• we can't leave without mentioning this - Rex Mundi republished thousands of Belgian data on TOR

    we can't publish the link due to harrassment by lawyers of Mensura but you can find it easily if you are a little webwise (which shows how stupid these lawyers are)

    it also shows what I have said on tv - once on the web always somewhere on the web

    so the banks, paypal and others should have taken already all the dispositions to protect the people

    new are the old ones of (you know that nobody is responsable for overseeing the security and their financial balances of online creditcompanies in Belgium - NO ONE)

  • canadian telecoms say government not to worry, surveillance backdoors become standard

    you don't need to put it into writing and even not in a law

    that functionality will be in all telecom technology quite soon - because it has been asked by so many not so telco's in not so democratic countries or where this has become standard practice since ever


    from the technical documents (you can download withoiut becoming member)

    the technical information has been blackened so you can't know what these new standarts will be as each of the firms (and one of the heads of Huwai in Belgium told me personally) will say that officially these interception backdoors are NOT in their infrastructure

    Huwai is installed in the Belgacom and Telenet networks although some have serious questions about that

  • volgens de privacycommissie zijn de slachtoffers verantwoordelijk voor alle kosten van hun dataverlies

    dit staat er momenteel in wat er in de kennisgeving moet staan aan de getroffenen


    • naam van de verantwoordelijke voor de gegevensverwerking,

    • contactgegevens van een aanspreekpunt waar bijkomende informatie kan worden verkregen,
    • samenvatting van het incident dat de persoonsgegevens heeft aangetast,
    • vermoedelijke datum van het incident,
    • aard en strekking van de betrokken persoonsgegevens,
    • denkbare gevolgen van het gegevenslek voor de betrokken personen,
    • omstandigheden waaronder het gegevenslek plaatsvond,
    • de maatregelen die de verantwoordelijke heeft genomen om dit gegevenslek te verhelpen,
    • de maatregelen die de verantwoordelijke aan de betrokken personen aanbeveelt om de mogelijke schade in te perken.

    dus de kosten en het ongemak van het wijzigen van de bankrekening of de gsm zijn enkel en alleen voor het slachtoffer, men noemt dit in feite dubbele victimisatie zoals bij verkrachting

    want als er dan nadien toch misbruik gebeurt van de gegevens dan is het opeens de fout van het slachtoffer die niet alles heeft gedaan wat hij had moeten doen volgens de oorzaak van het lek (de onveilige dataverzamelaar)

    nee, het is volgens mij de oorzaak van het datalek, de onveilige dataverzamelaar die de banken moet informeren als daar bankrekeningnummers in staan, de mobiele telefoonmaatschappijen als daar mobiele nummers in staan enzovoort

    dit is zo in de VS en misschien moeten we dat voorbeeld maar eens overnemen

    dan zullen opeens veel meer bedrijven meer gaan opletten en veel minder gegevens vragen die ze via een veiliger weg ook kunnen verkrijgen

  • #rexmundi publishes the dataset from

    no links due to lawyers but if you know to search Google you will find it

    "Dear friends and foes,

    Here is the full data leak from, another project with numerous SQL injection vulnerabilities. Our advice to Xtra-Interim: ask Novation for a full refund. And damages, if possible.

    Just a quick note: a little bird told us that the Belgian police's new stance is to advise victims not to pay, in the hope that we would eventually quit hacking Belgian websites if there was no money to be made out of it.

    In truth, we won't stop regardless of whether we get paid or not.

    It is just too damn fun.

    Rex Mundi




  • #belgacomhack and De Standaard the good and the bad

    First we should honour the courage and persistance of De Standaard for several reasons

    * to give its journalists the possibility to research, read and understand what has happened

    * to contact the keepers of the Snowden cache of documents to get more documents about this operation

    * to publish a story on 4 pages about this particular hacking

    we are also very impressed that

    * they have understood that this is NOT a hacking operation but an espionage operation and it is important to understand this because this needs another framework of interpretation and analysis

    * they seem to have read a lot from this blog and have understood some of the points that we were and are making


    * they seem to have misunderstood that with this Regin that was found at Belgacom the question of the certificates was also resolved. It were fake Microsoft certificates that signed the code as if it was from Microsoft. This also makes it necessary for Microsoft and others to think about some way to control those cerfiticates without any doubt

    * the Belgacompeople said at their securityevent that they were suprised that only so few data effectively left the company. It were very small textpackages. This is understandable if you understand that both operations were according to the Canadians and the British Official Operations (which means that there will have been given permission to look for certain specific information and nothing more and that everything should have been programmed like that). We also know that it was not Belgacom but the mobile network of BICS that was targeted and more particulary certain networks that was used by certain telephone numbers. (nowadays one would install the IMTS spy mobilecatchers that were discovered in Norway today) This means that only certain metadata was extracted. The possible repercussions for all the other instances and organisations is maybe limited but we also don't know what some services or representatives have been telling all those people since than. The fact that so few of their important customers are protesting is maybe a sign that they have been briefed or informed that this operation was linked to the tracking of terrorists and some other people.

