Topic: weird pm received - page 3. (Read 1094 times)

copper member
Activity: 143
Merit: 85
July 07, 2022, 03:13:49 PM
#35
My bet, the user is targeting people with some other criteria not just a DT.

Oh, really? Maybe just the ones with a secret question set. You can figure that out by reading my PM.

This thread is unbelievably dumb. I warned affected users of a security problem and they make public that they are affected. But what should I expect from users having set a security question, ignoring a warning? If you set a second password, both can be used to login. How can someone think this improves security, especially when the second password is "5"? I would ask greenplastic that question, but unfortunately he is not able to login.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 03:13:24 PM
#34
pwned!

I received several negative trust. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 seconds and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

For the record:

Security questions are a joke and should be disabled. There are members using questions with a probably secure question or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able to unlock using a fake mail. I want to see security questions disabled, an option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.

I gave only 5 merits for this, because I am widely merit-boycotted; I need to save up, so I can afford to give more when you make a thread about this.

I want public key authentication.  Disable password authentication (like in sshd).  Has the Bitcoin Forum ever heard of such a thing as digital signatures?  Do people here do crypto, or not?  Sigh.

I made some suggestions years ago.  Nothing happened.  Your way is better:  Teach a little lesson, which will be less painful coming from you than from someone who actually wants to pwn a bunch of accounts.  It will more likely result in positive changes.


Check the username. Does it remind you of the user alia?

Roll Eyes

Get a grip.  No other way to say this:  That is ridiculously stupid.
Yes, I may be stupid but how are you so sure 🤣

Because I knew alia as I wish for people not to be reminded—ugh.  A smooth-talking gambling addict sex scammer, likely from India or SEA (IIRC), who only temporarily fooled people with a pretense of some technical skills.  Not a German hacker who just kindly refrained from helping himself to some tasty DT accounts.  To make a connection based only on a very vague similarity of names verges on how schizophrenics find secret messages in white noise.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
July 07, 2022, 03:07:08 PM
#33
While it seems that it is possible that what you were doing REALLY was "for the good of mankind" and possibly completely altruistic, I believe you went about it the wrong way.  Don't you think simply starting a topic here in META might have avoided the panic created?  You have to admit, the PM's did sound a bit "scammy" as you put it in the title of the PM, and the results, while possibly an overreaction, wouldn't or shouldn't have been totally unexpected.

Edit:  Whatever the motive, you did jolt me into changing my password for the first time in years and to remove my "secret word" for which I didn't even know the answer which I put in when I joined years ago!  Thank you for that.  Cheesy


I received several negative trust. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?".

Proof: https://bitcointalk.org/seclog.php

Security questions are a joke and should be disabled. There are members using questions with a probably secure answer or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able to unlock using a fake mail. I want to see security questions disabled, an option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
July 07, 2022, 02:41:31 PM
#32
Check the username. Does it remind you of the user alia?

Roll Eyes

Get a grip.  No other way to say this:  That is ridiculously stupid.
Yes, I may be stupid but how are you so sure 🤣

Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  Cheesy
I have not received the PM yet which means I am not in DT too 😉? My bet, the user is targeting people with some other criteria not just a DT.

copper member
Activity: 143
Merit: 85
July 07, 2022, 02:41:01 PM
#31
I received several negative trust. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 seconds and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

Security questions are a joke and should be disabled. There are members using questions with a probably secure answer or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able to unlock using a fake mail. I want to see security questions disabled, an option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
jr. member
Activity: 41
Merit: 793
inactive
July 07, 2022, 02:28:45 PM
#31
Later than any of the above, Nestade left a DT “neutral” alert.  It does not link to this thread.  He seems to have removed it now.
Yes, after receiving a PM from a user with a recent email-change and negative reputation asking to change my account-settings I left a preliminary neutral trust saying:
Quote
Received suspicious PM by this user, additionally "This user's email address was changed recently."

(Feedback will be deleted/changed, as soon as there is more information).
and referenced a screenshot of the PM (https://i.imgur.com/e7RGXmN.png).
I didn't see a reason for negative trust.

After doing more research and reading this thread I removed the neutral trust (took only a few minutes).
legendary
Activity: 2464
Merit: 2094
July 07, 2022, 02:22:42 PM
#30
Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  Cheesy

So far I've received emails about someone trying to hack into my account by forgetting my password (last february to be exact), that's stupid because I'm sure he never knows what my email is. But luckily the odd PM didn't haunt me, but certainly didn't expect to receive it. If there's one later, I'll definitely report it to the mod as soon as I can.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 02:19:07 PM
#29
This thread, and newalias’ growing list of negative trust feedbacks, are classic security theatre like the American TSA confiscating nailclippers from grandmas in wheelchairs.  Bruce Schneier should give out some beatings here.

https://www.schneierfacts.com/

IIUC, it is a fan site not affiliated with Bruce Schneier.


@nullius    I think you have too much faith in the goodness of humanity.  Cheesy Cheesy Cheesy   Of course you may be right but you have to look at where you are and what often goes on around here and in this world (forum world not geographic world).

Or perhaps I have less faith in humanity, especially on this forum.  No good deed goes unpunished, as the aphorism goes.  The guilty get away scot-free—I have seen it happen many times on this forum—while the innocent get burnt at the stake.

Indisputable objective fact:  Having a “secret question” set is dumb.  The users mentioning publicly that they received this PM are declaring to the world, “I do not know how to secure my forum account; and I do not read the forum UI warning which says, ‘Using this feature is not recommended.’”

Sorry to be so blunt, sandy-is-fine.  You seem fine, although you should probably stop using that insecurity misfeature.  Some others are getting on their high horses, making ridiculous statements, proclaiming sanctimoniously (and quite proudly as to their own smarts) that they caught the evil hacker.  WTF?  This would be the most moronic possible way to hack the forum:  Notify people who have weak account security, and give them good advice about how to improve.

“Faith in the goodness of humanity”?  The booby prizes for extreme stupidity thus far go to BitcoinGirl.Club...
Check the username. Does it remind you of the user alia? A girl back in 2017 - 2018. She was having everyone's attention. Then caught on planning for scam before resting in peace. Someone is having fun.
...and to three of the four DT red-tags that newalias has thus far accrued:

Hello nullius,

I have set the neg. trust as a precaution, so that other users see that there might be something wrong. Should the whole thing turn positive and the said user have only positive intentions, I will remove the negative trust very gladly again.

In the crypto scene, caution and skepticism is certainly not the worst thing and we old hands have to protect all the new users a bit.

Many greetings
Willi

Yours was more reasonable, but arguable.  If it turns out that newalias’ intentions were non-malicious, I’ll remove my ~ after you remove or neutralize your tag.  (If he was acting maliciously, then of course, I will remove my ~ and give him my own negative; but from available evidence, I think it is improbable.)

These will stay, because the trust feedback texts show extremely poor judgment:

Code:
~greenplastic
~uelque
~tweetious

uelque and tweetious giving bad security advice in negative trust feedback shows judgment at least as bad as greenplastic leaving a tag that says, FUCK THESE FUCKING FUCKERS!! HA!  Oh, yes.  That user is currently in DT.  No wonder I love DT so very much.

tweetious called a purported intent to communicate with theymos about insecure accounts a “threat”.  If that’s a threat, then threatening people is a virtue.  He also sneers in negative trust feedback at what was actually good security advice—the same advice given in the forum’s profile UI!

uelque smugly implies that a misfeature, which the forum warns people against using, improves the security of his account.

What’s worse than a forum thread full of security theatre?  Negative trust feedback security theatre!


User in question recently changed email which can possibly also mean a hacked account.  Do any of his/her previous posts have such altruistic discussions on protecting all of Bitcointalk humanity?  Cheesy  The PM's in question seem way out of character for the poster's past conversations.  But I guess one never knows.

I very briefly discussed this with JollyGood upthread.  Adding to what I said there:  When I glanced at the user’s post history before, I noticed that he has a longstanding interest in CAPTCHA systems, and in the breaking of CAPTCHA systems.  Note that his PM claims that he has a secret method to bypass the CAPTCHA, which he says he will discuss only with theymos.

Captcha is useless as I use some trick I will only discuss with theymos.

From a thread almost two years ago:

Re: php human verification / antibot v2 ---> i challenge you to defeat it as bot
The code of this is a disaster. It does not allow multiple users solving the "captcha" at the same time either.  Roll Eyes
I am sorry to say so, but the code is the work of a script kiddie.

This captcha is easy to be solved by bots, I agree with Aveatrex.

There are solutions like Google reCaptcha out there, with many, many algorithms. They even watch out for malicious activity, badly-known IP addresses and so on. They have sort of scoring behind it and make the captcha as difficult as needed for the specific client (or block it at all).

The only need for another captcha solution is a self-hosted approach, without sending clients data to Google or some other service providers. To my knowledge, there is no nice solution for PHP as library. So, your idea is nice, but the current state is absolutely useless.

On 2020-08-01, newalias issued negative trust feedback to the author of bad PHP code.  Egads!  Is it a death_wish sighting? Roll Eyes

More recently, but still >30 days ago (thus before the e-mail change), newalias showed other security-related interest in CAPTCHAs:

Re: [ANN] ChipMixer.com - Bitcoin mixer / Bitcoin tumbler - mixing reinvented
I am glad to see .com is back and I like this approach, but it's going to be interesting to see how long until phishing domains do the same thing, linking to their own scam onion link.

Looks like chipmlxer.com (SCAM!) just got a nice idea from you  Undecided

However, this is the most advanced scam, even maintaining session expiration time and renew/restore.

I think the new API is really nice but it is a matter of time until scam sites will use it:
Checking and redeeming sessions and vouchers entered or even providing fully functional scam sites, scamming only higher amounts to gain trust.
For sure, the latter can be done with own infrastructure, but with much more effort.

All scam sites lack captcha, just as observation.
Captcha is to protect from DoS, I think. That is also a problem for API, isn't it?
I think API is (or will get) a nightmare.

Anyone has a clue about how much these sites are making? I would start monitoring on my own otherwise.


Here's the bit I'm talking about:
However, you have a security question in place, which often means lower entropy than a secure password and may be easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security.

You are entirely correct!

If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer

And you!  IIRC, I walked through the same thought process when I first saw the thread—then somehow confused myself.  Need coffee.  Always my excuse when I make a stupid mistake:  Need more coffee.  :-)


However, you have a security question in place, which often means lower entropy than a secure password and may be easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all.

^^^ Excellent advice!  If newalias posts the same publicly, preferably on a new Meta thread linked from here, then it will deserve significant merits.  Hint, hint.

* nullius has a longtime personal grudge against so-called “secret questions”.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
July 07, 2022, 12:26:09 PM
#28
@nullius    I think you have too much faith in the goodness of humanity.  Cheesy Cheesy Cheesy   Of course you may be right but you have to look at where you are and what often goes on around here and in this world (forum world not geographic world).  User in question recently changed email which can possibly also mean a hacked account.  Do any of his/her previous posts have such altruistic discussions on protecting all of Bitcointalk humanity?  Cheesy  The PM's in question seem way out of character for the poster's past conversations.  But I guess one never knows.
staff
Activity: 3304
Merit: 4115
July 07, 2022, 11:55:11 AM
#27
If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer
Right, I didn't make the connection that frozen = locked I admit Tongue. However, we know that hasn't happened since the OP confirmed nothing has happened. Therefore, they haven't frozen anything. So, the whole thing from a white hat perspective doesn't make a whole lot of sense.

Besides, it's always best to leave things how they are when it comes to being a white hat. Locking someone out of their account before they can change it isn't exactly the best idea.

copper member
Activity: 783
Merit: 710
Defend Bitcoin and its PoW: bitcoincleanup.com
July 07, 2022, 10:59:17 AM
#26
They've already claimed that they've frozen accounts, which isn't really possible, unless they had some kind of database access, which would mean they'd be able to remove the security questions themselves if they really wanted to.



If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer

Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.

legendary
Activity: 4256
Merit: 8551
'The right to privacy matters'
July 07, 2022, 09:31:04 AM
#25
so it's probably just an unsolicited piece of advice.
I don't know if we read the same PM, because it totally looks like some kind of phishing attempt to me--and a bad one at that, despite all the technical garbledegoo.

I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing.  And not that it matters, but I recently got a PM from some guy who wanted to pay me for a review of some app.  The devil was on my shoulder and I wanted to string him along for a bit, but I lost motivation after his second reply.  I'm wondering if other DT members got that same PM, because I'm pretty sure I wasn't singled out for that one.

I got that one
staff
Activity: 3304
Merit: 4115
July 07, 2022, 09:15:53 AM
#24
On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well

I noticed that.  But I don’t think it is the problem.

Most people are not actually reading his PM—just panicking, and jumping to conclusions without even reading.  I admit that I myself misread it the first time; please see the edit to my prior post on this thread.
I'm feeling a little silly now, because I've reread it a few times, and I'm still reading it the same way.

Here's the bit I'm talking about:
However, you have a security question in place, which often means lower entropy than a secure password and may be easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security.
I've bolded the part which keeps tripping me up. That might be a language barrier thing as suggested, but I'm failing to read that any other way than that they've frozen the account "due to security", giving the impression they have access that a normal user doesn't. Although, it's not exactly clear what they're talking about when they say freeze, and what that exactly means either.

The part where they talk about the captcha, and only talking to theymos is separate.

I do however, agree with JollyGood here, it does seem some of the sentences aren't quite fluid, in terms of a native speaker. So, there might be some translation issues here which just complicates the situation.



legendary
Activity: 3500
Merit: 2792
Escrow Service
July 07, 2022, 07:21:48 AM
#23
Would someone in DT please copy my neutral tag before this user’s account gets burned to the ground?  Thanks.

I have excluded two users who are too trigger-happy with neg tags:
Code:
~willi9974
~tweetious


Hello nullius,

I have set the neg. trust as a precaution, so that other users see that there might be something wrong. Should the whole thing turn positive and the said user have only positive intentions, I will remove the negative trust very gladly again.

In the crypto scene, caution and skepticism is certainly not the worst thing and we old hands have to protect all the new users a bit.

Many greetings
Willi
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 06:15:04 AM
#22
Would someone in DT please copy my neutral tag before this user’s account gets burned to the ground?  Thanks.

I have excluded two users who are too trigger-happy with neg tags:
Code:
[edited out]
~tweetious

[Edited later:  I removed ~willi9974, and excluded some others.]


Check the username. Does it remind you of the user alia?

Roll Eyes

Get a grip.  No other way to say this:  That is ridiculously stupid.

Or am I Greg Maxwell (nullc in many venues) because I call myself “nullius”?  (Someone actually suggested that, years ago.)


On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well

I noticed that.  But I don’t think it is the problem.

Most people are not actually reading his PM—just panicking, and jumping to conclusions without even reading.  I admit that I myself misread it the first time; please see the edit to my prior post on this thread.

but his trust currently shows the following message which might mean he is no longer in control of his account: This user's email address was changed recently

I noticed that, too; but it does not mean much, unless it matches other evidence.  Perhaps the user may be experimenting with his own account security; compare what my prior post said about disabling e-mail addresses.  Or maybe he got a new e-mail address.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
July 07, 2022, 06:03:38 AM
#21
Check the username. Does it remind you of the user alia? A girl back in 2017 - 2018. She was having everyone's attention. Then caught on planning for scam before resting in peace. Someone is having fun.

You are not the only one. Just "Report to Admin" the PM and they will take care of this.
I do not see she is banned yet.
legendary
Activity: 2534
Merit: 1713
Top Crypto Casino
July 07, 2022, 05:55:44 AM
#20
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.
I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.
I did not receive the PM. Ah well.....

Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.

This is good advice, in my opinion:

The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all.
I maybe have a less pessimistic view than yours when it comes to human nature in general, but I am highly sceptical when it comes to the conduct of many users in this forum; therefore I can understand your views and even relate to them.

On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well but his trust currently shows the following message which might mean he is no longer in control of his account: This user's email address was changed recently
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 05:26:21 AM
#19
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.
Yeah, I haven't ruled that out. However, the things that stand out to me are the comment about letting them know how you've secured your account, and the fact they claimed to have frozen accounts. The latter being an outright lie. That's not exactly good, if you're looking to do some white hat work.

Agreed.  [Edit:  I reread the PM quoted in OP.  He does not claim to have frozen accounts.  He seems to have some trick to bypass the CAPTCHA while probing accounts.  He only says that he will report DT accounts with “secret questions” to the administration; that sounds reasonable to me, in itself.]
[...snip good advice...]

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!



Although, that might have been a way of trying to convince the user. I'm not going to get my pitchfork out, but I do believe users should be cautious dealing with this user in further message exchanges. Not that I distrust them entirely, but at the very least advise caution.

On a side note, I don't like that anyone can find out if a user has a security question or not. I'm not a fan of security questions in the first place, but probing like that just opens up those accounts for further attack. I kind of wish that the security question field popped up regardless of if a user has set one or not. If someone tries to guess the security question of one of these users, it simply just gives a non match, rather than indicating they don't have one set up.

On a side note, I don’t like that the forum doesn’t let you remove your e-mail address, and/or otherwise totally disable password reset by e-mail.  (Yes, you can set a fake e-mail address; but then, you need to be careful to make sure it can never be valid.  And that does not itself totally disable password reset by e-mail.)  I’m not the only one.  Lauda complained to me about that.

On a side note, I don’t like that the forum doesn’t let you disable password authentication, and log in by signing a challenge with your PGP key...  OK, I will stop right here. Smiley


Looks like @newalias is online today, so I expect he'll respond to this thread soon, either because he checks the Meta board or because he found out he has 2 new feedbacks and checked the reference link.

For the record, I reached out to him by PM as I said I would.  With a link to my post on this thread.  Kind of sticking my neck out, doing that.  Eh.  Anyway, he should be well on notice about this thread.
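Post #19 above makes two design points about the recovery form: it should not tell a visitor whether an account has a secret question set, and a wrong guess against an account without one should look exactly like a wrong guess against an account with one. The following is an added sketch, not the forum's code and not SMF's: it puts a leaky prompt beside a hardened one, stores answers salted and hashed, uses a constant-time comparison on the same code path for every outcome, and security-locks an account after a fixed number of consecutive failures (the lock threshold, the choice to show only a generic field rather than the question text, and the in-memory account store are all assumptions made for the illustration).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ROUNDS = 50_000
MAX_FAILURES = 5  # assumed lock threshold; the forum's real value is not stated in the thread
GENERIC_PROMPT = "Enter the answer to your secret question."


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalising case and whitespace is friendly to the owner, but note that it
    # shrinks an already small answer space even further.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, PBKDF2_ROUNDS)


# Dummy credentials so that accounts WITHOUT a question (or unknown names) run the
# same hash-and-compare as real ones; they can never match.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_answer(os.urandom(16).hex(), _DUMMY_SALT)


@dataclass
class Account:
    username: str
    question: Optional[str] = None
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    answer_hash: Optional[bytes] = None
    failures: int = 0
    locked: bool = False


def set_question(acct: Account, question: str, answer: str) -> None:
    acct.question = question
    acct.salt = os.urandom(16)
    acct.answer_hash = _hash_answer(answer, acct.salt)


def leaky_prompt(store: Dict[str, Account], username: str) -> str:
    """Three distinguishable replies: unknown user, no question set, or the question."""
    acct = store.get(username)
    if acct is None:
        return "Unknown user."
    if acct.question is None:
        return "This account has no secret question."
    return acct.question


def hardened_prompt(store: Dict[str, Account], username: str) -> str:
    """One reply for everybody; the form reveals nothing about the account."""
    return GENERIC_PROMPT


def hardened_verify(store: Dict[str, Account], username: str, candidate: str) -> bool:
    """True only for the correct answer to an unlocked account that has a question."""
    acct = store.get(username)
    if acct is None or acct.answer_hash is None or acct.locked:
        # Same cost and same (false) result as a wrong answer on a real account.
        hmac.compare_digest(_hash_answer(candidate, _DUMMY_SALT), _DUMMY_HASH)
        return False
    if hmac.compare_digest(_hash_answer(candidate, acct.salt), acct.answer_hash):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        # Mirrors the thread's "security lock": the owner recovers out of band, guessing stops.
        acct.locked = True
    return False


def demo_store() -> Dict[str, Account]:
    # Constructed sample data; the "1+1" / "2" pair is the example quoted in the thread.
    store = {"alice": Account("alice"), "bob": Account("bob")}
    set_question(store["alice"], "1+1", "2")
    return store


if __name__ == "__main__":
    s = demo_store()
    print("leaky   :", leaky_prompt(s, "alice"), "|", leaky_prompt(s, "bob"), "|", leaky_prompt(s, "nobody"))
    print("hardened:", hardened_prompt(s, "alice"), "|", hardened_prompt(s, "bob"), "|", hardened_prompt(s, "nobody"))
    print("alice/2 :", hardened_verify(s, "alice", "2"), " bob/2:", hardened_verify(s, "bob", "2"))
```

The lockout is what the thread's "security lock" buys the account owner; the uniform prompt and uniform failure are what stops the recovery form from doubling as a list of which accounts are worth probing. None of it makes a two-digit answer strong, which is why removing the question remains the better fix.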
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
July 07, 2022, 05:20:19 AM
#18
Looks like @newalias is online today, so I expect he'll respond to this thread soon, either because he checks the Meta board or because he found out he has 2 new feedbacks and checked the reference link.


Duh.  Why does theymos even allow this?

It's part of the SMF 1.x feature set[1], so IMO either theymos doesn't bother to remove it or it can't be removed without lots of work.

[1] https://wiki.simplemachines.org/smf/Logging_In
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
July 07, 2022, 05:14:43 AM
#17
I got mine as well, and I was about to tag his a$$ out when I realized he had already been tagged by OP, so I saved my time for something more important. Trying to con the most knowledgeable members of the forum appears stupid to me. Some con artists are dumb.


I suppose he came to a halt the moment he was exposed. You guys are lucky  Grin

No PM for me, I feel left out Sad Maybe that's because trying to restore my account through security questions shows:

I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.

I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing. 