Discussion: "Cybersecurity and Privacy" board + Poll (request v1)

[NotATether]

Gave that a shot!...

Though on this day of March 06, 2023, we still have no Cybersecurity & Privacy board 

I'll ask him myself. It seemed to work for me last time.

[1714483662]

1714483662

[1714483662]

1714483662

[BenCodie]

That's a good idea, we definitely need Cybersecurity and Privacy board, it will attract not only bitcoin enthusiasts but other people who are looking for enhanced security.
To be honest, we need structured WIKIs in each section too. For example, have a look at the wiki of buildapc subboard: Planning on building a computer but need some advice? This is the place to ask!
If you read and follow steps on this WIKI, you will understand what to consider when building a pc, when and where to buy components, how to assemble it and even more.

It will be amazing if we create similar wiki about bitcoin development, economics, etc. Since this thread is focused at cybersecurity and privacy, imagine how good it will be to have wiki on bitcointalk that will cover the information about:
1. Linux distros like TailsOS.
2. Browser Privacy
3. Tor and VPN
4. Information encryption including messages, videos, files, disk, etc.

If we create Cybersecurity and Privacy board with sticked Wiki thread and ombine all the information in Wiki thread, this will enlighten more people and will truly do amazing job for society.

I will support this idea of creating cyber security and privacy board since cybersecurity is a necessity these days. Most of us take security forgranted and embrace it only once we are hacked or experience any cyber security breach. All of us can contribute to cybersecurity according to our knowledge.
I recently cleared 'ISACA Cyber security' exam and can help ( to best of my knowledge) who is trying to pursue ISACA certification in cyber security.

I want to support this request, it is a subforum in my opinion useful for grouping these news or articles that have no place at the moment
in the end it seems like a sector destined to remain with smart working which has now become a normal thing

Great to see some more support! Congratulations on passing your exam WatChe. It sounds like you would be one of the many assets to the board if it were to be added

Gave that a shot!...

Though on this day of March 06, 2023, we still have no Cybersecurity & Privacy board 

I'll ask him myself. It seemed to work for me last time.

Hopefully we get some feedback I hope that that new "no" vote was not him! If you receive any response, let us all know

[WatChe]

Great to see some more support! Congratulations on passing your exam WatChe. It sounds like you would be one of the many assets to the board if it were to be added

Thanks a bunch.

Defiantly I will be there on cyber security board once it's created. Getting new board these days is not easy, we are also trying to get a local board for Pakistani community and thread is there but no success so far. But we are fully motivated and will keep reminding the administrator about our request. Same is required to create a separate thread for Cybersecurity. We may not get that in a week or two but keep this thread active.
https://bitcointalk.org/index.php?topic=5430735.0

[NotATether]

Bump.

Never forget this request.

[BenCodie]

Since the demise of ChipMixer, users have begun to question lately about whether or not it is a wise move to participate in mixing signature campaigns, and if there are any risk to users who are being paid to have these services in their signatures around the forum, such as in this thread:
Participating in Mixer Signatures

BitcoinTalk staff were allegedly asked not to promote these services, raising more cause for concern:
staff were asked to stop advertising mixing services

Additionally, recent news has exposed that an unknown person or group (dubbed "LinkingLion") may be collecting IP addresses from Bitcoin nodes/users.

If the Cybersecurity & Privacy board were added, I would be almost certain that there would be a bountiful amount of knowledge and resources that would allow people to reduce their fears and take comfort in the measures that they are taking to keep their privacy from being compromised. The reasons for adding this board are only increasing by the day and I could bet that it would soon become a necessity if we want to help to assist the (unfortunately) wider, currently unaware/uninformed portion of the community in upholding their anonymity and privacy.

[BenCodie]

Theymos, enable us to increase our online armor and to help do the same for individuals who are otherwise vulnerable by adding the Cybersecurity & Privacy board!



This is a rather older article that I stumbled across recently however I believe that it highlights the shift from being a victim of deception (controllable by common sense, experience, reduced naivety, skepticism and/or wisdom) to being a victim of hacks - which is controllable only with exposure to knowledge. The majority of people don't have access to accurate information without looking for it, which is what I hope the Cybersecurity & Privacy board here on BitcoinTalk would achieve!

Source: https://edition.cnn.com/2022/08/16/tech/crypto-hack-rise-2022/index.html
The good news: Significantly less people are falling for ponzi schemes similar to BitConnect than in 2017:

But there may be at least one silver lining in the report: The amount of money lost in cryptocurrency scams, such as the $2 billion dollar Ponzi scheme carried out by BitConnect founder Satish Kumbhani, was 65% less than the year prior as the falling value of crypto made it a less enticing investment opportunity for potential victims.

The bad news: Over $1.9 billion has been hacked or stolen from protocols and users during the first 7 months of 2022

Some more validation of the need for the Cybersecurity & Privacy board below.


As of March 2023, ransomware attacks are increasing
Source: https://www.ghacks.net/2023/04/22/ransomware-attacks-record-march/

Basic cybersecurity measures can very easily prevent the threat of non-targeted ransomware.


GDAC hot wallet hacked for $13 million

List of some recent exchange hacks: https://www.hedgewithcrypto.com/cryptocurrency-exchange-hacks/

The end-user could have easily prevented their exposure to centralized exchange hacks by not using them altogether or keeping their coins off-exchange unless they need to use the exchange (last resort, many alternatives out there nowadays).  



Some other non-crypto hacks in 2023 where the end-user may have been able to reduce their exposure if they were taking intermediate to advanced privacy measures:

April 10

Pizza Hut/KFC Data Breach: Yum! Brands, which owns fast food chains Pizza Hut, KFC, and Taco Bell, has informed a number of individuals that their personal data was exposed during a ransomware attack that took place in January of this year. The hospitality giant confirmed that names, driver's license, and ID card info was stolen. An investigation into whether the information has been used to commit fraud already is currently underway.

How risk for the end user could have been mitigated:
- Don't upload personal/sensitive information where you don't need to (why on earth would you upload a drivers license/ID card to these companies anyway?)
- Use non-identifiable information and a pre-paid debit card to make purchases, if possible.
- Don't trade your identity/privacy/payment information for convenience.

March 24

ChatGPT Data Leak: A bug found in ChatGPT's open-source library caused the chatbot to leak the personal data of customers, which included some credit card information and the titles of some chats they initiated.  “In the hours before we took ChatGPT offline,” OpenAI said after the incident, “it was possible for some users to see another active user’s first and last name, email address, payment address, the last four digits (only) of a credit card number, and credit card expiration date. Full credit card numbers were not exposed at any time.”

How risk for the end user could have been mitigated:
- Using PVA's to create a ChatGPT account in conjunction with a VPN/Proxy to make the data less/non-identifiable to the chatGPT user.

Chick-fil-A Data Breach: fast food chain Chick-fil-A is investigating “suspicious activity” linked to a select number of customer accounts. The company has published information on what customers should do if they notice suspicious activity on their accounts, and advised such customers to remove any stored payment methods on the account.

How risk could have been mitigated by the end user:
- Using a pre-paid debit card solution separate from the main bank account would allow the user to easily disable access to funds without effecting day to day life.

February 21

Activision Data Breach: Call of Duty makers Activision has suffered a data breach, with sensitive employee data and content schedules exfiltrated from the company's computer systems. Although the breach occurred in early December 2022, the company has only recently revealed this to the public. According to reports, an employee's credentials were obtained in a phishing attack and subsequently used to infiltrate the system.

Twitter Data Breach: Twitter users' data was continuously bought and sold on the dark web during 2022, and it seems 2023 is going to be no different. According to recent reports, a bank of email addresses belonging to around 200 million Twitter users is being sold on the dark web right now for as little as $2. Even though the flaw that led to this leak was fixed in January 2022, the data is still being leaked by various threat actors.

How risk for the end user could have been mitigated:
- Using a privacy-friendly, disposable email with non-identifiable information for the activision account to make the mistake of the employee of no concern for the end-user.

PayPal Data Breach: A letter sent to PayPal customers on January 18, 2023, says that on December 20, 2022, “unauthorized parties” were able to access PayPal customer accounts using stolen login credentials.

PayPal goes on to say that the company has “no information” regarding the misuse of this personal information or “any unauthorized transactions” on customer accounts and that there isn't any evidence that the customer credentials were stolen from PayPal's systems.

How risk could have been mitigated by the end user:
- Don't use paypal (there are many alternatives that serve the same purpose out there)

December 1

LastPass Data Breach: Password manager LastPass has told some customers that their information was accessed during a recent security breach. According to LastPass, however, no passwords were accessed by the intruder. This is not the first time LastPass has fallen victim to a breach of their systems this year – someone broke into their development environment in August, but again, no passwords were accessed.

