[concinds]

Penalties don't work for government agencies. Taxpayers would pay for it and it doesn't act as an incentive.

The way to fix it is to empower one government agency to do aggressive pentesting against every other agency, hospitals, banks, infrastructure, and big corporations, with salaries matching the private sector. Impose a legally-enforced deadline to fix any issues, with a fine (for private actors) or demotion of the guy in charge of infosec (for state agencies).

Forget compliance checklists, KPMG "audits" and all that crap, just have government-sponsored hackers trying to get into everything like an attacker would.

France seems to have had a ton of government hacks in the past year at various levels, so it's sorely needed.

[selfhoster1312]

I agree with the premise that SSII audits are useless, but your solution sounds like bandaid on a cancer. The real solution solution is stop this surveillance machine madness!

I understand that identity is required for property deeds and bank accounts for tax reasons and that should 100% not be online. But for the rest, it should be entirely outlawed to collect personal information beyond what's necessary for the service, including for government agencies.

Make healthcare (really) free => no social security database to hack. Give me back humans in offices for taxes and drivers licences => no ANTS database to hack. etc.

[guenthert]

Er? social security covers more than just healthcare and the issue with on-line data in context of healthcare is patients' history, which i) is sensitive and ii) needs to be shared among health care providers.

[selfhoster1312]

French context: sécurité sociale exclusively means socialized healthcare. Sorry for the confusion.

[concinds]

Flagged for AI use.

[selfhoster1312]

Tough luck, i've never used any machine learning in my life (that i know of). AI tools are part of the same problem, the same techno-fascism i was decrying in my comment. I'm just curious how you could even think i was using AI????

[spwa4]

You don't seem to realize the difference between those 2.

> The way to fix it is to empower one government agency to do aggressive pentesting against every other agency, hospitals, banks, infrastructure, and big corporations, with salaries matching the private sector. Impose ...

And now you've got private people empowered to attack specific government officials. In fact, that's their job. Btw: you forgot to specify "in public", and that needs to be how it works, otherwise it will just result in officials attacking this security agency. Oh, AND you're giving government officials an obvious point of attack: "salaries matching the private sector".

> Forget compliance checklists, KPMG "audits" and all that crap, just have government-sponsored hackers trying to get into everything like an attacker would.

You mean forget the way even the dumbest of the dumb can "provide security"? Do you think government officials in France got their position based on their IQ?

Of course this is the only way it can work, but this needs a very un-French form of government to get it to work.

[selfhoster1312]

> this needs a very un-French form of government to get it to work

I'm usually not one to defend french culture, but i believe your interpretation is wrong. What went wrong in this case is the americanization of the french administration: make everything complex, remove all local government branches and workers who can help you, remove every sensical administrator from their position, ignore all the privacy laws that were passed after Vichy and the nazi/IBM databases, "just make all the NUMÉRISATION".

The french government didn't have a proper national ID system until the nazi administration (Vichy) who invented the CNI and the Ausweis. There was strong sentiment against this well into the 70s and the Loi Informatique et Libertés, and it's only the more recent startup generation that started undoing all our ancestors hard fought battles against data collections/centralization.

[mcmcmc]

> Penalties don't work for government agencies. Taxpayers would pay for it and it doesn't act as an incentive.

This is the same as the rogue police problem in the US. What needs to happen is a shift to personal liability for those responsible.

[signatoremo]

Personal liability? Are you also against no blame culture that is prevalent in the tech world?

[arkh]

Someone(s), somewhere, is paid "big bucks" to be in charge.

That's the person we should charge. If they cannot be charged for this kind of fuck-ups, then they should not be paid anything for simply rubber-stamping anything going over their desk. A simple machine could do their job.

[mcmcmc]

If it’s related to compliance? Yeah I think that’s a pretty dangerous culture to have. Compliance requirements need owners who will ensure standards are met. If they don’t do their jobs, then they should face the consequences for the harm they allow.