back to article IBM botched geo-block designed to save Australia's census

Australia's Bureau of Statistics has heavily criticised IBM for the security it applied to the nation's failed online census, which was taken offline after a distributed denial of service (DDoS) attack that battered a curiously flimsy defensive shield. The Bureau also admits it could have done better in a submission (PDF) to a …

  1. Magani
    Mushroom

    What's that Skip?

    Cue fingerpointing in 3... 2... 1...

  2. David 132 Silver badge
    Coat

    Poor IBM

    Tried and convicted by a kangaroo court.

    1. Anonymous Coward
      Anonymous Coward

      Re: Poor IBM

      Unfortunately they will soon bounce back...

      1. Mark 65

        Re: Poor IBM

        Stuffed up a state level (QLD) and Federal level, just global to go for the trifecta!

  3. Pompous Git Silver badge

    "the Bureau of Statics was told by the Signals Directorate"

    to stop combing their hair and picking up little pieces of paper with the comb and do something a bit more useful with taxpayers' money ;-)

  4. Queeg

    "If you build it, they will come"

    and fuck it up

    While I am sure IBM deserve a serious kick up the arse (and will get it if any Aussie politician/media whore get they're way).

    Talk about naive "We want a system that is totally secure", "Fine, disconnect it from the outside world."

    "Oh, and remember to unplug it at the power socket in the wall".

    I suspect both sides are equally deserving of the titles Dickwit,Fuckwit and Asshat of the week.

    1. James Anderson Silver badge

      "Disconnect it from the outside world".

      Actually quit sensible given that:

      a). no one outside Australia has a legitimate reason to access the website.

      b). an attack from inside Australia could be traced and the perpetrators locked up by local law enforcement.

      1. Robert Helpmann?? Silver badge
        Childcatcher

        Disconnect it from the outside world

        a). no one outside Australia has a legitimate reason to access the website.

        It's not something that Australians living abroad might have an interest in? Or news agencies?

        1. Pompous Git Silver badge

          Re: Disconnect it from the outside world

          It's not something that Australians living abroad might have an interest in? Or news agencies?

          It's a census of people in Australian households on the night of the census. Australians abroad on the night of the census are not part of the census. Nor news agencies.

          1. Mark 65

            Re: Disconnect it from the outside world

            There's a lot of Australians using VPNs, not all of which will have a domestic end-point.

            1. Trixr

              Re: Disconnect it from the outside world

              And if you wanted to fill in your census in such a scenario, then you would presumably have the minimal intelligence required to turn off the VPN if you'd received "you must be residing at an Australian address at the date of the census" geoblock warning.

              If they'd planned for the idiocies of VPN-users, I'd object to my tax money being wasted, frankly.

  5. Anonymous Coward
    Anonymous Coward

    Fired? Nooo surely not

    The email we got inside IBM wasn't "we fired them" it was "resigned effective immediately" followed by some drivel about what wonderful people they were. Poor guys, you can't strip the technical base of your organisation then be surprised when things go wrong.

    1. Michael Hoffmann
      Meh

      Re: Fired? Nooo surely not

      With the never-ending "resource actions" going on, how does anybody at IBM even tell whether it's resigning, firing or laying-off anymore?! Do you get a different coloured hat when walking out the door or something?

      1. Anonymous Coward
        Anonymous Coward

        Re: Fired? Nooo surely not

        No - just a different manager.

        As soon as one jumps ship, you know the next one will be delivering bad news....

  6. Winkypop Silver badge
    FAIL

    ABS new culture

    Rules

    • Blame everyone BUT ourselves.
    • See 1

    1. Anonymous Coward
      Anonymous Coward

      Re: ABS new culture

      This culture is far from new in the ABS - it was there when I worked there 25 years ago.

      Tossers.

  7. frank ly

    Keep up with the times

    But the Bureau “did not independently test the DDoS protections that IBM was contracted to put in place, as it considered that it had received reasonable assurances from IBM.”

    I thought it was cheap and easy to hire a DDoS attack nowadays.

    1. Wensleydale Cheese

      Re: Keep up with the times

      "I thought it was cheap and easy to hire a DDoS attack nowadays."

      From 2015: $38 an hour is the cost of destructive DDoS Attacks

  8. Anonymous Coward
    Anonymous Coward

    <Sarcasm> <Can't believe I had to do that>

    But a world class mega-giant IT provider who has more patents than any other company and holds itself to be a leader in security can't possibly be expected to competently respond to something as devilishly rare and creative as a denial of service attack. A Distributed one at that! Cut them a break, they're only IBM.

    </Sarcasm> <Probably>

    1. Blank Reg

      IBM are on a good streak of breaking stuff

      http://www.abc.net.au/news/2016-09-01/canada-ibm-payroll-debacle-echoes-queensland-health/7802944

      1. julianh72

        IBM probably won the Canadian job because they were able to demonstrate relevant prior experience with the Queensland Health project.

        (It's just a shame that nobody in Canada bothered to ask Queensland Health for a reference check, to see if it IBM's work was well-received by the Client!)

  9. Anonymous Coward
    Anonymous Coward

    The Cloud..

    Other people's computers you have no control over.

  10. Frank N. Stein

    I wish I could say that this was a surprise. It isn't. How possible is it that the suits who got canned for this nonsense were just sacrificial lambs, while the useless managers who are really responsible for this debacle, still have their jobs?

  11. Anonymous Coward
    Facepalm

    ​Attack on Australian Census site didn't register on global DDoS ...

    "Australia's .. failed online census, which was taken offline after a distributed denial of service (DDoS) attack"

    Is there any actual verifiable evidence that a DDoS was occurring at the time?

