Weekly Backlog Week 4/2026
🧠 Editorial This week feels like a reality check for everyone who thought digital sovereignty was …

Christmas Eve is traditionally the moment when you convince yourself that nothing critical will happen this year. The pagers are silent, the deployment windows are closed, and somewhere a “fix after the holidays” is hastily noted in a ticket.
2025 does not adhere to this convention. Instead of a year-end review, Week 52 delivers a condensed lesson on what it was all about: Trust in infrastructure, power over rules, and the question of who really controls systems.
This issue is therefore a bit longer. Not out of nostalgia – but because many of the topics are more than just news. They are symptoms.
The Federal Office for Information Security (BSI) advisory on the vulnerability CVE-2025-20393 in several AsyncOS-based Cisco products initially appears to be a classic security case: Remote Code Execution with root privileges, CVSS 10.0, attacks apparently active since at least November.
On closer inspection, the incident tells a much more uncomfortable story. The affected systems are precisely those that companies use to secure their communications: Cisco Secure Email Gateway and the Secure Email and Web Manager. These are components that sit deep within email traffic, make decisions, filter content – and are thus by definition highly privileged.
Cisco and BSI correctly point out that successful exploitation requires certain conditions. The spam quarantine feature must be enabled and accessible from the internet – not a default configuration. But this is exactly where the structural risk lies: in practice, security products are almost always customized, exposed and “quickly integrated”. Not out of carelessness, but due to operational necessities.
The temporal dimension is particularly problematic. If attacks occur weeks before public warnings, operators must assume that systems could be compromised before patches or workarounds take effect. This is a poor starting point for incident response.
The real learning effect is therefore not in the specific CVE, but in the operational model. Market leadership, certifications, and security marketing do not replace one’s own threat modeling. The more central a product is, the more attractive it becomes as an attack surface. Security does not arise from the label “Security Appliance,” but from restrictive configuration, monitoring, and the willingness to question uncomfortable architectural decisions.
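As an added illustration (not code from the BSI advisory or from Cisco), the triage logic below encodes the two points made above: the stated precondition (spam quarantine enabled and reachable from the internet) and the timeline argument that any system exposed while exploitation was already active cannot be trusted on the strength of a patch alone. The inventory and all dates are constructed; the exact start of exploitation is an assumption, since the advisory only says “since at least November”.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption for this example: the advisory only says "since at least November",
# so the first day of November 2025 is used as the start of the exploitation window.
EARLIEST_KNOWN_EXPLOITATION = date(2025, 11, 1)


@dataclass
class Appliance:
    name: str
    spam_quarantine_enabled: bool
    quarantine_internet_reachable: bool
    exposed_since: Optional[date]   # when the quarantine became internet-reachable
    mitigated_on: Optional[date]    # patch applied or quarantine taken offline; None = not yet


def triage(a: Appliance, as_of: date) -> str:
    """Classify one appliance against the precondition and the exploitation timeline.

    patch_routine     : precondition not met, patch in the normal cycle
    patch_and_monitor : precondition met, but mitigated before exploitation began
    assume_compromise : exposed while vulnerable during the exploitation window;
                        forensic review is needed, patching alone is not enough
    """
    if not (a.spam_quarantine_enabled and a.quarantine_internet_reachable):
        return "patch_routine"
    start = a.exposed_since or as_of
    end = a.mitigated_on or as_of          # still exposed: window runs until today
    # The vulnerable-exposure window [start, end) overlaps the exploitation window
    # [EARLIEST_KNOWN_EXPLOITATION, as_of] only if it ends after the latter began.
    if end > EARLIEST_KNOWN_EXPLOITATION and start <= as_of:
        return "assume_compromise"
    return "patch_and_monitor"


def triage_inventory(appliances: list, as_of: date) -> dict:
    """Return {appliance name: triage verdict} for a whole inventory."""
    return {a.name: triage(a, as_of) for a in appliances}


# Constructed sample inventory, evaluated as of Christmas Eve 2025.
AS_OF = date(2025, 12, 24)
INVENTORY = [
    Appliance("esa-dmz-01", True, True, date(2025, 6, 1), None),
    Appliance("esa-internal-02", True, False, None, None),
    Appliance("sma-dmz-03", True, True, date(2025, 6, 1), date(2025, 12, 20)),
    Appliance("esa-lab-04", True, True, date(2025, 6, 1), date(2025, 10, 15)),
]

if __name__ == "__main__":
    for name, verdict in triage_inventory(INVENTORY, AS_OF).items():
        print(f"{name}: {verdict}")
```

The "assume_compromise" verdict for sma-dmz-03 is the point of the timeline argument: the patch on 20 December came after weeks of exposure during active exploitation, so the system still needs incident-response review.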
Just before Christmas, the UN General Assembly decided to permanently establish the Internet Governance Forum (IGF) as an institution. Formally, this is progress. Politically, it is primarily an interim status.
The process analyzed by Sophia Longwe on netzpolitik.org shows what it was essentially about: power. About whether the rules of the net will continue to be negotiated in a multistakeholder model – jointly by states, civil society, the technical community, and business – or whether governments will gradually take more control.
The institutionalization of the IGF ensures continuity and gives the forum more stability. This is especially important for civil society actors, as the IGF has often stood on shaky financial and political ground. The German government’s clear commitment to an open internet is also explicitly highlighted positively in the article.
At the same time, the resolution contains formulations suggesting a stronger role for governments. The consensus that was reached conceals how contested these issues actually were. The fact that G77 countries have different ideas than the EU is not a detail, but an indication that the multistakeholder model is anything but secure.
The national level is particularly critical. While international participation is invoked, it often remains selective or late in Germany. Projects like the Deutschland-Stack show that multistakeholder rhetoric does not automatically lead to structural involvement.
WSIS+20 was thus not a conclusion, but a milestone. Whether the open internet politically survives will not be decided in resolutions, but in the concrete implementation of participation – globally and nationally.
In many AI debates, a familiar pattern emerges: Efficiency gains are equated with the reduction of entry-level positions. Matt Garman, CEO of AWS, strongly disagrees with this thinking – and not for sentimental reasons, but due to organizational logic.
Garman points out that junior developers are often particularly adept at using AI tools. They have already used these technologies during their studies or in early jobs and naturally employ them for code generation, analysis, and optimization. Data like the Stack Overflow Developer Survey 2025 supports these observations.
Additionally, there is a sober cost calculation. Junior positions are relatively inexpensive. Eliminating them saves little in the short term but risks significant long-term costs: lack of new talent, knowledge gaps, and later expensive new hires. Studies show that some companies ended up with higher overall costs after AI-induced layoffs.
The central point, however, is structural. Organizations that no longer offer entry-level roles disrupt their own talent pipeline. Experience does not arise in a vacuum but through learning on the job. AI changes task profiles, but it does not replace the process in which people take responsibility for systems.
Garman’s statement is thus less a defense of junior developers than a warning against short-sighted strategy. AI is a tool. Anyone who believes they can skip training, mentoring, and knowledge building with it is building a scaling problem.
🔗 https://www.finalroundai.com/blog/aws-ceo-ai-cannot-replace-junior-developers
The heise report on the use of free office solutions shows how much pragmatism is needed to actually implement digital sovereignty. For private users, LibreOffice is usually a straightforward alternative. For authorities and large organizations, it is a strategic project.
The examples from Schleswig-Holstein, Schwäbisch Hall, or the Austrian Armed Forces show that the transition works – but not without compromises. Even pioneers retain some Microsoft licenses where specialized applications are technically closely coupled. However, the key point is: None of the organizations plan to return to Microsoft as the standard.
Schleswig-Holstein has gone particularly far. Around 80 percent of office licenses have expired, tens of thousands of workplaces use LibreOffice, Thunderbird, and Nextcloud with Collabora. The political goal is clear: reduce dependencies, regain control.
Financially, the state expects savings of over 15 million euros annually from 2026. More importantly, the investments – migration, training, development – do not dissipate but flow directly into open-source projects. The consistent switch to ODF plays a central role in this.
The report does not hide the weaknesses of free office suites. Document comparison, pivot tables, and diagrams still have room for improvement. However, the example of Schleswig-Holstein also shows how to deal with this: through targeted commissioning and upstream contributions. Open source thus becomes a design tool rather than a compromise.
The article from The Register dispels a popular misconception: Digital sovereignty is not a marketing term, but a question of ownership, legal jurisdiction, and control. The often-cited figure that around 90 percent of European digital infrastructure is in the hands of non-European providers is more than just a statistic.
The US CLOUD Act makes it clear why this is relevant. It allows US authorities to access data from US companies – regardless of where it is stored. For European organizations, this directly conflicts with data protection and compliance requirements.
Some institutions are now drawing operational conclusions from this. The Austrian Ministry of Economic Affairs deliberately relies on Nextcloud instead of a US cloud service. The International Criminal Court has replaced Microsoft products with a European open-source solution. The motive is not cost reduction, but control capability.
The article also shows the limits of this strategy. Even European providers offer no lasting protection if they can be acquired. The planned sale of Solvinity illustrates how quickly sovereignty can be lost – legally and quietly.
The criticism from Cristina Caffarra therefore hits a sore spot: Europe’s problem is less regulation than a lack of industrial policy. Without strategic procurement and protection of its own providers, sovereignty remains a claim without substance.
🔗 https://www.theregister.com/2025/12/22/europe_gets_serious_about_cutting/
The sanctions by the US Department of State against representatives of HateAid mark a new level of escalation in the conflict over digital regulation. The accusation of being part of a “global censorship-industrial complex” is not aimed at individual cases – it targets the Digital Services Act itself.
HateAid acts as a Trusted Flagger, a role explicitly provided for in the DSA. Trusted Flaggers report allegedly illegal content but do not decide on its removal. This decision remains with the platforms. Participation in advisory bodies of the Federal Network Agency also occurs on a legal basis.
With the sanctioning of Thierry Breton, it becomes clear that this is about more than NGOs. European digital regulation is being delegitimized, and its enforcement is portrayed as political interference.
The consequences are real: travel bans, possible restrictions on platform or payment services. Above all, a precedent is set. If democratically enacted European law is internationally treated as a hostile act, its enforceability is under pressure.
Now the EU Commission and the German government are called upon. Not with symbolic politics, but with a clear stance: European law applies in Europe – regardless of company headquarters.
🔗 https://www.digitalpolitik.de/usa-gehen-gegen-hateaid-vor/
With version 1.35, Kubernetes once again demonstrates that maturity does not mean stagnation. 60 enhancements, along with clear deprecations – the release is less flashy, but therefore op…