When will the account recovery problem be solved?

[cellard]

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

[1714111561]

1714111561

[1714111561]

1714111561

[1714111561]

1714111561

[1714111561]

1714111561

[mdayonliner]

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Does it scare you when you think if your account gets hacked or anything happen and then you wait weeks after weeks or months after months without any result to get your account back?

It does scare me a lot, because I am addicted to this forum.  

[bitmover]

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Yeah, this is very important as they are legit users. Most of them with quoted signed messages... I see some of them are having their account back, but it takes too long.

I think people look at those post where people ask for help and most users may think that they have nothing to do with it.

But we all could have our accounts hacked... This is a problem that concerns every legit user.

Maybe this process of address signature verification could be made faster.

[mocacinno]

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Yeah, this is very important as they are legit users. Most of them with quoted signed messages... I see some of them are having their account back, but it takes too long.

I think people look at those post where people ask for help and most users may think that they have nothing to do with it.

But we all could have our accounts hacked... This is a problem that concerns every legit user.

Maybe this process of address signature verification could be made faster.

I concur with the other opionions in this thread, altough i doubt it's merely a problem of the speed or effort of the signature verification process. Personally, i think the complete workflow might be long overdue for a complete overhaul.
I've got some experience writing scripts using the json-rpc interface of a bitcoin node, i think it should be fairly simple to automate the complete process up to the point where a human just needs to look at the end result of a request and click a button to either confirm or deny a password reset/account unlock.

Basically, if one would write a simple form where a random string is shown and where a user can enter the post where he/she staked his address, the address itself, the reset email address and the signature he made using the staked address signing the random string. The script could then just use the json-rpc query of a locked node to verify the message and save this data into a simple relational database.

An admin would have an admin interface with a view of this database showing the qouted post + post history (was this post edited or not) and the result of the signature, maybe combined with some account info fetched from the db (like logintimes, ip's, password changes,...). When this info is given in a simple way, the admin should be able to either confirm or deny the password request with the click of a button.
I haven't looked at smf's data model, but i can only imagine that resetting a password is just a matter of generating a random string, hashing it, updating the user's entry in the users info table and creating an email to send the unhashed password to the entered email (together with instructions for a password reset).

[cellard]

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Does it scare you when you think if your account gets hacked or anything happen and then you wait weeks after weeks or months after months without any result to get your account back?

It does scare me a lot, because I am addicted to this forum.  

Yes, this is why I made the thread, it could happen to any of us, and it would leave us out of the forum for months, maybe years, making an huge gap of inactivity which you would need to explain every time you want to do business with someone, and there's a risk they will just not believe it.

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

We are not talking obvious spammers, but legit posters getting their account hacked, signing various BTC addresses and never getting a reply back. I think this is unfair and a bigger problem than some 3rd worlders spamming on 100+ page threads. Some legit users just can't get their accounts back, they lose their PM history and other valuable stuff.

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Yeah, this is very important as they are legit users. Most of them with quoted signed messages... I see some of them are having their account back, but it takes too long.

I think people look at those post where people ask for help and most users may think that they have nothing to do with it.

But we all could have our accounts hacked... This is a problem that concerns every legit user.

Maybe this process of address signature verification could be made faster.

I concur with the other opionions in this thread, altough i doubt it's merely a problem of the speed or effort of the signature verification process. Personally, i think the complete workflow might be long overdue for a complete overhaul.
I've got some experience writing scripts using the json-rpc interface of a bitcoin node, i think it should be fairly simple to automate the complete process up to the point where a human just needs to look at the end result of a request and click a button to either confirm or deny a password reset/account unlock.

Basically, if one would write a simple form where a random string is shown and where a user can enter the post where he/she staked his address, the address itself, the reset email address and the signature he made using the staked address signing the random string. The script could then just use the json-rpc query of a locked node to verify the message and save this data into a simple relational database. An admin could have an admin interface with an outlook of this database showing the qouted post and the result of the signature, maybe combined with some account info fetched from the db (like logintimes, ip's, password changes,...). When this info is given in a simple way, the admin should be able to either confirm or deny the password request with the click of a button.
I haven't looked at smf's data model, but i can only imagine that resetting a password is just a matter of generating a random string, hashing it, updating the user's entry in the users info table and creating an email to send the unhashed password to the entered email.

Indeed, the verification process could be speed up with some automation, but still, it will need human review, this takes time and I doubt Cyrus and theymos will spend the required time to speed up the process, to benefit from said database we still need someone reviewing it, we would need more Staff looking at each individual cases anyway. Automating the verification of the message would help a lot tho.

[mdayonliner]

Yes, this is why I made the thread, it could happen to any of us, and it would leave us out of the forum for months, maybe years, making an huge gap of inactivity which you would need to explain every time you want to do business with someone, and there's a risk they will just not believe it.

From this fear, I proposed some solutions long ago and I have seen a lot of others did have different ideas but seems like we need to wait more to see any changes. I assume theymos has other priorities than looking at this issue.

[Proposal: prevent account hack] A complete new login system for BitcoinTalk <== https://bitcointalk.org/index.php?topic=3371718.0


I just hope for the best.

update:

IMO hiring a staff won't solve the problem since i'm sure there are too many cases to be handled by 1 person.

There should be automatic account restore with bitcoin address which already mentioned on these threads System to prove account ownership and recovery automatically - Demo included & [Proposal: prevent account hack] A complete new login system for BitcoinTalk
One staff only need to prove recovery request or/and investigate whether the private key was stolen if needed when the account was hacked.

Oh thanks ETFbitcoin for bringing the topic before me.

[Vod]

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault. 

[bitcoin revo]

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.  

I still don't think that it justifies putting them on standby indefinitely. Everyone makes mistakes, and those people got hacked because of them. We're not a perfect society and forcing people out of their accounts on this forum because of their blunders in the past is way harsher than it needs to be.

IMO hiring a staff won't solve the problem since i'm sure there are too many cases to be handled by 1 person.

Surely once we get past the backlog of hacked accounts, the influx of them can't exceed, say, 20 or 30 a day (which is quite an overestimation just to emphasize my point). That number would comfortably be checked and restored within an hour. An hour of work per day can, again, comfortably be put onto one semi-dedicated person. All we need is some extra work in the beginning and this issue wouldn't even be an issue.

[cellard]

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.  

Unfortunate events can happen to everyone. Even satoshi lost his gmx account and said account got eventually hacked and exploited. It can happen to anyone. Keeping email accounts and forum passes online it's not the same as keeping your private keys offline (which never touch the internet). As soon as something touches the internet there is a % of disaster out of your reach, like a security breach on the email provider's side and so on.

I guess theymos is paranoid to allow other people to do this job, otherwise I don't understand why he doesn't hire more people. Until then we will have ridiculous amounts of threads with an endless queue of people wanting to get their account back.

I could do it too, it would take me literally 1 minute to verify signatures and a quick look at posting history.

[bitmover]

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.  

Unfortunate events can happen to everyone. Even satoshi lost his gmx account and said account got eventually hacked and exploited. It can happen to anyone. Keeping email accounts and forum passes online it's not the same as keeping your private keys offline (which never touch the internet). As soon as something touches the internet there is a % of disaster out of your reach, like a security breach on the email provider's side and so on.

I agree. Everyone can be hacked. Maybe not everyone ,but most of people.  not everyone here is a cyber security expert, there is a lot of diversification here in this forum.

 people have different life styles. Some people use multiple devices (if someone travels a lot), or they can trust some third party password manager that got hacked... There are many things out of our control, and one security solution that works for one person may not work for another as they have different habits

[cellard]

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.  

Unfortunate events can happen to everyone. Even satoshi lost his gmx account and said account got eventually hacked and exploited. It can happen to anyone. Keeping email accounts and forum passes online it's not the same as keeping your private keys offline (which never touch the internet). As soon as something touches the internet there is a % of disaster out of your reach, like a security breach on the email provider's side and so on.

I agree. Everyone can be hacked. Maybe not everyone ,but most of people.  not everyone here is a cyber security expert, there is a lot of diversification here in this forum.

 people have different life styles. Some people use multiple devices (if someone travels a lot), or they can trust some third party password manager that got hacked... There are many things out of our control, and one security solution that works for one person may not work for another as they have different habits

It's not even a matter of being a cyber security expert. It's only a matter of time and everyone will get their password stolen or somehow compromised, it's going to happen to everyone because of reasons out of your control.

Again, one just can't "cold storage passwords". Passwords are exposed online daily, by necessity, this is an huge attack vector, that can come from the forum, from the email provider, and so on. This is why Bitcoin is genius, the cold storaged private keys don't suffer from that. Which is why also account recovery, when presented with signed private addresses, should have high priority and the recovery should be fast, not take months, sometimes not even happening.

[OgNasty]

While you see an account recovery problem, I’m sure the forum’s administration sees it as a user securing their login problem.

[LoyceV]

Does it scare you when you think if your account gets hacked or anything happen and then you wait weeks after weeks or months after months without any result to get your account back?

Yes, it does

I wonder when will the account recovery methods be improved. Probably hiring new staff to do the task should do.

Hilariousandco often responds in those threads already, it seems to me he's capable and has the time to do it, but has no access to restore accounts.

A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

I tried that that 2 months ago, but locked the thread after reading this:

You'll be wasting your time and theirs. I was doing this when people have fully verified their accounts sufficiently and the number of responses I've had from them both is zero and as far as I'm aware they're all still awaiting their accounts to be restored.

I guess he just does not prioritize account recovery.  I understand his reasoning, since losing your account is, in most cases, your fault.

Now both theymos and cyrus just keep getting the same PMs over and over again. That's a waste of their time too.

[KWH]

I've volunteered in the past to help with this issue but didn't get a reply. Nothing else I can do on my end.

[cellard]

Now both theymos and cyrus just keep getting the same PMs over and over again. That's a waste of their time too.

I've volunteered in the past to help with this issue but didn't get a reply. Nothing else I can do on my end.

I guess this is where the conspiracy theories come from, said conspiracies being that theymos and cyrus take control of some accounts in order to sell them or something along the lines. I think that is nonsense considering theymos is loaded with bitcoins from being an early miner so he is set for life, cyrus is probably in good standing too.

At the same time, the fact that they are bitcoin whales also make it understandable that they wouldn't spend too much time managing the forum, but this isn't a justification to leave people in a desperate endless wait, ignoring signed bitcoin addresses as definitive proof (if that proof is going to be ignored, then what's the point? that is what bitcoin is about, verifying, and verifying takes just a minute, something that Staff could be doing speeding up the process and cleaning up the meta section as all the lost password threads get solved. As people get desperate they bump their own threads, so the queue keeps growing and everyone is self bumping these growing threads, eventually the entire meta section will be people wanting to get their passes recovered.

[KWH]

I don't think it's a conspiracy, more like little time for something that takes a lot of time to verify.

[Vod]

At the same time, the fact that they are bitcoin whales also make it understandable that they wouldn't spend too much time managing the forum

I've spent almost 300 days online in this forum.  I don't make any money...  Some people do things because they like to do them.

[aronalek]

This is a serious problem and it should be solved in hours instead of months. It can be frustrating for a member to wait for so long.

[LoyceV]

I guess this is where the conspiracy theories come from, said conspiracies being that theymos and cyrus take control of some accounts in order to sell them or something along the lines.

Theymos answered this:

No, we never sell accounts.
~
if I wanted to sell highly-ranked accounts, I would just create accounts with Ultra-Legendary status, 1 million merit, +9999 trust, etc. and sell those.

[hilariousetc]

The only way it is going to be solved is if theymos or cyrus start actively restoring them, or somebody else is promoted to Admin or given access to restore accounts. The issue is purely manpower based. Theymos and Cyrus probably don't have time so they're just not getting looked into. Even cases that almost certainty cut and dry are just getting added to the pile which grows bigger every day.
 

Now both theymos and cyrus just keep getting the same PMs over and over again. That's a waste of their time too.

I've volunteered in the past to help with this issue but didn't get a reply. Nothing else I can do on my end.

I guess this is where the conspiracy theories come from, said conspiracies being that theymos and cyrus take control of some accounts in order to sell them or something along the lines.

If theymos wanted to make more money there are numerous legitimate ways that he could monetise this forum better, but as usual people like to invent conspiracies up because they're always more sexy and exciting. I've personally suggested a few ways to theymos like adding more donator ranks and more advertising slots like at the top of certain sub boards (I think people would pay premium for ones above Bitcoin Discussion and Gambling etc). The current advertising slots are barely noticeable especially when they're drowned out with signatures (and some people have even mistaken them for a signature advertisement before). If theymos wanted more money for himself he could also just pay himself a huge wage but as far as mod payments go even a very active patroller gets more than him currently so it's probably not about money. A while back I did even suggest he pay himself an appropriate wage and do admin duties here full time because one is still badly needed and if there's nobody else he trusts fully then that's probably the only way.

It's been years since we've had people in endless queues waiting to get a message back from either Cyrus or theymos, and none of them answering for some reason, even after sufficient cryptographic proof was presented (typically, a signed bitcoin address).

Here is what I don't understand.... Theymos is intelligent when it comes to programming.  He could easily create a type of account that had limited moderator abilities - specifically  the security rights to unlock an account.  A trusted user (like me) could spend some time to review signed messages and restore accounts, reducing workload.

Any other active staff member could do this as well. I don't think Cyrus' account has full admin-access like theymos' (or root access or whatever).

At the same time, the fact that they are bitcoin whales also make it understandable that they wouldn't spend too much time managing the forum

I've spent almost 300 days online in this forum.  I don't make any money...  Some people do things because they like to do them.

I wouldn't be against a user like you doing it but there are also numerous staff members who could as well. I think you'd get pretty burned out by it quite quickly though if you were doing it purely voluntarily. You would get spammed to death by people and the amounts of accounts that need restoring is probably at least a part-time job right now (and we probably need at least one full time admin anyway to handle all the other issues). If you're happy to spend half of your time on here restoring accounts for fun though, then go for it  .

Unfortunate events can happen to everyone. Even satoshi lost his gmx account and said account got eventually hacked and exploited. It can happen to anyone. Keeping email accounts and forum passes online it's not the same as keeping your private keys offline (which never touch the internet). As soon as something touches the internet there is a % of disaster out of your reach, like a security breach on the email provider's side and so on.

Exactly, there's always a weak point and anyone could be targetted or slip up at some point. Let's not forget that one of the main reasons why people are losing their accounts in the first place is that the forum was hacked and password hashes were leaked. Is this theymos' fault? No, it was the hosting's as they were cleverly exploited, but it shows you that there's always some way that you can get hacked.

Personally, I don't really care who does it as long as they're trusted, but if theymos and cyrus aren't actively going to be doing account restorations then someone else really needs to.