Topic: weird pm received - page 2. (Read 1021 times)

Since my name was mentioned here, followed by allegations that I am giving bad security advice, and being a serial "trigger-happy with negative trust feedback" (as mentioned in the trust feedback that I received), I thought of chipping in and explaining the reasoning behind I providing such feedback.

Generally speaking, when someone (with purely good intentions) are contacting me, letting me know of possible security breaches, and providing me with advice and optional solutions to overcome a possible threat, I am thankful.

What happened here is completely different though. I received a PM from a user that I didn't know & never interacted before with. The topic of the PM was "(No subject)" & was sent to "(Undisclosed recipients)", hence not directed explicitly to me (it was not intended for only me, but to unknown recipients)

In the beginning, there was a short introduction about a "potential" forum security issue, and a mention of their achievement that they have already frozen a user account because the user didn't follow their security standards. (ie they took the law into their hands, and executed it accordingly leaving the user with a locked/frozen account -just because they could-, instead of informing a moderator about the situation and letting them handle it in the most appropriate way).

Then, things started getting a bit more interesting. This user demanded me not only to change my security settings but to also report back to them (secretly via PMs) stating how I improved my account security (ie providing them details about my security settings and the way I "improved" them - ie changed them). Not only that, but they also threaten me that if I do not comply and they do not get a reply back from me, they will report me to the board administration "for our all safety"

Hence, in my point of view, someone was sending PM's acting as forum police, making demands and threats, without even having the authority of doing so, having as an excuse a very critical forum security issue (security question in place).

This PM's didn't come from a high-ranked user, a moderator, or from a highly trusted member. In the contrary, it came from a low-ranked member that has only negative feedback on their trust (both given & taken). If what I said is not clear, this user since 2019 has only provided negative feedback to other users, and not a single positive one (+ the negative feedback that have received so far).
Furthermore, there is a warning on their trust feedback page, that "This user's email address was changed recently."

The reason for leaving negative trust feedback was not to hurt newalias reputation but to warn potential receivers of those PM's that it is a bad tactic and "bad security advice" (what nullius is accusing me that I provide) to reply to unknown senders PM's and providing sensitive security information about their account (specifically when someone is actually demanding about them, and letting them know that they will get reported if not doing so). Especially, coming from a user that claims that they have hacked/breached/tricked (whatever the right word is) the forums Captcha security system.

@newalias I have nothing against you, and I do not want to turn this into a drama. You might have the purest intentions, however, it was so badly executed that your PM actually turned into a security concern (instead of the security issue that you were forcing other users to comply with)

@nullius I disagree with you that I am a serial "trigger-happy with negative trust feedback". If you still believe so, I totally respect your opinion and have no hard feelings at all. (you can leave your trust feedback as is). My trust feedback history is open to everyone to see, hence everyone could end up to conclusions whenever I misuse the trust feedback by providing negative feedback without reasoning.
Yes, I agree that using "neutral" feedback instead of negative might have been an option. However (as said) due to the amount and the combination of all those red flags together, I wanted to do my best of triggering PM receivers (by reading my text in red), so as not to fall into a potential phishing scam attempt.

Here is the PM that I received. I have indicated in bold, all those segments that support my above elaboration.

Edit: just to be crystal clear, I do not disagree that having a security question in place, might be a security issue for your account.

I think he deserves the neg trust. As I stated my question was there but was already in a disabled state. So it is far superior then no question at all. Since a hacker would spend all eternity and get no where trying to answer the question.

It was what is the name of my wife's father.

A hacker could have tried every name ever written in the human race and have no answer.

Since I knew I my secret question was disabled but listed I had created a time waster trap for hacker's which this moron fucked up with his clever hacking bs.

So frankly his so called well intended deed fucking helps hackers since they now know security question can be disabled and thus un answerable.

Because filling in the secret question and answer is a security risk. The bounty is for security vulnerabilities.

Copying your seed and password in a notepad is a major security risk, but Electrum will not pay you if you mention it's a common practice of their users... 

I have a question.

If you really wanted the secret question option removed by admin. Why didn't you just opt for the Security bounties option?
I think it would have been a quicker way of getting his attention.

Some people are very sensitive when they realize someone tried to gain access to their account, regardless of your motive.

~willi9974 removed; my neutral feedback “This user is too trigger-happy with negative trust feedback. ~willi9974” is deleted.  I will edit a relevant prior post accordingly, in case anyone reads it out of context.  [Done.]  Thanks for the correction.

My other recent trust actions will stay (modulo the need for some refinements and extensions).

Negative trust removed, thanks for the clarification

If an empty answer would allow you to set a question without having any correct answer, that would be interesting to steal time and resources of an attacker (without wasting own time). However, a long random string should have the same result. But I feel uncomfortable with having any security question active.

Don't be naive and just delete that damn question already !

Yeah, mprep summed it up nicely. Don't communicate, at least with any detail in relation to security with users that might do this sort of thing, as it could lead to a social engineering attempt.

