Dutch journalist gatecrashes EU defence video conference (opens in new tab)

this should require something more than a URL, even a skype meeting would be more secure.

FatalLogic5y ago

If he joined the video conference to watch and listen, but just sent a blank screen video, or maybe a freeze frame of an empty chair, would anyone have noticed?

snypher5y ago

I remember being in voice chat for a space spreadsheet game [0] and hearing the 'ding' for a new user joining the channel. Everyone knew to stop taking lest a spy discover where our fleet was. I really hope there's a similar reaction in these chats!

[0]eve-online.com

bserge5y ago

Corporation and guild leaders really should put that on their CVs, it's literally management experience!

https://www.cnn.com/2013/10/23/us/air-force-nuclear-silo-doo...

zaroth5y ago

I think they should be a lot more concerned about the people recording the meeting who don't show up on the attendee list, than of the people who show up and wave in front of the camera.

pkz5y ago

The conference chair couldn't help giggling. What was it he said? "Hey you better hang up before the police arrives"?

jariel5y ago

It's very serious stuff, it's not funny.

Someone leaves their doors unlocked it doesn't mean you should be entering.

More importantly, how on bloody earth are defence discussions happening in a situation that can so easily be defeated.

The officials themselves are to blame for blatantly terrible security protocols.

curiousllama5y ago

> Someone leaves their doors unlocked it doesn't mean you should be entering.

Yea, well, it's a useful function of journalism to poke their head in open doors and say "you're doing _WHAT_ in here?!"

I slot this in alongside the time US nuclear missile officers were found asleep, with the door open waiting for takeout - simultaneously seriously disturbing and quite funny.

numpad05y ago

Someone leaves door unlocked means you must enter one step and scream out loud before criminals come and trigger a global thermonuclear war. That’s basic ethics for software engineers.

mekkkkkk5y ago

This is by far the most effective way to make sure said door is locked in the future. This guy deserves a reward.

0dmethz5y ago

I think it's better to have a journalist step in and warn you about your door being open, rather than having someone with bad intentions sneak in, don't you think?

rosmax_13375y ago

They're laughing right now, but really these kinds of mistakes are telling how weak the security of various agencies are.

fakedang5y ago

EU militaries are a joke tbf. Apart from France and (formerly) the UK, most of them can't do shit except sell firearms to Arab despots. I think someone from Romania here mentioned that they trust the US to protect them more than they trust France or Germany.

mschuster915y ago

German here, you're right. The biggest part of the problem is that historically there are only three superpowers in the EU - France, UK and Germany. The UK is gone off the rails, the French can't pick up the slack for everyone else alone and us Germans are (out of very valid historical concern) extremely wary of pulling our weight on the international stage.

Add to this that the EU is corrosively fractured, nowhere near as coherent as the US. We're no match, hell (thanks to the Brits) the EU doesn't even have a Foreign Minister, and the effective veto power of even a super tiny nation doesn't make it any easier.

rgblambda5y ago

If the EU is to become independent from the US as Macron wants it to, then that's going to have to change.

vagrantJin5y ago

As a bloc, I don't think EU had much of a choice. US had them on tight leash until DJT came through and force thenm to consider protecting themselves.

To think DJT has woken up the EU from their decades long slumber is incredible.

curiousllama5y ago

Note that there are different levels of "secret" when it comes to this stuff. Given the size of that meeting (20+ people) and the reaction, I'd be surprised if the topic matter was more secret than how much the defense agencies pay their employees - secret, no doubt, but not exactly the nuclear launch codes.

estaseuropano5y ago

Indeed this was a ministerial level conference, the prep meetings are probably more secure and no one would be stupid enough there to share screenshots.

At least since Snowden EU leaders probably always assume that someone is listening in. NSA and GHQ had breached Belgacom (Belgian former telecoms monopoly) to listen in on the EU.

kyriakos5y ago

Its amazing how well they took it, laughing and all

fakedang5y ago

Probably because they secretly knew that if word gets out real fast (which it won't because it'll controlled by them), they'll all be booted from office.

Sure word got out, but it need not reach most of the populace.

rebuilder5y ago

This is on BBC.com's frontpage.

pjc505y ago

Nobody cares about trivia like this when it comes to elections.

aequitas5y ago

I wonder, I he was sitting in a suit and in a room with some flags behind him (not in his shirt in an ordinary office) if anyone would have even noticed he was intruding on their conference. They laugh it off now because he doesn't fit in.

bouk5y ago

Probably if he didn't turn on his camera then nobody would've noticed at all.

andrepd5y ago

This is profoundly depressing. The fact that an EU defence conference is being held... on Zoom, is truly a microcosm of what has been the strategic policy of the EU for the past 20-30 years. We have sold off our independence, out advantages economic and otherwise, for pennies. For minuscule short-term gains, we have sold off our industry, our tech, to a hostile and totalitarian government. Well when I say "we" I mean private enterprise, but also the governments who were supposed to be raking in (though as one German economist said, government and private enterprise are pretty much one and the same).

It will come soon a time (in fact, it's pretty much here already) where China calls the shots over us. "Obey, or no microchips for you. In fact, no manufacturing of any kind." Thoroughly depressing.

kyriakos5y ago

thats not zoom, its Pexip

https://www.pexip.com/

Moodles5y ago

The Zoom security debate has been hashed to death on HN lately, but Webex for example patched some RCEs only a couple weeks ago. I’m not fully convinced Zoom is objectively less secure than all the other alternatives these days. They just get a lot more attention for it.

Besides, if the EU defence conference had an open URL or weak password that issue would apply regardless of Zoom, Webex, etc.

rscho5y ago

The point of GP is that Zoom is american software, regardless of any particular issue related to the app itself. Which IMO, is a very crucial point.

A EU security conference should use EU software, and as little foreign stuff as possible. Otherwise, it's just theater (and it currently really is just that!).

jankotek5y ago

But it should not matter how secure chatting software is. This sort of stuff should be on offline VPM, separated from normal internet. If officials are using their personal devices for this....

john_minsk5y ago

It is not that simple. The minute China does it - they stand alone. The whole premise of outsourcing manufacturing to China will die. No one will trust them to do it. In my opinion they won’t do it

ben_w5y ago

With ~20% of the world’s population, more than the entire combined population of the G7, they might be able to stand alone.

They may not explicitly desire standing alone, but I wouldn’t bet against them deciding that’s the better option, nor would I bet against them using or threatening to use their manufacturing capability to put pressure on certain policy objectives. It’s not like other countries don’t use economic impact as a carrot/stick to achieve policy objectives.

toyg5y ago

The setup of China being the world’s workshop is temporary. Chinese leadership is using foreign capital to bootstrap their internal market. They will be self-sufficient in less than a generation.

AsyncAwait5y ago

> It will come soon a time (in fact, it's pretty much here already) where China calls the shots over us.

The U.S. already does that. Why is that any better?

throwaway1892625y ago

If china bullies too much the US and Europe will ally together against them.

The difference between the US and China's government is that almost nobody likes China. The US, at least before recent political developments, tries to make sure that agreements benefit both sides.

The US is also a democracy that respects freedom of the press and human rights to a degree. China doesn't give a shit about any of that.

smabie5y ago

Would you rather have the US tell you what to do or China?

dba7dba5y ago

One of the ways China managed to hack into America's F35 (or F22) fighter development program was listening into a conference call of various vendors discussing project status.

0dmethz5y ago

Of course they respond with the obligatory "we'll report this to the authorities", rather than "thank you for pointing this out in a harmless way we'll do better".

curiousllama5y ago

It was humor... The "threatener" was laughing, the audience was laughing, and the journalist laughed too.

Probably the best response you can hope for in the moment.

agilob5y ago

Hmmmm

>The meeting was ended due to the breach, while a Foreign Affairs Council spokesman told RTL: "Such a breach is illegal and will be reported to the authorities."

xuhu5y ago

The journalist was laughing, but the foreign policy chief just got painted as an emperor without clothes.

And the foreign policy chief was laughing, but I bet he was asking himself "who do I send over there to stop them" while trying to maintain the laughing face.

inglor_cz5y ago

Yeah, the problem with online meetings is that someone else might be taking part as well, unseen and unheard.

Does not matter as much if you discuss reconstruction of a mountain hut, matters a lot in defence, espionage or diplomacy.

praptak5y ago

Not sure how confidential that conference was but I'd imagine these use at least a 2FA dongle to authenticate. This is surprising.

pkz5y ago

It was a six-digit pin of which 5 digits were accidentally shown in a tweet from the Dutch Defence Minister Ank Bijleveld.

pkz5y ago

Had the laptop had a 15 inch screen it would likely have shown the entire URL including the full PIN code. Also visible in the screen are bookmarks to Netflix and what looks like barber shop music. Also a Gmail tab open. Did now know defense ministers were using Gmail on official hardware...

rapnie5y ago

Everyone and their mother uses Google services for their personal and/or confidential stuff, going from blind faith or just never thinking about it. After all it is good old Google, not some large surveillance capitalist.. Oh wait.

claudex5y ago

Some sources said they will hold off further meetings until the security is improved.

j00575y ago

You'd imagine, but this conference software apparently only requires a pin that's visible as a GET parameter in the URL. I don't think you can blame the users for posting a screen shot.

claudex5y ago

In this case, you can blame the user. They are the minister of defense, they can (and should) request an audit for the conference system they use. Personally, I think that they didn't want a more secure system like 2FA because it's not convenient for them.

jakub_g5y ago

Zoom introduced meeting passwords a few months ago after similar issues to prevent randos joining meetings by guessing short meeting IDs. But there's a tradeoff between security and usability so they accept passwords as a param in URL, which for 95% cases is a good tradeoff (for example Outlook Zoom plugin generates the URL with password directly in meeting invites). Most people don't live-share their super secret in-progress meeting IDs and passwords on Twitter. Probably more people share their CC number or boarding passes on instagram each day.

However what Zoom and other conf tools could do is that they could read the password from the URL and then use `history.pushState()` DOM API to replace the URL and erase the password once the meeting is launched.

Downside would be though users wouldn't be able anymore to just copy the URL from browser's URL bar and send to other people to join.

tdons5y ago

What's more depressing is that this official has GMail open. How ridiculous is that? Which defense minister outside of the USA uses Google Mail? After Snowden, really?

I want to facepalm so hard right now.

hawk_5y ago

Unfortunately the bureaucrats still go through dated curriculum to get where they are and there no incentives to keep up with the times, technology or otherwise. These same people decide on the criteria for the incoming class and the vicious cycle goes on.

toyg5y ago

Let’s be fair: many of these “bureaucrats” went to school when the modern internet didn’t exist. I’m in my early 40s and lived “the new economy” in my teenage years, most 50+ people would have no real familiarity with this sort of tech. Conversely, a lot of under-40 politicians and bureaucrats do grasp the internet - sometimes unfortunately so, considering they can be among the strongest supporters of draconian censorship.

bserge5y ago

And these are the people pushing for laws around encryption. They have no idea what they're doing. In fact, that's really odd - you'd think that by now, tech-competent people would be in positions of power. Why aren't they?

https://pbs.twimg.com/media/EnRlaFeWMAQzyIS?format=jpg

EU has no defense anyway so this is not entirely disastrous, though still very unacceptable.

j / k navigate · click thread line to collapse

90 comments

FatalLogic5y ago

According to a screenshot that the journalist posted on Twitter, it appears like the video conference session is browser-based, and the pin and username are in the browser URL in plaintext.

So then if you can see anyone's screen, or any clear photo of it, you can easily join the conference. Seems like very poor security design if that's so

The software URL format looks similar to that used by Pexip.com

justinclift5y ago

Well, the page title in that video says "Consolium Videoconferencing", so it's probably something by this company:

https://consiliuminc.com

Maybe this?

https://consiliuminc.com/product/UniVCX-video-customer-exper...

this should require something more than a URL, even a skype meeting would be more secure.

FatalLogic5y ago

If he joined the video conference to watch and listen, but just sent a blank screen video, or maybe a freeze frame of an empty chair, would anyone have noticed?

snypher5y ago

[0]eve-online.com

bserge5y ago

Corporation and guild leaders really should put that on their CVs, it's literally management experience!

https://www.cnn.com/2013/10/23/us/air-force-nuclear-silo-doo...

zaroth5y ago

I think they should be a lot more concerned about the people recording the meeting who don't show up on the attendee list, than of the people who show up and wave in front of the camera.

pkz5y ago

The conference chair couldn't help giggling. What was it he said? "Hey you better hang up before the police arrives"?

jariel5y ago

It's very serious stuff, it's not funny.

Someone leaves their doors unlocked it doesn't mean you should be entering.

More importantly, how on bloody earth are defence discussions happening in a situation that can so easily be defeated.

The officials themselves are to blame for blatantly terrible security protocols.

curiousllama5y ago

> Someone leaves their doors unlocked it doesn't mean you should be entering.

Yea, well, it's a useful function of journalism to poke their head in open doors and say "you're doing _WHAT_ in here?!"

I slot this in alongside the time US nuclear missile officers were found asleep, with the door open waiting for takeout - simultaneously seriously disturbing and quite funny.

numpad05y ago

Someone leaves door unlocked means you must enter one step and scream out loud before criminals come and trigger a global thermonuclear war. That’s basic ethics for software engineers.

mekkkkkk5y ago

This is by far the most effective way to make sure said door is locked in the future. This guy deserves a reward.

0dmethz5y ago

I think it's better to have a journalist step in and warn you about your door being open, rather than having someone with bad intentions sneak in, don't you think?

rosmax_13375y ago

They're laughing right now, but really these kinds of mistakes are telling how weak the security of various agencies are.

fakedang5y ago

mschuster915y ago

rgblambda5y ago

If the EU is to become independent from the US as Macron wants it to, then that's going to have to change.

vagrantJin5y ago

As a bloc, I don't think EU had much of a choice. US had them on tight leash until DJT came through and force thenm to consider protecting themselves.

To think DJT has woken up the EU from their decades long slumber is incredible.

curiousllama5y ago

estaseuropano5y ago

Indeed this was a ministerial level conference, the prep meetings are probably more secure and no one would be stupid enough there to share screenshots.

At least since Snowden EU leaders probably always assume that someone is listening in. NSA and GHQ had breached Belgacom (Belgian former telecoms monopoly) to listen in on the EU.

kyriakos5y ago

Its amazing how well they took it, laughing and all

fakedang5y ago

Probably because they secretly knew that if word gets out real fast (which it won't because it'll controlled by them), they'll all be booted from office.

Sure word got out, but it need not reach most of the populace.

rebuilder5y ago

This is on BBC.com's frontpage.

pjc505y ago

Nobody cares about trivia like this when it comes to elections.

aequitas5y ago

bouk5y ago

Probably if he didn't turn on his camera then nobody would've noticed at all.

andrepd5y ago

It will come soon a time (in fact, it's pretty much here already) where China calls the shots over us. "Obey, or no microchips for you. In fact, no manufacturing of any kind." Thoroughly depressing.

kyriakos5y ago

thats not zoom, its Pexip

https://www.pexip.com/

Moodles5y ago

Besides, if the EU defence conference had an open URL or weak password that issue would apply regardless of Zoom, Webex, etc.

rscho5y ago

The point of GP is that Zoom is american software, regardless of any particular issue related to the app itself. Which IMO, is a very crucial point.

A EU security conference should use EU software, and as little foreign stuff as possible. Otherwise, it's just theater (and it currently really is just that!).

jankotek5y ago

But it should not matter how secure chatting software is. This sort of stuff should be on offline VPM, separated from normal internet. If officials are using their personal devices for this....

john_minsk5y ago

It is not that simple. The minute China does it - they stand alone. The whole premise of outsourcing manufacturing to China will die. No one will trust them to do it. In my opinion they won’t do it

ben_w5y ago

With ~20% of the world’s population, more than the entire combined population of the G7, they might be able to stand alone.

toyg5y ago

The setup of China being the world’s workshop is temporary. Chinese leadership is using foreign capital to bootstrap their internal market. They will be self-sufficient in less than a generation.

AsyncAwait5y ago

> It will come soon a time (in fact, it's pretty much here already) where China calls the shots over us.

The U.S. already does that. Why is that any better?

throwaway1892625y ago

If china bullies too much the US and Europe will ally together against them.

The difference between the US and China's government is that almost nobody likes China. The US, at least before recent political developments, tries to make sure that agreements benefit both sides.

The US is also a democracy that respects freedom of the press and human rights to a degree. China doesn't give a shit about any of that.

smabie5y ago

Would you rather have the US tell you what to do or China?

dba7dba5y ago

One of the ways China managed to hack into America's F35 (or F22) fighter development program was listening into a conference call of various vendors discussing project status.

0dmethz5y ago

Of course they respond with the obligatory "we'll report this to the authorities", rather than "thank you for pointing this out in a harmless way we'll do better".

curiousllama5y ago

It was humor... The "threatener" was laughing, the audience was laughing, and the journalist laughed too.

Probably the best response you can hope for in the moment.

agilob5y ago

Hmmmm

>The meeting was ended due to the breach, while a Foreign Affairs Council spokesman told RTL: "Such a breach is illegal and will be reported to the authorities."

xuhu5y ago

The journalist was laughing, but the foreign policy chief just got painted as an emperor without clothes.

And the foreign policy chief was laughing, but I bet he was asking himself "who do I send over there to stop them" while trying to maintain the laughing face.

inglor_cz5y ago

Yeah, the problem with online meetings is that someone else might be taking part as well, unseen and unheard.

Does not matter as much if you discuss reconstruction of a mountain hut, matters a lot in defence, espionage or diplomacy.

praptak5y ago

Not sure how confidential that conference was but I'd imagine these use at least a 2FA dongle to authenticate. This is surprising.

pkz5y ago

It was a six-digit pin of which 5 digits were accidentally shown in a tweet from the Dutch Defence Minister Ank Bijleveld.

pkz5y ago

rapnie5y ago

claudex5y ago

Some sources said they will hold off further meetings until the security is improved.

j00575y ago

You'd imagine, but this conference software apparently only requires a pin that's visible as a GET parameter in the URL. I don't think you can blame the users for posting a screen shot.

claudex5y ago

jakub_g5y ago

Downside would be though users wouldn't be able anymore to just copy the URL from browser's URL bar and send to other people to join.

tdons5y ago

What's more depressing is that this official has GMail open. How ridiculous is that? Which defense minister outside of the USA uses Google Mail? After Snowden, really?

I want to facepalm so hard right now.

hawk_5y ago

toyg5y ago

bserge5y ago