back to article IBM used dud DoS shield for failed online census says Oz PM

Australian prime minister Malcolm Turnbull says the reason for the failure of the nation's census is that systems put in place by IBM did not include adequate protection against denial of service (DoS) attacks. In an interview with conservative radio personality Alan Jones, embedded below, Turnbull said “My advice is that the …

  1. Sebastian A

    So what is it? "It was a DDOS" or "There was no DDOS"? I'd bet 2:1 that the person lying is the politician.

    1. Pompous Git Silver badge

      I'd bet 2:1 that the person lying is the politician.

      There would appear to be a few zeros missing after the 2...

      1. Dabooka Silver badge
        Stop

        Do you really mean 200:1? Surely as a statistical certainty the bookies would put it at 1:200 not 200:1?

        Mind I'd have a tenner on those odds if they were indeed offered.

    2. Anonymous Coward
      Anonymous Coward

      DDOS?

      You would think would be a relatively easy question to answer - especially now after the dust has settled.

      Smart money is on the system was just poorly designed and implemented and all wounds were self-inflicted.

    3. Version 1.0 Silver badge

      "the person lying is the politician." - were their lips moving?

  2. Diogenes Silver badge

    Turnbull advocating beheadings ?

    “Lots of people are trying to find out who to blame and what heads should roll.”

    1. Pompous Git Silver badge

      Re: Turnbull advocating beheadings ?

      what heads should roll

      Presumably if it's those Byron Bay hippies wot dunnit, they'll be rolling another spliff. Beheading's a lot less fun ;-)

  3. dan1980

    This is another case of the answer being much the same, regardless of the specifics.

    That answer is that the ABS cannot honestly assure us of the security of our data which, under their decision will now be far more valuable to hackers* and far more dangerous to us if misappropriated or misused.

    It is up to the ABS to ensure that the systems in place are up to the task, regardless of whether they are in house or outsourced to a third-party. The buck stops with them and hanging the blame of the third-party contractor, after the fact, does not magically wind back the clock and stop an attack from happening.

    If a breach occurs and data is lost then all the rolling heads in the world won't undo the damage.

    It should be noted that the root cause for all of this was the decision that the ABS made - on its own - to make this Census a primarily online submission, rather than paper-based. Regardless of the justifications for this, the fact remains that the ABS did not and does not have the internal capabilities to build or run such a system.

    Once you involve a third-party, you can no longer say 'trust' us, because you have left parts of the process in the hands of a someone that the public might not trust. And when you're talking about that third-party being IBM . . .

    The absolutely BEST way to imagine this, for the sake of the ABS, is that they did everything they could to make sure it was up-to-snuff and specified very clearly - and technically - exactly how the DoS protection should work and hired external people to test it and independently verified that IBM had built the system to spec and it was working as required.

    If that was the case, and I do not believe for a second that it was, then the take-away is that no matter how trust-worthy and well meaning the ABS is, they still cannot ensure the level of security that is absolutely required for the creation, processing and storage of this data.

    That's at best. The far more likely scenario is that the ABS did not do enough to either specify the required level of protection or simply palmed that off to IBM and stuck their heads in the sand. Given the tone of their responses to the legitimate, factually-based concerns and questions from journalists, politicians (thank heaven for those few making a big deal of this), privacy advocates and former heads of the ABS, it is no great leap to imagine how such self-righteous arrogance and refusal to listen to others could easily lead to them pushing ahead in the blind belief that they are right.

    It should also be remembered that when the ABS's plans were trounced by an independent assessment (not to mention every previous assessment), they simply did an internal one and, surprise, they agreed with themselves.

    I.e.: they ignored anyone who disagreed with them and pushed ahead with their own agenda regardless. Can't see how that could possibly backfire when it comes to security . . .

    * - As well as police and government agencies. That legislation prevents then getting access now gives NO guarantee that future legislation won't blast that wide open.

    1. Pompous Git Silver badge
      Pint

      @ an1980

      Wish I could upvote your comment more!

    2. Dagg
      FAIL

      That's at best. The far more likely scenario is that the ABS did not do enough to either specify the required level of protection or simply palmed that off to IBM and stuck their heads in the sand.