I think most suspicions came from how the personal message was worded, but also we're a rather suspicious community as a whole. Which, neither helps when combined. I do think things could've been handled a bit better, but the actions have already been taken.

Like I said, I was somewhat suspicious to how the personal message was worded, but I wasn't ready to get the pitchfork out yet.

That's the point I've been looking at as opposed to Jackg's speculation earlier to have have just a friendly advice. It's far from anything friendly with the way I see it. This could be a possible tip-off on where to start the hack and what tricks he or she could use. Else, why would the user need a feedback on if you hackened to his/her advice or not.
By the user being aware of a security question to have been activated on the account, it simply means there have possibly been att.epts on hacking the account and that was some of the recovery options presented. Hence, having it set up doenst guarantee much safety as, a signed address could aid a lot in the course of forgotten details and getting your account back at any point.

Am not a DT just yet neither have I gotten the pm making rounds but am sure this user isn't done yet and would be trying his luck on other accounts.

IIRC, I have made various suggestions in Meta for improving account security.  IIRC, so has OgNasty.  So have others...

The response is always either silence, or “new forum software” vapourware which has only been in development for, what, about seven or eight years?


Because it auto-bans all users, Nulltalk’s user accounts shall be totally unhackable.  Purr-fect security. 😼

Yeah, it was the wording of the personal message that was tripping me up. Might have been a better option to contact the admins, and say you're aware of someone's security question, they could've possibly checked, and then forced the security question to be disabled, rather than forcibly locking an account. Maybe, the admins could've messaged only those with security questions enabled, I'm not sure of the best way of going about this.

Also, not a fan of talking about the specifics of a certain users security question as that could potentially be a further security/privacy issue.

However, I think the point has been made, and hopefully this highlights the issues of a security question. Personally, I'd prefer it to be removed, but at the very least hopefully this wakes up some users to discontinue using it.

For those that are unaware; Security questions are designed in such a way, that it encourages you to ask a question, and then directly answer that question, therefore it's no longer random. We've talked about random for ages now, and how it's important to generation of passwords. So, the mere fact you come up with the question, and the answer usually means you either reduce the randomness or completely remove it. You could say you'll have a answer that's not something that's related to the question, but it likely is as we as people aren't very good at thinking randomly.

You're much more likely to make a point, if you make it to the higher ranked users of the forum, as the point hits closer to home, than doing this to someone who is of a lower rank. The user has proven that security questions are ridiculously stupid, which we kind of knew anyway, but has highlighted that to those that don't know it.

Maybe check it, and amend it if so.

Maybe, but question and form to answer is shown

I was about to conclude that the message was only sent to high ranking members only, I just found out that DT members were the only target, I am just wondering what exactly this user is trying to achieve by this, because I believe its impossible to hack an account without having access to the password, now, my confusion is, how is it possible for an account to be hacked through a message like this ?, what kind of action is the sender of this PMs expecting his/her targets to take so as to enable him or her gain access to the target's account?
knowing this, I believe will keep us on a safer side.  

I can't say I grasp the series of events and the timeline, but warning someone about a potential issue with their password, then demonstrating that it was an issue after being ignored without compromising anything seems like the right way to do it?  How else could this point have been made?

I think the problem was that the PMs were worded strangely as if it was sent from a scammer.  Perhaps something a little more simple and to the point would have been more effective.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of) or maybe I'm not in DT anymore.  Who knows?

At least he understand the problem now.

QFT.

---

Thanks, mprep—I did not know this:


(This post is obviously edited.  I saw the below before I saw the above.)

---

Would you prefer that he have left an insecure account wide-open for someone else to hack?  While greenplastic himself not only ignored good advice about securing his account, but attacked the giver of the advice with negative trust feedback?  Please advise if you think that would be a better solution.

If he only locked the accounts, I don’t think he did anything wrong.  (Not legal advice.  Speaking ethically here.)  theymos can check server logs to see what he really did.

LOL, I did BEFORE you posted!    (sort-of)

The PM looked scammy but I guess it was not optimal, but "okay" after reading this thread.

However, methods like this are inacceptable:
(and very likely illegal.)

---

Saying you would have performed black-hat/gray-hat-activities -- are you serious?

---

I temporarily re-added a neutral entry in order to prevent more negative trust and redirect people to this thread.

I don't know what the user's motivation is, but on the surface the advice about not using the security question feature is very much on point: security questions are insecure and shouldn't be used on any website (if possible). Use a really strong password and have a valid email set so you can recover your account in case you forget your password. More importantly, having a weak security question on Bitcointalk allows an attacker to easily lock someone's account (see https://bitcointalksearch.org/topic/psa-accounts-will-be-locked-if-the-secret-question-is-used-to-recover-it-1206977).

You probably shouldn't message him back about anything related to the security of your account - as others pointed out, that may be the start of a social engineering attack.

While I'm not sure whether it's 100% secure, an idea would be to set the email to something like [email protected] since .test (and similar TLDs) "is not intended to ever be installed into the global Domain Name System (DNS) of the Internet" (from https://en.wikipedia.org/wiki/.test).