better, but the actions have already been taken.

Like I said, I was somewhat suspicious to how the personal message was worded, but I wasn't ready to get the pitchfork out yet.
legendary
Activity: 1554
Merit: 1139
July 07, 2022, 03:12:56 PM
#45
Likely, by asking you to get back to them how you secured your account after removing it, is likely a way to get more information.
That's the point I've been looking at as opposed to Jackg's speculation earlier to have have just a friendly advice. It's far from anything friendly with the way I see it. This could be a possible tip-off on where to start the hack and what tricks he or she could use. Else, why would the user need a feedback on if you hackened to his/her advice or not.
By the user being aware of a security question to have been activated on the account, it simply means there have possibly been att.epts on hacking the account and that was some of the recovery options presented. Hence, having it set up doenst guarantee much safety as, a signed address could aid a lot in the course of forgotten details and getting your account back at any point.

Am not a DT just yet neither have I gotten the pm making rounds but am sure this user isn't done yet and would be trying his luck on other accounts.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 03:11:35 PM
#44
How else could this point have been made?
By creating a thread in Meta.

IIRC, I have made various suggestions in Meta for improving account security.  IIRC, so has OgNasty.  So have others...

The response is always either silence, or “new forum software” vapourware which has only been in development for, what, about seven or eight years?

[ANN] Nulltalk, the new new forum software

Everything on this forum makes me rage nowadays

Me, too.  Let’s do something constructive about it.

I propose that I myself should indeed write the new new forum software.  As aforesaid, I will write it in C, then rewrite it in Rust; if I need to take more time, then along the way, I may also rewrite the code in Java, C#, Go, Javascript, Python, C++ with Boost, C++ without Boost, COBOL, MUMPS, Solidity, Visual BASIC, LISP, FORTRAN, and/or Brainfuck.  I don’t know many of these languages; thus, the schedule slippage will be spectacular as I spend time learning.  My proposed schedule is to deliver a feature-incomplete pre-alpha demo by the 2028 Halving, a beta before BIP 42 becomes economically relevant, and the official 1.0 release before the heat death of the universe—maybe.  I’m so slick!

The project is called Nulltalk, because its distinguishing innovation shall be that it autobans all users, and stores all posts in the /dev/null NoSQL database.  Thus, there shall be no talk.  Silence!  Hey—if John Cage could sell records this way, why can’t I build a forum that forbids all discussion?  Also, I shall integrate the zero-dimensional graph-theoretic /dev/null NoSQL cloud database with Blockchain, because Blockchain has maximal synergies with buzzwords in Enterprise NoSQL Cloud Blockchain.

Because it auto-bans all users, Nulltalk’s user accounts shall be totally unhackable.  Purr-fect security. 😼
staff
Activity: 3304
Merit: 4115
July 07, 2022, 03:04:16 PM
#43
Yeah, it was the wording of the personal message that was tripping me up. Might have been a better option to contact the admins, and say you're aware of someone's security question, they could've possibly checked, and then forced the security question to be disabled, rather than forcibly locking an account. Maybe, the admins could've messaged only those with security questions enabled, I'm not sure of the best way of going about this.

Also, not a fan of talking about the specifics of a certain users security question as that could potentially be a further security/privacy issue.

However, I think the point has been made, and hopefully this highlights the issues of a security question. Personally, I'd prefer it to be removed, but at the very least hopefully this wakes up some users to discontinue using it.

For those that are unaware; Security questions are designed in such a way, that it encourages you to ask a question, and then directly answer that question, therefore it's no longer random. We've talked about random for ages now, and how it's important to generation of passwords. So, the mere fact you come up with the question, and the answer usually means you either reduce the randomness or completely remove it. You could say you'll have a answer that's not something that's related to the question, but it likely is as we as people aren't very good at thinking randomly.

I was about to conclude that the message was only sent to high ranking members only, I just found out that DT members were the only target, I am just wondering what exactly this user is trying to achieve by this
You're much more likely to make a point, if you make it to the higher ranked users of the forum, as the point hits closer to home, than doing this to someone who is of a lower rank. The user has proven that security questions are ridiculously stupid, which we kind of knew anyway, but has highlighted that to those that don't know it.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of)
Maybe check it, and amend it if so.
copper member
Activity: 143
Merit: 85
July 07, 2022, 02:48:46 PM
#42
According to https://bitcointalk.org/index.php?action=helpadmin;help=secret_why_blank the feature is disabled if you set a question without setting an answer, right?

Maybe, but question and form to answer is shown
legendary
Activity: 2422
Merit: 1083
Leading Crypto Sports Betting & Casino Platform
July 07, 2022, 02:46:37 PM
#41
I was about to conclude that the message was only sent to high ranking members only, I just found out that DT members were the only target, I am just wondering what exactly this user is trying to achieve by this, because I believe its impossible to hack an account without having access to the password, now, my confusion is, how is it possible for an account to be hacked through a message like this ?, what kind of action is the sender of this PMs expecting his/her targets to take so as to enable him or her gain access to the target's account?
knowing this, I believe will keep us on a safer side.  
donator
Activity: 4760
Merit: 4323
Leading Crypto Sports Betting & Casino Platform
July 07, 2022, 02:38:19 PM
#40
However, methods like this are inacceptable

At least he understand the problem now.

