"The European Commission today signed the contract for a Public-Private Partnership (PPP) with the European Cyber Security Organisation (ECSO) ASBL for a strategic alliance in cybersecurity. The EU will invest €450 million in this partnership under its research and innovation (R&I) programme H2020. In return, each euro of public funding is expected to trigger additional investments of three or more Euro by the cybersecurity market players represented by ECSO. In total, this partnership on cybersecurity is expected to raise around €1.8 billion of investment by 2020 and with this, develop innovative and trusted cybersecurity solutions, products and services in Europe."
-------- Forwarded Message --------
Subject: The EU and our cyber 'security' future. Dirty deals?
Date: Aug 2016
Philipp.Seibt@spiegel.de,
Hello Philipp and Alexander,
We have sent a letter to Günther Oettinger, informing him that the (PPP)
deal with commercial organizations will only lead to more problems
instead of a decent solution to the 'cyber security' issues. Because the
commercial organizations benefit too much from selling even more
products and outsource- & support- contracts (= keeping the problem
alive), instead of just fixing the problem once and for all.
So there is an elementary conflict of interest!
We have also informed him that a rather simple method exists which
eliminates root causes, instead of continuing their rat race with more
and more insufficient, expensive and complexity increasing product$ with
endless patches and updates.
It seems like the deal between Günther and Luigi (THALES) & Co. is at
the expense of the common people (their security & privacy rights, and
their tax money) in the E.U. countries. That deal is something that
seems to prevent Günther (the E.U.) from even wanting to consider
a proven to be far more functional, simple solution!
There has been no response at all from his office :(
[which was kind of expected after reading your article about their preference to /deal/ with
commercial 'friends' rather than using common sense and decency]
It's easy to prove that ecs-org.eu is a scam (and ENISA incompetent),
by showing that their own security and privacy protection is negligently
inadequate. They really don't care about 'security', so much so that
they don't even try to use the simple well-known top 5 protection
measures, and are also violating privacy protection laws, etc.
..With a few basic questions one should be able to get Luigi to confess,
to get a nice expressive quote ;-)
Kind regards,
*
---
www.spiegel.de/wirtschaft/soziales/guenther-oettinger-und-lobbyismus-eu-kommissar-trifft-selten-ngos-a-1040147.html
www.europa.eu/rapid/press-release_IP-16-2321_en.htm
!! www.linkedin.com/in/luigi-rebuffi-90a439b0
https://web.archive.org/web/20170408084356/http://ecs-org.eu/news/ecso-ec-contract-signature
www.ecs-org.eu/documents/ecso-membership-form.docx
=> www.ec.europa.eu/avservices/photo/photoByReportage.cfm?ref=032087&sitelang=en
-------- Forwarded Messages --------
On 08/18/2016 18:02, Luigi Rebuffi wrote:
>> I got also your comment from the "info" mail.
>>
>> Until now we (as EOS and ECSO) have nothing to "hide" in our website
>> and server, therefore, security measures are reduced to a minimum.
>>
>> In the past we had only one hacker attack at the EOS website, that
>> lasted for a few hours and then disappeared, just to test the "security"
>> of a "security organisation".
>>
>> When we have created ECSO, ANSSI (the French cyber agency) made a
>> pentest and found the weakness of our site. The answer was the same as
>> for you. No need for the moment to raise our level and invest money
>> when not needed.
>>
>> I know that there could be some hacker having fun in disrupting our
>> site and degrading our image, but this is not a problem for the moment.
>> We have to be as transparent as possible.
>>
>> Yet, I was thinking during my vacation that something more will be done
>> in the future for the protection of certain topics, like the database
>> and the intranet. It is my intention to discuss with friends (white hat
>> hackers) and see what could be done for our website and some exposed
>> computers.
>>
>> Regards
>>
>> L.R.
>>
>
>
> ----
> Thanks for your message.
> I am on summer vacations. I'll come back on August 24th.
>
> In the meantime I'll try to read my mails and reply as best and as fast
> as possible.
>
> In case of urgent need, please contact my assistant, Nadège
> nadege.grard@eos-eu.com
>
>
> Regards
> L.Rebuffi
-------- Forwarded Messages --------
Subject: Re: ECSO membership . versus EU: IP-16-2321
Date: Thu, 18 Aug 2016
To: Luigi Rebuffi <luigi.rebuffi@eos-eu.com>
CC: president.juncker@ec.europa.eu
CC: GUENTHER-OETTINGER-CONTACT@ec.europa.eu
CC: marietje.schaake@europarl.europa.eu
Dearest vacationing Luigi,
[Excuse the use of some sarcasm, it seems to fit a gap between what is
stated by ECSO & Co and what is actually observed.]
It seems rather odd or naive to use the "nothing to hide" argument, when
website defacement of 'security' organizations is well documented as a
reputation Terminator. But maybe ECSO/EOS doesn't care much about its
reputation, when the money contract has already been signed with the EU?
> "I know that there could be some hacker having fun in disrupting our
site and degrading our image, but this is not a problem for the moment."
Besides that, I think that you would mind if someone else would get
access and for instance send a malicious email to all registered contact
persons of all those member organizations/companies. Or would change one
of the (insecure and info leaking) download PDF documents (for using the
RSA hack method). To just name some age old attack vectors.
Even if one somehow chooses to accept those risks, one still has to act
as an Example of how to do it right, or not??
If you really believe the "nothing to hide" argument, why did ANSSI (the
French cyber agency) do a penetration test?
And how can you talk about "and found The weakness of our site", when
there are at least 8 major and about 20-odd minor possible paths visible,
for just ECSO? (excluding all those in relation to EOS), like the
www.eos-eu.com/default.aspx?page=memarea , which even joyfully helps
hackers find valid registered users.
The ECSO systems don't even seem to be protected against child's play
1990's vectors.
Besides that, 'pen-tests' are known to be rather useless because they
(A) depend on the skill and allocated time the specific tester has (most
testers are not very skilled these days, having just done a child's play
CEH certification, and normally get too little time especially in
comparison to actual hackers). And (B), if a random pen-tester doesn't
manage to get 'in' today, that doesn't mean that a pimple-faced bored
schoolkid can't find a way to mess with the infrastructure tomorrow. So..
IMHO, pen-tests are yet another commercial smoke-and-mirrors product.
Yet one more odd or naive argument in our eyes: "No need for the moment
to raise our level and invest money when not needed."
No money investment is needed, in fact it would save you some money if
you would choose the correct (instead of the lazy) setup for your web,
email, client, legal, etc. structure.
A little caring/effort would also have enabled your organisation to
comply with privacy laws, which you are at the moment violating in
several ways. Even after the EU and Court of Justice of the European
Union have released clear statements about why and how to comply, some time ago.
Can you explain what you mean with the "We have to be as transparent as possible." argument?
I suppose it doesn't mean that everybody may read all your work emails
and analyze the web access statistics for possible easy govt attack
victims by looking for their outdated (vulnerable) browser & OS & email
client identification strings. So what do you want to be public (transparent) and what not?
> "It is my intention to discuss with friends (white hat hackers) and
see what could be done"
*sigh*
Here we are, offering a simple cost saving method to get the protection to an
adequate level within 3 years, and instead of even asking what that entails... you
chose to completely ignore the offer and state that you are thinking
about asking 'Hackers' instead. Maybe you missed the security-101
seminar, but 'Hackers' know about breaking weakest link things, and
Information Protection Specialists know more about how to prevent those
white/grey/black-hat hackers from even finding any weak links.
My educated guess is that the EU Commission <=*=> ECSO deal is all just
about dancing with $$ 'friends', instead of the proclaimed "A partnership for cyber security in Europe.
Building together a European cyber ecosystem"
# We would like to invite you to prove the opposite
But don't feel obliged to prove anything.. it's just that only 10% of
the funds stated as pre-allocated in IP-16-2321 would be more than
sufficient to get the cyber-security to an adequate level in the willing
EU member states within just 2..3 years. And that would be the honorable
choice when dealing with all those citizens' data & critical-infra protection needs.
That's all.
* It is up to you (& Günther) to choose a hat for the next few years.
ec.europa.eu/avservices/photo/photoDetails.cfm?sitelang=en&ref=032087#3
Best regards,
*
----#
> Your message
>
> To: CAB GUENTHER OETTINGER CONTACT
> Subject: Re: ECSO membership . versus EU: IP-16-2321
> Sent: 19 August 2016
>
> was read on 19 August 2016 16:02:07 (UTC+01:00) Brussels, Copenhagen,
> Madrid, Paris.
>
>
> Final-recipient: RFC822; GUENTHER-OETTINGER-CONTACT@ec.europa.eu
> Disposition: automatic-action/MDN-sent-automatically; displayed