Preamble

Found on the ground during the last days of work next to the office.

About

The story is recollected by an individual who decided to talk to us about a case involving a very large data leak at the Extreme Light Infrastructure (ELI-NP) at the Institutul Național de Cercetare-Dezvoltare pentru Fizică și Inginerie Nucleară "Horia Hulubei" (IFIN-HH), in which the staff, the management and the Romanian police participated in the attempt to cover up the accident. As per our sources, to our knowledge there has never been any official acknowledgement of the data leak. The leaked content consisted of authentication credentials (usernames and passwords) as well as E-Mail body content that ended up transmitted in plain text, depending on how the various users had configured their mail clients.

We like to stick to facts because ultimately that is what matters, but we suppose that some more "background" is necessary, in particular for institutions such as the IFIN-HH, in order to comprehend how such leaks occur, how come they are never made public, and why the perpetrators end up getting away with it even when the European Community is aware, but also as a more general overview of the IFIN-HH. That being said, some background will be offered first, and then only the facts will be listed in chronological order without further explanation, such that if you are looking for just the technical gist of it, you can skip to the memorandum. The "background" is provided because multiple "employer" rating websites such as Glassdoor, as we are told, delete the content posted by former employees, and because of one case of Romanian online mobbing on Wikipedia that attempted to bury the truth, such that it seems more of an imperative (or a last resort) to get the truth out some way, given that all these online venues are either corrupt or have been corrupted. That said, if you are just looking for the core narrative of this case, please see the memorandum section. If you would like more background, factual but only tangential to the case itself, then carry on reading.

Background

The IFIN-HH institute was founded by Dej, the former "president" of Romania before Ceausescu, and the IFIN-HH became a hotbed of controversies, with most of the staff being members of either the Romanian communist party or part of the Romanian Securitate. These were the sort of "faux" scientists who, due to international cooperation, ended up doing favors for various people around the world, with the result of ending up involved with organizations ranging from the Italian mafia up to even more prestigious institutes such as the Max Planck institute in Germany. Many of these people became "well-known" across the years, yet due to their political involvement with various shady or not-so-shady structures, most of their "academic prestige" became more closed-circuit over time. For instance, you would find academicians (an institute of prestige, an ode to entitlement and a monument to elitism) who, even though they would have a large number of publications, would spend their time in Russia telling the KGB how food made out of children is sold in Romania, of course for the benefit of being invited again to Russia with a relatively large additional wage.

Many of these people literally burned their communist party membership card on the stairways at the IFIN-HH when the revolution came, for the sake of not being "caught" as an avid communist party member. Some of these people often made it a story that they were somehow "coerced" or "forced" into the Romanian communist party, yet at the time, becoming a member of the Romanian communist party was, in fact, "competitive" due to the many additional benefits that would be bestowed upon anyone who became a party member. For example, if you became a member, you were immediately entitled to a second house or apartment, which was great, especially for a growing family. Similarly, becoming a "communist party" member was not only competitive, but also a matter of "purity" where, for example, you would have had to quit the Romanian Securitate in order to become a communist party member (with the Romanian Securitate, as complex as it might seem, being seen as "too dirty" for a proud communist party member).

Then again, many people, for example Mr. Nicolae Victor Zamfir, one of the researchers at the time, who struck their gold elsewhere and via other means, turned the story around after communism and even went as far as stating that they were somehow coerced, victims, or even "blackmailed" into joining the Romanian communist party, which, given the actual history of both the Romanian communist party and the Romanian Securitate, is quite controversial given the many benefits one would have had. For example, and perhaps even tied to the Romanian online mobs that crawl the Internet in order to save Romania's reputation, a former investigation into the history of Mr. Zamfir's page on Wikipedia turns up a quote that is fairly funny given the context above:

"Deși înainte de decembrie 1989, supus presiunilor acelor vremuri este forțat să devină, datorită rezultatelor sale excepționale, unul dintre liderii UTC, totuși imediat după revoluția din 1989 pleacă în Germania. Dovadă că și astăzi, institutul pe care îl conduce are o bună deschidere spre străinătate. [..]"

which translates to:

"Even though before December 1989, given the pressures of the time, he is forced to become, due to his exceptional results, one of the leaders of the UTC (Uniunea Tineretului Comunist, Romanian Communist Youth), thus immediately after the revolution from 1989 he leaves to Germany."

Judging just from how the person writing this has contorted the sentence so much that, even in Romanian, it does not make much sense (i.e. the "Even though" does not really correspond to any counter-"though"), you can observe how much the writer of this text is lying. Similarly, the quote continues with:

"Proof that even today, the institute that he leads has a good opening (translate fail, gen. "overseas")."

which seems to be more in tone with communist propaganda than actually factual. As propaganda goes, it typically holds oratorical value at the expense of grammar (i.e. the sentence does not even bother to bless the reader with a predicate: "Proof that even today, ...").

Looking at the page history, the insertion of these sentences was made by a user named "Mondan", who does not have any other edits on Wikipedia and whose user page on Wikipedia is blank.

This content stays up on Wikipedia from 2007 to about 2023, when some users seem to start a fight by pointing out that the sentence is junk, has no citations and hence must be removed. However, this is met with phenomenal resistance from users who attempt to drag the discussion into ToS violations, with editors such as Andrei Stroe deflecting the discussion, spewing complete nonsense and for some reason requesting proof that Mr. Zamfir even was a member of the Romanian Communist Youth (UTC). Ironically, Mr. Zamfir's membership of the UTC is actually a pretty public fact, and in his own words, Mr. Zamfir states for B1 TV (a TV station in Romania) that he was a party member, such that all the resistance from these users is just for the purpose of saving face and deflecting from the truth.

As a general frame for the institute, this is a Molvanian-like structure (one of the newest reactors in Eastern Europe), with big hopes being sold to Romanians. The ELI-NP project is written about in the press, depicted with images as the harbinger of flying cars, suspended fast rail trains and other elements of promise as if captured from "Zorba the Greek", that ended up narrowing down, well, to just cutting the street in half with one half dedicated to bicycles, and so poorly made that the whole cannibalization of the already existing infrastructure turned into a flash point of accidents. Do not go there at night, because you might just start driving on the pavement. Otherwise, like in a Kusturica movie, Mr. Zamfir can be read in various magazines, making brave statements on how Romania is going to win the Nobel prize and other expressions of grandeur that, welp, at least to this date, did not come to fruition.

Whilst all of that is more interesting from a historical perspective, it is still fairly benign albeit hopeful, with no harm done; or at least, so far, it might seem petty but not a show stopper. One letter received by us, from an alleged source, contains an attachment that is supposed to be an E-Mail that had allegedly been sent by an employee at the IFIN-HH to some other employee, and here is its content. This is where it starts to get a little … strange.

The employee claims that they and their spouse have been harassed after the spouse raised some concerns about the ELI-NP. This includes, citing the letter, "anonymous phone calls during the night" and/or various noises being made during the night to prevent them from sleeping, along with the reaction of the staff at ELI-NP / IFIN-HH against these two employees who even dared to question the ELI-NP project. The letter ends by claiming that due to the stress, the spouse of the employee got ill and died, with the surviving spouse asking the receiver of the letter to comment and contribute to one of the sites that they maintain as a testament to what happened to them. Surely, quite unbecoming of a Yale graduate, a person courted by Romanian masonry (and who knows what other para-organizations) and a Romanian "academician". Ultimately, with all the prestige that Yale might convey, you surely do not want to be remembered as the person who was in charge and let this happen to these two employees, regardless of how financially vested you might be in a project or not, especially given that these two individuals did not seem to pose much of a threat and the project would have been built anyway regardless of their comments.

Otherwise, the whole scene is roughly the same as with most ex-communists who drew benefits back then and draw benefits now: the overreaching SRI backed by the police, gendarmerie and others that perpetuate an institute filled with shady and suspicious communist swamp dwellers who fight for the adulation of foreigners and the dissolution of their own communist past. Which is interesting for a country that never truly covered its own communist extermination camps, but actually perpetuated them on external funding.

A lot of the staff that seem politically connected, as in holding positions of leadership where the line between "scientist" and politician becomes blurry, hold the citizenship of numerous other countries, making it seem like if they mess up in Romania, they can jump into the next available boat and float away to Germany or perhaps the USA. Mr. Livius Trache, for example, another "value" who, as sources claim, used to chase lots of women during his University years, now also a Romanian "value", is the holder of dual citizenship, both Romanian and of the United States. You get the idea though: if things go bad, board a plane and you're out, and while that seems funny, it also seems something along the lines of a "conflict of interest", where leadership positions pertaining to the state or funded out of public money should not allow such a waiver of responsibility. Similarly, and closing in on the case itself, a letter received shows an E-Mail sent to the IEEE describing various instances of, to put it lightly, misbehavior at the "DFCTI: Computational Physics and Information Technologies" under the leadership of Mr. Mihnea Dulea.

To name a few, as related by the source and the received materials:

  • the open and organized harassment of some members of staff, taking place right in front of the CO, Mr. Dulea, to an unprecedented level, with the individuals in question going as far as attempting suicide (small callout here to recent events in Romania regarding the alleged "overworking" of a Romanian woman that ended up being blamed on "corporations"),
  • requests to employees to spy on each other, extended by Mr. Dulea and justified by the need "to fire them",
  • various cases of sabotage at the workplace, right down to employees disconnecting each other's servers in order to set each other up,
  • outright violence, down to fist-fights between members of staff with no repercussions, given that the offender's family is also a member of the Romanian parliament,
  • violations of correspondence, apparently a long-standing problem at the IFIN-HH, where department leaders and the technical staff rummage through E-Mails (with a lot of controversy around the subject being raised), with the added "resistance" of the leadership to delegate the responsibility to "uninterested third parties", hinting at the interest of the staff in preserving control and a monopoly over correspondence,
  • no "real" application process, with management staff claiming that they do not have "open applications" because if they made the jobs public, then they would allegedly not find "trustworthy" people; the procedure is to first find "someone trustworthy", more along the lines of "members of the family", and then to publish the position, as required by law, but to reject any application regardless and hire the "trustworthy person",
  • no real accountability or responsibility, with "round tables" being established in case something happens, but only for show, with the offending party not really being sanctioned in any palpable or consistent way, and with raising the issue being more detrimental to the victim than to the offender (even in cases where both can be clearly distinguished),
  • all manner of "finesserie", such as sexual harassment, when brought up during meetings, being treated more or less as a joke, both by male and female staff, even though the institute is notorious for such matters,
  • people hiring their spouses (for example, Mr. Dulea hiring his wife) within the same department, even though it is considered a conflict of interest in Romania,

or otherwise a full swing of the proverbial dial on measuring the scale of what is called workplace toxicity.

Memorandum

As related by the source, an employee at IFIN-HH in the DFCTI department, with Mr. Dulea being the CO, here is the full sequence of events. Bear in mind that from top to bottom, during the whole affair, the source was acting squarely within the obligations of the contract between themselves and the IFIN-HH, such that this is one of those infamous Romanian cases where a company desires something but when they get that something they are unhappy because the results are too good. More to the point, the source was deliberately asked to look into vulnerabilities and tasked with that directly by Mr. Mihnea Dulea, such that all of this is very much legitimate. Furthermore, there had been other incidents in the past, reported the very same way, that were resolved. As we interviewed the source, it became sort of obvious that the institute did not anticipate the capabilities of the source, and when they started having to plug all sorts of critical security issues, they became irritated. Maybe they can hire someone more incompetent in the future; that way, at least, they can claim that they do not have vulnerabilities! Either way, here is the rundown:

  • An E-Mail is received at the work E-Mail of the source from an employee that needed some work to be done,
  • The employee is asked, as per Mr. Dulea's instructions, to open a ticket instead of sending the E-Mail (this is relevant because Mr. Dulea, the CO of the DFCTI, will later claim that the ticket system should not be used, which is contrary to the code of conduct that Mr. Dulea himself establishes; also, not the only contradiction, as shall be seen).
  • The ticket is attributed to the source for processing.
  • As it turns out, mail.eli-np.ro, the MX of the mail server of the ELI-NP, did not have its forward-confirmed reverse DNS (FCrDNS) set up properly, such that the mails sent from the ELI-NP mail server were sent from an IP address that did not resolve to the host name; the source suggests contacting the people responsible for the ELI-NP server, due to this issue being fairly critical in terms of misconfiguration and possibly leading to E-Mails from ELI-NP being rejected by other mail servers and/or being classified as spam (FCrDNS being mandatory at the time of writing).
    • On closer investigation, the Sender Policy Framework (SPF) rules, something that the CO of the DFCTI, Mr. Mihnea Dulea himself, is very adamant about, seem to be broken for the ELI-NP mail server, such that a followup is made to Mr. Laurentiu Serban and Mr. Mihai Ciubancan. Interestingly enough, Mr. Serban seems more versed in how things go down, such that he does maintain a polite attitude, contrasted to, say, Mr. Mihnea Dulea, who goes far out on the slander and libel (as shall be seen later on). In brief, the E-Mail states that Mr. Serban and Mr. Ciubancan have resolved the problem of forged envelope senders being accepted by the ELI-NP mail server, and Mr. Serban states that he is adding Mr. Vasile to the discussion because the mail from the source asked for Mr. Ionut Vasile to be notified that the SPF has to be fixed:

  • Mr. Ionut Vasile is added to the ticket as being responsible, claiming that the "junk" in the SPF line has been deleted (oof, big bracket: mostly a snarky remark; Romania is in the stone age regarding computers and computer science, most of any reputation being just a LARP, such that some terms do not carry over easily; there are difficulties in spelling out expressions such as "forged E-Mails", the closest being perhaps "counterfeit E-Mails", which sounds dumb, or the word "junk", with "junk" as an example being directly translated to "gunoi", yet in Romanian "gunoi" can come across as offensive to some level, such that this individual, Mr. Vasile, takes offense and also mocks the translation, something that is a bit of a recurring problem with this employee) but also claiming that there was some "logic" to the SPF line. Carrying on and summarizing, Mr. Vasile follows up, stating that FCrDNS has been added and that the SPF rule has been fixed (junk / garbled SPF line fixed), but also claims that the garbled SPF line / "junk" in the SPF line was intentional and at some point had a meaning. He states that he considers that the ticket can be closed.
  • A followup is made by the source explaining that, due to the cited grammar of the SPF record, there is no possible combination that could lead to what was formerly within the SPF rule, such that it could only have been junk, and Mr. Vasile is asked to explain what logic he is referring to. It is also explained to Mr. Vasile that the current "fix" for the SPF, given his changes, will not work because the rule is not properly composed. Mr. Vasile is asked politely to "check again".
  • To keep the story concise, the ticket is eventually closed and resolved, but with a lot of whining from Mr. Ionut Vasile, who cannot contain himself when it is made known to him that his fixes do not make sense and that the problem is, in fact, not fixed, such that he loses his cool and whines about "being lectured". To our impression, this is just Mr. Vasile being emotive; it is standard procedure to back up your claims with quotes, instead of (maybe?) just saying "it don't work, son". It certainly was not meant to lecture him, but apparently it ended up doing so, given that another followup was needed to get the matter resolved. Also, the cargo-cult adagio, without any justification or explanation, of "it had some logic but now it has been deleted" just does not hold in the absence of an explanation and seems more like a way to save face than anything factual. Citing the RFC grammar and saying that there is no possible composition to match the broken SPF he configured is pretty watertight. However, as will be discussed later on, Romanians do not have the capability nor the propensity to value facts over drama, with many people "just getting away" by throwing tantrums. We should also add that maybe it is a cultural thing, especially since it is both the source's and our own experience that Romanians, for whatever reason, consider replying "in-line" as impolite, apparently the judgement being that it would somehow be perceived as dismissive, but we are unsure. At the very least, it bears remembering that replying to the point or in-line by citing the correspondence is apparently seen as "impolite" by Romanians, so perhaps that is something else that added to Mr. Vasile losing his composure. Ultimately, for whatever hierarchy can be established, the source actually reported to Mr. Mihnea Dulea (as a by the way, as per a direct quote from the contract, "reports directly to […]"), such that Mr. Vasile's lecturing is just infatuation (i.e. the source could have just told him to fuck off, which is apparently also something fairly acceptable in Romania):

  • Nevertheless, it seems very suspicious that such a highly acclaimed department as the Romanian Extreme Light Infrastructure would have a petty mail server configured so poorly, and given that it is within the source's attributions to seek out issues (as per their contract), the source follows up with a further investigation of the mail server. And the hunch is correct: the former is not the only problem!
  • A new ticket is opened some time later, containing a very detailed problem report (as per the source's contract and as per Mr. Dulea's requests), and to summarize:
    • The source discovers that the sender can be forged due to the E-Mail server being misconfigured (it is also spelled out as "falsified mails" to appease Mr. Vasile, even though that expression is fairly dumb). In other words, you can connect to the ELI-NP server, define the envelope sender as any username ending in @eli-np.ro and then send E-Mail to the employees.
    • The ELI-NP mail server permits POP access without any SSL/TLS, thereby leading to the potential disclosure of all credentials and mail body content of all users that might have configured their mail client to use POP (highly likely, people being mostly paranoid-with-good-reason, and given that POP downloads their E-Mails locally with the additional benefit of deleting them from the server) [the first leak method],
    • IMAP access is also provided without any encryption [second leak method],
    • Based on the former, a case study is made where it is determined that widespread E-Mail clients (except Apple Mail!) all accept setting up accounts, even automatically and without warning, if no encryption is advertised by the E-Mail server, which would imply that anyone since the inception of ELI-NP who set up their E-Mail account with any client (including Android) would have their whole mail correspondence leaking from the point of access of their E-Mail account all the way to the ELI-NP mail server in Bucharest, Romania. For a research institute this is rather bad because, contrary to any other profile, researchers are "meant to travel", such that they would have had to access their E-Mail remotely and many times. Unfortunately, people use work E-Mail for private affairs, many times also with their bank accounts and other details contained within the E-Mails, which all in all is a pretty catastrophic leak (to try and put out a forest fire with a 1L bottle, at the very least, the users should change their passwords...). At the end of the analysis, the source themselves seem to panic and end with "I do not even know what has to be done..."
    • 8 hours later, Mr. Ionut Vasile closes the ticket without any explanation. The source checks whether the issue is resolved and apparently it is not,
    • The source opens up yet another ticket, asking why the previous ticket has been closed and without any resolution. No response is received.
    • 4 hours later a snarky E-Mail, like never before (? no bad blood before either), is sent by Mr. Mihnea Dulea making all sorts of claims about being absent from work, having "lots to talk about" with colleagues, claiming some procedural omissions that have been made referring to holidays (you know, the kind that are never respected anyway); claims about clocking in are made and requests to meet in person are extended.
    • A followup is sent by the source, thanking him for taking the time to write (the drivel) but noting that the ELI-NP server is still leaking and asking again to solve the issue before anything else is discussed (of course, setting him straight has to be performed; for example, he needs to be reminded that "discussions with colleagues", when referring to the data leak, are not "as in beer" but rather asking them to plug the leak; along the same lines, he has to be reminded that "you have many problems to discuss" are not personal problems but rather professional problems, and incidentally with reference to their staff, not the source, being unprofessional in closing down the ticket without remedy and/or misconfiguring the server in the first place).
      • A small trap is extended to Mr. Dulea, asking that all further correspondence between him and the source should henceforth, at the request of the source, be performed using the Romanian politeness form. In principle, the law is such that polite ways to address people are more or less negotiated on a best-effort basis between two people, regardless of any structure: if someone wants the politeness form to be used and the other person is not using it, then by Romanian law the person not using the politeness form is obliged to use it. There is some "insider information" that the source added, stating that in a previous conversation between the source and Mr. Dulea, Mr. Dulea told the source to only use the politeness form when addressing him (Mr. Dulea) but not to use the politeness form with colleagues. The source mostly signs with their first name in most correspondence (maybe even when they shouldn't!), such that politeness is irrelevant, but due to Mr. Dulea's request, this small adagio to the case was launched into the fray. Mr. Zamfir, the CEO of the institute at the time, is informed of the problem as well, mostly in the hope that someone, well, in context, lucid enough can be reached to plug the leak.
  • Overall, it takes the staff at IFIN-HH / ELI-NP about two days to finally close the ports, with the source having to deal with the funny slander coming in from Mr. Dulea whilst at the same time juggling the tickets on the ticket system as people start to become interested.
  • After the ports are closed, Mr. Dulea follows up with more slander, libel, various veiled threats, funny delusions of grandeur such as "I only use the politeness form with people superior to me", or even calling the source a "wannabe persecuted hero", or to cite the full "pâté" spelled out in Mr. Dulea's E-Mail: "Vrei in schimb sa pozezi in erou persecutat in fata …, a dlui director general, etc., erou care si-a sacrificat prezenta la serviciu pentru a salva institutul. Multumesc pentru inchiderea porturilor." (roughly: "Instead you want to pose as a persecuted hero in front of …, of the director general, etc., a hero who sacrificed his presence at work to save the institute. Thank you for closing the ports."). Mr. Dulea apparently states that there was a legitimate use for the non-secure ports; however, the case is such that Mr. Dulea's own "Security Guide", which he wrote with the source's and Mr. Vasile's help, explicitly forbids any non-secure ports to be exposed, such that he contradicts himself and his own work. To cite the full sentence: "iar inchiderea porturilor se facea oricum. De ce s-a tot amanat, cred ca stii, nu este un secret ca sunt unii utilizatori legitimi ai porturilor respective (pe care o sa-i directionam catre tine daca cer explicatii pt. intreruperea accesului la email)." (roughly: "and the closing of the ports was going to happen anyway. Why it kept being postponed, I think you know; it is no secret that there are some legitimate users of those ports (whom we will direct to you if they ask for explanations for the interruption of E-Mail access)."), where he also mentions "sending the users of the non-secure ports" to the source, which does not really seem like a … plausible solution, nor too rational a statement. More importantly, the source is invited to some "backroom discussions" and, without being able to know the contents of alternative universes, one can only speculate that more than likely it was an invitation to have a talk that would not have seen the light of day; then again, given the sensitivity of the matter, the invitation is discarded by the source. There is also a funny phrase where Mr. Dulea, it is reasonable to suspect, sort of knows that this will not end well, where he asks why the source is addressing Mr. Ionut Vasile using the full title; that seems to be irrespective of his lack of knowledge of what is contained within the "Code of Manners" book, but rather, to us at least, seems to be a premonition that this case will be acted upon given the formalities.

  • Either way, for what is important, it is clear that Mr. Nicolae Victor Zamfir, the CEO of the ELI-NP and, at the time, the director of IFIN-HH, has been informed, given that he is to be found within the CC line.
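The SPF argument in the ticket above (a record either fits the RFC 7208 grammar or it is junk) and the FCrDNS check can both be mechanised. The following is an added example, not code from the report or from IFIN-HH's own tooling: a syntax check for SPF TXT records and a forward-confirmed reverse DNS check whose two DNS lookups are passed in, so that the constructed answers used when testing it stand in for real resolver calls.

```python
import ipaddress
import re
from typing import Callable, Iterable, List, Optional

# RFC 7208 terms: mechanisms take a ":" argument (or "/cidr" for a and mx),
# modifiers take an "=" argument. Any other term is not SPF.
_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
_MODIFIERS = {"redirect", "exp"}
_DOMAIN = re.compile(r"^[A-Za-z0-9._%-]+$")  # deliberately loose domain-spec


def _valid_argument(name: str, arg: Optional[str]) -> bool:
    """Does `arg` fit what mechanism/modifier `name` is allowed to carry?"""
    if name == "all":
        return arg is None                       # "all" takes nothing
    if name in ("include", "exists", "redirect", "exp"):
        return arg is not None and bool(_DOMAIN.match(arg))
    if name in ("a", "mx", "ptr"):               # optional domain, optional /cidr
        if arg is None:
            return True
        domain, _, cidr = arg.partition("/")
        return arg != "" and (domain == "" or bool(_DOMAIN.match(domain))) \
            and (cidr == "" or cidr.isdigit())
    network = ipaddress.IPv4Network if name == "ip4" else ipaddress.IPv6Network
    try:
        network(arg, strict=False)               # ip4:/ip6: with optional prefix
        return True
    except (ValueError, TypeError):
        return False


def spf_syntax_errors(record: str) -> List[str]:
    """Return the terms of an SPF TXT record that do not fit the RFC 7208
    grammar. An empty list means the record is syntactically valid."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [record or "<empty record>"]      # not an SPF record at all
    errors = []
    for term in terms[1:]:
        head, _, tail = term.partition("=")
        if tail and head.lower() in _MODIFIERS:  # modifier: name=value
            ok = _valid_argument(head.lower(), tail)
        else:                                    # mechanism: [qualifier]name[:arg]
            body = term[1:] if term[:1] in "+-~?" else term
            if ":" in body:
                name, arg = body.split(":", 1)
            elif "/" in body:                    # a/24 or mx/24 shorthand
                name, arg = body.split("/", 1)
                arg = "/" + arg
            else:
                name, arg = body, None
            ok = name.lower() in _MECHANISMS and _valid_argument(name.lower(), arg)
        if not ok:
            errors.append(term)
    return errors


def fcrdns_ok(ip: str, reverse: Callable[[str], Iterable[str]],
              forward: Callable[[str], Iterable[str]]) -> bool:
    """Forward-confirmed reverse DNS: at least one PTR name of `ip` must
    resolve back to `ip`. The two lookups are passed in (wrappers around
    socket.gethostbyaddr / getaddrinfo in production, fixed tables in tests)."""
    return any(ip in set(forward(name)) for name in reverse(ip))


if __name__ == "__main__":
    # Constructed records: the first is well-formed, the second is "junk".
    print(spf_syntax_errors("v=spf1 mx a:mail.eli-np.ro ip4:194.102.58.7 -all"))
    print(spf_syntax_errors("v=spf1 mail.eli-np.ro ip4:194.102.58.7. -all"))
```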

Technicalities

The following is provided due to its contribution to computer security in a broader sense, especially since part of the problem is that mail clients accept configuring mail servers without any sort of encryption; everything will be covered in detail. For completeness, here is the output of an online port-check tool that verifies servers remotely and that demonstrates that the IMAP and POP plaintext service ports were open on the mail server at ELI-NP:

The IP address reading 188.27.74.96 is the IP address of the source performing this check remotely, outside the institute (IP records indicate "RO-RESIDENTIAL"), and with the port-checking tool also being remote to ELI-NP, such that the data leak is not restricted just to the internal IFIN-HH network.

Misconfiguration

First, the ELI-NP mail server was accepting forged envelope senders under the eli-np.ro domain, which is a misconfiguration problem; here is a transcript of the communication.

# telnet mail.eli-np.ro 25
Trying 194.102.58.7...
Connected to mail.eli-np.ro.
Escape character is '^]'.
220 mail.eli-np.ro ESMTP Postfix
ehlo mail.eli-np.ro
250-mail.eli-np.ro
250-PIPELINING
250-SIZE 50000000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <ticket258@eli-np.ro>
250 2.1.0 Ok
rcpt to: <...@yahoo.com>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Acesta este un mesaj fals trimis doar ca exemplu pentru rezolvarea tichetului #258.
.
250 2.0.0 Ok: queued as 06C9C40000FA1
QUIT
221 2.0.0 Bye

The transcript shows a connection to the eli-np.ro server made manually, where the client identifies itself as a sender under the eli-np.ro domain. The destination is set to some E-Mail address outside the ELI-NP network, at Yahoo. Finally, a body is added and the E-Mail is accepted for delivery to the Yahoo mail server. Note that the connection is made from outside ELI-NP and IFIN-HH, such that the former is possible without having to be within the institute's network, allowing anyone to perform this attack.

Plain-Text Mail Services

Finding the plaintext mail services is easy with a manual connection. Here is the plain POP3 connection:

# telnet mail.eli-np.ro 110
Trying 194.102.58.7...
Connected to mail.eli-np.ro.
Escape character is '^]'.
+OK Dovecot ready.

and here is the plain IMAP connection:

# telnet mail.eli-np.ro 143
Trying 194.102.58.7...
Connected to mail.eli-np.ro.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN
AUTH=LOGIN] Dovecot ready.

Note that whilst the IMAP service advertises STARTTLS, implying that "encryption is available", it turned out that the MTA decided that no encryption should be used, just due to the fact that the service is available over the plain IMAP port 143. Furthermore, note that the authentication scheme implies plaintext passwords via AUTH=PLAIN, which confirms that the data leak included the credentials of incoming connections.
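The captures that follow are in tcpdump's hex form, and the point of this section is that whatever crosses ports 143 and 110 can be read off the wire. As an added example (not code from the report or from IFIN-HH), here is a passive detector that a network monitor could run over such dumps to flag credentials sent in the clear: it reassembles each frame, walks the Ethernet/IPv4/TCP headers to the payload and matches IMAP LOGIN, IMAP AUTHENTICATE PLAIN and POP3 USER commands, reporting the username only. The sample dump it ships with is constructed, reusing the report's own made-up ticket258@eli-np.ro / PAROLAINCLAR account.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# A tcpdump packet: one "HH:MM:SS.uuuuuu IP ..." header line, then
# "0xNNNN: hhhh hhhh ... <ascii>" lines; the ascii column is ignored.
_PKT_HEADER = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP ")
_HEXLINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4}(?:\s+|$))+)")
# Credential-bearing commands. The password is deliberately never captured.
_IMAP_LOGIN = re.compile(rb'^\S+ LOGIN (?:"([^"]*)"|(\S+)) \S', re.I | re.M)
_IMAP_PLAIN = re.compile(rb"^\S+ AUTHENTICATE PLAIN ([A-Za-z0-9+/=]+)\r?$", re.I | re.M)
_POP_USER = re.compile(rb"^USER (\S+)\r?$", re.I | re.M)


def hexdump_to_frame(packet_text: str) -> bytes:
    """Reassemble one packet's raw bytes from its tcpdump hex lines."""
    raw = bytearray()
    for line in packet_text.splitlines():
        m = _HEXLINE.match(line)
        if m:
            raw += bytes.fromhex("".join(m.group(1).split()))
    return bytes(raw)


def tcp_segment(frame: bytes) -> Optional[Tuple[int, bytes]]:
    """(destination port, payload) of an Ethernet/IPv4/TCP frame, honouring
    the IP header length (IHL) and the TCP data offset; None otherwise."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:            # IPv4 carrying TCP only
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:int.from_bytes(ip[2:4], "big")]  # drop Ethernet padding
    data_offset = (tcp[12] >> 4) * 4
    return int.from_bytes(tcp[2:4], "big"), tcp[data_offset:]


def split_packets(dump: str) -> List[str]:
    """Cut a multi-packet dump into one text block per packet."""
    blocks: List[List[str]] = []
    for line in dump.splitlines():
        if _PKT_HEADER.match(line) or not blocks:
            blocks.append([])
        blocks[-1].append(line)
    return ["\n".join(b) for b in blocks]


def find_plaintext_logins(dump: str) -> List[Dict[str, object]]:
    """Report every username that crossed the wire in the clear."""
    findings: List[Dict[str, object]] = []

    def add(protocol: str, command: str, port: int, user: bytes) -> None:
        findings.append({"protocol": protocol, "command": command, "port": port,
                         "user": user.decode("utf-8", "replace")})

    for packet in split_packets(dump):
        seg = tcp_segment(hexdump_to_frame(packet))
        if seg is None:
            continue
        port, payload = seg
        for m in _IMAP_LOGIN.finditer(payload):
            add("imap", "LOGIN", port, m.group(1) if m.group(1) is not None else m.group(2))
        for m in _IMAP_PLAIN.finditer(payload):
            # SASL PLAIN initial response: authzid NUL authcid NUL password
            parts = base64.b64decode(m.group(1)).split(b"\0")
            add("imap", "AUTHENTICATE PLAIN", port, parts[1] if len(parts) >= 3 else parts[0])
        for m in _POP_USER.finditer(payload):
            add("pop3", "USER", port, m.group(1))
    return findings


def tcpdump_text(payload: bytes, src_port: int, dst_port: int) -> str:
    """Render a constructed client->server frame the way `t

cpdump -xx` prints
    it. Used only to build the constructed sample below; not a real capture."""
    total = 40 + len(payload)
    ip = bytes([0x45, 0, total >> 8, total & 0xFF, 0, 1, 0x40, 0, 64, 6, 0, 0])
    ip += bytes([10, 0, 0, 5]) + bytes([194, 102, 58, 7])  # constructed client -> mail.eli-np.ro
    tcp = src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")
    tcp += bytes([0, 0, 0, 1, 0, 0, 0, 1, 0x50, 0x18, 0, 0x73, 0, 0, 0, 0])  # seq, ack, PSH/ACK
    frame = bytes(12) + b"\x08\x00" + ip + tcp + payload  # zeroed MAC addresses
    lines = ["21:50:08.304497 IP constructed.%d > mail.eli-np.ro.%d: Flags [P.]" % (src_port, dst_port)]
    for off in range(0, len(frame), 16):
        chunk = frame[off:off + 16]
        lines.append("\t0x%04x:  %s" % (off, " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))))
    return "\n".join(lines)


# Constructed sample (not a real capture) using the report's made-up account.
SAMPLE_DUMP = "\n".join([
    tcpdump_text(b"a001 LOGIN ticket258@eli-np.ro PAROLAINCLAR\r\n", 14021, 143),
    tcpdump_text(b"USER ticket258@eli-np.ro\r\n", 14022, 110),
    tcpdump_text(b"a002 AUTHENTICATE PLAIN "
                 + base64.b64encode(b"\0ticket258@eli-np.ro\0PAROLAINCLAR") + b"\r\n", 14023, 143),
])
```

Feeding it the Dovecot greeting packet quoted in this section yields no finding, as expected: the server banner carries no credentials, only the advertisement of AUTH=PLAIN over the plaintext port.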

To check this, here is an intercepted communication between Microsoft Outlook and the ELI-NP plain IMAP server, showing the connection and the complete packet payloads, step by step, while configuring an account with various E-Mail clients. The username will be ticket258@eli-np.ro and the password PAROLAINCLAR; these will be used to set up the accounts on the ELI-NP mail server.

First, Outlook connects to the eli-np.ro plaintext IMAP service just like the manual connection, and the expected Dovecot feature advertisement payload is received:

21:50:08.217090 IP (tos 0x2,ECT(0), ttl 53, id 9086, offset 0, flags [DF], proto TCP (6), length 174)
mail.eli-np.ro.imap2 > REDACTAT.14021: Flags [P.], cksum 0x6de7 (correct), seq 124:258, ack 18, win 115, length 134
0x0000: 0401 b782 e601 5c45 2779 0330 0800 4502 ......\E'y.0..E.
0x0010: 00ae 237e 4000 3506 d89f c266 3a07 2e65 ..#~@.5....f:..e
0x0020: 1e58 008f 36c5 1fe9 493e dc7b f730 5018 .X..6...I>.{.0P.
0x0030: 0073 6de7 0000 2a20 4341 5041 4249 4c49 .sm...*.CAPABILI
0x0040: 5459 2049 4d41 5034 7265 7631 204c 4954 TY.IMAP4rev1.LIT
0x0050: 4552 414c 2b20 5341 534c 2d49 5220 4c4f ERAL+.SASL-IR.LO
0x0060: 4749 4e2d 5245 4645 5252 414c 5320 4944 GIN-REFERRALS.ID
0x0070: 2045 4e41 424c 4520 4944 4c45 2053 5441 .ENABLE.IDLE.STA
0x0080: 5254 544c 5320 4155 5448 3d50 4c41 494e RTTLS.AUTH=PLAIN
0x0090: 2041 5554 483d 4c4f 4749 4e0d 0a76 3867 .AUTH=LOGIN..v8g
0x00a0: 6b20 4f4b 2043 6170 6162 696c 6974 7920 k.OK.Capability.
0x00b0: 636f 6d70 6c65 7465 642e 0d0a completed...

Next, Outlook attempts to log in with the ticket258@eli-np.ro E-Mail, a made-up address used to fill out the setup wizard for an ELI-NP account:

21:50:08.304497 IP (tos 0x2,ECT(0), ttl 63, id 16152, offset 0, flags [DF], proto TCP (6), length 89)
REDACTAT.14021 > mail.eli-np.ro.imap2: Flags [P.], cksum 0xe1cc (correct), seq 18:67, ack 258, win 257, length 49
0x0000: 0000 5e00 0166 0401 b782 e601 0800 4502 ..^..f........E.
0x0010: 0059 3f18 4000 3f06 b35a 2e65 1e58 c266 .Y?.@.?..Z.e.X.f
0x0020: 3a07 36c5 008f dc7b f730 1fe9 49c4 5018 :.6....{.0..I.P.
0x0030: 0101 e1cc 0000 7638 346d 204c 4f47 494e ......v84m.LOGIN
0x0040: 2022 7469 636b 6574 3235 3840 656c 692d ."ticket258@eli-
0x0050: 6e70 2e72 6f22 2022 5041 524f 4c41 494e np.ro"."PAROLAIN
0x0060: 434c 4152 220d 0a CLAR"..

and, as claimed, the intercept contains the password PAROLAINCLAR in plaintext.

Here is the same attempt to set up an E-Mail account with the mail client on Android KitKat, using the made-up user ticket258@eli-np.ro and the password androidparola. First the Android mail client connects to the ELI-NP Dovecot plaintext IMAP service and the feature advertisement payload is received:

22:19:58.469461 IP (tos 0x0, ttl 255, id 29423, offset 0, flags [none], proto TCP (6), length 171)
mail.eli-np.ro.imap2 > REDACTAT.49064: Flags [P.], cksum 0xb0bc (correct), seq 124:255, ack 15, win 5826, length 131
0x0000: 4500 00ab 72ef 0000 ff06 9e50 c266 3a07 E...r......P.f:.
0x0010: ac10 018f 008f bfa8 65c1 7010 0f7d f40e ........e.p..}..
0x0020: 5018 16c2 b0bc 0000 2a20 4341 5041 4249 P.......*.CAPABI
0x0030: 4c49 5459 2049 4d41 5034 7265 7631 204c LITY.IMAP4rev1.L
0x0040: 4954 4552 414c 2b20 5341 534c 2d49 5220 ITERAL+.SASL-IR.
0x0050: 4c4f 4749 4e2d 5245 4645 5252 414c 5320 LOGIN-REFERRALS.
0x0060: 4944 2045 4e41 424c 4520 4944 4c45 2053 ID.ENABLE.IDLE.S
0x0070: 5441 5254 544c 5320 4155 5448 3d50 4c41 TARTTLS.AUTH=PLA
0x0080: 494e 2041 5554 483d 4c4f 4749 4e0d 0a31 IN.AUTH=LOGIN..1
0x0090: 204f 4b20 4361 7061 6269 6c69 7479 2063 .OK.Capability.c
0x00a0: 6f6d 706c 6574 6564 2e0d 0a ompleted...

Apparently, the Android mail client sends an IMAP ID command (the server answers with "* ID NIL"), which seems irrelevant, but it is part of the setup, so here it is:

22:19:58.497219 IP (tos 0x0, ttl 255, id 29424, offset 0, flags [none], proto TCP (6), length 40)
mail.eli-np.ro.imap2 > REDACTAT.49064: Flags [.], cksum 0x54ed (correct), seq 255, ack 206, win 5635, length 0
0x0000: 4500 0028 72f0 0000 ff06 9ed2 c266 3a07 E..(r........f:.
0x0010: ac10 018f 008f bfa8 65c1 7093 0f7d f4cd ........e.p..}..
0x0020: 5010 1603 54ed 0000 P...T...
22:19:58.621495 IP (tos 0x0, ttl 255, id 29425, offset 0, flags [none], proto TCP (6), length 70)
mail.eli-np.ro.imap2 > REDACTAT.49064: Flags [P.], cksum 0x6206 (correct), seq 255:285, ack 206, win 5635, length 30
0x0000: 4500 0046 72f1 0000 ff06 9eb3 c266 3a07 E..Fr........f:.
0x0010: ac10 018f 008f bfa8 65c1 7093 0f7d f4cd ........e.p..}..
0x0020: 5018 1603 6206 0000 2a20 4944 204e 494c P...b...*.ID.NIL
0x0030: 0d0a 3220 4f4b 2049 4420 636f 6d70 6c65 ..2.OK.ID.comple
0x0040: 7465 642e 0d0a ted...

and then finally a log-in is attempted in plaintext:

22:19:58.624632 IP (tos 0x0, ttl 63, id 7615, offset 0, flags [DF], proto TCP (6), length 85)
REDACTAT.49064 > mail.eli-np.ro.imap2: Flags [P.], cksum 0xeb8f (correct), seq 206:251, ack 285, win 65535, length 45
0x0000: 4500 0055 1dbf 4000 3f06 73d7 ac10 018f E..U..@.?.s.....
0x0010: c266 3a07 bfa8 008f 0f7d f4cd 65c1 70b1 .f:......}..e.p.
0x0020: 5018 ffff eb8f 0000 3320 4c4f 4749 4e20 P.......3.LOGIN.
0x0030: 7469 636b 6574 3235 3840 656c 692d 6e70 ticket258@eli-np
0x0040: 2e72 6f20 2261 6e64 726f 6964 7061 726f .ro."androidparo
0x0050: 6c61 220d 0a la"..

As can be observed, the password is transmitted in plaintext, which accounts for the leak of credentials.
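Two checks a defender would run on the findings above, as an added example that is not the page's or ELI-NP's own tooling: classify a pre-STARTTLS IMAP CAPABILITY banner, and recover a LOGIN sent in the clear from a tcpdump -X dump. The ELI-NP banner and the Outlook packet are copied from the transcripts on this page; the hardened banner is an assumed Dovecot reply with disable_plaintext_auth = yes.

```python
"""Added audit helpers for the plaintext IMAP findings above (not the page's own
tooling): judge a pre-STARTTLS IMAP CAPABILITY banner and pull a LOGIN sent in
the clear out of a tcpdump -X hex dump. Constructed/copied inputs are marked."""
import re

# Banner as printed by the telnet connection to port 143 on this page.
ELI_NP_BANNER = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE"
                 " IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
# Constructed banner of a Dovecot with disable_plaintext_auth = yes: RFC 3501 then
# requires LOGINDISABLED, and no AUTH= mechanism is offered before STARTTLS.
HARDENED_BANNER = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE"
                   " IDLE STARTTLS LOGINDISABLED] Dovecot ready.")

def classify_capability(banner: str) -> dict:
    """What a client on the unencrypted port may do, judged from the capabilities."""
    m = re.search(r"\[CAPABILITY ([^\]]+)\]", banner)
    caps = set(m.group(1).split()) if m else set()
    # AUTH=PLAIN and AUTH=LOGIN only base64-encode the password; that is not encryption.
    clear_mechs = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    return {
        "starttls_offered": "STARTTLS" in caps,
        # The LOGIN command is permitted unless LOGINDISABLED is advertised (RFC 3501).
        "plaintext_credentials_accepted": "LOGINDISABLED" not in caps or bool(clear_mechs),
        "plaintext_mechanisms": clear_mechs,
    }

HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*)$")

def tcpdump_payload(dump: str) -> bytes:
    """Rebuild one packet's raw bytes from tcpdump -X/-XX hex lines. Only the hex
    columns are used; link-layer and IP/TCP headers stay in the result unparsed."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # timestamp and flags lines carry no packet bytes
        for tok in m.group(1).split()[:8]:  # at most 8 two-byte groups per line
            if re.fullmatch(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}", tok):
                out += bytes.fromhex(tok)
            else:
                break  # reached the ASCII column of a short final line
    return bytes(out)

# Tag, LOGIN, then user and password as quoted strings or atoms; the IMAP literal
# form ({n}CRLF...) that some clients use is not handled here.
LOGIN_CMD = re.compile(rb"([A-Za-z0-9]+) LOGIN (\S+) (\S+)\r\n")

def find_plaintext_login(dump: str):
    """Return (tag, user, password) if the packet carries an IMAP LOGIN in the clear,
    else None. A production detector would log the user only, never the password."""
    m = LOGIN_CMD.search(tcpdump_payload(dump))
    if not m:
        return None
    return tuple(g.decode("ascii", "replace").strip('"') for g in m.groups())

# Outlook's LOGIN packet, copied from the capture on this page (made-up ticket account).
OUTLOOK_LOGIN_DUMP = """\
21:50:08.304497 IP (tos 0x2,ECT(0), ttl 63, id 16152, offset 0, flags [DF], proto TCP (6), length 89)
REDACTAT.14021 > mail.eli-np.ro.imap2: Flags [P.], cksum 0xe1cc (correct), seq 18:67, ack 258, win 257, length 49
0x0000: 0000 5e00 0166 0401 b782 e601 0800 4502 ..^..f........E.
0x0010: 0059 3f18 4000 3f06 b35a 2e65 1e58 c266 .Y?.@.?..Z.e.X.f
0x0020: 3a07 36c5 008f dc7b f730 1fe9 49c4 5018 :.6....{.0..I.P.
0x0030: 0101 e1cc 0000 7638 346d 204c 4f47 494e ......v84m.LOGIN
0x0040: 2022 7469 636b 6574 3235 3840 656c 692d ."ticket258@eli-
0x0050: 6e70 2e72 6f22 2022 5041 524f 4c41 494e np.ro"."PAROLAIN
0x0060: 434c 4152 220d 0a CLAR"..
"""

if __name__ == "__main__":
    for name, banner in (("eli-np", ELI_NP_BANNER), ("hardened", HARDENED_BANNER)):
        print(name, classify_capability(banner))
    print(find_plaintext_login(OUTLOOK_LOGIN_DUMP))  # ('v84m', 'ticket258@eli-np.ro', 'PAROLAINCLAR')
```

The same parser also handles the unquoted user form the Android client sends (tag "3 LOGIN ticket258@eli-np.ro ..." in the capture above).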

Conventionally, there is no separate setup step for the E-Mail body that would encrypt the body even though the credentials travel in plaintext. Looking at the misconfiguration example, the whole process of sending an E-Mail happens within the same session, so if the session is not encrypted then the body of the E-Mail is not encrypted either; it is therefore safe to assume that the E-Mail body is transmitted in plaintext. Furthermore, once the account is configured, E-Mail clients do not "re-evaluate" the cryptographic settings, since that decision is part of the account setup, so after the account has been configured all communication simply takes place unencrypted.

Interestingly, Apple Mail refused to set up an account using plaintext IMAP, whereas Android and Microsoft Outlook accepted the lack of encryption in the setup wizard without any complaint, even though users are not necessarily versed in determining whether that is acceptable. Apple instead adamantly refused, and even stated that it would not set up an account over an unencrypted session.

The impact is that the credentials and the E-Mail body would have leaked along the whole path from wherever a user accessed the ELI-NP server up to the ELI-NP server in Bucharest, Romania. At the very least, the E-Mail content and the credentials have to be considered compromised, so the users should be made aware in order to change their credentials and mitigate the leak of their correspondence. From the official data, the leak affects about 500 souls at the Extreme Light Infrastructure (ELI-NP) (500 being the "original number of employees when ELI-NP was founded" and probably not the actual number of employees when the leak took place in 2020), since receiving an official E-Mail address is part of the hiring process.

Reception

A data breach was filed with the E.U. E.D.P.S.; however, as former experiences confirm, the E.U. cannot be bothered and redirects the request to the Romanian data protection agency, the A.N.S.P.D.C.P. Given the sensitivity of this issue, the actual submission of the document is literally taped on the screen and then a follow-up E-Mail is sent to the A.N.S.P.D.C.P. in order to re-confirm that the issue has been filed with them. Curiously enough, the A.N.S.P.D.C.P. does not answer at all in this case, even though they typically just senselessly barf out the very same things that are requested of them, and, supposedly, the case "evaporates"? Mr. Zamfir, the CEO of the institute, is also made aware, along with Mr. Allen Weeks, neither of whom even bothers replying.

Weeks after, upon meeting actual staff at ELI-NP, the source asks whether they had been asked to change their password lately, but the staff that can be reached say that they have not. Similarly, the staff has not been warned about any potential leaks, so it seems that the leak was never announced and, in good Romanian tradition, swept under the rug with the help of the proverbial Molvanian 34 different Romanian "security services". Ultimately, a few months later (unsure), Mr. Mihnea Dulea pulls a "Vladimir Putin" move, giving up the leadership of the DFCTI while a "junior" researcher (comparing titles, CP1 vs. CP3, not results) is made head of the DFCTI and Mr. Dulea becomes merely part of the "research staff". However, the same staff is still there in the very same positions, without any serious restructuring to be seen and with the same ties between people maintained.

Again, the point has to be made that most of this springs just from malice, without any of this being merely "accidents", and that most of the people in such cases participate willfully based upon their own choices and are not coerced to participate if they have different opinions. The other witnessing of the behaviors at the DFCTI IFIN-HH, in particular the harassment of several colleagues, is definitely at the very least an "optional participation", and if anyone disagrees they have plenty of measures at their disposal, from complaining like the source up to resigning or finding a different job. Even attempting to defend the people that were harassed by the staff led to people answering with attitudes along the lines of "are you in love with them?" (apparently, this seems to be something common in Romanian workplaces, as we have been told). Given the setup, it seems trivial to explain why it often comes to tragedies, as a response perhaps, to publications within the Romanian press regarding the abuse of individuals - well, no, it is clearly not the fault of "evil corporations", but rather bad management, nepotism, false values and the overreaching arm of an obese government. Obviously, the fact that individuals have connections to the Italian mafias, are known to have had parents that dealt with selling heavy machinery to Arabic countries during communism, and have reached into institutions such as Max Planck, Cambridge and others whilst having a very shaky basis of knowledge, only amplifies a bad situation.
For example, there have been publications, mainly started by Romanian citizens publishing via Cambridge in the United Kingdom, regarding some sort of alleged "anti-Romanian sentiment", and as a parallel, if you will, traditionally it is not nice to berate former colleagues because it is not done; however, that does not account for the colleagues themselves being willful participants in and contributors to a racket that drives other colleagues to suicide (with official cases). In other words, very similarly to the "anti-Romanian sentiment" publications, Romanians try to "escape" judgement this way, by claiming some sort of racism, but it is only really used to wash over such incidents that carry on wildly within Romanian institutions. An uninformed reader could look up the "anti-Romanian sentiment" and even feel aggrieved that "there is so much racism" when, in fact, these publications are really just used as a cover to censor the truth about Romanian society.

After contacting Mr. Stefan Lüeders at CERN regarding these misbehaviors (technically speaking, by the job description, a colleague), Mr. Lüeders chose to try and get the source to dox one individual, tried to apply pressure by CC-ing the main lawyer at CERN, Mr. Jonathan Drakeford, and was terribly undignified when it was explained to him that, regardless of whether he claims that he is not obliged to tell the source the results of an investigation, CERN and even IFIN-HH or ELI-NP are public institutions running on public funding, such that their obligation is to the tax payer first.

Being snarky at the press, maybe out of some form of misunderstood entitlement, just does not uphold any case for censorship and lack of statements ("no comment" works fine, it is still a statement!) from a public institution. However, that seems to be a more widespread European problem where, in spite of institutions being financed by public money or even themselves granting rights, whenever those rights are claimed by an individual, the individual claiming the rights is met by some sort of misplaced "entitlement", as if the European Community were not subject to its own rules or were absolved of responsibility.

Of course this exceeds the case involving Mr. Lüeders and another member of staff, yet it should be spelled out. On this matter, the source "mistakenly" contacted some British organization regarding the case, and even though the source was told that they do not deal with the IFIN-HH, even though they are cited, they did thank the source for bringing the affair to their attention - which, at the very least, makes it clear that these cases do not travel outbound out of Romania and that surely some random citizen in a different country would be shocked to find out what they are contributing money to. Not only that, but these structures would be taken aback when exposed, as if there should be some out-of-this-world, or rather religious, blessing bestowed upon them, and that for whatever reason gross mismanagement ending up with real victims should be covered up. Less so, it is pretty funny how quickly these individuals seem entitled to tax payer money, as if receiving payments were some (even) religiously justified state of affairs (or see Varoufakis' statement on feudalism and capitalism), all being granted regardless of whether they provide a service or not.

It is beyond our capabilities to investigate, but it seems a solid argument that the ties between CERN and IFIN-HH are established on political grounds rather than (even) trust, such that it makes one wonder how bad a case must get for the larger institute, say CERN or the European Community, to have to step in and take measures by force. For example, in one of the sister-departments of the DFCTI, one person actually attempted suicide at work, and from what we know, not much of a settlement had been met, with the same observations that are made in this case where the staff is still there years after and even making bank. Would pedophilia be good grounds for intervention, how about genocide and/or witnessed homicide, or maybe this case involving mass leaks is sufficient? We are fully aware that the European Community is batch-copying the United States, not only in structure but also, funnily, in port and language, but needless to say, plastering Mr. Edward Snowden's face all over European Union pages on whistle-blowing and the bad-evil hackers, but then turning down a 500 person data leak, does invalidate their concerns on being hacked by the U.S. - surely, "they'd care if they care", for lack of a better emphasis of a double standard. Perhaps the U.S.A. should also provide hints to the EU about which hacker they should be upset about and when, even if the U.S. hacked them initially? Or perhaps the source should wear a suit and tie, as it is somehow traditional on the Eastern side of the Berlin wall, because without a suit and tie facts have no value? Contrary to Mr. Dulea's slander, the source claims they are not seeking any sort of "attention" but that they are more "amazed" by the complete lack of response (in terms of actual measures) from any of these institutions whose profile matches the case very closely, with pursuing these cases further being fueled more by exactly that amazement, rather than "being a wannabe hero" - after all, the first time Mr. Lüeders asked the source to divulge the identity of the people involved, the source told Mr. Lüeders that it is their opinion that the IFIN-HH should be razed to the ground and that instead of institutes there should be saloons made for cool people such as the source to, well, tan their balls.

Departing from the case by far, and involving all the other cases, in such a context where all these EU checks and measures and institutions just exist "prophylactically", it makes quite a lot of sense that tragedies can happen at any time. Ultimately, the source "discovered" the breach, please bear that in mind, but someone with ill intentions would maybe not have pushed for a resolution, but perhaps even monetized the opportunity in the off-hours. Similarly, you can realize that someone with ill intentions could have dealt a lot of damage, with these institutions being careless in the very same way, if petitioned by someone else. It reminds one of the many tragedies that have appeared in the press either regarding Romania, the EU or geographic Europe in general, where apparently a foreign force can just waltz in and do whatever they like, with the said institutions just playing patty-cake with the responsibility. Nevertheless, more than other cases, this case demonstrates the complicity of the European Union in such matters: the EU loves to claim how they do not intervene and puts up the strawman argument about sovereignty, however the EU does not hesitate to finance these institutions via European projects, to name one example, which is probably the main financing backing the IFIN-HH (the source claims that at some point the IFIN-HH did not even have the money to pay wages). In this sense, the effect of the EU "intervening" is immediately observable, with the people responsible still being employed and with these issues going not only unsanctioned but also unaddressed (because it is highly unlikely that the "manners" would have drastically changed given the exact same staff within the department).
What is extremely ironic is that, upon contacting various institutions, the source was asked by a European institution (that will remain unnamed, obviously, because it at least has a shimmer of being functional, such that divulging its name would not be wise) to file a complaint with The European Anti-Fraud Agency (OLAF) and then to let them know what OLAF answered. Here is the response from OLAF:

most of which is just closely compacted stupidity, for the following reasons:

  • the usual EU institution-wide behavior of ritualistically self-stroking their own ego by enumerating what they are meant to do, but without much of a tangent to the case at hand, with the whole blurb of text pertaining to that sounding more like an "Eat at Joe's" advert,
  • actually expecting the person filing the complaint to literally hand them numerical E.U. project values written on European funding dossiers that sustain the IFIN-HH and, in context, ELI-NP, as if the source were expected to follow up with the raging individual responsible for the leak in the first place, Mr. Mihnea Dulea, on whether he would like to provide dossier numbers in order to be reported to OLAF,
  • followed by more advertisement and other webpages littered with self-advertisement, bold claims, etc.

The response was handed back to the institute that asked for the complaint to be filed with OLAF and the source moved on.

To close this chapter, let's just say that the source had other "receptions", involving near-death experiences, which, in context, it would just be too naive to consider incidental rather than planned as a response to the former. Maybe the EU can assassinate the whistleblowers for daring to inform / help them? Then again, with such a huge octopus as the EU, it is no wonder that no measures are taken due to political interests. Otherwise, we heard that it is a journalist's highest honor to have an assassination attempt on record by the C.I.A., but even if that were true, we're doing things ass-backwards here, with the information getting out only after the assassination attempt took place (which is convenient). To some degree, the authoritarian shift on the planet seems to have these cases as good justification, because it is clear that there is a wide range of people in the wrong here, such that the only other option for the people responsible to keep themselves in power is to just carry out summary executions of the whistleblowers, because in the event that any of this is brought to justice, most of these people would have to be behind bars. Obviously, that will not happen and, just like other Romanian atrocities, the population will be persecuted until, hopefully, the source dies and the matter can be brushed over (or, like a war so-very-conveniently broke out just after COVID, only to keep the people in charge extremely busy).

A More Ample Outlook

A part of the lack of reaction from people is due to Romania not being the kind of nation that is proficient with computers; traditionally Romanians do not or cannot understand computing very well, with most of the "security" that Romania would have ever provided being more along the lines of "espionage" rather than security (i.e. placing a camera in an employee's office, or harassing individuals with loud noises and breaking the law themselves in the process, contrasted to, say, being able to investigate a leak, even if the expertise required to debug something as trivial as IMAP or POP is a very low bar compared to other computing primitives). This is most of what ensued, as is traditionally Romanian, with noisy neighbors trying to harass the source / whistleblower, the police paying visits to ask about random stuff, and the typical East-German Stasi measures that any old-timer could recount. Even the source's lawyer explained to the source, after being shown the material of the cars, the flag and the rest, that this is just typical of "filaje", which are part of, to use a quick term, sting operations carried out by the Romanian security services. Unfortunately, having the population ill-informed of their rights and keeping them in the dark with censorship and fear also works for the people that know about the leak, such as Mr. Nicolae Victor Zamfir, Mr. Mihai Ciubancan or Mr. Nicolae Vasile, all of whom were very well aware and decided to shut down the ticket as fast as possible, with Mr. Dulea sending various threats on tangential subjects that he just had to wait with, instead of letting it out later, until "a data leak occurred".

On a broader outlook though, it is somehow fortunate that Romanians have little capabilities, and even the source stated during the interview with us that they will never ever be teaching or providing any sort of technology to Romania or Romanians in general. The problem is that it is unsure whether the technology provided by, say, NATO or other espionage agencies that are now allied with Romania will not be co-opted and then recycled in order to be used to strike at the population at large, rather than, say, used to determine whether a fire would occur at the Colectiv club. It is clear that the Romanians dispose of plenty of assets, given how this case was approached, and that those assets were made to work against the source, either to discredit them, or worse. If you would like a comparison to modern times, the Russian and Ukrainian conflict leads to, say, tertiary issues where news outlets have reported that over 40% of the weaponry has gone "amiss", such that you now have high-tech weaponry floating around the planet that might end up in the hands of … well, people with little accounting for, such as kingpins and gangbangers in tribal republics. That being said, Romania is still highly tribal itself and has clearly demonstrated a war upon its citizens, even with famous press writing about the security services wrestling with its own citizens, such that it can only be described as a relief that Romania and Romanians are still very much primitive on the technological side, with keeping Romania that way being more of a moral obligation. Quite frankly, it is even unsettling that Romania has such a large representation at NATO, given that the mean average "opinion" of "the people" runs along the notion of "the end justifies the means". Ultimately, you are inviting people that want to cover up what happened at the death camps of the Danube-Black Sea communist initiative to advise on matters of "security" (wait, what?) and then wondering why your group or alliance is turning into a fascist force. Or, as the saying goes, "you are what you eat".


private_investigations/the_eli-np_data_leak.txt · Last modified: 2024/10/07 20:22 by office
