Feeds

back to article COFFEE AND DANISH HELL: National ID system cockup forces insecure Java on Danes

A bungled IT upgrade has downed Denmark's universal NemID login system, forcing people to stay on an insecure version of Java if they want to carry out online banking, check their insurance, or retrieve tax return information. Problems with NemID were first reported on Tuesday, and on Thursday the NATS IT consultancy behind the …

COMMENTS

This topic is closed for new posts.

Oh dear

A sage lesson for any other gov who think about introducing a similar scheme. Not that they'll take any notice of course

What's that? Putting all our eggs in one basket you say? Nah, it'll be FINE...

11
2
Silver badge
Facepalm

Re: Oh dear

I could only file my 2012 tax return online in Spain with XP/IE 8/Java 7u9.

I imagine next year I could scrape by with Vista/IE 9/Java 7u25.

Must be something about government websites.

3
0
Silver badge

Re: Oh dear

On the contrary, other governments and their suppliers will use this as value add to, say the UK, who has a more proficient and robust IT sector and who would never allow something like this to happen to them. The biggest problem is that the Denmark Govt went the cheap route. We can prevent this from ever happening to you, but it will cost more than the bottom dollar they paid.

It'll all be rubbish of course, but I can already smell the thousands of 4-color charts being printed to 'prove' it.

6
0

Re: Oh dear

In a strange twist of fate H.C. Andersen has a story about keeping all your eggs in one basket, not sure if that's the originating story though.

Oh and the company who failed us miserably (again) is called NETS not NATS.

/Søren

2
0
Anonymous Coward

Why should the danes worry?

I thought all the real crooks were in the secret services, the tax offices and other government bodies who can already read your e-mails anyway !

[Yes the life of a civil servant can get THAT boring that they find entertainment in reading our daily electronic drivel :-)]

3
1
Bronze badge
FAIL

Forward Compatibility

It always baffles me to see code written that will break from security updates of the underlying platform, especially one that has been touted as 'Write Once, Run Anywhere'. Either the developers were improperly using certain functionality or Oracle coded the patch and broke the function making the documentation/specification invalid.

17
1
Silver badge
Facepalm

Re: Forward Compatibility

I'll take "the developers can't code their way out of a paper bag on a government project" for 30, Alex.

6
0
Bronze badge

Re: Forward Compatibility

It happens, through poor planning and poor programming.

Using things like depreciated API calls, even though they are documented as being removed "in a future version" or similar.

0
0
Silver badge

Re: Forward Compatibility

Deprecated API methods are never removed from Java, so that's not the issue. The only time I've seen this is in the following scenarios:

1. The application checks for specific version strings, and refuses to run if the installed runtime is different.

2. Calls are made to a non-public API that's then removed or modified.

My money's on scenario one, as changes to the non-public API are rare between major releases. The usual explanation for the version check is that the software is certified for a specific runtime version. Great for the contractor, since they can charge again and again for certification as a new release of Java is released. Completely pointless though, as Sun (and now Oracle) go to great lengths to ensure compatibility between releases, to the point that in some cases unintended behaviour in the class library can't be fixed for backwards compatibility reasons.

3
0
Anonymous Coward

Re: Forward Compatibility

I can tell you exactly what the problem is: Oracle have changed the fucking applet security model AGAIN. Exactly 18 hours after I fixed our code for the changes they made in their previous model.

They're not just moving the goalposts, they've picked them up and are legging it down the field. I and my customers are spectacularly fucked off, and my day will be spent trying to divine information from the various cagily-worded press releases, the half-complete and sometimes working bug database and the one line summaries in the changelog to figure out what the hell is going on, and stuffing largely random lines into the Jar Manifest, signing, resigning, testing, and starting again and again and again. Again.

Bastards.

5
0

Re: Forward Compatibility

I've been hit by this as well.

The original change was in JDK 7u25 was to add Permissions and Codebase Attributes to the JAR file manifest to defend agains unauthorized code repurposing. I would guess that something has changed in JDK 7u45. More information: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/no_redeploy.html and http://www.java.com/en/download/help/trusted_expired_variations.xml.

0
0
Gold badge

Sloppy code

I would guess a bit of sloppy code, perhaps even illegal per Java spec, that slipped by but now doesn't. I've seen this with gcc too, although of course with it it hits at recompile time rather than run time. At least should be easy to find and fix most likely.

3
0
Anonymous Coward

hurr

"cockup"

"Enjoy your gaping holes"

AC for obvious reasons

0
0

Legacy

Some pdfs don't work on acrobat reader 10 on hmrcs site. Its probably because the government is still on xp. Burying head in sand. Someone should make a browser just for java with a whitelist.

1
0
Bronze badge

Re: Legacy

The reason some of HMRC's PDFs don't work may not be that "the government is still on xp". Older, tried-and-tested PDF writers are likely to fairly bug-free by now. It seems more likely that someone in playing with new software using flashy features that aren't necessary.

0
0
FAIL

Don’t They Read?

Here in Australia, you need Java for any online transactions with the Tax Office.

How many more IT departments are there that still believe that Java is the right way to secure a transaction?

The irony is that using Java requires some technical know-how on the part of the user, either keeping it up to date, or, in this case to work around it. Those with the know-how already know that Java is a flawed solution.

3
1
Anonymous Coward

Re: Don’t They Read?

I could be wrong, but I could see one plausible reason for the Java: the One-Time Password. Trust cannot be secured if it's generated server-side (black box, possible black helicopters, also potential network interception). So it has to be done client-side. Since there's no telling what OS the client's running, you need something that can run on as many as possible. That pretty much narrows it down to Java.

Unless you can propose an alternate solution for a client-side, multi-platform OTP generator capable of being run on systems with low privileges.

2
2
Facepalm

Re: Don’t They Read?

> Unless you can propose an alternate solution for a client-side, multi-platform OTP generator capable of being run on systems with low privileges.

Eh? A 15 second Google for NemID shows that the OTPs are actually generated in advance and sent out to you on paper. You use one each time you log into a government/banking service, then never use again. You run out, you request more.

http://multimedia.pol.dk/archive/00545/n_glekort_nemid_545025a.jpg

And anyway, there are a quite a number of ways of generating OTPs offline, without having to do anything on the client's PC. My bank has sent me an electronic OTP generator. When I log in, I use my username and password (which the bank knows) to log in, then I'm asked to generate the OTP. I enter a PIN into my Secure ID device (the bank has no record of this) to unlock, then it generates an OTP presumably based on the current time and the device's serial ID. The bank generates the same code its end and if they match, I'm in. I would presume the algorithm has been designed to reduce the chances of two secure IDs producing the same number at the same time.

2
0
Bronze badge
FAIL

Re: Don’t They Read?

In South Africa you need the latest version of Flash and the latest Adobe PDF reader (no other versions or PDF reader will do)

Bloody annoying

0
0
Anonymous Coward

Re: Don’t They Read?

But the paper's a weak link. It can be STOLEN, much as a text can be intercepted. In fact, just about ANY situation where there's at least one step between the client and the password can have the trust broken. Even if handed directly to you, what's to say someone else doesn't have a copy?

0
0
Silver badge

One JVM to rule them all

NemID is a single login for services from private banking and email to insurance services, local council services.

Whoever thought that was a good idea?

5
0
Facepalm

Re: One JVM to rule them all

> Whoever thought that was a good idea?

Politicians, of course.

As usual, comfortably detached from the real world.

4
0
Bronze badge
Alert

Re: One JVM to rule them all

single login system

= single point of failure

= single target for exploits

4
0
Bronze badge

Re: One JVM to rule them all

Well the alternative would be every bank has different ways of you logging on, each with various security issues, each done differently, and each done by people of varying degrees of skill.

The NemID system is set up so users make an account (mostly just their social security number) and a password. Then when they log into NemID they are prompted to deliver a code matching a set of numbers. So 4452 = 452234 - which then gives you access.

If you are logging in using the correct bank page, then even if your account and password is stolen, the baddies still have to find a way to get the correct number, or they wont be able to log in.

It's not a perfect system, but it's easy enough for people to use, and secure enough that it would take quite an effort to gain access to an account. Unless you can get in the know about which numbers correspond to which for what users.

1
0
Anonymous Coward

Re: One JVM to rule them all

But probably not enough for a DTA environment since many if not most security breaks have an insider element. An insider could put the pieces together AND have the connections to slip by without detection.

0
0
Gold badge
FAIL

Just think the UK could have enjoyed similar "benefits" if Tony Blair had had his way.

I wish govt ministers would take one simple point away.

If a country of 5.6m is going to f**k this up why do you think a country of 66m is going to do better?

5
0
Anonymous Coward

IT would NEVER happen in Britain

nosir, our systems are absolutely, 200% secure!

2
0

Same with VPNs

I'm forced to use a Java applet based VPN for a client. Had same issue this week. Browser updated Java version and suddenly VPN stopped and no work could be done. :(

-Matt

0
0
Anonymous Coward

"And, to the no-doubt dismay of Reg readers, it relies on Java"

On the contrary - not all of us buy into the "java is insecure" rubbish that's peddled by the fanbois on El Reg.

1
5

"On the contrary - not all of us buy into the "java is insecure" rubbish that's peddled by the fanbois on El Reg."

So the 41 security fixes in this update arent really needed then cos Java is nice and secure according to you?

3
1
EJ
Pint

Excuse us, Mr. Gosling...

Go home... you're drunk.

0
0
Anonymous Coward

"So the 41 security fixes in this update arent really needed then cos Java is nice and secure according to you?"

I guess your language of choice has never needed a security patch then?

0
0
Silver badge

Can we say "Single Point of Failure"

or "Broken by Design"

Who in their right mind though it a good idea to have multiple systems like this secured with a single login? As should be blatantly obvious to anyone with a functioning brain, a single flaw such as this brings the whole house of cards crashing down.

2
0
Anonymous Coward

Re: Can we say "Single Point of Failure"

And what if that single point of failure also happens to be the only thing your clients will accept because "ease of use" clashes with "security"?

0
0
Bronze badge

I thought there was a workaround built in to the Java plugin...

...you can set it up so that any specific app that requires an older edition of the Java virtual machine, can be given it? I don't know the details that would apply, though.

0
0
Bronze badge

Minor update to the story

Nets have announced that come April next year a new approach will be made using javascript instead of java

(source: http://politiken.dk/tjek/digitalt/internet/ECE2107661/nets-dropper-java-i-den-naeste-version-af-nemid/ )

Also the system is now working

0
0
This topic is closed for new posts.