Slashdot Mirror


Internal 'Set Of Blunders' Crashed Australia's Census Site (cso.com.au)

Slashdot reader River Tam explains the crash of Australia's online census site, citing the account of a security researcher who says IBM and the Australian Bureau of Statistics "were offered DDoS prevention services from their upstream provider...and said they didn't need it." From an article on CSO: The ABS and IBM gambled on a plan to ask their upstream network provider to block traffic from outside Australia in the event that a denial-of-service attack was detected... Offshore traffic to the site was blocked in line with the plan; however, another attack, for which the ABS had no contingency to repel, was directed at it from within Australia. The attack crippled the firewall and the census site's operators opted to restart it and fall back to a secondary firewall. However, they forgot to check that it had the same configuration as the primary firewall. That crippled the census site.

In an unfortunate confluence of events, IBM's security warning systems started flagging some unusual activity, which indicated that information on the ABS servers was heading offshore. The site's operators, thinking the DDoS activity was a distraction, interpreted the alarms as a successful hack...these were little more than benign system logs and the technical staff monitoring the situation poorly understood it. Amid the confusion they naturally erred on the side of caution, [and] decided to pull the plug on the site...
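The failover step described above, where the standby firewall was never checked against the primary, is the kind of gap a parity check catches before the switch. This is an added example, not code from the CSO article or from any poster in the thread: it parses two rule sets, reports drift (rules missing from the standby, extra rules, and same match tuples with a different action) and refuses failover unless every contingency rule, such as the offshore block, is present on the secondary. The rule syntax, the `203.0.113.10` address and the `geo:non-au` object are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed rule format: ACTION PROTO SRC DST PORT, one rule per line.
@dataclass(frozen=True, order=True)
class Rule:
    action: str   # "allow" or "drop"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR, host or a named object such as "geo:non-au"
    dst: str
    port: str     # port number or "any"

def parse_rules(text: str) -> set[Rule]:
    """Parse rules into an order-insensitive, case-normalised set."""
    rules = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        action, proto, src, dst, port = line.lower().split()
        rules.add(Rule(action, proto, src, dst, port))
    return rules

def _match(r: Rule) -> tuple:
    return (r.proto, r.src, r.dst, r.port)

def config_drift(primary: set[Rule], secondary: set[Rule]) -> dict:
    """Rules the standby lacks, rules it adds, and matches whose action differs."""
    sec_action = {_match(r): r.action for r in secondary}
    conflicts = sorted(_match(r) for r in primary
                       if _match(r) in sec_action and sec_action[_match(r)] != r.action)
    return {"missing_on_secondary": sorted(primary - secondary),
            "extra_on_secondary": sorted(secondary - primary),
            "action_conflicts": conflicts}

def safe_to_fail_over(primary: set[Rule], secondary: set[Rule], required=()) -> bool:
    """Failover is safe only with zero drift and every contingency rule on the standby."""
    drift = config_drift(primary, secondary)
    return not any(drift.values()) and all(r in secondary for r in required)

# Constructed sample: the standby was never updated with the offshore block
# and still permits SSH, so failover must be refused.
PRIMARY = """
allow tcp any 203.0.113.10 443
drop any geo:non-AU any any    # offshore block used in the DDoS contingency
drop tcp any 203.0.113.10 22
"""
SECONDARY = """
allow tcp any 203.0.113.10 443
allow tcp any 203.0.113.10 22   # drift: standby still allows SSH
"""
OFFSHORE_BLOCK = Rule("drop", "any", "geo:non-au", "any", "any")

if __name__ == "__main__":
    p, s = parse_rules(PRIMARY), parse_rules(SECONDARY)
    print(config_drift(p, s))
    print("safe to fail over:", safe_to_fail_over(p, s, required=[OFFSHORE_BLOCK]))
```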

14 of 92 comments

  1. Re:IBM you say? by lucm · · Score: 2

    The part that was hosted by IBM (static files, etc) is the only part that didn't go down in flames. Why did they host only the static files? Because they didn't have the Australian-specific certification for cloud computing. So the Australian government opted to host this thing on their own servers. A piece of shit solution, but a certified one.

    --
    lucm, indeed.
  2. What DDOS? by Anonymous Coward · · Score: 4, Insightful

    I still haven't seen any mention of evidence that there was any attack at all. Well, except in the negative sense, as in "Global DDOS sensors failed to register any attack".

    From the server's point of view, what exactly is the difference between "a DDOS attack from within the country" and "ten million users trying to log on to the site within one hour"?

    1. Re:What DDOS? by sg_oneill · · Score: 4, Insightful

      Arguably if the census servers were nullrouting traffic from off-site, that might well explain why nothing showed up on those maps.

      Regardless, a DDOS seemed like it was inevitable. The stupid and anti-privacy decision to store identifying info (names, etc.) with this census despite widespread condemnation from academics, activists and security researchers (at least 9 senators from across the political spectrum are refusing to fill it in, citing the leaked papers from the bureau stating they want names and addresses to create "saleable products", i.e. selling people's personal info).

      Of course Anonymous or someone of their ilk was going to take umbrage and attempt to sabotage the whole thing.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  3. Online voting by Gavin+Rogers · · Score: 4, Insightful

    There's some good news here. This ABS blunder sets the likelihood of paperless and/or online voting happening in Australia back another decade or so.

    It's probably weird that as a technology geek I'd be a fan of paper voting, but paper forms are a lot harder to hack or manipulate without a trace.

  4. Consequence of not having a Social License by Anonymous Coward · · Score: 3, Insightful

    In Australia the phrase 'Social License' is starting to register with the wider community. Issues such as the coal seam gas mining and a range of unpopular but otherwise legally compliant initiatives are feeling the backlash from ordinary people.

    People may think that the 'Brexit' phenomenon is new, however there is a growing discontent among the wider population with the small but influential groups that ignore the views of the community affected by these schemes.

    I wouldn't support the alleged DDOS attacks on the ABS web site, however the ABS has moved ahead with changes to its data retention policies without considering the associated risks, and even well known politicians are refusing to cooperate with the Census.

    You can imagine the executives at the ABS discussing their planned changes and asking "what will people do if they don't like the changes" - well now they have seen what could happen.

    It's more than likely that the Chief Statistician (on over $700,000 a year) will be asked to resign. It's difficult to sack him (a quirk of the legislation that created the ABS) however you would not expect that a person on such a salary would show such poor judgement.

    The 'Brexit' phenomenon has only begun to unfold, and you can only hope that people look past the technology issues surrounding the ABS Census debacle and start asking the question - if you don't have community support is your idea actually any good?

    1. Re:Consequence of not having a Social License by dbIII · · Score: 2

      The Chief Statistician is fairly new and stepped in to fill a 12 month+ vacancy. The true blame lies above that level and dates to before his employment.
      "Denial of service attack" by means of cutting resources and by people in politics pushing a scare campaign to get people to all log in on the same night in fear of being fined for doing it a day late.

  5. DDOS? More like a self inflicted slashdotting. by complete+loony · · Score: 4, Informative

    In previous years, they had been quite careful to inform people to pre-fill their form before census night, and submit after. This year they were expecting only a minor increase in peak traffic.

    Then they go and blast the message, "Fill in your form online, on time or face massive fines", all over the media.

    So what did we all do? When the majority of 9-5 workers got home, we all tried to log in and submit at about the same time.

    Sure they screwed up their network config, but it was a combination of poor planning and poor communication that triggered the whole mess.

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  6. anti-DDOS is like real estate by Orgasmatron · · Score: 4, Insightful

    It is all about location, location, location...

    My employer is on a state-wide network that connects, among other things, a ton of colleges and universities. After some recent BLM events, there were sympathy DDOS attacks from anonymous or whoever, so the state just spent millions on fancy new anti-DDOS gear on the external side of all of their POPs.

    A few weeks ago, I had an opportunity to ask the state's Chief Information Security Officer what their plan was to handle internal attacks coming from the colleges, which are inside the perimeter, and typically have incredible switching and routing capacities (as part of I2), far in excess of anything our rural fiber rings could handle. It took him a few seconds to review the topology of the network in his head before he realized that we'd be screwed.

    I have some sympathy for Australia. DDOS is a hard problem to solve, even if you've got millions to spend on the newest, shiniest gear.

    --
    See that "Preview" button?
  7. Re:IBM you say? by dbIII · · Score: 2

    So the Australian government opted to host this thing on their own servers

    Where did you get that from?
    Everything else I've read disagrees with that and says that IBM was hosting the VMs for the ABS.

  8. Re:Implementation was good though by marka63 · · Score: 2

    30+ hours to get your password / receipt emailed to you. 20 minutes, maybe 1 hour is acceptable.

    Started my census return on the 12th at 17:05 and requested the password be emailed to me.
    The password email was sent by the ABS servers on the 14th at 03:50.

    If I was depending upon the password to resume doing the census I would have had to wait an additional day.

    Additionally the forms really didn't handle doing "Father", "Daughter", "Wife". Had to go and delete all the data entry for my daughter. Add my wife then re-add my daughter.

  9. Off with his head! by thegarbz · · Score: 2

    The prime minister Malcolm Turnbull went on the record to say that he will punish those responsible.

    Yet it was the coalition government that cut the ABS budget by $68m, left the department leaderless for a year, and also poked the bear with talk of selling citizen information to make money which may have prompted the attack in the first place.

    The only question is who will be the scapegoat.

    1. Re:Off with his head! by thegarbz · · Score: 3, Insightful

      So you believe this census debacle happened entirely in the last 3 years? Even though ABS get a specific budget for the census and they have been planning the current systems for way longer than 3 years.

      Not saying the current government is good, but you are completely full of shit and making excuses for bad decisions made by ABS and IBM.

      Re-read my post. The budget cuts were a direct driver for the ABS to attempt to make money by selling data, which is exactly what people are blaming the DDoS for.

      As for bad decisions, they are very easy to do when you have no oversight or leadership, a role which was left vacant for over a year by the government.

      As for planning the current systems and funding, it may be worth looking into the time line. IBM was a contractor selected for outsourcing a good 8 years ago. That project was then put on hold indefinitely. It was restarted after the announced budget cuts as a way of reducing costs by the ABS by not having to manage their own servers.

      ABS is a government entity. I didn't make excuses for bad decisions, I laid blame. When you fuck up something this glorious and affect every person in the country, the buck rests at the very top. Systems were in place that let this happen, e.g. why would the federal government partner with a company that has been blacklisted as a government supplier by two Australian states without some form of inquiry?

    2. Re:Off with his head! by thegarbz · · Score: 2

      Labor had also done cuts in the previous years to the tune of $45 million and had plans for more cuts had it won the election.

      Oh I'm sorry. You seem to be under the impression that my comment was partisan. That doesn't change what happened. A series of budget cuts, lack of management oversight, decision to outsource to save costs, and then entice the DDoS by making the unpopular move to sell data of citizens is a bad call that could have been made by any government.

      The only reason I mentioned the Libs at all was that it was the current Lib leader looking for a scapegoat despite his hands being covered with digital blood from the incident.

      Also, as for your retort, saying someone else cut a budget previously has no relation to what happened closer to an event. If you earn $1000 a month and spend $200 on booze and barely get by as it is, you can still function if someone cuts your budget by $200. If someone else comes afterwards and cuts your budget by a further $400 and you end up homeless, would you take kindly to the excuse "It wasn't just me, the previous person cut your budget too!"? That's the wonderful thing about budgets: they typically can be cut to a point.

      Was that point reached? I don't know. What I do know is that after years of successive budget cuts the ABS now failed to do the one thing they are responsible for.

  10. Re:IBM you say? by telchine · · Score: 2

    So the Australian government opted to host this thing on their own servers

    Where did you get that from?

    You must be new here. On Slashdot, you don't need to be right, you just have to sound right to get mod points.