tweetious called a purported intent to communicate with theymos about insecure accounts a “threat”. If that’s a threat, then threatening people is a virtue. He also sneers in negative trust feedback at what was actually good security advice—the same advice given in the forum’s profile UI!
Since my name was mentioned here, followed by allegations that I am giving bad security advice and that I am a serial "trigger-happy with negative trust feedback" (as stated in the trust feedback that I received), I thought of chipping in and explaining the reasoning behind my providing such feedback.
Generally speaking, when someone (with purely good intentions) contacts me, lets me know of possible security breaches, and provides me with advice and optional solutions to overcome a possible threat, I am thankful.
What happened here is completely different though. I received a PM from a user whom I didn't know and had never interacted with before. The topic of the PM was "(No subject)" and it was sent to "(Undisclosed recipients)", hence it was not directed explicitly at me (it was not intended for me only, but for unknown recipients).
In the beginning, there was a short introduction about a "potential" forum security issue, and a mention of their achievement that they had already frozen a user account because the user didn't follow their security standards (i.e. they took the law into their own hands and executed it accordingly, leaving the user with a locked/frozen account, just because they could, instead of informing a moderator about the situation and letting them handle it in the most appropriate way).
Then, things started getting a bit more interesting. This user demanded that I not only change my security settings but also report back to them (secretly via PMs), stating how I had improved my account security (i.e. providing them with details about my security settings and the way I "improved" them, i.e. changed them). Not only that, but they also threatened me that if I did not comply and they did not get a reply back from me, they would report me to the board administration "for our all safety".
Hence, from my point of view, someone was sending PMs acting as forum police, making demands and threats, without even having the authority to do so, using a very critical forum security issue (a security question being in place) as an excuse.
This PM didn't come from a high-ranked user, a moderator, or a highly trusted member. On the contrary, it came from a low-ranked member who has only negative feedback on their trust page (both given and received). If what I said is not clear: since 2019 this user has only given negative feedback to other users, and not a single positive one (plus the negative feedback that they have received so far).
Furthermore, there is a warning on their trust feedback page that "This user's email address was changed recently."
The reason for leaving negative trust feedback was not to hurt newalias' reputation, but to warn potential recipients of those PMs that it is a bad tactic and "bad security advice" (which is what nullius accuses me of providing) to reply to unknown senders' PMs and provide sensitive security information about their account (specifically when someone is actually demanding it, and letting them know that they will get reported if they don't). Especially when it comes from a user who claims to have hacked/breached/tricked (whatever the right word is) the forum's Captcha security system.
@newalias I have nothing against you, and I do not want to turn this into a drama. You might have the purest intentions; however, it was so badly executed that your PM actually turned into a security concern (instead of the security issue that you were forcing other users to comply with).
@nullius I disagree with you that I am a serial "trigger-happy with negative trust feedback". If you still believe so, I totally respect your opinion and have no hard feelings at all (you can leave your trust feedback as is). My trust feedback history is open for everyone to see, hence everyone can come to their own conclusions about whether I misuse the trust feedback by providing negative feedback without reasoning.
Yes, I agree that using "neutral" feedback instead of negative might have been an option. However (as said), due to the number and combination of all those red flags together, I wanted to do my best to alert PM recipients (by having them read my text in red), so that they would not fall into a potential phishing scam attempt.
Here is the PM that I received. I have indicated in bold all those segments that support my above elaboration.
Edit: just to be crystal clear, I do not disagree that having a security question in place might be a security issue for your account.
You are a member of DefaultTrust. Therefore, the security of your account is crucial.
However, you have a security question in place, which often means lower entropy than a secure password and maybe being easier to guess. The simplest thing I have seen in DefaultTrust was "1+1" with the answer "2" being correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or the make of a first car - brute force can help. And there are loads of questions for names of wives, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!
The recommended action to take is to remove the security question altogether. Please get back to me stating how you improved your account security. If I do not get a reply, I need to inform the board administration for our all safety.
I started with the whole of DefaultTrust as I think the base of the community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.
Thank you!