philipma1957 (OP)
Legendary
Offline
Activity: 4298
Merit: 8826
'The right to privacy matters'
here it is anyone else get this?
Hi there,
you are member of DefaultTrust. Therefore, the security of your account is crucial.
However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!
Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.
I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.
Thank you!
I will quote this with my alt as I am concerned this is a hack attempt.
a1 Hashrate LLC2022
Member
Offline
Activity: 112
Merit: 83
July 07, 2022, 04:13:50 AM Last edit: July 07, 2022, 04:26:00 AM by a1 Hashrate LLC2022
quoted with my alt. edit quote is below:
here it is anyone else get this?
Hi there,
you are member of DefaultTrust. Therefore, the security of your account is crucial.
However, you have a security question in place, what often means lower entropy than a secure password and maybe being easier to guess. Simplest thing I have seen in DefaultTrust was "1+1" with answer "2" was correct - I have frozen it for security. Easy questions ask for an age (try 0-99) or a birth year (try 1940-2022) or lower case initials (try aa-zz). Many questions ask for a city or a make of first car - brute force can help. And there are loads of questions for names of wife, birth names, pet names and so on. These are things that may be shared even in a post or require only your real name! The better people know the account owner, the better they know the answer!
Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.
I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.
Thank you!
EFS
Staff
Legendary
Offline
Activity: 3906
Merit: 2198
Crypto Swap Exchange
July 07, 2022, 04:20:45 AM
You are not the only one. Just "Report to Admin" the PM and they will take care of this.
philipma1957 (OP)
Legendary
Offline
Activity: 4298
Merit: 8826
'The right to privacy matters'
July 07, 2022, 04:22:35 AM
So I did check the pm out and the security question is disabled. So I am not sure why this person sent me the pm. It implies he knows that I have a security question setup. Like I said my security question was in a disabled status. @efs I reported it to admin. note no password change has been made by me and my btc address is this: https://www.blockchain.com/btc/address/1JdC6Xg3ajT3rge3FgPNSYYFpmf53Vbtje
someone please quote this. I have it quoted somewhere else but just in case.
jackg
Copper Member
Legendary
Offline
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
July 07, 2022, 04:26:13 AM
There's a recommendation that security questions are quite weak for keeping accounts safe (it's why most places have multiple and why a lot got replaced with multifactor authentication).
I had a brief skim through the seclog and haven't found much over the past week of many resets actually being done so it's probably just an unsolicited piece of advice.
philipma1957 (OP)
Legendary
Offline
Activity: 4298
Merit: 8826
'The right to privacy matters'
July 07, 2022, 04:31:01 AM
There's a recommendation that security questions are quite weak for keeping accounts safe (it's why most places have multiple and why a lot got replaced with multifactor authentication).
I had a brief skim through the seclog and haven't found much over the past week of many resets actually being done so it's probably just an unsolicited piece of advice.
Okay I had disabled the question a while back. But I guess it was showing as active to admin as this account had red type saying to delete it. My alt had nothing. As I said password was not altered. I will keep an eye out for issues with this account. And a1 Hashrate LLC2022 https://bitcointalk.org/index.php?action=profile;u=3482040 is my current alt. Please note I always have an active alt to protect the main account.
Summary - a1 Hashrate LLC2022
Name: a1 Hashrate LLC2022
Posts: 82
Activity: 42
Merit: 60
Position: Jr. Member
Date Registered: June 05, 2022, 04:38:14 PM
Last Active: Today at 04:31:21 AM
cabalism13
Legendary
Offline
Activity: 1428
Merit: 1166
🤩Finally Married🤩
July 07, 2022, 06:05:08 AM
I am an inactive user here,... First I thought this user was the one who hacked my google account just recently (already changed my password few days ago) so I checked the email regarding this... So it seems it wasn't just me.
So I did check the pm out and the security question is disabled. So I am not sure why this person sent me the pm. It implies he knows that I have a security question setup. Like I said my security question was in a disabled status. @efs I reported it to admin. note no password change has been made by me and my btc address is this: https://www.blockchain.com/btc/address/1JdC6Xg3ajT3rge3FgPNSYYFpmf53Vbtje
someone please quote this. I have it quoted somewhere else but just in case.
joeperry
July 07, 2022, 06:26:05 AM
Received the same thing from this user, not quite sure what's the goal of this guy. Trying a petty attempt to disable the user's security question so probably he could get easy link to change the password of the account? I think he sends all the DT user a personal message.
lovesmayfamilis
Legendary
Offline
Activity: 2268
Merit: 4540
✿♥‿♥✿
July 07, 2022, 06:31:39 AM
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.
If I'm not mistaken, having a security question hasn't been important for a long time, or does it still matter?
LoyceV
Legendary
Offline
Activity: 3486
Merit: 17653
Thick-Skinned Gang Leader and Golden Feather 2021
July 07, 2022, 06:45:28 AM
There's a recommendation that security questions are quite weak for keeping accounts safe
I usually enter random gibberish to those questions (but keep the random data, just in case). Dumb questions like the name of your first pet make social engineering very easy. SMS account recovery is also a big security risk. I disable all of this whenever I can, including Bitcointalk. I'm not sure what newalias' angle is here, he seems to know that security questions can only lock an account, so it's in no way a security risk for DefaultTrust.
No PM for me, I feel left out
Maybe that's because trying to restore my account through security questions shows:
Sorry, there is no secret question set for this member.
NotATether
Legendary
Offline
Activity: 1778
Merit: 7372
Top Crypto Casino
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.
I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.
If I'm not mistaken, having a security question hasn't been important for a long time, or does it still matter?
Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.
crwth
Copper Member
Legendary
Offline
Activity: 2940
Merit: 1280
https://linktr.ee/crwthopia
July 07, 2022, 07:34:34 AM
Do you think that newalias tried to check every DT member who has security questions? Then PM-ed them accordingly? I don't have a security question for this so that's probably why I didn't receive a PM.
Attempting to answer the security questions will automatically lock your account, because they were leaked with the rest of the DB back in 2015.
Members after that time when it was leaked are safe? Is that correct?
The Sceptical Chymist
Legendary
Offline
Activity: 3514
Merit: 6986
Top Crypto Casino
July 07, 2022, 07:42:52 AM
so it's probably just an unsolicited piece of advice.
I don't know if we read the same PM, because it totally looks like some kind of phishing attempt to me--and a bad one at that, despite all the technical garbledegoo. I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing. And not that it matters, but I recently got a PM from some guy who wanted to pay me for a review of some app. The devil was on my shoulder and I wanted to string him along for a bit, but I lost motivation after his second reply. I'm wondering if other DT members got that same PM, because I'm pretty sure I wasn't singled out for that one.
Welsh
Staff
Legendary
Offline
Activity: 3304
Merit: 4115
July 07, 2022, 08:06:50 AM
Likely, by asking you to get back to them how you secured your account after removing it, is likely a way to get more information. They've already claimed that they've frozen accounts, which isn't really possible, unless they had some kind of database access, which would mean they'd be able to remove the security questions themselves if they really wanted to.
In other words, this user isn't to be trusted, and no reply is warranted. If they have information about security, they can contact theymos. Other than that, them finding out who has a security question, and who doesn't is fairly simple as LoyceV alluded to above.
I suspect, a further attack would've been launched if you replied to them. Smells of social engineering, where they attempt to gain your trust by offering you some semi valid advice, and then looking to exploit that further down the line.
nullius
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation? I have a pessimistic view of human nature, but the paranoia in this thread is off the charts. This is good advice, in my opinion: The better people know the account owner, the better they know the answer!
Recommended action to take is to remove security question at all.
The forum officially agrees with newalias about that, and with me. Read the warning that the forum gives you, when you set up the ridiculously stupid insecurity misfeature of a so-called “secret question”:
Duh. Why does theymos even allow this? I spot-checked this user’s post history. At a glance, it looks normal to me. I also noticed that he just received a red tag from someone in DT (fortunately outside my trust network; my trust network is infinitely superior to DT). Now, this could be a bizarre beginning for a social engineering attack. And the PM also seems to indicate that newalias is probing something, somehow. I will reach out to him, and politely ask just what he is trying to do. Meanwhile, I will add a neutral tag linking to this post—to be updated or removed, if or as appropriate. I request that someone in DT should do likewise. Maybe, just maybe, this could simply be a very clumsy attempt at whitehat protection of the forum, from someone who needs to see the late Dan Kaminsky’s White Hat Hacker Flowchart:
Welsh
Staff
Legendary
Offline
Activity: 3304
Merit: 4115
July 07, 2022, 08:58:10 AM
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation? I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.
Yeah, I haven't ruled out that. However, the things that stand out to me is the comment about letting them know how you've secured your account, and the fact they claimed to have frozen accounts. The latter being an outright lie. That's not exactly good, if you're looking to do some white hat work. Although, that might have been a way of trying to convince the user. I'm not going to get my pitchfork out, but I do believe users should be cautious dealing with this user in further message exchanges. Not that I distrust them entirely, but at the very least advise caution. On a side note, I don't like that anyone can find out if a user has a security question or not. I'm not a fan of security questions in the first place, but probing like that just opens up those accounts for further attack. I kind of wish that the security question field popped up regardless of if a user has set one or not. If someone tries to guess the security question of one of these users, it simply just gives a non match, rather than indicating they don't have one set up.
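The design point Welsh makes here (a recovery page that shows a question field for every account, so a probe cannot tell who has a question set), together with LoyceV's habit above of answering with random gibberish and NotATether's note that a wrong attempt locks the account, can be shown in a small recovery flow. The Python below is an added example written for this thread; it is not forum or SMF code. The account records, the one-wrong-answer lock, the decoy questions and the server key are all constructed assumptions.

```python
# Added example, not code from bitcointalk or SMF: a toy password-recovery flow
# with the enumeration oracle Welsh describes (a different reply when no secret
# question is set) next to a version that answers uniformly, stores a salted
# hash of the answer, compares in constant time, and locks after a wrong guess.
from typing import Optional
import hashlib
import hmac
import secrets

NO_QUESTION_MSG = "Sorry, there is no secret question set for this member."
# Assumption modelled on NotATether's remark: one wrong answer locks the account.
LOCK_AFTER_FAILURES = 1
# Constructed per-deployment secret; picks a stable decoy question per username.
SERVER_KEY = secrets.token_bytes(32)
# Generic decoy questions in the categories the PM lists (pet, city, first car).
DECOY_QUESTIONS = [
    "What was the name of your first pet?",
    "What city were you born in?",
    "What was the make of your first car?",
]

def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash of a secret answer (scrypt from the standard library)."""
    return hashlib.scrypt(answer.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)

def make_account(question: Optional[str], answer: Optional[str]) -> dict:
    """Constructed account record; question=None means no secret question is set."""
    if question is None:
        return {"question": None, "salt": None, "hash": None, "failures": 0, "locked": False}
    salt = secrets.token_bytes(16)
    return {"question": question, "salt": salt, "hash": hash_answer(answer, salt),
            "failures": 0, "locked": False}

# Constructed users: alice chose the trivial question quoted in the PM, bob chose
# a random-gibberish answer as LoyceV describes, carol has no question at all.
BOB_ANSWER = secrets.token_urlsafe(24)
ACCOUNTS = {
    "alice": make_account("1+1", "2"),
    "bob": make_account("Name of first pet?", BOB_ANSWER),
    "carol": make_account(None, None),
}

def recovery_prompt_leaky(username: str) -> str:
    """Vulnerable behaviour: the reply itself reveals whether a question is set."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct["question"] is None:
        return NO_QUESTION_MSG
    return acct["question"]

def decoy_question(username: str) -> str:
    """Stable decoy for accounts without a question, so repeated requests agree."""
    digest = hmac.new(SERVER_KEY, username.encode("utf-8"), hashlib.sha256).digest()
    return DECOY_QUESTIONS[digest[0] % len(DECOY_QUESTIONS)]

def recovery_prompt_uniform(username: str) -> str:
    """Hardened behaviour: every username gets a question to answer, as Welsh
    suggests, so the prompt no longer says whether one is really set."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct["question"] is None:
        return decoy_question(username)
    return acct["question"]

def check_answer(username: str, answer: str) -> bool:
    """Verify an answer; unknown, question-less and locked accounts always fail,
    but do the same hashing work so timing does not reveal which case applies."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct["question"] is None or acct["locked"]:
        hash_answer(answer, b"\x00" * 16)
        return False
    ok = hmac.compare_digest(hash_answer(answer, acct["salt"]), acct["hash"])
    if not ok:
        acct["failures"] += 1
        if acct["failures"] >= LOCK_AFTER_FAILURES:
            acct["locked"] = True
    return ok

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "nobody"):
        print(f"{user:7} leaky: {recovery_prompt_leaky(user)!r:60} uniform: {recovery_prompt_uniform(user)!r}")
    print("bob correct answer accepted:", check_answer("bob", BOB_ANSWER))
    print("alice wrong answer accepted:", check_answer("alice", "3"),
          "-> locked:", ACCOUNTS["alice"]["locked"])
```

The decoy only hides whether a question exists when real questions look like the decoys; a free-form question such as "1+1" is still recognisable as user-chosen, which is one more reason the thread's advice to remove the question altogether holds. Keying the decoy choice to a server secret keeps it stable for one username without letting an outsider predict it.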
Igebotz
Staff
Legendary
Offline
Activity: 1554
Merit: 1821
Stake Sherrif 🌠
July 07, 2022, 09:14:43 AM
I got mine as well, and I was about to tag his a$$ out when I realized he had already been tagged by OP, so I saved my time for something more important. Trying to con the most knowledgeable members of the forum appears stupid to me. Some con artists are dumb.
I suppose he came to a halt the moment he was exposed. You guys are lucky
No PM for me, I feel left out Maybe that's because trying to restore my account through security questions shows:
I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.
I haven't received any PMs like that, but I just started a thread in Reputation about being alerted via e-mail about someone trying to reset my password or some such thing.
ABCbits
Legendary
Offline
Activity: 3052
Merit: 8074
Crypto Swap Exchange
Looks like @newalias is online today, so i expect he'll respond to this thread soon either because he checks the Meta board or found out he has 2 new feedback and checks the reference link.
Duh. Why does theymos even allow this?
It's part of SMF 1.x feature[1], so IMO it's either theymos doesn't bother to remove it or it can't be removed without lots of work.
[1] https://wiki.simplemachines.org/smf/Logging_In
nullius
July 07, 2022, 09:26:21 AM Last edit: July 07, 2022, 09:48:15 AM by nullius
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation? I have a pessimistic view of human nature, but the paranoia in this thread is off the charts.
Yeah, I haven't ruled out that. However, the things that stand out to me is the comment about letting them know how you've secured your account, and the fact they claimed to have frozen accounts. The latter being a outright lie. That's not exactly good, if you're looking to do some white hat work.
Agreed. [Edit: I reread the PM quoted in OP. He does not claim to have frozen accounts. He seems to have some trick to bypass the CAPTCHA while probing accounts. He only says that he will report DT accounts with “secret questions” to the administration; that sounds reasonable to me, in itself.]
[...snip good advice...]
Recommended action to take is to remove security question at all. Please get back to me stating how you improved account security. If I do not get a reply, I need to inform board administration for our all safety.
I started with whole DefaultTrust as I think the base of community should be secured first. Later, I will go for more users. Captcha is useless as I use some trick I will only discuss with theymos.
Thank you!
</edit>
Although, that might have been a way of trying to convince the user. I'm not going to get my pitchfork out, but I do believe users should be cautious dealing with this user in further message exchanges. Not that I distrust them entirely, but at the very least advise caution.
On a side note, I don't like that anyone can find out if a user has a security question or not. I'm not a fan of security questions in the first place, but probing like that just opens up those accounts for further attack. I kind of wish that the security question field popped up regardless of if a user has set one or not. If someone tries to guess the security question of one of these users, it simply just gives a non match, rather than indicating they don't have one set up.
On a side note, I don’t like that the forum doesn’t let you remove your e-mail address, and/or otherwise totally disable password reset by e-mail. (Yes, you can set a fake e-mail address; but then, you need to be careful to make sure it can never be valid. And that does not itself totally disable password reset by e-mail.) I’m not the only one. Lauda complained to me about that. On a side note, I don’t like that the forum doesn’t let you disable password authentication, and log in by signing a challenge with your PGP key... OK, I will stop right here.
Looks like @newalias is online today, so i expect he'll respond to this thread soon either because he check Meta board or found out he has 2 new feedback and check reference link.
For the record, I reached out to him by PM as I said I would. With a link to my post on this thread. Kind of sticking my neck out, doing that. Eh. Anyway, he should be well on notice about this thread.
JollyGood
Legendary
Offline
Activity: 2716
Merit: 1819
July 07, 2022, 09:55:44 AM
I also received this PM. Probably, according to the one who poisoned these PMs, he sent such letters to all DT, and not necessarily whether they have control questions or not.
I haven't received that PM. So maybe the list he's using to determine DT users is not accurate.
I did not receive the PM. Ah well.....
Before jumping to conclusions and screaming “hack!”, has anyone even considered a potentially innocent explanation? I have a pessimistic view of human nature, but the paranoia in this thread is off the charts. This is good advice, in my opinion: The better people know the account owner, the better they know the answer!
Recommended action to take is to remove security question at all.
I may have a less pessimistic view than yours when it comes to human nature in general, but I am highly sceptical when it comes to the conduct of many users in this forum, therefore I can understand your views and even relate to them. On this subject of the PMs though, if English is not the first language of the sender (newalias) I think it only compounds the confusion. His post history shows he has been active in the German language boards as well but his trust currently shows the following message which might mean he is no longer in control of his account: This user's email address was changed recently