Preamble

Found on the ground during the last days of work next to the office.

About

The story is recounted by an individual who decided to talk to us about a case involving a very large data leak at the Extreme Light Infrastructure (ELI-NP) at the Institutul Național de Cercetare-Dezvoltare pentru Fizică și Inginerie Nucleară "Horia Hulubei" (IFIN-HH), a leak that the staff, management and the Romanian police then attempted to cover up. As per sources, and to our knowledge, there has never been any official acknowledgement of the data leak; the leaked content consisted of authentication credentials (usernames and passwords) as well as E-Mail body content, all of which ended up transmitted in plain text depending on how the various users had configured their mail client.

We like to stick to facts because ultimately it is what matters, but we suppose that some more "background" is necessary, in particular for institutions such as the IFIN-HH, in order to be able to comprehend how such leaks occur, how come they are never made public, and why the perpetrators end up getting away with it even when the European Community is aware, but also as a more general overview of the IFIN-HH. That being said, some background will be offered, and then only the facts will be listed in chronological order without further explanations, such that if you're looking for just the technical gist of it, you can skip to the memorandum. The "background" is provided because multiple "employer" rating websites such as Glassdoor, as we're told, delete the content posted by former employees, and because of one case of Romanian online mobbing on Wikipedia that attempted to bury the truth, such that it seems more of an imperative (or a last resort) to get the truth out some way, given that all these online venues are either corrupt or have been corrupted. That said, if you're just looking for the core narrative of this case, please see the memorandum section. If you would like more background, factual but only tangential to the case itself, then carry on reading.

Background

The IFIN-HH institute was founded by Dej, the former "president" of Romania before Ceausescu, and the IFIN-HH became a hotbed of controversies, with most of the staff being members of either the Romanian communist party or part of the Romanian Securitate. These were the sort-of "faux" scientists that, due to international cooperation, ended up doing favors for various people around the world, with the result of ending up involved with organizations ranging from the Italian mafia up to even more prestigious institutes such as the Max Planck institute in Germany. Many of these people became "well-known" across the years, yet due to their political involvement with various either shady or not-so-shady structures, most of their "academic prestige" became more closed-circuit over time. For instance, you would find academicians (an institute of prestige, an ode to entitlement and a monument to elitism) that, even though they would have a large amount of publications, would spend their time in Russia telling the KGB how food made out of children is sold in Romania, of course, for the benefits of being invited again to Russia with a relatively large additional wage.

Many of these people literally burned their communist party membership card on the stairways at the IFIN-HH when the revolution came to be, for the sake of not being "caught" as being an avid communist party member. Some of these people often made it a story that they were somehow "coerced" or "forced" into the Romanian communist party, yet at the time, becoming a member of the Romanian communist party was, in fact, "competitive" due to the many additional benefits that would be bestowed upon anyone that became a party member. For example, if you became a member, you were immediately entitled to a second house or apartment, which was great, especially for a growing family. Similarly, becoming a "communist party" member was not only competitive, but also a matter of "purity" where, for example, you would have had to quit the Romanian Securitate in order to become a communist party member (with the Romanian Securitate, as complex as it might seem, being seen as "too dirty" for a proud communist party member).

Then again, many people, for example Mr. Nicolae Victor Zamfir, one of the researchers at the time, that struck their gold elsewhere and via other means, turned the story around after communism and even went as far as stating that they were somehow coerced, victims or even "blackmailed" into joining the Romanian communist party, which, given the actual history of both the Romanian communist party and the Romanian Securitate, was quite controversial given the many benefits one would have had. For example, and perhaps even tied to the Romanian online mobs that crawl the Internet in order to save Romania's reputation, a former investigation looking at the history of Mr. Zamfir's page on Wikipedia finds a quote that is fairly funny given the context above:

"Deși înainte de decembrie 1989, supus presiunilor acelor vremuri este forțat să devină, datorită rezultatelor sale excepționale, unul dintre liderii UTC, totuși imediat după revoluția din 1989 pleacă în Germania. Dovadă că și astăzi, institutul pe care îl conduce are o bună deschidere spre străinătate. [..]"

which translates to:

"Even though before December 1989, given the pressures of the time, he is forced to become, due to his exceptional results, one of the leaders of the UTC (Uniunea Tineretului Comunist, Romanian Communist Youth), thus immediately after the revolution from 1989 he leaves to Germany."

Judging just from how the person writing this has contorted the sentence so much that, even in Romanian, it does not make much sense (ie: "Even though" not really corresponding to any counter-"though"), you can observe how much the writer of this text is lying. Similarly, the quote continues with:

"Proof that even today, the institute that he leads has a good opening (translate fail, gen. "overseas")."

which seems to be more in tone with communist propaganda than actually factual. As propaganda goes, it typically holds oratorical value at the expense of grammar (ie: the sentence does not even bother to bless the reader with a predicate, "Proof that even today,").

Looking at the page, the insertion of these sentences is made by a user named "Mondan", that does not have any other edits on Wikipedia and whose implicit webpage on Wikipedia is blank.

This content stays up on Wikipedia from 2007 to about 2023, when some users seem to start a fight by pointing out that the sentence is junk, has no citations and hence must be removed. However, this is met with phenomenal resistance from users that attempt to drag the discussion into ToS violations, editors such as Andrei Stroe deflecting the discussion, spewing complete nonsense and for some reason requesting proof that Mr. Zamfir even was a member of the Romanian Communist Youth (UTC). Ironically, Mr. Zamfir's membership of the UTC is actually a pretty public fact, and in his own words, Mr. Zamfir states on B1 TV (a TV station in Romania) that he was a party member, such that all the resistance from these users is just for the purpose of saving face and deflecting from the truth.

As a general frame for the institute, this is a Molvanian-like structure (one of the newest reactors in Eastern Europe), with big hopes being sold to Romanians. The ELI-NP project is written about in the press, depicted with images as the harbinger of flying cars, suspended fast rail trains and other elements of promise, as if captured from "Zorba the Greek", that ended up narrowing down, well, to just cutting the street in half, with one half being dedicated to bicycles, and so poorly made that the whole cannibalization of the already existing infrastructure turned into a flash point of accidents. Do not go there at night, because you might just start driving on the pavement. Otherwise, like in a Kusturica movie, Mr. Zamfir can be read in various magazines making brave statements on how Romania is going to win the Nobel prize and other expressions of grandeur that, welp, at least to this date, did not come to fruition.

Whilst all of that is more interesting from a historical perspective, it is still fairly benign albeit hopeful, with no harm done; or at least, so far, it might seem petty but not a show stopper. One letter received by us from an alleged source contains an attachment that is supposed to be an E-Mail that allegedly had been sent by an employee at the IFIN-HH to some other employee, and here is the content. This is where it starts to get a little … strange.

The employee claims that they and their spouse have been harassed after the spouse raised some concerns about the ELI-NP. This includes, citing "anonymous phone calls during the night" and/or various noises being made during the night to prevent them from sleeping, along with the reaction of the staff at ELI-NP / IFIN-HH against these two employees that even dared to question the ELI-NP project. The letter ends by claiming that due to the stress, the spouse of the employee got ill and died, with the surviving spouse asking the receiver of the letter to comment and contribute to one of the sites that they maintain as a testament to what happened to them. Surely, quite unbecoming of a Yale graduate, a person courted by Romanian masonry (and who-knows what other para-organizations) and a Romanian "academician". Ultimately, with all the prestige that Yale might convey, you surely do not want to be remembered as the person that was in charge and let this happen to these two employees, regardless of how financially vested you might be in a project or not, especially given that these two individuals did not seem to pose much of a threat and the project would have been built anyway regardless of their comments.

Otherwise, the whole scene is roughly the same, with most ex-communists that drew benefits back then drawing benefits now, the overreaching SRI backed by the police, gendarmerie and others that perpetuate an institute filled with shady and suspicious communist swamp dwellers that fight for the adulation of foreigners and the dissolution of their own communist past. Which is interesting for a country that never truly covered their own communist extermination camps, but actually perpetuated them on external funding.

A lot of the staff that seem politically connected, as in, holding positions of leadership where the line between "scientist" and politician becomes blurry, hold the citizenship of numerous other countries, making it seem like, if they mess up in Romania, they can jump into the next available boat and float away to Germany or perhaps the USA. Mr. Livius Trache, for example, another value that, as sources claim, used to chase lots of women during his University years, now also a Romanian value, holds dual citizenship, both Romanian and of the United States. You get the idea though: if things go bad, board a plane and you're out, and while that seems funny, it also seems something along the lines of a "conflict of interest", where leadership positions pertaining to the state or funded out of public money should not allow such a waiver of responsibility. Similarly, and closing in on the case itself, a letter received shows an E-Mail sent to the IEEE describing various instances of, to put it lightly, misbehavior at the "DFCTI: Computational Physics and Information Technologies" under the leadership of Mr. Mihnea Dulea.

To name a few, as related by the source and the received materials:

  • the open and organized harassment of some members of staff taking place right in front of the CO, Mr. Dulea, to an unprecedented level, with the individuals in question going as far as attempting suicide (small callout here to recent events in Romania, regarding the alleged "overworking" of a Romanian woman that ended up being blamed on "corporations"),
  • requests to employees to spy on each other, extended by Mr. Dulea and justified by the need "to fire them",
  • various cases of sabotage at the workplace, right down the chute of employees disconnecting each other's servers, in order to set each other up,
  • outright violence, downright to fist-fights between members of staff with no repercussions given that the offender's family is also a member of the Romanian parliament,
  • violations of correspondence, apparently a long-standing problem at the IFIN-HH, where leaders of departments and the technical staff rummage through E-Mails (with a lot of controversy around the subject being raised), with the added "resistance" of the leadership to delegate the responsibility to "uninterested third-parties" hinting at the interest of the staff to preserve control and monopoly over correspondence,
  • no "real" application process, with management staff claiming that they do not have "open applications" because if they would make the jobs public, then they would allegedly not find "trustworthy" people; the procedure is to first find "someone trustworthy", more along the lines of "members of the family" and then to publish the position, as requested by the law, but to reject any application regardless and hiring the "trustworthy person",
  • no real accountability or responsibility, with "round tables" being established in case something happens, but only for the show, with the offending party not really being sanctioned in any palpable or consistent way, with raising the issue being more detrimental to the victim rather than the offender (even in cases where both can be clearly distinguished),
  • all matter of "finesserie", such as sexual harassment, when brought up during meetings, being treated more or less as a joke, both by male and female staff; even though the institute is notorious for such matters,
  • people hiring their spouses (for example, Mr. Dulea hiring his wife) within the same department, even though it is considered a conflict of interest in Romania

or otherwise a full swing of the proverbial dial on measuring the scale of what is called workplace toxicity.

Memorandum

As related by the source, an employee at IFIN-HH, at the DFCTI department, with Mr. Dulea being the CO, here is the full sequence of events. Bear in mind that from top to bottom, during the whole affair, the source was acting right under the obligations of the contract between themselves and the IFIN-HH, such that this is one of those infamous Romanian cases where a company desires something but when they get that something they are unhappy because the results are too good. More to the point, the source was asked deliberately to look into vulnerabilities and tasked with that right by Mr. Mihnea Dulea, such that all of this is very much legitimate. Furthermore, there had been other incidents in the past, reported the very same way, that were resolved. As we interviewed the source, it became sort-of obvious that the institute did not anticipate the capabilities of the source and when they started having to plug all sorts of critical security issues, they became irritated. Maybe, they can hire someone more incompetent in the future, that way at least, they can claim that they do not have vulnerabilities! Either way, here is the rundown:

  • An E-Mail is received at the work E-Mail of the source from an employee that needed some work to be done,
  • The employee is asked, as per Mr. Dulea's instructions, to open a ticket instead of sending the E-Mail (this is relevant because Mr. Dulea, the CO of the DFCTI, will later claim that the ticket system should not be used, which is contrary to the code of conduct that Mr. Dulea himself establishes; also, not the only contradiction, as shall be seen).
  • The ticket is attributed to the source for processing.
  • As it turns out, mail.eli-np.ro, the MX of the mail server of the ELI-NP, did not have its forward-confirmed reverse DNS (FCrDNS) set up properly, such that the mails sent from the ELI-NP mail server were sent from an IP address that did not resolve to the host name; the source suggests contacting the people responsible for the ELI-NP server, this issue being fairly critical in terms of misconfiguration and possibly leading to E-Mails from ELI-NP being rejected by other mail servers and/or being classified as spam (FCrDNS being mandatory at the time of writing).
    • On closer investigation, the Sender Policy Framework (SPF) rules, something that the CO of the DFCTI, Mr. Mihnea Dulea himself, is very adamant about, seem to be broken for the ELI-NP mail server, such that a followup is made to Mr. Laurentiu Serban and Mr. Mihai Ciubancan. Interestingly enough, Mr. Serban seems more versed in how things go down, such that he does maintain a polite attitude, contrasted to, say, Mr. Mihnea Dulea, who goes far out on the slander and libel (as shall be seen later on). In brief, the E-Mail states that Mr. Serban and Mr. Ciubancan have resolved the problem of forged envelope senders being accepted by the ELI-NP mail server, and Mr. Serban states that he is adding Mr. Vasile to the discussion because the mail from the source asked for Mr. Ionut Vasile to be notified that the SPF has to be fixed:

  • Mr. Ionut Vasile is added to the ticket as being responsible, claiming that the "junk" in the SPF line has been deleted (oof, big bracket: mostly a snarky remark; Romania is in the stone ages regarding computers and computer science, most of any reputation being just a LARP, such that some terms do not carry over easily; there are difficulties in spelling out expressions such as "forged E-Mails", the closest being perhaps "counterfeit E-Mails", which sounds dumb, or the word "junk", with "junk", as an example, being directly translated to "gunoi", yet in Romanian "gunoi" can come across as offensive to some level, such that this individual, Mr. Vasile, takes offense and also mocks the translation, something that is a bit of a recurring problem with this employee) but also claiming that there was some "logic" to the SPF line. Carrying on and summarizing, Mr. Vasile follows up, stating that FCrDNS has been added, that the SPF rule has been fixed (junk / garbled SPF line fixed), but also claims that the garbled line / "junk" in the SPF line was intentional and had at some point a meaning. He states that he considers that the ticket can be closed.
  • A followup is made by the source explaining that due to the cited grammar of the SPF line, there are no possible combinations that could lead to what was formerly within the SPF rule, such that it could only have been junk and Mr. Vasile is asked to explain what logic he is referring to. It is also explained to Mr. Vasile, that the current "fix" for the SPF, given his changes, will not work because the rule is not properly composed. Mr. Vasile is asked politely to "check again".
  • To keep the story concise, the ticket is eventually closed and resolved, but with a lot of whining from Mr. Ionut Vasile, who cannot contain himself when it is made known to him that his fixes do not make sense and that the problem is, in fact, not fixed, such that he loses his cool and whines about "being lectured". To our impression, this is just Mr. Vasile being emotive; it is standard procedure to back up your claims with quotes instead of (maybe?) just saying "it don't work, son". It certainly was not meant to lecture him, but apparently it ended up doing so, given that another followup was needed to get the matter resolved. Also, the cargo-cult adage, without any justification or explanation, of "it had some logic but now it has been deleted" just does not hold in the absence of an explanation and seems more like a way to save face rather than anything factual. Citing the RFC grammar and saying that there is no possible composition to match the broken SPF he configured is pretty water-tight. However, as will be discussed later on, Romanians do not have the capability nor the propensity to value facts over drama, with many people "just getting away" by throwing tantrums. We should also add that, maybe it is a cultural thing, especially since it is both the source's and our own experience that Romanians, for whatever reason, consider replying "in-line" as impolite, apparently the judgement being made that it would somehow be perceived as dismissive, but we are unsure. At the very least, it bears remembering that apparently replying to the point or in-line by citing the correspondence is somehow "impolite", as seen by Romanians, so perhaps that is something else that added to Mr. Vasile losing his composure. Ultimately, for whatever hierarchy can be established, the source actually reported to Mr. Mihnea Dulea (as a by-the-way, as per a direct quote from the contract, "reports directly to […]"), such that Mr. Vasile's lecturing is just infatuation (ie: the source could have just told him to fuck off, which is apparently also something fairly acceptable in Romania):

  • Nevertheless, it seems very suspicious that such a highly acclaimed department as the Romanian Extreme Light Infrastructure would have a petty mail server configured so poorly, and given that it is within the source's attributions to seek out issues (as per their contract), the source follows up with a further investigation of the mail server. And the hunch is correct: the former is not the only problem!
  • A new ticket is opened sometime after mentioning a very detailed problem report (as per the source's contract and as per Mr. Dulea's requests), and to summarize:
    • The source discovers that the sender can be forged due to the E-Mail server being misconfigured (it is also spelled out "falsified mails" to appease Mr. Vasile, even though, that expression is fairly dumb). In other words, you can connect to the ELI-NP server, define the envelope sender as any username and ending in @eli-np.ro and then send E-Mail to the employees.
    • The ELI-NP mail server permits POP access without any SSL/TLS, thereby leading to the potential disclosure of all credentials and mail body content of all users that might have configured their mail client to use POP (highly likely, people being mostly paranoid-with-good-reason, and given that POP downloads their E-Mails locally with the additional benefit of deleting them from the server) [the first leak method],
    • IMAP access is also provided without any encryption [second leak method],
    • Based on the former, a case study is made where it is determined that widespread E-Mail clients (except Apple Mail!) all accept setting up accounts, even automatically and without warning, if no encryption is advertised by the E-Mail server, which would imply that anyone since the inception of ELI-NP that set up their E-Mail account with any client (including Android) would have their whole mail correspondence leaking from the point of access of their E-Mail account all the way to the ELI-NP mail server in Bucharest, Romania. For a research institute this is rather bad because, contrary to any other profile, researchers are "meant to travel", such that they would have had to access their E-Mail remotely and many times. Unfortunately, people use their work E-Mail for private affairs, many times also with their bank accounts and other details contained within the E-Mails, which all-in-all is a pretty catastrophic leak (to try and put out a forest fire with a 1L bottle, at the very least, the users should change their passwords...). At the end of the analysis, the source themselves seem to panic and end with "I do not even know what has to be done..."
    • 8 hours later, Mr. Ionut Vasile closes the ticket down without any explanation. The source checks whether the issue is resolved and apparently it is not,
    • The source opens up yet another ticket, asking why the previous ticket has been closed and without any resolution. No response is received.
    • 4 hours later a snarky E-Mail, like never before (? no bad blood before either), is sent by Mr. Mihnea Dulea making all sorts of claims on being absent from work, having "lots to talk about" with colleagues, claiming some procedural omissions that have been made referring to holidays (you know, the kind that are never respected anyway), claims about clocking in are made and also requests to meet in person are extended.
    • A followup is sent by the source, thanking him for taking the time to write (the drivel) but noting that the ELI-NP server is still leaking and asking again to solve the issue before anything else is discussed (of course, setting him straight has to be performed; for example, he needs to be reminded that "discussions with colleagues", when referring to the data leak, are not "as in beer" but rather asking them to plug the leak; along the same lines, he has to be reminded that "you have many problems to discuss" are not personal problems but rather professional problems, and incidentally with reference to his staff, not the source, being unprofessional in closing down the ticket without remedy and/or misconfiguring the server in the first place).
      • A small trap is extended to Mr. Dulea, asking that all further correspondence between him and the source should henceforth, at the request of the source, be performed using the Romanian politeness form. In principle, the law is such that polite ways of addressing people are more or less negotiated on a best-effort basis between two people, regardless of any structure: if someone wants the politeness form to be used and the other person is not using it, then by Romanian law the person not using the politeness form is obliged to use it. There is some "insider information" that the source added, stating that in a previous conversation between the source and Mr. Dulea, Mr. Dulea told the source to only use the politeness form when addressing him (Mr. Dulea) but not to use the politeness form with colleagues. The source mostly signs with their first name in most correspondence (maybe even when they shouldn't!), such that politeness is irrelevant, but due to Mr. Dulea's request, this small addendum to the case was launched into the fray. Mr. Zamfir, the CEO of the institute at the time, is also informed of the problem, mostly in the hope that someone, well, in context, lucid enough, can be reached to plug the leak.
  • Overall, it takes the staff at IFIN-HH / ELI-NP about two days to finally close the ports with the source having to deal with the funny slander coming in from Mr. Dulea, whilst at the same time juggling the tickets on the ticket system as people start to become interested.
  • After the ports are closed, Mr. Dulea follows up with more slander, libel, various veiled threats, funny delusions of grandeur such as "I only use the politeness form with people superior to me", or even calling the source a "wannabe persecuted hero", or to cite the full "pâté" spelled out in Mr. Dulea's E-mail: "Vrei in schimb sa pozezi in erou persecutat in fata …, a dlui director general, etc., erou care si-a sacrificat prezenta la serviciu pentru a salva institutul. Multumesc pentru inchiderea porturilor." (in English: "Instead, you want to pose as a persecuted hero in front of …, of the director general, etc., a hero who sacrificed his presence at work in order to save the institute. Thank you for closing the ports."). Mr. Dulea apparently states that there was a legitimate use for the non-secure ports, however Mr. Dulea's own "Security Guide", which he wrote with the source's and Mr. Vasile's help, explicitly forbids any non-secure ports to be exposed, such that he contradicts himself and his own work. To cite the full sentence: "iar inchiderea porturilor se facea oricum. De ce s-a tot amanat, cred ca stii, nu este un secret ca sunt unii utilizatori legitimi ai porturilor respective (pe care o sa-i directionam catre tine daca cer explicatii pt. intreruperea accesului la email)." (in English: "and the ports were going to be closed anyway. Why it kept being postponed, I think you know; it is no secret that there are some legitimate users of those ports (whom we will direct to you if they ask for explanations about the interruption of their email access)."), where he also mentions "sending the users of the non-secure ports" to the source, which does not really seem like a … plausible solution, nor too rational a statement. More importantly, the source is invited to some "backroom discussions" and, without being able to know the contents of alternative universes, one can only speculate that more than likely it was an invitation to a talk that would not have seen the light of day; then again, given the sensitivity of the matter, the invitation is declined by the source. There is also a funny phrase where Mr. Dulea, it is fair to suspect, sort-of knows that this will not end well, and asks why the source is addressing Mr. Ionut Vasile using the full title; that seems unrelated to his lack of knowledge of what is contained within the "Code of Manners" book, but rather, to us at least, seems to be a premonition that this case will be acted upon given the formalities.

  • Either way, for what is important, it is clear that Mr. Nicolae Victor Zamfir, the CEO of the ELI-NP and, at the time, the director of IFIN-HH, has been informed, given that he is to be found within the CC line.
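Two of the checks described in the tickets above, as added example code that is neither the institute's nor the source's: a syntax validator for SPF TXT records built on the term grammar of RFC 7208 (a record it rejects cannot be produced by any composition of valid terms, which is the argument that was put to Mr. Vasile), and a forward-confirmed reverse DNS check with injectable resolvers so it can be exercised offline. The names under example.test and the 192.0.2.x addresses are constructed.

```python
import re
import socket
from typing import Callable, List, Tuple

# The regex follows the term grammar of RFC 7208 section 12 (directive = [qualifier] mechanism;
# modifier = name "=" value). Anything that does not match one of these shapes is junk.
_DOM = r"[A-Za-z0-9._%{}-]+"                      # domain-spec, including macros such as %{d}
_MECH = re.compile(
    r"^[+\-~?]?(?:all"
    r"|include:" + _DOM +
    r"|a(?::" + _DOM + r")?(?:/\d{1,3})?"
    r"|mx(?::" + _DOM + r")?(?:/\d{1,3})?"
    r"|ptr(?::" + _DOM + r")?"
    r"|ip4:(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?"   # groups 1/2: address, prefix length
    r"|ip6:[0-9A-Fa-f:.]+(?:/\d{1,3})?"
    r"|exists:" + _DOM + r")$")
_MOD = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)=(\S+)$")   # redirect=, exp=, unknown-modifier


def _needs_dns(term: str) -> bool:
    """Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation."""
    t = term.lstrip("+-~?").lower()
    return (t.split(":")[0].split("/")[0] in ("include", "a", "mx", "ptr", "exists")
            or t.startswith("redirect="))


def validate_spf(record: str) -> List[str]:
    """Return findings for an SPF record; an empty list means it is well formed."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"]
    lookups, after_all, has_end, mods = 0, False, False, set()
    for term in terms[1:]:
        if after_all:                       # evaluators stop at 'all'; later terms are dead
            findings.append(f"{term!r}: term after 'all' is never evaluated")
            continue
        m = _MECH.match(term)
        if m:
            if m.group(1) and (any(int(o) > 255 for o in m.group(1).split("."))
                               or (m.group(2) and int(m.group(2)) > 32)):
                findings.append(f"{term!r}: invalid IPv4 address or prefix")
            if term.lstrip("+-~?").lower() == "all":
                after_all = has_end = True
                if term.startswith("+"):
                    findings.append("'+all' lets any host send as this domain")
        elif (mod := _MOD.match(term)):
            name = mod.group(1).lower()
            if name in ("redirect", "exp") and name in mods:
                findings.append(f"duplicate modifier '{name}='")
            mods.add(name)
            has_end = has_end or name == "redirect"
        else:
            findings.append(f"{term!r}: not a valid mechanism or modifier")
            continue
        if _needs_dns(term):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if not has_end:
        findings.append("no 'all' mechanism or redirect= modifier (result defaults to neutral)")
    return findings


Resolver = Callable[[str], Tuple[str, List[str], List[str]]]


def check_fcrdns(mx_host: str, forward: Resolver = socket.gethostbyname_ex,
                 reverse: Resolver = socket.gethostbyaddr) -> List[str]:
    """Forward-confirmed reverse DNS: every address mx_host resolves to must carry a PTR
    whose name resolves back to that same address. Resolvers are parameters so the check
    runs offline against constructed tables; the defaults use the system resolver."""
    problems: List[str] = []
    try:
        addrs = forward(mx_host)[2]
    except OSError as exc:
        return [f"{mx_host}: forward lookup failed ({exc})"]
    for addr in addrs:
        try:
            ptr_name = reverse(addr)[0]
        except OSError:
            problems.append(f"{addr}: no PTR record")
            continue
        try:
            back = forward(ptr_name)[2]
        except OSError:
            back = []
        if addr not in back:
            problems.append(f"{addr}: PTR {ptr_name} does not resolve back to {addr}")
    return problems


# Constructed DNS tables (reserved example.test names, RFC 5737 addresses) for the offline demo.
_FORWARD = {"mail.example.test": ["192.0.2.7"], "mx.example.test": ["192.0.2.7"],
            "other.example.test": ["192.0.2.9"]}


def demo_forward(name: str) -> Tuple[str, List[str], List[str]]:
    if name not in _FORWARD:
        raise OSError(f"NXDOMAIN {name}")
    return name, [], _FORWARD[name]


def demo_reverse_good(addr: str) -> Tuple[str, List[str], List[str]]:
    return "mx.example.test", [], [addr]          # PTR whose name round-trips to addr


def demo_reverse_bad(addr: str) -> Tuple[str, List[str], List[str]]:
    return "other.example.test", [], [addr]       # PTR pointing at a name with another address


if __name__ == "__main__":
    print(validate_spf("v=spf1 mx a:mail.example.test ip4:192.0.2.0/24 -all"))   # []
    print(validate_spf("v=spf1 mx:: ip4:192.0.2.7 -all"))                          # junk term
    print(check_fcrdns("mail.example.test", demo_forward, demo_reverse_bad))
```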

Technicalities

The following is provided due to its contribution to computer security in a broader sense, especially since part of the problem is that mail clients agree to configure accounts against mail servers without any sort of encryption; everything will be covered in detail. For completeness, here is the output of an online port-check tool that verifies servers remotely and that demonstrates that the IMAP and POP plaintext service ports were open for the mail server at ELI-NP:

The IP address reading 188.27.74.96 is the IP address of the source, performing this check remotely, from outside the institute (IP records indicate "RO-RESIDENTIAL"), and with the port checking tool also being remote to ELI-NP, such that the data leak is not restricted just to the internal IFIN-HH network.

Misconfiguration

First, the ELI-NP mail server was accepting forged envelope senders under the eli-np.ro domain, which is a misconfiguration problem, and here is a transcript of the communication.

# telnet mail.eli-np.ro 25
Trying 194.102.58.7...
Connected to mail.eli-np.ro.
Escape character is '^]'.
220 mail.eli-np.ro ESMTP Postfix
ehlo mail.eli-np.ro
250-mail.eli-np.ro
250-PIPELINING
250-SIZE 50000000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <ticket258@eli-np.ro>
250 2.1.0 Ok
rcpt to: <...@yahoo.com>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Acesta este un mesaj fals trimis doar ca exemplu pentru rezolvarea tichetului #258.
.
250 2.0.0 Ok: queued as 06C9C40000FA1
QUIT
221 2.0.0 Bye

The transcript shows a connection to the eli-np.ro server made manually, where the client identifies itself as a sender with a terminating eli-np.ro domain. The destination is set to some E-Mail address outside the ELI-NP network, at Yahoo. Finally, a body is added and the E-Mail is accepted for delivery to the Yahoo mail server. Note that the connection is made from outside of ELI-NP and IFIN-HH, such that this is possible without having to be within the institute's network, allowing anyone to perform this attack.

Plain-Text Mail Services

Finding the plaintext mail services is easy with a manual connection. Here is the plain POP3 connection:

# telnet mail.eli-np.ro 110
Trying 194.102.58.7...
Connected to mail.eli-np.ro.
Escape character is '^]'.
+OK Dovecot ready.

and here is the plain IMAP connection:

# telnet mail.eli-np.ro 143
Trying 194.102.58.7...
Connected to mail.eli-np.ro.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Note that whilst the IMAP service advertises STARTTLS, implying that "encryption is available", it turned out that the server decided that no encryption should be required, just due to the fact that the service is available over the plain IMAP port 143. Furthermore, note that the authentication scheme implies plaintext passwords via AUTH=PLAIN, which means the credentials of incoming connections were leaked.

To verify this, here is an intercepted communication between Microsoft Outlook and the ELI-NP plain IMAP server, showing the connection and the whole packet payload in multiple steps whilst attempting to configure an account using various E-Mail clients. The username will be ticket258@eli-np.ro and the password will be PAROLAINCLAR, and they will be used to set up the accounts on the ELI-NP mail server.

First, Outlook connects to the eli-np.ro plaintext IMAP service just like the manual connection and the expected Dovecot advertisement of features payload is received:

21:50:08.217090 IP (tos 0x2,ECT(0), ttl 53, id 9086, offset 0, flags [DF], proto TCP (6), length 174)
mail.eli-np.ro.imap2 > REDACTAT.14021: Flags [P.], cksum 0x6de7 (correct), seq 124:258, ack 18, win 115, length 134
0x0000: 0401 b782 e601 5c45 2779 0330 0800 4502 ......\E'y.0..E.
0x0010: 00ae 237e 4000 3506 d89f c266 3a07 2e65 ..#~@.5....f:..e
0x0020: 1e58 008f 36c5 1fe9 493e dc7b f730 5018 .X..6...I>.{.0P.
0x0030: 0073 6de7 0000 2a20 4341 5041 4249 4c49 .sm...*.CAPABILI
0x0040: 5459 2049 4d41 5034 7265 7631 204c 4954 TY.IMAP4rev1.LIT
0x0050: 4552 414c 2b20 5341 534c 2d49 5220 4c4f ERAL+.SASL-IR.LO
0x0060: 4749 4e2d 5245 4645 5252 414c 5320 4944 GIN-REFERRALS.ID
0x0070: 2045 4e41 424c 4520 4944 4c45 2053 5441 .ENABLE.IDLE.STA
0x0080: 5254 544c 5320 4155 5448 3d50 4c41 494e RTTLS.AUTH=PLAIN
0x0090: 2041 5554 483d 4c4f 4749 4e0d 0a76 3867 .AUTH=LOGIN..v8g
0x00a0: 6b20 4f4b 2043 6170 6162 696c 6974 7920 k.OK.Capability.
0x00b0: 636f 6d70 6c65 7465 642e 0d0a completed...

Next, Outlook attempts to log in with the ticket258@eli-np.ro E-Mail address, a made-up address that is used to fill out the setup wizard for setting up an account with ELI-NP:

21:50:08.304497 IP (tos 0x2,ECT(0), ttl 63, id 16152, offset 0, flags [DF], proto TCP (6), length 89)
REDACTAT.14021 > mail.eli-np.ro.imap2: Flags [P.], cksum 0xe1cc (correct), seq 18:67, ack 258, win 257, length 49
0x0000: 0000 5e00 0166 0401 b782 e601 0800 4502 ..^..f........E.
0x0010: 0059 3f18 4000 3f06 b35a 2e65 1e58 c266 .Y?.@.?..Z.e.X.f
0x0020: 3a07 36c5 008f dc7b f730 1fe9 49c4 5018 :.6....{.0..I.P.
0x0030: 0101 e1cc 0000 7638 346d 204c 4f47 494e ......v84m.LOGIN
0x0040: 2022 7469 636b 6574 3235 3840 656c 692d ."ticket258@eli-
0x0050: 6e70 2e72 6f22 2022 5041 524f 4c41 494e np.ro"."PAROLAIN
0x0060: 434c 4152 220d 0a CLAR"..

and, as claimed, the intercept contains the password PAROLAINCLAR in plaintext.

Here is the same attempt to set up an E-Mail account with the mail client on Android KitKat using the made-up user ticket258@eli-np.ro and the password androidparola. First the Android mail client connects to the ELI-NP Dovecot plaintext IMAP service and the features advertisement payload is received:

22:19:58.469461 IP (tos 0x0, ttl 255, id 29423, offset 0, flags [none], proto TCP (6), length 171)
mail.eli-np.ro.imap2 > REDACTAT.49064: Flags [P.], cksum 0xb0bc (correct), seq 124:255, ack 15, win 5826, length 131
0x0000: 4500 00ab 72ef 0000 ff06 9e50 c266 3a07 E...r......P.f:.
0x0010: ac10 018f 008f bfa8 65c1 7010 0f7d f40e ........e.p..}..
0x0020: 5018 16c2 b0bc 0000 2a20 4341 5041 4249 P.......*.CAPABI
0x0030: 4c49 5459 2049 4d41 5034 7265 7631 204c LITY.IMAP4rev1.L
0x0040: 4954 4552 414c 2b20 5341 534c 2d49 5220 ITERAL+.SASL-IR.
0x0050: 4c4f 4749 4e2d 5245 4645 5252 414c 5320 LOGIN-REFERRALS.
0x0060: 4944 2045 4e41 424c 4520 4944 4c45 2053 ID.ENABLE.IDLE.S
0x0070: 5441 5254 544c 5320 4155 5448 3d50 4c41 TARTTLS.AUTH=PLA
0x0080: 494e 2041 5554 483d 4c4f 4749 4e0d 0a31 IN.AUTH=LOGIN..1
0x0090: 204f 4b20 4361 7061 6269 6c69 7479 2063 .OK.Capability.c
0x00a0: 6f6d 706c 6574 6564 2e0d 0a ompleted...

Apparently, the Android mail client first sends an IMAP ID command (the server answers "* ID NIL" below), which is irrelevant to the leak but part of the setup, so here goes:

22:19:58.497219 IP (tos 0x0, ttl 255, id 29424, offset 0, flags [none], proto TCP (6), length 40)
mail.eli-np.ro.imap2 > REDACTAT.49064: Flags [.], cksum 0x54ed (correct), seq 255, ack 206, win 5635, length 0
0x0000: 4500 0028 72f0 0000 ff06 9ed2 c266 3a07 E..(r........f:.
0x0010: ac10 018f 008f bfa8 65c1 7093 0f7d f4cd ........e.p..}..
0x0020: 5010 1603 54ed 0000 P...T...
22:19:58.621495 IP (tos 0x0, ttl 255, id 29425, offset 0, flags [none], proto TCP (6), length 70)
mail.eli-np.ro.imap2 > REDACTAT.49064: Flags [P.], cksum 0x6206 (correct), seq 255:285, ack 206, win 5635, length 30
0x0000: 4500 0046 72f1 0000 ff06 9eb3 c266 3a07 E..Fr........f:.
0x0010: ac10 018f 008f bfa8 65c1 7093 0f7d f4cd ........e.p..}..
0x0020: 5018 1603 6206 0000 2a20 4944 204e 494c P...b...*.ID.NIL
0x0030: 0d0a 3220 4f4b 2049 4420 636f 6d70 6c65 ..2.OK.ID.comple
0x0040: 7465 642e 0d0a ted...

and then finally a log-in is attempted in plaintext:

22:19:58.624632 IP (tos 0x0, ttl 63, id 7615, offset 0, flags [DF], proto TCP (6), length 85)
REDACTAT.49064 > mail.eli-np.ro.imap2: Flags [P.], cksum 0xeb8f (correct), seq 206:251, ack 285, win 65535, length 45
0x0000: 4500 0055 1dbf 4000 3f06 73d7 ac10 018f E..U..@.?.s.....
0x0010: c266 3a07 bfa8 008f 0f7d f4cd 65c1 70b1 .f:......}..e.p.
0x0020: 5018 ffff eb8f 0000 3320 4c4f 4749 4e20 P.......3.LOGIN.
0x0030: 7469 636b 6574 3235 3840 656c 692d 6e70 ticket258@eli-np
0x0040: 2e72 6f20 2261 6e64 726f 6964 7061 726f .ro."androidparo
0x0050: 6c61 220d 0a la"..

As can be observed, the password is transmitted in plaintext, which accounts for the leak of credentials.
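The intercepts above are shown as tcpdump hex dumps, and the credentials only become visible once the raw bytes are decoded. As an added example, not code from the page, its author, or the institute, the following Python script rebuilds the bytes from the hex columns of such a dump and then performs the two checks a defender reviewing a capture would want: it flags a pre-STARTTLS capability list that still offers AUTH=PLAIN or AUTH=LOGIN (or lacks LOGINDISABLED, the RFC 3501 signal that a server refuses LOGIN before TLS), and it locates any IMAP LOGIN command sent in the clear, reporting the username and only the length of the password. The embedded packets are copied from the Android capability and login intercepts above; the hardened greeting is a constructed sample of what a TLS-requiring server advertises. The tcpdump -X column layout (offset, up to eight groups of two bytes, then an ASCII column) is assumed.

```python
"""Detect cleartext IMAP credentials in tcpdump -X output (added example).

Bytes are rebuilt from tcpdump's hex columns, not from the ASCII column,
because tcpdump prints '.' for every non-printable byte.  Passwords are
reported by length only so the script does not re-leak what it finds.
"""
import re
from typing import Dict, List, Optional

# tcpdump -X hex line: "0x0010: 4500 00ab ... <ascii column>"
_HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*)$")
_HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")
# IMAP "<tag> LOGIN <user> <password>", each argument quoted or bare (RFC 3501).
# The tag must not be glued to a preceding alphanumeric header byte.
_LOGIN = re.compile(
    rb'(?<![A-Za-z0-9])([A-Za-z0-9]+) LOGIN '
    rb'(?:"([^"\r\n]*)"|([^\s"]+)) (?:"([^"\r\n]*)"|([^\s"]+))\r\n',
    re.IGNORECASE)
# Capability list in a greeting ("* OK [CAPABILITY ...]") or in the untagged
# reply to a CAPABILITY command ("* CAPABILITY ...").
_CAPA = re.compile(rb"\* (?:OK \[)?CAPABILITY ([^\r\n\]]+)")


def tcpdump_hex_to_bytes(dump: str) -> bytes:
    """Concatenate the bytes of every '0x....:' line in a tcpdump -X dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = _HEX_LINE.match(line)
        if not m:
            continue  # packet summary lines and blanks
        groups: List[str] = []
        for tok in m.group(1).split():
            if len(groups) == 8 or not _HEX_GROUP.match(tok):
                break  # reached the ASCII column
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def find_cleartext_logins(raw: bytes) -> List[Dict[str, object]]:
    """Every IMAP LOGIN command in the raw bytes; the secret itself is not returned."""
    found: List[Dict[str, object]] = []
    for m in _LOGIN.finditer(raw):
        user = m.group(2) if m.group(2) is not None else m.group(3)
        password = m.group(4) if m.group(4) is not None else m.group(5)
        found.append({"tag": m.group(1).decode("ascii", "replace"),
                      "user": user.decode("utf-8", "replace"),
                      "password_len": len(password)})
    return found


def assess_capabilities(raw: bytes) -> Optional[Dict[str, object]]:
    """Judge whether a pre-STARTTLS capability list admits cleartext logins."""
    m = _CAPA.search(raw)
    if m is None:
        return None
    caps = m.group(1).decode("ascii", "replace").upper().split()
    plaintext = [c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN")]
    login_disabled = "LOGINDISABLED" in caps
    # RFC 3501: a server that refuses LOGIN before TLS advertises LOGINDISABLED.
    return {"starttls": "STARTTLS" in caps,
            "plaintext_mechanisms": plaintext,
            "login_disabled": login_disabled,
            "accepts_cleartext_credentials": bool(plaintext) or not login_disabled}


# Packets copied from the Android intercept on the page (not constructed).
ANDROID_CAPABILITY = """
0x0000: 4500 00ab 72ef 0000 ff06 9e50 c266 3a07 E...r......P.f:.
0x0010: ac10 018f 008f bfa8 65c1 7010 0f7d f40e ........e.p..}..
0x0020: 5018 16c2 b0bc 0000 2a20 4341 5041 4249 P.......*.CAPABI
0x0030: 4c49 5459 2049 4d41 5034 7265 7631 204c LITY.IMAP4rev1.L
0x0040: 4954 4552 414c 2b20 5341 534c 2d49 5220 ITERAL+.SASL-IR.
0x0050: 4c4f 4749 4e2d 5245 4645 5252 414c 5320 LOGIN-REFERRALS.
0x0060: 4944 2045 4e41 424c 4520 4944 4c45 2053 ID.ENABLE.IDLE.S
0x0070: 5441 5254 544c 5320 4155 5448 3d50 4c41 TARTTLS.AUTH=PLA
0x0080: 494e 2041 5554 483d 4c4f 4749 4e0d 0a31 IN.AUTH=LOGIN..1
0x0090: 204f 4b20 4361 7061 6269 6c69 7479 2063 .OK.Capability.c
0x00a0: 6f6d 706c 6574 6564 2e0d 0a ompleted...
"""
ANDROID_LOGIN = """
0x0000: 4500 0055 1dbf 4000 3f06 73d7 ac10 018f E..U..@.?.s.....
0x0010: c266 3a07 bfa8 008f 0f7d f4cd 65c1 70b1 .f:......}..e.p.
0x0020: 5018 ffff eb8f 0000 3320 4c4f 4749 4e20 P.......3.LOGIN.
0x0030: 7469 636b 6574 3235 3840 656c 692d 6e70 ticket258@eli-np
0x0040: 2e72 6f20 2261 6e64 726f 6964 7061 726f .ro."androidparo
0x0050: 6c61 220d 0a la"..
"""
# Constructed greeting of a server that requires TLS before any login.
HARDENED_GREETING = (b"* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE "
                     b"STARTTLS LOGINDISABLED] Dovecot ready.\r\n")


if __name__ == "__main__":
    for label, dump in (("capability", ANDROID_CAPABILITY), ("login", ANDROID_LOGIN)):
        raw = tcpdump_hex_to_bytes(dump)
        print(label, assess_capabilities(raw), find_cleartext_logins(raw))
    print("hardened", assess_capabilities(HARDENED_GREETING))
```

Run against the two page packets the script reports STARTTLS advertised alongside AUTH=PLAIN and AUTH=LOGIN, and a LOGIN for ticket258@eli-np.ro with a 13-character password; against the constructed hardened greeting it reports no plaintext mechanism and LOGINDISABLED. On Dovecot, the server side of that hardened state is `disable_plaintext_auth = yes` together with `ssl = required`, which is what removes the plaintext mechanisms from the port 143 capability list.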

Conventionally, there is no separate setup step that would encrypt the E-Mail body independently of the credentials: as the misconfiguration example shows, the whole process of sending an E-Mail happens within the same session, so if the session is not encrypted then the body of the E-Mail is not encrypted either, and it is safe to assume that the E-Mail body was transmitted in plaintext. Once the account is configured, E-Mail clients perform no "re-evaluation" of the cryptographic settings, since that negotiation is part of the account setup, so all subsequent communication simply takes place unencrypted.

Interestingly, Apple Mail refused to set up an account using plaintext IMAP, yet Android and Microsoft Outlook were happy to accept no encryption as part of the setup wizard without any complaint. Even so, users are not necessarily versed in determining whether that is alright or not. Apple, by contrast, adamantly refused and even stated that it would not set up an account over an unencrypted session.

The impact is that the credentials and the E-Mail body were exposed on every network segment between the location from which a user accessed the ELI-NP server and the ELI-NP server itself in Bucharest, Romania. At the very least, the E-Mail content and the credentials have to be considered compromised, so that, at a minimum, the users should be made aware in order to change their credentials and mitigate the leak of their correspondence. From the official data, the leak affects about 500 souls at the Extreme Light Infrastructure (ELI-NP) (500 being the "original number of employees when ELI-NP was founded" and probably not the actual number of employees when the leak took place in 2020), since receiving an official E-Mail address is part of the hiring process.

Reception

A data-breach notification was filed with the E.U. E.D.P.S.; however, as former experiences confirm, the E.U. cannot be bothered and redirects the request to the Romanian data protection agency, the A.N.S.P.D.C.P. Given the sensitivity of this issue, the actual submission of the document was literally recorded on screen and then a follow-up E-Mail was sent to the A.N.S.P.D.C.P. in order to re-confirm that the issue had been filed with them. Curiously enough, the A.N.S.P.D.C.P. does not answer at all in this case, even though the A.N.S.P.D.C.P. typically answers, even if the answer is not always the most useful of answers. Once papers are filed, at the least a formal response has to be formulated (outside this case, and regardless of the source, our experience has been that people prefer talking in person or via the phone, in order not to leave a paper trail that could later be cited).

Four years later, and with our help, the A.N.S.P.D.C.P. was contacted again by the source in order to ask whether they had received the data breach notification and whether anything had been done since then. Ultimately, because we are acquainted with the 51 different security agencies in Romania, given the previous cases and the continuous harassment, we also placed Mr. Tolontan, an investigative journalist, in CC of the E-Mail in order to ensure that at least someone other than the people involved with the A.N.S.P.D.C.P. receives a copy of the E-Mail.

The A.N.S.P.D.C.P. answers this time, after a few weeks, by stating the following:

  • It turns out that the data operator, the one guilty of the data breach, is the one that must file a data breach report, and that the data operator (i.e. the people at IFIN-HH and ELI-NP) has not filed any report.
  • Next, the A.N.S.P.D.C.P. claims, citing "[…] the complaint is inadmissible to our competences because the usage of IMAP and POP3 [comment: and not their secure counterparts, which was the whole point of filing the complaint by the source 4 years ago], do not automatically lead to a breach of data […]" and that "[…] no conclusive proof has been found to lead to a breach of G.D.P.R. rights at the National Institute of Physics "Horia Hulubei" […]".

The point that IMAP and POP3 (without any encryption) do not automatically lead to a breach of data is just false. Any non-encrypted data is by default observable across a network (ultimately, that was the main point of encryption when it started to be added to the stack of various environments, once networks exceeded the reach of universities). In fact, the reverse would be more true, namely that the lack of encryption automatically leads to any communication being observable. It is tough to believe that Mr. George Balaiti would sign something like this had he been advised by someone with the necessary background in computers, someone able to make such statements and to assume responsibility for them as an expert within their competences. More than likely, this is yet another case of dismissive responses, the kind we have become accustomed to from Mr. Micol at the European Community while he was responsible for G.D.P.R. matters, where the response is, sordidly, just a refusal to do work. To us, the response from the A.N.S.P.D.C.P. is clearly an attempt to cover for the IFIN-HH and the ELI-NP. However, we would like to reserve this discussion for a follow-up sub-section that discusses the finer implications of this case.

Mr. Zamfir, the CEO of the institute, is also made aware, along with Mr. Allen Weeks; neither of them even bothers replying.

A follow-up response is formulated to the A.N.S.P.D.C.P. in which they are made aware that it is well within their mandate to follow up with an investigation given any probable cause, and that, in spite of them pretending that "no proof has been provided", proof was in fact overtly provided, and the submitted proof should be sufficient for a follow-up investigation by institutions within Romania that have the necessary competences to perform such investigations. The source claims that during their employment it was not the first time that matters of the G.D.P.R. had been brought up, but in fact quite a few times, and protocol was mostly followed. However, the A.N.S.P.D.C.P. apparently took it upon themselves to be the proverbial judge, jury and executioner and to outright drop the case based on their own judgement, citing "[…] the complaint is inadmissible to our competences because the usage of IMAP and POP3 [comment: and not their secure counterparts, which was the whole point of filing the complaint by the source 4 years ago], do not automatically lead to a breach of data […]". The response phlegmatically tells them that the source (sometimes labelled a witness, other times labelled a victim) does not owe these institutions anything, let alone "proof" of the quality that an investigator can produce, and that if they had probable cause, they should have petitioned the institutions responsible for such matters following their own protocol.

We wanted to create a "finesserie" section but decided to state the same matter here. Another slippery slope that we observe, even in the global sense, is some sort of subtle disrespect towards constituents in general, which comes across as very awkward. The source that sent this notification is not some outcast of society; rather, full credentials were provided and, in this case in particular, the source themselves was one of the people responsible for matters of security, so the response from the A.N.S.P.D.C.P. comes across as bold, especially by claiming the exact opposite of what the source claims. It is true that the source was not the data protection officer, but the source was, in fact, delegated officially and contractually to spot vulnerabilities and report on them, so the information is supplied by someone who does have the background to call Mr. Balaiti's statement, namely that the usage of IMAP and POP3 (and not their secure counterparts, IMAPS and/or POP3S) does not lead to a data breach, laughable. It is a bit of a slippery slope, we find, because typically political figures are more or less, via the label itself, supposed to occupy themselves with politics, and even in a court of law, experts in the professions where the claims are being made are brought to testify, not political managers. It's subtle. If you end up working as a manager, you're supposed to carry out managerial work, even if your base degree just happens to be in the same domain that you manage. Your own evaluation does not hold weight at all in a court of law, unless you are incidentally cited as both the judge and the "expert" in a case, which in any equitable court you are not; someone impartial to the case is cited as a referential expert.

This is more of a European vs. US problem than a problem with Romania itself (amplified, at best, by some notion of ego); in Europe the government names itself as expert even in matters where the government is not an expert, with civilians being seen as adversaries even when they factually are experts, whereas in the US the government, generally speaking, respects its civilian experts according to their credentials. Perhaps a consequence of the distinction between common law and written law.

Another point that has to be made is that the A.N.S.P.D.C.P. tends to use font styles on … snippets, ranging from single words to full sentences, and sometimes it is not exactly clear why, because what they try to highlight does not really seem relevant in context. After many years of seeing this as papers are brought to us by sources, we now believe that this is some sort of… way of making statements without making statements (or rather, a solution to Ms. Óðinsdóttir's inability to distinguish between a statement and a question). It goes like this. In this context, the A.N.S.P.D.C.P. underlines a citation from the law where the operator is absolved from submitting a data-breach report, citing "unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.", but the A.N.S.P.D.C.P. does not directly state that, well, "the breach is unlikely to result in a risk to the rights and freedoms of natural persons.", which means that they cannot really be held responsible - they just underlined a citation but they did not imply it! We could send back a response where we cite laws against pedophilia and underline and embolden the quotes, even though we have no proof thereof nor is there any connection to this case! Yes, it's just that trite. It's like the government itself is directly gaslighting you by changing font sizes, along the lines of "judge, jury, executioner" and now also playing the role of the criminal as well, as in "judge, jury, executioner and criminal"!

A More Ample Outlook

Again, the point has to be made that most of this springs purely from malice, none of these cases being mere "accidents", and that most of the people in such cases participate wilfully, based on their own choices, and are not coerced to participate if they hold different opinions.

The other behaviours witnessed at DFCTI IFIN-HH, in particular the harassment of several colleagues, are definitely at the very least an "optional participation", and anyone who disagrees has plenty of measures at their disposal, from complaining like the source up to resigning or finding a different job. Even attempting to defend the people that were harassed by the staff led to people answering with attitudes along the lines of "are you in love with them?" (apparently this is something common in Romanian workplaces, as we have been told).

Given the setup, it seems trivial to explain why it often comes to tragedies, perhaps as a response to publications in the Romanian press regarding the abuse of individuals - well, no, it is clearly not the fault of "evil corporations", but rather of bad management, nepotism, false values and the overreaching arm of an overly obese government along with its numerously affiliated institutions. It would be so much more convenient to put one single person, one single institution and, given the European context, just one single country in the corner as a scapegoat and blame them for the perceived decline. There is some form of retribution, but ultimately it does not prevent Romania and Romanian society from acting as a trap, where, let's say, the bad reputation of Romania acts as the only deterrent to others approaching the country. Ultimately, these are the same people that vanished during the Romanian communist revolution, spared themselves all the blame and then reappeared much later in order to do exactly the same as they had done before, all the while being very adamant about covering their past. It's like, 2nd up, in a game!

Even as regards remedial measures, the overall perceived feeling has been one of a government with all powers blended together into one, determined to use all the means at its disposal to, remarkably, cover up such cases instead of being genuinely curious to find out the real reasons behind the problems that it then goes on to complain about in other forums. Even with reference to the European Community, we have seen people that we would have expected to jump off their chairs when these cases were brought to light, namely because these cases represent a breach of their own agreements and their own laws and not just some made-up pretense that someone might have had, turn into some villain from a cheesy spy movie, opting to side with corruption and with fraud to the detriment of everyone else. It is a more powerful impression than, let's say, disproving someone in a discussion where some opinions are exchanged without any responsibility being wagered - it's like catching police being criminals, compared to, say, nobodies being criminals.

The European Community, when contacted, always seems to offload all the responsibility onto the country, claiming that they cannot interfere. However, the EU in this case does fund the A.N.S.P.D.C.P., so the measure to address any sort of incompetence that the EU might get wind of seems straightforward: not financing them any further. We disagree, and in particular, for countries like Romania, where the corruption is not exactly "unknown", the financing does indeed become some form of interference. Ultimately, regardless of whether this case is processed or not, forgotten or otherwise, the A.N.S.P.D.C.P. will carry on getting financed, so why bother to kick up a kerfuffle when… "we can all be friends, a, Tovarashi?!".

On the other hand, we generally like the European Community and the European Union, but these issues come across as a trap to others that might take the prestige granted by the EU to these countries for granted and then end up being caught in a trap. If you asked us, instead of the European Community, whether you should come to Romania and open a business, we would definitely tell you NO and we would offer up these investigations as justification. Hence, from there, other privacy-related questions:

  • Are you sure you want to use the Romanian VPN? No.
  • Are you sure the Romanian company will delete your data? No (and that does not even need G.D.P.R. breaches to be justified).
  • … Do you want to visit Romania? If you will be doing anything in Romania that you want to be kept a secret, then no.
  • Do you want to share database data, questionless travel through your city and country and various other forms of government controls with Romanians, such as Schengen accession? No. Actually, given recent history, not just "No." but rather "please not", because any other weapon handed to the Romanian authorities will be used upon their own population, given the antecedents highlighted by the press.

Do you get it now?

Of course such revelations are not necessarily altruistic, in particular remembering that bridges do go both back and forth and that these people, given the privilege and opportunity, might as well just do the same somewhere else. Romania has within its history entire divisions of its espionage apparatus that were responsible for capturing people that "fled" Romania and bringing them back, so anyone leaving or planning to leave should be concerned that the old habits either die hard, have not died at all, or, as the memetic enlightenment strip goes, are in fact now put on steroids by European funding.


private_investigations/the_eli-np_data_leak.txt · Last modified: 2024/11/02 07:55 by office
