This thread, and newalias’ growing list of negative trust feedbacks, are classic security theatre like the American TSA confiscating nail clippers from grandmas in wheelchairs. Bruce Schneier should give out some beatings here.
https://www.schneierfacts.com/
IIUC, it is a fan site not affiliated with Bruce Schneier.
@nullius I think you have too much faith in the goodness of humanity.
Of course you may be right but you have to look at where you are and what often goes on around here and in this world (forum world not geographic world).
Or perhaps I have less faith in humanity, especially on this forum.
No good deed goes unpunished, as the aphorism goes. The guilty get away scot-free—I have seen it happen many times on this forum—while the innocent get burnt at the stake.
Indisputable objective fact:
Having a “secret question” set is dumb. The users mentioning publicly that they received this PM are declaring to the world, “I do not know how to secure my forum account; and I do not read the forum UI warning which says, ‘Using this feature is not recommended.’”
Sorry to be so blunt, sandy-is-fine. You seem fine, although you should probably stop using that insecurity misfeature. Some others are getting on their high horses, making ridiculous statements, proclaiming sanctimoniously (and quite proudly as to their own smarts) that they caught the evil hacker. WTF? This would be the most moronic possible way to hack the forum: Notify people who have weak account security, and give them good advice about how to improve.
“Faith in the goodness of humanity”? The booby prizes for extreme stupidity thus far go to BitcoinGirl.Club...
Check the username. Does it remind you of the user alia? A girl back in 2017 - 2018. She was having everyone's attention. Then she was caught planning a scam before resting in peace. Someone is having fun.
...and to three of the four DT red-tags that newalias has thus far accrued:
Hello nullius,
I have set the neg. trust as a precaution, so that other users see that there might be something wrong. Should the whole thing turn positive and the said user have only positive intentions, I will remove the negative trust very gladly again.
In the crypto scene, caution and skepticism are certainly not the worst thing, and we old hands have to protect all the new users a bit.
Many greetings
Willi
Yours was more reasonable, but arguable. If it turns out that newalias’ intentions were non-malicious, I’ll remove my ~ after you remove or neutralize your tag. (If he was acting maliciously, then of course, I will remove my ~ and give him my own negative; but from available evidence, I think it is improbable.)
These will stay, because the trust feedback texts show extremely poor judgment:
~greenplastic
~uelque
~tweetious
uelque and tweetious giving bad security advice in negative trust feedback shows judgment at least as bad as greenplastic leaving a tag that says,
“FUCK THESE FUCKING FUCKERS!! HA!” Oh, yes. That user is currently in DT. No wonder I love DT so very much.
tweetious called a purported intent to communicate with theymos about insecure accounts a “threat”. If that’s a threat, then threatening people is a virtue. He also sneers in negative trust feedback at what was actually good security advice—the same advice given in the forum’s profile UI!
uelque smugly implies that a misfeature, which the forum warns people against using, improves the security of his account.
What’s worse than a forum thread full of security theatre? Negative trust feedback security theatre!
The user in question recently changed email, which could also mean a hacked account. Do any of his/her previous posts have such altruistic discussions on protecting all of Bitcointalk humanity?
The PMs in question seem way out of character for the poster's past conversations. But I guess one never knows.
I very briefly discussed this with JollyGood upthread. Adding to what I said there: When I glanced at the user’s post history before, I noticed that he has a longstanding interest in CAPTCHA systems, and in the breaking of CAPTCHA systems. Note that his PM claims that he has a secret method to bypass the CAPTCHA, which he says he will discuss only with theymos.
Captcha is useless as I use some trick I will only discuss with theymos.
From a thread almost two years ago:
Re: php human verification / antibot v2 ---> i challenge you to defeat it as bot
The code of this is a disaster. It does not allow multiple users solving the "captcha" at the same time either.
I am sorry to say so, but the code is the work of a script kiddie.
This captcha is easy to be solved by bots, I agree with Aveatrex.
There are solutions like Google reCaptcha out there, with many, many algorithms. They even watch out for malicious activity, known-bad IP addresses and so on. They have a sort of scoring behind it and make the captcha as difficult as needed for the specific client (or block it altogether).
The only need for another captcha solution is a self-hosted approach, without sending clients' data to Google or some other service providers. To my knowledge, there is no nice solution for PHP as a library. So, your idea is nice, but the current state is absolutely useless.
On 2020-08-01, newalias issued negative trust feedback to the author of bad PHP code. Egads!
Is it a death_wish sighting? More recently, but still >30 days ago (thus before the e-mail change), newalias showed other security-related interest in CAPTCHAs:
Re: [ANN] ChipMixer.com - Bitcoin mixer / Bitcoin tumbler - mixing reinvented
I am glad to see .com is back and I like this approach, but it's going to be interesting to see how long until phishing domains do the same thing, linking to their own scam onion link.
Looks like chipmlxer.com (SCAM!) just got a nice idea from you
However, this is the most advanced scam, even maintaining session expiration time and renew/restore.
I think the new API is really nice but it is a matter of time until scam sites will use it:
Checking and redeeming sessions and vouchers entered or even providing fully functional scam sites, scamming only higher amounts to gain trust.
For sure, the latter can be done with their own infrastructure, but with much more effort.
All scam sites lack captcha, just as an observation.
Captcha is to protect from DoS, I think. That is also a problem for the API, isn't it?
I think API is (or will get) a nightmare.
Does anyone have a clue about how much these sites are making? I would start monitoring on my own otherwise.
Here's the bit I'm talking about:
However, you have a security question in place, which often means lower entropy than a secure password and maybe being easier to guess. The simplest thing I have seen in DefaultTrust was "1+1", where the answer "2" was correct - I have frozen it for security.
You are entirely correct!
If you know/guess someone's secret question, you could lock their account and change their password. No other info is required besides username + secret answer.
And you! IIRC, I walked through the same thought process when I first saw the thread—then somehow confused myself. Need coffee. Always my excuse when I make a stupid mistake: Need more coffee.
:-)
However, you have a security question in place, which often means lower entropy than a secure password and maybe being easier to guess. The simplest thing I have seen in DefaultTrust was "1+1", where the answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower-case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!
The recommended action to take is to remove the security question entirely.
^^^ Excellent advice! If newalias posts the same publicly, preferably on a new Meta thread linked from here, then it will deserve significant merits. Hint, hint.*
* nullius has a longtime personal grudge against so-called “secret questions”.
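As an added illustration of the point in newalias’ quoted post above (example code written for this page, not anything posted in the thread): a defender-side check that estimates how small the guess space of a proposed secret-question answer is, using the answer classes the post lists (age, birth year, initials, common car makes). The space sizes, the small dictionary of common answers and the 40-bit threshold are assumptions for illustration.

```python
import math
import re
import string

# Enumerable answer spaces from the post; sizes are the assumed ranges it names.
ENUMERABLE_SPACES = [
    ("age (0-99)", re.compile(r"\d{1,2}"), 100),
    ("birth year (1940-2022)", re.compile(r"19[4-9]\d|20[01]\d|202[0-2]"), 83),
    ("lower-case initials (aa-zz)", re.compile(r"[a-z]{2}"), 26 * 26),
]

# Constructed, deliberately tiny dictionary standing in for "make of first car"
# style answers; a real attacker's word list would be far larger but still small.
COMMON_ANSWERS = {"toyota", "ford", "honda", "vw", "bmw", "opel", "fiat", "nissan"}

MIN_BITS = 40.0  # assumed policy threshold for an acceptable answer


def answer_space_bits(answer: str) -> tuple[str, float]:
    """Return (category, estimated bits of guessing work) for an answer.

    Checks the enumerable classes first, then the dictionary, and only then
    falls back to a per-character estimate based on the character classes used
    (which overstates strength for real words, hence the dictionary check).
    """
    a = answer.strip()
    for label, pattern, size in ENUMERABLE_SPACES:
        if pattern.fullmatch(a):
            return label, math.log2(size)
    if a.lower() in COMMON_ANSWERS:
        return "common dictionary answer", math.log2(len(COMMON_ANSWERS))
    alphabet = 0
    if any(c.islower() for c in a):
        alphabet += 26
    if any(c.isupper() for c in a):
        alphabet += 26
    if any(c.isdigit() for c in a):
        alphabet += 10
    if any(c in string.punctuation for c in a):
        alphabet += len(string.punctuation)
    if alphabet == 0:
        return "empty", 0.0
    return "free-form", len(a) * math.log2(alphabet)


def is_acceptable_answer(answer: str, min_bits: float = MIN_BITS) -> bool:
    """Policy check: reject answers whose estimated guess space is below min_bits."""
    return answer_space_bits(answer)[1] >= min_bits


def random_password_bits(length: int, alphabet_size: int = 62) -> float:
    """Bits of a uniformly random password over [A-Za-z0-9], for comparison."""
    return length * math.log2(alphabet_size)
```

Running `answer_space_bits("2")` reports under 7 bits (the "1+1" case from the post), and even a 12-character random password scores over 70 bits, so the check shows why no answer in these classes belongs behind an account-recovery path.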