Bitcoin Forum

Other => Meta => Topic started by: philipma1957 on July 07, 2022, 04:12:16 AM



Title: weird pm received
Post by: philipma1957 on July 07, 2022, 04:12:16 AM
Here it is. Anyone else get this?

Hi there,

you are member of DefaultTrust. Therefore, the security of your account is crucial.

However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!

I will quote this with my alt as I am concerned this is a hack attempt.


Title: Re: weird pm received
Post by: a1 Hashrate LLC2022 on July 07, 2022, 04:13:50 AM
Quoted with my alt. Edit: the quote is below:

Here it is. Anyone else get this?

Hi there,

you are member of DefaultTrust. Therefore, the security of your account is crucial.

However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!


Title: Re: weird pm received
Post by: EFS on July 07, 2022, 04:20:45 AM
You are not the only one. Just "Report to Admin" the PM and they will take care of this.


Title: Re: weird pm received
Post by: philipma1957 on July 07, 2022, 04:22:35 AM
So I did check the pm out and the security question is disabled. So I am not sure why this person sent me the pm.

It implies he knows that I have a security question setup. Like I said my security question was in a disabled status.


@efs I reported it to admin.


Note: no password change has been made by me, and my BTC address is this:


https://www.blockchain.com/btc/address/1JdC6Xg3ajT3rge3FgPNSYYFpmf53Vbtje


Someone please quote this.

I have it quoted somewhere else but just in case.


Title: Re: weird pm received
Post by: jackg on July 07, 2022, 04:26:13 AM
There's a recommendation that security questions are quite weak for keeping accounts safe (it's why most places have multiple and why a lot got replaced with multifactor authentication).

I had a brief skim through the seclog and haven't found much over the past week of many resets actually being done so it's probably just an unsolicited piece of advice.


Title: Re: weird pm received
Post by: philipma1957 on July 07, 2022, 04:31:01 AM
There's a recommendation that security questions are quite weak for keeping accounts safe (it's why most places have multiple and why a lot got replaced with multifactor authentication).

I had a brief skim through the seclog and haven't found much over the past week of many resets actually being done so it's probably just an unsolicited piece of advice.


Okay, I had disabled the question a while back, but I guess it was showing as active to admin, as this account had red type saying to delete it.

My alt had nothing.

As I said, the password was not altered. I will keep an eye out for issues with this account.

and

a1 Hashrate LLC2022

 https://bitcointalk.org/index.php?action=profile;u=3482040


Summary - a1 Hashrate LLC2022
Name:   a1 Hashrate LLC2022
Posts:   82
Activity:   42
Merit:   60
Position:   Jr. Member
Date Registered:   June 05, 2022, 04:38:14 PM
Last Active:   Today at 04:31:21 AM


is my current alt.


Please note I always have an active alt to protect the main account.


Title: Re: weird pm received
Post by: cabalism13 on July 07, 2022, 06:05:08 AM
I am an inactive user here,...
First I thought this user was the one who hacked my Google account just recently (already changed my password a few days ago), so I checked the email regarding this...
So it seems it wasn't just me.

https://i.ibb.co/whm0JDw/Screenshot-20220707-140030-Chrome.jpg (https://ibb.co/RTwvhLB)

So I did check the pm out and the security question is disabled. So I am not sure why this person sent me the pm.

It implies he knows that I have a security question setup. Like I said my security question was in a disabled status.


@efs I reported it to admin.


Note: no password change has been made by me, and my BTC address is this:


https://www.blockchain.com/btc/address/1JdC6Xg3ajT3rge3FgPNSYYFpmf53Vbtje


Someone please quote this.

I have it quoted somewhere else but just in case.



Title: Re: weird pm received
Post by: joeperry on July 07, 2022, 06:26:05 AM
Received the same thing from this user, not quite sure what this guy's goal is. Trying a petty attempt to disable the user's security question so probably he could get an easy link to change the password of the account? I think he sends all the DT users a personal message.



Title: Re: weird pm received
Post by: lovesmayfamilis on July 07, 2022, 06:31:39 AM
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.

If I'm not mistaken, having a security question hasn't been important for a long time, or does it still matter?


Title: Re: weird pm received
Post by: LoyceV on July 07, 2022, 06:45:28 AM
There's a recommendation that security questions are quite weak for keeping accounts safe
I usually enter random gibberish to those questions (but keep the random data, just in case). Dumb questions like the name of your first pet make social engineering very easy. SMS account recovery is also a big security risk.
I disable all of this whenever I can, including Bitcointalk. I'm not sure what newalias' angle is here, he seems to know that security questions can only lock an account, so it's in no way a security risk for DefaultTrust.

No PM for me, I feel left out :( Maybe that's because trying to restore my account through security questions shows:
Code:
Sorry, there is no secret question set for this member.


Title: Re: weird pm received
Post by: NotATether on July 07, 2022, 07:11:21 AM
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.


I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.

Quote
If I'm not mistaken, having a security question hasn't been important for a long time, or does it still matter?

Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.


Title: Re: weird pm received
Post by: crwth on July 07, 2022, 07:34:34 AM
Do you think that newalias tried to check every DT member who has security questions? Then PM-ed them accordingly? I don't have a security question for this so that's probably why I didn't receive a PM.

Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.
Members after that time when it was leaked are safe? Is that correct?


Title: Re: weird pm received
Post by: The Sceptical Chymist on July 07, 2022, 07:42:52 AM
so it's probably just an unsolicited piece of advice.
I don't know if we read the same PM, because it totally looks like some kind of phishing attempt to me--and a bad one at that, despite all the technical garbledegoo.

I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing.  And not that it matters, but I recently got a PM from some guy who wanted to pay me for a review of some app.  The devil was on my shoulder and I wanted to string him along for a bit, but I lost motivation after his second reply.  I'm wondering if other DT members got that same PM, because I'm pretty sure I wasn't singled out for that one.


Title: Re: weird pm received
Post by: Welsh on July 07, 2022, 08:06:50 AM
Likely, asking you to get back to them on how you secured your account after removing it is a way to get more information. They've already claimed that they've frozen accounts, which isn't really possible unless they had some kind of database access, which would mean they'd be able to remove the security questions themselves if they really wanted to.

In other words, this user isn't to be trusted, and no reply is warranted. If they have information about security, they can contact theymos. Other than that, them finding out who has a security question, and who doesn't is fairly simple as LoyceV alluded to above.

I suspect a further attack would've been launched if you replied to them. Smells of social engineering, where they attempt to gain your trust by offering you some semi-valid advice, and then look to exploit that further down the line.


Title: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: nullius on July 07, 2022, 08:48:42 AM
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.

This is good advice, in my opinion:

The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all.

The forum officially agrees with newalias about that, and with me.  Read the warning that the forum gives you, when you set up the ridiculously stupid insecurity misfeature of a so-called “secret question”:


Duh.  Why does theymos even allow this?

I spot-checked this user’s post history.  At a glance, it looks normal to me.  I also noticed that he just received a red tag from someone in DT (https://bitcointalk.org/index.php?action=trust;u=2705337;dt) (fortunately outside my trust network; my trust network is infinitely superior to DT).

Now, this could be a bizarre beginning for a social engineering attack.  And the PM also seems to indicate that newalias is probing something, somehow.

I will reach out to him, and politely ask just what he is trying to do.  Meanwhile, I will add a neutral tag linking to this post—to be updated or removed, if or as appropriate.  I request that someone in DT should do likewise.

Maybe, just maybe, this could simply be a very clumsy attempt at whitehat protection of the forum, from someone who needs to see the late Dan Kaminsky’s White Hat Hacker Flowchart (https://dankaminsky.com/2012/02/20/whitehat/):

https://dakami1.files.wordpress.com/2012/02/whitehat-0-3.png


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: Welsh on July 07, 2022, 08:58:10 AM
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.
Yeah, I haven't ruled that out. However, the things that stand out to me are the comment about letting them know how you've secured your account, and the fact they claimed to have frozen accounts. The latter being an outright lie. That's not exactly good, if you're looking to do some white hat work.

Although, that might have been a way of trying to convince the user. I'm not going to get my pitchfork out, but I do believe users should be cautious dealing with this user in further message exchanges. Not that I distrust them entirely, but at the very least advise caution.

On a side note, I don't like that anyone can find out if a user has a security question or not. I'm not a fan of security questions in the first place, but probing like that just opens up those accounts for further attack. I kind of wish that the security question field popped up regardless of if a user has set one or not. If someone tries to guess the security question of one of these users, it simply just gives a non match, rather than indicating they don't have one set up.
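Welsh's point above (a recovery page that answers differently for accounts with and without a secret question lets anyone probe which accounts to go after), together with LoyceV's practice upthread of putting a random high-entropy string in the answer field, as an added Python example written for this thread. It is not Bitcointalk or SMF code, and nothing here was taken from the forum: the account table, the decoy question list, the server key, the attempt limit and every function name are constructed for illustration. It shows the leaky lookup beside a hardened one that returns a stable question for every username, compares only salted PBKDF2 hashes of the normalised answer, gives the same failure message whatever the reason, and locks recovery after a few failures.

```python
import hashlib
import hmac
import secrets

# Constructed account table (hypothetical schema, not the forum's):
#   alice set a question and, as LoyceV describes, a random high-entropy answer
#   bob   set no question at all
# Answers are stored only as salted PBKDF2 hashes of the normalised answer.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 3                       # lock recovery after this many failures
GENERIC_FAILURE = "Recovery failed."   # one message for every failure reason
SERVER_KEY = b"constructed-demo-key"   # constructed; use a real secret in production


def _normalise(answer: str) -> str:
    # Trim, lower-case and squeeze whitespace so "Fluffy " and "fluffy" match.
    return " ".join(answer.strip().lower().split())


def _answer_hash(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, PBKDF2_ITERATIONS)


def make_record(question, answer):
    """Build a stored record; an account may have no question at all."""
    if question is None:
        return {"question": None, "salt": None, "answer_hash": None}
    salt = secrets.token_bytes(16)
    return {"question": question, "salt": salt, "answer_hash": _answer_hash(answer, salt)}


USERS = {
    "alice": make_record("Name of your first pet?", "v9kq-2ZpL-8xTw"),
    "bob": make_record(None, None),
}
ATTEMPTS: dict = {}  # username -> failed recovery attempts (constructed in-memory store)


# --- leaky flow: the behaviour discussed in the thread -----------------------
def leaky_lookup(username: str) -> str:
    """Three distinct replies tell a prober whether the account exists and
    whether it has a question set."""
    rec = USERS.get(username)
    if rec is None:
        return "No such member."
    if rec["question"] is None:
        return "Sorry, there is no secret question set for this member."
    return rec["question"]


# --- hardened flow: same-looking response for every username -----------------
DECOY_QUESTIONS = [  # constructed list
    "What was the name of your first school?",
    "What is your favourite book?",
    "What city were you born in?",
]


def _decoy_question(username: str) -> str:
    # Derived from an HMAC of the username so repeated probes see the same
    # question; a question that changed between visits would itself leak.
    digest = hmac.new(SERVER_KEY, username.encode(), "sha256").digest()
    return DECOY_QUESTIONS[digest[0] % len(DECOY_QUESTIONS)]


def hardened_lookup(username: str) -> str:
    rec = USERS.get(username)
    if rec is None or rec["question"] is None:
        return _decoy_question(username)
    return rec["question"]


# Dummy salt/hash so unknown or question-less accounts still cost a PBKDF2 run,
# keeping the response time similar in every branch.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _answer_hash("decoy", _DUMMY_SALT)


def hardened_verify(username: str, answer: str) -> tuple[bool, str]:
    """Return (success, message). The message is identical for an unknown
    user, an account without a question, a wrong answer and a locked account."""
    ATTEMPTS[username] = ATTEMPTS.get(username, 0) + 1
    rec = USERS.get(username)
    has_question = rec is not None and rec["question"] is not None
    salt = rec["salt"] if has_question else _DUMMY_SALT
    expected = rec["answer_hash"] if has_question else _DUMMY_HASH
    match = hmac.compare_digest(_answer_hash(answer, salt), expected)
    if not has_question or ATTEMPTS[username] > MAX_ATTEMPTS or not match:
        return False, GENERIC_FAILURE
    ATTEMPTS[username] = 0
    return True, "reset-token:" + secrets.token_urlsafe(16)


if __name__ == "__main__":
    for name in ("alice", "bob", "nobody"):
        print(f"{name:>7}: leaky={leaky_lookup(name)!r}  hardened={hardened_lookup(name)!r}")
```

The lookup half is the part Welsh asks for: `hardened_lookup("bob")` and `hardened_lookup("nobody")` both return a plausible, stable question, so the page no longer says which accounts are worth a guess. The verify half is why LoyceV's random answer is the only kind that helps: with the answer stored hashed and recovery locked after `MAX_ATTEMPTS` failures, a short answer space such as "0-99" is the weak point, not the storage.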


Title: Re: weird pm received
Post by: Igebotz on July 07, 2022, 09:14:43 AM
I got mine as well, and I was about to tag his a$$ out when I realized he had already been tagged by OP, so I saved my time for something more important. Trying to con the most knowledgeable members of the forum appears stupid to me. Some con artists are dumb.


I suppose he came to a halt the moment he was exposed. You guys are lucky  ;D

No PM for me, I feel left out :( Maybe that's because trying to restore my account through security questions shows:

I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.

I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing. 


Title: Re: weird pm received
Post by: ABCbits on July 07, 2022, 09:20:19 AM
Looks like @newalias is online today, so I expect he'll respond to this thread soon, either because he checks the Meta board or because he found out he has 2 new feedbacks and checked the reference link.


Duh.  Why does theymos even allow this?

It's part of the SMF 1.x feature set [1], so IMO either theymos doesn't bother to remove it or it can't be removed without lots of work.

[1] https://wiki.simplemachines.org/smf/Logging_In (https://wiki.simplemachines.org/smf/Logging_In)


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: nullius on July 07, 2022, 09:26:21 AM
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.
Yeah, I haven't ruled that out. However, the things that stand out to me are the comment about letting them know how you've secured your account, and the fact they claimed to have frozen accounts. The latter being an outright lie. That's not exactly good, if you're looking to do some white hat work.

Agreed.  [Edit:  I reread the PM quoted in OP.  He does not claim to have frozen accounts.  He seems to have some trick to bypass the CAPTCHA while probing accounts.  He only says that he will report DT accounts with “secret questions” to the administration; that sounds reasonable to me, in itself.]
[...snip good advice...]

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!
</edit>


Although, that might have been a way of trying to convince the user. I'm not going to get my pitchfork out, but I do believe users should be cautious dealing with this user in further message exchanges. Not that I distrust them entirely, but at the very least advise caution.

On a side note, I don't like that anyone can find out if a user has a security question or not. I'm not a fan of security questions in the first place, but probing like that just opens up those accounts for further attack. I kind of wish that the security question field popped up regardless of if a user has set one or not. If someone tries to guess the security question of one of these users, it simply just gives a non match, rather than indicating they don't have one set up.

On a side note, I don’t like that the forum doesn’t let you remove your e-mail address, and/or otherwise totally disable password reset by e-mail.  (Yes, you can set a fake e-mail address; but then, you need to be careful to make sure it can never be valid.  And that does not itself totally disable password reset by e-mail.)  I’m not the only one.  Lauda complained to me about that.

On a side note, I don’t like that the forum doesn’t let you disable password authentication, and log in by signing a challenge with your PGP key...  OK, I will stop right here. :)


Looks like @newalias is online today, so I expect he'll respond to this thread soon, either because he checks the Meta board or because he found out he has 2 new feedbacks and checked the reference link.

For the record, I reached out to him by PM as I said I would.  With a link to my post on this thread.  Kind of sticking my neck out, doing that.  Eh.  Anyway, he should be well on notice about this thread.


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: JollyGood on July 07, 2022, 09:55:44 AM
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.
I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.
I did not receive the PM. Ah well.....

Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.

This is good advice, in my opinion:

The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all.
I maybe have a less pessimistic view than yours when it comes to human nature in general, but I am highly sceptical when it comes to the conduct of many users in this forum, therefore I can understand your views and even relate to them.

On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well but his trust currently shows the following message which might mean he is no longer in control of his account: This user's email address was changed recently


Title: Re: weird pm received
Post by: BitcoinGirl.Club on July 07, 2022, 10:03:38 AM
Check the username. Does it remind you of the user alia? A girl back in 2017 - 2018. She was having everyone's attention. Then caught on planning for scam before resting in peace. Someone is having fun.

You are not the only one. Just "Report to Admin" the PM and they will take care of this.
I do not see she is banned yet.


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. #getagrip
Post by: nullius on July 07, 2022, 10:15:04 AM
Would someone in DT please copy my neutral tag (https://bitcointalk.org/index.php?action=trust;u=2705337;dt) before this user’s account gets burned to the ground?  Thanks.

I have excluded two users who are too trigger-happy with neg tags:
Code:
[edited out]
~tweetious

[Edited later:  I removed ~willi9974 (https://bitcointalk.org/index.php?topic=5405459.msg60529934#msg60529934), and excluded some others (https://bitcointalk.org/index.php?topic=5405459.msg60529111#msg60529111).]


Check the username. Does it remind you the user alia?

::)

Get a grip.  No other way to say this:  That is ridiculously stupid.

Or am I Greg Maxwell (nullc in many venues) because I call myself “nullius”?  (Someone actually suggested that, years ago.)


On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well

I noticed that.  But I don’t think it is the problem.

Most people are not actually reading his PM—just panicking, and jumping to conclusions without even reading.  I admit that I myself misread it the first time; please see the edit to my prior post on this thread. (https://bitcointalk.org/index.php?topic=5405459.msg60526242#msg60526242)

but his trust currently shows the following message which might mean he is no longer in control of his account: This user's email address was changed recently

I noticed that, too; but it does not mean much, unless it matches other evidence.  Perhaps the user may be experimenting with his own account security; compare what my prior post said about disabling e-mail addresses.  Or maybe he got a new e-mail address.


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. #getagrip
Post by: willi9974 on July 07, 2022, 11:21:48 AM
Would someone in DT please copy my neutral tag (https://bitcointalk.org/index.php?action=trust;u=2705337;dt) before this user’s account gets burned to the ground?  Thanks.

I have excluded two users who are too trigger-happy with neg tags:
Code:
~willi9974
~tweetious


Hello nullius,

I have set the neg. trust as a precaution, so that other users see that there might be something wrong. Should the whole thing turn positive and the said user have only positive intentions, I will remove the negative trust very gladly again.

In the crypto scene, caution and skepticism are certainly not the worst things, and we old hands have to protect all the new users a bit.

Many greetings
Willi


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. #getagrip
Post by: Welsh on July 07, 2022, 01:15:53 PM
On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well

I noticed that.  But I don’t think it is the problem.

Most people are not actually reading his PM—just panicking, and jumping to conclusions without even reading.  I admit that I myself misread it the first time; please see the edit to my prior post on this thread. (https://bitcointalk.org/index.php?topic=5405459.msg60526242#msg60526242)
I'm feeling a little silly now, because I've reread it a few times, and I'm still reading it the same way.

Here's the bit I'm talking about:
However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security.
I've bolded the part which keeps tripping me up. That might be a language barrier thing as suggested, but I'm failing to read that any other way than that they've frozen the account "due to security", giving the impression they have access that a normal user doesn't. Although, it's not exactly clear what they're talking about when they say freeze, and what that exactly means either.

The part where they talk about the captcha, and only talking to theymos is separate.

I do, however, agree with JollyGood here: it does seem some of the sentences aren't quite fluid in terms of a native speaker. So, there might be some translation issues here which just complicate the situation.





Title: Re: weird pm received
Post by: philipma1957 on July 07, 2022, 01:31:04 PM
so it's probably just an unsolicited piece of advice.
I don't know if we read the same PM, because it totally looks like some kind of phishing attempt to me--and a bad one at that, despite all the technical garbledegoo.

I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing.  And not that it matters, but I recently got a PM from some guy who wanted to pay me for a review of some app.  The devil was on my shoulder and I wanted to string him along for a bit, but I lost motivation after his second reply.  I'm wondering if other DT members got that same PM, because I'm pretty sure I wasn't singled out for that one.

I got that one.


Title: Re: weird pm received
Post by: Rizzrack on July 07, 2022, 02:59:17 PM
They've already claimed that they've frozen accounts, which isn't really possible, unless they had some kind of database access, which would mean they'd be able to remove the security questions themselves if they really wanted too.

https://i.imgur.com/YiR83yc.jpg

If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer

Quote
Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.

I'm not giving them any sort of legitimacy to their claims of locking several accounts, but they could if they knew the answer. Facepalm moment aside, this is more of a hassle to remove than to ask users not to write anything in that field...

edit:

It does look weird and (almost) everyone (me included) was looking for his angle. Not sure what it could be though. Until then...

Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation?  I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.



Title: Re: weird pm received
Post by: Welsh on July 07, 2022, 03:55:11 PM
If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer
Right, I didn't make the connection that frozen = locked, I admit :P. However, we know that hasn't happened, since the OP confirmed nothing has happened. Therefore, they haven't frozen anything. So, the whole thing from a white hat perspective doesn't make a whole lot of sense.

Besides, it's always best to leave things how they are when it comes to being a white hat. Locking someone out of their account before they can change it isn't exactly the best idea.



Title: Re: weird pm received
Post by: sandy-is-fine on July 07, 2022, 04:26:09 PM
@nullius    I think you have too much faith in the goodness of humanity.  :D :D :D   Of course you may be right, but you have to look at where you are and what often goes on around here and in this world (forum world, not geographic world).  User in question recently changed email, which can possibly also mean a hacked account.  Do any of his/her previous posts have such altruistic discussions on protecting all of Bitcointalk humanity?  :D  The PMs in question seem way out of character for the poster's past conversations.  But I guess one never knows.


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: nullius on July 07, 2022, 06:19:07 PM
This thread, and newalias’ growing list of negative trust feedbacks, are classic security theatre like the American TSA confiscating nailclippers from grandmas in wheelchairs.  Bruce Schneier should give out some beatings here.

https://www.schneierfacts.com/
https://www.schneierfacts.com/images/bruce-schneier-1.jpg (https://www.schneierfacts.com/)
IIUC, it is a fan site (https://boingboing.net/2006/08/16/bruce-schneier-facts.html) not affiliated with Bruce Schneier.


@nullius    I think you have too much faith in the goodness of humanity.  :D :D :D   Of course you may be right, but you have to look at where you are and what often goes on around here and in this world (forum world, not geographic world).

Or perhaps I have less faith in humanity, especially on this forum.  No good deed goes unpunished, as the aphorism goes.  The guilty get away scot-free—I have seen it happen many times on this forum—while the innocent get burnt at the stake.

Indisputable objective fact:  Having a “secret question” set is dumb.  The users mentioning publicly that they received this PM are declaring to the world, “I do not know how to secure my forum account; and I do not read the forum UI warning which says, ‘Using this feature is not recommended.’”

Sorry to be so blunt, sandy-is-fine.  You seem fine, although you should probably stop using that insecurity misfeature.  Some others are getting on their high horses, making ridiculous statements, proclaiming sanctimoniously (and quite proudly as to their own smarts) that they caught the evil hacker.  WTF?  This would be the most moronic possible way to hack the forum:  Notify people who have weak account security, and give them good advice about how to improve.

“Faith in the goodness of humanity”?  The booby prizes for extreme stupidity thus far go to BitcoinGirl.Club...
Check the username. Does it remind you the user alia? A girl back in 2017 - 2018. She was having everyone's attention. Then caught on planning for scam before resting in peace. Someone is having fun.
...and to three of the four DT red-tags that newalias has thus far accrued:

Trusted feedback

greenplastic (https://bitcointalk.org/index.php?action=profile;u=160943)   2022-07-07   FUCK THESE FUCKING FUCKERS!! HA!
uelque (https://bitcointalk.org/index.php?action=profile;u=1078623)   2022-07-07   Reference (https://i.imgur.com/Djb7Xwj.jpg)   Messaged me saying that removing bct account security questions will improved account security. Don't get fooled by this person. - probably trying to hack bct accounts!
tweetious (https://bitcointalk.org/index.php?action=profile;u=830967)   2022-07-07   I received a threat via PM, that if I do not change my account security settings (according to their needs and guidelines), they will report me to the board administration.... "for our all safety" (LOL)
There was also a mention that I HAVE TO "get back to me stating how you improved account security"....
willi9974 (https://bitcointalk.org/index.php?action=profile;u=216582)   2022-07-07   Sent me a suspect PM to change my account settings.

Untrusted feedback

These ratings are from people who are not in your trust network. They may be totally inaccurate.

User   Date   Reference   Comments
nullius (https://bitcointalk.org/index.php?action=profile;u=976210)   2022-07-07   Reference (https://bitcointalk.org/index.php?topic=5405459.msg60526045#msg60526045)   In re PMs about the insecurity misfeature of a “secret question”, read the reference link before jumping to conclusions. #2705337 “newalias” has some explaining to do, but negative trust feedback is premature—potentially unjustified.

Later than any of the above, Nestade (https://bitcointalk.org/index.php?action=profile;u=134226) left a DT “neutral” alert.  It does not link to this thread.  He seems to have removed it now.

At the time when I left my neutral feedback, the only existing negative (only received feedback of any kind) was from willi9974.

Hello nullius,

I have set the neg. trust as a precaution, so that other users see that there might be something wrong. Should the whole thing turn positive and the said user have only positive intentions, I will remove the negative trust very gladly again.

In the crypto scene, caution and skepticism are certainly not the worst things, and we old hands have to protect all the new users a bit.

Many greetings
Willi

Yours was more reasonable, but arguable.  If it turns out that newalias’ intentions were non-malicious, I’ll remove my ~ after you remove or neutralize your tag.  (If he was acting maliciously, then of course, I will remove my ~ and give him my own negative; but from available evidence, I think it is improbable.)

These will stay, because the trust feedback texts show extremely poor judgment:

Code:
~greenplastic
~uelque
~tweetious

uelque and tweetious giving bad security advice in negative trust feedback shows judgment at least as bad as greenplastic leaving a tag that says, FUCK THESE FUCKING FUCKERS!! HA!  Oh, yes.  That user is currently in DT.  No wonder I love DT so very much.

tweetious called a purported intent to communicate with theymos about insecure accounts a “threat”.  If that’s a threat, then threatening people is a virtue.  He also sneers in negative trust feedback at what was actually good security advice—the same advice given in the forum’s profile UI!

uelque smugly implies that a misfeature, which the forum warns people against using, improves the security of his account.

What’s worse than a forum thread full of security theatre?  Negative trust feedback security theatre!


User in question recently changed email, which can possibly also mean a hacked account.  Do any of his/her previous posts have such altruistic discussions on protecting all of Bitcointalk humanity?  :D  The PMs in question seem way out of character for the poster's past conversations.  But I guess one never knows.

I very briefly discussed this with JollyGood upthread.  Adding to what I said there:  When I glanced at the user’s post history before, I noticed that he has a longstanding interest in CAPTCHA systems, and in the breaking of CAPTCHA systems.  Note that his PM claims that he has a secret method to bypass the CAPTCHA, which he says he will discuss only with theymos.

Captcha is useless as I use some trick I will only discuss with theymos.

From a thread almost two years ago:

Re: php human verification / antibot v2 ---> i challenge you to defeat it as bot
The code of this is a disaster. It does not allow multiple users to solve the "captcha" at the same time either.  ::)
I am sorry to say so, but the code is the work of a script kiddie.

This captcha is easy to be solved by bots, I agree with Aveatrex.

There are solutions like Google reCaptcha out there, with many, many algorithms. They even watch out for malicious activity, badly-known IP addresses and so on. They have a sort of scoring behind it and make the captcha as difficult as needed for the specific client (or block it at all).

The only need for another captcha solution is a self-hosted approach, without sending clients' data to Google or some other service providers. To my knowledge, there is no nice solution for PHP as a library. So, your idea is nice, but the current state is absolutely useless.

On 2020-08-01, newalias issued negative trust feedback to the author of bad PHP code.  Egads!  Is it a death_wish sighting? (https://bitcointalk.org/index.php?topic=178336.msg60311076#msg60311076) ::)

More recently, but still >30 days ago (thus before the e-mail change), newalias showed other security-related interest in CAPTCHAs:

Re: [ANN] ChipMixer.com - Bitcoin mixer / Bitcoin tumbler - mixing reinvented
I am glad to see .com is back and I like this approach, but it's going to be interesting to see how long until phishing domains do the same thing, linking to their own scam onion link.

Looks like chipmlxer.com (SCAM!) just got a nice idea from you  :-\

However, this is the most advanced scam, even maintaining session expiration time and renew/restore.

I think the new API is really nice but it is a matter of time until scam sites will use it:
Checking and redeeming sessions and vouchers entered or even providing fully functional scam sites, scamming only higher amounts to gain trust.
For sure, the latter can be done with own infrastructure, but with much more effort.

All scam sites lack captcha, just as an observation.
Captcha is to protect from DoS, I think. That is also a problem for the API, isn't it?
I think API is (or will get) a nightmare.

Does anyone have a clue about how much these sites are making? I would start monitoring on my own otherwise.


Here's the bit I'm talking about:
However, you have a security question in place, which often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security.

You are entirely correct!

If you know/guess someone's secret question you could lock their account and change their password. No other info required besides username + secret answer

And you!  IIRC, I walked through the same thought process when I first saw the thread—then somehow confused myself.  Need coffee.  Always my excuse when I make a stupid mistake:  Need more coffee.  :-)


However, you have a security question in place, which often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove the security question altogether.

^^^ Excellent advice!  If newalias posts the same publicly, preferably on a new Meta thread linked from here, then it will deserve significant merits.  Hint, hint.

/me has a longtime personal grudge against so-called “secret questions”.


Title: Re: weird pm received
Post by: skarais on July 07, 2022, 06:22:42 PM
Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  :D

So far I've received emails about someone trying to hack into my account by forgetting my password (last February to be exact), which is stupid because I'm sure he never knows what my email is. But luckily the odd PM didn't haunt me, though I certainly didn't expect to receive it. If there's one later, I'll definitely report it to the mod as soon as I can.


Title: Re: weird pm received
Post by: newalias on July 07, 2022, 06:41:01 PM
I received several negative trust ratings. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as the answer to "how old was justin in 1980?". He was warned and had left this stupid question (the answer should be between 0 and 99; the rate limit is one try per 45 seconds and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

Security questions are a joke and should be disabled. There are members using questions with a probably secure answer or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is a member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able to unlock using a fake mail. I want to see security questions disabled, an option to disable email recovery per account, and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
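The security lock newalias credits above, and the per-IP rate limit he says a pool of addresses makes irrelevant, as an added illustration in Python (example code, not the forum's own software): failed recovery attempts are counted per account, so the number of guesses anyone gets is bounded no matter how many source addresses they rotate through, and once the account is locked even the correct answer is refused until an administrator intervenes. The thresholds, function names, the 45-second per-IP window and the sample account are assumptions.

```python
"""Per-account lockout for a secret-question recovery endpoint.

Added illustration (not bitcointalk's code): a throttle keyed only by source
IP slows down one address, whereas counting failures per account bounds the
total number of guesses regardless of how many addresses are used.
Thresholds, names and the sample account are assumptions.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    salt: bytes
    answer_hash: bytes      # slow, salted hash of the normalised secret answer
    failures: int = 0       # counted across all source addresses
    locked: bool = False    # the forum's "security lock" state


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise case and whitespace, then run a deliberately slow KDF."""
    normalised = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 100_000)


class RecoveryGuard:
    MAX_FAILURES_PER_ACCOUNT = 5   # assumed lock threshold, independent of IP
    PER_IP_INTERVAL = 45.0         # seconds; the per-IP limit the thread mentions

    def __init__(self, accounts, clock=time.monotonic):
        self.accounts = {a.name: a for a in accounts}
        self.last_try_by_ip = {}
        self.clock = clock
        self.audit = []             # constructed seclog-style entries

    def attempt(self, username: str, answer: str, ip: str) -> str:
        now = self.clock()
        last = self.last_try_by_ip.get(ip)
        if last is not None and now - last < self.PER_IP_INTERVAL:
            return "throttled"      # only this one address is slowed down
        self.last_try_by_ip[ip] = now
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"         # indistinguishable from a wrong answer
        if acct.locked:
            return "locked"         # even the right answer is refused now
        if hmac.compare_digest(hash_answer(answer, acct.salt), acct.answer_hash):
            acct.failures = 0
            self.audit.append(f"{username} - password reset via secret question ({ip})")
            return "reset_allowed"
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES_PER_ACCOUNT:
            acct.locked = True
            self.audit.append(f"{username} - security lock after {acct.failures} failed recovery attempts")
            return "locked"
        return "denied"


def _demo_guard(clock):
    # Constructed sample account; the secret answer is "42".
    salt = b"constructed-demo-salt"
    return RecoveryGuard([Account("demo_user", salt, hash_answer("42", salt))], clock=clock)


def _ticking_clock(step=1.0):
    """Fake clock advancing one step per call, so the demo runs instantly."""
    t = [0.0]

    def clock():
        t[0] += step
        return t[0]
    return clock


def simulate_rotating_ips():
    """Five wrong guesses from five addresses (TEST-NET-2 range), then the right
    answer: the per-IP window never triggers, but the per-account counter locks."""
    guard = _demo_guard(_ticking_clock())
    outcomes = [guard.attempt("demo_user", f"wrong-{i}", f"198.51.100.{i}") for i in range(1, 6)]
    outcomes.append(guard.attempt("demo_user", "42", "198.51.100.99"))
    return outcomes


def same_ip_is_throttled():
    """Two tries one second apart from one address: the second is throttled."""
    guard = _demo_guard(_ticking_clock())
    return [guard.attempt("demo_user", "wrong", "203.0.113.7") for _ in range(2)]


def correct_answer_allows_reset():
    """Normalisation means ' 42 ' matches the stored answer."""
    guard = _demo_guard(_ticking_clock())
    return guard.attempt("demo_user", " 42 ", "203.0.113.8")


if __name__ == "__main__":
    print(simulate_rotating_ips())   # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked']
    print(same_ip_is_throttled())    # ['denied', 'throttled']
```

The point of the design is in `attempt`: the per-IP check is a convenience against accidental hammering, while `acct.failures` is what actually bounds the guess budget, which is why a 0-99 answer space stays unguessable within five tries. A real deployment would also persist the counter and notify the account owner on lock, as the forum's seclog does.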


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. #getagrip
Post by: BitcoinGirl.Club on July 07, 2022, 06:41:31 PM
Check the username. Does it remind you of the user alia?

::)

Get a grip.  No other way to say this:  That is ridiculously stupid.
Yes, I may be stupid but how are you so sure 🤣

Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  :D
I have not received the PM yet, which means I am not in DT either 😉? My bet, the user is targeting people with some other criteria, not just DT.



Title: Re: weird pm received
Post by: sandy-is-fine on July 07, 2022, 07:07:08 PM
While it seems that it is possible that what you were doing REALLY was "for the good of mankind" and possibly completely altruistic, I believe you went about it the wrong way.  Don't you think simply starting a topic here in META might have avoided the panic created?  You have to admit, the PMs did sound a bit "scammy" as you put it in the title of the PM, and the results, while possibly an overreaction, wouldn't or shouldn't have been totally unexpected.

Edit:  Whatever the motive, you did jolt me into changing my password for the first time in years and to remove my "secret word" for which I didn't even know the answer which I put in when I joined years ago!  Thank you for that.  :D


I received several negative trust ratings. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as the answer to "how old was justin in 1980?".

Proof: https://bitcointalk.org/seclog.php

Security questions are a joke and should be disabled. There are members using questions with a probably secure answer or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is a member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able to unlock using a fake mail. I want to see security questions disabled, an option to disable email recovery per account, and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.


Title: pwnage! Which security-theatre player will thank him for being not malicious?
Post by: nullius on July 07, 2022, 07:13:24 PM
pwned!

I received several negative trust ratings. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as the answer to "how old was justin in 1980?". He was warned and had left this stupid question (the answer should be between 0 and 99; the rate limit is one try per 45 seconds and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

For the record:

  • Today at 06:39:10 PM - greenplastic (https://bitcointalk.org/index.php?action=profile;u=160943) - password reset via secret question

My hat is a little bit grey, so I probably would have switched the stupid negative feedback against myself to positive before locking the account.  lulz.

His negative feedback against you is still there.  Yes, I think that you are probably not malicious.  You are definitely a little bit naïve.

Security questions are a joke and should be disabled. There are members using questions with a probably secure question or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is a member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able to unlock using a fake mail. I want to see security questions disabled, an option to disable email recovery per account, and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.

I gave only 5 merits for this, because I am widely merit-boycotted; I need to save up, so I can afford to give more when you make a thread about this.

I want public key authentication.  Disable password authentication (like in sshd).  Has the Bitcoin Forum ever heard of such a thing as digital signatures?  Do people here do crypto, or not?  Sigh.

I made some suggestions years ago.  Nothing happened.  Your way is better:  Teach a little lesson, which will be less painful coming from you than from someone who actually wants to pwn a bunch of accounts.  It will more likely result in positive changes.


Check the username. Does it remind you of the user alia?

::)

Get a grip.  No other way to say this:  That is ridiculously stupid.
Yes, I may be stupid but how are you so sure 🤣

Because I knew alia as I wish for people not to be reminded—ugh.  A smooth-talking gambling addict sex scammer, likely from India or SEA (IIRC), who only temporarily fooled people with a pretense of some technical skills.  Not a German hacker who just kindly refrained from helping himself to some tasty DT accounts.  To make a connection based only on a very vague similarity of names verges on how schizophrenics find secret messages in white noise.


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. #getagrip
Post by: newalias on July 07, 2022, 07:13:49 PM
My bet, the user is targeting people with some other criteria not just a DT.

Oh, really? Maybe just the ones with a secret question set. You can figure that out by reading my PM.

This thread is unbelievably dumb. I warned affected users of a security problem and they make it public that they are affected. But what should I expect from users who have set a security question and ignored a warning? If you set a second password, both can be used to log in. How can someone think this improves security, especially when the second password is "5"? I would ask greenplastic that question, but unfortunately he is not able to log in.


Title: Re: weird pm received
Post by: mprep on July 07, 2022, 07:16:40 PM
I don't know what the user's motivation is, but on the surface the advice about not using the security question feature is very much on point: security questions are insecure and shouldn't be used on any website (if possible). Use a really strong password and have a valid email set so you can recover your account in case you forget your password. More importantly, having a weak security question on Bitcointalk allows an attacker to easily lock someone's account (see https://bitcointalk.org/index.php?topic=1206977.0 (https://bitcointalk.org/index.php?topic=1206977.0)).

You probably shouldn't message him back about anything related to the security of your account - as others pointed out, that may be the start of a social engineering attack.

On a side note, I don’t like that the forum doesn’t let you remove your e-mail address, and/or otherwise totally disable password reset by e-mail.  (Yes, you can set a fake e-mail address; but then, you need to be careful to make sure it can never be valid.  And that does not itself totally disable password reset by e-mail.)  I’m not the only one.  Lauda complained to me about that.
While I'm not sure whether it's 100% secure, an idea would be to set the email to something like noemail@noemail.test since .test (and similar TLDs) "is not intended to ever be installed into the global Domain Name System (DNS) of the Internet" (from https://en.wikipedia.org/wiki/.test (https://en.wikipedia.org/wiki/.test)).
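A check for the kind of address mprep suggests, as an added example in Python (not forum code): it accepts only names reserved by RFC 2606 and RFC 6761 (.test, .example, .invalid, and example.com/.net/.org), which can never be delegated in the public DNS, so a reset mail sent there has no recipient anywhere. .localhost is deliberately rejected because it resolves to the loopback address of whatever host sends the mail, which would be the forum server itself. Function names are assumptions, and nullius's caveat above still applies: an undeliverable address does not itself disable the e-mail reset path.

```python
"""Classify a recovery e-mail address as deliverable-nowhere or not.

Added example, not bitcointalk's code. Reserved names per RFC 2606 and
RFC 6761 can never appear in the public DNS, so no mailbox can ever exist
under them. Names like noemail.com are ordinary registrable domains and
therefore unsafe: someone could register them and receive your reset link.
"""
# Top-level names that RFC 2606 / RFC 6761 guarantee will never be delegated.
RESERVED_TLDS = {"test", "example", "invalid"}
# Second-level names reserved for documentation under real TLDs.
RESERVED_SECOND_LEVEL = {"example.com", "example.net", "example.org"}
# Resolves to loopback (RFC 6761), i.e. mail would be delivered to the sending
# host itself, so it is NOT treated as safe.
LOOPBACK_NAMES = {"localhost"}


def _split_domain(addr: str):
    """Return the lower-cased domain labels, or None if the address is malformed."""
    if addr.count("@") != 1:
        return None
    local, domain = addr.rsplit("@", 1)
    domain = domain.strip().lower().rstrip(".")
    if not local.strip() or not domain:
        return None
    labels = domain.split(".")
    if any(not lbl for lbl in labels):   # catches "x..test" and leading dots
        return None
    return labels


def is_unresolvable_recovery_email(addr: str) -> bool:
    """True only if the address lies under a name that can never resolve."""
    labels = _split_domain(addr)
    if labels is None:
        return False
    if labels[-1] in LOOPBACK_NAMES:
        return False
    if labels[-1] in RESERVED_TLDS:
        return True
    if len(labels) >= 2 and ".".join(labels[-2:]) in RESERVED_SECOND_LEVEL:
        return True
    return False


def recovery_email_risk(addr: str) -> str:
    """Short verdict a settings page could show next to the address field."""
    labels = _split_domain(addr)
    if labels is None:
        return "malformed: fix the address before saving"
    if labels[-1] in LOOPBACK_NAMES:
        return "unsafe: localhost delivers to the sending host"
    if is_unresolvable_recovery_email(addr):
        return "undeliverable: reserved name, no mailbox can exist"
    return "deliverable: a real domain someone can control"


if __name__ == "__main__":
    for a in ("noemail@noemail.test", "user@example.org", "noemail@noemail.com", "user@localhost"):
        print(f"{a:25} -> {recovery_email_risk(a)}")
```

Run it against the address actually stored in your profile, not the one you think is there; the common mistake is picking a made-up but registrable domain such as noemail.com, which the check flags as deliverable.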


Title: Re: pwnage! Which security-theatre player will thank him for being not malicious?
Post by: sandy-is-fine on July 07, 2022, 07:21:26 PM
LOL, I did BEFORE you posted!  :D  (sort-of)


pwned!

I received several negative trust ratings. Okay.

I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as the answer to "how old was justin in 1980?". He was warned and had left this stupid question (the answer should be between 0 and 99; the rate limit is one try per 45 seconds and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Proof: https://bitcointalk.org/seclog.php

For the record:

  • Today at 06:39:10 PM - greenplastic (https://bitcointalk.org/index.php?action=profile;u=160943) - password reset via secret question

My hat is a little bit grey, so I probably would have switched the stupid negative feedback against myself to positive before locking the account.  lulz.

His negative feedback against you is still there.  Yes, I think that you are probably not malicious.  You are definitely a little bit naïve.

Security questions are a joke and should be disabled. There are members using questions with a probably secure question or maybe even fake questions, but "1+1" is a joke. In case of greenplastic, he did not even understand the problem. We should think of who is a member of DefaultTrust.

Security lock is a good thing for sure, otherwise I would control two DefaultTrust accounts now, one of them being inactive for months. Thank god, I was not able to unlock using a fake mail. I want to see security questions disabled, an option to disable email recovery per account, and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.

I gave only 5 merits for this, because I am widely merit-boycotted; I need to save up, so I can afford to give more when you make a thread about this.

I want public key authentication.  Disable password authentication (like in sshd).  Has the Bitcoin Forum ever heard of such a thing as digital signatures?  Do people here do crypto, or not?  Sigh.

I made some suggestions years ago.  Nothing happened.  Your way is better:  Teach a little lesson, which will be less painful coming from you than from someone who actually wants to pwn a bunch of accounts.  It will more likely result in positive changes.


Check the username. Does it remind you of the user alia?

::)

Get a grip.  No other way to say this:  That is ridiculously stupid.
Yes, I may be stupid but how are you so sure 🤣

Because I knew alia as I wish for people not to be reminded—ugh.  A smooth-talking gambling addict sex scammer, likely from India or SEA (IIRC), who only temporarily fooled people with a pretense of some technical skills.  Not a German hacker who just kindly refrained from helping himself to some tasty DT accounts.  To make a connection based only on a very vague similarity of names verges on how schizophrenics find secret messages in white noise.


Title: Re: pwned! Which security-theatre player will thank him for being not malicious?
Post by: nullius on July 07, 2022, 07:22:12 PM
I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.
QFT.


Thanks, mprep—I did not know this:

This is a Public Service Announcement:

If you lose your password, DO NOT USE THE SECRET QUESTION TO RECOVER THE ACCOUNT. It will result in your account being locked. Please use the email recovery option to recover the account.

(This post is obviously edited.  I saw the below before I saw the above.)


The PM looked scammy but I guess it was "okay" after reading this thread.

However, methods like this are unacceptable:
I was able to get access to SPQRCoin yesterday answering "1+1" with "2". No joke. He is in DefaultTrust level 2.

greenplastic gave negative trust to me. Now he is security locked for using "5" as the answer to "how old was justin in 1980?". He was warned and had left this stupid question (the answer should be between 0 and 99; the rate limit is one try per 45 seconds and IP address - in reality, you get a bunch of IPs and laugh about the limit).

Would you prefer that he have left an insecure account wide-open for someone else to hack?  While greenplastic himself not only ignored good advice about securing his account, but attacked the giver of the advice with negative trust feedback?  Please advise if you think that would be a better solution.

If he only locked the accounts, I don’t think he did anything wrong.  (Not legal advice.  Speaking ethically here.)  theymos can check server logs to see what he really did.


Title: Re: weird pm received
Post by: newalias on July 07, 2022, 07:24:17 PM
However, methods like this are unacceptable

At least he understands the problem now.


Title: Re: weird pm received
Post by: OgNasty on July 07, 2022, 07:38:19 PM
However, methods like this are unacceptable

At least he understands the problem now.

I can't say I grasp the series of events and the timeline, but warning someone about a potential issue with their password, then demonstrating that it was an issue after being ignored without compromising anything seems like the right way to do it?  How else could this point have been made?

I think the problem was that the PMs were worded strangely as if it was sent from a scammer.  Perhaps something a little more simple and to the point would have been more effective.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of) or maybe I'm not in DT anymore.  Who knows?


Title: Re: weird pm received
Post by: Fivestar4everMVP on July 07, 2022, 07:46:37 PM
I was about to conclude that the message was only sent to high ranking members, but I just found out that DT members were the only target. I am just wondering what exactly this user is trying to achieve by this, because I believe it's impossible to hack an account without having access to the password. Now, my confusion is: how is it possible for an account to be hacked through a message like this? What kind of action is the sender of these PMs expecting his/her targets to take so as to enable him or her to gain access to the target's account?
Knowing this, I believe, will keep us on the safer side.


Title: Re: weird pm received
Post by: newalias on July 07, 2022, 07:48:46 PM
According to https://bitcointalk.org/index.php?action=helpadmin;help=secret_why_blank the feature is disabled if you set a question without setting an answer, right?

Maybe, but the question and the answer form are still shown.


Title: Re: weird pm received
Post by: Welsh on July 07, 2022, 08:04:16 PM
Yeah, it was the wording of the personal message that was tripping me up. Might have been a better option to contact the admins, and say you're aware of someone's security question, they could've possibly checked, and then forced the security question to be disabled, rather than forcibly locking an account. Maybe, the admins could've messaged only those with security questions enabled, I'm not sure of the best way of going about this.

Also, not a fan of talking about the specifics of a certain user's security question, as that could potentially be a further security/privacy issue.

However, I think the point has been made, and hopefully this highlights the issues of a security question. Personally, I'd prefer it to be removed, but at the very least hopefully this wakes up some users to discontinue using it.

For those that are unaware: security questions are designed in such a way that it encourages you to ask a question and then directly answer that question, therefore it's no longer random. We've talked about randomness for ages now, and how important it is to the generation of passwords. So, the mere fact you come up with the question and the answer usually means you either reduce the randomness or completely remove it. You could say you'll have an answer that's not related to the question, but it likely is, as we as people aren't very good at thinking randomly.

I was about to conclude that the message was only sent to high ranking members, but I just found out that DT members were the only target. I am just wondering what exactly this user is trying to achieve by this
You're much more likely to make a point, if you make it to the higher ranked users of the forum, as the point hits closer to home, than doing this to someone who is of a lower rank. The user has proven that security questions are ridiculously stupid, which we kind of knew anyway, but has highlighted that to those that don't know it.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of)
Maybe check it, and amend it if so.


Title: Nestade wants to shoot the messenger who incisively delivered a long-ignored msg
Post by: nullius on July 07, 2022, 08:11:35 PM
How else could this point have been made?
By creating a thread in Meta.

IIRC, I have made various suggestions in Meta for improving account security.  IIRC, so has OgNasty.  So have others...

The response is always either silence, or “new forum software” vapourware which has only been in development for, what, about seven or eight years?

[ANN] Nulltalk, the new new forum software

Everything on this forum makes me rage nowadays

Me, too.  Let’s do something constructive about it.

I propose that I myself should indeed write the new new forum software.  As aforesaid, I will write it in C (https://fossil-scm.org/home/doc/trunk/www/forum.wiki), then rewrite it in Rust; if I need to take more time, then along the way, I may also rewrite the code in Java, C#, Go, Javascript, Python, C++ with Boost, C++ without Boost, COBOL, MUMPS, Solidity, Visual BASIC, LISP, FORTRAN, and/or Brainfuck (https://esolangs.org/wiki/Brainfuck).  I don’t know many of these languages; thus, the schedule slippage will be spectacular as I spend time learning.  My proposed schedule is to deliver a feature-incomplete pre-alpha demo by the 2028 Halving, a beta before BIP 42 (https://github.com/bitcoin/bips/blob/master/bip-0042.mediawiki) becomes economically relevant, and the official 1.0 release before the heat death of the universe—maybe.  I’m so slick!

The project is called Nulltalk, because its distinguishing innovation shall be that it autobans all users, and stores all posts in the /dev/null NoSQL database.  Thus, there shall be no talk.  Silence!  Hey—if John Cage could sell records this way (https://en.wikipedia.org/wiki/4%E2%80%B233%E2%80%B3), why can’t I build a forum that forbids all discussion?  Also, I shall integrate the zero-dimensional graph-theoretic /dev/null NoSQL cloud database with Blockchain, because Blockchain has maximal synergies with buzzwords in Enterprise NoSQL Cloud Blockchain.

Because it auto-bans all users, Nulltalk’s user accounts shall be totally unhackable.  Purr-fect security. 😼


Title: Re: weird pm received
Post by: Smartvirus on July 07, 2022, 08:12:56 PM
Likely, by asking you to get back to them how you secured your account after removing it, is likely a way to get more information.
That's the point I've been looking at, as opposed to Jackg's speculation earlier that it was just friendly advice. It's far from anything friendly the way I see it. This could be a possible tip-off on where to start the hack and what tricks he or she could use. Else, why would the user need feedback on whether you hearkened to his/her advice or not?
By the user being aware of a security question having been activated on the account, it simply means there have possibly been attempts at hacking the account and that was one of the recovery options presented. Hence, having it set up doesn't guarantee much safety, as a signed address could aid a lot in the course of forgotten details and getting your account back at any point.

I am not a DT just yet, neither have I gotten the PM making the rounds, but I am sure this user isn't done yet and would be trying his luck on other accounts.


Title: Re: weird pm received
Post by: Welsh on July 07, 2022, 08:18:25 PM
That's the point I've been looking at, as opposed to Jackg's speculation earlier that it was just friendly advice. It's far from anything friendly the way I see it. This could be a possible tip-off on where to start the hack and what tricks he or she could use.
Yeah, mprep summed it up nicely. Don't communicate, at least with any detail in relation to security with users that might do this sort of thing, as it could lead to a social engineering attempt.

I think most suspicions came from how the personal message was worded, but also we're a rather suspicious community as a whole. Which, neither helps when combined. I do think things could've been handled a bit better, but the actions have already been taken.

Like I said, I was somewhat suspicious to how the personal message was worded, but I wasn't ready to get the pitchfork out yet.


Title: Re: weird pm received
Post by: Rizzrack on July 07, 2022, 08:29:00 PM
According to https://bitcointalk.org/index.php?action=helpadmin;help=secret_why_blank the feature is disabled if you set a question without setting an answer, right?

Don't be naive and just delete that damn question already!

https://i.imgur.com/90yjCXw.jpg


Title: Re: weird pm received
Post by: newalias on July 07, 2022, 08:36:59 PM
Don't be naive and just delete that damn question already!

If an empty answer would allow you to set a question without having any correct answer, that would be interesting to steal time and resources of an attacker (without wasting own time). However, a long random string should have the same result. But I feel uncomfortable with having any security question active.


Title: Re: weird pm received
Post by: willi9974 on July 07, 2022, 09:10:54 PM
Negative trust removed, thanks for the clarification


Title: Re: pwned! Which security-theatre player will thank him for being not malicious?
Post by: nullius on July 07, 2022, 09:24:35 PM
Negative trust removed, thanks for the clarification

~willi9974 removed; my neutral feedback “This user is too trigger-happy with negative trust feedback. ~willi9974” is deleted.  I will edit a relevant prior post accordingly, in case anyone reads it out of context.  [Done.] (https://bitcointalk.org/index.php?topic=5405459.msg60526486#msg60526486)  Thanks for the correction.

My other recent trust actions will stay (modulo the need for some refinements and extensions).


Title: Re: weird pm received
Post by: logfiles on July 07, 2022, 09:55:00 PM
At least he understands the problem now.
I have a question.

If you really wanted the secret question option removed by admin, why didn't you just opt for the Security bounties (https://bitcointalk.org/index.php?topic=309785.0) option?
I think it would have been a quicker way of getting his attention.

Some people are very sensitive when they realize someone tried to gain access to their account, regardless of your motive.


Title: Re: weird pm received
Post by: Rizzrack on July 07, 2022, 10:14:39 PM
If you really wanted the secret question option removed by admin, why didn't you just opt for the Security bounties (https://bitcointalk.org/index.php?topic=309785.0) option?

Because filling in the secret question and answer is a security risk. The bounty is for security vulnerabilities.

Copying your seed and password in a notepad is a major security risk, but Electrum will not pay you if you mention it's a common practice of their users...  ;)


Title: Re: weird pm received
Post by: philipma1957 on July 07, 2022, 10:21:17 PM
Yeah, it was the wording of the personal message that was tripping me up. Might have been a better option to contact the admins, and say you're aware of someone's security question, they could've possibly checked, and then forced the security question to be disabled, rather than forcibly locking an account. Maybe, the admins could've messaged only those with security questions enabled, I'm not sure of the best way of going about this.

Also, not a fan of talking about the specifics of a certain user's security question, as that could potentially be a further security/privacy issue.

However, I think the point has been made, and hopefully this highlights the issues of a security question. Personally, I'd prefer it to be removed, but at the very least hopefully this wakes up some users to discontinue using it.

For those that are unaware; Security questions are designed in such a way, that it encourages you to ask a question, and then directly answer that question, therefore it's no longer random. We've talked about random for ages now, and how it's important to generation of passwords. So, the mere fact you come up with the question, and the answer usually means you either reduce the randomness or completely remove it. You could say you'll have an answer that's not something that's related to the question, but it likely is as we as people aren't very good at thinking randomly.

I was about to conclude that the message was only sent to high ranking members only; I just found out that DT members were the only target. I am just wondering what exactly this user is trying to achieve by this.
You're much more likely to make a point, if you make it to the higher ranked users of the forum, as the point hits closer to home, than doing this to someone who is of a lower rank. The user has proven that security questions are ridiculously stupid, which we kind of knew anyway, but has highlighted that to those that don't know it.

I do feel left out that I didn't receive one of these messages.  I guess because I have no security questions (that I'm aware of)
Maybe check it, and amend it if so.


I think he deserves the neg trust. As I stated my question was there but was already in a disabled state. So it is far superior than no question at all. Since a hacker would spend all eternity and get nowhere trying to answer the question.

It was what is the name of my wife's father.

A hacker could have tried every name ever written in the human race and have no answer.

Since I knew my secret question was disabled but listed I had created a time waster trap for hackers which this moron fucked up with his clever hacking bs.

So frankly his so called well intended deed fucking helps hackers since they now know security questions can be disabled and thus unanswerable.


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: tweetious on July 07, 2022, 10:24:43 PM
uelque and tweetious giving bad security advice in negative trust feedback shows judgment at least as bad as greenplastic leaving a tag that says, FUCK THESE FUCKING FUCKERS!! HA!  Oh, yes.  That user is currently in DT.  No wonder I love DT so very much.

tweetious called a purported intent to communicate with theymos about insecure accounts a “threat”.  If that’s a threat, then threatening people is a virtue.  He also sneers in negative trust feedback at what was actually good security advice—the same advice given in the forum’s profile UI!

Since my name was mentioned here, followed by allegations that I am giving bad security advice, and being a serial "trigger-happy with negative trust feedback" (as mentioned in the trust feedback that I received), I thought of chipping in and explaining the reasoning behind my providing such feedback.

Generally speaking, when someone (with purely good intentions) is contacting me, letting me know of possible security breaches, and providing me with advice and optional solutions to overcome a possible threat, I am thankful.

What happened here is completely different though. I received a PM from a user that I didn't know & had never interacted with before. The topic of the PM was "(No subject)" & was sent to "(Undisclosed recipients)", hence not directed explicitly to me (it was not intended for only me, but to unknown recipients).

In the beginning, there was a short introduction about a "potential" forum security issue, and a mention of their achievement that they have already frozen a user account because the user didn't follow their security standards. (ie they took the law into their hands, and executed it accordingly leaving the user with a locked/frozen account -just because they could-, instead of informing a moderator about the situation and letting them handle it in the most appropriate way).

Then, things started getting a bit more interesting. This user demanded me not only to change my security settings but to also report back to them (secretly via PMs) stating how I improved my account security (ie providing them details about my security settings and the way I "improved" them - ie changed them). Not only that, but they also threatened me that if I do not comply and they do not get a reply back from me, they will report me to the board administration "for our all safety".

Hence, in my point of view, someone was sending PM's acting as forum police, making demands and threats, without even having the authority of doing so, having as an excuse a very critical forum security issue (security question in place).

This PM didn't come from a high-ranked user, a moderator, or from a highly trusted member. On the contrary, it came from a low-ranked member that has only negative feedback on their trust (both given & taken). If what I said is not clear, this user since 2019 has only provided negative feedback to other users, and not a single positive one (+ the negative feedback that they have received so far).
Furthermore, there is a warning on their trust feedback page, that "This user's email address was changed recently."

The reason for leaving negative trust feedback was not to hurt newalias' reputation but to warn potential receivers of those PMs that it is a bad tactic and "bad security advice" (what nullius is accusing me that I provide) to reply to unknown senders' PMs and provide sensitive security information about their account (specifically when someone is actually demanding it, and letting them know that they will get reported if not doing so). Especially, coming from a user that claims that they have hacked/breached/tricked (whatever the right word is) the forum's Captcha security system.

@newalias I have nothing against you, and I do not want to turn this into a drama. You might have the purest intentions, however, it was so badly executed that your PM actually turned into a security concern (instead of the security issue that you were forcing other users to comply with).

@nullius I disagree with you that I am a serial "trigger-happy with negative trust feedback". If you still believe so, I totally respect your opinion and have no hard feelings at all. (you can leave your trust feedback as is). My trust feedback history is open to everyone to see, hence everyone could reach their own conclusions on whether I misuse the trust feedback by providing negative feedback without reasoning.
Yes, I agree that using "neutral" feedback instead of negative might have been an option. However (as said) due to the amount and the combination of all those red flags together, I wanted to do my best to alert PM receivers (by reading my text in red), so as not to fall into a potential phishing scam attempt.

Here is the PM that I received. I have indicated in bold, all those segments that support my above elaboration.

Edit: just to be crystal clear, I do not disagree that having a security question in place, might be a security issue for your account.

Quote
Hi there,

you are member of DefaultTrust. Therefore, the security of your account is crucial.

However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!

Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.

Thank you!


Title: Re: weird pm received
Post by: kawetsriyanto on July 07, 2022, 10:57:08 PM
Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  :D
I have not received the PM yet which means I am not in DT too 😉? My bet, the user is targeting people with some other criteria not just a DT.
Agree. He should have criteria, I assume he is likely to target high-rank accounts.
He may start with DT members, then he will target random members.

In my opinion, that account only tried to make chaos since he won't succeed if he targeted DT members. DT members won't be easily trapped by that weird PM, only careless members can be the victims.

By the way, it is a bit strange why he did this. He must know he won't have a chance to succeed, but he did it. If he really wants to make chaos or suspicion among the members, what are his goals exactly?  ???



I also got that weird PM.



Title: Re: weird pm received
Post by: newalias on July 07, 2022, 11:28:12 PM
Luckily I'm not a DT member, so that damn user didn't target me for that weird PM.  :D
I have not received the PM yet which means I am not in DT too 😉? My bet, the user is targeting people with some other criteria not just a DT.
Agree. He should have criteria, I assume he is likely to target high-rank accounts.
He may start with DT members, then he will target random members.

In my opinion, that account only tried to make chaos since he won't succeed if he targeted DT members. DT members won't be easily trapped by that weird PM, only careless members can be the victims.

By the way, it is a bit strange why he did this. He must know he won't have a chance to succeed, but he did it. If he really wants to make chaos or suspicion among the members, what are his goals exactly?  ???



I also got that weird PM.



How do you define success? If you think success is hijacking your account you are wrong.


Title: Re: weird pm received
Post by: kawetsriyanto on July 08, 2022, 12:16:36 AM
How do you define success? If you think success is hijacking your account you are wrong.
Okay, seems to make sense to me.
I actually have said above, that it should be a small chance if you are trying to hijack DT member accounts.
I guess you understand it, right?



Don't misunderstand or judge too early!!



Title: Re: weird pm received
Post by: dansus021 on July 08, 2022, 01:40:19 AM
hahha I received the PM yesterday and I asked him

are you trying to sell a security program? but he said that I must delete the security question in my account  ;D ;D I think this person DMs high ranking members


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: nullius on July 08, 2022, 01:53:45 AM
I think he deserves the neg trust. As I stated my question was there but was already in a disabled state. So it is far superior than no question at all. Since a hacker would spend all eternity and get nowhere trying to answer the question.

It was what is the name of my wife's father.

A hacker could have tried every name ever written in the human race and have no answer.

Since I knew my secret question was disabled but listed I had created a time waster trap for hackers which this moron fucked up with his clever hacking bs.

So frankly his so called well intended deed fucking helps hackers since they now know security questions can be disabled and thus unanswerable.

Non sequitur.  Nothing that you said indicates that the user deserves negative trust feedback, or speaks to his trustworthiness in any way.  Beyond that:

First of all, you are creatively rewriting history.  Look back to the beginning of the thread.  You were so scared that you had been hacked, you self-quoted from another account to preserve your post.

Zeroth of all, you have now passed beyond the realm of security theatre into Rube Goldberg style security.  Guess what:  My Bitcoin wallet has “no [secret] question at all” (of this type).  Would it be made “far superior”, if a ridiculously weak insecurity misfeature were added, and then misused in a way that’s less weak?  Please advise:  I am considering the possibility that I may write my own Bitcoin wallet software.

Reductio ad absurdum, would my wallet “fucking help hackers” by only using poor, weak little Bitcoin public keys, (https://bitcointalk.org/index.php?topic=2859033.0) without a “secret question” insecurity mechanism?  Should I draft a BIP to add a consensus feature that lets people somehow add coin recovery questions on the blockchain, if they can leave it blank as you describe?  Would that improve Bitcoin’s security to be “far superior” to what it now is? ::)

I think that you and some others still don’t understand that the whole “secret question” feature is strictly a negative to security, with no security benefits whatsoever.  It was originally an account recovery mechanism:  A per-account backdoor to gain access to an account, without knowing the password.  As mprep informed us, it was changed in 2015 to be “only” a way to lock an account without the password.

I have no “secret question” set on any of my Bitcoin Forum accounts.  My accounts are surely more secure than yours.  You still believe that you can nonsensically add security with a misfeature designed to undermine security; that indicates to me that you do not know how to secure an account.


This PM didn't come from a high-ranked user, a moderator, or from a highly trusted member. On the contrary, it came from a low-ranked member that has only negative feedback on their trust (both given & taken). If what I said is not clear, this user since 2019 has only provided negative feedback to other users, and not a single positive one (+ the negative feedback that they have received so far).
Furthermore, there is a warning on their trust feedback page, that "This user's email address was changed recently."

When I first checked his account after this thread began, he had only one received feedback of any kind:  willi9974’s negative dated 2022-07-07, now removed. (https://bitcointalk.org/index.php?topic=5405459.msg60529934#msg60529934)  As of early yesterday, he did not have any negative feedbacks not pertaining to this incident.

I don’t know why you think that sent feedback is relevant.  I myself have only rarely sent positive feedback.  In my case, that is intentional and well-considered.  I have written essays as to why—even posted a policy noting this.
General note:  I am extremely conservative in matters of trust.  I do not trust easily; and most of all, I do not vouch lightly.
Anyway, I don’t see why you would issue negative feedback partly on the basis that someone does not trust anyone here.

Generally speaking, when someone (with purely good intentions) is contacting me, letting me know of possible security breaches, and providing me with advice and optional solutions to overcome a possible threat, I am thankful.

What happened here is completely different though. I received a PM from a user that I didn't know & had never interacted with before. The topic of the PM was "(No subject)" & was sent to "(Undisclosed recipients)", hence not directed explicitly to me (it was not intended for only me, but to unknown recipients).

In the beginning, there was a short introduction about a "potential" forum security issue, and a mention of their achievement that they have already frozen a user account because the user didn't follow their security standards. (ie they took the law into their hands, and executed it accordingly leaving the user with a locked/frozen account -just because they could-, instead of informing a moderator about the situation and letting them handle it in the most appropriate way).

Then, things started getting a bit more interesting. This user demanded me not only to change my security settings but to also report back to them (secretly via PMs) stating how I improved my account security (ie providing them details about my security settings and the way I "improved" them - ie changed them). Not only that, but they also threatened me that if I do not comply and they do not get a reply back from me, they will report me to the board administration "for our all safety".

Hence, in my point of view, someone was sending PM's acting as forum police, making demands and threats, without even having the authority of doing so, having as an excuse a very critical forum security issue (security question in place).

As I indicated in my initial post on this thread, I thought it was clumsy and naïve.  I think it’s likely that newalias did not foresee the nature of many people’s reactions.  I have seen it before in security contexts:  Someone tries to be helpful, in a way that inadvertently incites suspicions—even panic.

Pending investigation, a precautionary negative feedback may arguably have been warranted.  Well, I do not agree with it; but I also don’t think it necessarily shows poor judgment.  willi9974’s tag said he received a suspicious PM.  In my opinion, it was hasty; but it was not so unreasonable, in the circumstance.

You and uelque both gave bad security advice in your feedback—as if the “secret question” misfeature were beneficial to security.  You both also jumped to conclusions about a malicious hack.  In my opinion, that shows poor judgment.  I do not want such tags above the fold in my view of trust pages.

greenplastic’s tag was beyond the pale:  A string of all-caps profanities, with no explanation.  That shows extremely poor judgment.

I also disagree with your interpretation of the PM’s wording—with how you read it.

But thank you for explaining; I am glad better to understand your thought process.  I hope you better understand my own thought process from this post.

For my part:  I just saw this thread and thought, “Oh, no.  This fellow is about to be mobbed.”  I do not know newalias, and could not vouch for his intentions; caution was indicated.  But I strongly disagreed with how it seemed that everyone else thus far was jumping to conclusions.  It looked to me more likely than not that he was attempting to improve forum security—maybe going about it in a misguided way, liable to be misunderstood.  I have always detested that stupid “secret question”—thus the strength of my reaction here.


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. #getagrip
Post by: buwaytress on July 08, 2022, 04:19:18 AM
Oh hey, so I am spending now more time in Meta the past 2 weeks than in my entire bitcointalk lifetime, seem to be crawling down rabbit holes from user posts and ending up here.

So just also realised now I had a completely different reaction to most posts in here -- I replied to newalias actually and explained why I felt my confidence in my answer (a language method I also use for some seed phrases). He actually agreed, though said I shouldn't have given clues to my method. I still think explaining it doesn't help anyone with any software, my answer is as good as a long random string (I believe).

Despite that, I deleted my security question.

Had no idea the whole event already generated a thread here until I looked up his profile now.

Thought to mention here, some small realisation afforded to me because English was my third language (though now practically my first) -- I almost can understand the true "intent" of people in different types of English heh. Reading his PM, I felt no shade of bad behaviour at all, somehow I even understood the meaning behind his "frozen" claim (which he seems to have proven now).

I don't think he was naive though, I do think he comes off as having a slight dick attitude. Personally never found anything wrong with that, and now I see he's German, I totally get it, and I'm not trying to be offensive, many Southeast Asians will find the German's English deliberately dickish heh.

newalias, you've done the forum a favour, hopefully. But you know, you can't always equate a lack of good security behaviour with being dumb. Intelligence, self-awareness and wisdom aren't always on the same page and sometimes live in the same room as recklessness.

As nullius also pointed out, you didn't remove the red trust so you're not infallible yourself.

Now there. I hope not to post in Meta again so soon. I don't know how to act in here.


Title: Re: weird pm received
Post by: BitcoinGirl.Club on July 08, 2022, 10:31:04 AM
I had a chance to read the whole PM with a cool mind, paid full attention and without being biased. When a PM comes from a lower rank member we usually think something is not right. It's the forum experience that led us to have this suspicious mind.

Read the PM posted again but without considering the following lines
Quote
Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.
Quote
Captcha is useless as I use some trick I will only discuss with theymos.
This is what happened to me when I read "get back to me". The moment I read it, I had in mind that this is it, this user was trying to get information from OP and other users.

Read the full PM again. It seems the user's native language is not English. Some choices of words clearly tell that he used a translator to pick the words. Yes I agree with buwaytress some words sound offensive. But I feel that this was not an intent to get something bad from it.

The user asked you to get back to him, could be to suggest that you remove the secret question. If you do not then he will inform theymos so theymos can consider removing the security question feature entirely for the safety of DT members. It seems he thinks DT members are the ones who need to stay safe so all his effort was to be sure DT accounts are safe.

They only sent the PM to those who had security questions turned on. Somewhere theymos also said that it is not recommended to use security questions because it locks your account and some other hassles when you try to recover the account.


Title: Re: weird pm received
Post by: NotATether on July 08, 2022, 11:24:59 AM
Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.
Members registered after that time, when it was leaked, are safe? Is that correct?
Yes (provided that there were no additional forum hacks after 2015).


Title: Re: weird pm received
Post by: newalias on July 08, 2022, 01:31:21 PM
Quote
Captcha is useless as I use some trick I will only discuss with theymos.

I don't see a problem with this statement. This means there is some trick* AND I would discuss it with the most trusted person being in charge. This implies that I will not speak with anyone else or sell the trick to bad guys.

*This trick allowed me to scan the whole DT for secret questions set. It also allows brute-forcing passwords and security answers by the way. This was the intention - to make clear that security answers can be brute-forced, so they are even weaker.



Quote
Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I have to admit that this was not okay. Sorry.

Better I had written something like "I will check again if you have a security question in place after 5 days. If you want to keep the security question, please be advised of the disadvantages (link) and shortly confirm to me that your security answer's entropy is sufficient (ie at least as high as your password's entropy). If nothing happens, I will notify the board administration to ensure DefaultTrust integrity". Next time I would do so. It was never my intention to threaten someone.
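
A worked version of the entropy comparison this post asks for ("security answer's entropy at least as high as your password's entropy"), and of the earlier point in the thread that a self-chosen answer is rarely random: the Python below is an added example, not newalias's tool, the forum's code, or anything posted in the thread. It estimates how many bits a proposed secret answer carries, flags answers that fall into the enumerable classes the PM lists (age, birth year, lower-case initials), and rejects anything below a threshold. The threshold, the pattern list, the alphabet sizes and every function name are assumptions made for the example; the per-character estimate is an optimistic upper bound, so a real name or city is worth even less than the number shown.

```python
import math
import re
from typing import Optional, Tuple

# Assumed policy threshold for this example (not a forum setting): a secret
# answer must carry at least as much estimated entropy as a strong password.
MIN_ANSWER_BITS = 60.0

# Answer classes named in the PM, each with a regex and the size of its space.
# Constructed for this example; the counts are the ranges the PM quotes.
LOW_ENTROPY_CLASSES = {
    "age (0-99)": (re.compile(r"^\d{1,2}$"), 100),
    "birth year (1940-2022)": (re.compile(r"^(19[4-9]\d|20[01]\d|202[0-2])$"), 83),
    "lower-case initials (aa-zz)": (re.compile(r"^[a-z]{2}$"), 26 * 26),
}


def classify_answer(answer: str) -> Optional[str]:
    """Return the name of the enumerable class the answer falls into, if any."""
    answer = answer.strip()
    for name, (pattern, _) in LOW_ENTROPY_CLASSES.items():
        if pattern.match(answer):
            return name
    return None


def charset_size(answer: str) -> int:
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if re.search(r"[a-z]", answer):
        size += 26
    if re.search(r"[A-Z]", answer):
        size += 26
    if re.search(r"\d", answer):
        size += 10
    if re.search(r"[^A-Za-z0-9]", answer):
        size += 33  # printable ASCII punctuation
    return size


def estimate_answer_bits(answer: str) -> float:
    """Optimistic entropy estimate in bits.

    An answer in an enumerable class is worth log2(size of that class).
    Otherwise each character is assumed drawn uniformly from the observed
    alphabet; real answers (names, cities) are far worse than this bound.
    """
    answer = answer.strip()
    if not answer:
        return 0.0
    cls = classify_answer(answer)
    if cls is not None:
        return math.log2(LOW_ENTROPY_CLASSES[cls][1])
    return len(answer) * math.log2(charset_size(answer))


def check_secret_answer(answer: str, min_bits: float = MIN_ANSWER_BITS) -> Tuple[bool, str]:
    """Accept the answer only if it is not enumerable and meets the bit threshold."""
    bits = estimate_answer_bits(answer)
    cls = classify_answer(answer)
    if cls is not None:
        return False, f"looks like {cls}: about {bits:.1f} bits, guessable by enumeration"
    if bits < min_bits:
        return False, f"estimated {bits:.1f} bits is below the required {min_bits:.0f}"
    return True, f"estimated {bits:.1f} bits"


if __name__ == "__main__":
    # Constructed sample answers: the "1+1" answer from the PM, a year,
    # initials, a city name, and a random 16-character string.
    for candidate in ["2", "1985", "jd", "Berlin", "Xk9sQ2mT7vLp4wRz"]:
        print(repr(candidate), check_secret_answer(candidate))
```

The point the numbers make is the one the thread circles around: "2" is worth under 7 bits, a birth year under 7, two initials under 10, and even a six-letter city name is estimated at about 34 bits under the most generous assumption, all far below what a random 16-character answer (about 95 bits) or a decent password provides. A site that keeps the feature at all could run a check like this at the moment the answer is set; a site that, like this forum's own settings page, tells users the feature is not recommended has the simpler option of leaving it off.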


Title: Re: weird pm received
Post by: CryptopreneurBrainboss on July 08, 2022, 01:53:47 PM
I received the PM the same day this thread was created as well; it was looking weird but it served its purpose. I haven't visited my Account Related Settings page for a very long time so I didn't know I had added that option when I created my account, and the secret question wasn't that secret as I have disclosed it several times while participating in discussion on the forum.  I don't blame myself as I wasn't as knowledgeable as I'm now back then when I created my account.

I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was weird. Why hasn't theymos disabled that secret question option? Basically anybody close could easily guess this so called secret question, especially mine (which has been removed though)..


Title: Re: weird pm received
Post by: BitcoinGirl.Club on July 08, 2022, 01:58:22 PM
newalias, the forum rules prevent you from posting two responses in a row.
Quote
I don't see a problem with this statement. This means there is some trick* AND I would discuss it with the most trusted person being in charge. This implies that I will not speak with anyone else or sell the trick to bad guys.
No, this was not the threat. It was okay for users.

Quote
Please get back to me stating how you improved account security
I would say it was for THIS that users felt threatened. You said to get back to you and you said it in a PM, which was concerning for them. Assuming you had good intentions, but in the forum we are conditioned to feel threatened when something comes from a new account. We have gone through some hacks, and phishing attacks are regular things.

I hope others see the same that I realized after paying better attention to your PM.


Title: Re: weird pm received
Post by: LoyceMobile on July 08, 2022, 03:31:04 PM
Simplest thing I have seen in DefaultTrust was "1+1" with answer
I couldn't resist :D I set this as a secret question (with a very long random string as answer), but after that, the answer showed an empty field and the why is this blank? (https://bitcointalk.org/index.php?action=helpadmin;help=secret_why_blank) link showed "disabled". So I got nervous and wiped it again.


Title: Re: weird pm received
Post by: skarais on July 08, 2022, 04:11:52 PM
newalias, the forum rules prevent you from posting two responses in a row.
He can do it, but it must be more than 24 hours from his first post. But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.

Why hasn't theymos disabled that secret question option? Basically anybody close could easily guess this so called secret question, especially mine (which has been removed though)..
There is confusion here as to why this feature is not closed. There's a message stating that the feature is not recommended as it could be a second password to access the account if someone guesses the answer correctly, but it's not closed yet. I checked mine, luckily I never used this security feature.

Quote
Secret Question:
To help retrieve your password, enter a question here with an answer that only you know. Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.


Title: Re: weird pm received
Post by: BitcoinGirl.Club on July 08, 2022, 05:49:34 PM
I couldn't resist :D I set this as a secret question (with a very long random string as answer), but after that, the answer showed an empty field and the why is this blank? (https://bitcointalk.org/index.php?action=helpadmin;help=secret_why_blank) link showed "disabled". So I got nervous and wiped it again.
It's safe not to set it up. If it locks the account and does not help to recover the account then the feature is not helping at all. It's without any purpose and better to disable it.

He can do it, but it must be more than 24 hours from his first post. But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.
I know he can but this is not a service thread in the marketplace so I did not think it was worth mentioning. The discussion is not old either. Many users are still making their posts. It was assumable that in a few hours we will have more comments.


Title: Re: weird pm received
Post by: _BlackStar on July 08, 2022, 08:28:16 PM
I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was weird. Why hasn't theymos disabled that secret question option? Basically anybody close could easily guess this so called secret question, especially mine (which has been removed though)..
I have considered not using that security question, it's very risky for me. I prefer to use a strong password and might consider changing it periodically after someone tries to hack into my account by forget password. (https://bitcointalk.org/index.php?topic=5405457.msg60529234#msg60529234) I feel silly knowing that someone did it, but actually it surprised me.

So for now, I have to sign the message just in case because I'm really starting to worry if hackers try something more extreme. Please quote and verify me.

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
I _BlackStar, signed this message after someone tried to hack my account a few days ago. This will serve to verify me in the future if this account changes hands.
-----BEGIN SIGNATURE-----
bc1qlctkn6lrzx2sffkfzt6yv6klles72dfdvd3jas
H0K9q5/RICREjfd2h3mvyjZGXqgt1JUH5amrlsZ4Z2DzXYSpdaHCgryUffXw2UGPOOk5GT3ndp0Dw0UkI8KwcYo=
-----END BITCOIN SIGNED MESSAGE-----



But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.
Done.


Title: Re: weird pm received
Post by: DireWolfM14 on July 08, 2022, 08:51:38 PM
No PM for me, I feel left out :( Maybe that's because trying to restore my account through security questions shows:
Code:
Sorry, there is no secret question set for this member.

He might only be targeting DT1 members with the PM, but I didn't get one either.  Maybe my account isn't worth the time.  :'(  

I'm wondering if this is the same shithead that's been trying to change The Pharmacist's password through email reset.  It seems rather obvious that it's a phishing type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting.  Maybe he's trying to engage people into a discussion, and convince them he's a staff member or an admin, then trick them into leaking more account details?


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: nullius on July 08, 2022, 10:34:28 PM
https://imgs.xkcd.com/comics/security_question.png
xkcd 565, “Security Question”. (https://xkcd.com/565/)

Seriously, I do think that some companies are probably exploiting this fantastically stupid insecurity misfeature to suck more personal details out of people.  There is no way that such ill-conceived security theatre could be so popular, unless someone benefits.  It is widespread on sites owned by companies that make money off of personal data.  These companies have professional security teams, who should know better.  People answer these questions with all sorts of obscure details about themselves.  Cui bono?


It seems rather obvious that it's a phishing type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting.  Maybe he's trying to engage people into a discussion, and convince them he's a staff member or an admin, then trick them into leaking more account details?

It seems not obvious at all.  Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

The PM he sent doesn’t make sense for gaining access to the accounts.  It provided good advice.  The way he benignly flushed out two DT accounts with extremely poor “secret question” answers was a work of art.  I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.  And no need to rehash the first three pages of discussion on this thread.

I want to see security questions disabled, an option to disable email recovery per account, and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.

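The PM quoted at the start of the thread lists the answer spaces it was brute-forcing (an age 0-99, a birth year 1940-2022, two lower-case initials aa-zz). The following is an added example, not code from anyone in this thread and not bitcointalk's own implementation. It puts numbers on the "lower entropy than a secure password" point: it sizes each answer space after the lenient comparison most sites apply (case-insensitive, whitespace-trimmed), estimates how many online guesses a recovery form would have to accept before the average answer falls, and compares that with a 16-character random password. The 100-guesses-per-day rate limit and the candidate lists are assumptions for illustration only.

```python
"""Audit of 'secret question' answer spaces versus a random password.

Added example (not from the thread). Assumes a site compares answers
leniently (case-insensitive, whitespace-trimmed) and permits a fixed number
of online guesses per day; both are assumptions, not bitcointalk's settings.
"""
import math
import string
from typing import Iterable

# Constructed candidate sets for the question types named in the PM:
# an age, a birth year, and two lower-case initials.
CANDIDATE_SPACES = {
    "age (0-99)": [str(n) for n in range(0, 100)],
    "birth year (1940-2022)": [str(y) for y in range(1940, 2023)],
    "initials (aa-zz)": [a + b for a in string.ascii_lowercase
                         for b in string.ascii_lowercase],
}


def normalize(answer: str) -> str:
    """Lenient comparison many sites apply: lower-case, collapse whitespace."""
    return " ".join(answer.lower().split())


def distinct_answers(candidates: Iterable[str]) -> set:
    """Answers still distinguishable after normalization.

    Lenient matching only ever shrinks the space: 'Paris', 'paris' and
    ' PARIS ' collapse into a single guess.
    """
    return {normalize(c) for c in candidates}


def answer_entropy_bits(candidates: Iterable[str]) -> float:
    """Upper bound on entropy: assumes the owner chose uniformly at random.

    Real answers are skewed (popular cities, common first names), so an
    attacker who orders guesses by frequency does better than this figure.
    """
    return math.log2(len(distinct_answers(candidates)))


def expected_online_guesses(candidates: Iterable[str]) -> float:
    """Average guesses to hit a uniformly chosen answer: half the space."""
    return len(distinct_answers(candidates)) / 2


def days_to_guess(candidates: Iterable[str], guesses_per_day: int) -> float:
    """Wall-clock cost under the assumed online rate limit."""
    return expected_online_guesses(candidates) / guesses_per_day


def random_password_bits(length: int,
                         alphabet: str = string.ascii_letters + string.digits) -> float:
    """Entropy of a password drawn uniformly from `alphabet`."""
    return length * math.log2(len(alphabet))


def days_from_bits(bits: float, guesses_per_day: int) -> float:
    """Same cost model applied to an entropy figure instead of a candidate list."""
    return (2 ** bits) / 2 / guesses_per_day


def audit(guesses_per_day: int = 100) -> dict:
    """Compare each question type with a 16-character random password."""
    report = {}
    for name, candidates in CANDIDATE_SPACES.items():
        report[name] = {
            "bits": answer_entropy_bits(candidates),
            "days_to_guess": days_to_guess(candidates, guesses_per_day),
        }
    pw_bits = random_password_bits(16)
    report["random password (16 chars)"] = {
        "bits": pw_bits,
        "days_to_guess": days_from_bits(pw_bits, guesses_per_day),
    }
    return report


if __name__ == "__main__":
    for name, row in audit().items():
        print(f"{name:28s} {row['bits']:6.1f} bits  "
              f"~{row['days_to_guess']:.3g} days at 100 guesses/day")
```

Every question type in the table falls in well under a week at 100 guesses a day, while the password at the same rate is out of reach; and because the entropy figures are uniform-choice upper bounds, a real attacker who knows the account owner does better still, which is the point the PM was making.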

Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: DireWolfM14 on July 08, 2022, 10:56:27 PM
Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

Maybe he should have written a thread about it rather than going around trying to break people's security, then threatening them via PM.  Maybe?

What would he have done if he was able to break into one of the accounts he harassed?


Title: Re: PSA: Do NOT use the insecurity misfeature of a “secret question”. And #getagrip.
Post by: nullius on July 09, 2022, 12:34:45 AM
What would he have done if he was able to break into one of the accounts he harassed?

Rather than dreaming up hypothetical scenarios about what he didn’t do (but maybe could have?), I am more worried about what a malicious blackhat will do without sending any PMs to anybody.  Not “if”, but “when”.

Also, “harassed” is an interesting word for “gave sound advice, which in some cases was sorely needed (https://bitcointalk.org/index.php?topic=5405459.msg60529330#msg60529330).”

Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

Maybe he should have written a thread about it rather than going around trying to break people's security, then threatening them via PM.  Maybe?

...

I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.  And no need to rehash the first three pages of discussion on this thread.
How else could this point have been made?
By creating a thread in Meta.

IIRC, I have made various suggestions in Meta for improving account security.  IIRC, so has OgNasty.  So have others...

The response is always either silence, or “new forum software” vapourware which has only been in development for, what, about seven or eight years?
However, methods like this are unacceptable

At least he understands the problem now.

I can't say I grasp the series of events and the timeline, but warning someone about a potential issue with their password, then demonstrating that it was an issue after being ignored without compromising anything seems like the right way to do it?  How else could this point have been made?


Title: Re: weird pm received
Post by: philipma1957 on July 09, 2022, 03:45:35 AM
I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was weird. Why hasn't theymos disabled that secret question option? Basically anybody close could easily guess this so-called secret question, especially mine (which has been removed though).
I have considered not using that security question, it's very risky for me. I prefer to use a strong password and might consider changing it periodically after someone tries to hack into my account via forgot password. (https://bitcointalk.org/index.php?topic=5405457.msg60529234#msg60529234) I feel silly knowing that someone did it, but actually it surprised me.

So for now, I have to sign the message just in case because I'm really starting to worry if hackers try something more extreme. Please quote and verify me.

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
I _BlackStar, signed this message after someone tried to hack my account a few days ago. This will serve to verify me in the future if this account changes hands.
-----BEGIN SIGNATURE-----
bc1qlctkn6lrzx2sffkfzt6yv6klles72dfdvd3jas
H0K9q5/RICREjfd2h3mvyjZGXqgt1JUH5amrlsZ4Z2DzXYSpdaHCgryUffXw2UGPOOk5GT3ndp0Dw0UkI8KwcYo=
-----END BITCOIN SIGNED MESSAGE-----



But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.
Done.

here is a quote.

I also am locking the thread.