weird pm received

[BitcoinGirl.Club]

I had a chance to read the whole PM with a cool mind, paid full attention and without been biased. When a PM comes from a lower rank member we usually think something is not right. It's the forum experience that led us to have this suspicious mind.

Read the PM posted again but without considering followings lines

Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

Captcha is useless as I use some trick I will only discuss with theymos.

This is what happened to me when I read get back to me. The moment I read it, I had in mind that this is it, this user was trying to get information from OP and other users.

Read the full PM again. It seems the user's native language is not English. Some choices of words clearly tells that he used translator to pick the words. Yes I agree with buwaytress some words sounds offensive. But I feel that this was not an intent to get something bad from it.

The user asked you to get back to him, could be to suggest you to remove the secret question. If you do not then he will inform theymos so theymos can consider to remove the security question feature entirely for the safety of DT member. It seems he thinks DT members are the ones who need to stay safe so his all effort were to be sure DT accounts are safe.

They only sent the PM to those who had security questions turned on. Somewhere theymos also said that it is not recommended to use security questions because it locks your account and some other hassles when you try to recover the account.

[NotATether]

Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.

Members after that time when it was leaked are safe? Is that correct?

Yes (provided that there were no additional forum hacks after 2015).

[newalias]

Captcha is useless as I use some trick I will only discuss with theymos.

I dont see a problem with this statement. This means there is some trick* AND I would discuss it with the most trusted person being in charge. This implies that I will not speak with anyone else or sell the trick to bad guys.

*This trick allowed me to scan whole DT for secret question set. It also allows to bruteforce passwords and security answers by the way. This was the intention - to make clear that security answers can be bruteforced, so they are even weaker.

Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.

I have to admit that this was not okay. Sorry.

Better I had written sth like "I will check again if you have a security question in place after 5 days. If you want to keep security question, please be advised of the disadvantages (link) and shortly confirm to me that your security answers entropy is sufficient (ie at least as high as your passwords entropy). If nothing happens, I will notify the board administration to ensure DefaultTrust integrity". Next time I would do so. It was never my intention to threat someone.

[CryptopreneurBrainboss]

I received the PM same day this thread was created as well, it was looking wired but it serve it purpose. I haven't visited my Account Related Settings page for a very long time so I didn't know I added that option when I created my account and the secret question wasn't that secret as I have disclosed it severally while participating in discussion on the forum.  I don't blame myself as I wasn't as knowledgeable as I'm now back then when I created my account.

I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was wired. Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..

[BitcoinGirl.Club]

newalias, the forum rules prevent you to post two response in a row.

I dont see a problem with this statement. This means there is some trick* AND I would discuss it with the most trusted person being in charge. This implies that I will not speak with anyone else or sell the trick to bad guys.

No, this was not the threat. It was okay for users.

Please get back to me stating how you improved account security

I would say for THIS users felt threaten. You said to get back to you and you said it in PM which was concerning for them. Assuming you had good intention but in the forum we are designed to feel threaten when something comes from a new account. We have been gone through some hacks and phishing attacks are regular things.

I hope others see the same that I realized after paying better attention to your PM.

[LoyceMobile]

Simplest thing I have seen in DefaultTrust was "1+1" with answer

I couldn't resist I set this as a secret question (with a very long random string as answer), but after that, the answer showed an empty field and the why is this blank? link showed "disabled". So I got nervous and wiped it again.

[skarais]

newalias, the forum rules prevent you to post two response in a row.

He can do it, but it must be more than 24 hours from his first post. But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.

Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..

There is confusion here as to why this feature is not closed. There's a message stating that the feature is not recommended as it could be a second password to access the account if someone guesses the answer correctly, but it's not closed yet. I checked mine, luckily I never used this security feature.

Secret Question:
To help retrieve your password, enter a question here with an answer that only you know.Using this feature is not recommended. Anyone who guesses your secret answer will have access to your account. It's like a second password.

[BitcoinGirl.Club]

I couldn't resist I set this as a secret question (with a very long random string as answer), but after that, the answer showed an empty field and the why is this blank? link showed "disabled". So I got nervous and wiped it again.

It's safe not to set it up. If it locks the account and do not help to get recover the account then the feature is not helping at all. It's without any purpose and better to disable it.

He can do it, but it must be more than 24 hours from his first post. But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.

I know he can but this is not a service thread in marketplace so I did not think it was worth mentioning. The discussion is not old too. Many users are still making their posts. It was assumable that in few hours we will have more comments.

[_BlackStar]

I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was wired. Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..

I have considered not using that security question, its very risky for me. I prefer to use a strong password and might consider changing it periodically after someone tries to hack into my account by forget password. I feel silly knowing that someone did it, but actually it surprised me.

So for now, I have to sign the message just in case because I'm really starting to worry if hackers try something more extreme. Please quote and verify me.

Code:

-----BEGIN BITCOIN SIGNED MESSAGE-----
I _BlackStar, signed this message after someone tried to hack my account a few days ago. This will serve to verify me in the future if this account changes hands.
-----BEGIN SIGNATURE-----
bc1qlctkn6lrzx2sffkfzt6yv6klles72dfdvd3jas
H0K9q5/RICREjfd2h3mvyjZGXqgt1JUH5amrlsZ4Z2DzXYSpdaHCgryUffXw2UGPOOk5GT3ndp0Dw0UkI8KwcYo=
-----END BITCOIN SIGNED MESSAGE-----

But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.

Done.

[DireWolfM14]

No PM for me, I feel left out Maybe that's because trying to restore my account through security questions shows:

Code:

Sorry, there is no secret question set for this member.

He might only be targeting DT1 members with the PM, but I didn't get one either.  Maybe my account isn't worth the time.   

I'm wondering if this is the same shithead that's been trying to change The Pharmacist's password through email reset.  It seems rather obvious that it's a phishing type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting.  Maybe he's trying to engage people into a discussion, and convince them he's a staff member or an admin, then trick them into leaking more account details?

[nullius]

xkcd 565, “Security Question”.

Seriously, I do think that some companies are probably exploiting this fantastically stupid insecurity misfeature to suck more personal details out of people.  There is no way that such ill-conceived security theatre could be so popular, unless someone benefits.  It is widespread on sites owned by companies that make money off of personal data.  These companies have professional security teams, who should know better.  People answer these questions with all sorts of obscure details about themselves.  Cui bono?

It seems rather obvious that it's a phishing type attack, but I'm not sure how this user is expecting to gain access to the accounts he's targeting.  Maybe he's trying to engage people into a discussion, and convince them he's a staff member or an admin, then trick them into leaking more account details?

It seems not obvious at all.  Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

The PM he sent doesn’t make sense for gaining access to the accounts.  It provided good advice.  The way he benignly flushed out two DT accounts with extremely poor “secret question” answers was a work of art.  I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.  And no need to rehash the first three pages of discussion on this thread.

I want to see security questions disabled, option to disable email recovery per account and 2FA introduced. BCT is about large sums and does not have up-to-date security mechanisms.

[DireWolfM14]

Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

Maybe he should have written a thread about it rather than going around trying to break people's security, then threatening them via PM.  Maybe?

What would he have done if he was able to break into one of the accounts he harassed?

[nullius]

What would he have done if he was able to break into one of the accounts he harassed?

Rather than dreaming up hypothetical scenarios about what he didn’t do (but maybe could have?), I am more worried about what a malicious blackhat will do without sending any PMs to anybody.  Not “if”, but “when”.

Also, “harassed” is an interesting word for “gave sound advice, which in some cases was sorely needed.”

Maybe he is doing what he said:  Trying to help users to improve their account security, and ultimately to help the forum to tighten security.  Maybe?

Maybe he should have written a thread about it rather than going around trying to break people's security, then threatening them via PM.  Maybe?

...

I don’t vouch for him; but absent evidence of malice, there is no need for a conspiracy theory.  And no need to rehash the first three pages of discussion on this thread.

How else could this point have been made?

By creating a thread in Meta.

IIRC, I have made various suggestions in Meta for improving account security.  IIRC, so has OgNasty.  So have others...

The response is always either silence, or “new forum software” vapourware which has only been in development for, what, about seven or eight years?

However, methods like this are inacceptable

At least he understand the problem now.

I can't say I grasp the series of events and the timeline, but warning someone about a potential issue with their password, then demonstrating that it was an issue after being ignored without compromising anything seems like the right way to do it?  How else could this point have been made?

[philipma1957]

I took his advice and removed the secret question as I also saw the forum warning which was making the whole option look stupid. I didn't see his message as a hack attempt but it was wired. Why haven't theymo disabled that secret question option. Basically anybody closed could easily guess this so called secret question especially mine (which has been removed though)..

I have considered not using that security question, its very risky for me. I prefer to use a strong password and might consider changing it periodically after someone tries to hack into my account by forget password. I feel silly knowing that someone did it, but actually it surprised me.

So for now, I have to sign the message just in case because I'm really starting to worry if hackers try something more extreme. Please quote and verify me.

Code:

-----BEGIN BITCOIN SIGNED MESSAGE-----
I _BlackStar, signed this message after someone tried to hack my account a few days ago. This will serve to verify me in the future if this account changes hands.
-----BEGIN SIGNATURE-----
bc1qlctkn6lrzx2sffkfzt6yv6klles72dfdvd3jas
H0K9q5/RICREjfd2h3mvyjZGXqgt1JUH5amrlsZ4Z2DzXYSpdaHCgryUffXw2UGPOOk5GT3ndp0Dw0UkI8KwcYo=
-----END BITCOIN SIGNED MESSAGE-----

But for this one, just report one post to the moderators so they can merge the post if the user ignores your suggestion.

Done.

here is a quote.

I also am locking the thread.