November 20, 2007


Dan Egerstad, the man who was swooped by the swedish police for putting up 100s of passwords of enbassies all over the world . This man uncovered the security lapses and now being prosecuted for this stunt.Dan Egerstad said that he accidentally stumbled onto the problem and made passwords and other details of those accounts public to highlight the security risk.

He released addresses and passwords on a blog ( from the list of easily compromised accounts, which included accounts from Indian, Pakistani, Uzbek, and Kazakh embassies and other government institutions. In fact, the list included 26 embassies and six consulates of
Uzbekistan alone. Ten accounts belonged to the Kazakh Embassy in Russia, according to a technology-based website,, that covered the story.They also included Chinese human-rights groups and one of Tibetan spiritual leader Dalai Lama's liaison offices.

Egerstad says that the only officials who have contacted him from the embassies or governments involved are Iranians, including the Iranian Embassy in

"They pretty much said, 'Thank you.' The Indians, they were kind of pissed," Egerstad says. "No one wanted to talk to me except

Egerstad says the affected governments are merely those using software that is susceptible to the hack that he discovered. He says that after he accidentally uncovered the flaw, those vulnerable accounts were like an open book.Egerstad has stressed that he never actually opened the correspondence, so as to avoid breaking the law. He said he released the information to shed light on security problems to allow the groups involved to fix them.

"After they calm down a little bit and get over the first shock, they will realize I didn't do this to hack into their system or anything like that, I did it because they have a major problem," Egerstad says.Egerstad lives in Malmo, in southern Sweden, and describes himself as a security specialist who works for Danish and Swedish companies. But he also says the discovery did not even require much expertise.

These are facts that create different points of view.

1. Those who used TOR for communicating sensitive informations probably didn't read carefully it's homepage and all the warnings included. Building secure communication channels in government environments should be mandatory, but use TOR for this... excuse me, please, this is stupid.

2. Please note the fact, that most of the accounts were already used by malicious people - Egerstad discovered only top of iceberg.

3. Even he has intercepted traffic on exit node, and this is from ethical point of view something unacceptable, he didn't misused it and selected the best solution he could - informing governments of affected countries - and this could be considered as ethical approach. The fact, that except Iran nobody seriously investigated this issue. What a shame for more developed countries!

4. He posted account informations to public - another controversial move from ethical point of view. But, let me place here question: if you give out informations for free to governments and become not even "thank you", what will you do?

5. Egerstad showed only, than anybody can do the same - and have the same informations as he got, with no special and expensive intelligence. And because he published the details, lot of intelligence agencies may become angry.


1. Most of the high-profile persons in the embassies had their passwords with their name and numbers 1234 which is so sick to hear . Persons of high responsiblity couldn't even care for password??

2. Iranian Embasy's account in
tunisia had the password "TUNISIA" . Even 5th grade child would keep a password better than this...

3. When we dont have the brain to find out the major security flaws like this,... Why this ego not to negotiate with him to make it flawless when Dan obliges to fix it.

4. Dan's BLOG "" was taken down few days before... where he posted how he did this and other security lapses...

5. Dan intercepted 5 TOR servers where he hosted some packet sniffers to get the information. some of the TOR servers all over the world was hosted by wrong people.

6. How come people hosting these servers without providing these encryption on the data not prosecuted [;)]

Add this as bookmark to ....

No comments: