Weekly Backlog Week 4/2026
🧠 Editorial This week feels like a reality check for everyone who thought digital sovereignty was …

Week 2 feels like a déjà vu on repeat. Critical security vulnerabilities, political dependencies, cloud lock-ins: all known, all documented, and yet everything carries on as before. While conferences on digital sovereignty are being held, productive systems sit unpatched on the internet. While "proven platforms" are relied upon, prices and dependencies rise. And when authorities point to responsibility, it surprisingly often ends exactly at the boundary of their own jurisdiction.
At least: Open Source doesn’t just quietly die. And sometimes, reason even prevails in court.
More than 11,500 vulnerable MongoDB instances in Germany. Third place worldwide. This is not a footnote in IT security, but a structural failure in the operation of digital infrastructure.
The "MongoBleed" vulnerability is reminiscent of CitrixBleed: yet another critical flaw, yet again publicly available exploit code, yet again tens of thousands of exposed systems. And once again it becomes clear that the problem is not the existence of a vulnerability but its massive, months-long non-remediation.
Particularly striking is the view of the providers. With Hetzner, a German hoster tops the list of vulnerable MongoDB instances worldwide. This does not automatically imply misconduct by the provider – but it shows how easily responsibility can be delegated away in the cloud era. “The customer is responsible” becomes an excuse when basic security standards are not even visibly enforced.
MongoBleed is not an exotic edge case. The affected configuration, zlib compression enabled, is often standard according to security researchers. That thousands of productive databases are openly reachable from the internet without timely patching is not an operational accident. It is everyday reality.
And this is precisely where the political and economic problem lies: Germany discusses digital sovereignty while central data repositories with a CVSS 8.7 flaw remain unpatched on the net. Open-source software is not the risk; it delivers patches quickly and transparently. The risk arises where operation, maintenance, and responsibility are cheaply outsourced.
Those who use the cloud assume responsibility. Those who operate productive systems must patch. And those who host critical infrastructure cannot hide behind contractual clauses. MongoBleed once again shows: Security is not a function of the product, but of the organization behind it.
The Administrative Court of Cologne strengthens the role of the Federal Office for Information Security (BSI). A software manufacturer had sought, by way of an urgent application, to prohibit the BSI from assessing its security concept as "conspicuous." The court dismissed the application. The message is clear: state cybersecurity authorities are allowed to inform, even when it is economically inconvenient.
The core of the decision is less legal-technical than regulatory. The court makes it clear that preventive legal protection against official security assessments must remain the exception. Companies cannot prevent a critical publication solely by pointing to potential reputational damage. Negative market consequences are part of the risk when products are security-relevant and evaluated.
The standard applied is noteworthy. "Conspicuous" was sufficient. No warning of acute exploitation, no total condemnation, no flashy placement. And yet the manufacturer wanted to stop the state's intervention. The court disagrees: security assessments are dynamic, correctable, and can be answered with counterstatements. Those who provide better arguments or better software can regain lost trust.
This shifts the debate. The question is no longer whether the BSI may warn, but how professionally companies deal with criticism. In times of NIS2, this is consistent: the legislator has explicitly codified the authority's information powers. Those who offer digital products must expect to be measured publicly, not only by marketing promises but by real security standards.
The case is reminiscent of the Kaspersky decision but goes beyond it. It is not about geopolitical exceptional situations, but about everyday software for consumers. Here, it becomes clear how important independent state classification is. The market alone does not regulate security. Transparency does not arise from whitepapers, but from verifiable assessments.
The verdict is therefore not an attack on the software industry. It is a clarification: Security criticism is not a pillory, but part of public welfare. Those who perceive this as a threat have a problem – not with the BSI, but with their own security understanding.
The case of Rote Hilfe is more than a dispute over a terminated association account. It shows how fragile Europe’s financial and political sovereignty has become when decisions from Washington effectively determine who has access to the banking system in Germany.
Shortly before the end of the year, both Sparkasse Göttingen and GLS Bank terminated the accounts of an association that is not banned and operates legally in Germany. The timing coincides with the classification of a nebulous “Antifa Ost” as a terrorist organization by the US government under Donald Trump. That a German association ends up on an OFAC sanctions list is apparently enough to deprive it of essential infrastructure here.
Legally, this is precarious. Politically, it is a warning sign. Rote Hilfe may be controversial, it is monitored by the Office for the Protection of the Constitution, but it is not banned. Yet banks resort to a measure otherwise justified by terrorist financing or organized crime: debanking. Without judgment, without ban, without transparency.
Particularly problematic is the role of public institutions. Sparkassen regularly claim that they can only terminate accounts of right-wing organizations upon a ban. Why this line does not apply to a left-wing association remains unanswered. Trust in the political neutrality of state-affiliated financial institutions suffers significantly.
The case also highlights how extraterritorial US sanctions policy works. OFAC lists are not European law, but they have a de facto effect because banks shy away from global risks. The result is a creeping privatization of political decisions: Banks implement what governments threaten – without democratic control.
That even alternative banks like GLS Bank hide behind banking secrecy, despite publicly presenting themselves as politically engaged and protest-friendly, reinforces the impression of opportunism. Stance ends where it becomes regulatorily inconvenient.
The lawsuit of Rote Hilfe against Sparkasse is therefore more than self-defense. It is a test case. It concerns the question of whether public welfare-oriented infrastructure can be withdrawn from politically unpopular actors without a legal breach. And it concerns Europe’s ability to resist political pressure from third countries.
Debanking is no longer a fringe phenomenon. It becomes an instrument. Those who accept this accept that political power no longer operates through laws, but through account freezes.
🔗https://www.fr.de/wirtschaft/rote-hilfe-klagt-gegen-debanking-nach-us-sanktionsliste-94104327.html
Denmark has spoken a sentence that many European governments have avoided for years: Under President Donald Trump, the USA is considered a potential threat to national security for the first time. Not rhetorically, not diplomatically veiled, but in black and white in the threat report of the military intelligence service. This is not an affront, but a situation assessment.
The context is clear. Washington openly uses economic pressure, threatens with tariffs, does not fundamentally question military means even towards partners, and treats Greenland as a strategic bargaining chip. For a country like Denmark, this is not a theoretical debate, but a question of state sovereignty.
Just days later, the next reality check follows, this time in Venezuela. The USA conducts a long-planned military operation, infiltrates Caracas with special forces, disables infrastructure, captures the incumbent President Nicolás Maduro, and flies him out of the country. Followed live by the President from Mar-a-Lago. Without a UN mandate. Without due process. With the declared aim of "temporarily governing the country themselves."
Maduro is no victim. His authoritarian rule, massive corruption, election manipulation, and the systematic destruction of democratic institutions are well documented. His offenses are real and serious. They justify indictment, sanctions, and international pressure. But they do not justify military abduction by another state.
This is precisely the point Denmark addresses, and one that Europe can no longer ignore. When the USA decides when international law applies and when it does not, when regime change by special forces is declared a legitimate foreign-policy tool, and when military power is openly used against states that do not fit the strategic pattern, that is not a slip but a pattern.
For Europe, this is an uncomfortable but necessary realization. Security is not based on habit, but on reliability. And reliability ends where law becomes optional. Denmark draws conclusions from this. Other European states will have to follow – not out of anti-Americanism, but out of sober self-respect.
In the end, a central question remains: What message does the unlawful abduction of Nicolás Maduro send to the world – and to all those states that will have to decide in the future whether to rely on international law or military strength?
🔗https://www.tagesschau.de/ausland/venezuela-us-angriff-ablauf-100.html & https://www.nordisch.info/daenemark/stuft-usa-erstmals-als-nationales-sicherheitsrisiko-ein/
The warnings are on the table. In Switzerland, thirty data protection officers sound the alarm; in Germany, Bavaria under Markus Söder is discussing a long-term commitment to Microsoft 365. The arguments are the same everywhere, and the decisions surprisingly similar. And therein lies the problem.
Digital sovereignty is often invoked in Europe. In practice, it is systematically undermined – through procurement decisions that prioritize short-term convenience over long-term control. Microsoft is not just any provider, but the infrastructural standard to which administrations bind themselves for years, often decades.
The core is not a technical detail dispute, but a question of power. US law applies to US