Bitcoin Forum
Author Topic: Bitcointalk Forum's Security  (Read 1630 times)
francisdean
Hero Member
September 19, 2016, 05:54:02 PM
#1

A lot of users have been hacked these past few days, weeks or months. I'm not sure. I'm one of those who have been recently hacked.
And thanks to Cyrus and Theymos I managed to get my account back. The thing is I don't want this kind of thing to keep on happening!
I don't want this to happen to other users and I think my idea would be a great leap for our forum's security.

So here's how it's going to work. Most of us that were hacked weren't able to regain access to our accounts because our email was changed.
What if every time a user wants to change his email he needs to authenticate that request using the current email address registered to his account?
And after authenticating the request there will be a 24 hour process. The user can still cancel it within 24 hours if he changes his mind.

I also think that it would be great if we added a service like Cloudflare to completely secure our forum. Of course all of us should be a part of this.
We should all contribute to this. We should set up a donation address for this plan.

Getting hacked feels really bad. And I don't want that to happen to any of you.

So what do you guys think?

I really want this post to be noticed by our mods, staff and admins! So if you agree with me, reply to this post saying that you want to make this forum secure as well.
Or if you have other ideas, put them here as well.


Let this post serve as a petition to make our forum more secure and greater than before!

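The flow proposed in this post (confirmation sent to the address already on file, then a 24-hour pending window the old address can cancel), written out as an added Python example; it is not forum code, and the `send_mail` hook, the `Account` record and the sample addresses are assumptions for the demo:

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

PENDING_WINDOW = 24 * 60 * 60  # the proposed 24-hour window, in seconds


@dataclass
class Account:
    email: str                       # address currently on file (authoritative)
    pending: Optional[dict] = None   # in-flight change request, if any


class EmailChangeService:
    """Email change that must be confirmed from the CURRENT address, then sits
    in a pending state for PENDING_WINDOW seconds during which the old address
    can cancel it.  A stolen forum session alone therefore cannot flip the
    email; the attacker also needs the victim's mailbox, which is exactly the
    case where (as later replies in the thread note) the delay buys nothing."""

    def __init__(self, send_mail: Callable[[str, str, str], None]):
        # Assumed mailer hook: send_mail(to_address, subject, body).
        self.send_mail = send_mail

    def request_change(self, acct: Account, new_email: str) -> str:
        """Step 1: record the request and mail a confirmation token to the
        address already on file, never to the new one.  The token is returned
        only so the demo/test can simulate the owner reading the mail."""
        token = secrets.token_urlsafe(32)
        acct.pending = {"new_email": new_email, "confirm_token": token,
                        "confirmed_at": None, "cancel_token": None}
        self.send_mail(acct.email, "Confirm email change", f"confirm={token}")
        return token

    def confirm(self, acct: Account, token: str, now: int) -> Optional[str]:
        """Step 2: the owner uses the confirmation token.  Starts the 24-hour
        clock and mails a cancel token to the old address.  Returns the cancel
        token (for the demo/test) or None on failure."""
        p = acct.pending
        if p is None or p["confirmed_at"] is not None:
            return None
        if not hmac.compare_digest(p["confirm_token"], token):
            return None                      # wrong or stale token
        p["confirmed_at"] = now
        p["cancel_token"] = secrets.token_urlsafe(32)
        self.send_mail(acct.email, "Email change scheduled",
                       f"Your address changes to {p['new_email']} in 24h. "
                       f"cancel={p['cancel_token']}")
        return p["cancel_token"]

    def cancel(self, acct: Account, cancel_token: str) -> bool:
        """Optional step 3: the old address aborts the change inside the window."""
        p = acct.pending
        if p is None or p["cancel_token"] is None:
            return False
        if not hmac.compare_digest(p["cancel_token"], cancel_token):
            return False
        acct.pending = None
        return True

    def apply_due_changes(self, acct: Account, now: int) -> bool:
        """Step 4: run periodically; finalise a confirmed change only once the
        full window has elapsed.  Until then the old address stays valid."""
        p = acct.pending
        if p is None or p["confirmed_at"] is None:
            return False
        if now - p["confirmed_at"] < PENDING_WINDOW:
            return False
        acct.email = p["new_email"]
        acct.pending = None
        return True


if __name__ == "__main__":
    sent = []  # constructed stand-in for a mail transport
    svc = EmailChangeService(lambda to, subj, body: sent.append((to, subj, body)))
    acct = Account(email="owner@example.test")          # constructed sample
    tok = svc.request_change(acct, "new@example.test")
    svc.confirm(acct, tok, now=0)
    print(acct.email, svc.apply_due_changes(acct, now=PENDING_WINDOW), acct.email)
```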
achow101
Staff, Legendary
September 19, 2016, 06:21:29 PM
#2

A lot of users have been hacked these past few days, weeks or months. I'm not sure. I'm one of those who have been recently hacked.
And thanks to Cyrus and Theymos I managed to get my account back. The thing is I don't want this kind of thing to keep on happening!
I don't want this to happen to other users and I think my idea would be a great leap for our forum's security.

So here's how it's going to work. Most of us that were hacked weren't able to regain access to our accounts because our email was changed.
What if every time a user wants to change his email he needs to authenticate that request using the current email address registered to his account?
And after authenticating the request there will be a 24 hour process. The user can still cancel it within 24 hours if he changes his mind.
24 hour process for what? You have to wait 24 hours to change the email? That's just plain stupid. What if the hacker got into your email as well?

The only good idea here is to validate that the email or password was changed. Unfortunately that isn't going to happen since a lot of users here just registered with a fake email address.

I also think that it would be great if we added a service like Cloudflare to completely secure our forum. Of course all of us should be a part of this.
We should all contribute to this. We should set up a donation address for this plan.
No. This has been discussed before. Cloudflare does not provide any additional security whatsoever; in fact, they actually reduce your security. Cloudflare acts as a man in the middle: they can see all of your communication in plaintext, not encrypted as it should be. This opens up a whole other attack vector and a bunch more problems.

Let this post serve as a petition to make our forum more secure and greater than before!
The forum is already very secure; it's part of the reason that the SMF version hasn't been updated, many, many changes have been made to significantly increase the security. The problem is when people fall for phishing scams, use weak passwords, or set a security question. There is only so much the forum can do to protect you from yourself.

francisdean
Hero Member
September 19, 2016, 06:29:01 PM
#3

A lot of users have been hacked these past few days, weeks or months. I'm not sure. I'm one of those who have been recently hacked.
And thanks to Cyrus and Theymos I managed to get my account back. The thing is I don't want this kind of thing to keep on happening!
I don't want this to happen to other users and I think my idea would be a great leap for our forum's security.

So here's how it's going to work. Most of us that were hacked weren't able to regain access to our accounts because our email was changed.
What if every time a user wants to change his email he needs to authenticate that request using the current email address registered to his account?
And after authenticating the request there will be a 24 hour process. The user can still cancel it within 24 hours if he changes his mind.
24 hour process for what? You have to wait 24 hours to change the email? That's just plain stupid. What if the hacker got into your email as well?

The only good idea here is to validate that the email or password was changed. Unfortunately that isn't going to happen since a lot of users here just registered with a fake email address.

I also think that it would be great if we added a service like Cloudflare to completely secure our forum. Of course all of us should be a part of this.
We should all contribute to this. We should set up a donation address for this plan.
No. This has been discussed before. Cloudflare does not provide any additional security whatsoever; in fact, they actually reduce your security. Cloudflare acts as a man in the middle: they can see all of your communication in plaintext, not encrypted as it should be. This opens up a whole other attack vector and a bunch more problems.

Let this post serve as a petition to make our forum more secure and greater than before!
The forum is already very secure; it's part of the reason that the SMF version hasn't been updated, many, many changes have been made to significantly increase the security. The problem is when people fall for phishing scams, use weak passwords, or set a security question. There is only so much the forum can do to protect you from yourself.

24 hour process until the user's account is updated with the newly registered email address. I think people aren't dumb enough to use one password for all their accounts.

achow101
Staff, Legendary
September 19, 2016, 06:39:13 PM
#4

24 hour process until the user's account is updated with the newly registered email address.
That is not a good idea. What website takes 24 hours to update an email address? There are very few cases where this would be useful at all. It provides no security to do that, and may be even more insecure. The security is in requiring users to confirm that they are changing their emails, not having to wait for the change to happen.

I think people aren't dumb enough to use one password for all their accounts.
You'd be surprised, but you really shouldn't be. A lot of people use the same password or some variation of the same password. Once you know one of them, you can get the rest. Common word mangling makes that very easy. Just Google it; there are tons of studies of how people reuse passwords, use simple passwords, and are very vulnerable to dictionary attacks.

francisdean
Hero Member
September 19, 2016, 06:56:49 PM
#5

24 hour process until the user's account is updated with the newly registered email address.
That is not a good idea. What website takes 24 hours to update an email address? There are very few cases where this would be useful at all. It provides no security to do that, and may be even more insecure. The security is in requiring users to confirm that they are changing their emails, not having to wait for the change to happen.

I think people aren't dumb enough to use one password for all their accounts.
You'd be surprised, but you really shouldn't be. A lot of people use the same password or some variation of the same password. Once you know one of them, you can get the rest. Common word mangling makes that very easy. Just Google it; there are tons of studies of how people reuse passwords, use simple passwords, and are very vulnerable to dictionary attacks.

You don't get it. If the hacker was able to change the email address instantly, like what happened to us here, then we "instantly" don't have and can't access our accounts anymore.

If he can't change our email address instantly, then the account won't do him any good.

In some cases like what you're stating before, what if both account and email were hacked? Then that's where the 24 hour process comes in.

Let's say you can't access your account so you use your email to retrieve it (you can still retrieve your account using your old email because it takes 24 hours to update your profile), but what if the email was hacked as well? Then you have 24 hours to retrieve your email before everything goes to shit.

It's very easy to retrieve email accounts as long as it's really yours.

ToucheCoin
Full Member
September 19, 2016, 07:11:11 PM
#6

I got no confirmation email from Bitcointalk when I joined the forum. It is very easy to change the email without confirming the email ownership. We can set a security question to secure our accounts from hackers. Every time you want to change your password/email you must answer the security question to prove the account is still under your control.
achow101
Staff, Legendary
September 19, 2016, 07:12:26 PM
#7

You don't get it. If the hacker was able to change the email address instantly, like what happened to us here, then we "instantly" don't have and can't access our accounts anymore.

If he can't change our email address instantly, then the account won't do him any good.

In some cases like what you're stating before, what if both account and email were hacked? Then that's where the 24 hour process comes in.

Let's say you can't access your account so you use your email to retrieve it (you can still retrieve your account using your old email because it takes 24 hours to update your profile), but what if the email was hacked as well? Then you have 24 hours to retrieve your email before everything goes to shit.

It's very easy to retrieve email accounts as long as it's really yours.
If both your email and your Bitcointalk account are hacked, then the 24 hours doesn't help you at all. You won't be able to access your email either, so you can't fix anything.

francisdean
Hero Member
September 19, 2016, 07:13:39 PM
#8

I got no confirmation email from Bitcointalk when I joined the forum. It is very easy to change the email without confirming the email ownership. We can set a security question to secure our accounts from hackers. Every time you want to change your password/email you must answer the security question to prove the account is still under your control.

This is a great idea!

francisdean
Hero Member
September 19, 2016, 07:15:32 PM
#9

You don't get it. If the hacker was able to change the email address instantly, like what happened to us here, then we "instantly" don't have and can't access our accounts anymore.

If he can't change our email address instantly, then the account won't do him any good.

In some cases like what you're stating before, what if both account and email were hacked? Then that's where the 24 hour process comes in.

Let's say you can't access your account so you use your email to retrieve it (you can still retrieve your account using your old email because it takes 24 hours to update your profile), but what if the email was hacked as well? Then you have 24 hours to retrieve your email before everything goes to shit.

It's very easy to retrieve email accounts as long as it's really yours.
If both your email and your Bitcointalk account are hacked, then the 24 hours doesn't help you at all. You won't be able to access your email either, so you can't fix anything.

You can always recover your email within 24 hours. Most people use Google, Hotmail or Yahoo, and most of these services have great recovery options and live support (except for Google; they suck at this).

satmas
Sr. Member
September 19, 2016, 09:36:00 PM
#10

I got no confirmation email from Bitcointalk when I joined the forum. It is very easy to change the email without confirming the email ownership. We can set a security question to secure our accounts from hackers. Every time you want to change your password/email you must answer the security question to prove the account is still under your control.
The database was hacked a while ago, which is why Theymos disabled the security question (I think). Although, Theymos should get confirmation from us by email if we change the email address.
Cloverdale
Sr. Member
September 20, 2016, 12:50:43 AM
#11

The authentication requirement sounds good, but I think that the 24 hour process is a bit too much. Also, the only way you can be secure is for you to secure your account. There is a new forum being made and I think things are more secure on that one. I don't think Cloudflare will be implemented in this forum, as theymos has his reasons for not putting one in the first place.
Xanidas
Hero Member
September 20, 2016, 01:31:55 AM
#12

I suggest we should increase password requirements to a minimum of 12 characters, with alphanumeric characters and symbols; that way hackers would have a hard time decrypting the passwords in case of a database leak.

They are already working on the new forum, so probably it will not be made in our current forum. Try to post it here; that way the forum dev team can make it if the admin wants:

https://bitcointalk.org/index.php?board=167.0
Avirunes
Legendary
September 20, 2016, 06:43:12 AM
#13

I suggested this earlier and I am suggesting it again now.

How about adding an email verification system for users who are logging in after a long time? If they lost their email, then maybe a signed message from a BTC address staked in.

And also disallowing disposable email addresses for new account signups, as they are easy to access and might get into bad hands.
ranochigo
Legendary
September 20, 2016, 09:40:59 AM
#14

I suggest we should increase password requirements to a minimum of 12 characters, with alphanumeric characters and symbols; that way hackers would have a hard time decrypting the passwords in case of a database leak.
The passwords in the database are encrypted with SHA256 with 7500 rounds, so that isn't a problem. The amount of resources required is insane, since there are no vulnerabilities found in SHA256 that can reduce its security as of now. The only way for them to do so is brute-forcing it. However, a real concern is if the attacker manages to do MITM using the SSL certificate again. This would result in the attacker having plaintext access to the passwords.


The 24 hours wait is likely to make little to no difference to the impact. Most of the time, the hackers use these accounts for loans and currency exchange scams. They can't sell it since they have no signed message and they have little use for it. They don't need to change the email or password to conduct such trades. Furthermore, as time passes, the chances of the original owner finding out about the hack increase.
Sharma
Legendary
September 20, 2016, 10:30:50 AM
#15

I suggest our mobile numbers are allowed to be linked to our profile, and any change in password or other information must require a code sent to the linked mobile number. This will not only prevent hacking but also curb the menace of account farming, as a person cannot afford so many mobile numbers for obvious reasons.
This will also take a lot of workload off the admins, as members will themselves be able to get their hacked/stolen accounts back.
ranochigo
Legendary
September 20, 2016, 11:05:28 AM
#16

I suggest our mobile numbers are allowed to be linked to our profile, and any change in password or other information must require a code sent to the linked mobile number. This will not only prevent hacking but also curb the menace of account farming, as a person cannot afford so many mobile numbers for obvious reasons.
This will also take a lot of workload off the admins, as members will themselves be able to get their hacked/stolen accounts back.
It would in turn compromise the privacy of the user. Not many users would like to store their numbers with Bitcointalk. Bitcointalk might have to find a third party to send the SMSes. It is fairly easy and cheap to get a phone number.

It is also possible for hackers to redirect the SMSes and phone calls to their own SIM card through social engineering. The most direct way is to allow users to use 2FA for actions that concern account security. It is implemented in the new forum IIRC, so the hacking cases would be reduced.
francisdean
Hero Member
September 20, 2016, 12:05:21 PM
#17

I suggested this earlier and I am suggesting it again now.

How about adding an email verification system for users who are logging in after a long time? If they lost their email, then maybe a signed message from a BTC address staked in.

And also disallowing disposable email addresses for new account signups, as they are easy to access and might get into bad hands.

I agree. We should start disallowing disposable email addresses during signup.

unindentified
Newbie
September 25, 2016, 06:00:07 PM
#18

Not possible with the current forum owner and staff. Stop asking for more security if it is obvious theymos does not want more security; be clever enough to understand the reason/s.

There are simple and complex solutions for your request; in your words, it is very easy. But theymos has denied any suggestion or help. Make your own conclusions; if you understood me, you would lock your own thread.

A lot of users have been hacked these past few days, weeks or months. I'm not sure. I'm one of those who have been recently hacked.
And thanks to Cyrus and Theymos I managed to get my account back. The thing is I don't want this kind of thing to keep on happening!
I don't want this to happen to other users and I think my idea would be a great leap for our forum's security.

So here's how it's going to work. Most of us that were hacked weren't able to regain access to our accounts because our email was changed.
What if every time a user wants to change his email he needs to authenticate that request using the current email address registered to his account?
And after authenticating the request there will be a 24 hour process. The user can still cancel it within 24 hours if he changes his mind.

I also think that it would be great if we added a service like Cloudflare to completely secure our forum. Of course all of us should be a part of this.
We should all contribute to this. We should set up a donation address for this plan.

Getting hacked feels really bad. And I don't want that to happen to any of you.

So what do you guys think?

I really want this post to be noticed by our mods, staff and admins! So if you agree with me, reply to this post saying that you want to make this forum secure as well.
Or if you have other ideas, put them here as well.


Let this post serve as a petition to make our forum more secure and greater than before!

The Pharmacist
Hero Member
September 25, 2016, 06:26:54 PM
#19

I suggested this earlier and I am suggesting it again now.

How about adding an email verification system for users who are logging in after a long time? If they lost their email, then maybe a signed message from a BTC address staked in.

And also disallowing disposable email addresses for new account signups, as they are easy to access and might get into bad hands.

I agree. We should start disallowing disposable email addresses during signup.
Then these email hosts need to start disallowing disposable people.
actmyname
Legendary
September 25, 2016, 07:37:01 PM
#20

I agree. We should start disallowing disposable email addresses during signup.

Like what? If you mean temporary email addresses, it's easy to see that you could sign up for a gmail account in about 2 minutes and use that as a "disposable email address".

Adhere to proper Internet safety and you should be fine. Change your password regularly (or use a manager if you truly wish) and keep your computer virus-free. It's easy, really. You just have to not be stupid.