Topic: weird pm received - page 3. (Read 1021 times)

Oh, really? Maybe just the ones with a secret question set. You can figure that out by reading my PM.

This thread is unbelievable dumb. I warned affected users of a security problem and they make public they are affected. But what should I expect from users having set a security question, ignoring a warning? If you set a second password, both can be used to login. How can someone think this improves security, especially when the second password is "5"? I would ask greenplastic that question, but unfortunately he is not able to login.

pwned!


For the record:


I gave only 5 merits for this, because I am widely merit-boycotted; I need to save up, so I can afford to give more when you make a thread about this.

I want public key authentication.  Disable password authentication (like in sshd).  Has the Bitcoin Forum ever heard of such a thing as digital signatures?  Do people here do crypto, or not?  Sigh.

I made some suggestions years ago.  Nothing happened.  Your way is better:  Teach a little lesson, which will be less painful coming from you than from someone who actually wants to pwn a bunch of accounts.  It will more likely result in positive changes.

---

Because I knew alia as I wish for people not to be reminded—ugh.  A smooth-talking gambling addict sex scammer, likely from India or SEA (IIRC), who only temporarily fooled people with a pretense of some technical skills.  Not a German hacker who just kindly refrained from helping himself to some tasty DT accounts.  To make a connection based only on a very vague similarity of names verges on how schizophrenics find secret messages in white noise.

While it seems that it is possible that what you were doing REALLY was "for the good of mankind" and possibly completely altruistic, I believe you went about it the wrong way.  Don't you think simply starting a topic here in META might have avoided the panic created?  You have to admit, the PM's did sound a bit "scammy" as you put it in the title of the PM, and the results, while possibly an overreaction, wouldn't or shouldn't have been totally unexpected.

Edit:  Whatever the motive, you did jolt me into changing my password for the first time in years and to remove my "secret word" for which I didn't even know the answer which I put in when I joined years ago!  Thank you for that. 

Yes, I may be stupid but how are you so sure 🤣

I have not received the PM yet which means I am not in DT too 😉? My bet, the user is targeting people with some other criteria not just a DT.

I received several negative trust. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 second and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

Security questions are a joke and should be disabled. There are members using questions with a probably secure answer or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able unlocking using a fake mail. I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.

Yes, after receiving a PM from a user with a recent email-change and negative reputation asking to change my account-settings I left a preliminary neutral trust saying:
and referenced a screenshot of the PM (https://i.imgur.com/e7RGXmN.png).
I didn't see a reason for negative trust.

After doing more research and reading this thread I removed the neutral trust (took only a few minutes).

Luckily I'm not a DT member, so that damn user didn't target me for that weird PM. 

So far I've received emails about someone trying to hack into my account by forgetting my password (last february to be exact), that's stupid because I'm sure he never knows what my email is. But luckily the odd PM didn't haunt me, but certainly didn't expect to receive it. If there's one later, I'll definitely report it to the mod as soon as I can.

This thread, and newalias’ growing list of negative trust feedbacks, are classic security theatre like the American TSA confiscating nailclippers from grandmas in wheelchairs.  Bruce Schneier should give out some beatings here.

https://www.schneierfacts.com/

IIUC, it is a fan site not affiliated with Bruce Schneier.

---

Or perhaps I have less faith in humanity, especially on this forum.  No good deed goes unpunished, as the aphorism goes.  The guilty get away scot-free—I have seen it happen many times on this forum—while the innocent get burnt at the stake.

Indisputable objective fact:  Having a “secret question” set is dumb.  The users mentioning publicly that they received this PM are declaring to the world, “I do not know how to secure my forum account; and I do not read the forum UI warning which says, ‘Using this feature is not recommended.’”

Sorry to be so blunt, sandy-is-fine.  You seem fine, although you should probably stop using that insecurity misfeature.  Some others are getting on their high horses, making ridiculous statements, proclaiming sanctimoniously (and quite proudy as to their own smarts) that they caught the evil hacker.  WTF?  This would be the most moronic possible way to hack the forum:  Notify people who have weak account security, and give them good advice about how to improve.

“Faith in the goodness of humanity”?  The booby prizes for extreme stupidity thus far go to BitcoinGirl.Club...
...and to three of the four DT red-tags that newalias has thus far accrued:


Yours was more reasonable, but arguable.  If it turns out that newalias’ intentions were non-malicious, I’ll remove my ~ after you remove or neutralize your tag.  (If he was acting maliciously, then of course, I will remove my ~ and give him my own negative; but from available evidence, I think it is improbable.)

These will stay, because the trust feedback texts show extremely poor judgment:


uelque and tweetious giving bad security advice in negative trust feedback shows judgment at least as bad as greenplastic leaving a tag that says, “FUCK THESE FUCKING FUCKERS!! HA!”  Oh, yes.  That user is currently in DT.  No wonder I love DT so very much.

tweetious called a purported intent to communicate with theymos about insecure accounts a “threat”.  If that’s a threat, then threatening people is a virtue.  He also sneers in negative trust feedback at what was actually good security advice—the same advice given in the forum’s profile UI!

uelque smugly implies that a misfeature, which the forum warns people against using, improves the security of his account.

What’s worse than a forum thread full of security theatre?  Negative trust feedback security theatre!

---

I very briefly discussed this with JollyGood upthread.  Adding to what I said there:  When I glanced at the user’s post history before, I noticed that he has a longstanding interest in CAPTCHA systems, and in the breaking of CAPTCHA systems.  Note that his PM claims that he has a secret method to bypass the CAPTCHA, which he says he will discuss only with theymos.