      The IBM approach:

      Customer: I would like to buy a car.

      IBM: Certainly, $xxxx please

      Customer: ok

      IBM: here is your car

      Customer: Where are the tyres and there is no engine!!

      IBM: Oh, you never asked for them, they are extra.

      1. dan1980

        @Dagg.

        Quite right.

        Indeed, I would dare to say that it is the way Indian outsourcing works. I mean no disrespect to Indian technicians as some of the brightest techs I know (in Australia) are Indian. What I mean is that when you offshore to cheap Indian firms, you often get exactly what you ask for, without any attempt to understand what it really is you need.

        I had a client who engaged an Indian firm to build an ecommerce portal, reasoning that, as they had engaged consultants and designers to make sure all the creative parts were nailed down, the back-end coding could be considered a commodity and farmed out to any old mob.

        When they got the finished (or penultimate) site, they were fuming that there was no real ecommerce functionality. when it came down to it, however, they never exactly specified what they wanted in that area so it was considered completely out of scope.

        That's what you get when you treat IT like a commodity - a commodity answer that may fail to meet your needs.

        The key to leveraging the cost savings of out-sourcing is to ensure you have competent people in-house who understand which parts can be farmed out and which need special attention. Those people are, with the help of a technically-savvy project manager, able to break a system or delivery into discreet parts with well understood functions and connections so that it all fits back together.

        My point about the failures of ABS is that I strongly suspect that they did not do that.

      2. CrazyOldCatMan Silver badge

        > IBM: Oh, you never asked for them, they are extra.

        Ah - the BMW/Mercedies/Audi way then.

        1. dan1980

          @CrazyOldCatMan

          Ah-ha! So that's why most of them don't have indicators!

    3. Disgusted of Cheltenham

      And DTO?

      Where was DTO when ABS needed them? Surely the friends recruited from GDS could have warned them about previous recent experience in the UK, such as DVLA, DEFRA, HMRC, and Electoral Registration?

      1. Anonymous Coward
        Anonymous Coward

        Re: And DTO?

        Argh. I'm getting a bad case of AO (Acronym Overload)..

    4. Poe

      It is genuinely hard to believe we're legally required to trust them.

      I can only hope there was at least one person in these meetings that put their hand up and said "what we're doing is dumb" and was shouted down... It means they might have someone to ask how to fix this. If no one saw this coming or even objected it shows a staggering void of critical thinkers.

      I hope it's not another herd of yes men and a naked emperor... But based on the current tide of emperors, this one will almost certainly be an agile scrum master with an 'extensive' background in cloud and devops.

  4. bep

    Yeah but

    the Government cut the ABS budget which left if with little alternative but to go for a primarily web-based approach, so there is plenty of blame to go around. I suspect the responsible Minister will still be standing after all the other heads have rolled, but we will see.

    1. Simon Sharwood, Reg APAC Editor (Written by Reg staff)

      Re: Yeah but

      The minister will only be standing because he's been in the portfolio for three weeks. The previous minister, however, is now hopefully one typo away from permanent demotion

      1. dan1980

        Re: Yeah but

        Simon's spot-on.

        I've no love for Michael McCormack, MP and homophobe, but it is unfair to pin this on him. From the sounds of it, it seems the ABS barely consulted cabinet - if at all. McCormack could well be the least to blame of all the cast.

        But yes, when you cut their budget so heavily, what choice but a third-party, online solution? At least Malcolm 'Cloud' Turnbull will be glad they're not 'box huggers' . . .

        1. Anonymous Coward
          Anonymous Coward

          Re: Yeah but

          No offense but just when I think there is no place more backwards and right wing than the US in the developed world I remember there is always Australia where black face on TV is still acceptable and legitimate political refugees are sent to the third world.

          1. lglethal Silver badge
            Go

            Re: Yeah but

            @AC: Australia is nowhere near as backwards and right wing as the US. What your saying is just hyperbole.

            Australia takes far more refugees on a per capita basis then the US. That it sends boat people to PNG and Nauru is to try and discourage people from dying by taking the boat route. Those that come in by plane tend to be accepted.

            Also the whole black face thing, it's hardly encouraged and it is beginning to be viewed as unacceptable but it is worth remembering that Australia does not have the history where using black face was a way of humiliating black people. That was never part of our history or culture, so we have no hang ups about it. A few years ago, KFC got hugely bad press in the US because it showed an advert in Australia to do with the cricket which showed a West Indian family (so Carribeans in other words) and an Aussie family sharing some KFC chicken. It was funny and there was no problems in Australia, but Americans got all up in arms because showing the West Indians loving to eat KFC was apparently racist stereotyping. Since we don't have that racist stereotype in Australia, it wasn't racist here. As another example, in Australia the Pakistan cricket team are known as the Pakis. Just the shortened form of the name Pakistan. However, you would NEVER call someone a Paki in the UK as there is a historical context there which is highly racist.

            Different cultures have different considerations for what is racist or discriminatory. You would do well to remember that....

            1. Anonymous Coward
              Anonymous Coward

              Re: Yeah but

              Well its good thing you set the record straight what with the news coming out lately about aboriginal treatment and refugees being raped in Nauru. A progressive paradise.

              1. dan1980

                Re: Yeah but

                @AC

                Oh absolutely - the ongoing mistreatment of Indigenous people is a national shame that a great portion of the country are rightly outraged about, as is the treatment of people on Nauru and, formerly, Christmas Island.

                Australia is not immune to these things as, like the US, we are a country composed of many people with many different views and cultures that is governed predominantly by older, white, Christian men.

                It's pointless to go back and forth on this - in both the US and Australia, the majority of the public are good, ordinary, respectful, well-meaning people who are appalled when their elected leaders and appointed law enforcement agencies behave in this way.

                We keep cycling our lizards but change happens slowly.

    2. Diogenes Silver badge

      Re: Yeah but , what budget cut ?

      What Budget cut ?

      From Perfessor Sinclair Davidson (RMIT) ...

      One of the arguments going around is that we shouldn’t blame the ABS for last nights shemozzle as they had had their budget cut. This is a very sneaky “blame the Coalition” tactic. Of course this tactic will have some traction because it is widely believed that the Abbott government slashed spending in its first budget.

      Now it is true that Joe Hockey cut funding to the ABS by some $7 million in his first budget. Not as much as the $19 million Wayne Swan cut from the ABS in his first budget.

      But as the graph below shows (data taken from the Budget Papers) it is simply not true to suggest that the ABS had had its budget cut. There is a clear pattern in the data – ABS funding ramps up dramatically in the year before and the year of a census and then falls back again. The Australian government (of either persuasion) is funding the ABS to undertake the census.

      http://catallaxyfiles.com/files/2016/08/ABS-budget.jpg

      I am reminded that in 2015 the federal government invested $250 million to upgrade ABS infrastructure, systems and processes.

  5. Phil Kingston Silver badge

    I'd have hoped a leader would be concerned with informing his populace when the compulsory system will be back online and fit for purpose. Not trying to play the aggressive bully-boy with his mentions of rolling heads etc.

    That said, heads must roll for this clusterf.

    1. Anonymous Coward
      Anonymous Coward

      heads must roll for this clusterf.

      It should start with Turnbull, after all he is the one in charge of all government departments and organisations.

  6. Anonymous Coward
    Anonymous Coward

    their own heads

    Of course their own heads won't roll even though they are the ones at the top and ultimately responsible for the mess.

  7. Anonymous Coward
    Anonymous Coward

    No way IBM will comment

    Like all contracts with the Fed. Govt, the supplier is forbidden to make any public comment or statement unless approved by the Department. And the Department wont approve IBM releasing a statement or rebuttal while the PM is busy smashing them.

    AC as I negotiate a lot of fed govt contracts.

    1. Pascal Monett Silver badge

      Well why doesn't somebody at IBM just say so when they get a call ? You can't really argue with the law.

    2. trashsilo
      WTF?

      Re: No way IBM will comment

      AC for a near AU$10 million contract - it is probably right for Fed.Govt & tax payers to expect a

      'gold plated, bomb proof delivery, support, fix' from the chosen vendor - not 'mud slinging'.

  8. Anonymous South African Coward Silver badge

    And this is why outsourcing is not always a good idea...

  9. Lee D Silver badge

    Denial of Service is a lovely phrase.

    Do you mean a deliberate attack designed to knock you offline?

    Or that they didn't account for lots of people logging on simultaneously?

    All the phrase means is that you weren't able to get onto the census. We know that much already.

  10. Pascal Monett Silver badge

    "systems put in place by IBM did not include adequate protection against [..] (DoS) attacks"

    I have one question : where is it stated that ABS required such protection in the specifications ?

    IBM may well be a lumbering behemoth that whose right hand doesn't know what the left hand is doing, but from my experience its consultants are very procedural and tend to want to include absolutely everything in the specifications to max out all possible chances of revenue. To me, that means that it is very likely that IBM offered DOS protection measures, and ABS said no to the cost, so the measures were taken out of the offer before signature and go-ahead.

    I simply cannot believe that IBM got handed the project and "forgot" to implement DOS protection measures. If IBM didn't implement it, I think it's because ABS said no. Probably because they thought the risk was insignificant ("who would DOS a census ?"). Now that the risk has revealed itself to be much more important, ABS wants to deflect the blame on the supplier. Typical coward's response.

    So which is it ? Can somebody shed some light on this ?

    1. Anonymous Coward
      Anonymous Coward

      Re: "systems put in place by IBM did not include adequate protection against [..] (DoS) attacks"

      I think you'll find IBM is copping the flack for its telecommunications subcontractor here, which is fair enough as far as contractural responsibility is concerned. Can you guess who the major telecommunications provider, who owns the layer within which DDoS protection would reside, might be?

  11. trashsilo

    Pattern ripper

    The critical 2009 CFA 'bushfire alert' website was another IBM implemented website that dramatically failed when really needed :

    "For several hours, amid the hottest and most dangerous conditions since the deadly February 7 fires, Victorians could not call up CFA web pages giving vital information about the status and progress of fires."

    http://www.smh.com.au/national/cfa-computer-failures-raise-fresh-alarm-on-day-of-danger-20091216-kxho.html

    That website cost >1.1m AUD according to parliament.vic.gov.au accounts for that year

    "IBM AUSTRALIA LIMITED Bushfire Preparedness 1,136,521.49 N/A Welfare Programs"

    http://www.parliament.vic.gov.au/images/stories/committees/paec/finance_performance_outcomes/2009-10_2010-11/QP1/FPO_09-11_P1_further_information_-_DoJ-CFA.pdf

    Sorry, can not find El Reg link for that other outrage

    "But today, war [and the NBN] is too important to be left to politicians." General Jack D. Ripper.

    1. Anonymous Coward
      Anonymous Coward

      Re: Pattern ripper

      FYI ....IBM ran the 2011 Census for ABS

  12. Anonymous Coward
    Anonymous Coward

    Has the Aust census data been stipulated as "must be kept in Australia?"

    As a general question, does anyone know if the Aust census data is one of those "must be kept in Australia at all times, and never transferred outside the country" things?

    Asking because when I used to work at IBM with various Gov data sources, some of them had requirements like this.

    That never stopped IBM from giving access to the data by remote (non-Aust located) operations staff though. IBM never seems to have been called out of this.

    Perhaps this is an opportunity for such practises to be discovered, and finally dealt with as well?

  13. J. Cook Silver badge
    FAIL

    "The Register has attempted to contact IBM, locally and at its US headquarters, for 36 hours. The only reply we have received was to refer us to different people inside IBM, who have also not answered questions."

    After trying to get support on an obscure IBM branded software product (encryption key management for an LTO tape vault) I suffered the same exact thing; the few people who did respond to me refused to do anything unless I had some obscure contract number (which I didn't have recorded anywhere) nor were they willing to help me divine that information. I managed to grease the wheels via our VAR and get some actual help on the software, but it was a bit aggravating. Unfortunately, the software product is obscure enough that Big Blur is the only vendor for it- no one else seems to want to make a competing product.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019