This keeps happening in Europe with these mega-IT suppliers repeatedly getting exposed using very bad development practices. Sweden most recently had a major breach back in 2024 when the other large IT services supplier TietoEvry had their data centres breached and claimed "not actually an issue of security".
Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.
Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity, are suspicious of things like zero-trust, follow outdated engineering practices. Sigh.
The tender process is what they are optimised for. They are professional project bidders with a bit of outsourced software development bolted on the back.
> Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec and still believe in security-by-obscurity
So what do you think would be the solution? From what I see (both public tender or not), I would claim that "any large IT project/company will suffer from security issues", so I'm not sure what the added value is in singling out a process (the tender) or a region (Europe) if there is no obvious alternative.
I have (the start of a) solution, but it's a boring one:
You have to have people who care about this stuff.
If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part.
And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.
I don't think that's a particularly novel idea, the question is how do you get people who care in an organization that has hundreds of thousands of employees (the public sector)?
You may not like the trivial answer: The same way as we do everything else. How do we get people to show up for work? How do we get people to respect data security boundaries? None of these are questions of technology. The answer is culture. We need to create a strong shared culture of caring, by hiring people that care and putting them in an environment where caring is appreciated.
> You have to have people who care about this stuff.
What?! Preposterous! How could you even make money out of that? No no no, that will not do. You will ask your AI agent some vague question, commit the result without review and push it to the client. And you’ll like it. If there’s any trouble, call Timothy, he’ll be on vacation with his family in Thailand. Some resort, “Lotus” something or other.
Split giant projects into small ones, award it to better smaller companies, require interoperability via API that is clearly documented and ask for around the clock security monitoring and patching. The last things being the same thing you do at any decent private company.
IBM or Accenture or whoever don't need to be the only ones winning tenders.
The total number of people working on the project might remain similar no matter if it's one company or many smaller companies. Writing clear documentation and APIs, well thought out from the start, is harder the larger the project.
Maybe there would be a benefit from having fewer layers of management, but multiple small companies or one big one could have the same structure.
A smaller company would have a flatter structure and less management.
Waiting for my coffee now, I had a thought: what if you have more than one company providing the same service and, for a project "lifetime" of say 5 years, the money is split proportionally by which company attracts the most users, and you make it so that for the services offered through this you can only use one company, but you can switch at any time.
Absolutely. One of the root causes for these terrible tender processes is a fear of in-housing competence and skill for systems.
It's the same reason major govt. IT orgs keep pushing for closed source (recently the Swedish Tax Authority was in the media for _pushing for Office 365_ as necessary for operations), out-sourced designs, big firm purchases over FOSS or real standards.
You need people that care (and they exist, even in the gigantic state orgs.) in positions to make good decisions. Right now, everything is up in the hands of nebulously defined managerial staff with none-to-doubtful technical competence.
Another recent case: the Swedish digital exams platform flopped at a rough cost of a billion SEK. Can't sustain 150K concurrent users, despite paying a "large company". Like, come on.
Germany has iirc liability for the entire chain (engineers to upper management) in case of data breaches. I remember having to sign for that when I did a project in Germany. Would that help? I would not mind if the CEO/CTO of Odido would spend a couple of years in a federal pound them in the ass prison if it is found out the leak was due to malpractice.
The problem here is that what tends to happen is that the security requirements are relatively vague, and once the customer has signed the acceptance, good luck.
And signing up with a big company is a good way to cover your behind, because "if they with all their people and knowledge could not do it...". Basically the mantra of "Nobody was ever fired for buying Cisco".
Japan is only in economic decline; we in the west are in a societal decline, we just lie to ourselves that we're not, due to the fiscalisation tricks we employ to pump up bullshit metrics like the GDP graph and the DOW (cough Pam Bondi cough), that only benefit the top 10% asset owners, as if that means anything to the average city worker who lives paycheck to paycheck, has six-figure debt, lives surrounded by homeless people and hears gunshots at night in the background.
Glad to have returned after missing out on FOSDEM for a while. However, I agree with OP on that undeniable success leading to heavy crowding.
I also missed some hacker hardware stands, there were very few this year.
I always enjoyed chatting with people demoing SDR/small cool hardware hacks as a refreshing break from whatever high-tech presentation room I got stuck in for half a day :-)
It would almost be good to ... have a bigger campus.
On the positive side, I think the little bit of chaos that came from the natural disorganization of a "free conference" helped me get into a few rooms despite the general overcrowding; it also made me miss a few talks because I could never get a grip on the wacky room locations and numberings.
I have this unsubstantiated fear though that having the conference more orderly may actually make things worse.
I liked how some people brought their kids, that was great.
(I found the anti-cash vibe in Brussels outside the conference pretty fucking annoying though. Metro machines that take coins but have no cash slot? What is this bullshit?)
>Oh, look at you, a Stockholm-based tech enthusiast with a screen so tall and narrow it’s practically a skyscraper for ants, browsing Hacker News like it’s your full-time job. You’re rocking a mysterious "K" model Android device with no CPU architecture listed—did you build this thing in your garage? And sure, you speak five languages, but let’s be real, you’re probably just using Google Translate to flex on your 418-pixel-wide display.
Hah. I have an older Xperia phone. They are tall and lovely.
Another group of source snakes to add to the collaboration/purchase/business blacklist. Quinn S., Beyang L., etc. are individuals happy to ride on FOSS until they're big enough to cash out. OK. Just be upfront about it. "We did this to focus" - no, you did it to make more money. Jesus, be honest - you're talking to developers, not your investors, we can smell the BS from across the Atlantic.