Preamble

Found on the ground during the last days of work next to the office.

About

The story is recollected by an individual who decided to talk to us regarding a case involving a very large data leak at the Extreme Light Infrastructure (ELI-NP) at the Institutul Național de Cercetare-Dezvoltare pentru Fizică și Inginerie Nucleară "Horia Hulubei" (IFIN-HH), in which the staff, management and the Romanian police participated in the attempt to cover up the incident. As per sources, to our knowledge, there has never been any official acknowledgement of the data leak. The leaked content consisted of authentication credentials (usernames and passwords) as well as E-Mail body content that ended up transmitted in plain text depending on how the various users configured their mail client.

We like to stick to facts because ultimately that is what matters, but we suppose that some more "background" is necessary, in particular for institutions such as the IFIN-HH, in order to comprehend how such leaks occur, how come they are never made public, and why the perpetrators end up getting away with it even when the European Community is aware, and also as a more general overview of the IFIN-HH. That being said, some background will be offered, and then only the facts will be listed in chronological order without further explanations. The "background" is provided because multiple "employer" rating websites such as Glassdoor, as we're told, delete the content posted by former employees, and because of one case of Romanian online mobbing on Wikipedia that attempted to bury the truth, such that it seems more of an imperative (or a last resort) to get the truth out some way, given that all these online venues are either corrupt or have been corrupted. If you're just looking for the technical gist and the core narrative of this case, you can skip to the memorandum section. If you would like more background, factual but only tangential to the case itself, then carry on reading.

Background

The IFIN-HH institute was founded by Dej, the former "president" of Romania before Ceausescu and the IFIN-HH became a hotbed of controversies with most of the staff being members of either the Romanian communist party or part of the Romanian Securitate. These were the sort-of "faux" scientists that due to international cooperation ended up doing favors with various people around the world with the result of ending up involved with organizations ranging from the Italian mafia and up to even more prestigious institutes such as the Max Planck institute in Germany. Many of these people became "well-known" across the years, yet due to their political implication with various either shady or not-so-shady structures, most of their "academic prestige" became more closed-circuit over time. For instance, you would find academicians (an institute of prestige, an ode to entitlement and a monument to elitism) that even though they would have a large amount of publications, would spend their time in Russia telling the KGB how food made out children in sold in Romania, of course, for the benefits of being invited again to Russia with a relatively large additional wage.

Many of these people literally burned their communist party membership card on the stairways at the IFIN-HH when the revolution came to be, for the sake of not being "caught" as being an avid communist party member. Some of these people often made it a story that they were somehow "coerced" or "forced" into the Romanian communist party, yet at the time, becoming a member of the Romanian communist party was, in fact, "competitive" due to the many additional benefits that would be bestowed upon anyone that became a party member. For example, if you became a member, you were immediately entitled to a second house or apartment, which was great, especially for a growing family. Similarly, becoming a "communist party" member was not only competitive, but also a matter of "purity" where, for example, you would have had to quit the Romanian Securitate in order to become a communist party member (with the Romanian Securitate, as complex as it might seem, being seen as "too dirty" for a proud communist party member).

Then again, many people, for example, Mr. Nicolae Victor Zamfir, one of the researchers at the time, that struck their gold elsewhere and via other means, turned the story around after communism and even went as far as stating that they were somehow coerced, victims or even "blackmailed" to join the Romanian communist party, which, given the actual history of both the Romanian communist party and the Romanian Securitate, was quite controversial given the many benefits one would have had. For example, and perhaps even tied to the Romanian online mobs that crawl the Internet in order to save Romania's reputation (a former investigation), looking at the history of Mr. Zamfir's page on Wikipedia, a quote is found that is fairly funny given the former context:

"Deși înainte de decembrie 1989, supus presiunilor acelor vremuri este forțat să devină, datorită rezultatelor sale excepționale, unul dintre liderii UTC, totuși imediat după revoluția din 1989 pleacă în Germania. Dovadă că și astăzi, institutul pe care îl conduce are o bună deschidere spre străinătate. [..]"

which translates to:

"Even though before December 1989, given the pressures of the time, he is forced to become, due to his exceptional results, one of the leaders of the UTC (Uniunea Tineretului Comunist, Romanian Communist Youth), thus immediately after the revolution from 1989 he leaves to Germany."

Judging just from how the person writing this has contorted the sentence so much that, even in Romanian, the sentence does not make much sense (ie: "Even though", not really corresponding to any counter-"though"), you can observe how much the writer of this text is lying. Similarly, the quote follows with:

"Proof that even today, the institute that he leads has a good opening (translate fail, gen. "overseas")."

which seems to be more in tone with communist propaganda than actually being factual. As propaganda goes, it typically holds oratorical value at the expense of grammar (i.e. the first sentence not even bothering to bless the reader with a predicate, "Proof that even today,").

Looking at the page, the insertion of these sentences is made by a user named "Mondan", that does not have any other edits on Wikipedia and whose implicit webpage on Wikipedia is blank.

This content stays up on Wikipedia from 2007 to about 2023 when some users seem to start a fight by pointing out that the sentence is junk, has no citations and hence must be removed. However, this is met with phenomenal resistance from the users that attempt to drag the discussion into ToS violations, editors such as Andrei Stroe deflecting the discussion, spewing complete nonsense and for some reason requesting proof that Mr. Zamfir even was a member of the Romanian Communist Youth (UTC). Ironically, Mr. Zamfir's membership to the UTC is actually a pretty public fact, and by his own words, Mr. Zamfir states for B1 TV (a TV station in Romania) that he was a party member such that all the resistance from these users is just for the purpose of saving face and to deflect from the truth.

As a general frame for the institute, this is a Molvanian-like structure (one of the newest reactors in Eastern Europe) and with big hopes being sold to Romanians. The ELI-NP project is written about in the press, depicted with images as the harbinger of flying cars, suspended fast rail trains and other elements of promise as if captured from "Zorba the Greek" that ended up just narrowing down, well, to just cutting up the street in half with one half being dedicated to bicycles, and so poorly made that the whole cannibalization of the already existing infrastructure turned into a flash point of accidents. Do not go there at night, because you might just start driving on the pavement. Otherwise, like from a Kusturica movie, Mr. Zamfir can be read in various magazines, making brave statements on how Romania is going to win the Nobel prize and other expressions of grandeur that, whelp, at least to this date, did not come to fruition.

Whilst all of that is more interesting from a historical perspective, it is still fairly benign albeit hopeful, with no harm done; or at least, so far, might seem petty but not a show stopper. One letter received by us, from an alleged source contains an attachment that is supposed to be an E-Mail that allegedly had been sent by an employee at the IFIN-HH to some other employee, and here is the content. This is where it starts to get a little … strange.

The employee claims that they and their spouse were harassed after the spouse raised some concerns about the ELI-NP. This includes, citing, "anonymous phone calls during the night" and/or various noises being made during the night to prevent them from sleeping, along with the reaction of the staff at ELI-NP / IFIN-HH against these two employees that even dared to question the ELI-NP project. The letter ends by claiming that due to the stress, the spouse of the employee got ill and died, with the surviving spouse asking the receiver of the letter to comment and contribute to one of the sites that they maintain as a testament to what happened to them. Surely, quite unbecoming of a Yale graduate, a person courted by Romanian masonry (and who-knows what other para-organizations) and a Romanian "academician". Ultimately, with all the prestige that Yale might convey, you surely do not want to be remembered as the person that was in charge and let this happen to these two employees, regardless of how financially vested you might be in a project or not, especially given that these two individuals did not seem to pose much of a threat and the project would have been built anyway regardless of their comments.

Otherwise, the whole scene is roughly the same with most ex-communists that drew benefits back then, drawing benefits now, the overreaching SRI backed by the police, gendarmerie and others that perpetuate an institute filled with the shady and suspicious communist swamp dwellers that fight for the adulation of foreigners and the dissolution of their own communist past. Which is interesting for a country that never truly covered their own communist extermination camps, but actually perpetuated them on external funding.

A lot of the staff that seems politically connected, as in, holding positions of leadership where the line between "scientist" and politician becomes blurry, hold the citizenship of numerous other countries, making it seem like if they mess up in Romania, then they can jump into the next available boat and float away to Germany or perhaps the USA. Mr. Livius Trache, for example, another value that, as sources claim, used to chase lots of women during his University years, now also a Romanian value, is the holder of dual citizenship, both Romanian and from the United States. You get the idea though, if things go bad, board a plane and you're out and while that seems funny, it also seems something along the lines of "conflict of interest" where leadership positions, pertaining to the state or funded out of public money, should not allow such a waiver of responsibility. Similarly, and closing in to the case itself, a letter received shows an E-Mail sent to the IEEE describing various instances of, to put it lightly, misbehavior at the "DFCTI: Computational Physics and Information Technologies" under the leadership of Mr. Mihnea Dulea.

To name a few, as related by the source and the received materials:

or otherwise a full swing of the proverbial dial on measuring the scale of what is called workplace toxicity.

Memorandum

As related by the source, an employee at IFIN-HH, at the DFCTI department, with Mr. Dulea being the CO, here is the full sequence of events. Bear in mind that from top to bottom, during the whole affair, the source was acting right under the obligations of the contract between themselves and the IFIN-HH, such that this is one of those infamous Romanian cases where a company desires something but when they get that something they are unhappy because the results are too good. More to the point, the source was asked deliberately to look into vulnerabilities and tasked with that right by Mr. Mihnea Dulea, such that all of this is very much legitimate. Furthermore, there had been other incidents in the past, reported the very same way, that were resolved. As we interviewed the source, it became sort-of obvious that the institute did not anticipate the capabilities of the source and when they started having to plug all sorts of critical security issues, they became irritated. Maybe, they can hire someone more incompetent in the future, that way at least, they can claim that they do not have vulnerabilities! Either way, here is the rundown:

Technicalities

The following is provided due to its contribution to computer security in a broader sense, especially since part of the problem is that mail clients agree to configure accounts on mail servers without any sort of encryption; everything will be covered in detail. For completeness, here is the output of an online port-check tool that verifies servers remotely and that demonstrates that the IMAP and POP plaintext service ports were open for the mail server at ELI-NP:

The IP address reading 188.27.74.96 is the IP address of the source, performing this check remotely, outside the institute (IP records indicate "RO-RESIDENTIAL"), with the port-checking tool also being remote to ELI-NP, such that the data leak is not restricted just to the internal IFIN-HH network.

Misconfiguration

First, the ELI-NP mail server was accepting forged envelope senders under the eli-np.ro domain, which is a misconfiguration problem. Here is a transcript of the communication:

# telnet mail.eli-np.ro 25
Trying 194.102.58.7...
Connected to mail.eli-np.ro.
Escape character is '^]'.
220 mail.eli-np.ro ESMTP Postfix
ehlo mail.eli-np.ro
250-mail.eli-np.ro
250-PIPELINING
250-SIZE 50000000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <ticket258@eli-np.ro>
250 2.1.0 Ok
rcpt to: <...@yahoo.com>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Acesta este un mesaj fals trimis doar ca exemplu pentru rezolvarea tichetului #258.
.
250 2.0.0 Ok: queued as 06C9C40000FA1
QUIT
221 2.0.0 Bye

The transcript shows a manual connection to the eli-np.ro server in which the client names an envelope sender ending in the eli-np.ro domain. The destination is an E-Mail address outside the ELI-NP network, at Yahoo. Finally a body is added (in English: "This is a fake message sent only as an example for resolving ticket #258.") and the E-Mail is accepted and queued for delivery to the Yahoo mail server. Note that the connection is made from outside ELI-NP and the IFIN-HH, and that no authentication takes place in the session, such that anyone can perform this attack without having to be within the institute's network.
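The two conditions this transcript demonstrates, a local-domain envelope sender accepted without authentication and an external recipient accepted for relay, can be checked mechanically when reviewing SMTP session logs. The following Python auditor is an added example, not part of the original write-up; the finding names, the REFUSED_SESSION replies and the example.* hosts are constructed for illustration.

```python
import re

LOCAL_DOMAINS = {"eli-np.ro"}

# Session as shown in the transcript above (client lines carry no reply code).
PAGE_SESSION = """\
220 mail.eli-np.ro ESMTP Postfix
ehlo mail.eli-np.ro
250-mail.eli-np.ro
250-PIPELINING
250-SIZE 50000000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <ticket258@eli-np.ro>
250 2.1.0 Ok
rcpt to: <...@yahoo.com>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Acesta este un mesaj fals trimis doar ca exemplu pentru rezolvarea tichetului #258.
.
250 2.0.0 Ok: queued as 06C9C40000FA1
QUIT
221 2.0.0 Bye
"""

# Constructed contrast: the same attempt against a server that refuses it.
REFUSED_SESSION = """\
220 mx.example.test ESMTP
EHLO client.example.net
250 mx.example.test
MAIL FROM:<ticket258@eli-np.ro>
250 2.1.0 Ok
RCPT TO:<someone@example.org>
554 5.7.1 <someone@example.org>: Relay access denied
QUIT
221 2.0.0 Bye
"""

REPLY = re.compile(r"^(\d{3})([ -]|$)")
PATH = re.compile(r"<([^>]*)>")


def _domain(arg):
    """Extract the lower-cased domain from a MAIL FROM / RCPT TO argument."""
    m = PATH.search(arg)
    addr = m.group(1) if m else arg.split(":", 1)[-1].strip()
    return addr.rpartition("@")[2].lower()


def audit_smtp(transcript, local_domains=LOCAL_DOMAINS):
    """Return the set of findings for one SMTP session transcript.

    An external sender delivering to a local recipient without AUTH is
    normal MX behaviour and produces no finding.
    """
    findings = set()
    authed = in_data = sasl_step = False
    pending = None   # client command still waiting for its final reply
    sender = None    # domain of the last accepted MAIL FROM
    for line in transcript.splitlines():
        if in_data:                        # message body: skip to the lone "."
            if line == ".":
                in_data, pending = False, ("EOD", "")
            continue
        if sasl_step:                      # client's answer to a 334 challenge
            sasl_step = False
            continue
        m = REPLY.match(line)
        if not m:                          # client command
            verb, _, arg = line.strip().partition(" ")
            pending = (verb.upper(), arg)
            continue
        code, sep = m.groups()
        if sep == "-" or pending is None:  # continuation line or greeting
            continue
        if code == "334":                  # SASL challenge, AUTH still open
            sasl_step = True
            continue
        (verb, arg), pending = pending, None
        accepted = code.startswith("2")
        if verb == "AUTH" and code == "235":
            authed = True
        elif verb == "MAIL" and accepted:
            sender = _domain(arg)
        elif verb == "RCPT" and accepted and not authed:
            if sender in local_domains:
                findings.add("local-sender-without-auth")
            if _domain(arg) not in local_domains:
                findings.add("relay-without-auth")
        elif verb == "DATA" and code == "354":
            in_data = True
    return findings


if __name__ == "__main__":
    print(sorted(audit_smtp(PAGE_SESSION)))
```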

Plain-Text Mail Services

Finding the plaintext mail services is easy with a manual connection. Here is the plain POP3 connection:

# telnet mail.eli-np.ro 110
Trying 194.102.58.7...
Connected to mail.eli-np.ro.
Escape character is '^]'.
+OK Dovecot ready.

and here is the plain IMAP connection:

# telnet mail.eli-np.ro 143
Trying 194.102.58.7...
Connected to mail.eli-np.ro.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Note that whilst the IMAP service advertises STARTTLS, implying that "encryption is available", it turned out that the mail client (MUA) decided that no encryption should be used, just due to the fact that the service is available over the plain IMAP port 143. Furthermore, note that the advertised authentication schemes imply plaintext passwords via AUTH=PLAIN, which accounts for the data leak having exposed the credentials of incoming connections.

In order to check, here is an intercepted communication between Microsoft Outlook and the ELI-NP plain IMAP server, showing the connection and the packet payloads in multiple steps whilst attempting to configure an account using various E-Mail clients. The username will be ticket258@eli-np.ro and the password will be PAROLAINCLAR, and they will be used to set up the accounts on the ELI-NP mail server.

First, Outlook connects to the eli-np.ro plaintext IMAP service just like the manual connection and the expected Dovecot advertisement of features payload is received:

21:50:08.217090 IP (tos 0x2,ECT(0), ttl 53, id 9086, offset 0, flags [DF], proto TCP (6), length 174)
mail.eli-np.ro.imap2 > REDACTAT.14021: Flags [P.], cksum 0x6de7 (correct), seq 124:258, ack 18, win 115, length 134
0x0000: 0401 b782 e601 5c45 2779 0330 0800 4502 ......\E'y.0..E.
0x0010: 00ae 237e 4000 3506 d89f c266 3a07 2e65 ..#~@.5....f:..e
0x0020: 1e58 008f 36c5 1fe9 493e dc7b f730 5018 .X..6...I>.{.0P.
0x0030: 0073 6de7 0000 2a20 4341 5041 4249 4c49 .sm...*.CAPABILI
0x0040: 5459 2049 4d41 5034 7265 7631 204c 4954 TY.IMAP4rev1.LIT
0x0050: 4552 414c 2b20 5341 534c 2d49 5220 4c4f ERAL+.SASL-IR.LO
0x0060: 4749 4e2d 5245 4645 5252 414c 5320 4944 GIN-REFERRALS.ID
0x0070: 2045 4e41 424c 4520 4944 4c45 2053 5441 .ENABLE.IDLE.STA
0x0080: 5254 544c 5320 4155 5448 3d50 4c41 494e RTTLS.AUTH=PLAIN
0x0090: 2041 5554 483d 4c4f 4749 4e0d 0a76 3867 .AUTH=LOGIN..v8g
0x00a0: 6b20 4f4b 2043 6170 6162 696c 6974 7920 k.OK.Capability.
0x00b0: 636f 6d70 6c65 7465 642e 0d0a completed...

Next, Outlook attempts to log-in with the ticket258@eli-np.ro E-Mail, a made-up address that is used to fill out the setup wizard for setting up an account with ELI-NP:

21:50:08.304497 IP (tos 0x2,ECT(0), ttl 63, id 16152, offset 0, flags [DF], proto TCP (6), length 89)
REDACTAT.14021 > mail.eli-np.ro.imap2: Flags [P.], cksum 0xe1cc (correct), seq 18:67, ack 258, win 257, length 49
0x0000: 0000 5e00 0166 0401 b782 e601 0800 4502 ..^..f........E.
0x0010: 0059 3f18 4000 3f06 b35a 2e65 1e58 c266 .Y?.@.?..Z.e.X.f
0x0020: 3a07 36c5 008f dc7b f730 1fe9 49c4 5018 :.6....{.0..I.P.
0x0030: 0101 e1cc 0000 7638 346d 204c 4f47 494e ......v84m.LOGIN
0x0040: 2022 7469 636b 6574 3235 3840 656c 692d ."ticket258@eli-
0x0050: 6e70 2e72 6f22 2022 5041 524f 4c41 494e np.ro"."PAROLAIN
0x0060: 434c 4152 220d 0a CLAR"..

and, as claimed, the transcript contains the password PAROLAINCLAR in plaintext as part of the intercept transcript.

Here is the same attempt to set up an E-Mail account with the mail client on Android KitKat using the made-up user ticket258@eli-np.ro and the password androidparola. First the Android mail client connects to the ELI-NP Dovecot plaintext IMAP service and the features advertisement payload is received:

22:19:58.469461 IP (tos 0x0, ttl 255, id 29423, offset 0, flags [none], proto TCP (6), length 171)
mail.eli-np.ro.imap2 > REDACTAT.49064: Flags [P.], cksum 0xb0bc (correct), seq 124:255, ack 15, win 5826, length 131
0x0000: 4500 00ab 72ef 0000 ff06 9e50 c266 3a07 E...r......P.f:.
0x0010: ac10 018f 008f bfa8 65c1 7010 0f7d f40e ........e.p..}..
0x0020: 5018 16c2 b0bc 0000 2a20 4341 5041 4249 P.......*.CAPABI
0x0030: 4c49 5459 2049 4d41 5034 7265 7631 204c LITY.IMAP4rev1.L
0x0040: 4954 4552 414c 2b20 5341 534c 2d49 5220 ITERAL+.SASL-IR.
0x0050: 4c4f 4749 4e2d 5245 4645 5252 414c 5320 LOGIN-REFERRALS.
0x0060: 4944 2045 4e41 424c 4520 4944 4c45 2053 ID.ENABLE.IDLE.S
0x0070: 5441 5254 544c 5320 4155 5448 3d50 4c41 TARTTLS.AUTH=PLA
0x0080: 494e 2041 5554 483d 4c4f 4749 4e0d 0a31 IN.AUTH=LOGIN..1
0x0090: 204f 4b20 4361 7061 6269 6c69 7479 2063 .OK.Capability.c
0x00a0: 6f6d 706c 6574 6564 2e0d 0a ompleted...

Apparently, the Android mail client then issues an IMAP ID command, which seems irrelevant, but it is part of the setup, so here are the server's acknowledgement and its reply:

22:19:58.497219 IP (tos 0x0, ttl 255, id 29424, offset 0, flags [none], proto TCP (6), length 40)
mail.eli-np.ro.imap2 > REDACTAT.49064: Flags [.], cksum 0x54ed (correct), seq 255, ack 206, win 5635, length 0
0x0000: 4500 0028 72f0 0000 ff06 9ed2 c266 3a07 E..(r........f:.
0x0010: ac10 018f 008f bfa8 65c1 7093 0f7d f4cd ........e.p..}..
0x0020: 5010 1603 54ed 0000 P...T...
22:19:58.621495 IP (tos 0x0, ttl 255, id 29425, offset 0, flags [none], proto TCP (6), length 70)
mail.eli-np.ro.imap2 > REDACTAT.49064: Flags [P.], cksum 0x6206 (correct), seq 255:285, ack 206, win 5635, length 30
0x0000: 4500 0046 72f1 0000 ff06 9eb3 c266 3a07 E..Fr........f:.
0x0010: ac10 018f 008f bfa8 65c1 7093 0f7d f4cd ........e.p..}..
0x0020: 5018 1603 6206 0000 2a20 4944 204e 494c P...b...*.ID.NIL
0x0030: 0d0a 3220 4f4b 2049 4420 636f 6d70 6c65 ..2.OK.ID.comple
0x0040: 7465 642e 0d0a ted...

and then finally a log-in is attempted in plaintext:

22:19:58.624632 IP (tos 0x0, ttl 63, id 7615, offset 0, flags [DF], proto TCP (6), length 85)
REDACTAT.49064 > mail.eli-np.ro.imap2: Flags [P.], cksum 0xeb8f (correct), seq 206:251, ack 285, win 65535, length 45
0x0000: 4500 0055 1dbf 4000 3f06 73d7 ac10 018f E..U..@.?.s.....
0x0010: c266 3a07 bfa8 008f 0f7d f4cd 65c1 70b1 .f:......}..e.p.
0x0020: 5018 ffff eb8f 0000 3320 4c4f 4749 4e20 P.......3.LOGIN.
0x0030: 7469 636b 6574 3235 3840 656c 692d 6e70 ticket258@eli-np
0x0040: 2e72 6f20 2261 6e64 726f 6964 7061 726f .ro."androidparo
0x0050: 6c61 220d 0a la"..

As can be observed, the password is transmitted in plaintext, which accounts for the leak of credentials.

Conventionally, there is no additional setup procedure that would encrypt the E-Mail body when the credentials travel in plaintext. Looking at the misconfiguration example, the whole process of sending an E-Mail happens within the same session, such that if the session is not encrypted then the body of the E-Mail is not encrypted either, and it is safe to assume that the E-Mail body would be transmitted in plaintext. Once the account is configured, E-Mail clients perform no "re-evaluation" of cryptographic primitives, because that choice is part of the setup of the account, such that after the account has been configured, all the communication will just take place unencrypted.

Interestingly, Apple Mail refused to set up an account using plaintext IMAP, yet it seems that Android and Microsoft Outlook were happy to accept no encryption as part of the setup wizard without any complaint, even though users are not necessarily versed in determining whether that is alright or not. Apple instead adamantly refused, and even mentioned that it will not set up an account with an unencrypted session.
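Both halves of the IMAP finding, the capability flags in the port-143 greeting and the logins the captures show being sent before any STARTTLS, can be expressed as checks. This Python audit is an added example, not part of the original write-up: it returns the user name of each exposed login but never the password, and the finding names and HARDENED_GREETING (modelled on a server that sets LOGINDISABLED before TLS) are constructed.

```python
import base64
import re
from typing import NamedTuple

# Greeting copied from the page's port-143 banner.
PAGE_GREETING = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready."
)
# Constructed contrast: a pre-TLS greeting that forbids cleartext logins.
HARDENED_GREETING = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "IDLE STARTTLS LOGINDISABLED] Dovecot ready."
)
# Client commands as decoded in the Outlook and Android captures above.
OUTLOOK_SESSION = ['v84m LOGIN "ticket258@eli-np.ro" "PAROLAINCLAR"']
ANDROID_SESSION = ['3 LOGIN ticket258@eli-np.ro "androidparola"']

CLEARTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def capabilities(greeting):
    """Capability tokens from a greeting or an untagged CAPABILITY line."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", greeting, re.I)
         or re.match(r"\* CAPABILITY (.*)", greeting, re.I))
    return set(m.group(1).upper().split()) if m else set()


def server_findings(greeting):
    """Judge what the server allows before TLS; [] if nothing is advertised."""
    caps = capabilities(greeting)
    findings = []
    if caps and "LOGINDISABLED" not in caps:
        findings.append("login-before-tls")
    if caps & CLEARTEXT_MECHS:
        findings.append("plain-sasl-before-tls")
    if findings and "STARTTLS" in caps:
        findings.append("starttls-not-enforced")
    return findings


class Exposure(NamedTuple):
    tag: str
    command: str
    user: str  # the password is parsed past but never stored or returned


_ASTRING = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def _astrings(rest):
    """Split IMAP arguments, honouring quoted strings."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _ASTRING.finditer(rest)]


def client_exposures(lines):
    """Credential-bearing commands a client sent before STARTTLS."""
    found = []
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2:
            continue
        tag, cmd = parts[0], parts[1].upper()
        rest = parts[2] if len(parts) > 2 else ""
        if cmd == "STARTTLS":   # everything after this is inside TLS
            break
        if cmd == "LOGIN":
            args = _astrings(rest)
            found.append(Exposure(tag, "LOGIN", args[0] if args else "?"))
        elif cmd == "AUTHENTICATE":
            args = rest.split()
            mech = args[0].upper() if args else "?"
            user = "?"
            if mech == "PLAIN" and len(args) > 1:  # SASL-IR initial response
                try:
                    fields = base64.b64decode(args[1]).split(b"\0")
                    user = fields[1].decode("utf-8", "replace")
                except (ValueError, IndexError):
                    pass
            if mech in ("PLAIN", "LOGIN"):
                found.append(Exposure(tag, "AUTHENTICATE " + mech, user))
    return found


if __name__ == "__main__":
    print(server_findings(PAGE_GREETING))
    print(client_exposures(OUTLOOK_SESSION) + client_exposures(ANDROID_SESSION))
```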

The impact is that the credentials and the E-Mail body would have leaked all the way from where a user accessed the ELI-NP server up to the ELI-NP server in Bucharest, Romania. At the very least, the E-Mail content and the credentials would have to be considered compromised, such that the users should be made aware in order to change their credentials and mitigate the leak of their correspondence. From the official data, the leak affects about 500 souls at the Extreme Light Infrastructure (ELI-NP) (with 500 being the "original number of employees when ELI-NP was founded" and probably not the actual number of employees when the leak took place in 2020) since receiving an official E-Mail address is part of the hiring process.

Reception

A data-breach was filed with the E.U. E.D.P.S., however, as former experiences confirm, the E.U. cannot be bothered and they redirect the request to the Romanian data protection agency A.N.S.P.D.C.P. Given the sensitivity of this issue, the actual submission of the document is literally taped on the screen and then a followup E-Mail is sent to the A.N.S.P.D.C.P. in order to re-confirm that the issue has been filed with the A.N.S.P.D.C.P. Curiously enough, the A.N.S.P.D.C.P. does not answer at all in this case, even though the A.N.S.P.D.C.P. typically answers even if the answer is not always the most useful of answers. This is due to papers being filed such that at the least, a formal response has to be formulated (typically, outside this case, and indifferent of the source regarding this case, our experience has been that people prefer talking in-person or via the phone, in order to not leave a paper trail that could potentially be cited).

Four years later, and with our help, the A.N.S.P.D.C.P. has been contacted again by the source in order to ask whether they received the data breach notification and whether anything has been done since then. Ultimately, because we are acquainted with the 51 different security agencies in Romania, given the previous cases and the continuous harassment, we also placed Mr. Tolontan, an investigative journalist, in the CC of the E-Mail in order to ensure that at least someone other than the people involved with the A.N.S.P.D.C.P. receives a copy of the E-Mail.

The A.N.S.P.D.C.P. answers this time, after a few weeks, by stating the following:

The point that IMAP and POP3 (without any encryption) do not automatically lead to a breach of data is just false. Any non-encrypted data is by default observable across a network (ultimately, that was the main point of encryption when it started to be added to the stack of various environments, when networks exceeded the reach of Universities). In fact, the reverse would be more true, namely that the lack of encryption automatically leads to any communication being observable. It is tough to believe that Mr. George Balaiti would sign something like this if they were advised by someone that would have the necessary background in computers to make statements and also assume their responsibility as experts within their competences about such statements. More than likely, this is yet another case of dismissive responses, the kind that we're accustomed to by Mr. Micol at the European Community, while he was responsible with matters of the G.D.P.R. where the response is sordidly just a refusal to do work. To us, the response from the A.N.S.P.D.C.P. is clearly an attempt to cover for the IFIN-HH and the ELI-NP. However, we would like to reserve this discussion for a follow-up sub-section that discusses the finer implications of this case.

Mr. Zamfir the CEO of the institute is also made aware, along with Mr. Allen Weeks, both of whom do not even bother replying.

A follow-up response is formulated to the A.N.S.P.D.C.P. where they are made aware that it is well within their mandate to follow up with an investigation given any probable cause, and that, in spite of them pretending that "no proof has been provided" when proof overtly was in fact provided, the submitted proof should be sufficient for a follow-up investigation with institutions within Romania that would have the necessary competences to perform those investigations. The source claims that during their employment, it was not the first time when matters of the G.D.P.R. had been brought up, but in fact quite a few times, and protocol was mostly followed. However, the A.N.S.P.D.C.P. apparently took it upon themselves to be the proverbial judge, jury and executioner and to outright drop the case based on the judgement, citing "[…] the complaint is inadmissible to our competences because the usage of IMAP and POP3 [comment: and not their secure counterparts, which was the whole point of filing the complaint by the source 4 years ago], do not automatically lead to a breach of data […]". The response phlegmatically tells them that the source (sometimes labelled a witness, other times labelled a victim) does not owe these institutions anything, let alone "proof" to the quality that an investigator can produce, and that if they had probable cause, they should have petitioned the institutions responsible with such matters following their own protocol.

We wanted to create a "finesserie" section but decided to state the same matter here. Another slippery slope that we observe, and even in the global sense, is some sort of subtle disrespect towards constituents in general, that comes across very awkward. The source that sends this notification is not some outcast of society, but rather full credentials were provided and, in this case in particular, the source themselves was one of the people responsible with matters of security such that the response from the A.N.S.P.D.C.P. comes across as bold, especially by claiming the exact opposite of what the source claims. It is true that the source was not the data protection officer, but the source was, in fact, delegated officially and contractually to spot vulnerabilities and report on them such that the information is supplied by someone that does have the background to call Mr. Balaiti's statement, namely that the usage of IMAP and POP3 (and not their secure counterparts, IMAPs and / or POP3s) does not lead to a data breach, laughable. It is a bit of a slippery slope, we find, because typically political figures are more or less, via the label itself, supposed to occupy themselves with politics, and even in a court of law, experts in the professions where the claims are being made are brought to testify and not political managers. It's subtle. If you end up working as a manager, you're supposed to carry out managerial work, even if your base degree just happens to be in the same domain that you manage. Your own evaluation does not hold weight at all in a court of law, unless you are incidentally cited as both the judge and the "expert" in a case, which in any equitable court, you are not and someone impartial to the case is cited as a referential expert.

This is more of a European vs. US problem rather than a problem with Romania itself (maybe, amplified by some notion of ego, at best); in Europe the government itself names itself as expert even in matters where the government is not an expert thereof, with the civilians being seen, even if factually experts, as adversaries whereas in the US the government generally speaking respects their civilian experts according to their credentials. Perhaps a case based on the distinction between common vs. written law.

Another point that has to be made is that the A.N.S.P.D.C.P. tends to use font styles on … snippets, ranging from single words to full sentences and sometimes it is not exactly clear why because what they try to highlight does not really seem relevant in context. After many years of seeing this as papers are brought to us by sources, we now believe that this is some sort of… way of making statements without making statements (or rather, a solution to Ms. Óðinsdóttir's inability to distinguish between a statement and a question). It goes like this. In this context, the A.N.S.P.D.C.P. underlines a citation from the law where the operator is absolved from submitting a data-breach report, citing "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons." but the A.N.S.P.D.C.P. does not directly state that, well, "the breach is unlikely to result in a risk to the rights and freedoms of natural persons." which means that they cannot really be held responsible - they just underlined a citation but they did not imply it! We could send back a response where we cite laws against pedophilia and underline and bolden the quotes, even though we have no proof thereof nor is there any connection to this case! Yes, it's just that trite. It's like the government itself is directly gaslighting you by changing font sizes, along the lines of "judge, jury, executioner" and now also playing the role of the criminal as well, as in "judge, jury, executioner and criminal"!

A More Ample Outlook

Again, the point has to be made that most of this springs just from malice, without any of these cases being just "accidents" and that most of the people in such cases participate willfully based upon their own choices and are not coerced to participate if they have different opinions.

Witnessing the other behaviors at the DFCTI IFIN-HH, in particular the harassment of several colleagues, is definitely at the very least an "optional participation", and if anyone disagrees they have plenty of measures at their disposal, such as complaining like the source and up to resigning or finding a different job. Even attempting to defend the people that were harassed by the staff led to people answering with attitudes along the lines of "are you in love with them?" (apparently, this seems to be something common in Romanian workplaces, as we have been told).

Given the setup, it seems trivial to explain why it often comes to tragedies, as a response perhaps, to publications within the Romanian press regarding the abuse of individuals - well, no, it is clearly not the fault of "evil corporations", but rather bad management, nepotism, false values and the overreaching arm of an overly obese government along with its numerous affiliated institutions. It would be so much more convenient to put one single person, one single institution and, given the European context, just one single country in the corner as a scapegoat and blame them for the perceived decline. There is some form of retribution, but ultimately it does not prevent Romania and Romanian society from acting as a trap, where, let's say, the bad reputation of Romania acts as the only deterrent to others approaching the country. Ultimately, these are the same people that vanished during the Romanian communist revolution, spared themselves of all the blame and then appeared much later in order to do exactly the same as they have done before, while all the time being very adamant about covering their past. It's like, 2nd up, in a game!

Even as remedial measures, the overall perceived feeling has been one of a government with all powers blended together into one, determined to use all the means at their disposal to, remarkably, cover up such cases instead of being genuinely curious to find out the real reasons behind the problems that they then go on and complain about in other forums. Even with reference to the European Community, we have seen people that we would have expected to jump off their chairs when these cases were brought to light, namely because these cases represent a breach of their own agreements and their own laws and not just some made-up pretense that someone might have had, turn into some villain from a cheesy spy movie, opting to side with corruption and with fraud to the detriment of everyone else. It is a more powerful impression than, let's say, disproving someone in a discussion where some opinions are exchanged, without any responsibility being wagered - it's like catching police being criminals, compared to, say, nobodies being criminals.

The European Community, when contacted, always seems to offload all the responsibility on the country, claiming that they cannot interfere. However, the EU in this case does fund the A.N.S.P.D.C.P., such that the measure to address any sort of incompetence that the EU might get wind of seems straightforward: not financing them any further. We disagree, and in particular, for countries like Romania, where the corruption is not exactly "unknown", the financing does indeed become some form of interference. Ultimately, regardless of whether this case is processed or not, forgotten or otherwise, the A.N.S.P.D.C.P. will carry on getting financed, so why bother to kick up a kerfuffle when… "we can all be friends, a, Tovarashi?!".

On the other hand, we generally like the European Community, and the European Union, but these issues come across as a trap to others that might take the prestige granted by the EU to these countries for granted and then end up being caught in a trap. If you asked us, instead of the European Community, whether you should come to Romania and open a business, we would definitely tell you NO and we would offer up these investigations as justification. And hence from there, other privacy-related questions:

Do you get it now?

Of course such revelations are not necessarily altruistic, in particular remembering that bridges do go both back and forth and that these people, given the privilege and opportunity, might as well just do the same somewhere else. Romania has within its history entire divisions of its espionage apparatus that were responsible for capturing people that "fled" Romania and bringing them back to Romania, such that anyone leaving or planning to leave should be concerned that the old habits either die hard, have not died at all, or, as the memetic enlightenment strip goes, are in fact now put on steroids by European funding.