How risk could have been mitigated by the end user:
- Using offline encryption methods on external storage to protect passwords instead of using supposedly "encrypted" and "secure" cloud storage services


Source: https://tech.co/news/data-breaches-updated-list

[WatChe]

The good news: Significantly less people are falling for ponzi schemes similar to BitConnect than in 2017:

Its good to see the crypto community getting matured and not falling to ponzi schemes anymore. Its time may be for ponzi schemes to change there strategy as existing ones are no longer getting success. On the other hand the community should be ready for new wave of frauds/ponzi.

The bad news: Over $1.9 billion has been hacked or stolen from protocols and users during the first 7 months of 2022

This is an inherit feature of Bitcoin and can never be fixed. The weakest link in digital security of every entity is the human link. As long as humans are willing to make some mistakes, the hacking business will continue to exists. 

[BenCodie]

The good news: Significantly less people are falling for ponzi schemes similar to BitConnect than in 2017:

Its good to see the crypto community getting matured and not falling to ponzi schemes anymore. Its time may be for ponzi schemes to change there strategy as existing ones are no longer getting success. On the other hand the community should be ready for new wave of frauds/ponzi.

Ponzis that aren't ponzis, aren't ponzis (if that makes sense ). The strategy can't really be changed, just the face of it. They should change their strategy to just building legitimate products!

The bad news: Over $1.9 billion has been hacked or stolen from protocols and users during the first 7 months of 2022

This is an inherit feature of Bitcoin and can never be fixed. The weakest link in digital security of every entity is the human link. As long as humans are willing to make some mistakes, the hacking business will continue to exists. 

The non-refundable nature of transactions will never be fixed, sure, but that is not a downfall of Bitcoin nor is it a digital security issue. Strengthening each human link is one of the motivations toward the Cybersecurity & Privacy board. The more people that learn, the more people become strong enough to resist attacks. Even web administrators and smart contract developers could benefit from the cybersecurity part of the board. It might not be something that can be completely eliminated (unless security innovation beats hacking innovation) however it can be significantly be reduced...especially when you think about how many users still use flawed Microsoft and Apple products over how many people know about let alone use Linux.

[BenCodie]

On April 30 2023, Avirunes received a loan from shasan and was reportedly hacked of the whole amount lent (0.015 BTC, approx $450 USD market value). The hack shows a lot of similarities to the situation that occurred with julerz12, Avirunes was likely to have been infected with malware that was able to either grab the secret/seed phrase of the Electrum wallet, or sweep/send from the electrum wallet to the hackers address.

If the Cybersecurity and Privacy board was added any time in the last 3 months after the situation with julerz12, maybe a post there (such as one explaining and emphasizing that all users should be using Linux over Windows) may have prevented the OP from being hacked.

The Cybersecurity and Privacy board is becoming imperative for the safety of BitcoinTalk users as two incidents have now effected and caused damage to the BitcoinTalk economy.


Update May 01, 2023:
- Updated OP to include one call to action and necessary information relating to the request. Also cleaned and improved the look and layout of the thread for cleaner reading.
- Move past calls to action into the second post

[LoyceV]

If the Cybersecurity and Privacy board was added any time in the last 3 months after the situation with julerz12, maybe a post there (such as one explaining and emphasizing that all users should be using Linux over Windows) may have prevented the OP from being hacked.

That's very unlikely to happen. I wrote this years ago:

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

A more realistic suggestion would be to use a hardware wallet, but both julerz12 and Avirunes knew that already.

[BenCodie]

If the Cybersecurity and Privacy board was added any time in the last 3 months after the situation with julerz12, maybe a post there (such as one explaining and emphasizing that all users should be using Linux over Windows) may have prevented the OP from being hacked.

That's very unlikely to happen. I wrote this years ago:

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

A more realistic suggestion would be to use a hardware wallet, but both julerz12 and Avirunes knew that already.

You've referred to one sentence in a thread that is out of sight for a lot of the time. A detailed, well reasoned thread giving reason and proof as to why Windows is so dangerous paired with a detailed guide to switch to Linux might help to persuade those who are still using it to make the transition. A detailed thread would provide the ability to ask questions about making the change, inform people about why Windows is so dangerous and push them much more toward making a change. If this request is never attended to, I'll go ahead and make the thread myself. Though I would be much more motivated to post it in a section where it belongs instead of a board that anyone who doesn't consider themselves a beginner to Bitcoin itself (a lot of bitcointalk members I am sure) would never read.

I thoroughly believe that if this board was introduced around the time julerz12 was hacked, which was one of the prompts for this request, this guide would have been posted by myself or someone else and it is very possible that the scenario with Avirunes have a chance of being avoided.

[joker_josue]

If the Cybersecurity and Privacy board was added any time in the last 3 months after the situation with julerz12, maybe a post there (such as one explaining and emphasizing that all users should be using Linux over Windows) may have prevented the OP from being hacked.

That's very unlikely to happen. I wrote this years ago:

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

A more realistic suggestion would be to use a hardware wallet, but both julerz12 and Avirunes knew that already.

If people don't change behaviors, these problems will continue to arise! It doesn't matter what OS you use or whether or not you have a cold wallet, if your online browsing attitude continues carelessly, you may have these or other problems. Of course, using a more secure OS or using the cold wallet more may be less exposed to problems, but what really makes the difference is the overall behavior.

How are we going to change behaviors? This is difficult, but we are trying and warning.

[BenCodie]

If the Cybersecurity and Privacy board was added any time in the last 3 months after the situation with julerz12, maybe a post there (such as one explaining and emphasizing that all users should be using Linux over Windows) may have prevented the OP from being hacked.

That's very unlikely to happen. I wrote this years ago:

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

A more realistic suggestion would be to use a hardware wallet, but both julerz12 and Avirunes knew that already.

If people don't change behaviors, these problems will continue to arise! It doesn't matter what OS you use or whether or not you have a cold wallet, if your online browsing attitude continues carelessly, you may have these or other problems. Of course, using a more secure OS or using the cold wallet more may be less exposed to problems, but what really makes the difference is the overall behavior.

How are we going to change behaviors? This is difficult, but we are trying and warning.

You're right, however this post would be most accurate pre-2020's and just minding behavior (no matter how vigilant) is not entirely enough. The advancement of threats in the last couple of years has grown exponential. As I highlighted on Avirunes thread, attacks such as Reverse shell attacks can compromise your system just by you connecting to a website that might not even seem malicious. In this case, it is actually imperative that you're using a secure OS or else you are exposed at all times, even if you are using Windows and behaving with pre-existing knowledge and taking precautions. The fact is, Windows is absolutely not the OS to use for day-to-day activities let alone crypto activity, where coins can be very easily stolen.

My point being - We are at a stage now where minding behavior such as not downloading unknown files and blocking inbound connections via firewall are simply not enough. More steps are needed to prevent vulnerabilities from being exploited. It should be noted that this discussion only talks about cybersecurity as well, covering the base of privacy too is an entirely new discussion in itself.

[LoyceV]

attacks such as Reverse shell attacks can compromise your system just by you connecting to a website that might not even seem malicious. In this case, it is actually imperative that you're using a secure OS or else you are exposed at all times

The site asks for a login, so I can't read it. If what you're saying is true, that's simply ridiculous! How is it even legal to sell an OS that can get compromised from visiting a website, and why is the manufacturer not liable for that?

[BenCodie]

attacks such as Reverse shell attacks can compromise your system just by you connecting to a website that might not even seem malicious. In this case, it is actually imperative that you're using a secure OS or else you are exposed at all times

The site asks for a login, so I can't read it. If what you're saying is true, that's simply ridiculous! How is it even legal to sell an OS that can get compromised from visiting a website, and why is the manufacturer not liable for that?

That's odd. No login required here.

Microsoft are too big to fail. Their operating system is recognized and used by most of the western world. When it comes down to user safety versus profit, Microsoft will choose profit. While the responsible thing to do at this point is to terminate Windows and build a new operating system from scratch, Microsoft won't take this kind of action. The same thing is happening to Apple, however it's harder for the user to see it happening and the age old "apple can't get infected" myth is still believed by the wider users of Apple products.

[joker_josue]

The site asks for a login, so I can't read it. If what you're saying is true, that's simply ridiculous! How is it even legal to sell an OS that can get compromised from visiting a website, and why is the manufacturer not liable for that?

That's odd. No login required here.

Microsoft are too big to fail. Their operating system is recognized and used by most of the western world. When it comes down to user safety versus profit, Microsoft will choose profit. While the responsible thing to do at this point is to terminate Windows and build a new operating system from scratch, Microsoft won't take this kind of action. The same thing is happening to Apple, however it's harder for the user to see it happening and the age old "apple can't get infected" myth is still believed by the wider users of Apple products.

You are right in terms of business and security. I'm not even going to debate that point.

But, back to the same thing, to start this type of attack, the user will need to have at some point something that exposed him to the situation. Many still continue to use pirated OS, continue not to perform updates, not to mention using pirated software. If the person does not meet the basic requirements, no matter what OS he uses, he will be exposed to the same kind of problems.

[vapourminer]

But, back to the same thing, to start this type of attack, the user will need to have at some point something that exposed him to the situation. Many still continue to use pirated OS, continue not to perform updates, not to mention using pirated software. If the person does not meet the basic requirements, no matter what OS he uses, he will be exposed to the same kind of problems.

basically, this. i am truly amazed at how many people run pirated software, and no matter what the OS you will get compromised doing that.

as for the OS yeah linux etc. ive run it. but i still run windows for 90% of my daily driver stuff. as it generally does what i want it.

consider: i have run windows and the same btc wallet (core) since literally 2011 and its run 24/7.  winxp, win7, win10. all running 24/7 with wallet.dat and core and connected to the net 24/7 also. i just move the 2011 wallet.dat to the new install/upgrade when they happen.

AND guess how much ive lost to malware/virus/ransomware: IN 12 YEARS OF A HOT CORE WALLET IN WINDOWS,. ZERO NOTHING NADA ZILCH NEGATIVE

so yeah linux is inherently  "safer" but even windows can be configured to be pretty close.

security all comes down to the person. rarely is it ONLY the OS thats the security problem..

just my observations over 12 years in the space, and certainly not to be taken as The Only Way To Do It., so have fun tearing my "security" apart.

btw i use hardware wallets and paper wallets for my main stash, core and my phone have spending amounts.

[NotATether]

38 votes for versus 4 votes against - theymos, let's have that cybersecurity board now.

[LoyceV]

AND guess how much ive lost to malware/virus/ransomware: IN 12 YEARS OF A HOT CORE WALLET IN WINDOWS,. ZERO NOTHING NADA ZILCH NEGATIVE

That sounds like survivor bias. Many people have never lost their coins, but that doesn't change the fact that many others did lose their coins. I've never needed my seat belt, but that doesn't guarantee I won't need it in the future.

security all comes down to the person. rarely is it ONLY the OS thats the security problem..

True. But it can help a lot. I'm not installing Wine to run Windows malware.

btw i use hardware wallets and paper wallets for my main stash, core and my phone have spending amounts.

And that's how it should be As long as you can afford losing it, there's nothing wrong with using hot wallets.

[vapourminer]

AND guess how much ive lost to malware/virus/ransomware: IN 12 YEARS OF A HOT CORE WALLET IN WINDOWS,. ZERO NOTHING NADA ZILCH NEGATIVE

That sounds like survivor bias. Many people have never lost their coins, but that doesn't change the fact that many others did lose their coins. I've never needed my seat belt, but that doesn't guarantee I won't need it in the future.

security all comes down to the person. rarely is it ONLY the OS thats the security problem..

True. But it can help a lot. I'm not installing Wine to run Windows malware.

btw i use hardware wallets and paper wallets for my main stash, core and my phone have spending amounts.

And that's how it should be As long as you can afford losing it, there's nothing wrong with using hot wallets.

funny you mention seat belts. i wear mine. but not for when i get hit although that reason is a pretty up there. but i wear them mainly to stay in the drivers seat when doing "stupid vapourminer things" like drifts, catching air in the favorite "how high can you get road jump" and stuff like that. as it sure does help still being in your seat to regain control when finally back on 4 wheels. so not sure if thats a good analogy? but off topic so..

survivorship bias is a thing thats for sure. as im living proof with all the seriously serious stupid things that i done lived through that a few friends didnt. RIP my some of old buddies.

anyhow i certainly dont advocate rolling with windows for security stuff for the general peeps with coin. but my results does go to show that if one is careful (and luck has a bit to do there too) you can be fairly safe.

gonna have to get my CP/M rig up. hack THAT