[1] https://flashism.wordpress.com/2010/03/09/swedish-armed-forc...
P.S.: And strangers will sometimes help you find vulnerabilities (and sometimes be very obnoxious but that's not open source's fault).
Government / handles society-critical things code should really be public unless there are _really_ good reasons for it not to be, where those reasons are never "we're just not very good at what we're doing and we don't want anyone to find out".
Who will take responsibility and get fired and lose all pension etc.? Oh wait no one.
Well the citizens need to suck it up.
Edit, I checked the facts: The Bulgarian government said that it would be paying too much to itself, and appealed the fine for a few years until it somehow expired. And the guy (20 years old at the time) they accused was later acquitted, after they had tried to ruin his life.
It's very hard to steal everyone's documents when they weigh about the same as a train.
Wouldn't a fire or flood affect everything? Both data stored on paper and hard disks?
Several government organisations / regional authorities and companies were down. Last I heard several medical journals for whole municipalities were just destroyed.
Unfortunately, the public tender process encourages awarding contracts to these giants that repeatedly fail to deliver on even basic opsec, still believe in security-by-obscurity, are suspicious of things like zero-trust, and follow outdated engineering practices. Sigh.
The tender process + clueless buyers + tender process law(s) cause this. Whole process needs a revamp for this to not be a problem.
So what do you think the solution would be? From what I see (public tender or not), I would claim that "any large IT project/company will suffer from security issues", so I'm not sure what the added value is in singling out a process (the tender) or a region (Europe) if there is no obvious alternative.
You have to have people who care about this stuff.
If you don't care, the rest does not matter. It does not matter if, when and how you outsource if you don't care about the outcome. You can't just pay someone a salary, nor a consulting bill, check the box and say you've done your part.
And the other way around: These huge consulting conglomerates would get very few jobs if purchasers cared about the details, and not just that all the boxes are checked.
Public money, public code.
[1]: https://www.svt.se/nyheter/inrikes/uppgift-statlig-it-inform...
[2]: https://www.cgi.com/se/sv/news/cybersakerhet/cgi-informerar-...
Accountability now, send these people to prison
robertlagrant•1h ago
> citizen PII databases and electronic signing documents were also collected but are being sold separately
simonklitj•1h ago
blell•1h ago
xorcist•1h ago
And if we are to believe the hacked company, it is a development environment with test data in it. That remains to be seen, but is a risky thing to lie about. If there is production data in the leak, we will surely know about it.
UltraSane•45m ago
lukan•1h ago
dns_snek•53m ago
That's not an excuse though; any system handling data like that should be continuously reviewed and pentested by professionals. Hopefully they can show that this has been done, otherwise it's just negligence.
lukan•42m ago
fc417fc802•37m ago
dijit•57m ago
Being able to validate that a citizen is a citizen and that their ID is valid inherently requires the system to be accessible.
fc417fc802•38m ago
dijit•36m ago
AdamN•1h ago
worldsayshi•1h ago
ACS_Solver•1h ago
worldsayshi•1h ago
https://www.aftonbladet.se/nyheter/a/ArvG0E/cgi-sverige-uppg...
yaris•40m ago
zyberzero•39m ago
jetsetman192•1h ago
ptx•41m ago
nunobrito•27m ago
Because in that case they can sign documents on my behalf without my permission. In a court case, it would be near impossible for me to prove that the government gave my private key to someone else and that it wasn't me signing an incriminating document.