Author

Topic: weird pm received (Read 1103 times)

legendary
Activity: 4256
Merit: 8551
'The right to privacy matters'
July 08, 2022, 10:45:35 PM
#74
I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was wired. Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..
I have considered not using that security question, its very risky for me. I prefer to use a strong password and might consider changing it periodically after someone tries to hack into my account by forget password. I feel silly knowing that someone did it, but actually it surprised me.

So for now, I have to sign the message just in case because I'm really starting to worry if hackers try something more extreme. Please quote and verify me.

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
I _BlackStar, signed this message after someone tried to hack my account a few days ago. This will serve to verify me in the future if this account changes hands.
-----BEGIN SIGNATURE-----
bc1qlctkn6lrzx2sffkfzt6yv6klles72dfdvd3jas
H0K9q5/RICREjfd2h3mvyjZGXqgt1JUH5amrlsZ4Z2DzXYSpdaHCgryUffXw2UGPOOk5GT3ndp0Dw0UkI8KwcYo=
-----END BITCOIN SIGNED MESSAGE-----



But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.
Done.

here is a quote.

I also am locking the thread.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 08, 2022, 07:34:45 PM
#73
What would he have done if he was able to break into one of the accounts he harassed?

Rather than dreaming up hypothetical scenarios about what he didn’t do (but maybe could have?), I am more worried about what a malicious blackhat will do without sending any PMs to anybody.  Not “if”, but “when”.

Also, “harassed” is an interesting word for “gave sound advice, which in some cases was sorely needed.”

Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

Maybe he should have written a thread about it rather than going around trying to break people's security, then threatening them via PM.  Maybe?

...

I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.  And no need to rehash the first three pages of discussion on this thread.
How else could this point have been made?
By creating a thread in Meta.

IIRC, I have made various suggestions in Meta for improving account security.  IIRC, so has OgNasty.  So have others...

The response is always either silence, or “new forum software” vapourware which has only been in development for, what, about seven or eight years?
However, methods like this are inacceptable

At least he understand the problem now.

I can't say I grasp the series of events and the timeline, but warning someone about a potential issue with their password, then demonstrating that it was an issue after being ignored without compromising anything seems like the right way to do it?  How else could this point have been made?
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
July 08, 2022, 05:56:27 PM
#72
Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

Maybe he should have written a thread about it rather than going around trying to break people's security, then threatening them via PM.  Maybe?

What would he have done if he was able to break into one of the accounts he harassed?
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 08, 2022, 05:34:28 PM
#71

xkcd 565, “Security Question”.


Seriously, I do think that some companies are probably exploiting this fantastically stupid insecurity misfeature to suck more personal details out of people.  There is no way that such ill-conceived security theatre could be so popular, unless someone benefits.  It is widespread on sites owned by companies that make money off of personal data.  These companies have professional security teams, who should know better.  People answer these questions with all sorts of obscure details about themselves.  Cui bono?


It seems rather obvious that it's a phishing type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting.  Maybe he's trying to engage people into a discussion, and convince them he's a staff member or an admin, then trick them into leaking more account details?

It seems not obvious at all.  Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

The PM he sent doesn’t make sense for gaining access to the accounts.  It provided good advice.  The way he benignly flushed out two DT accounts with extremely poor “secret question” answers was a work of art.  I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.  And no need to rehash the first three pages of discussion on this thread.

I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
copper member
Activity: 2338
Merit: 4543
Join the world-leading crypto sportsbook NOW!
July 08, 2022, 03:51:38 PM
#70
No PM for me, I feel left out Sad Maybe that's because trying to restore my account through security questions shows:
Code:
Sorry, there is no secret question set for this member.

He might only be targeting DT1 members with the PM, but I didn't get one either.  Maybe my account isn't worth the time.  Cry  

I'm wondering if this is the same shithead that's been trying to change The Pharmacist's password through email reset.  It seems rather obvious that it's a phishing type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting.  Maybe he's trying to engage people into a discussion, and convince them he's a staff member or an admin, then trick them into leaking more account details?
legendary
Activity: 1064
Merit: 1228
Playgram - The Telegram Casino
July 08, 2022, 03:28:16 PM
#69
I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was wired. Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..
I have considered not using that security question, its very risky for me. I prefer to use a strong password and might consider changing it periodically after someone tries to hack into my account by forget password. I feel silly knowing that someone did it, but actually it surprised me.

So for now, I have to sign the message just in case because I'm really starting to worry if hackers try something more extreme. Please quote and verify me.

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
I _BlackStar, signed this message after someone tried to hack my account a few days ago. This will serve to verify me in the future if this account changes hands.
-----BEGIN SIGNATURE-----
bc1qlctkn6lrzx2sffkfzt6yv6klles72dfdvd3jas
H0K9q5/RICREjfd2h3mvyjZGXqgt1JUH5amrlsZ4Z2DzXYSpdaHCgryUffXw2UGPOOk5GT3ndp0Dw0UkI8KwcYo=
-----END BITCOIN SIGNED MESSAGE-----



But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.
Done.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
July 08, 2022, 12:49:34 PM
#68
I couldn't resist Cheesy I set this as a secret question (with a very long random string as answer), but after that, the answer showed an empty field and the why is this blank? link showed "disabled". So I got nervous and wiped it again.
It's safe not to set it up. If it locks the account and do not help to get recover the account then the feature is not helping at all. It's without any purpose and better to disable it.

He can do it, but it must be more than 24 hours from his first post. But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.
I know he can but this is not a service thread in marketplace so I did not think it was worth mentioning. The discussion is not old too. Many users are still making their posts. It was assumable that in few hours we will have more comments.
legendary
Activity: 2464
Merit: 2094
July 08, 2022, 11:11:52 AM
#67
newalias, the forum rules prevent you to post two response in a row.
He can do it, but it must be more than 24 hours from his first post. But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.

Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..
There is confusion here as to why this feature is not closed. There's a message stating that the feature is not recommended as it could be a second password to access the account if someone guesses the answer correctly, but it's not closed yet. I checked mine, luckily I never used this security feature.

Quote
Secret Question:
To help retrieve your password, enter a question here with an answer that only you know.Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.
hero member
Activity: 1659
Merit: 687
LoyceV on the road. Or couch.
July 08, 2022, 10:31:04 AM
#66
Simplest thing I have seen in DefaultTrust was "1+1" with answer
I couldn't resist Cheesy I set this as a secret question (with a very long random string as answer), but after that, the answer showed an empty field and the why is this blank? link showed "disabled". So I got nervous and wiped it again.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
July 08, 2022, 08:58:22 AM
#65
newalias, the forum rules prevent you to post two response in a row.
Quote
I dont see a problem with this statement. This means there is some trick* AND I would discuss it with the most trusted person being in charge. This implies that I will not speak with anyone else or sell the trick to bad guys.
No, this was not the threat. It was okay for users.

Quote
Please get back to me stating how you improved account security
I would say for THIS users felt threaten. You said to get back to you and you said it in PM which was concerning for them. Assuming you had good intention but in the forum we are designed to feel threaten when something comes from a new account. We have been gone through some hacks and phishing attacks are regular things.

I hope others see the same that I realized after paying better attention to your PM.
legendary
Activity: 2408
Merit: 4282
eXch.cx - Automatic crypto Swap Exchange.
July 08, 2022, 08:53:47 AM
#64
I received the PM same day this thread was created as well, it was looking wired but it serve it purpose. I haven't visited my Account Related Settings page for a very long time so I didn't know I added that option when I created my account and the secret question wasn't that secret as I have disclosed it severally while participating in discussion on the forum.  I don't blame myself as I wasn't as knowledgeable as I'm now back then when I created my account.

I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was wired. Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..
copper member
Activity: 143
Merit: 85
July 08, 2022, 08:31:21 AM
#63
Quote
Captcha is useless as I use some trick I will only discuss with theymos.

I dont see a problem with this statement. This means there is some trick* AND I would discuss it with the most trusted person being in charge. This implies that I will not speak with anyone else or sell the trick to bad guys.

*This trick allowed me to scan whole DT for secret question set. It also allows to bruteforce passwords and security answers by the way. This was the intention - to make clear that security answers can be bruteforced, so they are even weaker.