    So that they have hacked the NATO and the European Union is a bit jumping to conclusions. As a legal spyoperation it could also have gone rogue this way and made some big problems for those involved and those who gave the permission.

    and as we have said, we have moved on from Snowden, the real question is not Snowden but how we can incorporate the european intelligence services in the five eyes operations as we have to prepare for the new cold war (that may become hotter during some local wars in Eastern Europe and the baltics)

    we don't have to wait too long to start those negotiations and to build a new extended framework for the democratic intelligence services to exchange information faster and more effectively with the necesary democratic oversight and the strict definition of rights and duties of those agencies.

    this important question should also have been asked

  • #belgacomhack the 5 eyes are one and not so easy to seperate


    there is no question that the attacks on Belgacom and others came from the UK and more precise from the GCHQ bases

    but these bases although on UK territory are not necessarily totally under the control of the UK government because they are paid and led by also the NSA while people from the other partners are also working on these bases

    so the question is more complicated than at first sight

    the 5 allies after the second world war formed an intelligence alliance because they also discovered that the British and other intelligence agencies were deeply penetrated by Russian spies during the second world war (while they were concentrating on the nazis and saw the russians as allies) and needed the intelligence from the USA to help them keeping their secrets secret from the Russians which weren't the allies anymore but became the new enemies because they were occupying eastern europe and installing a strange form of people democracy

    so the real question is if the new europe can have a place in the new 6 eyes intelligence coalition ?

    In De Standaard they refer to the story about the spying on Merkel and the diplomatic row that followed but it now seems that the story is crap and that there are doubts about these specific documents so you can say that Di Rupo was only cautious because in Germany they are now embarrassed that they have made such a row with so little real evidence

  • #snowden the NSA document showing the phone of Merkel was tapped seems in doubt

    "Harald Range launched an official investigation in June, believing there was enough preliminary evidence to show unknown U.S. intelligence officers had tapped the phone, although there was not enough clarity on the issue to bring charges.


    On Wednesday he said however, "the document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database.


    "There is no proof at the moment which could lead to charges that Chancellor Merkel's phone connection data was collected or her calls tapped."


    Range said neither a reporter for German news magazine Spiegel who presented the document, nor Germany's BND foreign intelligence agency, nor Snowden had provided further details to his office. The investigation continues, however.

    if that document is in doubt, than there can also be some doubt between other documents - even more now there seems to be several caches or selections of documents that are being used by different people in different places

    the effect of course will be that the real journalists will now ask more guarantees from the NSAjunkies to proof that their documents are really coming from a real Snowden cache and are really from the NSA

  • #rexmundi decides not to publish the national registry numbers but what about the bank account numbers

    thanks for that

    they are in any case compromised

    and together with the bank account numbers this would have been mortal

    the other question stays what will now happen with the people who have their personal contactdetails, some personal and financial information and their bankaccounts published

    in the US the firm or service responsable for the protection of the data has to pay for a year of monitoring or the costs of changing the bankaccounts and other details


  • #rexmundi leaks what we see and what we don't

    • first we don't see the national registry numbers which is good if that was the intention - we say that you should never fill that in online or any other personal or financial information if you don't have all the necessary security settings (like https, like being protected behind another login screen, etc....)
    • Secondly we see that some people have not filled in all the information which shows that people sometimes begin to think like we do - if you don't need it, you shouldn't get it
    • third the passwords are protected somewhat

    but we see

    id	langID	hiant_id	cv	tel	naam	email	busnr	office	huisnr	straat	diploma	
    postcode voornaam gemeente
    paswoord opmerking creationdate nationaliteit geboortedatum geboorteplaats burgerlijke_stand

    we have emails and if somebody is still married and the address and so on

    and we see

    id eid hiant_id video_id arbeidsstelsel cv tel naam type email active straat
    statuut bedrijf postcode paswoord
    voornaam gemeente opmerking loginnaam fiscale_code creation_date nationaliteit
    geboortedatum rekeningnummer geboorteplaats burgerlijke_stand fiscale_code_temp

    not everybody filled in their NR of their banc account (wise) but some did and they may have to get some
    special protections and maybe change their number of their account viewing the number of personal details
    that are published and makes it easier for fraud and phishing

