
Topic: Why is this system not set up for the Bitcointalk forum? (Read 601 times)

sr. member
Activity: 350
Merit: 343
Jolly? I think I've heard that name before. hmm
- Why is email confirmation not requested during account registration? I have checked that it is possible to open a forum account with an email address that does not exist or has not yet been created.
- Email OTP is not asked during password change. But why is the OTP of the current email not asked even when changing the account email address?

Because if there is an email about confirming the OTP code, the hacker will know that the email was used to register for bitcointalk. It's possible to delete OTP confirmation emails, but most people forget to do that. Without an OTP code, no one knows if the email was used to register with bitcointalk. You don't need to worry if your email is hacked, there is no proof that your email has a connection to bitcointalk.
legendary
Activity: 1134
Merit: 1598
I think it’s important to leave the settings to the user’s preferred level of privacy and security. There’s good and bad in this, but overall I think the good sides lead.

  • I can create an account using a disposable e-mail address.
  • I can own and use my account from anywhere without having to use or have mandatory 2FA.
  • I can use the typical login page or I can remember and write down the ccode page and use that one to avoid Google’s captchas
  • I don’t need a phone to use the forum. Some countries still have a very negative view on Bitcoin and try to oppress its use and users. How do you enter Bitcointalk then if you’re scared the government might find out?
  • Since you can use disposable e-mail addresses to create a Bitcointalk account (I think you can even create one by introducing a fake address in there) and you can enter even using Tor, should you want to be private you’re given that choice.

And more.

The fewer third parties you use, the better if you want privacy. If you don’t care, of course you can use your primary e-mail and even set your phone number as the answer to the secret questions too. But the important word here is choice. You get to choose if you want an IP retention limit and nothing’s mandatory, unlike other websites.

If I wanted to have privacy on about any website, I’d have to think how to create an anonymous e-mail address (you can’t even have a disposable one because you’ll need to confirm e-mail address every login), how to get a disposable phone number to register and eventually how to access the website without having my IP registered on there. It’s tough and it only shows how much theymos cares.

I guess now I should argue why it’s the good leading in theymos’s choice of running the forum like this: we’ve all noticed that introducing limits and mandatory settings typically leads to only more restrictions and mandatory settings. By leaving it to our choice, this is avoided. We’re fortunately on a website where user’s opinion and word counts and isn’t rejected and kicked out because the other users have other ideologies and politics. Although it’s Bitcointalk, there have been users before who hate Bitcoin and publicly showed this, but they never got kicked out by the administration. This freedom can only work as long as the mind leading this forum is okay with giving users their freedom of speech and choice.
hero member
Activity: 1778
Merit: 709
[Nope]No hype delivers more than hope
-snip-
I was against the use of Google CAPTCHA for logging in as it is a privacy issue.  

Afaik, this forum does not use google to take advantage of its commercial side, such as ad space.
After all, crypto-related sites are almost entirely using google analytics tools, so I honestly have no idea how to avoid them all even if captcha verification is removed on this forum only.
sr. member
Activity: 756
Merit: 390

- Why is email confirmation not requested during account registration? I have checked that it is possible to open a forum account with an email address that does not exist or has not yet been created.
- Email OTP is not asked during password change. But why the OTP of the current email is not asked even when changing the account email address?
- There is a Secret Question facility, which works as a second password, but anyone can remove it after logging in to the account without giving any answer or verifying any OTP.
- Where all platforms have 2FA option for their users, why this forum has not put this option in the user account for security reasons.

The primary focus of the forum is to be private and anonymous. All those mentioned by you are good suggestion! There is only one problem, in one way or another they compromise the privacy and anonymity aspect of an user. I was against the use of Google CAPTCHA for logging in as it is a privacy issue.  The responsibility to keep the account secure should be owned by the user and not the forum. As you said it is not that easy to rank up in the forum. If a user knows it then why not take the same responsibility of keeping the account secure. That is what we have been preaching from the day someone buys Bitcoin. Therefore the same principle applies here too.
sr. member
Activity: 686
Merit: 301
Hire Bitcointalk Camp. Manager @ r7promotions.com
Forum accounts are regularly hacked and there are many stories of forum accounts being bought and sold. And these accounts are mostly sold by hackers. Those who hack accounts and sell them to someone for a low price. It is not possible to build a high ranking account in one night on this forum. So I don't think a person would be interested in selling an account after achieving a high rank. Because the high rank account of this forum has a value that cannot be compared with money.

Don't you think there's more to this than just hackers hacking and selling at a low price? What if a user decides to leave the forum and sells his or her account? Can't that happen as well? Because the forum makes it simple to create a new account, a user whose account has been hacked can simply create a new one and notify the moderators that his account has been hijacked and the hacker is now using it.