Quote
Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I have to admit that this was not okay. Sorry.

Better I had written sth like "I will check again if you have a security question in place after 5 days. If you want to keep security question, please be advised of the disadvantages (link) and shortly confirm to me that your security answers entropy is sufficient (ie at least as high as your passwords entropy). If nothing happens, I will notify the board administration to ensure DefaultTrust integrity". Next time I would do so. It was never my intention to threat someone.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 08, 2022, 06:24:59 AM
#62
Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.
Members after that time when it was leaked are safe? Is that correct?
Yes (provided that there were no additional forum hacks after 2015).
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
July 08, 2022, 05:31:04 AM
#61
I had a chance to read the whole PM with a cool mind, paid full attention and without been biased. When a PM comes from a lower rank member we usually think something is not right. It's the forum experience that led us to have this suspicious mind.

Read the PM posted again but without considering followings lines
Quote
Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.
Quote
Captcha is useless as I use some trick I will only discuss with theymos.
This is what happened to me when I read get back to me. The moment I read it, I had in mind that this is it, this user was trying to get information from OP and other users.

Read the full PM again. It seems the user's native language is not English. Some choices of words clearly tells that he used translator to pick the words. Yes I agree with buwaytress some words sounds offensive. But I feel that this was not an intent to get something bad from it.

The user asked you to get back to him, could be to suggest you to remove the secret question. If you do not then he will inform theymos so theymos can consider to remove the security question feature entirely for the safety of DT member. It seems he thinks DT members are the ones who need to stay safe so his all effort were to be sure DT accounts are safe.

They only sent the PM to those who had security questions turned on. Somewhere theymos also said that it is not recommended to use security questions because it locks your account and some other hassles when you try to recover the account.
legendary
Activity: 2968
Merit: 3684
Join the world-leading crypto sportsbook NOW!
July 07, 2022, 11:19:18 PM
#60
Oh hey, so I am spending now more time in Meta the past 2 weeks than in my entire bitcointalk lifetime, seem to be crawling down rabbit holes from user posts and ending up here.

So just also realised now I had a completely different reaction to most posts in here -- I replied to newalias actually and explained why I felt my confidence in my answer (a language method I also use for some seed phrases). He actually agreed, though said I shouldn't have given clues to my method. I still think explaining it doesn't help anyone with any software, my answer is as good as a long random string (I believe).

Despite that, I deleted my security question.

Had no idea the whole event already generated a thread here until I looked up his profile now.

Thought to mention here, some small realisation afforded to me because English was my third language (though now practically my first) -- I almost can understand the true "intent" of people in different types of English heh. Reading his PM, I felt no shade of bad behaviour at all, somehow I even understood the meaning behind his "frozen" claim (which he seems to have proven now).

I don't think he was naive though, I do think he comes off as having a slight dick attitude. Personally never found anything wrong with that, and now I see he's German, I totally get it, and I'm not trying to be offensive, many Southeast Asians will find the German's English deliberately dickish heh.

newalias, you've done the forum a favour, hopefully. But you know, you can't always equate a lack of good security behaviour with being dumb. Intelligence, self-awareness and wisdom aren't always on the same page and sometimes live in the same room as recklessness.

As nullius also pointed out, you didn't remove the red trust so you're not infallible yourself.

Now there. I hope not to post in Meta again so soon. I don't know how to act in here.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 08:53:45 PM
#59
I think he deserves the neg trust. As I stated my question was there but was already in a disabled state. So it is far superior then no question at all. Since a hacker would spend all eternity and get no where trying to answer the question.

It was what is the name of my wife's father.

A hacker could have tried every name ever written in the human race and have no answer.

Since I knew I my secret question was disabled but listed I had created a time waster trap for hacker's which this moron fucked up with his clever hacking bs.

So frankly his so called well intended deed fucking helps hackers since they now know security question can be disabled and thus un answerable.

Non sequitur.  Nothing that you said indicates that the user deserves negative trust feedback, or speaks to his trustworthiness in any way.  Beyond that:

First of all, you are creatively rewriting history.  Look back to the beginning of the thread.  You were so scared that you had been hacked, you self-quoted from another account to preserve your post.

Zeroth of all, you have now passed beyond the realm of security theatre into Rube Goldberg style security.  Guess what:  My Bitcoin wallet has “no [secret] question at all” (of this type).  Would it be made “far superior”, if a ridiculously weak insecurity misfeature were added, and then misused in a way that’s less weak?  Please advise:  I am considering the possibility that I may write my own Bitcoin wallet software.

Reductio ad absurdum, would my wallet “fucking help hackers” by only using poor, weak little Bitcoin public keys, without a “secret question” insecurity mechanism?  Should I draft a BIP to add a consensus feature that lets people somehow add coin recovery questions on the blockchain, if they can leave it blank as you describe?  Would that improve Bitcoin’s security to be “far superior” to what it now is? Roll Eyes

I think that you and some others still don’t understand that the whole “secret question” feature is strictly a negative to security, with no security benefits whatsoever.  It was originally an account recovery mechanism:  A per-account backdoor to gain access to an account, without knowing the password.  As mprep informed us, it was changed in 2015 to be “only” a way to lock an account without the password.

I have no “secret question” set on any of my Bitcoin Forum accounts.  My accounts are surely more secure than yours.  You still believe that you can nonsensically add security with a misfeature designed to undermine security; that indicates to me that you do not know how to secure an account.


This PM's didn't come from a high-ranked user, a moderator, or from a highly trusted member. In the contrary, it came from a low-ranked member that has only negative feedback on their trust (both given & taken). If what I said is not clear, this user since 2019 has only provided negative feedback to other users, and not a single positive one (+ the negative feedback that have received so far).
Furthermore, there is a warning on their trust feedback page, that "This user's email address was changed recently."

When I first checked his account after this thread began, he had only one received feedback of any kind:  willi9974’s negative dated 2022-07-07, now removed.  As of early yesterday, he did not have any negative feedbacks not pertaining to this incident.

I don’t know why you think that sent feedback is relevant.  I myself have only rarely sent positive feedback.  In my case, that is intentional and well-considered.  I have written essays as to why—even posted a policy noting this.
General note:  I am extremely conservative in matters of trust.  I do not trust easily; and most of all, I do not vouch lightly.
Anyway, I don’t see why you would issue negative feedback partly on the basis that someone does not trust anyone here.

Generally speaking, when someone (with purely good intentions) are contacting me, letting me know of possible security breaches, and providing me with advice and optional solutions to overcome a possible threat, I am thankful.

What happened here is completely different though. I received a PM from a user that I didn't know & never interacted before with. The topic of the PM was "(No subject)" & was sent to "(Undisclosed recipients)", hence not directed explicitly to me (it was not intended for only me, but to unknown recipients)

In the beginning, there was a short introduction about a "potential" forum security issue, and a mention of their achievement that they have already frozen a user account because the user didn't follow their security standards. (ie they took the law into their hands, and executed it accordingly leaving the user with a locked/frozen account -just because they could-, instead of informing a moderator about the situation and letting them handle it in the most appropriate way).

Then, things started getting a bit more interesting. This user demanded me not only to change my security settings but to also report back to them (secretly via PMs) stating how I improved my account security (ie providing them details about my security settings and the way I "improved" them - ie changed them). Not only that, but they also threaten me that if I do not comply and they do not get a reply back from me, they will report me to the board administration "for our all safety"

Hence, in my point of view, someone was sending PM's acting as forum police, making demands and threats, without even having the authority of doing so, having as an excuse a very critical forum security issue (security question in place).

As I indicated in my initial post on this thread, I thought it was clumsy and naïve.  I think it’s likely that newalias did not foresee the nature of many people’s reactions.  I have seen it before in security contexts:  Someone tries to be helpful, in a way that inadvertently incites suspicions—even panic.

Pending investigation, a precautionary negative feedback may arguably have been warranted.  Well, I do not agree with it; but I also don’t think it necessarily shows poor judgment.  willi9974’s tag said said he received a suspicious PM.  In my opinion, it was hasty; but it was not so unreasonable, in the circumstance.

