For anyone who doesn't read German, here is a summary: The company in charge of the connectors for the health care system "Telematik" built devices with certificates that expire after 5 years. Instead of updating thousands of machines with new certificates, the company claims these need to be replaced for a total cost of 400M Euro. The CCC showed how the firmware can be changed to accept new certificates, making the hardware replacement unnecessary, and offers to assist hospitals and doctor's offices with the software patch. However, the company "gematik" who delivers these connection endpoints first has to sign the new certificates, which they so far haven't agreed to.
What's worse about this story is that the company apparently planned the hardware replacement in a way that it would have to be replaced again in 2027, and they still were awarded the contracts for this multi-million dollar project.
I wonder how many golf trips with steak dinners and female "companions" the bureaucrats awarding the contracts got treated to...
The German government has been lauded as this great bastion, "Look, their economy is still running!", but it also has its corrupt elements. Besides, the whole roaring economy thing is related to making the rest of Europe peg its currency to the German one by way of the Euro, making the rest of the continent suffer...
We've already been fined by the EU for refusing to work against corruption. It's a big thing here and voters only care for a few months after the news reports, if that much.
This makes it sound like Germany had chosen to introduce the Euro whereas [1]:
>President François Mitterrand argued for the single currency because he hoped to bolster French influence in an EU that would otherwise fall under the sway of a unified Germany
However, you can argue that the continent suffers because Germany had reduced its labor costs [2], which unnecessarily moved production processes.
I'm assuming the German government wouldn't be able to compel them to turn over their private key, but they could certainly make it very clear that they would jeopardise any future contracts if they refused to cooperate.
The Gematik GmbH is in part managed (owned?) by the German ministry of health [0] and some health organizations like the Association of Statutory Health Insurance Agencies.
That says something about the 'risks' the Gematik takes (Hint: none).
Similar story: Earlier this year some health card readers, certified by the Gematik, had a bug. They wouldn't read certain cards that supposedly were electrostatically charged. The solution was a grounding device connected to the USB port of the card reader. [1] This thingy cost the doctors' practices another 100 bucks even though this clearly is a design flaw by the manufacturer.
They can do pretty much what they want at this point and the physicians and hospitals just have to cough up the dough.
In almost every country there is a number of well-connected companies who make a living exclusively by specializing in navigating the complicated layers of bureaucracy and swindling the taxpayer by selling overpriced and unnecessary proprietary products and services to a government who, by cluelessness or corruption, has no idea or doesn't care about sensible technical solutions and just agrees with whatever those preferential suppliers offer.
It's hilarious when you look at the web pages of such companies and see that their only customers in the last decades are various government agencies and state enterprises, which are their bread and butter as they would never be competitive on the free market. Working at such companies is even more toxic. Extremely outdated tech, poorly qualified staff, huge bureaucracy yet poor management and poor understanding of the work going on, and so many people doing nothing all day other than keeping seats warm and answering a couple of emails per week.
This is especially true in Germany. I remember the story from a former colleague who worked at the German information security government office (BSI), which had a cipher calculator on their website. It turned out to have a flaw in the calculation, and since the guy who implemented it didn't work there anymore and nobody on the staff knew where the code was, instead of fixing the calculator or removing it from the website, they put a warning on the webpage that this calculator is wrong and shouldn't be used and called it a day lol. Hilarious but also sad for the German taxpayer.
One big German company who has had a couple of scandals attached to their name and that has been 'disappearing' progressively from markets operated in similar ways (and the market cap going down progressively).
They end up cornered in markets where the expertise needed and moats are high and where they are slightly not too behind or ahead of the competition.
But anyway, the way to procure such "routers for secure networks" would be to add a contractual requirement of support for 20+ yrs.
I work at a company like this. From what I gather, it seems to have started out as a fine product-oriented business, but turned into what it is today due to the incentives involved. We sell our product primarily through public sector invitations to tender, where what matters is hitting a bunch of feature checkboxes on a list, with zero regard for the actual quality of the product.
When it comes to anything with computers it’s difficult to imagine ways to end up more incompetent than literally all German public (or pseudo-public, like here) agencies. You’d certainly get something more competent by collecting random strangers off the street.
It’s virtually impossible to overstate how bad the situation in this area truly is in Germany.
The fact that the agency is public or private has no innate meaning in terms of efficiency. The people in the organization and the processes make it more or less efficient and this is true independently from where the funding is coming from.
Can public organizations be made more efficient? Of course, as any organization can.
Finally, in this case is it not a private firm that is promoting inefficiency via dishonest market practices?
The real issue here is that the public agency has to buy services and products from private firms. Why can't the German state produce cost efficient routers on its own?
It’s unconscionably incompetent how a financially-stressed federal government appears to be unable to immediately seize an opportunity like this, along with doling out harsh repercussions for the executives who have decided (and still do) to cash in on this scheme.
This has become a repeating pattern to such a degree that claiming plain incompetence cannot plausibly explain it any more. Maybe it’s not outright malice but corruption and fraud indeed.
> Special routers are required in German doctors' offices to connect to the "telematics" health data network. After only five years of operation, there is no alternative to replacing the devices - at least according to the manufacturers. This exchange is expected to burden the already struggling healthcare system with additional costs of around 400 million euros. The Chaos Computer Club (CCC) shows that the expensive hardware exchange is anything but necessary, and donates a solution to the problem free of charge.
>This exchange is expected to burden the already struggling healthcare system with additional costs of around 400 million euros.
I'm always amazed at the gross inefficiencies of the German bureaucratic machine (including most public and government institutions), despite the traditional world renowned stereotype of "German efficiency", even though at this point I know I shouldn't be surprised anymore.
Call me jaded, but my experience with public contracts told me that, most likely, the hardware will still be replaced or, best case, the company providing the firmware will get a follow up contract around 100 million to do the update.
Also expect close to no media coverage about that, or any political consequences. Heck, it took a thorough, highly public late night show investigation into the head of a government agency for cyber security and his close, and private, links to former KGB agents and owners of cyber security firms, shady lobbying associations and whatnot for him to be replaced soon after. As if his known close ties to the private sector, and specific companies that ended up in the council advising the government on cyber security, weren't enough. One has to wonder, then, how such a position doesn't require a security clearance. If I had close private contacts to known former KGB guys (known because the guy in question got an award in public for long service for the KGB and the state) I would have never passed these checks. Or if I had not mentioned them I would have lost my job immediately. Fun fact, it was the former conservative-led government, and more specifically conservative politicians in charge of the ministry of interior, that put the guy in his position. And politicians from the same party maintained the contact with Russian authorities.
Isn't the stereotype 'deutsche Gruendlichkeit', which is not efficiency but thoroughness, which just means that a few thousand pages need to be filled out, signed and countersigned for the 400 mill order?
€400M sounds a lot but how many of these devices are there? If there's one in every medical practice that could be 100-200,000. [EDIT: this article https://www.healthcareitnews.com/news/emea/error-which-cause... suggests there are 130,000 clinics, that would be €3K per clinic]
Having a technician visit each and do a firmware update could well cost over $5K or more, as well as introducing downtime at the surgery; the changes would need to be done by people who are trained, and this is a device that is involved in personal medical data - they need to be managed and monitored.
Delivering a new piece of hardware with the new certificates that could be dropped in could well be cheaper (however bad for the environment) than updating them within the legal requirements that may be in place for tech that handles medical data.
There may be good technical and legal reasons why the certificates can't be updated remotely or are set to expire, but if I were the companies involved I would take in some devices, 'refurbish' them with new certificates and send them out to medical practices for drop in replacement, rather than sending out new devices.
>There may be good technical and legal reasons why the certificates can't be updated remotely or are set to expire, but if I were the companies involved I would take in some devices, 'refurbish' them with new certificates and send them out to medical practices for drop in replacement, rather than sending out new devices.
It's that the devices DON'T accept new certificates beyond a certain date. Like if your iPhone only accepted certificates that are valid up to 2022, then you'd need a new iPhone. That should be illegal, and the firm should have to pay for the technician/fw-update.
Isn't that because the certificate the boxes use to validate the remote certificates has an expiration date (as it probably should)? An iPhone gets updated certificates every time iOS is updated.
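An added example (Python, standard library only; not code from the CCC, gematik or any connector vendor) modelling the point of the two comments above: the connector does not reject the network's certificates because they are bad, but because the trust anchor baked into its firmware has expired or does not know the new issuer, and extending the firmware trust store is enough to fix that. All names, dates and keys are constructed, and an HMAC stands in for a real signature so the example runs offline.

```python
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date
    sig: bytes  # toy stand-in for a signature: HMAC over the signed fields


def _tbs(subject: str, issuer: str, not_after: date) -> bytes:
    return f"{subject}|{issuer}|{not_after.isoformat()}".encode()


def issue(subject: str, issuer: str, not_after: date, issuer_key: bytes) -> Cert:
    """Issue a certificate 'signed' with the issuer's (toy, symmetric) key."""
    sig = hmac.new(issuer_key, _tbs(subject, issuer, not_after), hashlib.sha256).digest()
    return Cert(subject, issuer, not_after, sig)


def connector_accepts(trust_store: dict, leaf: Cert, today: date):
    """Validate a peer certificate the way the comments describe the connector doing it:
    the peer must chain to an anchor baked into firmware, and every link must be
    inside its validity window. Returns (accepted, reason)."""
    if leaf.not_after < today:
        return False, "peer certificate expired"
    entry = trust_store.get(leaf.issuer)
    if entry is None:
        return False, f"issuer {leaf.issuer!r} is not a trust anchor in firmware"
    anchor, anchor_key = entry
    if anchor.not_after < today:
        return False, f"trust anchor {anchor.subject!r} expired on {anchor.not_after}"
    expected = hmac.new(anchor_key, _tbs(leaf.subject, leaf.issuer, leaf.not_after),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, leaf.sig):
        return False, "signature does not verify against the anchor"
    return True, "ok"


# Constructed scenario: a root valid for five years, baked into the connector
# firmware in 2017, and a successor root that the old firmware knows nothing about.
OLD_KEY, NEW_KEY = b"constructed-old-root-key", b"constructed-new-root-key"
OLD_ROOT = issue("TI Root 2017", "TI Root 2017", date(2022, 12, 31), OLD_KEY)
NEW_ROOT = issue("TI Root 2022", "TI Root 2022", date(2027, 12, 31), NEW_KEY)
FIRMWARE_2017 = {OLD_ROOT.subject: (OLD_ROOT, OLD_KEY)}


def patched(trust_store: dict) -> dict:
    """The software fix: extend the firmware trust store with the successor anchor."""
    return {**trust_store, NEW_ROOT.subject: (NEW_ROOT, NEW_KEY)}


def demo(today: date = date(2023, 3, 1)) -> dict:
    new_leaf = issue("ti.example", "TI Root 2022", date(2024, 3, 1), NEW_KEY)
    old_leaf = issue("ti.example", "TI Root 2017", date(2024, 3, 1), OLD_KEY)
    return {
        "old_anchor": connector_accepts(FIRMWARE_2017, old_leaf, today),  # anchor expired
        "unpatched": connector_accepts(FIRMWARE_2017, new_leaf, today),   # unknown issuer
        "patched": connector_accepts(patched(FIRMWARE_2017), new_leaf, today),
    }
```

Running `demo()` shows both failure modes on the 2017 trust store and acceptance once the new anchor is added, with no change to the device's own certificate or hardware.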
Love the CCC! Visited the congress in Leipzig in 2017 and it's been such a great and fun experience, absolutely recommended for everyone. Finally a tech event that isn't all about money and corporate sponsors.
[1] https://www.economist.com/leaders/2012/11/17/the-time-bomb-a...
[2] https://en.wikipedia.org/wiki/Hartz_concept
[0] https://de.m.wikipedia.org/wiki/Gematik
[1] https://www.borncity.com/blog/2022/01/16/problem-mit-statisc...
This is fucking brilliant XD
You get exactly what you pay for.
On average, this means they’re more rigorous in their vendor selection processes.
Therefore private entities are less likely to make bad purchases.
>>difficult to imagine ways to end up more incompetent than literally all German public
I think that pretty much sums it up perfectly.
The CCC is a national treasure.
You forgot the mask-scandal ;)