this is the article in De Morgen of today and it is really staggering because if this is true
CD&V-Kamerlid Roel Deseyn stuurt niet langer vertrouwelijke e-mails en sms'en via Belgacom. "Er wordt al eens rondgesnuffeld in mailboxen van kritische politici en journalisten", klinkt het.
Deseyn: "De eerste keer dat er een belletje ging rinkelen, was voor de zomer toen mijn Skynet-mailbox plots werd afgesloten (Skynet is het internetfiliaal van Belgacom, STS). Na lang aandringen kreeg ik te horen dat dit uit veiligheidsoverwegingen was gebeurd, maar men iets te overijverig te werk was gegaan. Ook de Skynet-blog van Belsec, waar een aantal informaticaspecialisten en betrokkenen aan meewerken, werd plots geblokkeerd na een aantal kritische artikels."
Kan dat geen toeval zijn?
"Misschien, maar ik heb nog heel wat andere zaken te horen gekregen van verschillende interne bronnen bij Belgacom. Bijvoorbeeld dat er al eens rondgesnuffeld wordt in mailboxen van kritische politici en journalisten. Dat bepaalde bestuurders en managers voor het versturen van gevoelige sms-berichten met voorbetaalde telefoonkaarten werken omdat ze er geen vertrouwen in hebben dat het systeem waterdicht is. Uitgerekend Didier Bellens zelf heeft een mailadres bij Yahoo.fr omdat hij weet hoe lek zijn eigen systeem is."
Bestaan daar bewijzen van?
"Het is enorm moeilijk om dergelijke zaken te bewijzen. Mensen die het kunnen weten zeggen dat Bellens medewerkers verzoekt om bepaalde vertrouwelijke zaken op te snorren en te printen. Er is al eens een incident rond geweest. Toen onderzocht men of het mogelijk is om zomaar de inhoud van mailboxen te doorzoeken. En bleek dat men zomaar aan die paswoorden kan. Als je een paswoord en een mailadres hebt, kun je via de webmail de inhoud van een mailbox checken."
He says that
* the CEO of Belgacom uses a mailbox of yahoo.fr because he doesn't trust the internal mailsystem according to internal sources the members of parliament says
* the CEO of Belgacom and his direct staff use prepaid cards to send confidential messages by email (which is a method used by terrorists and spies by the way). If this is only since may 2013 it is a normal and good practice because as we have said over and over again, if there has been a full penetration of the network for over several years and it will take normally months to be sure that everything has been found, traced, cleaned or changed than those hyperconfidential messages shouldn't use any internal system as long as they haven't been totally cleaned and seperated in a totally secured zone under permanent detailed monitoring (securing from inside out after securing the walls around the network)
* Belgacomstaff had access to the mailbox of the member of parliament and if this is the case, one should file an official compliant with the Privacycommission, which normally when such accusations are made in the press will even have the power to start itself an investigation because if Belgacomstaff have direct access to the mailboxes of individual members (even if they are not journalists or members of parliament) than I can imagine of no greater risk to privacy and freedom of press and in the case of the members of parliament of democracy itself - especially if there is no courtorder or case of enormous interest of national security (intelligence, terrorism)
* belsec, this critical blog, has been several times kept offline by skynetblogs during a limited time and the main problem with that is not that they have done it (somewhere they will have the right in their legal fine letters) but the way in which they do it. Their procedure is one without any pre-warning and without asking the author to delete the postings or part of it. An alternative is to only block the concerned postings and ask the writer meanwhile to delete or adapt the postings. The writer-blogger doesn't even know who has complained about your blog or any of your postings (and at Belsec we are at more than 6000 postings)
the only thing we would like to see is that skynetblogs has a more transparant procedure for treating such complaints and treats its bloggers-writers with the necessary due respect and not with the feeling that we are guilty without having any possibility to be heard first
this procedure lacks any transparancy because they don't publish a case-officer and you don't know who will decide what when you have adapated the postings accordingly (and they don't tell you what aspect of your posting is at the heart of the complaint)
even if I am VERY critical of the way Belgacom is treating security before and since the incident (and the other ISP's are not any better) I have only been kept offline when there were complaints about personal details from leaks and passwords that were public on the internet and easy to be found but that lawyers in Belgacom and the people complaining didn't want to see on this blog read by many Belgian journalists and ITpeople (to close at home)
and for the people concerned, if we do publish that information than it was because it was necessary as proof like with VOO (who said that no server was hacked while the details of the servers were published by Rex Mundi) or because people forget that not only logins and emailaddresses are published online but also many other personal financial and administrative details (for which we in Belgium have no national plan of remedy so for example what will we do if a 1000 or half a milllion numbers of Belgian EID cards or mobile numbers are published online)
If we find personal logins and details online, we forward them to the CERT who will treat and forward that information to the persons and institutions concerned, if we would publish every personal detail or all the vulnerability information we had-have, this blog would be very seldom online (and I would probably be more in court than at home)
we try to do responsable disclosure without closing our eyes to the fact that it would not be good for the public and the democratic institutions responsable for the oversight of the policymakers and administrations to be left in the dark about the dramatic state of cybersecurity in Belgium today and the very high need for that central cybersecurity institution with a budget threefold more than was originally asked (don't spend it on reports and very expensive blablabla consultants with long cv's and no battle experience - we need more cybersoldiers than any more wining and dining generals)