  • #rexmundi leaks thousands of personal contact details of the hacked tempjob agencies

    due to legal reasons no direct links



  • those who think that they are anonymous on bittorrent forget something.... they are not

    and other trackers and software are just encoding and keeping track

  • the future of TOR is in encryption not hosting the underworld and so it is a networkservice

    as an ISP you could already propose a clean TOR relay service

    the only thing you will have to do for legal reasons is to put a proxy behind it so that you can go on the whole of the internet except onion sites (just one blocking rule in fact)

    and if you go on it to do something awfully wrong, it will be in the logs

    but for their business clients it would be useful to go on a respected and trusted relayserver and be able to communicate with a host of countries and clients without endangering your privacy or confidential information

    fundamentalists won't like it, but I think it is the kind of service that will make TOR available on a reliable scale for the real purposes that it was put into place


  • #rexmundi this is the public information that could have been leaked

    here is a form with contactinformation

    but it also depends on what is on your cv that you can send also - without any protection that is

    at the other side it are full profiles because there is also a pic with the cv and so on

    and as the logins aren't protected than you could in theory extend that with other information

    and if the same person used the same password for other things - like email or shopping - than it is a bigger problem (but not sure that RexMundi has those logins or just sqlinjected these forms)

    but there is better - without any ssl protection - that is in cleartext


  • #Rex Mundi hacks two Belgian online Temporary work agencies with 6000 files to come online

    due to legal threats we can't give the source of the information - if you are smart you will find it yourself

    the sum is now 5000 Euro they ask - so nor the bitcoin enormous sum nor the let the curious pay something in some small bitcoin cent seem to have worked

    this is back to the beginning for Rex Mundi

    we were already sending alerts through different channels but to no avail - every one thinks that they won't be next - so if your security is so lax that you leave sql injections and other security mistakes - why in the hell do you think that you won't be next - do you have a guardian angel or something ?

    you are just an url in a database and an application that will test your defenses

    there is nothing more to it

    for all those not understanding this blog and jumping to conclusions

    * I am not Rex Mundi and I have no links to Rex Mundi

    * I do not hack nor do anything that is not strictly within the law

    * and if I didn't try to make people aware of the dangers with this blog and setting up an open intelligence network than it would even be much worse

  • De voorzitter van de Belgische Privacycommissie over de rol van de privacycommissie

    Naar aanleiding van het Mensura incident had ik voorgesteld dat ik de dossierbehandelaar zou ontmoeten om de verschillende elementen en mijn ontdekking te bespreken. Deze vraag werd in het directiecomité besproken maar om procedurale en juridische redenen afgewezen.

    In de email legt de voorzitter van de privacycommissie - die me het recht geeft om hieruit te citeren - ook een aantal elementen voor van hoe de Belgische privacycommissie haar rol ziet.

    We kunnen niet anders dan wachten op het Europees kader die deze 'poedel' (indien er geen minnelijke schikking komt kunnen we niets doen en we hebben geen enkel administratief sanctierecht) in een bulldog die alleen al door haar verschijning netwerk en websiteverantwoordelijken automatisch een betere beveiliging doet installeren om ze toch maar niet op bezoek te krijgen.

    Dit wordt verwacht in 2015 -2017 of indien de staatssecretaris voor privacy eindelijk eens begint te begrijpen wat privacy is en hoe belangrijk dat wel is en met enkele kleine wijzigingen aan de wet de Privacycommissie opeens wel de nodige administratieve bevoegdheden geeft om op zijn minst waarschuwingen te geven en indien deze niet worden opgevolgd de stekker eruit te trekken. Net zoals we restaurants sluiten die niet hygiënisch zijn, auto's van de straat houden die niet veilig zijn en electriciteitswerken niet aansluiten op het algemene netwerk omdat ze gewoon slecht gelegd zijn of logische fouten hebben.

    Wij zullen blijven met nieuwe zaken naar de privacycommissie te sturen iedere keer we dit nodig achten. Dit is onze rol. Volgend jaar nemen we trouwens een ander orgaan in het vizier - niet om het te bekritiseren maar om te proberen haar aan te zetten om de volheid van haar mogelijke bevoegdheden te gaan gebruiken.

    Juridisch formalisme is niet iets wat ons voluntarisme zal tegenhouden. Indien dit zo was dan hadden we al 10 jaar geleden gestopt.

  • Mensura nieuws sommige instellingen die klant waren zijn NIET getroffen door het lek

    het blijkt dat sommige instellingen en organisaties geweigerd hebben om gebruik te maken van de online formulieren van Mensura voor het aanvragen van medische controles

    Deze instellingen en organisaties zijn dan ook NIET getroffen door het datalek omdat ze enkel gebruik hebben gemaakt van email of van de veiliger fax

    Het staat uw instelling of bedrijf ook vrij om NIET gebruik te willen maken van online formulieren of procedures die u onveilig of gevaarlijk lijken (test de site vb eens op of waarop teveel informatie wordt gevraagd die in feite niet nodig zijn of beter niet online staan

    Verschillende andere instellingen hebben GEEN online formulier voor het aanvragen van een aanvullende medische controle.