If I'm not mistaken, I once saw a post from a user stating that his account had been hacked and that a new user was already in control of it and utilizing it in the forum. A compromised account, in my opinion, can easily be reported to the forum and maybe not all sold accounts are actually sold by hackers.

Quote
So why is the security of this forum not increased despite developing so much?

I'm just imagining it, but won't it make it more difficult for people to join the forum or even boost their security when changing passwords by email?
hero member
Activity: 882
Merit: 800
- Email OTP is not asked during password change. But why the OTP of the current email is not asked even when changing the account email address?

The forum is open for everyone and in as much as they are strict on their rules the forum also gives a free chance for people to access it freely, despite anything, to enable everyone to have full access to their account in order to promote the wide spread of bitcoin and its adoption. From my point of view, this was removed to enable people ease stress to get back their account, in other way round it should be something that would have required OTP at least people wouldn't have lost their account or having that chance to sell account in this forum.

Nevertheless, there are people who are old enough for them not to be sitting like you and I to operate in this forum or possibly have gained other work that occupies their attention they may decide to sell their account to other people, but looking down to it, is not something that we should encourage over the forum because those people buying it might likely use it for evil or scam. That is why any account that changes hands is likely to be tagged and if they found unusual activity or spam such account is at risk of getting penalized for their evil deed.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
2FA is in many cases not a low maintenance option. It's not a swiss knife solution if you're sloppy with other good practices for security. 2FA is often done with apps on mobile phones. People lose them or have them stolen. They forget to safely store their 2FA initial details offline. They forget or aren't able to migrate 2FA data to a new shiny mobile device. You can continue this nearly ad infinitum.
If 2FA needs to be reset, that's not too easy to do safely and with low support.

It has already been said that every user can protect its account by signing a Bitcoin message and posting it here at the appropriate places.


Some simple rules for account security (by no means a complete list):

  • use a separate email address for account registration which you don't use for everyday communication
  • use 2FA for above email address
  • use a long and complex random password, never reuse a password for multiple accounts; (this implies the use of a safe and reputed password manager; take the safety of your password vault very seriously, obviously you should have a long, strong and unguessable vault main password)
  • don't click on links that beg you for it without ever checking where it will take you
  • be careful which browser extensions you activate, especially when those extensions ask for extensive rights in your browser
  • don't let greed cloud your brain and actually use your brain wisely; it's there for a purpose
  • learn how to maintain good security while using your digital devices and surfing the internet
copper member
Activity: 588
Merit: 926
If these characteristics suddenly change, then the suspicion will naturally arise that the owner has changed, and then other users can report this to the moderators and contribute to the ban of such an account.

There is no ban for selling accounts on the forum. There's nothing moderators can do here, since selling accounts on the forum is not officially forbidden. But it's not welcomed. And it's already a matter of trust. If someone proves that a high-ranking account was sold, then those who are in DT1 and DT2 lists will leave negative marks that the account was sold and it's better not to do business with such. And such an account will be just a waste of money for the person who bought it.
hero member
Activity: 504
Merit: 816
Top Crypto Casino
You’re right, it’s not likely that someone would build an account to a high rank just to sell the account afterwards. Most sold accounts are usually accounts registered before the merit system came to place, back then it was easy to increase your rank by just posting. Account farmers took advantage of this opportunity to make some money without doing any work.

I understand how this works, but hasn't it been too long since the implementation of the merit system to not understand which accounts reached their high rank before it was implemented? I mean, now the sale and activation, for example, of a hero account that became a hero before the merit system, will be a very noticeable event, because it will be clear that this account has not earned merits during all this time. Or, if a hero account that has recent merits is for sale, this means that the account farmer had to maintain such an account in the active phase for a long time and write something worthwhile in order to earn merits. But this is too much work, is it worth the money for which such an account can be sold? Moreover, reputation is valued on the forum, and accounts that receive regular merits become quite recognizable both in terms of writing style and topics discussed. If these characteristics suddenly change, then the suspicion will naturally arise that the owner has changed, and then other users can report this to the moderators and contribute to the ban of such an account. In general, I don’t quite understand why this is still the case, if it is quite easy to understand that the account was bought?
legendary
Activity: 2450
Merit: 1047
Because the high rank account of this forum has a value that cannot be compared with money. So why is the security of this forum not increased despite developing so much?
When this forum was created it just all talks and discussions about the development of Bitcoin, they never thought that this forum will become a promotion platform for projects through Signature, it works like a regular forum, and the members are the ones benefiting from these incentives so each member should be responsible for his account


Quote
I don't understand why this is not in this forum where everyone including the admin knows these things.  And since the forum was created almost 14 years ago, why has this not been done yet?  Is there any secret behind it?

There are already parameters on how to recover your account in case, we are not paying or sharing our earnings with the administrators in fact they are using their own money to run and maintain the site's security, so maintain your account if it's your livelihood or you have projects being promoted here.
legendary
Activity: 1288
Merit: 1081
Goodnight, o_e_l_e_o 🌹

It's freedom.

Exactly my thought. Theymos has that ideology of freedom and decentralization. Even if the forum moderation is not decentralized, bitcoin is.
No one should care you submitting your emails and if possible your phone number for OTP.

Theymos does not want to deprive someone from participating in the group because they don't have an email. That is why it is even possible to use the forum and access everything even in the guest mode.

You have the responsibility of protecting your account outside the forum by being careful and inside the forum by signing a message or staking your bitcoin address.
This might not change anytime unless in the new software in anticipation.
sr. member
Activity: 672
Merit: 416
stead.builders
Forum accounts are regularly hacked and there are many stories of forum accounts being bought and sold. And these accounts are mostly sold by hackers.

There are cases of reported hacked accounts but I don't think they are on a regular basis, these are occasional experiences and that has nothing to do with the forum being responsible, because they have already set the pace to remain private and secured but we often go beyond expectations on inviting what will harm us and get us under attack.

 
Those who hack accounts and sell them to someone for a low price.

If one's account got hacked it's a different case and if the hacker now wishes to sell it to someone else then it's another serious case on itself, that selling aspect is where the forum may now come in but not when you carelessly lose control of your account for hackers

- Why is email confirmation not requested during account registration?

Because the forum preached privacy and it has to be from here where you get the best privacy that you could want to have on open platform like this.

- Email OTP is not required during password change.


No OTP is required at all in either of the process, since it is believed that you're the bearer of the account but whenever you wanted to change your email address or password is when you will discover the importance of using a correct email for registration, so if someone doesn't get hold of your email address, or bitcointalk forum login password, he may not acquire the account from you.


hero member
Activity: 1554
Merit: 880
pxzone.online
Ye, most of them make sense, but this is a very old forum which is currently working on a new forum software and probably all of the mentioned features will be available there. Unfortunately there is no exact date when it will be available to use.
legendary
Activity: 3416
Merit: 1225


- Why is email confirmation not requested during account registration? I have checked that it is possible to open a forum account with an email address that does not exist or has not yet been created.

It's uncommon for a user to register an account with an email that does not exist, the purpose of the email is for account recovery and getting updates about the platform

Quote
- Email OTP is not asked during password change. But why the OTP of the current email is not asked even when changing the account email address?
- There is a Secret Question facility, which works as a second password, but anyone can remove it after logging in to the account without giving any answer or verifying any OTP.
- Where all platforms have 2FA option for their users, why this forum has not put this option in the user account for security reasons.
This will compel us to use the strongest possible password for our account having a 2FA will not motivate us to use a strong password because we will be comfortable in thinking we have a 2FA to rely on in case there is an attempt on our account.

Quote
I don't understand why this is not in this forum where everyone including the admin knows these things.  And since the forum was created almost 14 years ago, why has this not been done yet?  Is there any secret behind it?
We already have the captcha to protect us from hackers, two things that can get your account in trouble and these are not putting the right security in your email and not using a strong password here in Bitcointalk.

If you think your account is very valuable to you then it's your initiative to put the best security in your email where hackers can get a shortcut to get access to your account, and using a strong password, I think Bitcointalk is telling us it's our business to protect our account, so the challenge is with us.
legendary
Activity: 1064
Merit: 1228
Playgram - The Telegram Casino
The security of your account is your own responsibility - of course there must be good security methods for you such as signing bitcoin messages and having an active email with a strong password. You can combine your account password with a strong one and take security measures as suggested. Account hacking can happen even if you have 2FA - so it won't be a 100% guarantee to be safe.