You and uelque both gave bad security advice in your feedback—as if the “secret question” misfeature were beneficial to security.  You both also jumped to conclusions about a malicious hack.  In my opinion, that shows poor judgment.  I do not want such tags above the fold in my view of trust pages.

greenplastic’s tag was beyond the pale:  A string of all-caps profanities, with no explanation.  That shows extremely poor judgment.

I also disagree with your interpretation of the PM’s wording—with how you read it.

But thank you for explaining; I am glad better to understand your thought process.  I hope you better understand my own thought process from this post.

For my part:  I just saw this thread and thought, “Oh, no.  This fellow is about to be mobbed.”  I do not know newalias, and could not vouch for his intentions; caution was indicated.  But I strongly disagreed with how it seemed that everyone else thus far was jumping to conclusions.  It looked to me more likely than not that he was attempting to improve forum security—maybe going about it in a misguided way, liable to be misunderstood.  I have always detested that stupid “secret question”—thus the strength of my reaction here.
copper member
Activity: 2156
Merit: 983
Part of AOBT - English Translator to Indonesia
July 07, 2022, 08:40:19 PM
#58
hahha i receive the PM yesterday and I ask to him

are u trying sell security program but he said that I must delete the security question in my account  Grin Grin I think this person DM high ranking member
legendary
Activity: 2226
Merit: 1086
duelbits.com
July 07, 2022, 07:16:36 PM
#57
How do you define success? If you think success is hijacking your account you are wrong.
Okay, seems to make sense to me.
I actually have said above, that it should be a small chance if you are trying to hijack DT member accounts.
I guess you understand it, right?



Don't misunderstand or judge too early!!

copper member
Activity: 143
Merit: 85
July 07, 2022, 06:28:12 PM
#56
Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  Cheesy
I have not received the PM yet which means I am not in DT too 😉? My bet, the user is targeting people with some other criteria not just a DT.
Agree. He should have criteria, I assume he is likely to target high-rank accounts.
He may start with DT members, then he will target random members.

In my opinion, that account only tried to make chaos since he won't succeed if he targeted DT members. DT members won't be easily trapped by that weird PM, only careless members can be the victims.

By the way, it is a bit strange why he did this. He must know if he won't have a chance to succeed, but he did it. If he really wants to make chaos or suspicion among the members, what his goals exactly?  Huh



I also got that weird PM.



How do you define success? If you think success is hijacking your account you are wrong.
legendary
Activity: 2226
Merit: 1086
duelbits.com
July 07, 2022, 05:57:08 PM
#55
Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  Cheesy
I have not received the PM yet which means I am not in DT too 😉? My bet, the user is targeting people with some other criteria not just a DT.
Agree. He should have criteria, I assume he is likely to target high-rank accounts.
He may start with DT members, then he will target random members.

In my opinion, that account only tried to make chaos since he won't succeed if he targeted DT members. DT members won't be easily trapped by that weird PM, only careless members can be the victims.

By the way, it is a bit strange why he did this. He must know if he won't have a chance to succeed, but he did it. If he really wants to make chaos or suspicion among the members, what his goals exactly?  Huh



I also got that weird PM.

sr. member
Activity: 2060
Merit: 405
Cryptoshi Blockomoto
July 07, 2022, 05:24:43 PM
#54
uelque and tweetious giving bad security advice in negative trust feedback shows judgment at least as bad as greenplastic leaving a tag that says, FUCK THESE FUCKING FUCKERS!! HA!  Oh, yes.  That user is currently in DT.  No wonder I love DT so very much.

tweetious called a purported intent to communicate with theymos about insecure accounts a “threat”.  If that’s a threat, then threatening people is a virtue.  He also sneers in negative trust feedback at what was actually good security advice—the same advice given in the forum’s profile UI!

Since my name was mentioned here, followed by allegations that I am giving bad security advice, and being a serial "trigger-happy with negative trust feedback" (as mentioned in the trust feedback that I received), I thought of chipping in and explaining the reasoning behind I providing such feedback.

Generally speaking, when someone (with purely good intentions) are contacting me, letting me know of possible security breaches, and providing me with advice and optional solutions to overcome a possible threat, I am thankful.

What happened here is completely different though. I received a PM from a user that I didn't know & never interacted before with. The topic of the PM was "(No subject)" & was sent to "(Undisclosed recipients)", hence not directed explicitly to me (it was not intended for only me, but to unknown recipients)

In the beginning, there was a short introduction about a "potential" forum security issue, and a mention of their achievement that they have already frozen a user account because the user didn't follow their security standards. (ie they took the law into their hands, and executed it accordingly leaving the user with a locked/frozen account -just because they could-, instead of informing a moderator about the situation and letting them handle it in the most appropriate way).

Then, things started getting a bit more interesting. This user demanded me not only to change my security settings but to also report back to them (secretly via PMs) stating how I improved my account security (ie providing them details about my security settings and the way I "improved" them - ie changed them). Not only that, but they also threaten me that if I do not comply and they do not get a reply back from me, they will report me to the board administration "for our all safety"

Hence, in my point of view, someone was sending PM's acting as forum police, making demands and threats, without even having the authority of doing so, having as an excuse a very critical forum security issue (security question in place).

This PM's didn't come from a high-ranked user, a moderator, or from a highly trusted member. In the contrary, it came from a low-ranked member that has only negative feedback on their trust (both given & taken). If what I said is not clear, this user since 2019 has only provided negative feedback to other users, and not a single positive one (+ the negative feedback that have received so far).
Furthermore, there is a warning on their trust feedback page, that "This user's email address was changed recently."

The reason for leaving negative trust feedback was not to hurt newalias reputation but to warn potential receivers of those PM's that it is a bad tactic and "bad security advice" (what nullius is accusing me that I provide) to reply to unknown senders PM's and providing sensitive security information about their account (specifically when someone is actually demanding about them, and letting them know that they will get reported if not doing so). Especially, coming from a user that claims that they have hacked/breached/tricked (whatever the right word is) the forums Captcha security system.

@newalias I have nothing against you, and I do not want to turn this into a drama. You might have the purest intentions, however, it was so badly executed that your PM actually turned into a security concern (instead of the security issue that you were forcing other users to comply with)

@nullius I disagree with you that I am a serial "trigger-happy with negative trust feedback". If you still believe so, I totally respect your opinion and have no hard feelings at all. (you can leave your trust feedback as is). My trust feedback history is open to everyone to see, hence everyone could end up to conclusions whenever I misuse the trust feedback by providing negative feedback without reasoning.
Yes, I agree that using "neutral" feedback instead of negative might have been an option. However (as said) due to the amount and the combination of all those red flags together, I wanted to do my best of triggering PM receivers (by reading my text in red), so as not to fall into a potential phishing scam attempt.

Here is the PM that I received. I have indicated in bold, all those segments that support my above elaboration.

Edit: just to be crystal clear, I do not disagree that having a security question in place, might be a security issue for your account.

Quote
Hi there,

you are member of DefaultTrust. Therefore, the security of your account is crucial.

However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!
legendary
Activity: 4256
Merit: 8551
'The right to privacy matters'
July 07, 2022, 05:21:17 PM
#53
Yeah, it was the wording of the personal message that was tripping me up. Might have been a better option to contact the admins, and say you're aware of someone's security question, they could've possibly checked, and then forced the security question to be disabled, rather than forcibly locking an account. Maybe, the admins could've messaged only those with security questions enabled, I'm not sure of the best way of going about this.

Also, not a fan of talking about the specifics of a certain users security question as that could potentially be a further security/privacy issue.

However, I think the point has been made, and hopefully this highlights the issues of a security question. Personally, I'd prefer it to be removed, but at the very least hopefully this wakes up some users to discontinue using it.

For those that are unaware; Security questions are designed in such a way, that it encourages you to ask a question, and then directly answer that question, therefore it's no longer random. We've talked about random for ages now, and how it's important to generation of passwords. So, the mere fact you come up with the question, and the answer usually means you either reduce the randomness or completely remove it. You could say you'll have a answer that's not something that's related to the question, but it likely is as we as people aren't very good at thinking randomly.

