-------- Forwarded Messages --------

On 08/18/2016 18:02, Luigi Rebuffi wrote:
>> I got also your comment from the "info" mail.
>> Until now we (as EOS and ECSO) have nothing to "hide" in our website and server, therefore, security measures are reduced to a minimum.
>> In the past we had only one hacker attack at the EOS website, that lasted for a few hours and then disappeared, just to test the "security" of a "security organisation".
>> When we created ECSO, ANSSI (the French cyber agency) made a pentest and found the weakness of our site. The answer was the same as for you. No need for the moment to raise our level and invest money when not needed.
>> I know that there could be some hacker having fun in disrupting our site and degrading our image, but this is not a problem for the moment. We have to be as transparent as possible.
>> Yet, I was thinking during my vacation that something more will be done in the future for the protection of certain topics, like the database and the intranet. It is my intention to discuss with friends (white hat hackers) and see what could be done for our website and some exposed computers.
>>
>> Regards
>>
>> L.R.
>>
>
> ----
> Thanks for your message.
>
> I am on summer vacations. I'll come back on August 24th.
>
> In the meantime I'll try to read my mails and reply as best and as fast as possible.
>
> In case of urgent need, please contact my assistant, Nadège
> nadege.grard@eos-eu.com
>
> Regards
> L.Rebuffi
-------- Forwarded Messages --------
Subject: Re: ECSO membership . versus EU: IP-16-2321
Date: Thu, 18 Aug 2016 22:45:42 +0200
To: Luigi Rebuffi
CC: president.juncker@ec.europa.eu
CC: GUENTHER-OETTINGER-CONTACT@ec.europa.eu
CC: marietje.schaake@europarl.europa.eu

Dearest vacationing Luigi,

[Excuse the use of some sarcasm; it seems to fit a gap between what is stated by ECSO & Co and what is actually observed.]

It seems rather odd or naive to use the "nothing to hide" argument, when website defacement of 'security' organizations is well documented as a reputation Terminator. But maybe ECSO/EOS doesn't care much about its reputation, when the money contract has already been signed with the EU?

> "I know that there could be some hacker having fun in disrupting our site and degrading our image, but this is not a problem for the moment."

Besides that, I think that you would mind if someone else would get access and for instance send a malicious email to all registered contact persons of all those member organizations/companies. Or would change one of the (insecure and info-leaking) download PDF documents (for using the RSA hack method). To just name some age-old attack vectors.

Even if one somehow chooses to accept those risks, one still has to act as an example of how to do it right, or not??

If you really believe the "nothing to hide" argument, why did ANSSI (the French cyber agency) do a penetration test?

And how can you talk about "and found The weakness of our site", when there are at least 8 major and about 20-odd minor possible paths visible, for just ECSO? (excluding all those in relation to EOS), like the www.eos-eu.com/default.aspx?page=memarea , which even joyfully helps hackers find valid registered users.

The ECSO systems don't even seem to be protected against child's-play 1990's vectors.

Besides that, 'pen-tests' are known to be rather useless because they (A) depend on the skill and allocated time the specific tester has (most testers are not very skilled these days, having just done a child's-play CEH certification, and normally get too little time, especially in comparison to actual hackers). And (B), if a random pen-tester doesn't manage to get 'in' today, that doesn't mean that a pimple-faced bored schoolkid can't find a way to mess up the infrastructure tomorrow. So.. IMHO, pen-tests are yet another commercial smoke-and-mirrors product.

Yet one more odd or naive argument in our eyes: "No need for the moment to raise our level and invest money when not needed."

No money investment is needed; in fact it would save you some money if you would choose the correct (instead of the lazy) setup for your web, email, client, legal, etc. structure.

A little caring/effort would also have enabled your organisation to comply with privacy laws, which you are at the moment violating in several ways. Even after the EU and the Court of Justice of the European Union released clear statements about why and how to comply, some time ago.

Can you explain what you mean with the "We have to be as transparent as possible." argument?

