back to article COFFEE AND DANISH HELL: National ID system cockup forces insecure Java on Danes

A bungled IT upgrade has downed Denmark's universal NemID login system, forcing people to stay on an insecure version of Java if they want to carry out online banking, check their insurance, or retrieve tax return information. Problems with NemID were first reported on Tuesday, and on Thursday the NATS IT consultancy behind …

COMMENTS

This topic is closed for new posts.
  1. Rich 2 Silver badge

    Oh dear

    A sage lesson for any other gov who think about introducing a similar scheme. Not that they'll take any notice of course

    What's that? Putting all our eggs in one basket you say? Nah, it'll be FINE...

    1. Dan 55 Silver badge
      Facepalm

      Re: Oh dear

      I could only file my 2012 tax return online in Spain with XP/IE 8/Java 7u9.

      I imagine next year I could scrape by with Vista/IE 9/Java 7u25.

      Must be something about government websites.

    2. Don Jefe

      Re: Oh dear

      On the contrary, other governments and their suppliers will use this as value add to, say the UK, who has a more proficient and robust IT sector and who would never allow something like this to happen to them. The biggest problem is that the Denmark Govt went the cheap route. We can prevent this from ever happening to you, but it will cost more than the bottom dollar they paid.

      It'll all be rubbish of course, but I can already smell the thousands of 4-color charts being printed to 'prove' it.

    3. Steelsky

      Re: Oh dear

      In a strange twist of fate H.C. Andersen has a story about keeping all your eggs in one basket, not sure if that's the originating story though.

      Oh and the company who failed us miserably (again) is called NETS not NATS.

      /Søren

  2. Anonymous Coward
    Anonymous Coward

    Why should the danes worry?

    I thought all the real crooks were in the secret services, the tax offices and other government bodies who can already read your e-mails anyway !

    [Yes the life of a civil servant can get THAT boring that they find entertainment in reading our daily electronic drivel :-)]

  3. Crazy Operations Guy
    FAIL

    Forward Compatibility

    It always baffles me to see code written that will break from security updates of the underlying platform, especially one that has been touted as 'Write Once, Run Anywhere'. Either the developers were improperly using certain functionality or Oracle coded the patch and broke the function making the documentation/specification invalid.

    1. Gene Cash Silver badge
      Facepalm

      Re: Forward Compatibility

      I'll take "the developers can't code their way out of a paper bag on a government project" for 30, Alex.

    2. localzuk

      Re: Forward Compatibility

      It happens, through poor planning and poor programming.

      Using things like depreciated API calls, even though they are documented as being removed "in a future version" or similar.

      1. Anonymous Coward
        Anonymous Coward

        Re: Forward Compatibility

        Deprecated API methods are never removed from Java, so that's not the issue. The only time I've seen this is in the following scenarios:

        1. The application checks for specific version strings, and refuses to run if the installed runtime is different.

        2. Calls are made to a non-public API that's then removed or modified.

        My money's on scenario one, as changes to the non-public API are rare between major releases. The usual explanation for the version check is that the software is certified for a specific runtime version. Great for the contractor, since they can charge again and again for certification as a new release of Java is released. Completely pointless though, as Sun (and now Oracle) go to great lengths to ensure compatibility between releases, to the point that in some cases unintended behaviour in the class library can't be fixed for backwards compatibility reasons.

        1. Anonymous Coward
          Anonymous Coward

          Re: Forward Compatibility

          I can tell you exactly what the problem is: Oracle have changed the fucking applet security model AGAIN. Exactly 18 hours after I fixed our code for the changes they made in their previous model.

          They're not just moving the goalposts, they've picked them up and are legging it down the field. I and my customers are spectacularly fucked off, and my day will be spent trying to divine information from the various cagily-worded press releases, the half-complete and sometimes working bug database and the one line summaries in the changelog to figure out what the hell is going on, and stuffing largely random lines into the Jar Manifest, signing, resigning, testing, and starting again and again and again. Again.

          Bastards.

          1. mathew42

            Re: Forward Compatibility

            I've been hit by this as well.

            The original change was in JDK 7u25 was to add Permissions and Codebase Attributes to the JAR file manifest to defend agains unauthorized code repurposing. I would guess that something has changed in JDK 7u45. More information: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/no_redeploy.html and http://www.java.com/en/download/help/trusted_expired_variations.xml.

  4. Henry Wertz 1 Gold badge

    Sloppy code

    I would guess a bit of sloppy code, perhaps even illegal per Java spec, that slipped by but now doesn't. I've seen this with gcc too, although of course with it it hits at recompile time rather than run time. At least should be easy to find and fix most likely.

  5. Anonymous Coward
    Anonymous Coward

    hurr

    "cockup"

    "Enjoy your gaping holes"

    AC for obvious reasons

  6. bigfoot780

    Legacy

    Some pdfs don't work on acrobat reader 10 on hmrcs site. Its probably because the government is still on xp. Burying head in sand. Someone should make a browser just for java with a whitelist.

    1. David Pollard

      Re: Legacy

      The reason some of HMRC's PDFs don't work may not be that "the government is still on xp". Older, tried-and-tested PDF writers are likely to fairly bug-free by now. It seems more likely that someone in playing with new software using flashy features that aren't necessary.

  7. Mark Simon
    FAIL

    Don’t They Read?

    Here in Australia, you need Java for any online transactions with the Tax Office.

    How many more IT departments are there that still believe that Java is the right way to secure a transaction?

    The irony is that using Java requires some technical know-how on the part of the user, either keeping it up to date, or, in this case to work around it. Those with the know-how already know that Java is a flawed solution.

    1. Anonymous Coward
      Anonymous Coward

      Re: Don’t They Read?