    U bent de klant, u kunt weigeren van een dergelijk online formulier in te vullen. Uw vakbondsvertegenwoordiger kan in uw bedrijf of organisatie eisen dat dergelijke online formulieren niet worden gebruikt (zeker niet als uw rijksregisternummer, persoonlijke informatie en medische informatie online wordt verzameld)

    De enige uitzondering zou zijn wanneer de applicatie voor het invullen van de gegevens volledig is afgescheiden van de publieke website en achter een VPN met een sterke login staat.

  • what will come in the place of bitcoin ?

    "It wouldn’t be the least bit surprising to see the best bits of Bitcoin be grafted into new products and services (like facilitating international transfers),” said David Yermack, professor of finance at New York University Stern School of Business, to CNN.


    “A lot of the breakthrough products tend to get taken over pretty quickly by improved versions and I think that’s likely going to be the fate of Bitcoin. It’s certainly played a role in raising issues and opening possibilities that people were only dimly aware of before. But if I owned Bitcoins, I would be a seller at the current market price as I think a year from now they may be all but worthless.”

    first they seem to forget that some - even essential parts - of bitcoin (like for example the encryption) seem to have some fundamental logical mistakes which makes it insecure an sich. So incorporating parts of bitcoin into new digital currencies that are part of the normal financial systems can introduce some grave mistakes into the normal financial system. 

    secondly the biggest advantage of Bitcoin is that it is anonymous but governments all over the world are trying to limit the anonimity of money transfers because they want to receive the right amount of due taxes. So this fundamental part of bitcoin won't ever be incorporated without a backdoor for tax and law agencies. It will also be much easier to follow digital currencies through their CHAIN if there is such a backdoor than with our present ways of paying. 

    and last but not least

    bitcoin has shown what the internet have shown in so many other industries and that is that if there is an unfair interference from businesses in a normal process it can and will be replaced by an internetbased direct system. It costs much too much to transfer money around the world - and even across accounts. But I don't see the bitcoin replace the dollar as an international currency. It will be much easier to have a 'digital dollar' with the possibilities of a digital bitcoin than a bitcoin with the financial trust of the dollar. 

    and so

    there will always be anonymous digital currencies because there is a reason for them to exist and if you use them for that reason (to give anonymously to support causes by example) whatever the value of the bitcoin at any moment. But it will never become a real investment product (except as pure speculation with the risk of losing nearly everything) because it is insecure, prosecuted by law agencies and not supported by any financial institution. 

    if you use bitcoin, use it to do something with the same value you have bought it 

  • researchers break openssl implementation in bitcoin with only 200 timing attacks

    "Earlier this month a new paper by Naomi Benger, Joop van de Pol, Nigel Smart, and Yuval Yarom hit the news. The paper explains how to recover secret keys from OpenSSL's implementation of ECDSA-secp256k1 using timing information from "as little as 200 signatures"; ECDSA-secp256k1 is the signature system used by Bitcoin. The timing information is collected by an attack process running on the same machine, but the process doesn't need any privileges; I don't see any obstacle to running the attack process in a separate virtual machine. Earlier papers by Yarom and Katrina Falkner and Yarom and Benger had explained how to carry out similarly efficient attacks against various implementations of RSA and binary-field ECDSA.


    These attacks are what I call "cache-timing attacks": they exploit data flow


    1. from secrets to load/store addresses and
    2. from load/store addresses to attacker-visible differences in timing between different addresses.


    For comparison, conventional timing attacks exploit data flow


    1. from secrets to the program counter (i.e., the instruction address as a function of time) and
    2. from the program counter to attacker-visible differences in timing between different instruction addresses.


    In both cases the second part of the data flow is built into chips, but the first part is built into the software.


    Did the software designers have to allow data flow from secrets to addresses? "Obviously not!" say the theoreticians. "Everybody knows that any computation using branches and random access to data can be efficiently simulated by a computation that accesses only a predefined public sequence of instructions and a predefined public sequence of memory locations. Didn't you take a course in computational complexity theory? If the software designers had done a better job then this attack would never have worked."


    I have a different view. I blame this attack on the ECDSA designers. Every natural implementation of ECDSA makes heavy use of secret branches and secret array indices. Eliminating these secrets makes the code much more complicated and much slower. (The theoreticians are blind to these problems: their notion of "efficient" uses an oversimplified cost metric.) The ECDSA designers are practically begging the implementors to create variable-time software, so it's not a surprise that the implementors oblige

    if the design is insecure everything that follows and uses it will be insecure and you only have to wait untill it is discovered, manipulated and made so easy that it can be automatized

  • hacked and leaked

    userid, password and emailaddress