I suppose it doesn't mean that everybody may read all your work emails and analyze the web access statistics for possible easy govt attack victims by looking for their outdated (vulnerable) browser & OS & email client identification strings. So what do you want to be public (transparent) and what not?

> "It is my intention to discuss with friends (white hat hackers) and see what could be done"

*sigh*

Here we are, offering a simple cost-saving method to get the protection to an adequate level within 3 years, and instead of even asking what that entails... you chose to completely ignore the offer and state that you are thinking about asking 'Hackers' instead. Maybe you missed the security-101 seminar, but 'Hackers' know about breaking weakest-link things, and Information Protection Specialists know more about how to prevent those white/grey/black-hat hackers from even finding any weak links.

My educated guess is that the EU commission ECSO deal is all just about dancing with $$ 'friends', instead of the proclaimed "A partnership for cyber security in Europe. Building together a European cyber ecosystem".

# We like to invite you to prove the opposite

But don't feel obliged to prove anything.. it's just that only 10% of the funds stated as pre-allocated in IP-16-2321 would be more than sufficient to get the cyber-security to an adequate level in the willing EU member states within just 2..3 years. And that would be the honorable choice when dealing with all those citizens' data & critical-infra protection needs.

That's all.

* It is up to you (& Günther) to choose a hat for the next few years.
ec.europa.eu/avservices/photo/photoDetails.cfm?sitelang=en&ref=032087#3

Best regards,
*

---
-------- Forwarded Message --------
Subject: EU and our cyber 'security' future. Dirty deals?
Date: Thu, 18 Aug 2016 16:39:12 +0200
To: Philipp.Seibt@spiegel.de,

Hello Philipp and Alexander,

We have sent a letter to Günther Oettinger, informing him that the (PPP) deal with commercial organizations will only lead to more problems instead of a decent solution to the 'cyber security' issues. Because the commercial organizations benefit too much from selling even more products and outsource & support contracts (= keeping the problem alive), instead of just fixing the problem once and for all.

So there is an elementary conflict of interest!

We have also informed him that a rather simple method exists which eliminates root causes, instead of continuing their rat race with more and more insufficient, expensive and complexity-increasing product$ with endless patches and updates.

It seems like the deal between Günther and Luigi (THALES) & Co is at the expense of the common people (their security & privacy rights, and their tax money) in the E.U. countries. That deal is something that seems to prevent Günther (the E.U.) from even wanting to consider our simple proven solution.

There has been no response at all from his office :( [which was kind of expected after reading your article about the preference to /deal/ with commercial 'friends' rather than using common sense and decency]

It's easy to prove that ecs-org.eu is a scam (and ENISA incompetent), by showing that their own security and privacy protection is negligently inadequate. They really don't care about 'security', so much so that they don't even try to use the simple well-known top 5 protection measures, and are also violating privacy protection laws, etc.

..With a few basic questions one should be able to get Luigi to confess, to get a nice expressive quote ;-)

Kind regards,
*

---
www.spiegel.de/wirtschaft/soziales/guenther-oettinger-und-lobbyismus-eu-kommissar-trifft-selten-ngos-a-1040147.html
europa.eu/rapid/press-release_IP-16-2321_en.htm
www.linkedin.com/in/luigi-rebuffi-90a439b0
www.ecs-org.eu/news/ecso-ec-contract-signature
ecs-org.eu/documents/ecso-membership-form.docx
ec.europa.eu/avservices/photo/photoByReportage.cfm?ref=032087&sitelang=en
----#
> Your message
>
> To: CAB GUENTHER OETTINGER CONTACT
> Subject: Re: ECSO membership . versus EU: IP-16-2321
> Sent: 19 August 2016 13:47:11 (UTC+01:00) Brussels, Copenhagen, Madrid, Paris
>
> was read on 19 August 2016 16:02:07 (UTC+01:00) Brussels, Copenhagen, Madrid, Paris.
>
> Final-recipient: RFC822; GUENTHER-OETTINGER-CONTACT@ec.europa.eu
> Disposition: automatic-action/MDN-sent-automatically; displayed