I was about to conclude that the message was only sent to high ranking members only, I just found out that DT members were the only target, I am just wondering what exactly this user is trying to achieve by this
You're much more likely to make a point, if you make it to the higher ranked users of the forum, as the point hits closer to home, than doing this to someone who is of a lower rank. The user has proven that security questions are ridiculously stupid, which we kind of knew anyway, but has highlighted that to those that don't know it.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of)
Maybe check it, and amend it if so.


I think he deserves the neg trust. As I stated my question was there but was already in a disabled state. So it is far superior then no question at all. Since a hacker would spend all eternity and get no where trying to answer the question.

It was what is the name of my wife's father.

A hacker could have tried every name ever written in the human race and have no answer.

Since I knew I my secret question was disabled but listed I had created a time waster trap for hacker's which this moron fucked up with his clever hacking bs.

So frankly his so called well intended deed fucking helps hackers since they now know security question can be disabled and thus un answerable.
copper member
Activity: 783
Merit: 710
Defend Bitcoin and its PoW: bitcoincleanup.com
July 07, 2022, 05:14:39 PM
#52
If you really wanted the secret question option removed by admin. Why didn't you just opt for the Security bounties option?

Because filling in the secret question and answer is a security risk. The bounty is for security vulnerabilities.

Copying your seed and password in a notepad is a major security risk, but Electrum will not pay you if you mention it's a common practice of their users...  Wink
copper member
Activity: 2170
Merit: 1822
Top Crypto Casino
July 07, 2022, 04:55:00 PM
#51
At least he understand the problem now.
I have a question.

If you really wanted the secret question option removed by admin. Why didn't you just opt for the Security bounties option?
I think it would have been a quicker way of getting his attention.

Some people are very sensitive when they realize someone tried to gain access to their account, regardless of your motive.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 04:24:35 PM
#50
Negative trust removed, thanks for the clarification

~willi9974 removed; my neutral feedback “This user is too trigger-happy with negative trust feedback. ~willi9974” is deleted.  I will edit a relevant prior post accordingly, in case anyone reads it out of context.  [Done.]  Thanks for the correction.

My other recent trust actions will stay (modulo the need for some refinements and extensions).
legendary
Activity: 3500
Merit: 2792
Enjoy 500% bonus + 70 FS
July 07, 2022, 04:10:54 PM
#49
Negative trust removed, thanks for the clarification
copper member
Activity: 143
Merit: 85
July 07, 2022, 03:36:59 PM
#48
Don't be naive and just delete that damn question already !

If an empty answer would allow you to set a question without having any correct answer, that would be interesting to steal time and resources of an attacker (without wasting own time). However, a long random string should have the same result. But I feel uncomfortable with having any security question active.
copper member
Activity: 783
Merit: 710
Defend Bitcoin and its PoW: bitcoincleanup.com
July 07, 2022, 03:29:00 PM
#47
According to https://bitcointalk.org/index.php?action=helpadmin;help=secret_why_blank the feature is disabled if you set a question without setting an answer, right?

Don't be naive and just delete that damn question already !

staff
Activity: 3304
Merit: 4115
July 07, 2022, 03:18:25 PM
#46
That's the point I've been looking at as opposed to Jackg's speculation earlier to have have just a friendly advice. It's far from anything friendly with the way I see it. This could be a possible tip-off on where to start the hack and what tricks he or she could use.
Yeah, mprep summed it up nicely. Don't communicate, at least with any detail in relation to security with users that might do this sort of thing, as it could lead to a social engineering attempt.

I think most suspicions came from how the personal message was worded, but also we're a rather suspicious community as a whole. Which, neither helps when combined. I do think things could've been handled a bit better, but the actions have already been taken.

Like I said, I was somewhat suspicious to how the personal message was worded, but I wasn't ready to get the pitchfork out yet.
legendary
Activity: 1554
Merit: 1139
July 07, 2022, 03:12:56 PM
#45
Likely, by asking you to get back to them how you secured your account after removing it, is likely a way to get more information.
That's the point I've been looking at as opposed to Jackg's speculation earlier to have have just a friendly advice. It's far from anything friendly with the way I see it. This could be a possible tip-off on where to start the hack and what tricks he or she could use. Else, why would the user need a feedback on if you hackened to his/her advice or not.
By the user being aware of a security question to have been activated on the account, it simply means there have possibly been att.epts on hacking the account and that was some of the recovery options presented. Hence, having it set up doenst guarantee much safety as, a signed address could aid a lot in the course of forgotten details and getting your account back at any point.

Am not a DT just yet neither have I gotten the pm making rounds but am sure this user isn't done yet and would be trying his luck on other accounts.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 03:11:35 PM
#44
How else could this point have been made?
By creating a thread in Meta.

IIRC, I have made various suggestions in Meta for improving account security.  IIRC, so has OgNasty.  So have others...

The response is always either silence, or “new forum software” vapourware which has only been in development for, what, about seven or eight years?

[ANN] Nulltalk, the new new forum software

Everything on this forum makes me rage nowadays

Me, too.  Let’s do something constructive about it.

I propose that I myself should indeed write the new new forum software.  As aforesaid, I will write it in C, then rewrite it in Rust; if I need to take more time, then along the way, I may also rewrite the code in Java, C#, Go, Javascript, Python, C++ with Boost, C++ without Boost, COBOL, MUMPS, Solidity, Visual BASIC, LISP, FORTRAN, and/or Brainfuck.  I don’t know many of these languages; thus, the schedule slippage will be spectacular as I spend time learning.  My proposed schedule is to deliver a feature-incomplete pre-alpha demo by the 2028 Halving, a beta before BIP 42 becomes economically relevant, and the official 1.0 release before the heat death of the universe—maybe.  I’m so slick!

The project is called Nulltalk, because its distinguishing innovation shall be that it autobans all users, and stores all posts in the /dev/null NoSQL database.  Thus, there shall be no talk.  Silence!  Hey—if John Cage could sell records this way, why can’t I build a forum that forbids all discussion?  Also, I shall integrate the zero-dimensional graph-theoretic /dev/null NoSQL cloud database with Blockchain, because Blockchain has maximal synergies with buzzwords in Enterprise NoSQL Cloud Blockchain.

Because it auto-bans all users, Nulltalk’s user accounts shall be totally unhackable.  Purr-fect security. 😼
staff
Activity: 3304
Merit: 4115
July 07, 2022, 03:04:16 PM
#43
Yeah, it was the wording of the personal message that was tripping me up. Might have been a better option to contact the admins, and say you're aware of someone's security question, they could've possibly checked, and then forced the security question to be disabled, rather than forcibly locking an account. Maybe, the admins could've messaged only those with security questions enabled, I'm not sure of the best way of going about this.

Also, not a fan of talking about the specifics of a certain users security question as that could potentially be a further security/privacy issue.

However, I think the point has been made, and hopefully this highlights the issues of a security question. Personally, I'd prefer it to be removed, but at the very least hopefully this wakes up some users to discontinue using it.

For those that are unaware; Security questions are designed in such a way, that it encourages you to ask a question, and then directly answer that question, therefore it's no longer random. We've talked about random for ages now, and how it's important to generation of passwords. So, the mere fact you come up with the question, and the answer usually means you either reduce the randomness or completely remove it. You could say you'll have a answer that's not something that's related to the question, but it likely is as we as people aren't very good at thinking randomly.

I was about to conclude that the message was only sent to high ranking members only, I just found out that DT members were the only target, I am just wondering what exactly this user is trying to achieve by this
You're much more likely to make a point, if you make it to the higher ranked users of the forum, as the point hits closer to home, than doing this to someone who is of a lower rank. The user has proven that security questions are ridiculously stupid, which we kind of knew anyway, but has highlighted that to those that don't know it.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of)
Maybe check it, and amend it if so.
copper member
Activity: 143
Merit: 85
July 07, 2022, 02:48:46 PM
#42
According to https://bitcointalk.org/index.php?action=helpadmin;help=secret_why_blank the feature is disabled if you set a question without setting an answer, right?

Maybe, but question and form to answer is shown
legendary
Activity: 2422
Merit: 1083
Leading Crypto Sports Betting & Casino Platform
July 07, 2022, 02:46:37 PM
#41
I was about to conclude that the message was only sent to high ranking members only, I just found out that DT members were the only target, I am just wondering what exactly this user is trying to achieve by this, because I believe its impossible to hack an account without having access to the password, now, my confusion is, how is it possible for an account to be hacked through a message like this ?, what kind of action is the sender of this PMs expecting his/her targets to take so as to enable him or her gain access to the target's account?
knowing this, I believe will keep us on a safer side.  
donator
Activity: 4760
Merit: 4323
Leading Crypto Sports Betting & Casino Platform
July 07, 2022, 02:38:19 PM
#40
However, methods like this are inacceptable

At least he understand the problem now.

I can't say I grasp the series of events and the timeline, but warning someone about a potential issue with their password, then demonstrating that it was an issue after being ignored without compromising anything seems like the right way to do it?  How else could this point have been made?

I think the problem was that the PMs were worded strangely as if it was sent from a scammer.  Perhaps something a little more simple and to the point would have been more effective.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of) or maybe I'm not in DT anymore.  Who knows?
copper member
Activity: 143
Merit: 85
July 07, 2022, 02:24:17 PM
#39
However, methods like this are inacceptable

At least he understand the problem now.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 02:22:12 PM
#38
I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
QFT.


Thanks, mprep—I did not know this:

This is a Public Service Announcement:

If you lose your password, DO NOT USE THE SECRET QUESTION TO RECOVER THE ACCOUNT. It will result in your account being locked. Please use the email recovery option to recover the account.

(This post is obviously edited.  I saw the below before I saw the above.)


The PM looked scammy but I guess it was "okay" after reading this thread.

However, methods like this are inacceptable:
I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 second and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Would you prefer that he have left an insecure account wide-open for someone else to hack?  While greenplastic himself not only ignored good advice about securing his account, but attacked the giver of the advice with negative trust feedback?  Please advise if you think that would be a better solution.

If he only locked the accounts, I don’t think he did anything wrong.  (Not legal advice.  Speaking ethically here.)  theymos can check server logs to see what he really did.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
July 07, 2022, 02:21:26 PM
#37
LOL, I did BEFORE you posted!  Cheesy  (sort-of)


pwned!

I received several negative trust. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 second and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

For the record:

Security questions are a joke and should be disabled. There are members using questions with a probably secure question or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able unlocking using a fake mail. I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.

I gave only 5 merits for this, because I am widely merit-boycotted; I need to save up, so I can afford to give more when you make a thread about this.

I want public key authentication.  Disable password authentication (like in sshd).  Has the Bitcoin Forum ever heard of such a thing as digital signatures?  Do people here do crypto, or not?  Sigh.

I made some suggestions years ago.  Nothing happened.  Your way is better:  Teach a little lesson, which will be less painful coming from you than from someone who actually wants to pwn a bunch of accounts.  It will more likely result in positive changes.


Check the username. Does it remind you the user alia?

Roll Eyes

Get a grip.  No other way to say this:  That is ridiculously stupid.
Yes, I may be stupid but how are you so sure 🤣

Because I knew alia as I wish for people not to be reminded—ugh.  A smooth-talking gambling addict sex scammer, likely from India or SEA (IIRC), who only temporarily fooled people with a pretense of some technical skills.  Not a German hacker who just kindly refrained from helping himself to some tasty DT accounts.  To make a connection based only on a very vague similarity of names verges on how schizophrenics find secret messages in white noise.
jr. member
Activity: 41
Merit: 793
inactive
July 07, 2022, 02:13:55 PM
#37
While it seems that it is possible that what you were doing REALLY was "for the good of mankind" and possibly completely altruistic, I believe you went about it the wrong way.  Don't you think simply starting a topic here in META might have avoided the panic created?  You have to admit, the PM's did sound a bit "scammy" as you put it in the title of the PM, and the results, while possibly an overreaction, wouldn't or shouldn't have been totally unexpected.
The PM looked scammy but I guess it was not optimal, but "okay" after reading this thread.

However, methods like this are inacceptable:
I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "XXX" as answer to "XXX". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 second and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

Security questions are a joke and should be disabled. There are members using questions with a probably secure answer or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.
(and very likely illegal.)



pwned!
My hat is a little bit grey, so I probably would have switched the stupid negative feedback against myself to positive before locking the account.  lulz.
Saying you would have performed black-hat/gray-hat-activities -- are you serious?
Code:
~nullius



I temporarily re-added a neutral entry in order to prevent more negative trust and redirect people to this thread.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
July 07, 2022, 02:16:40 PM
#36
I don't know what the user's motivation is, but on the surface the advice about not using the security question feature is very much on point: security questions are insecure and shouldn't be used on any website (if possible). Use a really strong password and have a valid email set so you can recover your account in case you forget your password. More importantly, having a weak security question on Bitcointalk allows an attacker to easily lock someone's account (see https://bitcointalksearch.org/topic/psa-accounts-will-be-locked-if-the-secret-question-is-used-to-recover-it-1206977).

You probably shouldn't message him back about anything related to the security of your account - as others pointed out, that may be the start of a social engineering attack.

On a side note, I don’t like that the forum doesn’t let you remove your e-mail address, and/or otherwise totally disable password reset by e-mail.  (Yes, you can set a fake e-mail address; but then, you need to be careful to make sure it can never be valid.  And that does not itself totally disable password reset by e-mail.)  I’m not the only one.  Lauda complained to me about that.
While I'm not sure whether it's 100% secure, an idea would be to set the email to something like [email protected] since .test (and similar TLDs) "is not intended to ever be installed into the global Domain Name System (DNS) of the Internet" (from https://en.wikipedia.org/wiki/.test).
copper member
Activity: 143
Merit: 85
July 07, 2022, 02:13:49 PM
#35
My bet, the user is targeting people with some other criteria not just a DT.

Oh, really? Maybe just the ones with a secret question set. You can figure that out by reading my PM.

This thread is unbelievable dumb. I warned affected users of a security problem and they make public they are affected. But what should I expect from users having set a security question, ignoring a warning? If you set a second password, both can be used to login. How can someone think this improves security, especially when the second password is "5"? I would ask greenplastic that question, but unfortunately he is not able to login.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 02:13:24 PM
#34
pwned!

I received several negative trust. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 second and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

For the record:

Security questions are a joke and should be disabled. There are members using questions with a probably secure question or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able unlocking using a fake mail. I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.

I gave only 5 merits for this, because I am widely merit-boycotted; I need to save up, so I can afford to give more when you make a thread about this.

I want public key authentication.  Disable password authentication (like in sshd).  Has the Bitcoin Forum ever heard of such a thing as digital signatures?  Do people here do crypto, or not?  Sigh.

I made some suggestions years ago.  Nothing happened.  Your way is better:  Teach a little lesson, which will be less painful coming from you than from someone who actually wants to pwn a bunch of accounts.  It will more likely result in positive changes.


Check the username. Does it remind you the user alia?

Roll Eyes

Get a grip.  No other way to say this:  That is ridiculously stupid.
Yes, I may be stupid but how are you so sure 🤣

Because I knew alia as I wish for people not to be reminded—ugh.  A smooth-talking gambling addict sex scammer, likely from India or SEA (IIRC), who only temporarily fooled people with a pretense of some technical skills.  Not a German hacker who just kindly refrained from helping himself to some tasty DT accounts.  To make a connection based only on a very vague similarity of names verges on how schizophrenics find secret messages in white noise.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
July 07, 2022, 02:07:08 PM
#33
While it seems that it is possible that what you were doing REALLY was "for the good of mankind" and possibly completely altruistic, I believe you went about it the wrong way.  Don't you think simply starting a topic here in META might have avoided the panic created?  You have to admit, the PM's did sound a bit "scammy" as you put it in the title of the PM, and the results, while possibly an overreaction, wouldn't or shouldn't have been totally unexpected.

Edit:  Whatever the motive, you did jolt me into changing my password for the first time in years and to remove my "secret word" for which I didn't even know the answer which I put in when I joined years ago!  Thank you for that.  Cheesy


I received several negative trust. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?".

Proof: https://bitcointalk.org/seclog.php

Security questions are a joke and should be disabled. There are members using questions with a probably answer or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able unlocking using a fake mail. I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
July 07, 2022, 01:41:31 PM
#32
Check the username. Does it remind you the user alia?

