Tag: european union

  • Interesting and worrisome views of the European public digital infrastructure

    Digital sovereignty is currently the order of the day. It seems European leaders suddenly opened their eyes and realized they were living in a fairy tale.

    Many practitioners and organizations have been alerting to this need for years (decades?). They were ignored.

    Nevertheless, this is not the topic of this post, even though it could help us visualize the extent of our dependency.

    Recently I became aware of a few very interesting projects that map the providers and security settings of the digital infrastructure of many public institutions.

    We have the maps of the email providers:

    And many others can be found in the original project readme file.

    The overall picture is not good (pretty bleak, actually) for something that should already be a “commodity.” From the countries I was able to take a look at, Portugal is not one of the worst, still far from the one in better shape (France) but not the worst. However, in this land, some people just don’t learn.

    Another project, announced here, focuses on a different area. Not on the providers, but on the configurations and security good practices of the said infrastructure. Essentially, it aims to monitor and evaluate the security settings of many websites and platforms from European governments. The results can be found on:

    https://securitybaseline.eu

    Even though I disagree with some criteria for evaluating the risk of a few settings, looking at Madeira and Portugal, the picture isn’t also pretty. Insecure ciphers on HTTPS, lack of encryption in FTP servers, lack of DKIM signatures for email, etc.

    There is lots of room for improvement on basic and essential things. It reinforces the idea that security is not a first-class citizen, and I’m always skeptical when I hear/read that some institution was a target of a “sophisticated” cyber attack.

    Nevertheless, visualizing things helps us know where to focus and track progress. That’s why I found these projects interesting and worth sharing. So with this in mind, I will leave here a few other things I would like to also see tracked:

    • The technologies and providers of those platforms
    • Where and how the code managed
    • Where and how the data are hosted
    • The official file and data formats used by these public institutions
    Fediverse Reactions
  • EU-Free and Open Source Software Auditing project

    Today I stumbled on this blog post about a poll for the EU-FOSSA. I’m not familiarized with all aspects of this pilot project, however by the information I could gather, it seems to be a really great idea.

    Most of us regularly use, up to a certain degree, several pieces of free (as in freedom) software on a daily basis. Many of these projects are essential to assure the security of our communications, documents and work. European institutions and countries make use of these tools as well, so why not spend a little time and money to assure they meet certain quality goals and are free of major bugs that can undermine the safety of its users?

    This will also raise the public’s trust on these tools, so they can become standards over their proprietary counterparts, which we are unable to review and modify according to our needs, leading to many security questions.

    One of its components is a sample review of one open-source project and until the 8th day of July you can give your opinion on which one. Go there it only takes 1 minute and it will help them understand that this is an important issue. Here is the link