I can't say I grasp the series of events and the timeline, but warning someone about a potential issue with their password, then demonstrating that it was an issue after being ignored without compromising anything seems like the right way to do it?  How else could this point have been made?

I think the problem was that the PMs were worded strangely as if it was sent from a scammer.  Perhaps something a little more simple and to the point would have been more effective.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of) or maybe I'm not in DT anymore.  Who knows?
copper member
Activity: 143
Merit: 85
July 07, 2022, 02:24:17 PM
#39
However, methods like this are inacceptable

At least he understand the problem now.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 02:22:12 PM
#38
I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
QFT.


Thanks, mprep—I did not know this:

This is a Public Service Announcement:

If you lose your password, DO NOT USE THE SECRET QUESTION TO RECOVER THE ACCOUNT. It will result in your account being locked. Please use the email recovery option to recover the account.

(This post is obviously edited.  I saw the below before I saw the above.)


The PM looked scammy but I guess it was "okay" after reading this thread.

However, methods like this are inacceptable:
I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 second and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Would you prefer that he have left an insecure account wide-open for someone else to hack?  While greenplastic himself not only ignored good advice about securing his account, but attacked the giver of the advice with negative trust feedback?  Please advise if you think that would be a better solution.

If he only locked the accounts, I don’t think he did anything wrong.  (Not legal advice.  Speaking ethically here.)  theymos can check server logs to see what he really did.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
July 07, 2022, 02:21:26 PM
#37
LOL, I did BEFORE you posted!  Cheesy  (sort-of)


pwned!

I received several negative trust. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 second and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

For the record:

Security questions are a joke and should be disabled. There are members using questions with a probably secure question or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able unlocking using a fake mail. I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.

I gave only 5 merits for this, because I am widely merit-boycotted; I need to save up, so I can afford to give more when you make a thread about this.

I want public key authentication.  Disable password authentication (like in sshd).  Has the Bitcoin Forum ever heard of such a thing as digital signatures?  Do people here do crypto, or not?  Sigh.

I made some suggestions years ago.  Nothing happened.  Your way is better:  Teach a little lesson, which will be less painful coming from you than from someone who actually wants to pwn a bunch of accounts.  It will more likely result in positive changes.


Check the username. Does it remind you the user alia?

Roll Eyes

Get a grip.  No other way to say this:  That is ridiculously stupid.
Yes, I may be stupid but how are you so sure 🤣

Because I knew alia as I wish for people not to be reminded—ugh.  A smooth-talking gambling addict sex scammer, likely from India or SEA (IIRC), who only temporarily fooled people with a pretense of some technical skills.  Not a German hacker who just kindly refrained from helping himself to some tasty DT accounts.  To make a connection based only on a very vague similarity of names verges on how schizophrenics find secret messages in white noise.
jr. member
Activity: 41
Merit: 793
inactive
July 07, 2022, 02:13:55 PM
#37
While it seems that it is possible that what you were doing REALLY was "for the good of mankind" and possibly completely altruistic, I believe you went about it the wrong way.  Don't you think simply starting a topic here in META might have avoided the panic created?  You have to admit, the PM's did sound a bit "scammy" as you put it in the title of the PM, and the results, while possibly an overreaction, wouldn't or shouldn't have been totally unexpected.
The PM looked scammy but I guess it was not optimal, but "okay" after reading this thread.

However, methods like this are inacceptable:
I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "XXX" as answer to "XXX". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 second and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

Security questions are a joke and should be disabled. There are members using questions with a probably secure answer or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.
(and very likely illegal.)



pwned!
My hat is a little bit grey, so I probably would have switched the stupid negative feedback against myself to positive before locking the account.  lulz.
Saying you would have performed black-hat/gray-hat-activities -- are you serious?
Code:
~nullius



I temporarily re-added a neutral entry in order to prevent more negative trust and redirect people to this thread.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
July 07, 2022, 02:16:40 PM
#36
I don't know what the user's motivation is, but on the surface the advice about not using the security question feature is very much on point: security questions are insecure and shouldn't be used on any website (if possible). Use a really strong password and have a valid email set so you can recover your account in case you forget your password. More importantly, having a weak security question on Bitcointalk allows an attacker to easily lock someone's account (see https://bitcointalksearch.org/topic/psa-accounts-will-be-locked-if-the-secret-question-is-used-to-recover-it-1206977).

You probably shouldn't message him back about anything related to the security of your account - as others pointed out, that may be the start of a social engineering attack.

On a side note, I don’t like that the forum doesn’t let you remove your e-mail address, and/or otherwise totally disable password reset by e-mail.  (Yes, you can set a fake e-mail address; but then, you need to be careful to make sure it can never be valid.  And that does not itself totally disable password reset by e-mail.)  I’m not the only one.  Lauda complained to me about that.
While I'm not sure whether it's 100% secure, an idea would be to set the email to something like [email protected] since .test (and similar TLDs) "is not intended to ever be installed into the global Domain Name System (DNS) of the Internet" (from https://en.wikipedia.org/wiki/.test).
Pages:
Jump to: