What upsets me most is that NRC is withholding information in the name of "US national security". Having a crooked government is bad, but when journalists would rather side with the man than stand up to him (as they're supposed to in a democratic society), all hope is lost. They don't admit doing this in the English version of this article, which reads:

> A spokesperson for the American government stated that the publication of classified information is a threat to US national security.
But the Dutch version does:

> De Amerikaanse overheid laat in een reactie weten dat publicatie van staatsgeheimen de nationale veiligheid schaadt. Om die reden publiceert deze krant belangrijke technische details niet.
Translation:

> A spokesperson for the American government stated that the publication of classified information is a threat to US national security. For this reason, the paper won't publish important technical details.
The Dutch government is conducting illegal activities and its citizens deserve to know exactly how their government is screwing them.
A lot of forums like phpBB are installed via cPanel and may have default passwords and not be secured fully.
If you have a machine in the ISP, which just means renting 1 machine per ISP, then scan the local IP ranges for open MySQL ports... or more nefariously scan for Memcached as that is hardly ever secured.
Then use the default credentials or the credentials stolen from Memcached to access MySQL.
You're dealing with a known set of forum software, probably phpBB, Vanilla, vBulletin and Invision. So you only need to map out a few schemas to be able to make sense of hundreds if not thousands of sites.
Forums are slow moving; even the big ones only have a few thousand to low tens of thousands of posts per day... and your rented machine could easily poll for differences and send it back to HQ.
This is all just speculation of course, but it wouldn't surprise me that this is how it was done.
You're making some pretty big assumptions there. I don't think there is any evidence that MySQL databases set up via cPanel (or any other control panel) have default passwords or are inherently insecure. If this was the case, we would be seeing websites being hacked left and right, and not just by intelligence services.
> “They use sweeps to collect data from all users of web forums. The use of these techniques could easily lead to mass surveillance by the government.”
Which implies that they are not scanning traffic constantly but are instead performing a sweep across the fora and gathering all data. Which implies querying the databases on a schedule and pulling info, as the full dataset never exists in the ephemeral traffic.
> “They acquire MySQL databases via CNE access”
Which states that they exploit something on the network to "acquire" the data from MySQL databases.
Those two things together suggest periodic access to the databases.
And given the previous behaviour from accessing networks and hardware without permission of the companies operating on those networks (the Google dark fibre intercept) it isn't too much of a stretch to imagine a similar scenario that could give them access to these databases without asking first.
And the easiest way to get access to a large volume of forums would be to use a common platform as the attack point: A common deployment (cPanel, Plesk, etc) or a common technology that could give up credentials (memcached).
Of course they could use a vulnerability in MySQL, but I bet that's harder work than just trying default passwords or pulling credentials from the unsecured memory cache.
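The scenario sketched in the two comments above (a rented machine polling forum databases on a schedule and pulling the content tables) has a defender's counterpart: a scheduled bulk read of `phpbb_posts` from a host that is not one of the web front-ends is exactly the kind of pattern a forum operator can spot in the MySQL general log. The following is an added example, not code from the thread or from any forum project, that runs such a check over a constructed general-log excerpt; the log lines, the table names, the allowlisted front-end address `10.0.0.5` and the "unexpected" address `192.0.2.77` are all assumptions made up for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed MySQL general-log excerpt (not real data). The application host
# 10.0.0.5 issues ordinary single-row page queries; an unexpected host pulls the
# whole posts table once an hour with a "give me everything newer than X" query.
SAMPLE_LOG = """\
2014-08-30T02:59:58.000000Z   40 Connect  forum@10.0.0.5 on phpbb
2014-08-30T02:59:58.010000Z   40 Query    SELECT post_text FROM phpbb_posts WHERE post_id = 1234
2014-08-30T02:59:58.020000Z   40 Quit
2014-08-30T03:00:01.000000Z   41 Connect  forum@192.0.2.77 on phpbb
2014-08-30T03:00:01.100000Z   41 Query    SELECT post_id, poster_id, post_time, post_text FROM phpbb_posts WHERE post_time > 1409360400
2014-08-30T03:00:03.000000Z   41 Quit
2014-08-30T04:00:01.000000Z   42 Connect  forum@192.0.2.77 on phpbb
2014-08-30T04:00:01.100000Z   42 Query    SELECT post_id, poster_id, post_time, post_text FROM phpbb_posts WHERE post_time > 1409364000
2014-08-30T04:00:03.000000Z   42 Quit
2014-08-30T05:00:01.000000Z   43 Connect  forum@192.0.2.77 on phpbb
2014-08-30T05:00:01.100000Z   43 Query    SELECT post_id, poster_id, post_time, post_text FROM phpbb_posts WHERE post_time > 1409367600
2014-08-30T05:00:03.000000Z   43 Quit
2014-08-30T05:30:00.000000Z   44 Connect  forum@10.0.0.5 on phpbb
2014-08-30T05:30:00.010000Z   44 Query    SELECT username FROM phpbb_users WHERE user_id = 77
2014-08-30T05:30:00.020000Z   44 Quit
2014-08-30T06:00:01.000000Z   45 Connect  forum@192.0.2.77 on phpbb
2014-08-30T06:00:01.100000Z   45 Query    SELECT post_id, poster_id, post_time, post_text FROM phpbb_posts WHERE post_time > 1409371200
2014-08-30T06:00:03.000000Z   45 Quit
"""

# Hosts that are expected to talk to the database (assumed: the web front-ends).
ALLOWED_HOSTS = {"localhost", "10.0.0.5"}
# Tables whose contents are what a "sweep" would be after (assumed phpBB names).
CONTENT_TABLES = {"phpbb_posts", "phpbb_topics", "phpbb_users", "phpbb_privmsgs"}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>Connect|Query|Quit)\s*(?P<arg>.*)$")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on")
TABLE_RE = re.compile(r"\bSELECT\b.+?\bFROM\s+`?(?P<table>\w+)`?", re.I)
# A single-row lookup by numeric key is normal page rendering, not a sweep.
POINT_LOOKUP_RE = re.compile(r"\bWHERE\s+\w+\s*=\s*\d+\s*$", re.I)


def parse_events(text):
    """Yield (timestamp, thread_id, command, argument) for each general-log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        yield ts, int(m["tid"]), m["cmd"], m["arg"].strip()


def content_reads(text):
    """Return [(ts, user, host, table)] for every non-point-lookup SELECT on a
    content table, attributing each query to the user@host of its connection."""
    sessions = {}  # thread id -> (user, host), filled from Connect lines
    hits = []
    for ts, tid, cmd, arg in parse_events(text):
        if cmd == "Connect":
            m = CONNECT_RE.match(arg)
            if m:
                sessions[tid] = (m["user"], m["host"])
        elif cmd == "Query":
            m = TABLE_RE.search(arg)
            if not m or m["table"] not in CONTENT_TABLES or POINT_LOOKUP_RE.search(arg):
                continue
            user, host = sessions.get(tid, ("?", "?"))
            hits.append((ts, user, host, m["table"]))
        elif cmd == "Quit":
            sessions.pop(tid, None)
    return hits


def unexpected_hosts(hits, allowed_hosts=ALLOWED_HOSTS):
    """Bulk content reads coming from a host that is not a known front-end."""
    return [h for h in hits if h[2] not in allowed_hosts]


def periodic_pulls(hits, min_repeats=3, tolerance=0.05):
    """Group bulk reads by (host, table) and report those that recur at a steady
    interval: returns [(host, table, interval_seconds, count)]. A scheduled poll
    shows up as near-identical gaps between successive reads."""
    by_key = defaultdict(list)
    for ts, _user, host, table in hits:
        by_key[(host, table)].append(ts)
    findings = []
    for (host, table), stamps in by_key.items():
        stamps.sort()
        if len(stamps) < min_repeats:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= tolerance * med for g in gaps):
            findings.append((host, table, med, len(stamps)))
    return findings


if __name__ == "__main__":
    reads = content_reads(SAMPLE_LOG)
    for ts, user, host, table in unexpected_hosts(reads):
        print(f"{ts} bulk read of {table} by {user}@{host} (host not allowlisted)")
    for host, table, interval, count in periodic_pulls(reads):
        print(f"{host} pulled {table} {count} times, every {interval:.0f}s")
```

Two signals are kept separate on purpose: the allowlist catches a single read from the wrong place, while the cadence check catches a poller even when it comes from an address that happens to be trusted. Both depend on the general log (or an equivalent query log or proxy log) actually being enabled, which on a default cPanel-style MySQL install it is not; that, rather than the detection logic, is the part most forum operators are missing.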
National security /is/ about standing up for the people. And yes, that should be closely monitored by journalists, but that does not mean that everything should be public.
In this case, everything should be made public because the government needs to be held accountable. Governments should serve the people, not the other way around. Without proper scrutiny, there's no way to tell if the proper balance is maintained going forward.
Making things like that public helps terrorists to hide their communication in ways that cannot be decrypted or broken into. That is clearly a threat to all civilians. Giving journalists access to documents and not publishing details is a good balance IMO. The government is still held accountable, it's just not held directly accountable by you. That's the way a democracy works.
By that logic TLS, PGP, etc. should only be available to governments because it can help terrorists to hide their communication in ways that cannot be decrypted or broken into. And let's outlaw pressure cookers, because terrorists have used them as crude bombs so clearly they're a threat to all civilians. Heck, we should all stop wearing clothes and bags because terrorists can use them to conceal weapons.
Governments are to serve the people and we cannot blindly trust them with power regardless of how they're formed. As long as people continue to subscribe to scaremongering for terrorism, the terrorists have already won anyway. The surveillance states of late have powers blown way out of proportion. They ought to save lives in face of threats, not save lives for retrieval by automated data systems. I have no problems with the former, but I do very much have problems with the latter.
The NOS reported that at least four important political parties are outraged and want an investigation on the issue. In my opinion this is better than the American government's response.
I believe the Dutch are not being screwed by their government, but simply by inadequate control on its intelligence agencies. The government can fix this.