Roll Eyes

Get a grip.  No other way to say this:  That is ridiculously stupid.
Yes, I may be stupid but how are you so sure 🤣

Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  Cheesy
I have not received the PM yet which means I am not in DT too 😉? My bet, the user is targeting people with some other criteria not just a DT.

copper member
Activity: 143
Merit: 85
July 07, 2022, 01:41:01 PM
#31
I received several negative trust. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as answer to "how old was justin in 1980?". He was warned and had left this stupid question (answer should be between 0 and 99, the rate limit is one try per 45 second and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

Security questions are a joke and should be disabled. There are members using questions with a probably secure answer or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able unlocking using a fake mail. I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
jr. member
Activity: 41
Merit: 793
inactive
July 07, 2022, 01:28:45 PM
#31
Later than any of the above, Nestade left a DT “neutral” alert.  It does not link to this thread.  He seems to have removed it now.
Yes, after receiving a PM from a user with a recent email-change and negative reputation asking to change my account-settings I left a preliminary neutral trust saying:
Quote
Received suspicious PM by this user, additionally "This user's email address was changed recently."

(Feedback will be deleted/changed, as soon as there is more information).
and referenced a screenshot of the PM (https://i.imgur.com/e7RGXmN.png).
I didn't see a reason for negative trust.

After doing more research and reading this thread I removed the neutral trust (took only a few minutes).
legendary
Activity: 2464
Merit: 2094
July 07, 2022, 01:22:42 PM
#30
Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  Cheesy

So far I've received emails about someone trying to hack into my account by forgetting my password (last february to be exact), that's stupid because I'm sure he never knows what my email is. But luckily the odd PM didn't haunt me, but certainly didn't expect to receive it. If there's one later, I'll definitely report it to the mod as soon as I can.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 01:19:07 PM
#29
This thread, and newalias’ growing list of negative trust feedbacks, are classic security theatre like the American TSA confiscating nailclippers from grandmas in wheelchairs.  Bruce Schneier should give out some beatings here.

https://www.schneierfacts.com/

IIUC, it is a fan site not affiliated with Bruce Schneier.


@nullius    I think you have too much faith in the goodness of humanity.  Cheesy Cheesy Cheesy   Of course you may be right but you have to look at where you are and what often goes on around here and in this world (forum world not geographic world).

Or perhaps I have less faith in humanity, especially on this forum.  No good deed goes unpunished, as the aphorism goes.  The guilty get away scot-free—I have seen it happen many times on this forum—while the innocent get burnt at the stake.

Indisputable objective fact:  Having a “secret question” set is dumb.  The users mentioning publicly that they received this PM are declaring to the world, “I do not know how to secure my forum account; and I do not read the forum UI warning which says, ‘Using this feature is not recommended.’”

Sorry to be so blunt, sandy-is-fine.  You seem fine, although you should probably stop using that insecurity misfeature.  Some others are getting on their high horses, making ridiculous statements, proclaiming sanctimoniously (and quite proudy as to their own smarts) that they caught the evil hacker.  WTF?  This would be the most moronic possible way to hack the forum:  Notify people who have weak account security, and give them good advice about how to improve.

“Faith in the goodness of humanity”?  The booby prizes for extreme stupidity thus far go to BitcoinGirl.Club...
Check the username. Does it remind you the user alia? A girl back in 2017 - 2018. She was having everyone's attention. Then caught on planning for scam before resting in peace. Someone is having fun.
...and to three of the four DT red-tags that newalias has thus far accrued:

Hello nullius,

I have set the neg. trust as a precaution, so that other users see that there might be something wrong. Should the whole thing turn positive and the said user have only positive intentions, I will remove the negative trust very gladly again.

In the crypto scene, caution and skepticism is certainly not the worst thing and we old hands have to protect all the new users a bit.

Many greetings
Willi

Yours was more reasonable, but arguable.  If it turns out that newalias’ intentions were non-malicious, I’ll remove my ~ after you remove or neutralize your tag.  (If he was acting maliciously, then of course, I will remove my ~ and give him my own negative; but from available evidence, I think it is improbable.)

These will stay, because the trust feedback texts show extremely poor judgment:

Code:
~greenplastic
~uelque
~tweetious

uelque and tweetious giving bad security advice in negative trust feedback shows judgment at least as bad as greenplastic leaving a tag that says, FUCK THESE FUCKING FUCKERS!! HA!  Oh, yes.  That user is currently in DT.  No wonder I love DT so very much.

tweetious called a purported intent to communicate with theymos about insecure accounts a “threat”.  If that’s a threat, then threatening people is a virtue.  He also sneers in negative trust feedback at what was actually good security advice—the same advice given in the forum’s profile UI!

uelque smugly implies that a misfeature, which the forum warns people against using, improves the security of his account.

What’s worse than a forum thread full of security theatre?  Negative trust feedback security theatre!


User in question recently changed email which can possibly also mean a hacked account.  Do any of his/her previous posts have such altruistic discussions on protecting all of Bitcointalk  humanity?  Cheesy  The PM's in question seems way out of  character for the posters past conversations.  But I guess one never knows.  

I very briefly discussed this with JollyGood upthread.  Adding to what I said there:  When I glanced at the user’s post history before, I noticed that he has a longstanding interest in CAPTCHA systems, and in the breaking of CAPTCHA systems.  Note that his PM claims that he has a secret method to bypass the CAPTCHA, which he says he will discuss only with theymos.

Captcha is useless as I use some trick I will only discuss with theymos.

From a thread almost two years ago:

Re: php human verification / antibot v2 ---> i challenge you to defeat it as bot
The code of this is a disaster. It does not allow multiple users solving the "captcha" at the same time either.  Roll Eyes
I am sorry to say so, but the code is the work of a script kiddie.

This captcha is easy to be solved by bots, I agree with Aveatrex.

There are solutions like Google reCaptcha out there, with many, many algorithms. They even watch out for malicious activity, badly-known IP addresses and so on. They have sort of scoring behind it and make the captcha as difficult as needed for the specific client (or block it at all).

The only need for another captcha solution is a self-hosted approach, without sending clients data to Google or some other service providers. To my knowledge, there is no nice solution for PHP as library. So, your idea is nice, but the current state is absolutely useless.

On 2020-08-01, newalias issued negative trust feedback to the author of bad PHP code.  Egads!  Is it a death_wish sighting? Roll Eyes

More recently, but still >30 days ago (thus before the e-mail change), newalias showed other security-related interest in CAPTCHAs:

Re: [ANN] ChipMixer.com - Bitcoin mixer / Bitcoin tumbler - mixing reinvented
I am glad to see .com is back and I like this approach, but it's going to be interesting to see how long until phishing domain do the same thing, linking to their own scam onion link.

Looks like chipmlxer.com (SCAM!) just got a nice idea from you  Undecided

However, this is the most advanced scam, even maintaining session expiration time and renew/restore.

I think the new API is really nice but it is a matter of time until scam sites will use it:
Checking and redeeming sessions and vouchers entered or even providing fully functional scam sites, scamming only higher amounts to gain trust.
For sure, the latter can be done with own infrastructure, but with much more effort.

All scam sites lack captcha, just as observation.
Captcha is to protect from DoS, I think. That is also a problem for API, isnt it?
I think API is (or will get) a nightmare.

Anyone has a clue about how many these sites are making? I would start monitoring on my own otherwise.


Here's the bit I'm talking about:
However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security.

You are entirely correct!

If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer

And you!  IIRC, I walked through the same thought process when I first saw the thread—then somehow confused myself.  Need coffee.  Always my excuse when I make a stupid mistake:  Need more coffee.  :-)


However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all.

^^^ Excellent advice!  If newalias posts the same publicly, preferably on a new Meta thread linked from here, then it will deserve significant merits.  Hint, hint.

* nullius has a longtime personal grudge against so-called “secret questions”.
legendary
Activity: 1919
Merit: 1230
AKA Ms-overzealous-condecsending-explitive-account
July 07, 2022, 11:26:09 AM
#28
@nullius    I think you have too much faith in the goodness of humanity.  Cheesy Cheesy Cheesy   Of course you may be right but you have to look at where you are and what often goes on around here and in this world (forum world not geographic world).  User in question recently changed email which can possibly also mean a hacked account.  Do any of his/her previous posts have such altruistic discussions on protecting all of Bitcointalk  humanity?  Cheesy  The PM's in question seems way out of  character for the posters past conversations.  But I guess one never knows. 
staff
Activity: 3304
Merit: 4115
July 07, 2022, 10:55:11 AM
#27
If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer
Right, I didn't make the connection that frozen = locked I admit Tongue. However, we know that hasn't happened since the OP confirmed nothing has happened. Therefore, they haven't frozen anything. So, the whole thing from a white hat perspective doesn't make a whole lot of sense.

Besides, its always best to leave things how they are when it comes to being a white hat. Locking someone out of their account before they can change it, isn't exactly the best idea.

copper member
Activity: 783
Merit: 710
Defend Bitcoin and its PoW: bitcoincleanup.com
July 07, 2022, 09:59:17 AM
#26
They've already claimed that they've frozen accounts, which isn't really possible, unless they had some kind of database access, which would mean they'd be able to remove the security questions themselves if they really wanted too.



If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer

Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.

legendary
Activity: 4256
Merit: 8551
'The right to privacy matters'
July 07, 2022, 08:31:04 AM
#25
so it's probably just an unsolicited piece of advice.
I don't know if we read the same PM, because it totally looks like some kind of phishing attempt to me--and a bad one at that, despite all the technical garbledegoo.

I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing.  And not that it matters, but I recently got a PM from some guy who wanted to pay me for a review of some app.  The devil was on my shoulder and I wanted to string him along for a bit, but I lost motivation after his second reply.  I'm wondering if other DT members got that same PM, because I'm pretty sure I wasn't singled out for that one.

i got that one
staff
Activity: 3304
Merit: 4115
July 07, 2022, 08:15:53 AM
#24
On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well

I noticed that.  But I don’t think it is the problem.

Most people are not actually reading his PM—just panicking, and jumping to conclusions without even reading.  I admit that I myself misread it the first time; please see the edit to my prior post on this thread.
I'm feeling a little silly now, because I've reread it a few times, and I'm still reading it the same way.

Here's the bit I'm talking about:
However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security.
I've bolded the part which keeps tripping me up. That might be a language barrier thing as suggested, but I'm failing to read that another way other than they've frozen the account, "due to security" giving the impression they have access that a normal user doesn't. Although, its not exactly clear what they're talking about when they say freeze, and what that exactly means either.

The part where they talk about the captcha, and only talking to theymos is separate.

I do however, agree with JollyGood here, it does seem some of the sentences aren't quite fluid, in terms of a native speaker. So, there might be some translation issues here which just complicates the situation.



legendary
Activity: 3500
Merit: 2792
Enjoy 500% bonus + 70 FS
July 07, 2022, 06:21:48 AM
#23
Would someone in DT please copy my neutral tag before this user’s account gets burned to the ground?  Thanks.

I have excluded two users who are too trigger-happy with neg tags:
Code:
~willi9974
~tweetious


Hello nullius,

I have set the neg. trust as a precaution, so that other users see that there might be something wrong. Should the whole thing turn positive and the said user have only positive intentions, I will remove the negative trust very gladly again.

In the crypto scene, caution and skepticism is certainly not the worst thing and we old hands have to protect all the new users a bit.

Many greetings
Willi
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 05:15:04 AM
#22
Would someone in DT please copy my neutral tag before this user’s account gets burned to the ground?  Thanks.

I have excluded two users who are too trigger-happy with neg tags:
Code:
[edited out]
~tweetious

[Edited later:  I removed ~willi9974, and excluded some others.]


Check the username. Does it remind you the user alia?

Roll Eyes

Get a grip.  No other way to say this:  That is ridiculously stupid.

Or am I Greg Maxwell (nullc in many venues) because I call myself “nullius”?  (Someone actually suggested that, years ago.)


On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well

I noticed that.  But I don’t think it is the problem.

Most people are not actually reading his PM—just panicking, and jumping to conclusions without even reading.  I admit that I myself misread it the first time; please see the edit to my prior post on this thread.

but his trust currently shows the following message which might mean he is no longer in control of his account: This user's email address was changed recently

I noticed that, too; but it does not mean much, unless it matches other evidence.  Perhaps the user may be experimenting with his own account security; compare what my prior post said about disabling e-mail addresses.  Or maybe he got a new e-mail address.
legendary
Activity: 2800
Merit: 2736
Farewell LEO: o_e_l_e_o
July 07, 2022, 05:03:38 AM
#21
Check the username. Does it remind you the user alia? A girl back in 2017 - 2018. She was having everyone's attention. Then caught on planning for scam before resting in peace. Someone is having fun.

You are not the only one. Just "Report to Admin" the PM and they will take care of this.
I do not see she is ban yet.
legendary
Activity: 2534
Merit: 1713
Top Crypto Casino
July 07, 2022, 04:55:44 AM
#20
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.
I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.
I did not receive the PM. Ah well.....

Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.

This is good advice, in my opinion:

The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all.
I maybe have less pessimistic view than yours when it comes to human nature in general but I am highly sceptical when to comes to the conduct of many users in this forum therefore I can understand your views and even relate to them.

On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well but his trust currently shows the following message which might mean he is no longer in control of his account: This user's email address was changed recently
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 04:26:21 AM
#19
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.
Yeah, I haven't ruled out that. However, the things that stand out to me is the comment about letting them know how you've secured your account, and the fact they claimed to have frozen accounts. The latter being a outright lie. That's not exactly good, if you're looking to do some white hat work.

Agreed.  [Edit:  I reread the PM quoted in OP.  He does not claim to have frozen accounts.  He seems to have some trick to bypass the CAPTCHA while probing accounts.  He only says that he will report DT accounts with “secret questions” to the administration; that sounds reasonable to me, in itself.]
[...snip good advice...]

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!



Although, that might have been a way of trying to convince the user. I'm not going to get my pitchfork out, but I do believe users should be cautious dealing with this user in further message exchanges. Not that I distrust them entirely, but at the very least advise caution.

On a side note, I don't like that anyone can find out if a user has a security question or not. I'm not a fan of security questions in the first place, but probing like that just opens up those accounts for further attack. I kind of wish that the security question field popped up regardless of if a user has set one or not. If someone tries to guess the security question of one of these users, it simply just gives a non match, rather than indicating they don't have one set up.

On a side note, I don’t like that the forum doesn’t let you remove your e-mail address, and/or otherwise totally disable password reset by e-mail.  (Yes, you can set a fake e-mail address; but then, you need to be careful to make sure it can never be valid.  And that does not itself totally disable password reset by e-mail.)  I’m not the only one.  Lauda complained to me about that.

On a side note, I don’t like that the forum doesn’t let you disable password authentication, and log in by signing a challenge with your PGP key...  OK, I will stop right here. Smiley


Looks like @newalias is online today, so i expect he'll respond to this thread soon either because he check Meta board or found out he has 2 new feedback and check reference link.

For the record, I reached out to him by PM as I said I would.  With a link to my post on this thread.  Kind of sticking my neck out, doing that.  Eh.  Anyway, he should be well on notice about this thread.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
July 07, 2022, 04:20:19 AM
#18
Looks like @newalias is online today, so i expect he'll respond to this thread soon either because he check Meta board or found out he has 2 new feedback and check reference link.


Duh.  Why does theymos even allow this?

It's part of SFM 1.x feature[1], so IMO it's either theymos don't bother remove it or it can't be removed without lots of work.

[1] https://wiki.simplemachines.org/smf/Logging_In
staff
Activity: 1316
Merit: 1610
The Naija & BSFL Sherrif 📛
July 07, 2022, 04:14:43 AM
#17
I got mine as well, and I was about to tag his a$$ out when I realized he had already been tagged by OP, so I saved my time for something more important. Trying to con the most knowledgeable members of the forum appears stupid to me. Some con artists are dumps.


I suppose he came to a halt the moment he was exposed. You guys are lucky  Grin

No PM for me, I feel left out Sad Maybe that's because trying to restore my account through security questions shows:

I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.

