Disaster Strikes Norwegian Government Web Portal
An anonymous reader writes "Altinn.no is a web service run by the Norwegian government, on which citizens can find, fill out and deliver forms electronically. Every year Norwegian citizens can also log in to check their tax results. This year, as every year, the site was unable to cope with the traffic generated from everyone wanting to check their taxes at the same time. New this year, however, was that once people were finally able to log in, a significant number of people were logged in as someone else. Users then had access to all financial data of this unfortunate person over two years back in time, in addition to the financial information of his wife and the company he worked for. Altinn shut down some 15 minutes later, and has been down since."
It seems like a handy thing to be able to check your tax results online, but what say you?
Taxes, are they good or are they whack?
by the government sending them a letter saying how much is owed.
The government does all the calculations.
This is what happens when login credentials are based on the SSN, which is a serialised integer system. One wrong digit doesn't throw an error - it fuckin' logs you in as someone else!
Operation Guillotine is in effect.
Really they need a staggered ticket system to distribute the load over time. Issue each citizen a ticket that indicates a period when they can log in to check data, both a soonest and latest date (stragglers not tolerated). This is no different than physical scenarios where people are grouped by first letter of last name, etc. in a crowded office and then each group served sequentially to lighten the load.
Wanna guess how the Norwegian government decided how traffic should be scaled? Come on, guess. They made a limit of 300 000 logins, before making the main web page redirect to a page saying "sorry the lines are full please pick a number" - it, apparently, seemed more logical than scaling the hardware :P
I foresee a large lawsuit settlement in his future
* The government has spent on the order of $200 millions on this system
* Accenture is the main developer
* Every year the systems go down because it doesn't scale
* This year a queueing system was put in place to "fix" scalability
* From an outsider's view at least, it would seem like some cowboy decided to put up a Varnish-type frontend cache as a desperate measure to handle traffic with no thought given to sessions
* An independent report basically slaughtered most of the systems with criticism of flaws last year, which was kept secret until a week ago
* Also yesterday someone found several flaws which allowed any website to grab a json(?) script and steal userinfo if the browser had a valid session
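The "frontend cache with no thought given to sessions" theory above is worth seeing in code, because it is the simplest way to get exactly the symptom the story describes: one user's page handed to the next user who asks for the same URL. The following is an added, constructed simulation written for this page; it is not Altinn's, Accenture's or Varnish's code, and the users, cookies, paths and inbox contents are made up. It models a reverse-proxy cache keyed on URL only, then shows the two controls a practitioner would expect: the origin marking per-user pages `Cache-Control: private, no-store` (with `Vary: Cookie`), and the cache bypassing itself for any request that carries a Cookie header, which is roughly what Varnish's built-in `vcl_recv` does.

```python
"""Constructed illustration of a shared HTTP cache that ignores sessions.
Not Altinn's code; all names, cookies and paths are made up."""
from dataclasses import dataclass

# Constructed session table: cookie value -> (user, inbox messages).
SESSIONS = {
    "sid=kenneth": ("Kenneth", ["Tax assessment 2011", "Message from employer"]),
    "sid=anne": ("Anne", ["Tax assessment 2011"]),
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def origin(path, cookie, mark_private):
    """Origin application. Renders the logged-in user's inbox. With mark_private
    it also sends the headers that tell a shared cache not to store the page."""
    if path == "/":
        # Genuinely public page: safe for any cache to store.
        return Response(200, {"Cache-Control": "public, max-age=60"}, "Welcome to the portal")
    session = SESSIONS.get(cookie)
    if session is None:
        return Response(401, {"Cache-Control": "no-store"}, "login required")
    user, inbox = session
    headers = {"Cache-Control": "private, no-store", "Vary": "Cookie"} if mark_private else {}
    return Response(200, headers, f"Inbox of {user}: " + "; ".join(inbox))


class FrontCache:
    """Shared reverse-proxy cache keyed on the URL only.

    bypass_on_cookie:     never serve from or store into the cache when the
                          request carries a Cookie header (the Varnish default).
    honour_cache_control: never store responses marked private / no-store.
    With both False this is the 'cowboy' cache: it stores whatever the origin
    returns and hands it to the next requester for the same URL.
    """

    def __init__(self, bypass_on_cookie=False, honour_cache_control=False):
        self.bypass_on_cookie = bypass_on_cookie
        self.honour_cache_control = honour_cache_control
        self.store = {}

    def fetch(self, path, cookie=None, mark_private=True):
        cookie_bypass = self.bypass_on_cookie and cookie is not None
        if not cookie_bypass and path in self.store:
            return self.store[path]                      # cache hit, whoever you are
        resp = origin(path, cookie, mark_private)
        if cookie_bypass:
            return resp                                  # pass straight through
        cc = {t.strip() for t in resp.headers.get("Cache-Control", "").split(",")}
        if self.honour_cache_control and cc & {"private", "no-store"}:
            return resp                                  # origin said: do not store
        if resp.status == 200:
            self.store[path] = resp
        return resp


def what_anne_sees(cache, mark_private=True):
    """Kenneth loads his inbox, then Anne loads hers through the same cache.
    Returns the body Anne receives."""
    cache.fetch("/inbox", "sid=kenneth", mark_private)
    return cache.fetch("/inbox", "sid=anne", mark_private).body


if __name__ == "__main__":
    print("naive cache:      ", what_anne_sees(FrontCache()))
    print("honours headers:  ", what_anne_sees(FrontCache(honour_cache_control=True)))
    print("headers, bad app: ", what_anne_sees(FrontCache(honour_cache_control=True), False))
    print("cookie bypass:    ", what_anne_sees(FrontCache(bypass_on_cookie=True), False))
```

The third line of output is the one to remember: a cache that correctly honours `Cache-Control` still leaks Kenneth's inbox if the application never marks the page private, so the header belongs on every authenticated response, and the cookie bypass at the edge is the safety net for the day someone forgets.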
One of those Scandinavian countries publishes the income of every citizen in the paper and online annually. Is that Norway or some other romper room country?
How, from a technical POV can this even happen? Dirty cache? Corrupted pointers?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Slap together some web system pieces without considering what goes with what, and charge a naive socialist government $200 million for it.
now we need to go OSS in diesel cars
A 16 bit session id should be enough for everyone...
We have had the same problem in Denmark previously (site not being able to cope, not the wrong identity problem).
This year they introduced a new queue system, which actually seemed to work.
You were put in a queue for a few minutes, and no one seemed to have problems with the site not responding and the like.
Sure, you might have to wait a few minutes in the queue, but at least you knew your turn was up soon, as opposed to not knowing when the site is ready to handle the traffic.
- Don't do what I do, it's probably not healthy nor safe. -
When everybody's money is 'stored' in a government computer somewhere saying how much money you have, imagine what happens when there's a glitch putting your money in someone else's account.
Yeah, I know, bank accounts.
But, glitches happen there, too. At least you have a little cash to get to and from the bank to pursue the matter. When it's digital all the way down, what will you do?
I'm not a lawyer, but I play one on the Internet. Blog
I normally wouldn't care about this, but since the Norwegian government (i.e. the people, myself included) paid 1 billion NOK for this solution, I expect it to WORK. Mind you, this is not the first time we've had problems with Altinn; this has been a recurring drama the past few years. As the article states, every year they claim to be prepared, and every year they are unable to deliver.
We're not *that* many people in Norway (recently hit the 5 million mark), and certainly not that many adults checking their tax returns online. Guesstimate: 1 million? And how many check it simultaneously? Let's be generous and say half.
So how the hell can a 175 million USD project not be able to deal with 500k visitors? It's a fucking joke.
www.6502asm.com - Code 6502 assembly or.. DIE!!
All Norwegian tax returns are published publicly on the Internet, so Kenneth's information was already available to anyone who cared to check it. There's been no privacy violation here that I can see.
It is done similarly in über-effective, ultra-efficient Singapore:
1) Let's say I'm employed by company C. Company C will send to taxman my identity card number and the amount they have paid me for the tax year.
2) Taxman will do the calculation of tax. Taxman will also consider the recurring tax claims/rebates I am likely to have (spouse/parents-related rebates, for example).
4) Taxman sends me a reminder to confirm their calculations on their website.
5) I will adjust the calculations if needed and submit the final figure.
6) Taxman sends me the final amount of tax I need to pay with payment options including a 12-month instalment plan deducted from my bank account.
7) If I'm audited, I will have to provide documents for the claims/rebates.
Total time spent: about 1 hour (including claims for private insurance, education expenses, donations)
Total $$$ spent: ZERO, ZILCH, NADA!
A casual stroll through the lunatic asylum shows that faith does not prove anything.
Seems relevant http://accidenture.com/
What the submitter wrote is not entirely accurate. All this person's financial data were not available. What was made available was his inbox, containing the full names and personal number (SSN) of this guy and his wife, and some information on a company he was working for.
The officials say that while they do not consider the information that was revealed to be sensitive, they take any information leak very seriously, and therefore the site will stay down until they find the error and correct it.
It is certainly very convenient, when it works. It feels kinda strange to trust every financial detail of my life to the government, so whether it is good in a real sense is a question I'm very open to debate. It does allow some very useful applications to be developed, with a very nice potential for streamlining interaction between government, citizens and private sector. This is actually very high on the government's agenda, which I'm happy about, because the bureaucracy is sometimes both heavy and heavy handed. If it is done well, it could potentially enable citizens to simulate possible choices in their lives before they make a decision: "If I do $that, the taxes will be $this". It would also enable an improved public debate: now it is a lot of bickering of the style "if you raise $that_tax, it will adversly effect $that_group" "no, it won't, but not doing it is required by $that_group". They're just making things up, of course, the debate is usually completely devoid of facts. Soon, it might be possible to simulate those scenarios on a regular basis, so we get real facts on the table before making a decision. Unfortunately, there's a long way from good ideas to actual implementations. I've been in meetings with the people who actually order these systems, and what can I say... Heads gotta roll to go anywhere... They're easily blinded by suits, and they have no idea what makes a robust system. So, for now, I'm not too confident it will happen, even though there are some very interesting ideas around.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Bunch of useless egotistical idiots the lot of them. The know-nothings they hire seem to think they're gods gift because they work for this piss poor company , but most of them are clueless. Many a time I've had to sort out the mess they've created.
..when you pay Accidenture 400 NOK (~70M USD) to put all your eggs in one MS-based web application basket.
The solution does what it's supposed to, but it will never scale because it's designed by people with shirts, ties and certifications on their laptops, and then handed over to a hosting partner which is supposed to make sure it works 24/7.
VAT is not a flat tax as such, from the consumer perspective it's a sales tax. We still have progressive income taxation and various other taxes. To implement a mostly flat tax regime would result in higher taxes on people on lower earnings and lower taxes on higher earners. It would not be politically viable.
Most people in the UK have their taxes dealt with through the PAYE system, where employers deduct the appropriate amount of tax and send it to the Treasury each month, along with a statement to you of what your earnings were and what tax was paid. You also get an annual statement of earnings and taxes, which the government announced yesterday will in future be accompanied by an explanation of how much of your taxes was spent on what.
This is why other people make fun of y'all for being litigious.
Norway has a long history of projects that don't work out as expected. The reason it goes like this is that there's no incentive for any state employee to do a good job; in fact the consulting companies have a good incentive to make everything as complicated as possible, because then they make more money. And when Altinn doesn't work, no minister gets fired.
And everything in this country is so rigid and requires an enormous overhead of bureaucracy. And the organization of Altinn is a complete mess, with several departments being involved.
If you're hired by the government in Norway it's almost impossible to get fired even if you do a sub-par job.
Then over to another sad issue. As a Norwegian I'm very disappointed with the general lack of customer service in this country, and this also reflects the general attitude of most workers (including coders, project managers and so on). We're f**king lazy. That's a fact. Most Norwegians don't really want to work. And of those who do, the majority only does the minimum required.
What would be needed to make efficient projects on a state level would be a high salary to project leaders, hand picking the best. Then those leaders should have the power to hand pick sub-managers which again should have the ability to hand pick the workers. Having a department of only highly skilled, motivated and eager people, would give much better results.
In Norway, nobody likes to take the blame for anything, or taking the responsibility when something goes wrong. We all blame it at someone else. Recently a computer system for hospitals here in Norway was scrapped entirely after tens of millions were spent on it with the outcome that it was useless.
I'm ashamed of being a Norwegian. Sweden and Denmark don't have a problem with their online web solutions.
Also it's a complete joke that because people are going to check their taxes online, the systems that companies depend on to fill in their export forms etc. go down as well. Even a teenager could've imagined that if you run a set of services and you know they're all important to the companies that need them, then you'd rather put these services on separate redundant systems, and you don't pile it all up in one bucket hoping for the best, even though you know there could be problems.
So, because of the lack of ability of Altinn to scale to the recent demand and because of the accident with the caching error, the system was shut entirely down, and thus making a shitload of problems for companies dependent on the site for their daily business.
What we would need to run Altinn efficiently would be a strong, efficient organization with a strong, authoritative leader with the power to make decisions. Also, there's a job ad out now at nav.no and finn.no searching for a new technical head of Altinn, with a salary of 450-550K NOK. That's a fucking joke when you think of the responsibility of the manager of such a site. If you want the best possible manager that will work 10+ hours a day, then you pay him much more. I wouldn't touch that job with a barge pole.
I betcha some contractor decided to use a singleton in the authentication code or something like that! Probably worked great in single-user testing! And they probably never did any multi-user testing. I saw a very similar thing happen at a company I worked for a few years back. They had to push back a release date because of static methods and members in a bunch of the auth code. The whole system worked great as long as only one user ever logged on at a time. Too bad we'll probably never know, because if there is an investigation the results will quickly be filed in a cabinet in the basement behind a sign that reads "Beware of leopard."
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
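The "singleton in the auth code" hypothesis in the comment above describes a second, cache-independent way to get the same cross-user symptom: one process-wide "current user" slot that every concurrent request writes to and reads from. The following is an added, constructed example written for this page, not Altinn's code and not a claim about what actually happened. It runs two requests concurrently on an asyncio event loop; each logs its user in, yields once (standing in for a database round-trip), then renders a page for whoever the auth layer now says is current. The shared-global version hands Kenneth's request Anne's page; the `contextvars` version, where each task gets its own copy of the variable, does not. All names are made up.

```python
"""Constructed illustration of process-wide auth state leaking between
concurrent requests, and the per-task fix. Not Altinn's code."""
import asyncio
import contextvars

# Version 1: the singleton. One "current user" slot shared by every request.
_current_user_global = None


def login_global(user):
    global _current_user_global
    _current_user_global = user


def current_user_global():
    return _current_user_global


# Version 2: per-task state. asyncio copies the context into each new task,
# so a set() in one request is invisible to the others.
_current_user_ctx = contextvars.ContextVar("current_user", default=None)


def login_ctx(user):
    _current_user_ctx.set(user)


def current_user_ctx():
    return _current_user_ctx.get()


async def handle_request(user, login, current):
    """One request: authenticate, do some I/O, render for the 'current' user."""
    login(user)
    await asyncio.sleep(0)          # yield: the other request runs here
    return f"Inbox of {current()}"  # who does the auth layer think we are now?


async def _serve(login, current):
    # gather() schedules the tasks in order, so the interleaving is:
    # Kenneth logs in, yields; Anne logs in, yields; Kenneth renders; Anne renders.
    return await asyncio.gather(
        handle_request("Kenneth", login, current),
        handle_request("Anne", login, current),
    )


def serve_two_users(shared_state):
    """Returns the pages delivered to [Kenneth's request, Anne's request]."""
    if shared_state:
        return asyncio.run(_serve(login_global, current_user_global))
    return asyncio.run(_serve(login_ctx, current_user_ctx))


if __name__ == "__main__":
    print("singleton:  ", serve_two_users(shared_state=True))
    print("contextvar: ", serve_two_users(shared_state=False))
```

The same bug appears with threads and a `static` field in a Java or C# auth helper; the interleaving is just less predictable there, which is exactly why single-user testing never catches it. The general rule is that anything identifying the caller belongs to the request (passed explicitly or stored in request-scoped context), never to the process.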
Fully agreed.
You are free to leave. Anywhere in the EU is open to you.
Someone made a pretty funny spoof site (half decent google translation). The translation will give you the gist of it if you can't read Norwegian. I especially like "Login as Kenneth (does not require password)". They missed the chance to misspell Buypass (an authentication service) as Bypass, though :)
Are you a grammar Nazi? I'm trying to improve my English; please correct my errors!