    Attack on Australian Census site didn’t register on global DDoS sensors

    1. Pompous Git Silver badge

      Re: ​Attack on Australian Census site didn't register on global DDoS ...

      Is there any actual verifiable evidence that a DDoS was occurring at the time?

      None whatsoever. In the earlier discussion on El Reg it was determined that the "DDoS" was caused by the 16% of Australians who use a VPN. Turning off their VPN wouldn't have made the slightest difference other than possibly making them liable for prosecution for doing what the Bureau were exhorting them to do.

      1. Diogenes

        Re: ​Attack on Australian Census site didn't register on global DDoS ...

        Exactly, the supposed times the site was DDoSed correspond with morning tea, lunch, and kids are fed, bathed , ready for bed !

        Much as I dislike IBM I think the ABS screwed up its load estimates

  12. a_yank_lurker Silver badge

    Remember who the contractor is

    The blue screwup has a long history of blunders and stupidities that they have to reinvent themselves every few years so there are new suckers to leach off of. Also, if the Aussie government procurement is anything like the ferals what you tend to get is overpriced, third rate work (if you are lucky) form a vendor that is more competent at navigating the bidding process than they are technically competent.

  13. Anonymous Coward
    Anonymous Coward

    We friggin TOLD YOU SO!!!!

    --- Queensland Health

  14. Anonymous Coward
    Anonymous Coward

    A July 2016 Risk Management Plan specified that IBM would be responsible for DDoS protection, “with ISP measures of Island Australia (geoblocking international traffic) a key measure.”

    Awfully late in the game to bring this up as this needs a contract with Akamai or the like. The drop dead staring them in the face and only then realing an Internet connected service might have a bullseye on it?

  15. Daniel Voyce

    I call bullshit on this

    I agree that there was a DDoS, one that the census bureau instigated by telling the whole of Australia to go online and complete it in basically a 4 hour window. I don't believe there was an external DDoS (the fact that security traffic tracking websites showed no abnormal external traffic coming in backs this up), I believe they just screwed up by asking 15+ millon people to go online simultaneously!

    1. Pompous Git Silver badge

      Re: I call bullshit on this

      I agree that there was a DDoS, one that the census bureau instigated by telling the whole of Australia to go online and complete it in basically a 4 hour window.

      I would agree except that the DoS was firmly at the ABS end and not Distributed. They failed to have sufficient capacity for demand.

    2. Pompous Git Silver badge

      Re: I call bullshit on this

      asking 15+ millon people to go online simultaneously!

      IIRC there are ~10 million households in Australia and it seems hardly likely that all would log on simultaneously, so you are exaggerating somewhat methinks.

      1. julianh72

        Re: I call bullshit on this

        Yes, there are roughly 10 million households in Australia, but you would have to wonder why the ABS claim the Census website was supposed designed for "up to 1 million forms per hour" (by their own website publicity before the Census night debacle).

        The vast majority of the Australian population live in the eastern states, which were all in the same time zone on Census night (and South Australia is only half an hour behind). Common sense should have told the ABS that most households would try to fill in the form "after dinner" - between say 7:00 pm to 9:00 pm, so "up to 1 million forms per hour" was simply nowhere near enough capacity.

        If the ABS can't even get simple "order of magnitude" estimates right, what chance of success did the Online census ever have?

        1. Pompous Git Silver badge

          Re: I call bullshit on this

          Yes, there are roughly 10 million households in Australia, but you would have to wonder why the ABS claim the Census website was supposed designed for "up to 1 million forms per hour" (by their own website publicity before the Census night debacle).

          So no need for the exaggeration of 15 million. As it happens, I filled the form in after dinner without suffering any problems from congestion. The paper form was hand-delivered by ABS with a reply-paid envelope. I suspect that our household was not the only recipient of a paper form and ABS may have been expecting ever so many households to possess a pen.

          There are certainly many households that do not have Internet access. Here in Tasmania many have had their ADSL disconnected and have been told they must wait up to a year to be reconnected on the NBN.

      2. Colin Tree

        Re: I call bullshit on this

        No,

        I was watching the news,

        story about filling in the census,

        nothing on TV after the news,

        oh, I'll go fill in the census,

        didn't work, try again, 10 times,

        and try again 10 minutes later, 10 more times

        there's 10 -> 100 mellion +++

        it's not about adding the total of Australians

        it's about multiplying by their stupidity

  16. dan1980

    "Additionally, no suggestion was made to the ABS that the DDoS protections that were planned were inadequate."

    Right. And who does the ABS think would make such a suggestion? It was their responsibility to test it and they didn't. IBM f$#ked up but the ABS failed the Australian people by not taking all reasonable steps to ensure the system was safe.

    That they hired a third party to conduct penetration testing shows that someone at least understood the need to independently verify the system so saying they didn't feel the need to independently verify the system is a little odd.

    It's clear that they saw independent verification as a reasonable measure so it's hard to accept that they took all reasonable measures when they failed to independently verify a system put in place to mitigate a risk identified as 'extreme'.

    Ultimately, the buck stops with the ABS.

  17. Anonymous Coward
    Anonymous Coward

    The ABS information in this report came from their submission to the senate inquiry setup to investigate the census debacle.

    There is some delicious irony that the ABS submission was pulled by them shortly after it had been submitted, because they realised it contained commercial in-confidence information.

    The ABS, "we'll keep your data safe"

    Yeah right!

  18. Parash2

    I have little sympathy with the ABS and IBM over this debacle, when I note that the Melbourne Cup betting via the TAB is probably many times the volume of the census night transactions.

    And no systems went down.

    Can you imagine the howls of outrage if ordinary punters could not put on a bet? Governments could fall! Stock market losses etc.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020