I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing. 
staff
Activity: 3304
Merit: 4115
July 07, 2022, 03:58:10 AM
#16
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.
Yeah, I haven't ruled out that. However, the things that stand out to me is the comment about letting them know how you've secured your account, and the fact they claimed to have frozen accounts. The latter being a outright lie. That's not exactly good, if you're looking to do some white hat work.

Although, that might have been a way of trying to convince the user. I'm not going to get my pitchfork out, but I do believe users should be cautious dealing with this user in further message exchanges. Not that I distrust them entirely, but at the very least advise caution.

On a side note, I don't like that anyone can find out if a user has a security question or not. I'm not a fan of security questions in the first place, but probing like that just opens up those accounts for further attack. I kind of wish that the security question field popped up regardless of if a user has set one or not. If someone tries to guess the security question of one of these users, it simply just gives a non match, rather than indicating they don't have one set up.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
July 07, 2022, 03:48:42 AM
#15
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.

This is good advice, in my opinion:

The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all.

The forum officially agrees with newalias about that, and with me.  Read the warning that the forum gives you, when you set up the ridiculously stupid insecurity misfeature of a so-called “secret question”:


Duh.  Why does theymos even allow this?

I spot-checked this user’s post history.  At a glance, it looks normal to me.  I also noticed that he just received a red tag from someone in DT (fortunately outside my trust network; my trust network is infinitely superior to DT).

Now, this could be a bizarre beginning for a social engineering attack.  And the PM also seems to indicate that newalias is probing something, somehow.

I will reach out to him, and politely ask just what he is trying to do.  Meanwhile, I will add a neutral tag linking to this post—to be updated or removed, if or as appropriate.  I request that someone in DT should do likewise.

Maybe, just maybe, this could simply be a very clumsy attempt at whitehat protection of the forum, from someone who needs to see the late Dan Kaminsky’s White Hat Hacker Flowchart:

staff
Activity: 3304
Merit: 4115
July 07, 2022, 03:06:50 AM
#14
Likely, by asking you to get back to them how you secured your account after removing it, is likely a way to get more information. They've already claimed that they've frozen accounts, which isn't really possible, unless they had some kind of database access, which would mean they'd be able to remove the security questions themselves if they really wanted too.

In other words, this user isn't to be trusted, and no reply is warranted. If they have information about security, they can contact theymos. Other than that, them finding out who has a security question, and who doesn't is fairly simple as LoyceV alluded to above.

I suspect, a further attack would've been launched if you replied to them. Smells of social engineering, where they attempt to gain your trust by offering you some semi valid advice, and then looking to exploit that further down the line. 
legendary
Activity: 3500
Merit: 6981
Top Crypto Casino
July 07, 2022, 02:42:52 AM
#13
so it's probably just an unsolicited piece of advice.
I don't know if we read the same PM, because it totally looks like some kind of phishing attempt to me--and a bad one at that, despite all the technical garbledegoo.

I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing.  And not that it matters, but I recently got a PM from some guy who wanted to pay me for a review of some app.  The devil was on my shoulder and I wanted to string him along for a bit, but I lost motivation after his second reply.  I'm wondering if other DT members got that same PM, because I'm pretty sure I wasn't singled out for that one.
copper member
Activity: 2940
Merit: 1280
https://linktr.ee/crwthopia
July 07, 2022, 02:34:34 AM
#12
Do you think that newalias tried to check every DT member who has security questions? Then PM-ed them accordingly? I don't have a security question for this so that's probably why I didn't receive a PM.

Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.
Members after that time when it was leaked are safe? Is that correct?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
July 07, 2022, 02:11:21 AM
#11
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.


I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.

Quote
If I'm not mistaken, having a security question hasn't been important for a long time, or does it still matter?

Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 07, 2022, 01:45:28 AM
#10
There's a recommendation that security questions are quite weak for keeping accounts safe
I usually enter random gibberish to those questions (but keep the random data, just in case). Dumb questions like the name of your first pet make social engineering very easy. SMS account recovery is also a big security risk.
I disable all of this whenever I can, including Bitcointalk. I'm not sure what newalias' angle is here, he seems to know that security questions can only lock an account, so it's in no way a security risk for DefaultTrust.

No PM for me, I feel left out Sad Maybe that's because trying to restore my account through security questions shows:
Code:
Sorry, there is no secret question set for this member.
legendary
Activity: 2072
Merit: 4265
✿♥‿♥✿
July 07, 2022, 01:31:39 AM
#9
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.

If I'm not mistaken, having a security question hasn't been important for a long time, or does it still matter?
sr. member
Activity: 2282
Merit: 470
Telegram: @jperryC
July 07, 2022, 01:26:05 AM
#8
Received the same thing from this user, not quite sure what's the goal of this guy. Trying a petty attempt to disable the user's security question so probably he could get easy link to change the password of the account? I think he sends all the DT user a personal message.

legendary
Activity: 1428
Merit: 1166
🤩Finally Married🤩
July 07, 2022, 01:05:08 AM
#7
I am an inactive user here,...
First I thought this user was the one who hacked my google account just recently (already changed my password few days ago) so I checked the email regarding this...
So it seems it wasn't just me.



So I did check the pm out and the security question is disabled. So I am not sure why this person sent me the pm.

It implies he knows that I have a security question setup. Like I said my security question was in a disabled status.


@efs I reported it to admin.


note no password change has been made by me  and my btc address is this:


https://www.blockchain.com/btc/address/1JdC6Xg3ajT3rge3FgPNSYYFpmf53Vbtje


someone please quote this.

I have it quoted somewhere else but just in case.

legendary
Activity: 4256
Merit: 8551
'The right to privacy matters'
July 06, 2022, 11:31:01 PM
#6
There's a recommendation that security questions are quite weak for keeping accounts safe (it's why most places have multiple and why a lot got replaced with multifactor authentication).

I had a brief skim through the seclog and haven't found much over the past week of many resets actually being done so it's probably just an unsolicited piece of advice.


Okay I had disabled the question a while back. but I guess it was showing as active to admin as this account had red type saying to delete it.

my alt had nothing.

as I said password was not altered.  I will keep an eye out for issues with this account.

and

a1 Hashrate LLC2022

 https://bitcointalksearch.org/user/a1-hashrate-llc2022-3482040


  Summary - a1 Hashrate LLC2022   Picture/Text
Name:   a1 Hashrate LLC2022
Posts:   82
Activity:   42
Merit:   60
Position:   Jr. Member
Date Registered:   June 05, 2022, 04:38:14 PM
Last Active:   Today at 04:31:21 AM


is my current alt.


Please note I always have an active alt to protect the main account.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
July 06, 2022, 11:26:13 PM
#5
There's a recommendation that security questions are quite weak for keeping accounts safe (it's why most places have multiple and why a lot got replaced with multifactor authentication).

I had a brief skim through the seclog and haven't found much over the past week of many resets actually being done so it's probably just an unsolicited piece of advice.
legendary
Activity: 4256
Merit: 8551
'The right to privacy matters'
July 06, 2022, 11:22:35 PM
#4
So I did check the pm out and the security question is disabled. So I am not sure why this person sent me the pm.

It implies he knows that I have a security question setup. Like I said my security question was in a disabled status.


@efs I reported it to admin.


note no password change has been made by me  and my btc address is this:


https://www.blockchain.com/btc/address/1JdC6Xg3ajT3rge3FgPNSYYFpmf53Vbtje


someone please quote this.

I have it quoted somewhere else but just in case.
EFS
staff
Activity: 3822
Merit: 2123
Crypto Swap Exchange
July 06, 2022, 11:20:45 PM
#3
You are not the only one. Just "Report to Admin" the PM and they will take care of this.
member
Activity: 112
Merit: 83
July 06, 2022, 11:13:50 PM
#2
quoted with my alt. edit quote is below:

here it is anyone else get this?

Hi there,

you are member of DefaultTrust. Therefore, the security of your account is crucial.

However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!
legendary
Activity: 4256
Merit: 8551
'The right to privacy matters'
July 06, 2022, 11:12:16 PM
#1
here it is anyone else get this?

Hi there,

you are member of DefaultTrust. Therefore, the security of your account is crucial.

However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!

I will quote this with my alt as I am concerned this is a hack attempt .
Jump to: