What's that Skip?
Cue fingerpointing in 3... 2... 1...
Australia's Bureau of Statistics has heavily criticised IBM for the security it applied to the nation's failed online census, which was taken offline after a distributed denial of service (DDoS) attack that battered a curiously flimsy defensive shield. The Bureau also admits it could have done better in a submission (PDF) to a …
"If you build it, they will come"
and fuck it up
While I am sure IBM deserve a serious kick up the arse (and will get it if any Aussie politician/media whore gets their way).
Talk about naive "We want a system that is totally secure", "Fine, disconnect it from the outside world."
"Oh, and remember to unplug it at the power socket in the wall".
I suspect both sides are equally deserving of the titles Dickwit, Fuckwit and Asshat of the week.
It's not something that Australians living abroad might have an interest in? Or news agencies?
It's a census of people in Australian households on the night of the census. Australians abroad on the night of the census are not part of the census. Nor news agencies.
And if you wanted to fill in your census in such a scenario, then you would presumably have the minimal intelligence required to turn off the VPN if you'd received a "you must be residing at an Australian address at the date of the census" geoblock warning.
If they'd planned for the idiocies of VPN-users, I'd object to my tax money being wasted, frankly.
"I thought it was cheap and easy to hire a DDoS attack nowadays."
From 2015: $38 an hour is the cost of destructive DDoS Attacks
<Sarcasm> <Can't believe I had to do that>
But a world class mega-giant IT provider who has more patents than any other company and holds itself to be a leader in security can't possibly be expected to competently respond to something as devilishly rare and creative as a denial of service attack. A Distributed one at that! Cut them a break, they're only IBM.
</Sarcasm> <Probably>
"Australia's .. failed online census, which was taken offline after a distributed denial of service (DDoS) attack"
Is there any actual verifiable evidence that a DDoS was occurring at the time?
Attack on Australian Census site didn’t register on global DDoS sensors
Is there any actual verifiable evidence that a DDoS was occurring at the time?
None whatsoever. In the earlier discussion on El Reg it was determined that the "DDoS" was caused by the 16% of Australians who use a VPN. Turning off their VPN wouldn't have made the slightest difference other than possibly making them liable for prosecution for doing what the Bureau were exhorting them to do.
The blue screwup has a long history of blunders and stupidities, so they have to reinvent themselves every few years so there are new suckers to leech off of. Also, if the Aussie government procurement is anything like the ferals, what you tend to get is overpriced, third-rate work (if you are lucky) from a vendor that is more competent at navigating the bidding process than they are technically competent.
A July 2016 Risk Management Plan specified that IBM would be responsible for DDoS protection, “with ISP measures of Island Australia (geoblocking international traffic) a key measure.”
Awfully late in the game to bring this up, as this needs a contract with Akamai or the like. The drop dead staring them in the face and only then realising an Internet-connected service might have a bullseye on it?
I agree that there was a DDoS, one that the census bureau instigated by telling the whole of Australia to go online and complete it in basically a 4 hour window. I don't believe there was an external DDoS (the fact that security traffic tracking websites showed no abnormal external traffic coming in backs this up); I believe they just screwed up by asking 15+ million people to go online simultaneously!
I agree that there was a DDoS, one that the census bureau instigated by telling the whole of Australia to go online and complete it in basically a 4 hour window.
I would agree except that the DoS was firmly at the ABS end and not Distributed. They failed to have sufficient capacity for demand.
Yes, there are roughly 10 million households in Australia, but you would have to wonder why the ABS claim the Census website was supposedly designed for "up to 1 million forms per hour" (by their own website publicity before the Census night debacle).
The vast majority of the Australian population live in the eastern states, which were all in the same time zone on Census night (and South Australia is only half an hour behind). Common sense should have told the ABS that most households would try to fill in the form "after dinner" - between say 7:00 pm to 9:00 pm, so "up to 1 million forms per hour" was simply nowhere near enough capacity.
If the ABS can't even get simple "order of magnitude" estimates right, what chance of success did the Online census ever have?
Yes, there are roughly 10 million households in Australia, but you would have to wonder why the ABS claim the Census website was supposedly designed for "up to 1 million forms per hour" (by their own website publicity before the Census night debacle).
So no need for the exaggeration of 15 million. As it happens, I filled the form in after dinner without suffering any problems from congestion. The paper form was hand-delivered by ABS with a reply-paid envelope. I suspect that our household was not the only recipient of a paper form and ABS may have been expecting ever so many households to possess a pen.
There are certainly many households that do not have Internet access. Here in Tasmania many have had their ADSL disconnected and have been told they must wait up to a year to be reconnected on the NBN.
No,
I was watching the news,
story about filling in the census,
nothing on TV after the news,
oh, I'll go fill in the census,
didn't work, try again, 10 times,
and try again 10 minutes later, 10 more times
there's 10 -> 100 million +++
it's not about adding the total of Australians
it's about multiplying by their stupidity
"Additionally, no suggestion was made to the ABS that the DDoS protections that were planned were inadequate."
Right. And who does the ABS think would make such a suggestion? It was their responsibility to test it and they didn't. IBM f$#ked up but the ABS failed the Australian people by not taking all reasonable steps to ensure the system was safe.
That they hired a third party to conduct penetration testing shows that someone at least understood the need to independently verify the system so saying they didn't feel the need to independently verify the system is a little odd.
It's clear that they saw independent verification as a reasonable measure so it's hard to accept that they took all reasonable measures when they failed to independently verify a system put in place to mitigate a risk identified as 'extreme'.
Ultimately, the buck stops with the ABS.
The ABS information in this report came from their submission to the senate inquiry setup to investigate the census debacle.
There is some delicious irony that the ABS submission was pulled by them shortly after it had been submitted, because they realised it contained commercial-in-confidence information.
The ABS, "we'll keep your data safe"
Yeah right!
I have little sympathy with the ABS and IBM over this debacle, when I note that the Melbourne Cup betting via the TAB is probably many times the volume of the census night transactions.
And no systems went down.
Can you imagine the howls of outrage if ordinary punters could not put on a bet? Governments could fall! Stock market losses etc.