      I could be wrong, but I could see one plausible reason for the Java: the One-Time Password. Trust cannot be secured if it's generated server-side (black box, possible black helicopters, also potential network interception). So it has to be done client-side. Since there's no telling what OS the client's running, you need something that can run on as many as possible. That pretty much narrows it down to Java.

      Unless you can propose an alternate solution for a client-side, multi-platform OTP generator capable of being run on systems with low privileges.

      1. Hyphen
        Facepalm

        Re: Don’t They Read?

        > Unless you can propose an alternate solution for a client-side, multi-platform OTP generator capable of being run on systems with low privileges.

        Eh? A 15 second Google for NemID shows that the OTPs are actually generated in advance and sent out to you on paper. You use one each time you log into a government/banking service, then never use again. You run out, you request more.

        http://multimedia.pol.dk/archive/00545/n_glekort_nemid_545025a.jpg

        And anyway, there are a quite a number of ways of generating OTPs offline, without having to do anything on the client's PC. My bank has sent me an electronic OTP generator. When I log in, I use my username and password (which the bank knows) to log in, then I'm asked to generate the OTP. I enter a PIN into my Secure ID device (the bank has no record of this) to unlock, then it generates an OTP presumably based on the current time and the device's serial ID. The bank generates the same code its end and if they match, I'm in. I would presume the algorithm has been designed to reduce the chances of two secure IDs producing the same number at the same time.

        1. Anonymous Coward
          Anonymous Coward

          Re: Don’t They Read?

          But the paper's a weak link. It can be STOLEN, much as a text can be intercepted. In fact, just about ANY situation where there's at least one step between the client and the password can have the trust broken. Even if handed directly to you, what's to say someone else doesn't have a copy?

    2. tony2heads
      FAIL

      Re: Don’t They Read?

      In South Africa you need the latest version of Flash and the latest Adobe PDF reader (no other versions or PDF reader will do)

      Bloody annoying

  8. Phil O'Sophical Silver badge

    One JVM to rule them all

    NemID is a single login for services from private banking and email to insurance services, local council services.

    Whoever thought that was a good idea?

    1. Sealand
      Facepalm

      Re: One JVM to rule them all

      > Whoever thought that was a good idea?

      Politicians, of course.

      As usual, comfortably detached from the real world.

    2. This post has been deleted by its author

      1. Eguro

        Re: One JVM to rule them all

        Well the alternative would be every bank has different ways of you logging on, each with various security issues, each done differently, and each done by people of varying degrees of skill.

        The NemID system is set up so users make an account (mostly just their social security number) and a password. Then when they log into NemID they are prompted to deliver a code matching a set of numbers. So 4452 = 452234 - which then gives you access.

        If you are logging in using the correct bank page, then even if your account and password is stolen, the baddies still have to find a way to get the correct number, or they wont be able to log in.

        It's not a perfect system, but it's easy enough for people to use, and secure enough that it would take quite an effort to gain access to an account. Unless you can get in the know about which numbers correspond to which for what users.

        1. Anonymous Coward
          Anonymous Coward

          Re: One JVM to rule them all

          But probably not enough for a DTA environment since many if not most security breaks have an insider element. An insider could put the pieces together AND have the connections to slip by without detection.

  9. John Smith 19 Gold badge
    FAIL

    Just think the UK could have enjoyed similar "benefits" if Tony Blair had had his way.

    I wish govt ministers would take one simple point away.

    If a country of 5.6m is going to f**k this up why do you think a country of 66m is going to do better?

  10. Anonymous Coward
    Anonymous Coward

    IT would NEVER happen in Britain

    nosir, our systems are absolutely, 200% secure!

  11. Matt Hamilton

    Same with VPNs

    I'm forced to use a Java applet based VPN for a client. Had same issue this week. Browser updated Java version and suddenly VPN stopped and no work could be done. :(

    -Matt

  12. Anonymous Coward
    Anonymous Coward

    "And, to the no-doubt dismay of Reg readers, it relies on Java"

    On the contrary - not all of us buy into the "java is insecure" rubbish that's peddled by the fanbois on El Reg.

    1. Dazzz

      "On the contrary - not all of us buy into the "java is insecure" rubbish that's peddled by the fanbois on El Reg."

      So the 41 security fixes in this update arent really needed then cos Java is nice and secure according to you?

      1. Anonymous Coward
        Anonymous Coward

        "So the 41 security fixes in this update arent really needed then cos Java is nice and secure according to you?"

        I guess your language of choice has never needed a security patch then?

    2. EJ
      Pint

      Excuse us, Mr. Gosling...

      Go home... you're drunk.

  13. Loyal Commenter Silver badge

    Can we say "Single Point of Failure"

    or "Broken by Design"

    Who in their right mind though it a good idea to have multiple systems like this secured with a single login? As should be blatantly obvious to anyone with a functioning brain, a single flaw such as this brings the whole house of cards crashing down.

    1. Anonymous Coward
      Anonymous Coward

      Re: Can we say "Single Point of Failure"

      And what if that single point of failure also happens to be the only thing your clients will accept because "ease of use" clashes with "security"?

  14. Robert Carnegie Silver badge

    I thought there was a workaround built in to the Java plugin...

    ...you can set it up so that any specific app that requires an older edition of the Java virtual machine, can be given it? I don't know the details that would apply, though.

  15. Eguro

    Minor update to the story

    Nets have announced that come April next year a new approach will be made using javascript instead of java

    (source: http://politiken.dk/tjek/digitalt/internet/ECE2107661/nets-dropper-java-i-den-naeste-version-af-nemid/ )

    Also the system is now working

This topic is closed for new posts.

Other stories you might like