
Topic: When will the account recovery problem be solved? (Read 486 times)

global moderator
Activity: 3990
Merit: 2717
I would like to see if someone can make a list of all the most blatant cases of a person whose account obviously belongs to the user demanding it to be recovered but they have been waiting for a long time to no end.

Someone already compiled a list of accounts, though I don't think it's even half complete: https://bitcointalksearch.org/topic/list-of-accounts-that-need-to-be-recovered-17-accounts-4190622
legendary
Activity: 1372
Merit: 1252
Another case of insanity: 9 months of wait for a hero account and counting:

https://bitcointalksearch.org/topic/almost-1-year-hero-account-locked-please-unlock-i-have-many-proofs-2851296

I would like to see if someone can make a list of all the most blatant cases of a person whose account obviously belongs to the user demanding it to be recovered but they have been waiting for a long time to no end. I wonder who currently holds the forum record of waiting. Looks like some people are definitely about to cross the 1 year mark... c'mon guys.

edit: actually that guy says he cannot sign a message, but anyway, there are many other cases, for instance:

https://bitcointalk.org/index.php?topic=2251399.40

That's x4 signature proof. Yet it's been a wait since November 2017. We have a big queue of cases like that, which would take 2 seconds to fix. The longer a solution is delayed the bigger the queue is becoming. At some point it will be nonviable even after hiring more staff for the task. We need to empty the queue soon.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
If the message verifies successfully, you are redirected to a "set a new password" page
That creates another angle of attack: people lose (or even sell) private keys, which would give someone access to their account.

But if someone sells his own private key, or loses it, this is entirely his fault.

This is different from a hacked account, which is a lot more unsafe.
As a private key can be stored 100% offline.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
If the message verifies successfully, you are redirected to a "set a new password" page
That creates another angle of attack: people lose (or even sell) private keys, which would give someone access to their account.
copper member
Activity: 630
Merit: 420
We are Bitcoin!
I think this could be easily solved using a form on a login page.
You just click on "my account was hacked"

Then you enter your username, your registered address  and the page tells you to write today's date and sign the message.

This could be easily checked, maybe even automatically if someone uses a script like brainwallet's website.

If the message verifies successfully, you are redirected to a "set a new password" page
Bottom line is: Automation.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
I think this could be easily solved using a form on a login page.
You just click on "my account was hacked"

Then you enter your username, your registered address  and the page tells you to write today's date and sign the message.

This could be easily checked, maybe even automatically if someone uses a script like brainwallet's website.

If the message verifies successfully, you are redirected to a "set a new password" page
legendary
Activity: 2968
Merit: 3061
The only way it is going to be solved is if theymos or cyrus start actively restoring them, or somebody else is promoted to Admin or given access to restore accounts. The issue is purely manpower based. Theymos and Cyrus probably don't have time so they're just not getting looked into. Even cases that are almost certainly cut and dried are just getting added to the pile which grows bigger every day.
 
Now both theymos and cyrus just keep getting the same PMs over and over again. That's a waste of their time too.

I've volunteered in the past to help with this issue but didn't get a reply. Nothing else I can do on my end.

I guess this is where the conspiracy theories come from, said conspiracies being that theymos and cyrus take control of some accounts in order to sell them or something along the lines.

If theymos wanted to make more money there are numerous legitimate ways that he could monetise this forum better, but as usual people like to invent conspiracies up because they're always more sexy and exciting. I've personally suggested a few ways to theymos like adding more donator ranks and more advertising slots like at the top of certain sub boards (I think people would pay premium for ones above Bitcoin Discussion and Gambling etc). The current advertising slots are barely noticeable especially when they're drowned out with signatures (and some people have even mistaken them for a signature advertisement before). If theymos wanted more money for himself he could also just pay himself a huge wage but as far as mod payments go even a very active patroller gets more than him currently so it's probably not about money. A while back I did even suggest he pay himself an appropriate wage and do admin duties here full time because one is still badly needed and if there's nobody else he trusts fully then that's probably the only way.

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.


Any other active staff member could do this as well. I don't think Cyrus' account has full admin-access like theymos' (or root access or whatever).

At the same time, the fact that they are bitcoin whales also make it understandable that they wouldn't spend too much time managing the forum

I've spent almost 300 days online in this forum.  I don't make any money...  Some people do things because they like to do them.

I wouldn't be against a user like you doing it but there are also numerous staff members who could as well. I think you'd get pretty burned out by it quite quickly though if you were doing it purely voluntarily. You would get spammed to death by people and the amounts of accounts that need restoring is probably at least a part-time job right now (and we probably need at least one full time admin anyway to handle all the other issues). If you're happy to spend half of your time on here restoring accounts for fun though, then go for it :D

Unfortunate events can happen to everyone. Even satoshi lost his gmx account and said account got eventually hacked and exploited. It can happen to anyone. Keeping email accounts and forum passes online it's not the same as keeping your private keys offline (which never touch the internet). As soon as something touches the internet there is a % of disaster out of your reach, like a security breach on the email provider's side and so on.

Exactly, there's always a weak point and anyone could be targetted or slip up at some point. Let's not forget that one of the main reasons why people are losing their accounts in the first place is that the forum was hacked and password hashes were leaked. Is this theymos' fault? No, it was the hosting's as they were cleverly exploited, but it shows you that there's always some way that you can get hacked.

Personally, I don't really care who does it as long as they're trusted, but if theymos and cyrus aren't actively going to be doing account restorations then someone else really needs to.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I guess this is where the conspiracy theories come from, said conspiracies being that theymos and cyrus take control of some accounts in order to sell them or something along the lines.
Theymos answered this:
Quote
No, we never sell accounts.
~
if I wanted to sell highly-ranked accounts, I would just create accounts with Ultra-Legendary status, 1 million merit, +9999 trust, etc. and sell those.
newbie
Activity: 2
Merit: 0
This is a serious problem and it should be solved in hours instead of months. It can be frustrating for a member to wait for so long.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
At the same time, the fact that they are bitcoin whales also make it understandable that they wouldn't spend too much time managing the forum

I've spent almost 300 days online in this forum.  I don't make any money...  Some people do things because they like to do them.
KWH
legendary
Activity: 1904
Merit: 1045
In Collateral I Trust.
I don't think it's a conspiracy, more like little time for something that takes a lot of time to verify.
legendary
Activity: 1372
Merit: 1252
Now both theymos and cyrus just keep getting the same PMs over and over again. That's a waste of their time too.

I've volunteered in the past to help with this issue but didn't get a reply. Nothing else I can do on my end.

I guess this is where the conspiracy theories come from, said conspiracies being that theymos and cyrus take control of some accounts in order to sell them or something along the lines. I think that is nonsense considering theymos is loaded with bitcoins from being an early miner so he is set for life, cyrus is probably in good standing too.

At the same time, the fact that they are bitcoin whales also make it understandable that they wouldn't spend too much time managing the forum, but this isn't a justification to leave people in a desperate endless wait, ignoring signed bitcoin addresses as definitive proof (if that proof is going to be ignored, then what's the point? that is what bitcoin is about, verifying, and verifying takes just a minute, something that Staff could be doing speeding up the process and cleaning up the meta section as all the lost password threads get solved. As people get desperate they bump their own threads, so the queue keeps growing and everyone is self bumping these growing threads, eventually the entire meta section will be people wanting to get their passes recovered.
KWH
legendary
Activity: 1904
Merit: 1045
In Collateral I Trust.
I've volunteered in the past to help with this issue but didn't get a reply. Nothing else I can do on my end.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Does it scare you when you think if your account gets hacked or anything happen and then you wait weeks after weeks or months after months without any result to get your account back?
Yes, it does :(

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.
Hilariousandco often responds in those threads already, it seems to me he's capable and has the time to do it, but has no access to restore accounts.

A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.
I tried that 2 months ago, but locked the thread after reading this:
You'll be wasting your time and theirs. I was doing this when people have fully verified their accounts sufficiently and the number of responses I've had from them both is zero and as far as I'm aware they're all still awaiting their accounts to be restored.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.
Now both theymos and cyrus just keep getting the same PMs over and over again. That's a waste of their time too.
donator
Activity: 4760
Merit: 4323
While you see an account recovery problem, I’m sure the forum’s administration sees it as a user securing their login problem.
legendary
Activity: 1372
Merit: 1252
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.  

Unfortunate events can happen to everyone. Even satoshi lost his gmx account and said account got eventually hacked and exploited. It can happen to anyone. Keeping email accounts and forum passes online it's not the same as keeping your private keys offline (which never touch the internet). As soon as something touches the internet there is a % of disaster out of your reach, like a security breach on the email provider's side and so on.


I agree. Everyone can be hacked. Maybe not everyone, but most people. Not everyone here is a cyber security expert; there is a lot of diversification here in this forum.

People have different lifestyles. Some people use multiple devices (if someone travels a lot), or they can trust some third party password manager that got hacked... There are many things out of our control, and one security solution that works for one person may not work for another as they have different habits.

It's not even a matter of being a cyber security expert. It's only a matter of time and everyone will get their password stolen or somehow compromised, it's going to happen to everyone because of reasons out of your control.

Again, one just can't "cold storage passwords". Passwords are exposed online daily, by necessity, this is a huge attack vector, that can come from the forum, from the email provider, and so on. This is why Bitcoin is genius, the cold storaged private keys don't suffer from that. Which is why also account recovery, when presented with signed private addresses, should have high priority and the recovery should be fast, not take months, sometimes not even happening.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.  

Unfortunate events can happen to everyone. Even satoshi lost his gmx account and said account got eventually hacked and exploited. It can happen to anyone. Keeping email accounts and forum passes online it's not the same as keeping your private keys offline (which never touch the internet). As soon as something touches the internet there is a % of disaster out of your reach, like a security breach on the email provider's side and so on.


I agree. Everyone can be hacked. Maybe not everyone, but most people. Not everyone here is a cyber security expert; there is a lot of diversification here in this forum.

People have different lifestyles. Some people use multiple devices (if someone travels a lot), or they can trust some third party password manager that got hacked... There are many things out of our control, and one security solution that works for one person may not work for another as they have different habits.
legendary
Activity: 1372
Merit: 1252
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.  

Unfortunate events can happen to everyone. Even satoshi lost his gmx account and said account got eventually hacked and exploited. It can happen to anyone. Keeping email accounts and forum passes online it's not the same as keeping your private keys offline (which never touch the internet). As soon as something touches the internet there is a % of disaster out of your reach, like a security breach on the email provider's side and so on.

I guess theymos is paranoid to allow other people to do this job, otherwise I don't understand why he doesn't hire more people. Until then we will have ridiculous amounts of threads with an endless queue of people wanting to get their account back.

I could do it too, it would take me literally 1 minute to verify signatures and a quick look at posting history.
legendary
Activity: 1168
Merit: 1049
I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.  

I still don't think that it justifies putting them on standby indefinitely. Everyone makes mistakes, and those people got hacked because of them. We're not a perfect society and forcing people out of their accounts on this forum because of their blunders in the past is way harsher than it needs to be.

IMO hiring a staff won't solve the problem since I'm sure there are too many cases to be handled by 1 person.

Surely once we get past the backlog of hacked accounts, the influx of them can't exceed, say, 20 or 30 a day (which is quite an overestimation just to emphasize my point). That number would comfortably be checked and restored within an hour. An hour of work per day can, again, comfortably be put onto one semi-dedicated person. All we need is some extra work in the beginning and this issue wouldn't even be an issue.
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault. 
copper member
Activity: 630
Merit: 420
We are Bitcoin!
Yes, this is why I made the thread, it could happen to any of us, and it would leave us out of the forum for months, maybe years, making a huge gap of inactivity which you would need to explain every time you want to do business with someone, and there's a risk they will just not believe it.

From this fear, I proposed some solutions long ago and I have seen a lot of others did have different ideas but seems like we need to wait more to see any changes. I assume theymos has other priorities than looking at this issue.

[Proposal: prevent account hack] A complete new login system for BitcoinTalk <== https://bitcointalksearch.org/topic/proposal-prevent-account-hack-a-complete-new-login-system-for-bitcointalk-3371718


I just hope for the best.


update:
IMO hiring a staff won't solve the problem since I'm sure there are too many cases to be handled by 1 person.

There should be automatic account restore with a bitcoin address, which was already mentioned in these threads: System to prove account ownership and recovery automatically - Demo included & [Proposal: prevent account hack] A complete new login system for BitcoinTalk
One staff only need to prove recovery request or/and investigate whether the private key was stolen if needed when the account was hacked.
Oh thanks ETFbitcoin for bringing the topic before me.
legendary
Activity: 1372
Merit: 1252
We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.
Does it scare you when you think if your account gets hacked or anything happen and then you wait weeks after weeks or months after months without any result to get your account back?

It does scare me a lot, because I am addicted to this forum.

Yes, this is why I made the thread, it could happen to any of us, and it would leave us out of the forum for months, maybe years, making a huge gap of inactivity which you would need to explain every time you want to do business with someone, and there's a risk they will just not believe it.

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Yeah, this is very important as they are legit users. Most of them with quoted signed messages... I see some of them are having their account back, but it takes too long.

I think people look at those post where people ask for help and most users may think that they have nothing to do with it.

But we all could have our accounts hacked... This is a problem that concerns every legit user.

Maybe this process of address signature verification could be made faster.

I concur with the other opinions in this thread, although I doubt it's merely a problem of the speed or effort of the signature verification process. Personally, I think the complete workflow might be long overdue for a complete overhaul.
I've got some experience writing scripts using the json-rpc interface of a bitcoin node; I think it should be fairly simple to automate the complete process up to the point where a human just needs to look at the end result of a request and click a button to either confirm or deny a password reset/account unlock.

Basically, if one would write a simple form where a random string is shown and where a user can enter the post where he/she staked his address, the address itself, the reset email address and the signature he made using the staked address signing the random string. The script could then just use the json-rpc query of a locked node to verify the message and save this data into a simple relational database. An admin could have an admin interface with an outlook of this database showing the quoted post and the result of the signature, maybe combined with some account info fetched from the db (like login times, IPs, password changes,...). When this info is given in a simple way, the admin should be able to either confirm or deny the password request with the click of a button.
I haven't looked at SMF's data model, but I can only imagine that resetting a password is just a matter of generating a random string, hashing it, updating the user's entry in the users info table and creating an email to send the unhashed password to the entered email.

Indeed, the verification process could be sped up with some automation, but still, it will need human review, this takes time and I doubt Cyrus and theymos will spend the required time to speed up the process, to benefit from said database we still need someone reviewing it, we would need more Staff looking at each individual cases anyway. Automating the verification of the message would help a lot tho.
legendary
Activity: 3584
Merit: 5243
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Yeah, this is very important as they are legit users. Most of them with quoted signed messages... I see some of them are having their account back, but it takes too long.

I think people look at those post where people ask for help and most users may think that they have nothing to do with it.

But we all could have our accounts hacked... This is a problem that concerns every legit user.

Maybe this process of address signature verification could be made faster.

I concur with the other opinions in this thread, although I doubt it's merely a problem of the speed or effort of the signature verification process. Personally, I think the complete workflow might be long overdue for a complete overhaul.
I've got some experience writing scripts using the json-rpc interface of a bitcoin node; I think it should be fairly simple to automate the complete process up to the point where a human just needs to look at the end result of a request and click a button to either confirm or deny a password reset/account unlock.

Basically, if one would write a simple form where a random string is shown and where a user can enter the post where he/she staked his address, the address itself, the reset email address and the signature he made using the staked address signing the random string. The script could then just use the json-rpc query of a locked node to verify the message and save this data into a simple relational database.

An admin would have an admin interface with a view of this database showing the quoted post + post history (was this post edited or not) and the result of the signature, maybe combined with some account info fetched from the db (like login times, IPs, password changes,...). When this info is given in a simple way, the admin should be able to either confirm or deny the password request with the click of a button.
I haven't looked at SMF's data model, but I can only imagine that resetting a password is just a matter of generating a random string, hashing it, updating the user's entry in the users info table and creating an email to send the unhashed password to the entered email (together with instructions for a password reset).
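
The workflow proposed in the post above, sketched as an added example (it is not code from the thread or from the forum software): a random, single-use challenge is signed with the staked address, checked through Bitcoin Core's `verifymessage` RPC, and queued for a human to confirm or deny. `RecoveryQueue`, the table layout, `CHALLENGE_TTL` and the RPC URL and credentials are assumptions made for illustration.

```python
import base64, json, secrets, sqlite3, time, urllib.request

CHALLENGE_TTL = 15 * 60  # assumed lifetime of a challenge, in seconds


def rpc_verifymessage(address, signature, message, url="http://127.0.0.1:8332",
                      user="rpcuser", password="rpcpass"):
    """Call Bitcoin Core's verifymessage RPC; URL and credentials are placeholders."""
    body = json.dumps({"jsonrpc": "1.0", "id": "recovery", "method": "verifymessage",
                       "params": [address, signature, message]}).encode()
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/json", "Authorization": "Basic " + auth})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["result"] is True


class RecoveryQueue:
    """Hypothetical recovery backend: challenge, verify, then queue for a human."""

    def __init__(self, verify=rpc_verifymessage, now=time.time):
        self.verify, self.now = verify, now
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE staked(username TEXT PRIMARY KEY, address TEXT, post_url TEXT);
            CREATE TABLE challenge(message TEXT PRIMARY KEY, username TEXT,
                                   expires REAL, used INTEGER DEFAULT 0);
            CREATE TABLE request(id INTEGER PRIMARY KEY, username TEXT, address TEXT,
                                 post_url TEXT, email TEXT, sig_ok INTEGER,
                                 status TEXT DEFAULT 'pending');""")

    def stake(self, username, address, post_url):
        self.db.execute("INSERT OR REPLACE INTO staked VALUES (?,?,?)",
                        (username, address, post_url))

    def issue_challenge(self, username):
        # Random, per-user, short-lived text: an old signed message cannot be replayed.
        message = f"forum account recovery for {username}: {secrets.token_hex(16)}"
        self.db.execute("INSERT INTO challenge(message, username, expires) VALUES (?,?,?)",
                        (message, username, self.now() + CHALLENGE_TTL))
        return message

    def submit(self, username, message, address, email, signature):
        # Consume the challenge atomically: unknown, expired or reused ones fail here.
        cur = self.db.execute(
            "UPDATE challenge SET used=1 WHERE message=? AND username=? AND used=0 "
            "AND expires>=?", (message, username, self.now()))
        if cur.rowcount != 1:
            return None
        row = self.db.execute("SELECT address, post_url FROM staked WHERE username=?",
                              (username,)).fetchone()
        if row is None or row[0] != address:
            return None  # only the address staked before the lockout counts
        try:
            sig_ok = bool(self.verify(address, signature, message))
        except Exception:
            sig_ok = False  # node unreachable or RPC error: fail closed
        cur = self.db.execute(
            "INSERT INTO request(username, address, post_url, email, sig_ok) "
            "VALUES (?,?,?,?,?)", (username, address, row[1], email, int(sig_ok)))
        return cur.lastrowid

    def pending(self):
        return self.db.execute("SELECT id, username, post_url, email, sig_ok "
                               "FROM request WHERE status='pending'").fetchall()

    def review(self, request_id, approve):
        # The human decides, but a failed signature can never be approved.
        row = self.db.execute("SELECT sig_ok FROM request WHERE id=? AND status='pending'",
                              (request_id,)).fetchone()
        if row is None:
            return None
        status = "approved" if approve and row[0] else "denied"
        self.db.execute("UPDATE request SET status=? WHERE id=?", (status, request_id))
        return status


if __name__ == "__main__":
    # Constructed demo: a stub stands in for the node so this runs offline.
    addr = "1ConstructedStakedAddress"  # constructed placeholder, not a real address
    q = RecoveryQueue(verify=lambda a, s, m: s == "SIGNED:" + m)
    q.stake("alice", addr, "https://forum.example/post/1")
    msg = q.issue_challenge("alice")
    rid = q.submit("alice", msg, addr, "a@example.org", "SIGNED:" + msg)
    print(q.pending(), q.review(rid, True))
    print(q.submit("alice", msg, addr, "a@example.org", "SIGNED:" + msg))  # replay: None
```

Keeping the final approve/deny step with a person addresses the concern raised earlier in the thread that a private key may have been lost or sold, which a signature check alone cannot detect.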
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Yeah, this is very important as they are legit users. Most of them with quoted signed messages... I see some of them are having their account back, but it takes too long.

I think people look at those post where people ask for help and most users may think that they have nothing to do with it.

But we all could have our accounts hacked... This is a problem that concerns every legit user.

Maybe this process of address signature verification could be made faster.
copper member
Activity: 630
Merit: 420
We are Bitcoin!
We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.
Does it scare you when you think if your account gets hacked or anything happen and then you wait weeks after weeks or months after months without any result to get your account back?

It does scare me a lot, because I am addicted to this forum.
legendary
Activity: 1372
Merit: 1252
It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.