Then from that, the average sold account is not an account that was built after the merit system was introduced, but mostly old accounts that had high rank before the merit system was introduced.
hero member
Activity: 966
Merit: 701
Leading Crypto Sports Betting & Casino Platform
It's not that I'm supporting selling of accounts kind of business, but from my knowledge it's quite convincing that if someone should portray that he or her want to his account of bitcointalk there is every tendency that the account might belong to the person, because at sometime some people don't like to be in forum till eternity, some people will like to sell out their account to a reasonable amount of money since they feel that they are tired or fed up using forum, when some is old enough or start having a sight challenge you will not be comfortable to log in to your bitcointalk account and react to a certain suggestion or conversations again, so selling of account is a decision and also allowed but it usually be negotiated outside the community of bitcointalk.
It’s true selling of bitcointalk accounts is not against the forum rules and people are free to sell their accounts but the buyers of these accounts should bear in mind that they stand the risk of getting scammed by the supposed seller and even when they successfully buy an account, they could get a neutral tag or even in cases a negative tag. The whole account sales business is generally perceived as shady business.
hero member
Activity: 1036
Merit: 933
Find your Digital Services at- cryptolibrary.pro
Forum accounts are regularly hacked and there are many stories of forum accounts being bought and sold. And these accounts are mostly sold by hackers. Those who hack accounts and sell them to someone for a low price. It is not possible to build a high ranking account in one night on this forum. So I don't think a person would be interested in selling an account after achieving a high rank. Because the high rank account of this forum has a value that cannot be compared with money. So why is the security of this forum not increased despite developing so much?
Actually account farmers are still there, there are many places in the forum where merit earning can be done easily. In fact, it is easier for those who know and they are the ones who do account farming. But it is true that now phishing, hacking is more likely than farming.
Sometimes 2-factor authentication plays a big role in this case, and forum users can fall into phishing traps by mistake. I also think that it is not enough to blame the user here. There is an option of recovery but I think it can become a kind of hassle for the user. And since I saw in someone's post that already someone offered a script so action should be taken on this matter
This forum is very secure. I'm here since August, 2021 and my account hasn't been hacked. I'm even more sure that it will never get hacked if forum doesn't experience any data leak. People have to learn that they have to take care of their own security and that's why I like the freedom that this forum gives us. This also helps and prepares you to take care of your wallet and keep it more secure.
The question is not that whether the forum or its database is secure or not. Nowadays, Phishing is becoming very complicated, and for this reason almost all platforms now provide 2FA authentication to protect users, which largely saves users from hacking. I hope you always maintain your own security and never fall into a phishing trap

hero member
Activity: 882
Merit: 792
Watch Bitcoin Documentary - https://t.ly/v0Nim
Forum accounts are regularly hacked and there are many stories of forum accounts being bought and sold. And these accounts are mostly sold by hackers. Those who hack accounts and sell them to someone for a low price. It is not possible to build a high ranking account in one night on this forum. So I don't think a person would be interested in selling an account after achieving a high rank. Because the high rank account of this forum has a value that cannot be compared with money. So why is the security of this forum not increased despite developing so much?

- Why is email confirmation not requested during account registration? I have checked that it is possible to open a forum account with an email address that does not exist or has not yet been created.
- Email OTP is not asked during password change. But why the OTP of the current email is not asked even when changing the account email address?
- There is a Secret Question facility, which works as a second password, but anyone can remove it after logging in to the account without giving any answer or verifying any OTP.
- Where all platforms have 2FA option for their users, why this forum has not put this option in the user account for security reasons.

I don't understand why this is not in this forum where everyone including the admin knows these things.  And since the forum was created almost 14 years ago, why has this not been done yet?  Is there any secret behind it?
This forum is very secure. I'm here since August, 2021 and my account hasn't been hacked. I'm even more sure that it will never get hacked if forum doesn't experience any data leak. People have to learn that they have to take care of their own security and that's why I like the freedom that this forum gives us. This also helps and prepares you to take care of your wallet and keep it more secure.

OP, you registered in March of this year and you have all of this knowledge of forum issues/drama/etc. how....?  And since ostensibly you've only been a member here for about 3 months, why is this is a major concern for you?
Probably, one of his accounts got banned and he finds it a little bit hard to earn merits and rank up his account. Probably, that made him angry enough to open a new thread and reveal his secret.
Just kidding but I'm sure there is a 51% chance that what I wrote is true
legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
I don't understand why this is not in this forum where everyone including the admin knows these things.  And since the forum was created almost 14 years ago, why has this not been done yet?  Is there any secret behind it?
You're right with those critical issues you raised in all. Email confirmation and OTP should at least be a part of account verification process in this forum. Now that we don't have such, we should at least have a 2FA kind of security. I believe this will help reduce the numerous account hacks we often have here. Yeah, I know there's a thread one can stake one's address by signing it to facilitate quick account recovery when it's hacked but we shouldn't wait for an account to be hacked and then go through that process. It's cumbersome. Preventive measures should be better approach. I don't like the idea of "secret question" because it can be easily bridged.
hero member
Activity: 1428
Merit: 653
Leading Crypto Sports Betting & Casino Platform
When the merit system wasn't implemented we barely had information of account sale or account hack because there was no stress to increase account rank. From your points you made a good suggestion of enabling 2fa I think that would increase the security aspect of the forum by reducing that rate at which people sell account.

If 2fa is included and the account is being bridge I think all security aspect has been destroyed because there's also a secret question option provided and once account is being hacked I don't have this assurance that it would be active any longer. I believe there may be solution to this to eliminate the rate at which account sales flies over here.