Dutch journalist gatecrashes EU defence video conference

bbc.co.uk

80 points by rb2e 5 years ago · 93 comments

FatalLogic 5 years ago

According to a screenshot that the journalist posted on Twitter, it appears that the video conference session is browser-based, and the pin and username are in the browser URL in plaintext.

So then if you can see anyone's screen, or any clear photo of it, you can easily join the conference. Seems like very poor security design if that's so.

https://pbs.twimg.com/media/EnRlaFeWMAQzyIS?format=jpg

The software URL format looks similar to that used by Pexip.com

FatalLogic 5 years ago

If he joined the video conference to watch and listen, but just sent a blank screen video, or maybe a freeze frame of an empty chair, would anyone have noticed?

  • snypher 5 years ago

    I remember being in voice chat for a space spreadsheet game [0] and hearing the 'ding' for a new user joining the channel. Everyone knew to stop talking lest a spy discover where our fleet was. I really hope there's a similar reaction in these chats!

    [0]eve-online.com

    • bserge 5 years ago

      Corporation and guild leaders really should put that on their CVs, it's literally management experience!

      • ObsoleteNerd 5 years ago

        Eve is a special special game. I led/CEO’d a ~200 player Corp (WH/Null pirates) for a fair few years. We had a security division responsible for protecting our web services and communications, custom web and phone apps because we didn’t trust the publicly available ones, an intelligence division responsible for trying to break into enemy services and get info, a propaganda division for feeding false Intel “accidentally” via reddit/etc comments, PR department for managing recruits, and a strict chain of command with levels of management. The bigger corps went even way further than that. It was lots of fun, probably the most fun I’ve ever had in a video game in 35yrs of gaming, but eventually I needed to actually see sunlight again and have a life.

        • neurostimulant 5 years ago

          Sounds like I would probably love getting into Eve Online, but I can't find enough time to game anymore on a regular basis. My Steam account and old PS3 are still full of games I haven't played yet.

          • austhrow743 5 years ago

            Same boat. Eve is my too disabled/elderly to leave the house much plan. Immerse myself and live the rest of my life as a space captain.

zaroth 5 years ago

I think they should be a lot more concerned about the people recording the meeting who don't show up on the attendee list, than of the people who show up and wave in front of the camera.

pkz 5 years ago

The conference chair couldn't help giggling. What was it he said? "Hey you better hang up before the police arrives"?

  • jariel 5 years ago

    It's very serious stuff, it's not funny.

    Someone leaving their doors unlocked doesn't mean you should be entering.

    More importantly, how on bloody earth are defence discussions happening in a situation that can so easily be defeated?

    The officials themselves are to blame for blatantly terrible security protocols.

    • curiousllama 5 years ago

      > Someone leaving their doors unlocked doesn't mean you should be entering.

      Yea, well, it's a useful function of journalism to poke their head in open doors and say "you're doing _WHAT_ in here?!"

      I slot this in alongside the time US nuclear missile officers were found asleep, with the door open waiting for takeout - simultaneously seriously disturbing and quite funny.

      https://www.cnn.com/2013/10/23/us/air-force-nuclear-silo-doo...

    • numpad0 5 years ago

      Someone leaving a door unlocked means you must enter one step and scream out loud before criminals come and trigger a global thermonuclear war. That’s basic ethics for software engineers.

    • mekkkkkk 5 years ago

      This is by far the most effective way to make sure said door is locked in the future. This guy deserves a reward.

    • 0dmethz 5 years ago

      I think it's better to have a journalist step in and warn you about your door being open, rather than having someone with bad intentions sneak in, don't you think?

rosmax_1337 5 years ago

They're laughing right now, but really these kinds of mistakes are telling how weak the security of various agencies is.

  • fakedang 5 years ago

    EU militaries are a joke tbf. Apart from France and (formerly) the UK, most of them can't do shit except sell firearms to Arab despots. I think someone from Romania here mentioned that they trust the US to protect them more than they trust France or Germany.

    • mschuster91 5 years ago

      German here, you're right. The biggest part of the problem is that historically there are only three superpowers in the EU - France, UK and Germany. The UK is gone off the rails, the French can't pick up the slack for everyone else alone and us Germans are (out of very valid historical concern) extremely wary of pulling our weight on the international stage.

      Add to this that the EU is corrosively fractured, nowhere near as coherent as the US. We're no match, hell (thanks to the Brits) the EU doesn't even have a Foreign Minister, and the effective veto power of even a super tiny nation doesn't make it any easier.

      • bserge 5 years ago

        Is Germany really that reserved because of the last world war? I mean, I get that it was bad, but it's history.

        Everyone else who has a very similar history (even though it's painted in a better light by the media) has moved on.

        • mschuster91 5 years ago

          Germany caused not one but two world wars and is, despite being beaten almost to death after ww2, once again the dominant power in the EU. Let's face it we usually get what we want even without having a competitive military - if we had there would not be much to stop us.

          I'm actually grateful that our leaders have been and still are mindful of that fact.

          • rosmax_1337 5 years ago

            I'll give you the last word if you reply to this comment, since this discussion seems like something that generally doesn't belong on this site.

            But, Germany did not cause two world wars.

            • fakedang 5 years ago

              Did I just imagine up a tyrannical despot who seized power from the democratic process, called himself Fuhrer, then went on to slowly acquire land from Czechoslovakia, Austria and Yugoslavia, before deciding to invade France, Benelux, Poland and a host of other countries?

              Or the time when the hot-tempered Kaiser couldn't keep it in his pants and wanted to test his new toys with the rest of his aristocrat buddies?

              • ungoog 5 years ago

                France and Britain declared war on Germany during WW2, which effectively triggered a world war.

                • estaseuropano 5 years ago

                  It is quite a lot more complex than that. I'd say it is a stretch to argue that Germany was to blame for WW1 (post-WW1 Germany was forced to take the blame but the reality was a lot more complex).

                  You can then also argue about the context/contribution the harsh treaty of Versailles made to WW2. But to not blame principally Germany/NSDAP/Hitler for WW2 after Germany marched into Poland is pretty absurd.

        • fakedang 5 years ago

          West Germany had been very proactive under the Adenauer years to abolish all forms of Nazism. In East Germany, the Soviets did that, albeit violently often, which is why there is a higher rate of Neo-Nazism in the east (apart from the usual issues such as poverty and unemployment).

          • mschuster91 5 years ago

            > In East Germany, the Soviets did that, albeit violently often, which is why there is a higher rate of Neo-Nazism in the east (apart from the usual issues such as poverty and unemployment).

            Sorry, that's wrong. Eastern (Communist) Germany painted itself as an "anti-fascist state by definition", but in reality there were an awful lot of Neo-Nazis active in the GDR - and after the Mauerfall Western cadres only had to move in to find faithful people. It's estimated that there were 15.000 (!) Neo-Nazis at the time. See https://www.deutschlandfunk.de/die-ddr-und-ihre-neonazis-rea... or https://www.zeit.de/2012/08/DDR-Nazis for more details.

            This "the DDR was antifascist and there were no Nazis there" nonsense is a huge part of why the neo-Nazi problem in the former GDR was overlooked until 2015ff with PEGIDA and other violent far right movements appearing (for many uninitiated) "out of thin air".

            • fakedang 5 years ago

              I did not say the DDR was anti-fascist or something. But there was a concerted effort by the Soviets to purge all forms of Nazism actively - which effectively failed, as per the evidence you provide yourself. A large part of the population resented the Soviet rule and effectively turned to Fascism as a reprieve (something I thought was implied so I skipped mentioning it explicitly). The Soviets went, but Fascism was there to stay.

    • rgblambda 5 years ago

      If the EU is to become independent from the US as Macron wants it to, then that's going to have to change.

    • vagrantJin 5 years ago

      As a bloc, I don't think the EU had much of a choice. The US had them on a tight leash until DJT came through and forced them to consider protecting themselves.

      To think DJT has woken up the EU from their decades long slumber is incredible.

      • cptnapalm 5 years ago

        There was chatter about this back in the mid-2000s about the EU forming their own independent foreign policy. There was lots of ink spilled about the EU's soft power which evaporated as it turns out soft power doesn't exist without hard power. Obama lamented the "free rider" problem where much of the EU wouldn't live up to their treaty obligations. The EU wasn't on a leash; it just didn't bother.

        • vagrantJin 5 years ago

          By a leash I mean being a freeloader at your friend's house with his wife and kids. He says it's ok because he has known you since you were toddlers. That's the leash.

          The EU didn't bother on account of the US taxpayer footing the bill regardless, thus removing their freedom of action and their seat at the table. They've gotten so feeble, no one even cares.

          • mschuster91 5 years ago

            > The EU didn't bother on account of the US taxpayer footing the bill regardless

            The US didn't just burn that money for naught, they got something from all that investment and that is that they were for all intents and purposes the leader of the world, both in "soft power" and "hard power".

            The problem is that it is very hard to quantify the benefits while it's extremely easy to quantify the costs.

curiousllama 5 years ago

Note that there are different levels of "secret" when it comes to this stuff. Given the size of that meeting (20+ people) and the reaction, I'd be surprised if the topic matter was more secret than how much the defense agencies pay their employees - secret, no doubt, but not exactly the nuclear launch codes.

  • estaseuropano 5 years ago

    Indeed this was a ministerial level conference, the prep meetings are probably more secure and no one would be stupid enough there to share screenshots.

    At least since Snowden EU leaders probably always assume that someone is listening in. NSA and GCHQ had breached Belgacom (Belgian former telecoms monopoly) to listen in on the EU.

kyriakos 5 years ago

It's amazing how well they took it, laughing and all.

aequitas 5 years ago

I wonder, if he was sitting in a suit and in a room with some flags behind him (not in his shirt in an ordinary office), if anyone would have even noticed he was intruding on their conference. They laugh it off now because he doesn't fit in.

  • bouk 5 years ago

    Probably if he didn't turn on his camera then nobody would've noticed at all.

andrepd 5 years ago

This is profoundly depressing. The fact that an EU defence conference is being held... on Zoom, is truly a microcosm of what has been the strategic policy of the EU for the past 20-30 years. We have sold off our independence, our advantages economic and otherwise, for pennies. For minuscule short-term gains, we have sold off our industry, our tech, to a hostile and totalitarian government. Well when I say "we" I mean private enterprise, but also the governments who were supposed to be raking in (though as one German economist said, government and private enterprise are pretty much one and the same).

There will soon come a time (in fact, it's pretty much here already) where China calls the shots over us. "Obey, or no microchips for you. In fact, no manufacturing of any kind." Thoroughly depressing.

  • kyriakos 5 years ago

    That's not Zoom, it's Pexip

    https://www.pexip.com/

  • Moodles 5 years ago

    The Zoom security debate has been hashed to death on HN lately, but Webex for example patched some RCEs only a couple weeks ago. I’m not fully convinced Zoom is objectively less secure than all the other alternatives these days. They just get a lot more attention for it.

    Besides, if the EU defence conference had an open URL or weak password that issue would apply regardless of Zoom, Webex, etc.

    • rscho 5 years ago

      The point of GP is that Zoom is American software, regardless of any particular issue related to the app itself. Which, IMO, is a very crucial point.

      An EU security conference should use EU software, and as little foreign stuff as possible. Otherwise, it's just theater (and it currently really is just that!).

      • TeMPOraL 5 years ago

        > The point of GP is that Zoom is American software,

        Wait. Isn't Zoom Chinese software?

      • Moodles 5 years ago

        All of Zoom’s security team is based in the US to be fair. I don’t really agree in general that the X-conference should use X-software.

        • rscho 5 years ago

          Well, if you are using foreign software for sensitive stuff, then you should at least be able to fully review the source and build the app yourself.

          > All of Zoom’s security team is based in the US

          That's the point. Thinking that the US are truthful and honest allies of the EU is plain laughable.

          • Moodles 5 years ago

            They’re also all using Apple products, for example.

            • rscho 5 years ago

              Yes, much to the EU population's dismay.

              • Moodles 5 years ago

                I think it's way too paranoid and impractical to seriously have every single thing homegrown. No Zoom, no Microsoft, no Apple, no Google, no Intel or ARM chips. It's just not going to work. It's not even clear to me that would be more secure. Okay, so you've successfully defended against the threat of the US government pressuring those companies to add backdoors to spy on your conference. Now you have to make sure your homegrown software and hardware is secure. Also the EU is multiple countries with competing interests anyway. Come on. We have to be a little more practical in the real world I think.

        • numpad0 5 years ago

          Kinda cool if defense conferences were done using some defense apps that work, so that in case of a Soviet or Romulan invasion or whatever, military generals and SecDefs could just open their defense laptop and resume their defense discussions, though granted the world doesn’t have runaway Soviet threats anymore.

          • EVdotIO 5 years ago

            It's about sovereign interest, and if you rely on foreign assistance to run state, you are a vassal at best. Last time I checked, Russia is still holding onto annexed land in Ukraine, and there is a proxy war in Yemen, the Korean peninsula is prepared for a full blown conflict at any moment, hostilities between India and Pakistan, and on, and on, and on, and on. There are absolutely ambitious geopolitical interests at play willing to use brutal force as a means to obtain their goals at costs most people cannot comprehend. It's probably advantageous to have your own tech and verticals for building it domestically. I mean it's not like securing uranium deposits.

    • jankotek 5 years ago

      But it should not matter how secure chatting software is. This sort of stuff should be on an offline VPN, separated from the normal internet. If officials are using their personal devices for this....

  • john_minsk 5 years ago

    It is not that simple. The minute China does it - they stand alone. The whole premise of outsourcing manufacturing to China will die. No one will trust them to do it. In my opinion they won’t do it.

    • ben_w 5 years ago

      With ~20% of the world’s population, more than the entire combined population of the G7, they might be able to stand alone.

      They may not explicitly desire standing alone, but I wouldn’t bet against them deciding that’s the better option, nor would I bet against them using or threatening to use their manufacturing capability to put pressure on certain policy objectives. It’s not like other countries don’t use economic impact as a carrot/stick to achieve policy objectives.

      • bserge 5 years ago

        Imo, it's because they have such a huge population that they can't stand alone. They simply don't have enough resources. And unlike the US, they're surrounded by current and potential enemies.

    • toyg 5 years ago

      The setup of China being the world’s workshop is temporary. Chinese leadership is using foreign capital to bootstrap their internal market. They will be self-sufficient in less than a generation.

      • 737maxtw 5 years ago

        And, perhaps more importantly, they are using all of the monies to start getting their own foothold in other continents. IOW they are entering their own modern expansionist phase.

  • AsyncAwait 5 years ago

    > It will come soon a time (in fact, it's pretty much here already) where China calls the shots over us.

    The U.S. already does that. Why is that any better?

    • throwaway189262 5 years ago

      If China bullies too much the US and Europe will ally together against them.

      The difference between the US and China's government is that almost nobody likes China. The US, at least before recent political developments, tries to make sure that agreements benefit both sides.

      The US is also a democracy that respects freedom of the press and human rights to a degree. China doesn't give a shit about any of that.

      • AsyncAwait 5 years ago

        > If China bullies too much the US and Europe will ally together against them.

        Right. My problem is that the U.S. already is bullying too much and nobody pushes back against them, if it takes China to do it, so be it. I wish the EU to grow a backbone, but it is unlikely to happen.

        I mean you have the U.S. sanctioning MEDICINE to Iran in the middle of a global pandemic and threatening Europe with secondary sanctions if we help out.

        You have the U.S. sanctioning ICC officials for wanting to investigate U.S. war crimes. You have the U.S. arguing in the open[1] that it is free to kill its own citizens without due process.

        I'd like someone to push against that, may as well be China if the EU is not up to the task, as it has repeatedly shown.

        1 - https://www.techdirt.com/articles/20201117/12384545723/gover...

        • throwaway189262 5 years ago

          These are all very recent developments. The last few years have been very different from the decades before. Hopefully we can restore some normalcy after this turbulent period...

    • smabie 5 years ago

      Would you rather have the US tell you what to do or China?

dba7dba 5 years ago

One of the ways China managed to hack into America's F35 (or F22) fighter development program was listening in on a conference call of various vendors discussing project status.

0dmethz 5 years ago

Of course they respond with the obligatory "we'll report this to the authorities", rather than "thank you for pointing this out in a harmless way, we'll do better".

  • curiousllama 5 years ago

    It was humor... The "threatener" was laughing, the audience was laughing, and the journalist laughed too.

    Probably the best response you can hope for in the moment.

    • agilob 5 years ago

      Hmmmm

      >The meeting was ended due to the breach, while a Foreign Affairs Council spokesman told RTL: "Such a breach is illegal and will be reported to the authorities."

    • xuhu 5 years ago

      The journalist was laughing, but the foreign policy chief just got painted as an emperor without clothes.

      And the foreign policy chief was laughing, but I bet he was asking himself "who do I send over there to stop them" while trying to maintain the laughing face.

inglor_cz 5 years ago

Yeah, the problem with online meetings is that someone else might be taking part as well, unseen and unheard.

Does not matter as much if you discuss reconstruction of a mountain hut, matters a lot in defence, espionage or diplomacy.

praptak 5 years ago

Not sure how confidential that conference was but I'd imagine these use at least a 2FA dongle to authenticate. This is surprising.

  • pkz 5 years ago

    It was a six-digit pin of which 5 digits were accidentally shown in a tweet from the Dutch Defence Minister Ank Bijleveld.

  • pkz 5 years ago

    Had the laptop had a 15 inch screen it would likely have shown the entire URL including the full PIN code. Also visible on the screen are bookmarks to Netflix and what looks like barber shop music. Also a Gmail tab open. Did not know defense ministers were using Gmail on official hardware...

    • rapnie 5 years ago

      Everyone and their mother uses Google services for their personal and/or confidential stuff, going from blind faith or just never thinking about it. After all it is good old Google, not some large surveillance capitalist.. Oh wait.

  • claudex 5 years ago

    Some sources said they will hold off further meetings until the security is improved.

  • j0057 5 years ago

    You'd imagine, but this conference software apparently only requires a pin that's visible as a GET parameter in the URL. I don't think you can blame the users for posting a screenshot.

    • claudex 5 years ago

      In this case, you can blame the user. They are the minister of defense, they can (and should) request an audit for the conference system they use. Personally, I think that they didn't want a more secure system like 2FA because it's not convenient for them.

    • jakub_g 5 years ago

      Zoom introduced meeting passwords a few months ago after similar issues to prevent randos joining meetings by guessing short meeting IDs. But there's a tradeoff between security and usability so they accept passwords as a param in URL, which for 95% cases is a good tradeoff (for example Outlook Zoom plugin generates the URL with password directly in meeting invites). Most people don't live-share their super secret in-progress meeting IDs and passwords on Twitter. Probably more people share their CC number or boarding passes on instagram each day.

      However what Zoom and other conf tools could do is that they could read the password from the URL and then use `history.pushState()` DOM API to replace the URL and erase the password once the meeting is launched.

      The downside, though, would be that users wouldn't be able anymore to just copy the URL from the browser's URL bar and send it to other people to join.

      • TeMPOraL 5 years ago

        Or, they could use a hash of the password in the URL, that's always longer than what will fit in the visible part of the address box.
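The scrub-the-URL idea jakub_g describes above (read the join secret from the URL, then rewrite the address bar so a screenshot like the minister's no longer shows the PIN), written out as an added example. This is not code from Pexip, Zoom or any vendor; the parameter names `pin` and `pwd`, the host `meet.example.test` and the URLs are constructed for illustration. It uses `history.replaceState` rather than `pushState`, so the current history entry is overwritten instead of a second entry being added that would still carry the secret.

```javascript
// Added example (not any conferencing vendor's code): extract a join secret
// from the page URL, then overwrite the address-bar URL without it.
// Caveat: this only hides the secret from the screen and the history entry;
// a secret sent as a query parameter has already reached the server (and its
// access logs) by the time this runs. A secret carried in the fragment
// ("#pin=...") is never sent to the server, but is still visible on screen.

// Parameter names assumed for illustration; real products use their own.
const SECRET_PARAMS = ["pin", "pwd"];

// Pure helper (no browser globals) so the logic can be tested anywhere.
// Returns the first secret found (or null) and the URL with every
// secret-bearing parameter removed from both query string and fragment.
function extractAndScrub(urlString, secretParams = SECRET_PARAMS) {
  const url = new URL(urlString);
  let secret = null;

  for (const name of secretParams) {
    if (url.searchParams.has(name)) {
      if (secret === null) secret = url.searchParams.get(name);
      url.searchParams.delete(name); // removes every occurrence of the name
    }
  }

  // Fragment-style secrets, e.g. "https://host/join#pin=123456&conf=x".
  if (url.hash.length > 1) {
    const frag = new URLSearchParams(url.hash.slice(1));
    for (const name of secretParams) {
      if (frag.has(name)) {
        if (secret === null) secret = frag.get(name);
        frag.delete(name);
      }
    }
    const rest = frag.toString();
    url.hash = rest ? "#" + rest : "";
  }

  return { secret, cleanUrl: url.toString() };
}

// Browser side: call once on page load, before the join screen renders.
// Hands the secret back to the caller in memory; it never goes back into
// the URL. Returns null when not running in a browser or no secret found.
function scrubAddressBar() {
  if (typeof window === "undefined" || !window.history) return null;
  const { secret, cleanUrl } = extractAndScrub(window.location.href);
  if (secret !== null && cleanUrl !== window.location.href) {
    // replaceState keeps the same document and history position; only the
    // displayed URL changes, so a screenshot now shows the scrubbed form.
    window.history.replaceState(window.history.state, "", cleanUrl);
  }
  return secret;
}

// Constructed sample URL of the kind the thread describes (PIN as a GET
// parameter). Running this file outside a browser only exercises the helper.
const SAMPLE = "https://meet.example.test/join?conf=council&pin=123456";
console.log(extractAndScrub(SAMPLE));
// → { secret: '123456', cleanUrl: 'https://meet.example.test/join?conf=council' }
```

As jakub_g notes, after the scrub a user can no longer forward the meeting by copying the address bar, so the join UI has to offer an explicit "copy invite" action instead.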

tdons 5 years ago

What's more depressing is that this official has GMail open. How ridiculous is that? Which defense minister outside of the USA uses Google Mail? After Snowden, really?

I want to facepalm so hard right now.

  • hawk_ 5 years ago

    Unfortunately the bureaucrats still go through a dated curriculum to get where they are and there are no incentives to keep up with the times, technology or otherwise. These same people decide on the criteria for the incoming class and the vicious cycle goes on.

    • toyg 5 years ago

      Let’s be fair: many of these “bureaucrats” went to school when the modern internet didn’t exist. I’m in my early 40s and lived “the new economy” in my teenage years, most 50+ people would have no real familiarity with this sort of tech. Conversely, a lot of under-40 politicians and bureaucrats do grasp the internet - sometimes unfortunately so, considering they can be among the strongest supporters of draconian censorship.

  • bserge 5 years ago

    And these are the people pushing for laws around encryption. They have no idea what they're doing. In fact, that's really odd - you'd think that by now, tech-competent people would be in positions of power. Why aren't they?

cblconfederate 5 years ago

EU has no defense anyway so this is not entirely disastrous, though still very unacceptable.