From a thread almost two years ago:

Re: php human verification / antibot v2 ---> i challenge you to defeat it as bot

On 2020-08-01, newalias issued negative trust feedback to the author of bad PHP code.  Egads!  Is it a death_wish sighting?

More recently, but still >30 days ago (thus before the e-mail change), newalias showed other security-related interest in CAPTCHAs:

Re: [ANN] ChipMixer.com - Bitcoin mixer / Bitcoin tumbler - mixing reinvented

---

You are entirely correct!


And you!  IIRC, I walked through the same thought process when I first saw the thread—then somehow confused myself.  Need coffee.  Always my excuse when I make a stupid mistake:  Need more coffee.  :-)

---

^^^ Excellent advice!  If newalias posts the same publicly, preferably on a new Meta thread linked from here, then it will deserve significant merits.  Hint, hint.

@nullius    I think you have too much faith in the goodness of humanity.     Of course you may be right but you have to look at where you are and what often goes on around here and in this world (forum world not geographic world).  User in question recently changed email which can possibly also mean a hacked account.  Do any of his/her previous posts have such altruistic discussions on protecting all of Bitcointalk  humanity?    The PM's in question seems way out of  character for the posters past conversations.  But I guess one never knows. 

Right, I didn't make the connection that frozen = locked I admit . However, we know that hasn't happened since the OP confirmed nothing has happened. Therefore, they haven't frozen anything. So, the whole thing from a white hat perspective doesn't make a whole lot of sense.

Besides, its always best to leave things how they are when it comes to being a white hat. Locking someone out of their account before they can change it, isn't exactly the best idea.

If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer

i got that one

I'm feeling a little silly now, because I've reread it a few times, and I'm still reading it the same way.

Here's the bit I'm talking about:
I've bolded the part which keeps tripping me up. That might be a language barrier thing as suggested, but I'm failing to read that another way other than they've frozen the account, "due to security" giving the impression they have access that a normal user doesn't. Although, its not exactly clear what they're talking about when they say freeze, and what that exactly means either.

The part where they talk about the captcha, and only talking to theymos is separate.

I do however, agree with JollyGood here, it does seem some of the sentences aren't quite fluid, in terms of a native speaker. So, there might be some translation issues here which just complicates the situation.

Hello nullius,

I have set the neg. trust as a precaution, so that other users see that there might be something wrong. Should the whole thing turn positive and the said user have only positive intentions, I will remove the negative trust very gladly again.

In the crypto scene, caution and skepticism is certainly not the worst thing and we old hands have to protect all the new users a bit.

Many greetings
Willi

Would someone in DT please copy my neutral tag before this user’s account gets burned to the ground?  Thanks.

I have excluded two users who are too trigger-happy with neg tags:

[Edited later:  I removed ~willi9974, and excluded some others.]

---

Get a grip.  No other way to say this:  That is ridiculously stupid.

Or am I Greg Maxwell (nullc in many venues) because I call myself “nullius”?  (Someone actually suggested that, years ago.)

---

I noticed that.  But I don’t think it is the problem.

Most people are not actually reading his PM—just panicking, and jumping to conclusions without even reading.  I admit that I myself misread it the first time; please see the edit to my prior post on this thread.


I noticed that, too; but it does not mean much, unless it matches other evidence.  Perhaps the user may be experimenting with his own account security; compare what my prior post said about disabling e-mail addresses.  Or maybe he got a new e-mail address.

Check the username. Does it remind you the user alia? A girl back in 2017 - 2018. She was having everyone's attention. Then caught on planning for scam before resting in peace. Someone is having fun.

I do not see she is ban yet.

I did not receive the PM. Ah well.....

I maybe have less pessimistic view than yours when it comes to human nature in general but I am highly sceptical when to comes to the conduct of many users in this forum therefore I can understand your views and even relate to them.

On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well but his trust currently shows the following message which might mean he is no longer in control of his account: This user's email address was changed recently

Agreed.  [Edit:  I reread the PM quoted in OP.  He does not claim to have frozen accounts.  He seems to have some trick to bypass the CAPTCHA while probing accounts.  He only says that he will report DT accounts with “secret questions” to the administration; that sounds reasonable to me, in itself.]

---

On a side note, I don’t like that the forum doesn’t let you remove your e-mail address, and/or otherwise totally disable password reset by e-mail.  (Yes, you can set a fake e-mail address; but then, you need to be careful to make sure it can never be valid.  And that does not itself totally disable password reset by e-mail.)  I’m not the only one.  Lauda complained to me about that.

On a side note, I don’t like that the forum doesn’t let you disable password authentication, and log in by signing a challenge with your PGP key...  OK, I will stop right here.

---

For the record, I reached out to him by PM as I said I would.  With a link to my post on this thread.  Kind of sticking my neck out, doing that.  Eh.  Anyway, he should be well on notice about this thread.

Looks like @newalias is online today, so i expect he'll respond to this thread soon either because he check Meta board or found out he has 2 new feedback and check reference link.


It's part of SFM 1.x feature[1], so IMO it's either theymos don't bother remove it or it can't be removed without lots of work.

[1] https://wiki.simplemachines.org/smf/Logging_In

I got mine as well, and I was about to tag his a$$ out when I realized he had already been tagged by OP, so I saved my time for something more important. Trying to con the most knowledgeable members of the forum appears stupid to me. Some con artists are dumps.

---

I suppose he came to a halt the moment he was exposed. You guys are lucky