Luca App: CCC calls for a moratorium (ccc.de)
575 points by hacka22 on April 16, 2021 | 163 comments

The Luca app really is a complete train wreck. And what's worse is that the federal governments don't even have any direct control over the app itself, they just bought access to the contact tracing data for 12 months from the company operating the app. Meanwhile the company controls the app and all connected user accounts and can repurpose it in whichever way they see fit (and they already announced they have plans for the app beyond the pandemic).

It's absolutely mind-boggling to me how our government(s) can get the idea to "rent" contact tracing data from a private company like this, it just reeks of corruption. I wasn't a big fan of the Covid tracing app in the beginning, but in retrospect the concept of that app seems miles ahead of the current situation with the Luca app.

> I wasn't a big fan of the Covid tracing app in the beginning, but in retrospect the concept of that app seems miles ahead of the current situation with the Luca app.

I think the concept behind it is really solid and a great example of what is possible w/o invading privacy. The only problem is that development got very, very slow after the initial release and a lot of potential was wasted. E.g. adding some kind of check-in feature was already discussed mid last year, but it took them until now to pick that idea up.

I only have positive things to say about our contact tracing application.

It’s open source https://github.com/immuni-app.

It’s simple: contact tracing only, easy for non technical people.

And has minimal tracking (I only see a periodic ping to get.immuni.gov.it)

Yeah. Too bad nobody downloaded it

Immuni is the official contact tracing app for Italy with 10mm downloads.

Which is not "nobody", but it is not even close to the statistical threshold of "enough use, helps prevent the spread of the disease"

Globally yes, but the thing about contact tracing is that it is inherently local. So getting 1/6th (if we assume most of those downloads are in Italy) of a single country would probably be helpful in preventing spread.

It means 1/36 interactions will be recorded by the app, which is almost certainly not enough to move the needle.

> I wasn't a big fan of the Covid tracing app in the beginning

Let this be a lesson. If you get something good and still keep complaining and complaining, then what you get in the end is something bad.

I don't think this is a lesson, at all.

Yeah, just bow your head down like a good boy.

There is so much incompetency in governmental IT/software decisions and software it's actually sad.

Is it a product of smart people simply not working in this sector, or corruption? It seems from the outside to be filled with imbeciles masquerading as administrators.

We need to somehow make the government way more accountable, if only there was an organization that could do that, we could call it the media.

It's actually "accountability" that's a big part of the problem.

Government procurement is so focused on the appearance of fairness and money saving that all other goals, like actually getting something that works, take a back seat.

You end up with over-specified requirements that remove the possibility of innovative or creative solutions. Providers are treated like a commodity, where it is assumed that all will do the same job, and cost is the only real negotiation point, maybe with some kind of scoring grid against the over-specified requirements thrown in.

And the procurement decisions are made by procurement officers who are not the actual users of what is being bought (in the name of objectivity).

So what happens, on a good day, is that the operational users in the purchasing department work with the preferred vendor to "wire" the RFP to reflect the scope of work that is wanted and add requirements (e.g. years of very specific experience, past projects) that heavily favor the preferred vendor. At least this way the department may get something they want, though it obviously can be gamed. Worse though is that many contracts just go to lowest-cost staffing firms that are optimized to comply with government procurement requirements and provide the minimum set of bodies that meet those requirements, usually former government folks rented back, plus some low-cost IT resources, that are there to execute to the letter of what the government has over-specified, usually something that won't actually work as written.

This is why so much government procurement is a failure by any objective measure. What I have seen work is when a vendor provides a credible unsolicited pitch to a known problem at a fixed cost, and the relevant departments are forced to decide if it makes sense.

In Canada we had a major one like that a few years ago, the outcome was great for the department that needed it, but careers were destroyed in the process as politicians and their incumbent friends pushed back to try and stop it.

This is exactly it.

And to be clear, there's a good reason for it: it's to prevent corruption.

If things aren't overspecified and providers aren't treated like a commodity, then it's incredibly hard to prove that a government official actually awarded a contract in a fair process, rather than just sending it over to their best friend's business.

Unfortunately, nobody's really come up with any reliable process for having the flexibility to get good products for good value, while reliably preventing corruption. And when there aren't these ironclad protections against corruption, experience shows it turns endemic, since so much money flows through the government.

It's a seriously tough problem.

The reason it doesn't exist in the private sector is that the chain of accountability from managers to CEO to board seats is actually quite strong, and shareholders are incredibly motivated to extract profits. The accountability to voters in a democracy, on the other hand, is far, far, far weaker -- as voters vote primarily along party lines or on only the absolute biggest hot-button issues.

I'm skeptical it's even good at that intended purpose. Perhaps one could argue it prevents blatant, direct corruption, but it does little to control for large company influence and other forms of soft power.

The biggest companies in this space maintain an active revolving door, which ensures that procurement policy is moulded (either consciously or unconsciously) to their process and needs over time. Even more insidiously, they've convinced governments to gut their own IT workforce, removing the people most qualified to critically analyze software vendors. This appeals to your average bureaucrat because it appears to strike a good balance between effort and risk minimization (e.g. why bother managing multiple smaller vendors or timelines?), while in practice it does exactly the opposite.

Yeah, I'm not sure if it prevents corruption at all. In my country public tenders are just another word for corruption.

A real example: the police force wanted to get, say, 1000 new squad cars. One of the points in the tender was that the car's trunk has to be exactly that many litres (say 307L, I don't remember the exact number). So of course, only one model of all the cars from all manufacturers had that value, and of course the only dealer who submitted for that tender won it. So it was blatantly obvious that the process was rotten from the start. But it was legal. And they (the government) did it many times. And pretty much they have been doing it for the last 20 years or so. So corruption is not something which you can solve easily; you need a lot of checks and balances to make it work.

You're right in that it absolutely requires either a watchdog agency to ensure tenders are written in a neutral way before being issued, and/or a court system where losing bidders are able to successfully sue as soon as they're issued, on the grounds of the tender not being neutral.

In one country where I previously lived, there was also an "escape clause" where if there was emergency time pressure, you could circumvent the process -- so guess what? The government would "invent delays" in writing up the specifications until the last possible minute, then award the contract without a public tender because there was no time left for the tender process!

So yes, the process absolutely has to be designed with some form of oversight and without loopholes, in order to achieve the aim of preventing corruption.

It's to avoid the very specific form of corruption via kickbacks, essentially -- and if you look at the history of how politicians used to spend money in the US, you'll see that it is actually quite effective at this, and that it was once a gigantic problem -- and continues to be in some countries today.

You're right that it does nothing about other forms of influence like the revolving door.

And like I said, it comes at a tremendous cost of efficiency and quality. It's not trying to strike a balance between corruption and efficiency/quality, it's trying to explicitly minimize corruption at the expense of efficiency/quality.

> And to be clear, there's a good reason for it: it's to prevent corruption.

There’s consensus in this thread that this process reinforces corruption, and is controlled by the corrupt, so preventing corruption isn’t the real reason.

If you want to prevent corruption, hire engineers directly at market rate, and promote / retain them based on their ability to deliver projects.

If you want proof that this approach works, just study history. The US government used to work this way (back when our middle class and economic clout were growing) but corrupt politicians decided to outsource everything to increase the supply of kickbacks.

> There’s consensus in this thread that this process reinforces corruption

There is no such consensus, and the idea that it reinforces corruption is contrary to common sense -- it's self-evident that maximum corruption bypasses specifications and public bidding altogether and just hands a contract to a politician's friend.

> If you want to prevent corruption, hire engineers directly at market rate

It's not feasible for a government to accomplish all its tasks by hiring and never by contracting. It would be incredibly wasteful because many projects are one-off, whether building a new suspension bridge or a huge new IT project. It's like saying a company should have no suppliers and write all its own software from scratch.

> just study history. The US government used to work this way

I've studied quite a bit of history thanks, and government in the US used to be quite corrupt compared to today -- just look up Tammany Hall [1] if you'd like a quick introduction. Corruption in the US has very much decreased over the past 150 years.

Outsourcing has existed as long as government has existed. I think you're confusing outsourcing as a general concept with privatization as a specific issue, which is about one-off decisions to choose to start outsourcing things that were previously done in-house. Which has its own set of pros and cons.

But no government can in-house everything. So hiring in-house is not the answer to corruption.

[1] https://en.wikipedia.org/wiki/Tammany_Hall

> Unfortunately, nobody's really come up with any reliable process for having the flexibility to get good products for good value, while reliably preventing corruption.

I've seen one approach work, but it struggles to scale, as it needs technical people on the client side.

Buying "outcomes" rather than services can work well - rather than procuring a specific "specification", you buy a solution. The standard contractual framework means you are paid for delivery to tangible milestones (demonstrable value), with engineering/technical background project management team overseeing the work. You work at risk, as you only get paid for delivery. That keeps many of the charlatans away, since it's very clear you're paid for delivery, not effort. That means the headline rate is higher, of course.

Focusing aggressively on actual delivery, but also not dictating the solution means you can see suppliers compete not only on price, but also on how they'll solve the problem. This means the government client needs to understand their problem well enough to articulate it (with some of that support from a technical project manager), but they then evaluate proposals for solving their problem. This moves away from the incentives to "body-shop" low-pay graduates onto a project that a partner pitched for, as it has to actually deliver.

I tend to see the "worst" projects (in terms of non-delivery, large bills incurred, poor value, and the only output being a report recommending more work) come about when the government client doesn't understand their own problem or goal though, so perhaps this approach self-selects problems where the customer can actually articulate their need.

The problem with that is that government is the worst customer: they don't know what they want, what they have, or how to get anything done. It is very hard for companies to commit to deliverables when the incompetent department they need to integrate with doesn't play ball.

Indeed, however this approach effectively offers them a carrot - if you understand your problem, you can use this (very effective and well regarded) route to getting your problem fixed.

The end result, as you'd expect, is mission-focused solutions to problems with minimal external dependencies. That means the problem gets solved in the simplest way possible, with the least overlap with incompetency possible.

It doesn't work for every problem, but it does show that forcing government to understand the problem before spending money can actually work, at least at some scale.

> The reason it doesn't exist in the private sector

The same problem absolutely does exist in the private sector. Many of the same big government contractors are running almost the same scam on big companies.

I think this problem is more a function of the size of the organization than public vs. private.

I was referring to the problem of corruption and kickbacks.

I'm certainly not saying companies can't overpay for things, but there is an inherent pressure from competition to incentivize companies to try to pay less, whereas taxpayer-funded government often doesn't experience similarly direct pressure.

Corrupt businessmen are a thing.

When I said it didn't exist, I meant it doesn't exist as a problem at the same scale.

Yes there are obviously employees who embezzle or contractors who defraud, but companies are generally able to police this themselves relatively effectively. It's nothing like government left to its own devices.

> Government procurement is so focused on the appearance of fairness and money saving that all other goals, like actually getting something that works, take a back seat.

I worked at a small 2-year college for many years. One time, the Dean I reported to was on vacation, so I had to go talk to the college president and get him to sign a form for a $7 petty cash reimbursement for some zip ties I had bought to clean up some cabling.

One year, our President had to travel to the capital city (about 250 miles away, over the mountains) almost every other week for some budget discussions with other colleges, legislators, etc. We could have saved the taxpayers THOUSANDS of dollars by renting a modest house to use for him (and some of the other staff members that regularly traveled to the capital). But that "might" look like we were providing them with a second home, so we spent thousands more on hotels.

A house? A modest apartment I can see, but a house seems a bit much

Renting a furnished apartment can sometimes be almost as much as renting a furnished house, depending upon the area.

Last week we lost a bid for a government contract. That's nothing unusual but I almost laughed when they described how they reached that conclusion. They weighted price against quality at a ratio of 80 to 20. I mean: really?

This is fairly standard, sadly, and is why Government struggles to deliver, especially on IT and similar "intangibles" type contracts.

The same issues happen in any other procurement activity that is required to rigorously follow a specific process due to spending public money, or bill-payer money of a regulated monopoly etc.

In short, you need large numbers of people involved to avoid "corruption" (irrespective of the actual level of such risk), and this means you end up less flexible and less able to buy what's needed. Weighting price by 80% is common, as nobody wants to be seen to deliver "poor value for money to the tax-payer". Hence the cheapest bid almost always wins, as nobody wants to have to stand up and explain why they didn't pick the cheapest bid.

There's a whole separate issue in how to handle "too cheap" bids (i.e. where you under-bid on the initial work, knowing you can get technical lock-in and be able to win future contracts uncontested, and turn those lucrative), but this is still an issue - see how the large outsourcers or consultancies do this regularly, and end up winning renewals on basis of "necessity".

There's an art to writing a winning (cheap) tender, then staffing it with people who rigorously enforce the scope back onto the Government client, and force every single change through an expensive change process. That's the business model many follow, and it delivers far poorer value for money in the long run. But the headline price was cheaper, so they'll still get selected...

In France, the tiny company I was in lost a lot of gov contracts to our absolute surprise since we felt we actually had a better solution for the price.

What we did to start winning was to make friends with the people judging us, offering free services making them personally look good, until we had such relations with them that they'd ask us out to frame the contracts and give them to us whatever our competitors would come up with.

It's impossible to take decisions based on surprise proposals in a public tender and it felt it was an open secret that tenders' winners MUST be decided before publication.

This is the best explanation for the phenomenon I've ever heard, thank you

Government IT: pays government salaries

Private sector: pays more than lawyers and surgeons even if you never graduated college

Gee I wonder where smart ambitious people will go

Exactly. I dropped out of university, so I can't be hired by any German agency/office, because a degree is a hard requirement. But I can work for them as a consultant asking for more than two-three times the money...

The salary is a joke. I've made their base salary, which requires at least a bachelor's degree, as a part-time working student in the private sector.

There is only one reason to work for the government in Germany and it's called "Verbeamtung" (a legal state where you are not employed, but appointed for government service, it's almost impossible to get fired and you pay little to no taxes, etc.), but the whole office politics and long decision making channels are awful (source: me working for a company owned by the local government years ago).

"Verbeamtung", which you basically won't have any chance of getting in most German states in an IT-related job, even if you literally save their ass.

The only way to make money there is by having a position where you can make decisions and then twist requirements for "external tasks" so that "your" company has a good chance to get it. Worse, if you don't twist requirements the job is still most likely going to a partially incompetent scam company due to how stupid the whole process is...

Agree with everything, except for the point about taxes. Income tax for employees, state officials („Beamte“) and self employed people in Germany is exactly the same regarding the tax rates. The difference is social insurance, especially pensions and health insurance.

And pensions, and health insurance: state officials (Beamte) get a (not small) part of their health insurance paid by the state (at least that was the case in many state official jobs until recently).

When you get old and had a not super high paying job, this can easily be as if you had gotten 50%-100% more salary!! At the same time they (state officials) complain they get too little. It's completely stupid. AND at the same time non-"Beamte" state employees do not get any such benefits, nor especially good pensions or reasonable pay or absurd employment protections (1), or even a proper working contract...

(1): If you are a "ver_beamte_ter" state official it's close to impossible to get fired as long as you don't, idk, commit some severe crime (and a few other special cases). So you are not getting any work done because you don't care about anyone? No problem, keep your job. You mess up all your work? OK, you still have a job. Your work morale degraded to a degree that you are basically unemployable? Still you have a full paycheck every month and keep your job. Though besides severe crimes there are a few things which can cost you your job, but they are easy to avoid.

Anyway, this doesn't mean there are no honest, proper employees in such positions; it's just very hard for them to keep their motivation.

To be fair: German employee protection is so strong, it's almost impossible for anyone to get fired from any company bigger than 10 employees for reasons other than committing crimes or felonies, as long as the company cannot prove that they have to let people go due to bad overall business. Even then, as an employer, you cannot simply fire the underachievers, but you have to negotiate with the works council to be able to keep the youngest, highest performers, because they have the least protection and have to be fired first...

On the other hand, employers often work around the restrictions on termination by employing people on a fixed-term employment contract ("befristeter Arbeitsvertrag") and then extending the employment period again and again [1]. In many sectors it is pretty much impossible to get an indefinite contract.

[1] Although there is a regular limit of two years, i.e. if you continue working after two years the employment contract will be considered indefinite. (Obligatory IANAL)

Funny thing - the only entity allowed to make „Kettenbefristung“ (chaining fixed-term contracts) indefinite is... ... the government!

Which is exactly how it should be, no? Or do you favour kicking someone in their 50s out who has worked at the place for the last 20 years and will have a super hard time finding another job no matter how hard they try, so that their only option is being unemployed and relying on social security?

First, employers should be able to keep employees based on merit, not on arbitrary measures neither the employer nor the employee can change (sex, gender, age, ...). If a company is already in trouble, having to let go of talent will hurt them even more. It's so hard (and expensive) to let people go in Germany that it's almost always the last cry for help to get more subsidies or shut down for good. The 50-year-old won't have any guarantee to keep that job for much longer like that... Second, the reasoning also holds for an overperforming 50-year-old employee who's recently been hired vs. a 35-year-old that started vocational training 19 years prior - no chance for the newbie to stay. What's your opinion on this? Third, the job market for people with experience is very good in Germany. There are indefinite ways to learn new skills and redevelop your career, mostly sponsored by the taxpayer. At age 50, a lot of people start their second or third career. I don't trust the narrative that old people are doomed if they lose their job compared to a 28-year-old with two kids and a husband that's doing his PhD on a shitty part-time salary.

So this might be an element of the problem, but having been in government for 17 years (and last 5 dealing with IT), I'm not even sure this is a top 3 problem.

Against all odds, the government manages to recruit and retain people who can do good work.

The larger problem is that government seems designed to make it impossible for IT talent to actually apply their talent. Now I understand why one of Grace Hopper's most famous quotes in the Navy was "it is better to beg forgiveness, than to ask permission".

Additionally, well, the BKA, similar to the FBI, looks for security experts. However, since they would be employed by the BKA, they have to go through mandatory physical exams and drug tests. That's just dumb. I'd be able and interested to do that work, but I'm medically unable and not allowed to do that test. So that's that topic done. Can't do security due to asthma.

People always wonder why our government often sucks so hard at implementing stuff.

Easy solution:

1. Pay fewer people more money

2. Reinstitute civil service exams

I guess this is politically impossible?

At least in the US, some of it is the vagaries of government acquisitions. The requisition process is one that works fairly well for services and products that are established and largely interchangeable, but is more difficult for something that's either emerging or complex. So it's fairly straightforward to say "I require a piece of construction equipment that does something" and then go view a few off-the-shelf options and pick the best price. But for software and services, especially things that don't exist, the existing requisition process doesn't work well. You're required to plan very far ahead in a market that moves quickly. By the time you get to bids, the requirements have likely changed, but it might be too late to go back and change requisition without going through an approval process again. It also requires you boil down a process into a series of atomized pieces that can be scored so you've got a clear paper-trail of the acquisitions process.

It's a system that benefits vendors that can manage the red tape that's there to prevent corruption.

> Is it a product of smart people simply not working in this sector or corruption?

Depends on the country/jurisdiction.

This reminds me of a story: college career fair is held in January. Government is there and takes resumes. Candidates start getting callbacks for government positions in late April.

Do I even have to explain that those still available late April for the summer maybe were not... the sharpest tools in the shed?

> There is so much incompetency in governmental IT/software decisions and software it's actually sad.

Most likely because the company with the lowest bid wins, or a company that has connections with the government, so they get selected based on friendships rather than competence. Then such a company typically sends its least experienced developers, working for a pittance, and they hope the project will last long enough that it gets scrapped before it gets completed, so they will not be held accountable for anything.

Weirdly enough, the Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany's cyber security authority, is actually very good and has very competent security experts. I bet the officials never consulted them about Luca.

I've seen authorities like this "not consulted" deliberately, on the basis that there's a more expedient need for the product, than for the product to be secure.

If the experience of the procuring department is that "BSI finds everything is insecure", then you procure without letting BSI know or have a say in it, and then you look good for getting the procurement completed.

Getting cross-department cooperation on anything complex tends to be the exception rather than the rule - it's much easier for everyone to make the same (avoidable) mistakes over and over again, apparently, than it is to accept the process doesn't work and fix it.

"Intangible" non-functional requirements are simply something that don't translate well into the procurement world, and are the first thing dropped to try and lower the "headline price". Being secure enough to get past BSI is a cost that your competitor likely won't be factoring in.

> If the experience of the procuring department is that "BSI finds everything is insecure", then you procure without letting BSI know or have a say in it, and then you look good for getting the procurement completed.

Sounds plausible. Especially looking at years of (German) data protection officials recommending against using Windows 10/Office 365 in government agencies, followed by officials explaining that only Microsoft's products are able to fulfill their "extremely complicated requirements".

I'm not entirely convinced that only Windows 10 has the necessary features for registering a vehicle title...

Of course it doesn't! I've yet to meet a procurement team that actually understands what they are buying. Companies like Microsoft focus heavily on "training" and "awareness" of their products and solutions - pure slideware, but speaking the right language.

At enterprise-scale, I must concede that Microsoft have a really sleek sales pitch. Group Policy in AD offers a level of "managed desktop" that a low-pay, mid-skill sysadmin can operate. That lets you set and enforce "policies", and they get enforced on the computers, and this is something that entirely non-technical senior managers can understand and feel confident in.

Any OS could be used to register a vehicle title, but MS' option gives you a fleet of relatively cheap and accessible talent with an "official certification" (MCSP or whatever it has become) - governments love certifications, as it helps them de-risk things they don't understand. The clever enterprise vendors understand this, and try to ensure the market is awash with "their people". It's probably controversial to say, but governments love technology that is able to be run (by-design) by hiring mediocre people to run it. Windows Server with a shiny GUI to edit group policies and apply updates hits that spot for many organisations.

I wouldn't be surprised to find the "extremely complicated requirements" for the vehicle registration government agency are the ability to run some (procured) proprietary endpoint protection client (which probably runs everything it sees unsandboxed, as NT AUTHORITY\SYSTEM [1]), and enforce a whole host of client-side restrictions (which could easily be network-layer) to prevent people using personal email on managed devices.

[1] https://www.recon.cx/2018/brussels/resources/slides/RECON-BR... like Windows Defender did (!)

Oh my, your post reads like a bureaucracy horror story, but I fear it is not a work of fiction!

Regarding client-side restrictions: I doubt I'll ever understand why many organizations appear to be so focused on restricting their employees' computers, some even going for full-blown surveillance. Maybe I'm just a little naive, but is intercepting and filtering all network traffic really the only way to notice whether an employee is playing browser games all day (instead of, you know, noticing the employee's productivity dropping)?

My primary concern is that those enterprise firewalls intercepting all traffic (including MitM-ing TLS traffic) regularly prevent adoption of new Internet standards. At the same time, the idea of total communication surveillance seems surreal. Imagine the equivalent situation 20-30 years ago: What would you have said if your employer hired a team in order to eavesdrop on every single telephone call and open every single letter entering or leaving the office?

> Oh my, your post reads like a bureaucracy horror story, but I fear it is not a work of fiction!

Afraid it's not fiction. I see it pretty regularly.

> Regarding client-side restrictions: I doubt I'll ever understand why many organizations appear to be so focused on restricting their employees' computers, some even going for full-blown surveillance.

Several reasons I've seen. Firstly, don't underestimate the importance of protecting people's data at scale. If staff can use their Gmail on a computer, someone will email themselves someone's personal data. Maybe it won't be malicious, but it's still a breach. Maybe it was some software running on the computer (malware) that got in via an ad or game, that simply emails out information.

Governments (and large enterprise) operate at a scale where you need to be careful of data exfiltration by malicious users or software. While you might be able to trust people in a team of 5, it's very hard to scale that trust up to 5000 people.

> Maybe I'm just a little naive, but is intercepting and filtering all network traffic really the only way to notice whether an employee is playing browser games all day (instead of, you know, noticing the employee's productivity dropping)?

This implies that the person's manager is competent enough to actually notice this, and has enough understanding of what they do to act.

Filtering network traffic is often more about preventing data egress of other people's personal information than it is about spotting someone playing candy crush.

> My primary concern is that those enterprise firewalls intercepting all traffic (including MitM-ing TLS traffic) regularly prevent adoption of new Internet standards. At the same time, the idea of total communication surveillance seems surreal. Imagine the equivalent situation 20-30 years ago: What would you have said if your employer hired a team in order to eavesdrop on every single telephone call and open every single letter entering or leaving the office?

In financial services and other regulated sectors, they pretty much did/do that, albeit recorded rather than having someone listen all day long. I agree with you that these kinds of active MITM firewalls likely introduce more issues than they solve - many don't themselves validate the certificate of the site they're MITM'ing properly, therefore introducing a whole new attack vector if you can convince the MITM box to serve up a valid certificate for your site's invalid certificate.

Unfortunately though, for as long as the goal is to make it possible to work at big scale and minimise the risk posed by individual employees, you'll continue to see this be the default way of working, I reckon.

I know one even worse: health IT.

The prices for crappy software/hardware solutions are mind boggling. I guess this is how it is if you just can afford it.

Don’t forget that pretty much all software that touches medical data will have to go through various approval and regulatory processes. Which sometimes take up even more time than actually writing the software. Hence high costs in this industry.

It is true for actual patient-touching software/hardware but it doesn't stop there. If the licence for a single scanner the lady at the registration desk uses to scan your referral sheet is 500€, then it's clear that this is a "because we can" price and not something which would have some real life connection.

If you were a top computer person (software, security, IT, etc)... emphasis on top... would you want to work for a government? Would they value you?

Politicians operate by building support and making money for their backers. If you are too efficient, and leave no crumbs, you will quickly lose support. Being a messy eater will get you much further. If you piss off enough tech billionaires, look no further than the last election to see what happens.

I have interacted with a level of the US DoD that is far removed from actual politicians. The situation there is closer to what others described: a pervasive, penny wise and pound foolish fear of being seen to spend money. It really affects everything: an entire professional workforce hired at well below market salary, wasted man-hours due to restrictions on equipment purchases, frequent reorgs to shuffle budgets around, etc. If this is anything like that, I bet they gave this to the cheapest bidder without consideration of much else.

I turned down a contracting opportunity that would have been exceedingly lucrative for me because the contractor wanted me to take liberties with what I've done all in the name of greasing RFP's for government procurement.

Was initially stoked and honored to be considered, but the longer I thought about it, the more uncomfortable and heavy the thought of how it all worked started to sour me to the entire idea.

Never realized how pervasive the whole practice was til then. Thought it was a rumor or story... Turns out...

Due to various reasons, government IT jobs pay a fraction of private sector jobs. So they tend to have slim pickings when it comes to hiring skilled people.

This is amazing.

There should be hacker clubs in each country double checking all suspicious public procurements.

The CCC is a mature organization and culture, there would be some clear challenges to bootstrapping something similar elsewhere that wouldn't be quickly infiltrated and co-opted the way that civil liberties, environmental, and other activist organizations have. CCC (and defcon) appeared to work because they operated in a similar grey-area of risk and competence as a motorcycle club.

I've been pitching around the idea to use hackerone as a framework but restricted to local college and university programs to do bug finding in provincial/municipal public service delivery systems as a way to create a pipeline of competent public service talent, develop real civic engagement, and create the incentives within govt to build less appallingly shitty systems.

The main challenge with that is it requires a total rethinking of what government is, which is already happening organically as dev/eng people and culture builds more generational influence in govt beyond being just "IT," but that's a longer term vision. GenX doesn't code and they're still 10-15 years from retirement, but internet generation people are slowly taking the management reins.

Near term, absolutely hack your region's contact tracing apps, and if you want to really effect change, use technology and data to create and test hypotheses to find corruption. It's going to be unpopular and even make you a target, but if you want to summarize what the cyberpunk aspect of hacker culture was, a lot of it was based on the hypothesis of there being a corrupt conspiracy running infrastructure of The System, and by learning its secrets you could become somehow more safe from it, or expose it.

CCC in Germany does really fantastic work and they are well recognized in the public. And they have some friends. Years ago, the club was moving from Berlin to Hamburg, I think. They had an ongoing dispute whether they are, tax-wise, recognized as a charitable, non-profit entity (many associations in Germany are recognized as non-profits, but for some that are politically inconvenient, such as the Deutsche Umwelthilfe (DUH) [1], the tax administration as well as politicians are trying to dispute their tax exemption).

Then they got a mailing where somebody mailed them an entire collection of correspondence between the tax administration and other government bodies which was apparently intended to be sent to the Hamburg tax administration. It detailed how they were trying to actively put obstacles to financing the CCC's work. Apparently, that mailing went accidentally to CCC, which was not the intended address....

[1] https://en.wikipedia.org/wiki/Environmental_Action_Germany#P...

Do you have a link of the email correspondence?

I'm part of the CCC in Hamburg

We will move to Stockholm and I'm thinking of creating one :)

Good luck. In countries like Germany or Norway there is a culture of hacker organisations sustaining themselves financially via their members.

This culture doesn't exist in Sweden, and the spaces and organisations that aren't subsidised by government funds or universities all disappear after a few years.

(Source: Lived in all three countries, was active in such organisations in all three countries)

Oh, there are tons of hackerspaces in Sweden. It's just that they are either tied to universities, startup clusters or for kids.

I guess you were simply not in contact with the right people.

You're saying exactly the same thing as me: There are very few independent hacker spaces (in most cities, none), unlike in Germany and Norway where that is the norm.

Maybe this is a naive question since I’ve never been involved in a hacker/computer club but why is a dedicated space required? Does the club usually purchase hardware/equipment that needs to be stored? I suppose I always assumed the members brought their own equipment to meetings.

You know, the more I think about it, I’m not really sure I have any idea what a computer club actually is and does...

It's a good question and not easy to answer in general as there are a lot of different types of hackerspaces.

Some hackerspaces are more a kind of makerspace and provide expensive, large or complicated hardware like industrial laser cutters, 3D printers, embroidery machines and (electronics) workshops with soldering irons, electronic parts etc.

Other hackerspaces are focusing more on the social side and offer a space to hang out, meet and discuss with beverages (I guess mostly mate and beer). There can be talks, workshops or competitions (like CTFs) and so on.

Also providing services to the public, like repair cafes and holiday programs for kids can be a way to further engage in society to share technical knowledge.

hackerspaces.org also has extensive explanations on the theory of hackerspaces: https://wiki.hackerspaces.org/Theory

It's a space to hang out and meet people, where you can talk about and tinker with technology.

Only socializing online is just not the same.

CCC isn't a hacker space as I understand the term. CCC is a club of security experts. hacker spaces are communal spaces where you can tinker with peers using provided tools.

The CCC is both. It's a club of computer- and technology-interested people. Most cities have some rented space that doubles as a hacker and tinker space. It really depends on the members in each city what the specific location looks like.

That there is also a branch of very public security experts is... Incidental, I'd say.

> CCC is a club of security experts

No. It happens that a lot of members are security experts but it is far far broader than that.

The CCC is a very decentralized organization. A lot of hacker spaces are in fact operated by local subdivisions or are completely independent organizations but with a lot of overlap in membership.

In general the CCC likes to define itself more by those who share its values and less by the legal entity with that name.

In Germany the CCC has a lot of physical clubs where people hang out. They have some specialised equipment, but are from my limited experience more social spaces for cohacking, giving talks, etc. There's also the Chaos Communication Congress, which is a big hacker festival/conference (by the same group of people), run by I think the same org, and I've never fully understood how one navigates the identical acronyms...

Typically, the Chaos Communication Congress is referred to by its number and the abbreviation C3. So it's 36C3 for the last regular installment.

Neither is right. CCC also has security experts as members, which sometimes comment publicly. In general however, it is the parent organization for local hacker spaces (though it is possible to be a member on only the local or only the CCC level). And many local spaces are also called ccc-xy. And their interests.

Chaos Computer Club also means there are actual physical club rooms where members can meet.

> It's just that they are either tied to universities, startup clusters or for kids.

…or lacking members. He wrote, glancing around the empty room

Because of COVID?

Currently, I suppose, but no; it’s been “active” since about 2010.

As a Norwegian I would love some pointers to the Norwegian hacker spaces. I am vaguely familiar with some, but it would be nice with some more info.

I'm mostly familiar with the Oslo scene, which has Hackeriet[0] (of which I'm still a member) with more of a CCC-style crowd and Bitraf[1] which has a lot of physical equipment for "makers" and has a much larger space. Hackeriet's IRC channel is also quite nice (though usually in Norwegian and/or svorsk).

There's a few other organisations, notably Teknologihuset[2] which has some communities organising regular events and NUUG[3] which doesn't have a physical space but moves around and is generally a good community to get in contact with.

Note that NUUG has members all throughout Norway, and also an active (Norwegian) IRC channel, which may be a good place to ask about other towns as my knowledge of those is either outdated or non-existent!

See you on IRC! :)

[0]: https://hackeriet.no
[1]: https://bitraf.no/
[2]: https://www.teknologihuset.no/
[3]: https://nuug.no

Have you tried the Hackerspaces wiki? https://wiki.hackerspaces.org/Norway

Check out https://www.blivande.com/ Burners, artists and (I think) hackers doing stuff together in Stockholm. (I'm not in sthlm but part of the Scandinavian burning scene)

What does burner mean here?

Wow, I didn't expect that to be a thing people identify with so strongly in Stockholm of all places.

Looks amazing! I will

Do you know if CCC supports regional chapters?

Yes, they're called Erfa-Kreise: https://www.ccc.de/en/club/erfas

They're all in German-speaking countries.

In Germany there are various "local subsidiaries", mainly in or around larger cities. They are also often somewhat tied/connected with local hackerspaces and whatnot.

I would join in a heartbeat!

The CCC is a national treasure.

I love what I hear about them. Germany has a basic culture that is quite conducive to this kind of thing.

The only thing I wish, is that it was called "KAOS Computer Club," and that they have a picture of Bernie Kopell in their entryway.


Is this one of the many examples of German government wasting taxpayer's money?

Yes, and it's super easy to just create random valid QR codes: https://wolf128058.gitlab.io/schmudo2go/

also they don't have any rate limit on the sms service...

so anybody can build a loop and call the sms endpoint...

More fails:

- https://github.com/mame82/misc/blob/master/luca_traceIds.md

- https://lucatrack.de/

- development private and public key in the repo ( not harmful but a bad sign)

- more that I forgot

What do these QR codes do?

The QR codes let you "check in" at venues that use Luca to make contact tracing possible.

These QR codes should only be valid after you have verified that you are a real person.

So the health department could call you.

This was done by SMS, but the verification of an account does not check against that SMS verification; it's just a simple if/else on the client.
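To make the flaw described in this comment concrete (and the missing SMS rate limit raised earlier in the thread), here is an added, simplified model of a check-in service in two variants: one that believes the client's own "verified" flag, and one that only consults verification state the server itself established. This is illustration code, not Luca's code; the class names, limits and flow are assumptions.

```python
"""Simplified check-in service: a weak variant that trusts a client-side
'verified' flag, beside a hardened variant where SMS verification state
lives on the server and SMS sends / code guesses are capped.
Added illustration, not Luca's code; names and limits are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field

MAX_SMS_PER_PHONE = 3   # assumed cap on codes sent to one number
MAX_CODE_ATTEMPTS = 5   # assumed cap on wrong guesses per issued code


@dataclass
class ClientRequest:
    """What the mobile client sends when it asks to check in at a venue."""
    phone: str
    venue: str
    client_says_verified: bool = False  # only the weak design looks at this


@dataclass
class WeakCheckInService:
    """The pattern the comment describes: the server never confirms the SMS
    code itself; it believes whatever 'verified' flag the client sends."""
    check_ins: list = field(default_factory=list)

    def check_in(self, req: ClientRequest) -> bool:
        if not req.client_says_verified:
            return False
        self.check_ins.append((req.phone, req.venue))
        return True


@dataclass
class VerifiedCheckInService:
    """Hardened variant: verification is recorded server-side only."""
    pending: dict = field(default_factory=dict)   # phone -> (code, wrong_tries)
    sms_sent: dict = field(default_factory=dict)  # phone -> codes sent so far
    verified: set = field(default_factory=set)    # phones confirmed by the server
    check_ins: list = field(default_factory=list)

    def send_sms_code(self, phone: str):
        """Return the code destined for the SMS gateway, or None when the
        per-number cap is exhausted. The API caller never receives the code."""
        if self.sms_sent.get(phone, 0) >= MAX_SMS_PER_PHONE:
            return None
        self.sms_sent[phone] = self.sms_sent.get(phone, 0) + 1
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = (code, 0)
        return code

    def confirm_sms_code(self, phone: str, code: str) -> bool:
        entry = self.pending.get(phone)
        if entry is None:
            return False
        expected, wrong = entry
        if not hmac.compare_digest(expected, code):  # constant-time compare
            wrong += 1
            if wrong >= MAX_CODE_ATTEMPTS:
                del self.pending[phone]              # discard code, force a new one
            else:
                self.pending[phone] = (expected, wrong)
            return False
        del self.pending[phone]
        self.verified.add(phone)
        return True

    def check_in(self, req: ClientRequest) -> bool:
        # Only server-side state decides; the client's flag is ignored.
        if req.phone not in self.verified:
            return False
        self.check_ins.append((req.phone, req.venue))
        return True


def wrong_code(code: str) -> str:
    """Demo helper: a six-digit code guaranteed to differ from `code`."""
    return f"{(int(code) + 1) % 10**6:06d}"


def demo() -> dict:
    """Constructed walk-through with a made-up phone number and venue."""
    phone, venue = "+49 170 0000000", "constructed-venue-1"
    forged = ClientRequest(phone, venue, client_says_verified=True)
    weak, hardened = WeakCheckInService(), VerifiedCheckInService()
    results = {
        "weak_accepts_forged_flag": weak.check_in(forged),
        "hardened_rejects_forged_flag": not hardened.check_in(forged),
    }
    code = hardened.send_sms_code(phone)
    results["wrong_code_rejected"] = not hardened.confirm_sms_code(phone, wrong_code(code))
    results["right_code_accepted"] = hardened.confirm_sms_code(phone, code)
    results["checkin_after_verification"] = hardened.check_in(ClientRequest(phone, venue))
    # One code was already sent; two more are allowed, the fourth is refused.
    sends = [hardened.send_sms_code(phone) for _ in range(3)]
    results["sms_cap_enforced"] = sends[0] is not None and sends[1] is not None and sends[2] is None
    return results
```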

Yes. This is what you get when incompetent officials jump on any offered solution that promises to make their awful track record of "digitalization" projects look better. Of course without listening to actual experts and instead looking for buzzwords.

The absurd thing is, like CCC mentioned, the German covid app (state paid, kinda decentralized, very privacy respecting contact tracing app) does not only potentially cover some of the cases (if people are close to each other and the phone can detect it using Bluetooth tokens) but also seems to be getting a feature "to handle meetings" in a privacy friendly way.

Exhibit B: Ubirch and their 5 Blockchains


An issue with the reporting is that the ubirch standard solution is confused all the time with the actual project. Especially since it is mostly guessing, not knowledge of the actual technology behind it.

Can't really blame the reporting there imho. At the time that article was written they actively marketed towards the blockchain solution and the government side wasn't really forthcoming with public information. Luckily that changed a few days ago but this article in particular is from March 9th.


Especially since there is already a government funded app (whose developers also make a much more competent impression) which is scheduled to receive similar functionality as the Luca app with the next update.

And which doesn't have to plan for a business model post-pandemic.

It does not need to. It's open source and funded by the government.

It's not run by a private company which only thinks about money.

That was probably his point already

May I present to you that the government spent over 430 million Euro on external consultants in the last year?

That's just a raise of about 46% in comparison to 2019...

This is a privacy issue, in the country which thinks so highly of the GDPR. So it's not something which they should be able to sweep under the rug as if nothing happened. As the article explains, the issue is far bigger than just vulnerabilities, it's about how politics supported this app.

If this were some other thing, like the implementation of a video surveillance system in the political center of Berlin, or any other important place, they would have taken care to at least adhere to the basics in how to give whom the job to do this, how it will be licensed/owned, how it will be run, what happens with the data. A thorough check of the company would have been made.

But in this case? It's a small startup with no expertise whatsoever in data protection, expecting the silliest terms and conditions, and the politicians are just glad to throw the money at them, and even expecting citizens to install this app if they want to take part in public life.

This is as crazy as it gets and shows how incapable they are of controlling this pandemic, even how little they care to seriously work on it, and I wonder how much this represents what they have been doing over the last decade in general.

I was glad to install the Corona-Warn-App and am a bit sad that there are so few people using it, but it was implemented correctly. Not only from a technical point of view.

But should any of these apps become a requirement to participate in public life, I'd take it as far as going to jail for not installing or uninstalling it.

> This is as crazy as it gets and shows how incapable they are of controlling this pandemic, even how little they care to seriously work on it, and I wonder how much this represents what they have been doing over the last decade in general.

Fully agree, the whole "Merkel era" was an era of political stagnation. The pandemic relentlessly uncovered that.

But now we've reached a new low, German politicians seem completely unwilling to fight the pandemic anymore despite a 3rd wave caused by the B.1.1.7 variant building up rapidly. It's crazy times, the Luca app disaster is just one manifestation of it.

Related discussion from a few weeks ago about the mentioned licensing issue:


worst thing is, my university seemingly developed something similar (which has been used for exams for half a year now) already: https://qroniton.eu/

But I guess kickbacks for using something created by state employees are not as good as for something new from a private enterprise (with blockchain! - they silently removed it, when the CCC called that out and now the CEO claims: "we've never used blockchain").

If a lot of people with good pentesting skills started bashing the hell out of this app in an organized yet brutal fashion, that could be very interesting and likely legally problematic. I wouldn’t advise anyone to do that. Ever. Honestly.

What's the difference between this Luca app and the "official" German covid tracing app (Corona-Warn)? Or are they the same thing?

The official app stores all its data decentralized, only cryptographic hashes are stored centrally that each device then can check locally for potential risks.

In the Luca app, the user's location data is stored centrally, and the states can then purchase a license to access data of potentially risky contacts.

(BTW the public health offices are notoriously overworked during the pandemic, so it's not clear to me if they'd even manage to do anything with this data).
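The decentralised design this comment contrasts with Luca, as an added illustration (not Corona-Warn-App or Exposure Notification code): devices broadcast short-lived pseudonymous tokens derived from a per-day key, the server stores only the day keys of people who report positive, and every device downloads those keys and does the matching locally. The HMAC-based token derivation and the sizes here are stand-ins assumed for the illustration.

```python
"""Simplified model of decentralised exposure matching: the server sees
only reported day keys, never phone numbers, names or locations.
Added illustration; the derivation is an assumed HMAC stand-in."""
import hashlib
import hmac
import secrets

INTERVAL_MINUTES = 10
INTERVALS_PER_DAY = 24 * 60 // INTERVAL_MINUTES


def derive_token(day_key: bytes, global_interval: int) -> bytes:
    """Token broadcast during one 10-minute interval (16 bytes, unlinkable
    without the day key)."""
    msg = global_interval.to_bytes(4, "little")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


class Server:
    """Central component: holds only day keys voluntarily uploaded after a
    positive test. No contact or location data ever arrives here."""

    def __init__(self):
        self.diagnosis_keys = []  # list of (day, day_key)

    def publish(self, keys):
        self.diagnosis_keys.extend(keys)

    def download(self):
        return list(self.diagnosis_keys)


class Device:
    def __init__(self, name: str):
        self.name = name
        self.day_keys = {}   # day -> random key; leaves the device only on report
        self.observed = {}   # token seen nearby -> (day, interval)

    def key_for(self, day: int) -> bytes:
        if day not in self.day_keys:
            self.day_keys[day] = secrets.token_bytes(16)
        return self.day_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return derive_token(self.key_for(day), day * INTERVALS_PER_DAY + interval)

    def observe(self, token: bytes, day: int, interval: int) -> None:
        self.observed[token] = (day, interval)

    def report_positive(self, server: Server, days) -> None:
        server.publish([(d, self.key_for(d)) for d in days])

    def check_exposure(self, server: Server):
        """Local matching: re-derive every token of every published key and
        intersect with what this device itself observed."""
        matches = []
        for day, key in server.download():
            for interval in range(INTERVALS_PER_DAY):
                token = derive_token(key, day * INTERVALS_PER_DAY + interval)
                if token in self.observed:
                    matches.append((day, interval))
        return matches


def simulate() -> dict:
    """Constructed scenario: alice and bob meet on day 3, interval 40; carol
    only ever meets bob. Alice later reports positive for days 2-4."""
    server = Server()
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    bob.observe(alice.broadcast(3, 40), 3, 40)
    alice.observe(bob.broadcast(3, 40), 3, 40)
    carol.observe(bob.broadcast(5, 10), 5, 10)
    alice.report_positive(server, days=[2, 3, 4])
    return {
        "bob": bob.check_exposure(server),      # exposed on day 3, interval 40
        "carol": carol.check_exposure(server),  # no exposure
        "server_holds": len(server.diagnosis_keys),  # three day keys, nothing else
    }
```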

> (BTW the public health offices are notoriously overworked during the pandemic, so it's not clear to me if they'd even manage to do anything with this data).

Anecdotally most of them are completely overwhelmed because of the currently fairly high case numbers and effective contact tracing does not really happen anymore. Also they mostly live in the technological stone age so they have a hard time scaling it up [1].

[1] https://www.dw.com/en/german-health-care-tackling-covid-with...

Luca app is made by a private company and stores personal data on a central server.

The official Corona Warn App uses the Exposure Notification Framework and does not share any personal data.

Germany paid 20M+ for this already, without owning anything (code, data, ...).

Haha I'm waiting for Smudo's disstrack!

There are enough diss tracks and mentions of Fanta4 in German hip hop

I always found them whack...


I was in Hamburg, Germany in the 2000s and listened to stuff like Samy Deluxe and Beginner etc. etc.

Almost all of my friends did not consider fanta 4 to be rap music but rather pop music :)

Is there a U.S. based Chaos Computer Club (CCC) or CCC like group?

My understanding as an outsider who has never been to the US is that the US hacker scene is quite different.

One notable difference is a much closer connection to e.g. intelligence services.

On the other hand, the relationship to democratic processes, as well as the stance on state/federal involvement in IT problem spaces, seems to differ between Germany and the US.

Again: I'm an outsider and would actually like to hear from others how they see this.

> One notable difference is a much closer connection to e.g. intelligence services.

Some CCC hackers had a pretty good relationship with the Russian KGB. They got information about a wide range of US military secrets including details about the Space Defense Initiative (SDI). They were so successful that they wound up dead and a movie was made about them. Since then the CCC has to be heavily infiltrated by all kinds of Intelligence Services.

At least the CCC of today is actually much more loosely knit than what your comment implies. Much of the work being done to dismantle e.g. election counting systems, the covid apps etc comes from various corners of that community.

Infiltrating the CCC would be akin to infiltrating Antifa. Sure, you can get close to a group and learn their secrets, but you can't get close to the center of it because it has none.

> Since then the CCC has to be heavily infiltrated by all kinds of Intelligence Services.

I think this more served as a cautionary tale to not get involved with these kinds of agencies at all.

I think the CCC has a strong ethos to not work for such agencies but I'm sure many members do it, either because they are agents or because of other incentives.

Yes the Cuckoo's Egg by Clifford Stoll recounts this story well.

However since then the CCC has been very honourable and I have nothing but respect for them.

I think what comes closest is the Electronic Frontier Foundation: https://www.eff.org/

There's defcon, but it's more of annual conference than an ongoing group that works together.

There's also the local DC chapters, http://dc612.org/ has been going strong up in Minneapolis for years.

There is no chapter of the CCC in the U.S. (yet?). While there is no head-organization (as far as I know), there are similar hackerspaces all around the U.S. (and the globe), e.g. see map on hackerspaces.org: https://wiki.hackerspaces.org/List_of_Hacker_Spaces

There's places like Noisebridge (which was an absolute pleasure to visit and experience) or regional DEF CON groups.

As mentioned by others, the EFF's Electronic Frontier Alliance tries to act as a regional group for these types of things, but in my experience it's pretty dead (at least the Utah group has been completely unresponsive).

Wow this is bad, I'm sorry to hear it's already mandatory in one German state.

I'm really surprised Germany is playing so loose and fast with privacy as they're known to be one of the countries with the strictest privacy laws around.

By the way how does this work being mandatory with people that don't own a smartphone??

> I'm really surprised Germany is playing so loose and fast with privacy

You're surprised because you're expecting politicians to have consistent principles, but it's just about what's convenient right now. This is an inherent issue with having elections every couple of years.

It's more like playing loose and slow. For a year, all reasonable projects aiming for a pragmatic compromise between privacy and checkin tracking were reliably choked by privacy concerns.

It's hardly surprising that now that opinions are shifting, the only projects remaining are those most lacking in privacy awareness. The aware have long given up.

And opinions are shifting in no small part because unsurprisingly, the ineffective pen & paper tracking that was deployed instead was suffering from quite real privacy problems that weren't theoretic at all (routinely breached not by ssh keys in the wrong hands or some backdoor hidden in the code but by just asking nicely).

It stated in the article that you can purchase a fob which can be used in place of the smartphone app.

What was wrong with Corona-Warn-App? Looked amazing compared to ‎TousAntiCovid last year yet I'm learning here that it isn't improved anymore and I haven't seen ads for it anywhere. The differences between German states and the way news are communicated is so complicated, and it's been more than a year that it's like that now.

As a French citizen living in Germany I can get vaccinated if I go back to France soon (the French state literally sent me an email to tell me that as they know I'm living in a foreign country), meanwhile I keep on reading that some German states are trying to get more vaccines than the others (e.g. Sputnik in Bavaria) and I cannot get a free PCR in a state where I do not live. Why having such friendly fire in your own country, especially when my health insurance works at the national level?

It is still improved. They actually also want to add this kind of check-in (almost done) but it might be blocked by Apple/Google as the terms of use of the contact tracing API forbid use of additional data.

As far as I know CWA will save it on the device and thus comply with all requirements for contact tracing apps.

The CWA is developed under extreme scrutiny wrt privacy. It's really good at what it does, so good that even the CCC gave it its blessing (despite being made by companies that would traditionally be considered evil empire in CCC, which really puts CCC in a very favorable light for objectivity). But that strength makes it the absolute opposite of move fast and break things.

PS: and I believe that there is hardly a scenario where moving fast even if breaking things is more called for than pandemic response, particularly regarding privacy where most problems are of the kind "if we did that for decades, eventually abusive patterns would develop" - e.g. mass mail voting is fine done a few times, but if it was routine you'd eventually have most ballot forms filled under some form of supervision. An openly privacy-invading tracing method that is so bad that it's clear that it won't survive until after the worst of the pandemic is over might end up being less invasive long term than something that is "so safe that it can become a fixture" (it isn't).

But leaving the fast-moving to those least concerned with privacy is still a recipe for disaster.

Nothing really.

Luca app just had more hype/better marketing.

> Mecklenburg-Western Pomerania even wants to make installation of the app a prerequisite for participating in public life.

This is the trajectory for everything essential it seems. Want to function in the modern world? You need a pocket computer with approved applications on it to do increasingly important, but basic tasks. Banking, health, transportation, etc. are all sitting on the pocket computer that can watch where you go and track what you do to the minute.

Is there any government contact tracing app that is considered successful by tech people? Japan had a similar problem: its contact tracing app, COCOA, was originally developed by volunteers in open source. Then the government "purchased" the app and subsidized it to some medium IT vendor, which further subsidized it to six (!) other companies. The app has been regarded clusterfuck and failed to support the latest version of iOS/Android.

The official German contact tracing app [1] that has been developed by two major German corporations on behalf of the German government has received quite good feedback from tech media as well as the CCC.

Similar to other governmentally supported apps this one has been made open-source beginning with the first drafts, is based on the provided framework by Apple and Google, does not store privacy relevant data on centralized servers and even follows the 10 baseline rules the CCC has published.

That actually makes it even more sad that the German government reaches out to the Luca app developers and buys their service for such a huge amount of money - although there is a product that is on par service-wise and way better from a privacy perspective.

[1]: https://www.bundesregierung.de/breg-de/themen/corona-warn-ap...

Source code for the app can be found here: https://gitlab.com/lucaapp

... though in the past many developers have complained that the source code didn't seem to be the one from which the app on the appstore was built and/or it was quite out of date.

The former, at the time the gitlab repos for the mobile clients were published they contained code newer than what was available in the app stores.

German hip hop star Smudo has been promoting the Luca app on German TV, etc.

- funnily enough the same Smudo who was a very vocal "Napster bad!!11eleven" voice back in the day ... however Napster would at least meet 2 of the CCC criteria (instead of 0, like Luca :)

I’m shocked (and amused) how little of this is comprehensible to me without more context.

Yeah, I knew this shit was gonna happen. I installed literally zero of these apps.

I like the idea of these apps, but none of them were advertised enough near me to think that others would be using them, so they were all pointless.

And of course, they were rushed out the door, so they'd probably have quite a few problems.

Ireland has a Covid19 tracker app that can easily integrate with other EU covid apps. NearForm, the developer, sells a branded version for a million.

It's also open source with a generous licence.

Why didn't Germany use that? Corruption.

The equivalent app to that in Germany launched a month earlier than Ireland's, is also open-source and integrated with other countries' (like Ireland's), and is not the app talked about here.
