Identity Theft

Formerly "Lemon Fool - Improve the Recipe" repurposed as Room 102 (see above).
UncleEbenezer
The full Lemon
Posts: 10694
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1460 times
Been thanked: 2965 times

Identity Theft

#450

Postby UncleEbenezer » November 4th, 2016, 8:49 pm

First, thanks to ClariStooz for the continuity!

I see a fair few names I recognise from TMF. I expect you're the same people here as there.

But it would be entirely possible for someone to steal a TMF identity. That is to say, register here in the name of a Fool who is trusted with something that matters. For example, various Fools use software from itsallaguess and kiloran. If a malefactor were to sign up here under one of those names, they could post a link to malware designed to damage the user, and Fools would trust them based on a stolen track record. Similarly, someone could impersonate a Fool respected for good analysis of small caps to post pump&dump scams.

That risk is low today, but grows over time as prospective blackhats become aware of a new forum, and can trawl TMF for posters trusted there but not already signed up here.

Itsallaguess
Lemon Half
Posts: 9129
Joined: November 4th, 2016, 1:16 pm
Has thanked: 4140 times
Been thanked: 10023 times

Re: Identity Theft

#460

Postby Itsallaguess » November 4th, 2016, 8:59 pm

UncleEbenezer wrote:First, thanks to ClariStooz for the continuity!

I see a fair few names I recognise from TMF. I expect you're the same people here as there.

But it would be entirely possible for someone to steal a TMF identity. That is to say, register here in the name of a Fool who is trusted with something that matters. For example, various Fools use software from itsallaguess and kiloran. If a malefactor were to sign up here under one of those names, they could post a link to malware designed to damage the user, and Fools would trust them based on a stolen track record. Similarly, someone could impersonate a Fool respected for good analysis of small caps to post pump&dump scams.

That risk is low today, but grows over time as prospective blackhats become aware of a new forum, and can trawl TMF for posters trusted there but not already signed up here.


Just wanted to re-assure anyone specifically worried about me and Kiloran that we were early adopters of this new site, and we are both the real deal.

That said, your concern is a valid one and this is of course why we've always made the HYPTUSS tool open-source, and it's been verified a few times over the years as being issue-free in this regard. The background code is password-protected purely to keep people from breaking it when they didn't mean to, and we've always freely given out the password to it for those really interested to 'get behind the scenes' and see what's going on.

The coding password to the HYPTUSS is 'pleaseletmein', and anyone at all is of course welcome to take a look. All we would ask is that if you see anything that looks like poor coding, rather than malicious coding, then please keep that to yourself.... :lol:

Cheers,

Itsallaguess

Meatyfool
Lemon Slice
Posts: 313
Joined: November 4th, 2016, 11:43 am
Has thanked: 2 times
Been thanked: 55 times

Re: Identity Theft

#468

Postby Meatyfool » November 4th, 2016, 9:13 pm

This is an issue I raised on MTV before I even knew lemonfool was in existence. I suggested a solution on the original closure thread on tif.

It would require assistance for development from tmf but not an onerous amount, something lemonfools could contribute if need be.

Essentially, log in to motleyfool, click on a link saying please direct my username to lemonfool and I will then set up a password there.

Poorly described but provides continuity of username ownership.

Meatyfool..

UncleEbenezer
The full Lemon
Posts: 10694
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1460 times
Been thanked: 2965 times

Re: Identity Theft

#483

Postby UncleEbenezer » November 4th, 2016, 9:33 pm

Itsallaguess wrote: All we would ask is that if you see anything that looks like poor coding, rather than malicious coding, then please keep that to yourself.... :lol:

:D

Sometimes poor coding can be the best thing you can do. The reason? It grows the community, as people post fixes, and some of them go on to contribute much more.

This applies when the software itself is (reasonably) substantial, and the author has credibility. Otherwise nobody else is going to take much interest in the first place: they'll look elsewhere or write their own rather than contribute to something that doesn't have starting value.

(Yes, Free Software and its associated communities are my day job).

AleisterCrowley
Lemon Half
Posts: 6381
Joined: November 4th, 2016, 11:35 am
Has thanked: 1880 times
Been thanked: 2026 times

Re: Identity Theft

#509

Postby AleisterCrowley » November 4th, 2016, 10:15 pm

Identity management worries me a bit (part of the day job...)
I guess a screenshot of a TMF profile in edit mode posted here would deter casual identity theft, but (I guess) could be photoshopped
I have suggested an authentication thread on the TMF boards so people can confirm their 'new' identity.
I think most imposters would get caught quickly, as regular posters have a style which is easily recognisable, but difficult to copy (akin to a morse code operator's 'fist' - their unique signature)

Meatyfool
Lemon Slice
Posts: 313
Joined: November 4th, 2016, 11:43 am
Has thanked: 2 times
Been thanked: 55 times

Re: Identity Theft

#533

Postby Meatyfool » November 4th, 2016, 10:54 pm

AleisterCrowley wrote:Identity management worries me a bit (part of the day job...)
I have suggested an authentication thread on the TMF boards so people can confirm their 'new' identity.

Could you post a link please?

Meatyfool..

staffordian
Lemon Quarter
Posts: 2298
Joined: November 4th, 2016, 4:20 pm
Has thanked: 1887 times
Been thanked: 869 times

Re: Identity Theft

#549

Postby staffordian » November 4th, 2016, 11:10 pm

Meatyfool wrote:
AleisterCrowley wrote:Identity management worries me a bit (part of the day job...)
I have suggested an authentication thread on the TMF boards so people can confirm their 'new' identity.

Could you post a link please?

Meatyfool..


This is it...

http://www.lemonfool.co.uk/viewtopic.php?f=9&t=17&p=284#p284

As links don't (yet?) work, you will need to copy it and paste it into a browser window, but it says...

just 'thinking aloud' but how about a thread on TMF for 'username authentication' ?

EG we all post something along the lines of;
(1) Hi this is foolusername, I also post on lemonfool as foolusername
or
(2) Hi this is foolusername, I post on lemonfool as lemonfoolusername
or
(3) Hi this is foolusername, I also post on lemonfool under a different name which I don't wish to divulge, so anyone on there claiming to be foolusername is an imposter!
or
(4) Hi this is foolusername, I don't post on lemonfool so anyone on there claiming to be foolusername is an imposter

AleisterCrowley
Lemon Half
Posts: 6381
Joined: November 4th, 2016, 11:35 am
Has thanked: 1880 times
Been thanked: 2026 times

Re: Identity Theft

#555

Postby AleisterCrowley » November 4th, 2016, 11:20 pm

Haven't figured out links on my phone yet (and they are disabled on this site I think) so thanks for above.
There are a few high profile posters as yet unregistered under TMF usernames (based on a random unscientific check)
I'm definitely 'me' (trust me on that one) but vaguely worried people could take on the identity of TMF regulars and post libellous/unpleasant comments.
I love West Brom - c'mon you baggies!
No, only joking ...

Julian
Lemon Quarter
Posts: 1386
Joined: November 4th, 2016, 9:58 am
Has thanked: 532 times
Been thanked: 676 times

Re: Identity Theft

#618

Postby Julian » November 5th, 2016, 8:04 am

I think the horse has probably bolted on this one but, at least until 17th Nov (i.e. while the Fool UK boards are still accepting posts) it would be pretty simple to have a scheme where we, the community, could validate users. It goes like this...

1 - Existing Fool user registers here
2 - Post a hello message here, ideally to a dedicated validation board here or failing that to some nominated board such as the testing board. That message would contain a random 16 digit number of the user's choice.
3 - Go to Fool UK and make a post with the same 16 digit number using the same user name as was registered here. There would be the ability to handle changes of user names as well. If the lemonfool name is different then say in the lemonfool post "I'm now FatRabbit but I was SlimRabbit on the Fool so look for the SlimRabbit post over there".

The community now kicks in. When someone sees a post on the validation board here they, after waiting a few minutes to give time for the Fool post to be made, go and look on the Fool UK post for the corresponding validation post there and check the numbers are the same in each post and the user name(s) as expected.

If the validation passes then reply to the validation message here indicating the fact so that hundreds of lemonfools don't waste time checking the same posts. If the validation fails then again post the fact and report the post to the moderators so that further action can be taken.

Technically one should require the lemonfool post to be seen to precede the Fool one to remove doubt that someone miraculously saw a validation post on the Fool, copied the 16 digit number, and then was quick enough to register and post here before the valid Fool user could. I don't think that's a big concern though but post order should probably be checked as well simply for logical rigour and completeness.

The only issue would be informing new users of the validation method. That could be done by changing the text of the activation email but I for one never read those but the validation can always be done retrospectively as long as it's before 17th Nov so it would probably work out. Alternatively, if there is a facility to block posting to all but specific boards then new users could be set up to be only allowed to post to the validation board and maybe the welcome board so someone who missed the instructions would probably go to the Biscuit Bar and post a "why can't I post?" message (or see an old one from someone else) and be told what to do. The downside of that is that the moderators need to explicitly unlock every valid user so it is more work for them whereas without the initial locking moderators only need to be involved on validation failure.

As I say, I think the horse has bolted here and it's not worth the effort. I was worried about it yesterday but am now more confident that anyone we know and love from the other place will be recognised by their style, anyone hijacking their user name found out pretty quickly, and subsequently banned.

- Julian
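
The check a community member would perform under the scheme in the post above, written out as an added example (it is not part of the original post or of either site's software). The `Post` record, the `validate` function, the comparable timestamps and the case-insensitive username match are assumptions; the sample posts are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Post:
    username: str
    posted_at: datetime  # assumed: both sites' timestamps are in the same timezone
    body: str

NONCE_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")  # exactly 16 digits, not part of a longer run

def extract_nonce(body):
    """Return the one 16-digit number in a post, or None if missing or ambiguous."""
    found = set(NONCE_RE.findall(body))
    return found.pop() if len(found) == 1 else None

def validate(lemon_post, fool_post, old_fool_name=None):
    """Check one lemonfool/Fool UK post pair; return (ok, reason)."""
    # A changed username must be declared in the lemonfool post; the checker passes it in.
    expected = old_fool_name or lemon_post.username
    nonce = extract_nonce(lemon_post.body)
    if nonce is None:
        return False, "no single 16-digit number in lemonfool post"
    # Case-insensitive comparison is an assumption about how both forums treat names.
    if fool_post.username.casefold() != expected.casefold():
        return False, "Fool UK post is under an unexpected username"
    if extract_nonce(fool_post.body) != nonce:
        return False, "numbers do not match"
    # Post order: the lemonfool post must come first, so a number copied from
    # Fool UK cannot be used to register here ahead of the real user.
    if lemon_post.posted_at >= fool_post.posted_at:
        return False, "lemonfool post does not precede Fool UK post"
    return True, "validated"

# Constructed sample posts (usernames from the thread's example; numbers and times invented).
LEMON = Post("FatRabbit", datetime(2016, 11, 5, 9, 0),
             "Hello, I was SlimRabbit on the Fool. 8051729364401857")
FOOL = Post("SlimRabbit", datetime(2016, 11, 5, 9, 4),
            "Validation for lemonfool: 8051729364401857")
COPYCAT = Post("FatRabbit", datetime(2016, 11, 5, 9, 10), LEMON.body)

if __name__ == "__main__":
    print(validate(LEMON, FOOL, old_fool_name="SlimRabbit"))    # genuine pair
    print(validate(COPYCAT, FOOL, old_fool_name="SlimRabbit"))  # registered after the Fool post
```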

LemonFool
Posts: 9
Joined: November 4th, 2016, 6:46 pm
Been thanked: 1 time

Re: Identity Theft

#674

Postby LemonFool » November 5th, 2016, 10:18 am

+1 Julian

Not worth the effort, it'll sort itself out.

Gengulphus
Lemon Quarter
Posts: 4255
Joined: November 4th, 2016, 1:17 am
Been thanked: 2628 times

Re: Identity Theft

#1227

Postby Gengulphus » November 6th, 2016, 4:54 pm

Julian wrote:1 - Existing Fool user registers here
2 - Post a hello message here, ideally to a dedicated validation board here or failing that to some nominated board such as the testing board. That message would contain a random 16 digit number of the user's choice.
3 - Go to Fool UK and make a post with the same 16 digit number using the same user name as was registered here. There would be the ability to handle changes of user names as well. If the lemonfool name is different then say in the lemonfool post "I'm now FatRabbit but I was SlimRabbit on the Fool so look for the SlimRabbit post over there".


Maybe I'm being dim, but what do the hello message and the 16-digit number add? I.e. what's the flaw it fixes in the simpler procedure:

1 - Existing Fool registers here
2 - Then existing Fool goes to Fool UK and posts there to say that they've registered here under such-and-such a name.

I can't see that there is such a flaw. In particular, if the existing Fool's Fool UK account has been broken into by a 'thief', that 'thief' can complete either procedure - so while there is a flaw, it's not fixed by adding the hello message and the 16-digit number. And if it hasn't been broken into, the 'thief' cannot complete either procedure.

Gengulphus

