[HN Gopher] Luca App: CCC calls for a moratorium ___________________________________________________________________ Luca App: CCC calls for a moratorium Author : hacka22 Score : 417 points Date : 2021-04-16 11:24 UTC (10 hours ago) (HTM) web link (www.ccc.de) (TXT) w3m dump (www.ccc.de) | [deleted] | ArmandGrillet wrote: | What was wrong with Corona-Warn-App? Looked amazing compared to | TousAntiCovid last year yet I'm learning here that it isn't | improved anymore and I haven't seen ads for it anywhere. The | differences between German states and the way news are | communicated is so complicated, and it's been more than a year | that it's like that now. | | As a French citizen living in Germany I can get vaccinated if I | go back to France soon (the French state literally sent me an | email to tell me that as they know I'm living in a foreign | country), meanwhile I keep on reading that some German states are | trying to get more vaccines than the others (e.g. Sputnik in | Bavaria) and I cannot get a free PCR in a state where I do not | live. Why having such friendly fire in your own country, | especially when my health insurance works at the national level? | perlgeek wrote: | Nothing really. | | Luca app just had more hype/better marketing. | step21 wrote: | It is still improved. The actually also want to add this kind | of check-in (almost done) but it might be blocked by | apple/google as the terms of use of the contact tracing API | forbids use of additional data. | foepys wrote: | As far as I know CWA will save it on the device and thus | comply with all requirements for contact tracing apps. | majkinetor wrote: | This is amazing. | | There should be hacker clubs in each country double checking all | suspicious public procurements. | jnxx wrote: | CCC in Germany does really fantastic work and they are well | recognized in the public. And they have some friends. Years | ago, the club was moving from Berlin to Hamburg, I think. 
They | had an ongoing dispute whether they are, tax-wise, recognized | as a charitable, non-profit entity (many associations in | Germany are recognizes as non-profits, but for some that are | politically inconvenient, such as the Deutsche Umwelthilfe | (DUH) [1], the tax administration as well as politicians are | trying to dispute their tax exemption). | | Then they got a mailing where somebody mailed them an entire | collection of correspondence between the tax administration and | other government bodies which was apparently intended to be | sent to the Hamburg tax administration. It detailed how they | were trying to actively put obstacles to financing the CCC's | work. Apparently, that mailing went accidentally to CCC, which | was not the intended address.... | | [1] | https://en.wikipedia.org/wiki/Environmental_Action_Germany#P... | hutzlibu wrote: | Do you have a link of the email correspondence? | motohagiography wrote: | The CCC is a mature organization and culture, there would be | some clear challenges to bootstraping something similar | elsewhere that wouldn't be quickly infiltrated and co-opted the | way that civil liberties, environmental, and other activist | organizations have. CCC (and defcon) appeared to work because | they operated in a similar grey-area of risk and competence as | a motorcycle club. | | I've been pitching around the idea to use hackerone as a | framework but restricted to local college and university | programs to do bug finding in provincial/municipal public | service delivery systems as a way to create a pipeline of | competent public service talent, develop real civic engagement, | and create the incentives within govt to build less appallingly | shitty systems. | | The main challenge with that is it requires a total rethinking | of what government is, which is already happening organically | as dev/eng people and culture builds more generational | influence in govt beyond being just "IT," but that's a longer | term vision. 
GenX doesn't code and they're still 10-15 years | from retirement, but internet generation people are slowly | taking the management reins. | | Near term, absolutely hack your region's contact tracing apps, | and if you want to really affect change, use technology and | data to create and test hypothesis' to find corruption. It's | going to be unpopular and even make you a target, but if you | want to summarize what the cyberpunk aspect of hacker culture | was, a lot of it was based on the hypothesis of there being a | corrupt conspiracy running infrastructure of The System, and by | learning its secrets you could become somehow more safe from | it, or expose it. | [deleted] | lampe3 wrote: | I'm part of the CCC in Hamburg | | We will move to stockholm and I'm thinking of creating one :) | Zolomon wrote: | I would join in a heartbeat! | Tistron wrote: | Check out https://www.blivande.com/ Burners, artists and (I | think) hackers doing stuff together in Stockholm. (I'm not in | sthlm but part of the Scandinavian burning scene) | lampe3 wrote: | Looks amazing! I will | ben0x539 wrote: | What does burner mean here? | jtdev wrote: | Do you know if CCC supports regional chapters? | tazjin wrote: | Yes, they're called Erfa-Kreise: | https://www.ccc.de/en/club/erfas | | They're all in German-speaking countries. | martin_a wrote: | In Germany there are various "local subsidiaries", mainly | in or around larger cities. They are also often somewhat | tied/connected with local hackerspaces and whatnot. | tazjin wrote: | Good luck. In countries like Germany or Norway there is a | culture of hacker organisations sustaining themselves | financially via their members. | | This culture doesn't exist in Sweden, and the spaces and | organisations that aren't subsidised by government funds or | universities all disappear after a few years. 
| | (Source: Lived in all three countries, was active in such | organisations in all three countries) | zibzab wrote: | Oh, there are tons of hackerspaces in Sweden. Its just that | they are either tied to universities, startup clusters or | for kids. | | I guess you were simply not in contact with the right | people. | teddyh wrote: | > _Its just that they are either tied to universities, | startup clusters or for kids._ | | ...or lacking members. _He wrote, glancing around the | empty room_ | ValentineC wrote: | Because of COVID? | teddyh wrote: | Currently, I suppose, but no; it's been "active" since | about 2010. | tazjin wrote: | You're saying exactly the same thing as me: There are | very few independent hacker spaces (in most cities, | none), unlike in Germany and Norway where that is the | norm. | 271828182846 wrote: | CCC isn't a hacker space as I understand the term. CCC is | a club of security experts. hacker spaces are communal | spaces where you can tinker with peers using provided | tools. | jan_Inkepa wrote: | In Germany the CCC has a lot of physical clubs where | people hang out. They have some specialised equipment, | but are from my limited experience more social spaces for | cohacking, giving talks, etc. There's also the chaos | communication congress, with is a big hacker | festival/conference (by the same group of people), run by | I think the same org, and I've never fully understood how | one navigates the identical acronyms... | pantalaimon wrote: | Chaos Computer Club also means there are actual physical | club rooms where members can meet. | shezi wrote: | The CCC is both. It's a club of computer- and technology- | interested d people. Most cities have some rented space | that doubles as a hacker and tinker space. It really | depends on the members in each city what the specific | location looks like. | | That there is also a branch of very public security | experts is... Incidental, I'd say. 
| catdog wrote: | > CCC is a club of security experts | | No. It happens that a lot of members are security experts | but it is far far broader than that. | | The CCC is a very decentralized organization. A lot of | hacker spaces are in fact operated by local subdivisions | or are completely independent organizations but with a | lot of overlap in membership. | | In general the CCC likes define itself more by those who | share its values and less by the legal entity with that | name. | step21 wrote: | Neither is right. CCC also has security experts as | members, which sometimes comment publicly. In general | however, it is the parent organization for local hacker | spaces (though it is possible to be member on only local | or only CCC level). And many local spaces are also called | ccc-xy. Wnd their interests. | elliekelly wrote: | Maybe this is a naive question since I've never been | involved in a hacker/computer club but why is a dedicated | space required? Does the club usually purchase | hardware/equipment that needs to be stored? I suppose I | always assumed the members brought their own equipment to | meetings. | | You know, the more I think about it, I'm not really sure | I have any idea what a computer club actually _is_ and | does... | pantalaimon wrote: | It's a space to hang out and meet people, where you can | talk about and tinker with technology. | | Only socializing online is just not the same. | motge wrote: | It's a good question and not easy to answer in general as | there a lot of different types of hackerspaces. | | Some hackerspaces are more a kind of makerspace and | provide expensive, large or complicated hardware like | industrial laser cutters, 3D printers, embroidery | machines and (electronics) workshops with soldering | irons, electronic parts etc. | | Other hackerspaces are focusing more on the social side | and offer a space to hang out, meet and discuss with | beverages (I guess mostly mate and beer). 
There can be | talks, workshops or competitions (like CTFs) and so on. | | Also providing services to the public, like repair cafes | and holiday programs for kids can be a way to further | engage in society to share technical knowledge. | | hackerspaces.org has also extensive explanations on | theory of hackerspaces: | https://wiki.hackerspaces.org/Theory | [deleted] | birktj wrote: | As a Norwegian I would love some pointers to the Norwegian | hacker spaces. I am vaguely familiar with some, but it | would be nice with some more info. | tazjin wrote: | I'm mostly familiar with the Oslo scene, which has | Hackeriet[0] (of which I'm still a member) with more of a | CCC-style crowd and Bitraf[1] which has a lot of physical | equipment for "makers" and has a much larger space. | Hackeriet's IRC channel is also quite nice (though | usually in Norwegian and/or svorsk). | | There's a few other organisations, notably | Teknologihuset[2] which has some communities organising | regular events and NUUG[3] which doesn't have a physical | space but moves around and is generally a good community | to get in contact with. | | Note that NUUG have members all throughout Norway, and | also an active (Norwegian) IRC channel, which may be a | good place to ask about other towns as my knowledge of | those is either outdated or non-existing! | | Ses pa IRC! :) | | [0]: https://hackeriet.no [1]: https://bitraf.no/ [2]: | https://www.teknologihuset.no/ [3]: https://nuug.no | ValentineC wrote: | Have you tried the Hackerspaces wiki? | https://wiki.hackerspaces.org/Norway | ChrisMarshallNY wrote: | I love what I hear about them. Germany has a basic culture that | is quite conducive to this kind of thing. | | The only thing I wish, is that it was called "KAOS Computer | Club," and that they have a picture of Bernie Kopell in their | entryway. | | http://classicshowbiz.blogspot.com/2016/07/an-interview-with... | jtdev wrote: | Is there a U.S. 
based Chaos Computer Club (CCC) or CCC like | group? | lupire wrote: | There's defcon, but it's more of annual conference than an | ongoing group that works together. | lozaning wrote: | There's also the local DC chapters, http://dc612.org/ has | been going strong up in Minneapolis for years. | jnxx wrote: | I think what comes closest is the Electronic Frontier | Foundation: https://www.eff.org/ | Forbo wrote: | There's places like Noisebridge (which was an absolute pleasure | to visit and experience) or regional DEF CON groups. | | As mentioned by others, the EFF's Electronic Frontier Alliance | tries to act as a regional group for these types of things, but | in my experience it's pretty dead (at least the Utah group has | been completely unresponsive). | black_puppydog wrote: | My understanding _as an outsider who has never been to the US_ | is that the US hacker scene is quite different. | | One notable difference is a much closer connection to e.g. | intelligence services. | | On the other hand, the relationship to democratic processes, as | well as the stance on state/federal involvement in IT problem | spaces, seems to differ between Germany and the US. | | Again: I'm an outsider and would actually like to hear from | others how they see this. | pizzapill wrote: | > One notable difference is a much closer connection to e.g. | intelligence services. | | Some CCC hackers had a pretty good relationship with the | Russian KGB. They got information about a wide range of US | military secrets including details about the Space Defense | Initiative (SDI). They were so successful that they wound up | dead and a movie was made about them. Since then the CCC has | to be heavily infiltrated by all kinds of Intelligence | Services. | black_puppydog wrote: | At least the CCC of today is actually much more loosely | knit that what your comment implies. Much of the work being | done to dismantle e.g. 
election counting systems, the covid | apps etc comes from various corners of that community. | | Infiltrating the CCC would be akin to infiltrating Antifa. | Sure, you can get close to _a_ group and learn their | secrets, but you can 't get close to the center of it | because it has none. | GekkePrutser wrote: | Yes the Cuckoo's Egg by Clifford Stoll recounts this story | well. | | However since then the CCC has been very honourable and I | have nothing but respect for them. | pantalaimon wrote: | > Since then the CCC has to be heavily infiltrated by all | kinds of Intelligence Services. | | I think this more served as a cautionary tale to not get | involved with this kind of agencies at all. | pizzapill wrote: | I think the CCC has a strong ethos to not work for such | agencies but I'm sure many members do it, either because | they are agents or because of other incentives. | motge wrote: | There is no chapter of the CCC in the U.S. (yet?). While there | is no head-organization (as far as I know), there are similar | hackerspaces all around the U.S. (and the globe), e.g. see map | on hackerspaces.org: | https://wiki.hackerspaces.org/List_of_Hacker_Spaces | ThePhysicist wrote: | The Luca app really is a complete train wreck. And what's worse | is that the federal governments don't even have any direct | control over the app itself, they just bought access to the | contact tracing data for 12 months from the company operating the | app. Meanwhile the company controls the app and all connected | user accounts and can repurpose it in whichever way they see fit | (and they already announced they have plans for the app beyond | the pandemic). | | It's absolutely mind-boggling to me how our government(s) can get | the idea to "rent" contact tracing data from a private company | like this, it just reeks of corruption. 
I wasn't a big fan of the | Covid tracing app in the beginning, but in retrospect the concept | of that app seems miles ahead of the current situation with the | Luca app. | wildmanx wrote: | > I wasn't a big fan of the Covid tracing app in the beginning | | Let this be a lesson. If you get something good and still keep | complaining and complaining, then what you get in the end is | something bad. | catdog wrote: | > I wasn't a big fan of the Covid tracing app in the beginning, | but in retrospect the concept of that app seems miles ahead of | the current situation with the Luca app. | | I think the concept behind is really solid and a great example | for what is possible w/o invading privacy. The only problem is | that development got very very slow after the initial release | and a lot of potential was wasted. E.g. adding some kind of | check in feature was already discussed mid last year but it | took them until now to pick that idea up. | tgragnato wrote: | I only have positive things to say about our contact tracing | application. | | It's open source https://github.com/immuni-app. | | It's simple: contact tracing only, easy for non technical | people. | | And has minimal tracking (I only see a periodic ping to | get.immuni.gov.it) | seesawtron wrote: | Is this one of the many examples of German government wasting | taxpayer's money? | simfoo wrote: | Yes. This is what you get when incompetent officials jump on | any offered solution that promises to make their awful track | record of "digitalization" projects look better. Of course | without listening to actual experts and instead looking for | buzzwords. 
| dathinab wrote: | The absurd thing is like CCC mentioned the german covid app | (state payed, kinda decentralized, _very privacy respecting_ | contact tracing app) does not only potentially cover some of | the cases (if people are close to each other and the phone | can detect it using Bluetooth tokens) but also seem to be | getting a feature "to handle meetings" in a privacy friendly | way. | pantalaimon wrote: | Exhibit B: Ubirch and their 5 Blockchains | | https://www.heise.de/news/Digitaler-Corona-Impfpass-IBM- | Ubir... | thinkberg wrote: | An issue with the reporting is that the ubirch standard | solution is confused all the time with the actual project. | Especially since it is mostly guessing, not knowledge of | the actual technology behind it. | pantalaimon wrote: | Yes. | | Especially since there is already a government funded app | (whose developers also make a much more competent impression) | which is scheduled to receive similar functionality as the Luca | app with the next update. | black_puppydog wrote: | And which doesn't have to plan for a business model post- | pandemic. | lampe3 wrote: | It does not need to. Its open source and funded by the | government | | Its not run by a private company which only thinks about | money. | weird-eye-issue wrote: | That was probably his point already | martin_a wrote: | May I present to you that the government spend over 430 million | Euro for external consultants in the last year? | | That's just a raise of about 46% in comparison to 2019... | lampe3 wrote: | yes and its super easy to just create random valid qr codes: | https://wolf128058.gitlab.io/schmudo2go/ | | also they don't have any rate limit on the sms service... | | so anybody can build a loop and call the sms endpoint... 
| | More fails: | | - https://github.com/mame82/misc/blob/master/luca_traceIds.md | | - https://lucatrack.de/ | | - development private and public key in the repo ( not harmful | but a bad sign) | | - more that i forgot | read_if_gay_ wrote: | What do these QR codes do? | lampe3 wrote: | These qr codes should only valid after you verified that | you are an real person. | | So the health department could call you. | | This was done by SMS but the verification of an account | does not check against that SMS verification but its just a | simple else/if on the client. | sReinwald wrote: | The QR codes let you "check in" at venues that use Luca to | make contact tracing possible. | timdaub wrote: | Haha I'm waiting for Smudo's disstrack! | lampe3 wrote: | There are enough diss tracks and mentions of fanta4 in german | hip hop | | I always found them whack... | timdaub wrote: | jein | lampe3 wrote: | I was in Hamburg,Germany in the 2000's and listen to stuff | like samy deluxe and beginner ect ect. | | Almost all of my friends did not consider fanta 4 to be rap | music but rather pop music :) | fidesomnes wrote: | A hacker club condemning government software contracts is pretty | hilarious and irreverent. | fock wrote: | worst thing is, my university seemingly developed something | similar (which has been used for exams for half a year now) | already: https://qroniton.eu/ | | But I guess kickbacks for using something created by state | employees are not as good as for something new from a private | enterprise (with blockchain! - they silently removed it, when the | CCC called that out and now the CEO claims: "we've never used | blockchain"). | renewiltord wrote: | Yeah, I knew this shit was gonna happen. I installed literally | zero of these apps. | wccrawford wrote: | I like the idea of these apps, but none of them were advertised | enough near me to think that others would be using them, so | they were all pointless. 
| | And of course, they were rushed out the door, so they'd | probably have quite a few problems. | GekkePrutser wrote: | Wow this is bad, I'm sorry to hear it's already mandatory in one | German state. | | I'm really surprised Germany is playing so loose and fast with | privacy as they're known to be one of the countries with the | strictest privacy laws around. | | By the way how does this work being mandatory with people that | don't own a smartphone?? | glitchcrab wrote: | It stated in the article that you can purchase a fob which can | be used in place of the smartphone app. | read_if_gay_ wrote: | > I'm really surprised Germany is playing so loose and fast | with privacy | | You're surprised because you're expecting politicians to have | consistent principles, but it's just about what's convenient | right now. This is an inherent issue with having elections | every couple of years. | leipert wrote: | Source code for the app can be found here: | https://gitlab.com/lucaapp | perlgeek wrote: | ... though in the past many developers have complained that the | source code didn't seem to be the one from which the app on the | appstore was built and/or it was quite out of date. | KingOfCoders wrote: | Germany paid 20M+ for this already, without owning anything | (code, data, ...). | ndom91 wrote: | What's the difference between this Luca app and the "official" | German covid tracing app (Corona-Warn)? Or are they the same | thing? | perlgeek wrote: | The official app stores all its data decentralized, only | cryptographic hashes are stored centrally that each device then | can check locally for potential risks. | | In the Luca app, the user's location data is stored centrally, | and the states can then purchase a license to access data of | potentially risky contacts. | | (BTW the public health offices are notoriously overworked | during the pandemic, so it's not clear to me if they'd even | manage to _do_ anything with this data). 
| catdog wrote: | > (BTW the public health offices are notoriously overworked | during the pandemic, so it's not clear to me if they'd even | manage to do anything with this data). | | Anecdotally most of them are completely overwhelmed because | of the currently fairly high case numbers and effective | contact tracing does not really happen anymore. Also they | mostly live in the technological stone age so they have a | hard time scaling it up [1]. | | [1] https://www.dw.com/en/german-health-care-tackling-covid- | with... | pantalaimon wrote: | Luca app is made by a private company and stores personal data | on a central server. | | The official Corona Warn App uses the Exposure Notification | Framework and does not share any personal data. | qwertox wrote: | This is a privacy issue, in the country which thinks so highly of | the GDPR. So it's not something which they should be able to | sweep under the rug as if nothing happened. As the article | explains, the issue is far bigger than just vulnerabilities, it's | about how politics supported this app. | | If this would be some other thing, like the implementation of a | video surveillance system in the political center of Berlin, or | any other important place, they would have taken care to at least | adhere to the basics in how to give whom the job to do this, how | it will be licensed/owned, how it will be run, what happens with | the data. A thorough check of the company would have been made. | | But in this case? It's a small startup with no expertise | whatsoever in data protection, expecting the silliest terms and | conditions, and the politicians are just glad to throw the money | at them, and even expecting citizens to install this app if they | want to take part in public life. 
| | This is as crazy as it gets and shows how incapable they are of | controlling this pandemic, even how little they care to seriously | work on it, and I wonder how much this represents what they have | been doing over the last decade in general. | | I was glad to install the Corona-Warn-App and am a bit sad that | there are so few people using it, but it was implemented | correctly. Not only from a technical point of view. | | But should any of these apps become a requirement to participate | in public life, I'd take it as far as going to jail for not | installing or uninstalling it. | catdog wrote: | > This is as crazy as it gets and shows how incapable they are | of controlling this pandemic, even how little they care to | seriously work on it, and I wonder how much this represents | what they have been doing over the last decade in general. | | Fully agree, the whole "Merkel era" was an era of political | stagnation. The pandemic relentlessly uncovered that. | | But now we've reached a new low, German politicians seem | completely unwilling to fight the pandemic anymore despite a 3. | wave caused by the B.1.1.7 variant building up rapidly. It's | crazy times, the luca app disaster is just one manifestation of | it. | wyck wrote: | There is so much incompetency in governmental IT/software | decisions and software it's actually sad. | | Is it a product of smart people simply not working in this sector | or corruption?. It seems from the outside to be filled with | imbeciles masquerading as administrators. | | We need to somehow make the government way more accountable, if | only there was an organization that could do that, we could call | it the media. | andrew_v4 wrote: | It's actually "accountability" that's a big part of the | problem. | | Government procurement is so focused on the appearance of | fairness and money saving that all other goals, like actually | getting something that works, take a back seat. 
| | You end up with over-specified requirements that remove the | possibility of innovative or creative solutions. Providers are | treated like a commodity, where it is assumed that all will do | the same job, and cost is the only real negotiation point, | maybe with some kind of scoring grid against the over-specified | requirements thrown in. | | And the procurement decisions are made by procurement officers | who are not the actual users of what is being bought (in the | name of objectivity). | | So what happens, on a good day, is that the operational users | in the purchasing department work with the preferred vendor to | "wire" the RFP to reflect the scope or work that is wanted and | add requirements (e.g. years of very specific experience, past | projects) that heavily favor the preferred vendor. At least | this way the department may get something they want, thought it | obviously can be gamed. Worse though is that many contracts | just go to lowest cost staffing firms that are optimized to | comply with government procurement requirements and provide the | minimum set of bodies that meet those requirements, usually | former government folks rented back, plus some low cost IT | resources, that are there to execute to the letter of what the | government has over-specified, usually something that wont | actually work as written. | | This is why so much government procurement is a failure by any | objective measure. What I have seen work is when a vendor | provides a credible unsolicited pitch to a known problem at a | fixed cost, and the relevant departments are forced to decide | if it makes sense. | | In Canada we had a major one like that a few years ago, the | outcome was great for the department that needed it, but | careers were destroyed in the process as politicians and their | incumbent friends pushed back to try and stop it. 
| jjk166 wrote: | This is the best explanation for the phenomenon I've ever | heard, thank you | BadInformatics wrote: | Name and shame: | https://www.cbc.ca/news/canada/ottawa/phoenix- | costs-137-mill... | briffle wrote: | > Government procurement is so focused on the appearance of | fairness and money saving that all other goals, like actually | getting something that works, take a back seat. | | I worked at a small 2 year college for many years. One time, | my Dean I reported to was on vacation, so I had to go talk to | the college president, and get him to sign a form for a $7 | petty cash reimbursement for some zip ties I had bought to | clean up some cabling. | | One year, our President had to travel to the capital city | (about 250 miles away, over the mountains) almost every other | week for some budget discussions with other colleges, | legislators, etc. We could have saved the taxpayers THOUSANDS | of dollars by renting a modest house to use for him (and some | of the other staff members that regularly traveled to the | capital). But that "might" look like we were providing them | with a second home, so we spent thousands more on hotels. | crazygringo wrote: | This is exactly it. | | And to be clear, there's a good reason for it: it's to | prevent corruption. | | If things aren't overspecified and providers aren't treated | like a commodity, then it's incredibly hard to prove that a | government official actually awarded a contract in a fair | process, rather than just sending it over to their best | friend's business. | | Unfortunately, nobody's really come up with any reliable | process for having the flexibility to get good products for | good value, while reliably preventing corruption. And when | there aren't these ironclad protections against corruption, | experience shows it turns endemic, _so_ much money flows | through the government. | | It's a seriously tough problem. 
| | The reason it doesn't exist in the private sector is that the | chain of accountability from managers to CEO to board seats | is actually quite strong, and shareholders are incredibly | motivated to extract profits. The accountability to voters in | a democracy, on the otherhand, is far, far, far weaker -- as | voters vote primarily along party lines or on only the | absolute biggest hot-button issues. | BadInformatics wrote: | I'm skeptical it's even good at that intended purpose. | Perhaps one could argue it prevents blatant, direct | corruption, but it does little to control for large company | influence and other forms of soft power. | | The biggest companies in this space maintain an active | revolving door, which ensures that procurement policy is | moulded (either consciously or unconsciously) to their | process and needs over time. Even more insidiously, they've | convinced governments to gut their own IT workforce, | removing the people most qualified to critically analyze | software vendors. This appeals to your average bureaucrat | because it appears to strike a good balance between effort | and risk minimization (e.g. why bother managing multiple | smaller vendors or timelines?), while in practice it does | exactly the opposite. | xwolfi wrote: | In France, the tiny company I was in lost a lot of gov | contracts to our absolute surprise since we felt we actually | had a better solution for the price. | | What we did to start winning was to make friends with the | people judging us, offering free services making them | personally look good until we started having such relations | with them they d ask us out to frame the contracts and give | them to us whatever our competitors would come up with. | | It's impossible to take decisions based on surprise proposals | in a public tender and it felt it was an open secret that | tenders' winners MUST be decided before publication. | metanonsense wrote: | Last week we lost a bid for a government contract. 
| That's nothing unusual, but I almost laughed when they described how they reached that conclusion. They weighted price against quality at a ratio of 80 to 20. I mean: really?
| g_p wrote:
| This is fairly standard, sadly, and is why Government struggles to deliver, especially on IT and similar "intangibles" type contracts.
|
| The same issues happen in any other procurement activity that is required to rigorously follow a specific process due to spending public money, or bill-payer money of a regulated monopoly etc.
|
| In short, you need large numbers of people involved to avoid "corruption" (irrespective of the actual level of such risk), and this means you end up less flexible and less able to buy what's needed. Weighting price by 80% is common, as nobody wants to be seen to deliver "poor value for money to the tax-payer". Hence the cheapest bid almost always wins, as nobody wants to have to stand up and explain why they didn't pick the cheapest bid.
|
| There's a whole separate issue in how to handle "too cheap" bids (i.e. where you under-bid on the initial work, knowing you can get technical lock-in and be able to win future contracts uncontested, and turn those lucrative), but this is still an issue - see how the large outsourcers or consultancies do this regularly, and end up winning renewals on the basis of "necessity".
|
| There's an art to writing a winning (cheap) tender, then staffing it with people who rigorously enforce the scope back onto the Government client, and force every single change through an expensive change process. That's the business model many follow, and it delivers far poorer value for money in the long run. But the headline price was cheaper, so they'll still get selected...
| varispeed wrote:
| > There is so much incompetency in governmental IT/software decisions and software it's actually sad.
|
| Most likely because a company with the lowest bid wins, or a company that has connections with government, so they get selected based on friendships rather than competence. Then such a company typically sends the least experienced developers working for a pittance, and they hope the project will last long enough that it gets scrapped before it gets completed, so they will not be held accountable for anything.
| dukeofdoom wrote:
| Politicians operate by building support and making money for their backers. If you are too efficient, and leave no crumbs, you will quickly lose support. Being a messy eater will get you much further. If you piss off enough tech billionaires, look no further than the last election to see what happens.
| virbtb wrote:
| I have interacted with a level of the US DoD that is far removed from actual politicians. The situation there is closer to what others described: a pervasive, penny-wise and pound-foolish fear of being seen to spend money. It really affects everything: an entire professional workforce hired at well below market salary, wasted man-hours due to restrictions on equipment purchases, frequent reorgs to shuffle budgets around, etc. If this is anything like that, I bet they gave this to the cheapest bidder without consideration of much else.
| salawat wrote:
| I turned down a contracting opportunity that would have been exceedingly lucrative for me because the contractor wanted me to take liberties with what I've done, all in the name of greasing RFPs for government procurement.
|
| Was initially stoked and honored to be considered, but the longer I thought about it, the more uncomfortable and heavy the thought of how it all worked started to sour me to the entire idea.
|
| Never realized how pervasive the whole practice was till then. Thought it was a rumor or story... Turns out...
| Swizec wrote:
| Government IT: pays government salaries
|
| Private sector: pays more than lawyers and surgeons even if you never graduated college
|
| Gee, I wonder where smart ambitious people will go
| bierjunge wrote:
| Exactly. I dropped out of university, so I can't be hired by any German agency/office, because a degree is a hard requirement. But I can work for them as a consultant asking for more than two to three times the money...
|
| The salary is a joke; I've made their base salary, which requires at least a bachelor's degree, as a part-time working student in the private sector.
|
| There is only one reason to work for the government in Germany and it's called "Verbeamtung" (a legal state where you are not employed, but appointed for government service; it's almost impossible to get fired and you pay little to no taxes, etc.), but the whole office politics and long decision-making channels are awful (source: me working for a company owned by the local government years ago).
| nkmnz wrote:
| Agree with everything, except for the point about taxes. Income tax for employees, state officials ("Beamte") and self-employed people in Germany is exactly the same regarding the tax rates. The difference is social insurance, especially pensions and health insurance.
| dathinab wrote:
| And pensions, and health insurance: state officials (Beamte) get a (not small) part of the health insurance paid by the state (at least that was the case in many state official jobs until recently).
|
| When you get old and had a not super high paying job, this can _easily_ be as if you had gotten 50%-100% more salary!! At the same time they (state officials) complain they get too little. It's completely stupid. AND at the same time non-"Beamte" state officials do not get any such benefits, nor especially good pensions or reasonable pay or absurd employment protections(1) or even a proper working contract...
|
| (1): If you are a "ver_beamte_ter" state official it's close to impossible to get fired as long as you don't, idk, commit some severe crime (and a few other special cases). So you are not getting any work done because you don't care about anyone? No problem, keep your job. You mess up all your work? OK, you still have a job. Your working morale degraded to a degree that you are basically unemployable _and still you have a full paycheck every month and keep your job_. Though besides severe crimes there are a few things which can cost you your job, they are easy to avoid.
|
| Anyway, this doesn't mean there are not honest, proper employees in such positions; it's just very hard for them to keep their motivation.
| nkmnz wrote:
| To be fair: German employee protection is so strong, it's almost impossible for anyone to get fired from any company bigger than 10 employees for reasons other than committing crimes or felonies, as long as the company cannot prove that they have to let people go due to bad overall business. Even then, as an employer, you cannot simply fire the underachievers, but you have to negotiate with the works council to be able to keep the youngest, highest performers, because they have the least protection and have to be fired first...
| polypodiopsi wrote:
| Which is exactly how it should be, no? Or do you favour kicking someone in their 50s out who has worked at the place for the last 20 years and will have a super hard time finding another job no matter how hard they try, so that their only option is being unemployed and relying on social security?
| nkmnz wrote:
| First, employers should be able to keep employees based on merit, not on arbitrary measures neither the employer nor the employee can change (sex, gender, age, ...). If a company is already in trouble, having to let go of talent will hurt them even more.
| It's so hard (and expensive) to let people go in Germany that it's almost always the last cry for help to get more subsidies or shut down for good. The 50 year old won't have any guarantee to keep that job for much longer like that... Second, the reasoning holds also for an overperforming 50 year old employee who's recently been hired vs. a 35 year old that started vocational training 19 years prior - no chance for the newbie to stay. What's your opinion on this? Third, the job market for people with experience is very good in Germany. There are indefinite ways to learn new skills and redevelop your career, mostly sponsored by the taxpayer. At age 50, a lot of people start their second or third career. I don't trust the narrative that old people are doomed if they lose their job compared to a 28 year old with two kids and a husband that's doing his PhD on a shitty part time salary.
| themulticaster wrote:
| On the other hand, employers often work around the restrictions on termination by employing people on a fixed-term employment contract ("befristeter Arbeitsvertrag") and then extending the employment period again and again [1]. In many sectors it is pretty much impossible to get an indefinite contract.
|
| [1] Although there is a regular limit of two years, i.e. if you continue working after two years the employment contract will be considered indefinite. (Obligatory IANAL)
| nkmnz wrote:
| Funny thing - the only entity allowed to make "Kettenbefristung" (chaining fixed-term contracts) indefinite is... ... the government!
| dathinab wrote:
| "Verbeamtung" which you basically won't have any chance of getting in most German states in an IT related job even if you literally save their ass.
|
| The only way to make money there is by having a position where you can make decisions and then twist requirements for "external tasks" so that "your" company has a good chance to get it.
| Worse, if you don't twist requirements the job is still most likely going to a partially incompetent scam company due to how stupid the whole process is...
| whimsicalism wrote:
| People always wonder why our government often sucks so hard at implementing stuff.
|
| Easy solution:
|
| 1. Pay fewer people more money
| 2. Reinstitute civil service exams
|
| I guess this is politically impossible?
| tetha wrote:
| Additionally, well, the BKA, similar to the FBI, looks for security experts. However, since they would be employed by the BKA, they have to go through mandatory physical exams and drug tests. That's just dumb. I'd be able and interested to do that work, but I'm medically unable and not allowed to do that test. So that's that topic done. Can't do security due to asthma.
| Krasnol wrote:
| I know one even worse: health IT.
|
| The prices for crappy software/hardware solutions are mind boggling. I guess this is how it is if you just can afford it.
| vbsteven wrote:
| Don't forget that pretty much all software that touches medical data will have to go through various approval and regulatory processes. Which sometimes take up even more time than actually writing the software. Hence high costs in this industry.
| m463 wrote:
| If you were a top computer person (software, security, IT, etc)... emphasis on _top_... would you want to work for a government? Would they value you?
| foepys wrote:
| Weirdly enough, the Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany's cyber security authority, is actually very good and has very competent security experts. I bet the officials never consulted them about Luca.
| g_p wrote:
| I've seen authorities like this "not consulted" deliberately, on the basis that there's a more expedient need for the product than for the product to be secure.
|
| If the experience of the procuring department is that "BSI finds everything is insecure", then you procure without letting BSI know or have a say in it, and then you look good for getting the procurement completed.
|
| Getting cross-department cooperation on anything complex tends to be the exception rather than the rule - it's much easier for everyone to make the same (avoidable) mistakes over and over again, apparently, than it is to accept the process doesn't work and fix it.
|
| "Intangible" non-functional requirements are simply something that doesn't translate well into the procurement world, and are the first thing dropped to try and lower the "headline price". Being secure enough to get past BSI is a cost that your competitor likely won't be factoring in.
| themulticaster wrote:
| > If the experience of the procuring department is that "BSI finds everything is insecure", then you procure without letting BSI know or have a say in it, and then you look good for getting the procurement completed.
|
| Sounds plausible. Especially looking at years of (German) data protection officials recommending against using Windows 10/Office 365 in government agencies, followed by officials explaining that only Microsoft's products are able to fulfill their "extremely complicated requirements".
|
| I'm not entirely convinced that only Windows 10 has the necessary features for registering a vehicle title...
| 908B64B197 wrote:
| > Is it a product of smart people simply not working in this sector or corruption?
|
| Depends on the country/jurisdiction.
|
| This reminds me of a story: a college career fair is held in January. Government is there and takes resumes. Candidates start getting callbacks for government positions in late April.
|
| Do I even have to explain that those still available in late April for the summer maybe were not... the sharpest tools in the shed?
| stinkytaco wrote:
| At least in the US, some of it is the vagaries of government acquisitions. The requisition process is one that works fairly well for services and products that are established and largely interchangeable, but is more difficult for something that's either emerging or complex. So it's fairly straightforward to say "I require a piece of construction equipment that does something" and then go view a few off-the-shelf options and pick the best price. But for software and services, especially things that don't exist, the existing requisition process doesn't work well. You're required to plan very far ahead in a market that moves quickly. By the time you get to bids, the requirements have likely changed, but it might be too late to go back and change the requisition without going through an approval process again. It also requires you to boil down a process into a series of atomized pieces that can be scored so you've got a clear paper-trail of the acquisitions process.
|
| It's a system that benefits vendors that can manage the red tape that's there to prevent corruption.
| s_dev wrote:
| Ireland has a Covid19 tracker app that can easily integrate with other EU covid apps. NearForm, the developer, sells a branded version for a million.
|
| It's also open source with a generous licence.
|
| Why didn't Germany use that? Corruption.
| detaro wrote:
| The equivalent app to that in Germany launched a month earlier than Ireland's, is also open-source and integrated with other countries' (like Ireland's), and is not the app talked about here.
| cameronperot wrote:
| Related discussion from a few weeks ago about the mentioned licensing issue:
|
| https://news.ycombinator.com/item?id=26644053
___________________________________________________________________
(page generated 2021-04-16 22:00 UTC)